[gentoo-commits] proj/hardened-patchset:master commit in: 4.2.3/

["Anthony G. Basile" <blueness@gentoo.org>]

commit:     b68c3bf79c56ec566a5080b2e316733096b787bf
Author:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 20 21:38:58 2015 +0000
Commit:     Anthony G. Basile <blueness <AT> gentoo <DOT> org>
CommitDate: Tue Oct 20 21:38:58 2015 +0000
URL:        https://gitweb.gentoo.org/proj/hardened-patchset.git/commit/?id=b68c3bf7

grsecurity-3.1-4.2.3-201510200858

 4.2.3/0000_README                                  |   2 +-
 ...> 4420_grsecurity-3.1-4.2.3-201510200858.patch} | 500 +++++++++++----------
 2 files changed, 276 insertions(+), 226 deletions(-)

diff --git a/4.2.3/0000_README b/4.2.3/0000_README
index 71a4c94..d0e396e 100644
--- a/4.2.3/0000_README
+++ b/4.2.3/0000_README
@@ -2,7 +2,7 @@ README
 -----------------------------------------------------------------------------
 Individual Patch Descriptions:
 -----------------------------------------------------------------------------
-Patch:	4420_grsecurity-3.1-4.2.3-201510171105.patch
+Patch:	4420_grsecurity-3.1-4.2.3-201510200858.patch
 From:	http://www.grsecurity.net
 Desc:	hardened-sources base patch from upstream grsecurity
 

diff --git a/4.2.3/4420_grsecurity-3.1-4.2.3-201510171105.patch b/4.2.3/4420_grsecurity-3.1-4.2.3-201510200858.patch
similarity index 99%
rename from 4.2.3/4420_grsecurity-3.1-4.2.3-201510171105.patch
rename to 4.2.3/4420_grsecurity-3.1-4.2.3-201510200858.patch
index 304030d..0d6eb57 100644
--- a/4.2.3/4420_grsecurity-3.1-4.2.3-201510171105.patch
+++ b/4.2.3/4420_grsecurity-3.1-4.2.3-201510200858.patch
@@ -20403,17 +20403,10 @@ index bf7f8b5..ca5799d 100644
  {
  	return (pud_t *)get_zeroed_page(GFP_KERNEL|__GFP_REPEAT);
 diff --git a/arch/x86/include/asm/pgtable-2level.h b/arch/x86/include/asm/pgtable-2level.h
-index fd74a11..98bd591 100644
+index fd74a11..35fd5af 100644
 --- a/arch/x86/include/asm/pgtable-2level.h
 +++ b/arch/x86/include/asm/pgtable-2level.h
-@@ -13,12 +13,16 @@
-  */
- static inline void native_set_pte(pte_t *ptep , pte_t pte)
- {
-+	pax_open_kernel();
- 	*ptep = pte;
-+	pax_close_kernel();
- }
+@@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t *ptep , pte_t pte)
  
  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
  {
@@ -20423,66 +20416,11 @@ index fd74a11..98bd591 100644
  }
  
  static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
-@@ -34,13 +38,20 @@ static inline void native_pmd_clear(pmd_t *pmdp)
- static inline void native_pte_clear(struct mm_struct *mm,
- 				    unsigned long addr, pte_t *xp)
- {
-+	pax_open_kernel();
- 	*xp = native_make_pte(0);
-+	pax_close_kernel();
- }
- 
- #ifdef CONFIG_SMP
- static inline pte_t native_ptep_get_and_clear(pte_t *xp)
- {
--	return __pte(xchg(&xp->pte_low, 0));
-+	pte_t pte;
-+
-+	pax_open_kernel();
-+	pte = __pte(xchg(&xp->pte_low, 0));
-+	pax_close_kernel();
-+	return pte;
- }
- #else
- #define native_ptep_get_and_clear(xp) native_local_ptep_get_and_clear(xp)
-@@ -49,7 +60,12 @@ static inline pte_t native_ptep_get_and_clear(pte_t *xp)
- #ifdef CONFIG_SMP
- static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
- {
--	return __pmd(xchg((pmdval_t *)xp, 0));
-+	pmd_t pmd;
-+
-+	pax_open_kernel();
-+	pmd = __pmd(xchg((pmdval_t *)xp, 0));
-+	pax_close_kernel();
-+	return pmd;
- }
- #else
- #define native_pmdp_get_and_clear(xp) native_local_pmdp_get_and_clear(xp)
 diff --git a/arch/x86/include/asm/pgtable-3level.h b/arch/x86/include/asm/pgtable-3level.h
-index cdaa58c..4038692 100644
+index cdaa58c..ae30f0d 100644
 --- a/arch/x86/include/asm/pgtable-3level.h
 +++ b/arch/x86/include/asm/pgtable-3level.h
-@@ -26,9 +26,11 @@
-  */
- static inline void native_set_pte(pte_t *ptep, pte_t pte)
- {
-+	pax_open_kernel();
- 	ptep->pte_high = pte.pte_high;
- 	smp_wmb();
- 	ptep->pte_low = pte.pte_low;
-+	pax_close_kernel();
- }
- 
- #define pmd_read_atomic pmd_read_atomic
-@@ -87,17 +89,23 @@ static inline pmd_t pmd_read_atomic(pmd_t *pmdp)
- 
- static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
- {
-+	pax_open_kernel();
- 	set_64bit((unsigned long long *)(ptep), native_pte_val(pte));
-+	pax_close_kernel();
- }
+@@ -92,12 +92,16 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
  
  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
  {
@@ -20499,17 +20437,7 @@ index cdaa58c..4038692 100644
  }
  
  /*
-@@ -108,17 +116,22 @@ static inline void native_set_pud(pud_t *pudp, pud_t pud)
- static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
- 				    pte_t *ptep)
- {
-+	pax_open_kernel();
- 	ptep->pte_low = 0;
- 	smp_wmb();
- 	ptep->pte_high = 0;
-+	pax_close_kernel();
- }
- 
+@@ -116,9 +120,12 @@ static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
  static inline void native_pmd_clear(pmd_t *pmd)
  {
  	u32 *tmp = (u32 *)pmd;
@@ -20522,30 +20450,6 @@ index cdaa58c..4038692 100644
  }
  
  static inline void pud_clear(pud_t *pudp)
-@@ -143,9 +156,11 @@ static inline pte_t native_ptep_get_and_clear(pte_t *ptep)
- 	pte_t res;
- 
- 	/* xchg acts as a barrier before the setting of the high bits */
-+	pax_open_kernel();
- 	res.pte_low = xchg(&ptep->pte_low, 0);
- 	res.pte_high = ptep->pte_high;
- 	ptep->pte_high = 0;
-+	pax_close_kernel();
- 
- 	return res;
- }
-@@ -166,9 +181,11 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *pmdp)
- 	union split_pmd res, *orig = (union split_pmd *)pmdp;
- 
- 	/* xchg acts as a barrier before setting of the high bits */
-+	pax_open_kernel();
- 	res.pmd_low = xchg(&orig->pmd_low, 0);
- 	res.pmd_high = orig->pmd_high;
- 	orig->pmd_high = 0;
-+	pax_close_kernel();
- 
- 	return res.pmd;
- }
 diff --git a/arch/x86/include/asm/pgtable.h b/arch/x86/include/asm/pgtable.h
 index 867da5b..7ec083d 100644
 --- a/arch/x86/include/asm/pgtable.h
@@ -20767,7 +20671,7 @@ index 867da5b..7ec083d 100644
  static inline int page_level_shift(enum pg_level level)
  {
 diff --git a/arch/x86/include/asm/pgtable_32.h b/arch/x86/include/asm/pgtable_32.h
-index b6c0b40..7b497ea 100644
+index b6c0b40..3535d47 100644
 --- a/arch/x86/include/asm/pgtable_32.h
 +++ b/arch/x86/include/asm/pgtable_32.h
 @@ -25,9 +25,6 @@
@@ -20793,7 +20697,15 @@ index b6c0b40..7b497ea 100644
  #if defined(CONFIG_HIGHPTE)
  #define pte_offset_map(dir, address)					\
  	((pte_t *)kmap_atomic(pmd_page(*(dir))) +		\
-@@ -65,6 +68,9 @@ do {						\
+@@ -59,12 +62,17 @@ void paging_init(void);
+ /* Clear a kernel PTE and flush it from the TLB */
+ #define kpte_clear_flush(ptep, vaddr)		\
+ do {						\
++	pax_open_kernel();			\
+ 	pte_clear(&init_mm, (vaddr), (ptep));	\
++	pax_close_kernel();			\
+ 	__flush_tlb_one((vaddr));		\
+ } while (0)
  
  #endif /* !__ASSEMBLY__ */
  
@@ -20846,7 +20758,7 @@ index 9fb2f2b..8e18c70 100644
  #define MODULES_END	VMALLOC_END
  #define MODULES_LEN	(MODULES_VADDR - MODULES_END)
 diff --git a/arch/x86/include/asm/pgtable_64.h b/arch/x86/include/asm/pgtable_64.h
-index 2ee7811..c985cfd 100644
+index 2ee7811..afd76c0 100644
 --- a/arch/x86/include/asm/pgtable_64.h
 +++ b/arch/x86/include/asm/pgtable_64.h
 @@ -16,11 +16,17 @@
@@ -20870,24 +20782,7 @@ index 2ee7811..c985cfd 100644
  
  #define swapper_pg_dir init_level4_pgt
  
-@@ -47,12 +53,16 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte);
- static inline void native_pte_clear(struct mm_struct *mm, unsigned long addr,
- 				    pte_t *ptep)
- {
-+	pax_open_kernel();
- 	*ptep = native_make_pte(0);
-+	pax_close_kernel();
- }
- 
- static inline void native_set_pte(pte_t *ptep, pte_t pte)
- {
-+	pax_open_kernel();
- 	*ptep = pte;
-+	pax_close_kernel();
- }
- 
- static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
-@@ -62,7 +72,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
+@@ -62,7 +68,9 @@ static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
  
  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
  {
@@ -20897,35 +20792,7 @@ index 2ee7811..c985cfd 100644
  }
  
  static inline void native_pmd_clear(pmd_t *pmd)
-@@ -73,7 +85,12 @@ static inline void native_pmd_clear(pmd_t *pmd)
- static inline pte_t native_ptep_get_and_clear(pte_t *xp)
- {
- #ifdef CONFIG_SMP
--	return native_make_pte(xchg(&xp->pte, 0));
-+	pte_t pte;
-+
-+	pax_open_kernel();
-+	pte = native_make_pte(xchg(&xp->pte, 0));
-+	pax_close_kernel();
-+	return pte;
- #else
- 	/* native_local_ptep_get_and_clear,
- 	   but duplicated because of cyclic dependency */
-@@ -86,7 +103,12 @@ static inline pte_t native_ptep_get_and_clear(pte_t *xp)
- static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
- {
- #ifdef CONFIG_SMP
--	return native_make_pmd(xchg(&xp->pmd, 0));
-+	pmd_t pmd;
-+
-+	pax_open_kernel();
-+	pmd = native_make_pmd(xchg(&xp->pmd, 0));
-+	pax_close_kernel();
-+	return pmd;
- #else
- 	/* native_local_pmdp_get_and_clear,
- 	   but duplicated because of cyclic dependency */
-@@ -98,7 +120,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
+@@ -98,7 +106,9 @@ static inline pmd_t native_pmdp_get_and_clear(pmd_t *xp)
  
  static inline void native_set_pud(pud_t *pudp, pud_t pud)
  {
@@ -20935,7 +20802,7 @@ index 2ee7811..c985cfd 100644
  }
  
  static inline void native_pud_clear(pud_t *pud)
-@@ -108,6 +132,13 @@ static inline void native_pud_clear(pud_t *pud)
+@@ -108,6 +118,13 @@ static inline void native_pud_clear(pud_t *pud)
  
  static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
  {
@@ -33743,7 +33610,7 @@ index 81bf3d2..7ef25c2 100644
  	 * XXX: batch / limit 'nr', to avoid large irq off latency
  	 * needs some instrumenting to determine the common sizes used by
 diff --git a/arch/x86/mm/highmem_32.c b/arch/x86/mm/highmem_32.c
-index eecb207a..808343a 100644
+index eecb207a..e76b7f4 100644
 --- a/arch/x86/mm/highmem_32.c
 +++ b/arch/x86/mm/highmem_32.c
 @@ -35,6 +35,8 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
@@ -33755,12 +33622,14 @@ index eecb207a..808343a 100644
  	preempt_disable();
  	pagefault_disable();
  
-@@ -45,7 +47,9 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
+@@ -45,7 +47,11 @@ void *kmap_atomic_prot(struct page *page, pgprot_t prot)
  	idx = type + KM_TYPE_NR*smp_processor_id();
  	vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
  	BUG_ON(!pte_none(*(kmap_pte-idx)));
 +
++	pax_open_kernel();
  	set_pte(kmap_pte-idx, mk_pte(page, prot));
++	pax_close_kernel();
 +
  	arch_flush_lazy_mmu_mode();
  
@@ -34331,7 +34200,7 @@ index 68aec42..95ad5d3 100644
  	printk(KERN_INFO "Write protecting the kernel text: %luk\n",
  		size >> 10);
 diff --git a/arch/x86/mm/init_64.c b/arch/x86/mm/init_64.c
-index 3fba623..a5d0500 100644
+index 3fba623..5ee9802 100644
 --- a/arch/x86/mm/init_64.c
 +++ b/arch/x86/mm/init_64.c
 @@ -136,7 +136,7 @@ int kernel_ident_mapping_init(struct x86_mapping_info *info, pgd_t *pgd_page,
@@ -34419,7 +34288,17 @@ index 3fba623..a5d0500 100644
  		if (pmd != pmd_offset(pud, 0))
  			printk(KERN_ERR "PAGETABLE BUG #01! %p <-> %p\n",
  			       pmd, pmd_offset(pud, 0));
-@@ -337,14 +365,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
+@@ -275,7 +303,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, unsigned long vaddr, pte_t new_pte)
+ 	pmd = fill_pmd(pud, vaddr);
+ 	pte = fill_pte(pmd, vaddr);
+ 
++	pax_open_kernel();
+ 	set_pte(pte, new_pte);
++	pax_close_kernel();
+ 
+ 	/*
+ 	 * It's enough to flush this one mapping.
+@@ -337,14 +367,12 @@ static void __init __init_extra_mapping(unsigned long phys, unsigned long size,
  		pgd = pgd_offset_k((unsigned long)__va(phys));
  		if (pgd_none(*pgd)) {
  			pud = (pud_t *) spp_getpage();
@@ -34436,7 +34315,7 @@ index 3fba623..a5d0500 100644
  		}
  		pmd = pmd_offset(pud, phys);
  		BUG_ON(!pmd_none(*pmd));
-@@ -585,7 +611,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
+@@ -585,7 +613,7 @@ phys_pud_init(pud_t *pud_page, unsigned long addr, unsigned long end,
  					      prot);
  
  		spin_lock(&init_mm.page_table_lock);
@@ -34445,7 +34324,7 @@ index 3fba623..a5d0500 100644
  		spin_unlock(&init_mm.page_table_lock);
  	}
  	__flush_tlb_all();
-@@ -626,7 +652,7 @@ kernel_physical_mapping_init(unsigned long start,
+@@ -626,7 +654,7 @@ kernel_physical_mapping_init(unsigned long start,
  						 page_size_mask);
  
  		spin_lock(&init_mm.page_table_lock);
@@ -34454,6 +34333,22 @@ index 3fba623..a5d0500 100644
  		spin_unlock(&init_mm.page_table_lock);
  		pgd_changed = true;
  	}
+diff --git a/arch/x86/mm/iomap_32.c b/arch/x86/mm/iomap_32.c
+index 9c0ff04..9020d5f 100644
+--- a/arch/x86/mm/iomap_32.c
++++ b/arch/x86/mm/iomap_32.c
+@@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long pfn, pgprot_t prot)
+ 	type = kmap_atomic_idx_push();
+ 	idx = type + KM_TYPE_NR * smp_processor_id();
+ 	vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
++
++	pax_open_kernel();
+ 	set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
++	pax_close_kernel();
++
+ 	arch_flush_lazy_mmu_mode();
+ 
+ 	return (void *)vaddr;
 diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c
 index b9c78f3..9ca7e24 100644
 --- a/arch/x86/mm/ioremap.c
@@ -34718,7 +34613,7 @@ index 4053bb5..b1ad3dc 100644
  	unsigned long uninitialized_var(pfn_align);
  	int i, nid;
 diff --git a/arch/x86/mm/pageattr.c b/arch/x86/mm/pageattr.c
-index 727158c..91bc23b 100644
+index 727158c..54dd3ff 100644
 --- a/arch/x86/mm/pageattr.c
 +++ b/arch/x86/mm/pageattr.c
 @@ -260,7 +260,7 @@ static inline pgprot_t static_protections(pgprot_t prot, unsigned long address,
@@ -34765,9 +34660,11 @@ index 727158c..91bc23b 100644
  	prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
  
  	return prot;
-@@ -437,16 +446,28 @@ static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
+@@ -436,23 +445,37 @@ EXPORT_SYMBOL_GPL(slow_virt_to_phys);
+ static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
  {
  	/* change init_mm */
++	pax_open_kernel();
  	set_pte_atomic(kpte, pte);
 +
  #ifdef CONFIG_X86_32
@@ -34796,7 +34693,14 @@ index 727158c..91bc23b 100644
  			pud = pud_offset(pgd, address);
  			pmd = pmd_offset(pud, address);
  			set_pte_atomic((pte_t *)pmd, pte);
-@@ -505,7 +526,8 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
+ 		}
+ 	}
+ #endif
++	pax_close_kernel();
+ }
+ 
+ static int
+@@ -505,7 +528,8 @@ try_preserve_large_page(pte_t *kpte, unsigned long address,
  	 * up accordingly.
  	 */
  	old_pte = *kpte;
@@ -34806,6 +34710,16 @@ index 727158c..91bc23b 100644
  
  	pgprot_val(req_prot) &= ~pgprot_val(cpa->mask_clr);
  	pgprot_val(req_prot) |= pgprot_val(cpa->mask_set);
+@@ -1176,7 +1200,9 @@ repeat:
+ 		 * Do we really change anything ?
+ 		 */
+ 		if (pte_val(old_pte) != pte_val(new_pte)) {
++			pax_open_kernel();
+ 			set_pte_atomic(kpte, new_pte);
++			pax_close_kernel();
+ 			cpa->flags |= CPA_FLUSHTLB;
+ 		}
+ 		cpa->numpages = 1;
 diff --git a/arch/x86/mm/pat.c b/arch/x86/mm/pat.c
 index 188e3e0..5c75446 100644
 --- a/arch/x86/mm/pat.c
@@ -34920,7 +34834,7 @@ index 9f0614d..92ae64a 100644
  	p += get_opcode(p, &opcode);
  	for (i = 0; i < ARRAY_SIZE(imm_wop); i++)
 diff --git a/arch/x86/mm/pgtable.c b/arch/x86/mm/pgtable.c
-index fb0a9dd..8560f52 100644
+index fb0a9dd..5ab49c4 100644
 --- a/arch/x86/mm/pgtable.c
 +++ b/arch/x86/mm/pgtable.c
 @@ -98,10 +98,75 @@ static inline void pgd_list_del(pgd_t *pgd)
@@ -35272,6 +35186,36 @@ index fb0a9dd..8560f52 100644
  }
  
  void native_set_fixmap(enum fixed_addresses idx, phys_addr_t phys,
+@@ -620,9 +742,11 @@ int pmd_set_huge(pmd_t *pmd, phys_addr_t addr, pgprot_t prot)
+ 
+ 	prot = pgprot_4k_2_large(prot);
+ 
++	pax_open_kernel();
+ 	set_pte((pte_t *)pmd, pfn_pte(
+ 		(u64)addr >> PAGE_SHIFT,
+ 		__pgprot(pgprot_val(prot) | _PAGE_PSE)));
++	pax_close_kernel();
+ 
+ 	return 1;
+ }
+diff --git a/arch/x86/mm/pgtable_32.c b/arch/x86/mm/pgtable_32.c
+index 75cc097..79a097f 100644
+--- a/arch/x86/mm/pgtable_32.c
++++ b/arch/x86/mm/pgtable_32.c
+@@ -47,10 +47,13 @@ void set_pte_vaddr(unsigned long vaddr, pte_t pteval)
+ 		return;
+ 	}
+ 	pte = pte_offset_kernel(pmd, vaddr);
++
++	pax_open_kernel();
+ 	if (pte_val(pteval))
+ 		set_pte_at(&init_mm, vaddr, pte, pteval);
+ 	else
+ 		pte_clear(&init_mm, vaddr, pte);
++	pax_close_kernel();
+ 
+ 	/*
+ 	 * It's enough to flush this one mapping.
 diff --git a/arch/x86/mm/setup_nx.c b/arch/x86/mm/setup_nx.c
 index 90555bf..f5f1828 100644
 --- a/arch/x86/mm/setup_nx.c
@@ -58341,6 +58285,19 @@ index 3806e70..55c508b 100644
  	struct usb_serial_port *port = info->port;
  	struct usb_serial *serial;
  	int retval = -ENODEV;
+diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c
+index 540add2..2a2c7da 100644
+--- a/drivers/usb/storage/transport.c
++++ b/drivers/usb/storage/transport.c
+@@ -689,7 +689,7 @@ void usb_stor_invoke_transport(struct scsi_cmnd *srb, struct us_data *us)
+ 	if (need_auto_sense) {
+ 		int temp_result;
+ 		struct scsi_eh_save ses;
+-		int sense_size = US_SENSE_SIZE;
++		unsigned int sense_size = US_SENSE_SIZE;
+ 		struct scsi_sense_hdr sshdr;
+ 		const u8 *scdd;
+ 		u8 fm_ili;
 diff --git a/drivers/usb/storage/usb.c b/drivers/usb/storage/usb.c
 index 43576ed..583589d 100644
 --- a/drivers/usb/storage/usb.c
@@ -77083,7 +77040,7 @@ index e4141f2..d8263e8 100644
  		i += packet_length_size;
  		if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
 diff --git a/fs/exec.c b/fs/exec.c
-index 1977c2a..40e7f8f 100644
+index 1977c2a..6371905 100644
 --- a/fs/exec.c
 +++ b/fs/exec.c
 @@ -56,8 +56,20 @@
@@ -77579,7 +77536,7 @@ index 1977c2a..40e7f8f 100644
  out:
  	if (bprm->mm) {
  		acct_arg_size(bprm, 0);
-@@ -1743,3 +1918,312 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
+@@ -1743,3 +1918,317 @@ COMPAT_SYSCALL_DEFINE5(execveat, int, fd,
  				  argv, envp, flags);
  }
  #endif
@@ -77886,9 +77843,14 @@ index 1977c2a..40e7f8f 100644
 +#ifdef CONFIG_PAX_SIZE_OVERFLOW
 +void __nocapture(1, 3, 4) __used report_size_overflow(const char *file, unsigned int line, const char *func, const char *ssa_name)
 +{
++#ifdef CONFIG_PAX_SIZE_OVERFLOW_DISABLE_KILL
++	printk_ratelimited(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
++	dump_stack();
++#else
 +	printk(KERN_EMERG "PAX: size overflow detected in function %s %s:%u %s", func, file, line, ssa_name);
 +	dump_stack();
 +	do_group_exit(SIGKILL);
++#endif
 +}
 +EXPORT_SYMBOL(report_size_overflow);
 +#endif
@@ -112776,17 +112738,32 @@ index 6297f6b..7652403 100644
  }
  EXPORT_SYMBOL(__get_user_pages);
 diff --git a/mm/highmem.c b/mm/highmem.c
-index 123bcd3..07e8516 100644
+index 123bcd3..c2c85db 100644
 --- a/mm/highmem.c
 +++ b/mm/highmem.c
-@@ -196,7 +196,6 @@ static void flush_all_zero_pkmaps(void)
+@@ -195,8 +195,9 @@ static void flush_all_zero_pkmaps(void)
+ 		 * So no dangers, even with speculative execution.
  		 */
  		page = pte_page(pkmap_page_table[i]);
++		pax_open_kernel();
  		pte_clear(&init_mm, PKMAP_ADDR(i), &pkmap_page_table[i]);
 -
++		pax_close_kernel();
  		set_page_address(page, NULL);
  		need_flush = 1;
  	}
+@@ -259,8 +260,11 @@ start:
+ 		}
+ 	}
+ 	vaddr = PKMAP_ADDR(last_pkmap_nr);
++
++	pax_open_kernel();
+ 	set_pte_at(&init_mm, vaddr,
+ 		   &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
++	pax_close_kernel();
+ 
+ 	pkmap_count[last_pkmap_nr] = 1;
+ 	set_page_address(page, (void *)vaddr);
 diff --git a/mm/hugetlb.c b/mm/hugetlb.c
 index a8c3087..ec431dc 100644
 --- a/mm/hugetlb.c
@@ -117574,7 +117551,7 @@ index 68ff8a5..40c7a70 100644
  
  	if (len > buflen)
 diff --git a/mm/vmalloc.c b/mm/vmalloc.c
-index 2faaa29..14881ba 100644
+index 2faaa29..c816cf4 100644
 --- a/mm/vmalloc.c
 +++ b/mm/vmalloc.c
 @@ -40,20 +40,65 @@ struct vfree_deferred {
@@ -117646,9 +117623,11 @@ index 2faaa29..14881ba 100644
  /*** Page table manipulation functions ***/
  
  static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
-@@ -62,8 +107,19 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
+@@ -61,10 +106,23 @@ static void vunmap_pte_range(pmd_t *pmd, unsigned long addr, unsigned long end)
+ 	pte_t *pte;
  
  	pte = pte_offset_kernel(pmd, addr);
++	pax_open_kernel();
  	do {
 -		pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
 -		WARN_ON(!pte_none(ptent) && !pte_present(ptent));
@@ -117666,9 +117645,16 @@ index 2faaa29..14881ba 100644
 +			WARN_ON(!pte_none(ptent) && !pte_present(ptent));
 +		}
  	} while (pte++, addr += PAGE_SIZE, addr != end);
++	pax_close_kernel();
  }
  
-@@ -130,10 +186,18 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr,
+ static void vunmap_pmd_range(pud_t *pud, unsigned long addr, unsigned long end)
+@@ -127,16 +185,29 @@ static int vmap_pte_range(pmd_t *pmd, unsigned long addr,
+ 	pte = pte_alloc_kernel(pmd, addr);
+ 	if (!pte)
+ 		return -ENOMEM;
++
++	pax_open_kernel();
  	do {
  		struct page *page = pages[*nr];
  
@@ -117678,18 +117664,24 @@ index 2faaa29..14881ba 100644
 +#endif
 +
 +		if (!pte_none(*pte)) {
++			pax_close_kernel();
 +			WARN_ON(1);
  			return -EBUSY;
 -		if (WARN_ON(!page))
 +		}
 +		if (!page) {
++			pax_close_kernel();
 +			WARN_ON(1);
  			return -ENOMEM;
 +		}
  		set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
  		(*nr)++;
  	} while (pte++, addr += PAGE_SIZE, addr != end);
-@@ -146,7 +210,7 @@ static int vmap_pmd_range(pud_t *pud, unsigned long addr,
++	pax_close_kernel();
+ 	return 0;
+ }
+ 
+@@ -146,7 +217,7 @@ static int vmap_pmd_range(pud_t *pud, unsigned long addr,
  	pmd_t *pmd;
  	unsigned long next;
  
@@ -117698,7 +117690,7 @@ index 2faaa29..14881ba 100644
  	if (!pmd)
  		return -ENOMEM;
  	do {
-@@ -163,7 +227,7 @@ static int vmap_pud_range(pgd_t *pgd, unsigned long addr,
+@@ -163,7 +234,7 @@ static int vmap_pud_range(pgd_t *pgd, unsigned long addr,
  	pud_t *pud;
  	unsigned long next;
  
@@ -117707,7 +117699,7 @@ index 2faaa29..14881ba 100644
  	if (!pud)
  		return -ENOMEM;
  	do {
-@@ -223,6 +287,12 @@ int is_vmalloc_or_module_addr(const void *x)
+@@ -223,6 +294,12 @@ int is_vmalloc_or_module_addr(const void *x)
  	if (addr >= MODULES_VADDR && addr < MODULES_END)
  		return 1;
  #endif
@@ -117720,7 +117712,7 @@ index 2faaa29..14881ba 100644
  	return is_vmalloc_addr(x);
  }
  
-@@ -243,8 +313,14 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
+@@ -243,8 +320,14 @@ struct page *vmalloc_to_page(const void *vmalloc_addr)
  
  	if (!pgd_none(*pgd)) {
  		pud_t *pud = pud_offset(pgd, addr);
@@ -117735,7 +117727,7 @@ index 2faaa29..14881ba 100644
  			if (!pmd_none(*pmd)) {
  				pte_t *ptep, pte;
  
-@@ -346,7 +422,7 @@ static void purge_vmap_area_lazy(void);
+@@ -346,7 +429,7 @@ static void purge_vmap_area_lazy(void);
   * Allocate a region of KVA of the specified size and alignment, within the
   * vstart and vend.
   */
@@ -117744,7 +117736,7 @@ index 2faaa29..14881ba 100644
  				unsigned long align,
  				unsigned long vstart, unsigned long vend,
  				int node, gfp_t gfp_mask)
-@@ -1202,13 +1278,27 @@ void __init vmalloc_init(void)
+@@ -1202,13 +1285,27 @@ void __init vmalloc_init(void)
  	for_each_possible_cpu(i) {
  		struct vmap_block_queue *vbq;
  		struct vfree_deferred *p;
@@ -117773,7 +117765,7 @@ index 2faaa29..14881ba 100644
  	}
  
  	/* Import existing vmlist entries. */
-@@ -1333,6 +1423,16 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
+@@ -1333,6 +1430,16 @@ static struct vm_struct *__get_vm_area_node(unsigned long size,
  	struct vm_struct *area;
  
  	BUG_ON(in_interrupt());
@@ -117790,7 +117782,7 @@ index 2faaa29..14881ba 100644
  	if (flags & VM_IOREMAP)
  		align = 1ul << clamp_t(int, fls_long(size),
  				       PAGE_SHIFT, IOREMAP_MAX_ORDER);
-@@ -1531,13 +1631,36 @@ EXPORT_SYMBOL(vfree);
+@@ -1531,13 +1638,36 @@ EXPORT_SYMBOL(vfree);
   */
  void vunmap(const void *addr)
  {
@@ -117830,7 +117822,7 @@ index 2faaa29..14881ba 100644
  /**
   *	vmap  -  map an array of pages into virtually contiguous space
   *	@pages:		array of page pointers
-@@ -1558,6 +1681,11 @@ void *vmap(struct page **pages, unsigned int count,
+@@ -1558,6 +1688,11 @@ void *vmap(struct page **pages, unsigned int count,
  	if (count > totalram_pages)
  		return NULL;
  
@@ -117842,7 +117834,7 @@ index 2faaa29..14881ba 100644
  	area = get_vm_area_caller((count << PAGE_SHIFT), flags,
  					__builtin_return_address(0));
  	if (!area)
-@@ -1662,6 +1790,14 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
+@@ -1662,6 +1797,14 @@ void *__vmalloc_node_range(unsigned long size, unsigned long align,
  	if (!size || (size >> PAGE_SHIFT) > totalram_pages)
  		goto fail;
  
@@ -117857,7 +117849,7 @@ index 2faaa29..14881ba 100644
  	area = __get_vm_area_node(size, align, VM_ALLOC | VM_UNINITIALIZED |
  				vm_flags, start, end, node, gfp_mask, caller);
  	if (!area)
-@@ -1715,6 +1851,14 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
+@@ -1715,6 +1858,14 @@ static void *__vmalloc_node(unsigned long size, unsigned long align,
  				gfp_mask, prot, 0, node, caller);
  }
  
@@ -117872,7 +117864,7 @@ index 2faaa29..14881ba 100644
  void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
  {
  	return __vmalloc_node(size, 1, gfp_mask, prot, NUMA_NO_NODE,
-@@ -1838,10 +1982,9 @@ EXPORT_SYMBOL(vzalloc_node);
+@@ -1838,10 +1989,9 @@ EXPORT_SYMBOL(vzalloc_node);
   *	For tight control over page level allocator and protection flags
   *	use __vmalloc() instead.
   */
@@ -117884,7 +117876,7 @@ index 2faaa29..14881ba 100644
  			      NUMA_NO_NODE, __builtin_return_address(0));
  }
  
-@@ -2148,6 +2291,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
+@@ -2148,6 +2298,8 @@ int remap_vmalloc_range_partial(struct vm_area_struct *vma, unsigned long uaddr,
  {
  	struct vm_struct *area;
  
@@ -117893,7 +117885,7 @@ index 2faaa29..14881ba 100644
  	size = PAGE_ALIGN(size);
  
  	if (!PAGE_ALIGNED(uaddr) || !PAGE_ALIGNED(kaddr))
-@@ -2630,7 +2775,11 @@ static int s_show(struct seq_file *m, void *p)
+@@ -2630,7 +2782,11 @@ static int s_show(struct seq_file *m, void *p)
  		v->addr, v->addr + v->size, v->size);
  
  	if (v->caller)
@@ -125813,10 +125805,10 @@ index c0a932d..817c587 100755
  # Find all available archs
  find_all_archs()
 diff --git a/security/Kconfig b/security/Kconfig
-index bf4ec46..6748ce1 100644
+index bf4ec46..d32a3b8 100644
 --- a/security/Kconfig
 +++ b/security/Kconfig
-@@ -4,6 +4,980 @@
+@@ -4,6 +4,985 @@
  
  menu "Security options"
  
@@ -126762,6 +126754,11 @@ index bf4ec46..6748ce1 100644
 +	  i.e., gcc 4.5 or newer.  You may need to install the supporting
 +	  headers explicitly in addition to the normal gcc package.
 +
++config PAX_SIZE_OVERFLOW_DISABLE_KILL
++	bool "Do not kill process on overflow detection"
++	default y
++	depends on PAX_SIZE_OVERFLOW
++
 +config PAX_LATENT_ENTROPY
 +	bool "Generate some entropy during boot and runtime"
 +	default y if GRKERNSEC_CONFIG_AUTO
@@ -126797,7 +126794,7 @@ index bf4ec46..6748ce1 100644
  source security/keys/Kconfig
  
  config SECURITY_DMESG_RESTRICT
-@@ -104,7 +1078,7 @@ config INTEL_TXT
+@@ -104,7 +1083,7 @@ config INTEL_TXT
  config LSM_MMAP_MIN_ADDR
  	int "Low address space for LSM to protect from user allocation"
  	depends on SECURITY && SECURITY_SELINUX
@@ -132442,10 +132439,10 @@ index 0000000..4c7f7c6
 +targets += size_overflow_hash.h size_overflow_hash_aux.h disable_size_overflow_hash.h
 diff --git a/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
 new file mode 100644
-index 0000000..3414692
+index 0000000..675f934
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/disable_size_overflow_hash.data
-@@ -0,0 +1,12394 @@
+@@ -0,0 +1,12396 @@
 +disable_so_interrupt_pnode_gru_message_queue_desc_4 interrupt_pnode gru_message_queue_desc 0 4 NULL
 +disable_so_bch_btree_insert_fndecl_12 bch_btree_insert fndecl 0 12 NULL
 +disable_so_macvlan_sync_address_fndecl_22 macvlan_sync_address fndecl 0 22 NULL nohasharray
@@ -144840,6 +144837,8 @@ index 0000000..3414692
 +disable_so_s5m_rtc_set_time_fndecl_65518 s5m_rtc_set_time fndecl 0 65518 NULL
 +disable_so_addr_w83627hf_data_65526 addr w83627hf_data 0 65526 NULL
 +disable_so_si_pt_regs_65527 si pt_regs 0 65527 NULL
++enable_so_rts_threshold_wiphy_15170 rts_threshold wiphy 0 15170 NULL
++enable_so_value_iw_param_65472 value iw_param 0 65472 NULL
 diff --git a/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh b/tools/gcc/size_overflow_plugin/generate_size_overflow_hash.sh
 new file mode 100644
 index 0000000..be9724d
@@ -147036,10 +147035,10 @@ index 0000000..ab2d25a
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_hash.data b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
 new file mode 100644
-index 0000000..d841329
+index 0000000..ba470a6
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_hash.data
-@@ -0,0 +1,20763 @@
+@@ -0,0 +1,20761 @@
 +enable_so_recv_ctrl_pipe_us_data_0 recv_ctrl_pipe us_data 0 0 NULL
 +enable_so___earlyonly_bootmem_alloc_fndecl_3 __earlyonly_bootmem_alloc fndecl 2-3-4 3 NULL
 +enable_so_size_ttm_mem_reg_8 size ttm_mem_reg 0 8 NULL
@@ -151811,7 +151810,6 @@ index 0000000..d841329
 +enable_so_info0_rx_msdu_start_15164 info0 rx_msdu_start 0 15164 NULL
 +enable_so_i_disk_sec_hpfs_inode_info_15165 i_disk_sec hpfs_inode_info 0 15165 NULL
 +enable_so_ovl_dir_llseek_fndecl_15169 ovl_dir_llseek fndecl 2 15169 NULL
-+enable_so_rts_threshold_wiphy_15170 rts_threshold wiphy 0 15170 NULL
 +enable_so_frontswap_curr_pages_fndecl_15172 frontswap_curr_pages fndecl 0 15172 NULL nohasharray
 +enable_so_xfs_idata_realloc_fndecl_15172 xfs_idata_realloc fndecl 2 15172 &enable_so_frontswap_curr_pages_fndecl_15172
 +enable_so_si_namelen_nfsd4_secinfo_15174 si_namelen nfsd4_secinfo 0 15174 NULL
@@ -167787,7 +167785,6 @@ index 0000000..d841329
 +enable_so_xfs_dir3_data_block_free_fndecl_65456 xfs_dir3_data_block_free fndecl 4 65456 NULL
 +enable_so_wNtbOutMaxDatagrams_usb_cdc_ncm_ntb_parameters_65459 wNtbOutMaxDatagrams usb_cdc_ncm_ntb_parameters 0 65459 NULL
 +enable_so_cfg80211_calculate_bitrate_60g_fndecl_65469 cfg80211_calculate_bitrate_60g fndecl 0 65469 NULL
-+enable_so_value_iw_param_65472 value iw_param 0 65472 NULL
 +enable_so_lfb_base_screen_info_65479 lfb_base screen_info 0 65479 NULL
 +enable_so_pci_hotplug_io_size_vardecl_65480 pci_hotplug_io_size vardecl 0 65480 NULL
 +enable_so_isoc_size_wa_seg_65482 isoc_size wa_seg 0 65482 NULL
@@ -169645,7 +169642,7 @@ index 0000000..6075e8f
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_plugin.c b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 new file mode 100644
-index 0000000..a0415ac
+index 0000000..8838f04
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_plugin.c
 @@ -0,0 +1,318 @@
@@ -169680,7 +169677,7 @@ index 0000000..a0415ac
 +tree size_overflow_type_TI;
 +
 +static struct plugin_info size_overflow_plugin_info = {
-+	.version	= "20151016",
++	.version	= "20151020",
 +	.help		= "no-size-overflow\tturn off size overflow checking\n",
 +};
 +
@@ -169844,7 +169841,7 @@ index 0000000..a0415ac
 +	TREE_PUBLIC(report_size_overflow_decl) = 1;
 +	DECL_EXTERNAL(report_size_overflow_decl) = 1;
 +	DECL_ARTIFICIAL(report_size_overflow_decl) = 1;
-+	TREE_THIS_VOLATILE(report_size_overflow_decl) = 1;
++//	TREE_THIS_VOLATILE(report_size_overflow_decl) = 1;
 +// !!!
 +	DECL_PRESERVE_P(report_size_overflow_decl) = 1;
 +	DECL_UNINLINABLE(report_size_overflow_decl) = 1;
@@ -170327,10 +170324,10 @@ index 0000000..317cd6c
 +
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform.c b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
 new file mode 100644
-index 0000000..b6c6bb1
+index 0000000..ee7633e
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_transform.c
-@@ -0,0 +1,731 @@
+@@ -0,0 +1,742 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -170560,7 +170557,7 @@ index 0000000..b6c6bb1
 +	return TYPE_UNSIGNED(TREE_TYPE(node)) && is_unsigned_error_code_const(node);
 +}
 +
-+static bool has_error_code(interesting_stmts_t expand_from, gphi *phi)
++static bool has_error_code(gphi *phi)
 +{
 +	unsigned int i, len = gimple_phi_num_args(phi);
 +
@@ -170591,12 +170588,17 @@ index 0000000..b6c6bb1
 +static void handle_binary_assign(struct visited *visited, interesting_stmts_t expand_from, gassign *assign, tree rhs)
 +{
 +	tree new_node;
++	gimple def_orig_node;
 +
 +	new_node = expand(visited, expand_from, rhs);
 +	if (new_node == NULL_TREE)
 +		return;
 +
++	def_orig_node = get_def_stmt(rhs);
 +	change_orig_node(visited, assign, rhs, new_node, 0);
++
++	if (pointer_set_contains(visited->no_cast_check, def_orig_node))
++		return;
 +	check_size_overflow(expand_from, assign, TREE_TYPE(new_node), new_node, rhs, BEFORE_STMT);
 +}
 +
@@ -170646,7 +170648,7 @@ index 0000000..b6c6bb1
 +	case GIMPLE_PHI: {
 +		unsigned int i;
 +
-+		error_code = has_error_code(expand_from, as_a_gphi(def_stmt));
++		error_code = has_error_code(as_a_gphi(def_stmt));
 +		for (i = 0; i < gimple_phi_num_args(def_stmt); i++) {
 +			error_code = search_error_codes(visited, visited_error_codes, expand_from, gimple_phi_arg_def(def_stmt, i), error_code);
 +		}
@@ -170681,6 +170683,7 @@ index 0000000..b6c6bb1
 +
 +	for (cur = head; cur; cur = cur->next) {
 +		tree new_node;
++		gimple orig_def_stmt;
 +
 +		if (handle_error_codes(visited, cur))
 +			continue;
@@ -170689,7 +170692,12 @@ index 0000000..b6c6bb1
 +		if (new_node == NULL_TREE)
 +			continue;
 +
++		orig_def_stmt = get_def_stmt(cur->orig_node);
++
 +		change_orig_node(visited, cur->first_stmt, cur->orig_node, new_node, cur->num);
++
++		if (pointer_set_contains(visited->no_cast_check, orig_def_stmt))
++			continue;
 +		check_size_overflow(cur, cur->first_stmt, TREE_TYPE(new_node), new_node, cur->orig_node, BEFORE_STMT);
 +	}
 +}
@@ -171064,10 +171072,10 @@ index 0000000..b6c6bb1
 +}
 diff --git a/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
 new file mode 100644
-index 0000000..5fdfca5
+index 0000000..e7a17f5
 --- /dev/null
 +++ b/tools/gcc/size_overflow_plugin/size_overflow_transform_core.c
-@@ -0,0 +1,962 @@
+@@ -0,0 +1,1004 @@
 +/*
 + * Copyright 2011-2015 by Emese Revfy <re.emese@gmail.com>
 + * Licensed under the GPL v2, or (at your option) v3
@@ -171647,6 +171655,69 @@ index 0000000..5fdfca5
 +	insert_check_size_overflow(expand_from, stmt, LT_EXPR, cast_rhs, type_min, before, MIN_CHECK);
 +}
 +
++static tree get_my_stmt_lhs(struct visited *visited, gimple stmt)
++{
++	gimple_stmt_iterator gsi;
++	gimple next_stmt = NULL;
++
++	gsi = gsi_for_stmt(stmt);
++
++	do {
++		gsi_next(&gsi);
++		next_stmt = gsi_stmt(gsi);
++
++		if (gimple_code(stmt) == GIMPLE_PHI && !pointer_set_contains(visited->my_stmts, next_stmt))
++			return NULL_TREE;
++
++		if (pointer_set_contains(visited->my_stmts, next_stmt) && !pointer_set_contains(visited->skip_expr_casts, next_stmt))
++			break;
++
++		gcc_assert(pointer_set_contains(visited->my_stmts, next_stmt));
++	} while (!gsi_end_p(gsi));
++
++	gcc_assert(next_stmt);
++	return get_lhs(next_stmt);
++}
++
++/* When the result of the negation is cast to a signed type then move
++ * the size_overflow cast check before negation.
++ * ssa:
++ * unsigned _588
++ * _588 = _587 >> 12;
++ * _589 = -_588;
++ * _590 = (long int) _589;
++ */
++static bool handle_unsigned_neg_or_bit_not(struct visited *visited, interesting_stmts_t expand_from, const gassign *stmt)
++{
++	gimple def_neg_stmt, neg_stmt;
++	tree lhs, new_neg_rhs;
++	const_tree rhs, neg_rhs;
++	enum tree_code rhs_code;
++
++	rhs = gimple_assign_rhs1(stmt);
++	lhs = gimple_assign_lhs(stmt);
++	if (TYPE_UNSIGNED(TREE_TYPE(lhs)) || !TYPE_UNSIGNED(TREE_TYPE(rhs)))
++		return false;
++
++	neg_stmt = get_def_stmt(rhs);
++	if (!neg_stmt || !is_gimple_assign(neg_stmt))
++		return false;
++
++	rhs_code = gimple_assign_rhs_code(neg_stmt);
++	if (rhs_code != BIT_NOT_EXPR && rhs_code != NEGATE_EXPR)
++		return false;
++
++	neg_rhs = gimple_assign_rhs1(neg_stmt);
++	def_neg_stmt = get_def_stmt(neg_rhs);
++	if (!def_neg_stmt)
++		return false;
++
++	new_neg_rhs = get_my_stmt_lhs(visited, def_neg_stmt);
++	check_size_overflow(expand_from, neg_stmt, TREE_TYPE(new_neg_rhs), new_neg_rhs, lhs, BEFORE_STMT);
++	pointer_set_insert(visited->no_cast_check, stmt);
++	return true;
++}
++
 +static tree create_cast_overflow_check(struct visited *visited, interesting_stmts_t expand_from, tree new_rhs1, gassign *stmt)
 +{
 +	bool cast_lhs, cast_rhs;
@@ -171673,6 +171744,9 @@ index 0000000..5fdfca5
 +		{ true,  false, true,  true  }, // lhs < rhs
 +	};
 +
++	if (handle_unsigned_neg_or_bit_not(visited, expand_from, stmt))
++		return dup_assign(visited, stmt, lhs, new_rhs1, NULL_TREE, NULL_TREE);
++
 +	// skip lhs check on signed SI -> HI cast or signed SI -> QI cast
 +	if (rhs_mode == SImode && !TYPE_UNSIGNED(rhs_type) && (lhs_mode == HImode || lhs_mode == QImode))
 +		return create_assign(visited, stmt, lhs, AFTER_STMT);
@@ -171945,30 +172019,6 @@ index 0000000..5fdfca5
 +}
 +#endif
 +
-+static tree get_my_stmt_lhs(struct visited *visited, gimple stmt)
-+{
-+	gimple_stmt_iterator gsi;
-+	gimple next_stmt = NULL;
-+
-+	gsi = gsi_for_stmt(stmt);
-+
-+	do {
-+		gsi_next(&gsi);
-+		next_stmt = gsi_stmt(gsi);
-+
-+		if (gimple_code(stmt) == GIMPLE_PHI && !pointer_set_contains(visited->my_stmts, next_stmt))
-+			return NULL_TREE;
-+
-+		if (pointer_set_contains(visited->my_stmts, next_stmt) && !pointer_set_contains(visited->skip_expr_casts, next_stmt))
-+			break;
-+
-+		gcc_assert(pointer_set_contains(visited->my_stmts, next_stmt));
-+	} while (!gsi_end_p(gsi));
-+
-+	gcc_assert(next_stmt);
-+	return get_lhs(next_stmt);
-+}
-+
 +static tree expand_visited(struct visited *visited, gimple def_stmt)
 +{
 +	gimple_stmt_iterator gsi;