The grsecurity project has fixed many security bugs but did not contribute them back, as they're profiting from selling the patchset.
It's not uncommon for the bugs they found to be rediscovered 6-7 years later.
But the patchset should use the same license as the original code, shouldn't it?
> as they're profiting from selling the patchset
Profiting from selling their patchset is not the whole story, though. grsec was public and free for a long time, and there were many effects at play preventing the kernel from adopting it.
This implies (or states, hard to say) that they don't upstream specifically in order to profit. That is nonsense.
1. Tons of bugs are reported upstream by grsecurity historically.
2. Tons of critical security mitigations in the kernel were outright invented by that team. ASLR, SMAP, SMEP, NX, etc.
3. They were completely FOSS until very recently.
4. They have always maintained that they are entirely willing to upstream patches but that it's a lot of work and would require funding. Upstream has always been extremely hostile towards attempts to take small pieces of Grsecurity and upstream them.