- kill aufs1, it's dead and unmaintained for almost 2 years
1 diff -urNp linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3 +++ linux-2.6.35.5/arch/alpha/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
4 @@ -3,9 +3,9 @@
5  
6  #include <linux/dma-attrs.h>
7  
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
10  
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
13  {
14         return dma_ops;
15  }
16 diff -urNp linux-2.6.35.5/arch/alpha/include/asm/elf.h linux-2.6.35.5/arch/alpha/include/asm/elf.h
17 --- linux-2.6.35.5/arch/alpha/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
18 +++ linux-2.6.35.5/arch/alpha/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
20  
21  #define ELF_ET_DYN_BASE                (TASK_UNMAPPED_BASE + 0x1000000)
22  
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE    (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
25 +
26 +#define PAX_DELTA_MMAP_LEN     (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN    (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
28 +#endif
29 +
30  /* $0 is set by ld.so to a pointer to a function which might be 
31     registered using atexit.  This provides a mean for the dynamic
32     linker to call DT_FINI functions for shared libraries that have
33 diff -urNp linux-2.6.35.5/arch/alpha/include/asm/pgtable.h linux-2.6.35.5/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.35.5/arch/alpha/include/asm/pgtable.h     2010-08-26 19:47:12.000000000 -0400
35 +++ linux-2.6.35.5/arch/alpha/include/asm/pgtable.h     2010-09-17 20:12:09.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37  #define PAGE_SHARED    __pgprot(_PAGE_VALID | __ACCESS_BITS)
38  #define PAGE_COPY      __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39  #define PAGE_READONLY  __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
40 +
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC    __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC      __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
45 +#else
46 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC      PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
49 +#endif
50 +
51  #define PAGE_KERNEL    __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
52  
53  #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.35.5/arch/alpha/kernel/module.c linux-2.6.35.5/arch/alpha/kernel/module.c
55 --- linux-2.6.35.5/arch/alpha/kernel/module.c   2010-08-26 19:47:12.000000000 -0400
56 +++ linux-2.6.35.5/arch/alpha/kernel/module.c   2010-09-17 20:12:09.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs, 
58  
59         /* The small sections were sorted to the end of the segment.
60            The following should definitely cover them.  */
61 -       gp = (u64)me->module_core + me->core_size - 0x8000;
62 +       gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63         got = sechdrs[me->arch.gotsecindex].sh_addr;
64  
65         for (i = 0; i < n; i++) {
66 diff -urNp linux-2.6.35.5/arch/alpha/kernel/osf_sys.c linux-2.6.35.5/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.35.5/arch/alpha/kernel/osf_sys.c  2010-08-26 19:47:12.000000000 -0400
68 +++ linux-2.6.35.5/arch/alpha/kernel/osf_sys.c  2010-09-17 20:12:09.000000000 -0400
69 @@ -1170,7 +1170,7 @@ arch_get_unmapped_area_1(unsigned long a
70                 /* At this point:  (!vma || addr < vma->vm_end). */
71                 if (limit - len < addr)
72                         return -ENOMEM;
73 -               if (!vma || addr + len <= vma->vm_start)
74 +               if (check_heap_stack_gap(vma, addr, len))
75                         return addr;
76                 addr = vma->vm_end;
77                 vma = vma->vm_next;
78 @@ -1206,6 +1206,10 @@ arch_get_unmapped_area(struct file *filp
79            merely specific addresses, but regions of memory -- perhaps
80            this feature should be incorporated into all ports?  */
81  
82 +#ifdef CONFIG_PAX_RANDMMAP
83 +       if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
84 +#endif
85 +
86         if (addr) {
87                 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88                 if (addr != (unsigned long) -ENOMEM)
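Review bot: The added `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own; it relies on the following `if (addr) { … }` becoming its statement, across an `#endif` and a blank line. A statement inserted between the two later would silently change what the RANDMMAP check guards, that is, whether a caller-supplied address hint is honoured when randomisation is on. Folding the test into the hint condition inside the `#ifdef`, or at least adding `/* with RANDMMAP set the address hint below is skipped */` on the guard, would make the intent explicit. The same construct appears in the arch/arm/mm/mmap.c hunk at -63,6 +63,10. The body of arch_get_unmapped_area starts and ends outside this hunk.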
89 @@ -1213,8 +1217,8 @@ arch_get_unmapped_area(struct file *filp
90         }
91  
92         /* Next, try allocating at TASK_UNMAPPED_BASE.  */
93 -       addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
94 -                                        len, limit);
95 +       addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
96 +
97         if (addr != (unsigned long) -ENOMEM)
98                 return addr;
99  
100 diff -urNp linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c        2010-08-26 19:47:12.000000000 -0400
102 +++ linux-2.6.35.5/arch/alpha/kernel/pci_iommu.c        2010-09-17 20:12:09.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
104         return 0;
105  }
106  
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109         .alloc_coherent         = alpha_pci_alloc_coherent,
110         .free_coherent          = alpha_pci_free_coherent,
111         .map_page               = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113         .set_dma_mask           = alpha_pci_set_mask,
114  };
115  
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118  EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.35.5/arch/alpha/kernel/pci-noop.c linux-2.6.35.5/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.35.5/arch/alpha/kernel/pci-noop.c 2010-08-26 19:47:12.000000000 -0400
121 +++ linux-2.6.35.5/arch/alpha/kernel/pci-noop.c 2010-09-17 20:12:09.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
123         return 0;
124  }
125  
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128         .alloc_coherent         = alpha_noop_alloc_coherent,
129         .free_coherent          = alpha_noop_free_coherent,
130         .map_page               = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132         .set_dma_mask           = alpha_noop_set_mask,
133  };
134  
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137  EXPORT_SYMBOL(dma_ops);
138  
139  void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.35.5/arch/alpha/mm/fault.c linux-2.6.35.5/arch/alpha/mm/fault.c
141 --- linux-2.6.35.5/arch/alpha/mm/fault.c        2010-08-26 19:47:12.000000000 -0400
142 +++ linux-2.6.35.5/arch/alpha/mm/fault.c        2010-09-17 20:12:09.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144         __reload_thread(pcb);
145  }
146  
147 +#ifdef CONFIG_PAX_PAGEEXEC
148 +/*
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
150 + *
151 + * returns 1 when task should be killed
152 + *         2 when patched PLT trampoline was detected
153 + *         3 when unpatched PLT trampoline was detected
154 + */
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
156 +{
157 +
158 +#ifdef CONFIG_PAX_EMUPLT
159 +       int err;
160 +
161 +       do { /* PaX: patched PLT emulation #1 */
162 +               unsigned int ldah, ldq, jmp;
163 +
164 +               err = get_user(ldah, (unsigned int *)regs->pc);
165 +               err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 +               err |= get_user(jmp, (unsigned int *)(regs->pc+8));
167 +
168 +               if (err)
169 +                       break;
170 +
171 +               if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 +                   (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 +                   jmp == 0x6BFB0000U)
174 +               {
175 +                       unsigned long r27, addr;
176 +                       unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 +                       unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
178 +
179 +                       addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 +                       err = get_user(r27, (unsigned long *)addr);
181 +                       if (err)
182 +                               break;
183 +
184 +                       regs->r27 = r27;
185 +                       regs->pc = r27;
186 +                       return 2;
187 +               }
188 +       } while (0);
189 +
190 +       do { /* PaX: patched PLT emulation #2 */
191 +               unsigned int ldah, lda, br;
192 +
193 +               err = get_user(ldah, (unsigned int *)regs->pc);
194 +               err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 +               err |= get_user(br, (unsigned int *)(regs->pc+8));
196 +
197 +               if (err)
198 +                       break;
199 +
200 +               if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 +                   (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 +                   (br & 0xFFE00000U) == 0xC3E00000U)
203 +               {
204 +                       unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 +                       unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 +                       unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
207 +
208 +                       regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 +                       regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
210 +                       return 2;
211 +               }
212 +       } while (0);
213 +
214 +       do { /* PaX: unpatched PLT emulation */
215 +               unsigned int br;
216 +
217 +               err = get_user(br, (unsigned int *)regs->pc);
218 +
219 +               if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 +                       unsigned int br2, ldq, nop, jmp;
221 +                       unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
222 +
223 +                       addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 +                       err = get_user(br2, (unsigned int *)addr);
225 +                       err |= get_user(ldq, (unsigned int *)(addr+4));
226 +                       err |= get_user(nop, (unsigned int *)(addr+8));
227 +                       err |= get_user(jmp, (unsigned int *)(addr+12));
228 +                       err |= get_user(resolver, (unsigned long *)(addr+16));
229 +
230 +                       if (err)
231 +                               break;
232 +
233 +                       if (br2 == 0xC3600000U &&
234 +                           ldq == 0xA77B000CU &&
235 +                           nop == 0x47FF041FU &&
236 +                           jmp == 0x6B7B0000U)
237 +                       {
238 +                               regs->r28 = regs->pc+4;
239 +                               regs->r27 = addr+16;
240 +                               regs->pc = resolver;
241 +                               return 3;
242 +                       }
243 +               }
244 +       } while (0);
245 +#endif
246 +
247 +       return 1;
248 +}
249 +
250 +void pax_report_insns(void *pc, void *sp)
251 +{
252 +       unsigned long i;
253 +
254 +       printk(KERN_ERR "PAX: bytes at PC: ");
255 +       for (i = 0; i < 5; i++) {
256 +               unsigned int c;
257 +               if (get_user(c, (unsigned int *)pc+i))
258 +                       printk(KERN_CONT "???????? ");
259 +               else
260 +                       printk(KERN_CONT "%08x ", c);
261 +       }
262 +       printk("\n");
263 +}
264 +#endif
265  
266  /*
267   * This routine handles page faults.  It determines the address,
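Review bot: The get_user() calls in pax_handle_fetch_fault() and pax_report_insns() cast `regs->pc`, `addr` and `pc` to plain `unsigned int *` / `unsigned long *`, without the `__user` address-space annotation. The ARM pax_report_insns() in this same patch keeps it (`(__force unsigned char __user *)pc+i`). Writing these as, for example, `get_user(ldah, (__force unsigned int __user *)regs->pc)` lets sparse keep checking that user-controlled addresses are only dereferenced through the uaccess helpers. The instruction masks and opcodes (`0x277B0000U`, `0xA77B0000U`, `0x6BFB0000U`, …) would also read better with a short comment per pattern naming the instruction sequence being matched. The `sp` parameter of the Alpha pax_report_insns() is never used.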
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
269   good_area:
270         si_code = SEGV_ACCERR;
271         if (cause < 0) {
272 -               if (!(vma->vm_flags & VM_EXEC))
273 +               if (!(vma->vm_flags & VM_EXEC)) {
274 +
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 +                       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
277 +                               goto bad_area;
278 +
279 +                       up_read(&mm->mmap_sem);
280 +                       switch (pax_handle_fetch_fault(regs)) {
281 +
282 +#ifdef CONFIG_PAX_EMUPLT
283 +                       case 2:
284 +                       case 3:
285 +                               return;
286 +#endif
287 +
288 +                       }
289 +                       pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 +                       do_group_exit(SIGKILL);
291 +#else
292                         goto bad_area;
293 +#endif
294 +
295 +               }
296         } else if (!cause) {
297                 /* Allow reads even for write-only mappings */
298                 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
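Review bot: `up_read(&mm->mmap_sem)` is called before pax_handle_fetch_fault() with no comment saying why, and the `switch` after it has no `default` and, with CONFIG_PAX_EMUPLT off, no cases at all. The lock release matters because the handler reads user memory with get_user(); a comment such as `/* drop mmap_sem: pax_handle_fetch_fault() touches user memory */` would stop a later edit from moving it. Return value 1 (kill the task) reaches pax_report_fault() only by falling out of the switch; an explicit `default: break;` makes that path visible and avoids an empty switch body. The body of do_page_fault starts and ends outside this hunk.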
299 diff -urNp linux-2.6.35.5/arch/arm/include/asm/elf.h linux-2.6.35.5/arch/arm/include/asm/elf.h
300 --- linux-2.6.35.5/arch/arm/include/asm/elf.h   2010-08-26 19:47:12.000000000 -0400
301 +++ linux-2.6.35.5/arch/arm/include/asm/elf.h   2010-09-17 20:12:09.000000000 -0400
302 @@ -111,7 +111,14 @@ int dump_task_regs(struct task_struct *t
303     the loader.  We need to make sure that it is out of the way of the program
304     that it will "exec", and that there is sufficient room for the brk.  */
305  
306 -#define ELF_ET_DYN_BASE        (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
308 +
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE    0x00008000UL
311 +
312 +#define PAX_DELTA_MMAP_LEN     ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN    ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
314 +#endif
315  
316  /* When the program starts, a1 contains a pointer to a function to be 
317     registered with atexit, as per the SVR4 ABI.  A value of 0 means we 
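Review bot: The rewrite of ELF_ET_DYN_BASE from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` has no comment, and the reason is not evident from the line. Presumably it stops the intermediate `2 * TASK_SIZE` from wrapping in 32-bit arithmetic; if so, `/* divide first: 2 * TASK_SIZE can overflow */` should say so. The same change appears in the arch/avr32/include/asm/elf.h hunk. Separately, PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN compare `current->personality == PER_LINUX_32BIT` by equality, whereas the Alpha hunk tests a bit with `&`. If personality can carry additional flag bits, the equality fails and the smaller value 10 is selected, so it is worth confirming that this is intended.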
318 diff -urNp linux-2.6.35.5/arch/arm/include/asm/kmap_types.h linux-2.6.35.5/arch/arm/include/asm/kmap_types.h
319 --- linux-2.6.35.5/arch/arm/include/asm/kmap_types.h    2010-08-26 19:47:12.000000000 -0400
320 +++ linux-2.6.35.5/arch/arm/include/asm/kmap_types.h    2010-09-17 20:12:09.000000000 -0400
321 @@ -21,6 +21,7 @@ enum km_type {
322         KM_L1_CACHE,
323         KM_L2_CACHE,
324         KM_KDB,
325 +       KM_CLEARPAGE,
326         KM_TYPE_NR
327  };
328  
329 diff -urNp linux-2.6.35.5/arch/arm/include/asm/uaccess.h linux-2.6.35.5/arch/arm/include/asm/uaccess.h
330 --- linux-2.6.35.5/arch/arm/include/asm/uaccess.h       2010-08-26 19:47:12.000000000 -0400
331 +++ linux-2.6.35.5/arch/arm/include/asm/uaccess.h       2010-09-17 20:12:09.000000000 -0400
332 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
333  
334  static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
335  {
336 +       if ((long)n < 0)
337 +               return n;
338 +
339         if (access_ok(VERIFY_READ, from, n))
340                 n = __copy_from_user(to, from, n);
341         else /* security hole - plug it */
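Review bot: The new `if ((long)n < 0) return n;` returns before the `else /* security hole - plug it */` branch at the end of the hunk, so on this path the destination buffer `to` is left exactly as the caller passed it. That branch's body lies outside the hunk; if it clears `to` on failure, as its comment suggests, the early return is a second failure path with a different guarantee, and a caller that mishandles the return value would go on to use uninitialised kernel memory. The difference should be documented, e.g. `/* length with the sign bit set is a caller bug; refuse it without touching 'to' */`. The same guard is added, equally uncommented, to copy_to_user in the hunk at -412,6 +415,9.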
342 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
343  
344  static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
345  {
346 +       if ((long)n < 0)
347 +               return n;
348 +
349         if (access_ok(VERIFY_WRITE, to, n))
350                 n = __copy_to_user(to, from, n);
351         return n;
352 diff -urNp linux-2.6.35.5/arch/arm/kernel/kgdb.c linux-2.6.35.5/arch/arm/kernel/kgdb.c
353 --- linux-2.6.35.5/arch/arm/kernel/kgdb.c       2010-08-26 19:47:12.000000000 -0400
354 +++ linux-2.6.35.5/arch/arm/kernel/kgdb.c       2010-09-17 20:12:09.000000000 -0400
355 @@ -208,7 +208,7 @@ void kgdb_arch_exit(void)
356   * and we handle the normal undef case within the do_undefinstr
357   * handler.
358   */
359 -struct kgdb_arch arch_kgdb_ops = {
360 +const struct kgdb_arch arch_kgdb_ops = {
361  #ifndef __ARMEB__
362         .gdb_bpt_instr          = {0xfe, 0xde, 0xff, 0xe7}
363  #else /* ! __ARMEB__ */
364 diff -urNp linux-2.6.35.5/arch/arm/mach-at91/pm.c linux-2.6.35.5/arch/arm/mach-at91/pm.c
365 --- linux-2.6.35.5/arch/arm/mach-at91/pm.c      2010-08-26 19:47:12.000000000 -0400
366 +++ linux-2.6.35.5/arch/arm/mach-at91/pm.c      2010-09-17 20:12:09.000000000 -0400
367 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
368  }
369  
370  
371 -static struct platform_suspend_ops at91_pm_ops ={
372 +static const struct platform_suspend_ops at91_pm_ops ={
373         .valid  = at91_pm_valid_state,
374         .begin  = at91_pm_begin,
375         .enter  = at91_pm_enter,
376 diff -urNp linux-2.6.35.5/arch/arm/mach-davinci/pm.c linux-2.6.35.5/arch/arm/mach-davinci/pm.c
377 --- linux-2.6.35.5/arch/arm/mach-davinci/pm.c   2010-08-26 19:47:12.000000000 -0400
378 +++ linux-2.6.35.5/arch/arm/mach-davinci/pm.c   2010-09-17 20:12:09.000000000 -0400
379 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
380         return ret;
381  }
382  
383 -static struct platform_suspend_ops davinci_pm_ops = {
384 +static const struct platform_suspend_ops davinci_pm_ops = {
385         .enter          = davinci_pm_enter,
386         .valid          = suspend_valid_only_mem,
387  };
388 diff -urNp linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c
389 --- linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c   2010-08-26 19:47:12.000000000 -0400
390 +++ linux-2.6.35.5/arch/arm/mach-msm/last_radio_log.c   2010-09-17 20:12:09.000000000 -0400
391 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
392         return count;
393  }
394  
395 +/* cannot be const, see msm_init_last_radio_log */
396  static struct file_operations last_radio_log_fops = {
397         .read = last_radio_log_read
398  };
399 diff -urNp linux-2.6.35.5/arch/arm/mach-omap1/pm.c linux-2.6.35.5/arch/arm/mach-omap1/pm.c
400 --- linux-2.6.35.5/arch/arm/mach-omap1/pm.c     2010-08-26 19:47:12.000000000 -0400
401 +++ linux-2.6.35.5/arch/arm/mach-omap1/pm.c     2010-09-17 20:12:09.000000000 -0400
402 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq 
403  
404  
405  
406 -static struct platform_suspend_ops omap_pm_ops ={
407 +static const struct platform_suspend_ops omap_pm_ops ={
408         .prepare        = omap_pm_prepare,
409         .enter          = omap_pm_enter,
410         .finish         = omap_pm_finish,
411 diff -urNp linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c
412 --- linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c 2010-08-26 19:47:12.000000000 -0400
413 +++ linux-2.6.35.5/arch/arm/mach-omap2/pm24xx.c 2010-09-17 20:12:09.000000000 -0400
414 @@ -325,7 +325,7 @@ static void omap2_pm_finish(void)
415         enable_hlt();
416  }
417  
418 -static struct platform_suspend_ops omap_pm_ops = {
419 +static const struct platform_suspend_ops omap_pm_ops = {
420         .prepare        = omap2_pm_prepare,
421         .enter          = omap2_pm_enter,
422         .finish         = omap2_pm_finish,
423 diff -urNp linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c
424 --- linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c 2010-08-26 19:47:12.000000000 -0400
425 +++ linux-2.6.35.5/arch/arm/mach-omap2/pm34xx.c 2010-09-17 20:12:09.000000000 -0400
426 @@ -669,7 +669,7 @@ static void omap3_pm_end(void)
427         return;
428  }
429  
430 -static struct platform_suspend_ops omap_pm_ops = {
431 +static const struct platform_suspend_ops omap_pm_ops = {
432         .begin          = omap3_pm_begin,
433         .end            = omap3_pm_end,
434         .prepare        = omap3_pm_prepare,
435 diff -urNp linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c
436 --- linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c   2010-08-26 19:47:12.000000000 -0400
437 +++ linux-2.6.35.5/arch/arm/mach-pnx4008/pm.c   2010-09-17 20:12:09.000000000 -0400
438 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
439                (state == PM_SUSPEND_MEM);
440  }
441  
442 -static struct platform_suspend_ops pnx4008_pm_ops = {
443 +static const struct platform_suspend_ops pnx4008_pm_ops = {
444         .enter = pnx4008_pm_enter,
445         .valid = pnx4008_pm_valid,
446  };
447 diff -urNp linux-2.6.35.5/arch/arm/mach-pxa/pm.c linux-2.6.35.5/arch/arm/mach-pxa/pm.c
448 --- linux-2.6.35.5/arch/arm/mach-pxa/pm.c       2010-08-26 19:47:12.000000000 -0400
449 +++ linux-2.6.35.5/arch/arm/mach-pxa/pm.c       2010-09-17 20:12:09.000000000 -0400
450 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
451                 pxa_cpu_pm_fns->finish();
452  }
453  
454 -static struct platform_suspend_ops pxa_pm_ops = {
455 +static const struct platform_suspend_ops pxa_pm_ops = {
456         .valid          = pxa_pm_valid,
457         .enter          = pxa_pm_enter,
458         .prepare        = pxa_pm_prepare,
459 diff -urNp linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c
460 --- linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c       2010-08-26 19:47:12.000000000 -0400
461 +++ linux-2.6.35.5/arch/arm/mach-pxa/sharpsl_pm.c       2010-09-17 20:12:09.000000000 -0400
462 @@ -891,7 +891,7 @@ static void sharpsl_apm_get_power_status
463  }
464  
465  #ifdef CONFIG_PM
466 -static struct platform_suspend_ops sharpsl_pm_ops = {
467 +static const struct platform_suspend_ops sharpsl_pm_ops = {
468         .prepare        = pxa_pm_prepare,
469         .finish         = pxa_pm_finish,
470         .enter          = corgi_pxa_pm_enter,
471 diff -urNp linux-2.6.35.5/arch/arm/mach-sa1100/pm.c linux-2.6.35.5/arch/arm/mach-sa1100/pm.c
472 --- linux-2.6.35.5/arch/arm/mach-sa1100/pm.c    2010-08-26 19:47:12.000000000 -0400
473 +++ linux-2.6.35.5/arch/arm/mach-sa1100/pm.c    2010-09-17 20:12:09.000000000 -0400
474 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
475         return virt_to_phys(sp);
476  }
477  
478 -static struct platform_suspend_ops sa11x0_pm_ops = {
479 +static const struct platform_suspend_ops sa11x0_pm_ops = {
480         .enter          = sa11x0_pm_enter,
481         .valid          = suspend_valid_only_mem,
482  };
483 diff -urNp linux-2.6.35.5/arch/arm/mm/fault.c linux-2.6.35.5/arch/arm/mm/fault.c
484 --- linux-2.6.35.5/arch/arm/mm/fault.c  2010-08-26 19:47:12.000000000 -0400
485 +++ linux-2.6.35.5/arch/arm/mm/fault.c  2010-09-17 20:12:09.000000000 -0400
486 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
487         }
488  #endif
489  
490 +#ifdef CONFIG_PAX_PAGEEXEC
491 +       if (fsr & FSR_LNX_PF) {
492 +               pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
493 +               do_group_exit(SIGKILL);
494 +       }
495 +#endif
496 +
497         tsk->thread.address = addr;
498         tsk->thread.error_code = fsr;
499         tsk->thread.trap_no = 14;
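Review bot: The added block kills the task on `fsr & FSR_LNX_PF` alone, without consulting the per-task PaX flag that the other architectures in this patch check first. The Alpha hunk tests `mm->pax_flags & MF_PAX_PAGEEXEC` before calling pax_report_fault(), and so does avr32. If the per-task opt-out is meant to apply on ARM too, the condition would be `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`; as written, a task with PAGEEXEC disabled appears to receive SIGKILL plus a PaX report where stock behaviour would deliver the normal fault signal. If the difference is deliberate, a one-line comment stating why ARM needs no flag check would prevent it being "fixed" later. The body of __do_user_fault starts and ends outside this hunk.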
500 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
501  }
502  #endif                                 /* CONFIG_MMU */
503  
504 +#ifdef CONFIG_PAX_PAGEEXEC
505 +void pax_report_insns(void *pc, void *sp)
506 +{
507 +       long i;
508 +
509 +       printk(KERN_ERR "PAX: bytes at PC: ");
510 +       for (i = 0; i < 20; i++) {
511 +               unsigned char c;
512 +               if (get_user(c, (__force unsigned char __user *)pc+i))
513 +                       printk(KERN_CONT "?? ");
514 +               else
515 +                       printk(KERN_CONT "%02x ", c);
516 +       }
517 +       printk("\n");
518 +
519 +       printk(KERN_ERR "PAX: bytes at SP-4: ");
520 +       for (i = -1; i < 20; i++) {
521 +               unsigned long c;
522 +               if (get_user(c, (__force unsigned long __user *)sp+i))
523 +                       printk(KERN_CONT "???????? ");
524 +               else
525 +                       printk(KERN_CONT "%08lx ", c);
526 +       }
527 +       printk("\n");
528 +}
529 +#endif
530 +
531  /*
532   * First Level Translation Fault Handler
533   *
534 diff -urNp linux-2.6.35.5/arch/arm/mm/mmap.c linux-2.6.35.5/arch/arm/mm/mmap.c
535 --- linux-2.6.35.5/arch/arm/mm/mmap.c   2010-08-26 19:47:12.000000000 -0400
536 +++ linux-2.6.35.5/arch/arm/mm/mmap.c   2010-09-17 20:12:09.000000000 -0400
537 @@ -63,6 +63,10 @@ arch_get_unmapped_area(struct file *filp
538         if (len > TASK_SIZE)
539                 return -ENOMEM;
540  
541 +#ifdef CONFIG_PAX_RANDMMAP
542 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
543 +#endif
544 +
545         if (addr) {
546                 if (do_align)
547                         addr = COLOUR_ALIGN(addr, pgoff);
548 @@ -70,15 +74,14 @@ arch_get_unmapped_area(struct file *filp
549                         addr = PAGE_ALIGN(addr);
550  
551                 vma = find_vma(mm, addr);
552 -               if (TASK_SIZE - len >= addr &&
553 -                   (!vma || addr + len <= vma->vm_start))
554 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
555                         return addr;
556         }
557         if (len > mm->cached_hole_size) {
558 -               start_addr = addr = mm->free_area_cache;
559 +               start_addr = addr = mm->free_area_cache;
560         } else {
561 -               start_addr = addr = TASK_UNMAPPED_BASE;
562 -               mm->cached_hole_size = 0;
563 +               start_addr = addr = mm->mmap_base;
564 +               mm->cached_hole_size = 0;
565         }
566  
567  full_search:
568 @@ -94,14 +97,14 @@ full_search:
569                          * Start a new search - just in case we missed
570                          * some holes.
571                          */
572 -                       if (start_addr != TASK_UNMAPPED_BASE) {
573 -                               start_addr = addr = TASK_UNMAPPED_BASE;
574 +                       if (start_addr != mm->mmap_base) {
575 +                               start_addr = addr = mm->mmap_base;
576                                 mm->cached_hole_size = 0;
577                                 goto full_search;
578                         }
579                         return -ENOMEM;
580                 }
581 -               if (!vma || addr + len <= vma->vm_start) {
582 +               if (check_heap_stack_gap(vma, addr, len)) {
583                         /*
584                          * Remember the place where we stopped the search:
585                          */
586 diff -urNp linux-2.6.35.5/arch/arm/plat-samsung/pm.c linux-2.6.35.5/arch/arm/plat-samsung/pm.c
587 --- linux-2.6.35.5/arch/arm/plat-samsung/pm.c   2010-08-26 19:47:12.000000000 -0400
588 +++ linux-2.6.35.5/arch/arm/plat-samsung/pm.c   2010-09-17 20:12:09.000000000 -0400
589 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
590         s3c_pm_check_cleanup();
591  }
592  
593 -static struct platform_suspend_ops s3c_pm_ops = {
594 +static const struct platform_suspend_ops s3c_pm_ops = {
595         .enter          = s3c_pm_enter,
596         .prepare        = s3c_pm_prepare,
597         .finish         = s3c_pm_finish,
598 diff -urNp linux-2.6.35.5/arch/avr32/include/asm/elf.h linux-2.6.35.5/arch/avr32/include/asm/elf.h
599 --- linux-2.6.35.5/arch/avr32/include/asm/elf.h 2010-08-26 19:47:12.000000000 -0400
600 +++ linux-2.6.35.5/arch/avr32/include/asm/elf.h 2010-09-17 20:12:09.000000000 -0400
601 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
602     the loader.  We need to make sure that it is out of the way of the program
603     that it will "exec", and that there is sufficient room for the brk.  */
604  
605 -#define ELF_ET_DYN_BASE         (2 * TASK_SIZE / 3)
606 +#define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
607  
608 +#ifdef CONFIG_PAX_ASLR
609 +#define PAX_ELF_ET_DYN_BASE    0x00001000UL
610 +
611 +#define PAX_DELTA_MMAP_LEN     15
612 +#define PAX_DELTA_STACK_LEN    15
613 +#endif
614  
615  /* This yields a mask that user programs can use to figure out what
616     instruction set this CPU supports.  This could be done in user space,
617 diff -urNp linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h
618 --- linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h  2010-08-26 19:47:12.000000000 -0400
619 +++ linux-2.6.35.5/arch/avr32/include/asm/kmap_types.h  2010-09-17 20:12:09.000000000 -0400
620 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
621  D(11)  KM_IRQ1,
622  D(12)  KM_SOFTIRQ0,
623  D(13)  KM_SOFTIRQ1,
624 -D(14)  KM_TYPE_NR
625 +D(14)  KM_CLEARPAGE,
626 +D(15)  KM_TYPE_NR
627  };
628  
629  #undef D
630 diff -urNp linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c
631 --- linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c  2010-08-26 19:47:12.000000000 -0400
632 +++ linux-2.6.35.5/arch/avr32/mach-at32ap/pm.c  2010-09-17 20:12:09.000000000 -0400
633 @@ -176,7 +176,7 @@ out:
634         return 0;
635  }
636  
637 -static struct platform_suspend_ops avr32_pm_ops = {
638 +static const struct platform_suspend_ops avr32_pm_ops = {
639         .valid  = avr32_pm_valid_state,
640         .enter  = avr32_pm_enter,
641  };
642 diff -urNp linux-2.6.35.5/arch/avr32/mm/fault.c linux-2.6.35.5/arch/avr32/mm/fault.c
643 --- linux-2.6.35.5/arch/avr32/mm/fault.c        2010-08-26 19:47:12.000000000 -0400
644 +++ linux-2.6.35.5/arch/avr32/mm/fault.c        2010-09-17 20:12:09.000000000 -0400
645 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
646  
647  int exception_trace = 1;
648  
649 +#ifdef CONFIG_PAX_PAGEEXEC
650 +void pax_report_insns(void *pc, void *sp)
651 +{
652 +       unsigned long i;
653 +
654 +       printk(KERN_ERR "PAX: bytes at PC: ");
655 +       for (i = 0; i < 20; i++) {
656 +               unsigned char c;
657 +               if (get_user(c, (unsigned char *)pc+i))
658 +                       printk(KERN_CONT "???????? ");
659 +               else
660 +                       printk(KERN_CONT "%02x ", c);
661 +       }
662 +       printk("\n");
663 +}
664 +#endif
665 +
666  /*
667   * This routine handles page faults. It determines the address and the
668   * problem, and then passes it off to one of the appropriate routines.
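Review bot: In the avr32 pax_report_insns() the failure placeholder does not match the success format: a readable byte prints as `%02x ` (two hex digits) but an unreadable one prints `"???????? "` (eight characters). That breaks column alignment in the "PAX: bytes at PC:" log line and makes the dump harder to parse when triaging a report. The ARM version in this patch uses the matching width, so the line should be `printk(KERN_CONT "?? ");`. The get_user() cast here also lacks the `__user` annotation that the ARM version carries.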
669 @@ -157,6 +174,16 @@ bad_area:
670         up_read(&mm->mmap_sem);
671  
672         if (user_mode(regs)) {
673 +
674 +#ifdef CONFIG_PAX_PAGEEXEC
675 +               if (mm->pax_flags & MF_PAX_PAGEEXEC) {
676 +                       if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
677 +                               pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
678 +                               do_group_exit(SIGKILL);
679 +                       }
680 +               }
681 +#endif
682 +
683                 if (exception_trace && printk_ratelimit())
684                         printk("%s%s[%d]: segfault at %08lx pc %08lx "
685                                "sp %08lx ecr %lu\n",
686 diff -urNp linux-2.6.35.5/arch/blackfin/kernel/kgdb.c linux-2.6.35.5/arch/blackfin/kernel/kgdb.c
687 --- linux-2.6.35.5/arch/blackfin/kernel/kgdb.c  2010-08-26 19:47:12.000000000 -0400
688 +++ linux-2.6.35.5/arch/blackfin/kernel/kgdb.c  2010-09-17 20:12:09.000000000 -0400
689 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
690         return -1;              /* this means that we do not want to exit from the handler */
691  }
692  
693 -struct kgdb_arch arch_kgdb_ops = {
694 +const struct kgdb_arch arch_kgdb_ops = {
695         .gdb_bpt_instr = {0xa1},
696  #ifdef CONFIG_SMP
697         .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
698 diff -urNp linux-2.6.35.5/arch/blackfin/mach-common/pm.c linux-2.6.35.5/arch/blackfin/mach-common/pm.c
699 --- linux-2.6.35.5/arch/blackfin/mach-common/pm.c       2010-08-26 19:47:12.000000000 -0400
700 +++ linux-2.6.35.5/arch/blackfin/mach-common/pm.c       2010-09-17 20:12:09.000000000 -0400
701 @@ -232,7 +232,7 @@ static int bfin_pm_enter(suspend_state_t
702         return 0;
703  }
704  
705 -struct platform_suspend_ops bfin_pm_ops = {
706 +const struct platform_suspend_ops bfin_pm_ops = {
707         .enter = bfin_pm_enter,
708         .valid  = bfin_pm_valid,
709  };
710 diff -urNp linux-2.6.35.5/arch/blackfin/mm/maccess.c linux-2.6.35.5/arch/blackfin/mm/maccess.c
711 --- linux-2.6.35.5/arch/blackfin/mm/maccess.c   2010-08-26 19:47:12.000000000 -0400
712 +++ linux-2.6.35.5/arch/blackfin/mm/maccess.c   2010-09-17 20:12:09.000000000 -0400
713 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
714         return bfin_mem_access_type(addr, size);
715  }
716  
717 -long probe_kernel_read(void *dst, void *src, size_t size)
718 +long probe_kernel_read(void *dst, const void *src, size_t size)
719  {
720         unsigned long lsrc = (unsigned long)src;
721         int mem_type;
722 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
723         return -EFAULT;
724  }
725  
726 -long probe_kernel_write(void *dst, void *src, size_t size)
727 +long probe_kernel_write(void *dst, const void *src, size_t size)
728  {
729         unsigned long ldst = (unsigned long)dst;
730         int mem_type;
731 diff -urNp linux-2.6.35.5/arch/frv/include/asm/kmap_types.h linux-2.6.35.5/arch/frv/include/asm/kmap_types.h
732 --- linux-2.6.35.5/arch/frv/include/asm/kmap_types.h    2010-08-26 19:47:12.000000000 -0400
733 +++ linux-2.6.35.5/arch/frv/include/asm/kmap_types.h    2010-09-17 20:12:09.000000000 -0400
734 @@ -23,6 +23,7 @@ enum km_type {
735         KM_IRQ1,
736         KM_SOFTIRQ0,
737         KM_SOFTIRQ1,
738 +       KM_CLEARPAGE,
739         KM_TYPE_NR
740  };
741  
742 diff -urNp linux-2.6.35.5/arch/frv/mm/elf-fdpic.c linux-2.6.35.5/arch/frv/mm/elf-fdpic.c
743 --- linux-2.6.35.5/arch/frv/mm/elf-fdpic.c      2010-08-26 19:47:12.000000000 -0400
744 +++ linux-2.6.35.5/arch/frv/mm/elf-fdpic.c      2010-09-17 20:12:09.000000000 -0400
745 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
746         if (addr) {
747                 addr = PAGE_ALIGN(addr);
748                 vma = find_vma(current->mm, addr);
749 -               if (TASK_SIZE - len >= addr &&
750 -                   (!vma || addr + len <= vma->vm_start))
751 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
752                         goto success;
753         }
754  
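Review bot: The explicit `!vma ||` test is dropped at this call, so check_heap_stack_gap() has to treat a NULL vma as "no mapping above" on its own; its definition is not part of this hunk, so that contract cannot be confirmed here. A short comment at the call, `/* check_heap_stack_gap() must accept vma == NULL */`, would record the dependency. The same substitution in arch/ia64/kernel/sys_ia64.c and arch/ia64/mm/hugetlbpage.c is followed by `vma->vm_next` and `vmm->vm_end`, which would dereference a NULL pointer if the helper ever returned false for a NULL vma. arch_get_unmapped_area() begins and ends outside the hunk.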
755 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
756                         for (; vma; vma = vma->vm_next) {
757                                 if (addr > limit)
758                                         break;
759 -                               if (addr + len <= vma->vm_start)
760 +                               if (check_heap_stack_gap(vma, addr, len))
761                                         goto success;
762                                 addr = vma->vm_end;
763                         }
764 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
765                 for (; vma; vma = vma->vm_next) {
766                         if (addr > limit)
767                                 break;
768 -                       if (addr + len <= vma->vm_start)
769 +                       if (check_heap_stack_gap(vma, addr, len))
770                                 goto success;
771                         addr = vma->vm_end;
772                 }
773 diff -urNp linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c
774 --- linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c     2010-08-26 19:47:12.000000000 -0400
775 +++ linux-2.6.35.5/arch/ia64/hp/common/hwsw_iommu.c     2010-09-17 20:12:09.000000000 -0400
776 @@ -17,7 +17,7 @@
777  #include <linux/swiotlb.h>
778  #include <asm/machvec.h>
779  
780 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
781 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
782  
783  /* swiotlb declarations & definitions: */
784  extern int swiotlb_late_init_with_default_size (size_t size);
785 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
786                 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
787  }
788  
789 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
790 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
791  {
792         if (use_swiotlb(dev))
793                 return &swiotlb_dma_ops;
794 diff -urNp linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c
795 --- linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c      2010-08-26 19:47:12.000000000 -0400
796 +++ linux-2.6.35.5/arch/ia64/hp/common/sba_iommu.c      2010-09-17 20:12:09.000000000 -0400
797 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
798         },
799  };
800  
801 -extern struct dma_map_ops swiotlb_dma_ops;
802 +extern const struct dma_map_ops swiotlb_dma_ops;
803  
804  static int __init
805  sba_init(void)
806 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
807  
808  __setup("sbapagesize=",sba_page_override);
809  
810 -struct dma_map_ops sba_dma_ops = {
811 +const struct dma_map_ops sba_dma_ops = {
812         .alloc_coherent         = sba_alloc_coherent,
813         .free_coherent          = sba_free_coherent,
814         .map_page               = sba_map_page,
815 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h
816 --- linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h  2010-08-26 19:47:12.000000000 -0400
817 +++ linux-2.6.35.5/arch/ia64/include/asm/dma-mapping.h  2010-09-17 20:12:09.000000000 -0400
818 @@ -12,7 +12,7 @@
819  
820  #define ARCH_HAS_DMA_GET_REQUIRED_MASK
821  
822 -extern struct dma_map_ops *dma_ops;
823 +extern const struct dma_map_ops *dma_ops;
824  extern struct ia64_machine_vector ia64_mv;
825  extern void set_iommu_machvec(void);
826  
827 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
828  static inline void *dma_alloc_coherent(struct device *dev, size_t size,
829                                        dma_addr_t *daddr, gfp_t gfp)
830  {
831 -       struct dma_map_ops *ops = platform_dma_get_ops(dev);
832 +       const struct dma_map_ops *ops = platform_dma_get_ops(dev);
833         void *caddr;
834  
835         caddr = ops->alloc_coherent(dev, size, daddr, gfp);
836 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
837  static inline void dma_free_coherent(struct device *dev, size_t size,
838                                      void *caddr, dma_addr_t daddr)
839  {
840 -       struct dma_map_ops *ops = platform_dma_get_ops(dev);
841 +       const struct dma_map_ops *ops = platform_dma_get_ops(dev);
842         debug_dma_free_coherent(dev, size, caddr, daddr);
843         ops->free_coherent(dev, size, caddr, daddr);
844  }
845 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
846  
847  static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
848  {
849 -       struct dma_map_ops *ops = platform_dma_get_ops(dev);
850 +       const struct dma_map_ops *ops = platform_dma_get_ops(dev);
851         return ops->mapping_error(dev, daddr);
852  }
853  
854  static inline int dma_supported(struct device *dev, u64 mask)
855  {
856 -       struct dma_map_ops *ops = platform_dma_get_ops(dev);
857 +       const struct dma_map_ops *ops = platform_dma_get_ops(dev);
858         return ops->dma_supported(dev, mask);
859  }
860  
861 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/elf.h linux-2.6.35.5/arch/ia64/include/asm/elf.h
862 --- linux-2.6.35.5/arch/ia64/include/asm/elf.h  2010-08-26 19:47:12.000000000 -0400
863 +++ linux-2.6.35.5/arch/ia64/include/asm/elf.h  2010-09-17 20:12:09.000000000 -0400
864 @@ -42,6 +42,13 @@
865   */
866  #define ELF_ET_DYN_BASE                (TASK_UNMAPPED_BASE + 0x800000000UL)
867  
868 +#ifdef CONFIG_PAX_ASLR
869 +#define PAX_ELF_ET_DYN_BASE    (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
870 +
871 +#define PAX_DELTA_MMAP_LEN     (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
872 +#define PAX_DELTA_STACK_LEN    (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
873 +#endif
874 +
875  #define PT_IA_64_UNWIND                0x70000001
876  
877  /* IA-64 relocations: */
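Review bot: The expression `3*PAGE_SHIFT - 13` used for both PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN has no comment explaining where it comes from or what unit it is in. If, as the names suggest, these are counts of randomised address bits, a comment such as `/* number of random bits; the 64-bit value scales with the page size */` above the two defines would let a reader check the resulting entropy for each supported PAGE_SHIFT. The 32-bit branch tests `current->personality == PER_LINUX32` as an exact comparison, so a personality value with additional flag bits set would take the 64-bit branch; worth confirming that this is intended.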
878 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/machvec.h linux-2.6.35.5/arch/ia64/include/asm/machvec.h
879 --- linux-2.6.35.5/arch/ia64/include/asm/machvec.h      2010-08-26 19:47:12.000000000 -0400
880 +++ linux-2.6.35.5/arch/ia64/include/asm/machvec.h      2010-09-17 20:12:09.000000000 -0400
881 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
882  /* DMA-mapping interface: */
883  typedef void ia64_mv_dma_init (void);
884  typedef u64 ia64_mv_dma_get_required_mask (struct device *);
885 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
886 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
887  
888  /*
889   * WARNING: The legacy I/O space is _architected_.  Platforms are
890 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
891  # endif /* CONFIG_IA64_GENERIC */
892  
893  extern void swiotlb_dma_init(void);
894 -extern struct dma_map_ops *dma_get_ops(struct device *);
895 +extern const struct dma_map_ops *dma_get_ops(struct device *);
896  
897  /*
898   * Define default versions so we can extend machvec for new platforms without having
899 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/pgtable.h linux-2.6.35.5/arch/ia64/include/asm/pgtable.h
900 --- linux-2.6.35.5/arch/ia64/include/asm/pgtable.h      2010-08-26 19:47:12.000000000 -0400
901 +++ linux-2.6.35.5/arch/ia64/include/asm/pgtable.h      2010-09-17 20:12:09.000000000 -0400
902 @@ -12,7 +12,7 @@
903   *     David Mosberger-Tang <davidm@hpl.hp.com>
904   */
905  
906 -
907 +#include <linux/const.h>
908  #include <asm/mman.h>
909  #include <asm/page.h>
910  #include <asm/processor.h>
911 @@ -143,6 +143,17 @@
912  #define PAGE_READONLY  __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
913  #define PAGE_COPY      __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
914  #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
915 +
916 +#ifdef CONFIG_PAX_PAGEEXEC
917 +# define PAGE_SHARED_NOEXEC    __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
918 +# define PAGE_READONLY_NOEXEC  __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
919 +# define PAGE_COPY_NOEXEC      __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
920 +#else
921 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
922 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
923 +# define PAGE_COPY_NOEXEC      PAGE_COPY
924 +#endif
925 +
926  #define PAGE_GATE      __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
927  #define PAGE_KERNEL    __pgprot(__DIRTY_BITS  | _PAGE_PL_0 | _PAGE_AR_RWX)
928  #define PAGE_KERNELRX  __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
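Review bot: Under CONFIG_PAX_PAGEEXEC the new PAGE_READONLY_NOEXEC and PAGE_COPY_NOEXEC expand to exactly the same bits as PAGE_READONLY and PAGE_COPY in the context lines above (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so for those two names the `#ifdef` and `#else` branches are equivalent. A comment saying so, e.g. `/* same bits as the plain variants: _PAGE_AR_R and _PAGE_AR_RW carry no execute right */`, would stop a reader from hunting for a difference. Alternatively the three defines could be unconditional aliases, provided PAGE_SHARED (not visible in this hunk) is likewise built from `_PAGE_AR_RW`.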
929 diff -urNp linux-2.6.35.5/arch/ia64/include/asm/uaccess.h linux-2.6.35.5/arch/ia64/include/asm/uaccess.h
930 --- linux-2.6.35.5/arch/ia64/include/asm/uaccess.h      2010-08-26 19:47:12.000000000 -0400
931 +++ linux-2.6.35.5/arch/ia64/include/asm/uaccess.h      2010-09-17 20:12:09.000000000 -0400
932 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
933         const void *__cu_from = (from);                                                 \
934         long __cu_len = (n);                                                            \
935                                                                                         \
936 -       if (__access_ok(__cu_to, __cu_len, get_fs()))                                   \
937 +       if (__cu_len > 0  && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs()))                   \
938                 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len);   \
939         __cu_len;                                                                       \
940  })
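Review bot: The added length guard `__cu_len > 0 && __cu_len <= INT_MAX` is open-coded here and again in the next hunk, with no comment on why INT_MAX is the ceiling or what the caller sees when the guard trips. As written, a rejected length is returned unchanged as the "bytes not copied" result, so a negative `n` yields a negative return value; a comment such as `/* reject negative or >INT_MAX lengths; the whole length is reported as uncopied */` would document that. Factoring the test into one helper macro used by both copy macros would keep the two sites from drifting apart. Both macro bodies start outside their hunks.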
941 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
942         long __cu_len = (n);                                                            \
943                                                                                         \
944         __chk_user_ptr(__cu_from);                                                      \
945 -       if (__access_ok(__cu_from, __cu_len, get_fs()))                                 \
946 +       if (__cu_len > 0 && __cu_len <= INT_MAX  && __access_ok(__cu_from, __cu_len, get_fs()))                 \
947                 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len);   \
948         __cu_len;                                                                       \
949  })
950 diff -urNp linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c
951 --- linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c       2010-08-26 19:47:12.000000000 -0400
952 +++ linux-2.6.35.5/arch/ia64/kernel/dma-mapping.c       2010-09-17 20:12:09.000000000 -0400
953 @@ -3,7 +3,7 @@
954  /* Set this to 1 if there is a HW IOMMU in the system */
955  int iommu_detected __read_mostly;
956  
957 -struct dma_map_ops *dma_ops;
958 +const struct dma_map_ops *dma_ops;
959  EXPORT_SYMBOL(dma_ops);
960  
961  #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
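Review bot: `const struct dma_map_ops *dma_ops;` makes the pointed-to operations table read-only, but the exported pointer itself remains an ordinary writable variable. If the purpose of the constification is that the DMA function pointers cannot be redirected at run time, that holds only for the tables, not for this pointer; a comment such as `/* only the pointee is const; this pointer itself stays writable */` would make the boundary explicit. Where and how often dma_ops is assigned is not visible in this hunk, so whether the pointer could also live in write-protected data is something to confirm.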
962 @@ -16,7 +16,7 @@ static int __init dma_init(void)
963  }
964  fs_initcall(dma_init);
965  
966 -struct dma_map_ops *dma_get_ops(struct device *dev)
967 +const struct dma_map_ops *dma_get_ops(struct device *dev)
968  {
969         return dma_ops;
970  }
971 diff -urNp linux-2.6.35.5/arch/ia64/kernel/module.c linux-2.6.35.5/arch/ia64/kernel/module.c
972 --- linux-2.6.35.5/arch/ia64/kernel/module.c    2010-08-26 19:47:12.000000000 -0400
973 +++ linux-2.6.35.5/arch/ia64/kernel/module.c    2010-09-17 20:12:09.000000000 -0400
974 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
975  void
976  module_free (struct module *mod, void *module_region)
977  {
978 -       if (mod && mod->arch.init_unw_table &&
979 -           module_region == mod->module_init) {
980 +       if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
981                 unw_remove_unwind_table(mod->arch.init_unw_table);
982                 mod->arch.init_unw_table = NULL;
983         }
984 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
985  }
986  
987  static inline int
988 +in_init_rx (const struct module *mod, uint64_t addr)
989 +{
990 +       return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
991 +}
992 +
993 +static inline int
994 +in_init_rw (const struct module *mod, uint64_t addr)
995 +{
996 +       return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
997 +}
998 +
999 +static inline int
1000  in_init (const struct module *mod, uint64_t addr)
1001  {
1002 -       return addr - (uint64_t) mod->module_init < mod->init_size;
1003 +       return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1004 +}
1005 +
1006 +static inline int
1007 +in_core_rx (const struct module *mod, uint64_t addr)
1008 +{
1009 +       return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1010 +}
1011 +
1012 +static inline int
1013 +in_core_rw (const struct module *mod, uint64_t addr)
1014 +{
1015 +       return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1016  }
1017  
1018  static inline int
1019  in_core (const struct module *mod, uint64_t addr)
1020  {
1021 -       return addr - (uint64_t) mod->module_core < mod->core_size;
1022 +       return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1023  }
1024  
1025  static inline int
1026 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1027                 break;
1028  
1029               case RV_BDREL:
1030 -               val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1031 +               if (in_init_rx(mod, val))
1032 +                       val -= (uint64_t) mod->module_init_rx;
1033 +               else if (in_init_rw(mod, val))
1034 +                       val -= (uint64_t) mod->module_init_rw;
1035 +               else if (in_core_rx(mod, val))
1036 +                       val -= (uint64_t) mod->module_core_rx;
1037 +               else if (in_core_rw(mod, val))
1038 +                       val -= (uint64_t) mod->module_core_rw;
1039                 break;
1040  
1041               case RV_LTV:
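Review bot: The new RV_BDREL chain has no final `else`, so a `val` that lies in none of the four regions is now passed on unadjusted, whereas the removed ternary always subtracted a base (falling back to `mod->module_core`). If such a value indicates a malformed relocation it would be safer to reject it explicitly, for example `else { printk(KERN_ERR "%s: BDREL target outside module\n", mod->name); return -ENOEXEC; }`, assuming do_reloc() can return an error code at this point (its signature is only partly visible here). At minimum a comment should state that leaving `val` untouched is intentional. do_reloc() starts and ends outside the hunk.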
1042 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1043                  *     addresses have been selected...
1044                  */
1045                 uint64_t gp;
1046 -               if (mod->core_size > MAX_LTOFF)
1047 +               if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1048                         /*
1049                          * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1050                          * at the end of the module.
1051                          */
1052 -                       gp = mod->core_size - MAX_LTOFF / 2;
1053 +                       gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1054                 else
1055 -                       gp = mod->core_size / 2;
1056 -               gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1057 +                       gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1058 +               gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1059                 mod->arch.gp = gp;
1060                 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
1061         }
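Review bot: The gp offset is now computed from `mod->core_size_rx + mod->core_size_rw` but is added to `mod->module_core_rx` alone, which places gp inside the module only if the rw region sits immediately after the rx region in the address space. Nothing in this hunk establishes that layout, so it should be stated where it is relied on, e.g. `/* assumes module_core_rw directly follows module_core_rx */`, or checked where the regions are allocated. The existing comment about SHF_ARCH_SMALL being allocated "at the end of the module" predates the split and may need to say which region it refers to. apply_relocate_add() starts and ends outside the hunk.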
1062 diff -urNp linux-2.6.35.5/arch/ia64/kernel/pci-dma.c linux-2.6.35.5/arch/ia64/kernel/pci-dma.c
1063 --- linux-2.6.35.5/arch/ia64/kernel/pci-dma.c   2010-08-26 19:47:12.000000000 -0400
1064 +++ linux-2.6.35.5/arch/ia64/kernel/pci-dma.c   2010-09-17 20:12:09.000000000 -0400
1065 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1066         .dma_mask = &fallback_dev.coherent_dma_mask,
1067  };
1068  
1069 -extern struct dma_map_ops intel_dma_ops;
1070 +extern const struct dma_map_ops intel_dma_ops;
1071  
1072  static int __init pci_iommu_init(void)
1073  {
1074 diff -urNp linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c
1075 --- linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c       2010-08-26 19:47:12.000000000 -0400
1076 +++ linux-2.6.35.5/arch/ia64/kernel/pci-swiotlb.c       2010-09-17 20:12:09.000000000 -0400
1077 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1078         return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1079  }
1080  
1081 -struct dma_map_ops swiotlb_dma_ops = {
1082 +const struct dma_map_ops swiotlb_dma_ops = {
1083         .alloc_coherent = ia64_swiotlb_alloc_coherent,
1084         .free_coherent = swiotlb_free_coherent,
1085         .map_page = swiotlb_map_page,
1086 diff -urNp linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c
1087 --- linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c  2010-08-26 19:47:12.000000000 -0400
1088 +++ linux-2.6.35.5/arch/ia64/kernel/sys_ia64.c  2010-09-17 20:12:09.000000000 -0400
1089 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1090         if (REGION_NUMBER(addr) == RGN_HPAGE)
1091                 addr = 0;
1092  #endif
1093 +
1094 +#ifdef CONFIG_PAX_RANDMMAP
1095 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
1096 +               addr = mm->free_area_cache;
1097 +       else
1098 +#endif
1099 +
1100         if (!addr)
1101                 addr = mm->free_area_cache;
1102  
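Review bot: The `else` added inside `#ifdef CONFIG_PAX_RANDMMAP` binds to the `if (!addr)` that follows the `#endif`, across a blank line, so the pre-existing statement becomes an else-branch only in some configurations. That pairing is easy to break with a later edit between the two; marking it, e.g. `else /* pairs with the if (!addr) after #endif */`, or bracing both branches would make it visible. With MF_PAX_RANDMMAP set, the caller's `addr` hint is also overwritten unconditionally; whether a fixed-address request has already been handled before this point is outside the hunk.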
1103 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1104         for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1105                 /* At this point:  (!vma || addr < vma->vm_end). */
1106                 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1107 -                       if (start_addr != TASK_UNMAPPED_BASE) {
1108 +                       if (start_addr != mm->mmap_base) {
1109                                 /* Start a new search --- just in case we missed some holes.  */
1110 -                               addr = TASK_UNMAPPED_BASE;
1111 +                               addr = mm->mmap_base;
1112                                 goto full_search;
1113                         }
1114                         return -ENOMEM;
1115                 }
1116 -               if (!vma || addr + len <= vma->vm_start) {
1117 +               if (check_heap_stack_gap(vma, addr, len)) {
1118                         /* Remember the address where we stopped this search:  */
1119                         mm->free_area_cache = addr + len;
1120                         return addr;
1121 diff -urNp linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S
1122 --- linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S       2010-08-26 19:47:12.000000000 -0400
1123 +++ linux-2.6.35.5/arch/ia64/kernel/vmlinux.lds.S       2010-09-17 20:12:09.000000000 -0400
1124 @@ -196,7 +196,7 @@ SECTIONS
1125    /* Per-cpu data: */
1126    . = ALIGN(PERCPU_PAGE_SIZE);
1127    PERCPU_VADDR(PERCPU_ADDR, :percpu)
1128 -  __phys_per_cpu_start = __per_cpu_load;
1129 +  __phys_per_cpu_start = per_cpu_load;
1130    . = __phys_per_cpu_start + PERCPU_PAGE_SIZE; /* ensure percpu data fits
1131                                                  * into percpu page size
1132                                                  */
1133 diff -urNp linux-2.6.35.5/arch/ia64/mm/fault.c linux-2.6.35.5/arch/ia64/mm/fault.c
1134 --- linux-2.6.35.5/arch/ia64/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1135 +++ linux-2.6.35.5/arch/ia64/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1136 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned 
1137         return pte_present(pte);
1138  }
1139  
1140 +#ifdef CONFIG_PAX_PAGEEXEC
1141 +void pax_report_insns(void *pc, void *sp)
1142 +{
1143 +       unsigned long i;
1144 +
1145 +       printk(KERN_ERR "PAX: bytes at PC: ");
1146 +       for (i = 0; i < 8; i++) {
1147 +               unsigned int c;
1148 +               if (get_user(c, (unsigned int *)pc+i))
1149 +                       printk(KERN_CONT "???????? ");
1150 +               else
1151 +                       printk(KERN_CONT "%08x ", c);
1152 +       }
1153 +       printk("\n");
1154 +}
1155 +#endif
1156 +
1157  void __kprobes
1158  ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
1159  {
1160 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1161         mask = (  (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1162                 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1163  
1164 -       if ((vma->vm_flags & mask) != mask)
1165 +       if ((vma->vm_flags & mask) != mask) {
1166 +
1167 +#ifdef CONFIG_PAX_PAGEEXEC
1168 +               if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1169 +                       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1170 +                               goto bad_area;
1171 +
1172 +                       up_read(&mm->mmap_sem);
1173 +                       pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1174 +                       do_group_exit(SIGKILL);
1175 +               }
1176 +#endif
1177 +
1178                 goto bad_area;
1179  
1180 +       }
1181 +
1182         /*
1183          * If for any reason at all we couldn't handle the fault, make
1184          * sure we exit gracefully rather than endlessly redo the
1185 diff -urNp linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c
1186 --- linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c   2010-08-26 19:47:12.000000000 -0400
1187 +++ linux-2.6.35.5/arch/ia64/mm/hugetlbpage.c   2010-09-17 20:12:09.000000000 -0400
1188 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1189                 /* At this point:  (!vmm || addr < vmm->vm_end). */
1190                 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1191                         return -ENOMEM;
1192 -               if (!vmm || (addr + len) <= vmm->vm_start)
1193 +               if (check_heap_stack_gap(vmm, addr, len))
1194                         return addr;
1195                 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1196         }
1197 diff -urNp linux-2.6.35.5/arch/ia64/mm/init.c linux-2.6.35.5/arch/ia64/mm/init.c
1198 --- linux-2.6.35.5/arch/ia64/mm/init.c  2010-08-26 19:47:12.000000000 -0400
1199 +++ linux-2.6.35.5/arch/ia64/mm/init.c  2010-09-17 20:12:09.000000000 -0400
1200 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1201                 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1202                 vma->vm_end = vma->vm_start + PAGE_SIZE;
1203                 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1204 +
1205 +#ifdef CONFIG_PAX_PAGEEXEC
1206 +               if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1207 +                       vma->vm_flags &= ~VM_EXEC;
1208 +
1209 +#ifdef CONFIG_PAX_MPROTECT
1210 +                       if (current->mm->pax_flags & MF_PAX_MPROTECT)
1211 +                               vma->vm_flags &= ~VM_MAYEXEC;
1212 +#endif
1213 +
1214 +               }
1215 +#endif
1216 +
1217                 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1218                 down_write(&current->mm->mmap_sem);
1219                 if (insert_vm_struct(current->mm, vma)) {
1220 diff -urNp linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c
1221 --- linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c   2010-08-26 19:47:12.000000000 -0400
1222 +++ linux-2.6.35.5/arch/ia64/sn/pci/pci_dma.c   2010-09-17 20:12:09.000000000 -0400
1223 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1224         return ret;
1225  }
1226  
1227 -static struct dma_map_ops sn_dma_ops = {
1228 +static const struct dma_map_ops sn_dma_ops = {
1229         .alloc_coherent         = sn_dma_alloc_coherent,
1230         .free_coherent          = sn_dma_free_coherent,
1231         .map_page               = sn_dma_map_page,
1232 diff -urNp linux-2.6.35.5/arch/m32r/lib/usercopy.c linux-2.6.35.5/arch/m32r/lib/usercopy.c
1233 --- linux-2.6.35.5/arch/m32r/lib/usercopy.c     2010-08-26 19:47:12.000000000 -0400
1234 +++ linux-2.6.35.5/arch/m32r/lib/usercopy.c     2010-09-17 20:12:09.000000000 -0400
1235 @@ -14,6 +14,9 @@
1236  unsigned long
1237  __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1238  {
1239 +       if ((long)n < 0)
1240 +               return n;
1241 +
1242         prefetch(from);
1243         if (access_ok(VERIFY_WRITE, to, n))
1244                 __copy_user(to,from,n);
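Review bot: The added guard `if ((long)n < 0) return n;` has no comment explaining that a length with the sign bit set is treated as an invalid size and reported as entirely uncopied. Suggested comment above it: `/* lengths that are negative as a signed long are rejected; all n bytes count as not copied */`. The same guard is added to __generic_copy_from_user() in the next hunk, where the early return also bypasses the `__copy_user_zeroing()` call, so the destination buffer is left as it was; callers that do not check the return value would then read whatever the buffer held before. Both function bodies continue past their hunks.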
1245 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to, 
1246  unsigned long
1247  __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1248  {
1249 +       if ((long)n < 0)
1250 +               return n;
1251 +
1252         prefetchw(to);
1253         if (access_ok(VERIFY_READ, from, n))
1254                 __copy_user_zeroing(to,from,n);
1255 diff -urNp linux-2.6.35.5/arch/microblaze/include/asm/device.h linux-2.6.35.5/arch/microblaze/include/asm/device.h
1256 --- linux-2.6.35.5/arch/microblaze/include/asm/device.h 2010-08-26 19:47:12.000000000 -0400
1257 +++ linux-2.6.35.5/arch/microblaze/include/asm/device.h 2010-09-17 20:12:09.000000000 -0400
1258 @@ -13,7 +13,7 @@ struct device_node;
1259  
1260  struct dev_archdata {
1261         /* DMA operations on that device */
1262 -       struct dma_map_ops      *dma_ops;
1263 +       const struct dma_map_ops        *dma_ops;
1264         void                    *dma_data;
1265  };
1266  
1267 diff -urNp linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h
1268 --- linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h    2010-08-26 19:47:12.000000000 -0400
1269 +++ linux-2.6.35.5/arch/microblaze/include/asm/dma-mapping.h    2010-09-17 20:12:09.000000000 -0400
1270 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1271         return 0xfffffffful;
1272  }
1273  
1274 -extern struct dma_map_ops *dma_ops;
1275 +extern const struct dma_map_ops *dma_ops;
1276  
1277  /*
1278   * Available generic sets of operations
1279   */
1280 -extern struct dma_map_ops dma_direct_ops;
1281 +extern const struct dma_map_ops dma_direct_ops;
1282  
1283 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1284 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1285  {
1286         /* We don't handle the NULL dev case for ISA for now. We could
1287          * do it via an out of line call but it is not needed for now. The
1288 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1289         return dev->archdata.dma_ops;
1290  }
1291  
1292 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1293 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1294  {
1295         dev->archdata.dma_ops = ops;
1296  }
1297  
1298  static inline int dma_supported(struct device *dev, u64 mask)
1299  {
1300 -       struct dma_map_ops *ops = get_dma_ops(dev);
1301 +       const struct dma_map_ops *ops = get_dma_ops(dev);
1302  
1303         if (unlikely(!ops))
1304                 return 0;
1305 @@ -87,7 +87,7 @@ static inline int dma_supported(struct d
1306  
1307  static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1308  {
1309 -       struct dma_map_ops *ops = get_dma_ops(dev);
1310 +       const struct dma_map_ops *ops = get_dma_ops(dev);
1311  
1312         if (unlikely(ops == NULL))
1313                 return -EIO;
1314 @@ -103,7 +103,7 @@ static inline int dma_set_mask(struct de
1315  
1316  static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1317  {
1318 -       struct dma_map_ops *ops = get_dma_ops(dev);
1319 +       const struct dma_map_ops *ops = get_dma_ops(dev);
1320         if (ops->mapping_error)
1321                 return ops->mapping_error(dev, dma_addr);
1322  
1323 @@ -117,7 +117,7 @@ static inline int dma_mapping_error(stru
1324  static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1325                                         dma_addr_t *dma_handle, gfp_t flag)
1326  {
1327 -       struct dma_map_ops *ops = get_dma_ops(dev);
1328 +       const struct dma_map_ops *ops = get_dma_ops(dev);
1329         void *memory;
1330  
1331         BUG_ON(!ops);
1332 @@ -131,7 +131,7 @@ static inline void *dma_alloc_coherent(s
1333  static inline void dma_free_coherent(struct device *dev, size_t size,
1334                                      void *cpu_addr, dma_addr_t dma_handle)
1335  {
1336 -       struct dma_map_ops *ops = get_dma_ops(dev);
1337 +       const struct dma_map_ops *ops = get_dma_ops(dev);
1338  
1339         BUG_ON(!ops);
1340         debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1341 diff -urNp linux-2.6.35.5/arch/microblaze/include/asm/pci.h linux-2.6.35.5/arch/microblaze/include/asm/pci.h
1342 --- linux-2.6.35.5/arch/microblaze/include/asm/pci.h    2010-08-26 19:47:12.000000000 -0400
1343 +++ linux-2.6.35.5/arch/microblaze/include/asm/pci.h    2010-09-17 20:12:09.000000000 -0400
1344 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1345  }
1346  
1347  #ifdef CONFIG_PCI
1348 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1349 -extern struct dma_map_ops *get_pci_dma_ops(void);
1350 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1351 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1352  #else  /* CONFIG_PCI */
1353  #define set_pci_dma_ops(d)
1354  #define get_pci_dma_ops()      NULL
1355 diff -urNp linux-2.6.35.5/arch/microblaze/kernel/dma.c linux-2.6.35.5/arch/microblaze/kernel/dma.c
1356 --- linux-2.6.35.5/arch/microblaze/kernel/dma.c 2010-08-26 19:47:12.000000000 -0400
1357 +++ linux-2.6.35.5/arch/microblaze/kernel/dma.c 2010-09-17 20:12:09.000000000 -0400
1358 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1359         __dma_sync_page(dma_address, 0 , size, direction);
1360  }
1361  
1362 -struct dma_map_ops dma_direct_ops = {
1363 +const struct dma_map_ops dma_direct_ops = {
1364         .alloc_coherent = dma_direct_alloc_coherent,
1365         .free_coherent  = dma_direct_free_coherent,
1366         .map_sg         = dma_direct_map_sg,
1367 diff -urNp linux-2.6.35.5/arch/microblaze/pci/pci-common.c linux-2.6.35.5/arch/microblaze/pci/pci-common.c
1368 --- linux-2.6.35.5/arch/microblaze/pci/pci-common.c     2010-08-26 19:47:12.000000000 -0400
1369 +++ linux-2.6.35.5/arch/microblaze/pci/pci-common.c     2010-09-17 20:12:09.000000000 -0400
1370 @@ -46,14 +46,14 @@ resource_size_t isa_mem_base;
1371  /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1372  unsigned int pci_flags;
1373  
1374 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1375 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1376  
1377 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1378 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1379  {
1380         pci_dma_ops = dma_ops;
1381  }
1382  
1383 -struct dma_map_ops *get_pci_dma_ops(void)
1384 +const struct dma_map_ops *get_pci_dma_ops(void)
1385  {
1386         return pci_dma_ops;
1387  }
1388 diff -urNp linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c
1389 --- linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c     2010-08-26 19:47:12.000000000 -0400
1390 +++ linux-2.6.35.5/arch/mips/alchemy/devboards/pm.c     2010-09-17 20:12:09.000000000 -0400
1391 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1392  
1393  }
1394  
1395 -static struct platform_suspend_ops db1x_pm_ops = {
1396 +static const struct platform_suspend_ops db1x_pm_ops = {
1397         .valid          = suspend_valid_only_mem,
1398         .begin          = db1x_pm_begin,
1399         .enter          = db1x_pm_enter,
1400 diff -urNp linux-2.6.35.5/arch/mips/include/asm/elf.h linux-2.6.35.5/arch/mips/include/asm/elf.h
1401 --- linux-2.6.35.5/arch/mips/include/asm/elf.h  2010-08-26 19:47:12.000000000 -0400
1402 +++ linux-2.6.35.5/arch/mips/include/asm/elf.h  2010-09-17 20:12:09.000000000 -0400
1403 @@ -368,6 +368,13 @@ extern const char *__elf_platform;
1404  #define ELF_ET_DYN_BASE         (TASK_SIZE / 3 * 2)
1405  #endif
1406  
1407 +#ifdef CONFIG_PAX_ASLR
1408 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1409 +
1410 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1411 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1412 +#endif
1413 +
1414  #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1415  struct linux_binprm;
1416  extern int arch_setup_additional_pages(struct linux_binprm *bprm,
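Review bot: In `PAX_ELF_ET_DYN_BASE` both arms of the conditional are `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test selects nothing. Either reduce it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or add a comment saying the 64-bit base is intentionally the same. The block is repeated verbatim in the binfmt_elfn32.c and binfmt_elfo32.c hunks, where it follows an `#undef ELF_ET_DYN_BASE` but has no `#undef` of its own. If those files later pull in asm/elf.h (not visible here), the three copies must stay token-identical to avoid redefinition warnings.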
1417 diff -urNp linux-2.6.35.5/arch/mips/include/asm/page.h linux-2.6.35.5/arch/mips/include/asm/page.h
1418 --- linux-2.6.35.5/arch/mips/include/asm/page.h 2010-08-26 19:47:12.000000000 -0400
1419 +++ linux-2.6.35.5/arch/mips/include/asm/page.h 2010-09-17 20:12:09.000000000 -0400
1420 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1421    #ifdef CONFIG_CPU_MIPS32
1422      typedef struct { unsigned long pte_low, pte_high; } pte_t;
1423      #define pte_val(x)    ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1424 -    #define __pte(x)      ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1425 +    #define __pte(x)      ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1426    #else
1427       typedef struct { unsigned long long pte; } pte_t;
1428       #define pte_val(x)        ((x).pte)
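Review bot: With the `(unsigned long long)` cast removed, `(x) >> 32` in the new `__pte(x)` shifts by the full type width whenever the argument is 32 bits wide, which is undefined behaviour. The two-`unsigned long` layout of `pte_t` and the widening in `pte_val` suggest `unsigned long` is 32 bits on this CONFIG_CPU_MIPS32 branch. The callers are outside the hunk, so the new form is correct only if every argument is already 64 bits wide. If the cast was dropped to get a compiler diagnostic for narrow arguments, a comment should say so. Otherwise keep the widening: `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`.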
1429 diff -urNp linux-2.6.35.5/arch/mips/include/asm/system.h linux-2.6.35.5/arch/mips/include/asm/system.h
1430 --- linux-2.6.35.5/arch/mips/include/asm/system.h       2010-08-26 19:47:12.000000000 -0400
1431 +++ linux-2.6.35.5/arch/mips/include/asm/system.h       2010-09-17 20:12:09.000000000 -0400
1432 @@ -234,6 +234,6 @@ extern void per_cpu_trap_init(void);
1433   */
1434  #define __ARCH_WANT_UNLOCKED_CTXSW
1435  
1436 -extern unsigned long arch_align_stack(unsigned long sp);
1437 +#define arch_align_stack(x) ((x) & ALMASK)
1438  
1439  #endif /* _ASM_SYSTEM_H */
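Review bot: The new `#define arch_align_stack(x) ((x) & ALMASK)` is not guarded by any CONFIG_PAX_* symbol. Together with the deletion in arch/mips/kernel/process.c it removes the `get_random_int() & ~PAGE_MASK` stack offset on every build, including ones without CONFIG_PAX_ASLR. If stack randomization is meant to come from `PAX_DELTA_STACK_LEN` instead (an inference; that code is not in this hunk), keep the old function under `#ifndef CONFIG_PAX_ASLR` or state the dependency in a comment such as `/* randomization is applied elsewhere by PaX; only ABI alignment is enforced here */`. The deleted comment about 8-byte and 16-byte ABI alignment should move next to the macro. The powerpc elf.h hunk drops `randomize_et_dyn()` from `ELF_ET_DYN_BASE` in the same unconditional way.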
1440 diff -urNp linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c
1441 --- linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c     2010-08-26 19:47:12.000000000 -0400
1442 +++ linux-2.6.35.5/arch/mips/kernel/binfmt_elfn32.c     2010-09-17 20:12:09.000000000 -0400
1443 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1444  #undef ELF_ET_DYN_BASE
1445  #define ELF_ET_DYN_BASE         (TASK32_SIZE / 3 * 2)
1446  
1447 +#ifdef CONFIG_PAX_ASLR
1448 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1449 +
1450 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1451 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1452 +#endif
1453 +
1454  #include <asm/processor.h>
1455  #include <linux/module.h>
1456  #include <linux/elfcore.h>
1457 diff -urNp linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c
1458 --- linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c     2010-08-26 19:47:12.000000000 -0400
1459 +++ linux-2.6.35.5/arch/mips/kernel/binfmt_elfo32.c     2010-09-17 20:12:09.000000000 -0400
1460 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1461  #undef ELF_ET_DYN_BASE
1462  #define ELF_ET_DYN_BASE         (TASK32_SIZE / 3 * 2)
1463  
1464 +#ifdef CONFIG_PAX_ASLR
1465 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1466 +
1467 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1468 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1469 +#endif
1470 +
1471  #include <asm/processor.h>
1472  
1473  /*
1474 diff -urNp linux-2.6.35.5/arch/mips/kernel/kgdb.c linux-2.6.35.5/arch/mips/kernel/kgdb.c
1475 --- linux-2.6.35.5/arch/mips/kernel/kgdb.c      2010-08-26 19:47:12.000000000 -0400
1476 +++ linux-2.6.35.5/arch/mips/kernel/kgdb.c      2010-09-17 20:12:09.000000000 -0400
1477 @@ -270,6 +270,7 @@ int kgdb_arch_handle_exception(int vecto
1478         return -1;
1479  }
1480  
1481 +/* cannot be const, see kgdb_arch_init */
1482  struct kgdb_arch arch_kgdb_ops;
1483  
1484  /*
1485 diff -urNp linux-2.6.35.5/arch/mips/kernel/process.c linux-2.6.35.5/arch/mips/kernel/process.c
1486 --- linux-2.6.35.5/arch/mips/kernel/process.c   2010-08-26 19:47:12.000000000 -0400
1487 +++ linux-2.6.35.5/arch/mips/kernel/process.c   2010-09-17 20:12:09.000000000 -0400
1488 @@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
1489  out:
1490         return pc;
1491  }
1492 -
1493 -/*
1494 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1495 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1496 - */
1497 -unsigned long arch_align_stack(unsigned long sp)
1498 -{
1499 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1500 -               sp -= get_random_int() & ~PAGE_MASK;
1501 -
1502 -       return sp & ALMASK;
1503 -}
1504 diff -urNp linux-2.6.35.5/arch/mips/kernel/syscall.c linux-2.6.35.5/arch/mips/kernel/syscall.c
1505 --- linux-2.6.35.5/arch/mips/kernel/syscall.c   2010-08-26 19:47:12.000000000 -0400
1506 +++ linux-2.6.35.5/arch/mips/kernel/syscall.c   2010-09-17 20:12:09.000000000 -0400
1507 @@ -106,17 +106,21 @@ unsigned long arch_get_unmapped_area(str
1508         do_color_align = 0;
1509         if (filp || (flags & MAP_SHARED))
1510                 do_color_align = 1;
1511 +
1512 +#ifdef CONFIG_PAX_RANDMMAP
1513 +       if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1514 +#endif
1515 +
1516         if (addr) {
1517                 if (do_color_align)
1518                         addr = COLOUR_ALIGN(addr, pgoff);
1519                 else
1520                         addr = PAGE_ALIGN(addr);
1521                 vmm = find_vma(current->mm, addr);
1522 -               if (task_size - len >= addr &&
1523 -                   (!vmm || addr + len <= vmm->vm_start))
1524 +               if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1525                         return addr;
1526         }
1527 -       addr = TASK_UNMAPPED_BASE;
1528 +       addr = current->mm->mmap_base;
1529         if (do_color_align)
1530                 addr = COLOUR_ALIGN(addr, pgoff);
1531         else
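Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` added under `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own. It governs the `if (addr) {` block that follows the `#endif` and a blank line, which is easy to misread or to break by inserting a statement between them. Remove the blank line after `#endif` and add a comment on the guard, e.g. `/* PaX: skip the caller's address hint when RANDMMAP is enabled for this mm */`. arch_get_unmapped_area starts and ends outside the hunk.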
1532 @@ -126,7 +130,7 @@ unsigned long arch_get_unmapped_area(str
1533                 /* At this point:  (!vmm || addr < vmm->vm_end). */
1534                 if (task_size - len < addr)
1535                         return -ENOMEM;
1536 -               if (!vmm || addr + len <= vmm->vm_start)
1537 +               if (check_heap_stack_gap(vmm, addr, len))
1538                         return addr;
1539                 addr = vmm->vm_end;
1540                 if (do_color_align)
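Review bot: When `check_heap_stack_gap(vmm, addr, len)` fails, the next line reads `vmm->vm_end`, so the loop is safe only if the helper returns non-zero for a NULL `vmm`. The replaced test `!vmm || ...` guaranteed that locally. The helper's definition is not part of this hunk, so state the requirement where it is relied on, e.g. `/* check_heap_stack_gap() must return true for a NULL vma */`, or keep the explicit test: `if (!vmm || check_heap_stack_gap(vmm, addr, len))`. The same pattern appears in the get_unshared_area and get_shared_area hunks of arch/parisc/kernel/sys_parisc.c. The loop body continues outside the hunk.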
1541 diff -urNp linux-2.6.35.5/arch/mips/loongson/common/pm.c linux-2.6.35.5/arch/mips/loongson/common/pm.c
1542 --- linux-2.6.35.5/arch/mips/loongson/common/pm.c       2010-08-26 19:47:12.000000000 -0400
1543 +++ linux-2.6.35.5/arch/mips/loongson/common/pm.c       2010-09-17 20:12:09.000000000 -0400
1544 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1545         }
1546  }
1547  
1548 -static struct platform_suspend_ops loongson_pm_ops = {
1549 +static const struct platform_suspend_ops loongson_pm_ops = {
1550         .valid  = loongson_pm_valid_state,
1551         .enter  = loongson_pm_enter,
1552  };
1553 diff -urNp linux-2.6.35.5/arch/mips/mm/fault.c linux-2.6.35.5/arch/mips/mm/fault.c
1554 --- linux-2.6.35.5/arch/mips/mm/fault.c 2010-08-26 19:47:12.000000000 -0400
1555 +++ linux-2.6.35.5/arch/mips/mm/fault.c 2010-09-17 20:12:09.000000000 -0400
1556 @@ -26,6 +26,23 @@
1557  #include <asm/ptrace.h>
1558  #include <asm/highmem.h>               /* For VMALLOC_END */
1559  
1560 +#ifdef CONFIG_PAX_PAGEEXEC
1561 +void pax_report_insns(void *pc)
1562 +{
1563 +       unsigned long i;
1564 +
1565 +       printk(KERN_ERR "PAX: bytes at PC: ");
1566 +       for (i = 0; i < 5; i++) {
1567 +               unsigned int c;
1568 +               if (get_user(c, (unsigned int *)pc+i))
1569 +                       printk(KERN_CONT "???????? ");
1570 +               else
1571 +                       printk(KERN_CONT "%08x ", c);
1572 +       }
1573 +       printk("\n");
1574 +}
1575 +#endif
1576 +
1577  /*
1578   * This routine handles page faults.  It determines the address,
1579   * and the problem, and then passes it off to one of the appropriate
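Review bot: `pax_report_insns()` passes `(unsigned int *)pc+i` to `get_user()` without a `__user` annotation, and the closing `printk("\n")` has no `KERN_CONT` although it ends a line built from `KERN_CONT` pieces. Suggested lines: `if (get_user(c, (unsigned int __user *)pc + i))` and `printk(KERN_CONT "\n");`. The function also has no comment; one line saying it dumps five 32-bit words starting at `pc` and prints `????????` for any word that cannot be read would do. The log text says "bytes" where words are printed. The parisc copy in arch/parisc/mm/fault.c has the same two lines and never uses its `sp` parameter.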
1580 diff -urNp linux-2.6.35.5/arch/parisc/include/asm/elf.h linux-2.6.35.5/arch/parisc/include/asm/elf.h
1581 --- linux-2.6.35.5/arch/parisc/include/asm/elf.h        2010-08-26 19:47:12.000000000 -0400
1582 +++ linux-2.6.35.5/arch/parisc/include/asm/elf.h        2010-09-17 20:12:09.000000000 -0400
1583 @@ -342,6 +342,13 @@ struct pt_regs;    /* forward declaration..
1584  
1585  #define ELF_ET_DYN_BASE         (TASK_UNMAPPED_BASE + 0x01000000)
1586  
1587 +#ifdef CONFIG_PAX_ASLR
1588 +#define PAX_ELF_ET_DYN_BASE    0x10000UL
1589 +
1590 +#define PAX_DELTA_MMAP_LEN     16
1591 +#define PAX_DELTA_STACK_LEN    16
1592 +#endif
1593 +
1594  /* This yields a mask that user programs can use to figure out what
1595     instruction set this CPU supports.  This could be done in user space,
1596     but it's not easy, and we've already done it here.  */
1597 diff -urNp linux-2.6.35.5/arch/parisc/include/asm/pgtable.h linux-2.6.35.5/arch/parisc/include/asm/pgtable.h
1598 --- linux-2.6.35.5/arch/parisc/include/asm/pgtable.h    2010-08-26 19:47:12.000000000 -0400
1599 +++ linux-2.6.35.5/arch/parisc/include/asm/pgtable.h    2010-09-17 20:12:09.000000000 -0400
1600 @@ -207,6 +207,17 @@
1601  #define PAGE_EXECREAD   __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1602  #define PAGE_COPY       PAGE_EXECREAD
1603  #define PAGE_RWX        __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1604 +
1605 +#ifdef CONFIG_PAX_PAGEEXEC
1606 +# define PAGE_SHARED_NOEXEC    __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1607 +# define PAGE_COPY_NOEXEC      __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1608 +# define PAGE_READONLY_NOEXEC  __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1609 +#else
1610 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
1611 +# define PAGE_COPY_NOEXEC      PAGE_COPY
1612 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
1613 +#endif
1614 +
1615  #define PAGE_KERNEL    __pgprot(_PAGE_KERNEL)
1616  #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1617  #define PAGE_KERNEL_UNC        __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1618 diff -urNp linux-2.6.35.5/arch/parisc/kernel/module.c linux-2.6.35.5/arch/parisc/kernel/module.c
1619 --- linux-2.6.35.5/arch/parisc/kernel/module.c  2010-08-26 19:47:12.000000000 -0400
1620 +++ linux-2.6.35.5/arch/parisc/kernel/module.c  2010-09-17 20:12:09.000000000 -0400
1621 @@ -96,16 +96,38 @@
1622  
1623  /* three functions to determine where in the module core
1624   * or init pieces the location is */
1625 +static inline int in_init_rx(struct module *me, void *loc)
1626 +{
1627 +       return (loc >= me->module_init_rx &&
1628 +               loc < (me->module_init_rx + me->init_size_rx));
1629 +}
1630 +
1631 +static inline int in_init_rw(struct module *me, void *loc)
1632 +{
1633 +       return (loc >= me->module_init_rw &&
1634 +               loc < (me->module_init_rw + me->init_size_rw));
1635 +}
1636 +
1637  static inline int in_init(struct module *me, void *loc)
1638  {
1639 -       return (loc >= me->module_init &&
1640 -               loc <= (me->module_init + me->init_size));
1641 +       return in_init_rx(me, loc) || in_init_rw(me, loc);
1642 +}
1643 +
1644 +static inline int in_core_rx(struct module *me, void *loc)
1645 +{
1646 +       return (loc >= me->module_core_rx &&
1647 +               loc < (me->module_core_rx + me->core_size_rx));
1648 +}
1649 +
1650 +static inline int in_core_rw(struct module *me, void *loc)
1651 +{
1652 +       return (loc >= me->module_core_rw &&
1653 +               loc < (me->module_core_rw + me->core_size_rw));
1654  }
1655  
1656  static inline int in_core(struct module *me, void *loc)
1657  {
1658 -       return (loc >= me->module_core &&
1659 -               loc <= (me->module_core + me->core_size));
1660 +       return in_core_rx(me, loc) || in_core_rw(me, loc);
1661  }
1662  
1663  static inline int in_local(struct module *me, void *loc)
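Review bot: The comment `three functions to determine where in the module core or init pieces the location is` above the added helpers is now stale. The hunk adds `in_init_rx`, `in_init_rw`, `in_core_rx` and `in_core_rw`, and `in_init`/`in_core` become wrappers over them. Update it, e.g. `/* helpers to determine whether a location lies in the rx or rw part of the module's init or core area */`. The new helpers also change the upper bound from `<=` to `<`, which excludes the one-past-the-end address that the old `in_init`/`in_core` accepted. That looks like a deliberate tightening, but the callers are outside the hunk, so it deserves a line in the comment.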
1664 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1665         }
1666  
1667         /* align things a bit */
1668 -       me->core_size = ALIGN(me->core_size, 16);
1669 -       me->arch.got_offset = me->core_size;
1670 -       me->core_size += gots * sizeof(struct got_entry);
1671 -
1672 -       me->core_size = ALIGN(me->core_size, 16);
1673 -       me->arch.fdesc_offset = me->core_size;
1674 -       me->core_size += fdescs * sizeof(Elf_Fdesc);
1675 +       me->core_size_rw = ALIGN(me->core_size_rw, 16);
1676 +       me->arch.got_offset = me->core_size_rw;
1677 +       me->core_size_rw += gots * sizeof(struct got_entry);
1678 +
1679 +       me->core_size_rw = ALIGN(me->core_size_rw, 16);
1680 +       me->arch.fdesc_offset = me->core_size_rw;
1681 +       me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1682  
1683         me->arch.got_max = gots;
1684         me->arch.fdesc_max = fdescs;
1685 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module 
1686  
1687         BUG_ON(value == 0);
1688  
1689 -       got = me->module_core + me->arch.got_offset;
1690 +       got = me->module_core_rw + me->arch.got_offset;
1691         for (i = 0; got[i].addr; i++)
1692                 if (got[i].addr == value)
1693                         goto out;
1694 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module 
1695  #ifdef CONFIG_64BIT
1696  static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1697  {
1698 -       Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1699 +       Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1700  
1701         if (!value) {
1702                 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1703 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module 
1704  
1705         /* Create new one */
1706         fdesc->addr = value;
1707 -       fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1708 +       fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1709         return (Elf_Addr)fdesc;
1710  }
1711  #endif /* CONFIG_64BIT */
1712 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1713  
1714         table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1715         end = table + sechdrs[me->arch.unwind_section].sh_size;
1716 -       gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1717 +       gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1718  
1719         DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1720                me->arch.unwind_section, table, end, gp);
1721 diff -urNp linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c
1722 --- linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c      2010-08-26 19:47:12.000000000 -0400
1723 +++ linux-2.6.35.5/arch/parisc/kernel/sys_parisc.c      2010-09-17 20:12:09.000000000 -0400
1724 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1725                 /* At this point:  (!vma || addr < vma->vm_end). */
1726                 if (TASK_SIZE - len < addr)
1727                         return -ENOMEM;
1728 -               if (!vma || addr + len <= vma->vm_start)
1729 +               if (check_heap_stack_gap(vma, addr, len))
1730                         return addr;
1731                 addr = vma->vm_end;
1732         }
1733 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1734                 /* At this point:  (!vma || addr < vma->vm_end). */
1735                 if (TASK_SIZE - len < addr)
1736                         return -ENOMEM;
1737 -               if (!vma || addr + len <= vma->vm_start)
1738 +               if (check_heap_stack_gap(vma, addr, len))
1739                         return addr;
1740                 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1741                 if (addr < vma->vm_end) /* handle wraparound */
1742 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1743         if (flags & MAP_FIXED)
1744                 return addr;
1745         if (!addr)
1746 -               addr = TASK_UNMAPPED_BASE;
1747 +               addr = current->mm->mmap_base;
1748  
1749         if (filp) {
1750                 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
1751 diff -urNp linux-2.6.35.5/arch/parisc/kernel/traps.c linux-2.6.35.5/arch/parisc/kernel/traps.c
1752 --- linux-2.6.35.5/arch/parisc/kernel/traps.c   2010-08-26 19:47:12.000000000 -0400
1753 +++ linux-2.6.35.5/arch/parisc/kernel/traps.c   2010-09-17 20:12:09.000000000 -0400
1754 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1755  
1756                         down_read(&current->mm->mmap_sem);
1757                         vma = find_vma(current->mm,regs->iaoq[0]);
1758 -                       if (vma && (regs->iaoq[0] >= vma->vm_start)
1759 -                               && (vma->vm_flags & VM_EXEC)) {
1760 -
1761 +                       if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1762                                 fault_address = regs->iaoq[0];
1763                                 fault_space = regs->iasq[0];
1764  
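Review bot: The `(vma->vm_flags & VM_EXEC)` test is dropped without an `#ifdef CONFIG_PAX_PAGEEXEC`, so `fault_address` and `fault_space` are now taken from `regs->iaoq[0]` for any mapped address on every configuration. Presumably this lets instruction fetches from non-executable mappings reach the page-fault path where the PaX check added in arch/parisc/mm/fault.c runs, but nothing in the hunk says so. Add a comment such as `/* no VM_EXEC test here: non-executable fetches are decided in the page-fault handler */`, or keep the old test for builds without CONFIG_PAX_PAGEEXEC. The enclosing branch continues outside the hunk.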
1765 diff -urNp linux-2.6.35.5/arch/parisc/mm/fault.c linux-2.6.35.5/arch/parisc/mm/fault.c
1766 --- linux-2.6.35.5/arch/parisc/mm/fault.c       2010-08-26 19:47:12.000000000 -0400
1767 +++ linux-2.6.35.5/arch/parisc/mm/fault.c       2010-09-17 20:12:09.000000000 -0400
1768 @@ -15,6 +15,7 @@
1769  #include <linux/sched.h>
1770  #include <linux/interrupt.h>
1771  #include <linux/module.h>
1772 +#include <linux/unistd.h>
1773  
1774  #include <asm/uaccess.h>
1775  #include <asm/traps.h>
1776 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1777  static unsigned long
1778  parisc_acctyp(unsigned long code, unsigned int inst)
1779  {
1780 -       if (code == 6 || code == 16)
1781 +       if (code == 6 || code == 7 || code == 16)
1782             return VM_EXEC;
1783  
1784         switch (inst & 0xf0000000) {
1785 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1786                         }
1787  #endif
1788  
1789 +#ifdef CONFIG_PAX_PAGEEXEC
1790 +/*
1791 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1792 + *
1793 + * returns 1 when task should be killed
1794 + *         2 when rt_sigreturn trampoline was detected
1795 + *         3 when unpatched PLT trampoline was detected
1796 + */
1797 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1798 +{
1799 +
1800 +#ifdef CONFIG_PAX_EMUPLT
1801 +       int err;
1802 +
1803 +       do { /* PaX: unpatched PLT emulation */
1804 +               unsigned int bl, depwi;
1805 +
1806 +               err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1807 +               err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1808 +
1809 +               if (err)
1810 +                       break;
1811 +
1812 +               if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1813 +                       unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1814 +
1815 +                       err = get_user(ldw, (unsigned int *)addr);
1816 +                       err |= get_user(bv, (unsigned int *)(addr+4));
1817 +                       err |= get_user(ldw2, (unsigned int *)(addr+8));
1818 +
1819 +                       if (err)
1820 +                               break;
1821 +
1822 +                       if (ldw == 0x0E801096U &&
1823 +                           bv == 0xEAC0C000U &&
1824 +                           ldw2 == 0x0E881095U)
1825 +                       {
1826 +                               unsigned int resolver, map;
1827 +
1828 +                               err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1829 +                               err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1830 +                               if (err)
1831 +                                       break;
1832 +
1833 +                               regs->gr[20] = instruction_pointer(regs)+8;
1834 +                               regs->gr[21] = map;
1835 +                               regs->gr[22] = resolver;
1836 +                               regs->iaoq[0] = resolver | 3UL;
1837 +                               regs->iaoq[1] = regs->iaoq[0] + 4;
1838 +                               return 3;
1839 +                       }
1840 +               }
1841 +       } while (0);
1842 +#endif
1843 +
1844 +#ifdef CONFIG_PAX_EMUTRAMP
1845 +
1846 +#ifndef CONFIG_PAX_EMUSIGRT
1847 +       if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1848 +               return 1;
1849 +#endif
1850 +
1851 +       do { /* PaX: rt_sigreturn emulation */
1852 +               unsigned int ldi1, ldi2, bel, nop;
1853 +
1854 +               err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1855 +               err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1856 +               err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1857 +               err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1858 +
1859 +               if (err)
1860 +                       break;
1861 +
1862 +               if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1863 +                   ldi2 == 0x3414015AU &&
1864 +                   bel == 0xE4008200U &&
1865 +                   nop == 0x08000240U)
1866 +               {
1867 +                       regs->gr[25] = (ldi1 & 2) >> 1;
1868 +                       regs->gr[20] = __NR_rt_sigreturn;
1869 +                       regs->gr[31] = regs->iaoq[1] + 16;
1870 +                       regs->sr[0] = regs->iasq[1];
1871 +                       regs->iaoq[0] = 0x100UL;
1872 +                       regs->iaoq[1] = regs->iaoq[0] + 4;
1873 +                       regs->iasq[0] = regs->sr[2];
1874 +                       regs->iasq[1] = regs->sr[2];
1875 +                       return 2;
1876 +               }
1877 +       } while (0);
1878 +#endif
1879 +
1880 +       return 1;
1881 +}
1882 +
1883 +void pax_report_insns(void *pc, void *sp)
1884 +{
1885 +       unsigned long i;
1886 +
1887 +       printk(KERN_ERR "PAX: bytes at PC: ");
1888 +       for (i = 0; i < 5; i++) {
1889 +               unsigned int c;
1890 +               if (get_user(c, (unsigned int *)pc+i))
1891 +                       printk(KERN_CONT "???????? ");
1892 +               else
1893 +                       printk(KERN_CONT "%08x ", c);
1894 +       }
1895 +       printk("\n");
1896 +}
1897 +#endif
1898 +
1899  int fixup_exception(struct pt_regs *regs)
1900  {
1901         const struct exception_table_entry *fix;
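Review bot: In `pax_handle_fetch_fault()` the variable `err` is declared only inside `#ifdef CONFIG_PAX_EMUPLT`, but the `CONFIG_PAX_EMUTRAMP` block assigns and tests it as well. A configuration with EMUTRAMP and without EMUPLT would not compile unless Kconfig (not visible here) forbids that combination. Declare it for either option: `#if defined(CONFIG_PAX_EMUPLT) || defined(CONFIG_PAX_EMUTRAMP)`, `int err;`, `#endif`. The return codes 1, 2 and 3 documented in the header comment are used as bare numbers by the caller in the next hunk; named constants would keep the two in step.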
1902 @@ -192,8 +303,33 @@ good_area:
1903  
1904         acc_type = parisc_acctyp(code,regs->iir);
1905  
1906 -       if ((vma->vm_flags & acc_type) != acc_type)
1907 +       if ((vma->vm_flags & acc_type) != acc_type) {
1908 +
1909 +#ifdef CONFIG_PAX_PAGEEXEC
1910 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1911 +                   (address & ~3UL) == instruction_pointer(regs))
1912 +               {
1913 +                       up_read(&mm->mmap_sem);
1914 +                       switch (pax_handle_fetch_fault(regs)) {
1915 +
1916 +#ifdef CONFIG_PAX_EMUPLT
1917 +                       case 3:
1918 +                               return;
1919 +#endif
1920 +
1921 +#ifdef CONFIG_PAX_EMUTRAMP
1922 +                       case 2:
1923 +                               return;
1924 +#endif
1925 +
1926 +                       }
1927 +                       pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1928 +                       do_group_exit(SIGKILL);
1929 +               }
1930 +#endif
1931 +
1932                 goto bad_area;
1933 +       }
1934  
1935         /*
1936          * If for any reason at all we couldn't handle the fault, make
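Review bot: The `switch (pax_handle_fetch_fault(regs))` has no `default` and both of its cases are conditionally compiled, so the kill path for return value 1 is reached only by falling out of a possibly empty switch. Add `default: break;` with a comment that 1 means report and kill. `up_read(&mm->mmap_sem)` runs before the switch, so the `goto bad_area` that follows the `#endif` must not be reached from this branch, which relies on `do_group_exit(SIGKILL)` not returning. bad_area is outside the hunk, so say that in a comment next to the call.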
1937 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/device.h linux-2.6.35.5/arch/powerpc/include/asm/device.h
1938 --- linux-2.6.35.5/arch/powerpc/include/asm/device.h    2010-08-26 19:47:12.000000000 -0400
1939 +++ linux-2.6.35.5/arch/powerpc/include/asm/device.h    2010-09-17 20:12:09.000000000 -0400
1940 @@ -11,7 +11,7 @@ struct device_node;
1941  
1942  struct dev_archdata {
1943         /* DMA operations on that device */
1944 -       struct dma_map_ops      *dma_ops;
1945 +       const struct dma_map_ops        *dma_ops;
1946  
1947         /*
1948          * When an iommu is in use, dma_data is used as a ptr to the base of the
1949 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h
1950 --- linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h       2010-08-26 19:47:12.000000000 -0400
1951 +++ linux-2.6.35.5/arch/powerpc/include/asm/dma-mapping.h       2010-09-17 20:12:09.000000000 -0400
1952 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
1953  /*
1954   * Available generic sets of operations
1955   */
1956 +/* cannot be const */
1957  #ifdef CONFIG_PPC64
1958  extern struct dma_map_ops dma_iommu_ops;
1959  #endif
1960 -extern struct dma_map_ops dma_direct_ops;
1961 +extern const struct dma_map_ops dma_direct_ops;
1962  
1963 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1964 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1965  {
1966         /* We don't handle the NULL dev case for ISA for now. We could
1967          * do it via an out of line call but it is not needed for now. The
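Review bot: The added `/* cannot be const */` sits above `#ifdef CONFIG_PPC64`, and `dma_direct_ops` is made const a few lines below it, so it is unclear which object it refers to and why. Move it onto the `dma_iommu_ops` declaration and give the reason, e.g. `extern struct dma_map_ops dma_iommu_ops; /* cannot be const: <reason> */`, as the kgdb hunk does with `see kgdb_arch_init`. The hunk ends inside the comment in get_dma_ops.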
1968 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
1969         return dev->archdata.dma_ops;
1970  }
1971  
1972 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1973 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1974  {
1975         dev->archdata.dma_ops = ops;
1976  }
1977 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
1978  
1979  static inline int dma_supported(struct device *dev, u64 mask)
1980  {
1981 -       struct dma_map_ops *dma_ops = get_dma_ops(dev);
1982 +       const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1983  
1984         if (unlikely(dma_ops == NULL))
1985                 return 0;
1986 @@ -129,7 +130,7 @@ static inline int dma_supported(struct d
1987  
1988  static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1989  {
1990 -       struct dma_map_ops *dma_ops = get_dma_ops(dev);
1991 +       const struct dma_map_ops *dma_ops = get_dma_ops(dev);
1992  
1993         if (unlikely(dma_ops == NULL))
1994                 return -EIO;
1995 @@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
1996  static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1997                                        dma_addr_t *dma_handle, gfp_t flag)
1998  {
1999 -       struct dma_map_ops *dma_ops = get_dma_ops(dev);
2000 +       const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2001         void *cpu_addr;
2002  
2003         BUG_ON(!dma_ops);
2004 @@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
2005  static inline void dma_free_coherent(struct device *dev, size_t size,
2006                                      void *cpu_addr, dma_addr_t dma_handle)
2007  {
2008 -       struct dma_map_ops *dma_ops = get_dma_ops(dev);
2009 +       const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2010  
2011         BUG_ON(!dma_ops);
2012  
2013 @@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
2014  
2015  static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2016  {
2017 -       struct dma_map_ops *dma_ops = get_dma_ops(dev);
2018 +       const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2019  
2020         if (dma_ops->mapping_error)
2021                 return dma_ops->mapping_error(dev, dma_addr);
2022 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/elf.h linux-2.6.35.5/arch/powerpc/include/asm/elf.h
2023 --- linux-2.6.35.5/arch/powerpc/include/asm/elf.h       2010-08-26 19:47:12.000000000 -0400
2024 +++ linux-2.6.35.5/arch/powerpc/include/asm/elf.h       2010-09-17 20:12:09.000000000 -0400
2025 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2026     the loader.  We need to make sure that it is out of the way of the program
2027     that it will "exec", and that there is sufficient room for the brk.  */
2028  
2029 -extern unsigned long randomize_et_dyn(unsigned long base);
2030 -#define ELF_ET_DYN_BASE                (randomize_et_dyn(0x20000000))
2031 +#define ELF_ET_DYN_BASE                (0x20000000)
2032 +
2033 +#ifdef CONFIG_PAX_ASLR
2034 +#define PAX_ELF_ET_DYN_BASE    (0x10000000UL)
2035 +
2036 +#ifdef __powerpc64__
2037 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_32BIT) ? 16 : 28)
2038 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_32BIT) ? 16 : 28)
2039 +#else
2040 +#define PAX_DELTA_MMAP_LEN     15
2041 +#define PAX_DELTA_STACK_LEN    15
2042 +#endif
2043 +#endif
2044  
2045  /*
2046   * Our registers are always unsigned longs, whether we're a 32 bit
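Review bot: With CONFIG_PAX_ASLR disabled, `ELF_ET_DYN_BASE` becomes the fixed address `0x20000000`, because the stock `randomize_et_dyn()` call is dropped unconditionally rather than under the new `#ifdef`. The next hunk in this file and the process.c hunk likewise remove `arch_randomize_brk()`, `brk_rnd()` and `randomize_et_dyn()` for every configuration. As far as these hunks show, a kernel built from this tree without PaX ASLR would lose the ET_DYN-base and brk randomisation the unpatched kernel had. Keeping the original definitions under `#ifndef CONFIG_PAX_ASLR` would preserve that baseline; at minimum add `/* fixed base: ET_DYN randomisation now depends on CONFIG_PAX_ASLR */` above the define.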
2047 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2048         (0x7ff >> (PAGE_SHIFT - 12)) : \
2049         (0x3ffff >> (PAGE_SHIFT - 12)))
2050  
2051 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2052 -#define arch_randomize_brk arch_randomize_brk
2053 -
2054  #endif /* __KERNEL__ */
2055  
2056  /*
2057 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/iommu.h linux-2.6.35.5/arch/powerpc/include/asm/iommu.h
2058 --- linux-2.6.35.5/arch/powerpc/include/asm/iommu.h     2010-08-26 19:47:12.000000000 -0400
2059 +++ linux-2.6.35.5/arch/powerpc/include/asm/iommu.h     2010-09-17 20:12:09.000000000 -0400
2060 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2061  extern void iommu_init_early_dart(void);
2062  extern void iommu_init_early_pasemi(void);
2063  
2064 +/* dma-iommu.c */
2065 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2066 +
2067  #ifdef CONFIG_PCI
2068  extern void pci_iommu_init(void);
2069  extern void pci_direct_iommu_init(void);
2070 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h
2071 --- linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h        2010-08-26 19:47:12.000000000 -0400
2072 +++ linux-2.6.35.5/arch/powerpc/include/asm/kmap_types.h        2010-09-17 20:12:09.000000000 -0400
2073 @@ -27,6 +27,7 @@ enum km_type {
2074         KM_PPC_SYNC_PAGE,
2075         KM_PPC_SYNC_ICACHE,
2076         KM_KDB,
2077 +       KM_CLEARPAGE,
2078         KM_TYPE_NR
2079  };
2080  
2081 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/page_64.h linux-2.6.35.5/arch/powerpc/include/asm/page_64.h
2082 --- linux-2.6.35.5/arch/powerpc/include/asm/page_64.h   2010-08-26 19:47:12.000000000 -0400
2083 +++ linux-2.6.35.5/arch/powerpc/include/asm/page_64.h   2010-09-17 20:12:09.000000000 -0400
2084 @@ -172,15 +172,18 @@ do {                                              \
2085   * stack by default, so in the absense of a PT_GNU_STACK program header
2086   * we turn execute permission off.
2087   */
2088 -#define VM_STACK_DEFAULT_FLAGS32       (VM_READ | VM_WRITE | VM_EXEC | \
2089 -                                        VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2090 +#define VM_STACK_DEFAULT_FLAGS32 \
2091 +       (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2092 +        VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2093  
2094  #define VM_STACK_DEFAULT_FLAGS64       (VM_READ | VM_WRITE | \
2095                                          VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2096  
2097 +#ifndef CONFIG_PAX_PAGEEXEC
2098  #define VM_STACK_DEFAULT_FLAGS \
2099         (test_thread_flag(TIF_32BIT) ? \
2100          VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2101 +#endif
2102  
2103  #include <asm-generic/getorder.h>
2104  
2105 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/page.h linux-2.6.35.5/arch/powerpc/include/asm/page.h
2106 --- linux-2.6.35.5/arch/powerpc/include/asm/page.h      2010-08-26 19:47:12.000000000 -0400
2107 +++ linux-2.6.35.5/arch/powerpc/include/asm/page.h      2010-09-17 20:12:09.000000000 -0400
2108 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2109   * and needs to be executable.  This means the whole heap ends
2110   * up being executable.
2111   */
2112 -#define VM_DATA_DEFAULT_FLAGS32        (VM_READ | VM_WRITE | VM_EXEC | \
2113 -                                VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2114 +#define VM_DATA_DEFAULT_FLAGS32 \
2115 +       (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2116 +        VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2117  
2118  #define VM_DATA_DEFAULT_FLAGS64        (VM_READ | VM_WRITE | \
2119                                  VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
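Review bot: The comment kept above `VM_DATA_DEFAULT_FLAGS32` still says the whole heap ends up executable, but the new definition sets `VM_EXEC` only when `current->personality` has `READ_IMPLIES_EXEC`. I would extend the comment with a line such as `* The 32-bit heap is now executable only for READ_IMPLIES_EXEC personalities; VM_MAYEXEC is kept.` The macro now also evaluates `current`, so it is no longer a constant expression, which deserves a mention for anyone using it in an initialiser. The comment block starts outside the hunk.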
2120 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2121  #define is_kernel_addr(x)      ((x) >= PAGE_OFFSET)
2122  #endif
2123  
2124 +#define ktla_ktva(addr)                (addr)
2125 +#define ktva_ktla(addr)                (addr)
2126 +
2127  #ifndef __ASSEMBLY__
2128  
2129  #undef STRICT_MM_TYPECHECKS
2130 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/pci.h linux-2.6.35.5/arch/powerpc/include/asm/pci.h
2131 --- linux-2.6.35.5/arch/powerpc/include/asm/pci.h       2010-08-26 19:47:12.000000000 -0400
2132 +++ linux-2.6.35.5/arch/powerpc/include/asm/pci.h       2010-09-17 20:12:09.000000000 -0400
2133 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2134  }
2135  
2136  #ifdef CONFIG_PCI
2137 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2138 -extern struct dma_map_ops *get_pci_dma_ops(void);
2139 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2140 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2141  #else  /* CONFIG_PCI */
2142  #define set_pci_dma_ops(d)
2143  #define get_pci_dma_ops()      NULL
2144 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h
2145 --- linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h        2010-08-26 19:47:12.000000000 -0400
2146 +++ linux-2.6.35.5/arch/powerpc/include/asm/pte-hash32.h        2010-09-17 20:12:09.000000000 -0400
2147 @@ -21,6 +21,7 @@
2148  #define _PAGE_FILE     0x004   /* when !present: nonlinear file mapping */
2149  #define _PAGE_USER     0x004   /* usermode access allowed */
2150  #define _PAGE_GUARDED  0x008   /* G: prohibit speculative access */
2151 +#define _PAGE_EXEC     _PAGE_GUARDED
2152  #define _PAGE_COHERENT 0x010   /* M: enforce memory coherence (SMP systems) */
2153  #define _PAGE_NO_CACHE 0x020   /* I: cache inhibit */
2154  #define _PAGE_WRITETHRU        0x040   /* W: cache write-through */
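Review bot: `_PAGE_EXEC` is introduced as an alias of `_PAGE_GUARDED` with no comment, so a reader cannot tell whether a set bit is meant to permit or to forbid instruction fetch. Nor is it clear that mappings marked guarded for other reasons now share the flag. The reg.h hunk of this patch adds `DSISR_GUARDED` ("fetch from guarded storage"), which suggests the G bit is being reused to trap fetches; if that is the intent, record it here, e.g. `/* hash32 has no separate exec bit: reuse G so fetches from guarded storage fault */`. The polarity should be confirmed against the users of `_PAGE_EXEC`, which are outside this hunk.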
2155 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/reg.h linux-2.6.35.5/arch/powerpc/include/asm/reg.h
2156 --- linux-2.6.35.5/arch/powerpc/include/asm/reg.h       2010-08-26 19:47:12.000000000 -0400
2157 +++ linux-2.6.35.5/arch/powerpc/include/asm/reg.h       2010-09-17 20:12:09.000000000 -0400
2158 @@ -191,6 +191,7 @@
2159  #define SPRN_DBCR      0x136   /* e300 Data Breakpoint Control Reg */
2160  #define SPRN_DSISR     0x012   /* Data Storage Interrupt Status Register */
2161  #define   DSISR_NOHPTE         0x40000000      /* no translation found */
2162 +#define   DSISR_GUARDED                0x10000000      /* fetch from guarded storage */
2163  #define   DSISR_PROTFAULT      0x08000000      /* protection fault */
2164  #define   DSISR_ISSTORE                0x02000000      /* access was a store */
2165  #define   DSISR_DABRMATCH      0x00400000      /* hit data breakpoint */
2166 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h
2167 --- linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h   2010-08-26 19:47:12.000000000 -0400
2168 +++ linux-2.6.35.5/arch/powerpc/include/asm/swiotlb.h   2010-09-17 20:12:09.000000000 -0400
2169 @@ -13,7 +13,7 @@
2170  
2171  #include <linux/swiotlb.h>
2172  
2173 -extern struct dma_map_ops swiotlb_dma_ops;
2174 +extern const struct dma_map_ops swiotlb_dma_ops;
2175  
2176  static inline void dma_mark_clean(void *addr, size_t size) {}
2177  
2178 diff -urNp linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h
2179 --- linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h   2010-08-26 19:47:12.000000000 -0400
2180 +++ linux-2.6.35.5/arch/powerpc/include/asm/uaccess.h   2010-09-17 20:12:09.000000000 -0400
2181 @@ -13,6 +13,8 @@
2182  #define VERIFY_READ    0
2183  #define VERIFY_WRITE   1
2184  
2185 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2186 +
2187  /*
2188   * The fs value determines whether argument validity checking should be
2189   * performed or not.  If get_fs() == USER_DS, checking is performed, with
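Review bot: The new `check_object_size()` prototype has no description, and the `bool to` parameter is not self-explanatory. Judging by the call sites added later in this file, the copy-to-user paths pass `true` with the kernel source pointer and the copy-from-user paths pass `false` with the kernel destination pointer. A one-line comment would capture that: `/* ptr: kernel-side buffer, n: byte count, to: true when copying to user space */`.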
2190 @@ -327,52 +329,6 @@ do {                                                               \
2191  extern unsigned long __copy_tofrom_user(void __user *to,
2192                 const void __user *from, unsigned long size);
2193  
2194 -#ifndef __powerpc64__
2195 -
2196 -static inline unsigned long copy_from_user(void *to,
2197 -               const void __user *from, unsigned long n)
2198 -{
2199 -       unsigned long over;
2200 -
2201 -       if (access_ok(VERIFY_READ, from, n))
2202 -               return __copy_tofrom_user((__force void __user *)to, from, n);
2203 -       if ((unsigned long)from < TASK_SIZE) {
2204 -               over = (unsigned long)from + n - TASK_SIZE;
2205 -               return __copy_tofrom_user((__force void __user *)to, from,
2206 -                               n - over) + over;
2207 -       }
2208 -       return n;
2209 -}
2210 -
2211 -static inline unsigned long copy_to_user(void __user *to,
2212 -               const void *from, unsigned long n)
2213 -{
2214 -       unsigned long over;
2215 -
2216 -       if (access_ok(VERIFY_WRITE, to, n))
2217 -               return __copy_tofrom_user(to, (__force void __user *)from, n);
2218 -       if ((unsigned long)to < TASK_SIZE) {
2219 -               over = (unsigned long)to + n - TASK_SIZE;
2220 -               return __copy_tofrom_user(to, (__force void __user *)from,
2221 -                               n - over) + over;
2222 -       }
2223 -       return n;
2224 -}
2225 -
2226 -#else /* __powerpc64__ */
2227 -
2228 -#define __copy_in_user(to, from, size) \
2229 -       __copy_tofrom_user((to), (from), (size))
2230 -
2231 -extern unsigned long copy_from_user(void *to, const void __user *from,
2232 -                                   unsigned long n);
2233 -extern unsigned long copy_to_user(void __user *to, const void *from,
2234 -                                 unsigned long n);
2235 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2236 -                                 unsigned long n);
2237 -
2238 -#endif /* __powerpc64__ */
2239 -
2240  static inline unsigned long __copy_from_user_inatomic(void *to,
2241                 const void __user *from, unsigned long n)
2242  {
2243 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2244                 if (ret == 0)
2245                         return 0;
2246         }
2247 +
2248 +       if (!__builtin_constant_p(n))
2249 +               check_object_size(to, n, false);
2250 +
2251         return __copy_tofrom_user((__force void __user *)to, from, n);
2252  }
2253  
2254 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2255                 if (ret == 0)
2256                         return 0;
2257         }
2258 +
2259 +       if (!__builtin_constant_p(n))
2260 +               check_object_size(from, n, true);
2261 +
2262         return __copy_tofrom_user(to, (__force const void __user *)from, n);
2263  }
2264  
2265 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2266         return __copy_to_user_inatomic(to, from, size);
2267  }
2268  
2269 +#ifndef __powerpc64__
2270 +
2271 +static inline unsigned long __must_check copy_from_user(void *to,
2272 +               const void __user *from, unsigned long n)
2273 +{
2274 +       unsigned long over;
2275 +
2276 +       if ((long)n < 0)
2277 +               return n;
2278 +
2279 +       if (access_ok(VERIFY_READ, from, n)) {
2280 +               if (!__builtin_constant_p(n))
2281 +                       check_object_size(to, n, false);
2282 +               return __copy_tofrom_user((__force void __user *)to, from, n);
2283 +       }
2284 +       if ((unsigned long)from < TASK_SIZE) {
2285 +               over = (unsigned long)from + n - TASK_SIZE;
2286 +               if (!__builtin_constant_p(n - over))
2287 +                       check_object_size(to, n - over, false);
2288 +               return __copy_tofrom_user((__force void __user *)to, from,
2289 +                               n - over) + over;
2290 +       }
2291 +       return n;
2292 +}
2293 +
2294 +static inline unsigned long __must_check copy_to_user(void __user *to,
2295 +               const void *from, unsigned long n)
2296 +{
2297 +       unsigned long over;
2298 +
2299 +       if ((long)n < 0)
2300 +               return n;
2301 +
2302 +       if (access_ok(VERIFY_WRITE, to, n)) {
2303 +               if (!__builtin_constant_p(n))
2304 +                       check_object_size(from, n, true);
2305 +               return __copy_tofrom_user(to, (__force void __user *)from, n);
2306 +       }
2307 +       if ((unsigned long)to < TASK_SIZE) {
2308 +               over = (unsigned long)to + n - TASK_SIZE;
2309 +               if (!__builtin_constant_p(n))
2310 +                       check_object_size(from, n - over, true);
2311 +               return __copy_tofrom_user(to, (__force void __user *)from,
2312 +                               n - over) + over;
2313 +       }
2314 +       return n;
2315 +}
2316 +
2317 +#else /* __powerpc64__ */
2318 +
2319 +#define __copy_in_user(to, from, size) \
2320 +       __copy_tofrom_user((to), (from), (size))
2321 +
2322 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2323 +{
2324 +       if ((long)n < 0 || n > INT_MAX)
2325 +               return n;
2326 +
2327 +       if (!__builtin_constant_p(n))
2328 +               check_object_size(to, n, false);
2329 +
2330 +       if (likely(access_ok(VERIFY_READ, from, n)))
2331 +               n = __copy_from_user(to, from, n);
2332 +       else
2333 +               memset(to, 0, n);
2334 +       return n;
2335 +}
2336 +
2337 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2338 +{
2339 +       if ((long)n < 0 || n > INT_MAX)
2340 +               return n;
2341 +
2342 +       if (likely(access_ok(VERIFY_WRITE, to, n))) {
2343 +               if (!__builtin_constant_p(n))
2344 +                       check_object_size(from, n, true);
2345 +               n = __copy_to_user(to, from, n);
2346 +       }
2347 +       return n;
2348 +}
2349 +
2350 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2351 +                                 unsigned long n);
2352 +
2353 +#endif /* __powerpc64__ */
2354 +
2355  extern unsigned long __clear_user(void __user *addr, unsigned long size);
2356  
2357  static inline unsigned long clear_user(void __user *addr, unsigned long size)
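Review bot: The 32-bit `copy_from_user()` leaves the destination untouched on its failure paths, while the 64-bit variant added in the same hunk clears it with `memset(to, 0, n)` when `access_ok()` fails. On 32-bit the final `return n` writes nothing to `to`, and the partial-copy branch does not clear the `over` bytes it skips, so a caller that goes on to use the buffer can expose stale kernel memory. `__must_check` only produces a build-time warning. Mirroring the 64-bit variant, running `check_object_size(to, n, false)` first and then zeroing the uncopied part before returning, would make the two agree. Separately, the partial branch of the 32-bit `copy_to_user()` guards with `__builtin_constant_p(n)` where `copy_from_user()` uses `__builtin_constant_p(n - over)`; the latter matches the length actually checked.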
2358 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/dma.c linux-2.6.35.5/arch/powerpc/kernel/dma.c
2359 --- linux-2.6.35.5/arch/powerpc/kernel/dma.c    2010-08-26 19:47:12.000000000 -0400
2360 +++ linux-2.6.35.5/arch/powerpc/kernel/dma.c    2010-09-17 20:12:09.000000000 -0400
2361 @@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2362  }
2363  #endif
2364  
2365 -struct dma_map_ops dma_direct_ops = {
2366 +const struct dma_map_ops dma_direct_ops = {
2367         .alloc_coherent = dma_direct_alloc_coherent,
2368         .free_coherent  = dma_direct_free_coherent,
2369         .map_sg         = dma_direct_map_sg,
2370 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c
2371 --- linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c      2010-08-26 19:47:12.000000000 -0400
2372 +++ linux-2.6.35.5/arch/powerpc/kernel/dma-iommu.c      2010-09-17 20:12:09.000000000 -0400
2373 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2374  }
2375  
2376  /* We support DMA to/from any memory page via the iommu */
2377 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2378 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2379  {
2380         struct iommu_table *tbl = get_iommu_table_base(dev);
2381  
2382 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c
2383 --- linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c    2010-08-26 19:47:12.000000000 -0400
2384 +++ linux-2.6.35.5/arch/powerpc/kernel/dma-swiotlb.c    2010-09-17 20:12:09.000000000 -0400
2385 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2386   * map_page, and unmap_page on highmem, use normal dma_ops
2387   * for everything else.
2388   */
2389 -struct dma_map_ops swiotlb_dma_ops = {
2390 +const struct dma_map_ops swiotlb_dma_ops = {
2391         .alloc_coherent = dma_direct_alloc_coherent,
2392         .free_coherent = dma_direct_free_coherent,
2393         .map_sg = swiotlb_map_sg_attrs,
2394 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S
2395 --- linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S 2010-08-26 19:47:12.000000000 -0400
2396 +++ linux-2.6.35.5/arch/powerpc/kernel/exceptions-64e.S 2010-09-17 20:12:09.000000000 -0400
2397 @@ -455,6 +455,7 @@ storage_fault_common:
2398         std     r14,_DAR(r1)
2399         std     r15,_DSISR(r1)
2400         addi    r3,r1,STACK_FRAME_OVERHEAD
2401 +       bl      .save_nvgprs
2402         mr      r4,r14
2403         mr      r5,r15
2404         ld      r14,PACA_EXGEN+EX_R14(r13)
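Review bot: The added `bl .save_nvgprs` runs while r14 and r15 still hold the DAR and DSISR values that were just stored to the frame. The interrupted context's r14 is only reloaded from `PACA_EXGEN+EX_R14` two lines later. If `.save_nvgprs` stores r14–r31 into the register frame, as its name suggests (its body is not part of this patch), the frame would record the fault address and status in place of the real r14/r15. Moving the call below the reloads, with r3–r5 confirmed preserved across it, would avoid that. storage_fault_common starts and continues outside this hunk, so the r15 reload is assumed rather than visible.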
2405 @@ -464,8 +465,7 @@ storage_fault_common:
2406         cmpdi   r3,0
2407         bne-    1f
2408         b       .ret_from_except_lite
2409 -1:     bl      .save_nvgprs
2410 -       mr      r5,r3
2411 +1:     mr      r5,r3
2412         addi    r3,r1,STACK_FRAME_OVERHEAD
2413         ld      r4,_DAR(r1)
2414         bl      .bad_page_fault
2415 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S
2416 --- linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S 2010-08-26 19:47:12.000000000 -0400
2417 +++ linux-2.6.35.5/arch/powerpc/kernel/exceptions-64s.S 2010-09-17 20:12:09.000000000 -0400
2418 @@ -840,10 +840,10 @@ handle_page_fault:
2419  11:    ld      r4,_DAR(r1)
2420         ld      r5,_DSISR(r1)
2421         addi    r3,r1,STACK_FRAME_OVERHEAD
2422 +       bl      .save_nvgprs
2423         bl      .do_page_fault
2424         cmpdi   r3,0
2425         beq+    13f
2426 -       bl      .save_nvgprs
2427         mr      r5,r3
2428         addi    r3,r1,STACK_FRAME_OVERHEAD
2429         lwz     r4,_DAR(r1)
2430 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c
2431 --- linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c        2010-08-26 19:47:12.000000000 -0400
2432 +++ linux-2.6.35.5/arch/powerpc/kernel/ibmebus.c        2010-09-17 20:12:09.000000000 -0400
2433 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct 
2434         return 1;
2435  }
2436  
2437 -static struct dma_map_ops ibmebus_dma_ops = {
2438 +static const struct dma_map_ops ibmebus_dma_ops = {
2439         .alloc_coherent = ibmebus_alloc_coherent,
2440         .free_coherent  = ibmebus_free_coherent,
2441         .map_sg         = ibmebus_map_sg,
2442 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/kgdb.c linux-2.6.35.5/arch/powerpc/kernel/kgdb.c
2443 --- linux-2.6.35.5/arch/powerpc/kernel/kgdb.c   2010-08-26 19:47:12.000000000 -0400
2444 +++ linux-2.6.35.5/arch/powerpc/kernel/kgdb.c   2010-09-17 20:12:09.000000000 -0400
2445 @@ -128,7 +128,7 @@ static int kgdb_handle_breakpoint(struct
2446         if (kgdb_handle_exception(1, SIGTRAP, 0, regs) != 0)
2447                 return 0;
2448  
2449 -       if (*(u32 *) (regs->nip) == *(u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2450 +       if (*(u32 *) (regs->nip) == *(const u32 *) (&arch_kgdb_ops.gdb_bpt_instr))
2451                 regs->nip += 4;
2452  
2453         return 1;
2454 @@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
2455  /*
2456   * Global data
2457   */
2458 -struct kgdb_arch arch_kgdb_ops = {
2459 +const struct kgdb_arch arch_kgdb_ops = {
2460         .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2461  };
2462  
2463 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/module_32.c linux-2.6.35.5/arch/powerpc/kernel/module_32.c
2464 --- linux-2.6.35.5/arch/powerpc/kernel/module_32.c      2010-08-26 19:47:12.000000000 -0400
2465 +++ linux-2.6.35.5/arch/powerpc/kernel/module_32.c      2010-09-17 20:12:09.000000000 -0400
2466 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2467                         me->arch.core_plt_section = i;
2468         }
2469         if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2470 -               printk("Module doesn't contain .plt or .init.plt sections.\n");
2471 +               printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2472                 return -ENOEXEC;
2473         }
2474  
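Review bot: The reworded `printk` still carries no log level, while the error message added in the next hunk of this file uses `KERN_ERR`. For consistency I would write `printk(KERN_ERR "Module %s doesn't contain .plt or .init.plt sections.\n", me->name);`. module_frob_arch_sections begins outside the hunk.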
2475 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2476  
2477         DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2478         /* Init, or core PLT? */
2479 -       if (location >= mod->module_core
2480 -           && location < mod->module_core + mod->core_size)
2481 +       if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2482 +           (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2483                 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2484 -       else
2485 +       else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2486 +                (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2487                 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2488 +       else {
2489 +               printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2490 +               return ~0UL;
2491 +       }
2492  
2493         /* Find this entry, or if that fails, the next avail. entry */
2494         while (entry->jump[0]) {
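Review bot: The new failure path returns `~0UL` from a function the hunk header declares as `uint32_t`, so the error is an in-band value (0xffffffff) that looks like a PLT address unless the caller tests for it. The caller is outside this hunk; if it feeds the result straight into the R_PPC_REL24 branch encoding, a module with a bad relocation would be patched with a bogus target instead of being rejected. It is worth confirming that the call site checks the sentinel and fails the load. A comment on the function would also help: `/* returns ~0 if location lies in none of the module's rx/rw regions */`. do_plt_call starts and ends outside the hunk.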
2495 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/module.c linux-2.6.35.5/arch/powerpc/kernel/module.c
2496 --- linux-2.6.35.5/arch/powerpc/kernel/module.c 2010-08-26 19:47:12.000000000 -0400
2497 +++ linux-2.6.35.5/arch/powerpc/kernel/module.c 2010-09-17 20:12:09.000000000 -0400
2498 @@ -31,11 +31,24 @@
2499  
2500  LIST_HEAD(module_bug_list);
2501  
2502 +#ifdef CONFIG_PAX_KERNEXEC
2503  void *module_alloc(unsigned long size)
2504  {
2505         if (size == 0)
2506                 return NULL;
2507  
2508 +       return vmalloc(size);
2509 +}
2510 +
2511 +void *module_alloc_exec(unsigned long size)
2512 +#else
2513 +void *module_alloc(unsigned long size)
2514 +#endif
2515 +
2516 +{
2517 +       if (size == 0)
2518 +               return NULL;
2519 +
2520         return vmalloc_exec(size);
2521  }
2522  
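Review bot: The header of the second definition is selected by an `#ifdef` that closes before the function body, which makes it easy to misread which allocator returns executable memory in which configuration. A comment above the block would settle it, e.g. `/* KERNEXEC: module_alloc() returns plain vmalloc() memory and module_alloc_exec() returns vmalloc_exec() memory; otherwise module_alloc() itself uses vmalloc_exec() */`. Writing the three definitions out in full under `#ifdef`/`#else` would cost a few duplicated lines but remove the split signature.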
2523 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2524         vfree(module_region);
2525  }
2526  
2527 +#ifdef CONFIG_PAX_KERNEXEC
2528 +void module_free_exec(struct module *mod, void *module_region)
2529 +{
2530 +       module_free(mod, module_region);
2531 +}
2532 +#endif
2533 +
2534  static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2535                                     const Elf_Shdr *sechdrs,
2536                                     const char *name)
2537 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/pci-common.c linux-2.6.35.5/arch/powerpc/kernel/pci-common.c
2538 --- linux-2.6.35.5/arch/powerpc/kernel/pci-common.c     2010-08-26 19:47:12.000000000 -0400
2539 +++ linux-2.6.35.5/arch/powerpc/kernel/pci-common.c     2010-09-17 20:12:09.000000000 -0400
2540 @@ -51,14 +51,14 @@ resource_size_t isa_mem_base;
2541  unsigned int ppc_pci_flags = 0;
2542  
2543  
2544 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2545 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2546  
2547 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2548 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2549  {
2550         pci_dma_ops = dma_ops;
2551  }
2552  
2553 -struct dma_map_ops *get_pci_dma_ops(void)
2554 +const struct dma_map_ops *get_pci_dma_ops(void)
2555  {
2556         return pci_dma_ops;
2557  }
2558 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/process.c linux-2.6.35.5/arch/powerpc/kernel/process.c
2559 --- linux-2.6.35.5/arch/powerpc/kernel/process.c        2010-08-26 19:47:12.000000000 -0400
2560 +++ linux-2.6.35.5/arch/powerpc/kernel/process.c        2010-09-17 20:12:09.000000000 -0400
2561 @@ -1215,51 +1215,3 @@ unsigned long arch_align_stack(unsigned 
2562                 sp -= get_random_int() & ~PAGE_MASK;
2563         return sp & ~0xf;
2564  }
2565 -
2566 -static inline unsigned long brk_rnd(void)
2567 -{
2568 -        unsigned long rnd = 0;
2569 -
2570 -       /* 8MB for 32bit, 1GB for 64bit */
2571 -       if (is_32bit_task())
2572 -               rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2573 -       else
2574 -               rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2575 -
2576 -       return rnd << PAGE_SHIFT;
2577 -}
2578 -
2579 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2580 -{
2581 -       unsigned long base = mm->brk;
2582 -       unsigned long ret;
2583 -
2584 -#ifdef CONFIG_PPC_STD_MMU_64
2585 -       /*
2586 -        * If we are using 1TB segments and we are allowed to randomise
2587 -        * the heap, we can put it above 1TB so it is backed by a 1TB
2588 -        * segment. Otherwise the heap will be in the bottom 1TB
2589 -        * which always uses 256MB segments and this may result in a
2590 -        * performance penalty.
2591 -        */
2592 -       if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2593 -               base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2594 -#endif
2595 -
2596 -       ret = PAGE_ALIGN(base + brk_rnd());
2597 -
2598 -       if (ret < mm->brk)
2599 -               return mm->brk;
2600 -
2601 -       return ret;
2602 -}
2603 -
2604 -unsigned long randomize_et_dyn(unsigned long base)
2605 -{
2606 -       unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2607 -
2608 -       if (ret < base)
2609 -               return base;
2610 -
2611 -       return ret;
2612 -}
2613 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/signal_32.c linux-2.6.35.5/arch/powerpc/kernel/signal_32.c
2614 --- linux-2.6.35.5/arch/powerpc/kernel/signal_32.c      2010-08-26 19:47:12.000000000 -0400
2615 +++ linux-2.6.35.5/arch/powerpc/kernel/signal_32.c      2010-09-17 20:12:09.000000000 -0400
2616 @@ -857,7 +857,7 @@ int handle_rt_signal32(unsigned long sig
2617         /* Save user registers on the stack */
2618         frame = &rt_sf->uc.uc_mcontext;
2619         addr = frame;
2620 -       if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2621 +       if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2622                 if (save_user_regs(regs, frame, 0, 1))
2623                         goto badframe;
2624                 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
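Review bot: The "no vDSO" marker for `context.vdso_base` changes from 0 to `~0UL` (set in the vdso.c hunk of this patch), so any remaining plain truth test of `vdso_base` now succeeds for a process that has no vDSO mapped. This hunk and the signal_64.c hunk convert the rt signal paths. Other readers of the field, including any further trampoline setup in this file, are not visible here and would compute `~0UL + offset` as the return address if left unconverted. A named constant used at every site would make a missed conversion easy to find; the name here is only a suggestion: `#define VDSO_BASE_UNMAPPED (~0UL)`. handle_rt_signal32 continues outside the hunk.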
2625 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/signal_64.c linux-2.6.35.5/arch/powerpc/kernel/signal_64.c
2626 --- linux-2.6.35.5/arch/powerpc/kernel/signal_64.c      2010-08-26 19:47:12.000000000 -0400
2627 +++ linux-2.6.35.5/arch/powerpc/kernel/signal_64.c      2010-09-17 20:12:09.000000000 -0400
2628 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2629         current->thread.fpscr.val = 0;
2630  
2631         /* Set up to return from userspace. */
2632 -       if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2633 +       if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2634                 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2635         } else {
2636                 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2637 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/vdso.c linux-2.6.35.5/arch/powerpc/kernel/vdso.c
2638 --- linux-2.6.35.5/arch/powerpc/kernel/vdso.c   2010-08-26 19:47:12.000000000 -0400
2639 +++ linux-2.6.35.5/arch/powerpc/kernel/vdso.c   2010-09-17 20:12:09.000000000 -0400
2640 @@ -36,6 +36,7 @@
2641  #include <asm/firmware.h>
2642  #include <asm/vdso.h>
2643  #include <asm/vdso_datapage.h>
2644 +#include <asm/mman.h>
2645  
2646  #include "setup.h"
2647  
2648 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2649         vdso_base = VDSO32_MBASE;
2650  #endif
2651  
2652 -       current->mm->context.vdso_base = 0;
2653 +       current->mm->context.vdso_base = ~0UL;
2654  
2655         /* vDSO has a problem and was disabled, just don't "enable" it for the
2656          * process
2657 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2658         vdso_base = get_unmapped_area(NULL, vdso_base,
2659                                       (vdso_pages << PAGE_SHIFT) +
2660                                       ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2661 -                                     0, 0);
2662 +                                     0, MAP_PRIVATE | MAP_EXECUTABLE);
2663         if (IS_ERR_VALUE(vdso_base)) {
2664                 rc = vdso_base;
2665                 goto fail_mmapsem;
2666 diff -urNp linux-2.6.35.5/arch/powerpc/kernel/vio.c linux-2.6.35.5/arch/powerpc/kernel/vio.c
2667 --- linux-2.6.35.5/arch/powerpc/kernel/vio.c    2010-08-26 19:47:12.000000000 -0400
2668 +++ linux-2.6.35.5/arch/powerpc/kernel/vio.c    2010-09-17 20:12:09.000000000 -0400
2669 @@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
2670         vio_cmo_dealloc(viodev, alloc_size);
2671  }
2672  
2673 -struct dma_map_ops vio_dma_mapping_ops = {
2674 +static const struct dma_map_ops vio_dma_mapping_ops = {
2675         .alloc_coherent = vio_dma_iommu_alloc_coherent,
2676         .free_coherent  = vio_dma_iommu_free_coherent,
2677         .map_sg         = vio_dma_iommu_map_sg,
2678         .unmap_sg       = vio_dma_iommu_unmap_sg,
2679 +       .dma_supported  = dma_iommu_dma_supported,
2680         .map_page       = vio_dma_iommu_map_page,
2681         .unmap_page     = vio_dma_iommu_unmap_page,
2682  
2683 @@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
2684  
2685  static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2686  {
2687 -       vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2688         viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2689  }
2690  
2691 diff -urNp linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c
2692 --- linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c       2010-08-26 19:47:12.000000000 -0400
2693 +++ linux-2.6.35.5/arch/powerpc/lib/usercopy_64.c       2010-09-17 20:12:09.000000000 -0400
2694 @@ -9,22 +9,6 @@
2695  #include <linux/module.h>
2696  #include <asm/uaccess.h>
2697  
2698 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2699 -{
2700 -       if (likely(access_ok(VERIFY_READ, from, n)))
2701 -               n = __copy_from_user(to, from, n);
2702 -       else
2703 -               memset(to, 0, n);
2704 -       return n;
2705 -}
2706 -
2707 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2708 -{
2709 -       if (likely(access_ok(VERIFY_WRITE, to, n)))
2710 -               n = __copy_to_user(to, from, n);
2711 -       return n;
2712 -}
2713 -
2714  unsigned long copy_in_user(void __user *to, const void __user *from,
2715                            unsigned long n)
2716  {
2717 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2718         return n;
2719  }
2720  
2721 -EXPORT_SYMBOL(copy_from_user);
2722 -EXPORT_SYMBOL(copy_to_user);
2723  EXPORT_SYMBOL(copy_in_user);
2724  
2725 diff -urNp linux-2.6.35.5/arch/powerpc/mm/fault.c linux-2.6.35.5/arch/powerpc/mm/fault.c
2726 --- linux-2.6.35.5/arch/powerpc/mm/fault.c      2010-08-26 19:47:12.000000000 -0400
2727 +++ linux-2.6.35.5/arch/powerpc/mm/fault.c      2010-09-17 20:12:09.000000000 -0400
2728 @@ -30,6 +30,10 @@
2729  #include <linux/kprobes.h>
2730  #include <linux/kdebug.h>
2731  #include <linux/perf_event.h>
2732 +#include <linux/slab.h>
2733 +#include <linux/pagemap.h>
2734 +#include <linux/compiler.h>
2735 +#include <linux/unistd.h>
2736  
2737  #include <asm/firmware.h>
2738  #include <asm/page.h>
2739 @@ -41,6 +45,7 @@
2740  #include <asm/tlbflush.h>
2741  #include <asm/siginfo.h>
2742  #include <mm/mmu_decl.h>
2743 +#include <asm/ptrace.h>
2744  
2745  #ifdef CONFIG_KPROBES
2746  static inline int notify_page_fault(struct pt_regs *regs)
2747 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2748  }
2749  #endif
2750  
2751 +#ifdef CONFIG_PAX_PAGEEXEC
2752 +/*
2753 + * PaX: decide what to do with offenders (regs->nip = fault address)
2754 + *
2755 + * returns 1 when task should be killed
2756 + */
2757 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2758 +{
2759 +       return 1;
2760 +}
2761 +
2762 +void pax_report_insns(void *pc, void *sp)
2763 +{
2764 +       unsigned long i;
2765 +
2766 +       printk(KERN_ERR "PAX: bytes at PC: ");
2767 +       for (i = 0; i < 5; i++) {
2768 +               unsigned int c;
2769 +               if (get_user(c, (unsigned int __user *)pc+i))
2770 +                       printk(KERN_CONT "???????? ");
2771 +               else
2772 +                       printk(KERN_CONT "%08x ", c);
2773 +       }
2774 +       printk("\n");
2775 +}
2776 +#endif
2777 +
2778  /*
2779   * Check whether the instruction at regs->nip is a store using
2780   * an update addressing form which will update r1.
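Review bot: The closing `printk("\n")` in `pax_report_insns` carries no log level, unlike the `KERN_CONT` pieces before it, so the newline may be logged as a separate record instead of ending the `PAX: bytes at PC:` line; `printk(KERN_CONT "\n");` keeps the report together. The function has no comment and never uses `sp`; a header such as `/* log the five 32-bit words at the faulting PC; words that cannot be read print as ???????? */` would say what the log line holds and that each read goes through `get_user()`. `pax_handle_fetch_fault` is a stub that always returns 1 in this file, which its comment should state.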
2781 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2782          * indicate errors in DSISR but can validly be set in SRR1.
2783          */
2784         if (trap == 0x400)
2785 -               error_code &= 0x48200000;
2786 +               error_code &= 0x58200000;
2787         else
2788                 is_write = error_code & DSISR_ISSTORE;
2789  #else
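Review bot: The widened mask `0x58200000` is still a bare literal, although the only bit it adds is `0x10000000`, the value a later hunk in this file replaces with `DSISR_GUARDED`. A reader has to do the arithmetic to see that the two changes belong together and that the bit is kept so the `is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))` test at `bad_area_nosemaphore` can see it. A comment on the line, e.g. `/* also keep DSISR_GUARDED (0x10000000) for the fetch-fault checks below */`, would make that explicit. The enclosing function starts and ends outside the hunk.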
2790 @@ -257,7 +289,7 @@ good_area:
2791           * "undefined".  Of those that can be set, this is the only
2792           * one which seems bad.
2793           */
2794 -       if (error_code & 0x10000000)
2795 +       if (error_code & DSISR_GUARDED)
2796                  /* Guarded storage error. */
2797                 goto bad_area;
2798  #endif /* CONFIG_8xx */
2799 @@ -272,7 +304,7 @@ good_area:
2800                  * processors use the same I/D cache coherency mechanism
2801                  * as embedded.
2802                  */
2803 -               if (error_code & DSISR_PROTFAULT)
2804 +               if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2805                         goto bad_area;
2806  #endif /* CONFIG_PPC_STD_MMU */
2807  
2808 @@ -341,6 +373,23 @@ bad_area:
2809  bad_area_nosemaphore:
2810         /* User mode accesses cause a SIGSEGV */
2811         if (user_mode(regs)) {
2812 +
2813 +#ifdef CONFIG_PAX_PAGEEXEC
2814 +               if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2815 +#ifdef CONFIG_PPC_STD_MMU
2816 +                       if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2817 +#else
2818 +                       if (is_exec && regs->nip == address) {
2819 +#endif
2820 +                               switch (pax_handle_fetch_fault(regs)) {
2821 +                               }
2822 +
2823 +                               pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2824 +                               do_group_exit(SIGKILL);
2825 +                       }
2826 +               }
2827 +#endif
2828 +
2829                 _exception(SIGSEGV, regs, code, address);
2830                 return 0;
2831         }
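Review bot: `switch (pax_handle_fetch_fault(regs)) { }` has no case labels, so the helper's return value is discarded and the task is reported and killed whatever it returns, while the helper's own comment says only a return of 1 means kill. With the stub in this file always returning 1 the outcome is the same, but the empty switch reads like a truncated block; a comment inside it such as `/* no emulation cases on powerpc: every fetch fault is fatal */` would make the intent explicit. The `#ifdef CONFIG_PPC_STD_MMU` / `#else` pair opens the same `if (...) {` in both branches, which is easy to unbalance on a later edit. The function starts outside the hunk, so whether `mm` can be NULL when `mm->pax_flags` is read at this label cannot be checked from here.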
2832 diff -urNp linux-2.6.35.5/arch/powerpc/mm/mmap_64.c linux-2.6.35.5/arch/powerpc/mm/mmap_64.c
2833 --- linux-2.6.35.5/arch/powerpc/mm/mmap_64.c    2010-08-26 19:47:12.000000000 -0400
2834 +++ linux-2.6.35.5/arch/powerpc/mm/mmap_64.c    2010-09-17 20:12:09.000000000 -0400
2835 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2836          */
2837         if (mmap_is_legacy()) {
2838                 mm->mmap_base = TASK_UNMAPPED_BASE;
2839 +
2840 +#ifdef CONFIG_PAX_RANDMMAP
2841 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2842 +                       mm->mmap_base += mm->delta_mmap;
2843 +#endif
2844 +
2845                 mm->get_unmapped_area = arch_get_unmapped_area;
2846                 mm->unmap_area = arch_unmap_area;
2847         } else {
2848                 mm->mmap_base = mmap_base();
2849 +
2850 +#ifdef CONFIG_PAX_RANDMMAP
2851 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
2852 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2853 +#endif
2854 +
2855                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2856                 mm->unmap_area = arch_unmap_area_topdown;
2857         }
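Review bot: The two added adjustments are asymmetric and uncommented: the legacy branch adds `mm->delta_mmap`, while the top-down branch subtracts `mm->delta_mmap + mm->delta_stack`. A one-line comment on the second, e.g. `/* top-down base sits below the stack, so step back by the stack's random shift too */` (presumably the reason; confirm against where `delta_stack` is applied), would save the next reader the lookup. Nothing in the hunk bounds the subtraction against the value returned by `mmap_base()`, so it relies on the deltas being small relative to the base, which is not visible here. The same pair of additions appears in both `arch_pick_mmap_layout` hunks of arch/s390/mm/mmap.c further down; the function body starts outside each hunk.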
2858 diff -urNp linux-2.6.35.5/arch/powerpc/mm/slice.c linux-2.6.35.5/arch/powerpc/mm/slice.c
2859 --- linux-2.6.35.5/arch/powerpc/mm/slice.c      2010-08-26 19:47:12.000000000 -0400
2860 +++ linux-2.6.35.5/arch/powerpc/mm/slice.c      2010-09-17 20:12:09.000000000 -0400
2861 @@ -98,10 +98,9 @@ static int slice_area_is_free(struct mm_
2862         if ((mm->task_size - len) < addr)
2863                 return 0;
2864         vma = find_vma(mm, addr);
2865 -       return (!vma || (addr + len) <= vma->vm_start);
2866 +       return check_heap_stack_gap(vma, addr, len);
2867  }
2868  
2869 -static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2870  {
2871         return !slice_area_is_free(mm, slice << SLICE_LOW_SHIFT,
2872                                    1ul << SLICE_LOW_SHIFT);
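Review bot: The line `static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)` is removed with no `+` counterpart, so on the new side the `{ return !slice_area_is_free(...); }` body that follows has no function header. The hunk counts (`-98,10 +98,9`) agree that the line is dropped rather than lost in rendering. Unless another patch in the series re-adds it, the signature should stay as a context line and the header become `-98,10 +98,10`, leaving the `check_heap_stack_gap(vma, addr, len)` replacement as the hunk's only change.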
2873 @@ -256,7 +255,7 @@ full_search:
2874                                 addr = _ALIGN_UP(addr + 1,  1ul << SLICE_HIGH_SHIFT);
2875                         continue;
2876                 }
2877 -               if (!vma || addr + len <= vma->vm_start) {
2878 +               if (check_heap_stack_gap(vma, addr, len)) {
2879                         /*
2880                          * Remember the place where we stopped the search:
2881                          */
2882 @@ -336,7 +335,7 @@ static unsigned long slice_find_area_top
2883                  * return with success:
2884                  */
2885                 vma = find_vma(mm, addr);
2886 -               if (!vma || (addr + len) <= vma->vm_start) {
2887 +               if (check_heap_stack_gap(vma, addr, len)) {
2888                         /* remember the address as a hint for next time */
2889                         if (use_cache)
2890                                 mm->free_area_cache = addr;
2891 @@ -426,6 +425,11 @@ unsigned long slice_get_unmapped_area(un
2892         if (fixed && addr > (mm->task_size - len))
2893                 return -EINVAL;
2894  
2895 +#ifdef CONFIG_PAX_RANDMMAP
2896 +       if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2897 +               addr = 0;
2898 +#endif
2899 +
2900         /* If hint, make sure it matches our alignment restrictions */
2901         if (!fixed && addr) {
2902                 addr = _ALIGN_UP(addr, 1ul << pshift);
2903 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c
2904 --- linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c    2010-08-26 19:47:12.000000000 -0400
2905 +++ linux-2.6.35.5/arch/powerpc/platforms/52xx/lite5200_pm.c    2010-09-17 20:12:09.000000000 -0400
2906 @@ -235,7 +235,7 @@ static void lite5200_pm_end(void)
2907         lite5200_pm_target_state = PM_SUSPEND_ON;
2908  }
2909  
2910 -static struct platform_suspend_ops lite5200_pm_ops = {
2911 +static const struct platform_suspend_ops lite5200_pm_ops = {
2912         .valid          = lite5200_pm_valid,
2913         .begin          = lite5200_pm_begin,
2914         .prepare        = lite5200_pm_prepare,
2915 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c
2916 --- linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c     2010-08-26 19:47:12.000000000 -0400
2917 +++ linux-2.6.35.5/arch/powerpc/platforms/52xx/mpc52xx_pm.c     2010-09-17 20:12:09.000000000 -0400
2918 @@ -189,7 +189,7 @@ void mpc52xx_pm_finish(void)
2919         iounmap(mbar);
2920  }
2921  
2922 -static struct platform_suspend_ops mpc52xx_pm_ops = {
2923 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
2924         .valid          = mpc52xx_pm_valid,
2925         .prepare        = mpc52xx_pm_prepare,
2926         .enter          = mpc52xx_pm_enter,
2927 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c
2928 --- linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c        2010-08-26 19:47:12.000000000 -0400
2929 +++ linux-2.6.35.5/arch/powerpc/platforms/83xx/suspend.c        2010-09-17 20:12:09.000000000 -0400
2930 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
2931         return ret;
2932  }
2933  
2934 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
2935 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
2936         .valid = mpc83xx_suspend_valid,
2937         .begin = mpc83xx_suspend_begin,
2938         .enter = mpc83xx_suspend_enter,
2939 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c
2940 --- linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c  2010-08-26 19:47:12.000000000 -0400
2941 +++ linux-2.6.35.5/arch/powerpc/platforms/cell/iommu.c  2010-09-17 20:12:09.000000000 -0400
2942 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
2943  
2944  static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
2945  
2946 -struct dma_map_ops dma_iommu_fixed_ops = {
2947 +const struct dma_map_ops dma_iommu_fixed_ops = {
2948         .alloc_coherent = dma_fixed_alloc_coherent,
2949         .free_coherent  = dma_fixed_free_coherent,
2950         .map_sg         = dma_fixed_map_sg,
2951 diff -urNp linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c
2952 --- linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c      2010-08-26 19:47:12.000000000 -0400
2953 +++ linux-2.6.35.5/arch/powerpc/platforms/ps3/system-bus.c      2010-09-17 20:12:09.000000000 -0400
2954 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
2955         return mask >= DMA_BIT_MASK(32);
2956  }
2957  
2958 -static struct dma_map_ops ps3_sb_dma_ops = {
2959 +static const struct dma_map_ops ps3_sb_dma_ops = {
2960         .alloc_coherent = ps3_alloc_coherent,
2961         .free_coherent = ps3_free_coherent,
2962         .map_sg = ps3_sb_map_sg,
2963 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
2964         .unmap_page = ps3_unmap_page,
2965  };
2966  
2967 -static struct dma_map_ops ps3_ioc0_dma_ops = {
2968 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
2969         .alloc_coherent = ps3_alloc_coherent,
2970         .free_coherent = ps3_free_coherent,
2971         .map_sg = ps3_ioc0_map_sg,
2972 diff -urNp linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c
2973 --- linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c        2010-08-26 19:47:12.000000000 -0400
2974 +++ linux-2.6.35.5/arch/powerpc/sysdev/fsl_pmc.c        2010-09-17 20:12:09.000000000 -0400
2975 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
2976         return 1;
2977  }
2978  
2979 -static struct platform_suspend_ops pmc_suspend_ops = {
2980 +static const struct platform_suspend_ops pmc_suspend_ops = {
2981         .valid = pmc_suspend_valid,
2982         .enter = pmc_suspend_enter,
2983  };
2984 diff -urNp linux-2.6.35.5/arch/s390/include/asm/elf.h linux-2.6.35.5/arch/s390/include/asm/elf.h
2985 --- linux-2.6.35.5/arch/s390/include/asm/elf.h  2010-08-26 19:47:12.000000000 -0400
2986 +++ linux-2.6.35.5/arch/s390/include/asm/elf.h  2010-09-17 20:12:09.000000000 -0400
2987 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
2988     that it will "exec", and that there is sufficient room for the brk.  */
2989  #define ELF_ET_DYN_BASE                (STACK_TOP / 3 * 2)
2990  
2991 +#ifdef CONFIG_PAX_ASLR
2992 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
2993 +
2994 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2995 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_31BIT) ? 15 : 26 )
2996 +#endif
2997 +
2998  /* This yields a mask that user programs can use to figure out what
2999     instruction set this CPU supports. */
3000  
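Review bot: The added `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` values (15 and 26) and the two `PAX_ELF_ET_DYN_BASE` addresses are bare numbers with no comment on what they mean or why the 31-bit and 64-bit cases differ. The names suggest a count of randomised bits, which should be confirmed and then stated, e.g. `/* presumably bits of randomisation applied to the mmap / stack base */`. The stray space in `26 )` is inconsistent with the first macro.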
3001 diff -urNp linux-2.6.35.5/arch/s390/include/asm/uaccess.h linux-2.6.35.5/arch/s390/include/asm/uaccess.h
3002 --- linux-2.6.35.5/arch/s390/include/asm/uaccess.h      2010-08-26 19:47:12.000000000 -0400
3003 +++ linux-2.6.35.5/arch/s390/include/asm/uaccess.h      2010-09-17 20:12:09.000000000 -0400
3004 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3005  copy_to_user(void __user *to, const void *from, unsigned long n)
3006  {
3007         might_fault();
3008 +
3009 +       if ((long)n < 0)
3010 +               return n;
3011 +
3012         if (access_ok(VERIFY_WRITE, to, n))
3013                 n = __copy_to_user(to, from, n);
3014         return n;
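Review bot: The new `(long)n < 0` guard has no comment saying what it rejects, and the same three lines are repeated in the `__copy_from_user` and `copy_from_user` hunks below. A comment such as `/* a length with the sign bit set is treated as a bad size (e.g. a negative value converted to unsigned long): copy nothing */` would record the intent. On this path the function returns `n` without touching either buffer, so in the `copy_from_user` case the destination stays uninitialised and the caller must act on the non-zero return; that is worth stating next to the guard. The function bodies continue outside the hunks.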
3015 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3016  static inline unsigned long __must_check
3017  __copy_from_user(void *to, const void __user *from, unsigned long n)
3018  {
3019 +       if ((long)n < 0)
3020 +               return n;
3021 +
3022         if (__builtin_constant_p(n) && (n <= 256))
3023                 return uaccess.copy_from_user_small(n, from, to);
3024         else
3025 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3026         unsigned int sz = __compiletime_object_size(to);
3027  
3028         might_fault();
3029 +
3030 +       if ((long)n < 0)
3031 +               return n;
3032 +
3033         if (unlikely(sz != -1 && sz < n)) {
3034                 copy_from_user_overflow();
3035                 return n;
3036 diff -urNp linux-2.6.35.5/arch/s390/Kconfig linux-2.6.35.5/arch/s390/Kconfig
3037 --- linux-2.6.35.5/arch/s390/Kconfig    2010-08-26 19:47:12.000000000 -0400
3038 +++ linux-2.6.35.5/arch/s390/Kconfig    2010-09-17 20:12:09.000000000 -0400
3039 @@ -230,13 +230,12 @@ config AUDIT_ARCH
3040  
3041  config S390_EXEC_PROTECT
3042         bool "Data execute protection"
3043 +       default y
3044         help
3045           This option allows to enable a buffer overflow protection for user
3046 -         space programs and it also selects the addressing mode option above.
3047 -         The kernel parameter noexec=on will enable this feature and also
3048 -         switch the addressing modes, default is disabled. Enabling this (via
3049 -         kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3050 -         will reduce system performance.
3051 +         space programs.
3052 +         Enabling this on machines earlier than IBM System z9-109 EC/BC will
3053 +         reduce system performance.
3054  
3055  comment "Code generation options"
3056  
3057 diff -urNp linux-2.6.35.5/arch/s390/kernel/module.c linux-2.6.35.5/arch/s390/kernel/module.c
3058 --- linux-2.6.35.5/arch/s390/kernel/module.c    2010-08-26 19:47:12.000000000 -0400
3059 +++ linux-2.6.35.5/arch/s390/kernel/module.c    2010-09-17 20:12:09.000000000 -0400
3060 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3061  
3062         /* Increase core size by size of got & plt and set start
3063            offsets for got and plt. */
3064 -       me->core_size = ALIGN(me->core_size, 4);
3065 -       me->arch.got_offset = me->core_size;
3066 -       me->core_size += me->arch.got_size;
3067 -       me->arch.plt_offset = me->core_size;
3068 -       me->core_size += me->arch.plt_size;
3069 +       me->core_size_rw = ALIGN(me->core_size_rw, 4);
3070 +       me->arch.got_offset = me->core_size_rw;
3071 +       me->core_size_rw += me->arch.got_size;
3072 +       me->arch.plt_offset = me->core_size_rx;
3073 +       me->core_size_rx += me->arch.plt_size;
3074         return 0;
3075  }
3076  
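Review bot: `me->arch.plt_offset` is now taken from `me->core_size_rx` without the `ALIGN(..., 4)` that the old code applied to the single `core_size` before laying out GOT and PLT; only `core_size_rw` is aligned. A later hunk writes PLT entries through an `unsigned int *` at `module_core_rx + plt_offset`, so if the section layout can leave `core_size_rx` at a non-multiple of 4 (not visible here) those entries would be misaligned. Adding `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before the `plt_offset` assignment restores the old guarantee. The comment above the block still says "Increase core size", which no longer names the two fields being changed.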
3077 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3078                 if (info->got_initialized == 0) {
3079                         Elf_Addr *gotent;
3080  
3081 -                       gotent = me->module_core + me->arch.got_offset +
3082 +                       gotent = me->module_core_rw + me->arch.got_offset +
3083                                 info->got_offset;
3084                         *gotent = val;
3085                         info->got_initialized = 1;
3086 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3087                 else if (r_type == R_390_GOTENT ||
3088                          r_type == R_390_GOTPLTENT)
3089                         *(unsigned int *) loc =
3090 -                               (val + (Elf_Addr) me->module_core - loc) >> 1;
3091 +                               (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3092                 else if (r_type == R_390_GOT64 ||
3093                          r_type == R_390_GOTPLT64)
3094                         *(unsigned long *) loc = val;
3095 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3096         case R_390_PLTOFF64:    /* 16 bit offset from GOT to PLT. */
3097                 if (info->plt_initialized == 0) {
3098                         unsigned int *ip;
3099 -                       ip = me->module_core + me->arch.plt_offset +
3100 +                       ip = me->module_core_rx + me->arch.plt_offset +
3101                                 info->plt_offset;
3102  #ifndef CONFIG_64BIT
3103                         ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3104 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3105                                val - loc + 0xffffUL < 0x1ffffeUL) ||
3106                               (r_type == R_390_PLT32DBL &&
3107                                val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3108 -                               val = (Elf_Addr) me->module_core +
3109 +                               val = (Elf_Addr) me->module_core_rx +
3110                                         me->arch.plt_offset +
3111                                         info->plt_offset;
3112                         val += rela->r_addend - loc;
3113 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3114         case R_390_GOTOFF32:    /* 32 bit offset to GOT.  */
3115         case R_390_GOTOFF64:    /* 64 bit offset to GOT. */
3116                 val = val + rela->r_addend -
3117 -                       ((Elf_Addr) me->module_core + me->arch.got_offset);
3118 +                       ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3119                 if (r_type == R_390_GOTOFF16)
3120                         *(unsigned short *) loc = val;
3121                 else if (r_type == R_390_GOTOFF32)
3122 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3123                 break;
3124         case R_390_GOTPC:       /* 32 bit PC relative offset to GOT. */
3125         case R_390_GOTPCDBL:    /* 32 bit PC rel. off. to GOT shifted by 1. */
3126 -               val = (Elf_Addr) me->module_core + me->arch.got_offset +
3127 +               val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3128                         rela->r_addend - loc;
3129                 if (r_type == R_390_GOTPC)
3130                         *(unsigned int *) loc = val;
3131 diff -urNp linux-2.6.35.5/arch/s390/kernel/setup.c linux-2.6.35.5/arch/s390/kernel/setup.c
3132 --- linux-2.6.35.5/arch/s390/kernel/setup.c     2010-08-26 19:47:12.000000000 -0400
3133 +++ linux-2.6.35.5/arch/s390/kernel/setup.c     2010-09-17 20:12:09.000000000 -0400
3134 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3135  }
3136  early_param("mem", early_parse_mem);
3137  
3138 -unsigned int user_mode = HOME_SPACE_MODE;
3139 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3140  EXPORT_SYMBOL_GPL(user_mode);
3141  
3142  static int set_amode_and_uaccess(unsigned long user_amode,
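Review bot: The default of `user_mode` becomes `SECONDARY_SPACE_MODE` for every build, whereas the `noexec` handler removed further down selected that mode only under `CONFIG_S390_EXEC_PROTECT`; if the new default is meant to follow that option, the initializer needs the same `#ifdef`. The later hunks also drop the `switch_amode` and `noexec` early parameters, so an existing `noexec=off` on a kernel command line no longer has a handler in this file, and `user_mode=` is the only override still visible. A comment on the initializer, e.g. `/* execute protection on by default; override with user_mode= */`, plus a matching update to the boot-parameter documentation, would record the change.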
3143 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3144         }
3145  }
3146  
3147 -/*
3148 - * Switch kernel/user addressing modes?
3149 - */
3150 -static int __init early_parse_switch_amode(char *p)
3151 -{
3152 -       if (user_mode != SECONDARY_SPACE_MODE)
3153 -               user_mode = PRIMARY_SPACE_MODE;
3154 -       return 0;
3155 -}
3156 -early_param("switch_amode", early_parse_switch_amode);
3157 -
3158  static int __init early_parse_user_mode(char *p)
3159  {
3160         if (p && strcmp(p, "primary") == 0)
3161 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3162  }
3163  early_param("user_mode", early_parse_user_mode);
3164  
3165 -#ifdef CONFIG_S390_EXEC_PROTECT
3166 -/*
3167 - * Enable execute protection?
3168 - */
3169 -static int __init early_parse_noexec(char *p)
3170 -{
3171 -       if (!strncmp(p, "off", 3))
3172 -               return 0;
3173 -       user_mode = SECONDARY_SPACE_MODE;
3174 -       return 0;
3175 -}
3176 -early_param("noexec", early_parse_noexec);
3177 -#endif /* CONFIG_S390_EXEC_PROTECT */
3178 -
3179  static void setup_addressing_mode(void)
3180  {
3181         if (user_mode == SECONDARY_SPACE_MODE) {
3182 diff -urNp linux-2.6.35.5/arch/s390/mm/maccess.c linux-2.6.35.5/arch/s390/mm/maccess.c
3183 --- linux-2.6.35.5/arch/s390/mm/maccess.c       2010-08-26 19:47:12.000000000 -0400
3184 +++ linux-2.6.35.5/arch/s390/mm/maccess.c       2010-09-17 20:12:09.000000000 -0400
3185 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void 
3186         return rc ? rc : count;
3187  }
3188  
3189 -long probe_kernel_write(void *dst, void *src, size_t size)
3190 +long probe_kernel_write(void *dst, const void *src, size_t size)
3191  {
3192         long copied = 0;
3193  
3194 diff -urNp linux-2.6.35.5/arch/s390/mm/mmap.c linux-2.6.35.5/arch/s390/mm/mmap.c
3195 --- linux-2.6.35.5/arch/s390/mm/mmap.c  2010-08-26 19:47:12.000000000 -0400
3196 +++ linux-2.6.35.5/arch/s390/mm/mmap.c  2010-09-17 20:12:09.000000000 -0400
3197 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3198          */
3199         if (mmap_is_legacy()) {
3200                 mm->mmap_base = TASK_UNMAPPED_BASE;
3201 +
3202 +#ifdef CONFIG_PAX_RANDMMAP
3203 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3204 +                       mm->mmap_base += mm->delta_mmap;
3205 +#endif
3206 +
3207                 mm->get_unmapped_area = arch_get_unmapped_area;
3208                 mm->unmap_area = arch_unmap_area;
3209         } else {
3210                 mm->mmap_base = mmap_base();
3211 +
3212 +#ifdef CONFIG_PAX_RANDMMAP
3213 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3214 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3215 +#endif
3216 +
3217                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3218                 mm->unmap_area = arch_unmap_area_topdown;
3219         }
3220 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3221          */
3222         if (mmap_is_legacy()) {
3223                 mm->mmap_base = TASK_UNMAPPED_BASE;
3224 +
3225 +#ifdef CONFIG_PAX_RANDMMAP
3226 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3227 +                       mm->mmap_base += mm->delta_mmap;
3228 +#endif
3229 +
3230                 mm->get_unmapped_area = s390_get_unmapped_area;
3231                 mm->unmap_area = arch_unmap_area;
3232         } else {
3233                 mm->mmap_base = mmap_base();
3234 +
3235 +#ifdef CONFIG_PAX_RANDMMAP
3236 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
3237 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3238 +#endif
3239 +
3240                 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3241                 mm->unmap_area = arch_unmap_area_topdown;
3242         }
3243 diff -urNp linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c
3244 --- linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c       2010-08-26 19:47:12.000000000 -0400
3245 +++ linux-2.6.35.5/arch/sh/boards/mach-hp6xx/pm.c       2010-09-17 20:12:09.000000000 -0400
3246 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3247         return 0;
3248  }
3249  
3250 -static struct platform_suspend_ops hp6x0_pm_ops = {
3251 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3252         .enter          = hp6x0_pm_enter,
3253         .valid          = suspend_valid_only_mem,
3254  };
3255 diff -urNp linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h
3256 --- linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h    2010-08-26 19:47:12.000000000 -0400
3257 +++ linux-2.6.35.5/arch/sh/include/asm/dma-mapping.h    2010-09-17 20:12:09.000000000 -0400
3258 @@ -1,10 +1,10 @@
3259  #ifndef __ASM_SH_DMA_MAPPING_H
3260  #define __ASM_SH_DMA_MAPPING_H
3261  
3262 -extern struct dma_map_ops *dma_ops;
3263 +extern const struct dma_map_ops *dma_ops;
3264  extern void no_iommu_init(void);
3265  
3266 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3267 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3268  {
3269         return dma_ops;
3270  }
3271 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3272  
3273  static inline int dma_supported(struct device *dev, u64 mask)
3274  {
3275 -       struct dma_map_ops *ops = get_dma_ops(dev);
3276 +       const struct dma_map_ops *ops = get_dma_ops(dev);
3277  
3278         if (ops->dma_supported)
3279                 return ops->dma_supported(dev, mask);
3280 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3281  
3282  static inline int dma_set_mask(struct device *dev, u64 mask)
3283  {
3284 -       struct dma_map_ops *ops = get_dma_ops(dev);
3285 +       const struct dma_map_ops *ops = get_dma_ops(dev);
3286  
3287         if (!dev->dma_mask || !dma_supported(dev, mask))
3288                 return -EIO;
3289 @@ -59,7 +59,7 @@ static inline int dma_get_cache_alignmen
3290  
3291  static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3292  {
3293 -       struct dma_map_ops *ops = get_dma_ops(dev);
3294 +       const struct dma_map_ops *ops = get_dma_ops(dev);
3295  
3296         if (ops->mapping_error)
3297                 return ops->mapping_error(dev, dma_addr);
3298 @@ -70,7 +70,7 @@ static inline int dma_mapping_error(stru
3299  static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3300                                        dma_addr_t *dma_handle, gfp_t gfp)
3301  {
3302 -       struct dma_map_ops *ops = get_dma_ops(dev);
3303 +       const struct dma_map_ops *ops = get_dma_ops(dev);
3304         void *memory;
3305  
3306         if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3307 @@ -87,7 +87,7 @@ static inline void *dma_alloc_coherent(s
3308  static inline void dma_free_coherent(struct device *dev, size_t size,
3309                                      void *vaddr, dma_addr_t dma_handle)
3310  {
3311 -       struct dma_map_ops *ops = get_dma_ops(dev);
3312 +       const struct dma_map_ops *ops = get_dma_ops(dev);
3313  
3314         if (dma_release_from_coherent(dev, get_order(size), vaddr))
3315                 return;
3316 diff -urNp linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c
3317 --- linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c     2010-08-26 19:47:12.000000000 -0400
3318 +++ linux-2.6.35.5/arch/sh/kernel/cpu/shmobile/pm.c     2010-09-17 20:12:09.000000000 -0400
3319 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3320         return 0;
3321  }
3322  
3323 -static struct platform_suspend_ops sh_pm_ops = {
3324 +static const struct platform_suspend_ops sh_pm_ops = {
3325         .enter          = sh_pm_enter,
3326         .valid          = suspend_valid_only_mem,
3327  };
3328 diff -urNp linux-2.6.35.5/arch/sh/kernel/dma-nommu.c linux-2.6.35.5/arch/sh/kernel/dma-nommu.c
3329 --- linux-2.6.35.5/arch/sh/kernel/dma-nommu.c   2010-08-26 19:47:12.000000000 -0400
3330 +++ linux-2.6.35.5/arch/sh/kernel/dma-nommu.c   2010-09-17 20:12:09.000000000 -0400
3331 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device 
3332  }
3333  #endif
3334  
3335 -struct dma_map_ops nommu_dma_ops = {
3336 +const struct dma_map_ops nommu_dma_ops = {
3337         .alloc_coherent         = dma_generic_alloc_coherent,
3338         .free_coherent          = dma_generic_free_coherent,
3339         .map_page               = nommu_map_page,
3340 diff -urNp linux-2.6.35.5/arch/sh/kernel/kgdb.c linux-2.6.35.5/arch/sh/kernel/kgdb.c
3341 --- linux-2.6.35.5/arch/sh/kernel/kgdb.c        2010-08-26 19:47:12.000000000 -0400
3342 +++ linux-2.6.35.5/arch/sh/kernel/kgdb.c        2010-09-17 20:12:09.000000000 -0400
3343 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3344         unregister_die_notifier(&kgdb_notifier);
3345  }
3346  
3347 -struct kgdb_arch arch_kgdb_ops = {
3348 +const struct kgdb_arch arch_kgdb_ops = {
3349         /* Breakpoint instruction: trapa #0x3c */
3350  #ifdef CONFIG_CPU_LITTLE_ENDIAN
3351         .gdb_bpt_instr          = { 0x3c, 0xc3 },
3352 diff -urNp linux-2.6.35.5/arch/sh/mm/consistent.c linux-2.6.35.5/arch/sh/mm/consistent.c
3353 --- linux-2.6.35.5/arch/sh/mm/consistent.c      2010-08-26 19:47:12.000000000 -0400
3354 +++ linux-2.6.35.5/arch/sh/mm/consistent.c      2010-09-17 20:12:09.000000000 -0400
3355 @@ -22,7 +22,7 @@
3356  
3357  #define PREALLOC_DMA_DEBUG_ENTRIES     4096
3358  
3359 -struct dma_map_ops *dma_ops;
3360 +const struct dma_map_ops *dma_ops;
3361  EXPORT_SYMBOL(dma_ops);
3362  
3363  static int __init dma_init(void)
3364 diff -urNp linux-2.6.35.5/arch/sh/mm/mmap.c linux-2.6.35.5/arch/sh/mm/mmap.c
3365 --- linux-2.6.35.5/arch/sh/mm/mmap.c    2010-08-26 19:47:12.000000000 -0400
3366 +++ linux-2.6.35.5/arch/sh/mm/mmap.c    2010-09-17 20:12:09.000000000 -0400
3367 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3368                         addr = PAGE_ALIGN(addr);
3369  
3370                 vma = find_vma(mm, addr);
3371 -               if (TASK_SIZE - len >= addr &&
3372 -                   (!vma || addr + len <= vma->vm_start))
3373 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3374                         return addr;
3375         }
3376  
3377 @@ -106,7 +105,7 @@ full_search:
3378                         }
3379                         return -ENOMEM;
3380                 }
3381 -               if (likely(!vma || addr + len <= vma->vm_start)) {
3382 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
3383                         /*
3384                          * Remember the place where we stopped the search:
3385                          */
3386 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3387                         addr = PAGE_ALIGN(addr);
3388  
3389                 vma = find_vma(mm, addr);
3390 -               if (TASK_SIZE - len >= addr &&
3391 -                   (!vma || addr + len <= vma->vm_start))
3392 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3393                         return addr;
3394         }
3395  
3396 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3397         /* make sure it can fit in the remaining address space */
3398         if (likely(addr > len)) {
3399                 vma = find_vma(mm, addr-len);
3400 -               if (!vma || addr <= vma->vm_start) {
3401 +               if (check_heap_stack_gap(vma, addr - len, len)) {
3402                         /* remember the address as a hint for next time */
3403                         return (mm->free_area_cache = addr-len);
3404                 }
3405 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3406                  * return with success:
3407                  */
3408                 vma = find_vma(mm, addr);
3409 -               if (likely(!vma || addr+len <= vma->vm_start)) {
3410 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
3411                         /* remember the address as a hint for next time */
3412                         return (mm->free_area_cache = addr);
3413                 }
3414 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h
3415 --- linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h   2010-08-26 19:47:12.000000000 -0400
3416 +++ linux-2.6.35.5/arch/sparc/include/asm/atomic_64.h   2010-09-17 20:12:09.000000000 -0400
3417 @@ -14,18 +14,40 @@
3418  #define ATOMIC64_INIT(i)       { (i) }
3419  
3420  #define atomic_read(v)         (*(volatile int *)&(v)->counter)
3421 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3422 +{
3423 +       return v->counter;
3424 +}
3425  #define atomic64_read(v)       (*(volatile long *)&(v)->counter)
3426 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3427 +{
3428 +       return v->counter;
3429 +}
3430  
3431  #define atomic_set(v, i)       (((v)->counter) = i)
3432 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3433 +{
3434 +       v->counter = i;
3435 +}
3436  #define atomic64_set(v, i)     (((v)->counter) = i)
3437 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3438 +{
3439 +       v->counter = i;
3440 +}
3441  
3442  extern void atomic_add(int, atomic_t *);
3443 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3444  extern void atomic64_add(long, atomic64_t *);
3445 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3446  extern void atomic_sub(int, atomic_t *);
3447 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3448  extern void atomic64_sub(long, atomic64_t *);
3449 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3450  
3451  extern int atomic_add_ret(int, atomic_t *);
3452 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3453  extern long atomic64_add_ret(long, atomic64_t *);
3454 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3455  extern int atomic_sub_ret(int, atomic_t *);
3456  extern long atomic64_sub_ret(long, atomic64_t *);
3457  
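Review bot: `atomic_read_unchecked()` and `atomic64_read_unchecked()` return `v->counter` through a plain load, while the `atomic_read`/`atomic64_read` macros next to them force a `volatile` access. Unless `atomic_unchecked_t` declares `counter` as volatile (its definition is not in this hunk), the compiler may cache or hoist the read in a polling loop. Matching the checked variants would be `return *(volatile const int *)&v->counter;` and `return *(volatile const long *)&v->counter;`.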
3458 @@ -33,7 +55,15 @@ extern long atomic64_sub_ret(long, atomi
3459  #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3460  
3461  #define atomic_inc_return(v) atomic_add_ret(1, v)
3462 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3463 +{
3464 +       return atomic_add_ret_unchecked(1, v);
3465 +}
3466  #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3467 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3468 +{
3469 +       return atomic64_add_ret_unchecked(1, v);
3470 +}
3471  
3472  #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3473  #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3474 @@ -59,10 +89,26 @@ extern long atomic64_sub_ret(long, atomi
3475  #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3476  
3477  #define atomic_inc(v) atomic_add(1, v)
3478 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3479 +{
3480 +       atomic_add_unchecked(1, v);
3481 +}
3482  #define atomic64_inc(v) atomic64_add(1, v)
3483 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3484 +{
3485 +       atomic64_add_unchecked(1, v);
3486 +}
3487  
3488  #define atomic_dec(v) atomic_sub(1, v)
3489 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3490 +{
3491 +       atomic_sub_unchecked(1, v);
3492 +}
3493  #define atomic64_dec(v) atomic64_sub(1, v)
3494 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3495 +{
3496 +       atomic64_sub_unchecked(1, v);
3497 +}
3498  
3499  #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3500  #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3501 @@ -72,17 +118,28 @@ extern long atomic64_sub_ret(long, atomi
3502  
3503  static inline int atomic_add_unless(atomic_t *v, int a, int u)
3504  {
3505 -       int c, old;
3506 +       int c, old, new;
3507         c = atomic_read(v);
3508         for (;;) {
3509 -               if (unlikely(c == (u)))
3510 +               if (unlikely(c == u))
3511                         break;
3512 -               old = atomic_cmpxchg((v), c, c + (a));
3513 +
3514 +               asm volatile("addcc %2, %0, %0\n"
3515 +
3516 +#ifdef CONFIG_PAX_REFCOUNT
3517 +                            "tvs %%icc, 6\n"
3518 +#endif
3519 +
3520 +                            : "=r" (new)
3521 +                            : "0" (c), "ir" (a)
3522 +                            : "cc");
3523 +
3524 +               old = atomic_cmpxchg(v, c, new);
3525                 if (likely(old == c))
3526                         break;
3527                 c = old;
3528         }
3529 -       return c != (u);
3530 +       return c != u;
3531  }
3532  
3533  #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
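Review bot: The trap number in `tvs %%icc, 6` is a bare literal that has to match the `lvl == 6` test added to `bad_trap()` and `bad_trap_tl1()` in traps_64.c, and nothing ties the two together. The same literal is repeated in `atomic64_add_unless`, in the spinlock_64.h read-lock hunks and in atomic_64.S. A shared named constant (for example a `PAX_REFCOUNT_TRAP` define; the name is only a suggestion) would keep the emitter and the handler in sync. A one-line comment such as `/* trap on signed overflow before the cmpxchg can store the wrapped value */` would also explain why `addcc` replaces the plain C addition.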
3534 @@ -93,17 +150,28 @@ static inline int atomic_add_unless(atom
3535  
3536  static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3537  {
3538 -       long c, old;
3539 +       long c, old, new;
3540         c = atomic64_read(v);
3541         for (;;) {
3542 -               if (unlikely(c == (u)))
3543 +               if (unlikely(c == u))
3544                         break;
3545 -               old = atomic64_cmpxchg((v), c, c + (a));
3546 +
3547 +               asm volatile("addcc %2, %0, %0\n"
3548 +
3549 +#ifdef CONFIG_PAX_REFCOUNT
3550 +                            "tvs %%xcc, 6\n"
3551 +#endif
3552 +
3553 +                            : "=r" (new)
3554 +                            : "0" (c), "ir" (a)
3555 +                            : "cc");
3556 +
3557 +               old = atomic64_cmpxchg(v, c, new);
3558                 if (likely(old == c))
3559                         break;
3560                 c = old;
3561         }
3562 -       return c != (u);
3563 +       return c != u;
3564  }
3565  
3566  #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3567 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h
3568 --- linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h 2010-08-26 19:47:12.000000000 -0400
3569 +++ linux-2.6.35.5/arch/sparc/include/asm/dma-mapping.h 2010-09-17 20:12:09.000000000 -0400
3570 @@ -13,10 +13,10 @@ extern int dma_supported(struct device *
3571  #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3572  #define dma_is_consistent(d, h)        (1)
3573  
3574 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3575 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3576  extern struct bus_type pci_bus_type;
3577  
3578 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3579 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3580  {
3581  #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3582         if (dev->bus == &pci_bus_type)
3583 @@ -30,7 +30,7 @@ static inline struct dma_map_ops *get_dm
3584  static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3585                                        dma_addr_t *dma_handle, gfp_t flag)
3586  {
3587 -       struct dma_map_ops *ops = get_dma_ops(dev);
3588 +       const struct dma_map_ops *ops = get_dma_ops(dev);
3589         void *cpu_addr;
3590  
3591         cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3592 @@ -41,7 +41,7 @@ static inline void *dma_alloc_coherent(s
3593  static inline void dma_free_coherent(struct device *dev, size_t size,
3594                                      void *cpu_addr, dma_addr_t dma_handle)
3595  {
3596 -       struct dma_map_ops *ops = get_dma_ops(dev);
3597 +       const struct dma_map_ops *ops = get_dma_ops(dev);
3598  
3599         debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3600         ops->free_coherent(dev, size, cpu_addr, dma_handle);
3601 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/elf_32.h linux-2.6.35.5/arch/sparc/include/asm/elf_32.h
3602 --- linux-2.6.35.5/arch/sparc/include/asm/elf_32.h      2010-08-26 19:47:12.000000000 -0400
3603 +++ linux-2.6.35.5/arch/sparc/include/asm/elf_32.h      2010-09-17 20:12:09.000000000 -0400
3604 @@ -114,6 +114,13 @@ typedef struct {
3605  
3606  #define ELF_ET_DYN_BASE         (TASK_UNMAPPED_BASE)
3607  
3608 +#ifdef CONFIG_PAX_ASLR
3609 +#define PAX_ELF_ET_DYN_BASE    0x10000UL
3610 +
3611 +#define PAX_DELTA_MMAP_LEN     16
3612 +#define PAX_DELTA_STACK_LEN    16
3613 +#endif
3614 +
3615  /* This yields a mask that user programs can use to figure out what
3616     instruction set this cpu supports.  This can NOT be done in userspace
3617     on Sparc.  */
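Review bot: `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` are added as bare numbers with no statement of what they measure. They look like the number of randomized bits for the mmap and stack bases, but nothing in this hunk or in the elf_64.h hunk that follows confirms that. A short comment above the block stating the unit and why the 32-bit values differ from the 64-bit ones would let a reader judge the resulting entropy without reading the code that consumes them.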
3618 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/elf_64.h linux-2.6.35.5/arch/sparc/include/asm/elf_64.h
3619 --- linux-2.6.35.5/arch/sparc/include/asm/elf_64.h      2010-08-26 19:47:12.000000000 -0400
3620 +++ linux-2.6.35.5/arch/sparc/include/asm/elf_64.h      2010-09-17 20:12:09.000000000 -0400
3621 @@ -162,6 +162,12 @@ typedef struct {
3622  #define ELF_ET_DYN_BASE                0x0000010000000000UL
3623  #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3624  
3625 +#ifdef CONFIG_PAX_ASLR
3626 +#define PAX_ELF_ET_DYN_BASE    (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3627 +
3628 +#define PAX_DELTA_MMAP_LEN     (test_thread_flag(TIF_32BIT) ? 14 : 28)
3629 +#define PAX_DELTA_STACK_LEN    (test_thread_flag(TIF_32BIT) ? 15 : 29)
3630 +#endif
3631  
3632  /* This yields a mask that user programs can use to figure out what
3633     instruction set this cpu supports.  */
3634 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h
3635 --- linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h  2010-08-26 19:47:12.000000000 -0400
3636 +++ linux-2.6.35.5/arch/sparc/include/asm/pgtable_32.h  2010-09-17 20:12:09.000000000 -0400
3637 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3638  BTFIXUPDEF_INT(page_none)
3639  BTFIXUPDEF_INT(page_copy)
3640  BTFIXUPDEF_INT(page_readonly)
3641 +
3642 +#ifdef CONFIG_PAX_PAGEEXEC
3643 +BTFIXUPDEF_INT(page_shared_noexec)
3644 +BTFIXUPDEF_INT(page_copy_noexec)
3645 +BTFIXUPDEF_INT(page_readonly_noexec)
3646 +#endif
3647 +
3648  BTFIXUPDEF_INT(page_kernel)
3649  
3650  #define PMD_SHIFT              SUN4C_PMD_SHIFT
3651 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3652  #define PAGE_COPY      __pgprot(BTFIXUP_INT(page_copy))
3653  #define PAGE_READONLY  __pgprot(BTFIXUP_INT(page_readonly))
3654  
3655 +#ifdef CONFIG_PAX_PAGEEXEC
3656 +extern pgprot_t PAGE_SHARED_NOEXEC;
3657 +# define PAGE_COPY_NOEXEC      __pgprot(BTFIXUP_INT(page_copy_noexec))
3658 +# define PAGE_READONLY_NOEXEC  __pgprot(BTFIXUP_INT(page_readonly_noexec))
3659 +#else
3660 +# define PAGE_SHARED_NOEXEC    PAGE_SHARED
3661 +# define PAGE_COPY_NOEXEC      PAGE_COPY
3662 +# define PAGE_READONLY_NOEXEC  PAGE_READONLY
3663 +#endif
3664 +
3665  extern unsigned long page_kernel;
3666  
3667  #ifdef MODULE
3668 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h
3669 --- linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h    2010-08-26 19:47:12.000000000 -0400
3670 +++ linux-2.6.35.5/arch/sparc/include/asm/pgtsrmmu.h    2010-09-17 20:12:09.000000000 -0400
3671 @@ -115,6 +115,13 @@
3672                                     SRMMU_EXEC | SRMMU_REF)
3673  #define SRMMU_PAGE_RDONLY  __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3674                                     SRMMU_EXEC | SRMMU_REF)
3675 +
3676 +#ifdef CONFIG_PAX_PAGEEXEC
3677 +#define SRMMU_PAGE_SHARED_NOEXEC       __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3678 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3679 +#define SRMMU_PAGE_RDONLY_NOEXEC       __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3680 +#endif
3681 +
3682  #define SRMMU_PAGE_KERNEL  __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3683                                     SRMMU_DIRTY | SRMMU_REF)
3684  
3685 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h
3686 --- linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h 2010-08-26 19:47:12.000000000 -0400
3687 +++ linux-2.6.35.5/arch/sparc/include/asm/spinlock_64.h 2010-09-17 20:12:09.000000000 -0400
3688 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3689         __asm__ __volatile__ (
3690  "1:    ldsw            [%2], %0\n"
3691  "      brlz,pn         %0, 2f\n"
3692 -"4:     add            %0, 1, %1\n"
3693 +"4:     addcc          %0, 1, %1\n"
3694 +
3695 +#ifdef CONFIG_PAX_REFCOUNT
3696 +"      tvs             %%icc, 6\n"
3697 +#endif
3698 +
3699  "      cas             [%2], %0, %1\n"
3700  "      cmp             %0, %1\n"
3701  "      bne,pn          %%icc, 1b\n"
3702 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3703  "      .previous"
3704         : "=&r" (tmp1), "=&r" (tmp2)
3705         : "r" (lock)
3706 -       : "memory");
3707 +       : "memory", "cc");
3708  }
3709  
3710  static int inline arch_read_trylock(arch_rwlock_t *lock)
3711 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3712  "1:    ldsw            [%2], %0\n"
3713  "      brlz,a,pn       %0, 2f\n"
3714  "       mov            0, %0\n"
3715 -"      add             %0, 1, %1\n"
3716 +"      addcc           %0, 1, %1\n"
3717 +
3718 +#ifdef CONFIG_PAX_REFCOUNT
3719 +"      tvs             %%icc, 6\n"
3720 +#endif
3721 +
3722  "      cas             [%2], %0, %1\n"
3723  "      cmp             %0, %1\n"
3724  "      bne,pn          %%icc, 1b\n"
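Review bot: `arch_read_trylock` now executes `addcc`, and `arch_read_unlock` in the next hunk executes `subcc`, but only `arch_read_lock` has a hunk adding `"cc"` to its clobber list. The clobber lists of the other two functions lie outside the visible hunks. If they still name only `"memory"`, they should get the same `: "memory", "cc");` change for consistency.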
3725 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3726  
3727         __asm__ __volatile__(
3728  "1:    lduw    [%2], %0\n"
3729 -"      sub     %0, 1, %1\n"
3730 +"      subcc   %0, 1, %1\n"
3731 +
3732 +#ifdef CONFIG_PAX_REFCOUNT
3733 +"      tvs     %%icc, 6\n"
3734 +#endif
3735 +
3736  "      cas     [%2], %0, %1\n"
3737  "      cmp     %0, %1\n"
3738  "      bne,pn  %%xcc, 1b\n"
3739 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h
3740 --- linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h  2010-08-26 19:47:12.000000000 -0400
3741 +++ linux-2.6.35.5/arch/sparc/include/asm/uaccess_32.h  2010-09-17 20:12:09.000000000 -0400
3742 @@ -249,14 +249,25 @@ extern unsigned long __copy_user(void __
3743  
3744  static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3745  {
3746 -       if (n && __access_ok((unsigned long) to, n))
3747 +       if ((long)n < 0)
3748 +               return n;
3749 +
3750 +       if (n && __access_ok((unsigned long) to, n)) {
3751 +               if (!__builtin_constant_p(n))
3752 +                       check_object_size(from, n, true);
3753                 return __copy_user(to, (__force void __user *) from, n);
3754 -       else
3755 +       } else
3756                 return n;
3757  }
3758  
3759  static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3760  {
3761 +       if ((long)n < 0)
3762 +               return n;
3763 +
3764 +       if (!__builtin_constant_p(n))
3765 +               check_object_size(from, n, true);
3766 +
3767         return __copy_user(to, (__force void __user *) from, n);
3768  }
3769  
3770 @@ -272,19 +283,27 @@ static inline unsigned long copy_from_us
3771  {
3772         int sz = __compiletime_object_size(to);
3773  
3774 +       if ((long)n < 0)
3775 +               return n;
3776 +
3777         if (unlikely(sz != -1 && sz < n)) {
3778                 copy_from_user_overflow();
3779                 return n;
3780         }
3781  
3782 -       if (n && __access_ok((unsigned long) from, n))
3783 +       if (n && __access_ok((unsigned long) from, n)) {
3784 +               if (!__builtin_constant_p(n))
3785 +                       check_object_size(to, n, false);
3786                 return __copy_user((__force void __user *) to, from, n);
3787 -       else
3788 +       } else
3789                 return n;
3790  }
3791  
3792  static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3793  {
3794 +       if ((long)n < 0)
3795 +               return n;
3796 +
3797         return __copy_user((__force void __user *) to, from, n);
3798  }
3799  
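Review bot: `__copy_from_user()` gains only the `(long)n < 0` test and no `check_object_size()` call, unlike `copy_from_user()` in this hunk and `__copy_to_user()` in the previous one. Code that calls the double-underscore variant directly therefore skips the destination-object bounds check that the other three helpers now perform. Adding `if (!__builtin_constant_p(n))` and `check_object_size(to, n, false);` before the `__copy_user()` call would make the four helpers consistent. The start of `copy_from_user()` lies outside the hunk.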
3800 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h
3801 --- linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h  2010-08-26 19:47:12.000000000 -0400
3802 +++ linux-2.6.35.5/arch/sparc/include/asm/uaccess_64.h  2010-09-17 20:12:09.000000000 -0400
3803 @@ -10,6 +10,7 @@
3804  #include <linux/compiler.h>
3805  #include <linux/string.h>
3806  #include <linux/thread_info.h>
3807 +#include <linux/kernel.h>
3808  #include <asm/asi.h>
3809  #include <asm/system.h>
3810  #include <asm/spitfire.h>
3811 @@ -224,6 +225,12 @@ copy_from_user(void *to, const void __us
3812         int sz = __compiletime_object_size(to);
3813         unsigned long ret = size;
3814  
3815 +       if ((long)size < 0 || size > INT_MAX)
3816 +               return size;
3817 +
3818 +       if (!__builtin_constant_p(size))
3819 +               check_object_size(to, size, false);
3820 +
3821         if (likely(sz == -1 || sz >= size)) {
3822                 ret = ___copy_from_user(to, from, size);
3823                 if (unlikely(ret))
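Review bot: In `if ((long)size < 0 || size > INT_MAX)` the first test is redundant, because `size` is an `unsigned long` and any value with the top bit set is already greater than `INT_MAX`. `if (size > INT_MAX)` expresses the same check, and the same applies to the `copy_to_user()` hunk that follows. A brief comment such as `/* lengths above INT_MAX are treated as bogus and rejected */` would record why the cap exists. The body of `copy_from_user()` starts and ends outside the hunk.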
3824 @@ -243,8 +250,15 @@ extern unsigned long copy_to_user_fixup(
3825  static inline unsigned long __must_check
3826  copy_to_user(void __user *to, const void *from, unsigned long size)
3827  {
3828 -       unsigned long ret = ___copy_to_user(to, from, size);
3829 +       unsigned long ret;
3830 +
3831 +       if ((long)size < 0 || size > INT_MAX)
3832 +               return size;
3833 +
3834 +       if (!__builtin_constant_p(size))
3835 +               check_object_size(from, size, true);
3836  
3837 +       ret = ___copy_to_user(to, from, size);
3838         if (unlikely(ret))
3839                 ret = copy_to_user_fixup(to, from, size);
3840         return ret;
3841 diff -urNp linux-2.6.35.5/arch/sparc/include/asm/uaccess.h linux-2.6.35.5/arch/sparc/include/asm/uaccess.h
3842 --- linux-2.6.35.5/arch/sparc/include/asm/uaccess.h     2010-08-26 19:47:12.000000000 -0400
3843 +++ linux-2.6.35.5/arch/sparc/include/asm/uaccess.h     2010-09-17 20:12:09.000000000 -0400
3844 @@ -1,5 +1,13 @@
3845  #ifndef ___ASM_SPARC_UACCESS_H
3846  #define ___ASM_SPARC_UACCESS_H
3847 +
3848 +#ifdef __KERNEL__
3849 +#ifndef __ASSEMBLY__
3850 +#include <linux/types.h>
3851 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3852 +#endif
3853 +#endif
3854 +
3855  #if defined(__sparc__) && defined(__arch64__)
3856  #include <asm/uaccess_64.h>
3857  #else
3858 diff -urNp linux-2.6.35.5/arch/sparc/kernel/iommu.c linux-2.6.35.5/arch/sparc/kernel/iommu.c
3859 --- linux-2.6.35.5/arch/sparc/kernel/iommu.c    2010-08-26 19:47:12.000000000 -0400
3860 +++ linux-2.6.35.5/arch/sparc/kernel/iommu.c    2010-09-17 20:12:09.000000000 -0400
3861 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3862         spin_unlock_irqrestore(&iommu->lock, flags);
3863  }
3864  
3865 -static struct dma_map_ops sun4u_dma_ops = {
3866 +static const struct dma_map_ops sun4u_dma_ops = {
3867         .alloc_coherent         = dma_4u_alloc_coherent,
3868         .free_coherent          = dma_4u_free_coherent,
3869         .map_page               = dma_4u_map_page,
3870 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops 
3871         .sync_sg_for_cpu        = dma_4u_sync_sg_for_cpu,
3872  };
3873  
3874 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3875 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3876  EXPORT_SYMBOL(dma_ops);
3877  
3878  extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
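Review bot: `const struct dma_map_ops *dma_ops` makes the pointed-to table read-only but leaves the exported `dma_ops` pointer itself writable, so the indirection through `get_dma_ops()` can still be redirected by a stray or malicious write. If no later code reassigns it, `const struct dma_map_ops *const dma_ops = &sun4u_dma_ops;` (with the matching `extern` in dma-mapping.h) would close that gap. If it is reassigned during boot, which cannot be seen from this hunk, a comment stating that the pointer is deliberately left writable would help. The same declaration appears in the ioport.c hunk below.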
3879 diff -urNp linux-2.6.35.5/arch/sparc/kernel/ioport.c linux-2.6.35.5/arch/sparc/kernel/ioport.c
3880 --- linux-2.6.35.5/arch/sparc/kernel/ioport.c   2010-08-26 19:47:12.000000000 -0400
3881 +++ linux-2.6.35.5/arch/sparc/kernel/ioport.c   2010-09-17 20:12:09.000000000 -0400
3882 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3883         BUG();
3884  }
3885  
3886 -struct dma_map_ops sbus_dma_ops = {
3887 +const struct dma_map_ops sbus_dma_ops = {
3888         .alloc_coherent         = sbus_alloc_coherent,
3889         .free_coherent          = sbus_free_coherent,
3890         .map_page               = sbus_map_page,
3891 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3892         .sync_sg_for_device     = sbus_sync_sg_for_device,
3893  };
3894  
3895 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
3896 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
3897  EXPORT_SYMBOL(dma_ops);
3898  
3899  static int __init sparc_register_ioport(void)
3900 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
3901         }
3902  }
3903  
3904 -struct dma_map_ops pci32_dma_ops = {
3905 +const struct dma_map_ops pci32_dma_ops = {
3906         .alloc_coherent         = pci32_alloc_coherent,
3907         .free_coherent          = pci32_free_coherent,
3908         .map_page               = pci32_map_page,
3909 diff -urNp linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c
3910 --- linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c  2010-08-26 19:47:12.000000000 -0400
3911 +++ linux-2.6.35.5/arch/sparc/kernel/kgdb_32.c  2010-09-17 20:12:09.000000000 -0400
3912 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3913         regs->npc = regs->pc + 4;
3914  }
3915  
3916 -struct kgdb_arch arch_kgdb_ops = {
3917 +const struct kgdb_arch arch_kgdb_ops = {
3918         /* Breakpoint instruction: ta 0x7d */
3919         .gdb_bpt_instr          = { 0x91, 0xd0, 0x20, 0x7d },
3920  };
3921 diff -urNp linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c
3922 --- linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c  2010-08-26 19:47:12.000000000 -0400
3923 +++ linux-2.6.35.5/arch/sparc/kernel/kgdb_64.c  2010-09-17 20:12:09.000000000 -0400
3924 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
3925         regs->tnpc = regs->tpc + 4;
3926  }
3927  
3928 -struct kgdb_arch arch_kgdb_ops = {
3929 +const struct kgdb_arch arch_kgdb_ops = {
3930         /* Breakpoint instruction: ta 0x72 */
3931         .gdb_bpt_instr          = { 0x91, 0xd0, 0x20, 0x72 },
3932  };
3933 diff -urNp linux-2.6.35.5/arch/sparc/kernel/Makefile linux-2.6.35.5/arch/sparc/kernel/Makefile
3934 --- linux-2.6.35.5/arch/sparc/kernel/Makefile   2010-08-26 19:47:12.000000000 -0400
3935 +++ linux-2.6.35.5/arch/sparc/kernel/Makefile   2010-09-17 20:12:09.000000000 -0400
3936 @@ -3,7 +3,7 @@
3937  #
3938  
3939  asflags-y := -ansi
3940 -ccflags-y := -Werror
3941 +#ccflags-y := -Werror
3942  
3943  extra-y     := head_$(BITS).o
3944  extra-y     += init_task.o
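Review bot: Commenting out `ccflags-y := -Werror` makes every warning in arch/sparc/kernel non-fatal again, which is a wide side effect for what is probably a workaround for qualifier warnings caused by the `const` changes elsewhere in this patch. Fixing the remaining warnings would allow the flag to stay. If it has to go, delete the line and add the reason, e.g. `# -Werror dropped: constified ops tables still produce warnings`, rather than leaving a dead assignment behind.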
3945 diff -urNp linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c
3946 --- linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c        2010-08-26 19:47:12.000000000 -0400
3947 +++ linux-2.6.35.5/arch/sparc/kernel/pci_sun4v.c        2010-09-17 20:12:09.000000000 -0400
3948 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
3949         spin_unlock_irqrestore(&iommu->lock, flags);
3950  }
3951  
3952 -static struct dma_map_ops sun4v_dma_ops = {
3953 +static const struct dma_map_ops sun4v_dma_ops = {
3954         .alloc_coherent                 = dma_4v_alloc_coherent,
3955         .free_coherent                  = dma_4v_free_coherent,
3956         .map_page                       = dma_4v_map_page,
3957 diff -urNp linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c
3958 --- linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c     2010-08-26 19:47:12.000000000 -0400
3959 +++ linux-2.6.35.5/arch/sparc/kernel/sys_sparc_32.c     2010-09-17 20:12:09.000000000 -0400
3960 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
3961         if (ARCH_SUN4C && len > 0x20000000)
3962                 return -ENOMEM;
3963         if (!addr)
3964 -               addr = TASK_UNMAPPED_BASE;
3965 +               addr = current->mm->mmap_base;
3966  
3967         if (flags & MAP_SHARED)
3968                 addr = COLOUR_ALIGN(addr);
3969 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
3970                 }
3971                 if (TASK_SIZE - PAGE_SIZE - len < addr)
3972                         return -ENOMEM;
3973 -               if (!vmm || addr + len <= vmm->vm_start)
3974 +               if (check_heap_stack_gap(vmm, addr, len))
3975                         return addr;
3976                 addr = vmm->vm_end;
3977                 if (flags & MAP_SHARED)
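Review bot: `addr = vmm->vm_end;` is now reached whenever `check_heap_stack_gap(vmm, addr, len)` returns false, so it depends on that helper returning true for a NULL `vmm`; the removed `!vmm ||` test made that explicit. The helper is defined outside this view, so the guarantee cannot be confirmed from here. Either keep the guard visible with `if (!vmm || check_heap_stack_gap(vmm, addr, len))`, or add a call-site comment such as `/* check_heap_stack_gap() must return true for vma == NULL */`. The same reliance applies to the converted search loops in sys_sparc_64.c and arch/sh/mm/mmap.c. The loop body continues outside the hunk.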
3978 diff -urNp linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c
3979 --- linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c     2010-08-26 19:47:12.000000000 -0400
3980 +++ linux-2.6.35.5/arch/sparc/kernel/sys_sparc_64.c     2010-09-17 20:12:09.000000000 -0400
3981 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
3982                 /* We do not accept a shared mapping if it would violate
3983                  * cache aliasing constraints.
3984                  */
3985 -               if ((flags & MAP_SHARED) &&
3986 +               if ((filp || (flags & MAP_SHARED)) &&
3987                     ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
3988                         return -EINVAL;
3989                 return addr;
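Review bot: The comment above the test still says "We do not accept a shared mapping", but the condition `(filp || (flags & MAP_SHARED))` now also rejects file-backed private requests whose address is not SHMLBA-congruent with `pgoff`. That changes which fixed-address mappings succeed for userspace, so the comment should say so, e.g. `/* We do not accept a file-backed or shared mapping if it would violate cache aliasing constraints. */`. The identical change in `arch_get_unmapped_area_topdown` needs the same wording. The enclosing branch starts outside the hunk.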
3990 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
3991         if (filp || (flags & MAP_SHARED))
3992                 do_color_align = 1;
3993  
3994 +#ifdef CONFIG_PAX_RANDMMAP
3995 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
3996 +#endif
3997 +
3998         if (addr) {
3999                 if (do_color_align)
4000                         addr = COLOUR_ALIGN(addr, pgoff);
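Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and silently governs the `if (addr) {` block that follows the blank line. A statement inserted between the two later would change which code the flag controls without any compiler warning. A comment on the guard, e.g. `/* with RANDMMAP set, the caller's address hint below is skipped */`, and removing the blank line after `#endif` would make the coupling visible. The `if (addr)` block closes outside the hunk.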
4001 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4002                         addr = PAGE_ALIGN(addr);
4003  
4004                 vma = find_vma(mm, addr);
4005 -               if (task_size - len >= addr &&
4006 -                   (!vma || addr + len <= vma->vm_start))
4007 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4008                         return addr;
4009         }
4010  
4011         if (len > mm->cached_hole_size) {
4012 -               start_addr = addr = mm->free_area_cache;
4013 +               start_addr = addr = mm->free_area_cache;
4014         } else {
4015 -               start_addr = addr = TASK_UNMAPPED_BASE;
4016 +               start_addr = addr = mm->mmap_base;
4017                 mm->cached_hole_size = 0;
4018         }
4019  
4020 @@ -174,14 +177,14 @@ full_search:
4021                         vma = find_vma(mm, VA_EXCLUDE_END);
4022                 }
4023                 if (unlikely(task_size < addr)) {
4024 -                       if (start_addr != TASK_UNMAPPED_BASE) {
4025 -                               start_addr = addr = TASK_UNMAPPED_BASE;
4026 +                       if (start_addr != mm->mmap_base) {
4027 +                               start_addr = addr = mm->mmap_base;
4028                                 mm->cached_hole_size = 0;
4029                                 goto full_search;
4030                         }
4031                         return -ENOMEM;
4032                 }
4033 -               if (likely(!vma || addr + len <= vma->vm_start)) {
4034 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
4035                         /*
4036                          * Remember the place where we stopped the search:
4037                          */
4038 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4039                 /* We do not accept a shared mapping if it would violate
4040                  * cache aliasing constraints.
4041                  */
4042 -               if ((flags & MAP_SHARED) &&
4043 +               if ((filp || (flags & MAP_SHARED)) &&
4044                     ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4045                         return -EINVAL;
4046                 return addr;
4047 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4048                         addr = PAGE_ALIGN(addr);
4049  
4050                 vma = find_vma(mm, addr);
4051 -               if (task_size - len >= addr &&
4052 -                   (!vma || addr + len <= vma->vm_start))
4053 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4054                         return addr;
4055         }
4056  
4057 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4058         /* make sure it can fit in the remaining address space */
4059         if (likely(addr > len)) {
4060                 vma = find_vma(mm, addr-len);
4061 -               if (!vma || addr <= vma->vm_start) {
4062 +               if (check_heap_stack_gap(vma, addr - len, len)) {
4063                         /* remember the address as a hint for next time */
4064                         return (mm->free_area_cache = addr-len);
4065                 }
4066 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4067                  * return with success:
4068                  */
4069                 vma = find_vma(mm, addr);
4070 -               if (likely(!vma || addr+len <= vma->vm_start)) {
4071 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
4072                         /* remember the address as a hint for next time */
4073                         return (mm->free_area_cache = addr);
4074                 }
4075 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4076             gap == RLIM_INFINITY ||
4077             sysctl_legacy_va_layout) {
4078                 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4079 +
4080 +#ifdef CONFIG_PAX_RANDMMAP
4081 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
4082 +                       mm->mmap_base += mm->delta_mmap;
4083 +#endif
4084 +
4085                 mm->get_unmapped_area = arch_get_unmapped_area;
4086                 mm->unmap_area = arch_unmap_area;
4087         } else {
4088 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4089                         gap = (task_size / 6 * 5);
4090  
4091                 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4092 +
4093 +#ifdef CONFIG_PAX_RANDMMAP
4094 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
4095 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4096 +#endif
4097 +
4098                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4099                 mm->unmap_area = arch_unmap_area_topdown;
4100         }
4101 diff -urNp linux-2.6.35.5/arch/sparc/kernel/traps_64.c linux-2.6.35.5/arch/sparc/kernel/traps_64.c
4102 --- linux-2.6.35.5/arch/sparc/kernel/traps_64.c 2010-08-26 19:47:12.000000000 -0400
4103 +++ linux-2.6.35.5/arch/sparc/kernel/traps_64.c 2010-09-17 20:12:09.000000000 -0400
4104 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4105  
4106         lvl -= 0x100;
4107         if (regs->tstate & TSTATE_PRIV) {
4108 +
4109 +#ifdef CONFIG_PAX_REFCOUNT
4110 +               if (lvl == 6)
4111 +                       pax_report_refcount_overflow(regs);
4112 +#endif
4113 +
4114                 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4115                 die_if_kernel(buffer, regs);
4116         }
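Review bot: The bare `6` in `if (lvl == 6)` is the software trap number that the `tvs %icc, 6` and `tvs %xcc, 6` instructions added in atomic_64.S and rwsem_64.S raise, and nothing ties the C and assembly sides together. The same literal appears again in bad_trap_tl1 in the next hunk. A named constant in a header that both the C and the .S files include would prevent the two from drifting apart, for example `if (lvl == PAX_REFCOUNT_TRAP)` (name proposed here, not taken from the patch). Failing that, add a comment at each site such as `/* sw trap 6: raised by tvs in the checked atomic/rwsem ops */`. bad_trap begins before this hunk.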
4117 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4118  void bad_trap_tl1(struct pt_regs *regs, long lvl)
4119  {
4120         char buffer[32];
4121 -       
4122 +
4123         if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4124                        0, lvl, SIGTRAP) == NOTIFY_STOP)
4125                 return;
4126  
4127 +#ifdef CONFIG_PAX_REFCOUNT
4128 +       if (lvl == 6)
4129 +               pax_report_refcount_overflow(regs);
4130 +#endif
4131 +
4132         dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4133  
4134         sprintf (buffer, "Bad trap %lx at tl>0", lvl);
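Review bot: In bad_trap_tl1 the new `if (lvl == 6)` compares `lvl` as passed in, whereas bad_trap in the previous hunk makes the same comparison only after `lvl -= 0x100`. No such adjustment is visible between the start of bad_trap_tl1 and the check. If the TL>0 trap entry passes the raw trap type, the comparison would have to be `if (lvl == 0x100 + 6)` to match the trap raised by `tvs ..., 6`, and as written the refcount report would never fire on this path. Please confirm what the caller passes and either adjust the constant or add a comment stating that `lvl` is already relative to the software-trap base here. The function continues past the end of the hunk.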
4135 diff -urNp linux-2.6.35.5/arch/sparc/lib/atomic_64.S linux-2.6.35.5/arch/sparc/lib/atomic_64.S
4136 --- linux-2.6.35.5/arch/sparc/lib/atomic_64.S   2010-08-26 19:47:12.000000000 -0400
4137 +++ linux-2.6.35.5/arch/sparc/lib/atomic_64.S   2010-09-17 20:12:37.000000000 -0400
4138 @@ -18,7 +18,12 @@
4139  atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4140         BACKOFF_SETUP(%o2)
4141  1:     lduw    [%o1], %g1
4142 -       add     %g1, %o0, %g7
4143 +       addcc   %g1, %o0, %g7
4144 +
4145 +#ifdef CONFIG_PAX_REFCOUNT
4146 +       tvs     %icc, 6
4147 +#endif
4148 +
4149         cas     [%o1], %g1, %g7
4150         cmp     %g1, %g7
4151         bne,pn  %icc, 2f
4152 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4153  2:     BACKOFF_SPIN(%o2, %o3, 1b)
4154         .size   atomic_add, .-atomic_add
4155  
4156 +       .globl  atomic_add_unchecked
4157 +       .type   atomic_add_unchecked,#function
4158 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4159 +       BACKOFF_SETUP(%o2)
4160 +1:     lduw    [%o1], %g1
4161 +       add     %g1, %o0, %g7
4162 +       cas     [%o1], %g1, %g7
4163 +       cmp     %g1, %g7
4164 +       bne,pn  %icc, 2f
4165 +        nop
4166 +       retl
4167 +        nop
4168 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
4169 +       .size   atomic_add_unchecked, .-atomic_add_unchecked
4170 +
4171         .globl  atomic_sub
4172         .type   atomic_sub,#function
4173  atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4174         BACKOFF_SETUP(%o2)
4175  1:     lduw    [%o1], %g1
4176 -       sub     %g1, %o0, %g7
4177 +       subcc   %g1, %o0, %g7
4178 +
4179 +#ifdef CONFIG_PAX_REFCOUNT
4180 +       tvs     %icc, 6
4181 +#endif
4182 +
4183         cas     [%o1], %g1, %g7
4184         cmp     %g1, %g7
4185         bne,pn  %icc, 2f
4186 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4187  2:     BACKOFF_SPIN(%o2, %o3, 1b)
4188         .size   atomic_sub, .-atomic_sub
4189  
4190 +       .globl  atomic_sub_unchecked
4191 +       .type   atomic_sub_unchecked,#function
4192 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4193 +       BACKOFF_SETUP(%o2)
4194 +1:     lduw    [%o1], %g1
4195 +       sub     %g1, %o0, %g7
4196 +       cas     [%o1], %g1, %g7
4197 +       cmp     %g1, %g7
4198 +       bne,pn  %icc, 2f
4199 +        nop
4200 +       retl
4201 +        nop
4202 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
4203 +       .size   atomic_sub_unchecked, .-atomic_sub_unchecked
4204 +
4205         .globl  atomic_add_ret
4206         .type   atomic_add_ret,#function
4207  atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4208         BACKOFF_SETUP(%o2)
4209  1:     lduw    [%o1], %g1
4210 -       add     %g1, %o0, %g7
4211 +       addcc   %g1, %o0, %g7
4212 +
4213 +#ifdef CONFIG_PAX_REFCOUNT
4214 +       tvs     %icc, 6
4215 +#endif
4216 +
4217         cas     [%o1], %g1, %g7
4218         cmp     %g1, %g7
4219         bne,pn  %icc, 2f
4220 @@ -59,12 +104,33 @@ atomic_add_ret: /* %o0 = increment, %o1 
4221  2:     BACKOFF_SPIN(%o2, %o3, 1b)
4222         .size   atomic_add_ret, .-atomic_add_ret
4223  
4224 +       .globl  atomic_add_ret_unchecked
4225 +       .type   atomic_add_ret_unchecked,#function
4226 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4227 +       BACKOFF_SETUP(%o2)
4228 +1:     lduw    [%o1], %g1
4229 +       addcc   %g1, %o0, %g7
4230 +       cas     [%o1], %g1, %g7
4231 +       cmp     %g1, %g7
4232 +       bne,pn  %icc, 2f
4233 +        add    %g7, %o0, %g7
4234 +       sra     %g7, 0, %o0
4235 +       retl
4236 +        nop
4237 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
4238 +       .size   atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4239 +
4240         .globl  atomic_sub_ret
4241         .type   atomic_sub_ret,#function
4242  atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4243         BACKOFF_SETUP(%o2)
4244  1:     lduw    [%o1], %g1
4245 -       sub     %g1, %o0, %g7
4246 +       subcc   %g1, %o0, %g7
4247 +
4248 +#ifdef CONFIG_PAX_REFCOUNT
4249 +       tvs     %icc, 6
4250 +#endif
4251 +
4252         cas     [%o1], %g1, %g7
4253         cmp     %g1, %g7
4254         bne,pn  %icc, 2f
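Review bot: atomic_add_ret_unchecked is written with `addcc %g1, %o0, %g7` although no `tvs` follows, while atomic_add_unchecked and atomic_sub_unchecked in the earlier hunks keep the plain `add`/`sub` of the original code. The later hunks do the same: atomic64_add_unchecked, atomic64_sub_unchecked and atomic64_add_ret_unchecked use `addcc`/`subcc`. The following `cmp` overwrites the condition codes, so this looks harmless, but the unchecked variants should read as exact copies of the pre-patch routines, i.e. `add     %g1, %o0, %g7` here. In the checked routines the `addcc`/`subcc` sits outside the `#ifdef CONFIG_PAX_REFCOUNT`, so a short comment such as `/* sets V for the tvs below */` would explain it when the option is off.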
4255 @@ -80,7 +146,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1 
4256  atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4257         BACKOFF_SETUP(%o2)
4258  1:     ldx     [%o1], %g1
4259 -       add     %g1, %o0, %g7
4260 +       addcc   %g1, %o0, %g7
4261 +
4262 +#ifdef CONFIG_PAX_REFCOUNT
4263 +       tvs     %xcc, 6
4264 +#endif
4265 +
4266         casx    [%o1], %g1, %g7
4267         cmp     %g1, %g7
4268         bne,pn  %xcc, 2f
4269 @@ -90,12 +161,32 @@ atomic64_add: /* %o0 = increment, %o1 = 
4270  2:     BACKOFF_SPIN(%o2, %o3, 1b)
4271         .size   atomic64_add, .-atomic64_add
4272  
4273 +       .globl  atomic64_add_unchecked
4274 +       .type   atomic64_add_unchecked,#function
4275 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4276 +       BACKOFF_SETUP(%o2)
4277 +1:     ldx     [%o1], %g1
4278 +       addcc   %g1, %o0, %g7
4279 +       casx    [%o1], %g1, %g7
4280 +       cmp     %g1, %g7
4281 +       bne,pn  %xcc, 2f
4282 +        nop
4283 +       retl
4284 +        nop
4285 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
4286 +       .size   atomic64_add_unchecked, .-atomic64_add_unchecked
4287 +
4288         .globl  atomic64_sub
4289         .type   atomic64_sub,#function
4290  atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4291         BACKOFF_SETUP(%o2)
4292  1:     ldx     [%o1], %g1
4293 -       sub     %g1, %o0, %g7
4294 +       subcc   %g1, %o0, %g7
4295 +
4296 +#ifdef CONFIG_PAX_REFCOUNT
4297 +       tvs     %xcc, 6
4298 +#endif
4299 +
4300         casx    [%o1], %g1, %g7
4301         cmp     %g1, %g7
4302         bne,pn  %xcc, 2f
4303 @@ -105,12 +196,32 @@ atomic64_sub: /* %o0 = decrement, %o1 = 
4304  2:     BACKOFF_SPIN(%o2, %o3, 1b)
4305         .size   atomic64_sub, .-atomic64_sub
4306  
4307 +       .globl  atomic64_sub_unchecked
4308 +       .type   atomic64_sub_unchecked,#function
4309 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4310 +       BACKOFF_SETUP(%o2)
4311 +1:     ldx     [%o1], %g1
4312 +       subcc   %g1, %o0, %g7
4313 +       casx    [%o1], %g1, %g7
4314 +       cmp     %g1, %g7
4315 +       bne,pn  %xcc, 2f
4316 +        nop
4317 +       retl
4318 +        nop
4319 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
4320 +       .size   atomic64_sub_unchecked, .-atomic64_sub_unchecked
4321 +
4322         .globl  atomic64_add_ret
4323         .type   atomic64_add_ret,#function
4324  atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4325         BACKOFF_SETUP(%o2)
4326  1:     ldx     [%o1], %g1
4327 -       add     %g1, %o0, %g7
4328 +       addcc   %g1, %o0, %g7
4329 +
4330 +#ifdef CONFIG_PAX_REFCOUNT
4331 +       tvs     %xcc, 6
4332 +#endif
4333 +
4334         casx    [%o1], %g1, %g7
4335         cmp     %g1, %g7
4336         bne,pn  %xcc, 2f
4337 @@ -121,12 +232,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4338  2:     BACKOFF_SPIN(%o2, %o3, 1b)
4339         .size   atomic64_add_ret, .-atomic64_add_ret
4340  
4341 +       .globl  atomic64_add_ret_unchecked
4342 +       .type   atomic64_add_ret_unchecked,#function
4343 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4344 +       BACKOFF_SETUP(%o2)
4345 +1:     ldx     [%o1], %g1
4346 +       addcc   %g1, %o0, %g7
4347 +       casx    [%o1], %g1, %g7
4348 +       cmp     %g1, %g7
4349 +       bne,pn  %xcc, 2f
4350 +        add    %g7, %o0, %g7
4351 +       mov     %g7, %o0
4352 +       retl
4353 +        nop
4354 +2:     BACKOFF_SPIN(%o2, %o3, 1b)
4355 +       .size   atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4356 +
4357         .globl  atomic64_sub_ret
4358         .type   atomic64_sub_ret,#function
4359  atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4360         BACKOFF_SETUP(%o2)
4361  1:     ldx     [%o1], %g1
4362 -       sub     %g1, %o0, %g7
4363 +       subcc   %g1, %o0, %g7
4364 +
4365 +#ifdef CONFIG_PAX_REFCOUNT
4366 +       tvs     %xcc, 6
4367 +#endif
4368 +
4369         casx    [%o1], %g1, %g7
4370         cmp     %g1, %g7
4371         bne,pn  %xcc, 2f
4372 diff -urNp linux-2.6.35.5/arch/sparc/lib/ksyms.c linux-2.6.35.5/arch/sparc/lib/ksyms.c
4373 --- linux-2.6.35.5/arch/sparc/lib/ksyms.c       2010-08-26 19:47:12.000000000 -0400
4374 +++ linux-2.6.35.5/arch/sparc/lib/ksyms.c       2010-09-17 20:12:09.000000000 -0400
4375 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4376  
4377  /* Atomic counter implementation. */
4378  EXPORT_SYMBOL(atomic_add);
4379 +EXPORT_SYMBOL(atomic_add_unchecked);
4380  EXPORT_SYMBOL(atomic_add_ret);
4381  EXPORT_SYMBOL(atomic_sub);
4382 +EXPORT_SYMBOL(atomic_sub_unchecked);
4383  EXPORT_SYMBOL(atomic_sub_ret);
4384  EXPORT_SYMBOL(atomic64_add);
4385 +EXPORT_SYMBOL(atomic64_add_unchecked);
4386  EXPORT_SYMBOL(atomic64_add_ret);
4387 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4388  EXPORT_SYMBOL(atomic64_sub);
4389 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4390  EXPORT_SYMBOL(atomic64_sub_ret);
4391  
4392  /* Atomic bit operations. */
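Review bot: atomic_add_ret_unchecked is missing from the new exports, although atomic_64.S in this patch defines it with `.globl`, and its 64-bit counterpart atomic64_add_ret_unchecked is exported here. If any modular code calls it, the module would fail to resolve the symbol at load time. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);`, or note in a comment why the 32-bit variant is intentionally built-in only.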
4393 diff -urNp linux-2.6.35.5/arch/sparc/lib/rwsem_64.S linux-2.6.35.5/arch/sparc/lib/rwsem_64.S
4394 --- linux-2.6.35.5/arch/sparc/lib/rwsem_64.S    2010-08-26 19:47:12.000000000 -0400
4395 +++ linux-2.6.35.5/arch/sparc/lib/rwsem_64.S    2010-09-17 20:12:09.000000000 -0400
4396 @@ -11,7 +11,12 @@
4397         .globl          __down_read
4398  __down_read:
4399  1:     lduw            [%o0], %g1
4400 -       add             %g1, 1, %g7
4401 +       addcc           %g1, 1, %g7
4402 +
4403 +#ifdef CONFIG_PAX_REFCOUNT
4404 +       tvs     %icc, 6
4405 +#endif
4406 +
4407         cas             [%o0], %g1, %g7
4408         cmp             %g1, %g7
4409         bne,pn          %icc, 1b
4410 @@ -33,7 +38,12 @@ __down_read:
4411         .globl          __down_read_trylock
4412  __down_read_trylock:
4413  1:     lduw            [%o0], %g1
4414 -       add             %g1, 1, %g7
4415 +       addcc           %g1, 1, %g7
4416 +
4417 +#ifdef CONFIG_PAX_REFCOUNT
4418 +       tvs     %icc, 6
4419 +#endif
4420 +
4421         cmp             %g7, 0
4422         bl,pn           %icc, 2f
4423          mov            0, %o1
4424 @@ -51,7 +61,12 @@ __down_write:
4425         or              %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4426  1:
4427         lduw            [%o0], %g3
4428 -       add             %g3, %g1, %g7
4429 +       addcc           %g3, %g1, %g7
4430 +
4431 +#ifdef CONFIG_PAX_REFCOUNT
4432 +       tvs     %icc, 6
4433 +#endif
4434 +
4435         cas             [%o0], %g3, %g7
4436         cmp             %g3, %g7
4437         bne,pn          %icc, 1b
4438 @@ -77,7 +92,12 @@ __down_write_trylock:
4439         cmp             %g3, 0
4440         bne,pn          %icc, 2f
4441          mov            0, %o1
4442 -       add             %g3, %g1, %g7
4443 +       addcc           %g3, %g1, %g7
4444 +
4445 +#ifdef CONFIG_PAX_REFCOUNT
4446 +       tvs     %icc, 6
4447 +#endif
4448 +
4449         cas             [%o0], %g3, %g7
4450         cmp             %g3, %g7
4451         bne,pn          %icc, 1b
4452 @@ -90,7 +110,12 @@ __down_write_trylock:
4453  __up_read:
4454  1:
4455         lduw            [%o0], %g1
4456 -       sub             %g1, 1, %g7
4457 +       subcc           %g1, 1, %g7
4458 +
4459 +#ifdef CONFIG_PAX_REFCOUNT
4460 +       tvs     %icc, 6
4461 +#endif
4462 +
4463         cas             [%o0], %g1, %g7
4464         cmp             %g1, %g7
4465         bne,pn          %icc, 1b
4466 @@ -118,7 +143,12 @@ __up_write:
4467         or              %g1, %lo(RWSEM_ACTIVE_WRITE_BIAS), %g1
4468  1:
4469         lduw            [%o0], %g3
4470 -       sub             %g3, %g1, %g7
4471 +       subcc           %g3, %g1, %g7
4472 +
4473 +#ifdef CONFIG_PAX_REFCOUNT
4474 +       tvs     %icc, 6
4475 +#endif
4476 +
4477         cas             [%o0], %g3, %g7
4478         cmp             %g3, %g7
4479         bne,pn          %icc, 1b
4480 @@ -143,7 +173,12 @@ __downgrade_write:
4481         or              %g1, %lo(RWSEM_WAITING_BIAS), %g1
4482  1:
4483         lduw            [%o0], %g3
4484 -       sub             %g3, %g1, %g7
4485 +       subcc           %g3, %g1, %g7
4486 +
4487 +#ifdef CONFIG_PAX_REFCOUNT
4488 +       tvs     %icc, 6
4489 +#endif
4490 +
4491         cas             [%o0], %g3, %g7
4492         cmp             %g3, %g7
4493         bne,pn          %icc, 1b
4494 diff -urNp linux-2.6.35.5/arch/sparc/Makefile linux-2.6.35.5/arch/sparc/Makefile
4495 --- linux-2.6.35.5/arch/sparc/Makefile  2010-08-26 19:47:12.000000000 -0400
4496 +++ linux-2.6.35.5/arch/sparc/Makefile  2010-09-17 20:12:37.000000000 -0400
4497 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE)    += arch/sparc
4498  # Export what is needed by arch/sparc/boot/Makefile
4499  export VMLINUX_INIT VMLINUX_MAIN
4500  VMLINUX_INIT := $(head-y) $(init-y)
4501 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4502 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4503  VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4504  VMLINUX_MAIN += $(drivers-y) $(net-y)
4505  
4506 diff -urNp linux-2.6.35.5/arch/sparc/mm/fault_32.c linux-2.6.35.5/arch/sparc/mm/fault_32.c
4507 --- linux-2.6.35.5/arch/sparc/mm/fault_32.c     2010-08-26 19:47:12.000000000 -0400
4508 +++ linux-2.6.35.5/arch/sparc/mm/fault_32.c     2010-09-17 20:12:09.000000000 -0400
4509 @@ -22,6 +22,9 @@
4510  #include <linux/interrupt.h>
4511  #include <linux/module.h>
4512  #include <linux/kdebug.h>
4513 +#include <linux/slab.h>
4514 +#include <linux/pagemap.h>
4515 +#include <linux/compiler.h>
4516  
4517  #include <asm/system.h>
4518  #include <asm/page.h>
4519 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4520         return safe_compute_effective_address(regs, insn);
4521  }
4522  
4523 +#ifdef CONFIG_PAX_PAGEEXEC
4524 +#ifdef CONFIG_PAX_DLRESOLVE
4525 +static void pax_emuplt_close(struct vm_area_struct *vma)
4526 +{
4527 +       vma->vm_mm->call_dl_resolve = 0UL;
4528 +}
4529 +
4530 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4531 +{
4532 +       unsigned int *kaddr;
4533 +
4534 +       vmf->page = alloc_page(GFP_HIGHUSER);
4535 +       if (!vmf->page)
4536 +               return VM_FAULT_OOM;
4537 +
4538 +       kaddr = kmap(vmf->page);
4539 +       memset(kaddr, 0, PAGE_SIZE);
4540 +       kaddr[0] = 0x9DE3BFA8U; /* save */
4541 +       flush_dcache_page(vmf->page);
4542 +       kunmap(vmf->page);
4543 +       return VM_FAULT_MAJOR;
4544 +}
4545 +
4546 +static const struct vm_operations_struct pax_vm_ops = {
4547 +       .close = pax_emuplt_close,
4548 +       .fault = pax_emuplt_fault
4549 +};
4550 +
4551 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4552 +{
4553 +       int ret;
4554 +
4555 +       INIT_LIST_HEAD(&vma->anon_vma_chain);
4556 +       vma->vm_mm = current->mm;
4557 +       vma->vm_start = addr;
4558 +       vma->vm_end = addr + PAGE_SIZE;
4559 +       vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4560 +       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4561 +       vma->vm_ops = &pax_vm_ops;
4562 +
4563 +       ret = insert_vm_struct(current->mm, vma);
4564 +       if (ret)
4565 +               return ret;
4566 +
4567 +       ++current->mm->total_vm;
4568 +       return 0;
4569 +}
4570 +#endif
4571 +
4572 +/*
4573 + * PaX: decide what to do with offenders (regs->pc = fault address)
4574 + *
4575 + * returns 1 when task should be killed
4576 + *         2 when patched PLT trampoline was detected
4577 + *         3 when unpatched PLT trampoline was detected
4578 + */
4579 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4580 +{
4581 +
4582 +#ifdef CONFIG_PAX_EMUPLT
4583 +       int err;
4584 +
4585 +       do { /* PaX: patched PLT emulation #1 */
4586 +               unsigned int sethi1, sethi2, jmpl;
4587 +
4588 +               err = get_user(sethi1, (unsigned int *)regs->pc);
4589 +               err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4590 +               err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4591 +
4592 +               if (err)
4593 +                       break;
4594 +
4595 +               if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4596 +                   (sethi2 & 0xFFC00000U) == 0x03000000U &&
4597 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U)
4598 +               {
4599 +                       unsigned int addr;
4600 +
4601 +                       regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4602 +                       addr = regs->u_regs[UREG_G1];
4603 +                       addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4604 +                       regs->pc = addr;
4605 +                       regs->npc = addr+4;
4606 +                       return 2;
4607 +               }
4608 +       } while (0);
4609 +
4610 +       { /* PaX: patched PLT emulation #2 */
4611 +               unsigned int ba;
4612 +
4613 +               err = get_user(ba, (unsigned int *)regs->pc);
4614 +
4615 +               if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4616 +                       unsigned int addr;
4617 +
4618 +                       addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4619 +                       regs->pc = addr;
4620 +                       regs->npc = addr+4;
4621 +                       return 2;
4622 +               }
4623 +       }
4624 +
4625 +       do { /* PaX: patched PLT emulation #3 */
4626 +               unsigned int sethi, jmpl, nop;
4627 +
4628 +               err = get_user(sethi, (unsigned int *)regs->pc);
4629 +               err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4630 +               err |= get_user(nop, (unsigned int *)(regs->pc+8));
4631 +
4632 +               if (err)
4633 +                       break;
4634 +
4635 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4636 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4637 +                   nop == 0x01000000U)
4638 +               {
4639 +                       unsigned int addr;
4640 +
4641 +                       addr = (sethi & 0x003FFFFFU) << 10;
4642 +                       regs->u_regs[UREG_G1] = addr;
4643 +                       addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4644 +                       regs->pc = addr;
4645 +                       regs->npc = addr+4;
4646 +                       return 2;
4647 +               }
4648 +       } while (0);
4649 +
4650 +       do { /* PaX: unpatched PLT emulation step 1 */
4651 +               unsigned int sethi, ba, nop;
4652 +
4653 +               err = get_user(sethi, (unsigned int *)regs->pc);
4654 +               err |= get_user(ba, (unsigned int *)(regs->pc+4));
4655 +               err |= get_user(nop, (unsigned int *)(regs->pc+8));
4656 +
4657 +               if (err)
4658 +                       break;
4659 +
4660 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4661 +                   ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4662 +                   nop == 0x01000000U)
4663 +               {
4664 +                       unsigned int addr, save, call;
4665 +
4666 +                       if ((ba & 0xFFC00000U) == 0x30800000U)
4667 +                               addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4668 +                       else
4669 +                               addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4670 +
4671 +                       err = get_user(save, (unsigned int *)addr);
4672 +                       err |= get_user(call, (unsigned int *)(addr+4));
4673 +                       err |= get_user(nop, (unsigned int *)(addr+8));
4674 +                       if (err)
4675 +                               break;
4676 +
4677 +#ifdef CONFIG_PAX_DLRESOLVE
4678 +                       if (save == 0x9DE3BFA8U &&
4679 +                           (call & 0xC0000000U) == 0x40000000U &&
4680 +                           nop == 0x01000000U)
4681 +                       {
4682 +                               struct vm_area_struct *vma;
4683 +                               unsigned long call_dl_resolve;
4684 +
4685 +                               down_read(&current->mm->mmap_sem);
4686 +                               call_dl_resolve = current->mm->call_dl_resolve;
4687 +                               up_read(&current->mm->mmap_sem);
4688 +                               if (likely(call_dl_resolve))
4689 +                                       goto emulate;
4690 +
4691 +                               vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4692 +
4693 +                               down_write(&current->mm->mmap_sem);
4694 +                               if (current->mm->call_dl_resolve) {
4695 +                                       call_dl_resolve = current->mm->call_dl_resolve;
4696 +                                       up_write(&current->mm->mmap_sem);
4697 +                                       if (vma)
4698 +                                               kmem_cache_free(vm_area_cachep, vma);
4699 +                                       goto emulate;
4700 +                               }
4701 +
4702 +                               call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4703 +                               if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4704 +                                       up_write(&current->mm->mmap_sem);
4705 +                                       if (vma)
4706 +                                               kmem_cache_free(vm_area_cachep, vma);
4707 +                                       return 1;
4708 +                               }
4709 +
4710 +                               if (pax_insert_vma(vma, call_dl_resolve)) {
4711 +                                       up_write(&current->mm->mmap_sem);
4712 +                                       kmem_cache_free(vm_area_cachep, vma);
4713 +                                       return 1;
4714 +                               }
4715 +
4716 +                               current->mm->call_dl_resolve = call_dl_resolve;
4717 +                               up_write(&current->mm->mmap_sem);
4718 +
4719 +emulate:
4720 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4721 +                               regs->pc = call_dl_resolve;
4722 +                               regs->npc = addr+4;
4723 +                               return 3;
4724 +                       }
4725 +#endif
4726 +
4727 +                       /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4728 +                       if ((save & 0xFFC00000U) == 0x05000000U &&
4729 +                           (call & 0xFFFFE000U) == 0x85C0A000U &&
4730 +                           nop == 0x01000000U)
4731 +                       {
4732 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4733 +                               regs->u_regs[UREG_G2] = addr + 4;
4734 +                               addr = (save & 0x003FFFFFU) << 10;
4735 +                               addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4736 +                               regs->pc = addr;
4737 +                               regs->npc = addr+4;
4738 +                               return 3;
4739 +                       }
4740 +               }
4741 +       } while (0);
4742 +
4743 +       do { /* PaX: unpatched PLT emulation step 2 */
4744 +               unsigned int save, call, nop;
4745 +
4746 +               err = get_user(save, (unsigned int *)(regs->pc-4));
4747 +               err |= get_user(call, (unsigned int *)regs->pc);
4748 +               err |= get_user(nop, (unsigned int *)(regs->pc+4));
4749 +               if (err)
4750 +                       break;
4751 +
4752 +               if (save == 0x9DE3BFA8U &&
4753 +                   (call & 0xC0000000U) == 0x40000000U &&
4754 +                   nop == 0x01000000U)
4755 +               {
4756 +                       unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4757 +
4758 +                       regs->u_regs[UREG_RETPC] = regs->pc;
4759 +                       regs->pc = dl_resolve;
4760 +                       regs->npc = dl_resolve+4;
4761 +                       return 3;
4762 +               }
4763 +       } while (0);
4764 +#endif
4765 +
4766 +       return 1;
4767 +}
4768 +
4769 +void pax_report_insns(void *pc, void *sp)
4770 +{
4771 +       unsigned long i;
4772 +
4773 +       printk(KERN_ERR "PAX: bytes at PC: ");
4774 +       for (i = 0; i < 8; i++) {
4775 +               unsigned int c;
4776 +               if (get_user(c, (unsigned int *)pc+i))
4777 +                       printk(KERN_CONT "???????? ");
4778 +               else
4779 +                       printk(KERN_CONT "%08x ", c);
4780 +       }
4781 +       printk("\n");
4782 +}
4783 +#endif
4784 +
4785  static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
4786                                       int text_fault)
4787  {
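Review bot: In pax_handle_fetch_fault the CONFIG_PAX_DLRESOLVE path returns 1 when `kmem_cache_zalloc()` fails, when `get_unmapped_area()` returns a non-page-aligned (error) value, or when `pax_insert_vma()` fails. The function comment defines 1 as "task should be killed", and the caller in the next hunk responds with `pax_report_fault()` and `do_group_exit(SIGKILL)`. A memory or address-space shortage is therefore logged exactly like an attempt to execute from a non-executable mapping, which makes PaX reports harder to triage. A distinct return value for resource failure, or a `printk(KERN_ERR ...)` ahead of those `return 1;` statements, would keep the two cases apart in the log. Separately, pax_report_insns never uses its `sp` argument and ends with `printk("\n")` without `KERN_CONT`.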
4788 @@ -282,6 +547,24 @@ good_area:
4789                 if(!(vma->vm_flags & VM_WRITE))
4790                         goto bad_area;
4791         } else {
4792 +
4793 +#ifdef CONFIG_PAX_PAGEEXEC
4794 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4795 +                       up_read(&mm->mmap_sem);
4796 +                       switch (pax_handle_fetch_fault(regs)) {
4797 +
4798 +#ifdef CONFIG_PAX_EMUPLT
4799 +                       case 2:
4800 +                       case 3:
4801 +                               return;
4802 +#endif
4803 +
4804 +                       }
4805 +                       pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4806 +                       do_group_exit(SIGKILL);
4807 +               }
4808 +#endif
4809 +
4810                 /* Allow reads even for write-only mappings */
4811                 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
4812                         goto bad_area;
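Review bot: `up_read(&mm->mmap_sem)` runs before the `switch`, yet the statements after the `#endif` still read `vma->vm_flags` and jump to `bad_area`. The block is correct only because `do_group_exit(SIGKILL)` never returns, which deserves a comment such as `/* not reached: do_group_exit() does not return; mmap_sem is already dropped */`. With CONFIG_PAX_EMUPLT disabled the `switch` has an empty body, and `case 2:` / `case 3:` repeat the bare return codes of pax_handle_fetch_fault. An `if` on a named result would read more clearly. The enclosing function starts and ends outside the hunk.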
4813 diff -urNp linux-2.6.35.5/arch/sparc/mm/fault_64.c linux-2.6.35.5/arch/sparc/mm/fault_64.c
4814 --- linux-2.6.35.5/arch/sparc/mm/fault_64.c     2010-08-26 19:47:12.000000000 -0400
4815 +++ linux-2.6.35.5/arch/sparc/mm/fault_64.c     2010-09-17 20:12:09.000000000 -0400
4816 @@ -21,6 +21,9 @@
4817  #include <linux/kprobes.h>
4818  #include <linux/kdebug.h>
4819  #include <linux/percpu.h>
4820 +#include <linux/slab.h>
4821 +#include <linux/pagemap.h>
4822 +#include <linux/compiler.h>
4823  
4824  #include <asm/page.h>
4825  #include <asm/pgtable.h>
4826 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
4827         show_regs(regs);
4828  }
4829  
4830 +#ifdef CONFIG_PAX_PAGEEXEC
4831 +#ifdef CONFIG_PAX_DLRESOLVE
4832 +static void pax_emuplt_close(struct vm_area_struct *vma)
4833 +{
4834 +       vma->vm_mm->call_dl_resolve = 0UL;
4835 +}
4836 +
4837 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4838 +{
4839 +       unsigned int *kaddr;
4840 +
4841 +       vmf->page = alloc_page(GFP_HIGHUSER);
4842 +       if (!vmf->page)
4843 +               return VM_FAULT_OOM;
4844 +
4845 +       kaddr = kmap(vmf->page);
4846 +       memset(kaddr, 0, PAGE_SIZE);
4847 +       kaddr[0] = 0x9DE3BFA8U; /* save */
4848 +       flush_dcache_page(vmf->page);
4849 +       kunmap(vmf->page);
4850 +       return VM_FAULT_MAJOR;
4851 +}
4852 +
4853 +static const struct vm_operations_struct pax_vm_ops = {
4854 +       .close = pax_emuplt_close,
4855 +       .fault = pax_emuplt_fault
4856 +};
4857 +
4858 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4859 +{
4860 +       int ret;
4861 +
4862 +       INIT_LIST_HEAD(&vma->anon_vma_chain);
4863 +       vma->vm_mm = current->mm;
4864 +       vma->vm_start = addr;
4865 +       vma->vm_end = addr + PAGE_SIZE;
4866 +       vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4867 +       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4868 +       vma->vm_ops = &pax_vm_ops;
4869 +
4870 +       ret = insert_vm_struct(current->mm, vma);
4871 +       if (ret)
4872 +               return ret;
4873 +
4874 +       ++current->mm->total_vm;
4875 +       return 0;
4876 +}
4877 +#endif
4878 +
4879 +/*
4880 + * PaX: decide what to do with offenders (regs->tpc = fault address)
4881 + *
4882 + * returns 1 when task should be killed
4883 + *         2 when patched PLT trampoline was detected
4884 + *         3 when unpatched PLT trampoline was detected
4885 + */
4886 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4887 +{
4888 +
4889 +#ifdef CONFIG_PAX_EMUPLT
4890 +       int err;
4891 +
4892 +       do { /* PaX: patched PLT emulation #1 */
4893 +               unsigned int sethi1, sethi2, jmpl;
4894 +
4895 +               err = get_user(sethi1, (unsigned int *)regs->tpc);
4896 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
4897 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
4898 +
4899 +               if (err)
4900 +                       break;
4901 +
4902 +               if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4903 +                   (sethi2 & 0xFFC00000U) == 0x03000000U &&
4904 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U)
4905 +               {
4906 +                       unsigned long addr;
4907 +
4908 +                       regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4909 +                       addr = regs->u_regs[UREG_G1];
4910 +                       addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4911 +
4912 +                       if (test_thread_flag(TIF_32BIT))
4913 +                               addr &= 0xFFFFFFFFUL;
4914 +
4915 +                       regs->tpc = addr;
4916 +                       regs->tnpc = addr+4;
4917 +                       return 2;
4918 +               }
4919 +       } while (0);
4920 +
4921 +       { /* PaX: patched PLT emulation #2 */
4922 +               unsigned int ba;
4923 +
4924 +               err = get_user(ba, (unsigned int *)regs->tpc);
4925 +
4926 +               if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4927 +                       unsigned long addr;
4928 +
4929 +                       addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
4930 +
4931 +                       if (test_thread_flag(TIF_32BIT))
4932 +                               addr &= 0xFFFFFFFFUL;
4933 +
4934 +                       regs->tpc = addr;
4935 +                       regs->tnpc = addr+4;
4936 +                       return 2;
4937 +               }
4938 +       }
4939 +
4940 +       do { /* PaX: patched PLT emulation #3 */
4941 +               unsigned int sethi, jmpl, nop;
4942 +
4943 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4944 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
4945 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
4946 +
4947 +               if (err)
4948 +                       break;
4949 +
4950 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4951 +                   (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4952 +                   nop == 0x01000000U)
4953 +               {
4954 +                       unsigned long addr;
4955 +
4956 +                       addr = (sethi & 0x003FFFFFU) << 10;
4957 +                       regs->u_regs[UREG_G1] = addr;
4958 +                       addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
4959 +
4960 +                       if (test_thread_flag(TIF_32BIT))
4961 +                               addr &= 0xFFFFFFFFUL;
4962 +
4963 +                       regs->tpc = addr;
4964 +                       regs->tnpc = addr+4;
4965 +                       return 2;
4966 +               }
4967 +       } while (0);
4968 +
4969 +       do { /* PaX: patched PLT emulation #4 */
4970 +               unsigned int sethi, mov1, call, mov2;
4971 +
4972 +               err = get_user(sethi, (unsigned int *)regs->tpc);
4973 +               err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
4974 +               err |= get_user(call, (unsigned int *)(regs->tpc+8));
4975 +               err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
4976 +
4977 +               if (err)
4978 +                       break;
4979 +
4980 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
4981 +                   mov1 == 0x8210000FU &&
4982 +                   (call & 0xC0000000U) == 0x40000000U &&
4983 +                   mov2 == 0x9E100001U)
4984 +               {
4985 +                       unsigned long addr;
4986 +
4987 +                       regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
4988 +                       addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
4989 +
4990 +                       if (test_thread_flag(TIF_32BIT))
4991 +                               addr &= 0xFFFFFFFFUL;
4992 +
4993 +                       regs->tpc = addr;
4994 +                       regs->tnpc = addr+4;
4995 +                       return 2;
4996 +               }
4997 +       } while (0);
4998 +
4999 +       do { /* PaX: patched PLT emulation #5 */
5000 +               unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5001 +
5002 +               err = get_user(sethi, (unsigned int *)regs->tpc);
5003 +               err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5004 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5005 +               err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5006 +               err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5007 +               err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5008 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5009 +               err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5010 +
5011 +               if (err)
5012 +                       break;
5013 +
5014 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
5015 +                   (sethi1 & 0xFFC00000U) == 0x03000000U &&
5016 +                   (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5017 +                   (or1 & 0xFFFFE000U) == 0x82106000U &&
5018 +                   (or2 & 0xFFFFE000U) == 0x8A116000U &&
5019 +                   sllx == 0x83287020U &&
5020 +                   jmpl == 0x81C04005U &&
5021 +                   nop == 0x01000000U)
5022 +               {
5023 +                       unsigned long addr;
5024 +
5025 +                       regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5026 +                       regs->u_regs[UREG_G1] <<= 32;
5027 +                       regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5028 +                       addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5029 +                       regs->tpc = addr;
5030 +                       regs->tnpc = addr+4;
5031 +                       return 2;
5032 +               }
5033 +       } while (0);
5034 +
5035 +       do { /* PaX: patched PLT emulation #6 */
5036 +               unsigned int sethi, sethi1, sethi2, sllx, or,  jmpl, nop;
5037 +
5038 +               err = get_user(sethi, (unsigned int *)regs->tpc);
5039 +               err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5040 +               err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5041 +               err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5042 +               err |= get_user(or, (unsigned int *)(regs->tpc+16));
5043 +               err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5044 +               err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5045 +
5046 +               if (err)
5047 +                       break;
5048 +
5049 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
5050 +                   (sethi1 & 0xFFC00000U) == 0x03000000U &&
5051 +                   (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5052 +                   sllx == 0x83287020U &&
5053 +                   (or & 0xFFFFE000U) == 0x8A116000U &&
5054 +                   jmpl == 0x81C04005U &&
5055 +                   nop == 0x01000000U)
5056 +               {
5057 +                       unsigned long addr;
5058 +
5059 +                       regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5060 +                       regs->u_regs[UREG_G1] <<= 32;
5061 +                       regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5062 +                       addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5063 +                       regs->tpc = addr;
5064 +                       regs->tnpc = addr+4;
5065 +                       return 2;
5066 +               }
5067 +       } while (0);
5068 +
5069 +       do { /* PaX: unpatched PLT emulation step 1 */
5070 +               unsigned int sethi, ba, nop;
5071 +
5072 +               err = get_user(sethi, (unsigned int *)regs->tpc);
5073 +               err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5074 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5075 +
5076 +               if (err)
5077 +                       break;
5078 +
5079 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
5080 +                   ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5081 +                   nop == 0x01000000U)
5082 +               {
5083 +                       unsigned long addr;
5084 +                       unsigned int save, call;
5085 +                       unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5086 +
5087 +                       if ((ba & 0xFFC00000U) == 0x30800000U)
5088 +                               addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5089 +                       else
5090 +                               addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5091 +
5092 +                       if (test_thread_flag(TIF_32BIT))
5093 +                               addr &= 0xFFFFFFFFUL;
5094 +
5095 +                       err = get_user(save, (unsigned int *)addr);
5096 +                       err |= get_user(call, (unsigned int *)(addr+4));
5097 +                       err |= get_user(nop, (unsigned int *)(addr+8));
5098 +                       if (err)
5099 +                               break;
5100 +
5101 +#ifdef CONFIG_PAX_DLRESOLVE
5102 +                       if (save == 0x9DE3BFA8U &&
5103 +                           (call & 0xC0000000U) == 0x40000000U &&
5104 +                           nop == 0x01000000U)
5105 +                       {
5106 +                               struct vm_area_struct *vma;
5107 +                               unsigned long call_dl_resolve;
5108 +
5109 +                               down_read(&current->mm->mmap_sem);
5110 +                               call_dl_resolve = current->mm->call_dl_resolve;
5111 +                               up_read(&current->mm->mmap_sem);
5112 +                               if (likely(call_dl_resolve))
5113 +                                       goto emulate;
5114 +
5115 +                               vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5116 +
5117 +                               down_write(&current->mm->mmap_sem);
5118 +                               if (current->mm->call_dl_resolve) {
5119 +                                       call_dl_resolve = current->mm->call_dl_resolve;
5120 +                                       up_write(&current->mm->mmap_sem);
5121 +                                       if (vma)
5122 +                                               kmem_cache_free(vm_area_cachep, vma);
5123 +                                       goto emulate;
5124 +                               }
5125 +
5126 +                               call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5127 +                               if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5128 +                                       up_write(&current->mm->mmap_sem);
5129 +                                       if (vma)
5130 +                                               kmem_cache_free(vm_area_cachep, vma);
5131 +                                       return 1;
5132 +                               }
5133 +
5134 +                               if (pax_insert_vma(vma, call_dl_resolve)) {
5135 +                                       up_write(&current->mm->mmap_sem);
5136 +                                       kmem_cache_free(vm_area_cachep, vma);
5137 +                                       return 1;
5138 +                               }
5139 +
5140 +                               current->mm->call_dl_resolve = call_dl_resolve;
5141 +                               up_write(&current->mm->mmap_sem);
5142 +
5143 +emulate:
5144 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5145 +                               regs->tpc = call_dl_resolve;
5146 +                               regs->tnpc = addr+4;
5147 +                               return 3;
5148 +                       }
5149 +#endif
5150 +
5151 +                       /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5152 +                       if ((save & 0xFFC00000U) == 0x05000000U &&
5153 +                           (call & 0xFFFFE000U) == 0x85C0A000U &&
5154 +                           nop == 0x01000000U)
5155 +                       {
5156 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5157 +                               regs->u_regs[UREG_G2] = addr + 4;
5158 +                               addr = (save & 0x003FFFFFU) << 10;
5159 +                               addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5160 +
5161 +                               if (test_thread_flag(TIF_32BIT))
5162 +                                       addr &= 0xFFFFFFFFUL;
5163 +
5164 +                               regs->tpc = addr;
5165 +                               regs->tnpc = addr+4;
5166 +                               return 3;
5167 +                       }
5168 +
5169 +                       /* PaX: 64-bit PLT stub */
5170 +                       err = get_user(sethi1, (unsigned int *)addr);
5171 +                       err |= get_user(sethi2, (unsigned int *)(addr+4));
5172 +                       err |= get_user(or1, (unsigned int *)(addr+8));
5173 +                       err |= get_user(or2, (unsigned int *)(addr+12));
5174 +                       err |= get_user(sllx, (unsigned int *)(addr+16));
5175 +                       err |= get_user(add, (unsigned int *)(addr+20));
5176 +                       err |= get_user(jmpl, (unsigned int *)(addr+24));
5177 +                       err |= get_user(nop, (unsigned int *)(addr+28));
5178 +                       if (err)
5179 +                               break;
5180 +
5181 +                       if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5182 +                           (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5183 +                           (or1 & 0xFFFFE000U) == 0x88112000U &&
5184 +                           (or2 & 0xFFFFE000U) == 0x8A116000U &&
5185 +                           sllx == 0x89293020U &&
5186 +                           add == 0x8A010005U &&
5187 +                           jmpl == 0x89C14000U &&
5188 +                           nop == 0x01000000U)
5189 +                       {
5190 +                               regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5191 +                               regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5192 +                               regs->u_regs[UREG_G4] <<= 32;
5193 +                               regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5194 +                               regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5195 +                               regs->u_regs[UREG_G4] = addr + 24;
5196 +                               addr = regs->u_regs[UREG_G5];
5197 +                               regs->tpc = addr;
5198 +                               regs->tnpc = addr+4;
5199 +                               return 3;
5200 +                       }
5201 +               }
5202 +       } while (0);
5203 +
5204 +#ifdef CONFIG_PAX_DLRESOLVE
5205 +       do { /* PaX: unpatched PLT emulation step 2 */
5206 +               unsigned int save, call, nop;
5207 +
5208 +               err = get_user(save, (unsigned int *)(regs->tpc-4));
5209 +               err |= get_user(call, (unsigned int *)regs->tpc);
5210 +               err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5211 +               if (err)
5212 +                       break;
5213 +
5214 +               if (save == 0x9DE3BFA8U &&
5215 +                   (call & 0xC0000000U) == 0x40000000U &&
5216 +                   nop == 0x01000000U)
5217 +               {
5218 +                       unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5219 +
5220 +                       if (test_thread_flag(TIF_32BIT))
5221 +                               dl_resolve &= 0xFFFFFFFFUL;
5222 +
5223 +                       regs->u_regs[UREG_RETPC] = regs->tpc;
5224 +                       regs->tpc = dl_resolve;
5225 +                       regs->tnpc = dl_resolve+4;
5226 +                       return 3;
5227 +               }
5228 +       } while (0);
5229 +#endif
5230 +
5231 +       do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5232 +               unsigned int sethi, ba, nop;
5233 +
5234 +               err = get_user(sethi, (unsigned int *)regs->tpc);
5235 +               err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5236 +               err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5237 +
5238 +               if (err)
5239 +                       break;
5240 +
5241 +               if ((sethi & 0xFFC00000U) == 0x03000000U &&
5242 +                   (ba & 0xFFF00000U) == 0x30600000U &&
5243 +                   nop == 0x01000000U)
5244 +               {
5245 +                       unsigned long addr;
5246 +
5247 +                       addr = (sethi & 0x003FFFFFU) << 10;
5248 +                       regs->u_regs[UREG_G1] = addr;
5249 +                       addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5250 +
5251 +                       if (test_thread_flag(TIF_32BIT))
5252 +                               addr &= 0xFFFFFFFFUL;
5253 +
5254 +                       regs->tpc = addr;
5255 +                       regs->tnpc = addr+4;
5256 +                       return 2;
5257 +               }
5258 +       } while (0);
5259 +
5260 +#endif
5261 +
5262 +       return 1;
5263 +}
5264 +
5265 +void pax_report_insns(void *pc, void *sp)
5266 +{
5267 +       unsigned long i;
5268 +
5269 +       printk(KERN_ERR "PAX: bytes at PC: ");
5270 +       for (i = 0; i < 8; i++) {
5271 +               unsigned int c;
5272 +               if (get_user(c, (unsigned int *)pc+i))
5273 +                       printk(KERN_CONT "???????? ");
5274 +               else
5275 +                       printk(KERN_CONT "%08x ", c);
5276 +       }
5277 +       printk("\n");
5278 +}
5279 +#endif
5280 +
5281  asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5282  {
5283         struct mm_struct *mm = current->mm;
5284 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5285         if (!vma)
5286                 goto bad_area;
5287  
5288 +#ifdef CONFIG_PAX_PAGEEXEC
5289 +       /* PaX: detect ITLB misses on non-exec pages */
5290 +       if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5291 +           !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5292 +       {
5293 +               if (address != regs->tpc)
5294 +                       goto good_area;
5295 +
5296 +               up_read(&mm->mmap_sem);
5297 +               switch (pax_handle_fetch_fault(regs)) {
5298 +
5299 +#ifdef CONFIG_PAX_EMUPLT
5300 +               case 2:
5301 +               case 3:
5302 +                       return;
5303 +#endif
5304 +
5305 +               }
5306 +               pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5307 +               do_group_exit(SIGKILL);
5308 +       }
5309 +#endif
5310 +
5311         /* Pure DTLB misses do not tell us whether the fault causing
5312          * load/store/atomic was a write or not, it only says that there
5313          * was no match.  So in such a case we (carefully) read the
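Review bot: The bare `case 2:` / `case 3:` labels in the new PAGEEXEC block give no hint of what the return values of pax_handle_fetch_fault() mean, and with CONFIG_PAX_EMUPLT unset the switch is left with an empty body. Earlier in this file's patch, 2 is returned by the patched-PLT emulations and 3 by the unpatched-PLT ones, so a comment such as `/* 2, 3: a PLT stub was emulated; resume at the updated tpc/tnpc */` on the cases would help. A second comment after the kill, `/* do_group_exit() does not return; mmap_sem was already released above */`, would make it clear that control cannot fall through into the DTLB handling with the lock dropped. do_sparc64_fault starts before this hunk and continues after it.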
5314 diff -urNp linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c
5315 --- linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c  2010-08-26 19:47:12.000000000 -0400
5316 +++ linux-2.6.35.5/arch/sparc/mm/hugetlbpage.c  2010-09-17 20:12:09.000000000 -0400
5317 @@ -68,7 +68,7 @@ full_search:
5318                         }
5319                         return -ENOMEM;
5320                 }
5321 -               if (likely(!vma || addr + len <= vma->vm_start)) {
5322 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
5323                         /*
5324                          * Remember the place where we stopped the search:
5325                          */
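Review bot: The replaced test began with `!vma ||`, so check_heap_stack_gap() is now relied on to accept the NULL that find_vma() can return; its definition is not part of this hunk, so that is worth confirming. The same applies to the three later hunks in this file (both branches of hugetlb_get_unmapped_area_topdown and the hint path of hugetlb_get_unmapped_area). A one-line comment at the first call, for example `/* expected to be true for a NULL vma, like the test it replaces - confirm against the helper */`, would record the contract the call sites depend on. The enclosing functions extend beyond each hunk.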
5326 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5327         /* make sure it can fit in the remaining address space */
5328         if (likely(addr > len)) {
5329                 vma = find_vma(mm, addr-len);
5330 -               if (!vma || addr <= vma->vm_start) {
5331 +               if (check_heap_stack_gap(vma, addr - len, len)) {
5332                         /* remember the address as a hint for next time */
5333                         return (mm->free_area_cache = addr-len);
5334                 }
5335 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5336                  * return with success:
5337                  */
5338                 vma = find_vma(mm, addr);
5339 -               if (likely(!vma || addr+len <= vma->vm_start)) {
5340 +               if (likely(check_heap_stack_gap(vma, addr, len))) {
5341                         /* remember the address as a hint for next time */
5342                         return (mm->free_area_cache = addr);
5343                 }
5344 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5345         if (addr) {
5346                 addr = ALIGN(addr, HPAGE_SIZE);
5347                 vma = find_vma(mm, addr);
5348 -               if (task_size - len >= addr &&
5349 -                   (!vma || addr + len <= vma->vm_start))
5350 +               if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5351                         return addr;
5352         }
5353         if (mm->get_unmapped_area == arch_get_unmapped_area)
5354 diff -urNp linux-2.6.35.5/arch/sparc/mm/init_32.c linux-2.6.35.5/arch/sparc/mm/init_32.c
5355 --- linux-2.6.35.5/arch/sparc/mm/init_32.c      2010-08-26 19:47:12.000000000 -0400
5356 +++ linux-2.6.35.5/arch/sparc/mm/init_32.c      2010-09-17 20:12:09.000000000 -0400
5357 @@ -318,6 +318,9 @@ extern void device_scan(void);
5358  pgprot_t PAGE_SHARED __read_mostly;
5359  EXPORT_SYMBOL(PAGE_SHARED);
5360  
5361 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5362 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5363 +
5364  void __init paging_init(void)
5365  {
5366         switch(sparc_cpu_model) {
5367 @@ -346,17 +349,17 @@ void __init paging_init(void)
5368  
5369         /* Initialize the protection map with non-constant, MMU dependent values. */
5370         protection_map[0] = PAGE_NONE;
5371 -       protection_map[1] = PAGE_READONLY;
5372 -       protection_map[2] = PAGE_COPY;
5373 -       protection_map[3] = PAGE_COPY;
5374 +       protection_map[1] = PAGE_READONLY_NOEXEC;
5375 +       protection_map[2] = PAGE_COPY_NOEXEC;
5376 +       protection_map[3] = PAGE_COPY_NOEXEC;
5377         protection_map[4] = PAGE_READONLY;
5378         protection_map[5] = PAGE_READONLY;
5379         protection_map[6] = PAGE_COPY;
5380         protection_map[7] = PAGE_COPY;
5381         protection_map[8] = PAGE_NONE;
5382 -       protection_map[9] = PAGE_READONLY;
5383 -       protection_map[10] = PAGE_SHARED;
5384 -       protection_map[11] = PAGE_SHARED;
5385 +       protection_map[9] = PAGE_READONLY_NOEXEC;
5386 +       protection_map[10] = PAGE_SHARED_NOEXEC;
5387 +       protection_map[11] = PAGE_SHARED_NOEXEC;
5388         protection_map[12] = PAGE_READONLY;
5389         protection_map[13] = PAGE_READONLY;
5390         protection_map[14] = PAGE_SHARED;
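Review bot: protection_map[] entries 1-3 and 9-11 now use the _NOEXEC values unconditionally, yet the srmmu.c hunk later in this patch assigns PAGE_SHARED_NOEXEC and the page_copy_noexec / page_readonly_noexec fixups only under `#ifdef CONFIG_PAX_PAGEEXEC`. Unless the header (not visible here) maps the _NOEXEC names back to the regular protections when that option is off, those entries would be built from values that were never set. This deserves a check, or the same `#ifdef CONFIG_PAX_PAGEEXEC` around the `pgprot_t PAGE_SHARED_NOEXEC` definition and its EXPORT_SYMBOL in the previous hunk. paging_init continues outside the hunk.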
5391 diff -urNp linux-2.6.35.5/arch/sparc/mm/Makefile linux-2.6.35.5/arch/sparc/mm/Makefile
5392 --- linux-2.6.35.5/arch/sparc/mm/Makefile       2010-08-26 19:47:12.000000000 -0400
5393 +++ linux-2.6.35.5/arch/sparc/mm/Makefile       2010-09-17 20:12:09.000000000 -0400
5394 @@ -2,7 +2,7 @@
5395  #
5396  
5397  asflags-y := -ansi
5398 -ccflags-y := -Werror
5399 +#ccflags-y := -Werror
5400  
5401  obj-$(CONFIG_SPARC64)   += ultra.o tlb.o tsb.o
5402  obj-y                   += fault_$(BITS).o
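Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for every object in arch/sparc/mm, which includes the fault handlers this patch extends with user-memory reads and address arithmetic. If one file triggers a warning, it is safer to fix that warning or relax the flag for that object only. If the flag has to go, a comment stating why should accompany it, e.g. `# -Werror disabled: <file and warning>`.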
5403 diff -urNp linux-2.6.35.5/arch/sparc/mm/srmmu.c linux-2.6.35.5/arch/sparc/mm/srmmu.c
5404 --- linux-2.6.35.5/arch/sparc/mm/srmmu.c        2010-08-26 19:47:12.000000000 -0400
5405 +++ linux-2.6.35.5/arch/sparc/mm/srmmu.c        2010-09-17 20:12:09.000000000 -0400
5406 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
5407         PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5408         BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5409         BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5410 +
5411 +#ifdef CONFIG_PAX_PAGEEXEC
5412 +       PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5413 +       BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5414 +       BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5415 +#endif
5416 +
5417         BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5418         page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5419  
5420 diff -urNp linux-2.6.35.5/arch/um/include/asm/kmap_types.h linux-2.6.35.5/arch/um/include/asm/kmap_types.h
5421 --- linux-2.6.35.5/arch/um/include/asm/kmap_types.h     2010-08-26 19:47:12.000000000 -0400
5422 +++ linux-2.6.35.5/arch/um/include/asm/kmap_types.h     2010-09-17 20:12:09.000000000 -0400
5423 @@ -23,6 +23,7 @@ enum km_type {
5424         KM_IRQ1,
5425         KM_SOFTIRQ0,
5426         KM_SOFTIRQ1,
5427 +       KM_CLEARPAGE,
5428         KM_TYPE_NR
5429  };
5430  
5431 diff -urNp linux-2.6.35.5/arch/um/include/asm/page.h linux-2.6.35.5/arch/um/include/asm/page.h
5432 --- linux-2.6.35.5/arch/um/include/asm/page.h   2010-08-26 19:47:12.000000000 -0400
5433 +++ linux-2.6.35.5/arch/um/include/asm/page.h   2010-09-17 20:12:09.000000000 -0400
5434 @@ -14,6 +14,9 @@
5435  #define PAGE_SIZE      (_AC(1, UL) << PAGE_SHIFT)
5436  #define PAGE_MASK      (~(PAGE_SIZE-1))
5437  
5438 +#define ktla_ktva(addr)                        (addr)
5439 +#define ktva_ktla(addr)                        (addr)
5440 +
5441  #ifndef __ASSEMBLY__
5442  
5443  struct page;
5444 diff -urNp linux-2.6.35.5/arch/um/sys-i386/syscalls.c linux-2.6.35.5/arch/um/sys-i386/syscalls.c
5445 --- linux-2.6.35.5/arch/um/sys-i386/syscalls.c  2010-08-26 19:47:12.000000000 -0400
5446 +++ linux-2.6.35.5/arch/um/sys-i386/syscalls.c  2010-09-17 20:12:09.000000000 -0400
5447 @@ -11,6 +11,21 @@
5448  #include "asm/uaccess.h"
5449  #include "asm/unistd.h"
5450  
5451 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5452 +{
5453 +       unsigned long pax_task_size = TASK_SIZE;
5454 +
5455 +#ifdef CONFIG_PAX_SEGMEXEC
5456 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5457 +               pax_task_size = SEGMEXEC_TASK_SIZE;
5458 +#endif
5459 +
5460 +       if (len > pax_task_size || addr > pax_task_size - len)
5461 +               return -EINVAL;
5462 +
5463 +       return 0;
5464 +}
5465 +
5466  /*
5467   * The prototype on i386 is:
5468   *
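Review bot: i386_mmap_check() has no comment on why the bound is written as two comparisons, and its `flags` argument is unused. The order matters: `len > pax_task_size` is tested first so that `pax_task_size - len` cannot wrap, which is what makes `addr > pax_task_size - len` a safe form of `addr + len > pax_task_size`. A comment such as `/* check len first so pax_task_size - len cannot underflow */` would keep a later edit from reordering it. Under CONFIG_PAX_SEGMEXEC the function also reads `current->mm` without a NULL test, so it presumably expects a process context with an mm; that is worth stating in the same comment.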
5469 diff -urNp linux-2.6.35.5/arch/x86/boot/bitops.h linux-2.6.35.5/arch/x86/boot/bitops.h
5470 --- linux-2.6.35.5/arch/x86/boot/bitops.h       2010-08-26 19:47:12.000000000 -0400
5471 +++ linux-2.6.35.5/arch/x86/boot/bitops.h       2010-09-17 20:12:09.000000000 -0400
5472 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int 
5473         u8 v;
5474         const u32 *p = (const u32 *)addr;
5475  
5476 -       asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5477 +       asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5478         return v;
5479  }
5480  
5481 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int 
5482  
5483  static inline void set_bit(int nr, void *addr)
5484  {
5485 -       asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5486 +       asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5487  }
5488  
5489  #endif /* BOOT_BITOPS_H */
5490 diff -urNp linux-2.6.35.5/arch/x86/boot/boot.h linux-2.6.35.5/arch/x86/boot/boot.h
5491 --- linux-2.6.35.5/arch/x86/boot/boot.h 2010-08-26 19:47:12.000000000 -0400
5492 +++ linux-2.6.35.5/arch/x86/boot/boot.h 2010-09-17 20:12:09.000000000 -0400
5493 @@ -82,7 +82,7 @@ static inline void io_delay(void)
5494  static inline u16 ds(void)
5495  {
5496         u16 seg;
5497 -       asm("movw %%ds,%0" : "=rm" (seg));
5498 +       asm volatile("movw %%ds,%0" : "=rm" (seg));
5499         return seg;
5500  }
5501  
5502 @@ -178,7 +178,7 @@ static inline void wrgs32(u32 v, addr_t 
5503  static inline int memcmp(const void *s1, const void *s2, size_t len)
5504  {
5505         u8 diff;
5506 -       asm("repe; cmpsb; setnz %0"
5507 +       asm volatile("repe; cmpsb; setnz %0"
5508             : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5509         return diff;
5510  }
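Review bot: Adding `volatile` to the asm in memcmp() keeps the compiler from dropping or merging the statement, but the asm still does not declare that it reads the memory behind s1 and s2, since only the pointer registers and the count are listed as operands. Without a memory clobber the compiler may treat earlier stores to those buffers as unrelated to the comparison. Consider ending the operand list with a clobber: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`.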
5511 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/head_32.S linux-2.6.35.5/arch/x86/boot/compressed/head_32.S
5512 --- linux-2.6.35.5/arch/x86/boot/compressed/head_32.S   2010-08-26 19:47:12.000000000 -0400
5513 +++ linux-2.6.35.5/arch/x86/boot/compressed/head_32.S   2010-09-17 20:12:09.000000000 -0400
5514 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5515         notl    %eax
5516         andl    %eax, %ebx
5517  #else
5518 -       movl    $LOAD_PHYSICAL_ADDR, %ebx
5519 +       movl    $____LOAD_PHYSICAL_ADDR, %ebx
5520  #endif
5521  
5522         /* Target address to relocate to for decompression */
5523 @@ -149,7 +149,7 @@ relocated:
5524   * and where it was actually loaded.
5525   */
5526         movl    %ebp, %ebx
5527 -       subl    $LOAD_PHYSICAL_ADDR, %ebx
5528 +       subl    $____LOAD_PHYSICAL_ADDR, %ebx
5529         jz      2f      /* Nothing to be done if loaded at compiled addr. */
5530  /*
5531   * Process relocations.
5532 @@ -157,8 +157,7 @@ relocated:
5533  
5534  1:     subl    $4, %edi
5535         movl    (%edi), %ecx
5536 -       testl   %ecx, %ecx
5537 -       jz      2f
5538 +       jecxz   2f
5539         addl    %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5540         jmp     1b
5541  2:
5542 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/head_64.S linux-2.6.35.5/arch/x86/boot/compressed/head_64.S
5543 --- linux-2.6.35.5/arch/x86/boot/compressed/head_64.S   2010-08-26 19:47:12.000000000 -0400
5544 +++ linux-2.6.35.5/arch/x86/boot/compressed/head_64.S   2010-09-17 20:12:09.000000000 -0400
5545 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5546         notl    %eax
5547         andl    %eax, %ebx
5548  #else
5549 -       movl    $LOAD_PHYSICAL_ADDR, %ebx
5550 +       movl    $____LOAD_PHYSICAL_ADDR, %ebx
5551  #endif
5552  
5553         /* Target address to relocate to for decompression */
5554 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5555         notq    %rax
5556         andq    %rax, %rbp
5557  #else
5558 -       movq    $LOAD_PHYSICAL_ADDR, %rbp
5559 +       movq    $____LOAD_PHYSICAL_ADDR, %rbp
5560  #endif
5561  
5562         /* Target address to relocate to for decompression */
5563 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/misc.c linux-2.6.35.5/arch/x86/boot/compressed/misc.c
5564 --- linux-2.6.35.5/arch/x86/boot/compressed/misc.c      2010-08-26 19:47:12.000000000 -0400
5565 +++ linux-2.6.35.5/arch/x86/boot/compressed/misc.c      2010-09-17 20:12:09.000000000 -0400
5566 @@ -285,7 +285,7 @@ static void parse_elf(void *output)
5567                 case PT_LOAD:
5568  #ifdef CONFIG_RELOCATABLE
5569                         dest = output;
5570 -                       dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5571 +                       dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5572  #else
5573                         dest = (void *)(phdr->p_paddr);
5574  #endif
5575 @@ -332,7 +332,7 @@ asmlinkage void decompress_kernel(void *
5576                 error("Destination address too large");
5577  #endif
5578  #ifndef CONFIG_RELOCATABLE
5579 -       if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5580 +       if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5581                 error("Wrong destination address");
5582  #endif
5583  
5584 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c
5585 --- linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c   2010-08-26 19:47:12.000000000 -0400
5586 +++ linux-2.6.35.5/arch/x86/boot/compressed/mkpiggy.c   2010-09-17 20:12:09.000000000 -0400
5587 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5588  
5589         offs = (olen > ilen) ? olen - ilen : 0;
5590         offs += olen >> 12;     /* Add 8 bytes for each 32K block */
5591 -       offs += 32*1024 + 18;   /* Add 32K + 18 bytes slack */
5592 +       offs += 64*1024;        /* Add 64K bytes slack */
5593         offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5594  
5595         printf(".section \".rodata..compressed\",\"a\",@progbits\n");
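Review bot: The slack constant changes from `32*1024 + 18` to `64*1024` without saying where the new figure comes from, and the comment only restates the number. The value feeds `offs`, which appears to be the offset used for in-place decompression, so a figure that is too small would be hard to diagnose later. The comment should record the reason, for example `/* Add 64K slack: <why the 32K + 18 bound is no longer enough> */`. main() starts and ends outside this hunk.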
5596 diff -urNp linux-2.6.35.5/arch/x86/boot/compressed/relocs.c linux-2.6.35.5/arch/x86/boot/compressed/relocs.c
5597 --- linux-2.6.35.5/arch/x86/boot/compressed/relocs.c    2010-08-26 19:47:12.000000000 -0400
5598 +++ linux-2.6.35.5/arch/x86/boot/compressed/relocs.c    2010-09-17 20:12:09.000000000 -0400
5599 @@ -13,8 +13,11 @@
5600  
5601  static void die(char *fmt, ...);
5602  
5603 +#include "../../../../include/generated/autoconf.h"
5604 +
5605  #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5606  static Elf32_Ehdr ehdr;
5607 +static Elf32_Phdr *phdr;
5608  static unsigned long reloc_count, reloc_idx;
5609  static unsigned long *relocs;
5610  
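Review bot: The added `#include "../../../../include/generated/autoconf.h"` resolves relative to the source directory. A build that writes generated headers to a separate output directory would therefore not find the file, or would pick up a stale copy left in the source tree and silently apply the wrong configuration to the relocation tool. Passing the include directory from the Makefile and writing `#include <generated/autoconf.h>` avoids hard-coding the path.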
5611 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5612         }
5613  }
5614  
5615 +static void read_phdrs(FILE *fp)
5616 +{
5617 +       unsigned int i;
5618 +
5619 +       phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5620 +       if (!phdr) {
5621 +               die("Unable to allocate %d program headers\n",
5622 +                   ehdr.e_phnum);
5623 +       }
5624 +       if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5625 +               die("Seek to %d failed: %s\n",
5626 +                       ehdr.e_phoff, strerror(errno));
5627 +       }
5628 +       if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5629 +               die("Cannot read ELF program headers: %s\n",
5630 +                       strerror(errno));
5631 +       }
5632 +       for(i = 0; i < ehdr.e_phnum; i++) {
5633 +               phdr[i].p_type      = elf32_to_cpu(phdr[i].p_type);
5634 +               phdr[i].p_offset    = elf32_to_cpu(phdr[i].p_offset);
5635 +               phdr[i].p_vaddr     = elf32_to_cpu(phdr[i].p_vaddr);
5636 +               phdr[i].p_paddr     = elf32_to_cpu(phdr[i].p_paddr);
5637 +               phdr[i].p_filesz    = elf32_to_cpu(phdr[i].p_filesz);
5638 +               phdr[i].p_memsz     = elf32_to_cpu(phdr[i].p_memsz);
5639 +               phdr[i].p_flags     = elf32_to_cpu(phdr[i].p_flags);
5640 +               phdr[i].p_align     = elf32_to_cpu(phdr[i].p_align);
5641 +       }
5642 +
5643 +}
5644 +
5645  static void read_shdrs(FILE *fp)
5646  {
5647 -       int i;
5648 +       unsigned int i;
5649         Elf32_Shdr shdr;
5650  
5651         secs = calloc(ehdr.e_shnum, sizeof(struct section));
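Review bot: `read_phdrs()` reads `e_phnum` entries of `sizeof(Elf32_Phdr)` without checking the file's `e_phentsize`, so an input with a different entry size would be parsed at the wrong stride. A guard before the `calloc`, such as `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Bad program header entry\n");`, would catch it, assuming `read_ehdr()` (outside this hunk) byte-swaps that field. `ehdr.e_phoff` and `ehdr.e_phnum` are unsigned but printed with `%d`, and a short `fread` does not set `errno`, so `strerror(errno)` can print an unrelated message. The function also has no header comment; `/* Load the program header table into phdr[], converted to host byte order. */` would do.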
5652 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5653  
5654  static void read_strtabs(FILE *fp)
5655  {
5656 -       int i;
5657 +       unsigned int i;
5658         for (i = 0; i < ehdr.e_shnum; i++) {
5659                 struct section *sec = &secs[i];
5660                 if (sec->shdr.sh_type != SHT_STRTAB) {
5661 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5662  
5663  static void read_symtabs(FILE *fp)
5664  {
5665 -       int i,j;
5666 +       unsigned int i,j;
5667         for (i = 0; i < ehdr.e_shnum; i++) {
5668                 struct section *sec = &secs[i];
5669                 if (sec->shdr.sh_type != SHT_SYMTAB) {
5670 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5671  
5672  static void read_relocs(FILE *fp)
5673  {
5674 -       int i,j;
5675 +       unsigned int i,j;
5676 +       uint32_t base;
5677 +
5678         for (i = 0; i < ehdr.e_shnum; i++) {
5679                 struct section *sec = &secs[i];
5680                 if (sec->shdr.sh_type != SHT_REL) {
5681 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5682                         die("Cannot read symbol table: %s\n",
5683                                 strerror(errno));
5684                 }
5685 +               base = 0;
5686 +               for (j = 0; j < ehdr.e_phnum; j++) {
5687 +                       if (phdr[j].p_type != PT_LOAD )
5688 +                               continue;
5689 +                       if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5690 +                               continue;
5691 +                       base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5692 +                       break;
5693 +               }
5694                 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5695                         Elf32_Rel *rel = &sec->reltab[j];
5696 -                       rel->r_offset = elf32_to_cpu(rel->r_offset);
5697 +                       rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5698                         rel->r_info   = elf32_to_cpu(rel->r_info);
5699                 }
5700         }
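Review bot: The range test `sh_offset >= phdr[j].p_offset + phdr[j].p_filesz` adds two 32-bit fields and can wrap for a segment near the top of the offset range. With the section offset hoisted into a local `off`, `if (off < phdr[j].p_offset || off - phdr[j].p_offset >= phdr[j].p_filesz) continue;` cannot wrap and is far shorter than the current line. `sec->shdr.sh_info` is also used as an index into `secs` with no check against `ehdr.e_shnum` in the lines shown. When no PT_LOAD segment matches, `base` silently stays 0; if that is intended for sections outside any loaded segment, a comment should say so. `read_relocs()` starts before this hunk.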
5701 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5702  
5703  static void print_absolute_symbols(void)
5704  {
5705 -       int i;
5706 +       unsigned int i;
5707         printf("Absolute symbols\n");
5708         printf(" Num:    Value Size  Type       Bind        Visibility  Name\n");
5709         for (i = 0; i < ehdr.e_shnum; i++) {
5710                 struct section *sec = &secs[i];
5711                 char *sym_strtab;
5712                 Elf32_Sym *sh_symtab;
5713 -               int j;
5714 +               unsigned int j;
5715  
5716                 if (sec->shdr.sh_type != SHT_SYMTAB) {
5717                         continue;
5718 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5719  
5720  static void print_absolute_relocs(void)
5721  {
5722 -       int i, printed = 0;
5723 +       unsigned int i, printed = 0;
5724  
5725         for (i = 0; i < ehdr.e_shnum; i++) {
5726                 struct section *sec = &secs[i];
5727                 struct section *sec_applies, *sec_symtab;
5728                 char *sym_strtab;
5729                 Elf32_Sym *sh_symtab;
5730 -               int j;
5731 +               unsigned int j;
5732                 if (sec->shdr.sh_type != SHT_REL) {
5733                         continue;
5734                 }
5735 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5736  
5737  static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5738  {
5739 -       int i;
5740 +       unsigned int i;
5741         /* Walk through the relocations */
5742         for (i = 0; i < ehdr.e_shnum; i++) {
5743                 char *sym_strtab;
5744                 Elf32_Sym *sh_symtab;
5745                 struct section *sec_applies, *sec_symtab;
5746 -               int j;
5747 +               unsigned int j;
5748                 struct section *sec = &secs[i];
5749  
5750                 if (sec->shdr.sh_type != SHT_REL) {
5751 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5752                             !is_rel_reloc(sym_name(sym_strtab, sym))) {
5753                                 continue;
5754                         }
5755 +                       /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5756 +                       if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5757 +                               continue;
5758 +
5759 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5760 +                       /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5761 +                       if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5762 +                               continue;
5763 +                       if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5764 +                               continue;
5765 +                       if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5766 +                               continue;
5767 +                       if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
5768 +                               continue;
5769 +#endif
5770 +
5771                         switch (r_type) {
5772                         case R_386_NONE:
5773                         case R_386_PC32:
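Review bot: `sec_name(sym->st_shndx)` is evaluated and string-compared up to five times per relocation in the added block; assigning it once to a local, `sname = sec_name(sym->st_shndx);`, ahead of the first test would make the skip list easier to read and audit. The comments should also say why `__per_cpu_load`, `_etext` and `__LOAD_PHYSICAL_ADDR` are the exceptions, because a symbol wrongly matched here is left unrelocated with no diagnostic. `walk_relocs()` begins and ends outside this hunk.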
5774 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5775  
5776  static void emit_relocs(int as_text)
5777  {
5778 -       int i;
5779 +       unsigned int i;
5780         /* Count how many relocations I have and allocate space for them. */
5781         reloc_count = 0;
5782         walk_relocs(count_reloc);
5783 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5784                         fname, strerror(errno));
5785         }
5786         read_ehdr(fp);
5787 +       read_phdrs(fp);
5788         read_shdrs(fp);
5789         read_strtabs(fp);
5790         read_symtabs(fp);
5791 diff -urNp linux-2.6.35.5/arch/x86/boot/cpucheck.c linux-2.6.35.5/arch/x86/boot/cpucheck.c
5792 --- linux-2.6.35.5/arch/x86/boot/cpucheck.c     2010-08-26 19:47:12.000000000 -0400
5793 +++ linux-2.6.35.5/arch/x86/boot/cpucheck.c     2010-09-17 20:12:09.000000000 -0400
5794 @@ -74,7 +74,7 @@ static int has_fpu(void)
5795         u16 fcw = -1, fsw = -1;
5796         u32 cr0;
5797  
5798 -       asm("movl %%cr0,%0" : "=r" (cr0));
5799 +       asm volatile("movl %%cr0,%0" : "=r" (cr0));
5800         if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5801                 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
5802                 asm volatile("movl %0,%%cr0" : : "r" (cr0));
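Review bot: None of the `asm volatile` changes in this file say why the qualifier is needed, here or in the has_eflag(), get_flags() and check_cpu() hunks below. A short comment at the first one would stop a later cleanup from removing it, for example `/* volatile: CR0, EFLAGS, CPUID and MSR contents can change between calls, so these reads must not be merged or dropped */`. check_cpu() re-runs get_flags() after a `wrmsr` to observe a changed CPUID result, which is where a merged read would go wrong. The `wrmsr` statements still have no "memory" clobber; that looks harmless while every dependent access is itself a volatile asm, as it is in the lines shown.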
5803 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
5804  {
5805         u32 f0, f1;
5806  
5807 -       asm("pushfl ; "
5808 +       asm volatile("pushfl ; "
5809             "pushfl ; "
5810             "popl %0 ; "
5811             "movl %0,%1 ; "
5812 @@ -115,7 +115,7 @@ static void get_flags(void)
5813                 set_bit(X86_FEATURE_FPU, cpu.flags);
5814  
5815         if (has_eflag(X86_EFLAGS_ID)) {
5816 -               asm("cpuid"
5817 +               asm volatile("cpuid"
5818                     : "=a" (max_intel_level),
5819                       "=b" (cpu_vendor[0]),
5820                       "=d" (cpu_vendor[1]),
5821 @@ -124,7 +124,7 @@ static void get_flags(void)
5822  
5823                 if (max_intel_level >= 0x00000001 &&
5824                     max_intel_level <= 0x0000ffff) {
5825 -                       asm("cpuid"
5826 +                       asm volatile("cpuid"
5827                             : "=a" (tfms),
5828                               "=c" (cpu.flags[4]),
5829                               "=d" (cpu.flags[0])
5830 @@ -136,7 +136,7 @@ static void get_flags(void)
5831                                 cpu.model += ((tfms >> 16) & 0xf) << 4;
5832                 }
5833  
5834 -               asm("cpuid"
5835 +               asm volatile("cpuid"
5836                     : "=a" (max_amd_level)
5837                     : "a" (0x80000000)
5838                     : "ebx", "ecx", "edx");
5839 @@ -144,7 +144,7 @@ static void get_flags(void)
5840                 if (max_amd_level >= 0x80000001 &&
5841                     max_amd_level <= 0x8000ffff) {
5842                         u32 eax = 0x80000001;
5843 -                       asm("cpuid"
5844 +                       asm volatile("cpuid"
5845                             : "+a" (eax),
5846                               "=c" (cpu.flags[6]),
5847                               "=d" (cpu.flags[1])
5848 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5849                 u32 ecx = MSR_K7_HWCR;
5850                 u32 eax, edx;
5851  
5852 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5853 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5854                 eax &= ~(1 << 15);
5855 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5856 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5857  
5858                 get_flags();    /* Make sure it really did something */
5859                 err = check_flags();
5860 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
5861                 u32 ecx = MSR_VIA_FCR;
5862                 u32 eax, edx;
5863  
5864 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5865 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5866                 eax |= (1<<1)|(1<<7);
5867 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5868 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5869  
5870                 set_bit(X86_FEATURE_CX8, cpu.flags);
5871                 err = check_flags();
5872 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
5873                 u32 eax, edx;
5874                 u32 level = 1;
5875  
5876 -               asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5877 -               asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5878 -               asm("cpuid"
5879 +               asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
5880 +               asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
5881 +               asm volatile("cpuid"
5882                     : "+a" (level), "=d" (cpu.flags[0])
5883                     : : "ecx", "ebx");
5884 -               asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5885 +               asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
5886  
5887                 err = check_flags();
5888         }
5889 diff -urNp linux-2.6.35.5/arch/x86/boot/header.S linux-2.6.35.5/arch/x86/boot/header.S
5890 --- linux-2.6.35.5/arch/x86/boot/header.S       2010-08-26 19:47:12.000000000 -0400
5891 +++ linux-2.6.35.5/arch/x86/boot/header.S       2010-09-17 20:12:09.000000000 -0400
5892 @@ -224,7 +224,7 @@ setup_data:         .quad 0                 # 64-bit physical
5893                                                 # single linked list of
5894                                                 # struct setup_data
5895  
5896 -pref_address:          .quad LOAD_PHYSICAL_ADDR        # preferred load addr
5897 +pref_address:          .quad ____LOAD_PHYSICAL_ADDR    # preferred load addr
5898  
5899  #define ZO_INIT_SIZE   (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
5900  #define VO_INIT_SIZE   (VO__end - VO__text)
5901 diff -urNp linux-2.6.35.5/arch/x86/boot/memory.c linux-2.6.35.5/arch/x86/boot/memory.c
5902 --- linux-2.6.35.5/arch/x86/boot/memory.c       2010-08-26 19:47:12.000000000 -0400
5903 +++ linux-2.6.35.5/arch/x86/boot/memory.c       2010-09-17 20:12:09.000000000 -0400
5904 @@ -19,7 +19,7 @@
5905  
5906  static int detect_memory_e820(void)
5907  {
5908 -       int count = 0;
5909 +       unsigned int count = 0;
5910         struct biosregs ireg, oreg;
5911         struct e820entry *desc = boot_params.e820_map;
5912         static struct e820entry buf; /* static so it is zeroed */
5913 diff -urNp linux-2.6.35.5/arch/x86/boot/video.c linux-2.6.35.5/arch/x86/boot/video.c
5914 --- linux-2.6.35.5/arch/x86/boot/video.c        2010-08-26 19:47:12.000000000 -0400
5915 +++ linux-2.6.35.5/arch/x86/boot/video.c        2010-09-17 20:12:09.000000000 -0400
5916 @@ -96,7 +96,7 @@ static void store_mode_params(void)
5917  static unsigned int get_entry(void)
5918  {
5919         char entry_buf[4];
5920 -       int i, len = 0;
5921 +       unsigned int i, len = 0;
5922         int key;
5923         unsigned int v;
5924  
5925 diff -urNp linux-2.6.35.5/arch/x86/boot/video-vesa.c linux-2.6.35.5/arch/x86/boot/video-vesa.c
5926 --- linux-2.6.35.5/arch/x86/boot/video-vesa.c   2010-08-26 19:47:12.000000000 -0400
5927 +++ linux-2.6.35.5/arch/x86/boot/video-vesa.c   2010-09-17 20:12:09.000000000 -0400
5928 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
5929  
5930         boot_params.screen_info.vesapm_seg = oreg.es;
5931         boot_params.screen_info.vesapm_off = oreg.di;
5932 +       boot_params.screen_info.vesapm_size = oreg.cx;
5933  }
5934  
5935  /*
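Review bot: `vesapm_size` is taken straight from the CX value the BIOS returned, and nothing in this hunk bounds it. Whatever later uses `vesapm_seg:vesapm_off` together with this length (not visible here) has to treat it as untrusted firmware data. A comment on the new line such as `/* table length in bytes as reported by the BIOS; validate before use */` would make that explicit. Any check of the BIOS call's status sits above the hunk.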
5936 diff -urNp linux-2.6.35.5/arch/x86/ia32/ia32_aout.c linux-2.6.35.5/arch/x86/ia32/ia32_aout.c
5937 --- linux-2.6.35.5/arch/x86/ia32/ia32_aout.c    2010-08-26 19:47:12.000000000 -0400
5938 +++ linux-2.6.35.5/arch/x86/ia32/ia32_aout.c    2010-09-23 20:32:33.000000000 -0400
5939 @@ -168,6 +168,8 @@ static int aout_core_dump(long signr, st
5940         unsigned long dump_start, dump_size;
5941         struct user32 dump;
5942  
5943 +       memset(&dump, 0, sizeof(dump));
5944 +
5945         fs = get_fs();
5946         set_fs(KERNEL_DS);
5947         has_dumped = 1;
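Review bot: The new `memset(&dump, 0, sizeof(dump));` has no comment saying what it protects. `dump` is a stack `struct user32` that is presumably written to the core file later in the function, so any field or padding left unset would carry stale kernel stack bytes into a file the user can read. Adding `/* zero padding and unset fields so no kernel stack contents reach the core file */` above the call would keep it from being removed as redundant. The code that fills and writes `dump` is outside this hunk.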
5948 @@ -217,12 +219,6 @@ static int aout_core_dump(long signr, st
5949                 dump_size = dump.u_ssize << PAGE_SHIFT;
5950                 DUMP_WRITE(dump_start, dump_size);
5951         }
5952 -       /*
5953 -        * Finally dump the task struct.  Not be used by gdb, but
5954 -        * could be useful
5955 -        */
5956 -       set_fs(KERNEL_DS);
5957 -       DUMP_WRITE(current, sizeof(*current));
5958  end_coredump:
5959         set_fs(fs);
5960         return has_dumped;
5961 diff -urNp linux-2.6.35.5/arch/x86/ia32/ia32entry.S linux-2.6.35.5/arch/x86/ia32/ia32entry.S
5962 --- linux-2.6.35.5/arch/x86/ia32/ia32entry.S    2010-09-20 17:33:09.000000000 -0400
5963 +++ linux-2.6.35.5/arch/x86/ia32/ia32entry.S    2010-09-17 20:12:37.000000000 -0400
5964 @@ -13,6 +13,7 @@
5965  #include <asm/thread_info.h>   
5966  #include <asm/segment.h>
5967  #include <asm/irqflags.h>
5968 +#include <asm/pgtable.h>
5969  #include <linux/linkage.h>
5970  
5971  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
5972 @@ -120,6 +121,11 @@ ENTRY(ia32_sysenter_target)
5973         SWAPGS_UNSAFE_STACK
5974         movq    PER_CPU_VAR(kernel_stack), %rsp
5975         addq    $(KERNEL_STACK_OFFSET),%rsp
5976 +
5977 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5978 +       call pax_enter_kernel_user
5979 +#endif
5980 +
5981         /*
5982          * No need to follow this irqs on/off section: the syscall
5983          * disabled irqs, here we enable it straight after entry:
5984 @@ -150,6 +156,12 @@ ENTRY(ia32_sysenter_target)
5985         SAVE_ARGS 0,0,1
5986         /* no need to do an access_ok check here because rbp has been
5987            32bit zero extended */ 
5988 +
5989 +#ifdef CONFIG_PAX_MEMORY_UDEREF
5990 +       mov $PAX_USER_SHADOW_BASE,%r10
5991 +       add %r10,%rbp
5992 +#endif
5993 +
5994  1:     movl    (%rbp),%ebp
5995         .section __ex_table,"a"
5996         .quad 1b,ia32_badarg
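Review bot: The added `mov $PAX_USER_SHADOW_BASE,%r10` / `add %r10,%rbp` clobbers %r10 and rebases the user pointer without a comment; the same sequence is added for %r8 in the ia32_cstar_target hunk further down. In the sysenter path the following `movl (%rbp),%ebp` overwrites the adjusted register, but in the cstar path `movl (%r8),%r9d` leaves %r8 holding the rebased address afterwards. A line such as `/* UDEREF: read the user stack through the shadow base; %r10 is dead here */` in both places would record the assumptions. It is also worth confirming that %r8 and %r10 are reloaded before their next use, which these hunks do not show.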
5997 @@ -172,6 +184,11 @@ sysenter_dispatch:
5998         testl   $_TIF_ALLWORK_MASK,TI_flags(%r10)
5999         jnz     sysexit_audit
6000  sysexit_from_sys_call:
6001 +
6002 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6003 +       call pax_exit_kernel_user
6004 +#endif
6005 +
6006         andl    $~TS_COMPAT,TI_status(%r10)
6007         /* clear IF, that popfq doesn't enable interrupts early */
6008         andl  $~0x200,EFLAGS-R11(%rsp) 
6009 @@ -290,6 +307,11 @@ ENTRY(ia32_cstar_target)
6010         movl    %esp,%r8d
6011         CFI_REGISTER    rsp,r8
6012         movq    PER_CPU_VAR(kernel_stack),%rsp
6013 +
6014 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6015 +       call pax_enter_kernel_user
6016 +#endif
6017 +
6018         /*
6019          * No need to follow this irqs on/off section: the syscall
6020          * disabled irqs and here we enable it straight after entry:
6021 @@ -311,6 +333,12 @@ ENTRY(ia32_cstar_target)
6022         /* no need to do an access_ok check here because r8 has been
6023            32bit zero extended */ 
6024         /* hardware stack frame is complete now */      
6025 +
6026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6027 +       mov $PAX_USER_SHADOW_BASE,%r10
6028 +       add %r10,%r8
6029 +#endif
6030 +
6031  1:     movl    (%r8),%r9d
6032         .section __ex_table,"a"
6033         .quad 1b,ia32_badarg
6034 @@ -333,6 +361,11 @@ cstar_dispatch:
6035         testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6036         jnz sysretl_audit
6037  sysretl_from_sys_call:
6038 +
6039 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6040 +       call pax_exit_kernel_user
6041 +#endif
6042 +
6043         andl $~TS_COMPAT,TI_status(%r10)
6044         RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6045         movl RIP-ARGOFFSET(%rsp),%ecx
6046 @@ -415,6 +448,11 @@ ENTRY(ia32_syscall)
6047         CFI_REL_OFFSET  rip,RIP-RIP
6048         PARAVIRT_ADJUST_EXCEPTION_FRAME
6049         SWAPGS
6050 +
6051 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6052 +       call pax_enter_kernel_user
6053 +#endif
6054 +
6055         /*
6056          * No need to follow this irqs on/off section: the syscall
6057          * disabled irqs and here we enable it straight after entry:
6058 diff -urNp linux-2.6.35.5/arch/x86/ia32/ia32_signal.c linux-2.6.35.5/arch/x86/ia32/ia32_signal.c
6059 --- linux-2.6.35.5/arch/x86/ia32/ia32_signal.c  2010-08-26 19:47:12.000000000 -0400
6060 +++ linux-2.6.35.5/arch/x86/ia32/ia32_signal.c  2010-09-17 20:12:09.000000000 -0400
6061 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct 
6062         sp -= frame_size;
6063         /* Align the stack pointer according to the i386 ABI,
6064          * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6065 -       sp = ((sp + 4) & -16ul) - 4;
6066 +       sp = ((sp - 12) & -16ul) - 4;
6067         return (void __user *) sp;
6068  }
6069  
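Review bot: The comment above the changed line still describes only the i386 ABI alignment, which the old and new expressions both satisfy, so it no longer explains the code. The new `((sp - 12) & -16ul) - 4` always lands at least 16 bytes below the incoming `sp`, whereas the old form could return `sp` unchanged. If that guaranteed gap is the purpose, the comment should say so, e.g. `/* ... and always step below the incoming sp, never reuse it as-is */`. get_sigframe() starts before this hunk.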
6070 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct 
6071                 0xb8,
6072                 __NR_ia32_rt_sigreturn,
6073                 0x80cd,
6074 -               0,
6075 +               0
6076         };
6077  
6078         frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6079 diff -urNp linux-2.6.35.5/arch/x86/include/asm/alternative.h linux-2.6.35.5/arch/x86/include/asm/alternative.h
6080 --- linux-2.6.35.5/arch/x86/include/asm/alternative.h   2010-08-26 19:47:12.000000000 -0400
6081 +++ linux-2.6.35.5/arch/x86/include/asm/alternative.h   2010-09-17 20:12:09.000000000 -0400
6082 @@ -91,7 +91,7 @@ static inline int alternatives_text_rese
6083        "         .byte 664f-663f\n"                     /* replacementlen  */   \
6084        "         .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */   \
6085        ".previous\n"                                                    \
6086 -      ".section .altinstr_replacement, \"ax\"\n"                       \
6087 +      ".section .altinstr_replacement, \"a\"\n"                        \
6088        "663:\n\t" newinstr "\n664:\n"           /* replacement     */   \
6089        ".previous"
6090  
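Review bot: The macro does not explain why the `x` flag is dropped from `.altinstr_replacement`, and every other declaration of that section has to agree with it. As far as this header shows, the replacement bytes are only a source for patching, so a non-executable section is reasonable; a trailing comment like `/* copied from, never executed in place */` would record that. Any assembly file that still declares the section with `"ax"` will conflict on section flags, so those declarations need the same change (not visible in this hunk).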
6091 diff -urNp linux-2.6.35.5/arch/x86/include/asm/apm.h linux-2.6.35.5/arch/x86/include/asm/apm.h
6092 --- linux-2.6.35.5/arch/x86/include/asm/apm.h   2010-08-26 19:47:12.000000000 -0400
6093 +++ linux-2.6.35.5/arch/x86/include/asm/apm.h   2010-09-17 20:12:09.000000000 -0400
6094 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6095         __asm__ __volatile__(APM_DO_ZERO_SEGS
6096                 "pushl %%edi\n\t"
6097                 "pushl %%ebp\n\t"
6098 -               "lcall *%%cs:apm_bios_entry\n\t"
6099 +               "lcall *%%ss:apm_bios_entry\n\t"
6100                 "setc %%al\n\t"
6101                 "popl %%ebp\n\t"
6102                 "popl %%edi\n\t"
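Review bot: The switch from `%%cs:` to `%%ss:` for loading `apm_bios_entry` is unexplained, in this hunk and in the identical one for apm_bios_call_simple_asm() below. The far pointer is data, and `APM_DO_ZERO_SEGS` presumably leaves few usable segment registers at this point, so the choice of override is load-bearing. A comment next to the `lcall` such as `/* apm_bios_entry is read via %ss: %cs may not map kernel data */` would help, with the reason confirmed by the author. Both asm statements start above their hunks.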
6103 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6104         __asm__ __volatile__(APM_DO_ZERO_SEGS
6105                 "pushl %%edi\n\t"
6106                 "pushl %%ebp\n\t"
6107 -               "lcall *%%cs:apm_bios_entry\n\t"
6108 +               "lcall *%%ss:apm_bios_entry\n\t"
6109                 "setc %%bl\n\t"
6110                 "popl %%ebp\n\t"
6111                 "popl %%edi\n\t"
6112 diff -urNp linux-2.6.35.5/arch/x86/include/asm/asm.h linux-2.6.35.5/arch/x86/include/asm/asm.h
6113 --- linux-2.6.35.5/arch/x86/include/asm/asm.h   2010-08-26 19:47:12.000000000 -0400
6114 +++ linux-2.6.35.5/arch/x86/include/asm/asm.h   2010-09-17 20:12:09.000000000 -0400
6115 @@ -37,6 +37,12 @@
6116  #define _ASM_SI                __ASM_REG(si)
6117  #define _ASM_DI                __ASM_REG(di)
6118  
6119 +#ifdef CONFIG_X86_32
6120 +#define _ASM_INTO      "into"
6121 +#else
6122 +#define _ASM_INTO      "int $4"
6123 +#endif
6124 +
6125  /* Exception table entry */
6126  #ifdef __ASSEMBLY__
6127  # define _ASM_EXTABLE(from,to)     \
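Review bot: The two `_ASM_INTO` definitions are not equivalent: `into` traps only when the overflow flag is set, while `int $4` raises the overflow exception unconditionally. Any user of the macro on 64-bit therefore needs its own `jno` in front, which the atomic64_64.h changes in this patch write out by hand. A comment on the `#else` branch, e.g. `/* unconditional: guard with jno, INTO does not exist in 64-bit mode */`, would keep a caller from assuming the 32-bit semantics.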
6128 diff -urNp linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h
6129 --- linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h   2010-08-26 19:47:12.000000000 -0400
6130 +++ linux-2.6.35.5/arch/x86/include/asm/atomic64_32.h   2010-09-17 20:12:09.000000000 -0400
6131 @@ -12,6 +12,14 @@ typedef struct {
6132         u64 __aligned(8) counter;
6133  } atomic64_t;
6134  
6135 +#ifdef CONFIG_PAX_REFCOUNT
6136 +typedef struct {
6137 +       u64 __aligned(8) counter;
6138 +} atomic64_unchecked_t;
6139 +#else
6140 +typedef atomic64_t atomic64_unchecked_t;
6141 +#endif
6142 +
6143  #define ATOMIC64_INIT(val)     { (val) }
6144  
6145  #ifdef CONFIG_X86_CMPXCHG64
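Review bot: The new `atomic64_unchecked_t` has no comment saying when it may be used. With CONFIG_PAX_REFCOUNT it is a distinct struct, so checked and unchecked helpers cannot be mixed by accident, but the reader has to infer the intent from the name. A comment above the `#ifdef` would state the contract, for example `/* 64-bit counter exempt from overflow trapping; for values that may legitimately wrap, never for reference counts */` (wording to be confirmed by the author).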
6146 diff -urNp linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h
6147 --- linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h   2010-08-26 19:47:12.000000000 -0400
6148 +++ linux-2.6.35.5/arch/x86/include/asm/atomic64_64.h   2010-09-17 20:12:09.000000000 -0400
6149 @@ -22,6 +22,18 @@ static inline long atomic64_read(const a
6150  }
6151  
6152  /**
6153 + * atomic64_read_unchecked - read atomic64 variable
6154 + * @v: pointer of type atomic64_unchecked_t
6155 + *
6156 + * Atomically reads the value of @v.
6157 + * Doesn't imply a read memory barrier.
6158 + */
6159 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6160 +{
6161 +       return v->counter;
6162 +}
6163 +
6164 +/**
6165   * atomic64_set - set atomic64 variable
6166   * @v: pointer to type atomic64_t
6167   * @i: required value
6168 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6169  }
6170  
6171  /**
6172 + * atomic64_set_unchecked - set atomic64 variable
6173 + * @v: pointer to type atomic64_unchecked_t
6174 + * @i: required value
6175 + *
6176 + * Atomically sets the value of @v to @i.
6177 + */
6178 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6179 +{
6180 +       v->counter = i;
6181 +}
6182 +
6183 +/**
6184   * atomic64_add - add integer to atomic64 variable
6185   * @i: integer value to add
6186   * @v: pointer to type atomic64_t
6187 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6188   */
6189  static inline void atomic64_add(long i, atomic64_t *v)
6190  {
6191 +       asm volatile(LOCK_PREFIX "addq %1,%0\n"
6192 +
6193 +#ifdef CONFIG_PAX_REFCOUNT
6194 +                    "jno 0f\n"
6195 +                    LOCK_PREFIX "subq %1,%0\n"
6196 +                    "int $4\n0:\n"
6197 +                    _ASM_EXTABLE(0b, 0b)
6198 +#endif
6199 +
6200 +                    : "=m" (v->counter)
6201 +                    : "er" (i), "m" (v->counter));
6202 +}
6203 +
6204 +/**
6205 + * atomic64_add_unchecked - add integer to atomic64 variable
6206 + * @i: integer value to add
6207 + * @v: pointer to type atomic64_unchecked_t
6208 + *
6209 + * Atomically adds @i to @v.
6210 + */
6211 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6212 +{
6213         asm volatile(LOCK_PREFIX "addq %1,%0"
6214                      : "=m" (v->counter)
6215                      : "er" (i), "m" (v->counter));
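Review bot: With CONFIG_PAX_REFCOUNT the overflow handling in atomic64_add() is a locked `addq` followed by a separate locked `subq`, so another CPU can observe or act on the wrapped counter between the two instructions. The same pattern is in the atomic64_sub(), atomic64_sub_and_test() and atomic64_add_negative() hunks. That window may be acceptable for a trap-and-report design, but the kernel-doc should say that the undo is best effort rather than atomic. The trap is also spelled `int $4` here although this patch adds `_ASM_INTO` in asm.h for the same purpose.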
6216 @@ -56,7 +102,15 @@ static inline void atomic64_add(long i, 
6217   */
6218  static inline void atomic64_sub(long i, atomic64_t *v)
6219  {
6220 -       asm volatile(LOCK_PREFIX "subq %1,%0"
6221 +       asm volatile(LOCK_PREFIX "subq %1,%0\n"
6222 +
6223 +#ifdef CONFIG_PAX_REFCOUNT
6224 +                    "jno 0f\n"
6225 +                    LOCK_PREFIX "addq %1,%0\n"
6226 +                    "int $4\n0:\n"
6227 +                    _ASM_EXTABLE(0b, 0b)
6228 +#endif
6229 +
6230                      : "=m" (v->counter)
6231                      : "er" (i), "m" (v->counter));
6232  }
6233 @@ -74,7 +128,16 @@ static inline int atomic64_sub_and_test(
6234  {
6235         unsigned char c;
6236  
6237 -       asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6238 +       asm volatile(LOCK_PREFIX "subq %2,%0\n"
6239 +
6240 +#ifdef CONFIG_PAX_REFCOUNT
6241 +                    "jno 0f\n"
6242 +                    LOCK_PREFIX "addq %2,%0\n"
6243 +                    "int $4\n0:\n"
6244 +                    _ASM_EXTABLE(0b, 0b)
6245 +#endif
6246 +
6247 +                    "sete %1\n"
6248                      : "=m" (v->counter), "=qm" (c)
6249                      : "er" (i), "m" (v->counter) : "memory");
6250         return c;
6251 @@ -88,6 +151,31 @@ static inline int atomic64_sub_and_test(
6252   */
6253  static inline void atomic64_inc(atomic64_t *v)
6254  {
6255 +       asm volatile(LOCK_PREFIX "incq %0\n"
6256 +
6257 +#ifdef CONFIG_PAX_REFCOUNT
6258 +                    "jno 0f\n"
6259 +                    "int $4\n0:\n"
6260 +                    ".pushsection .fixup,\"ax\"\n"
6261 +                    "1:\n"
6262 +                    LOCK_PREFIX "decq %0\n"
6263 +                    "jmp 0b\n"
6264 +                    ".popsection\n"
6265 +                    _ASM_EXTABLE(0b, 1b)
6266 +#endif
6267 +
6268 +                    : "=m" (v->counter)
6269 +                    : "m" (v->counter));
6270 +}
6271 +
6272 +/**
6273 + * atomic64_inc_unchecked - increment atomic64 variable
6274 + * @v: pointer to type atomic64_unchecked_t
6275 + *
6276 + * Atomically increments @v by 1.
6277 + */
6278 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6279 +{
6280         asm volatile(LOCK_PREFIX "incq %0"
6281                      : "=m" (v->counter)
6282                      : "m" (v->counter));
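Review bot: atomic64_inc() undoes the overflow only in the `.fixup` stub reached through `_ASM_EXTABLE(0b, 1b)`, that is after `int $4` has been taken, whereas atomic64_add() and atomic64_sub() in the same file revert the counter before trapping. The wrapped value therefore stays visible while the overflow handler runs, and is never undone if the handler does not apply the exception-table fixup (the handler is not part of this hunk). The atomic64_dec(), atomic64_dec_and_test() and atomic64_inc_and_test() hunks share this. Either use one ordering throughout or add a comment explaining why inc/dec differ.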
6283 @@ -101,7 +189,32 @@ static inline void atomic64_inc(atomic64
6284   */
6285  static inline void atomic64_dec(atomic64_t *v)
6286  {
6287 -       asm volatile(LOCK_PREFIX "decq %0"
6288 +       asm volatile(LOCK_PREFIX "decq %0\n"
6289 +
6290 +#ifdef CONFIG_PAX_REFCOUNT
6291 +                    "jno 0f\n"
6292 +                    "int $4\n0:\n"
6293 +                    ".pushsection .fixup,\"ax\"\n"
6294 +                    "1: \n"
6295 +                    LOCK_PREFIX "incq %0\n"
6296 +                    "jmp 0b\n"
6297 +                    ".popsection\n"
6298 +                    _ASM_EXTABLE(0b, 1b)
6299 +#endif
6300 +
6301 +                    : "=m" (v->counter)
6302 +                    : "m" (v->counter));
6303 +}
6304 +
6305 +/**
6306 + * atomic64_dec_unchecked - decrement atomic64 variable
6307 + * @v: pointer to type atomic64_t
6308 + *
6309 + * Atomically decrements @v by 1.
6310 + */
6311 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6312 +{
6313 +       asm volatile(LOCK_PREFIX "decq %0\n"
6314                      : "=m" (v->counter)
6315                      : "m" (v->counter));
6316  }
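Review bot: The kernel-doc for the new atomic64_dec_unchecked() says `@v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *`; it should read `@v: pointer to type atomic64_unchecked_t`. The unchecked body also has a trailing `\n` in `"decq %0\n"` that atomic64_inc_unchecked() does not have; it is harmless, but the two should match.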
6317 @@ -118,7 +231,20 @@ static inline int atomic64_dec_and_test(
6318  {
6319         unsigned char c;
6320  
6321 -       asm volatile(LOCK_PREFIX "decq %0; sete %1"
6322 +       asm volatile(LOCK_PREFIX "decq %0\n"
6323 +
6324 +#ifdef CONFIG_PAX_REFCOUNT
6325 +                    "jno 0f\n"
6326 +                    "int $4\n0:\n"
6327 +                    ".pushsection .fixup,\"ax\"\n"
6328 +                    "1: \n"
6329 +                    LOCK_PREFIX "incq %0\n"
6330 +                    "jmp 0b\n"
6331 +                    ".popsection\n"
6332 +                    _ASM_EXTABLE(0b, 1b)
6333 +#endif
6334 +
6335 +                    "sete %1\n"
6336                      : "=m" (v->counter), "=qm" (c)
6337                      : "m" (v->counter) : "memory");
6338         return c != 0;
6339 @@ -136,7 +262,20 @@ static inline int atomic64_inc_and_test(
6340  {
6341         unsigned char c;
6342  
6343 -       asm volatile(LOCK_PREFIX "incq %0; sete %1"
6344 +       asm volatile(LOCK_PREFIX "incq %0\n"
6345 +
6346 +#ifdef CONFIG_PAX_REFCOUNT
6347 +                    "jno 0f\n"
6348 +                    "int $4\n0:\n"
6349 +                    ".pushsection .fixup,\"ax\"\n"
6350 +                    "1: \n"
6351 +                    LOCK_PREFIX "decq %0\n"
6352 +                    "jmp 0b\n"
6353 +                    ".popsection\n"
6354 +                    _ASM_EXTABLE(0b, 1b)
6355 +#endif
6356 +
6357 +                    "sete %1\n"
6358                      : "=m" (v->counter), "=qm" (c)
6359                      : "m" (v->counter) : "memory");
6360         return c != 0;
6361 @@ -155,7 +294,16 @@ static inline int atomic64_add_negative(
6362  {
6363         unsigned char c;
6364  
6365 -       asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6366 +       asm volatile(LOCK_PREFIX "addq %2,%0\n"
6367 +
6368 +#ifdef CONFIG_PAX_REFCOUNT
6369 +                    "jno 0f\n"
6370 +                    LOCK_PREFIX "subq %2,%0\n"
6371 +                    "int $4\n0:\n"
6372 +                    _ASM_EXTABLE(0b, 0b)
6373 +#endif
6374 +
6375 +                    "sets %1\n"
6376                      : "=m" (v->counter), "=qm" (c)
6377                      : "er" (i), "m" (v->counter) : "memory");
6378         return c;
6379 @@ -171,7 +319,31 @@ static inline int atomic64_add_negative(
6380  static inline long atomic64_add_return(long i, atomic64_t *v)
6381  {
6382         long __i = i;
6383 -       asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6384 +       asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6385 +
6386 +#ifdef CONFIG_PAX_REFCOUNT
6387 +                    "jno 0f\n"
6388 +                    "movq %0, %1\n"
6389 +                    "int $4\n0:\n"
6390 +                    _ASM_EXTABLE(0b, 0b)
6391 +#endif
6392 +
6393 +                    : "+r" (i), "+m" (v->counter)
6394 +                    : : "memory");
6395 +       return i + __i;
6396 +}
6397 +
6398 +/**
6399 + * atomic64_add_return_unchecked - add and return
6400 + * @i: integer value to add
6401 + * @v: pointer to type atomic64_unchecked_t
6402 + *
6403 + * Atomically adds @i to @v and returns @i + @v
6404 + */
6405 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6406 +{
6407 +       long __i = i;
6408 +       asm volatile(LOCK_PREFIX "xaddq %0, %1"
6409                      : "+r" (i), "+m" (v->counter)
6410                      : : "memory");
6411         return i + __i;
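Review bot: In atomic64_add_return the overflow path restores the counter with `movq %0, %1`, a plain store of the value `xaddq` read, so any update another CPU made between the two instructions is overwritten. A locked `subq` of the addend (kept in a separate register, since `%0` is overwritten by `xaddq`) would undo only this CPU's contribution. The function also still returns `i + __i` on that path, i.e. the wrapped sum, although the counter was put back; a comment should say what callers get. atomic_add_return in atomic.h uses the same pattern with `movl %0, %1`.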
6412 @@ -183,6 +355,10 @@ static inline long atomic64_sub_return(l
6413  }
6414  
6415  #define atomic64_inc_return(v)  (atomic64_add_return(1, (v)))
6416 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6417 +{
6418 +       return atomic64_add_return_unchecked(1, v);
6419 +}
6420  #define atomic64_dec_return(v)  (atomic64_sub_return(1, (v)))
6421  
6422  static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6423 @@ -206,17 +382,29 @@ static inline long atomic64_xchg(atomic6
6424   */
6425  static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6426  {
6427 -       long c, old;
6428 +       long c, old, new;
6429         c = atomic64_read(v);
6430         for (;;) {
6431 -               if (unlikely(c == (u)))
6432 +               if (unlikely(c == u))
6433                         break;
6434 -               old = atomic64_cmpxchg((v), c, c + (a));
6435 +
6436 +               asm volatile("add %2,%0\n"
6437 +
6438 +#ifdef CONFIG_PAX_REFCOUNT
6439 +                            "jno 0f\n"
6440 +                            "int $4\n0:\n"
6441 +                            _ASM_EXTABLE(0b, 0b)
6442 +#endif
6443 +
6444 +                            : "=r" (new)
6445 +                            : "0" (c), "ir" (a));
6446 +
6447 +               old = atomic64_cmpxchg(v, c, new);
6448                 if (likely(old == c))
6449                         break;
6450                 c = old;
6451         }
6452 -       return c != (u);
6453 +       return c != u;
6454  }
6455  
6456  #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
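Review bot: On overflow `new` still holds the wrapped sum when execution resumes at label 0, and the following `atomic64_cmpxchg(v, c, new)` stores it, so unlike the other checked operations the counter is not kept at its old value (assuming the `int $4` handler returns here). Adding `"sub %2,%0\n"` before `"int $4\n0:\n"` would leave `new == c` and make the exchange a no-op. Separately, `"ir" (a)` admits immediates that a 64-bit `add` cannot encode; atomic64_add_negative above uses `"er"` for the same kind of operand. atomic_add_unless in atomic.h has the same missing undo.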
6457 diff -urNp linux-2.6.35.5/arch/x86/include/asm/atomic.h linux-2.6.35.5/arch/x86/include/asm/atomic.h
6458 --- linux-2.6.35.5/arch/x86/include/asm/atomic.h        2010-08-26 19:47:12.000000000 -0400
6459 +++ linux-2.6.35.5/arch/x86/include/asm/atomic.h        2010-09-17 20:12:09.000000000 -0400
6460 @@ -26,6 +26,17 @@ static inline int atomic_read(const atom
6461  }
6462  
6463  /**
6464 + * atomic_read_unchecked - read atomic variable
6465 + * @v: pointer of type atomic_unchecked_t
6466 + *
6467 + * Atomically reads the value of @v.
6468 + */
6469 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6470 +{
6471 +       return v->counter;
6472 +}
6473 +
6474 +/**
6475   * atomic_set - set atomic variable
6476   * @v: pointer of type atomic_t
6477   * @i: required value
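Review bot: `atomic_read_unchecked` returns `v->counter` as a plain load, so the compiler may cache or hoist it in a polling loop. If atomic_read above (its body is outside the hunk) goes through a volatile access, the unchecked variant should match, e.g. `return (*(volatile const int *)&(v)->counter);`. Whether `atomic_unchecked_t` already declares `counter` volatile is not visible here.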
6478 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6479  }
6480  
6481  /**
6482 + * atomic_set_unchecked - set atomic variable
6483 + * @v: pointer of type atomic_unchecked_t
6484 + * @i: required value
6485 + *
6486 + * Atomically sets the value of @v to @i.
6487 + */
6488 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6489 +{
6490 +       v->counter = i;
6491 +}
6492 +
6493 +/**
6494   * atomic_add - add integer to atomic variable
6495   * @i: integer value to add
6496   * @v: pointer of type atomic_t
6497 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6498   */
6499  static inline void atomic_add(int i, atomic_t *v)
6500  {
6501 -       asm volatile(LOCK_PREFIX "addl %1,%0"
6502 +       asm volatile(LOCK_PREFIX "addl %1,%0\n"
6503 +
6504 +#ifdef CONFIG_PAX_REFCOUNT
6505 +                    "jno 0f\n"
6506 +                    LOCK_PREFIX "subl %1,%0\n"
6507 +                    _ASM_INTO "\n0:\n"
6508 +                    _ASM_EXTABLE(0b, 0b)
6509 +#endif
6510 +
6511 +                    : "+m" (v->counter)
6512 +                    : "ir" (i));
6513 +}
6514 +
6515 +/**
6516 + * atomic_add_unchecked - add integer to atomic variable
6517 + * @i: integer value to add
6518 + * @v: pointer of type atomic_unchecked_t
6519 + *
6520 + * Atomically adds @i to @v.
6521 + */
6522 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6523 +{
6524 +       asm volatile(LOCK_PREFIX "addl %1,%0\n"
6525                      : "+m" (v->counter)
6526                      : "ir" (i));
6527  }
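Review bot: The kernel-doc for `atomic_add_unchecked` is a copy of the one for `atomic_add` and does not say when the unchecked variant is appropriate. A sentence such as `Wraps silently on overflow; for counters where wraparound is harmless, not for reference counts.` would make the split reviewable at call sites; this reading of the intent is inferred from the CONFIG_PAX_REFCOUNT name. The comment on the checked `atomic_add` could likewise mention that it undoes the add and traps on signed overflow, and that the undo is a second locked instruction, so other CPUs can briefly observe the wrapped value. The same applies to the sub, inc and dec pairs in the following hunks.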
6528 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6529   */
6530  static inline void atomic_sub(int i, atomic_t *v)
6531  {
6532 -       asm volatile(LOCK_PREFIX "subl %1,%0"
6533 +       asm volatile(LOCK_PREFIX "subl %1,%0\n"
6534 +
6535 +#ifdef CONFIG_PAX_REFCOUNT
6536 +                    "jno 0f\n"
6537 +                    LOCK_PREFIX "addl %1,%0\n"
6538 +                    _ASM_INTO "\n0:\n"
6539 +                    _ASM_EXTABLE(0b, 0b)
6540 +#endif
6541 +
6542 +                    : "+m" (v->counter)
6543 +                    : "ir" (i));
6544 +}
6545 +
6546 +/**
6547 + * atomic_sub_unchecked - subtract integer from atomic variable
6548 + * @i: integer value to subtract
6549 + * @v: pointer of type atomic_t
6550 + *
6551 + * Atomically subtracts @i from @v.
6552 + */
6553 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6554 +{
6555 +       asm volatile(LOCK_PREFIX "subl %1,%0\n"
6556                      : "+m" (v->counter)
6557                      : "ir" (i));
6558  }
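Review bot: The kernel-doc for `atomic_sub_unchecked` says `@v: pointer of type atomic_t`, but the parameter is `atomic_unchecked_t *`; the line should read `@v: pointer of type atomic_unchecked_t`. `atomic_dec_unchecked` in the atomic_dec hunk further down has the same line.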
6559 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6560  {
6561         unsigned char c;
6562  
6563 -       asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6564 +       asm volatile(LOCK_PREFIX "subl %2,%0\n"
6565 +
6566 +#ifdef CONFIG_PAX_REFCOUNT
6567 +                    "jno 0f\n"
6568 +                    LOCK_PREFIX "addl %2,%0\n"
6569 +                    _ASM_INTO "\n0:\n"
6570 +                    _ASM_EXTABLE(0b, 0b)
6571 +#endif
6572 +
6573 +                    "sete %1\n"
6574                      : "+m" (v->counter), "=qm" (c)
6575                      : "ir" (i) : "memory");
6576         return c;
6577 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6578   */
6579  static inline void atomic_inc(atomic_t *v)
6580  {
6581 -       asm volatile(LOCK_PREFIX "incl %0"
6582 +       asm volatile(LOCK_PREFIX "incl %0\n"
6583 +
6584 +#ifdef CONFIG_PAX_REFCOUNT
6585 +                    "jno 0f\n"
6586 +                    LOCK_PREFIX "decl %0\n"
6587 +                    _ASM_INTO "\n0:\n"
6588 +                    _ASM_EXTABLE(0b, 0b)
6589 +#endif
6590 +
6591 +                    : "+m" (v->counter));
6592 +}
6593 +
6594 +/**
6595 + * atomic_inc_unchecked - increment atomic variable
6596 + * @v: pointer of type atomic_unchecked_t
6597 + *
6598 + * Atomically increments @v by 1.
6599 + */
6600 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6601 +{
6602 +       asm volatile(LOCK_PREFIX "incl %0\n"
6603                      : "+m" (v->counter));
6604  }
6605  
6606 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6607   */
6608  static inline void atomic_dec(atomic_t *v)
6609  {
6610 -       asm volatile(LOCK_PREFIX "decl %0"
6611 +       asm volatile(LOCK_PREFIX "decl %0\n"
6612 +
6613 +#ifdef CONFIG_PAX_REFCOUNT
6614 +                    "jno 0f\n"
6615 +                    LOCK_PREFIX "incl %0\n"
6616 +                    _ASM_INTO "\n0:\n"
6617 +                    _ASM_EXTABLE(0b, 0b)
6618 +#endif
6619 +
6620 +                    : "+m" (v->counter));
6621 +}
6622 +
6623 +/**
6624 + * atomic_dec_unchecked - decrement atomic variable
6625 + * @v: pointer of type atomic_t
6626 + *
6627 + * Atomically decrements @v by 1.
6628 + */
6629 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6630 +{
6631 +       asm volatile(LOCK_PREFIX "decl %0\n"
6632                      : "+m" (v->counter));
6633  }
6634  
6635 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6636  {
6637         unsigned char c;
6638  
6639 -       asm volatile(LOCK_PREFIX "decl %0; sete %1"
6640 +       asm volatile(LOCK_PREFIX "decl %0\n"
6641 +
6642 +#ifdef CONFIG_PAX_REFCOUNT
6643 +                    "jno 0f\n"
6644 +                    LOCK_PREFIX "incl %0\n"
6645 +                    _ASM_INTO "\n0:\n"
6646 +                    _ASM_EXTABLE(0b, 0b)
6647 +#endif
6648 +
6649 +                    "sete %1\n"
6650                      : "+m" (v->counter), "=qm" (c)
6651                      : : "memory");
6652         return c != 0;
6653 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
6654  {
6655         unsigned char c;
6656  
6657 -       asm volatile(LOCK_PREFIX "incl %0; sete %1"
6658 +       asm volatile(LOCK_PREFIX "incl %0\n"
6659 +
6660 +#ifdef CONFIG_PAX_REFCOUNT
6661 +                    "jno 0f\n"
6662 +                    LOCK_PREFIX "decl %0\n"
6663 +                    _ASM_INTO "\n0:\n"
6664 +                    _ASM_EXTABLE(0b, 0b)
6665 +#endif
6666 +
6667 +                    "sete %1\n"
6668                      : "+m" (v->counter), "=qm" (c)
6669                      : : "memory");
6670         return c != 0;
6671 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
6672  {
6673         unsigned char c;
6674  
6675 -       asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6676 +       asm volatile(LOCK_PREFIX "addl %2,%0\n"
6677 +
6678 +#ifdef CONFIG_PAX_REFCOUNT
6679 +                    "jno 0f\n"
6680 +                    LOCK_PREFIX "subl %2,%0\n"
6681 +                    _ASM_INTO "\n0:\n"
6682 +                    _ASM_EXTABLE(0b, 0b)
6683 +#endif
6684 +
6685 +                    "sets %1\n"
6686                      : "+m" (v->counter), "=qm" (c)
6687                      : "ir" (i) : "memory");
6688         return c;
6689 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int 
6690  #endif
6691         /* Modern 486+ processor */
6692         __i = i;
6693 +       asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6694 +
6695 +#ifdef CONFIG_PAX_REFCOUNT
6696 +                    "jno 0f\n"
6697 +                    "movl %0, %1\n"
6698 +                    _ASM_INTO "\n0:\n"
6699 +                    _ASM_EXTABLE(0b, 0b)
6700 +#endif
6701 +
6702 +                    : "+r" (i), "+m" (v->counter)
6703 +                    : : "memory");
6704 +       return i + __i;
6705 +
6706 +#ifdef CONFIG_M386
6707 +no_xadd: /* Legacy 386 processor */
6708 +       local_irq_save(flags);
6709 +       __i = atomic_read(v);
6710 +       atomic_set(v, i + __i);
6711 +       local_irq_restore(flags);
6712 +       return i + __i;
6713 +#endif
6714 +}
6715 +
6716 +/**
6717 + * atomic_add_return_unchecked - add integer and return
6718 + * @v: pointer of type atomic_unchecked_t
6719 + * @i: integer value to add
6720 + *
6721 + * Atomically adds @i to @v and returns @i + @v
6722 + */
6723 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6724 +{
6725 +       int __i;
6726 +#ifdef CONFIG_M386
6727 +       unsigned long flags;
6728 +       if (unlikely(boot_cpu_data.x86 <= 3))
6729 +               goto no_xadd;
6730 +#endif
6731 +       /* Modern 486+ processor */
6732 +       __i = i;
6733         asm volatile(LOCK_PREFIX "xaddl %0, %1"
6734                      : "+r" (i), "+m" (v->counter)
6735                      : : "memory");
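Review bot: The `no_xadd` path of the checked atomic_add_return stores `i + __i` with `atomic_set` and has no overflow test, so with CONFIG_M386 on a 386-class CPU the CONFIG_PAX_REFCOUNT check is skipped. Either test the sum there before storing, or add a comment such as `/* no overflow detection on the legacy 386 path */`. In the kernel-doc for atomic_add_return_unchecked the `@v` and `@i` lines are in the opposite order to the parameters. The tail of the unchecked function is outside the hunk.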
6736 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int 
6737  }
6738  
6739  #define atomic_inc_return(v)  (atomic_add_return(1, v))
6740 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6741 +{
6742 +       return atomic_add_return_unchecked(1, v);
6743 +}
6744  #define atomic_dec_return(v)  (atomic_sub_return(1, v))
6745  
6746  static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6747 @@ -231,17 +418,29 @@ static inline int atomic_xchg(atomic_t *
6748   */
6749  static inline int atomic_add_unless(atomic_t *v, int a, int u)
6750  {
6751 -       int c, old;
6752 +       int c, old, new;
6753         c = atomic_read(v);
6754         for (;;) {
6755 -               if (unlikely(c == (u)))
6756 +               if (unlikely(c == u))
6757                         break;
6758 -               old = atomic_cmpxchg((v), c, c + (a));
6759 +
6760 +               asm volatile("addl %2,%0\n"
6761 +
6762 +#ifdef CONFIG_PAX_REFCOUNT
6763 +                            "jno 0f\n"
6764 +                            _ASM_INTO "\n0:\n"
6765 +                            _ASM_EXTABLE(0b, 0b)
6766 +#endif
6767 +
6768 +                            : "=r" (new)
6769 +                            : "0" (c), "ir" (a));
6770 +
6771 +               old = atomic_cmpxchg(v, c, new);
6772                 if (likely(old == c))
6773                         break;
6774                 c = old;
6775         }
6776 -       return c != (u);
6777 +       return c != u;
6778  }
6779  
6780  #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6781 diff -urNp linux-2.6.35.5/arch/x86/include/asm/boot.h linux-2.6.35.5/arch/x86/include/asm/boot.h
6782 --- linux-2.6.35.5/arch/x86/include/asm/boot.h  2010-08-26 19:47:12.000000000 -0400
6783 +++ linux-2.6.35.5/arch/x86/include/asm/boot.h  2010-09-17 20:12:09.000000000 -0400
6784 @@ -11,10 +11,15 @@
6785  #include <asm/pgtable_types.h>
6786  
6787  /* Physical address where kernel should be loaded. */
6788 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6789 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6790                                 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6791                                 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6792  
6793 +#ifndef __ASSEMBLY__
6794 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6795 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6796 +#endif
6797 +
6798  /* Minimum kernel alignment, as a power of two */
6799  #ifdef CONFIG_X86_64
6800  #define MIN_KERNEL_ALIGN_LG2   PMD_SHIFT
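Review bot: `LOAD_PHYSICAL_ADDR` changes from a preprocessor constant to the address of the extern symbol `__LOAD_PHYSICAL_ADDR`, and is defined only when `__ASSEMBLY__` is not set, with no comment. Any remaining use in assembly, in a linker script or in an `#if` would now see it undefined (in `#if`, silently 0), and C uses are no longer compile-time constants. A comment such as `/* link-time value; use ____LOAD_PHYSICAL_ADDR where a constant is required */` above the `#ifndef` would make that explicit. Where the symbol is defined is not visible in this hunk.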
6801 diff -urNp linux-2.6.35.5/arch/x86/include/asm/cacheflush.h linux-2.6.35.5/arch/x86/include/asm/cacheflush.h
6802 --- linux-2.6.35.5/arch/x86/include/asm/cacheflush.h    2010-08-26 19:47:12.000000000 -0400
6803 +++ linux-2.6.35.5/arch/x86/include/asm/cacheflush.h    2010-09-17 20:12:09.000000000 -0400
6804 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
6805         unsigned long pg_flags = pg->flags & _PGMT_MASK;
6806  
6807         if (pg_flags == _PGMT_DEFAULT)
6808 -               return -1;
6809 +               return ~0UL;
6810         else if (pg_flags == _PGMT_WC)
6811                 return _PAGE_CACHE_WC;
6812         else if (pg_flags == _PGMT_UC_MINUS)
6813 diff -urNp linux-2.6.35.5/arch/x86/include/asm/cache.h linux-2.6.35.5/arch/x86/include/asm/cache.h
6814 --- linux-2.6.35.5/arch/x86/include/asm/cache.h 2010-08-26 19:47:12.000000000 -0400
6815 +++ linux-2.6.35.5/arch/x86/include/asm/cache.h 2010-09-17 20:12:09.000000000 -0400
6816 @@ -8,6 +8,7 @@
6817  #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
6818  
6819  #define __read_mostly __attribute__((__section__(".data..read_mostly")))
6820 +#define __read_only __attribute__((__section__(".data..read_only")))
6821  
6822  #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
6823  #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
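Review bot: `__read_only` only names a section; nothing in this hunk makes `.data..read_only` read-only, so the name promises more than the line delivers on its own. A comment such as `/* placed in .data..read_only; write protection comes from the linker script and page tables */` would tell users what to expect. Which configurations actually map the section read-only is not visible here.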
6824 diff -urNp linux-2.6.35.5/arch/x86/include/asm/checksum_32.h linux-2.6.35.5/arch/x86/include/asm/checksum_32.h
6825 --- linux-2.6.35.5/arch/x86/include/asm/checksum_32.h   2010-08-26 19:47:12.000000000 -0400
6826 +++ linux-2.6.35.5/arch/x86/include/asm/checksum_32.h   2010-09-17 20:12:09.000000000 -0400
6827 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
6828                                             int len, __wsum sum,
6829                                             int *src_err_ptr, int *dst_err_ptr);
6830  
6831 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
6832 +                                                 int len, __wsum sum,
6833 +                                                 int *src_err_ptr, int *dst_err_ptr);
6834 +
6835 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
6836 +                                                 int len, __wsum sum,
6837 +                                                 int *src_err_ptr, int *dst_err_ptr);
6838 +
6839  /*
6840   *     Note: when you get a NULL pointer exception here this means someone
6841   *     passed in an incorrect kernel address to one of these functions.
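Review bot: The new prototypes `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` declare both pointers as plain `void *`, so sparse cannot tell which side is the user buffer and the callers below keep their `__force` casts. Declaring `void __user *dst` for the to_user variant and `const void __user *src` for the from_user variant would let the casts go and have the address space checked. A one-line comment on how the two differ from csum_partial_copy_generic would also help, since the implementations are not in this header.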
6842 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
6843                                                  int *err_ptr)
6844  {
6845         might_sleep();
6846 -       return csum_partial_copy_generic((__force void *)src, dst,
6847 +       return csum_partial_copy_generic_from_user((__force void *)src, dst,
6848                                          len, sum, err_ptr, NULL);
6849  }
6850  
6851 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
6852  {
6853         might_sleep();
6854         if (access_ok(VERIFY_WRITE, dst, len))
6855 -               return csum_partial_copy_generic(src, (__force void *)dst,
6856 +               return csum_partial_copy_generic_to_user(src, (__force void *)dst,
6857                                                  len, sum, NULL, err_ptr);
6858  
6859         if (len)
6860 diff -urNp linux-2.6.35.5/arch/x86/include/asm/cpufeature.h linux-2.6.35.5/arch/x86/include/asm/cpufeature.h
6861 --- linux-2.6.35.5/arch/x86/include/asm/cpufeature.h    2010-08-26 19:47:12.000000000 -0400
6862 +++ linux-2.6.35.5/arch/x86/include/asm/cpufeature.h    2010-09-17 20:12:09.000000000 -0400
6863 @@ -323,7 +323,7 @@ static __always_inline __pure bool __sta
6864                              " .byte 4f - 3f\n"         /* replacement len */
6865                              " .byte 0xff + (4f-3f) - (2b-1b)\n" /* padding */
6866                              ".previous\n"
6867 -                            ".section .altinstr_replacement,\"ax\"\n"
6868 +                            ".section .altinstr_replacement,\"a\"\n"
6869                              "3: movb $1,%0\n"
6870                              "4:\n"
6871                              ".previous\n"
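Review bot: The flag change from `"ax"` to `"a"` on `.altinstr_replacement` has no comment, and assemblers complain when the same section is declared with different flags. Any other `.section .altinstr_replacement` declaration needs the same flags, which cannot be checked from this hunk. A short comment, e.g. `/* replacement bytes are copied over the original site, never run in place */`, would record why execute permission is dropped; that rationale is inferred. The enclosing function starts and ends outside the hunk.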
6872 diff -urNp linux-2.6.35.5/arch/x86/include/asm/desc.h linux-2.6.35.5/arch/x86/include/asm/desc.h
6873 --- linux-2.6.35.5/arch/x86/include/asm/desc.h  2010-08-26 19:47:12.000000000 -0400
6874 +++ linux-2.6.35.5/arch/x86/include/asm/desc.h  2010-09-17 20:12:09.000000000 -0400
6875 @@ -4,6 +4,7 @@
6876  #include <asm/desc_defs.h>
6877  #include <asm/ldt.h>
6878  #include <asm/mmu.h>
6879 +#include <asm/pgtable.h>
6880  #include <linux/smp.h>
6881  
6882  static inline void fill_ldt(struct desc_struct *desc,
6883 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
6884         desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
6885         desc->type = (info->read_exec_only ^ 1) << 1;
6886         desc->type |= info->contents << 2;
6887 +       desc->type |= info->seg_not_present ^ 1;
6888         desc->s = 1;
6889         desc->dpl = 0x3;
6890         desc->p = info->seg_not_present ^ 1;
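Review bot: `desc->type |= info->seg_not_present ^ 1;` sets bit 0 of the type field for every present descriptor, without a comment. For code and data descriptors that bit is the Accessed flag, so this presumably pre-sets it so the CPU does not have to write it into a table that is mapped read-only. A comment saying so, e.g. `/* pre-set Accessed: the descriptor table may be read-only */`, would keep the line from being removed as redundant with `desc->p` below. fill_ldt starts and ends outside the hunk.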
6891 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
6892  }
6893  
6894  extern struct desc_ptr idt_descr;
6895 -extern gate_desc idt_table[];
6896 -
6897 -struct gdt_page {
6898 -       struct desc_struct gdt[GDT_ENTRIES];
6899 -} __attribute__((aligned(PAGE_SIZE)));
6900 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
6901 +extern gate_desc idt_table[256];
6902  
6903 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
6904  static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
6905  {
6906 -       return per_cpu(gdt_page, cpu).gdt;
6907 +       return cpu_gdt_table[cpu];
6908  }
6909  
6910  #ifdef CONFIG_X86_64
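Review bot: `idt_table[256]` hard-codes the vector count; if `IDT_ENTRIES` is in scope in this header it would be the clearer bound. `cpu_gdt_table` is sized `PAGE_SIZE / sizeof(struct desc_struct)` per CPU rather than `GDT_ENTRIES`, which presumably pads each table to a full page so it can be protected on its own; a one-line comment on the declaration should say that. The extern also sits directly against get_cpu_gdt_table with no blank line between them.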
6911 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
6912  static inline void native_write_idt_entry(gate_desc *idt, int entry,
6913                                           const gate_desc *gate)
6914  {
6915 +       pax_open_kernel();
6916         memcpy(&idt[entry], gate, sizeof(*gate));
6917 +       pax_close_kernel();
6918  }
6919  
6920  static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
6921                                           const void *desc)
6922  {
6923 +       pax_open_kernel();
6924         memcpy(&ldt[entry], desc, 8);
6925 +       pax_close_kernel();
6926  }
6927  
6928  static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
6929                                           const void *desc, int type)
6930  {
6931         unsigned int size;
6932 +
6933         switch (type) {
6934         case DESC_TSS:
6935                 size = sizeof(tss_desc);
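Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pairs in native_write_idt_entry and native_write_ldt_entry carry no comment on what they do or what they require of the caller. Since `entry` is not range-checked in these helpers, the write happens with kernel write protection lifted, so the contract is worth stating once, e.g. `/* descriptor tables may be read-only; keep the open/close window to the single write */`. Whether the pair disables preemption or can nest is not visible here. The same pairs appear in native_write_gdt_entry, native_load_tr_desc and native_load_tls in the following hunks; native_write_gdt_entry continues past this hunk.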
6936 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
6937                 size = sizeof(struct desc_struct);
6938                 break;
6939         }
6940 +
6941 +       pax_open_kernel();
6942         memcpy(&gdt[entry], desc, size);
6943 +       pax_close_kernel();
6944  }
6945  
6946  static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
6947 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const 
6948  
6949  static inline void native_load_tr_desc(void)
6950  {
6951 +       pax_open_kernel();
6952         asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
6953 +       pax_close_kernel();
6954  }
6955  
6956  static inline void native_load_gdt(const struct desc_ptr *dtr)
6957 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
6958         unsigned int i;
6959         struct desc_struct *gdt = get_cpu_gdt_table(cpu);
6960  
6961 +       pax_open_kernel();
6962         for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
6963                 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
6964 +       pax_close_kernel();
6965  }
6966  
6967  #define _LDT_empty(info)                               \
6968 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
6969         desc->limit = (limit >> 16) & 0xf;
6970  }
6971  
6972 -static inline void _set_gate(int gate, unsigned type, void *addr,
6973 +static inline void _set_gate(int gate, unsigned type, const void *addr,
6974                              unsigned dpl, unsigned ist, unsigned seg)
6975  {
6976         gate_desc s;
6977 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
6978   * Pentium F0 0F bugfix can have resulted in the mapped
6979   * IDT being write-protected.
6980   */
6981 -static inline void set_intr_gate(unsigned int n, void *addr)
6982 +static inline void set_intr_gate(unsigned int n, const void *addr)
6983  {
6984         BUG_ON((unsigned)n > 0xFF);
6985         _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
6986 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
6987  /*
6988   * This routine sets up an interrupt gate at directory privilege level 3.
6989   */
6990 -static inline void set_system_intr_gate(unsigned int n, void *addr)
6991 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
6992  {
6993         BUG_ON((unsigned)n > 0xFF);
6994         _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
6995  }
6996  
6997 -static inline void set_system_trap_gate(unsigned int n, void *addr)
6998 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
6999  {
7000         BUG_ON((unsigned)n > 0xFF);
7001         _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7002  }
7003  
7004 -static inline void set_trap_gate(unsigned int n, void *addr)
7005 +static inline void set_trap_gate(unsigned int n, const void *addr)
7006  {
7007         BUG_ON((unsigned)n > 0xFF);
7008         _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7009 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7010  static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7011  {
7012         BUG_ON((unsigned)n > 0xFF);
7013 -       _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7014 +       _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7015  }
7016  
7017 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7018 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7019  {
7020         BUG_ON((unsigned)n > 0xFF);
7021         _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7022  }
7023  
7024 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7025 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7026  {
7027         BUG_ON((unsigned)n > 0xFF);
7028         _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7029  }
7030  
7031 +#ifdef CONFIG_X86_32
7032 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7033 +{
7034 +       struct desc_struct d;
7035 +
7036 +       if (likely(limit))
7037 +               limit = (limit - 1UL) >> PAGE_SHIFT;
7038 +       pack_descriptor(&d, base, limit, 0xFB, 0xC);
7039 +       write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7040 +}
7041 +#endif
7042 +
7043  #endif /* _ASM_X86_DESC_H */
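Review bot: `set_user_cs` passes the bare constants `0xFB` and `0xC` to pack_descriptor; a comment naming the fields would help, e.g. `/* type 0xFB: present, DPL 3, code, readable, accessed; flags 0xC: 4 KiB granularity, 32-bit */`. With `limit == 0` the descriptor gets limit 0 with page granularity, which still spans one page rather than nothing; if that case is meant to be unreachable, the comment should say so. The field decoding comes from the x86 descriptor format, not from this hunk, so confirm it against pack_descriptor.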
7044 diff -urNp linux-2.6.35.5/arch/x86/include/asm/device.h linux-2.6.35.5/arch/x86/include/asm/device.h
7045 --- linux-2.6.35.5/arch/x86/include/asm/device.h        2010-08-26 19:47:12.000000000 -0400
7046 +++ linux-2.6.35.5/arch/x86/include/asm/device.h        2010-09-17 20:12:09.000000000 -0400
7047 @@ -6,7 +6,7 @@ struct dev_archdata {
7048         void    *acpi_handle;
7049  #endif
7050  #ifdef CONFIG_X86_64
7051 -struct dma_map_ops *dma_ops;
7052 +       const struct dma_map_ops *dma_ops;
7053  #endif
7054  #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7055         void *iommu; /* hook for IOMMU specific extension */
7056 diff -urNp linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h
7057 --- linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h   2010-08-26 19:47:12.000000000 -0400
7058 +++ linux-2.6.35.5/arch/x86/include/asm/dma-mapping.h   2010-09-17 20:12:09.000000000 -0400
7059 @@ -26,9 +26,9 @@ extern int iommu_merge;
7060  extern struct device x86_dma_fallback_dev;
7061  extern int panic_on_overflow;
7062  
7063 -extern struct dma_map_ops *dma_ops;
7064 +extern const struct dma_map_ops *dma_ops;
7065  
7066 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7067 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7068  {
7069  #ifdef CONFIG_X86_32
7070         return dma_ops;
7071 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7072  /* Make sure we keep the same behaviour */
7073  static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7074  {
7075 -       struct dma_map_ops *ops = get_dma_ops(dev);
7076 +       const struct dma_map_ops *ops = get_dma_ops(dev);
7077         if (ops->mapping_error)
7078                 return ops->mapping_error(dev, dma_addr);
7079  
7080 @@ -123,7 +123,7 @@ static inline void *
7081  dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7082                 gfp_t gfp)
7083  {
7084 -       struct dma_map_ops *ops = get_dma_ops(dev);
7085 +       const struct dma_map_ops *ops = get_dma_ops(dev);
7086         void *memory;
7087  
7088         gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7089 @@ -150,7 +150,7 @@ dma_alloc_coherent(struct device *dev, s
7090  static inline void dma_free_coherent(struct device *dev, size_t size,
7091                                      void *vaddr, dma_addr_t bus)
7092  {
7093 -       struct dma_map_ops *ops = get_dma_ops(dev);
7094 +       const struct dma_map_ops *ops = get_dma_ops(dev);
7095  
7096         WARN_ON(irqs_disabled());       /* for portability */
7097  
7098 diff -urNp linux-2.6.35.5/arch/x86/include/asm/e820.h linux-2.6.35.5/arch/x86/include/asm/e820.h
7099 --- linux-2.6.35.5/arch/x86/include/asm/e820.h  2010-08-26 19:47:12.000000000 -0400
7100 +++ linux-2.6.35.5/arch/x86/include/asm/e820.h  2010-09-17 20:12:09.000000000 -0400
7101 @@ -69,7 +69,7 @@ struct e820map {
7102  #define ISA_START_ADDRESS      0xa0000
7103  #define ISA_END_ADDRESS                0x100000
7104  
7105 -#define BIOS_BEGIN             0x000a0000
7106 +#define BIOS_BEGIN             0x000c0000
7107  #define BIOS_END               0x00100000
7108  
7109  #ifdef __KERNEL__
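Review bot: Moving `BIOS_BEGIN` from `0x000a0000` to `0x000c0000` takes the range 0xa0000-0xbffff out of whatever is keyed on this macro, while `ISA_START_ADDRESS` just above stays at `0xa0000`, and there is no comment. The users of `BIOS_BEGIN` are outside this hunk, so the effect cannot be checked here. A comment such as `/* excludes the legacy video range 0xa0000-0xbffff */` would record the intent, if that is the intent.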
7110 diff -urNp linux-2.6.35.5/arch/x86/include/asm/elf.h linux-2.6.35.5/arch/x86/include/asm/elf.h
7111 --- linux-2.6.35.5/arch/x86/include/asm/elf.h   2010-08-26 19:47:12.000000000 -0400
7112 +++ linux-2.6.35.5/arch/x86/include/asm/elf.h   2010-09-17 20:12:09.000000000 -0400
7113 @@ -237,7 +237,25 @@ extern int force_personality32;
7114     the loader.  We need to make sure that it is out of the way of the program
7115     that it will "exec", and that there is sufficient room for the brk.  */
7116  
7117 +#ifdef CONFIG_PAX_SEGMEXEC
7118 +#define ELF_ET_DYN_BASE                ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7119 +#else
7120  #define ELF_ET_DYN_BASE                (TASK_SIZE / 3 * 2)
7121 +#endif
7122 +
7123 +#ifdef CONFIG_PAX_ASLR
7124 +#ifdef CONFIG_X86_32
7125 +#define PAX_ELF_ET_DYN_BASE    0x10000000UL
7126 +
7127 +#define PAX_DELTA_MMAP_LEN     (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7128 +#define PAX_DELTA_STACK_LEN    (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7129 +#else
7130 +#define PAX_ELF_ET_DYN_BASE    0x400000UL
7131 +
7132 +#define PAX_DELTA_MMAP_LEN     ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7133 +#define PAX_DELTA_STACK_LEN    ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7134 +#endif
7135 +#endif
7136  
7137  /* This yields a mask that user programs can use to figure out what
7138     instruction set this CPU supports.  This could be done in user space,
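Review bot: The 32-bit `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` test `MF_PAX_SEGMEXEC` under `CONFIG_PAX_ASLR` alone, whereas `ELF_ET_DYN_BASE` just above guards the same test with `#ifdef CONFIG_PAX_SEGMEXEC`; this compiles only if the flag is defined unconditionally, which is not visible here. The macros also dereference `current->mm` without a check, so they are only safe where a user mm is present. A comment giving the unit of the `*_LEN` values (presumably bits of randomisation) and that precondition would help, e.g. `/* number of random bits; caller must have current->mm */`.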
7139 @@ -291,8 +309,7 @@ do {                                                                        \
7140  #define ARCH_DLINFO                                                    \
7141  do {                                                                   \
7142         if (vdso_enabled)                                               \
7143 -               NEW_AUX_ENT(AT_SYSINFO_EHDR,                            \
7144 -                           (unsigned long)current->mm->context.vdso);  \
7145 +               NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7146  } while (0)
7147  
7148  #define AT_SYSINFO             32
7149 @@ -303,7 +320,7 @@ do {                                                                        \
7150  
7151  #endif /* !CONFIG_X86_32 */
7152  
7153 -#define VDSO_CURRENT_BASE      ((unsigned long)current->mm->context.vdso)
7154 +#define VDSO_CURRENT_BASE      (current->mm->context.vdso)
7155  
7156  #define VDSO_ENTRY                                                     \
7157         ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7158 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7159  extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7160  #define compat_arch_setup_additional_pages     syscall32_setup_pages
7161  
7162 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7163 -#define arch_randomize_brk arch_randomize_brk
7164 -
7165  #endif /* _ASM_X86_ELF_H */
7166 diff -urNp linux-2.6.35.5/arch/x86/include/asm/futex.h linux-2.6.35.5/arch/x86/include/asm/futex.h
7167 --- linux-2.6.35.5/arch/x86/include/asm/futex.h 2010-08-26 19:47:12.000000000 -0400
7168 +++ linux-2.6.35.5/arch/x86/include/asm/futex.h 2010-09-17 20:12:09.000000000 -0400
7169 @@ -11,17 +11,54 @@
7170  #include <asm/processor.h>
7171  #include <asm/system.h>
7172  
7173 +#ifdef CONFIG_X86_32
7174  #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg)    \
7175 +       asm volatile(                                           \
7176 +                    "movw\t%w6, %%ds\n"                        \
7177 +                    "1:\t" insn "\n"                           \
7178 +                    "2:\tpushl\t%%ss\n"                        \
7179 +                    "\tpopl\t%%ds\n"                           \
7180 +                    "\t.section .fixup,\"ax\"\n"               \
7181 +                    "3:\tmov\t%3, %1\n"                        \
7182 +                    "\tjmp\t2b\n"                              \
7183 +                    "\t.previous\n"                            \
7184 +                    _ASM_EXTABLE(1b, 3b)                       \
7185 +                    : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7186 +                    : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7187 +
7188 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg)    \
7189 +       asm volatile("movw\t%w7, %%es\n"                        \
7190 +                    "1:\tmovl\t%%es:%2, %0\n"                  \
7191 +                    "\tmovl\t%0, %3\n"                         \
7192 +                    "\t" insn "\n"                             \
7193 +                    "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7194 +                    "\tjnz\t1b\n"                              \
7195 +                    "3:\tpushl\t%%ss\n"                        \
7196 +                    "\tpopl\t%%es\n"                           \
7197 +                    "\t.section .fixup,\"ax\"\n"               \
7198 +                    "4:\tmov\t%5, %1\n"                        \
7199 +                    "\tjmp\t3b\n"                              \
7200 +                    "\t.previous\n"                            \
7201 +                    _ASM_EXTABLE(1b, 4b)                       \
7202 +                    _ASM_EXTABLE(2b, 4b)                       \
7203 +                    : "=&a" (oldval), "=&r" (ret),             \
7204 +                      "+m" (*uaddr), "=&r" (tem)               \
7205 +                    : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7206 +#else
7207 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg)    \
7208 +       typecheck(u32 *, uaddr);                                \
7209         asm volatile("1:\t" insn "\n"                           \
7210                      "2:\t.section .fixup,\"ax\"\n"             \
7211                      "3:\tmov\t%3, %1\n"                        \
7212                      "\tjmp\t2b\n"                              \
7213                      "\t.previous\n"                            \
7214                      _ASM_EXTABLE(1b, 3b)                       \
7215 -                    : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7216 +                    : "=r" (oldval), "=r" (ret),               \
7217 +                      "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7218                      : "i" (-EFAULT), "0" (oparg), "1" (0))
7219  
7220  #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg)    \
7221 +       typecheck(u32 *, uaddr);                                \
7222         asm volatile("1:\tmovl  %2, %0\n"                       \
7223                      "\tmovl\t%0, %3\n"                         \
7224                      "\t" insn "\n"                             \
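Review bot: In the 64-bit branch, `typecheck(u32 *, uaddr);` followed by `asm volatile(...)` makes `__futex_atomic_op1` and `__futex_atomic_op2` two-statement macros, so under an unbraced `if` only the typecheck would be conditional. The call sites visible in this patch sit under `case` labels, so the hazard is latent, but wrapping each body in `do { ... } while (0)` would remove it. The 32-bit variants get no `typecheck` at all and would benefit from the same line. The `PAX_USER_SHADOW_BASE / 4` offset is only right because `uaddr` is a `u32 *`; a comment such as `/* uaddr is u32 *: "/ 4" turns the byte offset into an element offset */` would record that. The body of `__futex_atomic_op2` continues in the next hunk, which carries the same operand change.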
7225 @@ -34,10 +71,12 @@
7226                      _ASM_EXTABLE(1b, 4b)                       \
7227                      _ASM_EXTABLE(2b, 4b)                       \
7228                      : "=&a" (oldval), "=&r" (ret),             \
7229 -                      "+m" (*uaddr), "=&r" (tem)               \
7230 +                      "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7231 +                      "=&r" (tem)                              \
7232                      : "r" (oparg), "i" (-EFAULT), "1" (0))
7233 +#endif
7234  
7235 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7236 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7237  {
7238         int op = (encoded_op >> 28) & 7;
7239         int cmp = (encoded_op >> 24) & 15;
7240 @@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
7241  
7242         switch (op) {
7243         case FUTEX_OP_SET:
7244 +#ifdef CONFIG_X86_32
7245 +               __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7246 +#else
7247                 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7248 +#endif
7249                 break;
7250         case FUTEX_OP_ADD:
7251 +#ifdef CONFIG_X86_32
7252 +               __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7253 +                                  uaddr, oparg);
7254 +#else
7255                 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7256                                    uaddr, oparg);
7257 +#endif
7258                 break;
7259         case FUTEX_OP_OR:
7260                 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
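Review bot: The `#ifdef CONFIG_X86_32` / `#else` pair around each `__futex_atomic_op1` call repeats the whole instruction string just to add a `%%ds:` override, and the two copies can drift apart. A single prefix macro defined next to the 32-bit/64-bit macro split (name is a suggestion), `#define __FUTEX_SEG "%%ds:"` on 32-bit and `""` otherwise, would let `FUTEX_OP_SET` be written once as `__futex_atomic_op1("xchgl %0, " __FUTEX_SEG "%2", ret, oldval, uaddr, oparg);`. The `switch` continues outside this hunk.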
7261 @@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
7262         return ret;
7263  }
7264  
7265 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7266 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7267                                                 int newval)
7268  {
7269  
7270 @@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7271                 return -ENOSYS;
7272  #endif
7273  
7274 -       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7275 +       if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7276                 return -EFAULT;
7277  
7278 -       asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7279 -                    "2:\t.section .fixup, \"ax\"\n"
7280 +       asm volatile(
7281 +#ifdef CONFIG_X86_32
7282 +                    "\tmovw %w5, %%ds\n"
7283 +                    "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
7284 +                    "2:\tpushl   %%ss\n"
7285 +                    "\tpopl    %%ds\n"
7286 +#else
7287 +                    "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7288 +                    "2:\n"
7289 +#endif
7290 +                    "\t.section .fixup, \"ax\"\n"
7291                      "3:\tmov     %2, %0\n"
7292                      "\tjmp     2b\n"
7293                      "\t.previous\n"
7294                      _ASM_EXTABLE(1b, 3b)
7295 +#ifdef CONFIG_X86_32
7296                      : "=a" (oldval), "+m" (*uaddr)
7297 +                    : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7298 +#else
7299 +                    : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
7300                      : "i" (-EFAULT), "r" (newval), "0" (oldval)
7301 +#endif
7302                      : "memory"
7303         );
7304  
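Review bot: The 64-bit operand `*(uaddr + PAX_USER_SHADOW_BASE / 4)` rebases the user pointer unconditionally, while the i387.h hunks in this patch guard the same rebase with `CONFIG_PAX_MEMORY_UDEREF` and a `< PAX_USER_SHADOW_BASE` test. The definition of `PAX_USER_SHADOW_BASE` is not visible here. Presumably it is 0 without UDEREF and the `access_ok()` above keeps `uaddr` below the shadow base, but neither assumption is written down. A comment on the operand such as `/* access_ok() above bounds uaddr, so the shadow rebase cannot wrap */`, or the same explicit guard as in i387.h, would make the invariant checkable. The function's tail is outside the hunk.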
7305 diff -urNp linux-2.6.35.5/arch/x86/include/asm/i387.h linux-2.6.35.5/arch/x86/include/asm/i387.h
7306 --- linux-2.6.35.5/arch/x86/include/asm/i387.h  2010-08-26 19:47:12.000000000 -0400
7307 +++ linux-2.6.35.5/arch/x86/include/asm/i387.h  2010-09-17 20:12:09.000000000 -0400
7308 @@ -77,6 +77,11 @@ static inline int fxrstor_checking(struc
7309  {
7310         int err;
7311  
7312 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7313 +       if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7314 +               fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7315 +#endif
7316 +
7317         asm volatile("1:  rex64/fxrstor (%[fx])\n\t"
7318                      "2:\n"
7319                      ".section .fixup,\"ax\"\n"
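Review bot: The three-line shadow rebase added to `fxrstor_checking` here is repeated in `fxsave_user` in the next hunk, differing only in the `__user` annotation on the casts; a small shared helper or macro would keep the two in step. Nothing explains why `(unsigned long)fx < PAX_USER_SHADOW_BASE` is the right test. A comment such as `/* userland address: redirect to its shadow mapping under UDEREF */` would help; that reading is inferred, since the callers are outside the hunk.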
7320 @@ -127,6 +132,11 @@ static inline int fxsave_user(struct i38
7321  {
7322         int err;
7323  
7324 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7325 +       if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7326 +               fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7327 +#endif
7328 +
7329         asm volatile("1:  rex64/fxsave (%[fx])\n\t"
7330                      "2:\n"
7331                      ".section .fixup,\"ax\"\n"
7332 @@ -220,13 +230,8 @@ static inline int fxrstor_checking(struc
7333  }
7334  
7335  /* We need a safe address that is cheap to find and that is already
7336 -   in L1 during context switch. The best choices are unfortunately
7337 -   different for UP and SMP */
7338 -#ifdef CONFIG_SMP
7339 -#define safe_address (__per_cpu_offset[0])
7340 -#else
7341 -#define safe_address (kstat_cpu(0).cpustat.user)
7342 -#endif
7343 +   in L1 during context switch. */
7344 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7345  
7346  /*
7347   * These must be called with preempt disabled
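Review bot: `safe_address` now expands to `init_tss[smp_processor_id()].x86_tss.sp0`, so every use needs preemption disabled, otherwise the CPU index can be stale by the time the TSS slot is read. The retained comment below says the following functions must be called with preempt disabled, but the users of `safe_address` are outside this hunk, so that needs confirming for each of them. The comment above the macro could say it directly: `/* Uses smp_processor_id(): callers must have preemption disabled. */`.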
7348 diff -urNp linux-2.6.35.5/arch/x86/include/asm/io.h linux-2.6.35.5/arch/x86/include/asm/io.h
7349 --- linux-2.6.35.5/arch/x86/include/asm/io.h    2010-08-26 19:47:12.000000000 -0400
7350 +++ linux-2.6.35.5/arch/x86/include/asm/io.h    2010-09-17 20:12:09.000000000 -0400
7351 @@ -213,6 +213,17 @@ extern void iounmap(volatile void __iome
7352  
7353  #include <linux/vmalloc.h>
7354  
7355 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7356 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7357 +{
7358 +       return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7359 +}
7360 +
7361 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7362 +{
7363 +       return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7364 +}
7365 +
7366  /*
7367   * Convert a virtual cached pointer to an uncached pointer
7368   */
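Review bot: Both new helpers compute the limit as `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` with an `int` constant, so the shift is undefined once the count reaches 31, which wide physical address sizes on 64-bit can do. Separately, `addr + count + PAGE_SIZE - 1` and `pfn + (count >> PAGE_SHIFT)` can wrap, which would make an out-of-range request compare as small and pass. Using `1ULL << (...)` for the limit and rejecting wraparound first, e.g. `if (addr + count < addr) return 0;`, addresses both. `valid_mmap_phys_addr_range` also rounds `count >> PAGE_SHIFT` down, so a partial final page is not counted against the limit.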
7369 diff -urNp linux-2.6.35.5/arch/x86/include/asm/iommu.h linux-2.6.35.5/arch/x86/include/asm/iommu.h
7370 --- linux-2.6.35.5/arch/x86/include/asm/iommu.h 2010-08-26 19:47:12.000000000 -0400
7371 +++ linux-2.6.35.5/arch/x86/include/asm/iommu.h 2010-09-17 20:12:09.000000000 -0400
7372 @@ -1,7 +1,7 @@
7373  #ifndef _ASM_X86_IOMMU_H
7374  #define _ASM_X86_IOMMU_H
7375  
7376 -extern struct dma_map_ops nommu_dma_ops;
7377 +extern const struct dma_map_ops nommu_dma_ops;
7378  extern int force_iommu, no_iommu;
7379  extern int iommu_detected;
7380  extern int iommu_pass_through;
7381 diff -urNp linux-2.6.35.5/arch/x86/include/asm/irqflags.h linux-2.6.35.5/arch/x86/include/asm/irqflags.h
7382 --- linux-2.6.35.5/arch/x86/include/asm/irqflags.h      2010-08-26 19:47:12.000000000 -0400
7383 +++ linux-2.6.35.5/arch/x86/include/asm/irqflags.h      2010-09-17 20:12:09.000000000 -0400
7384 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
7385         sti;                                    \
7386         sysexit
7387  
7388 +#define GET_CR0_INTO_RDI               mov %cr0, %rdi
7389 +#define SET_RDI_INTO_CR0               mov %rdi, %cr0
7390 +#define GET_CR3_INTO_RDI               mov %cr3, %rdi
7391 +#define SET_RDI_INTO_CR3               mov %rdi, %cr3
7392 +
7393  #else
7394  #define INTERRUPT_RETURN               iret
7395  #define ENABLE_INTERRUPTS_SYSEXIT      sti; sysexit
7396 diff -urNp linux-2.6.35.5/arch/x86/include/asm/kvm_host.h linux-2.6.35.5/arch/x86/include/asm/kvm_host.h
7397 --- linux-2.6.35.5/arch/x86/include/asm/kvm_host.h      2010-08-26 19:47:12.000000000 -0400
7398 +++ linux-2.6.35.5/arch/x86/include/asm/kvm_host.h      2010-09-17 20:12:09.000000000 -0400
7399 @@ -536,7 +536,7 @@ struct kvm_x86_ops {
7400         const struct trace_print_flags *exit_reasons_str;
7401  };
7402  
7403 -extern struct kvm_x86_ops *kvm_x86_ops;
7404 +extern const struct kvm_x86_ops *kvm_x86_ops;
7405  
7406  int kvm_mmu_module_init(void);
7407  void kvm_mmu_module_exit(void);
7408 diff -urNp linux-2.6.35.5/arch/x86/include/asm/local.h linux-2.6.35.5/arch/x86/include/asm/local.h
7409 --- linux-2.6.35.5/arch/x86/include/asm/local.h 2010-08-26 19:47:12.000000000 -0400
7410 +++ linux-2.6.35.5/arch/x86/include/asm/local.h 2010-09-17 20:12:09.000000000 -0400
7411 @@ -18,26 +18,90 @@ typedef struct {
7412  
7413  static inline void local_inc(local_t *l)
7414  {
7415 -       asm volatile(_ASM_INC "%0"
7416 +       asm volatile(_ASM_INC "%0\n"
7417 +
7418 +#ifdef CONFIG_PAX_REFCOUNT
7419 +#ifdef CONFIG_X86_32
7420 +                    "into\n0:\n"
7421 +#else
7422 +                    "jno 0f\n"
7423 +                    "int $4\n0:\n"
7424 +#endif
7425 +                    ".pushsection .fixup,\"ax\"\n"
7426 +                    "1:\n"
7427 +                    _ASM_DEC "%0\n"
7428 +                    "jmp 0b\n"
7429 +                    ".popsection\n"
7430 +                    _ASM_EXTABLE(0b, 1b)
7431 +#endif
7432 +
7433                      : "+m" (l->a.counter));
7434  }
7435  
7436  static inline void local_dec(local_t *l)
7437  {
7438 -       asm volatile(_ASM_DEC "%0"
7439 +       asm volatile(_ASM_DEC "%0\n"
7440 +
7441 +#ifdef CONFIG_PAX_REFCOUNT
7442 +#ifdef CONFIG_X86_32
7443 +                    "into\n0:\n"
7444 +#else
7445 +                    "jno 0f\n"
7446 +                    "int $4\n0:\n"
7447 +#endif
7448 +                    ".pushsection .fixup,\"ax\"\n"
7449 +                    "1:\n"
7450 +                    _ASM_INC "%0\n"
7451 +                    "jmp 0b\n"
7452 +                    ".popsection\n"
7453 +                    _ASM_EXTABLE(0b, 1b)
7454 +#endif
7455 +
7456                      : "+m" (l->a.counter));
7457  }
7458  
7459  static inline void local_add(long i, local_t *l)
7460  {
7461 -       asm volatile(_ASM_ADD "%1,%0"
7462 +       asm volatile(_ASM_ADD "%1,%0\n"
7463 +
7464 +#ifdef CONFIG_PAX_REFCOUNT
7465 +#ifdef CONFIG_X86_32
7466 +                    "into\n0:\n"
7467 +#else
7468 +                    "jno 0f\n"
7469 +                    "int $4\n0:\n"
7470 +#endif
7471 +                    ".pushsection .fixup,\"ax\"\n"
7472 +                    "1:\n"
7473 +                    _ASM_SUB "%1,%0\n"
7474 +                    "jmp 0b\n"
7475 +                    ".popsection\n"
7476 +                    _ASM_EXTABLE(0b, 1b)
7477 +#endif
7478 +
7479                      : "+m" (l->a.counter)
7480                      : "ir" (i));
7481  }
7482  
7483  static inline void local_sub(long i, local_t *l)
7484  {
7485 -       asm volatile(_ASM_SUB "%1,%0"
7486 +       asm volatile(_ASM_SUB "%1,%0\n"
7487 +
7488 +#ifdef CONFIG_PAX_REFCOUNT
7489 +#ifdef CONFIG_X86_32
7490 +                    "into\n0:\n"
7491 +#else
7492 +                    "jno 0f\n"
7493 +                    "int $4\n0:\n"
7494 +#endif
7495 +                    ".pushsection .fixup,\"ax\"\n"
7496 +                    "1:\n"
7497 +                    _ASM_ADD "%1,%0\n"
7498 +                    "jmp 0b\n"
7499 +                    ".popsection\n"
7500 +                    _ASM_EXTABLE(0b, 1b)
7501 +#endif
7502 +
7503                      : "+m" (l->a.counter)
7504                      : "ir" (i));
7505  }
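Review bot: The same overflow-trap and fixup sequence is pasted into `local_inc`, `local_dec`, `local_add` and `local_sub` here, and again in the `local_*_and_test`, `local_add_negative` and `local_add_return` hunks below, with only the undo instruction changing. One mismatched undo would silently corrupt a counter, and nine copies are hard to audit. A helper macro taking the undo instruction as its argument would leave a single sequence to review. A comment on `local_t` should also state that with `CONFIG_PAX_REFCOUNT` a signed overflow traps and is rolled back, since any user relying on wraparound (none is visible here) would change behaviour.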
7506 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7507  {
7508         unsigned char c;
7509  
7510 -       asm volatile(_ASM_SUB "%2,%0; sete %1"
7511 +       asm volatile(_ASM_SUB "%2,%0\n"
7512 +
7513 +#ifdef CONFIG_PAX_REFCOUNT
7514 +#ifdef CONFIG_X86_32
7515 +                    "into\n0:\n"
7516 +#else
7517 +                    "jno 0f\n"
7518 +                    "int $4\n0:\n"
7519 +#endif
7520 +                    ".pushsection .fixup,\"ax\"\n"
7521 +                    "1:\n"
7522 +                    _ASM_ADD "%2,%0\n"
7523 +                    "jmp 0b\n"
7524 +                    ".popsection\n"
7525 +                    _ASM_EXTABLE(0b, 1b)
7526 +#endif
7527 +
7528 +                    "sete %1\n"
7529                      : "+m" (l->a.counter), "=qm" (c)
7530                      : "ir" (i) : "memory");
7531         return c;
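Review bot: On the overflow path `sete %1` no longer tests the result of the subtraction. Assuming the trap handler resumes at the fixup through the `_ASM_EXTABLE(0b, 1b)` entry, the fixup runs `_ASM_ADD "%2,%0"` and jumps back to `0:`, so the flags `sete` reads come from the undo instruction, i.e. from the restored value. That looks intended but is undocumented, and a later edit that inserts a flag-changing instruction before `sete` would break it. A comment above `"sete %1\n"` such as `/* after a trapped overflow the flags come from the fixup's undo */` would record it. The same holds for `local_dec_and_test`, `local_inc_and_test` and the `sets` in `local_add_negative` in the following hunks. The function starts outside the hunk.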
7532 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7533  {
7534         unsigned char c;
7535  
7536 -       asm volatile(_ASM_DEC "%0; sete %1"
7537 +       asm volatile(_ASM_DEC "%0\n"
7538 +
7539 +#ifdef CONFIG_PAX_REFCOUNT
7540 +#ifdef CONFIG_X86_32
7541 +                    "into\n0:\n"
7542 +#else
7543 +                    "jno 0f\n"
7544 +                    "int $4\n0:\n"
7545 +#endif
7546 +                    ".pushsection .fixup,\"ax\"\n"
7547 +                    "1:\n"
7548 +                    _ASM_INC "%0\n"
7549 +                    "jmp 0b\n"
7550 +                    ".popsection\n"
7551 +                    _ASM_EXTABLE(0b, 1b)
7552 +#endif
7553 +
7554 +                    "sete %1\n"
7555                      : "+m" (l->a.counter), "=qm" (c)
7556                      : : "memory");
7557         return c != 0;
7558 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7559  {
7560         unsigned char c;
7561  
7562 -       asm volatile(_ASM_INC "%0; sete %1"
7563 +       asm volatile(_ASM_INC "%0\n"
7564 +
7565 +#ifdef CONFIG_PAX_REFCOUNT
7566 +#ifdef CONFIG_X86_32
7567 +                    "into\n0:\n"
7568 +#else
7569 +                    "jno 0f\n"
7570 +                    "int $4\n0:\n"
7571 +#endif
7572 +                    ".pushsection .fixup,\"ax\"\n"
7573 +                    "1:\n"
7574 +                    _ASM_DEC "%0\n"
7575 +                    "jmp 0b\n"
7576 +                    ".popsection\n"
7577 +                    _ASM_EXTABLE(0b, 1b)
7578 +#endif
7579 +
7580 +                    "sete %1\n"
7581                      : "+m" (l->a.counter), "=qm" (c)
7582                      : : "memory");
7583         return c != 0;
7584 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7585  {
7586         unsigned char c;
7587  
7588 -       asm volatile(_ASM_ADD "%2,%0; sets %1"
7589 +       asm volatile(_ASM_ADD "%2,%0\n"
7590 +
7591 +#ifdef CONFIG_PAX_REFCOUNT
7592 +#ifdef CONFIG_X86_32
7593 +                    "into\n0:\n"
7594 +#else
7595 +                    "jno 0f\n"
7596 +                    "int $4\n0:\n"
7597 +#endif
7598 +                    ".pushsection .fixup,\"ax\"\n"
7599 +                    "1:\n"
7600 +                    _ASM_SUB "%2,%0\n"
7601 +                    "jmp 0b\n"
7602 +                    ".popsection\n"
7603 +                    _ASM_EXTABLE(0b, 1b)
7604 +#endif
7605 +
7606 +                    "sets %1\n"
7607                      : "+m" (l->a.counter), "=qm" (c)
7608                      : "ir" (i) : "memory");
7609         return c;
7610 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7611  #endif
7612         /* Modern 486+ processor */
7613         __i = i;
7614 -       asm volatile(_ASM_XADD "%0, %1;"
7615 +       asm volatile(_ASM_XADD "%0, %1\n"
7616 +
7617 +#ifdef CONFIG_PAX_REFCOUNT
7618 +#ifdef CONFIG_X86_32
7619 +                    "into\n0:\n"
7620 +#else
7621 +                    "jno 0f\n"
7622 +                    "int $4\n0:\n"
7623 +#endif
7624 +                    ".pushsection .fixup,\"ax\"\n"
7625 +                    "1:\n"
7626 +                    _ASM_MOV "%0,%1\n"
7627 +                    "jmp 0b\n"
7628 +                    ".popsection\n"
7629 +                    _ASM_EXTABLE(0b, 1b)
7630 +#endif
7631 +
7632                      : "+r" (i), "+m" (l->a.counter)
7633                      : : "memory");
7634         return i + __i;
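Review bot: The fixup for `local_add_return` undoes the add with `_ASM_MOV "%0,%1"`, which stores the pre-add value back instead of subtracting, unlike the inc/dec/add/sub undo used by the other functions in this file. If anything on this CPU modifies the counter between the `xadd` and the fixup (an interrupt handler, for instance), that update is overwritten. The function also still returns `i + __i`, the wrapped sum, while the counter holds the old value. Passing `__i` as an extra input operand, `: "ir" (__i)`, and undoing with `_ASM_SUB "%2,%1\n"` would keep the undo commutative. A comment should state what callers receive after a trapped overflow. The function starts outside the hunk.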
7635 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h
7636 --- linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h   2010-08-26 19:47:12.000000000 -0400
7637 +++ linux-2.6.35.5/arch/x86/include/asm/mc146818rtc.h   2010-09-17 20:12:09.000000000 -0400
7638 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7639  #else
7640  #define lock_cmos_prefix(reg) do {} while (0)
7641  #define lock_cmos_suffix(reg) do {} while (0)
7642 -#define lock_cmos(reg)
7643 -#define unlock_cmos()
7644 +#define lock_cmos(reg) do {} while (0)
7645 +#define unlock_cmos() do {} while (0)
7646  #define do_i_have_lock_cmos() 0
7647  #define current_lock_cmos_reg() 0
7648  #endif
7649 diff -urNp linux-2.6.35.5/arch/x86/include/asm/microcode.h linux-2.6.35.5/arch/x86/include/asm/microcode.h
7650 --- linux-2.6.35.5/arch/x86/include/asm/microcode.h     2010-08-26 19:47:12.000000000 -0400
7651 +++ linux-2.6.35.5/arch/x86/include/asm/microcode.h     2010-09-17 20:12:09.000000000 -0400
7652 @@ -12,13 +12,13 @@ struct device;
7653  enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7654  
7655  struct microcode_ops {
7656 -       enum ucode_state (*request_microcode_user) (int cpu,
7657 +       enum ucode_state (* const request_microcode_user) (int cpu,
7658                                 const void __user *buf, size_t size);
7659  
7660 -       enum ucode_state (*request_microcode_fw) (int cpu,
7661 +       enum ucode_state (* const request_microcode_fw) (int cpu,
7662                                 struct device *device);
7663  
7664 -       void (*microcode_fini_cpu) (int cpu);
7665 +       void (* const microcode_fini_cpu) (int cpu);
7666  
7667         /*
7668          * The generic 'microcode_core' part guarantees that
7669 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7670  extern struct ucode_cpu_info ucode_cpu_info[];
7671  
7672  #ifdef CONFIG_MICROCODE_INTEL
7673 -extern struct microcode_ops * __init init_intel_microcode(void);
7674 +extern const struct microcode_ops * __init init_intel_microcode(void);
7675  #else
7676 -static inline struct microcode_ops * __init init_intel_microcode(void)
7677 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7678  {
7679         return NULL;
7680  }
7681  #endif /* CONFIG_MICROCODE_INTEL */
7682  
7683  #ifdef CONFIG_MICROCODE_AMD
7684 -extern struct microcode_ops * __init init_amd_microcode(void);
7685 +extern const struct microcode_ops * __init init_amd_microcode(void);
7686  #else
7687 -static inline struct microcode_ops * __init init_amd_microcode(void)
7688 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7689  {
7690         return NULL;
7691  }
7692 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mman.h linux-2.6.35.5/arch/x86/include/asm/mman.h
7693 --- linux-2.6.35.5/arch/x86/include/asm/mman.h  2010-08-26 19:47:12.000000000 -0400
7694 +++ linux-2.6.35.5/arch/x86/include/asm/mman.h  2010-09-17 20:12:09.000000000 -0400
7695 @@ -5,4 +5,14 @@
7696  
7697  #include <asm-generic/mman.h>
7698  
7699 +#ifdef __KERNEL__
7700 +#ifndef __ASSEMBLY__
7701 +#ifdef CONFIG_X86_32
7702 +#define arch_mmap_check        i386_mmap_check
7703 +int i386_mmap_check(unsigned long addr, unsigned long len,
7704 +               unsigned long flags);
7705 +#endif
7706 +#endif
7707 +#endif
7708 +
7709  #endif /* _ASM_X86_MMAN_H */
7710 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mmu_context.h linux-2.6.35.5/arch/x86/include/asm/mmu_context.h
7711 --- linux-2.6.35.5/arch/x86/include/asm/mmu_context.h   2010-08-26 19:47:12.000000000 -0400
7712 +++ linux-2.6.35.5/arch/x86/include/asm/mmu_context.h   2010-09-17 20:12:09.000000000 -0400
7713 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
7714  
7715  static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7716  {
7717 +
7718 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7719 +       unsigned int i;
7720 +       pgd_t *pgd;
7721 +
7722 +       pax_open_kernel();
7723 +       pgd = get_cpu_pgd(smp_processor_id());
7724 +       for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7725 +               if (paravirt_enabled())
7726 +                       set_pgd(pgd+i, native_make_pgd(0));
7727 +               else
7728 +                       pgd[i] = native_make_pgd(0);
7729 +       pax_close_kernel();
7730 +#endif
7731 +
7732  #ifdef CONFIG_SMP
7733         if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7734                 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
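Review bot: The new `for` loop in `enter_lazy_tlb` has an unbraced `if`/`else` as its body and re-evaluates `paravirt_enabled()` on every iteration, although the result is presumably invariant across the loop. Bracing the loop body and testing `paravirt_enabled()` once outside it would make the two write paths easier to compare. A comment such as `/* clear the shadow half of this CPU's PGD (entries USER_PGD_PTRS .. 2*USER_PGD_PTRS-1) */` would state what the loop is for. Like the `safe_address` change, it relies on `smp_processor_id()` being stable, which the hunk does not establish.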
7735 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
7736                              struct task_struct *tsk)
7737  {
7738         unsigned cpu = smp_processor_id();
7739 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7740 +       int tlbstate = TLBSTATE_OK;
7741 +#endif
7742  
7743         if (likely(prev != next)) {
7744                 /* stop flush ipis for the previous mm */
7745                 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7746  #ifdef CONFIG_SMP
7747 +#ifdef CONFIG_X86_32
7748 +               tlbstate = percpu_read(cpu_tlbstate.state);
7749 +#endif
7750                 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7751                 percpu_write(cpu_tlbstate.active_mm, next);
7752  #endif
7753                 cpumask_set_cpu(cpu, mm_cpumask(next));
7754  
7755                 /* Re-load page tables */
7756 +#ifdef CONFIG_PAX_PER_CPU_PGD
7757 +               pax_open_kernel();
7758 +               __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7759 +               __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7760 +               pax_close_kernel();
7761 +               load_cr3(get_cpu_pgd(cpu));
7762 +#else
7763                 load_cr3(next->pgd);
7764 +#endif
7765  
7766                 /*
7767                  * load the LDT, if the LDT is different:
7768                  */
7769                 if (unlikely(prev->context.ldt != next->context.ldt))
7770                         load_LDT_nolock(&next->context);
7771 -       }
7772 +
7773 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7774 +               if (!(__supported_pte_mask & _PAGE_NX)) {
7775 +                       smp_mb__before_clear_bit();
7776 +                       cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7777 +                       smp_mb__after_clear_bit();
7778 +                       cpu_set(cpu, next->context.cpu_user_cs_mask);
7779 +               }
7780 +#endif
7781 +
7782 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7783 +               if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7784 +                            prev->context.user_cs_limit != next->context.user_cs_limit))
7785 +                       set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7786  #ifdef CONFIG_SMP
7787 +               else if (unlikely(tlbstate != TLBSTATE_OK))
7788 +                       set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7789 +#endif
7790 +#endif
7791 +
7792 +       }
7793         else {
7794 +
7795 +#ifdef CONFIG_PAX_PER_CPU_PGD
7796 +               pax_open_kernel();
7797 +               __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7798 +               __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7799 +               pax_close_kernel();
7800 +               load_cr3(get_cpu_pgd(cpu));
7801 +#endif
7802 +
7803 +#ifdef CONFIG_SMP
7804                 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7805                 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
7806  
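Review bot: The per-CPU PGD refresh (`pax_open_kernel()`, `__clone_user_pgds`, `__shadow_user_pgds`, `pax_close_kernel()`, `load_cr3(get_cpu_pgd(cpu))`) is written out twice, once in the `prev != next` branch and once in the new `else` branch. The second copy runs on every `switch_mm` call where `prev == next`, and nothing explains why the reload is needed there. A static inline helper used by both branches, with a comment giving the reason for the same-mm case, would make this reviewable. The closing brace of the `if` block has also moved, so `else {` is now compiled without `CONFIG_SMP` too; a trailing `/* prev != next */` on that brace would help readers follow the nesting. The function continues in the next hunk.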
7807 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
7808                          * tlb flush IPI delivery. We must reload CR3
7809                          * to make sure to use no freed page tables.
7810                          */
7811 +
7812 +#ifndef CONFIG_PAX_PER_CPU_PGD
7813                         load_cr3(next->pgd);
7814 +#endif
7815 +
7816                         load_LDT_nolock(&next->context);
7817 +
7818 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
7819 +                       if (!(__supported_pte_mask & _PAGE_NX))
7820 +                               cpu_set(cpu, next->context.cpu_user_cs_mask);
7821 +#endif
7822 +
7823 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7824 +#ifdef CONFIG_PAX_PAGEEXEC
7825 +                       if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
7826 +#endif
7827 +                               set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7828 +#endif
7829 +
7830                 }
7831 -       }
7832  #endif
7833 +       }
7834  }
7835  
7836  #define activate_mm(prev, next)                        \
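Review bot: In the lazy-TLB reload path the inner `#ifdef CONFIG_PAX_PAGEEXEC` wraps only the `if (...)` line. `set_user_cs(...)` is therefore conditional with PAGEEXEC and unconditional in a SEGMEXEC-only build, while its indentation suggests it is always guarded. Writing two complete preprocessor branches, or computing the condition into a local flag above the call, would make both configurations read as ordinary C. Failing that, a comment like `/* SEGMEXEC-only builds always reload the user CS limit here */` would state the intent. The enclosing block starts outside the hunk.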
7837 diff -urNp linux-2.6.35.5/arch/x86/include/asm/mmu.h linux-2.6.35.5/arch/x86/include/asm/mmu.h
7838 --- linux-2.6.35.5/arch/x86/include/asm/mmu.h   2010-08-26 19:47:12.000000000 -0400
7839 +++ linux-2.6.35.5/arch/x86/include/asm/mmu.h   2010-09-17 20:12:09.000000000 -0400
7840 @@ -9,10 +9,23 @@
7841   * we put the segment information here.
7842   */
7843  typedef struct {
7844 -       void *ldt;
7845 +       struct desc_struct *ldt;
7846         int size;
7847         struct mutex lock;
7848 -       void *vdso;
7849 +       unsigned long vdso;
7850 +
7851 +#ifdef CONFIG_X86_32
7852 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
7853 +       unsigned long user_cs_base;
7854 +       unsigned long user_cs_limit;
7855 +
7856 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7857 +       cpumask_t cpu_user_cs_mask;
7858 +#endif
7859 +
7860 +#endif
7861 +#endif
7862 +
7863  } mm_context_t;
7864  
7865  #ifdef CONFIG_SMP
7866 diff -urNp linux-2.6.35.5/arch/x86/include/asm/module.h linux-2.6.35.5/arch/x86/include/asm/module.h
7867 --- linux-2.6.35.5/arch/x86/include/asm/module.h        2010-08-26 19:47:12.000000000 -0400
7868 +++ linux-2.6.35.5/arch/x86/include/asm/module.h        2010-09-17 20:12:37.000000000 -0400
7869 @@ -59,13 +59,31 @@
7870  #error unknown processor family
7871  #endif
7872  
7873 +#ifdef CONFIG_PAX_MEMORY_UDEREF
7874 +#define MODULE_PAX_UDEREF "UDEREF "
7875 +#else
7876 +#define MODULE_PAX_UDEREF ""
7877 +#endif
7878 +
7879  #ifdef CONFIG_X86_32
7880  # ifdef CONFIG_4KSTACKS
7881  #  define MODULE_STACKSIZE "4KSTACKS "
7882  # else
7883  #  define MODULE_STACKSIZE ""
7884  # endif
7885 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
7886 +# ifdef CONFIG_PAX_KERNEXEC
7887 +#  define MODULE_PAX_KERNEXEC "KERNEXEC "
7888 +# else
7889 +#  define MODULE_PAX_KERNEXEC ""
7890 +# endif
7891 +# ifdef CONFIG_GRKERNSEC
7892 +#  define MODULE_GRSEC "GRSECURITY "
7893 +# else
7894 +#  define MODULE_GRSEC ""
7895 +# endif
7896 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
7897 +#else
7898 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
7899  #endif
7900  
7901  #endif /* _ASM_X86_MODULE_H */
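Review bot: `MODULE_GRSEC` and `MODULE_PAX_KERNEXEC` are defined and appended to `MODULE_ARCH_VERMAGIC` only inside `#ifdef CONFIG_X86_32`; the new `#else` branch carries `MODULE_PAX_UDEREF` alone. If `CONFIG_GRKERNSEC` or `CONFIG_PAX_KERNEXEC` can be enabled on 64-bit builds, a module built without them would still pass the vermagic comparison against a kernel built with them. The paravirt.h hunks in this patch add 64-bit `GET_CR0_INTO_RDI` helpers next to the KERNEXEC stubs, which suggests that they can. Moving the two definitions above the `CONFIG_X86_32` test and using `# define MODULE_ARCH_VERMAGIC MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF` in the `#else` branch would cover both architectures.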
7902 diff -urNp linux-2.6.35.5/arch/x86/include/asm/page_32_types.h linux-2.6.35.5/arch/x86/include/asm/page_32_types.h
7903 --- linux-2.6.35.5/arch/x86/include/asm/page_32_types.h 2010-08-26 19:47:12.000000000 -0400
7904 +++ linux-2.6.35.5/arch/x86/include/asm/page_32_types.h 2010-09-17 20:12:09.000000000 -0400
7905 @@ -15,6 +15,10 @@
7906   */
7907  #define __PAGE_OFFSET          _AC(CONFIG_PAGE_OFFSET, UL)
7908  
7909 +#ifdef CONFIG_PAX_PAGEEXEC
7910 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
7911 +#endif
7912 +
7913  #ifdef CONFIG_4KSTACKS
7914  #define THREAD_ORDER   0
7915  #else
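Review bot: `CONFIG_ARCH_TRACK_EXEC_LIMIT` is created with a `#define` in a header rather than by Kconfig, so it does not appear in `.config`, cannot take part in Kconfig dependencies, and is undefined in any file that tests it before including this header. A Kconfig symbol selected by the PAGEEXEC option, or a name outside the `CONFIG_` namespace, would avoid the include-order dependency. At minimum it should be marked with a comment such as `/* not a Kconfig symbol: derived from CONFIG_PAX_PAGEEXEC */`.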
7916 diff -urNp linux-2.6.35.5/arch/x86/include/asm/paravirt.h linux-2.6.35.5/arch/x86/include/asm/paravirt.h
7917 --- linux-2.6.35.5/arch/x86/include/asm/paravirt.h      2010-08-26 19:47:12.000000000 -0400
7918 +++ linux-2.6.35.5/arch/x86/include/asm/paravirt.h      2010-09-17 20:12:09.000000000 -0400
7919 @@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
7920         pv_mmu_ops.set_fixmap(idx, phys, flags);
7921  }
7922  
7923 +#ifdef CONFIG_PAX_KERNEXEC
7924 +static inline unsigned long pax_open_kernel(void)
7925 +{
7926 +       return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
7927 +}
7928 +
7929 +static inline unsigned long pax_close_kernel(void)
7930 +{
7931 +       return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
7932 +}
7933 +#else
7934 +static inline unsigned long pax_open_kernel(void) { return 0; }
7935 +static inline unsigned long pax_close_kernel(void) { return 0; }
7936 +#endif
7937 +
7938  #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
7939  
7940  static inline int arch_spin_is_locked(struct arch_spinlock *lock)
7941 @@ -936,7 +951,7 @@ extern void default_banner(void);
7942  
7943  #define PARA_PATCH(struct, off)        ((PARAVIRT_PATCH_##struct + (off)) / 4)
7944  #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
7945 -#define PARA_INDIRECT(addr)    *%cs:addr
7946 +#define PARA_INDIRECT(addr)    *%ss:addr
7947  #endif
7948  
7949  #define INTERRUPT_RETURN                                               \
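Review bot: The change of `PARA_INDIRECT(addr)` from `*%cs:addr` to `*%ss:addr` carries no comment, and nothing in this hunk says why the stack segment is now the one used to reach the pv-ops tables. Every assembly site that expands this macro now depends on `%ss` holding a flat kernel data selector at that point, which is an invariant worth writing down next to the definition. Presumably the motive is that KERNEXEC alters what the kernel code segment covers, but that is inferred rather than shown here. A comment such as `/* indirect through %ss: %cs is not assumed to map the pv ops tables */` would record it.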
7950 @@ -1013,6 +1028,21 @@ extern void default_banner(void);
7951         PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit),    \
7952                   CLBR_NONE,                                            \
7953                   jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
7954 +
7955 +#define GET_CR0_INTO_RDI                               \
7956 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
7957 +       mov %rax,%rdi
7958 +
7959 +#define SET_RDI_INTO_CR0                               \
7960 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
7961 +
7962 +#define GET_CR3_INTO_RDI                               \
7963 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
7964 +       mov %rax,%rdi
7965 +
7966 +#define SET_RDI_INTO_CR3                               \
7967 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
7968 +
7969  #endif /* CONFIG_X86_32 */
7970  
7971  #endif /* __ASSEMBLY__ */
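Review bot: `GET_CR0_INTO_RDI` and `GET_CR3_INTO_RDI` overwrite `%rax` as well as `%rdi` (`mov %rax,%rdi` after the call), and none of the four new macros states which registers a caller must treat as clobbered. Unlike the `PARA_SITE(..., CLBR_NONE, ...)` entry at the top of this hunk, they emit a bare `call PARA_INDIRECT(...)`, so no clobber set is declared and, as far as this hunk shows, the call is not registered as a patch site. If the pv-ops callees follow the normal C calling convention (not visible here), every caller-saved register is at risk, which matters in entry code that rewrites CR0 or CR3. A header comment such as `/* clobbers %rax, %rdi and any caller-saved register the pv op uses; not a PARA_SITE patch site */` would make the contract explicit.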
7972 diff -urNp linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h
7973 --- linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h        2010-08-26 19:47:12.000000000 -0400
7974 +++ linux-2.6.35.5/arch/x86/include/asm/paravirt_types.h        2010-09-17 20:12:09.000000000 -0400
7975 @@ -312,6 +312,12 @@ struct pv_mmu_ops {
7976            an mfn.  We can tell which is which from the index. */
7977         void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
7978                            phys_addr_t phys, pgprot_t flags);
7979 +
7980 +#ifdef CONFIG_PAX_KERNEXEC
7981 +       unsigned long (*pax_open_kernel)(void);
7982 +       unsigned long (*pax_close_kernel)(void);
7983 +#endif
7984 +
7985  };
7986  
7987  struct arch_spinlock;
7988 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pci_x86.h linux-2.6.35.5/arch/x86/include/asm/pci_x86.h
7989 --- linux-2.6.35.5/arch/x86/include/asm/pci_x86.h       2010-08-26 19:47:12.000000000 -0400
7990 +++ linux-2.6.35.5/arch/x86/include/asm/pci_x86.h       2010-09-17 20:12:09.000000000 -0400
7991 @@ -91,16 +91,16 @@ extern int (*pcibios_enable_irq)(struct 
7992  extern void (*pcibios_disable_irq)(struct pci_dev *dev);
7993  
7994  struct pci_raw_ops {
7995 -       int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7996 +       int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
7997                                                 int reg, int len, u32 *val);
7998 -       int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
7999 +       int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8000                                                 int reg, int len, u32 val);
8001  };
8002  
8003 -extern struct pci_raw_ops *raw_pci_ops;
8004 -extern struct pci_raw_ops *raw_pci_ext_ops;
8005 +extern const struct pci_raw_ops *raw_pci_ops;
8006 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8007  
8008 -extern struct pci_raw_ops pci_direct_conf1;
8009 +extern const struct pci_raw_ops pci_direct_conf1;
8010  extern bool port_cf9_safe;
8011  
8012  /* arch_initcall level */
8013 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgalloc.h linux-2.6.35.5/arch/x86/include/asm/pgalloc.h
8014 --- linux-2.6.35.5/arch/x86/include/asm/pgalloc.h       2010-08-26 19:47:12.000000000 -0400
8015 +++ linux-2.6.35.5/arch/x86/include/asm/pgalloc.h       2010-09-17 20:12:09.000000000 -0400
8016 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8017                                        pmd_t *pmd, pte_t *pte)
8018  {
8019         paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8020 +       set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8021 +}
8022 +
8023 +static inline void pmd_populate_user(struct mm_struct *mm,
8024 +                                      pmd_t *pmd, pte_t *pte)
8025 +{
8026 +       paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8027         set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
8028  }
8029  
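Review bot: `pmd_populate_kernel()` and the new `pmd_populate_user()` are now identical except for `_KERNPG_TABLE` versus `_PAGE_TABLE`, and neither has a comment saying which callers must use which. Assuming the two constants differ by `_PAGE_USER` as in the mainline header (their definitions are not in this hunk), picking the wrong helper either marks a kernel page table user-accessible or breaks a user mapping. A short comment above each, e.g. `/* kernel page tables only: entry is created without _PAGE_USER */`, would help. The signature of `pmd_populate_kernel()` starts outside the hunk.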
8030 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h
8031 --- linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h        2010-08-26 19:47:12.000000000 -0400
8032 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable-2level.h        2010-09-17 20:12:09.000000000 -0400
8033 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t 
8034  
8035  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8036  {
8037 +       pax_open_kernel();
8038         *pmdp = pmd;
8039 +       pax_close_kernel();
8040  }
8041  
8042  static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8043 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h
8044 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h    2010-08-26 19:47:12.000000000 -0400
8045 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_32.h    2010-09-17 20:12:09.000000000 -0400
8046 @@ -25,8 +25,6 @@
8047  struct mm_struct;
8048  struct vm_area_struct;
8049  
8050 -extern pgd_t swapper_pg_dir[1024];
8051 -
8052  static inline void pgtable_cache_init(void) { }
8053  static inline void check_pgt_cache(void) { }
8054  void paging_init(void);
8055 @@ -47,6 +45,11 @@ extern void set_pmd_pfn(unsigned long, u
8056  # include <asm/pgtable-2level.h>
8057  #endif
8058  
8059 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8060 +#ifdef CONFIG_X86_PAE
8061 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8062 +#endif
8063 +
8064  #if defined(CONFIG_HIGHPTE)
8065  #define __KM_PTE                       \
8066         (in_nmi() ? KM_NMI_PTE :        \
8067 @@ -71,7 +74,9 @@ extern void set_pmd_pfn(unsigned long, u
8068  /* Clear a kernel PTE and flush it from the TLB */
8069  #define kpte_clear_flush(ptep, vaddr)          \
8070  do {                                           \
8071 +       pax_open_kernel();                      \
8072         pte_clear(&init_mm, (vaddr), (ptep));   \
8073 +       pax_close_kernel();                     \
8074         __flush_tlb_one((vaddr));               \
8075  } while (0)
8076  
8077 @@ -83,6 +88,9 @@ do {                                          \
8078  
8079  #endif /* !__ASSEMBLY__ */
8080  
8081 +#define HAVE_ARCH_UNMAPPED_AREA
8082 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8083 +
8084  /*
8085   * kern_addr_valid() is (1) for FLATMEM and (0) for
8086   * SPARSEMEM and DISCONTIGMEM
8087 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h
8088 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h      2010-08-26 19:47:12.000000000 -0400
8089 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_32_types.h      2010-09-17 20:12:09.000000000 -0400
8090 @@ -8,7 +8,7 @@
8091   */
8092  #ifdef CONFIG_X86_PAE
8093  # include <asm/pgtable-3level_types.h>
8094 -# define PMD_SIZE      (1UL << PMD_SHIFT)
8095 +# define PMD_SIZE      (_AC(1, UL) << PMD_SHIFT)
8096  # define PMD_MASK      (~(PMD_SIZE - 1))
8097  #else
8098  # include <asm/pgtable-2level_types.h>
8099 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set 
8100  # define VMALLOC_END   (FIXADDR_START - 2 * PAGE_SIZE)
8101  #endif
8102  
8103 +#ifdef CONFIG_PAX_KERNEXEC
8104 +#ifndef __ASSEMBLY__
8105 +extern unsigned char MODULES_EXEC_VADDR[];
8106 +extern unsigned char MODULES_EXEC_END[];
8107 +#endif
8108 +#include <asm/boot.h>
8109 +#define ktla_ktva(addr)                (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8110 +#define ktva_ktla(addr)                (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8111 +#else
8112 +#define ktla_ktva(addr)                (addr)
8113 +#define ktva_ktla(addr)                (addr)
8114 +#endif
8115 +
8116  #define MODULES_VADDR  VMALLOC_START
8117  #define MODULES_END    VMALLOC_END
8118  #define MODULES_LEN    (MODULES_VADDR - MODULES_END)
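Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` expand `addr` without parentheses in the CONFIG_PAX_KERNEXEC branch, so an argument containing an operator of lower precedence than `+`/`-` (a shift or a conditional, say) is grouped wrongly. An address-translation macro that silently computes the wrong kernel address is hard to spot in review, so the definitions should read `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`. The `#else` variants already parenthesise the argument.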
8119 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h
8120 --- linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h        2010-08-26 19:47:12.000000000 -0400
8121 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable-3level.h        2010-09-17 20:12:09.000000000 -0400
8122 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8123  
8124  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8125  {
8126 +       pax_open_kernel();
8127         set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8128 +       pax_close_kernel();
8129  }
8130  
8131  static inline void native_set_pud(pud_t *pudp, pud_t pud)
8132  {
8133 +       pax_open_kernel();
8134         set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8135 +       pax_close_kernel();
8136  }
8137  
8138  /*
8139 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h
8140 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h    2010-08-26 19:47:12.000000000 -0400
8141 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_64.h    2010-09-17 20:12:09.000000000 -0400
8142 @@ -16,10 +16,13 @@
8143  
8144  extern pud_t level3_kernel_pgt[512];
8145  extern pud_t level3_ident_pgt[512];
8146 +extern pud_t level3_vmalloc_pgt[512];
8147 +extern pud_t level3_vmemmap_pgt[512];
8148 +extern pud_t level2_vmemmap_pgt[512];
8149  extern pmd_t level2_kernel_pgt[512];
8150  extern pmd_t level2_fixmap_pgt[512];
8151 -extern pmd_t level2_ident_pgt[512];
8152 -extern pgd_t init_level4_pgt[];
8153 +extern pmd_t level2_ident_pgt[512*2];
8154 +extern pgd_t init_level4_pgt[512];
8155  
8156  #define swapper_pg_dir init_level4_pgt
8157  
8158 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8159  
8160  static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8161  {
8162 +       pax_open_kernel();
8163         *pmdp = pmd;
8164 +       pax_close_kernel();
8165  }
8166  
8167  static inline void native_pmd_clear(pmd_t *pmd)
8168 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8169  
8170  static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8171  {
8172 +       pax_open_kernel();
8173         *pgdp = pgd;
8174 +       pax_close_kernel();
8175  }
8176  
8177  static inline void native_pgd_clear(pgd_t *pgd)
8178 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h
8179 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h      2010-08-26 19:47:12.000000000 -0400
8180 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_64_types.h      2010-09-17 20:12:09.000000000 -0400
8181 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8182  #define MODULES_VADDR    _AC(0xffffffffa0000000, UL)
8183  #define MODULES_END      _AC(0xffffffffff000000, UL)
8184  #define MODULES_LEN   (MODULES_END - MODULES_VADDR)
8185 +#define MODULES_EXEC_VADDR MODULES_VADDR
8186 +#define MODULES_EXEC_END MODULES_END
8187 +
8188 +#define ktla_ktva(addr)                (addr)
8189 +#define ktva_ktla(addr)                (addr)
8190  
8191  #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8192 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable.h linux-2.6.35.5/arch/x86/include/asm/pgtable.h
8193 --- linux-2.6.35.5/arch/x86/include/asm/pgtable.h       2010-08-26 19:47:12.000000000 -0400
8194 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable.h       2010-09-17 20:12:09.000000000 -0400
8195 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8196  
8197  #define arch_end_context_switch(prev)  do {} while(0)
8198  
8199 +#define pax_open_kernel()      native_pax_open_kernel()
8200 +#define pax_close_kernel()     native_pax_close_kernel()
8201  #endif /* CONFIG_PARAVIRT */
8202  
8203 +#define  __HAVE_ARCH_PAX_OPEN_KERNEL
8204 +#define  __HAVE_ARCH_PAX_CLOSE_KERNEL
8205 +
8206 +#ifdef CONFIG_PAX_KERNEXEC
8207 +static inline unsigned long native_pax_open_kernel(void)
8208 +{
8209 +       unsigned long cr0;
8210 +
8211 +       preempt_disable();
8212 +       barrier();
8213 +       cr0 = read_cr0() ^ X86_CR0_WP;
8214 +       BUG_ON(unlikely(cr0 & X86_CR0_WP));
8215 +       write_cr0(cr0);
8216 +       return cr0 ^ X86_CR0_WP;
8217 +}
8218 +
8219 +static inline unsigned long native_pax_close_kernel(void)
8220 +{
8221 +       unsigned long cr0;
8222 +
8223 +       cr0 = read_cr0() ^ X86_CR0_WP;
8224 +       BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8225 +       write_cr0(cr0);
8226 +       barrier();
8227 +       preempt_enable_no_resched();
8228 +       return cr0 ^ X86_CR0_WP;
8229 +}
8230 +#else
8231 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8232 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8233 +#endif
8234 +
8235  /*
8236   * The following only work if pte_present() is true.
8237   * Undefined behaviour if not..
8238   */
8239 +static inline int pte_user(pte_t pte)
8240 +{
8241 +       return pte_val(pte) & _PAGE_USER;
8242 +}
8243 +
8244  static inline int pte_dirty(pte_t pte)
8245  {
8246         return pte_flags(pte) & _PAGE_DIRTY;
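Review bot: `native_pax_open_kernel()` and `native_pax_close_kernel()` have no comment describing their contract, although the code enforces a strict one. Open disables preemption and clears CR0.WP, and its `BUG_ON` fires if WP was already clear; close does the reverse and fires if WP was already set, so the calls must be paired on every path and cannot nest. Interrupts are left enabled, so a handler that runs inside the window executes with write protection off, which the comment should say as well. I would add a block comment above the pair stating those points and that each function returns the CR0 value read before the toggle. Separately, `pte_user()` tests `pte_val(pte)` while the neighbouring `pte_dirty()` uses `pte_flags(pte)`; `return pte_flags(pte) & _PAGE_USER;` would match.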
8247 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t 
8248         return pte_clear_flags(pte, _PAGE_RW);
8249  }
8250  
8251 +static inline pte_t pte_mkread(pte_t pte)
8252 +{
8253 +       return __pte(pte_val(pte) | _PAGE_USER);
8254 +}
8255 +
8256  static inline pte_t pte_mkexec(pte_t pte)
8257  {
8258 -       return pte_clear_flags(pte, _PAGE_NX);
8259 +#ifdef CONFIG_X86_PAE
8260 +       if (__supported_pte_mask & _PAGE_NX)
8261 +               return pte_clear_flags(pte, _PAGE_NX);
8262 +       else
8263 +#endif
8264 +               return pte_set_flags(pte, _PAGE_USER);
8265 +}
8266 +
8267 +static inline pte_t pte_exprotect(pte_t pte)
8268 +{
8269 +#ifdef CONFIG_X86_PAE
8270 +       if (__supported_pte_mask & _PAGE_NX)
8271 +               return pte_set_flags(pte, _PAGE_NX);
8272 +       else
8273 +#endif
8274 +               return pte_clear_flags(pte, _PAGE_USER);
8275  }
8276  
8277  static inline pte_t pte_mkdirty(pte_t pte)
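Review bot: `pte_mkread()` open-codes `__pte(pte_val(pte) | _PAGE_USER)` while `pte_mkexec()` and `pte_exprotect()` in the same hunk use `pte_set_flags()` and `pte_clear_flags()`; `return pte_set_flags(pte, _PAGE_USER);` would keep the three consistent. When CONFIG_X86_PAE is off or `_PAGE_NX` is not in `__supported_pte_mask`, `pte_mkexec()` also only sets `_PAGE_USER`, so the read and exec helpers act on the same bit. That should be stated in a comment such as `/* without NX in __supported_pte_mask, _PAGE_USER doubles as the exec permission */`. The `if`/`else` whose `else` arm sits after `#endif` would also be easier to read with braces around both arms.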
8278 @@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long 
8279  #endif
8280  
8281  #ifndef __ASSEMBLY__
8282 +
8283 +#ifdef CONFIG_PAX_PER_CPU_PGD
8284 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8285 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8286 +{
8287 +       return cpu_pgd[cpu];
8288 +}
8289 +#endif
8290 +
8291  #include <linux/mm_types.h>
8292  
8293  static inline int pte_none(pte_t pte)
8294 @@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
8295  
8296  static inline int pgd_bad(pgd_t pgd)
8297  {
8298 -       return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8299 +       return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8300  }
8301  
8302  static inline int pgd_none(pgd_t pgd)
8303 @@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8304   * pgd_offset() returns a (pgd_t *)
8305   * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8306   */
8307 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8308 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8309 +
8310 +#ifdef CONFIG_PAX_PER_CPU_PGD
8311 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8312 +#endif
8313 +
8314  /*
8315   * a shortcut which implies the use of the kernel's pgd, instead
8316   * of a process's
8317 @@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8318  #define KERNEL_PGD_BOUNDARY    pgd_index(PAGE_OFFSET)
8319  #define KERNEL_PGD_PTRS                (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8320  
8321 +#ifdef CONFIG_X86_32
8322 +#define USER_PGD_PTRS          KERNEL_PGD_BOUNDARY
8323 +#else
8324 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8325 +#define USER_PGD_PTRS          (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8326 +
8327 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8328 +#define PAX_USER_SHADOW_BASE   (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8329 +#else
8330 +#define PAX_USER_SHADOW_BASE   (_AC(0,UL))
8331 +#endif
8332 +
8333 +#endif
8334 +
8335  #ifndef __ASSEMBLY__
8336  
8337  extern int direct_gbpages;
8338 @@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
8339   * dst and src can be on the same page, but the range must not overlap,
8340   * and must not cross a page boundary.
8341   */
8342 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8343 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8344  {
8345 -       memcpy(dst, src, count * sizeof(pgd_t));
8346 +       pax_open_kernel();
8347 +       while (count--)
8348 +               *dst++ = *src++;
8349 +       pax_close_kernel();
8350  }
8351  
8352 +#ifdef CONFIG_PAX_PER_CPU_PGD
8353 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8354 +#endif
8355 +
8356 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8357 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8358 +#else
8359 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8360 +#endif
8361  
8362  #include <asm-generic/pgtable.h>
8363  #endif /* __ASSEMBLY__ */
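Review bot: The new copy loop `while (count--)` in `clone_pgd_range()` terminates only at zero, so a negative `count` (the parameter is a signed `int`) keeps storing page-directory entries until the counter wraps, and it does so between `pax_open_kernel()` and `pax_close_kernel()`. `while (count-- > 0)` bounds the loop for every input at no cost. The comment above the function (partly outside the hunk) still describes the `memcpy()` constraints; it could add that entries are now stored one `pgd_t` at a time inside a `pax_open_kernel()` section.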
8364 diff -urNp linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h
8365 --- linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h 2010-08-26 19:47:12.000000000 -0400
8366 +++ linux-2.6.35.5/arch/x86/include/asm/pgtable_types.h 2010-09-17 20:12:09.000000000 -0400
8367 @@ -16,12 +16,11 @@
8368  #define _PAGE_BIT_PSE          7       /* 4 MB (or 2MB) page */
8369  #define _PAGE_BIT_PAT          7       /* on 4KB pages */
8370  #define _PAGE_BIT_GLOBAL       8       /* Global TLB entry PPro+ */
8371 -#define _PAGE_BIT_UNUSED1      9       /* available for programmer */
8372 +#define _PAGE_BIT_SPECIAL      9       /* special mappings, no associated struct page */
8373  #define _PAGE_BIT_IOMAP                10      /* flag used to indicate IO mapping */
8374  #define _PAGE_BIT_HIDDEN       11      /* hidden by kmemcheck */
8375  #define _PAGE_BIT_PAT_LARGE    12      /* On 2MB or 1GB pages */
8376 -#define _PAGE_BIT_SPECIAL      _PAGE_BIT_UNUSED1
8377 -#define _PAGE_BIT_CPA_TEST     _PAGE_BIT_UNUSED1
8378 +#define _PAGE_BIT_CPA_TEST     _PAGE_BIT_SPECIAL
8379  #define _PAGE_BIT_NX           63       /* No execute: only valid after cpuid check */
8380  
8381  /* If _PAGE_BIT_PRESENT is clear, we use these: */
8382 @@ -39,7 +38,6 @@
8383  #define _PAGE_DIRTY    (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8384  #define _PAGE_PSE      (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8385  #define _PAGE_GLOBAL   (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8386 -#define _PAGE_UNUSED1  (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8387  #define _PAGE_IOMAP    (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8388  #define _PAGE_PAT      (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8389  #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8390 @@ -55,8 +53,10 @@
8391  
8392  #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8393  #define _PAGE_NX       (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8394 -#else
8395 +#elif defined(CONFIG_KMEMCHECK)
8396  #define _PAGE_NX       (_AT(pteval_t, 0))
8397 +#else
8398 +#define _PAGE_NX       (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8399  #endif
8400  
8401  #define _PAGE_FILE     (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
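Review bot: The new `#else` branch gives `_PAGE_NX` the value `1 << _PAGE_BIT_HIDDEN` without a comment, so on builds that are neither 64-bit, PAE nor KMEMCHECK the name now denotes bit 11 rather than zero. The first hunk of this file still documents bit 11 as `/* hidden by kmemcheck */` and bit 63 as the no-execute bit, so a reader cannot tell that the sharing is deliberate. Presumably bit 11 serves as a software-only marker here, since that paging mode has no hardware NX bit. A comment like `/* no hardware NX: software marker sharing _PAGE_BIT_HIDDEN, hence the KMEMCHECK exclusion */` would state it.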
8402 @@ -93,6 +93,9 @@
8403  #define PAGE_READONLY_EXEC     __pgprot(_PAGE_PRESENT | _PAGE_USER |   \
8404                                          _PAGE_ACCESSED)
8405  
8406 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8407 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8408 +
8409  #define __PAGE_KERNEL_EXEC                                             \
8410         (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8411  #define __PAGE_KERNEL          (__PAGE_KERNEL_EXEC | _PAGE_NX)
8412 @@ -103,8 +106,8 @@
8413  #define __PAGE_KERNEL_WC               (__PAGE_KERNEL | _PAGE_CACHE_WC)
8414  #define __PAGE_KERNEL_NOCACHE          (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8415  #define __PAGE_KERNEL_UC_MINUS         (__PAGE_KERNEL | _PAGE_PCD)
8416 -#define __PAGE_KERNEL_VSYSCALL         (__PAGE_KERNEL_RX | _PAGE_USER)
8417 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8418 +#define __PAGE_KERNEL_VSYSCALL         (__PAGE_KERNEL_RO | _PAGE_USER)
8419 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8420  #define __PAGE_KERNEL_LARGE            (__PAGE_KERNEL | _PAGE_PSE)
8421  #define __PAGE_KERNEL_LARGE_NOCACHE    (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8422  #define __PAGE_KERNEL_LARGE_EXEC       (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8423 @@ -163,8 +166,8 @@
8424   * bits are combined, this will alow user to access the high address mapped
8425   * VDSO in the presence of CONFIG_COMPAT_VDSO
8426   */
8427 -#define PTE_IDENT_ATTR  0x003          /* PRESENT+RW */
8428 -#define PDE_IDENT_ATTR  0x067          /* PRESENT+RW+USER+DIRTY+ACCESSED */
8429 +#define PTE_IDENT_ATTR  0x063          /* PRESENT+RW+DIRTY+ACCESSED */
8430 +#define PDE_IDENT_ATTR  0x063          /* PRESENT+RW+DIRTY+ACCESSED */
8431  #define PGD_IDENT_ATTR  0x001          /* PRESENT (no other attributes) */
8432  #endif
8433  
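Review bot: Dropping the USER bit from `PDE_IDENT_ATTR` (0x067 to 0x063) leaves the comment directly above it stale: its visible tail still says the combined bits let user space reach the high-mapped VDSO under CONFIG_COMPAT_VDSO. The comment starts outside this hunk, so only its last lines can be checked here, but it should be updated in the same change and say what now applies with CONFIG_COMPAT_VDSO. Something like `/* identity-map PDEs no longer carry USER; user access is not granted at this level */` would do, adjusted to whatever the rest of the patch does for COMPAT_VDSO.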
8434 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8435  {
8436         return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8437  }
8438 +#endif
8439  
8440 +#if PAGETABLE_LEVELS == 3
8441 +#include <asm-generic/pgtable-nopud.h>
8442 +#endif
8443 +
8444 +#if PAGETABLE_LEVELS == 2
8445 +#include <asm-generic/pgtable-nopmd.h>
8446 +#endif
8447 +
8448 +#ifndef __ASSEMBLY__
8449  #if PAGETABLE_LEVELS > 3
8450  typedef struct { pudval_t pud; } pud_t;
8451  
8452 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8453         return pud.pud;
8454  }
8455  #else
8456 -#include <asm-generic/pgtable-nopud.h>
8457 -
8458  static inline pudval_t native_pud_val(pud_t pud)
8459  {
8460         return native_pgd_val(pud.pgd);
8461 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8462         return pmd.pmd;
8463  }
8464  #else
8465 -#include <asm-generic/pgtable-nopmd.h>
8466 -
8467  static inline pmdval_t native_pmd_val(pmd_t pmd)
8468  {
8469         return native_pgd_val(pmd.pud.pgd);
8470 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8471  
8472  extern pteval_t __supported_pte_mask;
8473  extern void set_nx(void);
8474 -extern int nx_enabled;
8475  
8476  #define pgprot_writecombine    pgprot_writecombine
8477  extern pgprot_t pgprot_writecombine(pgprot_t prot);
8478 diff -urNp linux-2.6.35.5/arch/x86/include/asm/processor.h linux-2.6.35.5/arch/x86/include/asm/processor.h
8479 --- linux-2.6.35.5/arch/x86/include/asm/processor.h     2010-08-26 19:47:12.000000000 -0400
8480 +++ linux-2.6.35.5/arch/x86/include/asm/processor.h     2010-09-17 20:12:09.000000000 -0400
8481 @@ -269,7 +269,7 @@ struct tss_struct {
8482  
8483  } ____cacheline_aligned;
8484  
8485 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8486 +extern struct tss_struct init_tss[NR_CPUS];
8487  
8488  /*
8489   * Save the original ist values for checking stack pointers during debugging
8490 @@ -884,8 +884,15 @@ static inline void spin_lock_prefetch(co
8491   */
8492  #define TASK_SIZE              PAGE_OFFSET
8493  #define TASK_SIZE_MAX          TASK_SIZE
8494 +
8495 +#ifdef CONFIG_PAX_SEGMEXEC
8496 +#define SEGMEXEC_TASK_SIZE     (TASK_SIZE / 2)
8497 +#define STACK_TOP              ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8498 +#else
8499  #define STACK_TOP              TASK_SIZE
8500 -#define STACK_TOP_MAX          STACK_TOP
8501 +#endif
8502 +
8503 +#define STACK_TOP_MAX          TASK_SIZE
8504  
8505  #define INIT_THREAD  {                                                   \
8506         .sp0                    = sizeof(init_stack) + (long)&init_stack, \
8507 @@ -902,7 +909,7 @@ static inline void spin_lock_prefetch(co
8508   */
8509  #define INIT_TSS  {                                                      \
8510         .x86_tss = {                                                      \
8511 -               .sp0            = sizeof(init_stack) + (long)&init_stack, \
8512 +               .sp0            = sizeof(init_stack) + (long)&init_stack - 8, \
8513                 .ss0            = __KERNEL_DS,                            \
8514                 .ss1            = __KERNEL_CS,                            \
8515                 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET,               \
8516 @@ -913,11 +920,7 @@ static inline void spin_lock_prefetch(co
8517  extern unsigned long thread_saved_pc(struct task_struct *tsk);
8518  
8519  #define THREAD_SIZE_LONGS      (THREAD_SIZE/sizeof(unsigned long))
8520 -#define KSTK_TOP(info)                                                 \
8521 -({                                                                     \
8522 -       unsigned long *__ptr = (unsigned long *)(info);                 \
8523 -       (unsigned long)(&__ptr[THREAD_SIZE_LONGS]);                     \
8524 -})
8525 +#define KSTK_TOP(info)         ((info)->task.thread.sp0)
8526  
8527  /*
8528   * The below -8 is to reserve 8 bytes on top of the ring0 stack.
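Review bot: The replacement `KSTK_TOP(info)` expands to `((info)->task.thread.sp0)`, which applies `.` to the `task` member. `thread_info` is not shown in this hunk, but in the mainline header `task` is a `struct task_struct *`, in which case the expression would need `(info)->task->thread.sp0` and the macro fails to compile as soon as something expands it. The macro also changes its argument contract from an untyped stack pointer (the removed body cast `info` to `unsigned long *`) to a typed structure pointer, which deserves a comment. If no user remains after this patch, removing the macro is cleaner than keeping an unexercised definition.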
8529 @@ -932,7 +935,7 @@ extern unsigned long thread_saved_pc(str
8530  #define task_pt_regs(task)                                             \
8531  ({                                                                     \
8532         struct pt_regs *__regs__;                                       \
8533 -       __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8534 +       __regs__ = (struct pt_regs *)((task)->thread.sp0);              \
8535         __regs__ - 1;                                                   \
8536  })
8537  
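Review bot: `task_pt_regs()` now takes `(task)->thread.sp0` as the top of the register frame without subtracting 8, so it is correct only if every `thread.sp0` already includes the 8-byte reserve. In this file `INIT_TSS` gains `- 8`, but the `INIT_THREAD` initialiser shown as context in the `@@ -884` hunk still sets `.sp0 = sizeof(init_stack) + (long)&init_stack` with no reserve. The other places that assign `thread.sp0` are outside this view and should be checked. The comment beginning `The below -8 is to reserve 8 bytes` (context at the end of the previous hunk) no longer matches the macro and should be reworded to say where the reserve is applied now.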
8538 @@ -942,13 +945,13 @@ extern unsigned long thread_saved_pc(str
8539  /*
8540   * User space process size. 47bits minus one guard page.
8541   */
8542 -#define TASK_SIZE_MAX  ((1UL << 47) - PAGE_SIZE)
8543 +#define TASK_SIZE_MAX  ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8544  
8545  /* This decides where the kernel will search for a free chunk of vm
8546   * space during mmap's.
8547   */
8548  #define IA32_PAGE_OFFSET       ((current->personality & ADDR_LIMIT_3GB) ? \
8549 -                                       0xc0000000 : 0xFFFFe000)
8550 +                                       0xc0000000 : 0xFFFFf000)
8551  
8552  #define TASK_SIZE              (test_thread_flag(TIF_IA32) ? \
8553                                         IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8554 @@ -985,6 +988,10 @@ extern void start_thread(struct pt_regs 
8555   */
8556  #define TASK_UNMAPPED_BASE     (PAGE_ALIGN(TASK_SIZE / 3))
8557  
8558 +#ifdef CONFIG_PAX_SEGMEXEC
8559 +#define SEGMEXEC_TASK_UNMAPPED_BASE    (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8560 +#endif
8561 +
8562  #define KSTK_EIP(task)         (task_pt_regs(task)->ip)
8563  
8564  /* Get/set a process' ability to use the timestamp counter instruction */
8565 diff -urNp linux-2.6.35.5/arch/x86/include/asm/ptrace.h linux-2.6.35.5/arch/x86/include/asm/ptrace.h
8566 --- linux-2.6.35.5/arch/x86/include/asm/ptrace.h        2010-08-26 19:47:12.000000000 -0400
8567 +++ linux-2.6.35.5/arch/x86/include/asm/ptrace.h        2010-09-17 20:12:09.000000000 -0400
8568 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8569  }
8570  
8571  /*
8572 - * user_mode_vm(regs) determines whether a register set came from user mode.
8573 + * user_mode(regs) determines whether a register set came from user mode.
8574   * This is true if V8086 mode was enabled OR if the register set was from
8575   * protected mode with RPL-3 CS value.  This tricky test checks that with
8576   * one comparison.  Many places in the kernel can bypass this full check
8577 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8578 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8579 + * be used.
8580   */
8581 -static inline int user_mode(struct pt_regs *regs)
8582 +static inline int user_mode_novm(struct pt_regs *regs)
8583  {
8584  #ifdef CONFIG_X86_32
8585         return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8586  #else
8587 -       return !!(regs->cs & 3);
8588 +       return !!(regs->cs & SEGMENT_RPL_MASK);
8589  #endif
8590  }
8591  
8592 -static inline int user_mode_vm(struct pt_regs *regs)
8593 +static inline int user_mode(struct pt_regs *regs)
8594  {
8595  #ifdef CONFIG_X86_32
8596         return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8597                 USER_RPL;
8598  #else
8599 -       return user_mode(regs);
8600 +       return user_mode_novm(regs);
8601  #endif
8602  }
8603  
8604 diff -urNp linux-2.6.35.5/arch/x86/include/asm/reboot.h linux-2.6.35.5/arch/x86/include/asm/reboot.h
8605 --- linux-2.6.35.5/arch/x86/include/asm/reboot.h        2010-08-26 19:47:12.000000000 -0400
8606 +++ linux-2.6.35.5/arch/x86/include/asm/reboot.h        2010-09-17 20:12:09.000000000 -0400
8607 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8608  
8609  void native_machine_crash_shutdown(struct pt_regs *regs);
8610  void native_machine_shutdown(void);
8611 -void machine_real_restart(const unsigned char *code, int length);
8612 +void machine_real_restart(const unsigned char *code, unsigned int length);
8613  
8614  typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8615  void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8616 diff -urNp linux-2.6.35.5/arch/x86/include/asm/rwsem.h linux-2.6.35.5/arch/x86/include/asm/rwsem.h
8617 --- linux-2.6.35.5/arch/x86/include/asm/rwsem.h 2010-08-26 19:47:12.000000000 -0400
8618 +++ linux-2.6.35.5/arch/x86/include/asm/rwsem.h 2010-09-17 20:12:09.000000000 -0400
8619 @@ -118,10 +118,26 @@ static inline void __down_read(struct rw
8620  {
8621         asm volatile("# beginning down_read\n\t"
8622                      LOCK_PREFIX _ASM_INC "(%1)\n\t"
8623 +
8624 +#ifdef CONFIG_PAX_REFCOUNT
8625 +#ifdef CONFIG_X86_32
8626 +                    "into\n0:\n"
8627 +#else
8628 +                    "jno 0f\n"
8629 +                    "int $4\n0:\n"
8630 +#endif
8631 +                    ".pushsection .fixup,\"ax\"\n"
8632 +                    "1:\n"
8633 +                    LOCK_PREFIX _ASM_DEC "(%1)\n"
8634 +                    "jmp 0b\n"
8635 +                    ".popsection\n"
8636 +                    _ASM_EXTABLE(0b, 1b)
8637 +#endif
8638 +
8639                      /* adds 0x00000001, returns the old value */
8640 -                    "  jns        1f\n"
8641 +                    "  jns        2f\n"
8642                      "  call call_rwsem_down_read_failed\n"
8643 -                    "1:\n\t"
8644 +                    "2:\n\t"
8645                      "# ending down_read\n\t"
8646                      : "+m" (sem->count)
8647                      : "a" (sem)
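Review bot: The CONFIG_PAX_REFCOUNT block is inserted between the `_ASM_INC` instruction and the comment `/* adds 0x00000001, returns the old value */` that describes it, and the block itself is uncommented, so the reader has to decode the label scheme alone. I would move the existing comment back above the increment and add something like `/* PAX_REFCOUNT: trap on signed overflow; fixup 1: undoes the update and resumes at 0: */`. The same block recurs in the `__down_read_trylock()` and `__down_write_nested()` hunks with only the undo instruction changed (`sub %3,%2`, `mov %1,(%2)`), which suggests one helper macro taking the undo instruction as its argument. The body of `__down_read()` starts before and ends after this hunk.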
8648 @@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
8649         rwsem_count_t result, tmp;
8650         asm volatile("# beginning __down_read_trylock\n\t"
8651                      "  mov          %0,%1\n\t"
8652 -                    "1:\n\t"
8653 +                    "2:\n\t"
8654                      "  mov          %1,%2\n\t"
8655                      "  add          %3,%2\n\t"
8656 -                    "  jle          2f\n\t"
8657 +
8658 +#ifdef CONFIG_PAX_REFCOUNT
8659 +#ifdef CONFIG_X86_32
8660 +                    "into\n0:\n"
8661 +#else
8662 +                    "jno 0f\n"
8663 +                    "int $4\n0:\n"
8664 +#endif
8665 +                    ".pushsection .fixup,\"ax\"\n"
8666 +                    "1:\n"
8667 +                    "sub %3,%2\n"
8668 +                    "jmp 0b\n"
8669 +                    ".popsection\n"
8670 +                    _ASM_EXTABLE(0b, 1b)
8671 +#endif
8672 +
8673 +                    "  jle          3f\n\t"
8674                      LOCK_PREFIX "  cmpxchg  %2,%0\n\t"
8675 -                    "  jnz          1b\n\t"
8676 -                    "2:\n\t"
8677 +                    "  jnz          2b\n\t"
8678 +                    "3:\n\t"
8679                      "# ending __down_read_trylock\n\t"
8680                      : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8681                      : "i" (RWSEM_ACTIVE_READ_BIAS)
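Review bot: On the overflow path in `__down_read_trylock`, the `jle 3f` that follows label `0:` tests the flags left by the fixup's `sub %3,%2`, not those of the original `add`, and nothing in the hunk says which outcome is intended. After the `sub`, `%2` again holds the old count, so if that count is positive and execution continues past the trap handler, the `cmpxchg` stores an unchanged value. What the function then reports is decided outside the hunk. A comment at the fixup would make the intent reviewable, for example `/* overflow: tmp is restored, so the cmpxchg below leaves the count unchanged */`.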
8682 @@ -160,12 +192,28 @@ static inline void __down_write_nested(s
8683         tmp = RWSEM_ACTIVE_WRITE_BIAS;
8684         asm volatile("# beginning down_write\n\t"
8685                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8686 +
8687 +#ifdef CONFIG_PAX_REFCOUNT
8688 +#ifdef CONFIG_X86_32
8689 +                    "into\n0:\n"
8690 +#else
8691 +                    "jno 0f\n"
8692 +                    "int $4\n0:\n"
8693 +#endif
8694 +                    ".pushsection .fixup,\"ax\"\n"
8695 +                    "1:\n"
8696 +                    "mov %1,(%2)\n"
8697 +                    "jmp 0b\n"
8698 +                    ".popsection\n"
8699 +                    _ASM_EXTABLE(0b, 1b)
8700 +#endif
8701 +
8702                      /* subtract 0x0000ffff, returns the old value */
8703                      "  test      %1,%1\n\t"
8704                      /* was the count 0 before? */
8705 -                    "  jz        1f\n"
8706 +                    "  jz        2f\n"
8707                      "  call call_rwsem_down_write_failed\n"
8708 -                    "1:\n"
8709 +                    "2:\n"
8710                      "# ending down_write"
8711                      : "+m" (sem->count), "=d" (tmp)
8712                      : "a" (sem), "1" (tmp)
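Review bot: The fixup at `1:` in `__down_write_nested` undoes the overflowing `xadd` with a plain `mov %1,(%2)`, which stores the pre-xadd value back instead of applying a locked inverse operation. A change made to `sem->count` by another CPU between the `xadd` and the fixup would therefore be overwritten. The same store-back is used in the `__up_read`, `__up_write` and `rwsem_atomic_update` hunks, while `__down_read`, `__downgrade_write` and `rwsem_atomic_add` undo with a locked `dec`/`sub`. Because `xadd` replaces the delta in `%1` with the old value, a locked undo would need the delta kept in a second register. If the store-back is accepted as is, record that at the site, for example `/* overflow undo: non-atomic store of the old count */`; the function body starts and ends outside the hunk.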
8713 @@ -198,10 +246,26 @@ static inline void __up_read(struct rw_s
8714         rwsem_count_t tmp = -RWSEM_ACTIVE_READ_BIAS;
8715         asm volatile("# beginning __up_read\n\t"
8716                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8717 +
8718 +#ifdef CONFIG_PAX_REFCOUNT
8719 +#ifdef CONFIG_X86_32
8720 +                    "into\n0:\n"
8721 +#else
8722 +                    "jno 0f\n"
8723 +                    "int $4\n0:\n"
8724 +#endif
8725 +                    ".pushsection .fixup,\"ax\"\n"
8726 +                    "1:\n"
8727 +                    "mov %1,(%2)\n"
8728 +                    "jmp 0b\n"
8729 +                    ".popsection\n"
8730 +                    _ASM_EXTABLE(0b, 1b)
8731 +#endif
8732 +
8733                      /* subtracts 1, returns the old value */
8734 -                    "  jns        1f\n\t"
8735 +                    "  jns        2f\n\t"
8736                      "  call call_rwsem_wake\n"
8737 -                    "1:\n"
8738 +                    "2:\n"
8739                      "# ending __up_read\n"
8740                      : "+m" (sem->count), "=d" (tmp)
8741                      : "a" (sem), "1" (tmp)
8742 @@ -216,11 +280,27 @@ static inline void __up_write(struct rw_
8743         rwsem_count_t tmp;
8744         asm volatile("# beginning __up_write\n\t"
8745                      LOCK_PREFIX "  xadd      %1,(%2)\n\t"
8746 +
8747 +#ifdef CONFIG_PAX_REFCOUNT
8748 +#ifdef CONFIG_X86_32
8749 +                    "into\n0:\n"
8750 +#else
8751 +                    "jno 0f\n"
8752 +                    "int $4\n0:\n"
8753 +#endif
8754 +                    ".pushsection .fixup,\"ax\"\n"
8755 +                    "1:\n"
8756 +                    "mov %1,(%2)\n"
8757 +                    "jmp 0b\n"
8758 +                    ".popsection\n"
8759 +                    _ASM_EXTABLE(0b, 1b)
8760 +#endif
8761 +
8762                      /* tries to transition
8763                         0xffff0001 -> 0x00000000 */
8764 -                    "  jz       1f\n"
8765 +                    "  jz       2f\n"
8766                      "  call call_rwsem_wake\n"
8767 -                    "1:\n\t"
8768 +                    "2:\n\t"
8769                      "# ending __up_write\n"
8770                      : "+m" (sem->count), "=d" (tmp)
8771                      : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
8772 @@ -234,13 +314,29 @@ static inline void __downgrade_write(str
8773  {
8774         asm volatile("# beginning __downgrade_write\n\t"
8775                      LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8776 +
8777 +#ifdef CONFIG_PAX_REFCOUNT
8778 +#ifdef CONFIG_X86_32
8779 +                    "into\n0:\n"
8780 +#else
8781 +                    "jno 0f\n"
8782 +                    "int $4\n0:\n"
8783 +#endif
8784 +                    ".pushsection .fixup,\"ax\"\n"
8785 +                    "1:\n"
8786 +                    LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
8787 +                    "jmp 0b\n"
8788 +                    ".popsection\n"
8789 +                    _ASM_EXTABLE(0b, 1b)
8790 +#endif
8791 +
8792                      /*
8793                       * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
8794                       *     0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
8795                       */
8796 -                    "  jns       1f\n\t"
8797 +                    "  jns       2f\n\t"
8798                      "  call call_rwsem_downgrade_wake\n"
8799 -                    "1:\n\t"
8800 +                    "2:\n\t"
8801                      "# ending __downgrade_write\n"
8802                      : "+m" (sem->count)
8803                      : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
8804 @@ -253,7 +349,23 @@ static inline void __downgrade_write(str
8805  static inline void rwsem_atomic_add(rwsem_count_t delta,
8806                                     struct rw_semaphore *sem)
8807  {
8808 -       asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
8809 +       asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
8810 +
8811 +#ifdef CONFIG_PAX_REFCOUNT
8812 +#ifdef CONFIG_X86_32
8813 +                    "into\n0:\n"
8814 +#else
8815 +                    "jno 0f\n"
8816 +                    "int $4\n0:\n"
8817 +#endif
8818 +                    ".pushsection .fixup,\"ax\"\n"
8819 +                    "1:\n"
8820 +                    LOCK_PREFIX _ASM_SUB "%1,%0\n"
8821 +                    "jmp 0b\n"
8822 +                    ".popsection\n"
8823 +                    _ASM_EXTABLE(0b, 1b)
8824 +#endif
8825 +
8826                      : "+m" (sem->count)
8827                      : "er" (delta));
8828  }
8829 @@ -266,7 +378,23 @@ static inline rwsem_count_t rwsem_atomic
8830  {
8831         rwsem_count_t tmp = delta;
8832  
8833 -       asm volatile(LOCK_PREFIX "xadd %0,%1"
8834 +       asm volatile(LOCK_PREFIX "xadd %0,%1\n"
8835 +
8836 +#ifdef CONFIG_PAX_REFCOUNT
8837 +#ifdef CONFIG_X86_32
8838 +                    "into\n0:\n"
8839 +#else
8840 +                    "jno 0f\n"
8841 +                    "int $4\n0:\n"
8842 +#endif
8843 +                    ".pushsection .fixup,\"ax\"\n"
8844 +                    "1:\n"
8845 +                    "mov %0,%1\n"
8846 +                    "jmp 0b\n"
8847 +                    ".popsection\n"
8848 +                    _ASM_EXTABLE(0b, 1b)
8849 +#endif
8850 +
8851                      : "+r" (tmp), "+m" (sem->count)
8852                      : : "memory");
8853  
8854 diff -urNp linux-2.6.35.5/arch/x86/include/asm/segment.h linux-2.6.35.5/arch/x86/include/asm/segment.h
8855 --- linux-2.6.35.5/arch/x86/include/asm/segment.h       2010-08-26 19:47:12.000000000 -0400
8856 +++ linux-2.6.35.5/arch/x86/include/asm/segment.h       2010-09-17 20:12:09.000000000 -0400
8857 @@ -62,8 +62,8 @@
8858   *  26 - ESPFIX small SS
8859   *  27 - per-cpu                       [ offset to per-cpu data area ]
8860   *  28 - stack_canary-20               [ for stack protector ]
8861 - *  29 - unused
8862 - *  30 - unused
8863 + *  29 - PCI BIOS CS
8864 + *  30 - PCI BIOS DS
8865   *  31 - TSS for double fault handler
8866   */
8867  #define GDT_ENTRY_TLS_MIN      6
8868 @@ -77,6 +77,8 @@
8869  
8870  #define GDT_ENTRY_KERNEL_CS            (GDT_ENTRY_KERNEL_BASE + 0)
8871  
8872 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS   (4)
8873 +
8874  #define GDT_ENTRY_KERNEL_DS            (GDT_ENTRY_KERNEL_BASE + 1)
8875  
8876  #define GDT_ENTRY_TSS                  (GDT_ENTRY_KERNEL_BASE + 4)
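Review bot: `GDT_ENTRY_KERNEXEC_KERNEL_CS` is given as the literal `(4)` while the entries around it are written relative to `GDT_ENTRY_KERNEL_BASE`, and nothing in this hunk says which row of the GDT layout table it occupies. The previous hunk updates that table for slots 29 and 30, but the rows for the low slots are outside the visible lines, so whether slot 4 is recorded there cannot be checked from here. A trailing comment such as `/* fixed slot 4; keep in sync with the GDT layout table above */` would make the dependency explicit.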
8877 @@ -88,7 +90,7 @@
8878  #define GDT_ENTRY_ESPFIX_SS            (GDT_ENTRY_KERNEL_BASE + 14)
8879  #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
8880  
8881 -#define GDT_ENTRY_PERCPU                       (GDT_ENTRY_KERNEL_BASE + 15)
8882 +#define GDT_ENTRY_PERCPU               (GDT_ENTRY_KERNEL_BASE + 15)
8883  #ifdef CONFIG_SMP
8884  #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
8885  #else
8886 @@ -102,6 +104,12 @@
8887  #define __KERNEL_STACK_CANARY          0
8888  #endif
8889  
8890 +#define GDT_ENTRY_PCIBIOS_CS           (GDT_ENTRY_KERNEL_BASE + 17)
8891 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
8892 +
8893 +#define GDT_ENTRY_PCIBIOS_DS           (GDT_ENTRY_KERNEL_BASE + 18)
8894 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
8895 +
8896  #define GDT_ENTRY_DOUBLEFAULT_TSS      31
8897  
8898  /*
8899 @@ -139,7 +147,7 @@
8900   */
8901  
8902  /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
8903 -#define SEGMENT_IS_PNP_CODE(x)   (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
8904 +#define SEGMENT_IS_PNP_CODE(x)   (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
8905  
8906  
8907  #else
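Review bot: The new `SEGMENT_IS_PNP_CODE(x)` expands `x` twice, so an argument with side effects is evaluated twice where the old single-comparison form evaluated it once. The definitions of `PNP_CS32` and `PNP_CS16` are outside this hunk, so the comparison relies on both being selector values with the low two bits clear, which the `0xFFFCU` mask assumes. A comment on the macro would record both constraints: `/* x is evaluated twice; the selector is compared with its low two (RPL) bits masked off */`.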
8908 @@ -163,6 +171,8 @@
8909  #define __USER32_CS   (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
8910  #define __USER32_DS    __USER_DS
8911  
8912 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
8913 +
8914  #define GDT_ENTRY_TSS 8        /* needs two entries */
8915  #define GDT_ENTRY_LDT 10 /* needs two entries */
8916  #define GDT_ENTRY_TLS_MIN 12
8917 @@ -183,6 +193,7 @@
8918  #endif
8919  
8920  #define __KERNEL_CS    (GDT_ENTRY_KERNEL_CS * 8)
8921 +#define __KERNEXEC_KERNEL_CS   (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
8922  #define __KERNEL_DS    (GDT_ENTRY_KERNEL_DS * 8)
8923  #define __USER_DS     (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
8924  #define __USER_CS     (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
8925 diff -urNp linux-2.6.35.5/arch/x86/include/asm/spinlock.h linux-2.6.35.5/arch/x86/include/asm/spinlock.h
8926 --- linux-2.6.35.5/arch/x86/include/asm/spinlock.h      2010-08-26 19:47:12.000000000 -0400
8927 +++ linux-2.6.35.5/arch/x86/include/asm/spinlock.h      2010-09-17 20:12:09.000000000 -0400
8928 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
8929  static inline void arch_read_lock(arch_rwlock_t *rw)
8930  {
8931         asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
8932 -                    "jns 1f\n"
8933 -                    "call __read_lock_failed\n\t"
8934 +
8935 +#ifdef CONFIG_PAX_REFCOUNT
8936 +#ifdef CONFIG_X86_32
8937 +                    "into\n0:\n"
8938 +#else
8939 +                    "jno 0f\n"
8940 +                    "int $4\n0:\n"
8941 +#endif
8942 +                    ".pushsection .fixup,\"ax\"\n"
8943                      "1:\n"
8944 +                    LOCK_PREFIX " addl $1,(%0)\n"
8945 +                    "jmp 0b\n"
8946 +                    ".popsection\n"
8947 +                    _ASM_EXTABLE(0b, 1b)
8948 +#endif
8949 +
8950 +                    "jns 2f\n"
8951 +                    "call __read_lock_failed\n\t"
8952 +                    "2:\n"
8953                      ::LOCK_PTR_REG (rw) : "memory");
8954  }
8955  
8956  static inline void arch_write_lock(arch_rwlock_t *rw)
8957  {
8958         asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
8959 -                    "jz 1f\n"
8960 -                    "call __write_lock_failed\n\t"
8961 +
8962 +#ifdef CONFIG_PAX_REFCOUNT
8963 +#ifdef CONFIG_X86_32
8964 +                    "into\n0:\n"
8965 +#else
8966 +                    "jno 0f\n"
8967 +                    "int $4\n0:\n"
8968 +#endif
8969 +                    ".pushsection .fixup,\"ax\"\n"
8970                      "1:\n"
8971 +                    LOCK_PREFIX " addl %1,(%0)\n"
8972 +                    "jmp 0b\n"
8973 +                    ".popsection\n"
8974 +                    _ASM_EXTABLE(0b, 1b)
8975 +#endif
8976 +
8977 +                    "jz 2f\n"
8978 +                    "call __write_lock_failed\n\t"
8979 +                    "2:\n"
8980                      ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
8981  }
8982  
8983 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
8984  
8985  static inline void arch_read_unlock(arch_rwlock_t *rw)
8986  {
8987 -       asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
8988 +       asm volatile(LOCK_PREFIX "incl %0\n"
8989 +
8990 +#ifdef CONFIG_PAX_REFCOUNT
8991 +#ifdef CONFIG_X86_32
8992 +                    "into\n0:\n"
8993 +#else
8994 +                    "jno 0f\n"
8995 +                    "int $4\n0:\n"
8996 +#endif
8997 +                    ".pushsection .fixup,\"ax\"\n"
8998 +                    "1:\n"
8999 +                    LOCK_PREFIX "decl %0\n"
9000 +                    "jmp 0b\n"
9001 +                    ".popsection\n"
9002 +                    _ASM_EXTABLE(0b, 1b)
9003 +#endif
9004 +
9005 +                    :"+m" (rw->lock) : : "memory");
9006  }
9007  
9008  static inline void arch_write_unlock(arch_rwlock_t *rw)
9009  {
9010 -       asm volatile(LOCK_PREFIX "addl %1, %0"
9011 +       asm volatile(LOCK_PREFIX "addl %1, %0\n"
9012 +
9013 +#ifdef CONFIG_PAX_REFCOUNT
9014 +#ifdef CONFIG_X86_32
9015 +                    "into\n0:\n"
9016 +#else
9017 +                    "jno 0f\n"
9018 +                    "int $4\n0:\n"
9019 +#endif
9020 +                    ".pushsection .fixup,\"ax\"\n"
9021 +                    "1:\n"
9022 +                    LOCK_PREFIX "subl %1,%0\n"
9023 +                    "jmp 0b\n"
9024 +                    ".popsection\n"
9025 +                    _ASM_EXTABLE(0b, 1b)
9026 +#endif
9027 +
9028                      : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9029  }
9030  
9031 diff -urNp linux-2.6.35.5/arch/x86/include/asm/system.h linux-2.6.35.5/arch/x86/include/asm/system.h
9032 --- linux-2.6.35.5/arch/x86/include/asm/system.h        2010-08-26 19:47:12.000000000 -0400
9033 +++ linux-2.6.35.5/arch/x86/include/asm/system.h        2010-09-17 20:12:09.000000000 -0400
9034 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9035  {
9036         unsigned long __limit;
9037         asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9038 -       return __limit + 1;
9039 +       return __limit;
9040  }
9041  
9042  static inline void native_clts(void)
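Review bot: `get_limit()` now returns the raw result of `lsll`, the highest valid offset, instead of that value plus one, and nothing at the function records that its contract changed. On a 32-bit build, dropping the `+ 1` avoids the wrap to 0 that a limit of all ones would produce. Any caller that still treats the result as a size is now off by one, and the callers are not part of this hunk. A comment above the `return` would help: `/* returns the limit (last valid offset), not limit + 1 */`. The start of the function is outside the hunk.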
9043 @@ -342,7 +342,7 @@ void enable_hlt(void);
9044  
9045  void cpu_idle_wait(void);
9046  
9047 -extern unsigned long arch_align_stack(unsigned long sp);
9048 +#define arch_align_stack(x) ((x) & ~0xfUL)
9049  extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9050  
9051  void default_idle(void);
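Review bot: Replacing the `arch_align_stack()` prototype with `#define arch_align_stack(x) ((x) & ~0xfUL)` drops the `unsigned long` argument and return types the declaration enforced, so a narrower or signed argument is now converted silently. `static inline unsigned long arch_align_stack(unsigned long sp) { return sp & ~0xfUL; }` keeps the same code generation with the type check intact. Whatever the out-of-line definition did beyond aligning is removed along with it. That definition is not visible here, so a comment should state that plain 16-byte alignment is the intended behaviour.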
9052 diff -urNp linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h
9053 --- linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h    2010-08-26 19:47:12.000000000 -0400
9054 +++ linux-2.6.35.5/arch/x86/include/asm/uaccess_32.h    2010-09-17 20:12:09.000000000 -0400
9055 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9056  static __always_inline unsigned long __must_check
9057  __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9058  {
9059 +       if ((long)n < 0)
9060 +               return n;
9061 +
9062         if (__builtin_constant_p(n)) {
9063                 unsigned long ret;
9064  
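Review bot: The `(long)n < 0` guard added at the top of `__copy_to_user_inatomic` has no comment saying why a length with the top bit set is refused or what the caller sees. It returns `n` unchanged, which reports every byte as not copied, before any access is attempted. The same guard is added without comment in `__copy_from_user_inatomic`, `__copy_from_user` and `__copy_from_user_inatomic_nocache` in this file, and as `(int)size < 0` throughout uaccess_64.h. One comment at the first site would cover them, for example `/* a length that is negative as a signed value is treated as a caller bug: copy nothing, report all bytes uncopied */`. The function body continues outside the hunk.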
9065 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9066                         return ret;
9067                 }
9068         }
9069 +       if (!__builtin_constant_p(n))
9070 +               check_object_size(from, n, true);
9071         return __copy_to_user_ll(to, from, n);
9072  }
9073  
9074 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9075  static __always_inline unsigned long
9076  __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9077  {
9078 +       if ((long)n < 0)
9079 +               return n;
9080 +
9081         /* Avoid zeroing the tail if the copy fails..
9082          * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9083          * but as the zeroing behaviour is only significant when n is not
9084 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9085  __copy_from_user(void *to, const void __user *from, unsigned long n)
9086  {
9087         might_fault();
9088 +
9089 +       if ((long)n < 0)
9090 +               return n;
9091 +
9092         if (__builtin_constant_p(n)) {
9093                 unsigned long ret;
9094  
9095 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9096                         return ret;
9097                 }
9098         }
9099 +       if (!__builtin_constant_p(n))
9100 +               check_object_size(to, n, false);
9101         return __copy_from_user_ll(to, from, n);
9102  }
9103  
9104 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9105                                 const void __user *from, unsigned long n)
9106  {
9107         might_fault();
9108 +
9109 +       if ((long)n < 0)
9110 +               return n;
9111 +
9112         if (__builtin_constant_p(n)) {
9113                 unsigned long ret;
9114  
9115 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9116  __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9117                                   unsigned long n)
9118  {
9119 -       return __copy_from_user_ll_nocache_nozero(to, from, n);
9120 -}
9121 +       if ((long)n < 0)
9122 +               return n;
9123  
9124 -unsigned long __must_check copy_to_user(void __user *to,
9125 -                                       const void *from, unsigned long n);
9126 -unsigned long __must_check _copy_from_user(void *to,
9127 -                                         const void __user *from,
9128 -                                         unsigned long n);
9129 +       return __copy_from_user_ll_nocache_nozero(to, from, n);
9130 +}
9131  
9132 +extern void copy_to_user_overflow(void)
9133 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9134 +       __compiletime_error("copy_to_user() buffer size is not provably correct")
9135 +#else
9136 +       __compiletime_warning("copy_to_user() buffer size is not provably correct")
9137 +#endif
9138 +;
9139  
9140  extern void copy_from_user_overflow(void)
9141  #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9142 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9143  #endif
9144  ;
9145  
9146 -static inline unsigned long __must_check copy_from_user(void *to,
9147 -                                         const void __user *from,
9148 -                                         unsigned long n)
9149 +/**
9150 + * copy_to_user: - Copy a block of data into user space.
9151 + * @to:   Destination address, in user space.
9152 + * @from: Source address, in kernel space.
9153 + * @n:    Number of bytes to copy.
9154 + *
9155 + * Context: User context only.  This function may sleep.
9156 + *
9157 + * Copy data from kernel space to user space.
9158 + *
9159 + * Returns number of bytes that could not be copied.
9160 + * On success, this will be zero.
9161 + */
9162 +static inline unsigned long __must_check
9163 +copy_to_user(void __user *to, const void *from, unsigned long n)
9164 +{
9165 +       int sz = __compiletime_object_size(from);
9166 +
9167 +       if (unlikely(sz != -1 && sz < n))
9168 +               copy_to_user_overflow();
9169 +       else if (access_ok(VERIFY_WRITE, to, n))
9170 +               n = __copy_to_user(to, from, n);
9171 +       return n;
9172 +}
9173 +
9174 +/**
9175 + * copy_from_user: - Copy a block of data from user space.
9176 + * @to:   Destination address, in kernel space.
9177 + * @from: Source address, in user space.
9178 + * @n:    Number of bytes to copy.
9179 + *
9180 + * Context: User context only.  This function may sleep.
9181 + *
9182 + * Copy data from user space to kernel space.
9183 + *
9184 + * Returns number of bytes that could not be copied.
9185 + * On success, this will be zero.
9186 + *
9187 + * If some data could not be copied, this function will pad the copied
9188 + * data to the requested size using zero bytes.
9189 + */
9190 +static inline unsigned long __must_check
9191 +copy_from_user(void *to, const void __user *from, unsigned long n)
9192  {
9193         int sz = __compiletime_object_size(to);
9194  
9195 -       if (likely(sz == -1 || sz >= n))
9196 -               n = _copy_from_user(to, from, n);
9197 -       else
9198 +       if (unlikely(sz != -1 && sz < n))
9199                 copy_from_user_overflow();
9200 -
9201 +       else if (access_ok(VERIFY_READ, from, n))
9202 +               n = __copy_from_user(to, from, n);
9203 +       else if ((long)n > 0) {
9204 +               if (!__builtin_constant_p(n))
9205 +                       check_object_size(to, n, false);
9206 +               memset(to, 0, n);
9207 +       }
9208         return n;
9209  }
9210  
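Review bot: The kernel-doc added for `copy_from_user()` says the destination is padded with zero bytes whenever data could not be copied, but two paths in the new body return `n` without touching `to`. These are the `sz != -1 && sz < n` branch that calls `copy_from_user_overflow()`, and an `access_ok()` failure where `(long)n > 0` is false. Skipping the `memset` there looks deliberate, since zeroing `n` bytes would itself write past the object, so the comment should say so. One extra line would do: `* No padding is done when @n exceeds the compile-time size of @to or is not positive as a signed value.`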
9211 diff -urNp linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h
9212 --- linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h    2010-08-26 19:47:12.000000000 -0400
9213 +++ linux-2.6.35.5/arch/x86/include/asm/uaccess_64.h    2010-09-17 20:12:37.000000000 -0400
9214 @@ -11,6 +11,11 @@
9215  #include <asm/alternative.h>
9216  #include <asm/cpufeature.h>
9217  #include <asm/page.h>
9218 +#include <asm/pgtable.h>
9219 +
9220 +#define set_fs(x)      (current_thread_info()->addr_limit = (x))
9221 +
9222 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9223  
9224  /*
9225   * Copy To/From Userspace
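Review bot: The `set_fs(x)` macro and the `check_object_size()` declaration added here are also added, token for token, in the uaccess.h hunks later in this patch: `set_fs` in the `#else` branch of `CONFIG_X86_32`, the declaration after `VERIFY_WRITE`. An identical macro redefinition is accepted by the preprocessor, but the two copies will conflict as soon as one of them is edited, and this hunk does not show which header includes the other. Keeping a single definition, or marking this copy with `/* must match asm/uaccess.h */`, would remove that trap.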
9226 @@ -37,26 +42,26 @@ copy_user_generic(void *to, const void *
9227         return ret;
9228  }
9229  
9230 -__must_check unsigned long
9231 -_copy_to_user(void __user *to, const void *from, unsigned len);
9232 -__must_check unsigned long
9233 -_copy_from_user(void *to, const void __user *from, unsigned len);
9234 +static __always_inline __must_check unsigned long
9235 +__copy_to_user(void __user *to, const void *from, unsigned len);
9236 +static __always_inline __must_check unsigned long
9237 +__copy_from_user(void *to, const void __user *from, unsigned len);
9238  __must_check unsigned long
9239  copy_in_user(void __user *to, const void __user *from, unsigned len);
9240  
9241  static inline unsigned long __must_check copy_from_user(void *to,
9242                                           const void __user *from,
9243 -                                         unsigned long n)
9244 +                                         unsigned n)
9245  {
9246 -       int sz = __compiletime_object_size(to);
9247 -
9248         might_fault();
9249 -       if (likely(sz == -1 || sz >= n))
9250 -               n = _copy_from_user(to, from, n);
9251 -#ifdef CONFIG_DEBUG_VM
9252 -       else
9253 -               WARN(1, "Buffer overflow detected!\n");
9254 -#endif
9255 +
9256 +       if (access_ok(VERIFY_READ, from, n))
9257 +               n = __copy_from_user(to, from, n);
9258 +       else if ((int)n > 0) {
9259 +               if (!__builtin_constant_p(n))
9260 +                       check_object_size(to, n, false);
9261 +               memset(to, 0, n);
9262 +       }
9263         return n;
9264  }
9265  
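Review bot: Narrowing the length parameter of `copy_from_user()` from `unsigned long n` to `unsigned n` means a 64-bit count from a caller is truncated to 32 bits before `access_ok()` and the `(int)n > 0` test see it, and the truncated value is what the function returns. A caller passing a count above 4 GiB would get a short copy whose return value no longer reflects the request; whether such callers exist is not visible here. If the narrowing is intended, state it at the declaration, for example `/* n is deliberately 32-bit; larger requests must be rejected by the caller */`. Otherwise keep `unsigned long` and range-check inside the function.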
9266 @@ -65,17 +70,35 @@ int copy_to_user(void __user *dst, const
9267  {
9268         might_fault();
9269  
9270 -       return _copy_to_user(dst, src, size);
9271 +       if (access_ok(VERIFY_WRITE, dst, size))
9272 +               size = __copy_to_user(dst, src, size);
9273 +       return size;
9274  }
9275  
9276  static __always_inline __must_check
9277 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9278 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9279  {
9280 -       int ret = 0;
9281 +       int sz = __compiletime_object_size(dst);
9282 +       unsigned ret = 0;
9283  
9284         might_fault();
9285 -       if (!__builtin_constant_p(size))
9286 +
9287 +       if ((int)size < 0)
9288 +               return size;
9289 +
9290 +       if (unlikely(sz != -1 && sz < size)) {
9291 +#ifdef CONFIG_DEBUG_VM
9292 +               WARN(1, "Buffer overflow detected!\n");
9293 +#endif
9294 +               return size;
9295 +       }
9296 +
9297 +       if (!__builtin_constant_p(size)) {
9298 +               check_object_size(dst, size, false);
9299 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9300 +                       src += PAX_USER_SHADOW_BASE;
9301                 return copy_user_generic(dst, (__force void *)src, size);
9302 +       }
9303         switch (size) {
9304         case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9305                               ret, "b", "b", "=q", 1);
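Review bot: The rebase `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` added in `__copy_from_user` is undocumented and repeated. It appears again in the `default:` arm of the same function and, for `dst` and/or `src`, in `__copy_to_user`, `__copy_in_user` and both `_inatomic` helpers in the following hunks. Nothing visible defines `PAX_USER_SHADOW_BASE` (it presumably comes from the `<asm/pgtable.h>` include added at the top of the file), so a reader cannot tell what the rebase does or what it evaluates to when the feature is off. A small `static __always_inline` helper that takes and returns the user pointer, with a comment stating the purpose of the rebase, would replace all of the copies and give the explanation one home. The `switch` in `__copy_from_user` continues outside the hunk.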
9306 @@ -108,18 +131,36 @@ int __copy_from_user(void *dst, const vo
9307                                ret, "q", "", "=r", 8);
9308                 return ret;
9309         default:
9310 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9311 +                       src += PAX_USER_SHADOW_BASE;
9312                 return copy_user_generic(dst, (__force void *)src, size);
9313         }
9314  }
9315  
9316  static __always_inline __must_check
9317 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9318 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9319  {
9320 -       int ret = 0;
9321 +       int sz = __compiletime_object_size(src);
9322 +       unsigned ret = 0;
9323  
9324         might_fault();
9325 -       if (!__builtin_constant_p(size))
9326 +
9327 +       if ((int)size < 0)
9328 +               return size;
9329 +
9330 +       if (unlikely(sz != -1 && sz < size)) {
9331 +#ifdef CONFIG_DEBUG_VM
9332 +               WARN(1, "Buffer overflow detected!\n");
9333 +#endif
9334 +               return size;
9335 +       }
9336 +
9337 +       if (!__builtin_constant_p(size)) {
9338 +               check_object_size(src, size, true);
9339 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9340 +                       dst += PAX_USER_SHADOW_BASE;
9341                 return copy_user_generic((__force void *)dst, src, size);
9342 +       }
9343         switch (size) {
9344         case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9345                               ret, "b", "b", "iq", 1);
9346 @@ -152,19 +193,30 @@ int __copy_to_user(void __user *dst, con
9347                                ret, "q", "", "er", 8);
9348                 return ret;
9349         default:
9350 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9351 +                       dst += PAX_USER_SHADOW_BASE;
9352                 return copy_user_generic((__force void *)dst, src, size);
9353         }
9354  }
9355  
9356  static __always_inline __must_check
9357 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9358 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9359  {
9360 -       int ret = 0;
9361 +       unsigned ret = 0;
9362  
9363         might_fault();
9364 -       if (!__builtin_constant_p(size))
9365 +
9366 +       if ((int)size < 0)
9367 +               return size;
9368 +
9369 +       if (!__builtin_constant_p(size)) {
9370 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9371 +                       src += PAX_USER_SHADOW_BASE;
9372 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9373 +                       dst += PAX_USER_SHADOW_BASE;
9374                 return copy_user_generic((__force void *)dst,
9375                                          (__force void *)src, size);
9376 +       }
9377         switch (size) {
9378         case 1: {
9379                 u8 tmp;
9380 @@ -204,6 +256,10 @@ int __copy_in_user(void __user *dst, con
9381                 return ret;
9382         }
9383         default:
9384 +               if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9385 +                       src += PAX_USER_SHADOW_BASE;
9386 +               if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9387 +                       dst += PAX_USER_SHADOW_BASE;
9388                 return copy_user_generic((__force void *)dst,
9389                                          (__force void *)src, size);
9390         }
9391 @@ -222,33 +278,45 @@ __must_check unsigned long __clear_user(
9392  static __must_check __always_inline int
9393  __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9394  {
9395 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9396 +               src += PAX_USER_SHADOW_BASE;
9397         return copy_user_generic(dst, (__force const void *)src, size);
9398  }
9399  
9400 -static __must_check __always_inline int
9401 +static __must_check __always_inline unsigned long
9402  __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9403  {
9404 +       if ((int)size < 0)
9405 +               return size;
9406 +
9407 +       if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9408 +               dst += PAX_USER_SHADOW_BASE;
9409         return copy_user_generic((__force void *)dst, src, size);
9410  }
9411  
9412 -extern long __copy_user_nocache(void *dst, const void __user *src,
9413 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9414                                 unsigned size, int zerorest);
9415  
9416 -static inline int
9417 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9418 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9419  {
9420         might_sleep();
9421 +
9422 +       if ((int)size < 0)
9423 +               return size;
9424 +
9425         return __copy_user_nocache(dst, src, size, 1);
9426  }
9427  
9428 -static inline int
9429 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9430 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9431                                   unsigned size)
9432  {
9433 +       if ((int)size < 0)
9434 +               return size;
9435 +
9436         return __copy_user_nocache(dst, src, size, 0);
9437  }
9438  
9439 -unsigned long
9440 +extern unsigned long
9441  copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9442  
9443  #endif /* _ASM_X86_UACCESS_64_H */
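Review bot: `__copy_from_user_inatomic` receives the shadow-base rebase but, unlike `__copy_to_user_inatomic` directly below it and both `_nocache` helpers in this hunk, it gets no `(int)size < 0` guard and keeps its `int` return type. If the omission is not intentional, the function should open with `if ((int)size < 0) return size;` and return `unsigned long` like its siblings. The two `_nocache` helpers also pass `src` to `__copy_user_nocache()` without the rebase that the `copy_user_generic()` callers apply. That may be handled inside the callee, which is not visible, and deserves a comment either way.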
9444 diff -urNp linux-2.6.35.5/arch/x86/include/asm/uaccess.h linux-2.6.35.5/arch/x86/include/asm/uaccess.h
9445 --- linux-2.6.35.5/arch/x86/include/asm/uaccess.h       2010-08-26 19:47:12.000000000 -0400
9446 +++ linux-2.6.35.5/arch/x86/include/asm/uaccess.h       2010-09-17 20:12:09.000000000 -0400
9447 @@ -8,12 +8,15 @@
9448  #include <linux/thread_info.h>
9449  #include <linux/prefetch.h>
9450  #include <linux/string.h>
9451 +#include <linux/sched.h>
9452  #include <asm/asm.h>
9453  #include <asm/page.h>
9454  
9455  #define VERIFY_READ 0
9456  #define VERIFY_WRITE 1
9457  
9458 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9459 +
9460  /*
9461   * The fs value determines whether argument validity checking should be
9462   * performed or not.  If get_fs() == USER_DS, checking is performed, with
9463 @@ -29,7 +32,12 @@
9464  
9465  #define get_ds()       (KERNEL_DS)
9466  #define get_fs()       (current_thread_info()->addr_limit)
9467 +#ifdef CONFIG_X86_32
9468 +void __set_fs(mm_segment_t x, int cpu);
9469 +void set_fs(mm_segment_t x);
9470 +#else
9471  #define set_fs(x)      (current_thread_info()->addr_limit = (x))
9472 +#endif
9473  
9474  #define segment_eq(a, b)       ((a).seg == (b).seg)
9475  
9476 @@ -77,7 +85,33 @@
9477   * checks that the pointer is in the user space range - after calling
9478   * this function, memory access functions may still return -EFAULT.
9479   */
9480 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9481 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9482 +#define access_ok(type, addr, size)                                    \
9483 +({                                                                     \
9484 +       long __size = size;                                             \
9485 +       unsigned long __addr = (unsigned long)addr;                     \
9486 +       unsigned long __addr_ao = __addr & PAGE_MASK;                   \
9487 +       unsigned long __end_ao = __addr + __size - 1;                   \
9488 +       bool __ret_ao = __range_not_ok(__addr, __size) == 0;            \
9489 +       if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9490 +               while(__addr_ao <= __end_ao) {                          \
9491 +                       char __c_ao;                                    \
9492 +                       __addr_ao += PAGE_SIZE;                         \
9493 +                       if (__size > PAGE_SIZE)                         \
9494 +                               cond_resched();                         \
9495 +                       if (__get_user(__c_ao, (char __user *)__addr))  \
9496 +                               break;                                  \
9497 +                       if (type != VERIFY_WRITE) {                     \
9498 +                               __addr = __addr_ao;                     \
9499 +                               continue;                               \
9500 +                       }                                               \
9501 +                       if (__put_user(__c_ao, (char __user *)__addr))  \
9502 +                               break;                                  \
9503 +                       __addr = __addr_ao;                             \
9504 +               }                                                       \
9505 +       }                                                               \
9506 +       __ret_ao;                                                       \
9507 +})
9508  
9509  /*
9510   * The exception table consists of pairs of addresses: the first is the
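Review bot: The new `access_ok` body uses its arguments unparenthesized, so in `unsigned long __addr = (unsigned long)addr;` an argument such as `buf + n` has the cast applied to `buf` alone and `n` is then added as a byte count; for a pointer to anything wider than a byte the range check runs on a different address than the caller meant. Write `unsigned long __addr = (unsigned long)(addr);`, `long __size = (size);` and `if ((type) != VERIFY_WRITE)`. The macro can also now call `cond_resched()` and touches user memory through `__get_user`/`__put_user`, while the comment above it still describes a pure range check; that comment should say the macro may fault and sleep, and point callers that cannot do so at `__access_ok`. A failing `__get_user`/`__put_user` only ends the loop and leaves `__ret_ao` unchanged; if that is intended, the comment should say so.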
9511 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
9512         asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9513                      : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9514  
9515 -
9516 +#ifdef CONFIG_X86_32
9517 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
9518 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
9519 +#else
9520 +#define _ASM_LOAD_USER_DS(ds)
9521 +#define _ASM_LOAD_KERNEL_DS
9522 +#endif
9523  
9524  #ifdef CONFIG_X86_32
9525  #define __put_user_asm_u64(x, addr, err, errret)                       \
9526 -       asm volatile("1:        movl %%eax,0(%2)\n"                     \
9527 -                    "2:        movl %%edx,4(%2)\n"                     \
9528 +       asm volatile(_ASM_LOAD_USER_DS(5)                               \
9529 +                    "1:        movl %%eax,%%ds:0(%2)\n"                \
9530 +                    "2:        movl %%edx,%%ds:4(%2)\n"                \
9531                      "3:\n"                                             \
9532 +                    _ASM_LOAD_KERNEL_DS                                \
9533                      ".section .fixup,\"ax\"\n"                         \
9534                      "4:        movl %3,%0\n"                           \
9535                      "  jmp 3b\n"                                       \
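Review bot: `_ASM_LOAD_USER_DS(5)` hard-codes the position of the `"r"(__USER_DS)` input, which is only appended to the operand list in the following hunk, so any operand later added before it makes the `movw` load `%ds` from an unrelated register without a build error. A named operand removes the coupling: `[uds] "r"(__USER_DS)` in the list and `"movw %w[uds],%%ds\n"` in the helper macro. The same positional index appears in the `__put_user_asm_ex_u64`, `__get_user_asm`, `__get_user_asm_ex`, `__put_user_asm` and `__put_user_asm_ex` hunks below. A comment on `_ASM_LOAD_KERNEL_DS` stating that it must sit at the label the fixup code jumps back to (`3:` here), so that `%ds` is restored on the fault path too, would also help the next editor.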
9536 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
9537                      _ASM_EXTABLE(1b, 4b)                               \
9538                      _ASM_EXTABLE(2b, 4b)                               \
9539                      : "=r" (err)                                       \
9540 -                    : "A" (x), "r" (addr), "i" (errret), "0" (err))
9541 +                    : "A" (x), "r" (addr), "i" (errret), "0" (err),    \
9542 +                      "r"(__USER_DS))
9543  
9544  #define __put_user_asm_ex_u64(x, addr)                                 \
9545 -       asm volatile("1:        movl %%eax,0(%1)\n"                     \
9546 -                    "2:        movl %%edx,4(%1)\n"                     \
9547 +       asm volatile(_ASM_LOAD_USER_DS(2)                               \
9548 +                    "1:        movl %%eax,%%ds:0(%1)\n"                \
9549 +                    "2:        movl %%edx,%%ds:4(%1)\n"                \
9550                      "3:\n"                                             \
9551 +                    _ASM_LOAD_KERNEL_DS                                \
9552                      _ASM_EXTABLE(1b, 2b - 1b)                          \
9553                      _ASM_EXTABLE(2b, 3b - 2b)                          \
9554 -                    : : "A" (x), "r" (addr))
9555 +                    : : "A" (x), "r" (addr), "r"(__USER_DS))
9556  
9557  #define __put_user_x8(x, ptr, __ret_pu)                                \
9558         asm volatile("call __put_user_8" : "=a" (__ret_pu)      \
9559 @@ -374,16 +419,18 @@ do {                                                                      \
9560  } while (0)
9561  
9562  #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
9563 -       asm volatile("1:        mov"itype" %2,%"rtype"1\n"              \
9564 +       asm volatile(_ASM_LOAD_USER_DS(5)                               \
9565 +                    "1:        mov"itype" %%ds:%2,%"rtype"1\n"         \
9566                      "2:\n"                                             \
9567 +                    _ASM_LOAD_KERNEL_DS                                \
9568                      ".section .fixup,\"ax\"\n"                         \
9569                      "3:        mov %3,%0\n"                            \
9570                      "  xor"itype" %"rtype"1,%"rtype"1\n"               \
9571                      "  jmp 2b\n"                                       \
9572                      ".previous\n"                                      \
9573                      _ASM_EXTABLE(1b, 3b)                               \
9574 -                    : "=r" (err), ltype(x)                             \
9575 -                    : "m" (__m(addr)), "i" (errret), "0" (err))
9576 +                    : "=r" (err), ltype (x)                            \
9577 +                    : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
9578  
9579  #define __get_user_size_ex(x, ptr, size)                               \
9580  do {                                                                   \
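Review bot: The `"r"(__USER_DS)` input and the `%%ds:` override in `__get_user_asm` are added for every configuration, but `_ASM_LOAD_USER_DS` and `_ASM_LOAD_KERNEL_DS` expand to nothing unless `CONFIG_X86_32` is set, so on a 64-bit build each expansion ties up a register for a value the template never references. Putting the extra operand behind the same `#ifdef` as the two helper macros (a new macro, say `_ASM_USER_DS_INPUT`, that is `, "r"(__USER_DS)` on 32-bit and empty otherwise) would leave the 64-bit operand list as it was. `__get_user_asm_ex`, `__put_user_asm` and `__put_user_asm_ex` in the following hunks follow the same pattern.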
9581 @@ -407,10 +454,12 @@ do {                                                                      \
9582  } while (0)
9583  
9584  #define __get_user_asm_ex(x, addr, itype, rtype, ltype)                        \
9585 -       asm volatile("1:        mov"itype" %1,%"rtype"0\n"              \
9586 +       asm volatile(_ASM_LOAD_USER_DS(2)                               \
9587 +                    "1:        mov"itype" %%ds:%1,%"rtype"0\n"         \
9588                      "2:\n"                                             \
9589 +                    _ASM_LOAD_KERNEL_DS                                \
9590                      _ASM_EXTABLE(1b, 2b - 1b)                          \
9591 -                    : ltype(x) : "m" (__m(addr)))
9592 +                    : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
9593  
9594  #define __put_user_nocheck(x, ptr, size)                       \
9595  ({                                                             \
9596 @@ -424,13 +473,24 @@ do {                                                                      \
9597         int __gu_err;                                                   \
9598         unsigned long __gu_val;                                         \
9599         __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT);    \
9600 -       (x) = (__force __typeof__(*(ptr)))__gu_val;                     \
9601 +       (x) = (__typeof__(*(ptr)))__gu_val;                             \
9602         __gu_err;                                                       \
9603  })
9604  
9605  /* FIXME: this hack is definitely wrong -AK */
9606  struct __large_struct { unsigned long buf[100]; };
9607 -#define __m(x) (*(struct __large_struct __user *)(x))
9608 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9609 +#define ____m(x)                                       \
9610 +({                                                     \
9611 +       unsigned long ____x = (unsigned long)(x);       \
9612 +       if (____x < PAX_USER_SHADOW_BASE)               \
9613 +               ____x += PAX_USER_SHADOW_BASE;          \
9614 +       (void __user *)____x;                           \
9615 +})
9616 +#else
9617 +#define ____m(x) (x)
9618 +#endif
9619 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9620  
9621  /*
9622   * Tell gcc we read from memory instead of writing: this is because
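Review bot: `____m()` is added without a comment and sits directly under the unrelated `FIXME` for `__large_struct`, so a reader cannot tell why `__m()` now rewrites the pointer. From the hunk alone it adds `PAX_USER_SHADOW_BASE` to any value below that constant when `CONFIG_X86_64` and `CONFIG_PAX_MEMORY_UDEREF` are both set, and is the identity otherwise; what the constant denotes is defined elsewhere. I would add above it `/* UDEREF, x86_64: addresses below PAX_USER_SHADOW_BASE are rebased by that amount before the access; others pass through unchanged */`. The cast that loses `__force` in this hunk, and the one in the `get_user_ex` hunk, will likely make sparse warn again when `*(ptr)` has a restricted type, so the reason for dropping it deserves a line in the changelog.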
9623 @@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
9624   * aliasing issues.
9625   */
9626  #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret)      \
9627 -       asm volatile("1:        mov"itype" %"rtype"1,%2\n"              \
9628 +       asm volatile(_ASM_LOAD_USER_DS(5)                               \
9629 +                    "1:        mov"itype" %"rtype"1,%%ds:%2\n"         \
9630                      "2:\n"                                             \
9631 +                    _ASM_LOAD_KERNEL_DS                                \
9632                      ".section .fixup,\"ax\"\n"                         \
9633                      "3:        mov %3,%0\n"                            \
9634                      "  jmp 2b\n"                                       \
9635                      ".previous\n"                                      \
9636                      _ASM_EXTABLE(1b, 3b)                               \
9637                      : "=r"(err)                                        \
9638 -                    : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9639 +                    : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
9640 +                      "r"(__USER_DS))
9641  
9642  #define __put_user_asm_ex(x, addr, itype, rtype, ltype)                        \
9643 -       asm volatile("1:        mov"itype" %"rtype"0,%1\n"              \
9644 +       asm volatile(_ASM_LOAD_USER_DS(2)                               \
9645 +                    "1:        mov"itype" %"rtype"0,%%ds:%1\n"         \
9646                      "2:\n"                                             \
9647 +                    _ASM_LOAD_KERNEL_DS                                \
9648                      _ASM_EXTABLE(1b, 2b - 1b)                          \
9649 -                    : : ltype(x), "m" (__m(addr)))
9650 +                    : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
9651  
9652  /*
9653   * uaccess_try and catch
9654 @@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
9655  #define get_user_ex(x, ptr)    do {                                    \
9656         unsigned long __gue_val;                                        \
9657         __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr))));       \
9658 -       (x) = (__force __typeof__(*(ptr)))__gue_val;                    \
9659 +       (x) = (__typeof__(*(ptr)))__gue_val;                            \
9660  } while (0)
9661  
9662  #ifdef CONFIG_X86_WP_WORKS_OK
9663 @@ -567,6 +632,7 @@ extern struct movsl_mask {
9664  
9665  #define ARCH_HAS_NOCACHE_UACCESS 1
9666  
9667 +#define ARCH_HAS_SORT_EXTABLE
9668  #ifdef CONFIG_X86_32
9669  # include "uaccess_32.h"
9670  #else
9671 diff -urNp linux-2.6.35.5/arch/x86/include/asm/vgtod.h linux-2.6.35.5/arch/x86/include/asm/vgtod.h
9672 --- linux-2.6.35.5/arch/x86/include/asm/vgtod.h 2010-08-26 19:47:12.000000000 -0400
9673 +++ linux-2.6.35.5/arch/x86/include/asm/vgtod.h 2010-09-17 20:12:09.000000000 -0400
9674 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
9675         int             sysctl_enabled;
9676         struct timezone sys_tz;
9677         struct { /* extract of a clocksource struct */
9678 +               char    name[8];
9679                 cycle_t (*vread)(void);
9680                 cycle_t cycle_last;
9681                 cycle_t mask;
9682 diff -urNp linux-2.6.35.5/arch/x86/include/asm/vmi.h linux-2.6.35.5/arch/x86/include/asm/vmi.h
9683 --- linux-2.6.35.5/arch/x86/include/asm/vmi.h   2010-08-26 19:47:12.000000000 -0400
9684 +++ linux-2.6.35.5/arch/x86/include/asm/vmi.h   2010-09-17 20:12:09.000000000 -0400
9685 @@ -191,6 +191,7 @@ struct vrom_header {
9686         u8      reserved[96];   /* Reserved for headers */
9687         char    vmi_init[8];    /* VMI_Init jump point */
9688         char    get_reloc[8];   /* VMI_GetRelocationInfo jump point */
9689 +       char    rom_data[8048]; /* rest of the option ROM */
9690  } __attribute__((packed));
9691  
9692  struct pnp_header {
9693 diff -urNp linux-2.6.35.5/arch/x86/include/asm/vsyscall.h linux-2.6.35.5/arch/x86/include/asm/vsyscall.h
9694 --- linux-2.6.35.5/arch/x86/include/asm/vsyscall.h      2010-08-26 19:47:12.000000000 -0400
9695 +++ linux-2.6.35.5/arch/x86/include/asm/vsyscall.h      2010-09-17 20:12:09.000000000 -0400
9696 @@ -15,9 +15,10 @@ enum vsyscall_num {
9697  
9698  #ifdef __KERNEL__
9699  #include <linux/seqlock.h>
9700 +#include <linux/getcpu.h>
9701 +#include <linux/time.h>
9702  
9703  #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9704 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9705  
9706  /* Definitions for CONFIG_GENERIC_TIME definitions */
9707  #define __section_vsyscall_gtod_data __attribute__ \
9708 @@ -31,7 +32,6 @@ enum vsyscall_num {
9709  #define VGETCPU_LSL    2
9710  
9711  extern int __vgetcpu_mode;
9712 -extern volatile unsigned long __jiffies;
9713  
9714  /* kernel space (writeable) */
9715  extern int vgetcpu_mode;
9716 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9717  
9718  extern void map_vsyscall(void);
9719  
9720 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9721 +extern time_t vtime(time_t *t);
9722 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9723  #endif /* __KERNEL__ */
9724  
9725  #endif /* _ASM_X86_VSYSCALL_H */
9726 diff -urNp linux-2.6.35.5/arch/x86/include/asm/xsave.h linux-2.6.35.5/arch/x86/include/asm/xsave.h
9727 --- linux-2.6.35.5/arch/x86/include/asm/xsave.h 2010-08-26 19:47:12.000000000 -0400
9728 +++ linux-2.6.35.5/arch/x86/include/asm/xsave.h 2010-09-17 20:12:09.000000000 -0400
9729 @@ -59,6 +59,12 @@ static inline int fpu_xrstor_checking(st
9730  static inline int xsave_user(struct xsave_struct __user *buf)
9731  {
9732         int err;
9733 +
9734 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9735 +       if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
9736 +               buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
9737 +#endif
9738 +
9739         __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x27\n"
9740                              "2:\n"
9741                              ".section .fixup,\"ax\"\n"
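Review bot: `xsave_user` open-codes the same `< PAX_USER_SHADOW_BASE` test and addition that `____m()` in `asm/uaccess.h` performs, and the `xrestore_user` hunk below repeats it a third time, so the copies can drift apart. A single helper used by all three would keep the boundary test in one place. The addition here is done on `void __user *`, which relies on the GNU extension for arithmetic on void pointers; `(unsigned long)buf + PAX_USER_SHADOW_BASE` cast back to the pointer type would match the form `____m()` uses. In the `xrestore_user` copy the cast is to a plain `struct xsave_struct *` with no `__user`; the declaration of `xstate` is outside the hunk, so that may be deliberate.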
9742 @@ -85,6 +91,11 @@ static inline int xrestore_user(struct x
9743         u32 lmask = mask;
9744         u32 hmask = mask >> 32;
9745  
9746 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9747 +       if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
9748 +               xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
9749 +#endif
9750 +
9751         __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
9752                              "2:\n"
9753                              ".section .fixup,\"ax\"\n"
9754 diff -urNp linux-2.6.35.5/arch/x86/Kconfig linux-2.6.35.5/arch/x86/Kconfig
9755 --- linux-2.6.35.5/arch/x86/Kconfig     2010-08-26 19:47:12.000000000 -0400
9756 +++ linux-2.6.35.5/arch/x86/Kconfig     2010-09-17 20:12:37.000000000 -0400
9757 @@ -1038,7 +1038,7 @@ choice
9758  
9759  config NOHIGHMEM
9760         bool "off"
9761 -       depends on !X86_NUMAQ
9762 +       depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9763         ---help---
9764           Linux can use up to 64 Gigabytes of physical memory on x86 systems.
9765           However, the address space of 32-bit x86 processors is only 4
9766 @@ -1075,7 +1075,7 @@ config NOHIGHMEM
9767  
9768  config HIGHMEM4G
9769         bool "4GB"
9770 -       depends on !X86_NUMAQ
9771 +       depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9772         ---help---
9773           Select this if you have a 32-bit processor and between 1 and 4
9774           gigabytes of physical RAM.
9775 @@ -1129,7 +1129,7 @@ config PAGE_OFFSET
9776         hex
9777         default 0xB0000000 if VMSPLIT_3G_OPT
9778         default 0x80000000 if VMSPLIT_2G
9779 -       default 0x78000000 if VMSPLIT_2G_OPT
9780 +       default 0x70000000 if VMSPLIT_2G_OPT
9781         default 0x40000000 if VMSPLIT_1G
9782         default 0xC0000000
9783         depends on X86_32
9784 @@ -1461,7 +1461,7 @@ config ARCH_USES_PG_UNCACHED
9785  
9786  config EFI
9787         bool "EFI runtime service support"
9788 -       depends on ACPI
9789 +       depends on ACPI && !PAX_KERNEXEC
9790         ---help---
9791           This enables the kernel to use EFI runtime services that are
9792           available (such as the EFI variable services).
9793 @@ -1548,6 +1548,7 @@ config KEXEC_JUMP
9794  config PHYSICAL_START
9795         hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
9796         default "0x1000000"
9797 +       range 0x400000 0x40000000
9798         ---help---
9799           This gives the physical address where the kernel is loaded.
9800  
9801 @@ -1611,6 +1612,7 @@ config X86_NEED_RELOCS
9802  config PHYSICAL_ALIGN
9803         hex "Alignment value to which kernel should be aligned" if X86_32
9804         default "0x1000000"
9805 +       range 0x400000 0x1000000 if PAX_KERNEXEC
9806         range 0x2000 0x1000000
9807         ---help---
9808           This value puts the alignment restrictions on physical address
9809 @@ -1642,9 +1644,10 @@ config HOTPLUG_CPU
9810           Say N if you want to disable CPU hotplug.
9811  
9812  config COMPAT_VDSO
9813 -       def_bool y
9814 +       def_bool n
9815         prompt "Compat VDSO support"
9816         depends on X86_32 || IA32_EMULATION
9817 +       depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
9818         ---help---
9819           Map the 32-bit VDSO to the predictable old-style address too.
9820  
9821 diff -urNp linux-2.6.35.5/arch/x86/Kconfig.cpu linux-2.6.35.5/arch/x86/Kconfig.cpu
9822 --- linux-2.6.35.5/arch/x86/Kconfig.cpu 2010-08-26 19:47:12.000000000 -0400
9823 +++ linux-2.6.35.5/arch/x86/Kconfig.cpu 2010-09-17 20:12:09.000000000 -0400
9824 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
9825  
9826  config X86_F00F_BUG
9827         def_bool y
9828 -       depends on M586MMX || M586TSC || M586 || M486 || M386
9829 +       depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
9830  
9831  config X86_INVD_BUG
9832         def_bool y
9833 @@ -360,7 +360,7 @@ config X86_POPAD_OK
9834  
9835  config X86_ALIGNMENT_16
9836         def_bool y
9837 -       depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9838 +       depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
9839  
9840  config X86_INTEL_USERCOPY
9841         def_bool y
9842 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
9843  # generates cmov.
9844  config X86_CMOV
9845         def_bool y
9846 -       depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9847 +       depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
9848  
9849  config X86_MINIMUM_CPU_FAMILY
9850         int
9851 diff -urNp linux-2.6.35.5/arch/x86/Kconfig.debug linux-2.6.35.5/arch/x86/Kconfig.debug
9852 --- linux-2.6.35.5/arch/x86/Kconfig.debug       2010-08-26 19:47:12.000000000 -0400
9853 +++ linux-2.6.35.5/arch/x86/Kconfig.debug       2010-09-17 20:12:09.000000000 -0400
9854 @@ -97,7 +97,7 @@ config X86_PTDUMP
9855  config DEBUG_RODATA
9856         bool "Write protect kernel read-only data structures"
9857         default y
9858 -       depends on DEBUG_KERNEL
9859 +       depends on DEBUG_KERNEL && BROKEN
9860         ---help---
9861           Mark the kernel read-only data as write-protected in the pagetables,
9862           in order to catch accidental (and incorrect) writes to such const
9863 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/boot.c linux-2.6.35.5/arch/x86/kernel/acpi/boot.c
9864 --- linux-2.6.35.5/arch/x86/kernel/acpi/boot.c  2010-08-26 19:47:12.000000000 -0400
9865 +++ linux-2.6.35.5/arch/x86/kernel/acpi/boot.c  2010-09-17 20:12:09.000000000 -0400
9866 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
9867                      DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
9868                      },
9869          },
9870 -       {}
9871 +       { NULL, NULL, {{0, {0}}}, NULL}
9872  };
9873  
9874  /*
9875 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S
9876 --- linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S       2010-08-26 19:47:12.000000000 -0400
9877 +++ linux-2.6.35.5/arch/x86/kernel/acpi/realmode/wakeup.S       2010-09-17 20:12:09.000000000 -0400
9878 @@ -104,7 +104,7 @@ _start:
9879         movl    %eax, %ecx
9880         orl     %edx, %ecx
9881         jz      1f
9882 -       movl    $0xc0000080, %ecx
9883 +       mov     $MSR_EFER, %ecx
9884         wrmsr
9885  1:
9886  
9887 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c
9888 --- linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
9889 +++ linux-2.6.35.5/arch/x86/kernel/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
9890 @@ -11,11 +11,12 @@
9891  #include <linux/cpumask.h>
9892  #include <asm/segment.h>
9893  #include <asm/desc.h>
9894 +#include <asm/e820.h>
9895  
9896  #include "realmode/wakeup.h"
9897  #include "sleep.h"
9898  
9899 -unsigned long acpi_wakeup_address;
9900 +unsigned long acpi_wakeup_address = 0x2000;
9901  unsigned long acpi_realmode_flags;
9902  
9903  /* address in low memory of the wakeup routine. */
9904 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
9905         header->trampoline_segment = setup_trampoline() >> 4;
9906  #ifdef CONFIG_SMP
9907         stack_start.sp = temp_stack + sizeof(temp_stack);
9908 +
9909 +       pax_open_kernel();
9910         early_gdt_descr.address =
9911                         (unsigned long)get_cpu_gdt_table(smp_processor_id());
9912 +       pax_close_kernel();
9913 +
9914         initial_gs = per_cpu_offset(smp_processor_id());
9915  #endif
9916         initial_code = (unsigned long)wakeup_long64;
9917 diff -urNp linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S
9918 --- linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S     2010-08-26 19:47:12.000000000 -0400
9919 +++ linux-2.6.35.5/arch/x86/kernel/acpi/wakeup_32.S     2010-09-17 20:12:09.000000000 -0400
9920 @@ -30,13 +30,11 @@ wakeup_pmode_return:
9921         # and restore the stack ... but you need gdt for this to work
9922         movl    saved_context_esp, %esp
9923  
9924 -       movl    %cs:saved_magic, %eax
9925 -       cmpl    $0x12345678, %eax
9926 +       cmpl    $0x12345678, saved_magic
9927         jne     bogus_magic
9928  
9929         # jump to place where we left off
9930 -       movl    saved_eip, %eax
9931 -       jmp     *%eax
9932 +       jmp     *(saved_eip)
9933  
9934  bogus_magic:
9935         jmp     bogus_magic
9936 diff -urNp linux-2.6.35.5/arch/x86/kernel/alternative.c linux-2.6.35.5/arch/x86/kernel/alternative.c
9937 --- linux-2.6.35.5/arch/x86/kernel/alternative.c        2010-08-26 19:47:12.000000000 -0400
9938 +++ linux-2.6.35.5/arch/x86/kernel/alternative.c        2010-09-17 20:12:09.000000000 -0400
9939 @@ -247,7 +247,7 @@ static void alternatives_smp_lock(const 
9940                 if (!*poff || ptr < text || ptr >= text_end)
9941                         continue;
9942                 /* turn DS segment override prefix into lock prefix */
9943 -               if (*ptr == 0x3e)
9944 +               if (*ktla_ktva(ptr) == 0x3e)
9945                         text_poke(ptr, ((unsigned char []){0xf0}), 1);
9946         };
9947         mutex_unlock(&text_mutex);
9948 @@ -268,7 +268,7 @@ static void alternatives_smp_unlock(cons
9949                 if (!*poff || ptr < text || ptr >= text_end)
9950                         continue;
9951                 /* turn lock prefix into DS segment override prefix */
9952 -               if (*ptr == 0xf0)
9953 +               if (*ktla_ktva(ptr) == 0xf0)
9954                         text_poke(ptr, ((unsigned char []){0x3E}), 1);
9955         };
9956         mutex_unlock(&text_mutex);
9957 @@ -436,7 +436,7 @@ void __init_or_module apply_paravirt(str
9958  
9959                 BUG_ON(p->len > MAX_PATCH_LEN);
9960                 /* prep the buffer with the original instructions */
9961 -               memcpy(insnbuf, p->instr, p->len);
9962 +               memcpy(insnbuf, ktla_ktva(p->instr), p->len);
9963                 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
9964                                          (unsigned long)p->instr, p->len);
9965  
9966 @@ -504,7 +504,7 @@ void __init alternative_instructions(voi
9967         if (smp_alt_once)
9968                 free_init_pages("SMP alternatives",
9969                                 (unsigned long)__smp_locks,
9970 -                               (unsigned long)__smp_locks_end);
9971 +                               PAGE_ALIGN((unsigned long)__smp_locks_end));
9972  
9973         restart_nmi();
9974  }
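Review bot: `PAGE_ALIGN((unsigned long)__smp_locks_end)` rounds the end of the freed range up, so when `__smp_locks_end` is not page-aligned the remainder of that last page is handed back to the allocator as well. That is only safe if the linker script pads the section to a page boundary so that nothing else lives in the tail; the script is not part of this hunk. I would add a comment at the call, e.g. `/* the SMP locks section is padded to a full page, so freeing up to the aligned end is safe */`, or assert the alignment instead of rounding. The body of `alternative_instructions` starts outside the hunk.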
9975 @@ -521,13 +521,17 @@ void __init alternative_instructions(voi
9976   * instructions. And on the local CPU you need to be protected again NMI or MCE
9977   * handlers seeing an inconsistent instruction while you patch.
9978   */
9979 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
9980 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
9981                                               size_t len)
9982  {
9983         unsigned long flags;
9984         local_irq_save(flags);
9985 -       memcpy(addr, opcode, len);
9986 +
9987 +       pax_open_kernel();
9988 +       memcpy(ktla_ktva(addr), opcode, len);
9989         sync_core();
9990 +       pax_close_kernel();
9991 +
9992         local_irq_restore(flags);
9993         /* Could also do a CLFLUSH here to speed up CPU recovery; but
9994            that causes hangs on some VIA CPUs. */
9995 @@ -549,36 +553,22 @@ static void *__init_or_module text_poke_
9996   */
9997  void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
9998  {
9999 -       unsigned long flags;
10000 -       char *vaddr;
10001 +       unsigned char *vaddr = ktla_ktva(addr);
10002         struct page *pages[2];
10003 -       int i;
10004 +       size_t i;
10005  
10006         if (!core_kernel_text((unsigned long)addr)) {
10007 -               pages[0] = vmalloc_to_page(addr);
10008 -               pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10009 +               pages[0] = vmalloc_to_page(vaddr);
10010 +               pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10011         } else {
10012 -               pages[0] = virt_to_page(addr);
10013 +               pages[0] = virt_to_page(vaddr);
10014                 WARN_ON(!PageReserved(pages[0]));
10015 -               pages[1] = virt_to_page(addr + PAGE_SIZE);
10016 +               pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10017         }
10018         BUG_ON(!pages[0]);
10019 -       local_irq_save(flags);
10020 -       set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10021 -       if (pages[1])
10022 -               set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10023 -       vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10024 -       memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10025 -       clear_fixmap(FIX_TEXT_POKE0);
10026 -       if (pages[1])
10027 -               clear_fixmap(FIX_TEXT_POKE1);
10028 -       local_flush_tlb();
10029 -       sync_core();
10030 -       /* Could also do a CLFLUSH here to speed up CPU recovery; but
10031 -          that causes hangs on some VIA CPUs. */
10032 +       text_poke_early(addr, opcode, len);
10033         for (i = 0; i < len; i++)
10034 -               BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10035 -       local_irq_restore(flags);
10036 +               BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
10037         return addr;
10038  }
10039  
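Review bot: After this change `text_poke` still fills `pages[0]` and `pages[1]`, but only `pages[0]` is read (in `WARN_ON` and `BUG_ON`), because the write now goes through `text_poke_early` rather than the fixmap alias; `pages[1]` and its `vmalloc_to_page`/`virt_to_page` lookup are dead. Either drop the second lookup or keep it with a comment saying it is a sanity check only. The read-back loop `BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i])` now runs after `text_poke_early` has restored interrupts, whereas the removed code compared before `local_irq_restore(flags)`; if the ordering does not matter, a short comment should say why. The block comment above `text_poke` lies mostly outside this hunk and probably needs updating too, since the temporary mapping it was written for is removed here.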
10040 diff -urNp linux-2.6.35.5/arch/x86/kernel/amd_iommu.c linux-2.6.35.5/arch/x86/kernel/amd_iommu.c
10041 --- linux-2.6.35.5/arch/x86/kernel/amd_iommu.c  2010-08-26 19:47:12.000000000 -0400
10042 +++ linux-2.6.35.5/arch/x86/kernel/amd_iommu.c  2010-09-17 20:12:09.000000000 -0400
10043 @@ -2284,7 +2284,7 @@ static void prealloc_protection_domains(
10044         }
10045  }
10046  
10047 -static struct dma_map_ops amd_iommu_dma_ops = {
10048 +static const struct dma_map_ops amd_iommu_dma_ops = {
10049         .alloc_coherent = alloc_coherent,
10050         .free_coherent = free_coherent,
10051         .map_page = map_page,
10052 diff -urNp linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c
10053 --- linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c       2010-09-20 17:33:09.000000000 -0400
10054 +++ linux-2.6.35.5/arch/x86/kernel/apic/io_apic.c       2010-09-20 17:33:32.000000000 -0400
10055 @@ -691,7 +691,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10056         ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10057                                 GFP_ATOMIC);
10058         if (!ioapic_entries)
10059 -               return 0;
10060 +               return NULL;
10061  
10062         for (apic = 0; apic < nr_ioapics; apic++) {
10063                 ioapic_entries[apic] =
10064 @@ -708,7 +708,7 @@ nomem:
10065                 kfree(ioapic_entries[apic]);
10066         kfree(ioapic_entries);
10067  
10068 -       return 0;
10069 +       return NULL;
10070  }
10071  
10072  /*
10073 @@ -1118,7 +1118,7 @@ int IO_APIC_get_PCI_irq_vector(int bus, 
10074  }
10075  EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10076  
10077 -void lock_vector_lock(void)
10078 +void lock_vector_lock(void) __acquires(vector_lock)
10079  {
10080         /* Used to the online set of cpus does not change
10081          * during assign_irq_vector.
10082 @@ -1126,7 +1126,7 @@ void lock_vector_lock(void)
10083         raw_spin_lock(&vector_lock);
10084  }
10085  
10086 -void unlock_vector_lock(void)
10087 +void unlock_vector_lock(void) __releases(vector_lock)
10088  {
10089         raw_spin_unlock(&vector_lock);
10090  }
10091 diff -urNp linux-2.6.35.5/arch/x86/kernel/apm_32.c linux-2.6.35.5/arch/x86/kernel/apm_32.c
10092 --- linux-2.6.35.5/arch/x86/kernel/apm_32.c     2010-08-26 19:47:12.000000000 -0400
10093 +++ linux-2.6.35.5/arch/x86/kernel/apm_32.c     2010-09-17 20:12:09.000000000 -0400
10094 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10095   * This is for buggy BIOS's that refer to (real mode) segment 0x40
10096   * even though they are called in protected mode.
10097   */
10098 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10099 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10100                         (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10101  
10102  static const char driver_version[] = "1.16ac"; /* no spaces */
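Review bot: The flags word of `bad_bios_desc` changes from `0x4092` to `0x4093` with no comment, and the only difference is the accessed bit of the descriptor type, which is easy to miss next to the `const` change on the same line. If the intent is that the CPU never needs to write the accessed bit back into a GDT that is kept read-only, the existing comment above the definition should say so, for example `/* accessed bit preset (0x..93) so loading the segment does not write to the GDT */`. The reason itself is not visible in this hunk and should be confirmed before wording the comment.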
10103 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10104         BUG_ON(cpu != 0);
10105         gdt = get_cpu_gdt_table(cpu);
10106         save_desc_40 = gdt[0x40 / 8];
10107 +
10108 +       pax_open_kernel();
10109         gdt[0x40 / 8] = bad_bios_desc;
10110 +       pax_close_kernel();
10111  
10112         apm_irq_save(flags);
10113         APM_DO_SAVE_SEGS;
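Review bot: The open/store/close sequence around `gdt[0x40 / 8]` is written out by hand four times, here and in the next hunk of __apm_bios_call and in both hunks of __apm_bios_call_simple, so any later change to how the write window is opened has to be repeated in each place. A small static helper that takes the GDT pointer and the descriptor keeps the writable window to the single store and makes the install/restore pair easy to audit. Both functions start and end outside these hunks, so the fence below only sketches the shape.

```c
/* Store a descriptor in GDT slot 0x40, opening the kernel write window only for the store. */
static void apm_set_desc_40(struct desc_struct *gdt,
			    const struct desc_struct *desc)
{
	pax_open_kernel();
	gdt[0x40 / 8] = *desc;
	pax_close_kernel();
}

/* … unchanged: BUG_ON, get_cpu_gdt_table, save_desc_40 … */
	apm_set_desc_40(gdt, &bad_bios_desc);
/* … unchanged: the BIOS call and segment save/restore … */
	apm_set_desc_40(gdt, &save_desc_40);
```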
10114 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10115                           &call->esi);
10116         APM_DO_RESTORE_SEGS;
10117         apm_irq_restore(flags);
10118 +
10119 +       pax_open_kernel();
10120         gdt[0x40 / 8] = save_desc_40;
10121 +       pax_close_kernel();
10122 +
10123         put_cpu();
10124  
10125         return call->eax & 0xff;
10126 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void 
10127         BUG_ON(cpu != 0);
10128         gdt = get_cpu_gdt_table(cpu);
10129         save_desc_40 = gdt[0x40 / 8];
10130 +
10131 +       pax_open_kernel();
10132         gdt[0x40 / 8] = bad_bios_desc;
10133 +       pax_close_kernel();
10134  
10135         apm_irq_save(flags);
10136         APM_DO_SAVE_SEGS;
10137 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void 
10138                                          &call->eax);
10139         APM_DO_RESTORE_SEGS;
10140         apm_irq_restore(flags);
10141 +
10142 +       pax_open_kernel();
10143         gdt[0x40 / 8] = save_desc_40;
10144 +       pax_close_kernel();
10145 +
10146         put_cpu();
10147         return error;
10148  }
10149 @@ -975,7 +989,7 @@ recalc:
10150  
10151  static void apm_power_off(void)
10152  {
10153 -       unsigned char po_bios_call[] = {
10154 +       const unsigned char po_bios_call[] = {
10155                 0xb8, 0x00, 0x10,       /* movw  $0x1000,ax  */
10156                 0x8e, 0xd0,             /* movw  ax,ss       */
10157                 0xbc, 0x00, 0xf0,       /* movw  $0xf000,sp  */
10158 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
10159  static struct miscdevice apm_device = {
10160         APM_MINOR_DEV,
10161         "apm_bios",
10162 -       &apm_bios_fops
10163 +       &apm_bios_fops,
10164 +       {NULL, NULL},
10165 +       NULL,
10166 +       NULL
10167  };
10168  
10169  
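Review bot: The added `{NULL, NULL}, NULL, NULL` ties this initializer to the current member order of struct miscdevice, so inserting or reordering a member would silently shift values into the wrong fields. Designated initializers express the same thing without that dependency: `.minor = APM_MINOR_DEV, .name = "apm_bios", .fops = &apm_bios_fops,`, with the remaining members left to implicit zero-initialization. The same applies to the `{NULL, NULL}, NULL, NULL` line added to mce_log_device in arch/x86/kernel/cpu/mcheck/mce.c.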
10170 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
10171                 {       DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10172         },
10173  
10174 -       { }
10175 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10176  };
10177  
10178  /*
10179 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
10180          * code to that CPU.
10181          */
10182         gdt = get_cpu_gdt_table(0);
10183 +
10184 +       pax_open_kernel();
10185         set_desc_base(&gdt[APM_CS >> 3],
10186                  (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10187         set_desc_base(&gdt[APM_CS_16 >> 3],
10188                  (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10189         set_desc_base(&gdt[APM_DS >> 3],
10190                  (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10191 +       pax_close_kernel();
10192  
10193         proc_create("apm", 0, NULL, &apm_file_ops);
10194  
10195 diff -urNp linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c
10196 --- linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c     2010-08-26 19:47:12.000000000 -0400
10197 +++ linux-2.6.35.5/arch/x86/kernel/asm-offsets_32.c     2010-09-17 20:12:09.000000000 -0400
10198 @@ -115,6 +115,11 @@ void foo(void)
10199         OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10200         OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10201         OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10202 +
10203 +#ifdef CONFIG_PAX_KERNEXEC
10204 +       OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10205 +#endif
10206 +
10207  #endif
10208  
10209  #ifdef CONFIG_XEN
10210 diff -urNp linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c
10211 --- linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c     2010-08-26 19:47:12.000000000 -0400
10212 +++ linux-2.6.35.5/arch/x86/kernel/asm-offsets_64.c     2010-09-17 20:12:09.000000000 -0400
10213 @@ -63,6 +63,18 @@ int main(void)
10214         OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10215         OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10216         OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10217 +
10218 +#ifdef CONFIG_PAX_KERNEXEC
10219 +       OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10220 +       OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10221 +#endif
10222 +
10223 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10224 +       OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10225 +       OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10226 +       OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10227 +#endif
10228 +
10229  #endif
10230  
10231  
10232 @@ -115,6 +127,7 @@ int main(void)
10233         ENTRY(cr8);
10234         BLANK();
10235  #undef ENTRY
10236 +       DEFINE(TSS_size, sizeof(struct tss_struct));
10237         DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10238         BLANK();
10239         DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10240 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/common.c linux-2.6.35.5/arch/x86/kernel/cpu/common.c
10241 --- linux-2.6.35.5/arch/x86/kernel/cpu/common.c 2010-08-26 19:47:12.000000000 -0400
10242 +++ linux-2.6.35.5/arch/x86/kernel/cpu/common.c 2010-09-17 20:12:09.000000000 -0400
10243 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10244  
10245  static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10246  
10247 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10248 -#ifdef CONFIG_X86_64
10249 -       /*
10250 -        * We need valid kernel segments for data and code in long mode too
10251 -        * IRET will check the segment types  kkeil 2000/10/28
10252 -        * Also sysret mandates a special GDT layout
10253 -        *
10254 -        * TLS descriptors are currently at a different place compared to i386.
10255 -        * Hopefully nobody expects them at a fixed place (Wine?)
10256 -        */
10257 -       [GDT_ENTRY_KERNEL32_CS]         = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10258 -       [GDT_ENTRY_KERNEL_CS]           = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10259 -       [GDT_ENTRY_KERNEL_DS]           = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10260 -       [GDT_ENTRY_DEFAULT_USER32_CS]   = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10261 -       [GDT_ENTRY_DEFAULT_USER_DS]     = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10262 -       [GDT_ENTRY_DEFAULT_USER_CS]     = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10263 -#else
10264 -       [GDT_ENTRY_KERNEL_CS]           = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10265 -       [GDT_ENTRY_KERNEL_DS]           = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10266 -       [GDT_ENTRY_DEFAULT_USER_CS]     = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10267 -       [GDT_ENTRY_DEFAULT_USER_DS]     = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10268 -       /*
10269 -        * Segments used for calling PnP BIOS have byte granularity.
10270 -        * They code segments and data segments have fixed 64k limits,
10271 -        * the transfer segment sizes are set at run time.
10272 -        */
10273 -       /* 32-bit code */
10274 -       [GDT_ENTRY_PNPBIOS_CS32]        = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10275 -       /* 16-bit code */
10276 -       [GDT_ENTRY_PNPBIOS_CS16]        = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10277 -       /* 16-bit data */
10278 -       [GDT_ENTRY_PNPBIOS_DS]          = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10279 -       /* 16-bit data */
10280 -       [GDT_ENTRY_PNPBIOS_TS1]         = GDT_ENTRY_INIT(0x0092, 0, 0),
10281 -       /* 16-bit data */
10282 -       [GDT_ENTRY_PNPBIOS_TS2]         = GDT_ENTRY_INIT(0x0092, 0, 0),
10283 -       /*
10284 -        * The APM segments have byte granularity and their bases
10285 -        * are set at run time.  All have 64k limits.
10286 -        */
10287 -       /* 32-bit code */
10288 -       [GDT_ENTRY_APMBIOS_BASE]        = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10289 -       /* 16-bit code */
10290 -       [GDT_ENTRY_APMBIOS_BASE+1]      = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10291 -       /* data */
10292 -       [GDT_ENTRY_APMBIOS_BASE+2]      = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10293 -
10294 -       [GDT_ENTRY_ESPFIX_SS]           = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10295 -       [GDT_ENTRY_PERCPU]              = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10296 -       GDT_STACK_CANARY_INIT
10297 -#endif
10298 -} };
10299 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10300 -
10301  static int __init x86_xsave_setup(char *s)
10302  {
10303         setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10304 @@ -344,7 +290,7 @@ void switch_to_new_gdt(int cpu)
10305  {
10306         struct desc_ptr gdt_descr;
10307  
10308 -       gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10309 +       gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10310         gdt_descr.size = GDT_SIZE - 1;
10311         load_gdt(&gdt_descr);
10312         /* Reload the per-cpu base */
10313 @@ -802,6 +748,10 @@ static void __cpuinit identify_cpu(struc
10314         /* Filter out anything that depends on CPUID levels we don't have */
10315         filter_cpuid_features(c, true);
10316  
10317 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10318 +       setup_clear_cpu_cap(X86_FEATURE_SEP);
10319 +#endif
10320 +
10321         /* If the model name is still unset, do table lookup. */
10322         if (!c->x86_model_id[0]) {
10323                 const char *p;
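Review bot: Nothing at the added `setup_clear_cpu_cap(X86_FEATURE_SEP)` says why the feature is masked, and the condition (SEGMEXEC, KERNEXEC, or UDEREF only on 32-bit) is not self-explanatory. A one-line comment above the `#if` would help, for example `/* SEP is hidden so the sysenter path is never enabled with these options */`, completed with the actual reason, which this hunk does not show. identify_cpu starts and ends outside the hunk.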
10324 @@ -1117,7 +1067,7 @@ void __cpuinit cpu_init(void)
10325         int i;
10326  
10327         cpu = stack_smp_processor_id();
10328 -       t = &per_cpu(init_tss, cpu);
10329 +       t = init_tss + cpu;
10330         oist = &per_cpu(orig_ist, cpu);
10331  
10332  #ifdef CONFIG_NUMA
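Review bot: `init_tss + cpu` treats init_tss as a plain array indexed by CPU number, but its declaration and size are outside this hunk, so the bound has to be checked against the definition elsewhere in the patch. Writing it as `t = &init_tss[cpu];` states the indexing more directly. The same applies to the second cpu_init at @@ -1205, and both functions continue outside their hunks.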
10333 @@ -1143,7 +1093,7 @@ void __cpuinit cpu_init(void)
10334         switch_to_new_gdt(cpu);
10335         loadsegment(fs, 0);
10336  
10337 -       load_idt((const struct desc_ptr *)&idt_descr);
10338 +       load_idt(&idt_descr);
10339  
10340         memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10341         syscall_init();
10342 @@ -1205,7 +1155,7 @@ void __cpuinit cpu_init(void)
10343  {
10344         int cpu = smp_processor_id();
10345         struct task_struct *curr = current;
10346 -       struct tss_struct *t = &per_cpu(init_tss, cpu);
10347 +       struct tss_struct *t = init_tss + cpu;
10348         struct thread_struct *thread = &curr->thread;
10349  
10350         if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10351 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10352 --- linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c   2010-08-26 19:47:12.000000000 -0400
10353 +++ linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c   2010-09-17 20:12:09.000000000 -0400
10354 @@ -484,7 +484,7 @@ static const struct dmi_system_id sw_any
10355                         DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10356                 },
10357         },
10358 -       { }
10359 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10360  };
10361  
10362  static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10363 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10364 --- linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c     2010-08-26 19:47:12.000000000 -0400
10365 +++ linux-2.6.35.5/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c     2010-09-17 20:12:09.000000000 -0400
10366 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10367         { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10368         { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10369  
10370 -       { NULL, }
10371 +       { NULL, NULL, 0, NULL}
10372  };
10373  #undef _BANIAS
10374  #undef BANIAS
10375 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/intel.c linux-2.6.35.5/arch/x86/kernel/cpu/intel.c
10376 --- linux-2.6.35.5/arch/x86/kernel/cpu/intel.c  2010-08-26 19:47:12.000000000 -0400
10377 +++ linux-2.6.35.5/arch/x86/kernel/cpu/intel.c  2010-09-17 20:12:09.000000000 -0400
10378 @@ -160,7 +160,7 @@ static void __cpuinit trap_init_f00f_bug
10379          * Update the IDT descriptor and reload the IDT so that
10380          * it uses the read-only mapped virtual address.
10381          */
10382 -       idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10383 +       idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10384         load_idt(&idt_descr);
10385  }
10386  #endif
10387 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/Makefile linux-2.6.35.5/arch/x86/kernel/cpu/Makefile
10388 --- linux-2.6.35.5/arch/x86/kernel/cpu/Makefile 2010-08-26 19:47:12.000000000 -0400
10389 +++ linux-2.6.35.5/arch/x86/kernel/cpu/Makefile 2010-09-17 20:12:09.000000000 -0400
10390 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10391  CFLAGS_REMOVE_perf_event.o = -pg
10392  endif
10393  
10394 -# Make sure load_percpu_segment has no stackprotector
10395 -nostackp := $(call cc-option, -fno-stack-protector)
10396 -CFLAGS_common.o                := $(nostackp)
10397 -
10398  obj-y                  := intel_cacheinfo.o addon_cpuid_features.o
10399  obj-y                  += proc.o capflags.o powerflags.o common.o
10400  obj-y                  += vmware.o hypervisor.o sched.o mshyperv.o
10401 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c
10402 --- linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c     2010-08-26 19:47:12.000000000 -0400
10403 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mcheck/mce.c     2010-09-17 20:12:09.000000000 -0400
10404 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10405                         !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10406                                 m->cs, m->ip);
10407  
10408 -               if (m->cs == __KERNEL_CS)
10409 +               if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10410                         print_symbol("{%s}", m->ip);
10411                 pr_cont("\n");
10412         }
10413 @@ -1471,14 +1471,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10414   */
10415  
10416  static DEFINE_SPINLOCK(mce_state_lock);
10417 -static int             open_count;             /* #times opened */
10418 +static atomic_t                open_count;             /* #times opened */
10419  static int             open_exclu;             /* already open exclusive? */
10420  
10421  static int mce_open(struct inode *inode, struct file *file)
10422  {
10423         spin_lock(&mce_state_lock);
10424  
10425 -       if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10426 +       if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10427                 spin_unlock(&mce_state_lock);
10428  
10429                 return -EBUSY;
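Review bot: Every access to open_count visible in mce_open and mce_release (this hunk and the two after it) already happens under mce_state_lock, so the switch to atomic_t adds nothing for these paths; presumably a reader outside the lock exists elsewhere in the file. The declaration comment should name it if so, e.g. `/* #times opened; atomic because it is also read without mce_state_lock */`. open_exclu stays a plain int and is still protected only by the lock. mce_open continues outside the hunk.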
10430 @@ -1486,7 +1486,7 @@ static int mce_open(struct inode *inode,
10431  
10432         if (file->f_flags & O_EXCL)
10433                 open_exclu = 1;
10434 -       open_count++;
10435 +       atomic_inc(&open_count);
10436  
10437         spin_unlock(&mce_state_lock);
10438  
10439 @@ -1497,7 +1497,7 @@ static int mce_release(struct inode *ino
10440  {
10441         spin_lock(&mce_state_lock);
10442  
10443 -       open_count--;
10444 +       atomic_dec(&open_count);
10445         open_exclu = 0;
10446  
10447         spin_unlock(&mce_state_lock);
10448 @@ -1683,6 +1683,7 @@ static struct miscdevice mce_log_device 
10449         MISC_MCELOG_MINOR,
10450         "mcelog",
10451         &mce_chrdev_ops,
10452 +       {NULL, NULL}, NULL, NULL
10453  };
10454  
10455  /*
10456 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c
10457 --- linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c   2010-08-26 19:47:12.000000000 -0400
10458 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/generic.c   2010-09-17 20:12:09.000000000 -0400
10459 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10460         { MSR_MTRRfix64K_00000, 1 }, /* one   64k MTRR  */
10461         { MSR_MTRRfix16K_80000, 2 }, /* two   16k MTRRs */
10462         { MSR_MTRRfix4K_C0000,  8 }, /* eight  4k MTRRs */
10463 -       {}
10464 +       { 0, 0 }
10465  };
10466  
10467  static unsigned long smp_changes_mask;
10468 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c
10469 --- linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c      2010-08-26 19:47:12.000000000 -0400
10470 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/main.c      2010-09-17 20:12:09.000000000 -0400
10471 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10472  u64 size_or_mask, size_and_mask;
10473  static bool mtrr_aps_delayed_init;
10474  
10475 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10476 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10477  
10478  const struct mtrr_ops *mtrr_if;
10479  
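Review bot: With `__read_only` on the mtrr_ops array, every store into it has to happen before the read-only data is write-protected, or be bracketed with pax_open_kernel()/pax_close_kernel() as the apm_32.c hunks do, and the code that fills the array is outside this hunk. A comment on the declaration would make that constraint visible, e.g. `/* filled during early init only; read-only afterwards */`, if that matches the writers.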
10480 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h
10481 --- linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h      2010-08-26 19:47:12.000000000 -0400
10482 +++ linux-2.6.35.5/arch/x86/kernel/cpu/mtrr/mtrr.h      2010-09-17 20:12:09.000000000 -0400
10483 @@ -12,19 +12,19 @@
10484  extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10485  
10486  struct mtrr_ops {
10487 -       u32     vendor;
10488 -       u32     use_intel_if;
10489 -       void    (*set)(unsigned int reg, unsigned long base,
10490 +       const u32       vendor;
10491 +       const u32       use_intel_if;
10492 +       void    (* const set)(unsigned int reg, unsigned long base,
10493                        unsigned long size, mtrr_type type);
10494 -       void    (*set_all)(void);
10495 +       void    (* const set_all)(void);
10496  
10497 -       void    (*get)(unsigned int reg, unsigned long *base,
10498 +       void    (* const get)(unsigned int reg, unsigned long *base,
10499                        unsigned long *size, mtrr_type *type);
10500 -       int     (*get_free_region)(unsigned long base, unsigned long size,
10501 +       int     (* const get_free_region)(unsigned long base, unsigned long size,
10502                                    int replace_reg);
10503 -       int     (*validate_add_page)(unsigned long base, unsigned long size,
10504 +       int     (* const validate_add_page)(unsigned long base, unsigned long size,
10505                                      unsigned int type);
10506 -       int     (*have_wrcomb)(void);
10507 +       int     (* const have_wrcomb)(void);
10508  };
10509  
10510  extern int generic_get_free_region(unsigned long base, unsigned long size,
10511 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c
10512 --- linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c       2010-08-26 19:47:12.000000000 -0400
10513 +++ linux-2.6.35.5/arch/x86/kernel/cpu/perfctr-watchdog.c       2010-09-17 20:12:09.000000000 -0400
10514 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10515  
10516  /* Interface defining a CPU specific perfctr watchdog */
10517  struct wd_ops {
10518 -       int (*reserve)(void);
10519 -       void (*unreserve)(void);
10520 -       int (*setup)(unsigned nmi_hz);
10521 -       void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10522 -       void (*stop)(void);
10523 +       int (* const reserve)(void);
10524 +       void (* const unreserve)(void);
10525 +       int (* const setup)(unsigned nmi_hz);
10526 +       void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10527 +       void (* const stop)(void);
10528         unsigned perfctr;
10529         unsigned evntsel;
10530         u64 checkbit;
10531 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10532  #define ARCH_PERFMON_NMI_EVENT_SEL     ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10533  #define ARCH_PERFMON_NMI_EVENT_UMASK   ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10534  
10535 +/* cannot be const, see probe_nmi_watchdog */
10536  static struct wd_ops intel_arch_wd_ops;
10537  
10538  static int setup_intel_arch_watchdog(unsigned nmi_hz)
10539 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10540         return 1;
10541  }
10542  
10543 +/* cannot be const */
10544  static struct wd_ops intel_arch_wd_ops __read_mostly = {
10545         .reserve        = single_msr_reserve,
10546         .unreserve      = single_msr_unreserve,
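Review bot: The added comment `/* cannot be const */` gives no reason, while the comment added on the forward declaration of the same object says `/* cannot be const, see probe_nmi_watchdog */`. Repeating the reference here, `/* cannot be const, see probe_nmi_watchdog */`, keeps the two in step for a reader who lands on the definition first. The initializer continues outside the hunk.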
10547 diff -urNp linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c
10548 --- linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c     2010-08-26 19:47:12.000000000 -0400
10549 +++ linux-2.6.35.5/arch/x86/kernel/cpu/perf_event.c     2010-09-17 20:12:09.000000000 -0400
10550 @@ -1685,7 +1685,7 @@ perf_callchain_user(struct pt_regs *regs
10551                         break;
10552  
10553                 callchain_store(entry, frame.return_address);
10554 -               fp = frame.next_frame;
10555 +               fp = (__force const void __user *)frame.next_frame;
10556         }
10557  }
10558  
10559 diff -urNp linux-2.6.35.5/arch/x86/kernel/crash.c linux-2.6.35.5/arch/x86/kernel/crash.c
10560 --- linux-2.6.35.5/arch/x86/kernel/crash.c      2010-08-26 19:47:12.000000000 -0400
10561 +++ linux-2.6.35.5/arch/x86/kernel/crash.c      2010-09-17 20:12:09.000000000 -0400
10562 @@ -40,7 +40,7 @@ static void kdump_nmi_callback(int cpu, 
10563         regs = args->regs;
10564  
10565  #ifdef CONFIG_X86_32
10566 -       if (!user_mode_vm(regs)) {
10567 +       if (!user_mode(regs)) {
10568                 crash_fixup_ss_esp(&fixed_regs, regs);
10569                 regs = &fixed_regs;
10570         }
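Review bot: Replacing user_mode_vm() with user_mode() is only safe if user_mode() is redefined elsewhere in this patch to treat vm86 mode as user mode too; that definition is not in this hunk. Without it, a vm86 task would take the kernel-register fixup branch here. The same substitution appears in show_registers in dumpstack_32.c and in __die and die in dumpstack.c, so the assumption is best stated once, in a comment next to the user_mode() definition. kdump_nmi_callback starts and ends outside the hunk.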
10571 diff -urNp linux-2.6.35.5/arch/x86/kernel/doublefault_32.c linux-2.6.35.5/arch/x86/kernel/doublefault_32.c
10572 --- linux-2.6.35.5/arch/x86/kernel/doublefault_32.c     2010-08-26 19:47:12.000000000 -0400
10573 +++ linux-2.6.35.5/arch/x86/kernel/doublefault_32.c     2010-09-17 20:12:09.000000000 -0400
10574 @@ -11,7 +11,7 @@
10575  
10576  #define DOUBLEFAULT_STACKSIZE (1024)
10577  static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10578 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10579 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10580  
10581  #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
10582  
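Review bot: The `-2` added to STACK_START is an unexplained constant: it leaves two unsigned longs unused at the top of doublefault_stack without saying what they are reserved for. A comment on the define would do, e.g. `/* initial sp sits two words below the end of doublefault_stack */`, completed with the reason, which this hunk does not show.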
10583 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10584         unsigned long gdt, tss;
10585  
10586         store_gdt(&gdt_desc);
10587 -       gdt = gdt_desc.address;
10588 +       gdt = (unsigned long)gdt_desc.address;
10589  
10590         printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10591  
10592 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10593                 /* 0x2 bit is always set */
10594                 .flags          = X86_EFLAGS_SF | 0x2,
10595                 .sp             = STACK_START,
10596 -               .es             = __USER_DS,
10597 +               .es             = __KERNEL_DS,
10598                 .cs             = __KERNEL_CS,
10599                 .ss             = __KERNEL_DS,
10600 -               .ds             = __USER_DS,
10601 +               .ds             = __KERNEL_DS,
10602                 .fs             = __KERNEL_PERCPU,
10603  
10604                 .__cr3          = __pa_nodebug(swapper_pg_dir),
10605 diff -urNp linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c
10606 --- linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c       2010-08-26 19:47:12.000000000 -0400
10607 +++ linux-2.6.35.5/arch/x86/kernel/dumpstack_32.c       2010-09-17 20:12:09.000000000 -0400
10608 @@ -107,11 +107,12 @@ void show_registers(struct pt_regs *regs
10609          * When in-kernel, we also print out the stack and code at the
10610          * time of the fault..
10611          */
10612 -       if (!user_mode_vm(regs)) {
10613 +       if (!user_mode(regs)) {
10614                 unsigned int code_prologue = code_bytes * 43 / 64;
10615                 unsigned int code_len = code_bytes;
10616                 unsigned char c;
10617                 u8 *ip;
10618 +               unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10619  
10620                 printk(KERN_EMERG "Stack:\n");
10621                 show_stack_log_lvl(NULL, regs, &regs->sp,
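Review bot: The selector in `regs->cs` is turned into a GDT index on the added `cs_base` line without checking the table-indicator bit or that the index is below GDT_ENTRIES, and this runs on the oops path where the saved registers may not be trustworthy. A bounded form would be `unsigned int idx = (regs->cs & 0xffff) >> 3;` followed by `cs_base = idx < GDT_ENTRIES ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[idx]) : 0;`. Splitting it this way also breaks up the overlong declaration. show_registers starts and ends outside the hunk.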
10622 @@ -119,10 +120,10 @@ void show_registers(struct pt_regs *regs
10623  
10624                 printk(KERN_EMERG "Code: ");
10625  
10626 -               ip = (u8 *)regs->ip - code_prologue;
10627 +               ip = (u8 *)regs->ip - code_prologue + cs_base;
10628                 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10629                         /* try starting at IP */
10630 -                       ip = (u8 *)regs->ip;
10631 +                       ip = (u8 *)regs->ip + cs_base;
10632                         code_len = code_len - code_prologue + 1;
10633                 }
10634                 for (i = 0; i < code_len; i++, ip++) {
10635 @@ -131,7 +132,7 @@ void show_registers(struct pt_regs *regs
10636                                 printk(" Bad EIP value.");
10637                                 break;
10638                         }
10639 -                       if (ip == (u8 *)regs->ip)
10640 +                       if (ip == (u8 *)regs->ip + cs_base)
10641                                 printk("<%02x> ", c);
10642                         else
10643                                 printk("%02x ", c);
10644 @@ -144,6 +145,7 @@ int is_valid_bugaddr(unsigned long ip)
10645  {
10646         unsigned short ud2;
10647  
10648 +       ip = ktla_ktva(ip);
10649         if (ip < PAGE_OFFSET)
10650                 return 0;
10651         if (probe_kernel_address((unsigned short *)ip, ud2))
10652 diff -urNp linux-2.6.35.5/arch/x86/kernel/dumpstack.c linux-2.6.35.5/arch/x86/kernel/dumpstack.c
10653 --- linux-2.6.35.5/arch/x86/kernel/dumpstack.c  2010-08-26 19:47:12.000000000 -0400
10654 +++ linux-2.6.35.5/arch/x86/kernel/dumpstack.c  2010-09-17 20:12:09.000000000 -0400
10655 @@ -207,7 +207,7 @@ void dump_stack(void)
10656  #endif
10657  
10658         printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
10659 -               current->pid, current->comm, current->xid, print_tainted(),
10660 +               task_pid_nr(current), current->comm, current->xid, print_tainted(),
10661                 init_utsname()->release,
10662                 (int)strcspn(init_utsname()->version, " "),
10663                 init_utsname()->version);
10664 @@ -263,7 +263,7 @@ void __kprobes oops_end(unsigned long fl
10665                 panic("Fatal exception in interrupt");
10666         if (panic_on_oops)
10667                 panic("Fatal exception");
10668 -       do_exit(signr);
10669 +       do_group_exit(signr);
10670  }
10671  
10672  int __kprobes __die(const char *str, struct pt_regs *regs, long err)
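Review bot: No comment at the changed call explains why `do_group_exit(signr)` is used, which ends every thread of the faulting process rather than only the task that oopsed. Since this changes what survives a kernel oops, a short comment such as `/* take down the whole thread group, not just the faulting thread */` would record that the wider scope is intended. oops_end starts outside the hunk.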
10673 @@ -290,7 +290,7 @@ int __kprobes __die(const char *str, str
10674  
10675         show_registers(regs);
10676  #ifdef CONFIG_X86_32
10677 -       if (user_mode_vm(regs)) {
10678 +       if (user_mode(regs)) {
10679                 sp = regs->sp;
10680                 ss = regs->ss & 0xffff;
10681         } else {
10682 @@ -318,7 +318,7 @@ void die(const char *str, struct pt_regs
10683         unsigned long flags = oops_begin();
10684         int sig = SIGSEGV;
10685  
10686 -       if (!user_mode_vm(regs))
10687 +       if (!user_mode(regs))
10688                 report_bug(regs->ip, regs);
10689  
10690         if (__die(str, regs, err))
10691 diff -urNp linux-2.6.35.5/arch/x86/kernel/efi_32.c linux-2.6.35.5/arch/x86/kernel/efi_32.c
10692 --- linux-2.6.35.5/arch/x86/kernel/efi_32.c     2010-08-26 19:47:12.000000000 -0400
10693 +++ linux-2.6.35.5/arch/x86/kernel/efi_32.c     2010-09-17 20:12:09.000000000 -0400
10694 @@ -38,70 +38,38 @@
10695   */
10696  
10697  static unsigned long efi_rt_eflags;
10698 -static pgd_t efi_bak_pg_dir_pointer[2];
10699 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10700  
10701 -void efi_call_phys_prelog(void)
10702 +void __init efi_call_phys_prelog(void)
10703  {
10704 -       unsigned long cr4;
10705 -       unsigned long temp;
10706         struct desc_ptr gdt_descr;
10707  
10708         local_irq_save(efi_rt_eflags);
10709  
10710 -       /*
10711 -        * If I don't have PAE, I should just duplicate two entries in page
10712 -        * directory. If I have PAE, I just need to duplicate one entry in
10713 -        * page directory.
10714 -        */
10715 -       cr4 = read_cr4_safe();
10716  
10717 -       if (cr4 & X86_CR4_PAE) {
10718 -               efi_bak_pg_dir_pointer[0].pgd =
10719 -                   swapper_pg_dir[pgd_index(0)].pgd;
10720 -               swapper_pg_dir[0].pgd =
10721 -                   swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10722 -       } else {
10723 -               efi_bak_pg_dir_pointer[0].pgd =
10724 -                   swapper_pg_dir[pgd_index(0)].pgd;
10725 -               efi_bak_pg_dir_pointer[1].pgd =
10726 -                   swapper_pg_dir[pgd_index(0x400000)].pgd;
10727 -               swapper_pg_dir[pgd_index(0)].pgd =
10728 -                   swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10729 -               temp = PAGE_OFFSET + 0x400000;
10730 -               swapper_pg_dir[pgd_index(0x400000)].pgd =
10731 -                   swapper_pg_dir[pgd_index(temp)].pgd;
10732 -       }
10733 +       clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10734 +       clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10735 +                       min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10736  
10737         /*
10738          * After the lock is released, the original page table is restored.
10739          */
10740         __flush_tlb_all();
10741  
10742 -       gdt_descr.address = __pa(get_cpu_gdt_table(0));
10743 +       gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10744         gdt_descr.size = GDT_SIZE - 1;
10745         load_gdt(&gdt_descr);
10746  }
10747  
10748 -void efi_call_phys_epilog(void)
10749 +void __init efi_call_phys_epilog(void)
10750  {
10751 -       unsigned long cr4;
10752         struct desc_ptr gdt_descr;
10753  
10754 -       gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10755 +       gdt_descr.address = get_cpu_gdt_table(0);
10756         gdt_descr.size = GDT_SIZE - 1;
10757         load_gdt(&gdt_descr);
10758  
10759 -       cr4 = read_cr4_safe();
10760 -
10761 -       if (cr4 & X86_CR4_PAE) {
10762 -               swapper_pg_dir[pgd_index(0)].pgd =
10763 -                   efi_bak_pg_dir_pointer[0].pgd;
10764 -       } else {
10765 -               swapper_pg_dir[pgd_index(0)].pgd =
10766 -                   efi_bak_pg_dir_pointer[0].pgd;
10767 -               swapper_pg_dir[pgd_index(0x400000)].pgd =
10768 -                   efi_bak_pg_dir_pointer[1].pgd;
10769 -       }
10770 +       clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10771  
10772         /*
10773          * After the lock is released, the original page table is restored.
10774 diff -urNp linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S
10775 --- linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S        2010-08-26 19:47:12.000000000 -0400
10776 +++ linux-2.6.35.5/arch/x86/kernel/efi_stub_32.S        2010-09-17 20:12:09.000000000 -0400
10777 @@ -6,6 +6,7 @@
10778   */
10779  
10780  #include <linux/linkage.h>
10781 +#include <linux/init.h>
10782  #include <asm/page_types.h>
10783  
10784  /*
10785 @@ -20,7 +21,7 @@
10786   * service functions will comply with gcc calling convention, too.
10787   */
10788  
10789 -.text
10790 +__INIT
10791  ENTRY(efi_call_phys)
10792         /*
10793          * 0. The function can only be called in Linux kernel. So CS has been
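Review bot: Moving efi_call_phys from `.text` to `__INIT` means the stub is discarded with the rest of init memory, but nothing at the entry point says so. The final hunk of this file moves its two scratch words, saved_return_addr and efi_rt_function_ptr, to `__INITDATA` in the same way. A caller that runs after init memory is freed would jump into released pages; whether any such caller exists is not visible here. I would add a line above `ENTRY(efi_call_phys)`, for example `/* .init.text: callable only before init memory is freed; uses .init.data scratch words, not reentrant */`.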
10794 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
10795          * The mapping of lower virtual memory has been created in prelog and
10796          * epilog.
10797          */
10798 -       movl    $1f, %edx
10799 -       subl    $__PAGE_OFFSET, %edx
10800 -       jmp     *%edx
10801 +       jmp     1f-__PAGE_OFFSET
10802  1:
10803  
10804         /*
10805 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
10806          * parameter 2, ..., param n. To make things easy, we save the return
10807          * address of efi_call_phys in a global variable.
10808          */
10809 -       popl    %edx
10810 -       movl    %edx, saved_return_addr
10811 -       /* get the function pointer into ECX*/
10812 -       popl    %ecx
10813 -       movl    %ecx, efi_rt_function_ptr
10814 -       movl    $2f, %edx
10815 -       subl    $__PAGE_OFFSET, %edx
10816 -       pushl   %edx
10817 +       popl    (saved_return_addr)
10818 +       popl    (efi_rt_function_ptr)
10819  
10820         /*
10821          * 3. Clear PG bit in %CR0.
10822 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
10823         /*
10824          * 5. Call the physical function.
10825          */
10826 -       jmp     *%ecx
10827 +       call    *(efi_rt_function_ptr-__PAGE_OFFSET)
10828  
10829 -2:
10830         /*
10831          * 6. After EFI runtime service returns, control will return to
10832          * following instruction. We'd better readjust stack pointer first.
10833 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
10834         movl    %cr0, %edx
10835         orl     $0x80000000, %edx
10836         movl    %edx, %cr0
10837 -       jmp     1f
10838 -1:
10839 +
10840         /*
10841          * 8. Now restore the virtual mode from flat mode by
10842          * adding EIP with PAGE_OFFSET.
10843          */
10844 -       movl    $1f, %edx
10845 -       jmp     *%edx
10846 +       jmp     1f+__PAGE_OFFSET
10847  1:
10848  
10849         /*
10850          * 9. Balance the stack. And because EAX contain the return value,
10851          * we'd better not clobber it.
10852          */
10853 -       leal    efi_rt_function_ptr, %edx
10854 -       movl    (%edx), %ecx
10855 -       pushl   %ecx
10856 +       pushl   (efi_rt_function_ptr)
10857  
10858         /*
10859 -        * 10. Push the saved return address onto the stack and return.
10860 +        * 10. Return to the saved return address.
10861          */
10862 -       leal    saved_return_addr, %edx
10863 -       movl    (%edx), %ecx
10864 -       pushl   %ecx
10865 -       ret
10866 +       jmpl    *(saved_return_addr)
10867  ENDPROC(efi_call_phys)
10868  .previous
10869  
10870 -.data
10871 +__INITDATA
10872  saved_return_addr:
10873         .long 0
10874  efi_rt_function_ptr:
10875 diff -urNp linux-2.6.35.5/arch/x86/kernel/entry_32.S linux-2.6.35.5/arch/x86/kernel/entry_32.S
10876 --- linux-2.6.35.5/arch/x86/kernel/entry_32.S   2010-08-26 19:47:12.000000000 -0400
10877 +++ linux-2.6.35.5/arch/x86/kernel/entry_32.S   2010-09-17 20:12:09.000000000 -0400
10878 @@ -192,7 +192,67 @@
10879  
10880  #endif /* CONFIG_X86_32_LAZY_GS */
10881  
10882 -.macro SAVE_ALL
10883 +.macro PAX_EXIT_KERNEL
10884 +#ifdef CONFIG_PAX_KERNEXEC
10885 +#ifdef CONFIG_PARAVIRT
10886 +       push %eax; push %ecx;
10887 +#endif
10888 +       mov %cs, %esi
10889 +       cmp $__KERNEXEC_KERNEL_CS, %esi
10890 +       jnz 2f
10891 +#ifdef CONFIG_PARAVIRT
10892 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
10893 +       mov %eax, %esi
10894 +#else
10895 +       mov %cr0, %esi
10896 +#endif
10897 +       btr $16, %esi
10898 +       ljmp $__KERNEL_CS, $1f
10899 +1:
10900 +#ifdef CONFIG_PARAVIRT
10901 +       mov %esi, %eax
10902 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
10903 +#else
10904 +       mov %esi, %cr0
10905 +#endif
10906 +2:
10907 +#ifdef CONFIG_PARAVIRT
10908 +       pop %ecx; pop %eax
10909 +#endif
10910 +#endif
10911 +.endm
10912 +
10913 +.macro PAX_ENTER_KERNEL
10914 +#ifdef CONFIG_PAX_KERNEXEC
10915 +#ifdef CONFIG_PARAVIRT
10916 +       push %eax; push %ecx;
10917 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
10918 +       mov %eax, %esi
10919 +#else
10920 +       mov %cr0, %esi
10921 +#endif
10922 +       bts $16, %esi
10923 +       jnc 1f
10924 +       mov %cs, %esi
10925 +       cmp $__KERNEL_CS, %esi
10926 +       jz 3f
10927 +       ljmp $__KERNEL_CS, $3f
10928 +1:     ljmp $__KERNEXEC_KERNEL_CS, $2f
10929 +2:
10930 +#ifdef CONFIG_PARAVIRT
10931 +       mov %esi, %eax
10932 +       call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
10933 +#else
10934 +       mov %esi, %cr0
10935 +#endif
10936 +3:
10937 +#ifdef CONFIG_PARAVIRT
10938 +       pop %ecx; pop %eax
10939 +#endif
10940 +#endif
10941 +.endm
10942 +
10943 +.macro __SAVE_ALL _DS
10944         cld
10945         PUSH_GS
10946         pushl %fs
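Review bot: PAX_EXIT_KERNEL and PAX_ENTER_KERNEL both overwrite %esi, and neither macro states which registers a caller may keep live across it. With CONFIG_PARAVIRT they save only %eax and %ecx around the indirect pv_cpu_ops calls, so a call site with a live %edx depends on the pv op preserving it. The `btr $16` / `bts $16` operands are also bare numbers; bit 16 of CR0 is the write-protect bit, which is the whole point of the macros. I would add a header comment to each, e.g. `/* toggles CR0.WP (bit 16); clobbers %esi; PARAVIRT: %edx is not saved across the pv call */`. The __SAVE_ALL macro that this hunk renames continues outside the hunk.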
10947 @@ -225,7 +285,7 @@
10948         pushl %ebx
10949         CFI_ADJUST_CFA_OFFSET 4
10950         CFI_REL_OFFSET ebx, 0
10951 -       movl $(__USER_DS), %edx
10952 +       movl $\_DS, %edx
10953         movl %edx, %ds
10954         movl %edx, %es
10955         movl $(__KERNEL_PERCPU), %edx
10956 @@ -233,6 +293,15 @@
10957         SET_KERNEL_GS %edx
10958  .endm
10959  
10960 +.macro SAVE_ALL
10961 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
10962 +       __SAVE_ALL __KERNEL_DS
10963 +       PAX_ENTER_KERNEL
10964 +#else
10965 +       __SAVE_ALL __USER_DS
10966 +#endif
10967 +.endm
10968 +
10969  .macro RESTORE_INT_REGS
10970         popl %ebx
10971         CFI_ADJUST_CFA_OFFSET -4
10972 @@ -357,7 +426,15 @@ check_userspace:
10973         movb PT_CS(%esp), %al
10974         andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
10975         cmpl $USER_RPL, %eax
10976 +
10977 +#ifdef CONFIG_PAX_KERNEXEC
10978 +       jae resume_userspace
10979 +
10980 +       PAX_EXIT_KERNEL
10981 +       jmp resume_kernel
10982 +#else
10983         jb resume_kernel                # not returning to v8086 or userspace
10984 +#endif
10985  
10986  ENTRY(resume_userspace)
10987         LOCKDEP_SYS_EXIT
10988 @@ -423,10 +500,9 @@ sysenter_past_esp:
10989         /*CFI_REL_OFFSET cs, 0*/
10990         /*
10991          * Push current_thread_info()->sysenter_return to the stack.
10992 -        * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
10993 -        * pushed above; +8 corresponds to copy_thread's esp0 setting.
10994          */
10995 -       pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
10996 +       GET_THREAD_INFO(%ebp)
10997 +       pushl TI_sysenter_return(%ebp)
10998         CFI_ADJUST_CFA_OFFSET 4
10999         CFI_REL_OFFSET eip, 0
11000  
11001 @@ -439,9 +515,19 @@ sysenter_past_esp:
11002   * Load the potential sixth argument from user stack.
11003   * Careful about security.
11004   */
11005 +       movl PT_OLDESP(%esp),%ebp
11006 +
11007 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11008 +       mov PT_OLDSS(%esp),%ds
11009 +1:     movl %ds:(%ebp),%ebp
11010 +       push %ss
11011 +       pop %ds
11012 +#else
11013         cmpl $__PAGE_OFFSET-3,%ebp
11014         jae syscall_fault
11015  1:     movl (%ebp),%ebp
11016 +#endif
11017 +
11018         movl %ebp,PT_EBP(%esp)
11019  .section __ex_table,"a"
11020         .align 4
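Review bot: In the CONFIG_PAX_MEMORY_UDEREF branch the explicit bound `cmpl $__PAGE_OFFSET-3,%ebp` / `jae syscall_fault` is gone, so the user-supplied %ebp is limited only by whatever segment is loaded from PT_OLDSS(%esp), presumably through its limit. %ds stays on that selector until the `push %ss` / `pop %ds` pair runs. The faulting case appears covered, since a later hunk adds the same restore to syscall_fault, but the existing "Careful about security" comment explains none of this. I would extend it with something like `/* UDEREF: the bound is the user segment limit, not a compare; %ds is restored here and in syscall_fault */`. The `__ex_table` entry for label 1 lies outside the hunk.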
11021 @@ -464,12 +550,23 @@ sysenter_do_call:
11022         testl $_TIF_ALLWORK_MASK, %ecx
11023         jne sysexit_audit
11024  sysenter_exit:
11025 +
11026 +#ifdef CONFIG_PAX_RANDKSTACK
11027 +       pushl %eax
11028 +       CFI_ADJUST_CFA_OFFSET 4
11029 +       call pax_randomize_kstack
11030 +       popl %eax
11031 +       CFI_ADJUST_CFA_OFFSET -4
11032 +#endif
11033 +
11034  /* if something modifies registers it must also disable sysexit */
11035         movl PT_EIP(%esp), %edx
11036         movl PT_OLDESP(%esp), %ecx
11037         xorl %ebp,%ebp
11038         TRACE_IRQS_ON
11039  1:     mov  PT_FS(%esp), %fs
11040 +2:     mov  PT_DS(%esp), %ds
11041 +3:     mov  PT_ES(%esp), %es
11042         PTGS_TO_GS
11043         ENABLE_INTERRUPTS_SYSEXIT
11044  
11045 @@ -513,11 +610,17 @@ sysexit_audit:
11046  
11047         CFI_ENDPROC
11048  .pushsection .fixup,"ax"
11049 -2:     movl $0,PT_FS(%esp)
11050 +4:     movl $0,PT_FS(%esp)
11051 +       jmp 1b
11052 +5:     movl $0,PT_DS(%esp)
11053 +       jmp 1b
11054 +6:     movl $0,PT_ES(%esp)
11055         jmp 1b
11056  .section __ex_table,"a"
11057         .align 4
11058 -       .long 1b,2b
11059 +       .long 1b,4b
11060 +       .long 2b,5b
11061 +       .long 3b,6b
11062  .popsection
11063         PTGS_TO_GS_EX
11064  ENDPROC(ia32_sysenter_target)
11065 @@ -551,6 +654,10 @@ syscall_exit:
11066         testl $_TIF_ALLWORK_MASK, %ecx  # current->work
11067         jne syscall_exit_work
11068  
11069 +#ifdef CONFIG_PAX_RANDKSTACK
11070 +       call pax_randomize_kstack
11071 +#endif
11072 +
11073  restore_all:
11074         TRACE_IRQS_IRET
11075  restore_all_notrace:
11076 @@ -615,7 +722,13 @@ ldt_ss:
11077         mov PT_OLDESP(%esp), %eax       /* load userspace esp */
11078         mov %dx, %ax                    /* eax: new kernel esp */
11079         sub %eax, %edx                  /* offset (low word is 0) */
11080 -       PER_CPU(gdt_page, %ebx)
11081 +#ifdef CONFIG_SMP
11082 +       movl PER_CPU_VAR(cpu_number), %ebx
11083 +       shll $PAGE_SHIFT_asm, %ebx
11084 +       addl $cpu_gdt_table, %ebx
11085 +#else
11086 +       movl $cpu_gdt_table, %ebx
11087 +#endif
11088         shr $16, %edx
11089         mov %dl, GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx) /* bits 16..23 */
11090         mov %dh, GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx) /* bits 24..31 */
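Review bot: The replacement for `PER_CPU(gdt_page, %ebx)` hard-codes a layout assumption without saying so: it indexes `cpu_gdt_table` by `cpu_number << PAGE_SHIFT_asm`, so it is only correct if each CPU's GDT occupies exactly one page of one contiguous array. The same six lines are pasted again in the `@@ -791,7 +902,13 @@` hunk near ptregs_clone. I would factor the sequence into one assembler macro that takes the destination register, and put the invariant on it as a comment, e.g. `/* cpu_gdt_table: one page per CPU, indexed by cpu_number */`. If the table layout ever changes, there is then one place to fix instead of two.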
11091 @@ -655,25 +768,19 @@ work_resched:
11092  
11093  work_notifysig:                                # deal with pending signals and
11094                                         # notify-resume requests
11095 +       movl %esp, %eax
11096  #ifdef CONFIG_VM86
11097         testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11098 -       movl %esp, %eax
11099 -       jne work_notifysig_v86          # returning to kernel-space or
11100 +       jz 1f                           # returning to kernel-space or
11101                                         # vm86-space
11102 -       xorl %edx, %edx
11103 -       call do_notify_resume
11104 -       jmp resume_userspace_sig
11105  
11106 -       ALIGN
11107 -work_notifysig_v86:
11108         pushl %ecx                      # save ti_flags for do_notify_resume
11109         CFI_ADJUST_CFA_OFFSET 4
11110         call save_v86_state             # %eax contains pt_regs pointer
11111         popl %ecx
11112         CFI_ADJUST_CFA_OFFSET -4
11113         movl %eax, %esp
11114 -#else
11115 -       movl %esp, %eax
11116 +1:
11117  #endif
11118         xorl %edx, %edx
11119         call do_notify_resume
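Review bot: The trailing comment on `jz 1f` is stale after the branch was inverted. It was written for `jne work_notifysig_v86`, which was taken when X86_EFLAGS_VM was set, while `jz 1f` is taken when the flag is clear and skips the save_v86_state call. As it stands, "returning to kernel-space or vm86-space" describes the fall-through path rather than the jump. I would change the line to `jz 1f  # not returning to vm86-space` and drop the continuation comment on the next line.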
11120 @@ -708,6 +815,10 @@ END(syscall_exit_work)
11121  
11122         RING0_INT_FRAME                 # can't unwind into user space anyway
11123  syscall_fault:
11124 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11125 +       push %ss
11126 +       pop %ds
11127 +#endif
11128         GET_THREAD_INFO(%ebp)
11129         movl $-EFAULT,PT_EAX(%esp)
11130         jmp resume_userspace
11131 @@ -791,7 +902,13 @@ ptregs_clone:
11132   * normal stack and adjusts ESP with the matching offset.
11133   */
11134         /* fixup the stack */
11135 -       PER_CPU(gdt_page, %ebx)
11136 +#ifdef CONFIG_SMP
11137 +       movl PER_CPU_VAR(cpu_number), %ebx
11138 +       shll $PAGE_SHIFT_asm, %ebx
11139 +       addl $cpu_gdt_table, %ebx
11140 +#else
11141 +       movl $cpu_gdt_table, %ebx
11142 +#endif
11143         mov GDT_ENTRY_ESPFIX_SS * 8 + 4(%ebx), %al /* bits 16..23 */
11144         mov GDT_ENTRY_ESPFIX_SS * 8 + 7(%ebx), %ah /* bits 24..31 */
11145         shl $16, %eax
11146 @@ -1273,7 +1390,6 @@ return_to_handler:
11147         jmp *%ecx
11148  #endif
11149  
11150 -.section .rodata,"a"
11151  #include "syscall_table_32.S"
11152  
11153  syscall_table_size=(.-sys_call_table)
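Review bot: With `.section .rodata,"a"` removed, the included table is emitted into whatever section is current at this point, unless syscall_table_32.S selects one itself, and that file is not part of this hunk. sys_call_table is a table of function pointers, so ending up in a writable section would undo the read-only placement the old directive gave it. If the section is now set inside the included file, a one-line comment here would let a reader confirm it without opening that file, e.g. `/* section for sys_call_table is selected in syscall_table_32.S */`.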
11154 @@ -1330,9 +1446,12 @@ error_code:
11155         movl $-1, PT_ORIG_EAX(%esp)     # no syscall to restart
11156         REG_TO_PTGS %ecx
11157         SET_KERNEL_GS %ecx
11158 -       movl $(__USER_DS), %ecx
11159 +       movl $(__KERNEL_DS), %ecx
11160         movl %ecx, %ds
11161         movl %ecx, %es
11162 +
11163 +       PAX_ENTER_KERNEL
11164 +
11165         TRACE_IRQS_OFF
11166         movl %esp,%eax                  # pt_regs pointer
11167         call *%edi
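Review bot: The selector loaded into %ds and %es here becomes `__KERNEL_DS` unconditionally, which is inconsistent with the SAVE_ALL wrapper added earlier in this file. SAVE_ALL picks `__KERNEL_DS` only when one of CONFIG_PAX_KERNEXEC, PAGEEXEC, SEGMEXEC or MEMORY_UDEREF is set and keeps `__USER_DS` otherwise. With all four options off, exception entry and interrupt/syscall entry would run with different data selectors. If that is intended, say so in a comment. Otherwise guard this line with the same `#if defined(CONFIG_PAX_KERNEXEC) || ...` condition that SAVE_ALL uses. error_code begins above the hunk.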
11168 @@ -1426,6 +1545,9 @@ nmi_stack_correct:
11169         xorl %edx,%edx          # zero error code
11170         movl %esp,%eax          # pt_regs pointer
11171         call do_nmi
11172 +
11173 +       PAX_EXIT_KERNEL
11174 +
11175         jmp restore_all_notrace
11176         CFI_ENDPROC
11177  
11178 @@ -1466,6 +1588,9 @@ nmi_espfix_stack:
11179         FIXUP_ESPFIX_STACK              # %eax == %esp
11180         xorl %edx,%edx                  # zero error code
11181         call do_nmi
11182 +
11183 +       PAX_EXIT_KERNEL
11184 +
11185         RESTORE_REGS
11186         lss 12+4(%esp), %esp            # back to espfix stack
11187         CFI_ADJUST_CFA_OFFSET -24
11188 diff -urNp linux-2.6.35.5/arch/x86/kernel/entry_64.S linux-2.6.35.5/arch/x86/kernel/entry_64.S
11189 --- linux-2.6.35.5/arch/x86/kernel/entry_64.S   2010-08-26 19:47:12.000000000 -0400
11190 +++ linux-2.6.35.5/arch/x86/kernel/entry_64.S   2010-09-17 20:12:09.000000000 -0400
11191 @@ -53,6 +53,7 @@
11192  #include <asm/paravirt.h>
11193  #include <asm/ftrace.h>
11194  #include <asm/percpu.h>
11195 +#include <asm/pgtable.h>
11196  
11197  /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this.  */
11198  #include <linux/elf-em.h>
11199 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11200  ENDPROC(native_usergs_sysret64)
11201  #endif /* CONFIG_PARAVIRT */
11202  
11203 +       .macro ljmpq sel, off
11204 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11205 +       .byte 0x48; ljmp *1234f(%rip)
11206 +       .pushsection .rodata
11207 +       .align 16
11208 +       1234: .quad \off; .word \sel
11209 +       .popsection
11210 +#else
11211 +       push $\sel
11212 +       push $\off
11213 +       lretq
11214 +#endif
11215 +       .endm
11216 +
11217 +ENTRY(pax_enter_kernel)
11218 +
11219 +#ifdef CONFIG_PAX_KERNEXEC
11220 +       push %rdi
11221 +
11222 +#ifdef CONFIG_PARAVIRT
11223 +       PV_SAVE_REGS(CLBR_RDI)
11224 +#endif
11225 +
11226 +       GET_CR0_INTO_RDI
11227 +       bts $16,%rdi
11228 +       jnc 1f
11229 +       mov %cs,%edi
11230 +       cmp $__KERNEL_CS,%edi
11231 +       jz 3f
11232 +       ljmpq __KERNEL_CS,3f
11233 +1:     ljmpq __KERNEXEC_KERNEL_CS,2f
11234 +2:     SET_RDI_INTO_CR0
11235 +3:
11236 +
11237 +#ifdef CONFIG_PARAVIRT
11238 +       PV_RESTORE_REGS(CLBR_RDI)
11239 +#endif
11240 +
11241 +       pop %rdi
11242 +#endif
11243 +
11244 +       retq
11245 +ENDPROC(pax_enter_kernel)
11246 +
11247 +ENTRY(pax_exit_kernel)
11248 +
11249 +#ifdef CONFIG_PAX_KERNEXEC
11250 +       push %rdi
11251 +
11252 +#ifdef CONFIG_PARAVIRT
11253 +       PV_SAVE_REGS(CLBR_RDI)
11254 +#endif
11255 +
11256 +       mov %cs,%rdi
11257 +       cmp $__KERNEXEC_KERNEL_CS,%edi
11258 +       jnz 2f
11259 +       GET_CR0_INTO_RDI
11260 +       btr $16,%rdi
11261 +       ljmpq __KERNEL_CS,1f
11262 +1:     SET_RDI_INTO_CR0
11263 +2:
11264 +
11265 +#ifdef CONFIG_PARAVIRT
11266 +       PV_RESTORE_REGS(CLBR_RDI);
11267 +#endif
11268 +
11269 +       pop %rdi
11270 +#endif
11271 +
11272 +       retq
11273 +ENDPROC(pax_exit_kernel)
11274 +
11275 +ENTRY(pax_enter_kernel_user)
11276 +
11277 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11278 +       push %rdi
11279 +       push %rbx
11280 +
11281 +#ifdef CONFIG_PARAVIRT
11282 +       PV_SAVE_REGS(CLBR_RDI)
11283 +#endif
11284 +
11285 +       GET_CR3_INTO_RDI
11286 +       mov %rdi,%rbx
11287 +       add $__START_KERNEL_map,%rbx
11288 +       sub phys_base(%rip),%rbx
11289 +
11290 +#ifdef CONFIG_PARAVIRT
11291 +       push %rdi
11292 +       cmpl $0, pv_info+PARAVIRT_enabled
11293 +       jz 1f
11294 +       i = 0
11295 +       .rept USER_PGD_PTRS
11296 +       mov i*8(%rbx),%rsi
11297 +       mov $0,%sil
11298 +       lea i*8(%rbx),%rdi
11299 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11300 +       i = i + 1
11301 +       .endr
11302 +       jmp 2f
11303 +1:
11304 +#endif
11305 +
11306 +       i = 0
11307 +       .rept USER_PGD_PTRS
11308 +       movb $0,i*8(%rbx)
11309 +       i = i + 1
11310 +       .endr
11311 +
11312 +#ifdef CONFIG_PARAVIRT
11313 +2:     pop %rdi
11314 +#endif
11315 +       SET_RDI_INTO_CR3
11316 +
11317 +#ifdef CONFIG_PAX_KERNEXEC
11318 +       GET_CR0_INTO_RDI
11319 +       bts $16,%rdi
11320 +       SET_RDI_INTO_CR0
11321 +#endif
11322 +
11323 +#ifdef CONFIG_PARAVIRT
11324 +       PV_RESTORE_REGS(CLBR_RDI)
11325 +#endif
11326 +
11327 +       pop %rbx
11328 +       pop %rdi
11329 +#endif
11330 +
11331 +       retq
11332 +ENDPROC(pax_enter_kernel_user)
11333 +
11334 +ENTRY(pax_exit_kernel_user)
11335 +
11336 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11337 +       push %rdi
11338 +
11339 +#ifdef CONFIG_PARAVIRT
11340 +       push %rbx
11341 +       PV_SAVE_REGS(CLBR_RDI)
11342 +#endif
11343 +
11344 +#ifdef CONFIG_PAX_KERNEXEC
11345 +       GET_CR0_INTO_RDI
11346 +       btr $16,%rdi
11347 +       SET_RDI_INTO_CR0
11348 +#endif
11349 +
11350 +       GET_CR3_INTO_RDI
11351 +       add $__START_KERNEL_map,%rdi
11352 +       sub phys_base(%rip),%rdi
11353 +
11354 +#ifdef CONFIG_PARAVIRT
11355 +       cmpl $0, pv_info+PARAVIRT_enabled
11356 +       jz 1f
11357 +       mov %rdi,%rbx
11358 +       i = 0
11359 +       .rept USER_PGD_PTRS
11360 +       mov i*8(%rbx),%rsi
11361 +       mov $0x67,%sil
11362 +       lea i*8(%rbx),%rdi
11363 +       call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11364 +       i = i + 1
11365 +       .endr
11366 +       jmp 2f
11367 +1:
11368 +#endif
11369 +
11370 +       i = 0
11371 +       .rept USER_PGD_PTRS
11372 +       movb $0x67,i*8(%rdi)
11373 +       i = i + 1
11374 +       .endr
11375 +
11376 +#ifdef CONFIG_PARAVIRT
11377 +2:     PV_RESTORE_REGS(CLBR_RDI)
11378 +       pop %rbx
11379 +#endif
11380 +
11381 +       pop %rdi
11382 +#endif
11383 +
11384 +       retq
11385 +ENDPROC(pax_exit_kernel_user)
11386  
11387  .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11388  #ifdef CONFIG_TRACE_IRQFLAGS
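Review bot: pax_enter_kernel_user and pax_exit_kernel_user have no comments, and their two `.rept USER_PGD_PTRS` loops are not a lossless round trip. Entry zeroes the low byte of every user PGD slot and exit writes `0x67` into every slot, whatever the slot held before. On x86 those low bits are present, writable, user, accessed and dirty, so a slot that was all zero would come back looking present with frame 0. Whether the rest of the patch guarantees that no slot is ever empty or carries other flag bits is not visible in this hunk. Each function should open with a comment stating that invariant and what the bare constants mean, e.g. `/* UDEREF: user PGD slots are made non-present in kernel mode; assumes every slot's flag byte is 0x67 */`, and `$16` should be annotated as CR0.WP.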
11389 @@ -317,7 +501,7 @@ ENTRY(save_args)
11390         leaq -ARGOFFSET+16(%rsp),%rdi   /* arg1 for handler */
11391         movq_cfi rbp, 8         /* push %rbp */
11392         leaq 8(%rsp), %rbp              /* mov %rsp, %ebp */
11393 -       testl $3, CS(%rdi)
11394 +       testb $3, CS(%rdi)
11395         je 1f
11396         SWAPGS
11397         /*
11398 @@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11399  
11400         RESTORE_REST
11401  
11402 -       testl $3, CS-ARGOFFSET(%rsp)            # from kernel_thread?
11403 +       testb $3, CS-ARGOFFSET(%rsp)            # from kernel_thread?
11404         je   int_ret_from_sys_call
11405  
11406         testl $_TIF_IA32, TI_flags(%rcx)        # 32-bit compat task needs IRET
11407 @@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11408  
11409         movq    %rsp,PER_CPU_VAR(old_rsp)
11410         movq    PER_CPU_VAR(kernel_stack),%rsp
11411 +
11412 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11413 +       call pax_enter_kernel_user
11414 +#endif
11415 +
11416         /*
11417          * No need to follow this irqs off/on section - it's straight
11418          * and short:
11419 @@ -502,6 +691,11 @@ sysret_check:
11420         andl %edi,%edx
11421         jnz  sysret_careful
11422         CFI_REMEMBER_STATE
11423 +
11424 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11425 +       call pax_exit_kernel_user
11426 +#endif
11427 +
11428         /*
11429          * sysretq will re-enable interrupts:
11430          */
11431 @@ -613,7 +807,7 @@ tracesys:
11432  GLOBAL(int_ret_from_sys_call)
11433         DISABLE_INTERRUPTS(CLBR_NONE)
11434         TRACE_IRQS_OFF
11435 -       testl $3,CS-ARGOFFSET(%rsp)
11436 +       testb $3,CS-ARGOFFSET(%rsp)
11437         je retint_restore_args
11438         movl $_TIF_ALLWORK_MASK,%edi
11439         /* edi: mask to check */
11440 @@ -800,6 +994,16 @@ END(interrupt)
11441         CFI_ADJUST_CFA_OFFSET 10*8
11442         call save_args
11443         PARTIAL_FRAME 0
11444 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11445 +       testb $3, CS(%rdi)
11446 +       jnz 1f
11447 +       call pax_enter_kernel
11448 +       jmp 2f
11449 +1:     call pax_enter_kernel_user
11450 +2:
11451 +#else
11452 +       call pax_enter_kernel
11453 +#endif
11454         call \func
11455         .endm
11456  
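Review bot: This ten-line CONFIG_PAX_MEMORY_UDEREF dispatch is pasted seven times in the file: here, in the five `ENTRY(\sym)` hunks that follow, and in the `ENTRY(nmi)` hunk. The copies differ only in the operand that holds the saved CS, `CS(%rdi)` here and `CS(%rsp)` in the others. I would define it once as an assembler macro that takes the CS operand and expand it at each site. A single definition also makes it easier to check that every entry which may call pax_enter_kernel_user has an exit path calling pax_exit_kernel_user. The enclosing macro starts above the hunk.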
11457 @@ -826,7 +1030,7 @@ ret_from_intr:
11458         CFI_ADJUST_CFA_OFFSET   -8
11459  exit_intr:
11460         GET_THREAD_INFO(%rcx)
11461 -       testl $3,CS-ARGOFFSET(%rsp)
11462 +       testb $3,CS-ARGOFFSET(%rsp)
11463         je retint_kernel
11464  
11465         /* Interrupt came from user space */
11466 @@ -848,12 +1052,18 @@ retint_swapgs:           /* return to user-space 
11467          * The iretq could re-enable interrupts:
11468          */
11469         DISABLE_INTERRUPTS(CLBR_ANY)
11470 +
11471 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11472 +       call pax_exit_kernel_user
11473 +#endif
11474 +
11475         TRACE_IRQS_IRETQ
11476         SWAPGS
11477         jmp restore_args
11478  
11479  retint_restore_args:   /* return to kernel space */
11480         DISABLE_INTERRUPTS(CLBR_ANY)
11481 +       call pax_exit_kernel
11482         /*
11483          * The iretq could re-enable interrupts:
11484          */
11485 @@ -1040,6 +1250,16 @@ ENTRY(\sym)
11486         CFI_ADJUST_CFA_OFFSET 15*8
11487         call error_entry
11488         DEFAULT_FRAME 0
11489 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11490 +       testb $3, CS(%rsp)
11491 +       jnz 1f
11492 +       call pax_enter_kernel
11493 +       jmp 2f
11494 +1:     call pax_enter_kernel_user
11495 +2:
11496 +#else
11497 +       call pax_enter_kernel
11498 +#endif
11499         movq %rsp,%rdi          /* pt_regs pointer */
11500         xorl %esi,%esi          /* no error code */
11501         call \do_sym
11502 @@ -1057,6 +1277,16 @@ ENTRY(\sym)
11503         subq $15*8, %rsp
11504         call save_paranoid
11505         TRACE_IRQS_OFF
11506 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11507 +       testb $3, CS(%rsp)
11508 +       jnz 1f
11509 +       call pax_enter_kernel
11510 +       jmp 2f
11511 +1:     call pax_enter_kernel_user
11512 +2:
11513 +#else
11514 +       call pax_enter_kernel
11515 +#endif
11516         movq %rsp,%rdi          /* pt_regs pointer */
11517         xorl %esi,%esi          /* no error code */
11518         call \do_sym
11519 @@ -1074,9 +1304,24 @@ ENTRY(\sym)
11520         subq $15*8, %rsp
11521         call save_paranoid
11522         TRACE_IRQS_OFF
11523 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11524 +       testb $3, CS(%rsp)
11525 +       jnz 1f
11526 +       call pax_enter_kernel
11527 +       jmp 2f
11528 +1:     call pax_enter_kernel_user
11529 +2:
11530 +#else
11531 +       call pax_enter_kernel
11532 +#endif
11533         movq %rsp,%rdi          /* pt_regs pointer */
11534         xorl %esi,%esi          /* no error code */
11535 -       PER_CPU(init_tss, %r12)
11536 +#ifdef CONFIG_SMP
11537 +       imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11538 +       lea init_tss(%r12), %r12
11539 +#else
11540 +       lea init_tss(%rip), %r12
11541 +#endif
11542         subq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11543         call \do_sym
11544         addq $EXCEPTION_STKSZ, TSS_ist + (\ist - 1) * 8(%r12)
11545 @@ -1093,6 +1338,16 @@ ENTRY(\sym)
11546         CFI_ADJUST_CFA_OFFSET 15*8
11547         call error_entry
11548         DEFAULT_FRAME 0
11549 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11550 +       testb $3, CS(%rsp)
11551 +       jnz 1f
11552 +       call pax_enter_kernel
11553 +       jmp 2f
11554 +1:     call pax_enter_kernel_user
11555 +2:
11556 +#else
11557 +       call pax_enter_kernel
11558 +#endif
11559         movq %rsp,%rdi                  /* pt_regs pointer */
11560         movq ORIG_RAX(%rsp),%rsi        /* get error code */
11561         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
11562 @@ -1112,6 +1367,16 @@ ENTRY(\sym)
11563         call save_paranoid
11564         DEFAULT_FRAME 0
11565         TRACE_IRQS_OFF
11566 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11567 +       testb $3, CS(%rsp)
11568 +       jnz 1f
11569 +       call pax_enter_kernel
11570 +       jmp 2f
11571 +1:     call pax_enter_kernel_user
11572 +2:
11573 +#else
11574 +       call pax_enter_kernel
11575 +#endif
11576         movq %rsp,%rdi                  /* pt_regs pointer */
11577         movq ORIG_RAX(%rsp),%rsi        /* get error code */
11578         movq $-1,ORIG_RAX(%rsp)         /* no syscall to restart */
11579 @@ -1370,14 +1635,27 @@ ENTRY(paranoid_exit)
11580         TRACE_IRQS_OFF
11581         testl %ebx,%ebx                         /* swapgs needed? */
11582         jnz paranoid_restore
11583 -       testl $3,CS(%rsp)
11584 +       testb $3,CS(%rsp)
11585         jnz   paranoid_userspace
11586 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11587 +       call pax_exit_kernel
11588 +       TRACE_IRQS_IRETQ 0
11589 +       SWAPGS_UNSAFE_STACK
11590 +       RESTORE_ALL 8
11591 +       jmp irq_return
11592 +#endif
11593  paranoid_swapgs:
11594 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11595 +       call pax_exit_kernel_user
11596 +#else
11597 +       call pax_exit_kernel
11598 +#endif
11599         TRACE_IRQS_IRETQ 0
11600         SWAPGS_UNSAFE_STACK
11601         RESTORE_ALL 8
11602         jmp irq_return
11603  paranoid_restore:
11604 +       call pax_exit_kernel
11605         TRACE_IRQS_IRETQ 0
11606         RESTORE_ALL 8
11607         jmp irq_return
11608 @@ -1435,7 +1713,7 @@ ENTRY(error_entry)
11609         movq_cfi r14, R14+8
11610         movq_cfi r15, R15+8
11611         xorl %ebx,%ebx
11612 -       testl $3,CS+8(%rsp)
11613 +       testb $3,CS+8(%rsp)
11614         je error_kernelspace
11615  error_swapgs:
11616         SWAPGS
11617 @@ -1499,6 +1777,16 @@ ENTRY(nmi)
11618         CFI_ADJUST_CFA_OFFSET 15*8
11619         call save_paranoid
11620         DEFAULT_FRAME 0
11621 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11622 +       testb $3, CS(%rsp)
11623 +       jnz 1f
11624 +       call pax_enter_kernel
11625 +       jmp 2f
11626 +1:     call pax_enter_kernel_user
11627 +2:
11628 +#else
11629 +       call pax_enter_kernel
11630 +#endif
11631         /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11632         movq %rsp,%rdi
11633         movq $-1,%rsi
11634 @@ -1509,11 +1797,12 @@ ENTRY(nmi)
11635         DISABLE_INTERRUPTS(CLBR_NONE)
11636         testl %ebx,%ebx                         /* swapgs needed? */
11637         jnz nmi_restore
11638 -       testl $3,CS(%rsp)
11639 +       testb $3,CS(%rsp)
11640         jnz nmi_userspace
11641  nmi_swapgs:
11642         SWAPGS_UNSAFE_STACK
11643  nmi_restore:
11644 +       call pax_exit_kernel
11645         RESTORE_ALL 8
11646         jmp irq_return
11647  nmi_userspace:
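Review bot: `call pax_exit_kernel` sits at nmi_restore, so the path that falls through from nmi_swapgs uses it too, and that does not match the entry side under CONFIG_PAX_MEMORY_UDEREF. The NMI entry hunk just above calls pax_enter_kernel_user when the saved CS has RPL 3, and paranoid_exit pairs that case with pax_exit_kernel_user at paranoid_swapgs. If nmi_userspace rejoins nmi_swapgs, as the label layout suggests (its body is outside the hunk), an NMI taken from user mode would return without the user PGD entries being restored. I would mirror the paranoid_exit structure here, as sketched below.
```asm
	testb $3,CS(%rsp)
	jnz nmi_userspace
#ifdef CONFIG_PAX_MEMORY_UDEREF
	/* kernel CS: entry went through pax_enter_kernel */
	call pax_exit_kernel
	SWAPGS_UNSAFE_STACK
	RESTORE_ALL 8
	jmp irq_return
#endif
nmi_swapgs:
#ifdef CONFIG_PAX_MEMORY_UDEREF
	call pax_exit_kernel_user
#else
	call pax_exit_kernel
#endif
	SWAPGS_UNSAFE_STACK
	RESTORE_ALL 8
	jmp irq_return
nmi_restore:
	call pax_exit_kernel
	RESTORE_ALL 8
	jmp irq_return
	/* … unchanged: nmi_userspace … */
```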
11648 diff -urNp linux-2.6.35.5/arch/x86/kernel/ftrace.c linux-2.6.35.5/arch/x86/kernel/ftrace.c
11649 --- linux-2.6.35.5/arch/x86/kernel/ftrace.c     2010-08-26 19:47:12.000000000 -0400
11650 +++ linux-2.6.35.5/arch/x86/kernel/ftrace.c     2010-09-17 20:12:09.000000000 -0400
11651 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11652  
11653         if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11654                 smp_rmb();
11655 +               pax_open_kernel();
11656                 ftrace_mod_code();
11657 +               pax_close_kernel();
11658                 atomic_inc(&nmi_update_count);
11659         }
11660         /* Must have previous changes seen before executions */
11661 @@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
11662  
11663  
11664  
11665 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
11666 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
11667  
11668  static unsigned char *ftrace_nop_replace(void)
11669  {
11670 @@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
11671  {
11672         unsigned char replaced[MCOUNT_INSN_SIZE];
11673  
11674 +       ip = ktla_ktva(ip);
11675 +
11676         /*
11677          * Note: Due to modules and __init, code can
11678          *  disappear and change, we need to protect against faulting
11679 @@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11680         unsigned char old[MCOUNT_INSN_SIZE], *new;
11681         int ret;
11682  
11683 -       memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11684 +       memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11685         new = ftrace_call_replace(ip, (unsigned long)func);
11686         ret = ftrace_modify_code(ip, old, new);
11687  
11688 @@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
11689         switch (faulted) {
11690         case 0:
11691                 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
11692 -               memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
11693 +               memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
11694                 break;
11695         case 1:
11696                 pr_info("converting mcount calls to 66 66 66 66 90\n");
11697 -               memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
11698 +               memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
11699                 break;
11700         case 2:
11701                 pr_info("converting mcount calls to jmp . + 5\n");
11702 -               memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
11703 +               memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
11704                 break;
11705         }
11706  
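Review bot: The three memcpy() calls in this switch write directly into ftrace_nop, which an earlier hunk of this file marks `__read_only`. There is no pax_open_kernel()/pax_close_kernel() pair around them like the one this patch adds in ftrace_nmi_enter(). This is an `__init` function, so the writes may happen before the protection takes effect, but that ordering is not visible here. Either bracket the switch or add a comment such as `/* runs before __read_only data is write-protected */`. The bare `ktla_ktva(ftrace_test_p6nop)` form also differs from the `(void *)ktla_ktva((unsigned long)ftrace_call)` form used in ftrace_update_ftrace_func. ftrace_dyn_arch_init starts and ends outside the hunk.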
11707 @@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long 
11708  {
11709         unsigned char code[MCOUNT_INSN_SIZE];
11710  
11711 +       ip = ktla_ktva(ip);
11712 +
11713         if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11714                 return -EFAULT;
11715  
11716 diff -urNp linux-2.6.35.5/arch/x86/kernel/head32.c linux-2.6.35.5/arch/x86/kernel/head32.c
11717 --- linux-2.6.35.5/arch/x86/kernel/head32.c     2010-08-26 19:47:12.000000000 -0400
11718 +++ linux-2.6.35.5/arch/x86/kernel/head32.c     2010-09-17 20:12:09.000000000 -0400
11719 @@ -17,6 +17,7 @@
11720  #include <asm/apic.h>
11721  #include <asm/io_apic.h>
11722  #include <asm/bios_ebda.h>
11723 +#include <asm/boot.h>
11724  
11725  static void __init i386_default_early_setup(void)
11726  {
11727 @@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
11728                                          "EX TRAMPOLINE");
11729  #endif
11730  
11731 -       reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11732 +       reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11733  
11734  #ifdef CONFIG_BLK_DEV_INITRD
11735         /* Reserve INITRD */
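Review bot: The start of the "TEXT DATA BSS" reservation becomes the build-time constant `LOAD_PHYSICAL_ADDR`, while the end is still taken from the running image with `__pa_symbol(&__bss_stop)`, and the change is not guarded by any PaX option. If a kernel built from this tree can be loaded at a physical address other than the configured one (a relocatable build, for instance), the start would no longer match where `_text` really is; whether that configuration is excluded elsewhere is not visible here. Either keep the old expression outside the hardened configuration or add a comment such as `/* _text is no longer the first byte of the image; reserve from the load address */`. i386_start_kernel continues outside the hunk.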
11736 diff -urNp linux-2.6.35.5/arch/x86/kernel/head_32.S linux-2.6.35.5/arch/x86/kernel/head_32.S
11737 --- linux-2.6.35.5/arch/x86/kernel/head_32.S    2010-08-26 19:47:12.000000000 -0400
11738 +++ linux-2.6.35.5/arch/x86/kernel/head_32.S    2010-09-17 20:12:09.000000000 -0400
11739 @@ -25,6 +25,12 @@
11740  /* Physical address */
11741  #define pa(X) ((X) - __PAGE_OFFSET)
11742  
11743 +#ifdef CONFIG_PAX_KERNEXEC
11744 +#define ta(X) (X)
11745 +#else
11746 +#define ta(X) ((X) - __PAGE_OFFSET)
11747 +#endif
11748 +
11749  /*
11750   * References to members of the new_cpu_data structure.
11751   */
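Review bot: The new `ta()` macro is undocumented, whereas `pa()` directly above it carries `/* Physical address */`. Its two definitions behave very differently (identity under CONFIG_PAX_KERNEXEC, otherwise the same subtraction as `pa()`), and the only visible user is the `subarch_entries` table later in this file. A one-line comment would help, for example `/* Address of a text symbol as seen by the early jump table: unadjusted under KERNEXEC, physical otherwise */`; the expansion of the name is a guess and should be confirmed by the author.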
11752 @@ -54,11 +60,7 @@
11753   * and small than max_low_pfn, otherwise will waste some page table entries
11754   */
11755  
11756 -#if PTRS_PER_PMD > 1
11757 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11758 -#else
11759 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11760 -#endif
11761 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11762  
11763  /* Enough space to fit pagetables for the low memory linear map */
11764  MAPPING_BEYOND_END = \
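Review bot: The single `PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)` silently drops the `+ PTRS_PER_PGD` term that the old PAE variant had, and nothing explains why. It looks deliberate, since the PMD pages are emitted statically as `swapper_pg_pmd` further down in this file and only PTE pages would need brk space, but that is an inference. Please state it next to the macro, e.g. `/* counts PTE pages only; the PAE PMD pages are allocated statically below */`.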
11765 @@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
11766  RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11767  
11768  /*
11769 + * Real beginning of normal "text" segment
11770 + */
11771 +ENTRY(stext)
11772 +ENTRY(_stext)
11773 +
11774 +/*
11775   * 32-bit kernel entrypoint; only used by the boot CPU.  On entry,
11776   * %esi points to the real-mode code as a 32-bit pointer.
11777   * CS and DS must be 4 GB flat segments, but we don't depend on
11778 @@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
11779   * can.
11780   */
11781  __HEAD
11782 +
11783 +#ifdef CONFIG_PAX_KERNEXEC
11784 +       jmp startup_32
11785 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
11786 +.fill PAGE_SIZE-5,1,0xcc
11787 +#endif
11788 +
11789  ENTRY(startup_32)
11790         /* test KEEP_SEGMENTS flag to see if the bootloader is asking
11791                 us to not reload segments */
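Review bot: `.fill PAGE_SIZE-5,1,0xcc` hard-codes 5 as the encoded length of the preceding `jmp startup_32`. That holds for a near jump with a 32-bit displacement, which the assembler has to choose here because the target is almost a page away, but the dependency is not written down. If the instruction before the fill is ever changed, `startup_32` would shift off the page boundary without any diagnostic. Suggested comment: `/* 5 = length of the jmp rel32 above, so startup_32 begins on the second page */`.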
11792 @@ -99,6 +114,55 @@ ENTRY(startup_32)
11793         movl %eax,%gs
11794  2:
11795  
11796 +#ifdef CONFIG_SMP
11797 +       movl $pa(cpu_gdt_table),%edi
11798 +       movl $__per_cpu_load,%eax
11799 +       movw %ax,__KERNEL_PERCPU + 2(%edi)
11800 +       rorl $16,%eax
11801 +       movb %al,__KERNEL_PERCPU + 4(%edi)
11802 +       movb %ah,__KERNEL_PERCPU + 7(%edi)
11803 +       movl $__per_cpu_end - 1,%eax
11804 +       subl $__per_cpu_start,%eax
11805 +       movw %ax,__KERNEL_PERCPU + 0(%edi)
11806 +#endif
11807 +
11808 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11809 +       movl $NR_CPUS,%ecx
11810 +       movl $pa(cpu_gdt_table),%edi
11811 +1:
11812 +       movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
11813 +       addl $PAGE_SIZE_asm,%edi
11814 +       loop 1b
11815 +#endif
11816 +
11817 +#ifdef CONFIG_PAX_KERNEXEC
11818 +       movl $pa(boot_gdt),%edi
11819 +       movl $__LOAD_PHYSICAL_ADDR,%eax
11820 +       movw %ax,__BOOT_CS + 2(%edi)
11821 +       rorl $16,%eax
11822 +       movb %al,__BOOT_CS + 4(%edi)
11823 +       movb %ah,__BOOT_CS + 7(%edi)
11824 +       rorl $16,%eax
11825 +
11826 +       ljmp $(__BOOT_CS),$1f
11827 +1:
11828 +
11829 +       movl $NR_CPUS,%ecx
11830 +       movl $pa(cpu_gdt_table),%edi
11831 +       addl $__PAGE_OFFSET,%eax
11832 +1:
11833 +       movw %ax,__KERNEL_CS + 2(%edi)
11834 +       movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
11835 +       rorl $16,%eax
11836 +       movb %al,__KERNEL_CS + 4(%edi)
11837 +       movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
11838 +       movb %ah,__KERNEL_CS + 7(%edi)
11839 +       movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
11840 +       rorl $16,%eax
11841 +       addl $PAGE_SIZE_asm,%edi
11842 +       loop 1b
11843 +#endif
11844 +
11845  /*
11846   * Clear BSS first so that there are no surprises...
11847   */
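Review bot: In the CONFIG_SMP block the per-cpu segment limit is stored with `movw %ax,__KERNEL_PERCPU + 0(%edi)`, i.e. only bits 15:0 of `__per_cpu_end - 1 - __per_cpu_start`. The PERCPU template in `cpu_gdt_table` at the end of this file is `0x0040930000000000`, which has byte granularity and zero in limit bits 19:16, so a per-cpu area larger than 64 KiB would get a truncated limit. Whether the area can exceed that size in supported configurations is not visible here; a link-time assertion, or storing the upper limit nibble as well, would remove the doubt. Separately, the three descriptor-patching sequences would be easier to audit with one comment naming the byte layout (`+2` base 15:0, `+4` base 23:16, `+7` base 31:24). startup_32 continues outside the hunk.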
11848 @@ -142,9 +206,7 @@ ENTRY(startup_32)
11849         cmpl $num_subarch_entries, %eax
11850         jae bad_subarch
11851  
11852 -       movl pa(subarch_entries)(,%eax,4), %eax
11853 -       subl $__PAGE_OFFSET, %eax
11854 -       jmp *%eax
11855 +       jmp *pa(subarch_entries)(,%eax,4)
11856  
11857  bad_subarch:
11858  WEAK(lguest_entry)
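Review bot: `jmp *pa(subarch_entries)(,%eax,4)` now jumps to the table entry unmodified, and the adjustment the removed `subl $__PAGE_OFFSET, %eax` used to make has moved into the table itself through `ta()` in the next hunk. Under CONFIG_PAX_KERNEXEC `ta(X)` is the identity, so the jump target is the raw symbol value; that presumably relies on the code-segment base programmed in the KERNEXEC block earlier in startup_32, but nothing at the jump says so. A comment here, e.g. `/* entries are pre-adjusted with ta(); see subarch_entries */`, would keep the two hunks from drifting apart.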
11859 @@ -156,10 +218,10 @@ WEAK(xen_entry)
11860         __INITDATA
11861  
11862  subarch_entries:
11863 -       .long default_entry             /* normal x86/PC */
11864 -       .long lguest_entry              /* lguest hypervisor */
11865 -       .long xen_entry                 /* Xen hypervisor */
11866 -       .long default_entry             /* Moorestown MID */
11867 +       .long ta(default_entry)         /* normal x86/PC */
11868 +       .long ta(lguest_entry)          /* lguest hypervisor */
11869 +       .long ta(xen_entry)             /* Xen hypervisor */
11870 +       .long ta(default_entry)         /* Moorestown MID */
11871  num_subarch_entries = (. - subarch_entries) / 4
11872  .previous
11873  #endif /* CONFIG_PARAVIRT */
11874 @@ -220,8 +282,11 @@ default_entry:
11875         movl %eax, pa(max_pfn_mapped)
11876  
11877         /* Do early initialization of the fixmap area */
11878 -       movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11879 -       movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11880 +#ifdef CONFIG_COMPAT_VDSO
11881 +       movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11882 +#else
11883 +       movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
11884 +#endif
11885  #else  /* Not PAE */
11886  
11887  page_pde_offset = (__PAGE_OFFSET >> 20);
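Review bot: Under CONFIG_COMPAT_VDSO the fixmap page-directory entry is now created with `_PAGE_USER`, here and again in the non-PAE hunk that follows, with no comment on why. With the user bit set at the directory level, isolation of everything else under that entry rests entirely on the individual PTEs, so the reason and the assumption deserve a line. Suggested wording: `/* compat vDSO lives in the fixmap and must be user-reachable; all other fixmap PTEs must stay supervisor-only */` (the rationale is inferred from the option name and should be confirmed). The two `#ifdef` arms differ only in `+_PAGE_USER`; a single `movl` with a preprocessor-selected attribute constant would avoid the duplication.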
11888 @@ -251,8 +316,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
11889         movl %eax, pa(max_pfn_mapped)
11890  
11891         /* Do early initialization of the fixmap area */
11892 -       movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
11893 -       movl %eax,pa(swapper_pg_dir+0xffc)
11894 +#ifdef CONFIG_COMPAT_VDSO
11895 +       movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
11896 +#else
11897 +       movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
11898 +#endif
11899  #endif
11900         jmp 3f
11901  /*
11902 @@ -299,6 +367,7 @@ ENTRY(startup_32_smp)
11903         orl %edx,%eax
11904         movl %eax,%cr4
11905  
11906 +#ifdef CONFIG_X86_PAE
11907         testb $X86_CR4_PAE, %al         # check if PAE is enabled
11908         jz 6f
11909  
11910 @@ -323,6 +392,9 @@ ENTRY(startup_32_smp)
11911         /* Make changes effective */
11912         wrmsr
11913  
11914 +       btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
11915 +#endif
11916 +
11917  6:
11918  
11919  /*
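Review bot: `btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)` encodes "bit 63 of a 64-bit mask" as a bit index minus 32 applied to the high dword, which is easy to misread. A short comment would do: `/* NX is bit 63: set it in the high dword of __supported_pte_mask */`. The instruction sits after `wrmsr` inside the new `#ifdef CONFIG_X86_PAE` that the previous hunk opens; the branch that skips this path for CPUs without NX is outside both hunks, so the placement could not be checked here.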
11920 @@ -348,9 +420,7 @@ ENTRY(startup_32_smp)
11921  
11922  #ifdef CONFIG_SMP
11923         cmpb $0, ready
11924 -       jz  1f                          /* Initial CPU cleans BSS */
11925 -       jmp checkCPUtype
11926 -1:
11927 +       jnz checkCPUtype                /* Initial CPU cleans BSS */
11928  #endif /* CONFIG_SMP */
11929  
11930  /*
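Review bot: The comment `/* Initial CPU cleans BSS */` was written for the old `jz 1f`, which the initial CPU took; it now sits on `jnz checkCPUtype`, the branch taken by every CPU except the initial one, so it reads backwards. Suggested replacement: `jnz checkCPUtype /* only the initial CPU falls through */`.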
11931 @@ -428,7 +498,7 @@ is386:      movl $2,%ecx            # set MP
11932  1:     movl $(__KERNEL_DS),%eax        # reload all the segment registers
11933         movl %eax,%ss                   # after changing gdt.
11934  
11935 -       movl $(__USER_DS),%eax          # DS/ES contains default USER segment
11936 +#      movl $(__KERNEL_DS),%eax        # DS/ES contains default KERNEL segment
11937         movl %eax,%ds
11938         movl %eax,%es
11939  
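Review bot: The reload of %eax is disabled by turning the instruction into a `#`-prefixed line, which leaves dead code whose trailing comment describes a load that no longer happens. What actually reaches `%ds`/`%es` is the `__KERNEL_DS` value still in %eax from the `movl` two lines above. Delete the commented-out line and annotate the store instead, e.g. `movl %eax,%ds  # DS/ES reuse __KERNEL_DS already in %eax`. A `#` at the start of a line in a preprocessed `.S` file also depends on the preprocessor tolerating an unknown directive, which is one more reason not to keep it.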
11940 @@ -442,8 +512,11 @@ is386:     movl $2,%ecx            # set MP
11941          */
11942         cmpb $0,ready
11943         jne 1f
11944 -       movl $gdt_page,%eax
11945 +       movl $cpu_gdt_table,%eax
11946         movl $stack_canary,%ecx
11947 +#ifdef CONFIG_SMP
11948 +       addl $__per_cpu_load,%ecx
11949 +#endif
11950         movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
11951         shrl $16, %ecx
11952         movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
11953 @@ -461,10 +534,6 @@ is386:     movl $2,%ecx            # set MP
11954  #ifdef CONFIG_SMP
11955         movb ready, %cl
11956         movb $1, ready
11957 -       cmpb $0,%cl             # the first CPU calls start_kernel
11958 -       je   1f
11959 -       movl (stack_start), %esp
11960 -1:
11961  #endif /* CONFIG_SMP */
11962         jmp *(initial_code)
11963  
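Review bot: With the compare and the `movl (stack_start), %esp` reload removed, `movb ready, %cl` loads a value that nothing in this hunk reads before `jmp *(initial_code)`. Unless code reached through `initial_code` depends on %cl, which is not visible here and would be unusual, the load is dead and the block can shrink to `movb $1, ready`.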
11964 @@ -550,22 +619,22 @@ early_page_fault:
11965         jmp early_fault
11966  
11967  early_fault:
11968 -       cld
11969  #ifdef CONFIG_PRINTK
11970 +       cmpl $1,%ss:early_recursion_flag
11971 +       je hlt_loop
11972 +       incl %ss:early_recursion_flag
11973 +       cld
11974         pusha
11975         movl $(__KERNEL_DS),%eax
11976         movl %eax,%ds
11977         movl %eax,%es
11978 -       cmpl $2,early_recursion_flag
11979 -       je hlt_loop
11980 -       incl early_recursion_flag
11981         movl %cr2,%eax
11982         pushl %eax
11983         pushl %edx              /* trapno */
11984         pushl $fault_msg
11985         call printk
11986 +;      call dump_stack
11987  #endif
11988 -       call dump_stack
11989  hlt_loop:
11990         hlt
11991         jmp hlt_loop
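Review bot: `;      call dump_stack` does not disable the call: GNU as on x86 treats `;` as a statement separator, not a comment character, so the `call dump_stack` after it is still assembled, now inside `#ifdef CONFIG_PRINTK`. If the intent is to drop the call, delete the line; if it is to keep it only with printk, remove the `;`. The recursion limit in early_fault also changes from 2 to 1 (`cmpl $1,%ss:early_recursion_flag`) while ignore_int in the next hunk keeps `cmpl $2`, and both share the same counter; a comment should say whether the difference is intended.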
11992 @@ -573,8 +642,11 @@ hlt_loop:
11993  /* This is the default interrupt "handler" :-) */
11994         ALIGN
11995  ignore_int:
11996 -       cld
11997  #ifdef CONFIG_PRINTK
11998 +       cmpl $2,%ss:early_recursion_flag
11999 +       je hlt_loop
12000 +       incl %ss:early_recursion_flag
12001 +       cld
12002         pushl %eax
12003         pushl %ecx
12004         pushl %edx
12005 @@ -583,9 +655,6 @@ ignore_int:
12006         movl $(__KERNEL_DS),%eax
12007         movl %eax,%ds
12008         movl %eax,%es
12009 -       cmpl $2,early_recursion_flag
12010 -       je hlt_loop
12011 -       incl early_recursion_flag
12012         pushl 16(%esp)
12013         pushl 24(%esp)
12014         pushl 32(%esp)
12015 @@ -612,27 +681,38 @@ ENTRY(initial_code)
12016  /*
12017   * BSS section
12018   */
12019 -__PAGE_ALIGNED_BSS
12020 -       .align PAGE_SIZE_asm
12021  #ifdef CONFIG_X86_PAE
12022 +.section .swapper_pg_pmd,"a",@progbits
12023  swapper_pg_pmd:
12024         .fill 1024*KPMDS,4,0
12025  #else
12026 +.section .swapper_pg_dir,"a",@progbits
12027  ENTRY(swapper_pg_dir)
12028         .fill 1024,4,0
12029  #endif
12030 +
12031  swapper_pg_fixmap:
12032         .fill 1024,4,0
12033 +
12034 +.section .empty_zero_page,"a",@progbits
12035  ENTRY(empty_zero_page)
12036         .fill 4096,1,0
12037  
12038  /*
12039 + * The IDT has to be page-aligned to simplify the Pentium
12040 + * F0 0F bug workaround.. We have a special link segment
12041 + * for this.
12042 + */
12043 +.section .idt,"a",@progbits
12044 +ENTRY(idt_table)
12045 +       .fill 256,8,0
12046 +
12047 +/*
12048   * This starts the data section.
12049   */
12050  #ifdef CONFIG_X86_PAE
12051 -__PAGE_ALIGNED_DATA
12052 -       /* Page-aligned for the benefit of paravirt? */
12053 -       .align PAGE_SIZE_asm
12054 +.section .swapper_pg_dir,"a",@progbits
12055 +
12056  ENTRY(swapper_pg_dir)
12057         .long   pa(swapper_pg_pmd+PGD_IDENT_ATTR),0     /* low identity map */
12058  # if KPMDS == 3
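Review bot: The surrounding comments `BSS section` and `This starts the data section` no longer describe what follows: `swapper_pg_pmd`/`swapper_pg_dir`, `empty_zero_page` and `idt_table` are now emitted into named `"a",@progbits` sections. The explicit `.align PAGE_SIZE_asm` lines are removed as well, so page alignment of these tables now depends entirely on how the linker script places the new sections, which is not visible in this hunk. `swapper_pg_fixmap` has no `.section` of its own and lands in whichever of the two sections the preprocessor selected above it. Please update the comments, e.g. `/* Early page tables, zero page and IDT: each in its own section, page-aligned by the linker script */`.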
12059 @@ -651,15 +731,24 @@ ENTRY(swapper_pg_dir)
12060  #  error "Kernel PMDs should be 1, 2 or 3"
12061  # endif
12062         .align PAGE_SIZE_asm            /* needs to be page-sized too */
12063 +
12064 +#ifdef CONFIG_PAX_PER_CPU_PGD
12065 +ENTRY(cpu_pgd)
12066 +       .rept NR_CPUS
12067 +       .fill   4,8,0
12068 +       .endr
12069 +#endif
12070 +
12071  #endif
12072  
12073  .data
12074  ENTRY(stack_start)
12075 -       .long init_thread_union+THREAD_SIZE
12076 +       .long init_thread_union+THREAD_SIZE-8
12077         .long __BOOT_DS
12078  
12079  ready: .byte 0
12080  
12081 +.section .rodata,"a",@progbits
12082  early_recursion_flag:
12083         .long 0
12084  
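Review bot: `early_recursion_flag` is moved into `.section .rodata`, yet early_fault and ignore_int in this same file modify it with `incl %ss:early_recursion_flag`. That only works while the page is still mapped writable; if one of those handlers runs after read-only data has been write-protected, the increment would itself fault inside the fault handler. If the intent is only to place `fault_msg` and the descriptors that follow in read-only data, move the directive below the flag so that `early_recursion_flag: .long 0` stays in `.data`. The `-8` in `init_thread_union+THREAD_SIZE-8` is also unexplained and reappears in irq_32.c in this patch; a shared named constant or a comment would help.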
12085 @@ -695,7 +784,7 @@ fault_msg:
12086         .word 0                         # 32 bit align gdt_desc.address
12087  boot_gdt_descr:
12088         .word __BOOT_DS+7
12089 -       .long boot_gdt - __PAGE_OFFSET
12090 +       .long pa(boot_gdt)
12091  
12092         .word 0                         # 32-bit align idt_desc.address
12093  idt_descr:
12094 @@ -706,7 +795,7 @@ idt_descr:
12095         .word 0                         # 32 bit align gdt_desc.address
12096  ENTRY(early_gdt_descr)
12097         .word GDT_ENTRIES*8-1
12098 -       .long gdt_page                  /* Overwritten for secondary CPUs */
12099 +       .long cpu_gdt_table             /* Overwritten for secondary CPUs */
12100  
12101  /*
12102   * The boot_gdt must mirror the equivalent in setup.S and is
12103 @@ -715,5 +804,65 @@ ENTRY(early_gdt_descr)
12104         .align L1_CACHE_BYTES
12105  ENTRY(boot_gdt)
12106         .fill GDT_ENTRY_BOOT_CS,8,0
12107 -       .quad 0x00cf9a000000ffff        /* kernel 4GB code at 0x00000000 */
12108 -       .quad 0x00cf92000000ffff        /* kernel 4GB data at 0x00000000 */
12109 +       .quad 0x00cf9b000000ffff        /* kernel 4GB code at 0x00000000 */
12110 +       .quad 0x00cf93000000ffff        /* kernel 4GB data at 0x00000000 */
12111 +
12112 +       .align PAGE_SIZE_asm
12113 +ENTRY(cpu_gdt_table)
12114 +       .rept NR_CPUS
12115 +       .quad 0x0000000000000000        /* NULL descriptor */
12116 +       .quad 0x0000000000000000        /* 0x0b reserved */
12117 +       .quad 0x0000000000000000        /* 0x13 reserved */
12118 +       .quad 0x0000000000000000        /* 0x1b reserved */
12119 +
12120 +#ifdef CONFIG_PAX_KERNEXEC
12121 +       .quad 0x00cf9b000000ffff        /* 0x20 alternate kernel 4GB code at 0x00000000 */
12122 +#else
12123 +       .quad 0x0000000000000000        /* 0x20 unused */
12124 +#endif
12125 +
12126 +       .quad 0x0000000000000000        /* 0x28 unused */
12127 +       .quad 0x0000000000000000        /* 0x33 TLS entry 1 */
12128 +       .quad 0x0000000000000000        /* 0x3b TLS entry 2 */
12129 +       .quad 0x0000000000000000        /* 0x43 TLS entry 3 */
12130 +       .quad 0x0000000000000000        /* 0x4b reserved */
12131 +       .quad 0x0000000000000000        /* 0x53 reserved */
12132 +       .quad 0x0000000000000000        /* 0x5b reserved */
12133 +
12134 +       .quad 0x00cf9b000000ffff        /* 0x60 kernel 4GB code at 0x00000000 */
12135 +       .quad 0x00cf93000000ffff        /* 0x68 kernel 4GB data at 0x00000000 */
12136 +       .quad 0x00cffb000000ffff        /* 0x73 user 4GB code at 0x00000000 */
12137 +       .quad 0x00cff3000000ffff        /* 0x7b user 4GB data at 0x00000000 */
12138 +
12139 +       .quad 0x0000000000000000        /* 0x80 TSS descriptor */
12140 +       .quad 0x0000000000000000        /* 0x88 LDT descriptor */
12141 +
12142 +       /*
12143 +        * Segments used for calling PnP BIOS have byte granularity.
12144 +        * The code segments and data segments have fixed 64k limits,
12145 +        * the transfer segment sizes are set at run time.
12146 +        */
12147 +       .quad 0x00409b000000ffff        /* 0x90 32-bit code */
12148 +       .quad 0x00009b000000ffff        /* 0x98 16-bit code */
12149 +       .quad 0x000093000000ffff        /* 0xa0 16-bit data */
12150 +       .quad 0x0000930000000000        /* 0xa8 16-bit data */
12151 +       .quad 0x0000930000000000        /* 0xb0 16-bit data */
12152 +
12153 +       /*
12154 +        * The APM segments have byte granularity and their bases
12155 +        * are set at run time.  All have 64k limits.
12156 +        */
12157 +       .quad 0x00409b000000ffff        /* 0xb8 APM CS    code */
12158 +       .quad 0x00009b000000ffff        /* 0xc0 APM CS 16 code (16 bit) */
12159 +       .quad 0x004093000000ffff        /* 0xc8 APM DS    data */
12160 +
12161 +       .quad 0x00c0930000000000        /* 0xd0 - ESPFIX SS */
12162 +       .quad 0x0040930000000000        /* 0xd8 - PERCPU */
12163 +       .quad 0x0040910000000018        /* 0xe0 - STACK_CANARY */
12164 +       .quad 0x0000000000000000        /* 0xe8 - PCIBIOS_CS */
12165 +       .quad 0x0000000000000000        /* 0xf0 - PCIBIOS_DS */
12166 +       .quad 0x0000000000000000        /* 0xf8 - GDT entry 31: double-fault TSS */
12167 +
12168 +       /* Be sure this is zeroed to avoid false validations in Xen */
12169 +       .fill PAGE_SIZE_asm - GDT_SIZE,1,0
12170 +       .endr
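Review bot: Every populated descriptor in `cpu_gdt_table`, and the two `boot_gdt` entries changed just above it, now use type bytes with the accessed bit already set (`0x9b`/`0x93`/`0xfb`/`0xf3`, where `boot_gdt` had `0x9a`/`0x92`), and no comment says why. Presumably this is so that loading a segment never requires the CPU to write the accessed bit back, which matters if the GDT page is mapped read-only. Suggested comment above the table: `/* descriptors are pre-marked accessed so that segment loads never write to the GDT */`. The table is emitted with `.rept NR_CPUS` at one page per CPU, so its static size scales with the configured CPU count; that is worth a note too.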
12171 diff -urNp linux-2.6.35.5/arch/x86/kernel/head_64.S linux-2.6.35.5/arch/x86/kernel/head_64.S
12172 --- linux-2.6.35.5/arch/x86/kernel/head_64.S    2010-08-26 19:47:12.000000000 -0400
12173 +++ linux-2.6.35.5/arch/x86/kernel/head_64.S    2010-09-17 20:12:09.000000000 -0400
12174 @@ -19,6 +19,7 @@
12175  #include <asm/cache.h>
12176  #include <asm/processor-flags.h>
12177  #include <asm/percpu.h>
12178 +#include <asm/cpufeature.h>
12179  
12180  #ifdef CONFIG_PARAVIRT
12181  #include <asm/asm-offsets.h>
12182 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12183  L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12184  L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12185  L3_START_KERNEL = pud_index(__START_KERNEL_map)
12186 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12187 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12188 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12189 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12190  
12191         .text
12192         __HEAD
12193 @@ -85,35 +90,22 @@ startup_64:
12194          */
12195         addq    %rbp, init_level4_pgt + 0(%rip)
12196         addq    %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12197 +       addq    %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12198 +       addq    %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12199         addq    %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12200  
12201         addq    %rbp, level3_ident_pgt + 0(%rip)
12202 +#ifndef CONFIG_XEN
12203 +       addq    %rbp, level3_ident_pgt + 8(%rip)
12204 +#endif
12205  
12206 -       addq    %rbp, level3_kernel_pgt + (510*8)(%rip)
12207 -       addq    %rbp, level3_kernel_pgt + (511*8)(%rip)
12208 +       addq    %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12209  
12210 -       addq    %rbp, level2_fixmap_pgt + (506*8)(%rip)
12211 +       addq    %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12212 +       addq    %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12213  
12214 -       /* Add an Identity mapping if I am above 1G */
12215 -       leaq    _text(%rip), %rdi
12216 -       andq    $PMD_PAGE_MASK, %rdi
12217 -
12218 -       movq    %rdi, %rax
12219 -       shrq    $PUD_SHIFT, %rax
12220 -       andq    $(PTRS_PER_PUD - 1), %rax
12221 -       jz      ident_complete
12222 -
12223 -       leaq    (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12224 -       leaq    level3_ident_pgt(%rip), %rbx
12225 -       movq    %rdx, 0(%rbx, %rax, 8)
12226 -
12227 -       movq    %rdi, %rax
12228 -       shrq    $PMD_SHIFT, %rax
12229 -       andq    $(PTRS_PER_PMD - 1), %rax
12230 -       leaq    __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12231 -       leaq    level2_spare_pgt(%rip), %rbx
12232 -       movq    %rdx, 0(%rbx, %rax, 8)
12233 -ident_complete:
12234 +       addq    %rbp, level2_fixmap_pgt + (506*8)(%rip)
12235 +       addq    %rbp, level2_fixmap_pgt + (507*8)(%rip)
12236  
12237         /*
12238          * Fixup the kernel text+data virtual addresses. Note that
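Review bot: `addq %rbp, level2_fixmap_pgt + (506*8)(%rip)` is kept, but the table in a later hunk of this file is now `.fill 507,8,0` followed by the `level1_vsyscall_pgt` entry, so slot 506 is zero at this point and only slot 507 holds a pointer. With a non-zero load offset in %rbp the fixup turns the empty slot 506 into a non-zero, non-present value, which code that later tests that slot for emptiness may not expect. Unless slot 506 is populated before startup_64 runs, which seems impossible this early, the 506 line looks like a leftover and only `(507*8)` should be fixed up. startup_64 begins and ends outside the hunk.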
12239 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12240          * after the boot processor executes this code.
12241          */
12242  
12243 -       /* Enable PAE mode and PGE */
12244 -       movl    $(X86_CR4_PAE | X86_CR4_PGE), %eax
12245 +       /* Enable PAE mode and PSE/PGE */
12246 +       movl    $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12247         movq    %rax, %cr4
12248  
12249         /* Setup early boot stage 4 level pagetables. */
12250 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12251         movl    $MSR_EFER, %ecx
12252         rdmsr
12253         btsl    $_EFER_SCE, %eax        /* Enable System Call */
12254 -       btl     $20,%edi                /* No Execute supported? */
12255 +       btl     $(X86_FEATURE_NX & 31),%edi     /* No Execute supported? */
12256         jnc     1f
12257         btsl    $_EFER_NX, %eax
12258 +       leaq    init_level4_pgt(%rip), %rdi
12259 +       btsq    $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12260 +       btsq    $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12261 +       btsq    $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12262 +       btsq    $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12263  1:     wrmsr                           /* Make changes effective */
12264  
12265         /* Setup cr0 */
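Review bot: `leaq init_level4_pgt(%rip), %rdi` overwrites %edi, which still holds the CPUID feature word tested by the `btl` two lines earlier; if anything after `wrmsr` reads those feature bits again (not visible in this hunk), it will now see a pointer. The four `btsq` stores also run in secondary_startup_64, so they are repeated on every CPU bring-up, and `init_level4_pgt` is placed in `.rodata` by a later hunk of this file; that is harmless only while those pages are still writable when a secondary CPU starts. A comment such as `/* idempotent; repeated by each CPU, requires the boot page tables to be writable here */` would record the assumption, or the stores could be limited to the boot CPU.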
12266 @@ -271,7 +268,7 @@ ENTRY(secondary_startup_64)
12267  bad_address:
12268         jmp bad_address
12269  
12270 -       .section ".init.text","ax"
12271 +       __INIT
12272  #ifdef CONFIG_EARLY_PRINTK
12273         .globl early_idt_handlers
12274  early_idt_handlers:
12275 @@ -316,18 +313,23 @@ ENTRY(early_idt_handler)
12276  #endif /* EARLY_PRINTK */
12277  1:     hlt
12278         jmp 1b
12279 +       .previous
12280  
12281  #ifdef CONFIG_EARLY_PRINTK
12282 +       __INITDATA
12283  early_recursion_flag:
12284         .long 0
12285 +       .previous
12286  
12287 +       .section .rodata,"a",@progbits
12288  early_idt_msg:
12289         .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12290  early_idt_ripmsg:
12291         .asciz "RIP %s\n"
12292 -#endif /* CONFIG_EARLY_PRINTK */
12293         .previous
12294 +#endif /* CONFIG_EARLY_PRINTK */
12295  
12296 +       .section .rodata,"a",@progbits
12297  #define NEXT_PAGE(name) \
12298         .balign PAGE_SIZE; \
12299  ENTRY(name)
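Review bot: The `.section .rodata,"a",@progbits` added in front of `#define NEXT_PAGE` puts every table built with `NEXT_PAGE()` into read-only data, although startup_64 in this same file patches several of them (`addq %rbp, init_level4_pgt + ...`, `level3_ident_pgt`, `level2_fixmap_pgt`). That can only work if the section is still mapped writable during early boot, and nothing here states this. Suggested comment: `/* boot page tables live in .rodata; startup_64 fixes them up before write protection is applied */`. Unlike the other `.section` directives added in this hunk, this one has no matching `.previous`, so everything up to the next section directive follows it into `.rodata`.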
12300 @@ -351,13 +353,36 @@ NEXT_PAGE(init_level4_pgt)
12301         .quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12302         .org    init_level4_pgt + L4_PAGE_OFFSET*8, 0
12303         .quad   level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12304 +       .org    init_level4_pgt + L4_VMALLOC_START*8, 0
12305 +       .quad   level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12306 +       .org    init_level4_pgt + L4_VMEMMAP_START*8, 0
12307 +       .quad   level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12308         .org    init_level4_pgt + L4_START_KERNEL*8, 0
12309         /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12310         .quad   level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12311  
12312 +#ifdef CONFIG_PAX_PER_CPU_PGD
12313 +NEXT_PAGE(cpu_pgd)
12314 +       .rept NR_CPUS
12315 +       .fill   512,8,0
12316 +       .endr
12317 +#endif
12318 +
12319  NEXT_PAGE(level3_ident_pgt)
12320         .quad   level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12321 +#ifdef CONFIG_XEN
12322         .fill   511,8,0
12323 +#else
12324 +       .quad   level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12325 +       .fill   510,8,0
12326 +#endif
12327 +
12328 +NEXT_PAGE(level3_vmalloc_pgt)
12329 +       .fill   512,8,0
12330 +
12331 +NEXT_PAGE(level3_vmemmap_pgt)
12332 +       .fill   L3_VMEMMAP_START,8,0
12333 +       .quad   level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12334  
12335  NEXT_PAGE(level3_kernel_pgt)
12336         .fill   L3_START_KERNEL,8,0
12337 @@ -365,20 +390,23 @@ NEXT_PAGE(level3_kernel_pgt)
12338         .quad   level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12339         .quad   level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12340  
12341 +NEXT_PAGE(level2_vmemmap_pgt)
12342 +       .fill   512,8,0
12343 +
12344  NEXT_PAGE(level2_fixmap_pgt)
12345 -       .fill   506,8,0
12346 -       .quad   level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12347 -       /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12348 -       .fill   5,8,0
12349 +       .fill   507,8,0
12350 +       .quad   level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12351 +       /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12352 +       .fill   4,8,0
12353  
12354 -NEXT_PAGE(level1_fixmap_pgt)
12355 +NEXT_PAGE(level1_vsyscall_pgt)
12356         .fill   512,8,0
12357  
12358 -NEXT_PAGE(level2_ident_pgt)
12359 -       /* Since I easily can, map the first 1G.
12360 +       /* Since I easily can, map the first 2G.
12361          * Don't set NX because code runs from these pages.
12362          */
12363 -       PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12364 +NEXT_PAGE(level2_ident_pgt)
12365 +       PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12366  
12367  NEXT_PAGE(level2_kernel_pgt)
12368         /*
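Review bot: `level2_ident_pgt` now statically maps 2 GiB (`2*PTRS_PER_PMD` entries, i.e. two pages), and the runtime "identity mapping if I am above 1G" code together with `level2_spare_pgt` is removed elsewhere in this file. If the kernel can still be loaded at a physical address of 2 GiB or more in some configuration, there would be no identity mapping for it; whether that is excluded by configuration is not visible here, so the limit should at least be stated. The moved comment now sits in front of `NEXT_PAGE(level2_ident_pgt)`, physically inside `level1_vsyscall_pgt`; it reads better directly under the `NEXT_PAGE` line, extended to `/* Static identity map of the first 2G only; there is no runtime fallback for higher load addresses. */`. Under CONFIG_XEN `level3_ident_pgt` references only the first of the two pages, so the second page is emitted but unused there.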
12369 @@ -391,33 +419,55 @@ NEXT_PAGE(level2_kernel_pgt)
12370          *  If you want to increase this then increase MODULES_VADDR
12371          *  too.)
12372          */
12373 -       PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12374 -               KERNEL_IMAGE_SIZE/PMD_SIZE)
12375 -
12376 -NEXT_PAGE(level2_spare_pgt)
12377 -       .fill   512, 8, 0
12378 +       PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12379  
12380  #undef PMDS
12381  #undef NEXT_PAGE
12382  
12383 -       .data
12384 +       .align PAGE_SIZE
12385 +ENTRY(cpu_gdt_table)
12386 +       .rept NR_CPUS
12387 +       .quad   0x0000000000000000      /* NULL descriptor */
12388 +       .quad   0x00cf9b000000ffff      /* __KERNEL32_CS */
12389 +       .quad   0x00af9b000000ffff      /* __KERNEL_CS */
12390 +       .quad   0x00cf93000000ffff      /* __KERNEL_DS */
12391 +       .quad   0x00cffb000000ffff      /* __USER32_CS */
12392 +       .quad   0x00cff3000000ffff      /* __USER_DS, __USER32_DS  */
12393 +       .quad   0x00affb000000ffff      /* __USER_CS */
12394 +
12395 +#ifdef CONFIG_PAX_KERNEXEC
12396 +       .quad   0x00af9b000000ffff      /* __KERNEXEC_KERNEL_CS */
12397 +#else
12398 +       .quad   0x0                     /* unused */
12399 +#endif
12400 +
12401 +       .quad   0,0                     /* TSS */
12402 +       .quad   0,0                     /* LDT */
12403 +       .quad   0,0,0                   /* three TLS descriptors */
12404 +       .quad   0x0000f40000000000      /* node/CPU stored in limit */
12405 +       /* asm/segment.h:GDT_ENTRIES must match this */
12406 +
12407 +       /* zero the remaining page */
12408 +       .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12409 +       .endr
12410 +
12411         .align 16
12412         .globl early_gdt_descr
12413  early_gdt_descr:
12414         .word   GDT_ENTRIES*8-1
12415  early_gdt_descr_base:
12416 -       .quad   INIT_PER_CPU_VAR(gdt_page)
12417 +       .quad   cpu_gdt_table
12418  
12419  ENTRY(phys_base)
12420         /* This must match the first entry in level2_kernel_pgt */
12421         .quad   0x0000000000000000
12422  
12423  #include "../../x86/xen/xen-head.S"
12424 -       
12425 -       .section .bss, "aw", @nobits
12426 +
12427 +       .section .rodata,"a",@progbits
12428         .align L1_CACHE_BYTES
12429  ENTRY(idt_table)
12430 -       .skip IDT_ENTRIES * 16
12431 +       .fill 512,8,0
12432  
12433         __PAGE_ALIGNED_BSS
12434         .align PAGE_SIZE
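Review bot: `idt_table` changes from `.skip IDT_ENTRIES * 16` to `.fill 512,8,0`, which yields the same 4096 bytes only as long as `IDT_ENTRIES` is 256; the symbolic link to the constant is lost. `.fill IDT_ENTRIES*2,8,0` keeps the new section and the explicit zero fill without the magic number. The hunk also removes `.data`, so `early_gdt_descr` and `phys_base` follow `cpu_gdt_table` into whatever section is current at that point (apparently the `.rodata` opened before `NEXT_PAGE`); if `phys_base` is written during boot, as its comment about matching `level2_kernel_pgt` suggests, that again depends on the section being writable early.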
12435 diff -urNp linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c
12436 --- linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c      2010-08-26 19:47:12.000000000 -0400
12437 +++ linux-2.6.35.5/arch/x86/kernel/i386_ksyms_32.c      2010-09-17 20:12:09.000000000 -0400
12438 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12439  EXPORT_SYMBOL(cmpxchg8b_emu);
12440  #endif
12441  
12442 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12443 +
12444  /* Networking helper routines. */
12445  EXPORT_SYMBOL(csum_partial_copy_generic);
12446 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12447 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12448  
12449  EXPORT_SYMBOL(__get_user_1);
12450  EXPORT_SYMBOL(__get_user_2);
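Review bot: `EXPORT_SYMBOL_GPL(cpu_gdt_table)` here and `EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR)` in the next hunk make low-level kernel layout available to loadable modules, and neither export names the module that needs it. Handing the GDT to modules widens what a loaded module can touch, so the justification should be recorded, e.g. `/* needed by <module> for ... */` with the real consumer filled in. The two exports also differ in licence restriction (`_GPL` for the GDT, unrestricted for the load address and for the two new `csum_partial_copy_generic_*_user` helpers); if that is deliberate, a comment should say so.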
12451 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12452  
12453  EXPORT_SYMBOL(csum_partial);
12454  EXPORT_SYMBOL(empty_zero_page);
12455 +
12456 +#ifdef CONFIG_PAX_KERNEXEC
12457 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12458 +#endif
12459 diff -urNp linux-2.6.35.5/arch/x86/kernel/init_task.c linux-2.6.35.5/arch/x86/kernel/init_task.c
12460 --- linux-2.6.35.5/arch/x86/kernel/init_task.c  2010-08-26 19:47:12.000000000 -0400
12461 +++ linux-2.6.35.5/arch/x86/kernel/init_task.c  2010-09-17 20:12:09.000000000 -0400
12462 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12463   * section. Since TSS's are completely CPU-local, we want them
12464   * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12465   */
12466 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12467 -
12468 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12469 +EXPORT_SYMBOL(init_tss);
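Review bot: The comment above still promises that each TSS sits on an exact cacheline boundary, but `____cacheline_internodealigned_in_smp` on `init_tss[NR_CPUS]` aligns only the start of the array. Alignment of elements 1..NR_CPUS-1 now depends on `sizeof(struct tss_struct)` being a multiple of that alignment, which is not visible here. Either add a compile-time check for that property or update the comment to describe what is actually guaranteed. Replacing the per-CPU variable with a static array also means the memory is sized by `NR_CPUS` regardless of how many CPUs are present, and `EXPORT_SYMBOL(init_tss)` exposes every CPU's TSS to modules; the comment should mention both.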
12470 diff -urNp linux-2.6.35.5/arch/x86/kernel/ioport.c linux-2.6.35.5/arch/x86/kernel/ioport.c
12471 --- linux-2.6.35.5/arch/x86/kernel/ioport.c     2010-08-26 19:47:12.000000000 -0400
12472 +++ linux-2.6.35.5/arch/x86/kernel/ioport.c     2010-09-17 20:12:37.000000000 -0400
12473 @@ -6,6 +6,7 @@
12474  #include <linux/sched.h>
12475  #include <linux/kernel.h>
12476  #include <linux/capability.h>
12477 +#include <linux/security.h>
12478  #include <linux/errno.h>
12479  #include <linux/types.h>
12480  #include <linux/ioport.h>
12481 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12482  
12483         if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12484                 return -EINVAL;
12485 +#ifdef CONFIG_GRKERNSEC_IO
12486 +       if (turn_on && grsec_disable_privio) {
12487 +               gr_handle_ioperm();
12488 +               return -EPERM;
12489 +       }
12490 +#endif
12491         if (turn_on && !capable(CAP_SYS_RAWIO))
12492                 return -EPERM;
12493  
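Review bot: The `grsec_disable_privio` branch is evaluated before `capable(CAP_SYS_RAWIO)`, so a caller without the capability also reaches `gr_handle_ioperm()`. If that helper writes a log or audit record (its body is not part of this hunk), any unprivileged process can generate entries at will by calling ioperm in a loop; confirm that the helper is rate-limited, or run the capability check first and call it only for callers that would otherwise have succeeded. The same ordering appears in the sys_iopl hunk below with `gr_handle_iopl()`. A short comment, e.g. `/* deny even CAP_SYS_RAWIO holders when privileged I/O is disabled */`, would also make clear that the new check is stricter than the capability test. Both functions continue outside their hunks.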
12494 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12495          * because the ->io_bitmap_max value must match the bitmap
12496          * contents:
12497          */
12498 -       tss = &per_cpu(init_tss, get_cpu());
12499 +       tss = init_tss + get_cpu();
12500  
12501         set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12502  
12503 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12504                 return -EINVAL;
12505         /* Trying to gain more privileges? */
12506         if (level > old) {
12507 +#ifdef CONFIG_GRKERNSEC_IO
12508 +               if (grsec_disable_privio) {
12509 +                       gr_handle_iopl();
12510 +                       return -EPERM;
12511 +               }
12512 +#endif
12513                 if (!capable(CAP_SYS_RAWIO))
12514                         return -EPERM;
12515         }
12516 diff -urNp linux-2.6.35.5/arch/x86/kernel/irq_32.c linux-2.6.35.5/arch/x86/kernel/irq_32.c
12517 --- linux-2.6.35.5/arch/x86/kernel/irq_32.c     2010-08-26 19:47:12.000000000 -0400
12518 +++ linux-2.6.35.5/arch/x86/kernel/irq_32.c     2010-09-17 20:12:09.000000000 -0400
12519 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
12520                 return 0;
12521  
12522         /* build the stack frame on the IRQ stack */
12523 -       isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12524 +       isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12525         irqctx->tinfo.task = curctx->tinfo.task;
12526         irqctx->tinfo.previous_esp = current_stack_pointer;
12527  
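Review bot: The initial stack pointer is now `sizeof(*irqctx) - 8`, here and in the do_softirq hunk below, with no explanation of what the 8 bytes at the top of the stack are reserved for. The same constant appears as `init_thread_union+THREAD_SIZE-8` in head_32.S in this patch, so the three places must stay in sync. A named constant shared by all three, or at least a comment such as `/* keep the top 8 bytes of every kernel stack unused; must match stack_start in head_32.S */`, would prevent one of them being changed alone.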
12528 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
12529                 irqctx->tinfo.previous_esp = current_stack_pointer;
12530  
12531                 /* build the stack frame on the softirq stack */
12532 -               isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12533 +               isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12534  
12535                 call_on_stack(__do_softirq, isp);
12536                 /*
12537 diff -urNp linux-2.6.35.5/arch/x86/kernel/kgdb.c linux-2.6.35.5/arch/x86/kernel/kgdb.c
12538 --- linux-2.6.35.5/arch/x86/kernel/kgdb.c       2010-08-26 19:47:12.000000000 -0400
12539 +++ linux-2.6.35.5/arch/x86/kernel/kgdb.c       2010-09-17 20:12:09.000000000 -0400
12540 @@ -77,7 +77,7 @@ void pt_regs_to_gdb_regs(unsigned long *
12541         gdb_regs[GDB_CS]        = regs->cs;
12542         gdb_regs[GDB_FS]        = 0xFFFF;
12543         gdb_regs[GDB_GS]        = 0xFFFF;
12544 -       if (user_mode_vm(regs)) {
12545 +       if (user_mode(regs)) {
12546                 gdb_regs[GDB_SS] = regs->ss;
12547                 gdb_regs[GDB_SP] = regs->sp;
12548         } else {
12549 @@ -720,7 +720,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12550         regs->ip = ip;
12551  }
12552  
12553 -struct kgdb_arch arch_kgdb_ops = {
12554 +const struct kgdb_arch arch_kgdb_ops = {
12555         /* Breakpoint instruction: */
12556         .gdb_bpt_instr          = { 0xcc },
12557         .flags                  = KGDB_HW_BREAKPOINT,
12558 diff -urNp linux-2.6.35.5/arch/x86/kernel/kprobes.c linux-2.6.35.5/arch/x86/kernel/kprobes.c
12559 --- linux-2.6.35.5/arch/x86/kernel/kprobes.c    2010-08-26 19:47:12.000000000 -0400
12560 +++ linux-2.6.35.5/arch/x86/kernel/kprobes.c    2010-09-17 20:12:09.000000000 -0400
12561 @@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
12562                 s32 raddr;
12563         } __attribute__((packed)) *insn;
12564  
12565 -       insn = (struct __arch_relative_insn *)from;
12566 +       insn = (struct __arch_relative_insn *)(ktla_ktva(from));
12567 +
12568 +       pax_open_kernel();
12569         insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12570         insn->op = op;
12571 +       pax_close_kernel();
12572  }
12573  
12574  /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
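Review bot: In __synthesize_relative_insn the store now goes through `ktla_ktva(from)` while the displacement is still computed from `from`, and nothing in the hunk says that this split is deliberate. A reader could "fix" the arithmetic to use the translated pointer and produce a wrong branch target. I would add `/* store through the ktla_ktva() alias; raddr stays relative to 'from', where the instruction is inserted */` above the assignment to `insn`. The pax_open_kernel()/pax_close_kernel() window is correctly limited to the two stores. The function starts outside the hunk.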
12575 @@ -315,7 +318,9 @@ static int __kprobes __copy_instruction(
12576                 }
12577         }
12578         insn_get_length(&insn);
12579 +       pax_open_kernel();
12580         memcpy(dest, insn.kaddr, insn.length);
12581 +       pax_close_kernel();
12582  
12583  #ifdef CONFIG_X86_64
12584         if (insn_rip_relative(&insn)) {
12585 @@ -339,7 +344,9 @@ static int __kprobes __copy_instruction(
12586                           (u8 *) dest;
12587                 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check.  */
12588                 disp = (u8 *) dest + insn_offset_displacement(&insn);
12589 +               pax_open_kernel();
12590                 *(s32 *) disp = (s32) newdisp;
12591 +               pax_close_kernel();
12592         }
12593  #endif
12594         return insn.length;
12595 @@ -353,12 +360,12 @@ static void __kprobes arch_copy_kprobe(s
12596          */
12597         __copy_instruction(p->ainsn.insn, p->addr, 0);
12598  
12599 -       if (can_boost(p->addr))
12600 +       if (can_boost(ktla_ktva(p->addr)))
12601                 p->ainsn.boostable = 0;
12602         else
12603                 p->ainsn.boostable = -1;
12604  
12605 -       p->opcode = *p->addr;
12606 +       p->opcode = *(ktla_ktva(p->addr));
12607  }
12608  
12609  int __kprobes arch_prepare_kprobe(struct kprobe *p)
12610 @@ -475,7 +482,7 @@ static void __kprobes setup_singlestep(s
12611                  * nor set current_kprobe, because it doesn't use single
12612                  * stepping.
12613                  */
12614 -               regs->ip = (unsigned long)p->ainsn.insn;
12615 +               regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12616                 preempt_enable_no_resched();
12617                 return;
12618         }
12619 @@ -494,7 +501,7 @@ static void __kprobes setup_singlestep(s
12620         if (p->opcode == BREAKPOINT_INSTRUCTION)
12621                 regs->ip = (unsigned long)p->addr;
12622         else
12623 -               regs->ip = (unsigned long)p->ainsn.insn;
12624 +               regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12625  }
12626  
12627  /*
12628 @@ -573,7 +580,7 @@ static int __kprobes kprobe_handler(stru
12629                                 setup_singlestep(p, regs, kcb, 0);
12630                         return 1;
12631                 }
12632 -       } else if (*addr != BREAKPOINT_INSTRUCTION) {
12633 +       } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12634                 /*
12635                  * The breakpoint instruction was removed right
12636                  * after we hit it.  Another cpu has removed
12637 @@ -799,7 +806,7 @@ static void __kprobes resume_execution(s
12638                 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12639  {
12640         unsigned long *tos = stack_addr(regs);
12641 -       unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12642 +       unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12643         unsigned long orig_ip = (unsigned long)p->addr;
12644         kprobe_opcode_t *insn = p->ainsn.insn;
12645  
12646 @@ -982,7 +989,7 @@ int __kprobes kprobe_exceptions_notify(s
12647         struct die_args *args = data;
12648         int ret = NOTIFY_DONE;
12649  
12650 -       if (args->regs && user_mode_vm(args->regs))
12651 +       if (args->regs && user_mode(args->regs))
12652                 return ret;
12653  
12654         switch (val) {
12655 diff -urNp linux-2.6.35.5/arch/x86/kernel/ldt.c linux-2.6.35.5/arch/x86/kernel/ldt.c
12656 --- linux-2.6.35.5/arch/x86/kernel/ldt.c        2010-08-26 19:47:12.000000000 -0400
12657 +++ linux-2.6.35.5/arch/x86/kernel/ldt.c        2010-09-17 20:12:09.000000000 -0400
12658 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12659         if (reload) {
12660  #ifdef CONFIG_SMP
12661                 preempt_disable();
12662 -               load_LDT(pc);
12663 +               load_LDT_nolock(pc);
12664                 if (!cpumask_equal(mm_cpumask(current->mm),
12665                                    cpumask_of(smp_processor_id())))
12666                         smp_call_function(flush_ldt, current->mm, 1);
12667                 preempt_enable();
12668  #else
12669 -               load_LDT(pc);
12670 +               load_LDT_nolock(pc);
12671  #endif
12672         }
12673         if (oldsize) {
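Review bot: The `#else` (non-SMP) branch of alloc_ldt now calls `load_LDT_nolock(pc)` with no preemption guard visible around it. If load_LDT is the wrapper that disables preemption around load_LDT_nolock, as the names suggest, a uniprocessor build with kernel preemption loses that protection, which the SMP branch keeps through its explicit `preempt_disable()`. Unless the definition was changed elsewhere in the patch, I would leave `load_LDT(pc);` in the `#else` branch and switch only the SMP call. alloc_ldt begins and ends outside this hunk.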
12674 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t 
12675                 return err;
12676  
12677         for (i = 0; i < old->size; i++)
12678 -               write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12679 +               write_ldt_entry(new->ldt, i, old->ldt + i);
12680         return 0;
12681  }
12682  
12683 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct 
12684                 retval = copy_ldt(&mm->context, &old_mm->context);
12685                 mutex_unlock(&old_mm->context.lock);
12686         }
12687 +
12688 +       if (tsk == current) {
12689 +               mm->context.vdso = ~0UL;
12690 +
12691 +#ifdef CONFIG_X86_32
12692 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
12693 +               mm->context.user_cs_base = 0UL;
12694 +               mm->context.user_cs_limit = ~0UL;
12695 +
12696 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
12697 +               cpus_clear(mm->context.cpu_user_cs_mask);
12698 +#endif
12699 +
12700 +#endif
12701 +#endif
12702 +
12703 +       }
12704 +
12705         return retval;
12706  }
12707  
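Review bot: The block added to init_new_context explains neither the `tsk == current` condition nor the `~0UL` stored in `mm->context.vdso`, so a reader cannot tell whether that value is a "not mapped" sentinel that other code tests for. A short comment would help, for example `/* new context for the current task: vdso not set up yet, user code segment covers the whole range */`, if that is the intent. The block also runs when the earlier `copy_ldt()` call has already set `retval` to an error. That looks harmless but is worth stating. The empty line before the closing brace and the nested `#if` ladder could be tightened. The function starts outside the hunk.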
12708 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
12709                 }
12710         }
12711  
12712 +#ifdef CONFIG_PAX_SEGMEXEC
12713 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
12714 +               error = -EINVAL;
12715 +               goto out_unlock;
12716 +       }
12717 +#endif
12718 +
12719         fill_ldt(&ldt, &ldt_info);
12720         if (oldmode)
12721                 ldt.avl = 0;
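Review bot: The SEGMEXEC check in write_ldt should carry a comment explaining why code descriptors are refused, since this is a policy decision that changes the modify_ldt contract for affected processes. The test `ldt_info.contents & MODIFY_LDT_CONTENTS_CODE` is a bit test, so it also matches the conforming-code value that has this bit set. That appears intended, but it reads like an equality check at first glance. I would add `/* SEGMEXEC depends on the user code segment limit: refuse any LDT code descriptor (bit test also covers conforming code) */`. The `out_unlock` label and the start of write_ldt are outside the hunk.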
12722 diff -urNp linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c
12723 --- linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c   2010-08-26 19:47:12.000000000 -0400
12724 +++ linux-2.6.35.5/arch/x86/kernel/machine_kexec_32.c   2010-09-17 20:12:09.000000000 -0400
12725 @@ -27,7 +27,7 @@
12726  #include <asm/cacheflush.h>
12727  #include <asm/debugreg.h>
12728  
12729 -static void set_idt(void *newidt, __u16 limit)
12730 +static void set_idt(struct desc_struct *newidt, __u16 limit)
12731  {
12732         struct desc_ptr curidt;
12733  
12734 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16 
12735  }
12736  
12737  
12738 -static void set_gdt(void *newgdt, __u16 limit)
12739 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
12740  {
12741         struct desc_ptr curgdt;
12742  
12743 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
12744         }
12745  
12746         control_page = page_address(image->control_code_page);
12747 -       memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
12748 +       memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
12749  
12750         relocate_kernel_ptr = control_page;
12751         page_list[PA_CONTROL_PAGE] = __pa(control_page);
12752 diff -urNp linux-2.6.35.5/arch/x86/kernel/microcode_amd.c linux-2.6.35.5/arch/x86/kernel/microcode_amd.c
12753 --- linux-2.6.35.5/arch/x86/kernel/microcode_amd.c      2010-08-26 19:47:12.000000000 -0400
12754 +++ linux-2.6.35.5/arch/x86/kernel/microcode_amd.c      2010-09-17 20:12:09.000000000 -0400
12755 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
12756         uci->mc = NULL;
12757  }
12758  
12759 -static struct microcode_ops microcode_amd_ops = {
12760 +static const struct microcode_ops microcode_amd_ops = {
12761         .request_microcode_user           = request_microcode_user,
12762         .request_microcode_fw             = request_microcode_fw,
12763         .collect_cpu_info                 = collect_cpu_info_amd,
12764 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
12765         .microcode_fini_cpu               = microcode_fini_cpu_amd,
12766  };
12767  
12768 -struct microcode_ops * __init init_amd_microcode(void)
12769 +const struct microcode_ops * __init init_amd_microcode(void)
12770  {
12771         return &microcode_amd_ops;
12772  }
12773 diff -urNp linux-2.6.35.5/arch/x86/kernel/microcode_core.c linux-2.6.35.5/arch/x86/kernel/microcode_core.c
12774 --- linux-2.6.35.5/arch/x86/kernel/microcode_core.c     2010-08-26 19:47:12.000000000 -0400
12775 +++ linux-2.6.35.5/arch/x86/kernel/microcode_core.c     2010-09-17 20:12:09.000000000 -0400
12776 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
12777  
12778  #define MICROCODE_VERSION      "2.00"
12779  
12780 -static struct microcode_ops    *microcode_ops;
12781 +static const struct microcode_ops      *microcode_ops;
12782  
12783  /*
12784   * Synchronization.
12785 diff -urNp linux-2.6.35.5/arch/x86/kernel/microcode_intel.c linux-2.6.35.5/arch/x86/kernel/microcode_intel.c
12786 --- linux-2.6.35.5/arch/x86/kernel/microcode_intel.c    2010-08-26 19:47:12.000000000 -0400
12787 +++ linux-2.6.35.5/arch/x86/kernel/microcode_intel.c    2010-09-17 20:12:09.000000000 -0400
12788 @@ -446,13 +446,13 @@ static enum ucode_state request_microcod
12789  
12790  static int get_ucode_user(void *to, const void *from, size_t n)
12791  {
12792 -       return copy_from_user(to, from, n);
12793 +       return copy_from_user(to, (__force const void __user *)from, n);
12794  }
12795  
12796  static enum ucode_state
12797  request_microcode_user(int cpu, const void __user *buf, size_t size)
12798  {
12799 -       return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
12800 +       return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
12801  }
12802  
12803  static void microcode_fini_cpu(int cpu)
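Review bot: The `__force` casts in request_microcode_user and get_ucode_user silence the address-space checker but leave the invariant they rely on unwritten. The user pointer travels through generic_load_microcode as a plain `void *` and is only safe if it is touched exclusively through the `get_ucode_user` callback. generic_load_microcode is not visible here, so that needs confirming. A comment on request_microcode_user such as `/* buf stays a user pointer; generic_load_microcode() must access it only via get_ucode_user() */` would keep a later direct dereference from slipping in.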
12804 @@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
12805         uci->mc = NULL;
12806  }
12807  
12808 -static struct microcode_ops microcode_intel_ops = {
12809 +static const struct microcode_ops microcode_intel_ops = {
12810         .request_microcode_user           = request_microcode_user,
12811         .request_microcode_fw             = request_microcode_fw,
12812         .collect_cpu_info                 = collect_cpu_info,
12813 @@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
12814         .microcode_fini_cpu               = microcode_fini_cpu,
12815  };
12816  
12817 -struct microcode_ops * __init init_intel_microcode(void)
12818 +const struct microcode_ops * __init init_intel_microcode(void)
12819  {
12820         return &microcode_intel_ops;
12821  }
12822 diff -urNp linux-2.6.35.5/arch/x86/kernel/module.c linux-2.6.35.5/arch/x86/kernel/module.c
12823 --- linux-2.6.35.5/arch/x86/kernel/module.c     2010-08-26 19:47:12.000000000 -0400
12824 +++ linux-2.6.35.5/arch/x86/kernel/module.c     2010-09-17 20:12:09.000000000 -0400
12825 @@ -35,7 +35,7 @@
12826  #define DEBUGP(fmt...)
12827  #endif
12828  
12829 -void *module_alloc(unsigned long size)
12830 +static void *__module_alloc(unsigned long size, pgprot_t prot)
12831  {
12832         struct vm_struct *area;
12833  
12834 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
12835         if (!area)
12836                 return NULL;
12837  
12838 -       return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
12839 -                                       PAGE_KERNEL_EXEC);
12840 +       return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
12841 +}
12842 +
12843 +void *module_alloc(unsigned long size)
12844 +{
12845 +
12846 +#ifdef CONFIG_PAX_KERNEXEC
12847 +       return __module_alloc(size, PAGE_KERNEL);
12848 +#else
12849 +       return __module_alloc(size, PAGE_KERNEL_EXEC);
12850 +#endif
12851 +
12852  }
12853  
12854  /* Free memory returned from module_alloc */
12855 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
12856         vfree(module_region);
12857  }
12858  
12859 +#ifdef CONFIG_PAX_KERNEXEC
12860 +#ifdef CONFIG_X86_32
12861 +void *module_alloc_exec(unsigned long size)
12862 +{
12863 +       struct vm_struct *area;
12864 +
12865 +       if (size == 0)
12866 +               return NULL;
12867 +
12868 +       area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
12869 +       return area ? area->addr : NULL;
12870 +}
12871 +EXPORT_SYMBOL(module_alloc_exec);
12872 +
12873 +void module_free_exec(struct module *mod, void *module_region)
12874 +{
12875 +       vunmap(module_region);
12876 +}
12877 +EXPORT_SYMBOL(module_free_exec);
12878 +#else
12879 +void module_free_exec(struct module *mod, void *module_region)
12880 +{
12881 +       module_free(mod, module_region);
12882 +}
12883 +EXPORT_SYMBOL(module_free_exec);
12884 +
12885 +void *module_alloc_exec(unsigned long size)
12886 +{
12887 +       return __module_alloc(size, PAGE_KERNEL_RX);
12888 +}
12889 +EXPORT_SYMBOL(module_alloc_exec);
12890 +#endif
12891 +#endif
12892 +
12893  /* We don't need anything special. */
12894  int module_frob_arch_sections(Elf_Ehdr *hdr,
12895                               Elf_Shdr *sechdrs,
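Review bot: The 32-bit module_alloc_exec reserves a range with `__get_vm_area()` and returns `area->addr` with no page allocation, zeroing or upper size bound visible. The other variant goes through __module_alloc, which now passes `__GFP_ZERO`. This presumably depends on the MODULES_EXEC range being mapped elsewhere, and that assumption should be written down, along with who clears stale contents from a previously unloaded module. The two module_free_exec variants also differ (`vunmap()` versus `module_free()`), so each function needs a doc comment stating that memory from module_alloc_exec must be released only with module_free_exec. A mismatched free on a region like this is the kind of error that is hard to notice later.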
12896 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12897         unsigned int i;
12898         Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
12899         Elf32_Sym *sym;
12900 -       uint32_t *location;
12901 +       uint32_t *plocation, location;
12902  
12903         DEBUGP("Applying relocate section %u to %u\n", relsec,
12904                sechdrs[relsec].sh_info);
12905         for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
12906                 /* This is where to make the change */
12907 -               location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
12908 -                       + rel[i].r_offset;
12909 +               plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
12910 +               location = (uint32_t)plocation;
12911 +               if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
12912 +                       plocation = ktla_ktva((void *)plocation);
12913                 /* This is the symbol it is referring to.  Note that all
12914                    undefined symbols have been resolved.  */
12915                 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
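Review bot: The names `plocation` and `location` in apply_relocate do not say which is the address the code runs at and which is the pointer used for the store, and the order of the assignments matters: `location` is captured before the `ktla_ktva()` translation. A comment on the declaration would keep the R_386_PC32 arithmetic from being "simplified" back to the translated pointer, for example `/* location: untranslated address, used for PC-relative math; plocation: pointer the store goes through */`. The `SHF_EXECINSTR` test would also read better with a one-line note that only executable sections are translated. The loop body continues outside this hunk.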
12916 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
12917                 switch (ELF32_R_TYPE(rel[i].r_info)) {
12918                 case R_386_32:
12919                         /* We add the value into the location given */
12920 -                       *location += sym->st_value;
12921 +                       pax_open_kernel();
12922 +                       *plocation += sym->st_value;
12923 +                       pax_close_kernel();
12924                         break;
12925                 case R_386_PC32:
12926                         /* Add the value, subtract its postition */
12927 -                       *location += sym->st_value - (uint32_t)location;
12928 +                       pax_open_kernel();
12929 +                       *plocation += sym->st_value - location;
12930 +                       pax_close_kernel();
12931                         break;
12932                 default:
12933                         printk(KERN_ERR "module %s: Unknown relocation: %u\n",
12934 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
12935                 case R_X86_64_NONE:
12936                         break;
12937                 case R_X86_64_64:
12938 +                       pax_open_kernel();
12939                         *(u64 *)loc = val;
12940 +                       pax_close_kernel();
12941                         break;
12942                 case R_X86_64_32:
12943 +                       pax_open_kernel();
12944                         *(u32 *)loc = val;
12945 +                       pax_close_kernel();
12946                         if (val != *(u32 *)loc)
12947                                 goto overflow;
12948                         break;
12949                 case R_X86_64_32S:
12950 +                       pax_open_kernel();
12951                         *(s32 *)loc = val;
12952 +                       pax_close_kernel();
12953                         if ((s64)val != *(s32 *)loc)
12954                                 goto overflow;
12955                         break;
12956                 case R_X86_64_PC32:
12957                         val -= (u64)loc;
12958 +                       pax_open_kernel();
12959                         *(u32 *)loc = val;
12960 +                       pax_close_kernel();
12961 +
12962  #if 0
12963                         if ((s64)val != *(s32 *)loc)
12964                                 goto overflow;
12965 diff -urNp linux-2.6.35.5/arch/x86/kernel/paravirt.c linux-2.6.35.5/arch/x86/kernel/paravirt.c
12966 --- linux-2.6.35.5/arch/x86/kernel/paravirt.c   2010-08-26 19:47:12.000000000 -0400
12967 +++ linux-2.6.35.5/arch/x86/kernel/paravirt.c   2010-09-17 20:12:09.000000000 -0400
12968 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
12969   * corresponding structure. */
12970  static void *get_call_destination(u8 type)
12971  {
12972 -       struct paravirt_patch_template tmpl = {
12973 +       const struct paravirt_patch_template tmpl = {
12974                 .pv_init_ops = pv_init_ops,
12975                 .pv_time_ops = pv_time_ops,
12976                 .pv_cpu_ops = pv_cpu_ops,
12977 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
12978         if (opfunc == NULL)
12979                 /* If there's no function, patch it with a ud2a (BUG) */
12980                 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
12981 -       else if (opfunc == _paravirt_nop)
12982 +       else if (opfunc == (void *)_paravirt_nop)
12983                 /* If the operation is a nop, then nop the callsite */
12984                 ret = paravirt_patch_nop();
12985  
12986         /* identity functions just return their single argument */
12987 -       else if (opfunc == _paravirt_ident_32)
12988 +       else if (opfunc == (void *)_paravirt_ident_32)
12989                 ret = paravirt_patch_ident_32(insnbuf, len);
12990 -       else if (opfunc == _paravirt_ident_64)
12991 +       else if (opfunc == (void *)_paravirt_ident_64)
12992                 ret = paravirt_patch_ident_64(insnbuf, len);
12993  
12994         else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
12995 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
12996         if (insn_len > len || start == NULL)
12997                 insn_len = len;
12998         else
12999 -               memcpy(insnbuf, start, insn_len);
13000 +               memcpy(insnbuf, ktla_ktva(start), insn_len);
13001  
13002         return insn_len;
13003  }
13004 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13005         preempt_enable();
13006  }
13007  
13008 -struct pv_info pv_info = {
13009 +struct pv_info pv_info __read_only = {
13010         .name = "bare hardware",
13011         .paravirt_enabled = 0,
13012         .kernel_rpl = 0,
13013         .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13014  };
13015  
13016 -struct pv_init_ops pv_init_ops = {
13017 +struct pv_init_ops pv_init_ops __read_only = {
13018         .patch = native_patch,
13019  };
13020  
13021 -struct pv_time_ops pv_time_ops = {
13022 +struct pv_time_ops pv_time_ops __read_only = {
13023         .sched_clock = native_sched_clock,
13024  };
13025  
13026 -struct pv_irq_ops pv_irq_ops = {
13027 +struct pv_irq_ops pv_irq_ops __read_only = {
13028         .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13029         .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13030         .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
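Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` `__read_only` instead of `const` means the compiler will not flag a stray assignment to their fields. If the section is write-protected at run time, such a write would fault there instead of failing the build. Guest setup code commonly overrides entries in these tables (not visible in this chunk), so every such site needs checking to see that it runs before protection is applied or is wrapped in pax_open_kernel()/pax_close_kernel(). A comment above the first table would record the rule, e.g. `/* __read_only: later updates must be bracketed by pax_open_kernel()/pax_close_kernel() */`. The same applies to the pv_cpu_ops, pv_apic_ops and pv_mmu_ops hunks below and to pv_lock_ops in paravirt-spinlocks.c.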
13031 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13032  #endif
13033  };
13034  
13035 -struct pv_cpu_ops pv_cpu_ops = {
13036 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13037         .cpuid = native_cpuid,
13038         .get_debugreg = native_get_debugreg,
13039         .set_debugreg = native_set_debugreg,
13040 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13041         .end_context_switch = paravirt_nop,
13042  };
13043  
13044 -struct pv_apic_ops pv_apic_ops = {
13045 +struct pv_apic_ops pv_apic_ops __read_only = {
13046  #ifdef CONFIG_X86_LOCAL_APIC
13047         .startup_ipi_hook = paravirt_nop,
13048  #endif
13049 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13050  #define PTE_IDENT      __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13051  #endif
13052  
13053 -struct pv_mmu_ops pv_mmu_ops = {
13054 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13055  
13056         .read_cr2 = native_read_cr2,
13057         .write_cr2 = native_write_cr2,
13058 @@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13059         },
13060  
13061         .set_fixmap = native_set_fixmap,
13062 +
13063 +#ifdef CONFIG_PAX_KERNEXEC
13064 +       .pax_open_kernel = native_pax_open_kernel,
13065 +       .pax_close_kernel = native_pax_close_kernel,
13066 +#endif
13067 +
13068  };
13069  
13070  EXPORT_SYMBOL_GPL(pv_time_ops);
13071 diff -urNp linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c
13072 --- linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c 2010-08-26 19:47:12.000000000 -0400
13073 +++ linux-2.6.35.5/arch/x86/kernel/paravirt-spinlocks.c 2010-09-17 20:12:09.000000000 -0400
13074 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t 
13075         arch_spin_lock(lock);
13076  }
13077  
13078 -struct pv_lock_ops pv_lock_ops = {
13079 +struct pv_lock_ops pv_lock_ops __read_only = {
13080  #ifdef CONFIG_SMP
13081         .spin_is_locked = __ticket_spin_is_locked,
13082         .spin_is_contended = __ticket_spin_is_contended,
13083 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c
13084 --- linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c     2010-08-26 19:47:12.000000000 -0400
13085 +++ linux-2.6.35.5/arch/x86/kernel/pci-calgary_64.c     2010-09-17 20:12:09.000000000 -0400
13086 @@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
13087         free_pages((unsigned long)vaddr, get_order(size));
13088  }
13089  
13090 -static struct dma_map_ops calgary_dma_ops = {
13091 +static const struct dma_map_ops calgary_dma_ops = {
13092         .alloc_coherent = calgary_alloc_coherent,
13093         .free_coherent = calgary_free_coherent,
13094         .map_sg = calgary_map_sg,
13095 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-dma.c linux-2.6.35.5/arch/x86/kernel/pci-dma.c
13096 --- linux-2.6.35.5/arch/x86/kernel/pci-dma.c    2010-08-26 19:47:12.000000000 -0400
13097 +++ linux-2.6.35.5/arch/x86/kernel/pci-dma.c    2010-09-17 20:12:09.000000000 -0400
13098 @@ -16,7 +16,7 @@
13099  
13100  static int forbid_dac __read_mostly;
13101  
13102 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13103 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13104  EXPORT_SYMBOL(dma_ops);
13105  
13106  static int iommu_sac_force __read_mostly;
13107 @@ -248,7 +248,7 @@ early_param("iommu", iommu_setup);
13108  
13109  int dma_supported(struct device *dev, u64 mask)
13110  {
13111 -       struct dma_map_ops *ops = get_dma_ops(dev);
13112 +       const struct dma_map_ops *ops = get_dma_ops(dev);
13113  
13114  #ifdef CONFIG_PCI
13115         if (mask > 0xffffffff && forbid_dac > 0) {
13116 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c
13117 --- linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c        2010-08-26 19:47:12.000000000 -0400
13118 +++ linux-2.6.35.5/arch/x86/kernel/pci-gart_64.c        2010-09-17 20:12:09.000000000 -0400
13119 @@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
13120         return -1;
13121  }
13122  
13123 -static struct dma_map_ops gart_dma_ops = {
13124 +static const struct dma_map_ops gart_dma_ops = {
13125         .map_sg                         = gart_map_sg,
13126         .unmap_sg                       = gart_unmap_sg,
13127         .map_page                       = gart_map_page,
13128 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-nommu.c linux-2.6.35.5/arch/x86/kernel/pci-nommu.c
13129 --- linux-2.6.35.5/arch/x86/kernel/pci-nommu.c  2010-08-26 19:47:12.000000000 -0400
13130 +++ linux-2.6.35.5/arch/x86/kernel/pci-nommu.c  2010-09-17 20:12:09.000000000 -0400
13131 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13132         flush_write_buffers();
13133  }
13134  
13135 -struct dma_map_ops nommu_dma_ops = {
13136 +const struct dma_map_ops nommu_dma_ops = {
13137         .alloc_coherent         = dma_generic_alloc_coherent,
13138         .free_coherent          = nommu_free_coherent,
13139         .map_sg                 = nommu_map_sg,
13140 diff -urNp linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c
13141 --- linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c        2010-08-26 19:47:12.000000000 -0400
13142 +++ linux-2.6.35.5/arch/x86/kernel/pci-swiotlb.c        2010-09-17 20:12:09.000000000 -0400
13143 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13144         return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13145  }
13146  
13147 -static struct dma_map_ops swiotlb_dma_ops = {
13148 +static const struct dma_map_ops swiotlb_dma_ops = {
13149         .mapping_error = swiotlb_dma_mapping_error,
13150         .alloc_coherent = x86_swiotlb_alloc_coherent,
13151         .free_coherent = swiotlb_free_coherent,
13152 diff -urNp linux-2.6.35.5/arch/x86/kernel/process_32.c linux-2.6.35.5/arch/x86/kernel/process_32.c
13153 --- linux-2.6.35.5/arch/x86/kernel/process_32.c 2010-08-26 19:47:12.000000000 -0400
13154 +++ linux-2.6.35.5/arch/x86/kernel/process_32.c 2010-09-17 20:12:09.000000000 -0400
13155 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13156  unsigned long thread_saved_pc(struct task_struct *tsk)
13157  {
13158         return ((unsigned long *)tsk->thread.sp)[3];
13159 +//XXX  return tsk->thread.eip;
13160  }
13161  
13162  #ifndef CONFIG_SMP
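Review bot: The added line `//XXX  return tsk->thread.eip;` in thread_saved_pc is commented-out code placed after the live `return`, with an unresolved XXX marker and no explanation of what is being questioned. Either drop it or replace it with a real comment stating the open issue, for example whether the saved stack slot at index 3 is still the right source for the saved pc under this patch. As it stands the next maintainer cannot tell whether the active return is known to be wrong.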
13163 @@ -126,7 +127,7 @@ void __show_regs(struct pt_regs *regs, i
13164         unsigned long sp;
13165         unsigned short ss, gs;
13166  
13167 -       if (user_mode_vm(regs)) {
13168 +       if (user_mode(regs)) {
13169                 sp = regs->sp;
13170                 ss = regs->ss & 0xffff;
13171                 gs = get_user_gs(regs);
13172 @@ -196,7 +197,7 @@ int copy_thread(unsigned long clone_flag
13173         struct task_struct *tsk;
13174         int err;
13175  
13176 -       childregs = task_pt_regs(p);
13177 +       childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13178         *childregs = *regs;
13179         childregs->ax = 0;
13180         childregs->sp = sp;
13181 @@ -230,6 +231,7 @@ int copy_thread(unsigned long clone_flag
13182          * Set a new TLS for the child thread?
13183          */
13184         if (clone_flags & CLONE_SETTLS)
13185 +//XXX needs set_fs()?
13186                 err = do_set_thread_area(p, -1,
13187                         (struct user_desc __user *)childregs->si, 0);
13188  
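Review bot: The `//XXX needs set_fs()?` marker in copy_thread leaves an open question on a path that casts `childregs->si` to a `__user` pointer and hands it to do_set_thread_area. That question should be answered before this ships, because the UDEREF hunk further down in __switch_to shows that the address limit is tracked per task in this patch. The comment also sits between the `if (clone_flags & CLONE_SETTLS)` and its single-statement body, which makes the control flow easy to misread. Move it above the `if` and brace the body. copy_thread starts and ends outside this hunk.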
13189 @@ -293,7 +295,7 @@ __switch_to(struct task_struct *prev_p, 
13190         struct thread_struct *prev = &prev_p->thread,
13191                                  *next = &next_p->thread;
13192         int cpu = smp_processor_id();
13193 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
13194 +       struct tss_struct *tss = init_tss + cpu;
13195         bool preload_fpu;
13196  
13197         /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13198 @@ -328,6 +330,11 @@ __switch_to(struct task_struct *prev_p, 
13199          */
13200         lazy_save_gs(prev->gs);
13201  
13202 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13203 +       if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13204 +               __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13205 +#endif
13206 +
13207         /*
13208          * Load the per-thread Thread-Local Storage descriptor.
13209          */
13210 @@ -404,3 +411,27 @@ unsigned long get_wchan(struct task_stru
13211         return 0;
13212  }
13213  
13214 +#ifdef CONFIG_PAX_RANDKSTACK
13215 +asmlinkage void pax_randomize_kstack(void)
13216 +{
13217 +       struct thread_struct *thread = &current->thread;
13218 +       unsigned long time;
13219 +
13220 +       if (!randomize_va_space)
13221 +               return;
13222 +
13223 +       rdtscl(time);
13224 +
13225 +       /* P4 seems to return a 0 LSB, ignore it */
13226 +#ifdef CONFIG_MPENTIUM4
13227 +       time &= 0x1EUL;
13228 +       time <<= 2;
13229 +#else
13230 +       time &= 0xFUL;
13231 +       time <<= 3;
13232 +#endif
13233 +
13234 +       thread->sp0 ^= time;
13235 +       load_sp0(init_tss + smp_processor_id(), thread);
13236 +}
13237 +#endif
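Review bot: pax_randomize_kstack takes its whole offset from the low bits of the timestamp counter: after masking, only four bits remain in either branch. The counter is normally readable from user mode, so the resulting stack shift is low-entropy and may be partly predictable to the process it is meant to protect against. At minimum the function should say so, e.g. `/* 4 bits of TSC-derived jitter; not a cryptographic source */`. If the call path can afford it, mixing in output from the kernel's random pool would be stronger. The masks `0x1EUL`/`0xFUL` and the shifts would also read better as named constants, and the local named `time` is easy to confuse with a wall-clock value.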
13238 diff -urNp linux-2.6.35.5/arch/x86/kernel/process_64.c linux-2.6.35.5/arch/x86/kernel/process_64.c
13239 --- linux-2.6.35.5/arch/x86/kernel/process_64.c 2010-08-26 19:47:12.000000000 -0400
13240 +++ linux-2.6.35.5/arch/x86/kernel/process_64.c 2010-09-17 20:12:09.000000000 -0400
13241 @@ -87,7 +87,7 @@ static void __exit_idle(void)
13242  void exit_idle(void)
13243  {
13244         /* idle loop has pid 0 */
13245 -       if (current->pid)
13246 +       if (task_pid_nr(current))
13247                 return;
13248         __exit_idle();
13249  }
13250 @@ -375,7 +375,7 @@ __switch_to(struct task_struct *prev_p, 
13251         struct thread_struct *prev = &prev_p->thread;
13252         struct thread_struct *next = &next_p->thread;
13253         int cpu = smp_processor_id();
13254 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
13255 +       struct tss_struct *tss = init_tss + cpu;
13256         unsigned fsindex, gsindex;
13257         bool preload_fpu;
13258  
13259 @@ -528,12 +528,11 @@ unsigned long get_wchan(struct task_stru
13260         if (!p || p == current || p->state == TASK_RUNNING)
13261                 return 0;
13262         stack = (unsigned long)task_stack_page(p);
13263 -       if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13264 +       if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13265                 return 0;
13266         fp = *(u64 *)(p->thread.sp);
13267         do {
13268 -               if (fp < (unsigned long)stack ||
13269 -                   fp >= (unsigned long)stack+THREAD_SIZE)
13270 +               if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13271                         return 0;
13272                 ip = *(u64 *)(fp+8);
13273                 if (!in_sched_functions(ip))
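Review bot: The new upper bound `stack+THREAD_SIZE-8-sizeof(u64)` appears twice and mixes a bare `8` with `sizeof(u64)` without saying what either stands for. From the reads visible here, the `8` is the offset in `*(u64 *)(fp+8)` and `sizeof(u64)` is the width of that load, so the bound is the highest `fp` whose return-address slot still lies inside the stack area. For the `p->thread.sp` test, which only reads `*(u64 *)(p->thread.sp)`, the bound is 8 bytes stricter than required, which is harmless. A comment above the first test, `/* highest frame pointer for which the u64 at fp+8 is still inside the stack */`, would make the intent checkable. The loop body continues past the end of this hunk.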
13274 diff -urNp linux-2.6.35.5/arch/x86/kernel/process.c linux-2.6.35.5/arch/x86/kernel/process.c
13275 --- linux-2.6.35.5/arch/x86/kernel/process.c    2010-08-26 19:47:12.000000000 -0400
13276 +++ linux-2.6.35.5/arch/x86/kernel/process.c    2010-09-17 20:12:09.000000000 -0400
13277 @@ -73,7 +73,7 @@ void exit_thread(void)
13278         unsigned long *bp = t->io_bitmap_ptr;
13279  
13280         if (bp) {
13281 -               struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13282 +               struct tss_struct *tss = init_tss + get_cpu();
13283  
13284                 t->io_bitmap_ptr = NULL;
13285                 clear_thread_flag(TIF_IO_BITMAP);
13286 @@ -117,6 +117,9 @@ void flush_thread(void)
13287  {
13288         struct task_struct *tsk = current;
13289  
13290 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13291 +       loadsegment(gs, 0);
13292 +#endif
13293         flush_ptrace_hw_breakpoint(tsk);
13294         memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13295         /*
13296 @@ -279,8 +282,8 @@ int kernel_thread(int (*fn)(void *), voi
13297         regs.di = (unsigned long) arg;
13298  
13299  #ifdef CONFIG_X86_32
13300 -       regs.ds = __USER_DS;
13301 -       regs.es = __USER_DS;
13302 +       regs.ds = __KERNEL_DS;
13303 +       regs.es = __KERNEL_DS;
13304         regs.fs = __KERNEL_PERCPU;
13305         regs.gs = __KERNEL_STACK_CANARY;
13306  #else
13307 @@ -689,17 +692,3 @@ static int __init idle_setup(char *str)
13308         return 0;
13309  }
13310  early_param("idle", idle_setup);
13311 -
13312 -unsigned long arch_align_stack(unsigned long sp)
13313 -{
13314 -       if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13315 -               sp -= get_random_int() % 8192;
13316 -       return sp & ~0xf;
13317 -}
13318 -
13319 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13320 -{
13321 -       unsigned long range_end = mm->brk + 0x02000000;
13322 -       return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13323 -}
13324 -
13325 diff -urNp linux-2.6.35.5/arch/x86/kernel/ptrace.c linux-2.6.35.5/arch/x86/kernel/ptrace.c
13326 --- linux-2.6.35.5/arch/x86/kernel/ptrace.c     2010-08-26 19:47:12.000000000 -0400
13327 +++ linux-2.6.35.5/arch/x86/kernel/ptrace.c     2010-09-17 20:12:09.000000000 -0400
13328 @@ -804,7 +804,7 @@ static const struct user_regset_view use
13329  long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13330  {
13331         int ret;
13332 -       unsigned long __user *datap = (unsigned long __user *)data;
13333 +       unsigned long __user *datap = (__force unsigned long __user *)data;
13334  
13335         switch (request) {
13336         /* read the word at location addr in the USER area. */
13337 @@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
13338                 if (addr < 0)
13339                         return -EIO;
13340                 ret = do_get_thread_area(child, addr,
13341 -                                        (struct user_desc __user *) data);
13342 +                                        (__force struct user_desc __user *) data);
13343                 break;
13344  
13345         case PTRACE_SET_THREAD_AREA:
13346                 if (addr < 0)
13347                         return -EIO;
13348                 ret = do_set_thread_area(child, addr,
13349 -                                        (struct user_desc __user *) data, 0);
13350 +                                        (__force struct user_desc __user *) data, 0);
13351                 break;
13352  #endif
13353  
13354 @@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
13355         memset(info, 0, sizeof(*info));
13356         info->si_signo = SIGTRAP;
13357         info->si_code = si_code;
13358 -       info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13359 +       info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13360  }
13361  
13362  void user_single_step_siginfo(struct task_struct *tsk,
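Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `fill_sigtrap_info` reads as dropping the vm86 case unless `user_mode()` is redefined elsewhere in this patch. The signal.c hunk that turns `user_mode(regs)` into `user_mode_novm(regs)` in `do_signal` suggests the helpers were redefined, but nothing at this call site says so. A short comment such as `/* user_mode() is the vm86-aware test in this tree; the CS-only test is user_mode_novm() */` would help, once confirmed against the header that defines them.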
13363 diff -urNp linux-2.6.35.5/arch/x86/kernel/reboot.c linux-2.6.35.5/arch/x86/kernel/reboot.c
13364 --- linux-2.6.35.5/arch/x86/kernel/reboot.c     2010-08-26 19:47:12.000000000 -0400
13365 +++ linux-2.6.35.5/arch/x86/kernel/reboot.c     2010-09-17 20:12:09.000000000 -0400
13366 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13367  EXPORT_SYMBOL(pm_power_off);
13368  
13369  static const struct desc_ptr no_idt = {};
13370 -static int reboot_mode;
13371 +static unsigned short reboot_mode;
13372  enum reboot_type reboot_type = BOOT_KBD;
13373  int reboot_force;
13374  
13375 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13376                         DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13377                 },
13378         },
13379 -       { }
13380 +       { NULL, NULL, {{0, {0}}}, NULL}
13381  };
13382  
13383  static int __init reboot_init(void)
13384 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13385     controller to pulse the CPU reset line, which is more thorough, but
13386     doesn't work with at least one type of 486 motherboard.  It is easy
13387     to stop this code working; hence the copious comments. */
13388 -static const unsigned long long
13389 -real_mode_gdt_entries [3] =
13390 +static struct desc_struct
13391 +real_mode_gdt_entries [3] __read_only =
13392  {
13393 -       0x0000000000000000ULL,  /* Null descriptor */
13394 -       0x00009b000000ffffULL,  /* 16-bit real-mode 64k code at 0x00000000 */
13395 -       0x000093000100ffffULL   /* 16-bit real-mode 64k data at 0x00000100 */
13396 +       GDT_ENTRY_INIT(0, 0, 0),                /* Null descriptor */
13397 +       GDT_ENTRY_INIT(0x9b, 0, 0xffff),        /* 16-bit real-mode 64k code at 0x00000000 */
13398 +       GDT_ENTRY_INIT(0x93, 0x100, 0xffff)     /* 16-bit real-mode 64k data at 0x00000100 */
13399  };
13400  
13401  static const struct desc_ptr
13402 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios 
13403   * specified by the code and length parameters.
13404   * We assume that length will aways be less that 100!
13405   */
13406 -void machine_real_restart(const unsigned char *code, int length)
13407 +void machine_real_restart(const unsigned char *code, unsigned int length)
13408  {
13409         local_irq_disable();
13410  
13411 @@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
13412         /* Remap the kernel at virtual address zero, as well as offset zero
13413            from the kernel segment.  This assumes the kernel segment starts at
13414            virtual address PAGE_OFFSET. */
13415 -       memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13416 -               sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13417 +       clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13418 +                       min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13419  
13420         /*
13421          * Use `swapper_pg_dir' as our page directory.
13422 @@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
13423            boot)".  This seems like a fairly standard thing that gets set by
13424            REBOOT.COM programs, and the previous reset routine did this
13425            too. */
13426 -       *((unsigned short *)0x472) = reboot_mode;
13427 +       *(unsigned short *)(__va(0x472)) = reboot_mode;
13428  
13429         /* For the switch to real mode, copy some code to low memory.  It has
13430            to be in the first 64k because it is running in 16-bit mode, and it
13431            has to have the same physical and virtual address, because it turns
13432            off paging.  Copy it near the end of the first page, out of the way
13433            of BIOS variables. */
13434 -       memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13435 -               real_mode_switch, sizeof (real_mode_switch));
13436 -       memcpy((void *)(0x1000 - 100), code, length);
13437 +       memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13438 +       memcpy(__va(0x1000 - 100), code, length);
13439  
13440         /* Set up the IDT for real mode. */
13441         load_idt(&real_mode_idt);
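Review bot: `memcpy(__va(0x1000 - 100), code, length);` still copies a caller-supplied `length` into the 100 bytes reserved at the end of the first page with no check. The only protection is the header comment in the earlier hunk, "We assume that length will aways be less that 100!". Making `length` an `unsigned int` removes the negative case, but a value above 100 would still write past `0x1000`. A guard before the copy, for example `BUG_ON(length > 100);`, turns the assumption into an enforced limit, and naming the `100` once would keep the two `memcpy` destinations and the check in step. `machine_real_restart` starts and ends outside this hunk.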
13442 diff -urNp linux-2.6.35.5/arch/x86/kernel/setup.c linux-2.6.35.5/arch/x86/kernel/setup.c
13443 --- linux-2.6.35.5/arch/x86/kernel/setup.c      2010-08-26 19:47:12.000000000 -0400
13444 +++ linux-2.6.35.5/arch/x86/kernel/setup.c      2010-09-17 20:12:09.000000000 -0400
13445 @@ -704,7 +704,7 @@ static void __init trim_bios_range(void)
13446          * area (640->1Mb) as ram even though it is not.
13447          * take them out.
13448          */
13449 -       e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13450 +       e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13451         sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13452  }
13453  
13454 @@ -791,14 +791,14 @@ void __init setup_arch(char **cmdline_p)
13455  
13456         if (!boot_params.hdr.root_flags)
13457                 root_mountflags &= ~MS_RDONLY;
13458 -       init_mm.start_code = (unsigned long) _text;
13459 -       init_mm.end_code = (unsigned long) _etext;
13460 +       init_mm.start_code = ktla_ktva((unsigned long) _text);
13461 +       init_mm.end_code = ktla_ktva((unsigned long) _etext);
13462         init_mm.end_data = (unsigned long) _edata;
13463         init_mm.brk = _brk_end;
13464  
13465 -       code_resource.start = virt_to_phys(_text);
13466 -       code_resource.end = virt_to_phys(_etext)-1;
13467 -       data_resource.start = virt_to_phys(_etext);
13468 +       code_resource.start = virt_to_phys(ktla_ktva(_text));
13469 +       code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13470 +       data_resource.start = virt_to_phys(_sdata);
13471         data_resource.end = virt_to_phys(_edata)-1;
13472         bss_resource.start = virt_to_phys(&__bss_start);
13473         bss_resource.end = virt_to_phys(&__bss_stop)-1;
13474 diff -urNp linux-2.6.35.5/arch/x86/kernel/setup_percpu.c linux-2.6.35.5/arch/x86/kernel/setup_percpu.c
13475 --- linux-2.6.35.5/arch/x86/kernel/setup_percpu.c       2010-08-26 19:47:12.000000000 -0400
13476 +++ linux-2.6.35.5/arch/x86/kernel/setup_percpu.c       2010-09-17 20:12:09.000000000 -0400
13477 @@ -21,19 +21,17 @@
13478  #include <asm/cpu.h>
13479  #include <asm/stackprotector.h>
13480  
13481 +#ifdef CONFIG_SMP
13482  DEFINE_PER_CPU(int, cpu_number);
13483  EXPORT_PER_CPU_SYMBOL(cpu_number);
13484 +#endif
13485  
13486 -#ifdef CONFIG_X86_64
13487  #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13488 -#else
13489 -#define BOOT_PERCPU_OFFSET 0
13490 -#endif
13491  
13492  DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13493  EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13494  
13495 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13496 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13497         [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13498  };
13499  EXPORT_SYMBOL(__per_cpu_offset);
13500 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
13501  {
13502  #ifdef CONFIG_X86_32
13503         struct desc_struct gdt;
13504 +       unsigned long base = per_cpu_offset(cpu);
13505  
13506 -       pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13507 -                       0x2 | DESCTYPE_S, 0x8);
13508 -       gdt.s = 1;
13509 +       pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13510 +                       0x83 | DESCTYPE_S, 0xC);
13511         write_gdt_entry(get_cpu_gdt_table(cpu),
13512                         GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
13513  #endif
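Review bot: The new `pack_descriptor` arguments are bare numbers, and this change narrows the per-CPU segment, so a reader has to decode `0x83 | DESCTYPE_S` and `0xC` by hand. As I read the descriptor layout, this is a present, writable, accessed data segment with page granularity and 32-bit default size, and its limit now ends at `VMALLOC_END` instead of covering the full `0xFFFFF` pages. The removed `gdt.s = 1;` looks covered by `DESCTYPE_S`, which was already passed before. I would add `/* present r/w data, 4K granular, 32-bit; limit stops at VMALLOC_END so %fs-relative accesses cannot reach beyond it */` above the call, after checking it against `pack_descriptor`'s definition.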
13514 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
13515         /* alrighty, percpu areas up and running */
13516         delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13517         for_each_possible_cpu(cpu) {
13518 +#ifdef CONFIG_CC_STACKPROTECTOR
13519 +#ifdef CONFIG_x86_32
13520 +               unsigned long canary = per_cpu(stack_canary, cpu);
13521 +#endif
13522 +#endif
13523                 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13524                 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13525                 per_cpu(cpu_number, cpu) = cpu;
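Review bot: `#ifdef CONFIG_x86_32` is spelled with a lower-case `x`, while the other guards visible in this patch use `CONFIG_X86_32` (for instance in `setup_percpu_segment` just above). Preprocessor symbols are case-sensitive, so the `canary` save here would presumably never be compiled. The same applies to the restore in the following hunk, `per_cpu(stack_canary, cpu) = canary;`. If the intent is to carry the boot CPU's stack canary across the switch to the new per-CPU area, both guards should read `#ifdef CONFIG_X86_32`. The nested pair could also be folded into `#if defined(CONFIG_CC_STACKPROTECTOR) && defined(CONFIG_X86_32)`.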
13526 @@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
13527                 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13528  #endif
13529  #endif
13530 +#ifdef CONFIG_CC_STACKPROTECTOR
13531 +#ifdef CONFIG_x86_32
13532 +               if (cpu == boot_cpu_id)
13533 +                       per_cpu(stack_canary, cpu) = canary;
13534 +#endif
13535 +#endif
13536                 /*
13537                  * Up to this point, the boot CPU has been using .init.data
13538                  * area.  Reload any changed state for the boot CPU.
13539 diff -urNp linux-2.6.35.5/arch/x86/kernel/signal.c linux-2.6.35.5/arch/x86/kernel/signal.c
13540 --- linux-2.6.35.5/arch/x86/kernel/signal.c     2010-08-26 19:47:12.000000000 -0400
13541 +++ linux-2.6.35.5/arch/x86/kernel/signal.c     2010-09-17 20:12:09.000000000 -0400
13542 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13543          * Align the stack pointer according to the i386 ABI,
13544          * i.e. so that on function entry ((sp + 4) & 15) == 0.
13545          */
13546 -       sp = ((sp + 4) & -16ul) - 4;
13547 +       sp = ((sp - 12) & -16ul) - 4;
13548  #else /* !CONFIG_X86_32 */
13549         sp = round_down(sp, 16) - 8;
13550  #endif
13551 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13552          * Return an always-bogus address instead so we will die with SIGSEGV.
13553          */
13554         if (onsigstack && !likely(on_sig_stack(sp)))
13555 -               return (void __user *)-1L;
13556 +               return (__force void __user *)-1L;
13557  
13558         /* save i387 state */
13559         if (used_math() && save_i387_xstate(*fpstate) < 0)
13560 -               return (void __user *)-1L;
13561 +               return (__force void __user *)-1L;
13562  
13563         return (void __user *)sp;
13564  }
13565 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13566         }
13567  
13568         if (current->mm->context.vdso)
13569 -               restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13570 +               restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13571         else
13572 -               restorer = &frame->retcode;
13573 +               restorer = (void __user *)&frame->retcode;
13574         if (ka->sa.sa_flags & SA_RESTORER)
13575                 restorer = ka->sa.sa_restorer;
13576  
13577 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13578          * reasons and because gdb uses it as a signature to notice
13579          * signal handler stack frames.
13580          */
13581 -       err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13582 +       err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13583  
13584         if (err)
13585                 return -EFAULT;
13586 @@ -378,7 +378,7 @@ static int __setup_rt_frame(int sig, str
13587                 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13588  
13589                 /* Set up to return from userspace.  */
13590 -               restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13591 +               restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13592                 if (ka->sa.sa_flags & SA_RESTORER)
13593                         restorer = ka->sa.sa_restorer;
13594                 put_user_ex(restorer, &frame->pretcode);
13595 @@ -390,7 +390,7 @@ static int __setup_rt_frame(int sig, str
13596                  * reasons and because gdb uses it as a signature to notice
13597                  * signal handler stack frames.
13598                  */
13599 -               put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13600 +               put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13601         } put_user_catch(err);
13602  
13603         if (err)
13604 @@ -780,7 +780,7 @@ static void do_signal(struct pt_regs *re
13605          * X86_32: vm86 regs switched out by assembly code before reaching
13606          * here, so testing against kernel CS suffices.
13607          */
13608 -       if (!user_mode(regs))
13609 +       if (!user_mode_novm(regs))
13610                 return;
13611  
13612         if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13613 diff -urNp linux-2.6.35.5/arch/x86/kernel/smpboot.c linux-2.6.35.5/arch/x86/kernel/smpboot.c
13614 --- linux-2.6.35.5/arch/x86/kernel/smpboot.c    2010-08-26 19:47:12.000000000 -0400
13615 +++ linux-2.6.35.5/arch/x86/kernel/smpboot.c    2010-09-17 20:12:09.000000000 -0400
13616 @@ -780,7 +780,11 @@ do_rest:
13617                 (unsigned long)task_stack_page(c_idle.idle) -
13618                 KERNEL_STACK_OFFSET + THREAD_SIZE;
13619  #endif
13620 +
13621 +       pax_open_kernel();
13622         early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13623 +       pax_close_kernel();
13624 +
13625         initial_code = (unsigned long)start_secondary;
13626         stack_start.sp = (void *) c_idle.idle->thread.sp;
13627  
13628 @@ -920,6 +924,12 @@ int __cpuinit native_cpu_up(unsigned int
13629  
13630         per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13631  
13632 +#ifdef CONFIG_PAX_PER_CPU_PGD
13633 +       clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13634 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13635 +                       KERNEL_PGD_PTRS);
13636 +#endif
13637 +
13638  #ifdef CONFIG_X86_32
13639         /* init low mem mapping */
13640         clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13641 diff -urNp linux-2.6.35.5/arch/x86/kernel/step.c linux-2.6.35.5/arch/x86/kernel/step.c
13642 --- linux-2.6.35.5/arch/x86/kernel/step.c       2010-08-26 19:47:12.000000000 -0400
13643 +++ linux-2.6.35.5/arch/x86/kernel/step.c       2010-09-17 20:12:09.000000000 -0400
13644 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13645                 struct desc_struct *desc;
13646                 unsigned long base;
13647  
13648 -               seg &= ~7UL;
13649 +               seg >>= 3;
13650  
13651                 mutex_lock(&child->mm->context.lock);
13652 -               if (unlikely((seg >> 3) >= child->mm->context.size))
13653 +               if (unlikely(seg >= child->mm->context.size))
13654                         addr = -1L; /* bogus selector, access would fault */
13655                 else {
13656                         desc = child->mm->context.ldt + seg;
13657 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
13658         unsigned char opcode[15];
13659         unsigned long addr = convert_ip_to_linear(child, regs);
13660  
13661 +       if (addr == -EINVAL)
13662 +               return 0;
13663 +
13664         copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
13665         for (i = 0; i < copied; i++) {
13666                 switch (opcode[i]) {
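Review bot: The added `if (addr == -EINVAL)` does not match the failure value visible in the previous hunk, where `convert_ip_to_linear` sets `addr = -1L` for a bogus selector. Unless a path outside these hunks returns `-EINVAL`, the early return never fires and `access_process_vm` is still called with the sentinel address. Testing the same sentinel, `if (addr == -1UL)` followed by `return 0;`, or giving both sites one named constant, would keep producer and consumer in agreement. Both functions extend beyond the lines shown here.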
13667 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
13668  
13669  #ifdef CONFIG_X86_64
13670                 case 0x40 ... 0x4f:
13671 -                       if (regs->cs != __USER_CS)
13672 +                       if ((regs->cs & 0xffff) != __USER_CS)
13673                                 /* 32-bit mode: register increment */
13674                                 return 0;
13675                         /* 64-bit mode: REX prefix */
13676 diff -urNp linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S
13677 --- linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S   2010-08-26 19:47:12.000000000 -0400
13678 +++ linux-2.6.35.5/arch/x86/kernel/syscall_table_32.S   2010-09-17 20:12:09.000000000 -0400
13679 @@ -1,3 +1,4 @@
13680 +.section .rodata,"a",@progbits
13681  ENTRY(sys_call_table)
13682         .long sys_restart_syscall       /* 0 - old "setup()" system call, used for restarting */
13683         .long sys_exit
13684 diff -urNp linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c
13685 --- linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c        2010-08-26 19:47:12.000000000 -0400
13686 +++ linux-2.6.35.5/arch/x86/kernel/sys_i386_32.c        2010-09-17 20:12:09.000000000 -0400
13687 @@ -24,6 +24,224 @@
13688  
13689  #include <asm/syscalls.h>
13690  
13691 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
13692 +{
13693 +       unsigned long pax_task_size = TASK_SIZE;
13694 +
13695 +#ifdef CONFIG_PAX_SEGMEXEC
13696 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13697 +               pax_task_size = SEGMEXEC_TASK_SIZE;
13698 +#endif
13699 +
13700 +       if (len > pax_task_size || addr > pax_task_size - len)
13701 +               return -EINVAL;
13702 +
13703 +       return 0;
13704 +}
13705 +
13706 +unsigned long
13707 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
13708 +               unsigned long len, unsigned long pgoff, unsigned long flags)
13709 +{
13710 +       struct mm_struct *mm = current->mm;
13711 +       struct vm_area_struct *vma;
13712 +       unsigned long start_addr, pax_task_size = TASK_SIZE;
13713 +
13714 +#ifdef CONFIG_PAX_SEGMEXEC
13715 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
13716 +               pax_task_size = SEGMEXEC_TASK_SIZE;
13717 +#endif
13718 +
13719 +       if (len > pax_task_size)
13720 +               return -ENOMEM;
13721 +
13722 +       if (flags & MAP_FIXED)
13723 +               return addr;
13724 +
13725 +#ifdef CONFIG_PAX_RANDMMAP
13726 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13727 +#endif
13728 +
13729 +       if (addr) {
13730 +               addr = PAGE_ALIGN(addr);
13731 +               if (pax_task_size - len >= addr) {
13732 +                       vma = find_vma(mm, addr);
13733 +                       if (check_heap_stack_gap(vma, addr, len))
13734 +                               return addr;
13735 +               }
13736 +       }
13737 +       if (len > mm->cached_hole_size) {
13738 +               start_addr = addr = mm->free_area_cache;
13739 +       } else {
13740 +               start_addr = addr = mm->mmap_base;
13741 +               mm->cached_hole_size = 0;
13742 +       }
13743 +
13744 +#ifdef CONFIG_PAX_PAGEEXEC
13745 +       if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
13746 +               start_addr = 0x00110000UL;
13747 +
13748 +#ifdef CONFIG_PAX_RANDMMAP
13749 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
13750 +                       start_addr += mm->delta_mmap & 0x03FFF000UL;
13751 +#endif
13752 +
13753 +               if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
13754 +                       start_addr = addr = mm->mmap_base;
13755 +               else
13756 +                       addr = start_addr;
13757 +       }
13758 +#endif
13759 +
13760 +full_search:
13761 +       for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
13762 +               /* At this point:  (!vma || addr < vma->vm_end). */
13763 +               if (pax_task_size - len < addr) {
13764 +                       /*
13765 +                        * Start a new search - just in case we missed
13766 +                        * some holes.
13767 +                        */
13768 +                       if (start_addr != mm->mmap_base) {
13769 +                               start_addr = addr = mm->mmap_base;
13770 +                               mm->cached_hole_size = 0;
13771 +                               goto full_search;
13772 +                       }
13773 +                       return -ENOMEM;
13774 +               }
13775 +               if (check_heap_stack_gap(vma, addr, len))
13776 +                       break;
13777 +               if (addr + mm->cached_hole_size < vma->vm_start)
13778 +                       mm->cached_hole_size = vma->vm_start - addr;
13779 +               addr = vma->vm_end;
13780 +               if (mm->start_brk <= addr && addr < mm->mmap_base) {
13781 +                       start_addr = addr = mm->mmap_base;
13782 +                       mm->cached_hole_size = 0;
13783 +                       goto full_search;
13784 +               }
13785 +       }
13786 +
13787 +       /*
13788 +        * Remember the place where we stopped the search:
13789 +        */
13790 +       mm->free_area_cache = addr + len;
13791 +       return addr;
13792 +}
13793 +
13794 +unsigned long
13795 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
13796 +                         const unsigned long len, const unsigned long pgoff,
13797 +                         const unsigned long flags)
13798 +{
13799 +       struct vm_area_struct *vma;
13800 +       struct mm_struct *mm = current->mm;
13801 +       unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
13802 +
13803 +#ifdef CONFIG_PAX_SEGMEXEC
13804 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
13805 +               pax_task_size = SEGMEXEC_TASK_SIZE;
13806 +#endif
13807 +
13808 +       /* requested length too big for entire address space */
13809 +       if (len > pax_task_size)
13810 +               return -ENOMEM;
13811 +
13812 +       if (flags & MAP_FIXED)
13813 +               return addr;
13814 +
13815 +#ifdef CONFIG_PAX_PAGEEXEC
13816 +       if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
13817 +               goto bottomup;
13818 +#endif
13819 +
13820 +#ifdef CONFIG_PAX_RANDMMAP
13821 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13822 +#endif
13823 +
13824 +       /* requesting a specific address */
13825 +       if (addr) {
13826 +               addr = PAGE_ALIGN(addr);
13827 +               if (pax_task_size - len >= addr) {
13828 +                       vma = find_vma(mm, addr);
13829 +                       if (check_heap_stack_gap(vma, addr, len))
13830 +                               return addr;
13831 +               }
13832 +       }
13833 +
13834 +       /* check if free_area_cache is useful for us */
13835 +       if (len <= mm->cached_hole_size) {
13836 +               mm->cached_hole_size = 0;
13837 +               mm->free_area_cache = mm->mmap_base;
13838 +       }
13839 +
13840 +       /* either no address requested or can't fit in requested address hole */
13841 +       addr = mm->free_area_cache;
13842 +
13843 +       /* make sure it can fit in the remaining address space */
13844 +       if (addr > len) {
13845 +               vma = find_vma(mm, addr-len);
13846 +               if (check_heap_stack_gap(vma, addr - len, len))
13847 +                       /* remember the address as a hint for next time */
13848 +                       return (mm->free_area_cache = addr-len);
13849 +       }
13850 +
13851 +       if (mm->mmap_base < len)
13852 +               goto bottomup;
13853 +
13854 +       addr = mm->mmap_base-len;
13855 +
13856 +       do {
13857 +               /*
13858 +                * Lookup failure means no vma is above this address,
13859 +                * else if new region fits below vma->vm_start,
13860 +                * return with success:
13861 +                */
13862 +               vma = find_vma(mm, addr);
13863 +               if (check_heap_stack_gap(vma, addr, len))
13864 +                       /* remember the address as a hint for next time */
13865 +                       return (mm->free_area_cache = addr);
13866 +
13867 +               /* remember the largest hole we saw so far */
13868 +               if (addr + mm->cached_hole_size < vma->vm_start)
13869 +                       mm->cached_hole_size = vma->vm_start - addr;
13870 +
13871 +               /* try just below the current vma->vm_start */
13872 +               addr = vma->vm_start-len;
13873 +       } while (len < vma->vm_start);
13874 +
13875 +bottomup:
13876 +       /*
13877 +        * A failed mmap() very likely causes application failure,
13878 +        * so fall back to the bottom-up function here. This scenario
13879 +        * can happen with large stack limits and large mmap()
13880 +        * allocations.
13881 +        */
13882 +
13883 +#ifdef CONFIG_PAX_SEGMEXEC
13884 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
13885 +               mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
13886 +       else
13887 +#endif
13888 +
13889 +       mm->mmap_base = TASK_UNMAPPED_BASE;
13890 +
13891 +#ifdef CONFIG_PAX_RANDMMAP
13892 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
13893 +               mm->mmap_base += mm->delta_mmap;
13894 +#endif
13895 +
13896 +       mm->free_area_cache = mm->mmap_base;
13897 +       mm->cached_hole_size = ~0UL;
13898 +       addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
13899 +       /*
13900 +        * Restore the topdown base:
13901 +        */
13902 +       mm->mmap_base = base;
13903 +       mm->free_area_cache = base;
13904 +       mm->cached_hole_size = ~0UL;
13905 +
13906 +       return addr;
13907 +}
13908 +
13909  /*
13910   * Do a system call from kernel instead of calling sys_execve so we
13911   * end up with proper pt_regs.
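Review bot: In both added functions the `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` inside `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own. It silently governs the `if (addr) {` block that follows after a blank line and, in the topdown variant, after a comment. Any statement later inserted between `#endif` and `if (addr)` would change behaviour only in RANDMMAP builds. The same shape is used for the `else` before `mm->mmap_base = TASK_UNMAPPED_BASE;` and in the sys_x86_64.c hunks at -69 and -141. I would remove the blank line and add `/* when RANDMMAP is active for this mm the address hint below is skipped */` directly above each `#ifdef`.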
13912 diff -urNp linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c
13913 --- linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c 2010-08-26 19:47:12.000000000 -0400
13914 +++ linux-2.6.35.5/arch/x86/kernel/sys_x86_64.c 2010-09-17 20:12:09.000000000 -0400
13915 @@ -32,8 +32,8 @@ out:
13916         return error;
13917  }
13918  
13919 -static void find_start_end(unsigned long flags, unsigned long *begin,
13920 -                          unsigned long *end)
13921 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
13922 +                          unsigned long *begin, unsigned long *end)
13923  {
13924         if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
13925                 unsigned long new_begin;
13926 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
13927                                 *begin = new_begin;
13928                 }
13929         } else {
13930 -               *begin = TASK_UNMAPPED_BASE;
13931 +               *begin = mm->mmap_base;
13932                 *end = TASK_SIZE;
13933         }
13934  }
13935 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
13936         if (flags & MAP_FIXED)
13937                 return addr;
13938  
13939 -       find_start_end(flags, &begin, &end);
13940 +       find_start_end(mm, flags, &begin, &end);
13941  
13942         if (len > end)
13943                 return -ENOMEM;
13944  
13945 +#ifdef CONFIG_PAX_RANDMMAP
13946 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13947 +#endif
13948 +
13949         if (addr) {
13950                 addr = PAGE_ALIGN(addr);
13951                 vma = find_vma(mm, addr);
13952 -               if (end - len >= addr &&
13953 -                   (!vma || addr + len <= vma->vm_start))
13954 +               if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
13955                         return addr;
13956         }
13957         if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
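Review bot: The added `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` has no body of its own and guards the following `if (addr) {` block only by adjacency, across the `#endif` and a blank line. A statement inserted between them would silently change what is guarded. The same construct is added to arch_get_unmapped_area_topdown (@@ -141,12 +144,15). Both sites should carry a comment such as `/* RANDMMAP: the caller's address hint is ignored, fall through to the search */`; that reading of the intent is inferred from the flag name, not shown in the hunk. arch_get_unmapped_area starts and ends outside this hunk.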
13958 @@ -106,7 +109,7 @@ full_search:
13959                         }
13960                         return -ENOMEM;
13961                 }
13962 -               if (!vma || addr + len <= vma->vm_start) {
13963 +               if (check_heap_stack_gap(vma, addr, len)) {
13964                         /*
13965                          * Remember the place where we stopped the search:
13966                          */
13967 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
13968  {
13969         struct vm_area_struct *vma;
13970         struct mm_struct *mm = current->mm;
13971 -       unsigned long addr = addr0;
13972 +       unsigned long base = mm->mmap_base, addr = addr0;
13973  
13974         /* requested length too big for entire address space */
13975         if (len > TASK_SIZE)
13976 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
13977         if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
13978                 goto bottomup;
13979  
13980 +#ifdef CONFIG_PAX_RANDMMAP
13981 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
13982 +#endif
13983 +
13984         /* requesting a specific address */
13985         if (addr) {
13986                 addr = PAGE_ALIGN(addr);
13987                 vma = find_vma(mm, addr);
13988 -               if (TASK_SIZE - len >= addr &&
13989 -                               (!vma || addr + len <= vma->vm_start))
13990 +               if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
13991                         return addr;
13992         }
13993  
13994 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
13995         /* make sure it can fit in the remaining address space */
13996         if (addr > len) {
13997                 vma = find_vma(mm, addr-len);
13998 -               if (!vma || addr <= vma->vm_start)
13999 +               if (check_heap_stack_gap(vma, addr - len, len))
14000                         /* remember the address as a hint for next time */
14001                         return mm->free_area_cache = addr-len;
14002         }
14003 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14004                  * return with success:
14005                  */
14006                 vma = find_vma(mm, addr);
14007 -               if (!vma || addr+len <= vma->vm_start)
14008 +               if (check_heap_stack_gap(vma, addr, len))
14009                         /* remember the address as a hint for next time */
14010                         return mm->free_area_cache = addr;
14011  
14012 @@ -198,13 +204,21 @@ bottomup:
14013          * can happen with large stack limits and large mmap()
14014          * allocations.
14015          */
14016 +       mm->mmap_base = TASK_UNMAPPED_BASE;
14017 +
14018 +#ifdef CONFIG_PAX_RANDMMAP
14019 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
14020 +               mm->mmap_base += mm->delta_mmap;
14021 +#endif
14022 +
14023 +       mm->free_area_cache = mm->mmap_base;
14024         mm->cached_hole_size = ~0UL;
14025 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
14026         addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14027         /*
14028          * Restore the topdown base:
14029          */
14030 -       mm->free_area_cache = mm->mmap_base;
14031 +       mm->mmap_base = base;
14032 +       mm->free_area_cache = base;
14033         mm->cached_hole_size = ~0UL;
14034  
14035         return addr;
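Review bot: The bottom-up fallback now overwrites `mm->mmap_base` for the duration of the `arch_get_unmapped_area()` call and restores it from `base` afterwards, which is only safe if nothing else can read `mm->mmap_base` in between. The overwrite uses `TASK_UNMAPPED_BASE`, plus `mm->delta_mmap` under RANDMMAP. The hunk does not show what serialises this; presumably the caller holds `mmap_sem` for writing. State that above the assignment, e.g. `/* caller holds mmap_sem for write: mmap_base is switched only for this fallback search */`. The function starts outside the hunk.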
14036 diff -urNp linux-2.6.35.5/arch/x86/kernel/time.c linux-2.6.35.5/arch/x86/kernel/time.c
14037 --- linux-2.6.35.5/arch/x86/kernel/time.c       2010-08-26 19:47:12.000000000 -0400
14038 +++ linux-2.6.35.5/arch/x86/kernel/time.c       2010-09-17 20:12:09.000000000 -0400
14039 @@ -26,17 +26,13 @@
14040  int timer_ack;
14041  #endif
14042  
14043 -#ifdef CONFIG_X86_64
14044 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14045 -#endif
14046 -
14047  unsigned long profile_pc(struct pt_regs *regs)
14048  {
14049         unsigned long pc = instruction_pointer(regs);
14050  
14051 -       if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14052 +       if (!user_mode(regs) && in_lock_functions(pc)) {
14053  #ifdef CONFIG_FRAME_POINTER
14054 -               return *(unsigned long *)(regs->bp + sizeof(long));
14055 +               return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14056  #else
14057                 unsigned long *sp =
14058                         (unsigned long *)kernel_stack_pointer(regs);
14059 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs 
14060                  * or above a saved flags. Eflags has bits 22-31 zero,
14061                  * kernel addresses don't.
14062                  */
14063 +
14064 +#ifdef CONFIG_PAX_KERNEXEC
14065 +               return ktla_ktva(sp[0]);
14066 +#else
14067                 if (sp[0] >> 22)
14068                         return sp[0];
14069                 if (sp[1] >> 22)
14070                         return sp[1];
14071  #endif
14072 +
14073 +#endif
14074         }
14075         return pc;
14076  }
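Review bot: Under `CONFIG_PAX_KERNEXEC` the new branch returns `ktla_ktva(sp[0])` without the `>> 22` test that the other branch uses to tell a return address from saved flags. In the case the comment above describes, where saved flags sit first on the stack, the profiler would receive a translated flags word instead of a caller address. If the heuristic is dropped because it cannot work with the KERNEXEC address layout, say so in a comment on the new branch. The nested conditionals are also easy to misread now; annotate the closers as `#endif /* CONFIG_PAX_KERNEXEC */` and `#endif /* CONFIG_FRAME_POINTER */`. profile_pc begins in the previous hunk.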
14077 diff -urNp linux-2.6.35.5/arch/x86/kernel/tls.c linux-2.6.35.5/arch/x86/kernel/tls.c
14078 --- linux-2.6.35.5/arch/x86/kernel/tls.c        2010-08-26 19:47:12.000000000 -0400
14079 +++ linux-2.6.35.5/arch/x86/kernel/tls.c        2010-09-17 20:12:09.000000000 -0400
14080 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14081         if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14082                 return -EINVAL;
14083  
14084 +#ifdef CONFIG_PAX_SEGMEXEC
14085 +       if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14086 +               return -EINVAL;
14087 +#endif
14088 +
14089         set_tls_desc(p, idx, &info, 1);
14090  
14091         return 0;
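Review bot: `p->mm->pax_flags` is read without checking `p->mm`, whereas the PAGEEXEC block this patch adds to do_general_protection in traps.c tests `tsk->mm &&` before touching `pax_flags`. Whether `p->mm` can be NULL on any path into do_set_thread_area is not visible here, but the guard is cheap: `if (p->mm && (p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))`. A one-line comment that code-type TLS descriptors are refused under SEGMEXEC would document the policy where it is enforced. The function starts and ends outside the hunk.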
14092 diff -urNp linux-2.6.35.5/arch/x86/kernel/trampoline_32.S linux-2.6.35.5/arch/x86/kernel/trampoline_32.S
14093 --- linux-2.6.35.5/arch/x86/kernel/trampoline_32.S      2010-08-26 19:47:12.000000000 -0400
14094 +++ linux-2.6.35.5/arch/x86/kernel/trampoline_32.S      2010-09-17 20:12:09.000000000 -0400
14095 @@ -32,6 +32,12 @@
14096  #include <asm/segment.h>
14097  #include <asm/page_types.h>
14098  
14099 +#ifdef CONFIG_PAX_KERNEXEC
14100 +#define ta(X) (X)
14101 +#else
14102 +#define ta(X) ((X) - __PAGE_OFFSET)
14103 +#endif
14104 +
14105  /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14106  __CPUINITRODATA
14107  .code16
14108 @@ -60,7 +66,7 @@ r_base = .
14109         inc     %ax             # protected mode (PE) bit
14110         lmsw    %ax             # into protected mode
14111         # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14112 -       ljmpl   $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14113 +       ljmpl   $__BOOT_CS, $ta(startup_32_smp)
14114  
14115         # These need to be in the same 64K segment as the above;
14116         # hence we don't use the boot_gdt_descr defined in head.S
14117 diff -urNp linux-2.6.35.5/arch/x86/kernel/traps.c linux-2.6.35.5/arch/x86/kernel/traps.c
14118 --- linux-2.6.35.5/arch/x86/kernel/traps.c      2010-08-26 19:47:12.000000000 -0400
14119 +++ linux-2.6.35.5/arch/x86/kernel/traps.c      2010-09-17 20:12:09.000000000 -0400
14120 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14121  
14122  /* Do we ignore FPU interrupts ? */
14123  char ignore_fpu_irq;
14124 -
14125 -/*
14126 - * The IDT has to be page-aligned to simplify the Pentium
14127 - * F0 0F bug workaround.
14128 - */
14129 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14130  #endif
14131  
14132  DECLARE_BITMAP(used_vectors, NR_VECTORS);
14133 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14134  }
14135  
14136  static void __kprobes
14137 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14138 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14139         long error_code, siginfo_t *info)
14140  {
14141         struct task_struct *tsk = current;
14142  
14143  #ifdef CONFIG_X86_32
14144 -       if (regs->flags & X86_VM_MASK) {
14145 +       if (v8086_mode(regs)) {
14146                 /*
14147                  * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14148                  * On nmi (interrupt 2), do_trap should not be called.
14149 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14150         }
14151  #endif
14152  
14153 -       if (!user_mode(regs))
14154 +       if (!user_mode_novm(regs))
14155                 goto kernel_trap;
14156  
14157  #ifdef CONFIG_X86_32
14158 @@ -150,7 +144,7 @@ trap_signal:
14159             printk_ratelimit()) {
14160                 printk(KERN_INFO
14161                        "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14162 -                      tsk->comm, tsk->pid, str,
14163 +                      tsk->comm, task_pid_nr(tsk), str,
14164                        regs->ip, regs->sp, error_code);
14165                 print_vma_addr(" in ", regs->ip);
14166                 printk("\n");
14167 @@ -167,8 +161,20 @@ kernel_trap:
14168         if (!fixup_exception(regs)) {
14169                 tsk->thread.error_code = error_code;
14170                 tsk->thread.trap_no = trapnr;
14171 +
14172 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14173 +               if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14174 +                       str = "PAX: suspicious stack segment fault";
14175 +#endif
14176 +
14177                 die(str, regs, error_code);
14178         }
14179 +
14180 +#ifdef CONFIG_PAX_REFCOUNT
14181 +       if (trapnr == 4)
14182 +               pax_report_refcount_overflow(regs);
14183 +#endif
14184 +
14185         return;
14186  
14187  #ifdef CONFIG_X86_32
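Review bot: The added checks use bare vector numbers (`trapnr == 12`, `trapnr == 4`) and open-code `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS`, which the gp_in_kernel hunk (@@ -297,6 +319,13) repeats verbatim. Comments naming the vectors (`/* 12: #SS stack-segment fault */`, `/* 4: #OF overflow */`) and one static inline helper for the CS comparison would keep the two sites from drifting apart. `pax_report_refcount_overflow(regs)` also sits after the `fixup_exception()` block, so it runs for every kernel-mode trap 4 whether or not a fixup was applied; if that is intended, a comment should say so. do_trap starts outside this hunk.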
14188 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14189         conditional_sti(regs);
14190  
14191  #ifdef CONFIG_X86_32
14192 -       if (regs->flags & X86_VM_MASK)
14193 +       if (v8086_mode(regs))
14194                 goto gp_in_vm86;
14195  #endif
14196  
14197         tsk = current;
14198 -       if (!user_mode(regs))
14199 +       if (!user_mode_novm(regs))
14200                 goto gp_in_kernel;
14201  
14202 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14203 +       if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14204 +               struct mm_struct *mm = tsk->mm;
14205 +               unsigned long limit;
14206 +
14207 +               down_write(&mm->mmap_sem);
14208 +               limit = mm->context.user_cs_limit;
14209 +               if (limit < TASK_SIZE) {
14210 +                       track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14211 +                       up_write(&mm->mmap_sem);
14212 +                       return;
14213 +               }
14214 +               up_write(&mm->mmap_sem);
14215 +       }
14216 +#endif
14217 +
14218         tsk->thread.error_code = error_code;
14219         tsk->thread.trap_no = 13;
14220  
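Review bot: The PAGEEXEC block returns straight after `track_exec_limit()`, so the faulting instruction is re-executed. Nothing visible here shows that the call always raises `mm->context.user_cs_limit` to `TASK_SIZE`, and if it does not, the task would take the same fault again. A comment should state that guarantee, e.g. `/* CS limit now covers TASK_SIZE; return to retry the faulting instruction */`. It is also worth noting that the `down_write(&mm->mmap_sem)` is reached only after `conditional_sti(regs)` and the `user_mode_novm()` test, i.e. for user-mode faults. The function begins and ends outside the hunk.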
14221 @@ -297,6 +319,13 @@ gp_in_kernel:
14222         if (notify_die(DIE_GPF, "general protection fault", regs,
14223                                 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14224                 return;
14225 +
14226 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14227 +       if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14228 +               die("PAX: suspicious general protection fault", regs, error_code);
14229 +       else
14230 +#endif
14231 +
14232         die("general protection fault", regs, error_code);
14233  }
14234  
14235 @@ -565,7 +594,7 @@ dotraplinkage void __kprobes do_debug(st
14236         /* It's safe to allow irq's after DR6 has been saved */
14237         preempt_conditional_sti(regs);
14238  
14239 -       if (regs->flags & X86_VM_MASK) {
14240 +       if (v8086_mode(regs)) {
14241                 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14242                                 error_code, 1);
14243                 return;
14244 @@ -578,7 +607,7 @@ dotraplinkage void __kprobes do_debug(st
14245          * We already checked v86 mode above, so we can check for kernel mode
14246          * by just checking the CPL of CS.
14247          */
14248 -       if ((dr6 & DR_STEP) && !user_mode(regs)) {
14249 +       if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14250                 tsk->thread.debugreg6 &= ~DR_STEP;
14251                 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14252                 regs->flags &= ~X86_EFLAGS_TF;
14253 @@ -607,7 +636,7 @@ void math_error(struct pt_regs *regs, in
14254                 return;
14255         conditional_sti(regs);
14256  
14257 -       if (!user_mode_vm(regs))
14258 +       if (!user_mode(regs))
14259         {
14260                 if (!fixup_exception(regs)) {
14261                         task->thread.error_code = error_code;
14262 diff -urNp linux-2.6.35.5/arch/x86/kernel/tsc.c linux-2.6.35.5/arch/x86/kernel/tsc.c
14263 --- linux-2.6.35.5/arch/x86/kernel/tsc.c        2010-09-20 17:33:09.000000000 -0400
14264 +++ linux-2.6.35.5/arch/x86/kernel/tsc.c        2010-09-20 17:33:32.000000000 -0400
14265 @@ -833,7 +833,7 @@ static struct dmi_system_id __initdata b
14266                         DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14267                 },
14268         },
14269 -       {}
14270 +       { NULL, NULL, {{0, {0}}}, NULL}
14271  };
14272  
14273  static void __init check_system_tsc_reliable(void)
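Review bot: The new terminator `{ NULL, NULL, {{0, {0}}}, NULL}` is a positional initializer, so it is tied to the current member order and nesting of `struct dmi_system_id`. A later change to that struct would turn it into a warning or a silent mis-initialisation. If the explicit form is only there to avoid a missing-initializer warning on `{}`, a designated terminator such as `{ .ident = NULL }` zero-fills the remaining members without depending on layout. The array definition begins outside the hunk.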
14274 diff -urNp linux-2.6.35.5/arch/x86/kernel/vm86_32.c linux-2.6.35.5/arch/x86/kernel/vm86_32.c
14275 --- linux-2.6.35.5/arch/x86/kernel/vm86_32.c    2010-08-26 19:47:12.000000000 -0400
14276 +++ linux-2.6.35.5/arch/x86/kernel/vm86_32.c    2010-09-17 20:12:37.000000000 -0400
14277 @@ -41,6 +41,7 @@
14278  #include <linux/ptrace.h>
14279  #include <linux/audit.h>
14280  #include <linux/stddef.h>
14281 +#include <linux/grsecurity.h>
14282  
14283  #include <asm/uaccess.h>
14284  #include <asm/io.h>
14285 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14286                 do_exit(SIGSEGV);
14287         }
14288  
14289 -       tss = &per_cpu(init_tss, get_cpu());
14290 +       tss = init_tss + get_cpu();
14291         current->thread.sp0 = current->thread.saved_sp0;
14292         current->thread.sysenter_cs = __KERNEL_CS;
14293         load_sp0(tss, &current->thread);
14294 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14295         struct task_struct *tsk;
14296         int tmp, ret = -EPERM;
14297  
14298 +#ifdef CONFIG_GRKERNSEC_VM86
14299 +       if (!capable(CAP_SYS_RAWIO)) {
14300 +               gr_handle_vm86();
14301 +               goto out;
14302 +       }
14303 +#endif
14304 +
14305         tsk = current;
14306         if (tsk->thread.saved_sp0)
14307                 goto out;
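Review bot: In sys_vm86old the denial path does `goto out` and relies on the `ret = -EPERM` initialiser in the declaration, while the matching block added to sys_vm86 (@@ -237,6 +245,14) sets `ret = -EPERM;` explicitly. Setting it explicitly here too keeps the capability check correct if the initialiser is ever changed: add `ret = -EPERM;` before `goto out;`. A short comment that `CONFIG_GRKERNSEC_VM86` limits vm86 entry to tasks with `CAP_SYS_RAWIO` would document the policy at the point of enforcement. Both functions continue outside their hunks.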
14308 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14309         int tmp, ret;
14310         struct vm86plus_struct __user *v86;
14311  
14312 +#ifdef CONFIG_GRKERNSEC_VM86
14313 +       if (!capable(CAP_SYS_RAWIO)) {
14314 +               gr_handle_vm86();
14315 +               ret = -EPERM;
14316 +               goto out;
14317 +       }
14318 +#endif
14319 +
14320         tsk = current;
14321         switch (cmd) {
14322         case VM86_REQUEST_IRQ:
14323 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14324         tsk->thread.saved_fs = info->regs32->fs;
14325         tsk->thread.saved_gs = get_user_gs(info->regs32);
14326  
14327 -       tss = &per_cpu(init_tss, get_cpu());
14328 +       tss = init_tss + get_cpu();
14329         tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14330         if (cpu_has_sep)
14331                 tsk->thread.sysenter_cs = 0;
14332 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14333                 goto cannot_handle;
14334         if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14335                 goto cannot_handle;
14336 -       intr_ptr = (unsigned long __user *) (i << 2);
14337 +       intr_ptr = (__force unsigned long __user *) (i << 2);
14338         if (get_user(segoffs, intr_ptr))
14339                 goto cannot_handle;
14340         if ((segoffs >> 16) == BIOSSEG)
14341 diff -urNp linux-2.6.35.5/arch/x86/kernel/vmi_32.c linux-2.6.35.5/arch/x86/kernel/vmi_32.c
14342 --- linux-2.6.35.5/arch/x86/kernel/vmi_32.c     2010-08-26 19:47:12.000000000 -0400
14343 +++ linux-2.6.35.5/arch/x86/kernel/vmi_32.c     2010-09-17 20:12:09.000000000 -0400
14344 @@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1))) 
14345  typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14346  
14347  #define call_vrom_func(rom,func) \
14348 -   (((VROMFUNC *)(rom->func))())
14349 +   (((VROMFUNC *)(ktva_ktla(rom.func)))())
14350  
14351  #define call_vrom_long_func(rom,func,arg) \
14352 -   (((VROMLONGFUNC *)(rom->func)) (arg))
14353 +({\
14354 +       u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14355 +       struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14356 +       __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14357 +       __reloc;\
14358 +})
14359  
14360 -static struct vrom_header *vmi_rom;
14361 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14362  static int disable_pge;
14363  static int disable_pse;
14364  static int disable_sep;
14365 @@ -78,10 +83,10 @@ static struct {
14366         void (*set_initial_ap_state)(int, int);
14367         void (*halt)(void);
14368         void (*set_lazy_mode)(int mode);
14369 -} vmi_ops;
14370 +} vmi_ops __read_only;
14371  
14372  /* Cached VMI operations */
14373 -struct vmi_timer_ops vmi_timer_ops;
14374 +struct vmi_timer_ops vmi_timer_ops __read_only;
14375  
14376  /*
14377   * VMI patching routines.
14378 @@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
14379  static inline void patch_offset(void *insnbuf,
14380                                 unsigned long ip, unsigned long dest)
14381  {
14382 -        *(unsigned long *)(insnbuf+1) = dest-ip-5;
14383 +       *(unsigned long *)(insnbuf+1) = dest-ip-5;
14384  }
14385  
14386  static unsigned patch_internal(int call, unsigned len, void *insnbuf,
14387 @@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
14388  {
14389         u64 reloc;
14390         struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
14391 +
14392         reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14393         switch(rel->type) {
14394                 case VMI_RELOCATION_CALL_REL:
14395 @@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
14396  
14397  static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
14398  {
14399 -       const pte_t pte = { .pte = 0 };
14400 +       const pte_t pte = __pte(0ULL);
14401         vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
14402  }
14403  
14404  static void vmi_pmd_clear(pmd_t *pmd)
14405  {
14406 -       const pte_t pte = { .pte = 0 };
14407 +       const pte_t pte = __pte(0ULL);
14408         vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
14409  }
14410  #endif
14411 @@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
14412         ap.ss = __KERNEL_DS;
14413         ap.esp = (unsigned long) start_esp;
14414  
14415 -       ap.ds = __USER_DS;
14416 -       ap.es = __USER_DS;
14417 +       ap.ds = __KERNEL_DS;
14418 +       ap.es = __KERNEL_DS;
14419         ap.fs = __KERNEL_PERCPU;
14420         ap.gs = __KERNEL_STACK_CANARY;
14421  
14422 @@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
14423         paravirt_leave_lazy_mmu();
14424  }
14425  
14426 +#ifdef CONFIG_PAX_KERNEXEC
14427 +static unsigned long vmi_pax_open_kernel(void)
14428 +{
14429 +       return 0;
14430 +}
14431 +
14432 +static unsigned long vmi_pax_close_kernel(void)
14433 +{
14434 +       return 0;
14435 +}
14436 +#endif
14437 +
14438  static inline int __init check_vmi_rom(struct vrom_header *rom)
14439  {
14440         struct pci_header *pci;
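Review bot: `vmi_pax_open_kernel()` and `vmi_pax_close_kernel()` only return 0, and the activate_vmi hunk (@@ -816,6 +838,11) installs them in `pv_mmu_ops`, so under VMI the KERNEXEC open/close pair appears to change nothing. This file also now marks `vmi_ops` and `vmi_timer_ops` as `__read_only`, so a reader needs to know whether write protection is not toggled for VMI guests or is handled elsewhere; the hunk does not say. Add a comment above the stubs stating which, e.g. `/* VMI: nothing to toggle here; <reason> */`.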
14441 @@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
14442                 return 0;
14443         if (rom->vrom_signature != VMI_SIGNATURE)
14444                 return 0;
14445 +       if (rom->rom_length * 512 > sizeof(*rom)) {
14446 +               printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
14447 +               return 0;
14448 +       }
14449         if (rom->api_version_maj != VMI_API_REV_MAJOR ||
14450             rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
14451                 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
14452 @@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
14453                 struct vrom_header *romstart;
14454                 romstart = (struct vrom_header *)isa_bus_to_virt(base);
14455                 if (check_vmi_rom(romstart)) {
14456 -                       vmi_rom = romstart;
14457 +                       vmi_rom = *romstart;
14458                         return 1;
14459                 }
14460         }
14461 @@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
14462  
14463         para_fill(pv_irq_ops.safe_halt, Halt);
14464  
14465 +#ifdef CONFIG_PAX_KERNEXEC
14466 +       pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
14467 +       pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
14468 +#endif
14469 +
14470         /*
14471          * Alternative instruction rewriting doesn't happen soon enough
14472          * to convert VMI_IRET to a call instead of a jump; so we have
14473 @@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
14474  
14475  void __init vmi_init(void)
14476  {
14477 -       if (!vmi_rom)
14478 +       if (!vmi_rom.rom_signature)
14479                 probe_vmi_rom();
14480         else
14481 -               check_vmi_rom(vmi_rom);
14482 +               check_vmi_rom(&vmi_rom);
14483  
14484         /* In case probing for or validating the ROM failed, basil */
14485 -       if (!vmi_rom)
14486 +       if (!vmi_rom.rom_signature)
14487                 return;
14488  
14489 -       reserve_top_address(-vmi_rom->virtual_top);
14490 +       reserve_top_address(-vmi_rom.virtual_top);
14491  
14492  #ifdef CONFIG_X86_IO_APIC
14493         /* This is virtual hardware; timer routing is wired correctly */
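Review bot: The result of `check_vmi_rom(&vmi_rom)` is discarded and the test that follows looks only at `vmi_rom.rom_signature`. A pre-populated ROM image that fails validation, including the new `rom_length` bound added in check_vmi_rom, therefore still reaches `reserve_top_address()`. With the ROM now held by value there is no pointer to clear, so the failure has to be acted on directly: `else if (!check_vmi_rom(&vmi_rom)) return;`. vmi_activate (@@ -854,7 +881,7) uses the same signature-only test. vmi_init continues past the end of the hunk.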
14494 @@ -854,7 +881,7 @@ void __init vmi_activate(void)
14495  {
14496         unsigned long flags;
14497  
14498 -       if (!vmi_rom)
14499 +       if (!vmi_rom.rom_signature)
14500                 return;
14501  
14502         local_irq_save(flags);
14503 diff -urNp linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S
14504 --- linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S        2010-08-26 19:47:12.000000000 -0400
14505 +++ linux-2.6.35.5/arch/x86/kernel/vmlinux.lds.S        2010-09-17 20:12:09.000000000 -0400
14506 @@ -26,6 +26,13 @@
14507  #include <asm/page_types.h>
14508  #include <asm/cache.h>
14509  #include <asm/boot.h>
14510 +#include <asm/segment.h>
14511 +
14512 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14513 +#define __KERNEL_TEXT_OFFSET   (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14514 +#else
14515 +#define __KERNEL_TEXT_OFFSET   0
14516 +#endif
14517  
14518  #undef i386     /* in case the preprocessor is a 32bit one */
14519  
14520 @@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14521  #ifdef CONFIG_X86_32
14522  OUTPUT_ARCH(i386)
14523  ENTRY(phys_startup_32)
14524 -jiffies = jiffies_64;
14525  #else
14526  OUTPUT_ARCH(i386:x86-64)
14527  ENTRY(phys_startup_64)
14528 -jiffies_64 = jiffies;
14529  #endif
14530  
14531 +jiffies = jiffies_64;
14532 +
14533  #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14534  /*
14535   * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
14536 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
14537  
14538  PHDRS {
14539         text PT_LOAD FLAGS(5);          /* R_E */
14540 -       data PT_LOAD FLAGS(7);          /* RWE */
14541 +#ifdef CONFIG_X86_32
14542 +       module PT_LOAD FLAGS(5);        /* R_E */
14543 +#endif
14544 +#ifdef CONFIG_XEN
14545 +       rodata PT_LOAD FLAGS(5);        /* R_E */
14546 +#else
14547 +       rodata PT_LOAD FLAGS(4);        /* R__ */
14548 +#endif
14549 +       data PT_LOAD FLAGS(6);          /* RW_ */
14550  #ifdef CONFIG_X86_64
14551         user PT_LOAD FLAGS(5);          /* R_E */
14552 +#endif
14553 +       init.begin PT_LOAD FLAGS(6);    /* RW_ */
14554  #ifdef CONFIG_SMP
14555         percpu PT_LOAD FLAGS(6);        /* RW_ */
14556  #endif
14557 +       text.init PT_LOAD FLAGS(5);     /* R_E */
14558 +       text.exit PT_LOAD FLAGS(5);     /* R_E */
14559         init PT_LOAD FLAGS(7);          /* RWE */
14560 -#endif
14561         note PT_NOTE FLAGS(0);          /* ___ */
14562  }
14563  
14564  SECTIONS
14565  {
14566  #ifdef CONFIG_X86_32
14567 -        . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14568 -        phys_startup_32 = startup_32 - LOAD_OFFSET;
14569 +       . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14570  #else
14571 -        . = __START_KERNEL;
14572 -        phys_startup_64 = startup_64 - LOAD_OFFSET;
14573 +       . = __START_KERNEL;
14574  #endif
14575  
14576         /* Text and read-only data */
14577 -       .text :  AT(ADDR(.text) - LOAD_OFFSET) {
14578 -               _text = .;
14579 +       .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14580                 /* bootstrapping code */
14581 +#ifdef CONFIG_X86_32
14582 +               phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14583 +#else
14584 +               phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14585 +#endif
14586 +               __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14587 +               _text = .;
14588                 HEAD_TEXT
14589  #ifdef CONFIG_X86_32
14590                 . = ALIGN(PAGE_SIZE);
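Review bot: In the PHDRS table the `init` segment is left at `FLAGS(7)` (RWE) and `rodata` becomes `FLAGS(5)` (R_E) under `CONFIG_XEN`, with no comment on either. The rest of the change splits the old RWE `data` segment into `rodata` (R__) and `data` (RW_) and adds `text.init`/`text.exit` (R_E). A later hunk assigns `INIT_DATA_SECTION(16)` to `:init`, which suggests that segment may no longer need the execute bit. If so, `init PT_LOAD FLAGS(6); /* RW_ */` would match the rest of the table; if not, a comment should name what still has to be executable there. The Xen exception deserves the same one-line explanation. SECTIONS continues outside the hunk.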
14591 @@ -108,13 +130,50 @@ SECTIONS
14592                 IRQENTRY_TEXT
14593                 *(.fixup)
14594                 *(.gnu.warning)
14595 -               /* End of text section */
14596 -               _etext = .;
14597         } :text = 0x9090
14598  
14599 -       NOTES :text :note
14600 +       . += __KERNEL_TEXT_OFFSET;
14601 +
14602 +#ifdef CONFIG_X86_32
14603 +       . = ALIGN(PAGE_SIZE);
14604 +       .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
14605 +               *(.vmi.rom)
14606 +       } :module
14607 +
14608 +       . = ALIGN(PAGE_SIZE);
14609 +       .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14610 +
14611 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14612 +               MODULES_EXEC_VADDR = .;
14613 +               BYTE(0)
14614 +               . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14615 +               . = ALIGN(HPAGE_SIZE);
14616 +               MODULES_EXEC_END = . - 1;
14617 +#endif
14618 +
14619 +       } :module
14620 +#endif
14621 +
14622 +       .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14623 +               /* End of text section */
14624 +               _etext = . - __KERNEL_TEXT_OFFSET;
14625 +       }
14626 +
14627 +#ifdef CONFIG_X86_32
14628 +       . = ALIGN(PAGE_SIZE);
14629 +       .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14630 +               *(.idt)
14631 +               . = ALIGN(PAGE_SIZE);
14632 +               *(.empty_zero_page)
14633 +               *(.swapper_pg_pmd)
14634 +               *(.swapper_pg_dir)
14635 +       } :rodata
14636 +#endif
14637 +
14638 +       . = ALIGN(PAGE_SIZE);
14639 +       NOTES :rodata :note
14640  
14641 -       EXCEPTION_TABLE(16) :text = 0x9090
14642 +       EXCEPTION_TABLE(16) :rodata
14643  
14644         X64_ALIGN_DEBUG_RODATA_BEGIN
14645         RO_DATA(PAGE_SIZE)
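Review bot: `BYTE(0)` in `.module.text` has no comment, and the same is true of the one added to `.init.begin` (@@ -215,12 +272,19). It looks like it is there so the output section is not empty and the linker emits it, but a reader cannot tell from the script. If that is the reason, write `BYTE(0) /* keep the section non-empty so it is emitted */` at both sites. The reservation `CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024` would also read better with a note that the option is given in MiB.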
14646 @@ -122,16 +181,20 @@ SECTIONS
14647  
14648         /* Data */
14649         .data : AT(ADDR(.data) - LOAD_OFFSET) {
14650 +
14651 +#ifdef CONFIG_PAX_KERNEXEC
14652 +       . = ALIGN(HPAGE_SIZE);
14653 +#else
14654 +       . = ALIGN(PAGE_SIZE);
14655 +#endif
14656 +
14657                 /* Start of data section */
14658                 _sdata = .;
14659  
14660                 /* init_task */
14661                 INIT_TASK_DATA(THREAD_SIZE)
14662  
14663 -#ifdef CONFIG_X86_32
14664 -               /* 32 bit has nosave before _edata */
14665                 NOSAVE_DATA
14666 -#endif
14667  
14668                 PAGE_ALIGNED_DATA(PAGE_SIZE)
14669  
14670 @@ -194,12 +257,6 @@ SECTIONS
14671         }
14672         vgetcpu_mode = VVIRT(.vgetcpu_mode);
14673  
14674 -       . = ALIGN(L1_CACHE_BYTES);
14675 -       .jiffies : AT(VLOAD(.jiffies)) {
14676 -               *(.jiffies)
14677 -       }
14678 -       jiffies = VVIRT(.jiffies);
14679 -
14680         .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14681                 *(.vsyscall_3)
14682         }
14683 @@ -215,12 +272,19 @@ SECTIONS
14684  #endif /* CONFIG_X86_64 */
14685  
14686         /* Init code and data - will be freed after init */
14687 -       . = ALIGN(PAGE_SIZE);
14688         .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14689 +               BYTE(0)
14690 +
14691 +#ifdef CONFIG_PAX_KERNEXEC
14692 +               . = ALIGN(HPAGE_SIZE);
14693 +#else
14694 +               . = ALIGN(PAGE_SIZE);
14695 +#endif
14696 +
14697                 __init_begin = .; /* paired with __init_end */
14698 -       }
14699 +       } :init.begin
14700  
14701 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14702 +#ifdef CONFIG_SMP
14703         /*
14704          * percpu offsets are zero-based on SMP.  PERCPU_VADDR() changes the
14705          * output PHDR, so the next output section - .init.text - should
14706 @@ -229,12 +293,27 @@ SECTIONS
14707         PERCPU_VADDR(0, :percpu)
14708  #endif
14709  
14710 -       INIT_TEXT_SECTION(PAGE_SIZE)
14711 -#ifdef CONFIG_X86_64
14712 -       :init
14713 -#endif
14714 +       . = ALIGN(PAGE_SIZE);
14715 +       init_begin = .;
14716 +       .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14717 +               VMLINUX_SYMBOL(_sinittext) = .;
14718 +               INIT_TEXT
14719 +               VMLINUX_SYMBOL(_einittext) = .;
14720 +               . = ALIGN(PAGE_SIZE);
14721 +       } :text.init
14722 +
14723 +       /*
14724 +        * .exit.text is discard at runtime, not link time, to deal with
14725 +        *  references from .altinstructions and .eh_frame
14726 +        */
14727 +       .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14728 +               EXIT_TEXT
14729 +               . = ALIGN(16);
14730 +       } :text.exit
14731 +       . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14732  
14733 -       INIT_DATA_SECTION(16)
14734 +       . = ALIGN(PAGE_SIZE);
14735 +       INIT_DATA_SECTION(16) :init
14736  
14737         .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14738                 __x86_cpu_dev_start = .;
14739 @@ -260,19 +339,11 @@ SECTIONS
14740                 *(.altinstr_replacement)
14741         }
14742  
14743 -       /*
14744 -        * .exit.text is discard at runtime, not link time, to deal with
14745 -        *  references from .altinstructions and .eh_frame
14746 -        */
14747 -       .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14748 -               EXIT_TEXT
14749 -       }
14750 -
14751         .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14752                 EXIT_DATA
14753         }
14754  
14755 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14756 +#ifndef CONFIG_SMP
14757         PERCPU(PAGE_SIZE)
14758  #endif
14759  
14760 @@ -291,16 +362,10 @@ SECTIONS
14761         .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
14762                 __smp_locks = .;
14763                 *(.smp_locks)
14764 -               . = ALIGN(PAGE_SIZE);
14765                 __smp_locks_end = .;
14766 +               . = ALIGN(PAGE_SIZE);
14767         }
14768  
14769 -#ifdef CONFIG_X86_64
14770 -       .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
14771 -               NOSAVE_DATA
14772 -       }
14773 -#endif
14774 -
14775         /* BSS */
14776         . = ALIGN(PAGE_SIZE);
14777         .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
14778 @@ -316,6 +381,7 @@ SECTIONS
14779                 __brk_base = .;
14780                 . += 64 * 1024;         /* 64k alignment slop space */
14781                 *(.brk_reservation)     /* areas brk users have reserved */
14782 +               . = ALIGN(HPAGE_SIZE);
14783                 __brk_limit = .;
14784         }
14785  
14786 @@ -342,13 +408,12 @@ SECTIONS
14787   * for the boot processor.
14788   */
14789  #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
14790 -INIT_PER_CPU(gdt_page);
14791  INIT_PER_CPU(irq_stack_union);
14792  
14793  /*
14794   * Build-time check on the image size:
14795   */
14796 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
14797 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
14798            "kernel image bigger than KERNEL_IMAGE_SIZE");
14799  
14800  #ifdef CONFIG_SMP
14801 diff -urNp linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c
14802 --- linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c        2010-08-26 19:47:12.000000000 -0400
14803 +++ linux-2.6.35.5/arch/x86/kernel/vsyscall_64.c        2010-09-17 20:12:09.000000000 -0400
14804 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
14805  
14806         write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
14807         /* copy vsyscall data */
14808 +       strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
14809         vsyscall_gtod_data.clock.vread = clock->vread;
14810         vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
14811         vsyscall_gtod_data.clock.mask = clock->mask;
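Review bot: The `sizeof vsyscall_gtod_data.clock.name` bound on the added `strlcpy()` line is the buffer size only if `name` is declared as a char array in the gtod structure, which this hunk does not show; if it were a pointer, the copy would be limited to the pointer width. `strlcpy()` also walks all of `clock->name` to compute its return value, so the source must be NUL-terminated, and the walk happens inside the `write_seqlock_irqsave()` section. I would write the bound in the usual kernel form, `sizeof(vsyscall_gtod_data.clock.name)`, and add a one-line comment saying why the name is mirrored into the vsyscall data. update_vsyscall's body starts and ends outside the hunk.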
14812 @@ -203,7 +204,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
14813            We do this here because otherwise user space would do it on
14814            its own in a likely inferior way (no access to jiffies).
14815            If you don't like it pass NULL. */
14816 -       if (tcache && tcache->blob[0] == (j = __jiffies)) {
14817 +       if (tcache && tcache->blob[0] == (j = jiffies)) {
14818                 p = tcache->blob[1];
14819         } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
14820                 /* Load per CPU data from RDTSCP */
14821 diff -urNp linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c
14822 --- linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c     2010-08-26 19:47:12.000000000 -0400
14823 +++ linux-2.6.35.5/arch/x86/kernel/x8664_ksyms_64.c     2010-09-17 20:12:09.000000000 -0400
14824 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
14825  EXPORT_SYMBOL(copy_user_generic_string);
14826  EXPORT_SYMBOL(copy_user_generic_unrolled);
14827  EXPORT_SYMBOL(__copy_user_nocache);
14828 -EXPORT_SYMBOL(_copy_from_user);
14829 -EXPORT_SYMBOL(_copy_to_user);
14830  
14831  EXPORT_SYMBOL(copy_page);
14832  EXPORT_SYMBOL(clear_page);
14833 diff -urNp linux-2.6.35.5/arch/x86/kernel/xsave.c linux-2.6.35.5/arch/x86/kernel/xsave.c
14834 --- linux-2.6.35.5/arch/x86/kernel/xsave.c      2010-08-26 19:47:12.000000000 -0400
14835 +++ linux-2.6.35.5/arch/x86/kernel/xsave.c      2010-09-17 20:12:09.000000000 -0400
14836 @@ -54,7 +54,7 @@ int check_for_xstate(struct i387_fxsave_
14837             fx_sw_user->xstate_size > fx_sw_user->extended_size)
14838                 return -1;
14839  
14840 -       err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
14841 +       err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
14842                                             fx_sw_user->extended_size -
14843                                             FP_XSTATE_MAGIC2_SIZE));
14844         /*
14845 @@ -196,7 +196,7 @@ fx_only:
14846          * the other extended state.
14847          */
14848         xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
14849 -       return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
14850 +       return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
14851  }
14852  
14853  /*
14854 @@ -228,7 +228,7 @@ int restore_i387_xstate(void __user *buf
14855         if (use_xsave())
14856                 err = restore_user_xstate(buf);
14857         else
14858 -               err = fxrstor_checking((__force struct i387_fxsave_struct *)
14859 +               err = fxrstor_checking((struct i387_fxsave_struct __user *)
14860                                        buf);
14861         if (unlikely(err)) {
14862                 /*
14863 diff -urNp linux-2.6.35.5/arch/x86/kvm/emulate.c linux-2.6.35.5/arch/x86/kvm/emulate.c
14864 --- linux-2.6.35.5/arch/x86/kvm/emulate.c       2010-08-26 19:47:12.000000000 -0400
14865 +++ linux-2.6.35.5/arch/x86/kvm/emulate.c       2010-09-17 20:12:09.000000000 -0400
14866 @@ -88,11 +88,11 @@
14867  #define Src2CL      (1<<29)
14868  #define Src2ImmByte (2<<29)
14869  #define Src2One     (3<<29)
14870 -#define Src2Imm16   (4<<29)
14871 -#define Src2Mem16   (5<<29) /* Used for Ep encoding. First argument has to be
14872 +#define Src2Imm16   (4U<<29)
14873 +#define Src2Mem16   (5U<<29) /* Used for Ep encoding. First argument has to be
14874                                in memory and second argument is located
14875                                immediately after the first one in memory. */
14876 -#define Src2Mask    (7<<29)
14877 +#define Src2Mask    (7U<<29)
14878  
14879  enum {
14880         Group1_80, Group1_81, Group1_82, Group1_83,
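Review bot: Only the three `Src2*` values whose shift reaches bit 31 get the `U` suffix, so the group now mixes signed constants (`1<<29`, `2<<29`, `3<<29`) with unsigned ones that are masked against them. The change does remove the signed-overflow shift from `4<<29`, `5<<29` and `7<<29`. For consistency I would give the remaining three the same suffix, e.g. `#define Src2CL (1U<<29)`, so that every comparison against `Src2Mask` is done in one type. Those defines are context lines here, so that would be a follow-up to this hunk.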
14881 @@ -446,6 +446,7 @@ static u32 group2_table[] = {
14882  
14883  #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix)     \
14884         do {                                                            \
14885 +               unsigned long _tmp;                                     \
14886                 __asm__ __volatile__ (                                  \
14887                         _PRE_EFLAGS("0", "4", "2")                      \
14888                         _op _suffix " %"_x"3,%1; "                      \
14889 @@ -459,8 +460,6 @@ static u32 group2_table[] = {
14890  /* Raw emulation: instruction has two explicit operands. */
14891  #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
14892         do {                                                            \
14893 -               unsigned long _tmp;                                     \
14894 -                                                                       \
14895                 switch ((_dst).bytes) {                                 \
14896                 case 2:                                                 \
14897                         ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
14898 @@ -476,7 +475,6 @@ static u32 group2_table[] = {
14899  
14900  #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
14901         do {                                                                 \
14902 -               unsigned long _tmp;                                          \
14903                 switch ((_dst).bytes) {                                      \
14904                 case 1:                                                      \
14905                         ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b");  \
14906 diff -urNp linux-2.6.35.5/arch/x86/kvm/lapic.c linux-2.6.35.5/arch/x86/kvm/lapic.c
14907 --- linux-2.6.35.5/arch/x86/kvm/lapic.c 2010-08-26 19:47:12.000000000 -0400
14908 +++ linux-2.6.35.5/arch/x86/kvm/lapic.c 2010-09-17 20:12:09.000000000 -0400
14909 @@ -52,7 +52,7 @@
14910  #define APIC_BUS_CYCLE_NS 1
14911  
14912  /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
14913 -#define apic_debug(fmt, arg...)
14914 +#define apic_debug(fmt, arg...) do {} while (0)
14915  
14916  #define APIC_LVT_NUM                   6
14917  /* 14 is the version for Xeon and Pentium 8.4.8*/
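Review bot: With `do {} while (0)` the arguments of every `apic_debug()` call are still discarded by the preprocessor, so format/argument mismatches and stale variable names in debug calls go unnoticed until someone enables the commented-out printk variant. An expansion that keeps the call type-checked but dead, `#define apic_debug(fmt, arg...) do { if (0) printk(KERN_WARNING fmt, ##arg); } while (0)`, is equally statement-safe and keeps the format checking.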
14918 diff -urNp linux-2.6.35.5/arch/x86/kvm/svm.c linux-2.6.35.5/arch/x86/kvm/svm.c
14919 --- linux-2.6.35.5/arch/x86/kvm/svm.c   2010-08-26 19:47:12.000000000 -0400
14920 +++ linux-2.6.35.5/arch/x86/kvm/svm.c   2010-09-17 20:12:09.000000000 -0400
14921 @@ -2796,7 +2796,11 @@ static void reload_tss(struct kvm_vcpu *
14922         int cpu = raw_smp_processor_id();
14923  
14924         struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
14925 +
14926 +       pax_open_kernel();
14927         sd->tss_desc->type = 9; /* available 32/64-bit TSS */
14928 +       pax_close_kernel();
14929 +
14930         load_TR_desc();
14931  }
14932  
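Review bot: The new `pax_open_kernel()`/`pax_close_kernel()` pair around the `tss_desc->type` store has no comment saying which mapping it opens for writing, and the same pair is added around `descs[GDT_ENTRY_TSS].type = 9` in vmx.c's `reload_tss()`. Presumably the descriptor table is mapped read-only under KERNEXEC; if so, a short comment such as `/* GDT is mapped read-only; open a write window only for the TSS type reset */` would record that and discourage later edits from widening the window. It is also worth stating whether the caller guarantees that preemption is off here, since `cpu` comes from `raw_smp_processor_id()` on a context line.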
14933 @@ -3337,7 +3341,7 @@ static void svm_fpu_deactivate(struct kv
14934         update_cr0_intercept(svm);
14935  }
14936  
14937 -static struct kvm_x86_ops svm_x86_ops = {
14938 +static const struct kvm_x86_ops svm_x86_ops = {
14939         .cpu_has_kvm_support = has_svm,
14940         .disabled_by_bios = is_disabled,
14941         .hardware_setup = svm_hardware_setup,
14942 diff -urNp linux-2.6.35.5/arch/x86/kvm/vmx.c linux-2.6.35.5/arch/x86/kvm/vmx.c
14943 --- linux-2.6.35.5/arch/x86/kvm/vmx.c   2010-08-26 19:47:12.000000000 -0400
14944 +++ linux-2.6.35.5/arch/x86/kvm/vmx.c   2010-09-17 20:12:09.000000000 -0400
14945 @@ -653,7 +653,11 @@ static void reload_tss(void)
14946  
14947         native_store_gdt(&gdt);
14948         descs = (void *)gdt.address;
14949 +
14950 +       pax_open_kernel();
14951         descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
14952 +       pax_close_kernel();
14953 +
14954         load_TR_desc();
14955  }
14956  
14957 @@ -1550,8 +1554,11 @@ static __init int hardware_setup(void)
14958         if (!cpu_has_vmx_flexpriority())
14959                 flexpriority_enabled = 0;
14960  
14961 -       if (!cpu_has_vmx_tpr_shadow())
14962 -               kvm_x86_ops->update_cr8_intercept = NULL;
14963 +       if (!cpu_has_vmx_tpr_shadow()) {
14964 +               pax_open_kernel();
14965 +               *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
14966 +               pax_close_kernel();
14967 +       }
14968  
14969         if (enable_ept && !cpu_has_vmx_ept_2m_page())
14970                 kvm_disable_largepages();
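Review bot: The added store `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast into a table that this same patch declares `static const struct kvm_x86_ops vmx_x86_ops`. Modifying a const-defined object is undefined behaviour in C, and the store only succeeds because `pax_open_kernel()` lifts the write protection. It also assigns to a function-pointer member through a `void **` alias. A cleaner shape leaves the table immutable and decides at call time, e.g. the vmx callback starting with `if (!cpu_has_vmx_tpr_shadow()) return;`; any caller that tests the pointer for NULL (not visible here) would then need checking. hardware_setup's body continues outside the hunk.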
14971 @@ -2533,7 +2540,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
14972         vmcs_writel(HOST_IDTR_BASE, dt.address);   /* 22.2.4 */
14973  
14974         asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
14975 -       vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
14976 +       vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
14977         vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
14978         vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
14979         vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
14980 @@ -3909,6 +3916,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
14981                 "jmp .Lkvm_vmx_return \n\t"
14982                 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
14983                 ".Lkvm_vmx_return: "
14984 +
14985 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14986 +               "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
14987 +               ".Lkvm_vmx_return2: "
14988 +#endif
14989 +
14990                 /* Save guest registers, load host registers, keep flags */
14991                 "xchg %0,     (%%"R"sp) \n\t"
14992                 "mov %%"R"ax, %c[rax](%0) \n\t"
14993 @@ -3955,8 +3968,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
14994                 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
14995  #endif
14996                 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
14997 +
14998 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14999 +               ,[cs]"i"(__KERNEL_CS)
15000 +#endif
15001 +
15002               : "cc", "memory"
15003 -               , R"bx", R"di", R"si"
15004 +               , R"ax", R"bx", R"di", R"si"
15005  #ifdef CONFIG_X86_64
15006                 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
15007  #endif
15008 @@ -3970,7 +3988,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15009         if (vmx->rmode.irq.pending)
15010                 fixup_rmode_irq(vmx);
15011  
15012 -       asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15013 +       asm("mov %0, %%ds; mov %0, %%es" : : "r"(__KERNEL_DS));
15014         vmx->launched = 1;
15015  
15016         vmx_complete_interrupts(vmx);
15017 @@ -4191,7 +4209,7 @@ static void vmx_set_supported_cpuid(u32 
15018  {
15019  }
15020  
15021 -static struct kvm_x86_ops vmx_x86_ops = {
15022 +static const struct kvm_x86_ops vmx_x86_ops = {
15023         .cpu_has_kvm_support = cpu_has_kvm_support,
15024         .disabled_by_bios = vmx_disabled_by_bios,
15025         .hardware_setup = hardware_setup,
15026 diff -urNp linux-2.6.35.5/arch/x86/kvm/x86.c linux-2.6.35.5/arch/x86/kvm/x86.c
15027 --- linux-2.6.35.5/arch/x86/kvm/x86.c   2010-08-26 19:47:12.000000000 -0400
15028 +++ linux-2.6.35.5/arch/x86/kvm/x86.c   2010-09-17 20:12:09.000000000 -0400
15029 @@ -86,7 +86,7 @@ static void update_cr8_intercept(struct 
15030  static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15031                                     struct kvm_cpuid_entry2 __user *entries);
15032  
15033 -struct kvm_x86_ops *kvm_x86_ops;
15034 +const struct kvm_x86_ops *kvm_x86_ops;
15035  EXPORT_SYMBOL_GPL(kvm_x86_ops);
15036  
15037  int ignore_msrs = 0;
15038 @@ -112,38 +112,38 @@ static struct kvm_shared_msrs_global __r
15039  static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15040  
15041  struct kvm_stats_debugfs_item debugfs_entries[] = {
15042 -       { "pf_fixed", VCPU_STAT(pf_fixed) },
15043 -       { "pf_guest", VCPU_STAT(pf_guest) },
15044 -       { "tlb_flush", VCPU_STAT(tlb_flush) },
15045 -       { "invlpg", VCPU_STAT(invlpg) },
15046 -       { "exits", VCPU_STAT(exits) },
15047 -       { "io_exits", VCPU_STAT(io_exits) },
15048 -       { "mmio_exits", VCPU_STAT(mmio_exits) },
15049 -       { "signal_exits", VCPU_STAT(signal_exits) },
15050 -       { "irq_window", VCPU_STAT(irq_window_exits) },
15051 -       { "nmi_window", VCPU_STAT(nmi_window_exits) },
15052 -       { "halt_exits", VCPU_STAT(halt_exits) },
15053 -       { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15054 -       { "hypercalls", VCPU_STAT(hypercalls) },
15055 -       { "request_irq", VCPU_STAT(request_irq_exits) },
15056 -       { "irq_exits", VCPU_STAT(irq_exits) },
15057 -       { "host_state_reload", VCPU_STAT(host_state_reload) },
15058 -       { "efer_reload", VCPU_STAT(efer_reload) },
15059 -       { "fpu_reload", VCPU_STAT(fpu_reload) },
15060 -       { "insn_emulation", VCPU_STAT(insn_emulation) },
15061 -       { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15062 -       { "irq_injections", VCPU_STAT(irq_injections) },
15063 -       { "nmi_injections", VCPU_STAT(nmi_injections) },
15064 -       { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15065 -       { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15066 -       { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15067 -       { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15068 -       { "mmu_flooded", VM_STAT(mmu_flooded) },
15069 -       { "mmu_recycled", VM_STAT(mmu_recycled) },
15070 -       { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15071 -       { "mmu_unsync", VM_STAT(mmu_unsync) },
15072 -       { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15073 -       { "largepages", VM_STAT(lpages) },
15074 +       { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15075 +       { "pf_guest", VCPU_STAT(pf_guest), NULL },
15076 +       { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15077 +       { "invlpg", VCPU_STAT(invlpg), NULL },
15078 +       { "exits", VCPU_STAT(exits), NULL },
15079 +       { "io_exits", VCPU_STAT(io_exits), NULL },
15080 +       { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15081 +       { "signal_exits", VCPU_STAT(signal_exits), NULL },
15082 +       { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15083 +       { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15084 +       { "halt_exits", VCPU_STAT(halt_exits), NULL },
15085 +       { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15086 +       { "hypercalls", VCPU_STAT(hypercalls), NULL },
15087 +       { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15088 +       { "irq_exits", VCPU_STAT(irq_exits), NULL },
15089 +       { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15090 +       { "efer_reload", VCPU_STAT(efer_reload), NULL },
15091 +       { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15092 +       { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15093 +       { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15094 +       { "irq_injections", VCPU_STAT(irq_injections), NULL },
15095 +       { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15096 +       { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15097 +       { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15098 +       { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15099 +       { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15100 +       { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15101 +       { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15102 +       { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15103 +       { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15104 +       { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15105 +       { "largepages", VM_STAT(lpages), NULL },
15106         { NULL }
15107  };
15108  
15109 @@ -1672,6 +1672,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15110                 if (n < msr_list.nmsrs)
15111                         goto out;
15112                 r = -EFAULT;
15113 +               if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15114 +                       goto out;
15115                 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15116                                  num_msrs_to_save * sizeof(u32)))
15117                         goto out;
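Review bot: The new bound check sits after `r = -EFAULT`, so an inconsistent `num_msrs_to_save` is reported to user space as an ordinary bad-address error and leaves no trace in the kernel log. Since `num_msrs_to_save > ARRAY_SIZE(msrs_to_save)` can only mean kernel state is wrong, I would make it visible, e.g. `if (WARN_ON_ONCE(num_msrs_to_save > ARRAY_SIZE(msrs_to_save))) goto out;`. The function continues outside the hunk, so whether later copies in this ioctl path need the same guard cannot be judged from here.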
15118 @@ -2103,7 +2105,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15119  static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15120                                     struct kvm_interrupt *irq)
15121  {
15122 -       if (irq->irq < 0 || irq->irq >= 256)
15123 +       if (irq->irq >= 256)
15124                 return -EINVAL;
15125         if (irqchip_in_kernel(vcpu->kvm))
15126                 return -ENXIO;
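Review bot: Dropping `irq->irq < 0` is safe only while the `irq` member of `struct kvm_interrupt` is an unsigned type; the structure is not shown in this hunk, and nothing on the new line records that assumption. If the member were ever signed, negative values would pass the `>= 256` test. A comment such as `/* irq is unsigned, so only the upper bound needs checking */`, or an explicit `(u32)irq->irq >= 256`, keeps the range check self-evidently complete.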
15127 @@ -4070,10 +4072,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15128  }
15129  EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15130  
15131 -int kvm_arch_init(void *opaque)
15132 +int kvm_arch_init(const void *opaque)
15133  {
15134         int r;
15135 -       struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15136 +       const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15137  
15138         if (kvm_x86_ops) {
15139                 printk(KERN_ERR "kvm: already loaded the other module\n");
15140 diff -urNp linux-2.6.35.5/arch/x86/lib/checksum_32.S linux-2.6.35.5/arch/x86/lib/checksum_32.S
15141 --- linux-2.6.35.5/arch/x86/lib/checksum_32.S   2010-08-26 19:47:12.000000000 -0400
15142 +++ linux-2.6.35.5/arch/x86/lib/checksum_32.S   2010-09-17 20:12:09.000000000 -0400
15143 @@ -28,7 +28,8 @@
15144  #include <linux/linkage.h>
15145  #include <asm/dwarf2.h>
15146  #include <asm/errno.h>
15147 -                               
15148 +#include <asm/segment.h>
15149 +
15150  /*
15151   * computes a partial checksum, e.g. for TCP/UDP fragments
15152   */
15153 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15154  
15155  #define ARGBASE 16             
15156  #define FP             12
15157 -               
15158 -ENTRY(csum_partial_copy_generic)
15159 +
15160 +ENTRY(csum_partial_copy_generic_to_user)
15161         CFI_STARTPROC
15162 +       pushl $(__USER_DS)
15163 +       CFI_ADJUST_CFA_OFFSET 4
15164 +       popl %es
15165 +       CFI_ADJUST_CFA_OFFSET -4
15166 +       jmp csum_partial_copy_generic
15167 +
15168 +ENTRY(csum_partial_copy_generic_from_user)
15169 +       pushl $(__USER_DS)
15170 +       CFI_ADJUST_CFA_OFFSET 4
15171 +       popl %ds
15172 +       CFI_ADJUST_CFA_OFFSET -4
15173 +
15174 +ENTRY(csum_partial_copy_generic)
15175         subl  $4,%esp   
15176         CFI_ADJUST_CFA_OFFSET 4
15177         pushl %edi
15178 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15179         jmp 4f
15180  SRC(1: movw (%esi), %bx        )
15181         addl $2, %esi
15182 -DST(   movw %bx, (%edi)        )
15183 +DST(   movw %bx, %es:(%edi)    )
15184         addl $2, %edi
15185         addw %bx, %ax   
15186         adcl $0, %eax
15187 @@ -343,30 +357,30 @@ DST(      movw %bx, (%edi)        )
15188  SRC(1: movl (%esi), %ebx       )
15189  SRC(   movl 4(%esi), %edx      )
15190         adcl %ebx, %eax
15191 -DST(   movl %ebx, (%edi)       )
15192 +DST(   movl %ebx, %es:(%edi)   )
15193         adcl %edx, %eax
15194 -DST(   movl %edx, 4(%edi)      )
15195 +DST(   movl %edx, %es:4(%edi)  )
15196  
15197  SRC(   movl 8(%esi), %ebx      )
15198  SRC(   movl 12(%esi), %edx     )
15199         adcl %ebx, %eax
15200 -DST(   movl %ebx, 8(%edi)      )
15201 +DST(   movl %ebx, %es:8(%edi)  )
15202         adcl %edx, %eax
15203 -DST(   movl %edx, 12(%edi)     )
15204 +DST(   movl %edx, %es:12(%edi) )
15205  
15206  SRC(   movl 16(%esi), %ebx     )
15207  SRC(   movl 20(%esi), %edx     )
15208         adcl %ebx, %eax
15209 -DST(   movl %ebx, 16(%edi)     )
15210 +DST(   movl %ebx, %es:16(%edi) )
15211         adcl %edx, %eax
15212 -DST(   movl %edx, 20(%edi)     )
15213 +DST(   movl %edx, %es:20(%edi) )
15214  
15215  SRC(   movl 24(%esi), %ebx     )
15216  SRC(   movl 28(%esi), %edx     )
15217         adcl %ebx, %eax
15218 -DST(   movl %ebx, 24(%edi)     )
15219 +DST(   movl %ebx, %es:24(%edi) )
15220         adcl %edx, %eax
15221 -DST(   movl %edx, 28(%edi)     )
15222 +DST(   movl %edx, %es:28(%edi) )
15223  
15224         lea 32(%esi), %esi
15225         lea 32(%edi), %edi
15226 @@ -380,7 +394,7 @@ DST(        movl %edx, 28(%edi)     )
15227         shrl $2, %edx                   # This clears CF
15228  SRC(3: movl (%esi), %ebx       )
15229         adcl %ebx, %eax
15230 -DST(   movl %ebx, (%edi)       )
15231 +DST(   movl %ebx, %es:(%edi)   )
15232         lea 4(%esi), %esi
15233         lea 4(%edi), %edi
15234         dec %edx
15235 @@ -392,12 +406,12 @@ DST(      movl %ebx, (%edi)       )
15236         jb 5f
15237  SRC(   movw (%esi), %cx        )
15238         leal 2(%esi), %esi
15239 -DST(   movw %cx, (%edi)        )
15240 +DST(   movw %cx, %es:(%edi)    )
15241         leal 2(%edi), %edi
15242         je 6f
15243         shll $16,%ecx
15244  SRC(5: movb (%esi), %cl        )
15245 -DST(   movb %cl, (%edi)        )
15246 +DST(   movb %cl, %es:(%edi)    )
15247  6:     addl %ecx, %eax
15248         adcl $0, %eax
15249  7:
15250 @@ -408,7 +422,7 @@ DST(        movb %cl, (%edi)        )
15251  
15252  6001:
15253         movl ARGBASE+20(%esp), %ebx     # src_err_ptr
15254 -       movl $-EFAULT, (%ebx)
15255 +       movl $-EFAULT, %ss:(%ebx)
15256  
15257         # zero the complete destination - computing the rest
15258         # is too much work 
15259 @@ -421,11 +435,19 @@ DST(      movb %cl, (%edi)        )
15260  
15261  6002:
15262         movl ARGBASE+24(%esp), %ebx     # dst_err_ptr
15263 -       movl $-EFAULT,(%ebx)
15264 +       movl $-EFAULT,%ss:(%ebx)
15265         jmp 5000b
15266  
15267  .previous
15268  
15269 +       pushl %ss
15270 +       CFI_ADJUST_CFA_OFFSET 4
15271 +       popl %ds
15272 +       CFI_ADJUST_CFA_OFFSET -4
15273 +       pushl %ss
15274 +       CFI_ADJUST_CFA_OFFSET 4
15275 +       popl %es
15276 +       CFI_ADJUST_CFA_OFFSET -4
15277         popl %ebx
15278         CFI_ADJUST_CFA_OFFSET -4
15279         CFI_RESTORE ebx
15280 @@ -439,26 +461,41 @@ DST(      movb %cl, (%edi)        )
15281         CFI_ADJUST_CFA_OFFSET -4
15282         ret     
15283         CFI_ENDPROC
15284 -ENDPROC(csum_partial_copy_generic)
15285 +ENDPROC(csum_partial_copy_generic_to_user)
15286  
15287  #else
15288  
15289  /* Version for PentiumII/PPro */
15290  
15291  #define ROUND1(x) \
15292 +       nop; nop; nop;                          \
15293         SRC(movl x(%esi), %ebx  )       ;       \
15294         addl %ebx, %eax                 ;       \
15295 -       DST(movl %ebx, x(%edi)  )       ; 
15296 +       DST(movl %ebx, %es:x(%edi))     ;
15297  
15298  #define ROUND(x) \
15299 +       nop; nop; nop;                          \
15300         SRC(movl x(%esi), %ebx  )       ;       \
15301         adcl %ebx, %eax                 ;       \
15302 -       DST(movl %ebx, x(%edi)  )       ;
15303 +       DST(movl %ebx, %es:x(%edi))     ;
15304  
15305  #define ARGBASE 12
15306 -               
15307 -ENTRY(csum_partial_copy_generic)
15308 +
15309 +ENTRY(csum_partial_copy_generic_to_user)
15310         CFI_STARTPROC
15311 +       pushl $(__USER_DS)
15312 +       CFI_ADJUST_CFA_OFFSET 4
15313 +       popl %es
15314 +       CFI_ADJUST_CFA_OFFSET -4
15315 +       jmp csum_partial_copy_generic
15316 +
15317 +ENTRY(csum_partial_copy_generic_from_user)
15318 +       pushl $(__USER_DS)
15319 +       CFI_ADJUST_CFA_OFFSET 4
15320 +       popl %ds
15321 +       CFI_ADJUST_CFA_OFFSET -4
15322 +
15323 +ENTRY(csum_partial_copy_generic)
15324         pushl %ebx
15325         CFI_ADJUST_CFA_OFFSET 4
15326         CFI_REL_OFFSET ebx, 0
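Review bot: After this hunk only `csum_partial_copy_generic_to_user` gets an `ENDPROC`, while `csum_partial_copy_generic_from_user` and `csum_partial_copy_generic` are opened with `ENTRY` and never closed, in both the generic and the PentiumII/PPro variant. That leaves two of the three entry points without function type and size annotations, and the single `CFI_STARTPROC` region is opened under the `_to_user` label even though that path leaves through `jmp`. I would add `ENDPROC(csum_partial_copy_generic_from_user)` and `ENDPROC(csum_partial_copy_generic)` next to the existing one. A comment on the fall-through from `_from_user` into `csum_partial_copy_generic` would also help, since the absent `jmp` there is easy to misread as an omission.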
15327 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
15328         subl %ebx, %edi  
15329         lea  -1(%esi),%edx
15330         andl $-32,%edx
15331 -       lea 3f(%ebx,%ebx), %ebx
15332 +       lea 3f(%ebx,%ebx,2), %ebx
15333         testl %esi, %esi 
15334         jmp *%ebx
15335  1:     addl $64,%esi
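Review bot: The scale change to `lea 3f(%ebx,%ebx,2), %ebx` makes the computed `jmp *%ebx` depend on every `ROUND` expansion having one exact encoded length, which is now held together by the three `nop`s and the `%es:` prefix added to the macros in the previous hunk. Nothing checks that at build time, so a different assembler encoding or a later edit to `ROUND` would make the jump land mid-instruction without any diagnostic. A comment at the `lea` stating the assumed bytes per `ROUND`, plus an assembler-time size check on one expansion (a `.if`/`.error` pair on a label difference), would turn that into a build failure. The routine starts and ends outside this hunk.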
15336 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
15337         jb 5f
15338  SRC(   movw (%esi), %dx         )
15339         leal 2(%esi), %esi
15340 -DST(   movw %dx, (%edi)         )
15341 +DST(   movw %dx, %es:(%edi)     )
15342         leal 2(%edi), %edi
15343         je 6f
15344         shll $16,%edx
15345  5:
15346  SRC(   movb (%esi), %dl         )
15347 -DST(   movb %dl, (%edi)         )
15348 +DST(   movb %dl, %es:(%edi)     )
15349  6:     addl %edx, %eax
15350         adcl $0, %eax
15351  7:
15352  .section .fixup, "ax"
15353  6001:  movl    ARGBASE+20(%esp), %ebx  # src_err_ptr   
15354 -       movl $-EFAULT, (%ebx)
15355 +       movl $-EFAULT, %ss:(%ebx)
15356         # zero the complete destination (computing the rest is too much work)
15357         movl ARGBASE+8(%esp),%edi       # dst
15358         movl ARGBASE+12(%esp),%ecx      # len
15359 @@ -523,10 +560,18 @@ DST(      movb %dl, (%edi)         )
15360         rep; stosb
15361         jmp 7b
15362  6002:  movl ARGBASE+24(%esp), %ebx     # dst_err_ptr
15363 -       movl $-EFAULT, (%ebx)
15364 +       movl $-EFAULT, %ss:(%ebx)
15365         jmp  7b                 
15366  .previous                              
15367  
15368 +       pushl %ss
15369 +       CFI_ADJUST_CFA_OFFSET 4
15370 +       popl %ds
15371 +       CFI_ADJUST_CFA_OFFSET -4
15372 +       pushl %ss
15373 +       CFI_ADJUST_CFA_OFFSET 4
15374 +       popl %es
15375 +       CFI_ADJUST_CFA_OFFSET -4
15376         popl %esi
15377         CFI_ADJUST_CFA_OFFSET -4
15378         CFI_RESTORE esi
15379 @@ -538,7 +583,7 @@ DST(        movb %dl, (%edi)         )
15380         CFI_RESTORE ebx
15381         ret
15382         CFI_ENDPROC
15383 -ENDPROC(csum_partial_copy_generic)
15384 +ENDPROC(csum_partial_copy_generic_to_user)
15385                                 
15386  #undef ROUND
15387  #undef ROUND1          
15388 diff -urNp linux-2.6.35.5/arch/x86/lib/clear_page_64.S linux-2.6.35.5/arch/x86/lib/clear_page_64.S
15389 --- linux-2.6.35.5/arch/x86/lib/clear_page_64.S 2010-08-26 19:47:12.000000000 -0400
15390 +++ linux-2.6.35.5/arch/x86/lib/clear_page_64.S 2010-09-17 20:12:09.000000000 -0400
15391 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15392  
15393  #include <asm/cpufeature.h>
15394  
15395 -       .section .altinstr_replacement,"ax"
15396 +       .section .altinstr_replacement,"a"
15397  1:     .byte 0xeb                                      /* jmp <disp8> */
15398         .byte (clear_page_c - clear_page) - (2f - 1b)   /* offset */
15399  2:
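Review bot: Changing the `.altinstr_replacement` flags from `"ax"` to `"a"` relies on these bytes never being executed in place, only copied over the original instruction by the alternatives patching code, and the file has no comment recording that. The same flag change is made in copy_page_64.S and in the `ALTERNATIVE_JUMP` macro of copy_user_64.S. I would add one line above the directive, e.g. `/* replacement bytes are only copied by the alternatives code, never run from here, so the section need not be executable */`, so that nobody restores the `x` flag later. This is worth confirming against the vmlinux.lds.S changes earlier on this page, where `*(.altinstr_replacement)` appears as a context line.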
15400 diff -urNp linux-2.6.35.5/arch/x86/lib/copy_page_64.S linux-2.6.35.5/arch/x86/lib/copy_page_64.S
15401 --- linux-2.6.35.5/arch/x86/lib/copy_page_64.S  2010-08-26 19:47:12.000000000 -0400
15402 +++ linux-2.6.35.5/arch/x86/lib/copy_page_64.S  2010-09-17 20:12:09.000000000 -0400
15403 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15404  
15405  #include <asm/cpufeature.h>
15406  
15407 -       .section .altinstr_replacement,"ax"
15408 +       .section .altinstr_replacement,"a"
15409  1:     .byte 0xeb                                      /* jmp <disp8> */
15410         .byte (copy_page_c - copy_page) - (2f - 1b)     /* offset */
15411  2:
15412 diff -urNp linux-2.6.35.5/arch/x86/lib/copy_user_64.S linux-2.6.35.5/arch/x86/lib/copy_user_64.S
15413 --- linux-2.6.35.5/arch/x86/lib/copy_user_64.S  2010-08-26 19:47:12.000000000 -0400
15414 +++ linux-2.6.35.5/arch/x86/lib/copy_user_64.S  2010-09-17 20:12:09.000000000 -0400
15415 @@ -15,13 +15,14 @@
15416  #include <asm/asm-offsets.h>
15417  #include <asm/thread_info.h>
15418  #include <asm/cpufeature.h>
15419 +#include <asm/pgtable.h>
15420  
15421         .macro ALTERNATIVE_JUMP feature,orig,alt
15422  0:
15423         .byte 0xe9      /* 32bit jump */
15424         .long \orig-1f  /* by default jump to orig */
15425  1:
15426 -       .section .altinstr_replacement,"ax"
15427 +       .section .altinstr_replacement,"a"
15428  2:     .byte 0xe9                      /* near jump with 32bit immediate */
15429         .long \alt-1b /* offset */   /* or alternatively to alt */
15430         .previous
15431 @@ -64,37 +65,13 @@
15432  #endif
15433         .endm
15434  
15435 -/* Standard copy_to_user with segment limit checking */
15436 -ENTRY(_copy_to_user)
15437 -       CFI_STARTPROC
15438 -       GET_THREAD_INFO(%rax)
15439 -       movq %rdi,%rcx
15440 -       addq %rdx,%rcx
15441 -       jc bad_to_user
15442 -       cmpq TI_addr_limit(%rax),%rcx
15443 -       jae bad_to_user
15444 -       ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15445 -       CFI_ENDPROC
15446 -ENDPROC(_copy_to_user)
15447 -
15448 -/* Standard copy_from_user with segment limit checking */
15449 -ENTRY(_copy_from_user)
15450 -       CFI_STARTPROC
15451 -       GET_THREAD_INFO(%rax)
15452 -       movq %rsi,%rcx
15453 -       addq %rdx,%rcx
15454 -       jc bad_from_user
15455 -       cmpq TI_addr_limit(%rax),%rcx
15456 -       jae bad_from_user
15457 -       ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15458 -       CFI_ENDPROC
15459 -ENDPROC(_copy_from_user)
15460 -
15461         .section .fixup,"ax"
15462         /* must zero dest */
15463  ENTRY(bad_from_user)
15464  bad_from_user:
15465         CFI_STARTPROC
15466 +       testl %edx,%edx
15467 +       js bad_to_user
15468         movl %edx,%ecx
15469         xorl %eax,%eax
15470         rep
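Review bot: The added guard `testl %edx,%edx` / `js bad_to_user` looks only at the low 32 bits of the length, whereas the removed `_copy_from_user` did its range arithmetic on the full `%rdx`. A length whose bit 31 is clear but which has higher bits set would pass the sign test and then be truncated by the existing `movl %edx,%ecx` before the zeroing `rep`. If callers can hand in a 64-bit length, `testq %rdx,%rdx` is the matching test; if they cannot, a comment saying the length is already limited to 32 bits would close the question. The callers and the rest of `bad_from_user` are outside this hunk.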
15471 diff -urNp linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S
15472 --- linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S  2010-08-26 19:47:12.000000000 -0400
15473 +++ linux-2.6.35.5/arch/x86/lib/copy_user_nocache_64.S  2010-09-17 20:12:09.000000000 -0400
15474 @@ -14,6 +14,7 @@
15475  #include <asm/current.h>
15476  #include <asm/asm-offsets.h>
15477  #include <asm/thread_info.h>
15478 +#include <asm/pgtable.h>
15479  
15480         .macro ALIGN_DESTINATION
15481  #ifdef FIX_ALIGNMENT
15482 @@ -50,6 +51,15 @@
15483   */
15484  ENTRY(__copy_user_nocache)
15485         CFI_STARTPROC
15486 +
15487 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15488 +       mov $PAX_USER_SHADOW_BASE,%rcx
15489 +       cmp %rcx,%rsi
15490 +       jae 1f
15491 +       add %rcx,%rsi
15492 +1:
15493 +#endif
15494 +
15495         cmpl $8,%edx
15496         jb 20f          /* less then 8 bytes, go to byte copy loop */
15497         ALIGN_DESTINATION
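Review bot: The UDEREF block at the top of __copy_user_nocache overwrites %rcx with `$PAX_USER_SHADOW_BASE` before anything else runs, and nothing says the register is free at entry. If the routine takes a fourth argument (its prototype is outside this hunk), that value is lost from this point on. A comment such as `/* %rcx is scratch here; src below PAX_USER_SHADOW_BASE is rebased by it */` would make the assumption explicit. The function body continues past the end of the hunk.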
15498 diff -urNp linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c
15499 --- linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c      2010-08-26 19:47:12.000000000 -0400
15500 +++ linux-2.6.35.5/arch/x86/lib/csum-wrappers_64.c      2010-09-17 20:12:09.000000000 -0400
15501 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15502                         len -= 2;
15503                 }
15504         }
15505 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15506 +               src += PAX_USER_SHADOW_BASE;
15507         isum = csum_partial_copy_generic((__force const void *)src,
15508                                 dst, len, isum, errp, NULL);
15509         if (unlikely(*errp))
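Review bot: The rebase added before `csum_partial_copy_generic()` is compiled unconditionally, whereas the assembly hunks in this patch wrap the same adjustment in `#ifdef CONFIG_PAX_MEMORY_UDEREF`. Unless PAX_USER_SHADOW_BASE is defined as 0 when the option is off (its definition is not visible here), every user pointer would be offset on kernels built without UDEREF. Wrapping the two lines in `#ifdef CONFIG_PAX_MEMORY_UDEREF` / `#endif` removes the dependency on that definition. The same applies to the `dst` adjustment in csum_partial_copy_to_user in the next hunk, and both functions start outside their hunks.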
15510 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15511         }
15512  
15513         *errp = 0;
15514 +       if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15515 +               dst += PAX_USER_SHADOW_BASE;
15516         return csum_partial_copy_generic(src, (void __force *)dst,
15517                                          len, isum, NULL, errp);
15518  }
15519 diff -urNp linux-2.6.35.5/arch/x86/lib/getuser.S linux-2.6.35.5/arch/x86/lib/getuser.S
15520 --- linux-2.6.35.5/arch/x86/lib/getuser.S       2010-08-26 19:47:12.000000000 -0400
15521 +++ linux-2.6.35.5/arch/x86/lib/getuser.S       2010-09-17 20:12:09.000000000 -0400
15522 @@ -33,14 +33,38 @@
15523  #include <asm/asm-offsets.h>
15524  #include <asm/thread_info.h>
15525  #include <asm/asm.h>
15526 +#include <asm/segment.h>
15527 +#include <asm/pgtable.h>
15528  
15529         .text
15530  ENTRY(__get_user_1)
15531         CFI_STARTPROC
15532 +
15533 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15534 +       pushl $(__USER_DS)
15535 +       popl %ds
15536 +#else
15537         GET_THREAD_INFO(%_ASM_DX)
15538         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15539         jae bad_get_user
15540 +
15541 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15542 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15543 +       cmp %_ASM_DX,%_ASM_AX
15544 +       jae 1234f
15545 +       add %_ASM_DX,%_ASM_AX
15546 +1234:
15547 +#endif
15548 +
15549 +#endif
15550 +
15551  1:     movzb (%_ASM_AX),%edx
15552 +
15553 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15554 +       pushl %ss
15555 +       pop %ds
15556 +#endif
15557 +
15558         xor %eax,%eax
15559         ret
15560         CFI_ENDPROC
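Review bot: On 32-bit UDEREF builds the `#else` arm compiles out the `TI_addr_limit` comparison in __get_user_1, so the `%ds` reload is the only thing bounding the load. The following hunks do the same in __get_user_2 and __get_user_4, and also drop the `jc bad_get_user` carry check after `add $1` / `add $3`. Nothing in the file says so; assuming that is the intent, a comment such as `/* UDEREF/i386: the access is bounded by the __USER_DS segment, not by TI_addr_limit */` above `pushl $(__USER_DS)` would state the invariant. The putuser.S hunk follows the same scheme. The restore is spelled `pop %ds` here and `popl %ds` in putuser.S; one spelling throughout would be easier to audit.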
15561 @@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
15562  ENTRY(__get_user_2)
15563         CFI_STARTPROC
15564         add $1,%_ASM_AX
15565 +
15566 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15567 +       pushl $(__USER_DS)
15568 +       popl %ds
15569 +#else
15570         jc bad_get_user
15571         GET_THREAD_INFO(%_ASM_DX)
15572         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15573         jae bad_get_user
15574 +
15575 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15576 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15577 +       cmp %_ASM_DX,%_ASM_AX
15578 +       jae 1234f
15579 +       add %_ASM_DX,%_ASM_AX
15580 +1234:
15581 +#endif
15582 +
15583 +#endif
15584 +
15585  2:     movzwl -1(%_ASM_AX),%edx
15586 +
15587 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15588 +       pushl %ss
15589 +       pop %ds
15590 +#endif
15591 +
15592         xor %eax,%eax
15593         ret
15594         CFI_ENDPROC
15595 @@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
15596  ENTRY(__get_user_4)
15597         CFI_STARTPROC
15598         add $3,%_ASM_AX
15599 +
15600 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15601 +       pushl $(__USER_DS)
15602 +       popl %ds
15603 +#else
15604         jc bad_get_user
15605         GET_THREAD_INFO(%_ASM_DX)
15606         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15607         jae bad_get_user
15608 +
15609 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15610 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15611 +       cmp %_ASM_DX,%_ASM_AX
15612 +       jae 1234f
15613 +       add %_ASM_DX,%_ASM_AX
15614 +1234:
15615 +#endif
15616 +
15617 +#endif
15618 +
15619  3:     mov -3(%_ASM_AX),%edx
15620 +
15621 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15622 +       pushl %ss
15623 +       pop %ds
15624 +#endif
15625 +
15626         xor %eax,%eax
15627         ret
15628         CFI_ENDPROC
15629 @@ -80,6 +148,15 @@ ENTRY(__get_user_8)
15630         GET_THREAD_INFO(%_ASM_DX)
15631         cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15632         jae     bad_get_user
15633 +
15634 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15635 +       mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15636 +       cmp %_ASM_DX,%_ASM_AX
15637 +       jae 1234f
15638 +       add %_ASM_DX,%_ASM_AX
15639 +1234:
15640 +#endif
15641 +
15642  4:     movq -7(%_ASM_AX),%_ASM_DX
15643         xor %eax,%eax
15644         ret
15645 @@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
15646  
15647  bad_get_user:
15648         CFI_STARTPROC
15649 +
15650 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15651 +       pushl %ss
15652 +       pop %ds
15653 +#endif
15654 +
15655         xor %edx,%edx
15656         mov $(-EFAULT),%_ASM_AX
15657         ret
15658 diff -urNp linux-2.6.35.5/arch/x86/lib/insn.c linux-2.6.35.5/arch/x86/lib/insn.c
15659 --- linux-2.6.35.5/arch/x86/lib/insn.c  2010-08-26 19:47:12.000000000 -0400
15660 +++ linux-2.6.35.5/arch/x86/lib/insn.c  2010-09-17 20:12:09.000000000 -0400
15661 @@ -21,6 +21,7 @@
15662  #include <linux/string.h>
15663  #include <asm/inat.h>
15664  #include <asm/insn.h>
15665 +#include <asm/pgtable_types.h>
15666  
15667  #define get_next(t, insn)      \
15668         ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15669 @@ -40,8 +41,8 @@
15670  void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15671  {
15672         memset(insn, 0, sizeof(*insn));
15673 -       insn->kaddr = kaddr;
15674 -       insn->next_byte = kaddr;
15675 +       insn->kaddr = ktla_ktva(kaddr);
15676 +       insn->next_byte = ktla_ktva(kaddr);
15677         insn->x86_64 = x86_64 ? 1 : 0;
15678         insn->opnd_bytes = 4;
15679         if (x86_64)
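Review bot: insn_init() now passes every `kaddr` through `ktla_ktva()`, but the parameter is a plain `const void *` and nothing restricts callers to kernel-text addresses. ktla_ktva() is defined outside this hunk; if it is not the identity for addresses outside kernel text, a caller that decodes from a copied buffer would find `insn->kaddr` and `insn->next_byte` pointing somewhere other than the bytes it supplied. A comment on insn_init such as `/* kaddr must be a kernel text address; it is translated with ktla_ktva() */` would document the new contract, or the translation could move to the callers that pass text addresses. The function body continues past the hunk.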
15680 diff -urNp linux-2.6.35.5/arch/x86/lib/mmx_32.c linux-2.6.35.5/arch/x86/lib/mmx_32.c
15681 --- linux-2.6.35.5/arch/x86/lib/mmx_32.c        2010-08-26 19:47:12.000000000 -0400
15682 +++ linux-2.6.35.5/arch/x86/lib/mmx_32.c        2010-09-17 20:12:09.000000000 -0400
15683 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15684  {
15685         void *p;
15686         int i;
15687 +       unsigned long cr0;
15688  
15689         if (unlikely(in_interrupt()))
15690                 return __memcpy(to, from, len);
15691 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15692         kernel_fpu_begin();
15693  
15694         __asm__ __volatile__ (
15695 -               "1: prefetch (%0)\n"            /* This set is 28 bytes */
15696 -               "   prefetch 64(%0)\n"
15697 -               "   prefetch 128(%0)\n"
15698 -               "   prefetch 192(%0)\n"
15699 -               "   prefetch 256(%0)\n"
15700 +               "1: prefetch (%1)\n"            /* This set is 28 bytes */
15701 +               "   prefetch 64(%1)\n"
15702 +               "   prefetch 128(%1)\n"
15703 +               "   prefetch 192(%1)\n"
15704 +               "   prefetch 256(%1)\n"
15705                 "2:  \n"
15706                 ".section .fixup, \"ax\"\n"
15707 -               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15708 +               "3:  \n"
15709 +
15710 +#ifdef CONFIG_PAX_KERNEXEC
15711 +               "   movl %%cr0, %0\n"
15712 +               "   movl %0, %%eax\n"
15713 +               "   andl $0xFFFEFFFF, %%eax\n"
15714 +               "   movl %%eax, %%cr0\n"
15715 +#endif
15716 +
15717 +               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15718 +
15719 +#ifdef CONFIG_PAX_KERNEXEC
15720 +               "   movl %0, %%cr0\n"
15721 +#endif
15722 +
15723                 "   jmp 2b\n"
15724                 ".previous\n"
15725                         _ASM_EXTABLE(1b, 3b)
15726 -                       : : "r" (from));
15727 +                       : "=&r" (cr0) : "r" (from) : "ax");
15728  
15729         for ( ; i > 5; i--) {
15730                 __asm__ __volatile__ (
15731 -               "1:  prefetch 320(%0)\n"
15732 -               "2:  movq (%0), %%mm0\n"
15733 -               "  movq 8(%0), %%mm1\n"
15734 -               "  movq 16(%0), %%mm2\n"
15735 -               "  movq 24(%0), %%mm3\n"
15736 -               "  movq %%mm0, (%1)\n"
15737 -               "  movq %%mm1, 8(%1)\n"
15738 -               "  movq %%mm2, 16(%1)\n"
15739 -               "  movq %%mm3, 24(%1)\n"
15740 -               "  movq 32(%0), %%mm0\n"
15741 -               "  movq 40(%0), %%mm1\n"
15742 -               "  movq 48(%0), %%mm2\n"
15743 -               "  movq 56(%0), %%mm3\n"
15744 -               "  movq %%mm0, 32(%1)\n"
15745 -               "  movq %%mm1, 40(%1)\n"
15746 -               "  movq %%mm2, 48(%1)\n"
15747 -               "  movq %%mm3, 56(%1)\n"
15748 +               "1:  prefetch 320(%1)\n"
15749 +               "2:  movq (%1), %%mm0\n"
15750 +               "  movq 8(%1), %%mm1\n"
15751 +               "  movq 16(%1), %%mm2\n"
15752 +               "  movq 24(%1), %%mm3\n"
15753 +               "  movq %%mm0, (%2)\n"
15754 +               "  movq %%mm1, 8(%2)\n"
15755 +               "  movq %%mm2, 16(%2)\n"
15756 +               "  movq %%mm3, 24(%2)\n"
15757 +               "  movq 32(%1), %%mm0\n"
15758 +               "  movq 40(%1), %%mm1\n"
15759 +               "  movq 48(%1), %%mm2\n"
15760 +               "  movq 56(%1), %%mm3\n"
15761 +               "  movq %%mm0, 32(%2)\n"
15762 +               "  movq %%mm1, 40(%2)\n"
15763 +               "  movq %%mm2, 48(%2)\n"
15764 +               "  movq %%mm3, 56(%2)\n"
15765                 ".section .fixup, \"ax\"\n"
15766 -               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15767 +               "3:\n"
15768 +
15769 +#ifdef CONFIG_PAX_KERNEXEC
15770 +               "   movl %%cr0, %0\n"
15771 +               "   movl %0, %%eax\n"
15772 +               "   andl $0xFFFEFFFF, %%eax\n"
15773 +               "   movl %%eax, %%cr0\n"
15774 +#endif
15775 +
15776 +               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15777 +
15778 +#ifdef CONFIG_PAX_KERNEXEC
15779 +               "   movl %0, %%cr0\n"
15780 +#endif
15781 +
15782                 "   jmp 2b\n"
15783                 ".previous\n"
15784                         _ASM_EXTABLE(1b, 3b)
15785 -                       : : "r" (from), "r" (to) : "memory");
15786 +                       : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15787  
15788                 from += 64;
15789                 to += 64;
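Review bot: The KERNEXEC fixup in _mmx_memcpy clears CR0 bit 16 (write-protect) with the bare mask `$0xFFFEFFFF`, and nothing visible masks interrupts between `movl %%eax, %%cr0` and the restoring `movl %0, %%cr0`; only `kernel_fpu_begin()` precedes the block. An interrupt taken in that window would run with write protection off, so it is worth confirming what kernel_fpu_begin() guarantees here and recording it in a comment. The sequence is open-coded twice in this hunk and twice in each of the two fast_copy_page hunks below; a single macro, with the mask written as a named constant, would keep the copies from drifting. The `"=&r" (cr0)` output and the `"ax"` clobber are also added when CONFIG_PAX_KERNEXEC is off, where neither is used.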
15790 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
15791  static void fast_copy_page(void *to, void *from)
15792  {
15793         int i;
15794 +       unsigned long cr0;
15795  
15796         kernel_fpu_begin();
15797  
15798 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
15799          * but that is for later. -AV
15800          */
15801         __asm__ __volatile__(
15802 -               "1: prefetch (%0)\n"
15803 -               "   prefetch 64(%0)\n"
15804 -               "   prefetch 128(%0)\n"
15805 -               "   prefetch 192(%0)\n"
15806 -               "   prefetch 256(%0)\n"
15807 +               "1: prefetch (%1)\n"
15808 +               "   prefetch 64(%1)\n"
15809 +               "   prefetch 128(%1)\n"
15810 +               "   prefetch 192(%1)\n"
15811 +               "   prefetch 256(%1)\n"
15812                 "2:  \n"
15813                 ".section .fixup, \"ax\"\n"
15814 -               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15815 +               "3:  \n"
15816 +
15817 +#ifdef CONFIG_PAX_KERNEXEC
15818 +               "   movl %%cr0, %0\n"
15819 +               "   movl %0, %%eax\n"
15820 +               "   andl $0xFFFEFFFF, %%eax\n"
15821 +               "   movl %%eax, %%cr0\n"
15822 +#endif
15823 +
15824 +               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15825 +
15826 +#ifdef CONFIG_PAX_KERNEXEC
15827 +               "   movl %0, %%cr0\n"
15828 +#endif
15829 +
15830                 "   jmp 2b\n"
15831                 ".previous\n"
15832 -                       _ASM_EXTABLE(1b, 3b) : : "r" (from));
15833 +                       _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15834  
15835         for (i = 0; i < (4096-320)/64; i++) {
15836                 __asm__ __volatile__ (
15837 -               "1: prefetch 320(%0)\n"
15838 -               "2: movq (%0), %%mm0\n"
15839 -               "   movntq %%mm0, (%1)\n"
15840 -               "   movq 8(%0), %%mm1\n"
15841 -               "   movntq %%mm1, 8(%1)\n"
15842 -               "   movq 16(%0), %%mm2\n"
15843 -               "   movntq %%mm2, 16(%1)\n"
15844 -               "   movq 24(%0), %%mm3\n"
15845 -               "   movntq %%mm3, 24(%1)\n"
15846 -               "   movq 32(%0), %%mm4\n"
15847 -               "   movntq %%mm4, 32(%1)\n"
15848 -               "   movq 40(%0), %%mm5\n"
15849 -               "   movntq %%mm5, 40(%1)\n"
15850 -               "   movq 48(%0), %%mm6\n"
15851 -               "   movntq %%mm6, 48(%1)\n"
15852 -               "   movq 56(%0), %%mm7\n"
15853 -               "   movntq %%mm7, 56(%1)\n"
15854 +               "1: prefetch 320(%1)\n"
15855 +               "2: movq (%1), %%mm0\n"
15856 +               "   movntq %%mm0, (%2)\n"
15857 +               "   movq 8(%1), %%mm1\n"
15858 +               "   movntq %%mm1, 8(%2)\n"
15859 +               "   movq 16(%1), %%mm2\n"
15860 +               "   movntq %%mm2, 16(%2)\n"
15861 +               "   movq 24(%1), %%mm3\n"
15862 +               "   movntq %%mm3, 24(%2)\n"
15863 +               "   movq 32(%1), %%mm4\n"
15864 +               "   movntq %%mm4, 32(%2)\n"
15865 +               "   movq 40(%1), %%mm5\n"
15866 +               "   movntq %%mm5, 40(%2)\n"
15867 +               "   movq 48(%1), %%mm6\n"
15868 +               "   movntq %%mm6, 48(%2)\n"
15869 +               "   movq 56(%1), %%mm7\n"
15870 +               "   movntq %%mm7, 56(%2)\n"
15871                 ".section .fixup, \"ax\"\n"
15872 -               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15873 +               "3:\n"
15874 +
15875 +#ifdef CONFIG_PAX_KERNEXEC
15876 +               "   movl %%cr0, %0\n"
15877 +               "   movl %0, %%eax\n"
15878 +               "   andl $0xFFFEFFFF, %%eax\n"
15879 +               "   movl %%eax, %%cr0\n"
15880 +#endif
15881 +
15882 +               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15883 +
15884 +#ifdef CONFIG_PAX_KERNEXEC
15885 +               "   movl %0, %%cr0\n"
15886 +#endif
15887 +
15888                 "   jmp 2b\n"
15889                 ".previous\n"
15890 -               _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
15891 +               _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15892  
15893                 from += 64;
15894                 to += 64;
15895 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
15896  static void fast_copy_page(void *to, void *from)
15897  {
15898         int i;
15899 +       unsigned long cr0;
15900  
15901         kernel_fpu_begin();
15902  
15903         __asm__ __volatile__ (
15904 -               "1: prefetch (%0)\n"
15905 -               "   prefetch 64(%0)\n"
15906 -               "   prefetch 128(%0)\n"
15907 -               "   prefetch 192(%0)\n"
15908 -               "   prefetch 256(%0)\n"
15909 +               "1: prefetch (%1)\n"
15910 +               "   prefetch 64(%1)\n"
15911 +               "   prefetch 128(%1)\n"
15912 +               "   prefetch 192(%1)\n"
15913 +               "   prefetch 256(%1)\n"
15914                 "2:  \n"
15915                 ".section .fixup, \"ax\"\n"
15916 -               "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15917 +               "3:  \n"
15918 +
15919 +#ifdef CONFIG_PAX_KERNEXEC
15920 +               "   movl %%cr0, %0\n"
15921 +               "   movl %0, %%eax\n"
15922 +               "   andl $0xFFFEFFFF, %%eax\n"
15923 +               "   movl %%eax, %%cr0\n"
15924 +#endif
15925 +
15926 +               "   movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
15927 +
15928 +#ifdef CONFIG_PAX_KERNEXEC
15929 +               "   movl %0, %%cr0\n"
15930 +#endif
15931 +
15932                 "   jmp 2b\n"
15933                 ".previous\n"
15934 -                       _ASM_EXTABLE(1b, 3b) : : "r" (from));
15935 +                       _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
15936  
15937         for (i = 0; i < 4096/64; i++) {
15938                 __asm__ __volatile__ (
15939 -               "1: prefetch 320(%0)\n"
15940 -               "2: movq (%0), %%mm0\n"
15941 -               "   movq 8(%0), %%mm1\n"
15942 -               "   movq 16(%0), %%mm2\n"
15943 -               "   movq 24(%0), %%mm3\n"
15944 -               "   movq %%mm0, (%1)\n"
15945 -               "   movq %%mm1, 8(%1)\n"
15946 -               "   movq %%mm2, 16(%1)\n"
15947 -               "   movq %%mm3, 24(%1)\n"
15948 -               "   movq 32(%0), %%mm0\n"
15949 -               "   movq 40(%0), %%mm1\n"
15950 -               "   movq 48(%0), %%mm2\n"
15951 -               "   movq 56(%0), %%mm3\n"
15952 -               "   movq %%mm0, 32(%1)\n"
15953 -               "   movq %%mm1, 40(%1)\n"
15954 -               "   movq %%mm2, 48(%1)\n"
15955 -               "   movq %%mm3, 56(%1)\n"
15956 +               "1: prefetch 320(%1)\n"
15957 +               "2: movq (%1), %%mm0\n"
15958 +               "   movq 8(%1), %%mm1\n"
15959 +               "   movq 16(%1), %%mm2\n"
15960 +               "   movq 24(%1), %%mm3\n"
15961 +               "   movq %%mm0, (%2)\n"
15962 +               "   movq %%mm1, 8(%2)\n"
15963 +               "   movq %%mm2, 16(%2)\n"
15964 +               "   movq %%mm3, 24(%2)\n"
15965 +               "   movq 32(%1), %%mm0\n"
15966 +               "   movq 40(%1), %%mm1\n"
15967 +               "   movq 48(%1), %%mm2\n"
15968 +               "   movq 56(%1), %%mm3\n"
15969 +               "   movq %%mm0, 32(%2)\n"
15970 +               "   movq %%mm1, 40(%2)\n"
15971 +               "   movq %%mm2, 48(%2)\n"
15972 +               "   movq %%mm3, 56(%2)\n"
15973                 ".section .fixup, \"ax\"\n"
15974 -               "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15975 +               "3:\n"
15976 +
15977 +#ifdef CONFIG_PAX_KERNEXEC
15978 +               "   movl %%cr0, %0\n"
15979 +               "   movl %0, %%eax\n"
15980 +               "   andl $0xFFFEFFFF, %%eax\n"
15981 +               "   movl %%eax, %%cr0\n"
15982 +#endif
15983 +
15984 +               "   movw $0x05EB, 1b\n" /* jmp on 5 bytes */
15985 +
15986 +#ifdef CONFIG_PAX_KERNEXEC
15987 +               "   movl %0, %%cr0\n"
15988 +#endif
15989 +
15990                 "   jmp 2b\n"
15991                 ".previous\n"
15992                         _ASM_EXTABLE(1b, 3b)
15993 -                       : : "r" (from), "r" (to) : "memory");
15994 +                       : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
15995  
15996                 from += 64;
15997                 to += 64;
15998 diff -urNp linux-2.6.35.5/arch/x86/lib/putuser.S linux-2.6.35.5/arch/x86/lib/putuser.S
15999 --- linux-2.6.35.5/arch/x86/lib/putuser.S       2010-08-26 19:47:12.000000000 -0400
16000 +++ linux-2.6.35.5/arch/x86/lib/putuser.S       2010-09-17 20:12:09.000000000 -0400
16001 @@ -15,7 +15,8 @@
16002  #include <asm/thread_info.h>
16003  #include <asm/errno.h>
16004  #include <asm/asm.h>
16005 -
16006 +#include <asm/segment.h>
16007 +#include <asm/pgtable.h>
16008  
16009  /*
16010   * __put_user_X
16011 @@ -29,59 +30,162 @@
16012   * as they get called from within inline assembly.
16013   */
16014  
16015 -#define ENTER  CFI_STARTPROC ; \
16016 -               GET_THREAD_INFO(%_ASM_BX)
16017 +#define ENTER  CFI_STARTPROC
16018  #define EXIT   ret ; \
16019                 CFI_ENDPROC
16020  
16021 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16022 +#define _DEST %_ASM_CX,%_ASM_BX
16023 +#else
16024 +#define _DEST %_ASM_CX
16025 +#endif
16026 +
16027  .text
16028  ENTRY(__put_user_1)
16029         ENTER
16030 +
16031 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16032 +       pushl $(__USER_DS)
16033 +       popl %ds
16034 +#else
16035 +       GET_THREAD_INFO(%_ASM_BX)
16036         cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16037         jae bad_put_user
16038 -1:     movb %al,(%_ASM_CX)
16039 +
16040 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16041 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16042 +       cmp %_ASM_BX,%_ASM_CX
16043 +       jb 1234f
16044 +       xor %ebx,%ebx
16045 +1234:
16046 +#endif
16047 +
16048 +#endif
16049 +
16050 +1:     movb %al,(_DEST)
16051 +
16052 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16053 +       pushl %ss
16054 +       popl %ds
16055 +#endif
16056 +
16057         xor %eax,%eax
16058         EXIT
16059  ENDPROC(__put_user_1)
16060  
16061  ENTRY(__put_user_2)
16062         ENTER
16063 +
16064 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16065 +       pushl $(__USER_DS)
16066 +       popl %ds
16067 +#else
16068 +       GET_THREAD_INFO(%_ASM_BX)
16069         mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16070         sub $1,%_ASM_BX
16071         cmp %_ASM_BX,%_ASM_CX
16072         jae bad_put_user
16073 -2:     movw %ax,(%_ASM_CX)
16074 +
16075 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16076 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16077 +       cmp %_ASM_BX,%_ASM_CX
16078 +       jb 1234f
16079 +       xor %ebx,%ebx
16080 +1234:
16081 +#endif
16082 +
16083 +#endif
16084 +
16085 +2:     movw %ax,(_DEST)
16086 +
16087 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16088 +       pushl %ss
16089 +       popl %ds
16090 +#endif
16091 +
16092         xor %eax,%eax
16093         EXIT
16094  ENDPROC(__put_user_2)
16095  
16096  ENTRY(__put_user_4)
16097         ENTER
16098 +
16099 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16100 +       pushl $(__USER_DS)
16101 +       popl %ds
16102 +#else
16103 +       GET_THREAD_INFO(%_ASM_BX)
16104         mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16105         sub $3,%_ASM_BX
16106         cmp %_ASM_BX,%_ASM_CX
16107         jae bad_put_user
16108 -3:     movl %eax,(%_ASM_CX)
16109 +
16110 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16111 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16112 +       cmp %_ASM_BX,%_ASM_CX
16113 +       jb 1234f
16114 +       xor %ebx,%ebx
16115 +1234:
16116 +#endif
16117 +
16118 +#endif
16119 +
16120 +3:     movl %eax,(_DEST)
16121 +
16122 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16123 +       pushl %ss
16124 +       popl %ds
16125 +#endif
16126 +
16127         xor %eax,%eax
16128         EXIT
16129  ENDPROC(__put_user_4)
16130  
16131  ENTRY(__put_user_8)
16132         ENTER
16133 +
16134 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16135 +       pushl $(__USER_DS)
16136 +       popl %ds
16137 +#else
16138 +       GET_THREAD_INFO(%_ASM_BX)
16139         mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16140         sub $7,%_ASM_BX
16141         cmp %_ASM_BX,%_ASM_CX
16142         jae bad_put_user
16143 -4:     mov %_ASM_AX,(%_ASM_CX)
16144 +
16145 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16146 +       mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16147 +       cmp %_ASM_BX,%_ASM_CX
16148 +       jb 1234f
16149 +       xor %ebx,%ebx
16150 +1234:
16151 +#endif
16152 +
16153 +#endif
16154 +
16155 +4:     mov %_ASM_AX,(_DEST)
16156  #ifdef CONFIG_X86_32
16157 -5:     movl %edx,4(%_ASM_CX)
16158 +5:     movl %edx,4(_DEST)
16159  #endif
16160 +
16161 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16162 +       pushl %ss
16163 +       popl %ds
16164 +#endif
16165 +
16166         xor %eax,%eax
16167         EXIT
16168  ENDPROC(__put_user_8)
16169  
16170  bad_put_user:
16171         CFI_STARTPROC
16172 +
16173 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16174 +       pushl %ss
16175 +       popl %ds
16176 +#endif
16177 +
16178         movl $-EFAULT,%eax
16179         EXIT
16180  END(bad_put_user)
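Review bot: The `pushl $(__USER_DS)` / `popl %ds` and `pushl %ss` / `popl %ds` pairs move the stack pointer inside the `ENTER` … `EXIT` CFI region without telling the unwinder. Following each push with `CFI_ADJUST_CFA_OFFSET 4` and each pop with `CFI_ADJUST_CFA_OFFSET -4` keeps the unwind information correct at any point between the push and the pop. The getuser.S hunks earlier in the patch have the same pattern. Separately, `_DEST` expands to a two-register address on 64-bit UDEREF, so it depends on %_ASM_BX holding either PAX_USER_SHADOW_BASE or zero at every store; a one-line comment on the `#define` would record that.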
16181 diff -urNp linux-2.6.35.5/arch/x86/lib/usercopy_32.c linux-2.6.35.5/arch/x86/lib/usercopy_32.c
16182 --- linux-2.6.35.5/arch/x86/lib/usercopy_32.c   2010-08-26 19:47:12.000000000 -0400
16183 +++ linux-2.6.35.5/arch/x86/lib/usercopy_32.c   2010-09-17 20:12:09.000000000 -0400
16184 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16185   * Copy a null terminated string from userspace.
16186   */
16187  
16188 -#define __do_strncpy_from_user(dst, src, count, res)                      \
16189 -do {                                                                      \
16190 -       int __d0, __d1, __d2;                                              \
16191 -       might_fault();                                                     \
16192 -       __asm__ __volatile__(                                              \
16193 -               "       testl %1,%1\n"                                     \
16194 -               "       jz 2f\n"                                           \
16195 -               "0:     lodsb\n"                                           \
16196 -               "       stosb\n"                                           \
16197 -               "       testb %%al,%%al\n"                                 \
16198 -               "       jz 1f\n"                                           \
16199 -               "       decl %1\n"                                         \
16200 -               "       jnz 0b\n"                                          \
16201 -               "1:     subl %1,%0\n"                                      \
16202 -               "2:\n"                                                     \
16203 -               ".section .fixup,\"ax\"\n"                                 \
16204 -               "3:     movl %5,%0\n"                                      \
16205 -               "       jmp 2b\n"                                          \
16206 -               ".previous\n"                                              \
16207 -               _ASM_EXTABLE(0b,3b)                                        \
16208 -               : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),    \
16209 -                 "=&D" (__d2)                                             \
16210 -               : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16211 -               : "memory");                                               \
16212 -} while (0)
16213 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16214 +{
16215 +       int __d0, __d1, __d2;
16216 +       long res = -EFAULT;
16217 +
16218 +       might_fault();
16219 +       __asm__ __volatile__(
16220 +               "       movw %w10,%%ds\n"
16221 +               "       testl %1,%1\n"
16222 +               "       jz 2f\n"
16223 +               "0:     lodsb\n"
16224 +               "       stosb\n"
16225 +               "       testb %%al,%%al\n"
16226 +               "       jz 1f\n"
16227 +               "       decl %1\n"
16228 +               "       jnz 0b\n"
16229 +               "1:     subl %1,%0\n"
16230 +               "2:\n"
16231 +               "       pushl %%ss\n"
16232 +               "       popl %%ds\n"
16233 +               ".section .fixup,\"ax\"\n"
16234 +               "3:     movl %5,%0\n"
16235 +               "       jmp 2b\n"
16236 +               ".previous\n"
16237 +               _ASM_EXTABLE(0b,3b)
16238 +               : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16239 +                 "=&D" (__d2)
16240 +               : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16241 +                 "r"(__USER_DS)
16242 +               : "memory");
16243 +       return res;
16244 +}
16245  
16246  /**
16247   * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
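Review bot: `movw %w10,%%ds` in __do_strncpy_from_user addresses the selector by position, so adding or removing any operand silently retargets it. A named operand keeps the reference stable: `"       movw %w[uds],%%ds\n"` with `[uds] "r"(__USER_DS)` in the input list. The same applies to `%w6` in __do_clear_user and `%w8` in strnlen_user in the later hunks. The new function also deserves a short comment saying that every exit, including the `.fixup` path through label `2:`, must pass the `pushl %%ss` / `popl %%ds` restore. The `= -EFAULT` initialiser on `res` is dead, since `res` is an asm output tied to `count`.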
16248 @@ -85,9 +92,7 @@ do {                                                                     \
16249  long
16250  __strncpy_from_user(char *dst, const char __user *src, long count)
16251  {
16252 -       long res;
16253 -       __do_strncpy_from_user(dst, src, count, res);
16254 -       return res;
16255 +       return __do_strncpy_from_user(dst, src, count);
16256  }
16257  EXPORT_SYMBOL(__strncpy_from_user);
16258  
16259 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char 
16260  {
16261         long res = -EFAULT;
16262         if (access_ok(VERIFY_READ, src, 1))
16263 -               __do_strncpy_from_user(dst, src, count, res);
16264 +               res = __do_strncpy_from_user(dst, src, count);
16265         return res;
16266  }
16267  EXPORT_SYMBOL(strncpy_from_user);
16268 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16269   * Zero Userspace
16270   */
16271  
16272 -#define __do_clear_user(addr,size)                                     \
16273 -do {                                                                   \
16274 -       int __d0;                                                       \
16275 -       might_fault();                                                  \
16276 -       __asm__ __volatile__(                                           \
16277 -               "0:     rep; stosl\n"                                   \
16278 -               "       movl %2,%0\n"                                   \
16279 -               "1:     rep; stosb\n"                                   \
16280 -               "2:\n"                                                  \
16281 -               ".section .fixup,\"ax\"\n"                              \
16282 -               "3:     lea 0(%2,%0,4),%0\n"                            \
16283 -               "       jmp 2b\n"                                       \
16284 -               ".previous\n"                                           \
16285 -               _ASM_EXTABLE(0b,3b)                                     \
16286 -               _ASM_EXTABLE(1b,2b)                                     \
16287 -               : "=&c"(size), "=&D" (__d0)                             \
16288 -               : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0));     \
16289 -} while (0)
16290 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16291 +{
16292 +       int __d0;
16293 +
16294 +       might_fault();
16295 +       __asm__ __volatile__(
16296 +               "       movw %w6,%%es\n"
16297 +               "0:     rep; stosl\n"
16298 +               "       movl %2,%0\n"
16299 +               "1:     rep; stosb\n"
16300 +               "2:\n"
16301 +               "       pushl %%ss\n"
16302 +               "       popl %%es\n"
16303 +               ".section .fixup,\"ax\"\n"
16304 +               "3:     lea 0(%2,%0,4),%0\n"
16305 +               "       jmp 2b\n"
16306 +               ".previous\n"
16307 +               _ASM_EXTABLE(0b,3b)
16308 +               _ASM_EXTABLE(1b,2b)
16309 +               : "=&c"(size), "=&D" (__d0)
16310 +               : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16311 +                 "r"(__USER_DS));
16312 +       return size;
16313 +}
16314  
16315  /**
16316   * clear_user: - Zero a block of memory in user space.
16317 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
16318  {
16319         might_fault();
16320         if (access_ok(VERIFY_WRITE, to, n))
16321 -               __do_clear_user(to, n);
16322 +               n = __do_clear_user(to, n);
16323         return n;
16324  }
16325  EXPORT_SYMBOL(clear_user);
16326 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
16327  unsigned long
16328  __clear_user(void __user *to, unsigned long n)
16329  {
16330 -       __do_clear_user(to, n);
16331 -       return n;
16332 +       return __do_clear_user(to, n);
16333  }
16334  EXPORT_SYMBOL(__clear_user);
16335  
16336 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s, 
16337         might_fault();
16338  
16339         __asm__ __volatile__(
16340 +               "       movw %w8,%%es\n"
16341                 "       testl %0, %0\n"
16342                 "       jz 3f\n"
16343 -               "       andl %0,%%ecx\n"
16344 +               "       movl %0,%%ecx\n"
16345                 "0:     repne; scasb\n"
16346                 "       setne %%al\n"
16347                 "       subl %%ecx,%0\n"
16348                 "       addl %0,%%eax\n"
16349                 "1:\n"
16350 +               "       pushl %%ss\n"
16351 +               "       popl %%es\n"
16352                 ".section .fixup,\"ax\"\n"
16353                 "2:     xorl %%eax,%%eax\n"
16354                 "       jmp 1b\n"
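Review bot: Replacing `andl %0,%%ecx` with `movl %0,%%ecx` means the `repne; scasb` count is now `n` alone and no longer folds in `mask`, so the scan is bounded only by `n` and by whatever limit the selector loaded into `%es` carries. `mask` is computed outside this hunk and still gates the return value (`res & mask`), but that is applied after the memory has already been read. If the intent is that the `__USER_DS` segment limit replaces the address check, say so above the asm, e.g. `/* scan count is not masked: relies on the %es = __USER_DS limit to fault on non-user addresses */`, and confirm it holds in every configuration this file is built for. The operand that supplies `%w8` is added in the next hunk, and the function body starts outside this one.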
16355 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s, 
16356                 "       .long 0b,2b\n"
16357                 ".previous"
16358                 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
16359 -               :"0" (n), "1" (s), "2" (0), "3" (mask)
16360 +               :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
16361                 :"cc");
16362         return res & mask;
16363  }
16364 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
16365  
16366  #ifdef CONFIG_X86_INTEL_USERCOPY
16367  static unsigned long
16368 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16369 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16370 +{
16371 +       int d0, d1;
16372 +       __asm__ __volatile__(
16373 +                      "       movw %w6, %%es\n"
16374 +                      "       .align 2,0x90\n"
16375 +                      "1:     movl 32(%4), %%eax\n"
16376 +                      "       cmpl $67, %0\n"
16377 +                      "       jbe 3f\n"
16378 +                      "2:     movl 64(%4), %%eax\n"
16379 +                      "       .align 2,0x90\n"
16380 +                      "3:     movl 0(%4), %%eax\n"
16381 +                      "4:     movl 4(%4), %%edx\n"
16382 +                      "5:     movl %%eax, %%es:0(%3)\n"
16383 +                      "6:     movl %%edx, %%es:4(%3)\n"
16384 +                      "7:     movl 8(%4), %%eax\n"
16385 +                      "8:     movl 12(%4),%%edx\n"
16386 +                      "9:     movl %%eax, %%es:8(%3)\n"
16387 +                      "10:    movl %%edx, %%es:12(%3)\n"
16388 +                      "11:    movl 16(%4), %%eax\n"
16389 +                      "12:    movl 20(%4), %%edx\n"
16390 +                      "13:    movl %%eax, %%es:16(%3)\n"
16391 +                      "14:    movl %%edx, %%es:20(%3)\n"
16392 +                      "15:    movl 24(%4), %%eax\n"
16393 +                      "16:    movl 28(%4), %%edx\n"
16394 +                      "17:    movl %%eax, %%es:24(%3)\n"
16395 +                      "18:    movl %%edx, %%es:28(%3)\n"
16396 +                      "19:    movl 32(%4), %%eax\n"
16397 +                      "20:    movl 36(%4), %%edx\n"
16398 +                      "21:    movl %%eax, %%es:32(%3)\n"
16399 +                      "22:    movl %%edx, %%es:36(%3)\n"
16400 +                      "23:    movl 40(%4), %%eax\n"
16401 +                      "24:    movl 44(%4), %%edx\n"
16402 +                      "25:    movl %%eax, %%es:40(%3)\n"
16403 +                      "26:    movl %%edx, %%es:44(%3)\n"
16404 +                      "27:    movl 48(%4), %%eax\n"
16405 +                      "28:    movl 52(%4), %%edx\n"
16406 +                      "29:    movl %%eax, %%es:48(%3)\n"
16407 +                      "30:    movl %%edx, %%es:52(%3)\n"
16408 +                      "31:    movl 56(%4), %%eax\n"
16409 +                      "32:    movl 60(%4), %%edx\n"
16410 +                      "33:    movl %%eax, %%es:56(%3)\n"
16411 +                      "34:    movl %%edx, %%es:60(%3)\n"
16412 +                      "       addl $-64, %0\n"
16413 +                      "       addl $64, %4\n"
16414 +                      "       addl $64, %3\n"
16415 +                      "       cmpl $63, %0\n"
16416 +                      "       ja  1b\n"
16417 +                      "35:    movl  %0, %%eax\n"
16418 +                      "       shrl  $2, %0\n"
16419 +                      "       andl  $3, %%eax\n"
16420 +                      "       cld\n"
16421 +                      "99:    rep; movsl\n"
16422 +                      "36:    movl %%eax, %0\n"
16423 +                      "37:    rep; movsb\n"
16424 +                      "100:\n"
16425 +                      "       pushl %%ss\n"
16426 +                      "       popl %%es\n"
16427 +                      ".section .fixup,\"ax\"\n"
16428 +                      "101:   lea 0(%%eax,%0,4),%0\n"
16429 +                      "       jmp 100b\n"
16430 +                      ".previous\n"
16431 +                      ".section __ex_table,\"a\"\n"
16432 +                      "       .align 4\n"
16433 +                      "       .long 1b,100b\n"
16434 +                      "       .long 2b,100b\n"
16435 +                      "       .long 3b,100b\n"
16436 +                      "       .long 4b,100b\n"
16437 +                      "       .long 5b,100b\n"
16438 +                      "       .long 6b,100b\n"
16439 +                      "       .long 7b,100b\n"
16440 +                      "       .long 8b,100b\n"
16441 +                      "       .long 9b,100b\n"
16442 +                      "       .long 10b,100b\n"
16443 +                      "       .long 11b,100b\n"
16444 +                      "       .long 12b,100b\n"
16445 +                      "       .long 13b,100b\n"
16446 +                      "       .long 14b,100b\n"
16447 +                      "       .long 15b,100b\n"
16448 +                      "       .long 16b,100b\n"
16449 +                      "       .long 17b,100b\n"
16450 +                      "       .long 18b,100b\n"
16451 +                      "       .long 19b,100b\n"
16452 +                      "       .long 20b,100b\n"
16453 +                      "       .long 21b,100b\n"
16454 +                      "       .long 22b,100b\n"
16455 +                      "       .long 23b,100b\n"
16456 +                      "       .long 24b,100b\n"
16457 +                      "       .long 25b,100b\n"
16458 +                      "       .long 26b,100b\n"
16459 +                      "       .long 27b,100b\n"
16460 +                      "       .long 28b,100b\n"
16461 +                      "       .long 29b,100b\n"
16462 +                      "       .long 30b,100b\n"
16463 +                      "       .long 31b,100b\n"
16464 +                      "       .long 32b,100b\n"
16465 +                      "       .long 33b,100b\n"
16466 +                      "       .long 34b,100b\n"
16467 +                      "       .long 35b,100b\n"
16468 +                      "       .long 36b,100b\n"
16469 +                      "       .long 37b,100b\n"
16470 +                      "       .long 99b,101b\n"
16471 +                      ".previous"
16472 +                      : "=&c"(size), "=&D" (d0), "=&S" (d1)
16473 +                      :  "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16474 +                      : "eax", "edx", "memory");
16475 +       return size;
16476 +}
16477 +
16478 +static unsigned long
16479 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16480  {
16481         int d0, d1;
16482         __asm__ __volatile__(
16483 +                      "       movw %w6, %%ds\n"
16484                        "       .align 2,0x90\n"
16485                        "1:     movl 32(%4), %%eax\n"
16486                        "       cmpl $67, %0\n"
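Review bot: `__generic_copy_to_user_intel` reloads `%es` with `__USER_DS` at its first instruction and restores it with `pushl %%ss; popl %%es` at label 100, but nothing states that the restore assumes `%ss` holds the selector the rest of the kernel expects in `%es`. A short comment before the asm would make that contract explicit, e.g. `/* %es = user segment for the stores below; restored from %ss at 100:, which every fixup and exception-table target leads back to */`. The new function is also a near line-for-line copy of the unrolled loop in `__generic_copy_from_user_intel`, differing only in which side carries the segment override, so a later fix to one exception-table list has to be mirrored by hand in the other; a cross-reference comment on each would help. `__generic_copy_from_user_intel` begins at the end of this hunk and continues in the following ones.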
16487 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
16488                        "       .align 2,0x90\n"
16489                        "3:     movl 0(%4), %%eax\n"
16490                        "4:     movl 4(%4), %%edx\n"
16491 -                      "5:     movl %%eax, 0(%3)\n"
16492 -                      "6:     movl %%edx, 4(%3)\n"
16493 +                      "5:     movl %%eax, %%es:0(%3)\n"
16494 +                      "6:     movl %%edx, %%es:4(%3)\n"
16495                        "7:     movl 8(%4), %%eax\n"
16496                        "8:     movl 12(%4),%%edx\n"
16497 -                      "9:     movl %%eax, 8(%3)\n"
16498 -                      "10:    movl %%edx, 12(%3)\n"
16499 +                      "9:     movl %%eax, %%es:8(%3)\n"
16500 +                      "10:    movl %%edx, %%es:12(%3)\n"
16501                        "11:    movl 16(%4), %%eax\n"
16502                        "12:    movl 20(%4), %%edx\n"
16503 -                      "13:    movl %%eax, 16(%3)\n"
16504 -                      "14:    movl %%edx, 20(%3)\n"
16505 +                      "13:    movl %%eax, %%es:16(%3)\n"
16506 +                      "14:    movl %%edx, %%es:20(%3)\n"
16507                        "15:    movl 24(%4), %%eax\n"
16508                        "16:    movl 28(%4), %%edx\n"
16509 -                      "17:    movl %%eax, 24(%3)\n"
16510 -                      "18:    movl %%edx, 28(%3)\n"
16511 +                      "17:    movl %%eax, %%es:24(%3)\n"
16512 +                      "18:    movl %%edx, %%es:28(%3)\n"
16513                        "19:    movl 32(%4), %%eax\n"
16514                        "20:    movl 36(%4), %%edx\n"
16515 -                      "21:    movl %%eax, 32(%3)\n"
16516 -                      "22:    movl %%edx, 36(%3)\n"
16517 +                      "21:    movl %%eax, %%es:32(%3)\n"
16518 +                      "22:    movl %%edx, %%es:36(%3)\n"
16519                        "23:    movl 40(%4), %%eax\n"
16520                        "24:    movl 44(%4), %%edx\n"
16521 -                      "25:    movl %%eax, 40(%3)\n"
16522 -                      "26:    movl %%edx, 44(%3)\n"
16523 +                      "25:    movl %%eax, %%es:40(%3)\n"
16524 +                      "26:    movl %%edx, %%es:44(%3)\n"
16525                        "27:    movl 48(%4), %%eax\n"
16526                        "28:    movl 52(%4), %%edx\n"
16527 -                      "29:    movl %%eax, 48(%3)\n"
16528 -                      "30:    movl %%edx, 52(%3)\n"
16529 +                      "29:    movl %%eax, %%es:48(%3)\n"
16530 +                      "30:    movl %%edx, %%es:52(%3)\n"
16531                        "31:    movl 56(%4), %%eax\n"
16532                        "32:    movl 60(%4), %%edx\n"
16533 -                      "33:    movl %%eax, 56(%3)\n"
16534 -                      "34:    movl %%edx, 60(%3)\n"
16535 +                      "33:    movl %%eax, %%es:56(%3)\n"
16536 +                      "34:    movl %%edx, %%es:60(%3)\n"
16537                        "       addl $-64, %0\n"
16538                        "       addl $64, %4\n"
16539                        "       addl $64, %3\n"
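Review bot: The `%%es:` prefixes added to the stores at labels 5–34 are load-bearing, not cosmetic, and that is not documented. The function now starts with `movw %w6, %%ds` (previous hunk), so any memory operand without an override goes through the user selector until `%ds` is restored. A later edit that adds an unprefixed access to kernel memory inside this asm would silently go through the wrong segment. I would add a comment at the top of the asm such as `/* %ds = __USER_DS until label 100: loads via (%4) are user reads, kernel stores must carry %%es: */`. The same applies to the parallel hunks for `__copy_user_zeroing_intel`, `__copy_user_zeroing_intel_nocache` and `__copy_user_intel_nocache` further down; the function body starts and ends outside this hunk.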
16540 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
16541                        "36:    movl %%eax, %0\n"
16542                        "37:    rep; movsb\n"
16543                        "100:\n"
16544 +                      "       pushl %%ss\n"
16545 +                      "       popl %%ds\n"
16546                        ".section .fixup,\"ax\"\n"
16547                        "101:   lea 0(%%eax,%0,4),%0\n"
16548                        "       jmp 100b\n"
16549 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
16550                        "       .long 99b,101b\n"
16551                        ".previous"
16552                        : "=&c"(size), "=&D" (d0), "=&S" (d1)
16553 -                      :  "1"(to), "2"(from), "0"(size)
16554 +                      :  "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16555                        : "eax", "edx", "memory");
16556         return size;
16557  }
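Review bot: The selector is appended as an unnamed operand, `"r"(__USER_DS)`, and consumed by position as `%w6` at the top of the asm in an earlier hunk, so the two are kept in step only by counting operands. Adding or removing any output or input later shifts the index, and the asm would then load a different value into a segment register without a compile error. A named operand removes that coupling: `[seg] "r"(__USER_DS)` here and `movw %w[seg], %%ds` at the use site. The same pattern appears in the other operand-list hunks of this file (`%w6` in the `_intel` variants and `__do_clear_user`, `%w8` in `strnlen_user`).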
16558 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
16559  {
16560         int d0, d1;
16561         __asm__ __volatile__(
16562 +                      "        movw %w6, %%ds\n"
16563                        "        .align 2,0x90\n"
16564                        "0:      movl 32(%4), %%eax\n"
16565                        "        cmpl $67, %0\n"
16566 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
16567                        "        .align 2,0x90\n"
16568                        "2:      movl 0(%4), %%eax\n"
16569                        "21:     movl 4(%4), %%edx\n"
16570 -                      "        movl %%eax, 0(%3)\n"
16571 -                      "        movl %%edx, 4(%3)\n"
16572 +                      "        movl %%eax, %%es:0(%3)\n"
16573 +                      "        movl %%edx, %%es:4(%3)\n"
16574                        "3:      movl 8(%4), %%eax\n"
16575                        "31:     movl 12(%4),%%edx\n"
16576 -                      "        movl %%eax, 8(%3)\n"
16577 -                      "        movl %%edx, 12(%3)\n"
16578 +                      "        movl %%eax, %%es:8(%3)\n"
16579 +                      "        movl %%edx, %%es:12(%3)\n"
16580                        "4:      movl 16(%4), %%eax\n"
16581                        "41:     movl 20(%4), %%edx\n"
16582 -                      "        movl %%eax, 16(%3)\n"
16583 -                      "        movl %%edx, 20(%3)\n"
16584 +                      "        movl %%eax, %%es:16(%3)\n"
16585 +                      "        movl %%edx, %%es:20(%3)\n"
16586                        "10:     movl 24(%4), %%eax\n"
16587                        "51:     movl 28(%4), %%edx\n"
16588 -                      "        movl %%eax, 24(%3)\n"
16589 -                      "        movl %%edx, 28(%3)\n"
16590 +                      "        movl %%eax, %%es:24(%3)\n"
16591 +                      "        movl %%edx, %%es:28(%3)\n"
16592                        "11:     movl 32(%4), %%eax\n"
16593                        "61:     movl 36(%4), %%edx\n"
16594 -                      "        movl %%eax, 32(%3)\n"
16595 -                      "        movl %%edx, 36(%3)\n"
16596 +                      "        movl %%eax, %%es:32(%3)\n"
16597 +                      "        movl %%edx, %%es:36(%3)\n"
16598                        "12:     movl 40(%4), %%eax\n"
16599                        "71:     movl 44(%4), %%edx\n"
16600 -                      "        movl %%eax, 40(%3)\n"
16601 -                      "        movl %%edx, 44(%3)\n"
16602 +                      "        movl %%eax, %%es:40(%3)\n"
16603 +                      "        movl %%edx, %%es:44(%3)\n"
16604                        "13:     movl 48(%4), %%eax\n"
16605                        "81:     movl 52(%4), %%edx\n"
16606 -                      "        movl %%eax, 48(%3)\n"
16607 -                      "        movl %%edx, 52(%3)\n"
16608 +                      "        movl %%eax, %%es:48(%3)\n"
16609 +                      "        movl %%edx, %%es:52(%3)\n"
16610                        "14:     movl 56(%4), %%eax\n"
16611                        "91:     movl 60(%4), %%edx\n"
16612 -                      "        movl %%eax, 56(%3)\n"
16613 -                      "        movl %%edx, 60(%3)\n"
16614 +                      "        movl %%eax, %%es:56(%3)\n"
16615 +                      "        movl %%edx, %%es:60(%3)\n"
16616                        "        addl $-64, %0\n"
16617                        "        addl $64, %4\n"
16618                        "        addl $64, %3\n"
16619 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
16620                        "        movl %%eax,%0\n"
16621                        "7:      rep; movsb\n"
16622                        "8:\n"
16623 +                      "        pushl %%ss\n"
16624 +                      "        popl %%ds\n"
16625                        ".section .fixup,\"ax\"\n"
16626                        "9:      lea 0(%%eax,%0,4),%0\n"
16627                        "16:     pushl %0\n"
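Review bot: The `%ds` restore sits after label 8, so the zeroing fixup that begins at labels 9/16 runs with `%ds` still holding the user selector. The instructions visible here (`lea`, `pushl`) do not go through `%ds`, but the rest of the fixup sequence is outside this hunk, so that should be checked against the full function. It is worth a comment at the fixup, e.g. `/* runs with %ds = __USER_DS; only %es-/%ss-relative accesses are allowed until the jmp back to 8: */`, so nobody later adds a `%ds`-relative access there. The same ordering is used in the `__copy_user_zeroing_intel_nocache` hunk below.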
16628 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
16629                        "        .long 7b,16b\n"
16630                        ".previous"
16631                        : "=&c"(size), "=&D" (d0), "=&S" (d1)
16632 -                      :  "1"(to), "2"(from), "0"(size)
16633 +                      :  "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16634                        : "eax", "edx", "memory");
16635         return size;
16636  }
16637 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
16638         int d0, d1;
16639  
16640         __asm__ __volatile__(
16641 +              "        movw %w6, %%ds\n"
16642                "        .align 2,0x90\n"
16643                "0:      movl 32(%4), %%eax\n"
16644                "        cmpl $67, %0\n"
16645 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
16646                "        .align 2,0x90\n"
16647                "2:      movl 0(%4), %%eax\n"
16648                "21:     movl 4(%4), %%edx\n"
16649 -              "        movnti %%eax, 0(%3)\n"
16650 -              "        movnti %%edx, 4(%3)\n"
16651 +              "        movnti %%eax, %%es:0(%3)\n"
16652 +              "        movnti %%edx, %%es:4(%3)\n"
16653                "3:      movl 8(%4), %%eax\n"
16654                "31:     movl 12(%4),%%edx\n"
16655 -              "        movnti %%eax, 8(%3)\n"
16656 -              "        movnti %%edx, 12(%3)\n"
16657 +              "        movnti %%eax, %%es:8(%3)\n"
16658 +              "        movnti %%edx, %%es:12(%3)\n"
16659                "4:      movl 16(%4), %%eax\n"
16660                "41:     movl 20(%4), %%edx\n"
16661 -              "        movnti %%eax, 16(%3)\n"
16662 -              "        movnti %%edx, 20(%3)\n"
16663 +              "        movnti %%eax, %%es:16(%3)\n"
16664 +              "        movnti %%edx, %%es:20(%3)\n"
16665                "10:     movl 24(%4), %%eax\n"
16666                "51:     movl 28(%4), %%edx\n"
16667 -              "        movnti %%eax, 24(%3)\n"
16668 -              "        movnti %%edx, 28(%3)\n"
16669 +              "        movnti %%eax, %%es:24(%3)\n"
16670 +              "        movnti %%edx, %%es:28(%3)\n"
16671                "11:     movl 32(%4), %%eax\n"
16672                "61:     movl 36(%4), %%edx\n"
16673 -              "        movnti %%eax, 32(%3)\n"
16674 -              "        movnti %%edx, 36(%3)\n"
16675 +              "        movnti %%eax, %%es:32(%3)\n"
16676 +              "        movnti %%edx, %%es:36(%3)\n"
16677                "12:     movl 40(%4), %%eax\n"
16678                "71:     movl 44(%4), %%edx\n"
16679 -              "        movnti %%eax, 40(%3)\n"
16680 -              "        movnti %%edx, 44(%3)\n"
16681 +              "        movnti %%eax, %%es:40(%3)\n"
16682 +              "        movnti %%edx, %%es:44(%3)\n"
16683                "13:     movl 48(%4), %%eax\n"
16684                "81:     movl 52(%4), %%edx\n"
16685 -              "        movnti %%eax, 48(%3)\n"
16686 -              "        movnti %%edx, 52(%3)\n"
16687 +              "        movnti %%eax, %%es:48(%3)\n"
16688 +              "        movnti %%edx, %%es:52(%3)\n"
16689                "14:     movl 56(%4), %%eax\n"
16690                "91:     movl 60(%4), %%edx\n"
16691 -              "        movnti %%eax, 56(%3)\n"
16692 -              "        movnti %%edx, 60(%3)\n"
16693 +              "        movnti %%eax, %%es:56(%3)\n"
16694 +              "        movnti %%edx, %%es:60(%3)\n"
16695                "        addl $-64, %0\n"
16696                "        addl $64, %4\n"
16697                "        addl $64, %3\n"
16698 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
16699                "        movl %%eax,%0\n"
16700                "7:      rep; movsb\n"
16701                "8:\n"
16702 +              "        pushl %%ss\n"
16703 +              "        popl %%ds\n"
16704                ".section .fixup,\"ax\"\n"
16705                "9:      lea 0(%%eax,%0,4),%0\n"
16706                "16:     pushl %0\n"
16707 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
16708                "        .long 7b,16b\n"
16709                ".previous"
16710                : "=&c"(size), "=&D" (d0), "=&S" (d1)
16711 -              :  "1"(to), "2"(from), "0"(size)
16712 +              :  "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16713                : "eax", "edx", "memory");
16714         return size;
16715  }
16716 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
16717         int d0, d1;
16718  
16719         __asm__ __volatile__(
16720 +              "        movw %w6, %%ds\n"
16721                "        .align 2,0x90\n"
16722                "0:      movl 32(%4), %%eax\n"
16723                "        cmpl $67, %0\n"
16724 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
16725                "        .align 2,0x90\n"
16726                "2:      movl 0(%4), %%eax\n"
16727                "21:     movl 4(%4), %%edx\n"
16728 -              "        movnti %%eax, 0(%3)\n"
16729 -              "        movnti %%edx, 4(%3)\n"
16730 +              "        movnti %%eax, %%es:0(%3)\n"
16731 +              "        movnti %%edx, %%es:4(%3)\n"
16732                "3:      movl 8(%4), %%eax\n"
16733                "31:     movl 12(%4),%%edx\n"
16734 -              "        movnti %%eax, 8(%3)\n"
16735 -              "        movnti %%edx, 12(%3)\n"
16736 +              "        movnti %%eax, %%es:8(%3)\n"
16737 +              "        movnti %%edx, %%es:12(%3)\n"
16738                "4:      movl 16(%4), %%eax\n"
16739                "41:     movl 20(%4), %%edx\n"
16740 -              "        movnti %%eax, 16(%3)\n"
16741 -              "        movnti %%edx, 20(%3)\n"
16742 +              "        movnti %%eax, %%es:16(%3)\n"
16743 +              "        movnti %%edx, %%es:20(%3)\n"
16744                "10:     movl 24(%4), %%eax\n"
16745                "51:     movl 28(%4), %%edx\n"
16746 -              "        movnti %%eax, 24(%3)\n"
16747 -              "        movnti %%edx, 28(%3)\n"
16748 +              "        movnti %%eax, %%es:24(%3)\n"
16749 +              "        movnti %%edx, %%es:28(%3)\n"
16750                "11:     movl 32(%4), %%eax\n"
16751                "61:     movl 36(%4), %%edx\n"
16752 -              "        movnti %%eax, 32(%3)\n"
16753 -              "        movnti %%edx, 36(%3)\n"
16754 +              "        movnti %%eax, %%es:32(%3)\n"
16755 +              "        movnti %%edx, %%es:36(%3)\n"
16756                "12:     movl 40(%4), %%eax\n"
16757                "71:     movl 44(%4), %%edx\n"
16758 -              "        movnti %%eax, 40(%3)\n"
16759 -              "        movnti %%edx, 44(%3)\n"
16760 +              "        movnti %%eax, %%es:40(%3)\n"
16761 +              "        movnti %%edx, %%es:44(%3)\n"
16762                "13:     movl 48(%4), %%eax\n"
16763                "81:     movl 52(%4), %%edx\n"
16764 -              "        movnti %%eax, 48(%3)\n"
16765 -              "        movnti %%edx, 52(%3)\n"
16766 +              "        movnti %%eax, %%es:48(%3)\n"
16767 +              "        movnti %%edx, %%es:52(%3)\n"
16768                "14:     movl 56(%4), %%eax\n"
16769                "91:     movl 60(%4), %%edx\n"
16770 -              "        movnti %%eax, 56(%3)\n"
16771 -              "        movnti %%edx, 60(%3)\n"
16772 +              "        movnti %%eax, %%es:56(%3)\n"
16773 +              "        movnti %%edx, %%es:60(%3)\n"
16774                "        addl $-64, %0\n"
16775                "        addl $64, %4\n"
16776                "        addl $64, %3\n"
16777 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
16778                "        movl %%eax,%0\n"
16779                "7:      rep; movsb\n"
16780                "8:\n"
16781 +              "        pushl %%ss\n"
16782 +              "        popl %%ds\n"
16783                ".section .fixup,\"ax\"\n"
16784                "9:      lea 0(%%eax,%0,4),%0\n"
16785                "16:     jmp 8b\n"
16786 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
16787                "        .long 7b,16b\n"
16788                ".previous"
16789                : "=&c"(size), "=&D" (d0), "=&S" (d1)
16790 -              :  "1"(to), "2"(from), "0"(size)
16791 +              :  "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16792                : "eax", "edx", "memory");
16793         return size;
16794  }
16795 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
16796   */
16797  unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16798                                         unsigned long size);
16799 -unsigned long __copy_user_intel(void __user *to, const void *from,
16800 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16801 +                                       unsigned long size);
16802 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16803                                         unsigned long size);
16804  unsigned long __copy_user_zeroing_intel_nocache(void *to,
16805                                 const void __user *from, unsigned long size);
16806  #endif /* CONFIG_X86_INTEL_USERCOPY */
16807  
16808  /* Generic arbitrary sized copy.  */
16809 -#define __copy_user(to, from, size)                                    \
16810 -do {                                                                   \
16811 -       int __d0, __d1, __d2;                                           \
16812 -       __asm__ __volatile__(                                           \
16813 -               "       cmp  $7,%0\n"                                   \
16814 -               "       jbe  1f\n"                                      \
16815 -               "       movl %1,%0\n"                                   \
16816 -               "       negl %0\n"                                      \
16817 -               "       andl $7,%0\n"                                   \
16818 -               "       subl %0,%3\n"                                   \
16819 -               "4:     rep; movsb\n"                                   \
16820 -               "       movl %3,%0\n"                                   \
16821 -               "       shrl $2,%0\n"                                   \
16822 -               "       andl $3,%3\n"                                   \
16823 -               "       .align 2,0x90\n"                                \
16824 -               "0:     rep; movsl\n"                                   \
16825 -               "       movl %3,%0\n"                                   \
16826 -               "1:     rep; movsb\n"                                   \
16827 -               "2:\n"                                                  \
16828 -               ".section .fixup,\"ax\"\n"                              \
16829 -               "5:     addl %3,%0\n"                                   \
16830 -               "       jmp 2b\n"                                       \
16831 -               "3:     lea 0(%3,%0,4),%0\n"                            \
16832 -               "       jmp 2b\n"                                       \
16833 -               ".previous\n"                                           \
16834 -               ".section __ex_table,\"a\"\n"                           \
16835 -               "       .align 4\n"                                     \
16836 -               "       .long 4b,5b\n"                                  \
16837 -               "       .long 0b,3b\n"                                  \
16838 -               "       .long 1b,2b\n"                                  \
16839 -               ".previous"                                             \
16840 -               : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)   \
16841 -               : "3"(size), "0"(size), "1"(to), "2"(from)              \
16842 -               : "memory");                                            \
16843 -} while (0)
16844 -
16845 -#define __copy_user_zeroing(to, from, size)                            \
16846 -do {                                                                   \
16847 -       int __d0, __d1, __d2;                                           \
16848 -       __asm__ __volatile__(                                           \
16849 -               "       cmp  $7,%0\n"                                   \
16850 -               "       jbe  1f\n"                                      \
16851 -               "       movl %1,%0\n"                                   \
16852 -               "       negl %0\n"                                      \
16853 -               "       andl $7,%0\n"                                   \
16854 -               "       subl %0,%3\n"                                   \
16855 -               "4:     rep; movsb\n"                                   \
16856 -               "       movl %3,%0\n"                                   \
16857 -               "       shrl $2,%0\n"                                   \
16858 -               "       andl $3,%3\n"                                   \
16859 -               "       .align 2,0x90\n"                                \
16860 -               "0:     rep; movsl\n"                                   \
16861 -               "       movl %3,%0\n"                                   \
16862 -               "1:     rep; movsb\n"                                   \
16863 -               "2:\n"                                                  \
16864 -               ".section .fixup,\"ax\"\n"                              \
16865 -               "5:     addl %3,%0\n"                                   \
16866 -               "       jmp 6f\n"                                       \
16867 -               "3:     lea 0(%3,%0,4),%0\n"                            \
16868 -               "6:     pushl %0\n"                                     \
16869 -               "       pushl %%eax\n"                                  \
16870 -               "       xorl %%eax,%%eax\n"                             \
16871 -               "       rep; stosb\n"                                   \
16872 -               "       popl %%eax\n"                                   \
16873 -               "       popl %0\n"                                      \
16874 -               "       jmp 2b\n"                                       \
16875 -               ".previous\n"                                           \
16876 -               ".section __ex_table,\"a\"\n"                           \
16877 -               "       .align 4\n"                                     \
16878 -               "       .long 4b,5b\n"                                  \
16879 -               "       .long 0b,3b\n"                                  \
16880 -               "       .long 1b,6b\n"                                  \
16881 -               ".previous"                                             \
16882 -               : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)   \
16883 -               : "3"(size), "0"(size), "1"(to), "2"(from)              \
16884 -               : "memory");                                            \
16885 -} while (0)
16886 +static unsigned long
16887 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
16888 +{
16889 +       int __d0, __d1, __d2;
16890 +
16891 +       __asm__ __volatile__(
16892 +               "       movw %w8,%%es\n"
16893 +               "       cmp  $7,%0\n"
16894 +               "       jbe  1f\n"
16895 +               "       movl %1,%0\n"
16896 +               "       negl %0\n"
16897 +               "       andl $7,%0\n"
16898 +               "       subl %0,%3\n"
16899 +               "4:     rep; movsb\n"
16900 +               "       movl %3,%0\n"
16901 +               "       shrl $2,%0\n"
16902 +               "       andl $3,%3\n"
16903 +               "       .align 2,0x90\n"
16904 +               "0:     rep; movsl\n"
16905 +               "       movl %3,%0\n"
16906 +               "1:     rep; movsb\n"
16907 +               "2:\n"
16908 +               "       pushl %%ss\n"
16909 +               "       popl %%es\n"
16910 +               ".section .fixup,\"ax\"\n"
16911 +               "5:     addl %3,%0\n"
16912 +               "       jmp 2b\n"
16913 +               "3:     lea 0(%3,%0,4),%0\n"
16914 +               "       jmp 2b\n"
16915 +               ".previous\n"
16916 +               ".section __ex_table,\"a\"\n"
16917 +               "       .align 4\n"
16918 +               "       .long 4b,5b\n"
16919 +               "       .long 0b,3b\n"
16920 +               "       .long 1b,2b\n"
16921 +               ".previous"
16922 +               : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
16923 +               : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
16924 +               : "memory");
16925 +       return size;
16926 +}
16927 +
16928 +static unsigned long
16929 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
16930 +{
16931 +       int __d0, __d1, __d2;
16932 +
16933 +       __asm__ __volatile__(
16934 +               "       movw %w8,%%ds\n"
16935 +               "       cmp  $7,%0\n"
16936 +               "       jbe  1f\n"
16937 +               "       movl %1,%0\n"
16938 +               "       negl %0\n"
16939 +               "       andl $7,%0\n"
16940 +               "       subl %0,%3\n"
16941 +               "4:     rep; movsb\n"
16942 +               "       movl %3,%0\n"
16943 +               "       shrl $2,%0\n"
16944 +               "       andl $3,%3\n"
16945 +               "       .align 2,0x90\n"
16946 +               "0:     rep; movsl\n"
16947 +               "       movl %3,%0\n"
16948 +               "1:     rep; movsb\n"
16949 +               "2:\n"
16950 +               "       pushl %%ss\n"
16951 +               "       popl %%ds\n"
16952 +               ".section .fixup,\"ax\"\n"
16953 +               "5:     addl %3,%0\n"
16954 +               "       jmp 2b\n"
16955 +               "3:     lea 0(%3,%0,4),%0\n"
16956 +               "       jmp 2b\n"
16957 +               ".previous\n"
16958 +               ".section __ex_table,\"a\"\n"
16959 +               "       .align 4\n"
16960 +               "       .long 4b,5b\n"
16961 +               "       .long 0b,3b\n"
16962 +               "       .long 1b,2b\n"
16963 +               ".previous"
16964 +               : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
16965 +               : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
16966 +               : "memory");
16967 +       return size;
16968 +}
16969 +
16970 +static unsigned long
16971 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
16972 +{
16973 +       int __d0, __d1, __d2;
16974 +
16975 +       __asm__ __volatile__(
16976 +               "       movw %w8,%%ds\n"
16977 +               "       cmp  $7,%0\n"
16978 +               "       jbe  1f\n"
16979 +               "       movl %1,%0\n"
16980 +               "       negl %0\n"
16981 +               "       andl $7,%0\n"
16982 +               "       subl %0,%3\n"
16983 +               "4:     rep; movsb\n"
16984 +               "       movl %3,%0\n"
16985 +               "       shrl $2,%0\n"
16986 +               "       andl $3,%3\n"
16987 +               "       .align 2,0x90\n"
16988 +               "0:     rep; movsl\n"
16989 +               "       movl %3,%0\n"
16990 +               "1:     rep; movsb\n"
16991 +               "2:\n"
16992 +               "       pushl %%ss\n"
16993 +               "       popl %%ds\n"
16994 +               ".section .fixup,\"ax\"\n"
16995 +               "5:     addl %3,%0\n"
16996 +               "       jmp 6f\n"
16997 +               "3:     lea 0(%3,%0,4),%0\n"
16998 +               "6:     pushl %0\n"
16999 +               "       pushl %%eax\n"
17000 +               "       xorl %%eax,%%eax\n"
17001 +               "       rep; stosb\n"
17002 +               "       popl %%eax\n"
17003 +               "       popl %0\n"
17004 +               "       jmp 2b\n"
17005 +               ".previous\n"
17006 +               ".section __ex_table,\"a\"\n"
17007 +               "       .align 4\n"
17008 +               "       .long 4b,5b\n"
17009 +               "       .long 0b,3b\n"
17010 +               "       .long 1b,6b\n"
17011 +               ".previous"
17012 +               : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17013 +               : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17014 +               : "memory");
17015 +       return size;
17016 +}
17017  
17018  unsigned long __copy_to_user_ll(void __user *to, const void *from,
17019                                 unsigned long n)
17020 @@ -775,9 +966,9 @@ survive:
17021         }
17022  #endif
17023         if (movsl_is_ok(to, from, n))
17024 -               __copy_user(to, from, n);
17025 +               n = __generic_copy_to_user(to, from, n);
17026         else
17027 -               n = __copy_user_intel(to, from, n);
17028 +               n = __generic_copy_to_user_intel(to, from, n);
17029         return n;
17030  }
17031  EXPORT_SYMBOL(__copy_to_user_ll);
17032 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17033                                         unsigned long n)
17034  {
17035         if (movsl_is_ok(to, from, n))
17036 -               __copy_user_zeroing(to, from, n);
17037 +               n = __copy_user_zeroing(to, from, n);
17038         else
17039                 n = __copy_user_zeroing_intel(to, from, n);
17040         return n;
17041 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17042                                          unsigned long n)
17043  {
17044         if (movsl_is_ok(to, from, n))
17045 -               __copy_user(to, from, n);
17046 +               n = __generic_copy_from_user(to, from, n);
17047         else
17048 -               n = __copy_user_intel((void __user *)to,
17049 -                                     (const void *)from, n);
17050 +               n = __generic_copy_from_user_intel(to, from, n);
17051         return n;
17052  }
17053  EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17054 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17055         if (n > 64 && cpu_has_xmm2)
17056                 n = __copy_user_zeroing_intel_nocache(to, from, n);
17057         else
17058 -               __copy_user_zeroing(to, from, n);
17059 +               n = __copy_user_zeroing(to, from, n);
17060  #else
17061 -       __copy_user_zeroing(to, from, n);
17062 +       n = __copy_user_zeroing(to, from, n);
17063  #endif
17064         return n;
17065  }
17066 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
17067         if (n > 64 && cpu_has_xmm2)
17068                 n = __copy_user_intel_nocache(to, from, n);
17069         else
17070 -               __copy_user(to, from, n);
17071 +               n = __generic_copy_from_user(to, from, n);
17072  #else
17073 -       __copy_user(to, from, n);
17074 +       n = __generic_copy_from_user(to, from, n);
17075  #endif
17076         return n;
17077  }
17078  EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17079  
17080 -/**
17081 - * copy_to_user: - Copy a block of data into user space.
17082 - * @to:   Destination address, in user space.
17083 - * @from: Source address, in kernel space.
17084 - * @n:    Number of bytes to copy.
17085 - *
17086 - * Context: User context only.  This function may sleep.
17087 - *
17088 - * Copy data from kernel space to user space.
17089 - *
17090 - * Returns number of bytes that could not be copied.
17091 - * On success, this will be zero.
17092 - */
17093 -unsigned long
17094 -copy_to_user(void __user *to, const void *from, unsigned long n)
17095 +void copy_from_user_overflow(void)
17096  {
17097 -       if (access_ok(VERIFY_WRITE, to, n))
17098 -               n = __copy_to_user(to, from, n);
17099 -       return n;
17100 +       WARN(1, "Buffer overflow detected!\n");
17101  }
17102 -EXPORT_SYMBOL(copy_to_user);
17103 +EXPORT_SYMBOL(copy_from_user_overflow);
17104  
17105 -/**
17106 - * copy_from_user: - Copy a block of data from user space.
17107 - * @to:   Destination address, in kernel space.
17108 - * @from: Source address, in user space.
17109 - * @n:    Number of bytes to copy.
17110 - *
17111 - * Context: User context only.  This function may sleep.
17112 - *
17113 - * Copy data from user space to kernel space.
17114 - *
17115 - * Returns number of bytes that could not be copied.
17116 - * On success, this will be zero.
17117 - *
17118 - * If some data could not be copied, this function will pad the copied
17119 - * data to the requested size using zero bytes.
17120 - */
17121 -unsigned long
17122 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17123 +void copy_to_user_overflow(void)
17124  {
17125 -       if (access_ok(VERIFY_READ, from, n))
17126 -               n = __copy_from_user(to, from, n);
17127 -       else
17128 -               memset(to, 0, n);
17129 -       return n;
17130 +       WARN(1, "Buffer overflow detected!\n");
17131  }
17132 -EXPORT_SYMBOL(_copy_from_user);
17133 +EXPORT_SYMBOL(copy_to_user_overflow);
17134  
17135 -void copy_from_user_overflow(void)
17136 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17137 +void __set_fs(mm_segment_t x, int cpu)
17138  {
17139 -       WARN(1, "Buffer overflow detected!\n");
17140 +       unsigned long limit = x.seg;
17141 +       struct desc_struct d;
17142 +
17143 +       current_thread_info()->addr_limit = x;
17144 +       if (unlikely(paravirt_enabled()))
17145 +               return;
17146 +
17147 +       if (likely(limit))
17148 +               limit = (limit - 1UL) >> PAGE_SHIFT;
17149 +       pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17150 +       write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17151  }
17152 -EXPORT_SYMBOL(copy_from_user_overflow);
17153 +
17154 +void set_fs(mm_segment_t x)
17155 +{
17156 +       __set_fs(x, get_cpu());
17157 +       put_cpu();
17158 +}
17159 +EXPORT_SYMBOL(copy_from_user);
17160 +#else
17161 +void set_fs(mm_segment_t x)
17162 +{
17163 +       current_thread_info()->addr_limit = x;
17164 +}
17165 +#endif
17166 +
17167 +EXPORT_SYMBOL(set_fs);
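Review bot: `EXPORT_SYMBOL(copy_from_user);` follows the `set_fs()` wrapper inside the `CONFIG_PAX_MEMORY_UDEREF` branch, yet this hunk removes `_copy_from_user()` together with its export and defines nothing called `copy_from_user`. Unless a definition elsewhere in the patch needs it, the export looks like a leftover that would exist only in UDEREF builds; I would drop the line or move it next to the definition, outside the `#ifdef`. Separately, `__set_fs()` stores `addr_limit` and then returns before `write_gdt_entry()` when `paravirt_enabled()` is true, so the user data segment limit is not adjusted on that path. If that is intended, a comment such as `/* paravirt: GDT entry is not rewritten here, only addr_limit changes */` would make the gap explicit for anyone relying on the segment limit.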
17168 diff -urNp linux-2.6.35.5/arch/x86/lib/usercopy_64.c linux-2.6.35.5/arch/x86/lib/usercopy_64.c
17169 --- linux-2.6.35.5/arch/x86/lib/usercopy_64.c   2010-08-26 19:47:12.000000000 -0400
17170 +++ linux-2.6.35.5/arch/x86/lib/usercopy_64.c   2010-09-17 20:12:09.000000000 -0400
17171 @@ -42,6 +42,8 @@ long
17172  __strncpy_from_user(char *dst, const char __user *src, long count)
17173  {
17174         long res;
17175 +       if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17176 +               src += PAX_USER_SHADOW_BASE;
17177         __do_strncpy_from_user(dst, src, count, res);
17178         return res;
17179  }
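Review bot: The shadow rebasing `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` is open-coded here and again in the `__clear_user()` and `copy_in_user()` hunks below (four copies in all), with no comment and no `#ifdef CONFIG_PAX_MEMORY_UDEREF` around it. Non-UDEREF builds therefore depend on how `PAX_USER_SHADOW_BASE` is defined for them, which is not visible in this file's hunks; unless that value makes the test always false, every user pointer is silently shifted. I would fold the test into one small static inline helper with a comment along the lines of `/* UDEREF: userland addresses are accessed through their shadow mapping; addresses at or above the base pass through unchanged */`. Note also that `__strncpy_from_user()` and `__clear_user()` perform no `access_ok()` in the visible lines, so the rebased pointer is only as trustworthy as the caller's check.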
17180 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17181  {
17182         long __d0;
17183         might_fault();
17184 +       if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17185 +               addr += PAX_USER_SHADOW_BASE;
17186         /* no memory constraint because it doesn't change any memory gcc knows
17187            about */
17188         asm volatile(
17189 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17190  
17191  unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17192  {
17193 -       if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) { 
17194 +       if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17195 +               if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17196 +                       to += PAX_USER_SHADOW_BASE;
17197 +               if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17198 +                       from += PAX_USER_SHADOW_BASE;
17199                 return copy_user_generic((__force void *)to, (__force void *)from, len);
17200 -       } 
17201 -       return len;             
17202 +       }
17203 +       return len;
17204  }
17205  EXPORT_SYMBOL(copy_in_user);
17206  
17207 diff -urNp linux-2.6.35.5/arch/x86/Makefile linux-2.6.35.5/arch/x86/Makefile
17208 --- linux-2.6.35.5/arch/x86/Makefile    2010-08-26 19:47:12.000000000 -0400
17209 +++ linux-2.6.35.5/arch/x86/Makefile    2010-09-17 20:12:09.000000000 -0400
17210 @@ -191,3 +191,12 @@ define archhelp
17211    echo  '                  FDARGS="..."  arguments for the booted kernel'
17212    echo  '                  FDINITRD=file initrd for the booted kernel'
17213  endef
17214 +
17215 +define OLD_LD
17216 +
17217 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17218 +*** Please upgrade your binutils to 2.18 or newer
17219 +endef
17220 +
17221 +archprepare:
17222 +       $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17223 diff -urNp linux-2.6.35.5/arch/x86/mm/extable.c linux-2.6.35.5/arch/x86/mm/extable.c
17224 --- linux-2.6.35.5/arch/x86/mm/extable.c        2010-08-26 19:47:12.000000000 -0400
17225 +++ linux-2.6.35.5/arch/x86/mm/extable.c        2010-09-17 20:12:09.000000000 -0400
17226 @@ -1,14 +1,71 @@
17227  #include <linux/module.h>
17228  #include <linux/spinlock.h>
17229 +#include <linux/sort.h>
17230  #include <asm/uaccess.h>
17231 +#include <asm/pgtable.h>
17232  
17233 +/*
17234 + * The exception table needs to be sorted so that the binary
17235 + * search that we use to find entries in it works properly.
17236 + * This is used both for the kernel exception table and for
17237 + * the exception tables of modules that get loaded.
17238 + */
17239 +static int cmp_ex(const void *a, const void *b)
17240 +{
17241 +       const struct exception_table_entry *x = a, *y = b;
17242 +
17243 +       /* avoid overflow */
17244 +       if (x->insn > y->insn)
17245 +               return 1;
17246 +       if (x->insn < y->insn)
17247 +               return -1;
17248 +       return 0;
17249 +}
17250 +
17251 +static void swap_ex(void *a, void *b, int size)
17252 +{
17253 +       struct exception_table_entry t, *x = a, *y = b;
17254 +
17255 +       t = *x;
17256 +
17257 +       pax_open_kernel();
17258 +       *x = *y;
17259 +       *y = t;
17260 +       pax_close_kernel();
17261 +}
17262 +
17263 +void sort_extable(struct exception_table_entry *start,
17264 +                 struct exception_table_entry *finish)
17265 +{
17266 +       sort(start, finish - start, sizeof(struct exception_table_entry),
17267 +            cmp_ex, swap_ex);
17268 +}
17269 +
17270 +#ifdef CONFIG_MODULES
17271 +/*
17272 + * If the exception table is sorted, any referring to the module init
17273 + * will be at the beginning or the end.
17274 + */
17275 +void trim_init_extable(struct module *m)
17276 +{
17277 +       /*trim the beginning*/
17278 +       while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17279 +               m->extable++;
17280 +               m->num_exentries--;
17281 +       }
17282 +       /*trim the end*/
17283 +       while (m->num_exentries &&
17284 +               within_module_init(m->extable[m->num_exentries-1].insn, m))
17285 +               m->num_exentries--;
17286 +}
17287 +#endif /* CONFIG_MODULES */
17288  
17289  int fixup_exception(struct pt_regs *regs)
17290  {
17291         const struct exception_table_entry *fixup;
17292  
17293  #ifdef CONFIG_PNPBIOS
17294 -       if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17295 +       if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17296                 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17297                 extern u32 pnp_bios_is_utter_crap;
17298                 pnp_bios_is_utter_crap = 1;
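Review bot: `swap_ex()` brackets its two stores with `pax_open_kernel()`/`pax_close_kernel()` without saying why, and it silently ignores its `size` argument. A short comment would help the next reader, for example `/* the table may be write-protected at this point, so open a write window only around the two stores */`, to be confirmed against the protection setup, which is not visible in this hunk. `sort_extable()` and `trim_init_extable()` are also defined here as non-static functions carrying the generic names, so the patch needs a matching `ARCH_HAS_SORT_EXTABLE` definition elsewhere to avoid duplicate symbols; I cannot see one from this hunk. `fixup_exception()` continues outside the hunk.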
17299 diff -urNp linux-2.6.35.5/arch/x86/mm/fault.c linux-2.6.35.5/arch/x86/mm/fault.c
17300 --- linux-2.6.35.5/arch/x86/mm/fault.c  2010-08-26 19:47:12.000000000 -0400
17301 +++ linux-2.6.35.5/arch/x86/mm/fault.c  2010-09-17 20:12:37.000000000 -0400
17302 @@ -11,10 +11,19 @@
17303  #include <linux/kprobes.h>             /* __kprobes, ...               */
17304  #include <linux/mmiotrace.h>           /* kmmio_handler, ...           */
17305  #include <linux/perf_event.h>          /* perf_sw_event                */
17306 +#include <linux/unistd.h>
17307 +#include <linux/compiler.h>
17308  
17309  #include <asm/traps.h>                 /* dotraplinkage, ...           */
17310  #include <asm/pgalloc.h>               /* pgd_*(), ...                 */
17311  #include <asm/kmemcheck.h>             /* kmemcheck_*(), ...           */
17312 +#include <asm/vsyscall.h>
17313 +#include <asm/tlbflush.h>
17314 +
17315 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17316 +#include <asm/stacktrace.h>
17317 +#include "../kernel/dumpstack.h"
17318 +#endif
17319  
17320  /*
17321   * Page fault error code bits:
17322 @@ -52,7 +61,7 @@ static inline int __kprobes notify_page_
17323         int ret = 0;
17324  
17325         /* kprobe_running() needs smp_processor_id() */
17326 -       if (kprobes_built_in() && !user_mode_vm(regs)) {
17327 +       if (kprobes_built_in() && !user_mode(regs)) {
17328                 preempt_disable();
17329                 if (kprobe_running() && kprobe_fault_handler(regs, 14))
17330                         ret = 1;
17331 @@ -173,6 +182,30 @@ force_sig_info_fault(int si_signo, int s
17332         force_sig_info(si_signo, &info, tsk);
17333  }
17334  
17335 +#ifdef CONFIG_PAX_EMUTRAMP
17336 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17337 +#endif
17338 +
17339 +#ifdef CONFIG_PAX_PAGEEXEC
17340 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17341 +{
17342 +       pgd_t *pgd;
17343 +       pud_t *pud;
17344 +       pmd_t *pmd;
17345 +
17346 +       pgd = pgd_offset(mm, address);
17347 +       if (!pgd_present(*pgd))
17348 +               return NULL;
17349 +       pud = pud_offset(pgd, address);
17350 +       if (!pud_present(*pud))
17351 +               return NULL;
17352 +       pmd = pmd_offset(pud, address);
17353 +       if (!pmd_present(*pmd))
17354 +               return NULL;
17355 +       return pmd;
17356 +}
17357 +#endif
17358 +
17359  DEFINE_SPINLOCK(pgd_lock);
17360  LIST_HEAD(pgd_list);
17361  
17362 @@ -225,11 +258,24 @@ void vmalloc_sync_all(void)
17363              address += PMD_SIZE) {
17364  
17365                 unsigned long flags;
17366 +
17367 +#ifdef CONFIG_PAX_PER_CPU_PGD
17368 +               unsigned long cpu;
17369 +#else
17370                 struct page *page;
17371 +#endif
17372  
17373                 spin_lock_irqsave(&pgd_lock, flags);
17374 +
17375 +#ifdef CONFIG_PAX_PER_CPU_PGD
17376 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17377 +                       pgd_t *pgd = get_cpu_pgd(cpu);
17378 +#else
17379                 list_for_each_entry(page, &pgd_list, lru) {
17380 -                       if (!vmalloc_sync_one(page_address(page), address))
17381 +                       pgd_t *pgd = page_address(page);
17382 +#endif
17383 +
17384 +                       if (!vmalloc_sync_one(pgd, address))
17385                                 break;
17386                 }
17387                 spin_unlock_irqrestore(&pgd_lock, flags);
17388 @@ -259,6 +305,11 @@ static noinline __kprobes int vmalloc_fa
17389          * an interrupt in the middle of a task switch..
17390          */
17391         pgd_paddr = read_cr3();
17392 +
17393 +#ifdef CONFIG_PAX_PER_CPU_PGD
17394 +       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17395 +#endif
17396 +
17397         pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17398         if (!pmd_k)
17399                 return -1;
17400 @@ -333,15 +384,27 @@ void vmalloc_sync_all(void)
17401  
17402                 const pgd_t *pgd_ref = pgd_offset_k(address);
17403                 unsigned long flags;
17404 +
17405 +#ifdef CONFIG_PAX_PER_CPU_PGD
17406 +               unsigned long cpu;
17407 +#else
17408                 struct page *page;
17409 +#endif
17410  
17411                 if (pgd_none(*pgd_ref))
17412                         continue;
17413  
17414                 spin_lock_irqsave(&pgd_lock, flags);
17415 +
17416 +#ifdef CONFIG_PAX_PER_CPU_PGD
17417 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17418 +                       pgd_t *pgd = pgd_offset_cpu(cpu, address);
17419 +#else
17420                 list_for_each_entry(page, &pgd_list, lru) {
17421                         pgd_t *pgd;
17422                         pgd = (pgd_t *)page_address(page) + pgd_index(address);
17423 +#endif
17424 +
17425                         if (pgd_none(*pgd))
17426                                 set_pgd(pgd, *pgd_ref);
17427                         else
17428 @@ -374,7 +437,14 @@ static noinline __kprobes int vmalloc_fa
17429          * happen within a race in page table update. In the later
17430          * case just flush:
17431          */
17432 +
17433 +#ifdef CONFIG_PAX_PER_CPU_PGD
17434 +       BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17435 +       pgd = pgd_offset_cpu(smp_processor_id(), address);
17436 +#else
17437         pgd = pgd_offset(current->active_mm, address);
17438 +#endif
17439 +
17440         pgd_ref = pgd_offset_k(address);
17441         if (pgd_none(*pgd_ref))
17442                 return -1;
17443 @@ -536,7 +606,7 @@ static int is_errata93(struct pt_regs *r
17444  static int is_errata100(struct pt_regs *regs, unsigned long address)
17445  {
17446  #ifdef CONFIG_X86_64
17447 -       if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17448 +       if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17449                 return 1;
17450  #endif
17451         return 0;
17452 @@ -563,7 +633,7 @@ static int is_f00f_bug(struct pt_regs *r
17453  }
17454  
17455  static const char nx_warning[] = KERN_CRIT
17456 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17457 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17458  
17459  static void
17460  show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17461 @@ -572,15 +642,26 @@ show_fault_oops(struct pt_regs *regs, un
17462         if (!oops_may_print())
17463                 return;
17464  
17465 -       if (error_code & PF_INSTR) {
17466 +       if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17467                 unsigned int level;
17468  
17469                 pte_t *pte = lookup_address(address, &level);
17470  
17471                 if (pte && pte_present(*pte) && !pte_exec(*pte))
17472 -                       printk(nx_warning, current_uid());
17473 +                       printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17474         }
17475  
17476 +#ifdef CONFIG_PAX_KERNEXEC
17477 +       if (init_mm.start_code <= address && address < init_mm.end_code) {
17478 +               if (current->signal->curr_ip)
17479 +                       printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17480 +                                        &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17481 +               else
17482 +                       printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17483 +                                        current->comm, task_pid_nr(current), current_uid(), current_euid());
17484 +       }
17485 +#endif
17486 +
17487         printk(KERN_ALERT "BUG: unable to handle kernel ");
17488         if (address < PAGE_SIZE)
17489                 printk(KERN_CONT "NULL pointer dereference");
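Review bot: The new `CONFIG_PAX_KERNEXEC` block logs "attempted to modify kernel code" for any fault whose address lies between `init_mm.start_code` and `init_mm.end_code`, without looking at `error_code`. `show_fault_oops()` (which starts and ends outside this hunk) receives the error code, so gating on a write would keep the message accurate for whoever triages these logs: `if ((error_code & PF_WRITE) && init_mm.start_code <= address && address < init_mm.end_code) {`. Both new messages and the extended `nx_warning` also print `current->comm`, which the task itself can set, so log parsers should key on the pid and uid fields rather than on the name.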
17490 @@ -705,6 +786,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17491                        unsigned long address, int si_code)
17492  {
17493         struct task_struct *tsk = current;
17494 +       struct mm_struct *mm = tsk->mm;
17495 +
17496 +#ifdef CONFIG_X86_64
17497 +       if (mm && (error_code & PF_INSTR)) {
17498 +               if (regs->ip == (unsigned long)vgettimeofday) {
17499 +                       regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17500 +                       return;
17501 +               } else if (regs->ip == (unsigned long)vtime) {
17502 +                       regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17503 +                       return;
17504 +               } else if (regs->ip == (unsigned long)vgetcpu) {
17505 +                       regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17506 +                       return;
17507 +               }
17508 +       }
17509 +#endif
17510 +
17511 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17512 +       if (mm && (error_code & PF_USER)) {
17513 +               unsigned long ip = regs->ip;
17514 +
17515 +               if (v8086_mode(regs))
17516 +                       ip = ((regs->cs & 0xffff) << 4) + (regs->ip & 0xffff);
17517 +
17518 +               /*
17519 +                * It's possible to have interrupts off here:
17520 +                */
17521 +               local_irq_enable();
17522 +
17523 +#ifdef CONFIG_PAX_PAGEEXEC
17524 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17525 +                   (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && regs->ip == address))) {
17526 +
17527 +#ifdef CONFIG_PAX_EMUTRAMP
17528 +                       switch (pax_handle_fetch_fault(regs)) {
17529 +                       case 2:
17530 +                               return;
17531 +                       }
17532 +#endif
17533 +
17534 +                       pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17535 +                       do_group_exit(SIGKILL);
17536 +               }
17537 +#endif
17538 +
17539 +#ifdef CONFIG_PAX_SEGMEXEC
17540 +               if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (regs->ip + SEGMEXEC_TASK_SIZE == address)) {
17541 +
17542 +#ifdef CONFIG_PAX_EMUTRAMP
17543 +                       switch (pax_handle_fetch_fault(regs)) {
17544 +                       case 2:
17545 +                               return;
17546 +                       }
17547 +#endif
17548 +
17549 +                       pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17550 +                       do_group_exit(SIGKILL);
17551 +               }
17552 +#endif
17553 +
17554 +       }
17555 +#endif
17556  
17557         /* User mode accesses just cause a SIGSEGV */
17558         if (error_code & PF_USER) {
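Review bot: In the `CONFIG_PAX_PAGEEXEC || CONFIG_PAX_SEGMEXEC` block the local `ip` is computed, including the `v8086_mode()` segment-and-offset adjustment, and then never read: both fetch tests and both `pax_report_fault()` calls use `regs->ip`. If the adjustment was meant to take effect, the comparisons should read `ip == address` and `(ip + SEGMEXEC_TASK_SIZE == address)`. As written, a v8086 task's offset-only `regs->ip` is compared against a linear fault address. If v8086 tasks are deliberately excluded from this check, which is not visible here, the variable and its `if` should be removed so the dead code does not suggest otherwise. `__bad_area_nosemaphore()` starts before and continues past this hunk.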
17559 @@ -851,6 +994,106 @@ static int spurious_fault_check(unsigned
17560         return 1;
17561  }
17562  
17563 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17564 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17565 +{
17566 +       pte_t *pte;
17567 +       pmd_t *pmd;
17568 +       spinlock_t *ptl;
17569 +       unsigned char pte_mask;
17570 +
17571 +       if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17572 +           !(mm->pax_flags & MF_PAX_PAGEEXEC))
17573 +               return 0;
17574 +
17575 +       /* PaX: it's our fault, let's handle it if we can */
17576 +
17577 +       /* PaX: take a look at read faults before acquiring any locks */
17578 +       if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17579 +               /* instruction fetch attempt from a protected page in user mode */
17580 +               up_read(&mm->mmap_sem);
17581 +
17582 +#ifdef CONFIG_PAX_EMUTRAMP
17583 +               switch (pax_handle_fetch_fault(regs)) {
17584 +               case 2:
17585 +                       return 1;
17586 +               }
17587 +#endif
17588 +
17589 +               pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17590 +               do_group_exit(SIGKILL);
17591 +       }
17592 +
17593 +       pmd = pax_get_pmd(mm, address);
17594 +       if (unlikely(!pmd))
17595 +               return 0;
17596 +
17597 +       pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17598 +       if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17599 +               pte_unmap_unlock(pte, ptl);
17600 +               return 0;
17601 +       }
17602 +
17603 +       if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17604 +               /* write attempt to a protected page in user mode */
17605 +               pte_unmap_unlock(pte, ptl);
17606 +               return 0;
17607 +       }
17608 +
17609 +#ifdef CONFIG_SMP
17610 +       if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17611 +#else
17612 +       if (likely(address > get_limit(regs->cs)))
17613 +#endif
17614 +       {
17615 +               set_pte(pte, pte_mkread(*pte));
17616 +               __flush_tlb_one(address);
17617 +               pte_unmap_unlock(pte, ptl);
17618 +               up_read(&mm->mmap_sem);
17619 +               return 1;
17620 +       }
17621 +
17622 +       pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17623 +
17624 +       /*
17625 +        * PaX: fill DTLB with user rights and retry
17626 +        */
17627 +       __asm__ __volatile__ (
17628 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17629 +               "movw %w4,%%es\n"
17630 +#endif
17631 +               "orb %2,(%1)\n"
17632 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17633 +/*
17634 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17635 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17636 + * page fault when examined during a TLB load attempt. this is true not only
17637 + * for PTEs holding a non-present entry but also present entries that will
17638 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17639 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17640 + * for our target pages since their PTEs are simply not in the TLBs at all.
17641 +
17642 + * the best thing in omitting it is that we gain around 15-20% speed in the
17643 + * fast path of the page fault handler and can get rid of tracing since we
17644 + * can no longer flush unintended entries.
17645 + */
17646 +               "invlpg (%0)\n"
17647 +#endif
17648 +               "testb $0,%%es:(%0)\n"
17649 +               "xorb %3,(%1)\n"
17650 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17651 +               "pushl %%ss\n"
17652 +               "popl %%es\n"
17653 +#endif
17654 +               :
17655 +               : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
17656 +               : "memory", "cc");
17657 +       pte_unmap_unlock(pte, ptl);
17658 +       up_read(&mm->mmap_sem);
17659 +       return 1;
17660 +}
17661 +#endif
17662 +
17663  /*
17664   * Handle a spurious fault caused by a stale TLB entry.
17665   *
17666 @@ -917,6 +1160,9 @@ int show_unhandled_signals = 1;
17667  static inline int
17668  access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
17669  {
17670 +       if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17671 +               return 1;
17672 +
17673         if (write) {
17674                 /* write, present and write, not present: */
17675                 if (unlikely(!(vma->vm_flags & VM_WRITE)))
17676 @@ -950,17 +1196,31 @@ do_page_fault(struct pt_regs *regs, unsi
17677  {
17678         struct vm_area_struct *vma;
17679         struct task_struct *tsk;
17680 -       unsigned long address;
17681         struct mm_struct *mm;
17682         int write;
17683         int fault;
17684  
17685 +       /* Get the faulting address: */
17686 +       unsigned long address = read_cr2();
17687 +
17688 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17689 +       if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17690 +               if (!search_exception_tables(regs->ip)) {
17691 +                       bad_area_nosemaphore(regs, error_code, address);
17692 +                       return;
17693 +               }
17694 +               if (address < PAX_USER_SHADOW_BASE) {
17695 +                       printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17696 +                       printk(KERN_ERR "PAX: faulting IP: %pS\n", (void *)regs->ip);
17697 +                       show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
17698 +               } else
17699 +                       address -= PAX_USER_SHADOW_BASE;
17700 +       }
17701 +#endif
17702 +
17703         tsk = current;
17704         mm = tsk->mm;
17705  
17706 -       /* Get the faulting address: */
17707 -       address = read_cr2();
17708 -
17709         /*
17710          * Detect and handle instructions that would cause a page fault for
17711          * both a tracked kernel page and a userspace page.
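Review bot: The three logging calls in the `address < PAX_USER_SHADOW_BASE` branch are not rate limited, so a kernel path that keeps faulting on a low address can fill the log with stack traces. Wrapping them in `if (printk_ratelimit())` would bound that. The same branch pairs a braced `if` with an unbraced `else`, where kernel style braces both arms. A short comment saying what the two address ranges mean would also help, since `address -= PAX_USER_SHADOW_BASE` apparently maps a shadow-window fault back to the user address and the layout is defined outside this hunk. do_page_fault's body continues outside the hunk.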
17712 @@ -1020,7 +1280,7 @@ do_page_fault(struct pt_regs *regs, unsi
17713          * User-mode registers count as a user access even for any
17714          * potential system fault or CPU buglet:
17715          */
17716 -       if (user_mode_vm(regs)) {
17717 +       if (user_mode(regs)) {
17718                 local_irq_enable();
17719                 error_code |= PF_USER;
17720         } else {
17721 @@ -1074,6 +1334,11 @@ do_page_fault(struct pt_regs *regs, unsi
17722                 might_sleep();
17723         }
17724  
17725 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17726 +       if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17727 +               return;
17728 +#endif
17729 +
17730         vma = find_vma(mm, address);
17731         if (unlikely(!vma)) {
17732                 bad_area(regs, error_code, address);
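Review bot: The early `return` leaves do_page_fault with no visible `up_read(&mm->mmap_sem)`, so it depends on pax_handle_pageexec_fault() having dropped the semaphore itself whenever it returns non-zero. The two exits of that helper visible earlier in this diff do call `pte_unmap_unlock()` and `up_read()` before `return 1`, but nothing at the call site says so. I would add `/* non-zero: fault handled, mmap_sem already released by the helper */` above the `return`. The helper's beginning and the rest of do_page_fault are outside this hunk, so the zero-return paths, which must leave the lock held, could not be checked.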
17733 @@ -1085,18 +1350,24 @@ do_page_fault(struct pt_regs *regs, unsi
17734                 bad_area(regs, error_code, address);
17735                 return;
17736         }
17737 -       if (error_code & PF_USER) {
17738 -               /*
17739 -                * Accessing the stack below %sp is always a bug.
17740 -                * The large cushion allows instructions like enter
17741 -                * and pusha to work. ("enter $65535, $31" pushes
17742 -                * 32 pointers and then decrements %sp by 65535.)
17743 -                */
17744 -               if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17745 -                       bad_area(regs, error_code, address);
17746 -                       return;
17747 -               }
17748 +       /*
17749 +        * Accessing the stack below %sp is always a bug.
17750 +        * The large cushion allows instructions like enter
17751 +        * and pusha to work. ("enter $65535, $31" pushes
17752 +        * 32 pointers and then decrements %sp by 65535.)
17753 +        */
17754 +       if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17755 +               bad_area(regs, error_code, address);
17756 +               return;
17757         }
17758 +
17759 +#ifdef CONFIG_PAX_SEGMEXEC
17760 +       if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17761 +               bad_area(regs, error_code, address);
17762 +               return;
17763 +       }
17764 +#endif
17765 +
17766         if (unlikely(expand_stack(vma, address))) {
17767                 bad_area(regs, error_code, address);
17768                 return;
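Review bot: The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` works only through unsigned wraparound and carries no comment. Because find_vma() returns a vma with `address < vma->vm_end`, the comparison is true exactly when `address <= SEGMEXEC_TASK_SIZE < vma->vm_end`, that is, when growing the stack would cross the SEGMEXEC_TASK_SIZE boundary. I would state that above the test, e.g. `/* refuse to grow a vma that ends above SEGMEXEC_TASK_SIZE down to an address at or below it */`. Separately, the stack-cushion check is no longer limited to `PF_USER` faults and now compares against `task_pt_regs(tsk)->sp`, which its unchanged comment does not mention. do_page_fault's body continues outside the hunk.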
17769 @@ -1140,3 +1411,199 @@ good_area:
17770  
17771         up_read(&mm->mmap_sem);
17772  }
17773 +
17774 +#ifdef CONFIG_PAX_EMUTRAMP
17775 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17776 +{
17777 +       int err;
17778 +
17779 +       do { /* PaX: gcc trampoline emulation #1 */
17780 +               unsigned char mov1, mov2;
17781 +               unsigned short jmp;
17782 +               unsigned int addr1, addr2;
17783 +
17784 +#ifdef CONFIG_X86_64
17785 +               if ((regs->ip + 11) >> 32)
17786 +                       break;
17787 +#endif
17788 +
17789 +               err = get_user(mov1, (unsigned char __user *)regs->ip);
17790 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17791 +               err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17792 +               err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17793 +               err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17794 +
17795 +               if (err)
17796 +                       break;
17797 +
17798 +               if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17799 +                       regs->cx = addr1;
17800 +                       regs->ax = addr2;
17801 +                       regs->ip = addr2;
17802 +                       return 2;
17803 +               }
17804 +       } while (0);
17805 +
17806 +       do { /* PaX: gcc trampoline emulation #2 */
17807 +               unsigned char mov, jmp;
17808 +               unsigned int addr1, addr2;
17809 +
17810 +#ifdef CONFIG_X86_64
17811 +               if ((regs->ip + 9) >> 32)
17812 +                       break;
17813 +#endif
17814 +
17815 +               err = get_user(mov, (unsigned char __user *)regs->ip);
17816 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17817 +               err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17818 +               err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17819 +
17820 +               if (err)
17821 +                       break;
17822 +
17823 +               if (mov == 0xB9 && jmp == 0xE9) {
17824 +                       regs->cx = addr1;
17825 +                       regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17826 +                       return 2;
17827 +               }
17828 +       } while (0);
17829 +
17830 +       return 1; /* PaX in action */
17831 +}
17832 +
17833 +#ifdef CONFIG_X86_64
17834 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17835 +{
17836 +       int err;
17837 +
17838 +       do { /* PaX: gcc trampoline emulation #1 */
17839 +               unsigned short mov1, mov2, jmp1;
17840 +               unsigned char jmp2;
17841 +               unsigned int addr1;
17842 +               unsigned long addr2;
17843 +
17844 +               err = get_user(mov1, (unsigned short __user *)regs->ip);
17845 +               err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17846 +               err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17847 +               err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17848 +               err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17849 +               err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17850 +
17851 +               if (err)
17852 +                       break;
17853 +
17854 +               if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17855 +                       regs->r11 = addr1;
17856 +                       regs->r10 = addr2;
17857 +                       regs->ip = addr1;
17858 +                       return 2;
17859 +               }
17860 +       } while (0);
17861 +
17862 +       do { /* PaX: gcc trampoline emulation #2 */
17863 +               unsigned short mov1, mov2, jmp1;
17864 +               unsigned char jmp2;
17865 +               unsigned long addr1, addr2;
17866 +
17867 +               err = get_user(mov1, (unsigned short __user *)regs->ip);
17868 +               err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
17869 +               err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
17870 +               err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
17871 +               err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
17872 +               err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
17873 +
17874 +               if (err)
17875 +                       break;
17876 +
17877 +               if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17878 +                       regs->r11 = addr1;
17879 +                       regs->r10 = addr2;
17880 +                       regs->ip = addr1;
17881 +                       return 2;
17882 +               }
17883 +       } while (0);
17884 +
17885 +       return 1; /* PaX in action */
17886 +}
17887 +#endif
17888 +
17889 +/*
17890 + * PaX: decide what to do with offenders (regs->ip = fault address)
17891 + *
17892 + * returns 1 when task should be killed
17893 + *         2 when gcc trampoline was detected
17894 + */
17895 +static int pax_handle_fetch_fault(struct pt_regs *regs)
17896 +{
17897 +       if (v8086_mode(regs))
17898 +               return 1;
17899 +
17900 +       if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
17901 +               return 1;
17902 +
17903 +#ifdef CONFIG_X86_32
17904 +       return pax_handle_fetch_fault_32(regs);
17905 +#else
17906 +       if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
17907 +               return pax_handle_fetch_fault_32(regs);
17908 +       else
17909 +               return pax_handle_fetch_fault_64(regs);
17910 +#endif
17911 +}
17912 +#endif
17913 +
17914 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17915 +void pax_report_insns(void *pc, void *sp)
17916 +{
17917 +       long i;
17918 +
17919 +       printk(KERN_ERR "PAX: bytes at PC: ");
17920 +       for (i = 0; i < 20; i++) {
17921 +               unsigned char c;
17922 +               if (get_user(c, (__force unsigned char __user *)pc+i))
17923 +                       printk(KERN_CONT "?? ");
17924 +               else
17925 +                       printk(KERN_CONT "%02x ", c);
17926 +       }
17927 +       printk("\n");
17928 +
17929 +       printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
17930 +       for (i = -1; i < 80 / (long)sizeof(long); i++) {
17931 +               unsigned long c;
17932 +               if (get_user(c, (__force unsigned long __user *)sp+i))
17933 +#ifdef CONFIG_X86_32
17934 +                       printk(KERN_CONT "???????? ");
17935 +#else
17936 +                       printk(KERN_CONT "???????????????? ");
17937 +#endif
17938 +               else
17939 +                       printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
17940 +       }
17941 +       printk("\n");
17942 +}
17943 +#endif
17944 +
17945 +/**
17946 + * probe_kernel_write(): safely attempt to write to a location
17947 + * @dst: address to write to
17948 + * @src: pointer to the data that shall be written
17949 + * @size: size of the data chunk
17950 + *
17951 + * Safely write to address @dst from the buffer at @src.  If a kernel fault
17952 + * happens, handle that and return -EFAULT.
17953 + */
17954 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
17955 +{
17956 +       long ret;
17957 +       mm_segment_t old_fs = get_fs();
17958 +
17959 +       set_fs(KERNEL_DS);
17960 +       pagefault_disable();
17961 +       pax_open_kernel();
17962 +       ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
17963 +       pax_close_kernel();
17964 +       pagefault_enable();
17965 +       set_fs(old_fs);
17966 +
17967 +       return ret ? -EFAULT : 0;
17968 +}
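Review bot: pax_report_insns() copies 20 bytes at the user PC and 80 bytes around the user stack pointer into the kernel log at KERN_ERR, so data from the faulting process becomes readable by anyone who can read that log. Whether log access is restricted is not visible in this hunk; a comment on the function such as `/* dumps user code and stack bytes to the kernel log; log readers will see process data */` would make the exposure explicit. The two closing `printk("\n")` calls carry no `KERN_CONT`, unlike the other continuation lines. The opcode constants in the trampoline matchers (`0xB9`, `0xB8`, `0xE0FF`, `0xE9`, `0xBB41`, `0xBB49`, `0xBA49`, `0xFF49`, `0xE3`) would also benefit from a one-line comment per pattern naming the instruction sequence it matches.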
17969 diff -urNp linux-2.6.35.5/arch/x86/mm/gup.c linux-2.6.35.5/arch/x86/mm/gup.c
17970 --- linux-2.6.35.5/arch/x86/mm/gup.c    2010-08-26 19:47:12.000000000 -0400
17971 +++ linux-2.6.35.5/arch/x86/mm/gup.c    2010-09-17 20:12:09.000000000 -0400
17972 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long 
17973         addr = start;
17974         len = (unsigned long) nr_pages << PAGE_SHIFT;
17975         end = start + len;
17976 -       if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17977 +       if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17978                                         (void __user *)start, len)))
17979                 return 0;
17980  
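Review bot: The user-range check is switched from `access_ok()` to `__access_ok()` with nothing in the hunk saying how the two differ. This is the only validation of `start`/`len` in the visible lines, so the reason for using the double-underscore variant deserves a comment at the call, e.g. `/* __access_ok: <reason the full access_ok() cannot be used here> */` with the actual reason filled in. The definition of `__access_ok` is outside this file's diff, and the function body continues outside the hunk.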
17981 diff -urNp linux-2.6.35.5/arch/x86/mm/highmem_32.c linux-2.6.35.5/arch/x86/mm/highmem_32.c
17982 --- linux-2.6.35.5/arch/x86/mm/highmem_32.c     2010-08-26 19:47:12.000000000 -0400
17983 +++ linux-2.6.35.5/arch/x86/mm/highmem_32.c     2010-09-17 20:12:09.000000000 -0400
17984 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
17985         idx = type + KM_TYPE_NR*smp_processor_id();
17986         vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17987         BUG_ON(!pte_none(*(kmap_pte-idx)));
17988 +
17989 +       pax_open_kernel();
17990         set_pte(kmap_pte-idx, mk_pte(page, prot));
17991 +       pax_close_kernel();
17992  
17993         return (void *)vaddr;
17994  }
17995 diff -urNp linux-2.6.35.5/arch/x86/mm/hugetlbpage.c linux-2.6.35.5/arch/x86/mm/hugetlbpage.c
17996 --- linux-2.6.35.5/arch/x86/mm/hugetlbpage.c    2010-08-26 19:47:12.000000000 -0400
17997 +++ linux-2.6.35.5/arch/x86/mm/hugetlbpage.c    2010-09-17 20:12:09.000000000 -0400
17998 @@ -266,13 +266,18 @@ static unsigned long hugetlb_get_unmappe
17999         struct hstate *h = hstate_file(file);
18000         struct mm_struct *mm = current->mm;
18001         struct vm_area_struct *vma;
18002 -       unsigned long start_addr;
18003 +       unsigned long start_addr, pax_task_size = TASK_SIZE;
18004 +
18005 +#ifdef CONFIG_PAX_SEGMEXEC
18006 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
18007 +               pax_task_size = SEGMEXEC_TASK_SIZE;
18008 +#endif
18009  
18010         if (len > mm->cached_hole_size) {
18011 -               start_addr = mm->free_area_cache;
18012 +               start_addr = mm->free_area_cache;
18013         } else {
18014 -               start_addr = TASK_UNMAPPED_BASE;
18015 -               mm->cached_hole_size = 0;
18016 +               start_addr = mm->mmap_base;
18017 +               mm->cached_hole_size = 0;
18018         }
18019  
18020  full_search:
18021 @@ -280,26 +285,27 @@ full_search:
18022  
18023         for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18024                 /* At this point:  (!vma || addr < vma->vm_end). */
18025 -               if (TASK_SIZE - len < addr) {
18026 +               if (pax_task_size - len < addr) {
18027                         /*
18028                          * Start a new search - just in case we missed
18029                          * some holes.
18030                          */
18031 -                       if (start_addr != TASK_UNMAPPED_BASE) {
18032 -                               start_addr = TASK_UNMAPPED_BASE;
18033 +                       if (start_addr != mm->mmap_base) {
18034 +                               start_addr = mm->mmap_base;
18035                                 mm->cached_hole_size = 0;
18036                                 goto full_search;
18037                         }
18038                         return -ENOMEM;
18039                 }
18040 -               if (!vma || addr + len <= vma->vm_start) {
18041 -                       mm->free_area_cache = addr + len;
18042 -                       return addr;
18043 -               }
18044 +               if (check_heap_stack_gap(vma, addr, len))
18045 +                       break;
18046                 if (addr + mm->cached_hole_size < vma->vm_start)
18047                         mm->cached_hole_size = vma->vm_start - addr;
18048                 addr = ALIGN(vma->vm_end, huge_page_size(h));
18049         }
18050 +
18051 +       mm->free_area_cache = addr + len;
18052 +       return addr;
18053  }
18054  
18055  static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
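Review bot: When `check_heap_stack_gap(vma, addr, len)` returns false, the loop goes on to dereference `vma->vm_start` and `vma->vm_end`, so the helper must return true whenever `vma` is NULL; the removed test guaranteed that with an explicit `!vma ||`. The helper is defined outside this file's diff, so that cannot be confirmed here. Either keep the guard at the call, `if (!vma || check_heap_stack_gap(vma, addr, len))`, or add a comment stating the helper's NULL contract. The same dependency exists in the top-down loop (hunk `@@ -329,33 +334,27 @@`) and in the hint path of hugetlb_get_unmapped_area (hunk `@@ -414,8 +425,7 @@`), although the latter does not touch `vma` afterwards. The function starts outside this hunk.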
18056 @@ -308,10 +314,9 @@ static unsigned long hugetlb_get_unmappe
18057  {
18058         struct hstate *h = hstate_file(file);
18059         struct mm_struct *mm = current->mm;
18060 -       struct vm_area_struct *vma, *prev_vma;
18061 -       unsigned long base = mm->mmap_base, addr = addr0;
18062 +       struct vm_area_struct *vma;
18063 +       unsigned long base = mm->mmap_base, addr;
18064         unsigned long largest_hole = mm->cached_hole_size;
18065 -       int first_time = 1;
18066  
18067         /* don't allow allocations above current base */
18068         if (mm->free_area_cache > base)
18069 @@ -321,7 +326,7 @@ static unsigned long hugetlb_get_unmappe
18070                 largest_hole = 0;
18071                 mm->free_area_cache  = base;
18072         }
18073 -try_again:
18074 +
18075         /* make sure it can fit in the remaining address space */
18076         if (mm->free_area_cache < len)
18077                 goto fail;
18078 @@ -329,33 +334,27 @@ try_again:
18079         /* either no address requested or cant fit in requested address hole */
18080         addr = (mm->free_area_cache - len) & huge_page_mask(h);
18081         do {
18082 +               vma = find_vma(mm, addr);
18083                 /*
18084                  * Lookup failure means no vma is above this address,
18085                  * i.e. return with success:
18086 -                */
18087 -               if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18088 -                       return addr;
18089 -
18090 -               /*
18091                  * new region fits between prev_vma->vm_end and
18092                  * vma->vm_start, use it:
18093                  */
18094 -               if (addr + len <= vma->vm_start &&
18095 -                           (!prev_vma || (addr >= prev_vma->vm_end))) {
18096 +               if (check_heap_stack_gap(vma, addr, len)) {
18097                         /* remember the address as a hint for next time */
18098 -                       mm->cached_hole_size = largest_hole;
18099 -                       return (mm->free_area_cache = addr);
18100 -               } else {
18101 -                       /* pull free_area_cache down to the first hole */
18102 -                       if (mm->free_area_cache == vma->vm_end) {
18103 -                               mm->free_area_cache = vma->vm_start;
18104 -                               mm->cached_hole_size = largest_hole;
18105 -                       }
18106 +                       mm->cached_hole_size = largest_hole;
18107 +                       return (mm->free_area_cache = addr);
18108 +               }
18109 +               /* pull free_area_cache down to the first hole */
18110 +               if (mm->free_area_cache == vma->vm_end) {
18111 +                       mm->free_area_cache = vma->vm_start;
18112 +                       mm->cached_hole_size = largest_hole;
18113                 }
18114  
18115                 /* remember the largest hole we saw so far */
18116                 if (addr + largest_hole < vma->vm_start)
18117 -                       largest_hole = vma->vm_start - addr;
18118 +                       largest_hole = vma->vm_start - addr;
18119  
18120                 /* try just below the current vma->vm_start */
18121                 addr = (vma->vm_start - len) & huge_page_mask(h);
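Review bot: The comment inside the loop is now two old comments fused together and no longer matches the code. It still describes a failed lookup returning success and a `prev_vma` that this hunk removes. Something like `/* take addr if the gap check passes; a NULL vma (nothing above addr) is expected to pass as well */` would describe the single remaining test. The function starts outside the hunk.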
18122 @@ -363,22 +362,26 @@ try_again:
18123  
18124  fail:
18125         /*
18126 -        * if hint left us with no space for the requested
18127 -        * mapping then try again:
18128 -        */
18129 -       if (first_time) {
18130 -               mm->free_area_cache = base;
18131 -               largest_hole = 0;
18132 -               first_time = 0;
18133 -               goto try_again;
18134 -       }
18135 -       /*
18136          * A failed mmap() very likely causes application failure,
18137          * so fall back to the bottom-up function here. This scenario
18138          * can happen with large stack limits and large mmap()
18139          * allocations.
18140          */
18141 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
18142 +
18143 +#ifdef CONFIG_PAX_SEGMEXEC
18144 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
18145 +               mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18146 +       else
18147 +#endif
18148 +
18149 +       mm->mmap_base = TASK_UNMAPPED_BASE;
18150 +
18151 +#ifdef CONFIG_PAX_RANDMMAP
18152 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
18153 +               mm->mmap_base += mm->delta_mmap;
18154 +#endif
18155 +
18156 +       mm->free_area_cache = mm->mmap_base;
18157         mm->cached_hole_size = ~0UL;
18158         addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18159                         len, pgoff, flags);
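Review bot: The `else` inside `#ifdef CONFIG_PAX_SEGMEXEC` binds to `mm->mmap_base = TASK_UNMAPPED_BASE;` across the `#endif` and a blank line, which is easy to break when a statement is later inserted between them. Assigning the default first and overriding it inside the conditional avoids that: `mm->mmap_base = TASK_UNMAPPED_BASE;` followed by the `#ifdef` block with a plain `if (mm->pax_flags & MF_PAX_SEGMEXEC)` and `mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;`. The fallback also overwrites `mm->mmap_base` temporarily and relies on the restore added in the next hunk. A comment noting that nothing else may observe `mmap_base` in between would help; this is presumably guaranteed by the caller's locking, which is not visible here. The function starts outside the hunk.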
18160 @@ -386,6 +389,7 @@ fail:
18161         /*
18162          * Restore the topdown base:
18163          */
18164 +       mm->mmap_base = base;
18165         mm->free_area_cache = base;
18166         mm->cached_hole_size = ~0UL;
18167  
18168 @@ -399,10 +403,17 @@ hugetlb_get_unmapped_area(struct file *f
18169         struct hstate *h = hstate_file(file);
18170         struct mm_struct *mm = current->mm;
18171         struct vm_area_struct *vma;
18172 +       unsigned long pax_task_size = TASK_SIZE;
18173  
18174         if (len & ~huge_page_mask(h))
18175                 return -EINVAL;
18176 -       if (len > TASK_SIZE)
18177 +
18178 +#ifdef CONFIG_PAX_SEGMEXEC
18179 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
18180 +               pax_task_size = SEGMEXEC_TASK_SIZE;
18181 +#endif
18182 +
18183 +       if (len > pax_task_size)
18184                 return -ENOMEM;
18185  
18186         if (flags & MAP_FIXED) {
18187 @@ -414,8 +425,7 @@ hugetlb_get_unmapped_area(struct file *f
18188         if (addr) {
18189                 addr = ALIGN(addr, huge_page_size(h));
18190                 vma = find_vma(mm, addr);
18191 -               if (TASK_SIZE - len >= addr &&
18192 -                   (!vma || addr + len <= vma->vm_start))
18193 +               if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18194                         return addr;
18195         }
18196         if (mm->get_unmapped_area == arch_get_unmapped_area)
18197 diff -urNp linux-2.6.35.5/arch/x86/mm/init_32.c linux-2.6.35.5/arch/x86/mm/init_32.c
18198 --- linux-2.6.35.5/arch/x86/mm/init_32.c        2010-08-26 19:47:12.000000000 -0400
18199 +++ linux-2.6.35.5/arch/x86/mm/init_32.c        2010-09-17 20:12:09.000000000 -0400
18200 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
18201  }
18202  
18203  /*
18204 - * Creates a middle page table and puts a pointer to it in the
18205 - * given global directory entry. This only returns the gd entry
18206 - * in non-PAE compilation mode, since the middle layer is folded.
18207 - */
18208 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18209 -{
18210 -       pud_t *pud;
18211 -       pmd_t *pmd_table;
18212 -
18213 -#ifdef CONFIG_X86_PAE
18214 -       if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18215 -               if (after_bootmem)
18216 -                       pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18217 -               else
18218 -                       pmd_table = (pmd_t *)alloc_low_page();
18219 -               paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18220 -               set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18221 -               pud = pud_offset(pgd, 0);
18222 -               BUG_ON(pmd_table != pmd_offset(pud, 0));
18223 -
18224 -               return pmd_table;
18225 -       }
18226 -#endif
18227 -       pud = pud_offset(pgd, 0);
18228 -       pmd_table = pmd_offset(pud, 0);
18229 -
18230 -       return pmd_table;
18231 -}
18232 -
18233 -/*
18234   * Create a page table and place a pointer to it in a middle page
18235   * directory entry:
18236   */
18237 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
18238                         page_table = (pte_t *)alloc_low_page();
18239  
18240                 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18241 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18242 +               set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18243 +#else
18244                 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18245 +#endif
18246                 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18247         }
18248  
18249         return pte_offset_kernel(pmd, 0);
18250  }
18251  
18252 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18253 +{
18254 +       pud_t *pud;
18255 +       pmd_t *pmd_table;
18256 +
18257 +       pud = pud_offset(pgd, 0);
18258 +       pmd_table = pmd_offset(pud, 0);
18259 +
18260 +       return pmd_table;
18261 +}
18262 +
18263  pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18264  {
18265         int pgd_idx = pgd_index(vaddr);
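Review bot: The re-added one_md_table_init() has lost both its comment and the PAE branch that allocated a pmd page when the pgd entry was not present (see the removed version earlier in this file's diff). It now only looks the table up and silently assumes it already exists. A comment should say so, e.g. `/* Return the pmd table for @pgd; the table must already be present, nothing is allocated here. */`. Where the PAE pmd pages are set up instead is not visible in this diff section, so the assumption could not be verified.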
18266 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
18267         int pgd_idx, pmd_idx;
18268         unsigned long vaddr;
18269         pgd_t *pgd;
18270 +       pud_t *pud;
18271         pmd_t *pmd;
18272         pte_t *pte = NULL;
18273  
18274 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
18275         pgd = pgd_base + pgd_idx;
18276  
18277         for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18278 -               pmd = one_md_table_init(pgd);
18279 -               pmd = pmd + pmd_index(vaddr);
18280 +               pud = pud_offset(pgd, vaddr);
18281 +               pmd = pmd_offset(pud, vaddr);
18282 +
18283 +#ifdef CONFIG_X86_PAE
18284 +               paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18285 +#endif
18286 +
18287                 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18288                                                         pmd++, pmd_idx++) {
18289                         pte = page_table_kmap_check(one_page_table_init(pmd),
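Review bot: `paravirt_alloc_pmd()` is now called on every pgd iteration under CONFIG_X86_PAE, whereas the removed one_md_table_init() called it only right after allocating a fresh pmd page. Whether notifying the paravirt backend repeatedly for an already-present pmd page is harmless depends on the backend and is not visible here. A comment such as `/* pmd pages are preallocated; (re)announce them to the paravirt layer */` would state the intent. The same pattern appears in kernel_physical_mapping_init (hunk `@@ -279,8 +280,13 @@`), where it sits below the `repeat:` label and so may run more than once. The function starts outside this hunk.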
18290 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
18291         }
18292  }
18293  
18294 -static inline int is_kernel_text(unsigned long addr)
18295 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18296  {
18297 -       if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18298 -               return 1;
18299 -       return 0;
18300 +       if ((start > ktla_ktva((unsigned long)_etext) ||
18301 +            end <= ktla_ktva((unsigned long)_stext)) &&
18302 +           (start > ktla_ktva((unsigned long)_einittext) ||
18303 +            end <= ktla_ktva((unsigned long)_sinittext)) &&
18304 +
18305 +#ifdef CONFIG_ACPI_SLEEP
18306 +           (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18307 +#endif
18308 +
18309 +           (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
18310 +               return 0;
18311 +       return 1;
18312  }
18313  
18314  /*
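Review bot: is_kernel_text() now decides which ranges receive the `PAGE_KERNEL_EXEC` / `PAGE_KERNEL_LARGE_EXEC` protections in the hunks below, yet the four ranges it tests and the constants `0x4000`, `0xc0000` and `0xfffff` are unexplained. A comment above the function should list each range (kernel text, init text, the ACPI wakeup area, the `0xc0000`–`0xfffff` window) and why it needs to stay executable. The name is also no longer accurate, since two of the ranges are not kernel text. The bounds are asymmetric (`start >` against `end <=`), so a range beginning exactly at `_etext` is still classified as text; that may be deliberate, but it is worth a word in the comment.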
18315 @@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
18316         unsigned long last_map_addr = end;
18317         unsigned long start_pfn, end_pfn;
18318         pgd_t *pgd_base = swapper_pg_dir;
18319 -       int pgd_idx, pmd_idx, pte_ofs;
18320 +       unsigned int pgd_idx, pmd_idx, pte_ofs;
18321         unsigned long pfn;
18322         pgd_t *pgd;
18323 +       pud_t *pud;
18324         pmd_t *pmd;
18325         pte_t *pte;
18326         unsigned pages_2m, pages_4k;
18327 @@ -279,8 +280,13 @@ repeat:
18328         pfn = start_pfn;
18329         pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18330         pgd = pgd_base + pgd_idx;
18331 -       for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18332 -               pmd = one_md_table_init(pgd);
18333 +       for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18334 +               pud = pud_offset(pgd, 0);
18335 +               pmd = pmd_offset(pud, 0);
18336 +
18337 +#ifdef CONFIG_X86_PAE
18338 +               paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18339 +#endif
18340  
18341                 if (pfn >= end_pfn)
18342                         continue;
18343 @@ -292,14 +298,13 @@ repeat:
18344  #endif
18345                 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18346                      pmd++, pmd_idx++) {
18347 -                       unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18348 +                       unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18349  
18350                         /*
18351                          * Map with big pages if possible, otherwise
18352                          * create normal page tables:
18353                          */
18354                         if (use_pse) {
18355 -                               unsigned int addr2;
18356                                 pgprot_t prot = PAGE_KERNEL_LARGE;
18357                                 /*
18358                                  * first pass will use the same initial
18359 @@ -309,11 +314,7 @@ repeat:
18360                                         __pgprot(PTE_IDENT_ATTR |
18361                                                  _PAGE_PSE);
18362  
18363 -                               addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18364 -                                       PAGE_OFFSET + PAGE_SIZE-1;
18365 -
18366 -                               if (is_kernel_text(addr) ||
18367 -                                   is_kernel_text(addr2))
18368 +                               if (is_kernel_text(address, address + PMD_SIZE))
18369                                         prot = PAGE_KERNEL_LARGE_EXEC;
18370  
18371                                 pages_2m++;
18372 @@ -330,7 +331,7 @@ repeat:
18373                         pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18374                         pte += pte_ofs;
18375                         for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18376 -                            pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18377 +                            pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18378                                 pgprot_t prot = PAGE_KERNEL;
18379                                 /*
18380                                  * first pass will use the same initial
18381 @@ -338,7 +339,7 @@ repeat:
18382                                  */
18383                                 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18384  
18385 -                               if (is_kernel_text(addr))
18386 +                               if (is_kernel_text(address, address + PAGE_SIZE))
18387                                         prot = PAGE_KERNEL_EXEC;
18388  
18389                                 pages_4k++;
18390 @@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
18391  
18392                 pud = pud_offset(pgd, va);
18393                 pmd = pmd_offset(pud, va);
18394 -               if (!pmd_present(*pmd))
18395 +               if (!pmd_present(*pmd) || pmd_huge(*pmd))
18396                         break;
18397  
18398                 pte = pte_offset_kernel(pmd, va);
18399 @@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
18400  
18401  static void __init pagetable_init(void)
18402  {
18403 -       pgd_t *pgd_base = swapper_pg_dir;
18404 -
18405 -       permanent_kmaps_init(pgd_base);
18406 +       permanent_kmaps_init(swapper_pg_dir);
18407  }
18408  
18409  #ifdef CONFIG_ACPI_SLEEP
18410 @@ -553,12 +552,12 @@ static void __init pagetable_init(void)
18411   * ACPI suspend needs this for resume, because things like the intel-agp
18412   * driver might have split up a kernel 4MB mapping.
18413   */
18414 -char swsusp_pg_dir[PAGE_SIZE]
18415 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
18416         __attribute__ ((aligned(PAGE_SIZE)));
18417  
18418  static inline void save_pg_dir(void)
18419  {
18420 -       memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
18421 +       clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
18422  }
18423  #else /* !CONFIG_ACPI_SLEEP */
18424  static inline void save_pg_dir(void)
18425 @@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
18426                 flush_tlb_all();
18427  }
18428  
18429 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18430 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18431  EXPORT_SYMBOL_GPL(__supported_pte_mask);
18432  
18433  /* user-defined highmem size */
18434 @@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
18435          * Initialize the boot-time allocator (with low memory only):
18436          */
18437         bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
18438 -       bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18439 +       bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18440                                  PAGE_SIZE);
18441         if (bootmap == -1L)
18442                 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
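Review bot: The new lower bound `0x100000` passed to find_e820_area() is a bare literal, and the same boundary reappears as `start = 0x100000` in find_early_table_space() (arch/x86/mm/init.c) and as `pfn >= 0x100` in __ioremap_caller() (arch/x86/mm/ioremap.c). devmem_is_allowed() in this same patch already names that limit `ISA_END_ADDRESS`, so, assuming that macro is the 1 MiB mark, `find_e820_area(ISA_END_ADDRESS, ...)` and `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)` would keep the three sites tied together. If the intent is to keep early allocations out of the first megabyte, a one-line comment saying so belongs at each site. setup_bootmem_allocator() begins and ends outside this hunk.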
18443 @@ -871,6 +870,12 @@ void __init mem_init(void)
18444  
18445         pci_iommu_alloc();
18446  
18447 +#ifdef CONFIG_PAX_PER_CPU_PGD
18448 +       clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18449 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18450 +                       KERNEL_PGD_PTRS);
18451 +#endif
18452 +
18453  #ifdef CONFIG_FLATMEM
18454         BUG_ON(!mem_map);
18455  #endif
18456 @@ -888,7 +893,7 @@ void __init mem_init(void)
18457         set_highmem_pages_init();
18458  
18459         codesize =  (unsigned long) &_etext - (unsigned long) &_text;
18460 -       datasize =  (unsigned long) &_edata - (unsigned long) &_etext;
18461 +       datasize =  (unsigned long) &_edata - (unsigned long) &_sdata;
18462         initsize =  (unsigned long) &__init_end - (unsigned long) &__init_begin;
18463  
18464         printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18465 @@ -929,10 +934,10 @@ void __init mem_init(void)
18466                 ((unsigned long)&__init_end -
18467                  (unsigned long)&__init_begin) >> 10,
18468  
18469 -               (unsigned long)&_etext, (unsigned long)&_edata,
18470 -               ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18471 +               (unsigned long)&_sdata, (unsigned long)&_edata,
18472 +               ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18473  
18474 -               (unsigned long)&_text, (unsigned long)&_etext,
18475 +               ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18476                 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18477  
18478         /*
18479 @@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
18480         if (!kernel_set_to_readonly)
18481                 return;
18482  
18483 +       start = ktla_ktva(start);
18484         pr_debug("Set kernel text: %lx - %lx for read write\n",
18485                  start, start+size);
18486  
18487 @@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
18488         if (!kernel_set_to_readonly)
18489                 return;
18490  
18491 +       start = ktla_ktva(start);
18492         pr_debug("Set kernel text: %lx - %lx for read only\n",
18493                  start, start+size);
18494  
18495 @@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
18496         unsigned long start = PFN_ALIGN(_text);
18497         unsigned long size = PFN_ALIGN(_etext) - start;
18498  
18499 +       start = ktla_ktva(start);
18500         set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18501         printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18502                 size >> 10);
18503 diff -urNp linux-2.6.35.5/arch/x86/mm/init_64.c linux-2.6.35.5/arch/x86/mm/init_64.c
18504 --- linux-2.6.35.5/arch/x86/mm/init_64.c        2010-08-26 19:47:12.000000000 -0400
18505 +++ linux-2.6.35.5/arch/x86/mm/init_64.c        2010-09-17 20:12:09.000000000 -0400
18506 @@ -50,7 +50,6 @@
18507  #include <asm/numa.h>
18508  #include <asm/cacheflush.h>
18509  #include <asm/init.h>
18510 -#include <linux/bootmem.h>
18511  
18512  static unsigned long dma_reserve __initdata;
18513  
18514 @@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
18515   * around without checking the pgd every time.
18516   */
18517  
18518 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18519 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18520  EXPORT_SYMBOL_GPL(__supported_pte_mask);
18521  
18522  int force_personality32;
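Review bot: With `_PAGE_NX` now cleared from the initial `__supported_pte_mask`, every `_PAGE_NX & __supported_pte_mask` expression this patch adds (free_initmem() in init.c, static_protections() in pageattr.c) evaluates to zero until something sets the bit back, and that code is not in this hunk. Because the variable also becomes `__read_only`, the later write presumably has to happen inside a pax_open_kernel() bracket or before the section is protected. A comment here naming where NX is re-enabled, e.g. `/* _PAGE_NX is added at boot once the CPU is known to support it */`, would stop a reader from assuming NX is enforced from the first mapping, and a boot-time message when the bit stays clear would make a silent loss of NX visible.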
18523 @@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page, 
18524         pmd = fill_pmd(pud, vaddr);
18525         pte = fill_pte(pmd, vaddr);
18526  
18527 +       pax_open_kernel();
18528         set_pte(pte, new_pte);
18529 +       pax_close_kernel();
18530  
18531         /*
18532          * It's enough to flush this one mapping.
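Review bot: The `pax_open_kernel()` / `pax_close_kernel()` bracket added around `set_pte()` carries no comment, and the same bracket is added without explanation in kmap_atomic_prot_pfn() (iomap_32.c), set_pte_vaddr() (pgtable_32.c) and __set_pmd_pte() (pageattr.c). Their definitions are not visible here; if, as the names suggest, they lift and restore write protection on kernel page tables, each window should cover only the store itself, and __set_pmd_pte() is the outlier because its window spans a loop over every pgd. A comment at this first site, e.g. `/* page tables are write-protected; open a write window for this single store */`, would tell the next editor not to add code inside the bracket. set_pte_vaddr_pud() begins and ends outside the hunk.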
18533 @@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
18534                 pgd = pgd_offset_k((unsigned long)__va(phys));
18535                 if (pgd_none(*pgd)) {
18536                         pud = (pud_t *) spp_getpage();
18537 -                       set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18538 -                                               _PAGE_USER));
18539 +                       set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18540                 }
18541                 pud = pud_offset(pgd, (unsigned long)__va(phys));
18542                 if (pud_none(*pud)) {
18543                         pmd = (pmd_t *) spp_getpage();
18544 -                       set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18545 -                                               _PAGE_USER));
18546 +                       set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18547                 }
18548                 pmd = pmd_offset(pud, phys);
18549                 BUG_ON(!pmd_none(*pmd));
18550 @@ -680,6 +679,12 @@ void __init mem_init(void)
18551  
18552         pci_iommu_alloc();
18553  
18554 +#ifdef CONFIG_PAX_PER_CPU_PGD
18555 +       clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18556 +                       swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18557 +                       KERNEL_PGD_PTRS);
18558 +#endif
18559 +
18560         /* clear_bss() already clear the empty_zero_page */
18561  
18562         reservedpages = 0;
18563 @@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
18564  static struct vm_area_struct gate_vma = {
18565         .vm_start       = VSYSCALL_START,
18566         .vm_end         = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18567 -       .vm_page_prot   = PAGE_READONLY_EXEC,
18568 -       .vm_flags       = VM_READ | VM_EXEC
18569 +       .vm_page_prot   = PAGE_READONLY,
18570 +       .vm_flags       = VM_READ
18571  };
18572  
18573  struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
18574 @@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
18575  
18576  const char *arch_vma_name(struct vm_area_struct *vma)
18577  {
18578 -       if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18579 +       if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18580                 return "[vdso]";
18581         if (vma == &gate_vma)
18582                 return "[vsyscall]";
18583 diff -urNp linux-2.6.35.5/arch/x86/mm/init.c linux-2.6.35.5/arch/x86/mm/init.c
18584 --- linux-2.6.35.5/arch/x86/mm/init.c   2010-08-26 19:47:12.000000000 -0400
18585 +++ linux-2.6.35.5/arch/x86/mm/init.c   2010-09-17 20:12:09.000000000 -0400
18586 @@ -70,11 +70,7 @@ static void __init find_early_table_spac
18587          * cause a hotspot and fill up ZONE_DMA. The page tables
18588          * need roughly 0.5KB per GB.
18589          */
18590 -#ifdef CONFIG_X86_32
18591 -       start = 0x7000;
18592 -#else
18593 -       start = 0x8000;
18594 -#endif
18595 +       start = 0x100000;
18596         e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
18597                                         tables, PAGE_SIZE);
18598         if (e820_table_start == -1UL)
18599 @@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
18600   */
18601  int devmem_is_allowed(unsigned long pagenr)
18602  {
18603 -       if (pagenr <= 256)
18604 +       if (!pagenr)
18605 +               return 1;
18606 +#ifdef CONFIG_VM86
18607 +       if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18608 +               return 1;
18609 +#endif
18610 +       if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18611                 return 1;
18612         if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
18613                 return 0;
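Review bot: The three allow-rules that replace `pagenr <= 256` have no comment saying which physical ranges stay reachable through /dev/mem and why, and the function's header comment (above the hunk, not visible) may still describe the old first-megabyte rule. The new tests also move the boundary: frame 256 was allowed before and is now subject to the checks that follow, and frames between 1 and the ISA hole are allowed only with CONFIG_VM86. A short comment above the block, e.g. `/* allow page 0 and the ISA hole; low RAM below it only when vm86 needs it */`, would record that policy. With CONFIG_VM86 enabled the `!pagenr` test is subsumed by the next one, which is harmless but worth noting there. devmem_is_allowed() continues past the end of the hunk.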
18614 @@ -380,6 +382,88 @@ void free_init_pages(char *what, unsigne
18615  
18616  void free_initmem(void)
18617  {
18618 +
18619 +#ifdef CONFIG_PAX_KERNEXEC
18620 +#ifdef CONFIG_X86_32
18621 +       /* PaX: limit KERNEL_CS to actual size */
18622 +       unsigned long addr, limit;
18623 +       struct desc_struct d;
18624 +       int cpu;
18625 +
18626 +       limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18627 +       limit = (limit - 1UL) >> PAGE_SHIFT;
18628 +
18629 +       memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18630 +       for (cpu = 0; cpu < NR_CPUS; cpu++) {
18631 +               pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18632 +               write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18633 +       }
18634 +
18635 +       /* PaX: make KERNEL_CS read-only */
18636 +       addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18637 +       if (!paravirt_enabled())
18638 +               set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18639 +/*
18640 +               for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18641 +                       pgd = pgd_offset_k(addr);
18642 +                       pud = pud_offset(pgd, addr);
18643 +                       pmd = pmd_offset(pud, addr);
18644 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18645 +               }
18646 +*/
18647 +#ifdef CONFIG_X86_PAE
18648 +       set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18649 +/*
18650 +       for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18651 +               pgd = pgd_offset_k(addr);
18652 +               pud = pud_offset(pgd, addr);
18653 +               pmd = pmd_offset(pud, addr);
18654 +               set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18655 +       }
18656 +*/
18657 +#endif
18658 +
18659 +#ifdef CONFIG_MODULES
18660 +       set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18661 +#endif
18662 +
18663 +#else
18664 +       pgd_t *pgd;
18665 +       pud_t *pud;
18666 +       pmd_t *pmd;
18667 +       unsigned long addr, end;
18668 +
18669 +       /* PaX: make kernel code/rodata read-only, rest non-executable */
18670 +       for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18671 +               pgd = pgd_offset_k(addr);
18672 +               pud = pud_offset(pgd, addr);
18673 +               pmd = pmd_offset(pud, addr);
18674 +               if (!pmd_present(*pmd))
18675 +                       continue;
18676 +               if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18677 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18678 +               else
18679 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18680 +       }
18681 +
18682 +       addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18683 +       end = addr + KERNEL_IMAGE_SIZE;
18684 +       for (; addr < end; addr += PMD_SIZE) {
18685 +               pgd = pgd_offset_k(addr);
18686 +               pud = pud_offset(pgd, addr);
18687 +               pmd = pmd_offset(pud, addr);
18688 +               if (!pmd_present(*pmd))
18689 +                       continue;
18690 +               if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18691 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18692 +               else
18693 +                       set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18694 +       }
18695 +#endif
18696 +
18697 +       flush_tlb_all();
18698 +#endif
18699 +
18700         free_init_pages("unused kernel memory",
18701                         (unsigned long)(&__init_begin),
18702                         (unsigned long)(&__init_end));
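Review bot: The X86_32 branch loops `for (cpu = 0; cpu < NR_CPUS; cpu++)` and rewrites `get_cpu_gdt_table(cpu)` for every index, including CPUs that are not possible on the running machine and whose per-cpu GDT may not exist; `for_each_possible_cpu(cpu) {` would limit the write to areas that were set up (the NR_CPUS loop added to __set_pmd_pte() in pageattr.c has the same shape). `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` passes what appears to be an integer expression as the destination, so it should read `memset((void *)(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET), POISON_FREE_INITMEM, PAGE_SIZE);`. The results of set_memory_ro(), set_memory_nx() and set_memory_4k() are discarded, so a failure to write-protect kernel text would pass silently; wrapping them in WARN_ON() would at least surface it. The two commented-out set_pmd() loops are dead code and should be removed rather than shipped. free_initmem() continues past the end of the hunk.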
18703 diff -urNp linux-2.6.35.5/arch/x86/mm/iomap_32.c linux-2.6.35.5/arch/x86/mm/iomap_32.c
18704 --- linux-2.6.35.5/arch/x86/mm/iomap_32.c       2010-08-26 19:47:12.000000000 -0400
18705 +++ linux-2.6.35.5/arch/x86/mm/iomap_32.c       2010-09-17 20:12:09.000000000 -0400
18706 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18707         debug_kmap_atomic(type);
18708         idx = type + KM_TYPE_NR * smp_processor_id();
18709         vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18710 +
18711 +       pax_open_kernel();
18712         set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18713 +       pax_close_kernel();
18714 +
18715         arch_flush_lazy_mmu_mode();
18716  
18717         return (void *)vaddr;
18718 diff -urNp linux-2.6.35.5/arch/x86/mm/ioremap.c linux-2.6.35.5/arch/x86/mm/ioremap.c
18719 --- linux-2.6.35.5/arch/x86/mm/ioremap.c        2010-08-26 19:47:12.000000000 -0400
18720 +++ linux-2.6.35.5/arch/x86/mm/ioremap.c        2010-09-17 20:12:09.000000000 -0400
18721 @@ -100,13 +100,10 @@ static void __iomem *__ioremap_caller(re
18722         /*
18723          * Don't allow anybody to remap normal RAM that we're using..
18724          */
18725 -       for (pfn = phys_addr >> PAGE_SHIFT;
18726 -                               (pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK);
18727 -                               pfn++) {
18728 -
18729 +       for (pfn = phys_addr >> PAGE_SHIFT; ((resource_size_t)pfn << PAGE_SHIFT) < (last_addr & PAGE_MASK); pfn++) {
18730                 int is_ram = page_is_ram(pfn);
18731  
18732 -               if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18733 +               if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18734                         return NULL;
18735                 WARN_ON_ONCE(is_ram);
18736         }
18737 @@ -346,7 +343,7 @@ static int __init early_ioremap_debug_se
18738  early_param("early_ioremap_debug", early_ioremap_debug_setup);
18739  
18740  static __initdata int after_paging_init;
18741 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18742 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18743  
18744  static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18745  {
18746 @@ -378,8 +375,7 @@ void __init early_ioremap_init(void)
18747                 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18748  
18749         pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18750 -       memset(bm_pte, 0, sizeof(bm_pte));
18751 -       pmd_populate_kernel(&init_mm, pmd, bm_pte);
18752 +       pmd_populate_user(&init_mm, pmd, bm_pte);
18753  
18754         /*
18755          * The boot-ioremap range spans multiple pmds, for which
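Review bot: `pmd_populate_user()` is now used to install `bm_pte`, a boot-time fixmap page table belonging to `init_mm`, and nothing in the hunk says why the user variant is wanted for a kernel-only mapping. Its definition is not visible here; if it sets the user-accessible bit in the pmd entry, the comment should state why that is safe for the early-ioremap range. The removed `memset(bm_pte, 0, sizeof(bm_pte))` now relies on the array being zero from static initialization after the previous hunk moved it from `__page_aligned_bss` to `__read_only`, which is worth a one-line remark such as `/* bm_pte is statically zeroed and lives in read-only data, so no memset here */`. early_ioremap_init() begins and ends outside the hunk.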
18756 diff -urNp linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c
18757 --- linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c    2010-08-26 19:47:12.000000000 -0400
18758 +++ linux-2.6.35.5/arch/x86/mm/kmemcheck/kmemcheck.c    2010-09-17 20:12:09.000000000 -0400
18759 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18760          * memory (e.g. tracked pages)? For now, we need this to avoid
18761          * invoking kmemcheck for PnP BIOS calls.
18762          */
18763 -       if (regs->flags & X86_VM_MASK)
18764 +       if (v8086_mode(regs))
18765                 return false;
18766 -       if (regs->cs != __KERNEL_CS)
18767 +       if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18768                 return false;
18769  
18770         pte = kmemcheck_pte_lookup(address);
18771 diff -urNp linux-2.6.35.5/arch/x86/mm/mmap.c linux-2.6.35.5/arch/x86/mm/mmap.c
18772 --- linux-2.6.35.5/arch/x86/mm/mmap.c   2010-08-26 19:47:12.000000000 -0400
18773 +++ linux-2.6.35.5/arch/x86/mm/mmap.c   2010-09-17 20:12:09.000000000 -0400
18774 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18775   * Leave an at least ~128 MB hole with possible stack randomization.
18776   */
18777  #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18778 -#define MAX_GAP (TASK_SIZE/6*5)
18779 +#define MAX_GAP (pax_task_size/6*5)
18780  
18781  /*
18782   * True on X86_32 or when emulating IA32 on X86_64
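Review bot: `MAX_GAP` now expands to `pax_task_size/6*5`, a name that exists only as a local variable inside mmap_base() (next hunk), so the macro silently depends on the scope it is expanded in and will not compile anywhere else. Passing the size explicitly keeps that dependency visible: `#define MAX_GAP(task_size) ((task_size)/6*5)` with `else if (gap > MAX_GAP(pax_task_size))` at the use site. The parentheses around the argument also protect against an expression being passed later.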
18783 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18784         return rnd << PAGE_SHIFT;
18785  }
18786  
18787 -static unsigned long mmap_base(void)
18788 +static unsigned long mmap_base(struct mm_struct *mm)
18789  {
18790         unsigned long gap = rlimit(RLIMIT_STACK);
18791 +       unsigned long pax_task_size = TASK_SIZE;
18792 +
18793 +#ifdef CONFIG_PAX_SEGMEXEC
18794 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
18795 +               pax_task_size = SEGMEXEC_TASK_SIZE;
18796 +#endif
18797  
18798         if (gap < MIN_GAP)
18799                 gap = MIN_GAP;
18800         else if (gap > MAX_GAP)
18801                 gap = MAX_GAP;
18802  
18803 -       return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18804 +       return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18805  }
18806  
18807  /*
18808   * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18809   * does, but not when emulating X86_32
18810   */
18811 -static unsigned long mmap_legacy_base(void)
18812 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18813  {
18814 -       if (mmap_is_ia32())
18815 +       if (mmap_is_ia32()) {
18816 +
18817 +#ifdef CONFIG_PAX_SEGMEXEC
18818 +               if (mm->pax_flags & MF_PAX_SEGMEXEC)
18819 +                       return SEGMEXEC_TASK_UNMAPPED_BASE;
18820 +               else
18821 +#endif
18822 +
18823                 return TASK_UNMAPPED_BASE;
18824 -       else
18825 +       } else
18826                 return TASK_UNMAPPED_BASE + mmap_rnd();
18827  }
18828  
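Review bot: In mmap_legacy_base() the `else` that closes the CONFIG_PAX_SEGMEXEC block pairs with the `return TASK_UNMAPPED_BASE;` that follows `#endif`, so one if/else statement is split across a preprocessor boundary and reads differently depending on the option. Since the SEGMEXEC branch returns, the `else` can simply be dropped: keep `if (mm->pax_flags & MF_PAX_SEGMEXEC)` and `return SEGMEXEC_TASK_UNMAPPED_BASE;` inside the `#ifdef` and leave the plain return after it. The outer `} else` with a braced if-branch and an unbraced else-branch would also read better with braces on both sides.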
18829 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18830  void arch_pick_mmap_layout(struct mm_struct *mm)
18831  {
18832         if (mmap_is_legacy()) {
18833 -               mm->mmap_base = mmap_legacy_base();
18834 +               mm->mmap_base = mmap_legacy_base(mm);
18835 +
18836 +#ifdef CONFIG_PAX_RANDMMAP
18837 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
18838 +                       mm->mmap_base += mm->delta_mmap;
18839 +#endif
18840 +
18841                 mm->get_unmapped_area = arch_get_unmapped_area;
18842                 mm->unmap_area = arch_unmap_area;
18843         } else {
18844 -               mm->mmap_base = mmap_base();
18845 +               mm->mmap_base = mmap_base(mm);
18846 +
18847 +#ifdef CONFIG_PAX_RANDMMAP
18848 +               if (mm->pax_flags & MF_PAX_RANDMMAP)
18849 +                       mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18850 +#endif
18851 +
18852                 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18853                 mm->unmap_area = arch_unmap_area_topdown;
18854         }
18855 diff -urNp linux-2.6.35.5/arch/x86/mm/numa_32.c linux-2.6.35.5/arch/x86/mm/numa_32.c
18856 --- linux-2.6.35.5/arch/x86/mm/numa_32.c        2010-08-26 19:47:12.000000000 -0400
18857 +++ linux-2.6.35.5/arch/x86/mm/numa_32.c        2010-09-17 20:12:09.000000000 -0400
18858 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
18859  }
18860  #endif
18861  
18862 -extern unsigned long find_max_low_pfn(void);
18863  extern unsigned long highend_pfn, highstart_pfn;
18864  
18865  #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
18866 diff -urNp linux-2.6.35.5/arch/x86/mm/pageattr.c linux-2.6.35.5/arch/x86/mm/pageattr.c
18867 --- linux-2.6.35.5/arch/x86/mm/pageattr.c       2010-08-26 19:47:12.000000000 -0400
18868 +++ linux-2.6.35.5/arch/x86/mm/pageattr.c       2010-09-17 20:12:09.000000000 -0400
18869 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
18870          * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
18871          */
18872         if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
18873 -               pgprot_val(forbidden) |= _PAGE_NX;
18874 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18875  
18876         /*
18877          * The kernel text needs to be executable for obvious reasons
18878          * Does not cover __inittext since that is gone later on. On
18879          * 64bit we do not enforce !NX on the low mapping
18880          */
18881 -       if (within(address, (unsigned long)_text, (unsigned long)_etext))
18882 -               pgprot_val(forbidden) |= _PAGE_NX;
18883 +       if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
18884 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18885  
18886 +#ifdef CONFIG_DEBUG_RODATA
18887         /*
18888          * The .rodata section needs to be read-only. Using the pfn
18889          * catches all aliases.
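Review bot: The added `#ifdef CONFIG_DEBUG_RODATA` (closed by the `#endif` in the next hunk) makes the `.rodata` `_PAGE_RW` prohibition conditional, where static_protections() previously applied it on every build. On a configuration with neither CONFIG_DEBUG_RODATA nor CONFIG_PAX_KERNEXEC, nothing visible in this function still forbids a writable alias of the `.rodata` frames. If that is intended because `.rodata` is not write-protected on such kernels anyway, a comment such as `/* .rodata is only kept read-only with DEBUG_RODATA; KERNEXEC covers it separately below */` would record the decision, with the KERNEXEC half to be confirmed against the `_text`..`_sdata` range. static_protections() begins and ends outside this hunk.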
18890 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
18891         if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
18892                    __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
18893                 pgprot_val(forbidden) |= _PAGE_RW;
18894 +#endif
18895  
18896  #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18897         /*
18898 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
18899         }
18900  #endif
18901  
18902 +#ifdef CONFIG_PAX_KERNEXEC
18903 +       if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
18904 +               pgprot_val(forbidden) |= _PAGE_RW;
18905 +               pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18906 +       }
18907 +#endif
18908 +
18909         prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
18910  
18911         return prot;
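Review bot: The new KERNEXEC check calls `within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))`, comparing a page-frame number against unshifted physical addresses, whereas the `.rodata` check just above shifts both bounds with `>> PAGE_SHIFT`. As written the test matches frames whose number lies between those byte addresses, which are most likely not the frames holding the kernel image, so the forbidden `_PAGE_RW` and `_PAGE_NX` bits would not be applied to the intended pages. The bounds should read `__pa((unsigned long)&_text) >> PAGE_SHIFT` and `__pa((unsigned long)&_sdata) >> PAGE_SHIFT`. static_protections() begins and ends outside this hunk.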
18912 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
18913  static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
18914  {
18915         /* change init_mm */
18916 +       pax_open_kernel();
18917         set_pte_atomic(kpte, pte);
18918 +
18919  #ifdef CONFIG_X86_32
18920         if (!SHARED_KERNEL_PMD) {
18921 +
18922 +#ifdef CONFIG_PAX_PER_CPU_PGD
18923 +               unsigned long cpu;
18924 +#else
18925                 struct page *page;
18926 +#endif
18927  
18928 +#ifdef CONFIG_PAX_PER_CPU_PGD
18929 +               for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18930 +                       pgd_t *pgd = get_cpu_pgd(cpu);
18931 +#else
18932                 list_for_each_entry(page, &pgd_list, lru) {
18933 -                       pgd_t *pgd;
18934 +                       pgd_t *pgd = (pgd_t *)page_address(page);
18935 +#endif
18936 +
18937                         pud_t *pud;
18938                         pmd_t *pmd;
18939  
18940 -                       pgd = (pgd_t *)page_address(page) + pgd_index(address);
18941 +                       pgd += pgd_index(address);
18942                         pud = pud_offset(pgd, address);
18943                         pmd = pmd_offset(pud, address);
18944                         set_pte_atomic((pte_t *)pmd, pte);
18945                 }
18946         }
18947  #endif
18948 +       pax_close_kernel();
18949  }
18950  
18951  static int
18952 diff -urNp linux-2.6.35.5/arch/x86/mm/pageattr-test.c linux-2.6.35.5/arch/x86/mm/pageattr-test.c
18953 --- linux-2.6.35.5/arch/x86/mm/pageattr-test.c  2010-08-26 19:47:12.000000000 -0400
18954 +++ linux-2.6.35.5/arch/x86/mm/pageattr-test.c  2010-09-17 20:12:09.000000000 -0400
18955 @@ -36,7 +36,7 @@ enum {
18956  
18957  static int pte_testbit(pte_t pte)
18958  {
18959 -       return pte_flags(pte) & _PAGE_UNUSED1;
18960 +       return pte_flags(pte) & _PAGE_CPA_TEST;
18961  }
18962  
18963  struct split_state {
18964 diff -urNp linux-2.6.35.5/arch/x86/mm/pat.c linux-2.6.35.5/arch/x86/mm/pat.c
18965 --- linux-2.6.35.5/arch/x86/mm/pat.c    2010-08-26 19:47:12.000000000 -0400
18966 +++ linux-2.6.35.5/arch/x86/mm/pat.c    2010-09-17 20:12:09.000000000 -0400
18967 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
18968  
18969         if (!entry) {
18970                 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
18971 -                       current->comm, current->pid, start, end);
18972 +                       current->comm, task_pid_nr(current), start, end);
18973                 return -EINVAL;
18974         }
18975  
18976 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
18977         while (cursor < to) {
18978                 if (!devmem_is_allowed(pfn)) {
18979                         printk(KERN_INFO
18980 -               "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
18981 -                               current->comm, from, to);
18982 +               "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
18983 +                               current->comm, from, to, cursor);
18984                         return 0;
18985                 }
18986                 cursor += PAGE_SIZE;
18987 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
18988                 printk(KERN_INFO
18989                         "%s:%d ioremap_change_attr failed %s "
18990                         "for %Lx-%Lx\n",
18991 -                       current->comm, current->pid,
18992 +                       current->comm, task_pid_nr(current),
18993                         cattr_name(flags),
18994                         base, (unsigned long long)(base + size));
18995                 return -EINVAL;
18996 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr, 
18997                 if (want_flags != flags) {
18998                         printk(KERN_WARNING
18999                         "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19000 -                               current->comm, current->pid,
19001 +                               current->comm, task_pid_nr(current),
19002                                 cattr_name(want_flags),
19003                                 (unsigned long long)paddr,
19004                                 (unsigned long long)(paddr + size),
19005 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr, 
19006                         free_memtype(paddr, paddr + size);
19007                         printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19008                                 " for %Lx-%Lx, got %s\n",
19009 -                               current->comm, current->pid,
19010 +                               current->comm, task_pid_nr(current),
19011                                 cattr_name(want_flags),
19012                                 (unsigned long long)paddr,
19013                                 (unsigned long long)(paddr + size),
19014 diff -urNp linux-2.6.35.5/arch/x86/mm/pgtable_32.c linux-2.6.35.5/arch/x86/mm/pgtable_32.c
19015 --- linux-2.6.35.5/arch/x86/mm/pgtable_32.c     2010-08-26 19:47:12.000000000 -0400
19016 +++ linux-2.6.35.5/arch/x86/mm/pgtable_32.c     2010-09-17 20:12:09.000000000 -0400
19017 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr, 
19018                 return;
19019         }
19020         pte = pte_offset_kernel(pmd, vaddr);
19021 +
19022 +       pax_open_kernel();
19023         if (pte_val(pteval))
19024                 set_pte_at(&init_mm, vaddr, pte, pteval);
19025         else
19026                 pte_clear(&init_mm, vaddr, pte);
19027 +       pax_close_kernel();
19028  
19029         /*
19030          * It's enough to flush this one mapping.
19031 diff -urNp linux-2.6.35.5/arch/x86/mm/pgtable.c linux-2.6.35.5/arch/x86/mm/pgtable.c
19032 --- linux-2.6.35.5/arch/x86/mm/pgtable.c        2010-08-26 19:47:12.000000000 -0400
19033 +++ linux-2.6.35.5/arch/x86/mm/pgtable.c        2010-09-17 20:12:09.000000000 -0400
19034 @@ -84,8 +84,59 @@ static inline void pgd_list_del(pgd_t *p
19035         list_del(&page->lru);
19036  }
19037  
19038 -#define UNSHARED_PTRS_PER_PGD                          \
19039 -       (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19040 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19041 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19042 +
19043 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19044 +{
19045 +       while (count--)
19046 +               *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
19047 +
19048 +}
19049 +#endif
19050 +
19051 +#ifdef CONFIG_PAX_PER_CPU_PGD
19052 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19053 +{
19054 +       while (count--)
19055 +
19056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19057 +               *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19058 +#else
19059 +               *dst++ = *src++;
19060 +#endif
19061 +
19062 +}
19063 +#endif
19064 +
19065 +#ifdef CONFIG_PAX_PER_CPU_PGD
19066 +static inline void pgd_ctor(pgd_t *pgd) {}
19067 +static inline void pgd_dtor(pgd_t *pgd) {}
19068 +#ifdef CONFIG_X86_64
19069 +#define pxd_t                          pud_t
19070 +#define pyd_t                          pgd_t
19071 +#define paravirt_release_pxd(pfn)      paravirt_release_pud(pfn)
19072 +#define pxd_free(mm, pud)              pud_free((mm), (pud))
19073 +#define pyd_populate(mm, pgd, pud)     pgd_populate((mm), (pgd), (pud))
19074 +#define pyd_offset(mm ,address)                pgd_offset((mm), (address))
19075 +#define PYD_SIZE                       PGDIR_SIZE
19076 +#else
19077 +#define pxd_t                          pmd_t
19078 +#define pyd_t                          pud_t
19079 +#define paravirt_release_pxd(pfn)      paravirt_release_pmd(pfn)
19080 +#define pxd_free(mm, pud)              pmd_free((mm), (pud))
19081 +#define pyd_populate(mm, pgd, pud)     pud_populate((mm), (pgd), (pud))
19082 +#define pyd_offset(mm ,address)                pud_offset((mm), (address))
19083 +#define PYD_SIZE                       PUD_SIZE
19084 +#endif
19085 +#else
19086 +#define pxd_t                          pmd_t
19087 +#define pyd_t                          pud_t
19088 +#define paravirt_release_pxd(pfn)      paravirt_release_pmd(pfn)
19089 +#define pxd_free(mm, pmd)              pmd_free((mm), (pmd))
19090 +#define pyd_populate(mm, pud, pmd)     pud_populate((mm), (pud), (pmd))
19091 +#define pyd_offset(mm ,address)                pud_offset((mm), (address))
19092 +#define PYD_SIZE                       PUD_SIZE
19093  
19094  static void pgd_ctor(pgd_t *pgd)
19095  {
19096 @@ -120,6 +171,7 @@ static void pgd_dtor(pgd_t *pgd)
19097         pgd_list_del(pgd);
19098         spin_unlock_irqrestore(&pgd_lock, flags);
19099  }
19100 +#endif
19101  
19102  /*
19103   * List of all pgd's needed for non-PAE so it can invalidate entries
19104 @@ -132,7 +184,7 @@ static void pgd_dtor(pgd_t *pgd)
19105   * -- wli
19106   */
19107  
19108 -#ifdef CONFIG_X86_PAE
19109 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19110  /*
19111   * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19112   * updating the top-level pagetable entries to guarantee the
19113 @@ -144,7 +196,7 @@ static void pgd_dtor(pgd_t *pgd)
19114   * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19115   * and initialize the kernel pmds here.
19116   */
19117 -#define PREALLOCATED_PMDS      UNSHARED_PTRS_PER_PGD
19118 +#define PREALLOCATED_PXDS      (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19119  
19120  void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19121  {
19122 @@ -163,36 +215,38 @@ void pud_populate(struct mm_struct *mm, 
19123         if (mm == current->active_mm)
19124                 write_cr3(read_cr3());
19125  }
19126 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19127 +#define PREALLOCATED_PXDS      USER_PGD_PTRS
19128  #else  /* !CONFIG_X86_PAE */
19129  
19130  /* No need to prepopulate any pagetable entries in non-PAE modes. */
19131 -#define PREALLOCATED_PMDS      0
19132 +#define PREALLOCATED_PXDS      0
19133  
19134  #endif /* CONFIG_X86_PAE */
19135  
19136 -static void free_pmds(pmd_t *pmds[])
19137 +static void free_pxds(pxd_t *pxds[])
19138  {
19139         int i;
19140  
19141 -       for(i = 0; i < PREALLOCATED_PMDS; i++)
19142 -               if (pmds[i])
19143 -                       free_page((unsigned long)pmds[i]);
19144 +       for(i = 0; i < PREALLOCATED_PXDS; i++)
19145 +               if (pxds[i])
19146 +                       free_page((unsigned long)pxds[i]);
19147  }
19148  
19149 -static int preallocate_pmds(pmd_t *pmds[])
19150 +static int preallocate_pxds(pxd_t *pxds[])
19151  {
19152         int i;
19153         bool failed = false;
19154  
19155 -       for(i = 0; i < PREALLOCATED_PMDS; i++) {
19156 -               pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19157 -               if (pmd == NULL)
19158 +       for(i = 0; i < PREALLOCATED_PXDS; i++) {
19159 +               pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19160 +               if (pxd == NULL)
19161                         failed = true;
19162 -               pmds[i] = pmd;
19163 +               pxds[i] = pxd;
19164         }
19165  
19166         if (failed) {
19167 -               free_pmds(pmds);
19168 +               free_pxds(pxds);
19169                 return -ENOMEM;
19170         }
19171  
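Review bot: The `#else  /* !CONFIG_X86_PAE */` and `#endif /* CONFIG_X86_PAE */` trailers kept as context no longer describe the conditional they close. The opening test became `defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)` in the `@@ -132,7 +184,7 @@` hunk, and this hunk adds an `#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)` arm that sets `PREALLOCATED_PXDS` to `USER_PGD_PTRS`. I would update them to something like `#else  /* !PAE && !(X86_64 && PAX_PER_CPU_PGD) */` and `#endif /* PREALLOCATED_PXDS */`. The sentence "No need to prepopulate any pagetable entries in non-PAE modes." should also be reworded, since the x86-64 per-CPU-PGD arm is a non-PAE mode that does prepopulate.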
19172 @@ -205,51 +259,56 @@ static int preallocate_pmds(pmd_t *pmds[
19173   * preallocate which never got a corresponding vma will need to be
19174   * freed manually.
19175   */
19176 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19177 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19178  {
19179         int i;
19180  
19181 -       for(i = 0; i < PREALLOCATED_PMDS; i++) {
19182 +       for(i = 0; i < PREALLOCATED_PXDS; i++) {
19183                 pgd_t pgd = pgdp[i];
19184  
19185                 if (pgd_val(pgd) != 0) {
19186 -                       pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19187 +                       pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19188  
19189 -                       pgdp[i] = native_make_pgd(0);
19190 +                       set_pgd(pgdp + i, native_make_pgd(0));
19191  
19192 -                       paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19193 -                       pmd_free(mm, pmd);
19194 +                       paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19195 +                       pxd_free(mm, pxd);
19196                 }
19197         }
19198  }
19199  
19200 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19201 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19202  {
19203 -       pud_t *pud;
19204 +       pyd_t *pyd;
19205         unsigned long addr;
19206         int i;
19207  
19208 -       if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19209 +       if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19210                 return;
19211  
19212 -       pud = pud_offset(pgd, 0);
19213 +#ifdef CONFIG_X86_64
19214 +       pyd = pyd_offset(mm, 0L);
19215 +#else
19216 +       pyd = pyd_offset(pgd, 0L);
19217 +#endif
19218  
19219 -       for (addr = i = 0; i < PREALLOCATED_PMDS;
19220 -            i++, pud++, addr += PUD_SIZE) {
19221 -               pmd_t *pmd = pmds[i];
19222 +       for (addr = i = 0; i < PREALLOCATED_PXDS;
19223 +            i++, pyd++, addr += PYD_SIZE) {
19224 +               pxd_t *pxd = pxds[i];
19225  
19226                 if (i >= KERNEL_PGD_BOUNDARY)
19227 -                       memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19228 -                              sizeof(pmd_t) * PTRS_PER_PMD);
19229 +                       memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19230 +                              sizeof(pxd_t) * PTRS_PER_PMD);
19231  
19232 -               pud_populate(mm, pud, pmd);
19233 +               pyd_populate(mm, pyd, pxd);
19234         }
19235  }
19236  
19237  pgd_t *pgd_alloc(struct mm_struct *mm)
19238  {
19239         pgd_t *pgd;
19240 -       pmd_t *pmds[PREALLOCATED_PMDS];
19241 +       pxd_t *pxds[PREALLOCATED_PXDS];
19242 +
19243         unsigned long flags;
19244  
19245         pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
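Review bot: In pgd_prepopulate_pxd the copy length is still `sizeof(pxd_t) * PTRS_PER_PMD` although the element type is now the `pxd_t` alias, which is `pud_t` on the x86-64 per-CPU-PGD configuration. The two counts are presumably equal there and the `i >= KERNEL_PGD_BOUNDARY` branch may never be taken on that path, but the mismatch is easy to misread. A `PTRS_PER_PXD` alias defined next to `PYD_SIZE` would keep the rename consistent, e.g. `sizeof(pxd_t) * PTRS_PER_PXD`. Separately, `pxd_t *pxds[PREALLOCATED_PXDS];` in pgd_alloc is an on-stack array that now scales with `USER_PGD_PTRS` on x86-64; that value is defined outside this hunk, so the kernel-stack cost is worth checking. pgd_alloc's body continues past the end of the hunk.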
19246 @@ -259,11 +318,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19247  
19248         mm->pgd = pgd;
19249  
19250 -       if (preallocate_pmds(pmds) != 0)
19251 +       if (preallocate_pxds(pxds) != 0)
19252                 goto out_free_pgd;
19253  
19254         if (paravirt_pgd_alloc(mm) != 0)
19255 -               goto out_free_pmds;
19256 +               goto out_free_pxds;
19257  
19258         /*
19259          * Make sure that pre-populating the pmds is atomic with
19260 @@ -273,14 +332,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19261         spin_lock_irqsave(&pgd_lock, flags);
19262  
19263         pgd_ctor(pgd);
19264 -       pgd_prepopulate_pmd(mm, pgd, pmds);
19265 +       pgd_prepopulate_pxd(mm, pgd, pxds);
19266  
19267         spin_unlock_irqrestore(&pgd_lock, flags);
19268  
19269         return pgd;
19270  
19271 -out_free_pmds:
19272 -       free_pmds(pmds);
19273 +out_free_pxds:
19274 +       free_pxds(pxds);
19275  out_free_pgd:
19276         free_page((unsigned long)pgd);
19277  out:
19278 @@ -289,7 +348,7 @@ out:
19279  
19280  void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19281  {
19282 -       pgd_mop_up_pmds(mm, pgd);
19283 +       pgd_mop_up_pxds(mm, pgd);
19284         pgd_dtor(pgd);
19285         paravirt_pgd_free(mm, pgd);
19286         free_page((unsigned long)pgd);
19287 diff -urNp linux-2.6.35.5/arch/x86/mm/setup_nx.c linux-2.6.35.5/arch/x86/mm/setup_nx.c
19288 --- linux-2.6.35.5/arch/x86/mm/setup_nx.c       2010-08-26 19:47:12.000000000 -0400
19289 +++ linux-2.6.35.5/arch/x86/mm/setup_nx.c       2010-09-17 20:12:09.000000000 -0400
19290 @@ -5,8 +5,10 @@
19291  #include <asm/pgtable.h>
19292  #include <asm/proto.h>
19293  
19294 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19295  static int disable_nx __cpuinitdata;
19296  
19297 +#ifndef CONFIG_PAX_PAGEEXEC
19298  /*
19299   * noexec = on|off
19300   *
19301 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19302         return 0;
19303  }
19304  early_param("noexec", noexec_setup);
19305 +#endif
19306 +
19307 +#endif
19308  
19309  void __cpuinit x86_configure_nx(void)
19310  {
19311 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19312         if (cpu_has_nx && !disable_nx)
19313                 __supported_pte_mask |= _PAGE_NX;
19314         else
19315 +#endif
19316                 __supported_pte_mask &= ~_PAGE_NX;
19317  }
19318  
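Review bot: In x86_configure_nx the `else` now belongs to an `if` that exists only when `CONFIG_X86_64 || CONFIG_X86_PAE` is set, so the unbraced `__supported_pte_mask &= ~_PAGE_NX;` is a branch in one configuration and a bare statement in the other. It compiles either way, but any later edit inside the `#if` can change which statement the `else` binds to; bracing both arms, or returning early after `__supported_pte_mask |= _PAGE_NX;`, removes that trap. The `#ifndef CONFIG_PAX_PAGEEXEC` opened in the previous hunk also drops `noexec_setup` and its `early_param`, so `disable_nx` can never become non-zero in that configuration. A comment such as `/* noexec= is not parsed under CONFIG_PAX_PAGEEXEC; disable_nx stays 0 */` next to the declaration would make that intent explicit.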
19319 diff -urNp linux-2.6.35.5/arch/x86/mm/tlb.c linux-2.6.35.5/arch/x86/mm/tlb.c
19320 --- linux-2.6.35.5/arch/x86/mm/tlb.c    2010-08-26 19:47:12.000000000 -0400
19321 +++ linux-2.6.35.5/arch/x86/mm/tlb.c    2010-09-17 20:12:09.000000000 -0400
19322 @@ -13,7 +13,7 @@
19323  #include <asm/uv/uv.h>
19324  
19325  DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19326 -                       = { &init_mm, 0, };
19327 +                       = { &init_mm, 0 };
19328  
19329  /*
19330   *     Smarter SMP flushing macros.
19331 @@ -62,7 +62,11 @@ void leave_mm(int cpu)
19332                 BUG();
19333         cpumask_clear_cpu(cpu,
19334                           mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19335 +
19336 +#ifndef CONFIG_PAX_PER_CPU_PGD
19337         load_cr3(swapper_pg_dir);
19338 +#endif
19339 +
19340  }
19341  EXPORT_SYMBOL_GPL(leave_mm);
19342  
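Review bot: The `#ifndef CONFIG_PAX_PER_CPU_PGD` around `load_cr3(swapper_pg_dir)` in leave_mm carries no comment saying what cr3 refers to once the reload is skipped. Just above, this CPU is cleared from the mm's cpumask, so a reader needs the invariant that makes keeping the current page-table root safe afterwards. Presumably cr3 already points at a per-CPU PGD rather than the mm's own, but nothing in the hunk establishes that. If so, a line like `/* per-CPU PGD: cr3 never points at an mm's pgd, so no reload is needed here */` would document it; otherwise the real reason should be stated. leave_mm starts outside the hunk.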
19343 diff -urNp linux-2.6.35.5/arch/x86/oprofile/backtrace.c linux-2.6.35.5/arch/x86/oprofile/backtrace.c
19344 --- linux-2.6.35.5/arch/x86/oprofile/backtrace.c        2010-08-26 19:47:12.000000000 -0400
19345 +++ linux-2.6.35.5/arch/x86/oprofile/backtrace.c        2010-09-17 20:12:09.000000000 -0400
19346 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
19347         struct frame_head bufhead[2];
19348  
19349         /* Also check accessibility of one struct frame_head beyond */
19350 -       if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19351 +       if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19352                 return NULL;
19353         if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19354                 return NULL;
19355 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
19356  {
19357         struct frame_head *head = (struct frame_head *)frame_pointer(regs);
19358  
19359 -       if (!user_mode_vm(regs)) {
19360 +       if (!user_mode(regs)) {
19361                 unsigned long stack = kernel_stack_pointer(regs);
19362                 if (depth)
19363                         dump_trace(NULL, regs, (unsigned long *)stack, 0,
19364 diff -urNp linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c
19365 --- linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c      2010-08-26 19:47:12.000000000 -0400
19366 +++ linux-2.6.35.5/arch/x86/oprofile/op_model_p4.c      2010-09-17 20:12:09.000000000 -0400
19367 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19368  #endif
19369  }
19370  
19371 -static int inline addr_increment(void)
19372 +static inline int addr_increment(void)
19373  {
19374  #ifdef CONFIG_SMP
19375         return smp_num_siblings == 2 ? 2 : 1;
19376 diff -urNp linux-2.6.35.5/arch/x86/pci/common.c linux-2.6.35.5/arch/x86/pci/common.c
19377 --- linux-2.6.35.5/arch/x86/pci/common.c        2010-08-26 19:47:12.000000000 -0400
19378 +++ linux-2.6.35.5/arch/x86/pci/common.c        2010-09-17 20:12:09.000000000 -0400
19379 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19380  int pcibios_last_bus = -1;
19381  unsigned long pirq_table_addr;
19382  struct pci_bus *pci_root_bus;
19383 -struct pci_raw_ops *raw_pci_ops;
19384 -struct pci_raw_ops *raw_pci_ext_ops;
19385 +const struct pci_raw_ops *raw_pci_ops;
19386 +const struct pci_raw_ops *raw_pci_ext_ops;
19387  
19388  int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19389                                                 int reg, int len, u32 *val)
19390 @@ -365,7 +365,7 @@ static const struct dmi_system_id __devi
19391                         DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19392                 },
19393         },
19394 -       {}
19395 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19396  };
19397  
19398  void __init dmi_check_pciprobe(void)
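Review bot: The replacement terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` is positional, so it silently depends on the field order and count of `struct dmi_system_id`, which is declared outside this hunk. The original `{}` already zero-initialises the sentinel. If the aim is to quiet missing-initializer warnings, a designated form such as `{ .ident = NULL }` does that without tying every table to the struct layout. The same terminator is added in both arch/x86/pci/fixup.c hunks and in the second arch/x86/pci/irq.c hunk.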
19399 diff -urNp linux-2.6.35.5/arch/x86/pci/direct.c linux-2.6.35.5/arch/x86/pci/direct.c
19400 --- linux-2.6.35.5/arch/x86/pci/direct.c        2010-08-26 19:47:12.000000000 -0400
19401 +++ linux-2.6.35.5/arch/x86/pci/direct.c        2010-09-17 20:12:09.000000000 -0400
19402 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int 
19403  
19404  #undef PCI_CONF1_ADDRESS
19405  
19406 -struct pci_raw_ops pci_direct_conf1 = {
19407 +const struct pci_raw_ops pci_direct_conf1 = {
19408         .read =         pci_conf1_read,
19409         .write =        pci_conf1_write,
19410  };
19411 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int 
19412  
19413  #undef PCI_CONF2_ADDRESS
19414  
19415 -struct pci_raw_ops pci_direct_conf2 = {
19416 +const struct pci_raw_ops pci_direct_conf2 = {
19417         .read =         pci_conf2_read,
19418         .write =        pci_conf2_write,
19419  };
19420 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19421   * This should be close to trivial, but it isn't, because there are buggy
19422   * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19423   */
19424 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19425 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19426  {
19427         u32 x = 0;
19428         int year, devfn;
19429 diff -urNp linux-2.6.35.5/arch/x86/pci/fixup.c linux-2.6.35.5/arch/x86/pci/fixup.c
19430 --- linux-2.6.35.5/arch/x86/pci/fixup.c 2010-08-26 19:47:12.000000000 -0400
19431 +++ linux-2.6.35.5/arch/x86/pci/fixup.c 2010-09-17 20:12:09.000000000 -0400
19432 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19433                         DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19434                 },
19435         },
19436 -       {}
19437 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19438  };
19439  
19440  /*
19441 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19442                         DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19443                 },
19444         },
19445 -       { }
19446 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19447  };
19448  
19449  static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19450 diff -urNp linux-2.6.35.5/arch/x86/pci/irq.c linux-2.6.35.5/arch/x86/pci/irq.c
19451 --- linux-2.6.35.5/arch/x86/pci/irq.c   2010-08-26 19:47:12.000000000 -0400
19452 +++ linux-2.6.35.5/arch/x86/pci/irq.c   2010-09-17 20:12:09.000000000 -0400
19453 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19454         static struct pci_device_id __initdata pirq_440gx[] = {
19455                 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19456                 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19457 -               { },
19458 +               { PCI_DEVICE(0, 0) }
19459         };
19460  
19461         /* 440GX has a proprietary PIRQ router -- don't use it */
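Review bot: The new terminator `{ PCI_DEVICE(0, 0) }` in `pirq_440gx` is probably not an all-zero entry. In mainline, `PCI_DEVICE()` also sets `.subvendor` and `.subdevice` to `PCI_ANY_ID`, and the ID-table walkers stop only on an entry whose vendor, subvendor and class_mask are all zero. If that holds for this tree, a walk over `pirq_440gx` would not stop at this entry and would read past the end of the array. An explicit zero entry such as `{ .vendor = 0 }` keeps the sentinel intact while still naming a field. The macro and the consumer of the table are outside this hunk, so this needs confirming against them.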
19462 @@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
19463                         DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19464                 },
19465         },
19466 -       { }
19467 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19468  };
19469  
19470  void __init pcibios_irq_init(void)
19471 diff -urNp linux-2.6.35.5/arch/x86/pci/mmconfig_32.c linux-2.6.35.5/arch/x86/pci/mmconfig_32.c
19472 --- linux-2.6.35.5/arch/x86/pci/mmconfig_32.c   2010-08-26 19:47:12.000000000 -0400
19473 +++ linux-2.6.35.5/arch/x86/pci/mmconfig_32.c   2010-09-17 20:12:09.000000000 -0400
19474 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int 
19475         return 0;
19476  }
19477  
19478 -static struct pci_raw_ops pci_mmcfg = {
19479 +static const struct pci_raw_ops pci_mmcfg = {
19480         .read =         pci_mmcfg_read,
19481         .write =        pci_mmcfg_write,
19482  };
19483 diff -urNp linux-2.6.35.5/arch/x86/pci/mmconfig_64.c linux-2.6.35.5/arch/x86/pci/mmconfig_64.c
19484 --- linux-2.6.35.5/arch/x86/pci/mmconfig_64.c   2010-08-26 19:47:12.000000000 -0400
19485 +++ linux-2.6.35.5/arch/x86/pci/mmconfig_64.c   2010-09-17 20:12:09.000000000 -0400
19486 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int 
19487         return 0;
19488  }
19489  
19490 -static struct pci_raw_ops pci_mmcfg = {
19491 +static const struct pci_raw_ops pci_mmcfg = {
19492         .read =         pci_mmcfg_read,
19493         .write =        pci_mmcfg_write,
19494  };
19495 diff -urNp linux-2.6.35.5/arch/x86/pci/numaq_32.c linux-2.6.35.5/arch/x86/pci/numaq_32.c
19496 --- linux-2.6.35.5/arch/x86/pci/numaq_32.c      2010-08-26 19:47:12.000000000 -0400
19497 +++ linux-2.6.35.5/arch/x86/pci/numaq_32.c      2010-09-17 20:12:09.000000000 -0400
19498 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19499  
19500  #undef PCI_CONF1_MQ_ADDRESS
19501  
19502 -static struct pci_raw_ops pci_direct_conf1_mq = {
19503 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19504         .read   = pci_conf1_mq_read,
19505         .write  = pci_conf1_mq_write
19506  };
19507 diff -urNp linux-2.6.35.5/arch/x86/pci/olpc.c linux-2.6.35.5/arch/x86/pci/olpc.c
19508 --- linux-2.6.35.5/arch/x86/pci/olpc.c  2010-08-26 19:47:12.000000000 -0400
19509 +++ linux-2.6.35.5/arch/x86/pci/olpc.c  2010-09-17 20:12:09.000000000 -0400
19510 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19511         return 0;
19512  }
19513  
19514 -static struct pci_raw_ops pci_olpc_conf = {
19515 +static const struct pci_raw_ops pci_olpc_conf = {
19516         .read = pci_olpc_read,
19517         .write = pci_olpc_write,
19518  };
19519 diff -urNp linux-2.6.35.5/arch/x86/pci/pcbios.c linux-2.6.35.5/arch/x86/pci/pcbios.c
19520 --- linux-2.6.35.5/arch/x86/pci/pcbios.c        2010-08-26 19:47:12.000000000 -0400
19521 +++ linux-2.6.35.5/arch/x86/pci/pcbios.c        2010-09-17 20:12:09.000000000 -0400
19522 @@ -57,50 +57,93 @@ union bios32 {
19523  static struct {
19524         unsigned long address;
19525         unsigned short segment;
19526 -} bios32_indirect = { 0, __KERNEL_CS };
19527 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19528  
19529  /*
19530   * Returns the entry point for the given service, NULL on error
19531   */
19532  
19533 -static unsigned long bios32_service(unsigned long service)
19534 +static unsigned long __devinit bios32_service(unsigned long service)
19535  {
19536         unsigned char return_code;      /* %al */
19537         unsigned long address;          /* %ebx */
19538         unsigned long length;           /* %ecx */
19539         unsigned long entry;            /* %edx */
19540         unsigned long flags;
19541 +       struct desc_struct d, *gdt;
19542  
19543         local_irq_save(flags);
19544 -       __asm__("lcall *(%%edi); cld"
19545 +
19546 +       gdt = get_cpu_gdt_table(smp_processor_id());
19547 +
19548 +       pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19549 +       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19550 +       pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19551 +       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19552 +
19553 +       __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19554                 : "=a" (return_code),
19555                   "=b" (address),
19556                   "=c" (length),
19557                   "=d" (entry)
19558                 : "0" (service),
19559                   "1" (0),
19560 -                 "D" (&bios32_indirect));
19561 +                 "D" (&bios32_indirect),
19562 +                 "r"(__PCIBIOS_DS)
19563 +               : "memory");
19564 +
19565 +       pax_open_kernel();
19566 +       gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19567 +       gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19568 +       gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19569 +       gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19570 +       pax_close_kernel();
19571 +
19572         local_irq_restore(flags);
19573  
19574         switch (return_code) {
19575 -               case 0:
19576 -                       return address + entry;
19577 -               case 0x80:      /* Not present */
19578 -                       printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19579 -                       return 0;
19580 -               default: /* Shouldn't happen */
19581 -                       printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19582 -                               service, return_code);
19583 +       case 0: {
19584 +               int cpu;
19585 +               unsigned char flags;
19586 +
19587 +               printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19588 +               if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19589 +                       printk(KERN_WARNING "bios32_service: not valid\n");
19590                         return 0;
19591 +               }
19592 +               address = address + PAGE_OFFSET;
19593 +               length += 16UL; /* some BIOSs underreport this... */
19594 +               flags = 4;
19595 +               if (length >= 64*1024*1024) {
19596 +                       length >>= PAGE_SHIFT;
19597 +                       flags |= 8;
19598 +               }
19599 +
19600 +               for (cpu = 0; cpu < NR_CPUS; cpu++) {
19601 +                       gdt = get_cpu_gdt_table(cpu);
19602 +                       pack_descriptor(&d, address, length, 0x9b, flags);
19603 +                       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19604 +                       pack_descriptor(&d, address, length, 0x93, flags);
19605 +                       write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19606 +               }
19607 +               return entry;
19608 +       }
19609 +       case 0x80:      /* Not present */
19610 +               printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19611 +               return 0;
19612 +       default: /* Shouldn't happen */
19613 +               printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19614 +                       service, return_code);
19615 +               return 0;
19616         }
19617  }
19618  
19619  static struct {
19620         unsigned long address;
19621         unsigned short segment;
19622 -} pci_indirect = { 0, __KERNEL_CS };
19623 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19624  
19625 -static int pci_bios_present;
19626 +static int pci_bios_present __read_only;
19627  
19628  static int __devinit check_pcibios(void)
19629  {
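Review bot: In the new `case 0:` block of bios32_service, `unsigned char flags;` shadows the function-level `unsigned long flags` that holds the saved IRQ state. Renaming it, e.g. `unsigned char desc_flags = 4;`, keeps the two apart and avoids a -Wshadow warning. The `if (length >= 64*1024*1024)` granularity branch looks unreachable, because the preceding check rejects any `length > 0x100000 - address` and only 16 is added afterwards; either drop it or add a comment saying why it is kept. The descriptor loop also runs to `NR_CPUS` rather than over possible CPUs, which is only safe if `get_cpu_gdt_table()` is valid for every index. That definition is not in this hunk, so it is worth confirming.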
19630 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
19631         unsigned long flags, pcibios_entry;
19632  
19633         if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19634 -               pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19635 +               pci_indirect.address = pcibios_entry;
19636  
19637                 local_irq_save(flags);
19638 -               __asm__(
19639 -                       "lcall *(%%edi); cld\n\t"
19640 +               __asm__("movw %w6, %%ds\n\t"
19641 +                       "lcall *%%ss:(%%edi); cld\n\t"
19642 +                       "push %%ss\n\t"
19643 +                       "pop %%ds\n\t"
19644                         "jc 1f\n\t"
19645                         "xor %%ah, %%ah\n"
19646                         "1:"
19647 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
19648                           "=b" (ebx),
19649                           "=c" (ecx)
19650                         : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19651 -                         "D" (&pci_indirect)
19652 +                         "D" (&pci_indirect),
19653 +                         "r" (__PCIBIOS_DS)
19654                         : "memory");
19655                 local_irq_restore(flags);
19656  
19657 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
19658  
19659         switch (len) {
19660         case 1:
19661 -               __asm__("lcall *(%%esi); cld\n\t"
19662 +               __asm__("movw %w6, %%ds\n\t"
19663 +                       "lcall *%%ss:(%%esi); cld\n\t"
19664 +                       "push %%ss\n\t"
19665 +                       "pop %%ds\n\t"
19666                         "jc 1f\n\t"
19667                         "xor %%ah, %%ah\n"
19668                         "1:"
19669 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
19670                         : "1" (PCIBIOS_READ_CONFIG_BYTE),
19671                           "b" (bx),
19672                           "D" ((long)reg),
19673 -                         "S" (&pci_indirect));
19674 +                         "S" (&pci_indirect),
19675 +                         "r" (__PCIBIOS_DS));
19676                 /*
19677                  * Zero-extend the result beyond 8 bits, do not trust the
19678                  * BIOS having done it:
19679 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
19680                 *value &= 0xff;
19681                 break;
19682         case 2:
19683 -               __asm__("lcall *(%%esi); cld\n\t"
19684 +               __asm__("movw %w6, %%ds\n\t"
19685 +                       "lcall *%%ss:(%%esi); cld\n\t"
19686 +                       "push %%ss\n\t"
19687 +                       "pop %%ds\n\t"
19688                         "jc 1f\n\t"
19689                         "xor %%ah, %%ah\n"
19690                         "1:"
19691 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
19692                         : "1" (PCIBIOS_READ_CONFIG_WORD),
19693                           "b" (bx),
19694                           "D" ((long)reg),
19695 -                         "S" (&pci_indirect));
19696 +                         "S" (&pci_indirect),
19697 +                         "r" (__PCIBIOS_DS));
19698                 /*
19699                  * Zero-extend the result beyond 16 bits, do not trust the
19700                  * BIOS having done it:
19701 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
19702                 *value &= 0xffff;
19703                 break;
19704         case 4:
19705 -               __asm__("lcall *(%%esi); cld\n\t"
19706 +               __asm__("movw %w6, %%ds\n\t"
19707 +                       "lcall *%%ss:(%%esi); cld\n\t"
19708 +                       "push %%ss\n\t"
19709 +                       "pop %%ds\n\t"
19710                         "jc 1f\n\t"
19711                         "xor %%ah, %%ah\n"
19712                         "1:"
19713 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
19714                         : "1" (PCIBIOS_READ_CONFIG_DWORD),
19715                           "b" (bx),
19716                           "D" ((long)reg),
19717 -                         "S" (&pci_indirect));
19718 +                         "S" (&pci_indirect),
19719 +                         "r" (__PCIBIOS_DS));
19720                 break;
19721         }
19722  
19723 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
19724  
19725         switch (len) {
19726         case 1:
19727 -               __asm__("lcall *(%%esi); cld\n\t"
19728 +               __asm__("movw %w6, %%ds\n\t"
19729 +                       "lcall *%%ss:(%%esi); cld\n\t"
19730 +                       "push %%ss\n\t"
19731 +                       "pop %%ds\n\t"
19732                         "jc 1f\n\t"
19733                         "xor %%ah, %%ah\n"
19734                         "1:"
19735 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
19736                           "c" (value),
19737                           "b" (bx),
19738                           "D" ((long)reg),
19739 -                         "S" (&pci_indirect));
19740 +                         "S" (&pci_indirect),
19741 +                         "r" (__PCIBIOS_DS));
19742                 break;
19743         case 2:
19744 -               __asm__("lcall *(%%esi); cld\n\t"
19745 +               __asm__("movw %w6, %%ds\n\t"
19746 +                       "lcall *%%ss:(%%esi); cld\n\t"
19747 +                       "push %%ss\n\t"
19748 +                       "pop %%ds\n\t"
19749                         "jc 1f\n\t"
19750                         "xor %%ah, %%ah\n"
19751                         "1:"
19752 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
19753                           "c" (value),
19754                           "b" (bx),
19755                           "D" ((long)reg),
19756 -                         "S" (&pci_indirect));
19757 +                         "S" (&pci_indirect),
19758 +                         "r" (__PCIBIOS_DS));
19759                 break;
19760         case 4:
19761 -               __asm__("lcall *(%%esi); cld\n\t"
19762 +               __asm__("movw %w6, %%ds\n\t"
19763 +                       "lcall *%%ss:(%%esi); cld\n\t"
19764 +                       "push %%ss\n\t"
19765 +                       "pop %%ds\n\t"
19766                         "jc 1f\n\t"
19767                         "xor %%ah, %%ah\n"
19768                         "1:"
19769 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
19770                           "c" (value),
19771                           "b" (bx),
19772                           "D" ((long)reg),
19773 -                         "S" (&pci_indirect));
19774 +                         "S" (&pci_indirect),
19775 +                         "r" (__PCIBIOS_DS));
19776                 break;
19777         }
19778  
19779 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
19780   * Function table for BIOS32 access
19781   */
19782  
19783 -static struct pci_raw_ops pci_bios_access = {
19784 +static const struct pci_raw_ops pci_bios_access = {
19785         .read =         pci_bios_read,
19786         .write =        pci_bios_write
19787  };
19788 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
19789   * Try to find PCI BIOS.
19790   */
19791  
19792 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19793 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19794  {
19795         union bios32 *check;
19796         unsigned char sum;
19797 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
19798  
19799         DBG("PCI: Fetching IRQ routing table... ");
19800         __asm__("push %%es\n\t"
19801 +               "movw %w8, %%ds\n\t"
19802                 "push %%ds\n\t"
19803                 "pop  %%es\n\t"
19804 -               "lcall *(%%esi); cld\n\t"
19805 +               "lcall *%%ss:(%%esi); cld\n\t"
19806                 "pop %%es\n\t"
19807 +               "push %%ss\n\t"
19808 +               "pop %%ds\n"
19809                 "jc 1f\n\t"
19810                 "xor %%ah, %%ah\n"
19811                 "1:"
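Review bot: In pcibios_get_irq_routing_table the added `movw %w8, %%ds` sits before the existing `push %%ds` / `pop %%es`, so ES is now loaded with `__PCIBIOS_DS` rather than the kernel data segment. The BIOS receives `&opt` through the `"D"` operand as an ES-relative offset. bios32_service in this same file programs `GDT_ENTRY_PCIBIOS_DS` with the BIOS image as base and its length as limit, and `__PCIBIOS_DS` presumably selects that entry. If so, a flat kernel address in EDI would no longer address `opt` and would likely exceed the segment limit. Please confirm how the BIOS is expected to reach `opt` here, or load ES from `%%ss` instead and add a comment such as `/* ES must stay flat: EDI carries a kernel pointer */`. The constraint list for this asm continues in the next hunk.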
19812 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
19813                   "1" (0),
19814                   "D" ((long) &opt),
19815                   "S" (&pci_indirect),
19816 -                 "m" (opt)
19817 +                 "m" (opt),
19818 +                 "r" (__PCIBIOS_DS)
19819                 : "memory");
19820         DBG("OK  ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19821         if (ret & 0xff00)
19822 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
19823  {
19824         int ret;
19825  
19826 -       __asm__("lcall *(%%esi); cld\n\t"
19827 +       __asm__("movw %w5, %%ds\n\t"
19828 +               "lcall *%%ss:(%%esi); cld\n\t"
19829 +               "push %%ss\n\t"
19830 +               "pop %%ds\n"
19831                 "jc 1f\n\t"
19832                 "xor %%ah, %%ah\n"
19833                 "1:"
19834 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
19835                 : "0" (PCIBIOS_SET_PCI_HW_INT),
19836                   "b" ((dev->bus->number << 8) | dev->devfn),
19837                   "c" ((irq << 8) | (pin + 10)),
19838 -                 "S" (&pci_indirect));
19839 +                 "S" (&pci_indirect),
19840 +                 "r" (__PCIBIOS_DS));
19841         return !(ret & 0xff00);
19842  }
19843  EXPORT_SYMBOL(pcibios_set_irq_routing);
19844 diff -urNp linux-2.6.35.5/arch/x86/power/cpu.c linux-2.6.35.5/arch/x86/power/cpu.c
19845 --- linux-2.6.35.5/arch/x86/power/cpu.c 2010-09-20 17:33:09.000000000 -0400
19846 +++ linux-2.6.35.5/arch/x86/power/cpu.c 2010-09-20 17:33:32.000000000 -0400
19847 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
19848  static void fix_processor_context(void)
19849  {
19850         int cpu = smp_processor_id();
19851 -       struct tss_struct *t = &per_cpu(init_tss, cpu);
19852 +       struct tss_struct *t = init_tss + cpu;
19853  
19854         set_tss_desc(cpu, t);   /*
19855                                  * This just modifies memory; should not be
19856 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
19857                                  */
19858  
19859  #ifdef CONFIG_X86_64
19860 +       pax_open_kernel();
19861         get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19862 +       pax_close_kernel();
19863  
19864         syscall_init();                         /* This sets MSR_*STAR and related */
19865  #endif
19866 diff -urNp linux-2.6.35.5/arch/x86/vdso/Makefile linux-2.6.35.5/arch/x86/vdso/Makefile
19867 --- linux-2.6.35.5/arch/x86/vdso/Makefile       2010-08-26 19:47:12.000000000 -0400
19868 +++ linux-2.6.35.5/arch/x86/vdso/Makefile       2010-09-17 20:12:09.000000000 -0400
19869 @@ -122,7 +122,7 @@ quiet_cmd_vdso = VDSO    $@
19870                        $(VDSO_LDFLAGS) $(VDSO_LDFLAGS_$(filter %.lds,$(^F))) \
19871                        -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^)
19872  
19873 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19874 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19875  GCOV_PROFILE := n
19876  
19877  #
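Review bot: `--no-undefined` is added to VDSO_LDFLAGS bare, while the other linker options visible in this hunk are passed through the compiler driver as `-Wl,...` (`-Wl,-T,...` and `-Wl$(comma)--hash-style=sysv`). If the vDSO is linked via $(CC), as those options suggest, writing it as `-Wl$(comma)--no-undefined` would not depend on how the driver treats a long option it does not own. The quiet_cmd_vdso definition begins outside the hunk, so the actual link command should be confirmed first.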
19878 diff -urNp linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c
19879 --- linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c       2010-08-26 19:47:12.000000000 -0400
19880 +++ linux-2.6.35.5/arch/x86/vdso/vclock_gettime.c       2010-09-17 20:12:09.000000000 -0400
19881 @@ -22,24 +22,48 @@
19882  #include <asm/hpet.h>
19883  #include <asm/unistd.h>
19884  #include <asm/io.h>
19885 +#include <asm/fixmap.h>
19886  #include "vextern.h"
19887  
19888  #define gtod vdso_vsyscall_gtod_data
19889  
19890 +notrace noinline long __vdso_fallback_time(long *t)
19891 +{
19892 +       long secs;
19893 +       asm volatile("syscall"
19894 +               : "=a" (secs)
19895 +               : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
19896 +       return secs;
19897 +}
19898 +
19899  notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
19900  {
19901         long ret;
19902         asm("syscall" : "=a" (ret) :
19903 -           "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
19904 +           "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
19905         return ret;
19906  }
19907  
19908 +notrace static inline cycle_t __vdso_vread_hpet(void)
19909 +{
19910 +       return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
19911 +}
19912 +
19913 +notrace static inline cycle_t __vdso_vread_tsc(void)
19914 +{
19915 +       cycle_t ret = (cycle_t)vget_cycles();
19916 +
19917 +       return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
19918 +}
19919 +
19920  notrace static inline long vgetns(void)
19921  {
19922         long v;
19923 -       cycles_t (*vread)(void);
19924 -       vread = gtod->clock.vread;
19925 -       v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
19926 +       if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
19927 +               v = __vdso_vread_tsc();
19928 +       else
19929 +               v = __vdso_vread_hpet();
19930 +       v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
19931         return (v * gtod->clock.mult) >> gtod->clock.shift;
19932  }
19933  
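Review bot: The clock-name test is spelled out character by character three times: in vgetns() here, and again in the __vdso_clock_gettime and __vdso_gettimeofday hunks below. vgetns() also treats every name other than "tsc" as HPET, so it is only correct if each caller has already done the same check. Two small inline predicates would stop the copies drifting apart and give one place for a comment on why the name is compared at all; presumably the aim is to stop calling through the `gtod->clock.vread` data pointer from the vDSO. The literal `0xf0` in __vdso_vread_hpet could be `HPET_COUNTER` from `<asm/hpet.h>`, which the file already includes.

```c
/* Name checks are open-coded per character: no string helpers are linked into the vDSO. */
notrace static inline int __vdso_clock_is_tsc(void)
{
	const char *n = gtod->clock.name;

	return n[0] == 't' && n[1] == 's' && n[2] == 'c' && !n[3];
}

notrace static inline int __vdso_clock_is_hpet(void)
{
	const char *n = gtod->clock.name;

	return n[0] == 'h' && n[1] == 'p' && n[2] == 'e' && n[3] == 't' && !n[4];
}

notrace static inline long vgetns(void)
{
	long v;
	/* Callers must already have checked that the clock is tsc or hpet. */
	if (__vdso_clock_is_tsc())
		v = __vdso_vread_tsc();
	else
		v = __vdso_vread_hpet();
	/* … unchanged: cycle_last subtraction, mask and mult/shift scaling … */
```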
19934 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
19935  
19936  notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
19937  {
19938 -       if (likely(gtod->sysctl_enabled))
19939 +       if (likely(gtod->sysctl_enabled &&
19940 +                  ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
19941 +                   (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
19942                 switch (clock) {
19943                 case CLOCK_REALTIME:
19944                         if (likely(gtod->clock.vread))
19945 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
19946  int clock_gettime(clockid_t, struct timespec *)
19947         __attribute__((weak, alias("__vdso_clock_gettime")));
19948  
19949 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
19950 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
19951  {
19952         long ret;
19953 -       if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
19954 +       asm("syscall" : "=a" (ret) :
19955 +           "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
19956 +       return ret;
19957 +}
19958 +
19959 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
19960 +{
19961 +       if (likely(gtod->sysctl_enabled &&
19962 +                  ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
19963 +                   (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
19964 +       {
19965                 if (likely(tv != NULL)) {
19966                         BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
19967                                      offsetof(struct timespec, tv_nsec) ||
19968 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
19969                 }
19970                 return 0;
19971         }
19972 -       asm("syscall" : "=a" (ret) :
19973 -           "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
19974 -       return ret;
19975 +       return __vdso_fallback_gettimeofday(tv, tz);
19976  }
19977  int gettimeofday(struct timeval *, struct timezone *)
19978         __attribute__((weak, alias("__vdso_gettimeofday")));
19979 diff -urNp linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c
19980 --- linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c 2010-08-26 19:47:12.000000000 -0400
19981 +++ linux-2.6.35.5/arch/x86/vdso/vdso32-setup.c 2010-09-17 20:12:09.000000000 -0400
19982 @@ -25,6 +25,7 @@
19983  #include <asm/tlbflush.h>
19984  #include <asm/vdso.h>
19985  #include <asm/proto.h>
19986 +#include <asm/mman.h>
19987  
19988  enum {
19989         VDSO_DISABLED = 0,
19990 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
19991  void enable_sep_cpu(void)
19992  {
19993         int cpu = get_cpu();
19994 -       struct tss_struct *tss = &per_cpu(init_tss, cpu);
19995 +       struct tss_struct *tss = init_tss + cpu;
19996  
19997         if (!boot_cpu_has(X86_FEATURE_SEP)) {
19998                 put_cpu();
19999 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20000         gate_vma.vm_start = FIXADDR_USER_START;
20001         gate_vma.vm_end = FIXADDR_USER_END;
20002         gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20003 -       gate_vma.vm_page_prot = __P101;
20004 +       gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20005         /*
20006          * Make sure the vDSO gets into every core dump.
20007          * Dumping its contents makes post-mortem fully interpretable later
20008 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20009         if (compat)
20010                 addr = VDSO_HIGH_BASE;
20011         else {
20012 -               addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20013 +               addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20014                 if (IS_ERR_VALUE(addr)) {
20015                         ret = addr;
20016                         goto up_fail;
20017                 }
20018         }
20019  
20020 -       current->mm->context.vdso = (void *)addr;
20021 +       current->mm->context.vdso = addr;
20022  
20023         if (compat_uses_vma || !compat) {
20024                 /*
20025 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20026         }
20027  
20028         current_thread_info()->sysenter_return =
20029 -               VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20030 +               (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20031  
20032    up_fail:
20033         if (ret)
20034 -               current->mm->context.vdso = NULL;
20035 +               current->mm->context.vdso = 0;
20036  
20037         up_write(&mm->mmap_sem);
20038  
20039 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20040  
20041  const char *arch_vma_name(struct vm_area_struct *vma)
20042  {
20043 -       if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20044 +       if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20045                 return "[vdso]";
20046 +
20047 +#ifdef CONFIG_PAX_SEGMEXEC
20048 +       if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20049 +               return "[vdso]";
20050 +#endif
20051 +
20052         return NULL;
20053  }
20054  
20055 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20056         struct mm_struct *mm = tsk->mm;
20057  
20058         /* Check to see if this task was created in compat vdso mode */
20059 -       if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20060 +       if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20061                 return &gate_vma;
20062         return NULL;
20063  }
20064 diff -urNp linux-2.6.35.5/arch/x86/vdso/vdso.lds.S linux-2.6.35.5/arch/x86/vdso/vdso.lds.S
20065 --- linux-2.6.35.5/arch/x86/vdso/vdso.lds.S     2010-08-26 19:47:12.000000000 -0400
20066 +++ linux-2.6.35.5/arch/x86/vdso/vdso.lds.S     2010-09-17 20:12:09.000000000 -0400
20067 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20068  #define VEXTERN(x)     VDSO64_ ## x = vdso_ ## x;
20069  #include "vextern.h"
20070  #undef VEXTERN
20071 +
20072 +#define VEXTERN(x)     VDSO64_ ## x = __vdso_ ## x;
20073 +VEXTERN(fallback_gettimeofday)
20074 +VEXTERN(fallback_time)
20075 +VEXTERN(getcpu)
20076 +#undef VEXTERN
20077 diff -urNp linux-2.6.35.5/arch/x86/vdso/vextern.h linux-2.6.35.5/arch/x86/vdso/vextern.h
20078 --- linux-2.6.35.5/arch/x86/vdso/vextern.h      2010-08-26 19:47:12.000000000 -0400
20079 +++ linux-2.6.35.5/arch/x86/vdso/vextern.h      2010-09-17 20:12:09.000000000 -0400
20080 @@ -11,6 +11,5 @@
20081     put into vextern.h and be referenced as a pointer with vdso prefix.
20082     The main kernel later fills in the values.   */
20083  
20084 -VEXTERN(jiffies)
20085  VEXTERN(vgetcpu_mode)
20086  VEXTERN(vsyscall_gtod_data)
20087 diff -urNp linux-2.6.35.5/arch/x86/vdso/vma.c linux-2.6.35.5/arch/x86/vdso/vma.c
20088 --- linux-2.6.35.5/arch/x86/vdso/vma.c  2010-08-26 19:47:12.000000000 -0400
20089 +++ linux-2.6.35.5/arch/x86/vdso/vma.c  2010-09-17 20:12:09.000000000 -0400
20090 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20091         if (!vbase)
20092                 goto oom;
20093  
20094 -       if (memcmp(vbase, "\177ELF", 4)) {
20095 +       if (memcmp(vbase, ELFMAG, SELFMAG)) {
20096                 printk("VDSO: I'm broken; not ELF\n");
20097                 vdso_enabled = 0;
20098         }
20099 @@ -67,6 +67,7 @@ static int __init init_vdso_vars(void)
20100         *(typeof(__ ## x) **) var_ref(VDSO64_SYMBOL(vbase, x), #x) = &__ ## x;
20101  #include "vextern.h"
20102  #undef VEXTERN
20103 +       vunmap(vbase);
20104         return 0;
20105  
20106   oom:
20107 @@ -117,7 +118,7 @@ int arch_setup_additional_pages(struct l
20108                 goto up_fail;
20109         }
20110  
20111 -       current->mm->context.vdso = (void *)addr;
20112 +       current->mm->context.vdso = addr;
20113  
20114         ret = install_special_mapping(mm, addr, vdso_size,
20115                                       VM_READ|VM_EXEC|
20116 @@ -125,7 +126,7 @@ int arch_setup_additional_pages(struct l
20117                                       VM_ALWAYSDUMP,
20118                                       vdso_pages);
20119         if (ret) {
20120 -               current->mm->context.vdso = NULL;
20121 +               current->mm->context.vdso = 0;
20122                 goto up_fail;
20123         }
20124  
20125 @@ -133,10 +134,3 @@ up_fail:
20126         up_write(&mm->mmap_sem);
20127         return ret;
20128  }
20129 -
20130 -static __init int vdso_setup(char *s)
20131 -{
20132 -       vdso_enabled = simple_strtoul(s, NULL, 0);
20133 -       return 0;
20134 -}
20135 -__setup("vdso=", vdso_setup);
20136 diff -urNp linux-2.6.35.5/arch/x86/xen/enlighten.c linux-2.6.35.5/arch/x86/xen/enlighten.c
20137 --- linux-2.6.35.5/arch/x86/xen/enlighten.c     2010-08-26 19:47:12.000000000 -0400
20138 +++ linux-2.6.35.5/arch/x86/xen/enlighten.c     2010-09-17 20:12:09.000000000 -0400
20139 @@ -74,8 +74,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20140  
20141  struct shared_info xen_dummy_shared_info;
20142  
20143 -void *xen_initial_gdt;
20144 -
20145  /*
20146   * Point at some empty memory to start with. We map the real shared_info
20147   * page as soon as fixmap is up and running.
20148 @@ -551,7 +549,7 @@ static void xen_write_idt_entry(gate_des
20149  
20150         preempt_disable();
20151  
20152 -       start = __get_cpu_var(idt_desc).address;
20153 +       start = (unsigned long)__get_cpu_var(idt_desc).address;
20154         end = start + __get_cpu_var(idt_desc).size + 1;
20155  
20156         xen_mc_flush();
20157 @@ -1103,7 +1101,17 @@ asmlinkage void __init xen_start_kernel(
20158         __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20159  
20160         /* Work out if we support NX */
20161 -       x86_configure_nx();
20162 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20163 +       if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20164 +           (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20165 +               unsigned l, h;
20166 +
20167 +               __supported_pte_mask |= _PAGE_NX;
20168 +               rdmsr(MSR_EFER, l, h);
20169 +               l |= EFER_NX;
20170 +               wrmsr(MSR_EFER, l, h);
20171 +       }
20172 +#endif
20173  
20174         xen_setup_features();
20175  
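Review bot: The open-coded NX probe checks that extended CPUID leaves exist, but not that leaf 0x80000001 is among them before its EDX is read. Adding `cpuid_eax(0x80000000) >= 0x80000001 &&` to the condition would make the feature test well-defined on a CPU that reports a lower maximum leaf. The block replaces `x86_configure_nx()` and has no else branch, so it is also worth confirming that nothing the helper did when NX is absent or disabled is lost. The bit expression `1U << (X86_FEATURE_NX & 31)` would benefit from a one-line comment saying it selects the NX bit within the CPUID word. xen_start_kernel continues outside the hunk.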
20176 @@ -1134,13 +1142,6 @@ asmlinkage void __init xen_start_kernel(
20177  
20178         machine_ops = xen_machine_ops;
20179  
20180 -       /*
20181 -        * The only reliable way to retain the initial address of the
20182 -        * percpu gdt_page is to remember it here, so we can go and
20183 -        * mark it RW later, when the initial percpu area is freed.
20184 -        */
20185 -       xen_initial_gdt = &per_cpu(gdt_page, 0);
20186 -
20187         xen_smp_init();
20188  
20189         pgd = (pgd_t *)xen_start_info->pt_base;
20190 diff -urNp linux-2.6.35.5/arch/x86/xen/mmu.c linux-2.6.35.5/arch/x86/xen/mmu.c
20191 --- linux-2.6.35.5/arch/x86/xen/mmu.c   2010-08-26 19:47:12.000000000 -0400
20192 +++ linux-2.6.35.5/arch/x86/xen/mmu.c   2010-09-17 20:12:09.000000000 -0400
20193 @@ -1694,6 +1694,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20194         convert_pfn_mfn(init_level4_pgt);
20195         convert_pfn_mfn(level3_ident_pgt);
20196         convert_pfn_mfn(level3_kernel_pgt);
20197 +       convert_pfn_mfn(level3_vmalloc_pgt);
20198 +       convert_pfn_mfn(level3_vmemmap_pgt);
20199  
20200         l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20201         l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20202 @@ -1712,7 +1714,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20203         set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20204         set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20205         set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20206 +       set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20207 +       set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20208         set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20209 +       set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20210         set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20211         set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20212  
20213 diff -urNp linux-2.6.35.5/arch/x86/xen/smp.c linux-2.6.35.5/arch/x86/xen/smp.c
20214 --- linux-2.6.35.5/arch/x86/xen/smp.c   2010-08-26 19:47:12.000000000 -0400
20215 +++ linux-2.6.35.5/arch/x86/xen/smp.c   2010-09-17 20:12:09.000000000 -0400
20216 @@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
20217  {
20218         BUG_ON(smp_processor_id() != 0);
20219         native_smp_prepare_boot_cpu();
20220 -
20221 -       /* We've switched to the "real" per-cpu gdt, so make sure the
20222 -          old memory can be recycled */
20223 -       make_lowmem_page_readwrite(xen_initial_gdt);
20224 -
20225         xen_setup_vcpu_info_placement();
20226  }
20227  
20228 @@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
20229         gdt = get_cpu_gdt_table(cpu);
20230  
20231         ctxt->flags = VGCF_IN_KERNEL;
20232 -       ctxt->user_regs.ds = __USER_DS;
20233 -       ctxt->user_regs.es = __USER_DS;
20234 +       ctxt->user_regs.ds = __KERNEL_DS;
20235 +       ctxt->user_regs.es = __KERNEL_DS;
20236         ctxt->user_regs.ss = __KERNEL_DS;
20237  #ifdef CONFIG_X86_32
20238         ctxt->user_regs.fs = __KERNEL_PERCPU;
20239 diff -urNp linux-2.6.35.5/arch/x86/xen/xen-head.S linux-2.6.35.5/arch/x86/xen/xen-head.S
20240 --- linux-2.6.35.5/arch/x86/xen/xen-head.S      2010-08-26 19:47:12.000000000 -0400
20241 +++ linux-2.6.35.5/arch/x86/xen/xen-head.S      2010-09-17 20:12:09.000000000 -0400
20242 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20243  #ifdef CONFIG_X86_32
20244         mov %esi,xen_start_info
20245         mov $init_thread_union+THREAD_SIZE,%esp
20246 +#ifdef CONFIG_SMP
20247 +       movl $cpu_gdt_table,%edi
20248 +       movl $__per_cpu_load,%eax
20249 +       movw %ax,__KERNEL_PERCPU + 2(%edi)
20250 +       rorl $16,%eax
20251 +       movb %al,__KERNEL_PERCPU + 4(%edi)
20252 +       movb %ah,__KERNEL_PERCPU + 7(%edi)
20253 +       movl $__per_cpu_end - 1,%eax
20254 +       subl $__per_cpu_start,%eax
20255 +       movw %ax,__KERNEL_PERCPU + 0(%edi)
20256 +#endif
20257  #else
20258         mov %rsi,xen_start_info
20259         mov $init_thread_union+THREAD_SIZE,%rsp
20260 diff -urNp linux-2.6.35.5/arch/x86/xen/xen-ops.h linux-2.6.35.5/arch/x86/xen/xen-ops.h
20261 --- linux-2.6.35.5/arch/x86/xen/xen-ops.h       2010-08-26 19:47:12.000000000 -0400
20262 +++ linux-2.6.35.5/arch/x86/xen/xen-ops.h       2010-09-17 20:12:09.000000000 -0400
20263 @@ -10,8 +10,6 @@
20264  extern const char xen_hypervisor_callback[];
20265  extern const char xen_failsafe_callback[];
20266  
20267 -extern void *xen_initial_gdt;
20268 -
20269  struct trap_info;
20270  void xen_copy_trap_info(struct trap_info *traps);
20271  
20272 diff -urNp linux-2.6.35.5/block/blk-iopoll.c linux-2.6.35.5/block/blk-iopoll.c
20273 --- linux-2.6.35.5/block/blk-iopoll.c   2010-08-26 19:47:12.000000000 -0400
20274 +++ linux-2.6.35.5/block/blk-iopoll.c   2010-09-17 20:12:09.000000000 -0400
20275 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20276  }
20277  EXPORT_SYMBOL(blk_iopoll_complete);
20278  
20279 -static void blk_iopoll_softirq(struct softirq_action *h)
20280 +static void blk_iopoll_softirq(void)
20281  {
20282         struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20283         int rearm = 0, budget = blk_iopoll_budget;
20284 diff -urNp linux-2.6.35.5/block/blk-map.c linux-2.6.35.5/block/blk-map.c
20285 --- linux-2.6.35.5/block/blk-map.c      2010-08-26 19:47:12.000000000 -0400
20286 +++ linux-2.6.35.5/block/blk-map.c      2010-09-17 20:12:09.000000000 -0400
20287 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20288          * direct dma. else, set up kernel bounce buffers
20289          */
20290         uaddr = (unsigned long) ubuf;
20291 -       if (blk_rq_aligned(q, ubuf, len) && !map_data)
20292 +       if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20293                 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20294         else
20295                 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
20296 @@ -297,7 +297,7 @@ int blk_rq_map_kern(struct request_queue
20297         if (!len || !kbuf)
20298                 return -EINVAL;
20299  
20300 -       do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20301 +       do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20302         if (do_copy)
20303                 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20304         else
20305 diff -urNp linux-2.6.35.5/block/blk-softirq.c linux-2.6.35.5/block/blk-softirq.c
20306 --- linux-2.6.35.5/block/blk-softirq.c  2010-08-26 19:47:12.000000000 -0400
20307 +++ linux-2.6.35.5/block/blk-softirq.c  2010-09-17 20:12:09.000000000 -0400
20308 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head, 
20309   * Softirq action handler - move entries to local list and loop over them
20310   * while passing them to the queue registered handler.
20311   */
20312 -static void blk_done_softirq(struct softirq_action *h)
20313 +static void blk_done_softirq(void)
20314  {
20315         struct list_head *cpu_list, local_list;
20316  
20317 diff -urNp linux-2.6.35.5/crypto/lrw.c linux-2.6.35.5/crypto/lrw.c
20318 --- linux-2.6.35.5/crypto/lrw.c 2010-08-26 19:47:12.000000000 -0400
20319 +++ linux-2.6.35.5/crypto/lrw.c 2010-09-17 20:12:09.000000000 -0400
20320 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20321         struct priv *ctx = crypto_tfm_ctx(parent);
20322         struct crypto_cipher *child = ctx->child;
20323         int err, i;
20324 -       be128 tmp = { 0 };
20325 +       be128 tmp = { 0, 0 };
20326         int bsize = crypto_cipher_blocksize(child);
20327  
20328         crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20329 diff -urNp linux-2.6.35.5/Documentation/dontdiff linux-2.6.35.5/Documentation/dontdiff
20330 --- linux-2.6.35.5/Documentation/dontdiff       2010-08-26 19:47:12.000000000 -0400
20331 +++ linux-2.6.35.5/Documentation/dontdiff       2010-09-17 20:12:09.000000000 -0400
20332 @@ -3,6 +3,7 @@
20333  *.bin
20334  *.cpio
20335  *.csp
20336 +*.dbg
20337  *.dsp
20338  *.dvi
20339  *.elf
20340 @@ -38,8 +39,10 @@
20341  *.tab.h
20342  *.tex
20343  *.ver
20344 +*.vim
20345  *.xml
20346  *_MODULES
20347 +*_reg_safe.h
20348  *_vga16.c
20349  *~
20350  *.9
20351 @@ -49,11 +52,16 @@
20352  53c700_d.h
20353  CVS
20354  ChangeSet
20355 +GPATH
20356 +GRTAGS
20357 +GSYMS
20358 +GTAGS
20359  Image
20360  Kerntypes
20361  Module.markers
20362  Module.symvers
20363  PENDING
20364 +PERF*
20365  SCCS
20366  System.map*
20367  TAGS
20368 @@ -76,7 +84,10 @@ btfixupprep
20369  build
20370  bvmlinux
20371  bzImage*
20372 +capflags.c
20373  classlist.h*
20374 +clut_vga16.c
20375 +common-cmds.h
20376  comp*.log
20377  compile.h*
20378  conf
20379 @@ -100,19 +111,22 @@ fore200e_mkfirm
20380  fore200e_pca_fw.c*
20381  gconf
20382  gen-devlist
20383 +gen-kdb_cmds.c
20384  gen_crc32table
20385  gen_init_cpio
20386  generated
20387  genheaders
20388  genksyms
20389  *_gray256.c
20390 +hash
20391  ihex2fw
20392  ikconfig.h*
20393 +inat-tables.c
20394  initramfs_data.cpio
20395 +initramfs_data.cpio.bz2
20396  initramfs_data.cpio.gz
20397  initramfs_list
20398  kallsyms
20399 -kconfig
20400  keywords.c
20401  ksym.c*
20402  ksym.h*
20403 @@ -136,10 +150,13 @@ mkboot
20404  mkbugboot
20405  mkcpustr
20406  mkdep
20407 +mkpiggy
20408  mkprep
20409 +mkregtable
20410  mktables
20411  mktree
20412  modpost
20413 +modules.builtin
20414  modules.order
20415  modversions.h*
20416  ncscope.*
20417 @@ -151,7 +168,9 @@ parse.h
20418  patches*
20419  pca200e.bin
20420  pca200e_ecd.bin2
20421 +perf-archive
20422  piggy.gz
20423 +piggy.S
20424  piggyback
20425  pnmtologo
20426  ppc_defs.h*
20427 @@ -160,12 +179,14 @@ qconf
20428  raid6altivec*.c
20429  raid6int*.c
20430  raid6tables.c
20431 +regdb.c
20432  relocs
20433  series
20434  setup
20435  setup.bin
20436  setup.elf
20437  sImage
20438 +slabinfo
20439  sm_tbl*
20440  split-include
20441  syscalltab.h
20442 @@ -189,14 +210,20 @@ version.h*
20443  vmlinux
20444  vmlinux-*
20445  vmlinux.aout
20446 +vmlinux.bin.all
20447 +vmlinux.bin.bz2
20448  vmlinux.lds
20449 +vmlinux.relocs
20450 +voffset.h
20451  vsyscall.lds
20452  vsyscall_32.lds
20453  wanxlfw.inc
20454  uImage
20455  unifdef
20456 +utsrelease.h
20457  wakeup.bin
20458  wakeup.elf
20459  wakeup.lds
20460  zImage*
20461  zconf.hash.c
20462 +zoffset.h
20463 diff -urNp linux-2.6.35.5/Documentation/filesystems/sysfs.txt linux-2.6.35.5/Documentation/filesystems/sysfs.txt
20464 --- linux-2.6.35.5/Documentation/filesystems/sysfs.txt  2010-08-26 19:47:12.000000000 -0400
20465 +++ linux-2.6.35.5/Documentation/filesystems/sysfs.txt  2010-09-17 20:12:09.000000000 -0400
20466 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20467  show and store methods of the attribute owners. 
20468  
20469  struct sysfs_ops {
20470 -        ssize_t (*show)(struct kobject *, struct attribute *, char *);
20471 -        ssize_t (*store)(struct kobject *, struct attribute *, const char *);
20472 +        ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20473 +        ssize_t (* const store)(struct kobject *, struct attribute *, const char *);
20474  };
20475  
20476  [ Subsystems should have already defined a struct kobj_type as a
20477 diff -urNp linux-2.6.35.5/Documentation/kernel-parameters.txt linux-2.6.35.5/Documentation/kernel-parameters.txt
20478 --- linux-2.6.35.5/Documentation/kernel-parameters.txt  2010-08-26 19:47:12.000000000 -0400
20479 +++ linux-2.6.35.5/Documentation/kernel-parameters.txt  2010-09-17 20:12:09.000000000 -0400
20480 @@ -1910,6 +1910,12 @@ and is between 256 and 4096 characters. 
20481                         the specified number of seconds.  This is to be used if
20482                         your oopses keep scrolling off the screen.
20483  
20484 +       pax_nouderef    [X86-32] disables UDEREF.  Most likely needed under certain
20485 +                       virtualization environments that don't cope well with the
20486 +                       expand down segment used by UDEREF on X86-32.
20487 +
20488 +       pax_softmode=   [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20489 +
20490         pcbit=          [HW,ISDN]
20491  
20492         pcd.            [PARIDE]
20493 diff -urNp linux-2.6.35.5/drivers/acpi/battery.c linux-2.6.35.5/drivers/acpi/battery.c
20494 --- linux-2.6.35.5/drivers/acpi/battery.c       2010-08-26 19:47:12.000000000 -0400
20495 +++ linux-2.6.35.5/drivers/acpi/battery.c       2010-09-17 20:12:09.000000000 -0400
20496 @@ -810,7 +810,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20497         }
20498  
20499  static struct battery_file {
20500 -       struct file_operations ops;
20501 +       const struct file_operations ops;
20502         mode_t mode;
20503         const char *name;
20504  } acpi_battery_file[] = {
20505 diff -urNp linux-2.6.35.5/drivers/acpi/blacklist.c linux-2.6.35.5/drivers/acpi/blacklist.c
20506 --- linux-2.6.35.5/drivers/acpi/blacklist.c     2010-08-26 19:47:12.000000000 -0400
20507 +++ linux-2.6.35.5/drivers/acpi/blacklist.c     2010-09-17 20:12:09.000000000 -0400
20508 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20509         {"IBM   ", "TP600E  ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20510          "Incorrect _ADR", 1},
20511  
20512 -       {""}
20513 +       {"", "", 0, NULL, all_versions, NULL, 0}
20514  };
20515  
20516  #if    CONFIG_ACPI_BLACKLIST_YEAR
20517 diff -urNp linux-2.6.35.5/drivers/acpi/dock.c linux-2.6.35.5/drivers/acpi/dock.c
20518 --- linux-2.6.35.5/drivers/acpi/dock.c  2010-08-26 19:47:12.000000000 -0400
20519 +++ linux-2.6.35.5/drivers/acpi/dock.c  2010-09-17 20:12:09.000000000 -0400
20520 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20521         struct list_head list;
20522         struct list_head hotplug_list;
20523         acpi_handle handle;
20524 -       struct acpi_dock_ops *ops;
20525 +       const struct acpi_dock_ops *ops;
20526         void *context;
20527  };
20528  
20529 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20530   * the dock driver after _DCK is executed.
20531   */
20532  int
20533 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20534 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20535                              void *context)
20536  {
20537         struct dock_dependent_device *dd;
20538 diff -urNp linux-2.6.35.5/drivers/acpi/osl.c linux-2.6.35.5/drivers/acpi/osl.c
20539 --- linux-2.6.35.5/drivers/acpi/osl.c   2010-08-26 19:47:12.000000000 -0400
20540 +++ linux-2.6.35.5/drivers/acpi/osl.c   2010-09-17 20:12:09.000000000 -0400
20541 @@ -523,6 +523,8 @@ acpi_os_read_memory(acpi_physical_addres
20542         void __iomem *virt_addr;
20543  
20544         virt_addr = ioremap(phys_addr, width);
20545 +       if (!virt_addr)
20546 +               return AE_NO_MEMORY;
20547         if (!value)
20548                 value = &dummy;
20549  
20550 @@ -551,6 +553,8 @@ acpi_os_write_memory(acpi_physical_addre
20551         void __iomem *virt_addr;
20552  
20553         virt_addr = ioremap(phys_addr, width);
20554 +       if (!virt_addr)
20555 +               return AE_NO_MEMORY;
20556  
20557         switch (width) {
20558         case 8:
20559 diff -urNp linux-2.6.35.5/drivers/acpi/power_meter.c linux-2.6.35.5/drivers/acpi/power_meter.c
20560 --- linux-2.6.35.5/drivers/acpi/power_meter.c   2010-08-26 19:47:12.000000000 -0400
20561 +++ linux-2.6.35.5/drivers/acpi/power_meter.c   2010-09-17 20:12:09.000000000 -0400
20562 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20563                 return res;
20564  
20565         temp /= 1000;
20566 -       if (temp < 0)
20567 -               return -EINVAL;
20568  
20569         mutex_lock(&resource->lock);
20570         resource->trip[attr->index - 7] = temp;
20571 diff -urNp linux-2.6.35.5/drivers/acpi/proc.c linux-2.6.35.5/drivers/acpi/proc.c
20572 --- linux-2.6.35.5/drivers/acpi/proc.c  2010-08-26 19:47:12.000000000 -0400
20573 +++ linux-2.6.35.5/drivers/acpi/proc.c  2010-09-17 20:12:09.000000000 -0400
20574 @@ -391,20 +391,15 @@ acpi_system_write_wakeup_device(struct f
20575                                 size_t count, loff_t * ppos)
20576  {
20577         struct list_head *node, *next;
20578 -       char strbuf[5];
20579 -       char str[5] = "";
20580 -       unsigned int len = count;
20581 +       char strbuf[5] = {0};
20582         struct acpi_device *found_dev = NULL;
20583  
20584 -       if (len > 4)
20585 -               len = 4;
20586 -       if (len < 0)
20587 -               return -EFAULT;
20588 +       if (count > 4)
20589 +               count = 4;
20590  
20591 -       if (copy_from_user(strbuf, buffer, len))
20592 +       if (copy_from_user(strbuf, buffer, count))
20593                 return -EFAULT;
20594 -       strbuf[len] = '\0';
20595 -       sscanf(strbuf, "%s", str);
20596 +       strbuf[count] = '\0';
20597  
20598         mutex_lock(&acpi_device_lock);
20599         list_for_each_safe(node, next, &acpi_wakeup_device_list) {
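Review bot: Dropping the `sscanf(strbuf, "%s", str)` step means whitespace is no longer stripped, so the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the next hunk compares against the raw bytes written. A three-character name followed by a newline (what `echo` produces) now leaves the newline in `strbuf[3]` and would not match a three-character `bus_id`. Clamping `count` itself also changes the result if the function returns `count` (the return is outside the hunk): a longer write would be reported as short and may be retried by the caller with the remaining bytes. Keeping the length in a local, `size_t len = min_t(size_t, count, 4);`, copying and terminating with `len`, and trimming with `if (len && strbuf[len - 1] == '\n') strbuf[--len] = '\0';` avoids both.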
20600 @@ -413,7 +408,7 @@ acpi_system_write_wakeup_device(struct f
20601                 if (!dev->wakeup.flags.valid)
20602                         continue;
20603  
20604 -               if (!strncmp(dev->pnp.bus_id, str, 4)) {
20605 +               if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20606                         dev->wakeup.state.enabled =
20607                             dev->wakeup.state.enabled ? 0 : 1;
20608                         found_dev = dev;
20609 diff -urNp linux-2.6.35.5/drivers/acpi/processor_driver.c linux-2.6.35.5/drivers/acpi/processor_driver.c
20610 --- linux-2.6.35.5/drivers/acpi/processor_driver.c      2010-08-26 19:47:12.000000000 -0400
20611 +++ linux-2.6.35.5/drivers/acpi/processor_driver.c      2010-09-17 20:12:09.000000000 -0400
20612 @@ -586,7 +586,7 @@ static int __cpuinit acpi_processor_add(
20613                 return 0;
20614  #endif
20615  
20616 -       BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20617 +       BUG_ON(pr->id >= nr_cpu_ids);
20618  
20619         /*
20620          * Buggy BIOS check
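Review bot: `BUG_ON(pr->id >= nr_cpu_ids)` now catches an invalid negative id only if the comparison is done unsigned, which depends on the types of `pr->id` and `nr_cpu_ids`, both declared outside this hunk. If the field is unsigned, the removed `pr->id < 0` test was dead and the new line is equivalent; if it is ever made signed, a negative id would pass unnoticed. A comment such as `/* pr->id is unsigned, so an invalid (-1) id also trips this */` or the explicit form `BUG_ON((unsigned int)pr->id >= nr_cpu_ids);` would keep the intent visible.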
20621 diff -urNp linux-2.6.35.5/drivers/acpi/processor_idle.c linux-2.6.35.5/drivers/acpi/processor_idle.c
20622 --- linux-2.6.35.5/drivers/acpi/processor_idle.c        2010-08-26 19:47:12.000000000 -0400
20623 +++ linux-2.6.35.5/drivers/acpi/processor_idle.c        2010-09-17 20:12:09.000000000 -0400
20624 @@ -124,7 +124,7 @@ static struct dmi_system_id __cpuinitdat
20625           DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20626           DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20627          (void *)1},
20628 -       {},
20629 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20630  };
20631  
20632  
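Review bot: The new terminator `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` is positional, so it depends on the field order and count of the structure in a way the empty `{}` did not. The same holds for the positional terminators added further down in ahci.c, ata_piix.c and libata-core.c. A trailing comment on each, for example `/* terminator: every field zero */`, would make clear that the entry carries no data. Any field later added to one of these structures means these lines have to be revisited.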
20633 diff -urNp linux-2.6.35.5/drivers/acpi/sleep.c linux-2.6.35.5/drivers/acpi/sleep.c
20634 --- linux-2.6.35.5/drivers/acpi/sleep.c 2010-08-26 19:47:12.000000000 -0400
20635 +++ linux-2.6.35.5/drivers/acpi/sleep.c 2010-09-17 20:12:09.000000000 -0400
20636 @@ -318,7 +318,7 @@ static int acpi_suspend_state_valid(susp
20637         }
20638  }
20639  
20640 -static struct platform_suspend_ops acpi_suspend_ops = {
20641 +static const struct platform_suspend_ops acpi_suspend_ops = {
20642         .valid = acpi_suspend_state_valid,
20643         .begin = acpi_suspend_begin,
20644         .prepare_late = acpi_pm_prepare,
20645 @@ -346,7 +346,7 @@ static int acpi_suspend_begin_old(suspen
20646   * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20647   * been requested.
20648   */
20649 -static struct platform_suspend_ops acpi_suspend_ops_old = {
20650 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
20651         .valid = acpi_suspend_state_valid,
20652         .begin = acpi_suspend_begin_old,
20653         .prepare_late = acpi_pm_freeze,
20654 @@ -478,7 +478,7 @@ static void acpi_pm_thaw(void)
20655         acpi_enable_all_runtime_gpes();
20656  }
20657  
20658 -static struct platform_hibernation_ops acpi_hibernation_ops = {
20659 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
20660         .begin = acpi_hibernation_begin,
20661         .end = acpi_pm_end,
20662         .pre_snapshot = acpi_hibernation_pre_snapshot,
20663 @@ -528,7 +528,7 @@ static int acpi_hibernation_pre_snapshot
20664   * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
20665   * been requested.
20666   */
20667 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
20668 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
20669         .begin = acpi_hibernation_begin_old,
20670         .end = acpi_pm_end,
20671         .pre_snapshot = acpi_hibernation_pre_snapshot_old,
20672 diff -urNp linux-2.6.35.5/drivers/acpi/video.c linux-2.6.35.5/drivers/acpi/video.c
20673 --- linux-2.6.35.5/drivers/acpi/video.c 2010-08-26 19:47:12.000000000 -0400
20674 +++ linux-2.6.35.5/drivers/acpi/video.c 2010-09-17 20:12:09.000000000 -0400
20675 @@ -363,7 +363,7 @@ static int acpi_video_set_brightness(str
20676                                 vd->brightness->levels[request_level]);
20677  }
20678  
20679 -static struct backlight_ops acpi_backlight_ops = {
20680 +static const struct backlight_ops acpi_backlight_ops = {
20681         .get_brightness = acpi_video_get_brightness,
20682         .update_status  = acpi_video_set_brightness,
20683  };
20684 diff -urNp linux-2.6.35.5/drivers/ata/ahci.c linux-2.6.35.5/drivers/ata/ahci.c
20685 --- linux-2.6.35.5/drivers/ata/ahci.c   2010-08-26 19:47:12.000000000 -0400
20686 +++ linux-2.6.35.5/drivers/ata/ahci.c   2010-09-17 20:12:09.000000000 -0400
20687 @@ -89,17 +89,17 @@ static int ahci_pci_device_suspend(struc
20688  static int ahci_pci_device_resume(struct pci_dev *pdev);
20689  #endif
20690  
20691 -static struct ata_port_operations ahci_vt8251_ops = {
20692 +static const struct ata_port_operations ahci_vt8251_ops = {
20693         .inherits               = &ahci_ops,
20694         .hardreset              = ahci_vt8251_hardreset,
20695  };
20696  
20697 -static struct ata_port_operations ahci_p5wdh_ops = {
20698 +static const struct ata_port_operations ahci_p5wdh_ops = {
20699         .inherits               = &ahci_ops,
20700         .hardreset              = ahci_p5wdh_hardreset,
20701  };
20702  
20703 -static struct ata_port_operations ahci_sb600_ops = {
20704 +static const struct ata_port_operations ahci_sb600_ops = {
20705         .inherits               = &ahci_ops,
20706         .softreset              = ahci_sb600_softreset,
20707         .pmp_softreset          = ahci_sb600_softreset,
20708 @@ -370,7 +370,7 @@ static const struct pci_device_id ahci_p
20709         { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20710           PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20711  
20712 -       { }     /* terminate list */
20713 +       { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20714  };
20715  
20716  
20717 diff -urNp linux-2.6.35.5/drivers/ata/ahci.h linux-2.6.35.5/drivers/ata/ahci.h
20718 --- linux-2.6.35.5/drivers/ata/ahci.h   2010-08-26 19:47:12.000000000 -0400
20719 +++ linux-2.6.35.5/drivers/ata/ahci.h   2010-09-17 20:12:09.000000000 -0400
20720 @@ -298,7 +298,7 @@ struct ahci_host_priv {
20721  extern int ahci_ignore_sss;
20722  
20723  extern struct scsi_host_template ahci_sht;
20724 -extern struct ata_port_operations ahci_ops;
20725 +extern const struct ata_port_operations ahci_ops;
20726  
20727  void ahci_save_initial_config(struct device *dev,
20728                               struct ahci_host_priv *hpriv,
20729 diff -urNp linux-2.6.35.5/drivers/ata/ata_generic.c linux-2.6.35.5/drivers/ata/ata_generic.c
20730 --- linux-2.6.35.5/drivers/ata/ata_generic.c    2010-08-26 19:47:12.000000000 -0400
20731 +++ linux-2.6.35.5/drivers/ata/ata_generic.c    2010-09-17 20:12:09.000000000 -0400
20732 @@ -104,7 +104,7 @@ static struct scsi_host_template generic
20733         ATA_BMDMA_SHT(DRV_NAME),
20734  };
20735  
20736 -static struct ata_port_operations generic_port_ops = {
20737 +static const struct ata_port_operations generic_port_ops = {
20738         .inherits       = &ata_bmdma_port_ops,
20739         .cable_detect   = ata_cable_unknown,
20740         .set_mode       = generic_set_mode,
20741 diff -urNp linux-2.6.35.5/drivers/ata/ata_piix.c linux-2.6.35.5/drivers/ata/ata_piix.c
20742 --- linux-2.6.35.5/drivers/ata/ata_piix.c       2010-08-26 19:47:12.000000000 -0400
20743 +++ linux-2.6.35.5/drivers/ata/ata_piix.c       2010-09-17 20:12:09.000000000 -0400
20744 @@ -302,7 +302,7 @@ static const struct pci_device_id piix_p
20745         { 0x8086, 0x1c08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20746         /* SATA Controller IDE (CPT) */
20747         { 0x8086, 0x1c09, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20748 -       { }     /* terminate list */
20749 +       { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20750  };
20751  
20752  static struct pci_driver piix_pci_driver = {
20753 @@ -320,12 +320,12 @@ static struct scsi_host_template piix_sh
20754         ATA_BMDMA_SHT(DRV_NAME),
20755  };
20756  
20757 -static struct ata_port_operations piix_sata_ops = {
20758 +static const struct ata_port_operations piix_sata_ops = {
20759         .inherits               = &ata_bmdma32_port_ops,
20760         .sff_irq_check          = piix_irq_check,
20761  };
20762  
20763 -static struct ata_port_operations piix_pata_ops = {
20764 +static const struct ata_port_operations piix_pata_ops = {
20765         .inherits               = &piix_sata_ops,
20766         .cable_detect           = ata_cable_40wire,
20767         .set_piomode            = piix_set_piomode,
20768 @@ -333,18 +333,18 @@ static struct ata_port_operations piix_p
20769         .prereset               = piix_pata_prereset,
20770  };
20771  
20772 -static struct ata_port_operations piix_vmw_ops = {
20773 +static const struct ata_port_operations piix_vmw_ops = {
20774         .inherits               = &piix_pata_ops,
20775         .bmdma_status           = piix_vmw_bmdma_status,
20776  };
20777  
20778 -static struct ata_port_operations ich_pata_ops = {
20779 +static const struct ata_port_operations ich_pata_ops = {
20780         .inherits               = &piix_pata_ops,
20781         .cable_detect           = ich_pata_cable_detect,
20782         .set_dmamode            = ich_set_dmamode,
20783  };
20784  
20785 -static struct ata_port_operations piix_sidpr_sata_ops = {
20786 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20787         .inherits               = &piix_sata_ops,
20788         .hardreset              = sata_std_hardreset,
20789         .scr_read               = piix_sidpr_scr_read,
20790 @@ -620,7 +620,7 @@ static const struct ich_laptop ich_lapto
20791         { 0x2653, 0x1043, 0x82D8 },     /* ICH6M on Asus Eee 701 */
20792         { 0x27df, 0x104d, 0x900e },     /* ICH7 on Sony TZ-90 */
20793         /* end marker */
20794 -       { 0, }
20795 +       { 0, 0, 0 }
20796  };
20797  
20798  /**
20799 @@ -1112,7 +1112,7 @@ static int piix_broken_suspend(void)
20800                         },
20801                 },
20802  
20803 -               { }     /* terminate list */
20804 +               { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }        /* terminate list */
20805         };
20806         static const char *oemstrs[] = {
20807                 "Tecra M3,",
20808 diff -urNp linux-2.6.35.5/drivers/ata/libahci.c linux-2.6.35.5/drivers/ata/libahci.c
20809 --- linux-2.6.35.5/drivers/ata/libahci.c        2010-09-20 17:33:09.000000000 -0400
20810 +++ linux-2.6.35.5/drivers/ata/libahci.c        2010-09-20 17:33:32.000000000 -0400
20811 @@ -149,7 +149,7 @@ struct scsi_host_template ahci_sht = {
20812  };
20813  EXPORT_SYMBOL_GPL(ahci_sht);
20814  
20815 -struct ata_port_operations ahci_ops = {
20816 +const struct ata_port_operations ahci_ops = {
20817         .inherits               = &sata_pmp_port_ops,
20818  
20819         .qc_defer               = ahci_pmp_qc_defer,
20820 diff -urNp linux-2.6.35.5/drivers/ata/libata-acpi.c linux-2.6.35.5/drivers/ata/libata-acpi.c
20821 --- linux-2.6.35.5/drivers/ata/libata-acpi.c    2010-08-26 19:47:12.000000000 -0400
20822 +++ linux-2.6.35.5/drivers/ata/libata-acpi.c    2010-09-17 20:12:09.000000000 -0400
20823 @@ -224,12 +224,12 @@ static void ata_acpi_dev_uevent(acpi_han
20824         ata_acpi_uevent(dev->link->ap, dev, event);
20825  }
20826  
20827 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20828 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20829         .handler = ata_acpi_dev_notify_dock,
20830         .uevent = ata_acpi_dev_uevent,
20831  };
20832  
20833 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20834 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20835         .handler = ata_acpi_ap_notify_dock,
20836         .uevent = ata_acpi_ap_uevent,
20837  };
20838 diff -urNp linux-2.6.35.5/drivers/ata/libata-core.c linux-2.6.35.5/drivers/ata/libata-core.c
20839 --- linux-2.6.35.5/drivers/ata/libata-core.c    2010-09-20 17:33:09.000000000 -0400
20840 +++ linux-2.6.35.5/drivers/ata/libata-core.c    2010-09-20 17:33:32.000000000 -0400
20841 @@ -901,7 +901,7 @@ static const struct ata_xfer_ent {
20842         { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20843         { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20844         { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20845 -       { -1, },
20846 +       { -1, 0, 0 }
20847  };
20848  
20849  /**
20850 @@ -3073,7 +3073,7 @@ static const struct ata_timing ata_timin
20851         { XFER_UDMA_5,     0,   0,   0,   0,   0,   0, 0,    0,  20 },
20852         { XFER_UDMA_6,     0,   0,   0,   0,   0,   0, 0,    0,  15 },
20853  
20854 -       { 0xFF }
20855 +       { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20856  };
20857  
20858  #define ENOUGH(v, unit)                (((v)-1)/(unit)+1)
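Review bot: The new end marker `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }` lists nine values, while the rows above it in this hunk (for example the `XFER_UDMA_6` row) list ten. The last field is still zero-initialized by the language, so behaviour is unchanged. If the aim of the change is to spell out every field, the marker is one short; `{ 0xFF, 0, 0, 0, 0, 0, 0, 0, 0, 0 }` matches the table rows.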
20859 @@ -4323,7 +4323,7 @@ static const struct ata_blacklist_entry 
20860         { "PIONEER DVD-RW  DVRTD08",    "1.00", ATA_HORKAGE_NOSETXFER },
20861  
20862         /* End Marker */
20863 -       { }
20864 +       { NULL, NULL, 0 }
20865  };
20866  
20867  static int strn_pattern_cmp(const char *patt, const char *name, int wildchar)
20868 @@ -5881,7 +5881,7 @@ static void ata_host_stop(struct device 
20869   *     LOCKING:
20870   *     None.
20871   */
20872 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
20873 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
20874  {
20875         static DEFINE_SPINLOCK(lock);
20876         const struct ata_port_operations *cur;
20877 @@ -5893,6 +5893,7 @@ static void ata_finalize_port_ops(struct
20878                 return;
20879  
20880         spin_lock(&lock);
20881 +       pax_open_kernel();
20882  
20883         for (cur = ops->inherits; cur; cur = cur->inherits) {
20884                 void **inherit = (void **)cur;
20885 @@ -5906,8 +5907,9 @@ static void ata_finalize_port_ops(struct
20886                 if (IS_ERR(*pp))
20887                         *pp = NULL;
20888  
20889 -       ops->inherits = NULL;
20890 +       ((struct ata_port_operations *)ops)->inherits = NULL;
20891  
20892 +       pax_close_kernel();
20893         spin_unlock(&lock);
20894  }
20895  
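Review bot: `((struct ata_port_operations *)ops)->inherits = NULL` casts away the `const` that the new signature adds, and the write is only legitimate because it sits between `pax_open_kernel()` and `pax_close_kernel()`; nothing in the function says so. Writing to an object defined `const` is undefined behaviour as far as the compiler is concerned, so this depends on each table being finalized in place, here, under `lock`. The write-enabled window opened in the previous hunk also spans the whole inheritance walk, so every store in that loop should be checked to target only the `ops` table. I would add a comment above the open call along the lines of `/* ops tables are const; they are patched in place here with kernel write protection lifted */`. The loop body between the hunks is not fully visible here.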
20896 @@ -6004,7 +6006,7 @@ int ata_host_start(struct ata_host *host
20897   */
20898  /* KILLME - the only user left is ipr */
20899  void ata_host_init(struct ata_host *host, struct device *dev,
20900 -                  unsigned long flags, struct ata_port_operations *ops)
20901 +                  unsigned long flags, const struct ata_port_operations *ops)
20902  {
20903         spin_lock_init(&host->lock);
20904         host->dev = dev;
20905 @@ -6654,7 +6656,7 @@ static void ata_dummy_error_handler(stru
20906         /* truly dummy */
20907  }
20908  
20909 -struct ata_port_operations ata_dummy_port_ops = {
20910 +const struct ata_port_operations ata_dummy_port_ops = {
20911         .qc_prep                = ata_noop_qc_prep,
20912         .qc_issue               = ata_dummy_qc_issue,
20913         .error_handler          = ata_dummy_error_handler,
20914 diff -urNp linux-2.6.35.5/drivers/ata/libata-eh.c linux-2.6.35.5/drivers/ata/libata-eh.c
20915 --- linux-2.6.35.5/drivers/ata/libata-eh.c      2010-09-20 17:33:09.000000000 -0400
20916 +++ linux-2.6.35.5/drivers/ata/libata-eh.c      2010-09-20 17:33:32.000000000 -0400
20917 @@ -3684,7 +3684,7 @@ void ata_do_eh(struct ata_port *ap, ata_
20918   */
20919  void ata_std_error_handler(struct ata_port *ap)
20920  {
20921 -       struct ata_port_operations *ops = ap->ops;
20922 +       const struct ata_port_operations *ops = ap->ops;
20923         ata_reset_fn_t hardreset = ops->hardreset;
20924  
20925         /* ignore built-in hardreset if SCR access is not available */
20926 diff -urNp linux-2.6.35.5/drivers/ata/libata-pmp.c linux-2.6.35.5/drivers/ata/libata-pmp.c
20927 --- linux-2.6.35.5/drivers/ata/libata-pmp.c     2010-08-26 19:47:12.000000000 -0400
20928 +++ linux-2.6.35.5/drivers/ata/libata-pmp.c     2010-09-17 20:12:09.000000000 -0400
20929 @@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
20930   */
20931  static int sata_pmp_eh_recover(struct ata_port *ap)
20932  {
20933 -       struct ata_port_operations *ops = ap->ops;
20934 +       const struct ata_port_operations *ops = ap->ops;
20935         int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
20936         struct ata_link *pmp_link = &ap->link;
20937         struct ata_device *pmp_dev = pmp_link->device;
20938 diff -urNp linux-2.6.35.5/drivers/ata/pata_acpi.c linux-2.6.35.5/drivers/ata/pata_acpi.c
20939 --- linux-2.6.35.5/drivers/ata/pata_acpi.c      2010-08-26 19:47:12.000000000 -0400
20940 +++ linux-2.6.35.5/drivers/ata/pata_acpi.c      2010-09-17 20:12:09.000000000 -0400
20941 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
20942         ATA_BMDMA_SHT(DRV_NAME),
20943  };
20944  
20945 -static struct ata_port_operations pacpi_ops = {
20946 +static const struct ata_port_operations pacpi_ops = {
20947         .inherits               = &ata_bmdma_port_ops,
20948         .qc_issue               = pacpi_qc_issue,
20949         .cable_detect           = pacpi_cable_detect,
20950 diff -urNp linux-2.6.35.5/drivers/ata/pata_ali.c linux-2.6.35.5/drivers/ata/pata_ali.c
20951 --- linux-2.6.35.5/drivers/ata/pata_ali.c       2010-08-26 19:47:12.000000000 -0400
20952 +++ linux-2.6.35.5/drivers/ata/pata_ali.c       2010-09-17 20:12:09.000000000 -0400
20953 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
20954   *     Port operations for PIO only ALi
20955   */
20956  
20957 -static struct ata_port_operations ali_early_port_ops = {
20958 +static const struct ata_port_operations ali_early_port_ops = {
20959         .inherits       = &ata_sff_port_ops,
20960         .cable_detect   = ata_cable_40wire,
20961         .set_piomode    = ali_set_piomode,
20962 @@ -380,7 +380,7 @@ static const struct ata_port_operations 
20963   *     Port operations for DMA capable ALi without cable
20964   *     detect
20965   */
20966 -static struct ata_port_operations ali_20_port_ops = {
20967 +static const struct ata_port_operations ali_20_port_ops = {
20968         .inherits       = &ali_dma_base_ops,
20969         .cable_detect   = ata_cable_40wire,
20970         .mode_filter    = ali_20_filter,
20971 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
20972  /*
20973   *     Port operations for DMA capable ALi with cable detect
20974   */
20975 -static struct ata_port_operations ali_c2_port_ops = {
20976 +static const struct ata_port_operations ali_c2_port_ops = {
20977         .inherits       = &ali_dma_base_ops,
20978         .check_atapi_dma = ali_check_atapi_dma,
20979         .cable_detect   = ali_c2_cable_detect,
20980 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
20981  /*
20982   *     Port operations for DMA capable ALi with cable detect
20983   */
20984 -static struct ata_port_operations ali_c4_port_ops = {
20985 +static const struct ata_port_operations ali_c4_port_ops = {
20986         .inherits       = &ali_dma_base_ops,
20987         .check_atapi_dma = ali_check_atapi_dma,
20988         .cable_detect   = ali_c2_cable_detect,
20989 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
20990  /*
20991   *     Port operations for DMA capable ALi with cable detect and LBA48
20992   */
20993 -static struct ata_port_operations ali_c5_port_ops = {
20994 +static const struct ata_port_operations ali_c5_port_ops = {
20995         .inherits       = &ali_dma_base_ops,
20996         .check_atapi_dma = ali_check_atapi_dma,
20997         .dev_config     = ali_warn_atapi_dma,
20998 diff -urNp linux-2.6.35.5/drivers/ata/pata_amd.c linux-2.6.35.5/drivers/ata/pata_amd.c
20999 --- linux-2.6.35.5/drivers/ata/pata_amd.c       2010-08-26 19:47:12.000000000 -0400
21000 +++ linux-2.6.35.5/drivers/ata/pata_amd.c       2010-09-17 20:12:09.000000000 -0400
21001 @@ -397,28 +397,28 @@ static const struct ata_port_operations 
21002         .prereset       = amd_pre_reset,
21003  };
21004  
21005 -static struct ata_port_operations amd33_port_ops = {
21006 +static const struct ata_port_operations amd33_port_ops = {
21007         .inherits       = &amd_base_port_ops,
21008         .cable_detect   = ata_cable_40wire,
21009         .set_piomode    = amd33_set_piomode,
21010         .set_dmamode    = amd33_set_dmamode,
21011  };
21012  
21013 -static struct ata_port_operations amd66_port_ops = {
21014 +static const struct ata_port_operations amd66_port_ops = {
21015         .inherits       = &amd_base_port_ops,
21016         .cable_detect   = ata_cable_unknown,
21017         .set_piomode    = amd66_set_piomode,
21018         .set_dmamode    = amd66_set_dmamode,
21019  };
21020  
21021 -static struct ata_port_operations amd100_port_ops = {
21022 +static const struct ata_port_operations amd100_port_ops = {
21023         .inherits       = &amd_base_port_ops,
21024         .cable_detect   = ata_cable_unknown,
21025         .set_piomode    = amd100_set_piomode,
21026         .set_dmamode    = amd100_set_dmamode,
21027  };
21028  
21029 -static struct ata_port_operations amd133_port_ops = {
21030 +static const struct ata_port_operations amd133_port_ops = {
21031         .inherits       = &amd_base_port_ops,
21032         .cable_detect   = amd_cable_detect,
21033         .set_piomode    = amd133_set_piomode,
21034 @@ -433,13 +433,13 @@ static const struct ata_port_operations 
21035         .host_stop      = nv_host_stop,
21036  };
21037  
21038 -static struct ata_port_operations nv100_port_ops = {
21039 +static const struct ata_port_operations nv100_port_ops = {
21040         .inherits       = &nv_base_port_ops,
21041         .set_piomode    = nv100_set_piomode,
21042         .set_dmamode    = nv100_set_dmamode,
21043  };
21044  
21045 -static struct ata_port_operations nv133_port_ops = {
21046 +static const struct ata_port_operations nv133_port_ops = {
21047         .inherits       = &nv_base_port_ops,
21048         .set_piomode    = nv133_set_piomode,
21049         .set_dmamode    = nv133_set_dmamode,
21050 diff -urNp linux-2.6.35.5/drivers/ata/pata_artop.c linux-2.6.35.5/drivers/ata/pata_artop.c
21051 --- linux-2.6.35.5/drivers/ata/pata_artop.c     2010-08-26 19:47:12.000000000 -0400
21052 +++ linux-2.6.35.5/drivers/ata/pata_artop.c     2010-09-17 20:12:09.000000000 -0400
21053 @@ -311,7 +311,7 @@ static struct scsi_host_template artop_s
21054         ATA_BMDMA_SHT(DRV_NAME),
21055  };
21056  
21057 -static struct ata_port_operations artop6210_ops = {
21058 +static const struct ata_port_operations artop6210_ops = {
21059         .inherits               = &ata_bmdma_port_ops,
21060         .cable_detect           = ata_cable_40wire,
21061         .set_piomode            = artop6210_set_piomode,
21062 @@ -320,7 +320,7 @@ static struct ata_port_operations artop6
21063         .qc_defer               = artop6210_qc_defer,
21064  };
21065  
21066 -static struct ata_port_operations artop6260_ops = {
21067 +static const struct ata_port_operations artop6260_ops = {
21068         .inherits               = &ata_bmdma_port_ops,
21069         .cable_detect           = artop6260_cable_detect,
21070         .set_piomode            = artop6260_set_piomode,
21071 diff -urNp linux-2.6.35.5/drivers/ata/pata_at32.c linux-2.6.35.5/drivers/ata/pata_at32.c
21072 --- linux-2.6.35.5/drivers/ata/pata_at32.c      2010-08-26 19:47:12.000000000 -0400
21073 +++ linux-2.6.35.5/drivers/ata/pata_at32.c      2010-09-17 20:12:09.000000000 -0400
21074 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21075         ATA_PIO_SHT(DRV_NAME),
21076  };
21077  
21078 -static struct ata_port_operations at32_port_ops = {
21079 +static const struct ata_port_operations at32_port_ops = {
21080         .inherits               = &ata_sff_port_ops,
21081         .cable_detect           = ata_cable_40wire,
21082         .set_piomode            = pata_at32_set_piomode,
21083 diff -urNp linux-2.6.35.5/drivers/ata/pata_at91.c linux-2.6.35.5/drivers/ata/pata_at91.c
21084 --- linux-2.6.35.5/drivers/ata/pata_at91.c      2010-08-26 19:47:12.000000000 -0400
21085 +++ linux-2.6.35.5/drivers/ata/pata_at91.c      2010-09-17 20:12:09.000000000 -0400
21086 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21087         ATA_PIO_SHT(DRV_NAME),
21088  };
21089  
21090 -static struct ata_port_operations pata_at91_port_ops = {
21091 +static const struct ata_port_operations pata_at91_port_ops = {
21092         .inherits       = &ata_sff_port_ops,
21093  
21094         .sff_data_xfer  = pata_at91_data_xfer_noirq,
21095 diff -urNp linux-2.6.35.5/drivers/ata/pata_atiixp.c linux-2.6.35.5/drivers/ata/pata_atiixp.c
21096 --- linux-2.6.35.5/drivers/ata/pata_atiixp.c    2010-08-26 19:47:12.000000000 -0400
21097 +++ linux-2.6.35.5/drivers/ata/pata_atiixp.c    2010-09-17 20:12:09.000000000 -0400
21098 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21099         .sg_tablesize           = LIBATA_DUMB_MAX_PRD,
21100  };
21101  
21102 -static struct ata_port_operations atiixp_port_ops = {
21103 +static const struct ata_port_operations atiixp_port_ops = {
21104         .inherits       = &ata_bmdma_port_ops,
21105  
21106         .qc_prep        = ata_bmdma_dumb_qc_prep,
21107 diff -urNp linux-2.6.35.5/drivers/ata/pata_atp867x.c linux-2.6.35.5/drivers/ata/pata_atp867x.c
21108 --- linux-2.6.35.5/drivers/ata/pata_atp867x.c   2010-08-26 19:47:12.000000000 -0400
21109 +++ linux-2.6.35.5/drivers/ata/pata_atp867x.c   2010-09-17 20:12:09.000000000 -0400
21110 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21111         ATA_BMDMA_SHT(DRV_NAME),
21112  };
21113  
21114 -static struct ata_port_operations atp867x_ops = {
21115 +static const struct ata_port_operations atp867x_ops = {
21116         .inherits               = &ata_bmdma_port_ops,
21117         .cable_detect           = atp867x_cable_detect,
21118         .set_piomode            = atp867x_set_piomode,
21119 diff -urNp linux-2.6.35.5/drivers/ata/pata_bf54x.c linux-2.6.35.5/drivers/ata/pata_bf54x.c
21120 --- linux-2.6.35.5/drivers/ata/pata_bf54x.c     2010-08-26 19:47:12.000000000 -0400
21121 +++ linux-2.6.35.5/drivers/ata/pata_bf54x.c     2010-09-17 20:12:09.000000000 -0400
21122 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21123         .dma_boundary           = ATA_DMA_BOUNDARY,
21124  };
21125  
21126 -static struct ata_port_operations bfin_pata_ops = {
21127 +static const struct ata_port_operations bfin_pata_ops = {
21128         .inherits               = &ata_bmdma_port_ops,
21129  
21130         .set_piomode            = bfin_set_piomode,
21131 diff -urNp linux-2.6.35.5/drivers/ata/pata_cmd640.c linux-2.6.35.5/drivers/ata/pata_cmd640.c
21132 --- linux-2.6.35.5/drivers/ata/pata_cmd640.c    2010-08-26 19:47:12.000000000 -0400
21133 +++ linux-2.6.35.5/drivers/ata/pata_cmd640.c    2010-09-17 20:12:09.000000000 -0400
21134 @@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21135         ATA_PIO_SHT(DRV_NAME),
21136  };
21137  
21138 -static struct ata_port_operations cmd640_port_ops = {
21139 +static const struct ata_port_operations cmd640_port_ops = {
21140         .inherits       = &ata_sff_port_ops,
21141         /* In theory xfer_noirq is not needed once we kill the prefetcher */
21142         .sff_data_xfer  = ata_sff_data_xfer_noirq,
21143 diff -urNp linux-2.6.35.5/drivers/ata/pata_cmd64x.c linux-2.6.35.5/drivers/ata/pata_cmd64x.c
21144 --- linux-2.6.35.5/drivers/ata/pata_cmd64x.c    2010-09-20 17:33:09.000000000 -0400
21145 +++ linux-2.6.35.5/drivers/ata/pata_cmd64x.c    2010-09-20 17:33:32.000000000 -0400
21146 @@ -268,18 +268,18 @@ static const struct ata_port_operations 
21147         .set_dmamode    = cmd64x_set_dmamode,
21148  };
21149  
21150 -static struct ata_port_operations cmd64x_port_ops = {
21151 +static const struct ata_port_operations cmd64x_port_ops = {
21152         .inherits       = &cmd64x_base_ops,
21153         .cable_detect   = ata_cable_40wire,
21154  };
21155  
21156 -static struct ata_port_operations cmd646r1_port_ops = {
21157 +static const struct ata_port_operations cmd646r1_port_ops = {
21158         .inherits       = &cmd64x_base_ops,
21159         .bmdma_stop     = cmd646r1_bmdma_stop,
21160         .cable_detect   = ata_cable_40wire,
21161  };
21162  
21163 -static struct ata_port_operations cmd648_port_ops = {
21164 +static const struct ata_port_operations cmd648_port_ops = {
21165         .inherits       = &cmd64x_base_ops,
21166         .bmdma_stop     = cmd648_bmdma_stop,
21167         .cable_detect   = cmd648_cable_detect,
21168 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5520.c linux-2.6.35.5/drivers/ata/pata_cs5520.c
21169 --- linux-2.6.35.5/drivers/ata/pata_cs5520.c    2010-08-26 19:47:12.000000000 -0400
21170 +++ linux-2.6.35.5/drivers/ata/pata_cs5520.c    2010-09-17 20:12:09.000000000 -0400
21171 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21172         .sg_tablesize           = LIBATA_DUMB_MAX_PRD,
21173  };
21174  
21175 -static struct ata_port_operations cs5520_port_ops = {
21176 +static const struct ata_port_operations cs5520_port_ops = {
21177         .inherits               = &ata_bmdma_port_ops,
21178         .qc_prep                = ata_bmdma_dumb_qc_prep,
21179         .cable_detect           = ata_cable_40wire,
21180 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5530.c linux-2.6.35.5/drivers/ata/pata_cs5530.c
21181 --- linux-2.6.35.5/drivers/ata/pata_cs5530.c    2010-08-26 19:47:12.000000000 -0400
21182 +++ linux-2.6.35.5/drivers/ata/pata_cs5530.c    2010-09-17 20:12:09.000000000 -0400
21183 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21184         .sg_tablesize   = LIBATA_DUMB_MAX_PRD,
21185  };
21186  
21187 -static struct ata_port_operations cs5530_port_ops = {
21188 +static const struct ata_port_operations cs5530_port_ops = {
21189         .inherits       = &ata_bmdma_port_ops,
21190  
21191         .qc_prep        = ata_bmdma_dumb_qc_prep,
21192 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5535.c linux-2.6.35.5/drivers/ata/pata_cs5535.c
21193 --- linux-2.6.35.5/drivers/ata/pata_cs5535.c    2010-08-26 19:47:12.000000000 -0400
21194 +++ linux-2.6.35.5/drivers/ata/pata_cs5535.c    2010-09-17 20:12:09.000000000 -0400
21195 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21196         ATA_BMDMA_SHT(DRV_NAME),
21197  };
21198  
21199 -static struct ata_port_operations cs5535_port_ops = {
21200 +static const struct ata_port_operations cs5535_port_ops = {
21201         .inherits       = &ata_bmdma_port_ops,
21202         .cable_detect   = cs5535_cable_detect,
21203         .set_piomode    = cs5535_set_piomode,
21204 diff -urNp linux-2.6.35.5/drivers/ata/pata_cs5536.c linux-2.6.35.5/drivers/ata/pata_cs5536.c
21205 --- linux-2.6.35.5/drivers/ata/pata_cs5536.c    2010-08-26 19:47:12.000000000 -0400
21206 +++ linux-2.6.35.5/drivers/ata/pata_cs5536.c    2010-09-17 20:12:09.000000000 -0400
21207 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21208         ATA_BMDMA_SHT(DRV_NAME),
21209  };
21210  
21211 -static struct ata_port_operations cs5536_port_ops = {
21212 +static const struct ata_port_operations cs5536_port_ops = {
21213         .inherits               = &ata_bmdma32_port_ops,
21214         .cable_detect           = cs5536_cable_detect,
21215         .set_piomode            = cs5536_set_piomode,
21216 diff -urNp linux-2.6.35.5/drivers/ata/pata_cypress.c linux-2.6.35.5/drivers/ata/pata_cypress.c
21217 --- linux-2.6.35.5/drivers/ata/pata_cypress.c   2010-08-26 19:47:12.000000000 -0400
21218 +++ linux-2.6.35.5/drivers/ata/pata_cypress.c   2010-09-17 20:12:09.000000000 -0400
21219 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21220         ATA_BMDMA_SHT(DRV_NAME),
21221  };
21222  
21223 -static struct ata_port_operations cy82c693_port_ops = {
21224 +static const struct ata_port_operations cy82c693_port_ops = {
21225         .inherits       = &ata_bmdma_port_ops,
21226         .cable_detect   = ata_cable_40wire,
21227         .set_piomode    = cy82c693_set_piomode,
21228 diff -urNp linux-2.6.35.5/drivers/ata/pata_efar.c linux-2.6.35.5/drivers/ata/pata_efar.c
21229 --- linux-2.6.35.5/drivers/ata/pata_efar.c      2010-08-26 19:47:12.000000000 -0400
21230 +++ linux-2.6.35.5/drivers/ata/pata_efar.c      2010-09-17 20:12:09.000000000 -0400
21231 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21232         ATA_BMDMA_SHT(DRV_NAME),
21233  };
21234  
21235 -static struct ata_port_operations efar_ops = {
21236 +static const struct ata_port_operations efar_ops = {
21237         .inherits               = &ata_bmdma_port_ops,
21238         .cable_detect           = efar_cable_detect,
21239         .set_piomode            = efar_set_piomode,
21240 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt366.c linux-2.6.35.5/drivers/ata/pata_hpt366.c
21241 --- linux-2.6.35.5/drivers/ata/pata_hpt366.c    2010-08-26 19:47:12.000000000 -0400
21242 +++ linux-2.6.35.5/drivers/ata/pata_hpt366.c    2010-09-17 20:12:09.000000000 -0400
21243 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21244   *     Configuration for HPT366/68
21245   */
21246  
21247 -static struct ata_port_operations hpt366_port_ops = {
21248 +static const struct ata_port_operations hpt366_port_ops = {
21249         .inherits       = &ata_bmdma_port_ops,
21250         .cable_detect   = hpt36x_cable_detect,
21251         .mode_filter    = hpt366_filter,
21252 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt37x.c linux-2.6.35.5/drivers/ata/pata_hpt37x.c
21253 --- linux-2.6.35.5/drivers/ata/pata_hpt37x.c    2010-08-26 19:47:12.000000000 -0400
21254 +++ linux-2.6.35.5/drivers/ata/pata_hpt37x.c    2010-09-17 20:12:09.000000000 -0400
21255 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21256   *     Configuration for HPT370
21257   */
21258  
21259 -static struct ata_port_operations hpt370_port_ops = {
21260 +static const struct ata_port_operations hpt370_port_ops = {
21261         .inherits       = &ata_bmdma_port_ops,
21262  
21263         .bmdma_stop     = hpt370_bmdma_stop,
21264 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21265   *     Configuration for HPT370A. Close to 370 but less filters
21266   */
21267  
21268 -static struct ata_port_operations hpt370a_port_ops = {
21269 +static const struct ata_port_operations hpt370a_port_ops = {
21270         .inherits       = &hpt370_port_ops,
21271         .mode_filter    = hpt370a_filter,
21272  };
21273 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21274   *     and DMA mode setting functionality.
21275   */
21276  
21277 -static struct ata_port_operations hpt372_port_ops = {
21278 +static const struct ata_port_operations hpt372_port_ops = {
21279         .inherits       = &ata_bmdma_port_ops,
21280  
21281         .bmdma_stop     = hpt37x_bmdma_stop,
21282 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21283   *     but we have a different cable detection procedure for function 1.
21284   */
21285  
21286 -static struct ata_port_operations hpt374_fn1_port_ops = {
21287 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21288         .inherits       = &hpt372_port_ops,
21289         .cable_detect   = hpt374_fn1_cable_detect,
21290         .prereset       = hpt37x_pre_reset,
21291 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c
21292 --- linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c   2010-08-26 19:47:12.000000000 -0400
21293 +++ linux-2.6.35.5/drivers/ata/pata_hpt3x2n.c   2010-09-17 20:12:09.000000000 -0400
21294 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21295   *     Configuration for HPT3x2n.
21296   */
21297  
21298 -static struct ata_port_operations hpt3x2n_port_ops = {
21299 +static const struct ata_port_operations hpt3x2n_port_ops = {
21300         .inherits       = &ata_bmdma_port_ops,
21301  
21302         .bmdma_stop     = hpt3x2n_bmdma_stop,
21303 diff -urNp linux-2.6.35.5/drivers/ata/pata_hpt3x3.c linux-2.6.35.5/drivers/ata/pata_hpt3x3.c
21304 --- linux-2.6.35.5/drivers/ata/pata_hpt3x3.c    2010-08-26 19:47:12.000000000 -0400
21305 +++ linux-2.6.35.5/drivers/ata/pata_hpt3x3.c    2010-09-17 20:12:09.000000000 -0400
21306 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21307         ATA_BMDMA_SHT(DRV_NAME),
21308  };
21309  
21310 -static struct ata_port_operations hpt3x3_port_ops = {
21311 +static const struct ata_port_operations hpt3x3_port_ops = {
21312         .inherits       = &ata_bmdma_port_ops,
21313         .cable_detect   = ata_cable_40wire,
21314         .set_piomode    = hpt3x3_set_piomode,
21315 diff -urNp linux-2.6.35.5/drivers/ata/pata_icside.c linux-2.6.35.5/drivers/ata/pata_icside.c
21316 --- linux-2.6.35.5/drivers/ata/pata_icside.c    2010-08-26 19:47:12.000000000 -0400
21317 +++ linux-2.6.35.5/drivers/ata/pata_icside.c    2010-09-17 20:12:09.000000000 -0400
21318 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21319         }
21320  }
21321  
21322 -static struct ata_port_operations pata_icside_port_ops = {
21323 +static const struct ata_port_operations pata_icside_port_ops = {
21324         .inherits               = &ata_bmdma_port_ops,
21325         /* no need to build any PRD tables for DMA */
21326         .qc_prep                = ata_noop_qc_prep,
21327 diff -urNp linux-2.6.35.5/drivers/ata/pata_isapnp.c linux-2.6.35.5/drivers/ata/pata_isapnp.c
21328 --- linux-2.6.35.5/drivers/ata/pata_isapnp.c    2010-08-26 19:47:12.000000000 -0400
21329 +++ linux-2.6.35.5/drivers/ata/pata_isapnp.c    2010-09-17 20:12:09.000000000 -0400
21330 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21331         ATA_PIO_SHT(DRV_NAME),
21332  };
21333  
21334 -static struct ata_port_operations isapnp_port_ops = {
21335 +static const struct ata_port_operations isapnp_port_ops = {
21336         .inherits       = &ata_sff_port_ops,
21337         .cable_detect   = ata_cable_40wire,
21338  };
21339  
21340 -static struct ata_port_operations isapnp_noalt_port_ops = {
21341 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21342         .inherits       = &ata_sff_port_ops,
21343         .cable_detect   = ata_cable_40wire,
21344         /* No altstatus so we don't want to use the lost interrupt poll */
21345 diff -urNp linux-2.6.35.5/drivers/ata/pata_it8213.c linux-2.6.35.5/drivers/ata/pata_it8213.c
21346 --- linux-2.6.35.5/drivers/ata/pata_it8213.c    2010-08-26 19:47:12.000000000 -0400
21347 +++ linux-2.6.35.5/drivers/ata/pata_it8213.c    2010-09-17 20:12:09.000000000 -0400
21348 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21349  };
21350  
21351  
21352 -static struct ata_port_operations it8213_ops = {
21353 +static const struct ata_port_operations it8213_ops = {
21354         .inherits               = &ata_bmdma_port_ops,
21355         .cable_detect           = it8213_cable_detect,
21356         .set_piomode            = it8213_set_piomode,
21357 diff -urNp linux-2.6.35.5/drivers/ata/pata_it821x.c linux-2.6.35.5/drivers/ata/pata_it821x.c
21358 --- linux-2.6.35.5/drivers/ata/pata_it821x.c    2010-08-26 19:47:12.000000000 -0400
21359 +++ linux-2.6.35.5/drivers/ata/pata_it821x.c    2010-09-17 20:12:09.000000000 -0400
21360 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21361         ATA_BMDMA_SHT(DRV_NAME),
21362  };
21363  
21364 -static struct ata_port_operations it821x_smart_port_ops = {
21365 +static const struct ata_port_operations it821x_smart_port_ops = {
21366         .inherits       = &ata_bmdma_port_ops,
21367  
21368         .check_atapi_dma= it821x_check_atapi_dma,
21369 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21370         .port_start     = it821x_port_start,
21371  };
21372  
21373 -static struct ata_port_operations it821x_passthru_port_ops = {
21374 +static const struct ata_port_operations it821x_passthru_port_ops = {
21375         .inherits       = &ata_bmdma_port_ops,
21376  
21377         .check_atapi_dma= it821x_check_atapi_dma,
21378 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21379         .port_start     = it821x_port_start,
21380  };
21381  
21382 -static struct ata_port_operations it821x_rdc_port_ops = {
21383 +static const struct ata_port_operations it821x_rdc_port_ops = {
21384         .inherits       = &ata_bmdma_port_ops,
21385  
21386         .check_atapi_dma= it821x_check_atapi_dma,
21387 diff -urNp linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c
21388 --- linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c 2010-08-26 19:47:12.000000000 -0400
21389 +++ linux-2.6.35.5/drivers/ata/pata_ixp4xx_cf.c 2010-09-17 20:12:09.000000000 -0400
21390 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21391         ATA_PIO_SHT(DRV_NAME),
21392  };
21393  
21394 -static struct ata_port_operations ixp4xx_port_ops = {
21395 +static const struct ata_port_operations ixp4xx_port_ops = {
21396         .inherits               = &ata_sff_port_ops,
21397         .sff_data_xfer          = ixp4xx_mmio_data_xfer,
21398         .cable_detect           = ata_cable_40wire,
21399 diff -urNp linux-2.6.35.5/drivers/ata/pata_jmicron.c linux-2.6.35.5/drivers/ata/pata_jmicron.c
21400 --- linux-2.6.35.5/drivers/ata/pata_jmicron.c   2010-08-26 19:47:12.000000000 -0400
21401 +++ linux-2.6.35.5/drivers/ata/pata_jmicron.c   2010-09-17 20:12:09.000000000 -0400
21402 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21403         ATA_BMDMA_SHT(DRV_NAME),
21404  };
21405  
21406 -static struct ata_port_operations jmicron_ops = {
21407 +static const struct ata_port_operations jmicron_ops = {
21408         .inherits               = &ata_bmdma_port_ops,
21409         .prereset               = jmicron_pre_reset,
21410  };
21411 diff -urNp linux-2.6.35.5/drivers/ata/pata_legacy.c linux-2.6.35.5/drivers/ata/pata_legacy.c
21412 --- linux-2.6.35.5/drivers/ata/pata_legacy.c    2010-08-26 19:47:12.000000000 -0400
21413 +++ linux-2.6.35.5/drivers/ata/pata_legacy.c    2010-09-17 20:12:09.000000000 -0400
21414 @@ -113,7 +113,7 @@ struct legacy_probe {
21415  
21416  struct legacy_controller {
21417         const char *name;
21418 -       struct ata_port_operations *ops;
21419 +       const struct ata_port_operations *ops;
21420         unsigned int pio_mask;
21421         unsigned int flags;
21422         unsigned int pflags;
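Review bot: `const struct ata_port_operations *ops` in `struct legacy_controller` makes the pointed-to table read-only but leaves the pointer itself writable. The hardening is therefore complete only if the array of `legacy_controller` entries is itself `const` or is never modified after init; that array is outside this hunk, so this needs confirming. If the array cannot be made `const`, a field comment such as `/* pointee is read-only; this pointer is not */` would record the limit. The struct definition starts and ends outside the hunk.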
21423 @@ -230,12 +230,12 @@ static const struct ata_port_operations 
21424   *     pio_mask as well.
21425   */
21426  
21427 -static struct ata_port_operations simple_port_ops = {
21428 +static const struct ata_port_operations simple_port_ops = {
21429         .inherits       = &legacy_base_port_ops,
21430         .sff_data_xfer  = ata_sff_data_xfer_noirq,
21431  };
21432  
21433 -static struct ata_port_operations legacy_port_ops = {
21434 +static const struct ata_port_operations legacy_port_ops = {
21435         .inherits       = &legacy_base_port_ops,
21436         .sff_data_xfer  = ata_sff_data_xfer_noirq,
21437         .set_mode       = legacy_set_mode,
21438 @@ -331,7 +331,7 @@ static unsigned int pdc_data_xfer_vlb(st
21439         return buflen;
21440  }
21441  
21442 -static struct ata_port_operations pdc20230_port_ops = {
21443 +static const struct ata_port_operations pdc20230_port_ops = {
21444         .inherits       = &legacy_base_port_ops,
21445         .set_piomode    = pdc20230_set_piomode,
21446         .sff_data_xfer  = pdc_data_xfer_vlb,
21447 @@ -364,7 +364,7 @@ static void ht6560a_set_piomode(struct a
21448         ioread8(ap->ioaddr.status_addr);
21449  }
21450  
21451 -static struct ata_port_operations ht6560a_port_ops = {
21452 +static const struct ata_port_operations ht6560a_port_ops = {
21453         .inherits       = &legacy_base_port_ops,
21454         .set_piomode    = ht6560a_set_piomode,
21455  };
21456 @@ -407,7 +407,7 @@ static void ht6560b_set_piomode(struct a
21457         ioread8(ap->ioaddr.status_addr);
21458  }
21459  
21460 -static struct ata_port_operations ht6560b_port_ops = {
21461 +static const struct ata_port_operations ht6560b_port_ops = {
21462         .inherits       = &legacy_base_port_ops,
21463         .set_piomode    = ht6560b_set_piomode,
21464  };
21465 @@ -506,7 +506,7 @@ static void opti82c611a_set_piomode(stru
21466  }
21467  
21468  
21469 -static struct ata_port_operations opti82c611a_port_ops = {
21470 +static const struct ata_port_operations opti82c611a_port_ops = {
21471         .inherits       = &legacy_base_port_ops,
21472         .set_piomode    = opti82c611a_set_piomode,
21473  };
21474 @@ -616,7 +616,7 @@ static unsigned int opti82c46x_qc_issue(
21475         return ata_sff_qc_issue(qc);
21476  }
21477  
21478 -static struct ata_port_operations opti82c46x_port_ops = {
21479 +static const struct ata_port_operations opti82c46x_port_ops = {
21480         .inherits       = &legacy_base_port_ops,
21481         .set_piomode    = opti82c46x_set_piomode,
21482         .qc_issue       = opti82c46x_qc_issue,
21483 @@ -778,20 +778,20 @@ static int qdi_port(struct platform_devi
21484         return 0;
21485  }
21486  
21487 -static struct ata_port_operations qdi6500_port_ops = {
21488 +static const struct ata_port_operations qdi6500_port_ops = {
21489         .inherits       = &legacy_base_port_ops,
21490         .set_piomode    = qdi6500_set_piomode,
21491         .qc_issue       = qdi_qc_issue,
21492         .sff_data_xfer  = vlb32_data_xfer,
21493  };
21494  
21495 -static struct ata_port_operations qdi6580_port_ops = {
21496 +static const struct ata_port_operations qdi6580_port_ops = {
21497         .inherits       = &legacy_base_port_ops,
21498         .set_piomode    = qdi6580_set_piomode,
21499         .sff_data_xfer  = vlb32_data_xfer,
21500  };
21501  
21502 -static struct ata_port_operations qdi6580dp_port_ops = {
21503 +static const struct ata_port_operations qdi6580dp_port_ops = {
21504         .inherits       = &legacy_base_port_ops,
21505         .set_piomode    = qdi6580dp_set_piomode,
21506         .qc_issue       = qdi_qc_issue,
21507 @@ -863,7 +863,7 @@ static int winbond_port(struct platform_
21508         return 0;
21509  }
21510  
21511 -static struct ata_port_operations winbond_port_ops = {
21512 +static const struct ata_port_operations winbond_port_ops = {
21513         .inherits       = &legacy_base_port_ops,
21514         .set_piomode    = winbond_set_piomode,
21515         .sff_data_xfer  = vlb32_data_xfer,
21516 @@ -986,7 +986,7 @@ static __init int legacy_init_one(struct
21517         int pio_modes = controller->pio_mask;
21518         unsigned long io = probe->port;
21519         u32 mask = (1 << probe->slot);
21520 -       struct ata_port_operations *ops = controller->ops;
21521 +       const struct ata_port_operations *ops = controller->ops;
21522         struct legacy_data *ld = &legacy_data[probe->slot];
21523         struct ata_host *host = NULL;
21524         struct ata_port *ap;
21525 diff -urNp linux-2.6.35.5/drivers/ata/pata_macio.c linux-2.6.35.5/drivers/ata/pata_macio.c
21526 --- linux-2.6.35.5/drivers/ata/pata_macio.c     2010-08-26 19:47:12.000000000 -0400
21527 +++ linux-2.6.35.5/drivers/ata/pata_macio.c     2010-09-17 20:12:09.000000000 -0400
21528 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21529         .slave_configure        = pata_macio_slave_config,
21530  };
21531  
21532 -static struct ata_port_operations pata_macio_ops = {
21533 +static const struct ata_port_operations pata_macio_ops = {
21534         .inherits               = &ata_bmdma_port_ops,
21535 -
21536         .freeze                 = pata_macio_freeze,
21537         .set_piomode            = pata_macio_set_timings,
21538         .set_dmamode            = pata_macio_set_timings,
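Review bot: The deletion of the blank line after `.inherits` in `pata_macio_ops` is unrelated to the constification, and it is the only hunk among the visible drivers/ata sections that changes layout. In an out-of-tree patch that must be rebased onto each kernel release, stray whitespace edits add conflict surface without any benefit. I would keep the blank line so the hunk is the single-line change `static const struct ata_port_operations pata_macio_ops = {`, like its neighbours. The initializer continues past the end of the hunk.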
21539 diff -urNp linux-2.6.35.5/drivers/ata/pata_marvell.c linux-2.6.35.5/drivers/ata/pata_marvell.c
21540 --- linux-2.6.35.5/drivers/ata/pata_marvell.c   2010-08-26 19:47:12.000000000 -0400
21541 +++ linux-2.6.35.5/drivers/ata/pata_marvell.c   2010-09-17 20:12:09.000000000 -0400
21542 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21543         ATA_BMDMA_SHT(DRV_NAME),
21544  };
21545  
21546 -static struct ata_port_operations marvell_ops = {
21547 +static const struct ata_port_operations marvell_ops = {
21548         .inherits               = &ata_bmdma_port_ops,
21549         .cable_detect           = marvell_cable_detect,
21550         .prereset               = marvell_pre_reset,
21551 diff -urNp linux-2.6.35.5/drivers/ata/pata_mpc52xx.c linux-2.6.35.5/drivers/ata/pata_mpc52xx.c
21552 --- linux-2.6.35.5/drivers/ata/pata_mpc52xx.c   2010-08-26 19:47:12.000000000 -0400
21553 +++ linux-2.6.35.5/drivers/ata/pata_mpc52xx.c   2010-09-17 20:12:09.000000000 -0400
21554 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21555         ATA_PIO_SHT(DRV_NAME),
21556  };
21557  
21558 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21559 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21560         .inherits               = &ata_sff_port_ops,
21561         .sff_dev_select         = mpc52xx_ata_dev_select,
21562         .set_piomode            = mpc52xx_ata_set_piomode,
21563 diff -urNp linux-2.6.35.5/drivers/ata/pata_mpiix.c linux-2.6.35.5/drivers/ata/pata_mpiix.c
21564 --- linux-2.6.35.5/drivers/ata/pata_mpiix.c     2010-08-26 19:47:12.000000000 -0400
21565 +++ linux-2.6.35.5/drivers/ata/pata_mpiix.c     2010-09-17 20:12:09.000000000 -0400
21566 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21567         ATA_PIO_SHT(DRV_NAME),
21568  };
21569  
21570 -static struct ata_port_operations mpiix_port_ops = {
21571 +static const struct ata_port_operations mpiix_port_ops = {
21572         .inherits       = &ata_sff_port_ops,
21573         .qc_issue       = mpiix_qc_issue,
21574         .cable_detect   = ata_cable_40wire,
21575 diff -urNp linux-2.6.35.5/drivers/ata/pata_netcell.c linux-2.6.35.5/drivers/ata/pata_netcell.c
21576 --- linux-2.6.35.5/drivers/ata/pata_netcell.c   2010-08-26 19:47:12.000000000 -0400
21577 +++ linux-2.6.35.5/drivers/ata/pata_netcell.c   2010-09-17 20:12:09.000000000 -0400
21578 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21579         ATA_BMDMA_SHT(DRV_NAME),
21580  };
21581  
21582 -static struct ata_port_operations netcell_ops = {
21583 +static const struct ata_port_operations netcell_ops = {
21584         .inherits       = &ata_bmdma_port_ops,
21585         .cable_detect   = ata_cable_80wire,
21586         .read_id        = netcell_read_id,
21587 diff -urNp linux-2.6.35.5/drivers/ata/pata_ninja32.c linux-2.6.35.5/drivers/ata/pata_ninja32.c
21588 --- linux-2.6.35.5/drivers/ata/pata_ninja32.c   2010-08-26 19:47:12.000000000 -0400
21589 +++ linux-2.6.35.5/drivers/ata/pata_ninja32.c   2010-09-17 20:12:09.000000000 -0400
21590 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21591         ATA_BMDMA_SHT(DRV_NAME),
21592  };
21593  
21594 -static struct ata_port_operations ninja32_port_ops = {
21595 +static const struct ata_port_operations ninja32_port_ops = {
21596         .inherits       = &ata_bmdma_port_ops,
21597         .sff_dev_select = ninja32_dev_select,
21598         .cable_detect   = ata_cable_40wire,
21599 diff -urNp linux-2.6.35.5/drivers/ata/pata_ns87410.c linux-2.6.35.5/drivers/ata/pata_ns87410.c
21600 --- linux-2.6.35.5/drivers/ata/pata_ns87410.c   2010-08-26 19:47:12.000000000 -0400
21601 +++ linux-2.6.35.5/drivers/ata/pata_ns87410.c   2010-09-17 20:12:09.000000000 -0400
21602 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21603         ATA_PIO_SHT(DRV_NAME),
21604  };
21605  
21606 -static struct ata_port_operations ns87410_port_ops = {
21607 +static const struct ata_port_operations ns87410_port_ops = {
21608         .inherits       = &ata_sff_port_ops,
21609         .qc_issue       = ns87410_qc_issue,
21610         .cable_detect   = ata_cable_40wire,
21611 diff -urNp linux-2.6.35.5/drivers/ata/pata_ns87415.c linux-2.6.35.5/drivers/ata/pata_ns87415.c
21612 --- linux-2.6.35.5/drivers/ata/pata_ns87415.c   2010-08-26 19:47:12.000000000 -0400
21613 +++ linux-2.6.35.5/drivers/ata/pata_ns87415.c   2010-09-17 20:12:09.000000000 -0400
21614 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21615  }
21616  #endif         /* 87560 SuperIO Support */
21617  
21618 -static struct ata_port_operations ns87415_pata_ops = {
21619 +static const struct ata_port_operations ns87415_pata_ops = {
21620         .inherits               = &ata_bmdma_port_ops,
21621  
21622         .check_atapi_dma        = ns87415_check_atapi_dma,
21623 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21624  };
21625  
21626  #if defined(CONFIG_SUPERIO)
21627 -static struct ata_port_operations ns87560_pata_ops = {
21628 +static const struct ata_port_operations ns87560_pata_ops = {
21629         .inherits               = &ns87415_pata_ops,
21630         .sff_tf_read            = ns87560_tf_read,
21631         .sff_check_status       = ns87560_check_status,
21632 diff -urNp linux-2.6.35.5/drivers/ata/pata_octeon_cf.c linux-2.6.35.5/drivers/ata/pata_octeon_cf.c
21633 --- linux-2.6.35.5/drivers/ata/pata_octeon_cf.c 2010-08-26 19:47:12.000000000 -0400
21634 +++ linux-2.6.35.5/drivers/ata/pata_octeon_cf.c 2010-09-17 20:12:09.000000000 -0400
21635 @@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
21636         return 0;
21637  }
21638  
21639 +/* cannot be const */
21640  static struct ata_port_operations octeon_cf_ops = {
21641         .inherits               = &ata_sff_port_ops,
21642         .check_atapi_dma        = octeon_cf_check_atapi_dma,
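Review bot: The added `/* cannot be const */` above `octeon_cf_ops` does not say why, so a later reader cannot tell whether the exception is still needed. Presumably the driver assigns handlers into `octeon_cf_ops` at probe time (not visible in this hunk); the comment should name that writer, e.g. `/* not const: probe code assigns handlers at runtime (TODO confirm which) */`. Because this table stays in writable memory, its function pointers do not get the protection the neighbouring tables gain from `const`, so it is worth tracking as a known exception. The initializer continues past the end of the hunk.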
21643 diff -urNp linux-2.6.35.5/drivers/ata/pata_oldpiix.c linux-2.6.35.5/drivers/ata/pata_oldpiix.c
21644 --- linux-2.6.35.5/drivers/ata/pata_oldpiix.c   2010-08-26 19:47:12.000000000 -0400
21645 +++ linux-2.6.35.5/drivers/ata/pata_oldpiix.c   2010-09-17 20:12:09.000000000 -0400
21646 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21647         ATA_BMDMA_SHT(DRV_NAME),
21648  };
21649  
21650 -static struct ata_port_operations oldpiix_pata_ops = {
21651 +static const struct ata_port_operations oldpiix_pata_ops = {
21652         .inherits               = &ata_bmdma_port_ops,
21653         .qc_issue               = oldpiix_qc_issue,
21654         .cable_detect           = ata_cable_40wire,
21655 diff -urNp linux-2.6.35.5/drivers/ata/pata_opti.c linux-2.6.35.5/drivers/ata/pata_opti.c
21656 --- linux-2.6.35.5/drivers/ata/pata_opti.c      2010-08-26 19:47:12.000000000 -0400
21657 +++ linux-2.6.35.5/drivers/ata/pata_opti.c      2010-09-17 20:12:09.000000000 -0400
21658 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21659         ATA_PIO_SHT(DRV_NAME),
21660  };
21661  
21662 -static struct ata_port_operations opti_port_ops = {
21663 +static const struct ata_port_operations opti_port_ops = {
21664         .inherits       = &ata_sff_port_ops,
21665         .cable_detect   = ata_cable_40wire,
21666         .set_piomode    = opti_set_piomode,
21667 diff -urNp linux-2.6.35.5/drivers/ata/pata_optidma.c linux-2.6.35.5/drivers/ata/pata_optidma.c
21668 --- linux-2.6.35.5/drivers/ata/pata_optidma.c   2010-08-26 19:47:12.000000000 -0400
21669 +++ linux-2.6.35.5/drivers/ata/pata_optidma.c   2010-09-17 20:12:09.000000000 -0400
21670 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21671         ATA_BMDMA_SHT(DRV_NAME),
21672  };
21673  
21674 -static struct ata_port_operations optidma_port_ops = {
21675 +static const struct ata_port_operations optidma_port_ops = {
21676         .inherits       = &ata_bmdma_port_ops,
21677         .cable_detect   = ata_cable_40wire,
21678         .set_piomode    = optidma_set_pio_mode,
21679 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21680         .prereset       = optidma_pre_reset,
21681  };
21682  
21683 -static struct ata_port_operations optiplus_port_ops = {
21684 +static const struct ata_port_operations optiplus_port_ops = {
21685         .inherits       = &optidma_port_ops,
21686         .set_piomode    = optiplus_set_pio_mode,
21687         .set_dmamode    = optiplus_set_dma_mode,
21688 diff -urNp linux-2.6.35.5/drivers/ata/pata_palmld.c linux-2.6.35.5/drivers/ata/pata_palmld.c
21689 --- linux-2.6.35.5/drivers/ata/pata_palmld.c    2010-08-26 19:47:12.000000000 -0400
21690 +++ linux-2.6.35.5/drivers/ata/pata_palmld.c    2010-09-17 20:12:09.000000000 -0400
21691 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21692         ATA_PIO_SHT(DRV_NAME),
21693  };
21694  
21695 -static struct ata_port_operations palmld_port_ops = {
21696 +static const struct ata_port_operations palmld_port_ops = {
21697         .inherits               = &ata_sff_port_ops,
21698         .sff_data_xfer          = ata_sff_data_xfer_noirq,
21699         .cable_detect           = ata_cable_40wire,
21700 diff -urNp linux-2.6.35.5/drivers/ata/pata_pcmcia.c linux-2.6.35.5/drivers/ata/pata_pcmcia.c
21701 --- linux-2.6.35.5/drivers/ata/pata_pcmcia.c    2010-08-26 19:47:12.000000000 -0400
21702 +++ linux-2.6.35.5/drivers/ata/pata_pcmcia.c    2010-09-17 20:12:09.000000000 -0400
21703 @@ -153,14 +153,14 @@ static struct scsi_host_template pcmcia_
21704         ATA_PIO_SHT(DRV_NAME),
21705  };
21706  
21707 -static struct ata_port_operations pcmcia_port_ops = {
21708 +static const struct ata_port_operations pcmcia_port_ops = {
21709         .inherits       = &ata_sff_port_ops,
21710         .sff_data_xfer  = ata_sff_data_xfer_noirq,
21711         .cable_detect   = ata_cable_40wire,
21712         .set_mode       = pcmcia_set_mode,
21713  };
21714  
21715 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21716 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21717         .inherits       = &ata_sff_port_ops,
21718         .sff_data_xfer  = ata_data_xfer_8bit,
21719         .cable_detect   = ata_cable_40wire,
21720 @@ -243,7 +243,7 @@ static int pcmcia_init_one(struct pcmcia
21721         unsigned long io_base, ctl_base;
21722         void __iomem *io_addr, *ctl_addr;
21723         int n_ports = 1;
21724 -       struct ata_port_operations *ops = &pcmcia_port_ops;
21725 +       const struct ata_port_operations *ops = &pcmcia_port_ops;
21726  
21727         /* Set up attributes in order to probe card and get resources */
21728         pdev->io.Attributes1 = IO_DATA_PATH_WIDTH_AUTO;
21729 diff -urNp linux-2.6.35.5/drivers/ata/pata_pdc2027x.c linux-2.6.35.5/drivers/ata/pata_pdc2027x.c
21730 --- linux-2.6.35.5/drivers/ata/pata_pdc2027x.c  2010-08-26 19:47:12.000000000 -0400
21731 +++ linux-2.6.35.5/drivers/ata/pata_pdc2027x.c  2010-09-17 20:12:09.000000000 -0400
21732 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21733         ATA_BMDMA_SHT(DRV_NAME),
21734  };
21735  
21736 -static struct ata_port_operations pdc2027x_pata100_ops = {
21737 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21738         .inherits               = &ata_bmdma_port_ops,
21739         .check_atapi_dma        = pdc2027x_check_atapi_dma,
21740         .cable_detect           = pdc2027x_cable_detect,
21741         .prereset               = pdc2027x_prereset,
21742  };
21743  
21744 -static struct ata_port_operations pdc2027x_pata133_ops = {
21745 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21746         .inherits               = &pdc2027x_pata100_ops,
21747         .mode_filter            = pdc2027x_mode_filter,
21748         .set_piomode            = pdc2027x_set_piomode,
21749 diff -urNp linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c
21750 --- linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c      2010-08-26 19:47:12.000000000 -0400
21751 +++ linux-2.6.35.5/drivers/ata/pata_pdc202xx_old.c      2010-09-17 20:12:09.000000000 -0400
21752 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
21753         ATA_BMDMA_SHT(DRV_NAME),
21754  };
21755  
21756 -static struct ata_port_operations pdc2024x_port_ops = {
21757 +static const struct ata_port_operations pdc2024x_port_ops = {
21758         .inherits               = &ata_bmdma_port_ops,
21759  
21760         .cable_detect           = ata_cable_40wire,
21761 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
21762         .sff_exec_command       = pdc202xx_exec_command,
21763  };
21764  
21765 -static struct ata_port_operations pdc2026x_port_ops = {
21766 +static const struct ata_port_operations pdc2026x_port_ops = {
21767         .inherits               = &pdc2024x_port_ops,
21768  
21769         .check_atapi_dma        = pdc2026x_check_atapi_dma,
21770 diff -urNp linux-2.6.35.5/drivers/ata/pata_piccolo.c linux-2.6.35.5/drivers/ata/pata_piccolo.c
21771 --- linux-2.6.35.5/drivers/ata/pata_piccolo.c   2010-08-26 19:47:12.000000000 -0400
21772 +++ linux-2.6.35.5/drivers/ata/pata_piccolo.c   2010-09-17 20:12:09.000000000 -0400
21773 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21774         ATA_BMDMA_SHT(DRV_NAME),
21775  };
21776  
21777 -static struct ata_port_operations tosh_port_ops = {
21778 +static const struct ata_port_operations tosh_port_ops = {
21779         .inherits       = &ata_bmdma_port_ops,
21780         .cable_detect   = ata_cable_unknown,
21781         .set_piomode    = tosh_set_piomode,
21782 diff -urNp linux-2.6.35.5/drivers/ata/pata_platform.c linux-2.6.35.5/drivers/ata/pata_platform.c
21783 --- linux-2.6.35.5/drivers/ata/pata_platform.c  2010-08-26 19:47:12.000000000 -0400
21784 +++ linux-2.6.35.5/drivers/ata/pata_platform.c  2010-09-17 20:12:09.000000000 -0400
21785 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21786         ATA_PIO_SHT(DRV_NAME),
21787  };
21788  
21789 -static struct ata_port_operations pata_platform_port_ops = {
21790 +static const struct ata_port_operations pata_platform_port_ops = {
21791         .inherits               = &ata_sff_port_ops,
21792         .sff_data_xfer          = ata_sff_data_xfer_noirq,
21793         .cable_detect           = ata_cable_unknown,
21794 diff -urNp linux-2.6.35.5/drivers/ata/pata_qdi.c linux-2.6.35.5/drivers/ata/pata_qdi.c
21795 --- linux-2.6.35.5/drivers/ata/pata_qdi.c       2010-08-26 19:47:12.000000000 -0400
21796 +++ linux-2.6.35.5/drivers/ata/pata_qdi.c       2010-09-17 20:12:09.000000000 -0400
21797 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21798         ATA_PIO_SHT(DRV_NAME),
21799  };
21800  
21801 -static struct ata_port_operations qdi6500_port_ops = {
21802 +static const struct ata_port_operations qdi6500_port_ops = {
21803         .inherits       = &ata_sff_port_ops,
21804         .qc_issue       = qdi_qc_issue,
21805         .sff_data_xfer  = qdi_data_xfer,
21806 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21807         .set_piomode    = qdi6500_set_piomode,
21808  };
21809  
21810 -static struct ata_port_operations qdi6580_port_ops = {
21811 +static const struct ata_port_operations qdi6580_port_ops = {
21812         .inherits       = &qdi6500_port_ops,
21813         .set_piomode    = qdi6580_set_piomode,
21814  };
21815 diff -urNp linux-2.6.35.5/drivers/ata/pata_radisys.c linux-2.6.35.5/drivers/ata/pata_radisys.c
21816 --- linux-2.6.35.5/drivers/ata/pata_radisys.c   2010-08-26 19:47:12.000000000 -0400
21817 +++ linux-2.6.35.5/drivers/ata/pata_radisys.c   2010-09-17 20:12:09.000000000 -0400
21818 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21819         ATA_BMDMA_SHT(DRV_NAME),
21820  };
21821  
21822 -static struct ata_port_operations radisys_pata_ops = {
21823 +static const struct ata_port_operations radisys_pata_ops = {
21824         .inherits               = &ata_bmdma_port_ops,
21825         .qc_issue               = radisys_qc_issue,
21826         .cable_detect           = ata_cable_unknown,
21827 diff -urNp linux-2.6.35.5/drivers/ata/pata_rb532_cf.c linux-2.6.35.5/drivers/ata/pata_rb532_cf.c
21828 --- linux-2.6.35.5/drivers/ata/pata_rb532_cf.c  2010-08-26 19:47:12.000000000 -0400
21829 +++ linux-2.6.35.5/drivers/ata/pata_rb532_cf.c  2010-09-17 20:12:09.000000000 -0400
21830 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21831         return IRQ_HANDLED;
21832  }
21833  
21834 -static struct ata_port_operations rb532_pata_port_ops = {
21835 +static const struct ata_port_operations rb532_pata_port_ops = {
21836         .inherits               = &ata_sff_port_ops,
21837         .sff_data_xfer          = ata_sff_data_xfer32,
21838  };
21839 diff -urNp linux-2.6.35.5/drivers/ata/pata_rdc.c linux-2.6.35.5/drivers/ata/pata_rdc.c
21840 --- linux-2.6.35.5/drivers/ata/pata_rdc.c       2010-08-26 19:47:12.000000000 -0400
21841 +++ linux-2.6.35.5/drivers/ata/pata_rdc.c       2010-09-17 20:12:09.000000000 -0400
21842 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21843         pci_write_config_byte(dev, 0x48, udma_enable);
21844  }
21845  
21846 -static struct ata_port_operations rdc_pata_ops = {
21847 +static const struct ata_port_operations rdc_pata_ops = {
21848         .inherits               = &ata_bmdma32_port_ops,
21849         .cable_detect           = rdc_pata_cable_detect,
21850         .set_piomode            = rdc_set_piomode,
21851 diff -urNp linux-2.6.35.5/drivers/ata/pata_rz1000.c linux-2.6.35.5/drivers/ata/pata_rz1000.c
21852 --- linux-2.6.35.5/drivers/ata/pata_rz1000.c    2010-08-26 19:47:12.000000000 -0400
21853 +++ linux-2.6.35.5/drivers/ata/pata_rz1000.c    2010-09-17 20:12:09.000000000 -0400
21854 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
21855         ATA_PIO_SHT(DRV_NAME),
21856  };
21857  
21858 -static struct ata_port_operations rz1000_port_ops = {
21859 +static const struct ata_port_operations rz1000_port_ops = {
21860         .inherits       = &ata_sff_port_ops,
21861         .cable_detect   = ata_cable_40wire,
21862         .set_mode       = rz1000_set_mode,
21863 diff -urNp linux-2.6.35.5/drivers/ata/pata_sc1200.c linux-2.6.35.5/drivers/ata/pata_sc1200.c
21864 --- linux-2.6.35.5/drivers/ata/pata_sc1200.c    2010-08-26 19:47:12.000000000 -0400
21865 +++ linux-2.6.35.5/drivers/ata/pata_sc1200.c    2010-09-17 20:12:09.000000000 -0400
21866 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
21867         .sg_tablesize   = LIBATA_DUMB_MAX_PRD,
21868  };
21869  
21870 -static struct ata_port_operations sc1200_port_ops = {
21871 +static const struct ata_port_operations sc1200_port_ops = {
21872         .inherits       = &ata_bmdma_port_ops,
21873         .qc_prep        = ata_bmdma_dumb_qc_prep,
21874         .qc_issue       = sc1200_qc_issue,
21875 diff -urNp linux-2.6.35.5/drivers/ata/pata_scc.c linux-2.6.35.5/drivers/ata/pata_scc.c
21876 --- linux-2.6.35.5/drivers/ata/pata_scc.c       2010-08-26 19:47:12.000000000 -0400
21877 +++ linux-2.6.35.5/drivers/ata/pata_scc.c       2010-09-17 20:12:09.000000000 -0400
21878 @@ -927,7 +927,7 @@ static struct scsi_host_template scc_sht
21879         ATA_BMDMA_SHT(DRV_NAME),
21880  };
21881  
21882 -static struct ata_port_operations scc_pata_ops = {
21883 +static const struct ata_port_operations scc_pata_ops = {
21884         .inherits               = &ata_bmdma_port_ops,
21885  
21886         .set_piomode            = scc_set_piomode,
21887 diff -urNp linux-2.6.35.5/drivers/ata/pata_sch.c linux-2.6.35.5/drivers/ata/pata_sch.c
21888 --- linux-2.6.35.5/drivers/ata/pata_sch.c       2010-08-26 19:47:12.000000000 -0400
21889 +++ linux-2.6.35.5/drivers/ata/pata_sch.c       2010-09-17 20:12:09.000000000 -0400
21890 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
21891         ATA_BMDMA_SHT(DRV_NAME),
21892  };
21893  
21894 -static struct ata_port_operations sch_pata_ops = {
21895 +static const struct ata_port_operations sch_pata_ops = {
21896         .inherits               = &ata_bmdma_port_ops,
21897         .cable_detect           = ata_cable_unknown,
21898         .set_piomode            = sch_set_piomode,
21899 diff -urNp linux-2.6.35.5/drivers/ata/pata_serverworks.c linux-2.6.35.5/drivers/ata/pata_serverworks.c
21900 --- linux-2.6.35.5/drivers/ata/pata_serverworks.c       2010-08-26 19:47:12.000000000 -0400
21901 +++ linux-2.6.35.5/drivers/ata/pata_serverworks.c       2010-09-17 20:12:09.000000000 -0400
21902 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
21903         ATA_BMDMA_SHT(DRV_NAME),
21904  };
21905  
21906 -static struct ata_port_operations serverworks_osb4_port_ops = {
21907 +static const struct ata_port_operations serverworks_osb4_port_ops = {
21908         .inherits       = &ata_bmdma_port_ops,
21909         .cable_detect   = serverworks_cable_detect,
21910         .mode_filter    = serverworks_osb4_filter,
21911 @@ -308,7 +308,7 @@ static struct ata_port_operations server
21912         .set_dmamode    = serverworks_set_dmamode,
21913  };
21914  
21915 -static struct ata_port_operations serverworks_csb_port_ops = {
21916 +static const struct ata_port_operations serverworks_csb_port_ops = {
21917         .inherits       = &serverworks_osb4_port_ops,
21918         .mode_filter    = serverworks_csb_filter,
21919  };
21920 diff -urNp linux-2.6.35.5/drivers/ata/pata_sil680.c linux-2.6.35.5/drivers/ata/pata_sil680.c
21921 --- linux-2.6.35.5/drivers/ata/pata_sil680.c    2010-08-26 19:47:12.000000000 -0400
21922 +++ linux-2.6.35.5/drivers/ata/pata_sil680.c    2010-09-17 20:12:09.000000000 -0400
21923 @@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
21924         ATA_BMDMA_SHT(DRV_NAME),
21925  };
21926  
21927 -
21928 -static struct ata_port_operations sil680_port_ops = {
21929 +static const struct ata_port_operations sil680_port_ops = {
21930         .inherits               = &ata_bmdma32_port_ops,
21931         .sff_exec_command       = sil680_sff_exec_command,
21932         .cable_detect           = sil680_cable_detect,
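Review bot: Besides adding the qualifier, this hunk drops the blank line in front of `sil680_port_ops` (old length 8, new length 7), which is unrelated to the const change. Keeping whitespace cleanups out of a hardening patch makes it easier to rebase and to audit that each hunk changes only the qualifier.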
21933 diff -urNp linux-2.6.35.5/drivers/ata/pata_sis.c linux-2.6.35.5/drivers/ata/pata_sis.c
21934 --- linux-2.6.35.5/drivers/ata/pata_sis.c       2010-08-26 19:47:12.000000000 -0400
21935 +++ linux-2.6.35.5/drivers/ata/pata_sis.c       2010-09-17 20:12:09.000000000 -0400
21936 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
21937         ATA_BMDMA_SHT(DRV_NAME),
21938  };
21939  
21940 -static struct ata_port_operations sis_133_for_sata_ops = {
21941 +static const struct ata_port_operations sis_133_for_sata_ops = {
21942         .inherits               = &ata_bmdma_port_ops,
21943         .set_piomode            = sis_133_set_piomode,
21944         .set_dmamode            = sis_133_set_dmamode,
21945         .cable_detect           = sis_133_cable_detect,
21946  };
21947  
21948 -static struct ata_port_operations sis_base_ops = {
21949 +static const struct ata_port_operations sis_base_ops = {
21950         .inherits               = &ata_bmdma_port_ops,
21951         .prereset               = sis_pre_reset,
21952  };
21953  
21954 -static struct ata_port_operations sis_133_ops = {
21955 +static const struct ata_port_operations sis_133_ops = {
21956         .inherits               = &sis_base_ops,
21957         .set_piomode            = sis_133_set_piomode,
21958         .set_dmamode            = sis_133_set_dmamode,
21959         .cable_detect           = sis_133_cable_detect,
21960  };
21961  
21962 -static struct ata_port_operations sis_133_early_ops = {
21963 +static const struct ata_port_operations sis_133_early_ops = {
21964         .inherits               = &sis_base_ops,
21965         .set_piomode            = sis_100_set_piomode,
21966         .set_dmamode            = sis_133_early_set_dmamode,
21967         .cable_detect           = sis_66_cable_detect,
21968  };
21969  
21970 -static struct ata_port_operations sis_100_ops = {
21971 +static const struct ata_port_operations sis_100_ops = {
21972         .inherits               = &sis_base_ops,
21973         .set_piomode            = sis_100_set_piomode,
21974         .set_dmamode            = sis_100_set_dmamode,
21975         .cable_detect           = sis_66_cable_detect,
21976  };
21977  
21978 -static struct ata_port_operations sis_66_ops = {
21979 +static const struct ata_port_operations sis_66_ops = {
21980         .inherits               = &sis_base_ops,
21981         .set_piomode            = sis_old_set_piomode,
21982         .set_dmamode            = sis_66_set_dmamode,
21983         .cable_detect           = sis_66_cable_detect,
21984  };
21985  
21986 -static struct ata_port_operations sis_old_ops = {
21987 +static const struct ata_port_operations sis_old_ops = {
21988         .inherits               = &sis_base_ops,
21989         .set_piomode            = sis_old_set_piomode,
21990         .set_dmamode            = sis_old_set_dmamode,
21991 diff -urNp linux-2.6.35.5/drivers/ata/pata_sl82c105.c linux-2.6.35.5/drivers/ata/pata_sl82c105.c
21992 --- linux-2.6.35.5/drivers/ata/pata_sl82c105.c  2010-08-26 19:47:12.000000000 -0400
21993 +++ linux-2.6.35.5/drivers/ata/pata_sl82c105.c  2010-09-17 20:12:09.000000000 -0400
21994 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
21995         ATA_BMDMA_SHT(DRV_NAME),
21996  };
21997  
21998 -static struct ata_port_operations sl82c105_port_ops = {
21999 +static const struct ata_port_operations sl82c105_port_ops = {
22000         .inherits       = &ata_bmdma_port_ops,
22001         .qc_defer       = sl82c105_qc_defer,
22002         .bmdma_start    = sl82c105_bmdma_start,
22003 diff -urNp linux-2.6.35.5/drivers/ata/pata_triflex.c linux-2.6.35.5/drivers/ata/pata_triflex.c
22004 --- linux-2.6.35.5/drivers/ata/pata_triflex.c   2010-08-26 19:47:12.000000000 -0400
22005 +++ linux-2.6.35.5/drivers/ata/pata_triflex.c   2010-09-17 20:12:09.000000000 -0400
22006 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22007         ATA_BMDMA_SHT(DRV_NAME),
22008  };
22009  
22010 -static struct ata_port_operations triflex_port_ops = {
22011 +static const struct ata_port_operations triflex_port_ops = {
22012         .inherits       = &ata_bmdma_port_ops,
22013         .bmdma_start    = triflex_bmdma_start,
22014         .bmdma_stop     = triflex_bmdma_stop,
22015 diff -urNp linux-2.6.35.5/drivers/ata/pata_via.c linux-2.6.35.5/drivers/ata/pata_via.c
22016 --- linux-2.6.35.5/drivers/ata/pata_via.c       2010-09-20 17:33:09.000000000 -0400
22017 +++ linux-2.6.35.5/drivers/ata/pata_via.c       2010-09-20 17:33:32.000000000 -0400
22018 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22019         ATA_BMDMA_SHT(DRV_NAME),
22020  };
22021  
22022 -static struct ata_port_operations via_port_ops = {
22023 +static const struct ata_port_operations via_port_ops = {
22024         .inherits       = &ata_bmdma_port_ops,
22025         .cable_detect   = via_cable_detect,
22026         .set_piomode    = via_set_piomode,
22027 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22028         .mode_filter    = via_mode_filter,
22029  };
22030  
22031 -static struct ata_port_operations via_port_ops_noirq = {
22032 +static const struct ata_port_operations via_port_ops_noirq = {
22033         .inherits       = &via_port_ops,
22034         .sff_data_xfer  = ata_sff_data_xfer_noirq,
22035  };
22036 diff -urNp linux-2.6.35.5/drivers/ata/pata_winbond.c linux-2.6.35.5/drivers/ata/pata_winbond.c
22037 --- linux-2.6.35.5/drivers/ata/pata_winbond.c   2010-08-26 19:47:12.000000000 -0400
22038 +++ linux-2.6.35.5/drivers/ata/pata_winbond.c   2010-09-17 20:12:09.000000000 -0400
22039 @@ -125,7 +125,7 @@ static struct scsi_host_template winbond
22040         ATA_PIO_SHT(DRV_NAME),
22041  };
22042  
22043 -static struct ata_port_operations winbond_port_ops = {
22044 +static const struct ata_port_operations winbond_port_ops = {
22045         .inherits       = &ata_sff_port_ops,
22046         .sff_data_xfer  = winbond_data_xfer,
22047         .cable_detect   = ata_cable_40wire,
22048 diff -urNp linux-2.6.35.5/drivers/ata/pdc_adma.c linux-2.6.35.5/drivers/ata/pdc_adma.c
22049 --- linux-2.6.35.5/drivers/ata/pdc_adma.c       2010-08-26 19:47:12.000000000 -0400
22050 +++ linux-2.6.35.5/drivers/ata/pdc_adma.c       2010-09-17 20:12:09.000000000 -0400
22051 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22052         .dma_boundary           = ADMA_DMA_BOUNDARY,
22053  };
22054  
22055 -static struct ata_port_operations adma_ata_ops = {
22056 +static const struct ata_port_operations adma_ata_ops = {
22057         .inherits               = &ata_sff_port_ops,
22058  
22059         .lost_interrupt         = ATA_OP_NULL,
22060 diff -urNp linux-2.6.35.5/drivers/ata/sata_fsl.c linux-2.6.35.5/drivers/ata/sata_fsl.c
22061 --- linux-2.6.35.5/drivers/ata/sata_fsl.c       2010-08-26 19:47:12.000000000 -0400
22062 +++ linux-2.6.35.5/drivers/ata/sata_fsl.c       2010-09-17 20:12:09.000000000 -0400
22063 @@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
22064         .dma_boundary = ATA_DMA_BOUNDARY,
22065  };
22066  
22067 -static struct ata_port_operations sata_fsl_ops = {
22068 +static const struct ata_port_operations sata_fsl_ops = {
22069         .inherits               = &sata_pmp_port_ops,
22070  
22071         .qc_defer = ata_std_qc_defer,
22072 diff -urNp linux-2.6.35.5/drivers/ata/sata_inic162x.c linux-2.6.35.5/drivers/ata/sata_inic162x.c
22073 --- linux-2.6.35.5/drivers/ata/sata_inic162x.c  2010-08-26 19:47:12.000000000 -0400
22074 +++ linux-2.6.35.5/drivers/ata/sata_inic162x.c  2010-09-17 20:12:09.000000000 -0400
22075 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22076         return 0;
22077  }
22078  
22079 -static struct ata_port_operations inic_port_ops = {
22080 +static const struct ata_port_operations inic_port_ops = {
22081         .inherits               = &sata_port_ops,
22082  
22083         .check_atapi_dma        = inic_check_atapi_dma,
22084 diff -urNp linux-2.6.35.5/drivers/ata/sata_mv.c linux-2.6.35.5/drivers/ata/sata_mv.c
22085 --- linux-2.6.35.5/drivers/ata/sata_mv.c        2010-09-20 17:33:09.000000000 -0400
22086 +++ linux-2.6.35.5/drivers/ata/sata_mv.c        2010-09-20 17:33:32.000000000 -0400
22087 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22088         .dma_boundary           = MV_DMA_BOUNDARY,
22089  };
22090  
22091 -static struct ata_port_operations mv5_ops = {
22092 +static const struct ata_port_operations mv5_ops = {
22093         .inherits               = &ata_sff_port_ops,
22094  
22095         .lost_interrupt         = ATA_OP_NULL,
22096 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22097         .port_stop              = mv_port_stop,
22098  };
22099  
22100 -static struct ata_port_operations mv6_ops = {
22101 +static const struct ata_port_operations mv6_ops = {
22102         .inherits               = &ata_bmdma_port_ops,
22103  
22104         .lost_interrupt         = ATA_OP_NULL,
22105 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22106         .port_stop              = mv_port_stop,
22107  };
22108  
22109 -static struct ata_port_operations mv_iie_ops = {
22110 +static const struct ata_port_operations mv_iie_ops = {
22111         .inherits               = &mv6_ops,
22112         .dev_config             = ATA_OP_NULL,
22113         .qc_prep                = mv_qc_prep_iie,
22114 diff -urNp linux-2.6.35.5/drivers/ata/sata_nv.c linux-2.6.35.5/drivers/ata/sata_nv.c
22115 --- linux-2.6.35.5/drivers/ata/sata_nv.c        2010-08-26 19:47:12.000000000 -0400
22116 +++ linux-2.6.35.5/drivers/ata/sata_nv.c        2010-09-17 20:12:09.000000000 -0400
22117 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22118   * cases.  Define nv_hardreset() which only kicks in for post-boot
22119   * probing and use it for all variants.
22120   */
22121 -static struct ata_port_operations nv_generic_ops = {
22122 +static const struct ata_port_operations nv_generic_ops = {
22123         .inherits               = &ata_bmdma_port_ops,
22124         .lost_interrupt         = ATA_OP_NULL,
22125         .scr_read               = nv_scr_read,
22126 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22127         .hardreset              = nv_hardreset,
22128  };
22129  
22130 -static struct ata_port_operations nv_nf2_ops = {
22131 +static const struct ata_port_operations nv_nf2_ops = {
22132         .inherits               = &nv_generic_ops,
22133         .freeze                 = nv_nf2_freeze,
22134         .thaw                   = nv_nf2_thaw,
22135  };
22136  
22137 -static struct ata_port_operations nv_ck804_ops = {
22138 +static const struct ata_port_operations nv_ck804_ops = {
22139         .inherits               = &nv_generic_ops,
22140         .freeze                 = nv_ck804_freeze,
22141         .thaw                   = nv_ck804_thaw,
22142         .host_stop              = nv_ck804_host_stop,
22143  };
22144  
22145 -static struct ata_port_operations nv_adma_ops = {
22146 +static const struct ata_port_operations nv_adma_ops = {
22147         .inherits               = &nv_ck804_ops,
22148  
22149         .check_atapi_dma        = nv_adma_check_atapi_dma,
22150 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22151         .host_stop              = nv_adma_host_stop,
22152  };
22153  
22154 -static struct ata_port_operations nv_swncq_ops = {
22155 +static const struct ata_port_operations nv_swncq_ops = {
22156         .inherits               = &nv_generic_ops,
22157  
22158         .qc_defer               = ata_std_qc_defer,
22159 diff -urNp linux-2.6.35.5/drivers/ata/sata_promise.c linux-2.6.35.5/drivers/ata/sata_promise.c
22160 --- linux-2.6.35.5/drivers/ata/sata_promise.c   2010-08-26 19:47:12.000000000 -0400
22161 +++ linux-2.6.35.5/drivers/ata/sata_promise.c   2010-09-17 20:12:09.000000000 -0400
22162 @@ -196,7 +196,7 @@ static const struct ata_port_operations 
22163         .error_handler          = pdc_error_handler,
22164  };
22165  
22166 -static struct ata_port_operations pdc_sata_ops = {
22167 +static const struct ata_port_operations pdc_sata_ops = {
22168         .inherits               = &pdc_common_ops,
22169         .cable_detect           = pdc_sata_cable_detect,
22170         .freeze                 = pdc_sata_freeze,
22171 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22172  
22173  /* First-generation chips need a more restrictive ->check_atapi_dma op,
22174     and ->freeze/thaw that ignore the hotplug controls. */
22175 -static struct ata_port_operations pdc_old_sata_ops = {
22176 +static const struct ata_port_operations pdc_old_sata_ops = {
22177         .inherits               = &pdc_sata_ops,
22178         .freeze                 = pdc_freeze,
22179         .thaw                   = pdc_thaw,
22180         .check_atapi_dma        = pdc_old_sata_check_atapi_dma,
22181  };
22182  
22183 -static struct ata_port_operations pdc_pata_ops = {
22184 +static const struct ata_port_operations pdc_pata_ops = {
22185         .inherits               = &pdc_common_ops,
22186         .cable_detect           = pdc_pata_cable_detect,
22187         .freeze                 = pdc_freeze,
22188 diff -urNp linux-2.6.35.5/drivers/ata/sata_qstor.c linux-2.6.35.5/drivers/ata/sata_qstor.c
22189 --- linux-2.6.35.5/drivers/ata/sata_qstor.c     2010-08-26 19:47:12.000000000 -0400
22190 +++ linux-2.6.35.5/drivers/ata/sata_qstor.c     2010-09-17 20:12:09.000000000 -0400
22191 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22192         .dma_boundary           = QS_DMA_BOUNDARY,
22193  };
22194  
22195 -static struct ata_port_operations qs_ata_ops = {
22196 +static const struct ata_port_operations qs_ata_ops = {
22197         .inherits               = &ata_sff_port_ops,
22198  
22199         .check_atapi_dma        = qs_check_atapi_dma,
22200 diff -urNp linux-2.6.35.5/drivers/ata/sata_sil24.c linux-2.6.35.5/drivers/ata/sata_sil24.c
22201 --- linux-2.6.35.5/drivers/ata/sata_sil24.c     2010-08-26 19:47:12.000000000 -0400
22202 +++ linux-2.6.35.5/drivers/ata/sata_sil24.c     2010-09-17 20:12:09.000000000 -0400
22203 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22204         .dma_boundary           = ATA_DMA_BOUNDARY,
22205  };
22206  
22207 -static struct ata_port_operations sil24_ops = {
22208 +static const struct ata_port_operations sil24_ops = {
22209         .inherits               = &sata_pmp_port_ops,
22210  
22211         .qc_defer               = sil24_qc_defer,
22212 diff -urNp linux-2.6.35.5/drivers/ata/sata_sil.c linux-2.6.35.5/drivers/ata/sata_sil.c
22213 --- linux-2.6.35.5/drivers/ata/sata_sil.c       2010-08-26 19:47:12.000000000 -0400
22214 +++ linux-2.6.35.5/drivers/ata/sata_sil.c       2010-09-17 20:12:09.000000000 -0400
22215 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22216         .sg_tablesize           = ATA_MAX_PRD
22217  };
22218  
22219 -static struct ata_port_operations sil_ops = {
22220 +static const struct ata_port_operations sil_ops = {
22221         .inherits               = &ata_bmdma32_port_ops,
22222         .dev_config             = sil_dev_config,
22223         .set_mode               = sil_set_mode,
22224 diff -urNp linux-2.6.35.5/drivers/ata/sata_sis.c linux-2.6.35.5/drivers/ata/sata_sis.c
22225 --- linux-2.6.35.5/drivers/ata/sata_sis.c       2010-08-26 19:47:12.000000000 -0400
22226 +++ linux-2.6.35.5/drivers/ata/sata_sis.c       2010-09-17 20:12:09.000000000 -0400
22227 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22228         ATA_BMDMA_SHT(DRV_NAME),
22229  };
22230  
22231 -static struct ata_port_operations sis_ops = {
22232 +static const struct ata_port_operations sis_ops = {
22233         .inherits               = &ata_bmdma_port_ops,
22234         .scr_read               = sis_scr_read,
22235         .scr_write              = sis_scr_write,
22236 diff -urNp linux-2.6.35.5/drivers/ata/sata_svw.c linux-2.6.35.5/drivers/ata/sata_svw.c
22237 --- linux-2.6.35.5/drivers/ata/sata_svw.c       2010-08-26 19:47:12.000000000 -0400
22238 +++ linux-2.6.35.5/drivers/ata/sata_svw.c       2010-09-17 20:12:09.000000000 -0400
22239 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22240  };
22241  
22242  
22243 -static struct ata_port_operations k2_sata_ops = {
22244 +static const struct ata_port_operations k2_sata_ops = {
22245         .inherits               = &ata_bmdma_port_ops,
22246         .sff_tf_load            = k2_sata_tf_load,
22247         .sff_tf_read            = k2_sata_tf_read,
22248 diff -urNp linux-2.6.35.5/drivers/ata/sata_sx4.c linux-2.6.35.5/drivers/ata/sata_sx4.c
22249 --- linux-2.6.35.5/drivers/ata/sata_sx4.c       2010-08-26 19:47:12.000000000 -0400
22250 +++ linux-2.6.35.5/drivers/ata/sata_sx4.c       2010-09-17 20:12:09.000000000 -0400
22251 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22252  };
22253  
22254  /* TODO: inherit from base port_ops after converting to new EH */
22255 -static struct ata_port_operations pdc_20621_ops = {
22256 +static const struct ata_port_operations pdc_20621_ops = {
22257         .inherits               = &ata_sff_port_ops,
22258  
22259         .check_atapi_dma        = pdc_check_atapi_dma,
22260 diff -urNp linux-2.6.35.5/drivers/ata/sata_uli.c linux-2.6.35.5/drivers/ata/sata_uli.c
22261 --- linux-2.6.35.5/drivers/ata/sata_uli.c       2010-08-26 19:47:12.000000000 -0400
22262 +++ linux-2.6.35.5/drivers/ata/sata_uli.c       2010-09-17 20:12:09.000000000 -0400
22263 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22264         ATA_BMDMA_SHT(DRV_NAME),
22265  };
22266  
22267 -static struct ata_port_operations uli_ops = {
22268 +static const struct ata_port_operations uli_ops = {
22269         .inherits               = &ata_bmdma_port_ops,
22270         .scr_read               = uli_scr_read,
22271         .scr_write              = uli_scr_write,
22272 diff -urNp linux-2.6.35.5/drivers/ata/sata_via.c linux-2.6.35.5/drivers/ata/sata_via.c
22273 --- linux-2.6.35.5/drivers/ata/sata_via.c       2010-08-26 19:47:12.000000000 -0400
22274 +++ linux-2.6.35.5/drivers/ata/sata_via.c       2010-09-17 20:12:09.000000000 -0400
22275 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22276         ATA_BMDMA_SHT(DRV_NAME),
22277  };
22278  
22279 -static struct ata_port_operations svia_base_ops = {
22280 +static const struct ata_port_operations svia_base_ops = {
22281         .inherits               = &ata_bmdma_port_ops,
22282         .sff_tf_load            = svia_tf_load,
22283  };
22284  
22285 -static struct ata_port_operations vt6420_sata_ops = {
22286 +static const struct ata_port_operations vt6420_sata_ops = {
22287         .inherits               = &svia_base_ops,
22288         .freeze                 = svia_noop_freeze,
22289         .prereset               = vt6420_prereset,
22290         .bmdma_start            = vt6420_bmdma_start,
22291  };
22292  
22293 -static struct ata_port_operations vt6421_pata_ops = {
22294 +static const struct ata_port_operations vt6421_pata_ops = {
22295         .inherits               = &svia_base_ops,
22296         .cable_detect           = vt6421_pata_cable_detect,
22297         .set_piomode            = vt6421_set_pio_mode,
22298         .set_dmamode            = vt6421_set_dma_mode,
22299  };
22300  
22301 -static struct ata_port_operations vt6421_sata_ops = {
22302 +static const struct ata_port_operations vt6421_sata_ops = {
22303         .inherits               = &svia_base_ops,
22304         .scr_read               = svia_scr_read,
22305         .scr_write              = svia_scr_write,
22306  };
22307  
22308 -static struct ata_port_operations vt8251_ops = {
22309 +static const struct ata_port_operations vt8251_ops = {
22310         .inherits               = &svia_base_ops,
22311         .hardreset              = sata_std_hardreset,
22312         .scr_read               = vt8251_scr_read,
22313 diff -urNp linux-2.6.35.5/drivers/ata/sata_vsc.c linux-2.6.35.5/drivers/ata/sata_vsc.c
22314 --- linux-2.6.35.5/drivers/ata/sata_vsc.c       2010-08-26 19:47:12.000000000 -0400
22315 +++ linux-2.6.35.5/drivers/ata/sata_vsc.c       2010-09-17 20:12:09.000000000 -0400
22316 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22317  };
22318  
22319  
22320 -static struct ata_port_operations vsc_sata_ops = {
22321 +static const struct ata_port_operations vsc_sata_ops = {
22322         .inherits               = &ata_bmdma_port_ops,
22323         /* The IRQ handling is not quite standard SFF behaviour so we
22324            cannot use the default lost interrupt handler */
22325 diff -urNp linux-2.6.35.5/drivers/atm/adummy.c linux-2.6.35.5/drivers/atm/adummy.c
22326 --- linux-2.6.35.5/drivers/atm/adummy.c 2010-08-26 19:47:12.000000000 -0400
22327 +++ linux-2.6.35.5/drivers/atm/adummy.c 2010-09-17 20:12:09.000000000 -0400
22328 @@ -78,7 +78,7 @@ adummy_send(struct atm_vcc *vcc, struct 
22329                 vcc->pop(vcc, skb);
22330         else
22331                 dev_kfree_skb_any(skb);
22332 -       atomic_inc(&vcc->stats->tx);
22333 +       atomic_inc_unchecked(&vcc->stats->tx);
22334  
22335         return 0;
22336  }
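Review bot: Nothing at the `atomic_inc_unchecked(&vcc->stats->tx)` call says why this counter is exempt from overflow checking, so a later reader cannot tell a statistics counter from a reference count whose wraparound would matter. A comment such as `/* statistics only: wraparound is harmless, no object lifetime depends on it */` at the declaration of the stats fields would make the exemption auditable. That declaration is outside this hunk; the `_unchecked` call presumably needs the members to have the matching unchecked atomic type, and code that reads the counters must use the matching accessors, so check that they were converted together. The same change recurs in the ambassador.c, atmtcp.c and eni.c hunks below. adummy_send's body starts outside the hunk.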
22337 diff -urNp linux-2.6.35.5/drivers/atm/ambassador.c linux-2.6.35.5/drivers/atm/ambassador.c
22338 --- linux-2.6.35.5/drivers/atm/ambassador.c     2010-08-26 19:47:12.000000000 -0400
22339 +++ linux-2.6.35.5/drivers/atm/ambassador.c     2010-09-17 20:12:09.000000000 -0400
22340 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev, 
22341    PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22342    
22343    // VC layer stats
22344 -  atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22345 +  atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22346    
22347    // free the descriptor
22348    kfree (tx_descr);
22349 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev, 
22350           dump_skb ("<<<", vc, skb);
22351           
22352           // VC layer stats
22353 -         atomic_inc(&atm_vcc->stats->rx);
22354 +         atomic_inc_unchecked(&atm_vcc->stats->rx);
22355           __net_timestamp(skb);
22356           // end of our responsability
22357           atm_vcc->push (atm_vcc, skb);
22358 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev, 
22359        } else {
22360         PRINTK (KERN_INFO, "dropped over-size frame");
22361         // should we count this?
22362 -       atomic_inc(&atm_vcc->stats->rx_drop);
22363 +       atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22364        }
22365        
22366      } else {
22367 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22368    }
22369    
22370    if (check_area (skb->data, skb->len)) {
22371 -    atomic_inc(&atm_vcc->stats->tx_err);
22372 +    atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22373      return -ENOMEM; // ?
22374    }
22375    
22376 diff -urNp linux-2.6.35.5/drivers/atm/atmtcp.c linux-2.6.35.5/drivers/atm/atmtcp.c
22377 --- linux-2.6.35.5/drivers/atm/atmtcp.c 2010-08-26 19:47:12.000000000 -0400
22378 +++ linux-2.6.35.5/drivers/atm/atmtcp.c 2010-09-17 20:12:09.000000000 -0400
22379 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc 
22380                 if (vcc->pop) vcc->pop(vcc,skb);
22381                 else dev_kfree_skb(skb);
22382                 if (dev_data) return 0;
22383 -               atomic_inc(&vcc->stats->tx_err);
22384 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22385                 return -ENOLINK;
22386         }
22387         size = skb->len+sizeof(struct atmtcp_hdr);
22388 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc 
22389         if (!new_skb) {
22390                 if (vcc->pop) vcc->pop(vcc,skb);
22391                 else dev_kfree_skb(skb);
22392 -               atomic_inc(&vcc->stats->tx_err);
22393 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22394                 return -ENOBUFS;
22395         }
22396         hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22397 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc 
22398         if (vcc->pop) vcc->pop(vcc,skb);
22399         else dev_kfree_skb(skb);
22400         out_vcc->push(out_vcc,new_skb);
22401 -       atomic_inc(&vcc->stats->tx);
22402 -       atomic_inc(&out_vcc->stats->rx);
22403 +       atomic_inc_unchecked(&vcc->stats->tx);
22404 +       atomic_inc_unchecked(&out_vcc->stats->rx);
22405         return 0;
22406  }
22407  
22408 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc 
22409         out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22410         read_unlock(&vcc_sklist_lock);
22411         if (!out_vcc) {
22412 -               atomic_inc(&vcc->stats->tx_err);
22413 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22414                 goto done;
22415         }
22416         skb_pull(skb,sizeof(struct atmtcp_hdr));
22417 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc 
22418         __net_timestamp(new_skb);
22419         skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22420         out_vcc->push(out_vcc,new_skb);
22421 -       atomic_inc(&vcc->stats->tx);
22422 -       atomic_inc(&out_vcc->stats->rx);
22423 +       atomic_inc_unchecked(&vcc->stats->tx);
22424 +       atomic_inc_unchecked(&out_vcc->stats->rx);
22425  done:
22426         if (vcc->pop) vcc->pop(vcc,skb);
22427         else dev_kfree_skb(skb);
22428 diff -urNp linux-2.6.35.5/drivers/atm/eni.c linux-2.6.35.5/drivers/atm/eni.c
22429 --- linux-2.6.35.5/drivers/atm/eni.c    2010-08-26 19:47:12.000000000 -0400
22430 +++ linux-2.6.35.5/drivers/atm/eni.c    2010-09-17 20:12:09.000000000 -0400
22431 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22432                 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22433                     vcc->dev->number);
22434                 length = 0;
22435 -               atomic_inc(&vcc->stats->rx_err);
22436 +               atomic_inc_unchecked(&vcc->stats->rx_err);
22437         }
22438         else {
22439                 length = ATM_CELL_SIZE-1; /* no HEC */
22440 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22441                             size);
22442                 }
22443                 eff = length = 0;
22444 -               atomic_inc(&vcc->stats->rx_err);
22445 +               atomic_inc_unchecked(&vcc->stats->rx_err);
22446         }
22447         else {
22448                 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22449 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22450                             "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22451                             vcc->dev->number,vcc->vci,length,size << 2,descr);
22452                         length = eff = 0;
22453 -                       atomic_inc(&vcc->stats->rx_err);
22454 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
22455                 }
22456         }
22457         skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22458 @@ -771,7 +771,7 @@ rx_dequeued++;
22459                         vcc->push(vcc,skb);
22460                         pushed++;
22461                 }
22462 -               atomic_inc(&vcc->stats->rx);
22463 +               atomic_inc_unchecked(&vcc->stats->rx);
22464         }
22465         wake_up(&eni_dev->rx_wait);
22466  }
22467 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22468                     PCI_DMA_TODEVICE);
22469                 if (vcc->pop) vcc->pop(vcc,skb);
22470                 else dev_kfree_skb_irq(skb);
22471 -               atomic_inc(&vcc->stats->tx);
22472 +               atomic_inc_unchecked(&vcc->stats->tx);
22473                 wake_up(&eni_dev->tx_wait);
22474  dma_complete++;
22475         }
22476 diff -urNp linux-2.6.35.5/drivers/atm/firestream.c linux-2.6.35.5/drivers/atm/firestream.c
22477 --- linux-2.6.35.5/drivers/atm/firestream.c     2010-08-26 19:47:12.000000000 -0400
22478 +++ linux-2.6.35.5/drivers/atm/firestream.c     2010-09-17 20:12:09.000000000 -0400
22479 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22480                                 }
22481                         }
22482  
22483 -                       atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22484 +                       atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22485  
22486                         fs_dprintk (FS_DEBUG_TXMEM, "i");
22487                         fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22488 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22489  #endif
22490                                 skb_put (skb, qe->p1 & 0xffff); 
22491                                 ATM_SKB(skb)->vcc = atm_vcc;
22492 -                               atomic_inc(&atm_vcc->stats->rx);
22493 +                               atomic_inc_unchecked(&atm_vcc->stats->rx);
22494                                 __net_timestamp(skb);
22495                                 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22496                                 atm_vcc->push (atm_vcc, skb);
22497 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22498                                 kfree (pe);
22499                         }
22500                         if (atm_vcc)
22501 -                               atomic_inc(&atm_vcc->stats->rx_drop);
22502 +                               atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22503                         break;
22504                 case 0x1f: /*  Reassembly abort: no buffers. */
22505                         /* Silently increment error counter. */
22506                         if (atm_vcc)
22507 -                               atomic_inc(&atm_vcc->stats->rx_drop);
22508 +                               atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22509                         break;
22510                 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22511                         printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n", 
22512 diff -urNp linux-2.6.35.5/drivers/atm/fore200e.c linux-2.6.35.5/drivers/atm/fore200e.c
22513 --- linux-2.6.35.5/drivers/atm/fore200e.c       2010-08-26 19:47:12.000000000 -0400
22514 +++ linux-2.6.35.5/drivers/atm/fore200e.c       2010-09-17 20:12:09.000000000 -0400
22515 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22516  #endif
22517                 /* check error condition */
22518                 if (*entry->status & STATUS_ERROR)
22519 -                   atomic_inc(&vcc->stats->tx_err);
22520 +                   atomic_inc_unchecked(&vcc->stats->tx_err);
22521                 else
22522 -                   atomic_inc(&vcc->stats->tx);
22523 +                   atomic_inc_unchecked(&vcc->stats->tx);
22524             }
22525         }
22526  
22527 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22528      if (skb == NULL) {
22529         DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22530  
22531 -       atomic_inc(&vcc->stats->rx_drop);
22532 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
22533         return -ENOMEM;
22534      } 
22535  
22536 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22537  
22538         dev_kfree_skb_any(skb);
22539  
22540 -       atomic_inc(&vcc->stats->rx_drop);
22541 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
22542         return -ENOMEM;
22543      }
22544  
22545      ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22546  
22547      vcc->push(vcc, skb);
22548 -    atomic_inc(&vcc->stats->rx);
22549 +    atomic_inc_unchecked(&vcc->stats->rx);
22550  
22551      ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22552  
22553 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22554                 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22555                         fore200e->atm_dev->number,
22556                         entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22557 -               atomic_inc(&vcc->stats->rx_err);
22558 +               atomic_inc_unchecked(&vcc->stats->rx_err);
22559             }
22560         }
22561  
22562 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22563                 goto retry_here;
22564             }
22565  
22566 -           atomic_inc(&vcc->stats->tx_err);
22567 +           atomic_inc_unchecked(&vcc->stats->tx_err);
22568  
22569             fore200e->tx_sat++;
22570             DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22571 diff -urNp linux-2.6.35.5/drivers/atm/he.c linux-2.6.35.5/drivers/atm/he.c
22572 --- linux-2.6.35.5/drivers/atm/he.c     2010-08-26 19:47:12.000000000 -0400
22573 +++ linux-2.6.35.5/drivers/atm/he.c     2010-09-17 20:12:09.000000000 -0400
22574 @@ -1770,7 +1770,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22575  
22576                 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22577                         hprintk("HBUF_ERR!  (cid 0x%x)\n", cid);
22578 -                               atomic_inc(&vcc->stats->rx_drop);
22579 +                               atomic_inc_unchecked(&vcc->stats->rx_drop);
22580                         goto return_host_buffers;
22581                 }
22582  
22583 @@ -1803,7 +1803,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22584                                 RBRQ_LEN_ERR(he_dev->rbrq_head)
22585                                                         ? "LEN_ERR" : "",
22586                                                         vcc->vpi, vcc->vci);
22587 -                       atomic_inc(&vcc->stats->rx_err);
22588 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
22589                         goto return_host_buffers;
22590                 }
22591  
22592 @@ -1862,7 +1862,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22593                 vcc->push(vcc, skb);
22594                 spin_lock(&he_dev->global_lock);
22595  
22596 -               atomic_inc(&vcc->stats->rx);
22597 +               atomic_inc_unchecked(&vcc->stats->rx);
22598  
22599  return_host_buffers:
22600                 ++pdus_assembled;
22601 @@ -2207,7 +2207,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22602                                         tpd->vcc->pop(tpd->vcc, tpd->skb);
22603                                 else
22604                                         dev_kfree_skb_any(tpd->skb);
22605 -                               atomic_inc(&tpd->vcc->stats->tx_err);
22606 +                               atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22607                         }
22608                         pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22609                         return;
22610 @@ -2619,7 +2619,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22611                         vcc->pop(vcc, skb);
22612                 else
22613                         dev_kfree_skb_any(skb);
22614 -               atomic_inc(&vcc->stats->tx_err);
22615 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22616                 return -EINVAL;
22617         }
22618  
22619 @@ -2630,7 +2630,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22620                         vcc->pop(vcc, skb);
22621                 else
22622                         dev_kfree_skb_any(skb);
22623 -               atomic_inc(&vcc->stats->tx_err);
22624 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22625                 return -EINVAL;
22626         }
22627  #endif
22628 @@ -2642,7 +2642,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22629                         vcc->pop(vcc, skb);
22630                 else
22631                         dev_kfree_skb_any(skb);
22632 -               atomic_inc(&vcc->stats->tx_err);
22633 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22634                 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22635                 return -ENOMEM;
22636         }
22637 @@ -2684,7 +2684,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22638                                         vcc->pop(vcc, skb);
22639                                 else
22640                                         dev_kfree_skb_any(skb);
22641 -                               atomic_inc(&vcc->stats->tx_err);
22642 +                               atomic_inc_unchecked(&vcc->stats->tx_err);
22643                                 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22644                                 return -ENOMEM;
22645                         }
22646 @@ -2715,7 +2715,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22647         __enqueue_tpd(he_dev, tpd, cid);
22648         spin_unlock_irqrestore(&he_dev->global_lock, flags);
22649  
22650 -       atomic_inc(&vcc->stats->tx);
22651 +       atomic_inc_unchecked(&vcc->stats->tx);
22652  
22653         return 0;
22654  }
22655 diff -urNp linux-2.6.35.5/drivers/atm/horizon.c linux-2.6.35.5/drivers/atm/horizon.c
22656 --- linux-2.6.35.5/drivers/atm/horizon.c        2010-08-26 19:47:12.000000000 -0400
22657 +++ linux-2.6.35.5/drivers/atm/horizon.c        2010-09-17 20:12:09.000000000 -0400
22658 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev, 
22659         {
22660           struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22661           // VC layer stats
22662 -         atomic_inc(&vcc->stats->rx);
22663 +         atomic_inc_unchecked(&vcc->stats->rx);
22664           __net_timestamp(skb);
22665           // end of our responsability
22666           vcc->push (vcc, skb);
22667 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22668         dev->tx_iovec = NULL;
22669         
22670         // VC layer stats
22671 -       atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22672 +       atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22673         
22674         // free the skb
22675         hrz_kfree_skb (skb);
22676 diff -urNp linux-2.6.35.5/drivers/atm/idt77252.c linux-2.6.35.5/drivers/atm/idt77252.c
22677 --- linux-2.6.35.5/drivers/atm/idt77252.c       2010-08-26 19:47:12.000000000 -0400
22678 +++ linux-2.6.35.5/drivers/atm/idt77252.c       2010-09-17 20:12:09.000000000 -0400
22679 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22680                 else
22681                         dev_kfree_skb(skb);
22682  
22683 -               atomic_inc(&vcc->stats->tx);
22684 +               atomic_inc_unchecked(&vcc->stats->tx);
22685         }
22686  
22687         atomic_dec(&scq->used);
22688 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22689                         if ((sb = dev_alloc_skb(64)) == NULL) {
22690                                 printk("%s: Can't allocate buffers for aal0.\n",
22691                                        card->name);
22692 -                               atomic_add(i, &vcc->stats->rx_drop);
22693 +                               atomic_add_unchecked(i, &vcc->stats->rx_drop);
22694                                 break;
22695                         }
22696                         if (!atm_charge(vcc, sb->truesize)) {
22697                                 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22698                                          card->name);
22699 -                               atomic_add(i - 1, &vcc->stats->rx_drop);
22700 +                               atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22701                                 dev_kfree_skb(sb);
22702                                 break;
22703                         }
22704 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22705                         ATM_SKB(sb)->vcc = vcc;
22706                         __net_timestamp(sb);
22707                         vcc->push(vcc, sb);
22708 -                       atomic_inc(&vcc->stats->rx);
22709 +                       atomic_inc_unchecked(&vcc->stats->rx);
22710  
22711                         cell += ATM_CELL_PAYLOAD;
22712                 }
22713 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22714                                  "(CDC: %08x)\n",
22715                                  card->name, len, rpp->len, readl(SAR_REG_CDC));
22716                         recycle_rx_pool_skb(card, rpp);
22717 -                       atomic_inc(&vcc->stats->rx_err);
22718 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
22719                         return;
22720                 }
22721                 if (stat & SAR_RSQE_CRC) {
22722                         RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22723                         recycle_rx_pool_skb(card, rpp);
22724 -                       atomic_inc(&vcc->stats->rx_err);
22725 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
22726                         return;
22727                 }
22728                 if (skb_queue_len(&rpp->queue) > 1) {
22729 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22730                                 RXPRINTK("%s: Can't alloc RX skb.\n",
22731                                          card->name);
22732                                 recycle_rx_pool_skb(card, rpp);
22733 -                               atomic_inc(&vcc->stats->rx_err);
22734 +                               atomic_inc_unchecked(&vcc->stats->rx_err);
22735                                 return;
22736                         }
22737                         if (!atm_charge(vcc, skb->truesize)) {
22738 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22739                         __net_timestamp(skb);
22740  
22741                         vcc->push(vcc, skb);
22742 -                       atomic_inc(&vcc->stats->rx);
22743 +                       atomic_inc_unchecked(&vcc->stats->rx);
22744  
22745                         return;
22746                 }
22747 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22748                 __net_timestamp(skb);
22749  
22750                 vcc->push(vcc, skb);
22751 -               atomic_inc(&vcc->stats->rx);
22752 +               atomic_inc_unchecked(&vcc->stats->rx);
22753  
22754                 if (skb->truesize > SAR_FB_SIZE_3)
22755                         add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22756 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22757                 if (vcc->qos.aal != ATM_AAL0) {
22758                         RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22759                                 card->name, vpi, vci);
22760 -                       atomic_inc(&vcc->stats->rx_drop);
22761 +                       atomic_inc_unchecked(&vcc->stats->rx_drop);
22762                         goto drop;
22763                 }
22764         
22765                 if ((sb = dev_alloc_skb(64)) == NULL) {
22766                         printk("%s: Can't allocate buffers for AAL0.\n",
22767                                card->name);
22768 -                       atomic_inc(&vcc->stats->rx_err);
22769 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
22770                         goto drop;
22771                 }
22772  
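Review bot: A failed `dev_alloc_skb(64)` is booked as `rx_err` in this hunk, while the same allocation failure in the aal0 path of dequeue_rx (the `@@ -1074` hunk above) is booked as `rx_drop`, as are the buffer-exhaustion paths in fore200e, firestream and nicstar in this patch. Mixing memory pressure into `rx_err` makes that counter less useful to anyone watching it for damaged or unexpected cells. If the split is not intentional, the line should read `atomic_inc_unchecked(&vcc->stats->rx_drop);`. The "Can't alloc RX skb" branch of dequeue_rx has the same question. idt77252_rx_raw begins and ends outside the hunk.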
22773 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22774                 ATM_SKB(sb)->vcc = vcc;
22775                 __net_timestamp(sb);
22776                 vcc->push(vcc, sb);
22777 -               atomic_inc(&vcc->stats->rx);
22778 +               atomic_inc_unchecked(&vcc->stats->rx);
22779  
22780  drop:
22781                 skb_pull(queue, 64);
22782 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22783  
22784         if (vc == NULL) {
22785                 printk("%s: NULL connection in send().\n", card->name);
22786 -               atomic_inc(&vcc->stats->tx_err);
22787 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22788                 dev_kfree_skb(skb);
22789                 return -EINVAL;
22790         }
22791         if (!test_bit(VCF_TX, &vc->flags)) {
22792                 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22793 -               atomic_inc(&vcc->stats->tx_err);
22794 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22795                 dev_kfree_skb(skb);
22796                 return -EINVAL;
22797         }
22798 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22799                 break;
22800         default:
22801                 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22802 -               atomic_inc(&vcc->stats->tx_err);
22803 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22804                 dev_kfree_skb(skb);
22805                 return -EINVAL;
22806         }
22807  
22808         if (skb_shinfo(skb)->nr_frags != 0) {
22809                 printk("%s: No scatter-gather yet.\n", card->name);
22810 -               atomic_inc(&vcc->stats->tx_err);
22811 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22812                 dev_kfree_skb(skb);
22813                 return -EINVAL;
22814         }
22815 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22816  
22817         err = queue_skb(card, vc, skb, oam);
22818         if (err) {
22819 -               atomic_inc(&vcc->stats->tx_err);
22820 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22821                 dev_kfree_skb(skb);
22822                 return err;
22823         }
22824 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22825         skb = dev_alloc_skb(64);
22826         if (!skb) {
22827                 printk("%s: Out of memory in send_oam().\n", card->name);
22828 -               atomic_inc(&vcc->stats->tx_err);
22829 +               atomic_inc_unchecked(&vcc->stats->tx_err);
22830                 return -ENOMEM;
22831         }
22832         atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22833 diff -urNp linux-2.6.35.5/drivers/atm/iphase.c linux-2.6.35.5/drivers/atm/iphase.c
22834 --- linux-2.6.35.5/drivers/atm/iphase.c 2010-08-26 19:47:12.000000000 -0400
22835 +++ linux-2.6.35.5/drivers/atm/iphase.c 2010-09-17 20:12:09.000000000 -0400
22836 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)  
22837         status = (u_short) (buf_desc_ptr->desc_mode);  
22838         if (status & (RX_CER | RX_PTE | RX_OFL))  
22839         {  
22840 -                atomic_inc(&vcc->stats->rx_err);
22841 +                atomic_inc_unchecked(&vcc->stats->rx_err);
22842                 IF_ERR(printk("IA: bad packet, dropping it");)  
22843                  if (status & RX_CER) { 
22844                      IF_ERR(printk(" cause: packet CRC error\n");)
22845 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)  
22846         len = dma_addr - buf_addr;  
22847          if (len > iadev->rx_buf_sz) {
22848             printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
22849 -           atomic_inc(&vcc->stats->rx_err);
22850 +           atomic_inc_unchecked(&vcc->stats->rx_err);
22851            goto out_free_desc;
22852          }
22853                   
22854 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
22855            ia_vcc = INPH_IA_VCC(vcc);
22856            if (ia_vcc == NULL)
22857            {
22858 -             atomic_inc(&vcc->stats->rx_err);
22859 +             atomic_inc_unchecked(&vcc->stats->rx_err);
22860               dev_kfree_skb_any(skb);
22861               atm_return(vcc, atm_guess_pdu2truesize(len));
22862               goto INCR_DLE;
22863 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
22864            if ((length > iadev->rx_buf_sz) || (length > 
22865                                (skb->len - sizeof(struct cpcs_trailer))))
22866            {
22867 -             atomic_inc(&vcc->stats->rx_err);
22868 +             atomic_inc_unchecked(&vcc->stats->rx_err);
22869               IF_ERR(printk("rx_dle_intr: Bad  AAL5 trailer %d (skb len %d)", 
22870                                                              length, skb->len);)
22871               dev_kfree_skb_any(skb);
22872 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
22873  
22874           IF_RX(printk("rx_dle_intr: skb push");)  
22875           vcc->push(vcc,skb);  
22876 -         atomic_inc(&vcc->stats->rx);
22877 +         atomic_inc_unchecked(&vcc->stats->rx);
22878            iadev->rx_pkt_cnt++;
22879        }  
22880  INCR_DLE:
22881 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
22882           {
22883               struct k_sonet_stats *stats;
22884               stats = &PRIV(_ia_dev[board])->sonet_stats;
22885 -             printk("section_bip: %d\n", atomic_read(&stats->section_bip));
22886 -             printk("line_bip   : %d\n", atomic_read(&stats->line_bip));
22887 -             printk("path_bip   : %d\n", atomic_read(&stats->path_bip));
22888 -             printk("line_febe  : %d\n", atomic_read(&stats->line_febe));
22889 -             printk("path_febe  : %d\n", atomic_read(&stats->path_febe));
22890 -             printk("corr_hcs   : %d\n", atomic_read(&stats->corr_hcs));
22891 -             printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
22892 -             printk("tx_cells   : %d\n", atomic_read(&stats->tx_cells));
22893 -             printk("rx_cells   : %d\n", atomic_read(&stats->rx_cells));
22894 +             printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
22895 +             printk("line_bip   : %d\n", atomic_read_unchecked(&stats->line_bip));
22896 +             printk("path_bip   : %d\n", atomic_read_unchecked(&stats->path_bip));
22897 +             printk("line_febe  : %d\n", atomic_read_unchecked(&stats->line_febe));
22898 +             printk("path_febe  : %d\n", atomic_read_unchecked(&stats->path_febe));
22899 +             printk("corr_hcs   : %d\n", atomic_read_unchecked(&stats->corr_hcs));
22900 +             printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
22901 +             printk("tx_cells   : %d\n", atomic_read_unchecked(&stats->tx_cells));
22902 +             printk("rx_cells   : %d\n", atomic_read_unchecked(&stats->rx_cells));
22903           }
22904              ia_cmds.status = 0;
22905              break;
22906 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
22907         if ((desc == 0) || (desc > iadev->num_tx_desc))  
22908         {  
22909                 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);) 
22910 -                atomic_inc(&vcc->stats->tx);
22911 +                atomic_inc_unchecked(&vcc->stats->tx);
22912                 if (vcc->pop)   
22913                     vcc->pop(vcc, skb);   
22914                 else  
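Review bot: The invalid-descriptor branch counts the rejected packet in `vcc->stats->tx`, the success counter, so a failed send cannot be told apart from a completed one in the statistics. The conversion to the unchecked helper keeps that behaviour. If this is an error path, as the `IF_ERR` message suggests, the line should read `atomic_inc_unchecked(&vcc->stats->tx_err);`. The rest of ia_pkt_tx, including what this branch returns, lies outside the hunk, so confirm against the full function.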
22915 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
22916          ATM_DESC(skb) = vcc->vci;
22917          skb_queue_tail(&iadev->tx_dma_q, skb);
22918  
22919 -        atomic_inc(&vcc->stats->tx);
22920 +        atomic_inc_unchecked(&vcc->stats->tx);
22921          iadev->tx_pkt_cnt++;
22922         /* Increment transaction counter */  
22923         writel(2, iadev->dma+IPHASE5575_TX_COUNTER);  
22924          
22925  #if 0        
22926          /* add flow control logic */ 
22927 -        if (atomic_read(&vcc->stats->tx) % 20 == 0) {
22928 +        if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
22929            if (iavcc->vc_desc_cnt > 10) {
22930               vcc->tx_quota =  vcc->tx_quota * 3 / 4;
22931              printk("Tx1:  vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
22932 diff -urNp linux-2.6.35.5/drivers/atm/lanai.c linux-2.6.35.5/drivers/atm/lanai.c
22933 --- linux-2.6.35.5/drivers/atm/lanai.c  2010-08-26 19:47:12.000000000 -0400
22934 +++ linux-2.6.35.5/drivers/atm/lanai.c  2010-09-17 20:12:09.000000000 -0400
22935 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
22936         vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
22937         lanai_endtx(lanai, lvcc);
22938         lanai_free_skb(lvcc->tx.atmvcc, skb);
22939 -       atomic_inc(&lvcc->tx.atmvcc->stats->tx);
22940 +       atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
22941  }
22942  
22943  /* Try to fill the buffer - don't call unless there is backlog */
22944 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
22945         ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
22946         __net_timestamp(skb);
22947         lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
22948 -       atomic_inc(&lvcc->rx.atmvcc->stats->rx);
22949 +       atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
22950      out:
22951         lvcc->rx.buf.ptr = end;
22952         cardvcc_write(lvcc, endptr, vcc_rxreadptr);
22953 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
22954                 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
22955                     "vcc %d\n", lanai->number, (unsigned int) s, vci);
22956                 lanai->stats.service_rxnotaal5++;
22957 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22958 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22959                 return 0;
22960         }
22961         if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
22962 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
22963                 int bytes;
22964                 read_unlock(&vcc_sklist_lock);
22965                 DPRINTK("got trashed rx pdu on vci %d\n", vci);
22966 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22967 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22968                 lvcc->stats.x.aal5.service_trash++;
22969                 bytes = (SERVICE_GET_END(s) * 16) -
22970                     (((unsigned long) lvcc->rx.buf.ptr) -
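Review bot: `lvcc->rx.atmvcc` is dereferenced for the counter update after `read_unlock(&vcc_sklist_lock)` in this trashed-PDU branch, and again in the `SERVICE_STREAM` branch of the next hunk. If that lock is what keeps the atm_vcc alive against a concurrent close (the hunk does not show this), the increment should move above the unlock: `atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);` first, then `read_unlock(&vcc_sklist_lock);`. handle_service begins and ends outside the hunk.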
22971 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
22972         }
22973         if (s & SERVICE_STREAM) {
22974                 read_unlock(&vcc_sklist_lock);
22975 -               atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22976 +               atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22977                 lvcc->stats.x.aal5.service_stream++;
22978                 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
22979                     "PDU on VCI %d!\n", lanai->number, vci);
22980 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
22981                 return 0;
22982         }
22983         DPRINTK("got rx crc error on vci %d\n", vci);
22984 -       atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
22985 +       atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
22986         lvcc->stats.x.aal5.service_rxcrc++;
22987         lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
22988         cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
22989 diff -urNp linux-2.6.35.5/drivers/atm/nicstar.c linux-2.6.35.5/drivers/atm/nicstar.c
22990 --- linux-2.6.35.5/drivers/atm/nicstar.c        2010-08-26 19:47:12.000000000 -0400
22991 +++ linux-2.6.35.5/drivers/atm/nicstar.c        2010-09-17 20:12:09.000000000 -0400
22992 @@ -1722,7 +1722,7 @@ static int ns_send(struct atm_vcc *vcc, 
22993     if ((vc = (vc_map *) vcc->dev_data) == NULL)
22994     {
22995        printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n", card->index);
22996 -      atomic_inc(&vcc->stats->tx_err);
22997 +      atomic_inc_unchecked(&vcc->stats->tx_err);
22998        dev_kfree_skb_any(skb);
22999        return -EINVAL;
23000     }
23001 @@ -1730,7 +1730,7 @@ static int ns_send(struct atm_vcc *vcc, 
23002     if (!vc->tx)
23003     {
23004        printk("nicstar%d: Trying to transmit on a non-tx VC.\n", card->index);
23005 -      atomic_inc(&vcc->stats->tx_err);
23006 +      atomic_inc_unchecked(&vcc->stats->tx_err);
23007        dev_kfree_skb_any(skb);
23008        return -EINVAL;
23009     }
23010 @@ -1738,7 +1738,7 @@ static int ns_send(struct atm_vcc *vcc, 
23011     if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0)
23012     {
23013        printk("nicstar%d: Only AAL0 and AAL5 are supported.\n", card->index);
23014 -      atomic_inc(&vcc->stats->tx_err);
23015 +      atomic_inc_unchecked(&vcc->stats->tx_err);
23016        dev_kfree_skb_any(skb);
23017        return -EINVAL;
23018     }
23019 @@ -1746,7 +1746,7 @@ static int ns_send(struct atm_vcc *vcc, 
23020     if (skb_shinfo(skb)->nr_frags != 0)
23021     {
23022        printk("nicstar%d: No scatter-gather yet.\n", card->index);
23023 -      atomic_inc(&vcc->stats->tx_err);
23024 +      atomic_inc_unchecked(&vcc->stats->tx_err);
23025        dev_kfree_skb_any(skb);
23026        return -EINVAL;
23027     }
23028 @@ -1791,11 +1791,11 @@ static int ns_send(struct atm_vcc *vcc, 
23029  
23030     if (push_scqe(card, vc, scq, &scqe, skb) != 0)
23031     {
23032 -      atomic_inc(&vcc->stats->tx_err);
23033 +      atomic_inc_unchecked(&vcc->stats->tx_err);
23034        dev_kfree_skb_any(skb);
23035        return -EIO;
23036     }
23037 -   atomic_inc(&vcc->stats->tx);
23038 +   atomic_inc_unchecked(&vcc->stats->tx);
23039  
23040     return 0;
23041  }
23042 @@ -2110,14 +2110,14 @@ static void dequeue_rx(ns_dev *card, ns_
23043           {
23044              printk("nicstar%d: Can't allocate buffers for aal0.\n",
23045                     card->index);
23046 -            atomic_add(i,&vcc->stats->rx_drop);
23047 +            atomic_add_unchecked(i,&vcc->stats->rx_drop);
23048              break;
23049           }
23050           if (!atm_charge(vcc, sb->truesize))
23051           {
23052              RXPRINTK("nicstar%d: atm_charge() dropped aal0 packets.\n",
23053                       card->index);
23054 -            atomic_add(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23055 +            atomic_add_unchecked(i-1,&vcc->stats->rx_drop); /* already increased by 1 */
23056              dev_kfree_skb_any(sb);
23057              break;
23058           }
23059 @@ -2132,7 +2132,7 @@ static void dequeue_rx(ns_dev *card, ns_
23060           ATM_SKB(sb)->vcc = vcc;
23061          __net_timestamp(sb);
23062           vcc->push(vcc, sb);
23063 -         atomic_inc(&vcc->stats->rx);
23064 +         atomic_inc_unchecked(&vcc->stats->rx);
23065           cell += ATM_CELL_PAYLOAD;
23066        }
23067  
23068 @@ -2151,7 +2151,7 @@ static void dequeue_rx(ns_dev *card, ns_
23069          if (iovb == NULL)
23070          {
23071             printk("nicstar%d: Out of iovec buffers.\n", card->index);
23072 -            atomic_inc(&vcc->stats->rx_drop);
23073 +            atomic_inc_unchecked(&vcc->stats->rx_drop);
23074              recycle_rx_buf(card, skb);
23075              return;
23076          }
23077 @@ -2181,7 +2181,7 @@ static void dequeue_rx(ns_dev *card, ns_
23078     else if (NS_SKB(iovb)->iovcnt >= NS_MAX_IOVECS)
23079     {
23080        printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23081 -      atomic_inc(&vcc->stats->rx_err);
23082 +      atomic_inc_unchecked(&vcc->stats->rx_err);
23083        recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data, NS_MAX_IOVECS);
23084        NS_SKB(iovb)->iovcnt = 0;
23085        iovb->len = 0;
23086 @@ -2201,7 +2201,7 @@ static void dequeue_rx(ns_dev *card, ns_
23087           printk("nicstar%d: Expected a small buffer, and this is not one.\n",
23088                 card->index);
23089           which_list(card, skb);
23090 -         atomic_inc(&vcc->stats->rx_err);
23091 +         atomic_inc_unchecked(&vcc->stats->rx_err);
23092           recycle_rx_buf(card, skb);
23093           vc->rx_iov = NULL;
23094           recycle_iov_buf(card, iovb);
23095 @@ -2215,7 +2215,7 @@ static void dequeue_rx(ns_dev *card, ns_
23096           printk("nicstar%d: Expected a large buffer, and this is not one.\n",
23097                 card->index);
23098           which_list(card, skb);
23099 -         atomic_inc(&vcc->stats->rx_err);
23100 +         atomic_inc_unchecked(&vcc->stats->rx_err);
23101           recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23102                                NS_SKB(iovb)->iovcnt);
23103           vc->rx_iov = NULL;
23104 @@ -2239,7 +2239,7 @@ static void dequeue_rx(ns_dev *card, ns_
23105              printk(" - PDU size mismatch.\n");
23106           else
23107              printk(".\n");
23108 -         atomic_inc(&vcc->stats->rx_err);
23109 +         atomic_inc_unchecked(&vcc->stats->rx_err);
23110           recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23111            NS_SKB(iovb)->iovcnt);
23112          vc->rx_iov = NULL;
23113 @@ -2255,7 +2255,7 @@ static void dequeue_rx(ns_dev *card, ns_
23114           if (!atm_charge(vcc, skb->truesize))
23115           {
23116              push_rxbufs(card, skb);
23117 -            atomic_inc(&vcc->stats->rx_drop);
23118 +            atomic_inc_unchecked(&vcc->stats->rx_drop);
23119           }
23120           else
23121          {
23122 @@ -2267,7 +2267,7 @@ static void dequeue_rx(ns_dev *card, ns_
23123              ATM_SKB(skb)->vcc = vcc;
23124             __net_timestamp(skb);
23125              vcc->push(vcc, skb);
23126 -            atomic_inc(&vcc->stats->rx);
23127 +            atomic_inc_unchecked(&vcc->stats->rx);
23128           }
23129        }
23130        else if (NS_SKB(iovb)->iovcnt == 2)      /* One small plus one large buffer */
23131 @@ -2282,7 +2282,7 @@ static void dequeue_rx(ns_dev *card, ns_
23132              if (!atm_charge(vcc, sb->truesize))
23133              {
23134                 push_rxbufs(card, sb);
23135 -               atomic_inc(&vcc->stats->rx_drop);
23136 +               atomic_inc_unchecked(&vcc->stats->rx_drop);
23137              }
23138              else
23139             {
23140 @@ -2294,7 +2294,7 @@ static void dequeue_rx(ns_dev *card, ns_
23141                 ATM_SKB(sb)->vcc = vcc;
23142                __net_timestamp(sb);
23143                 vcc->push(vcc, sb);
23144 -               atomic_inc(&vcc->stats->rx);
23145 +               atomic_inc_unchecked(&vcc->stats->rx);
23146              }
23147  
23148              push_rxbufs(card, skb);
23149 @@ -2305,7 +2305,7 @@ static void dequeue_rx(ns_dev *card, ns_
23150              if (!atm_charge(vcc, skb->truesize))
23151              {
23152                 push_rxbufs(card, skb);
23153 -               atomic_inc(&vcc->stats->rx_drop);
23154 +               atomic_inc_unchecked(&vcc->stats->rx_drop);
23155              }
23156              else
23157              {
23158 @@ -2319,7 +2319,7 @@ static void dequeue_rx(ns_dev *card, ns_
23159                 ATM_SKB(skb)->vcc = vcc;
23160                __net_timestamp(skb);
23161                 vcc->push(vcc, skb);
23162 -               atomic_inc(&vcc->stats->rx);
23163 +               atomic_inc_unchecked(&vcc->stats->rx);
23164              }
23165  
23166              push_rxbufs(card, sb);
23167 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev *card, ns_
23168              if (hb == NULL)
23169              {
23170                 printk("nicstar%d: Out of huge buffers.\n", card->index);
23171 -               atomic_inc(&vcc->stats->rx_drop);
23172 +               atomic_inc_unchecked(&vcc->stats->rx_drop);
23173                 recycle_iovec_rx_bufs(card, (struct iovec *) iovb->data,
23174                                      NS_SKB(iovb)->iovcnt);
23175                 vc->rx_iov = NULL;
23176 @@ -2392,7 +2392,7 @@ static void dequeue_rx(ns_dev *card, ns_
23177              }
23178             else
23179                dev_kfree_skb_any(hb);
23180 -           atomic_inc(&vcc->stats->rx_drop);
23181 +           atomic_inc_unchecked(&vcc->stats->rx_drop);
23182           }
23183           else
23184          {
23185 @@ -2426,7 +2426,7 @@ static void dequeue_rx(ns_dev *card, ns_
23186  #endif /* NS_USE_DESTRUCTORS */
23187             __net_timestamp(hb);
23188              vcc->push(vcc, hb);
23189 -            atomic_inc(&vcc->stats->rx);
23190 +            atomic_inc_unchecked(&vcc->stats->rx);
23191           }
23192        }
23193  
23194 diff -urNp linux-2.6.35.5/drivers/atm/solos-pci.c linux-2.6.35.5/drivers/atm/solos-pci.c
23195 --- linux-2.6.35.5/drivers/atm/solos-pci.c      2010-08-26 19:47:12.000000000 -0400
23196 +++ linux-2.6.35.5/drivers/atm/solos-pci.c      2010-09-17 20:12:09.000000000 -0400
23197 @@ -715,7 +715,7 @@ void solos_bh(unsigned long card_arg)
23198                                 }
23199                                 atm_charge(vcc, skb->truesize);
23200                                 vcc->push(vcc, skb);
23201 -                               atomic_inc(&vcc->stats->rx);
23202 +                               atomic_inc_unchecked(&vcc->stats->rx);
23203                                 break;
23204  
23205                         case PKT_STATUS:
23206 @@ -1023,7 +1023,7 @@ static uint32_t fpga_tx(struct solos_car
23207                         vcc = SKB_CB(oldskb)->vcc;
23208  
23209                         if (vcc) {
23210 -                               atomic_inc(&vcc->stats->tx);
23211 +                               atomic_inc_unchecked(&vcc->stats->tx);
23212                                 solos_pop(vcc, oldskb);
23213                         } else
23214                                 dev_kfree_skb_irq(oldskb);
23215 diff -urNp linux-2.6.35.5/drivers/atm/suni.c linux-2.6.35.5/drivers/atm/suni.c
23216 --- linux-2.6.35.5/drivers/atm/suni.c   2010-08-26 19:47:12.000000000 -0400
23217 +++ linux-2.6.35.5/drivers/atm/suni.c   2010-09-17 20:12:09.000000000 -0400
23218 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23219  
23220  
23221  #define ADD_LIMITED(s,v) \
23222 -    atomic_add((v),&stats->s); \
23223 -    if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23224 +    atomic_add_unchecked((v),&stats->s); \
23225 +    if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23226  
23227  
23228  static void suni_hz(unsigned long from_timer)
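Review bot: `ADD_LIMITED` still expands to two bare statements, so the clamp to `INT_MAX` falls outside any unbraced `if`/`else` a caller places around the macro. Since both lines are being rewritten here, wrap them as `do { atomic_add_unchecked((v),&stats->s); if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)`. A short comment that the `_unchecked` variants are deliberate, because the counter is expected to wrap negative before it is clamped, would explain the choice to the next reader. The add/read/set sequence is not atomic as a whole, which is presumably acceptable for statistics but worth stating. The copy of this macro in the uPD98402.c hunk uses bare braces and would benefit from the same `do { } while (0)` form.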
23229 diff -urNp linux-2.6.35.5/drivers/atm/uPD98402.c linux-2.6.35.5/drivers/atm/uPD98402.c
23230 --- linux-2.6.35.5/drivers/atm/uPD98402.c       2010-08-26 19:47:12.000000000 -0400
23231 +++ linux-2.6.35.5/drivers/atm/uPD98402.c       2010-09-17 20:12:09.000000000 -0400
23232 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23233         struct sonet_stats tmp;
23234         int error = 0;
23235  
23236 -       atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23237 +       atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23238         sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23239         if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23240         if (zero && !error) {
23241 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23242  
23243  
23244  #define ADD_LIMITED(s,v) \
23245 -    { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23246 -    if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23247 -       atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23248 +    { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23249 +    if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23250 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23251  
23252  
23253  static void stat_event(struct atm_dev *dev)
23254 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev 
23255                 if (reason & uPD98402_INT_PFM) stat_event(dev);
23256                 if (reason & uPD98402_INT_PCO) {
23257                         (void) GET(PCOCR); /* clear interrupt cause */
23258 -                       atomic_add(GET(HECCT),
23259 +                       atomic_add_unchecked(GET(HECCT),
23260                             &PRIV(dev)->sonet_stats.uncorr_hcs);
23261                 }
23262                 if ((reason & uPD98402_INT_RFO) && 
23263 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23264         PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23265           uPD98402_INT_LOS),PIMR); /* enable them */
23266         (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23267 -       atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23268 -       atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23269 -       atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23270 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23271 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23272 +       atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23273         return 0;
23274  }
23275  
23276 diff -urNp linux-2.6.35.5/drivers/atm/zatm.c linux-2.6.35.5/drivers/atm/zatm.c
23277 --- linux-2.6.35.5/drivers/atm/zatm.c   2010-08-26 19:47:12.000000000 -0400
23278 +++ linux-2.6.35.5/drivers/atm/zatm.c   2010-09-17 20:12:09.000000000 -0400
23279 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23280                 }
23281                 if (!size) {
23282                         dev_kfree_skb_irq(skb);
23283 -                       if (vcc) atomic_inc(&vcc->stats->rx_err);
23284 +                       if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23285                         continue;
23286                 }
23287                 if (!atm_charge(vcc,skb->truesize)) {
23288 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23289                 skb->len = size;
23290                 ATM_SKB(skb)->vcc = vcc;
23291                 vcc->push(vcc,skb);
23292 -               atomic_inc(&vcc->stats->rx);
23293 +               atomic_inc_unchecked(&vcc->stats->rx);
23294         }
23295         zout(pos & 0xffff,MTA(mbx));
23296  #if 0 /* probably a stupid idea */
23297 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23298                         skb_queue_head(&zatm_vcc->backlog,skb);
23299                         break;
23300                 }
23301 -       atomic_inc(&vcc->stats->tx);
23302 +       atomic_inc_unchecked(&vcc->stats->tx);
23303         wake_up(&zatm_vcc->tx_wait);
23304  }
23305  
23306 diff -urNp linux-2.6.35.5/drivers/char/agp/frontend.c linux-2.6.35.5/drivers/char/agp/frontend.c
23307 --- linux-2.6.35.5/drivers/char/agp/frontend.c  2010-08-26 19:47:12.000000000 -0400
23308 +++ linux-2.6.35.5/drivers/char/agp/frontend.c  2010-09-17 20:12:09.000000000 -0400
23309 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
23310         if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23311                 return -EFAULT;
23312  
23313 -       if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23314 +       if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23315                 return -EFAULT;
23316  
23317         client = agp_find_client_by_pid(reserve.pid);
23318 diff -urNp linux-2.6.35.5/drivers/char/agp/intel-agp.c linux-2.6.35.5/drivers/char/agp/intel-agp.c
23319 --- linux-2.6.35.5/drivers/char/agp/intel-agp.c 2010-08-26 19:47:12.000000000 -0400
23320 +++ linux-2.6.35.5/drivers/char/agp/intel-agp.c 2010-09-17 20:12:09.000000000 -0400
23321 @@ -1036,7 +1036,7 @@ static struct pci_device_id agp_intel_pc
23322         ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23323         ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23324         ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
23325 -       { }
23326 +       { 0, 0, 0, 0, 0, 0, 0 }
23327  };
23328  
23329  MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
23330 diff -urNp linux-2.6.35.5/drivers/char/hpet.c linux-2.6.35.5/drivers/char/hpet.c
23331 --- linux-2.6.35.5/drivers/char/hpet.c  2010-08-26 19:47:12.000000000 -0400
23332 +++ linux-2.6.35.5/drivers/char/hpet.c  2010-09-17 20:12:09.000000000 -0400
23333 @@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
23334         return 0;
23335  }
23336  
23337 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
23338 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
23339  
23340  static long hpet_ioctl(struct file *file, unsigned int cmd,
23341                         unsigned long arg)
23342 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23343  }
23344  
23345  static int
23346 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
23347 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
23348  {
23349         struct hpet_timer __iomem *timer;
23350         struct hpet __iomem *hpet;
23351 @@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
23352                 },
23353  };
23354  
23355 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23356 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23357  
23358  static int __init hpet_init(void)
23359  {
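Review bot: The positional initializer for `hpet_misc` now hard-codes the number and order of the `struct miscdevice` members, so a later field addition or reordering would silently shift the values. Designated initializers express the same thing without that coupling: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`, with the remaining members zero-initialised either way. The `nvram_dev` hunk in drivers/char/nvram.c has the same pattern and could take the same form.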
23360 diff -urNp linux-2.6.35.5/drivers/char/hvc_console.h linux-2.6.35.5/drivers/char/hvc_console.h
23361 --- linux-2.6.35.5/drivers/char/hvc_console.h   2010-08-26 19:47:12.000000000 -0400
23362 +++ linux-2.6.35.5/drivers/char/hvc_console.h   2010-09-17 20:12:09.000000000 -0400
23363 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23364  /* register a vterm for hvc tty operation (module_init or hotplug add) */
23365  extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23366                                      const struct hv_ops *ops, int outbuf_size);
23367 +
23368  /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23369  extern int hvc_remove(struct hvc_struct *hp);
23370  
23371 diff -urNp linux-2.6.35.5/drivers/char/hvcs.c linux-2.6.35.5/drivers/char/hvcs.c
23372 --- linux-2.6.35.5/drivers/char/hvcs.c  2010-08-26 19:47:12.000000000 -0400
23373 +++ linux-2.6.35.5/drivers/char/hvcs.c  2010-09-17 20:12:09.000000000 -0400
23374 @@ -270,7 +270,7 @@ struct hvcs_struct {
23375         unsigned int index;
23376  
23377         struct tty_struct *tty;
23378 -       int open_count;
23379 +       atomic_t open_count;
23380  
23381         /*
23382          * Used to tell the driver kernel_thread what operations need to take
23383 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
23384  
23385         spin_lock_irqsave(&hvcsd->lock, flags);
23386  
23387 -       if (hvcsd->open_count > 0) {
23388 +       if (atomic_read(&hvcsd->open_count) > 0) {
23389                 spin_unlock_irqrestore(&hvcsd->lock, flags);
23390                 printk(KERN_INFO "HVCS: vterm state unchanged.  "
23391                                 "The hvcs device node is still in use.\n");
23392 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
23393                 if ((retval = hvcs_partner_connect(hvcsd)))
23394                         goto error_release;
23395  
23396 -       hvcsd->open_count = 1;
23397 +       atomic_set(&hvcsd->open_count, 1);
23398         hvcsd->tty = tty;
23399         tty->driver_data = hvcsd;
23400  
23401 @@ -1170,7 +1170,7 @@ fast_open:
23402  
23403         spin_lock_irqsave(&hvcsd->lock, flags);
23404         kref_get(&hvcsd->kref);
23405 -       hvcsd->open_count++;
23406 +       atomic_inc(&hvcsd->open_count);
23407         hvcsd->todo_mask |= HVCS_SCHED_READ;
23408         spin_unlock_irqrestore(&hvcsd->lock, flags);
23409  
23410 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
23411         hvcsd = tty->driver_data;
23412  
23413         spin_lock_irqsave(&hvcsd->lock, flags);
23414 -       if (--hvcsd->open_count == 0) {
23415 +       if (atomic_dec_and_test(&hvcsd->open_count)) {
23416  
23417                 vio_disable_interrupts(hvcsd->vdev);
23418  
23419 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
23420                 free_irq(irq, hvcsd);
23421                 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23422                 return;
23423 -       } else if (hvcsd->open_count < 0) {
23424 +       } else if (atomic_read(&hvcsd->open_count) < 0) {
23425                 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23426                                 " is missmanaged.\n",
23427 -               hvcsd->vdev->unit_address, hvcsd->open_count);
23428 +               hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23429         }
23430  
23431         spin_unlock_irqrestore(&hvcsd->lock, flags);
23432 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
23433  
23434         spin_lock_irqsave(&hvcsd->lock, flags);
23435         /* Preserve this so that we know how many kref refs to put */
23436 -       temp_open_count = hvcsd->open_count;
23437 +       temp_open_count = atomic_read(&hvcsd->open_count);
23438  
23439         /*
23440          * Don't kref put inside the spinlock because the destruction
23441 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
23442         hvcsd->tty->driver_data = NULL;
23443         hvcsd->tty = NULL;
23444  
23445 -       hvcsd->open_count = 0;
23446 +       atomic_set(&hvcsd->open_count, 0);
23447  
23448         /* This will drop any buffered data on the floor which is OK in a hangup
23449          * scenario. */
23450 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct 
23451          * the middle of a write operation?  This is a crummy place to do this
23452          * but we want to keep it all in the spinlock.
23453          */
23454 -       if (hvcsd->open_count <= 0) {
23455 +       if (atomic_read(&hvcsd->open_count) <= 0) {
23456                 spin_unlock_irqrestore(&hvcsd->lock, flags);
23457                 return -ENODEV;
23458         }
23459 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
23460  {
23461         struct hvcs_struct *hvcsd = tty->driver_data;
23462  
23463 -       if (!hvcsd || hvcsd->open_count <= 0)
23464 +       if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23465                 return 0;
23466  
23467         return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23468 diff -urNp linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c
23469 --- linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c  2010-08-26 19:47:12.000000000 -0400
23470 +++ linux-2.6.35.5/drivers/char/ipmi/ipmi_msghandler.c  2010-09-17 20:12:09.000000000 -0400
23471 @@ -414,7 +414,7 @@ struct ipmi_smi {
23472         struct proc_dir_entry *proc_dir;
23473         char                  proc_dir_name[10];
23474  
23475 -       atomic_t stats[IPMI_NUM_STATS];
23476 +       atomic_unchecked_t stats[IPMI_NUM_STATS];
23477  
23478         /*
23479          * run_to_completion duplicate of smb_info, smi_info
23480 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23481  
23482  
23483  #define ipmi_inc_stat(intf, stat) \
23484 -       atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23485 +       atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23486  #define ipmi_get_stat(intf, stat) \
23487 -       ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23488 +       ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23489  
23490  static int is_lan_addr(struct ipmi_addr *addr)
23491  {
23492 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23493         INIT_LIST_HEAD(&intf->cmd_rcvrs);
23494         init_waitqueue_head(&intf->waitq);
23495         for (i = 0; i < IPMI_NUM_STATS; i++)
23496 -               atomic_set(&intf->stats[i], 0);
23497 +               atomic_set_unchecked(&intf->stats[i], 0);
23498  
23499         intf->proc_dir = NULL;
23500  
23501 diff -urNp linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c
23502 --- linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c     2010-08-26 19:47:12.000000000 -0400
23503 +++ linux-2.6.35.5/drivers/char/ipmi/ipmi_si_intf.c     2010-09-17 20:12:09.000000000 -0400
23504 @@ -286,7 +286,7 @@ struct smi_info {
23505         unsigned char slave_addr;
23506  
23507         /* Counters and things for the proc filesystem. */
23508 -       atomic_t stats[SI_NUM_STATS];
23509 +       atomic_unchecked_t stats[SI_NUM_STATS];
23510  
23511         struct task_struct *thread;
23512  
23513 @@ -294,9 +294,9 @@ struct smi_info {
23514  };
23515  
23516  #define smi_inc_stat(smi, stat) \
23517 -       atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23518 +       atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23519  #define smi_get_stat(smi, stat) \
23520 -       ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23521 +       ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23522  
23523  #define SI_MAX_PARMS 4
23524  
23525 @@ -3143,7 +3143,7 @@ static int try_smi_init(struct smi_info 
23526         atomic_set(&new_smi->req_events, 0);
23527         new_smi->run_to_completion = 0;
23528         for (i = 0; i < SI_NUM_STATS; i++)
23529 -               atomic_set(&new_smi->stats[i], 0);
23530 +               atomic_set_unchecked(&new_smi->stats[i], 0);
23531  
23532         new_smi->interrupt_disabled = 1;
23533         atomic_set(&new_smi->stop_operation, 0);
23534 diff -urNp linux-2.6.35.5/drivers/char/keyboard.c linux-2.6.35.5/drivers/char/keyboard.c
23535 --- linux-2.6.35.5/drivers/char/keyboard.c      2010-08-26 19:47:12.000000000 -0400
23536 +++ linux-2.6.35.5/drivers/char/keyboard.c      2010-09-17 20:12:37.000000000 -0400
23537 @@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
23538              kbd->kbdmode == VC_MEDIUMRAW) &&
23539              value != KVAL(K_SAK))
23540                 return;         /* SAK is allowed even in raw mode */
23541 +
23542 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
23543 +       {
23544 +               void *func = fn_handler[value];
23545 +               if (func == fn_show_state || func == fn_show_ptregs ||
23546 +                   func == fn_show_mem)
23547 +                       return;
23548 +       }
23549 +#endif
23550 +
23551         fn_handler[value](vc);
23552  }
23553  
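Review bot: The new filter in `k_spec` has no comment saying why these three handlers are suppressed, and it stores a function pointer in a `void *`, a conversion ISO C does not define. Presumably they are blocked because they print task state, registers and memory information to the console, which the GRKERNSEC_PROC options are meant to keep away from unprivileged users; a one-line comment such as `/* do not let console keys dump task/register/memory state */` would record that. Comparing `fn_handler[value]` directly against `fn_show_state`, `fn_show_ptregs` and `fn_show_mem` avoids the `void *` temporary. The function starts above the hunk, so whether `value` is range-checked before it indexes `fn_handler` cannot be confirmed from here.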
23554 @@ -1392,7 +1402,7 @@ static const struct input_device_id kbd_
23555                  .evbit = { BIT_MASK(EV_SND) },
23556          },
23557  
23558 -       { },    /* Terminating entry */
23559 +       { 0 },    /* Terminating entry */
23560  };
23561  
23562  MODULE_DEVICE_TABLE(input, kbd_ids);
23563 diff -urNp linux-2.6.35.5/drivers/char/mem.c linux-2.6.35.5/drivers/char/mem.c
23564 --- linux-2.6.35.5/drivers/char/mem.c   2010-08-26 19:47:12.000000000 -0400
23565 +++ linux-2.6.35.5/drivers/char/mem.c   2010-09-17 20:12:37.000000000 -0400
23566 @@ -18,6 +18,7 @@
23567  #include <linux/raw.h>
23568  #include <linux/tty.h>
23569  #include <linux/capability.h>
23570 +#include <linux/security.h>
23571  #include <linux/ptrace.h>
23572  #include <linux/device.h>
23573  #include <linux/highmem.h>
23574 @@ -34,6 +35,10 @@
23575  # include <linux/efi.h>
23576  #endif
23577  
23578 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23579 +extern struct file_operations grsec_fops;
23580 +#endif
23581 +
23582  static inline unsigned long size_inside_page(unsigned long start,
23583                                              unsigned long size)
23584  {
23585 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23586  
23587         while (count > 0) {
23588                 unsigned long remaining;
23589 +               char *temp;
23590  
23591                 sz = size_inside_page(p, count);
23592  
23593 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23594                 if (!ptr)
23595                         return -EFAULT;
23596  
23597 -               remaining = copy_to_user(buf, ptr, sz);
23598 +#ifdef CONFIG_PAX_USERCOPY
23599 +               temp = kmalloc(sz, GFP_KERNEL);
23600 +               if (!temp) {
23601 +                       unxlate_dev_mem_ptr(p, ptr);
23602 +                       return -ENOMEM;
23603 +               }
23604 +               memcpy(temp, ptr, sz);
23605 +#else
23606 +               temp = ptr;
23607 +#endif
23608 +
23609 +               remaining = copy_to_user(buf, temp, sz);
23610 +
23611 +#ifdef CONFIG_PAX_USERCOPY
23612 +               kfree(temp);
23613 +#endif
23614 +
23615                 unxlate_dev_mem_ptr(p, ptr);
23616                 if (remaining)
23617                         return -EFAULT;
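Review bot: The bounce buffer added under `CONFIG_PAX_USERCOPY` appears to be allocated and freed on every pass of the `while (count > 0)` loop, which starts above this hunk, and nothing says why the extra copy is needed. Since `sz` comes from `size_inside_page()`, one allocation before the loop, released on each exit path, would avoid a `kmalloc`/`kfree` pair per page on large reads. A comment along the lines of `/* stage through a heap buffer so the usercopy checks see a slab object */` would help, if that is indeed the reason. The `read_kmem` hunk later in this file repeats the pattern and could share the same comment and the same hoisting.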
23618 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23619         if (!valid_phys_addr_range(p, count))
23620                 return -EFAULT;
23621  
23622 +#ifdef CONFIG_GRKERNSEC_KMEM
23623 +       gr_handle_mem_write();
23624 +       return -EPERM;
23625 +#endif
23626 +
23627         written = 0;
23628  
23629  #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
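Review bot: With `CONFIG_GRKERNSEC_KMEM` set, the unconditional `return -EPERM;` leaves the remainder of `write_mem` as unreachable code. It also sits after `valid_phys_addr_range()`, so a denied write reports `-EFAULT` for some addresses and `-EPERM` for others. Placing the block ahead of the range checks would make the denial uniform, though the start of the function is outside the hunk, so any earlier checks are not visible here. The `write_kmem` and `open_port` hunks use the same `#ifdef … return … #endif` shape; in `open_port` an `#else` before `return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;` would make the two paths explicitly exclusive and avoid unreachable-code warnings.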
23630 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23631                                                 &vma->vm_page_prot))
23632                 return -EINVAL;
23633  
23634 +#ifdef CONFIG_GRKERNSEC_KMEM
23635 +       if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23636 +               return -EPERM;
23637 +#endif
23638 +
23639         vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23640                                                  size,
23641                                                  vma->vm_page_prot);
23642 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23643                          size_t count, loff_t *ppos)
23644  {
23645         unsigned long p = *ppos;
23646 -       ssize_t low_count, read, sz;
23647 +       ssize_t low_count, read, sz, err = 0;
23648         char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23649 -       int err = 0;
23650  
23651         read = 0;
23652         if (p < (unsigned long) high_memory) {
23653 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23654                 }
23655  #endif
23656                 while (low_count > 0) {
23657 +                       char *temp;
23658 +
23659                         sz = size_inside_page(p, low_count);
23660  
23661                         /*
23662 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23663                          */
23664                         kbuf = xlate_dev_kmem_ptr((char *)p);
23665  
23666 -                       if (copy_to_user(buf, kbuf, sz))
23667 +#ifdef CONFIG_PAX_USERCOPY
23668 +                       temp = kmalloc(sz, GFP_KERNEL);
23669 +                       if (!temp)
23670 +                               return -ENOMEM;
23671 +                       memcpy(temp, kbuf, sz);
23672 +#else
23673 +                       temp = kbuf;
23674 +#endif
23675 +
23676 +                       err = copy_to_user(buf, temp, sz);
23677 +
23678 +#ifdef CONFIG_PAX_USERCOPY
23679 +                       kfree(temp);
23680 +#endif
23681 +
23682 +                       if (err)
23683                                 return -EFAULT;
23684                         buf += sz;
23685                         p += sz;
23686 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23687         char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23688         int err = 0;
23689  
23690 +#ifdef CONFIG_GRKERNSEC_KMEM
23691 +       gr_handle_kmem_write();
23692 +       return -EPERM;
23693 +#endif
23694 +
23695         if (p < (unsigned long) high_memory) {
23696                 unsigned long to_write = min_t(unsigned long, count,
23697                                                (unsigned long)high_memory - p);
23698 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23699  
23700  static int open_port(struct inode * inode, struct file * filp)
23701  {
23702 +#ifdef CONFIG_GRKERNSEC_KMEM
23703 +       gr_handle_open_port();
23704 +       return -EPERM;
23705 +#endif
23706 +
23707 +       return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23708 +}
23709 +
23710 +static int open_mem(struct inode * inode, struct file * filp)
23711 +{
23712         return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23713  }
23714  
23715 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23716  #define full_lseek      null_lseek
23717  #define write_zero     write_null
23718  #define read_full       read_zero
23719 -#define open_mem       open_port
23720  #define open_kmem      open_mem
23721  #define open_oldmem    open_mem
23722  
23723 @@ -854,6 +916,9 @@ static const struct memdev {
23724  #ifdef CONFIG_CRASH_DUMP
23725         [12] = { "oldmem", 0, &oldmem_fops, NULL },
23726  #endif
23727 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23728 +       [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23729 +#endif
23730  };
23731  
23732  static int memory_open(struct inode *inode, struct file *filp)
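Review bot: The new `grsec` entry is created with `S_IRUSR | S_IWUGO`, i.e. writable by every user, and nothing at the table explains why. That makes the handlers behind `grsec_fops` (declared `extern` earlier in this file and defined elsewhere) the only gate on what an unprivileged writer can do. If that is the design, a comment here should say so, e.g. `/* world-writable on purpose: access control is enforced in grsec_fops */`. The `extern struct file_operations grsec_fops;` declaration would also be better placed in a shared header, and `const` if its definition allows, so the compiler can check it against the definition.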
23733 diff -urNp linux-2.6.35.5/drivers/char/n_tty.c linux-2.6.35.5/drivers/char/n_tty.c
23734 --- linux-2.6.35.5/drivers/char/n_tty.c 2010-08-26 19:47:12.000000000 -0400
23735 +++ linux-2.6.35.5/drivers/char/n_tty.c 2010-09-17 20:12:09.000000000 -0400
23736 @@ -2105,6 +2105,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
23737  {
23738         *ops = tty_ldisc_N_TTY;
23739         ops->owner = NULL;
23740 -       ops->refcount = ops->flags = 0;
23741 +       atomic_set(&ops->refcount, 0);
23742 +       ops->flags = 0;
23743  }
23744  EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
23745 diff -urNp linux-2.6.35.5/drivers/char/nvram.c linux-2.6.35.5/drivers/char/nvram.c
23746 --- linux-2.6.35.5/drivers/char/nvram.c 2010-08-26 19:47:12.000000000 -0400
23747 +++ linux-2.6.35.5/drivers/char/nvram.c 2010-09-17 20:12:09.000000000 -0400
23748 @@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
23749  
23750         spin_unlock_irq(&rtc_lock);
23751  
23752 -       if (copy_to_user(buf, contents, tmp - contents))
23753 +       if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
23754                 return -EFAULT;
23755  
23756         *ppos = i;
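Review bot: The added bound `tmp - contents > sizeof(contents)` compares a signed pointer difference with a `size_t`, and it runs only after the bytes have already been stored through `tmp`. It therefore limits what is copied to user space rather than what was written into `contents`. Making the conversion explicit, `if ((size_t)(tmp - contents) > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))`, and adding a comment that this is a defensive length check for the copy, would make the intent clear. This assumes `contents` is a local array, since otherwise `sizeof` yields the pointer size. The loop that fills it is above the hunk, so whether the writes themselves are bounded cannot be confirmed from here.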
23757 @@ -434,7 +434,10 @@ static const struct file_operations nvra
23758  static struct miscdevice nvram_dev = {
23759         NVRAM_MINOR,
23760         "nvram",
23761 -       &nvram_fops
23762 +       &nvram_fops,
23763 +       {NULL, NULL},
23764 +       NULL,
23765 +       NULL
23766  };
23767  
23768  static int __init nvram_init(void)
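Review bot: Padding the positional initializer of `nvram_dev` with `{NULL, NULL}, NULL, NULL` ties it to the current member order of `struct miscdevice`, so a member added or moved later silently shifts every value. Designated initializers say the same thing without that coupling: `.minor = NVRAM_MINOR, .name = "nvram", .fops = &nvram_fops,`. The remaining members are then zero-initialized by the language, so the explicit NULLs are not needed.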
23769 diff -urNp linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c
23770 --- linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c 2010-08-26 19:47:12.000000000 -0400
23771 +++ linux-2.6.35.5/drivers/char/pcmcia/ipwireless/tty.c 2010-09-17 20:12:09.000000000 -0400
23772 @@ -51,7 +51,7 @@ struct ipw_tty {
23773         int tty_type;
23774         struct ipw_network *network;
23775         struct tty_struct *linux_tty;
23776 -       int open_count;
23777 +       atomic_t open_count;
23778         unsigned int control_lines;
23779         struct mutex ipw_tty_mutex;
23780         int tx_bytes_queued;
23781 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
23782                 mutex_unlock(&tty->ipw_tty_mutex);
23783                 return -ENODEV;
23784         }
23785 -       if (tty->open_count == 0)
23786 +       if (atomic_read(&tty->open_count) == 0)
23787                 tty->tx_bytes_queued = 0;
23788  
23789 -       tty->open_count++;
23790 +       atomic_inc(&tty->open_count);
23791  
23792         tty->linux_tty = linux_tty;
23793         linux_tty->driver_data = tty;
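Review bot: Switching `open_count` to `atomic_t` does not make the test-then-increment in `ipw_open` a single step: `atomic_read(&tty->open_count) == 0` and `atomic_inc(&tty->open_count)` are still two operations, so the first-open reset of `tx_bytes_queued` stays correct only while `ipw_tty_mutex` is held around both. The unlock on the error path above suggests the mutex is held here, but the start of the function is outside the hunk. A comment on the field, e.g. `/* serialised by ipw_tty_mutex; the atomic type alone does not order open and close */`, would stop readers from treating the counter as lock-free. The later hunks in this file (`ipw_write_room`, `ipw_chars_in_buffer`, `ipw_tiocmget`, `ipw_tiocmset`, `ipw_ioctl`) read the counter with no lock visible in their context, and the sonypi.c hunks follow the same pattern under `sonypi_device.lock`.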
23794 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
23795  
23796  static void do_ipw_close(struct ipw_tty *tty)
23797  {
23798 -       tty->open_count--;
23799 -
23800 -       if (tty->open_count == 0) {
23801 +       if (atomic_dec_return(&tty->open_count) == 0) {
23802                 struct tty_struct *linux_tty = tty->linux_tty;
23803  
23804                 if (linux_tty != NULL) {
23805 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
23806                 return;
23807  
23808         mutex_lock(&tty->ipw_tty_mutex);
23809 -       if (tty->open_count == 0) {
23810 +       if (atomic_read(&tty->open_count) == 0) {
23811                 mutex_unlock(&tty->ipw_tty_mutex);
23812                 return;
23813         }
23814 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
23815                 return;
23816         }
23817  
23818 -       if (!tty->open_count) {
23819 +       if (!atomic_read(&tty->open_count)) {
23820                 mutex_unlock(&tty->ipw_tty_mutex);
23821                 return;
23822         }
23823 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
23824                 return -ENODEV;
23825  
23826         mutex_lock(&tty->ipw_tty_mutex);
23827 -       if (!tty->open_count) {
23828 +       if (!atomic_read(&tty->open_count)) {
23829                 mutex_unlock(&tty->ipw_tty_mutex);
23830                 return -EINVAL;
23831         }
23832 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
23833         if (!tty)
23834                 return -ENODEV;
23835  
23836 -       if (!tty->open_count)
23837 +       if (!atomic_read(&tty->open_count))
23838                 return -EINVAL;
23839  
23840         room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23841 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
23842         if (!tty)
23843                 return 0;
23844  
23845 -       if (!tty->open_count)
23846 +       if (!atomic_read(&tty->open_count))
23847                 return 0;
23848  
23849         return tty->tx_bytes_queued;
23850 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
23851         if (!tty)
23852                 return -ENODEV;
23853  
23854 -       if (!tty->open_count)
23855 +       if (!atomic_read(&tty->open_count))
23856                 return -EINVAL;
23857  
23858         return get_control_lines(tty);
23859 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
23860         if (!tty)
23861                 return -ENODEV;
23862  
23863 -       if (!tty->open_count)
23864 +       if (!atomic_read(&tty->open_count))
23865                 return -EINVAL;
23866  
23867         return set_control_lines(tty, set, clear);
23868 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
23869         if (!tty)
23870                 return -ENODEV;
23871  
23872 -       if (!tty->open_count)
23873 +       if (!atomic_read(&tty->open_count))
23874                 return -EINVAL;
23875  
23876         /* FIXME: Exactly how is the tty object locked here .. */
23877 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty 
23878                                    against a parallel ioctl etc */
23879                                 mutex_lock(&ttyj->ipw_tty_mutex);
23880                         }
23881 -                       while (ttyj->open_count)
23882 +                       while (atomic_read(&ttyj->open_count))
23883                                 do_ipw_close(ttyj);
23884                         ipwireless_disassociate_network_ttys(network,
23885                                                              ttyj->channel_idx);
23886 diff -urNp linux-2.6.35.5/drivers/char/pty.c linux-2.6.35.5/drivers/char/pty.c
23887 --- linux-2.6.35.5/drivers/char/pty.c   2010-08-26 19:47:12.000000000 -0400
23888 +++ linux-2.6.35.5/drivers/char/pty.c   2010-09-17 20:12:09.000000000 -0400
23889 @@ -677,7 +677,18 @@ static int ptmx_open(struct inode *inode
23890         return ret;
23891  }
23892  
23893 -static struct file_operations ptmx_fops;
23894 +static const struct file_operations ptmx_fops = {
23895 +       .llseek         = no_llseek,
23896 +       .read           = tty_read,
23897 +       .write          = tty_write,
23898 +       .poll           = tty_poll,
23899 +       .unlocked_ioctl = tty_ioctl,
23900 +       .compat_ioctl   = tty_compat_ioctl,
23901 +       .open           = ptmx_open,
23902 +       .release        = tty_release,
23903 +       .fasync         = tty_fasync,
23904 +};
23905 +
23906  
23907  static void __init unix98_pty_init(void)
23908  {
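Review bot: The new `ptmx_fops` initializer repeats the tty handlers one by one instead of copying `tty_fops`, so a handler added to `tty_fops` later will not reach `/dev/ptmx` unless this table is updated too. Making the table `const` is the purpose of the change, so the duplication is probably unavoidable, but it deserves a comment above the definition: `/* keep in sync with tty_fops in tty_io.c; only .open differs */`. The blank line added after `};` also leaves two consecutive empty lines before `unix98_pty_init`.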
23909 @@ -731,9 +742,6 @@ static void __init unix98_pty_init(void)
23910         register_sysctl_table(pty_root_table);
23911  
23912         /* Now create the /dev/ptmx special device */
23913 -       tty_default_fops(&ptmx_fops);
23914 -       ptmx_fops.open = ptmx_open;
23915 -
23916         cdev_init(&ptmx_cdev, &ptmx_fops);
23917         if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
23918             register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
23919 diff -urNp linux-2.6.35.5/drivers/char/random.c linux-2.6.35.5/drivers/char/random.c
23920 --- linux-2.6.35.5/drivers/char/random.c        2010-08-26 19:47:12.000000000 -0400
23921 +++ linux-2.6.35.5/drivers/char/random.c        2010-09-17 20:24:41.000000000 -0400
23922 @@ -254,8 +254,13 @@
23923  /*
23924   * Configuration information
23925   */
23926 +#ifdef CONFIG_GRKERNSEC_RANDNET
23927 +#define INPUT_POOL_WORDS 512
23928 +#define OUTPUT_POOL_WORDS 128
23929 +#else
23930  #define INPUT_POOL_WORDS 128
23931  #define OUTPUT_POOL_WORDS 32
23932 +#endif
23933  #define SEC_XFER_SIZE 512
23934  #define EXTRACT_SIZE 10
23935  
23936 @@ -293,10 +298,17 @@ static struct poolinfo {
23937         int poolwords;
23938         int tap1, tap2, tap3, tap4, tap5;
23939  } poolinfo_table[] = {
23940 +#ifdef CONFIG_GRKERNSEC_RANDNET
23941 +       /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
23942 +       { 512,  411,    308,    208,    104,    1 },
23943 +       /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
23944 +       { 128,  103,    76,     51,     25,     1 },
23945 +#else
23946         /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
23947         { 128,  103,    76,     51,     25,     1 },
23948         /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
23949         { 32,   26,     20,     14,     7,      1 },
23950 +#endif
23951  #if 0
23952         /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1  -- 115 */
23953         { 2048, 1638,   1231,   819,    411,    1 },
23954 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
23955  
23956                 extract_buf(r, tmp);
23957                 i = min_t(int, nbytes, EXTRACT_SIZE);
23958 -               if (copy_to_user(buf, tmp, i)) {
23959 +               if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
23960                         ret = -EFAULT;
23961                         break;
23962                 }
23963 @@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
23964  #include <linux/sysctl.h>
23965  
23966  static int min_read_thresh = 8, min_write_thresh;
23967 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
23968 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
23969  static int max_write_thresh = INPUT_POOL_WORDS * 32;
23970  static char sysctl_bootid[16];
23971  
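Review bot: Changing `max_read_thresh` from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32` lowers the upper bound without saying why. With the default sizes shown earlier in this file's diff that is 1024 instead of 4096, and with `CONFIG_GRKERNSEC_RANDNET` it is 4096 instead of 16384. If this bound limits a sysctl (the table is outside the hunk), values that were accepted before would now be rejected. A one-line comment stating which pool the read threshold is measured against would make the intent reviewable.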
23972 diff -urNp linux-2.6.35.5/drivers/char/sonypi.c linux-2.6.35.5/drivers/char/sonypi.c
23973 --- linux-2.6.35.5/drivers/char/sonypi.c        2010-08-26 19:47:12.000000000 -0400
23974 +++ linux-2.6.35.5/drivers/char/sonypi.c        2010-09-17 20:12:09.000000000 -0400
23975 @@ -491,7 +491,7 @@ static struct sonypi_device {
23976         spinlock_t fifo_lock;
23977         wait_queue_head_t fifo_proc_list;
23978         struct fasync_struct *fifo_async;
23979 -       int open_count;
23980 +       atomic_t open_count;
23981         int model;
23982         struct input_dev *input_jog_dev;
23983         struct input_dev *input_key_dev;
23984 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
23985  static int sonypi_misc_release(struct inode *inode, struct file *file)
23986  {
23987         mutex_lock(&sonypi_device.lock);
23988 -       sonypi_device.open_count--;
23989 +       atomic_dec(&sonypi_device.open_count);
23990         mutex_unlock(&sonypi_device.lock);
23991         return 0;
23992  }
23993 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
23994  {
23995         mutex_lock(&sonypi_device.lock);
23996         /* Flush input queue on first open */
23997 -       if (!sonypi_device.open_count)
23998 +       if (!atomic_read(&sonypi_device.open_count))
23999                 kfifo_reset(&sonypi_device.fifo);
24000 -       sonypi_device.open_count++;
24001 +       atomic_inc(&sonypi_device.open_count);
24002         mutex_unlock(&sonypi_device.lock);
24003  
24004         return 0;
24005 diff -urNp linux-2.6.35.5/drivers/char/tpm/tpm_bios.c linux-2.6.35.5/drivers/char/tpm/tpm_bios.c
24006 --- linux-2.6.35.5/drivers/char/tpm/tpm_bios.c  2010-08-26 19:47:12.000000000 -0400
24007 +++ linux-2.6.35.5/drivers/char/tpm/tpm_bios.c  2010-09-17 20:12:09.000000000 -0400
24008 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24009         event = addr;
24010  
24011         if ((event->event_type == 0 && event->event_size == 0) ||
24012 -           ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24013 +           (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
24014                 return NULL;
24015  
24016         return addr;
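Review bot: The rewritten bound `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids overflow in the pointer addition, but the right-hand side is now an unsigned subtraction that wraps to a very large value whenever fewer than `sizeof(struct tcpa_event)` bytes remain before `limit`. In that case the comparison is false and a truncated record is accepted. This is safe only if an earlier check already guarantees that a whole header fits; that code is outside this hunk, so it should be confirmed, or the condition extended with `limit - addr < sizeof(struct tcpa_event) ||` for `addr` known to be below `limit`. The same applies to the `tpm_bios_measurements_next` hunk, with `v` in place of `addr`.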
24017 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24018                 return NULL;
24019  
24020         if ((event->event_type == 0 && event->event_size == 0) ||
24021 -           ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24022 +           (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24023                 return NULL;
24024  
24025         (*pos)++;
24026 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24027         int i;
24028  
24029         for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24030 -               seq_putc(m, data[i]);
24031 +               if (!seq_putc(m, data[i]))
24032 +                       return -EFAULT;
24033  
24034         return 0;
24035  }
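Review bot: The new test `if (!seq_putc(m, data[i])) return -EFAULT;` fires when `seq_putc` returns 0, and as far as I recall 0 is the success value in mainline kernels of this generation, with -1 meaning the buffer is full. Unless this patch redefines `seq_putc` elsewhere, the loop now fails after the first byte is written and the binary measurement file cannot be read. The condition should then read `if (seq_putc(m, data[i]))`. The error value also deserves a second look, since a full seq_file buffer is not a bad user address. The opening lines of the function are outside the hunk.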
24036 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log 
24037         log->bios_event_log_end = log->bios_event_log + len;
24038  
24039         virt = acpi_os_map_memory(start, len);
24040 +       if (!virt) {
24041 +               kfree(log->bios_event_log);
24042 +               log->bios_event_log = NULL;
24043 +               return -EFAULT;
24044 +       }
24045  
24046         memcpy(log->bios_event_log, virt, len);
24047  
24048 diff -urNp linux-2.6.35.5/drivers/char/tty_io.c linux-2.6.35.5/drivers/char/tty_io.c
24049 --- linux-2.6.35.5/drivers/char/tty_io.c        2010-08-26 19:47:12.000000000 -0400
24050 +++ linux-2.6.35.5/drivers/char/tty_io.c        2010-09-17 20:12:09.000000000 -0400
24051 @@ -136,20 +136,10 @@ LIST_HEAD(tty_drivers);                   /* linked list
24052  DEFINE_MUTEX(tty_mutex);
24053  EXPORT_SYMBOL(tty_mutex);
24054  
24055 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24056 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24057  ssize_t redirected_tty_write(struct file *, const char __user *,
24058                                                         size_t, loff_t *);
24059 -static unsigned int tty_poll(struct file *, poll_table *);
24060  static int tty_open(struct inode *, struct file *);
24061  long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24062 -#ifdef CONFIG_COMPAT
24063 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24064 -                               unsigned long arg);
24065 -#else
24066 -#define tty_compat_ioctl NULL
24067 -#endif
24068 -static int tty_fasync(int fd, struct file *filp, int on);
24069  static void release_tty(struct tty_struct *tty, int idx);
24070  static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24071  static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24072 @@ -871,7 +861,7 @@ EXPORT_SYMBOL(start_tty);
24073   *     read calls may be outstanding in parallel.
24074   */
24075  
24076 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24077 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24078                         loff_t *ppos)
24079  {
24080         int i;
24081 @@ -899,6 +889,8 @@ static ssize_t tty_read(struct file *fil
24082         return i;
24083  }
24084  
24085 +EXPORT_SYMBOL(tty_read);
24086 +
24087  void tty_write_unlock(struct tty_struct *tty)
24088  {
24089         mutex_unlock(&tty->atomic_write_lock);
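Review bot: `EXPORT_SYMBOL(tty_read)` and the matching exports added for `tty_write`, `tty_release`, `tty_poll`, `tty_fasync`, `tty_ioctl` and `tty_compat_ioctl` hand the core tty file operations to every loadable module, while the only new user visible in this patch is the `ptmx_fops` table in pty.c. If pty.c is always built into the kernel, dropping `static` and declaring the prototypes in a shared header is enough and the exports can go. If they must stay, `EXPORT_SYMBOL_GPL`, which this file already uses for `get_current_tty`, is the narrower choice. `EXPORT_SYMBOL(tty_release)` is added in a hunk whose context label is `got_driver:`, so it appears not to sit directly after the function it exports.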
24090 @@ -1048,7 +1040,7 @@ void tty_write_message(struct tty_struct
24091   *     write method will not be invoked in parallel for each device.
24092   */
24093  
24094 -static ssize_t tty_write(struct file *file, const char __user *buf,
24095 +ssize_t tty_write(struct file *file, const char __user *buf,
24096                                                 size_t count, loff_t *ppos)
24097  {
24098         struct tty_struct *tty;
24099 @@ -1075,6 +1067,8 @@ static ssize_t tty_write(struct file *fi
24100         return ret;
24101  }
24102  
24103 +EXPORT_SYMBOL(tty_write);
24104 +
24105  ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24106                                                 size_t count, loff_t *ppos)
24107  {
24108 @@ -1897,6 +1891,8 @@ got_driver:
24109  
24110  
24111  
24112 +EXPORT_SYMBOL(tty_release);
24113 +
24114  /**
24115   *     tty_poll        -       check tty status
24116   *     @filp: file being polled
24117 @@ -1909,7 +1905,7 @@ got_driver:
24118   *     may be re-entered freely by other callers.
24119   */
24120  
24121 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
24122 +unsigned int tty_poll(struct file *filp, poll_table *wait)
24123  {
24124         struct tty_struct *tty;
24125         struct tty_ldisc *ld;
24126 @@ -1926,7 +1922,9 @@ static unsigned int tty_poll(struct file
24127         return ret;
24128  }
24129  
24130 -static int tty_fasync(int fd, struct file *filp, int on)
24131 +EXPORT_SYMBOL(tty_poll);
24132 +
24133 +int tty_fasync(int fd, struct file *filp, int on)
24134  {
24135         struct tty_struct *tty;
24136         unsigned long flags;
24137 @@ -1970,6 +1968,8 @@ out:
24138         return retval;
24139  }
24140  
24141 +EXPORT_SYMBOL(tty_fasync);
24142 +
24143  /**
24144   *     tiocsti                 -       fake input character
24145   *     @tty: tty to fake input into
24146 @@ -2602,8 +2602,10 @@ long tty_ioctl(struct file *file, unsign
24147         return retval;
24148  }
24149  
24150 +EXPORT_SYMBOL(tty_ioctl);
24151 +
24152  #ifdef CONFIG_COMPAT
24153 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24154 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
24155                                 unsigned long arg)
24156  {
24157         struct inode *inode = file->f_dentry->d_inode;
24158 @@ -2627,6 +2629,9 @@ static long tty_compat_ioctl(struct file
24159  
24160         return retval;
24161  }
24162 +
24163 +EXPORT_SYMBOL(tty_compat_ioctl);
24164 +
24165  #endif
24166  
24167  /*
24168 @@ -3070,11 +3075,6 @@ struct tty_struct *get_current_tty(void)
24169  }
24170  EXPORT_SYMBOL_GPL(get_current_tty);
24171  
24172 -void tty_default_fops(struct file_operations *fops)
24173 -{
24174 -       *fops = tty_fops;
24175 -}
24176 -
24177  /*
24178   * Initialize the console device. This is called *early*, so
24179   * we can't necessarily depend on lots of kernel help here.
24180 diff -urNp linux-2.6.35.5/drivers/char/tty_ldisc.c linux-2.6.35.5/drivers/char/tty_ldisc.c
24181 --- linux-2.6.35.5/drivers/char/tty_ldisc.c     2010-08-26 19:47:12.000000000 -0400
24182 +++ linux-2.6.35.5/drivers/char/tty_ldisc.c     2010-09-17 20:12:09.000000000 -0400
24183 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
24184         if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24185                 struct tty_ldisc_ops *ldo = ld->ops;
24186  
24187 -               ldo->refcount--;
24188 +               atomic_dec(&ldo->refcount);
24189                 module_put(ldo->owner);
24190                 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24191  
24192 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct 
24193         spin_lock_irqsave(&tty_ldisc_lock, flags);
24194         tty_ldiscs[disc] = new_ldisc;
24195         new_ldisc->num = disc;
24196 -       new_ldisc->refcount = 0;
24197 +       atomic_set(&new_ldisc->refcount, 0);
24198         spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24199  
24200         return ret;
24201 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
24202                 return -EINVAL;
24203  
24204         spin_lock_irqsave(&tty_ldisc_lock, flags);
24205 -       if (tty_ldiscs[disc]->refcount)
24206 +       if (atomic_read(&tty_ldiscs[disc]->refcount))
24207                 ret = -EBUSY;
24208         else
24209                 tty_ldiscs[disc] = NULL;
24210 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
24211         if (ldops) {
24212                 ret = ERR_PTR(-EAGAIN);
24213                 if (try_module_get(ldops->owner)) {
24214 -                       ldops->refcount++;
24215 +                       atomic_inc(&ldops->refcount);
24216                         ret = ldops;
24217                 }
24218         }
24219 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
24220         unsigned long flags;
24221  
24222         spin_lock_irqsave(&tty_ldisc_lock, flags);
24223 -       ldops->refcount--;
24224 +       atomic_dec(&ldops->refcount);
24225         module_put(ldops->owner);
24226         spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24227  }
24228 diff -urNp linux-2.6.35.5/drivers/char/vt_ioctl.c linux-2.6.35.5/drivers/char/vt_ioctl.c
24229 --- linux-2.6.35.5/drivers/char/vt_ioctl.c      2010-08-26 19:47:12.000000000 -0400
24230 +++ linux-2.6.35.5/drivers/char/vt_ioctl.c      2010-09-17 20:12:37.000000000 -0400
24231 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24232         if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
24233                 return -EFAULT;
24234  
24235 -       if (!capable(CAP_SYS_TTY_CONFIG))
24236 -               perm = 0;
24237 -
24238         switch (cmd) {
24239         case KDGKBENT:
24240                 key_map = key_maps[s];
24241 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24242                     val = (i ? K_HOLE : K_NOSUCHMAP);
24243                 return put_user(val, &user_kbe->kb_value);
24244         case KDSKBENT:
24245 +               if (!capable(CAP_SYS_TTY_CONFIG))
24246 +                       perm = 0;
24247 +
24248                 if (!perm)
24249                         return -EPERM;
24250 +
24251                 if (!i && v == K_NOSUCHMAP) {
24252                         /* deallocate map */
24253                         key_map = key_maps[s];
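Review bot: Moving the `capable(CAP_SYS_TTY_CONFIG)` test into the `KDSKBENT` case is easy to undo by accident, because nothing explains why it no longer sits at the top of `do_kdsk_ioctl`. In the lines shown, `perm` is consulted only on the set path, so the read path `KDGKBENT` does not need the capability call. A comment such as `/* check the capability only when the keymap is modified, so read-only queries never trigger a capability check */` would record that. The same applies to the `KDSKBSENT` case in the `do_kdgkb_ioctl` hunk below; both functions extend beyond their hunks.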
24254 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry 
24255         int i, j, k;
24256         int ret;
24257  
24258 -       if (!capable(CAP_SYS_TTY_CONFIG))
24259 -               perm = 0;
24260 -
24261         kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
24262         if (!kbs) {
24263                 ret = -ENOMEM;
24264 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry 
24265                 kfree(kbs);
24266                 return ((p && *p) ? -EOVERFLOW : 0);
24267         case KDSKBSENT:
24268 +               if (!capable(CAP_SYS_TTY_CONFIG))
24269 +                       perm = 0;
24270 +
24271                 if (!perm) {
24272                         ret = -EPERM;
24273                         goto reterr;
24274 diff -urNp linux-2.6.35.5/drivers/cpuidle/sysfs.c linux-2.6.35.5/drivers/cpuidle/sysfs.c
24275 --- linux-2.6.35.5/drivers/cpuidle/sysfs.c      2010-08-26 19:47:12.000000000 -0400
24276 +++ linux-2.6.35.5/drivers/cpuidle/sysfs.c      2010-09-17 20:12:09.000000000 -0400
24277 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24278         .release = cpuidle_state_sysfs_release,
24279  };
24280  
24281 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24282 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24283  {
24284         kobject_put(&device->kobjs[i]->kobj);
24285         wait_for_completion(&device->kobjs[i]->kobj_unregister);
24286 diff -urNp linux-2.6.35.5/drivers/edac/edac_core.h linux-2.6.35.5/drivers/edac/edac_core.h
24287 --- linux-2.6.35.5/drivers/edac/edac_core.h     2010-08-26 19:47:12.000000000 -0400
24288 +++ linux-2.6.35.5/drivers/edac/edac_core.h     2010-09-17 20:12:09.000000000 -0400
24289 @@ -100,11 +100,11 @@ extern const char *edac_mem_types[];
24290  
24291  #else                          /* !CONFIG_EDAC_DEBUG */
24292  
24293 -#define debugf0( ... )
24294 -#define debugf1( ... )
24295 -#define debugf2( ... )
24296 -#define debugf3( ... )
24297 -#define debugf4( ... )
24298 +#define debugf0( ... ) do {} while (0)
24299 +#define debugf1( ... ) do {} while (0)
24300 +#define debugf2( ... ) do {} while (0)
24301 +#define debugf3( ... ) do {} while (0)
24302 +#define debugf4( ... ) do {} while (0)
24303  
24304  #endif                         /* !CONFIG_EDAC_DEBUG */
24305  
24306 diff -urNp linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c
24307 --- linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c 2010-08-26 19:47:12.000000000 -0400
24308 +++ linux-2.6.35.5/drivers/edac/edac_mc_sysfs.c 2010-09-17 20:12:09.000000000 -0400
24309 @@ -776,7 +776,7 @@ static void edac_inst_grp_release(struct
24310  }
24311  
24312  /* Intermediate show/store table */
24313 -static struct sysfs_ops inst_grp_ops = {
24314 +static const struct sysfs_ops inst_grp_ops = {
24315         .show = inst_grp_show,
24316         .store = inst_grp_store
24317  };
24318 diff -urNp linux-2.6.35.5/drivers/firewire/core-cdev.c linux-2.6.35.5/drivers/firewire/core-cdev.c
24319 --- linux-2.6.35.5/drivers/firewire/core-cdev.c 2010-08-26 19:47:12.000000000 -0400
24320 +++ linux-2.6.35.5/drivers/firewire/core-cdev.c 2010-09-17 20:12:09.000000000 -0400
24321 @@ -1195,8 +1195,7 @@ static int init_iso_resource(struct clie
24322         int ret;
24323  
24324         if ((request->channels == 0 && request->bandwidth == 0) ||
24325 -           request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24326 -           request->bandwidth < 0)
24327 +           request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24328                 return -EINVAL;
24329  
24330         r  = kmalloc(sizeof(*r), GFP_KERNEL);
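Review bot: Dropping `request->bandwidth < 0` is only correct if `bandwidth` is an unsigned field, in which case the comparison was always false. The declaration of the request structure is not part of this hunk. If the field is signed, a negative value now passes the `> BANDWIDTH_AVAILABLE_INITIAL` test and reaches the allocation code below. The type should be confirmed and, if unsigned, noted in the commit text as the reason for the removal.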
24331 diff -urNp linux-2.6.35.5/drivers/firmware/dmi_scan.c linux-2.6.35.5/drivers/firmware/dmi_scan.c
24332 --- linux-2.6.35.5/drivers/firmware/dmi_scan.c  2010-08-26 19:47:12.000000000 -0400
24333 +++ linux-2.6.35.5/drivers/firmware/dmi_scan.c  2010-09-17 20:12:09.000000000 -0400
24334 @@ -387,11 +387,6 @@ void __init dmi_scan_machine(void)
24335                 }
24336         }
24337         else {
24338 -               /*
24339 -                * no iounmap() for that ioremap(); it would be a no-op, but
24340 -                * it's so early in setup that sucker gets confused into doing
24341 -                * what it shouldn't if we actually call it.
24342 -                */
24343                 p = dmi_ioremap(0xF0000, 0x10000);
24344                 if (p == NULL)
24345                         goto error;
24346 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_drv.c linux-2.6.35.5/drivers/gpu/drm/drm_drv.c
24347 --- linux-2.6.35.5/drivers/gpu/drm/drm_drv.c    2010-08-26 19:47:12.000000000 -0400
24348 +++ linux-2.6.35.5/drivers/gpu/drm/drm_drv.c    2010-09-17 20:12:09.000000000 -0400
24349 @@ -449,7 +449,7 @@ long drm_ioctl(struct file *filp,
24350  
24351         dev = file_priv->minor->dev;
24352         atomic_inc(&dev->ioctl_count);
24353 -       atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24354 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24355         ++file_priv->ioctl_count;
24356  
24357         DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
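Review bot: After this change two adjacent counters are updated with different primitives, `atomic_inc(&dev->ioctl_count)` and `atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS])`, with no comment on why. Presumably `counts[]` holds statistics that may wrap harmlessly, while `ioctl_count` tracks in-flight calls and must not. Saying so next to the declaration of `counts`, e.g. `/* statistics only, allowed to wrap: use the *_unchecked accessors */`, would keep later edits consistent. The same conversion recurs in the drm_fops.c, drm_ioctl.c, drm_lock.c and i810_dma.c hunks.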
24358 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_fops.c linux-2.6.35.5/drivers/gpu/drm/drm_fops.c
24359 --- linux-2.6.35.5/drivers/gpu/drm/drm_fops.c   2010-08-26 19:47:12.000000000 -0400
24360 +++ linux-2.6.35.5/drivers/gpu/drm/drm_fops.c   2010-09-17 20:12:09.000000000 -0400
24361 @@ -67,7 +67,7 @@ static int drm_setup(struct drm_device *
24362         }
24363  
24364         for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24365 -               atomic_set(&dev->counts[i], 0);
24366 +               atomic_set_unchecked(&dev->counts[i], 0);
24367  
24368         dev->sigdata.lock = NULL;
24369  
24370 @@ -131,9 +131,9 @@ int drm_open(struct inode *inode, struct
24371  
24372         retcode = drm_open_helper(inode, filp, dev);
24373         if (!retcode) {
24374 -               atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24375 +               atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24376                 spin_lock(&dev->count_lock);
24377 -               if (!dev->open_count++) {
24378 +               if (atomic_inc_return(&dev->open_count) == 1) {
24379                         spin_unlock(&dev->count_lock);
24380                         retcode = drm_setup(dev);
24381                         goto out;
24382 @@ -474,7 +474,7 @@ int drm_release(struct inode *inode, str
24383  
24384         lock_kernel();
24385  
24386 -       DRM_DEBUG("open_count = %d\n", dev->open_count);
24387 +       DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24388  
24389         if (dev->driver->preclose)
24390                 dev->driver->preclose(dev, file_priv);
24391 @@ -486,7 +486,7 @@ int drm_release(struct inode *inode, str
24392         DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24393                   task_pid_nr(current),
24394                   (long)old_encode_dev(file_priv->minor->device),
24395 -                 dev->open_count);
24396 +                 atomic_read(&dev->open_count));
24397  
24398         /* if the master has gone away we can't do anything with the lock */
24399         if (file_priv->minor->master)
24400 @@ -567,9 +567,9 @@ int drm_release(struct inode *inode, str
24401          * End inline drm_release
24402          */
24403  
24404 -       atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24405 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24406         spin_lock(&dev->count_lock);
24407 -       if (!--dev->open_count) {
24408 +       if (atomic_dec_and_test(&dev->open_count)) {
24409                 if (atomic_read(&dev->ioctl_count)) {
24410                         DRM_ERROR("Device busy: %d\n",
24411                                   atomic_read(&dev->ioctl_count));
24412 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c
24413 --- linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c  2010-08-26 19:47:12.000000000 -0400
24414 +++ linux-2.6.35.5/drivers/gpu/drm/drm_ioctl.c  2010-09-17 20:12:09.000000000 -0400
24415 @@ -283,7 +283,7 @@ int drm_getstats(struct drm_device *dev,
24416                         stats->data[i].value =
24417                             (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24418                 else
24419 -                       stats->data[i].value = atomic_read(&dev->counts[i]);
24420 +                       stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24421                 stats->data[i].type = dev->types[i];
24422         }
24423  
24424 diff -urNp linux-2.6.35.5/drivers/gpu/drm/drm_lock.c linux-2.6.35.5/drivers/gpu/drm/drm_lock.c
24425 --- linux-2.6.35.5/drivers/gpu/drm/drm_lock.c   2010-08-26 19:47:12.000000000 -0400
24426 +++ linux-2.6.35.5/drivers/gpu/drm/drm_lock.c   2010-09-17 20:12:09.000000000 -0400
24427 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
24428                 if (drm_lock_take(&master->lock, lock->context)) {
24429                         master->lock.file_priv = file_priv;
24430                         master->lock.lock_time = jiffies;
24431 -                       atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24432 +                       atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24433                         break;  /* Got lock */
24434                 }
24435  
24436 @@ -165,7 +165,7 @@ int drm_unlock(struct drm_device *dev, v
24437                 return -EINVAL;
24438         }
24439  
24440 -       atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24441 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24442  
24443         /* kernel_context_switch isn't used by any of the x86 drm
24444          * modules but is required by the Sparc driver.
24445 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c
24446 --- linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c      2010-08-26 19:47:12.000000000 -0400
24447 +++ linux-2.6.35.5/drivers/gpu/drm/i810/i810_dma.c      2010-09-17 20:12:09.000000000 -0400
24448 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24449                                  dma->buflist[vertex->idx],
24450                                  vertex->discard, vertex->used);
24451  
24452 -       atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24453 -       atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24454 +       atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24455 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24456         sarea_priv->last_enqueue = dev_priv->counter - 1;
24457         sarea_priv->last_dispatch = (int)hw_status[5];
24458  
24459 @@ -1116,8 +1116,8 @@ static int i810_dma_mc(struct drm_device
24460         i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24461                              mc->last_render);
24462  
24463 -       atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24464 -       atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24465 +       atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24466 +       atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24467         sarea_priv->last_enqueue = dev_priv->counter - 1;
24468         sarea_priv->last_dispatch = (int)hw_status[5];
24469  
24470 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c
24471 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c    2010-08-26 19:47:12.000000000 -0400
24472 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7017.c    2010-09-17 20:12:09.000000000 -0400
24473 @@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
24474         }
24475  }
24476  
24477 -struct intel_dvo_dev_ops ch7017_ops = {
24478 +const struct intel_dvo_dev_ops ch7017_ops = {
24479         .init = ch7017_init,
24480         .detect = ch7017_detect,
24481         .mode_valid = ch7017_mode_valid,
24482 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c
24483 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c    2010-08-26 19:47:12.000000000 -0400
24484 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ch7xxx.c    2010-09-17 20:12:09.000000000 -0400
24485 @@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
24486         }
24487  }
24488  
24489 -struct intel_dvo_dev_ops ch7xxx_ops = {
24490 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24491         .init = ch7xxx_init,
24492         .detect = ch7xxx_detect,
24493         .mode_valid = ch7xxx_mode_valid,
24494 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h
24495 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h   2010-08-26 19:47:12.000000000 -0400
24496 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo.h   2010-09-17 20:12:09.000000000 -0400
24497 @@ -125,23 +125,23 @@ struct intel_dvo_dev_ops {
24498          *
24499          * \return singly-linked list of modes or NULL if no modes found.
24500          */
24501 -       struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24502 +       struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24503  
24504         /**
24505          * Clean up driver-specific bits of the output
24506          */
24507 -       void (*destroy) (struct intel_dvo_device *dvo);
24508 +       void (* const destroy) (struct intel_dvo_device *dvo);
24509  
24510         /**
24511          * Debugging hook to dump device registers to log file
24512          */
24513 -       void (*dump_regs)(struct intel_dvo_device *dvo);
24514 +       void (* const dump_regs)(struct intel_dvo_device *dvo);
24515  };
24516  
24517 -extern struct intel_dvo_dev_ops sil164_ops;
24518 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24519 -extern struct intel_dvo_dev_ops ivch_ops;
24520 -extern struct intel_dvo_dev_ops tfp410_ops;
24521 -extern struct intel_dvo_dev_ops ch7017_ops;
24522 +extern const struct intel_dvo_dev_ops sil164_ops;
24523 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24524 +extern const struct intel_dvo_dev_ops ivch_ops;
24525 +extern const struct intel_dvo_dev_ops tfp410_ops;
24526 +extern const struct intel_dvo_dev_ops ch7017_ops;
24527  
24528  #endif /* _INTEL_DVO_H */
24529 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c
24530 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c      2010-08-26 19:47:12.000000000 -0400
24531 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_ivch.c      2010-09-17 20:12:09.000000000 -0400
24532 @@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
24533         }
24534  }
24535  
24536 -struct intel_dvo_dev_ops ivch_ops= {
24537 +const struct intel_dvo_dev_ops ivch_ops= {
24538         .init = ivch_init,
24539         .dpms = ivch_dpms,
24540         .mode_valid = ivch_mode_valid,
24541 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c
24542 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c    2010-08-26 19:47:12.000000000 -0400
24543 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_sil164.c    2010-09-17 20:12:09.000000000 -0400
24544 @@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
24545         }
24546  }
24547  
24548 -struct intel_dvo_dev_ops sil164_ops = {
24549 +const struct intel_dvo_dev_ops sil164_ops = {
24550         .init = sil164_init,
24551         .detect = sil164_detect,
24552         .mode_valid = sil164_mode_valid,
24553 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c
24554 --- linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c    2010-08-26 19:47:12.000000000 -0400
24555 +++ linux-2.6.35.5/drivers/gpu/drm/i915/dvo_tfp410.c    2010-09-17 20:12:09.000000000 -0400
24556 @@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
24557         }
24558  }
24559  
24560 -struct intel_dvo_dev_ops tfp410_ops = {
24561 +const struct intel_dvo_dev_ops tfp410_ops = {
24562         .init = tfp410_init,
24563         .detect = tfp410_detect,
24564         .mode_valid = tfp410_mode_valid,
24565 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c
24566 --- linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c      2010-09-20 17:33:09.000000000 -0400
24567 +++ linux-2.6.35.5/drivers/gpu/drm/i915/i915_dma.c      2010-09-20 17:33:32.000000000 -0400
24568 @@ -1348,7 +1348,7 @@ static bool i915_switcheroo_can_switch(s
24569         bool can_switch;
24570  
24571         spin_lock(&dev->count_lock);
24572 -       can_switch = (dev->open_count == 0);
24573 +       can_switch = (atomic_read(&dev->open_count) == 0);
24574         spin_unlock(&dev->count_lock);
24575         return can_switch;
24576  }
24577 diff -urNp linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c
24578 --- linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c      2010-08-26 19:47:12.000000000 -0400
24579 +++ linux-2.6.35.5/drivers/gpu/drm/i915/i915_drv.c      2010-09-17 20:12:09.000000000 -0400
24580 @@ -491,7 +491,7 @@ const struct dev_pm_ops i915_pm_ops = {
24581       .restore = i915_pm_resume,
24582  };
24583  
24584 -static struct vm_operations_struct i915_gem_vm_ops = {
24585 +static const struct vm_operations_struct i915_gem_vm_ops = {
24586         .fault = i915_gem_fault,
24587         .open = drm_gem_vm_open,
24588         .close = drm_gem_vm_close,
24589 diff -urNp linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c
24590 --- linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c  2010-08-26 19:47:12.000000000 -0400
24591 +++ linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_backlight.c  2010-09-17 20:12:09.000000000 -0400
24592 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
24593         return 0;
24594  }
24595  
24596 -static struct backlight_ops nv40_bl_ops = {
24597 +static const struct backlight_ops nv40_bl_ops = {
24598         .options = BL_CORE_SUSPENDRESUME,
24599         .get_brightness = nv40_get_intensity,
24600         .update_status = nv40_set_intensity,
24601 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
24602         return 0;
24603  }
24604  
24605 -static struct backlight_ops nv50_bl_ops = {
24606 +static const struct backlight_ops nv50_bl_ops = {
24607         .options = BL_CORE_SUSPENDRESUME,
24608         .get_brightness = nv50_get_intensity,
24609         .update_status = nv50_set_intensity,
24610 diff -urNp linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c
24611 --- linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c      2010-08-26 19:47:12.000000000 -0400
24612 +++ linux-2.6.35.5/drivers/gpu/drm/nouveau/nouveau_state.c      2010-09-17 20:12:09.000000000 -0400
24613 @@ -395,7 +395,7 @@ static bool nouveau_switcheroo_can_switc
24614         bool can_switch;
24615  
24616         spin_lock(&dev->count_lock);
24617 -       can_switch = (dev->open_count == 0);
24618 +       can_switch = (atomic_read(&dev->open_count) == 0);
24619         spin_unlock(&dev->count_lock);
24620         return can_switch;
24621  }
24622 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c
24623 --- linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c  2010-08-26 19:47:12.000000000 -0400
24624 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/mkregtable.c  2010-09-17 20:12:09.000000000 -0400
24625 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t, 
24626         regex_t mask_rex;
24627         regmatch_t match[4];
24628         char buf[1024];
24629 -       size_t end;
24630 +       long end;
24631         int len;
24632         int done = 0;
24633         int r;
24634         unsigned o;
24635         struct offset *offset;
24636         char last_reg_s[10];
24637 -       int last_reg;
24638 +       unsigned long last_reg;
24639  
24640         if (regcomp
24641             (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24642 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c
24643 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c       2010-08-26 19:47:12.000000000 -0400
24644 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_device.c       2010-09-17 20:12:09.000000000 -0400
24645 @@ -562,7 +562,7 @@ static bool radeon_switcheroo_can_switch
24646         bool can_switch;
24647  
24648         spin_lock(&dev->count_lock);
24649 -       can_switch = (dev->open_count == 0);
24650 +       can_switch = (atomic_read(&dev->open_count) == 0);
24651         spin_unlock(&dev->count_lock);
24652         return can_switch;
24653  }
24654 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c
24655 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c      2010-08-26 19:47:12.000000000 -0400
24656 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_display.c      2010-09-17 20:12:09.000000000 -0400
24657 @@ -559,7 +559,7 @@ static void radeon_compute_pll_legacy(st
24658  
24659                                         if (pll->flags & RADEON_PLL_PREFER_CLOSEST_LOWER) {
24660                                                 error = freq - current_freq;
24661 -                                               error = error < 0 ? 0xffffffff : error;
24662 +                                               error = (int32_t)error < 0 ? 0xffffffff : error;
24663                                         } else
24664                                                 error = abs(current_freq - freq);
24665                                         vco_diff = abs(vco - best_vco);
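Review bot: The added `(int32_t)` cast on the `error < 0` test works only by reinterpreting an unsigned difference as signed, so it also treats any genuine difference above INT32_MAX as negative. Assuming `freq` and `current_freq` are unsigned (their declarations are outside the hunk), comparing the operands before subtracting expresses the same intent without a cast: `error = freq < current_freq ? 0xffffffff : freq - current_freq;`. The enclosing loop in radeon_compute_pll_legacy starts and ends outside the hunk.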
24666 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c
24667 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c        2010-08-26 19:47:12.000000000 -0400
24668 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_state.c        2010-09-17 20:12:09.000000000 -0400
24669 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24670         if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24671                 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24672  
24673 -       if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24674 +       if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24675                                sarea_priv->nbox * sizeof(depth_boxes[0])))
24676                 return -EFAULT;
24677  
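Review bot: The added `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test reads `nbox` once, and the length expression `sarea_priv->nbox * sizeof(depth_boxes[0])` reads it again, so the value that is checked is not necessarily the value that sizes the copy into `depth_boxes`. If `sarea_priv` points into memory that user space can also write (it looks like the shared SAREA, to be confirmed), the count should be copied into a local once, clamped there, and the local used for the length, e.g. `nbox = sarea_priv->nbox;` then `nbox * sizeof(depth_boxes[0])`. A rejected count would also read better as `-EINVAL` than as `-EFAULT`. The body of radeon_cp_clear continues outside the hunk.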
24678 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24679  {
24680         drm_radeon_private_t *dev_priv = dev->dev_private;
24681         drm_radeon_getparam_t *param = data;
24682 -       int value;
24683 +       int value = 0;
24684  
24685         DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24686  
24687 diff -urNp linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c
24688 --- linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c  2010-08-26 19:47:12.000000000 -0400
24689 +++ linux-2.6.35.5/drivers/gpu/drm/radeon/radeon_ttm.c  2010-09-17 20:12:09.000000000 -0400
24690 @@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
24691         DRM_INFO("radeon: ttm finalized\n");
24692  }
24693  
24694 -static struct vm_operations_struct radeon_ttm_vm_ops;
24695 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24696 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24697 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24698 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24699  
24700  static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24701  {
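Review bot: The three `extern` prototypes for `ttm_bo_vm_fault`, `ttm_bo_vm_open` and `ttm_bo_vm_close` are written by hand in this .c file, so the compiler cannot check them against the definitions in ttm_bo_vm.c if a signature changes. The same patch un-statics and exports those functions, so the declarations belong in the TTM header that already provides `ttm_bo_mmap` to this file (its name is not visible here). A short kernel-doc comment there should say they are exported for drivers that wrap the fault handler.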
24702 @@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
24703         struct radeon_device *rdev;
24704         int r;
24705  
24706 -       bo = (struct ttm_buffer_object *)vma->vm_private_data;  
24707 -       if (bo == NULL) {
24708 +       bo = (struct ttm_buffer_object *)vma->vm_private_data;
24709 +       if (!bo)
24710                 return VM_FAULT_NOPAGE;
24711 -       }
24712         rdev = radeon_get_rdev(bo->bdev);
24713         mutex_lock(&rdev->vram_mutex);
24714 -       r = ttm_vm_ops->fault(vma, vmf);
24715 +       r = ttm_bo_vm_fault(vma, vmf);
24716         mutex_unlock(&rdev->vram_mutex);
24717         return r;
24718  }
24719  
24720 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24721 +       .fault = radeon_ttm_fault,
24722 +       .open = ttm_bo_vm_open,
24723 +       .close = ttm_bo_vm_close
24724 +};
24725 +
24726  int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24727  {
24728         struct drm_file *file_priv;
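Review bot: The new static `radeon_ttm_vm_ops` lists `.fault`, `.open` and `.close` by hand, whereas the code removed from radeon_mmap in the next hunk copied whatever table TTM had installed and overrode only `.fault`. Any handler later added to `ttm_bo_vm_ops` would therefore be silently absent for radeon mappings. A comment above the table would make that dependency visible, for example `/* Must mirror ttm_bo_vm_ops in ttm_bo_vm.c, except for .fault. */`.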
24729 @@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
24730  
24731         file_priv = (struct drm_file *)filp->private_data;
24732         rdev = file_priv->minor->dev->dev_private;
24733 -       if (rdev == NULL) {
24734 +       if (!rdev)
24735                 return -EINVAL;
24736 -       }
24737         r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24738 -       if (unlikely(r != 0)) {
24739 +       if (r)
24740                 return r;
24741 -       }
24742 -       if (unlikely(ttm_vm_ops == NULL)) {
24743 -               ttm_vm_ops = vma->vm_ops;
24744 -               radeon_ttm_vm_ops = *ttm_vm_ops;
24745 -               radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24746 -       }
24747         vma->vm_ops = &radeon_ttm_vm_ops;
24748         return 0;
24749  }
24750 diff -urNp linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c
24751 --- linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c 2010-08-26 19:47:12.000000000 -0400
24752 +++ linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo.c 2010-09-17 20:12:09.000000000 -0400
24753 @@ -47,7 +47,7 @@
24754  #include <linux/module.h>
24755  
24756  #define TTM_ASSERT_LOCKED(param)
24757 -#define TTM_DEBUG(fmt, arg...)
24758 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24759  #define TTM_BO_HASH_ORDER 13
24760  
24761  static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24762 diff -urNp linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c
24763 --- linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c      2010-08-26 19:47:12.000000000 -0400
24764 +++ linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_bo_vm.c      2010-09-20 17:14:49.000000000 -0400
24765 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24766         return best_bo;
24767  }
24768  
24769 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24770 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24771  {
24772         struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24773             vma->vm_private_data;
24774 -       struct ttm_bo_device *bdev = bo->bdev;
24775 +       struct ttm_bo_device *bdev;
24776         unsigned long page_offset;
24777         unsigned long page_last;
24778         unsigned long pfn;
24779 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
24780         unsigned long address = (unsigned long)vmf->virtual_address;
24781         int retval = VM_FAULT_NOPAGE;
24782  
24783 +       if (!bo)
24784 +               return VM_FAULT_NOPAGE;
24785 +       bdev = bo->bdev;
24786 +
24787         /*
24788          * Work around locking order reversal in fault / nopfn
24789          * between mmap_sem and bo_reserve: Perform a trylock operation
24790 @@ -212,22 +216,25 @@ out_unlock:
24791         ttm_bo_unreserve(bo);
24792         return retval;
24793  }
24794 +EXPORT_SYMBOL(ttm_bo_vm_fault);
24795  
24796 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24797 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24798  {
24799         struct ttm_buffer_object *bo =
24800             (struct ttm_buffer_object *)vma->vm_private_data;
24801  
24802         (void)ttm_bo_reference(bo);
24803  }
24804 +EXPORT_SYMBOL(ttm_bo_vm_open);
24805  
24806 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24807 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24808  {
24809         struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24810  
24811         ttm_bo_unref(&bo);
24812         vma->vm_private_data = NULL;
24813  }
24814 +EXPORT_SYMBOL(ttm_bo_vm_close);
24815  
24816  static const struct vm_operations_struct ttm_bo_vm_ops = {
24817         .fault = ttm_bo_vm_fault,
24818 diff -urNp linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c
24819 --- linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c     2010-08-26 19:47:12.000000000 -0400
24820 +++ linux-2.6.35.5/drivers/gpu/drm/ttm/ttm_global.c     2010-09-17 20:12:09.000000000 -0400
24821 @@ -36,7 +36,7 @@
24822  struct ttm_global_item {
24823         struct mutex mutex;
24824         void *object;
24825 -       int refcount;
24826 +       atomic_t refcount;
24827  };
24828  
24829  static struct ttm_global_item glob[TTM_GLOBAL_NUM];
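Review bot: The field `refcount` becomes an `atomic_t` with no comment explaining why, although the updates in `ttm_global_item_ref` and `ttm_global_item_unref` (later hunks of this file) are still made with `item->mutex` held. The `atomic_read(...) == 0` test followed by `atomic_inc` is only correct because of that lock. The type change presumably exists for the patch's overflow checking on `atomic_t` rather than for lock-free use, which the `*_unchecked` statistics counters elsewhere in the patch suggest. A comment on the field would stop a later reader from dropping the mutex: `/* atomic_t for overflow checking only; updates are serialized by mutex */`.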
24830 @@ -49,7 +49,7 @@ void ttm_global_init(void)
24831                 struct ttm_global_item *item = &glob[i];
24832                 mutex_init(&item->mutex);
24833                 item->object = NULL;
24834 -               item->refcount = 0;
24835 +               atomic_set(&item->refcount, 0);
24836         }
24837  }
24838  
24839 @@ -59,7 +59,7 @@ void ttm_global_release(void)
24840         for (i = 0; i < TTM_GLOBAL_NUM; ++i) {
24841                 struct ttm_global_item *item = &glob[i];
24842                 BUG_ON(item->object != NULL);
24843 -               BUG_ON(item->refcount != 0);
24844 +               BUG_ON(atomic_read(&item->refcount) != 0);
24845         }
24846  }
24847  
24848 @@ -70,7 +70,7 @@ int ttm_global_item_ref(struct ttm_globa
24849         void *object;
24850  
24851         mutex_lock(&item->mutex);
24852 -       if (item->refcount == 0) {
24853 +       if (atomic_read(&item->refcount) == 0) {
24854                 item->object = kzalloc(ref->size, GFP_KERNEL);
24855                 if (unlikely(item->object == NULL)) {
24856                         ret = -ENOMEM;
24857 @@ -83,7 +83,7 @@ int ttm_global_item_ref(struct ttm_globa
24858                         goto out_err;
24859  
24860         }
24861 -       ++item->refcount;
24862 +       atomic_inc(&item->refcount);
24863         ref->object = item->object;
24864         object = item->object;
24865         mutex_unlock(&item->mutex);
24866 @@ -100,9 +100,9 @@ void ttm_global_item_unref(struct ttm_gl
24867         struct ttm_global_item *item = &glob[ref->global_type];
24868  
24869         mutex_lock(&item->mutex);
24870 -       BUG_ON(item->refcount == 0);
24871 +       BUG_ON(atomic_read(&item->refcount) == 0);
24872         BUG_ON(ref->object != item->object);
24873 -       if (--item->refcount == 0) {
24874 +       if (atomic_dec_and_test(&item->refcount)) {
24875                 ref->release(ref);
24876                 item->object = NULL;
24877         }
24878 diff -urNp linux-2.6.35.5/drivers/hid/usbhid/hiddev.c linux-2.6.35.5/drivers/hid/usbhid/hiddev.c
24879 --- linux-2.6.35.5/drivers/hid/usbhid/hiddev.c  2010-08-26 19:47:12.000000000 -0400
24880 +++ linux-2.6.35.5/drivers/hid/usbhid/hiddev.c  2010-09-17 20:12:09.000000000 -0400
24881 @@ -616,7 +616,7 @@ static long hiddev_ioctl(struct file *fi
24882                 return put_user(HID_VERSION, (int __user *)arg);
24883  
24884         case HIDIOCAPPLICATION:
24885 -               if (arg < 0 || arg >= hid->maxapplication)
24886 +               if (arg >= hid->maxapplication)
24887                         return -EINVAL;
24888  
24889                 for (i = 0; i < hid->maxcollection; i++)
24890 diff -urNp linux-2.6.35.5/drivers/hwmon/k8temp.c linux-2.6.35.5/drivers/hwmon/k8temp.c
24891 --- linux-2.6.35.5/drivers/hwmon/k8temp.c       2010-09-20 17:33:09.000000000 -0400
24892 +++ linux-2.6.35.5/drivers/hwmon/k8temp.c       2010-09-20 17:33:32.000000000 -0400
24893 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
24894  
24895  static const struct pci_device_id k8temp_ids[] = {
24896         { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
24897 -       { 0 },
24898 +       { 0, 0, 0, 0, 0, 0, 0 },
24899  };
24900  
24901  MODULE_DEVICE_TABLE(pci, k8temp_ids);
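Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` spells out one zero per member, which ties the sentinel to the current member count of `struct pci_device_id` and breaks if the structure gains or loses a field. The same applies to the other `pci_device_id` tables changed in this patch (sis5595, via686a, vt8231, i2c-i801, i2c-piix4, i2c-sis630, i2c-sis96x, ohci1394), to the six-zero `ieee1394_device_id` terminators, and to the positional `dmi_system_id` terminator in i2c-piix4.c. If the aim is to silence a missing-initializer warning (not stated on the page), a designated form such as `{ .vendor = 0 }` achieves that without depending on the layout. Otherwise a `/* terminating entry */` comment on each would at least say what the row of zeros is for.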
24902 diff -urNp linux-2.6.35.5/drivers/hwmon/sis5595.c linux-2.6.35.5/drivers/hwmon/sis5595.c
24903 --- linux-2.6.35.5/drivers/hwmon/sis5595.c      2010-08-26 19:47:12.000000000 -0400
24904 +++ linux-2.6.35.5/drivers/hwmon/sis5595.c      2010-09-17 20:12:09.000000000 -0400
24905 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
24906  
24907  static const struct pci_device_id sis5595_pci_ids[] = {
24908         { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24909 -       { 0, }
24910 +       { 0, 0, 0, 0, 0, 0, 0 }
24911  };
24912  
24913  MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
24914 diff -urNp linux-2.6.35.5/drivers/hwmon/via686a.c linux-2.6.35.5/drivers/hwmon/via686a.c
24915 --- linux-2.6.35.5/drivers/hwmon/via686a.c      2010-08-26 19:47:12.000000000 -0400
24916 +++ linux-2.6.35.5/drivers/hwmon/via686a.c      2010-09-17 20:12:09.000000000 -0400
24917 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
24918  
24919  static const struct pci_device_id via686a_pci_ids[] = {
24920         { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
24921 -       { 0, }
24922 +       { 0, 0, 0, 0, 0, 0, 0 }
24923  };
24924  
24925  MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
24926 diff -urNp linux-2.6.35.5/drivers/hwmon/vt8231.c linux-2.6.35.5/drivers/hwmon/vt8231.c
24927 --- linux-2.6.35.5/drivers/hwmon/vt8231.c       2010-08-26 19:47:12.000000000 -0400
24928 +++ linux-2.6.35.5/drivers/hwmon/vt8231.c       2010-09-17 20:12:09.000000000 -0400
24929 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
24930  
24931  static const struct pci_device_id vt8231_pci_ids[] = {
24932         { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
24933 -       { 0, }
24934 +       { 0, 0, 0, 0, 0, 0, 0 }
24935  };
24936  
24937  MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
24938 diff -urNp linux-2.6.35.5/drivers/hwmon/w83791d.c linux-2.6.35.5/drivers/hwmon/w83791d.c
24939 --- linux-2.6.35.5/drivers/hwmon/w83791d.c      2010-08-26 19:47:12.000000000 -0400
24940 +++ linux-2.6.35.5/drivers/hwmon/w83791d.c      2010-09-17 20:12:09.000000000 -0400
24941 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
24942                           struct i2c_board_info *info);
24943  static int w83791d_remove(struct i2c_client *client);
24944  
24945 -static int w83791d_read(struct i2c_client *client, u8 register);
24946 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
24947 +static int w83791d_read(struct i2c_client *client, u8 reg);
24948 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
24949  static struct w83791d_data *w83791d_update_device(struct device *dev);
24950  
24951  #ifdef DEBUG
24952 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c
24953 --- linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c        2010-08-26 19:47:12.000000000 -0400
24954 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-i801.c        2010-09-17 20:12:09.000000000 -0400
24955 @@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
24956         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
24957         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
24958         { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
24959 -       { 0, }
24960 +       { 0, 0, 0, 0, 0, 0, 0 }
24961  };
24962  
24963  MODULE_DEVICE_TABLE(pci, i801_ids);
24964 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c
24965 --- linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c       2010-08-26 19:47:12.000000000 -0400
24966 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-piix4.c       2010-09-17 20:12:09.000000000 -0400
24967 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
24968                 .ident = "IBM",
24969                 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
24970         },
24971 -       { },
24972 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24973  };
24974  
24975  static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
24976 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
24977                      PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
24978         { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
24979                      PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
24980 -       { 0, }
24981 +       { 0, 0, 0, 0, 0, 0, 0 }
24982  };
24983  
24984  MODULE_DEVICE_TABLE (pci, piix4_ids);
24985 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c
24986 --- linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c      2010-08-26 19:47:12.000000000 -0400
24987 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-sis630.c      2010-09-17 20:12:09.000000000 -0400
24988 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
24989  static const struct pci_device_id sis630_ids[] __devinitconst = {
24990         { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24991         { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
24992 -       { 0, }
24993 +       { 0, 0, 0, 0, 0, 0, 0 }
24994  };
24995  
24996  MODULE_DEVICE_TABLE (pci, sis630_ids);
24997 diff -urNp linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c
24998 --- linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c      2010-08-26 19:47:12.000000000 -0400
24999 +++ linux-2.6.35.5/drivers/i2c/busses/i2c-sis96x.c      2010-09-17 20:12:09.000000000 -0400
25000 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25001  
25002  static const struct pci_device_id sis96x_ids[] = {
25003         { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25004 -       { 0, }
25005 +       { 0, 0, 0, 0, 0, 0, 0 }
25006  };
25007  
25008  MODULE_DEVICE_TABLE (pci, sis96x_ids);
25009 diff -urNp linux-2.6.35.5/drivers/ide/ide-cd.c linux-2.6.35.5/drivers/ide/ide-cd.c
25010 --- linux-2.6.35.5/drivers/ide/ide-cd.c 2010-08-26 19:47:12.000000000 -0400
25011 +++ linux-2.6.35.5/drivers/ide/ide-cd.c 2010-09-17 20:12:09.000000000 -0400
25012 @@ -774,7 +774,7 @@ static void cdrom_do_block_pc(ide_drive_
25013                 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25014                 if ((unsigned long)buf & alignment
25015                     || blk_rq_bytes(rq) & q->dma_pad_mask
25016 -                   || object_is_on_stack(buf))
25017 +                   || object_starts_on_stack(buf))
25018                         drive->dma = 0;
25019         }
25020  }
25021 diff -urNp linux-2.6.35.5/drivers/ieee1394/dv1394.c linux-2.6.35.5/drivers/ieee1394/dv1394.c
25022 --- linux-2.6.35.5/drivers/ieee1394/dv1394.c    2010-08-26 19:47:12.000000000 -0400
25023 +++ linux-2.6.35.5/drivers/ieee1394/dv1394.c    2010-09-17 20:12:09.000000000 -0400
25024 @@ -739,7 +739,7 @@ static void frame_prepare(struct video_c
25025         based upon DIF section and sequence
25026  */
25027  
25028 -static void inline
25029 +static inline void
25030  frame_put_packet (struct frame *f, struct packet *p)
25031  {
25032         int section_type = p->data[0] >> 5;           /* section type is in bits 5 - 7 */
25033 @@ -2179,7 +2179,7 @@ static const struct ieee1394_device_id d
25034                 .specifier_id   = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25035                 .version        = AVC_SW_VERSION_ENTRY & 0xffffff
25036         },
25037 -       { }
25038 +       { 0, 0, 0, 0, 0, 0 }
25039  };
25040  
25041  MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
25042 diff -urNp linux-2.6.35.5/drivers/ieee1394/eth1394.c linux-2.6.35.5/drivers/ieee1394/eth1394.c
25043 --- linux-2.6.35.5/drivers/ieee1394/eth1394.c   2010-08-26 19:47:12.000000000 -0400
25044 +++ linux-2.6.35.5/drivers/ieee1394/eth1394.c   2010-09-17 20:12:09.000000000 -0400
25045 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
25046                 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25047                 .version = ETHER1394_GASP_VERSION,
25048         },
25049 -       {}
25050 +       { 0, 0, 0, 0, 0, 0 }
25051  };
25052  
25053  MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
25054 diff -urNp linux-2.6.35.5/drivers/ieee1394/hosts.c linux-2.6.35.5/drivers/ieee1394/hosts.c
25055 --- linux-2.6.35.5/drivers/ieee1394/hosts.c     2010-08-26 19:47:12.000000000 -0400
25056 +++ linux-2.6.35.5/drivers/ieee1394/hosts.c     2010-09-17 20:12:09.000000000 -0400
25057 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso 
25058  }
25059  
25060  static struct hpsb_host_driver dummy_driver = {
25061 +       .name =            "dummy",
25062         .transmit_packet = dummy_transmit_packet,
25063         .devctl =          dummy_devctl,
25064         .isoctl =          dummy_isoctl
25065 diff -urNp linux-2.6.35.5/drivers/ieee1394/ohci1394.c linux-2.6.35.5/drivers/ieee1394/ohci1394.c
25066 --- linux-2.6.35.5/drivers/ieee1394/ohci1394.c  2010-08-26 19:47:12.000000000 -0400
25067 +++ linux-2.6.35.5/drivers/ieee1394/ohci1394.c  2010-09-17 20:12:09.000000000 -0400
25068 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
25069  printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25070  
25071  /* Module Parameters */
25072 -static int phys_dma = 1;
25073 +static int phys_dma;
25074  module_param(phys_dma, int, 0444);
25075 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25076 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25077  
25078  static void dma_trm_tasklet(unsigned long data);
25079  static void dma_trm_reset(struct dma_trm_ctx *d);
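Review bot: The default for `phys_dma` flips from 1 to 0 with no comment recording why, and the parameter is registered with mode 0444, so it can only be chosen at load time. A comment above the declaration should state the reason and the cost, for example `/* Off by default: physical DMA gives bus nodes direct access to host memory; enable only when a peer needs it. */`. Whether other drivers in drivers/ieee1394 depend on physical DMA being enabled is not visible in this hunk and is worth checking before the new default ships.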
25080 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
25081                 .subvendor =    PCI_ANY_ID,
25082                 .subdevice =    PCI_ANY_ID,
25083         },
25084 -       { 0, },
25085 +       { 0, 0, 0, 0, 0, 0, 0 },
25086  };
25087  
25088  MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
25089 diff -urNp linux-2.6.35.5/drivers/ieee1394/raw1394.c linux-2.6.35.5/drivers/ieee1394/raw1394.c
25090 --- linux-2.6.35.5/drivers/ieee1394/raw1394.c   2010-08-26 19:47:12.000000000 -0400
25091 +++ linux-2.6.35.5/drivers/ieee1394/raw1394.c   2010-09-17 20:12:09.000000000 -0400
25092 @@ -3002,7 +3002,7 @@ static const struct ieee1394_device_id r
25093          .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25094          .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25095          .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25096 -       {}
25097 +       { 0, 0, 0, 0, 0, 0 }
25098  };
25099  
25100  MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
25101 diff -urNp linux-2.6.35.5/drivers/ieee1394/sbp2.c linux-2.6.35.5/drivers/ieee1394/sbp2.c
25102 --- linux-2.6.35.5/drivers/ieee1394/sbp2.c      2010-08-26 19:47:12.000000000 -0400
25103 +++ linux-2.6.35.5/drivers/ieee1394/sbp2.c      2010-09-17 20:12:09.000000000 -0400
25104 @@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
25105          .match_flags   = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25106          .specifier_id  = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25107          .version       = SBP2_SW_VERSION_ENTRY & 0xffffff},
25108 -       {}
25109 +       { 0, 0, 0, 0, 0, 0 }
25110  };
25111  MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25112  
25113 @@ -2110,7 +2110,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
25114  MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25115  MODULE_LICENSE("GPL");
25116  
25117 -static int sbp2_module_init(void)
25118 +static int __init sbp2_module_init(void)
25119  {
25120         int ret;
25121  
25122 diff -urNp linux-2.6.35.5/drivers/ieee1394/video1394.c linux-2.6.35.5/drivers/ieee1394/video1394.c
25123 --- linux-2.6.35.5/drivers/ieee1394/video1394.c 2010-08-26 19:47:12.000000000 -0400
25124 +++ linux-2.6.35.5/drivers/ieee1394/video1394.c 2010-09-17 20:12:09.000000000 -0400
25125 @@ -1312,7 +1312,7 @@ static const struct ieee1394_device_id v
25126                  .specifier_id   = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25127                  .version        = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25128          },
25129 -       { }
25130 +       { 0, 0, 0, 0, 0, 0 }
25131  };
25132  
25133  MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
25134 diff -urNp linux-2.6.35.5/drivers/infiniband/core/cm.c linux-2.6.35.5/drivers/infiniband/core/cm.c
25135 --- linux-2.6.35.5/drivers/infiniband/core/cm.c 2010-08-26 19:47:12.000000000 -0400
25136 +++ linux-2.6.35.5/drivers/infiniband/core/cm.c 2010-09-17 20:12:09.000000000 -0400
25137 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25138  
25139  struct cm_counter_group {
25140         struct kobject obj;
25141 -       atomic_long_t counter[CM_ATTR_COUNT];
25142 +       atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25143  };
25144  
25145  struct cm_counter_attribute {
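Review bot: Nothing in the hunk records why `counter[]` becomes `atomic_long_unchecked_t`, and the same silent conversion repeats at every `atomic_long_inc_unchecked`, `atomic_long_add_unchecked` and `atomic_long_read_unchecked` call site in the later cm.c hunks. From the visible hunks these look like pure statistics counters (they are incremented and then printed by `cm_show_counter`), so wrapping is harmless and opting out of the overflow-checked atomics is reasonable, but that reasoning should be written down on the field: `/* statistics only, may wrap; not a reference count */`. Without it a later reader cannot tell an intentional opt-out from a reference counter that lost its protection.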
25146 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25147         struct ib_mad_send_buf *msg = NULL;
25148         int ret;
25149  
25150 -       atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25151 +       atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25152                         counter[CM_REQ_COUNTER]);
25153  
25154         /* Quick state check to discard duplicate REQs. */
25155 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25156         if (!cm_id_priv)
25157                 return;
25158  
25159 -       atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25160 +       atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25161                         counter[CM_REP_COUNTER]);
25162         ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25163         if (ret)
25164 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25165         if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25166             cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25167                 spin_unlock_irq(&cm_id_priv->lock);
25168 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25169 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25170                                 counter[CM_RTU_COUNTER]);
25171                 goto out;
25172         }
25173 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25174         cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25175                                    dreq_msg->local_comm_id);
25176         if (!cm_id_priv) {
25177 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25178 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25179                                 counter[CM_DREQ_COUNTER]);
25180                 cm_issue_drep(work->port, work->mad_recv_wc);
25181                 return -EINVAL;
25182 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25183         case IB_CM_MRA_REP_RCVD:
25184                 break;
25185         case IB_CM_TIMEWAIT:
25186 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25187 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25188                                 counter[CM_DREQ_COUNTER]);
25189                 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25190                         goto unlock;
25191 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25192                         cm_free_msg(msg);
25193                 goto deref;
25194         case IB_CM_DREQ_RCVD:
25195 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25196 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25197                                 counter[CM_DREQ_COUNTER]);
25198                 goto unlock;
25199         default:
25200 @@ -2502,7 +2502,7 @@ static int cm_mra_handler(struct cm_work
25201                     ib_modify_mad(cm_id_priv->av.port->mad_agent,
25202                                   cm_id_priv->msg, timeout)) {
25203                         if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25204 -                               atomic_long_inc(&work->port->
25205 +                               atomic_long_inc_unchecked(&work->port->
25206                                                 counter_group[CM_RECV_DUPLICATES].
25207                                                 counter[CM_MRA_COUNTER]);
25208                         goto out;
25209 @@ -2511,7 +2511,7 @@ static int cm_mra_handler(struct cm_work
25210                 break;
25211         case IB_CM_MRA_REQ_RCVD:
25212         case IB_CM_MRA_REP_RCVD:
25213 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25214 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25215                                 counter[CM_MRA_COUNTER]);
25216                 /* fall through */
25217         default:
25218 @@ -2673,7 +2673,7 @@ static int cm_lap_handler(struct cm_work
25219         case IB_CM_LAP_IDLE:
25220                 break;
25221         case IB_CM_MRA_LAP_SENT:
25222 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25223 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25224                                 counter[CM_LAP_COUNTER]);
25225                 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25226                         goto unlock;
25227 @@ -2689,7 +2689,7 @@ static int cm_lap_handler(struct cm_work
25228                         cm_free_msg(msg);
25229                 goto deref;
25230         case IB_CM_LAP_RCVD:
25231 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25232 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25233                                 counter[CM_LAP_COUNTER]);
25234                 goto unlock;
25235         default:
25236 @@ -2973,7 +2973,7 @@ static int cm_sidr_req_handler(struct cm
25237         cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25238         if (cur_cm_id_priv) {
25239                 spin_unlock_irq(&cm.lock);
25240 -               atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25241 +               atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25242                                 counter[CM_SIDR_REQ_COUNTER]);
25243                 goto out; /* Duplicate message. */
25244         }
25245 @@ -3184,10 +3184,10 @@ static void cm_send_handler(struct ib_ma
25246         if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25247                 msg->retries = 1;
25248  
25249 -       atomic_long_add(1 + msg->retries,
25250 +       atomic_long_add_unchecked(1 + msg->retries,
25251                         &port->counter_group[CM_XMIT].counter[attr_index]);
25252         if (msg->retries)
25253 -               atomic_long_add(msg->retries,
25254 +               atomic_long_add_unchecked(msg->retries,
25255                                 &port->counter_group[CM_XMIT_RETRIES].
25256                                 counter[attr_index]);
25257  
25258 @@ -3397,7 +3397,7 @@ static void cm_recv_handler(struct ib_ma
25259         }
25260  
25261         attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25262 -       atomic_long_inc(&port->counter_group[CM_RECV].
25263 +       atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25264                         counter[attr_id - CM_ATTR_ID_OFFSET]);
25265  
25266         work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25267 @@ -3595,7 +3595,7 @@ static ssize_t cm_show_counter(struct ko
25268         cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25269  
25270         return sprintf(buf, "%ld\n",
25271 -                      atomic_long_read(&group->counter[cm_attr->index]));
25272 +                      atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25273  }
25274  
25275  static const struct sysfs_ops cm_counter_ops = {
25276 diff -urNp linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h
25277 --- linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h      2010-08-26 19:47:12.000000000 -0400
25278 +++ linux-2.6.35.5/drivers/infiniband/hw/qib/qib.h      2010-09-17 20:12:09.000000000 -0400
25279 @@ -50,6 +50,7 @@
25280  #include <linux/completion.h>
25281  #include <linux/kref.h>
25282  #include <linux/sched.h>
25283 +#include <linux/slab.h>
25284  
25285  #include "qib_common.h"
25286  #include "qib_verbs.h"
25287 diff -urNp linux-2.6.35.5/drivers/input/keyboard/atkbd.c linux-2.6.35.5/drivers/input/keyboard/atkbd.c
25288 --- linux-2.6.35.5/drivers/input/keyboard/atkbd.c       2010-08-26 19:47:12.000000000 -0400
25289 +++ linux-2.6.35.5/drivers/input/keyboard/atkbd.c       2010-09-17 20:12:09.000000000 -0400
25290 @@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
25291                 .id     = SERIO_ANY,
25292                 .extra  = SERIO_ANY,
25293         },
25294 -       { 0 }
25295 +       { 0, 0, 0, 0 }
25296  };
25297  
25298  MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25299 diff -urNp linux-2.6.35.5/drivers/input/mouse/lifebook.c linux-2.6.35.5/drivers/input/mouse/lifebook.c
25300 --- linux-2.6.35.5/drivers/input/mouse/lifebook.c       2010-08-26 19:47:12.000000000 -0400
25301 +++ linux-2.6.35.5/drivers/input/mouse/lifebook.c       2010-09-17 20:12:09.000000000 -0400
25302 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25303                         DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25304                 },
25305         },
25306 -       { }
25307 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25308  };
25309  
25310  void __init lifebook_module_init(void)
25311 diff -urNp linux-2.6.35.5/drivers/input/mouse/psmouse-base.c linux-2.6.35.5/drivers/input/mouse/psmouse-base.c
25312 --- linux-2.6.35.5/drivers/input/mouse/psmouse-base.c   2010-08-26 19:47:12.000000000 -0400
25313 +++ linux-2.6.35.5/drivers/input/mouse/psmouse-base.c   2010-09-17 20:12:09.000000000 -0400
25314 @@ -1460,7 +1460,7 @@ static struct serio_device_id psmouse_se
25315                 .id     = SERIO_ANY,
25316                 .extra  = SERIO_ANY,
25317         },
25318 -       { 0 }
25319 +       { 0, 0, 0, 0 }
25320  };
25321  
25322  MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25323 diff -urNp linux-2.6.35.5/drivers/input/mouse/synaptics.c linux-2.6.35.5/drivers/input/mouse/synaptics.c
25324 --- linux-2.6.35.5/drivers/input/mouse/synaptics.c      2010-08-26 19:47:12.000000000 -0400
25325 +++ linux-2.6.35.5/drivers/input/mouse/synaptics.c      2010-09-17 20:12:09.000000000 -0400
25326 @@ -476,7 +476,7 @@ static void synaptics_process_packet(str
25327                                 break;
25328                         case 2:
25329                                 if (SYN_MODEL_PEN(priv->model_id))
25330 -                                       ;   /* Nothing, treat a pen as a single finger */
25331 +                                       break;   /* Nothing, treat a pen as a single finger */
25332                                 break;
25333                         case 4 ... 15:
25334                                 if (SYN_CAP_PALMDETECT(priv->capabilities))
25335 @@ -701,7 +701,6 @@ static const struct dmi_system_id __init
25336                         DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25337                         DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25338                 },
25339 -
25340         },
25341         {
25342                 /* Toshiba Portege M300 */
25343 @@ -710,9 +709,8 @@ static const struct dmi_system_id __init
25344                         DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25345                         DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25346                 },
25347 -
25348         },
25349 -       { }
25350 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25351  #endif
25352  };
25353  
25354 diff -urNp linux-2.6.35.5/drivers/input/mousedev.c linux-2.6.35.5/drivers/input/mousedev.c
25355 --- linux-2.6.35.5/drivers/input/mousedev.c     2010-08-26 19:47:12.000000000 -0400
25356 +++ linux-2.6.35.5/drivers/input/mousedev.c     2010-09-17 20:12:09.000000000 -0400
25357 @@ -754,7 +754,7 @@ static ssize_t mousedev_read(struct file
25358  
25359         spin_unlock_irq(&client->packet_lock);
25360  
25361 -       if (copy_to_user(buffer, data, count))
25362 +       if (count > sizeof(data) || copy_to_user(buffer, data, count))
25363                 return -EFAULT;
25364  
25365         return count;
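Review bot: The added `count > sizeof(data)` test sits after the spinlock is released, so it can only stop the copy-out; the hunk does not show where `data` is filled, and if that happens earlier in `mousedev_read` with the same `count`, an oversized value would already have overrun the buffer before this line runs. The bound belongs before the fill, e.g. `if (count > sizeof(data)) count = sizeof(data);` while the lock is still held. `sizeof(data)` is also only meaningful if `data` is a local array rather than a pointer, which the hunk does not show. The function starts and ends outside the hunk.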
25366 @@ -1051,7 +1051,7 @@ static struct input_handler mousedev_han
25367  
25368  #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25369  static struct miscdevice psaux_mouse = {
25370 -       PSMOUSE_MINOR, "psaux", &mousedev_fops
25371 +       PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25372  };
25373  static int psaux_registered;
25374  #endif
25375 diff -urNp linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h
25376 --- linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h        2010-08-26 19:47:12.000000000 -0400
25377 +++ linux-2.6.35.5/drivers/input/serio/i8042-x86ia64io.h        2010-09-17 20:12:09.000000000 -0400
25378 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25379                         DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25380                 },
25381         },
25382 -       { }
25383 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25384  };
25385  
25386  /*
25387 @@ -413,7 +413,7 @@ static const struct dmi_system_id __init
25388                         DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
25389                 },
25390         },
25391 -       { }
25392 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25393  };
25394  
25395  static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25396 @@ -487,7 +487,7 @@ static const struct dmi_system_id __init
25397                         DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25398                 },
25399         },
25400 -       { }
25401 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25402  };
25403  
25404  #ifdef CONFIG_PNP
25405 @@ -506,7 +506,7 @@ static const struct dmi_system_id __init
25406                         DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25407                 },
25408         },
25409 -       { }
25410 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25411  };
25412  
25413  static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25414 @@ -530,7 +530,7 @@ static const struct dmi_system_id __init
25415                         DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25416                 },
25417         },
25418 -       { }
25419 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25420  };
25421  #endif
25422  
25423 @@ -604,7 +604,7 @@ static const struct dmi_system_id __init
25424                         DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25425                 },
25426         },
25427 -       { }
25428 +       { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25429  };
25430  
25431  #endif /* CONFIG_X86 */
25432 diff -urNp linux-2.6.35.5/drivers/input/serio/serio_raw.c linux-2.6.35.5/drivers/input/serio/serio_raw.c
25433 --- linux-2.6.35.5/drivers/input/serio/serio_raw.c      2010-08-26 19:47:12.000000000 -0400
25434 +++ linux-2.6.35.5/drivers/input/serio/serio_raw.c      2010-09-17 20:12:09.000000000 -0400
25435 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25436                 .id     = SERIO_ANY,
25437                 .extra  = SERIO_ANY,
25438         },
25439 -       { 0 }
25440 +       { 0, 0, 0, 0 }
25441  };
25442  
25443  MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25444 diff -urNp linux-2.6.35.5/drivers/isdn/gigaset/common.c linux-2.6.35.5/drivers/isdn/gigaset/common.c
25445 --- linux-2.6.35.5/drivers/isdn/gigaset/common.c        2010-08-26 19:47:12.000000000 -0400
25446 +++ linux-2.6.35.5/drivers/isdn/gigaset/common.c        2010-09-17 20:12:09.000000000 -0400
25447 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct 
25448         cs->commands_pending = 0;
25449         cs->cur_at_seq = 0;
25450         cs->gotfwver = -1;
25451 -       cs->open_count = 0;
25452 +       atomic_set(&cs->open_count, 0);
25453         cs->dev = NULL;
25454         cs->tty = NULL;
25455         cs->tty_dev = NULL;
25456 diff -urNp linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h
25457 --- linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h       2010-08-26 19:47:12.000000000 -0400
25458 +++ linux-2.6.35.5/drivers/isdn/gigaset/gigaset.h       2010-09-17 20:12:09.000000000 -0400
25459 @@ -442,7 +442,7 @@ struct cardstate {
25460         spinlock_t cmdlock;
25461         unsigned curlen, cmdbytes;
25462  
25463 -       unsigned open_count;
25464 +       atomic_t open_count;
25465         struct tty_struct *tty;
25466         struct tasklet_struct if_wake_tasklet;
25467         unsigned control_state;
25468 diff -urNp linux-2.6.35.5/drivers/isdn/gigaset/interface.c linux-2.6.35.5/drivers/isdn/gigaset/interface.c
25469 --- linux-2.6.35.5/drivers/isdn/gigaset/interface.c     2010-08-26 19:47:12.000000000 -0400
25470 +++ linux-2.6.35.5/drivers/isdn/gigaset/interface.c     2010-09-17 20:12:09.000000000 -0400
25471 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25472                 return -ERESTARTSYS;
25473         tty->driver_data = cs;
25474  
25475 -       ++cs->open_count;
25476 -
25477 -       if (cs->open_count == 1) {
25478 +       if (atomic_inc_return(&cs->open_count) == 1) {
25479                 spin_lock_irqsave(&cs->lock, flags);
25480                 cs->tty = tty;
25481                 spin_unlock_irqrestore(&cs->lock, flags);
25482 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25483  
25484         if (!cs->connected)
25485                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
25486 -       else if (!cs->open_count)
25487 +       else if (!atomic_read(&cs->open_count))
25488                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25489         else {
25490 -               if (!--cs->open_count) {
25491 +               if (!atomic_dec_return(&cs->open_count)) {
25492                         spin_lock_irqsave(&cs->lock, flags);
25493                         cs->tty = NULL;
25494                         spin_unlock_irqrestore(&cs->lock, flags);
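Review bot: `atomic_read(&cs->open_count)` followed by `atomic_dec_return(&cs->open_count)` in `if_close` is still a check-then-act pair, so the conversion to `atomic_t` does not by itself stop two closers from both passing the zero test. Correctness continues to depend on whatever lock `if_close` takes before this point, which is outside the hunk (`if_open` returns `-ERESTARTSYS` just above its increment, which suggests an interruptible lock). I would say so on the field in gigaset.h: `/* still serialised by the caller's lock; atomic_t does not replace it */`. The read-only checks in `if_ioctl`, `if_write`, `if_write_room`, `if_chars_in_buffer`, `if_throttle`, `if_unthrottle` and `if_set_termios` rely on that lock as well.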
25495 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25496         if (!cs->connected) {
25497                 gig_dbg(DEBUG_IF, "not connected");
25498                 retval = -ENODEV;
25499 -       } else if (!cs->open_count)
25500 +       } else if (!atomic_read(&cs->open_count))
25501                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25502         else {
25503                 retval = 0;
25504 @@ -355,7 +353,7 @@ static int if_write(struct tty_struct *t
25505         if (!cs->connected) {
25506                 gig_dbg(DEBUG_IF, "not connected");
25507                 retval = -ENODEV;
25508 -       } else if (!cs->open_count)
25509 +       } else if (!atomic_read(&cs->open_count))
25510                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25511         else if (cs->mstate != MS_LOCKED) {
25512                 dev_warn(cs->dev, "can't write to unlocked device\n");
25513 @@ -389,7 +387,7 @@ static int if_write_room(struct tty_stru
25514         if (!cs->connected) {
25515                 gig_dbg(DEBUG_IF, "not connected");
25516                 retval = -ENODEV;
25517 -       } else if (!cs->open_count)
25518 +       } else if (!atomic_read(&cs->open_count))
25519                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25520         else if (cs->mstate != MS_LOCKED) {
25521                 dev_warn(cs->dev, "can't write to unlocked device\n");
25522 @@ -419,7 +417,7 @@ static int if_chars_in_buffer(struct tty
25523  
25524         if (!cs->connected)
25525                 gig_dbg(DEBUG_IF, "not connected");
25526 -       else if (!cs->open_count)
25527 +       else if (!atomic_read(&cs->open_count))
25528                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25529         else if (cs->mstate != MS_LOCKED)
25530                 dev_warn(cs->dev, "can't write to unlocked device\n");
25531 @@ -447,7 +445,7 @@ static void if_throttle(struct tty_struc
25532  
25533         if (!cs->connected)
25534                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
25535 -       else if (!cs->open_count)
25536 +       else if (!atomic_read(&cs->open_count))
25537                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25538         else
25539                 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25540 @@ -471,7 +469,7 @@ static void if_unthrottle(struct tty_str
25541  
25542         if (!cs->connected)
25543                 gig_dbg(DEBUG_IF, "not connected");     /* nothing to do */
25544 -       else if (!cs->open_count)
25545 +       else if (!atomic_read(&cs->open_count))
25546                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25547         else
25548                 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25549 @@ -502,7 +500,7 @@ static void if_set_termios(struct tty_st
25550                 goto out;
25551         }
25552  
25553 -       if (!cs->open_count) {
25554 +       if (!atomic_read(&cs->open_count)) {
25555                 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25556                 goto out;
25557         }
25558 diff -urNp linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c
25559 --- linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c       2010-08-26 19:47:12.000000000 -0400
25560 +++ linux-2.6.35.5/drivers/isdn/hardware/avm/b1.c       2010-09-17 20:12:37.000000000 -0400
25561 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25562         }
25563         if (left) {
25564                 if (t4file->user) {
25565 -                       if (copy_from_user(buf, dp, left))
25566 +                       if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25567                                 return -EFAULT;
25568                 } else {
25569                         memcpy(buf, dp, left);
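Review bot: Only the `copy_from_user()` branch gets the new `left > sizeof(buf)` bound; the `else` branch in the same hunk still does `memcpy(buf, dp, left)` with the unchecked length. The kernel-buffer path writes into the same `buf`, so the test should be hoisted above `if (t4file->user)`: `if (left > sizeof(buf)) return -EFAULT;`. The identical pattern appears in the `b1_load_config` hunk below and in the `icn_writecmd` hunk in drivers/isdn/icn/icn.c (`memcpy(msg, buf, count)`). `-EINVAL` would arguably describe an oversized length better than `-EFAULT`, and the check presumes `buf` is an array, which the hunk does not show.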
25570 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25571         }
25572         if (left) {
25573                 if (config->user) {
25574 -                       if (copy_from_user(buf, dp, left))
25575 +                       if (left > sizeof(buf) || copy_from_user(buf, dp, left))
25576                                 return -EFAULT;
25577                 } else {
25578                         memcpy(buf, dp, left);
25579 diff -urNp linux-2.6.35.5/drivers/isdn/icn/icn.c linux-2.6.35.5/drivers/isdn/icn/icn.c
25580 --- linux-2.6.35.5/drivers/isdn/icn/icn.c       2010-08-26 19:47:12.000000000 -0400
25581 +++ linux-2.6.35.5/drivers/isdn/icn/icn.c       2010-09-17 20:12:37.000000000 -0400
25582 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25583                 if (count > len)
25584                         count = len;
25585                 if (user) {
25586 -                       if (copy_from_user(msg, buf, count))
25587 +                       if (count > sizeof(msg) || copy_from_user(msg, buf, count))
25588                                 return -EFAULT;
25589                 } else
25590                         memcpy(msg, buf, count);
25591 diff -urNp linux-2.6.35.5/drivers/lguest/core.c linux-2.6.35.5/drivers/lguest/core.c
25592 --- linux-2.6.35.5/drivers/lguest/core.c        2010-08-26 19:47:12.000000000 -0400
25593 +++ linux-2.6.35.5/drivers/lguest/core.c        2010-09-17 20:12:09.000000000 -0400
25594 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25595          * it's worked so far.  The end address needs +1 because __get_vm_area
25596          * allocates an extra guard page, so we need space for that.
25597          */
25598 +
25599 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25600 +       switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25601 +                                    VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25602 +                                    + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25603 +#else
25604         switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25605                                      VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25606                                      + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25607 +#endif
25608 +
25609         if (!switcher_vma) {
25610                 err = -ENOMEM;
25611                 printk("lguest: could not map switcher pages high\n");
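Review bot: The `#if`/`#else` duplicates the whole `__get_vm_area()` call when only the flags argument differs, so a later change to the size or address range has to be made twice. Selecting the flags once keeps a single call: define a local macro (say `SWITCHER_VM_FLAGS`) as `(VM_ALLOC | VM_KERNEXEC)` under the `CONFIG_PAX_KERNEXEC` condition and as `VM_ALLOC` otherwise, then pass it to the existing call. A one-line comment on why the switcher mapping needs `VM_KERNEXEC` would also help, since the hunk gives no reason.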
25612 diff -urNp linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c
25613 --- linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c        2010-08-26 19:47:12.000000000 -0400
25614 +++ linux-2.6.35.5/drivers/macintosh/via-pmu-backlight.c        2010-09-17 20:12:09.000000000 -0400
25615 @@ -15,7 +15,7 @@
25616  
25617  #define MAX_PMU_LEVEL 0xFF
25618  
25619 -static struct backlight_ops pmu_backlight_data;
25620 +static const struct backlight_ops pmu_backlight_data;
25621  static DEFINE_SPINLOCK(pmu_backlight_lock);
25622  static int sleeping, uses_pmu_bl;
25623  static u8 bl_curve[FB_BACKLIGHT_LEVELS];
25624 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
25625         return bd->props.brightness;
25626  }
25627  
25628 -static struct backlight_ops pmu_backlight_data = {
25629 +static const struct backlight_ops pmu_backlight_data = {
25630         .get_brightness = pmu_backlight_get_brightness,
25631         .update_status  = pmu_backlight_update_status,
25632  
25633 diff -urNp linux-2.6.35.5/drivers/macintosh/via-pmu.c linux-2.6.35.5/drivers/macintosh/via-pmu.c
25634 --- linux-2.6.35.5/drivers/macintosh/via-pmu.c  2010-08-26 19:47:12.000000000 -0400
25635 +++ linux-2.6.35.5/drivers/macintosh/via-pmu.c  2010-09-17 20:12:09.000000000 -0400
25636 @@ -2254,7 +2254,7 @@ static int pmu_sleep_valid(suspend_state
25637                 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
25638  }
25639  
25640 -static struct platform_suspend_ops pmu_pm_ops = {
25641 +static const struct platform_suspend_ops pmu_pm_ops = {
25642         .enter = powerbook_sleep,
25643         .valid = pmu_sleep_valid,
25644  };
25645 diff -urNp linux-2.6.35.5/drivers/md/bitmap.c linux-2.6.35.5/drivers/md/bitmap.c
25646 --- linux-2.6.35.5/drivers/md/bitmap.c  2010-08-26 19:47:12.000000000 -0400
25647 +++ linux-2.6.35.5/drivers/md/bitmap.c  2010-09-17 20:12:09.000000000 -0400
25648 @@ -58,7 +58,7 @@
25649  #  if DEBUG > 0
25650  #    define PRINTK(x...) printk(KERN_DEBUG x)
25651  #  else
25652 -#    define PRINTK(x...)
25653 +#    define PRINTK(x...) do {} while (0)
25654  #  endif
25655  #endif
25656  
25657 diff -urNp linux-2.6.35.5/drivers/md/dm-table.c linux-2.6.35.5/drivers/md/dm-table.c
25658 --- linux-2.6.35.5/drivers/md/dm-table.c        2010-08-26 19:47:12.000000000 -0400
25659 +++ linux-2.6.35.5/drivers/md/dm-table.c        2010-09-17 20:12:09.000000000 -0400
25660 @@ -363,7 +363,7 @@ static int device_area_is_invalid(struct
25661         if (!dev_size)
25662                 return 0;
25663  
25664 -       if ((start >= dev_size) || (start + len > dev_size)) {
25665 +       if ((start >= dev_size) || (len > dev_size - start)) {
25666                 DMWARN("%s: %s too small for target: "
25667                        "start=%llu, len=%llu, dev_size=%llu",
25668                        dm_device_name(ti->table->md), bdevname(bdev, b),
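Review bot: The rewritten bound `len > dev_size - start` deserves a comment, because it looks like a cosmetic reshuffle of `start + len > dev_size` and could be "simplified" back later. The subtraction form cannot wrap since `start >= dev_size` is rejected first, whereas the sum can overflow for large `start` and `len` and then pass the check. Suggested comment above the `if`: `/* compare as len > dev_size - start: start + len may wrap */`.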
25669 diff -urNp linux-2.6.35.5/drivers/md/md.c linux-2.6.35.5/drivers/md/md.c
25670 --- linux-2.6.35.5/drivers/md/md.c      2010-08-26 19:47:12.000000000 -0400
25671 +++ linux-2.6.35.5/drivers/md/md.c      2010-09-17 20:12:09.000000000 -0400
25672 @@ -6352,7 +6352,7 @@ static int md_seq_show(struct seq_file *
25673                                 chunk_kb ? "KB" : "B");
25674                         if (bitmap->file) {
25675                                 seq_printf(seq, ", file: ");
25676 -                               seq_path(seq, &bitmap->file->f_path, " \t\n");
25677 +                               seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25678                         }
25679  
25680                         seq_printf(seq, "\n");
25681 @@ -6446,7 +6446,7 @@ static int is_mddev_idle(mddev_t *mddev,
25682                 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25683                 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25684                               (int)part_stat_read(&disk->part0, sectors[1]) -
25685 -                             atomic_read(&disk->sync_io);
25686 +                             atomic_read_unchecked(&disk->sync_io);
25687                 /* sync IO will cause sync_io to increase before the disk_stats
25688                  * as sync_io is counted when a request starts, and
25689                  * disk_stats is counted when it completes.
25690 diff -urNp linux-2.6.35.5/drivers/md/md.h linux-2.6.35.5/drivers/md/md.h
25691 --- linux-2.6.35.5/drivers/md/md.h      2010-08-26 19:47:12.000000000 -0400
25692 +++ linux-2.6.35.5/drivers/md/md.h      2010-09-17 20:12:09.000000000 -0400
25693 @@ -334,7 +334,7 @@ static inline void rdev_dec_pending(mdk_
25694  
25695  static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25696  {
25697 -        atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25698 +       atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25699  }
25700  
25701  struct mdk_personality
25702 diff -urNp linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c
25703 --- linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c  2010-08-26 19:47:12.000000000 -0400
25704 +++ linux-2.6.35.5/drivers/media/dvb/dvb-core/dvbdev.c  2010-09-17 20:12:09.000000000 -0400
25705 @@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
25706                         const struct dvb_device *template, void *priv, int type)
25707  {
25708         struct dvb_device *dvbdev;
25709 +       /* cannot be const, see this function */
25710         struct file_operations *dvbdevfops;
25711         struct device *clsdev;
25712         int minor;
25713 diff -urNp linux-2.6.35.5/drivers/media/radio/radio-cadet.c linux-2.6.35.5/drivers/media/radio/radio-cadet.c
25714 --- linux-2.6.35.5/drivers/media/radio/radio-cadet.c    2010-08-26 19:47:12.000000000 -0400
25715 +++ linux-2.6.35.5/drivers/media/radio/radio-cadet.c    2010-09-17 20:12:37.000000000 -0400
25716 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
25717         while (i < count && dev->rdsin != dev->rdsout)
25718                 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25719  
25720 -       if (copy_to_user(data, readbuf, i))
25721 +       if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
25722                 return -EFAULT;
25723         return i;
25724  }
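Review bot: The added `i > sizeof(readbuf)` test runs after the loop above it has already stored `i` bytes into `readbuf`, so if `i` can exceed the buffer the out-of-bounds write has happened before the check fires. Bounding the loop itself is the stronger form: `while (i < count && i < sizeof(readbuf) && dev->rdsin != dev->rdsout)`. With that in place the post-loop test becomes redundant, and `-EFAULT` is no longer returned for a condition that is not a bad user pointer. The declaration of `readbuf` and the start of cadet_read are outside the hunk, so whether the ring indices already bound the loop cannot be confirmed here.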
25725 diff -urNp linux-2.6.35.5/drivers/message/fusion/mptbase.c linux-2.6.35.5/drivers/message/fusion/mptbase.c
25726 --- linux-2.6.35.5/drivers/message/fusion/mptbase.c     2010-08-26 19:47:12.000000000 -0400
25727 +++ linux-2.6.35.5/drivers/message/fusion/mptbase.c     2010-09-17 20:12:37.000000000 -0400
25728 @@ -6715,8 +6715,14 @@ procmpt_iocinfo_read(char *buf, char **s
25729         len += sprintf(buf+len, "  MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25730         len += sprintf(buf+len, "  MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25731  
25732 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25733 +       len += sprintf(buf+len, "  RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25734 +                                       NULL, NULL);
25735 +#else
25736         len += sprintf(buf+len, "  RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25737                                         (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25738 +#endif
25739 +
25740         /*
25741          *  Rounding UP to nearest 4-kB boundary here...
25742          */
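Review bot: The CONFIG_GRKERNSEC_HIDESYM branch repeats the whole format string only to pass `NULL, NULL`, so the two copies can drift apart. Depending on how `%p` renders a null pointer, the line may also come out as `0x(null)`. The branch also has no comment stating its purpose; something like `/* HIDESYM: do not expose kernel virtual or DMA addresses through /proc */` would explain why both values are blanked. The surrounding calls still use unbounded `sprintf(buf+len, ...)`, and procmpt_iocinfo_read starts and ends outside the hunk, so the size of `buf` cannot be checked from here.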
25743 diff -urNp linux-2.6.35.5/drivers/message/fusion/mptdebug.h linux-2.6.35.5/drivers/message/fusion/mptdebug.h
25744 --- linux-2.6.35.5/drivers/message/fusion/mptdebug.h    2010-08-26 19:47:12.000000000 -0400
25745 +++ linux-2.6.35.5/drivers/message/fusion/mptdebug.h    2010-09-17 20:12:09.000000000 -0400
25746 @@ -71,7 +71,7 @@
25747                 CMD;                                            \
25748  }
25749  #else
25750 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25751 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25752  #endif
25753  
25754  
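Review bot: Only the disabled variant of MPT_CHECK_LOGGING becomes a proper single statement; the enabled variant just above ends in `CMD; \` followed by a bare `}`, which suggests it is still a plain brace block. If so, `if (x) MPT_CHECK_LOGGING(...); else ...` compiles with logging disabled but not with it enabled. Wrapping the enabled body in `do { ... } while (0)` as well would make the two variants interchangeable. The start of the enabled macro is outside the hunk.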
25755 diff -urNp linux-2.6.35.5/drivers/message/fusion/mptsas.c linux-2.6.35.5/drivers/message/fusion/mptsas.c
25756 --- linux-2.6.35.5/drivers/message/fusion/mptsas.c      2010-08-26 19:47:12.000000000 -0400
25757 +++ linux-2.6.35.5/drivers/message/fusion/mptsas.c      2010-09-17 20:12:09.000000000 -0400
25758 @@ -437,6 +437,23 @@ mptsas_is_end_device(struct mptsas_devin
25759                 return 0;
25760  }
25761  
25762 +static inline void
25763 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25764 +{
25765 +       if (phy_info->port_details) {
25766 +               phy_info->port_details->rphy = rphy;
25767 +               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25768 +                   ioc->name, rphy));
25769 +       }
25770 +
25771 +       if (rphy) {
25772 +               dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25773 +                   &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25774 +               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25775 +                   ioc->name, rphy, rphy->dev.release));
25776 +       }
25777 +}
25778 +
25779  /* no mutex */
25780  static void
25781  mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25782 @@ -475,23 +492,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25783                 return NULL;
25784  }
25785  
25786 -static inline void
25787 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25788 -{
25789 -       if (phy_info->port_details) {
25790 -               phy_info->port_details->rphy = rphy;
25791 -               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25792 -                   ioc->name, rphy));
25793 -       }
25794 -
25795 -       if (rphy) {
25796 -               dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25797 -                   &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25798 -               dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25799 -                   ioc->name, rphy, rphy->dev.release));
25800 -       }
25801 -}
25802 -
25803  static inline struct sas_port *
25804  mptsas_get_port(struct mptsas_phyinfo *phy_info)
25805  {
25806 diff -urNp linux-2.6.35.5/drivers/message/i2o/i2o_proc.c linux-2.6.35.5/drivers/message/i2o/i2o_proc.c
25807 --- linux-2.6.35.5/drivers/message/i2o/i2o_proc.c       2010-08-26 19:47:12.000000000 -0400
25808 +++ linux-2.6.35.5/drivers/message/i2o/i2o_proc.c       2010-09-17 20:12:09.000000000 -0400
25809 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25810         "Array Controller Device"
25811  };
25812  
25813 -static char *chtostr(u8 * chars, int n)
25814 -{
25815 -       char tmp[256];
25816 -       tmp[0] = 0;
25817 -       return strncat(tmp, (char *)chars, n);
25818 -}
25819 -
25820  static int i2o_report_query_status(struct seq_file *seq, int block_status,
25821                                    char *group)
25822  {
25823 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25824  
25825                 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25826                 seq_printf(seq, "%-#8x", ddm_table.module_id);
25827 -               seq_printf(seq, "%-29s",
25828 -                          chtostr(ddm_table.module_name_version, 28));
25829 +               seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25830                 seq_printf(seq, "%9d  ", ddm_table.data_size);
25831                 seq_printf(seq, "%8d", ddm_table.code_size);
25832  
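Review bot: `%-.28s` bounds the read of the fixed-size field but drops the minimum width that `%-29s` supplied, so the module-name column is no longer padded and the `%9d` column after it shifts whenever the name is shorter than 28 characters. Keeping both width and precision preserves the table layout: `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`. The next hunk (i2o_seq_show_drivers_stored) loses its padding the same way and would want `%-29.28s` and `%-9.8s`. Both enclosing functions start and end outside their hunks.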
25833 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25834  
25835                 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25836                 seq_printf(seq, "%-#8x", dst->module_id);
25837 -               seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25838 -               seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25839 +               seq_printf(seq, "%-.28s", dst->module_name_version);
25840 +               seq_printf(seq, "%-.8s", dst->date);
25841                 seq_printf(seq, "%8d ", dst->module_size);
25842                 seq_printf(seq, "%8d ", dst->mpb_size);
25843                 seq_printf(seq, "0x%04x", dst->module_flags);
25844 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25845         seq_printf(seq, "Device Class  : %s\n", i2o_get_class_name(work16[0]));
25846         seq_printf(seq, "Owner TID     : %0#5x\n", work16[2]);
25847         seq_printf(seq, "Parent TID    : %0#5x\n", work16[3]);
25848 -       seq_printf(seq, "Vendor info   : %s\n",
25849 -                  chtostr((u8 *) (work32 + 2), 16));
25850 -       seq_printf(seq, "Product info  : %s\n",
25851 -                  chtostr((u8 *) (work32 + 6), 16));
25852 -       seq_printf(seq, "Description   : %s\n",
25853 -                  chtostr((u8 *) (work32 + 10), 16));
25854 -       seq_printf(seq, "Product rev.  : %s\n",
25855 -                  chtostr((u8 *) (work32 + 14), 8));
25856 +       seq_printf(seq, "Vendor info   : %.16s\n", (u8 *) (work32 + 2));
25857 +       seq_printf(seq, "Product info  : %.16s\n", (u8 *) (work32 + 6));
25858 +       seq_printf(seq, "Description   : %.16s\n", (u8 *) (work32 + 10));
25859 +       seq_printf(seq, "Product rev.  : %.8s\n", (u8 *) (work32 + 14));
25860  
25861         seq_printf(seq, "Serial number : ");
25862         print_serial_number(seq, (u8 *) (work32 + 16),
25863 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
25864         }
25865  
25866         seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
25867 -       seq_printf(seq, "Module name         : %s\n",
25868 -                  chtostr(result.module_name, 24));
25869 -       seq_printf(seq, "Module revision     : %s\n",
25870 -                  chtostr(result.module_rev, 8));
25871 +       seq_printf(seq, "Module name         : %.24s\n", result.module_name);
25872 +       seq_printf(seq, "Module revision     : %.8s\n", result.module_rev);
25873  
25874         seq_printf(seq, "Serial number       : ");
25875         print_serial_number(seq, result.serial_number, sizeof(result) - 36);
25876 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
25877                 return 0;
25878         }
25879  
25880 -       seq_printf(seq, "Device name     : %s\n",
25881 -                  chtostr(result.device_name, 64));
25882 -       seq_printf(seq, "Service name    : %s\n",
25883 -                  chtostr(result.service_name, 64));
25884 -       seq_printf(seq, "Physical name   : %s\n",
25885 -                  chtostr(result.physical_location, 64));
25886 -       seq_printf(seq, "Instance number : %s\n",
25887 -                  chtostr(result.instance_number, 4));
25888 +       seq_printf(seq, "Device name     : %.64s\n", result.device_name);
25889 +       seq_printf(seq, "Service name    : %.64s\n", result.service_name);
25890 +       seq_printf(seq, "Physical name   : %.64s\n", result.physical_location);
25891 +       seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
25892  
25893         return 0;
25894  }
25895 diff -urNp linux-2.6.35.5/drivers/mfd/janz-cmodio.c linux-2.6.35.5/drivers/mfd/janz-cmodio.c
25896 --- linux-2.6.35.5/drivers/mfd/janz-cmodio.c    2010-08-26 19:47:12.000000000 -0400
25897 +++ linux-2.6.35.5/drivers/mfd/janz-cmodio.c    2010-09-17 20:12:09.000000000 -0400
25898 @@ -13,6 +13,7 @@
25899  
25900  #include <linux/kernel.h>
25901  #include <linux/module.h>
25902 +#include <linux/slab.h>
25903  #include <linux/init.h>
25904  #include <linux/pci.h>
25905  #include <linux/interrupt.h>
25906 diff -urNp linux-2.6.35.5/drivers/misc/kgdbts.c linux-2.6.35.5/drivers/misc/kgdbts.c
25907 --- linux-2.6.35.5/drivers/misc/kgdbts.c        2010-08-26 19:47:12.000000000 -0400
25908 +++ linux-2.6.35.5/drivers/misc/kgdbts.c        2010-09-17 20:12:09.000000000 -0400
25909 @@ -118,7 +118,7 @@
25910         } while (0)
25911  #define MAX_CONFIG_LEN         40
25912  
25913 -static struct kgdb_io kgdbts_io_ops;
25914 +static const struct kgdb_io kgdbts_io_ops;
25915  static char get_buf[BUFMAX];
25916  static int get_buf_cnt;
25917  static char put_buf[BUFMAX];
25918 @@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
25919                 module_put(THIS_MODULE);
25920  }
25921  
25922 -static struct kgdb_io kgdbts_io_ops = {
25923 +static const struct kgdb_io kgdbts_io_ops = {
25924         .name                   = "kgdbts",
25925         .read_char              = kgdbts_get_char,
25926         .write_char             = kgdbts_put_char,
25927 diff -urNp linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c
25928 --- linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c    2010-08-26 19:47:12.000000000 -0400
25929 +++ linux-2.6.35.5/drivers/misc/sgi-gru/gruhandles.c    2010-09-17 20:12:09.000000000 -0400
25930 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
25931         unsigned long nsec;
25932  
25933         nsec = CLKS2NSEC(clks);
25934 -       atomic_long_inc(&mcs_op_statistics[op].count);
25935 -       atomic_long_add(nsec, &mcs_op_statistics[op].total);
25936 +       atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
25937 +       atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
25938         if (mcs_op_statistics[op].max < nsec)
25939                 mcs_op_statistics[op].max = nsec;
25940  }
25941 diff -urNp linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c
25942 --- linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c     2010-08-26 19:47:12.000000000 -0400
25943 +++ linux-2.6.35.5/drivers/misc/sgi-gru/gruprocfs.c     2010-09-17 20:12:09.000000000 -0400
25944 @@ -32,9 +32,9 @@
25945  
25946  #define printstat(s, f)                printstat_val(s, &gru_stats.f, #f)
25947  
25948 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
25949 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
25950  {
25951 -       unsigned long val = atomic_long_read(v);
25952 +       unsigned long val = atomic_long_read_unchecked(v);
25953  
25954         seq_printf(s, "%16lu %s\n", val, id);
25955  }
25956 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
25957  
25958         seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
25959         for (op = 0; op < mcsop_last; op++) {
25960 -               count = atomic_long_read(&mcs_op_statistics[op].count);
25961 -               total = atomic_long_read(&mcs_op_statistics[op].total);
25962 +               count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
25963 +               total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
25964                 max = mcs_op_statistics[op].max;
25965                 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
25966                            count ? total / count : 0, max);
25967 diff -urNp linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h
25968 --- linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h     2010-08-26 19:47:12.000000000 -0400
25969 +++ linux-2.6.35.5/drivers/misc/sgi-gru/grutables.h     2010-09-17 20:12:09.000000000 -0400
25970 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
25971   * GRU statistics.
25972   */
25973  struct gru_stats_s {
25974 -       atomic_long_t vdata_alloc;
25975 -       atomic_long_t vdata_free;
25976 -       atomic_long_t gts_alloc;
25977 -       atomic_long_t gts_free;
25978 -       atomic_long_t gms_alloc;
25979 -       atomic_long_t gms_free;
25980 -       atomic_long_t gts_double_allocate;
25981 -       atomic_long_t assign_context;
25982 -       atomic_long_t assign_context_failed;
25983 -       atomic_long_t free_context;
25984 -       atomic_long_t load_user_context;
25985 -       atomic_long_t load_kernel_context;
25986 -       atomic_long_t lock_kernel_context;
25987 -       atomic_long_t unlock_kernel_context;
25988 -       atomic_long_t steal_user_context;
25989 -       atomic_long_t steal_kernel_context;
25990 -       atomic_long_t steal_context_failed;
25991 -       atomic_long_t nopfn;
25992 -       atomic_long_t asid_new;
25993 -       atomic_long_t asid_next;
25994 -       atomic_long_t asid_wrap;
25995 -       atomic_long_t asid_reuse;
25996 -       atomic_long_t intr;
25997 -       atomic_long_t intr_cbr;
25998 -       atomic_long_t intr_tfh;
25999 -       atomic_long_t intr_spurious;
26000 -       atomic_long_t intr_mm_lock_failed;
26001 -       atomic_long_t call_os;
26002 -       atomic_long_t call_os_wait_queue;
26003 -       atomic_long_t user_flush_tlb;
26004 -       atomic_long_t user_unload_context;
26005 -       atomic_long_t user_exception;
26006 -       atomic_long_t set_context_option;
26007 -       atomic_long_t check_context_retarget_intr;
26008 -       atomic_long_t check_context_unload;
26009 -       atomic_long_t tlb_dropin;
26010 -       atomic_long_t tlb_preload_page;
26011 -       atomic_long_t tlb_dropin_fail_no_asid;
26012 -       atomic_long_t tlb_dropin_fail_upm;
26013 -       atomic_long_t tlb_dropin_fail_invalid;
26014 -       atomic_long_t tlb_dropin_fail_range_active;
26015 -       atomic_long_t tlb_dropin_fail_idle;
26016 -       atomic_long_t tlb_dropin_fail_fmm;
26017 -       atomic_long_t tlb_dropin_fail_no_exception;
26018 -       atomic_long_t tfh_stale_on_fault;
26019 -       atomic_long_t mmu_invalidate_range;
26020 -       atomic_long_t mmu_invalidate_page;
26021 -       atomic_long_t flush_tlb;
26022 -       atomic_long_t flush_tlb_gru;
26023 -       atomic_long_t flush_tlb_gru_tgh;
26024 -       atomic_long_t flush_tlb_gru_zero_asid;
26025 -
26026 -       atomic_long_t copy_gpa;
26027 -       atomic_long_t read_gpa;
26028 -
26029 -       atomic_long_t mesq_receive;
26030 -       atomic_long_t mesq_receive_none;
26031 -       atomic_long_t mesq_send;
26032 -       atomic_long_t mesq_send_failed;
26033 -       atomic_long_t mesq_noop;
26034 -       atomic_long_t mesq_send_unexpected_error;
26035 -       atomic_long_t mesq_send_lb_overflow;
26036 -       atomic_long_t mesq_send_qlimit_reached;
26037 -       atomic_long_t mesq_send_amo_nacked;
26038 -       atomic_long_t mesq_send_put_nacked;
26039 -       atomic_long_t mesq_page_overflow;
26040 -       atomic_long_t mesq_qf_locked;
26041 -       atomic_long_t mesq_qf_noop_not_full;
26042 -       atomic_long_t mesq_qf_switch_head_failed;
26043 -       atomic_long_t mesq_qf_unexpected_error;
26044 -       atomic_long_t mesq_noop_unexpected_error;
26045 -       atomic_long_t mesq_noop_lb_overflow;
26046 -       atomic_long_t mesq_noop_qlimit_reached;
26047 -       atomic_long_t mesq_noop_amo_nacked;
26048 -       atomic_long_t mesq_noop_put_nacked;
26049 -       atomic_long_t mesq_noop_page_overflow;
26050 +       atomic_long_unchecked_t vdata_alloc;
26051 +       atomic_long_unchecked_t vdata_free;
26052 +       atomic_long_unchecked_t gts_alloc;
26053 +       atomic_long_unchecked_t gts_free;
26054 +       atomic_long_unchecked_t gms_alloc;
26055 +       atomic_long_unchecked_t gms_free;
26056 +       atomic_long_unchecked_t gts_double_allocate;
26057 +       atomic_long_unchecked_t assign_context;
26058 +       atomic_long_unchecked_t assign_context_failed;
26059 +       atomic_long_unchecked_t free_context;
26060 +       atomic_long_unchecked_t load_user_context;
26061 +       atomic_long_unchecked_t load_kernel_context;
26062 +       atomic_long_unchecked_t lock_kernel_context;
26063 +       atomic_long_unchecked_t unlock_kernel_context;
26064 +       atomic_long_unchecked_t steal_user_context;
26065 +       atomic_long_unchecked_t steal_kernel_context;
26066 +       atomic_long_unchecked_t steal_context_failed;
26067 +       atomic_long_unchecked_t nopfn;
26068 +       atomic_long_unchecked_t asid_new;
26069 +       atomic_long_unchecked_t asid_next;
26070 +       atomic_long_unchecked_t asid_wrap;
26071 +       atomic_long_unchecked_t asid_reuse;
26072 +       atomic_long_unchecked_t intr;
26073 +       atomic_long_unchecked_t intr_cbr;
26074 +       atomic_long_unchecked_t intr_tfh;
26075 +       atomic_long_unchecked_t intr_spurious;
26076 +       atomic_long_unchecked_t intr_mm_lock_failed;
26077 +       atomic_long_unchecked_t call_os;
26078 +       atomic_long_unchecked_t call_os_wait_queue;
26079 +       atomic_long_unchecked_t user_flush_tlb;
26080 +       atomic_long_unchecked_t user_unload_context;
26081 +       atomic_long_unchecked_t user_exception;
26082 +       atomic_long_unchecked_t set_context_option;
26083 +       atomic_long_unchecked_t check_context_retarget_intr;
26084 +       atomic_long_unchecked_t check_context_unload;
26085 +       atomic_long_unchecked_t tlb_dropin;
26086 +       atomic_long_unchecked_t tlb_preload_page;
26087 +       atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26088 +       atomic_long_unchecked_t tlb_dropin_fail_upm;
26089 +       atomic_long_unchecked_t tlb_dropin_fail_invalid;
26090 +       atomic_long_unchecked_t tlb_dropin_fail_range_active;
26091 +       atomic_long_unchecked_t tlb_dropin_fail_idle;
26092 +       atomic_long_unchecked_t tlb_dropin_fail_fmm;
26093 +       atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26094 +       atomic_long_unchecked_t tfh_stale_on_fault;
26095 +       atomic_long_unchecked_t mmu_invalidate_range;
26096 +       atomic_long_unchecked_t mmu_invalidate_page;
26097 +       atomic_long_unchecked_t flush_tlb;
26098 +       atomic_long_unchecked_t flush_tlb_gru;
26099 +       atomic_long_unchecked_t flush_tlb_gru_tgh;
26100 +       atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26101 +
26102 +       atomic_long_unchecked_t copy_gpa;
26103 +       atomic_long_unchecked_t read_gpa;
26104 +
26105 +       atomic_long_unchecked_t mesq_receive;
26106 +       atomic_long_unchecked_t mesq_receive_none;
26107 +       atomic_long_unchecked_t mesq_send;
26108 +       atomic_long_unchecked_t mesq_send_failed;
26109 +       atomic_long_unchecked_t mesq_noop;
26110 +       atomic_long_unchecked_t mesq_send_unexpected_error;
26111 +       atomic_long_unchecked_t mesq_send_lb_overflow;
26112 +       atomic_long_unchecked_t mesq_send_qlimit_reached;
26113 +       atomic_long_unchecked_t mesq_send_amo_nacked;
26114 +       atomic_long_unchecked_t mesq_send_put_nacked;
26115 +       atomic_long_unchecked_t mesq_page_overflow;
26116 +       atomic_long_unchecked_t mesq_qf_locked;
26117 +       atomic_long_unchecked_t mesq_qf_noop_not_full;
26118 +       atomic_long_unchecked_t mesq_qf_switch_head_failed;
26119 +       atomic_long_unchecked_t mesq_qf_unexpected_error;
26120 +       atomic_long_unchecked_t mesq_noop_unexpected_error;
26121 +       atomic_long_unchecked_t mesq_noop_lb_overflow;
26122 +       atomic_long_unchecked_t mesq_noop_qlimit_reached;
26123 +       atomic_long_unchecked_t mesq_noop_amo_nacked;
26124 +       atomic_long_unchecked_t mesq_noop_put_nacked;
26125 +       atomic_long_unchecked_t mesq_noop_page_overflow;
26126  
26127  };
26128  
26129 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26130         tghop_invalidate, mcsop_last};
26131  
26132  struct mcs_op_statistic {
26133 -       atomic_long_t   count;
26134 -       atomic_long_t   total;
26135 +       atomic_long_unchecked_t count;
26136 +       atomic_long_unchecked_t total;
26137         unsigned long   max;
26138  };
26139  
26140 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26141  
26142  #define STAT(id)       do {                                            \
26143                                 if (gru_options & OPT_STATS)            \
26144 -                                       atomic_long_inc(&gru_stats.id); \
26145 +                                       atomic_long_inc_unchecked(&gru_stats.id);       \
26146                         } while (0)
26147  
26148  #ifdef CONFIG_SGI_GRU_DEBUG
26149 diff -urNp linux-2.6.35.5/drivers/mtd/devices/doc2000.c linux-2.6.35.5/drivers/mtd/devices/doc2000.c
26150 --- linux-2.6.35.5/drivers/mtd/devices/doc2000.c        2010-08-26 19:47:12.000000000 -0400
26151 +++ linux-2.6.35.5/drivers/mtd/devices/doc2000.c        2010-09-17 20:12:09.000000000 -0400
26152 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26153  
26154                 /* The ECC will not be calculated correctly if less than 512 is written */
26155  /* DBB-
26156 -               if (len != 0x200 && eccbuf)
26157 +               if (len != 0x200)
26158                         printk(KERN_WARNING
26159                                "ECC needs a full sector write (adr: %lx size %lx)\n",
26160                                (long) to, (long) len);
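Review bot: The changed condition sits directly below a `/* DBB-` comment opener, so it appears to be inside commented-out code and the edit would have no effect on the built driver. If the warning is meant to be live, the comment block has to be closed before the `if`; otherwise the hunk can be dropped. The end of the comment and the rest of doc_write are outside the hunk, so this is inferred from the opener alone.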
26161 diff -urNp linux-2.6.35.5/drivers/mtd/devices/doc2001.c linux-2.6.35.5/drivers/mtd/devices/doc2001.c
26162 --- linux-2.6.35.5/drivers/mtd/devices/doc2001.c        2010-08-26 19:47:12.000000000 -0400
26163 +++ linux-2.6.35.5/drivers/mtd/devices/doc2001.c        2010-09-17 20:12:09.000000000 -0400
26164 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26165         struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26166  
26167         /* Don't allow read past end of device */
26168 -       if (from >= this->totlen)
26169 +       if (from >= this->totlen || !len)
26170                 return -EINVAL;
26171  
26172         /* Don't allow a single read to cross a 512-byte block boundary */
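Review bot: The comment above the test still reads `Don't allow read past end of device`, but the condition now also rejects a zero-length request. Suggest `/* Reject zero-length reads and reads that start past the end of the device */`. Returning `-EINVAL` for `len == 0` is a behaviour change for any caller that treats an empty read as success; whether such callers exist is not visible here. The check also still covers only the start offset, and doc_read continues outside the hunk, so the handling of `from + len` cannot be confirmed.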
26173 diff -urNp linux-2.6.35.5/drivers/mtd/nand/denali.c linux-2.6.35.5/drivers/mtd/nand/denali.c
26174 --- linux-2.6.35.5/drivers/mtd/nand/denali.c    2010-08-26 19:47:12.000000000 -0400
26175 +++ linux-2.6.35.5/drivers/mtd/nand/denali.c    2010-09-17 20:12:09.000000000 -0400
26176 @@ -24,6 +24,7 @@
26177  #include <linux/pci.h>
26178  #include <linux/mtd/mtd.h>
26179  #include <linux/module.h>
26180 +#include <linux/slab.h>
26181  
26182  #include "denali.h"
26183  
26184 diff -urNp linux-2.6.35.5/drivers/mtd/ubi/build.c linux-2.6.35.5/drivers/mtd/ubi/build.c
26185 --- linux-2.6.35.5/drivers/mtd/ubi/build.c      2010-08-26 19:47:12.000000000 -0400
26186 +++ linux-2.6.35.5/drivers/mtd/ubi/build.c      2010-09-17 20:12:09.000000000 -0400
26187 @@ -1282,7 +1282,7 @@ module_exit(ubi_exit);
26188  static int __init bytes_str_to_int(const char *str)
26189  {
26190         char *endp;
26191 -       unsigned long result;
26192 +       unsigned long result, scale = 1;
26193  
26194         result = simple_strtoul(str, &endp, 0);
26195         if (str == endp || result >= INT_MAX) {
26196 @@ -1293,11 +1293,11 @@ static int __init bytes_str_to_int(const
26197  
26198         switch (*endp) {
26199         case 'G':
26200 -               result *= 1024;
26201 +               scale *= 1024;
26202         case 'M':
26203 -               result *= 1024;
26204 +               scale *= 1024;
26205         case 'K':
26206 -               result *= 1024;
26207 +               scale *= 1024;
26208                 if (endp[1] == 'i' && endp[2] == 'B')
26209                         endp += 2;
26210         case '\0':
26211 @@ -1308,7 +1308,13 @@ static int __init bytes_str_to_int(const
26212                 return -EINVAL;
26213         }
26214  
26215 -       return result;
26216 +       if ((intoverflow_t)result*scale >= INT_MAX) {
26217 +               printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26218 +                      str);
26219 +               return -EINVAL;
26220 +       }
26221 +
26222 +       return result*scale;
26223  }
26224  
26225  /**
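Review bot: The new bound `(intoverflow_t)result*scale >= INT_MAX` only works if `intoverflow_t` is wider than `unsigned long` on 32-bit builds, and its definition is not in this file section. A division-based test needs no wider type and cannot wrap: `if (result > INT_MAX / scale) {`. The switch in the previous hunk also relies on falling through from 'G' to 'M' to 'K' to accumulate `scale`, and a `/* fall through */` on each case would make that intent explicit. bytes_str_to_int spans three hunks and parts of its body are not shown.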
26226 diff -urNp linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c
26227 --- linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c       2010-08-26 19:47:12.000000000 -0400
26228 +++ linux-2.6.35.5/drivers/net/cxgb3/cxgb3_main.c       2010-09-17 20:12:37.000000000 -0400
26229 @@ -2296,6 +2296,8 @@ static int cxgb_extension_ioctl(struct n
26230         case CHELSIO_GET_QSET_NUM:{
26231                 struct ch_reg edata;
26232  
26233 +               memset(&edata, 0, sizeof(edata));
26234 +
26235                 edata.cmd = CHELSIO_GET_QSET_NUM;
26236                 edata.val = pi->nqsets;
26237                 if (copy_to_user(useraddr, &edata, sizeof(edata)))
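Review bot: The added `memset(&edata, 0, sizeof(edata));` has no comment saying that it keeps uninitialised stack bytes (padding, or any field not assigned below) out of the `copy_to_user()`. Next to the two assignments it reads as redundant and could be removed in a later cleanup. A one-line comment such as `/* clear padding and unset fields: edata is copied to user space */` would protect it. Other cases of this ioctl switch are outside the hunk; any that build a struct on the stack and copy it out would want the same treatment.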
26238 diff -urNp linux-2.6.35.5/drivers/net/e1000e/82571.c linux-2.6.35.5/drivers/net/e1000e/82571.c
26239 --- linux-2.6.35.5/drivers/net/e1000e/82571.c   2010-08-26 19:47:12.000000000 -0400
26240 +++ linux-2.6.35.5/drivers/net/e1000e/82571.c   2010-09-17 20:12:09.000000000 -0400
26241 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
26242  {
26243         struct e1000_hw *hw = &adapter->hw;
26244         struct e1000_mac_info *mac = &hw->mac;
26245 +       /* cannot be const */
26246         struct e1000_mac_operations *func = &mac->ops;
26247         u32 swsm = 0;
26248         u32 swsm2 = 0;
26249 @@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
26250         er32(ICRXDMTC);
26251  }
26252  
26253 -static struct e1000_mac_operations e82571_mac_ops = {
26254 +static const struct e1000_mac_operations e82571_mac_ops = {
26255         /* .check_mng_mode: mac type dependent */
26256         /* .check_for_link: media type dependent */
26257         .id_led_init            = e1000e_id_led_init,
26258 @@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
26259         .read_mac_addr          = e1000_read_mac_addr_82571,
26260  };
26261  
26262 -static struct e1000_phy_operations e82_phy_ops_igp = {
26263 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26264         .acquire                = e1000_get_hw_semaphore_82571,
26265         .check_polarity         = e1000_check_polarity_igp,
26266         .check_reset_block      = e1000e_check_reset_block_generic,
26267 @@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
26268         .cfg_on_link_up         = NULL,
26269  };
26270  
26271 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26272 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26273         .acquire                = e1000_get_hw_semaphore_82571,
26274         .check_polarity         = e1000_check_polarity_m88,
26275         .check_reset_block      = e1000e_check_reset_block_generic,
26276 @@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
26277         .cfg_on_link_up         = NULL,
26278  };
26279  
26280 -static struct e1000_phy_operations e82_phy_ops_bm = {
26281 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26282         .acquire                = e1000_get_hw_semaphore_82571,
26283         .check_polarity         = e1000_check_polarity_m88,
26284         .check_reset_block      = e1000e_check_reset_block_generic,
26285 @@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
26286         .cfg_on_link_up         = NULL,
26287  };
26288  
26289 -static struct e1000_nvm_operations e82571_nvm_ops = {
26290 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26291         .acquire                = e1000_acquire_nvm_82571,
26292         .read                   = e1000e_read_nvm_eerd,
26293         .release                = e1000_release_nvm_82571,
26294 diff -urNp linux-2.6.35.5/drivers/net/e1000e/e1000.h linux-2.6.35.5/drivers/net/e1000e/e1000.h
26295 --- linux-2.6.35.5/drivers/net/e1000e/e1000.h   2010-08-26 19:47:12.000000000 -0400
26296 +++ linux-2.6.35.5/drivers/net/e1000e/e1000.h   2010-09-17 20:12:09.000000000 -0400
26297 @@ -377,9 +377,9 @@ struct e1000_info {
26298         u32                     pba;
26299         u32                     max_hw_frame_size;
26300         s32                     (*get_variants)(struct e1000_adapter *);
26301 -       struct e1000_mac_operations *mac_ops;
26302 -       struct e1000_phy_operations *phy_ops;
26303 -       struct e1000_nvm_operations *nvm_ops;
26304 +       const struct e1000_mac_operations *mac_ops;
26305 +       const struct e1000_phy_operations *phy_ops;
26306 +       const struct e1000_nvm_operations *nvm_ops;
26307  };
26308  
26309  /* hardware capability, feature, and workaround flags */
26310 diff -urNp linux-2.6.35.5/drivers/net/e1000e/es2lan.c linux-2.6.35.5/drivers/net/e1000e/es2lan.c
26311 --- linux-2.6.35.5/drivers/net/e1000e/es2lan.c  2010-08-26 19:47:12.000000000 -0400
26312 +++ linux-2.6.35.5/drivers/net/e1000e/es2lan.c  2010-09-17 20:12:09.000000000 -0400
26313 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26314  {
26315         struct e1000_hw *hw = &adapter->hw;
26316         struct e1000_mac_info *mac = &hw->mac;
26317 +       /* cannot be const */
26318         struct e1000_mac_operations *func = &mac->ops;
26319  
26320         /* Set media type */
26321 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26322         er32(ICRXDMTC);
26323  }
26324  
26325 -static struct e1000_mac_operations es2_mac_ops = {
26326 +static const struct e1000_mac_operations es2_mac_ops = {
26327         .read_mac_addr          = e1000_read_mac_addr_80003es2lan,
26328         .id_led_init            = e1000e_id_led_init,
26329         .check_mng_mode         = e1000e_check_mng_mode_generic,
26330 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26331         .setup_led              = e1000e_setup_led_generic,
26332  };
26333  
26334 -static struct e1000_phy_operations es2_phy_ops = {
26335 +static const struct e1000_phy_operations es2_phy_ops = {
26336         .acquire                = e1000_acquire_phy_80003es2lan,
26337         .check_polarity         = e1000_check_polarity_m88,
26338         .check_reset_block      = e1000e_check_reset_block_generic,
26339 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26340         .cfg_on_link_up         = e1000_cfg_on_link_up_80003es2lan,
26341  };
26342  
26343 -static struct e1000_nvm_operations es2_nvm_ops = {
26344 +static const struct e1000_nvm_operations es2_nvm_ops = {
26345         .acquire                = e1000_acquire_nvm_80003es2lan,
26346         .read                   = e1000e_read_nvm_eerd,
26347         .release                = e1000_release_nvm_80003es2lan,
26348 diff -urNp linux-2.6.35.5/drivers/net/e1000e/hw.h linux-2.6.35.5/drivers/net/e1000e/hw.h
26349 --- linux-2.6.35.5/drivers/net/e1000e/hw.h      2010-08-26 19:47:12.000000000 -0400
26350 +++ linux-2.6.35.5/drivers/net/e1000e/hw.h      2010-09-17 20:12:09.000000000 -0400
26351 @@ -791,13 +791,13 @@ struct e1000_phy_operations {
26352  
26353  /* Function pointers for the NVM. */
26354  struct e1000_nvm_operations {
26355 -       s32  (*acquire)(struct e1000_hw *);
26356 -       s32  (*read)(struct e1000_hw *, u16, u16, u16 *);
26357 -       void (*release)(struct e1000_hw *);
26358 -       s32  (*update)(struct e1000_hw *);
26359 -       s32  (*valid_led_default)(struct e1000_hw *, u16 *);
26360 -       s32  (*validate)(struct e1000_hw *);
26361 -       s32  (*write)(struct e1000_hw *, u16, u16, u16 *);
26362 +       s32  (* const acquire)(struct e1000_hw *);
26363 +       s32  (* const read)(struct e1000_hw *, u16, u16, u16 *);
26364 +       void (* const release)(struct e1000_hw *);
26365 +       s32  (* const update)(struct e1000_hw *);
26366 +       s32  (* const valid_led_default)(struct e1000_hw *, u16 *);
26367 +       s32  (* const validate)(struct e1000_hw *);
26368 +       s32  (* const write)(struct e1000_hw *, u16, u16, u16 *);
26369  };
26370  
26371  struct e1000_mac_info {
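Review bot: The `* const` qualifiers on the `e1000_nvm_operations` members are a compile-time guard only. The next hunk keeps `struct e1000_nvm_operations ops` embedded by value in `struct e1000_nvm_info` with the bare comment `/* cannot be const */`, so that copy of the function pointers still sits in writable memory. A struct whose members are all const cannot be assigned member by member or as a whole, so whatever fills `ops` presumably copies raw bytes; that code is not in this hunk. I would expand the comment to say why, for example `/* filled at run time from the per-chip table, so the embedded copy stays writable */`, if that is indeed the reason. The same pattern and the same terse comment appear in the igb `e1000_hw.h` hunks further down.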
26372 @@ -877,6 +877,7 @@ struct e1000_phy_info {
26373  };
26374  
26375  struct e1000_nvm_info {
26376 +       /* cannot be const */
26377         struct e1000_nvm_operations ops;
26378  
26379         enum e1000_nvm_type type;
26380 diff -urNp linux-2.6.35.5/drivers/net/e1000e/ich8lan.c linux-2.6.35.5/drivers/net/e1000e/ich8lan.c
26381 --- linux-2.6.35.5/drivers/net/e1000e/ich8lan.c 2010-08-26 19:47:12.000000000 -0400
26382 +++ linux-2.6.35.5/drivers/net/e1000e/ich8lan.c 2010-09-17 20:12:09.000000000 -0400
26383 @@ -3388,7 +3388,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26384         }
26385  }
26386  
26387 -static struct e1000_mac_operations ich8_mac_ops = {
26388 +static const struct e1000_mac_operations ich8_mac_ops = {
26389         .id_led_init            = e1000e_id_led_init,
26390         .check_mng_mode         = e1000_check_mng_mode_ich8lan,
26391         .check_for_link         = e1000_check_for_copper_link_ich8lan,
26392 @@ -3407,7 +3407,7 @@ static struct e1000_mac_operations ich8_
26393         /* id_led_init dependent on mac type */
26394  };
26395  
26396 -static struct e1000_phy_operations ich8_phy_ops = {
26397 +static const struct e1000_phy_operations ich8_phy_ops = {
26398         .acquire                = e1000_acquire_swflag_ich8lan,
26399         .check_reset_block      = e1000_check_reset_block_ich8lan,
26400         .commit                 = NULL,
26401 @@ -3421,7 +3421,7 @@ static struct e1000_phy_operations ich8_
26402         .write_reg              = e1000e_write_phy_reg_igp,
26403  };
26404  
26405 -static struct e1000_nvm_operations ich8_nvm_ops = {
26406 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26407         .acquire                = e1000_acquire_nvm_ich8lan,
26408         .read                   = e1000_read_nvm_ich8lan,
26409         .release                = e1000_release_nvm_ich8lan,
26410 diff -urNp linux-2.6.35.5/drivers/net/eql.c linux-2.6.35.5/drivers/net/eql.c
26411 --- linux-2.6.35.5/drivers/net/eql.c    2010-08-26 19:47:12.000000000 -0400
26412 +++ linux-2.6.35.5/drivers/net/eql.c    2010-09-17 20:12:37.000000000 -0400
26413 @@ -555,6 +555,8 @@ static int eql_g_master_cfg(struct net_d
26414         equalizer_t *eql;
26415         master_config_t mc;
26416  
26417 +       memset(&mc, 0, sizeof(mc));
26418 +
26419         if (eql_is_master(dev)) {
26420                 eql = netdev_priv(dev);
26421                 mc.max_slaves = eql->max_slaves;
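Review bot: The added `memset(&mc, 0, sizeof(mc))` carries no comment saying what it protects, so it reads like redundant initialisation that a later cleanup could remove. `mc` is a stack struct and the visible lines assign only `mc.max_slaves`. Presumably it is copied to user space further down in eql_g_master_cfg, outside the hunk, in which case unset fields and padding would otherwise carry stale stack bytes. Suggest `/* zero mc: unset fields and padding must not reach user space */` above the call. The `memset(&icount, 0, sizeof(icount))` added in the hso_get_count hunk of drivers/net/usb/hso.c deserves the same comment.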
26422 diff -urNp linux-2.6.35.5/drivers/net/igb/e1000_82575.c linux-2.6.35.5/drivers/net/igb/e1000_82575.c
26423 --- linux-2.6.35.5/drivers/net/igb/e1000_82575.c        2010-08-26 19:47:12.000000000 -0400
26424 +++ linux-2.6.35.5/drivers/net/igb/e1000_82575.c        2010-09-17 20:12:09.000000000 -0400
26425 @@ -1597,7 +1597,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26426         return ret_val;
26427  }
26428  
26429 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26430 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26431         .init_hw              = igb_init_hw_82575,
26432         .check_for_link       = igb_check_for_link_82575,
26433         .rar_set              = igb_rar_set,
26434 @@ -1605,13 +1605,13 @@ static struct e1000_mac_operations e1000
26435         .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26436  };
26437  
26438 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26439 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26440         .acquire              = igb_acquire_phy_82575,
26441         .get_cfg_done         = igb_get_cfg_done_82575,
26442         .release              = igb_release_phy_82575,
26443  };
26444  
26445 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26446 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26447         .acquire              = igb_acquire_nvm_82575,
26448         .read                 = igb_read_nvm_eerd,
26449         .release              = igb_release_nvm_82575,
26450 diff -urNp linux-2.6.35.5/drivers/net/igb/e1000_hw.h linux-2.6.35.5/drivers/net/igb/e1000_hw.h
26451 --- linux-2.6.35.5/drivers/net/igb/e1000_hw.h   2010-08-26 19:47:12.000000000 -0400
26452 +++ linux-2.6.35.5/drivers/net/igb/e1000_hw.h   2010-09-17 20:12:09.000000000 -0400
26453 @@ -323,17 +323,17 @@ struct e1000_phy_operations {
26454  };
26455  
26456  struct e1000_nvm_operations {
26457 -       s32  (*acquire)(struct e1000_hw *);
26458 -       s32  (*read)(struct e1000_hw *, u16, u16, u16 *);
26459 -       void (*release)(struct e1000_hw *);
26460 -       s32  (*write)(struct e1000_hw *, u16, u16, u16 *);
26461 +       s32  (* const acquire)(struct e1000_hw *);
26462 +       s32  (* const read)(struct e1000_hw *, u16, u16, u16 *);
26463 +       void (* const release)(struct e1000_hw *);
26464 +       s32  (* const write)(struct e1000_hw *, u16, u16, u16 *);
26465  };
26466  
26467  struct e1000_info {
26468         s32 (*get_invariants)(struct e1000_hw *);
26469 -       struct e1000_mac_operations *mac_ops;
26470 -       struct e1000_phy_operations *phy_ops;
26471 -       struct e1000_nvm_operations *nvm_ops;
26472 +       const struct e1000_mac_operations *mac_ops;
26473 +       const struct e1000_phy_operations *phy_ops;
26474 +       const struct e1000_nvm_operations *nvm_ops;
26475  };
26476  
26477  extern const struct e1000_info e1000_82575_info;
26478 @@ -412,6 +412,7 @@ struct e1000_phy_info {
26479  };
26480  
26481  struct e1000_nvm_info {
26482 +       /* cannot be const */
26483         struct e1000_nvm_operations ops;
26484  
26485         enum e1000_nvm_type type;
26486 diff -urNp linux-2.6.35.5/drivers/net/irda/vlsi_ir.c linux-2.6.35.5/drivers/net/irda/vlsi_ir.c
26487 --- linux-2.6.35.5/drivers/net/irda/vlsi_ir.c   2010-08-26 19:47:12.000000000 -0400
26488 +++ linux-2.6.35.5/drivers/net/irda/vlsi_ir.c   2010-09-17 20:12:09.000000000 -0400
26489 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26490                         /* no race - tx-ring already empty */
26491                         vlsi_set_baud(idev, iobase);
26492                         netif_wake_queue(ndev);
26493 -               }
26494 -               else
26495 -                       ;
26496 +               } else {
26497                         /* keep the speed change pending like it would
26498                          * for any len>0 packet. tx completion interrupt
26499                          * will apply it when the tx ring becomes empty.
26500                          */
26501 +               }
26502                 spin_unlock_irqrestore(&idev->lock, flags);
26503                 dev_kfree_skb_any(skb);
26504                 return NETDEV_TX_OK;
26505 diff -urNp linux-2.6.35.5/drivers/net/pcnet32.c linux-2.6.35.5/drivers/net/pcnet32.c
26506 --- linux-2.6.35.5/drivers/net/pcnet32.c        2010-08-26 19:47:12.000000000 -0400
26507 +++ linux-2.6.35.5/drivers/net/pcnet32.c        2010-09-17 20:12:09.000000000 -0400
26508 @@ -82,7 +82,7 @@ static int cards_found;
26509  /*
26510   * VLB I/O addresses
26511   */
26512 -static unsigned int pcnet32_portlist[] __initdata =
26513 +static unsigned int pcnet32_portlist[] __devinitdata =
26514      { 0x300, 0x320, 0x340, 0x360, 0 };
26515  
26516  static int pcnet32_debug;
26517 diff -urNp linux-2.6.35.5/drivers/net/ppp_generic.c linux-2.6.35.5/drivers/net/ppp_generic.c
26518 --- linux-2.6.35.5/drivers/net/ppp_generic.c    2010-08-26 19:47:12.000000000 -0400
26519 +++ linux-2.6.35.5/drivers/net/ppp_generic.c    2010-09-17 20:12:09.000000000 -0400
26520 @@ -992,7 +992,6 @@ ppp_net_ioctl(struct net_device *dev, st
26521         void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26522         struct ppp_stats stats;
26523         struct ppp_comp_stats cstats;
26524 -       char *vers;
26525  
26526         switch (cmd) {
26527         case SIOCGPPPSTATS:
26528 @@ -1014,8 +1013,7 @@ ppp_net_ioctl(struct net_device *dev, st
26529                 break;
26530  
26531         case SIOCGPPPVER:
26532 -               vers = PPP_VERSION;
26533 -               if (copy_to_user(addr, vers, strlen(vers) + 1))
26534 +               if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
26535                         break;
26536                 err = 0;
26537                 break;
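Review bot: `sizeof(PPP_VERSION)` gives the string length plus the terminating NUL only while `PPP_VERSION` expands to a string literal; its definition is not in this hunk. If it ever became a `const char *`, the same line would still compile and copy only pointer-size bytes. A short comment on the line, such as `/* PPP_VERSION must be a string literal: sizeof includes the NUL */`, would record that assumption. ppp_net_ioctl starts and ends outside the hunk.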
26538 diff -urNp linux-2.6.35.5/drivers/net/tg3.c linux-2.6.35.5/drivers/net/tg3.c
26539 --- linux-2.6.35.5/drivers/net/tg3.c    2010-08-26 19:47:12.000000000 -0400
26540 +++ linux-2.6.35.5/drivers/net/tg3.c    2010-09-17 20:12:09.000000000 -0400
26541 @@ -12410,7 +12410,7 @@ static void __devinit tg3_read_vpd(struc
26542                         cnt = pci_read_vpd(tp->pdev, pos,
26543                                            TG3_NVM_VPD_LEN - pos,
26544                                            &vpd_data[pos]);
26545 -                       if (cnt == -ETIMEDOUT || -EINTR)
26546 +                       if (cnt == -ETIMEDOUT || cnt == -EINTR)
26547                                 cnt = 0;
26548                         else if (cnt < 0)
26549                                 goto out_not_found;
26550 diff -urNp linux-2.6.35.5/drivers/net/tg3.h linux-2.6.35.5/drivers/net/tg3.h
26551 --- linux-2.6.35.5/drivers/net/tg3.h    2010-08-26 19:47:12.000000000 -0400
26552 +++ linux-2.6.35.5/drivers/net/tg3.h    2010-09-17 20:12:09.000000000 -0400
26553 @@ -130,6 +130,7 @@
26554  #define  CHIPREV_ID_5750_A0             0x4000
26555  #define  CHIPREV_ID_5750_A1             0x4001
26556  #define  CHIPREV_ID_5750_A3             0x4003
26557 +#define  CHIPREV_ID_5750_C1             0x4201
26558  #define  CHIPREV_ID_5750_C2             0x4202
26559  #define  CHIPREV_ID_5752_A0_HW          0x5000
26560  #define  CHIPREV_ID_5752_A0             0x6000
26561 diff -urNp linux-2.6.35.5/drivers/net/tulip/de4x5.c linux-2.6.35.5/drivers/net/tulip/de4x5.c
26562 --- linux-2.6.35.5/drivers/net/tulip/de4x5.c    2010-08-26 19:47:12.000000000 -0400
26563 +++ linux-2.6.35.5/drivers/net/tulip/de4x5.c    2010-09-17 20:12:37.000000000 -0400
26564 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26565         for (i=0; i<ETH_ALEN; i++) {
26566             tmp.addr[i] = dev->dev_addr[i];
26567         }
26568 -       if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26569 +       if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26570         break;
26571  
26572      case DE4X5_SET_HWADDR:           /* Set the hardware address */
26573 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26574         spin_lock_irqsave(&lp->lock, flags);
26575         memcpy(&statbuf, &lp->pktStats, ioc->len);
26576         spin_unlock_irqrestore(&lp->lock, flags);
26577 -       if (copy_to_user(ioc->data, &statbuf, ioc->len))
26578 +       if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
26579                 return -EFAULT;
26580         break;
26581      }
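Review bot: The new `ioc->len > sizeof(statbuf)` test runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines above it. An oversized `ioc->len` has therefore already been used to write past `statbuf` (and read past `lp->pktStats`) before it is rejected, and the check only protects the `copy_to_user`. The bound should be tested before the lock is taken: `if (ioc->len > sizeof(statbuf)) return -EFAULT;` placed ahead of `spin_lock_irqsave(&lp->lock, flags);`. de4x5_ioctl starts and ends outside the hunk, so whether `ioc->len` is validated earlier is not visible here.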
26582 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
26583         tmp.lval[6] = inl(DE4X5_STRR); j+=4;
26584         tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
26585         ioc->len = j;
26586 -       if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26587 +       if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
26588         break;
26589  
26590  #define DE4X5_DUMP              0x0f /* Dump the DE4X5 Status */
26591 diff -urNp linux-2.6.35.5/drivers/net/usb/hso.c linux-2.6.35.5/drivers/net/usb/hso.c
26592 --- linux-2.6.35.5/drivers/net/usb/hso.c        2010-08-26 19:47:12.000000000 -0400
26593 +++ linux-2.6.35.5/drivers/net/usb/hso.c        2010-09-17 20:12:37.000000000 -0400
26594 @@ -258,7 +258,7 @@ struct hso_serial {
26595  
26596         /* from usb_serial_port */
26597         struct tty_struct *tty;
26598 -       int open_count;
26599 +       atomic_t open_count;
26600         spinlock_t serial_lock;
26601  
26602         int (*write_data) (struct hso_serial *serial);
26603 @@ -1201,7 +1201,7 @@ static void put_rxbuf_data_and_resubmit_
26604         struct urb *urb;
26605  
26606         urb = serial->rx_urb[0];
26607 -       if (serial->open_count > 0) {
26608 +       if (atomic_read(&serial->open_count) > 0) {
26609                 count = put_rxbuf_data(urb, serial);
26610                 if (count == -1)
26611                         return;
26612 @@ -1237,7 +1237,7 @@ static void hso_std_serial_read_bulk_cal
26613         DUMP1(urb->transfer_buffer, urb->actual_length);
26614  
26615         /* Anyone listening? */
26616 -       if (serial->open_count == 0)
26617 +       if (atomic_read(&serial->open_count) == 0)
26618                 return;
26619  
26620         if (status == 0) {
26621 @@ -1332,8 +1332,7 @@ static int hso_serial_open(struct tty_st
26622         spin_unlock_irq(&serial->serial_lock);
26623  
26624         /* check for port already opened, if not set the termios */
26625 -       serial->open_count++;
26626 -       if (serial->open_count == 1) {
26627 +       if (atomic_inc_return(&serial->open_count) == 1) {
26628                 serial->rx_state = RX_IDLE;
26629                 /* Force default termio settings */
26630                 _hso_serial_set_termios(tty, NULL);
26631 @@ -1345,7 +1344,7 @@ static int hso_serial_open(struct tty_st
26632                 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26633                 if (result) {
26634                         hso_stop_serial_device(serial->parent);
26635 -                       serial->open_count--;
26636 +                       atomic_dec(&serial->open_count);
26637                         kref_put(&serial->parent->ref, hso_serial_ref_free);
26638                 }
26639         } else {
26640 @@ -1382,10 +1381,10 @@ static void hso_serial_close(struct tty_
26641  
26642         /* reset the rts and dtr */
26643         /* do the actual close */
26644 -       serial->open_count--;
26645 +       atomic_dec(&serial->open_count);
26646  
26647 -       if (serial->open_count <= 0) {
26648 -               serial->open_count = 0;
26649 +       if (atomic_read(&serial->open_count) <= 0) {
26650 +               atomic_set(&serial->open_count,  0);
26651                 spin_lock_irq(&serial->serial_lock);
26652                 if (serial->tty == tty) {
26653                         serial->tty->driver_data = NULL;
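Review bot: The close path now uses three separate atomic operations (`atomic_dec`, then `atomic_read`, then `atomic_set`), so the decrement and the test are not one atomic step. Unless an outer lock that is not visible in this hunk serialises closers, the value read may not be the one this caller's decrement produced. The `atomic_set(..., 0)` also silently hides an unbalanced close. `if (atomic_dec_return(&serial->open_count) <= 0) {` ties the test to this caller's own decrement. hso_serial_close starts and ends outside the hunk.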
26654 @@ -1467,7 +1466,7 @@ static void hso_serial_set_termios(struc
26655  
26656         /* the actual setup */
26657         spin_lock_irqsave(&serial->serial_lock, flags);
26658 -       if (serial->open_count)
26659 +       if (atomic_read(&serial->open_count))
26660                 _hso_serial_set_termios(tty, old);
26661         else
26662                 tty->termios = old;
26663 @@ -1655,6 +1654,9 @@ static int hso_get_count(struct hso_seri
26664  
26665         if (!tiocmget)
26666                  return -ENOENT;
26667 +
26668 +       memset(&icount, 0, sizeof(icount));
26669 +
26670         spin_lock_irq(&serial->serial_lock);
26671         memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
26672         spin_unlock_irq(&serial->serial_lock);
26673 @@ -1929,7 +1931,7 @@ static void intr_callback(struct urb *ur
26674                                 D1("Pending read interrupt on port %d\n", i);
26675                                 spin_lock(&serial->serial_lock);
26676                                 if (serial->rx_state == RX_IDLE &&
26677 -                                       serial->open_count > 0) {
26678 +                                       atomic_read(&serial->open_count) > 0) {
26679                                         /* Setup and send a ctrl req read on
26680                                          * port i */
26681                                         if (!serial->rx_urb_filled[0]) {
26682 @@ -3119,7 +3121,7 @@ static int hso_resume(struct usb_interfa
26683         /* Start all serial ports */
26684         for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26685                 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26686 -                       if (dev2ser(serial_table[i])->open_count) {
26687 +                       if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
26688                                 result =
26689                                     hso_start_serial_device(serial_table[i], GFP_NOIO);
26690                                 hso_kick_transmit(dev2ser(serial_table[i]));
26691 diff -urNp linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c
26692 --- linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c   2010-08-26 19:47:12.000000000 -0400
26693 +++ linux-2.6.35.5/drivers/net/wireless/b43/debugfs.c   2010-09-17 20:12:09.000000000 -0400
26694 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26695  struct b43_debugfs_fops {
26696         ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26697         int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26698 -       struct file_operations fops;
26699 +       const struct file_operations fops;
26700         /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26701         size_t file_struct_offset;
26702  };
26703 diff -urNp linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c
26704 --- linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c     2010-08-26 19:47:12.000000000 -0400
26705 +++ linux-2.6.35.5/drivers/net/wireless/b43legacy/debugfs.c     2010-09-17 20:12:09.000000000 -0400
26706 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26707  struct b43legacy_debugfs_fops {
26708         ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26709         int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26710 -       struct file_operations fops;
26711 +       const struct file_operations fops;
26712         /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26713         size_t file_struct_offset;
26714         /* Take wl->irq_lock before calling read/write? */
26715 diff -urNp linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h
26716 --- linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h     2010-08-26 19:47:12.000000000 -0400
26717 +++ linux-2.6.35.5/drivers/net/wireless/iwlwifi/iwl-debug.h     2010-09-17 20:12:09.000000000 -0400
26718 @@ -68,8 +68,8 @@ do {                                    
26719  } while (0)
26720  
26721  #else
26722 -#define IWL_DEBUG(__priv, level, fmt, args...)
26723 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26724 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26725 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26726  static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26727                                       void *p, u32 len)
26728  {}
26729 diff -urNp linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c
26730 --- linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c      2010-08-26 19:47:12.000000000 -0400
26731 +++ linux-2.6.35.5/drivers/net/wireless/libertas/debugfs.c      2010-09-17 20:12:09.000000000 -0400
26732 @@ -718,7 +718,7 @@ out_unlock:
26733  struct lbs_debugfs_files {
26734         const char *name;
26735         int perm;
26736 -       struct file_operations fops;
26737 +       const struct file_operations fops;
26738  };
26739  
26740  static const struct lbs_debugfs_files debugfs_files[] = {
26741 diff -urNp linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c
26742 --- linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c    2010-08-26 19:47:12.000000000 -0400
26743 +++ linux-2.6.35.5/drivers/net/wireless/rndis_wlan.c    2010-09-17 20:12:09.000000000 -0400
26744 @@ -1235,7 +1235,7 @@ static int set_rts_threshold(struct usbn
26745  
26746         netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26747  
26748 -       if (rts_threshold < 0 || rts_threshold > 2347)
26749 +       if (rts_threshold > 2347)
26750                 rts_threshold = 2347;
26751  
26752         tmp = cpu_to_le32(rts_threshold);
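Review bot: Dropping the `rts_threshold < 0` test is only correct if `rts_threshold` is an unsigned type, and the signature is truncated in the hunk header so that cannot be confirmed here. If it is unsigned, the `%i` in the `netdev_dbg` line above does not match the argument and should be `%u`. If it is signed, negative values now reach `cpu_to_le32()` unclamped. A one-line comment such as `/* rts_threshold is unsigned: only the upper bound needs clamping */` would keep the check from being re-added or questioned.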
26753 diff -urNp linux-2.6.35.5/drivers/oprofile/buffer_sync.c linux-2.6.35.5/drivers/oprofile/buffer_sync.c
26754 --- linux-2.6.35.5/drivers/oprofile/buffer_sync.c       2010-09-20 17:33:09.000000000 -0400
26755 +++ linux-2.6.35.5/drivers/oprofile/buffer_sync.c       2010-09-20 17:33:32.000000000 -0400
26756 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
26757                 if (cookie == NO_COOKIE)
26758                         offset = pc;
26759                 if (cookie == INVALID_COOKIE) {
26760 -                       atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26761 +                       atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26762                         offset = pc;
26763                 }
26764                 if (cookie != last_cookie) {
26765 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct 
26766         /* add userspace sample */
26767  
26768         if (!mm) {
26769 -               atomic_inc(&oprofile_stats.sample_lost_no_mm);
26770 +               atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26771                 return 0;
26772         }
26773  
26774         cookie = lookup_dcookie(mm, s->eip, &offset);
26775  
26776         if (cookie == INVALID_COOKIE) {
26777 -               atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26778 +               atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26779                 return 0;
26780         }
26781  
26782 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
26783                 /* ignore backtraces if failed to add a sample */
26784                 if (state == sb_bt_start) {
26785                         state = sb_bt_ignore;
26786 -                       atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26787 +                       atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26788                 }
26789         }
26790         release_mm(mm);
26791 diff -urNp linux-2.6.35.5/drivers/oprofile/event_buffer.c linux-2.6.35.5/drivers/oprofile/event_buffer.c
26792 --- linux-2.6.35.5/drivers/oprofile/event_buffer.c      2010-08-26 19:47:12.000000000 -0400
26793 +++ linux-2.6.35.5/drivers/oprofile/event_buffer.c      2010-09-17 20:12:09.000000000 -0400
26794 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26795         }
26796  
26797         if (buffer_pos == buffer_size) {
26798 -               atomic_inc(&oprofile_stats.event_lost_overflow);
26799 +               atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26800                 return;
26801         }
26802  
26803 diff -urNp linux-2.6.35.5/drivers/oprofile/oprof.c linux-2.6.35.5/drivers/oprofile/oprof.c
26804 --- linux-2.6.35.5/drivers/oprofile/oprof.c     2010-08-26 19:47:12.000000000 -0400
26805 +++ linux-2.6.35.5/drivers/oprofile/oprof.c     2010-09-17 20:12:09.000000000 -0400
26806 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26807         if (oprofile_ops.switch_events())
26808                 return;
26809  
26810 -       atomic_inc(&oprofile_stats.multiplex_counter);
26811 +       atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26812         start_switch_worker();
26813  }
26814  
26815 diff -urNp linux-2.6.35.5/drivers/oprofile/oprofilefs.c linux-2.6.35.5/drivers/oprofile/oprofilefs.c
26816 --- linux-2.6.35.5/drivers/oprofile/oprofilefs.c        2010-08-26 19:47:12.000000000 -0400
26817 +++ linux-2.6.35.5/drivers/oprofile/oprofilefs.c        2010-09-17 20:12:09.000000000 -0400
26818 @@ -187,7 +187,7 @@ static const struct file_operations atom
26819  
26820  
26821  int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26822 -       char const *name, atomic_t *val)
26823 +       char const *name, atomic_unchecked_t *val)
26824  {
26825         struct dentry *d = __oprofilefs_create_file(sb, root, name,
26826                                                      &atomic_ro_fops, 0444);
26827 diff -urNp linux-2.6.35.5/drivers/oprofile/oprofile_stats.c linux-2.6.35.5/drivers/oprofile/oprofile_stats.c
26828 --- linux-2.6.35.5/drivers/oprofile/oprofile_stats.c    2010-08-26 19:47:12.000000000 -0400
26829 +++ linux-2.6.35.5/drivers/oprofile/oprofile_stats.c    2010-09-17 20:12:09.000000000 -0400
26830 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26831                 cpu_buf->sample_invalid_eip = 0;
26832         }
26833  
26834 -       atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26835 -       atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26836 -       atomic_set(&oprofile_stats.event_lost_overflow, 0);
26837 -       atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26838 -       atomic_set(&oprofile_stats.multiplex_counter, 0);
26839 +       atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26840 +       atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26841 +       atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26842 +       atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26843 +       atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26844  }
26845  
26846  
26847 diff -urNp linux-2.6.35.5/drivers/oprofile/oprofile_stats.h linux-2.6.35.5/drivers/oprofile/oprofile_stats.h
26848 --- linux-2.6.35.5/drivers/oprofile/oprofile_stats.h    2010-08-26 19:47:12.000000000 -0400
26849 +++ linux-2.6.35.5/drivers/oprofile/oprofile_stats.h    2010-09-17 20:12:09.000000000 -0400
26850 @@ -13,11 +13,11 @@
26851  #include <asm/atomic.h>
26852  
26853  struct oprofile_stat_struct {
26854 -       atomic_t sample_lost_no_mm;
26855 -       atomic_t sample_lost_no_mapping;
26856 -       atomic_t bt_lost_no_mapping;
26857 -       atomic_t event_lost_overflow;
26858 -       atomic_t multiplex_counter;
26859 +       atomic_unchecked_t sample_lost_no_mm;
26860 +       atomic_unchecked_t sample_lost_no_mapping;
26861 +       atomic_unchecked_t bt_lost_no_mapping;
26862 +       atomic_unchecked_t event_lost_overflow;
26863 +       atomic_unchecked_t multiplex_counter;
26864  };
26865  
26866  extern struct oprofile_stat_struct oprofile_stats;
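Review bot: The struct gives no reason for moving these five counters from `atomic_t` to `atomic_unchecked_t`, and the choice matters to anyone adding a field later. They look like pure statistics (lost samples, lost events, a multiplex count) rather than reference counts. Presumably they are allowed to wrap and are deliberately exempted from the overflow checking applied to `atomic_t` elsewhere in this patch; that should be confirmed against the patch's atomic definitions. Suggest a comment above the fields: `/* statistics only, may wrap: not reference counts, so unchecked */`.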
26867 diff -urNp linux-2.6.35.5/drivers/parport/procfs.c linux-2.6.35.5/drivers/parport/procfs.c
26868 --- linux-2.6.35.5/drivers/parport/procfs.c     2010-08-26 19:47:12.000000000 -0400
26869 +++ linux-2.6.35.5/drivers/parport/procfs.c     2010-09-17 20:12:37.000000000 -0400
26870 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
26871  
26872         *ppos += len;
26873  
26874 -       return copy_to_user(result, buffer, len) ? -EFAULT : 0;
26875 +       return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
26876  }
26877  
26878  #ifdef CONFIG_PARPORT_1284
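Review bot: The bound check added to the return statement runs after `*ppos += len;` on the context line above, so when `len > sizeof(buffer)` the call fails with -EFAULT but the file position has already been advanced. It also comes after `buffer` was filled, earlier in do_active_device and outside the hunk, so it limits the copy to user space but cannot protect the buffer itself. Testing first, with `if (len > sizeof(buffer)) return -EFAULT;` ahead of `*ppos += len;`, keeps the failure free of side effects. The do_autoprobe hunk below has the same ordering.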
26879 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
26880  
26881         *ppos += len;
26882  
26883 -       return copy_to_user (result, buffer, len) ? -EFAULT : 0;
26884 +       return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
26885  }
26886  #endif /* IEEE1284.3 support. */
26887  
26888 diff -urNp linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c
26889 --- linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c   2010-08-26 19:47:12.000000000 -0400
26890 +++ linux-2.6.35.5/drivers/pci/hotplug/acpiphp_glue.c   2010-09-17 20:12:09.000000000 -0400
26891 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
26892  }
26893  
26894  
26895 -static struct acpi_dock_ops acpiphp_dock_ops = {
26896 +static const struct acpi_dock_ops acpiphp_dock_ops = {
26897         .handler = handle_hotplug_event_func,
26898  };
26899  
26900 diff -urNp linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c
26901 --- linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c   2010-08-26 19:47:12.000000000 -0400
26902 +++ linux-2.6.35.5/drivers/pci/hotplug/cpqphp_nvram.c   2010-09-17 20:12:09.000000000 -0400
26903 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
26904  
26905  void compaq_nvram_init (void __iomem *rom_start)
26906  {
26907 +
26908 +#ifndef CONFIG_PAX_KERNEXEC
26909         if (rom_start) {
26910                 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
26911         }
26912 +#endif
26913 +
26914         dbg("int15 entry  = %p\n", compaq_int15_entry_point);
26915  
26916         /* initialize our int15 lock */
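Review bot: With CONFIG_PAX_KERNEXEC set, `compaq_int15_entry_point` is never assigned here, yet the `dbg()` line still prints it and initialisation continues as before. Nothing in the hunk shows that the code using the entry point copes with it being unset; that code lies outside the hunk and should be checked. The `#ifndef` also has no comment explaining why the ROM entry point is disabled under this option. Something like `/* ROM int15 entry is not used under KERNEXEC; leave the entry point unset */` would help, with the actual reason filled in. The blank line added directly after the opening brace is stray.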
26917 diff -urNp linux-2.6.35.5/drivers/pci/intel-iommu.c linux-2.6.35.5/drivers/pci/intel-iommu.c
26918 --- linux-2.6.35.5/drivers/pci/intel-iommu.c    2010-08-26 19:47:12.000000000 -0400
26919 +++ linux-2.6.35.5/drivers/pci/intel-iommu.c    2010-09-17 20:12:09.000000000 -0400
26920 @@ -2938,7 +2938,7 @@ static int intel_mapping_error(struct de
26921         return !dma_addr;
26922  }
26923  
26924 -struct dma_map_ops intel_dma_ops = {
26925 +const struct dma_map_ops intel_dma_ops = {
26926         .alloc_coherent = intel_alloc_coherent,
26927         .free_coherent = intel_free_coherent,
26928         .map_sg = intel_map_sg,
26929 diff -urNp linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c
26930 --- linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c       2010-08-26 19:47:12.000000000 -0400
26931 +++ linux-2.6.35.5/drivers/pci/pcie/portdrv_pci.c       2010-09-17 20:12:09.000000000 -0400
26932 @@ -250,7 +250,7 @@ static void pcie_portdrv_err_resume(stru
26933  static const struct pci_device_id port_pci_ids[] = { {
26934         /* handle any PCI-Express port */
26935         PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
26936 -       }, { /* end: all zeroes */ }
26937 +       }, { 0, 0, 0, 0, 0, 0, 0 }
26938  };
26939  MODULE_DEVICE_TABLE(pci, port_pci_ids);
26940  
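Review bot: Replacing `{ /* end: all zeroes */ }` with `{ 0, 0, 0, 0, 0, 0, 0 }` drops the comment that marked this entry as the table terminator, and the seven positional zeros now depend on the field count of `struct pci_device_id`. Keeping the marker costs nothing: `}, { 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`.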
26941 diff -urNp linux-2.6.35.5/drivers/pci/probe.c linux-2.6.35.5/drivers/pci/probe.c
26942 --- linux-2.6.35.5/drivers/pci/probe.c  2010-08-26 19:47:12.000000000 -0400
26943 +++ linux-2.6.35.5/drivers/pci/probe.c  2010-09-17 20:12:09.000000000 -0400
26944 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
26945         return ret;
26946  }
26947  
26948 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
26949 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
26950                                         struct device_attribute *attr,
26951                                         char *buf)
26952  {
26953         return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
26954  }
26955  
26956 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
26957 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
26958                                         struct device_attribute *attr,
26959                                         char *buf)
26960  {
26961 diff -urNp linux-2.6.35.5/drivers/pci/proc.c linux-2.6.35.5/drivers/pci/proc.c
26962 --- linux-2.6.35.5/drivers/pci/proc.c   2010-08-26 19:47:12.000000000 -0400
26963 +++ linux-2.6.35.5/drivers/pci/proc.c   2010-09-17 20:12:37.000000000 -0400
26964 @@ -481,7 +481,16 @@ static const struct file_operations proc
26965  static int __init pci_proc_init(void)
26966  {
26967         struct pci_dev *dev = NULL;
26968 +
26969 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26970 +#ifdef CONFIG_GRKERNSEC_PROC_USER
26971 +       proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
26972 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
26973 +       proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
26974 +#endif
26975 +#else
26976         proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
26977 +#endif
26978         proc_create("devices", 0, proc_bus_pci_dir,
26979                     &proc_bus_pci_dev_operations);
26980         proc_initialized = 1;
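Review bot: When CONFIG_GRKERNSEC_PROC_ADD is set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP is, the inner `#ifdef`/`#elif` chain has no `#else`, so `proc_bus_pci_dir` is never assigned. The following `proc_create("devices", 0, proc_bus_pci_dir, ...)` then receives whatever the variable held before. Kconfig may rule that combination out, but that is not visible here; an inner `#else` falling back to `proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);`, or an `#error`, would make the block safe on its own. The result of `proc_mkdir_mode()` is also used unchecked, as `proc_mkdir()` was before. pci_proc_init continues outside the hunk.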
26981 diff -urNp linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c
26982 --- linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c        2010-08-26 19:47:12.000000000 -0400
26983 +++ linux-2.6.35.5/drivers/pcmcia/pcmcia_ioctl.c        2010-09-17 20:12:09.000000000 -0400
26984 @@ -850,7 +850,7 @@ static int ds_ioctl(struct file *file, u
26985             return -EFAULT;
26986         }
26987      }
26988 -    buf = kmalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
26989 +    buf = kzalloc(sizeof(ds_ioctl_arg_t), GFP_KERNEL);
26990      if (!buf)
26991         return -ENOMEM;
26992  
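Review bot: The switch to `kzalloc()` carries no comment saying why the buffer must be zeroed, so a later cleanup could turn it back into `kmalloc()`. Presumably `buf` is copied back to user space further down in ds_ioctl, outside this hunk; if so, members the handler does not fill would otherwise expose stale heap contents. Once that is confirmed, I would add `/* zeroed: buf is returned to user space, do not leak uninitialised heap */` above the allocation.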
26993 diff -urNp linux-2.6.35.5/drivers/pcmcia/ti113x.h linux-2.6.35.5/drivers/pcmcia/ti113x.h
26994 --- linux-2.6.35.5/drivers/pcmcia/ti113x.h      2010-08-26 19:47:12.000000000 -0400
26995 +++ linux-2.6.35.5/drivers/pcmcia/ti113x.h      2010-09-17 20:12:09.000000000 -0400
26996 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
26997         DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
26998                 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
26999  
27000 -       {}
27001 +       { 0, 0, 0, 0, 0, 0, 0 }
27002  };
27003  
27004  static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27005 diff -urNp linux-2.6.35.5/drivers/pcmcia/yenta_socket.c linux-2.6.35.5/drivers/pcmcia/yenta_socket.c
27006 --- linux-2.6.35.5/drivers/pcmcia/yenta_socket.c        2010-08-26 19:47:12.000000000 -0400
27007 +++ linux-2.6.35.5/drivers/pcmcia/yenta_socket.c        2010-09-17 20:12:09.000000000 -0400
27008 @@ -1428,7 +1428,7 @@ static struct pci_device_id yenta_table[
27009  
27010         /* match any cardbus bridge */
27011         CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27012 -       { /* all zeroes */ }
27013 +       { 0, 0, 0, 0, 0, 0, 0 }
27014  };
27015  MODULE_DEVICE_TABLE(pci, yenta_table);
27016  
27017 diff -urNp linux-2.6.35.5/drivers/platform/x86/acer-wmi.c linux-2.6.35.5/drivers/platform/x86/acer-wmi.c
27018 --- linux-2.6.35.5/drivers/platform/x86/acer-wmi.c      2010-08-26 19:47:12.000000000 -0400
27019 +++ linux-2.6.35.5/drivers/platform/x86/acer-wmi.c      2010-09-17 20:12:09.000000000 -0400
27020 @@ -916,7 +916,7 @@ static int update_bl_status(struct backl
27021         return 0;
27022  }
27023  
27024 -static struct backlight_ops acer_bl_ops = {
27025 +static const struct backlight_ops acer_bl_ops = {
27026         .get_brightness = read_brightness,
27027         .update_status = update_bl_status,
27028  };
27029 diff -urNp linux-2.6.35.5/drivers/platform/x86/asus_acpi.c linux-2.6.35.5/drivers/platform/x86/asus_acpi.c
27030 --- linux-2.6.35.5/drivers/platform/x86/asus_acpi.c     2010-08-26 19:47:12.000000000 -0400
27031 +++ linux-2.6.35.5/drivers/platform/x86/asus_acpi.c     2010-09-17 20:12:09.000000000 -0400
27032 @@ -1464,7 +1464,7 @@ static int asus_hotk_remove(struct acpi_
27033         return 0;
27034  }
27035  
27036 -static struct backlight_ops asus_backlight_data = {
27037 +static const struct backlight_ops asus_backlight_data = {
27038         .get_brightness = read_brightness,
27039         .update_status  = set_brightness_status,
27040  };
27041 diff -urNp linux-2.6.35.5/drivers/platform/x86/asus-laptop.c linux-2.6.35.5/drivers/platform/x86/asus-laptop.c
27042 --- linux-2.6.35.5/drivers/platform/x86/asus-laptop.c   2010-08-26 19:47:12.000000000 -0400
27043 +++ linux-2.6.35.5/drivers/platform/x86/asus-laptop.c   2010-09-17 20:12:09.000000000 -0400
27044 @@ -224,7 +224,6 @@ struct asus_laptop {
27045         struct asus_led gled;
27046         struct asus_led kled;
27047         struct workqueue_struct *led_workqueue;
27048 -
27049         int wireless_status;
27050         bool have_rsts;
27051         int lcd_state;
27052 @@ -621,7 +620,7 @@ static int update_bl_status(struct backl
27053         return asus_lcd_set(asus, value);
27054  }
27055  
27056 -static struct backlight_ops asusbl_ops = {
27057 +static const struct backlight_ops asusbl_ops = {
27058         .get_brightness = asus_read_brightness,
27059         .update_status = update_bl_status,
27060  };
27061 diff -urNp linux-2.6.35.5/drivers/platform/x86/compal-laptop.c linux-2.6.35.5/drivers/platform/x86/compal-laptop.c
27062 --- linux-2.6.35.5/drivers/platform/x86/compal-laptop.c 2010-08-26 19:47:12.000000000 -0400
27063 +++ linux-2.6.35.5/drivers/platform/x86/compal-laptop.c 2010-09-17 20:12:09.000000000 -0400
27064 @@ -168,7 +168,7 @@ static int bl_update_status(struct backl
27065         return set_lcd_level(b->props.brightness);
27066  }
27067  
27068 -static struct backlight_ops compalbl_ops = {
27069 +static const struct backlight_ops compalbl_ops = {
27070         .get_brightness = bl_get_brightness,
27071         .update_status  = bl_update_status,
27072  };
27073 diff -urNp linux-2.6.35.5/drivers/platform/x86/dell-laptop.c linux-2.6.35.5/drivers/platform/x86/dell-laptop.c
27074 --- linux-2.6.35.5/drivers/platform/x86/dell-laptop.c   2010-08-26 19:47:12.000000000 -0400
27075 +++ linux-2.6.35.5/drivers/platform/x86/dell-laptop.c   2010-09-17 20:12:09.000000000 -0400
27076 @@ -469,7 +469,7 @@ out:
27077         return buffer->output[1];
27078  }
27079  
27080 -static struct backlight_ops dell_ops = {
27081 +static const struct backlight_ops dell_ops = {
27082         .get_brightness = dell_get_intensity,
27083         .update_status  = dell_send_intensity,
27084  };
27085 diff -urNp linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c
27086 --- linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c  2010-08-26 19:47:12.000000000 -0400
27087 +++ linux-2.6.35.5/drivers/platform/x86/eeepc-laptop.c  2010-09-17 20:12:09.000000000 -0400
27088 @@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
27089         return set_brightness(bd, bd->props.brightness);
27090  }
27091  
27092 -static struct backlight_ops eeepcbl_ops = {
27093 +static const struct backlight_ops eeepcbl_ops = {
27094         .get_brightness = read_brightness,
27095         .update_status = update_bl_status,
27096  };
27097 diff -urNp linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c
27098 --- linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c        2010-08-26 19:47:12.000000000 -0400
27099 +++ linux-2.6.35.5/drivers/platform/x86/fujitsu-laptop.c        2010-09-17 20:12:09.000000000 -0400
27100 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27101         return ret;
27102  }
27103  
27104 -static struct backlight_ops fujitsubl_ops = {
27105 +static const struct backlight_ops fujitsubl_ops = {
27106         .get_brightness = bl_get_brightness,
27107         .update_status = bl_update_status,
27108  };
27109 diff -urNp linux-2.6.35.5/drivers/platform/x86/sony-laptop.c linux-2.6.35.5/drivers/platform/x86/sony-laptop.c
27110 --- linux-2.6.35.5/drivers/platform/x86/sony-laptop.c   2010-08-26 19:47:12.000000000 -0400
27111 +++ linux-2.6.35.5/drivers/platform/x86/sony-laptop.c   2010-09-17 20:12:09.000000000 -0400
27112 @@ -857,7 +857,7 @@ static int sony_backlight_get_brightness
27113  }
27114  
27115  static struct backlight_device *sony_backlight_device;
27116 -static struct backlight_ops sony_backlight_ops = {
27117 +static const struct backlight_ops sony_backlight_ops = {
27118         .update_status = sony_backlight_update_status,
27119         .get_brightness = sony_backlight_get_brightness,
27120  };
27121 diff -urNp linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c
27122 --- linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c 2010-08-26 19:47:12.000000000 -0400
27123 +++ linux-2.6.35.5/drivers/platform/x86/thinkpad_acpi.c 2010-09-17 20:12:09.000000000 -0400
27124 @@ -6142,7 +6142,7 @@ static void tpacpi_brightness_notify_cha
27125                                BACKLIGHT_UPDATE_HOTKEY);
27126  }
27127  
27128 -static struct backlight_ops ibm_backlight_data = {
27129 +static const struct backlight_ops ibm_backlight_data = {
27130         .get_brightness = brightness_get,
27131         .update_status  = brightness_update_status,
27132  };
27133 diff -urNp linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c
27134 --- linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c  2010-08-26 19:47:12.000000000 -0400
27135 +++ linux-2.6.35.5/drivers/platform/x86/toshiba_acpi.c  2010-09-17 20:12:09.000000000 -0400
27136 @@ -741,7 +741,7 @@ static acpi_status remove_device(void)
27137         return AE_OK;
27138  }
27139  
27140 -static struct backlight_ops toshiba_backlight_data = {
27141 +static const struct backlight_ops toshiba_backlight_data = {
27142          .get_brightness = get_lcd,
27143          .update_status  = set_lcd_status,
27144  };
27145 diff -urNp linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c
27146 --- linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c      2010-08-26 19:47:12.000000000 -0400
27147 +++ linux-2.6.35.5/drivers/pnp/pnpbios/bioscalls.c      2010-09-17 20:12:09.000000000 -0400
27148 @@ -59,7 +59,7 @@ do { \
27149         set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27150  } while(0)
27151  
27152 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27153 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27154                         (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
27155  
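Review bot: The first argument of `GDT_ENTRY_INIT` changes from `0x4092` to `0x4093` without explanation, and the change is easy to miss next to the added `const`. The bit that differs is the descriptor's accessed bit; presumably it is pre-set so that the CPU never has to write it back into a GDT that is read-only under KERNEXEC. A one-line comment such as `/* accessed bit pre-set: the GDT may be read-only */` would record that, subject to the author confirming the intent.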
27156  /*
27157 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27158  
27159         cpu = get_cpu();
27160         save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27161 +
27162 +       pax_open_kernel();
27163         get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27164 +       pax_close_kernel();
27165  
27166         /* On some boxes IRQ's during PnP BIOS calls are deadly.  */
27167         spin_lock_irqsave(&pnp_bios_lock, flags);
27168 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27169                              :"memory");
27170         spin_unlock_irqrestore(&pnp_bios_lock, flags);
27171  
27172 +       pax_open_kernel();
27173         get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27174 +       pax_close_kernel();
27175 +
27176         put_cpu();
27177  
27178         /* If we get here and this is set then the PnP BIOS faulted on us. */
27179 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27180         return status;
27181  }
27182  
27183 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27184 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27185  {
27186         int i;
27187  
27188 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27189         pnp_bios_callpoint.offset = header->fields.pm16offset;
27190         pnp_bios_callpoint.segment = PNP_CS16;
27191  
27192 +       pax_open_kernel();
27193 +
27194         for_each_possible_cpu(i) {
27195                 struct desc_struct *gdt = get_cpu_gdt_table(i);
27196                 if (!gdt)
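Review bot: `pax_open_kernel()` is placed before the `for_each_possible_cpu` loop and the matching `pax_close_kernel()` only after it, in the next hunk. Kernel write protection is therefore lifted for the whole loop rather than around the individual descriptor writes, as the call_pnp_bios hunks above do. Part of the loop body lies between the two hunks and is not visible; if it contains a `return` or `goto`, the close call would be skipped. Either confirm that the loop only uses `continue`, or move the pair inside the loop around the `set_desc_base()` calls.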
27197 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27198                 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27199                          (unsigned long)__va(header->fields.pm16dseg));
27200         }
27201 +
27202 +       pax_close_kernel();
27203  }
27204 diff -urNp linux-2.6.35.5/drivers/pnp/quirks.c linux-2.6.35.5/drivers/pnp/quirks.c
27205 --- linux-2.6.35.5/drivers/pnp/quirks.c 2010-08-26 19:47:12.000000000 -0400
27206 +++ linux-2.6.35.5/drivers/pnp/quirks.c 2010-09-17 20:12:09.000000000 -0400
27207 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27208         /* PnP resources that might overlap PCI BARs */
27209         {"PNP0c01", quirk_system_pci_resources},
27210         {"PNP0c02", quirk_system_pci_resources},
27211 -       {""}
27212 +       {"", NULL}
27213  };
27214  
27215  void pnp_fixup_device(struct pnp_dev *dev)
27216 diff -urNp linux-2.6.35.5/drivers/pnp/resource.c linux-2.6.35.5/drivers/pnp/resource.c
27217 --- linux-2.6.35.5/drivers/pnp/resource.c       2010-08-26 19:47:12.000000000 -0400
27218 +++ linux-2.6.35.5/drivers/pnp/resource.c       2010-09-17 20:12:09.000000000 -0400
27219 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27220                 return 1;
27221  
27222         /* check if the resource is valid */
27223 -       if (*irq < 0 || *irq > 15)
27224 +       if (*irq > 15)
27225                 return 0;
27226  
27227         /* check if the resource is reserved */
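Review bot: Dropping `*irq < 0` is only safe while `irq` points to an unsigned type, and its declaration is outside the hunk. If the pointee were ever signed, a negative value would pass `*irq > 15` and be treated as a valid IRQ number by the checks that follow. A short comment, `/* *irq is unsigned, so only the upper bound needs checking */`, would keep that assumption visible. The same applies to `*dma` in the pnp_check_dma hunk below.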
27228 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27229                 return 1;
27230  
27231         /* check if the resource is valid */
27232 -       if (*dma < 0 || *dma == 4 || *dma > 7)
27233 +       if (*dma == 4 || *dma > 7)
27234                 return 0;
27235  
27236         /* check if the resource is reserved */
27237 diff -urNp linux-2.6.35.5/drivers/s390/cio/qdio_debug.c linux-2.6.35.5/drivers/s390/cio/qdio_debug.c
27238 --- linux-2.6.35.5/drivers/s390/cio/qdio_debug.c        2010-08-26 19:47:12.000000000 -0400
27239 +++ linux-2.6.35.5/drivers/s390/cio/qdio_debug.c        2010-09-17 20:12:09.000000000 -0400
27240 @@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
27241                            filp->f_path.dentry->d_inode->i_private);
27242  }
27243  
27244 -static struct file_operations debugfs_perf_fops = {
27245 +static const struct file_operations debugfs_perf_fops = {
27246         .owner   = THIS_MODULE,
27247         .open    = qperf_seq_open,
27248         .read    = seq_read,
27249 diff -urNp linux-2.6.35.5/drivers/scsi/ipr.c linux-2.6.35.5/drivers/scsi/ipr.c
27250 --- linux-2.6.35.5/drivers/scsi/ipr.c   2010-08-26 19:47:12.000000000 -0400
27251 +++ linux-2.6.35.5/drivers/scsi/ipr.c   2010-09-17 20:12:09.000000000 -0400
27252 @@ -6091,7 +6091,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27253         return true;
27254  }
27255  
27256 -static struct ata_port_operations ipr_sata_ops = {
27257 +static const struct ata_port_operations ipr_sata_ops = {
27258         .phy_reset = ipr_ata_phy_reset,
27259         .hardreset = ipr_sata_reset,
27260         .post_internal_cmd = ipr_ata_post_internal,
27261 diff -urNp linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c
27262 --- linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c 2010-08-26 19:47:12.000000000 -0400
27263 +++ linux-2.6.35.5/drivers/scsi/libfc/fc_exch.c 2010-09-17 20:12:09.000000000 -0400
27264 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27265          * all together if not used XXX
27266          */
27267         struct {
27268 -               atomic_t no_free_exch;
27269 -               atomic_t no_free_exch_xid;
27270 -               atomic_t xid_not_found;
27271 -               atomic_t xid_busy;
27272 -               atomic_t seq_not_found;
27273 -               atomic_t non_bls_resp;
27274 +               atomic_unchecked_t no_free_exch;
27275 +               atomic_unchecked_t no_free_exch_xid;
27276 +               atomic_unchecked_t xid_not_found;
27277 +               atomic_unchecked_t xid_busy;
27278 +               atomic_unchecked_t seq_not_found;
27279 +               atomic_unchecked_t non_bls_resp;
27280         } stats;
27281  };
27282  #define        fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
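Review bot: The six `stats` counters become `atomic_unchecked_t`, which presumably exempts them from this patch set's overflow detection, but nothing in the struct says they are statistics that may wrap. A comment such as `/* statistics only: allowed to wrap, hence unchecked */` above the members would make clear why they are exempt and discourage using the type for real reference counts. Every accessor has to move to the `_unchecked` variants too. The hunks below convert the `atomic_inc()` calls, but any `atomic_read()` of these fields elsewhere in fc_exch.c is not visible here and would no longer match the type.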
27283 @@ -671,7 +671,7 @@ static struct fc_exch *fc_exch_em_alloc(
27284         /* allocate memory for exchange */
27285         ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27286         if (!ep) {
27287 -               atomic_inc(&mp->stats.no_free_exch);
27288 +               atomic_inc_unchecked(&mp->stats.no_free_exch);
27289                 goto out;
27290         }
27291         memset(ep, 0, sizeof(*ep));
27292 @@ -719,7 +719,7 @@ out:
27293         return ep;
27294  err:
27295         spin_unlock_bh(&pool->lock);
27296 -       atomic_inc(&mp->stats.no_free_exch_xid);
27297 +       atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27298         mempool_free(ep, mp->ep_pool);
27299         return NULL;
27300  }
27301 @@ -864,7 +864,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27302                 xid = ntohs(fh->fh_ox_id);      /* we originated exch */
27303                 ep = fc_exch_find(mp, xid);
27304                 if (!ep) {
27305 -                       atomic_inc(&mp->stats.xid_not_found);
27306 +                       atomic_inc_unchecked(&mp->stats.xid_not_found);
27307                         reject = FC_RJT_OX_ID;
27308                         goto out;
27309                 }
27310 @@ -894,7 +894,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27311                 ep = fc_exch_find(mp, xid);
27312                 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27313                         if (ep) {
27314 -                               atomic_inc(&mp->stats.xid_busy);
27315 +                               atomic_inc_unchecked(&mp->stats.xid_busy);
27316                                 reject = FC_RJT_RX_ID;
27317                                 goto rel;
27318                         }
27319 @@ -905,7 +905,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27320                         }
27321                         xid = ep->xid;  /* get our XID */
27322                 } else if (!ep) {
27323 -                       atomic_inc(&mp->stats.xid_not_found);
27324 +                       atomic_inc_unchecked(&mp->stats.xid_not_found);
27325                         reject = FC_RJT_RX_ID;  /* XID not found */
27326                         goto out;
27327                 }
27328 @@ -922,7 +922,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27329         } else {
27330                 sp = &ep->seq;
27331                 if (sp->id != fh->fh_seq_id) {
27332 -                       atomic_inc(&mp->stats.seq_not_found);
27333 +                       atomic_inc_unchecked(&mp->stats.seq_not_found);
27334                         reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27335                         goto rel;
27336                 }
27337 @@ -1303,22 +1303,22 @@ static void fc_exch_recv_seq_resp(struct
27338  
27339         ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27340         if (!ep) {
27341 -               atomic_inc(&mp->stats.xid_not_found);
27342 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
27343                 goto out;
27344         }
27345         if (ep->esb_stat & ESB_ST_COMPLETE) {
27346 -               atomic_inc(&mp->stats.xid_not_found);
27347 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
27348                 goto out;
27349         }
27350         if (ep->rxid == FC_XID_UNKNOWN)
27351                 ep->rxid = ntohs(fh->fh_rx_id);
27352         if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27353 -               atomic_inc(&mp->stats.xid_not_found);
27354 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
27355                 goto rel;
27356         }
27357         if (ep->did != ntoh24(fh->fh_s_id) &&
27358             ep->did != FC_FID_FLOGI) {
27359 -               atomic_inc(&mp->stats.xid_not_found);
27360 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
27361                 goto rel;
27362         }
27363         sof = fr_sof(fp);
27364 @@ -1327,7 +1327,7 @@ static void fc_exch_recv_seq_resp(struct
27365                 sp->ssb_stat |= SSB_ST_RESP;
27366                 sp->id = fh->fh_seq_id;
27367         } else if (sp->id != fh->fh_seq_id) {
27368 -               atomic_inc(&mp->stats.seq_not_found);
27369 +               atomic_inc_unchecked(&mp->stats.seq_not_found);
27370                 goto rel;
27371         }
27372  
27373 @@ -1390,9 +1390,9 @@ static void fc_exch_recv_resp(struct fc_
27374         sp = fc_seq_lookup_orig(mp, fp);        /* doesn't hold sequence */
27375  
27376         if (!sp)
27377 -               atomic_inc(&mp->stats.xid_not_found);
27378 +               atomic_inc_unchecked(&mp->stats.xid_not_found);
27379         else
27380 -               atomic_inc(&mp->stats.non_bls_resp);
27381 +               atomic_inc_unchecked(&mp->stats.non_bls_resp);
27382  
27383         fc_frame_free(fp);
27384  }
27385 diff -urNp linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c
27386 --- linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c        2010-08-26 19:47:12.000000000 -0400
27387 +++ linux-2.6.35.5/drivers/scsi/libsas/sas_ata.c        2010-09-17 20:12:09.000000000 -0400
27388 @@ -344,7 +344,7 @@ static int sas_ata_scr_read(struct ata_l
27389         }
27390  }
27391  
27392 -static struct ata_port_operations sas_sata_ops = {
27393 +static const struct ata_port_operations sas_sata_ops = {
27394         .phy_reset              = sas_ata_phy_reset,
27395         .post_internal_cmd      = sas_ata_post_internal,
27396         .qc_prep                = ata_noop_qc_prep,
27397 diff -urNp linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h
27398 --- linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-08-26 19:47:12.000000000 -0400
27399 +++ linux-2.6.35.5/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-09-17 20:12:09.000000000 -0400
27400 @@ -79,7 +79,7 @@
27401                 CMD;                                            \
27402  }
27403  #else
27404 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27405 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27406  #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27407  
27408  
27409 diff -urNp linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c
27410 --- linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c        2010-08-26 19:47:12.000000000 -0400
27411 +++ linux-2.6.35.5/drivers/scsi/qla2xxx/qla_os.c        2010-09-17 20:12:09.000000000 -0400
27412 @@ -3899,7 +3899,7 @@ static struct pci_driver qla2xxx_pci_dri
27413         .err_handler    = &qla2xxx_err_handler,
27414  };
27415  
27416 -static struct file_operations apidev_fops = {
27417 +static const struct file_operations apidev_fops = {
27418         .owner = THIS_MODULE,
27419  };
27420  
27421 diff -urNp linux-2.6.35.5/drivers/scsi/scsi_logging.h linux-2.6.35.5/drivers/scsi/scsi_logging.h
27422 --- linux-2.6.35.5/drivers/scsi/scsi_logging.h  2010-08-26 19:47:12.000000000 -0400
27423 +++ linux-2.6.35.5/drivers/scsi/scsi_logging.h  2010-09-17 20:12:09.000000000 -0400
27424 @@ -51,7 +51,7 @@ do {                                                          \
27425                 } while (0);                                    \
27426  } while (0)
27427  #else
27428 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27429 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27430  #endif /* CONFIG_SCSI_LOGGING */
27431  
27432  /*
27433 diff -urNp linux-2.6.35.5/drivers/scsi/sg.c linux-2.6.35.5/drivers/scsi/sg.c
27434 --- linux-2.6.35.5/drivers/scsi/sg.c    2010-08-26 19:47:12.000000000 -0400
27435 +++ linux-2.6.35.5/drivers/scsi/sg.c    2010-09-17 20:12:09.000000000 -0400
27436 @@ -2302,7 +2302,7 @@ struct sg_proc_leaf {
27437         const struct file_operations * fops;
27438  };
27439  
27440 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27441 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27442         {"allow_dio", &adio_fops},
27443         {"debug", &debug_fops},
27444         {"def_reserved_size", &dressz_fops},
27445 @@ -2317,7 +2317,7 @@ sg_proc_init(void)
27446  {
27447         int k, mask;
27448         int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27449 -       struct sg_proc_leaf * leaf;
27450 +       const struct sg_proc_leaf * leaf;
27451  
27452         sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27453         if (!sg_proc_sgp)
27454 diff -urNp linux-2.6.35.5/drivers/serial/8250_pci.c linux-2.6.35.5/drivers/serial/8250_pci.c
27455 --- linux-2.6.35.5/drivers/serial/8250_pci.c    2010-08-26 19:47:12.000000000 -0400
27456 +++ linux-2.6.35.5/drivers/serial/8250_pci.c    2010-09-17 20:12:09.000000000 -0400
27457 @@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
27458                 PCI_ANY_ID, PCI_ANY_ID,
27459                 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27460                 0xffff00, pbn_default },
27461 -       { 0, }
27462 +       { 0, 0, 0, 0, 0, 0, 0 }
27463  };
27464  
27465  static struct pci_driver serial_pci_driver = {
27466 diff -urNp linux-2.6.35.5/drivers/serial/kgdboc.c linux-2.6.35.5/drivers/serial/kgdboc.c
27467 --- linux-2.6.35.5/drivers/serial/kgdboc.c      2010-08-26 19:47:12.000000000 -0400
27468 +++ linux-2.6.35.5/drivers/serial/kgdboc.c      2010-09-17 20:12:09.000000000 -0400
27469 @@ -20,7 +20,7 @@
27470  
27471  #define MAX_CONFIG_LEN         40
27472  
27473 -static struct kgdb_io          kgdboc_io_ops;
27474 +static struct kgdb_io  kgdboc_io_ops;
27475  
27476  /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27477  static int configured          = -1;
27478 diff -urNp linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c
27479 --- linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c 2010-08-26 19:47:12.000000000 -0400
27480 +++ linux-2.6.35.5/drivers/staging/comedi/comedi_fops.c 2010-09-17 20:12:09.000000000 -0400
27481 @@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
27482         mutex_unlock(&dev->mutex);
27483  }
27484  
27485 -static struct vm_operations_struct comedi_vm_ops = {
27486 +static const struct vm_operations_struct comedi_vm_ops = {
27487         .close = comedi_unmap,
27488  };
27489  
27490 diff -urNp linux-2.6.35.5/drivers/staging/dream/pmem.c linux-2.6.35.5/drivers/staging/dream/pmem.c
27491 --- linux-2.6.35.5/drivers/staging/dream/pmem.c 2010-08-26 19:47:12.000000000 -0400
27492 +++ linux-2.6.35.5/drivers/staging/dream/pmem.c 2010-09-17 20:12:09.000000000 -0400
27493 @@ -175,7 +175,7 @@ static int pmem_mmap(struct file *, stru
27494  static int pmem_open(struct inode *, struct file *);
27495  static long pmem_ioctl(struct file *, unsigned int, unsigned long);
27496  
27497 -struct file_operations pmem_fops = {
27498 +const struct file_operations pmem_fops = {
27499         .release = pmem_release,
27500         .mmap = pmem_mmap,
27501         .open = pmem_open,
27502 @@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
27503         return simple_read_from_buffer(buf, count, ppos, buffer, n);
27504  }
27505  
27506 -static struct file_operations debug_fops = {
27507 +static const struct file_operations debug_fops = {
27508         .read = debug_read,
27509         .open = debug_open,
27510  };
27511 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c
27512 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c    2010-08-26 19:47:12.000000000 -0400
27513 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/adsp_driver.c    2010-09-17 20:12:09.000000000 -0400
27514 @@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
27515  static dev_t adsp_devno;
27516  static struct class *adsp_class;
27517  
27518 -static struct file_operations adsp_fops = {
27519 +static const struct file_operations adsp_fops = {
27520         .owner = THIS_MODULE,
27521         .open = adsp_open,
27522         .unlocked_ioctl = adsp_ioctl,
27523 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c
27524 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c      2010-08-26 19:47:12.000000000 -0400
27525 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_aac.c      2010-09-17 20:12:09.000000000 -0400
27526 @@ -1023,7 +1023,7 @@ done:
27527         return rc;
27528  }
27529  
27530 -static struct file_operations audio_aac_fops = {
27531 +static const struct file_operations audio_aac_fops = {
27532         .owner = THIS_MODULE,
27533         .open = audio_open,
27534         .release = audio_release,
27535 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c
27536 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c    2010-08-26 19:47:12.000000000 -0400
27537 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_amrnb.c    2010-09-17 20:12:09.000000000 -0400
27538 @@ -834,7 +834,7 @@ done:
27539         return rc;
27540  }
27541  
27542 -static struct file_operations audio_amrnb_fops = {
27543 +static const struct file_operations audio_amrnb_fops = {
27544         .owner = THIS_MODULE,
27545         .open = audamrnb_open,
27546         .release = audamrnb_release,
27547 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c
27548 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c     2010-08-26 19:47:12.000000000 -0400
27549 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_evrc.c     2010-09-17 20:12:09.000000000 -0400
27550 @@ -806,7 +806,7 @@ dma_fail:
27551         return rc;
27552  }
27553  
27554 -static struct file_operations audio_evrc_fops = {
27555 +static const struct file_operations audio_evrc_fops = {
27556         .owner = THIS_MODULE,
27557         .open = audevrc_open,
27558         .release = audevrc_release,
27559 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c
27560 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c       2010-08-26 19:47:12.000000000 -0400
27561 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_in.c       2010-09-17 20:12:09.000000000 -0400
27562 @@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
27563         return 0;
27564  }
27565  
27566 -static struct file_operations audio_fops = {
27567 +static const struct file_operations audio_fops = {
27568         .owner          = THIS_MODULE,
27569         .open           = audio_in_open,
27570         .release        = audio_in_release,
27571 @@ -923,7 +923,7 @@ static struct file_operations audio_fops
27572         .unlocked_ioctl = audio_in_ioctl,
27573  };
27574  
27575 -static struct file_operations audpre_fops = {
27576 +static const struct file_operations audpre_fops = {
27577         .owner          = THIS_MODULE,
27578         .open           = audpre_open,
27579         .unlocked_ioctl = audpre_ioctl,
27580 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c
27581 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c      2010-08-26 19:47:12.000000000 -0400
27582 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_mp3.c      2010-09-17 20:12:09.000000000 -0400
27583 @@ -941,7 +941,7 @@ done:
27584         return rc;
27585  }
27586  
27587 -static struct file_operations audio_mp3_fops = {
27588 +static const struct file_operations audio_mp3_fops = {
27589         .owner          = THIS_MODULE,
27590         .open           = audio_open,
27591         .release        = audio_release,
27592 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c
27593 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c      2010-08-26 19:47:12.000000000 -0400
27594 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_out.c      2010-09-17 20:12:09.000000000 -0400
27595 @@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
27596         return 0;
27597  }
27598  
27599 -static struct file_operations audio_fops = {
27600 +static const struct file_operations audio_fops = {
27601         .owner          = THIS_MODULE,
27602         .open           = audio_open,
27603         .release        = audio_release,
27604 @@ -809,7 +809,7 @@ static struct file_operations audio_fops
27605         .unlocked_ioctl = audio_ioctl,
27606  };
27607  
27608 -static struct file_operations audpp_fops = {
27609 +static const struct file_operations audpp_fops = {
27610         .owner          = THIS_MODULE,
27611         .open           = audpp_open,
27612         .unlocked_ioctl = audpp_ioctl,
27613 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c
27614 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c    2010-08-26 19:47:12.000000000 -0400
27615 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/audio_qcelp.c    2010-09-17 20:12:09.000000000 -0400
27616 @@ -817,7 +817,7 @@ err:
27617         return rc;
27618  }
27619  
27620 -static struct file_operations audio_qcelp_fops = {
27621 +static const struct file_operations audio_qcelp_fops = {
27622         .owner = THIS_MODULE,
27623         .open = audqcelp_open,
27624         .release = audqcelp_release,
27625 diff -urNp linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c
27626 --- linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c    2010-08-26 19:47:12.000000000 -0400
27627 +++ linux-2.6.35.5/drivers/staging/dream/qdsp5/snd.c    2010-09-17 20:12:09.000000000 -0400
27628 @@ -242,7 +242,7 @@ err:
27629         return rc;
27630  }
27631  
27632 -static struct file_operations snd_fops = {
27633 +static const struct file_operations snd_fops = {
27634         .owner          = THIS_MODULE,
27635         .open           = snd_open,
27636         .release        = snd_release,
27637 diff -urNp linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c
27638 --- linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c  2010-08-26 19:47:12.000000000 -0400
27639 +++ linux-2.6.35.5/drivers/staging/dt3155/dt3155_drv.c  2010-09-17 20:12:09.000000000 -0400
27640 @@ -853,7 +853,7 @@ dt3155_unlocked_ioctl(struct file *file,
27641   *  needed by init_module
27642   *  register_chrdev
27643   *****************************************************/
27644 -static struct file_operations dt3155_fops = {
27645 +static const struct file_operations dt3155_fops = {
27646         .read           = dt3155_read,
27647         .unlocked_ioctl = dt3155_unlocked_ioctl,
27648         .mmap           = dt3155_mmap,
27649 diff -urNp linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c
27650 --- linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c 2010-08-26 19:47:12.000000000 -0400
27651 +++ linux-2.6.35.5/drivers/staging/go7007/go7007-v4l2.c 2010-09-17 20:12:09.000000000 -0400
27652 @@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
27653         return 0;
27654  }
27655  
27656 -static struct vm_operations_struct go7007_vm_ops = {
27657 +static const struct vm_operations_struct go7007_vm_ops = {
27658         .open   = go7007_vm_open,
27659         .close  = go7007_vm_close,
27660         .fault  = go7007_vm_fault,
27661 diff -urNp linux-2.6.35.5/drivers/staging/hv/hv.c linux-2.6.35.5/drivers/staging/hv/hv.c
27662 --- linux-2.6.35.5/drivers/staging/hv/hv.c      2010-08-26 19:47:12.000000000 -0400
27663 +++ linux-2.6.35.5/drivers/staging/hv/hv.c      2010-09-17 20:12:09.000000000 -0400
27664 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
27665         u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
27666         u32 outputAddressHi = outputAddress >> 32;
27667         u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
27668 -       volatile void *hypercallPage = gHvContext.HypercallPage;
27669 +       volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
27670  
27671         DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27672                    Control, Input, Output);
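Review bot: The new `ktva_ktla()` wrapper on the `hypercallPage` assignment has no comment saying why this one pointer needs a translated address. From the hunk alone a reader cannot tell that the value is presumably used later as a call target rather than read as data, which is the case where the kernel-text virtual/linear distinction would matter. I would add `/* used as a call target: needs the text-to-linear translation */` above the line, after confirming that is the intent. HvDoHypercall starts and ends outside the hunk.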
27673 diff -urNp linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c
27674 --- linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c      2010-08-26 19:47:12.000000000 -0400
27675 +++ linux-2.6.35.5/drivers/staging/msm/msm_fb_bl.c      2010-09-17 20:12:09.000000000 -0400
27676 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
27677         return 0;
27678  }
27679  
27680 -static struct backlight_ops msm_fb_bl_ops = {
27681 +static const struct backlight_ops msm_fb_bl_ops = {
27682         .get_brightness = msm_fb_bl_get_brightness,
27683         .update_status = msm_fb_bl_update_status,
27684  };
27685 diff -urNp linux-2.6.35.5/drivers/staging/panel/panel.c linux-2.6.35.5/drivers/staging/panel/panel.c
27686 --- linux-2.6.35.5/drivers/staging/panel/panel.c        2010-08-26 19:47:12.000000000 -0400
27687 +++ linux-2.6.35.5/drivers/staging/panel/panel.c        2010-09-17 20:12:09.000000000 -0400
27688 @@ -1304,7 +1304,7 @@ static int lcd_release(struct inode *ino
27689         return 0;
27690  }
27691  
27692 -static struct file_operations lcd_fops = {
27693 +static const struct file_operations lcd_fops = {
27694         .write   = lcd_write,
27695         .open    = lcd_open,
27696         .release = lcd_release,
27697 @@ -1564,7 +1564,7 @@ static int keypad_release(struct inode *
27698         return 0;
27699  }
27700  
27701 -static struct file_operations keypad_fops = {
27702 +static const struct file_operations keypad_fops = {
27703         .read    = keypad_read,         /* read */
27704         .open    = keypad_open,         /* open */
27705         .release = keypad_release,      /* close */
27706 diff -urNp linux-2.6.35.5/drivers/staging/phison/phison.c linux-2.6.35.5/drivers/staging/phison/phison.c
27707 --- linux-2.6.35.5/drivers/staging/phison/phison.c      2010-08-26 19:47:12.000000000 -0400
27708 +++ linux-2.6.35.5/drivers/staging/phison/phison.c      2010-09-17 20:12:09.000000000 -0400
27709 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27710         ATA_BMDMA_SHT(DRV_NAME),
27711  };
27712  
27713 -static struct ata_port_operations phison_ops = {
27714 +static const struct ata_port_operations phison_ops = {
27715         .inherits               = &ata_bmdma_port_ops,
27716         .prereset               = phison_pre_reset,
27717  };
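Review bot: `phison_ops` sets `.inherits = &ata_bmdma_port_ops`, and as far as I know libata resolves inheritance by writing the inherited methods into the ops structure when the host is set up, so a `const` object here is only safe if the libata side of this patch copes with a read-only target. That code is not visible in this hunk. If it is handled, a comment such as `/* const: inherited ops are filled in by the patched libata finalize path */` would save the next reader the search. If it is not, this struct belongs with the "cannot be const" case that the ehci-dbgp.c hunk documents.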
27718 diff -urNp linux-2.6.35.5/drivers/staging/pohmelfs/inode.c linux-2.6.35.5/drivers/staging/pohmelfs/inode.c
27719 --- linux-2.6.35.5/drivers/staging/pohmelfs/inode.c     2010-08-26 19:47:12.000000000 -0400
27720 +++ linux-2.6.35.5/drivers/staging/pohmelfs/inode.c     2010-09-17 20:12:09.000000000 -0400
27721 @@ -1846,7 +1846,7 @@ static int pohmelfs_fill_super(struct su
27722         mutex_init(&psb->mcache_lock);
27723         psb->mcache_root = RB_ROOT;
27724         psb->mcache_timeout = msecs_to_jiffies(5000);
27725 -       atomic_long_set(&psb->mcache_gen, 0);
27726 +       atomic_long_set_unchecked(&psb->mcache_gen, 0);
27727  
27728         psb->trans_max_pages = 100;
27729  
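Review bot: `mcache_gen` is switched to the `_unchecked` atomics here and in the mcache.c and netfs.h hunks with no comment recording why overflow detection is deliberately skipped for it. In the visible uses it is only set to 0 and incremented to stamp `m->gen`, which looks like a generation counter rather than a reference count, so a wrap would not release an object. That reasoning belongs next to the field: `/* generation stamp, not a refcount: wrap is harmless */` on the `atomic_long_unchecked_t mcache_gen;` line in netfs.h. Whether the insert path tolerates a repeated `gen` value is outside these hunks and should be confirmed first.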
27730 diff -urNp linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c
27731 --- linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c    2010-08-26 19:47:12.000000000 -0400
27732 +++ linux-2.6.35.5/drivers/staging/pohmelfs/mcache.c    2010-09-17 20:12:09.000000000 -0400
27733 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27734         m->data = data;
27735         m->start = start;
27736         m->size = size;
27737 -       m->gen = atomic_long_inc_return(&psb->mcache_gen);
27738 +       m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27739  
27740         mutex_lock(&psb->mcache_lock);
27741         err = pohmelfs_mcache_insert(psb, m);
27742 diff -urNp linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h
27743 --- linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h     2010-08-26 19:47:12.000000000 -0400
27744 +++ linux-2.6.35.5/drivers/staging/pohmelfs/netfs.h     2010-09-17 20:12:09.000000000 -0400
27745 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27746  struct pohmelfs_sb {
27747         struct rb_root          mcache_root;
27748         struct mutex            mcache_lock;
27749 -       atomic_long_t           mcache_gen;
27750 +       atomic_long_unchecked_t mcache_gen;
27751         unsigned long           mcache_timeout;
27752  
27753         unsigned int            idx;
27754 diff -urNp linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c
27755 --- linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c      2010-08-26 19:47:12.000000000 -0400
27756 +++ linux-2.6.35.5/drivers/staging/ramzswap/ramzswap_drv.c      2010-09-17 20:12:09.000000000 -0400
27757 @@ -693,7 +693,7 @@ void ramzswap_slot_free_notify(struct bl
27758         return;
27759  }
27760  
27761 -static struct block_device_operations ramzswap_devops = {
27762 +static const struct block_device_operations ramzswap_devops = {
27763         .ioctl = ramzswap_ioctl,
27764         .swap_slot_free_notify = ramzswap_slot_free_notify,
27765         .owner = THIS_MODULE
27766 diff -urNp linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c
27767 --- linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c    2010-08-26 19:47:12.000000000 -0400
27768 +++ linux-2.6.35.5/drivers/staging/rtl8192u/ieee80211/proc.c    2010-09-17 20:12:09.000000000 -0400
27769 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27770         return seq_open(file, &crypto_seq_ops);
27771  }
27772  
27773 -static struct file_operations proc_crypto_ops = {
27774 +static const struct file_operations proc_crypto_ops = {
27775         .open           = crypto_info_open,
27776         .read           = seq_read,
27777         .llseek         = seq_lseek,
27778 diff -urNp linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c
27779 --- linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c      2010-08-26 19:47:12.000000000 -0400
27780 +++ linux-2.6.35.5/drivers/staging/samsung-laptop/samsung-laptop.c      2010-09-17 20:12:09.000000000 -0400
27781 @@ -269,7 +269,7 @@ static int update_status(struct backligh
27782         return 0;
27783  }
27784  
27785 -static struct backlight_ops backlight_ops = {
27786 +static const struct backlight_ops backlight_ops = {
27787         .get_brightness = get_brightness,
27788         .update_status  = update_status,
27789  };
27790 diff -urNp linux-2.6.35.5/drivers/staging/sep/sep_driver.c linux-2.6.35.5/drivers/staging/sep/sep_driver.c
27791 --- linux-2.6.35.5/drivers/staging/sep/sep_driver.c     2010-08-26 19:47:12.000000000 -0400
27792 +++ linux-2.6.35.5/drivers/staging/sep/sep_driver.c     2010-09-17 20:12:09.000000000 -0400
27793 @@ -2637,7 +2637,7 @@ static struct pci_driver sep_pci_driver 
27794  static dev_t sep_devno;
27795  
27796  /* the files operations structure of the driver */
27797 -static struct file_operations sep_file_operations = {
27798 +static const struct file_operations sep_file_operations = {
27799         .owner = THIS_MODULE,
27800         .unlocked_ioctl = sep_ioctl,
27801         .poll = sep_poll,
27802 diff -urNp linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c
27803 --- linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c       2010-08-26 19:47:12.000000000 -0400
27804 +++ linux-2.6.35.5/drivers/staging/vme/devices/vme_user.c       2010-09-17 20:12:09.000000000 -0400
27805 @@ -136,7 +136,7 @@ static long vme_user_unlocked_ioctl(stru
27806  static int __init vme_user_probe(struct device *, int, int);
27807  static int __exit vme_user_remove(struct device *, int, int);
27808  
27809 -static struct file_operations vme_user_fops = {
27810 +static const struct file_operations vme_user_fops = {
27811          .open = vme_user_open,
27812          .release = vme_user_release,
27813          .read = vme_user_read,
27814 diff -urNp linux-2.6.35.5/drivers/usb/atm/usbatm.c linux-2.6.35.5/drivers/usb/atm/usbatm.c
27815 --- linux-2.6.35.5/drivers/usb/atm/usbatm.c     2010-08-26 19:47:12.000000000 -0400
27816 +++ linux-2.6.35.5/drivers/usb/atm/usbatm.c     2010-09-17 20:12:09.000000000 -0400
27817 @@ -333,7 +333,7 @@ static void usbatm_extract_one_cell(stru
27818                 if (printk_ratelimit())
27819                         atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
27820                                 __func__, vpi, vci);
27821 -               atomic_inc(&vcc->stats->rx_err);
27822 +               atomic_inc_unchecked(&vcc->stats->rx_err);
27823                 return;
27824         }
27825  
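Review bot: The `rx_err`, `rx_drop`, `rx` and `tx` counters become `_unchecked` in this hunk and in the six usbatm.c hunks that follow, which only compiles if the stats structure's fields are converted to the unchecked atomic type elsewhere in the patch; that declaration is not visible here. These are traffic statistics, so opting out of overflow trapping looks appropriate, but the usbatm_atm_proc_read hunk still formats them with `%d`, so a wrapped counter would be shown as a negative number. Consider `%u` with an `(unsigned int)` cast there, or a one-line comment stating that wrap is expected. usbatm_extract_one_cell starts and ends outside the hunk.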
27826 @@ -361,7 +361,7 @@ static void usbatm_extract_one_cell(stru
27827                 if (length > ATM_MAX_AAL5_PDU) {
27828                         atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
27829                                   __func__, length, vcc);
27830 -                       atomic_inc(&vcc->stats->rx_err);
27831 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
27832                         goto out;
27833                 }
27834  
27835 @@ -370,14 +370,14 @@ static void usbatm_extract_one_cell(stru
27836                 if (sarb->len < pdu_length) {
27837                         atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
27838                                   __func__, pdu_length, sarb->len, vcc);
27839 -                       atomic_inc(&vcc->stats->rx_err);
27840 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
27841                         goto out;
27842                 }
27843  
27844                 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
27845                         atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
27846                                   __func__, vcc);
27847 -                       atomic_inc(&vcc->stats->rx_err);
27848 +                       atomic_inc_unchecked(&vcc->stats->rx_err);
27849                         goto out;
27850                 }
27851  
27852 @@ -387,7 +387,7 @@ static void usbatm_extract_one_cell(stru
27853                         if (printk_ratelimit())
27854                                 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
27855                                         __func__, length);
27856 -                       atomic_inc(&vcc->stats->rx_drop);
27857 +                       atomic_inc_unchecked(&vcc->stats->rx_drop);
27858                         goto out;
27859                 }
27860  
27861 @@ -412,7 +412,7 @@ static void usbatm_extract_one_cell(stru
27862  
27863                 vcc->push(vcc, skb);
27864  
27865 -               atomic_inc(&vcc->stats->rx);
27866 +               atomic_inc_unchecked(&vcc->stats->rx);
27867         out:
27868                 skb_trim(sarb, 0);
27869         }
27870 @@ -616,7 +616,7 @@ static void usbatm_tx_process(unsigned l
27871                         struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
27872  
27873                         usbatm_pop(vcc, skb);
27874 -                       atomic_inc(&vcc->stats->tx);
27875 +                       atomic_inc_unchecked(&vcc->stats->tx);
27876  
27877                         skb = skb_dequeue(&instance->sndqueue);
27878                 }
27879 @@ -775,11 +775,11 @@ static int usbatm_atm_proc_read(struct a
27880         if (!left--)
27881                 return sprintf(page,
27882                                "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
27883 -                              atomic_read(&atm_dev->stats.aal5.tx),
27884 -                              atomic_read(&atm_dev->stats.aal5.tx_err),
27885 -                              atomic_read(&atm_dev->stats.aal5.rx),
27886 -                              atomic_read(&atm_dev->stats.aal5.rx_err),
27887 -                              atomic_read(&atm_dev->stats.aal5.rx_drop));
27888 +                              atomic_read_unchecked(&atm_dev->stats.aal5.tx),
27889 +                              atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
27890 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx),
27891 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
27892 +                              atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
27893  
27894         if (!left--) {
27895                 if (instance->disconnected)
27896 diff -urNp linux-2.6.35.5/drivers/usb/class/cdc-acm.c linux-2.6.35.5/drivers/usb/class/cdc-acm.c
27897 --- linux-2.6.35.5/drivers/usb/class/cdc-acm.c  2010-09-20 17:33:09.000000000 -0400
27898 +++ linux-2.6.35.5/drivers/usb/class/cdc-acm.c  2010-09-20 17:33:32.000000000 -0400
27899 @@ -1640,7 +1640,7 @@ static const struct usb_device_id acm_id
27900         { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
27901                 USB_CDC_ACM_PROTO_AT_CDMA) },
27902  
27903 -       { }
27904 +       { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
27905  };
27906  
27907  MODULE_DEVICE_TABLE(usb, acm_ids);
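Review bot: The terminating entry is now written as twelve positional zeroes, which ties the table to the current field count of `struct usb_device_id` and is harder to recognise as a sentinel than the empty initializer it replaces. The same pattern appears in the usblp.c, hub.c, ehci-pci.c, uhci-hcd.c, storage/usb.c and usual-tables.c hunks, and the two PCI tables also lose their `/* end: all zeroes */` comment. If the explicit form is needed to satisfy a missing-initializer warning, keep a trailing `/* Terminating entry */` on each of these lines, including this one, which has none.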
27908 diff -urNp linux-2.6.35.5/drivers/usb/class/cdc-wdm.c linux-2.6.35.5/drivers/usb/class/cdc-wdm.c
27909 --- linux-2.6.35.5/drivers/usb/class/cdc-wdm.c  2010-08-26 19:47:12.000000000 -0400
27910 +++ linux-2.6.35.5/drivers/usb/class/cdc-wdm.c  2010-09-17 20:12:09.000000000 -0400
27911 @@ -342,7 +342,7 @@ static ssize_t wdm_write
27912                 goto outnp;
27913         }
27914  
27915 -       if (!file->f_flags && O_NONBLOCK)
27916 +       if (!(file->f_flags & O_NONBLOCK))
27917                 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
27918                                                                 &desc->flags));
27919         else
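Review bot: With the flag test corrected, the blocking branch is taken for every descriptor opened without `O_NONBLOCK`, so `r` can now carry the interrupted-wait error from `wait_event_interruptible()` on a path that was almost never reached before. The hunk ends at the `else`, so it cannot be confirmed from here that `r < 0` is checked and the function's cleanup labels are used before returning; that is worth verifying in the lines that follow. wdm_write starts and ends outside the hunk.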
27920 diff -urNp linux-2.6.35.5/drivers/usb/class/usblp.c linux-2.6.35.5/drivers/usb/class/usblp.c
27921 --- linux-2.6.35.5/drivers/usb/class/usblp.c    2010-08-26 19:47:12.000000000 -0400
27922 +++ linux-2.6.35.5/drivers/usb/class/usblp.c    2010-09-17 20:12:09.000000000 -0400
27923 @@ -226,7 +226,7 @@ static const struct quirk_printer_struct
27924         { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
27925         { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
27926         { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
27927 -       { 0, 0 }
27928 +       { 0, 0, 0 }
27929  };
27930  
27931  static int usblp_wwait(struct usblp *usblp, int nonblock);
27932 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
27933         { USB_INTERFACE_INFO(7, 1, 2) },
27934         { USB_INTERFACE_INFO(7, 1, 3) },
27935         { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
27936 -       { }                                             /* Terminating entry */
27937 +       { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }          /* Terminating entry */
27938  };
27939  
27940  MODULE_DEVICE_TABLE (usb, usblp_ids);
27941 diff -urNp linux-2.6.35.5/drivers/usb/core/hcd.c linux-2.6.35.5/drivers/usb/core/hcd.c
27942 --- linux-2.6.35.5/drivers/usb/core/hcd.c       2010-08-26 19:47:12.000000000 -0400
27943 +++ linux-2.6.35.5/drivers/usb/core/hcd.c       2010-09-17 20:12:09.000000000 -0400
27944 @@ -2381,7 +2381,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
27945  
27946  #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
27947  
27948 -struct usb_mon_operations *mon_ops;
27949 +const struct usb_mon_operations *mon_ops;
27950  
27951  /*
27952   * The registration is unlocked.
27953 @@ -2391,7 +2391,7 @@ struct usb_mon_operations *mon_ops;
27954   * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
27955   */
27956   
27957 -int usb_mon_register (struct usb_mon_operations *ops)
27958 +int usb_mon_register (const struct usb_mon_operations *ops)
27959  {
27960  
27961         if (mon_ops)
27962 diff -urNp linux-2.6.35.5/drivers/usb/core/hub.c linux-2.6.35.5/drivers/usb/core/hub.c
27963 --- linux-2.6.35.5/drivers/usb/core/hub.c       2010-08-26 19:47:12.000000000 -0400
27964 +++ linux-2.6.35.5/drivers/usb/core/hub.c       2010-09-17 20:12:09.000000000 -0400
27965 @@ -3453,7 +3453,7 @@ static const struct usb_device_id hub_id
27966        .bDeviceClass = USB_CLASS_HUB},
27967      { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
27968        .bInterfaceClass = USB_CLASS_HUB},
27969 -    { }                                                /* Terminating entry */
27970 +    { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }                                             /* Terminating entry */
27971  };
27972  
27973  MODULE_DEVICE_TABLE (usb, hub_id_table);
27974 diff -urNp linux-2.6.35.5/drivers/usb/core/message.c linux-2.6.35.5/drivers/usb/core/message.c
27975 --- linux-2.6.35.5/drivers/usb/core/message.c   2010-09-20 17:33:09.000000000 -0400
27976 +++ linux-2.6.35.5/drivers/usb/core/message.c   2010-09-20 17:33:32.000000000 -0400
27977 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
27978         buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
27979         if (buf) {
27980                 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
27981 -               if (len > 0) {
27982 -                       smallbuf = kmalloc(++len, GFP_NOIO);
27983 +               if (len++ > 0) {
27984 +                       smallbuf = kmalloc(len, GFP_NOIO);
27985                         if (!smallbuf)
27986                                 return buf;
27987                         memcpy(smallbuf, buf, len);
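Review bot: Moving the increment into the condition (`if (len++ > 0)`) changes `len` even when the test fails and hides the extra byte, presumably for the terminating NUL, inside a comparison. Because `len` then sizes both `kmalloc()` and `memcpy()`, an explicit step is easier to audit: `if (len > 0) { len++; smallbuf = kmalloc(len, GFP_NOIO);`. Whether `len` is read again after the failed branch is outside the hunk, as is the rest of usb_cache_string.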
27988 diff -urNp linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c
27989 --- linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c        2010-08-26 19:47:12.000000000 -0400
27990 +++ linux-2.6.35.5/drivers/usb/early/ehci-dbgp.c        2010-09-17 20:12:09.000000000 -0400
27991 @@ -1026,6 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
27992         early_dbgp_write(NULL, &chr, 1);
27993  }
27994  
27995 +/* cannot be const, see kgdbdbgp_parse_config() */
27996  static struct kgdb_io kgdbdbgp_io_ops = {
27997         .name = "kgdbdbgp",
27998         .read_char = kgdbdbgp_read_char,
27999 diff -urNp linux-2.6.35.5/drivers/usb/host/ehci-pci.c linux-2.6.35.5/drivers/usb/host/ehci-pci.c
28000 --- linux-2.6.35.5/drivers/usb/host/ehci-pci.c  2010-08-26 19:47:12.000000000 -0400
28001 +++ linux-2.6.35.5/drivers/usb/host/ehci-pci.c  2010-09-17 20:12:09.000000000 -0400
28002 @@ -419,7 +419,7 @@ static const struct pci_device_id pci_id
28003         PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28004         .driver_data =  (unsigned long) &ehci_pci_hc_driver,
28005         },
28006 -       { /* end: all zeroes */ }
28007 +       { 0, 0, 0, 0, 0, 0, 0 }
28008  };
28009  MODULE_DEVICE_TABLE(pci, pci_ids);
28010  
28011 diff -urNp linux-2.6.35.5/drivers/usb/host/uhci-hcd.c linux-2.6.35.5/drivers/usb/host/uhci-hcd.c
28012 --- linux-2.6.35.5/drivers/usb/host/uhci-hcd.c  2010-08-26 19:47:12.000000000 -0400
28013 +++ linux-2.6.35.5/drivers/usb/host/uhci-hcd.c  2010-09-17 20:12:09.000000000 -0400
28014 @@ -941,7 +941,7 @@ static const struct pci_device_id uhci_p
28015         /* handle any USB UHCI controller */
28016         PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28017         .driver_data =  (unsigned long) &uhci_driver,
28018 -       }, { /* end: all zeroes */ }
28019 +       }, { 0, 0, 0, 0, 0, 0, 0 }
28020  };
28021  
28022  MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28023 diff -urNp linux-2.6.35.5/drivers/usb/mon/mon_main.c linux-2.6.35.5/drivers/usb/mon/mon_main.c
28024 --- linux-2.6.35.5/drivers/usb/mon/mon_main.c   2010-08-26 19:47:12.000000000 -0400
28025 +++ linux-2.6.35.5/drivers/usb/mon/mon_main.c   2010-09-17 20:12:09.000000000 -0400
28026 @@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
28027  /*
28028   * Ops
28029   */
28030 -static struct usb_mon_operations mon_ops_0 = {
28031 +static const struct usb_mon_operations mon_ops_0 = {
28032         .urb_submit =   mon_submit,
28033         .urb_submit_error = mon_submit_error,
28034         .urb_complete = mon_complete,
28035 diff -urNp linux-2.6.35.5/drivers/usb/storage/debug.h linux-2.6.35.5/drivers/usb/storage/debug.h
28036 --- linux-2.6.35.5/drivers/usb/storage/debug.h  2010-08-26 19:47:12.000000000 -0400
28037 +++ linux-2.6.35.5/drivers/usb/storage/debug.h  2010-09-17 20:12:09.000000000 -0400
28038 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char 
28039  #define US_DEBUGPX(x...) printk( x )
28040  #define US_DEBUG(x) x 
28041  #else
28042 -#define US_DEBUGP(x...)
28043 -#define US_DEBUGPX(x...)
28044 -#define US_DEBUG(x)
28045 +#define US_DEBUGP(x...) do {} while (0)
28046 +#define US_DEBUGPX(x...) do {} while (0)
28047 +#define US_DEBUG(x) do {} while (0)
28048  #endif
28049  
28050  #endif
28051 diff -urNp linux-2.6.35.5/drivers/usb/storage/usb.c linux-2.6.35.5/drivers/usb/storage/usb.c
28052 --- linux-2.6.35.5/drivers/usb/storage/usb.c    2010-08-26 19:47:12.000000000 -0400
28053 +++ linux-2.6.35.5/drivers/usb/storage/usb.c    2010-09-17 20:12:09.000000000 -0400
28054 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28055  
28056  static struct us_unusual_dev us_unusual_dev_list[] = {
28057  #      include "unusual_devs.h" 
28058 -       { }             /* Terminating entry */
28059 +       { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28060  };
28061  
28062  #undef UNUSUAL_DEV
28063 diff -urNp linux-2.6.35.5/drivers/usb/storage/usual-tables.c linux-2.6.35.5/drivers/usb/storage/usual-tables.c
28064 --- linux-2.6.35.5/drivers/usb/storage/usual-tables.c   2010-08-26 19:47:12.000000000 -0400
28065 +++ linux-2.6.35.5/drivers/usb/storage/usual-tables.c   2010-09-17 20:12:09.000000000 -0400
28066 @@ -48,7 +48,7 @@
28067  
28068  struct usb_device_id usb_storage_usb_ids[] = {
28069  #      include "unusual_devs.h"
28070 -       { }             /* Terminating entry */
28071 +       { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }          /* Terminating entry */
28072  };
28073  EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28074  
28075 diff -urNp linux-2.6.35.5/drivers/uwb/wlp/messages.c linux-2.6.35.5/drivers/uwb/wlp/messages.c
28076 --- linux-2.6.35.5/drivers/uwb/wlp/messages.c   2010-08-26 19:47:12.000000000 -0400
28077 +++ linux-2.6.35.5/drivers/uwb/wlp/messages.c   2010-09-17 20:12:09.000000000 -0400
28078 @@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
28079         size_t len = skb->len;
28080         size_t used;
28081         ssize_t result;
28082 -       struct wlp_nonce enonce, rnonce;
28083 +       struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
28084         enum wlp_assc_error assc_err;
28085         char enonce_buf[WLP_WSS_NONCE_STRSIZE];
28086         char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
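Review bot: `enonce` and `rnonce` are now zero-initialised, but `enonce_buf` and `rnonce_buf` two lines below are still uninitialised, and nothing records which path reads the nonces before they are parsed. If those buffers can be printed or copied on the same early-exit path they need the same treatment, e.g. `char enonce_buf[WLP_WSS_NONCE_STRSIZE] = "";`. The body of wlp_parse_f0 is outside the hunk, so this needs confirming. A comment such as `/* zeroed: may be formatted before being filled */` on the nonce line would document the intent.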
28087 diff -urNp linux-2.6.35.5/drivers/vhost/vhost.c linux-2.6.35.5/drivers/vhost/vhost.c
28088 --- linux-2.6.35.5/drivers/vhost/vhost.c        2010-08-26 19:47:12.000000000 -0400
28089 +++ linux-2.6.35.5/drivers/vhost/vhost.c        2010-09-17 20:12:09.000000000 -0400
28090 @@ -357,7 +357,7 @@ static int init_used(struct vhost_virtqu
28091         return get_user(vq->last_used_idx, &used->idx);
28092  }
28093  
28094 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28095 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28096  {
28097         struct file *eventfp, *filep = NULL,
28098                     *pollstart = NULL, *pollstop = NULL;
28099 diff -urNp linux-2.6.35.5/drivers/video/atmel_lcdfb.c linux-2.6.35.5/drivers/video/atmel_lcdfb.c
28100 --- linux-2.6.35.5/drivers/video/atmel_lcdfb.c  2010-08-26 19:47:12.000000000 -0400
28101 +++ linux-2.6.35.5/drivers/video/atmel_lcdfb.c  2010-09-17 20:12:09.000000000 -0400
28102 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28103         return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28104  }
28105  
28106 -static struct backlight_ops atmel_lcdc_bl_ops = {
28107 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28108         .update_status = atmel_bl_update_status,
28109         .get_brightness = atmel_bl_get_brightness,
28110  };
28111 diff -urNp linux-2.6.35.5/drivers/video/aty/aty128fb.c linux-2.6.35.5/drivers/video/aty/aty128fb.c
28112 --- linux-2.6.35.5/drivers/video/aty/aty128fb.c 2010-08-26 19:47:12.000000000 -0400
28113 +++ linux-2.6.35.5/drivers/video/aty/aty128fb.c 2010-09-17 20:12:09.000000000 -0400
28114 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28115         return bd->props.brightness;
28116  }
28117  
28118 -static struct backlight_ops aty128_bl_data = {
28119 +static const struct backlight_ops aty128_bl_data = {
28120         .get_brightness = aty128_bl_get_brightness,
28121         .update_status  = aty128_bl_update_status,
28122  };
28123 diff -urNp linux-2.6.35.5/drivers/video/aty/atyfb_base.c linux-2.6.35.5/drivers/video/aty/atyfb_base.c
28124 --- linux-2.6.35.5/drivers/video/aty/atyfb_base.c       2010-08-26 19:47:12.000000000 -0400
28125 +++ linux-2.6.35.5/drivers/video/aty/atyfb_base.c       2010-09-17 20:12:09.000000000 -0400
28126 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct 
28127         return bd->props.brightness;
28128  }
28129  
28130 -static struct backlight_ops aty_bl_data = {
28131 +static const struct backlight_ops aty_bl_data = {
28132         .get_brightness = aty_bl_get_brightness,
28133         .update_status  = aty_bl_update_status,
28134  };
28135 diff -urNp linux-2.6.35.5/drivers/video/aty/radeon_backlight.c linux-2.6.35.5/drivers/video/aty/radeon_backlight.c
28136 --- linux-2.6.35.5/drivers/video/aty/radeon_backlight.c 2010-08-26 19:47:12.000000000 -0400
28137 +++ linux-2.6.35.5/drivers/video/aty/radeon_backlight.c 2010-09-17 20:12:09.000000000 -0400
28138 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28139         return bd->props.brightness;
28140  }
28141  
28142 -static struct backlight_ops radeon_bl_data = {
28143 +static const struct backlight_ops radeon_bl_data = {
28144         .get_brightness = radeon_bl_get_brightness,
28145         .update_status  = radeon_bl_update_status,
28146  };
28147 diff -urNp linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c
28148 --- linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c        2010-08-26 19:47:12.000000000 -0400
28149 +++ linux-2.6.35.5/drivers/video/backlight/88pm860x_bl.c        2010-09-17 20:12:09.000000000 -0400
28150 @@ -155,7 +155,7 @@ out:
28151         return -EINVAL;
28152  }
28153  
28154 -static struct backlight_ops pm860x_backlight_ops = {
28155 +static const struct backlight_ops pm860x_backlight_ops = {
28156         .options        = BL_CORE_SUSPENDRESUME,
28157         .update_status  = pm860x_backlight_update_status,
28158         .get_brightness = pm860x_backlight_get_brightness,
28159 diff -urNp linux-2.6.35.5/drivers/video/backlight/max8925_bl.c linux-2.6.35.5/drivers/video/backlight/max8925_bl.c
28160 --- linux-2.6.35.5/drivers/video/backlight/max8925_bl.c 2010-08-26 19:47:12.000000000 -0400
28161 +++ linux-2.6.35.5/drivers/video/backlight/max8925_bl.c 2010-09-17 20:12:09.000000000 -0400
28162 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28163         return ret;
28164  }
28165  
28166 -static struct backlight_ops max8925_backlight_ops = {
28167 +static const struct backlight_ops max8925_backlight_ops = {
28168         .options        = BL_CORE_SUSPENDRESUME,
28169         .update_status  = max8925_backlight_update_status,
28170         .get_brightness = max8925_backlight_get_brightness,
28171 diff -urNp linux-2.6.35.5/drivers/video/fbcmap.c linux-2.6.35.5/drivers/video/fbcmap.c
28172 --- linux-2.6.35.5/drivers/video/fbcmap.c       2010-08-26 19:47:12.000000000 -0400
28173 +++ linux-2.6.35.5/drivers/video/fbcmap.c       2010-09-17 20:12:09.000000000 -0400
28174 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28175                 rc = -ENODEV;
28176                 goto out;
28177         }
28178 -       if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28179 -                               !info->fbops->fb_setcmap)) {
28180 +       if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28181                 rc = -EINVAL;
28182                 goto out1;
28183         }
28184 diff -urNp linux-2.6.35.5/drivers/video/fbmem.c linux-2.6.35.5/drivers/video/fbmem.c
28185 --- linux-2.6.35.5/drivers/video/fbmem.c        2010-08-26 19:47:12.000000000 -0400
28186 +++ linux-2.6.35.5/drivers/video/fbmem.c        2010-09-17 20:12:09.000000000 -0400
28187 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28188                         image->dx += image->width + 8;
28189                 }
28190         } else if (rotate == FB_ROTATE_UD) {
28191 -               for (x = 0; x < num && image->dx >= 0; x++) {
28192 +               for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28193                         info->fbops->fb_imageblit(info, image);
28194                         image->dx -= image->width + 8;
28195                 }
28196 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28197                         image->dy += image->height + 8;
28198                 }
28199         } else if (rotate == FB_ROTATE_CCW) {
28200 -               for (x = 0; x < num && image->dy >= 0; x++) {
28201 +               for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28202                         info->fbops->fb_imageblit(info, image);
28203                         image->dy -= image->height + 8;
28204                 }
28205 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
28206                         return -EFAULT;
28207                 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28208                         return -EINVAL;
28209 -               if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28210 +               if (con2fb.framebuffer >= FB_MAX)
28211                         return -EINVAL;
28212                 if (!registered_fb[con2fb.framebuffer])
28213                         request_module("fb%d", con2fb.framebuffer);
28214 diff -urNp linux-2.6.35.5/drivers/video/fbmon.c linux-2.6.35.5/drivers/video/fbmon.c
28215 --- linux-2.6.35.5/drivers/video/fbmon.c        2010-08-26 19:47:12.000000000 -0400
28216 +++ linux-2.6.35.5/drivers/video/fbmon.c        2010-09-17 20:12:09.000000000 -0400
28217 @@ -46,7 +46,7 @@
28218  #ifdef DEBUG
28219  #define DPRINTK(fmt, args...) printk(fmt,## args)
28220  #else
28221 -#define DPRINTK(fmt, args...)
28222 +#define DPRINTK(fmt, args...) do {} while (0)
28223  #endif
28224  
28225  #define FBMON_FIX_HEADER  1
28226 diff -urNp linux-2.6.35.5/drivers/video/i810/i810_accel.c linux-2.6.35.5/drivers/video/i810/i810_accel.c
28227 --- linux-2.6.35.5/drivers/video/i810/i810_accel.c      2010-08-26 19:47:12.000000000 -0400
28228 +++ linux-2.6.35.5/drivers/video/i810/i810_accel.c      2010-09-17 20:12:09.000000000 -0400
28229 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct 
28230                 }
28231         }
28232         printk("ringbuffer lockup!!!\n");
28233 +       printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28234         i810_report_error(mmio); 
28235         par->dev_flags |= LOCKUP;
28236         info->pixmap.scan_align = 1;
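Review bot: The added diagnostic `printk` carries no log level and no driver prefix, so on a lockup it is logged at the default level and is hard to attribute when triaging. I would write it as `printk(KERN_ERR "i810fb: head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The declarations of `head`, `tail` and `space` are outside the hunk, so the `%u` specifiers should be checked against their actual types. wait_for_space() starts before this hunk.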
28237 diff -urNp linux-2.6.35.5/drivers/video/i810/i810_main.c linux-2.6.35.5/drivers/video/i810/i810_main.c
28238 --- linux-2.6.35.5/drivers/video/i810/i810_main.c       2010-08-26 19:47:12.000000000 -0400
28239 +++ linux-2.6.35.5/drivers/video/i810/i810_main.c       2010-09-17 20:12:09.000000000 -0400
28240 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28241           PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28242         { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28243           PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28244 -       { 0 },
28245 +       { 0, 0, 0, 0, 0, 0, 0 },
28246  };
28247  
28248  static struct pci_driver i810fb_driver = {
28249 diff -urNp linux-2.6.35.5/drivers/video/modedb.c linux-2.6.35.5/drivers/video/modedb.c
28250 --- linux-2.6.35.5/drivers/video/modedb.c       2010-08-26 19:47:12.000000000 -0400
28251 +++ linux-2.6.35.5/drivers/video/modedb.c       2010-09-17 20:12:09.000000000 -0400
28252 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28253      {
28254         /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28255         NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28256 -       0, FB_VMODE_NONINTERLACED
28257 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28258      }, {
28259         /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28260         NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28261 -       0, FB_VMODE_NONINTERLACED
28262 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28263      }, {
28264         /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28265         NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28266 -       0, FB_VMODE_NONINTERLACED
28267 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28268      }, {
28269         /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28270         NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28271 -       0, FB_VMODE_INTERLACED
28272 +       0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28273      }, {
28274         /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28275         NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28276 -       FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28277 +       FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28278      }, {
28279         /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28280         NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28281 -       0, FB_VMODE_NONINTERLACED
28282 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28283      }, {
28284         /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28285         NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28286 -       0, FB_VMODE_NONINTERLACED
28287 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28288      }, {
28289         /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28290         NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28291 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28292 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28293      }, {
28294         /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28295         NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28296 -       0, FB_VMODE_NONINTERLACED
28297 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28298      }, {
28299         /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28300         NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28301 -       0, FB_VMODE_INTERLACED
28302 +       0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28303      }, {
28304         /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28305         NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28306 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28307 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28308      }, {
28309         /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28310         NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28311 -       0, FB_VMODE_NONINTERLACED
28312 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28313      }, {
28314         /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28315         NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28316 -       0, FB_VMODE_NONINTERLACED
28317 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28318      }, {
28319         /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28320         NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28321 -       0, FB_VMODE_NONINTERLACED
28322 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28323      }, {
28324         /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28325         NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28326 -       0, FB_VMODE_NONINTERLACED
28327 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28328      }, {
28329         /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28330         NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28331 -       0, FB_VMODE_NONINTERLACED
28332 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28333      }, {
28334         /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28335         NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28336 -       0, FB_VMODE_INTERLACED
28337 +       0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28338      }, {
28339         /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28340         NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28341 -       0, FB_VMODE_NONINTERLACED
28342 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28343      }, {
28344         /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28345         NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28346 -       0, FB_VMODE_NONINTERLACED
28347 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28348      }, {
28349         /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28350         NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28351 -       0, FB_VMODE_NONINTERLACED
28352 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28353      }, {
28354         /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28355         NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28356 -       0, FB_VMODE_NONINTERLACED
28357 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28358      }, {
28359         /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28360         NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28361 -       0, FB_VMODE_NONINTERLACED       
28362 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28363      }, {
28364         /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28365         NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28366 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28367 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28368      }, {
28369         /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28370          NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28371 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28372 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28373      }, {
28374         /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28375         NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28376 -       0, FB_VMODE_NONINTERLACED
28377 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28378      }, {
28379         /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28380         NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28381 -       0, FB_VMODE_NONINTERLACED
28382 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28383      }, {
28384         /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28385         NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
28386 -       0, FB_VMODE_NONINTERLACED
28387 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28388      }, {
28389         /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28390         NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28391 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28392 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28393      }, {
28394         /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28395         NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
28396 -       0, FB_VMODE_NONINTERLACED
28397 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28398      }, {
28399         /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28400         NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
28401 -       0, FB_VMODE_NONINTERLACED
28402 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28403      }, {
28404         /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28405         NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
28406 -       0, FB_VMODE_NONINTERLACED
28407 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28408      }, {
28409         /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28410         NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
28411 -       0, FB_VMODE_NONINTERLACED
28412 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28413      }, {
28414         /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28415         NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
28416 -       0, FB_VMODE_NONINTERLACED
28417 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28418      }, {
28419         /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28420         NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
28421 -       0, FB_VMODE_NONINTERLACED
28422 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28423      }, {
28424         /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28425         NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28426 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28427 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28428      }, {
28429         /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28430         NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28431 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28432 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28433      }, {
28434         /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28435         NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28436 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28437 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28438      }, {
28439         /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28440         NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28441 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28442 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28443      }, {
28444         /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28445         NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
28446 -       0, FB_VMODE_NONINTERLACED
28447 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28448      }, {
28449         /* 1800x1440 @ 64Hz, 96.15 kHz hsync  */
28450         NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28451 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28452 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28453      }, {
28454         /* 1800x1440 @ 70Hz, 104.52 kHz hsync  */
28455         NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28456 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28457 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28458      }, {
28459         /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28460         NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
28461 -       0, FB_VMODE_NONINTERLACED
28462 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28463      }, {
28464         /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28465         NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
28466 -       0, FB_VMODE_NONINTERLACED
28467 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28468      }, {
28469         /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28470         NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
28471 -       0, FB_VMODE_DOUBLE
28472 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28473      }, {
28474         /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28475         NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
28476 -       0, FB_VMODE_DOUBLE
28477 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28478      }, {
28479         /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28480         NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
28481 -       0, FB_VMODE_DOUBLE
28482 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28483      }, {
28484         /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28485         NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
28486 -       0, FB_VMODE_DOUBLE
28487 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28488      }, {
28489         /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28490         NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
28491 -       0, FB_VMODE_DOUBLE
28492 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28493      }, {
28494         /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28495         NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
28496 -       0, FB_VMODE_DOUBLE
28497 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28498      }, {
28499         /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28500         NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
28501 -       0, FB_VMODE_DOUBLE
28502 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28503      }, {
28504         /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28505         NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
28506 -       0, FB_VMODE_DOUBLE
28507 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28508      }, {
28509         /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28510         NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
28511 -       0, FB_VMODE_DOUBLE
28512 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28513      }, {
28514         /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28515         NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
28516 -       0, FB_VMODE_DOUBLE
28517 +       0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
28518      }, {
28519         /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28520         NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28521         FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28522 -       FB_VMODE_NONINTERLACED
28523 +       FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28524      }, {
28525         /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28526         NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28527 -       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28528 +       FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28529      }, {
28530         /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28531         NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
28532 -       0, FB_VMODE_NONINTERLACED
28533 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28534     }, {
28535         /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28536         NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
28537 -       0, FB_VMODE_NONINTERLACED
28538 +       0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28539      }, {
28540         /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28541         NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
28542 -       0, FB_VMODE_INTERLACED
28543 +       0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28544      }, {
28545         /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28546         NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
28547 -       0, FB_VMODE_INTERLACED
28548 +       0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28549      },
28550  };
28551  
28552 diff -urNp linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c
28553 --- linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c  2010-08-26 19:47:12.000000000 -0400
28554 +++ linux-2.6.35.5/drivers/video/nvidia/nv_backlight.c  2010-09-17 20:12:09.000000000 -0400
28555 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
28556         return bd->props.brightness;
28557  }
28558  
28559 -static struct backlight_ops nvidia_bl_ops = {
28560 +static const struct backlight_ops nvidia_bl_ops = {
28561         .get_brightness = nvidia_bl_get_brightness,
28562         .update_status  = nvidia_bl_update_status,
28563  };
28564 diff -urNp linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c
28565 --- linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c    2010-08-26 19:47:12.000000000 -0400
28566 +++ linux-2.6.35.5/drivers/video/omap2/displays/panel-taal.c    2010-09-17 20:12:09.000000000 -0400
28567 @@ -319,7 +319,7 @@ static int taal_bl_get_intensity(struct 
28568         return 0;
28569  }
28570  
28571 -static struct backlight_ops taal_bl_ops = {
28572 +static const struct backlight_ops taal_bl_ops = {
28573         .get_brightness = taal_bl_get_intensity,
28574         .update_status  = taal_bl_update_status,
28575  };
28576 diff -urNp linux-2.6.35.5/drivers/video/riva/fbdev.c linux-2.6.35.5/drivers/video/riva/fbdev.c
28577 --- linux-2.6.35.5/drivers/video/riva/fbdev.c   2010-08-26 19:47:12.000000000 -0400
28578 +++ linux-2.6.35.5/drivers/video/riva/fbdev.c   2010-09-17 20:12:09.000000000 -0400
28579 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
28580         return bd->props.brightness;
28581  }
28582  
28583 -static struct backlight_ops riva_bl_ops = {
28584 +static const struct backlight_ops riva_bl_ops = {
28585         .get_brightness = riva_bl_get_brightness,
28586         .update_status  = riva_bl_update_status,
28587  };
28588 diff -urNp linux-2.6.35.5/drivers/video/uvesafb.c linux-2.6.35.5/drivers/video/uvesafb.c
28589 --- linux-2.6.35.5/drivers/video/uvesafb.c      2010-08-26 19:47:12.000000000 -0400
28590 +++ linux-2.6.35.5/drivers/video/uvesafb.c      2010-09-17 20:12:09.000000000 -0400
28591 @@ -19,6 +19,7 @@
28592  #include <linux/io.h>
28593  #include <linux/mutex.h>
28594  #include <linux/slab.h>
28595 +#include <linux/moduleloader.h>
28596  #include <video/edid.h>
28597  #include <video/uvesafb.h>
28598  #ifdef CONFIG_X86
28599 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28600                 NULL,
28601         };
28602  
28603 -       return call_usermodehelper(v86d_path, argv, envp, 1);
28604 +       return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28605  }
28606  
28607  /*
28608 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
28609         if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28610                 par->pmi_setpal = par->ypan = 0;
28611         } else {
28612 +
28613 +#ifdef CONFIG_PAX_KERNEXEC
28614 +#ifdef CONFIG_MODULES
28615 +               par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28616 +#endif
28617 +               if (!par->pmi_code) {
28618 +                       par->pmi_setpal = par->ypan = 0;
28619 +                       return 0;
28620 +               }
28621 +#endif
28622 +
28623                 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28624                                                 + task->t.regs.edi);
28625 +
28626 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28627 +               pax_open_kernel();
28628 +               memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
28629 +               pax_close_kernel();
28630 +
28631 +               par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28632 +               par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28633 +#else
28634                 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28635                 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28636 +#endif
28637 +
28638                 printk(KERN_INFO "uvesafb: protected mode interface info at "
28639                                  "%04x:%04x\n",
28640                                  (u16)task->t.regs.es, (u16)task->t.regs.edi);
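Review bot: The entry-point offsets `par->pmi_base[1]` and `par->pmi_base[2]` are added to `par->pmi_code` without being compared against the `(u16)task->t.regs.ecx` bytes that were allocated and copied. An offset at or beyond that length leaves `pmi_start` or `pmi_pal` pointing outside the executable allocation. Both the length and the table contents come from the VBE call result, so they should be validated before use; on failure, free the copy and disable PMI the same way the allocation-failure path does. The vesafb_probe hunk further down has the same pattern with `screen_info.vesapm_size` and `pmi_base[1]`/`pmi_base[2]`. uvesafb_vbe_getpmi() starts and ends outside this hunk.

```c
#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
		/* Entry-point offsets must fall inside the ecx bytes copied below. */
		if (par->pmi_base[1] >= (u16)task->t.regs.ecx ||
		    par->pmi_base[2] >= (u16)task->t.regs.ecx) {
			module_free_exec(NULL, par->pmi_code);
			par->pmi_code = NULL;
			par->pmi_setpal = par->ypan = 0;
			return 0;
		}
		pax_open_kernel();
		/* … unchanged: memcpy, pax_close_kernel, pmi_start/pmi_pal assignment … */
```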
28641 @@ -1800,6 +1823,11 @@ out:
28642         if (par->vbe_modes)
28643                 kfree(par->vbe_modes);
28644  
28645 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28646 +       if (par->pmi_code)
28647 +               module_free_exec(NULL, par->pmi_code);
28648 +#endif
28649 +
28650         framebuffer_release(info);
28651         return err;
28652  }
28653 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
28654                                 kfree(par->vbe_state_orig);
28655                         if (par->vbe_state_saved)
28656                                 kfree(par->vbe_state_saved);
28657 +
28658 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28659 +                       if (par->pmi_code)
28660 +                               module_free_exec(NULL, par->pmi_code);
28661 +#endif
28662 +
28663                 }
28664  
28665                 framebuffer_release(info);
28666 diff -urNp linux-2.6.35.5/drivers/video/vesafb.c linux-2.6.35.5/drivers/video/vesafb.c
28667 --- linux-2.6.35.5/drivers/video/vesafb.c       2010-08-26 19:47:12.000000000 -0400
28668 +++ linux-2.6.35.5/drivers/video/vesafb.c       2010-09-17 20:12:09.000000000 -0400
28669 @@ -9,6 +9,7 @@
28670   */
28671  
28672  #include <linux/module.h>
28673 +#include <linux/moduleloader.h>
28674  #include <linux/kernel.h>
28675  #include <linux/errno.h>
28676  #include <linux/string.h>
28677 @@ -52,8 +53,8 @@ static int   vram_remap __initdata;           /* 
28678  static int   vram_total __initdata;            /* Set total amount of memory */
28679  static int   pmi_setpal __read_mostly = 1;     /* pmi for palette changes ??? */
28680  static int   ypan       __read_mostly;         /* 0..nothing, 1..ypan, 2..ywrap */
28681 -static void  (*pmi_start)(void) __read_mostly;
28682 -static void  (*pmi_pal)  (void) __read_mostly;
28683 +static void  (*pmi_start)(void) __read_only;
28684 +static void  (*pmi_pal)  (void) __read_only;
28685  static int   depth      __read_mostly;
28686  static int   vga_compat __read_mostly;
28687  /* --------------------------------------------------------------------- */
28688 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
28689         unsigned int size_vmode;
28690         unsigned int size_remap;
28691         unsigned int size_total;
28692 +       void *pmi_code = NULL;
28693  
28694         if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
28695                 return -ENODEV;
28696 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
28697                 size_remap = size_total;
28698         vesafb_fix.smem_len = size_remap;
28699  
28700 -#ifndef __i386__
28701 -       screen_info.vesapm_seg = 0;
28702 -#endif
28703 -
28704         if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
28705                 printk(KERN_WARNING
28706                        "vesafb: cannot reserve video memory at 0x%lx\n",
28707 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
28708         printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
28709                vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
28710  
28711 +#ifdef __i386__
28712 +
28713 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28714 +       pmi_code = module_alloc_exec(screen_info.vesapm_size);
28715 +       if (!pmi_code)
28716 +#elif !defined(CONFIG_PAX_KERNEXEC)
28717 +       if (0)
28718 +#endif
28719 +
28720 +#endif
28721 +       screen_info.vesapm_seg = 0;
28722 +
28723         if (screen_info.vesapm_seg) {
28724 -               printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
28725 -                      screen_info.vesapm_seg,screen_info.vesapm_off);
28726 +               printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
28727 +                      screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
28728         }
28729  
28730         if (screen_info.vesapm_seg < 0xc000)
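Review bot: The statement `screen_info.vesapm_seg = 0;` is governed by an `if` that exists only in some configurations and sits above two `#endif` lines, so whether PMI is disabled here cannot be read off the code without expanding the preprocessor by hand. Spelling out the three cases keeps the behaviour the same and makes the KERNEXEC-without-modules case (PMI always off) explicit. A one-line comment such as `/* PMI needs an executable copy under KERNEXEC; without it, disable PMI */` would also help. vesafb_probe() starts and ends outside this hunk.

```c
#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
	pmi_code = module_alloc_exec(screen_info.vesapm_size);
	if (!pmi_code)
		screen_info.vesapm_seg = 0;
#elif !defined(__i386__) || defined(CONFIG_PAX_KERNEXEC)
	screen_info.vesapm_seg = 0;
#endif
	/* … unchanged: printk of the protected mode interface info … */
```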
28731 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
28732  
28733         if (ypan || pmi_setpal) {
28734                 unsigned short *pmi_base;
28735 -               pmi_base  = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28736 -               pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
28737 -               pmi_pal   = (void*)((char*)pmi_base + pmi_base[2]);
28738 +
28739 +               pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
28740 +
28741 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28742 +               pax_open_kernel();
28743 +               memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
28744 +#else
28745 +               pmi_code = pmi_base;
28746 +#endif
28747 +
28748 +               pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
28749 +               pmi_pal   = (void*)((char*)pmi_code + pmi_base[2]);
28750 +
28751 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28752 +               pmi_start = ktva_ktla(pmi_start);
28753 +               pmi_pal = ktva_ktla(pmi_pal);
28754 +               pax_close_kernel();
28755 +#endif
28756 +
28757                 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
28758                 if (pmi_base[3]) {
28759                         printk(KERN_INFO "vesafb: pmi: ports = ");
28760 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
28761                info->node, info->fix.id);
28762         return 0;
28763  err:
28764 +
28765 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28766 +       module_free_exec(NULL, pmi_code);
28767 +#endif
28768 +
28769         if (info->screen_base)
28770                 iounmap(info->screen_base);
28771         framebuffer_release(info);
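Review bot: The `err:` path calls `module_free_exec(NULL, pmi_code)` unconditionally, although `pmi_code` is initialised to NULL and stays NULL when the allocation fails or the label is reached early. The uvesafb hunks in this same patch guard the call with `if (par->pmi_code)`. Whether `module_free_exec` tolerates a NULL pointer is not visible here, so I would match that form: `if (pmi_code) module_free_exec(NULL, pmi_code);`. vesafb_probe() starts outside this hunk.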
28772 diff -urNp linux-2.6.35.5/drivers/xen/events.c linux-2.6.35.5/drivers/xen/events.c
28773 --- linux-2.6.35.5/drivers/xen/events.c 2010-09-20 17:33:09.000000000 -0400
28774 +++ linux-2.6.35.5/drivers/xen/events.c 2010-09-21 21:22:54.000000000 -0400
28775 @@ -107,7 +107,6 @@ static inline unsigned long *cpu_evtchn_
28776  #define VALID_EVTCHN(chn)      ((chn) != 0)
28777  
28778  static struct irq_chip xen_dynamic_chip;
28779 -static struct irq_chip xen_percpu_chip;
28780  
28781  /* Constructor for packed IRQ information. */
28782  static struct irq_info mk_unbound_info(void)
28783 @@ -364,7 +363,7 @@ int bind_evtchn_to_irq(unsigned int evtc
28784                 irq = find_unbound_irq();
28785  
28786                 set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
28787 -                                             handle_edge_irq, "event");
28788 +                                             handle_level_irq, "event");
28789  
28790                 evtchn_to_irq[evtchn] = irq;
28791                 irq_info[irq] = mk_evtchn_info(evtchn);
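Review bot: The flow handler passed to `set_irq_chip_and_handler_name()` changes from `handle_edge_irq` to `handle_level_irq` here with no comment or rationale. The hunks in bind_ipi_to_irq and bind_virq_to_irq below additionally replace `xen_percpu_chip` and `handle_percpu_irq` with `xen_dynamic_chip` and `handle_level_irq`. The flow handler decides when the interrupt is masked and acked relative to the handler, so this changes event delivery and appears unrelated to the hardening changes elsewhere in the patch. Each call should carry an explanation, for example `/* level flow: mask+ack before the handler, unmask after; <reason> */`. bind_evtchn_to_irq continues outside the hunk.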
28792 @@ -390,8 +389,8 @@ static int bind_ipi_to_irq(unsigned int 
28793                 if (irq < 0)
28794                         goto out;
28795  
28796 -               set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
28797 -                                             handle_percpu_irq, "ipi");
28798 +               set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
28799 +                                             handle_level_irq, "ipi");
28800  
28801                 bind_ipi.vcpu = cpu;
28802                 if (HYPERVISOR_event_channel_op(EVTCHNOP_bind_ipi,
28803 @@ -431,8 +430,8 @@ static int bind_virq_to_irq(unsigned int
28804  
28805                 irq = find_unbound_irq();
28806  
28807 -               set_irq_chip_and_handler_name(irq, &xen_percpu_chip,
28808 -                                             handle_percpu_irq, "virq");
28809 +               set_irq_chip_and_handler_name(irq, &xen_dynamic_chip,
28810 +                                             handle_level_irq, "virq");
28811  
28812                 evtchn_to_irq[evtchn] = irq;
28813                 irq_info[irq] = mk_virq_info(evtchn, virq);
28814 @@ -935,16 +934,6 @@ static struct irq_chip xen_dynamic_chip 
28815         .retrigger      = retrigger_dynirq,
28816  };
28817  
28818 -static struct irq_chip en_percpu_chip __read_mostly = {
28819 -       .name           = "xen-percpu",
28820 -
28821 -       .disable        = disable_dynirq,
28822 -       .mask           = disable_dynirq,
28823 -       .unmask         = enable_dynirq,
28824 -
28825 -       .ack            = ack_dynirq,
28826 -};
28827 -
28828  void __init xen_init_IRQ(void)
28829  {
28830         int i;
28831 diff -urNp linux-2.6.35.5/fs/9p/vfs_inode.c linux-2.6.35.5/fs/9p/vfs_inode.c
28832 --- linux-2.6.35.5/fs/9p/vfs_inode.c    2010-08-26 19:47:12.000000000 -0400
28833 +++ linux-2.6.35.5/fs/9p/vfs_inode.c    2010-09-17 20:12:09.000000000 -0400
28834 @@ -1087,7 +1087,7 @@ static void *v9fs_vfs_follow_link(struct
28835  static void
28836  v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
28837  {
28838 -       char *s = nd_get_link(nd);
28839 +       const char *s = nd_get_link(nd);
28840  
28841         P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
28842                 IS_ERR(s) ? "<error>" : s);
28843 diff -urNp linux-2.6.35.5/fs/aio.c linux-2.6.35.5/fs/aio.c
28844 --- linux-2.6.35.5/fs/aio.c     2010-08-26 19:47:12.000000000 -0400
28845 +++ linux-2.6.35.5/fs/aio.c     2010-09-20 17:24:27.000000000 -0400
28846 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx 
28847         size += sizeof(struct io_event) * nr_events;
28848         nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
28849  
28850 -       if (nr_pages < 0)
28851 +       if (nr_pages <= 0)
28852                 return -EINVAL;
28853  
28854         nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
28855 @@ -1659,6 +1659,9 @@ long do_io_submit(aio_context_t ctx_id, 
28856         if (unlikely(nr < 0))
28857                 return -EINVAL;
28858  
28859 +       if (unlikely(nr > LONG_MAX/sizeof(*iocbpp)))
28860 +               nr = LONG_MAX/sizeof(*iocbpp);
28861 +
28862         if (unlikely(!access_ok(VERIFY_READ, iocbpp, (nr*sizeof(*iocbpp)))))
28863                 return -EFAULT;
28864  
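Review bot: The clamp on `nr` has no comment saying which expression it protects; it exists so that `nr*sizeof(*iocbpp)` in the `access_ok()` call just below cannot wrap. A line such as `/* bound nr so nr * sizeof(*iocbpp) cannot overflow in access_ok() */` above the `if` would make that explicit. An oversized count is silently reduced rather than rejected with `-EINVAL` like the `nr < 0` case just above, so whether the caller should get an error instead is worth deciding deliberately. do_io_submit continues outside the hunk.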
28865 diff -urNp linux-2.6.35.5/fs/attr.c linux-2.6.35.5/fs/attr.c
28866 --- linux-2.6.35.5/fs/attr.c    2010-08-26 19:47:12.000000000 -0400
28867 +++ linux-2.6.35.5/fs/attr.c    2010-09-17 20:12:37.000000000 -0400
28868 @@ -82,6 +82,7 @@ int inode_newsize_ok(const struct inode 
28869                 unsigned long limit;
28870  
28871                 limit = rlimit(RLIMIT_FSIZE);
28872 +               gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
28873                 if (limit != RLIM_INFINITY && offset > limit)
28874                         goto out_sig;
28875                 if (offset > inode->i_sb->s_maxbytes)
28876 diff -urNp linux-2.6.35.5/fs/autofs/root.c linux-2.6.35.5/fs/autofs/root.c
28877 --- linux-2.6.35.5/fs/autofs/root.c     2010-08-26 19:47:12.000000000 -0400
28878 +++ linux-2.6.35.5/fs/autofs/root.c     2010-09-17 20:12:09.000000000 -0400
28879 @@ -301,7 +301,8 @@ static int autofs_root_symlink(struct in
28880         set_bit(n,sbi->symlink_bitmap);
28881         sl = &sbi->symlink[n];
28882         sl->len = strlen(symname);
28883 -       sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
28884 +       slsize = sl->len+1;
28885 +       sl->data = kmalloc(slsize, GFP_KERNEL);
28886         if (!sl->data) {
28887                 clear_bit(n,sbi->symlink_bitmap);
28888                 unlock_kernel();
28889 diff -urNp linux-2.6.35.5/fs/autofs4/symlink.c linux-2.6.35.5/fs/autofs4/symlink.c
28890 --- linux-2.6.35.5/fs/autofs4/symlink.c 2010-08-26 19:47:12.000000000 -0400
28891 +++ linux-2.6.35.5/fs/autofs4/symlink.c 2010-09-17 20:12:09.000000000 -0400
28892 @@ -15,7 +15,7 @@
28893  static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
28894  {
28895         struct autofs_info *ino = autofs4_dentry_ino(dentry);
28896 -       nd_set_link(nd, (char *)ino->u.symlink);
28897 +       nd_set_link(nd, ino->u.symlink);
28898         return NULL;
28899  }
28900  
28901 diff -urNp linux-2.6.35.5/fs/befs/linuxvfs.c linux-2.6.35.5/fs/befs/linuxvfs.c
28902 --- linux-2.6.35.5/fs/befs/linuxvfs.c   2010-08-26 19:47:12.000000000 -0400
28903 +++ linux-2.6.35.5/fs/befs/linuxvfs.c   2010-09-17 20:12:09.000000000 -0400
28904 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry 
28905  {
28906         befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
28907         if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
28908 -               char *link = nd_get_link(nd);
28909 +               const char *link = nd_get_link(nd);
28910                 if (!IS_ERR(link))
28911                         kfree(link);
28912         }
28913 diff -urNp linux-2.6.35.5/fs/binfmt_aout.c linux-2.6.35.5/fs/binfmt_aout.c
28914 --- linux-2.6.35.5/fs/binfmt_aout.c     2010-08-26 19:47:12.000000000 -0400
28915 +++ linux-2.6.35.5/fs/binfmt_aout.c     2010-09-23 20:16:12.000000000 -0400
28916 @@ -16,6 +16,7 @@
28917  #include <linux/string.h>
28918  #include <linux/fs.h>
28919  #include <linux/file.h>
28920 +#include <linux/security.h>
28921  #include <linux/stat.h>
28922  #include <linux/fcntl.h>
28923  #include <linux/ptrace.h>
28924 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
28925  #endif
28926  #       define START_STACK(u)   ((void __user *)u.start_stack)
28927  
28928 +       memset(&dump, 0, sizeof(dump));
28929 +
28930         fs = get_fs();
28931         set_fs(KERNEL_DS);
28932         has_dumped = 1;
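Review bot: The added `memset(&dump, 0, sizeof(dump));` needs a comment, since nothing at this point says why a struct that is filled in afterwards is cleared first. If `dump` is later written to the core file (its declaration and the code that fills and writes it are outside the hunk), any padding or unset field would otherwise carry stale kernel stack contents into that file. Suggested wording: `/* clear padding and unset fields so no stack residue reaches the core file */`.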
28933 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
28934  
28935  /* If the size of the dump file exceeds the rlimit, then see what would happen
28936     if we wrote the stack, but not the data area.  */
28937 +       gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
28938         if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
28939                 dump.u_dsize = 0;
28940  
28941  /* Make sure we have enough room to write the stack and data areas. */
28942 +       gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
28943         if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
28944                 dump.u_ssize = 0;
28945  
28946 @@ -134,10 +139,7 @@ static int aout_core_dump(struct coredum
28947                 if (!dump_write(file, dump_start, dump_size))
28948                         goto end_coredump;
28949         }
28950 -/* Finally dump the task struct.  Not be used by gdb, but could be useful */
28951 -       set_fs(KERNEL_DS);
28952 -       if (!dump_write(file, current, sizeof(*current)))
28953 -               goto end_coredump;
28954 +/* Finally let's not dump the task struct.  Not be used by gdb, but could be useful to an attacker */
28955  end_coredump:
28956         set_fs(fs);
28957         return has_dumped;
28958 @@ -238,6 +240,8 @@ static int load_aout_binary(struct linux
28959         rlim = rlimit(RLIMIT_DATA);
28960         if (rlim >= RLIM_INFINITY)
28961                 rlim = ~0;
28962 +
28963 +       gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
28964         if (ex.a_data + ex.a_bss > rlim)
28965                 return -ENOMEM;
28966  
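Review bot: The sum `ex.a_data + ex.a_bss` passed to `gr_learn_resource()` comes from header fields of the binary being loaded and can wrap if both are large, the same weakness as the unchanged `ex.a_data + ex.a_bss > rlim` test on the next line. If the fields are 32-bit unsigned (their declaration is outside the hunk), a wrapped sum records a misleading value for learning and also passes the limit check. Testing each term separately avoids the wrap, e.g. `if (ex.a_data > rlim || ex.a_bss > rlim - ex.a_data) return -ENOMEM;`, with the learning call given the sum widened to `unsigned long`. load_aout_binary continues outside the hunk.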
28967 @@ -266,6 +270,27 @@ static int load_aout_binary(struct linux
28968         install_exec_creds(bprm);
28969         current->flags &= ~PF_FORKNOEXEC;
28970  
28971 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
28972 +       current->mm->pax_flags = 0UL;
28973 +#endif
28974 +
28975 +#ifdef CONFIG_PAX_PAGEEXEC
28976 +       if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
28977 +               current->mm->pax_flags |= MF_PAX_PAGEEXEC;
28978 +
28979 +#ifdef CONFIG_PAX_EMUTRAMP
28980 +               if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
28981 +                       current->mm->pax_flags |= MF_PAX_EMUTRAMP;
28982 +#endif
28983 +
28984 +#ifdef CONFIG_PAX_MPROTECT
28985 +               if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
28986 +                       current->mm->pax_flags |= MF_PAX_MPROTECT;
28987 +#endif
28988 +
28989 +       }
28990 +#endif
28991 +
28992         if (N_MAGIC(ex) == OMAGIC) {
28993                 unsigned long text_addr, map_size;
28994                 loff_t pos;
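Review bot: The PaX flag block reads the a.out header bits with mixed polarity and no comment. `F_PAX_PAGEEXEC` and `F_PAX_MPROTECT` are tested negated, so a set bit turns the protection off, while `F_PAX_EMUTRAMP` is tested directly, so a set bit turns emulation on. Someone auditing which protections a given binary receives has to infer this from the `!`. A comment above the block would document it, e.g. `/* F_PAX_PAGEEXEC / F_PAX_MPROTECT are opt-out bits, F_PAX_EMUTRAMP is opt-in */`, and should add that EMUTRAMP and MPROTECT are only evaluated when PAGEEXEC ends up enabled. load_aout_binary continues outside the hunk.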
28995 @@ -338,7 +363,7 @@ static int load_aout_binary(struct linux
28996  
28997                 down_write(&current->mm->mmap_sem);
28998                 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
28999 -                               PROT_READ | PROT_WRITE | PROT_EXEC,
29000 +                               PROT_READ | PROT_WRITE,
29001                                 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29002                                 fd_offset + ex.a_text);
29003                 up_write(&current->mm->mmap_sem);
29004 diff -urNp linux-2.6.35.5/fs/binfmt_elf.c linux-2.6.35.5/fs/binfmt_elf.c
29005 --- linux-2.6.35.5/fs/binfmt_elf.c      2010-08-26 19:47:12.000000000 -0400
29006 +++ linux-2.6.35.5/fs/binfmt_elf.c      2010-09-17 20:12:37.000000000 -0400
29007 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29008  #define elf_core_dump  NULL
29009  #endif
29010  
29011 +#ifdef CONFIG_PAX_MPROTECT
29012 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29013 +#endif
29014 +
29015  #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29016  #define ELF_MIN_ALIGN  ELF_EXEC_PAGESIZE
29017  #else
29018 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format = 
29019                 .load_binary    = load_elf_binary,
29020                 .load_shlib     = load_elf_library,
29021                 .core_dump      = elf_core_dump,
29022 +
29023 +#ifdef CONFIG_PAX_MPROTECT
29024 +               .handle_mprotect= elf_handle_mprotect,
29025 +#endif
29026 +
29027                 .min_coredump   = ELF_EXEC_PAGESIZE,
29028                 .hasvdso        = 1
29029  };
29030 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format = 
29031  
29032  static int set_brk(unsigned long start, unsigned long end)
29033  {
29034 +       unsigned long e = end;
29035 +
29036         start = ELF_PAGEALIGN(start);
29037         end = ELF_PAGEALIGN(end);
29038         if (end > start) {
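Review bot: The new local `e` in set_brk is named too tersely for what it preserves. It keeps the caller's unaligned `end` so that the following hunk can store it in `start_brk`/`brk` instead of the `ELF_PAGEALIGN`ed value. Neither hunk says why the break should now start at the unaligned address. Rename it, e.g. `unsigned long unaligned_end = end;`, and add a one-line comment at the assignment in the next hunk giving the reason.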
29039 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start, 
29040                 if (BAD_ADDR(addr))
29041                         return addr;
29042         }
29043 -       current->mm->start_brk = current->mm->brk = end;
29044 +       current->mm->start_brk = current->mm->brk = e;
29045         return 0;
29046  }
29047  
29048 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29049         elf_addr_t __user *u_rand_bytes;
29050         const char *k_platform = ELF_PLATFORM;
29051         const char *k_base_platform = ELF_BASE_PLATFORM;
29052 -       unsigned char k_rand_bytes[16];
29053 +       u32 k_rand_bytes[4];
29054         int items;
29055         elf_addr_t *elf_info;
29056         int ei_index = 0;
29057 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29058          * Generate 16 random bytes for userspace PRNG seeding.
29059          */
29060         get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29061 -       u_rand_bytes = (elf_addr_t __user *)
29062 -                      STACK_ALLOC(p, sizeof(k_rand_bytes));
29063 +       srandom32(k_rand_bytes[0] ^ random32());
29064 +       srandom32(k_rand_bytes[1] ^ random32());
29065 +       srandom32(k_rand_bytes[2] ^ random32());
29066 +       srandom32(k_rand_bytes[3] ^ random32());
29067 +       p = STACK_ROUND(p, sizeof(k_rand_bytes));
29068 +       u_rand_bytes = (elf_addr_t __user *) p;
29069         if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
29070                 return -EFAULT;
29071  
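Review bot: The four `srandom32(k_rand_bytes[i] ^ random32());` calls are undocumented, and the comment above them still only describes generating 16 bytes for userspace. The same `k_rand_bytes` words are handed to the process by `__copy_to_user()` a few lines later, so the reseed value is only as unpredictable to that process as the `random32()` term; a comment should state that this is intended. Replacing `STACK_ALLOC` with `p = STACK_ROUND(p, sizeof(k_rand_bytes));` also changes how the slot is reserved. The macro definitions are outside the hunk, so please confirm that `sizeof(k_rand_bytes)` bytes are still reserved at `p` for both stack-growth directions. create_elf_tables continues outside the hunk.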
29072 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29073  {
29074         struct elf_phdr *elf_phdata;
29075         struct elf_phdr *eppnt;
29076 -       unsigned long load_addr = 0;
29077 +       unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29078         int load_addr_set = 0;
29079         unsigned long last_bss = 0, elf_bss = 0;
29080 -       unsigned long error = ~0UL;
29081 +       unsigned long error = -EINVAL;
29082         unsigned long total_size;
29083         int retval, i, size;
29084  
29085 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29086                 goto out_close;
29087         }
29088  
29089 +#ifdef CONFIG_PAX_SEGMEXEC
29090 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29091 +               pax_task_size = SEGMEXEC_TASK_SIZE;
29092 +#endif
29093 +
29094         eppnt = elf_phdata;
29095         for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29096                 if (eppnt->p_type == PT_LOAD) {
29097 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
29098                         k = load_addr + eppnt->p_vaddr;
29099                         if (BAD_ADDR(k) ||
29100                             eppnt->p_filesz > eppnt->p_memsz ||
29101 -                           eppnt->p_memsz > TASK_SIZE ||
29102 -                           TASK_SIZE - eppnt->p_memsz < k) {
29103 +                           eppnt->p_memsz > pax_task_size ||
29104 +                           pax_task_size - eppnt->p_memsz < k) {
29105                                 error = -ENOMEM;
29106                                 goto out_close;
29107                         }
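Review bot: The address check in load_elf_interp keeps `BAD_ADDR(k)` while the size checks move to `pax_task_size`, whereas the matching check in load_elf_binary later in this file is changed to `k >= pax_task_size`. `BAD_ADDR` is defined outside the hunk; if it compares against `TASK_SIZE`, then under SEGMEXEC the interpreter path relies on `pax_task_size - eppnt->p_memsz < k` alone to keep `k` below the reduced limit. Using the same form here, `if (k >= pax_task_size ||`, would keep the two loaders consistent. The loop body continues outside the hunk.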
29108 @@ -533,6 +553,177 @@ out:
29109         return error;
29110  }
29111  
29112 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29113 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29114 +{
29115 +       unsigned long pax_flags = 0UL;
29116 +
29117 +#ifdef CONFIG_PAX_PAGEEXEC
29118 +       if (elf_phdata->p_flags & PF_PAGEEXEC)
29119 +               pax_flags |= MF_PAX_PAGEEXEC;
29120 +#endif
29121 +
29122 +#ifdef CONFIG_PAX_SEGMEXEC
29123 +       if (elf_phdata->p_flags & PF_SEGMEXEC)
29124 +               pax_flags |= MF_PAX_SEGMEXEC;
29125 +#endif
29126 +
29127 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29128 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29129 +               if ((__supported_pte_mask & _PAGE_NX))
29130 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
29131 +               else
29132 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
29133 +       }
29134 +#endif
29135 +
29136 +#ifdef CONFIG_PAX_EMUTRAMP
29137 +       if (elf_phdata->p_flags & PF_EMUTRAMP)
29138 +               pax_flags |= MF_PAX_EMUTRAMP;
29139 +#endif
29140 +
29141 +#ifdef CONFIG_PAX_MPROTECT
29142 +       if (elf_phdata->p_flags & PF_MPROTECT)
29143 +               pax_flags |= MF_PAX_MPROTECT;
29144 +#endif
29145 +
29146 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29147 +       if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29148 +               pax_flags |= MF_PAX_RANDMMAP;
29149 +#endif
29150 +
29151 +       return pax_flags;
29152 +}
29153 +#endif
29154 +
29155 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29156 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29157 +{
29158 +       unsigned long pax_flags = 0UL;
29159 +
29160 +#ifdef CONFIG_PAX_PAGEEXEC
29161 +       if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29162 +               pax_flags |= MF_PAX_PAGEEXEC;
29163 +#endif
29164 +
29165 +#ifdef CONFIG_PAX_SEGMEXEC
29166 +       if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29167 +               pax_flags |= MF_PAX_SEGMEXEC;
29168 +#endif
29169 +
29170 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29171 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29172 +               if ((__supported_pte_mask & _PAGE_NX))
29173 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
29174 +               else
29175 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
29176 +       }
29177 +#endif
29178 +
29179 +#ifdef CONFIG_PAX_EMUTRAMP
29180 +       if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29181 +               pax_flags |= MF_PAX_EMUTRAMP;
29182 +#endif
29183 +
29184 +#ifdef CONFIG_PAX_MPROTECT
29185 +       if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29186 +               pax_flags |= MF_PAX_MPROTECT;
29187 +#endif
29188 +
29189 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29190 +       if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29191 +               pax_flags |= MF_PAX_RANDMMAP;
29192 +#endif
29193 +
29194 +       return pax_flags;
29195 +}
29196 +#endif
29197 +
29198 +#ifdef CONFIG_PAX_EI_PAX
29199 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29200 +{
29201 +       unsigned long pax_flags = 0UL;
29202 +
29203 +#ifdef CONFIG_PAX_PAGEEXEC
29204 +       if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29205 +               pax_flags |= MF_PAX_PAGEEXEC;
29206 +#endif
29207 +
29208 +#ifdef CONFIG_PAX_SEGMEXEC
29209 +       if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29210 +               pax_flags |= MF_PAX_SEGMEXEC;
29211 +#endif
29212 +
29213 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29214 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29215 +               if ((__supported_pte_mask & _PAGE_NX))
29216 +                       pax_flags &= ~MF_PAX_SEGMEXEC;
29217 +               else
29218 +                       pax_flags &= ~MF_PAX_PAGEEXEC;
29219 +       }
29220 +#endif
29221 +
29222 +#ifdef CONFIG_PAX_EMUTRAMP
29223 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29224 +               pax_flags |= MF_PAX_EMUTRAMP;
29225 +#endif
29226 +
29227 +#ifdef CONFIG_PAX_MPROTECT
29228 +       if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29229 +               pax_flags |= MF_PAX_MPROTECT;
29230 +#endif
29231 +
29232 +#ifdef CONFIG_PAX_ASLR
29233 +       if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29234 +               pax_flags |= MF_PAX_RANDMMAP;
29235 +#endif
29236 +
29237 +       return pax_flags;
29238 +}
29239 +#endif
29240 +
29241 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29242 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29243 +{
29244 +       unsigned long pax_flags = 0UL;
29245 +
29246 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29247 +       unsigned long i;
29248 +#endif
29249 +
29250 +#ifdef CONFIG_PAX_EI_PAX
29251 +       pax_flags = pax_parse_ei_pax(elf_ex);
29252 +#endif
29253 +
29254 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29255 +       for (i = 0UL; i < elf_ex->e_phnum; i++)
29256 +               if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29257 +                       if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29258 +                           ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29259 +                           ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29260 +                           ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29261 +                           ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29262 +                               return -EINVAL;
29263 +
29264 +#ifdef CONFIG_PAX_SOFTMODE
29265 +                       if (pax_softmode)
29266 +                               pax_flags = pax_parse_softmode(&elf_phdata[i]);
29267 +                       else
29268 +#endif
29269 +
29270 +                               pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29271 +                       break;
29272 +               }
29273 +#endif
29274 +
29275 +       if (0 > pax_check_flags(&pax_flags))
29276 +               return -EINVAL;
29277 +
29278 +       current->mm->pax_flags = pax_flags;
29279 +       return 0;
29280 +}
29281 +#endif
29282 +
29283  /*
29284   * These are the functions used to load ELF style executables and shared
29285   * libraries.  There is no binary dependent code anywhere else.
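Review bot: The block that resolves PAGEEXEC against SEGMEXEC is copied verbatim into pax_parse_softmode, pax_parse_hardmode and pax_parse_ei_pax, so the rule for which of the two wins can drift between the three marking formats. Moving it into one static helper keeps that policy in a single place, with each parser calling the helper under the same `#if`. Separately, in pax_parse_elf_flags the `else` before `#endif` binds to the `pax_parse_hardmode()` call after a blank line, inside a brace-less `for`; braces there would protect the control flow against later edits.

```c
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
/* When both are requested keep one: PAGEEXEC if _PAGE_NX is supported, else SEGMEXEC. */
static unsigned long pax_resolve_noexec(unsigned long pax_flags)
{
	const unsigned long both = MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC;

	if ((pax_flags & both) != both)
		return pax_flags;
	if (__supported_pte_mask & _PAGE_NX)
		return pax_flags & ~MF_PAX_SEGMEXEC;
	return pax_flags & ~MF_PAX_PAGEEXEC;
}
#endif

/* … unchanged: pax_parse_softmode up to the SEGMEXEC test … */
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	pax_flags = pax_resolve_noexec(pax_flags);
#endif
/* … unchanged: EMUTRAMP, MPROTECT, RANDMMAP tests; same call in pax_parse_hardmode and pax_parse_ei_pax … */
```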
29286 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29287  {
29288         unsigned int random_variable = 0;
29289  
29290 +#ifdef CONFIG_PAX_RANDUSTACK
29291 +       if (randomize_va_space)
29292 +               return stack_top - current->mm->delta_stack;
29293 +#endif
29294 +
29295         if ((current->flags & PF_RANDOMIZE) &&
29296                 !(current->personality & ADDR_NO_RANDOMIZE)) {
29297                 random_variable = get_random_int() & STACK_RND_MASK;
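Review bot: The early return in randomize_stack_top needs a comment, because with `CONFIG_PAX_RANDUSTACK` and `randomize_va_space` set it bypasses the `PF_RANDOMIZE` / `ADDR_NO_RANDOMIZE` path below entirely. load_elf_binary in this patch zeroes `delta_stack` and fills it only when `MF_PAX_RANDMMAP` is set, so a binary without that flag gets `stack_top` back unchanged, with no stack randomisation from either mechanism. If that is intended, say so, e.g. `/* PaX: delta_stack stays 0 without MF_PAX_RANDMMAP, which disables stack randomisation */`. The function continues outside the hunk.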
29298 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29299         unsigned long load_addr = 0, load_bias = 0;
29300         int load_addr_set = 0;
29301         char * elf_interpreter = NULL;
29302 -       unsigned long error;
29303 +       unsigned long error = 0;
29304         struct elf_phdr *elf_ppnt, *elf_phdata;
29305         unsigned long elf_bss, elf_brk;
29306         int retval, i;
29307 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29308         unsigned long start_code, end_code, start_data, end_data;
29309         unsigned long reloc_func_desc = 0;
29310         int executable_stack = EXSTACK_DEFAULT;
29311 -       unsigned long def_flags = 0;
29312         struct {
29313                 struct elfhdr elf_ex;
29314                 struct elfhdr interp_elf_ex;
29315         } *loc;
29316 +       unsigned long pax_task_size = TASK_SIZE;
29317  
29318         loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29319         if (!loc) {
29320 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29321  
29322         /* OK, This is the point of no return */
29323         current->flags &= ~PF_FORKNOEXEC;
29324 -       current->mm->def_flags = def_flags;
29325 +
29326 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29327 +       current->mm->pax_flags = 0UL;
29328 +#endif
29329 +
29330 +#ifdef CONFIG_PAX_DLRESOLVE
29331 +       current->mm->call_dl_resolve = 0UL;
29332 +#endif
29333 +
29334 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29335 +       current->mm->call_syscall = 0UL;
29336 +#endif
29337 +
29338 +#ifdef CONFIG_PAX_ASLR
29339 +       current->mm->delta_mmap = 0UL;
29340 +       current->mm->delta_stack = 0UL;
29341 +#endif
29342 +
29343 +       current->mm->def_flags = 0;
29344 +
29345 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29346 +       if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29347 +               send_sig(SIGKILL, current, 0);
29348 +               goto out_free_dentry;
29349 +       }
29350 +#endif
29351 +
29352 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29353 +       pax_set_initial_flags(bprm);
29354 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29355 +       if (pax_set_initial_flags_func)
29356 +               (pax_set_initial_flags_func)(bprm);
29357 +#endif
29358 +
29359 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29360 +       if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29361 +               current->mm->context.user_cs_limit = PAGE_SIZE;
29362 +               current->mm->def_flags |= VM_PAGEEXEC;
29363 +       }
29364 +#endif
29365 +
29366 +#ifdef CONFIG_PAX_SEGMEXEC
29367 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29368 +               current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29369 +               current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29370 +               pax_task_size = SEGMEXEC_TASK_SIZE;
29371 +       }
29372 +#endif
29373 +
29374 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29375 +       if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29376 +               set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29377 +               put_cpu();
29378 +       }
29379 +#endif
29380  
29381         /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29382            may depend on the personality.  */
29383         SET_PERSONALITY(loc->elf_ex);
29384 +
29385 +#ifdef CONFIG_PAX_ASLR
29386 +       if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29387 +               current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29388 +               current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29389 +       }
29390 +#endif
29391 +
29392 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29393 +       if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29394 +               executable_stack = EXSTACK_DISABLE_X;
29395 +               current->personality &= ~READ_IMPLIES_EXEC;
29396 +       } else
29397 +#endif
29398 +
29399         if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29400                 current->personality |= READ_IMPLIES_EXEC;
29401  
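Review bot: The failure branch after `pax_parse_elf_flags()` sends SIGKILL and jumps to `out_free_dentry` without assigning `retval`, unlike the later segment check in this function, which sets `retval = -EINVAL;` before the same kind of jump. Whatever `retval` holds from the preceding step is then presumably what the exec path gets back; it is set outside the hunk and is likely 0 after a successful call. Add `retval = -EINVAL;` before the `goto`. The trailing `} else` before `#endif` that binds to the `elf_read_implies_exec()` test is also easy to break, so bracing that `if` would help.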
29402 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29403  #else
29404                         load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29405  #endif
29406 +
29407 +#ifdef CONFIG_PAX_RANDMMAP
29408 +                       /* PaX: randomize base address at the default exe base if requested */
29409 +                       if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29410 +#ifdef CONFIG_SPARC64
29411 +                               load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29412 +#else
29413 +                               load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29414 +#endif
29415 +                               load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29416 +                               elf_flags |= MAP_FIXED;
29417 +                       }
29418 +#endif
29419 +
29420                 }
29421  
29422                 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
29423 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29424                  * allowed task size. Note that p_filesz must always be
29425                  * <= p_memsz so it is only necessary to check p_memsz.
29426                  */
29427 -               if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29428 -                   elf_ppnt->p_memsz > TASK_SIZE ||
29429 -                   TASK_SIZE - elf_ppnt->p_memsz < k) {
29430 +               if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29431 +                   elf_ppnt->p_memsz > pax_task_size ||
29432 +                   pax_task_size - elf_ppnt->p_memsz < k) {
29433                         /* set_brk can never work. Avoid overflows. */
29434                         send_sig(SIGKILL, current, 0);
29435                         retval = -EINVAL;
29436 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29437         start_data += load_bias;
29438         end_data += load_bias;
29439  
29440 +#ifdef CONFIG_PAX_RANDMMAP
29441 +       if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29442 +               elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29443 +#endif
29444 +
29445         /* Calling set_brk effectively mmaps the pages that we need
29446          * for the bss and break sections.  We must do this before
29447          * mapping in the interpreter, to make sure it doesn't wind
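Review bot: The brk offset `PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` is added after the per-segment bounds check against `pax_task_size`, and nothing visible re-validates `elf_brk` afterwards. The set_brk() call that follows is outside the hunk; please confirm it rejects an `elf_brk` pushed past the task limit. A comment giving the range would also help, e.g. `/* random gap: one page plus just under 16 pages, in 16-byte steps */`.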
29448 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
29449                 goto out_free_dentry;
29450         }
29451         if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29452 -               send_sig(SIGSEGV, current, 0);
29453 -               retval = -EFAULT; /* Nobody gets to see this, but.. */
29454 -               goto out_free_dentry;
29455 +               /*
29456 +                * This bss-zeroing can fail if the ELF
29457 +                * file specifies odd protections. So
29458 +                * we don't check the return value
29459 +                */
29460         }
29461  
29462         if (elf_interpreter) {
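Review bot: The `padzero()` test is left as an `if` whose body contains only a comment, which reads like an unfinished error path and keeps the `unlikely()` hint on a result that is no longer used. If ignoring the failure is intended, write it as a plain call: `if (likely(elf_bss != elf_brk))` followed by `(void)padzero(elf_bss);`, with the comment placed above it. The comment should also state what the process sees when the zeroing fails, since the tail of the last bss page is then presumably left uncleared. load_elf_binary continues outside the hunk.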
29463 @@ -1091,7 +1377,7 @@ out:
29464   * Decide what to dump of a segment, part, all or none.
29465   */
29466  static unsigned long vma_dump_size(struct vm_area_struct *vma,
29467 -                                  unsigned long mm_flags)
29468 +                                  unsigned long mm_flags, long signr)
29469  {
29470  #define FILTER(type)   (mm_flags & (1UL << MMF_DUMP_##type))
29471  
29472 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
29473         if (vma->vm_file == NULL)
29474                 return 0;
29475  
29476 -       if (FILTER(MAPPED_PRIVATE))
29477 +       if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
29478                 goto whole;
29479  
29480         /*
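Review bot: The new `signr == SIGKILL ||` term sends every file-backed mapping that reaches this test down the `whole` path regardless of the `MAPPED_PRIVATE` filter bit, and neither this hunk nor the signature change above explains why. That overrides the dump filter configured for the process and can put more mapped file content into the core file than the filter allows. The reason for the exception belongs in a comment, e.g. `/* SIGKILL dumps ignore the filter for file-backed mappings: <reason> */`. vma_dump_size starts and ends outside the hunk.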
29481 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
29482  {
29483         elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29484         int i = 0;
29485 -       do
29486 +       do {
29487                 i += 2;
29488 -       while (auxv[i - 2] != AT_NULL);
29489 +       } while (auxv[i - 2] != AT_NULL);
29490         fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29491  }
29492  
29493 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
29494  }
29495  
29496  static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29497 -                                    unsigned long mm_flags)
29498 +                                    struct coredump_params *cprm)
29499  {
29500         struct vm_area_struct *vma;
29501         size_t size = 0;
29502  
29503         for (vma = first_vma(current, gate_vma); vma != NULL;
29504              vma = next_vma(vma, gate_vma))
29505 -               size += vma_dump_size(vma, mm_flags);
29506 +               size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29507         return size;
29508  }
29509  
29510 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
29511  
29512         dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29513  
29514 -       offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29515 +       offset += elf_core_vma_data_size(gate_vma, cprm);
29516         offset += elf_core_extra_data_size();
29517         e_shoff = offset;
29518  
29519 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
29520         offset = dataoff;
29521  
29522         size += sizeof(*elf);
29523 +       gr_learn_resource(current, RLIMIT_CORE, size, 1);
29524         if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29525                 goto end_coredump;
29526  
29527         size += sizeof(*phdr4note);
29528 +       gr_learn_resource(current, RLIMIT_CORE, size, 1);
29529         if (size > cprm->limit
29530             || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
29531                 goto end_coredump;
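Review bot: The sequence `size += …; gr_learn_resource(current, RLIMIT_CORE, size, 1); if (size > cprm->limit || !dump_write(…))` is now repeated by hand at five places in elf_core_dump (twice here, and in the hunks at -1998, -2031 and -2048), and the trailing `1` is an unexplained literal. A small static helper that accounts, reports and writes in one call would keep the limit check and the learning call from drifting apart, and would give the `1` a named meaning. The page-loop copy at -2031 passes `size + PAGE_SIZE` before `size` is incremented and runs once per dumped page right after kmap(); gr_learn_resource's cost and locking are not visible here, so confirm it is safe and cheap in that position. elf_core_dump's body extends beyond these hunks.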
29532 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
29533                 phdr.p_offset = offset;
29534                 phdr.p_vaddr = vma->vm_start;
29535                 phdr.p_paddr = 0;
29536 -               phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29537 +               phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29538                 phdr.p_memsz = vma->vm_end - vma->vm_start;
29539                 offset += phdr.p_filesz;
29540                 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29541 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
29542                 phdr.p_align = ELF_EXEC_PAGESIZE;
29543  
29544                 size += sizeof(phdr);
29545 +               gr_learn_resource(current, RLIMIT_CORE, size, 1);
29546                 if (size > cprm->limit
29547                     || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29548                         goto end_coredump;
29549 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
29550                 unsigned long addr;
29551                 unsigned long end;
29552  
29553 -               end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29554 +               end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29555  
29556                 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29557                         struct page *page;
29558 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
29559                         page = get_dump_page(addr);
29560                         if (page) {
29561                                 void *kaddr = kmap(page);
29562 +                               gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29563                                 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29564                                         !dump_write(cprm->file, kaddr,
29565                                                     PAGE_SIZE);
29566 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
29567  
29568         if (e_phnum == PN_XNUM) {
29569                 size += sizeof(*shdr4extnum);
29570 +               gr_learn_resource(current, RLIMIT_CORE, size, 1);
29571                 if (size > cprm->limit
29572                     || !dump_write(cprm->file, shdr4extnum,
29573                                    sizeof(*shdr4extnum)))
29574 @@ -2068,6 +2359,97 @@ out:
29575  
29576  #endif         /* CONFIG_ELF_CORE */
29577  
29578 +#ifdef CONFIG_PAX_MPROTECT
29579 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29580 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29581 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29582 + *
29583 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29584 + * basis because we want to allow the common case and not the special ones.
29585 + */
29586 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29587 +{
29588 +       struct elfhdr elf_h;
29589 +       struct elf_phdr elf_p;
29590 +       unsigned long i;
29591 +       unsigned long oldflags;
29592 +       bool is_textrel_rw, is_textrel_rx, is_relro;
29593 +
29594 +       if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29595 +               return;
29596 +
29597 +       oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29598 +       newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29599 +
29600 +#ifdef CONFIG_PAX_ELFRELOCS
29601 +       /* possible TEXTREL */
29602 +       is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29603 +       is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29604 +#else
29605 +       is_textrel_rw = false;
29606 +       is_textrel_rx = false;
29607 +#endif
29608 +
29609 +       /* possible RELRO */
29610 +       is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29611 +
29612 +       if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29613 +               return;
29614 +
29615 +       if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29616 +           memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29617 +
29618 +#ifdef CONFIG_PAX_ETEXECRELOCS
29619 +           ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29620 +#else
29621 +           ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29622 +#endif
29623 +
29624 +           (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29625 +           !elf_check_arch(&elf_h) ||
29626 +           elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29627 +           elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29628 +               return;
29629 +
29630 +       for (i = 0UL; i < elf_h.e_phnum; i++) {
29631 +               if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29632 +                       return;
29633 +               switch (elf_p.p_type) {
29634 +               case PT_DYNAMIC:
29635 +                       if (!is_textrel_rw && !is_textrel_rx)
29636 +                               continue;
29637 +                       i = 0UL;
29638 +                       while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29639 +                               elf_dyn dyn;
29640 +
29641 +                               if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29642 +                                       return;
29643 +                               if (dyn.d_tag == DT_NULL)
29644 +                                       return;
29645 +                               if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29646 +                                       gr_log_textrel(vma);
29647 +                                       if (is_textrel_rw)
29648 +                                               vma->vm_flags |= VM_MAYWRITE;
29649 +                                       else
29650 +                                               /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29651 +                                               vma->vm_flags &= ~VM_MAYWRITE;
29652 +                                       return;
29653 +                               }
29654 +                               i++;
29655 +                       }
29656 +                       return;
29657 +
29658 +               case PT_GNU_RELRO:
29659 +                       if (!is_relro)
29660 +                               continue;
29661 +                       if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29662 +                               vma->vm_flags &= ~VM_MAYWRITE;
29663 +                       return;
29664 +               }
29665 +       }
29666 +}
29667 +#endif
29668 +
29669  static int __init init_elf_binfmt(void)
29670  {
29671         return register_binfmt(&elf_format);
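Review bot: In elf_handle_mprotect the PT_DYNAMIC case resets `i = 0UL` and reuses it to walk the dynamic entries, so the outer program-header index is destroyed; this is correct only because every path out of that case returns. Give the inner walk its own counter (`unsigned long j;`, `while ((j+1) * sizeof(elf_dyn) <= elf_p.p_filesz)`) so a later edit that lets the case fall back into the `for` loop cannot rescan from the wrong header. The inner walk is also bounded only by `p_filesz` read from the file, unlike `e_phnum`, which is capped at `65536UL / sizeof(struct elf_phdr)`; a similar cap on the number of dynamic entries would bound the kernel_read calls made per mprotect on an untrusted file. The switch also carries no comment saying that other segment types are deliberately ignored.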
29672 diff -urNp linux-2.6.35.5/fs/binfmt_flat.c linux-2.6.35.5/fs/binfmt_flat.c
29673 --- linux-2.6.35.5/fs/binfmt_flat.c     2010-08-26 19:47:12.000000000 -0400
29674 +++ linux-2.6.35.5/fs/binfmt_flat.c     2010-09-17 20:12:09.000000000 -0400
29675 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
29676                                 realdatastart = (unsigned long) -ENOMEM;
29677                         printk("Unable to allocate RAM for process data, errno %d\n",
29678                                         (int)-realdatastart);
29679 +                       down_write(&current->mm->mmap_sem);
29680                         do_munmap(current->mm, textpos, text_len);
29681 +                       up_write(&current->mm->mmap_sem);
29682                         ret = realdatastart;
29683                         goto err;
29684                 }
29685 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
29686                 }
29687                 if (IS_ERR_VALUE(result)) {
29688                         printk("Unable to read data+bss, errno %d\n", (int)-result);
29689 +                       down_write(&current->mm->mmap_sem);
29690                         do_munmap(current->mm, textpos, text_len);
29691                         do_munmap(current->mm, realdatastart, len);
29692 +                       up_write(&current->mm->mmap_sem);
29693                         ret = result;
29694                         goto err;
29695                 }
29696 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
29697                 }
29698                 if (IS_ERR_VALUE(result)) {
29699                         printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29700 +                       down_write(&current->mm->mmap_sem);
29701                         do_munmap(current->mm, textpos, text_len + data_len + extra +
29702                                 MAX_SHARED_LIBS * sizeof(unsigned long));
29703 +                       up_write(&current->mm->mmap_sem);
29704                         ret = result;
29705                         goto err;
29706                 }
29707 diff -urNp linux-2.6.35.5/fs/binfmt_misc.c linux-2.6.35.5/fs/binfmt_misc.c
29708 --- linux-2.6.35.5/fs/binfmt_misc.c     2010-09-20 17:33:09.000000000 -0400
29709 +++ linux-2.6.35.5/fs/binfmt_misc.c     2010-09-20 17:33:32.000000000 -0400
29710 @@ -693,7 +693,7 @@ static int bm_fill_super(struct super_bl
29711         static struct tree_descr bm_files[] = {
29712                 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29713                 [3] = {"register", &bm_register_operations, S_IWUSR},
29714 -               /* last one */ {""}
29715 +               /* last one */ {"", NULL, 0}
29716         };
29717         int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29718         if (!err)
29719 diff -urNp linux-2.6.35.5/fs/bio.c linux-2.6.35.5/fs/bio.c
29720 --- linux-2.6.35.5/fs/bio.c     2010-08-26 19:47:12.000000000 -0400
29721 +++ linux-2.6.35.5/fs/bio.c     2010-09-17 20:12:09.000000000 -0400
29722 @@ -1213,7 +1213,7 @@ static void bio_copy_kern_endio(struct b
29723         const int read = bio_data_dir(bio) == READ;
29724         struct bio_map_data *bmd = bio->bi_private;
29725         int i;
29726 -       char *p = bmd->sgvecs[0].iov_base;
29727 +       char *p = (__force char *)bmd->sgvecs[0].iov_base;
29728  
29729         __bio_for_each_segment(bvec, bio, i, 0) {
29730                 char *addr = page_address(bvec->bv_page);
29731 diff -urNp linux-2.6.35.5/fs/block_dev.c linux-2.6.35.5/fs/block_dev.c
29732 --- linux-2.6.35.5/fs/block_dev.c       2010-08-26 19:47:12.000000000 -0400
29733 +++ linux-2.6.35.5/fs/block_dev.c       2010-09-17 20:12:09.000000000 -0400
29734 @@ -647,7 +647,7 @@ static bool bd_may_claim(struct block_de
29735         else if (bdev->bd_contains == bdev)
29736                 return true;     /* is a whole device which isn't held */
29737  
29738 -       else if (whole->bd_holder == bd_claim)
29739 +       else if (whole->bd_holder == (void *)bd_claim)
29740                 return true;     /* is a partition of a device that is being partitioned */
29741         else if (whole->bd_holder != NULL)
29742                 return false;    /* is a partition of a held device */
29743 diff -urNp linux-2.6.35.5/fs/btrfs/ctree.c linux-2.6.35.5/fs/btrfs/ctree.c
29744 --- linux-2.6.35.5/fs/btrfs/ctree.c     2010-08-26 19:47:12.000000000 -0400
29745 +++ linux-2.6.35.5/fs/btrfs/ctree.c     2010-09-17 20:12:09.000000000 -0400
29746 @@ -3763,7 +3763,6 @@ setup_items_for_insert(struct btrfs_tran
29747  
29748         ret = 0;
29749         if (slot == 0) {
29750 -               struct btrfs_disk_key disk_key;
29751                 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29752                 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29753         }
29754 diff -urNp linux-2.6.35.5/fs/btrfs/disk-io.c linux-2.6.35.5/fs/btrfs/disk-io.c
29755 --- linux-2.6.35.5/fs/btrfs/disk-io.c   2010-08-26 19:47:12.000000000 -0400
29756 +++ linux-2.6.35.5/fs/btrfs/disk-io.c   2010-09-17 20:12:09.000000000 -0400
29757 @@ -40,7 +40,7 @@
29758  #include "tree-log.h"
29759  #include "free-space-cache.h"
29760  
29761 -static struct extent_io_ops btree_extent_io_ops;
29762 +static const struct extent_io_ops btree_extent_io_ops;
29763  static void end_workqueue_fn(struct btrfs_work *work);
29764  static void free_fs_root(struct btrfs_root *root);
29765  
29766 @@ -2597,7 +2597,7 @@ out:
29767         return 0;
29768  }
29769  
29770 -static struct extent_io_ops btree_extent_io_ops = {
29771 +static const struct extent_io_ops btree_extent_io_ops = {
29772         .write_cache_pages_lock_hook = btree_lock_page_hook,
29773         .readpage_end_io_hook = btree_readpage_end_io_hook,
29774         .submit_bio_hook = btree_submit_bio_hook,
29775 diff -urNp linux-2.6.35.5/fs/btrfs/extent_io.h linux-2.6.35.5/fs/btrfs/extent_io.h
29776 --- linux-2.6.35.5/fs/btrfs/extent_io.h 2010-08-26 19:47:12.000000000 -0400
29777 +++ linux-2.6.35.5/fs/btrfs/extent_io.h 2010-09-17 20:12:09.000000000 -0400
29778 @@ -51,36 +51,36 @@ typedef     int (extent_submit_bio_hook_t)(s
29779                                        struct bio *bio, int mirror_num,
29780                                        unsigned long bio_flags, u64 bio_offset);
29781  struct extent_io_ops {
29782 -       int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
29783 +       int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
29784                              u64 start, u64 end, int *page_started,
29785                              unsigned long *nr_written);
29786 -       int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
29787 -       int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
29788 +       int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
29789 +       int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
29790         extent_submit_bio_hook_t *submit_bio_hook;
29791 -       int (*merge_bio_hook)(struct page *page, unsigned long offset,
29792 +       int (* const merge_bio_hook)(struct page *page, unsigned long offset,
29793                               size_t size, struct bio *bio,
29794                               unsigned long bio_flags);
29795 -       int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
29796 -       int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
29797 +       int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
29798 +       int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
29799                                        u64 start, u64 end,
29800                                        struct extent_state *state);
29801 -       int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
29802 +       int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
29803                                         u64 start, u64 end,
29804                                        struct extent_state *state);
29805 -       int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29806 +       int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
29807                                     struct extent_state *state);
29808 -       int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29809 +       int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
29810                                       struct extent_state *state, int uptodate);
29811 -       int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
29812 +       int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
29813                             int *bits);
29814 -       int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
29815 +       int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
29816                               int *bits);
29817 -       int (*merge_extent_hook)(struct inode *inode,
29818 +       int (* const merge_extent_hook)(struct inode *inode,
29819                                  struct extent_state *new,
29820                                  struct extent_state *other);
29821 -       int (*split_extent_hook)(struct inode *inode,
29822 +       int (* const split_extent_hook)(struct inode *inode,
29823                                  struct extent_state *orig, u64 split);
29824 -       int (*write_cache_pages_lock_hook)(struct page *page);
29825 +       int (* const write_cache_pages_lock_hook)(struct page *page);
29826  };
29827  
29828  struct extent_io_tree {
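Review bot: `submit_bio_hook` is the one member of struct extent_io_ops left as a plain pointer (`extent_submit_bio_hook_t *submit_bio_hook;`) while every other hook becomes `(* const …)`. If the intent is that no hook can be reassigned after initialisation, declare it `extent_submit_bio_hook_t * const submit_bio_hook;` as well; if it is left writable on purpose, a one-line comment should say why. Const members also make the struct non-assignable, so any code that fills an extent_io_ops at run time would stop compiling; none is visible in this part of the patch, but it is worth a grep.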
29829 @@ -90,7 +90,7 @@ struct extent_io_tree {
29830         u64 dirty_bytes;
29831         spinlock_t lock;
29832         spinlock_t buffer_lock;
29833 -       struct extent_io_ops *ops;
29834 +       const struct extent_io_ops *ops;
29835  };
29836  
29837  struct extent_state {
29838 diff -urNp linux-2.6.35.5/fs/btrfs/free-space-cache.c linux-2.6.35.5/fs/btrfs/free-space-cache.c
29839 --- linux-2.6.35.5/fs/btrfs/free-space-cache.c  2010-08-26 19:47:12.000000000 -0400
29840 +++ linux-2.6.35.5/fs/btrfs/free-space-cache.c  2010-09-17 20:12:09.000000000 -0400
29841 @@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
29842  
29843         while(1) {
29844                 if (entry->bytes < bytes || entry->offset < min_start) {
29845 -                       struct rb_node *node;
29846 -
29847                         node = rb_next(&entry->offset_index);
29848                         if (!node)
29849                                 break;
29850 @@ -1227,7 +1225,7 @@ again:
29851          */
29852         while (entry->bitmap || found_bitmap ||
29853                (!entry->bitmap && entry->bytes < min_bytes)) {
29854 -               struct rb_node *node = rb_next(&entry->offset_index);
29855 +               node = rb_next(&entry->offset_index);
29856  
29857                 if (entry->bitmap && entry->bytes > bytes + empty_size) {
29858                         ret = btrfs_bitmap_cluster(block_group, entry, cluster,
29859 diff -urNp linux-2.6.35.5/fs/btrfs/inode.c linux-2.6.35.5/fs/btrfs/inode.c
29860 --- linux-2.6.35.5/fs/btrfs/inode.c     2010-08-26 19:47:12.000000000 -0400
29861 +++ linux-2.6.35.5/fs/btrfs/inode.c     2010-09-17 20:12:09.000000000 -0400
29862 @@ -64,7 +64,7 @@ static const struct inode_operations btr
29863  static const struct address_space_operations btrfs_aops;
29864  static const struct address_space_operations btrfs_symlink_aops;
29865  static const struct file_operations btrfs_dir_file_operations;
29866 -static struct extent_io_ops btrfs_extent_io_ops;
29867 +static const struct extent_io_ops btrfs_extent_io_ops;
29868  
29869  static struct kmem_cache *btrfs_inode_cachep;
29870  struct kmem_cache *btrfs_trans_handle_cachep;
29871 @@ -6958,7 +6958,7 @@ static const struct file_operations btrf
29872         .fsync          = btrfs_sync_file,
29873  };
29874  
29875 -static struct extent_io_ops btrfs_extent_io_ops = {
29876 +static const struct extent_io_ops btrfs_extent_io_ops = {
29877         .fill_delalloc = run_delalloc_range,
29878         .submit_bio_hook = btrfs_submit_bio_hook,
29879         .merge_bio_hook = btrfs_merge_bio_hook,
29880 diff -urNp linux-2.6.35.5/fs/buffer.c linux-2.6.35.5/fs/buffer.c
29881 --- linux-2.6.35.5/fs/buffer.c  2010-08-26 19:47:12.000000000 -0400
29882 +++ linux-2.6.35.5/fs/buffer.c  2010-09-17 20:12:37.000000000 -0400
29883 @@ -25,6 +25,7 @@
29884  #include <linux/percpu.h>
29885  #include <linux/slab.h>
29886  #include <linux/capability.h>
29887 +#include <linux/security.h>
29888  #include <linux/blkdev.h>
29889  #include <linux/file.h>
29890  #include <linux/quotaops.h>
29891 diff -urNp linux-2.6.35.5/fs/cachefiles/bind.c linux-2.6.35.5/fs/cachefiles/bind.c
29892 --- linux-2.6.35.5/fs/cachefiles/bind.c 2010-08-26 19:47:12.000000000 -0400
29893 +++ linux-2.6.35.5/fs/cachefiles/bind.c 2010-09-17 20:12:09.000000000 -0400
29894 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
29895                args);
29896  
29897         /* start by checking things over */
29898 -       ASSERT(cache->fstop_percent >= 0 &&
29899 -              cache->fstop_percent < cache->fcull_percent &&
29900 +       ASSERT(cache->fstop_percent < cache->fcull_percent &&
29901                cache->fcull_percent < cache->frun_percent &&
29902                cache->frun_percent  < 100);
29903  
29904 -       ASSERT(cache->bstop_percent >= 0 &&
29905 -              cache->bstop_percent < cache->bcull_percent &&
29906 +       ASSERT(cache->bstop_percent < cache->bcull_percent &&
29907                cache->bcull_percent < cache->brun_percent &&
29908                cache->brun_percent  < 100);
29909  
29910 diff -urNp linux-2.6.35.5/fs/cachefiles/daemon.c linux-2.6.35.5/fs/cachefiles/daemon.c
29911 --- linux-2.6.35.5/fs/cachefiles/daemon.c       2010-08-26 19:47:12.000000000 -0400
29912 +++ linux-2.6.35.5/fs/cachefiles/daemon.c       2010-09-17 20:12:09.000000000 -0400
29913 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
29914         if (n > buflen)
29915                 return -EMSGSIZE;
29916  
29917 -       if (copy_to_user(_buffer, buffer, n) != 0)
29918 +       if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
29919                 return -EFAULT;
29920  
29921         return n;
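Review bot: The added `n > sizeof(buffer)` guard in cachefiles_daemon_read reports a length larger than the kernel-side buffer as `-EFAULT`, which tells the caller its own pointer was bad when the problem is internal. Split the test so the internal case is distinguishable, e.g. `if (n > sizeof(buffer)) return -EIO;` ahead of the copy_to_user check. `n`'s declaration is outside the hunk; if it is a signed int, the comparison relies on conversion to size_t to reject negative values, which deserves a short comment.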
29922 @@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
29923         if (test_bit(CACHEFILES_DEAD, &cache->flags))
29924                 return -EIO;
29925  
29926 -       if (datalen < 0 || datalen > PAGE_SIZE - 1)
29927 +       if (datalen > PAGE_SIZE - 1)
29928                 return -EOPNOTSUPP;
29929  
29930         /* drag the command string into the kernel so we can parse it */
29931 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
29932         if (args[0] != '%' || args[1] != '\0')
29933                 return -EINVAL;
29934  
29935 -       if (fstop < 0 || fstop >= cache->fcull_percent)
29936 +       if (fstop >= cache->fcull_percent)
29937                 return cachefiles_daemon_range_error(cache, args);
29938  
29939         cache->fstop_percent = fstop;
29940 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
29941         if (args[0] != '%' || args[1] != '\0')
29942                 return -EINVAL;
29943  
29944 -       if (bstop < 0 || bstop >= cache->bcull_percent)
29945 +       if (bstop >= cache->bcull_percent)
29946                 return cachefiles_daemon_range_error(cache, args);
29947  
29948         cache->bstop_percent = bstop;
29949 diff -urNp linux-2.6.35.5/fs/cachefiles/rdwr.c linux-2.6.35.5/fs/cachefiles/rdwr.c
29950 --- linux-2.6.35.5/fs/cachefiles/rdwr.c 2010-08-26 19:47:12.000000000 -0400
29951 +++ linux-2.6.35.5/fs/cachefiles/rdwr.c 2010-09-17 20:12:09.000000000 -0400
29952 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
29953                         old_fs = get_fs();
29954                         set_fs(KERNEL_DS);
29955                         ret = file->f_op->write(
29956 -                               file, (const void __user *) data, len, &pos);
29957 +                               file, (__force const void __user *) data, len, &pos);
29958                         set_fs(old_fs);
29959                         kunmap(page);
29960                         if (ret != len)
29961 diff -urNp linux-2.6.35.5/fs/cifs/cifs_uniupr.h linux-2.6.35.5/fs/cifs/cifs_uniupr.h
29962 --- linux-2.6.35.5/fs/cifs/cifs_uniupr.h        2010-08-26 19:47:12.000000000 -0400
29963 +++ linux-2.6.35.5/fs/cifs/cifs_uniupr.h        2010-09-17 20:12:09.000000000 -0400
29964 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
29965         {0x0490, 0x04cc, UniCaseRangeU0490},
29966         {0x1e00, 0x1ffc, UniCaseRangeU1e00},
29967         {0xff40, 0xff5a, UniCaseRangeUff40},
29968 -       {0}
29969 +       {0, 0, NULL}
29970  };
29971  #endif
29972  
29973 diff -urNp linux-2.6.35.5/fs/cifs/link.c linux-2.6.35.5/fs/cifs/link.c
29974 --- linux-2.6.35.5/fs/cifs/link.c       2010-08-26 19:47:12.000000000 -0400
29975 +++ linux-2.6.35.5/fs/cifs/link.c       2010-09-17 20:12:09.000000000 -0400
29976 @@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
29977  
29978  void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
29979  {
29980 -       char *p = nd_get_link(nd);
29981 +       const char *p = nd_get_link(nd);
29982         if (!IS_ERR(p))
29983                 kfree(p);
29984  }
29985 diff -urNp linux-2.6.35.5/fs/compat_binfmt_elf.c linux-2.6.35.5/fs/compat_binfmt_elf.c
29986 --- linux-2.6.35.5/fs/compat_binfmt_elf.c       2010-08-26 19:47:12.000000000 -0400
29987 +++ linux-2.6.35.5/fs/compat_binfmt_elf.c       2010-09-17 20:12:09.000000000 -0400
29988 @@ -30,11 +30,13 @@
29989  #undef elf_phdr
29990  #undef elf_shdr
29991  #undef elf_note
29992 +#undef elf_dyn
29993  #undef elf_addr_t
29994  #define elfhdr         elf32_hdr
29995  #define elf_phdr       elf32_phdr
29996  #define elf_shdr       elf32_shdr
29997  #define elf_note       elf32_note
29998 +#define elf_dyn                Elf32_Dyn
29999  #define elf_addr_t     Elf32_Addr
30000  
30001  /*
30002 diff -urNp linux-2.6.35.5/fs/compat.c linux-2.6.35.5/fs/compat.c
30003 --- linux-2.6.35.5/fs/compat.c  2010-08-26 19:47:12.000000000 -0400
30004 +++ linux-2.6.35.5/fs/compat.c  2010-09-21 20:51:20.000000000 -0400
30005 @@ -1433,14 +1433,12 @@ static int compat_copy_strings(int argc,
30006                         if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
30007                                 struct page *page;
30008  
30009 -#ifdef CONFIG_STACK_GROWSUP
30010                                 ret = expand_stack_downwards(bprm->vma, pos);
30011                                 if (ret < 0) {
30012                                         /* We've exceed the stack rlimit. */
30013                                         ret = -E2BIG;
30014                                         goto out;
30015                                 }
30016 -#endif
30017                                 ret = get_user_pages(current, bprm->mm, pos,
30018                                                      1, 1, 1, &page, NULL);
30019                                 if (ret <= 0) {
30020 @@ -1486,6 +1484,11 @@ int compat_do_execve(char * filename,
30021         compat_uptr_t __user *envp,
30022         struct pt_regs * regs)
30023  {
30024 +#ifdef CONFIG_GRKERNSEC
30025 +       struct file *old_exec_file;
30026 +       struct acl_subject_label *old_acl;
30027 +       struct rlimit old_rlim[RLIM_NLIMITS];
30028 +#endif
30029         struct linux_binprm *bprm;
30030         struct file *file;
30031         struct files_struct *displaced;
30032 @@ -1522,6 +1525,14 @@ int compat_do_execve(char * filename,
30033         bprm->filename = filename;
30034         bprm->interp = filename;
30035  
30036 +       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
30037 +       retval = -EAGAIN;
30038 +       if (gr_handle_nproc())
30039 +               goto out_file;
30040 +       retval = -EACCES;
30041 +       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30042 +               goto out_file;
30043 +
30044         retval = bprm_mm_init(bprm);
30045         if (retval)
30046                 goto out_file;
30047 @@ -1551,9 +1562,40 @@ int compat_do_execve(char * filename,
30048         if (retval < 0)
30049                 goto out;
30050  
30051 +       if (!gr_tpe_allow(file)) {
30052 +               retval = -EACCES;
30053 +               goto out;
30054 +       }
30055 +
30056 +       if (gr_check_crash_exec(file)) {
30057 +               retval = -EACCES;
30058 +               goto out;
30059 +       }
30060 +
30061 +       gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30062 +
30063 +       gr_handle_exec_args(bprm, (char __user * __user *)argv);
30064 +
30065 +#ifdef CONFIG_GRKERNSEC
30066 +       old_acl = current->acl;
30067 +       memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30068 +       old_exec_file = current->exec_file;
30069 +       get_file(file);
30070 +       current->exec_file = file;
30071 +#endif
30072 +
30073 +       retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30074 +                                  bprm->unsafe & LSM_UNSAFE_SHARE);
30075 +       if (retval < 0)
30076 +               goto out_fail;
30077 +
30078         retval = search_binary_handler(bprm, regs);
30079         if (retval < 0)
30080 -               goto out;
30081 +               goto out_fail;
30082 +#ifdef CONFIG_GRKERNSEC
30083 +       if (old_exec_file)
30084 +               fput(old_exec_file);
30085 +#endif
30086  
30087         /* execve succeeded */
30088         current->fs->in_exec = 0;
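Review bot: `gr_handle_exec_args(bprm, (char __user * __user *)argv)` casts the compat argument vector to an array of native-width user pointers. `envp` in the signature above is `compat_uptr_t __user *`, and argv is presumably declared the same way outside the hunk, so on a 64-bit kernel the callee would read the 32-bit entries with the wrong stride unless it handles compat tasks itself; gr_handle_exec_args is not visible here. Either pass the vector with its real type to a compat-aware variant, or document at the call why the cast is safe.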
30089 @@ -1564,6 +1606,14 @@ int compat_do_execve(char * filename,
30090                 put_files_struct(displaced);
30091         return retval;
30092  
30093 +out_fail:
30094 +#ifdef CONFIG_GRKERNSEC
30095 +       current->acl = old_acl;
30096 +       memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30097 +       fput(current->exec_file);
30098 +       current->exec_file = old_exec_file;
30099 +#endif
30100 +
30101  out:
30102         if (bprm->mm)
30103                 mmput(bprm->mm);
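Review bot: The `out_fail` path writes the saved limits back with `memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim))` without taking any lock, and the snapshot in the earlier hunk is taken the same way. `signal->rlim` is shared by the whole thread group and, as far as I recall for this kernel version, setrlimit updates it under `task_lock(current->group_leader)`, so a concurrent change from another thread could be torn or silently reverted. Wrap both copies in `task_lock(current->group_leader);` and `task_unlock(current->group_leader);`, or restore only the entries the label change touched. compat_do_execve's body continues outside the hunk.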
30104 diff -urNp linux-2.6.35.5/fs/debugfs/inode.c linux-2.6.35.5/fs/debugfs/inode.c
30105 --- linux-2.6.35.5/fs/debugfs/inode.c   2010-08-26 19:47:12.000000000 -0400
30106 +++ linux-2.6.35.5/fs/debugfs/inode.c   2010-09-17 20:12:09.000000000 -0400
30107 @@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
30108  
30109  static int debug_fill_super(struct super_block *sb, void *data, int silent)
30110  {
30111 -       static struct tree_descr debug_files[] = {{""}};
30112 +       static struct tree_descr debug_files[] = {{"", NULL, 0}};
30113  
30114         return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30115  }
30116 diff -urNp linux-2.6.35.5/fs/dlm/lockspace.c linux-2.6.35.5/fs/dlm/lockspace.c
30117 --- linux-2.6.35.5/fs/dlm/lockspace.c   2010-08-26 19:47:12.000000000 -0400
30118 +++ linux-2.6.35.5/fs/dlm/lockspace.c   2010-09-17 20:12:09.000000000 -0400
30119 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30120         return 0;
30121  }
30122  
30123 -static struct kset_uevent_ops dlm_uevent_ops = {
30124 +static const struct kset_uevent_ops dlm_uevent_ops = {
30125         .uevent = dlm_uevent,
30126  };
30127  
30128 diff -urNp linux-2.6.35.5/fs/ecryptfs/inode.c linux-2.6.35.5/fs/ecryptfs/inode.c
30129 --- linux-2.6.35.5/fs/ecryptfs/inode.c  2010-08-26 19:47:12.000000000 -0400
30130 +++ linux-2.6.35.5/fs/ecryptfs/inode.c  2010-09-17 20:12:09.000000000 -0400
30131 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
30132         old_fs = get_fs();
30133         set_fs(get_ds());
30134         rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30135 -                                                  (char __user *)lower_buf,
30136 +                                                  (__force char __user *)lower_buf,
30137                                                    lower_bufsiz);
30138         set_fs(old_fs);
30139         if (rc < 0)
30140 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
30141         }
30142         old_fs = get_fs();
30143         set_fs(get_ds());
30144 -       rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30145 +       rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30146         set_fs(old_fs);
30147         if (rc < 0) {
30148                 kfree(buf);
30149 @@ -719,7 +719,7 @@ out:
30150  static void
30151  ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30152  {
30153 -       char *buf = nd_get_link(nd);
30154 +       const char *buf = nd_get_link(nd);
30155         if (!IS_ERR(buf)) {
30156                 /* Free the char* */
30157                 kfree(buf);
30158 diff -urNp linux-2.6.35.5/fs/ecryptfs/miscdev.c linux-2.6.35.5/fs/ecryptfs/miscdev.c
30159 --- linux-2.6.35.5/fs/ecryptfs/miscdev.c        2010-08-26 19:47:12.000000000 -0400
30160 +++ linux-2.6.35.5/fs/ecryptfs/miscdev.c        2010-09-17 20:12:09.000000000 -0400
30161 @@ -328,7 +328,7 @@ check_list:
30162                 goto out_unlock_msg_ctx;
30163         i = 5;
30164         if (msg_ctx->msg) {
30165 -               if (copy_to_user(&buf[i], packet_length, packet_length_size))
30166 +               if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30167                         goto out_unlock_msg_ctx;
30168                 i += packet_length_size;
30169                 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
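Review bot: The new length check is folded into the `copy_to_user()` condition, so a violated internal invariant (`packet_length_size` larger than the source buffer) exits through the same path and with the same return code as a faulting user pointer. It also pushes the line far past the usual column limit. A separate guard reads better and lets the case be told apart: `if (packet_length_size > sizeof(packet_length))` / `goto out_unlock_msg_ctx;` ahead of the copy, with a comment such as `/* never copy more than the local length buffer holds */`. The value of `rc` on that path is set outside the hunk, so confirm that it is an error code there.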
30170 diff -urNp linux-2.6.35.5/fs/exec.c linux-2.6.35.5/fs/exec.c
30171 --- linux-2.6.35.5/fs/exec.c    2010-08-26 19:47:12.000000000 -0400
30172 +++ linux-2.6.35.5/fs/exec.c    2010-09-20 17:20:42.000000000 -0400
30173 @@ -55,12 +55,24 @@
30174  #include <linux/fsnotify.h>
30175  #include <linux/fs_struct.h>
30176  #include <linux/pipe_fs_i.h>
30177 +#include <linux/random.h>
30178 +#include <linux/seq_file.h>
30179 +
30180 +#ifdef CONFIG_PAX_REFCOUNT
30181 +#include <linux/kallsyms.h>
30182 +#include <linux/kdebug.h>
30183 +#endif
30184  
30185  #include <asm/uaccess.h>
30186  #include <asm/mmu_context.h>
30187  #include <asm/tlb.h>
30188  #include "internal.h"
30189  
30190 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30191 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30192 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30193 +#endif
30194 +
30195  int core_uses_pid;
30196  char core_pattern[CORENAME_MAX_SIZE] = "core";
30197  unsigned int core_pipe_limit;
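Review bot: `pax_set_initial_flags_func` is a writable global function pointer exported with plain `EXPORT_SYMBOL`, and nothing here documents who may assign it, when, or whether callers must test it for NULL. Any module can overwrite a hook that decides the initial PaX flags of every exec, so the contract deserves stating next to the definition. If the intent is a single optional hook, a comment like `/* optional hook installed by the ACL module; NULL when absent, callers must check */` would do. The call sites are outside this hunk, so the NULL handling is unverified from here.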
30198 @@ -114,7 +126,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30199                 goto out;
30200  
30201         file = do_filp_open(AT_FDCWD, tmp,
30202 -                               O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30203 +                               O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30204                                 MAY_READ | MAY_EXEC | MAY_OPEN);
30205         putname(tmp);
30206         error = PTR_ERR(file);
30207 @@ -162,18 +174,10 @@ static struct page *get_arg_page(struct 
30208                 int write)
30209  {
30210         struct page *page;
30211 -       int ret;
30212  
30213 -#ifdef CONFIG_STACK_GROWSUP
30214 -       if (write) {
30215 -               ret = expand_stack_downwards(bprm->vma, pos);
30216 -               if (ret < 0)
30217 -                       return NULL;
30218 -       }
30219 -#endif
30220 -       ret = get_user_pages(current, bprm->mm, pos,
30221 -                       1, write, 1, &page, NULL);
30222 -       if (ret <= 0)
30223 +       if (0 > expand_stack_downwards(bprm->vma, pos))
30224 +               return NULL;
30225 +       if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
30226                 return NULL;
30227  
30228         if (write) {
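Review bot: `expand_stack_downwards()` is now called on every lookup, including read-only ones (`write == 0`) and on builds without `CONFIG_STACK_GROWSUP`, where the removed code restricted it to writes on grows-up stacks. If that is deliberate, it needs a one-line comment saying why a read may grow the temporary stack VMA; otherwise the `if (write)` guard should stay. The constant-first comparisons also go against the surrounding style; `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL) <= 0)` read the same as the rest of the file. The function continues past the end of the hunk.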
30229 @@ -246,6 +250,11 @@ static int __bprm_mm_init(struct linux_b
30230         vma->vm_end = STACK_TOP_MAX;
30231         vma->vm_start = vma->vm_end - PAGE_SIZE;
30232         vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30233 +
30234 +#ifdef CONFIG_PAX_SEGMEXEC
30235 +       vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30236 +#endif
30237 +
30238         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30239         INIT_LIST_HEAD(&vma->anon_vma_chain);
30240         err = insert_vm_struct(mm, vma);
30241 @@ -255,6 +264,12 @@ static int __bprm_mm_init(struct linux_b
30242         mm->stack_vm = mm->total_vm = 1;
30243         up_write(&mm->mmap_sem);
30244         bprm->p = vma->vm_end - sizeof(void *);
30245 +
30246 +#ifdef CONFIG_PAX_RANDUSTACK
30247 +       if (randomize_va_space)
30248 +               bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30249 +#endif
30250 +
30251         return 0;
30252  err:
30253         up_write(&mm->mmap_sem);
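Review bot: The mask in `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` is undocumented, and its correctness depends on facts set up in the previous hunk (the VMA is exactly one page and `bprm->p` starts at `vm_end - sizeof(void *)`). A comment such as `/* flip only page-offset bits 4 and up: p stays inside the single stack page and keeps its low four bits */` would let a reader check that the XOR cannot move `p` outside the VMA. Spelling `15` as a named alignment constant would help as well.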
30254 @@ -377,6 +392,9 @@ static int count(char __user * __user * 
30255                         argv++;
30256                         if (i++ >= max)
30257                                 return -E2BIG;
30258 +
30259 +                       if (fatal_signal_pending(current))
30260 +                               return -ERESTARTNOHAND;
30261                         cond_resched();
30262                 }
30263         }
30264 @@ -420,6 +438,12 @@ static int copy_strings(int argc, char _
30265                 while (len > 0) {
30266                         int offset, bytes_to_copy;
30267  
30268 +                       if (fatal_signal_pending(current)) {
30269 +                               ret = -ERESTARTNOHAND;
30270 +                               goto out;
30271 +                       }
30272 +                       cond_resched();
30273 +
30274                         offset = pos % PAGE_SIZE;
30275                         if (offset == 0)
30276                                 offset = PAGE_SIZE;
30277 @@ -476,7 +500,7 @@ int copy_strings_kernel(int argc,char **
30278         int r;
30279         mm_segment_t oldfs = get_fs();
30280         set_fs(KERNEL_DS);
30281 -       r = copy_strings(argc, (char __user * __user *)argv, bprm);
30282 +       r = copy_strings(argc, (__force char __user * __user *)argv, bprm);
30283         set_fs(oldfs);
30284         return r;
30285  }
30286 @@ -506,7 +530,8 @@ static int shift_arg_pages(struct vm_are
30287         unsigned long new_end = old_end - shift;
30288         struct mmu_gather *tlb;
30289  
30290 -       BUG_ON(new_start > new_end);
30291 +       if (new_start >= new_end || new_start < mmap_min_addr)
30292 +               return -EFAULT;
30293  
30294         /*
30295          * ensure there are no vmas between where we want to go
30296 @@ -515,6 +540,10 @@ static int shift_arg_pages(struct vm_are
30297         if (vma != find_vma(mm, new_start))
30298                 return -EFAULT;
30299  
30300 +#ifdef CONFIG_PAX_SEGMEXEC
30301 +       BUG_ON(pax_find_mirror_vma(vma));
30302 +#endif
30303 +
30304         /*
30305          * cover the whole range: [new_start, old_end)
30306          */
30307 @@ -605,8 +634,28 @@ int setup_arg_pages(struct linux_binprm 
30308         bprm->exec -= stack_shift;
30309  
30310         down_write(&mm->mmap_sem);
30311 +
30312 +       /* Move stack pages down in memory. */
30313 +       if (stack_shift) {
30314 +               ret = shift_arg_pages(vma, stack_shift);
30315 +               if (ret)
30316 +                       goto out_unlock;
30317 +       }
30318 +
30319         vm_flags = VM_STACK_FLAGS;
30320  
30321 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30322 +       if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30323 +               vm_flags &= ~VM_EXEC;
30324 +
30325 +#ifdef CONFIG_PAX_MPROTECT
30326 +               if (mm->pax_flags & MF_PAX_MPROTECT)
30327 +                       vm_flags &= ~VM_MAYEXEC;
30328 +#endif
30329 +
30330 +       }
30331 +#endif
30332 +
30333         /*
30334          * Adjust stack execute permissions; explicitly enable for
30335          * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
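Review bot: The PaX block clears `VM_EXEC` from `vm_flags` before the code announced by the following comment ("explicitly enable for EXSTACK_ENABLE_X"), which lies outside this hunk. If that code ORs `VM_EXEC` back in for `EXSTACK_ENABLE_X`, the restriction only holds when the binfmt loader never passes that value for an mm with `MF_PAX_PAGEEXEC` or `MF_PAX_SEGMEXEC` set. That dependency should be stated here, e.g. `/* relies on the loader forcing EXSTACK_DISABLE_X when PAGEEXEC/SEGMEXEC is active */`, or the clearing moved after the EXSTACK handling. The relocation of `shift_arg_pages()` ahead of the flag fixup also changes which address range the later fixup sees, and deserves a sentence in the same comment.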
30336 @@ -625,13 +674,6 @@ int setup_arg_pages(struct linux_binprm 
30337                 goto out_unlock;
30338         BUG_ON(prev != vma);
30339  
30340 -       /* Move stack pages down in memory. */
30341 -       if (stack_shift) {
30342 -               ret = shift_arg_pages(vma, stack_shift);
30343 -               if (ret)
30344 -                       goto out_unlock;
30345 -       }
30346 -
30347         /* mprotect_fixup is overkill to remove the temporary stack flags */
30348         vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30349  
30350 @@ -671,7 +713,7 @@ struct file *open_exec(const char *name)
30351         int err;
30352  
30353         file = do_filp_open(AT_FDCWD, name,
30354 -                               O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30355 +                               O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30356                                 MAY_EXEC | MAY_OPEN);
30357         if (IS_ERR(file))
30358                 goto out;
30359 @@ -708,7 +750,7 @@ int kernel_read(struct file *file, loff_
30360         old_fs = get_fs();
30361         set_fs(get_ds());
30362         /* The cast to a user pointer is valid due to the set_fs() */
30363 -       result = vfs_read(file, (void __user *)addr, count, &pos);
30364 +       result = vfs_read(file, (__force void __user *)addr, count, &pos);
30365         set_fs(old_fs);
30366         return result;
30367  }
30368 @@ -1125,7 +1167,7 @@ int check_unsafe_exec(struct linux_binpr
30369         }
30370         rcu_read_unlock();
30371  
30372 -       if (p->fs->users > n_fs) {
30373 +       if (atomic_read(&p->fs->users) > n_fs) {
30374                 bprm->unsafe |= LSM_UNSAFE_SHARE;
30375         } else {
30376                 res = -EAGAIN;
30377 @@ -1321,6 +1363,11 @@ int do_execve(char * filename,
30378         char __user *__user *envp,
30379         struct pt_regs * regs)
30380  {
30381 +#ifdef CONFIG_GRKERNSEC
30382 +       struct file *old_exec_file;
30383 +       struct acl_subject_label *old_acl;
30384 +       struct rlimit old_rlim[RLIM_NLIMITS];
30385 +#endif
30386         struct linux_binprm *bprm;
30387         struct file *file;
30388         struct files_struct *displaced;
30389 @@ -1357,6 +1404,18 @@ int do_execve(char * filename,
30390         bprm->filename = filename;
30391         bprm->interp = filename;
30392  
30393 +       gr_learn_resource(current, RLIMIT_NPROC, atomic_read(&current->cred->user->processes), 1);
30394 +
30395 +       if (gr_handle_nproc()) {
30396 +               retval = -EAGAIN;
30397 +               goto out_file;
30398 +       }
30399 +
30400 +       if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30401 +               retval = -EACCES;
30402 +               goto out_file;
30403 +       }
30404 +
30405         retval = bprm_mm_init(bprm);
30406         if (retval)
30407                 goto out_file;
30408 @@ -1386,10 +1445,41 @@ int do_execve(char * filename,
30409         if (retval < 0)
30410                 goto out;
30411  
30412 +       if (!gr_tpe_allow(file)) {
30413 +               retval = -EACCES;
30414 +               goto out;
30415 +       }
30416 +
30417 +       if (gr_check_crash_exec(file)) {
30418 +               retval = -EACCES;
30419 +               goto out;
30420 +       }
30421 +
30422 +       gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30423 +
30424 +       gr_handle_exec_args(bprm, argv);
30425 +
30426 +#ifdef CONFIG_GRKERNSEC
30427 +       old_acl = current->acl;
30428 +       memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30429 +       old_exec_file = current->exec_file;
30430 +       get_file(file);
30431 +       current->exec_file = file;
30432 +#endif
30433 +
30434 +       retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30435 +                                  bprm->unsafe & LSM_UNSAFE_SHARE);
30436 +       if (retval < 0)
30437 +               goto out_fail;
30438 +
30439         current->flags &= ~PF_KTHREAD;
30440         retval = search_binary_handler(bprm,regs);
30441         if (retval < 0)
30442 -               goto out;
30443 +               goto out_fail;
30444 +#ifdef CONFIG_GRKERNSEC
30445 +       if (old_exec_file)
30446 +               fput(old_exec_file);
30447 +#endif
30448  
30449         /* execve succeeded */
30450         current->fs->in_exec = 0;
30451 @@ -1400,6 +1490,14 @@ int do_execve(char * filename,
30452                 put_files_struct(displaced);
30453         return retval;
30454  
30455 +out_fail:
30456 +#ifdef CONFIG_GRKERNSEC
30457 +       current->acl = old_acl;
30458 +       memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30459 +       fput(current->exec_file);
30460 +       current->exec_file = old_exec_file;
30461 +#endif
30462 +
30463  out:
30464         if (bprm->mm)
30465                 mmput (bprm->mm);
30466 @@ -1563,6 +1661,225 @@ out:
30467         return ispipe;
30468  }
30469  
30470 +int pax_check_flags(unsigned long *flags)
30471 +{
30472 +       int retval = 0;
30473 +
30474 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30475 +       if (*flags & MF_PAX_SEGMEXEC)
30476 +       {
30477 +               *flags &= ~MF_PAX_SEGMEXEC;
30478 +               retval = -EINVAL;
30479 +       }
30480 +#endif
30481 +
30482 +       if ((*flags & MF_PAX_PAGEEXEC)
30483 +
30484 +#ifdef CONFIG_PAX_PAGEEXEC
30485 +           &&  (*flags & MF_PAX_SEGMEXEC)
30486 +#endif
30487 +
30488 +          )
30489 +       {
30490 +               *flags &= ~MF_PAX_PAGEEXEC;
30491 +               retval = -EINVAL;
30492 +       }
30493 +
30494 +       if ((*flags & MF_PAX_MPROTECT)
30495 +
30496 +#ifdef CONFIG_PAX_MPROTECT
30497 +           && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30498 +#endif
30499 +
30500 +          )
30501 +       {
30502 +               *flags &= ~MF_PAX_MPROTECT;
30503 +               retval = -EINVAL;
30504 +       }
30505 +
30506 +       if ((*flags & MF_PAX_EMUTRAMP)
30507 +
30508 +#ifdef CONFIG_PAX_EMUTRAMP
30509 +           && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30510 +#endif
30511 +
30512 +          )
30513 +       {
30514 +               *flags &= ~MF_PAX_EMUTRAMP;
30515 +               retval = -EINVAL;
30516 +       }
30517 +
30518 +       return retval;
30519 +}
30520 +
30521 +EXPORT_SYMBOL(pax_check_flags);
30522 +
30523 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30524 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30525 +{
30526 +       struct task_struct *tsk = current;
30527 +       struct mm_struct *mm = current->mm;
30528 +       char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30529 +       char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30530 +       char *path_exec = NULL;
30531 +       char *path_fault = NULL;
30532 +       unsigned long start = 0UL, end = 0UL, offset = 0UL;
30533 +
30534 +       if (buffer_exec && buffer_fault) {
30535 +               struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30536 +
30537 +               down_read(&mm->mmap_sem);
30538 +               vma = mm->mmap;
30539 +               while (vma && (!vma_exec || !vma_fault)) {
30540 +                       if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30541 +                               vma_exec = vma;
30542 +                       if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30543 +                               vma_fault = vma;
30544 +                       vma = vma->vm_next;
30545 +               }
30546 +               if (vma_exec) {
30547 +                       path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30548 +                       if (IS_ERR(path_exec))
30549 +                               path_exec = "<path too long>";
30550 +                       else {
30551 +                               path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30552 +                               if (path_exec) {
30553 +                                       *path_exec = 0;
30554 +                                       path_exec = buffer_exec;
30555 +                               } else
30556 +                                       path_exec = "<path too long>";
30557 +                       }
30558 +               }
30559 +               if (vma_fault) {
30560 +                       start = vma_fault->vm_start;
30561 +                       end = vma_fault->vm_end;
30562 +                       offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30563 +                       if (vma_fault->vm_file) {
30564 +                               path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30565 +                               if (IS_ERR(path_fault))
30566 +                                       path_fault = "<path too long>";
30567 +                               else {
30568 +                                       path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30569 +                                       if (path_fault) {
30570 +                                               *path_fault = 0;
30571 +                                               path_fault = buffer_fault;
30572 +                                       } else
30573 +                                               path_fault = "<path too long>";
30574 +                               }
30575 +                       } else
30576 +                               path_fault = "<anonymous mapping>";
30577 +               }
30578 +               up_read(&mm->mmap_sem);
30579 +       }
30580 +       if (tsk->signal->curr_ip)
30581 +               printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30582 +       else
30583 +               printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30584 +       printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30585 +                       "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30586 +                       task_uid(tsk), task_euid(tsk), pc, sp);
30587 +       free_page((unsigned long)buffer_exec);
30588 +       free_page((unsigned long)buffer_fault);
30589 +       pax_report_insns(pc, sp);
30590 +       do_coredump(SIGKILL, SIGKILL, regs);
30591 +}
30592 +#endif
30593 +
30594 +#ifdef CONFIG_PAX_REFCOUNT
30595 +void pax_report_refcount_overflow(struct pt_regs *regs)
30596 +{
30597 +       if (current->signal->curr_ip)
30598 +               printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30599 +                                &current->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
30600 +       else
30601 +               printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30602 +                                current->comm, task_pid_nr(current), current_uid(), current_euid());
30603 +       print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
30604 +       show_regs(regs);
30605 +       force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
30606 +}
30607 +#endif
30608 +
30609 +#ifdef CONFIG_PAX_USERCOPY
30610 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30611 +struct stack_frame {
30612 +       struct stack_frame *next_frame;
30613 +       unsigned long return_address;
30614 +};
30615 +#endif
30616 +
30617 +/* 0: not at all, 1: fully, 2: fully inside frame,
30618 +  -1: partially (implies an error) */
30619 +
30620 +int object_is_on_stack(const void *obj, unsigned long len)
30621 +{
30622 +       const void *stack = task_stack_page(current);
30623 +       const void *stackend = stack + THREAD_SIZE;
30624 +
30625 +       if (obj + len < obj)
30626 +               return -1;
30627 +
30628 +       if (stack <= obj && obj + len <= stackend) {
30629 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
30630 +               void *frame = __builtin_frame_address(2);
30631 +               void *oldframe = __builtin_frame_address(1);
30632 +               /*
30633 +                 bottom ----------------------------------------------> top
30634 +                 [saved bp][saved ip][args][local vars][saved bp][saved ip]
30635 +                                     ^----------------^
30636 +                                 allow copies only within here
30637 +               */
30638 +               while (frame) {
30639 +                       /* if obj + len extends past the last frame, this
30640 +                          check won't pass and the next frame will be 0,
30641 +                          causing us to bail out and correctly report
30642 +                          the copy as invalid
30643 +                       */
30644 +                       if (obj + len <= frame) {
30645 +                               if (obj >= (oldframe + (2 * sizeof(void *))))
30646 +                                       return 2;
30647 +                               else
30648 +                                       return -1;
30649 +                       }
30650 +                       oldframe = frame;
30651 +                       frame = ((struct stack_frame *)frame)->next_frame;
30652 +               }
30653 +               return -1;
30654 +#else
30655 +               return 1;
30656 +#endif
30657 +       }
30658 +
30659 +       if (obj + len <= stack || stackend <=  obj)
30660 +               return 0;
30661 +
30662 +       return -1;
30663 +}
30664 +
30665 +
30666 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
30667 +{
30668 +       if (current->signal->curr_ip)
30669 +               printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
30670 +                       &current->signal->curr_ip, ptr, len);
30671 +       else
30672 +               printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
30673 +       dump_stack();
30674 +       do_group_exit(SIGKILL);
30675 +}
30676 +
30677 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
30678 +{
30679 +       if (current->signal->curr_ip)
30680 +               printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
30681 +                       &current->signal->curr_ip, ptr, len);
30682 +       else
30683 +               printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
30684 +       dump_stack();
30685 +       do_group_exit(SIGKILL);
30686 +}
30687 +#endif
30688 +
30689  static int zap_process(struct task_struct *start, int exit_code)
30690  {
30691         struct task_struct *t;
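Review bot: In `object_is_on_stack()` the frame walk `while (frame) { ... frame = ((struct stack_frame *)frame)->next_frame; }` dereferences each saved frame pointer without checking that it lies inside the current task stack. A frame pointer that is stale, clobbered, or left by code built without frame pointers would make this hardening check read arbitrary kernel memory, or fault, before it reaches a verdict. Bounding the loop with the values already computed at the top of the function fixes that: `while (stack <= frame && frame < stackend) {`. The fall-through `return -1;` then still rejects the copy when the chain leaves the stack.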
30692 @@ -1773,17 +2090,17 @@ static void wait_for_dump_helpers(struct
30693         pipe = file->f_path.dentry->d_inode->i_pipe;
30694  
30695         pipe_lock(pipe);
30696 -       pipe->readers++;
30697 -       pipe->writers--;
30698 +       atomic_inc(&pipe->readers);
30699 +       atomic_dec(&pipe->writers);
30700  
30701 -       while ((pipe->readers > 1) && (!signal_pending(current))) {
30702 +       while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
30703                 wake_up_interruptible_sync(&pipe->wait);
30704                 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
30705                 pipe_wait(pipe);
30706         }
30707  
30708 -       pipe->readers--;
30709 -       pipe->writers++;
30710 +       atomic_dec(&pipe->readers);
30711 +       atomic_inc(&pipe->writers);
30712         pipe_unlock(pipe);
30713  
30714  }
30715 @@ -1891,6 +2208,10 @@ void do_coredump(long signr, int exit_co
30716          */
30717         clear_thread_flag(TIF_SIGPENDING);
30718  
30719 +       if (signr == SIGKILL || signr == SIGILL)
30720 +               gr_handle_brute_attach(current);
30721 +       gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
30722 +
30723         /*
30724          * lock_kernel() because format_corename() is controlled by sysctl, which
30725          * uses lock_kernel()
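Review bot: The test `signr == SIGKILL || signr == SIGILL` has no comment, and SIGKILL is not a signal that normally produces a core dump. Elsewhere in this patch `pax_report_fault()` calls `do_coredump(SIGKILL, SIGKILL, regs)`, which appears to be how SIGKILL reaches this point. A comment such as `/* SIGKILL arrives here from pax_report_fault(); count it and SIGILL toward brute-force detection */` would make the link explicit, if that is the intent. `gr_learn_resource()` reads `binfmt->min_coredump`, so it relies on the NULL check of `binfmt` earlier in the function, outside this hunk.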
30726 diff -urNp linux-2.6.35.5/fs/ext2/balloc.c linux-2.6.35.5/fs/ext2/balloc.c
30727 --- linux-2.6.35.5/fs/ext2/balloc.c     2010-08-26 19:47:12.000000000 -0400
30728 +++ linux-2.6.35.5/fs/ext2/balloc.c     2010-09-17 20:12:37.000000000 -0400
30729 @@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
30730  
30731         free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30732         root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30733 -       if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30734 +       if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30735                 sbi->s_resuid != current_fsuid() &&
30736                 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30737                 return 0;
30738 diff -urNp linux-2.6.35.5/fs/ext2/xattr.c linux-2.6.35.5/fs/ext2/xattr.c
30739 --- linux-2.6.35.5/fs/ext2/xattr.c      2010-08-26 19:47:12.000000000 -0400
30740 +++ linux-2.6.35.5/fs/ext2/xattr.c      2010-09-17 20:12:09.000000000 -0400
30741 @@ -86,8 +86,8 @@
30742                 printk("\n"); \
30743         } while (0)
30744  #else
30745 -# define ea_idebug(f...)
30746 -# define ea_bdebug(f...)
30747 +# define ea_idebug(inode, f...) do {} while (0)
30748 +# define ea_bdebug(bh, f...) do {} while (0)
30749  #endif
30750  
30751  static int ext2_xattr_set2(struct inode *, struct buffer_head *,
30752 diff -urNp linux-2.6.35.5/fs/ext3/balloc.c linux-2.6.35.5/fs/ext3/balloc.c
30753 --- linux-2.6.35.5/fs/ext3/balloc.c     2010-08-26 19:47:12.000000000 -0400
30754 +++ linux-2.6.35.5/fs/ext3/balloc.c     2010-09-17 20:12:37.000000000 -0400
30755 @@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
30756  
30757         free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
30758         root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
30759 -       if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
30760 +       if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
30761                 sbi->s_resuid != current_fsuid() &&
30762                 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
30763                 return 0;
30764 diff -urNp linux-2.6.35.5/fs/ext3/namei.c linux-2.6.35.5/fs/ext3/namei.c
30765 --- linux-2.6.35.5/fs/ext3/namei.c      2010-08-26 19:47:12.000000000 -0400
30766 +++ linux-2.6.35.5/fs/ext3/namei.c      2010-09-17 20:12:09.000000000 -0400
30767 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
30768         char *data1 = (*bh)->b_data, *data2;
30769         unsigned split, move, size;
30770         struct ext3_dir_entry_2 *de = NULL, *de2;
30771 -       int     err = 0, i;
30772 +       int     i, err = 0;
30773  
30774         bh2 = ext3_append (handle, dir, &newblock, &err);
30775         if (!(bh2)) {
30776 diff -urNp linux-2.6.35.5/fs/ext3/xattr.c linux-2.6.35.5/fs/ext3/xattr.c
30777 --- linux-2.6.35.5/fs/ext3/xattr.c      2010-08-26 19:47:12.000000000 -0400
30778 +++ linux-2.6.35.5/fs/ext3/xattr.c      2010-09-17 20:12:09.000000000 -0400
30779 @@ -89,8 +89,8 @@
30780                 printk("\n"); \
30781         } while (0)
30782  #else
30783 -# define ea_idebug(f...)
30784 -# define ea_bdebug(f...)
30785 +# define ea_idebug(f...) do {} while (0)
30786 +# define ea_bdebug(f...) do {} while (0)
30787  #endif
30788  
30789  static void ext3_xattr_cache_insert(struct buffer_head *);
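Review bot: The stub macros here keep the `(f...)` parameter list, while the matching ext2 and ext4 hunks in this patch change theirs to `ea_idebug(inode, f...)` and `ea_bdebug(bh, f...)`. Using the same signatures in all three files keeps the stubs aligned with the debug variants and makes a call with a missing first argument fail in non-debug builds too: `# define ea_idebug(inode, f...) do {} while (0)` and `# define ea_bdebug(bh, f...) do {} while (0)`.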
30790 diff -urNp linux-2.6.35.5/fs/ext4/balloc.c linux-2.6.35.5/fs/ext4/balloc.c
30791 --- linux-2.6.35.5/fs/ext4/balloc.c     2010-08-26 19:47:12.000000000 -0400
30792 +++ linux-2.6.35.5/fs/ext4/balloc.c     2010-09-17 20:12:37.000000000 -0400
30793 @@ -522,7 +522,7 @@ int ext4_has_free_blocks(struct ext4_sb_
30794         /* Hm, nope.  Are (enough) root reserved blocks available? */
30795         if (sbi->s_resuid == current_fsuid() ||
30796             ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
30797 -           capable(CAP_SYS_RESOURCE)) {
30798 +           capable_nolog(CAP_SYS_RESOURCE)) {
30799                 if (free_blocks >= (nblocks + dirty_blocks))
30800                         return 1;
30801         }
30802 diff -urNp linux-2.6.35.5/fs/ext4/namei.c linux-2.6.35.5/fs/ext4/namei.c
30803 --- linux-2.6.35.5/fs/ext4/namei.c      2010-08-26 19:47:12.000000000 -0400
30804 +++ linux-2.6.35.5/fs/ext4/namei.c      2010-09-17 20:12:09.000000000 -0400
30805 @@ -1197,7 +1197,7 @@ static struct ext4_dir_entry_2 *do_split
30806         char *data1 = (*bh)->b_data, *data2;
30807         unsigned split, move, size;
30808         struct ext4_dir_entry_2 *de = NULL, *de2;
30809 -       int     err = 0, i;
30810 +       int     i, err = 0;
30811  
30812         bh2 = ext4_append (handle, dir, &newblock, &err);
30813         if (!(bh2)) {
30814 diff -urNp linux-2.6.35.5/fs/ext4/xattr.c linux-2.6.35.5/fs/ext4/xattr.c
30815 --- linux-2.6.35.5/fs/ext4/xattr.c      2010-08-26 19:47:12.000000000 -0400
30816 +++ linux-2.6.35.5/fs/ext4/xattr.c      2010-09-17 20:12:09.000000000 -0400
30817 @@ -82,8 +82,8 @@
30818                 printk("\n"); \
30819         } while (0)
30820  #else
30821 -# define ea_idebug(f...)
30822 -# define ea_bdebug(f...)
30823 +# define ea_idebug(inode, f...) do {} while (0)
30824 +# define ea_bdebug(bh, f...) do {} while (0)
30825  #endif
30826  
30827  static void ext4_xattr_cache_insert(struct buffer_head *);
30828 diff -urNp linux-2.6.35.5/fs/fcntl.c linux-2.6.35.5/fs/fcntl.c
30829 --- linux-2.6.35.5/fs/fcntl.c   2010-08-26 19:47:12.000000000 -0400
30830 +++ linux-2.6.35.5/fs/fcntl.c   2010-09-17 20:12:37.000000000 -0400
30831 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
30832         if (err)
30833                 return err;
30834  
30835 +       if (gr_handle_chroot_fowner(pid, type))
30836 +               return -ENOENT;
30837 +       if (gr_check_protected_task_fowner(pid, type))
30838 +               return -EACCES;
30839 +
30840         f_modown(filp, pid, type, force);
30841         return 0;
30842  }
30843 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
30844         switch (cmd) {
30845         case F_DUPFD:
30846         case F_DUPFD_CLOEXEC:
30847 +               gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
30848                 if (arg >= rlimit(RLIMIT_NOFILE))
30849                         break;
30850                 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
30851 diff -urNp linux-2.6.35.5/fs/fifo.c linux-2.6.35.5/fs/fifo.c
30852 --- linux-2.6.35.5/fs/fifo.c    2010-08-26 19:47:12.000000000 -0400
30853 +++ linux-2.6.35.5/fs/fifo.c    2010-09-17 20:12:09.000000000 -0400
30854 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
30855          */
30856                 filp->f_op = &read_pipefifo_fops;
30857                 pipe->r_counter++;
30858 -               if (pipe->readers++ == 0)
30859 +               if (atomic_inc_return(&pipe->readers) == 1)
30860                         wake_up_partner(inode);
30861  
30862 -               if (!pipe->writers) {
30863 +               if (!atomic_read(&pipe->writers)) {
30864                         if ((filp->f_flags & O_NONBLOCK)) {
30865                                 /* suppress POLLHUP until we have
30866                                  * seen a writer */
30867 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
30868          *  errno=ENXIO when there is no process reading the FIFO.
30869          */
30870                 ret = -ENXIO;
30871 -               if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
30872 +               if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
30873                         goto err;
30874  
30875                 filp->f_op = &write_pipefifo_fops;
30876                 pipe->w_counter++;
30877 -               if (!pipe->writers++)
30878 +               if (atomic_inc_return(&pipe->writers) == 1)
30879                         wake_up_partner(inode);
30880  
30881 -               if (!pipe->readers) {
30882 +               if (!atomic_read(&pipe->readers)) {
30883                         wait_for_partner(inode, &pipe->r_counter);
30884                         if (signal_pending(current))
30885                                 goto err_wr;
30886 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
30887          */
30888                 filp->f_op = &rdwr_pipefifo_fops;
30889  
30890 -               pipe->readers++;
30891 -               pipe->writers++;
30892 +               atomic_inc(&pipe->readers);
30893 +               atomic_inc(&pipe->writers);
30894                 pipe->r_counter++;
30895                 pipe->w_counter++;
30896 -               if (pipe->readers == 1 || pipe->writers == 1)
30897 +               if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
30898                         wake_up_partner(inode);
30899                 break;
30900  
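Review bot: The read/write branch increments with atomic_inc() and then re-reads both counters with atomic_read(), while the read-only and write-only branches of fifo_open use atomic_inc_return(), which makes the increment and the test a single operation. The two forms agree only while the caller's lock serialises every update (that locking is outside the hunk). For consistency, keep the returned values, `int r = atomic_inc_return(&pipe->readers), w = atomic_inc_return(&pipe->writers);`, and test `if (r == 1 || w == 1)`. fifo_open starts and ends outside this hunk.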
30901 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
30902         return 0;
30903  
30904  err_rd:
30905 -       if (!--pipe->readers)
30906 +       if (atomic_dec_and_test(&pipe->readers))
30907                 wake_up_interruptible(&pipe->wait);
30908         ret = -ERESTARTSYS;
30909         goto err;
30910  
30911  err_wr:
30912 -       if (!--pipe->writers)
30913 +       if (atomic_dec_and_test(&pipe->writers))
30914                 wake_up_interruptible(&pipe->wait);
30915         ret = -ERESTARTSYS;
30916         goto err;
30917  
30918  err:
30919 -       if (!pipe->readers && !pipe->writers)
30920 +       if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
30921                 free_pipe_info(inode);
30922  
30923  err_nocleanup:
30924 diff -urNp linux-2.6.35.5/fs/file.c linux-2.6.35.5/fs/file.c
30925 --- linux-2.6.35.5/fs/file.c    2010-08-26 19:47:12.000000000 -0400
30926 +++ linux-2.6.35.5/fs/file.c    2010-09-17 20:12:37.000000000 -0400
30927 @@ -14,6 +14,7 @@
30928  #include <linux/slab.h>
30929  #include <linux/vmalloc.h>
30930  #include <linux/file.h>
30931 +#include <linux/security.h>
30932  #include <linux/fdtable.h>
30933  #include <linux/bitops.h>
30934  #include <linux/interrupt.h>
30935 @@ -257,6 +258,7 @@ int expand_files(struct files_struct *fi
30936          * N.B. For clone tasks sharing a files structure, this test
30937          * will limit the total number of files that can be opened.
30938          */
30939 +       gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
30940         if (nr >= rlimit(RLIMIT_NOFILE))
30941                 return -EMFILE;
30942  
30943 diff -urNp linux-2.6.35.5/fs/fs_struct.c linux-2.6.35.5/fs/fs_struct.c
30944 --- linux-2.6.35.5/fs/fs_struct.c       2010-08-26 19:47:12.000000000 -0400
30945 +++ linux-2.6.35.5/fs/fs_struct.c       2010-09-17 20:12:37.000000000 -0400
30946 @@ -4,6 +4,7 @@
30947  #include <linux/slab.h>
30948  #include <linux/fs_struct.h>
30949  #include <linux/vserver/global.h>
30950 +#include <linux/grsecurity.h>
30951  
30952  /*
30953   * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
30954 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
30955         old_root = fs->root;
30956         fs->root = *path;
30957         path_get(path);
30958 +       gr_set_chroot_entries(current, path);
30959         write_unlock(&fs->lock);
30960         if (old_root.dentry)
30961                 path_put(&old_root);
30962 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
30963                             && fs->root.mnt == old_root->mnt) {
30964                                 path_get(new_root);
30965                                 fs->root = *new_root;
30966 +                               gr_set_chroot_entries(p, new_root);
30967                                 count++;
30968                         }
30969                         if (fs->pwd.dentry == old_root->dentry
30970 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
30971                 task_lock(tsk);
30972                 write_lock(&fs->lock);
30973                 tsk->fs = NULL;
30974 -               kill = !--fs->users;
30975 +               gr_clear_chroot_entries(tsk);
30976 +               kill = !atomic_dec_return(&fs->users);
30977                 write_unlock(&fs->lock);
30978                 task_unlock(tsk);
30979                 if (kill)
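Review bot: `kill = !atomic_dec_return(&fs->users);` is written with the dedicated helper elsewhere in this patch (the err_rd/err_wr paths in fs/fifo.c use atomic_dec_and_test()), and that form states the intent directly: `kill = atomic_dec_and_test(&fs->users);`. The same line occurs in unshare_fs_struct() and daemonize_fs_struct() in later hunks of this file. Separately, gr_clear_chroot_entries(tsk) now runs with both task_lock and fs->lock held, so it must not sleep; a one-line comment saying so would help. exit_fs continues outside the hunk.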
30980 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct 
30981         struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
30982         /* We don't need to lock fs - think why ;-) */
30983         if (fs) {
30984 -               fs->users = 1;
30985 +               atomic_set(&fs->users, 1);
30986                 fs->in_exec = 0;
30987                 rwlock_init(&fs->lock);
30988                 fs->umask = old->umask;
30989 @@ -127,8 +131,9 @@ int unshare_fs_struct(void)
30990  
30991         task_lock(current);
30992         write_lock(&fs->lock);
30993 -       kill = !--fs->users;
30994 +       kill = !atomic_dec_return(&fs->users);
30995         current->fs = new_fs;
30996 +       gr_set_chroot_entries(current, &new_fs->root);
30997         write_unlock(&fs->lock);
30998         task_unlock(current);
30999  
31000 @@ -147,7 +152,7 @@ EXPORT_SYMBOL(current_umask);
31001  
31002  /* to be mentioned only in INIT_TASK */
31003  struct fs_struct init_fs = {
31004 -       .users          = 1,
31005 +       .users          = ATOMIC_INIT(1),
31006         .lock           = __RW_LOCK_UNLOCKED(init_fs.lock),
31007         .umask          = 0022,
31008  };
31009 @@ -162,12 +167,13 @@ void daemonize_fs_struct(void)
31010                 task_lock(current);
31011  
31012                 write_lock(&init_fs.lock);
31013 -               init_fs.users++;
31014 +               atomic_inc(&init_fs.users);
31015                 write_unlock(&init_fs.lock);
31016  
31017                 write_lock(&fs->lock);
31018                 current->fs = &init_fs;
31019 -               kill = !--fs->users;
31020 +               gr_set_chroot_entries(current, &current->fs->root);
31021 +               kill = !atomic_dec_return(&fs->users);
31022                 write_unlock(&fs->lock);
31023  
31024                 task_unlock(current);
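Review bot: gr_set_chroot_entries(current, &current->fs->root) reads init_fs.root (current->fs was set to &init_fs on the line before) while only the old fs->lock is held; init_fs.lock was released a few lines earlier. set_fs_root() in this file changes a root under the owning fs_struct's lock, so this read is not ordered against a concurrent change of init_fs.root. Moving the call into the init_fs.lock section next to the atomic_inc, as `gr_set_chroot_entries(current, &init_fs.root);`, would keep it under the right lock, assuming the helper does not need current->fs to be switched first (its body is not shown here).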
31025 diff -urNp linux-2.6.35.5/fs/fuse/control.c linux-2.6.35.5/fs/fuse/control.c
31026 --- linux-2.6.35.5/fs/fuse/control.c    2010-08-26 19:47:12.000000000 -0400
31027 +++ linux-2.6.35.5/fs/fuse/control.c    2010-09-17 20:12:09.000000000 -0400
31028 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31029  
31030  static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31031  {
31032 -       struct tree_descr empty_descr = {""};
31033 +       struct tree_descr empty_descr = {"", NULL, 0};
31034         struct fuse_conn *fc;
31035         int err;
31036  
31037 diff -urNp linux-2.6.35.5/fs/fuse/cuse.c linux-2.6.35.5/fs/fuse/cuse.c
31038 --- linux-2.6.35.5/fs/fuse/cuse.c       2010-08-26 19:47:12.000000000 -0400
31039 +++ linux-2.6.35.5/fs/fuse/cuse.c       2010-09-17 20:12:09.000000000 -0400
31040 @@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
31041         return rc;
31042  }
31043  
31044 -static struct file_operations cuse_channel_fops; /* initialized during init */
31045 -
31046 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31047 +       .owner          = THIS_MODULE,
31048 +       .llseek         = no_llseek,
31049 +       .read           = do_sync_read,
31050 +       .aio_read       = fuse_dev_read,
31051 +       .write          = do_sync_write,
31052 +       .aio_write      = fuse_dev_write,
31053 +       .poll           = fuse_dev_poll,
31054 +       .open           = cuse_channel_open,
31055 +       .release        = cuse_channel_release,
31056 +       .fasync         = fuse_dev_fasync,
31057 +};
31058  
31059  /**************************************************************************
31060   * Misc stuff and module initializatiion
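Review bot: The new static initializer lists ten members by hand, whereas the code removed from cuse_init copied the whole of fuse_dev_operations and overrode three, so any member fuse_dev_operations sets beyond those listed is silently dropped for CUSE. fs/fuse/dev.c in this same patch has static fuse_dev_splice_read() and fuse_dev_splice_write(); if they are wired into fuse_dev_operations (its initializer is only partly visible), CUSE channels lose them, and the two tables can drift apart on later changes. Either add the missing members or record the deliberate omission in a comment. The trailing `/* initialized during init */` is also stale now and should read something like `/* fuse_dev_operations with cuse open/release, kept const */`.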
31061 @@ -576,12 +586,6 @@ static int __init cuse_init(void)
31062         for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31063                 INIT_LIST_HEAD(&cuse_conntbl[i]);
31064  
31065 -       /* inherit and extend fuse_dev_operations */
31066 -       cuse_channel_fops               = fuse_dev_operations;
31067 -       cuse_channel_fops.owner         = THIS_MODULE;
31068 -       cuse_channel_fops.open          = cuse_channel_open;
31069 -       cuse_channel_fops.release       = cuse_channel_release;
31070 -
31071         cuse_class = class_create(THIS_MODULE, "cuse");
31072         if (IS_ERR(cuse_class))
31073                 return PTR_ERR(cuse_class);
31074 diff -urNp linux-2.6.35.5/fs/fuse/dev.c linux-2.6.35.5/fs/fuse/dev.c
31075 --- linux-2.6.35.5/fs/fuse/dev.c        2010-09-20 17:33:09.000000000 -0400
31076 +++ linux-2.6.35.5/fs/fuse/dev.c        2010-09-20 17:33:32.000000000 -0400
31077 @@ -1031,7 +1031,7 @@ static ssize_t fuse_dev_do_read(struct f
31078         return err;
31079  }
31080  
31081 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31082 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31083                               unsigned long nr_segs, loff_t pos)
31084  {
31085         struct fuse_copy_state cs;
31086 @@ -1045,6 +1045,8 @@ static ssize_t fuse_dev_read(struct kioc
31087         return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31088  }
31089  
31090 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31091 +
31092  static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31093                                    struct pipe_buffer *buf)
31094  {
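Review bot: The added `EXPORT_SYMBOL_GPL(fuse_dev_read);` is separated from its function by a blank line, while the existing export in this file sits directly under the closing brace (`}` followed by `EXPORT_SYMBOL_GPL(fuse_dev_release);`). Follow the existing layout here and for fuse_dev_write, fuse_dev_poll and fuse_dev_fasync in the later hunks. Dropping `static` also puts these four handlers on the module's exported surface only so that cuse can build a const table; a comment above the first export, e.g. `/* exported for the const cuse_channel_fops table */`, would record why.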
31095 @@ -1088,7 +1090,7 @@ static ssize_t fuse_dev_splice_read(stru
31096         ret = 0;
31097         pipe_lock(pipe);
31098  
31099 -       if (!pipe->readers) {
31100 +       if (!atomic_read(&pipe->readers)) {
31101                 send_sig(SIGPIPE, current, 0);
31102                 if (!ret)
31103                         ret = -EPIPE;
31104 @@ -1387,7 +1389,7 @@ static ssize_t fuse_dev_do_write(struct 
31105         return err;
31106  }
31107  
31108 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31109 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31110                               unsigned long nr_segs, loff_t pos)
31111  {
31112         struct fuse_copy_state cs;
31113 @@ -1400,6 +1402,8 @@ static ssize_t fuse_dev_write(struct kio
31114         return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31115  }
31116  
31117 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31118 +
31119  static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31120                                      struct file *out, loff_t *ppos,
31121                                      size_t len, unsigned int flags)
31122 @@ -1478,7 +1482,7 @@ out:
31123         return ret;
31124  }
31125  
31126 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31127 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31128  {
31129         unsigned mask = POLLOUT | POLLWRNORM;
31130         struct fuse_conn *fc = fuse_get_conn(file);
31131 @@ -1497,6 +1501,8 @@ static unsigned fuse_dev_poll(struct fil
31132         return mask;
31133  }
31134  
31135 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31136 +
31137  /*
31138   * Abort all requests on the given list (pending or processing)
31139   *
31140 @@ -1612,7 +1618,7 @@ int fuse_dev_release(struct inode *inode
31141  }
31142  EXPORT_SYMBOL_GPL(fuse_dev_release);
31143  
31144 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31145 +int fuse_dev_fasync(int fd, struct file *file, int on)
31146  {
31147         struct fuse_conn *fc = fuse_get_conn(file);
31148         if (!fc)
31149 @@ -1622,6 +1628,8 @@ static int fuse_dev_fasync(int fd, struc
31150         return fasync_helper(fd, file, on, &fc->fasync);
31151  }
31152  
31153 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31154 +
31155  const struct file_operations fuse_dev_operations = {
31156         .owner          = THIS_MODULE,
31157         .llseek         = no_llseek,
31158 diff -urNp linux-2.6.35.5/fs/fuse/dir.c linux-2.6.35.5/fs/fuse/dir.c
31159 --- linux-2.6.35.5/fs/fuse/dir.c        2010-08-26 19:47:12.000000000 -0400
31160 +++ linux-2.6.35.5/fs/fuse/dir.c        2010-09-17 20:12:09.000000000 -0400
31161 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31162         return link;
31163  }
31164  
31165 -static void free_link(char *link)
31166 +static void free_link(const char *link)
31167  {
31168         if (!IS_ERR(link))
31169                 free_page((unsigned long) link);
31170 diff -urNp linux-2.6.35.5/fs/fuse/fuse_i.h linux-2.6.35.5/fs/fuse/fuse_i.h
31171 --- linux-2.6.35.5/fs/fuse/fuse_i.h     2010-08-26 19:47:12.000000000 -0400
31172 +++ linux-2.6.35.5/fs/fuse/fuse_i.h     2010-09-17 20:12:09.000000000 -0400
31173 @@ -524,6 +524,16 @@ extern const struct file_operations fuse
31174  
31175  extern const struct dentry_operations fuse_dentry_operations;
31176  
31177 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31178 +                             unsigned long nr_segs, loff_t pos);
31179 +
31180 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31181 +                              unsigned long nr_segs, loff_t pos);
31182 +
31183 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31184 +
31185 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31186 +
31187  /**
31188   * Inode to nodeid comparison.
31189   */
31190 diff -urNp linux-2.6.35.5/fs/hfs/inode.c linux-2.6.35.5/fs/hfs/inode.c
31191 --- linux-2.6.35.5/fs/hfs/inode.c       2010-08-26 19:47:12.000000000 -0400
31192 +++ linux-2.6.35.5/fs/hfs/inode.c       2010-09-17 20:12:09.000000000 -0400
31193 @@ -423,7 +423,7 @@ int hfs_write_inode(struct inode *inode,
31194  
31195         if (S_ISDIR(main_inode->i_mode)) {
31196                 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31197 -                       /* panic? */;
31198 +                       {/* panic? */}
31199                 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31200                            sizeof(struct hfs_cat_dir));
31201                 if (rec.type != HFS_CDR_DIR ||
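Review bot: The `if (fd.entrylength < sizeof(struct hfs_cat_dir))` test still has an empty body after the change from `/* panic? */;` to `{/* panic? */}`, so a catalog entry shorter than the structure goes straight into the full-size hfs_bnode_read() below it. The entry length presumably comes from the on-disk catalog, which means a corrupted or untrusted image can reach this path. The branch should leave through the function's error path (not visible in this hunk) instead of falling through, with the comment replaced by the reason. The same empty check is kept in the second hunk of this file and in the four hunks of fs/hfsplus/inode.c.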
31202 @@ -444,7 +444,7 @@ int hfs_write_inode(struct inode *inode,
31203                                 sizeof(struct hfs_cat_file));
31204         } else {
31205                 if (fd.entrylength < sizeof(struct hfs_cat_file))
31206 -                       /* panic? */;
31207 +                       {/* panic? */}
31208                 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31209                            sizeof(struct hfs_cat_file));
31210                 if (rec.type != HFS_CDR_FIL ||
31211 diff -urNp linux-2.6.35.5/fs/hfsplus/inode.c linux-2.6.35.5/fs/hfsplus/inode.c
31212 --- linux-2.6.35.5/fs/hfsplus/inode.c   2010-08-26 19:47:12.000000000 -0400
31213 +++ linux-2.6.35.5/fs/hfsplus/inode.c   2010-09-17 20:12:09.000000000 -0400
31214 @@ -406,7 +406,7 @@ int hfsplus_cat_read_inode(struct inode 
31215                 struct hfsplus_cat_folder *folder = &entry.folder;
31216  
31217                 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31218 -                       /* panic? */;
31219 +                       {/* panic? */}
31220                 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31221                                         sizeof(struct hfsplus_cat_folder));
31222                 hfsplus_get_perms(inode, &folder->permissions, 1);
31223 @@ -423,7 +423,7 @@ int hfsplus_cat_read_inode(struct inode 
31224                 struct hfsplus_cat_file *file = &entry.file;
31225  
31226                 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31227 -                       /* panic? */;
31228 +                       {/* panic? */}
31229                 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31230                                         sizeof(struct hfsplus_cat_file));
31231  
31232 @@ -479,7 +479,7 @@ int hfsplus_cat_write_inode(struct inode
31233                 struct hfsplus_cat_folder *folder = &entry.folder;
31234  
31235                 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31236 -                       /* panic? */;
31237 +                       {/* panic? */}
31238                 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31239                                         sizeof(struct hfsplus_cat_folder));
31240                 /* simple node checks? */
31241 @@ -501,7 +501,7 @@ int hfsplus_cat_write_inode(struct inode
31242                 struct hfsplus_cat_file *file = &entry.file;
31243  
31244                 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31245 -                       /* panic? */;
31246 +                       {/* panic? */}
31247                 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31248                                         sizeof(struct hfsplus_cat_file));
31249                 hfsplus_inode_write_fork(inode, &file->data_fork);
31250 diff -urNp linux-2.6.35.5/fs/hugetlbfs/inode.c linux-2.6.35.5/fs/hugetlbfs/inode.c
31251 --- linux-2.6.35.5/fs/hugetlbfs/inode.c 2010-08-26 19:47:12.000000000 -0400
31252 +++ linux-2.6.35.5/fs/hugetlbfs/inode.c 2010-09-17 20:12:37.000000000 -0400
31253 @@ -908,7 +908,7 @@ static struct file_system_type hugetlbfs
31254         .kill_sb        = kill_litter_super,
31255  };
31256  
31257 -static struct vfsmount *hugetlbfs_vfsmount;
31258 +struct vfsmount *hugetlbfs_vfsmount;
31259  
31260  static int can_do_hugetlb_shm(void)
31261  {
31262 diff -urNp linux-2.6.35.5/fs/ioctl.c linux-2.6.35.5/fs/ioctl.c
31263 --- linux-2.6.35.5/fs/ioctl.c   2010-08-26 19:47:12.000000000 -0400
31264 +++ linux-2.6.35.5/fs/ioctl.c   2010-09-17 20:12:09.000000000 -0400
31265 @@ -97,7 +97,7 @@ int fiemap_fill_next_extent(struct fiema
31266                             u64 phys, u64 len, u32 flags)
31267  {
31268         struct fiemap_extent extent;
31269 -       struct fiemap_extent *dest = fieinfo->fi_extents_start;
31270 +       struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31271  
31272         /* only count the extents */
31273         if (fieinfo->fi_extents_max == 0) {
31274 @@ -207,7 +207,7 @@ static int ioctl_fiemap(struct file *fil
31275  
31276         fieinfo.fi_flags = fiemap.fm_flags;
31277         fieinfo.fi_extents_max = fiemap.fm_extent_count;
31278 -       fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31279 +       fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31280  
31281         if (fiemap.fm_extent_count != 0 &&
31282             !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31283 @@ -220,7 +220,7 @@ static int ioctl_fiemap(struct file *fil
31284         error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31285         fiemap.fm_flags = fieinfo.fi_flags;
31286         fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31287 -       if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31288 +       if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
31289                 error = -EFAULT;
31290  
31291         return error;
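Review bot: `(__force char __user *)arg` adds `__force`, which switches off the sparse address-space check that the other `__user` annotations in this file are there to enable. The previous hunk casts the same `arg` with a plain `(struct fiemap_extent __user *)`, so the two casts in ioctl_fiemap are inconsistent. Prefer `copy_to_user((char __user *)arg, &fiemap, sizeof(fiemap))`, assuming `arg` is the integer ioctl argument (its declaration is outside the hunk).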
31292 diff -urNp linux-2.6.35.5/fs/jffs2/debug.h linux-2.6.35.5/fs/jffs2/debug.h
31293 --- linux-2.6.35.5/fs/jffs2/debug.h     2010-08-26 19:47:12.000000000 -0400
31294 +++ linux-2.6.35.5/fs/jffs2/debug.h     2010-09-17 20:12:09.000000000 -0400
31295 @@ -52,13 +52,13 @@
31296  #if CONFIG_JFFS2_FS_DEBUG > 0
31297  #define D1(x) x
31298  #else
31299 -#define D1(x)
31300 +#define D1(x) do {} while (0);
31301  #endif
31302  
31303  #if CONFIG_JFFS2_FS_DEBUG > 1
31304  #define D2(x) x
31305  #else
31306 -#define D2(x)
31307 +#define D2(x) do {} while (0);
31308  #endif
31309  
31310  /* The prefixes of JFFS2 messages */
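Review bot: The new stubs `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` end in a semicolon, which defeats the do/while(0) idiom: `if (c) D1(...); else ...` expands to two statements and the `else` no longer attaches. Every other stub added to this file in the next hunk is written without the semicolon. Use `#define D1(x) do {} while (0)` and the same for D2, after checking that no call site relies on the macro supplying its own terminator (the callers are not in this section).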
31311 @@ -114,73 +114,73 @@
31312  #ifdef JFFS2_DBG_READINODE_MESSAGES
31313  #define dbg_readinode(fmt, ...)        JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31314  #else
31315 -#define dbg_readinode(fmt, ...)
31316 +#define dbg_readinode(fmt, ...)        do {} while (0)
31317  #endif
31318  #ifdef JFFS2_DBG_READINODE2_MESSAGES
31319  #define dbg_readinode2(fmt, ...)       JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31320  #else
31321 -#define dbg_readinode2(fmt, ...)
31322 +#define dbg_readinode2(fmt, ...)       do {} while (0)
31323  #endif
31324  
31325  /* Fragtree build debugging messages */
31326  #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31327  #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31328  #else
31329 -#define dbg_fragtree(fmt, ...)
31330 +#define dbg_fragtree(fmt, ...) do {} while (0)
31331  #endif
31332  #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31333  #define dbg_fragtree2(fmt, ...)        JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31334  #else
31335 -#define dbg_fragtree2(fmt, ...)
31336 +#define dbg_fragtree2(fmt, ...)        do {} while (0)
31337  #endif
31338  
31339  /* Directory entry list manilulation debugging messages */
31340  #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31341  #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31342  #else
31343 -#define dbg_dentlist(fmt, ...)
31344 +#define dbg_dentlist(fmt, ...) do {} while (0)
31345  #endif
31346  
31347  /* Print the messages about manipulating node_refs */
31348  #ifdef JFFS2_DBG_NODEREF_MESSAGES
31349  #define dbg_noderef(fmt, ...)  JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31350  #else
31351 -#define dbg_noderef(fmt, ...)
31352 +#define dbg_noderef(fmt, ...)  do {} while (0)
31353  #endif
31354  
31355  /* Manipulations with the list of inodes (JFFS2 inocache) */
31356  #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31357  #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31358  #else
31359 -#define dbg_inocache(fmt, ...)
31360 +#define dbg_inocache(fmt, ...) do {} while (0)
31361  #endif
31362  
31363  /* Summary debugging messages */
31364  #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31365  #define dbg_summary(fmt, ...)  JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31366  #else
31367 -#define dbg_summary(fmt, ...)
31368 +#define dbg_summary(fmt, ...)  do {} while (0)
31369  #endif
31370  
31371  /* File system build messages */
31372  #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31373  #define dbg_fsbuild(fmt, ...)  JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31374  #else
31375 -#define dbg_fsbuild(fmt, ...)
31376 +#define dbg_fsbuild(fmt, ...)  do {} while (0)
31377  #endif
31378  
31379  /* Watch the object allocations */
31380  #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31381  #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31382  #else
31383 -#define dbg_memalloc(fmt, ...)
31384 +#define dbg_memalloc(fmt, ...) do {} while (0)
31385  #endif
31386  
31387  /* Watch the XATTR subsystem */
31388  #ifdef JFFS2_DBG_XATTR_MESSAGES
31389  #define dbg_xattr(fmt, ...)  JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31390  #else
31391 -#define dbg_xattr(fmt, ...)
31392 +#define dbg_xattr(fmt, ...)    do {} while (0)
31393  #endif 
31394  
31395  /* "Sanity" checks */
31396 diff -urNp linux-2.6.35.5/fs/jffs2/erase.c linux-2.6.35.5/fs/jffs2/erase.c
31397 --- linux-2.6.35.5/fs/jffs2/erase.c     2010-08-26 19:47:12.000000000 -0400
31398 +++ linux-2.6.35.5/fs/jffs2/erase.c     2010-09-17 20:12:09.000000000 -0400
31399 @@ -438,7 +438,8 @@ static void jffs2_mark_erased_block(stru
31400                 struct jffs2_unknown_node marker = {
31401                         .magic =        cpu_to_je16(JFFS2_MAGIC_BITMASK),
31402                         .nodetype =     cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31403 -                       .totlen =       cpu_to_je32(c->cleanmarker_size)
31404 +                       .totlen =       cpu_to_je32(c->cleanmarker_size),
31405 +                       .hdr_crc =      cpu_to_je32(0)
31406                 };
31407  
31408                 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31409 diff -urNp linux-2.6.35.5/fs/jffs2/summary.h linux-2.6.35.5/fs/jffs2/summary.h
31410 --- linux-2.6.35.5/fs/jffs2/summary.h   2010-08-26 19:47:12.000000000 -0400
31411 +++ linux-2.6.35.5/fs/jffs2/summary.h   2010-09-17 20:12:09.000000000 -0400
31412 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31413  
31414  #define jffs2_sum_active() (0)
31415  #define jffs2_sum_init(a) (0)
31416 -#define jffs2_sum_exit(a)
31417 -#define jffs2_sum_disable_collecting(a)
31418 +#define jffs2_sum_exit(a) do {} while (0)
31419 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31420  #define jffs2_sum_is_disabled(a) (0)
31421 -#define jffs2_sum_reset_collected(a)
31422 +#define jffs2_sum_reset_collected(a) do {} while (0)
31423  #define jffs2_sum_add_kvec(a,b,c,d) (0)
31424 -#define jffs2_sum_move_collected(a,b)
31425 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31426  #define jffs2_sum_write_sumnode(a) (0)
31427 -#define jffs2_sum_add_padding_mem(a,b)
31428 -#define jffs2_sum_add_inode_mem(a,b,c)
31429 -#define jffs2_sum_add_dirent_mem(a,b,c)
31430 -#define jffs2_sum_add_xattr_mem(a,b,c)
31431 -#define jffs2_sum_add_xref_mem(a,b,c)
31432 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31433 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31434 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31435 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31436 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31437  #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31438  
31439  #endif /* CONFIG_JFFS2_SUMMARY */
31440 diff -urNp linux-2.6.35.5/fs/jffs2/wbuf.c linux-2.6.35.5/fs/jffs2/wbuf.c
31441 --- linux-2.6.35.5/fs/jffs2/wbuf.c      2010-08-26 19:47:12.000000000 -0400
31442 +++ linux-2.6.35.5/fs/jffs2/wbuf.c      2010-09-17 20:12:09.000000000 -0400
31443 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31444  {
31445         .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31446         .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31447 -       .totlen = constant_cpu_to_je32(8)
31448 +       .totlen = constant_cpu_to_je32(8),
31449 +       .hdr_crc = constant_cpu_to_je32(0)
31450  };
31451  
31452  /*
31453 diff -urNp linux-2.6.35.5/fs/Kconfig.binfmt linux-2.6.35.5/fs/Kconfig.binfmt
31454 --- linux-2.6.35.5/fs/Kconfig.binfmt    2010-08-26 19:47:12.000000000 -0400
31455 +++ linux-2.6.35.5/fs/Kconfig.binfmt    2010-09-23 20:17:27.000000000 -0400
31456 @@ -86,7 +86,7 @@ config HAVE_AOUT
31457  
31458  config BINFMT_AOUT
31459         tristate "Kernel support for a.out and ECOFF binaries"
31460 -       depends on HAVE_AOUT
31461 +       depends on HAVE_AOUT && BROKEN
31462         ---help---
31463           A.out (Assembler.OUTput) is a set of formats for libraries and
31464           executables used in the earliest versions of UNIX.  Linux used
31465 diff -urNp linux-2.6.35.5/fs/lockd/svc.c linux-2.6.35.5/fs/lockd/svc.c
31466 --- linux-2.6.35.5/fs/lockd/svc.c       2010-08-26 19:47:12.000000000 -0400
31467 +++ linux-2.6.35.5/fs/lockd/svc.c       2010-09-17 20:12:09.000000000 -0400
31468 @@ -42,7 +42,7 @@
31469  
31470  static struct svc_program      nlmsvc_program;
31471  
31472 -struct nlmsvc_binding *                nlmsvc_ops;
31473 +const struct nlmsvc_binding *  nlmsvc_ops;
31474  EXPORT_SYMBOL_GPL(nlmsvc_ops);
31475  
31476  static DEFINE_MUTEX(nlmsvc_mutex);
31477 diff -urNp linux-2.6.35.5/fs/locks.c linux-2.6.35.5/fs/locks.c
31478 --- linux-2.6.35.5/fs/locks.c   2010-08-26 19:47:12.000000000 -0400
31479 +++ linux-2.6.35.5/fs/locks.c   2010-09-17 20:12:09.000000000 -0400
31480 @@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
31481                 return;
31482  
31483         if (filp->f_op && filp->f_op->flock) {
31484 -               struct file_lock fl = {
31485 +               struct file_lock flock = {
31486                         .fl_pid = current->tgid,
31487                         .fl_file = filp,
31488                         .fl_flags = FL_FLOCK,
31489                         .fl_type = F_UNLCK,
31490                         .fl_end = OFFSET_MAX,
31491                 };
31492 -               filp->f_op->flock(filp, F_SETLKW, &fl);
31493 -               if (fl.fl_ops && fl.fl_ops->fl_release_private)
31494 -                       fl.fl_ops->fl_release_private(&fl);
31495 +               filp->f_op->flock(filp, F_SETLKW, &flock);
31496 +               if (flock.fl_ops && flock.fl_ops->fl_release_private)
31497 +                       flock.fl_ops->fl_release_private(&flock);
31498         }
31499  
31500         lock_kernel();
31501 diff -urNp linux-2.6.35.5/fs/namei.c linux-2.6.35.5/fs/namei.c
31502 --- linux-2.6.35.5/fs/namei.c   2010-08-26 19:47:12.000000000 -0400
31503 +++ linux-2.6.35.5/fs/namei.c   2010-09-17 20:12:37.000000000 -0400
31504 @@ -548,7 +548,7 @@ __do_follow_link(struct path *path, stru
31505         *p = dentry->d_inode->i_op->follow_link(dentry, nd);
31506         error = PTR_ERR(*p);
31507         if (!IS_ERR(*p)) {
31508 -               char *s = nd_get_link(nd);
31509 +               const char *s = nd_get_link(nd);
31510                 error = 0;
31511                 if (s)
31512                         error = __vfs_follow_link(nd, s);
31513 @@ -581,6 +581,13 @@ static inline int do_follow_link(struct 
31514         err = security_inode_follow_link(path->dentry, nd);
31515         if (err)
31516                 goto loop;
31517 +
31518 +       if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
31519 +                                 path->dentry->d_inode, path->dentry, nd->path.mnt)) {
31520 +               err = -EACCES;
31521 +               goto loop;
31522 +       }
31523 +
31524         current->link_count++;
31525         current->total_link_count++;
31526         nd->depth++;
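Review bot: The added call dereferences `path->dentry->d_parent->d_inode` with no visible lock or reference on the parent, so a concurrent rename could change d_parent between the load and its use inside gr_handle_follow_link(). do_follow_link is only partly in the hunk, so the caller may already hold something that pins it; if not, take the parent with dget_parent() and dput() it after the check. A comment above the call stating which policy is enforced and why -EACCES is returned would also help the next reader.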
31527 @@ -965,11 +972,18 @@ return_reval:
31528                                 break;
31529                 }
31530  return_base:
31531 +               if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
31532 +                       path_put(&nd->path);
31533 +                       return -ENOENT;
31534 +               }
31535                 return 0;
31536  out_dput:
31537                 path_put_conditional(&next, nd);
31538                 break;
31539         }
31540 +       if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
31541 +               err = -ENOENT;
31542 +
31543         path_put(&nd->path);
31544  return_err:
31545         return err;
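Review bot: The check added after the loop runs on the failure path and overwrites `err` with -ENOENT, so whatever error ended the walk is replaced whenever gr_acl_handle_hidden_file() returns 0. That may be intended so that a hidden object is indistinguishable from a missing one, but it is undocumented, and the same condition is written out twice (at return_base and here). Add a comment such as `/* hidden objects always report ENOENT, even over an earlier lookup error */` and consider evaluating the condition once into a local. The enclosing function starts and ends outside the hunk.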
31546 @@ -1506,12 +1520,19 @@ static int __open_namei_create(struct na
31547         int error;
31548         struct dentry *dir = nd->path.dentry;
31549  
31550 +       if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, open_flag, mode)) {
31551 +               error = -EACCES;
31552 +               goto out_unlock;
31553 +       }
31554 +
31555         if (!IS_POSIXACL(dir->d_inode))
31556                 mode &= ~current_umask();
31557         error = security_path_mknod(&nd->path, path->dentry, mode, 0);
31558         if (error)
31559                 goto out_unlock;
31560         error = vfs_create(dir->d_inode, path->dentry, mode, nd);
31561 +       if (!error)
31562 +               gr_handle_create(path->dentry, nd->path.mnt);
31563  out_unlock:
31564         mutex_unlock(&dir->d_inode->i_mutex);
31565         dput(nd->path.dentry);
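Review bot: `gr_acl_handle_creat()` is passed `mode` before the `mode &= ~current_umask()` line just below it, so the policy check sees the requested mode rather than the one handed to `vfs_create()`. Checking the broader mode is the conservative direction, but if the hook matches or logs mode bits, they can differ from what is actually created. Either move the check below the umask masking or record the intent with a comment, e.g. `/* checked against the requested mode, before umask */`. The body of __open_namei_create starts and ends outside the hunk.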
31566 @@ -1614,6 +1635,7 @@ static struct file *do_last(struct namei
31567                             int mode, const char *pathname)
31568  {
31569         struct dentry *dir = nd->path.dentry;
31570 +       int flag = open_to_namei_flags(open_flag);
31571         struct file *filp;
31572         int error = -EISDIR;
31573  
31574 @@ -1662,6 +1684,22 @@ static struct file *do_last(struct namei
31575                 }
31576                 path_to_nameidata(path, nd);
31577                 audit_inode(pathname, nd->path.dentry);
31578 +
31579 +               if (gr_handle_rofs_blockwrite(nd->path.dentry, nd->path.mnt, acc_mode)) {
31580 +                       error = -EPERM;
31581 +                       goto exit;
31582 +               }
31583 +
31584 +               if (gr_handle_rawio(nd->path.dentry->d_inode)) {
31585 +                       error = -EPERM;
31586 +                       goto exit;
31587 +               }
31588 +
31589 +               if (!gr_acl_handle_open(nd->path.dentry, nd->path.mnt, flag)) {
31590 +                       error = -EACCES;
31591 +                       goto exit;
31592 +               }
31593 +
31594                 goto ok;
31595         }
31596  
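Review bot: The sequence `gr_handle_rofs_blockwrite()` / `gr_handle_rawio()` / `gr_acl_handle_open()` added here is repeated in the next do_last hunk (the "It already exists" path), differing only in the dentry and the exit label. Two hand-maintained copies of an access-control sequence tend to drift, and a check added to one path but not the other leaves one open path unchecked. Folding the three calls into one helper that returns 0 or an errno keeps both paths identical; the fifo check, which only the second path has, can stay at its call site. The helper name and the `int` type of `acc_mode` below are assumptions to confirm against the full function, which starts and ends outside the hunk.

```c
/* proposed helper; the name is a placeholder */
static int gr_check_open(struct dentry *dentry, struct vfsmount *mnt,
			 int acc_mode, int flag)
{
	if (gr_handle_rofs_blockwrite(dentry, mnt, acc_mode))
		return -EPERM;
	if (gr_handle_rawio(dentry->d_inode))
		return -EPERM;
	if (!gr_acl_handle_open(dentry, mnt, flag))
		return -EACCES;
	return 0;
}

/* ... unchanged: path_to_nameidata(), audit_inode() ... */
		error = gr_check_open(nd->path.dentry, nd->path.mnt, acc_mode, flag);
		if (error)
			goto exit;
/* ... unchanged: goto ok ... */
```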
31597 @@ -1714,6 +1752,24 @@ static struct file *do_last(struct namei
31598         /*
31599          * It already exists.
31600          */
31601 +
31602 +       if (gr_handle_rofs_blockwrite(path->dentry, nd->path.mnt, acc_mode)) {
31603 +               error = -EPERM;
31604 +               goto exit_mutex_unlock;
31605 +       }
31606 +       if (gr_handle_rawio(path->dentry->d_inode)) {
31607 +               error = -EPERM;
31608 +               goto exit_mutex_unlock;
31609 +       }
31610 +       if (!gr_acl_handle_open(path->dentry, nd->path.mnt, flag)) {
31611 +               error = -EACCES;
31612 +               goto exit_mutex_unlock;
31613 +       }
31614 +       if (gr_handle_fifo(path->dentry, nd->path.mnt, dir, flag, acc_mode)) {
31615 +               error = -EACCES;
31616 +               goto exit_mutex_unlock;
31617 +       }
31618 +
31619         mutex_unlock(&dir->d_inode->i_mutex);
31620         audit_inode(pathname, path->dentry);
31621  
31622 @@ -2034,6 +2090,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31623         error = may_mknod(mode);
31624         if (error)
31625                 goto out_dput;
31626 +
31627 +       if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
31628 +               error = -EPERM;
31629 +               goto out_dput;
31630 +       }
31631 +
31632 +       if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
31633 +               error = -EACCES;
31634 +               goto out_dput;
31635 +       }
31636 +
31637         error = mnt_want_write(nd.path.mnt);
31638         if (error)
31639                 goto out_dput;
31640 @@ -2054,6 +2121,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
31641         }
31642  out_drop_write:
31643         mnt_drop_write(nd.path.mnt);
31644 +
31645 +       if (!error)
31646 +               gr_handle_create(dentry, nd.path.mnt);
31647  out_dput:
31648         dput(dentry);
31649  out_unlock:
31650 @@ -2106,6 +2176,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31651         if (IS_ERR(dentry))
31652                 goto out_unlock;
31653  
31654 +       if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
31655 +               error = -EACCES;
31656 +               goto out_dput;
31657 +       }
31658 +
31659         if (!IS_POSIXACL(nd.path.dentry->d_inode))
31660                 mode &= ~current_umask();
31661         error = mnt_want_write(nd.path.mnt);
31662 @@ -2117,6 +2192,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
31663         error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
31664  out_drop_write:
31665         mnt_drop_write(nd.path.mnt);
31666 +
31667 +       if (!error)
31668 +               gr_handle_create(dentry, nd.path.mnt);
31669 +
31670  out_dput:
31671         dput(dentry);
31672  out_unlock:
31673 @@ -2198,6 +2277,8 @@ static long do_rmdir(int dfd, const char
31674         char * name;
31675         struct dentry *dentry;
31676         struct nameidata nd;
31677 +       ino_t saved_ino = 0;
31678 +       dev_t saved_dev = 0;
31679  
31680         error = user_path_parent(dfd, pathname, &nd, &name);
31681         if (error)
31682 @@ -2222,6 +2303,19 @@ static long do_rmdir(int dfd, const char
31683         error = PTR_ERR(dentry);
31684         if (IS_ERR(dentry))
31685                 goto exit2;
31686 +
31687 +       if (dentry->d_inode != NULL) {
31688 +               if (dentry->d_inode->i_nlink <= 1) {
31689 +                       saved_ino = dentry->d_inode->i_ino;
31690 +                       saved_dev = dentry->d_inode->i_sb->s_dev;
31691 +               }
31692 +
31693 +               if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
31694 +                       error = -EACCES;
31695 +                       goto exit3;
31696 +               }
31697 +       }
31698 +
31699         error = mnt_want_write(nd.path.mnt);
31700         if (error)
31701                 goto exit3;
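Review bot: The `i_nlink <= 1` test that guards saving `saved_ino` and `saved_dev` mirrors the one in do_unlinkat and may never be true for a directory. On filesystems that count the `.` entry an empty directory has a link count of 2, so the `gr_handle_delete()` call in the following do_rmdir hunk would be skipped after a successful rmdir. If every removed directory should be reported, save the identifiers unconditionally: `saved_ino = dentry->d_inode->i_ino; saved_dev = dentry->d_inode->i_sb->s_dev;`. Link counting is per-filesystem, so confirm against the filesystems this is expected to run on. The body of do_rmdir starts and ends outside the hunk.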
31702 @@ -2229,6 +2323,8 @@ static long do_rmdir(int dfd, const char
31703         if (error)
31704                 goto exit4;
31705         error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
31706 +       if (!error && (saved_dev || saved_ino))
31707 +               gr_handle_delete(saved_ino, saved_dev);
31708  exit4:
31709         mnt_drop_write(nd.path.mnt);
31710  exit3:
31711 @@ -2291,6 +2387,8 @@ static long do_unlinkat(int dfd, const c
31712         struct dentry *dentry;
31713         struct nameidata nd;
31714         struct inode *inode = NULL;
31715 +       ino_t saved_ino = 0;
31716 +       dev_t saved_dev = 0;
31717  
31718         error = user_path_parent(dfd, pathname, &nd, &name);
31719         if (error)
31720 @@ -2310,8 +2408,19 @@ static long do_unlinkat(int dfd, const c
31721                 if (nd.last.name[nd.last.len])
31722                         goto slashes;
31723                 inode = dentry->d_inode;
31724 -               if (inode)
31725 +               if (inode) {
31726 +                       if (inode->i_nlink <= 1) {
31727 +                               saved_ino = inode->i_ino;
31728 +                               saved_dev = inode->i_sb->s_dev;
31729 +                       }
31730 +
31731                         atomic_inc(&inode->i_count);
31732 +
31733 +                       if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
31734 +                               error = -EACCES;
31735 +                               goto exit2;
31736 +                       }
31737 +               }
31738                 error = mnt_want_write(nd.path.mnt);
31739                 if (error)
31740                         goto exit2;
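Review bot: `inode->i_nlink` is sampled here, before `vfs_unlink()` runs in the next hunk, and the later `gr_handle_delete()` call is decided from that earlier sample. If another link to the same inode can be created in between, the delete would be reported for an inode that still exists; whether the locks held at this point exclude that cannot be seen from the hunk. Since the code already holds a reference through `atomic_inc(&inode->i_count)`, the count could be tested after the unlink instead, e.g. `if (!error && inode && inode->i_nlink == 0) gr_handle_delete(inode->i_ino, inode->i_sb->s_dev);`. The body of do_unlinkat starts and ends outside the hunk.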
31741 @@ -2319,6 +2428,8 @@ static long do_unlinkat(int dfd, const c
31742                 if (error)
31743                         goto exit3;
31744                 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
31745 +               if (!error && (saved_ino || saved_dev))
31746 +                       gr_handle_delete(saved_ino, saved_dev);
31747  exit3:
31748                 mnt_drop_write(nd.path.mnt);
31749         exit2:
31750 @@ -2396,6 +2507,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
31751         if (IS_ERR(dentry))
31752                 goto out_unlock;
31753  
31754 +       if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
31755 +               error = -EACCES;
31756 +               goto out_dput;
31757 +       }
31758 +
31759         error = mnt_want_write(nd.path.mnt);
31760         if (error)
31761                 goto out_dput;
31762 @@ -2403,6 +2519,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
31763         if (error)
31764                 goto out_drop_write;
31765         error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
31766 +       if (!error)
31767 +               gr_handle_create(dentry, nd.path.mnt);
31768  out_drop_write:
31769         mnt_drop_write(nd.path.mnt);
31770  out_dput:
31771 @@ -2495,6 +2613,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31772         error = PTR_ERR(new_dentry);
31773         if (IS_ERR(new_dentry))
31774                 goto out_unlock;
31775 +
31776 +       if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
31777 +                              old_path.dentry->d_inode,
31778 +                              old_path.dentry->d_inode->i_mode, to)) {
31779 +               error = -EACCES;
31780 +               goto out_dput;
31781 +       }
31782 +
31783 +       if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
31784 +                               old_path.dentry, old_path.mnt, to)) {
31785 +               error = -EACCES;
31786 +               goto out_dput;
31787 +       }
31788 +
31789         error = mnt_want_write(nd.path.mnt);
31790         if (error)
31791                 goto out_dput;
31792 @@ -2502,6 +2634,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
31793         if (error)
31794                 goto out_drop_write;
31795         error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
31796 +       if (!error)
31797 +               gr_handle_create(new_dentry, nd.path.mnt);
31798  out_drop_write:
31799         mnt_drop_write(nd.path.mnt);
31800  out_dput:
31801 @@ -2735,6 +2869,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31802         if (new_dentry == trap)
31803                 goto exit5;
31804  
31805 +       error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
31806 +                                    old_dentry, old_dir->d_inode, oldnd.path.mnt,
31807 +                                    to);
31808 +       if (error)
31809 +               goto exit5;
31810 +
31811         error = mnt_want_write(oldnd.path.mnt);
31812         if (error)
31813                 goto exit5;
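Review bot: `gr_acl_handle_rename()` is used as an errno source (`error = ...; if (error) goto exit5;`), while the other `gr_acl_handle_*` hooks added to this file are tested as booleans where zero means denied, e.g. `if (!gr_acl_handle_link(...))`. Opposite return senses under one naming prefix are easy to get wrong when a call site is copied, and an inverted test on an access-control hook fails open. A comment at this call, such as `/* returns 0 or -errno, unlike the boolean gr_acl_handle_* hooks */`, would make the convention explicit. The syscall body starts and ends outside the hunk.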
31814 @@ -2744,6 +2884,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
31815                 goto exit6;
31816         error = vfs_rename(old_dir->d_inode, old_dentry,
31817                                    new_dir->d_inode, new_dentry);
31818 +       if (!error)
31819 +               gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
31820 +                                new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
31821  exit6:
31822         mnt_drop_write(oldnd.path.mnt);
31823  exit5:
31824 diff -urNp linux-2.6.35.5/fs/namespace.c linux-2.6.35.5/fs/namespace.c
31825 --- linux-2.6.35.5/fs/namespace.c       2010-08-26 19:47:12.000000000 -0400
31826 +++ linux-2.6.35.5/fs/namespace.c       2010-09-17 20:21:58.000000000 -0400
31827 @@ -1099,6 +1099,9 @@ static int do_umount(struct vfsmount *mn
31828                 if (!(sb->s_flags & MS_RDONLY))
31829                         retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
31830                 up_write(&sb->s_umount);
31831 +
31832 +               gr_log_remount(mnt->mnt_devname, retval);
31833 +
31834                 return retval;
31835         }
31836  
31837 @@ -1118,6 +1121,9 @@ static int do_umount(struct vfsmount *mn
31838         spin_unlock(&vfsmount_lock);
31839         up_write(&namespace_sem);
31840         release_mounts(&umount_list);
31841 +
31842 +       gr_log_unmount(mnt->mnt_devname, retval);
31843 +
31844         return retval;
31845  }
31846  
31847 @@ -1988,6 +1994,16 @@ long do_mount(char *dev_name, char *dir_
31848                    MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
31849                    MS_STRICTATIME);
31850  
31851 +       if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
31852 +               retval = -EPERM;
31853 +               goto dput_out;
31854 +       }
31855 +
31856 +       if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
31857 +               retval = -EPERM;
31858 +               goto dput_out;
31859 +       }
31860 +
31861         if (flags & MS_REMOUNT)
31862                 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
31863                                     data_page);
31864 @@ -2002,6 +2018,9 @@ long do_mount(char *dev_name, char *dir_
31865                                       dev_name, data_page);
31866  dput_out:
31867         path_put(&path);
31868 +
31869 +       gr_log_mount(dev_name, dir_name, retval);
31870 +
31871         return retval;
31872  }
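Review bot: `gr_log_mount(dev_name, dir_name, retval)` sits after `dput_out`, so it runs on every exit through that label with whatever `dev_name` the caller supplied. If do_mount can be entered with a NULL `dev_name` (not visible in this hunk), this hook and `gr_handle_chroot_mount()` in the previous hunk must both tolerate it. Confirm that in the hook implementations, or make the contract visible at the call site with a comment such as `/* dev_name may be NULL; the gr_* hooks must handle that */`.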
31873  
31874 @@ -2208,6 +2227,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
31875                 goto out1;
31876         }
31877  
31878 +       if (gr_handle_chroot_pivot()) {
31879 +               error = -EPERM;
31880 +               path_put(&old);
31881 +               goto out1;
31882 +       }
31883 +
31884         read_lock(&current->fs->lock);
31885         root = current->fs->root;
31886         path_get(&current->fs->root);
31887 diff -urNp linux-2.6.35.5/fs/nfs/inode.c linux-2.6.35.5/fs/nfs/inode.c
31888 --- linux-2.6.35.5/fs/nfs/inode.c       2010-08-26 19:47:12.000000000 -0400
31889 +++ linux-2.6.35.5/fs/nfs/inode.c       2010-09-17 20:12:09.000000000 -0400
31890 @@ -915,16 +915,16 @@ static int nfs_size_need_update(const st
31891         return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
31892  }
31893  
31894 -static atomic_long_t nfs_attr_generation_counter;
31895 +static atomic_long_unchecked_t nfs_attr_generation_counter;
31896  
31897  static unsigned long nfs_read_attr_generation_counter(void)
31898  {
31899 -       return atomic_long_read(&nfs_attr_generation_counter);
31900 +       return atomic_long_read_unchecked(&nfs_attr_generation_counter);
31901  }
31902  
31903  unsigned long nfs_inc_attr_generation_counter(void)
31904  {
31905 -       return atomic_long_inc_return(&nfs_attr_generation_counter);
31906 +       return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
31907  }
31908  
31909  void nfs_fattr_init(struct nfs_fattr *fattr)
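Review bot: Nothing at the declaration of `nfs_attr_generation_counter` says why the switch to `atomic_long_unchecked_t` is safe, although the type presumably opts the counter out of the overflow checking applied to the ordinary atomic types elsewhere in this patch. A one-line comment such as `/* generation counter, not a reference count: wrap-around is harmless */` would record that reasoning and help a later reader tell deliberate opt-outs from accidental ones. The ocfs2 `alloc_stats` counters converted to `atomic_unchecked_t` further down need the same note.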
31910 diff -urNp linux-2.6.35.5/fs/nfs/nfs4proc.c linux-2.6.35.5/fs/nfs/nfs4proc.c
31911 --- linux-2.6.35.5/fs/nfs/nfs4proc.c    2010-08-26 19:47:12.000000000 -0400
31912 +++ linux-2.6.35.5/fs/nfs/nfs4proc.c    2010-09-17 20:12:09.000000000 -0400
31913 @@ -1166,7 +1166,7 @@ static int _nfs4_do_open_reclaim(struct 
31914  static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
31915  {
31916         struct nfs_server *server = NFS_SERVER(state->inode);
31917 -       struct nfs4_exception exception = { };
31918 +       struct nfs4_exception exception = {0, 0};
31919         int err;
31920         do {
31921                 err = _nfs4_do_open_reclaim(ctx, state);
31922 @@ -1208,7 +1208,7 @@ static int _nfs4_open_delegation_recall(
31923  
31924  int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
31925  {
31926 -       struct nfs4_exception exception = { };
31927 +       struct nfs4_exception exception = {0, 0};
31928         struct nfs_server *server = NFS_SERVER(state->inode);
31929         int err;
31930         do {
31931 @@ -1581,7 +1581,7 @@ static int _nfs4_open_expired(struct nfs
31932  static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
31933  {
31934         struct nfs_server *server = NFS_SERVER(state->inode);
31935 -       struct nfs4_exception exception = { };
31936 +       struct nfs4_exception exception = {0, 0};
31937         int err;
31938  
31939         do {
31940 @@ -1697,7 +1697,7 @@ out_err:
31941  
31942  static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
31943  {
31944 -       struct nfs4_exception exception = { };
31945 +       struct nfs4_exception exception = {0, 0};
31946         struct nfs4_state *res;
31947         int status;
31948  
31949 @@ -1788,7 +1788,7 @@ static int nfs4_do_setattr(struct inode 
31950                            struct nfs4_state *state)
31951  {
31952         struct nfs_server *server = NFS_SERVER(inode);
31953 -       struct nfs4_exception exception = { };
31954 +       struct nfs4_exception exception = {0, 0};
31955         int err;
31956         do {
31957                 err = nfs4_handle_exception(server,
31958 @@ -2166,7 +2166,7 @@ static int _nfs4_server_capabilities(str
31959  
31960  int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
31961  {
31962 -       struct nfs4_exception exception = { };
31963 +       struct nfs4_exception exception = {0, 0};
31964         int err;
31965         do {
31966                 err = nfs4_handle_exception(server,
31967 @@ -2200,7 +2200,7 @@ static int _nfs4_lookup_root(struct nfs_
31968  static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
31969                 struct nfs_fsinfo *info)
31970  {
31971 -       struct nfs4_exception exception = { };
31972 +       struct nfs4_exception exception = {0, 0};
31973         int err;
31974         do {
31975                 err = nfs4_handle_exception(server,
31976 @@ -2289,7 +2289,7 @@ static int _nfs4_proc_getattr(struct nfs
31977  
31978  static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
31979  {
31980 -       struct nfs4_exception exception = { };
31981 +       struct nfs4_exception exception = {0, 0};
31982         int err;
31983         do {
31984                 err = nfs4_handle_exception(server,
31985 @@ -2377,7 +2377,7 @@ static int nfs4_proc_lookupfh(struct nfs
31986                               struct qstr *name, struct nfs_fh *fhandle,
31987                               struct nfs_fattr *fattr)
31988  {
31989 -       struct nfs4_exception exception = { };
31990 +       struct nfs4_exception exception = {0, 0};
31991         int err;
31992         do {
31993                 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
31994 @@ -2406,7 +2406,7 @@ static int _nfs4_proc_lookup(struct inod
31995  
31996  static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
31997  {
31998 -       struct nfs4_exception exception = { };
31999 +       struct nfs4_exception exception = {0, 0};
32000         int err;
32001         do {
32002                 err = nfs4_handle_exception(NFS_SERVER(dir),
32003 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_access(struct inod
32004  
32005  static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32006  {
32007 -       struct nfs4_exception exception = { };
32008 +       struct nfs4_exception exception = {0, 0};
32009         int err;
32010         do {
32011                 err = nfs4_handle_exception(NFS_SERVER(inode),
32012 @@ -2529,7 +2529,7 @@ static int _nfs4_proc_readlink(struct in
32013  static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32014                 unsigned int pgbase, unsigned int pglen)
32015  {
32016 -       struct nfs4_exception exception = { };
32017 +       struct nfs4_exception exception = {0, 0};
32018         int err;
32019         do {
32020                 err = nfs4_handle_exception(NFS_SERVER(inode),
32021 @@ -2625,7 +2625,7 @@ out:
32022  
32023  static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32024  {
32025 -       struct nfs4_exception exception = { };
32026 +       struct nfs4_exception exception = {0, 0};
32027         int err;
32028         do {
32029                 err = nfs4_handle_exception(NFS_SERVER(dir),
32030 @@ -2700,7 +2700,7 @@ out:
32031  static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32032                 struct inode *new_dir, struct qstr *new_name)
32033  {
32034 -       struct nfs4_exception exception = { };
32035 +       struct nfs4_exception exception = {0, 0};
32036         int err;
32037         do {
32038                 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32039 @@ -2749,7 +2749,7 @@ out:
32040  
32041  static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32042  {
32043 -       struct nfs4_exception exception = { };
32044 +       struct nfs4_exception exception = {0, 0};
32045         int err;
32046         do {
32047                 err = nfs4_handle_exception(NFS_SERVER(inode),
32048 @@ -2841,7 +2841,7 @@ out:
32049  static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32050                 struct page *page, unsigned int len, struct iattr *sattr)
32051  {
32052 -       struct nfs4_exception exception = { };
32053 +       struct nfs4_exception exception = {0, 0};
32054         int err;
32055         do {
32056                 err = nfs4_handle_exception(NFS_SERVER(dir),
32057 @@ -2872,7 +2872,7 @@ out:
32058  static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32059                 struct iattr *sattr)
32060  {
32061 -       struct nfs4_exception exception = { };
32062 +       struct nfs4_exception exception = {0, 0};
32063         int err;
32064         do {
32065                 err = nfs4_handle_exception(NFS_SERVER(dir),
32066 @@ -2921,7 +2921,7 @@ static int _nfs4_proc_readdir(struct den
32067  static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32068                    u64 cookie, struct page *page, unsigned int count, int plus)
32069  {
32070 -       struct nfs4_exception exception = { };
32071 +       struct nfs4_exception exception = {0, 0};
32072         int err;
32073         do {
32074                 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32075 @@ -2969,7 +2969,7 @@ out:
32076  static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32077                 struct iattr *sattr, dev_t rdev)
32078  {
32079 -       struct nfs4_exception exception = { };
32080 +       struct nfs4_exception exception = {0, 0};
32081         int err;
32082         do {
32083                 err = nfs4_handle_exception(NFS_SERVER(dir),
32084 @@ -3001,7 +3001,7 @@ static int _nfs4_proc_statfs(struct nfs_
32085  
32086  static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32087  {
32088 -       struct nfs4_exception exception = { };
32089 +       struct nfs4_exception exception = {0, 0};
32090         int err;
32091         do {
32092                 err = nfs4_handle_exception(server,
32093 @@ -3032,7 +3032,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32094  
32095  static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32096  {
32097 -       struct nfs4_exception exception = { };
32098 +       struct nfs4_exception exception = {0, 0};
32099         int err;
32100  
32101         do {
32102 @@ -3078,7 +3078,7 @@ static int _nfs4_proc_pathconf(struct nf
32103  static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32104                 struct nfs_pathconf *pathconf)
32105  {
32106 -       struct nfs4_exception exception = { };
32107 +       struct nfs4_exception exception = {0, 0};
32108         int err;
32109  
32110         do {
32111 @@ -3399,7 +3399,7 @@ out_free:
32112  
32113  static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32114  {
32115 -       struct nfs4_exception exception = { };
32116 +       struct nfs4_exception exception = {0, 0};
32117         ssize_t ret;
32118         do {
32119                 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32120 @@ -3455,7 +3455,7 @@ static int __nfs4_proc_set_acl(struct in
32121  
32122  static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32123  {
32124 -       struct nfs4_exception exception = { };
32125 +       struct nfs4_exception exception = {0, 0};
32126         int err;
32127         do {
32128                 err = nfs4_handle_exception(NFS_SERVER(inode),
32129 @@ -3745,7 +3745,7 @@ out:
32130  int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32131  {
32132         struct nfs_server *server = NFS_SERVER(inode);
32133 -       struct nfs4_exception exception = { };
32134 +       struct nfs4_exception exception = {0, 0};
32135         int err;
32136         do {
32137                 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32138 @@ -3818,7 +3818,7 @@ out:
32139  
32140  static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32141  {
32142 -       struct nfs4_exception exception = { };
32143 +       struct nfs4_exception exception = {0, 0};
32144         int err;
32145  
32146         do {
32147 @@ -4232,7 +4232,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32148  static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32149  {
32150         struct nfs_server *server = NFS_SERVER(state->inode);
32151 -       struct nfs4_exception exception = { };
32152 +       struct nfs4_exception exception = {0, 0};
32153         int err;
32154  
32155         do {
32156 @@ -4250,7 +4250,7 @@ static int nfs4_lock_reclaim(struct nfs4
32157  static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32158  {
32159         struct nfs_server *server = NFS_SERVER(state->inode);
32160 -       struct nfs4_exception exception = { };
32161 +       struct nfs4_exception exception = {0, 0};
32162         int err;
32163  
32164         err = nfs4_set_lock_state(state, request);
32165 @@ -4315,7 +4315,7 @@ out:
32166  
32167  static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32168  {
32169 -       struct nfs4_exception exception = { };
32170 +       struct nfs4_exception exception = {0, 0};
32171         int err;
32172  
32173         do {
32174 @@ -4375,7 +4375,7 @@ nfs4_proc_lock(struct file *filp, int cm
32175  int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32176  {
32177         struct nfs_server *server = NFS_SERVER(state->inode);
32178 -       struct nfs4_exception exception = { };
32179 +       struct nfs4_exception exception = {0, 0};
32180         int err;
32181  
32182         err = nfs4_set_lock_state(state, fl);
32183 diff -urNp linux-2.6.35.5/fs/nfsd/lockd.c linux-2.6.35.5/fs/nfsd/lockd.c
32184 --- linux-2.6.35.5/fs/nfsd/lockd.c      2010-08-26 19:47:12.000000000 -0400
32185 +++ linux-2.6.35.5/fs/nfsd/lockd.c      2010-09-17 20:12:09.000000000 -0400
32186 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32187         fput(filp);
32188  }
32189  
32190 -static struct nlmsvc_binding   nfsd_nlm_ops = {
32191 +static const struct nlmsvc_binding     nfsd_nlm_ops = {
32192         .fopen          = nlm_fopen,            /* open file for locking */
32193         .fclose         = nlm_fclose,           /* close file */
32194  };
32195 diff -urNp linux-2.6.35.5/fs/nfsd/nfsctl.c linux-2.6.35.5/fs/nfsd/nfsctl.c
32196 --- linux-2.6.35.5/fs/nfsd/nfsctl.c     2010-08-26 19:47:12.000000000 -0400
32197 +++ linux-2.6.35.5/fs/nfsd/nfsctl.c     2010-09-17 20:12:09.000000000 -0400
32198 @@ -163,7 +163,7 @@ static int export_features_open(struct i
32199         return single_open(file, export_features_show, NULL);
32200  }
32201  
32202 -static struct file_operations export_features_operations = {
32203 +static const struct file_operations export_features_operations = {
32204         .open           = export_features_open,
32205         .read           = seq_read,
32206         .llseek         = seq_lseek,
32207 diff -urNp linux-2.6.35.5/fs/nfsd/vfs.c linux-2.6.35.5/fs/nfsd/vfs.c
32208 --- linux-2.6.35.5/fs/nfsd/vfs.c        2010-08-26 19:47:12.000000000 -0400
32209 +++ linux-2.6.35.5/fs/nfsd/vfs.c        2010-09-17 20:12:09.000000000 -0400
32210 @@ -933,7 +933,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32211         } else {
32212                 oldfs = get_fs();
32213                 set_fs(KERNEL_DS);
32214 -               host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32215 +               host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
32216                 set_fs(oldfs);
32217         }
32218  
32219 @@ -1056,7 +1056,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32220  
32221         /* Write the data. */
32222         oldfs = get_fs(); set_fs(KERNEL_DS);
32223 -       host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32224 +       host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32225         set_fs(oldfs);
32226         if (host_err < 0)
32227                 goto out_nfserr;
32228 @@ -1541,7 +1541,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32229          */
32230  
32231         oldfs = get_fs(); set_fs(KERNEL_DS);
32232 -       host_err = inode->i_op->readlink(dentry, buf, *lenp);
32233 +       host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32234         set_fs(oldfs);
32235  
32236         if (host_err < 0)
32237 diff -urNp linux-2.6.35.5/fs/nls/nls_base.c linux-2.6.35.5/fs/nls/nls_base.c
32238 --- linux-2.6.35.5/fs/nls/nls_base.c    2010-08-26 19:47:12.000000000 -0400
32239 +++ linux-2.6.35.5/fs/nls/nls_base.c    2010-09-17 20:12:09.000000000 -0400
32240 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32241      {0xF8,  0xF0,   3*6,    0x1FFFFF,       0x10000,   /* 4 byte sequence */},
32242      {0xFC,  0xF8,   4*6,    0x3FFFFFF,      0x200000,  /* 5 byte sequence */},
32243      {0xFE,  0xFC,   5*6,    0x7FFFFFFF,     0x4000000, /* 6 byte sequence */},
32244 -    {0,                                                       /* end of table    */}
32245 +    {0, 0, 0, 0, 0,                                   /* end of table    */}
32246  };
32247  
32248  #define UNICODE_MAX    0x0010ffff
32249 diff -urNp linux-2.6.35.5/fs/ntfs/file.c linux-2.6.35.5/fs/ntfs/file.c
32250 --- linux-2.6.35.5/fs/ntfs/file.c       2010-08-26 19:47:12.000000000 -0400
32251 +++ linux-2.6.35.5/fs/ntfs/file.c       2010-09-17 20:12:09.000000000 -0400
32252 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
32253  #endif /* NTFS_RW */
32254  };
32255  
32256 -const struct file_operations ntfs_empty_file_ops = {};
32257 +const struct file_operations ntfs_empty_file_ops __read_only;
32258  
32259 -const struct inode_operations ntfs_empty_inode_ops = {};
32260 +const struct inode_operations ntfs_empty_inode_ops __read_only;
32261 diff -urNp linux-2.6.35.5/fs/ocfs2/localalloc.c linux-2.6.35.5/fs/ocfs2/localalloc.c
32262 --- linux-2.6.35.5/fs/ocfs2/localalloc.c        2010-08-26 19:47:12.000000000 -0400
32263 +++ linux-2.6.35.5/fs/ocfs2/localalloc.c        2010-09-17 20:12:09.000000000 -0400
32264 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32265                 goto bail;
32266         }
32267  
32268 -       atomic_inc(&osb->alloc_stats.moves);
32269 +       atomic_inc_unchecked(&osb->alloc_stats.moves);
32270  
32271  bail:
32272         if (handle)
32273 diff -urNp linux-2.6.35.5/fs/ocfs2/ocfs2.h linux-2.6.35.5/fs/ocfs2/ocfs2.h
32274 --- linux-2.6.35.5/fs/ocfs2/ocfs2.h     2010-08-26 19:47:12.000000000 -0400
32275 +++ linux-2.6.35.5/fs/ocfs2/ocfs2.h     2010-09-17 20:12:09.000000000 -0400
32276 @@ -223,11 +223,11 @@ enum ocfs2_vol_state
32277  
32278  struct ocfs2_alloc_stats
32279  {
32280 -       atomic_t moves;
32281 -       atomic_t local_data;
32282 -       atomic_t bitmap_data;
32283 -       atomic_t bg_allocs;
32284 -       atomic_t bg_extends;
32285 +       atomic_unchecked_t moves;
32286 +       atomic_unchecked_t local_data;
32287 +       atomic_unchecked_t bitmap_data;
32288 +       atomic_unchecked_t bg_allocs;
32289 +       atomic_unchecked_t bg_extends;
32290  };
32291  
32292  enum ocfs2_local_alloc_state
32293 diff -urNp linux-2.6.35.5/fs/ocfs2/suballoc.c linux-2.6.35.5/fs/ocfs2/suballoc.c
32294 --- linux-2.6.35.5/fs/ocfs2/suballoc.c  2010-08-26 19:47:12.000000000 -0400
32295 +++ linux-2.6.35.5/fs/ocfs2/suballoc.c  2010-09-17 20:12:09.000000000 -0400
32296 @@ -856,7 +856,7 @@ static int ocfs2_reserve_suballoc_bits(s
32297                                 mlog_errno(status);
32298                         goto bail;
32299                 }
32300 -               atomic_inc(&osb->alloc_stats.bg_extends);
32301 +               atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32302  
32303                 /* You should never ask for this much metadata */
32304                 BUG_ON(bits_wanted >
32305 @@ -1968,7 +1968,7 @@ int ocfs2_claim_metadata(handle_t *handl
32306                 mlog_errno(status);
32307                 goto bail;
32308         }
32309 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32310 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32311  
32312         *suballoc_loc = res.sr_bg_blkno;
32313         *suballoc_bit_start = res.sr_bit_offset;
32314 @@ -2045,7 +2045,7 @@ int ocfs2_claim_new_inode(handle_t *hand
32315                 mlog_errno(status);
32316                 goto bail;
32317         }
32318 -       atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32319 +       atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
32320  
32321         BUG_ON(res.sr_bits != 1);
32322  
32323 @@ -2150,7 +2150,7 @@ int __ocfs2_claim_clusters(handle_t *han
32324                                                       cluster_start,
32325                                                       num_clusters);
32326                 if (!status)
32327 -                       atomic_inc(&osb->alloc_stats.local_data);
32328 +                       atomic_inc_unchecked(&osb->alloc_stats.local_data);
32329         } else {
32330                 if (min_clusters > (osb->bitmap_cpg - 1)) {
32331                         /* The only paths asking for contiguousness
32332 @@ -2176,7 +2176,7 @@ int __ocfs2_claim_clusters(handle_t *han
32333                                 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
32334                                                                  res.sr_bg_blkno,
32335                                                                  res.sr_bit_offset);
32336 -                       atomic_inc(&osb->alloc_stats.bitmap_data);
32337 +                       atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
32338                         *num_clusters = res.sr_bits;
32339                 }
32340         }
32341 diff -urNp linux-2.6.35.5/fs/ocfs2/super.c linux-2.6.35.5/fs/ocfs2/super.c
32342 --- linux-2.6.35.5/fs/ocfs2/super.c     2010-08-26 19:47:12.000000000 -0400
32343 +++ linux-2.6.35.5/fs/ocfs2/super.c     2010-09-17 20:12:09.000000000 -0400
32344 @@ -293,11 +293,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
32345                         "%10s => GlobalAllocs: %d  LocalAllocs: %d  "
32346                         "SubAllocs: %d  LAWinMoves: %d  SAExtends: %d\n",
32347                         "Stats",
32348 -                       atomic_read(&osb->alloc_stats.bitmap_data),
32349 -                       atomic_read(&osb->alloc_stats.local_data),
32350 -                       atomic_read(&osb->alloc_stats.bg_allocs),
32351 -                       atomic_read(&osb->alloc_stats.moves),
32352 -                       atomic_read(&osb->alloc_stats.bg_extends));
32353 +                       atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
32354 +                       atomic_read_unchecked(&osb->alloc_stats.local_data),
32355 +                       atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
32356 +                       atomic_read_unchecked(&osb->alloc_stats.moves),
32357 +                       atomic_read_unchecked(&osb->alloc_stats.bg_extends));
32358  
32359         out += snprintf(buf + out, len - out,
32360                         "%10s => State: %u  Descriptor: %llu  Size: %u bits  "
32361 @@ -2047,11 +2047,11 @@ static int ocfs2_initialize_super(struct
32362         spin_lock_init(&osb->osb_xattr_lock);
32363         ocfs2_init_steal_slots(osb);
32364  
32365 -       atomic_set(&osb->alloc_stats.moves, 0);
32366 -       atomic_set(&osb->alloc_stats.local_data, 0);
32367 -       atomic_set(&osb->alloc_stats.bitmap_data, 0);
32368 -       atomic_set(&osb->alloc_stats.bg_allocs, 0);
32369 -       atomic_set(&osb->alloc_stats.bg_extends, 0);
32370 +       atomic_set_unchecked(&osb->alloc_stats.moves, 0);
32371 +       atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
32372 +       atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
32373 +       atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
32374 +       atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
32375  
32376         /* Copy the blockcheck stats from the superblock probe */
32377         osb->osb_ecc_stats = *stats;
32378 diff -urNp linux-2.6.35.5/fs/ocfs2/symlink.c linux-2.6.35.5/fs/ocfs2/symlink.c
32379 --- linux-2.6.35.5/fs/ocfs2/symlink.c   2010-08-26 19:47:12.000000000 -0400
32380 +++ linux-2.6.35.5/fs/ocfs2/symlink.c   2010-09-17 20:12:09.000000000 -0400
32381 @@ -148,7 +148,7 @@ bail:
32382  
32383  static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
32384  {
32385 -       char *link = nd_get_link(nd);
32386 +       const char *link = nd_get_link(nd);
32387         if (!IS_ERR(link))
32388                 kfree(link);
32389  }
32390 diff -urNp linux-2.6.35.5/fs/open.c linux-2.6.35.5/fs/open.c
32391 --- linux-2.6.35.5/fs/open.c    2010-08-26 19:47:12.000000000 -0400
32392 +++ linux-2.6.35.5/fs/open.c    2010-09-17 20:12:37.000000000 -0400
32393 @@ -42,6 +42,9 @@ int do_truncate(struct dentry *dentry, l
32394         if (length < 0)
32395                 return -EINVAL;
32396  
32397 +       if (filp && !gr_acl_handle_truncate(dentry, filp->f_path.mnt))
32398 +               return -EACCES;
32399 +
32400         newattrs.ia_size = length;
32401         newattrs.ia_valid = ATTR_SIZE | time_attrs;
32402         if (filp) {
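Review bot: The new ACL check is guarded by `filp &&`, so any call to `do_truncate()` with a NULL `filp` skips `gr_acl_handle_truncate()` at this point. The `if (filp) {` context line below confirms that NULL is a supported input. Path-based callers may be checked at their own call sites, but that is not visible in this hunk. If so, say it here, e.g. `/* filp == NULL: caller has already run the truncate ACL check */`; otherwise the check needs a vfsmount passed in for that case as well. The body of `do_truncate()` extends beyond the hunk on both sides.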
32403 @@ -345,6 +348,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
32404         if (__mnt_is_readonly(path.mnt))
32405                 res = -EROFS;
32406  
32407 +       if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
32408 +               res = -EACCES;
32409 +
32410  out_path_release:
32411         path_put(&path);
32412  out:
32413 @@ -371,6 +377,8 @@ SYSCALL_DEFINE1(chdir, const char __user
32414         if (error)
32415                 goto dput_and_out;
32416  
32417 +       gr_log_chdir(path.dentry, path.mnt);
32418 +
32419         set_fs_pwd(current->fs, &path);
32420  
32421  dput_and_out:
32422 @@ -397,6 +405,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
32423                 goto out_putf;
32424  
32425         error = inode_permission(inode, MAY_EXEC | MAY_ACCESS);
32426 +
32427 +       if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
32428 +               error = -EPERM;
32429 +
32430 +       if (!error)
32431 +               gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
32432 +
32433         if (!error)
32434                 set_fs_pwd(current->fs, &file->f_path);
32435  out_putf:
32436 @@ -425,7 +440,18 @@ SYSCALL_DEFINE1(chroot, const char __use
32437         if (error)
32438                 goto dput_and_out;
32439  
32440 +       if (gr_handle_chroot_chroot(path.dentry, path.mnt))
32441 +               goto dput_and_out;
32442 +
32443 +       if (gr_handle_chroot_caps(&path)) {
32444 +               error = -ENOMEM;
32445 +               goto dput_and_out;
32446 +       }
32447 +
32448         set_fs_root(current->fs, &path);
32449 +
32450 +       gr_handle_chroot_chdir(&path);
32451 +
32452         error = 0;
32453  dput_and_out:
32454         path_put(&path);
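Review bot: When `gr_handle_chroot_chroot()` denies the request, the added `goto dput_and_out` runs with `error` still 0, because the preceding context line `if (error) goto dput_and_out;` has just established that it is zero. The syscall would then report success without the root having been changed, and a caller that trusts the return value continues as if it were confined. Set the code before jumping: `if (gr_handle_chroot_chroot(path.dentry, path.mnt)) { error = -EPERM; goto dput_and_out; }`. The start of the function is outside the hunk.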
32455 @@ -453,6 +479,12 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32456         err = mnt_want_write_file(file);
32457         if (err)
32458                 goto out_putf;
32459 +
32460 +       if (!gr_acl_handle_fchmod(dentry, file->f_path.mnt, mode)) {
32461 +               err = -EACCES;
32462 +               goto out_drop_write;
32463 +       }
32464 +
32465         mutex_lock(&inode->i_mutex);
32466         err = security_path_chmod(dentry, file->f_vfsmnt, mode);
32467         if (err)
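Review bot: `fchmod` gets only the `gr_acl_handle_fchmod()` check, while the `fchmodat` hunk further down also calls `gr_handle_chroot_chmod()` after the mode has been normalised. The second `fchmod` hunk adds nothing but the `out_drop_write` label, so the descriptor-based path appears to miss the chroot restriction that the path-based one enforces. If `gr_acl_handle_fchmod()` does not already cover it, add the same test after the `mode == (mode_t) -1` handling, which sits between the two hunks: `if (gr_handle_chroot_chmod(dentry, file->f_path.mnt, mode)) { err = -EACCES; goto out_unlock; }`. If it is covered, a one-line comment saying so would prevent the question.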
32468 @@ -464,6 +496,7 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
32469         err = notify_change(dentry, &newattrs);
32470  out_unlock:
32471         mutex_unlock(&inode->i_mutex);
32472 +out_drop_write:
32473         mnt_drop_write(file->f_path.mnt);
32474  out_putf:
32475         fput(file);
32476 @@ -486,17 +519,30 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
32477         error = mnt_want_write(path.mnt);
32478         if (error)
32479                 goto dput_and_out;
32480 +
32481 +       if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
32482 +               error = -EACCES;
32483 +               goto out_drop_write;
32484 +       }
32485 +
32486         mutex_lock(&inode->i_mutex);
32487         error = security_path_chmod(path.dentry, path.mnt, mode);
32488         if (error)
32489                 goto out_unlock;
32490         if (mode == (mode_t) -1)
32491                 mode = inode->i_mode;
32492 +
32493 +       if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
32494 +               error = -EACCES;
32495 +               goto out_unlock;
32496 +       }
32497 +
32498         newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
32499         newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
32500         error = notify_change(path.dentry, &newattrs);
32501  out_unlock:
32502         mutex_unlock(&inode->i_mutex);
32503 +out_drop_write:
32504         mnt_drop_write(path.mnt);
32505  dput_and_out:
32506         path_put(&path);
32507 @@ -515,6 +561,9 @@ static int chown_common(struct path *pat
32508         int error;
32509         struct iattr newattrs;
32510  
32511 +       if (!gr_acl_handle_chown(path->dentry, path->mnt))
32512 +               return -EACCES;
32513 +
32514         newattrs.ia_valid =  ATTR_CTIME;
32515         if (user != (uid_t) -1) {
32516                 newattrs.ia_valid |= ATTR_UID;
32517 diff -urNp linux-2.6.35.5/fs/pipe.c linux-2.6.35.5/fs/pipe.c
32518 --- linux-2.6.35.5/fs/pipe.c    2010-08-26 19:47:12.000000000 -0400
32519 +++ linux-2.6.35.5/fs/pipe.c    2010-09-17 20:12:37.000000000 -0400
32520 @@ -420,9 +420,9 @@ redo:
32521                 }
32522                 if (bufs)       /* More to do? */
32523                         continue;
32524 -               if (!pipe->writers)
32525 +               if (!atomic_read(&pipe->writers))
32526                         break;
32527 -               if (!pipe->waiting_writers) {
32528 +               if (!atomic_read(&pipe->waiting_writers)) {
32529                         /* syscall merging: Usually we must not sleep
32530                          * if O_NONBLOCK is set, or if we got some data.
32531                          * But if a writer sleeps in kernel space, then
32532 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
32533         mutex_lock(&inode->i_mutex);
32534         pipe = inode->i_pipe;
32535  
32536 -       if (!pipe->readers) {
32537 +       if (!atomic_read(&pipe->readers)) {
32538                 send_sig(SIGPIPE, current, 0);
32539                 ret = -EPIPE;
32540                 goto out;
32541 @@ -530,7 +530,7 @@ redo1:
32542         for (;;) {
32543                 int bufs;
32544  
32545 -               if (!pipe->readers) {
32546 +               if (!atomic_read(&pipe->readers)) {
32547                         send_sig(SIGPIPE, current, 0);
32548                         if (!ret)
32549                                 ret = -EPIPE;
32550 @@ -616,9 +616,9 @@ redo2:
32551                         kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
32552                         do_wakeup = 0;
32553                 }
32554 -               pipe->waiting_writers++;
32555 +               atomic_inc(&pipe->waiting_writers);
32556                 pipe_wait(pipe);
32557 -               pipe->waiting_writers--;
32558 +               atomic_dec(&pipe->waiting_writers);
32559         }
32560  out:
32561         mutex_unlock(&inode->i_mutex);
32562 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table 
32563         mask = 0;
32564         if (filp->f_mode & FMODE_READ) {
32565                 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
32566 -               if (!pipe->writers && filp->f_version != pipe->w_counter)
32567 +               if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
32568                         mask |= POLLHUP;
32569         }
32570  
32571 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table 
32572                  * Most Unices do not set POLLERR for FIFOs but on Linux they
32573                  * behave exactly like pipes for poll().
32574                  */
32575 -               if (!pipe->readers)
32576 +               if (!atomic_read(&pipe->readers))
32577                         mask |= POLLERR;
32578         }
32579  
32580 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
32581  
32582         mutex_lock(&inode->i_mutex);
32583         pipe = inode->i_pipe;
32584 -       pipe->readers -= decr;
32585 -       pipe->writers -= decw;
32586 +       atomic_sub(decr, &pipe->readers);
32587 +       atomic_sub(decw, &pipe->writers);
32588  
32589 -       if (!pipe->readers && !pipe->writers) {
32590 +       if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
32591                 free_pipe_info(inode);
32592         } else {
32593                 wake_up_interruptible_sync(&pipe->wait);
32594 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
32595  
32596         if (inode->i_pipe) {
32597                 ret = 0;
32598 -               inode->i_pipe->readers++;
32599 +               atomic_inc(&inode->i_pipe->readers);
32600         }
32601  
32602         mutex_unlock(&inode->i_mutex);
32603 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
32604  
32605         if (inode->i_pipe) {
32606                 ret = 0;
32607 -               inode->i_pipe->writers++;
32608 +               atomic_inc(&inode->i_pipe->writers);
32609         }
32610  
32611         mutex_unlock(&inode->i_mutex);
32612 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
32613         if (inode->i_pipe) {
32614                 ret = 0;
32615                 if (filp->f_mode & FMODE_READ)
32616 -                       inode->i_pipe->readers++;
32617 +                       atomic_inc(&inode->i_pipe->readers);
32618                 if (filp->f_mode & FMODE_WRITE)
32619 -                       inode->i_pipe->writers++;
32620 +                       atomic_inc(&inode->i_pipe->writers);
32621         }
32622  
32623         mutex_unlock(&inode->i_mutex);
32624 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
32625         inode->i_pipe = NULL;
32626  }
32627  
32628 -static struct vfsmount *pipe_mnt __read_mostly;
32629 +struct vfsmount *pipe_mnt __read_mostly;
32630  
32631  /*
32632   * pipefs_dname() is called from d_path().
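Review bot: Dropping `static` turns `pipe_mnt` into a writable kernel-wide symbol, and this hunk shows neither an `extern` declaration nor the code that needs it. Declare it in one header next to its user instead of repeating `extern` lines in .c files. Add a comment at the definition, e.g. `/* non-static: read by <consumer>; set once at init, never reassigned */`, with the consumer filled in. If a read-only accessor would satisfy that consumer, keeping the variable `static` behind it exposes less.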
32633 @@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
32634                 goto fail_iput;
32635         inode->i_pipe = pipe;
32636  
32637 -       pipe->readers = pipe->writers = 1;
32638 +       atomic_set(&pipe->readers, 1);
32639 +       atomic_set(&pipe->writers, 1);
32640         inode->i_fop = &rdwr_pipefifo_fops;
32641  
32642         /*
32643 diff -urNp linux-2.6.35.5/fs/proc/array.c linux-2.6.35.5/fs/proc/array.c
32644 --- linux-2.6.35.5/fs/proc/array.c      2010-08-26 19:47:12.000000000 -0400
32645 +++ linux-2.6.35.5/fs/proc/array.c      2010-09-17 20:12:37.000000000 -0400
32646 @@ -337,6 +337,21 @@ static void task_cpus_allowed(struct seq
32647         seq_printf(m, "\n");
32648  }
32649  
32650 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32651 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
32652 +{
32653 +       if (p->mm)
32654 +               seq_printf(m, "PaX:\t%c%c%c%c%c\n",
32655 +                          p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
32656 +                          p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
32657 +                          p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
32658 +                          p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
32659 +                          p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
32660 +       else
32661 +               seq_printf(m, "PaX:\t-----\n");
32662 +}
32663 +#endif
32664 +
32665  int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
32666                         struct pid *pid, struct task_struct *task)
32667  {
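Review bot: `task_pax()` tests `p->mm` and then dereferences `p->mm` five more times without taking a reference, so the mm can be detached or freed between the test and the reads if the task exits meanwhile. Nothing in the hunk shows the caller pinning it. `proc_pid_auxv()` in fs/proc/base.c takes the mm with `get_task_mm()` and releases it with `mmput()`; the same pattern here reads the flags from a stable object. The helper also has no comment explaining the five-letter output; a short one listing what each upper/lower-case letter means would help readers of /proc/<pid>/status.

```c
static inline void task_pax(struct seq_file *m, struct task_struct *p)
{
	/* pin the mm so pax_flags is read from a live object */
	struct mm_struct *mm = get_task_mm(p);

	if (!mm) {
		seq_printf(m, "PaX:\t-----\n");
		return;
	}

	seq_printf(m, "PaX:\t%c%c%c%c%c\n",
		   mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
		   mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
		   mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
		   mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
		   mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
	mmput(mm);
}
```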
32668 @@ -357,9 +372,20 @@ int proc_pid_status(struct seq_file *m, 
32669         task_show_regs(m, task);
32670  #endif
32671         task_context_switch_counts(m, task);
32672 +
32673 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
32674 +       task_pax(m, task);
32675 +#endif
32676 +
32677         return 0;
32678  }
32679  
32680 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32681 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32682 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
32683 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
32684 +#endif
32685 +
32686  static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
32687                         struct pid *pid, struct task_struct *task, int whole)
32688  {
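Review bot: `PAX_RAND_FLAGS` uses its argument four times without parentheses, and the fs/proc/base.c section of this patch defines the same macro again, so the two copies can drift apart. Parenthesise the argument and fold the two flag tests into one: `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. Better still, place a single `static inline` helper in a header that both files include. A comment stating the intent would also help, since the macro decides which values are hidden from readers other than the task itself.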
32689 @@ -452,6 +478,19 @@ static int do_task_stat(struct seq_file 
32690                 gtime = task->gtime;
32691         }
32692  
32693 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32694 +       if (PAX_RAND_FLAGS(mm)) {
32695 +               eip = 0;
32696 +               esp = 0;
32697 +               wchan = 0;
32698 +       }
32699 +#endif
32700 +#ifdef CONFIG_GRKERNSEC_HIDESYM
32701 +       wchan = 0;
32702 +       eip =0;
32703 +       esp =0;
32704 +#endif
32705 +
32706         /* scale priority and nice values from timeslices to -20..20 */
32707         /* to make it look like a "normal" Unix priority/nice value  */
32708         priority = task_prio(task);
32709 @@ -492,9 +531,15 @@ static int do_task_stat(struct seq_file 
32710                 vsize,
32711                 mm ? get_mm_rss(mm) : 0,
32712                 rsslim,
32713 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32714 +               PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
32715 +               PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
32716 +               PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
32717 +#else
32718                 mm ? mm->start_code : 0,
32719                 mm ? mm->end_code : 0,
32720                 (permitted && mm) ? mm->start_stack : 0,
32721 +#endif
32722                 esp,
32723                 eip,
32724                 /* The signal information here is obsolete.
32725 @@ -547,3 +592,10 @@ int proc_pid_statm(struct seq_file *m, s
32726  
32727         return 0;
32728  }
32729 +
32730 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
32731 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
32732 +{
32733 +       return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
32734 +}
32735 +#endif
32736 diff -urNp linux-2.6.35.5/fs/proc/base.c linux-2.6.35.5/fs/proc/base.c
32737 --- linux-2.6.35.5/fs/proc/base.c       2010-08-26 19:47:12.000000000 -0400
32738 +++ linux-2.6.35.5/fs/proc/base.c       2010-09-22 18:45:42.000000000 -0400
32739 @@ -103,6 +103,22 @@ struct pid_entry {
32740         union proc_op op;
32741  };
32742  
32743 +struct getdents_callback {
32744 +       struct linux_dirent __user * current_dir;
32745 +       struct linux_dirent __user * previous;
32746 +       struct file * file;
32747 +       int count;
32748 +       int error;
32749 +};
32750 +
32751 +static int gr_fake_filldir(void * __buf, const char *name, int namlen, 
32752 +                          loff_t offset, u64 ino, unsigned int d_type)
32753 +{
32754 +       struct getdents_callback * buf = (struct getdents_callback *) __buf;
32755 +       buf->error = -EINVAL;
32756 +       return 0;
32757 +}
32758 +
32759  #define NOD(NAME, MODE, IOP, FOP, OP) {                        \
32760         .name = (NAME),                                 \
32761         .len  = sizeof(NAME) - 1,                       \
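Review bot: `gr_fake_filldir()` casts the opaque `__buf` to a `struct getdents_callback` that is declared privately in this file, so the store to `buf->error` is only correct while every readdir entry point passes a buffer with exactly this layout. The hunk shows nothing that guarantees it. A private copy also has to be kept in step by hand with whatever definition the real getdents code uses. Move the struct to a shared header so there is one definition. Alternatively, skip hidden entries in the `proc_pid_readdir()` loop rather than swapping in a callback that writes through an assumed type. At minimum add a comment such as `/* must match the getdents callback buffer layout exactly */`.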
32762 @@ -202,6 +218,9 @@ static int check_mem_permission(struct t
32763         if (task == current)
32764                 return 0;
32765  
32766 +       if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
32767 +               return -EPERM;
32768 +
32769         /*
32770          * If current is actively ptrace'ing, and would also be
32771          * permitted to freshly attach with ptrace now, permit it.
32772 @@ -249,6 +268,9 @@ static int proc_pid_cmdline(struct task_
32773         if (!mm->arg_end)
32774                 goto out_mm;    /* Shh! No looking before we're done */
32775  
32776 +       if (gr_acl_handle_procpidmem(task))
32777 +               goto out_mm;
32778 +
32779         len = mm->arg_end - mm->arg_start;
32780   
32781         if (len > PAGE_SIZE)
32782 @@ -276,12 +298,26 @@ out:
32783         return res;
32784  }
32785  
32786 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32787 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
32788 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
32789 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
32790 +#endif
32791 +
32792  static int proc_pid_auxv(struct task_struct *task, char *buffer)
32793  {
32794         int res = 0;
32795         struct mm_struct *mm = get_task_mm(task);
32796         if (mm) {
32797                 unsigned int nwords = 0;
32798 +
32799 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
32800 +               if (PAX_RAND_FLAGS(mm)) {
32801 +                       mmput(mm);
32802 +                       return res;
32803 +               }
32804 +#endif
32805 +
32806                 do {
32807                         nwords += 2;
32808                 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
32809 @@ -295,7 +331,7 @@ static int proc_pid_auxv(struct task_str
32810  }
32811  
32812  
32813 -#ifdef CONFIG_KALLSYMS
32814 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32815  /*
32816   * Provides a wchan file via kallsyms in a proper one-value-per-file format.
32817   * Returns the resolved symbol.  If that fails, simply return the address.
32818 @@ -317,7 +353,7 @@ static int proc_pid_wchan(struct task_st
32819  }
32820  #endif /* CONFIG_KALLSYMS */
32821  
32822 -#ifdef CONFIG_STACKTRACE
32823 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
32824  
32825  #define MAX_STACK_TRACE_DEPTH  64
32826  
32827 @@ -511,7 +547,7 @@ static int proc_pid_limits(struct task_s
32828         return count;
32829  }
32830  
32831 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32832 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32833  static int proc_pid_syscall(struct task_struct *task, char *buffer)
32834  {
32835         long nr;
32836 @@ -920,6 +956,9 @@ static ssize_t environ_read(struct file 
32837         if (!task)
32838                 goto out_no_task;
32839  
32840 +       if (gr_acl_handle_procpidmem(task))
32841 +               goto out;
32842 +
32843         if (!ptrace_may_access(task, PTRACE_MODE_READ))
32844                 goto out;
32845  
32846 @@ -1514,7 +1553,11 @@ static struct inode *proc_pid_make_inode
32847                 rcu_read_lock();
32848                 cred = __task_cred(task);
32849                 inode->i_uid = cred->euid;
32850 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32851 +               inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32852 +#else
32853                 inode->i_gid = cred->egid;
32854 +#endif
32855                 rcu_read_unlock();
32856         }
32857         security_task_to_inode(task, inode);
32858 @@ -1532,6 +1575,9 @@ static int pid_getattr(struct vfsmount *
32859         struct inode *inode = dentry->d_inode;
32860         struct task_struct *task;
32861         const struct cred *cred;
32862 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32863 +       const struct cred *tmpcred = current_cred();
32864 +#endif
32865  
32866         generic_fillattr(inode, stat);
32867  
32868 @@ -1539,12 +1585,34 @@ static int pid_getattr(struct vfsmount *
32869         stat->uid = 0;
32870         stat->gid = 0;
32871         task = pid_task(proc_pid(inode), PIDTYPE_PID);
32872 +
32873 +       if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
32874 +               rcu_read_unlock();
32875 +               return -ENOENT;
32876 +       }
32877 +
32878         if (task) {
32879 +               cred = __task_cred(task);
32880 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32881 +               if (!tmpcred->uid || (tmpcred->uid == cred->uid)
32882 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32883 +                   || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
32884 +#endif
32885 +               )
32886 +#endif
32887                 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32888 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32889 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32890 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32891 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32892 +#endif
32893                     task_dumpable(task)) {
32894 -                       cred = __task_cred(task);
32895                         stat->uid = cred->euid;
32896 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32897 +                       stat->gid = CONFIG_GRKERNSEC_PROC_GID;
32898 +#else
32899                         stat->gid = cred->egid;
32900 +#endif
32901                 }
32902         }
32903         rcu_read_unlock();
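Review bot: The added uid/gid test in `pid_getattr()` is an unbraced `if` whose only statement is the existing `if ((inode->i_mode == ...` below it, and its condition is spread over nested `#if`/`#ifdef` blocks. Whether the outer `if` exists at all depends on the configuration, which makes the control flow hard to verify by eye and easy to break in a later edit. Evaluate the visibility decision once into a local flag inside the `#if` block, defaulting to true when neither option is set. The following `if` can then test that flag with normal braces. The function begins before this hunk.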
32904 @@ -1576,11 +1644,20 @@ static int pid_revalidate(struct dentry 
32905  
32906         if (task) {
32907                 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
32908 +#ifdef CONFIG_GRKERNSEC_PROC_USER
32909 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
32910 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
32911 +                   (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
32912 +#endif
32913                     task_dumpable(task)) {
32914                         rcu_read_lock();
32915                         cred = __task_cred(task);
32916                         inode->i_uid = cred->euid;
32917 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
32918 +                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
32919 +#else
32920                         inode->i_gid = cred->egid;
32921 +#endif
32922                         rcu_read_unlock();
32923                 } else {
32924                         inode->i_uid = 0;
32925 @@ -1701,7 +1778,8 @@ static int proc_fd_info(struct inode *in
32926         int fd = proc_fd(inode);
32927  
32928         if (task) {
32929 -               files = get_files_struct(task);
32930 +               if (!gr_acl_handle_procpidmem(task))
32931 +                       files = get_files_struct(task);
32932                 put_task_struct(task);
32933         }
32934         if (files) {
32935 @@ -1953,12 +2031,22 @@ static const struct file_operations proc
32936  static int proc_fd_permission(struct inode *inode, int mask)
32937  {
32938         int rv;
32939 +       struct task_struct *task;
32940  
32941         rv = generic_permission(inode, mask, NULL);
32942 -       if (rv == 0)
32943 -               return 0;
32944 +
32945         if (task_pid(current) == proc_pid(inode))
32946                 rv = 0;
32947 +
32948 +       task = get_proc_task(inode);
32949 +       if (task == NULL)
32950 +               return rv;
32951 +
32952 +       if (gr_acl_handle_procpidmem(task))
32953 +               rv = -EACCES;
32954 +
32955 +       put_task_struct(task);
32956 +
32957         return rv;
32958  }
32959  
32960 @@ -2067,6 +2155,9 @@ static struct dentry *proc_pident_lookup
32961         if (!task)
32962                 goto out_no_task;
32963  
32964 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32965 +               goto out;
32966 +
32967         /*
32968          * Yes, it does not scale. And it should not. Don't add
32969          * new entries into /proc/<tgid>/ without very good reasons.
32970 @@ -2111,6 +2202,9 @@ static int proc_pident_readdir(struct fi
32971         if (!task)
32972                 goto out_no_task;
32973  
32974 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
32975 +               goto out;
32976 +
32977         ret = 0;
32978         i = filp->f_pos;
32979         switch (i) {
32980 @@ -2380,7 +2474,7 @@ static void *proc_self_follow_link(struc
32981  static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
32982                                 void *cookie)
32983  {
32984 -       char *s = nd_get_link(nd);
32985 +       const char *s = nd_get_link(nd);
32986         if (!IS_ERR(s))
32987                 __putname(s);
32988  }
32989 @@ -2580,7 +2674,7 @@ static const struct pid_entry tgid_base_
32990         REG("sched",      S_IRUGO|S_IWUSR, proc_pid_sched_operations),
32991  #endif
32992         REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
32993 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
32994 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
32995         INF("syscall",    S_IRUSR, proc_pid_syscall),
32996  #endif
32997         INF("cmdline",    S_IRUGO, proc_pid_cmdline),
32998 @@ -2605,10 +2699,10 @@ static const struct pid_entry tgid_base_
32999  #ifdef CONFIG_SECURITY
33000         DIR("attr",       S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33001  #endif
33002 -#ifdef CONFIG_KALLSYMS
33003 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33004         INF("wchan",      S_IRUGO, proc_pid_wchan),
33005  #endif
33006 -#ifdef CONFIG_STACKTRACE
33007 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33008         ONE("stack",      S_IRUSR, proc_pid_stack),
33009  #endif
33010  #ifdef CONFIG_SCHEDSTATS
33011 @@ -2638,6 +2732,9 @@ static const struct pid_entry tgid_base_
33012         INF("io",       S_IRUGO, proc_tgid_io_accounting),
33013  #endif
33014         ONE("nsproxy",  S_IRUGO, proc_pid_nsproxy),
33015 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33016 +       INF("ipaddr",     S_IRUSR, proc_pid_ipaddr),
33017 +#endif
33018  };
33019  
33020  static int proc_tgid_base_readdir(struct file * filp,
33021 @@ -2762,7 +2859,14 @@ static struct dentry *proc_pid_instantia
33022         if (!inode)
33023                 goto out;
33024  
33025 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33026 +       inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33027 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33028 +       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33029 +       inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33030 +#else
33031         inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33032 +#endif
33033         inode->i_op = &proc_tgid_base_inode_operations;
33034         inode->i_fop = &proc_tgid_base_operations;
33035         inode->i_flags|=S_IMMUTABLE;
33036 @@ -2804,7 +2908,11 @@ struct dentry *proc_pid_lookup(struct in
33037         if (!task)
33038                 goto out;
33039  
33040 +       if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33041 +               goto out_put_task;
33042 +
33043         result = proc_pid_instantiate(dir, dentry, task, NULL);
33044 +out_put_task:
33045         put_task_struct(task);
33046  out:
33047         return result;
33048 @@ -2869,6 +2977,11 @@ int proc_pid_readdir(struct file * filp,
33049  {
33050         unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33051         struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33052 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33053 +       const struct cred *tmpcred = current_cred();
33054 +       const struct cred *itercred;
33055 +#endif
33056 +       filldir_t __filldir = filldir;
33057         struct tgid_iter iter;
33058         struct pid_namespace *ns;
33059  
33060 @@ -2887,8 +3000,27 @@ int proc_pid_readdir(struct file * filp,
33061         for (iter = next_tgid(ns, iter);
33062              iter.task;
33063              iter.tgid += 1, iter = next_tgid(ns, iter)) {
33064 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33065 +               rcu_read_lock();
33066 +               itercred = __task_cred(iter.task);
33067 +#endif
33068 +               if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33069 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33070 +                   || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33071 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33072 +                       && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33073 +#endif
33074 +                       )
33075 +#endif
33076 +               )
33077 +                       __filldir = &gr_fake_filldir;
33078 +               else
33079 +                       __filldir = filldir;
33080 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33081 +       rcu_read_unlock();
33082 +#endif
33083                 filp->f_pos = iter.tgid + TGID_OFFSET;
33084                 if (!vx_proc_task_visible(iter.task))
33085                         continue;
33086 -               if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33087 +               if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33088                         put_task_struct(iter.task);
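Review bot: The added `rcu_read_unlock();` is indented one level less than the loop body it belongs to, and the condition above it is split across four nested `#if` levels. That makes it hard to check that the lock is always paired and that the parentheses balance in every configuration. Moving the decision into a small helper keeps the loop readable and confines the RCU section to the one credential read; the sketch below is intended to preserve behaviour and would make `tmpcred` and `itercred` from the previous hunk unnecessary. proc_pid_readdir starts and ends outside the hunk.

```c
/* Nonzero when the entry for @task must not be shown to the current caller. */
static int gr_proc_hide_task(struct task_struct *task)
{
	int hide = gr_pid_is_chrooted(task) || gr_check_hidden_task(task);
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
	const struct cred *cred = current_cred();

	if (!hide && cred->uid) {
		rcu_read_lock();
		hide = __task_cred(task)->uid != cred->uid;
		rcu_read_unlock();
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
		hide = hide && !in_group_p(CONFIG_GRKERNSEC_PROC_GID);
#endif
	}
#endif
	return hide;
}

		/* … unchanged: for (iter = next_tgid(ns, iter); …) loop header … */
		__filldir = gr_proc_hide_task(iter.task) ? &gr_fake_filldir : filldir;
		/* … unchanged: f_pos update, vx_proc_task_visible(), proc_pid_fill_cache() … */
```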
33089 @@ -2915,7 +3047,7 @@ static const struct pid_entry tid_base_s
33090         REG("sched",     S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33091  #endif
33092         REG("comm",      S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33093 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33094 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33095         INF("syscall",   S_IRUSR, proc_pid_syscall),
33096  #endif
33097         INF("cmdline",   S_IRUGO, proc_pid_cmdline),
33098 @@ -2939,10 +3071,10 @@ static const struct pid_entry tid_base_s
33099  #ifdef CONFIG_SECURITY
33100         DIR("attr",      S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33101  #endif
33102 -#ifdef CONFIG_KALLSYMS
33103 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33104         INF("wchan",     S_IRUGO, proc_pid_wchan),
33105  #endif
33106 -#ifdef CONFIG_STACKTRACE
33107 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33108         ONE("stack",      S_IRUSR, proc_pid_stack),
33109  #endif
33110  #ifdef CONFIG_SCHEDSTATS
33111 diff -urNp linux-2.6.35.5/fs/proc/cmdline.c linux-2.6.35.5/fs/proc/cmdline.c
33112 --- linux-2.6.35.5/fs/proc/cmdline.c    2010-08-26 19:47:12.000000000 -0400
33113 +++ linux-2.6.35.5/fs/proc/cmdline.c    2010-09-17 20:12:37.000000000 -0400
33114 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33115  
33116  static int __init proc_cmdline_init(void)
33117  {
33118 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33119 +       proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33120 +#else
33121         proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33122 +#endif
33123         return 0;
33124  }
33125  module_init(proc_cmdline_init);
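Review bot: The `#ifdef CONFIG_GRKERNSEC_PROC_ADD` / `#else` pair around the registration call is repeated verbatim in the fs/proc/devices.c hunk below, so each call site carries its own copy of the configuration switch. If the header that declares `proc_create_grsec` (not visible here) defined it as an alias for `proc_create` when the option is off, both sites would shrink to one unconditional call. A comment saying what `proc_create_grsec` restricts would also help, since the `0` mode argument gives no hint.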
33126 diff -urNp linux-2.6.35.5/fs/proc/devices.c linux-2.6.35.5/fs/proc/devices.c
33127 --- linux-2.6.35.5/fs/proc/devices.c    2010-08-26 19:47:12.000000000 -0400
33128 +++ linux-2.6.35.5/fs/proc/devices.c    2010-09-17 20:12:37.000000000 -0400
33129 @@ -64,7 +64,11 @@ static const struct file_operations proc
33130  
33131  static int __init proc_devices_init(void)
33132  {
33133 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33134 +       proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33135 +#else
33136         proc_create("devices", 0, NULL, &proc_devinfo_operations);
33137 +#endif
33138         return 0;
33139  }
33140  module_init(proc_devices_init);
33141 diff -urNp linux-2.6.35.5/fs/proc/inode.c linux-2.6.35.5/fs/proc/inode.c
33142 --- linux-2.6.35.5/fs/proc/inode.c      2010-08-26 19:47:12.000000000 -0400
33143 +++ linux-2.6.35.5/fs/proc/inode.c      2010-09-17 20:12:37.000000000 -0400
33144 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
33145                 if (de->mode) {
33146                         inode->i_mode = de->mode;
33147                         inode->i_uid = de->uid;
33148 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33149 +                       inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33150 +#else
33151                         inode->i_gid = de->gid;
33152 +#endif
33153                 }
33154                 if (de->size)
33155                         inode->i_size = de->size;
33156 diff -urNp linux-2.6.35.5/fs/proc/internal.h linux-2.6.35.5/fs/proc/internal.h
33157 --- linux-2.6.35.5/fs/proc/internal.h   2010-08-26 19:47:12.000000000 -0400
33158 +++ linux-2.6.35.5/fs/proc/internal.h   2010-09-17 20:12:37.000000000 -0400
33159 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33160  extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33161                                 struct pid *pid, struct task_struct *task);
33162  
33163 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33164 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33165 +#endif
33166  extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33167  
33168  extern const struct file_operations proc_maps_operations;
33169 diff -urNp linux-2.6.35.5/fs/proc/Kconfig linux-2.6.35.5/fs/proc/Kconfig
33170 --- linux-2.6.35.5/fs/proc/Kconfig      2010-08-26 19:47:12.000000000 -0400
33171 +++ linux-2.6.35.5/fs/proc/Kconfig      2010-09-17 20:12:37.000000000 -0400
33172 @@ -30,12 +30,12 @@ config PROC_FS
33173  
33174  config PROC_KCORE
33175         bool "/proc/kcore support" if !ARM
33176 -       depends on PROC_FS && MMU
33177 +       depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33178  
33179  config PROC_VMCORE
33180          bool "/proc/vmcore support (EXPERIMENTAL)"
33181 -        depends on PROC_FS && CRASH_DUMP
33182 -       default y
33183 +        depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33184 +       default n
33185          help
33186          Exports the dump image of crashed kernel in ELF format.
33187  
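Review bot: `default n` on PROC_VMCORE (and on PROC_PAGE_MONITOR in the next hunk) is what Kconfig assumes when no default is given, so the line can be dropped rather than rewritten. Because `!GRKERNSEC` now makes /proc/vmcore unavailable on hardened builds, the help text should say so, for example `Not available when GRKERNSEC is enabled.`, so that someone setting up crash dumps is not left searching for the missing option.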
33188 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33189           limited in memory.
33190  
33191  config PROC_PAGE_MONITOR
33192 -       default y
33193 -       depends on PROC_FS && MMU
33194 +       default n
33195 +       depends on PROC_FS && MMU && !GRKERNSEC
33196         bool "Enable /proc page monitoring" if EMBEDDED
33197         help
33198           Various /proc files exist to monitor process memory utilization:
33199 diff -urNp linux-2.6.35.5/fs/proc/kcore.c linux-2.6.35.5/fs/proc/kcore.c
33200 --- linux-2.6.35.5/fs/proc/kcore.c      2010-08-26 19:47:12.000000000 -0400
33201 +++ linux-2.6.35.5/fs/proc/kcore.c      2010-09-17 20:12:37.000000000 -0400
33202 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33203          * the addresses in the elf_phdr on our list.
33204          */
33205         start = kc_offset_to_vaddr(*fpos - elf_buflen);
33206 -       if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33207 +       tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33208 +       if (tsz > buflen)
33209                 tsz = buflen;
33210 -               
33211 +
33212         while (buflen) {
33213                 struct kcore_list *m;
33214  
33215 @@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
33216                         kfree(elf_buf);
33217                 } else {
33218                         if (kern_addr_valid(start)) {
33219 -                               unsigned long n;
33220 +                               char *elf_buf;
33221  
33222 -                               n = copy_to_user(buffer, (char *)start, tsz);
33223 -                               /*
33224 -                                * We cannot distingush between fault on source
33225 -                                * and fault on destination. When this happens
33226 -                                * we clear too and hope it will trigger the
33227 -                                * EFAULT again.
33228 -                                */
33229 -                               if (n) { 
33230 -                                       if (clear_user(buffer + tsz - n,
33231 -                                                               n))
33232 +                               elf_buf = kmalloc(tsz, GFP_KERNEL);
33233 +                               if (!elf_buf)
33234 +                                       return -ENOMEM;
33235 +                               if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33236 +                                       if (copy_to_user(buffer, elf_buf, tsz)) {
33237 +                                               kfree(elf_buf);
33238                                                 return -EFAULT;
33239 +                                       }
33240                                 }
33241 +                               kfree(elf_buf);
33242                         } else {
33243                                 if (clear_user(buffer, tsz))
33244                                         return -EFAULT;
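Review bot: When `__copy_from_user()` into the bounce buffer fails, the new code writes nothing to `buffer` and falls through to `kfree(elf_buf)`, whereas the removed code zero-filled what it could not copy. If the loop then counts these `tsz` bytes as read, which this hunk does not show, the caller is told it received data the kernel never wrote. An `else if (clear_user(buffer, tsz))` branch that frees `elf_buf` and returns `-EFAULT`, mirroring the `!kern_addr_valid()` branch just below, would keep the output defined. The new local also reuses the name `elf_buf` that the other branch frees a few lines above; a distinct name such as `bounce` would read better. read_kcore starts and ends outside the hunk.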
33245 @@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
33246  
33247  static int open_kcore(struct inode *inode, struct file *filp)
33248  {
33249 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
33250 +       return -EPERM;
33251 +#endif
33252         if (!capable(CAP_SYS_RAWIO))
33253                 return -EPERM;
33254         if (kcore_need_update)
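Review bot: The unconditional `return -EPERM;` makes the rest of open_kcore unreachable in those configurations and hides the `capable(CAP_SYS_RAWIO)` check from readers; wrapping the remainder in `#else` and `#endif` would state the intent. The fs/proc/Kconfig hunk above already makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`, so the `CONFIG_GRKERNSEC_PROC_ADD` half of the test is presumably never true when this file is built, assuming kcore.c is compiled only with PROC_KCORE. A comment such as `/* kcore exposes kernel memory and symbols: refuse it outright */` would explain why the capability check alone is not considered enough. The function body continues outside the hunk.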
33255 diff -urNp linux-2.6.35.5/fs/proc/meminfo.c linux-2.6.35.5/fs/proc/meminfo.c
33256 --- linux-2.6.35.5/fs/proc/meminfo.c    2010-08-26 19:47:12.000000000 -0400
33257 +++ linux-2.6.35.5/fs/proc/meminfo.c    2010-09-17 20:12:09.000000000 -0400
33258 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33259                 vmi.used >> 10,
33260                 vmi.largest_chunk >> 10
33261  #ifdef CONFIG_MEMORY_FAILURE
33262 -               ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33263 +               ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33264  #endif
33265                 );
33266  
33267 diff -urNp linux-2.6.35.5/fs/proc/nommu.c linux-2.6.35.5/fs/proc/nommu.c
33268 --- linux-2.6.35.5/fs/proc/nommu.c      2010-08-26 19:47:12.000000000 -0400
33269 +++ linux-2.6.35.5/fs/proc/nommu.c      2010-09-17 20:12:09.000000000 -0400
33270 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
33271                 if (len < 1)
33272                         len = 1;
33273                 seq_printf(m, "%*c", len, ' ');
33274 -               seq_path(m, &file->f_path, "");
33275 +               seq_path(m, &file->f_path, "\n\\");
33276         }
33277  
33278         seq_putc(m, '\n');
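Review bot: The new escape set `"\n\\"` is passed to `seq_path()` without a comment saying why it changed from the empty string. Presumably a file name containing a newline must not be able to start a forged line in this /proc output, and the backslash is escaped so the escaped form stays unambiguous. A one-line comment such as `/* escape newline and backslash so a path cannot forge an output line */` would record that. The same literal is repeated in show_map_vma (fs/proc/task_mmu.c) and nommu_vma_show (fs/proc/task_nommu.c) further down; a shared named constant would keep the three in step.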
33279 diff -urNp linux-2.6.35.5/fs/proc/proc_net.c linux-2.6.35.5/fs/proc/proc_net.c
33280 --- linux-2.6.35.5/fs/proc/proc_net.c   2010-08-26 19:47:12.000000000 -0400
33281 +++ linux-2.6.35.5/fs/proc/proc_net.c   2010-09-17 20:12:37.000000000 -0400
33282 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
33283         struct task_struct *task;
33284         struct nsproxy *ns;
33285         struct net *net = NULL;
33286 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33287 +       const struct cred *cred = current_cred();
33288 +#endif
33289 +
33290 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33291 +       if (cred->fsuid)
33292 +               return net;
33293 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33294 +       if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
33295 +               return net;
33296 +#endif
33297  
33298         rcu_read_lock();
33299         task = pid_task(proc_pid(dir), PIDTYPE_PID);
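Review bot: This check tests `cred->fsuid`, while the equivalent filter added to proc_pid_readdir in fs/proc/base.c tests `tmpcred->uid`. If the difference is intentional it needs a comment; otherwise both should use the same credential field so that a process whose uid and fsuid differ gets a consistent view of /proc. The early exits would read more clearly as `return NULL;` than `return net;`, since `net` still holds its `NULL` initialiser at that point. get_proc_task_net continues outside the hunk.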
33300 diff -urNp linux-2.6.35.5/fs/proc/proc_sysctl.c linux-2.6.35.5/fs/proc/proc_sysctl.c
33301 --- linux-2.6.35.5/fs/proc/proc_sysctl.c        2010-08-26 19:47:12.000000000 -0400
33302 +++ linux-2.6.35.5/fs/proc/proc_sysctl.c        2010-09-17 20:12:37.000000000 -0400
33303 @@ -7,6 +7,8 @@
33304  #include <linux/security.h>
33305  #include "internal.h"
33306  
33307 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
33308 +
33309  static const struct dentry_operations proc_sys_dentry_operations;
33310  static const struct file_operations proc_sys_file_operations;
33311  static const struct inode_operations proc_sys_inode_operations;
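Review bot: Declaring `gr_handle_sysctl` with a local `extern` in this .c file means the prototype is never checked against the definition, so a later signature change would compile silently on one side. The declaration belongs in a header that both the definition and this file include; which header is a project choice not visible here. The second argument is passed as `MAY_EXEC` in two of the hunks below and as a bare `0` in scan(), so the declaration should carry a comment saying which `op` values are accepted and what a nonzero return means.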
33312 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
33313         if (!p)
33314                 goto out;
33315  
33316 +       if (gr_handle_sysctl(p, MAY_EXEC))
33317 +               goto out;
33318 +
33319         err = ERR_PTR(-ENOMEM);
33320         inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
33321         if (h)
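Review bot: The new `goto out` is taken after `p` has been found, and the context lines show that `h` may be non-NULL at this point (`h ? h : head`, then `if (h)`). If the statement under `if (h)` releases a reference on `h`, which is outside the hunk, the denial path skips it and leaks that reference. The proc_sys_getattr hunk below has the same shape: `return -ENOENT;` follows a passed `IS_ERR(head)` check with no visible release of `head`. Both exits should run the same cleanup as the success path, for example `if (h) sysctl_head_finish(h);` before the `goto out` here, once the surrounding code is confirmed. The value left in `err` for a denied lookup is also set outside the hunk and should be checked to be the not-found result.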
33322 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header 
33323                 if (*pos < file->f_pos)
33324                         continue;
33325  
33326 +               if (gr_handle_sysctl(table, 0))
33327 +                       continue;
33328 +
33329                 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
33330                 if (res)
33331                         return res;
33332 @@ -344,6 +352,9 @@ static int proc_sys_getattr(struct vfsmo
33333         if (IS_ERR(head))
33334                 return PTR_ERR(head);
33335  
33336 +       if (table && gr_handle_sysctl(table, MAY_EXEC))
33337 +               return -ENOENT;
33338 +
33339         generic_fillattr(inode, stat);
33340         if (table)
33341                 stat->mode = (stat->mode & S_IFMT) | table->mode;
33342 diff -urNp linux-2.6.35.5/fs/proc/root.c linux-2.6.35.5/fs/proc/root.c
33343 --- linux-2.6.35.5/fs/proc/root.c       2010-08-26 19:47:12.000000000 -0400
33344 +++ linux-2.6.35.5/fs/proc/root.c       2010-09-17 20:12:37.000000000 -0400
33345 @@ -133,7 +133,15 @@ void __init proc_root_init(void)
33346  #ifdef CONFIG_PROC_DEVICETREE
33347         proc_device_tree_init();
33348  #endif
33349 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33350 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33351 +       proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
33352 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33353 +       proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
33354 +#endif
33355 +#else
33356         proc_mkdir("bus", NULL);
33357 +#endif
33358         proc_sys_init();
33359  }
33360  
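Review bot: With `CONFIG_GRKERNSEC_PROC_ADD` set and neither `CONFIG_GRKERNSEC_PROC_USER` nor `CONFIG_GRKERNSEC_PROC_USERGROUP`, the inner `#ifdef`/`#elif` has no fallback and the "bus" directory is never created. Kconfig may rule that combination out, but this is not visible here. The inner block should end with `#else` and `proc_mkdir("bus", NULL);`, or a comment should state the dependency. proc_root_init starts outside the hunk.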
33361 diff -urNp linux-2.6.35.5/fs/proc/task_mmu.c linux-2.6.35.5/fs/proc/task_mmu.c
33362 --- linux-2.6.35.5/fs/proc/task_mmu.c   2010-08-26 19:47:12.000000000 -0400
33363 +++ linux-2.6.35.5/fs/proc/task_mmu.c   2010-09-17 20:12:37.000000000 -0400
33364 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
33365                 "VmExe:\t%8lu kB\n"
33366                 "VmLib:\t%8lu kB\n"
33367                 "VmPTE:\t%8lu kB\n"
33368 -               "VmSwap:\t%8lu kB\n",
33369 -               hiwater_vm << (PAGE_SHIFT-10),
33370 +               "VmSwap:\t%8lu kB\n"
33371 +
33372 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33373 +               "CsBase:\t%8lx\nCsLim:\t%8lx\n"
33374 +#endif
33375 +
33376 +               ,hiwater_vm << (PAGE_SHIFT-10),
33377                 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
33378                 mm->locked_vm << (PAGE_SHIFT-10),
33379                 hiwater_rss << (PAGE_SHIFT-10),
33380 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
33381                 data << (PAGE_SHIFT-10),
33382                 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
33383                 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
33384 -               swap << (PAGE_SHIFT-10));
33385 +               swap << (PAGE_SHIFT-10)
33386 +
33387 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
33388 +               , mm->context.user_cs_base, mm->context.user_cs_limit
33389 +#endif
33390 +
33391 +       );
33392  }
33393  
33394  unsigned long task_vsize(struct mm_struct *mm)
33395 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
33396         return ret;
33397  }
33398  
33399 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33400 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33401 +                            (_mm->pax_flags & MF_PAX_RANDMMAP || \
33402 +                             _mm->pax_flags & MF_PAX_SEGMEXEC))
33403 +#endif
33404 +
33405  static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
33406  {
33407         struct mm_struct *mm = vma->vm_mm;
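Review bot: `PAX_RAND_FLAGS` expands its argument `_mm` several times without parentheses, so an argument that is a compound expression could bind incorrectly and would be evaluated repeatedly. Writing it as `((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))` removes the precedence risk and merges the two flag tests; a `static inline` function taking a `const struct mm_struct *` would also avoid the repeated evaluation. A comment should say what the macro decides; judging by the later hunks it selects the cases where another process's addresses are printed as zero.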
33408 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
33409         int flags = vma->vm_flags;
33410         unsigned long ino = 0;
33411         unsigned long long pgoff = 0;
33412 -       unsigned long start;
33413         dev_t dev = 0;
33414         int len;
33415  
33416 @@ -221,19 +237,24 @@ static void show_map_vma(struct seq_file
33417                 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
33418         }
33419  
33420 -       /* We don't show the stack guard page in /proc/maps */
33421 -       start = vma->vm_start;
33422 -       if (vma->vm_flags & VM_GROWSDOWN)
33423 -               start += PAGE_SIZE;
33424  
33425         seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
33426 -                       start,
33427 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33428 +                       PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
33429 +                       PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
33430 +#else
33431 +                       vma->vm_start,
33432                         vma->vm_end,
33433 +#endif
33434                         flags & VM_READ ? 'r' : '-',
33435                         flags & VM_WRITE ? 'w' : '-',
33436                         flags & VM_EXEC ? 'x' : '-',
33437                         flags & VM_MAYSHARE ? 's' : 'p',
33438 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33439 +                       PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
33440 +#else
33441                         pgoff,
33442 +#endif
33443                         MAJOR(dev), MINOR(dev), ino, &len);
33444  
33445         /*
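Review bot: With the `start` local gone, the first column prints `vma->vm_start` unadjusted, so for a `VM_GROWSDOWN` mapping the range again includes the page the removed comment called the stack guard page. If this tree handles the guard page differently elsewhere, which is not visible in this hunk, a one-line comment here should say so; otherwise the adjustment should be kept in the `#else` branch. In the pgoff argument, `0UL` and `pgoff` have different widths; the conditional still yields `unsigned long long` for `%08llx`, but writing `0ULL` would make that explicit. show_map_vma continues outside the hunk.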
33446 @@ -242,16 +263,16 @@ static void show_map_vma(struct seq_file
33447          */
33448         if (file) {
33449                 pad_len_spaces(m, len);
33450 -               seq_path(m, &file->f_path, "\n");
33451 +               seq_path(m, &file->f_path, "\n\\");
33452         } else {
33453                 const char *name = arch_vma_name(vma);
33454                 if (!name) {
33455                         if (mm) {
33456 -                               if (vma->vm_start <= mm->start_brk &&
33457 -                                               vma->vm_end >= mm->brk) {
33458 +                               if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
33459                                         name = "[heap]";
33460 -                               } else if (vma->vm_start <= mm->start_stack &&
33461 -                                          vma->vm_end >= mm->start_stack) {
33462 +                               } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
33463 +                                          (vma->vm_start <= mm->start_stack &&
33464 +                                           vma->vm_end >= mm->start_stack)) {
33465                                         name = "[stack]";
33466                                 }
33467                         } else {
33468 @@ -393,11 +414,16 @@ static int show_smap(struct seq_file *m,
33469         };
33470  
33471         memset(&mss, 0, sizeof mss);
33472 -       mss.vma = vma;
33473 -       /* mmap_sem is held in m_start */
33474 -       if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33475 -               walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33476 -
33477 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33478 +       if (!PAX_RAND_FLAGS(vma->vm_mm)) {
33479 +#endif
33480 +               mss.vma = vma;
33481 +               /* mmap_sem is held in m_start */
33482 +               if (vma->vm_mm && !is_vm_hugetlb_page(vma))
33483 +                       walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
33484 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33485 +       }
33486 +#endif
33487         show_map_vma(m, vma);
33488  
33489         seq_printf(m,
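Review bot: The opening `if (...) {` and its closing `}` each sit in their own `#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP` block, so the brace structure depends on the preprocessor and the extra indentation is misleading when the option is off. Giving the macro a fallback next to its definition, `#else` followed by `#define PAX_RAND_FLAGS(_mm) 0`, would let this become a plain `if (!PAX_RAND_FLAGS(vma->vm_mm)) {` with no conditionals. When the walk is skipped, `mss.vma` stays zeroed from the `memset`, so the code after the hunk should be checked for uses of `mss.vma`. show_smap starts and ends outside the hunk.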
33490 @@ -412,7 +438,11 @@ static int show_smap(struct seq_file *m,
33491                    "Swap:           %8lu kB\n"
33492                    "KernelPageSize: %8lu kB\n"
33493                    "MMUPageSize:    %8lu kB\n",
33494 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33495 +                  PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
33496 +#else
33497                    (vma->vm_end - vma->vm_start) >> 10,
33498 +#endif
33499                    mss.resident >> 10,
33500                    (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
33501                    mss.shared_clean  >> 10,
33502 diff -urNp linux-2.6.35.5/fs/proc/task_nommu.c linux-2.6.35.5/fs/proc/task_nommu.c
33503 --- linux-2.6.35.5/fs/proc/task_nommu.c 2010-08-26 19:47:12.000000000 -0400
33504 +++ linux-2.6.35.5/fs/proc/task_nommu.c 2010-09-17 20:12:09.000000000 -0400
33505 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
33506         else
33507                 bytes += kobjsize(mm);
33508         
33509 -       if (current->fs && current->fs->users > 1)
33510 +       if (current->fs && atomic_read(&current->fs->users) > 1)
33511                 sbytes += kobjsize(current->fs);
33512         else
33513                 bytes += kobjsize(current->fs);
33514 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
33515  
33516         if (file) {
33517                 pad_len_spaces(m, len);
33518 -               seq_path(m, &file->f_path, "");
33519 +               seq_path(m, &file->f_path, "\n\\");
33520         } else if (mm) {
33521                 if (vma->vm_start <= mm->start_stack &&
33522                         vma->vm_end >= mm->start_stack) {
33523 diff -urNp linux-2.6.35.5/fs/readdir.c linux-2.6.35.5/fs/readdir.c
33524 --- linux-2.6.35.5/fs/readdir.c 2010-08-26 19:47:12.000000000 -0400
33525 +++ linux-2.6.35.5/fs/readdir.c 2010-09-17 20:12:37.000000000 -0400
33526 @@ -16,6 +16,7 @@
33527  #include <linux/security.h>
33528  #include <linux/syscalls.h>
33529  #include <linux/unistd.h>
33530 +#include <linux/namei.h>
33531  
33532  #include <asm/uaccess.h>
33533  
33534 @@ -67,6 +68,7 @@ struct old_linux_dirent {
33535  
33536  struct readdir_callback {
33537         struct old_linux_dirent __user * dirent;
33538 +       struct file * file;
33539         int result;
33540  };
33541  
33542 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
33543                 buf->result = -EOVERFLOW;
33544                 return -EOVERFLOW;
33545         }
33546 +
33547 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33548 +               return 0;
33549 +
33550         buf->result++;
33551         dirent = buf->dirent;
33552         if (!access_ok(VERIFY_WRITE, dirent,
33553 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
33554  
33555         buf.result = 0;
33556         buf.dirent = dirent;
33557 +       buf.file = file;
33558  
33559         error = vfs_readdir(file, fillonedir, &buf);
33560         if (buf.result)
33561 @@ -142,6 +149,7 @@ struct linux_dirent {
33562  struct getdents_callback {
33563         struct linux_dirent __user * current_dir;
33564         struct linux_dirent __user * previous;
33565 +       struct file * file;
33566         int count;
33567         int error;
33568  };
33569 @@ -162,6 +170,10 @@ static int filldir(void * __buf, const c
33570                 buf->error = -EOVERFLOW;
33571                 return -EOVERFLOW;
33572         }
33573 +
33574 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33575 +               return 0;
33576 +
33577         dirent = buf->previous;
33578         if (dirent) {
33579                 if (__put_user(offset, &dirent->d_off))
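Review bot: Returning 0 for a hidden entry leaves `buf->error` at whatever the callback set earlier. The filldir64 hunk below shows it being set to `-EINVAL` ("only used if we fail") before the same new check, and filldir presumably does likewise above this hunk. If the syscall reports `buf->error` when no entry was stored, which is outside the hunk, a call in which every remaining entry is hidden would return `-EINVAL` instead of end-of-directory. Setting `buf->error = 0;` before the `return 0;`, or moving the check ahead of the `-EINVAL` assignment, avoids that in both callbacks. A comment should also state that a zero return from `gr_acl_handle_filldir` means the name is to be hidden.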
33580 @@ -209,6 +221,7 @@ SYSCALL_DEFINE3(getdents, unsigned int, 
33581         buf.previous = NULL;
33582         buf.count = count;
33583         buf.error = 0;
33584 +       buf.file = file;
33585  
33586         error = vfs_readdir(file, filldir, &buf);
33587         if (error >= 0)
33588 @@ -228,6 +241,7 @@ out:
33589  struct getdents_callback64 {
33590         struct linux_dirent64 __user * current_dir;
33591         struct linux_dirent64 __user * previous;
33592 +       struct file *file;
33593         int count;
33594         int error;
33595  };
33596 @@ -242,6 +256,10 @@ static int filldir64(void * __buf, const
33597         buf->error = -EINVAL;   /* only used if we fail.. */
33598         if (reclen > buf->count)
33599                 return -EINVAL;
33600 +
33601 +       if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
33602 +               return 0;
33603 +
33604         dirent = buf->previous;
33605         if (dirent) {
33606                 if (__put_user(offset, &dirent->d_off))
33607 @@ -289,6 +307,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
33608  
33609         buf.current_dir = dirent;
33610         buf.previous = NULL;
33611 +       buf.file = file;
33612         buf.count = count;
33613         buf.error = 0;
33614  
33615 diff -urNp linux-2.6.35.5/fs/reiserfs/do_balan.c linux-2.6.35.5/fs/reiserfs/do_balan.c
33616 --- linux-2.6.35.5/fs/reiserfs/do_balan.c       2010-08-26 19:47:12.000000000 -0400
33617 +++ linux-2.6.35.5/fs/reiserfs/do_balan.c       2010-09-17 20:12:09.000000000 -0400
33618 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
33619                 return;
33620         }
33621  
33622 -       atomic_inc(&(fs_generation(tb->tb_sb)));
33623 +       atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
33624         do_balance_starts(tb);
33625  
33626         /* balance leaf returns 0 except if combining L R and S into
33627 diff -urNp linux-2.6.35.5/fs/reiserfs/item_ops.c linux-2.6.35.5/fs/reiserfs/item_ops.c
33628 --- linux-2.6.35.5/fs/reiserfs/item_ops.c       2010-08-26 19:47:12.000000000 -0400
33629 +++ linux-2.6.35.5/fs/reiserfs/item_ops.c       2010-09-17 20:12:09.000000000 -0400
33630 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
33631                          vi->vi_index, vi->vi_type, vi->vi_ih);
33632  }
33633  
33634 -static struct item_operations stat_data_ops = {
33635 +static const struct item_operations stat_data_ops = {
33636         .bytes_number = sd_bytes_number,
33637         .decrement_key = sd_decrement_key,
33638         .is_left_mergeable = sd_is_left_mergeable,
33639 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
33640                          vi->vi_index, vi->vi_type, vi->vi_ih);
33641  }
33642  
33643 -static struct item_operations direct_ops = {
33644 +static const struct item_operations direct_ops = {
33645         .bytes_number = direct_bytes_number,
33646         .decrement_key = direct_decrement_key,
33647         .is_left_mergeable = direct_is_left_mergeable,
33648 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
33649                          vi->vi_index, vi->vi_type, vi->vi_ih);
33650  }
33651  
33652 -static struct item_operations indirect_ops = {
33653 +static const struct item_operations indirect_ops = {
33654         .bytes_number = indirect_bytes_number,
33655         .decrement_key = indirect_decrement_key,
33656         .is_left_mergeable = indirect_is_left_mergeable,
33657 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
33658         printk("\n");
33659  }
33660  
33661 -static struct item_operations direntry_ops = {
33662 +static const struct item_operations direntry_ops = {
33663         .bytes_number = direntry_bytes_number,
33664         .decrement_key = direntry_decrement_key,
33665         .is_left_mergeable = direntry_is_left_mergeable,
33666 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
33667                          "Invalid item type observed, run fsck ASAP");
33668  }
33669  
33670 -static struct item_operations errcatch_ops = {
33671 +static const struct item_operations errcatch_ops = {
33672         errcatch_bytes_number,
33673         errcatch_decrement_key,
33674         errcatch_is_left_mergeable,
33675 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
33676  #error Item types must use disk-format assigned values.
33677  #endif
33678  
33679 -struct item_operations *item_ops[TYPE_ANY + 1] = {
33680 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
33681         &stat_data_ops,
33682         &indirect_ops,
33683         &direct_ops,
33684 diff -urNp linux-2.6.35.5/fs/reiserfs/procfs.c linux-2.6.35.5/fs/reiserfs/procfs.c
33685 --- linux-2.6.35.5/fs/reiserfs/procfs.c 2010-08-26 19:47:12.000000000 -0400
33686 +++ linux-2.6.35.5/fs/reiserfs/procfs.c 2010-09-17 20:12:09.000000000 -0400
33687 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
33688                    "SMALL_TAILS " : "NO_TAILS ",
33689                    replay_only(sb) ? "REPLAY_ONLY " : "",
33690                    convert_reiserfs(sb) ? "CONV " : "",
33691 -                  atomic_read(&r->s_generation_counter),
33692 +                  atomic_read_unchecked(&r->s_generation_counter),
33693                    SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
33694                    SF(s_do_balance), SF(s_unneeded_left_neighbor),
33695                    SF(s_good_search_by_key_reada), SF(s_bmaps),
33696 diff -urNp linux-2.6.35.5/fs/select.c linux-2.6.35.5/fs/select.c
33697 --- linux-2.6.35.5/fs/select.c  2010-08-26 19:47:12.000000000 -0400
33698 +++ linux-2.6.35.5/fs/select.c  2010-09-17 20:12:37.000000000 -0400
33699 @@ -20,6 +20,7 @@
33700  #include <linux/module.h>
33701  #include <linux/slab.h>
33702  #include <linux/poll.h>
33703 +#include <linux/security.h>
33704  #include <linux/personality.h> /* for STICKY_TIMEOUTS */
33705  #include <linux/file.h>
33706  #include <linux/fdtable.h>
33707 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
33708         struct poll_list *walk = head;
33709         unsigned long todo = nfds;
33710  
33711 +       gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
33712         if (nfds > rlimit(RLIMIT_NOFILE))
33713                 return -EINVAL;
33714  
33715 diff -urNp linux-2.6.35.5/fs/seq_file.c linux-2.6.35.5/fs/seq_file.c
33716 --- linux-2.6.35.5/fs/seq_file.c        2010-08-26 19:47:12.000000000 -0400
33717 +++ linux-2.6.35.5/fs/seq_file.c        2010-09-17 20:12:09.000000000 -0400
33718 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m, 
33719                 return 0;
33720         }
33721         if (!m->buf) {
33722 -               m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33723 +               m->size = PAGE_SIZE;
33724 +               m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
33725                 if (!m->buf)
33726                         return -ENOMEM;
33727         }
33728 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m, 
33729  Eoverflow:
33730         m->op->stop(m, p);
33731         kfree(m->buf);
33732 -       m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33733 +       m->size <<= 1;
33734 +       m->buf = kmalloc(m->size, GFP_KERNEL);
33735         return !m->buf ? -ENOMEM : -EAGAIN;
33736  }
33737  
33738 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
33739         m->version = file->f_version;
33740         /* grab buffer if we didn't have one */
33741         if (!m->buf) {
33742 -               m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
33743 +               m->size = PAGE_SIZE;
33744 +               m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
33745                 if (!m->buf)
33746                         goto Enomem;
33747         }
33748 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
33749                         goto Fill;
33750                 m->op->stop(m, p);
33751                 kfree(m->buf);
33752 -               m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
33753 +               m->size <<= 1;
33754 +               m->buf = kmalloc(m->size, GFP_KERNEL);
33755                 if (!m->buf)
33756                         goto Enomem;
33757                 m->count = 0;
33758 diff -urNp linux-2.6.35.5/fs/smbfs/symlink.c linux-2.6.35.5/fs/smbfs/symlink.c
33759 --- linux-2.6.35.5/fs/smbfs/symlink.c   2010-08-26 19:47:12.000000000 -0400
33760 +++ linux-2.6.35.5/fs/smbfs/symlink.c   2010-09-17 20:12:09.000000000 -0400
33761 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
33762  
33763  static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
33764  {
33765 -       char *s = nd_get_link(nd);
33766 +       const char *s = nd_get_link(nd);
33767         if (!IS_ERR(s))
33768                 __putname(s);
33769  }
33770 diff -urNp linux-2.6.35.5/fs/splice.c linux-2.6.35.5/fs/splice.c
33771 --- linux-2.6.35.5/fs/splice.c  2010-08-26 19:47:12.000000000 -0400
33772 +++ linux-2.6.35.5/fs/splice.c  2010-09-17 20:12:09.000000000 -0400
33773 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
33774         pipe_lock(pipe);
33775  
33776         for (;;) {
33777 -               if (!pipe->readers) {
33778 +               if (!atomic_read(&pipe->readers)) {
33779                         send_sig(SIGPIPE, current, 0);
33780                         if (!ret)
33781                                 ret = -EPIPE;
33782 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
33783                         do_wakeup = 0;
33784                 }
33785  
33786 -               pipe->waiting_writers++;
33787 +               atomic_inc(&pipe->waiting_writers);
33788                 pipe_wait(pipe);
33789 -               pipe->waiting_writers--;
33790 +               atomic_dec(&pipe->waiting_writers);
33791         }
33792  
33793         pipe_unlock(pipe);
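Review bot: The `atomic_inc(&pipe->waiting_writers)` / `atomic_dec(&pipe->waiting_writers)` pair around pipe_wait() in splice_to_pipe() still gets its meaning from pipe_lock(), and nothing in the converted code says so. Making the counters atomic_t (the type change itself is outside this file section) makes each access indivisible, but the check-then-act sequences remain correct only under the pipe mutex. The same applies to the `atomic_read()` tests in splice_from_pipe_next(), ipipe_prep(), opipe_prep() and link_pipe(). A comment at the first use, for example `/* counters are atomic_t, but the readers/writers checks still rely on pipe_lock */`, would stop a later reader from treating these as lock-free. The enclosing functions start and end outside the hunks.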
33794 @@ -566,7 +566,7 @@ static ssize_t kernel_readv(struct file 
33795         old_fs = get_fs();
33796         set_fs(get_ds());
33797         /* The cast to a user pointer is valid due to the set_fs() */
33798 -       res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
33799 +       res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
33800         set_fs(old_fs);
33801  
33802         return res;
33803 @@ -581,7 +581,7 @@ static ssize_t kernel_write(struct file 
33804         old_fs = get_fs();
33805         set_fs(get_ds());
33806         /* The cast to a user pointer is valid due to the set_fs() */
33807 -       res = vfs_write(file, (const char __user *)buf, count, &pos);
33808 +       res = vfs_write(file, (__force const char __user *)buf, count, &pos);
33809         set_fs(old_fs);
33810  
33811         return res;
33812 @@ -634,7 +634,7 @@ ssize_t default_file_splice_read(struct 
33813                         goto err;
33814  
33815                 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
33816 -               vec[i].iov_base = (void __user *) page_address(page);
33817 +               vec[i].iov_base = (__force void __user *) page_address(page);
33818                 vec[i].iov_len = this_len;
33819                 spd.pages[i] = page;
33820                 spd.nr_pages++;
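Review bot: The `(__force void __user *) page_address(page)` cast in default_file_splice_read() stores a kernel address in a `__user` iovec with no explanation. The sibling casts in kernel_readv() and kernel_write() both carry the comment "The cast to a user pointer is valid due to the set_fs()". Since `__force` now removes the sparse warning that would flag a misuse, the invariant should be stated next to the cast, for example `/* kernel address: only valid while the vec is consumed under set_fs(get_ds()) */`. That the vector is later handed to kernel_readv() is inferred, because that call is outside this hunk.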
33821 @@ -861,10 +861,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
33822  int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
33823  {
33824         while (!pipe->nrbufs) {
33825 -               if (!pipe->writers)
33826 +               if (!atomic_read(&pipe->writers))
33827                         return 0;
33828  
33829 -               if (!pipe->waiting_writers && sd->num_spliced)
33830 +               if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
33831                         return 0;
33832  
33833                 if (sd->flags & SPLICE_F_NONBLOCK)
33834 @@ -1201,7 +1201,7 @@ ssize_t splice_direct_to_actor(struct fi
33835                  * out of the pipe right after the splice_to_pipe(). So set
33836                  * PIPE_READERS appropriately.
33837                  */
33838 -               pipe->readers = 1;
33839 +               atomic_set(&pipe->readers, 1);
33840  
33841                 current->splice_pipe = pipe;
33842         }
33843 @@ -1769,9 +1769,9 @@ static int ipipe_prep(struct pipe_inode_
33844                         ret = -ERESTARTSYS;
33845                         break;
33846                 }
33847 -               if (!pipe->writers)
33848 +               if (!atomic_read(&pipe->writers))
33849                         break;
33850 -               if (!pipe->waiting_writers) {
33851 +               if (!atomic_read(&pipe->waiting_writers)) {
33852                         if (flags & SPLICE_F_NONBLOCK) {
33853                                 ret = -EAGAIN;
33854                                 break;
33855 @@ -1803,7 +1803,7 @@ static int opipe_prep(struct pipe_inode_
33856         pipe_lock(pipe);
33857  
33858         while (pipe->nrbufs >= pipe->buffers) {
33859 -               if (!pipe->readers) {
33860 +               if (!atomic_read(&pipe->readers)) {
33861                         send_sig(SIGPIPE, current, 0);
33862                         ret = -EPIPE;
33863                         break;
33864 @@ -1816,9 +1816,9 @@ static int opipe_prep(struct pipe_inode_
33865                         ret = -ERESTARTSYS;
33866                         break;
33867                 }
33868 -               pipe->waiting_writers++;
33869 +               atomic_inc(&pipe->waiting_writers);
33870                 pipe_wait(pipe);
33871 -               pipe->waiting_writers--;
33872 +               atomic_dec(&pipe->waiting_writers);
33873         }
33874  
33875         pipe_unlock(pipe);
33876 @@ -1854,14 +1854,14 @@ retry:
33877         pipe_double_lock(ipipe, opipe);
33878  
33879         do {
33880 -               if (!opipe->readers) {
33881 +               if (!atomic_read(&opipe->readers)) {
33882                         send_sig(SIGPIPE, current, 0);
33883                         if (!ret)
33884                                 ret = -EPIPE;
33885                         break;
33886                 }
33887  
33888 -               if (!ipipe->nrbufs && !ipipe->writers)
33889 +               if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
33890                         break;
33891  
33892                 /*
33893 @@ -1961,7 +1961,7 @@ static int link_pipe(struct pipe_inode_i
33894         pipe_double_lock(ipipe, opipe);
33895  
33896         do {
33897 -               if (!opipe->readers) {
33898 +               if (!atomic_read(&opipe->readers)) {
33899                         send_sig(SIGPIPE, current, 0);
33900                         if (!ret)
33901                                 ret = -EPIPE;
33902 @@ -2006,7 +2006,7 @@ static int link_pipe(struct pipe_inode_i
33903          * return EAGAIN if we have the potential of some data in the
33904          * future, otherwise just return 0
33905          */
33906 -       if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
33907 +       if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
33908                 ret = -EAGAIN;
33909  
33910         pipe_unlock(ipipe);
33911 diff -urNp linux-2.6.35.5/fs/sysfs/symlink.c linux-2.6.35.5/fs/sysfs/symlink.c
33912 --- linux-2.6.35.5/fs/sysfs/symlink.c   2010-08-26 19:47:12.000000000 -0400
33913 +++ linux-2.6.35.5/fs/sysfs/symlink.c   2010-09-17 20:12:09.000000000 -0400
33914 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
33915  
33916  static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33917  {
33918 -       char *page = nd_get_link(nd);
33919 +       const char *page = nd_get_link(nd);
33920         if (!IS_ERR(page))
33921                 free_page((unsigned long)page);
33922  }
33923 diff -urNp linux-2.6.35.5/fs/udf/misc.c linux-2.6.35.5/fs/udf/misc.c
33924 --- linux-2.6.35.5/fs/udf/misc.c        2010-08-26 19:47:12.000000000 -0400
33925 +++ linux-2.6.35.5/fs/udf/misc.c        2010-09-17 20:12:09.000000000 -0400
33926 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
33927                 iinfo->i_lenEAttr += size;
33928                 return (struct genericFormat *)&ea[offset];
33929         }
33930 -       if (loc & 0x02)
33931 -               ;
33932 +       if (loc & 0x02) {
33933 +       }
33934  
33935         return NULL;
33936  }
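Review bot: The rewritten `if (loc & 0x02) { }` in udf_add_extendedattr() is still an empty branch, so a request with bit 0x02 set does nothing and falls through to `return NULL` with no indication of why. Either drop the conditional or keep it with a comment that records the intent, for example `/* loc & 0x02: not handled here, caller gets NULL */` if that is indeed the intended behaviour. The function begins outside the hunk, so the meaning of the bit should be confirmed against the part not shown.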
33937 diff -urNp linux-2.6.35.5/fs/udf/udfdecl.h linux-2.6.35.5/fs/udf/udfdecl.h
33938 --- linux-2.6.35.5/fs/udf/udfdecl.h     2010-08-26 19:47:12.000000000 -0400
33939 +++ linux-2.6.35.5/fs/udf/udfdecl.h     2010-09-17 20:12:09.000000000 -0400
33940 @@ -26,7 +26,7 @@ do { \
33941         printk(f, ##a); \
33942  } while (0)
33943  #else
33944 -#define udf_debug(f, a...) /**/
33945 +#define udf_debug(f, a...) do {} while (0)
33946  #endif
33947  
33948  #define udf_info(f, a...) \
33949 diff -urNp linux-2.6.35.5/fs/utimes.c linux-2.6.35.5/fs/utimes.c
33950 --- linux-2.6.35.5/fs/utimes.c  2010-08-26 19:47:12.000000000 -0400
33951 +++ linux-2.6.35.5/fs/utimes.c  2010-09-17 20:12:37.000000000 -0400
33952 @@ -1,6 +1,7 @@
33953  #include <linux/compiler.h>
33954  #include <linux/file.h>
33955  #include <linux/fs.h>
33956 +#include <linux/security.h>
33957  #include <linux/linkage.h>
33958  #include <linux/mount.h>
33959  #include <linux/namei.h>
33960 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
33961                                 goto mnt_drop_write_and_out;
33962                 }
33963         }
33964 +
33965 +       if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
33966 +               error = -EACCES;
33967 +               goto mnt_drop_write_and_out;
33968 +       }
33969 +
33970         mutex_lock(&inode->i_mutex);
33971         error = notify_change(path->dentry, &newattrs);
33972         mutex_unlock(&inode->i_mutex);
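Review bot: The added `if (!gr_acl_handle_utime(path->dentry, path->mnt))` treats a zero return as denial, the reverse of the 0-means-success convention used by the surrounding `error` handling, and nothing at the call site says so. A comment such as `/* gr_acl_handle_utime() returns 0 when RBAC denies the timestamp change */` would guard against a later inverted edit; the helper is defined outside this hunk, so confirm the convention there. The check also runs before `mutex_lock(&inode->i_mutex)`, so whatever it evaluates for `path->dentry` is not serialized with notify_change() by that mutex, which is worth a word in the comment if it is intended. utimes_common() starts and ends outside the hunk.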
33973 diff -urNp linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c
33974 --- linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c 2010-08-26 19:47:12.000000000 -0400
33975 +++ linux-2.6.35.5/fs/xfs/linux-2.6/xfs_ioctl.c 2010-09-17 20:12:37.000000000 -0400
33976 @@ -136,7 +136,7 @@ xfs_find_handle(
33977         }
33978  
33979         error = -EFAULT;
33980 -       if (copy_to_user(hreq->ohandle, &handle, hsize) ||
33981 +       if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
33982             copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
33983                 goto out_put;
33984  
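Review bot: The new `hsize > sizeof(handle)` guard in xfs_find_handle() is folded into the `copy_to_user()` condition, so an oversized length is reported as `-EFAULT`, the same code as a bad user pointer. The bound is what keeps `copy_to_user()` from reading past `handle` into adjacent kernel memory. Tripping it would mean the size computation earlier in the function (outside this hunk) went wrong, which deserves its own visible path: `if (hsize > sizeof(handle)) { error = -EINVAL; goto out_put; }` placed before the copy. A short comment naming the over-read it prevents would also keep the check from being removed as redundant later.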
33985 diff -urNp linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c
33986 --- linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c  2010-08-26 19:47:12.000000000 -0400
33987 +++ linux-2.6.35.5/fs/xfs/linux-2.6/xfs_iops.c  2010-09-17 20:12:09.000000000 -0400
33988 @@ -480,7 +480,7 @@ xfs_vn_put_link(
33989         struct nameidata *nd,
33990         void            *p)
33991  {
33992 -       char            *s = nd_get_link(nd);
33993 +       const char      *s = nd_get_link(nd);
33994  
33995         if (!IS_ERR(s))
33996                 kfree(s);
33997 diff -urNp linux-2.6.35.5/fs/xfs/xfs_bmap.c linux-2.6.35.5/fs/xfs/xfs_bmap.c
33998 --- linux-2.6.35.5/fs/xfs/xfs_bmap.c    2010-08-26 19:47:12.000000000 -0400
33999 +++ linux-2.6.35.5/fs/xfs/xfs_bmap.c    2010-09-17 20:12:09.000000000 -0400
34000 @@ -296,7 +296,7 @@ xfs_bmap_validate_ret(
34001         int                     nmap,
34002         int                     ret_nmap);
34003  #else
34004 -#define        xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34005 +#define        xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34006  #endif /* DEBUG */
34007  
34008  STATIC int
34009 diff -urNp linux-2.6.35.5/grsecurity/gracl_alloc.c linux-2.6.35.5/grsecurity/gracl_alloc.c
34010 --- linux-2.6.35.5/grsecurity/gracl_alloc.c     1969-12-31 19:00:00.000000000 -0500
34011 +++ linux-2.6.35.5/grsecurity/gracl_alloc.c     2010-09-17 20:12:37.000000000 -0400
34012 @@ -0,0 +1,105 @@
34013 +#include <linux/kernel.h>
34014 +#include <linux/mm.h>
34015 +#include <linux/slab.h>
34016 +#include <linux/vmalloc.h>
34017 +#include <linux/gracl.h>
34018 +#include <linux/grsecurity.h>
34019 +
34020 +static unsigned long alloc_stack_next = 1;
34021 +static unsigned long alloc_stack_size = 1;
34022 +static void **alloc_stack;
34023 +
34024 +static __inline__ int
34025 +alloc_pop(void)
34026 +{
34027 +       if (alloc_stack_next == 1)
34028 +               return 0;
34029 +
34030 +       kfree(alloc_stack[alloc_stack_next - 2]);
34031 +
34032 +       alloc_stack_next--;
34033 +
34034 +       return 1;
34035 +}
34036 +
34037 +static __inline__ int
34038 +alloc_push(void *buf)
34039 +{
34040 +       if (alloc_stack_next >= alloc_stack_size)
34041 +               return 1;
34042 +
34043 +       alloc_stack[alloc_stack_next - 1] = buf;
34044 +
34045 +       alloc_stack_next++;
34046 +
34047 +       return 0;
34048 +}
34049 +
34050 +void *
34051 +acl_alloc(unsigned long len)
34052 +{
34053 +       void *ret = NULL;
34054 +
34055 +       if (!len || len > PAGE_SIZE)
34056 +               goto out;
34057 +
34058 +       ret = kmalloc(len, GFP_KERNEL);
34059 +
34060 +       if (ret) {
34061 +               if (alloc_push(ret)) {
34062 +                       kfree(ret);
34063 +                       ret = NULL;
34064 +               }
34065 +       }
34066 +
34067 +out:
34068 +       return ret;
34069 +}
34070 +
34071 +void *
34072 +acl_alloc_num(unsigned long num, unsigned long len)
34073 +{
34074 +       if (!len || (num > (PAGE_SIZE / len)))
34075 +               return NULL;
34076 +
34077 +       return acl_alloc(num * len);
34078 +}
34079 +
34080 +void
34081 +acl_free_all(void)
34082 +{
34083 +       if (gr_acl_is_enabled() || !alloc_stack)
34084 +               return;
34085 +
34086 +       while (alloc_pop()) ;
34087 +
34088 +       if (alloc_stack) {
34089 +               if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34090 +                       kfree(alloc_stack);
34091 +               else
34092 +                       vfree(alloc_stack);
34093 +       }
34094 +
34095 +       alloc_stack = NULL;
34096 +       alloc_stack_size = 1;
34097 +       alloc_stack_next = 1;
34098 +
34099 +       return;
34100 +}
34101 +
34102 +int
34103 +acl_alloc_stack_init(unsigned long size)
34104 +{
34105 +       if ((size * sizeof (void *)) <= PAGE_SIZE)
34106 +               alloc_stack =
34107 +                   (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34108 +       else
34109 +               alloc_stack = (void **) vmalloc(size * sizeof (void *));
34110 +
34111 +       alloc_stack_size = size;
34112 +
34113 +       if (!alloc_stack)
34114 +               return 0;
34115 +       else
34116 +               return 1;
34117 +}
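Review bot: acl_alloc_stack_init() multiplies `size * sizeof (void *)` without an overflow check and records `alloc_stack_size = size` even when the allocation fails. If `size` can be influenced by a loaded policy (the caller is not in this hunk), a wrapped product yields a short array while alloc_push() keeps accepting entries up to the unwrapped count, writing past the allocation. After a failed allocation whose return value is ignored, acl_alloc() would reach alloc_push() with `alloc_stack` still NULL. Rejecting counts above `ULONG_MAX / sizeof (void *)` and publishing the size only on success closes both cases, and the casts on kmalloc()/vmalloc() can go at the same time. acl_free_all() recomputes the same product to choose between kfree() and vfree(), so it stays consistent once the product cannot wrap.

```c
int
acl_alloc_stack_init(unsigned long size)
{
	unsigned long bytes;

	/* reject element counts whose byte size would wrap */
	if (size > ULONG_MAX / sizeof (void *))
		return 0;
	bytes = size * sizeof (void *);

	if (bytes <= PAGE_SIZE)
		alloc_stack = kmalloc(bytes, GFP_KERNEL);
	else
		alloc_stack = vmalloc(bytes);

	if (!alloc_stack)
		return 0;

	/* publish the capacity only once the backing array exists */
	alloc_stack_size = size;
	return 1;
}
```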
34118 diff -urNp linux-2.6.35.5/grsecurity/gracl.c linux-2.6.35.5/grsecurity/gracl.c
34119 --- linux-2.6.35.5/grsecurity/gracl.c   1969-12-31 19:00:00.000000000 -0500
34120 +++ linux-2.6.35.5/grsecurity/gracl.c   2010-09-17 20:18:36.000000000 -0400
34121 @@ -0,0 +1,3922 @@
34122 +#include <linux/kernel.h>
34123 +#include <linux/module.h>
34124 +#include <linux/sched.h>
34125 +#include <linux/mm.h>
34126 +#include <linux/file.h>
34127 +#include <linux/fs.h>
34128 +#include <linux/namei.h>
34129 +#include <linux/mount.h>
34130 +#include <linux/tty.h>
34131 +#include <linux/proc_fs.h>
34132 +#include <linux/smp_lock.h>
34133 +#include <linux/slab.h>
34134 +#include <linux/vmalloc.h>
34135 +#include <linux/types.h>
34136 +#include <linux/sysctl.h>
34137 +#include <linux/netdevice.h>
34138 +#include <linux/ptrace.h>
34139 +#include <linux/gracl.h>
34140 +#include <linux/gralloc.h>
34141 +#include <linux/grsecurity.h>
34142 +#include <linux/grinternal.h>
34143 +#include <linux/pid_namespace.h>
34144 +#include <linux/fdtable.h>
34145 +#include <linux/percpu.h>
34146 +
34147 +#include <asm/uaccess.h>
34148 +#include <asm/errno.h>
34149 +#include <asm/mman.h>
34150 +
34151 +static struct acl_role_db acl_role_set;
34152 +static struct name_db name_set;
34153 +static struct inodev_db inodev_set;
34154 +
34155 +/* for keeping track of userspace pointers used for subjects, so we
34156 +   can share references in the kernel as well
34157 +*/
34158 +
34159 +static struct dentry *real_root;
34160 +static struct vfsmount *real_root_mnt;
34161 +
34162 +static struct acl_subj_map_db subj_map_set;
34163 +
34164 +static struct acl_role_label *default_role;
34165 +
34166 +static struct acl_role_label *role_list;
34167 +
34168 +static u16 acl_sp_role_value;
34169 +
34170 +extern char *gr_shared_page[4];
34171 +static DECLARE_MUTEX(gr_dev_sem);
34172 +DEFINE_RWLOCK(gr_inode_lock);
34173 +
34174 +struct gr_arg *gr_usermode;
34175 +
34176 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
34177 +
34178 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34179 +extern void gr_clear_learn_entries(void);
34180 +
34181 +#ifdef CONFIG_GRKERNSEC_RESLOG
34182 +extern void gr_log_resource(const struct task_struct *task,
34183 +                           const int res, const unsigned long wanted, const int gt);
34184 +#endif
34185 +
34186 +unsigned char *gr_system_salt;
34187 +unsigned char *gr_system_sum;
34188 +
34189 +static struct sprole_pw **acl_special_roles = NULL;
34190 +static __u16 num_sprole_pws = 0;
34191 +
34192 +static struct acl_role_label *kernel_role = NULL;
34193 +
34194 +static unsigned int gr_auth_attempts = 0;
34195 +static unsigned long gr_auth_expires = 0UL;
34196 +
34197 +extern struct vfsmount *sock_mnt;
34198 +extern struct vfsmount *pipe_mnt;
34199 +extern struct vfsmount *shm_mnt;
34200 +#ifdef CONFIG_HUGETLBFS
34201 +extern struct vfsmount *hugetlbfs_vfsmount;
34202 +#endif
34203 +
34204 +static struct acl_object_label *fakefs_obj;
34205 +
34206 +extern int gr_init_uidset(void);
34207 +extern void gr_free_uidset(void);
34208 +extern void gr_remove_uid(uid_t uid);
34209 +extern int gr_find_uid(uid_t uid);
34210 +
34211 +extern spinlock_t vfsmount_lock;
34212 +
34213 +__inline__ int
34214 +gr_acl_is_enabled(void)
34215 +{
34216 +       return (gr_status & GR_READY);
34217 +}
34218 +
34219 +char gr_roletype_to_char(void)
34220 +{
34221 +       switch (current->role->roletype &
34222 +               (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
34223 +                GR_ROLE_SPECIAL)) {
34224 +       case GR_ROLE_DEFAULT:
34225 +               return 'D';
34226 +       case GR_ROLE_USER:
34227 +               return 'U';
34228 +       case GR_ROLE_GROUP:
34229 +               return 'G';
34230 +       case GR_ROLE_SPECIAL:
34231 +               return 'S';
34232 +       }
34233 +
34234 +       return 'X';
34235 +}
34236 +
34237 +__inline__ int
34238 +gr_acl_tpe_check(void)
34239 +{
34240 +       if (unlikely(!(gr_status & GR_READY)))
34241 +               return 0;
34242 +       if (current->role->roletype & GR_ROLE_TPE)
34243 +               return 1;
34244 +       else
34245 +               return 0;
34246 +}
34247 +
34248 +int
34249 +gr_handle_rawio(const struct inode *inode)
34250 +{
34251 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
34252 +       if (inode && S_ISBLK(inode->i_mode) &&
34253 +           grsec_enable_chroot_caps && proc_is_chrooted(current) &&
34254 +           !capable(CAP_SYS_RAWIO))
34255 +               return 1;
34256 +#endif
34257 +       return 0;
34258 +}
34259 +
34260 +static int
34261 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
34262 +{
34263 +       if (likely(lena != lenb))
34264 +               return 0;
34265 +
34266 +       return !memcmp(a, b, lena);
34267 +}
34268 +
34269 +static char * __our_d_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34270 +                          struct dentry *root, struct vfsmount *rootmnt,
34271 +                          char *buffer, int buflen)
34272 +{
34273 +       char * end = buffer+buflen;
34274 +       char * retval;
34275 +       int namelen;
34276 +
34277 +       spin_lock(&vfsmount_lock);
34278 +       *--end = '\0';
34279 +       buflen--;
34280 +
34281 +       if (buflen < 1)
34282 +               goto Elong;
34283 +       /* Get '/' right */
34284 +       retval = end-1;
34285 +       *retval = '/';
34286 +
34287 +       for (;;) {
34288 +               struct dentry * parent;
34289 +
34290 +               if (dentry == root && vfsmnt == rootmnt)
34291 +                       break;
34292 +               if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
34293 +                       /* Global root? */
34294 +                       if (vfsmnt->mnt_parent == vfsmnt) {
34295 +                               goto global_root;
34296 +                       }
34297 +                       dentry = vfsmnt->mnt_mountpoint;
34298 +                       vfsmnt = vfsmnt->mnt_parent;
34299 +                       continue;
34300 +               }
34301 +               parent = dentry->d_parent;
34302 +               prefetch(parent);
34303 +               namelen = dentry->d_name.len;
34304 +               buflen -= namelen + 1;
34305 +               if (buflen < 0)
34306 +                       goto Elong;
34307 +               end -= namelen;
34308 +               memcpy(end, dentry->d_name.name, namelen);
34309 +               *--end = '/';
34310 +               retval = end;
34311 +               dentry = parent;
34312 +       }
34313 +
34314 +out:
34315 +       spin_unlock(&vfsmount_lock);
34316 +       return retval;
34317 +
34318 +global_root:
34319 +       namelen = dentry->d_name.len;
34320 +       buflen -= namelen;
34321 +       if (buflen < 0)
34322 +               goto Elong;
34323 +       retval -= namelen-1;    /* hit the slash */
34324 +       memcpy(retval, dentry->d_name.name, namelen);
34325 +       goto out;
34326 +Elong:
34327 +       retval = ERR_PTR(-ENAMETOOLONG);
34328 +       goto out;
34329 +}
34330 +
34331 +static char *
34332 +gen_full_path(struct dentry *dentry, struct vfsmount *vfsmnt,
34333 +              struct dentry *root, struct vfsmount *rootmnt, char *buf, int buflen)
34334 +{
34335 +       char *retval;
34336 +
34337 +       retval = __our_d_path(dentry, vfsmnt, root, rootmnt, buf, buflen);
34338 +       if (unlikely(IS_ERR(retval)))
34339 +               retval = strcpy(buf, "<path too long>");
34340 +       else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
34341 +               retval[1] = '\0';
34342 +
34343 +       return retval;
34344 +}
34345 +
34346 +static char *
34347 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34348 +               char *buf, int buflen)
34349 +{
34350 +       char *res;
34351 +
34352 +       /* we can use real_root, real_root_mnt, because this is only called
34353 +          by the RBAC system */
34354 +       res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, real_root, real_root_mnt, buf, buflen);
34355 +
34356 +       return res;
34357 +}
34358 +
34359 +static char *
34360 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
34361 +           char *buf, int buflen)
34362 +{
34363 +       char *res;
34364 +       struct dentry *root;
34365 +       struct vfsmount *rootmnt;
34366 +       struct task_struct *reaper = &init_task;
34367 +
34368 +       /* we can't use real_root, real_root_mnt, because they belong only to the RBAC system */
34369 +       read_lock(&reaper->fs->lock);
34370 +       root = dget(reaper->fs->root.dentry);
34371 +       rootmnt = mntget(reaper->fs->root.mnt);
34372 +       read_unlock(&reaper->fs->lock);
34373 +
34374 +       spin_lock(&dcache_lock);
34375 +       res = gen_full_path((struct dentry *)dentry, (struct vfsmount *)vfsmnt, root, rootmnt, buf, buflen);
34376 +       spin_unlock(&dcache_lock);
34377 +
34378 +       dput(root);
34379 +       mntput(rootmnt);
34380 +       return res;
34381 +}
34382 +
34383 +static char *
34384 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
34385 +{
34386 +       char *ret;
34387 +       spin_lock(&dcache_lock);
34388 +       ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34389 +                            PAGE_SIZE);
34390 +       spin_unlock(&dcache_lock);
34391 +       return ret;
34392 +}
34393 +
34394 +char *
34395 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
34396 +{
34397 +       return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
34398 +                            PAGE_SIZE);
34399 +}
34400 +
34401 +char *
34402 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
34403 +{
34404 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
34405 +                          PAGE_SIZE);
34406 +}
34407 +
34408 +char *
34409 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
34410 +{
34411 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
34412 +                          PAGE_SIZE);
34413 +}
34414 +
34415 +char *
34416 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
34417 +{
34418 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
34419 +                          PAGE_SIZE);
34420 +}
34421 +
34422 +char *
34423 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
34424 +{
34425 +       return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
34426 +                          PAGE_SIZE);
34427 +}
34428 +
34429 +__inline__ __u32
34430 +to_gr_audit(const __u32 reqmode)
34431 +{
34432 +       /* masks off auditable permission flags, then shifts them to create
34433 +          auditing flags, and adds the special case of append auditing if
34434 +          we're requesting write */
34435 +       return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
34436 +}
34437 +
34438 +struct acl_subject_label *
34439 +lookup_subject_map(const struct acl_subject_label *userp)
34440 +{
34441 +       unsigned int index = shash(userp, subj_map_set.s_size);
34442 +       struct subject_map *match;
34443 +
34444 +       match = subj_map_set.s_hash[index];
34445 +
34446 +       while (match && match->user != userp)
34447 +               match = match->next;
34448 +
34449 +       if (match != NULL)
34450 +               return match->kernel;
34451 +       else
34452 +               return NULL;
34453 +}
34454 +
34455 +static void
34456 +insert_subj_map_entry(struct subject_map *subjmap)
34457 +{
34458 +       unsigned int index = shash(subjmap->user, subj_map_set.s_size);
34459 +       struct subject_map **curr;
34460 +
34461 +       subjmap->prev = NULL;
34462 +
34463 +       curr = &subj_map_set.s_hash[index];
34464 +       if (*curr != NULL)
34465 +               (*curr)->prev = subjmap;
34466 +
34467 +       subjmap->next = *curr;
34468 +       *curr = subjmap;
34469 +
34470 +       return;
34471 +}
34472 +
34473 +static struct acl_role_label *
34474 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
34475 +                     const gid_t gid)
34476 +{
34477 +       unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
34478 +       struct acl_role_label *match;
34479 +       struct role_allowed_ip *ipp;
34480 +       unsigned int x;
34481 +
34482 +       match = acl_role_set.r_hash[index];
34483 +
34484 +       while (match) {
34485 +               if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
34486 +                       for (x = 0; x < match->domain_child_num; x++) {
34487 +                               if (match->domain_children[x] == uid)
34488 +                                       goto found;
34489 +                       }
34490 +               } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
34491 +                       break;
34492 +               match = match->next;
34493 +       }
34494 +found:
34495 +       if (match == NULL) {
34496 +             try_group:
34497 +               index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
34498 +               match = acl_role_set.r_hash[index];
34499 +
34500 +               while (match) {
34501 +                       if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
34502 +                               for (x = 0; x < match->domain_child_num; x++) {
34503 +                                       if (match->domain_children[x] == gid)
34504 +                                               goto found2;
34505 +                               }
34506 +                       } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
34507 +                               break;
34508 +                       match = match->next;
34509 +               }
34510 +found2:
34511 +               if (match == NULL)
34512 +                       match = default_role;
34513 +               if (match->allowed_ips == NULL)
34514 +                       return match;
34515 +               else {
34516 +                       for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34517 +                               if (likely
34518 +                                   ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34519 +                                    (ntohl(ipp->addr) & ipp->netmask)))
34520 +                                       return match;
34521 +                       }
34522 +                       match = default_role;
34523 +               }
34524 +       } else if (match->allowed_ips == NULL) {
34525 +               return match;
34526 +       } else {
34527 +               for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
34528 +                       if (likely
34529 +                           ((ntohl(task->signal->curr_ip) & ipp->netmask) ==
34530 +                            (ntohl(ipp->addr) & ipp->netmask)))
34531 +                               return match;
34532 +               }
34533 +               goto try_group;
34534 +       }
34535 +
34536 +       return match;
34537 +}
34538 +
34539 +struct acl_subject_label *
34540 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
34541 +                     const struct acl_role_label *role)
34542 +{
34543 +       unsigned int index = fhash(ino, dev, role->subj_hash_size);
34544 +       struct acl_subject_label *match;
34545 +
34546 +       match = role->subj_hash[index];
34547 +
34548 +       while (match && (match->inode != ino || match->device != dev ||
34549 +              (match->mode & GR_DELETED))) {
34550 +               match = match->next;
34551 +       }
34552 +
34553 +       if (match && !(match->mode & GR_DELETED))
34554 +               return match;
34555 +       else
34556 +               return NULL;
34557 +}
34558 +
34559 +struct acl_subject_label *
34560 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
34561 +                         const struct acl_role_label *role)
34562 +{
34563 +       unsigned int index = fhash(ino, dev, role->subj_hash_size);
34564 +       struct acl_subject_label *match;
34565 +
34566 +       match = role->subj_hash[index];
34567 +
34568 +       while (match && (match->inode != ino || match->device != dev ||
34569 +              !(match->mode & GR_DELETED))) {
34570 +               match = match->next;
34571 +       }
34572 +
34573 +       if (match && (match->mode & GR_DELETED))
34574 +               return match;
34575 +       else
34576 +               return NULL;
34577 +}
34578 +
34579 +static struct acl_object_label *
34580 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
34581 +                    const struct acl_subject_label *subj)
34582 +{
34583 +       unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34584 +       struct acl_object_label *match;
34585 +
34586 +       match = subj->obj_hash[index];
34587 +
34588 +       while (match && (match->inode != ino || match->device != dev ||
34589 +              (match->mode & GR_DELETED))) {
34590 +               match = match->next;
34591 +       }
34592 +
34593 +       if (match && !(match->mode & GR_DELETED))
34594 +               return match;
34595 +       else
34596 +               return NULL;
34597 +}
34598 +
34599 +static struct acl_object_label *
34600 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
34601 +                    const struct acl_subject_label *subj)
34602 +{
34603 +       unsigned int index = fhash(ino, dev, subj->obj_hash_size);
34604 +       struct acl_object_label *match;
34605 +
34606 +       match = subj->obj_hash[index];
34607 +
34608 +       while (match && (match->inode != ino || match->device != dev ||
34609 +              !(match->mode & GR_DELETED))) {
34610 +               match = match->next;
34611 +       }
34612 +
34613 +       if (match && (match->mode & GR_DELETED))
34614 +               return match;
34615 +
34616 +       match = subj->obj_hash[index];
34617 +
34618 +       while (match && (match->inode != ino || match->device != dev ||
34619 +              (match->mode & GR_DELETED))) {
34620 +               match = match->next;
34621 +       }
34622 +
34623 +       if (match && !(match->mode & GR_DELETED))
34624 +               return match;
34625 +       else
34626 +               return NULL;
34627 +}
34628 +
34629 +static struct name_entry *
34630 +lookup_name_entry(const char *name)
34631 +{
34632 +       unsigned int len = strlen(name);
34633 +       unsigned int key = full_name_hash(name, len);
34634 +       unsigned int index = key % name_set.n_size;
34635 +       struct name_entry *match;
34636 +
34637 +       match = name_set.n_hash[index];
34638 +
34639 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
34640 +               match = match->next;
34641 +
34642 +       return match;
34643 +}
34644 +
34645 +static struct name_entry *
34646 +lookup_name_entry_create(const char *name)
34647 +{
34648 +       unsigned int len = strlen(name);
34649 +       unsigned int key = full_name_hash(name, len);
34650 +       unsigned int index = key % name_set.n_size;
34651 +       struct name_entry *match;
34652 +
34653 +       match = name_set.n_hash[index];
34654 +
34655 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34656 +                        !match->deleted))
34657 +               match = match->next;
34658 +
34659 +       if (match && match->deleted)
34660 +               return match;
34661 +
34662 +       match = name_set.n_hash[index];
34663 +
34664 +       while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
34665 +                        match->deleted))
34666 +               match = match->next;
34667 +
34668 +       if (match && !match->deleted)
34669 +               return match;
34670 +       else
34671 +               return NULL;
34672 +}
34673 +
34674 +static struct inodev_entry *
34675 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
34676 +{
34677 +       unsigned int index = fhash(ino, dev, inodev_set.i_size);
34678 +       struct inodev_entry *match;
34679 +
34680 +       match = inodev_set.i_hash[index];
34681 +
34682 +       while (match && (match->nentry->inode != ino || match->nentry->device != dev))
34683 +               match = match->next;
34684 +
34685 +       return match;
34686 +}
34687 +
34688 +static void
34689 +insert_inodev_entry(struct inodev_entry *entry)
34690 +{
34691 +       unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
34692 +                                   inodev_set.i_size);
34693 +       struct inodev_entry **curr;
34694 +
34695 +       entry->prev = NULL;
34696 +
34697 +       curr = &inodev_set.i_hash[index];
34698 +       if (*curr != NULL)
34699 +               (*curr)->prev = entry;
34700 +       
34701 +       entry->next = *curr;
34702 +       *curr = entry;
34703 +
34704 +       return;
34705 +}
34706 +
34707 +static void
34708 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
34709 +{
34710 +       unsigned int index =
34711 +           rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
34712 +       struct acl_role_label **curr;
34713 +       struct acl_role_label *tmp;
34714 +
34715 +       curr = &acl_role_set.r_hash[index];
34716 +
34717 +       /* if role was already inserted due to domains and already has
34718 +          a role in the same bucket as it attached, then we need to
34719 +          combine these two buckets
34720 +       */
34721 +       if (role->next) {
34722 +               tmp = role->next;
34723 +               while (tmp->next)
34724 +                       tmp = tmp->next;
34725 +               tmp->next = *curr;
34726 +       } else
34727 +               role->next = *curr;
34728 +       *curr = role;
34729 +
34730 +       return;
34731 +}
34732 +
34733 +static void
34734 +insert_acl_role_label(struct acl_role_label *role)
34735 +{
34736 +       int i;
34737 +
34738 +       if (role_list == NULL) {
34739 +               role_list = role;
34740 +               role->prev = NULL;
34741 +       } else {
34742 +               role->prev = role_list;
34743 +               role_list = role;
34744 +       }
34745 +       
34746 +       /* used for hash chains */
34747 +       role->next = NULL;
34748 +
34749 +       if (role->roletype & GR_ROLE_DOMAIN) {
34750 +               for (i = 0; i < role->domain_child_num; i++)
34751 +                       __insert_acl_role_label(role, role->domain_children[i]);
34752 +       } else
34753 +               __insert_acl_role_label(role, role->uidgid);
34754 +}
34755 +                                       
34756 +static int
34757 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
34758 +{
34759 +       struct name_entry **curr, *nentry;
34760 +       struct inodev_entry *ientry;
34761 +       unsigned int len = strlen(name);
34762 +       unsigned int key = full_name_hash(name, len);
34763 +       unsigned int index = key % name_set.n_size;
34764 +
34765 +       curr = &name_set.n_hash[index];
34766 +
34767 +       while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
34768 +               curr = &((*curr)->next);
34769 +
34770 +       if (*curr != NULL)
34771 +               return 1;
34772 +
34773 +       nentry = acl_alloc(sizeof (struct name_entry));
34774 +       if (nentry == NULL)
34775 +               return 0;
34776 +       ientry = acl_alloc(sizeof (struct inodev_entry));
34777 +       if (ientry == NULL)
34778 +               return 0;
34779 +       ientry->nentry = nentry;
34780 +
34781 +       nentry->key = key;
34782 +       nentry->name = name;
34783 +       nentry->inode = inode;
34784 +       nentry->device = device;
34785 +       nentry->len = len;
34786 +       nentry->deleted = deleted;
34787 +
34788 +       nentry->prev = NULL;
34789 +       curr = &name_set.n_hash[index];
34790 +       if (*curr != NULL)
34791 +               (*curr)->prev = nentry;
34792 +       nentry->next = *curr;
34793 +       *curr = nentry;
34794 +
34795 +       /* insert us into the table searchable by inode/dev */
34796 +       insert_inodev_entry(ientry);
34797 +
34798 +       return 1;
34799 +}
34800 +
34801 +static void
34802 +insert_acl_obj_label(struct acl_object_label *obj,
34803 +                    struct acl_subject_label *subj)
34804 +{
34805 +       unsigned int index =
34806 +           fhash(obj->inode, obj->device, subj->obj_hash_size);
34807 +       struct acl_object_label **curr;
34808 +
34809 +       
34810 +       obj->prev = NULL;
34811 +
34812 +       curr = &subj->obj_hash[index];
34813 +       if (*curr != NULL)
34814 +               (*curr)->prev = obj;
34815 +
34816 +       obj->next = *curr;
34817 +       *curr = obj;
34818 +
34819 +       return;
34820 +}
34821 +
34822 +static void
34823 +insert_acl_subj_label(struct acl_subject_label *obj,
34824 +                     struct acl_role_label *role)
34825 +{
34826 +       unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
34827 +       struct acl_subject_label **curr;
34828 +
34829 +       obj->prev = NULL;
34830 +
34831 +       curr = &role->subj_hash[index];
34832 +       if (*curr != NULL)
34833 +               (*curr)->prev = obj;
34834 +
34835 +       obj->next = *curr;
34836 +       *curr = obj;
34837 +
34838 +       return;
34839 +}
34840 +
34841 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
34842 +
34843 +static void *
34844 +create_table(__u32 * len, int elementsize)
34845 +{
34846 +       unsigned int table_sizes[] = {
34847 +               7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
34848 +               32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
34849 +               4194301, 8388593, 16777213, 33554393, 67108859
34850 +       };
34851 +       void *newtable = NULL;
34852 +       unsigned int pwr = 0;
34853 +
34854 +       while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
34855 +              table_sizes[pwr] <= *len)
34856 +               pwr++;
34857 +
34858 +       if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
34859 +               return newtable;
34860 +
34861 +       if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
34862 +               newtable =
34863 +                   kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
34864 +       else
34865 +               newtable = vmalloc(table_sizes[pwr] * elementsize);
34866 +
34867 +       *len = table_sizes[pwr];
34868 +
34869 +       return newtable;
34870 +}
34871 +
34872 +static int
34873 +init_variables(const struct gr_arg *arg)
34874 +{
34875 +       struct task_struct *reaper = &init_task;
34876 +       unsigned int stacksize;
34877 +
34878 +       subj_map_set.s_size = arg->role_db.num_subjects;
34879 +       acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
34880 +       name_set.n_size = arg->role_db.num_objects;
34881 +       inodev_set.i_size = arg->role_db.num_objects;
34882 +
34883 +       if (!subj_map_set.s_size || !acl_role_set.r_size ||
34884 +           !name_set.n_size || !inodev_set.i_size)
34885 +               return 1;
34886 +
34887 +       if (!gr_init_uidset())
34888 +               return 1;
34889 +
34890 +       /* set up the stack that holds allocation info */
34891 +
34892 +       stacksize = arg->role_db.num_pointers + 5;
34893 +
34894 +       if (!acl_alloc_stack_init(stacksize))
34895 +               return 1;
34896 +
34897 +       /* grab reference for the real root dentry and vfsmount */
34898 +       read_lock(&reaper->fs->lock);
34899 +       real_root_mnt = mntget(reaper->fs->root.mnt);
34900 +       real_root = dget(reaper->fs->root.dentry);
34901 +       read_unlock(&reaper->fs->lock);
34902 +       
34903 +       fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
34904 +       if (fakefs_obj == NULL)
34905 +               return 1;
34906 +       fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
34907 +
34908 +       subj_map_set.s_hash =
34909 +           (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
34910 +       acl_role_set.r_hash =
34911 +           (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
34912 +       name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
34913 +       inodev_set.i_hash =
34914 +           (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
34915 +
34916 +       if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
34917 +           !name_set.n_hash || !inodev_set.i_hash)
34918 +               return 1;
34919 +
34920 +       memset(subj_map_set.s_hash, 0,
34921 +              sizeof(struct subject_map *) * subj_map_set.s_size);
34922 +       memset(acl_role_set.r_hash, 0,
34923 +              sizeof (struct acl_role_label *) * acl_role_set.r_size);
34924 +       memset(name_set.n_hash, 0,
34925 +              sizeof (struct name_entry *) * name_set.n_size);
34926 +       memset(inodev_set.i_hash, 0,
34927 +              sizeof (struct inodev_entry *) * inodev_set.i_size);
34928 +
34929 +       return 0;
34930 +}
34931 +
34932 +/* free information not needed after startup
34933 +   currently contains user->kernel pointer mappings for subjects
34934 +*/
34935 +
34936 +static void
34937 +free_init_variables(void)
34938 +{
34939 +       __u32 i;
34940 +
34941 +       if (subj_map_set.s_hash) {
34942 +               for (i = 0; i < subj_map_set.s_size; i++) {
34943 +                       if (subj_map_set.s_hash[i]) {
34944 +                               kfree(subj_map_set.s_hash[i]);
34945 +                               subj_map_set.s_hash[i] = NULL;
34946 +                       }
34947 +               }
34948 +
34949 +               if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
34950 +                   PAGE_SIZE)
34951 +                       kfree(subj_map_set.s_hash);
34952 +               else
34953 +                       vfree(subj_map_set.s_hash);
34954 +       }
34955 +
34956 +       return;
34957 +}
34958 +
34959 +static void
34960 +free_variables(void)
34961 +{
34962 +       struct acl_subject_label *s;
34963 +       struct acl_role_label *r;
34964 +       struct task_struct *task, *task2;
34965 +       unsigned int x;
34966 +
34967 +       gr_clear_learn_entries();
34968 +
34969 +       read_lock(&tasklist_lock);
34970 +       do_each_thread(task2, task) {
34971 +               task->acl_sp_role = 0;
34972 +               task->acl_role_id = 0;
34973 +               task->acl = NULL;
34974 +               task->role = NULL;
34975 +       } while_each_thread(task2, task);
34976 +       read_unlock(&tasklist_lock);
34977 +
34978 +       /* release the reference to the real root dentry and vfsmount */
34979 +       if (real_root)
34980 +               dput(real_root);
34981 +       real_root = NULL;
34982 +       if (real_root_mnt)
34983 +               mntput(real_root_mnt);
34984 +       real_root_mnt = NULL;
34985 +
34986 +       /* free all object hash tables */
34987 +
34988 +       FOR_EACH_ROLE_START(r)
34989 +               if (r->subj_hash == NULL)
34990 +                       goto next_role;
34991 +               FOR_EACH_SUBJECT_START(r, s, x)
34992 +                       if (s->obj_hash == NULL)
34993 +                               break;
34994 +                       if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
34995 +                               kfree(s->obj_hash);
34996 +                       else
34997 +                               vfree(s->obj_hash);
34998 +               FOR_EACH_SUBJECT_END(s, x)
34999 +               FOR_EACH_NESTED_SUBJECT_START(r, s)
35000 +                       if (s->obj_hash == NULL)
35001 +                               break;
35002 +                       if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35003 +                               kfree(s->obj_hash);
35004 +                       else
35005 +                               vfree(s->obj_hash);
35006 +               FOR_EACH_NESTED_SUBJECT_END(s)
35007 +               if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35008 +                       kfree(r->subj_hash);
35009 +               else
35010 +                       vfree(r->subj_hash);
35011 +               r->subj_hash = NULL;
35012 +next_role:
35013 +       FOR_EACH_ROLE_END(r)
35014 +
35015 +       acl_free_all();
35016 +
35017 +       if (acl_role_set.r_hash) {
35018 +               if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35019 +                   PAGE_SIZE)
35020 +                       kfree(acl_role_set.r_hash);
35021 +               else
35022 +                       vfree(acl_role_set.r_hash);
35023 +       }
35024 +       if (name_set.n_hash) {
35025 +               if ((name_set.n_size * sizeof (struct name_entry *)) <=
35026 +                   PAGE_SIZE)
35027 +                       kfree(name_set.n_hash);
35028 +               else
35029 +                       vfree(name_set.n_hash);
35030 +       }
35031 +
35032 +       if (inodev_set.i_hash) {
35033 +               if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35034 +                   PAGE_SIZE)
35035 +                       kfree(inodev_set.i_hash);
35036 +               else
35037 +                       vfree(inodev_set.i_hash);
35038 +       }
35039 +
35040 +       gr_free_uidset();
35041 +
35042 +       memset(&name_set, 0, sizeof (struct name_db));
35043 +       memset(&inodev_set, 0, sizeof (struct inodev_db));
35044 +       memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35045 +       memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35046 +
35047 +       default_role = NULL;
35048 +       role_list = NULL;
35049 +
35050 +       return;
35051 +}
35052 +
35053 +static __u32
35054 +count_user_objs(struct acl_object_label *userp)
35055 +{
35056 +       struct acl_object_label o_tmp;
35057 +       __u32 num = 0;
35058 +
35059 +       while (userp) {
35060 +               if (copy_from_user(&o_tmp, userp,
35061 +                                  sizeof (struct acl_object_label)))
35062 +                       break;
35063 +
35064 +               userp = o_tmp.prev;
35065 +               num++;
35066 +       }
35067 +
35068 +       return num;
35069 +}
35070 +
35071 +static struct acl_subject_label *
35072 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35073 +
35074 +static int
35075 +copy_user_glob(struct acl_object_label *obj)
35076 +{
35077 +       struct acl_object_label *g_tmp, **guser;
35078 +       unsigned int len;
35079 +       char *tmp;
35080 +
35081 +       if (obj->globbed == NULL)
35082 +               return 0;
35083 +
35084 +       guser = &obj->globbed;
35085 +       while (*guser) {
35086 +               g_tmp = (struct acl_object_label *)
35087 +                       acl_alloc(sizeof (struct acl_object_label));
35088 +               if (g_tmp == NULL)
35089 +                       return -ENOMEM;
35090 +
35091 +               if (copy_from_user(g_tmp, *guser,
35092 +                                  sizeof (struct acl_object_label)))
35093 +                       return -EFAULT;
35094 +
35095 +               len = strnlen_user(g_tmp->filename, PATH_MAX);
35096 +
35097 +               if (!len || len >= PATH_MAX)
35098 +                       return -EINVAL;
35099 +
35100 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
35101 +                       return -ENOMEM;
35102 +
35103 +               if (copy_from_user(tmp, g_tmp->filename, len))
35104 +                       return -EFAULT;
35105 +               tmp[len-1] = '\0';
35106 +               g_tmp->filename = tmp;
35107 +
35108 +               *guser = g_tmp;
35109 +               guser = &(g_tmp->next);
35110 +       }
35111 +
35112 +       return 0;
35113 +}
35114 +
35115 +static int
35116 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35117 +              struct acl_role_label *role)
35118 +{
35119 +       struct acl_object_label *o_tmp;
35120 +       unsigned int len;
35121 +       int ret;
35122 +       char *tmp;
35123 +
35124 +       while (userp) {
35125 +               if ((o_tmp = (struct acl_object_label *)
35126 +                    acl_alloc(sizeof (struct acl_object_label))) == NULL)
35127 +                       return -ENOMEM;
35128 +
35129 +               if (copy_from_user(o_tmp, userp,
35130 +                                  sizeof (struct acl_object_label)))
35131 +                       return -EFAULT;
35132 +
35133 +               userp = o_tmp->prev;
35134 +
35135 +               len = strnlen_user(o_tmp->filename, PATH_MAX);
35136 +
35137 +               if (!len || len >= PATH_MAX)
35138 +                       return -EINVAL;
35139 +
35140 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
35141 +                       return -ENOMEM;
35142 +
35143 +               if (copy_from_user(tmp, o_tmp->filename, len))
35144 +                       return -EFAULT;
35145 +               tmp[len-1] = '\0';
35146 +               o_tmp->filename = tmp;
35147 +
35148 +               insert_acl_obj_label(o_tmp, subj);
35149 +               if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
35150 +                                      o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
35151 +                       return -ENOMEM;
35152 +
35153 +               ret = copy_user_glob(o_tmp);
35154 +               if (ret)
35155 +                       return ret;
35156 +
35157 +               if (o_tmp->nested) {
35158 +                       o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
35159 +                       if (IS_ERR(o_tmp->nested))
35160 +                               return PTR_ERR(o_tmp->nested);
35161 +
35162 +                       /* insert into nested subject list */
35163 +                       o_tmp->nested->next = role->hash->first;
35164 +                       role->hash->first = o_tmp->nested;
35165 +               }
35166 +       }
35167 +
35168 +       return 0;
35169 +}
35170 +
35171 +static __u32
35172 +count_user_subjs(struct acl_subject_label *userp)
35173 +{
35174 +       struct acl_subject_label s_tmp;
35175 +       __u32 num = 0;
35176 +
35177 +       while (userp) {
35178 +               if (copy_from_user(&s_tmp, userp,
35179 +                                  sizeof (struct acl_subject_label)))
35180 +                       break;
35181 +
35182 +               userp = s_tmp.prev;
35183 +               /* do not count nested subjects against this count, since
35184 +                  they are not included in the hash table, but are
35185 +                  attached to objects.  We have already counted
35186 +                  the subjects in userspace for the allocation 
35187 +                  stack
35188 +               */
35189 +               if (!(s_tmp.mode & GR_NESTED))
35190 +                       num++;
35191 +       }
35192 +
35193 +       return num;
35194 +}
35195 +
35196 +static int
35197 +copy_user_allowedips(struct acl_role_label *rolep)
35198 +{
35199 +       struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35200 +
35201 +       ruserip = rolep->allowed_ips;
35202 +
35203 +       while (ruserip) {
35204 +               rlast = rtmp;
35205 +
35206 +               if ((rtmp = (struct role_allowed_ip *)
35207 +                    acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35208 +                       return -ENOMEM;
35209 +
35210 +               if (copy_from_user(rtmp, ruserip,
35211 +                                  sizeof (struct role_allowed_ip)))
35212 +                       return -EFAULT;
35213 +
35214 +               ruserip = rtmp->prev;
35215 +
35216 +               if (!rlast) {
35217 +                       rtmp->prev = NULL;
35218 +                       rolep->allowed_ips = rtmp;
35219 +               } else {
35220 +                       rlast->next = rtmp;
35221 +                       rtmp->prev = rlast;
35222 +               }
35223 +
35224 +               if (!ruserip)
35225 +                       rtmp->next = NULL;
35226 +       }
35227 +
35228 +       return 0;
35229 +}
35230 +
35231 +static int
35232 +copy_user_transitions(struct acl_role_label *rolep)
35233 +{
35234 +       struct role_transition *rusertp, *rtmp = NULL, *rlast;
35235 +       
35236 +       unsigned int len;
35237 +       char *tmp;
35238 +
35239 +       rusertp = rolep->transitions;
35240 +
35241 +       while (rusertp) {
35242 +               rlast = rtmp;
35243 +
35244 +               if ((rtmp = (struct role_transition *)
35245 +                    acl_alloc(sizeof (struct role_transition))) == NULL)
35246 +                       return -ENOMEM;
35247 +
35248 +               if (copy_from_user(rtmp, rusertp,
35249 +                                  sizeof (struct role_transition)))
35250 +                       return -EFAULT;
35251 +
35252 +               rusertp = rtmp->prev;
35253 +
35254 +               len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35255 +
35256 +               if (!len || len >= GR_SPROLE_LEN)
35257 +                       return -EINVAL;
35258 +
35259 +               if ((tmp = (char *) acl_alloc(len)) == NULL)
35260 +                       return -ENOMEM;
35261 +
35262 +               if (copy_from_user(tmp, rtmp->rolename, len))
35263 +                       return -EFAULT;
35264 +               tmp[len-1] = '\0';
35265 +               rtmp->rolename = tmp;
35266 +
35267 +               if (!rlast) {
35268 +                       rtmp->prev = NULL;
35269 +                       rolep->transitions = rtmp;
35270 +               } else {
35271 +                       rlast->next = rtmp;
35272 +                       rtmp->prev = rlast;
35273 +               }
35274 +
35275 +               if (!rusertp)
35276 +                       rtmp->next = NULL;
35277 +       }
35278 +
35279 +       return 0;
35280 +}
35281 +
35282 +static struct acl_subject_label *
35283 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
35284 +{
35285 +       struct acl_subject_label *s_tmp = NULL, *s_tmp2;
35286 +       unsigned int len;
35287 +       char *tmp;
35288 +       __u32 num_objs;
35289 +       struct acl_ip_label **i_tmp, *i_utmp2;
35290 +       struct gr_hash_struct ghash;
35291 +       struct subject_map *subjmap;
35292 +       unsigned int i_num;
35293 +       int err;
35294 +
35295 +       s_tmp = lookup_subject_map(userp);
35296 +
35297 +       /* we've already copied this subject into the kernel, just return
35298 +          the reference to it, and don't copy it over again
35299 +       */
35300 +       if (s_tmp)
35301 +               return(s_tmp);
35302 +
35303 +       if ((s_tmp = (struct acl_subject_label *)
35304 +           acl_alloc(sizeof (struct acl_subject_label))) == NULL)
35305 +               return ERR_PTR(-ENOMEM);
35306 +
35307 +       subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
35308 +       if (subjmap == NULL)
35309 +               return ERR_PTR(-ENOMEM);
35310 +
35311 +       subjmap->user = userp;
35312 +       subjmap->kernel = s_tmp;
35313 +       insert_subj_map_entry(subjmap);
35314 +
35315 +       if (copy_from_user(s_tmp, userp,
35316 +                          sizeof (struct acl_subject_label)))
35317 +               return ERR_PTR(-EFAULT);
35318 +
35319 +       len = strnlen_user(s_tmp->filename, PATH_MAX);
35320 +
35321 +       if (!len || len >= PATH_MAX)
35322 +               return ERR_PTR(-EINVAL);
35323 +
35324 +       if ((tmp = (char *) acl_alloc(len)) == NULL)
35325 +               return ERR_PTR(-ENOMEM);
35326 +
35327 +       if (copy_from_user(tmp, s_tmp->filename, len))
35328 +               return ERR_PTR(-EFAULT);
35329 +       tmp[len-1] = '\0';
35330 +       s_tmp->filename = tmp;
35331 +
35332 +       if (!strcmp(s_tmp->filename, "/"))
35333 +               role->root_label = s_tmp;
35334 +
35335 +       if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
35336 +               return ERR_PTR(-EFAULT);
35337 +
35338 +       /* copy user and group transition tables */
35339 +
35340 +       if (s_tmp->user_trans_num) {
35341 +               uid_t *uidlist;
35342 +
35343 +               uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
35344 +               if (uidlist == NULL)
35345 +                       return ERR_PTR(-ENOMEM);
35346 +               if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
35347 +                       return ERR_PTR(-EFAULT);
35348 +
35349 +               s_tmp->user_transitions = uidlist;
35350 +       }
35351 +
35352 +       if (s_tmp->group_trans_num) {
35353 +               gid_t *gidlist;
35354 +
35355 +               gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
35356 +               if (gidlist == NULL)
35357 +                       return ERR_PTR(-ENOMEM);
35358 +               if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
35359 +                       return ERR_PTR(-EFAULT);
35360 +
35361 +               s_tmp->group_transitions = gidlist;
35362 +       }
35363 +
35364 +       /* set up object hash table */
35365 +       num_objs = count_user_objs(ghash.first);
35366 +
35367 +       s_tmp->obj_hash_size = num_objs;
35368 +       s_tmp->obj_hash =
35369 +           (struct acl_object_label **)
35370 +           create_table(&(s_tmp->obj_hash_size), sizeof(void *));
35371 +
35372 +       if (!s_tmp->obj_hash)
35373 +               return ERR_PTR(-ENOMEM);
35374 +
35375 +       memset(s_tmp->obj_hash, 0,
35376 +              s_tmp->obj_hash_size *
35377 +              sizeof (struct acl_object_label *));
35378 +
35379 +       /* add in objects */
35380 +       err = copy_user_objs(ghash.first, s_tmp, role);
35381 +
35382 +       if (err)
35383 +               return ERR_PTR(err);
35384 +
35385 +       /* set pointer for parent subject */
35386 +       if (s_tmp->parent_subject) {
35387 +               s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
35388 +
35389 +               if (IS_ERR(s_tmp2))
35390 +                       return s_tmp2;
35391 +
35392 +               s_tmp->parent_subject = s_tmp2;
35393 +       }
35394 +
35395 +       /* add in ip acls */
35396 +
35397 +       if (!s_tmp->ip_num) {
35398 +               s_tmp->ips = NULL;
35399 +               goto insert;
35400 +       }
35401 +
35402 +       i_tmp =
35403 +           (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
35404 +                                              sizeof (struct acl_ip_label *));
35405 +
35406 +       if (!i_tmp)
35407 +               return ERR_PTR(-ENOMEM);
35408 +
35409 +       for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
35410 +               *(i_tmp + i_num) =
35411 +                   (struct acl_ip_label *)
35412 +                   acl_alloc(sizeof (struct acl_ip_label));
35413 +               if (!*(i_tmp + i_num))
35414 +                       return ERR_PTR(-ENOMEM);
35415 +
35416 +               if (copy_from_user
35417 +                   (&i_utmp2, s_tmp->ips + i_num,
35418 +                    sizeof (struct acl_ip_label *)))
35419 +                       return ERR_PTR(-EFAULT);
35420 +
35421 +               if (copy_from_user
35422 +                   (*(i_tmp + i_num), i_utmp2,
35423 +                    sizeof (struct acl_ip_label)))
35424 +                       return ERR_PTR(-EFAULT);
35425 +               
35426 +               if ((*(i_tmp + i_num))->iface == NULL)
35427 +                       continue;
35428 +
35429 +               len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
35430 +               if (!len || len >= IFNAMSIZ)
35431 +                       return ERR_PTR(-EINVAL);
35432 +               tmp = acl_alloc(len);
35433 +               if (tmp == NULL)
35434 +                       return ERR_PTR(-ENOMEM);
35435 +               if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
35436 +                       return ERR_PTR(-EFAULT);
35437 +               (*(i_tmp + i_num))->iface = tmp;
35438 +       }
35439 +
35440 +       s_tmp->ips = i_tmp;
35441 +
35442 +insert:
35443 +       if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
35444 +                              s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
35445 +               return ERR_PTR(-ENOMEM);
35446 +
35447 +       return s_tmp;
35448 +}
35449 +
35450 +static int
35451 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
35452 +{
35453 +       struct acl_subject_label s_pre;
35454 +       struct acl_subject_label * ret;
35455 +       int err;
35456 +
35457 +       while (userp) {
35458 +               if (copy_from_user(&s_pre, userp,
35459 +                                  sizeof (struct acl_subject_label)))
35460 +                       return -EFAULT;
35461 +               
35462 +               /* do not add nested subjects here, add
35463 +                  while parsing objects
35464 +               */
35465 +
35466 +               if (s_pre.mode & GR_NESTED) {
35467 +                       userp = s_pre.prev;
35468 +                       continue;
35469 +               }
35470 +
35471 +               ret = do_copy_user_subj(userp, role);
35472 +
35473 +               err = PTR_ERR(ret);
35474 +               if (IS_ERR(ret))
35475 +                       return err;
35476 +
35477 +               insert_acl_subj_label(ret, role);
35478 +
35479 +               userp = s_pre.prev;
35480 +       }
35481 +
35482 +       return 0;
35483 +}
35484 +
35485 +static int
35486 +copy_user_acl(struct gr_arg *arg)
35487 +{
35488 +       struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
35489 +       struct sprole_pw *sptmp;
35490 +       struct gr_hash_struct *ghash;
35491 +       uid_t *domainlist;
35492 +       unsigned int r_num;
35493 +       unsigned int len;
35494 +       char *tmp;
35495 +       int err = 0;
35496 +       __u16 i;
35497 +       __u32 num_subjs;
35498 +
35499 +       /* we need a default and kernel role */
35500 +       if (arg->role_db.num_roles < 2)
35501 +               return -EINVAL;
35502 +
35503 +       /* copy special role authentication info from userspace */
35504 +
35505 +       num_sprole_pws = arg->num_sprole_pws;
35506 +       acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
35507 +
35508 +       if (!acl_special_roles) {
35509 +               err = -ENOMEM;
35510 +               goto cleanup;
35511 +       }
35512 +
35513 +       for (i = 0; i < num_sprole_pws; i++) {
35514 +               sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
35515 +               if (!sptmp) {
35516 +                       err = -ENOMEM;
35517 +                       goto cleanup;
35518 +               }
35519 +               if (copy_from_user(sptmp, arg->sprole_pws + i,
35520 +                                  sizeof (struct sprole_pw))) {
35521 +                       err = -EFAULT;
35522 +                       goto cleanup;
35523 +               }
35524 +
35525 +               len =
35526 +                   strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
35527 +
35528 +               if (!len || len >= GR_SPROLE_LEN) {
35529 +                       err = -EINVAL;
35530 +                       goto cleanup;
35531 +               }
35532 +
35533 +               if ((tmp = (char *) acl_alloc(len)) == NULL) {
35534 +                       err = -ENOMEM;
35535 +                       goto cleanup;
35536 +               }
35537 +
35538 +               if (copy_from_user(tmp, sptmp->rolename, len)) {
35539 +                       err = -EFAULT;
35540 +                       goto cleanup;
35541 +               }
35542 +               tmp[len-1] = '\0';
35543 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
35544 +               printk(KERN_ALERT "Copying special role %s\n", tmp);
35545 +#endif
35546 +               sptmp->rolename = tmp;
35547 +               acl_special_roles[i] = sptmp;
35548 +       }
35549 +
35550 +       r_utmp = (struct acl_role_label **) arg->role_db.r_table;
35551 +
35552 +       for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
35553 +               r_tmp = acl_alloc(sizeof (struct acl_role_label));
35554 +
35555 +               if (!r_tmp) {
35556 +                       err = -ENOMEM;
35557 +                       goto cleanup;
35558 +               }
35559 +
35560 +               if (copy_from_user(&r_utmp2, r_utmp + r_num,
35561 +                                  sizeof (struct acl_role_label *))) {
35562 +                       err = -EFAULT;
35563 +                       goto cleanup;
35564 +               }
35565 +
35566 +               if (copy_from_user(r_tmp, r_utmp2,
35567 +                                  sizeof (struct acl_role_label))) {
35568 +                       err = -EFAULT;
35569 +                       goto cleanup;
35570 +               }
35571 +
35572 +               len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
35573 +
35574 +               if (!len || len >= PATH_MAX) {
35575 +                       err = -EINVAL;
35576 +                       goto cleanup;
35577 +               }
35578 +
35579 +               if ((tmp = (char *) acl_alloc(len)) == NULL) {
35580 +                       err = -ENOMEM;
35581 +                       goto cleanup;
35582 +               }
35583 +               if (copy_from_user(tmp, r_tmp->rolename, len)) {
35584 +                       err = -EFAULT;
35585 +                       goto cleanup;
35586 +               }
35587 +               tmp[len-1] = '\0';
35588 +               r_tmp->rolename = tmp;
35589 +
35590 +               if (!strcmp(r_tmp->rolename, "default")
35591 +                   && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
35592 +                       default_role = r_tmp;
35593 +               } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
35594 +                       kernel_role = r_tmp;
35595 +               }
35596 +
35597 +               if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
35598 +                       err = -ENOMEM;
35599 +                       goto cleanup;
35600 +               }
35601 +               if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
35602 +                       err = -EFAULT;
35603 +                       goto cleanup;
35604 +               }
35605 +
35606 +               r_tmp->hash = ghash;
35607 +
35608 +               num_subjs = count_user_subjs(r_tmp->hash->first);
35609 +
35610 +               r_tmp->subj_hash_size = num_subjs;
35611 +               r_tmp->subj_hash =
35612 +                   (struct acl_subject_label **)
35613 +                   create_table(&(r_tmp->subj_hash_size), sizeof(void *));
35614 +
35615 +               if (!r_tmp->subj_hash) {
35616 +                       err = -ENOMEM;
35617 +                       goto cleanup;
35618 +               }
35619 +
35620 +               err = copy_user_allowedips(r_tmp);
35621 +               if (err)
35622 +                       goto cleanup;
35623 +
35624 +               /* copy domain info */
35625 +               if (r_tmp->domain_children != NULL) {
35626 +                       domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
35627 +                       if (domainlist == NULL) {
35628 +                               err = -ENOMEM;
35629 +                               goto cleanup;
35630 +                       }
35631 +                       if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
35632 +                               err = -EFAULT;
35633 +                               goto cleanup;
35634 +                       }
35635 +                       r_tmp->domain_children = domainlist;
35636 +               }
35637 +
35638 +               err = copy_user_transitions(r_tmp);
35639 +               if (err)
35640 +                       goto cleanup;
35641 +
35642 +               memset(r_tmp->subj_hash, 0,
35643 +                      r_tmp->subj_hash_size *
35644 +                      sizeof (struct acl_subject_label *));
35645 +
35646 +               err = copy_user_subjs(r_tmp->hash->first, r_tmp);
35647 +
35648 +               if (err)
35649 +                       goto cleanup;
35650 +
35651 +               /* set nested subject list to null */
35652 +               r_tmp->hash->first = NULL;
35653 +
35654 +               insert_acl_role_label(r_tmp);
35655 +       }
35656 +
35657 +       goto return_err;
35658 +      cleanup:
35659 +       free_variables();
35660 +      return_err:
35661 +       return err;
35662 +
35663 +}
35664 +
35665 +static int
35666 +gracl_init(struct gr_arg *args)
35667 +{
35668 +       int error = 0;
35669 +
35670 +       memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
35671 +       memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
35672 +
35673 +       if (init_variables(args)) {
35674 +               gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
35675 +               error = -ENOMEM;
35676 +               free_variables();
35677 +               goto out;
35678 +       }
35679 +
35680 +       error = copy_user_acl(args);
35681 +       free_init_variables();
35682 +       if (error) {
35683 +               free_variables();
35684 +               goto out;
35685 +       }
35686 +
35687 +       if ((error = gr_set_acls(0))) {
35688 +               free_variables();
35689 +               goto out;
35690 +       }
35691 +
35692 +       pax_open_kernel();
35693 +       gr_status |= GR_READY;
35694 +       pax_close_kernel();
35695 +
35696 +      out:
35697 +       return error;
35698 +}
35699 +
35700 +/* derived from glibc fnmatch() 0: match, 1: no match*/
35701 +
35702 +static int
35703 +glob_match(const char *p, const char *n)
35704 +{
35705 +       char c;
35706 +
35707 +       while ((c = *p++) != '\0') {
35708 +       switch (c) {
35709 +               case '?':
35710 +                       if (*n == '\0')
35711 +                               return 1;
35712 +                       else if (*n == '/')
35713 +                               return 1;
35714 +                       break;
35715 +               case '\\':
35716 +                       if (*n != c)
35717 +                               return 1;
35718 +                       break;
35719 +               case '*':
35720 +                       for (c = *p++; c == '?' || c == '*'; c = *p++) {
35721 +                               if (*n == '/')
35722 +                                       return 1;
35723 +                               else if (c == '?') {
35724 +                                       if (*n == '\0')
35725 +                                               return 1;
35726 +                                       else
35727 +                                               ++n;
35728 +                               }
35729 +                       }
35730 +                       if (c == '\0') {
35731 +                               return 0;
35732 +                       } else {
35733 +                               const char *endp;
35734 +
35735 +                               if ((endp = strchr(n, '/')) == NULL)
35736 +                                       endp = n + strlen(n);
35737 +
35738 +                               if (c == '[') {
35739 +                                       for (--p; n < endp; ++n)
35740 +                                               if (!glob_match(p, n))
35741 +                                                       return 0;
35742 +                               } else if (c == '/') {
35743 +                                       while (*n != '\0' && *n != '/')
35744 +                                               ++n;
35745 +                                       if (*n == '/' && !glob_match(p, n + 1))
35746 +                                               return 0;
35747 +                               } else {
35748 +                                       for (--p; n < endp; ++n)
35749 +                                               if (*n == c && !glob_match(p, n))
35750 +                                                       return 0;
35751 +                               }
35752 +
35753 +                               return 1;
35754 +                       }
35755 +               case '[':
35756 +                       {
35757 +                       int not;
35758 +                       char cold;
35759 +
35760 +                       if (*n == '\0' || *n == '/')
35761 +                               return 1;
35762 +
35763 +                       not = (*p == '!' || *p == '^');
35764 +                       if (not)
35765 +                               ++p;
35766 +
35767 +                       c = *p++;
35768 +                       for (;;) {
35769 +                               unsigned char fn = (unsigned char)*n;
35770 +
35771 +                               if (c == '\0')
35772 +                                       return 1;
35773 +                               else {
35774 +                                       if (c == fn)
35775 +                                               goto matched;
35776 +                                       cold = c;
35777 +                                       c = *p++;
35778 +
35779 +                                       if (c == '-' && *p != ']') {
35780 +                                               unsigned char cend = *p++;
35781 +
35782 +                                               if (cend == '\0')
35783 +                                                       return 1;
35784 +
35785 +                                               if (cold <= fn && fn <= cend)
35786 +                                                       goto matched;
35787 +
35788 +                                               c = *p++;
35789 +                                       }
35790 +                               }
35791 +
35792 +                               if (c == ']')
35793 +                                       break;
35794 +                       }
35795 +                       if (!not)
35796 +                               return 1;
35797 +                       break;
35798 +               matched:
35799 +                       while (c != ']') {
35800 +                               if (c == '\0')
35801 +                                       return 1;
35802 +
35803 +                               c = *p++;
35804 +                       }
35805 +                       if (not)
35806 +                               return 1;
35807 +               }
35808 +               break;
35809 +       default:
35810 +               if (c != *n)
35811 +                       return 1;
35812 +       }
35813 +
35814 +       ++n;
35815 +       }
35816 +
35817 +       if (*n == '\0')
35818 +               return 0;
35819 +
35820 +       if (*n == '/')
35821 +               return 0;
35822 +
35823 +       return 1;
35824 +}
35825 +
35826 +static struct acl_object_label *
35827 +chk_glob_label(struct acl_object_label *globbed,
35828 +       struct dentry *dentry, struct vfsmount *mnt, char **path)
35829 +{
35830 +       struct acl_object_label *tmp;
35831 +
35832 +       if (*path == NULL)
35833 +               *path = gr_to_filename_nolock(dentry, mnt);
35834 +
35835 +       tmp = globbed;
35836 +
35837 +       while (tmp) {
35838 +               if (!glob_match(tmp->filename, *path))
35839 +                       return tmp;
35840 +               tmp = tmp->next;
35841 +       }
35842 +
35843 +       return NULL;
35844 +}
35845 +
35846 +static struct acl_object_label *
35847 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35848 +           const ino_t curr_ino, const dev_t curr_dev,
35849 +           const struct acl_subject_label *subj, char **path, const int checkglob)
35850 +{
35851 +       struct acl_subject_label *tmpsubj;
35852 +       struct acl_object_label *retval;
35853 +       struct acl_object_label *retval2;
35854 +
35855 +       tmpsubj = (struct acl_subject_label *) subj;
35856 +       read_lock(&gr_inode_lock);
35857 +       do {
35858 +               retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
35859 +               if (retval) {
35860 +                       if (checkglob && retval->globbed) {
35861 +                               retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
35862 +                                               (struct vfsmount *)orig_mnt, path);
35863 +                               if (retval2)
35864 +                                       retval = retval2;
35865 +                       }
35866 +                       break;
35867 +               }
35868 +       } while ((tmpsubj = tmpsubj->parent_subject));
35869 +       read_unlock(&gr_inode_lock);
35870 +
35871 +       return retval;
35872 +}
35873 +
35874 +static __inline__ struct acl_object_label *
35875 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
35876 +           const struct dentry *curr_dentry,
35877 +           const struct acl_subject_label *subj, char **path, const int checkglob)
35878 +{
35879 +       return __full_lookup(orig_dentry, orig_mnt,
35880 +                            curr_dentry->d_inode->i_ino, 
35881 +                            curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
35882 +}
35883 +
35884 +static struct acl_object_label *
35885 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35886 +             const struct acl_subject_label *subj, char *path, const int checkglob)
35887 +{
35888 +       struct dentry *dentry = (struct dentry *) l_dentry;
35889 +       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35890 +       struct acl_object_label *retval;
35891 +
35892 +       spin_lock(&dcache_lock);
35893 +
35894 +       if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
35895 +#ifdef CONFIG_HUGETLBFS
35896 +           mnt == hugetlbfs_vfsmount ||
35897 +#endif
35898 +               /* ignore Eric Biederman */
35899 +           IS_PRIVATE(l_dentry->d_inode))) {
35900 +               retval = fakefs_obj;
35901 +               goto out;
35902 +       }
35903 +
35904 +       for (;;) {
35905 +               if (dentry == real_root && mnt == real_root_mnt)
35906 +                       break;
35907 +
35908 +               if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35909 +                       if (mnt->mnt_parent == mnt)
35910 +                               break;
35911 +
35912 +                       retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35913 +                       if (retval != NULL)
35914 +                               goto out;
35915 +
35916 +                       dentry = mnt->mnt_mountpoint;
35917 +                       mnt = mnt->mnt_parent;
35918 +                       continue;
35919 +               }
35920 +
35921 +               retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35922 +               if (retval != NULL)
35923 +                       goto out;
35924 +
35925 +               dentry = dentry->d_parent;
35926 +       }
35927 +
35928 +       retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
35929 +
35930 +       if (retval == NULL)
35931 +               retval = full_lookup(l_dentry, l_mnt, real_root, subj, &path, checkglob);
35932 +out:
35933 +       spin_unlock(&dcache_lock);
35934 +       return retval;
35935 +}
35936 +
35937 +static __inline__ struct acl_object_label *
35938 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35939 +             const struct acl_subject_label *subj)
35940 +{
35941 +       char *path = NULL;
35942 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35943 +}
35944 +
35945 +static __inline__ struct acl_object_label *
35946 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35947 +             const struct acl_subject_label *subj)
35948 +{
35949 +       char *path = NULL;
35950 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
35951 +}
35952 +
35953 +static __inline__ struct acl_object_label *
35954 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35955 +                    const struct acl_subject_label *subj, char *path)
35956 +{
35957 +       return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
35958 +}
35959 +
35960 +static struct acl_subject_label *
35961 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
35962 +              const struct acl_role_label *role)
35963 +{
35964 +       struct dentry *dentry = (struct dentry *) l_dentry;
35965 +       struct vfsmount *mnt = (struct vfsmount *) l_mnt;
35966 +       struct acl_subject_label *retval;
35967 +
35968 +       spin_lock(&dcache_lock);
35969 +
35970 +       for (;;) {
35971 +               if (dentry == real_root && mnt == real_root_mnt)
35972 +                       break;
35973 +               if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
35974 +                       if (mnt->mnt_parent == mnt)
35975 +                               break;
35976 +
35977 +                       read_lock(&gr_inode_lock);
35978 +                       retval =
35979 +                               lookup_acl_subj_label(dentry->d_inode->i_ino,
35980 +                                               dentry->d_inode->i_sb->s_dev, role);
35981 +                       read_unlock(&gr_inode_lock);
35982 +                       if (retval != NULL)
35983 +                               goto out;
35984 +
35985 +                       dentry = mnt->mnt_mountpoint;
35986 +                       mnt = mnt->mnt_parent;
35987 +                       continue;
35988 +               }
35989 +
35990 +               read_lock(&gr_inode_lock);
35991 +               retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
35992 +                                         dentry->d_inode->i_sb->s_dev, role);
35993 +               read_unlock(&gr_inode_lock);
35994 +               if (retval != NULL)
35995 +                       goto out;
35996 +
35997 +               dentry = dentry->d_parent;
35998 +       }
35999 +
36000 +       read_lock(&gr_inode_lock);
36001 +       retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36002 +                                 dentry->d_inode->i_sb->s_dev, role);
36003 +       read_unlock(&gr_inode_lock);
36004 +
36005 +       if (unlikely(retval == NULL)) {
36006 +               read_lock(&gr_inode_lock);
36007 +               retval = lookup_acl_subj_label(real_root->d_inode->i_ino,
36008 +                                         real_root->d_inode->i_sb->s_dev, role);
36009 +               read_unlock(&gr_inode_lock);
36010 +       }
36011 +out:
36012 +       spin_unlock(&dcache_lock);
36013 +
36014 +       return retval;
36015 +}
36016 +
36017 +static void
36018 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36019 +{
36020 +       struct task_struct *task = current;
36021 +       const struct cred *cred = current_cred();
36022 +
36023 +       security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36024 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36025 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36026 +                      1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->curr_ip);
36027 +
36028 +       return;
36029 +}
36030 +
36031 +static void
36032 +gr_log_learn_sysctl(const char *path, const __u32 mode)
36033 +{
36034 +       struct task_struct *task = current;
36035 +       const struct cred *cred = current_cred();
36036 +
36037 +       security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36038 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36039 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36040 +                      1UL, 1UL, path, (unsigned long) mode, &task->signal->curr_ip);
36041 +
36042 +       return;
36043 +}
36044 +
36045 +static void
36046 +gr_log_learn_id_change(const char type, const unsigned int real, 
36047 +                      const unsigned int effective, const unsigned int fs)
36048 +{
36049 +       struct task_struct *task = current;
36050 +       const struct cred *cred = current_cred();
36051 +
36052 +       security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36053 +                      cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36054 +                      task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36055 +                      type, real, effective, fs, &task->signal->curr_ip);
36056 +
36057 +       return;
36058 +}
36059 +
36060 +__u32
36061 +gr_check_link(const struct dentry * new_dentry,
36062 +             const struct dentry * parent_dentry,
36063 +             const struct vfsmount * parent_mnt,
36064 +             const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36065 +{
36066 +       struct acl_object_label *obj;
36067 +       __u32 oldmode, newmode;
36068 +       __u32 needmode;
36069 +
36070 +       if (unlikely(!(gr_status & GR_READY)))
36071 +               return (GR_CREATE | GR_LINK);
36072 +
36073 +       obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36074 +       oldmode = obj->mode;
36075 +
36076 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36077 +               oldmode |= (GR_CREATE | GR_LINK);
36078 +
36079 +       needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36080 +       if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36081 +               needmode |= GR_SETID | GR_AUDIT_SETID;
36082 +
36083 +       newmode =
36084 +           gr_check_create(new_dentry, parent_dentry, parent_mnt,
36085 +                           oldmode | needmode);
36086 +
36087 +       needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36088 +                             GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36089 +                             GR_INHERIT | GR_AUDIT_INHERIT);
36090 +
36091 +       if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36092 +               goto bad;
36093 +
36094 +       if ((oldmode & needmode) != needmode)
36095 +               goto bad;
36096 +
36097 +       needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36098 +       if ((newmode & needmode) != needmode)
36099 +               goto bad;
36100 +
36101 +       if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
36102 +               return newmode;
36103 +bad:
36104 +       needmode = oldmode;
36105 +       if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36106 +               needmode |= GR_SETID;
36107 +       
36108 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36109 +               gr_log_learn(old_dentry, old_mnt, needmode);
36110 +               return (GR_CREATE | GR_LINK);
36111 +       } else if (newmode & GR_SUPPRESS)
36112 +               return GR_SUPPRESS;
36113 +       else
36114 +               return 0;
36115 +}
36116 +
36117 +__u32
36118 +gr_search_file(const struct dentry * dentry, const __u32 mode,
36119 +              const struct vfsmount * mnt)
36120 +{
36121 +       __u32 retval = mode;
36122 +       struct acl_subject_label *curracl;
36123 +       struct acl_object_label *currobj;
36124 +
36125 +       if (unlikely(!(gr_status & GR_READY)))
36126 +               return (mode & ~GR_AUDITS);
36127 +
36128 +       curracl = current->acl;
36129 +
36130 +       currobj = chk_obj_label(dentry, mnt, curracl);
36131 +       retval = currobj->mode & mode;
36132 +
36133 +       if (unlikely
36134 +           ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
36135 +            && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
36136 +               __u32 new_mode = mode;
36137 +
36138 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36139 +
36140 +               retval = new_mode;
36141 +
36142 +               if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
36143 +                       new_mode |= GR_INHERIT;
36144 +
36145 +               if (!(mode & GR_NOLEARN))
36146 +                       gr_log_learn(dentry, mnt, new_mode);
36147 +       }
36148 +
36149 +       return retval;
36150 +}
36151 +
36152 +__u32
36153 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
36154 +               const struct vfsmount * mnt, const __u32 mode)
36155 +{
36156 +       struct name_entry *match;
36157 +       struct acl_object_label *matchpo;
36158 +       struct acl_subject_label *curracl;
36159 +       char *path;
36160 +       __u32 retval;
36161 +
36162 +       if (unlikely(!(gr_status & GR_READY)))
36163 +               return (mode & ~GR_AUDITS);
36164 +
36165 +       preempt_disable();
36166 +       path = gr_to_filename_rbac(new_dentry, mnt);
36167 +       match = lookup_name_entry_create(path);
36168 +
36169 +       if (!match)
36170 +               goto check_parent;
36171 +
36172 +       curracl = current->acl;
36173 +
36174 +       read_lock(&gr_inode_lock);
36175 +       matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
36176 +       read_unlock(&gr_inode_lock);
36177 +
36178 +       if (matchpo) {
36179 +               if ((matchpo->mode & mode) !=
36180 +                   (mode & ~(GR_AUDITS | GR_SUPPRESS))
36181 +                   && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36182 +                       __u32 new_mode = mode;
36183 +
36184 +                       new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36185 +
36186 +                       gr_log_learn(new_dentry, mnt, new_mode);
36187 +
36188 +                       preempt_enable();
36189 +                       return new_mode;
36190 +               }
36191 +               preempt_enable();
36192 +               return (matchpo->mode & mode);
36193 +       }
36194 +
36195 +      check_parent:
36196 +       curracl = current->acl;
36197 +
36198 +       matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36199 +       retval = matchpo->mode & mode;
36200 +
36201 +       if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36202 +           && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36203 +               __u32 new_mode = mode;
36204 +
36205 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36206 +
36207 +               gr_log_learn(new_dentry, mnt, new_mode);
36208 +               preempt_enable();
36209 +               return new_mode;
36210 +       }
36211 +
36212 +       preempt_enable();
36213 +       return retval;
36214 +}
36215 +
36216 +int
36217 +gr_check_hidden_task(const struct task_struct *task)
36218 +{
36219 +       if (unlikely(!(gr_status & GR_READY)))
36220 +               return 0;
36221 +
36222 +       if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36223 +               return 1;
36224 +
36225 +       return 0;
36226 +}
36227 +
36228 +int
36229 +gr_check_protected_task(const struct task_struct *task)
36230 +{
36231 +       if (unlikely(!(gr_status & GR_READY) || !task))
36232 +               return 0;
36233 +
36234 +       if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36235 +           task->acl != current->acl)
36236 +               return 1;
36237 +
36238 +       return 0;
36239 +}
36240 +
36241 +int
36242 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36243 +{
36244 +       struct task_struct *p;
36245 +       int ret = 0;
36246 +
36247 +       if (unlikely(!(gr_status & GR_READY) || !pid))
36248 +               return ret;
36249 +
36250 +       read_lock(&tasklist_lock);
36251 +       do_each_pid_task(pid, type, p) {
36252 +               if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36253 +                   p->acl != current->acl) {
36254 +                       ret = 1;
36255 +                       goto out;
36256 +               }
36257 +       } while_each_pid_task(pid, type, p);
36258 +out:
36259 +       read_unlock(&tasklist_lock);
36260 +
36261 +       return ret;
36262 +}
36263 +
36264 +void
36265 +gr_copy_label(struct task_struct *tsk)
36266 +{
36267 +       tsk->signal->used_accept = 0;
36268 +       tsk->acl_sp_role = 0;
36269 +       tsk->acl_role_id = current->acl_role_id;
36270 +       tsk->acl = current->acl;
36271 +       tsk->role = current->role;
36272 +       tsk->signal->curr_ip = current->signal->curr_ip;
36273 +       if (current->exec_file)
36274 +               get_file(current->exec_file);
36275 +       tsk->exec_file = current->exec_file;
36276 +       tsk->is_writable = current->is_writable;
36277 +       if (unlikely(current->signal->used_accept))
36278 +               current->signal->curr_ip = 0;
36279 +
36280 +       return;
36281 +}
36282 +
36283 +static void
36284 +gr_set_proc_res(struct task_struct *task)
36285 +{
36286 +       struct acl_subject_label *proc;
36287 +       unsigned short i;
36288 +
36289 +       proc = task->acl;
36290 +
36291 +       if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
36292 +               return;
36293 +
36294 +       for (i = 0; i < RLIM_NLIMITS; i++) {
36295 +               if (!(proc->resmask & (1 << i)))
36296 +                       continue;
36297 +
36298 +               task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
36299 +               task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
36300 +       }
36301 +
36302 +       return;
36303 +}
36304 +
36305 +int
36306 +gr_check_user_change(int real, int effective, int fs)
36307 +{
36308 +       unsigned int i;
36309 +       __u16 num;
36310 +       uid_t *uidlist;
36311 +       int curuid;
36312 +       int realok = 0;
36313 +       int effectiveok = 0;
36314 +       int fsok = 0;
36315 +
36316 +       if (unlikely(!(gr_status & GR_READY)))
36317 +               return 0;
36318 +
36319 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36320 +               gr_log_learn_id_change('u', real, effective, fs);
36321 +
36322 +       num = current->acl->user_trans_num;
36323 +       uidlist = current->acl->user_transitions;
36324 +
36325 +       if (uidlist == NULL)
36326 +               return 0;
36327 +
36328 +       if (real == -1)
36329 +               realok = 1;
36330 +       if (effective == -1)
36331 +               effectiveok = 1;
36332 +       if (fs == -1)
36333 +               fsok = 1;
36334 +
36335 +       if (current->acl->user_trans_type & GR_ID_ALLOW) {
36336 +               for (i = 0; i < num; i++) {
36337 +                       curuid = (int)uidlist[i];
36338 +                       if (real == curuid)
36339 +                               realok = 1;
36340 +                       if (effective == curuid)
36341 +                               effectiveok = 1;
36342 +                       if (fs == curuid)
36343 +                               fsok = 1;
36344 +               }
36345 +       } else if (current->acl->user_trans_type & GR_ID_DENY) {
36346 +               for (i = 0; i < num; i++) {
36347 +                       curuid = (int)uidlist[i];
36348 +                       if (real == curuid)
36349 +                               break;
36350 +                       if (effective == curuid)
36351 +                               break;
36352 +                       if (fs == curuid)
36353 +                               break;
36354 +               }
36355 +               /* not in deny list */
36356 +               if (i == num) {
36357 +                       realok = 1;
36358 +                       effectiveok = 1;
36359 +                       fsok = 1;
36360 +               }
36361 +       }
36362 +
36363 +       if (realok && effectiveok && fsok)
36364 +               return 0;
36365 +       else {
36366 +               gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36367 +               return 1;
36368 +       }
36369 +}
36370 +
36371 +int
36372 +gr_check_group_change(int real, int effective, int fs)
36373 +{
36374 +       unsigned int i;
36375 +       __u16 num;
36376 +       gid_t *gidlist;
36377 +       int curgid;
36378 +       int realok = 0;
36379 +       int effectiveok = 0;
36380 +       int fsok = 0;
36381 +
36382 +       if (unlikely(!(gr_status & GR_READY)))
36383 +               return 0;
36384 +
36385 +       if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36386 +               gr_log_learn_id_change('g', real, effective, fs);
36387 +
36388 +       num = current->acl->group_trans_num;
36389 +       gidlist = current->acl->group_transitions;
36390 +
36391 +       if (gidlist == NULL)
36392 +               return 0;
36393 +
36394 +       if (real == -1)
36395 +               realok = 1;
36396 +       if (effective == -1)
36397 +               effectiveok = 1;
36398 +       if (fs == -1)
36399 +               fsok = 1;
36400 +
36401 +       if (current->acl->group_trans_type & GR_ID_ALLOW) {
36402 +               for (i = 0; i < num; i++) {
36403 +                       curgid = (int)gidlist[i];
36404 +                       if (real == curgid)
36405 +                               realok = 1;
36406 +                       if (effective == curgid)
36407 +                               effectiveok = 1;
36408 +                       if (fs == curgid)
36409 +                               fsok = 1;
36410 +               }
36411 +       } else if (current->acl->group_trans_type & GR_ID_DENY) {
36412 +               for (i = 0; i < num; i++) {
36413 +                       curgid = (int)gidlist[i];
36414 +                       if (real == curgid)
36415 +                               break;
36416 +                       if (effective == curgid)
36417 +                               break;
36418 +                       if (fs == curgid)
36419 +                               break;
36420 +               }
36421 +               /* not in deny list */
36422 +               if (i == num) {
36423 +                       realok = 1;
36424 +                       effectiveok = 1;
36425 +                       fsok = 1;
36426 +               }
36427 +       }
36428 +
36429 +       if (realok && effectiveok && fsok)
36430 +               return 0;
36431 +       else {
36432 +               gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
36433 +               return 1;
36434 +       }
36435 +}
36436 +
36437 +void
36438 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
36439 +{
36440 +       struct acl_role_label *role = task->role;
36441 +       struct acl_subject_label *subj = NULL;
36442 +       struct acl_object_label *obj;
36443 +       struct file *filp;
36444 +
36445 +       if (unlikely(!(gr_status & GR_READY)))
36446 +               return;
36447 +
36448 +       filp = task->exec_file;
36449 +
36450 +       /* kernel process, we'll give them the kernel role */
36451 +       if (unlikely(!filp)) {
36452 +               task->role = kernel_role;
36453 +               task->acl = kernel_role->root_label;
36454 +               return;
36455 +       } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
36456 +               role = lookup_acl_role_label(task, uid, gid);
36457 +
36458 +       /* perform subject lookup in possibly new role
36459 +          we can use this result below in the case where role == task->role
36460 +       */
36461 +       subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
36462 +
36463 +       /* if we changed uid/gid, but result in the same role
36464 +          and are using inheritance, don't lose the inherited subject
36465 +          if current subject is other than what normal lookup
36466 +          would result in, we arrived via inheritance, don't
36467 +          lose subject
36468 +       */
36469 +       if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
36470 +                                  (subj == task->acl)))
36471 +               task->acl = subj;
36472 +
36473 +       task->role = role;
36474 +
36475 +       task->is_writable = 0;
36476 +
36477 +       /* ignore additional mmap checks for processes that are writable 
36478 +          by the default ACL */
36479 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36480 +       if (unlikely(obj->mode & GR_WRITE))
36481 +               task->is_writable = 1;
36482 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
36483 +       if (unlikely(obj->mode & GR_WRITE))
36484 +               task->is_writable = 1;
36485 +
36486 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36487 +       printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36488 +#endif
36489 +
36490 +       gr_set_proc_res(task);
36491 +
36492 +       return;
36493 +}
36494 +
36495 +int
36496 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
36497 +                 const int unsafe_share)
36498 +{
36499 +       struct task_struct *task = current;
36500 +       struct acl_subject_label *newacl;
36501 +       struct acl_object_label *obj;
36502 +       __u32 retmode;
36503 +
36504 +       if (unlikely(!(gr_status & GR_READY)))
36505 +               return 0;
36506 +
36507 +       newacl = chk_subj_label(dentry, mnt, task->role);
36508 +
36509 +       task_lock(task);
36510 +       if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
36511 +            !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
36512 +            !(task->role->roletype & GR_ROLE_GOD) &&
36513 +            !gr_search_file(dentry, GR_PTRACERD, mnt) &&
36514 +            !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
36515 +                task_unlock(task);
36516 +               if (unsafe_share)
36517 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
36518 +               else
36519 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
36520 +               return -EACCES;
36521 +       }
36522 +       task_unlock(task);
36523 +
36524 +       obj = chk_obj_label(dentry, mnt, task->acl);
36525 +       retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
36526 +
36527 +       if (!(task->acl->mode & GR_INHERITLEARN) &&
36528 +           ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
36529 +               if (obj->nested)
36530 +                       task->acl = obj->nested;
36531 +               else
36532 +                       task->acl = newacl;
36533 +       } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
36534 +               gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
36535 +
36536 +       task->is_writable = 0;
36537 +
36538 +       /* ignore additional mmap checks for processes that are writable 
36539 +          by the default ACL */
36540 +       obj = chk_obj_label(dentry, mnt, default_role->root_label);
36541 +       if (unlikely(obj->mode & GR_WRITE))
36542 +               task->is_writable = 1;
36543 +       obj = chk_obj_label(dentry, mnt, task->role->root_label);
36544 +       if (unlikely(obj->mode & GR_WRITE))
36545 +               task->is_writable = 1;
36546 +
36547 +       gr_set_proc_res(task);
36548 +
36549 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36550 +       printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
36551 +#endif
36552 +       return 0;
36553 +}
36554 +
36555 +/* always called with valid inodev ptr */
36556 +static void
36557 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
36558 +{
36559 +       struct acl_object_label *matchpo;
36560 +       struct acl_subject_label *matchps;
36561 +       struct acl_subject_label *subj;
36562 +       struct acl_role_label *role;
36563 +       unsigned int x;
36564 +
36565 +       FOR_EACH_ROLE_START(role)
36566 +               FOR_EACH_SUBJECT_START(role, subj, x)
36567 +                       if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
36568 +                               matchpo->mode |= GR_DELETED;
36569 +               FOR_EACH_SUBJECT_END(subj,x)
36570 +               FOR_EACH_NESTED_SUBJECT_START(role, subj)
36571 +                       if (subj->inode == ino && subj->device == dev)
36572 +                               subj->mode |= GR_DELETED;
36573 +               FOR_EACH_NESTED_SUBJECT_END(subj)
36574 +               if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
36575 +                       matchps->mode |= GR_DELETED;
36576 +       FOR_EACH_ROLE_END(role)
36577 +
36578 +       inodev->nentry->deleted = 1;
36579 +
36580 +       return;
36581 +}
36582 +
36583 +void
36584 +gr_handle_delete(const ino_t ino, const dev_t dev)
36585 +{
36586 +       struct inodev_entry *inodev;
36587 +
36588 +       if (unlikely(!(gr_status & GR_READY)))
36589 +               return;
36590 +
36591 +       write_lock(&gr_inode_lock);
36592 +       inodev = lookup_inodev_entry(ino, dev);
36593 +       if (inodev != NULL)
36594 +               do_handle_delete(inodev, ino, dev);
36595 +       write_unlock(&gr_inode_lock);
36596 +
36597 +       return;
36598 +}
36599 +
36600 +static void
36601 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
36602 +                    const ino_t newinode, const dev_t newdevice,
36603 +                    struct acl_subject_label *subj)
36604 +{
36605 +       unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
36606 +       struct acl_object_label *match;
36607 +
36608 +       match = subj->obj_hash[index];
36609 +
36610 +       while (match && (match->inode != oldinode ||
36611 +              match->device != olddevice ||
36612 +              !(match->mode & GR_DELETED)))
36613 +               match = match->next;
36614 +
36615 +       if (match && (match->inode == oldinode)
36616 +           && (match->device == olddevice)
36617 +           && (match->mode & GR_DELETED)) {
36618 +               if (match->prev == NULL) {
36619 +                       subj->obj_hash[index] = match->next;
36620 +                       if (match->next != NULL)
36621 +                               match->next->prev = NULL;
36622 +               } else {
36623 +                       match->prev->next = match->next;
36624 +                       if (match->next != NULL)
36625 +                               match->next->prev = match->prev;
36626 +               }
36627 +               match->prev = NULL;
36628 +               match->next = NULL;
36629 +               match->inode = newinode;
36630 +               match->device = newdevice;
36631 +               match->mode &= ~GR_DELETED;
36632 +
36633 +               insert_acl_obj_label(match, subj);
36634 +       }
36635 +
36636 +       return;
36637 +}
36638 +
36639 +static void
36640 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
36641 +                     const ino_t newinode, const dev_t newdevice,
36642 +                     struct acl_role_label *role)
36643 +{
36644 +       unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
36645 +       struct acl_subject_label *match;
36646 +
36647 +       match = role->subj_hash[index];
36648 +
36649 +       while (match && (match->inode != oldinode ||
36650 +              match->device != olddevice ||
36651 +              !(match->mode & GR_DELETED)))
36652 +               match = match->next;
36653 +
36654 +       if (match && (match->inode == oldinode)
36655 +           && (match->device == olddevice)
36656 +           && (match->mode & GR_DELETED)) {
36657 +               if (match->prev == NULL) {
36658 +                       role->subj_hash[index] = match->next;
36659 +                       if (match->next != NULL)
36660 +                               match->next->prev = NULL;
36661 +               } else {
36662 +                       match->prev->next = match->next;
36663 +                       if (match->next != NULL)
36664 +                               match->next->prev = match->prev;
36665 +               }
36666 +               match->prev = NULL;
36667 +               match->next = NULL;
36668 +               match->inode = newinode;
36669 +               match->device = newdevice;
36670 +               match->mode &= ~GR_DELETED;
36671 +
36672 +               insert_acl_subj_label(match, role);
36673 +       }
36674 +
36675 +       return;
36676 +}
36677 +
36678 +static void
36679 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
36680 +                   const ino_t newinode, const dev_t newdevice)
36681 +{
36682 +       unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
36683 +       struct inodev_entry *match;
36684 +
36685 +       match = inodev_set.i_hash[index];
36686 +
36687 +       while (match && (match->nentry->inode != oldinode ||
36688 +              match->nentry->device != olddevice || !match->nentry->deleted))
36689 +               match = match->next;
36690 +
36691 +       if (match && (match->nentry->inode == oldinode)
36692 +           && (match->nentry->device == olddevice) &&
36693 +           match->nentry->deleted) {
36694 +               if (match->prev == NULL) {
36695 +                       inodev_set.i_hash[index] = match->next;
36696 +                       if (match->next != NULL)
36697 +                               match->next->prev = NULL;
36698 +               } else {
36699 +                       match->prev->next = match->next;
36700 +                       if (match->next != NULL)
36701 +                               match->next->prev = match->prev;
36702 +               }
36703 +               match->prev = NULL;
36704 +               match->next = NULL;
36705 +               match->nentry->inode = newinode;
36706 +               match->nentry->device = newdevice;
36707 +               match->nentry->deleted = 0;
36708 +
36709 +               insert_inodev_entry(match);
36710 +       }
36711 +
36712 +       return;
36713 +}
36714 +
36715 +static void
36716 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
36717 +                const struct vfsmount *mnt)
36718 +{
36719 +       struct acl_subject_label *subj;
36720 +       struct acl_role_label *role;
36721 +       unsigned int x;
36722 +       
36723 +       FOR_EACH_ROLE_START(role)
36724 +               update_acl_subj_label(matchn->inode, matchn->device,
36725 +                                     dentry->d_inode->i_ino,
36726 +                                     dentry->d_inode->i_sb->s_dev, role);
36727 +
36728 +               FOR_EACH_NESTED_SUBJECT_START(role, subj)
36729 +                       if ((subj->inode == dentry->d_inode->i_ino) &&
36730 +                           (subj->device == dentry->d_inode->i_sb->s_dev)) {
36731 +                               subj->inode = dentry->d_inode->i_ino;
36732 +                               subj->device = dentry->d_inode->i_sb->s_dev;
36733 +                       }
36734 +               FOR_EACH_NESTED_SUBJECT_END(subj)
36735 +               FOR_EACH_SUBJECT_START(role, subj, x)
36736 +                       update_acl_obj_label(matchn->inode, matchn->device,
36737 +                                            dentry->d_inode->i_ino,
36738 +                                            dentry->d_inode->i_sb->s_dev, subj);
36739 +               FOR_EACH_SUBJECT_END(subj,x)
36740 +       FOR_EACH_ROLE_END(role)
36741 +
36742 +       update_inodev_entry(matchn->inode, matchn->device,
36743 +                           dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
36744 +
36745 +       return;
36746 +}
36747 +
36748 +void
36749 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
36750 +{
36751 +       struct name_entry *matchn;
36752 +
36753 +       if (unlikely(!(gr_status & GR_READY)))
36754 +               return;
36755 +
36756 +       preempt_disable();
36757 +       matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
36758 +
36759 +       if (unlikely((unsigned long)matchn)) {
36760 +               write_lock(&gr_inode_lock);
36761 +               do_handle_create(matchn, dentry, mnt);
36762 +               write_unlock(&gr_inode_lock);
36763 +       }
36764 +       preempt_enable();
36765 +
36766 +       return;
36767 +}
36768 +
36769 +void
36770 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
36771 +                struct dentry *old_dentry,
36772 +                struct dentry *new_dentry,
36773 +                struct vfsmount *mnt, const __u8 replace)
36774 +{
36775 +       struct name_entry *matchn;
36776 +       struct inodev_entry *inodev;
36777 +
36778 +       /* vfs_rename swaps the name and parent link for old_dentry and
36779 +          new_dentry
36780 +          at this point, old_dentry has the new name, parent link, and inode
36781 +          for the renamed file
36782 +          if a file is being replaced by a rename, new_dentry has the inode
36783 +          and name for the replaced file
36784 +       */
36785 +
36786 +       if (unlikely(!(gr_status & GR_READY)))
36787 +               return;
36788 +
36789 +       preempt_disable();
36790 +       matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
36791 +
36792 +       /* we wouldn't have to check d_inode if it weren't for
36793 +          NFS silly-renaming
36794 +        */
36795 +
36796 +       write_lock(&gr_inode_lock);
36797 +       if (unlikely(replace && new_dentry->d_inode)) {
36798 +               inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
36799 +                                            new_dentry->d_inode->i_sb->s_dev);
36800 +               if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
36801 +                       do_handle_delete(inodev, new_dentry->d_inode->i_ino,
36802 +                                        new_dentry->d_inode->i_sb->s_dev);
36803 +       }
36804 +
36805 +       inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
36806 +                                    old_dentry->d_inode->i_sb->s_dev);
36807 +       if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
36808 +               do_handle_delete(inodev, old_dentry->d_inode->i_ino,
36809 +                                old_dentry->d_inode->i_sb->s_dev);
36810 +
36811 +       if (unlikely((unsigned long)matchn))
36812 +               do_handle_create(matchn, old_dentry, mnt);
36813 +
36814 +       write_unlock(&gr_inode_lock);
36815 +       preempt_enable();
36816 +
36817 +       return;
36818 +}
36819 +
36820 +static int
36821 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
36822 +                        unsigned char **sum)
36823 +{
36824 +       struct acl_role_label *r;
36825 +       struct role_allowed_ip *ipp;
36826 +       struct role_transition *trans;
36827 +       unsigned int i;
36828 +       int found = 0;
36829 +
36830 +       /* check transition table */
36831 +
36832 +       for (trans = current->role->transitions; trans; trans = trans->next) {
36833 +               if (!strcmp(rolename, trans->rolename)) {
36834 +                       found = 1;
36835 +                       break;
36836 +               }
36837 +       }
36838 +
36839 +       if (!found)
36840 +               return 0;
36841 +
36842 +       /* handle special roles that do not require authentication
36843 +          and check ip */
36844 +
36845 +       FOR_EACH_ROLE_START(r)
36846 +               if (!strcmp(rolename, r->rolename) &&
36847 +                   (r->roletype & GR_ROLE_SPECIAL)) {
36848 +                       found = 0;
36849 +                       if (r->allowed_ips != NULL) {
36850 +                               for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
36851 +                                       if ((ntohl(current->signal->curr_ip) & ipp->netmask) ==
36852 +                                            (ntohl(ipp->addr) & ipp->netmask))
36853 +                                               found = 1;
36854 +                               }
36855 +                       } else
36856 +                               found = 2;
36857 +                       if (!found)
36858 +                               return 0;
36859 +
36860 +                       if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
36861 +                           ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
36862 +                               *salt = NULL;
36863 +                               *sum = NULL;
36864 +                               return 1;
36865 +                       }
36866 +               }
36867 +       FOR_EACH_ROLE_END(r)
36868 +
36869 +       for (i = 0; i < num_sprole_pws; i++) {
36870 +               if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
36871 +                       *salt = acl_special_roles[i]->salt;
36872 +                       *sum = acl_special_roles[i]->sum;
36873 +                       return 1;
36874 +               }
36875 +       }
36876 +
36877 +       return 0;
36878 +}
36879 +
36880 +static void
36881 +assign_special_role(char *rolename)
36882 +{
36883 +       struct acl_object_label *obj;
36884 +       struct acl_role_label *r;
36885 +       struct acl_role_label *assigned = NULL;
36886 +       struct task_struct *tsk;
36887 +       struct file *filp;
36888 +
36889 +       FOR_EACH_ROLE_START(r)
36890 +               if (!strcmp(rolename, r->rolename) &&
36891 +                   (r->roletype & GR_ROLE_SPECIAL)) {
36892 +                       assigned = r;
36893 +                       break;
36894 +               }
36895 +       FOR_EACH_ROLE_END(r)
36896 +
36897 +       if (!assigned)
36898 +               return;
36899 +
36900 +       read_lock(&tasklist_lock);
36901 +       read_lock(&grsec_exec_file_lock);
36902 +
36903 +       tsk = current->parent;
36904 +       if (tsk == NULL)
36905 +               goto out_unlock;
36906 +
36907 +       filp = tsk->exec_file;
36908 +       if (filp == NULL)
36909 +               goto out_unlock;
36910 +
36911 +       tsk->is_writable = 0;
36912 +
36913 +       tsk->acl_sp_role = 1;
36914 +       tsk->acl_role_id = ++acl_sp_role_value;
36915 +       tsk->role = assigned;
36916 +       tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
36917 +
36918 +       /* ignore additional mmap checks for processes that are writable 
36919 +          by the default ACL */
36920 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
36921 +       if (unlikely(obj->mode & GR_WRITE))
36922 +               tsk->is_writable = 1;
36923 +       obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
36924 +       if (unlikely(obj->mode & GR_WRITE))
36925 +               tsk->is_writable = 1;
36926 +
36927 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36928 +       printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
36929 +#endif
36930 +
36931 +out_unlock:
36932 +       read_unlock(&grsec_exec_file_lock);
36933 +       read_unlock(&tasklist_lock);
36934 +       return;
36935 +}
36936 +
36937 +int gr_check_secure_terminal(struct task_struct *task)
36938 +{
36939 +       struct task_struct *p, *p2, *p3;
36940 +       struct files_struct *files;
36941 +       struct fdtable *fdt;
36942 +       struct file *our_file = NULL, *file;
36943 +       int i;
36944 +
36945 +       if (task->signal->tty == NULL)
36946 +               return 1;
36947 +
36948 +       files = get_files_struct(task);
36949 +       if (files != NULL) {
36950 +               rcu_read_lock();
36951 +               fdt = files_fdtable(files);
36952 +               for (i=0; i < fdt->max_fds; i++) {
36953 +                       file = fcheck_files(files, i);
36954 +                       if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
36955 +                               get_file(file);
36956 +                               our_file = file;
36957 +                       }
36958 +               }
36959 +               rcu_read_unlock();
36960 +               put_files_struct(files);
36961 +       }
36962 +
36963 +       if (our_file == NULL)
36964 +               return 1;
36965 +
36966 +       read_lock(&tasklist_lock);
36967 +       do_each_thread(p2, p) {
36968 +               files = get_files_struct(p);
36969 +               if (files == NULL ||
36970 +                   (p->signal && p->signal->tty == task->signal->tty)) {
36971 +                       if (files != NULL)
36972 +                               put_files_struct(files);
36973 +                       continue;
36974 +               }
36975 +               rcu_read_lock();
36976 +               fdt = files_fdtable(files);
36977 +               for (i=0; i < fdt->max_fds; i++) {
36978 +                       file = fcheck_files(files, i);
36979 +                       if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
36980 +                           file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
36981 +                               p3 = task;
36982 +                               while (p3->pid > 0) {
36983 +                                       if (p3 == p)
36984 +                                               break;
36985 +                                       p3 = p3->parent;
36986 +                               }
36987 +                               if (p3 == p)
36988 +                                       break;
36989 +                               gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
36990 +                               gr_handle_alertkill(p);
36991 +                               rcu_read_unlock();
36992 +                               put_files_struct(files);
36993 +                               read_unlock(&tasklist_lock);
36994 +                               fput(our_file);
36995 +                               return 0;
36996 +                       }
36997 +               }
36998 +               rcu_read_unlock();
36999 +               put_files_struct(files);
37000 +       } while_each_thread(p2, p);
37001 +       read_unlock(&tasklist_lock);
37002 +
37003 +       fput(our_file);
37004 +       return 1;
37005 +}
37006 +
37007 +ssize_t
37008 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37009 +{
37010 +       struct gr_arg_wrapper uwrap;
37011 +       unsigned char *sprole_salt = NULL;
37012 +       unsigned char *sprole_sum = NULL;
37013 +       int error = sizeof (struct gr_arg_wrapper);
37014 +       int error2 = 0;
37015 +
37016 +       down(&gr_dev_sem);
37017 +
37018 +       if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37019 +               error = -EPERM;
37020 +               goto out;
37021 +       }
37022 +
37023 +       if (count != sizeof (struct gr_arg_wrapper)) {
37024 +               gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37025 +               error = -EINVAL;
37026 +               goto out;
37027 +       }
37028 +
37029 +       
37030 +       if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37031 +               gr_auth_expires = 0;
37032 +               gr_auth_attempts = 0;
37033 +       }
37034 +
37035 +       if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37036 +               error = -EFAULT;
37037 +               goto out;
37038 +       }
37039 +
37040 +       if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37041 +               error = -EINVAL;
37042 +               goto out;
37043 +       }
37044 +
37045 +       if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37046 +               error = -EFAULT;
37047 +               goto out;
37048 +       }
37049 +
37050 +       if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37051 +           gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37052 +           time_after(gr_auth_expires, get_seconds())) {
37053 +               error = -EBUSY;
37054 +               goto out;
37055 +       }
37056 +
37057 +       /* if non-root trying to do anything other than use a special role,
37058 +          do not attempt authentication, do not count towards authentication
37059 +          locking
37060 +        */
37061 +
37062 +       if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37063 +           gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37064 +           current_uid()) {
37065 +               error = -EPERM;
37066 +               goto out;
37067 +       }
37068 +
37069 +       /* ensure pw and special role name are null terminated */
37070 +
37071 +       gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37072 +       gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37073 +
37074 +       /* Okay. 
37075 +        * We have our enough of the argument structure..(we have yet
37076 +        * to copy_from_user the tables themselves) . Copy the tables
37077 +        * only if we need them, i.e. for loading operations. */
37078 +
37079 +       switch (gr_usermode->mode) {
37080 +       case GR_STATUS:
37081 +                       if (gr_status & GR_READY) {
37082 +                               error = 1;
37083 +                               if (!gr_check_secure_terminal(current))
37084 +                                       error = 3;
37085 +                       } else
37086 +                               error = 2;
37087 +                       goto out;
37088 +       case GR_SHUTDOWN:
37089 +               if ((gr_status & GR_READY)
37090 +                   && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37091 +                       pax_open_kernel();
37092 +                       gr_status &= ~GR_READY;
37093 +                       pax_close_kernel();
37094 +
37095 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
37096 +                       free_variables();
37097 +                       memset(gr_usermode, 0, sizeof (struct gr_arg));
37098 +                       memset(gr_system_salt, 0, GR_SALT_LEN);
37099 +                       memset(gr_system_sum, 0, GR_SHA_LEN);
37100 +               } else if (gr_status & GR_READY) {
37101 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
37102 +                       error = -EPERM;
37103 +               } else {
37104 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
37105 +                       error = -EAGAIN;
37106 +               }
37107 +               break;
37108 +       case GR_ENABLE:
37109 +               if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
37110 +                       gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
37111 +               else {
37112 +                       if (gr_status & GR_READY)
37113 +                               error = -EAGAIN;
37114 +                       else
37115 +                               error = error2;
37116 +                       gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
37117 +               }
37118 +               break;
37119 +       case GR_RELOAD:
37120 +               if (!(gr_status & GR_READY)) {
37121 +                       gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
37122 +                       error = -EAGAIN;
37123 +               } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37124 +                       lock_kernel();
37125 +
37126 +                       pax_open_kernel();
37127 +                       gr_status &= ~GR_READY;
37128 +                       pax_close_kernel();
37129 +
37130 +                       free_variables();
37131 +                       if (!(error2 = gracl_init(gr_usermode))) {
37132 +                               unlock_kernel();
37133 +                               gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
37134 +                       } else {
37135 +                               unlock_kernel();
37136 +                               error = error2;
37137 +                               gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37138 +                       }
37139 +               } else {
37140 +                       gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37141 +                       error = -EPERM;
37142 +               }
37143 +               break;
37144 +       case GR_SEGVMOD:
37145 +               if (unlikely(!(gr_status & GR_READY))) {
37146 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
37147 +                       error = -EAGAIN;
37148 +                       break;
37149 +               }
37150 +
37151 +               if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37152 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
37153 +                       if (gr_usermode->segv_device && gr_usermode->segv_inode) {
37154 +                               struct acl_subject_label *segvacl;
37155 +                               segvacl =
37156 +                                   lookup_acl_subj_label(gr_usermode->segv_inode,
37157 +                                                         gr_usermode->segv_device,
37158 +                                                         current->role);
37159 +                               if (segvacl) {
37160 +                                       segvacl->crashes = 0;
37161 +                                       segvacl->expires = 0;
37162 +                               }
37163 +                       } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
37164 +                               gr_remove_uid(gr_usermode->segv_uid);
37165 +                       }
37166 +               } else {
37167 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
37168 +                       error = -EPERM;
37169 +               }
37170 +               break;
37171 +       case GR_SPROLE:
37172 +       case GR_SPROLEPAM:
37173 +               if (unlikely(!(gr_status & GR_READY))) {
37174 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37175 +                       error = -EAGAIN;
37176 +                       break;
37177 +               }
37178 +
37179 +               if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37180 +                       current->role->expires = 0;
37181 +                       current->role->auth_attempts = 0;
37182 +               }
37183 +
37184 +               if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37185 +                   time_after(current->role->expires, get_seconds())) {
37186 +                       error = -EBUSY;
37187 +                       goto out;
37188 +               }
37189 +
37190 +               if (lookup_special_role_auth
37191 +                   (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37192 +                   && ((!sprole_salt && !sprole_sum)
37193 +                       || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37194 +                       char *p = "";
37195 +                       assign_special_role(gr_usermode->sp_role);
37196 +                       read_lock(&tasklist_lock);
37197 +                       if (current->parent)
37198 +                               p = current->parent->role->rolename;
37199 +                       read_unlock(&tasklist_lock);
37200 +                       gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37201 +                                       p, acl_sp_role_value);
37202 +               } else {
37203 +                       gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37204 +                       error = -EPERM;
37205 +                       if(!(current->role->auth_attempts++))
37206 +                               current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37207 +
37208 +                       goto out;
37209 +               }
37210 +               break;
37211 +       case GR_UNSPROLE:
37212 +               if (unlikely(!(gr_status & GR_READY))) {
37213 +                       gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37214 +                       error = -EAGAIN;
37215 +                       break;
37216 +               }
37217 +
37218 +               if (current->role->roletype & GR_ROLE_SPECIAL) {
37219 +                       char *p = "";
37220 +                       int i = 0;
37221 +
37222 +                       read_lock(&tasklist_lock);
37223 +                       if (current->parent) {
37224 +                               p = current->parent->role->rolename;
37225 +                               i = current->parent->acl_role_id;
37226 +                       }
37227 +                       read_unlock(&tasklist_lock);
37228 +
37229 +                       gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37230 +                       gr_set_acls(1);
37231 +               } else {
37232 +                       error = -EPERM;
37233 +                       goto out;
37234 +               }
37235 +               break;
37236 +       default:
37237 +               gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37238 +               error = -EINVAL;
37239 +               break;
37240 +       }
37241 +
37242 +       if (error != -EPERM)
37243 +               goto out;
37244 +
37245 +       if(!(gr_auth_attempts++))
37246 +               gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37247 +
37248 +      out:
37249 +       up(&gr_dev_sem);
37250 +       return error;
37251 +}
37252 +
37253 +int
37254 +gr_set_acls(const int type)
37255 +{
37256 +       struct acl_object_label *obj;
37257 +       struct task_struct *task, *task2;
37258 +       struct file *filp;
37259 +       struct acl_role_label *role = current->role;
37260 +       __u16 acl_role_id = current->acl_role_id;
37261 +       const struct cred *cred;
37262 +       char *tmpname;
37263 +       struct name_entry *nmatch;
37264 +       struct acl_subject_label *tmpsubj;
37265 +
37266 +       rcu_read_lock();
37267 +       read_lock(&tasklist_lock);
37268 +       read_lock(&grsec_exec_file_lock);
37269 +       do_each_thread(task2, task) {
37270 +               /* check to see if we're called from the exit handler,
37271 +                  if so, only replace ACLs that have inherited the admin
37272 +                  ACL */
37273 +
37274 +               if (type && (task->role != role ||
37275 +                            task->acl_role_id != acl_role_id))
37276 +                       continue;
37277 +
37278 +               task->acl_role_id = 0;
37279 +               task->acl_sp_role = 0;
37280 +
37281 +               if ((filp = task->exec_file)) {
37282 +                       cred = __task_cred(task);
37283 +                       task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
37284 +
37285 +                       /* the following is to apply the correct subject 
37286 +                          on binaries running when the RBAC system 
37287 +                          is enabled, when the binaries have been 
37288 +                          replaced or deleted since their execution
37289 +                          -----
37290 +                          when the RBAC system starts, the inode/dev
37291 +                          from exec_file will be one the RBAC system
37292 +                          is unaware of.  It only knows the inode/dev
37293 +                          of the present file on disk, or the absence
37294 +                          of it.
37295 +                       */
37296 +                       preempt_disable();
37297 +                       tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
37298 +                       
37299 +                       nmatch = lookup_name_entry(tmpname);
37300 +                       preempt_enable();
37301 +                       tmpsubj = NULL;
37302 +                       if (nmatch) {
37303 +                               if (nmatch->deleted)
37304 +                                       tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
37305 +                               else
37306 +                                       tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
37307 +                               if (tmpsubj != NULL)
37308 +                                       task->acl = tmpsubj;
37309 +                       }
37310 +                       if (tmpsubj == NULL)
37311 +                               task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
37312 +                                                          task->role);
37313 +                       if (task->acl) {
37314 +                               struct acl_subject_label *curr;
37315 +                               curr = task->acl;
37316 +
37317 +                               task->is_writable = 0;
37318 +                               /* ignore additional mmap checks for processes that are writable 
37319 +                                  by the default ACL */
37320 +                               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37321 +                               if (unlikely(obj->mode & GR_WRITE))
37322 +                                       task->is_writable = 1;
37323 +                               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37324 +                               if (unlikely(obj->mode & GR_WRITE))
37325 +                                       task->is_writable = 1;
37326 +
37327 +                               gr_set_proc_res(task);
37328 +
37329 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37330 +                               printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37331 +#endif
37332 +                       } else {
37333 +                               read_unlock(&grsec_exec_file_lock);
37334 +                               read_unlock(&tasklist_lock);
37335 +                               rcu_read_unlock();
37336 +                               gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
37337 +                               return 1;
37338 +                       }
37339 +               } else {
37340 +                       // it's a kernel process
37341 +                       task->role = kernel_role;
37342 +                       task->acl = kernel_role->root_label;
37343 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
37344 +                       task->acl->mode &= ~GR_PROCFIND;
37345 +#endif
37346 +               }
37347 +       } while_each_thread(task2, task);
37348 +       read_unlock(&grsec_exec_file_lock);
37349 +       read_unlock(&tasklist_lock);
37350 +       rcu_read_unlock();
37351 +
37352 +       return 0;
37353 +}
37354 +
37355 +void
37356 +gr_learn_resource(const struct task_struct *task,
37357 +                 const int res, const unsigned long wanted, const int gt)
37358 +{
37359 +       struct acl_subject_label *acl;
37360 +       const struct cred *cred;
37361 +
37362 +       if (unlikely((gr_status & GR_READY) &&
37363 +                    task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
37364 +               goto skip_reslog;
37365 +
37366 +#ifdef CONFIG_GRKERNSEC_RESLOG
37367 +       gr_log_resource(task, res, wanted, gt);
37368 +#endif
37369 +      skip_reslog:
37370 +
37371 +       if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
37372 +               return;
37373 +
37374 +       acl = task->acl;
37375 +
37376 +       if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
37377 +                  !(acl->resmask & (1 << (unsigned short) res))))
37378 +               return;
37379 +
37380 +       if (wanted >= acl->res[res].rlim_cur) {
37381 +               unsigned long res_add;
37382 +
37383 +               res_add = wanted;
37384 +               switch (res) {
37385 +               case RLIMIT_CPU:
37386 +                       res_add += GR_RLIM_CPU_BUMP;
37387 +                       break;
37388 +               case RLIMIT_FSIZE:
37389 +                       res_add += GR_RLIM_FSIZE_BUMP;
37390 +                       break;
37391 +               case RLIMIT_DATA:
37392 +                       res_add += GR_RLIM_DATA_BUMP;
37393 +                       break;
37394 +               case RLIMIT_STACK:
37395 +                       res_add += GR_RLIM_STACK_BUMP;
37396 +                       break;
37397 +               case RLIMIT_CORE:
37398 +                       res_add += GR_RLIM_CORE_BUMP;
37399 +                       break;
37400 +               case RLIMIT_RSS:
37401 +                       res_add += GR_RLIM_RSS_BUMP;
37402 +                       break;
37403 +               case RLIMIT_NPROC:
37404 +                       res_add += GR_RLIM_NPROC_BUMP;
37405 +                       break;
37406 +               case RLIMIT_NOFILE:
37407 +                       res_add += GR_RLIM_NOFILE_BUMP;
37408 +                       break;
37409 +               case RLIMIT_MEMLOCK:
37410 +                       res_add += GR_RLIM_MEMLOCK_BUMP;
37411 +                       break;
37412 +               case RLIMIT_AS:
37413 +                       res_add += GR_RLIM_AS_BUMP;
37414 +                       break;
37415 +               case RLIMIT_LOCKS:
37416 +                       res_add += GR_RLIM_LOCKS_BUMP;
37417 +                       break;
37418 +               case RLIMIT_SIGPENDING:
37419 +                       res_add += GR_RLIM_SIGPENDING_BUMP;
37420 +                       break;
37421 +               case RLIMIT_MSGQUEUE:
37422 +                       res_add += GR_RLIM_MSGQUEUE_BUMP;
37423 +                       break;
37424 +               case RLIMIT_NICE:
37425 +                       res_add += GR_RLIM_NICE_BUMP;
37426 +                       break;
37427 +               case RLIMIT_RTPRIO:
37428 +                       res_add += GR_RLIM_RTPRIO_BUMP;
37429 +                       break;
37430 +               case RLIMIT_RTTIME:
37431 +                       res_add += GR_RLIM_RTTIME_BUMP;
37432 +                       break;
37433 +               }
37434 +
37435 +               acl->res[res].rlim_cur = res_add;
37436 +
37437 +               if (wanted > acl->res[res].rlim_max)
37438 +                       acl->res[res].rlim_max = res_add;
37439 +
37440 +               /* only log the subject filename, since resource logging is supported for
37441 +                  single-subject learning only */
37442 +               rcu_read_lock();
37443 +               cred = __task_cred(task);
37444 +               security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
37445 +                              task->role->roletype, cred->uid, cred->gid, acl->filename,
37446 +                              acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
37447 +                              "", (unsigned long) res, &task->signal->curr_ip);
37448 +               rcu_read_unlock();
37449 +       }
37450 +
37451 +       return;
37452 +}
37453 +
37454 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
37455 +void
37456 +pax_set_initial_flags(struct linux_binprm *bprm)
37457 +{
37458 +       struct task_struct *task = current;
37459 +        struct acl_subject_label *proc;
37460 +       unsigned long flags;
37461 +
37462 +        if (unlikely(!(gr_status & GR_READY)))
37463 +                return;
37464 +
37465 +       flags = pax_get_flags(task);
37466 +
37467 +        proc = task->acl;
37468 +
37469 +       if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
37470 +               flags &= ~MF_PAX_PAGEEXEC;
37471 +       if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
37472 +               flags &= ~MF_PAX_SEGMEXEC;
37473 +       if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
37474 +               flags &= ~MF_PAX_RANDMMAP;
37475 +       if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
37476 +               flags &= ~MF_PAX_EMUTRAMP;
37477 +       if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
37478 +               flags &= ~MF_PAX_MPROTECT;
37479 +
37480 +       if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
37481 +               flags |= MF_PAX_PAGEEXEC;
37482 +       if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
37483 +               flags |= MF_PAX_SEGMEXEC;
37484 +       if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
37485 +               flags |= MF_PAX_RANDMMAP;
37486 +       if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
37487 +               flags |= MF_PAX_EMUTRAMP;
37488 +       if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
37489 +               flags |= MF_PAX_MPROTECT;
37490 +
37491 +       pax_set_flags(task, flags);
37492 +
37493 +        return;
37494 +}
37495 +#endif
37496 +
37497 +#ifdef CONFIG_SYSCTL
37498 +/* Eric Biederman likes breaking userland ABI and every inode-based security
37499 +   system to save 35kb of memory */
37500 +
37501 +/* we modify the passed in filename, but adjust it back before returning */
37502 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
37503 +{
37504 +       struct name_entry *nmatch;
37505 +       char *p, *lastp = NULL;
37506 +       struct acl_object_label *obj = NULL, *tmp;
37507 +       struct acl_subject_label *tmpsubj;
37508 +       char c = '\0';
37509 +
37510 +       read_lock(&gr_inode_lock);
37511 +
37512 +       p = name + len - 1;
37513 +       do {
37514 +               nmatch = lookup_name_entry(name);
37515 +               if (lastp != NULL)
37516 +                       *lastp = c;
37517 +
37518 +               if (nmatch == NULL)
37519 +                       goto next_component;
37520 +               tmpsubj = current->acl;
37521 +               do {
37522 +                       obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
37523 +                       if (obj != NULL) {
37524 +                               tmp = obj->globbed;
37525 +                               while (tmp) {
37526 +                                       if (!glob_match(tmp->filename, name)) {
37527 +                                               obj = tmp;
37528 +                                               goto found_obj;
37529 +                                       }
37530 +                                       tmp = tmp->next;
37531 +                               }
37532 +                               goto found_obj;
37533 +                       }
37534 +               } while ((tmpsubj = tmpsubj->parent_subject));
37535 +next_component:
37536 +               /* end case */
37537 +               if (p == name)
37538 +                       break;
37539 +
37540 +               while (*p != '/')
37541 +                       p--;
37542 +               if (p == name)
37543 +                       lastp = p + 1;
37544 +               else {
37545 +                       lastp = p;
37546 +                       p--;
37547 +               }
37548 +               c = *lastp;
37549 +               *lastp = '\0';
37550 +       } while (1);
37551 +found_obj:
37552 +       read_unlock(&gr_inode_lock);
37553 +       /* obj returned will always be non-null */
37554 +       return obj;
37555 +}
37556 +
37557 +/* returns 0 when allowing, non-zero on error
37558 +   op of 0 is used for readdir, so we don't log the names of hidden files
37559 +*/
37560 +__u32
37561 +gr_handle_sysctl(const struct ctl_table *table, const int op)
37562 +{
37563 +       struct ctl_table *tmp;
37564 +       const char *proc_sys = "/proc/sys";
37565 +       char *path;
37566 +       struct acl_object_label *obj;
37567 +       unsigned short len = 0, pos = 0, depth = 0, i;
37568 +       __u32 err = 0;
37569 +       __u32 mode = 0;
37570 +
37571 +       if (unlikely(!(gr_status & GR_READY)))
37572 +               return 0;
37573 +
37574 +       /* for now, ignore operations on non-sysctl entries if it's not a
37575 +          readdir*/
37576 +       if (table->child != NULL && op != 0)
37577 +               return 0;
37578 +
37579 +       mode |= GR_FIND;
37580 +       /* it's only a read if it's an entry, read on dirs is for readdir */
37581 +       if (op & MAY_READ)
37582 +               mode |= GR_READ;
37583 +       if (op & MAY_WRITE)
37584 +               mode |= GR_WRITE;
37585 +
37586 +       preempt_disable();
37587 +
37588 +       path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
37589 +
37590 +       /* it's only a read/write if it's an actual entry, not a dir
37591 +          (which are opened for readdir)
37592 +       */
37593 +
37594 +       /* convert the requested sysctl entry into a pathname */
37595 +
37596 +       for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37597 +               len += strlen(tmp->procname);
37598 +               len++;
37599 +               depth++;
37600 +       }
37601 +
37602 +       if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
37603 +               /* deny */
37604 +               goto out;
37605 +       }
37606 +
37607 +       memset(path, 0, PAGE_SIZE);
37608 +
37609 +       memcpy(path, proc_sys, strlen(proc_sys));
37610 +
37611 +       pos += strlen(proc_sys);
37612 +
37613 +       for (; depth > 0; depth--) {
37614 +               path[pos] = '/';
37615 +               pos++;
37616 +               for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
37617 +                       if (depth == i) {
37618 +                               memcpy(path + pos, tmp->procname,
37619 +                                      strlen(tmp->procname));
37620 +                               pos += strlen(tmp->procname);
37621 +                       }
37622 +                       i++;
37623 +               }
37624 +       }
37625 +
37626 +       obj = gr_lookup_by_name(path, pos);
37627 +       err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
37628 +
37629 +       if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
37630 +                    ((err & mode) != mode))) {
37631 +               __u32 new_mode = mode;
37632 +
37633 +               new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37634 +
37635 +               err = 0;
37636 +               gr_log_learn_sysctl(path, new_mode);
37637 +       } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
37638 +               gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
37639 +               err = -ENOENT;
37640 +       } else if (!(err & GR_FIND)) {
37641 +               err = -ENOENT;
37642 +       } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
37643 +               gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
37644 +                              path, (mode & GR_READ) ? " reading" : "",
37645 +                              (mode & GR_WRITE) ? " writing" : "");
37646 +               err = -EACCES;
37647 +       } else if ((err & mode) != mode) {
37648 +               err = -EACCES;
37649 +       } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
37650 +               gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
37651 +                              path, (mode & GR_READ) ? " reading" : "",
37652 +                              (mode & GR_WRITE) ? " writing" : "");
37653 +               err = 0;
37654 +       } else
37655 +               err = 0;
37656 +
37657 +      out:
37658 +       preempt_enable();
37659 +
37660 +       return err;
37661 +}
37662 +#endif
37663 +
37664 +int
37665 +gr_handle_proc_ptrace(struct task_struct *task)
37666 +{
37667 +       struct file *filp;
37668 +       struct task_struct *tmp = task;
37669 +       struct task_struct *curtemp = current;
37670 +       __u32 retmode;
37671 +
37672 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37673 +       if (unlikely(!(gr_status & GR_READY)))
37674 +               return 0;
37675 +#endif
37676 +
37677 +       read_lock(&tasklist_lock);
37678 +       read_lock(&grsec_exec_file_lock);
37679 +       filp = task->exec_file;
37680 +
37681 +       while (tmp->pid > 0) {
37682 +               if (tmp == curtemp)
37683 +                       break;
37684 +               tmp = tmp->parent;
37685 +       }
37686 +
37687 +       if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37688 +                               ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
37689 +               read_unlock(&grsec_exec_file_lock);
37690 +               read_unlock(&tasklist_lock);
37691 +               return 1;
37692 +       }
37693 +
37694 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37695 +       if (!(gr_status & GR_READY)) {
37696 +               read_unlock(&grsec_exec_file_lock);
37697 +               read_unlock(&tasklist_lock);
37698 +               return 0;
37699 +       }
37700 +#endif
37701 +
37702 +       retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
37703 +       read_unlock(&grsec_exec_file_lock);
37704 +       read_unlock(&tasklist_lock);
37705 +
37706 +       if (retmode & GR_NOPTRACE)
37707 +               return 1;
37708 +
37709 +       if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
37710 +           && (current->acl != task->acl || (current->acl != current->role->root_label
37711 +           && current->pid != task->pid)))
37712 +               return 1;
37713 +
37714 +       return 0;
37715 +}
37716 +
37717 +int
37718 +gr_handle_ptrace(struct task_struct *task, const long request)
37719 +{
37720 +       struct task_struct *tmp = task;
37721 +       struct task_struct *curtemp = current;
37722 +       __u32 retmode;
37723 +
37724 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
37725 +       if (unlikely(!(gr_status & GR_READY)))
37726 +               return 0;
37727 +#endif
37728 +
37729 +       read_lock(&tasklist_lock);
37730 +       while (tmp->pid > 0) {
37731 +               if (tmp == curtemp)
37732 +                       break;
37733 +               tmp = tmp->parent;
37734 +       }
37735 +
37736 +       if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
37737 +                               ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
37738 +               read_unlock(&tasklist_lock);
37739 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37740 +               return 1;
37741 +       }
37742 +       read_unlock(&tasklist_lock);
37743 +
37744 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
37745 +       if (!(gr_status & GR_READY))
37746 +               return 0;
37747 +#endif
37748 +
37749 +       read_lock(&grsec_exec_file_lock);
37750 +       if (unlikely(!task->exec_file)) {
37751 +               read_unlock(&grsec_exec_file_lock);
37752 +               return 0;
37753 +       }
37754 +
37755 +       retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
37756 +       read_unlock(&grsec_exec_file_lock);
37757 +
37758 +       if (retmode & GR_NOPTRACE) {
37759 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37760 +               return 1;
37761 +       }
37762 +               
37763 +       if (retmode & GR_PTRACERD) {
37764 +               switch (request) {
37765 +               case PTRACE_POKETEXT:
37766 +               case PTRACE_POKEDATA:
37767 +               case PTRACE_POKEUSR:
37768 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
37769 +               case PTRACE_SETREGS:
37770 +               case PTRACE_SETFPREGS:
37771 +#endif
37772 +#ifdef CONFIG_X86
37773 +               case PTRACE_SETFPXREGS:
37774 +#endif
37775 +#ifdef CONFIG_ALTIVEC
37776 +               case PTRACE_SETVRREGS:
37777 +#endif
37778 +                       return 1;
37779 +               default:
37780 +                       return 0;
37781 +               }
37782 +       } else if (!(current->acl->mode & GR_POVERRIDE) &&
37783 +                  !(current->role->roletype & GR_ROLE_GOD) &&
37784 +                  (current->acl != task->acl)) {
37785 +               gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
37786 +               return 1;
37787 +       }
37788 +
37789 +       return 0;
37790 +}
37791 +
37792 +static int is_writable_mmap(const struct file *filp)
37793 +{
37794 +       struct task_struct *task = current;
37795 +       struct acl_object_label *obj, *obj2;
37796 +
37797 +       if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
37798 +           !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
37799 +               obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37800 +               obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
37801 +                                    task->role->root_label);
37802 +               if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
37803 +                       gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
37804 +                       return 1;
37805 +               }
37806 +       }
37807 +       return 0;
37808 +}
37809 +
37810 +int
37811 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
37812 +{
37813 +       __u32 mode;
37814 +
37815 +       if (unlikely(!file || !(prot & PROT_EXEC)))
37816 +               return 1;
37817 +
37818 +       if (is_writable_mmap(file))
37819 +               return 0;
37820 +
37821 +       mode =
37822 +           gr_search_file(file->f_path.dentry,
37823 +                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37824 +                          file->f_path.mnt);
37825 +
37826 +       if (!gr_tpe_allow(file))
37827 +               return 0;
37828 +
37829 +       if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37830 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37831 +               return 0;
37832 +       } else if (unlikely(!(mode & GR_EXEC))) {
37833 +               return 0;
37834 +       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37835 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37836 +               return 1;
37837 +       }
37838 +
37839 +       return 1;
37840 +}
37841 +
37842 +int
37843 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
37844 +{
37845 +       __u32 mode;
37846 +
37847 +       if (unlikely(!file || !(prot & PROT_EXEC)))
37848 +               return 1;
37849 +
37850 +       if (is_writable_mmap(file))
37851 +               return 0;
37852 +
37853 +       mode =
37854 +           gr_search_file(file->f_path.dentry,
37855 +                          GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
37856 +                          file->f_path.mnt);
37857 +
37858 +       if (!gr_tpe_allow(file))
37859 +               return 0;
37860 +
37861 +       if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
37862 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37863 +               return 0;
37864 +       } else if (unlikely(!(mode & GR_EXEC))) {
37865 +               return 0;
37866 +       } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
37867 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
37868 +               return 1;
37869 +       }
37870 +
37871 +       return 1;
37872 +}
37873 +
37874 +void
37875 +gr_acl_handle_psacct(struct task_struct *task, const long code)
37876 +{
37877 +       unsigned long runtime;
37878 +       unsigned long cputime;
37879 +       unsigned int wday, cday;
37880 +       __u8 whr, chr;
37881 +       __u8 wmin, cmin;
37882 +       __u8 wsec, csec;
37883 +       struct timespec timeval;
37884 +
37885 +       if (unlikely(!(gr_status & GR_READY) || !task->acl ||
37886 +                    !(task->acl->mode & GR_PROCACCT)))
37887 +               return;
37888 +
37889 +       do_posix_clock_monotonic_gettime(&timeval);
37890 +       runtime = timeval.tv_sec - task->start_time.tv_sec;
37891 +       wday = runtime / (3600 * 24);
37892 +       runtime -= wday * (3600 * 24);
37893 +       whr = runtime / 3600;
37894 +       runtime -= whr * 3600;
37895 +       wmin = runtime / 60;
37896 +       runtime -= wmin * 60;
37897 +       wsec = runtime;
37898 +
37899 +       cputime = (task->utime + task->stime) / HZ;
37900 +       cday = cputime / (3600 * 24);
37901 +       cputime -= cday * (3600 * 24);
37902 +       chr = cputime / 3600;
37903 +       cputime -= chr * 3600;
37904 +       cmin = cputime / 60;
37905 +       cputime -= cmin * 60;
37906 +       csec = cputime;
37907 +
37908 +       gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
37909 +
37910 +       return;
37911 +}
37912 +
37913 +void gr_set_kernel_label(struct task_struct *task)
37914 +{
37915 +       if (gr_status & GR_READY) {
37916 +               task->role = kernel_role;
37917 +               task->acl = kernel_role->root_label;
37918 +       }
37919 +       return;
37920 +}
37921 +
37922 +#ifdef CONFIG_TASKSTATS
37923 +int gr_is_taskstats_denied(int pid)
37924 +{
37925 +       struct task_struct *task;
37926 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37927 +       const struct cred *cred;
37928 +#endif
37929 +       int ret = 0;
37930 +
37931 +       /* restrict taskstats viewing to un-chrooted root users
37932 +          who have the 'view' subject flag if the RBAC system is enabled
37933 +       */
37934 +
37935 +       rcu_read_lock();
37936 +       read_lock(&tasklist_lock);
37937 +       task = find_task_by_vpid(pid);
37938 +       if (task) {
37939 +#ifdef CONFIG_GRKERNSEC_CHROOT
37940 +               if (proc_is_chrooted(task))
37941 +                       ret = -EACCES;
37942 +#endif
37943 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37944 +               cred = __task_cred(task);
37945 +#ifdef CONFIG_GRKERNSEC_PROC_USER
37946 +               if (cred->uid != 0)
37947 +                       ret = -EACCES;
37948 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
37949 +               if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
37950 +                       ret = -EACCES;
37951 +#endif
37952 +#endif
37953 +               if (gr_status & GR_READY) {
37954 +                       if (!(task->acl->mode & GR_VIEW))
37955 +                               ret = -EACCES;
37956 +               }
37957 +       } else
37958 +               ret = -ENOENT;
37959 +
37960 +       read_unlock(&tasklist_lock);
37961 +       rcu_read_unlock();
37962 +
37963 +       return ret;
37964 +}
37965 +#endif
37966 +
37967 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
37968 +{
37969 +       struct task_struct *task = current;
37970 +       struct dentry *dentry = file->f_path.dentry;
37971 +       struct vfsmount *mnt = file->f_path.mnt;
37972 +       struct acl_object_label *obj, *tmp;
37973 +       struct acl_subject_label *subj;
37974 +       unsigned int bufsize;
37975 +       int is_not_root;
37976 +       char *path;
37977 +
37978 +       if (unlikely(!(gr_status & GR_READY)))
37979 +               return 1;
37980 +
37981 +       if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37982 +               return 1;
37983 +
37984 +       /* ignore Eric Biederman */
37985 +       if (IS_PRIVATE(dentry->d_inode))
37986 +               return 1;
37987 +
37988 +       subj = task->acl;
37989 +       do {
37990 +               obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
37991 +               if (obj != NULL)
37992 +                       return (obj->mode & GR_FIND) ? 1 : 0;
37993 +       } while ((subj = subj->parent_subject));
37994 +       
37995 +       /* this is purely an optimization since we're looking for an object
37996 +          for the directory we're doing a readdir on
37997 +          if it's possible for any globbed object to match the entry we're
37998 +          filling into the directory, then the object we find here will be
37999 +          an anchor point with attached globbed objects
38000 +       */
38001 +       obj = chk_obj_label_noglob(dentry, mnt, task->acl);
38002 +       if (obj->globbed == NULL)
38003 +               return (obj->mode & GR_FIND) ? 1 : 0;
38004 +
38005 +       is_not_root = ((obj->filename[0] == '/') &&
38006 +                  (obj->filename[1] == '\0')) ? 0 : 1;
38007 +       bufsize = PAGE_SIZE - namelen - is_not_root;
38008 +
38009 +       /* check bufsize > PAGE_SIZE || bufsize == 0 */
38010 +       if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38011 +               return 1;
38012 +
38013 +       preempt_disable();
38014 +       path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38015 +                          bufsize);
38016 +
38017 +       bufsize = strlen(path);
38018 +
38019 +       /* if base is "/", don't append an additional slash */
38020 +       if (is_not_root)
38021 +               *(path + bufsize) = '/';
38022 +       memcpy(path + bufsize + is_not_root, name, namelen);
38023 +       *(path + bufsize + namelen + is_not_root) = '\0';
38024 +
38025 +       tmp = obj->globbed;
38026 +       while (tmp) {
38027 +               if (!glob_match(tmp->filename, path)) {
38028 +                       preempt_enable();
38029 +                       return (tmp->mode & GR_FIND) ? 1 : 0;
38030 +               }
38031 +               tmp = tmp->next;
38032 +       }
38033 +       preempt_enable();
38034 +       return (obj->mode & GR_FIND) ? 1 : 0;
38035 +}
38036 +
38037 +EXPORT_SYMBOL(gr_learn_resource);
38038 +EXPORT_SYMBOL(gr_set_kernel_label);
38039 +#ifdef CONFIG_SECURITY
38040 +EXPORT_SYMBOL(gr_check_user_change);
38041 +EXPORT_SYMBOL(gr_check_group_change);
38042 +#endif
38043 +
38044 diff -urNp linux-2.6.35.5/grsecurity/gracl_cap.c linux-2.6.35.5/grsecurity/gracl_cap.c
38045 --- linux-2.6.35.5/grsecurity/gracl_cap.c       1969-12-31 19:00:00.000000000 -0500
38046 +++ linux-2.6.35.5/grsecurity/gracl_cap.c       2010-09-17 20:12:37.000000000 -0400
38047 @@ -0,0 +1,138 @@
38048 +#include <linux/kernel.h>
38049 +#include <linux/module.h>
38050 +#include <linux/sched.h>
38051 +#include <linux/gracl.h>
38052 +#include <linux/grsecurity.h>
38053 +#include <linux/grinternal.h>
38054 +
38055 +static const char *captab_log[] = {
38056 +       "CAP_CHOWN",
38057 +       "CAP_DAC_OVERRIDE",
38058 +       "CAP_DAC_READ_SEARCH",
38059 +       "CAP_FOWNER",
38060 +       "CAP_FSETID",
38061 +       "CAP_KILL",
38062 +       "CAP_SETGID",
38063 +       "CAP_SETUID",
38064 +       "CAP_SETPCAP",
38065 +       "CAP_LINUX_IMMUTABLE",
38066 +       "CAP_NET_BIND_SERVICE",
38067 +       "CAP_NET_BROADCAST",
38068 +       "CAP_NET_ADMIN",
38069 +       "CAP_NET_RAW",
38070 +       "CAP_IPC_LOCK",
38071 +       "CAP_IPC_OWNER",
38072 +       "CAP_SYS_MODULE",
38073 +       "CAP_SYS_RAWIO",
38074 +       "CAP_SYS_CHROOT",
38075 +       "CAP_SYS_PTRACE",
38076 +       "CAP_SYS_PACCT",
38077 +       "CAP_SYS_ADMIN",
38078 +       "CAP_SYS_BOOT",
38079 +       "CAP_SYS_NICE",
38080 +       "CAP_SYS_RESOURCE",
38081 +       "CAP_SYS_TIME",
38082 +       "CAP_SYS_TTY_CONFIG",
38083 +       "CAP_MKNOD",
38084 +       "CAP_LEASE",
38085 +       "CAP_AUDIT_WRITE",
38086 +       "CAP_AUDIT_CONTROL",
38087 +       "CAP_SETFCAP",
38088 +       "CAP_MAC_OVERRIDE",
38089 +       "CAP_MAC_ADMIN"
38090 +};
38091 +
38092 +EXPORT_SYMBOL(gr_is_capable);
38093 +EXPORT_SYMBOL(gr_is_capable_nolog);
38094 +
38095 +int
38096 +gr_is_capable(const int cap)
38097 +{
38098 +       struct task_struct *task = current;
38099 +       const struct cred *cred = current_cred();
38100 +       struct acl_subject_label *curracl;
38101 +       kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38102 +       kernel_cap_t cap_audit = __cap_empty_set;
38103 +
38104 +       if (!gr_acl_is_enabled())
38105 +               return 1;
38106 +
38107 +       curracl = task->acl;
38108 +
38109 +       cap_drop = curracl->cap_lower;
38110 +       cap_mask = curracl->cap_mask;
38111 +       cap_audit = curracl->cap_invert_audit;
38112 +
38113 +       while ((curracl = curracl->parent_subject)) {
38114 +               /* if the cap isn't specified in the current computed mask but is specified in the
38115 +                  current level subject, and is lowered in the current level subject, then add
38116 +                  it to the set of dropped capabilities
38117 +                  otherwise, add the current level subject's mask to the current computed mask
38118 +                */
38119 +               if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38120 +                       cap_raise(cap_mask, cap);
38121 +                       if (cap_raised(curracl->cap_lower, cap))
38122 +                               cap_raise(cap_drop, cap);
38123 +                       if (cap_raised(curracl->cap_invert_audit, cap))
38124 +                               cap_raise(cap_audit, cap);
38125 +               }
38126 +       }
38127 +
38128 +       if (!cap_raised(cap_drop, cap)) {
38129 +               if (cap_raised(cap_audit, cap))
38130 +                       gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
38131 +               return 1;
38132 +       }
38133 +
38134 +       curracl = task->acl;
38135 +
38136 +       if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
38137 +           && cap_raised(cred->cap_effective, cap)) {
38138 +               security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38139 +                              task->role->roletype, cred->uid,
38140 +                              cred->gid, task->exec_file ?
38141 +                              gr_to_filename(task->exec_file->f_path.dentry,
38142 +                              task->exec_file->f_path.mnt) : curracl->filename,
38143 +                              curracl->filename, 0UL,
38144 +                              0UL, "", (unsigned long) cap, &task->signal->curr_ip);
38145 +               return 1;
38146 +       }
38147 +
38148 +       if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
38149 +               gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
38150 +       return 0;
38151 +}
38152 +
38153 +int
38154 +gr_is_capable_nolog(const int cap)
38155 +{
38156 +       struct acl_subject_label *curracl;
38157 +       kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38158 +
38159 +       if (!gr_acl_is_enabled())
38160 +               return 1;
38161 +
38162 +       curracl = current->acl;
38163 +
38164 +       cap_drop = curracl->cap_lower;
38165 +       cap_mask = curracl->cap_mask;
38166 +
38167 +       while ((curracl = curracl->parent_subject)) {
38168 +               /* if the cap isn't specified in the current computed mask but is specified in the
38169 +                  current level subject, and is lowered in the current level subject, then add
38170 +                  it to the set of dropped capabilities
38171 +                  otherwise, add the current level subject's mask to the current computed mask
38172 +                */
38173 +               if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38174 +                       cap_raise(cap_mask, cap);
38175 +                       if (cap_raised(curracl->cap_lower, cap))
38176 +                               cap_raise(cap_drop, cap);
38177 +               }
38178 +       }
38179 +
38180 +       if (!cap_raised(cap_drop, cap))
38181 +               return 1;
38182 +
38183 +       return 0;
38184 +}
38185 +
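Review bot: In `gr_is_capable`, the audit branch under `if (!cap_raised(cap_drop, cap))` reads `captab_log[cap]` with no range check, while the denial branch at the end of the same function guards the same lookup with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. If a capability number beyond the 34 names in the table ever reaches this function (for instance once the kernel gains a capability the table does not list), the audit path reads past the array and passes that pointer to `gr_log_cap`. Apply the same guard on the audit path, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`. A `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1);` inside the function would also make a stale table fail at build time rather than at log time.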
38186 diff -urNp linux-2.6.35.5/grsecurity/gracl_fs.c linux-2.6.35.5/grsecurity/gracl_fs.c
38187 --- linux-2.6.35.5/grsecurity/gracl_fs.c        1969-12-31 19:00:00.000000000 -0500
38188 +++ linux-2.6.35.5/grsecurity/gracl_fs.c        2010-09-17 20:12:37.000000000 -0400
38189 @@ -0,0 +1,424 @@
38190 +#include <linux/kernel.h>
38191 +#include <linux/sched.h>
38192 +#include <linux/types.h>
38193 +#include <linux/fs.h>
38194 +#include <linux/file.h>
38195 +#include <linux/stat.h>
38196 +#include <linux/grsecurity.h>
38197 +#include <linux/grinternal.h>
38198 +#include <linux/gracl.h>
38199 +
38200 +__u32
38201 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38202 +                         const struct vfsmount * mnt)
38203 +{
38204 +       __u32 mode;
38205 +
38206 +       if (unlikely(!dentry->d_inode))
38207 +               return GR_FIND;
38208 +
38209 +       mode =
38210 +           gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38211 +
38212 +       if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38213 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38214 +               return mode;
38215 +       } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38216 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38217 +               return 0;
38218 +       } else if (unlikely(!(mode & GR_FIND)))
38219 +               return 0;
38220 +
38221 +       return GR_FIND;
38222 +}
38223 +
38224 +__u32
38225 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38226 +                  const int fmode)
38227 +{
38228 +       __u32 reqmode = GR_FIND;
38229 +       __u32 mode;
38230 +
38231 +       if (unlikely(!dentry->d_inode))
38232 +               return reqmode;
38233 +
38234 +       if (unlikely(fmode & O_APPEND))
38235 +               reqmode |= GR_APPEND;
38236 +       else if (unlikely(fmode & FMODE_WRITE))
38237 +               reqmode |= GR_WRITE;
38238 +       if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38239 +               reqmode |= GR_READ;
38240 +       if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
38241 +               reqmode &= ~GR_READ;
38242 +       mode =
38243 +           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38244 +                          mnt);
38245 +
38246 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38247 +               gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38248 +                              reqmode & GR_READ ? " reading" : "",
38249 +                              reqmode & GR_WRITE ? " writing" : reqmode &
38250 +                              GR_APPEND ? " appending" : "");
38251 +               return reqmode;
38252 +       } else
38253 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38254 +       {
38255 +               gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
38256 +                              reqmode & GR_READ ? " reading" : "",
38257 +                              reqmode & GR_WRITE ? " writing" : reqmode &
38258 +                              GR_APPEND ? " appending" : "");
38259 +               return 0;
38260 +       } else if (unlikely((mode & reqmode) != reqmode))
38261 +               return 0;
38262 +
38263 +       return reqmode;
38264 +}
38265 +
38266 +__u32
38267 +gr_acl_handle_creat(const struct dentry * dentry,
38268 +                   const struct dentry * p_dentry,
38269 +                   const struct vfsmount * p_mnt, const int fmode,
38270 +                   const int imode)
38271 +{
38272 +       __u32 reqmode = GR_WRITE | GR_CREATE;
38273 +       __u32 mode;
38274 +
38275 +       if (unlikely(fmode & O_APPEND))
38276 +               reqmode |= GR_APPEND;
38277 +       if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38278 +               reqmode |= GR_READ;
38279 +       if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
38280 +               reqmode |= GR_SETID;
38281 +
38282 +       mode =
38283 +           gr_check_create(dentry, p_dentry, p_mnt,
38284 +                           reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38285 +
38286 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38287 +               gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38288 +                              reqmode & GR_READ ? " reading" : "",
38289 +                              reqmode & GR_WRITE ? " writing" : reqmode &
38290 +                              GR_APPEND ? " appending" : "");
38291 +               return reqmode;
38292 +       } else
38293 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38294 +       {
38295 +               gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
38296 +                              reqmode & GR_READ ? " reading" : "",
38297 +                              reqmode & GR_WRITE ? " writing" : reqmode &
38298 +                              GR_APPEND ? " appending" : "");
38299 +               return 0;
38300 +       } else if (unlikely((mode & reqmode) != reqmode))
38301 +               return 0;
38302 +
38303 +       return reqmode;
38304 +}
38305 +
38306 +__u32
38307 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
38308 +                    const int fmode)
38309 +{
38310 +       __u32 mode, reqmode = GR_FIND;
38311 +
38312 +       if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
38313 +               reqmode |= GR_EXEC;
38314 +       if (fmode & S_IWOTH)
38315 +               reqmode |= GR_WRITE;
38316 +       if (fmode & S_IROTH)
38317 +               reqmode |= GR_READ;
38318 +
38319 +       mode =
38320 +           gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
38321 +                          mnt);
38322 +
38323 +       if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
38324 +               gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38325 +                              reqmode & GR_READ ? " reading" : "",
38326 +                              reqmode & GR_WRITE ? " writing" : "",
38327 +                              reqmode & GR_EXEC ? " executing" : "");
38328 +               return reqmode;
38329 +       } else
38330 +           if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
38331 +       {
38332 +               gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
38333 +                              reqmode & GR_READ ? " reading" : "",
38334 +                              reqmode & GR_WRITE ? " writing" : "",
38335 +                              reqmode & GR_EXEC ? " executing" : "");
38336 +               return 0;
38337 +       } else if (unlikely((mode & reqmode) != reqmode))
38338 +               return 0;
38339 +
38340 +       return reqmode;
38341 +}
38342 +
38343 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
38344 +{
38345 +       __u32 mode;
38346 +
38347 +       mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
38348 +
38349 +       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38350 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
38351 +               return mode;
38352 +       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38353 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
38354 +               return 0;
38355 +       } else if (unlikely((mode & (reqmode)) != (reqmode)))
38356 +               return 0;
38357 +
38358 +       return (reqmode);
38359 +}
38360 +
38361 +__u32
38362 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
38363 +{
38364 +       return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
38365 +}
38366 +
38367 +__u32
38368 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
38369 +{
38370 +       return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
38371 +}
38372 +
38373 +__u32
38374 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
38375 +{
38376 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
38377 +}
38378 +
38379 +__u32
38380 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
38381 +{
38382 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
38383 +}
38384 +
38385 +__u32
38386 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
38387 +                    mode_t mode)
38388 +{
38389 +       if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
38390 +               return 1;
38391 +
38392 +       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38393 +               return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38394 +                                  GR_FCHMOD_ACL_MSG);
38395 +       } else {
38396 +               return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
38397 +       }
38398 +}
38399 +
38400 +__u32
38401 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
38402 +                   mode_t mode)
38403 +{
38404 +       if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
38405 +               return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
38406 +                                  GR_CHMOD_ACL_MSG);
38407 +       } else {
38408 +               return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
38409 +       }
38410 +}
38411 +
38412 +__u32
38413 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
38414 +{
38415 +       return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
38416 +}
38417 +
38418 +__u32
38419 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
38420 +{
38421 +       return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
38422 +}
38423 +
38424 +__u32
38425 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
38426 +{
38427 +       return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
38428 +                          GR_UNIXCONNECT_ACL_MSG);
38429 +}
38430 +
38431 +/* hardlinks require at minimum create permission,
38432 +   any additional privilege required is based on the
38433 +   privilege of the file being linked to
38434 +*/
38435 +__u32
38436 +gr_acl_handle_link(const struct dentry * new_dentry,
38437 +                  const struct dentry * parent_dentry,
38438 +                  const struct vfsmount * parent_mnt,
38439 +                  const struct dentry * old_dentry,
38440 +                  const struct vfsmount * old_mnt, const char *to)
38441 +{
38442 +       __u32 mode;
38443 +       __u32 needmode = GR_CREATE | GR_LINK;
38444 +       __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
38445 +
38446 +       mode =
38447 +           gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
38448 +                         old_mnt);
38449 +
38450 +       if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
38451 +               gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38452 +               return mode;
38453 +       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38454 +               gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
38455 +               return 0;
38456 +       } else if (unlikely((mode & needmode) != needmode))
38457 +               return 0;
38458 +
38459 +       return 1;
38460 +}
38461 +
38462 +__u32
38463 +gr_acl_handle_symlink(const struct dentry * new_dentry,
38464 +                     const struct dentry * parent_dentry,
38465 +                     const struct vfsmount * parent_mnt, const char *from)
38466 +{
38467 +       __u32 needmode = GR_WRITE | GR_CREATE;
38468 +       __u32 mode;
38469 +
38470 +       mode =
38471 +           gr_check_create(new_dentry, parent_dentry, parent_mnt,
38472 +                           GR_CREATE | GR_AUDIT_CREATE |
38473 +                           GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
38474 +
38475 +       if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
38476 +               gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38477 +               return mode;
38478 +       } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
38479 +               gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
38480 +               return 0;
38481 +       } else if (unlikely((mode & needmode) != needmode))
38482 +               return 0;
38483 +
38484 +       return (GR_WRITE | GR_CREATE);
38485 +}
38486 +
38487 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
38488 +{
38489 +       __u32 mode;
38490 +
38491 +       mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
38492 +
38493 +       if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
38494 +               gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
38495 +               return mode;
38496 +       } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
38497 +               gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
38498 +               return 0;
38499 +       } else if (unlikely((mode & (reqmode)) != (reqmode)))
38500 +               return 0;
38501 +
38502 +       return (reqmode);
38503 +}
38504 +
38505 +__u32
38506 +gr_acl_handle_mknod(const struct dentry * new_dentry,
38507 +                   const struct dentry * parent_dentry,
38508 +                   const struct vfsmount * parent_mnt,
38509 +                   const int mode)
38510 +{
38511 +       __u32 reqmode = GR_WRITE | GR_CREATE;
38512 +       if (unlikely(mode & (S_ISUID | S_ISGID)))
38513 +               reqmode |= GR_SETID;
38514 +
38515 +       return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38516 +                                 reqmode, GR_MKNOD_ACL_MSG);
38517 +}
38518 +
38519 +__u32
38520 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
38521 +                   const struct dentry *parent_dentry,
38522 +                   const struct vfsmount *parent_mnt)
38523 +{
38524 +       return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
38525 +                                 GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
38526 +}
38527 +
38528 +#define RENAME_CHECK_SUCCESS(old, new) \
38529 +       (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
38530 +        ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
38531 +
38532 +int
38533 +gr_acl_handle_rename(struct dentry *new_dentry,
38534 +                    struct dentry *parent_dentry,
38535 +                    const struct vfsmount *parent_mnt,
38536 +                    struct dentry *old_dentry,
38537 +                    struct inode *old_parent_inode,
38538 +                    struct vfsmount *old_mnt, const char *newname)
38539 +{
38540 +       __u32 comp1, comp2;
38541 +       int error = 0;
38542 +
38543 +       if (unlikely(!gr_acl_is_enabled()))
38544 +               return 0;
38545 +
38546 +       if (!new_dentry->d_inode) {
38547 +               comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
38548 +                                       GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
38549 +                                       GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
38550 +               comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
38551 +                                      GR_DELETE | GR_AUDIT_DELETE |
38552 +                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
38553 +                                      GR_SUPPRESS, old_mnt);
38554 +       } else {
38555 +               comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
38556 +                                      GR_CREATE | GR_DELETE |
38557 +                                      GR_AUDIT_CREATE | GR_AUDIT_DELETE |
38558 +                                      GR_AUDIT_READ | GR_AUDIT_WRITE |
38559 +                                      GR_SUPPRESS, parent_mnt);
38560 +               comp2 =
38561 +                   gr_search_file(old_dentry,
38562 +                                  GR_READ | GR_WRITE | GR_AUDIT_READ |
38563 +                                  GR_DELETE | GR_AUDIT_DELETE |
38564 +                                  GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
38565 +       }
38566 +
38567 +       if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
38568 +           ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
38569 +               gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38570 +       else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
38571 +                && !(comp2 & GR_SUPPRESS)) {
38572 +               gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
38573 +               error = -EACCES;
38574 +       } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
38575 +               error = -EACCES;
38576 +
38577 +       return error;
38578 +}
38579 +
38580 +void
38581 +gr_acl_handle_exit(void)
38582 +{
38583 +       u16 id;
38584 +       char *rolename;
38585 +       struct file *exec_file;
38586 +
38587 +       if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
38588 +               id = current->acl_role_id;
38589 +               rolename = current->role->rolename;
38590 +               gr_set_acls(1);
38591 +               gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
38592 +       }
38593 +
38594 +       write_lock(&grsec_exec_file_lock);
38595 +       exec_file = current->exec_file;
38596 +       current->exec_file = NULL;
38597 +       write_unlock(&grsec_exec_file_lock);
38598 +
38599 +       if (exec_file)
38600 +               fput(exec_file);
38601 +}
38602 +
38603 +int
38604 +gr_acl_handle_procpidmem(const struct task_struct *task)
38605 +{
38606 +       if (unlikely(!gr_acl_is_enabled()))
38607 +               return 0;
38608 +
38609 +       if (task != current && task->acl->mode & GR_PROTPROCFD)
38610 +               return -EACCES;
38611 +
38612 +       return 0;
38613 +}
38614 diff -urNp linux-2.6.35.5/grsecurity/gracl_ip.c linux-2.6.35.5/grsecurity/gracl_ip.c
38615 --- linux-2.6.35.5/grsecurity/gracl_ip.c        1969-12-31 19:00:00.000000000 -0500
38616 +++ linux-2.6.35.5/grsecurity/gracl_ip.c        2010-09-17 20:12:37.000000000 -0400
38617 @@ -0,0 +1,339 @@
38618 +#include <linux/kernel.h>
38619 +#include <asm/uaccess.h>
38620 +#include <asm/errno.h>
38621 +#include <net/sock.h>
38622 +#include <linux/file.h>
38623 +#include <linux/fs.h>
38624 +#include <linux/net.h>
38625 +#include <linux/in.h>
38626 +#include <linux/skbuff.h>
38627 +#include <linux/ip.h>
38628 +#include <linux/udp.h>
38629 +#include <linux/smp_lock.h>
38630 +#include <linux/types.h>
38631 +#include <linux/sched.h>
38632 +#include <linux/netdevice.h>
38633 +#include <linux/inetdevice.h>
38634 +#include <linux/gracl.h>
38635 +#include <linux/grsecurity.h>
38636 +#include <linux/grinternal.h>
38637 +
38638 +#define GR_BIND                        0x01
38639 +#define GR_CONNECT             0x02
38640 +#define GR_INVERT              0x04
38641 +#define GR_BINDOVERRIDE                0x08
38642 +#define GR_CONNECTOVERRIDE     0x10
38643 +
38644 +static const char * gr_protocols[256] = {
38645 +       "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
38646 +       "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
38647 +       "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
38648 +       "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
38649 +       "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
38650 +       "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
38651 +       "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
38652 +       "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
38653 +       "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
38654 +       "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak", 
38655 +       "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf", 
38656 +       "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
38657 +       "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
38658 +       "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
38659 +       "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
38660 +       "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
38661 +       "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
38662 +       "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
38663 +       "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
38664 +       "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
38665 +       "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
38666 +       "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
38667 +       "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
38668 +       "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
38669 +       "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
38670 +       "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
38671 +       "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
38672 +       "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
38673 +       "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
38674 +       "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
38675 +       "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
38676 +       "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
38677 +       };
38678 +
38679 +static const char * gr_socktypes[11] = {
38680 +       "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6", 
38681 +       "unknown:7", "unknown:8", "unknown:9", "packet"
38682 +       };
38683 +
38684 +const char *
38685 +gr_proto_to_name(unsigned char proto)
38686 +{
38687 +       return gr_protocols[proto];
38688 +}
38689 +
38690 +const char *
38691 +gr_socktype_to_name(unsigned char type)
38692 +{
38693 +       return gr_socktypes[type];
38694 +}
38695 +
38696 +int
38697 +gr_search_socket(const int domain, const int type, const int protocol)
38698 +{
38699 +       struct acl_subject_label *curr;
38700 +       const struct cred *cred = current_cred();
38701 +
38702 +       if (unlikely(!gr_acl_is_enabled()))
38703 +               goto exit;
38704 +
38705 +       if ((domain < 0) || (type < 0) || (protocol < 0) || (domain != PF_INET)
38706 +           || (domain >= NPROTO) || (type >= SOCK_MAX) || (protocol > 255))
38707 +               goto exit;      // let the kernel handle it
38708 +
38709 +       curr = current->acl;
38710 +
38711 +       if (!curr->ips)
38712 +               goto exit;
38713 +
38714 +       if ((curr->ip_type & (1 << type)) &&
38715 +           (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
38716 +               goto exit;
38717 +
38718 +       if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38719 +               /* we don't place acls on raw sockets , and sometimes
38720 +                  dgram/ip sockets are opened for ioctl and not
38721 +                  bind/connect, so we'll fake a bind learn log */
38722 +               if (type == SOCK_RAW || type == SOCK_PACKET) {
38723 +                       __u32 fakeip = 0;
38724 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38725 +                                      current->role->roletype, cred->uid,
38726 +                                      cred->gid, current->exec_file ?
38727 +                                      gr_to_filename(current->exec_file->f_path.dentry,
38728 +                                      current->exec_file->f_path.mnt) :
38729 +                                      curr->filename, curr->filename,
38730 +                                      &fakeip, 0, type,
38731 +                                      protocol, GR_CONNECT, &current->signal->curr_ip);
38732 +               } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
38733 +                       __u32 fakeip = 0;
38734 +                       security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38735 +                                      current->role->roletype, cred->uid,
38736 +                                      cred->gid, current->exec_file ?
38737 +                                      gr_to_filename(current->exec_file->f_path.dentry,
38738 +                                      current->exec_file->f_path.mnt) :
38739 +                                      curr->filename, curr->filename,
38740 +                                      &fakeip, 0, type,
38741 +                                      protocol, GR_BIND, &current->signal->curr_ip);
38742 +               }
38743 +               /* we'll log when they use connect or bind */
38744 +               goto exit;
38745 +       }
38746 +
38747 +       gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, "inet", 
38748 +                   gr_socktype_to_name(type), gr_proto_to_name(protocol));
38749 +
38750 +       return 0;
38751 +      exit:
38752 +       return 1;
38753 +}
38754 +
38755 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
38756 +{
38757 +       if ((ip->mode & mode) &&
38758 +           (ip_port >= ip->low) &&
38759 +           (ip_port <= ip->high) &&
38760 +           ((ntohl(ip_addr) & our_netmask) ==
38761 +            (ntohl(our_addr) & our_netmask))
38762 +           && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
38763 +           && (ip->type & (1 << type))) {
38764 +               if (ip->mode & GR_INVERT)
38765 +                       return 2; // specifically denied
38766 +               else
38767 +                       return 1; // allowed
38768 +       }
38769 +
38770 +       return 0; // not specifically allowed, may continue parsing
38771 +}
38772 +
38773 +static int
38774 +gr_search_connectbind(const int full_mode, struct sock *sk,
38775 +                     struct sockaddr_in *addr, const int type)
38776 +{
38777 +       char iface[IFNAMSIZ] = {0};
38778 +       struct acl_subject_label *curr;
38779 +       struct acl_ip_label *ip;
38780 +       struct inet_sock *isk;
38781 +       struct net_device *dev;
38782 +       struct in_device *idev;
38783 +       unsigned long i;
38784 +       int ret;
38785 +       int mode = full_mode & (GR_BIND | GR_CONNECT);
38786 +       __u32 ip_addr = 0;
38787 +       __u32 our_addr;
38788 +       __u32 our_netmask;
38789 +       char *p;
38790 +       __u16 ip_port = 0;
38791 +       const struct cred *cred = current_cred();
38792 +
38793 +       if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
38794 +               return 0;
38795 +
38796 +       curr = current->acl;
38797 +       isk = inet_sk(sk);
38798 +
38799 +       /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
38800 +       if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
38801 +               addr->sin_addr.s_addr = curr->inaddr_any_override;
38802 +       if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
38803 +               struct sockaddr_in saddr;
38804 +               int err;
38805 +
38806 +               saddr.sin_family = AF_INET;
38807 +               saddr.sin_addr.s_addr = curr->inaddr_any_override;
38808 +               saddr.sin_port = isk->inet_sport;
38809 +
38810 +               err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38811 +               if (err)
38812 +                       return err;
38813 +
38814 +               err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
38815 +               if (err)
38816 +                       return err;
38817 +       }
38818 +
38819 +       if (!curr->ips)
38820 +               return 0;
38821 +
38822 +       ip_addr = addr->sin_addr.s_addr;
38823 +       ip_port = ntohs(addr->sin_port);
38824 +
38825 +       if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
38826 +               security_learn(GR_IP_LEARN_MSG, current->role->rolename,
38827 +                              current->role->roletype, cred->uid,
38828 +                              cred->gid, current->exec_file ?
38829 +                              gr_to_filename(current->exec_file->f_path.dentry,
38830 +                              current->exec_file->f_path.mnt) :
38831 +                              curr->filename, curr->filename,
38832 +                              &ip_addr, ip_port, type,
38833 +                              sk->sk_protocol, mode, &current->signal->curr_ip);
38834 +               return 0;
38835 +       }
38836 +
38837 +       for (i = 0; i < curr->ip_num; i++) {
38838 +               ip = *(curr->ips + i);
38839 +               if (ip->iface != NULL) {
38840 +                       strncpy(iface, ip->iface, IFNAMSIZ - 1);
38841 +                       p = strchr(iface, ':');
38842 +                       if (p != NULL)
38843 +                               *p = '\0';
38844 +                       dev = dev_get_by_name(sock_net(sk), iface);
38845 +                       if (dev == NULL)
38846 +                               continue;
38847 +                       idev = in_dev_get(dev);
38848 +                       if (idev == NULL) {
38849 +                               dev_put(dev);
38850 +                               continue;
38851 +                       }
38852 +                       rcu_read_lock();
38853 +                       for_ifa(idev) {
38854 +                               if (!strcmp(ip->iface, ifa->ifa_label)) {
38855 +                                       our_addr = ifa->ifa_address;
38856 +                                       our_netmask = 0xffffffff;
38857 +                                       ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38858 +                                       if (ret == 1) {
38859 +                                               rcu_read_unlock();
38860 +                                               in_dev_put(idev);
38861 +                                               dev_put(dev);
38862 +                                               return 0;
38863 +                                       } else if (ret == 2) {
38864 +                                               rcu_read_unlock();
38865 +                                               in_dev_put(idev);
38866 +                                               dev_put(dev);
38867 +                                               goto denied;
38868 +                                       }
38869 +                               }
38870 +                       } endfor_ifa(idev);
38871 +                       rcu_read_unlock();
38872 +                       in_dev_put(idev);
38873 +                       dev_put(dev);
38874 +               } else {
38875 +                       our_addr = ip->addr;
38876 +                       our_netmask = ip->netmask;
38877 +                       ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
38878 +                       if (ret == 1)
38879 +                               return 0;
38880 +                       else if (ret == 2)
38881 +                               goto denied;
38882 +               }
38883 +       }
38884 +
38885 +denied:
38886 +       if (mode == GR_BIND)
38887 +               gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38888 +       else if (mode == GR_CONNECT)
38889 +               gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
38890 +
38891 +       return -EACCES;
38892 +}
38893 +
38894 +int
38895 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
38896 +{
38897 +       return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
38898 +}
38899 +
38900 +int
38901 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
38902 +{
38903 +       return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
38904 +}
38905 +
38906 +int gr_search_listen(struct socket *sock)
38907 +{
38908 +       struct sock *sk = sock->sk;
38909 +       struct sockaddr_in addr;
38910 +
38911 +       addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38912 +       addr.sin_port = inet_sk(sk)->inet_sport;
38913 +
38914 +       return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38915 +}
38916 +
38917 +int gr_search_accept(struct socket *sock)
38918 +{
38919 +       struct sock *sk = sock->sk;
38920 +       struct sockaddr_in addr;
38921 +
38922 +       addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
38923 +       addr.sin_port = inet_sk(sk)->inet_sport;
38924 +
38925 +       return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
38926 +}
38927 +
38928 +int
38929 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
38930 +{
38931 +       if (addr)
38932 +               return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
38933 +       else {
38934 +               struct sockaddr_in sin;
38935 +               const struct inet_sock *inet = inet_sk(sk);
38936 +
38937 +               sin.sin_addr.s_addr = inet->inet_daddr;
38938 +               sin.sin_port = inet->inet_dport;
38939 +
38940 +               return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38941 +       }
38942 +}
38943 +
38944 +int
38945 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
38946 +{
38947 +       struct sockaddr_in sin;
38948 +
38949 +       if (unlikely(skb->len < sizeof (struct udphdr)))
38950 +               return 0;       // skip this packet
38951 +
38952 +       sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
38953 +       sin.sin_port = udp_hdr(skb)->source;
38954 +
38955 +       return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
38956 +}
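Review bot: In gr_search_connectbind() the implicit-bind branch tests `full_mode & GR_CONNECT`, so the GR_CONNECTOVERRIDE bit that the callers set is never read anywhere in this file. As written, the explicit-address path of gr_search_udp_sendmsg() (plain GR_CONNECT) still triggers the inaddr_any_override bind, while the `GR_BIND | GR_CONNECTOVERRIDE` passed by gr_search_listen() and gr_search_accept() has no effect. If the flag is meant to gate the override, the condition should start `if ((full_mode & GR_CONNECTOVERRIDE) && isk->inet_saddr == htonl(INADDR_ANY) && ...`, and the listen/accept callers need rechecking because they would then take that branch; otherwise the unused flag should be dropped. Separately, gr_socktype_to_name() indexes the 11-entry gr_socktypes table with an unchecked `unsigned char`, so a guard such as `if (type >= ARRAY_SIZE(gr_socktypes)) return "unknown";` would keep the logging path inside the table.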
38957 diff -urNp linux-2.6.35.5/grsecurity/gracl_learn.c linux-2.6.35.5/grsecurity/gracl_learn.c
38958 --- linux-2.6.35.5/grsecurity/gracl_learn.c     1969-12-31 19:00:00.000000000 -0500
38959 +++ linux-2.6.35.5/grsecurity/gracl_learn.c     2010-09-17 20:12:37.000000000 -0400
38960 @@ -0,0 +1,211 @@
38961 +#include <linux/kernel.h>
38962 +#include <linux/mm.h>
38963 +#include <linux/sched.h>
38964 +#include <linux/poll.h>
38965 +#include <linux/smp_lock.h>
38966 +#include <linux/string.h>
38967 +#include <linux/file.h>
38968 +#include <linux/types.h>
38969 +#include <linux/vmalloc.h>
38970 +#include <linux/grinternal.h>
38971 +
38972 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
38973 +                                  size_t count, loff_t *ppos);
38974 +extern int gr_acl_is_enabled(void);
38975 +
38976 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
38977 +static int gr_learn_attached;
38978 +
38979 +/* use a 512k buffer */
38980 +#define LEARN_BUFFER_SIZE (512 * 1024)
38981 +
38982 +static DEFINE_SPINLOCK(gr_learn_lock);
38983 +static DECLARE_MUTEX(gr_learn_user_sem);
38984 +
38985 +/* we need to maintain two buffers, so that the kernel context of grlearn
38986 +   uses a semaphore around the userspace copying, and the other kernel contexts
38987 +   use a spinlock when copying into the buffer, since they cannot sleep
38988 +*/
38989 +static char *learn_buffer;
38990 +static char *learn_buffer_user;
38991 +static int learn_buffer_len;
38992 +static int learn_buffer_user_len;
38993 +
38994 +static ssize_t
38995 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
38996 +{
38997 +       DECLARE_WAITQUEUE(wait, current);
38998 +       ssize_t retval = 0;
38999 +
39000 +       add_wait_queue(&learn_wait, &wait);
39001 +       set_current_state(TASK_INTERRUPTIBLE);
39002 +       do {
39003 +               down(&gr_learn_user_sem);
39004 +               spin_lock(&gr_learn_lock);
39005 +               if (learn_buffer_len)
39006 +                       break;
39007 +               spin_unlock(&gr_learn_lock);
39008 +               up(&gr_learn_user_sem);
39009 +               if (file->f_flags & O_NONBLOCK) {
39010 +                       retval = -EAGAIN;
39011 +                       goto out;
39012 +               }
39013 +               if (signal_pending(current)) {
39014 +                       retval = -ERESTARTSYS;
39015 +                       goto out;
39016 +               }
39017 +
39018 +               schedule();
39019 +       } while (1);
39020 +
39021 +       memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
39022 +       learn_buffer_user_len = learn_buffer_len;
39023 +       retval = learn_buffer_len;
39024 +       learn_buffer_len = 0;
39025 +
39026 +       spin_unlock(&gr_learn_lock);
39027 +
39028 +       if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
39029 +               retval = -EFAULT;
39030 +
39031 +       up(&gr_learn_user_sem);
39032 +out:
39033 +       set_current_state(TASK_RUNNING);
39034 +       remove_wait_queue(&learn_wait, &wait);
39035 +       return retval;
39036 +}
39037 +
39038 +static unsigned int
39039 +poll_learn(struct file * file, poll_table * wait)
39040 +{
39041 +       poll_wait(file, &learn_wait, wait);
39042 +
39043 +       if (learn_buffer_len)
39044 +               return (POLLIN | POLLRDNORM);
39045 +
39046 +       return 0;
39047 +}
39048 +
39049 +void
39050 +gr_clear_learn_entries(void)
39051 +{
39052 +       char *tmp;
39053 +
39054 +       down(&gr_learn_user_sem);
39055 +       if (learn_buffer != NULL) {
39056 +               spin_lock(&gr_learn_lock);
39057 +               tmp = learn_buffer;
39058 +               learn_buffer = NULL;
39059 +               spin_unlock(&gr_learn_lock);
39060 +               vfree(learn_buffer);
39061 +       }
39062 +       if (learn_buffer_user != NULL) {
39063 +               vfree(learn_buffer_user);
39064 +               learn_buffer_user = NULL;
39065 +       }
39066 +       learn_buffer_len = 0;
39067 +       up(&gr_learn_user_sem);
39068 +
39069 +       return;
39070 +}
39071 +
39072 +void
39073 +gr_add_learn_entry(const char *fmt, ...)
39074 +{
39075 +       va_list args;
39076 +       unsigned int len;
39077 +
39078 +       if (!gr_learn_attached)
39079 +               return;
39080 +
39081 +       spin_lock(&gr_learn_lock);
39082 +
39083 +       /* leave a gap at the end so we know when it's "full" but don't have to
39084 +          compute the exact length of the string we're trying to append
39085 +       */
39086 +       if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
39087 +               spin_unlock(&gr_learn_lock);
39088 +               wake_up_interruptible(&learn_wait);
39089 +               return;
39090 +       }
39091 +       if (learn_buffer == NULL) {
39092 +               spin_unlock(&gr_learn_lock);
39093 +               return;
39094 +       }
39095 +
39096 +       va_start(args, fmt);
39097 +       len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
39098 +       va_end(args);
39099 +
39100 +       learn_buffer_len += len + 1;
39101 +
39102 +       spin_unlock(&gr_learn_lock);
39103 +       wake_up_interruptible(&learn_wait);
39104 +
39105 +       return;
39106 +}
39107 +
39108 +static int
39109 +open_learn(struct inode *inode, struct file *file)
39110 +{
39111 +       if (file->f_mode & FMODE_READ && gr_learn_attached)
39112 +               return -EBUSY;
39113 +       if (file->f_mode & FMODE_READ) {
39114 +               int retval = 0;
39115 +               down(&gr_learn_user_sem);
39116 +               if (learn_buffer == NULL)
39117 +                       learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
39118 +               if (learn_buffer_user == NULL)
39119 +                       learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
39120 +               if (learn_buffer == NULL) {
39121 +                       retval = -ENOMEM;
39122 +                       goto out_error;
39123 +               }
39124 +               if (learn_buffer_user == NULL) {
39125 +                       retval = -ENOMEM;
39126 +                       goto out_error;
39127 +               }
39128 +               learn_buffer_len = 0;
39129 +               learn_buffer_user_len = 0;
39130 +               gr_learn_attached = 1;
39131 +out_error:
39132 +               up(&gr_learn_user_sem);
39133 +               return retval;
39134 +       }
39135 +       return 0;
39136 +}
39137 +
39138 +static int
39139 +close_learn(struct inode *inode, struct file *file)
39140 +{
39141 +       char *tmp;
39142 +
39143 +       if (file->f_mode & FMODE_READ) {
39144 +               down(&gr_learn_user_sem);
39145 +               if (learn_buffer != NULL) {
39146 +                       spin_lock(&gr_learn_lock);
39147 +                       tmp = learn_buffer;
39148 +                       learn_buffer = NULL;
39149 +                       spin_unlock(&gr_learn_lock);
39150 +                       vfree(tmp);
39151 +               }
39152 +               if (learn_buffer_user != NULL) {
39153 +                       vfree(learn_buffer_user);
39154 +                       learn_buffer_user = NULL;
39155 +               }
39156 +               learn_buffer_len = 0;
39157 +               learn_buffer_user_len = 0;
39158 +               gr_learn_attached = 0;
39159 +               up(&gr_learn_user_sem);
39160 +       }
39161 +
39162 +       return 0;
39163 +}
39164 +               
39165 +const struct file_operations grsec_fops = {
39166 +       .read           = read_learn,
39167 +       .write          = write_grsec_handler,
39168 +       .open           = open_learn,
39169 +       .release        = close_learn,
39170 +       .poll           = poll_learn,
39171 +};
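Review bot: gr_clear_learn_entries() saves the buffer in `tmp`, sets `learn_buffer = NULL` and then calls `vfree(learn_buffer)`, which frees NULL and leaks the 512k allocation; it should be `vfree(tmp);`, as close_learn() already does. read_learn() never looks at `count`: `copy_to_user(buf, learn_buffer_user, learn_buffer_user_len)` can write the full buffered length into a user buffer the caller sized smaller, so the copy should be bounded by `count` (or a short read rejected) before the lengths are committed. In gr_add_learn_entry(), vsnprintf() returns the untruncated length, so `learn_buffer_len += len + 1` can step past the buffer for an entry longer than the 16384-byte gap; `vscnprintf` would keep the recorded length within what was actually written. open_learn() also tests `gr_learn_attached` before taking gr_learn_user_sem, so two concurrent readers may both pass the -EBUSY check; moving the test under the semaphore would close that window.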
39172 diff -urNp linux-2.6.35.5/grsecurity/gracl_res.c linux-2.6.35.5/grsecurity/gracl_res.c
39173 --- linux-2.6.35.5/grsecurity/gracl_res.c       1969-12-31 19:00:00.000000000 -0500
39174 +++ linux-2.6.35.5/grsecurity/gracl_res.c       2010-09-17 20:12:37.000000000 -0400
39175 @@ -0,0 +1,68 @@
39176 +#include <linux/kernel.h>
39177 +#include <linux/sched.h>
39178 +#include <linux/gracl.h>
39179 +#include <linux/grinternal.h>
39180 +
39181 +static const char *restab_log[] = {
39182 +       [RLIMIT_CPU] = "RLIMIT_CPU",
39183 +       [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39184 +       [RLIMIT_DATA] = "RLIMIT_DATA",
39185 +       [RLIMIT_STACK] = "RLIMIT_STACK",
39186 +       [RLIMIT_CORE] = "RLIMIT_CORE",
39187 +       [RLIMIT_RSS] = "RLIMIT_RSS",
39188 +       [RLIMIT_NPROC] = "RLIMIT_NPROC",
39189 +       [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39190 +       [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39191 +       [RLIMIT_AS] = "RLIMIT_AS",
39192 +       [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39193 +       [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39194 +       [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39195 +       [RLIMIT_NICE] = "RLIMIT_NICE",
39196 +       [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
39197 +       [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
39198 +       [GR_CRASH_RES] = "RLIMIT_CRASH"
39199 +};
39200 +
39201 +void
39202 +gr_log_resource(const struct task_struct *task,
39203 +               const int res, const unsigned long wanted, const int gt)
39204 +{
39205 +       const struct cred *cred;
39206 +       unsigned long rlim;
39207 +
39208 +       if (!gr_acl_is_enabled() && !grsec_resource_logging)
39209 +               return;
39210 +
39211 +       // not yet supported resource
39212 +       if (unlikely(!restab_log[res]))
39213 +               return;
39214 +
39215 +       if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
39216 +               rlim = task_rlimit_max(task, res);
39217 +       else
39218 +               rlim = task_rlimit(task, res);
39219 +
39220 +       if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
39221 +               return;
39222 +
39223 +       rcu_read_lock();
39224 +       cred = __task_cred(task);
39225 +
39226 +       if (res == RLIMIT_NPROC && 
39227 +           (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) || 
39228 +            cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
39229 +               goto out_rcu_unlock;
39230 +       else if (res == RLIMIT_MEMLOCK &&
39231 +                cap_raised(cred->cap_effective, CAP_IPC_LOCK))
39232 +               goto out_rcu_unlock;
39233 +       else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
39234 +               goto out_rcu_unlock;
39235 +       rcu_read_unlock();
39236 +
39237 +       gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
39238 +
39239 +       return;
39240 +out_rcu_unlock:
39241 +       rcu_read_unlock();
39242 +       return;
39243 +}
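Review bot: `restab_log[res]` in gr_log_resource() is read before `res` is compared with the table size, so a negative or too-large resource number would index past the array; whether every caller passes an in-range value cannot be seen from this file. I would fold a range test into the existing guard: `if (unlikely(res < 0 || res >= (int)ARRAY_SIZE(restab_log) || !restab_log[res])) return;`. The table is never written and could be declared `static const char * const restab_log[]`. A short comment on `gt` would also help, since the name does not say that with `gt` set only `wanted > rlim` is logged and otherwise `wanted >= rlim` is.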
39244 diff -urNp linux-2.6.35.5/grsecurity/gracl_segv.c linux-2.6.35.5/grsecurity/gracl_segv.c
39245 --- linux-2.6.35.5/grsecurity/gracl_segv.c      1969-12-31 19:00:00.000000000 -0500
39246 +++ linux-2.6.35.5/grsecurity/gracl_segv.c      2010-09-17 20:12:37.000000000 -0400
39247 @@ -0,0 +1,310 @@
39248 +#include <linux/kernel.h>
39249 +#include <linux/mm.h>
39250 +#include <asm/uaccess.h>
39251 +#include <asm/errno.h>
39252 +#include <asm/mman.h>
39253 +#include <net/sock.h>
39254 +#include <linux/file.h>
39255 +#include <linux/fs.h>
39256 +#include <linux/net.h>
39257 +#include <linux/in.h>
39258 +#include <linux/smp_lock.h>
39259 +#include <linux/slab.h>
39260 +#include <linux/types.h>
39261 +#include <linux/sched.h>
39262 +#include <linux/timer.h>
39263 +#include <linux/gracl.h>
39264 +#include <linux/grsecurity.h>
39265 +#include <linux/grinternal.h>
39266 +
39267 +static struct crash_uid *uid_set;
39268 +static unsigned short uid_used;
39269 +static DEFINE_SPINLOCK(gr_uid_lock);
39270 +extern rwlock_t gr_inode_lock;
39271 +extern struct acl_subject_label *
39272 +       lookup_acl_subj_label(const ino_t inode, const dev_t dev,
39273 +                             struct acl_role_label *role);
39274 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
39275 +
39276 +int
39277 +gr_init_uidset(void)
39278 +{
39279 +       uid_set =
39280 +           kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
39281 +       uid_used = 0;
39282 +
39283 +       return uid_set ? 1 : 0;
39284 +}
39285 +
39286 +void
39287 +gr_free_uidset(void)
39288 +{
39289 +       if (uid_set)
39290 +               kfree(uid_set);
39291 +
39292 +       return;
39293 +}
39294 +
39295 +int
39296 +gr_find_uid(const uid_t uid)
39297 +{
39298 +       struct crash_uid *tmp = uid_set;
39299 +       uid_t buid;
39300 +       int low = 0, high = uid_used - 1, mid;
39301 +
39302 +       while (high >= low) {
39303 +               mid = (low + high) >> 1;
39304 +               buid = tmp[mid].uid;
39305 +               if (buid == uid)
39306 +                       return mid;
39307 +               if (buid > uid)
39308 +                       high = mid - 1;
39309 +               if (buid < uid)
39310 +                       low = mid + 1;
39311 +       }
39312 +
39313 +       return -1;
39314 +}
39315 +
39316 +static __inline__ void
39317 +gr_insertsort(void)
39318 +{
39319 +       unsigned short i, j;
39320 +       struct crash_uid index;
39321 +
39322 +       for (i = 1; i < uid_used; i++) {
39323 +               index = uid_set[i];
39324 +               j = i;
39325 +               while ((j > 0) && uid_set[j - 1].uid > index.uid) {
39326 +                       uid_set[j] = uid_set[j - 1];
39327 +                       j--;
39328 +               }
39329 +               uid_set[j] = index;
39330 +       }
39331 +
39332 +       return;
39333 +}
39334 +
39335 +static __inline__ void
39336 +gr_insert_uid(const uid_t uid, const unsigned long expires)
39337 +{
39338 +       int loc;
39339 +
39340 +       if (uid_used == GR_UIDTABLE_MAX)
39341 +               return;
39342 +
39343 +       loc = gr_find_uid(uid);
39344 +
39345 +       if (loc >= 0) {
39346 +               uid_set[loc].expires = expires;
39347 +               return;
39348 +       }
39349 +
39350 +       uid_set[uid_used].uid = uid;
39351 +       uid_set[uid_used].expires = expires;
39352 +       uid_used++;
39353 +
39354 +       gr_insertsort();
39355 +
39356 +       return;
39357 +}
39358 +
39359 +void
39360 +gr_remove_uid(const unsigned short loc)
39361 +{
39362 +       unsigned short i;
39363 +
39364 +       for (i = loc + 1; i < uid_used; i++)
39365 +               uid_set[i - 1] = uid_set[i];
39366 +
39367 +       uid_used--;
39368 +
39369 +       return;
39370 +}
39371 +
39372 +int
39373 +gr_check_crash_uid(const uid_t uid)
39374 +{
39375 +       int loc;
39376 +       int ret = 0;
39377 +
39378 +       if (unlikely(!gr_acl_is_enabled()))
39379 +               return 0;
39380 +
39381 +       spin_lock(&gr_uid_lock);
39382 +       loc = gr_find_uid(uid);
39383 +
39384 +       if (loc < 0)
39385 +               goto out_unlock;
39386 +
39387 +       if (time_before_eq(uid_set[loc].expires, get_seconds()))
39388 +               gr_remove_uid(loc);
39389 +       else
39390 +               ret = 1;
39391 +
39392 +out_unlock:
39393 +       spin_unlock(&gr_uid_lock);
39394 +       return ret;
39395 +}
39396 +
39397 +static __inline__ int
39398 +proc_is_setxid(const struct cred *cred)
39399 +{
39400 +       if (cred->uid != cred->euid || cred->uid != cred->suid ||
39401 +           cred->uid != cred->fsuid)
39402 +               return 1;
39403 +       if (cred->gid != cred->egid || cred->gid != cred->sgid ||
39404 +           cred->gid != cred->fsgid)
39405 +               return 1;
39406 +
39407 +       return 0;
39408 +}
39409 +static __inline__ int
39410 +gr_fake_force_sig(int sig, struct task_struct *t)
39411 +{
39412 +       unsigned long int flags;
39413 +       int ret, blocked, ignored;
39414 +       struct k_sigaction *action;
39415 +
39416 +       spin_lock_irqsave(&t->sighand->siglock, flags);
39417 +       action = &t->sighand->action[sig-1];
39418 +       ignored = action->sa.sa_handler == SIG_IGN;
39419 +       blocked = sigismember(&t->blocked, sig);
39420 +       if (blocked || ignored) {
39421 +               action->sa.sa_handler = SIG_DFL;
39422 +               if (blocked) {
39423 +                       sigdelset(&t->blocked, sig);
39424 +                       recalc_sigpending_and_wake(t);
39425 +               }
39426 +       }
39427 +       if (action->sa.sa_handler == SIG_DFL)
39428 +               t->signal->flags &= ~SIGNAL_UNKILLABLE;
39429 +       ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
39430 +
39431 +       spin_unlock_irqrestore(&t->sighand->siglock, flags);
39432 +
39433 +       return ret;
39434 +}
39435 +
39436 +void
39437 +gr_handle_crash(struct task_struct *task, const int sig)
39438 +{
39439 +       struct acl_subject_label *curr;
39440 +       struct acl_subject_label *curr2;
39441 +       struct task_struct *tsk, *tsk2;
39442 +       const struct cred *cred;
39443 +       const struct cred *cred2;
39444 +
39445 +       if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
39446 +               return;
39447 +
39448 +       if (unlikely(!gr_acl_is_enabled()))
39449 +               return;
39450 +
39451 +       curr = task->acl;
39452 +
39453 +       if (!(curr->resmask & (1 << GR_CRASH_RES)))
39454 +               return;
39455 +
39456 +       if (time_before_eq(curr->expires, get_seconds())) {
39457 +               curr->expires = 0;
39458 +               curr->crashes = 0;
39459 +       }
39460 +
39461 +       curr->crashes++;
39462 +
39463 +       if (!curr->expires)
39464 +               curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
39465 +
39466 +       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39467 +           time_after(curr->expires, get_seconds())) {
39468 +               rcu_read_lock();
39469 +               cred = __task_cred(task);
39470 +               if (cred->uid && proc_is_setxid(cred)) {
39471 +                       gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39472 +                       spin_lock(&gr_uid_lock);
39473 +                       gr_insert_uid(cred->uid, curr->expires);
39474 +                       spin_unlock(&gr_uid_lock);
39475 +                       curr->expires = 0;
39476 +                       curr->crashes = 0;
39477 +                       read_lock(&tasklist_lock);
39478 +                       do_each_thread(tsk2, tsk) {
39479 +                               cred2 = __task_cred(tsk);
39480 +                               if (tsk != task && cred2->uid == cred->uid)
39481 +                                       gr_fake_force_sig(SIGKILL, tsk);
39482 +                       } while_each_thread(tsk2, tsk);
39483 +                       read_unlock(&tasklist_lock);
39484 +               } else {
39485 +                       gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
39486 +                       read_lock(&tasklist_lock);
39487 +                       do_each_thread(tsk2, tsk) {
39488 +                               if (likely(tsk != task)) {
39489 +                                       curr2 = tsk->acl;
39490 +
39491 +                                       if (curr2->device == curr->device &&
39492 +                                           curr2->inode == curr->inode)
39493 +                                               gr_fake_force_sig(SIGKILL, tsk);
39494 +                               }
39495 +                       } while_each_thread(tsk2, tsk);
39496 +                       read_unlock(&tasklist_lock);
39497 +               }
39498 +               rcu_read_unlock();
39499 +       }
39500 +
39501 +       return;
39502 +}
39503 +
39504 +int
39505 +gr_check_crash_exec(const struct file *filp)
39506 +{
39507 +       struct acl_subject_label *curr;
39508 +
39509 +       if (unlikely(!gr_acl_is_enabled()))
39510 +               return 0;
39511 +
39512 +       read_lock(&gr_inode_lock);
39513 +       curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
39514 +                                    filp->f_path.dentry->d_inode->i_sb->s_dev,
39515 +                                    current->role);
39516 +       read_unlock(&gr_inode_lock);
39517 +
39518 +       if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
39519 +           (!curr->crashes && !curr->expires))
39520 +               return 0;
39521 +
39522 +       if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
39523 +           time_after(curr->expires, get_seconds()))
39524 +               return 1;
39525 +       else if (time_before_eq(curr->expires, get_seconds())) {
39526 +               curr->crashes = 0;
39527 +               curr->expires = 0;
39528 +       }
39529 +
39530 +       return 0;
39531 +}
39532 +
39533 +void
39534 +gr_handle_alertkill(struct task_struct *task)
39535 +{
39536 +       struct acl_subject_label *curracl;
39537 +       __u32 curr_ip;
39538 +       struct task_struct *p, *p2;
39539 +
39540 +       if (unlikely(!gr_acl_is_enabled()))
39541 +               return;
39542 +
39543 +       curracl = task->acl;
39544 +       curr_ip = task->signal->curr_ip;
39545 +
39546 +       if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
39547 +               read_lock(&tasklist_lock);
39548 +               do_each_thread(p2, p) {
39549 +                       if (p->signal->curr_ip == curr_ip)
39550 +                               gr_fake_force_sig(SIGKILL, p);
39551 +               } while_each_thread(p2, p);
39552 +               read_unlock(&tasklist_lock);
39553 +       } else if (curracl->mode & GR_KILLPROC)
39554 +               gr_fake_force_sig(SIGKILL, task);
39555 +
39556 +       return;
39557 +}
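Review bot: gr_insert_uid() tests `uid_used == GR_UIDTABLE_MAX` before calling gr_find_uid(), so once the table is full a uid that is already listed cannot have its `expires` refreshed and a new uid is dropped without any log entry, which means the crash lockout silently stops being applied. Moving the full-table test below the `loc >= 0` branch fixes the refresh case, and a log message on the drop path would make the condition visible to an operator. Separately, gr_free_uidset() leaves `uid_set` pointing at freed memory and `uid_used` non-zero; `kfree(uid_set); uid_set = NULL; uid_used = 0;` would be safer, and whether it should hold `gr_uid_lock` depends on callers not shown here. The updates to `curr->crashes` and `curr->expires` in gr_handle_crash() and gr_check_crash_exec() are made with no lock visible in this file, which deserves a comment stating what serialises them.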
39558 diff -urNp linux-2.6.35.5/grsecurity/gracl_shm.c linux-2.6.35.5/grsecurity/gracl_shm.c
39559 --- linux-2.6.35.5/grsecurity/gracl_shm.c       1969-12-31 19:00:00.000000000 -0500
39560 +++ linux-2.6.35.5/grsecurity/gracl_shm.c       2010-09-17 20:12:37.000000000 -0400
39561 @@ -0,0 +1,40 @@
39562 +#include <linux/kernel.h>
39563 +#include <linux/mm.h>
39564 +#include <linux/sched.h>
39565 +#include <linux/file.h>
39566 +#include <linux/ipc.h>
39567 +#include <linux/gracl.h>
39568 +#include <linux/grsecurity.h>
39569 +#include <linux/grinternal.h>
39570 +
39571 +int
39572 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39573 +               const time_t shm_createtime, const uid_t cuid, const int shmid)
39574 +{
39575 +       struct task_struct *task;
39576 +
39577 +       if (!gr_acl_is_enabled())
39578 +               return 1;
39579 +
39580 +       rcu_read_lock();
39581 +       read_lock(&tasklist_lock);
39582 +
39583 +       task = find_task_by_vpid(shm_cprid);
39584 +
39585 +       if (unlikely(!task))
39586 +               task = find_task_by_vpid(shm_lapid);
39587 +
39588 +       if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
39589 +                             (task->pid == shm_lapid)) &&
39590 +                    (task->acl->mode & GR_PROTSHM) &&
39591 +                    (task->acl != current->acl))) {
39592 +               read_unlock(&tasklist_lock);
39593 +               rcu_read_unlock();
39594 +               gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
39595 +               return 0;
39596 +       }
39597 +       read_unlock(&tasklist_lock);
39598 +       rcu_read_unlock();
39599 +
39600 +       return 1;
39601 +}
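Review bot: gr_handle_shmat() compares `task->start_time.tv_sec` with `shm_createtime`, and the check is only meaningful if both values come from the same clock; as far as I know `task->start_time` is taken from the monotonic clock in this kernel series, while `shm_createtime` is supplied by the caller and its source is not visible in this hunk. If the creation time is wall-clock seconds, `time_before_eq()` would hold for practically every task and the PID-reuse guard would not discriminate. A comment above the comparison naming the clock both operands use, e.g. `/* shm_createtime must be seconds on the same clock as task->start_time */`, would let a reader verify it. The function also returns 1 to allow and 0 to deny, the reverse of the `gr_handle_chroot_*` helpers on this page that return 0 or a negative errno, so a one-line header comment on the return convention is worth adding.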
39602 diff -urNp linux-2.6.35.5/grsecurity/grsec_chdir.c linux-2.6.35.5/grsecurity/grsec_chdir.c
39603 --- linux-2.6.35.5/grsecurity/grsec_chdir.c     1969-12-31 19:00:00.000000000 -0500
39604 +++ linux-2.6.35.5/grsecurity/grsec_chdir.c     2010-09-17 20:12:37.000000000 -0400
39605 @@ -0,0 +1,19 @@
39606 +#include <linux/kernel.h>
39607 +#include <linux/sched.h>
39608 +#include <linux/fs.h>
39609 +#include <linux/file.h>
39610 +#include <linux/grsecurity.h>
39611 +#include <linux/grinternal.h>
39612 +
39613 +void
39614 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
39615 +{
39616 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
39617 +       if ((grsec_enable_chdir && grsec_enable_group &&
39618 +            in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
39619 +                                             !grsec_enable_group)) {
39620 +               gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
39621 +       }
39622 +#endif
39623 +       return;
39624 +}
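Review bot: The audit condition in gr_log_chdir() repeats `grsec_enable_chdir` in both arms and is easier to read as `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))`, which evaluates `in_group_p()` in exactly the same cases as the original. The trailing `return;` in a void function can be dropped as well.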
39625 diff -urNp linux-2.6.35.5/grsecurity/grsec_chroot.c linux-2.6.35.5/grsecurity/grsec_chroot.c
39626 --- linux-2.6.35.5/grsecurity/grsec_chroot.c    1969-12-31 19:00:00.000000000 -0500
39627 +++ linux-2.6.35.5/grsecurity/grsec_chroot.c    2010-09-17 20:12:37.000000000 -0400
39628 @@ -0,0 +1,389 @@
39629 +#include <linux/kernel.h>
39630 +#include <linux/module.h>
39631 +#include <linux/sched.h>
39632 +#include <linux/file.h>
39633 +#include <linux/fs.h>
39634 +#include <linux/mount.h>
39635 +#include <linux/types.h>
39636 +#include <linux/pid_namespace.h>
39637 +#include <linux/grsecurity.h>
39638 +#include <linux/grinternal.h>
39639 +
39640 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
39641 +{
39642 +#ifdef CONFIG_GRKERNSEC
39643 +       if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
39644 +                            path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
39645 +               task->gr_is_chrooted = 1;
39646 +       else
39647 +               task->gr_is_chrooted = 0;
39648 +
39649 +       task->gr_chroot_dentry = path->dentry;
39650 +#endif
39651 +       return;
39652 +}
39653 +
39654 +void gr_clear_chroot_entries(struct task_struct *task)
39655 +{
39656 +#ifdef CONFIG_GRKERNSEC
39657 +       task->gr_is_chrooted = 0;
39658 +       task->gr_chroot_dentry = NULL;
39659 +#endif
39660 +       return;
39661 +}      
39662 +
39663 +int
39664 +gr_handle_chroot_unix(const pid_t pid)
39665 +{
39666 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
39667 +       struct pid *spid = NULL;
39668 +
39669 +       if (unlikely(!grsec_enable_chroot_unix))
39670 +               return 1;
39671 +
39672 +       if (likely(!proc_is_chrooted(current)))
39673 +               return 1;
39674 +
39675 +       rcu_read_lock();
39676 +       read_lock(&tasklist_lock);
39677 +
39678 +       spid = find_vpid(pid);
39679 +       if (spid) {
39680 +               struct task_struct *p;
39681 +               p = pid_task(spid, PIDTYPE_PID);
39682 +               if (unlikely(!have_same_root(current, p))) {
39683 +                       read_unlock(&tasklist_lock);
39684 +                       rcu_read_unlock();
39685 +                       gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
39686 +                       return 0;
39687 +               }
39688 +       }
39689 +       read_unlock(&tasklist_lock);
39690 +       rcu_read_unlock();
39691 +#endif
39692 +       return 1;
39693 +}
39694 +
39695 +int
39696 +gr_handle_chroot_nice(void)
39697 +{
39698 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39699 +       if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
39700 +               gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
39701 +               return -EPERM;
39702 +       }
39703 +#endif
39704 +       return 0;
39705 +}
39706 +
39707 +int
39708 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
39709 +{
39710 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
39711 +       if (grsec_enable_chroot_nice && (niceval < task_nice(p))
39712 +                       && proc_is_chrooted(current)) {
39713 +               gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
39714 +               return -EACCES;
39715 +       }
39716 +#endif
39717 +       return 0;
39718 +}
39719 +
39720 +int
39721 +gr_handle_chroot_rawio(const struct inode *inode)
39722 +{
39723 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39724 +       if (grsec_enable_chroot_caps && proc_is_chrooted(current) && 
39725 +           inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
39726 +               return 1;
39727 +#endif
39728 +       return 0;
39729 +}
39730 +
39731 +int
39732 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
39733 +{
39734 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39735 +       struct task_struct *p;
39736 +       int ret = 0;
39737 +       if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
39738 +               return ret;
39739 +
39740 +       read_lock(&tasklist_lock);
39741 +       do_each_pid_task(pid, type, p) {
39742 +               if (!have_same_root(current, p)) {
39743 +                       ret = 1;
39744 +                       goto out;
39745 +               }
39746 +       } while_each_pid_task(pid, type, p);
39747 +out:
39748 +       read_unlock(&tasklist_lock);
39749 +       return ret;
39750 +#endif
39751 +       return 0;
39752 +}
39753 +
39754 +int
39755 +gr_pid_is_chrooted(struct task_struct *p)
39756 +{
39757 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
39758 +       if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
39759 +               return 0;
39760 +
39761 +       if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
39762 +           !have_same_root(current, p)) {
39763 +               return 1;
39764 +       }
39765 +#endif
39766 +       return 0;
39767 +}
39768 +
39769 +EXPORT_SYMBOL(gr_pid_is_chrooted);
39770 +
39771 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
39772 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
39773 +{
39774 +       struct dentry *dentry = (struct dentry *)u_dentry;
39775 +       struct vfsmount *mnt = (struct vfsmount *)u_mnt;
39776 +       struct dentry *realroot;
39777 +       struct vfsmount *realrootmnt;
39778 +       struct dentry *currentroot;
39779 +       struct vfsmount *currentmnt;
39780 +       struct task_struct *reaper = &init_task;
39781 +       int ret = 1;
39782 +
39783 +       read_lock(&reaper->fs->lock);
39784 +       realrootmnt = mntget(reaper->fs->root.mnt);
39785 +       realroot = dget(reaper->fs->root.dentry);
39786 +       read_unlock(&reaper->fs->lock);
39787 +
39788 +       read_lock(&current->fs->lock);
39789 +       currentmnt = mntget(current->fs->root.mnt);
39790 +       currentroot = dget(current->fs->root.dentry);
39791 +       read_unlock(&current->fs->lock);
39792 +
39793 +       spin_lock(&dcache_lock);
39794 +       for (;;) {
39795 +               if (unlikely((dentry == realroot && mnt == realrootmnt)
39796 +                    || (dentry == currentroot && mnt == currentmnt)))
39797 +                       break;
39798 +               if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
39799 +                       if (mnt->mnt_parent == mnt)
39800 +                               break;
39801 +                       dentry = mnt->mnt_mountpoint;
39802 +                       mnt = mnt->mnt_parent;
39803 +                       continue;
39804 +               }
39805 +               dentry = dentry->d_parent;
39806 +       }
39807 +       spin_unlock(&dcache_lock);
39808 +
39809 +       dput(currentroot);
39810 +       mntput(currentmnt);
39811 +
39812 +       /* access is outside of chroot */
39813 +       if (dentry == realroot && mnt == realrootmnt)
39814 +               ret = 0;
39815 +
39816 +       dput(realroot);
39817 +       mntput(realrootmnt);
39818 +       return ret;
39819 +}
39820 +#endif
39821 +
39822 +int
39823 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
39824 +{
39825 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
39826 +       if (!grsec_enable_chroot_fchdir)
39827 +               return 1;
39828 +
39829 +       if (!proc_is_chrooted(current))
39830 +               return 1;
39831 +       else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
39832 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
39833 +               return 0;
39834 +       }
39835 +#endif
39836 +       return 1;
39837 +}
39838 +
39839 +int
39840 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
39841 +               const time_t shm_createtime)
39842 +{
39843 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
39844 +       struct pid *pid = NULL;
39845 +       time_t starttime;
39846 +
39847 +       if (unlikely(!grsec_enable_chroot_shmat))
39848 +               return 1;
39849 +
39850 +       if (likely(!proc_is_chrooted(current)))
39851 +               return 1;
39852 +
39853 +       rcu_read_lock();
39854 +       read_lock(&tasklist_lock);
39855 +
39856 +       pid = find_vpid(shm_cprid);
39857 +       if (pid) {
39858 +               struct task_struct *p;
39859 +               p = pid_task(pid, PIDTYPE_PID);
39860 +               starttime = p->start_time.tv_sec;
39861 +               if (unlikely(!have_same_root(current, p) &&
39862 +                            time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
39863 +                       read_unlock(&tasklist_lock);
39864 +                       rcu_read_unlock();
39865 +                       gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39866 +                       return 0;
39867 +               }
39868 +       } else {
39869 +               pid = find_vpid(shm_lapid);
39870 +               if (pid) {
39871 +                       struct task_struct *p;
39872 +                       p = pid_task(pid, PIDTYPE_PID);
39873 +                       if (unlikely(!have_same_root(current, p))) {
39874 +                               read_unlock(&tasklist_lock);
39875 +                               rcu_read_unlock();
39876 +                               gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
39877 +                               return 0;
39878 +                       }
39879 +               }
39880 +       }
39881 +
39882 +       read_unlock(&tasklist_lock);
39883 +       rcu_read_unlock();
39884 +#endif
39885 +       return 1;
39886 +}
39887 +
39888 +void
39889 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
39890 +{
39891 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
39892 +       if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
39893 +               gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
39894 +#endif
39895 +       return;
39896 +}
39897 +
39898 +int
39899 +gr_handle_chroot_mknod(const struct dentry *dentry,
39900 +                      const struct vfsmount *mnt, const int mode)
39901 +{
39902 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
39903 +       if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) && 
39904 +           proc_is_chrooted(current)) {
39905 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
39906 +               return -EPERM;
39907 +       }
39908 +#endif
39909 +       return 0;
39910 +}
39911 +
39912 +int
39913 +gr_handle_chroot_mount(const struct dentry *dentry,
39914 +                      const struct vfsmount *mnt, const char *dev_name)
39915 +{
39916 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
39917 +       if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
39918 +               gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
39919 +               return -EPERM;
39920 +       }
39921 +#endif
39922 +       return 0;
39923 +}
39924 +
39925 +int
39926 +gr_handle_chroot_pivot(void)
39927 +{
39928 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
39929 +       if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
39930 +               gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
39931 +               return -EPERM;
39932 +       }
39933 +#endif
39934 +       return 0;
39935 +}
39936 +
39937 +int
39938 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
39939 +{
39940 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
39941 +       if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
39942 +           !gr_is_outside_chroot(dentry, mnt)) {
39943 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
39944 +               return -EPERM;
39945 +       }
39946 +#endif
39947 +       return 0;
39948 +}
39949 +
39950 +int
39951 +gr_handle_chroot_caps(struct path *path)
39952 +{
39953 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
39954 +       if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
39955 +               (init_task.fs->root.dentry != path->dentry) &&
39956 +               (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
39957 +
39958 +               kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
39959 +               const struct cred *old = current_cred();
39960 +               struct cred *new = prepare_creds();
39961 +               if (new == NULL)
39962 +                       return 1;
39963 +
39964 +               new->cap_permitted = cap_drop(old->cap_permitted, 
39965 +                                             chroot_caps);
39966 +               new->cap_inheritable = cap_drop(old->cap_inheritable, 
39967 +                                               chroot_caps);
39968 +               new->cap_effective = cap_drop(old->cap_effective,
39969 +                                             chroot_caps);
39970 +
39971 +               commit_creds(new);
39972 +
39973 +               return 0;
39974 +       }
39975 +#endif
39976 +       return 0;
39977 +}
39978 +
39979 +int
39980 +gr_handle_chroot_sysctl(const int op)
39981 +{
39982 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
39983 +       if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
39984 +           proc_is_chrooted(current))
39985 +               return -EACCES;
39986 +#endif
39987 +       return 0;
39988 +}
39989 +
39990 +void
39991 +gr_handle_chroot_chdir(struct path *path)
39992 +{
39993 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
39994 +       if (grsec_enable_chroot_chdir)
39995 +               set_fs_pwd(current->fs, path);
39996 +#endif
39997 +       return;
39998 +}
39999 +
40000 +int
40001 +gr_handle_chroot_chmod(const struct dentry *dentry,
40002 +                      const struct vfsmount *mnt, const int mode)
40003 +{
40004 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40005 +       if (grsec_enable_chroot_chmod &&
40006 +           ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
40007 +           proc_is_chrooted(current)) {
40008 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40009 +               return -EPERM;
40010 +       }
40011 +#endif
40012 +       return 0;
40013 +}
40014 +
40015 +#ifdef CONFIG_SECURITY
40016 +EXPORT_SYMBOL(gr_handle_chroot_caps);
40017 +#endif
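Review bot: In gr_chroot_shmat() the result of `pid_task(pid, PIDTYPE_PID)` is dereferenced at `starttime = p->start_time.tv_sec;` with no NULL test, and pid_task() returns NULL when the `struct pid` found by find_vpid() has no task attached for that type. The same unchecked pointer is handed to have_same_root() in the `shm_lapid` branch and in gr_handle_chroot_unix(); have_same_root() is defined outside this file, so whether it tolerates NULL cannot be confirmed here. I would test the pointer in each place, e.g. `if (unlikely(p && !have_same_root(current, p))) {`, and read `p->start_time` only inside that guard. gr_handle_chroot_fowner() also has an unreachable `return 0;` after `return ret;` when CONFIG_GRKERNSEC_CHROOT_FINDTASK is set.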
40018 diff -urNp linux-2.6.35.5/grsecurity/grsec_disabled.c linux-2.6.35.5/grsecurity/grsec_disabled.c
40019 --- linux-2.6.35.5/grsecurity/grsec_disabled.c  1969-12-31 19:00:00.000000000 -0500
40020 +++ linux-2.6.35.5/grsecurity/grsec_disabled.c  2010-09-17 20:12:37.000000000 -0400
40021 @@ -0,0 +1,431 @@
40022 +#include <linux/kernel.h>
40023 +#include <linux/module.h>
40024 +#include <linux/sched.h>
40025 +#include <linux/file.h>
40026 +#include <linux/fs.h>
40027 +#include <linux/kdev_t.h>
40028 +#include <linux/net.h>
40029 +#include <linux/in.h>
40030 +#include <linux/ip.h>
40031 +#include <linux/skbuff.h>
40032 +#include <linux/sysctl.h>
40033 +
40034 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40035 +void
40036 +pax_set_initial_flags(struct linux_binprm *bprm)
40037 +{
40038 +       return;
40039 +}
40040 +#endif
40041 +
40042 +#ifdef CONFIG_SYSCTL
40043 +__u32
40044 +gr_handle_sysctl(const struct ctl_table * table, const int op)
40045 +{
40046 +       return 0;
40047 +}
40048 +#endif
40049 +
40050 +#ifdef CONFIG_TASKSTATS
40051 +int gr_is_taskstats_denied(int pid)
40052 +{
40053 +       return 0;
40054 +}
40055 +#endif
40056 +
40057 +int
40058 +gr_acl_is_enabled(void)
40059 +{
40060 +       return 0;
40061 +}
40062 +
40063 +int
40064 +gr_handle_rawio(const struct inode *inode)
40065 +{
40066 +       return 0;
40067 +}
40068 +
40069 +void
40070 +gr_acl_handle_psacct(struct task_struct *task, const long code)
40071 +{
40072 +       return;
40073 +}
40074 +
40075 +int
40076 +gr_handle_ptrace(struct task_struct *task, const long request)
40077 +{
40078 +       return 0;
40079 +}
40080 +
40081 +int
40082 +gr_handle_proc_ptrace(struct task_struct *task)
40083 +{
40084 +       return 0;
40085 +}
40086 +
40087 +void
40088 +gr_learn_resource(const struct task_struct *task,
40089 +                 const int res, const unsigned long wanted, const int gt)
40090 +{
40091 +       return;
40092 +}
40093 +
40094 +int
40095 +gr_set_acls(const int type)
40096 +{
40097 +       return 0;
40098 +}
40099 +
40100 +int
40101 +gr_check_hidden_task(const struct task_struct *tsk)
40102 +{
40103 +       return 0;
40104 +}
40105 +
40106 +int
40107 +gr_check_protected_task(const struct task_struct *task)
40108 +{
40109 +       return 0;
40110 +}
40111 +
40112 +int
40113 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
40114 +{
40115 +       return 0;
40116 +}
40117 +
40118 +void
40119 +gr_copy_label(struct task_struct *tsk)
40120 +{
40121 +       return;
40122 +}
40123 +
40124 +void
40125 +gr_set_pax_flags(struct task_struct *task)
40126 +{
40127 +       return;
40128 +}
40129 +
40130 +int
40131 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
40132 +                 const int unsafe_share)
40133 +{
40134 +       return 0;
40135 +}
40136 +
40137 +void
40138 +gr_handle_delete(const ino_t ino, const dev_t dev)
40139 +{
40140 +       return;
40141 +}
40142 +
40143 +void
40144 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
40145 +{
40146 +       return;
40147 +}
40148 +
40149 +void
40150 +gr_handle_crash(struct task_struct *task, const int sig)
40151 +{
40152 +       return;
40153 +}
40154 +
40155 +int
40156 +gr_check_crash_exec(const struct file *filp)
40157 +{
40158 +       return 0;
40159 +}
40160 +
40161 +int
40162 +gr_check_crash_uid(const uid_t uid)
40163 +{
40164 +       return 0;
40165 +}
40166 +
40167 +void
40168 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
40169 +                struct dentry *old_dentry,
40170 +                struct dentry *new_dentry,
40171 +                struct vfsmount *mnt, const __u8 replace)
40172 +{
40173 +       return;
40174 +}
40175 +
40176 +int
40177 +gr_search_socket(const int family, const int type, const int protocol)
40178 +{
40179 +       return 1;
40180 +}
40181 +
40182 +int
40183 +gr_search_connectbind(const int mode, const struct socket *sock,
40184 +                     const struct sockaddr_in *addr)
40185 +{
40186 +       return 0;
40187 +}
40188 +
40189 +int
40190 +gr_is_capable(const int cap)
40191 +{
40192 +       return 1;
40193 +}
40194 +
40195 +int
40196 +gr_is_capable_nolog(const int cap)
40197 +{
40198 +       return 1;
40199 +}
40200 +
40201 +void
40202 +gr_handle_alertkill(struct task_struct *task)
40203 +{
40204 +       return;
40205 +}
40206 +
40207 +__u32
40208 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
40209 +{
40210 +       return 1;
40211 +}
40212 +
40213 +__u32
40214 +gr_acl_handle_hidden_file(const struct dentry * dentry,
40215 +                         const struct vfsmount * mnt)
40216 +{
40217 +       return 1;
40218 +}
40219 +
40220 +__u32
40221 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
40222 +                  const int fmode)
40223 +{
40224 +       return 1;
40225 +}
40226 +
40227 +__u32
40228 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
40229 +{
40230 +       return 1;
40231 +}
40232 +
40233 +__u32
40234 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
40235 +{
40236 +       return 1;
40237 +}
40238 +
40239 +int
40240 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
40241 +                  unsigned int *vm_flags)
40242 +{
40243 +       return 1;
40244 +}
40245 +
40246 +__u32
40247 +gr_acl_handle_truncate(const struct dentry * dentry,
40248 +                      const struct vfsmount * mnt)
40249 +{
40250 +       return 1;
40251 +}
40252 +
40253 +__u32
40254 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
40255 +{
40256 +       return 1;
40257 +}
40258 +
40259 +__u32
40260 +gr_acl_handle_access(const struct dentry * dentry,
40261 +                    const struct vfsmount * mnt, const int fmode)
40262 +{
40263 +       return 1;
40264 +}
40265 +
40266 +__u32
40267 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
40268 +                    mode_t mode)
40269 +{
40270 +       return 1;
40271 +}
40272 +
40273 +__u32
40274 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
40275 +                   mode_t mode)
40276 +{
40277 +       return 1;
40278 +}
40279 +
40280 +__u32
40281 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
40282 +{
40283 +       return 1;
40284 +}
40285 +
40286 +void
40287 +grsecurity_init(void)
40288 +{
40289 +       return;
40290 +}
40291 +
40292 +__u32
40293 +gr_acl_handle_mknod(const struct dentry * new_dentry,
40294 +                   const struct dentry * parent_dentry,
40295 +                   const struct vfsmount * parent_mnt,
40296 +                   const int mode)
40297 +{
40298 +       return 1;
40299 +}
40300 +
40301 +__u32
40302 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
40303 +                   const struct dentry * parent_dentry,
40304 +                   const struct vfsmount * parent_mnt)
40305 +{
40306 +       return 1;
40307 +}
40308 +
40309 +__u32
40310 +gr_acl_handle_symlink(const struct dentry * new_dentry,
40311 +                     const struct dentry * parent_dentry,
40312 +                     const struct vfsmount * parent_mnt, const char *from)
40313 +{
40314 +       return 1;
40315 +}
40316 +
40317 +__u32
40318 +gr_acl_handle_link(const struct dentry * new_dentry,
40319 +                  const struct dentry * parent_dentry,
40320 +                  const struct vfsmount * parent_mnt,
40321 +                  const struct dentry * old_dentry,
40322 +                  const struct vfsmount * old_mnt, const char *to)
40323 +{
40324 +       return 1;
40325 +}
40326 +
40327 +int
40328 +gr_acl_handle_rename(const struct dentry *new_dentry,
40329 +                    const struct dentry *parent_dentry,
40330 +                    const struct vfsmount *parent_mnt,
40331 +                    const struct dentry *old_dentry,
40332 +                    const struct inode *old_parent_inode,
40333 +                    const struct vfsmount *old_mnt, const char *newname)
40334 +{
40335 +       return 0;
40336 +}
40337 +
40338 +int
40339 +gr_acl_handle_filldir(const struct file *file, const char *name,
40340 +                     const int namelen, const ino_t ino)
40341 +{
40342 +       return 1;
40343 +}
40344 +
40345 +int
40346 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40347 +               const time_t shm_createtime, const uid_t cuid, const int shmid)
40348 +{
40349 +       return 1;
40350 +}
40351 +
40352 +int
40353 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
40354 +{
40355 +       return 0;
40356 +}
40357 +
40358 +int
40359 +gr_search_accept(const struct socket *sock)
40360 +{
40361 +       return 0;
40362 +}
40363 +
40364 +int
40365 +gr_search_listen(const struct socket *sock)
40366 +{
40367 +       return 0;
40368 +}
40369 +
40370 +int
40371 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
40372 +{
40373 +       return 0;
40374 +}
40375 +
40376 +__u32
40377 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
40378 +{
40379 +       return 1;
40380 +}
40381 +
40382 +__u32
40383 +gr_acl_handle_creat(const struct dentry * dentry,
40384 +                   const struct dentry * p_dentry,
40385 +                   const struct vfsmount * p_mnt, const int fmode,
40386 +                   const int imode)
40387 +{
40388 +       return 1;
40389 +}
40390 +
40391 +void
40392 +gr_acl_handle_exit(void)
40393 +{
40394 +       return;
40395 +}
40396 +
40397 +int
40398 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
40399 +{
40400 +       return 1;
40401 +}
40402 +
40403 +void
40404 +gr_set_role_label(const uid_t uid, const gid_t gid)
40405 +{
40406 +       return;
40407 +}
40408 +
40409 +int
40410 +gr_acl_handle_procpidmem(const struct task_struct *task)
40411 +{
40412 +       return 0;
40413 +}
40414 +
40415 +int
40416 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
40417 +{
40418 +       return 0;
40419 +}
40420 +
40421 +int
40422 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
40423 +{
40424 +       return 0;
40425 +}
40426 +
40427 +void
40428 +gr_set_kernel_label(struct task_struct *task)
40429 +{
40430 +       return;
40431 +}
40432 +
40433 +int
40434 +gr_check_user_change(int real, int effective, int fs)
40435 +{
40436 +       return 0;
40437 +}
40438 +
40439 +int
40440 +gr_check_group_change(int real, int effective, int fs)
40441 +{
40442 +       return 0;
40443 +}
40444 +
40445 +EXPORT_SYMBOL(gr_is_capable);
40446 +EXPORT_SYMBOL(gr_is_capable_nolog);
40447 +EXPORT_SYMBOL(gr_learn_resource);
40448 +EXPORT_SYMBOL(gr_set_kernel_label);
40449 +#ifdef CONFIG_SECURITY
40450 +EXPORT_SYMBOL(gr_check_user_change);
40451 +EXPORT_SYMBOL(gr_check_group_change);
40452 +#endif
40453 diff -urNp linux-2.6.35.5/grsecurity/grsec_exec.c linux-2.6.35.5/grsecurity/grsec_exec.c
40454 --- linux-2.6.35.5/grsecurity/grsec_exec.c      1969-12-31 19:00:00.000000000 -0500
40455 +++ linux-2.6.35.5/grsecurity/grsec_exec.c      2010-09-17 20:12:37.000000000 -0400
40456 @@ -0,0 +1,88 @@
40457 +#include <linux/kernel.h>
40458 +#include <linux/sched.h>
40459 +#include <linux/file.h>
40460 +#include <linux/binfmts.h>
40461 +#include <linux/smp_lock.h>
40462 +#include <linux/fs.h>
40463 +#include <linux/types.h>
40464 +#include <linux/grdefs.h>
40465 +#include <linux/grinternal.h>
40466 +#include <linux/capability.h>
40467 +
40468 +#include <asm/uaccess.h>
40469 +
40470 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40471 +static char gr_exec_arg_buf[132];
40472 +static DECLARE_MUTEX(gr_exec_arg_sem);
40473 +#endif
40474 +
40475 +int
40476 +gr_handle_nproc(void)
40477 +{
40478 +#ifdef CONFIG_GRKERNSEC_EXECVE
40479 +       const struct cred *cred = current_cred();
40480 +       if (grsec_enable_execve && cred->user &&
40481 +           (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
40482 +           !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
40483 +               gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
40484 +               return -EAGAIN;
40485 +       }
40486 +#endif
40487 +       return 0;
40488 +}
40489 +
40490 +void
40491 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *__user *argv)
40492 +{
40493 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40494 +       char *grarg = gr_exec_arg_buf;
40495 +       unsigned int i, x, execlen = 0;
40496 +       char c;
40497 +
40498 +       if (!((grsec_enable_execlog && grsec_enable_group &&
40499 +              in_group_p(grsec_audit_gid))
40500 +             || (grsec_enable_execlog && !grsec_enable_group)))
40501 +               return;
40502 +
40503 +       down(&gr_exec_arg_sem);
40504 +       memset(grarg, 0, sizeof(gr_exec_arg_buf));
40505 +
40506 +       if (unlikely(argv == NULL))
40507 +               goto log;
40508 +
40509 +       for (i = 0; i < bprm->argc && execlen < 128; i++) {
40510 +               const char __user *p;
40511 +               unsigned int len;
40512 +
40513 +               if (copy_from_user(&p, argv + i, sizeof(p)))
40514 +                       goto log;
40515 +               if (!p)
40516 +                       goto log;
40517 +               len = strnlen_user(p, 128 - execlen);
40518 +               if (len > 128 - execlen)
40519 +                       len = 128 - execlen;
40520 +               else if (len > 0)
40521 +                       len--;
40522 +               if (copy_from_user(grarg + execlen, p, len))
40523 +                       goto log;
40524 +
40525 +               /* rewrite unprintable characters */
40526 +               for (x = 0; x < len; x++) {
40527 +                       c = *(grarg + execlen + x);
40528 +                       if (c < 32 || c > 126)
40529 +                               *(grarg + execlen + x) = ' ';
40530 +               }
40531 +
40532 +               execlen += len;
40533 +               *(grarg + execlen) = ' ';
40534 +               *(grarg + execlen + 1) = '\0';
40535 +               execlen++;
40536 +       }
40537 +
40538 +      log:
40539 +       gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
40540 +                       bprm->file->f_path.mnt, grarg);
40541 +       up(&gr_exec_arg_sem);
40542 +#endif
40543 +       return;
40544 +}
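Review bot: gr_handle_exec_args builds the audit string by reading `argv` from user memory itself (`copy_from_user(&p, argv + i, sizeof(p))`, then `strnlen_user` and a second `copy_from_user`), so the logged arguments are a separate snapshot from whatever the exec path copies for the new image. The call site is outside this hunk, but if another thread sharing the address space can still write to those strings at that point, the audit record may not match what actually runs. I would state that limit above the loop, e.g. `/* argv is re-read from user memory here; the logged string is best-effort and may differ from the arguments the new image receives */`, and consider building the string from the copy held by `bprm` if the arguments have already been copied by then. Separately, the literals 128 and 132 are coupled (the `' '` and `'\0'` stores need two bytes past offset 128) and would be safer derived from one named constant.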
40545 diff -urNp linux-2.6.35.5/grsecurity/grsec_fifo.c linux-2.6.35.5/grsecurity/grsec_fifo.c
40546 --- linux-2.6.35.5/grsecurity/grsec_fifo.c      1969-12-31 19:00:00.000000000 -0500
40547 +++ linux-2.6.35.5/grsecurity/grsec_fifo.c      2010-09-17 20:12:37.000000000 -0400
40548 @@ -0,0 +1,24 @@
40549 +#include <linux/kernel.h>
40550 +#include <linux/sched.h>
40551 +#include <linux/fs.h>
40552 +#include <linux/file.h>
40553 +#include <linux/grinternal.h>
40554 +
40555 +int
40556 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
40557 +              const struct dentry *dir, const int flag, const int acc_mode)
40558 +{
40559 +#ifdef CONFIG_GRKERNSEC_FIFO
40560 +       const struct cred *cred = current_cred();
40561 +
40562 +       if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
40563 +           !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
40564 +           (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
40565 +           (cred->fsuid != dentry->d_inode->i_uid)) {
40566 +               if (!generic_permission(dentry->d_inode, acc_mode, NULL))
40567 +                       gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
40568 +               return -EACCES;
40569 +       }
40570 +#endif
40571 +       return 0;
40572 +}
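Review bot: In gr_handle_fifo the `gr_log_fs_int2` call is guarded by `!generic_permission(...)` while `return -EACCES` is not, so the open is always refused once the outer condition holds but is logged only when the ordinary permission check would have allowed it; nothing in the code says this is intended. A short comment would make the policy readable: `/* deny opening, without O_EXCL, a FIFO in a sticky directory that is owned by neither the directory owner nor the caller; log only when DAC alone would have permitted it */`. Bracing the inner `if` would also keep the unconditional return from being misread as part of it. The `dentry->d_inode` and `dir->d_inode` dereferences assume the caller passes positive dentries, which is not visible in this hunk.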
40573 diff -urNp linux-2.6.35.5/grsecurity/grsec_fork.c linux-2.6.35.5/grsecurity/grsec_fork.c
40574 --- linux-2.6.35.5/grsecurity/grsec_fork.c      1969-12-31 19:00:00.000000000 -0500
40575 +++ linux-2.6.35.5/grsecurity/grsec_fork.c      2010-09-23 20:39:19.000000000 -0400
40576 @@ -0,0 +1,23 @@
40577 +#include <linux/kernel.h>
40578 +#include <linux/sched.h>
40579 +#include <linux/grsecurity.h>
40580 +#include <linux/grinternal.h>
40581 +#include <linux/errno.h>
40582 +
40583 +void
40584 +gr_log_forkfail(const int retval)
40585 +{
40586 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40587 +       if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
40588 +               switch (retval) {
40589 +                       case -EAGAIN:
40590 +                               gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
40591 +                               break;
40592 +                       case -ENOMEM:
40593 +                               gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
40594 +                               break;
40595 +               }
40596 +       }
40597 +#endif
40598 +       return;
40599 +}
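Review bot: The `if` in gr_log_forkfail already limits `retval` to `-EAGAIN` or `-ENOMEM`, and the `switch` inside it tests the same two values again with no `default`, so the two lists have to be kept in step by hand. One call inside the existing `if` does the same work: `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. The trailing `return;` in a void function can go as well.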
40600 diff -urNp linux-2.6.35.5/grsecurity/grsec_init.c linux-2.6.35.5/grsecurity/grsec_init.c
40601 --- linux-2.6.35.5/grsecurity/grsec_init.c      1969-12-31 19:00:00.000000000 -0500
40602 +++ linux-2.6.35.5/grsecurity/grsec_init.c      2010-09-17 20:12:37.000000000 -0400
40603 @@ -0,0 +1,266 @@
40604 +#include <linux/kernel.h>
40605 +#include <linux/sched.h>
40606 +#include <linux/mm.h>
40607 +#include <linux/smp_lock.h>
40608 +#include <linux/gracl.h>
40609 +#include <linux/slab.h>
40610 +#include <linux/vmalloc.h>
40611 +#include <linux/percpu.h>
40612 +#include <linux/module.h>
40613 +
40614 +int grsec_enable_link;
40615 +int grsec_enable_dmesg;
40616 +int grsec_enable_harden_ptrace;
40617 +int grsec_enable_fifo;
40618 +int grsec_enable_execve;
40619 +int grsec_enable_execlog;
40620 +int grsec_enable_signal;
40621 +int grsec_enable_forkfail;
40622 +int grsec_enable_audit_ptrace;
40623 +int grsec_enable_time;
40624 +int grsec_enable_audit_textrel;
40625 +int grsec_enable_group;
40626 +int grsec_audit_gid;
40627 +int grsec_enable_chdir;
40628 +int grsec_enable_mount;
40629 +int grsec_enable_rofs;
40630 +int grsec_enable_chroot_findtask;
40631 +int grsec_enable_chroot_mount;
40632 +int grsec_enable_chroot_shmat;
40633 +int grsec_enable_chroot_fchdir;
40634 +int grsec_enable_chroot_double;
40635 +int grsec_enable_chroot_pivot;
40636 +int grsec_enable_chroot_chdir;
40637 +int grsec_enable_chroot_chmod;
40638 +int grsec_enable_chroot_mknod;
40639 +int grsec_enable_chroot_nice;
40640 +int grsec_enable_chroot_execlog;
40641 +int grsec_enable_chroot_caps;
40642 +int grsec_enable_chroot_sysctl;
40643 +int grsec_enable_chroot_unix;
40644 +int grsec_enable_tpe;
40645 +int grsec_tpe_gid;
40646 +int grsec_enable_blackhole;
40647 +#ifdef CONFIG_IPV6_MODULE
40648 +EXPORT_SYMBOL(grsec_enable_blackhole);
40649 +#endif
40650 +int grsec_lastack_retries;
40651 +int grsec_enable_tpe_all;
40652 +int grsec_enable_tpe_invert;
40653 +int grsec_enable_socket_all;
40654 +int grsec_socket_all_gid;
40655 +int grsec_enable_socket_client;
40656 +int grsec_socket_client_gid;
40657 +int grsec_enable_socket_server;
40658 +int grsec_socket_server_gid;
40659 +int grsec_resource_logging;
40660 +int grsec_disable_privio;
40661 +int grsec_lock;
40662 +
40663 +DEFINE_SPINLOCK(grsec_alert_lock);
40664 +unsigned long grsec_alert_wtime = 0;
40665 +unsigned long grsec_alert_fyet = 0;
40666 +
40667 +DEFINE_SPINLOCK(grsec_audit_lock);
40668 +
40669 +DEFINE_RWLOCK(grsec_exec_file_lock);
40670 +
40671 +char *gr_shared_page[4];
40672 +
40673 +char *gr_alert_log_fmt;
40674 +char *gr_audit_log_fmt;
40675 +char *gr_alert_log_buf;
40676 +char *gr_audit_log_buf;
40677 +
40678 +extern struct gr_arg *gr_usermode;
40679 +extern unsigned char *gr_system_salt;
40680 +extern unsigned char *gr_system_sum;
40681 +
40682 +void __init
40683 +grsecurity_init(void)
40684 +{
40685 +       int j;
40686 +       /* create the per-cpu shared pages */
40687 +
40688 +#ifdef CONFIG_X86
40689 +       memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
40690 +#endif
40691 +
40692 +       for (j = 0; j < 4; j++) {
40693 +               gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
40694 +               if (gr_shared_page[j] == NULL) {
40695 +                       panic("Unable to allocate grsecurity shared page");
40696 +                       return;
40697 +               }
40698 +       }
40699 +
40700 +       /* allocate log buffers */
40701 +       gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
40702 +       if (!gr_alert_log_fmt) {
40703 +               panic("Unable to allocate grsecurity alert log format buffer");
40704 +               return;
40705 +       }
40706 +       gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
40707 +       if (!gr_audit_log_fmt) {
40708 +               panic("Unable to allocate grsecurity audit log format buffer");
40709 +               return;
40710 +       }
40711 +       gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40712 +       if (!gr_alert_log_buf) {
40713 +               panic("Unable to allocate grsecurity alert log buffer");
40714 +               return;
40715 +       }
40716 +       gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
40717 +       if (!gr_audit_log_buf) {
40718 +               panic("Unable to allocate grsecurity audit log buffer");
40719 +               return;
40720 +       }
40721 +
40722 +       /* allocate memory for authentication structure */
40723 +       gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
40724 +       gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
40725 +       gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
40726 +
40727 +       if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
40728 +               panic("Unable to allocate grsecurity authentication structure");
40729 +               return;
40730 +       }
40731 +
40732 +
40733 +#ifdef CONFIG_GRKERNSEC_IO
40734 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
40735 +       grsec_disable_privio = 1;
40736 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40737 +       grsec_disable_privio = 1;
40738 +#else
40739 +       grsec_disable_privio = 0;
40740 +#endif
40741 +#endif
40742 +
40743 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
40744 +       /* for backward compatibility, tpe_invert always defaults to on if
40745 +          enabled in the kernel
40746 +       */
40747 +       grsec_enable_tpe_invert = 1;
40748 +#endif
40749 +
40750 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
40751 +#ifndef CONFIG_GRKERNSEC_SYSCTL
40752 +       grsec_lock = 1;
40753 +#endif
40754 +
40755 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
40756 +       grsec_enable_audit_textrel = 1;
40757 +#endif
40758 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
40759 +       grsec_enable_group = 1;
40760 +       grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
40761 +#endif
40762 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40763 +       grsec_enable_chdir = 1;
40764 +#endif
40765 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
40766 +       grsec_enable_harden_ptrace = 1;
40767 +#endif
40768 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
40769 +       grsec_enable_mount = 1;
40770 +#endif
40771 +#ifdef CONFIG_GRKERNSEC_LINK
40772 +       grsec_enable_link = 1;
40773 +#endif
40774 +#ifdef CONFIG_GRKERNSEC_DMESG
40775 +       grsec_enable_dmesg = 1;
40776 +#endif
40777 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
40778 +       grsec_enable_blackhole = 1;
40779 +       grsec_lastack_retries = 4;
40780 +#endif
40781 +#ifdef CONFIG_GRKERNSEC_FIFO
40782 +       grsec_enable_fifo = 1;
40783 +#endif
40784 +#ifdef CONFIG_GRKERNSEC_EXECVE
40785 +       grsec_enable_execve = 1;
40786 +#endif
40787 +#ifdef CONFIG_GRKERNSEC_EXECLOG
40788 +       grsec_enable_execlog = 1;
40789 +#endif
40790 +#ifdef CONFIG_GRKERNSEC_SIGNAL
40791 +       grsec_enable_signal = 1;
40792 +#endif
40793 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
40794 +       grsec_enable_forkfail = 1;
40795 +#endif
40796 +#ifdef CONFIG_GRKERNSEC_TIME
40797 +       grsec_enable_time = 1;
40798 +#endif
40799 +#ifdef CONFIG_GRKERNSEC_RESLOG
40800 +       grsec_resource_logging = 1;
40801 +#endif
40802 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40803 +       grsec_enable_chroot_findtask = 1;
40804 +#endif
40805 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40806 +       grsec_enable_chroot_unix = 1;
40807 +#endif
40808 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40809 +       grsec_enable_chroot_mount = 1;
40810 +#endif
40811 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40812 +       grsec_enable_chroot_fchdir = 1;
40813 +#endif
40814 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40815 +       grsec_enable_chroot_shmat = 1;
40816 +#endif
40817 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
40818 +       grsec_enable_audit_ptrace = 1;
40819 +#endif
40820 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40821 +       grsec_enable_chroot_double = 1;
40822 +#endif
40823 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40824 +       grsec_enable_chroot_pivot = 1;
40825 +#endif
40826 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40827 +       grsec_enable_chroot_chdir = 1;
40828 +#endif
40829 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40830 +       grsec_enable_chroot_chmod = 1;
40831 +#endif
40832 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40833 +       grsec_enable_chroot_mknod = 1;
40834 +#endif
40835 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40836 +       grsec_enable_chroot_nice = 1;
40837 +#endif
40838 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40839 +       grsec_enable_chroot_execlog = 1;
40840 +#endif
40841 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40842 +       grsec_enable_chroot_caps = 1;
40843 +#endif
40844 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40845 +       grsec_enable_chroot_sysctl = 1;
40846 +#endif
40847 +#ifdef CONFIG_GRKERNSEC_TPE
40848 +       grsec_enable_tpe = 1;
40849 +       grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
40850 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
40851 +       grsec_enable_tpe_all = 1;
40852 +#endif
40853 +#endif
40854 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
40855 +       grsec_enable_socket_all = 1;
40856 +       grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
40857 +#endif
40858 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
40859 +       grsec_enable_socket_client = 1;
40860 +       grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
40861 +#endif
40862 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
40863 +       grsec_enable_socket_server = 1;
40864 +       grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
40865 +#endif
40866 +#endif
40867 +
40868 +       return;
40869 +}
40870 diff -urNp linux-2.6.35.5/grsecurity/grsec_link.c linux-2.6.35.5/grsecurity/grsec_link.c
40871 --- linux-2.6.35.5/grsecurity/grsec_link.c      1969-12-31 19:00:00.000000000 -0500
40872 +++ linux-2.6.35.5/grsecurity/grsec_link.c      2010-09-17 20:12:37.000000000 -0400
40873 @@ -0,0 +1,43 @@
40874 +#include <linux/kernel.h>
40875 +#include <linux/sched.h>
40876 +#include <linux/fs.h>
40877 +#include <linux/file.h>
40878 +#include <linux/grinternal.h>
40879 +
40880 +int
40881 +gr_handle_follow_link(const struct inode *parent,
40882 +                     const struct inode *inode,
40883 +                     const struct dentry *dentry, const struct vfsmount *mnt)
40884 +{
40885 +#ifdef CONFIG_GRKERNSEC_LINK
40886 +       const struct cred *cred = current_cred();
40887 +
40888 +       if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
40889 +           (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
40890 +           (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
40891 +               gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
40892 +               return -EACCES;
40893 +       }
40894 +#endif
40895 +       return 0;
40896 +}
40897 +
40898 +int
40899 +gr_handle_hardlink(const struct dentry *dentry,
40900 +                  const struct vfsmount *mnt,
40901 +                  struct inode *inode, const int mode, const char *to)
40902 +{
40903 +#ifdef CONFIG_GRKERNSEC_LINK
40904 +       const struct cred *cred = current_cred();
40905 +
40906 +       if (grsec_enable_link && cred->fsuid != inode->i_uid &&
40907 +           (!S_ISREG(mode) || (mode & S_ISUID) ||
40908 +            ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
40909 +            (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
40910 +           !capable(CAP_FOWNER) && cred->uid) {
40911 +               gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
40912 +               return -EPERM;
40913 +       }
40914 +#endif
40915 +       return 0;
40916 +}
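Review bot: In gr_handle_hardlink the final `&& cred->uid` exempts every uid-0 task from the restriction, including one that no longer holds CAP_FOWNER, so the `!capable(CAP_FOWNER)` test only matters for non-root callers. If the exemption is meant to follow the capability, the condition would end at `!capable(CAP_FOWNER)`; if the uid-0 bypass is intended, it deserves a comment such as `/* root is exempt even without CAP_FOWNER */`. Putting the cheap `cred->uid` comparison before `capable()` would also avoid calling `capable()` when its result cannot change the outcome. The `generic_permission(inode, MAY_READ | MAY_WRITE, NULL)` term is true when the caller lacks read/write access to the target, which is worth stating beside it since the sense is easy to invert.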
40917 diff -urNp linux-2.6.35.5/grsecurity/grsec_log.c linux-2.6.35.5/grsecurity/grsec_log.c
40918 --- linux-2.6.35.5/grsecurity/grsec_log.c       1969-12-31 19:00:00.000000000 -0500
40919 +++ linux-2.6.35.5/grsecurity/grsec_log.c       2010-09-17 20:12:37.000000000 -0400
40920 @@ -0,0 +1,306 @@
40921 +#include <linux/kernel.h>
40922 +#include <linux/sched.h>
40923 +#include <linux/file.h>
40924 +#include <linux/tty.h>
40925 +#include <linux/fs.h>
40926 +#include <linux/grinternal.h>
40927 +
40928 +#ifdef CONFIG_TREE_PREEMPT_RCU
40929 +#define DISABLE_PREEMPT() preempt_disable()
40930 +#define ENABLE_PREEMPT() preempt_enable()
40931 +#else
40932 +#define DISABLE_PREEMPT()
40933 +#define ENABLE_PREEMPT()
40934 +#endif
40935 +
40936 +#define BEGIN_LOCKS(x) \
40937 +       DISABLE_PREEMPT(); \
40938 +       rcu_read_lock(); \
40939 +       read_lock(&tasklist_lock); \
40940 +       read_lock(&grsec_exec_file_lock); \
40941 +       if (x != GR_DO_AUDIT) \
40942 +               spin_lock(&grsec_alert_lock); \
40943 +       else \
40944 +               spin_lock(&grsec_audit_lock)
40945 +
40946 +#define END_LOCKS(x) \
40947 +       if (x != GR_DO_AUDIT) \
40948 +               spin_unlock(&grsec_alert_lock); \
40949 +       else \
40950 +               spin_unlock(&grsec_audit_lock); \
40951 +       read_unlock(&grsec_exec_file_lock); \
40952 +       read_unlock(&tasklist_lock); \
40953 +       rcu_read_unlock(); \
40954 +       ENABLE_PREEMPT(); \
40955 +       if (x == GR_DONT_AUDIT) \
40956 +               gr_handle_alertkill(current)
40957 +
40958 +enum {
40959 +       FLOODING,
40960 +       NO_FLOODING
40961 +};
40962 +
40963 +extern char *gr_alert_log_fmt;
40964 +extern char *gr_audit_log_fmt;
40965 +extern char *gr_alert_log_buf;
40966 +extern char *gr_audit_log_buf;
40967 +
40968 +static int gr_log_start(int audit)
40969 +{
40970 +       char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
40971 +       char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
40972 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
40973 +
40974 +       if (audit == GR_DO_AUDIT)
40975 +               goto set_fmt;
40976 +
40977 +       if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
40978 +               grsec_alert_wtime = jiffies;
40979 +               grsec_alert_fyet = 0;
40980 +       } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
40981 +               grsec_alert_fyet++;
40982 +       } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
40983 +               grsec_alert_wtime = jiffies;
40984 +               grsec_alert_fyet++;
40985 +               printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
40986 +               return FLOODING;
40987 +       } else return FLOODING;
40988 +
40989 +set_fmt:
40990 +       memset(buf, 0, PAGE_SIZE);
40991 +       if (current->signal->curr_ip && gr_acl_is_enabled()) {
40992 +               sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
40993 +               snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
40994 +       } else if (current->signal->curr_ip) {
40995 +               sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
40996 +               snprintf(buf, PAGE_SIZE - 1, fmt, &current->signal->curr_ip);
40997 +       } else if (gr_acl_is_enabled()) {
40998 +               sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
40999 +               snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41000 +       } else {
41001 +               sprintf(fmt, "%s%s", loglevel, "grsec: ");
41002 +               strcpy(buf, fmt);
41003 +       }
41004 +
41005 +       return NO_FLOODING;
41006 +}
41007 +
41008 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41009 +       __attribute__ ((format (printf, 2, 0)));
41010 +
41011 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41012 +{
41013 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41014 +       unsigned int len = strlen(buf);
41015 +
41016 +       vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41017 +
41018 +       return;
41019 +}
41020 +
41021 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41022 +       __attribute__ ((format (printf, 2, 3)));
41023 +
41024 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41025 +{
41026 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41027 +       unsigned int len = strlen(buf);
41028 +       va_list ap;
41029 +
41030 +       va_start(ap, msg);
41031 +       vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41032 +       va_end(ap);
41033 +
41034 +       return;
41035 +}
41036 +
41037 +static void gr_log_end(int audit)
41038 +{
41039 +       char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41040 +       unsigned int len = strlen(buf);
41041 +
41042 +       snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->parent)));
41043 +       printk("%s\n", buf);
41044 +
41045 +       return;
41046 +}
41047 +
41048 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
41049 +{
41050 +       int logtype;
41051 +       char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
41052 +       char *str1, *str2, *str3;
41053 +       void *voidptr;
41054 +       int num1, num2;
41055 +       unsigned long ulong1, ulong2;
41056 +       struct dentry *dentry;
41057 +       struct vfsmount *mnt;
41058 +       struct file *file;
41059 +       struct task_struct *task;
41060 +       const struct cred *cred, *pcred;
41061 +       va_list ap;
41062 +
41063 +       BEGIN_LOCKS(audit);
41064 +       logtype = gr_log_start(audit);
41065 +       if (logtype == FLOODING) {
41066 +               END_LOCKS(audit);
41067 +               return;
41068 +       }
41069 +       va_start(ap, argtypes);
41070 +       switch (argtypes) {
41071 +       case GR_TTYSNIFF:
41072 +               task = va_arg(ap, struct task_struct *);
41073 +               gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid);
41074 +               break;
41075 +       case GR_SYSCTL_HIDDEN:
41076 +               str1 = va_arg(ap, char *);
41077 +               gr_log_middle_varargs(audit, msg, result, str1);
41078 +               break;
41079 +       case GR_RBAC:
41080 +               dentry = va_arg(ap, struct dentry *);
41081 +               mnt = va_arg(ap, struct vfsmount *);
41082 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
41083 +               break;
41084 +       case GR_RBAC_STR:
41085 +               dentry = va_arg(ap, struct dentry *);
41086 +               mnt = va_arg(ap, struct vfsmount *);
41087 +               str1 = va_arg(ap, char *);
41088 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
41089 +               break;
41090 +       case GR_STR_RBAC:
41091 +               str1 = va_arg(ap, char *);
41092 +               dentry = va_arg(ap, struct dentry *);
41093 +               mnt = va_arg(ap, struct vfsmount *);
41094 +               gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
41095 +               break;
41096 +       case GR_RBAC_MODE2:
41097 +               dentry = va_arg(ap, struct dentry *);
41098 +               mnt = va_arg(ap, struct vfsmount *);
41099 +               str1 = va_arg(ap, char *);
41100 +               str2 = va_arg(ap, char *);
41101 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
41102 +               break;
41103 +       case GR_RBAC_MODE3:
41104 +               dentry = va_arg(ap, struct dentry *);
41105 +               mnt = va_arg(ap, struct vfsmount *);
41106 +               str1 = va_arg(ap, char *);
41107 +               str2 = va_arg(ap, char *);
41108 +               str3 = va_arg(ap, char *);
41109 +               gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
41110 +               break;
41111 +       case GR_FILENAME:
41112 +               dentry = va_arg(ap, struct dentry *);
41113 +               mnt = va_arg(ap, struct vfsmount *);
41114 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
41115 +               break;
41116 +       case GR_STR_FILENAME:
41117 +               str1 = va_arg(ap, char *);
41118 +               dentry = va_arg(ap, struct dentry *);
41119 +               mnt = va_arg(ap, struct vfsmount *);
41120 +               gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
41121 +               break;
41122 +       case GR_FILENAME_STR:
41123 +               dentry = va_arg(ap, struct dentry *);
41124 +               mnt = va_arg(ap, struct vfsmount *);
41125 +               str1 = va_arg(ap, char *);
41126 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
41127 +               break;
41128 +       case GR_FILENAME_TWO_INT:
41129 +               dentry = va_arg(ap, struct dentry *);
41130 +               mnt = va_arg(ap, struct vfsmount *);
41131 +               num1 = va_arg(ap, int);
41132 +               num2 = va_arg(ap, int);
41133 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
41134 +               break;
41135 +       case GR_FILENAME_TWO_INT_STR:
41136 +               dentry = va_arg(ap, struct dentry *);
41137 +               mnt = va_arg(ap, struct vfsmount *);
41138 +               num1 = va_arg(ap, int);
41139 +               num2 = va_arg(ap, int);
41140 +               str1 = va_arg(ap, char *);
41141 +               gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
41142 +               break;
41143 +       case GR_TEXTREL:
41144 +               file = va_arg(ap, struct file *);
41145 +               ulong1 = va_arg(ap, unsigned long);
41146 +               ulong2 = va_arg(ap, unsigned long);
41147 +               gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
41148 +               break;
41149 +       case GR_PTRACE:
41150 +               task = va_arg(ap, struct task_struct *);
41151 +               gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
41152 +               break;
41153 +       case GR_RESOURCE:
41154 +               task = va_arg(ap, struct task_struct *);
41155 +               cred = __task_cred(task);
41156 +               pcred = __task_cred(task->parent);
41157 +               ulong1 = va_arg(ap, unsigned long);
41158 +               str1 = va_arg(ap, char *);
41159 +               ulong2 = va_arg(ap, unsigned long);
41160 +               gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41161 +               break;
41162 +       case GR_CAP:
41163 +               task = va_arg(ap, struct task_struct *);
41164 +               cred = __task_cred(task);
41165 +               pcred = __task_cred(task->parent);
41166 +               str1 = va_arg(ap, char *);
41167 +               gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41168 +               break;
41169 +       case GR_SIG:
41170 +               str1 = va_arg(ap, char *);
41171 +               voidptr = va_arg(ap, void *);
41172 +               gr_log_middle_varargs(audit, msg, str1, voidptr);
41173 +               break;
41174 +       case GR_SIG2:
41175 +               task = va_arg(ap, struct task_struct *);
41176 +               cred = __task_cred(task);
41177 +               pcred = __task_cred(task->parent);
41178 +               num1 = va_arg(ap, int);
41179 +               gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41180 +               break;
41181 +       case GR_CRASH1:
41182 +               task = va_arg(ap, struct task_struct *);
41183 +               cred = __task_cred(task);
41184 +               pcred = __task_cred(task->parent);
41185 +               ulong1 = va_arg(ap, unsigned long);
41186 +               gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
41187 +               break;
41188 +       case GR_CRASH2:
41189 +               task = va_arg(ap, struct task_struct *);
41190 +               cred = __task_cred(task);
41191 +               pcred = __task_cred(task->parent);
41192 +               ulong1 = va_arg(ap, unsigned long);
41193 +               gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
41194 +               break;
41195 +       case GR_PSACCT:
41196 +               {
41197 +                       unsigned int wday, cday;
41198 +                       __u8 whr, chr;
41199 +                       __u8 wmin, cmin;
41200 +                       __u8 wsec, csec;
41201 +                       char cur_tty[64] = { 0 };
41202 +                       char parent_tty[64] = { 0 };
41203 +
41204 +                       task = va_arg(ap, struct task_struct *);
41205 +                       wday = va_arg(ap, unsigned int);
41206 +                       cday = va_arg(ap, unsigned int);
41207 +                       whr = va_arg(ap, int);
41208 +                       chr = va_arg(ap, int);
41209 +                       wmin = va_arg(ap, int);
41210 +                       cmin = va_arg(ap, int);
41211 +                       wsec = va_arg(ap, int);
41212 +                       csec = va_arg(ap, int);
41213 +                       ulong1 = va_arg(ap, unsigned long);
41214 +                       cred = __task_cred(task);
41215 +                       pcred = __task_cred(task->parent);
41216 +
41217 +                       gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->parent->comm, task->parent->pid, &task->parent->signal->curr_ip, tty_name(task->parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41218 +               }
41219 +               break;
41220 +       default:
41221 +               gr_log_middle(audit, msg, ap);
41222 +       }
41223 +       va_end(ap);
41224 +       gr_log_end(audit);
41225 +       END_LOCKS(audit);
41226 +}
41227 diff -urNp linux-2.6.35.5/grsecurity/grsec_mem.c linux-2.6.35.5/grsecurity/grsec_mem.c
41228 --- linux-2.6.35.5/grsecurity/grsec_mem.c       1969-12-31 19:00:00.000000000 -0500
41229 +++ linux-2.6.35.5/grsecurity/grsec_mem.c       2010-09-17 20:12:37.000000000 -0400
41230 @@ -0,0 +1,85 @@
41231 +#include <linux/kernel.h>
41232 +#include <linux/sched.h>
41233 +#include <linux/mm.h>
41234 +#include <linux/mman.h>
41235 +#include <linux/grinternal.h>
41236 +
41237 +void
41238 +gr_handle_ioperm(void)
41239 +{
41240 +       gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
41241 +       return;
41242 +}
41243 +
41244 +void
41245 +gr_handle_iopl(void)
41246 +{
41247 +       gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
41248 +       return;
41249 +}
41250 +
41251 +void
41252 +gr_handle_mem_write(void)
41253 +{
41254 +       gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
41255 +       return;
41256 +}
41257 +
41258 +void
41259 +gr_handle_kmem_write(void)
41260 +{
41261 +       gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
41262 +       return;
41263 +}
41264 +
41265 +void
41266 +gr_handle_open_port(void)
41267 +{
41268 +       gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
41269 +       return;
41270 +}
41271 +
41272 +int
41273 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
41274 +{
41275 +       unsigned long start, end;
41276 +
41277 +       start = offset;
41278 +       end = start + vma->vm_end - vma->vm_start;
41279 +
41280 +       if (start > end) {
41281 +               gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41282 +               return -EPERM;
41283 +       }
41284 +
41285 +       /* allowed ranges : ISA I/O BIOS */
41286 +       if ((start >= __pa(high_memory))
41287 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
41288 +           || (start >= 0x000a0000 && end <= 0x00100000)
41289 +           || (start >= 0x00000000 && end <= 0x00001000)
41290 +#endif
41291 +       )
41292 +               return 0;
41293 +
41294 +       if (vma->vm_flags & VM_WRITE) {
41295 +               gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
41296 +               return -EPERM;
41297 +       } else
41298 +               vma->vm_flags &= ~VM_MAYWRITE;
41299 +
41300 +       return 0;
41301 +}
41302 +
41303 +void
41304 +gr_log_nonroot_mod_load(const char *modname)
41305 +{
41306 +        gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
41307 +        return;
41308 +}
41309 +
41310 +void
41311 +gr_handle_vm86(void)
41312 +{
41313 +       gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
41314 +       return;
41315 +}
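Review bot: The comment `/* allowed ranges : ISA I/O BIOS */` in gr_handle_mem_mmap does not say which bounds belong to which region, and the policy after it is undocumented. As written, the listed ranges and anything at or above `__pa(high_memory)` are allowed even when writable. Any other writable mapping is logged and refused, and a read-only one is allowed with `VM_MAYWRITE` cleared. I would add `/* read-only mapping of RAM: drop VM_MAYWRITE so it cannot be made writable later */` above the `else` branch, and `/* offset + length wrapped around */` above the `start > end` test. The `start >= 0x00000000` comparison is always true for an `unsigned long` and could be dropped.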
41316 diff -urNp linux-2.6.35.5/grsecurity/grsec_mount.c linux-2.6.35.5/grsecurity/grsec_mount.c
41317 --- linux-2.6.35.5/grsecurity/grsec_mount.c     1969-12-31 19:00:00.000000000 -0500
41318 +++ linux-2.6.35.5/grsecurity/grsec_mount.c     2010-09-17 20:12:37.000000000 -0400
41319 @@ -0,0 +1,62 @@
41320 +#include <linux/kernel.h>
41321 +#include <linux/sched.h>
41322 +#include <linux/mount.h>
41323 +#include <linux/grsecurity.h>
41324 +#include <linux/grinternal.h>
41325 +
41326 +void
41327 +gr_log_remount(const char *devname, const int retval)
41328 +{
41329 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41330 +       if (grsec_enable_mount && (retval >= 0))
41331 +               gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
41332 +#endif
41333 +       return;
41334 +}
41335 +
41336 +void
41337 +gr_log_unmount(const char *devname, const int retval)
41338 +{
41339 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41340 +       if (grsec_enable_mount && (retval >= 0))
41341 +               gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
41342 +#endif
41343 +       return;
41344 +}
41345 +
41346 +void
41347 +gr_log_mount(const char *from, const char *to, const int retval)
41348 +{
41349 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41350 +       if (grsec_enable_mount && (retval >= 0))
41351 +               gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
41352 +#endif
41353 +       return;
41354 +}
41355 +
41356 +int
41357 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
41358 +{
41359 +#ifdef CONFIG_GRKERNSEC_ROFS
41360 +       if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
41361 +               gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
41362 +               return -EPERM;
41363 +       } else
41364 +               return 0;
41365 +#endif
41366 +       return 0;
41367 +}
41368 +
41369 +int
41370 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
41371 +{
41372 +#ifdef CONFIG_GRKERNSEC_ROFS
41373 +       if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
41374 +           dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
41375 +               gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
41376 +               return -EPERM;
41377 +       } else
41378 +               return 0;
41379 +#endif
41380 +       return 0;
41381 +}
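Review bot: gr_log_mount passes `from` and `to` straight to gr_log_str_str, while gr_log_remount and gr_log_unmount in the same hunk substitute "none" for a NULL `devname`. If the caller can pass a NULL source name (the call site is outside this hunk), the mount audit line would be formed differently from the other two. Using `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);` keeps them consistent. In gr_handle_rofs_mount and gr_handle_rofs_blockwrite, the `else return 0;` branch makes the `return 0;` after `#endif` unreachable when CONFIG_GRKERNSEC_ROFS is set; dropping the `else` leaves a single exit path.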
41382 diff -urNp linux-2.6.35.5/grsecurity/grsec_ptrace.c linux-2.6.35.5/grsecurity/grsec_ptrace.c
41383 --- linux-2.6.35.5/grsecurity/grsec_ptrace.c    1969-12-31 19:00:00.000000000 -0500
41384 +++ linux-2.6.35.5/grsecurity/grsec_ptrace.c    2010-09-17 20:12:37.000000000 -0400
41385 @@ -0,0 +1,14 @@
41386 +#include <linux/kernel.h>
41387 +#include <linux/sched.h>
41388 +#include <linux/grinternal.h>
41389 +#include <linux/grsecurity.h>
41390 +
41391 +void
41392 +gr_audit_ptrace(struct task_struct *task)
41393 +{
41394 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41395 +       if (grsec_enable_audit_ptrace)
41396 +               gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
41397 +#endif
41398 +       return;
41399 +}
41400 diff -urNp linux-2.6.35.5/grsecurity/grsec_sig.c linux-2.6.35.5/grsecurity/grsec_sig.c
41401 --- linux-2.6.35.5/grsecurity/grsec_sig.c       1969-12-31 19:00:00.000000000 -0500
41402 +++ linux-2.6.35.5/grsecurity/grsec_sig.c       2010-09-17 20:12:37.000000000 -0400
41403 @@ -0,0 +1,65 @@
41404 +#include <linux/kernel.h>
41405 +#include <linux/sched.h>
41406 +#include <linux/delay.h>
41407 +#include <linux/grsecurity.h>
41408 +#include <linux/grinternal.h>
41409 +
41410 +char *signames[] = {
41411 +       [SIGSEGV] = "Segmentation fault",
41412 +       [SIGILL] = "Illegal instruction",
41413 +       [SIGABRT] = "Abort",
41414 +       [SIGBUS] = "Invalid alignment/Bus error"
41415 +};
41416 +
41417 +void
41418 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
41419 +{
41420 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41421 +       if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
41422 +                                   (sig == SIGABRT) || (sig == SIGBUS))) {
41423 +               if (t->pid == current->pid) {
41424 +                       gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
41425 +               } else {
41426 +                       gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
41427 +               }
41428 +       }
41429 +#endif
41430 +       return;
41431 +}
41432 +
41433 +int
41434 +gr_handle_signal(const struct task_struct *p, const int sig)
41435 +{
41436 +#ifdef CONFIG_GRKERNSEC
41437 +       if (current->pid > 1 && gr_check_protected_task(p)) {
41438 +               gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
41439 +               return -EPERM;
41440 +       } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
41441 +               return -EPERM;
41442 +       }
41443 +#endif
41444 +       return 0;
41445 +}
41446 +
41447 +void gr_handle_brute_attach(struct task_struct *p)
41448 +{
41449 +#ifdef CONFIG_GRKERNSEC_BRUTE
41450 +       read_lock(&tasklist_lock);
41451 +       read_lock(&grsec_exec_file_lock);
41452 +       if (p->parent && p->parent->exec_file == p->exec_file)
41453 +               p->parent->brute = 1;
41454 +       read_unlock(&grsec_exec_file_lock);
41455 +       read_unlock(&tasklist_lock);
41456 +#endif
41457 +       return;
41458 +}
41459 +
41460 +void gr_handle_brute_check(void)
41461 +{
41462 +#ifdef CONFIG_GRKERNSEC_BRUTE
41463 +       if (current->brute)
41464 +               msleep(30 * 1000);
41465 +#endif
41466 +       return;
41467 +}
41468 +
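Review bot: `signames` is defined as a writable, externally visible array of `char *` under a very generic name, although this hunk only reads it, in gr_log_signal. If no other file references it (not visible from here), `static const char * const signames[] = {` keeps it out of the global namespace and lets it sit in read-only data, in line with the constification this patch applies elsewhere. The lookup `signames[sig]` is in bounds only because of the four-signal check just before it. A one-line comment there, such as `/* sig is limited to the entries initialised in signames[] */`, would stop a later edit from widening the condition without extending the table.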
41469 diff -urNp linux-2.6.35.5/grsecurity/grsec_sock.c linux-2.6.35.5/grsecurity/grsec_sock.c
41470 --- linux-2.6.35.5/grsecurity/grsec_sock.c      1969-12-31 19:00:00.000000000 -0500
41471 +++ linux-2.6.35.5/grsecurity/grsec_sock.c      2010-09-17 20:12:37.000000000 -0400
41472 @@ -0,0 +1,271 @@
41473 +#include <linux/kernel.h>
41474 +#include <linux/module.h>
41475 +#include <linux/sched.h>
41476 +#include <linux/file.h>
41477 +#include <linux/net.h>
41478 +#include <linux/in.h>
41479 +#include <linux/ip.h>
41480 +#include <net/sock.h>
41481 +#include <net/inet_sock.h>
41482 +#include <linux/grsecurity.h>
41483 +#include <linux/grinternal.h>
41484 +#include <linux/gracl.h>
41485 +
41486 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
41487 +EXPORT_SYMBOL(gr_cap_rtnetlink);
41488 +
41489 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
41490 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
41491 +
41492 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
41493 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
41494 +
41495 +#ifdef CONFIG_UNIX_MODULE
41496 +EXPORT_SYMBOL(gr_acl_handle_unix);
41497 +EXPORT_SYMBOL(gr_acl_handle_mknod);
41498 +EXPORT_SYMBOL(gr_handle_chroot_unix);
41499 +EXPORT_SYMBOL(gr_handle_create);
41500 +#endif
41501 +
41502 +#ifdef CONFIG_GRKERNSEC
41503 +#define gr_conn_table_size 32749
41504 +struct conn_table_entry {
41505 +       struct conn_table_entry *next;
41506 +       struct signal_struct *sig;
41507 +};
41508 +
41509 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
41510 +DEFINE_SPINLOCK(gr_conn_table_lock);
41511 +
41512 +extern const char * gr_socktype_to_name(unsigned char type);
41513 +extern const char * gr_proto_to_name(unsigned char proto);
41514 +
41515 +static __inline__ int 
41516 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
41517 +{
41518 +       return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
41519 +}
41520 +
41521 +static __inline__ int
41522 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr, 
41523 +          __u16 sport, __u16 dport)
41524 +{
41525 +       if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
41526 +                    sig->gr_sport == sport && sig->gr_dport == dport))
41527 +               return 1;
41528 +       else
41529 +               return 0;
41530 +}
41531 +
41532 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
41533 +{
41534 +       struct conn_table_entry **match;
41535 +       unsigned int index;
41536 +
41537 +       index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
41538 +                         sig->gr_sport, sig->gr_dport, 
41539 +                         gr_conn_table_size);
41540 +
41541 +       newent->sig = sig;
41542 +       
41543 +       match = &gr_conn_table[index];
41544 +       newent->next = *match;
41545 +       *match = newent;
41546 +
41547 +       return;
41548 +}
41549 +
41550 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
41551 +{
41552 +       struct conn_table_entry *match, *last = NULL;
41553 +       unsigned int index;
41554 +
41555 +       index = conn_hash(sig->gr_saddr, sig->gr_daddr, 
41556 +                         sig->gr_sport, sig->gr_dport, 
41557 +                         gr_conn_table_size);
41558 +
41559 +       match = gr_conn_table[index];
41560 +       while (match && !conn_match(match->sig, 
41561 +               sig->gr_saddr, sig->gr_daddr, sig->gr_sport, 
41562 +               sig->gr_dport)) {
41563 +               last = match;
41564 +               match = match->next;
41565 +       }
41566 +
41567 +       if (match) {
41568 +               if (last)
41569 +                       last->next = match->next;
41570 +               else
41571 +                       gr_conn_table[index] = NULL;
41572 +               kfree(match);
41573 +       }
41574 +
41575 +       return;
41576 +}
41577 +
41578 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
41579 +                                            __u16 sport, __u16 dport)
41580 +{
41581 +       struct conn_table_entry *match;
41582 +       unsigned int index;
41583 +
41584 +       index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
41585 +
41586 +       match = gr_conn_table[index];
41587 +       while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
41588 +               match = match->next;
41589 +
41590 +       if (match)
41591 +               return match->sig;
41592 +       else
41593 +               return NULL;
41594 +}
41595 +
41596 +#endif
41597 +
41598 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
41599 +{
41600 +#ifdef CONFIG_GRKERNSEC
41601 +       struct signal_struct *sig = task->signal;
41602 +       struct conn_table_entry *newent;
41603 +
41604 +       newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
41605 +       if (newent == NULL)
41606 +               return;
41607 +       /* no bh lock needed since we are called with bh disabled */
41608 +       spin_lock(&gr_conn_table_lock);
41609 +       gr_del_task_from_ip_table_nolock(sig);
41610 +       sig->gr_saddr = inet->inet_rcv_saddr;
41611 +       sig->gr_daddr = inet->inet_daddr;
41612 +       sig->gr_sport = inet->inet_sport;
41613 +       sig->gr_dport = inet->inet_dport;
41614 +       gr_add_to_task_ip_table_nolock(sig, newent);
41615 +       spin_unlock(&gr_conn_table_lock);
41616 +#endif
41617 +       return;
41618 +}
41619 +
41620 +void gr_del_task_from_ip_table(struct task_struct *task)
41621 +{
41622 +#ifdef CONFIG_GRKERNSEC
41623 +       spin_lock_bh(&gr_conn_table_lock);
41624 +       gr_del_task_from_ip_table_nolock(task->signal);
41625 +       spin_unlock_bh(&gr_conn_table_lock);
41626 +#endif
41627 +       return;
41628 +}
41629 +
41630 +void
41631 +gr_attach_curr_ip(const struct sock *sk)
41632 +{
41633 +#ifdef CONFIG_GRKERNSEC
41634 +       struct signal_struct *p, *set;
41635 +       const struct inet_sock *inet = inet_sk(sk);     
41636 +
41637 +       if (unlikely(sk->sk_protocol != IPPROTO_TCP))
41638 +               return;
41639 +
41640 +       set = current->signal;
41641 +
41642 +       spin_lock_bh(&gr_conn_table_lock);
41643 +       p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
41644 +                                   inet->inet_dport, inet->inet_sport);
41645 +       if (unlikely(p != NULL)) {
41646 +               set->curr_ip = p->curr_ip;
41647 +               set->used_accept = 1;
41648 +               gr_del_task_from_ip_table_nolock(p);
41649 +               spin_unlock_bh(&gr_conn_table_lock);
41650 +               return;
41651 +       }
41652 +       spin_unlock_bh(&gr_conn_table_lock);
41653 +
41654 +       set->curr_ip = inet->inet_daddr;
41655 +       set->used_accept = 1;
41656 +#endif
41657 +       return;
41658 +}
41659 +
41660 +int
41661 +gr_handle_sock_all(const int family, const int type, const int protocol)
41662 +{
41663 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41664 +       if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
41665 +           (family != AF_UNIX) && (family != AF_LOCAL)) {
41666 +               gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
41667 +               return -EACCES;
41668 +       }
41669 +#endif
41670 +       return 0;
41671 +}
41672 +
41673 +int
41674 +gr_handle_sock_server(const struct sockaddr *sck)
41675 +{
41676 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41677 +       if (grsec_enable_socket_server &&
41678 +           in_group_p(grsec_socket_server_gid) &&
41679 +           sck && (sck->sa_family != AF_UNIX) &&
41680 +           (sck->sa_family != AF_LOCAL)) {
41681 +               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41682 +               return -EACCES;
41683 +       }
41684 +#endif
41685 +       return 0;
41686 +}
41687 +
41688 +int
41689 +gr_handle_sock_server_other(const struct sock *sck)
41690 +{
41691 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41692 +       if (grsec_enable_socket_server &&
41693 +           in_group_p(grsec_socket_server_gid) &&
41694 +           sck && (sck->sk_family != AF_UNIX) &&
41695 +           (sck->sk_family != AF_LOCAL)) {
41696 +               gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
41697 +               return -EACCES;
41698 +       }
41699 +#endif
41700 +       return 0;
41701 +}
41702 +
41703 +int
41704 +gr_handle_sock_client(const struct sockaddr *sck)
41705 +{
41706 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41707 +       if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
41708 +           sck && (sck->sa_family != AF_UNIX) &&
41709 +           (sck->sa_family != AF_LOCAL)) {
41710 +               gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
41711 +               return -EACCES;
41712 +       }
41713 +#endif
41714 +       return 0;
41715 +}
41716 +
41717 +kernel_cap_t
41718 +gr_cap_rtnetlink(struct sock *sock)
41719 +{
41720 +#ifdef CONFIG_GRKERNSEC
41721 +       if (!gr_acl_is_enabled())
41722 +               return current_cap();
41723 +       else if (sock->sk_protocol == NETLINK_ISCSI &&
41724 +                cap_raised(current_cap(), CAP_SYS_ADMIN) &&
41725 +                gr_is_capable(CAP_SYS_ADMIN))
41726 +               return current_cap();
41727 +       else if (sock->sk_protocol == NETLINK_AUDIT &&
41728 +                cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
41729 +                gr_is_capable(CAP_AUDIT_WRITE) &&
41730 +                cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
41731 +                gr_is_capable(CAP_AUDIT_CONTROL))
41732 +               return current_cap();
41733 +       else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
41734 +                ((sock->sk_protocol == NETLINK_ROUTE) ? 
41735 +                 gr_is_capable_nolog(CAP_NET_ADMIN) : 
41736 +                 gr_is_capable(CAP_NET_ADMIN)))
41737 +               return current_cap();
41738 +       else
41739 +               return __cap_empty_set;
41740 +#else
41741 +       return current_cap();
41742 +#endif
41743 +}
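Review bot: In gr_del_task_from_ip_table_nolock, removing an entry at the head of its bucket sets `gr_conn_table[index] = NULL`, which discards every other entry chained behind it. Those entries are never freed, and gr_lookup_task_ip_table can no longer find them, so gr_attach_curr_ip falls back to `inet->inet_daddr` for those connections and the logged source address loses its attribution. The head case should relink the chain instead: `gr_conn_table[index] = match->next;`. Separately, conn_hash evaluates `dport << 16` on a `__u16` promoted to `int`, which overflows a signed int for ports of 0x8000 and above; casting to `__u32` before the shift avoids that.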
41744 diff -urNp linux-2.6.35.5/grsecurity/grsec_sysctl.c linux-2.6.35.5/grsecurity/grsec_sysctl.c
41745 --- linux-2.6.35.5/grsecurity/grsec_sysctl.c    1969-12-31 19:00:00.000000000 -0500
41746 +++ linux-2.6.35.5/grsecurity/grsec_sysctl.c    2010-09-17 20:18:57.000000000 -0400
41747 @@ -0,0 +1,424 @@
41748 +#include <linux/kernel.h>
41749 +#include <linux/sched.h>
41750 +#include <linux/sysctl.h>
41751 +#include <linux/grsecurity.h>
41752 +#include <linux/grinternal.h>
41753 +
41754 +int
41755 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
41756 +{
41757 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41758 +       if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
41759 +               gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
41760 +               return -EACCES;
41761 +       }
41762 +#endif
41763 +       return 0;
41764 +}
41765 +
41766 +#ifdef CONFIG_GRKERNSEC_ROFS
41767 +static int __maybe_unused one = 1;
41768 +#endif
41769 +
41770 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
41771 +struct ctl_table grsecurity_table[] = {
41772 +#ifdef CONFIG_GRKERNSEC_SYSCTL
41773 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
41774 +#ifdef CONFIG_GRKERNSEC_IO
41775 +       {
41776 +               .procname       = "disable_priv_io",
41777 +               .data           = &grsec_disable_privio,
41778 +               .maxlen         = sizeof(int),
41779 +               .mode           = 0600,
41780 +               .proc_handler   = &proc_dointvec,
41781 +       },
41782 +#endif
41783 +#endif
41784 +#ifdef CONFIG_GRKERNSEC_LINK
41785 +       {
41786 +               .procname       = "linking_restrictions",
41787 +               .data           = &grsec_enable_link,
41788 +               .maxlen         = sizeof(int),
41789 +               .mode           = 0600,
41790 +               .proc_handler   = &proc_dointvec,
41791 +       },
41792 +#endif
41793 +#ifdef CONFIG_GRKERNSEC_FIFO
41794 +       {
41795 +               .procname       = "fifo_restrictions",
41796 +               .data           = &grsec_enable_fifo,
41797 +               .maxlen         = sizeof(int),
41798 +               .mode           = 0600,
41799 +               .proc_handler   = &proc_dointvec,
41800 +       },
41801 +#endif
41802 +#ifdef CONFIG_GRKERNSEC_EXECVE
41803 +       {
41804 +               .procname       = "execve_limiting",
41805 +               .data           = &grsec_enable_execve,
41806 +               .maxlen         = sizeof(int),
41807 +               .mode           = 0600,
41808 +               .proc_handler   = &proc_dointvec,
41809 +       },
41810 +#endif
41811 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41812 +       {
41813 +               .procname       = "ip_blackhole",
41814 +               .data           = &grsec_enable_blackhole,
41815 +               .maxlen         = sizeof(int),
41816 +               .mode           = 0600,
41817 +               .proc_handler   = &proc_dointvec,
41818 +       },
41819 +       {
41820 +               .procname       = "lastack_retries",
41821 +               .data           = &grsec_lastack_retries,
41822 +               .maxlen         = sizeof(int),
41823 +               .mode           = 0600,
41824 +               .proc_handler   = &proc_dointvec,
41825 +       },
41826 +#endif
41827 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41828 +       {
41829 +               .procname       = "exec_logging",
41830 +               .data           = &grsec_enable_execlog,
41831 +               .maxlen         = sizeof(int),
41832 +               .mode           = 0600,
41833 +               .proc_handler   = &proc_dointvec,
41834 +       },
41835 +#endif
41836 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41837 +       {
41838 +               .procname       = "signal_logging",
41839 +               .data           = &grsec_enable_signal,
41840 +               .maxlen         = sizeof(int),
41841 +               .mode           = 0600,
41842 +               .proc_handler   = &proc_dointvec,
41843 +       },
41844 +#endif
41845 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41846 +       {
41847 +               .procname       = "forkfail_logging",
41848 +               .data           = &grsec_enable_forkfail,
41849 +               .maxlen         = sizeof(int),
41850 +               .mode           = 0600,
41851 +               .proc_handler   = &proc_dointvec,
41852 +       },
41853 +#endif
41854 +#ifdef CONFIG_GRKERNSEC_TIME
41855 +       {
41856 +               .procname       = "timechange_logging",
41857 +               .data           = &grsec_enable_time,
41858 +               .maxlen         = sizeof(int),
41859 +               .mode           = 0600,
41860 +               .proc_handler   = &proc_dointvec,
41861 +       },
41862 +#endif
41863 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41864 +       {
41865 +               .procname       = "chroot_deny_shmat",
41866 +               .data           = &grsec_enable_chroot_shmat,
41867 +               .maxlen         = sizeof(int),
41868 +               .mode           = 0600,
41869 +               .proc_handler   = &proc_dointvec,
41870 +       },
41871 +#endif
41872 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41873 +       {
41874 +               .procname       = "chroot_deny_unix",
41875 +               .data           = &grsec_enable_chroot_unix,
41876 +               .maxlen         = sizeof(int),
41877 +               .mode           = 0600,
41878 +               .proc_handler   = &proc_dointvec,
41879 +       },
41880 +#endif
41881 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41882 +       {
41883 +               .procname       = "chroot_deny_mount",
41884 +               .data           = &grsec_enable_chroot_mount,
41885 +               .maxlen         = sizeof(int),
41886 +               .mode           = 0600,
41887 +               .proc_handler   = &proc_dointvec,
41888 +       },
41889 +#endif
41890 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41891 +       {
41892 +               .procname       = "chroot_deny_fchdir",
41893 +               .data           = &grsec_enable_chroot_fchdir,
41894 +               .maxlen         = sizeof(int),
41895 +               .mode           = 0600,
41896 +               .proc_handler   = &proc_dointvec,
41897 +       },
41898 +#endif
41899 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41900 +       {
41901 +               .procname       = "chroot_deny_chroot",
41902 +               .data           = &grsec_enable_chroot_double,
41903 +               .maxlen         = sizeof(int),
41904 +               .mode           = 0600,
41905 +               .proc_handler   = &proc_dointvec,
41906 +       },
41907 +#endif
41908 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41909 +       {
41910 +               .procname       = "chroot_deny_pivot",
41911 +               .data           = &grsec_enable_chroot_pivot,
41912 +               .maxlen         = sizeof(int),
41913 +               .mode           = 0600,
41914 +               .proc_handler   = &proc_dointvec,
41915 +       },
41916 +#endif
41917 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41918 +       {
41919 +               .procname       = "chroot_enforce_chdir",
41920 +               .data           = &grsec_enable_chroot_chdir,
41921 +               .maxlen         = sizeof(int),
41922 +               .mode           = 0600,
41923 +               .proc_handler   = &proc_dointvec,
41924 +       },
41925 +#endif
41926 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41927 +       {
41928 +               .procname       = "chroot_deny_chmod",
41929 +               .data           = &grsec_enable_chroot_chmod,
41930 +               .maxlen         = sizeof(int),
41931 +               .mode           = 0600,
41932 +               .proc_handler   = &proc_dointvec,
41933 +       },
41934 +#endif
41935 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41936 +       {
41937 +               .procname       = "chroot_deny_mknod",
41938 +               .data           = &grsec_enable_chroot_mknod,
41939 +               .maxlen         = sizeof(int),
41940 +               .mode           = 0600,
41941 +               .proc_handler   = &proc_dointvec,
41942 +       },
41943 +#endif
41944 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41945 +       {
41946 +               .procname       = "chroot_restrict_nice",
41947 +               .data           = &grsec_enable_chroot_nice,
41948 +               .maxlen         = sizeof(int),
41949 +               .mode           = 0600,
41950 +               .proc_handler   = &proc_dointvec,
41951 +       },
41952 +#endif
41953 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41954 +       {
41955 +               .procname       = "chroot_execlog",
41956 +               .data           = &grsec_enable_chroot_execlog,
41957 +               .maxlen         = sizeof(int),
41958 +               .mode           = 0600,
41959 +               .proc_handler   = &proc_dointvec,
41960 +       },
41961 +#endif
41962 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41963 +       {
41964 +               .procname       = "chroot_caps",
41965 +               .data           = &grsec_enable_chroot_caps,
41966 +               .maxlen         = sizeof(int),
41967 +               .mode           = 0600,
41968 +               .proc_handler   = &proc_dointvec,
41969 +       },
41970 +#endif
41971 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41972 +       {
41973 +               .procname       = "chroot_deny_sysctl",
41974 +               .data           = &grsec_enable_chroot_sysctl,
41975 +               .maxlen         = sizeof(int),
41976 +               .mode           = 0600,
41977 +               .proc_handler   = &proc_dointvec,
41978 +       },
41979 +#endif
41980 +#ifdef CONFIG_GRKERNSEC_TPE
41981 +       {
41982 +               .procname       = "tpe",
41983 +               .data           = &grsec_enable_tpe,
41984 +               .maxlen         = sizeof(int),
41985 +               .mode           = 0600,
41986 +               .proc_handler   = &proc_dointvec,
41987 +       },
41988 +       {
41989 +               .procname       = "tpe_gid",
41990 +               .data           = &grsec_tpe_gid,
41991 +               .maxlen         = sizeof(int),
41992 +               .mode           = 0600,
41993 +               .proc_handler   = &proc_dointvec,
41994 +       },
41995 +#endif
41996 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41997 +       {
41998 +               .procname       = "tpe_invert",
41999 +               .data           = &grsec_enable_tpe_invert,
42000 +               .maxlen         = sizeof(int),
42001 +               .mode           = 0600,
42002 +               .proc_handler   = &proc_dointvec,
42003 +       },
42004 +#endif
42005 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42006 +       {
42007 +               .procname       = "tpe_restrict_all",
42008 +               .data           = &grsec_enable_tpe_all,
42009 +               .maxlen         = sizeof(int),
42010 +               .mode           = 0600,
42011 +               .proc_handler   = &proc_dointvec,
42012 +       },
42013 +#endif
42014 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42015 +       {
42016 +               .procname       = "socket_all",
42017 +               .data           = &grsec_enable_socket_all,
42018 +               .maxlen         = sizeof(int),
42019 +               .mode           = 0600,
42020 +               .proc_handler   = &proc_dointvec,
42021 +       },
42022 +       {
42023 +               .procname       = "socket_all_gid",
42024 +               .data           = &grsec_socket_all_gid,
42025 +               .maxlen         = sizeof(int),
42026 +               .mode           = 0600,
42027 +               .proc_handler   = &proc_dointvec,
42028 +       },
42029 +#endif
42030 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42031 +       {
42032 +               .procname       = "socket_client",
42033 +               .data           = &grsec_enable_socket_client,
42034 +               .maxlen         = sizeof(int),
42035 +               .mode           = 0600,
42036 +               .proc_handler   = &proc_dointvec,
42037 +       },
42038 +       {
42039 +               .procname       = "socket_client_gid",
42040 +               .data           = &grsec_socket_client_gid,
42041 +               .maxlen         = sizeof(int),
42042 +               .mode           = 0600,
42043 +               .proc_handler   = &proc_dointvec,
42044 +       },
42045 +#endif
42046 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42047 +       {
42048 +               .procname       = "socket_server",
42049 +               .data           = &grsec_enable_socket_server,
42050 +               .maxlen         = sizeof(int),
42051 +               .mode           = 0600,
42052 +               .proc_handler   = &proc_dointvec,
42053 +       },
42054 +       {
42055 +               .procname       = "socket_server_gid",
42056 +               .data           = &grsec_socket_server_gid,
42057 +               .maxlen         = sizeof(int),
42058 +               .mode           = 0600,
42059 +               .proc_handler   = &proc_dointvec,
42060 +       },
42061 +#endif
42062 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42063 +       {
42064 +               .procname       = "audit_group",
42065 +               .data           = &grsec_enable_group,
42066 +               .maxlen         = sizeof(int),
42067 +               .mode           = 0600,
42068 +               .proc_handler   = &proc_dointvec,
42069 +       },
42070 +       {
42071 +               .procname       = "audit_gid",
42072 +               .data           = &grsec_audit_gid,
42073 +               .maxlen         = sizeof(int),
42074 +               .mode           = 0600,
42075 +               .proc_handler   = &proc_dointvec,
42076 +       },
42077 +#endif
42078 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42079 +       {
42080 +               .procname       = "audit_chdir",
42081 +               .data           = &grsec_enable_chdir,
42082 +               .maxlen         = sizeof(int),
42083 +               .mode           = 0600,
42084 +               .proc_handler   = &proc_dointvec,
42085 +       },
42086 +#endif
42087 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42088 +       {
42089 +               .procname       = "audit_mount",
42090 +               .data           = &grsec_enable_mount,
42091 +               .maxlen         = sizeof(int),
42092 +               .mode           = 0600,
42093 +               .proc_handler   = &proc_dointvec,
42094 +       },
42095 +#endif
42096 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42097 +       {
42098 +               .procname       = "audit_textrel",
42099 +               .data           = &grsec_enable_audit_textrel,
42100 +               .maxlen         = sizeof(int),
42101 +               .mode           = 0600,
42102 +               .proc_handler   = &proc_dointvec,
42103 +       },
42104 +#endif
42105 +#ifdef CONFIG_GRKERNSEC_DMESG
42106 +       {
42107 +               .procname       = "dmesg",
42108 +               .data           = &grsec_enable_dmesg,
42109 +               .maxlen         = sizeof(int),
42110 +               .mode           = 0600,
42111 +               .proc_handler   = &proc_dointvec,
42112 +       },
42113 +#endif
42114 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42115 +       {
42116 +               .procname       = "chroot_findtask",
42117 +               .data           = &grsec_enable_chroot_findtask,
42118 +               .maxlen         = sizeof(int),
42119 +               .mode           = 0600,
42120 +               .proc_handler   = &proc_dointvec,
42121 +       },
42122 +#endif
42123 +#ifdef CONFIG_GRKERNSEC_RESLOG
42124 +       {
42125 +               .procname       = "resource_logging",
42126 +               .data           = &grsec_resource_logging,
42127 +               .maxlen         = sizeof(int),
42128 +               .mode           = 0600,
42129 +               .proc_handler   = &proc_dointvec,
42130 +       },
42131 +#endif
42132 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42133 +       {
42134 +               .procname       = "audit_ptrace",
42135 +               .data           = &grsec_enable_audit_ptrace,
42136 +               .maxlen         = sizeof(int),
42137 +               .mode           = 0600,
42138 +               .proc_handler   = &proc_dointvec,
42139 +       },
42140 +#endif
42141 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42142 +       {
42143 +               .procname       = "harden_ptrace",
42144 +               .data           = &grsec_enable_harden_ptrace,
42145 +               .maxlen         = sizeof(int),
42146 +               .mode           = 0600,
42147 +               .proc_handler   = &proc_dointvec,
42148 +       },
42149 +#endif
42150 +       {
42151 +               .procname       = "grsec_lock",
42152 +               .data           = &grsec_lock,
42153 +               .maxlen         = sizeof(int),
42154 +               .mode           = 0600,
42155 +               .proc_handler   = &proc_dointvec,
42156 +       },
42157 +#endif
42158 +#ifdef CONFIG_GRKERNSEC_ROFS
42159 +       {
42160 +               .procname       = "romount_protect",
42161 +               .data           = &grsec_enable_rofs,
42162 +               .maxlen         = sizeof(int),
42163 +               .mode           = 0600,
42164 +               .proc_handler   = &proc_dointvec_minmax,
42165 +               .extra1         = &one,
42166 +               .extra2         = &one,
42167 +       },
42168 +#endif
42169 +       { }
42170 +};
42171 +#endif
42172 diff -urNp linux-2.6.35.5/grsecurity/grsec_textrel.c linux-2.6.35.5/grsecurity/grsec_textrel.c
42173 --- linux-2.6.35.5/grsecurity/grsec_textrel.c   1969-12-31 19:00:00.000000000 -0500
42174 +++ linux-2.6.35.5/grsecurity/grsec_textrel.c   2010-09-17 20:12:37.000000000 -0400
42175 @@ -0,0 +1,16 @@
42176 +#include <linux/kernel.h>
42177 +#include <linux/sched.h>
42178 +#include <linux/mm.h>
42179 +#include <linux/file.h>
42180 +#include <linux/grinternal.h>
42181 +#include <linux/grsecurity.h>
42182 +
42183 +void
42184 +gr_log_textrel(struct vm_area_struct * vma)
42185 +{
42186 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42187 +       if (grsec_enable_audit_textrel)
42188 +               gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42189 +#endif
42190 +       return;
42191 +}
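Review bot: gr_log_textrel() passes `vma->vm_file` straight to the logging helper with no comment saying whether a NULL vm_file is possible at this call site. The helper and the callers are not visible in this hunk, so this may already be guaranteed, but the precondition should be written down. I would add a header comment such as `/* Audit a text relocation in a file-backed mapping; caller guarantees vma and vma->vm_file are non-NULL. */`, or guard the call with `if (grsec_enable_audit_textrel && vma->vm_file)` if that guarantee does not hold. The trailing `return;` in a void function is redundant here and in gr_log_timechange() in grsec_time.c.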
42192 diff -urNp linux-2.6.35.5/grsecurity/grsec_time.c linux-2.6.35.5/grsecurity/grsec_time.c
42193 --- linux-2.6.35.5/grsecurity/grsec_time.c      1969-12-31 19:00:00.000000000 -0500
42194 +++ linux-2.6.35.5/grsecurity/grsec_time.c      2010-09-17 20:12:37.000000000 -0400
42195 @@ -0,0 +1,13 @@
42196 +#include <linux/kernel.h>
42197 +#include <linux/sched.h>
42198 +#include <linux/grinternal.h>
42199 +
42200 +void
42201 +gr_log_timechange(void)
42202 +{
42203 +#ifdef CONFIG_GRKERNSEC_TIME
42204 +       if (grsec_enable_time)
42205 +               gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
42206 +#endif
42207 +       return;
42208 +}
42209 diff -urNp linux-2.6.35.5/grsecurity/grsec_tpe.c linux-2.6.35.5/grsecurity/grsec_tpe.c
42210 --- linux-2.6.35.5/grsecurity/grsec_tpe.c       1969-12-31 19:00:00.000000000 -0500
42211 +++ linux-2.6.35.5/grsecurity/grsec_tpe.c       2010-09-17 20:12:37.000000000 -0400
42212 @@ -0,0 +1,39 @@
42213 +#include <linux/kernel.h>
42214 +#include <linux/sched.h>
42215 +#include <linux/file.h>
42216 +#include <linux/fs.h>
42217 +#include <linux/grinternal.h>
42218 +
42219 +extern int gr_acl_tpe_check(void);
42220 +
42221 +int
42222 +gr_tpe_allow(const struct file *file)
42223 +{
42224 +#ifdef CONFIG_GRKERNSEC
42225 +       struct inode *inode = file->f_path.dentry->d_parent->d_inode;
42226 +       const struct cred *cred = current_cred();
42227 +
42228 +       if (cred->uid && ((grsec_enable_tpe &&
42229 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42230 +           ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
42231 +            (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
42232 +#else
42233 +           in_group_p(grsec_tpe_gid)
42234 +#endif
42235 +           ) || gr_acl_tpe_check()) &&
42236 +           (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
42237 +                                               (inode->i_mode & S_IWOTH))))) {
42238 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42239 +               return 0;
42240 +       }
42241 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42242 +       if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
42243 +           ((inode->i_uid && (inode->i_uid != cred->uid)) ||
42244 +            (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
42245 +               gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
42246 +               return 0;
42247 +       }
42248 +#endif
42249 +#endif
42250 +       return 1;
42251 +}
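Review bot: gr_tpe_allow() reads `file->f_path.dentry->d_parent->d_inode` without taking a reference or lock on the parent dentry, so a concurrent rename could change d_parent between that load and the ownership and mode checks. The trust decision may then be made against a directory the file no longer lives in. Taking the parent with `struct dentry *parent = dget_parent(file->f_path.dentry);`, reading `parent->d_inode`, and calling `dput(parent);` before each return would pin it for the duration of the check. Separately, the `!inode->i_uid &&` term in the first condition is redundant after `inode->i_uid ||`. A one-line comment stating that 1 means allow and 0 means deny would make the return convention explicit.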
42252 diff -urNp linux-2.6.35.5/grsecurity/grsum.c linux-2.6.35.5/grsecurity/grsum.c
42253 --- linux-2.6.35.5/grsecurity/grsum.c   1969-12-31 19:00:00.000000000 -0500
42254 +++ linux-2.6.35.5/grsecurity/grsum.c   2010-09-17 20:12:37.000000000 -0400
42255 @@ -0,0 +1,61 @@
42256 +#include <linux/err.h>
42257 +#include <linux/kernel.h>
42258 +#include <linux/sched.h>
42259 +#include <linux/mm.h>
42260 +#include <linux/scatterlist.h>
42261 +#include <linux/crypto.h>
42262 +#include <linux/gracl.h>
42263 +
42264 +
42265 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
42266 +#error "crypto and sha256 must be built into the kernel"
42267 +#endif
42268 +
42269 +int
42270 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
42271 +{
42272 +       char *p;
42273 +       struct crypto_hash *tfm;
42274 +       struct hash_desc desc;
42275 +       struct scatterlist sg;
42276 +       unsigned char temp_sum[GR_SHA_LEN];
42277 +       volatile int retval = 0;
42278 +       volatile int dummy = 0;
42279 +       unsigned int i;
42280 +
42281 +       sg_init_table(&sg, 1);
42282 +
42283 +       tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
42284 +       if (IS_ERR(tfm)) {
42285 +               /* should never happen, since sha256 should be built in */
42286 +               return 1;
42287 +       }
42288 +
42289 +       desc.tfm = tfm;
42290 +       desc.flags = 0;
42291 +
42292 +       crypto_hash_init(&desc);
42293 +
42294 +       p = salt;
42295 +       sg_set_buf(&sg, p, GR_SALT_LEN);
42296 +       crypto_hash_update(&desc, &sg, sg.length);
42297 +
42298 +       p = entry->pw;
42299 +       sg_set_buf(&sg, p, strlen(p));
42300 +       
42301 +       crypto_hash_update(&desc, &sg, sg.length);
42302 +
42303 +       crypto_hash_final(&desc, temp_sum);
42304 +
42305 +       memset(entry->pw, 0, GR_PW_LEN);
42306 +
42307 +       for (i = 0; i < GR_SHA_LEN; i++)
42308 +               if (sum[i] != temp_sum[i])
42309 +                       retval = 1;
42310 +               else
42311 +                       dummy = 1;      // waste a cycle
42312 +
42313 +       crypto_free_hash(tfm);
42314 +
42315 +       return retval;
42316 +}
42317 diff -urNp linux-2.6.35.5/grsecurity/Kconfig linux-2.6.35.5/grsecurity/Kconfig
42318 --- linux-2.6.35.5/grsecurity/Kconfig   1969-12-31 19:00:00.000000000 -0500
42319 +++ linux-2.6.35.5/grsecurity/Kconfig   2010-09-17 20:12:37.000000000 -0400
42320 @@ -0,0 +1,986 @@
42321 +#
42322 +# grecurity configuration
42323 +#
42324 +
42325 +menu "Grsecurity"
42326 +
42327 +config GRKERNSEC
42328 +       bool "Grsecurity"
42329 +       select CRYPTO
42330 +       select CRYPTO_SHA256
42331 +       help
42332 +         If you say Y here, you will be able to configure many features
42333 +         that will enhance the security of your system.  It is highly
42334 +         recommended that you say Y here and read through the help
42335 +         for each option so that you fully understand the features and
42336 +         can evaluate their usefulness for your machine.
42337 +
42338 +choice
42339 +       prompt "Security Level"
42340 +       depends on GRKERNSEC
42341 +       default GRKERNSEC_CUSTOM
42342 +
42343 +config GRKERNSEC_LOW
42344 +       bool "Low"
42345 +       select GRKERNSEC_LINK
42346 +       select GRKERNSEC_FIFO
42347 +       select GRKERNSEC_EXECVE
42348 +       select GRKERNSEC_RANDNET
42349 +       select GRKERNSEC_DMESG
42350 +       select GRKERNSEC_CHROOT
42351 +       select GRKERNSEC_CHROOT_CHDIR
42352 +
42353 +       help
42354 +         If you choose this option, several of the grsecurity options will
42355 +         be enabled that will give you greater protection against a number
42356 +         of attacks, while assuring that none of your software will have any
42357 +         conflicts with the additional security measures.  If you run a lot
42358 +         of unusual software, or you are having problems with the higher
42359 +         security levels, you should say Y here.  With this option, the
42360 +         following features are enabled:
42361 +
42362 +         - Linking restrictions
42363 +         - FIFO restrictions
42364 +         - Enforcing RLIMIT_NPROC on execve
42365 +         - Restricted dmesg
42366 +         - Enforced chdir("/") on chroot
42367 +         - Runtime module disabling
42368 +
42369 +config GRKERNSEC_MEDIUM
42370 +       bool "Medium"
42371 +       select PAX
42372 +       select PAX_EI_PAX
42373 +       select PAX_PT_PAX_FLAGS
42374 +       select PAX_HAVE_ACL_FLAGS
42375 +       select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42376 +       select GRKERNSEC_CHROOT
42377 +       select GRKERNSEC_CHROOT_SYSCTL
42378 +       select GRKERNSEC_LINK
42379 +       select GRKERNSEC_FIFO
42380 +       select GRKERNSEC_EXECVE
42381 +       select GRKERNSEC_DMESG
42382 +       select GRKERNSEC_RANDNET
42383 +       select GRKERNSEC_FORKFAIL
42384 +       select GRKERNSEC_TIME
42385 +       select GRKERNSEC_SIGNAL
42386 +       select GRKERNSEC_CHROOT
42387 +       select GRKERNSEC_CHROOT_UNIX
42388 +       select GRKERNSEC_CHROOT_MOUNT
42389 +       select GRKERNSEC_CHROOT_PIVOT
42390 +       select GRKERNSEC_CHROOT_DOUBLE
42391 +       select GRKERNSEC_CHROOT_CHDIR
42392 +       select GRKERNSEC_CHROOT_MKNOD
42393 +       select GRKERNSEC_PROC
42394 +       select GRKERNSEC_PROC_USERGROUP
42395 +       select PAX_RANDUSTACK
42396 +       select PAX_ASLR
42397 +       select PAX_RANDMMAP
42398 +       select PAX_REFCOUNT if (X86 || SPARC64)
42399 +       select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
42400 +
42401 +       help
42402 +         If you say Y here, several features in addition to those included
42403 +         in the low additional security level will be enabled.  These
42404 +         features provide even more security to your system, though in rare
42405 +         cases they may be incompatible with very old or poorly written
42406 +         software.  If you enable this option, make sure that your auth
42407 +         service (identd) is running as gid 1001.  With this option, 
42408 +         the following features (in addition to those provided in the 
42409 +         low additional security level) will be enabled:
42410 +
42411 +         - Failed fork logging
42412 +         - Time change logging
42413 +         - Signal logging
42414 +         - Deny mounts in chroot
42415 +         - Deny double chrooting
42416 +         - Deny sysctl writes in chroot
42417 +         - Deny mknod in chroot
42418 +         - Deny access to abstract AF_UNIX sockets out of chroot
42419 +         - Deny pivot_root in chroot
42420 +         - Denied writes of /dev/kmem, /dev/mem, and /dev/port
42421 +         - /proc restrictions with special GID set to 10 (usually wheel)
42422 +         - Address Space Layout Randomization (ASLR)
42423 +         - Prevent exploitation of most refcount overflows
42424 +         - Bounds checking of copying between the kernel and userland
42425 +
42426 +config GRKERNSEC_HIGH
42427 +       bool "High"
42428 +       select GRKERNSEC_LINK
42429 +       select GRKERNSEC_FIFO
42430 +       select GRKERNSEC_EXECVE
42431 +       select GRKERNSEC_DMESG
42432 +       select GRKERNSEC_FORKFAIL
42433 +       select GRKERNSEC_TIME
42434 +       select GRKERNSEC_SIGNAL
42435 +       select GRKERNSEC_CHROOT
42436 +       select GRKERNSEC_CHROOT_SHMAT
42437 +       select GRKERNSEC_CHROOT_UNIX
42438 +       select GRKERNSEC_CHROOT_MOUNT
42439 +       select GRKERNSEC_CHROOT_FCHDIR
42440 +       select GRKERNSEC_CHROOT_PIVOT
42441 +       select GRKERNSEC_CHROOT_DOUBLE
42442 +       select GRKERNSEC_CHROOT_CHDIR
42443 +       select GRKERNSEC_CHROOT_MKNOD
42444 +       select GRKERNSEC_CHROOT_CAPS
42445 +       select GRKERNSEC_CHROOT_SYSCTL
42446 +       select GRKERNSEC_CHROOT_FINDTASK
42447 +       select GRKERNSEC_PROC
42448 +       select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
42449 +       select GRKERNSEC_HIDESYM
42450 +       select GRKERNSEC_BRUTE
42451 +       select GRKERNSEC_PROC_USERGROUP
42452 +       select GRKERNSEC_KMEM
42453 +       select GRKERNSEC_RESLOG
42454 +       select GRKERNSEC_RANDNET
42455 +       select GRKERNSEC_PROC_ADD
42456 +       select GRKERNSEC_CHROOT_CHMOD
42457 +       select GRKERNSEC_CHROOT_NICE
42458 +       select GRKERNSEC_AUDIT_MOUNT
42459 +       select GRKERNSEC_MODHARDEN if (MODULES)
42460 +       select GRKERNSEC_HARDEN_PTRACE
42461 +       select GRKERNSEC_VM86 if (X86_32)
42462 +       select PAX
42463 +       select PAX_RANDUSTACK
42464 +       select PAX_ASLR
42465 +       select PAX_RANDMMAP
42466 +       select PAX_NOEXEC
42467 +       select PAX_MPROTECT
42468 +       select PAX_EI_PAX
42469 +       select PAX_PT_PAX_FLAGS
42470 +       select PAX_HAVE_ACL_FLAGS
42471 +       select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
42472 +       select PAX_MEMORY_UDEREF if (X86 && !XEN)
42473 +       select PAX_RANDKSTACK if (X86_TSC && !X86_64)
42474 +       select PAX_SEGMEXEC if (X86_32)
42475 +       select PAX_PAGEEXEC
42476 +       select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
42477 +       select PAX_EMUTRAMP if (PARISC)
42478 +       select PAX_EMUSIGRT if (PARISC)
42479 +       select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
42480 +       select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
42481 +       select PAX_REFCOUNT if (X86 || SPARC64)
42482 +       select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
42483 +       help
42484 +         If you say Y here, many of the features of grsecurity will be
42485 +         enabled, which will protect you against many kinds of attacks
42486 +         against your system.  The heightened security comes at a cost
42487 +         of an increased chance of incompatibilities with rare software
42488 +         on your machine.  Since this security level enables PaX, you should
42489 +         view <http://pax.grsecurity.net> and read about the PaX
42490 +         project.  While you are there, download chpax and run it on
42491 +         binaries that cause problems with PaX.  Also remember that
42492 +         since the /proc restrictions are enabled, you must run your
42493 +         identd as gid 1001.  This security level enables the following 
42494 +         features in addition to those listed in the low and medium 
42495 +         security levels:
42496 +
42497 +         - Additional /proc restrictions
42498 +         - Chmod restrictions in chroot
42499 +         - No signals, ptrace, or viewing of processes outside of chroot
42500 +         - Capability restrictions in chroot
42501 +         - Deny fchdir out of chroot
42502 +         - Priority restrictions in chroot
42503 +         - Segmentation-based implementation of PaX
42504 +         - Mprotect restrictions
42505 +         - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
42506 +         - Kernel stack randomization
42507 +         - Mount/unmount/remount logging
42508 +         - Kernel symbol hiding
42509 +         - Prevention of memory exhaustion-based exploits
42510 +         - Hardening of module auto-loading
42511 +         - Ptrace restrictions
42512 +         - Restricted vm86 mode
42513 +
42514 +config GRKERNSEC_CUSTOM
42515 +       bool "Custom"
42516 +       help
42517 +         If you say Y here, you will be able to configure every grsecurity
42518 +         option, which allows you to enable many more features that aren't
42519 +         covered in the basic security levels.  These additional features
42520 +         include TPE, socket restrictions, and the sysctl system for
42521 +         grsecurity.  It is advised that you read through the help for
42522 +         each option to determine its usefulness in your situation.
42523 +
42524 +endchoice
42525 +
42526 +menu "Address Space Protection"
42527 +depends on GRKERNSEC
42528 +
42529 +config GRKERNSEC_KMEM
42530 +       bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
42531 +       help
42532 +         If you say Y here, /dev/kmem and /dev/mem won't be allowed to
42533 +         be written to via mmap or otherwise to modify the running kernel.
42534 +         /dev/port will also not be allowed to be opened. If you have module
42535 +         support disabled, enabling this will close up four ways that are
42536 +         currently used  to insert malicious code into the running kernel.
42537 +         Even with all these features enabled, we still highly recommend that
42538 +         you use the RBAC system, as it is still possible for an attacker to
42539 +         modify the running kernel through privileged I/O granted by ioperm/iopl.
42540 +         If you are not using XFree86, you may be able to stop this additional
42541 +         case by enabling the 'Disable privileged I/O' option. Though nothing
42542 +         legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
42543 +         but only to video memory, which is the only writing we allow in this
42544 +         case.  If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
42545 +         not be allowed to mprotect it with PROT_WRITE later.
42546 +         It is highly recommended that you say Y here if you meet all the
42547 +         conditions above.
42548 +
42549 +config GRKERNSEC_VM86
42550 +       bool "Restrict VM86 mode"
42551 +       depends on X86_32
42552 +
42553 +       help
42554 +         If you say Y here, only processes with CAP_SYS_RAWIO will be able to
42555 +         make use of a special execution mode on 32bit x86 processors called
42556 +         Virtual 8086 (VM86) mode.  XFree86 may need vm86 mode for certain
42557 +         video cards and will still work with this option enabled.  The purpose
42558 +         of the option is to prevent exploitation of emulation errors in
42559 +         virtualization of vm86 mode like the one discovered in VMWare in 2009.
42560 +         Nearly all users should be able to enable this option.
42561 +
42562 +config GRKERNSEC_IO
42563 +       bool "Disable privileged I/O"
42564 +       depends on X86
42565 +       select RTC_CLASS
42566 +       select RTC_INTF_DEV
42567 +       select RTC_DRV_CMOS
42568 +
42569 +       help
42570 +         If you say Y here, all ioperm and iopl calls will return an error.
42571 +         Ioperm and iopl can be used to modify the running kernel.
42572 +         Unfortunately, some programs need this access to operate properly,
42573 +         the most notable of which are XFree86 and hwclock.  hwclock can be
42574 +         remedied by having RTC support in the kernel, so real-time 
42575 +         clock support is enabled if this option is enabled, to ensure 
42576 +         that hwclock operates correctly.  XFree86 still will not 
42577 +         operate correctly with this option enabled, so DO NOT CHOOSE Y 
42578 +         IF YOU USE XFree86.  If you use XFree86 and you still want to 
42579 +         protect your kernel against modification, use the RBAC system.
42580 +
42581 +config GRKERNSEC_PROC_MEMMAP
42582 +       bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
42583 +       default y if (PAX_NOEXEC || PAX_ASLR)
42584 +       depends on PAX_NOEXEC || PAX_ASLR
42585 +       help
42586 +         If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
42587 +         give no information about the addresses of its mappings if
42588 +         PaX features that rely on random addresses are enabled on the task.
42589 +         If you use PaX it is greatly recommended that you say Y here as it
42590 +         closes up a hole that makes the full ASLR useless for suid
42591 +         binaries.
42592 +
42593 +config GRKERNSEC_BRUTE
42594 +       bool "Deter exploit bruteforcing"
42595 +       help
42596 +         If you say Y here, attempts to bruteforce exploits against forking
42597 +         daemons such as apache or sshd will be deterred.  When a child of a
42598 +         forking daemon is killed by PaX or crashes due to an illegal
42599 +         instruction, the parent process will be delayed 30 seconds upon every
42600 +         subsequent fork until the administrator is able to assess the
42601 +         situation and restart the daemon.  It is recommended that you also
42602 +         enable signal logging in the auditing section so that logs are
42603 +         generated when a process performs an illegal instruction.
42604 +
42605 +config GRKERNSEC_MODHARDEN
42606 +       bool "Harden module auto-loading"
42607 +       depends on MODULES
42608 +       help
42609 +         If you say Y here, module auto-loading in response to use of some
42610 +         feature implemented by an unloaded module will be restricted to
42611 +         root users.  Enabling this option helps defend against attacks 
42612 +         by unprivileged users who abuse the auto-loading behavior to 
42613 +         cause a vulnerable module to load that is then exploited.
42614 +
42615 +         If this option prevents a legitimate use of auto-loading for a 
42616 +         non-root user, the administrator can execute modprobe manually 
42617 +         with the exact name of the module mentioned in the alert log.
42618 +         Alternatively, the administrator can add the module to the list
42619 +         of modules loaded at boot by modifying init scripts.
42620 +
42621 +         Modification of init scripts will most likely be needed on 
42622 +         Ubuntu servers with encrypted home directory support enabled,
42623 +         as the first non-root user logging in will cause the ecb(aes),
42624 +         ecb(aes)-all, cbc(aes), and cbc(aes)-all  modules to be loaded.
42625 +
42626 +config GRKERNSEC_HIDESYM
42627 +       bool "Hide kernel symbols"
42628 +       help
42629 +         If you say Y here, getting information on loaded modules, and
42630 +         displaying all kernel symbols through a syscall will be restricted
42631 +         to users with CAP_SYS_MODULE.  For software compatibility reasons,
42632 +         /proc/kallsyms will be restricted to the root user.  The RBAC
42633 +         system can hide that entry even from root.
42634 +
42635 +         This option also prevents leaking of kernel addresses through
42636 +         several /proc entries.
42637 +
42638 +         Note that this option is only effective provided the following
42639 +         conditions are met:
42640 +         1) The kernel using grsecurity is not precompiled by some distribution
42641 +         2) You are using the RBAC system and hiding other files such as your
42642 +            kernel image and System.map.  Alternatively, enabling this option
42643 +            causes the permissions on /boot, /lib/modules, and the kernel
42644 +            source directory to change at compile time to prevent 
42645 +            reading by non-root users.
42646 +         If the above conditions are met, this option will aid in providing a
42647 +         useful protection against local kernel exploitation of overflows
42648 +         and arbitrary read/write vulnerabilities.
42649 +
42650 +endmenu
42651 +menu "Role Based Access Control Options"
42652 +depends on GRKERNSEC
42653 +
42654 +config GRKERNSEC_NO_RBAC
42655 +       bool "Disable RBAC system"
42656 +       help
42657 +         If you say Y here, the /dev/grsec device will be removed from the kernel,
42658 +         preventing the RBAC system from being enabled.  You should only say Y
42659 +         here if you have no intention of using the RBAC system, so as to prevent
42660 +         an attacker with root access from misusing the RBAC system to hide files
42661 +         and processes when loadable module support and /dev/[k]mem have been
42662 +         locked down.
42663 +
42664 +config GRKERNSEC_ACL_HIDEKERN
42665 +       bool "Hide kernel processes"
42666 +       help
42667 +         If you say Y here, all kernel threads will be hidden to all
42668 +         processes but those whose subject has the "view hidden processes"
42669 +         flag.
42670 +
42671 +config GRKERNSEC_ACL_MAXTRIES
42672 +       int "Maximum tries before password lockout"
42673 +       default 3
42674 +       help
42675 +         This option enforces the maximum number of times a user can attempt
42676 +         to authorize themselves with the grsecurity RBAC system before being
42677 +         denied the ability to attempt authorization again for a specified time.
42678 +         The lower the number, the harder it will be to brute-force a password.
42679 +
42680 +config GRKERNSEC_ACL_TIMEOUT
42681 +       int "Time to wait after max password tries, in seconds"
42682 +       default 30
42683 +       help
42684 +         This option specifies the time the user must wait after attempting to
42685 +         authorize to the RBAC system with the maximum number of invalid
42686 +         passwords.  The higher the number, the harder it will be to brute-force
42687 +         a password.
42688 +
42689 +endmenu
42690 +menu "Filesystem Protections"
42691 +depends on GRKERNSEC
42692 +
42693 +config GRKERNSEC_PROC
42694 +       bool "Proc restrictions"
42695 +       help
42696 +         If you say Y here, the permissions of the /proc filesystem
42697 +         will be altered to enhance system security and privacy.  You MUST
42698 +         choose either a user only restriction or a user and group restriction.
42699 +         Depending upon the option you choose, you can either restrict users to
42700 +         see only the processes they themselves run, or choose a group that can
42701 +         view all processes and files normally restricted to root if you choose
42702 +         the "restrict to user only" option.  NOTE: If you're running identd as
42703 +         a non-root user, you will have to run it as the group you specify here.
42704 +
42705 +config GRKERNSEC_PROC_USER
42706 +       bool "Restrict /proc to user only"
42707 +       depends on GRKERNSEC_PROC
42708 +       help
42709 +         If you say Y here, non-root users will only be able to view their own
42710 +         processes, and restricts them from viewing network-related information,
42711 +         and viewing kernel symbol and module information.
42712 +
42713 +config GRKERNSEC_PROC_USERGROUP
42714 +       bool "Allow special group"
42715 +       depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
42716 +       help
42717 +         If you say Y here, you will be able to select a group that will be
42718 +         able to view all processes, network-related information, and
42719 +         kernel and symbol information.  This option is useful if you want
42720 +         to run identd as a non-root user.
42721 +
42722 +config GRKERNSEC_PROC_GID
42723 +       int "GID for special group"
42724 +       depends on GRKERNSEC_PROC_USERGROUP
42725 +       default 1001
42726 +
42727 +config GRKERNSEC_PROC_ADD
42728 +       bool "Additional restrictions"
42729 +       depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
42730 +       help
42731 +         If you say Y here, additional restrictions will be placed on
42732 +         /proc that keep normal users from viewing device information and 
42733 +         slabinfo information that could be useful for exploits.
42734 +
42735 +config GRKERNSEC_LINK
42736 +       bool "Linking restrictions"
42737 +       help
42738 +         If you say Y here, /tmp race exploits will be prevented, since users
42739 +         will no longer be able to follow symlinks owned by other users in
42740 +         world-writable +t directories (i.e. /tmp), unless the owner of the
42741 +         symlink is the owner of the directory. users will also not be
42742 +         able to hardlink to files they do not own.  If the sysctl option is
42743 +         enabled, a sysctl option with name "linking_restrictions" is created.
42744 +
42745 +config GRKERNSEC_FIFO
42746 +       bool "FIFO restrictions"
42747 +       help
42748 +         If you say Y here, users will not be able to write to FIFOs they don't
42749 +         own in world-writable +t directories (i.e. /tmp), unless the owner of
42750 +         the FIFO is the same owner of the directory it's held in.  If the sysctl
42751 +         option is enabled, a sysctl option with name "fifo_restrictions" is
42752 +         created.
42753 +
42754 +config GRKERNSEC_ROFS
42755 +       bool "Runtime read-only mount protection"
42756 +       help
42757 +         If you say Y here, a sysctl option with name "romount_protect" will
42758 +         be created.  By setting this option to 1 at runtime, filesystems
42759 +         will be protected in the following ways:
42760 +         * No new writable mounts will be allowed
42761 +         * Existing read-only mounts won't be able to be remounted read/write
42762 +         * Write operations will be denied on all block devices
42763 +         This option acts independently of grsec_lock: once it is set to 1,
42764 +         it cannot be turned off.  Therefore, please be mindful of the resulting
42765 +         behavior if this option is enabled in an init script on a read-only
42766 +         filesystem.  This feature is mainly intended for secure embedded systems.
42767 +
42768 +config GRKERNSEC_CHROOT
42769 +       bool "Chroot jail restrictions"
42770 +       help
42771 +         If you say Y here, you will be able to choose several options that will
42772 +         make breaking out of a chrooted jail much more difficult.  If you
42773 +         encounter no software incompatibilities with the following options, it
42774 +         is recommended that you enable each one.
42775 +
42776 +config GRKERNSEC_CHROOT_MOUNT
42777 +       bool "Deny mounts"
42778 +       depends on GRKERNSEC_CHROOT
42779 +       help
42780 +         If you say Y here, processes inside a chroot will not be able to
42781 +         mount or remount filesystems.  If the sysctl option is enabled, a
42782 +         sysctl option with name "chroot_deny_mount" is created.
42783 +
42784 +config GRKERNSEC_CHROOT_DOUBLE
42785 +       bool "Deny double-chroots"
42786 +       depends on GRKERNSEC_CHROOT
42787 +       help
42788 +         If you say Y here, processes inside a chroot will not be able to chroot
42789 +         again outside the chroot.  This is a widely used method of breaking
42790 +         out of a chroot jail and should not be allowed.  If the sysctl 
42791 +         option is enabled, a sysctl option with name 
42792 +         "chroot_deny_chroot" is created.
42793 +
42794 +config GRKERNSEC_CHROOT_PIVOT
42795 +       bool "Deny pivot_root in chroot"
42796 +       depends on GRKERNSEC_CHROOT
42797 +       help
42798 +         If you say Y here, processes inside a chroot will not be able to use
42799 +         a function called pivot_root() that was introduced in Linux 2.3.41.  It
42800 +         works similar to chroot in that it changes the root filesystem.  This
42801 +         function could be misused in a chrooted process to attempt to break out
42802 +         of the chroot, and therefore should not be allowed.  If the sysctl
42803 +         option is enabled, a sysctl option with name "chroot_deny_pivot" is
42804 +         created.
42805 +
42806 +config GRKERNSEC_CHROOT_CHDIR
42807 +       bool "Enforce chdir(\"/\") on all chroots"
42808 +       depends on GRKERNSEC_CHROOT
42809 +       help
42810 +         If you say Y here, the current working directory of all newly-chrooted
42811 +         applications will be set to the the root directory of the chroot.
42812 +         The man page on chroot(2) states:
42813 +         Note that this call does not change  the  current  working
42814 +         directory,  so  that `.' can be outside the tree rooted at
42815 +         `/'.  In particular, the  super-user  can  escape  from  a
42816 +         `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
42817 +
42818 +         It is recommended that you say Y here, since it's not known to break
42819 +         any software.  If the sysctl option is enabled, a sysctl option with
42820 +         name "chroot_enforce_chdir" is created.
42821 +
42822 +config GRKERNSEC_CHROOT_CHMOD
42823 +       bool "Deny (f)chmod +s"
42824 +       depends on GRKERNSEC_CHROOT
42825 +       help
42826 +         If you say Y here, processes inside a chroot will not be able to chmod
42827 +         or fchmod files to make them have suid or sgid bits.  This protects
42828 +         against another published method of breaking a chroot.  If the sysctl
42829 +         option is enabled, a sysctl option with name "chroot_deny_chmod" is
42830 +         created.
42831 +
42832 +config GRKERNSEC_CHROOT_FCHDIR
42833 +       bool "Deny fchdir out of chroot"
42834 +       depends on GRKERNSEC_CHROOT
42835 +       help
42836 +         If you say Y here, a well-known method of breaking chroots by fchdir'ing
42837 +         to a file descriptor of the chrooting process that points to a directory
42838 +         outside the filesystem will be stopped.  If the sysctl option
42839 +         is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
42840 +
42841 +config GRKERNSEC_CHROOT_MKNOD
42842 +       bool "Deny mknod"
42843 +       depends on GRKERNSEC_CHROOT
42844 +       help
42845 +         If you say Y here, processes inside a chroot will not be allowed to
42846 +         mknod.  The problem with using mknod inside a chroot is that it
42847 +         would allow an attacker to create a device entry that is the same
42848 +         as one on the physical root of your system, which could range from
42849 +         anything from the console device to a device for your harddrive (which
42850 +         they could then use to wipe the drive or steal data).  It is recommended
42851 +         that you say Y here, unless you run into software incompatibilities.
42852 +         If the sysctl option is enabled, a sysctl option with name
42853 +         "chroot_deny_mknod" is created.
42854 +
42855 +config GRKERNSEC_CHROOT_SHMAT
42856 +       bool "Deny shmat() out of chroot"
42857 +       depends on GRKERNSEC_CHROOT
42858 +       help
42859 +         If you say Y here, processes inside a chroot will not be able to attach
42860 +         to shared memory segments that were created outside of the chroot jail.
42861 +         It is recommended that you say Y here.  If the sysctl option is enabled,
42862 +         a sysctl option with name "chroot_deny_shmat" is created.
42863 +
42864 +config GRKERNSEC_CHROOT_UNIX
42865 +       bool "Deny access to abstract AF_UNIX sockets out of chroot"
42866 +       depends on GRKERNSEC_CHROOT
42867 +       help
42868 +         If you say Y here, processes inside a chroot will not be able to
42869 +         connect to abstract (meaning not belonging to a filesystem) Unix
42870 +         domain sockets that were bound outside of a chroot.  It is recommended
42871 +         that you say Y here.  If the sysctl option is enabled, a sysctl option
42872 +         with name "chroot_deny_unix" is created.
42873 +
42874 +config GRKERNSEC_CHROOT_FINDTASK
42875 +       bool "Protect outside processes"
42876 +       depends on GRKERNSEC_CHROOT
42877 +       help
42878 +         If you say Y here, processes inside a chroot will not be able to
42879 +         kill, send signals with fcntl, ptrace, capget, getpgid, setpgid, 
42880 +         getsid, or view any process outside of the chroot.  If the sysctl
42881 +         option is enabled, a sysctl option with name "chroot_findtask" is
42882 +         created.
42883 +
42884 +config GRKERNSEC_CHROOT_NICE
42885 +       bool "Restrict priority changes"
42886 +       depends on GRKERNSEC_CHROOT
42887 +       help
42888 +         If you say Y here, processes inside a chroot will not be able to raise
42889 +         the priority of processes in the chroot, or alter the priority of
42890 +         processes outside the chroot.  This provides more security than simply
42891 +         removing CAP_SYS_NICE from the process' capability set.  If the
42892 +         sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
42893 +         is created.
42894 +
42895 +config GRKERNSEC_CHROOT_SYSCTL
42896 +       bool "Deny sysctl writes"
42897 +       depends on GRKERNSEC_CHROOT
42898 +       help
42899 +         If you say Y here, an attacker in a chroot will not be able to
42900 +         write to sysctl entries, either by sysctl(2) or through a /proc
42901 +         interface.  It is strongly recommended that you say Y here. If the
42902 +         sysctl option is enabled, a sysctl option with name
42903 +         "chroot_deny_sysctl" is created.
42904 +
42905 +config GRKERNSEC_CHROOT_CAPS
42906 +       bool "Capability restrictions"
42907 +       depends on GRKERNSEC_CHROOT
42908 +       help
42909 +         If you say Y here, the capabilities on all root processes within a
42910 +         chroot jail will be lowered to stop module insertion, raw i/o,
42911 +         system and net admin tasks, rebooting the system, modifying immutable
42912 +         files, modifying IPC owned by another, and changing the system time.
42913 +         This is left an option because it can break some apps.  Disable this
42914 +         if your chrooted apps are having problems performing those kinds of
42915 +         tasks.  If the sysctl option is enabled, a sysctl option with
42916 +         name "chroot_caps" is created.
42917 +
42918 +endmenu
42919 +menu "Kernel Auditing"
42920 +depends on GRKERNSEC
42921 +
42922 +config GRKERNSEC_AUDIT_GROUP
42923 +       bool "Single group for auditing"
42924 +       help
42925 +         If you say Y here, the exec, chdir, and (un)mount logging features
42926 +         will only operate on a group you specify.  This option is recommended
42927 +         if you only want to watch certain users instead of having a large
42928 +         amount of logs from the entire system.  If the sysctl option is enabled,
42929 +         a sysctl option with name "audit_group" is created.
42930 +
42931 +config GRKERNSEC_AUDIT_GID
42932 +       int "GID for auditing"
42933 +       depends on GRKERNSEC_AUDIT_GROUP
42934 +       default 1007
42935 +
42936 +config GRKERNSEC_EXECLOG
42937 +       bool "Exec logging"
42938 +       help
42939 +         If you say Y here, all execve() calls will be logged (since the
42940 +         other exec*() calls are frontends to execve(), all execution
42941 +         will be logged).  Useful for shell-servers that like to keep track
42942 +         of their users.  If the sysctl option is enabled, a sysctl option with
42943 +         name "exec_logging" is created.
42944 +         WARNING: This option when enabled will produce a LOT of logs, especially
42945 +         on an active system.
42946 +
42947 +config GRKERNSEC_RESLOG
42948 +       bool "Resource logging"
42949 +       help
42950 +         If you say Y here, all attempts to overstep resource limits will
42951 +         be logged with the resource name, the requested size, and the current
42952 +         limit.  It is highly recommended that you say Y here.  If the sysctl
42953 +         option is enabled, a sysctl option with name "resource_logging" is
42954 +         created.  If the RBAC system is enabled, the sysctl value is ignored.
42955 +
42956 +config GRKERNSEC_CHROOT_EXECLOG
42957 +       bool "Log execs within chroot"
42958 +       help
42959 +         If you say Y here, all executions inside a chroot jail will be logged
42960 +         to syslog.  This can cause a large amount of logs if certain
42961 +         applications (eg. djb's daemontools) are installed on the system, and
42962 +         is therefore left as an option.  If the sysctl option is enabled, a
42963 +         sysctl option with name "chroot_execlog" is created.
42964 +
42965 +config GRKERNSEC_AUDIT_PTRACE
42966 +       bool "Ptrace logging"
42967 +       help
42968 +         If you say Y here, all attempts to attach to a process via ptrace
42969 +         will be logged.  If the sysctl option is enabled, a sysctl option
42970 +         with name "audit_ptrace" is created.
42971 +
42972 +config GRKERNSEC_AUDIT_CHDIR
42973 +       bool "Chdir logging"
42974 +       help
42975 +         If you say Y here, all chdir() calls will be logged.  If the sysctl
42976 +         option is enabled, a sysctl option with name "audit_chdir" is created.
42977 +
42978 +config GRKERNSEC_AUDIT_MOUNT
42979 +       bool "(Un)Mount logging"
42980 +       help
42981 +         If you say Y here, all mounts and unmounts will be logged.  If the
42982 +         sysctl option is enabled, a sysctl option with name "audit_mount" is
42983 +         created.
42984 +
42985 +config GRKERNSEC_SIGNAL
42986 +       bool "Signal logging"
42987 +       help
42988 +         If you say Y here, certain important signals will be logged, such as
42989 +         SIGSEGV, which will as a result inform you of when a error in a program
42990 +         occurred, which in some cases could mean a possible exploit attempt.
42991 +         If the sysctl option is enabled, a sysctl option with name
42992 +         "signal_logging" is created.
42993 +
42994 +config GRKERNSEC_FORKFAIL
42995 +       bool "Fork failure logging"
42996 +       help
42997 +         If you say Y here, all failed fork() attempts will be logged.
42998 +         This could suggest a fork bomb, or someone attempting to overstep
42999 +         their process limit.  If the sysctl option is enabled, a sysctl option
43000 +         with name "forkfail_logging" is created.
43001 +
43002 +config GRKERNSEC_TIME
43003 +       bool "Time change logging"
43004 +       help
43005 +         If you say Y here, any changes of the system clock will be logged.
43006 +         If the sysctl option is enabled, a sysctl option with name
43007 +         "timechange_logging" is created.
43008 +
43009 +config GRKERNSEC_PROC_IPADDR
43010 +       bool "/proc/<pid>/ipaddr support"
43011 +       help
43012 +         If you say Y here, a new entry will be added to each /proc/<pid>
43013 +         directory that contains the IP address of the person using the task.
43014 +         The IP is carried across local TCP and AF_UNIX stream sockets.
43015 +         This information can be useful for IDS/IPSes to perform remote response
43016 +         to a local attack.  The entry is readable by only the owner of the
43017 +         process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
43018 +         the RBAC system), and thus does not create privacy concerns.
43019 +
43020 +config GRKERNSEC_AUDIT_TEXTREL
43021 +       bool 'ELF text relocations logging (READ HELP)'
43022 +       depends on PAX_MPROTECT
43023 +       help
43024 +         If you say Y here, text relocations will be logged with the filename
43025 +         of the offending library or binary.  The purpose of the feature is
43026 +         to help Linux distribution developers get rid of libraries and
43027 +         binaries that need text relocations which hinder the future progress
43028 +         of PaX.  Only Linux distribution developers should say Y here, and
43029 +         never on a production machine, as this option creates an information
43030 +         leak that could aid an attacker in defeating the randomization of
43031 +         a single memory region.  If the sysctl option is enabled, a sysctl
43032 +         option with name "audit_textrel" is created.
43033 +
43034 +endmenu
43035 +
43036 +menu "Executable Protections"
43037 +depends on GRKERNSEC
43038 +
43039 +config GRKERNSEC_EXECVE
43040 +       bool "Enforce RLIMIT_NPROC on execs"
43041 +       help
43042 +         If you say Y here, users with a resource limit on processes will
43043 +         have the value checked during execve() calls.  The current system
43044 +         only checks the system limit during fork() calls.  If the sysctl option
43045 +         is enabled, a sysctl option with name "execve_limiting" is created.
43046 +
43047 +config GRKERNSEC_DMESG
43048 +       bool "Dmesg(8) restriction"
43049 +       help
43050 +         If you say Y here, non-root users will not be able to use dmesg(8)
43051 +         to view up to the last 4kb of messages in the kernel's log buffer.
43052 +         If the sysctl option is enabled, a sysctl option with name "dmesg" is
43053 +         created.
43054 +
43055 +config GRKERNSEC_HARDEN_PTRACE
43056 +       bool "Deter ptrace-based process snooping"
43057 +       help
43058 +         If you say Y here, TTY sniffers and other malicious monitoring
43059 +         programs implemented through ptrace will be defeated.  If you
43060 +         have been using the RBAC system, this option has already been
43061 +         enabled for several years for all users, with the ability to make
43062 +         fine-grained exceptions.
43063 +
43064 +         This option only affects the ability of non-root users to ptrace
43065 +         processes that are not a descendent of the ptracing process.
43066 +         This means that strace ./binary and gdb ./binary will still work,
43067 +         but attaching to arbitrary processes will not.  If the sysctl
43068 +         option is enabled, a sysctl option with name "harden_ptrace" is
43069 +         created.
43070 +
43071 +config GRKERNSEC_TPE
43072 +       bool "Trusted Path Execution (TPE)"
43073 +       help
43074 +         If you say Y here, you will be able to choose a gid to add to the
43075 +         supplementary groups of users you want to mark as "untrusted."
43076 +         These users will not be able to execute any files that are not in
43077 +         root-owned directories writable only by root.  If the sysctl option
43078 +         is enabled, a sysctl option with name "tpe" is created.
43079 +
43080 +config GRKERNSEC_TPE_ALL
43081 +       bool "Partially restrict all non-root users"
43082 +       depends on GRKERNSEC_TPE
43083 +       help
43084 +         If you say Y here, all non-root users will be covered under
43085 +         a weaker TPE restriction.  This is separate from, and in addition to,
43086 +         the main TPE options that you have selected elsewhere.  Thus, if a
43087 +         "trusted" GID is chosen, this restriction applies to even that GID.
43088 +         Under this restriction, all non-root users will only be allowed to
43089 +         execute files in directories they own that are not group or
43090 +         world-writable, or in directories owned by root and writable only by
43091 +         root.  If the sysctl option is enabled, a sysctl option with name
43092 +         "tpe_restrict_all" is created.
43093 +
43094 +config GRKERNSEC_TPE_INVERT
43095 +       bool "Invert GID option"
43096 +       depends on GRKERNSEC_TPE
43097 +       help
43098 +         If you say Y here, the group you specify in the TPE configuration will
43099 +         decide what group TPE restrictions will be *disabled* for.  This
43100 +         option is useful if you want TPE restrictions to be applied to most
43101 +         users on the system.  If the sysctl option is enabled, a sysctl option
43102 +         with name "tpe_invert" is created.  Unlike other sysctl options, this
43103 +         entry will default to on for backward-compatibility.
43104 +
43105 +config GRKERNSEC_TPE_GID
43106 +       int "GID for untrusted users"
43107 +       depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
43108 +       default 1005
43109 +       help
43110 +         Setting this GID determines what group TPE restrictions will be
43111 +         *enabled* for.  If the sysctl option is enabled, a sysctl option
43112 +         with name "tpe_gid" is created.
43113 +
43114 +config GRKERNSEC_TPE_GID
43115 +       int "GID for trusted users"
43116 +       depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
43117 +       default 1005
43118 +       help
43119 +         Setting this GID determines what group TPE restrictions will be
43120 +         *disabled* for.  If the sysctl option is enabled, a sysctl option
43121 +         with name "tpe_gid" is created.
43122 +
43123 +endmenu
43124 +menu "Network Protections"
43125 +depends on GRKERNSEC
43126 +
43127 +config GRKERNSEC_RANDNET
43128 +       bool "Larger entropy pools"
43129 +       help
43130 +         If you say Y here, the entropy pools used for many features of Linux
43131 +         and grsecurity will be doubled in size.  Since several grsecurity
43132 +         features use additional randomness, it is recommended that you say Y
43133 +         here.  Saying Y here has a similar effect as modifying
43134 +         /proc/sys/kernel/random/poolsize.
43135 +
43136 +config GRKERNSEC_BLACKHOLE
43137 +       bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
43138 +       help
43139 +         If you say Y here, neither TCP resets nor ICMP
43140 +         destination-unreachable packets will be sent in response to packets
43141 +         sent to ports for which no associated listening process exists.
43142 +         This feature supports both IPV4 and IPV6 and exempts the 
43143 +         loopback interface from blackholing.  Enabling this feature 
43144 +         makes a host more resilient to DoS attacks and reduces network
43145 +         visibility against scanners.
43146 +
43147 +         The blackhole feature as-implemented is equivalent to the FreeBSD
43148 +         blackhole feature, as it prevents RST responses to all packets, not
43149 +         just SYNs.  Under most application behavior this causes no
43150 +         problems, but applications (like haproxy) may not close certain
43151 +         connections in a way that cleanly terminates them on the remote
43152 +         end, leaving the remote host in LAST_ACK state.  Because of this
43153 +         side-effect and to prevent intentional LAST_ACK DoSes, this
43154 +         feature also adds automatic mitigation against such attacks.
43155 +         The mitigation drastically reduces the amount of time a socket
43156 +         can spend in LAST_ACK state.  If you're using haproxy and not
43157 +         all servers it connects to have this option enabled, consider
43158 +         disabling this feature on the haproxy host.
43159 +
43160 +         If the sysctl option is enabled, two sysctl options with names
43161 +         "ip_blackhole" and "lastack_retries" will be created.
43162 +         While "ip_blackhole" takes the standard zero/non-zero on/off
43163 +         toggle, "lastack_retries" uses the same kinds of values as
43164 +         "tcp_retries1" and "tcp_retries2".  The default value of 4
43165 +         prevents a socket from lasting more than 45 seconds in LAST_ACK
43166 +         state.
43167 +
43168 +config GRKERNSEC_SOCKET
43169 +       bool "Socket restrictions"
43170 +       help
43171 +         If you say Y here, you will be able to choose from several options.
43172 +         If you assign a GID on your system and add it to the supplementary
43173 +         groups of users you want to restrict socket access to, this patch
43174 +         will perform up to three things, based on the option(s) you choose.
43175 +
43176 +config GRKERNSEC_SOCKET_ALL
43177 +       bool "Deny any sockets to group"
43178 +       depends on GRKERNSEC_SOCKET
43179 +       help
43180 +         If you say Y here, you will be able to choose a GID of whose users will
43181 +         be unable to connect to other hosts from your machine or run server
43182 +         applications from your machine.  If the sysctl option is enabled, a
43183 +         sysctl option with name "socket_all" is created.
43184 +
43185 +config GRKERNSEC_SOCKET_ALL_GID
43186 +       int "GID to deny all sockets for"
43187 +       depends on GRKERNSEC_SOCKET_ALL
43188 +       default 1004
43189 +       help
43190 +         Here you can choose the GID to disable socket access for. Remember to
43191 +         add the users you want socket access disabled for to the GID
43192 +         specified here.  If the sysctl option is enabled, a sysctl option
43193 +         with name "socket_all_gid" is created.
43194 +
43195 +config GRKERNSEC_SOCKET_CLIENT
43196 +       bool "Deny client sockets to group"
43197 +       depends on GRKERNSEC_SOCKET
43198 +       help
43199 +         If you say Y here, you will be able to choose a GID of whose users will
43200 +         be unable to connect to other hosts from your machine, but will be
43201 +         able to run servers.  If this option is enabled, all users in the group
43202 +         you specify will have to use passive mode when initiating ftp transfers
43203 +         from the shell on your machine.  If the sysctl option is enabled, a
43204 +         sysctl option with name "socket_client" is created.
43205 +
43206 +config GRKERNSEC_SOCKET_CLIENT_GID
43207 +       int "GID to deny client sockets for"
43208 +       depends on GRKERNSEC_SOCKET_CLIENT
43209 +       default 1003
43210 +       help
43211 +         Here you can choose the GID to disable client socket access for.
43212 +         Remember to add the users you want client socket access disabled for to
43213 +         the GID specified here.  If the sysctl option is enabled, a sysctl
43214 +         option with name "socket_client_gid" is created.
43215 +
43216 +config GRKERNSEC_SOCKET_SERVER
43217 +       bool "Deny server sockets to group"
43218 +       depends on GRKERNSEC_SOCKET
43219 +       help
43220 +         If you say Y here, you will be able to choose a GID of whose users will
43221 +         be unable to run server applications from your machine.  If the sysctl
43222 +         option is enabled, a sysctl option with name "socket_server" is created.
43223 +
43224 +config GRKERNSEC_SOCKET_SERVER_GID
43225 +       int "GID to deny server sockets for"
43226 +       depends on GRKERNSEC_SOCKET_SERVER
43227 +       default 1002
43228 +       help
43229 +         Here you can choose the GID to disable server socket access for.
43230 +         Remember to add the users you want server socket access disabled for to
43231 +         the GID specified here.  If the sysctl option is enabled, a sysctl
43232 +         option with name "socket_server_gid" is created.
43233 +
43234 +endmenu
43235 +menu "Sysctl support"
43236 +depends on GRKERNSEC && SYSCTL
43237 +
43238 +config GRKERNSEC_SYSCTL
43239 +       bool "Sysctl support"
43240 +       help
43241 +         If you say Y here, you will be able to change the options that
43242 +         grsecurity runs with at bootup, without having to recompile your
43243 +         kernel.  You can echo values to files in /proc/sys/kernel/grsecurity
43244 +         to enable (1) or disable (0) various features.  All the sysctl entries
43245 +         are mutable until the "grsec_lock" entry is set to a non-zero value.
43246 +         All features enabled in the kernel configuration are disabled at boot
43247 +         if you do not say Y to the "Turn on features by default" option.
43248 +         All options should be set at startup, and the grsec_lock entry should
43249 +         be set to a non-zero value after all the options are set.
43250 +         *THIS IS EXTREMELY IMPORTANT*
43251 +
43252 +config GRKERNSEC_SYSCTL_DISTRO
43253 +       bool "Extra sysctl support for distro makers (READ HELP)"
43254 +       depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
43255 +       help
43256 +         If you say Y here, additional sysctl options will be created
43257 +         for features that affect processes running as root.  Therefore,
43258 +         it is critical when using this option that the grsec_lock entry be
43259 +         enabled after boot.  Only distros with prebuilt kernel packages
43260 +         with this option enabled that can ensure grsec_lock is enabled
43261 +         after boot should use this option.
43262 +         *Failure to set grsec_lock after boot makes all grsec features
43263 +         this option covers useless*
43264 +
43265 +         Currently this option creates the following sysctl entries:
43266 +         "Disable Privileged I/O": "disable_priv_io"   
43267 +
43268 +config GRKERNSEC_SYSCTL_ON
43269 +       bool "Turn on features by default"
43270 +       depends on GRKERNSEC_SYSCTL
43271 +       help
43272 +         If you say Y here, instead of having all features enabled in the
43273 +         kernel configuration disabled at boot time, the features will be
43274 +         enabled at boot time.  It is recommended you say Y here unless
43275 +         there is some reason you would want all sysctl-tunable features to
43276 +         be disabled by default.  As mentioned elsewhere, it is important
43277 +         to enable the grsec_lock entry once you have finished modifying
43278 +         the sysctl entries.
43279 +
43280 +endmenu
43281 +menu "Logging Options"
43282 +depends on GRKERNSEC
43283 +
43284 +config GRKERNSEC_FLOODTIME
43285 +       int "Seconds in between log messages (minimum)"
43286 +       default 10
43287 +       help
43288 +         This option allows you to enforce the number of seconds between
43289 +         grsecurity log messages.  The default should be suitable for most
43290 +         people, however, if you choose to change it, choose a value small enough
43291 +         to allow informative logs to be produced, but large enough to
43292 +         prevent flooding.
43293 +
43294 +config GRKERNSEC_FLOODBURST
43295 +       int "Number of messages in a burst (maximum)"
43296 +       default 4
43297 +       help
43298 +         This option allows you to choose the maximum number of messages allowed
43299 +         within the flood time interval you chose in a separate option.  The
43300 +         default should be suitable for most people, however if you find that
43301 +         many of your logs are being interpreted as flooding, you may want to
43302 +         raise this value.
43303 +
43304 +endmenu
43305 +
43306 +endmenu
43307 diff -urNp linux-2.6.35.5/grsecurity/Makefile linux-2.6.35.5/grsecurity/Makefile
43308 --- linux-2.6.35.5/grsecurity/Makefile  1969-12-31 19:00:00.000000000 -0500
43309 +++ linux-2.6.35.5/grsecurity/Makefile  2010-09-17 20:12:37.000000000 -0400
43310 @@ -0,0 +1,29 @@
43311 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
43312 +# during 2001-2009 it has been completely redesigned by Brad Spengler
43313 +# into an RBAC system
43314 +#
43315 +# All code in this directory and various hooks inserted throughout the kernel
43316 +# are copyright Brad Spengler - Open Source Security, Inc., and released 
43317 +# under the GPL v2 or higher
43318 +
43319 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
43320 +       grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
43321 +       grsec_time.o grsec_tpe.o grsec_link.o grsec_textrel.o grsec_ptrace.o
43322 +
43323 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
43324 +       gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
43325 +       gracl_learn.o grsec_log.o
43326 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
43327 +
43328 +ifndef CONFIG_GRKERNSEC
43329 +obj-y += grsec_disabled.o
43330 +endif
43331 +
43332 +ifdef CONFIG_GRKERNSEC_HIDESYM
43333 +extra-y := grsec_hidesym.o
43334 +$(obj)/grsec_hidesym.o:
43335 +       @-chmod -f 500 /boot
43336 +       @-chmod -f 500 /lib/modules
43337 +       @-chmod -f 700 .
43338 +       @echo '  grsec: protected kernel image paths'
43339 +endif
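Review bot: The `$(obj)/grsec_hidesym.o` rule at the end of this Makefile runs `chmod` on `/boot`, `/lib/modules` and the build directory of whichever machine performs the build, so the permission tightening lands on the build host rather than on the system the kernel is installed on whenever the two differ, as with a packaged kernel. Every command is prefixed with `@-` and uses `chmod -f`, so an unprivileged build changes nothing and still prints `grsec: protected kernel image paths`. The recipe also never creates `grsec_hidesym.o`, so it looks as if it re-runs on every build. I would move the permission change to install or packaging time and, if it stays here, report the real outcome, for example `@chmod -f 500 /boot /lib/modules && echo '  grsec: protected kernel image paths' || echo '  grsec: kernel image paths NOT protected'`.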
43340 diff -urNp linux-2.6.35.5/include/acpi/acoutput.h linux-2.6.35.5/include/acpi/acoutput.h
43341 --- linux-2.6.35.5/include/acpi/acoutput.h      2010-08-26 19:47:12.000000000 -0400
43342 +++ linux-2.6.35.5/include/acpi/acoutput.h      2010-09-17 20:12:09.000000000 -0400
43343 @@ -268,8 +268,8 @@
43344   * leaving no executable debug code!
43345   */
43346  #define ACPI_FUNCTION_NAME(a)
43347 -#define ACPI_DEBUG_PRINT(pl)
43348 -#define ACPI_DEBUG_PRINT_RAW(pl)
43349 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
43350 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
43351  
43352  #endif                         /* ACPI_DEBUG_OUTPUT */
43353  
43354 diff -urNp linux-2.6.35.5/include/acpi/acpi_drivers.h linux-2.6.35.5/include/acpi/acpi_drivers.h
43355 --- linux-2.6.35.5/include/acpi/acpi_drivers.h  2010-08-26 19:47:12.000000000 -0400
43356 +++ linux-2.6.35.5/include/acpi/acpi_drivers.h  2010-09-17 20:12:09.000000000 -0400
43357 @@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
43358                                    Dock Station
43359    -------------------------------------------------------------------------- */
43360  struct acpi_dock_ops {
43361 -       acpi_notify_handler handler;
43362 -       acpi_notify_handler uevent;
43363 +       const acpi_notify_handler handler;
43364 +       const acpi_notify_handler uevent;
43365  };
43366  
43367  #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
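Review bot: The two `const` members added to `struct acpi_dock_ops` make every instance initialise-only, but the struct carries no comment saying so, and a driver that assigns `handler` or `uevent` at run time will now fail to compile with a read-only-member error. A one-line comment above the struct would make the contract explicit, for example `/* handlers are fixed at definition; declare instances const with an initializer */`. The `const struct acpi_dock_ops *ops` parameters in the next two hunks express the same intent at the registration boundary, so callers that are not visible here need matching `const` definitions.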
43368 @@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
43369  extern int register_dock_notifier(struct notifier_block *nb);
43370  extern void unregister_dock_notifier(struct notifier_block *nb);
43371  extern int register_hotplug_dock_device(acpi_handle handle,
43372 -                                       struct acpi_dock_ops *ops,
43373 +                                       const struct acpi_dock_ops *ops,
43374                                         void *context);
43375  extern void unregister_hotplug_dock_device(acpi_handle handle);
43376  #else
43377 @@ -146,7 +146,7 @@ static inline void unregister_dock_notif
43378  {
43379  }
43380  static inline int register_hotplug_dock_device(acpi_handle handle,
43381 -                                              struct acpi_dock_ops *ops,
43382 +                                              const struct acpi_dock_ops *ops,
43383                                                void *context)
43384  {
43385         return -ENODEV;
43386 diff -urNp linux-2.6.35.5/include/asm-generic/atomic-long.h linux-2.6.35.5/include/asm-generic/atomic-long.h
43387 --- linux-2.6.35.5/include/asm-generic/atomic-long.h    2010-08-26 19:47:12.000000000 -0400
43388 +++ linux-2.6.35.5/include/asm-generic/atomic-long.h    2010-09-17 20:12:09.000000000 -0400
43389 @@ -22,6 +22,12 @@
43390  
43391  typedef atomic64_t atomic_long_t;
43392  
43393 +#ifdef CONFIG_PAX_REFCOUNT
43394 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
43395 +#else
43396 +typedef atomic64_t atomic_long_unchecked_t;
43397 +#endif
43398 +
43399  #define ATOMIC_LONG_INIT(i)    ATOMIC64_INIT(i)
43400  
43401  static inline long atomic_long_read(atomic_long_t *l)
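Review bot: `atomic_long_unchecked_t` is introduced here with no comment on how it differs from `atomic_long_t`, and without CONFIG_PAX_REFCOUNT the two are the same type, so the compiler will not catch a counter declared with the wrong one. Judging by the names, the unchecked type is for counters exempt from the overflow detection that CONFIG_PAX_REFCOUNT applies; if so, a comment such as `/* atomic_long_unchecked_t: exempt from PAX_REFCOUNT overflow detection; never use for reference counts */` above the typedef would keep later users from picking it by accident. The same comment is missing at the 32-bit typedef in the `@@ -140,6 +200,12 @@` hunk. The trailing context line opens `atomic_long_read`, whose body lies outside this hunk.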
43402 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
43403         return (long)atomic64_read(v);
43404  }
43405  
43406 +#ifdef CONFIG_PAX_REFCOUNT
43407 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43408 +{
43409 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43410 +
43411 +       return (long)atomic64_read_unchecked(v);
43412 +}
43413 +#endif
43414 +
43415  static inline void atomic_long_set(atomic_long_t *l, long i)
43416  {
43417         atomic64_t *v = (atomic64_t *)l;
43418 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
43419         atomic64_set(v, i);
43420  }
43421  
43422 +#ifdef CONFIG_PAX_REFCOUNT
43423 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43424 +{
43425 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43426 +
43427 +       atomic64_set_unchecked(v, i);
43428 +}
43429 +#endif
43430 +
43431  static inline void atomic_long_inc(atomic_long_t *l)
43432  {
43433         atomic64_t *v = (atomic64_t *)l;
43434 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
43435         atomic64_inc(v);
43436  }
43437  
43438 +#ifdef CONFIG_PAX_REFCOUNT
43439 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43440 +{
43441 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43442 +
43443 +       atomic64_inc_unchecked(v);
43444 +}
43445 +#endif
43446 +
43447  static inline void atomic_long_dec(atomic_long_t *l)
43448  {
43449         atomic64_t *v = (atomic64_t *)l;
43450 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
43451         atomic64_dec(v);
43452  }
43453  
43454 +#ifdef CONFIG_PAX_REFCOUNT
43455 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43456 +{
43457 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43458 +
43459 +       atomic64_dec_unchecked(v);
43460 +}
43461 +#endif
43462 +
43463  static inline void atomic_long_add(long i, atomic_long_t *l)
43464  {
43465         atomic64_t *v = (atomic64_t *)l;
43466 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long 
43467         atomic64_add(i, v);
43468  }
43469  
43470 +#ifdef CONFIG_PAX_REFCOUNT
43471 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43472 +{
43473 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43474 +
43475 +       atomic64_add_unchecked(i, v);
43476 +}
43477 +#endif
43478 +
43479  static inline void atomic_long_sub(long i, atomic_long_t *l)
43480  {
43481         atomic64_t *v = (atomic64_t *)l;
43482 @@ -115,6 +166,15 @@ static inline long atomic_long_inc_retur
43483         return (long)atomic64_inc_return(v);
43484  }
43485  
43486 +#ifdef CONFIG_PAX_REFCOUNT
43487 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43488 +{
43489 +       atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
43490 +
43491 +       return (long)atomic64_inc_return_unchecked(v);
43492 +}
43493 +#endif
43494 +
43495  static inline long atomic_long_dec_return(atomic_long_t *l)
43496  {
43497         atomic64_t *v = (atomic64_t *)l;
43498 @@ -140,6 +200,12 @@ static inline long atomic_long_add_unles
43499  
43500  typedef atomic_t atomic_long_t;
43501  
43502 +#ifdef CONFIG_PAX_REFCOUNT
43503 +typedef atomic_unchecked_t atomic_long_unchecked_t;
43504 +#else
43505 +typedef atomic_t atomic_long_unchecked_t;
43506 +#endif
43507 +
43508  #define ATOMIC_LONG_INIT(i)    ATOMIC_INIT(i)
43509  static inline long atomic_long_read(atomic_long_t *l)
43510  {
43511 @@ -148,6 +214,15 @@ static inline long atomic_long_read(atom
43512         return (long)atomic_read(v);
43513  }
43514  
43515 +#ifdef CONFIG_PAX_REFCOUNT
43516 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
43517 +{
43518 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43519 +
43520 +       return (long)atomic_read_unchecked(v);
43521 +}
43522 +#endif
43523 +
43524  static inline void atomic_long_set(atomic_long_t *l, long i)
43525  {
43526         atomic_t *v = (atomic_t *)l;
43527 @@ -155,6 +230,15 @@ static inline void atomic_long_set(atomi
43528         atomic_set(v, i);
43529  }
43530  
43531 +#ifdef CONFIG_PAX_REFCOUNT
43532 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
43533 +{
43534 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43535 +
43536 +       atomic_set_unchecked(v, i);
43537 +}
43538 +#endif
43539 +
43540  static inline void atomic_long_inc(atomic_long_t *l)
43541  {
43542         atomic_t *v = (atomic_t *)l;
43543 @@ -162,6 +246,15 @@ static inline void atomic_long_inc(atomi
43544         atomic_inc(v);
43545  }
43546  
43547 +#ifdef CONFIG_PAX_REFCOUNT
43548 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
43549 +{
43550 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43551 +
43552 +       atomic_inc_unchecked(v);
43553 +}
43554 +#endif
43555 +
43556  static inline void atomic_long_dec(atomic_long_t *l)
43557  {
43558         atomic_t *v = (atomic_t *)l;
43559 @@ -169,6 +262,15 @@ static inline void atomic_long_dec(atomi
43560         atomic_dec(v);
43561  }
43562  
43563 +#ifdef CONFIG_PAX_REFCOUNT
43564 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
43565 +{
43566 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43567 +
43568 +       atomic_dec_unchecked(v);
43569 +}
43570 +#endif
43571 +
43572  static inline void atomic_long_add(long i, atomic_long_t *l)
43573  {
43574         atomic_t *v = (atomic_t *)l;
43575 @@ -176,6 +278,15 @@ static inline void atomic_long_add(long 
43576         atomic_add(i, v);
43577  }
43578  
43579 +#ifdef CONFIG_PAX_REFCOUNT
43580 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
43581 +{
43582 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43583 +
43584 +       atomic_add_unchecked(i, v);
43585 +}
43586 +#endif
43587 +
43588  static inline void atomic_long_sub(long i, atomic_long_t *l)
43589  {
43590         atomic_t *v = (atomic_t *)l;
43591 @@ -232,6 +343,15 @@ static inline long atomic_long_inc_retur
43592         return (long)atomic_inc_return(v);
43593  }
43594  
43595 +#ifdef CONFIG_PAX_REFCOUNT
43596 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
43597 +{
43598 +       atomic_unchecked_t *v = (atomic_unchecked_t *)l;
43599 +
43600 +       return (long)atomic_inc_return_unchecked(v);
43601 +}
43602 +#endif
43603 +
43604  static inline long atomic_long_dec_return(atomic_long_t *l)
43605  {
43606         atomic_t *v = (atomic_t *)l;
43607 @@ -255,4 +375,37 @@ static inline long atomic_long_add_unles
43608  
43609  #endif  /*  BITS_PER_LONG == 64  */
43610  
43611 +#ifdef CONFIG_PAX_REFCOUNT
43612 +static inline void pax_refcount_needs_these_functions(void)
43613 +{
43614 +       atomic_read_unchecked((atomic_unchecked_t *)NULL);
43615 +       atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
43616 +       atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
43617 +       atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
43618 +       atomic_inc_unchecked((atomic_unchecked_t *)NULL);
43619 +       atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
43620 +
43621 +       atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
43622 +       atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
43623 +       atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
43624 +       atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
43625 +       atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
43626 +       atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
43627 +}
43628 +#else
43629 +#define atomic_read_unchecked(v) atomic_read(v)
43630 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
43631 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
43632 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
43633 +#define atomic_inc_unchecked(v) atomic_inc(v)
43634 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
43635 +
43636 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
43637 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
43638 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
43639 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
43640 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
43641 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
43642 +#endif
43643 +
43644  #endif  /*  _ASM_GENERIC_ATOMIC_LONG_H  */
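Review bot: `atomic_dec_unchecked` is missing from both halves of this block: `pax_refcount_needs_these_functions()` does not reference it and the `#else` branch has no fallback macro for it, although the 32-bit `atomic_long_dec_unchecked()` added earlier in this file calls it. Unless every architecture header supplies it (not visible here), generic code using `atomic_dec_unchecked` has no definition when CONFIG_PAX_REFCOUNT is off. I would add `atomic_dec_unchecked((atomic_unchecked_t *)NULL);` to the function and `#define atomic_dec_unchecked(v) atomic_dec(v)` to the fallback list. The function also deserves a comment saying that it exists only to break the build when an architecture lacks these primitives and must never be called, since every call in it passes NULL.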
43645 diff -urNp linux-2.6.35.5/include/asm-generic/dma-mapping-common.h linux-2.6.35.5/include/asm-generic/dma-mapping-common.h
43646 --- linux-2.6.35.5/include/asm-generic/dma-mapping-common.h     2010-08-26 19:47:12.000000000 -0400
43647 +++ linux-2.6.35.5/include/asm-generic/dma-mapping-common.h     2010-09-17 20:12:09.000000000 -0400
43648 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
43649                                               enum dma_data_direction dir,
43650                                               struct dma_attrs *attrs)
43651  {
43652 -       struct dma_map_ops *ops = get_dma_ops(dev);
43653 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43654         dma_addr_t addr;
43655  
43656         kmemcheck_mark_initialized(ptr, size);
43657 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
43658                                           enum dma_data_direction dir,
43659                                           struct dma_attrs *attrs)
43660  {
43661 -       struct dma_map_ops *ops = get_dma_ops(dev);
43662 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43663  
43664         BUG_ON(!valid_dma_direction(dir));
43665         if (ops->unmap_page)
43666 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
43667                                    int nents, enum dma_data_direction dir,
43668                                    struct dma_attrs *attrs)
43669  {
43670 -       struct dma_map_ops *ops = get_dma_ops(dev);
43671 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43672         int i, ents;
43673         struct scatterlist *s;
43674  
43675 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
43676                                       int nents, enum dma_data_direction dir,
43677                                       struct dma_attrs *attrs)
43678  {
43679 -       struct dma_map_ops *ops = get_dma_ops(dev);
43680 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43681  
43682         BUG_ON(!valid_dma_direction(dir));
43683         debug_dma_unmap_sg(dev, sg, nents, dir);
43684 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
43685                                       size_t offset, size_t size,
43686                                       enum dma_data_direction dir)
43687  {
43688 -       struct dma_map_ops *ops = get_dma_ops(dev);
43689 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43690         dma_addr_t addr;
43691  
43692         kmemcheck_mark_initialized(page_address(page) + offset, size);
43693 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
43694  static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
43695                                   size_t size, enum dma_data_direction dir)
43696  {
43697 -       struct dma_map_ops *ops = get_dma_ops(dev);
43698 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43699  
43700         BUG_ON(!valid_dma_direction(dir));
43701         if (ops->unmap_page)
43702 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
43703                                            size_t size,
43704                                            enum dma_data_direction dir)
43705  {
43706 -       struct dma_map_ops *ops = get_dma_ops(dev);
43707 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43708  
43709         BUG_ON(!valid_dma_direction(dir));
43710         if (ops->sync_single_for_cpu)
43711 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
43712                                               dma_addr_t addr, size_t size,
43713                                               enum dma_data_direction dir)
43714  {
43715 -       struct dma_map_ops *ops = get_dma_ops(dev);
43716 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43717  
43718         BUG_ON(!valid_dma_direction(dir));
43719         if (ops->sync_single_for_device)
43720 @@ -139,7 +139,7 @@ static inline void
43721  dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
43722                     int nelems, enum dma_data_direction dir)
43723  {
43724 -       struct dma_map_ops *ops = get_dma_ops(dev);
43725 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43726  
43727         BUG_ON(!valid_dma_direction(dir));
43728         if (ops->sync_sg_for_cpu)
43729 @@ -151,7 +151,7 @@ static inline void
43730  dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
43731                        int nelems, enum dma_data_direction dir)
43732  {
43733 -       struct dma_map_ops *ops = get_dma_ops(dev);
43734 +       const struct dma_map_ops *ops = get_dma_ops(dev);
43735  
43736         BUG_ON(!valid_dma_direction(dir));
43737         if (ops->sync_sg_for_device)
43738 diff -urNp linux-2.6.35.5/include/asm-generic/futex.h linux-2.6.35.5/include/asm-generic/futex.h
43739 --- linux-2.6.35.5/include/asm-generic/futex.h  2010-08-26 19:47:12.000000000 -0400
43740 +++ linux-2.6.35.5/include/asm-generic/futex.h  2010-09-17 20:12:09.000000000 -0400
43741 @@ -6,7 +6,7 @@
43742  #include <asm/errno.h>
43743  
43744  static inline int
43745 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
43746 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
43747  {
43748         int op = (encoded_op >> 28) & 7;
43749         int cmp = (encoded_op >> 24) & 15;
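Review bot: `uaddr` becomes `u32 __user *` here and in `futex_atomic_cmpxchg_inatomic` in the next hunk, while `oldval` and `newval` there stay `int`, so the pointee and the values compared against it now differ in signedness. If the aim is to match the type of the futex word, `u32 oldval, u32 newval` would be consistent; if the `int` values are intentional, a short comment on the prototype saying why would help. Architecture-specific implementations and callers outside this file need the same prototype change, otherwise they will produce incompatible-pointer warnings. The body of `futex_atomic_op_inuser` continues outside this hunk.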
43750 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op, 
43751  }
43752  
43753  static inline int
43754 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
43755 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
43756  {
43757         return -ENOSYS;
43758  }
43759 diff -urNp linux-2.6.35.5/include/asm-generic/int-l64.h linux-2.6.35.5/include/asm-generic/int-l64.h
43760 --- linux-2.6.35.5/include/asm-generic/int-l64.h        2010-08-26 19:47:12.000000000 -0400
43761 +++ linux-2.6.35.5/include/asm-generic/int-l64.h        2010-09-17 20:12:09.000000000 -0400
43762 @@ -46,6 +46,8 @@ typedef unsigned int u32;
43763  typedef signed long s64;
43764  typedef unsigned long u64;
43765  
43766 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
43767 +
43768  #define S8_C(x)  x
43769  #define U8_C(x)  x ## U
43770  #define S16_C(x) x
43771 diff -urNp linux-2.6.35.5/include/asm-generic/int-ll64.h linux-2.6.35.5/include/asm-generic/int-ll64.h
43772 --- linux-2.6.35.5/include/asm-generic/int-ll64.h       2010-08-26 19:47:12.000000000 -0400
43773 +++ linux-2.6.35.5/include/asm-generic/int-ll64.h       2010-09-17 20:12:09.000000000 -0400
43774 @@ -51,6 +51,8 @@ typedef unsigned int u32;
43775  typedef signed long long s64;
43776  typedef unsigned long long u64;
43777  
43778 +typedef unsigned long long intoverflow_t;
43779 +
43780  #define S8_C(x)  x
43781  #define U8_C(x)  x ## U
43782  #define S16_C(x) x
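Review bot: `intoverflow_t` is defined here as `unsigned long long`, which is 64 bits, whereas the `int-l64.h` hunk above defines it as a 128-bit `mode(TI)` integer; on a 64-bit architecture that includes this header the type is therefore no wider than `unsigned long`. If the type is meant to hold a size computation in a wider integer so it can be compared against the native maximum (its uses are not visible here), that comparison could never trigger on those targets. At minimum the assumption should be stated next to the typedef, for example `/* must be wider than unsigned long to detect overflow; holds here only when long is 32 bits */`, and selecting the definition on `BITS_PER_LONG` would remove the assumption altogether.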
43783 diff -urNp linux-2.6.35.5/include/asm-generic/kmap_types.h linux-2.6.35.5/include/asm-generic/kmap_types.h
43784 --- linux-2.6.35.5/include/asm-generic/kmap_types.h     2010-08-26 19:47:12.000000000 -0400
43785 +++ linux-2.6.35.5/include/asm-generic/kmap_types.h     2010-09-17 20:12:09.000000000 -0400
43786 @@ -29,10 +29,11 @@ KMAP_D(16)  KM_IRQ_PTE,
43787  KMAP_D(17)     KM_NMI,
43788  KMAP_D(18)     KM_NMI_PTE,
43789  KMAP_D(19)     KM_KDB,
43790 +KMAP_D(20)     KM_CLEARPAGE,
43791  /*
43792   * Remember to update debug_kmap_atomic() when adding new kmap types!
43793   */
43794 -KMAP_D(20)     KM_TYPE_NR
43795 +KMAP_D(21)     KM_TYPE_NR
43796  };
43797  
43798  #undef KMAP_D
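Review bot: The comment directly below the new `KM_CLEARPAGE` entry asks for `debug_kmap_atomic()` to be updated whenever a kmap type is added, and nothing in this hunk shows that the new slot was registered there. If it was not, the debug checks may not know in which contexts `KM_CLEARPAGE` is legal, so misuse of the slot would go unreported. The entry also has no comment saying which code path owns the slot; something like `KMAP_D(20)	KM_CLEARPAGE,	/* page clearing; see debug_kmap_atomic() */` would record both facts.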
43799 diff -urNp linux-2.6.35.5/include/asm-generic/pgtable.h linux-2.6.35.5/include/asm-generic/pgtable.h
43800 --- linux-2.6.35.5/include/asm-generic/pgtable.h        2010-08-26 19:47:12.000000000 -0400
43801 +++ linux-2.6.35.5/include/asm-generic/pgtable.h        2010-09-17 20:12:09.000000000 -0400
43802 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
43803                                 unsigned long size);
43804  #endif
43805  
43806 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
43807 +static inline unsigned long pax_open_kernel(void) { return 0; }
43808 +#endif
43809 +
43810 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
43811 +static inline unsigned long pax_close_kernel(void) { return 0; }
43812 +#endif
43813 +
43814  #endif /* !__ASSEMBLY__ */
43815  
43816  #endif /* _ASM_GENERIC_PGTABLE_H */
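Review bot: The generic `pax_open_kernel()` and `pax_close_kernel()` stubs carry no comment on what the `unsigned long` return value means or that they do nothing, so a caller bracketing a write to protected data gets no protection change on any architecture that lacks `__HAVE_ARCH_PAX_OPEN_KERNEL`, and nothing signals that. A short comment above the stubs would do, for example `/* Fallback no-ops: architectures without a kernel write-protection toggle leave protection unchanged and return 0 */`. Because each stub has its own guard, an architecture could also override only one of the pair; a single guard, or an `#error` when only one macro is defined, would keep them matched.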
43817 diff -urNp linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h
43818 --- linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h  2010-08-26 19:47:12.000000000 -0400
43819 +++ linux-2.6.35.5/include/asm-generic/pgtable-nopmd.h  2010-09-17 20:12:09.000000000 -0400
43820 @@ -1,14 +1,19 @@
43821  #ifndef _PGTABLE_NOPMD_H
43822  #define _PGTABLE_NOPMD_H
43823  
43824 -#ifndef __ASSEMBLY__
43825 -
43826  #include <asm-generic/pgtable-nopud.h>
43827  
43828 -struct mm_struct;
43829 -
43830  #define __PAGETABLE_PMD_FOLDED
43831  
43832 +#define PMD_SHIFT      PUD_SHIFT
43833 +#define PTRS_PER_PMD   1
43834 +#define PMD_SIZE       (_AC(1,UL) << PMD_SHIFT)
43835 +#define PMD_MASK       (~(PMD_SIZE-1))
43836 +
43837 +#ifndef __ASSEMBLY__
43838 +
43839 +struct mm_struct;
43840 +
43841  /*
43842   * Having the pmd type consist of a pud gets the size right, and allows
43843   * us to conceptually access the pud entry that this pmd is folded into
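Review bot: The relocated `PMD_SIZE` definition now uses `_AC(1,UL)`, but neither this hunk nor the matching `PUD_SIZE` change in the `pgtable-nopud.h` hunk adds `#include <linux/const.h>`, so both headers depend on an includer having pulled that macro in first. Moving the macros and the `#include <asm-generic/pgtable-nopud.h>` line outside `#ifndef __ASSEMBLY__` also exposes them to assembly sources, where that ordering is harder to guarantee. I would add `#include <linux/const.h>` at the top of both headers and a one-line comment saying that the size macros are deliberately visible to assembly.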
43844 @@ -16,11 +21,6 @@ struct mm_struct;
43845   */
43846  typedef struct { pud_t pud; } pmd_t;
43847  
43848 -#define PMD_SHIFT      PUD_SHIFT
43849 -#define PTRS_PER_PMD   1
43850 -#define PMD_SIZE       (1UL << PMD_SHIFT)
43851 -#define PMD_MASK       (~(PMD_SIZE-1))
43852 -
43853  /*
43854   * The "pud_xxx()" functions here are trivial for a folded two-level
43855   * setup: the pmd is never bad, and a pmd always exists (as it's folded
43856 diff -urNp linux-2.6.35.5/include/asm-generic/pgtable-nopud.h linux-2.6.35.5/include/asm-generic/pgtable-nopud.h
43857 --- linux-2.6.35.5/include/asm-generic/pgtable-nopud.h  2010-08-26 19:47:12.000000000 -0400
43858 +++ linux-2.6.35.5/include/asm-generic/pgtable-nopud.h  2010-09-17 20:12:09.000000000 -0400
43859 @@ -1,10 +1,15 @@
43860  #ifndef _PGTABLE_NOPUD_H
43861  #define _PGTABLE_NOPUD_H
43862  
43863 -#ifndef __ASSEMBLY__
43864 -
43865  #define __PAGETABLE_PUD_FOLDED
43866  
43867 +#define PUD_SHIFT      PGDIR_SHIFT
43868 +#define PTRS_PER_PUD   1
43869 +#define PUD_SIZE       (_AC(1,UL) << PUD_SHIFT)
43870 +#define PUD_MASK       (~(PUD_SIZE-1))
43871 +
43872 +#ifndef __ASSEMBLY__
43873 +
43874  /*
43875   * Having the pud type consist of a pgd gets the size right, and allows
43876   * us to conceptually access the pgd entry that this pud is folded into
43877 @@ -12,11 +17,6 @@
43878   */
43879  typedef struct { pgd_t pgd; } pud_t;
43880  
43881 -#define PUD_SHIFT      PGDIR_SHIFT
43882 -#define PTRS_PER_PUD   1
43883 -#define PUD_SIZE       (1UL << PUD_SHIFT)
43884 -#define PUD_MASK       (~(PUD_SIZE-1))
43885 -
43886  /*
43887   * The "pgd_xxx()" functions here are trivial for a folded two-level
43888   * setup: the pud is never bad, and a pud always exists (as it's folded
43889 diff -urNp linux-2.6.35.5/include/asm-generic/vmlinux.lds.h linux-2.6.35.5/include/asm-generic/vmlinux.lds.h
43890 --- linux-2.6.35.5/include/asm-generic/vmlinux.lds.h    2010-08-26 19:47:12.000000000 -0400
43891 +++ linux-2.6.35.5/include/asm-generic/vmlinux.lds.h    2010-09-17 20:12:09.000000000 -0400
43892 @@ -213,6 +213,7 @@
43893         .rodata           : AT(ADDR(.rodata) - LOAD_OFFSET) {           \
43894                 VMLINUX_SYMBOL(__start_rodata) = .;                     \
43895                 *(.rodata) *(.rodata.*)                                 \
43896 +               *(.data..read_only)                                     \
43897                 *(__vermagic)           /* Kernel version magic */      \
43898                 *(__markers_strings)    /* Markers: strings */          \
43899                 *(__tracepoints_strings)/* Tracepoints: strings */      \
43900 @@ -670,22 +671,24 @@
43901   * section in the linker script will go there too.  @phdr should have
43902   * a leading colon.
43903   *
43904 - * Note that this macros defines __per_cpu_load as an absolute symbol.
43905 + * Note that this macros defines per_cpu_load as an absolute symbol.
43906   * If there is no need to put the percpu section at a predetermined
43907   * address, use PERCPU().
43908   */
43909  #define PERCPU_VADDR(vaddr, phdr)                                      \
43910 -       VMLINUX_SYMBOL(__per_cpu_load) = .;                             \
43911 -       .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load)         \
43912 +       per_cpu_load = .;                                               \
43913 +       .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load)           \
43914                                 - LOAD_OFFSET) {                        \
43915 +               VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load;      \
43916                 VMLINUX_SYMBOL(__per_cpu_start) = .;                    \
43917                 *(.data..percpu..first)                                 \
43918 -               *(.data..percpu..page_aligned)                          \
43919                 *(.data..percpu)                                        \
43920 +               . = ALIGN(PAGE_SIZE);                                   \
43921 +               *(.data..percpu..page_aligned)                          \
43922                 *(.data..percpu..shared_aligned)                        \
43923                 VMLINUX_SYMBOL(__per_cpu_end) = .;                      \
43924         } phdr                                                          \
43925 -       . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
43926 +       . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
43927  
43928  /**
43929   * PERCPU - define output section for percpu area, simple version
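Review bot: In `PERCPU_VADDR` the new helper symbol is assigned as bare `per_cpu_load = .;` but read back as `VMLINUX_SYMBOL(per_cpu_load)` in the `AT(...)` expression and in the final location-counter assignment. If `VMLINUX_SYMBOL` adds a symbol prefix on some architecture (its definition is outside the hunk), the two spellings name different symbols; use one spelling throughout, e.g. `VMLINUX_SYMBOL(per_cpu_load) = .;`. The edited header comment now mentions only `per_cpu_load`, although `__per_cpu_load` is still defined inside the section as `. + per_cpu_load`. The comment should describe both symbols and say why `.data..percpu..page_aligned` now follows an explicit `. = ALIGN(PAGE_SIZE);`.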
43930 diff -urNp linux-2.6.35.5/include/drm/drm_pciids.h linux-2.6.35.5/include/drm/drm_pciids.h
43931 --- linux-2.6.35.5/include/drm/drm_pciids.h     2010-08-26 19:47:12.000000000 -0400
43932 +++ linux-2.6.35.5/include/drm/drm_pciids.h     2010-09-17 20:12:09.000000000 -0400
43933 @@ -419,7 +419,7 @@
43934         {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43935         {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43936         {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
43937 -       {0, 0, 0}
43938 +       {0, 0, 0, 0, 0, 0}
43939  
43940  #define r128_PCI_IDS \
43941         {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
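Review bot: The new terminator `{0, 0, 0, 0, 0, 0}` has six initializers while every entry in these tables has seven, so the last member is still zeroed implicitly. Writing `{0, 0, 0, 0, 0, 0, 0}` would match the entries; if the aim is to silence missing-initializer warnings (an inference, the hunk does not say), six values may not achieve it. The same applies to the terminators of the other `*_PCI_IDS` tables changed in this file.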
43942 @@ -459,14 +459,14 @@
43943         {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43944         {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43945         {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43946 -       {0, 0, 0}
43947 +       {0, 0, 0, 0, 0, 0}
43948  
43949  #define mga_PCI_IDS \
43950         {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43951         {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
43952         {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
43953         {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
43954 -       {0, 0, 0}
43955 +       {0, 0, 0, 0, 0, 0}
43956  
43957  #define mach64_PCI_IDS \
43958         {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43959 @@ -489,7 +489,7 @@
43960         {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43961         {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43962         {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43963 -       {0, 0, 0}
43964 +       {0, 0, 0, 0, 0, 0}
43965  
43966  #define sisdrv_PCI_IDS \
43967         {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43968 @@ -500,7 +500,7 @@
43969         {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43970         {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43971         {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
43972 -       {0, 0, 0}
43973 +       {0, 0, 0, 0, 0, 0}
43974  
43975  #define tdfx_PCI_IDS \
43976         {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43977 @@ -509,7 +509,7 @@
43978         {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43979         {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43980         {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43981 -       {0, 0, 0}
43982 +       {0, 0, 0, 0, 0, 0}
43983  
43984  #define viadrv_PCI_IDS \
43985         {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43986 @@ -521,14 +521,14 @@
43987         {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43988         {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
43989         {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
43990 -       {0, 0, 0}
43991 +       {0, 0, 0, 0, 0, 0}
43992  
43993  #define i810_PCI_IDS \
43994         {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43995         {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43996         {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43997         {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
43998 -       {0, 0, 0}
43999 +       {0, 0, 0, 0, 0, 0}
44000  
44001  #define i830_PCI_IDS \
44002         {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44003 @@ -536,11 +536,11 @@
44004         {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44005         {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44006         {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44007 -       {0, 0, 0}
44008 +       {0, 0, 0, 0, 0, 0}
44009  
44010  #define gamma_PCI_IDS \
44011         {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44012 -       {0, 0, 0}
44013 +       {0, 0, 0, 0, 0, 0}
44014  
44015  #define savage_PCI_IDS \
44016         {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
44017 @@ -566,10 +566,10 @@
44018         {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
44019         {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44020         {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44021 -       {0, 0, 0}
44022 +       {0, 0, 0, 0, 0, 0}
44023  
44024  #define ffb_PCI_IDS \
44025 -       {0, 0, 0}
44026 +       {0, 0, 0, 0, 0, 0}
44027  
44028  #define i915_PCI_IDS \
44029         {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44030 @@ -603,4 +603,4 @@
44031         {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44032         {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44033         {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44034 -       {0, 0, 0}
44035 +       {0, 0, 0, 0, 0, 0}
44036 diff -urNp linux-2.6.35.5/include/drm/drmP.h linux-2.6.35.5/include/drm/drmP.h
44037 --- linux-2.6.35.5/include/drm/drmP.h   2010-08-26 19:47:12.000000000 -0400
44038 +++ linux-2.6.35.5/include/drm/drmP.h   2010-09-17 20:12:09.000000000 -0400
44039 @@ -808,7 +808,7 @@ struct drm_driver {
44040         void (*vgaarb_irq)(struct drm_device *dev, bool state);
44041  
44042         /* Driver private ops for this object */
44043 -       struct vm_operations_struct *gem_vm_ops;
44044 +       const struct vm_operations_struct *gem_vm_ops;
44045  
44046         int major;
44047         int minor;
44048 @@ -917,7 +917,7 @@ struct drm_device {
44049  
44050         /** \name Usage Counters */
44051         /*@{ */
44052 -       int open_count;                 /**< Outstanding files open */
44053 +       atomic_t open_count;            /**< Outstanding files open */
44054         atomic_t ioctl_count;           /**< Outstanding IOCTLs pending */
44055         atomic_t vma_count;             /**< Outstanding vma areas open */
44056         int buf_use;                    /**< Buffers in use -- cannot alloc */
44057 @@ -928,7 +928,7 @@ struct drm_device {
44058         /*@{ */
44059         unsigned long counters;
44060         enum drm_stat_type types[15];
44061 -       atomic_t counts[15];
44062 +       atomic_unchecked_t counts[15];
44063         /*@} */
44064  
44065         struct list_head filelist;
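Review bot: `counts[15]` switches to `atomic_unchecked_t` with no comment saying why this counter is exempt from whatever checking plain `atomic_t` receives elsewhere in the patch. Someone auditing for reference-count overflows needs to know that these are statistics whose wrap-around is harmless; a trailing comment such as `/* statistics only, wrap-around is harmless */` would record that, provided it holds for every user of the array. The same undocumented switch appears in `__HANDLE_ITEM` in include/linux/atmdev.h and in `sync_io` in include/linux/genhd.h. The definition of `atomic_unchecked_t` and the enclosing `struct drm_device` both lie outside this hunk.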
44066 diff -urNp linux-2.6.35.5/include/linux/a.out.h linux-2.6.35.5/include/linux/a.out.h
44067 --- linux-2.6.35.5/include/linux/a.out.h        2010-08-26 19:47:12.000000000 -0400
44068 +++ linux-2.6.35.5/include/linux/a.out.h        2010-09-17 20:12:09.000000000 -0400
44069 @@ -39,6 +39,14 @@ enum machine_type {
44070    M_MIPS2 = 152                /* MIPS R6000/R4000 binary */
44071  };
44072  
44073 +/* Constants for the N_FLAGS field */
44074 +#define F_PAX_PAGEEXEC 1       /* Paging based non-executable pages */
44075 +#define F_PAX_EMUTRAMP 2       /* Emulate trampolines */
44076 +#define F_PAX_MPROTECT 4       /* Restrict mprotect() */
44077 +#define F_PAX_RANDMMAP 8       /* Randomize mmap() base */
44078 +/*#define F_PAX_RANDEXEC       16*/    /* Randomize ET_EXEC base */
44079 +#define F_PAX_SEGMEXEC 32      /* Segmentation based non-executable pages */
44080 +
44081  #if !defined (N_MAGIC)
44082  #define N_MAGIC(exec) ((exec).a_info & 0xffff)
44083  #endif
44084 diff -urNp linux-2.6.35.5/include/linux/atmdev.h linux-2.6.35.5/include/linux/atmdev.h
44085 --- linux-2.6.35.5/include/linux/atmdev.h       2010-08-26 19:47:12.000000000 -0400
44086 +++ linux-2.6.35.5/include/linux/atmdev.h       2010-09-17 20:12:09.000000000 -0400
44087 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
44088  #endif
44089  
44090  struct k_atm_aal_stats {
44091 -#define __HANDLE_ITEM(i) atomic_t i
44092 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
44093         __AAL_STAT_ITEMS
44094  #undef __HANDLE_ITEM
44095  };
44096 diff -urNp linux-2.6.35.5/include/linux/binfmts.h linux-2.6.35.5/include/linux/binfmts.h
44097 --- linux-2.6.35.5/include/linux/binfmts.h      2010-08-26 19:47:12.000000000 -0400
44098 +++ linux-2.6.35.5/include/linux/binfmts.h      2010-09-17 20:12:09.000000000 -0400
44099 @@ -87,6 +87,7 @@ struct linux_binfmt {
44100         int (*load_binary)(struct linux_binprm *, struct  pt_regs * regs);
44101         int (*load_shlib)(struct file *);
44102         int (*core_dump)(struct coredump_params *cprm);
44103 +       void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
44104         unsigned long min_coredump;     /* minimal dump size */
44105         int hasvdso;
44106  };
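Review bot: `handle_mprotect` is added to `struct linux_binfmt` without a comment, and any binfmt definition that does not set it will leave the pointer NULL. The member should be marked as optional, e.g. `/* optional, may be NULL */`, together with a sentence on when it is invoked. The call site is outside this hunk and has to test the pointer before calling through it. The struct itself begins outside the hunk.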
44107 diff -urNp linux-2.6.35.5/include/linux/blkdev.h linux-2.6.35.5/include/linux/blkdev.h
44108 --- linux-2.6.35.5/include/linux/blkdev.h       2010-08-26 19:47:12.000000000 -0400
44109 +++ linux-2.6.35.5/include/linux/blkdev.h       2010-09-17 20:12:09.000000000 -0400
44110 @@ -1331,20 +1331,20 @@ static inline int blk_integrity_rq(struc
44111  #endif /* CONFIG_BLK_DEV_INTEGRITY */
44112  
44113  struct block_device_operations {
44114 -       int (*open) (struct block_device *, fmode_t);
44115 -       int (*release) (struct gendisk *, fmode_t);
44116 -       int (*locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44117 -       int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44118 -       int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44119 -       int (*direct_access) (struct block_device *, sector_t,
44120 +       int (* const open) (struct block_device *, fmode_t);
44121 +       int (* const release) (struct gendisk *, fmode_t);
44122 +       int (* const locked_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44123 +       int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44124 +       int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
44125 +       int (* const direct_access) (struct block_device *, sector_t,
44126                                                 void **, unsigned long *);
44127 -       int (*media_changed) (struct gendisk *);
44128 -       void (*unlock_native_capacity) (struct gendisk *);
44129 -       int (*revalidate_disk) (struct gendisk *);
44130 -       int (*getgeo)(struct block_device *, struct hd_geometry *);
44131 +       int (* const media_changed) (struct gendisk *);
44132 +       void (* const unlock_native_capacity) (struct gendisk *);
44133 +       int (* const revalidate_disk) (struct gendisk *);
44134 +       int (*const getgeo)(struct block_device *, struct hd_geometry *);
44135         /* this callback is with swap_lock and sometimes page table lock held */
44136 -       void (*swap_slot_free_notify) (struct block_device *, unsigned long);
44137 -       struct module *owner;
44138 +       void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
44139 +       struct module * const owner;
44140  };
44141  
44142  extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
44143 diff -urNp linux-2.6.35.5/include/linux/cache.h linux-2.6.35.5/include/linux/cache.h
44144 --- linux-2.6.35.5/include/linux/cache.h        2010-08-26 19:47:12.000000000 -0400
44145 +++ linux-2.6.35.5/include/linux/cache.h        2010-09-17 20:12:09.000000000 -0400
44146 @@ -16,6 +16,10 @@
44147  #define __read_mostly
44148  #endif
44149  
44150 +#ifndef __read_only
44151 +#define __read_only __read_mostly
44152 +#endif
44153 +
44154  #ifndef ____cacheline_aligned
44155  #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
44156  #endif
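Review bot: The fallback `#define __read_only __read_mostly` gives `__read_only` the meaning of `__read_mostly`, which per the context lines just above can itself be defined empty, so on any configuration without its own `__read_only` the marked variables stay in ordinary writable data. The name then promises a protection that is silently absent. The fallback deserves a comment such as `/* no write protection in this configuration: same placement as __read_mostly */`. Which architectures or options override it is not visible in this hunk.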
44157 diff -urNp linux-2.6.35.5/include/linux/capability.h linux-2.6.35.5/include/linux/capability.h
44158 --- linux-2.6.35.5/include/linux/capability.h   2010-08-26 19:47:12.000000000 -0400
44159 +++ linux-2.6.35.5/include/linux/capability.h   2010-09-17 20:12:37.000000000 -0400
44160 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
44161         (security_real_capable_noaudit((t), (cap)) == 0)
44162  
44163  extern int capable(int cap);
44164 +int capable_nolog(int cap);
44165  
44166  /* audit system wants to get cap info from files as well */
44167  struct dentry;
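Review bot: `capable_nolog()` is declared without `extern`, directly under `extern int capable(int cap);`, and without any comment on how it differs from `capable()`. For a privilege check whose name suggests that logging is skipped, the declaration should carry a short comment stating what is not logged and where the variant is meant to be used, so it is not chosen where an audit record is wanted. For consistency the line would read `extern int capable_nolog(int cap);`. Its definition is outside this hunk, so the exact behaviour has to be confirmed there.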
44168 diff -urNp linux-2.6.35.5/include/linux/compiler-gcc4.h linux-2.6.35.5/include/linux/compiler-gcc4.h
44169 --- linux-2.6.35.5/include/linux/compiler-gcc4.h        2010-08-26 19:47:12.000000000 -0400
44170 +++ linux-2.6.35.5/include/linux/compiler-gcc4.h        2010-09-17 20:12:09.000000000 -0400
44171 @@ -54,6 +54,10 @@
44172  
44173  #endif
44174  
44175 +#define __alloc_size(...)      __attribute((alloc_size(__VA_ARGS__)))
44176 +#define __bos(ptr, arg)                __builtin_object_size((ptr), (arg))
44177 +#define __bos0(ptr)            __bos((ptr), 0)
44178 +#define __bos1(ptr)            __bos((ptr), 1)
44179  #endif
44180  
44181  #if __GNUC_MINOR__ > 0
44182 diff -urNp linux-2.6.35.5/include/linux/compiler.h linux-2.6.35.5/include/linux/compiler.h
44183 --- linux-2.6.35.5/include/linux/compiler.h     2010-08-26 19:47:12.000000000 -0400
44184 +++ linux-2.6.35.5/include/linux/compiler.h     2010-09-17 20:12:09.000000000 -0400
44185 @@ -267,6 +267,22 @@ void ftrace_likely_update(struct ftrace_
44186  #define __cold
44187  #endif
44188  
44189 +#ifndef __alloc_size
44190 +#define __alloc_size
44191 +#endif
44192 +
44193 +#ifndef __bos
44194 +#define __bos
44195 +#endif
44196 +
44197 +#ifndef __bos0
44198 +#define __bos0
44199 +#endif
44200 +
44201 +#ifndef __bos1
44202 +#define __bos1
44203 +#endif
44204 +
44205  /* Simple shorthand for a section definition */
44206  #ifndef __section
44207  # define __section(S) __attribute__ ((__section__(#S)))
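Review bot: The fallbacks `#define __alloc_size`, `#define __bos`, `#define __bos0` and `#define __bos1` are object-like, while the definitions added in include/linux/compiler-gcc4.h take arguments. With a compiler that does not get the gcc4 definitions, `__alloc_size(1)` leaves `(1)` behind in the declaration and `__bos0(p)` evaluates to `(p)`, a pointer rather than a size, so any bounds check built on it compares against the wrong value. The fallbacks should be function-like and the size queries should yield an "unknown" value; `(size_t)-1` is what `__builtin_object_size` returns for types 0 and 1 when the size is unknown. The callers are outside this hunk and should be checked against that choice.

```c
/* each define stays inside its existing #ifndef / #endif pair */
#define __alloc_size(...)
#define __bos(ptr, arg)		((size_t)-1)
#define __bos0(ptr)		__bos((ptr), 0)
#define __bos1(ptr)		__bos((ptr), 1)
```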
44208 diff -urNp linux-2.6.35.5/include/linux/decompress/mm.h linux-2.6.35.5/include/linux/decompress/mm.h
44209 --- linux-2.6.35.5/include/linux/decompress/mm.h        2010-08-26 19:47:12.000000000 -0400
44210 +++ linux-2.6.35.5/include/linux/decompress/mm.h        2010-09-17 20:12:09.000000000 -0400
44211 @@ -78,7 +78,7 @@ static void free(void *where)
44212   * warnings when not needed (indeed large_malloc / large_free are not
44213   * needed by inflate */
44214  
44215 -#define malloc(a) kmalloc(a, GFP_KERNEL)
44216 +#define malloc(a) kmalloc((a), GFP_KERNEL)
44217  #define free(a) kfree(a)
44218  
44219  #define large_malloc(a) vmalloc(a)
44220 diff -urNp linux-2.6.35.5/include/linux/dma-mapping.h linux-2.6.35.5/include/linux/dma-mapping.h
44221 --- linux-2.6.35.5/include/linux/dma-mapping.h  2010-08-26 19:47:12.000000000 -0400
44222 +++ linux-2.6.35.5/include/linux/dma-mapping.h  2010-09-17 20:12:09.000000000 -0400
44223 @@ -16,40 +16,40 @@ enum dma_data_direction {
44224  };
44225  
44226  struct dma_map_ops {
44227 -       void* (*alloc_coherent)(struct device *dev, size_t size,
44228 +       void* (* const alloc_coherent)(struct device *dev, size_t size,
44229                                 dma_addr_t *dma_handle, gfp_t gfp);
44230 -       void (*free_coherent)(struct device *dev, size_t size,
44231 +       void (* const free_coherent)(struct device *dev, size_t size,
44232                               void *vaddr, dma_addr_t dma_handle);
44233 -       dma_addr_t (*map_page)(struct device *dev, struct page *page,
44234 +       dma_addr_t (* const map_page)(struct device *dev, struct page *page,
44235                                unsigned long offset, size_t size,
44236                                enum dma_data_direction dir,
44237                                struct dma_attrs *attrs);
44238 -       void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
44239 +       void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
44240                            size_t size, enum dma_data_direction dir,
44241                            struct dma_attrs *attrs);
44242 -       int (*map_sg)(struct device *dev, struct scatterlist *sg,
44243 +       int (* const map_sg)(struct device *dev, struct scatterlist *sg,
44244                       int nents, enum dma_data_direction dir,
44245                       struct dma_attrs *attrs);
44246 -       void (*unmap_sg)(struct device *dev,
44247 +       void (* const unmap_sg)(struct device *dev,
44248                          struct scatterlist *sg, int nents,
44249                          enum dma_data_direction dir,
44250                          struct dma_attrs *attrs);
44251 -       void (*sync_single_for_cpu)(struct device *dev,
44252 +       void (* const sync_single_for_cpu)(struct device *dev,
44253                                     dma_addr_t dma_handle, size_t size,
44254                                     enum dma_data_direction dir);
44255 -       void (*sync_single_for_device)(struct device *dev,
44256 +       void (* const sync_single_for_device)(struct device *dev,
44257                                        dma_addr_t dma_handle, size_t size,
44258                                        enum dma_data_direction dir);
44259 -       void (*sync_sg_for_cpu)(struct device *dev,
44260 +       void (* const sync_sg_for_cpu)(struct device *dev,
44261                                 struct scatterlist *sg, int nents,
44262                                 enum dma_data_direction dir);
44263 -       void (*sync_sg_for_device)(struct device *dev,
44264 +       void (* const sync_sg_for_device)(struct device *dev,
44265                                    struct scatterlist *sg, int nents,
44266                                    enum dma_data_direction dir);
44267 -       int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
44268 -       int (*dma_supported)(struct device *dev, u64 mask);
44269 -       int (*set_dma_mask)(struct device *dev, u64 mask);
44270 -       int is_phys;
44271 +       int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
44272 +       int (* const dma_supported)(struct device *dev, u64 mask);
44273 +       int (* set_dma_mask)(struct device *dev, u64 mask);
44274 +       const int is_phys;
44275  };
44276  
44277  #define DMA_BIT_MASK(n)        (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
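Review bot: `set_dma_mask` is the only function pointer in `struct dma_map_ops` left without `const` (`int (* set_dma_mask)(struct device *dev, u64 mask);`), while `is_phys` and every other member become const. If some architecture assigns this member at run time, that exception should be stated in a comment next to it, since it leaves one writable function pointer in an otherwise constified ops table. If not, the line should read `int (* const set_dma_mask)(struct device *dev, u64 mask);`. The users of the struct are outside this hunk, so which case applies cannot be told from here.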
44278 diff -urNp linux-2.6.35.5/include/linux/elf.h linux-2.6.35.5/include/linux/elf.h
44279 --- linux-2.6.35.5/include/linux/elf.h  2010-08-26 19:47:12.000000000 -0400
44280 +++ linux-2.6.35.5/include/linux/elf.h  2010-09-17 20:12:09.000000000 -0400
44281 @@ -49,6 +49,17 @@ typedef __s64        Elf64_Sxword;
44282  #define PT_GNU_EH_FRAME                0x6474e550
44283  
44284  #define PT_GNU_STACK   (PT_LOOS + 0x474e551)
44285 +#define PT_GNU_RELRO   (PT_LOOS + 0x474e552)
44286 +
44287 +#define PT_PAX_FLAGS   (PT_LOOS + 0x5041580)
44288 +
44289 +/* Constants for the e_flags field */
44290 +#define EF_PAX_PAGEEXEC                1       /* Paging based non-executable pages */
44291 +#define EF_PAX_EMUTRAMP                2       /* Emulate trampolines */
44292 +#define EF_PAX_MPROTECT                4       /* Restrict mprotect() */
44293 +#define EF_PAX_RANDMMAP                8       /* Randomize mmap() base */
44294 +/*#define EF_PAX_RANDEXEC              16*/    /* Randomize ET_EXEC base */
44295 +#define EF_PAX_SEGMEXEC                32      /* Segmentation based non-executable pages */
44296  
44297  /*
44298   * Extended Numbering
44299 @@ -106,6 +117,8 @@ typedef __s64       Elf64_Sxword;
44300  #define DT_DEBUG       21
44301  #define DT_TEXTREL     22
44302  #define DT_JMPREL      23
44303 +#define DT_FLAGS       30
44304 +  #define DF_TEXTREL  0x00000004
44305  #define DT_ENCODING    32
44306  #define OLD_DT_LOOS    0x60000000
44307  #define DT_LOOS                0x6000000d
44308 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
44309  #define PF_W           0x2
44310  #define PF_X           0x1
44311  
44312 +#define PF_PAGEEXEC    (1U << 4)       /* Enable  PAGEEXEC */
44313 +#define PF_NOPAGEEXEC  (1U << 5)       /* Disable PAGEEXEC */
44314 +#define PF_SEGMEXEC    (1U << 6)       /* Enable  SEGMEXEC */
44315 +#define PF_NOSEGMEXEC  (1U << 7)       /* Disable SEGMEXEC */
44316 +#define PF_MPROTECT    (1U << 8)       /* Enable  MPROTECT */
44317 +#define PF_NOMPROTECT  (1U << 9)       /* Disable MPROTECT */
44318 +/*#define PF_RANDEXEC  (1U << 10)*/    /* Enable  RANDEXEC */
44319 +/*#define PF_NORANDEXEC        (1U << 11)*/    /* Disable RANDEXEC */
44320 +#define PF_EMUTRAMP    (1U << 12)      /* Enable  EMUTRAMP */
44321 +#define PF_NOEMUTRAMP  (1U << 13)      /* Disable EMUTRAMP */
44322 +#define PF_RANDMMAP    (1U << 14)      /* Enable  RANDMMAP */
44323 +#define PF_NORANDMMAP  (1U << 15)      /* Disable RANDMMAP */
44324 +
44325  typedef struct elf32_phdr{
44326    Elf32_Word   p_type;
44327    Elf32_Off    p_offset;
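Review bot: The new `PF_*` bits come in enable/disable pairs (`PF_PAGEEXEC`/`PF_NOPAGEEXEC`, `PF_MPROTECT`/`PF_NOMPROTECT`, and so on), but nothing here says what a program header with both bits of a pair set, or with neither, means. Since these bits are read from the binary being loaded, a comment above the block should document the precedence: what "neither bit" selects and how a contradictory pair is treated. That lets the loader and any tool that marks binaries agree on the encoding. The code that interprets the flags is outside this hunk.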
44328 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
44329  #define        EI_OSABI        7
44330  #define        EI_PAD          8
44331  
44332 +#define        EI_PAX          14
44333 +
44334  #define        ELFMAG0         0x7f            /* EI_MAG */
44335  #define        ELFMAG1         'E'
44336  #define        ELFMAG2         'L'
44337 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
44338  #define elf_note       elf32_note
44339  #define elf_addr_t     Elf32_Off
44340  #define Elf_Half       Elf32_Half
44341 +#define elf_dyn                Elf32_Dyn
44342  
44343  #else
44344  
44345 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
44346  #define elf_note       elf64_note
44347  #define elf_addr_t     Elf64_Off
44348  #define Elf_Half       Elf64_Half
44349 +#define elf_dyn                Elf64_Dyn
44350  
44351  #endif
44352  
44353 diff -urNp linux-2.6.35.5/include/linux/fs.h linux-2.6.35.5/include/linux/fs.h
44354 --- linux-2.6.35.5/include/linux/fs.h   2010-09-20 17:33:09.000000000 -0400
44355 +++ linux-2.6.35.5/include/linux/fs.h   2010-09-20 17:33:35.000000000 -0400
44356 @@ -90,6 +90,11 @@ struct inodes_stat_t {
44357  /* Expect random access pattern */
44358  #define FMODE_RANDOM           ((__force fmode_t)0x1000)
44359  
44360 +/* Hack for grsec so as not to require read permission simply to execute
44361 + * a binary
44362 + */
44363 +#define FMODE_GREXEC           ((__force fmode_t)0x2000)
44364 +
44365  /*
44366   * The below are the various read and write types that we support. Some of
44367   * them include behavioral modifiers that send information down to the
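Review bot: `FMODE_GREXEC` takes bit `0x2000`, directly after `FMODE_RANDOM` in the shared `fmode_t` space, and its comment calls it a hack without saying who may set the flag or which check honours it. Because the flag relaxes a read-permission requirement, the comment should state that only kernel code on the exec path sets it and that it is never derived from user-supplied open flags. Both facts are outside this hunk and should be confirmed there. The comment should also note that a later upstream flag assigned to `0x2000` would collide with it.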
44368 @@ -572,41 +577,41 @@ typedef int (*read_actor_t)(read_descrip
44369                 unsigned long, unsigned long);
44370  
44371  struct address_space_operations {
44372 -       int (*writepage)(struct page *page, struct writeback_control *wbc);
44373 -       int (*readpage)(struct file *, struct page *);
44374 -       void (*sync_page)(struct page *);
44375 +       int (* const writepage)(struct page *page, struct writeback_control *wbc);
44376 +       int (* const readpage)(struct file *, struct page *);
44377 +       void (* const sync_page)(struct page *);
44378  
44379         /* Write back some dirty pages from this mapping. */
44380 -       int (*writepages)(struct address_space *, struct writeback_control *);
44381 +       int (* const writepages)(struct address_space *, struct writeback_control *);
44382  
44383         /* Set a page dirty.  Return true if this dirtied it */
44384 -       int (*set_page_dirty)(struct page *page);
44385 +       int (* const set_page_dirty)(struct page *page);
44386  
44387 -       int (*readpages)(struct file *filp, struct address_space *mapping,
44388 +       int (* const readpages)(struct file *filp, struct address_space *mapping,
44389                         struct list_head *pages, unsigned nr_pages);
44390  
44391 -       int (*write_begin)(struct file *, struct address_space *mapping,
44392 +       int (* const write_begin)(struct file *, struct address_space *mapping,
44393                                 loff_t pos, unsigned len, unsigned flags,
44394                                 struct page **pagep, void **fsdata);
44395 -       int (*write_end)(struct file *, struct address_space *mapping,
44396 +       int (* const write_end)(struct file *, struct address_space *mapping,
44397                                 loff_t pos, unsigned len, unsigned copied,
44398                                 struct page *page, void *fsdata);
44399  
44400         /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
44401 -       sector_t (*bmap)(struct address_space *, sector_t);
44402 -       void (*invalidatepage) (struct page *, unsigned long);
44403 -       int (*releasepage) (struct page *, gfp_t);
44404 -       ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
44405 +       sector_t (* const bmap)(struct address_space *, sector_t);
44406 +       void (* const invalidatepage) (struct page *, unsigned long);
44407 +       int (* const releasepage) (struct page *, gfp_t);
44408 +       ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
44409                         loff_t offset, unsigned long nr_segs);
44410 -       int (*get_xip_mem)(struct address_space *, pgoff_t, int,
44411 +       int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
44412                                                 void **, unsigned long *);
44413         /* migrate the contents of a page to the specified target */
44414 -       int (*migratepage) (struct address_space *,
44415 +       int (* const migratepage) (struct address_space *,
44416                         struct page *, struct page *);
44417 -       int (*launder_page) (struct page *);
44418 -       int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
44419 +       int (* const launder_page) (struct page *);
44420 +       int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
44421                                         unsigned long);
44422 -       int (*error_remove_page)(struct address_space *, struct page *);
44423 +       int (* const error_remove_page)(struct address_space *, struct page *);
44424  };
44425  
44426  /*
44427 @@ -1036,19 +1041,19 @@ static inline int file_check_writeable(s
44428  typedef struct files_struct *fl_owner_t;
44429  
44430  struct file_lock_operations {
44431 -       void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44432 -       void (*fl_release_private)(struct file_lock *);
44433 +       void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44434 +       void (* const fl_release_private)(struct file_lock *);
44435  };
44436  
44437  struct lock_manager_operations {
44438 -       int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
44439 -       void (*fl_notify)(struct file_lock *);  /* unblock callback */
44440 -       int (*fl_grant)(struct file_lock *, struct file_lock *, int);
44441 -       void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
44442 -       void (*fl_release_private)(struct file_lock *);
44443 -       void (*fl_break)(struct file_lock *);
44444 -       int (*fl_mylease)(struct file_lock *, struct file_lock *);
44445 -       int (*fl_change)(struct file_lock **, int);
44446 +       int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
44447 +       void (* const fl_notify)(struct file_lock *);   /* unblock callback */
44448 +       int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
44449 +       void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
44450 +       void (* const fl_release_private)(struct file_lock *);
44451 +       void (* const fl_break)(struct file_lock *);
44452 +       int (* const fl_mylease)(struct file_lock *, struct file_lock *);
44453 +       int (* const fl_change)(struct file_lock **, int);
44454  };
44455  
44456  struct lock_manager {
44457 @@ -1441,7 +1446,7 @@ struct fiemap_extent_info {
44458         unsigned int fi_flags;          /* Flags as passed from user */
44459         unsigned int fi_extents_mapped; /* Number of mapped extents */
44460         unsigned int fi_extents_max;    /* Size of fiemap_extent array */
44461 -       struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
44462 +       struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
44463                                                  * array */
44464  };
44465  int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
44466 diff -urNp linux-2.6.35.5/include/linux/fs_struct.h linux-2.6.35.5/include/linux/fs_struct.h
44467 --- linux-2.6.35.5/include/linux/fs_struct.h    2010-08-26 19:47:12.000000000 -0400
44468 +++ linux-2.6.35.5/include/linux/fs_struct.h    2010-09-17 20:12:09.000000000 -0400
44469 @@ -4,7 +4,7 @@
44470  #include <linux/path.h>
44471  
44472  struct fs_struct {
44473 -       int users;
44474 +       atomic_t users;
44475         rwlock_t lock;
44476         int umask;
44477         int in_exec;
44478 diff -urNp linux-2.6.35.5/include/linux/genhd.h linux-2.6.35.5/include/linux/genhd.h
44479 --- linux-2.6.35.5/include/linux/genhd.h        2010-08-26 19:47:12.000000000 -0400
44480 +++ linux-2.6.35.5/include/linux/genhd.h        2010-09-17 20:12:09.000000000 -0400
44481 @@ -162,7 +162,7 @@ struct gendisk {
44482  
44483         struct timer_rand_state *random;
44484  
44485 -       atomic_t sync_io;               /* RAID */
44486 +       atomic_unchecked_t sync_io;     /* RAID */
44487         struct work_struct async_notify;
44488  #ifdef  CONFIG_BLK_DEV_INTEGRITY
44489         struct blk_integrity *integrity;
44490 diff -urNp linux-2.6.35.5/include/linux/gracl.h linux-2.6.35.5/include/linux/gracl.h
44491 --- linux-2.6.35.5/include/linux/gracl.h        1969-12-31 19:00:00.000000000 -0500
44492 +++ linux-2.6.35.5/include/linux/gracl.h        2010-09-17 20:12:37.000000000 -0400
44493 @@ -0,0 +1,310 @@
44494 +#ifndef GR_ACL_H
44495 +#define GR_ACL_H
44496 +
44497 +#include <linux/grdefs.h>
44498 +#include <linux/resource.h>
44499 +#include <linux/capability.h>
44500 +#include <linux/dcache.h>
44501 +#include <asm/resource.h>
44502 +
44503 +/* Major status information */
44504 +
44505 +#define GR_VERSION  "grsecurity 2.2.0"
44506 +#define GRSECURITY_VERSION 0x2200
44507 +
44508 +enum {
44509 +       GR_SHUTDOWN = 0,
44510 +       GR_ENABLE = 1,
44511 +       GR_SPROLE = 2,
44512 +       GR_RELOAD = 3,
44513 +       GR_SEGVMOD = 4,
44514 +       GR_STATUS = 5,
44515 +       GR_UNSPROLE = 6,
44516 +       GR_PASSSET = 7,
44517 +       GR_SPROLEPAM = 8,
44518 +};
44519 +
44520 +/* Password setup definitions
44521 + * kernel/grhash.c */
44522 +enum {
44523 +       GR_PW_LEN = 128,
44524 +       GR_SALT_LEN = 16,
44525 +       GR_SHA_LEN = 32,
44526 +};
44527 +
44528 +enum {
44529 +       GR_SPROLE_LEN = 64,
44530 +};
44531 +
44532 +#define GR_NLIMITS 32
44533 +
44534 +/* Begin Data Structures */
44535 +
44536 +struct sprole_pw {
44537 +       unsigned char *rolename;
44538 +       unsigned char salt[GR_SALT_LEN];
44539 +       unsigned char sum[GR_SHA_LEN];  /* 256-bit SHA hash of the password */
44540 +};
44541 +
44542 +struct name_entry {
44543 +       __u32 key;
44544 +       ino_t inode;
44545 +       dev_t device;
44546 +       char *name;
44547 +       __u16 len;
44548 +       __u8 deleted;
44549 +       struct name_entry *prev;
44550 +       struct name_entry *next;
44551 +};
44552 +
44553 +struct inodev_entry {
44554 +       struct name_entry *nentry;
44555 +       struct inodev_entry *prev;
44556 +       struct inodev_entry *next;
44557 +};
44558 +
44559 +struct acl_role_db {
44560 +       struct acl_role_label **r_hash;
44561 +       __u32 r_size;
44562 +};
44563 +
44564 +struct inodev_db {
44565 +       struct inodev_entry **i_hash;
44566 +       __u32 i_size;
44567 +};
44568 +
44569 +struct name_db {
44570 +       struct name_entry **n_hash;
44571 +       __u32 n_size;
44572 +};
44573 +
44574 +struct crash_uid {
44575 +       uid_t uid;
44576 +       unsigned long expires;
44577 +};
44578 +
44579 +struct gr_hash_struct {
44580 +       void **table;
44581 +       void **nametable;
44582 +       void *first;
44583 +       __u32 table_size;
44584 +       __u32 used_size;
44585 +       int type;
44586 +};
44587 +
44588 +/* Userspace Grsecurity ACL data structures */
44589 +
44590 +struct acl_subject_label {
44591 +       char *filename;
44592 +       ino_t inode;
44593 +       dev_t device;
44594 +       __u32 mode;
44595 +       kernel_cap_t cap_mask;
44596 +       kernel_cap_t cap_lower;
44597 +       kernel_cap_t cap_invert_audit;
44598 +
44599 +       struct rlimit res[GR_NLIMITS];
44600 +       __u32 resmask;
44601 +
44602 +       __u8 user_trans_type;
44603 +       __u8 group_trans_type;
44604 +       uid_t *user_transitions;
44605 +       gid_t *group_transitions;
44606 +       __u16 user_trans_num;
44607 +       __u16 group_trans_num;
44608 +
44609 +       __u32 ip_proto[8];
44610 +       __u32 ip_type;
44611 +       struct acl_ip_label **ips;
44612 +       __u32 ip_num;
44613 +       __u32 inaddr_any_override;
44614 +
44615 +       __u32 crashes;
44616 +       unsigned long expires;
44617 +
44618 +       struct acl_subject_label *parent_subject;
44619 +       struct gr_hash_struct *hash;
44620 +       struct acl_subject_label *prev;
44621 +       struct acl_subject_label *next;
44622 +
44623 +       struct acl_object_label **obj_hash;
44624 +       __u32 obj_hash_size;
44625 +       __u16 pax_flags;
44626 +};
44627 +
44628 +struct role_allowed_ip {
44629 +       __u32 addr;
44630 +       __u32 netmask;
44631 +
44632 +       struct role_allowed_ip *prev;
44633 +       struct role_allowed_ip *next;
44634 +};
44635 +
44636 +struct role_transition {
44637 +       char *rolename;
44638 +
44639 +       struct role_transition *prev;
44640 +       struct role_transition *next;
44641 +};
44642 +
44643 +struct acl_role_label {
44644 +       char *rolename;
44645 +       uid_t uidgid;
44646 +       __u16 roletype;
44647 +
44648 +       __u16 auth_attempts;
44649 +       unsigned long expires;
44650 +
44651 +       struct acl_subject_label *root_label;
44652 +       struct gr_hash_struct *hash;
44653 +
44654 +       struct acl_role_label *prev;
44655 +       struct acl_role_label *next;
44656 +
44657 +       struct role_transition *transitions;
44658 +       struct role_allowed_ip *allowed_ips;
44659 +       uid_t *domain_children;
44660 +       __u16 domain_child_num;
44661 +
44662 +       struct acl_subject_label **subj_hash;
44663 +       __u32 subj_hash_size;
44664 +};
44665 +
44666 +struct user_acl_role_db {
44667 +       struct acl_role_label **r_table;
44668 +       __u32 num_pointers;             /* Number of allocations to track */
44669 +       __u32 num_roles;                /* Number of roles */
44670 +       __u32 num_domain_children;      /* Number of domain children */
44671 +       __u32 num_subjects;             /* Number of subjects */
44672 +       __u32 num_objects;              /* Number of objects */
44673 +};
44674 +
44675 +struct acl_object_label {
44676 +       char *filename;
44677 +       ino_t inode;
44678 +       dev_t device;
44679 +       __u32 mode;
44680 +
44681 +       struct acl_subject_label *nested;
44682 +       struct acl_object_label *globbed;
44683 +
44684 +       /* next two structures not used */
44685 +
44686 +       struct acl_object_label *prev;
44687 +       struct acl_object_label *next;
44688 +};
44689 +
44690 +struct acl_ip_label {
44691 +       char *iface;
44692 +       __u32 addr;
44693 +       __u32 netmask;
44694 +       __u16 low, high;
44695 +       __u8 mode;
44696 +       __u32 type;
44697 +       __u32 proto[8];
44698 +
44699 +       /* next two structures not used */
44700 +
44701 +       struct acl_ip_label *prev;
44702 +       struct acl_ip_label *next;
44703 +};
44704 +
44705 +struct gr_arg {
44706 +       struct user_acl_role_db role_db;
44707 +       unsigned char pw[GR_PW_LEN];
44708 +       unsigned char salt[GR_SALT_LEN];
44709 +       unsigned char sum[GR_SHA_LEN];
44710 +       unsigned char sp_role[GR_SPROLE_LEN];
44711 +       struct sprole_pw *sprole_pws;
44712 +       dev_t segv_device;
44713 +       ino_t segv_inode;
44714 +       uid_t segv_uid;
44715 +       __u16 num_sprole_pws;
44716 +       __u16 mode;
44717 +};
44718 +
44719 +struct gr_arg_wrapper {
44720 +       struct gr_arg *arg;
44721 +       __u32 version;
44722 +       __u32 size;
44723 +};
44724 +
44725 +struct subject_map {
44726 +       struct acl_subject_label *user;
44727 +       struct acl_subject_label *kernel;
44728 +       struct subject_map *prev;
44729 +       struct subject_map *next;
44730 +};
44731 +
44732 +struct acl_subj_map_db {
44733 +       struct subject_map **s_hash;
44734 +       __u32 s_size;
44735 +};
44736 +
44737 +/* End Data Structures Section */
44738 +
44739 +/* Hash functions generated by empirical testing by Brad Spengler
44740 +   Makes good use of the low bits of the inode.  Generally 0-1 times
44741 +   in loop for successful match.  0-3 for unsuccessful match.
44742 +   Shift/add algorithm with modulus of table size and an XOR*/
44743 +
44744 +static __inline__ unsigned int
44745 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
44746 +{
44747 +       return ((((uid + type) << (16 + type)) ^ uid) % sz);
44748 +}
44749 +
44750 + static __inline__ unsigned int
44751 +shash(const struct acl_subject_label *userp, const unsigned int sz)
44752 +{
44753 +       return ((const unsigned long)userp % sz);
44754 +}
44755 +
44756 +static __inline__ unsigned int
44757 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
44758 +{
44759 +       return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
44760 +}
44761 +
44762 +static __inline__ unsigned int
44763 +nhash(const char *name, const __u16 len, const unsigned int sz)
44764 +{
44765 +       return full_name_hash((const unsigned char *)name, len) % sz;
44766 +}
44767 +
44768 +#define FOR_EACH_ROLE_START(role) \
44769 +       role = role_list; \
44770 +       while (role) {
44771 +
44772 +#define FOR_EACH_ROLE_END(role) \
44773 +               role = role->prev; \
44774 +       }
44775 +
44776 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
44777 +       subj = NULL; \
44778 +       iter = 0; \
44779 +       while (iter < role->subj_hash_size) { \
44780 +               if (subj == NULL) \
44781 +                       subj = role->subj_hash[iter]; \
44782 +               if (subj == NULL) { \
44783 +                       iter++; \
44784 +                       continue; \
44785 +               }
44786 +
44787 +#define FOR_EACH_SUBJECT_END(subj,iter) \
44788 +               subj = subj->next; \
44789 +               if (subj == NULL) \
44790 +                       iter++; \
44791 +       }
44792 +
44793 +
44794 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
44795 +       subj = role->hash->first; \
44796 +       while (subj != NULL) {
44797 +
44798 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
44799 +               subj = subj->next; \
44800 +       }
44801 +
44802 +#endif
44803 +
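Review bot: In `rhash()` the shift count is `16 + type` with `type` a `__u16`, and nothing in this header bounds it. The role flags in grdefs.h run up to 0x0400, so an unmasked `roletype` would shift by far more than the width of the operand, which is undefined behaviour. The callers are outside this hunk and may already pass only `GR_ROLE_USER` or `GR_ROLE_GROUP`; the header should state that, for example `/* type: GR_ROLE_USER or GR_ROLE_GROUP only; sz must be non-zero */` above the function. The non-zero `sz` precondition applies equally to `shash()`, `fhash()` and `nhash()`, since each ends in `% sz`. It matters most for `subj_hash_size` and `obj_hash_size`, which sit in structures this file lists under "Userspace Grsecurity ACL data structures".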
44804 diff -urNp linux-2.6.35.5/include/linux/gralloc.h linux-2.6.35.5/include/linux/gralloc.h
44805 --- linux-2.6.35.5/include/linux/gralloc.h      1969-12-31 19:00:00.000000000 -0500
44806 +++ linux-2.6.35.5/include/linux/gralloc.h      2010-09-17 20:12:37.000000000 -0400
44807 @@ -0,0 +1,9 @@
44808 +#ifndef __GRALLOC_H
44809 +#define __GRALLOC_H
44810 +
44811 +void acl_free_all(void);
44812 +int acl_alloc_stack_init(unsigned long size);
44813 +void *acl_alloc(unsigned long len);
44814 +void *acl_alloc_num(unsigned long num, unsigned long len);
44815 +
44816 +#endif
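Review bot: `acl_alloc_num(num, len)` takes a count and an element size, but the header does not say whether the product is checked for overflow or what is returned on failure; the implementation is not in this hunk. The `num_*` counts in `struct user_acl_role_db` (gracl.h) are listed under the userspace data structures, so if any of them reach this call the check matters. A one-line contract above the prototypes would settle it, e.g. `/* acl_alloc_num: returns NULL if num * len overflows or the pool is exhausted */`, adjusted to what the implementation actually does.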
44817 diff -urNp linux-2.6.35.5/include/linux/grdefs.h linux-2.6.35.5/include/linux/grdefs.h
44818 --- linux-2.6.35.5/include/linux/grdefs.h       1969-12-31 19:00:00.000000000 -0500
44819 +++ linux-2.6.35.5/include/linux/grdefs.h       2010-09-17 20:12:37.000000000 -0400
44820 @@ -0,0 +1,136 @@
44821 +#ifndef GRDEFS_H
44822 +#define GRDEFS_H
44823 +
44824 +/* Begin grsecurity status declarations */
44825 +
44826 +enum {
44827 +       GR_READY = 0x01,
44828 +       GR_STATUS_INIT = 0x00   // disabled state
44829 +};
44830 +
44831 +/* Begin  ACL declarations */
44832 +
44833 +/* Role flags */
44834 +
44835 +enum {
44836 +       GR_ROLE_USER = 0x0001,
44837 +       GR_ROLE_GROUP = 0x0002,
44838 +       GR_ROLE_DEFAULT = 0x0004,
44839 +       GR_ROLE_SPECIAL = 0x0008,
44840 +       GR_ROLE_AUTH = 0x0010,
44841 +       GR_ROLE_NOPW = 0x0020,
44842 +       GR_ROLE_GOD = 0x0040,
44843 +       GR_ROLE_LEARN = 0x0080,
44844 +       GR_ROLE_TPE = 0x0100,
44845 +       GR_ROLE_DOMAIN = 0x0200,
44846 +       GR_ROLE_PAM = 0x0400
44847 +};
44848 +
44849 +/* ACL Subject and Object mode flags */
44850 +enum {
44851 +       GR_DELETED = 0x80000000
44852 +};
44853 +
44854 +/* ACL Object-only mode flags */
44855 +enum {
44856 +       GR_READ         = 0x00000001,
44857 +       GR_APPEND       = 0x00000002,
44858 +       GR_WRITE        = 0x00000004,
44859 +       GR_EXEC         = 0x00000008,
44860 +       GR_FIND         = 0x00000010,
44861 +       GR_INHERIT      = 0x00000020,
44862 +       GR_SETID        = 0x00000040,
44863 +       GR_CREATE       = 0x00000080,
44864 +       GR_DELETE       = 0x00000100,
44865 +       GR_LINK         = 0x00000200,
44866 +       GR_AUDIT_READ   = 0x00000400,
44867 +       GR_AUDIT_APPEND = 0x00000800,
44868 +       GR_AUDIT_WRITE  = 0x00001000,
44869 +       GR_AUDIT_EXEC   = 0x00002000,
44870 +       GR_AUDIT_FIND   = 0x00004000,
44871 +       GR_AUDIT_INHERIT= 0x00008000,
44872 +       GR_AUDIT_SETID  = 0x00010000,
44873 +       GR_AUDIT_CREATE = 0x00020000,
44874 +       GR_AUDIT_DELETE = 0x00040000,
44875 +       GR_AUDIT_LINK   = 0x00080000,
44876 +       GR_PTRACERD     = 0x00100000,
44877 +       GR_NOPTRACE     = 0x00200000,
44878 +       GR_SUPPRESS     = 0x00400000,
44879 +       GR_NOLEARN      = 0x00800000
44880 +};
44881 +
44882 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
44883 +                  GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
44884 +                  GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
44885 +
44886 +/* ACL subject-only mode flags */
44887 +enum {
44888 +       GR_KILL         = 0x00000001,
44889 +       GR_VIEW         = 0x00000002,
44890 +       GR_PROTECTED    = 0x00000004,
44891 +       GR_LEARN        = 0x00000008,
44892 +       GR_OVERRIDE     = 0x00000010,
44893 +       /* just a placeholder, this mode is only used in userspace */
44894 +       GR_DUMMY        = 0x00000020,
44895 +       GR_PROTSHM      = 0x00000040,
44896 +       GR_KILLPROC     = 0x00000080,
44897 +       GR_KILLIPPROC   = 0x00000100,
44898 +       /* just a placeholder, this mode is only used in userspace */
44899 +       GR_NOTROJAN     = 0x00000200,
44900 +       GR_PROTPROCFD   = 0x00000400,
44901 +       GR_PROCACCT     = 0x00000800,
44902 +       GR_RELAXPTRACE  = 0x00001000,
44903 +       GR_NESTED       = 0x00002000,
44904 +       GR_INHERITLEARN = 0x00004000,
44905 +       GR_PROCFIND     = 0x00008000,
44906 +       GR_POVERRIDE    = 0x00010000,
44907 +       GR_KERNELAUTH   = 0x00020000,
44908 +};
44909 +
44910 +enum {
44911 +       GR_PAX_ENABLE_SEGMEXEC  = 0x0001,
44912 +       GR_PAX_ENABLE_PAGEEXEC  = 0x0002,
44913 +       GR_PAX_ENABLE_MPROTECT  = 0x0004,
44914 +       GR_PAX_ENABLE_RANDMMAP  = 0x0008,
44915 +       GR_PAX_ENABLE_EMUTRAMP  = 0x0010,
44916 +       GR_PAX_DISABLE_SEGMEXEC = 0x0100,
44917 +       GR_PAX_DISABLE_PAGEEXEC = 0x0200,
44918 +       GR_PAX_DISABLE_MPROTECT = 0x0400,
44919 +       GR_PAX_DISABLE_RANDMMAP = 0x0800,
44920 +       GR_PAX_DISABLE_EMUTRAMP = 0x1000,
44921 +};
44922 +
44923 +enum {
44924 +       GR_ID_USER      = 0x01,
44925 +       GR_ID_GROUP     = 0x02,
44926 +};
44927 +
44928 +enum {
44929 +       GR_ID_ALLOW     = 0x01,
44930 +       GR_ID_DENY      = 0x02,
44931 +};
44932 +
44933 +#define GR_CRASH_RES   31
44934 +#define GR_UIDTABLE_MAX 500
44935 +
44936 +/* begin resource learning section */
44937 +enum {
44938 +       GR_RLIM_CPU_BUMP = 60,
44939 +       GR_RLIM_FSIZE_BUMP = 50000,
44940 +       GR_RLIM_DATA_BUMP = 10000,
44941 +       GR_RLIM_STACK_BUMP = 1000,
44942 +       GR_RLIM_CORE_BUMP = 10000,
44943 +       GR_RLIM_RSS_BUMP = 500000,
44944 +       GR_RLIM_NPROC_BUMP = 1,
44945 +       GR_RLIM_NOFILE_BUMP = 5,
44946 +       GR_RLIM_MEMLOCK_BUMP = 50000,
44947 +       GR_RLIM_AS_BUMP = 500000,
44948 +       GR_RLIM_LOCKS_BUMP = 2,
44949 +       GR_RLIM_SIGPENDING_BUMP = 5,
44950 +       GR_RLIM_MSGQUEUE_BUMP = 10000,
44951 +       GR_RLIM_NICE_BUMP = 1,
44952 +       GR_RLIM_RTPRIO_BUMP = 1,
44953 +       GR_RLIM_RTTIME_BUMP = 1000000
44954 +};
44955 +
44956 +#endif
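Review bot: `GR_DELETED = 0x80000000` in the "ACL Subject and Object mode flags" enum does not fit in `int`, which ISO C requires of an enumeration constant. GCC accepts it as an extension, but the constant then has a different type from every other flag in this file. The flag is presumably combined with the `__u32 mode` fields declared in gracl.h, so an explicitly unsigned constant states the intent and avoids sign-extension surprises in comparisons: `#define GR_DELETED 0x80000000U`. As a smaller style point, the `//` comment on `GR_STATUS_INIT` is the only one of its kind in a file that otherwise uses `/* */`.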
44957 diff -urNp linux-2.6.35.5/include/linux/grinternal.h linux-2.6.35.5/include/linux/grinternal.h
44958 --- linux-2.6.35.5/include/linux/grinternal.h   1969-12-31 19:00:00.000000000 -0500
44959 +++ linux-2.6.35.5/include/linux/grinternal.h   2010-09-17 20:12:37.000000000 -0400
44960 @@ -0,0 +1,211 @@
44961 +#ifndef __GRINTERNAL_H
44962 +#define __GRINTERNAL_H
44963 +
44964 +#ifdef CONFIG_GRKERNSEC
44965 +
44966 +#include <linux/fs.h>
44967 +#include <linux/mnt_namespace.h>
44968 +#include <linux/nsproxy.h>
44969 +#include <linux/gracl.h>
44970 +#include <linux/grdefs.h>
44971 +#include <linux/grmsg.h>
44972 +
44973 +void gr_add_learn_entry(const char *fmt, ...)
44974 +       __attribute__ ((format (printf, 1, 2)));
44975 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
44976 +                           const struct vfsmount *mnt);
44977 +__u32 gr_check_create(const struct dentry *new_dentry,
44978 +                            const struct dentry *parent,
44979 +                            const struct vfsmount *mnt, const __u32 mode);
44980 +int gr_check_protected_task(const struct task_struct *task);
44981 +__u32 to_gr_audit(const __u32 reqmode);
44982 +int gr_set_acls(const int type);
44983 +
44984 +int gr_acl_is_enabled(void);
44985 +char gr_roletype_to_char(void);
44986 +
44987 +void gr_handle_alertkill(struct task_struct *task);
44988 +char *gr_to_filename(const struct dentry *dentry,
44989 +                           const struct vfsmount *mnt);
44990 +char *gr_to_filename1(const struct dentry *dentry,
44991 +                           const struct vfsmount *mnt);
44992 +char *gr_to_filename2(const struct dentry *dentry,
44993 +                           const struct vfsmount *mnt);
44994 +char *gr_to_filename3(const struct dentry *dentry,
44995 +                           const struct vfsmount *mnt);
44996 +
44997 +extern int grsec_enable_harden_ptrace;
44998 +extern int grsec_enable_link;
44999 +extern int grsec_enable_fifo;
45000 +extern int grsec_enable_execve;
45001 +extern int grsec_enable_shm;
45002 +extern int grsec_enable_execlog;
45003 +extern int grsec_enable_signal;
45004 +extern int grsec_enable_audit_ptrace;
45005 +extern int grsec_enable_forkfail;
45006 +extern int grsec_enable_time;
45007 +extern int grsec_enable_rofs;
45008 +extern int grsec_enable_chroot_shmat;
45009 +extern int grsec_enable_chroot_findtask;
45010 +extern int grsec_enable_chroot_mount;
45011 +extern int grsec_enable_chroot_double;
45012 +extern int grsec_enable_chroot_pivot;
45013 +extern int grsec_enable_chroot_chdir;
45014 +extern int grsec_enable_chroot_chmod;
45015 +extern int grsec_enable_chroot_mknod;
45016 +extern int grsec_enable_chroot_fchdir;
45017 +extern int grsec_enable_chroot_nice;
45018 +extern int grsec_enable_chroot_execlog;
45019 +extern int grsec_enable_chroot_caps;
45020 +extern int grsec_enable_chroot_sysctl;
45021 +extern int grsec_enable_chroot_unix;
45022 +extern int grsec_enable_tpe;
45023 +extern int grsec_tpe_gid;
45024 +extern int grsec_enable_tpe_all;
45025 +extern int grsec_enable_tpe_invert;
45026 +extern int grsec_enable_socket_all;
45027 +extern int grsec_socket_all_gid;
45028 +extern int grsec_enable_socket_client;
45029 +extern int grsec_socket_client_gid;
45030 +extern int grsec_enable_socket_server;
45031 +extern int grsec_socket_server_gid;
45032 +extern int grsec_audit_gid;
45033 +extern int grsec_enable_group;
45034 +extern int grsec_enable_audit_textrel;
45035 +extern int grsec_enable_mount;
45036 +extern int grsec_enable_chdir;
45037 +extern int grsec_resource_logging;
45038 +extern int grsec_enable_blackhole;
45039 +extern int grsec_lastack_retries;
45040 +extern int grsec_lock;
45041 +
45042 +extern spinlock_t grsec_alert_lock;
45043 +extern unsigned long grsec_alert_wtime;
45044 +extern unsigned long grsec_alert_fyet;
45045 +
45046 +extern spinlock_t grsec_audit_lock;
45047 +
45048 +extern rwlock_t grsec_exec_file_lock;
45049 +
45050 +#define gr_task_fullpath(tsk) (tsk->exec_file ? \
45051 +                       gr_to_filename2(tsk->exec_file->f_path.dentry, \
45052 +                       tsk->exec_file->f_vfsmnt) : "/")
45053 +
45054 +#define gr_parent_task_fullpath(tsk) (tsk->parent->exec_file ? \
45055 +                       gr_to_filename3(tsk->parent->exec_file->f_path.dentry, \
45056 +                       tsk->parent->exec_file->f_vfsmnt) : "/")
45057 +
45058 +#define gr_task_fullpath0(tsk) (tsk->exec_file ? \
45059 +                       gr_to_filename(tsk->exec_file->f_path.dentry, \
45060 +                       tsk->exec_file->f_vfsmnt) : "/")
45061 +
45062 +#define gr_parent_task_fullpath0(tsk) (tsk->parent->exec_file ? \
45063 +                       gr_to_filename1(tsk->parent->exec_file->f_path.dentry, \
45064 +                       tsk->parent->exec_file->f_vfsmnt) : "/")
45065 +
45066 +#define proc_is_chrooted(tsk_a)  (tsk_a->gr_is_chrooted)
45067 +
45068 +#define have_same_root(tsk_a,tsk_b) (tsk_a->gr_chroot_dentry == tsk_b->gr_chroot_dentry)
45069 +
45070 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), task->comm, \
45071 +                      task->pid, cred->uid, \
45072 +                      cred->euid, cred->gid, cred->egid, \
45073 +                      gr_parent_task_fullpath(task), \
45074 +                      task->parent->comm, task->parent->pid, \
45075 +                      pcred->uid, pcred->euid, \
45076 +                      pcred->gid, pcred->egid
45077 +
45078 +#define GR_CHROOT_CAPS {{ \
45079 +       CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
45080 +       CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
45081 +       CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
45082 +       CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
45083 +       CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
45084 +       CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
45085 +
45086 +#define security_learn(normal_msg,args...) \
45087 +({ \
45088 +       read_lock(&grsec_exec_file_lock); \
45089 +       gr_add_learn_entry(normal_msg "\n", ## args); \
45090 +       read_unlock(&grsec_exec_file_lock); \
45091 +})
45092 +
45093 +enum {
45094 +       GR_DO_AUDIT,
45095 +       GR_DONT_AUDIT,
45096 +       GR_DONT_AUDIT_GOOD
45097 +};
45098 +
45099 +enum {
45100 +       GR_TTYSNIFF,
45101 +       GR_RBAC,
45102 +       GR_RBAC_STR,
45103 +       GR_STR_RBAC,
45104 +       GR_RBAC_MODE2,
45105 +       GR_RBAC_MODE3,
45106 +       GR_FILENAME,
45107 +       GR_SYSCTL_HIDDEN,
45108 +       GR_NOARGS,
45109 +       GR_ONE_INT,
45110 +       GR_ONE_INT_TWO_STR,
45111 +       GR_ONE_STR,
45112 +       GR_STR_INT,
45113 +       GR_TWO_INT,
45114 +       GR_THREE_INT,
45115 +       GR_FIVE_INT_TWO_STR,
45116 +       GR_TWO_STR,
45117 +       GR_THREE_STR,
45118 +       GR_FOUR_STR,
45119 +       GR_STR_FILENAME,
45120 +       GR_FILENAME_STR,
45121 +       GR_FILENAME_TWO_INT,
45122 +       GR_FILENAME_TWO_INT_STR,
45123 +       GR_TEXTREL,
45124 +       GR_PTRACE,
45125 +       GR_RESOURCE,
45126 +       GR_CAP,
45127 +       GR_SIG,
45128 +       GR_SIG2,
45129 +       GR_CRASH1,
45130 +       GR_CRASH2,
45131 +       GR_PSACCT
45132 +};
45133 +
45134 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
45135 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
45136 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
45137 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
45138 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
45139 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
45140 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
45141 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
45142 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
45143 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
45144 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
45145 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
45146 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
45147 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
45148 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
45149 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
45150 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
45151 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
45152 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
45153 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
45154 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
45155 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
45156 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
45157 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
45158 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
45159 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
45160 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
45161 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
45162 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
45163 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
45164 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
45165 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
45166 +
45167 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
45168 +
45169 +#endif
45170 +
45171 +#endif
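Review bot: `gr_log_int5_str2` is tagged `GR_FIVE_INT_TWO_STR` but forwards only two integers (`num1, num2`) and two strings to `gr_log_varargs`. That function is only declared here, so this hunk does not show whether its handler for the tag reads two or five integers with `va_arg`; if it reads five, it consumes arguments that were never passed. The prototype carries no `format` attribute (unlike `gr_add_learn_entry` above it), so the compiler cannot catch a mismatch between the tag, the message's conversions and the arguments. If two integers is right, rename the pair or document each tag's argument list next to the enum, e.g. `GR_FIVE_INT_TWO_STR, /* int, int, char *, char * */`. The path macros (`gr_task_fullpath` and friends) also expand `tsk` several times without parentheses, so they should only be given a plain identifier.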
45172 diff -urNp linux-2.6.35.5/include/linux/grmsg.h linux-2.6.35.5/include/linux/grmsg.h
45173 --- linux-2.6.35.5/include/linux/grmsg.h        1969-12-31 19:00:00.000000000 -0500
45174 +++ linux-2.6.35.5/include/linux/grmsg.h        2010-09-23 20:39:33.000000000 -0400
45175 @@ -0,0 +1,108 @@
45176 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
45177 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
45178 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
45179 +#define GR_STOPMOD_MSG "denied modification of module state by "
45180 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
45181 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
45182 +#define GR_IOPERM_MSG "denied use of ioperm() by "
45183 +#define GR_IOPL_MSG "denied use of iopl() by "
45184 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
45185 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
45186 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
45187 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
45188 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
45189 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
45190 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
45191 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
45192 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
45193 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
45194 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
45195 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
45196 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
45197 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
45198 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
45199 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
45200 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
45201 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
45202 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
45203 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
45204 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
45205 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
45206 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
45207 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
45208 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
45209 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
45210 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
45211 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
45212 +#define GR_NPROC_MSG "denied overstep of process limit by "
45213 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
45214 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
45215 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
45216 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
45217 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
45218 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
45219 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
45220 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
45221 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
45222 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
45223 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
45224 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
45225 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
45226 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
45227 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
45228 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
45229 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
45230 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
45231 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
45232 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
45233 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
45234 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
45235 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
45236 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
45237 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
45238 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
45239 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
45240 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
45241 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
45242 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
45243 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
45244 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
45245 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
45246 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
45247 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
45248 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
45249 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
45250 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
45251 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
45252 +#define GR_NICE_CHROOT_MSG "denied priority change by "
45253 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
45254 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
45255 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
45256 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
45257 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
45258 +#define GR_TIME_MSG "time set by "
45259 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
45260 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
45261 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
45262 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
45263 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
45264 +#define GR_BIND_MSG "denied bind() by "
45265 +#define GR_CONNECT_MSG "denied connect() by "
45266 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
45267 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
45268 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
45269 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
45270 +#define GR_CAP_ACL_MSG "use of %s denied for "
45271 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
45272 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
45273 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
45274 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
45275 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
45276 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
45277 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
45278 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
45279 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
45280 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
45281 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
45282 +#define GR_VM86_MSG "denied use of vm86 by "
45283 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
45284 diff -urNp linux-2.6.35.5/include/linux/grsecurity.h linux-2.6.35.5/include/linux/grsecurity.h
45285 --- linux-2.6.35.5/include/linux/grsecurity.h   1969-12-31 19:00:00.000000000 -0500
45286 +++ linux-2.6.35.5/include/linux/grsecurity.h   2010-09-17 20:12:37.000000000 -0400
45287 @@ -0,0 +1,203 @@
45288 +#ifndef GR_SECURITY_H
45289 +#define GR_SECURITY_H
45290 +#include <linux/fs.h>
45291 +#include <linux/fs_struct.h>
45292 +#include <linux/binfmts.h>
45293 +#include <linux/gracl.h>
45294 +
45295 +/* notify of brain-dead configs */
45296 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
45297 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
45298 +#endif
45299 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45300 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45301 +#endif
45302 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
45303 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
45304 +#endif
45305 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
45306 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
45307 +#endif
45308 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
45309 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
45310 +#endif
45311 +
45312 +void gr_handle_brute_attach(struct task_struct *p);
45313 +void gr_handle_brute_check(void);
45314 +
45315 +char gr_roletype_to_char(void);
45316 +
45317 +int gr_check_user_change(int real, int effective, int fs);
45318 +int gr_check_group_change(int real, int effective, int fs);
45319 +
45320 +void gr_del_task_from_ip_table(struct task_struct *p);
45321 +
45322 +int gr_pid_is_chrooted(struct task_struct *p);
45323 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
45324 +int gr_handle_chroot_nice(void);
45325 +int gr_handle_chroot_sysctl(const int op);
45326 +int gr_handle_chroot_setpriority(struct task_struct *p,
45327 +                                       const int niceval);
45328 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
45329 +int gr_handle_chroot_chroot(const struct dentry *dentry,
45330 +                                  const struct vfsmount *mnt);
45331 +int gr_handle_chroot_caps(struct path *path);
45332 +void gr_handle_chroot_chdir(struct path *path);
45333 +int gr_handle_chroot_chmod(const struct dentry *dentry,
45334 +                                 const struct vfsmount *mnt, const int mode);
45335 +int gr_handle_chroot_mknod(const struct dentry *dentry,
45336 +                                 const struct vfsmount *mnt, const int mode);
45337 +int gr_handle_chroot_mount(const struct dentry *dentry,
45338 +                                 const struct vfsmount *mnt,
45339 +                                 const char *dev_name);
45340 +int gr_handle_chroot_pivot(void);
45341 +int gr_handle_chroot_unix(const pid_t pid);
45342 +
45343 +int gr_handle_rawio(const struct inode *inode);
45344 +int gr_handle_nproc(void);
45345 +
45346 +void gr_handle_ioperm(void);
45347 +void gr_handle_iopl(void);
45348 +
45349 +int gr_tpe_allow(const struct file *file);
45350 +
45351 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
45352 +void gr_clear_chroot_entries(struct task_struct *task);
45353 +
45354 +void gr_log_forkfail(const int retval);
45355 +void gr_log_timechange(void);
45356 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
45357 +void gr_log_chdir(const struct dentry *dentry,
45358 +                        const struct vfsmount *mnt);
45359 +void gr_log_chroot_exec(const struct dentry *dentry,
45360 +                              const struct vfsmount *mnt);
45361 +void gr_handle_exec_args(struct linux_binprm *bprm, char **argv);
45362 +void gr_log_remount(const char *devname, const int retval);
45363 +void gr_log_unmount(const char *devname, const int retval);
45364 +void gr_log_mount(const char *from, const char *to, const int retval);
45365 +void gr_log_textrel(struct vm_area_struct *vma);
45366 +
45367 +int gr_handle_follow_link(const struct inode *parent,
45368 +                                const struct inode *inode,
45369 +                                const struct dentry *dentry,
45370 +                                const struct vfsmount *mnt);
45371 +int gr_handle_fifo(const struct dentry *dentry,
45372 +                         const struct vfsmount *mnt,
45373 +                         const struct dentry *dir, const int flag,
45374 +                         const int acc_mode);
45375 +int gr_handle_hardlink(const struct dentry *dentry,
45376 +                             const struct vfsmount *mnt,
45377 +                             struct inode *inode,
45378 +                             const int mode, const char *to);
45379 +
45380 +int gr_is_capable(const int cap);
45381 +int gr_is_capable_nolog(const int cap);
45382 +void gr_learn_resource(const struct task_struct *task, const int limit,
45383 +                             const unsigned long wanted, const int gt);
45384 +void gr_copy_label(struct task_struct *tsk);
45385 +void gr_handle_crash(struct task_struct *task, const int sig);
45386 +int gr_handle_signal(const struct task_struct *p, const int sig);
45387 +int gr_check_crash_uid(const uid_t uid);
45388 +int gr_check_protected_task(const struct task_struct *task);
45389 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
45390 +int gr_acl_handle_mmap(const struct file *file,
45391 +                             const unsigned long prot);
45392 +int gr_acl_handle_mprotect(const struct file *file,
45393 +                                 const unsigned long prot);
45394 +int gr_check_hidden_task(const struct task_struct *tsk);
45395 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
45396 +                                   const struct vfsmount *mnt);
45397 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
45398 +                                const struct vfsmount *mnt);
45399 +__u32 gr_acl_handle_access(const struct dentry *dentry,
45400 +                                 const struct vfsmount *mnt, const int fmode);
45401 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
45402 +                                 const struct vfsmount *mnt, mode_t mode);
45403 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
45404 +                                const struct vfsmount *mnt, mode_t mode);
45405 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
45406 +                                const struct vfsmount *mnt);
45407 +int gr_handle_ptrace(struct task_struct *task, const long request);
45408 +int gr_handle_proc_ptrace(struct task_struct *task);
45409 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
45410 +                                 const struct vfsmount *mnt);
45411 +int gr_check_crash_exec(const struct file *filp);
45412 +int gr_acl_is_enabled(void);
45413 +void gr_set_kernel_label(struct task_struct *task);
45414 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
45415 +                             const gid_t gid);
45416 +int gr_set_proc_label(const struct dentry *dentry,
45417 +                       const struct vfsmount *mnt,
45418 +                       const int unsafe_share);
45419 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
45420 +                               const struct vfsmount *mnt);
45421 +__u32 gr_acl_handle_open(const struct dentry *dentry,
45422 +                               const struct vfsmount *mnt, const int fmode);
45423 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
45424 +                                const struct dentry *p_dentry,
45425 +                                const struct vfsmount *p_mnt, const int fmode,
45426 +                                const int imode);
45427 +void gr_handle_create(const struct dentry *dentry,
45428 +                            const struct vfsmount *mnt);
45429 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
45430 +                                const struct dentry *parent_dentry,
45431 +                                const struct vfsmount *parent_mnt,
45432 +                                const int mode);
45433 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
45434 +                                const struct dentry *parent_dentry,
45435 +                                const struct vfsmount *parent_mnt);
45436 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
45437 +                                const struct vfsmount *mnt);
45438 +void gr_handle_delete(const ino_t ino, const dev_t dev);
45439 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
45440 +                                 const struct vfsmount *mnt);
45441 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
45442 +                                  const struct dentry *parent_dentry,
45443 +                                  const struct vfsmount *parent_mnt,
45444 +                                  const char *from);
45445 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
45446 +                               const struct dentry *parent_dentry,
45447 +                               const struct vfsmount *parent_mnt,
45448 +                               const struct dentry *old_dentry,
45449 +                               const struct vfsmount *old_mnt, const char *to);
45450 +int gr_acl_handle_rename(struct dentry *new_dentry,
45451 +                               struct dentry *parent_dentry,
45452 +                               const struct vfsmount *parent_mnt,
45453 +                               struct dentry *old_dentry,
45454 +                               struct inode *old_parent_inode,
45455 +                               struct vfsmount *old_mnt, const char *newname);
45456 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
45457 +                               struct dentry *old_dentry,
45458 +                               struct dentry *new_dentry,
45459 +                               struct vfsmount *mnt, const __u8 replace);
45460 +__u32 gr_check_link(const struct dentry *new_dentry,
45461 +                          const struct dentry *parent_dentry,
45462 +                          const struct vfsmount *parent_mnt,
45463 +                          const struct dentry *old_dentry,
45464 +                          const struct vfsmount *old_mnt);
45465 +int gr_acl_handle_filldir(const struct file *file, const char *name,
45466 +                                const unsigned int namelen, const ino_t ino);
45467 +
45468 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
45469 +                               const struct vfsmount *mnt);
45470 +void gr_acl_handle_exit(void);
45471 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
45472 +int gr_acl_handle_procpidmem(const struct task_struct *task);
45473 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
45474 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
45475 +void gr_audit_ptrace(struct task_struct *task);
45476 +
45477 +#ifdef CONFIG_GRKERNSEC
45478 +void gr_log_nonroot_mod_load(const char *modname);
45479 +void gr_handle_vm86(void);
45480 +void gr_handle_mem_write(void);
45481 +void gr_handle_kmem_write(void);
45482 +void gr_handle_open_port(void);
45483 +int gr_handle_mem_mmap(const unsigned long offset,
45484 +                             struct vm_area_struct *vma);
45485 +
45486 +extern int grsec_enable_dmesg;
45487 +extern int grsec_disable_privio;
45488 +#endif
45489 +
45490 +#endif
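Review bot: The prototypes in this new header do not state their return convention, and two families are mixed: the `gr_handle_*`/`gr_check_*` hooks return `int`, while most `gr_acl_handle_*` hooks return `__u32`. Nothing here says whether non-zero means "deny" or "access granted", so a caller that tests the wrong sense fails open. Presumably the `int` hooks return non-zero to deny and the `__u32` hooks return the permitted access bits, but confirm that against the definitions, which are not in this hunk. I would add a block comment above `gr_handle_brute_attach` spelling out both conventions, and mark the allow/deny hooks `__must_check` so an ignored result becomes a build warning. Separately, `gr_check_user_change(int real, int effective, int fs)` takes plain `int` ids while `gr_check_crash_uid(const uid_t uid)` uses `uid_t`; one type for ids across the header would be clearer.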
45491 diff -urNp linux-2.6.35.5/include/linux/grsock.h linux-2.6.35.5/include/linux/grsock.h
45492 --- linux-2.6.35.5/include/linux/grsock.h       1969-12-31 19:00:00.000000000 -0500
45493 +++ linux-2.6.35.5/include/linux/grsock.h       2010-09-17 20:12:37.000000000 -0400
45494 @@ -0,0 +1,19 @@
45495 +#ifndef __GRSOCK_H
45496 +#define __GRSOCK_H
45497 +
45498 +extern void gr_attach_curr_ip(const struct sock *sk);
45499 +extern int gr_handle_sock_all(const int family, const int type,
45500 +                             const int protocol);
45501 +extern int gr_handle_sock_server(const struct sockaddr *sck);
45502 +extern int gr_handle_sock_server_other(const struct sock *sck);
45503 +extern int gr_handle_sock_client(const struct sockaddr *sck);
45504 +extern int gr_search_connect(struct socket * sock,
45505 +                            struct sockaddr_in * addr);
45506 +extern int gr_search_bind(struct socket * sock,
45507 +                         struct sockaddr_in * addr);
45508 +extern int gr_search_listen(struct socket * sock);
45509 +extern int gr_search_accept(struct socket * sock);
45510 +extern int gr_search_socket(const int domain, const int type,
45511 +                           const int protocol);
45512 +
45513 +#endif
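Review bot: This header names `struct sock`, `struct socket`, `struct sockaddr` and `struct sockaddr_in` in its prototypes without including or forward-declaring any of them, so it only compiles cleanly if every includer has already pulled in the networking headers. A struct tag that first appears inside a parameter list is scoped to that prototype, which gives a warning and a type incompatible with the real one. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` right after the include guard makes the header self-contained. The guard name `__GRSOCK_H` also differs in style from `GR_SECURITY_H` in the sibling header added by this patch.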
45514 diff -urNp linux-2.6.35.5/include/linux/highmem.h linux-2.6.35.5/include/linux/highmem.h
45515 --- linux-2.6.35.5/include/linux/highmem.h      2010-08-26 19:47:12.000000000 -0400
45516 +++ linux-2.6.35.5/include/linux/highmem.h      2010-09-17 20:12:09.000000000 -0400
45517 @@ -143,6 +143,18 @@ static inline void clear_highpage(struct
45518         kunmap_atomic(kaddr, KM_USER0);
45519  }
45520  
45521 +static inline void sanitize_highpage(struct page *page)
45522 +{
45523 +       void *kaddr;
45524 +       unsigned long flags;
45525 +
45526 +       local_irq_save(flags);
45527 +       kaddr = kmap_atomic(page, KM_CLEARPAGE);
45528 +       clear_page(kaddr);
45529 +       kunmap_atomic(kaddr, KM_CLEARPAGE);
45530 +       local_irq_restore(flags);
45531 +}
45532 +
45533  static inline void zero_user_segments(struct page *page,
45534         unsigned start1, unsigned end1,
45535         unsigned start2, unsigned end2)
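Review bot: `sanitize_highpage()` has no comment explaining why it differs from `clear_highpage()` directly above it: it brackets the mapping with `local_irq_save()`/`local_irq_restore()` and uses the `KM_CLEARPAGE` slot instead of `KM_USER0`. Presumably interrupts are disabled because the function can be reached from contexts that could otherwise nest on the same per-CPU atomic kmap slot, and the dedicated slot avoids clobbering a `KM_USER0` mapping the caller may hold. Confirm that against the call sites, which are outside this hunk. I would add a short comment above the function naming the intended callers and noting that the interrupts-off window spans a full `clear_page()`, since that is a latency cost someone will later want to justify.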
45536 diff -urNp linux-2.6.35.5/include/linux/interrupt.h linux-2.6.35.5/include/linux/interrupt.h
45537 --- linux-2.6.35.5/include/linux/interrupt.h    2010-08-26 19:47:12.000000000 -0400
45538 +++ linux-2.6.35.5/include/linux/interrupt.h    2010-09-17 20:12:09.000000000 -0400
45539 @@ -392,7 +392,7 @@ enum
45540  /* map softirq index to softirq name. update 'softirq_to_name' in
45541   * kernel/softirq.c when adding a new softirq.
45542   */
45543 -extern char *softirq_to_name[NR_SOFTIRQS];
45544 +extern const char * const softirq_to_name[NR_SOFTIRQS];
45545  
45546  /* softirq mask and active fields moved to irq_cpustat_t in
45547   * asm/hardirq.h to get better cache usage.  KAO
45548 @@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
45549  
45550  struct softirq_action
45551  {
45552 -       void    (*action)(struct softirq_action *);
45553 +       void    (*action)(void);
45554  };
45555  
45556  asmlinkage void do_softirq(void);
45557  asmlinkage void __do_softirq(void);
45558 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
45559 +extern void open_softirq(int nr, void (*action)(void));
45560  extern void softirq_init(void);
45561  #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
45562  extern void raise_softirq_irqoff(unsigned int nr);
45563 diff -urNp linux-2.6.35.5/include/linux/jbd2.h linux-2.6.35.5/include/linux/jbd2.h
45564 --- linux-2.6.35.5/include/linux/jbd2.h 2010-08-26 19:47:12.000000000 -0400
45565 +++ linux-2.6.35.5/include/linux/jbd2.h 2010-09-17 20:12:09.000000000 -0400
45566 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
45567                 }                                                       \
45568         } while (0)
45569  #else
45570 -#define jbd_debug(f, a...)     /**/
45571 +#define jbd_debug(f, a...)     do {} while (0)
45572  #endif
45573  
45574  extern void *jbd2_alloc(size_t size, gfp_t flags);
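Review bot: The disabled form `do {} while (0)` makes `jbd_debug()` statement-safe, but it still discards the format string and arguments unseen, so a mismatched specifier in a call is only noticed when debugging is compiled in. A no-op that keeps the call visible to the compiler, such as `#define jbd_debug(f, a...) do { if (0) printk(f, ## a); } while (0)`, retains format checking at no runtime cost. The same applies to the identical change in include/linux/jbd.h and to `DPRINTK`/`VPRINTK` in include/linux/libata.h. The enclosing `#ifdef` begins outside this hunk.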
45575 diff -urNp linux-2.6.35.5/include/linux/jbd.h linux-2.6.35.5/include/linux/jbd.h
45576 --- linux-2.6.35.5/include/linux/jbd.h  2010-08-26 19:47:12.000000000 -0400
45577 +++ linux-2.6.35.5/include/linux/jbd.h  2010-09-17 20:12:09.000000000 -0400
45578 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
45579                 }                                                       \
45580         } while (0)
45581  #else
45582 -#define jbd_debug(f, a...)     /**/
45583 +#define jbd_debug(f, a...)     do {} while (0)
45584  #endif
45585  
45586  static inline void *jbd_alloc(size_t size, gfp_t flags)
45587 diff -urNp linux-2.6.35.5/include/linux/kallsyms.h linux-2.6.35.5/include/linux/kallsyms.h
45588 --- linux-2.6.35.5/include/linux/kallsyms.h     2010-08-26 19:47:12.000000000 -0400
45589 +++ linux-2.6.35.5/include/linux/kallsyms.h     2010-09-17 20:12:37.000000000 -0400
45590 @@ -15,7 +15,8 @@
45591  
45592  struct module;
45593  
45594 -#ifdef CONFIG_KALLSYMS
45595 +#ifndef __INCLUDED_BY_HIDESYM
45596 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
45597  /* Lookup the address for a symbol. Returns 0 if not found. */
45598  unsigned long kallsyms_lookup_name(const char *name);
45599  
45600 @@ -92,6 +93,9 @@ static inline int lookup_symbol_attrs(un
45601  /* Stupid that this does nothing, but I didn't create this mess. */
45602  #define __print_symbol(fmt, addr)
45603  #endif /*CONFIG_KALLSYMS*/
45604 +#else /* when included by kallsyms.c, with HIDESYM enabled */
45605 +extern void __print_symbol(const char *fmt, unsigned long address);
45606 +#endif
45607  
45608  /* This macro allows us to keep printk typechecking */
45609  static void __check_printsym_format(const char *fmt, ...)
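Review bot: The `#endif` added after the `__print_symbol` declaration closes `#ifndef __INCLUDED_BY_HIDESYM` from the previous hunk but carries no comment. The existing `#endif /*CONFIG_KALLSYMS*/` now closes a condition that also tests `CONFIG_GRKERNSEC_HIDESYM`, so its comment is stale. These two nested conditionals decide whether kernel symbol lookups are exposed, so the pairing should be readable at a glance: `#endif /* __INCLUDED_BY_HIDESYM */` and `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */`. In the `#else` branch only `__print_symbol` is declared, so the including file presumably supplies the remaining prototypes itself; a one-line comment saying so would save the next reader a search.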
45610 diff -urNp linux-2.6.35.5/include/linux/kgdb.h linux-2.6.35.5/include/linux/kgdb.h
45611 --- linux-2.6.35.5/include/linux/kgdb.h 2010-08-26 19:47:12.000000000 -0400
45612 +++ linux-2.6.35.5/include/linux/kgdb.h 2010-09-17 20:12:09.000000000 -0400
45613 @@ -263,22 +263,22 @@ struct kgdb_arch {
45614   */
45615  struct kgdb_io {
45616         const char              *name;
45617 -       int                     (*read_char) (void);
45618 -       void                    (*write_char) (u8);
45619 -       void                    (*flush) (void);
45620 -       int                     (*init) (void);
45621 -       void                    (*pre_exception) (void);
45622 -       void                    (*post_exception) (void);
45623 +       int                     (* const read_char) (void);
45624 +       void                    (* const write_char) (u8);
45625 +       void                    (* const flush) (void);
45626 +       int                     (* const init) (void);
45627 +       void                    (* const pre_exception) (void);
45628 +       void                    (* const post_exception) (void);
45629         int                     is_console;
45630  };
45631  
45632 -extern struct kgdb_arch                arch_kgdb_ops;
45633 +extern const struct kgdb_arch arch_kgdb_ops;
45634  
45635  extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
45636  
45637 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
45638 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
45639 -extern struct kgdb_io *dbg_io_ops;
45640 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
45641 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
45642 +extern const struct kgdb_io *dbg_io_ops;
45643  
45644  extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
45645  extern int kgdb_mem2hex(char *mem, char *buf, int count);
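Review bot: Qualifying the members as `(* const read_char)` and so on stops assignment to the handlers after initialisation, but `dbg_io_ops` stays a writable pointer to const: `extern const struct kgdb_io *dbg_io_ops;`. Register and unregister need that, yet it means the change hardens the tables and not the selector. A comment next to the declaration should say so, so that nobody reads the struct change as covering the pointer as well. Const members also do not by themselves put an instance in read-only data, since `name` and `is_console` remain writable; each definition still has to be declared `const`, which this header cannot enforce. The `nlmsvc_binding`/`nlmsvc_ops` hunk in include/linux/lockd/bind.h has the same shape.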
45646 diff -urNp linux-2.6.35.5/include/linux/kvm_host.h linux-2.6.35.5/include/linux/kvm_host.h
45647 --- linux-2.6.35.5/include/linux/kvm_host.h     2010-08-26 19:47:12.000000000 -0400
45648 +++ linux-2.6.35.5/include/linux/kvm_host.h     2010-09-17 20:12:09.000000000 -0400
45649 @@ -243,7 +243,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
45650  void vcpu_load(struct kvm_vcpu *vcpu);
45651  void vcpu_put(struct kvm_vcpu *vcpu);
45652  
45653 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45654 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
45655                   struct module *module);
45656  void kvm_exit(void);
45657  
45658 @@ -367,7 +367,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
45659                                         struct kvm_guest_debug *dbg);
45660  int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
45661  
45662 -int kvm_arch_init(void *opaque);
45663 +int kvm_arch_init(const void *opaque);
45664  void kvm_arch_exit(void);
45665  
45666  int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
45667 diff -urNp linux-2.6.35.5/include/linux/libata.h linux-2.6.35.5/include/linux/libata.h
45668 --- linux-2.6.35.5/include/linux/libata.h       2010-09-20 17:33:09.000000000 -0400
45669 +++ linux-2.6.35.5/include/linux/libata.h       2010-09-20 17:33:35.000000000 -0400
45670 @@ -64,11 +64,11 @@
45671  #ifdef ATA_VERBOSE_DEBUG
45672  #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
45673  #else
45674 -#define VPRINTK(fmt, args...)
45675 +#define VPRINTK(fmt, args...) do {} while (0)
45676  #endif /* ATA_VERBOSE_DEBUG */
45677  #else
45678 -#define DPRINTK(fmt, args...)
45679 -#define VPRINTK(fmt, args...)
45680 +#define DPRINTK(fmt, args...) do {} while (0)
45681 +#define VPRINTK(fmt, args...) do {} while (0)
45682  #endif /* ATA_DEBUG */
45683  
45684  #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
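Review bot: `BPRINTK`, the context line that ends this hunk, is left as a bare `if (...) printk(...)` while the hunk makes the neighbouring `DPRINTK`/`VPRINTK` statement-safe. Written as `if (x) BPRINTK(...); else ...`, the `else` binds to the macro's hidden `if` rather than to the caller's. Wrapping it the same way closes that gap: `do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args); } while (0)`.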
45685 @@ -524,11 +524,11 @@ struct ata_ioports {
45686  
45687  struct ata_host {
45688         spinlock_t              lock;
45689 -       struct device           *dev;
45690 +       struct device           *dev;
45691         void __iomem * const    *iomap;
45692         unsigned int            n_ports;
45693         void                    *private_data;
45694 -       struct ata_port_operations *ops;
45695 +       const struct ata_port_operations *ops;
45696         unsigned long           flags;
45697  #ifdef CONFIG_ATA_ACPI
45698         acpi_handle             acpi_handle;
45699 @@ -710,7 +710,7 @@ struct ata_link {
45700  
45701  struct ata_port {
45702         struct Scsi_Host        *scsi_host; /* our co-allocated scsi host */
45703 -       struct ata_port_operations *ops;
45704 +       const struct ata_port_operations *ops;
45705         spinlock_t              *lock;
45706         /* Flags owned by the EH context. Only EH should touch these once the
45707            port is active */
45708 @@ -895,7 +895,7 @@ struct ata_port_info {
45709         unsigned long           pio_mask;
45710         unsigned long           mwdma_mask;
45711         unsigned long           udma_mask;
45712 -       struct ata_port_operations *port_ops;
45713 +       const struct ata_port_operations *port_ops;
45714         void                    *private_data;
45715  };
45716  
45717 @@ -919,7 +919,7 @@ extern const unsigned long sata_deb_timi
45718  extern const unsigned long sata_deb_timing_hotplug[];
45719  extern const unsigned long sata_deb_timing_long[];
45720  
45721 -extern struct ata_port_operations ata_dummy_port_ops;
45722 +extern const struct ata_port_operations ata_dummy_port_ops;
45723  extern const struct ata_port_info ata_dummy_port_info;
45724  
45725  static inline const unsigned long *
45726 @@ -963,7 +963,7 @@ extern int ata_host_activate(struct ata_
45727                              struct scsi_host_template *sht);
45728  extern void ata_host_detach(struct ata_host *host);
45729  extern void ata_host_init(struct ata_host *, struct device *,
45730 -                         unsigned long, struct ata_port_operations *);
45731 +                         unsigned long, const struct ata_port_operations *);
45732  extern int ata_scsi_detect(struct scsi_host_template *sht);
45733  extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
45734  extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
45735 diff -urNp linux-2.6.35.5/include/linux/lockd/bind.h linux-2.6.35.5/include/linux/lockd/bind.h
45736 --- linux-2.6.35.5/include/linux/lockd/bind.h   2010-08-26 19:47:12.000000000 -0400
45737 +++ linux-2.6.35.5/include/linux/lockd/bind.h   2010-09-17 20:12:09.000000000 -0400
45738 @@ -23,13 +23,13 @@ struct svc_rqst;
45739   * This is the set of functions for lockd->nfsd communication
45740   */
45741  struct nlmsvc_binding {
45742 -       __be32                  (*fopen)(struct svc_rqst *,
45743 +       __be32                  (* const fopen)(struct svc_rqst *,
45744                                                 struct nfs_fh *,
45745                                                 struct file **);
45746 -       void                    (*fclose)(struct file *);
45747 +       void                    (* const fclose)(struct file *);
45748  };
45749  
45750 -extern struct nlmsvc_binding * nlmsvc_ops;
45751 +extern const struct nlmsvc_binding *   nlmsvc_ops;
45752  
45753  /*
45754   * Similar to nfs_client_initdata, but without the NFS-specific
45755 diff -urNp linux-2.6.35.5/include/linux/mm.h linux-2.6.35.5/include/linux/mm.h
45756 --- linux-2.6.35.5/include/linux/mm.h   2010-08-26 19:47:12.000000000 -0400
45757 +++ linux-2.6.35.5/include/linux/mm.h   2010-09-17 20:12:09.000000000 -0400
45758 @@ -103,7 +103,14 @@ extern unsigned int kobjsize(const void 
45759  
45760  #define VM_CAN_NONLINEAR 0x08000000    /* Has ->fault & does nonlinear pages */
45761  #define VM_MIXEDMAP    0x10000000      /* Can contain "struct page" and pure PFN pages */
45762 +
45763 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
45764 +#define VM_SAO         0x00000000      /* Strong Access Ordering (powerpc) */
45765 +#define VM_PAGEEXEC    0x20000000      /* vma->vm_page_prot needs special handling */
45766 +#else
45767  #define VM_SAO         0x20000000      /* Strong Access Ordering (powerpc) */
45768 +#endif
45769 +
45770  #define VM_PFN_AT_MMAP 0x40000000      /* PFNMAP vma that is fully mapped at mmap time */
45771  #define VM_MERGEABLE   0x80000000      /* KSM may merge identical pages */
45772  
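Review bot: In the `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` branch `VM_SAO` becomes 0 and `VM_PAGEEXEC` takes over bit 0x20000000, but nothing in the hunk says why the bit may be reused. Tests of the form `flags & VM_SAO` then fold to false, which is harmless, whereas an equality test or a mask built from `VM_SAO` silently changes meaning. I would add `/* VM_SAO is powerpc-only, so its bit is reused for VM_PAGEEXEC on x86-32 */` above the `#if`. The copied `(powerpc)` comment on the zero definition should also say the flag is unused in this configuration.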
45773 @@ -1010,6 +1017,8 @@ struct shrinker {
45774  extern void register_shrinker(struct shrinker *);
45775  extern void unregister_shrinker(struct shrinker *);
45776  
45777 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
45778 +
45779  int vma_wants_writenotify(struct vm_area_struct *vma);
45780  
45781  extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
45782 @@ -1286,6 +1295,7 @@ out:
45783  }
45784  
45785  extern int do_munmap(struct mm_struct *, unsigned long, size_t);
45786 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
45787  
45788  extern unsigned long do_brk(unsigned long, unsigned long);
45789  
45790 @@ -1340,6 +1350,10 @@ extern struct vm_area_struct * find_vma(
45791  extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
45792                                              struct vm_area_struct **pprev);
45793  
45794 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
45795 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
45796 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
45797 +
45798  /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
45799     NULL if none.  Assume start_addr < end_addr. */
45800  static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
45801 @@ -1356,7 +1370,6 @@ static inline unsigned long vma_pages(st
45802         return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
45803  }
45804  
45805 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
45806  struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
45807  int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
45808                         unsigned long pfn, unsigned long size, pgprot_t);
45809 @@ -1463,10 +1476,16 @@ extern int unpoison_memory(unsigned long
45810  extern int sysctl_memory_failure_early_kill;
45811  extern int sysctl_memory_failure_recovery;
45812  extern void shake_page(struct page *p, int access);
45813 -extern atomic_long_t mce_bad_pages;
45814 +extern atomic_long_unchecked_t mce_bad_pages;
45815  extern int soft_offline_page(struct page *page, int flags);
45816  
45817  extern void dump_page(struct page *page);
45818  
45819 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
45820 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
45821 +#else
45822 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
45823 +#endif
45824 +
45825  #endif /* __KERNEL__ */
45826  #endif /* _LINUX_MM_H */
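Review bot: `mce_bad_pages` changes from `atomic_long_t` to `atomic_long_unchecked_t` with no explanation of why this counter is exempt. The type is defined outside this hunk; by its name it opts the variable out of whatever overflow checking the patched `atomic_long_t` receives, so the choice is security-relevant and should be justified where it is made. A comment such as `/* statistics only, never used as a reference count: wrap-around is harmless */` would do, assuming that is the actual reason.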
45827 diff -urNp linux-2.6.35.5/include/linux/mm_types.h linux-2.6.35.5/include/linux/mm_types.h
45828 --- linux-2.6.35.5/include/linux/mm_types.h     2010-08-26 19:47:12.000000000 -0400
45829 +++ linux-2.6.35.5/include/linux/mm_types.h     2010-09-17 20:12:09.000000000 -0400
45830 @@ -183,6 +183,8 @@ struct vm_area_struct {
45831  #ifdef CONFIG_NUMA
45832         struct mempolicy *vm_policy;    /* NUMA policy for the VMA */
45833  #endif
45834 +
45835 +       struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
45836  };
45837  
45838  struct core_thread {
45839 @@ -310,6 +312,24 @@ struct mm_struct {
45840  #ifdef CONFIG_MMU_NOTIFIER
45841         struct mmu_notifier_mm *mmu_notifier_mm;
45842  #endif
45843 +
45844 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
45845 +       unsigned long pax_flags;
45846 +#endif
45847 +
45848 +#ifdef CONFIG_PAX_DLRESOLVE
45849 +       unsigned long call_dl_resolve;
45850 +#endif
45851 +
45852 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
45853 +       unsigned long call_syscall;
45854 +#endif
45855 +
45856 +#ifdef CONFIG_PAX_ASLR
45857 +       unsigned long delta_mmap;               /* randomized offset */
45858 +       unsigned long delta_stack;              /* randomized offset */
45859 +#endif
45860 +
45861  };
45862  
45863  /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
45864 diff -urNp linux-2.6.35.5/include/linux/mmu_notifier.h linux-2.6.35.5/include/linux/mmu_notifier.h
45865 --- linux-2.6.35.5/include/linux/mmu_notifier.h 2010-08-26 19:47:12.000000000 -0400
45866 +++ linux-2.6.35.5/include/linux/mmu_notifier.h 2010-09-17 20:12:09.000000000 -0400
45867 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
45868   */
45869  #define ptep_clear_flush_notify(__vma, __address, __ptep)              \
45870  ({                                                                     \
45871 -       pte_t __pte;                                                    \
45872 +       pte_t ___pte;                                                   \
45873         struct vm_area_struct *___vma = __vma;                          \
45874         unsigned long ___address = __address;                           \
45875 -       __pte = ptep_clear_flush(___vma, ___address, __ptep);           \
45876 +       ___pte = ptep_clear_flush(___vma, ___address, __ptep);          \
45877         mmu_notifier_invalidate_page(___vma->vm_mm, ___address);        \
45878 -       __pte;                                                          \
45879 +       ___pte;                                                         \
45880  })
45881  
45882  #define ptep_clear_flush_young_notify(__vma, __address, __ptep)                \
45883 diff -urNp linux-2.6.35.5/include/linux/mmzone.h linux-2.6.35.5/include/linux/mmzone.h
45884 --- linux-2.6.35.5/include/linux/mmzone.h       2010-08-26 19:47:12.000000000 -0400
45885 +++ linux-2.6.35.5/include/linux/mmzone.h       2010-09-17 20:12:09.000000000 -0400
45886 @@ -345,7 +345,7 @@ struct zone {
45887         unsigned long           flags;             /* zone flags, see below */
45888  
45889         /* Zone statistics */
45890 -       atomic_long_t           vm_stat[NR_VM_ZONE_STAT_ITEMS];
45891 +       atomic_long_unchecked_t         vm_stat[NR_VM_ZONE_STAT_ITEMS];
45892  
45893         /*
45894          * prev_priority holds the scanning priority for this zone.  It is
45895 diff -urNp linux-2.6.35.5/include/linux/mod_devicetable.h linux-2.6.35.5/include/linux/mod_devicetable.h
45896 --- linux-2.6.35.5/include/linux/mod_devicetable.h      2010-08-26 19:47:12.000000000 -0400
45897 +++ linux-2.6.35.5/include/linux/mod_devicetable.h      2010-09-17 20:12:09.000000000 -0400
45898 @@ -12,7 +12,7 @@
45899  typedef unsigned long kernel_ulong_t;
45900  #endif
45901  
45902 -#define PCI_ANY_ID (~0)
45903 +#define PCI_ANY_ID ((__u16)~0)
45904  
45905  struct pci_device_id {
45906         __u32 vendor, device;           /* Vendor and device ID or PCI_ANY_ID*/
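Review bot: `((__u16)~0)` evaluates to 0xFFFF, yet the fields it is stored in and compared against are still `__u32 vendor, device` (the context line just below), so the wildcard value changes from 0xFFFFFFFF to 0x0000FFFF. Any table that still carries the old all-ones value would stop matching as a wildcard; that could affect a module built against the unpatched header, or a userspace tool with its own copy of this file, though neither consumer is visible here. The define should at least say why the narrower value is safe, for example `/* 16-bit all-ones: stored in __u32 fields, must match every consumer of pci_device_id tables */`.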
45907 @@ -131,7 +131,7 @@ struct usb_device_id {
45908  #define USB_DEVICE_ID_MATCH_INT_SUBCLASS       0x0100
45909  #define USB_DEVICE_ID_MATCH_INT_PROTOCOL       0x0200
45910  
45911 -#define HID_ANY_ID                             (~0)
45912 +#define HID_ANY_ID                             (~0U)
45913  
45914  struct hid_device_id {
45915         __u16 bus;
45916 diff -urNp linux-2.6.35.5/include/linux/module.h linux-2.6.35.5/include/linux/module.h
45917 --- linux-2.6.35.5/include/linux/module.h       2010-08-26 19:47:12.000000000 -0400
45918 +++ linux-2.6.35.5/include/linux/module.h       2010-09-17 20:12:09.000000000 -0400
45919 @@ -297,16 +297,16 @@ struct module
45920         int (*init)(void);
45921  
45922         /* If this is non-NULL, vfree after init() returns */
45923 -       void *module_init;
45924 +       void *module_init_rx, *module_init_rw;
45925  
45926         /* Here is the actual code + data, vfree'd on unload. */
45927 -       void *module_core;
45928 +       void *module_core_rx, *module_core_rw;
45929  
45930         /* Here are the sizes of the init and core sections */
45931 -       unsigned int init_size, core_size;
45932 +       unsigned int init_size_rw, core_size_rw;
45933  
45934         /* The size of the executable code in each section.  */
45935 -       unsigned int init_text_size, core_text_size;
45936 +       unsigned int init_size_rx, core_size_rx;
45937  
45938         /* Arch-specific module values */
45939         struct mod_arch_specific arch;
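Review bot: The comments kept as context no longer describe the fields beneath them. "If this is non-NULL, vfree after init() returns" now sits over two pointers, "the sizes of the init and core sections" over the `_rw` pair only, and "The size of the executable code in each section" over `init_size_rx, core_size_rx`. Nothing states whether the rx and rw regions are separate allocations or whether one size includes the other, which every range check on these fields depends on. Update the comments with the fields, e.g. `/* Sizes of the writable (rw) init and core regions */` and `/* Sizes of the executable (rx) init and core regions */`, and say which free routine applies to which pointer.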
45940 @@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
45941  bool is_module_percpu_address(unsigned long addr);
45942  bool is_module_text_address(unsigned long addr);
45943  
45944 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
45945 +{
45946 +
45947 +#ifdef CONFIG_PAX_KERNEXEC
45948 +       if (ktla_ktva(addr) >= (unsigned long)start &&
45949 +           ktla_ktva(addr) < (unsigned long)start + size)
45950 +               return 1;
45951 +#endif
45952 +
45953 +       return ((void *)addr >= start && (void *)addr < start + size);
45954 +}
45955 +
45956 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
45957 +{
45958 +       return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
45959 +}
45960 +
45961 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
45962 +{
45963 +       return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
45964 +}
45965 +
45966 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
45967 +{
45968 +       return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
45969 +}
45970 +
45971 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
45972 +{
45973 +       return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
45974 +}
45975 +
45976  static inline int within_module_core(unsigned long addr, struct module *mod)
45977  {
45978 -       return (unsigned long)mod->module_core <= addr &&
45979 -              addr < (unsigned long)mod->module_core + mod->core_size;
45980 +       return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
45981  }
45982  
45983  static inline int within_module_init(unsigned long addr, struct module *mod)
45984  {
45985 -       return (unsigned long)mod->module_init <= addr &&
45986 -              addr < (unsigned long)mod->module_init + mod->init_size;
45987 +       return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
45988  }
45989  
45990  /* Search for module by name: must hold module_mutex. */
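Review bot: `within_module_range()` compares the address two different ways. The CONFIG_PAX_KERNEXEC branch works on `unsigned long`, while the final `return` does arithmetic on a `void *` (`start + size`), which is a GNU extension and hides the width of the comparison. Use the integer form in both places: `return addr >= (unsigned long)start && addr < (unsigned long)start + size;`. The helper also needs a short comment explaining why, under KERNEXEC, an address is accepted if either its `ktla_ktva()` translation or its raw value falls in the range, since that widens what `within_module_core()` and `within_module_init()` report as inside the module. The blank line after the opening brace can go.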
45991 diff -urNp linux-2.6.35.5/include/linux/moduleloader.h linux-2.6.35.5/include/linux/moduleloader.h
45992 --- linux-2.6.35.5/include/linux/moduleloader.h 2010-08-26 19:47:12.000000000 -0400
45993 +++ linux-2.6.35.5/include/linux/moduleloader.h 2010-09-17 20:12:09.000000000 -0400
45994 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
45995     sections.  Returns NULL on failure. */
45996  void *module_alloc(unsigned long size);
45997  
45998 +#ifdef CONFIG_PAX_KERNEXEC
45999 +void *module_alloc_exec(unsigned long size);
46000 +#else
46001 +#define module_alloc_exec(x) module_alloc(x)
46002 +#endif
46003 +
46004  /* Free memory returned from module_alloc. */
46005  void module_free(struct module *mod, void *module_region);
46006  
46007 +#ifdef CONFIG_PAX_KERNEXEC
46008 +void module_free_exec(struct module *mod, void *module_region);
46009 +#else
46010 +#define module_free_exec(x, y) module_free((x), (y))
46011 +#endif
46012 +
46013  /* Apply the given relocation to the (simplified) ELF.  Return -error
46014     or 0. */
46015  int apply_relocate(Elf_Shdr *sechdrs,
46016 diff -urNp linux-2.6.35.5/include/linux/namei.h linux-2.6.35.5/include/linux/namei.h
46017 --- linux-2.6.35.5/include/linux/namei.h        2010-08-26 19:47:12.000000000 -0400
46018 +++ linux-2.6.35.5/include/linux/namei.h        2010-09-17 20:12:09.000000000 -0400
46019 @@ -22,7 +22,7 @@ struct nameidata {
46020         unsigned int    flags;
46021         int             last_type;
46022         unsigned        depth;
46023 -       char *saved_names[MAX_NESTED_LINKS + 1];
46024 +       const char *saved_names[MAX_NESTED_LINKS + 1];
46025  
46026         /* Intent data */
46027         union {
46028 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
46029  extern struct dentry *lock_rename(struct dentry *, struct dentry *);
46030  extern void unlock_rename(struct dentry *, struct dentry *);
46031  
46032 -static inline void nd_set_link(struct nameidata *nd, char *path)
46033 +static inline void nd_set_link(struct nameidata *nd, const char *path)
46034  {
46035         nd->saved_names[nd->depth] = path;
46036  }
46037  
46038 -static inline char *nd_get_link(struct nameidata *nd)
46039 +static inline const char *nd_get_link(const struct nameidata *nd)
46040  {
46041         return nd->saved_names[nd->depth];
46042  }
46043 diff -urNp linux-2.6.35.5/include/linux/oprofile.h linux-2.6.35.5/include/linux/oprofile.h
46044 --- linux-2.6.35.5/include/linux/oprofile.h     2010-08-26 19:47:12.000000000 -0400
46045 +++ linux-2.6.35.5/include/linux/oprofile.h     2010-09-17 20:12:09.000000000 -0400
46046 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
46047  int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
46048         char const * name, ulong * val);
46049   
46050 -/** Create a file for read-only access to an atomic_t. */
46051 +/** Create a file for read-only access to an atomic_unchecked_t. */
46052  int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
46053 -       char const * name, atomic_t * val);
46054 +       char const * name, atomic_unchecked_t * val);
46055   
46056  /** create a directory */
46057  struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
46058 diff -urNp linux-2.6.35.5/include/linux/pipe_fs_i.h linux-2.6.35.5/include/linux/pipe_fs_i.h
46059 --- linux-2.6.35.5/include/linux/pipe_fs_i.h    2010-08-26 19:47:12.000000000 -0400
46060 +++ linux-2.6.35.5/include/linux/pipe_fs_i.h    2010-09-17 20:12:09.000000000 -0400
46061 @@ -45,9 +45,9 @@ struct pipe_buffer {
46062  struct pipe_inode_info {
46063         wait_queue_head_t wait;
46064         unsigned int nrbufs, curbuf, buffers;
46065 -       unsigned int readers;
46066 -       unsigned int writers;
46067 -       unsigned int waiting_writers;
46068 +       atomic_t readers;
46069 +       atomic_t writers;
46070 +       atomic_t waiting_writers;
46071         unsigned int r_counter;
46072         unsigned int w_counter;
46073         struct page *tmp_page;
46074 diff -urNp linux-2.6.35.5/include/linux/poison.h linux-2.6.35.5/include/linux/poison.h
46075 --- linux-2.6.35.5/include/linux/poison.h       2010-08-26 19:47:12.000000000 -0400
46076 +++ linux-2.6.35.5/include/linux/poison.h       2010-09-17 20:12:09.000000000 -0400
46077 @@ -19,8 +19,8 @@
46078   * under normal circumstances, used to verify that nobody uses
46079   * non-initialized list entries.
46080   */
46081 -#define LIST_POISON1  ((void *) 0x00100100 + POISON_POINTER_DELTA)
46082 -#define LIST_POISON2  ((void *) 0x00200200 + POISON_POINTER_DELTA)
46083 +#define LIST_POISON1  ((void *) (long)0xFFFFFF01)
46084 +#define LIST_POISON2  ((void *) (long)0xFFFFFF02)
46085  
46086  /********** include/linux/timer.h **********/
46087  /*
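Review bot: `0xFFFFFF01` has type `unsigned int`, so `(long)0xFFFFFF01` zero-extends on a 64-bit build and LIST_POISON1 becomes 0x00000000FFFFFF01 rather than a value at the top of the address space. The removed lines added `POISON_POINTER_DELTA`, which the new definitions drop entirely. If the poison values are meant to fault on dereference on every architecture, the hunk should state what guarantees that on 64-bit (presumably another part of this patch, not visible here). If a high address was intended everywhere, spell the sign extension out, e.g. `#define LIST_POISON1  ((void *) -255L)` and `#define LIST_POISON2  ((void *) -254L)`. The comment above the defines also still describes the old scheme.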
46088 diff -urNp linux-2.6.35.5/include/linux/proc_fs.h linux-2.6.35.5/include/linux/proc_fs.h
46089 --- linux-2.6.35.5/include/linux/proc_fs.h      2010-08-26 19:47:12.000000000 -0400
46090 +++ linux-2.6.35.5/include/linux/proc_fs.h      2010-09-17 20:12:37.000000000 -0400
46091 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
46092         return proc_create_data(name, mode, parent, proc_fops, NULL);
46093  }
46094  
46095 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
46096 +       struct proc_dir_entry *parent, const struct file_operations *proc_fops)
46097 +{
46098 +#ifdef CONFIG_GRKERNSEC_PROC_USER
46099 +       return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
46100 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
46101 +       return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
46102 +#else
46103 +       return proc_create_data(name, mode, parent, proc_fops, NULL);
46104 +#endif
46105 +}
46106 +       
46107 +
46108  static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
46109         mode_t mode, struct proc_dir_entry *base, 
46110         read_proc_t *read_proc, void * data)
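Review bot: `proc_create_grsec()` silently discards its `mode` argument when CONFIG_GRKERNSEC_PROC_USER or CONFIG_GRKERNSEC_PROC_USERGROUP is set, and nothing at the definition says so. A caller that passes write bits, or a mode narrower than owner-read, gets `S_IRUSR` or `S_IRUSR | S_IRGRP` regardless. Add a comment above the function such as `/* mode is honoured only when neither GRKERNSEC_PROC_USER nor GRKERNSEC_PROC_USERGROUP is set; otherwise the entry is read-only for owner (and group) */`. The added line after the closing brace contains only whitespace and should be dropped.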
46111 diff -urNp linux-2.6.35.5/include/linux/random.h linux-2.6.35.5/include/linux/random.h
46112 --- linux-2.6.35.5/include/linux/random.h       2010-08-26 19:47:12.000000000 -0400
46113 +++ linux-2.6.35.5/include/linux/random.h       2010-09-17 20:12:09.000000000 -0400
46114 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
46115  
46116  u32 prandom32(struct rnd_state *);
46117  
46118 +static inline unsigned long pax_get_random_long(void)
46119 +{
46120 +       return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
46121 +}
46122 +
46123  /*
46124   * Handle minimum values for seeds
46125   */
46126  static inline u32 __seed(u32 x, u32 m)
46127  {
46128 -       return (x < m) ? x + m : x;
46129 +       return (x <= m) ? x + m + 1 : x;
46130  }
46131  
46132  /**
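Review bot: `pax_get_random_long()` builds its result from two `random32()` calls, and `random32()` is the kernel's fast pseudo-random generator rather than the entropy-pool interface. If this value feeds the address-space randomization deltas (the callers are outside this hunk), the offsets are only as unpredictable as that generator's internal state. Either draw from `get_random_bytes()` (`unsigned long r; get_random_bytes(&r, sizeof(r)); return r;`) or document why the weaker source is acceptable at the call sites. Separately, the `__seed()` change makes the bound exclusive (`x <= m` now yields `x + m + 1`), but the comment "Handle minimum values for seeds" does not say the result must be strictly greater than `m`.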
46133 diff -urNp linux-2.6.35.5/include/linux/reiserfs_fs.h linux-2.6.35.5/include/linux/reiserfs_fs.h
46134 --- linux-2.6.35.5/include/linux/reiserfs_fs.h  2010-08-26 19:47:12.000000000 -0400
46135 +++ linux-2.6.35.5/include/linux/reiserfs_fs.h  2010-09-17 20:12:09.000000000 -0400
46136 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
46137  #define REISERFS_USER_MEM              1       /* reiserfs user memory mode            */
46138  
46139  #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
46140 -#define get_generation(s) atomic_read (&fs_generation(s))
46141 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
46142  #define FILESYSTEM_CHANGED_TB(tb)  (get_generation((tb)->tb_sb) != (tb)->fs_gen)
46143  #define __fs_changed(gen,s) (gen != get_generation (s))
46144  #define fs_changed(gen,s)              \
46145 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
46146  */
46147  
46148  struct item_operations {
46149 -       int (*bytes_number) (struct item_head * ih, int block_size);
46150 -       void (*decrement_key) (struct cpu_key *);
46151 -       int (*is_left_mergeable) (struct reiserfs_key * ih,
46152 +       int (* const bytes_number) (struct item_head * ih, int block_size);
46153 +       void (* const decrement_key) (struct cpu_key *);
46154 +       int (* const is_left_mergeable) (struct reiserfs_key * ih,
46155                                   unsigned long bsize);
46156 -       void (*print_item) (struct item_head *, char *item);
46157 -       void (*check_item) (struct item_head *, char *item);
46158 +       void (* const print_item) (struct item_head *, char *item);
46159 +       void (* const check_item) (struct item_head *, char *item);
46160  
46161 -       int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46162 +       int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
46163                           int is_affected, int insert_size);
46164 -       int (*check_left) (struct virtual_item * vi, int free,
46165 +       int (* const check_left) (struct virtual_item * vi, int free,
46166                            int start_skip, int end_skip);
46167 -       int (*check_right) (struct virtual_item * vi, int free);
46168 -       int (*part_size) (struct virtual_item * vi, int from, int to);
46169 -       int (*unit_num) (struct virtual_item * vi);
46170 -       void (*print_vi) (struct virtual_item * vi);
46171 +       int (* const check_right) (struct virtual_item * vi, int free);
46172 +       int (* const part_size) (struct virtual_item * vi, int from, int to);
46173 +       int (* const unit_num) (struct virtual_item * vi);
46174 +       void (* const print_vi) (struct virtual_item * vi);
46175  };
46176  
46177 -extern struct item_operations *item_ops[TYPE_ANY + 1];
46178 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
46179  
46180  #define op_bytes_number(ih,bsize)                    item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
46181  #define op_is_left_mergeable(key,bsize)              item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
46182 diff -urNp linux-2.6.35.5/include/linux/reiserfs_fs_sb.h linux-2.6.35.5/include/linux/reiserfs_fs_sb.h
46183 --- linux-2.6.35.5/include/linux/reiserfs_fs_sb.h       2010-08-26 19:47:12.000000000 -0400
46184 +++ linux-2.6.35.5/include/linux/reiserfs_fs_sb.h       2010-09-17 20:12:09.000000000 -0400
46185 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
46186         /* Comment? -Hans */
46187         wait_queue_head_t s_wait;
46188         /* To be obsoleted soon by per buffer seals.. -Hans */
46189 -       atomic_t s_generation_counter;  // increased by one every time the
46190 +       atomic_unchecked_t s_generation_counter;        // increased by one every time the
46191         // tree gets re-balanced
46192         unsigned long s_properties;     /* File system properties. Currently holds
46193                                            on-disk FS format */
46194 diff -urNp linux-2.6.35.5/include/linux/rmap.h linux-2.6.35.5/include/linux/rmap.h
46195 --- linux-2.6.35.5/include/linux/rmap.h 2010-08-26 19:47:12.000000000 -0400
46196 +++ linux-2.6.35.5/include/linux/rmap.h 2010-09-17 20:12:09.000000000 -0400
46197 @@ -119,8 +119,8 @@ static inline void anon_vma_unlock(struc
46198  void anon_vma_init(void);      /* create anon_vma_cachep */
46199  int  anon_vma_prepare(struct vm_area_struct *);
46200  void unlink_anon_vmas(struct vm_area_struct *);
46201 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
46202 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
46203 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
46204 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
46205  void __anon_vma_link(struct vm_area_struct *);
46206  void anon_vma_free(struct anon_vma *);
46207  
46208 diff -urNp linux-2.6.35.5/include/linux/sched.h linux-2.6.35.5/include/linux/sched.h
46209 --- linux-2.6.35.5/include/linux/sched.h        2010-08-26 19:47:12.000000000 -0400
46210 +++ linux-2.6.35.5/include/linux/sched.h        2010-09-17 20:12:37.000000000 -0400
46211 @@ -100,6 +100,7 @@ struct robust_list_head;
46212  struct bio_list;
46213  struct fs_struct;
46214  struct perf_event_context;
46215 +struct linux_binprm;
46216  
46217  /*
46218   * List of flags we want to share for kernel threads,
46219 @@ -381,10 +382,12 @@ struct user_namespace;
46220  #define DEFAULT_MAX_MAP_COUNT  (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
46221  
46222  extern int sysctl_max_map_count;
46223 +extern unsigned long sysctl_heap_stack_gap;
46224  
46225  #include <linux/aio.h>
46226  
46227  #ifdef CONFIG_MMU
46228 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
46229  extern void arch_pick_mmap_layout(struct mm_struct *mm);
46230  extern unsigned long
46231  arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
46232 @@ -628,6 +631,15 @@ struct signal_struct {
46233         struct tty_audit_buf *tty_audit_buf;
46234  #endif
46235  
46236 +#ifdef CONFIG_GRKERNSEC
46237 +       u32 curr_ip;
46238 +       u32 gr_saddr;
46239 +       u32 gr_daddr;
46240 +       u16 gr_sport;
46241 +       u16 gr_dport;
46242 +       u8 used_accept:1;
46243 +#endif
46244 +
46245         int oom_adj;    /* OOM kill score adjustment (bit shift) */
46246  };
46247  
46248 @@ -1166,7 +1178,7 @@ struct rcu_node;
46249  
46250  struct task_struct {
46251         volatile long state;    /* -1 unrunnable, 0 runnable, >0 stopped */
46252 -       void *stack;
46253 +       struct thread_info *stack;
46254         atomic_t usage;
46255         unsigned int flags;     /* per process flags, defined below */
46256         unsigned int ptrace;
46257 @@ -1274,8 +1286,8 @@ struct task_struct {
46258         struct list_head thread_group;
46259  
46260         struct completion *vfork_done;          /* for vfork() */
46261 -       int __user *set_child_tid;              /* CLONE_CHILD_SETTID */
46262 -       int __user *clear_child_tid;            /* CLONE_CHILD_CLEARTID */
46263 +       pid_t __user *set_child_tid;            /* CLONE_CHILD_SETTID */
46264 +       pid_t __user *clear_child_tid;          /* CLONE_CHILD_CLEARTID */
46265  
46266         cputime_t utime, stime, utimescaled, stimescaled;
46267         cputime_t gtime;
46268 @@ -1291,16 +1303,6 @@ struct task_struct {
46269         struct task_cputime cputime_expires;
46270         struct list_head cpu_timers[3];
46271  
46272 -/* process credentials */
46273 -       const struct cred *real_cred;   /* objective and real subjective task
46274 -                                        * credentials (COW) */
46275 -       const struct cred *cred;        /* effective (overridable) subjective task
46276 -                                        * credentials (COW) */
46277 -       struct mutex cred_guard_mutex;  /* guard against foreign influences on
46278 -                                        * credential calculations
46279 -                                        * (notably. ptrace) */
46280 -       struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46281 -
46282         char comm[TASK_COMM_LEN]; /* executable name excluding path
46283                                      - access with [gs]et_task_comm (which lock
46284                                        it with task_lock())
46285 @@ -1384,6 +1386,15 @@ struct task_struct {
46286         int softirqs_enabled;
46287         int softirq_context;
46288  #endif
46289 +
46290 +/* process credentials */
46291 +       const struct cred *real_cred;   /* objective and real subjective task
46292 +                                        * credentials (COW) */
46293 +       struct mutex cred_guard_mutex;  /* guard against foreign influences on
46294 +                                        * credential calculations
46295 +                                        * (notably. ptrace) */
46296 +       struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
46297 +
46298  #ifdef CONFIG_LOCKDEP
46299  # define MAX_LOCK_DEPTH 48UL
46300         u64 curr_chain_key;
46301 @@ -1404,6 +1415,9 @@ struct task_struct {
46302  
46303         struct backing_dev_info *backing_dev_info;
46304  
46305 +       const struct cred *cred;        /* effective (overridable) subjective task
46306 +                                        * credentials (COW) */
46307 +
46308         struct io_context *io_context;
46309  
46310         unsigned long ptrace_message;
46311 @@ -1469,6 +1483,20 @@ struct task_struct {
46312         unsigned long default_timer_slack_ns;
46313  
46314         struct list_head        *scm_work_list;
46315 +
46316 +#ifdef CONFIG_GRKERNSEC
46317 +       /* grsecurity */
46318 +       struct dentry *gr_chroot_dentry;
46319 +       struct acl_subject_label *acl;
46320 +       struct acl_role_label *role;
46321 +       struct file *exec_file;
46322 +       u16 acl_role_id;
46323 +       u8 acl_sp_role;
46324 +       u8 is_writable;
46325 +       u8 brute;
46326 +       u8 gr_is_chrooted;
46327 +#endif
46328 +
46329  #ifdef CONFIG_FUNCTION_GRAPH_TRACER
46330         /* Index of current stored address in ret_stack */
46331         int curr_ret_stack;
46332 @@ -1500,6 +1528,52 @@ struct task_struct {
46333  #endif
46334  };
46335  
46336 +#define MF_PAX_PAGEEXEC                0x01000000      /* Paging based non-executable pages */
46337 +#define MF_PAX_EMUTRAMP                0x02000000      /* Emulate trampolines */
46338 +#define MF_PAX_MPROTECT                0x04000000      /* Restrict mprotect() */
46339 +#define MF_PAX_RANDMMAP                0x08000000      /* Randomize mmap() base */
46340 +/*#define MF_PAX_RANDEXEC              0x10000000*/    /* Randomize ET_EXEC base */
46341 +#define MF_PAX_SEGMEXEC                0x20000000      /* Segmentation based non-executable pages */
46342 +
46343 +#ifdef CONFIG_PAX_SOFTMODE
46344 +extern unsigned int pax_softmode;
46345 +#endif
46346 +
46347 +extern int pax_check_flags(unsigned long *);
46348 +
46349 +/* if tsk != current then task_lock must be held on it */
46350 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46351 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
46352 +{
46353 +       if (likely(tsk->mm))
46354 +               return tsk->mm->pax_flags;
46355 +       else
46356 +               return 0UL;
46357 +}
46358 +
46359 +/* if tsk != current then task_lock must be held on it */
46360 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
46361 +{
46362 +       if (likely(tsk->mm)) {
46363 +               tsk->mm->pax_flags = flags;
46364 +               return 0;
46365 +       }
46366 +       return -EINVAL;
46367 +}
46368 +#endif
46369 +
46370 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
46371 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
46372 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
46373 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
46374 +#endif
46375 +
46376 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
46377 +void pax_report_insns(void *pc, void *sp);
46378 +void pax_report_refcount_overflow(struct pt_regs *regs);
46379 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
46380 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
46381 +
46382  /* Future-safe accessor for struct task_struct's cpus_allowed. */
46383  #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
46384  
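Review bot: `pax_set_flags()` reports a missing `tsk->mm` by returning `-EINVAL`, but is not marked `__must_check`, so a caller can drop the failure and continue as if the flags had been applied. The same patch already uses the annotation on `pax_mirror_vma()`; do the same here: `static inline long __must_check pax_set_flags(struct task_struct *tsk, unsigned long flags)`. `pax_get_flags()` returns `0UL` for a task without an mm, which cannot be told apart from "no flags set", so add a line about that to its comment. The locking rule ("task_lock must be held") is stated only in comments; whether the callers honour it cannot be checked from this hunk.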
46385 @@ -2101,7 +2175,7 @@ extern void __cleanup_sighand(struct sig
46386  extern void exit_itimers(struct signal_struct *);
46387  extern void flush_itimer_signals(void);
46388  
46389 -extern NORET_TYPE void do_group_exit(int);
46390 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
46391  
46392  extern void daemonize(const char *, ...);
46393  extern int allow_signal(int);
46394 @@ -2217,8 +2291,8 @@ static inline void unlock_task_sighand(s
46395  
46396  #ifndef __HAVE_THREAD_FUNCTIONS
46397  
46398 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
46399 -#define task_stack_page(task)  ((task)->stack)
46400 +#define task_thread_info(task) ((task)->stack)
46401 +#define task_stack_page(task)  ((void *)(task)->stack)
46402  
46403  static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
46404  {
46405 @@ -2233,13 +2307,17 @@ static inline unsigned long *end_of_stac
46406  
46407  #endif
46408  
46409 -static inline int object_is_on_stack(void *obj)
46410 +static inline int object_starts_on_stack(void *obj)
46411  {
46412 -       void *stack = task_stack_page(current);
46413 +       const void *stack = task_stack_page(current);
46414  
46415         return (obj >= stack) && (obj < (stack + THREAD_SIZE));
46416  }
46417  
46418 +#ifdef CONFIG_PAX_USERCOPY
46419 +extern int object_is_on_stack(const void *obj, unsigned long len);
46420 +#endif
46421 +
46422  extern void thread_info_cache_init(void);
46423  
46424  #ifdef CONFIG_DEBUG_STACK_USAGE
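Review bot: The name `object_is_on_stack` is reused for a different function. The one-argument inline is renamed to `object_starts_on_stack()`, and a two-argument `extern int object_is_on_stack(const void *obj, unsigned long len)` is declared only under CONFIG_PAX_USERCOPY. Any existing caller of the one-argument form that is not converted elsewhere in the patch (not visible here) stops building, and the new declaration has no comment on its return convention. Give the length-aware check its own name, or document it next to the declaration, e.g. `/* returns <describe values>; checks the whole [obj, obj + len) range */`. Since `stack` is now `const void *`, the inline can take `const void *obj` as well.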
46425 diff -urNp linux-2.6.35.5/include/linux/screen_info.h linux-2.6.35.5/include/linux/screen_info.h
46426 --- linux-2.6.35.5/include/linux/screen_info.h  2010-08-26 19:47:12.000000000 -0400
46427 +++ linux-2.6.35.5/include/linux/screen_info.h  2010-09-17 20:12:09.000000000 -0400
46428 @@ -43,7 +43,8 @@ struct screen_info {
46429         __u16 pages;            /* 0x32 */
46430         __u16 vesa_attributes;  /* 0x34 */
46431         __u32 capabilities;     /* 0x36 */
46432 -       __u8  _reserved[6];     /* 0x3a */
46433 +       __u16 vesapm_size;      /* 0x3a */
46434 +       __u8  _reserved[4];     /* 0x3c */
46435  } __attribute__((packed));
46436  
46437  #define VIDEO_TYPE_MDA         0x10    /* Monochrome Text Display      */
46438 diff -urNp linux-2.6.35.5/include/linux/security.h linux-2.6.35.5/include/linux/security.h
46439 --- linux-2.6.35.5/include/linux/security.h     2010-08-26 19:47:12.000000000 -0400
46440 +++ linux-2.6.35.5/include/linux/security.h     2010-09-17 20:12:37.000000000 -0400
46441 @@ -34,6 +34,7 @@
46442  #include <linux/key.h>
46443  #include <linux/xfrm.h>
46444  #include <linux/slab.h>
46445 +#include <linux/grsecurity.h>
46446  #include <net/flow.h>
46447  
46448  /* Maximum number of letters for an LSM name string */
46449 diff -urNp linux-2.6.35.5/include/linux/shm.h linux-2.6.35.5/include/linux/shm.h
46450 --- linux-2.6.35.5/include/linux/shm.h  2010-08-26 19:47:12.000000000 -0400
46451 +++ linux-2.6.35.5/include/linux/shm.h  2010-09-17 20:12:37.000000000 -0400
46452 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
46453         pid_t                   shm_cprid;
46454         pid_t                   shm_lprid;
46455         struct user_struct      *mlock_user;
46456 +#ifdef CONFIG_GRKERNSEC
46457 +       time_t                  shm_createtime;
46458 +       pid_t                   shm_lapid;
46459 +#endif
46460  };
46461  
46462  /* shm_mode upper byte flags */
46463 diff -urNp linux-2.6.35.5/include/linux/slab.h linux-2.6.35.5/include/linux/slab.h
46464 --- linux-2.6.35.5/include/linux/slab.h 2010-08-26 19:47:12.000000000 -0400
46465 +++ linux-2.6.35.5/include/linux/slab.h 2010-09-17 20:12:09.000000000 -0400
46466 @@ -11,6 +11,7 @@
46467  
46468  #include <linux/gfp.h>
46469  #include <linux/types.h>
46470 +#include <linux/err.h>
46471  
46472  /*
46473   * Flags to pass to kmem_cache_create().
46474 @@ -87,10 +88,13 @@
46475   * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
46476   * Both make kfree a no-op.
46477   */
46478 -#define ZERO_SIZE_PTR ((void *)16)
46479 +#define ZERO_SIZE_PTR                          \
46480 +({                                             \
46481 +       BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
46482 +       (void *)(-MAX_ERRNO-1L);                \
46483 +})
46484  
46485 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
46486 -                               (unsigned long)ZERO_SIZE_PTR)
46487 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
46488  
46489  /*
46490   * struct kmem_cache related prototypes
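Review bot: `ZERO_OR_NULL_PTR(x)` now evaluates true for more than NULL and ZERO_SIZE_PTR. With ZERO_SIZE_PTR at `-MAX_ERRNO-1` and the comparison written as `(x) - 1 >= ZERO_SIZE_PTR - 1`, every value above it, which is the whole `ERR_PTR()` range, also passes, and NULL passes only through unsigned wraparound. The surviving comment ("Both make kfree a no-op") does not mention either fact. Add something like `/* true for NULL, ZERO_SIZE_PTR and any ERR_PTR() value; (x) - 1 wraps to ULONG_MAX for NULL */`, plus a line on what the `BUILD_BUG_ON` is protecting. ZERO_SIZE_PTR is also now a statement expression, so it can no longer appear in a constant initializer; whether any user needs that is not visible here.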
46491 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void 
46492  void kfree(const void *);
46493  void kzfree(const void *);
46494  size_t ksize(const void *);
46495 +void check_object_size(const void *ptr, unsigned long n, bool to);
46496  
46497  /*
46498   * Allocator specific definitions. These are mainly used to establish optimized
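Review bot: The new prototype `check_object_size(const void *ptr, unsigned long n, bool to)` gives no hint of what `to` selects or what a caller should expect when the check fails, and its definition is not in this hunk. I would add a short comment on the declaration stating what range is validated, what `to` means (presumably the copy direction, to be confirmed against the definition), and whether the function returns on failure. A bare `bool` argument at call sites reads as `check_object_size(p, n, true)`, so without that comment each caller has to look up the definition.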
46499 @@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t 
46500  
46501  void __init kmem_cache_init_late(void);
46502  
46503 +#define kmalloc(x, y)                                  \
46504 +({                                                     \
46505 +       void *___retval;                                \
46506 +       intoverflow_t ___x = (intoverflow_t)x;          \
46507 +       if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
46508 +               ___retval = NULL;                       \
46509 +       else                                            \
46510 +               ___retval = kmalloc((size_t)___x, (y)); \
46511 +       ___retval;                                      \
46512 +})
46513 +
46514 +#define kmalloc_node(x, y, z)                                  \
46515 +({                                                             \
46516 +       void *___retval;                                        \
46517 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46518 +       if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
46519 +               ___retval = NULL;                               \
46520 +       else                                                    \
46521 +               ___retval = kmalloc_node((size_t)___x, (y), (z));\
46522 +       ___retval;                                              \
46523 +})
46524 +
46525 +#define kzalloc(x, y)                                  \
46526 +({                                                     \
46527 +       void *___retval;                                \
46528 +       intoverflow_t ___x = (intoverflow_t)x;          \
46529 +       if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
46530 +               ___retval = NULL;                       \
46531 +       else                                            \
46532 +               ___retval = kzalloc((size_t)___x, (y)); \
46533 +       ___retval;                                      \
46534 +})
46535 +
46536  #endif /* _LINUX_SLAB_H */
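Review bot: The cast in `intoverflow_t ___x = (intoverflow_t)x;` leaves the macro argument unparenthesised, and that looks deliberate rather than an oversight: for a call such as `kmalloc(n * size, flags)` the cast binds to `n`, so the multiplication is carried out in `intoverflow_t` and the `> ULONG_MAX` test can see a product that would otherwise have wrapped. Nothing in the hunk says so, and the obvious cleanup of writing `(x)` would silently turn the check off. I would put a comment above the three wrappers, for example `/* x is deliberately not parenthesised: the cast must bind to the first operand so the size arithmetic is done in intoverflow_t */`, and note that only the leading operand is widened, so `a + n * size` is not covered. Whether the test can ever fire on 64-bit depends on the width of `intoverflow_t`, which is defined outside this hunk. The seven `vmalloc*` wrappers added in include/linux/vmalloc.h have the same form and need the same comment.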
46537 diff -urNp linux-2.6.35.5/include/linux/slub_def.h linux-2.6.35.5/include/linux/slub_def.h
46538 --- linux-2.6.35.5/include/linux/slub_def.h     2010-08-26 19:47:12.000000000 -0400
46539 +++ linux-2.6.35.5/include/linux/slub_def.h     2010-09-17 20:12:09.000000000 -0400
46540 @@ -79,7 +79,7 @@ struct kmem_cache {
46541         struct kmem_cache_order_objects max;
46542         struct kmem_cache_order_objects min;
46543         gfp_t allocflags;       /* gfp flags to use on each alloc */
46544 -       int refcount;           /* Refcount for slab cache destroy */
46545 +       atomic_t refcount;      /* Refcount for slab cache destroy */
46546         void (*ctor)(void *);
46547         int inuse;              /* Offset to metadata */
46548         int align;              /* Alignment */
46549 diff -urNp linux-2.6.35.5/include/linux/sonet.h linux-2.6.35.5/include/linux/sonet.h
46550 --- linux-2.6.35.5/include/linux/sonet.h        2010-08-26 19:47:12.000000000 -0400
46551 +++ linux-2.6.35.5/include/linux/sonet.h        2010-09-17 20:12:09.000000000 -0400
46552 @@ -61,7 +61,7 @@ struct sonet_stats {
46553  #include <asm/atomic.h>
46554  
46555  struct k_sonet_stats {
46556 -#define __HANDLE_ITEM(i) atomic_t i
46557 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
46558         __SONET_ITEMS
46559  #undef __HANDLE_ITEM
46560  };
46561 diff -urNp linux-2.6.35.5/include/linux/suspend.h linux-2.6.35.5/include/linux/suspend.h
46562 --- linux-2.6.35.5/include/linux/suspend.h      2010-08-26 19:47:12.000000000 -0400
46563 +++ linux-2.6.35.5/include/linux/suspend.h      2010-09-17 20:12:09.000000000 -0400
46564 @@ -104,15 +104,15 @@ typedef int __bitwise suspend_state_t;
46565   *     which require special recovery actions in that situation.
46566   */
46567  struct platform_suspend_ops {
46568 -       int (*valid)(suspend_state_t state);
46569 -       int (*begin)(suspend_state_t state);
46570 -       int (*prepare)(void);
46571 -       int (*prepare_late)(void);
46572 -       int (*enter)(suspend_state_t state);
46573 -       void (*wake)(void);
46574 -       void (*finish)(void);
46575 -       void (*end)(void);
46576 -       void (*recover)(void);
46577 +       int (* const valid)(suspend_state_t state);
46578 +       int (* const begin)(suspend_state_t state);
46579 +       int (* const prepare)(void);
46580 +       int (* const prepare_late)(void);
46581 +       int (* const enter)(suspend_state_t state);
46582 +       void (* const wake)(void);
46583 +       void (* const finish)(void);
46584 +       void (* const end)(void);
46585 +       void (* const recover)(void);
46586  };
46587  
46588  #ifdef CONFIG_SUSPEND
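Review bot: The kernel-doc for `struct platform_suspend_ops` is not updated to say that every callback is now `* const`, which changes how the structure may be used: an instance can only be populated by its initializer, and code that assigns a member at run time no longer compiles. I would add a line to the comment above the struct, which starts outside this hunk, such as `* All callbacks are const; define instances with a static initializer, preferably as const objects.` The per-member qualifier does not by itself make an instance const-qualified, so each table should still be declared `const` where it is defined. The same applies to `platform_hibernation_ops` later in this file and to `sysfs_ops`, `neigh_ops` and `snd_ac97_build_ops` in their headers; note that `neigh_ops` keeps a writable `int family`.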
46589 @@ -120,7 +120,7 @@ struct platform_suspend_ops {
46590   * suspend_set_ops - set platform dependent suspend operations
46591   * @ops: The new suspend operations to set.
46592   */
46593 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
46594 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
46595  extern int suspend_valid_only_mem(suspend_state_t state);
46596  
46597  /**
46598 @@ -145,7 +145,7 @@ extern int pm_suspend(suspend_state_t st
46599  #else /* !CONFIG_SUSPEND */
46600  #define suspend_valid_only_mem NULL
46601  
46602 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
46603 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
46604  static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
46605  #endif /* !CONFIG_SUSPEND */
46606  
46607 @@ -215,16 +215,16 @@ extern void mark_free_pages(struct zone 
46608   *     platforms which require special recovery actions in that situation.
46609   */
46610  struct platform_hibernation_ops {
46611 -       int (*begin)(void);
46612 -       void (*end)(void);
46613 -       int (*pre_snapshot)(void);
46614 -       void (*finish)(void);
46615 -       int (*prepare)(void);
46616 -       int (*enter)(void);
46617 -       void (*leave)(void);
46618 -       int (*pre_restore)(void);
46619 -       void (*restore_cleanup)(void);
46620 -       void (*recover)(void);
46621 +       int (* const begin)(void);
46622 +       void (* const end)(void);
46623 +       int (* const pre_snapshot)(void);
46624 +       void (* const finish)(void);
46625 +       int (* const prepare)(void);
46626 +       int (* const enter)(void);
46627 +       void (* const leave)(void);
46628 +       int (* const pre_restore)(void);
46629 +       void (* const restore_cleanup)(void);
46630 +       void (* const recover)(void);
46631  };
46632  
46633  #ifdef CONFIG_HIBERNATION
46634 @@ -243,7 +243,7 @@ extern void swsusp_set_page_free(struct 
46635  extern void swsusp_unset_page_free(struct page *);
46636  extern unsigned long get_safe_page(gfp_t gfp_mask);
46637  
46638 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
46639 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
46640  extern int hibernate(void);
46641  extern bool system_entering_hibernation(void);
46642  #else /* CONFIG_HIBERNATION */
46643 @@ -251,7 +251,7 @@ static inline int swsusp_page_is_forbidd
46644  static inline void swsusp_set_page_free(struct page *p) {}
46645  static inline void swsusp_unset_page_free(struct page *p) {}
46646  
46647 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
46648 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
46649  static inline int hibernate(void) { return -ENOSYS; }
46650  static inline bool system_entering_hibernation(void) { return false; }
46651  #endif /* CONFIG_HIBERNATION */
46652 diff -urNp linux-2.6.35.5/include/linux/sysctl.h linux-2.6.35.5/include/linux/sysctl.h
46653 --- linux-2.6.35.5/include/linux/sysctl.h       2010-08-26 19:47:12.000000000 -0400
46654 +++ linux-2.6.35.5/include/linux/sysctl.h       2010-09-17 20:12:09.000000000 -0400
46655 @@ -155,7 +155,11 @@ enum
46656         KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
46657  };
46658  
46659 -
46660 +#ifdef CONFIG_PAX_SOFTMODE
46661 +enum {
46662 +       PAX_SOFTMODE=1          /* PaX: disable/enable soft mode */
46663 +};
46664 +#endif
46665  
46666  /* CTL_VM names: */
46667  enum
46668 diff -urNp linux-2.6.35.5/include/linux/sysfs.h linux-2.6.35.5/include/linux/sysfs.h
46669 --- linux-2.6.35.5/include/linux/sysfs.h        2010-08-26 19:47:12.000000000 -0400
46670 +++ linux-2.6.35.5/include/linux/sysfs.h        2010-09-17 20:12:09.000000000 -0400
46671 @@ -115,8 +115,8 @@ struct bin_attribute {
46672  #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
46673  
46674  struct sysfs_ops {
46675 -       ssize_t (*show)(struct kobject *, struct attribute *,char *);
46676 -       ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
46677 +       ssize_t (* const show)(struct kobject *, struct attribute *,char *);
46678 +       ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
46679  };
46680  
46681  struct sysfs_dirent;
46682 diff -urNp linux-2.6.35.5/include/linux/thread_info.h linux-2.6.35.5/include/linux/thread_info.h
46683 --- linux-2.6.35.5/include/linux/thread_info.h  2010-08-26 19:47:12.000000000 -0400
46684 +++ linux-2.6.35.5/include/linux/thread_info.h  2010-09-17 20:12:09.000000000 -0400
46685 @@ -23,7 +23,7 @@ struct restart_block {
46686                 };
46687                 /* For futex_wait and futex_wait_requeue_pi */
46688                 struct {
46689 -                       u32 *uaddr;
46690 +                       u32 __user *uaddr;
46691                         u32 val;
46692                         u32 flags;
46693                         u32 bitset;
46694 diff -urNp linux-2.6.35.5/include/linux/tty.h linux-2.6.35.5/include/linux/tty.h
46695 --- linux-2.6.35.5/include/linux/tty.h  2010-08-26 19:47:12.000000000 -0400
46696 +++ linux-2.6.35.5/include/linux/tty.h  2010-09-17 20:12:09.000000000 -0400
46697 @@ -13,6 +13,7 @@
46698  #include <linux/tty_driver.h>
46699  #include <linux/tty_ldisc.h>
46700  #include <linux/mutex.h>
46701 +#include <linux/poll.h>
46702  
46703  #include <asm/system.h>
46704  
46705 @@ -453,7 +454,6 @@ extern int tty_perform_flush(struct tty_
46706  extern dev_t tty_devnum(struct tty_struct *tty);
46707  extern void proc_clear_tty(struct task_struct *p);
46708  extern struct tty_struct *get_current_tty(void);
46709 -extern void tty_default_fops(struct file_operations *fops);
46710  extern struct tty_struct *alloc_tty_struct(void);
46711  extern void free_tty_struct(struct tty_struct *tty);
46712  extern void initialize_tty_struct(struct tty_struct *tty,
46713 @@ -514,6 +514,18 @@ extern void tty_ldisc_begin(void);
46714  /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
46715  extern void tty_ldisc_enable(struct tty_struct *tty);
46716  
46717 +/* tty_io.c */
46718 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
46719 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
46720 +extern unsigned int tty_poll(struct file *, poll_table *);
46721 +#ifdef CONFIG_COMPAT
46722 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
46723 +                               unsigned long arg);
46724 +#else
46725 +#define tty_compat_ioctl NULL
46726 +#endif
46727 +extern int tty_release(struct inode *, struct file *);
46728 +extern int tty_fasync(int fd, struct file *filp, int on);
46729  
46730  /* n_tty.c */
46731  extern struct tty_ldisc_ops tty_ldisc_N_TTY;
46732 diff -urNp linux-2.6.35.5/include/linux/tty_ldisc.h linux-2.6.35.5/include/linux/tty_ldisc.h
46733 --- linux-2.6.35.5/include/linux/tty_ldisc.h    2010-08-26 19:47:12.000000000 -0400
46734 +++ linux-2.6.35.5/include/linux/tty_ldisc.h    2010-09-17 20:12:09.000000000 -0400
46735 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
46736  
46737         struct  module *owner;
46738         
46739 -       int refcount;
46740 +       atomic_t refcount;
46741  };
46742  
46743  struct tty_ldisc {
46744 diff -urNp linux-2.6.35.5/include/linux/types.h linux-2.6.35.5/include/linux/types.h
46745 --- linux-2.6.35.5/include/linux/types.h        2010-08-26 19:47:12.000000000 -0400
46746 +++ linux-2.6.35.5/include/linux/types.h        2010-09-17 20:12:09.000000000 -0400
46747 @@ -191,10 +191,26 @@ typedef struct {
46748         int counter;
46749  } atomic_t;
46750  
46751 +#ifdef CONFIG_PAX_REFCOUNT
46752 +typedef struct {
46753 +       int counter;
46754 +} atomic_unchecked_t;
46755 +#else
46756 +typedef atomic_t atomic_unchecked_t;
46757 +#endif
46758 +
46759  #ifdef CONFIG_64BIT
46760  typedef struct {
46761         long counter;
46762  } atomic64_t;
46763 +
46764 +#ifdef CONFIG_PAX_REFCOUNT
46765 +typedef struct {
46766 +       long counter;
46767 +} atomic64_unchecked_t;
46768 +#else
46769 +typedef atomic64_t atomic64_unchecked_t;
46770 +#endif
46771  #endif
46772  
46773  struct ustat {
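Review bot: `atomic_unchecked_t` and `atomic64_unchecked_t` are introduced without a comment saying when each type is the right one, and the choice is security-relevant under `CONFIG_PAX_REFCOUNT`. From their use elsewhere in this patch (`vm_stat`, `k_sonet_stats`) they appear intended for statistics counters where wraparound is harmless, while reference counts stay `atomic_t`. A comment above the first typedef would record that, e.g. `/* for counters that may wrap harmlessly (statistics); never for reference counts */`. Because the type is a distinct struct only when the option is on and a plain alias otherwise, mixing the checked and `_unchecked` accessors presumably compiles silently in the default configuration, so a build with the option enabled is needed to catch misuse.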
46774 diff -urNp linux-2.6.35.5/include/linux/uaccess.h linux-2.6.35.5/include/linux/uaccess.h
46775 --- linux-2.6.35.5/include/linux/uaccess.h      2010-08-26 19:47:12.000000000 -0400
46776 +++ linux-2.6.35.5/include/linux/uaccess.h      2010-09-17 20:12:09.000000000 -0400
46777 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
46778                 long ret;                               \
46779                 mm_segment_t old_fs = get_fs();         \
46780                                                         \
46781 -               set_fs(KERNEL_DS);                      \
46782                 pagefault_disable();                    \
46783 +               set_fs(KERNEL_DS);                      \
46784                 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval));            \
46785 -               pagefault_enable();                     \
46786                 set_fs(old_fs);                         \
46787 +               pagefault_enable();                     \
46788                 ret;                                    \
46789         })
46790  
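Review bot: Nothing records why `pagefault_disable()` now precedes `set_fs(KERNEL_DS)` and `set_fs(old_fs)` now precedes `pagefault_enable()`. The effect visible here is that the `KERNEL_DS` window is fully nested inside the pagefault-disabled region. Since the two orders look interchangeable to a casual reader, a comment ahead of the macro would stop it being reordered back, e.g. `/* keep set_fs(KERNEL_DS)/set_fs(old_fs) inside the pagefault_disable() section */`. The macro's name and opening lines are outside this hunk, so the comment has to go there rather than between the continuation lines.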
46791 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
46792   * Safely read from address @src to the buffer at @dst.  If a kernel fault
46793   * happens, handle that and return -EFAULT.
46794   */
46795 -extern long probe_kernel_read(void *dst, void *src, size_t size);
46796 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
46797 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
46798 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
46799  
46800  /*
46801   * probe_kernel_write(): safely attempt to write to a location
46802 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
46803   * Safely write to address @dst from the buffer at @src.  If a kernel fault
46804   * happens, handle that and return -EFAULT.
46805   */
46806 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
46807 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
46808 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
46809 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
46810  
46811  #endif         /* __LINUX_UACCESS_H__ */
46812 diff -urNp linux-2.6.35.5/include/linux/usb/hcd.h linux-2.6.35.5/include/linux/usb/hcd.h
46813 --- linux-2.6.35.5/include/linux/usb/hcd.h      2010-08-26 19:47:12.000000000 -0400
46814 +++ linux-2.6.35.5/include/linux/usb/hcd.h      2010-09-17 20:12:09.000000000 -0400
46815 @@ -559,7 +559,7 @@ struct usb_mon_operations {
46816         /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
46817  };
46818  
46819 -extern struct usb_mon_operations *mon_ops;
46820 +extern const struct usb_mon_operations *mon_ops;
46821  
46822  static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
46823  {
46824 @@ -581,7 +581,7 @@ static inline void usbmon_urb_complete(s
46825                 (*mon_ops->urb_complete)(bus, urb, status);
46826  }
46827  
46828 -int usb_mon_register(struct usb_mon_operations *ops);
46829 +int usb_mon_register(const struct usb_mon_operations *ops);
46830  void usb_mon_deregister(void);
46831  
46832  #else
46833 diff -urNp linux-2.6.35.5/include/linux/vmalloc.h linux-2.6.35.5/include/linux/vmalloc.h
46834 --- linux-2.6.35.5/include/linux/vmalloc.h      2010-08-26 19:47:12.000000000 -0400
46835 +++ linux-2.6.35.5/include/linux/vmalloc.h      2010-09-17 20:12:09.000000000 -0400
46836 @@ -13,6 +13,11 @@ struct vm_area_struct;               /* vma defining 
46837  #define VM_MAP         0x00000004      /* vmap()ed pages */
46838  #define VM_USERMAP     0x00000008      /* suitable for remap_vmalloc_range */
46839  #define VM_VPAGES      0x00000010      /* buffer for pages was vmalloc'ed */
46840 +
46841 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
46842 +#define VM_KERNEXEC    0x00000020      /* allocate from executable kernel memory range */
46843 +#endif
46844 +
46845  /* bits [20..32] reserved for arch specific ioremap internals */
46846  
46847  /*
46848 @@ -121,4 +126,81 @@ struct vm_struct **pcpu_get_vm_areas(con
46849  
46850  void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
46851  
46852 +#define vmalloc(x)                                             \
46853 +({                                                             \
46854 +       void *___retval;                                        \
46855 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46856 +       if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n"))  \
46857 +               ___retval = NULL;                               \
46858 +       else                                                    \
46859 +               ___retval = vmalloc((unsigned long)___x);       \
46860 +       ___retval;                                              \
46861 +})
46862 +
46863 +#define __vmalloc(x, y, z)                                     \
46864 +({                                                             \
46865 +       void *___retval;                                        \
46866 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46867 +       if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
46868 +               ___retval = NULL;                               \
46869 +       else                                                    \
46870 +               ___retval = __vmalloc((unsigned long)___x, (y), (z));\
46871 +       ___retval;                                              \
46872 +})
46873 +
46874 +#define vmalloc_user(x)                                                \
46875 +({                                                             \
46876 +       void *___retval;                                        \
46877 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46878 +       if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
46879 +               ___retval = NULL;                               \
46880 +       else                                                    \
46881 +               ___retval = vmalloc_user((unsigned long)___x);  \
46882 +       ___retval;                                              \
46883 +})
46884 +
46885 +#define vmalloc_exec(x)                                                \
46886 +({                                                             \
46887 +       void *___retval;                                        \
46888 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46889 +       if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
46890 +               ___retval = NULL;                               \
46891 +       else                                                    \
46892 +               ___retval = vmalloc_exec((unsigned long)___x);  \
46893 +       ___retval;                                              \
46894 +})
46895 +
46896 +#define vmalloc_node(x, y)                                     \
46897 +({                                                             \
46898 +       void *___retval;                                        \
46899 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46900 +       if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
46901 +               ___retval = NULL;                               \
46902 +       else                                                    \
46903 +               ___retval = vmalloc_node((unsigned long)___x, (y));\
46904 +       ___retval;                                              \
46905 +})
46906 +
46907 +#define vmalloc_32(x)                                          \
46908 +({                                                             \
46909 +       void *___retval;                                        \
46910 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46911 +       if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
46912 +               ___retval = NULL;                               \
46913 +       else                                                    \
46914 +               ___retval = vmalloc_32((unsigned long)___x);    \
46915 +       ___retval;                                              \
46916 +})
46917 +
46918 +#define vmalloc_32_user(x)                                     \
46919 +({                                                             \
46920 +       void *___retval;                                        \
46921 +       intoverflow_t ___x = (intoverflow_t)x;                  \
46922 +       if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
46923 +               ___retval = NULL;                               \
46924 +       else                                                    \
46925 +               ___retval = vmalloc_32_user((unsigned long)___x);\
46926 +       ___retval;                                              \
46927 +})
46928 +
46929  #endif /* _LINUX_VMALLOC_H */
46930 diff -urNp linux-2.6.35.5/include/linux/vmstat.h linux-2.6.35.5/include/linux/vmstat.h
46931 --- linux-2.6.35.5/include/linux/vmstat.h       2010-08-26 19:47:12.000000000 -0400
46932 +++ linux-2.6.35.5/include/linux/vmstat.h       2010-09-17 20:12:09.000000000 -0400
46933 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
46934  /*
46935   * Zone based page accounting with per cpu differentials.
46936   */
46937 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46938 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46939  
46940  static inline void zone_page_state_add(long x, struct zone *zone,
46941                                  enum zone_stat_item item)
46942  {
46943 -       atomic_long_add(x, &zone->vm_stat[item]);
46944 -       atomic_long_add(x, &vm_stat[item]);
46945 +       atomic_long_add_unchecked(x, &zone->vm_stat[item]);
46946 +       atomic_long_add_unchecked(x, &vm_stat[item]);
46947  }
46948  
46949  static inline unsigned long global_page_state(enum zone_stat_item item)
46950  {
46951 -       long x = atomic_long_read(&vm_stat[item]);
46952 +       long x = atomic_long_read_unchecked(&vm_stat[item]);
46953  #ifdef CONFIG_SMP
46954         if (x < 0)
46955                 x = 0;
46956 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
46957  static inline unsigned long zone_page_state(struct zone *zone,
46958                                         enum zone_stat_item item)
46959  {
46960 -       long x = atomic_long_read(&zone->vm_stat[item]);
46961 +       long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
46962  #ifdef CONFIG_SMP
46963         if (x < 0)
46964                 x = 0;
46965 @@ -246,8 +246,8 @@ static inline void __mod_zone_page_state
46966  
46967  static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
46968  {
46969 -       atomic_long_inc(&zone->vm_stat[item]);
46970 -       atomic_long_inc(&vm_stat[item]);
46971 +       atomic_long_inc_unchecked(&zone->vm_stat[item]);
46972 +       atomic_long_inc_unchecked(&vm_stat[item]);
46973  }
46974  
46975  static inline void __inc_zone_page_state(struct page *page,
46976 @@ -258,8 +258,8 @@ static inline void __inc_zone_page_state
46977  
46978  static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
46979  {
46980 -       atomic_long_dec(&zone->vm_stat[item]);
46981 -       atomic_long_dec(&vm_stat[item]);
46982 +       atomic_long_dec_unchecked(&zone->vm_stat[item]);
46983 +       atomic_long_dec_unchecked(&vm_stat[item]);
46984  }
46985  
46986  static inline void __dec_zone_page_state(struct page *page,
46987 diff -urNp linux-2.6.35.5/include/net/irda/ircomm_tty.h linux-2.6.35.5/include/net/irda/ircomm_tty.h
46988 --- linux-2.6.35.5/include/net/irda/ircomm_tty.h        2010-08-26 19:47:12.000000000 -0400
46989 +++ linux-2.6.35.5/include/net/irda/ircomm_tty.h        2010-09-17 20:12:09.000000000 -0400
46990 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
46991          unsigned short    close_delay;
46992          unsigned short    closing_wait; /* time to wait before closing */
46993  
46994 -       int  open_count;
46995 -       int  blocked_open;      /* # of blocked opens */
46996 +       atomic_t open_count;
46997 +       atomic_t blocked_open;  /* # of blocked opens */
46998  
46999         /* Protect concurent access to :
47000          *      o self->open_count
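Review bot: The comment that follows these fields still lists `self->open_count` as needing protection against concurrent access, which is ambiguous now that `open_count` and `blocked_open` are `atomic_t`. Atomic types make each individual increment or read safe, but a sequence that tests the count and then acts on it is only safe if something still serialises it. The comment should say which accesses that covers, along the lines of `open_count is atomic_t; test-and-act sequences on it are still done under the lock`, if that is indeed the case. The comment and the rest of the struct continue past the end of this hunk, so the protecting primitive itself is not visible here.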
47001 diff -urNp linux-2.6.35.5/include/net/neighbour.h linux-2.6.35.5/include/net/neighbour.h
47002 --- linux-2.6.35.5/include/net/neighbour.h      2010-08-26 19:47:12.000000000 -0400
47003 +++ linux-2.6.35.5/include/net/neighbour.h      2010-09-17 20:12:09.000000000 -0400
47004 @@ -116,12 +116,12 @@ struct neighbour {
47005  
47006  struct neigh_ops {
47007         int                     family;
47008 -       void                    (*solicit)(struct neighbour *, struct sk_buff*);
47009 -       void                    (*error_report)(struct neighbour *, struct sk_buff*);
47010 -       int                     (*output)(struct sk_buff*);
47011 -       int                     (*connected_output)(struct sk_buff*);
47012 -       int                     (*hh_output)(struct sk_buff*);
47013 -       int                     (*queue_xmit)(struct sk_buff*);
47014 +       void                    (* const solicit)(struct neighbour *, struct sk_buff*);
47015 +       void                    (* const error_report)(struct neighbour *, struct sk_buff*);
47016 +       int                     (* const output)(struct sk_buff*);
47017 +       int                     (* const connected_output)(struct sk_buff*);
47018 +       int                     (* const hh_output)(struct sk_buff*);
47019 +       int                     (* const queue_xmit)(struct sk_buff*);
47020  };
47021  
47022  struct pneigh_entry {
47023 diff -urNp linux-2.6.35.5/include/net/sctp/sctp.h linux-2.6.35.5/include/net/sctp/sctp.h
47024 --- linux-2.6.35.5/include/net/sctp/sctp.h      2010-08-26 19:47:12.000000000 -0400
47025 +++ linux-2.6.35.5/include/net/sctp/sctp.h      2010-09-17 20:12:09.000000000 -0400
47026 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
47027  
47028  #else  /* SCTP_DEBUG */
47029  
47030 -#define SCTP_DEBUG_PRINTK(whatever...)
47031 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
47032 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
47033 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
47034  #define SCTP_ENABLE_DEBUG
47035  #define SCTP_DISABLE_DEBUG
47036  #define SCTP_ASSERT(expr, str, func)
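Review bot: Only the two printk macros get a `do {} while (0)` body; `SCTP_ENABLE_DEBUG`, `SCTP_DISABLE_DEBUG` and `SCTP_ASSERT(expr, str, func)` directly below still expand to nothing in the non-debug build. For consistency, and to avoid an empty body where one of them is the sole statement of an `if`, they could take the same form, e.g. `#define SCTP_ASSERT(expr, str, func) do {} while (0)`.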
47037 diff -urNp linux-2.6.35.5/include/net/tcp.h linux-2.6.35.5/include/net/tcp.h
47038 --- linux-2.6.35.5/include/net/tcp.h    2010-08-26 19:47:12.000000000 -0400
47039 +++ linux-2.6.35.5/include/net/tcp.h    2010-09-17 20:12:09.000000000 -0400
47040 @@ -1404,6 +1404,7 @@ enum tcp_seq_states {
47041  struct tcp_seq_afinfo {
47042         char                    *name;
47043         sa_family_t             family;
47044 +       /* cannot be const */
47045         struct file_operations  seq_fops;
47046         struct seq_operations   seq_ops;
47047  };
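Review bot: The added `/* cannot be const */` states a constraint without the reason, so a later constification pass has nothing to check it against. Presumably `seq_fops` and `seq_ops` are filled in at registration time rather than by an initializer; if so, the comment should say it: `/* cannot be const: filled in at run time when the afinfo is registered */` (to be confirmed against the registration code, which is not in this hunk). The identical comment added to `struct udp_seq_afinfo` in include/net/udp.h needs the same expansion.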
47048 diff -urNp linux-2.6.35.5/include/net/udp.h linux-2.6.35.5/include/net/udp.h
47049 --- linux-2.6.35.5/include/net/udp.h    2010-08-26 19:47:12.000000000 -0400
47050 +++ linux-2.6.35.5/include/net/udp.h    2010-09-17 20:12:09.000000000 -0400
47051 @@ -221,6 +221,7 @@ struct udp_seq_afinfo {
47052         char                    *name;
47053         sa_family_t             family;
47054         struct udp_table        *udp_table;
47055 +       /* cannot be const */
47056         struct file_operations  seq_fops;
47057         struct seq_operations   seq_ops;
47058  };
47059 diff -urNp linux-2.6.35.5/include/sound/ac97_codec.h linux-2.6.35.5/include/sound/ac97_codec.h
47060 --- linux-2.6.35.5/include/sound/ac97_codec.h   2010-08-26 19:47:12.000000000 -0400
47061 +++ linux-2.6.35.5/include/sound/ac97_codec.h   2010-09-17 20:12:09.000000000 -0400
47062 @@ -419,15 +419,15 @@
47063  struct snd_ac97;
47064  
47065  struct snd_ac97_build_ops {
47066 -       int (*build_3d) (struct snd_ac97 *ac97);
47067 -       int (*build_specific) (struct snd_ac97 *ac97);
47068 -       int (*build_spdif) (struct snd_ac97 *ac97);
47069 -       int (*build_post_spdif) (struct snd_ac97 *ac97);
47070 +       int (* const build_3d) (struct snd_ac97 *ac97);
47071 +       int (* const build_specific) (struct snd_ac97 *ac97);
47072 +       int (* const build_spdif) (struct snd_ac97 *ac97);
47073 +       int (* const build_post_spdif) (struct snd_ac97 *ac97);
47074  #ifdef CONFIG_PM
47075 -       void (*suspend) (struct snd_ac97 *ac97);
47076 -       void (*resume) (struct snd_ac97 *ac97);
47077 +       void (* const suspend) (struct snd_ac97 *ac97);
47078 +       void (* const resume) (struct snd_ac97 *ac97);
47079  #endif
47080 -       void (*update_jacks) (struct snd_ac97 *ac97);   /* for jack-sharing */
47081 +       void (* const update_jacks) (struct snd_ac97 *ac97);    /* for jack-sharing */
47082  };
47083  
47084  struct snd_ac97_bus_ops {
47085 @@ -477,7 +477,7 @@ struct snd_ac97_template {
47086  
47087  struct snd_ac97 {
47088         /* -- lowlevel (hardware) driver specific -- */
47089 -       struct snd_ac97_build_ops * build_ops;
47090 +       const struct snd_ac97_build_ops * build_ops;
47091         void *private_data;
47092         void (*private_free) (struct snd_ac97 *ac97);
47093         /* --- */
47094 diff -urNp linux-2.6.35.5/include/trace/events/irq.h linux-2.6.35.5/include/trace/events/irq.h
47095 --- linux-2.6.35.5/include/trace/events/irq.h   2010-08-26 19:47:12.000000000 -0400
47096 +++ linux-2.6.35.5/include/trace/events/irq.h   2010-09-17 20:12:09.000000000 -0400
47097 @@ -34,7 +34,7 @@
47098   */
47099  TRACE_EVENT(irq_handler_entry,
47100  
47101 -       TP_PROTO(int irq, struct irqaction *action),
47102 +       TP_PROTO(int irq, const struct irqaction *action),
47103  
47104         TP_ARGS(irq, action),
47105  
47106 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
47107   */
47108  TRACE_EVENT(irq_handler_exit,
47109  
47110 -       TP_PROTO(int irq, struct irqaction *action, int ret),
47111 +       TP_PROTO(int irq, const struct irqaction *action, int ret),
47112  
47113         TP_ARGS(irq, action, ret),
47114  
47115 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
47116  
47117  DECLARE_EVENT_CLASS(softirq,
47118  
47119 -       TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47120 +       TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47121  
47122         TP_ARGS(h, vec),
47123  
47124 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
47125   */
47126  DEFINE_EVENT(softirq, softirq_entry,
47127  
47128 -       TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47129 +       TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47130  
47131         TP_ARGS(h, vec)
47132  );
47133 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
47134   */
47135  DEFINE_EVENT(softirq, softirq_exit,
47136  
47137 -       TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
47138 +       TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
47139  
47140         TP_ARGS(h, vec)
47141  );
47142 diff -urNp linux-2.6.35.5/include/video/uvesafb.h linux-2.6.35.5/include/video/uvesafb.h
47143 --- linux-2.6.35.5/include/video/uvesafb.h      2010-08-26 19:47:12.000000000 -0400
47144 +++ linux-2.6.35.5/include/video/uvesafb.h      2010-09-17 20:12:09.000000000 -0400
47145 @@ -177,6 +177,7 @@ struct uvesafb_par {
47146         u8 ypan;                        /* 0 - nothing, 1 - ypan, 2 - ywrap */
47147         u8 pmi_setpal;                  /* PMI for palette changes */
47148         u16 *pmi_base;                  /* protected mode interface location */
47149 +       u8 *pmi_code;                   /* protected mode code location */
47150         void *pmi_start;
47151         void *pmi_pal;
47152         u8 *vbe_state_orig;             /*
47153 diff -urNp linux-2.6.35.5/init/do_mounts.c linux-2.6.35.5/init/do_mounts.c
47154 --- linux-2.6.35.5/init/do_mounts.c     2010-08-26 19:47:12.000000000 -0400
47155 +++ linux-2.6.35.5/init/do_mounts.c     2010-09-17 20:12:09.000000000 -0400
47156 @@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
47157  
47158  static int __init do_mount_root(char *name, char *fs, int flags, void *data)
47159  {
47160 -       int err = sys_mount(name, "/root", fs, flags, data);
47161 +       int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
47162         if (err)
47163                 return err;
47164  
47165 -       sys_chdir("/root");
47166 +       sys_chdir((__force char __user *)"/root");
47167         ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
47168         printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
47169                current->fs->pwd.mnt->mnt_sb->s_type->name,
47170 @@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
47171         va_start(args, fmt);
47172         vsprintf(buf, fmt, args);
47173         va_end(args);
47174 -       fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
47175 +       fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
47176         if (fd >= 0) {
47177                 sys_ioctl(fd, FDEJECT, 0);
47178                 sys_close(fd);
47179         }
47180         printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
47181 -       fd = sys_open("/dev/console", O_RDWR, 0);
47182 +       fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
47183         if (fd >= 0) {
47184                 sys_ioctl(fd, TCGETS, (long)&termios);
47185                 termios.c_lflag &= ~ICANON;
47186                 sys_ioctl(fd, TCSETSF, (long)&termios);
47187 -               sys_read(fd, &c, 1);
47188 +               sys_read(fd, (char __user *)&c, 1);
47189                 termios.c_lflag |= ICANON;
47190                 sys_ioctl(fd, TCSETSF, (long)&termios);
47191                 sys_close(fd);
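Review bot: The cast on the first `sys_open` in this hunk, `(char __user *)"/dev/root"`, and the one on `sys_read`, `(char __user *)&c`, leave out `__force`, unlike the `/dev/console` call a few lines below and the other init/ call sites in this patch. Without `__force`, sparse still reports the address-space change, so these two lines keep the warning the rest of the patch removes. I would write `(__force const char __user *)"/dev/root"` and `(__force char __user *)&c`. The `sys_mkdir` casts for `"/dev"` and `"/root"` in the init/noinitramfs.c hunk have the same omission. change_floppy starts and ends outside the hunk.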
47192 @@ -417,6 +417,6 @@ void __init prepare_namespace(void)
47193         mount_root();
47194  out:
47195         devtmpfs_mount("dev");
47196 -       sys_mount(".", "/", NULL, MS_MOVE, NULL);
47197 -       sys_chroot(".");
47198 +       sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47199 +       sys_chroot((__force char __user *)".");
47200  }
47201 diff -urNp linux-2.6.35.5/init/do_mounts.h linux-2.6.35.5/init/do_mounts.h
47202 --- linux-2.6.35.5/init/do_mounts.h     2010-08-26 19:47:12.000000000 -0400
47203 +++ linux-2.6.35.5/init/do_mounts.h     2010-09-17 20:12:09.000000000 -0400
47204 @@ -15,15 +15,15 @@ extern int root_mountflags;
47205  
47206  static inline int create_dev(char *name, dev_t dev)
47207  {
47208 -       sys_unlink(name);
47209 -       return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
47210 +       sys_unlink((__force char __user *)name);
47211 +       return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
47212  }
47213  
47214  #if BITS_PER_LONG == 32
47215  static inline u32 bstat(char *name)
47216  {
47217         struct stat64 stat;
47218 -       if (sys_stat64(name, &stat) != 0)
47219 +       if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
47220                 return 0;
47221         if (!S_ISBLK(stat.st_mode))
47222                 return 0;
47223 diff -urNp linux-2.6.35.5/init/do_mounts_initrd.c linux-2.6.35.5/init/do_mounts_initrd.c
47224 --- linux-2.6.35.5/init/do_mounts_initrd.c      2010-08-26 19:47:12.000000000 -0400
47225 +++ linux-2.6.35.5/init/do_mounts_initrd.c      2010-09-17 20:12:09.000000000 -0400
47226 @@ -43,13 +43,13 @@ static void __init handle_initrd(void)
47227         create_dev("/dev/root.old", Root_RAM0);
47228         /* mount initrd on rootfs' /root */
47229         mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
47230 -       sys_mkdir("/old", 0700);
47231 -       root_fd = sys_open("/", 0, 0);
47232 -       old_fd = sys_open("/old", 0, 0);
47233 +       sys_mkdir((__force const char __user *)"/old", 0700);
47234 +       root_fd = sys_open((__force const char __user *)"/", 0, 0);
47235 +       old_fd = sys_open((__force const char __user *)"/old", 0, 0);
47236         /* move initrd over / and chdir/chroot in initrd root */
47237 -       sys_chdir("/root");
47238 -       sys_mount(".", "/", NULL, MS_MOVE, NULL);
47239 -       sys_chroot(".");
47240 +       sys_chdir((__force const char __user *)"/root");
47241 +       sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
47242 +       sys_chroot((__force const char __user *)".");
47243  
47244         /*
47245          * In case that a resume from disk is carried out by linuxrc or one of
47246 @@ -66,15 +66,15 @@ static void __init handle_initrd(void)
47247  
47248         /* move initrd to rootfs' /old */
47249         sys_fchdir(old_fd);
47250 -       sys_mount("/", ".", NULL, MS_MOVE, NULL);
47251 +       sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
47252         /* switch root and cwd back to / of rootfs */
47253         sys_fchdir(root_fd);
47254 -       sys_chroot(".");
47255 +       sys_chroot((__force const char __user *)".");
47256         sys_close(old_fd);
47257         sys_close(root_fd);
47258  
47259         if (new_decode_dev(real_root_dev) == Root_RAM0) {
47260 -               sys_chdir("/old");
47261 +               sys_chdir((__force const char __user *)"/old");
47262                 return;
47263         }
47264  
47265 @@ -82,17 +82,17 @@ static void __init handle_initrd(void)
47266         mount_root();
47267  
47268         printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
47269 -       error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
47270 +       error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
47271         if (!error)
47272                 printk("okay\n");
47273         else {
47274 -               int fd = sys_open("/dev/root.old", O_RDWR, 0);
47275 +               int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
47276                 if (error == -ENOENT)
47277                         printk("/initrd does not exist. Ignored.\n");
47278                 else
47279                         printk("failed\n");
47280                 printk(KERN_NOTICE "Unmounting old root\n");
47281 -               sys_umount("/old", MNT_DETACH);
47282 +               sys_umount((__force char __user *)"/old", MNT_DETACH);
47283                 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
47284                 if (fd < 0) {
47285                         error = fd;
47286 @@ -115,11 +115,11 @@ int __init initrd_load(void)
47287                  * mounted in the normal path.
47288                  */
47289                 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
47290 -                       sys_unlink("/initrd.image");
47291 +                       sys_unlink((__force const char __user *)"/initrd.image");
47292                         handle_initrd();
47293                         return 1;
47294                 }
47295         }
47296 -       sys_unlink("/initrd.image");
47297 +       sys_unlink((__force const char __user *)"/initrd.image");
47298         return 0;
47299  }
47300 diff -urNp linux-2.6.35.5/init/do_mounts_md.c linux-2.6.35.5/init/do_mounts_md.c
47301 --- linux-2.6.35.5/init/do_mounts_md.c  2010-08-26 19:47:12.000000000 -0400
47302 +++ linux-2.6.35.5/init/do_mounts_md.c  2010-09-17 20:12:09.000000000 -0400
47303 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
47304                         partitioned ? "_d" : "", minor,
47305                         md_setup_args[ent].device_names);
47306  
47307 -               fd = sys_open(name, 0, 0);
47308 +               fd = sys_open((__force char __user *)name, 0, 0);
47309                 if (fd < 0) {
47310                         printk(KERN_ERR "md: open failed - cannot start "
47311                                         "array %s\n", name);
47312 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
47313                          * array without it
47314                          */
47315                         sys_close(fd);
47316 -                       fd = sys_open(name, 0, 0);
47317 +                       fd = sys_open((__force char __user *)name, 0, 0);
47318                         sys_ioctl(fd, BLKRRPART, 0);
47319                 }
47320                 sys_close(fd);
47321 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
47322  
47323         wait_for_device_probe();
47324  
47325 -       fd = sys_open("/dev/md0", 0, 0);
47326 +       fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
47327         if (fd >= 0) {
47328                 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
47329                 sys_close(fd);
47330 diff -urNp linux-2.6.35.5/init/initramfs.c linux-2.6.35.5/init/initramfs.c
47331 --- linux-2.6.35.5/init/initramfs.c     2010-08-26 19:47:12.000000000 -0400
47332 +++ linux-2.6.35.5/init/initramfs.c     2010-09-17 20:12:09.000000000 -0400
47333 @@ -74,7 +74,7 @@ static void __init free_hash(void)
47334         }
47335  }
47336  
47337 -static long __init do_utime(char __user *filename, time_t mtime)
47338 +static long __init do_utime(__force char __user *filename, time_t mtime)
47339  {
47340         struct timespec t[2];
47341  
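Review bot: `__force` on the `filename` parameter of `do_utime` is out of place. It is a sparse annotation meant for cast expressions, and the callers changed in this patch already cast with `(__force char __user *)`. Keeping the declaration as `static long __init do_utime(char __user *filename, time_t mtime)` leaves the prototype readable and, as far as I can tell, checks the same. The body of do_utime continues outside the hunk.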
47342 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
47343         struct dir_entry *de, *tmp;
47344         list_for_each_entry_safe(de, tmp, &dir_list, list) {
47345                 list_del(&de->list);
47346 -               do_utime(de->name, de->mtime);
47347 +               do_utime((__force char __user *)de->name, de->mtime);
47348                 kfree(de->name);
47349                 kfree(de);
47350         }
47351 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
47352         if (nlink >= 2) {
47353                 char *old = find_link(major, minor, ino, mode, collected);
47354                 if (old)
47355 -                       return (sys_link(old, collected) < 0) ? -1 : 1;
47356 +                       return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
47357         }
47358         return 0;
47359  }
47360 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
47361  {
47362         struct stat st;
47363  
47364 -       if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
47365 +       if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
47366                 if (S_ISDIR(st.st_mode))
47367 -                       sys_rmdir(path);
47368 +                       sys_rmdir((__force char __user *)path);
47369                 else
47370 -                       sys_unlink(path);
47371 +                       sys_unlink((__force char __user *)path);
47372         }
47373  }
47374  
47375 @@ -305,7 +305,7 @@ static int __init do_name(void)
47376                         int openflags = O_WRONLY|O_CREAT;
47377                         if (ml != 1)
47378                                 openflags |= O_TRUNC;
47379 -                       wfd = sys_open(collected, openflags, mode);
47380 +                       wfd = sys_open((__force char __user *)collected, openflags, mode);
47381  
47382                         if (wfd >= 0) {
47383                                 sys_fchown(wfd, uid, gid);
47384 @@ -317,17 +317,17 @@ static int __init do_name(void)
47385                         }
47386                 }
47387         } else if (S_ISDIR(mode)) {
47388 -               sys_mkdir(collected, mode);
47389 -               sys_chown(collected, uid, gid);
47390 -               sys_chmod(collected, mode);
47391 +               sys_mkdir((__force char __user *)collected, mode);
47392 +               sys_chown((__force char __user *)collected, uid, gid);
47393 +               sys_chmod((__force char __user *)collected, mode);
47394                 dir_add(collected, mtime);
47395         } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
47396                    S_ISFIFO(mode) || S_ISSOCK(mode)) {
47397                 if (maybe_link() == 0) {
47398 -                       sys_mknod(collected, mode, rdev);
47399 -                       sys_chown(collected, uid, gid);
47400 -                       sys_chmod(collected, mode);
47401 -                       do_utime(collected, mtime);
47402 +                       sys_mknod((__force char __user *)collected, mode, rdev);
47403 +                       sys_chown((__force char __user *)collected, uid, gid);
47404 +                       sys_chmod((__force char __user *)collected, mode);
47405 +                       do_utime((__force char __user *)collected, mtime);
47406                 }
47407         }
47408         return 0;
47409 @@ -336,15 +336,15 @@ static int __init do_name(void)
47410  static int __init do_copy(void)
47411  {
47412         if (count >= body_len) {
47413 -               sys_write(wfd, victim, body_len);
47414 +               sys_write(wfd, (__force char __user *)victim, body_len);
47415                 sys_close(wfd);
47416 -               do_utime(vcollected, mtime);
47417 +               do_utime((__force char __user *)vcollected, mtime);
47418                 kfree(vcollected);
47419                 eat(body_len);
47420                 state = SkipIt;
47421                 return 0;
47422         } else {
47423 -               sys_write(wfd, victim, count);
47424 +               sys_write(wfd, (__force char __user *)victim, count);
47425                 body_len -= count;
47426                 eat(count);
47427                 return 1;
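Review bot: Both `sys_write` calls in `do_copy` still discard the return value, so a short or failed write while unpacking the initramfs leaves a truncated file without any message. Comparing the result with the requested length, e.g. `if (sys_write(wfd, (__force char __user *)victim, count) != count)`, and reporting through whatever error path this file uses (not visible here) would make that detectable. The closing lines of do_copy are outside the hunk.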
47428 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
47429  {
47430         collected[N_ALIGN(name_len) + body_len] = '\0';
47431         clean_path(collected, 0);
47432 -       sys_symlink(collected + N_ALIGN(name_len), collected);
47433 -       sys_lchown(collected, uid, gid);
47434 -       do_utime(collected, mtime);
47435 +       sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
47436 +       sys_lchown((__force char __user *)collected, uid, gid);
47437 +       do_utime((__force char __user *)collected, mtime);
47438         state = SkipIt;
47439         next_state = Reset;
47440         return 0;
47441 diff -urNp linux-2.6.35.5/init/Kconfig linux-2.6.35.5/init/Kconfig
47442 --- linux-2.6.35.5/init/Kconfig 2010-08-26 19:47:12.000000000 -0400
47443 +++ linux-2.6.35.5/init/Kconfig 2010-09-17 20:12:09.000000000 -0400
47444 @@ -1063,7 +1063,7 @@ config SLUB_DEBUG
47445  
47446  config COMPAT_BRK
47447         bool "Disable heap randomization"
47448 -       default y
47449 +       default n
47450         help
47451           Randomizing heap placement makes heap exploits harder, but it
47452           also breaks ancient binaries (including anything libc5 based).
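Review bot: Changing `default y` to `default n` only takes effect where COMPAT_BRK has no value yet. A tree configured from an existing `.config` that contains `CONFIG_COMPAT_BRK=y` keeps heap randomization disabled. Because the prompt is phrased as a negative ("Disable heap randomization"), a help line such as `Say N here to keep heap randomization enabled.` would make the intended setting explicit, if the part of the help text outside this hunk does not already say so.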
47453 diff -urNp linux-2.6.35.5/init/main.c linux-2.6.35.5/init/main.c
47454 --- linux-2.6.35.5/init/main.c  2010-08-26 19:47:12.000000000 -0400
47455 +++ linux-2.6.35.5/init/main.c  2010-09-17 20:12:37.000000000 -0400
47456 @@ -98,6 +98,7 @@ static inline void mark_rodata_ro(void) 
47457  #ifdef CONFIG_TC
47458  extern void tc_init(void);
47459  #endif
47460 +extern void grsecurity_init(void);
47461  
47462  enum system_states system_state __read_mostly;
47463  EXPORT_SYMBOL(system_state);
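Review bot: `extern void grsecurity_init(void);` is declared directly in init/main.c with no config guard, and the call added to kernel_init in a later hunk of this file is unconditional as well. A prototype kept in a .c file can drift from the definition without the compiler noticing. I would move it into a shared header, with a `static inline void grsecurity_init(void) { }` stub for builds without the feature if no definition is always linked in (not visible here). The `gr_handle_shmat`/`gr_chroot_shmat` externs in the first ipc/shm.c hunk are declared the same way.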
47464 @@ -200,6 +201,50 @@ static int __init set_reset_devices(char
47465  
47466  __setup("reset_devices", set_reset_devices);
47467  
47468 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
47469 +extern void pax_enter_kernel_user(void);
47470 +extern void pax_exit_kernel_user(void);
47471 +extern pgdval_t clone_pgd_mask;
47472 +#endif
47473 +
47474 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
47475 +static int __init setup_pax_nouderef(char *str)
47476 +{
47477 +#ifdef CONFIG_X86_32
47478 +       unsigned int cpu;
47479 +
47480 +       for (cpu = 0; cpu < NR_CPUS; cpu++) {
47481 +               get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
47482 +               get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
47483 +       }
47484 +       asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
47485 +       asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
47486 +       asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
47487 +#else
47488 +       char *p;
47489 +       p = (char *)pax_enter_kernel_user;
47490 +       *p = 0xc3;
47491 +       p = (char *)pax_exit_kernel_user;
47492 +       *p = 0xc3;
47493 +       clone_pgd_mask = ~(pgdval_t)0UL;
47494 +#endif
47495 +
47496 +       return 0;
47497 +}
47498 +early_param("pax_nouderef", setup_pax_nouderef);
47499 +#endif
47500 +
47501 +#ifdef CONFIG_PAX_SOFTMODE
47502 +unsigned int pax_softmode;
47503 +
47504 +static int __init setup_pax_softmode(char *str)
47505 +{
47506 +       get_option(&str, &pax_softmode);
47507 +       return 1;
47508 +}
47509 +__setup("pax_softmode=", setup_pax_softmode);
47510 +#endif
47511 +
47512  static char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
47513  char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
47514  static const char *panic_later, *panic_param;
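Review bot: `setup_pax_softmode` hands `&pax_softmode`, an `unsigned int *`, to `get_option()`, which takes an `int *`, and ignores its result, so `pax_softmode=` with no number is accepted silently and still returns 1. Parsing into a local and assigning on success keeps the types straight: `int val;` followed by `if (get_option(&str, &val)) pax_softmode = val;`. In the x86_64 branch of `setup_pax_nouderef`, `*p = 0xc3` stores a value that does not fit a signed `char`; declaring `unsigned char *p` states the intent. Judging by the names, both parameters relax a protection from the kernel command line. A one-line comment above each registration saying what is switched off would help anyone auditing boot configuration.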
47515 @@ -725,52 +770,53 @@ int initcall_debug;
47516  core_param(initcall_debug, initcall_debug, bool, 0644);
47517  
47518  static char msgbuf[64];
47519 -static struct boot_trace_call call;
47520 -static struct boot_trace_ret ret;
47521 +static struct boot_trace_call trace_call;
47522 +static struct boot_trace_ret trace_ret;
47523  
47524  int do_one_initcall(initcall_t fn)
47525  {
47526         int count = preempt_count();
47527         ktime_t calltime, delta, rettime;
47528 +       const char *msg1 = "", *msg2 = "";
47529  
47530         if (initcall_debug) {
47531 -               call.caller = task_pid_nr(current);
47532 -               printk("calling  %pF @ %i\n", fn, call.caller);
47533 +               trace_call.caller = task_pid_nr(current);
47534 +               printk("calling  %pF @ %i\n", fn, trace_call.caller);
47535                 calltime = ktime_get();
47536 -               trace_boot_call(&call, fn);
47537 +               trace_boot_call(&trace_call, fn);
47538                 enable_boot_trace();
47539         }
47540  
47541 -       ret.result = fn();
47542 +       trace_ret.result = fn();
47543  
47544         if (initcall_debug) {
47545                 disable_boot_trace();
47546                 rettime = ktime_get();
47547                 delta = ktime_sub(rettime, calltime);
47548 -               ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47549 -               trace_boot_ret(&ret, fn);
47550 +               trace_ret.duration = (unsigned long long) ktime_to_ns(delta) >> 10;
47551 +               trace_boot_ret(&trace_ret, fn);
47552                 printk("initcall %pF returned %d after %Ld usecs\n", fn,
47553 -                       ret.result, ret.duration);
47554 +                       trace_ret.result, trace_ret.duration);
47555         }
47556  
47557         msgbuf[0] = 0;
47558  
47559 -       if (ret.result && ret.result != -ENODEV && initcall_debug)
47560 -               sprintf(msgbuf, "error code %d ", ret.result);
47561 +       if (trace_ret.result && trace_ret.result != -ENODEV && initcall_debug)
47562 +               sprintf(msgbuf, "error code %d ", trace_ret.result);
47563  
47564         if (preempt_count() != count) {
47565 -               strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
47566 +               msg1 = " preemption imbalance";
47567                 preempt_count() = count;
47568         }
47569         if (irqs_disabled()) {
47570 -               strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
47571 +               msg2 = " disabled interrupts";
47572                 local_irq_enable();
47573         }
47574 -       if (msgbuf[0]) {
47575 -               printk("initcall %pF returned with %s\n", fn, msgbuf);
47576 +       if (msgbuf[0] || *msg1 || *msg2) {
47577 +               printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
47578         }
47579  
47580 -       return ret.result;
47581 +       return trace_ret.result;
47582  }
47583  
47584  
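Review bot: The new format `"initcall %pF returned with %s%s%s\n"` prints a doubled space, because `msg1` and `msg2` start with a space while the format already has one after `with` and `msgbuf` ends in one (`"error code %d "`). Anything matching the previous message text in boot logs would stop matching. Dropping the space after `with` and writing `" error code %d"` keeps every combination single-spaced.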
47585 @@ -902,7 +948,7 @@ static int __init kernel_init(void * unu
47586         do_basic_setup();
47587  
47588         /* Open the /dev/console on the rootfs, this should never fail */
47589 -       if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
47590 +       if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
47591                 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
47592  
47593         (void) sys_dup(0);
47594 @@ -915,11 +961,13 @@ static int __init kernel_init(void * unu
47595         if (!ramdisk_execute_command)
47596                 ramdisk_execute_command = "/init";
47597  
47598 -       if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
47599 +       if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
47600                 ramdisk_execute_command = NULL;
47601                 prepare_namespace();
47602         }
47603  
47604 +       grsecurity_init();
47605 +
47606         /*
47607          * Ok, we have completed the initial bootup, and
47608          * we're essentially up and running. Get rid of the
47609 diff -urNp linux-2.6.35.5/init/noinitramfs.c linux-2.6.35.5/init/noinitramfs.c
47610 --- linux-2.6.35.5/init/noinitramfs.c   2010-08-26 19:47:12.000000000 -0400
47611 +++ linux-2.6.35.5/init/noinitramfs.c   2010-09-17 20:12:09.000000000 -0400
47612 @@ -29,17 +29,17 @@ static int __init default_rootfs(void)
47613  {
47614         int err;
47615  
47616 -       err = sys_mkdir("/dev", 0755);
47617 +       err = sys_mkdir((const char __user *)"/dev", 0755);
47618         if (err < 0)
47619                 goto out;
47620  
47621 -       err = sys_mknod((const char __user *) "/dev/console",
47622 +       err = sys_mknod((__force const char __user *) "/dev/console",
47623                         S_IFCHR | S_IRUSR | S_IWUSR,
47624                         new_encode_dev(MKDEV(5, 1)));
47625         if (err < 0)
47626                 goto out;
47627  
47628 -       err = sys_mkdir("/root", 0700);
47629 +       err = sys_mkdir((const char __user *)"/root", 0700);
47630         if (err < 0)
47631                 goto out;
47632  
47633 diff -urNp linux-2.6.35.5/ipc/mqueue.c linux-2.6.35.5/ipc/mqueue.c
47634 --- linux-2.6.35.5/ipc/mqueue.c 2010-08-26 19:47:12.000000000 -0400
47635 +++ linux-2.6.35.5/ipc/mqueue.c 2010-09-17 20:12:37.000000000 -0400
47636 @@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
47637                         mq_bytes = (mq_msg_tblsz +
47638                                 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
47639  
47640 +                       gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
47641                         spin_lock(&mq_lock);
47642                         if (u->mq_bytes + mq_bytes < u->mq_bytes ||
47643                             u->mq_bytes + mq_bytes >
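Review bot: `gr_learn_resource()` is called with `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` is taken and before the wrap-around test on the same sum in the following `if`, so the value it records can be stale or already wrapped. If the function is safe to call under a spinlock (its definition is not visible here), I would move the call to just after `spin_lock(&mq_lock);`. Otherwise a comment should state that the learned value is only approximate. The rest of mqueue_get_inode is outside the hunk.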
47644 diff -urNp linux-2.6.35.5/ipc/shm.c linux-2.6.35.5/ipc/shm.c
47645 --- linux-2.6.35.5/ipc/shm.c    2010-08-26 19:47:12.000000000 -0400
47646 +++ linux-2.6.35.5/ipc/shm.c    2010-09-17 20:12:37.000000000 -0400
47647 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
47648  static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
47649  #endif
47650  
47651 +#ifdef CONFIG_GRKERNSEC
47652 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47653 +                          const time_t shm_createtime, const uid_t cuid,
47654 +                          const int shmid);
47655 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
47656 +                          const time_t shm_createtime);
47657 +#endif
47658 +
47659  void shm_init_ns(struct ipc_namespace *ns)
47660  {
47661         ns->shm_ctlmax = SHMMAX;
47662 @@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
47663         shp->shm_lprid = 0;
47664         shp->shm_atim = shp->shm_dtim = 0;
47665         shp->shm_ctim = get_seconds();
47666 +#ifdef CONFIG_GRKERNSEC
47667 +       {
47668 +               struct timespec timeval;
47669 +               do_posix_clock_monotonic_gettime(&timeval);
47670 +
47671 +               shp->shm_createtime = timeval.tv_sec;
47672 +       }
47673 +#endif
47674         shp->shm_segsz = size;
47675         shp->shm_nattch = 0;
47676         shp->shm_file = file;
47677 @@ -877,9 +893,21 @@ long do_shmat(int shmid, char __user *sh
47678         if (err)
47679                 goto out_unlock;
47680  
47681 +#ifdef CONFIG_GRKERNSEC
47682 +       if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
47683 +                            shp->shm_perm.cuid, shmid) ||
47684 +           !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
47685 +               err = -EACCES;
47686 +               goto out_unlock;
47687 +       }
47688 +#endif
47689 +
47690         path = shp->shm_file->f_path;
47691         path_get(&path);
47692         shp->shm_nattch++;
47693 +#ifdef CONFIG_GRKERNSEC
47694 +       shp->shm_lapid = current->pid;
47695 +#endif
47696         size = i_size_read(path.dentry->d_inode);
47697         shm_unlock(shp);
47698  
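Review bot: `shp->shm_lapid = current->pid;` stores the calling thread's id, whereas the other pid fields ipc/shm.c keeps are, as far as I recall, thread-group ids taken with `task_tgid_vnr(current)`. The two differ for a non-leader thread and inside a pid namespace. Since `shm_lapid` is passed to `gr_handle_shmat()` and `gr_chroot_shmat()` together with `shm_cprid`, I would record `task_tgid_vnr(current)` here too, unless those checks depend on the global id (their definitions are not visible). do_shmat starts and ends outside the hunk.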
47699 diff -urNp linux-2.6.35.5/kernel/acct.c linux-2.6.35.5/kernel/acct.c
47700 --- linux-2.6.35.5/kernel/acct.c        2010-08-26 19:47:12.000000000 -0400
47701 +++ linux-2.6.35.5/kernel/acct.c        2010-09-17 20:12:09.000000000 -0400
47702 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
47703          */
47704         flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
47705         current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
47706 -       file->f_op->write(file, (char *)&ac,
47707 +       file->f_op->write(file, (__force char __user *)&ac,
47708                                sizeof(acct_t), &file->f_pos);
47709         current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
47710         set_fs(fs);
47711 diff -urNp linux-2.6.35.5/kernel/capability.c linux-2.6.35.5/kernel/capability.c
47712 --- linux-2.6.35.5/kernel/capability.c  2010-08-26 19:47:12.000000000 -0400
47713 +++ linux-2.6.35.5/kernel/capability.c  2010-09-17 20:12:37.000000000 -0400
47714 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
47715                  * before modification is attempted and the application
47716                  * fails.
47717                  */
47718 +               if (tocopy > ARRAY_SIZE(kdata))
47719 +                       return -EFAULT;
47720 +
47721                 if (copy_to_user(dataptr, kdata, tocopy
47722                                  * sizeof(struct __user_cap_data_struct))) {
47723                         return -EFAULT;
47724 @@ -306,10 +309,21 @@ int capable(int cap)
47725                 BUG();
47726         }
47727  
47728 -       if (security_capable(cap) == 0) {
47729 +       if (security_capable(cap) == 0 && gr_is_capable(cap)) {
47730 +               current->flags |= PF_SUPERPRIV;
47731 +               return 1;
47732 +       }
47733 +       return 0;
47734 +}
47735 +
47736 +int capable_nolog(int cap)
47737 +{
47738 +       if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
47739                 current->flags |= PF_SUPERPRIV;
47740                 return 1;
47741         }
47742         return 0;
47743  }
47744 +
47745  EXPORT_SYMBOL(capable);
47746 +EXPORT_SYMBOL(capable_nolog);
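Review bot: `capable_nolog()` repeats the body of `capable()` but not the validity check whose tail (`BUG();` and the closing brace) is visible at the top of this hunk, so an out-of-range `cap` goes straight to `security_capable()`. Adding the same guard, e.g. `BUG_ON(!cap_valid(cap));`, keeps the two entry points in step. The new exported function also has no kernel-doc. A comment should say that only the grsecurity check is the non-logging variant, since `security_capable()` is still called and may audit on its own (not visible here). The start of capable() is outside the hunk.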
47747 diff -urNp linux-2.6.35.5/kernel/compat.c linux-2.6.35.5/kernel/compat.c
47748 --- linux-2.6.35.5/kernel/compat.c      2010-09-20 17:33:09.000000000 -0400
47749 +++ linux-2.6.35.5/kernel/compat.c      2010-09-17 20:12:37.000000000 -0400
47750 @@ -13,6 +13,7 @@
47751  
47752  #include <linux/linkage.h>
47753  #include <linux/compat.h>
47754 +#include <linux/module.h>
47755  #include <linux/errno.h>
47756  #include <linux/time.h>
47757  #include <linux/signal.h>
47758 diff -urNp linux-2.6.35.5/kernel/configs.c linux-2.6.35.5/kernel/configs.c
47759 --- linux-2.6.35.5/kernel/configs.c     2010-08-26 19:47:12.000000000 -0400
47760 +++ linux-2.6.35.5/kernel/configs.c     2010-09-17 20:12:37.000000000 -0400
47761 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
47762         struct proc_dir_entry *entry;
47763  
47764         /* create the current config file */
47765 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
47766 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
47767 +       entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
47768 +                           &ikconfig_file_ops);
47769 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47770 +       entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
47771 +                           &ikconfig_file_ops);
47772 +#endif
47773 +#else
47774         entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
47775                             &ikconfig_file_ops);
47776 +#endif
47777 +
47778         if (!entry)
47779                 return -ENOMEM;
47780  
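Review bot: In the nested `#if`, a configuration with CONFIG_GRKERNSEC_PROC_ADD set but none of CONFIG_GRKERNSEC_PROC_USER, CONFIG_GRKERNSEC_HIDESYM or CONFIG_GRKERNSEC_PROC_USERGROUP compiles no `proc_create()` call at all, so `entry` is tested uninitialised. Kconfig dependencies may exclude that combination, but nothing in this file enforces it. I would close the inner chain with `#else` and `#error "GRKERNSEC_PROC_ADD requires PROC_USER or PROC_USERGROUP"` before its `#endif`. ikconfig_init continues outside the hunk.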
47781 diff -urNp linux-2.6.35.5/kernel/cred.c linux-2.6.35.5/kernel/cred.c
47782 --- linux-2.6.35.5/kernel/cred.c        2010-08-26 19:47:12.000000000 -0400
47783 +++ linux-2.6.35.5/kernel/cred.c        2010-09-17 20:12:37.000000000 -0400
47784 @@ -489,6 +489,8 @@ int commit_creds(struct cred *new)
47785  
47786         get_cred(new); /* we will require a ref for the subj creds too */
47787  
47788 +       gr_set_role_label(task, new->uid, new->gid);
47789 +
47790         /* dumpability changes */
47791         if (old->euid != new->euid ||
47792             old->egid != new->egid ||
47793 diff -urNp linux-2.6.35.5/kernel/debug/debug_core.c linux-2.6.35.5/kernel/debug/debug_core.c
47794 --- linux-2.6.35.5/kernel/debug/debug_core.c    2010-08-26 19:47:12.000000000 -0400
47795 +++ linux-2.6.35.5/kernel/debug/debug_core.c    2010-09-17 20:12:09.000000000 -0400
47796 @@ -71,7 +71,7 @@ int                   kgdb_io_module_registered;
47797  /* Guard for recursive entry */
47798  static int                     exception_level;
47799  
47800 -struct kgdb_io         *dbg_io_ops;
47801 +const struct kgdb_io           *dbg_io_ops;
47802  static DEFINE_SPINLOCK(kgdb_registration_lock);
47803  
47804  /* kgdb console driver is loaded */
47805 @@ -871,7 +871,7 @@ static void kgdb_initial_breakpoint(void
47806   *
47807   *     Register it with the KGDB core.
47808   */
47809 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
47810 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
47811  {
47812         int err;
47813  
47814 @@ -916,7 +916,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
47815   *
47816   *     Unregister it with the KGDB core.
47817   */
47818 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
47819 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
47820  {
47821         BUG_ON(kgdb_connected);
47822  
47823 diff -urNp linux-2.6.35.5/kernel/debug/kdb/kdb_main.c linux-2.6.35.5/kernel/debug/kdb/kdb_main.c
47824 --- linux-2.6.35.5/kernel/debug/kdb/kdb_main.c  2010-08-26 19:47:12.000000000 -0400
47825 +++ linux-2.6.35.5/kernel/debug/kdb/kdb_main.c  2010-09-17 20:12:09.000000000 -0400
47826 @@ -1872,7 +1872,7 @@ static int kdb_lsmod(int argc, const cha
47827         list_for_each_entry(mod, kdb_modules, list) {
47828  
47829                 kdb_printf("%-20s%8u  0x%p ", mod->name,
47830 -                          mod->core_size, (void *)mod);
47831 +                          mod->core_size_rx + mod->core_size_rw, (void *)mod);
47832  #ifdef CONFIG_MODULE_UNLOAD
47833                 kdb_printf("%4d ", module_refcount(mod));
47834  #endif
47835 @@ -1882,7 +1882,7 @@ static int kdb_lsmod(int argc, const cha
47836                         kdb_printf(" (Loading)");
47837                 else
47838                         kdb_printf(" (Live)");
47839 -               kdb_printf(" 0x%p", mod->module_core);
47840 +               kdb_printf(" 0x%p 0x%p", mod->module_core_rx,  mod->module_core_rw);
47841  
47842  #ifdef CONFIG_MODULE_UNLOAD
47843                 {
47844 diff -urNp linux-2.6.35.5/kernel/exit.c linux-2.6.35.5/kernel/exit.c
47845 --- linux-2.6.35.5/kernel/exit.c        2010-08-26 19:47:12.000000000 -0400
47846 +++ linux-2.6.35.5/kernel/exit.c        2010-09-17 20:13:49.000000000 -0400
47847 @@ -56,6 +56,10 @@
47848  #include <asm/pgtable.h>
47849  #include <asm/mmu_context.h>
47850  
47851 +#ifdef CONFIG_GRKERNSEC
47852 +extern rwlock_t grsec_exec_file_lock;
47853 +#endif
47854 +
47855  static void exit_mm(struct task_struct * tsk);
47856  
47857  static void __unhash_process(struct task_struct *p, bool group_dead)
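Review bot: `extern rwlock_t grsec_exec_file_lock;` is declared directly in this .c file, so the compiler cannot check it against the definition, and every other user of the lock has to repeat the declaration by hand. Moving it into the header that declares the other grsecurity hooks, under the same `#ifdef CONFIG_GRKERNSEC`, keeps the type and the definition in sync. The definition itself is not visible here.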
47858 @@ -162,6 +166,8 @@ void release_task(struct task_struct * p
47859         struct task_struct *leader;
47860         int zap_leader;
47861  repeat:
47862 +       gr_del_task_from_ip_table(p);
47863 +
47864         tracehook_prepare_release_task(p);
47865         /* don't need to get the RCU readlock here - the process is dead and
47866          * can't be modifying its own credentials. But shut RCU-lockdep up */
47867 @@ -331,11 +337,22 @@ static void reparent_to_kthreadd(void)
47868  {
47869         write_lock_irq(&tasklist_lock);
47870  
47871 +#ifdef CONFIG_GRKERNSEC
47872 +       write_lock(&grsec_exec_file_lock);
47873 +       if (current->exec_file) {
47874 +               fput(current->exec_file);
47875 +               current->exec_file = NULL;
47876 +       }
47877 +       write_unlock(&grsec_exec_file_lock);
47878 +#endif
47879 +
47880         ptrace_unlink(current);
47881         /* Reparent to init */
47882         current->real_parent = current->parent = kthreadd_task;
47883         list_move_tail(&current->sibling, &current->real_parent->children);
47884  
47885 +       gr_set_kernel_label(current);
47886 +
47887         /* Set the exit signal to SIGCHLD so we signal init on exit */
47888         current->exit_signal = SIGCHLD;
47889  
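Review bot: `fput(current->exec_file)` is called while `grsec_exec_file_lock` is write-held and, in reparent_to_kthreadd(), also inside `write_lock_irq(&tasklist_lock)`; if that call ever drops the last reference, the file release path, which is allowed to sleep, runs in atomic context with interrupts off. The daemonize() hunk further down repeats the same block (there only under `grsec_exec_file_lock`). Detaching the pointer under the lock and calling `fput()` after unlocking avoids the problem, and the block can move ahead of `tasklist_lock`, since the daemonize() copy already takes `grsec_exec_file_lock` with interrupts enabled. Whether this reference can really be the last one is not visible from the hunk, and the function continues past it.

```c
static void reparent_to_kthreadd(void)
{
#ifdef CONFIG_GRKERNSEC
	struct file *exec_file;

	/* detach under the lock, drop the reference only after unlocking */
	write_lock(&grsec_exec_file_lock);
	exec_file = current->exec_file;
	current->exec_file = NULL;
	write_unlock(&grsec_exec_file_lock);
	if (exec_file)
		fput(exec_file);
#endif

	write_lock_irq(&tasklist_lock);
	/* … unchanged: ptrace_unlink, reparenting, gr_set_kernel_label … */
```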
47890 @@ -387,7 +404,7 @@ int allow_signal(int sig)
47891          * know it'll be handled, so that they don't get converted to
47892          * SIGKILL or just silently dropped.
47893          */
47894 -       current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
47895 +       current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
47896         recalc_sigpending();
47897         spin_unlock_irq(&current->sighand->siglock);
47898         return 0;
47899 @@ -423,6 +440,17 @@ void daemonize(const char *name, ...)
47900         vsnprintf(current->comm, sizeof(current->comm), name, args);
47901         va_end(args);
47902  
47903 +#ifdef CONFIG_GRKERNSEC
47904 +       write_lock(&grsec_exec_file_lock);
47905 +       if (current->exec_file) {
47906 +               fput(current->exec_file);
47907 +               current->exec_file = NULL;
47908 +       }
47909 +       write_unlock(&grsec_exec_file_lock);
47910 +#endif
47911 +
47912 +       gr_set_kernel_label(current);
47913 +
47914         /*
47915          * If we were started as result of loading a module, close all of the
47916          * user space pages.  We don't need them, and if we didn't close them
47917 @@ -960,6 +988,9 @@ NORET_TYPE void do_exit(long code)
47918         tsk->exit_code = code;
47919         taskstats_exit(tsk, group_dead);
47920  
47921 +       gr_acl_handle_psacct(tsk, code);
47922 +       gr_acl_handle_exit();
47923 +
47924         exit_mm(tsk);
47925  
47926         if (group_dead)
47927 diff -urNp linux-2.6.35.5/kernel/fork.c linux-2.6.35.5/kernel/fork.c
47928 --- linux-2.6.35.5/kernel/fork.c        2010-08-26 19:47:12.000000000 -0400
47929 +++ linux-2.6.35.5/kernel/fork.c        2010-09-17 20:12:37.000000000 -0400
47930 @@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
47931         *stackend = STACK_END_MAGIC;    /* for overflow detection */
47932  
47933  #ifdef CONFIG_CC_STACKPROTECTOR
47934 -       tsk->stack_canary = get_random_int();
47935 +       tsk->stack_canary = pax_get_random_long();
47936  #endif
47937  
47938         /* One for us, one for whoever does the "release_task()" (usually parent) */
47939 @@ -298,13 +298,78 @@ out:
47940  }
47941  
47942  #ifdef CONFIG_MMU
47943 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
47944 +{
47945 +       struct vm_area_struct *tmp;
47946 +       unsigned long charge;
47947 +       struct mempolicy *pol;
47948 +       struct file *file;
47949 +
47950 +       charge = 0;
47951 +       if (mpnt->vm_flags & VM_ACCOUNT) {
47952 +               unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
47953 +               if (security_vm_enough_memory(len))
47954 +                       goto fail_nomem;
47955 +               charge = len;
47956 +       }
47957 +       tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
47958 +       if (!tmp)
47959 +               goto fail_nomem;
47960 +       *tmp = *mpnt;
47961 +       tmp->vm_mm = mm;
47962 +       INIT_LIST_HEAD(&tmp->anon_vma_chain);
47963 +       pol = mpol_dup(vma_policy(mpnt));
47964 +       if (IS_ERR(pol))
47965 +               goto fail_nomem_policy;
47966 +       vma_set_policy(tmp, pol);
47967 +       if (anon_vma_fork(tmp, mpnt))
47968 +               goto fail_nomem_anon_vma_fork;
47969 +       tmp->vm_flags &= ~VM_LOCKED;
47970 +       tmp->vm_next = NULL;
47971 +       tmp->vm_mirror = NULL;
47972 +       file = tmp->vm_file;
47973 +       if (file) {
47974 +               struct inode *inode = file->f_path.dentry->d_inode;
47975 +               struct address_space *mapping = file->f_mapping;
47976 +
47977 +               get_file(file);
47978 +               if (tmp->vm_flags & VM_DENYWRITE)
47979 +                       atomic_dec(&inode->i_writecount);
47980 +               spin_lock(&mapping->i_mmap_lock);
47981 +               if (tmp->vm_flags & VM_SHARED)
47982 +                       mapping->i_mmap_writable++;
47983 +               tmp->vm_truncate_count = mpnt->vm_truncate_count;
47984 +               flush_dcache_mmap_lock(mapping);
47985 +               /* insert tmp into the share list, just after mpnt */
47986 +               vma_prio_tree_add(tmp, mpnt);
47987 +               flush_dcache_mmap_unlock(mapping);
47988 +               spin_unlock(&mapping->i_mmap_lock);
47989 +       }
47990 +
47991 +       /*
47992 +        * Clear hugetlb-related page reserves for children. This only
47993 +        * affects MAP_PRIVATE mappings. Faults generated by the child
47994 +        * are not guaranteed to succeed, even if read-only
47995 +        */
47996 +       if (is_vm_hugetlb_page(tmp))
47997 +               reset_vma_resv_huge_pages(tmp);
47998 +
47999 +       return tmp;
48000 +
48001 +fail_nomem_anon_vma_fork:
48002 +       mpol_put(pol);
48003 +fail_nomem_policy:
48004 +       kmem_cache_free(vm_area_cachep, tmp);
48005 +fail_nomem:
48006 +       vm_unacct_memory(charge);
48007 +       return NULL;
48008 +}
48009 +
48010  static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
48011  {
48012         struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
48013         struct rb_node **rb_link, *rb_parent;
48014         int retval;
48015 -       unsigned long charge;
48016 -       struct mempolicy *pol;
48017  
48018         down_write(&oldmm->mmap_sem);
48019         flush_cache_dup_mm(oldmm);
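Review bot: dup_vma() resets `tmp->vm_next` and `tmp->vm_mirror` after `*tmp = *mpnt`, but the `vm_prev` half of the removed `tmp->vm_next = tmp->vm_prev = NULL;` was not carried over, so the copy keeps the parent's `vm_prev` until something overwrites it. If dup_mmap()'s link-in code, which is outside the visible hunks, assigns `vm_prev` for every VMA this is harmless today, but the helper is then unsafe for any other caller; keeping `tmp->vm_next = tmp->vm_prev = NULL;` costs nothing. A header comment would also help, stating that the caller holds `oldmm->mmap_sem` for writing and that a NULL return means -ENOMEM with the charge already undone, since three failure labels now collapse into one return value. dup_mmap() itself continues outside this hunk.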
48020 @@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
48021         mm->locked_vm = 0;
48022         mm->mmap = NULL;
48023         mm->mmap_cache = NULL;
48024 -       mm->free_area_cache = oldmm->mmap_base;
48025 -       mm->cached_hole_size = ~0UL;
48026 +       mm->free_area_cache = oldmm->free_area_cache;
48027 +       mm->cached_hole_size = oldmm->cached_hole_size;
48028         mm->map_count = 0;
48029         cpumask_clear(mm_cpumask(mm));
48030         mm->mm_rb = RB_ROOT;
48031 @@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
48032  
48033         prev = NULL;
48034         for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
48035 -               struct file *file;
48036 -
48037                 if (mpnt->vm_flags & VM_DONTCOPY) {
48038                         long pages = vma_pages(mpnt);
48039                         mm->total_vm -= pages;
48040 @@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
48041                                                                 -pages);
48042                         continue;
48043                 }
48044 -               charge = 0;
48045 -               if (mpnt->vm_flags & VM_ACCOUNT) {
48046 -                       unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48047 -                       if (security_vm_enough_memory(len))
48048 -                               goto fail_nomem;
48049 -                       charge = len;
48050 -               }
48051 -               tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48052 -               if (!tmp)
48053 -                       goto fail_nomem;
48054 -               *tmp = *mpnt;
48055 -               INIT_LIST_HEAD(&tmp->anon_vma_chain);
48056 -               pol = mpol_dup(vma_policy(mpnt));
48057 -               retval = PTR_ERR(pol);
48058 -               if (IS_ERR(pol))
48059 -                       goto fail_nomem_policy;
48060 -               vma_set_policy(tmp, pol);
48061 -               if (anon_vma_fork(tmp, mpnt))
48062 -                       goto fail_nomem_anon_vma_fork;
48063 -               tmp->vm_flags &= ~VM_LOCKED;
48064 -               tmp->vm_mm = mm;
48065 -               tmp->vm_next = tmp->vm_prev = NULL;
48066 -               file = tmp->vm_file;
48067 -               if (file) {
48068 -                       struct inode *inode = file->f_path.dentry->d_inode;
48069 -                       struct address_space *mapping = file->f_mapping;
48070 -
48071 -                       get_file(file);
48072 -                       if (tmp->vm_flags & VM_DENYWRITE)
48073 -                               atomic_dec(&inode->i_writecount);
48074 -                       spin_lock(&mapping->i_mmap_lock);
48075 -                       if (tmp->vm_flags & VM_SHARED)
48076 -                               mapping->i_mmap_writable++;
48077 -                       tmp->vm_truncate_count = mpnt->vm_truncate_count;
48078 -                       flush_dcache_mmap_lock(mapping);
48079 -                       /* insert tmp into the share list, just after mpnt */
48080 -                       vma_prio_tree_add(tmp, mpnt);
48081 -                       flush_dcache_mmap_unlock(mapping);
48082 -                       spin_unlock(&mapping->i_mmap_lock);
48083 +               tmp = dup_vma(mm, mpnt);
48084 +               if (!tmp) {
48085 +                       retval = -ENOMEM;
48086 +                       goto out;
48087                 }
48088  
48089                 /*
48090 -                * Clear hugetlb-related page reserves for children. This only
48091 -                * affects MAP_PRIVATE mappings. Faults generated by the child
48092 -                * are not guaranteed to succeed, even if read-only
48093 -                */
48094 -               if (is_vm_hugetlb_page(tmp))
48095 -                       reset_vma_resv_huge_pages(tmp);
48096 -
48097 -               /*
48098                  * Link in the new vma and copy the page table entries.
48099                  */
48100                 *pprev = tmp;
48101 @@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
48102                 if (retval)
48103                         goto out;
48104         }
48105 +
48106 +#ifdef CONFIG_PAX_SEGMEXEC
48107 +       if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
48108 +               struct vm_area_struct *mpnt_m;
48109 +
48110 +               for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
48111 +                       BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
48112 +
48113 +                       if (!mpnt->vm_mirror)
48114 +                               continue;
48115 +
48116 +                       if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
48117 +                               BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
48118 +                               mpnt->vm_mirror = mpnt_m;
48119 +                       } else {
48120 +                               BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
48121 +                               mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
48122 +                               mpnt_m->vm_mirror->vm_mirror = mpnt_m;
48123 +                               mpnt->vm_mirror->vm_mirror = mpnt;
48124 +                       }
48125 +               }
48126 +               BUG_ON(mpnt_m);
48127 +       }
48128 +#endif
48129 +
48130         /* a new mm has just been created */
48131         arch_dup_mmap(oldmm, mm);
48132         retval = 0;
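Review bot: The SEGMEXEC fix-up walks `oldmm->mmap` and `mm->mmap` in lockstep, but the copy loop earlier in dup_mmap() skips VM_DONTCOPY VMAs, so the two lists need not be the same length; if a SEGMEXEC task can hold such a mapping, the walk mis-pairs entries or ends in `BUG_ON(!mpnt_m …)`. Unless another part of the patch excludes that combination, which is not visible here, the loop should advance `mpnt_m` only for VMAs that were actually copied. The loop also needs a block comment: it borrows the parent's `vm_mirror` as scratch (`mpnt->vm_mirror = mpnt_m`) and restores it only when the upper-half partner is reached, which is safe only because `oldmm->mmap_sem` is held for writing. Mirrored pairs in which one side is VM_DONTCOPY would need separate thought.

```c
		for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next) {
			/* VM_DONTCOPY VMAs were skipped by the copy loop: no counterpart in mm */
			if (mpnt->vm_flags & VM_DONTCOPY)
				continue;

			/* … unchanged: BUG_ON() consistency checks … */

			if (mpnt->vm_mirror) {
				/* … unchanged: lower-half / upper-half mirror rewiring … */
			}
			mpnt_m = mpnt_m->vm_next;
		}
```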
48133 @@ -417,14 +462,6 @@ out:
48134         flush_tlb_mm(oldmm);
48135         up_write(&oldmm->mmap_sem);
48136         return retval;
48137 -fail_nomem_anon_vma_fork:
48138 -       mpol_put(pol);
48139 -fail_nomem_policy:
48140 -       kmem_cache_free(vm_area_cachep, tmp);
48141 -fail_nomem:
48142 -       retval = -ENOMEM;
48143 -       vm_unacct_memory(charge);
48144 -       goto out;
48145  }
48146  
48147  static inline int mm_alloc_pgd(struct mm_struct * mm)
48148 @@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
48149                         write_unlock(&fs->lock);
48150                         return -EAGAIN;
48151                 }
48152 -               fs->users++;
48153 +               atomic_inc(&fs->users);
48154                 write_unlock(&fs->lock);
48155                 return 0;
48156         }
48157         tsk->fs = copy_fs_struct(fs);
48158         if (!tsk->fs)
48159                 return -ENOMEM;
48160 +       gr_set_chroot_entries(tsk, &tsk->fs->root);
48161         return 0;
48162  }
48163  
48164 @@ -1019,10 +1057,13 @@ static struct task_struct *copy_process(
48165         retval = -EAGAIN;
48166         if (!vx_nproc_avail(1))
48167                 goto bad_fork_free;
48168 +
48169 +       gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
48170 +
48171         if (atomic_read(&p->real_cred->user->processes) >=
48172                         task_rlimit(p, RLIMIT_NPROC)) {
48173 -               if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
48174 -                   p->real_cred->user != INIT_USER)
48175 +               if (p->real_cred->user != INIT_USER &&
48176 +                   !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
48177                         goto bad_fork_free;
48178         }
48179  
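Review bot: The reordered RLIMIT_NPROC test deserves a comment, because the only visible effect of moving `p->real_cred->user != INIT_USER` to the front is that `capable()` is no longer evaluated for INIT_USER tasks, and the reason that matters is not stated. If the aim is to avoid `capable()`'s side effects when the answer cannot change the outcome, say so, e.g. `/* test INIT_USER first so capable() is only consulted when it can decide */`. Separately, `atomic_read(&p->real_cred->user->processes)` is now read twice, once for `gr_learn_resource()` and once for the limit check, so the value learned can differ from the value enforced; reading it once into a local keeps the two consistent. copy_process() starts and ends outside the hunk.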
48180 @@ -1176,6 +1217,8 @@ static struct task_struct *copy_process(
48181                         goto bad_fork_free_pid;
48182         }
48183  
48184 +       gr_copy_label(p);
48185 +
48186         p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
48187         /*
48188          * Clear TID on mm_release()?
48189 @@ -1328,6 +1371,8 @@ bad_fork_cleanup_count:
48190  bad_fork_free:
48191         free_task(p);
48192  fork_out:
48193 +       gr_log_forkfail(retval);
48194 +
48195         return ERR_PTR(retval);
48196  }
48197  
48198 @@ -1433,6 +1478,8 @@ long do_fork(unsigned long clone_flags,
48199                 if (clone_flags & CLONE_PARENT_SETTID)
48200                         put_user(nr, parent_tidptr);
48201  
48202 +               gr_handle_brute_check();
48203 +
48204                 if (clone_flags & CLONE_VFORK) {
48205                         p->vfork_done = &vfork;
48206                         init_completion(&vfork);
48207 @@ -1557,7 +1604,7 @@ static int unshare_fs(unsigned long unsh
48208                 return 0;
48209  
48210         /* don't need lock here; in the worst case we'll do useless copy */
48211 -       if (fs->users == 1)
48212 +       if (atomic_read(&fs->users) == 1)
48213                 return 0;
48214  
48215         *new_fsp = copy_fs_struct(fs);
48216 @@ -1680,7 +1727,8 @@ SYSCALL_DEFINE1(unshare, unsigned long, 
48217                         fs = current->fs;
48218                         write_lock(&fs->lock);
48219                         current->fs = new_fs;
48220 -                       if (--fs->users)
48221 +                       gr_set_chroot_entries(current, &current->fs->root);
48222 +                       if (atomic_dec_return(&fs->users))
48223                                 new_fs = NULL;
48224                         else
48225                                 new_fs = fs;
48226 diff -urNp linux-2.6.35.5/kernel/futex.c linux-2.6.35.5/kernel/futex.c
48227 --- linux-2.6.35.5/kernel/futex.c       2010-08-26 19:47:12.000000000 -0400
48228 +++ linux-2.6.35.5/kernel/futex.c       2010-09-17 20:12:37.000000000 -0400
48229 @@ -54,6 +54,7 @@
48230  #include <linux/mount.h>
48231  #include <linux/pagemap.h>
48232  #include <linux/syscalls.h>
48233 +#include <linux/ptrace.h>
48234  #include <linux/signal.h>
48235  #include <linux/module.h>
48236  #include <linux/magic.h>
48237 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
48238         struct page *page;
48239         int err;
48240  
48241 +#ifdef CONFIG_PAX_SEGMEXEC
48242 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
48243 +               return -EFAULT;
48244 +#endif
48245 +
48246         /*
48247          * The futex address must be "naturally" aligned.
48248          */
48249 @@ -1843,7 +1849,7 @@ retry:
48250  
48251         restart = &current_thread_info()->restart_block;
48252         restart->fn = futex_wait_restart;
48253 -       restart->futex.uaddr = (u32 *)uaddr;
48254 +       restart->futex.uaddr = uaddr;
48255         restart->futex.val = val;
48256         restart->futex.time = abs_time->tv64;
48257         restart->futex.bitset = bitset;
48258 @@ -2376,7 +2382,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48259  {
48260         struct robust_list_head __user *head;
48261         unsigned long ret;
48262 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48263         const struct cred *cred = current_cred(), *pcred;
48264 +#endif
48265  
48266         if (!futex_cmpxchg_enabled)
48267                 return -ENOSYS;
48268 @@ -2392,11 +2400,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
48269                 if (!p)
48270                         goto err_unlock;
48271                 ret = -EPERM;
48272 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48273 +               if (!ptrace_may_access(p, PTRACE_MODE_READ))
48274 +                       goto err_unlock;
48275 +#else
48276                 pcred = __task_cred(p);
48277                 if (cred->euid != pcred->euid &&
48278                     cred->euid != pcred->uid &&
48279                     !capable(CAP_SYS_PTRACE))
48280                         goto err_unlock;
48281 +#endif
48282                 head = p->robust_list;
48283                 rcu_read_unlock();
48284         }
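Review bot: The stricter `ptrace_may_access(p, PTRACE_MODE_READ)` check is compiled in only under CONFIG_GRKERNSEC_PROC_MEMMAP, and nothing at the site says why an address-disclosure option gates this syscall. The value handed back is `p->robust_list`, a user-space address inside the target task, so the euid/uid comparison kept in the `#else` branch still lets a same-uid caller learn part of another process's layout. A comment such as `/* robust_list is an address in p's mm: gate it like other views of p's memory map */` would document the link. The identical change is repeated in compat_sys_get_robust_list() in kernel/futex_compat.c, so a shared static inline helper would keep the two checks from drifting apart. The syscall body starts and ends outside this hunk.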
48285 @@ -2458,7 +2471,7 @@ retry:
48286   */
48287  static inline int fetch_robust_entry(struct robust_list __user **entry,
48288                                      struct robust_list __user * __user *head,
48289 -                                    int *pi)
48290 +                                    unsigned int *pi)
48291  {
48292         unsigned long uentry;
48293  
48294 diff -urNp linux-2.6.35.5/kernel/futex_compat.c linux-2.6.35.5/kernel/futex_compat.c
48295 --- linux-2.6.35.5/kernel/futex_compat.c        2010-08-26 19:47:12.000000000 -0400
48296 +++ linux-2.6.35.5/kernel/futex_compat.c        2010-09-17 20:12:37.000000000 -0400
48297 @@ -10,6 +10,7 @@
48298  #include <linux/compat.h>
48299  #include <linux/nsproxy.h>
48300  #include <linux/futex.h>
48301 +#include <linux/ptrace.h>
48302  
48303  #include <asm/uaccess.h>
48304  
48305 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
48306  {
48307         struct compat_robust_list_head __user *head;
48308         unsigned long ret;
48309 -       const struct cred *cred = current_cred(), *pcred;
48310 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
48311 +       const struct cred *cred = current_cred();
48312 +       const struct cred *pcred;
48313 +#endif
48314  
48315         if (!futex_cmpxchg_enabled)
48316                 return -ENOSYS;
48317 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
48318                 if (!p)
48319                         goto err_unlock;
48320                 ret = -EPERM;
48321 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
48322 +               if (!ptrace_may_access(p, PTRACE_MODE_READ))
48323 +                       goto err_unlock;
48324 +#else
48325                 pcred = __task_cred(p);
48326                 if (cred->euid != pcred->euid &&
48327                     cred->euid != pcred->uid &&
48328                     !capable(CAP_SYS_PTRACE))
48329                         goto err_unlock;
48330 +#endif
48331                 head = p->compat_robust_list;
48332                 rcu_read_unlock();
48333         }
48334 diff -urNp linux-2.6.35.5/kernel/gcov/base.c linux-2.6.35.5/kernel/gcov/base.c
48335 --- linux-2.6.35.5/kernel/gcov/base.c   2010-08-26 19:47:12.000000000 -0400
48336 +++ linux-2.6.35.5/kernel/gcov/base.c   2010-09-17 20:12:09.000000000 -0400
48337 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
48338  }
48339  
48340  #ifdef CONFIG_MODULES
48341 -static inline int within(void *addr, void *start, unsigned long size)
48342 -{
48343 -       return ((addr >= start) && (addr < start + size));
48344 -}
48345 -
48346  /* Update list and generate events when modules are unloaded. */
48347  static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
48348                                 void *data)
48349 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
48350         prev = NULL;
48351         /* Remove entries located in module from linked list. */
48352         for (info = gcov_info_head; info; info = info->next) {
48353 -               if (within(info, mod->module_core, mod->core_size)) {
48354 +               if (within_module_core_rw((unsigned long)info, mod)) {
48355                         if (prev)
48356                                 prev->next = info->next;
48357                         else
48358 diff -urNp linux-2.6.35.5/kernel/hrtimer.c linux-2.6.35.5/kernel/hrtimer.c
48359 --- linux-2.6.35.5/kernel/hrtimer.c     2010-08-26 19:47:12.000000000 -0400
48360 +++ linux-2.6.35.5/kernel/hrtimer.c     2010-09-17 20:12:09.000000000 -0400
48361 @@ -1398,7 +1398,7 @@ void hrtimer_peek_ahead_timers(void)
48362         local_irq_restore(flags);
48363  }
48364  
48365 -static void run_hrtimer_softirq(struct softirq_action *h)
48366 +static void run_hrtimer_softirq(void)
48367  {
48368         hrtimer_peek_ahead_timers();
48369  }
48370 diff -urNp linux-2.6.35.5/kernel/kallsyms.c linux-2.6.35.5/kernel/kallsyms.c
48371 --- linux-2.6.35.5/kernel/kallsyms.c    2010-08-26 19:47:12.000000000 -0400
48372 +++ linux-2.6.35.5/kernel/kallsyms.c    2010-09-17 20:12:37.000000000 -0400
48373 @@ -11,6 +11,9 @@
48374   *      Changed the compression method from stem compression to "table lookup"
48375   *      compression (see scripts/kallsyms.c for a more complete description)
48376   */
48377 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48378 +#define __INCLUDED_BY_HIDESYM 1
48379 +#endif
48380  #include <linux/kallsyms.h>
48381  #include <linux/module.h>
48382  #include <linux/init.h>
48383 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
48384  
48385  static inline int is_kernel_inittext(unsigned long addr)
48386  {
48387 +       if (system_state != SYSTEM_BOOTING)
48388 +               return 0;
48389 +
48390         if (addr >= (unsigned long)_sinittext
48391             && addr <= (unsigned long)_einittext)
48392                 return 1;
48393         return 0;
48394  }
48395  
48396 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48397 +#ifdef CONFIG_MODULES
48398 +static inline int is_module_text(unsigned long addr)
48399 +{
48400 +       if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
48401 +               return 1;
48402 +
48403 +       addr = ktla_ktva(addr);
48404 +       return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
48405 +}
48406 +#else
48407 +static inline int is_module_text(unsigned long addr)
48408 +{
48409 +       return 0;
48410 +}
48411 +#endif
48412 +#endif
48413 +
48414  static inline int is_kernel_text(unsigned long addr)
48415  {
48416         if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
48417 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
48418  
48419  static inline int is_kernel(unsigned long addr)
48420  {
48421 +
48422 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48423 +       if (is_kernel_text(addr) || is_kernel_inittext(addr))
48424 +               return 1;
48425 +
48426 +       if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
48427 +#else
48428         if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
48429 +#endif
48430 +
48431                 return 1;
48432         return in_gate_area_no_task(addr);
48433  }
48434  
48435  static int is_ksym_addr(unsigned long addr)
48436  {
48437 +
48438 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
48439 +       if (is_module_text(addr))
48440 +               return 0;
48441 +#endif
48442 +
48443         if (all_var)
48444                 return is_kernel(addr);
48445  
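Review bot: In is_kernel() the `#if`/`#else` splits the head of an `if` from its body (`return 1;` follows the `#endif` and a blank line), which is easy to break when either branch is edited. The two branches also disagree on the upper bound, `addr < (unsigned long)_end` under KERNEXEC against `addr <= (unsigned long)_end` otherwise, with no comment on whether that is intended. Selecting only the range start under the `#if` (`ktla_ktva((unsigned long)_text)` versus `(unsigned long)_stext`) and keeping one complete `if` with whichever bound is meant would make the difference explicit. is_ksym_addr() continues outside the hunk.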
48446 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
48447  
48448  static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
48449  {
48450 -       iter->name[0] = '\0';
48451         iter->nameoff = get_symbol_offset(new_pos);
48452         iter->pos = new_pos;
48453  }
48454 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
48455  {
48456         struct kallsym_iter *iter = m->private;
48457  
48458 +#ifdef CONFIG_GRKERNSEC_HIDESYM
48459 +       if (current_uid())
48460 +               return 0;
48461 +#endif
48462 +
48463         /* Some debugging symbols have no name.  Ignore them. */
48464         if (!iter->name[0])
48465                 return 0;
48466 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
48467         struct kallsym_iter *iter;
48468         int ret;
48469  
48470 -       iter = kmalloc(sizeof(*iter), GFP_KERNEL);
48471 +       iter = kzalloc(sizeof(*iter), GFP_KERNEL);
48472         if (!iter)
48473                 return -ENOMEM;
48474         reset_iter(iter, 0);
48475 diff -urNp linux-2.6.35.5/kernel/kmod.c linux-2.6.35.5/kernel/kmod.c
48476 --- linux-2.6.35.5/kernel/kmod.c        2010-08-26 19:47:12.000000000 -0400
48477 +++ linux-2.6.35.5/kernel/kmod.c        2010-09-17 20:12:37.000000000 -0400
48478 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
48479         if (ret)
48480                 return ret;
48481  
48482 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
48483 +       /* we could do a tighter check here, but some distros
48484 +          are taking it upon themselves to remove CAP_SYS_MODULE
48485 +          from even root-running apps which cause modules to be
48486 +          auto-loaded
48487 +       */
48488 +       if (current_uid()) {
48489 +               gr_log_nonroot_mod_load(module_name);
48490 +               return -EPERM;
48491 +       }
48492 +#endif
48493 +
48494         /* If modprobe needs a service that is in a module, we get a recursive
48495          * loop.  Limit the number of running kmod threads to max_threads/2 or
48496          * MAX_KMOD_CONCURRENT, whichever is the smaller.  A cleaner method
48497 diff -urNp linux-2.6.35.5/kernel/kprobes.c linux-2.6.35.5/kernel/kprobes.c
48498 --- linux-2.6.35.5/kernel/kprobes.c     2010-08-26 19:47:12.000000000 -0400
48499 +++ linux-2.6.35.5/kernel/kprobes.c     2010-09-17 20:12:09.000000000 -0400
48500 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
48501          * kernel image and loaded module images reside. This is required
48502          * so x86_64 can correctly handle the %rip-relative fixups.
48503          */
48504 -       kip->insns = module_alloc(PAGE_SIZE);
48505 +       kip->insns = module_alloc_exec(PAGE_SIZE);
48506         if (!kip->insns) {
48507                 kfree(kip);
48508                 return NULL;
48509 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
48510                  */
48511                 if (!list_is_singular(&kip->list)) {
48512                         list_del(&kip->list);
48513 -                       module_free(NULL, kip->insns);
48514 +                       module_free_exec(NULL, kip->insns);
48515                         kfree(kip);
48516                 }
48517                 return 1;
48518 @@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
48519  {
48520         int i, err = 0;
48521         unsigned long offset = 0, size = 0;
48522 -       char *modname, namebuf[128];
48523 +       char *modname, namebuf[KSYM_NAME_LEN];
48524         const char *symbol_name;
48525         void *addr;
48526         struct kprobe_blackpoint *kb;
48527 @@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
48528         const char *sym = NULL;
48529         unsigned int i = *(loff_t *) v;
48530         unsigned long offset = 0;
48531 -       char *modname, namebuf[128];
48532 +       char *modname, namebuf[KSYM_NAME_LEN];
48533  
48534         head = &kprobe_table[i];
48535         preempt_disable();
48536 diff -urNp linux-2.6.35.5/kernel/lockdep.c linux-2.6.35.5/kernel/lockdep.c
48537 --- linux-2.6.35.5/kernel/lockdep.c     2010-08-26 19:47:12.000000000 -0400
48538 +++ linux-2.6.35.5/kernel/lockdep.c     2010-09-17 20:12:09.000000000 -0400
48539 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
48540                       end   = (unsigned long) &_end,
48541                       addr  = (unsigned long) obj;
48542  
48543 +#ifdef CONFIG_PAX_KERNEXEC
48544 +       start = ktla_ktva(start);
48545 +#endif
48546 +
48547         /*
48548          * static variable?
48549          */
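Review bot: In static_obj() only `start` is passed through `ktla_ktva()` under CONFIG_PAX_KERNEXEC, while `end` and `addr` in the context lines just above are compared untranslated, and the hunk gives no reason for the asymmetry. If this is intentional (presumably because only `start` is derived from a text symbol), a comment such as `/* KERNEXEC: only the text start needs translating; end and obj are already comparable */` would stop a later reader from "correcting" it. The declaration of `start` and the comparisons that use it are outside the hunk, so the intent should be confirmed against the full function.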
48550 @@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
48551         if (!static_obj(lock->key)) {
48552                 debug_locks_off();
48553                 printk("INFO: trying to register non-static key.\n");
48554 +               printk("lock:%pS key:%pS.\n", lock, lock->key);
48555                 printk("the code is fine but needs lockdep annotation.\n");
48556                 printk("turning off the locking correctness validator.\n");
48557                 dump_stack();
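Review bot: The added `printk("lock:%pS key:%pS.\n", lock, lock->key);` runs only after `static_obj(lock->key)` has failed, so the key is by construction not a static object and `%pS` will most likely have no symbol for it and print the raw pointer value. That writes kernel addresses into the log from a patch that elsewhere narrows the mode of /proc/modules. Whether the log is restricted in the same way depends on configuration not shown here. Consider gating the line on the same option used for /proc/modules, e.g. wrapping it in `#ifndef CONFIG_GRKERNSEC_HIDESYM`, or printing only the lock's name.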
48558 diff -urNp linux-2.6.35.5/kernel/lockdep_proc.c linux-2.6.35.5/kernel/lockdep_proc.c
48559 --- linux-2.6.35.5/kernel/lockdep_proc.c        2010-08-26 19:47:12.000000000 -0400
48560 +++ linux-2.6.35.5/kernel/lockdep_proc.c        2010-09-17 20:12:09.000000000 -0400
48561 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
48562  
48563  static void print_name(struct seq_file *m, struct lock_class *class)
48564  {
48565 -       char str[128];
48566 +       char str[KSYM_NAME_LEN];
48567         const char *name = class->name;
48568  
48569         if (!name) {
48570 diff -urNp linux-2.6.35.5/kernel/module.c linux-2.6.35.5/kernel/module.c
48571 --- linux-2.6.35.5/kernel/module.c      2010-08-26 19:47:12.000000000 -0400
48572 +++ linux-2.6.35.5/kernel/module.c      2010-09-17 20:12:37.000000000 -0400
48573 @@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
48574  
48575  /* Bounds of module allocation, for speeding __module_address.
48576   * Protected by module_mutex. */
48577 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
48578 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
48579 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
48580  
48581  int register_module_notifier(struct notifier_block * nb)
48582  {
48583 @@ -250,7 +251,7 @@ bool each_symbol(bool (*fn)(const struct
48584                 return true;
48585  
48586         list_for_each_entry_rcu(mod, &modules, list) {
48587 -               struct symsearch arr[] = {
48588 +               struct symsearch modarr[] = {
48589                         { mod->syms, mod->syms + mod->num_syms, mod->crcs,
48590                           NOT_GPL_ONLY, false },
48591                         { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
48592 @@ -272,7 +273,7 @@ bool each_symbol(bool (*fn)(const struct
48593  #endif
48594                 };
48595  
48596 -               if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
48597 +               if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
48598                         return true;
48599         }
48600         return false;
48601 @@ -383,7 +384,7 @@ static inline void __percpu *mod_percpu(
48602  static int percpu_modalloc(struct module *mod,
48603                            unsigned long size, unsigned long align)
48604  {
48605 -       if (align > PAGE_SIZE) {
48606 +       if (align-1 >= PAGE_SIZE) {
48607                 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
48608                        mod->name, align, PAGE_SIZE);
48609                 align = PAGE_SIZE;
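Review bot: `align-1 >= PAGE_SIZE` relies on unsigned wrap-around so that `align == 0` is clamped as well as `align > PAGE_SIZE`, and nothing at the test says so. The warning text still reads "per-cpu alignment %li > %li", which for the zero case prints a false statement, and `%li` is applied to the `unsigned long align` parameter. I would add `/* align - 1 wraps for align == 0, so a zero alignment is clamped too */` above the test and use `%lu` in the format. The rest of percpu_modalloc() is outside the hunk.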
48610 @@ -1562,7 +1563,8 @@ static void free_module(struct module *m
48611         destroy_params(mod->kp, mod->num_kp);
48612  
48613         /* This may be NULL, but that's OK */
48614 -       module_free(mod, mod->module_init);
48615 +       module_free(mod, mod->module_init_rw);
48616 +       module_free_exec(mod, mod->module_init_rx);
48617         kfree(mod->args);
48618         percpu_modfree(mod);
48619  #if defined(CONFIG_MODULE_UNLOAD)
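Review bot: The context comment "This may be NULL, but that's OK" now sits above two calls, but it was written for `module_free()` only. `module_free_exec(mod, mod->module_init_rx)` is reached with a NULL pointer once the init regions have been released, since the init_module hunk further down sets `module_init_rx = NULL`. module_free_exec() is defined outside this view, so its NULL handling should be confirmed or the call guarded: `if (mod->module_init_rx) module_free_exec(mod, mod->module_init_rx);`. The same question applies to the `module_free_exec()` calls on the error labels in load_module().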
48620 @@ -1570,10 +1572,12 @@ static void free_module(struct module *m
48621                 free_percpu(mod->refptr);
48622  #endif
48623         /* Free lock-classes: */
48624 -       lockdep_free_key_range(mod->module_core, mod->core_size);
48625 +       lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
48626 +       lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
48627  
48628         /* Finally, free the core (containing the module structure) */
48629 -       module_free(mod, mod->module_core);
48630 +       module_free_exec(mod, mod->module_core_rx);
48631 +       module_free(mod, mod->module_core_rw);
48632  
48633  #ifdef CONFIG_MPU
48634         update_protections(current->mm);
48635 @@ -1670,7 +1674,9 @@ static int simplify_symbols(Elf_Shdr *se
48636                                                    mod);
48637                         /* Ok if resolved.  */
48638                         if (ksym && !IS_ERR(ksym)) {
48639 +                               pax_open_kernel();
48640                                 sym[i].st_value = ksym->value;
48641 +                               pax_close_kernel();
48642                                 break;
48643                         }
48644  
48645 @@ -1690,7 +1696,9 @@ static int simplify_symbols(Elf_Shdr *se
48646                                 secbase = (unsigned long)mod_percpu(mod);
48647                         else
48648                                 secbase = sechdrs[sym[i].st_shndx].sh_addr;
48649 +                       pax_open_kernel();
48650                         sym[i].st_value += secbase;
48651 +                       pax_close_kernel();
48652                         break;
48653                 }
48654         }
48655 @@ -1751,11 +1759,12 @@ static void layout_sections(struct modul
48656                             || s->sh_entsize != ~0UL
48657                             || strstarts(secstrings + s->sh_name, ".init"))
48658                                 continue;
48659 -                       s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
48660 +                       if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48661 +                               s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
48662 +                       else
48663 +                               s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
48664                         DEBUGP("\t%s\n", secstrings + s->sh_name);
48665                 }
48666 -               if (m == 0)
48667 -                       mod->core_text_size = mod->core_size;
48668         }
48669  
48670         DEBUGP("Init section allocation order:\n");
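Review bot: The RW/RX placement test `(s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC)` is written out here, again in the init-section loop in the next hunk, and twice more in the section-copy loop in load_module(). The layout pass and the copy pass must agree exactly, or a section is copied to an offset that was computed for the other region. A single helper, e.g. `static bool section_is_rw(const Elf_Shdr *s)` returning that expression, would make the agreement structural rather than a matter of copy-paste. layout_symtab() also accounts the symbol and string tables to `init_size_rx` unconditionally, so it depends on those sections not carrying SHF_WRITE when they are copied; a comment there stating that assumption would help. layout_sections() starts outside the hunk.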
48671 @@ -1768,12 +1777,13 @@ static void layout_sections(struct modul
48672                             || s->sh_entsize != ~0UL
48673                             || !strstarts(secstrings + s->sh_name, ".init"))
48674                                 continue;
48675 -                       s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
48676 -                                        | INIT_OFFSET_MASK);
48677 +                       if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
48678 +                               s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
48679 +                       else
48680 +                               s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
48681 +                       s->sh_entsize |= INIT_OFFSET_MASK;
48682                         DEBUGP("\t%s\n", secstrings + s->sh_name);
48683                 }
48684 -               if (m == 0)
48685 -                       mod->init_text_size = mod->init_size;
48686         }
48687  }
48688  
48689 @@ -1877,9 +1887,8 @@ static int is_exported(const char *name,
48690  
48691  /* As per nm */
48692  static char elf_type(const Elf_Sym *sym,
48693 -                    Elf_Shdr *sechdrs,
48694 -                    const char *secstrings,
48695 -                    struct module *mod)
48696 +                    const Elf_Shdr *sechdrs,
48697 +                    const char *secstrings)
48698  {
48699         if (ELF_ST_BIND(sym->st_info) == STB_WEAK) {
48700                 if (ELF_ST_TYPE(sym->st_info) == STT_OBJECT)
48701 @@ -1954,7 +1963,7 @@ static unsigned long layout_symtab(struc
48702  
48703         /* Put symbol section at end of init part of module. */
48704         symsect->sh_flags |= SHF_ALLOC;
48705 -       symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
48706 +       symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
48707                                          symindex) | INIT_OFFSET_MASK;
48708         DEBUGP("\t%s\n", secstrings + symsect->sh_name);
48709  
48710 @@ -1971,19 +1980,19 @@ static unsigned long layout_symtab(struc
48711                 }
48712  
48713         /* Append room for core symbols at end of core part. */
48714 -       symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
48715 -       mod->core_size = symoffs + ndst * sizeof(Elf_Sym);
48716 +       symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
48717 +       mod->core_size_rx = symoffs + ndst * sizeof(Elf_Sym);
48718  
48719         /* Put string table section at end of init part of module. */
48720         strsect->sh_flags |= SHF_ALLOC;
48721 -       strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
48722 +       strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
48723                                          strindex) | INIT_OFFSET_MASK;
48724         DEBUGP("\t%s\n", secstrings + strsect->sh_name);
48725  
48726         /* Append room for core symbols' strings at end of core part. */
48727 -       *pstroffs = mod->core_size;
48728 +       *pstroffs = mod->core_size_rx;
48729         __set_bit(0, strmap);
48730 -       mod->core_size += bitmap_weight(strmap, strsect->sh_size);
48731 +       mod->core_size_rx += bitmap_weight(strmap, strsect->sh_size);
48732  
48733         return symoffs;
48734  }
48735 @@ -2007,12 +2016,14 @@ static void add_kallsyms(struct module *
48736         mod->num_symtab = sechdrs[symindex].sh_size / sizeof(Elf_Sym);
48737         mod->strtab = (void *)sechdrs[strindex].sh_addr;
48738  
48739 +       pax_open_kernel();
48740 +
48741         /* Set types up while we still have access to sections. */
48742         for (i = 0; i < mod->num_symtab; i++)
48743                 mod->symtab[i].st_info
48744 -                       = elf_type(&mod->symtab[i], sechdrs, secstrings, mod);
48745 +                       = elf_type(&mod->symtab[i], sechdrs, secstrings);
48746  
48747 -       mod->core_symtab = dst = mod->module_core + symoffs;
48748 +       mod->core_symtab = dst = mod->module_core_rx + symoffs;
48749         src = mod->symtab;
48750         *dst = *src;
48751         for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
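Review bot: `pax_open_kernel()` is taken near the top of add_kallsyms() and released only at the end of the function in the next hunk. The whole symbol-type loop, including every `elf_type()` call, and both copy loops therefore run inside the open window. simplify_symbols() in the same patch brackets each individual store instead. The definition of pax_open_kernel() is outside this view, but if it lifts kernel write protection, the window is better kept to the stores that need it. A comment at the open call should name the writes it covers, e.g. `/* symtab, core_symtab and core_strtab live in the RX regions */`.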
48752 @@ -2024,10 +2035,12 @@ static void add_kallsyms(struct module *
48753         }
48754         mod->core_num_syms = ndst;
48755  
48756 -       mod->core_strtab = s = mod->module_core + stroffs;
48757 +       mod->core_strtab = s = mod->module_core_rx + stroffs;
48758         for (*s = 0, i = 1; i < sechdrs[strindex].sh_size; ++i)
48759                 if (test_bit(i, strmap))
48760                         *++s = mod->strtab[i];
48761 +
48762 +       pax_close_kernel();
48763  }
48764  #else
48765  static inline unsigned long layout_symtab(struct module *mod,
48766 @@ -2070,17 +2083,33 @@ static void dynamic_debug_remove(struct 
48767                 ddebug_remove_module(debug->modname);
48768  }
48769  
48770 -static void *module_alloc_update_bounds(unsigned long size)
48771 +static void *module_alloc_update_bounds_rw(unsigned long size)
48772  {
48773         void *ret = module_alloc(size);
48774  
48775         if (ret) {
48776                 mutex_lock(&module_mutex);
48777                 /* Update module bounds. */
48778 -               if ((unsigned long)ret < module_addr_min)
48779 -                       module_addr_min = (unsigned long)ret;
48780 -               if ((unsigned long)ret + size > module_addr_max)
48781 -                       module_addr_max = (unsigned long)ret + size;
48782 +               if ((unsigned long)ret < module_addr_min_rw)
48783 +                       module_addr_min_rw = (unsigned long)ret;
48784 +               if ((unsigned long)ret + size > module_addr_max_rw)
48785 +                       module_addr_max_rw = (unsigned long)ret + size;
48786 +               mutex_unlock(&module_mutex);
48787 +       }
48788 +       return ret;
48789 +}
48790 +
48791 +static void *module_alloc_update_bounds_rx(unsigned long size)
48792 +{
48793 +       void *ret = module_alloc_exec(size);
48794 +
48795 +       if (ret) {
48796 +               mutex_lock(&module_mutex);
48797 +               /* Update module bounds. */
48798 +               if ((unsigned long)ret < module_addr_min_rx)
48799 +                       module_addr_min_rx = (unsigned long)ret;
48800 +               if ((unsigned long)ret + size > module_addr_max_rx)
48801 +                       module_addr_max_rx = (unsigned long)ret + size;
48802                 mutex_unlock(&module_mutex);
48803         }
48804         return ret;
48805 @@ -2284,7 +2313,7 @@ static noinline struct module *load_modu
48806                                 secstrings, &stroffs, strmap);
48807  
48808         /* Do the allocs. */
48809 -       ptr = module_alloc_update_bounds(mod->core_size);
48810 +       ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
48811         /*
48812          * The pointer to this block is stored in the module structure
48813          * which is inside the block. Just mark it as not being a
48814 @@ -2295,23 +2324,47 @@ static noinline struct module *load_modu
48815                 err = -ENOMEM;
48816                 goto free_percpu;
48817         }
48818 -       memset(ptr, 0, mod->core_size);
48819 -       mod->module_core = ptr;
48820 +       memset(ptr, 0, mod->core_size_rw);
48821 +       mod->module_core_rw = ptr;
48822  
48823 -       ptr = module_alloc_update_bounds(mod->init_size);
48824 +       ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
48825         /*
48826          * The pointer to this block is stored in the module structure
48827          * which is inside the block. This block doesn't need to be
48828          * scanned as it contains data and code that will be freed
48829          * after the module is initialized.
48830          */
48831 -       kmemleak_ignore(ptr);
48832 -       if (!ptr && mod->init_size) {
48833 +       kmemleak_not_leak(ptr);
48834 +       if (!ptr && mod->init_size_rw) {
48835 +               err = -ENOMEM;
48836 +               goto free_core_rw;
48837 +       }
48838 +       memset(ptr, 0, mod->init_size_rw);
48839 +       mod->module_init_rw = ptr;
48840 +
48841 +       ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
48842 +       kmemleak_not_leak(ptr);
48843 +       if (!ptr) {
48844 +               err = -ENOMEM;
48845 +               goto free_init_rw;
48846 +       }
48847 +
48848 +       pax_open_kernel();
48849 +       memset(ptr, 0, mod->core_size_rx);
48850 +       pax_close_kernel();
48851 +       mod->module_core_rx = ptr;
48852 +
48853 +       ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
48854 +       kmemleak_not_leak(ptr);
48855 +       if (!ptr && mod->init_size_rx) {
48856                 err = -ENOMEM;
48857 -               goto free_core;
48858 +               goto free_core_rx;
48859         }
48860 -       memset(ptr, 0, mod->init_size);
48861 -       mod->module_init = ptr;
48862 +
48863 +       pax_open_kernel();
48864 +       memset(ptr, 0, mod->init_size_rx);
48865 +       pax_close_kernel();
48866 +       mod->module_init_rx = ptr;
48867  
48868         /* Transfer each section which specifies SHF_ALLOC */
48869         DEBUGP("final section addresses:\n");
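Review bot: The check after `module_alloc_update_bounds_rx(mod->core_size_rx)` is a bare `if (!ptr)`, whereas both init allocations test `!ptr && mod->init_size_*`. If a module ends up with `core_size_rx == 0` and the allocator returns NULL for a zero-size request, loading fails with -ENOMEM. Whether that can happen depends on the layout code and on module_alloc_exec(), both outside the hunk, so a comment stating why the core RX region is never empty (or an explicit, differently reported rejection of that case) is needed here. Separately, the context comment above the init allocation still says the block "doesn't need to be scanned", but the call was changed from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, which does not stop scanning; the comment and the call should be brought back in line.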
48870 @@ -2321,17 +2374,41 @@ static noinline struct module *load_modu
48871                 if (!(sechdrs[i].sh_flags & SHF_ALLOC))
48872                         continue;
48873  
48874 -               if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK)
48875 -                       dest = mod->module_init
48876 -                               + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48877 -               else
48878 -                       dest = mod->module_core + sechdrs[i].sh_entsize;
48879 +               if (sechdrs[i].sh_entsize & INIT_OFFSET_MASK) {
48880 +                       if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48881 +                               dest = mod->module_init_rw
48882 +                                       + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48883 +                       else
48884 +                               dest = mod->module_init_rx
48885 +                                       + (sechdrs[i].sh_entsize & ~INIT_OFFSET_MASK);
48886 +               } else {
48887 +                       if ((sechdrs[i].sh_flags & SHF_WRITE) || !(sechdrs[i].sh_flags & SHF_ALLOC))
48888 +                               dest = mod->module_core_rw + sechdrs[i].sh_entsize;
48889 +                       else
48890 +                               dest = mod->module_core_rx + sechdrs[i].sh_entsize;
48891 +               }
48892 +
48893 +               if (sechdrs[i].sh_type != SHT_NOBITS) {
48894  
48895 -               if (sechdrs[i].sh_type != SHT_NOBITS)
48896 -                       memcpy(dest, (void *)sechdrs[i].sh_addr,
48897 -                              sechdrs[i].sh_size);
48898 +#ifdef CONFIG_PAX_KERNEXEC
48899 +                       if (!(sechdrs[i].sh_flags & SHF_WRITE) && (sechdrs[i].sh_flags & SHF_ALLOC)) {
48900 +                               pax_open_kernel();
48901 +                               memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48902 +                               pax_close_kernel();
48903 +                       } else
48904 +#endif
48905 +
48906 +                       memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
48907 +               }
48908                 /* Update sh_addr to point to copy in image. */
48909 -               sechdrs[i].sh_addr = (unsigned long)dest;
48910 +
48911 +#ifdef CONFIG_PAX_KERNEXEC
48912 +               if (sechdrs[i].sh_flags & SHF_EXECINSTR)
48913 +                       sechdrs[i].sh_addr = ktva_ktla((unsigned long)dest);
48914 +               else
48915 +#endif
48916 +
48917 +                       sechdrs[i].sh_addr = (unsigned long)dest;
48918                 DEBUGP("\t0x%lx %s\n", sechdrs[i].sh_addr, secstrings + sechdrs[i].sh_name);
48919         }
48920         /* Module has been moved. */
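Review bot: The copy is written as `} else`, `#endif`, a blank line, then `memcpy(...)`, so the final `memcpy` is an else-branch only when CONFIG_PAX_KERNEXEC is set, and the same construction is repeated for the `sh_addr` assignment. One statement inserted after either `#endif` silently changes which code is conditional. The `!(sechdrs[i].sh_flags & SHF_ALLOC)` terms in this loop are also dead, because the context line at the top of the loop already `continue`s for sections without SHF_ALLOC. simplify_symbols() in this patch calls pax_open_kernel() without any #ifdef, so the helpers presumably compile away when the option is off and the copy can be written once, as below. The loop starts outside the hunk.

```c
		if (sechdrs[i].sh_type != SHT_NOBITS) {
			/* dest is in an RX region: bracket the copy like the other RX writes */
			bool rx = !(sechdrs[i].sh_flags & SHF_WRITE);

			if (rx)
				pax_open_kernel();
			memcpy(dest, (void *)sechdrs[i].sh_addr, sechdrs[i].sh_size);
			if (rx)
				pax_close_kernel();
		}
		/* … unchanged: sh_addr update and DEBUGP … */
```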
48921 @@ -2342,7 +2419,7 @@ static noinline struct module *load_modu
48922         mod->refptr = alloc_percpu(struct module_ref);
48923         if (!mod->refptr) {
48924                 err = -ENOMEM;
48925 -               goto free_init;
48926 +               goto free_init_rx;
48927         }
48928  #endif
48929         /* Now we've moved module, initialize linked lists, etc. */
48930 @@ -2452,8 +2529,8 @@ static noinline struct module *load_modu
48931  
48932         /* Now do relocations. */
48933         for (i = 1; i < hdr->e_shnum; i++) {
48934 -               const char *strtab = (char *)sechdrs[strindex].sh_addr;
48935                 unsigned int info = sechdrs[i].sh_info;
48936 +               strtab = (char *)sechdrs[strindex].sh_addr;
48937  
48938                 /* Not a valid relocation section? */
48939                 if (info >= hdr->e_shnum)
48940 @@ -2503,12 +2580,12 @@ static noinline struct module *load_modu
48941          * Do it before processing of module parameters, so the module
48942          * can provide parameter accessor functions of its own.
48943          */
48944 -       if (mod->module_init)
48945 -               flush_icache_range((unsigned long)mod->module_init,
48946 -                                  (unsigned long)mod->module_init
48947 -                                  + mod->init_size);
48948 -       flush_icache_range((unsigned long)mod->module_core,
48949 -                          (unsigned long)mod->module_core + mod->core_size);
48950 +       if (mod->module_init_rx)
48951 +               flush_icache_range((unsigned long)mod->module_init_rx,
48952 +                                  (unsigned long)mod->module_init_rx
48953 +                                  + mod->init_size_rx);
48954 +       flush_icache_range((unsigned long)mod->module_core_rx,
48955 +                          (unsigned long)mod->module_core_rx + mod->core_size_rx);
48956  
48957         set_fs(old_fs);
48958  
48959 @@ -2574,12 +2651,16 @@ static noinline struct module *load_modu
48960         free_modinfo(mod);
48961         module_unload_free(mod);
48962  #if defined(CONFIG_MODULE_UNLOAD)
48963 + free_init_rx:
48964         free_percpu(mod->refptr);
48965 - free_init:
48966  #endif
48967 -       module_free(mod, mod->module_init);
48968 - free_core:
48969 -       module_free(mod, mod->module_core);
48970 +       module_free_exec(mod, mod->module_init_rx);
48971 + free_core_rx:
48972 +       module_free_exec(mod, mod->module_core_rx);
48973 + free_init_rw:
48974 +       module_free(mod, mod->module_init_rw);
48975 + free_core_rw:
48976 +       module_free(mod, mod->module_core_rw);
48977         /* mod will be freed with core. Don't access it beyond this line! */
48978   free_percpu:
48979         free_percpu(percpu);
48980 @@ -2669,10 +2750,12 @@ SYSCALL_DEFINE3(init_module, void __user
48981         mod->symtab = mod->core_symtab;
48982         mod->strtab = mod->core_strtab;
48983  #endif
48984 -       module_free(mod, mod->module_init);
48985 -       mod->module_init = NULL;
48986 -       mod->init_size = 0;
48987 -       mod->init_text_size = 0;
48988 +       module_free(mod, mod->module_init_rw);
48989 +       module_free_exec(mod, mod->module_init_rx);
48990 +       mod->module_init_rw = NULL;
48991 +       mod->module_init_rx = NULL;
48992 +       mod->init_size_rw = 0;
48993 +       mod->init_size_rx = 0;
48994         mutex_unlock(&module_mutex);
48995  
48996         return 0;
48997 @@ -2703,10 +2786,16 @@ static const char *get_ksymbol(struct mo
48998         unsigned long nextval;
48999  
49000         /* At worse, next value is at end of module */
49001 -       if (within_module_init(addr, mod))
49002 -               nextval = (unsigned long)mod->module_init+mod->init_text_size;
49003 +       if (within_module_init_rx(addr, mod))
49004 +               nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
49005 +       else if (within_module_init_rw(addr, mod))
49006 +               nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
49007 +       else if (within_module_core_rx(addr, mod))
49008 +               nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
49009 +       else if (within_module_core_rw(addr, mod))
49010 +               nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
49011         else
49012 -               nextval = (unsigned long)mod->module_core+mod->core_text_size;
49013 +               return NULL;
49014  
49015         /* Scan for closest preceeding symbol, and next symbol. (ELF
49016            starts real symbols at 1). */
49017 @@ -2952,7 +3041,7 @@ static int m_show(struct seq_file *m, vo
49018         char buf[8];
49019  
49020         seq_printf(m, "%s %u",
49021 -                  mod->name, mod->init_size + mod->core_size);
49022 +                  mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
49023         print_unload_info(m, mod);
49024  
49025         /* Informative for users. */
49026 @@ -2961,7 +3050,7 @@ static int m_show(struct seq_file *m, vo
49027                    mod->state == MODULE_STATE_COMING ? "Loading":
49028                    "Live");
49029         /* Used by oprofile and other similar tools. */
49030 -       seq_printf(m, " 0x%p", mod->module_core);
49031 +       seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
49032  
49033         /* Taints info */
49034         if (mod->taints)
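Review bot: `seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);` inserts a second address field into each /proc/modules line ahead of the taint flags, so any consumer that parses the line by position (the context comment names oprofile) will read the RW base where it expects the next field. It also doubles the address information exposed per module. proc_modules_init() further down narrows the file mode only when one of the GRKERNSEC options is set, and in the remaining branch the mode argument stays 0. Consider keeping a single address in the existing column, or emitting the addresses only for readers allowed to see them, and document the line format in a comment next to the seq_printf. The size field in the previous hunk is a four-term sum printed with `%u`; the field types are outside this view.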
49035 @@ -2997,7 +3086,17 @@ static const struct file_operations proc
49036  
49037  static int __init proc_modules_init(void)
49038  {
49039 +#ifndef CONFIG_GRKERNSEC_HIDESYM
49040 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49041 +       proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49042 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49043 +       proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
49044 +#else
49045         proc_create("modules", 0, NULL, &proc_modules_operations);
49046 +#endif
49047 +#else
49048 +       proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
49049 +#endif
49050         return 0;
49051  }
49052  module_init(proc_modules_init);
49053 @@ -3056,12 +3155,12 @@ struct module *__module_address(unsigned
49054  {
49055         struct module *mod;
49056  
49057 -       if (addr < module_addr_min || addr > module_addr_max)
49058 +       if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
49059 +           (addr < module_addr_min_rw || addr > module_addr_max_rw))
49060                 return NULL;
49061  
49062         list_for_each_entry_rcu(mod, &modules, list)
49063 -               if (within_module_core(addr, mod)
49064 -                   || within_module_init(addr, mod))
49065 +               if (within_module_init(addr, mod) || within_module_core(addr, mod))
49066                         return mod;
49067         return NULL;
49068  }
49069 @@ -3095,11 +3194,20 @@ bool is_module_text_address(unsigned lon
49070   */
49071  struct module *__module_text_address(unsigned long addr)
49072  {
49073 -       struct module *mod = __module_address(addr);
49074 +       struct module *mod;
49075 +
49076 +#ifdef CONFIG_X86_32
49077 +       addr = ktla_ktva(addr);
49078 +#endif
49079 +
49080 +       if (addr < module_addr_min_rx || addr > module_addr_max_rx)
49081 +               return NULL;
49082 +
49083 +       mod = __module_address(addr);
49084 +
49085         if (mod) {
49086                 /* Make sure it's within the text section. */
49087 -               if (!within(addr, mod->module_init, mod->init_text_size)
49088 -                   && !within(addr, mod->module_core, mod->core_text_size))
49089 +               if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
49090                         mod = NULL;
49091         }
49092         return mod;
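Review bot: The address translation in __module_text_address() is guarded by `#ifdef CONFIG_X86_32`, while the other `ktla_ktva()`/`ktva_ktla()` uses visible in this patch (static_obj() in lockdep.c, the section-copy loop in load_module()) are guarded by `CONFIG_PAX_KERNEXEC`. If the translation is only meaningful with KERNEXEC, the guard should name that option, combined with the architecture if needed. A comment should also state which address form callers pass in, e.g. `/* callers pass a text address in the other mapping; module bounds are kept in this one */`, worded to match the actual intent. The definitions of both macros are outside this view, so the current guard may be harmless, but the inconsistency should be resolved one way or the other.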
49093 diff -urNp linux-2.6.35.5/kernel/panic.c linux-2.6.35.5/kernel/panic.c
49094 --- linux-2.6.35.5/kernel/panic.c       2010-08-26 19:47:12.000000000 -0400
49095 +++ linux-2.6.35.5/kernel/panic.c       2010-09-17 20:12:09.000000000 -0400
49096 @@ -429,7 +429,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
49097   */
49098  void __stack_chk_fail(void)
49099  {
49100 -       panic("stack-protector: Kernel stack is corrupted in: %p\n",
49101 +       dump_stack();
49102 +       panic("stack-protector: Kernel stack is corrupted in: %pS\n",
49103                 __builtin_return_address(0));
49104  }
49105  EXPORT_SYMBOL(__stack_chk_fail);
49106 diff -urNp linux-2.6.35.5/kernel/pid.c linux-2.6.35.5/kernel/pid.c
49107 --- linux-2.6.35.5/kernel/pid.c 2010-08-26 19:47:12.000000000 -0400
49108 +++ linux-2.6.35.5/kernel/pid.c 2010-09-17 20:12:37.000000000 -0400
49109 @@ -33,6 +33,7 @@
49110  #include <linux/rculist.h>
49111  #include <linux/bootmem.h>
49112  #include <linux/hash.h>
49113 +#include <linux/security.h>
49114  #include <linux/pid_namespace.h>
49115  #include <linux/init_task.h>
49116  #include <linux/syscalls.h>
49117 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
49118  
49119  int pid_max = PID_MAX_DEFAULT;
49120  
49121 -#define RESERVED_PIDS          300
49122 +#define RESERVED_PIDS          500
49123  
49124  int pid_max_min = RESERVED_PIDS + 1;
49125  int pid_max_max = PID_MAX_LIMIT;
49126 @@ -382,7 +383,14 @@ EXPORT_SYMBOL(pid_task);
49127   */
49128  struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
49129  {
49130 -       return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49131 +       struct task_struct *task;
49132 +       
49133 +       task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
49134 +
49135 +       if (gr_pid_is_chrooted(task))
49136 +               return NULL;
49137 +
49138 +       return task;
49139  }
49140  
49141  struct task_struct *find_task_by_vpid(pid_t vnr)
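Review bot: `gr_pid_is_chrooted(task)` is called with whatever `pid_task()` returned, which is NULL when no task matches `nr`, and find_task_by_pid_ns() does not check for that first. gr_pid_is_chrooted() is defined outside this view; unless it is documented to accept NULL, write `if (task && gr_pid_is_chrooted(task))`. Because this is the common lookup path, every caller now gets NULL for any task that gr_pid_is_chrooted() rejects, so the function comment above the hunk should say that a NULL return can mean "exists but hidden". The first added blank line also carries trailing whitespace.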
49142 diff -urNp linux-2.6.35.5/kernel/posix-cpu-timers.c linux-2.6.35.5/kernel/posix-cpu-timers.c
49143 --- linux-2.6.35.5/kernel/posix-cpu-timers.c    2010-08-26 19:47:12.000000000 -0400
49144 +++ linux-2.6.35.5/kernel/posix-cpu-timers.c    2010-09-17 20:12:37.000000000 -0400
49145 @@ -6,6 +6,7 @@
49146  #include <linux/posix-timers.h>
49147  #include <linux/errno.h>
49148  #include <linux/math64.h>
49149 +#include <linux/security.h>
49150  #include <asm/uaccess.h>
49151  #include <linux/kernel_stat.h>
49152  #include <trace/events/timer.h>
49153 @@ -972,6 +973,7 @@ static void check_thread_timers(struct t
49154                 unsigned long hard =
49155                         ACCESS_ONCE(sig->rlim[RLIMIT_RTTIME].rlim_max);
49156  
49157 +               gr_learn_resource(tsk, RLIMIT_RTTIME, tsk->rt.timeout * (USEC_PER_SEC/HZ), 1);
49158                 if (hard != RLIM_INFINITY &&
49159                     tsk->rt.timeout > DIV_ROUND_UP(hard, USEC_PER_SEC/HZ)) {
49160                         /*
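Review bot: The value passed to `gr_learn_resource()` is computed as `tsk->rt.timeout * (USEC_PER_SEC/HZ)`, while the limit test two lines below avoids the multiplication by comparing against `DIV_ROUND_UP(hard, USEC_PER_SEC/HZ)`. On a 32-bit build the product can wrap once the tick count is large enough, and the recorded value would then be too small. The parameter type of gr_learn_resource() and the type of `rt.timeout` are outside the hunk, so this needs checking there. If the parameter is wider than long, widen before multiplying: `(unsigned long long)tsk->rt.timeout * (USEC_PER_SEC/HZ)`.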
49161 @@ -1138,6 +1140,7 @@ static void check_process_timers(struct 
49162                 unsigned long hard =
49163                         ACCESS_ONCE(sig->rlim[RLIMIT_CPU].rlim_max);
49164                 cputime_t x;
49165 +               gr_learn_resource(tsk, RLIMIT_CPU, psecs, 0);
49166                 if (psecs >= hard) {
49167                         /*
49168                          * At the hard limit, we just die.
49169 diff -urNp linux-2.6.35.5/kernel/power/hibernate.c linux-2.6.35.5/kernel/power/hibernate.c
49170 --- linux-2.6.35.5/kernel/power/hibernate.c     2010-08-26 19:47:12.000000000 -0400
49171 +++ linux-2.6.35.5/kernel/power/hibernate.c     2010-09-17 20:12:09.000000000 -0400
49172 @@ -50,14 +50,14 @@ enum {
49173  
49174  static int hibernation_mode = HIBERNATION_SHUTDOWN;
49175  
49176 -static struct platform_hibernation_ops *hibernation_ops;
49177 +static const struct platform_hibernation_ops *hibernation_ops;
49178  
49179  /**
49180   * hibernation_set_ops - set the global hibernate operations
49181   * @ops: the hibernation operations to use in subsequent hibernation transitions
49182   */
49183  
49184 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
49185 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
49186  {
49187         if (ops && !(ops->begin && ops->end &&  ops->pre_snapshot
49188             && ops->prepare && ops->finish && ops->enter && ops->pre_restore
49189 diff -urNp linux-2.6.35.5/kernel/power/poweroff.c linux-2.6.35.5/kernel/power/poweroff.c
49190 --- linux-2.6.35.5/kernel/power/poweroff.c      2010-08-26 19:47:12.000000000 -0400
49191 +++ linux-2.6.35.5/kernel/power/poweroff.c      2010-09-17 20:12:09.000000000 -0400
49192 @@ -37,7 +37,7 @@ static struct sysrq_key_op    sysrq_powerof
49193         .enable_mask    = SYSRQ_ENABLE_BOOT,
49194  };
49195  
49196 -static int pm_sysrq_init(void)
49197 +static int __init pm_sysrq_init(void)
49198  {
49199         register_sysrq_key('o', &sysrq_poweroff_op);
49200         return 0;
49201 diff -urNp linux-2.6.35.5/kernel/power/process.c linux-2.6.35.5/kernel/power/process.c
49202 --- linux-2.6.35.5/kernel/power/process.c       2010-08-26 19:47:12.000000000 -0400
49203 +++ linux-2.6.35.5/kernel/power/process.c       2010-09-17 20:12:09.000000000 -0400
49204 @@ -38,12 +38,15 @@ static int try_to_freeze_tasks(bool sig_
49205         struct timeval start, end;
49206         u64 elapsed_csecs64;
49207         unsigned int elapsed_csecs;
49208 +       bool timedout = false;
49209  
49210         do_gettimeofday(&start);
49211  
49212         end_time = jiffies + TIMEOUT;
49213         while (true) {
49214                 todo = 0;
49215 +               if (time_after(jiffies, end_time))
49216 +                       timedout = true;
49217                 read_lock(&tasklist_lock);
49218                 do_each_thread(g, p) {
49219                         if (frozen(p) || !freezeable(p))
49220 @@ -58,12 +61,16 @@ static int try_to_freeze_tasks(bool sig_
49221                          * It is "frozen enough".  If the task does wake
49222                          * up, it will immediately call try_to_freeze.
49223                          */
49224 -                       if (!task_is_stopped_or_traced(p) &&
49225 -                           !freezer_should_skip(p))
49226 +                       if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
49227                                 todo++;
49228 +                               if (timedout) {
49229 +                                       printk(KERN_ERR "Task refusing to freeze:\n");
49230 +                                       sched_show_task(p);
49231 +                               }
49232 +                       }
49233                 } while_each_thread(g, p);
49234                 read_unlock(&tasklist_lock);
49235 -               if (!todo || time_after(jiffies, end_time))
49236 +               if (!todo || timedout)
49237                         break;
49238  
49239                 /*
49240 diff -urNp linux-2.6.35.5/kernel/power/suspend.c linux-2.6.35.5/kernel/power/suspend.c
49241 --- linux-2.6.35.5/kernel/power/suspend.c       2010-08-26 19:47:12.000000000 -0400
49242 +++ linux-2.6.35.5/kernel/power/suspend.c       2010-09-17 20:12:09.000000000 -0400
49243 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
49244         [PM_SUSPEND_MEM]        = "mem",
49245  };
49246  
49247 -static struct platform_suspend_ops *suspend_ops;
49248 +static const struct platform_suspend_ops *suspend_ops;
49249  
49250  /**
49251   *     suspend_set_ops - Set the global suspend method table.
49252   *     @ops:   Pointer to ops structure.
49253   */
49254 -void suspend_set_ops(struct platform_suspend_ops *ops)
49255 +void suspend_set_ops(const struct platform_suspend_ops *ops)
49256  {
49257         mutex_lock(&pm_mutex);
49258         suspend_ops = ops;
49259 diff -urNp linux-2.6.35.5/kernel/printk.c linux-2.6.35.5/kernel/printk.c
49260 --- linux-2.6.35.5/kernel/printk.c      2010-08-26 19:47:12.000000000 -0400
49261 +++ linux-2.6.35.5/kernel/printk.c      2010-09-17 20:12:37.000000000 -0400
49262 @@ -266,6 +266,11 @@ int do_syslog(int type, char __user *buf
49263         char c;
49264         int error = 0;
49265  
49266 +#ifdef CONFIG_GRKERNSEC_DMESG
49267 +       if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
49268 +               return -EPERM;
49269 +#endif
49270 +
49271         error = security_syslog(type, from_file);
49272         if (error)
49273                 return error;
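Review bot: The added `grsec_enable_dmesg && !capable(CAP_SYS_ADMIN)` test in do_syslog() looks at neither `type` nor `from_file`, so when the toggle is on it rejects every syslog action for a caller without the capability, apparently including requests that arrive through an already opened file descriptor (the `from_file` case, going by the parameter name). If that is intended, a comment such as `/* deny every syslog action, file-based ones included, to callers without CAP_SYS_ADMIN */` would record it. The check also returns before security_syslog(), so an LSM never sees the denied attempt. do_syslog's body starts and ends outside the hunk.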
49274 diff -urNp linux-2.6.35.5/kernel/ptrace.c linux-2.6.35.5/kernel/ptrace.c
49275 --- linux-2.6.35.5/kernel/ptrace.c      2010-08-26 19:47:12.000000000 -0400
49276 +++ linux-2.6.35.5/kernel/ptrace.c      2010-09-17 20:12:37.000000000 -0400
49277 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
49278              cred->gid != tcred->egid ||
49279              cred->gid != tcred->sgid ||
49280              cred->gid != tcred->gid) &&
49281 -           !capable(CAP_SYS_PTRACE)) {
49282 +           !capable_nolog(CAP_SYS_PTRACE)) {
49283                 rcu_read_unlock();
49284                 return -EPERM;
49285         }
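Review bot: The switch from capable() to capable_nolog() in __ptrace_may_access() carries no comment saying why these CAP_SYS_PTRACE checks should skip whatever logging capable() performs in this tree; capable_nolog() is defined outside this page, so its exact semantics cannot be confirmed here. A ptrace permission check is the kind of event an auditor may expect to see recorded, so the reason deserves a line, for example `/* non-logging check: this path is probed too often to log each use */` if that is the motivation. The same applies to the second __ptrace_may_access() hunk and to the ptrace_attach() hunk, where the result decides PT_PTRACE_CAP. The function body starts outside the hunk.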
49286 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
49287         smp_rmb();
49288         if (task->mm)
49289                 dumpable = get_dumpable(task->mm);
49290 -       if (!dumpable && !capable(CAP_SYS_PTRACE))
49291 +       if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
49292                 return -EPERM;
49293  
49294         return security_ptrace_access_check(task, mode);
49295 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
49296                 goto unlock_tasklist;
49297  
49298         task->ptrace = PT_PTRACED;
49299 -       if (capable(CAP_SYS_PTRACE))
49300 +       if (capable_nolog(CAP_SYS_PTRACE))
49301                 task->ptrace |= PT_PTRACE_CAP;
49302  
49303         __ptrace_link(task, current);
49304 @@ -361,7 +361,7 @@ int ptrace_readdata(struct task_struct *
49305                                 break;
49306                         return -EIO;
49307                 }
49308 -               if (copy_to_user(dst, buf, retval))
49309 +               if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
49310                         return -EFAULT;
49311                 copied += retval;
49312                 src += retval;
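Review bot: The new guard `retval > sizeof(buf)` compares what appears to be a signed result (its declaration is outside the hunk) with a size_t, so a negative retval is converted to a large unsigned value and is rejected only as a side effect of that conversion. Spelling the bound out keeps the intent obvious and avoids a sign-compare warning: `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))`. A short comment that this is a defensive limit on the copy length would also help, since the value comes from a helper not shown here. ptrace_readdata's body starts and ends outside the hunk.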
49313 @@ -572,18 +572,18 @@ int ptrace_request(struct task_struct *c
49314                 ret = ptrace_setoptions(child, data);
49315                 break;
49316         case PTRACE_GETEVENTMSG:
49317 -               ret = put_user(child->ptrace_message, (unsigned long __user *) data);
49318 +               ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
49319                 break;
49320  
49321         case PTRACE_GETSIGINFO:
49322                 ret = ptrace_getsiginfo(child, &siginfo);
49323                 if (!ret)
49324 -                       ret = copy_siginfo_to_user((siginfo_t __user *) data,
49325 +                       ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
49326                                                    &siginfo);
49327                 break;
49328  
49329         case PTRACE_SETSIGINFO:
49330 -               if (copy_from_user(&siginfo, (siginfo_t __user *) data,
49331 +               if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
49332                                    sizeof siginfo))
49333                         ret = -EFAULT;
49334                 else
49335 @@ -703,14 +703,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
49336                 goto out;
49337         }
49338  
49339 +       if (gr_handle_ptrace(child, request)) {
49340 +               ret = -EPERM;
49341 +               goto out_put_task_struct;
49342 +       }
49343 +
49344         if (request == PTRACE_ATTACH) {
49345                 ret = ptrace_attach(child);
49346                 /*
49347                  * Some architectures need to do book-keeping after
49348                  * a ptrace attach.
49349                  */
49350 -               if (!ret)
49351 +               if (!ret) {
49352                         arch_ptrace_attach(child);
49353 +                       gr_audit_ptrace(child);
49354 +               }
49355                 goto out_put_task_struct;
49356         }
49357  
49358 diff -urNp linux-2.6.35.5/kernel/rcutree.c linux-2.6.35.5/kernel/rcutree.c
49359 --- linux-2.6.35.5/kernel/rcutree.c     2010-08-26 19:47:12.000000000 -0400
49360 +++ linux-2.6.35.5/kernel/rcutree.c     2010-09-17 20:12:09.000000000 -0400
49361 @@ -1356,7 +1356,7 @@ __rcu_process_callbacks(struct rcu_state
49362  /*
49363   * Do softirq processing for the current CPU.
49364   */
49365 -static void rcu_process_callbacks(struct softirq_action *unused)
49366 +static void rcu_process_callbacks(void)
49367  {
49368         /*
49369          * Memory references from any prior RCU read-side critical sections
49370 diff -urNp linux-2.6.35.5/kernel/resource.c linux-2.6.35.5/kernel/resource.c
49371 --- linux-2.6.35.5/kernel/resource.c    2010-08-26 19:47:12.000000000 -0400
49372 +++ linux-2.6.35.5/kernel/resource.c    2010-09-17 20:12:37.000000000 -0400
49373 @@ -133,8 +133,18 @@ static const struct file_operations proc
49374  
49375  static int __init ioresources_init(void)
49376  {
49377 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49378 +#ifdef CONFIG_GRKERNSEC_PROC_USER
49379 +       proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
49380 +       proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
49381 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49382 +       proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
49383 +       proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
49384 +#endif
49385 +#else
49386         proc_create("ioports", 0, NULL, &proc_ioports_operations);
49387         proc_create("iomem", 0, NULL, &proc_iomem_operations);
49388 +#endif
49389         return 0;
49390  }
49391  __initcall(ioresources_init);
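Review bot: With CONFIG_GRKERNSEC_PROC_ADD set but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP, the inner `#ifdef`/`#elif` in ioresources_init() has no fallback, so neither "ioports" nor "iomem" is registered and the function still returns 0. If Kconfig guarantees that one of the two is always selected together with PROC_ADD (not visible here), make that explicit with `#else` followed by `#error "GRKERNSEC_PROC_ADD needs PROC_USER or PROC_USERGROUP"`. Otherwise add an `#else` branch that creates both entries with `S_IRUSR`.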
49392 diff -urNp linux-2.6.35.5/kernel/sched.c linux-2.6.35.5/kernel/sched.c
49393 --- linux-2.6.35.5/kernel/sched.c       2010-08-26 19:47:12.000000000 -0400
49394 +++ linux-2.6.35.5/kernel/sched.c       2010-09-17 20:12:37.000000000 -0400
49395 @@ -4266,6 +4266,8 @@ int can_nice(const struct task_struct *p
49396         /* convert nice value [19,-20] to rlimit style value [1,40] */
49397         int nice_rlim = 20 - nice;
49398  
49399 +       gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
49400 +
49401         return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
49402                 capable(CAP_SYS_NICE));
49403  }
49404 @@ -4299,7 +4301,8 @@ SYSCALL_DEFINE1(nice, int, increment)
49405         if (nice > 19)
49406                 nice = 19;
49407  
49408 -       if (increment < 0 && !can_nice(current, nice))
49409 +       if (increment < 0 && (!can_nice(current, nice) ||
49410 +                             gr_handle_chroot_nice()))
49411                 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
49412  
49413         retval = security_task_setnice(current, nice);
49414 @@ -4446,6 +4449,7 @@ recheck:
49415                         rlim_rtprio = task_rlimit(p, RLIMIT_RTPRIO);
49416                         unlock_task_sighand(p, &flags);
49417  
49418 +                       gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
49419                         /* can't set/change the rt policy */
49420                         if (policy != p->policy && !rlim_rtprio)
49421                                 return -EPERM;
49422 diff -urNp linux-2.6.35.5/kernel/sched_fair.c linux-2.6.35.5/kernel/sched_fair.c
49423 --- linux-2.6.35.5/kernel/sched_fair.c  2010-08-26 19:47:12.000000000 -0400
49424 +++ linux-2.6.35.5/kernel/sched_fair.c  2010-09-17 20:12:09.000000000 -0400
49425 @@ -3390,7 +3390,7 @@ out:
49426   * In CONFIG_NO_HZ case, the idle load balance owner will do the
49427   * rebalancing for all the cpus for whom scheduler ticks are stopped.
49428   */
49429 -static void run_rebalance_domains(struct softirq_action *h)
49430 +static void run_rebalance_domains(void)
49431  {
49432         int this_cpu = smp_processor_id();
49433         struct rq *this_rq = cpu_rq(this_cpu);
49434 diff -urNp linux-2.6.35.5/kernel/signal.c linux-2.6.35.5/kernel/signal.c
49435 --- linux-2.6.35.5/kernel/signal.c      2010-08-26 19:47:12.000000000 -0400
49436 +++ linux-2.6.35.5/kernel/signal.c      2010-09-17 20:20:18.000000000 -0400
49437 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
49438  
49439  int print_fatal_signals __read_mostly;
49440  
49441 -static void __user *sig_handler(struct task_struct *t, int sig)
49442 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
49443  {
49444         return t->sighand->action[sig - 1].sa.sa_handler;
49445  }
49446  
49447 -static int sig_handler_ignored(void __user *handler, int sig)
49448 +static int sig_handler_ignored(__sighandler_t handler, int sig)
49449  {
49450         /* Is it explicitly or implicitly ignored? */
49451         return handler == SIG_IGN ||
49452 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
49453  static int sig_task_ignored(struct task_struct *t, int sig,
49454                 int from_ancestor_ns)
49455  {
49456 -       void __user *handler;
49457 +       __sighandler_t handler;
49458  
49459         handler = sig_handler(t, sig);
49460  
49461 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
49462         atomic_inc(&user->sigpending);
49463         rcu_read_unlock();
49464  
49465 +       if (!override_rlimit)
49466 +               gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
49467 +
49468         if (override_rlimit ||
49469             atomic_read(&user->sigpending) <=
49470                         task_rlimit(t, RLIMIT_SIGPENDING)) {
49471 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
49472  
49473  int unhandled_signal(struct task_struct *tsk, int sig)
49474  {
49475 -       void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
49476 +       __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
49477         if (is_global_init(tsk))
49478                 return 1;
49479         if (handler != SIG_IGN && handler != SIG_DFL)
49480 @@ -705,6 +705,10 @@ static int check_kill_permission(int sig
49481                         sig, info, t, vx_task_xid(t), t->pid, current->xid);
49482                 return error;
49483         }
49484 +
49485 +       if (gr_handle_signal(t, sig))
49486 +               return -EPERM;
49487 +
49488  /* skip: */
49489         return security_task_kill(t, info, sig, 0);
49490  }
49491 @@ -1025,7 +1031,7 @@ __group_send_sig_info(int sig, struct si
49492         return send_signal(sig, info, p, 1);
49493  }
49494  
49495 -static int
49496 +int
49497  specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
49498  {
49499         return send_signal(sig, info, t, 0);
49500 @@ -1079,6 +1085,9 @@ force_sig_info(int sig, struct siginfo *
49501         ret = specific_send_sig_info(sig, info, t);
49502         spin_unlock_irqrestore(&t->sighand->siglock, flags);
49503  
49504 +       gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
49505 +       gr_handle_crash(t, sig);
49506 +
49507         return ret;
49508  }
49509  
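Review bot: In force_sig_info() the added gr_log_signal() and gr_handle_crash() calls run whatever `ret` holds, whereas the group_send_sig_info() hunk below logs only when delivery succeeded (`if (!ret)`). If a failed specific_send_sig_info() should not be logged or counted as a crash, guard both calls with `if (!ret)`. If the difference is deliberate, a one-line comment saying so would keep a later reader from "fixing" it. The function starts outside the hunk.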
49510 @@ -1136,8 +1145,11 @@ int group_send_sig_info(int sig, struct 
49511         ret = check_kill_permission(sig, info, p);
49512         rcu_read_unlock();
49513  
49514 -       if (!ret && sig)
49515 +       if (!ret && sig) {
49516                 ret = do_send_sig_info(sig, info, p, true);
49517 +               if (!ret)
49518 +                       gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
49519 +       }
49520  
49521         return ret;
49522  }
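Review bot: `info->si_addr` is handed to gr_log_signal() for every non-special siginfo, but si_addr belongs to the fault member of the siginfo union. For a signal sent with kill() the same bytes hold the sender's pid and uid, so the logged address would be meaningless unless gr_log_signal() (not shown) uses it only for fault signals. Consider passing NULL unless `sig` is one that carries a fault address, or document that the callee filters on `sig`; the force_sig_info() hunk above passes the same expression. The function starts outside the hunk.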
49523 diff -urNp linux-2.6.35.5/kernel/smp.c linux-2.6.35.5/kernel/smp.c
49524 --- linux-2.6.35.5/kernel/smp.c 2010-08-26 19:47:12.000000000 -0400
49525 +++ linux-2.6.35.5/kernel/smp.c 2010-09-17 20:12:09.000000000 -0400
49526 @@ -499,22 +499,22 @@ int smp_call_function(void (*func)(void 
49527  }
49528  EXPORT_SYMBOL(smp_call_function);
49529  
49530 -void ipi_call_lock(void)
49531 +void ipi_call_lock(void) __acquires(call_function.lock)
49532  {
49533         raw_spin_lock(&call_function.lock);
49534  }
49535  
49536 -void ipi_call_unlock(void)
49537 +void ipi_call_unlock(void) __releases(call_function.lock)
49538  {
49539         raw_spin_unlock(&call_function.lock);
49540  }
49541  
49542 -void ipi_call_lock_irq(void)
49543 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
49544  {
49545         raw_spin_lock_irq(&call_function.lock);
49546  }
49547  
49548 -void ipi_call_unlock_irq(void)
49549 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
49550  {
49551         raw_spin_unlock_irq(&call_function.lock);
49552  }
49553 diff -urNp linux-2.6.35.5/kernel/softirq.c linux-2.6.35.5/kernel/softirq.c
49554 --- linux-2.6.35.5/kernel/softirq.c     2010-08-26 19:47:12.000000000 -0400
49555 +++ linux-2.6.35.5/kernel/softirq.c     2010-09-17 20:12:09.000000000 -0400
49556 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
49557  
49558  static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
49559  
49560 -char *softirq_to_name[NR_SOFTIRQS] = {
49561 +const char * const softirq_to_name[NR_SOFTIRQS] = {
49562         "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
49563         "TASKLET", "SCHED", "HRTIMER",  "RCU"
49564  };
49565 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
49566  
49567  asmlinkage void __do_softirq(void)
49568  {
49569 -       struct softirq_action *h;
49570 +       const struct softirq_action *h;
49571         __u32 pending;
49572         int max_restart = MAX_SOFTIRQ_RESTART;
49573         int cpu;
49574 @@ -216,7 +216,7 @@ restart:
49575                         kstat_incr_softirqs_this_cpu(h - softirq_vec);
49576  
49577                         trace_softirq_entry(h, softirq_vec);
49578 -                       h->action(h);
49579 +                       h->action();
49580                         trace_softirq_exit(h, softirq_vec);
49581                         if (unlikely(prev_count != preempt_count())) {
49582                                 printk(KERN_ERR "huh, entered softirq %td %s %p"
49583 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
49584         local_irq_restore(flags);
49585  }
49586  
49587 -void open_softirq(int nr, void (*action)(struct softirq_action *))
49588 +void open_softirq(int nr, void (*action)(void))
49589  {
49590         softirq_vec[nr].action = action;
49591  }
49592 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct 
49593  
49594  EXPORT_SYMBOL(__tasklet_hi_schedule_first);
49595  
49596 -static void tasklet_action(struct softirq_action *a)
49597 +static void tasklet_action(void)
49598  {
49599         struct tasklet_struct *list;
49600  
49601 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
49602         }
49603  }
49604  
49605 -static void tasklet_hi_action(struct softirq_action *a)
49606 +static void tasklet_hi_action(void)
49607  {
49608         struct tasklet_struct *list;
49609  
49610 diff -urNp linux-2.6.35.5/kernel/sys.c linux-2.6.35.5/kernel/sys.c
49611 --- linux-2.6.35.5/kernel/sys.c 2010-08-26 19:47:12.000000000 -0400
49612 +++ linux-2.6.35.5/kernel/sys.c 2010-09-17 20:28:33.000000000 -0400
49613 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
49614                 error = -EACCES;
49615                 goto out;
49616         }
49617 +
49618 +       if (gr_handle_chroot_setpriority(p, niceval)) {
49619 +               error = -EACCES;
49620 +               goto out;
49621 +       }
49622 +
49623         no_nice = security_task_setnice(p, niceval);
49624         if (no_nice) {
49625                 error = no_nice;
49626 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
49627                         goto error;
49628         }
49629  
49630 +       if (gr_check_group_change(new->gid, new->egid, -1))
49631 +               goto error;
49632 +
49633         if (rgid != (gid_t) -1 ||
49634             (egid != (gid_t) -1 && egid != old->gid))
49635                 new->sgid = new->egid;
49636 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
49637         old = current_cred();
49638  
49639         retval = -EPERM;
49640 +
49641 +       if (gr_check_group_change(gid, gid, gid))
49642 +               goto error;
49643 +
49644         if (capable(CAP_SETGID))
49645                 new->gid = new->egid = new->sgid = new->fsgid = gid;
49646         else if (gid == old->gid || gid == old->sgid)
49647 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
49648                         goto error;
49649         }
49650  
49651 +       if (gr_check_user_change(new->uid, new->euid, -1))
49652 +               goto error;
49653 +
49654         if (new->uid != old->uid) {
49655                 retval = set_user(new);
49656                 if (retval < 0)
49657 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
49658         old = current_cred();
49659  
49660         retval = -EPERM;
49661 +
49662 +       if (gr_check_crash_uid(uid))
49663 +               goto error;
49664 +       if (gr_check_user_change(uid, uid, uid))
49665 +               goto error;
49666 +
49667         if (capable(CAP_SETUID)) {
49668                 new->suid = new->uid = uid;
49669                 if (uid != old->uid) {
49670 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid, 
49671                         goto error;
49672         }
49673  
49674 +       if (gr_check_user_change(ruid, euid, -1))
49675 +               goto error;
49676 +
49677         if (ruid != (uid_t) -1) {
49678                 new->uid = ruid;
49679                 if (ruid != old->uid) {
49680 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid, 
49681                         goto error;
49682         }
49683  
49684 +       if (gr_check_group_change(rgid, egid, -1))
49685 +               goto error;
49686 +
49687         if (rgid != (gid_t) -1)
49688                 new->gid = rgid;
49689         if (egid != (gid_t) -1)
49690 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49691         old = current_cred();
49692         old_fsuid = old->fsuid;
49693  
49694 +       if (gr_check_user_change(-1, -1, uid))
49695 +               goto error;
49696 +
49697         if (uid == old->uid  || uid == old->euid  ||
49698             uid == old->suid || uid == old->fsuid ||
49699             capable(CAP_SETUID)) {
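Review bot: The gr_check_user_change() call in setfsuid() sits ahead of the `uid == old->uid || ... || capable(CAP_SETUID)` test, while the matching gr_check_group_change() call in the setfsgid() hunk further down is placed inside that test. As written, the uid hook is consulted even for requests the credential test would refuse anyway, and the gid hook is not. Pick one placement for both syscalls, or add a comment explaining why they differ. Both functions extend beyond their hunks.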
49700 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
49701                 }
49702         }
49703  
49704 +error:
49705         abort_creds(new);
49706         return old_fsuid;
49707  
49708 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
49709         if (gid == old->gid  || gid == old->egid  ||
49710             gid == old->sgid || gid == old->fsgid ||
49711             capable(CAP_SETGID)) {
49712 +               if (gr_check_group_change(-1, -1, gid))
49713 +                       goto error;
49714 +
49715                 if (gid != old_fsgid) {
49716                         new->fsgid = gid;
49717                         goto change_okay;
49718                 }
49719         }
49720  
49721 +error:
49722         abort_creds(new);
49723         return old_fsgid;
49724  
49725 @@ -1491,7 +1527,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
49726                         error = get_dumpable(me->mm);
49727                         break;
49728                 case PR_SET_DUMPABLE:
49729 -                       if (arg2 < 0 || arg2 > 1) {
49730 +                       if (arg2 > 1) {
49731                                 error = -EINVAL;
49732                                 break;
49733                         }
49734 diff -urNp linux-2.6.35.5/kernel/sysctl.c linux-2.6.35.5/kernel/sysctl.c
49735 --- linux-2.6.35.5/kernel/sysctl.c      2010-08-26 19:47:12.000000000 -0400
49736 +++ linux-2.6.35.5/kernel/sysctl.c      2010-09-17 20:18:09.000000000 -0400
49737 @@ -78,6 +78,13 @@
49738  
49739  
49740  #if defined(CONFIG_SYSCTL)
49741 +#include <linux/grsecurity.h>
49742 +#include <linux/grinternal.h>
49743 +
49744 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
49745 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
49746 +                               const int op);
49747 +extern int gr_handle_chroot_sysctl(const int op);
49748  
49749  /* External variables not in a header file. */
49750  extern int sysctl_overcommit_memory;
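Review bot: The `extern` prototypes for gr_handle_sysctl(), gr_handle_sysctl_mod() and gr_handle_chroot_sysctl() are declared locally, right after <linux/grsecurity.h> and <linux/grinternal.h> are included. A prototype that lives only in the calling file is not checked against the definition, so a later signature change would compile silently. They belong in one of those headers, as do `extern struct ctl_table grsecurity_table[];` in the next hunk and `extern int gr_is_taskstats_denied(int pid);` in the kernel/taskstats.c hunk.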
49751 @@ -185,6 +192,7 @@ static int sysrq_sysctl_handler(ctl_tabl
49752  }
49753  
49754  #endif
49755 +extern struct ctl_table grsecurity_table[];
49756  
49757  static struct ctl_table root_table[];
49758  static struct ctl_table_root sysctl_table_root;
49759 @@ -217,6 +225,20 @@ extern struct ctl_table epoll_table[];
49760  int sysctl_legacy_va_layout;
49761  #endif
49762  
49763 +#ifdef CONFIG_PAX_SOFTMODE
49764 +static ctl_table pax_table[] = {
49765 +       {
49766 +               .procname       = "softmode",
49767 +               .data           = &pax_softmode,
49768 +               .maxlen         = sizeof(unsigned int),
49769 +               .mode           = 0600,
49770 +               .proc_handler   = &proc_dointvec,
49771 +       },
49772 +
49773 +       { }
49774 +};
49775 +#endif
49776 +
49777  /* The default sysctl tables: */
49778  
49779  static struct ctl_table root_table[] = {
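Review bot: The `softmode` entry sets `.maxlen = sizeof(unsigned int)` while using proc_dointvec, which parses signed ints and accepts any value; the declaration of pax_softmode is outside the hunk. Writing `.maxlen = sizeof(pax_softmode)` ties the size to the variable, the way the heap_stack_gap entry in this patch does for its own variable. If the knob is meant to be a 0/1 switch, proc_dointvec_minmax with explicit bounds would reject other values. If, as the name suggests, it relaxes enforcement at run time, a comment stating who may write it (mode 0600 under a 0500 directory) is worth adding.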
49780 @@ -269,6 +291,22 @@ static int max_extfrag_threshold = 1000;
49781  #endif
49782  
49783  static struct ctl_table kern_table[] = {
49784 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
49785 +       {
49786 +               .procname       = "grsecurity",
49787 +               .mode           = 0500,
49788 +               .child          = grsecurity_table,
49789 +       },
49790 +#endif
49791 +
49792 +#ifdef CONFIG_PAX_SOFTMODE
49793 +       {
49794 +               .procname       = "pax",
49795 +               .mode           = 0500,
49796 +               .child          = pax_table,
49797 +       },
49798 +#endif
49799 +
49800         {
49801                 .procname       = "sched_child_runs_first",
49802                 .data           = &sysctl_sched_child_runs_first,
49803 @@ -1171,6 +1209,13 @@ static struct ctl_table vm_table[] = {
49804                 .proc_handler   = proc_dointvec_minmax,
49805                 .extra1         = &zero,
49806         },
49807 +       {
49808 +               .procname       = "heap_stack_gap",
49809 +               .data           = &sysctl_heap_stack_gap,
49810 +               .maxlen         = sizeof(sysctl_heap_stack_gap),
49811 +               .mode           = 0644,
49812 +               .proc_handler   = proc_doulongvec_minmax,
49813 +       },
49814  #else
49815         {
49816                 .procname       = "nr_trim_pages",
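Review bot: The new `heap_stack_gap` entry uses proc_doulongvec_minmax but sets neither `.extra1` nor `.extra2`, so no lower or upper bound is enforced on the value written; the entry just above it shows the bounded form with `.extra1 = &zero`. If a gap of 0 or an arbitrarily large gap is not acceptable, point `.extra1`/`.extra2` at suitable unsigned long limits. If any value is fine, a short comment to that effect settles the question for the next reader. The table continues outside the hunk.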
49817 @@ -1686,6 +1731,16 @@ int sysctl_perm(struct ctl_table_root *r
49818         int error;
49819         int mode;
49820  
49821 +       if (table->parent != NULL && table->parent->procname != NULL &&
49822 +          table->procname != NULL &&
49823 +           gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
49824 +               return -EACCES;
49825 +       if (gr_handle_chroot_sysctl(op))
49826 +               return -EACCES;
49827 +       error = gr_handle_sysctl(table, op);
49828 +       if (error)
49829 +               return error;
49830 +
49831         error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
49832         if (error)
49833                 return error;
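Review bot: The result of gr_handle_sysctl() is stored in `int error` and returned as the errno, but the prototype this patch adds near the top of kernel/sysctl.c declares the function as returning `__u32`. If it returns negative errno values, the declared type should be `int`. If it returns a flag or mask, `return error;` hands a positive number to callers that expect 0 or a negative errno, and the result should be mapped, for instance to `-EACCES` like the two checks before it. sysctl_perm's body continues outside the hunk.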
49834 @@ -2201,6 +2256,8 @@ static int proc_put_long(void __user **b
49835         len = strlen(tmp);
49836         if (len > *size)
49837                 len = *size;
49838 +       if (len > sizeof(tmp))
49839 +               len = sizeof(tmp);
49840         if (copy_to_user(*buf, tmp, len))
49841                 return -EFAULT;
49842         *size -= len;
49843 diff -urNp linux-2.6.35.5/kernel/taskstats.c linux-2.6.35.5/kernel/taskstats.c
49844 --- linux-2.6.35.5/kernel/taskstats.c   2010-08-26 19:47:12.000000000 -0400
49845 +++ linux-2.6.35.5/kernel/taskstats.c   2010-09-17 20:12:37.000000000 -0400
49846 @@ -27,9 +27,12 @@
49847  #include <linux/cgroup.h>
49848  #include <linux/fs.h>
49849  #include <linux/file.h>
49850 +#include <linux/grsecurity.h>
49851  #include <net/genetlink.h>
49852  #include <asm/atomic.h>
49853  
49854 +extern int gr_is_taskstats_denied(int pid);
49855 +
49856  /*
49857   * Maximum length of a cpumask that can be specified in
49858   * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
49859 @@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
49860         size_t size;
49861         cpumask_var_t mask;
49862  
49863 +       if (gr_is_taskstats_denied(current->pid))
49864 +               return -EACCES;
49865 +
49866         if (!alloc_cpumask_var(&mask, GFP_KERNEL))
49867                 return -ENOMEM;
49868  
49869 diff -urNp linux-2.6.35.5/kernel/time/tick-broadcast.c linux-2.6.35.5/kernel/time/tick-broadcast.c
49870 --- linux-2.6.35.5/kernel/time/tick-broadcast.c 2010-08-26 19:47:12.000000000 -0400
49871 +++ linux-2.6.35.5/kernel/time/tick-broadcast.c 2010-09-17 20:12:09.000000000 -0400
49872 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
49873                  * then clear the broadcast bit.
49874                  */
49875                 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
49876 -                       int cpu = smp_processor_id();
49877 +                       cpu = smp_processor_id();
49878  
49879                         cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
49880                         tick_broadcast_clear_oneshot(cpu);
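Review bot: Dropping `int` turns the block-local `cpu` into an assignment to a `cpu` declared outside the hunk; the function signature is truncated in the hunk header, so whether that is a parameter cannot be confirmed here. This removes the shadowing, but it also overwrites the outer value for the rest of the function. If the outer `cpu` is a caller-supplied argument that is read later, a separately named local such as `int this_cpu = smp_processor_id();` would be safer.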
49881 diff -urNp linux-2.6.35.5/kernel/time/timer_list.c linux-2.6.35.5/kernel/time/timer_list.c
49882 --- linux-2.6.35.5/kernel/time/timer_list.c     2010-08-26 19:47:12.000000000 -0400
49883 +++ linux-2.6.35.5/kernel/time/timer_list.c     2010-09-17 20:12:37.000000000 -0400
49884 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
49885  
49886  static void print_name_offset(struct seq_file *m, void *sym)
49887  {
49888 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49889 +       SEQ_printf(m, "<%p>", NULL);
49890 +#else
49891         char symname[KSYM_NAME_LEN];
49892  
49893         if (lookup_symbol_name((unsigned long)sym, symname) < 0)
49894                 SEQ_printf(m, "<%p>", sym);
49895         else
49896                 SEQ_printf(m, "%s", symname);
49897 +#endif
49898  }
49899  
49900  static void
49901 @@ -112,7 +116,11 @@ next_one:
49902  static void
49903  print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
49904  {
49905 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49906 +       SEQ_printf(m, "  .base:       %p\n", NULL);
49907 +#else
49908         SEQ_printf(m, "  .base:       %p\n", base);
49909 +#endif
49910         SEQ_printf(m, "  .index:      %d\n",
49911                         base->index);
49912         SEQ_printf(m, "  .resolution: %Lu nsecs\n",
49913 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
49914  {
49915         struct proc_dir_entry *pe;
49916  
49917 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49918 +       pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
49919 +#else
49920         pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
49921 +#endif
49922         if (!pe)
49923                 return -ENOMEM;
49924         return 0;
49925 diff -urNp linux-2.6.35.5/kernel/time/timer_stats.c linux-2.6.35.5/kernel/time/timer_stats.c
49926 --- linux-2.6.35.5/kernel/time/timer_stats.c    2010-08-26 19:47:12.000000000 -0400
49927 +++ linux-2.6.35.5/kernel/time/timer_stats.c    2010-09-17 20:12:37.000000000 -0400
49928 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
49929  
49930  static void print_name_offset(struct seq_file *m, unsigned long addr)
49931  {
49932 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49933 +       seq_printf(m, "<%p>", NULL);
49934 +#else
49935         char symname[KSYM_NAME_LEN];
49936  
49937         if (lookup_symbol_name(addr, symname) < 0)
49938                 seq_printf(m, "<%p>", (void *)addr);
49939         else
49940                 seq_printf(m, "%s", symname);
49941 +#endif
49942  }
49943  
49944  static int tstats_show(struct seq_file *m, void *v)
49945 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
49946  {
49947         struct proc_dir_entry *pe;
49948  
49949 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
49950 +       pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
49951 +#else
49952         pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
49953 +#endif
49954         if (!pe)
49955                 return -ENOMEM;
49956         return 0;
49957 diff -urNp linux-2.6.35.5/kernel/time.c linux-2.6.35.5/kernel/time.c
49958 --- linux-2.6.35.5/kernel/time.c        2010-08-26 19:47:12.000000000 -0400
49959 +++ linux-2.6.35.5/kernel/time.c        2010-09-17 20:12:37.000000000 -0400
49960 @@ -94,6 +94,8 @@ SYSCALL_DEFINE1(stime, time_t __user *, 
49961                 return err;
49962  
49963         vx_settimeofday(&tv);
49964 +       gr_log_timechange();
49965 +
49966         return 0;
49967  }
49968  
49969 @@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
49970                         return -EFAULT;
49971         }
49972  
49973 +       gr_log_timechange();
49974 +
49975         return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
49976  }
49977  
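Review bot: In settimeofday, `gr_log_timechange()` runs before `do_sys_settimeofday()`, whose result is returned directly, so a request that the callee rejects would still be logged as a time change. In the stime hunk above, by contrast, the log call comes after the error return and after `vx_settimeofday()`. If the log is meant to record changes that took effect, capture the result first: `ret = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);`, then `if (!ret) gr_log_timechange();` and `return ret;`. If logging attempts is intentional, a one-line comment saying so would keep audit consumers from reading the entry as a completed change. The function body starts outside the hunk, so whether a suitable local already exists is not visible here.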
49978 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
49979   * Avoid unnecessary multiplications/divisions in the
49980   * two most common HZ cases:
49981   */
49982 -unsigned int inline jiffies_to_msecs(const unsigned long j)
49983 +inline unsigned int jiffies_to_msecs(const unsigned long j)
49984  {
49985  #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
49986         return (MSEC_PER_SEC / HZ) * j;
49987 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
49988  }
49989  EXPORT_SYMBOL(jiffies_to_msecs);
49990  
49991 -unsigned int inline jiffies_to_usecs(const unsigned long j)
49992 +inline unsigned int jiffies_to_usecs(const unsigned long j)
49993  {
49994  #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
49995         return (USEC_PER_SEC / HZ) * j;
49996 diff -urNp linux-2.6.35.5/kernel/timer.c linux-2.6.35.5/kernel/timer.c
49997 --- linux-2.6.35.5/kernel/timer.c       2010-08-26 19:47:12.000000000 -0400
49998 +++ linux-2.6.35.5/kernel/timer.c       2010-09-17 20:12:09.000000000 -0400
49999 @@ -1272,7 +1272,7 @@ void update_process_times(int user_tick)
50000  /*
50001   * This function runs timers and the timer-tq in bottom half context.
50002   */
50003 -static void run_timer_softirq(struct softirq_action *h)
50004 +static void run_timer_softirq(void)
50005  {
50006         struct tvec_base *base = __get_cpu_var(tvec_bases);
50007  
50008 diff -urNp linux-2.6.35.5/kernel/trace/ftrace.c linux-2.6.35.5/kernel/trace/ftrace.c
50009 --- linux-2.6.35.5/kernel/trace/ftrace.c        2010-09-20 17:33:09.000000000 -0400
50010 +++ linux-2.6.35.5/kernel/trace/ftrace.c        2010-09-20 17:33:37.000000000 -0400
50011 @@ -1108,13 +1108,18 @@ ftrace_code_disable(struct module *mod, 
50012  
50013         ip = rec->ip;
50014  
50015 +       ret = ftrace_arch_code_modify_prepare();
50016 +       FTRACE_WARN_ON(ret);
50017 +       if (ret)
50018 +               return 0;
50019 +
50020         ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
50021 +       FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
50022         if (ret) {
50023                 ftrace_bug(ret, ip);
50024                 rec->flags |= FTRACE_FL_FAILED;
50025 -               return 0;
50026         }
50027 -       return 1;
50028 +       return ret ? 0 : 1;
50029  }
50030  
50031  /*
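Review bot: When `ftrace_arch_code_modify_prepare()` fails, the new early `return 0` skips both `ftrace_bug()` and the `FTRACE_FL_FAILED` flag that the `ftrace_make_nop()` failure path sets, so the caller gets the same 0 for two failures that are recorded differently. If callers use the flag to skip bad records (not visible in this hunk), set it on this path as well, or add a comment stating that the record is deliberately left unflagged because nothing was modified. Separately, `return ret ? 0 : 1;` re-tests a value the preceding `if (ret)` already branched on; `return !ret;` says the same thing more directly. The function begins above the hunk.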
50032 diff -urNp linux-2.6.35.5/kernel/trace/ring_buffer.c linux-2.6.35.5/kernel/trace/ring_buffer.c
50033 --- linux-2.6.35.5/kernel/trace/ring_buffer.c   2010-08-26 19:47:12.000000000 -0400
50034 +++ linux-2.6.35.5/kernel/trace/ring_buffer.c   2010-09-17 20:12:09.000000000 -0400
50035 @@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
50036   * the reader page). But if the next page is a header page,
50037   * its flags will be non zero.
50038   */
50039 -static int inline
50040 +static inline int
50041  rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
50042                 struct buffer_page *page, struct list_head *list)
50043  {
50044 diff -urNp linux-2.6.35.5/kernel/trace/trace.c linux-2.6.35.5/kernel/trace/trace.c
50045 --- linux-2.6.35.5/kernel/trace/trace.c 2010-08-26 19:47:12.000000000 -0400
50046 +++ linux-2.6.35.5/kernel/trace/trace.c 2010-09-17 20:12:09.000000000 -0400
50047 @@ -3965,10 +3965,9 @@ static const struct file_operations trac
50048  };
50049  #endif
50050  
50051 -static struct dentry *d_tracer;
50052 -
50053  struct dentry *tracing_init_dentry(void)
50054  {
50055 +       static struct dentry *d_tracer;
50056         static int once;
50057  
50058         if (d_tracer)
50059 @@ -3988,10 +3987,9 @@ struct dentry *tracing_init_dentry(void)
50060         return d_tracer;
50061  }
50062  
50063 -static struct dentry *d_percpu;
50064 -
50065  struct dentry *tracing_dentry_percpu(void)
50066  {
50067 +       static struct dentry *d_percpu;
50068         static int once;
50069         struct dentry *d_tracer;
50070  
50071 diff -urNp linux-2.6.35.5/kernel/trace/trace_output.c linux-2.6.35.5/kernel/trace/trace_output.c
50072 --- linux-2.6.35.5/kernel/trace/trace_output.c  2010-08-26 19:47:12.000000000 -0400
50073 +++ linux-2.6.35.5/kernel/trace/trace_output.c  2010-09-17 20:12:09.000000000 -0400
50074 @@ -281,7 +281,7 @@ int trace_seq_path(struct trace_seq *s, 
50075  
50076         p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
50077         if (!IS_ERR(p)) {
50078 -               p = mangle_path(s->buffer + s->len, p, "\n");
50079 +               p = mangle_path(s->buffer + s->len, p, "\n\\");
50080                 if (p) {
50081                         s->len = p - s->buffer;
50082                         return 1;
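Review bot: The widened escape set passed to mangle_path() deserves a comment, because the reason for adding the backslash is not obvious from the call itself. mangle_path() emits escaped characters as backslash-octal sequences, so a path containing a literal backslash could otherwise produce text indistinguishable from an escaped newline in the trace output. Suggested comment above the call: `/* escape '\\' as well as '\n' so a literal backslash in a path cannot mimic an escape sequence */`. trace_seq_path() begins and ends outside this hunk.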
50083 diff -urNp linux-2.6.35.5/kernel/trace/trace_stack.c linux-2.6.35.5/kernel/trace/trace_stack.c
50084 --- linux-2.6.35.5/kernel/trace/trace_stack.c   2010-08-26 19:47:12.000000000 -0400
50085 +++ linux-2.6.35.5/kernel/trace/trace_stack.c   2010-09-17 20:12:09.000000000 -0400
50086 @@ -50,7 +50,7 @@ static inline void check_stack(void)
50087                 return;
50088  
50089         /* we do not handle interrupt stacks yet */
50090 -       if (!object_is_on_stack(&this_size))
50091 +       if (!object_starts_on_stack(&this_size))
50092                 return;
50093  
50094         local_irq_save(flags);
50095 diff -urNp linux-2.6.35.5/lib/bug.c linux-2.6.35.5/lib/bug.c
50096 --- linux-2.6.35.5/lib/bug.c    2010-08-26 19:47:12.000000000 -0400
50097 +++ linux-2.6.35.5/lib/bug.c    2010-09-17 20:12:09.000000000 -0400
50098 @@ -135,6 +135,8 @@ enum bug_trap_type report_bug(unsigned l
50099                 return BUG_TRAP_TYPE_NONE;
50100  
50101         bug = find_bug(bugaddr);
50102 +       if (!bug)
50103 +               return BUG_TRAP_TYPE_NONE;
50104  
50105         printk(KERN_EMERG "------------[ cut here ]------------\n");
50106  
50107 diff -urNp linux-2.6.35.5/lib/debugobjects.c linux-2.6.35.5/lib/debugobjects.c
50108 --- linux-2.6.35.5/lib/debugobjects.c   2010-08-26 19:47:12.000000000 -0400
50109 +++ linux-2.6.35.5/lib/debugobjects.c   2010-09-17 20:12:09.000000000 -0400
50110 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
50111         if (limit > 4)
50112                 return;
50113  
50114 -       is_on_stack = object_is_on_stack(addr);
50115 +       is_on_stack = object_starts_on_stack(addr);
50116         if (is_on_stack == onstack)
50117                 return;
50118  
50119 diff -urNp linux-2.6.35.5/lib/dma-debug.c linux-2.6.35.5/lib/dma-debug.c
50120 --- linux-2.6.35.5/lib/dma-debug.c      2010-08-26 19:47:12.000000000 -0400
50121 +++ linux-2.6.35.5/lib/dma-debug.c      2010-09-17 20:12:09.000000000 -0400
50122 @@ -861,7 +861,7 @@ out:
50123  
50124  static void check_for_stack(struct device *dev, void *addr)
50125  {
50126 -       if (object_is_on_stack(addr))
50127 +       if (object_starts_on_stack(addr))
50128                 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
50129                                 "stack [addr=%p]\n", addr);
50130  }
50131 diff -urNp linux-2.6.35.5/lib/inflate.c linux-2.6.35.5/lib/inflate.c
50132 --- linux-2.6.35.5/lib/inflate.c        2010-08-26 19:47:12.000000000 -0400
50133 +++ linux-2.6.35.5/lib/inflate.c        2010-09-17 20:12:09.000000000 -0400
50134 @@ -267,7 +267,7 @@ static void free(void *where)
50135                 malloc_ptr = free_mem_ptr;
50136  }
50137  #else
50138 -#define malloc(a) kmalloc(a, GFP_KERNEL)
50139 +#define malloc(a) kmalloc((a), GFP_KERNEL)
50140  #define free(a) kfree(a)
50141  #endif
50142  
50143 diff -urNp linux-2.6.35.5/lib/Kconfig.debug linux-2.6.35.5/lib/Kconfig.debug
50144 --- linux-2.6.35.5/lib/Kconfig.debug    2010-08-26 19:47:12.000000000 -0400
50145 +++ linux-2.6.35.5/lib/Kconfig.debug    2010-09-17 20:12:37.000000000 -0400
50146 @@ -970,7 +970,7 @@ config LATENCYTOP
50147         select STACKTRACE
50148         select SCHEDSTATS
50149         select SCHED_DEBUG
50150 -       depends on HAVE_LATENCYTOP_SUPPORT
50151 +       depends on HAVE_LATENCYTOP_SUPPORT && !GRKERNSEC_HIDESYM
50152         help
50153           Enable this option if you want to use the LatencyTOP tool
50154           to find out which userspace is blocking on what kernel operations.
50155 diff -urNp linux-2.6.35.5/lib/parser.c linux-2.6.35.5/lib/parser.c
50156 --- linux-2.6.35.5/lib/parser.c 2010-08-26 19:47:12.000000000 -0400
50157 +++ linux-2.6.35.5/lib/parser.c 2010-09-17 20:12:09.000000000 -0400
50158 @@ -129,7 +129,7 @@ static int match_number(substring_t *s, 
50159         char *buf;
50160         int ret;
50161  
50162 -       buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
50163 +       buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
50164         if (!buf)
50165                 return -ENOMEM;
50166         memcpy(buf, s->from, s->to - s->from);
50167 diff -urNp linux-2.6.35.5/lib/radix-tree.c linux-2.6.35.5/lib/radix-tree.c
50168 --- linux-2.6.35.5/lib/radix-tree.c     2010-08-26 19:47:12.000000000 -0400
50169 +++ linux-2.6.35.5/lib/radix-tree.c     2010-09-17 20:12:09.000000000 -0400
50170 @@ -80,7 +80,7 @@ struct radix_tree_preload {
50171         int nr;
50172         struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
50173  };
50174 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
50175 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
50176  
50177  static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
50178  {
50179 diff -urNp linux-2.6.35.5/lib/vsprintf.c linux-2.6.35.5/lib/vsprintf.c
50180 --- linux-2.6.35.5/lib/vsprintf.c       2010-08-26 19:47:12.000000000 -0400
50181 +++ linux-2.6.35.5/lib/vsprintf.c       2010-09-22 19:19:27.000000000 -0400
50182 @@ -990,7 +990,7 @@ char *pointer(const char *fmt, char *buf
50183               struct printf_spec spec)
50184  {
50185         if (!ptr)
50186 -               return string(buf, end, "(null)", spec);
50187 +               return string(buf, end, "(nil)", spec);
50188  
50189         switch (*fmt) {
50190         case 'F':
50191 diff -urNp linux-2.6.35.5/localversion-grsec linux-2.6.35.5/localversion-grsec
50192 --- linux-2.6.35.5/localversion-grsec   1969-12-31 19:00:00.000000000 -0500
50193 +++ linux-2.6.35.5/localversion-grsec   2010-09-17 20:12:37.000000000 -0400
50194 @@ -0,0 +1 @@
50195 +-grsec
50196 diff -urNp linux-2.6.35.5/Makefile linux-2.6.35.5/Makefile
50197 --- linux-2.6.35.5/Makefile     2010-09-20 17:33:09.000000000 -0400
50198 +++ linux-2.6.35.5/Makefile     2010-09-20 17:33:17.000000000 -0400
50199 @@ -230,8 +230,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
50200  
50201  HOSTCC       = gcc
50202  HOSTCXX      = g++
50203 -HOSTCFLAGS   = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
50204 -HOSTCXXFLAGS = -O2
50205 +HOSTCFLAGS   = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
50206 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
50207  
50208  # Decide whether to build built-in, modular, or both.
50209  # Normally, just do built-in.
50210 @@ -650,7 +650,7 @@ export mod_strip_cmd
50211  
50212  
50213  ifeq ($(KBUILD_EXTMOD),)
50214 -core-y         += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
50215 +core-y         += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
50216  
50217  vmlinux-dirs   := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
50218                      $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
50219 diff -urNp linux-2.6.35.5/mm/bootmem.c linux-2.6.35.5/mm/bootmem.c
50220 --- linux-2.6.35.5/mm/bootmem.c 2010-08-26 19:47:12.000000000 -0400
50221 +++ linux-2.6.35.5/mm/bootmem.c 2010-09-17 20:12:09.000000000 -0400
50222 @@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
50223  unsigned long __init free_all_memory_core_early(int nodeid)
50224  {
50225         int i;
50226 -       u64 start, end;
50227 +       u64 start, end, startrange, endrange;
50228         unsigned long count = 0;
50229 -       struct range *range = NULL;
50230 +       struct range *range = NULL, rangerange = { 0, 0 };
50231         int nr_range;
50232  
50233         nr_range = get_free_all_memory_range(&range, nodeid);
50234 +       startrange = __pa(range) >> PAGE_SHIFT;
50235 +       endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
50236  
50237         for (i = 0; i < nr_range; i++) {
50238                 start = range[i].start;
50239                 end = range[i].end;
50240 +               if (start <= endrange && startrange < end) {
50241 +                       BUG_ON(rangerange.start | rangerange.end);
50242 +                       rangerange = range[i];
50243 +                       continue;
50244 +               }
50245                 count += end - start;
50246                 __free_pages_memory(start, end);
50247         }
50248 +       start = rangerange.start;
50249 +       end = rangerange.end;
50250 +       count += end - start;
50251 +       __free_pages_memory(start, end);
50252  
50253         return count;
50254  }
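Review bot: The deferred `__free_pages_memory(start, end)` after the loop runs unconditionally, so when no entry overlaps the pages holding the `range` array it is called with the `{ 0, 0 }` initialiser. Wrapping the four trailing lines in `if (rangerange.end > rangerange.start) {` … `}` avoids relying on an empty range being harmless. `startrange` and `endrange` are also computed from `__pa(range)` before `nr_range` or `range` is checked, which merits a guard or a comment if get_free_all_memory_range() can return nothing. A comment above the loop such as `/* free the range backing the array last: the loop is still reading it */` would explain the deferral; that reading is inferred from the code and should be confirmed by the author.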
50255 diff -urNp linux-2.6.35.5/mm/filemap.c linux-2.6.35.5/mm/filemap.c
50256 --- linux-2.6.35.5/mm/filemap.c 2010-08-26 19:47:12.000000000 -0400
50257 +++ linux-2.6.35.5/mm/filemap.c 2010-09-17 20:12:37.000000000 -0400
50258 @@ -1640,7 +1640,7 @@ int generic_file_mmap(struct file * file
50259         struct address_space *mapping = file->f_mapping;
50260  
50261         if (!mapping->a_ops->readpage)
50262 -               return -ENOEXEC;
50263 +               return -ENODEV;
50264         file_accessed(file);
50265         vma->vm_ops = &generic_file_vm_ops;
50266         vma->vm_flags |= VM_CAN_NONLINEAR;
50267 @@ -2036,6 +2036,7 @@ inline int generic_write_checks(struct f
50268                          *pos = i_size_read(inode);
50269  
50270                 if (limit != RLIM_INFINITY) {
50271 +                       gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
50272                         if (*pos >= limit) {
50273                                 send_sig(SIGXFSZ, current, 0);
50274                                 return -EFBIG;
50275 diff -urNp linux-2.6.35.5/mm/fremap.c linux-2.6.35.5/mm/fremap.c
50276 --- linux-2.6.35.5/mm/fremap.c  2010-08-26 19:47:12.000000000 -0400
50277 +++ linux-2.6.35.5/mm/fremap.c  2010-09-17 20:12:09.000000000 -0400
50278 @@ -153,6 +153,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50279   retry:
50280         vma = find_vma(mm, start);
50281  
50282 +#ifdef CONFIG_PAX_SEGMEXEC
50283 +       if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
50284 +               goto out;
50285 +#endif
50286 +
50287         /*
50288          * Make sure the vma is shared, that it supports prefaulting,
50289          * and that the remapped range is valid and fully within
50290 @@ -221,7 +226,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
50291                 /*
50292                  * drop PG_Mlocked flag for over-mapped range
50293                  */
50294 -               unsigned int saved_flags = vma->vm_flags;
50295 +               unsigned long saved_flags = vma->vm_flags;
50296                 munlock_vma_pages_range(vma, start, start + size);
50297                 vma->vm_flags = saved_flags;
50298         }
50299 diff -urNp linux-2.6.35.5/mm/highmem.c linux-2.6.35.5/mm/highmem.c
50300 --- linux-2.6.35.5/mm/highmem.c 2010-08-26 19:47:12.000000000 -0400
50301 +++ linux-2.6.35.5/mm/highmem.c 2010-09-17 20:12:09.000000000 -0400
50302 @@ -116,9 +116,10 @@ static void flush_all_zero_pkmaps(void)
50303                  * So no dangers, even with speculative execution.
50304                  */
50305                 page = pte_page(pkmap_page_table[i]);
50306 +               pax_open_kernel();
50307                 pte_clear(&init_mm, (unsigned long)page_address(page),
50308                           &pkmap_page_table[i]);
50309 -
50310 +               pax_close_kernel();
50311                 set_page_address(page, NULL);
50312                 need_flush = 1;
50313         }
50314 @@ -177,9 +178,11 @@ start:
50315                 }
50316         }
50317         vaddr = PKMAP_ADDR(last_pkmap_nr);
50318 +
50319 +       pax_open_kernel();
50320         set_pte_at(&init_mm, vaddr,
50321                    &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
50322 -
50323 +       pax_close_kernel();
50324         pkmap_count[last_pkmap_nr] = 1;
50325         set_page_address(page, (void *)vaddr);
50326  
50327 diff -urNp linux-2.6.35.5/mm/hugetlb.c linux-2.6.35.5/mm/hugetlb.c
50328 --- linux-2.6.35.5/mm/hugetlb.c 2010-08-26 19:47:12.000000000 -0400
50329 +++ linux-2.6.35.5/mm/hugetlb.c 2010-09-17 20:12:09.000000000 -0400
50330 @@ -2272,6 +2272,26 @@ static int unmap_ref_private(struct mm_s
50331         return 1;
50332  }
50333  
50334 +#ifdef CONFIG_PAX_SEGMEXEC
50335 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
50336 +{
50337 +       struct mm_struct *mm = vma->vm_mm;
50338 +       struct vm_area_struct *vma_m;
50339 +       unsigned long address_m;
50340 +       pte_t *ptep_m;
50341 +
50342 +       vma_m = pax_find_mirror_vma(vma);
50343 +       if (!vma_m)
50344 +               return;
50345 +
50346 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50347 +       address_m = address + SEGMEXEC_TASK_SIZE;
50348 +       ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
50349 +       get_page(page_m);
50350 +       set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
50351 +}
50352 +#endif
50353 +
50354  static int hugetlb_cow(struct mm_struct *mm, struct vm_area_struct *vma,
50355                         unsigned long address, pte_t *ptep, pte_t pte,
50356                         struct page *pagecache_page)
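Review bot: pax_mirror_huge_pte() passes the result of `huge_pte_offset()` straight to `set_huge_pte_at()` without checking it, so the helper silently depends on the mirror's entry having been allocated beforehand. The hugetlb_fault hunk further down calls `huge_pte_alloc()` on `address_m`, which looks like the intended guarantee. I would make that invariant explicit with `BUG_ON(!ptep_m);` after the lookup, matching the `BUG_ON(address >= SEGMEXEC_TASK_SIZE)` already there, plus a one-line comment naming the caller that pre-allocates. The lookup also masks `address_m` with `HPAGE_MASK` while `set_huge_pte_at()` receives it unmasked; a single masked local, or a comment, would settle whether that difference matters.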
50357 @@ -2352,6 +2372,11 @@ retry_avoidcopy:
50358                 huge_ptep_clear_flush(vma, address, ptep);
50359                 set_huge_pte_at(mm, address, ptep,
50360                                 make_huge_pte(vma, new_page, 1));
50361 +
50362 +#ifdef CONFIG_PAX_SEGMEXEC
50363 +               pax_mirror_huge_pte(vma, address, new_page);
50364 +#endif
50365 +
50366                 /* Make the old page be freed below */
50367                 new_page = old_page;
50368         }
50369 @@ -2483,6 +2508,10 @@ retry:
50370                                 && (vma->vm_flags & VM_SHARED)));
50371         set_huge_pte_at(mm, address, ptep, new_pte);
50372  
50373 +#ifdef CONFIG_PAX_SEGMEXEC
50374 +       pax_mirror_huge_pte(vma, address, page);
50375 +#endif
50376 +
50377         if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
50378                 /* Optimization, do the COW without a second fault */
50379                 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
50380 @@ -2511,6 +2540,28 @@ int hugetlb_fault(struct mm_struct *mm, 
50381         static DEFINE_MUTEX(hugetlb_instantiation_mutex);
50382         struct hstate *h = hstate_vma(vma);
50383  
50384 +#ifdef CONFIG_PAX_SEGMEXEC
50385 +       struct vm_area_struct *vma_m;
50386 +
50387 +       vma_m = pax_find_mirror_vma(vma);
50388 +       if (vma_m) {
50389 +               unsigned long address_m;
50390 +
50391 +               if (vma->vm_start > vma_m->vm_start) {
50392 +                       address_m = address;
50393 +                       address -= SEGMEXEC_TASK_SIZE;
50394 +                       vma = vma_m;
50395 +                       h = hstate_vma(vma);
50396 +               } else
50397 +                       address_m = address + SEGMEXEC_TASK_SIZE;
50398 +
50399 +               if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
50400 +                       return VM_FAULT_OOM;
50401 +               address_m &= HPAGE_MASK;
50402 +               unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
50403 +       }
50404 +#endif
50405 +
50406         ptep = huge_pte_alloc(mm, address, huge_page_size(h));
50407         if (!ptep)
50408                 return VM_FAULT_OOM;
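Review bot: The mirror handling mixes `huge_page_size(h)` in the `huge_pte_alloc()` call with the fixed `HPAGE_MASK`/`HPAGE_SIZE` constants two lines later, and those only agree when the vma uses the default huge page size. Using the hstate consistently, `address_m &= huge_page_mask(h);` and `unmap_hugepage_range(vma, address_m, address_m + huge_page_size(h), NULL);`, ties the unmapped span to the same size as the allocation. If SEGMEXEC can only be enabled where a single huge page size exists, a comment stating that would be enough. hugetlb_fault() starts above and continues below this hunk.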
50409 diff -urNp linux-2.6.35.5/mm/Kconfig linux-2.6.35.5/mm/Kconfig
50410 --- linux-2.6.35.5/mm/Kconfig   2010-08-26 19:47:12.000000000 -0400
50411 +++ linux-2.6.35.5/mm/Kconfig   2010-09-17 20:12:37.000000000 -0400
50412 @@ -240,7 +240,7 @@ config KSM
50413  config DEFAULT_MMAP_MIN_ADDR
50414          int "Low address space to protect from user allocation"
50415         depends on MMU
50416 -        default 4096
50417 +        default 65536
50418          help
50419           This is the portion of low virtual memory which should be protected
50420           from userspace allocation.  Keeping a user from writing to low pages
50421 diff -urNp linux-2.6.35.5/mm/maccess.c linux-2.6.35.5/mm/maccess.c
50422 --- linux-2.6.35.5/mm/maccess.c 2010-08-26 19:47:12.000000000 -0400
50423 +++ linux-2.6.35.5/mm/maccess.c 2010-09-17 20:12:09.000000000 -0400
50424 @@ -15,10 +15,10 @@
50425   * happens, handle that and return -EFAULT.
50426   */
50427  
50428 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
50429 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
50430      __attribute__((alias("__probe_kernel_read")));
50431  
50432 -long __probe_kernel_read(void *dst, void *src, size_t size)
50433 +long __probe_kernel_read(void *dst, const void *src, size_t size)
50434  {
50435         long ret;
50436         mm_segment_t old_fs = get_fs();
50437 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
50438   * Safely write to address @dst from the buffer at @src.  If a kernel fault
50439   * happens, handle that and return -EFAULT.
50440   */
50441 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
50442 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
50443      __attribute__((alias("__probe_kernel_write")));
50444  
50445 -long __probe_kernel_write(void *dst, void *src, size_t size)
50446 +long __probe_kernel_write(void *dst, const void *src, size_t size)
50447  {
50448         long ret;
50449         mm_segment_t old_fs = get_fs();
50450 diff -urNp linux-2.6.35.5/mm/madvise.c linux-2.6.35.5/mm/madvise.c
50451 --- linux-2.6.35.5/mm/madvise.c 2010-08-26 19:47:12.000000000 -0400
50452 +++ linux-2.6.35.5/mm/madvise.c 2010-09-17 20:12:09.000000000 -0400
50453 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
50454         pgoff_t pgoff;
50455         unsigned long new_flags = vma->vm_flags;
50456  
50457 +#ifdef CONFIG_PAX_SEGMEXEC
50458 +       struct vm_area_struct *vma_m;
50459 +#endif
50460 +
50461         switch (behavior) {
50462         case MADV_NORMAL:
50463                 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
50464 @@ -104,6 +108,13 @@ success:
50465         /*
50466          * vm_flags is protected by the mmap_sem held in write mode.
50467          */
50468 +
50469 +#ifdef CONFIG_PAX_SEGMEXEC
50470 +       vma_m = pax_find_mirror_vma(vma);
50471 +       if (vma_m)
50472 +               vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
50473 +#endif
50474 +
50475         vma->vm_flags = new_flags;
50476  
50477  out:
50478 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
50479                              struct vm_area_struct ** prev,
50480                              unsigned long start, unsigned long end)
50481  {
50482 +
50483 +#ifdef CONFIG_PAX_SEGMEXEC
50484 +       struct vm_area_struct *vma_m;
50485 +#endif
50486 +
50487         *prev = vma;
50488         if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
50489                 return -EINVAL;
50490 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
50491                 zap_page_range(vma, start, end - start, &details);
50492         } else
50493                 zap_page_range(vma, start, end - start, NULL);
50494 +
50495 +#ifdef CONFIG_PAX_SEGMEXEC
50496 +       vma_m = pax_find_mirror_vma(vma);
50497 +       if (vma_m) {
50498 +               if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
50499 +                       struct zap_details details = {
50500 +                               .nonlinear_vma = vma_m,
50501 +                               .last_index = ULONG_MAX,
50502 +                       };
50503 +                       zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
50504 +               } else
50505 +                       zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
50506 +       }
50507 +#endif
50508 +
50509         return 0;
50510  }
50511  
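Review bot: Both mirror calls pass `vma` to `zap_page_range()` although the address `start + SEGMEXEC_TASK_SIZE` lies in the mirror mapping and the nonlinear case sets `.nonlinear_vma = vma_m`. If the mirror is what should be zapped, `vma_m` looks like the intended first argument, e.g. `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, NULL);`. If passing the lower vma is deliberate, a comment explaining why would prevent a later well-meant "fix". The nonlinear test also reads `vma->vm_flags` rather than the mirror's flags, which holds only if VM_NONLINEAR is kept in sync between the two. madvise_dontneed() begins in the previous hunk.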
50512 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long, 
50513         if (end < start)
50514                 goto out;
50515  
50516 +#ifdef CONFIG_PAX_SEGMEXEC
50517 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
50518 +               if (end > SEGMEXEC_TASK_SIZE)
50519 +                       goto out;
50520 +       } else
50521 +#endif
50522 +
50523 +       if (end > TASK_SIZE)
50524 +               goto out;
50525 +
50526         error = 0;
50527         if (end == start)
50528                 goto out;
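Review bot: The `} else` directly before `#endif` binds to the `if (end > TASK_SIZE)` that follows a blank line outside the conditional block, so the control flow depends on a statement in a different preprocessor region. Anyone inserting a line between them changes which address limit is enforced. Selecting the limit first and testing it once removes the dangling else, as in the fence below; `limit` is a new `unsigned long` local to be declared with the function's other locals, which are outside this hunk. The syscall body starts and ends outside the hunk, so the value returned through `out` is not visible here.

```c
	/* ... unchanged: "if (end < start) goto out;" ... */

	limit = TASK_SIZE;
#ifdef CONFIG_PAX_SEGMEXEC
	/* SEGMEXEC tasks only own the lower half of the address space */
	if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
		limit = SEGMEXEC_TASK_SIZE;
#endif
	if (end > limit)
		goto out;

	/* ... unchanged: "error = 0;" and the end == start test ... */
```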
50529 diff -urNp linux-2.6.35.5/mm/memory.c linux-2.6.35.5/mm/memory.c
50530 --- linux-2.6.35.5/mm/memory.c  2010-08-26 19:47:12.000000000 -0400
50531 +++ linux-2.6.35.5/mm/memory.c  2010-09-17 20:12:09.000000000 -0400
50532 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
50533                 return;
50534  
50535         pmd = pmd_offset(pud, start);
50536 +
50537 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
50538         pud_clear(pud);
50539         pmd_free_tlb(tlb, pmd, start);
50540 +#endif
50541 +
50542  }
50543  
50544  static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
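Review bot: With CONFIG_X86_32 and CONFIG_PAX_PER_CPU_PGD both set, the new `#if` removes the only uses of `pmd`, leaving `pmd = pmd_offset(pud, start);` as a dead store that newer compilers warn about. Moving that assignment inside the `#if` block keeps both configurations clean. The hunk also has no comment saying why the pud entry must not be cleared and the pmd page not freed in that configuration; a one-line explanation from the author above the `#if` would help. The free_pud_range hunk that follows has the same shape with `pud` and CONFIG_X86_64.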
50545 @@ -292,8 +296,12 @@ static inline void free_pud_range(struct
50546                 return;
50547  
50548         pud = pud_offset(pgd, start);
50549 +
50550 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
50551         pgd_clear(pgd);
50552         pud_free_tlb(tlb, pud, start);
50553 +#endif
50554 +
50555  }
50556  
50557  /*
50558 @@ -1363,10 +1371,10 @@ int __get_user_pages(struct task_struct 
50559                         (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
50560         i = 0;
50561  
50562 -       do {
50563 +       while (nr_pages) {
50564                 struct vm_area_struct *vma;
50565  
50566 -               vma = find_extend_vma(mm, start);
50567 +               vma = find_vma(mm, start);
50568                 if (!vma && in_gate_area(tsk, start)) {
50569                         unsigned long pg = start & PAGE_MASK;
50570                         struct vm_area_struct *gate_vma = get_gate_vma(tsk);
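Review bot: After the switch to `find_vma()`, the gate-area test `!vma && in_gate_area(tsk, start)` sees a NULL vma only when no mapping ends above `start`, because find_vma() returns the next higher vma for an address in a hole. A gate-area address with any vma above it would therefore skip the gate path and hit the new `start < vma->vm_start` rejection added in the following hunk. If that layout can occur on a supported architecture, the condition should become `if ((!vma || start < vma->vm_start) && in_gate_area(tsk, start)) {`. Otherwise a comment stating that the gate area is always above every user mapping would record the assumption. __get_user_pages() starts above this hunk and continues through the next two.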
50571 @@ -1418,7 +1426,7 @@ int __get_user_pages(struct task_struct 
50572                         continue;
50573                 }
50574  
50575 -               if (!vma ||
50576 +               if (!vma || start < vma->vm_start ||
50577                     (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
50578                     !(vm_flags & vma->vm_flags))
50579                         return i ? : -EFAULT;
50580 @@ -1493,7 +1501,7 @@ int __get_user_pages(struct task_struct 
50581                         start += PAGE_SIZE;
50582                         nr_pages--;
50583                 } while (nr_pages && start < vma->vm_end);
50584 -       } while (nr_pages);
50585 +       }
50586         return i;
50587  }
50588  
50589 @@ -2089,6 +2097,186 @@ static inline void cow_user_page(struct 
50590                 copy_user_highpage(dst, src, va, vma);
50591  }
50592  
50593 +#ifdef CONFIG_PAX_SEGMEXEC
50594 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
50595 +{
50596 +       struct mm_struct *mm = vma->vm_mm;
50597 +       spinlock_t *ptl;
50598 +       pte_t *pte, entry;
50599 +
50600 +       pte = pte_offset_map_lock(mm, pmd, address, &ptl);
50601 +       entry = *pte;
50602 +       if (!pte_present(entry)) {
50603 +               if (!pte_none(entry)) {
50604 +                       BUG_ON(pte_file(entry));
50605 +                       free_swap_and_cache(pte_to_swp_entry(entry));
50606 +                       pte_clear_not_present_full(mm, address, pte, 0);
50607 +               }
50608 +       } else {
50609 +               struct page *page;
50610 +
50611 +               flush_cache_page(vma, address, pte_pfn(entry));
50612 +               entry = ptep_clear_flush(vma, address, pte);
50613 +               BUG_ON(pte_dirty(entry));
50614 +               page = vm_normal_page(vma, address, entry);
50615 +               if (page) {
50616 +                       update_hiwater_rss(mm);
50617 +                       if (PageAnon(page))
50618 +                               dec_mm_counter_fast(mm, MM_ANONPAGES);
50619 +                       else
50620 +                               dec_mm_counter_fast(mm, MM_FILEPAGES);
50621 +                       page_remove_rmap(page);
50622 +                       page_cache_release(page);
50623 +               }
50624 +       }
50625 +       pte_unmap_unlock(pte, ptl);
50626 +}
50627 +
50628 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
50629 + *
50630 + * the ptl of the lower mapped page is held on entry and is not released on exit
50631 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
50632 + */
50633 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50634 +{
50635 +       struct mm_struct *mm = vma->vm_mm;
50636 +       unsigned long address_m;
50637 +       spinlock_t *ptl_m;
50638 +       struct vm_area_struct *vma_m;
50639 +       pmd_t *pmd_m;
50640 +       pte_t *pte_m, entry_m;
50641 +
50642 +       BUG_ON(!page_m || !PageAnon(page_m));
50643 +
50644 +       vma_m = pax_find_mirror_vma(vma);
50645 +       if (!vma_m)
50646 +               return;
50647 +
50648 +       BUG_ON(!PageLocked(page_m));
50649 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50650 +       address_m = address + SEGMEXEC_TASK_SIZE;
50651 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50652 +       pte_m = pte_offset_map_nested(pmd_m, address_m);
50653 +       ptl_m = pte_lockptr(mm, pmd_m);
50654 +       if (ptl != ptl_m) {
50655 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50656 +               if (!pte_none(*pte_m))
50657 +                       goto out;
50658 +       }
50659 +
50660 +       entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50661 +       page_cache_get(page_m);
50662 +       page_add_anon_rmap(page_m, vma_m, address_m);
50663 +       inc_mm_counter_fast(mm, MM_ANONPAGES);
50664 +       set_pte_at(mm, address_m, pte_m, entry_m);
50665 +       update_mmu_cache(vma_m, address_m, entry_m);
50666 +out:
50667 +       if (ptl != ptl_m)
50668 +               spin_unlock(ptl_m);
50669 +       pte_unmap_nested(pte_m);
50670 +       unlock_page(page_m);
50671 +}
50672 +
50673 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
50674 +{
50675 +       struct mm_struct *mm = vma->vm_mm;
50676 +       unsigned long address_m;
50677 +       spinlock_t *ptl_m;
50678 +       struct vm_area_struct *vma_m;
50679 +       pmd_t *pmd_m;
50680 +       pte_t *pte_m, entry_m;
50681 +
50682 +       BUG_ON(!page_m || PageAnon(page_m));
50683 +
50684 +       vma_m = pax_find_mirror_vma(vma);
50685 +       if (!vma_m)
50686 +               return;
50687 +
50688 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50689 +       address_m = address + SEGMEXEC_TASK_SIZE;
50690 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50691 +       pte_m = pte_offset_map_nested(pmd_m, address_m);
50692 +       ptl_m = pte_lockptr(mm, pmd_m);
50693 +       if (ptl != ptl_m) {
50694 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50695 +               if (!pte_none(*pte_m))
50696 +                       goto out;
50697 +       }
50698 +
50699 +       entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
50700 +       page_cache_get(page_m);
50701 +       page_add_file_rmap(page_m);
50702 +       inc_mm_counter_fast(mm, MM_FILEPAGES);
50703 +       set_pte_at(mm, address_m, pte_m, entry_m);
50704 +       update_mmu_cache(vma_m, address_m, entry_m);
50705 +out:
50706 +       if (ptl != ptl_m)
50707 +               spin_unlock(ptl_m);
50708 +       pte_unmap_nested(pte_m);
50709 +}
50710 +
50711 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
50712 +{
50713 +       struct mm_struct *mm = vma->vm_mm;
50714 +       unsigned long address_m;
50715 +       spinlock_t *ptl_m;
50716 +       struct vm_area_struct *vma_m;
50717 +       pmd_t *pmd_m;
50718 +       pte_t *pte_m, entry_m;
50719 +
50720 +       vma_m = pax_find_mirror_vma(vma);
50721 +       if (!vma_m)
50722 +               return;
50723 +
50724 +       BUG_ON(address >= SEGMEXEC_TASK_SIZE);
50725 +       address_m = address + SEGMEXEC_TASK_SIZE;
50726 +       pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
50727 +       pte_m = pte_offset_map_nested(pmd_m, address_m);
50728 +       ptl_m = pte_lockptr(mm, pmd_m);
50729 +       if (ptl != ptl_m) {
50730 +               spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
50731 +               if (!pte_none(*pte_m))
50732 +                       goto out;
50733 +       }
50734 +
50735 +       entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
50736 +       set_pte_at(mm, address_m, pte_m, entry_m);
50737 +out:
50738 +       if (ptl != ptl_m)
50739 +               spin_unlock(ptl_m);
50740 +       pte_unmap_nested(pte_m);
50741 +}
50742 +
50743 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
50744 +{
50745 +       struct page *page_m;
50746 +       pte_t entry;
50747 +
50748 +       if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
50749 +               goto out;
50750 +
50751 +       entry = *pte;
50752 +       page_m  = vm_normal_page(vma, address, entry);
50753 +       if (!page_m)
50754 +               pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
50755 +       else if (PageAnon(page_m)) {
50756 +               if (pax_find_mirror_vma(vma)) {
50757 +                       pte_unmap_unlock(pte, ptl);
50758 +                       lock_page(page_m);
50759 +                       pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
50760 +                       if (pte_same(entry, *pte))
50761 +                               pax_mirror_anon_pte(vma, address, page_m, ptl);
50762 +                       else
50763 +                               unlock_page(page_m);
50764 +               }
50765 +       } else
50766 +               pax_mirror_file_pte(vma, address, page_m, ptl);
50767 +
50768 +out:
50769 +       pte_unmap_unlock(pte, ptl);
50770 +}
50771 +#endif
50772 +
50773  /*
50774   * This routine handles present pages, when users try to write
50775   * to a shared page. It is done by copying the page to a new address
50776 @@ -2275,6 +2463,12 @@ gotten:
50777          */
50778         page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50779         if (likely(pte_same(*page_table, orig_pte))) {
50780 +
50781 +#ifdef CONFIG_PAX_SEGMEXEC
50782 +               if (pax_find_mirror_vma(vma))
50783 +                       BUG_ON(!trylock_page(new_page));
50784 +#endif
50785 +
50786                 if (old_page) {
50787                         if (!PageAnon(old_page)) {
50788                                 dec_mm_counter_fast(mm, MM_FILEPAGES);
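Review bot: `BUG_ON(!trylock_page(new_page));` hides a lock acquisition inside an assertion macro, so the page lock taken here is easy to miss when auditing the fault path. The later `pax_mirror_anon_pte(vma, address, new_page, ptl)` call appears to rely on that lock. Writing it as `if (!trylock_page(new_page)) BUG();` keeps the side effect visible and independent of how BUG_ON is defined in a given configuration. The same construct is added in the do_anonymous_page hunk (`trylock_page(page)`) and in the __do_fault hunk. The enclosing function starts and ends outside this hunk.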
50789 @@ -2326,6 +2520,10 @@ gotten:
50790                         page_remove_rmap(old_page);
50791                 }
50792  
50793 +#ifdef CONFIG_PAX_SEGMEXEC
50794 +               pax_mirror_anon_pte(vma, address, new_page, ptl);
50795 +#endif
50796 +
50797                 /* Free the old page.. */
50798                 new_page = old_page;
50799                 ret |= VM_FAULT_WRITE;
50800 @@ -2734,6 +2932,11 @@ static int do_swap_page(struct mm_struct
50801         swap_free(entry);
50802         if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
50803                 try_to_free_swap(page);
50804 +
50805 +#ifdef CONFIG_PAX_SEGMEXEC
50806 +       if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
50807 +#endif
50808 +
50809         unlock_page(page);
50810  
50811         if (flags & FAULT_FLAG_WRITE) {
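Review bot: The added `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` has no body inside the `#ifdef`; it governs the `unlock_page(page);` that follows the `#endif` and an inserted blank line. A later edit that puts a statement between them would silently change which pages get unlocked. Keep the conditional and the unlock together in both preprocessor branches, or at least add a comment such as `/* SEGMEXEC read fault with a mirror: keep the page locked for pax_mirror_anon_pte() */`. That the mirror helper releases the lock is inferred from the helper's tail earlier in the file, so confirm it before settling the wording. The do_mbind hunk in mm/mempolicy.c uses the same shape, with `} else` directly before `#endif`; do_swap_page continues outside this hunk.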
50812 @@ -2745,6 +2948,11 @@ static int do_swap_page(struct mm_struct
50813  
50814         /* No need to invalidate - it was non-present before */
50815         update_mmu_cache(vma, address, page_table);
50816 +
50817 +#ifdef CONFIG_PAX_SEGMEXEC
50818 +       pax_mirror_anon_pte(vma, address, page, ptl);
50819 +#endif
50820 +
50821  unlock:
50822         pte_unmap_unlock(page_table, ptl);
50823  out:
50824 @@ -3000,40 +3000,6 @@ out_release:
50825  }
50826  
50827  /*
50828 - * This is like a special single-page "expand_{down|up}wards()",
50829 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
50830 - * doesn't hit another vma.
50831 - */
50832 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
50833 -{
50834 -       address &= PAGE_MASK;
50835 -       if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
50836 -               struct vm_area_struct *prev = vma->vm_prev;
50837 -
50838 -               /*
50839 -                * Is there a mapping abutting this one below?
50840 -                *
50841 -                * That's only ok if it's the same stack mapping
50842 -                * that has gotten split..
50843 -                */
50844 -               if (prev && prev->vm_end == address)
50845 -                       return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
50846 -
50847 -               expand_stack(vma, address - PAGE_SIZE);
50848 -       }
50849 -       if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
50850 -               struct vm_area_struct *next = vma->vm_next;
50851 -
50852 -               /* As VM_GROWSDOWN but s/below/above/ */
50853 -               if (next && next->vm_start == address + PAGE_SIZE)
50854 -                       return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
50855 -
50856 -               expand_upwards(vma, address + PAGE_SIZE);
50857 -       }
50858 -       return 0;
50859 -}
50860 -
50861 -/*
50862   * We enter with non-exclusive mmap_sem (to exclude vma changes,
50863   * but allow concurrent faults), and pte mapped but not yet locked.
50864   * We return with mmap_sem still held, but pte unmapped and unlocked.
50865 @@ -2795,27 +2976,23 @@ static int do_anonymous_page(struct mm_s
50866                 unsigned long address, pte_t *page_table, pmd_t *pmd,
50867                 unsigned int flags)
50868  {
50869 -       struct page *page;
50870 +       struct page *page = NULL;
50871         spinlock_t *ptl;
50872         pte_t entry;
50873  
50874 -       pte_unmap(page_table);
50875 -
50876 -       /* Check if we need to add a guard page to the stack */
50877 -       if (check_stack_guard_page(vma, address) < 0)
50878 -               return VM_FAULT_SIGBUS;
50879 -
50880 -       /* Use the zero-page for reads */
50881         if (!(flags & FAULT_FLAG_WRITE)) {
50882                 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
50883                                                 vma->vm_page_prot));
50884 -               page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
50885 +               ptl = pte_lockptr(mm, pmd);
50886 +               spin_lock(ptl);
50887                 if (!pte_none(*page_table))
50888                         goto unlock;
50889                 goto setpte;
50890         }
50891  
50892         /* Allocate our own private page. */
50893 +       pte_unmap(page_table);
50894 +
50895         if (unlikely(anon_vma_prepare(vma)))
50896                 goto oom;
50897         page = alloc_zeroed_user_highpage_movable(vma, address);
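Review bot: The `/* Use the zero-page for reads */` comment is deleted together with the guard-page check, although the `!(flags & FAULT_FLAG_WRITE)` branch it described is kept; restore it above that branch. The read path now locks with `pte_lockptr()` and `spin_lock()` on the `page_table` mapping passed in by the caller, while the write path still calls `pte_unmap(page_table)` first. That asymmetry deserves a one-line comment, for example `/* read path reuses the caller's pte mapping; only the write path unmaps before allocating */`. The rest of do_anonymous_page lies outside this hunk.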
50898 @@ -2834,6 +3011,11 @@ static int do_anonymous_page(struct mm_s
50899         if (!pte_none(*page_table))
50900                 goto release;
50901  
50902 +#ifdef CONFIG_PAX_SEGMEXEC
50903 +       if (pax_find_mirror_vma(vma))
50904 +               BUG_ON(!trylock_page(page));
50905 +#endif
50906 +
50907         inc_mm_counter_fast(mm, MM_ANONPAGES);
50908         page_add_new_anon_rmap(page, vma, address);
50909  setpte:
50910 @@ -2841,6 +3023,12 @@ setpte:
50911  
50912         /* No need to invalidate - it was non-present before */
50913         update_mmu_cache(vma, address, page_table);
50914 +
50915 +#ifdef CONFIG_PAX_SEGMEXEC
50916 +       if (page)
50917 +               pax_mirror_anon_pte(vma, address, page, ptl);
50918 +#endif
50919 +
50920  unlock:
50921         pte_unmap_unlock(page_table, ptl);
50922         return 0;
50923 @@ -2983,6 +3171,12 @@ static int __do_fault(struct mm_struct *
50924          */
50925         /* Only go through if we didn't race with anybody else... */
50926         if (likely(pte_same(*page_table, orig_pte))) {
50927 +
50928 +#ifdef CONFIG_PAX_SEGMEXEC
50929 +               if (anon && pax_find_mirror_vma(vma))
50930 +                       BUG_ON(!trylock_page(page));
50931 +#endif
50932 +
50933                 flush_icache_page(vma, page);
50934                 entry = mk_pte(page, vma->vm_page_prot);
50935                 if (flags & FAULT_FLAG_WRITE)
50936 @@ -3002,6 +3196,14 @@ static int __do_fault(struct mm_struct *
50937  
50938                 /* no need to invalidate: a not-present page won't be cached */
50939                 update_mmu_cache(vma, address, page_table);
50940 +
50941 +#ifdef CONFIG_PAX_SEGMEXEC
50942 +               if (anon)
50943 +                       pax_mirror_anon_pte(vma, address, page, ptl);
50944 +               else
50945 +                       pax_mirror_file_pte(vma, address, page, ptl);
50946 +#endif
50947 +
50948         } else {
50949                 if (charged)
50950                         mem_cgroup_uncharge_page(page);
50951 @@ -3149,6 +3351,12 @@ static inline int handle_pte_fault(struc
50952                 if (flags & FAULT_FLAG_WRITE)
50953                         flush_tlb_page(vma, address);
50954         }
50955 +
50956 +#ifdef CONFIG_PAX_SEGMEXEC
50957 +       pax_mirror_pte(vma, address, pte, pmd, ptl);
50958 +       return 0;
50959 +#endif
50960 +
50961  unlock:
50962         pte_unmap_unlock(pte, ptl);
50963         return 0;
50964 @@ -3165,6 +3373,10 @@ int handle_mm_fault(struct mm_struct *mm
50965         pmd_t *pmd;
50966         pte_t *pte;
50967  
50968 +#ifdef CONFIG_PAX_SEGMEXEC
50969 +       struct vm_area_struct *vma_m;
50970 +#endif
50971 +
50972         __set_current_state(TASK_RUNNING);
50973  
50974         count_vm_event(PGFAULT);
50975 @@ -3175,6 +3387,34 @@ int handle_mm_fault(struct mm_struct *mm
50976         if (unlikely(is_vm_hugetlb_page(vma)))
50977                 return hugetlb_fault(mm, vma, address, flags);
50978  
50979 +#ifdef CONFIG_PAX_SEGMEXEC
50980 +       vma_m = pax_find_mirror_vma(vma);
50981 +       if (vma_m) {
50982 +               unsigned long address_m;
50983 +               pgd_t *pgd_m;
50984 +               pud_t *pud_m;
50985 +               pmd_t *pmd_m;
50986 +
50987 +               if (vma->vm_start > vma_m->vm_start) {
50988 +                       address_m = address;
50989 +                       address -= SEGMEXEC_TASK_SIZE;
50990 +                       vma = vma_m;
50991 +               } else
50992 +                       address_m = address + SEGMEXEC_TASK_SIZE;
50993 +
50994 +               pgd_m = pgd_offset(mm, address_m);
50995 +               pud_m = pud_alloc(mm, pgd_m, address_m);
50996 +               if (!pud_m)
50997 +                       return VM_FAULT_OOM;
50998 +               pmd_m = pmd_alloc(mm, pud_m, address_m);
50999 +               if (!pmd_m)
51000 +                       return VM_FAULT_OOM;
51001 +               if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
51002 +                       return VM_FAULT_OOM;
51003 +               pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
51004 +       }
51005 +#endif
51006 +
51007         pgd = pgd_offset(mm, address);
51008         pud = pud_alloc(mm, pgd, address);
51009         if (!pud)
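Review bot: The `vma->vm_start > vma_m->vm_start` branch rewrites both `address` and `vma` for the remainder of handle_mm_fault without a comment. A reader of the unchanged code below cannot tell that a fault taken in the upper range is being redirected to the lower mapping. A comment on the branch would do, e.g. `/* fault hit the mirror: handle it on the primary vma at address - SEGMEXEC_TASK_SIZE */`. It would also help to say why `pax_unmap_mirror_pte()` runs before the primary page tables are walked; its definition is outside this hunk, so that wording needs confirming against it. The function begins and ends outside this hunk.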
51010 @@ -3272,7 +3512,7 @@ static int __init gate_vma_init(void)
51011         gate_vma.vm_start = FIXADDR_USER_START;
51012         gate_vma.vm_end = FIXADDR_USER_END;
51013         gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
51014 -       gate_vma.vm_page_prot = __P101;
51015 +       gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
51016         /*
51017          * Make sure the vDSO gets into every core dump.
51018          * Dumping its contents makes post-mortem fully interpretable later
51019 diff -urNp linux-2.6.35.5/mm/memory-failure.c linux-2.6.35.5/mm/memory-failure.c
51020 --- linux-2.6.35.5/mm/memory-failure.c  2010-08-26 19:47:12.000000000 -0400
51021 +++ linux-2.6.35.5/mm/memory-failure.c  2010-09-17 20:12:09.000000000 -0400
51022 @@ -51,7 +51,7 @@ int sysctl_memory_failure_early_kill __r
51023  
51024  int sysctl_memory_failure_recovery __read_mostly = 1;
51025  
51026 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51027 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
51028  
51029  #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
51030  
51031 @@ -939,7 +939,7 @@ int __memory_failure(unsigned long pfn, 
51032                 return 0;
51033         }
51034  
51035 -       atomic_long_add(1, &mce_bad_pages);
51036 +       atomic_long_add_unchecked(1, &mce_bad_pages);
51037  
51038         /*
51039          * We need/can do nothing about count=0 pages.
51040 @@ -1003,7 +1003,7 @@ int __memory_failure(unsigned long pfn, 
51041         }
51042         if (hwpoison_filter(p)) {
51043                 if (TestClearPageHWPoison(p))
51044 -                       atomic_long_dec(&mce_bad_pages);
51045 +                       atomic_long_dec_unchecked(&mce_bad_pages);
51046                 unlock_page(p);
51047                 put_page(p);
51048                 return 0;
51049 @@ -1096,7 +1096,7 @@ int unpoison_memory(unsigned long pfn)
51050  
51051         if (!get_page_unless_zero(page)) {
51052                 if (TestClearPageHWPoison(p))
51053 -                       atomic_long_dec(&mce_bad_pages);
51054 +                       atomic_long_dec_unchecked(&mce_bad_pages);
51055                 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
51056                 return 0;
51057         }
51058 @@ -1110,7 +1110,7 @@ int unpoison_memory(unsigned long pfn)
51059          */
51060         if (TestClearPageHWPoison(p)) {
51061                 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
51062 -               atomic_long_dec(&mce_bad_pages);
51063 +               atomic_long_dec_unchecked(&mce_bad_pages);
51064                 freeit = 1;
51065         }
51066         unlock_page(page);
51067 @@ -1291,7 +1291,7 @@ int soft_offline_page(struct page *page,
51068                 return ret;
51069  
51070  done:
51071 -       atomic_long_add(1, &mce_bad_pages);
51072 +       atomic_long_add_unchecked(1, &mce_bad_pages);
51073         SetPageHWPoison(page);
51074         /* keep elevated page count for bad page */
51075         return ret;
51076 diff -urNp linux-2.6.35.5/mm/mempolicy.c linux-2.6.35.5/mm/mempolicy.c
51077 --- linux-2.6.35.5/mm/mempolicy.c       2010-08-26 19:47:12.000000000 -0400
51078 +++ linux-2.6.35.5/mm/mempolicy.c       2010-09-17 20:12:37.000000000 -0400
51079 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct 
51080         unsigned long vmstart;
51081         unsigned long vmend;
51082  
51083 +#ifdef CONFIG_PAX_SEGMEXEC
51084 +       struct vm_area_struct *vma_m;
51085 +#endif
51086 +
51087         vma = find_vma_prev(mm, start, &prev);
51088         if (!vma || vma->vm_start > start)
51089                 return -EFAULT;
51090 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct 
51091                 err = policy_vma(vma, new_pol);
51092                 if (err)
51093                         goto out;
51094 +
51095 +#ifdef CONFIG_PAX_SEGMEXEC
51096 +               vma_m = pax_find_mirror_vma(vma);
51097 +               if (vma_m) {
51098 +                       err = policy_vma(vma_m, new_pol);
51099 +                       if (err)
51100 +                               goto out;
51101 +               }
51102 +#endif
51103 +
51104         }
51105  
51106   out:
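Review bot: When `policy_vma(vma_m, new_pol)` fails, `policy_vma(vma, new_pol)` has already succeeded, so the `goto out` leaves the primary vma on the new policy and its mirror on the old one. Whether the two may legitimately diverge is not visible here. If they may not, restore the primary's previous policy on this error path; otherwise document that the divergence is harmless, e.g. `/* mirror keeps the old policy on failure; caller sees err */`. The loop header and the `out:` handling of mbind_range are outside this hunk.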
51107 @@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
51108  
51109         if (end < start)
51110                 return -EINVAL;
51111 +
51112 +#ifdef CONFIG_PAX_SEGMEXEC
51113 +       if (mm->pax_flags & MF_PAX_SEGMEXEC) {
51114 +               if (end > SEGMEXEC_TASK_SIZE)
51115 +                       return -EINVAL;
51116 +       } else
51117 +#endif
51118 +
51119 +       if (end > TASK_SIZE)
51120 +               return -EINVAL;
51121 +
51122         if (end == start)
51123                 return 0;
51124  
51125 @@ -1303,6 +1328,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51126         if (!mm)
51127                 return -EINVAL;
51128  
51129 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51130 +       if (mm != current->mm &&
51131 +           (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51132 +               err = -EPERM;
51133 +               goto out;
51134 +       }
51135 +#endif
51136 +
51137         /*
51138          * Check if this process has the right to modify the specified
51139          * process. The right exists if the process has administrative
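Review bot: This check returns `-EPERM` before the credential test further down, and nothing in the code says that refusing privileged callers is intended. With CONFIG_GRKERNSEC_PROC_MEMMAP even a caller holding CAP_SYS_NICE is refused for any other task that has RANDMMAP or SEGMEXEC set. Add a comment stating the reason, for example `/* do not let another task inspect or rearrange a randomized/mirrored address space */` (wording to be confirmed with the author). The flag test would also read better as `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)`. The identical block is added to move_pages in mm/migrate.c; the syscall body starts and ends outside this hunk.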
51140 @@ -1312,8 +1345,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
51141         rcu_read_lock();
51142         tcred = __task_cred(task);
51143         if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51144 -           cred->uid  != tcred->suid && cred->uid  != tcred->uid &&
51145 -           !capable(CAP_SYS_NICE)) {
51146 +           cred->uid  != tcred->suid && !capable(CAP_SYS_NICE)) {
51147                 rcu_read_unlock();
51148                 err = -EPERM;
51149                 goto out;
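Review bot: After `cred->uid != tcred->uid` is dropped, the permission rule is asymmetric and the code does not explain why. A caller still passes when its effective uid equals the target's real or saved uid, or its real uid equals the target's saved uid, but no longer when only the two real uids match. The explanatory comment just above this hunk presumably still describes the old four-way rule. Update it so the documented policy matches the code and states why real-uid equality alone is no longer sufficient. move_pages in mm/migrate.c receives the same edit; the rest of the syscall is outside this hunk.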
51150 @@ -2564,7 +2596,7 @@ int show_numa_map(struct seq_file *m, vo
51151  
51152         if (file) {
51153                 seq_printf(m, " file=");
51154 -               seq_path(m, &file->f_path, "\n\t= ");
51155 +               seq_path(m, &file->f_path, "\n\t\\= ");
51156         } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
51157                 seq_printf(m, " heap");
51158         } else if (vma->vm_start <= mm->start_stack &&
51159 diff -urNp linux-2.6.35.5/mm/migrate.c linux-2.6.35.5/mm/migrate.c
51160 --- linux-2.6.35.5/mm/migrate.c 2010-08-26 19:47:12.000000000 -0400
51161 +++ linux-2.6.35.5/mm/migrate.c 2010-09-17 20:12:37.000000000 -0400
51162 @@ -1102,6 +1102,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, 
51163         if (!mm)
51164                 return -EINVAL;
51165  
51166 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
51167 +       if (mm != current->mm &&
51168 +           (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
51169 +               err = -EPERM;
51170 +               goto out;
51171 +       }
51172 +#endif
51173 +
51174         /*
51175          * Check if this process has the right to modify the specified
51176          * process. The right exists if the process has administrative
51177 @@ -1111,8 +1119,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid, 
51178         rcu_read_lock();
51179         tcred = __task_cred(task);
51180         if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
51181 -           cred->uid  != tcred->suid && cred->uid  != tcred->uid &&
51182 -           !capable(CAP_SYS_NICE)) {
51183 +           cred->uid  != tcred->suid && !capable(CAP_SYS_NICE)) {
51184                 rcu_read_unlock();
51185                 err = -EPERM;
51186                 goto out;
51187 diff -urNp linux-2.6.35.5/mm/mlock.c linux-2.6.35.5/mm/mlock.c
51188 --- linux-2.6.35.5/mm/mlock.c   2010-08-26 19:47:12.000000000 -0400
51189 +++ linux-2.6.35.5/mm/mlock.c   2010-09-17 20:12:37.000000000 -0400
51190 @@ -13,6 +13,7 @@
51191  #include <linux/pagemap.h>
51192  #include <linux/mempolicy.h>
51193  #include <linux/syscalls.h>
51194 +#include <linux/security.h>
51195  #include <linux/sched.h>
51196  #include <linux/module.h>
51197  #include <linux/rmap.h>
51198 @@ -135,19 +136,6 @@ void munlock_vma_page(struct page *page)
51199         }
51200  }
51201  
51202 -/* Is the vma a continuation of the stack vma above it? */
51203 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
51204 -{
51205 -       return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
51206 -}
51207 -
51208 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
51209 -{
51210 -       return (vma->vm_flags & VM_GROWSDOWN) &&
51211 -               (vma->vm_start == addr) &&
51212 -               !vma_stack_continue(vma->vm_prev, addr);
51213 -}
51214 -
51215  /**
51216   * __mlock_vma_pages_range() -  mlock a range of pages in the vma.
51217   * @vma:   target vma
51218 @@ -180,12 +168,6 @@ static long __mlock_vma_pages_range(stru
51219         if (vma->vm_flags & VM_WRITE)
51220                 gup_flags |= FOLL_WRITE;
51221  
51222 -       /* We don't try to access the guard page of a stack vma */
51223 -       if (stack_guard_page(vma, start)) {
51224 -               addr += PAGE_SIZE;
51225 -               nr_pages--;
51226 -       }
51227 -
51228         while (nr_pages > 0) {
51229                 int i;
51230  
51231 @@ -451,6 +433,9 @@ static int do_mlock(unsigned long start,
51232                 return -EINVAL;
51233         if (end == start)
51234                 return 0;
51235 +       if (end > TASK_SIZE)
51236 +               return -EINVAL;
51237 +
51238         vma = find_vma_prev(current->mm, start, &prev);
51239         if (!vma || vma->vm_start > start)
51240                 return -ENOMEM;
51241 @@ -461,6 +446,11 @@ static int do_mlock(unsigned long start,
51242         for (nstart = start ; ; ) {
51243                 unsigned int newflags;
51244  
51245 +#ifdef CONFIG_PAX_SEGMEXEC
51246 +               if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51247 +                       break;
51248 +#endif
51249 +
51250                 /* Here we know that  vma->vm_start <= nstart < vma->vm_end. */
51251  
51252                 newflags = vma->vm_flags | VM_LOCKED;
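Review bot: The added `break` sits at the top of the loop, ahead of everything in the visible body, so it can exit before the first iteration has produced a result. That happens when the first vma already starts at or above SEGMEXEC_TASK_SIZE. If do_mlock returns a variable that is only assigned later in the loop body (its declaration and the return are outside this hunk), the returned value is indeterminate. The previous hunk bounds `end` by TASK_SIZE only, whereas the do_mbind hunk in mm/mempolicy.c rejects `end > SEGMEXEC_TASK_SIZE` with -EINVAL for SEGMEXEC tasks. Doing the same up front here makes the failure explicit: `if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && end > SEGMEXEC_TASK_SIZE) return -EINVAL;` under `#ifdef CONFIG_PAX_SEGMEXEC`.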
51253 @@ -510,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
51254         lock_limit >>= PAGE_SHIFT;
51255  
51256         /* check against resource limits */
51257 +       gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
51258         if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
51259                 error = do_mlock(start, len, 1);
51260         up_write(&current->mm->mmap_sem);
51261 @@ -531,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long, 
51262  static int do_mlockall(int flags)
51263  {
51264         struct vm_area_struct * vma, * prev = NULL;
51265 -       unsigned int def_flags = 0;
51266  
51267         if (flags & MCL_FUTURE)
51268 -               def_flags = VM_LOCKED;
51269 -       current->mm->def_flags = def_flags;
51270 +               current->mm->def_flags |= VM_LOCKED;
51271 +       else
51272 +               current->mm->def_flags &= ~VM_LOCKED;
51273         if (flags == MCL_FUTURE)
51274                 goto out;
51275  
51276         for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
51277 -               unsigned int newflags;
51278 +               unsigned long newflags;
51279 +
51280 +#ifdef CONFIG_PAX_SEGMEXEC
51281 +               if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
51282 +                       break;
51283 +#endif
51284  
51285 +               BUG_ON(vma->vm_end > TASK_SIZE);
51286                 newflags = vma->vm_flags | VM_LOCKED;
51287                 if (!(flags & MCL_CURRENT))
51288                         newflags &= ~VM_LOCKED;
51289 @@ -573,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
51290         lock_limit >>= PAGE_SHIFT;
51291  
51292         ret = -ENOMEM;
51293 +       gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
51294         if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
51295             capable(CAP_IPC_LOCK))
51296                 ret = do_mlockall(flags);
51297 diff -urNp linux-2.6.35.5/mm/mmap.c linux-2.6.35.5/mm/mmap.c
51298 --- linux-2.6.35.5/mm/mmap.c    2010-08-26 19:47:12.000000000 -0400
51299 +++ linux-2.6.35.5/mm/mmap.c    2010-09-17 20:12:37.000000000 -0400
51300 @@ -44,6 +44,16 @@
51301  #define arch_rebalance_pgtables(addr, len)             (addr)
51302  #endif
51303  
51304 +static inline void verify_mm_writelocked(struct mm_struct *mm)
51305 +{
51306 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
51307 +       if (unlikely(down_read_trylock(&mm->mmap_sem))) {
51308 +               up_read(&mm->mmap_sem);
51309 +               BUG();
51310 +       }
51311 +#endif
51312 +}
51313 +
51314  static void unmap_region(struct mm_struct *mm,
51315                 struct vm_area_struct *vma, struct vm_area_struct *prev,
51316                 unsigned long start, unsigned long end);
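Review bot: `verify_mm_writelocked()` has no comment, and its check is weaker than the name suggests. A failed `down_read_trylock()` shows only that the semaphore could not be taken for reading, typically because some task holds `mmap_sem` for writing; it does not show that the current task is the holder. Say so in a short header comment, e.g. `/* BUG if mmap_sem is evidently not write-locked; cannot prove current is the holder */`. The comment should also note that the body compiles to nothing unless CONFIG_DEBUG_VM or CONFIG_PAX is set, so callers must not rely on it as a runtime guarantee.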
51317 @@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
51318   *             x: (no) no      x: (no) yes     x: (no) yes     x: (yes) yes
51319   *
51320   */
51321 -pgprot_t protection_map[16] = {
51322 +pgprot_t protection_map[16] __read_only = {
51323         __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
51324         __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
51325  };
51326  
51327  pgprot_t vm_get_page_prot(unsigned long vm_flags)
51328  {
51329 -       return __pgprot(pgprot_val(protection_map[vm_flags &
51330 +       pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
51331                                 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
51332                         pgprot_val(arch_vm_get_page_prot(vm_flags)));
51333 +
51334 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51335 +       if (!(__supported_pte_mask & _PAGE_NX) &&
51336 +           (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
51337 +           (vm_flags & (VM_READ | VM_WRITE)))
51338 +               prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
51339 +#endif
51340 +
51341 +       return prot;
51342  }
51343  EXPORT_SYMBOL(vm_get_page_prot);
51344  
51345  int sysctl_overcommit_memory = OVERCOMMIT_GUESS;  /* heuristic overcommit */
51346  int sysctl_overcommit_ratio = 50;      /* default is 50% */
51347  int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
51348 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
51349  struct percpu_counter vm_committed_as;
51350  
51351  /*
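Review bot: The PAGEEXEC branch added to `vm_get_page_prot()` has no comment, and its three-part condition is hard to read cold. It fires only when `__supported_pte_mask` lacks `_PAGE_NX`, the mapping has `VM_PAGEEXEC` without `VM_EXEC`, and it is readable or writable. Suggest a comment such as `/* no hardware NX: tag non-executable PAGEEXEC mappings via pte_exprotect() */`, with the wording checked against the definition of `pte_exprotect()`, which is not in this hunk. The new `sysctl_heap_stack_gap` line would also benefit from a trailing comment giving its unit, as the two sysctls above it have.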
51352 @@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
51353         struct vm_area_struct *next = vma->vm_next;
51354  
51355         might_sleep();
51356 +       BUG_ON(vma->vm_mirror);
51357         if (vma->vm_ops && vma->vm_ops->close)
51358                 vma->vm_ops->close(vma);
51359         if (vma->vm_file) {
51360 @@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
51361          * not page aligned -Ram Gupta
51362          */
51363         rlim = rlimit(RLIMIT_DATA);
51364 +       gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
51365         if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
51366                         (mm->end_data - mm->start_data) > rlim)
51367                 goto out;
51368 @@ -695,6 +717,12 @@ static int
51369  can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
51370         struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51371  {
51372 +
51373 +#ifdef CONFIG_PAX_SEGMEXEC
51374 +       if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
51375 +               return 0;
51376 +#endif
51377 +
51378         if (is_mergeable_vma(vma, file, vm_flags) &&
51379             is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51380                 if (vma->vm_pgoff == vm_pgoff)
51381 @@ -714,6 +742,12 @@ static int
51382  can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
51383         struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
51384  {
51385 +
51386 +#ifdef CONFIG_PAX_SEGMEXEC
51387 +       if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
51388 +               return 0;
51389 +#endif
51390 +
51391         if (is_mergeable_vma(vma, file, vm_flags) &&
51392             is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
51393                 pgoff_t vm_pglen;
51394 @@ -756,13 +790,20 @@ can_vma_merge_after(struct vm_area_struc
51395  struct vm_area_struct *vma_merge(struct mm_struct *mm,
51396                         struct vm_area_struct *prev, unsigned long addr,
51397                         unsigned long end, unsigned long vm_flags,
51398 -                       struct anon_vma *anon_vma, struct file *file,
51399 +                       struct anon_vma *anon_vma, struct file *file,
51400                         pgoff_t pgoff, struct mempolicy *policy)
51401  {
51402         pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
51403         struct vm_area_struct *area, *next;
51404         int err;
51405  
51406 +#ifdef CONFIG_PAX_SEGMEXEC
51407 +       unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
51408 +       struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
51409 +
51410 +       BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
51411 +#endif
51412 +
51413         /*
51414          * We later require that vma->vm_flags == vm_flags,
51415          * so this tests vma->vm_flags & VM_SPECIAL, too.
51416 @@ -778,6 +819,15 @@ struct vm_area_struct *vma_merge(struct 
51417         if (next && next->vm_end == end)                /* cases 6, 7, 8 */
51418                 next = next->vm_next;
51419  
51420 +#ifdef CONFIG_PAX_SEGMEXEC
51421 +       if (prev)
51422 +               prev_m = pax_find_mirror_vma(prev);
51423 +       if (area)
51424 +               area_m = pax_find_mirror_vma(area);
51425 +       if (next)
51426 +               next_m = pax_find_mirror_vma(next);
51427 +#endif
51428 +
51429         /*
51430          * Can it merge with the predecessor?
51431          */
51432 @@ -797,9 +847,24 @@ struct vm_area_struct *vma_merge(struct 
51433                                                         /* cases 1, 6 */
51434                         err = vma_adjust(prev, prev->vm_start,
51435                                 next->vm_end, prev->vm_pgoff, NULL);
51436 -               } else                                  /* cases 2, 5, 7 */
51437 +
51438 +#ifdef CONFIG_PAX_SEGMEXEC
51439 +                       if (!err && prev_m)
51440 +                               err = vma_adjust(prev_m, prev_m->vm_start,
51441 +                                       next_m->vm_end, prev_m->vm_pgoff, NULL);
51442 +#endif
51443 +
51444 +               } else {                                /* cases 2, 5, 7 */
51445                         err = vma_adjust(prev, prev->vm_start,
51446                                 end, prev->vm_pgoff, NULL);
51447 +
51448 +#ifdef CONFIG_PAX_SEGMEXEC
51449 +                       if (!err && prev_m)
51450 +                               err = vma_adjust(prev_m, prev_m->vm_start,
51451 +                                               end_m, prev_m->vm_pgoff, NULL);
51452 +#endif
51453 +
51454 +               }
51455                 if (err)
51456                         return NULL;
51457                 return prev;
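Review bot: `next_m` is dereferenced in the cases 1, 6 branch under a guard that tests only `prev_m`, so the code silently depends on prev and next always agreeing on whether they have a mirror. The merge conditions presumably guarantee that (equal vm_flags), but nothing here says so; add a comment such as `/* prev and next merge only on equal vm_flags, so next_m exists whenever prev_m does */`. The cases 3, 8 branch in the following hunk has the same shape (`area_m` is tested, `next_m->vm_end` and `next_m->vm_pgoff` are read). Separately, if the mirror's vma_adjust() fails after the primary one succeeded, the function returns NULL with the primary already merged and the mirror unchanged, which looks like it leaves the pair out of step. vma_merge starts and ends outside this hunk.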
51458 @@ -812,12 +877,27 @@ struct vm_area_struct *vma_merge(struct 
51459                         mpol_equal(policy, vma_policy(next)) &&
51460                         can_vma_merge_before(next, vm_flags,
51461                                         anon_vma, file, pgoff+pglen)) {
51462 -               if (prev && addr < prev->vm_end)        /* case 4 */
51463 +               if (prev && addr < prev->vm_end) {      /* case 4 */
51464                         err = vma_adjust(prev, prev->vm_start,
51465                                 addr, prev->vm_pgoff, NULL);
51466 -               else                                    /* cases 3, 8 */
51467 +
51468 +#ifdef CONFIG_PAX_SEGMEXEC
51469 +                       if (!err && prev_m)
51470 +                               err = vma_adjust(prev_m, prev_m->vm_start,
51471 +                                               addr_m, prev_m->vm_pgoff, NULL);
51472 +#endif
51473 +
51474 +               } else {                                /* cases 3, 8 */
51475                         err = vma_adjust(area, addr, next->vm_end,
51476                                 next->vm_pgoff - pglen, NULL);
51477 +
51478 +#ifdef CONFIG_PAX_SEGMEXEC
51479 +                       if (!err && area_m)
51480 +                               err = vma_adjust(area_m, addr_m, next_m->vm_end,
51481 +                                               next_m->vm_pgoff - pglen, NULL);
51482 +#endif
51483 +
51484 +               }
51485                 if (err)
51486                         return NULL;
51487                 return area;
51488 @@ -932,14 +1012,11 @@ none:
51489  void vm_stat_account(struct mm_struct *mm, unsigned long flags,
51490                                                 struct file *file, long pages)
51491  {
51492 -       const unsigned long stack_flags
51493 -               = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
51494 -
51495         if (file) {
51496                 mm->shared_vm += pages;
51497                 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
51498                         mm->exec_vm += pages;
51499 -       } else if (flags & stack_flags)
51500 +       } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
51501                 mm->stack_vm += pages;
51502         if (flags & (VM_RESERVED|VM_IO))
51503                 mm->reserved_vm += pages;
51504 @@ -966,7 +1043,7 @@ unsigned long do_mmap_pgoff(struct file 
51505          * (the exception is when the underlying filesystem is noexec
51506          *  mounted, in which case we dont add PROT_EXEC.)
51507          */
51508 -       if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
51509 +       if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
51510                 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
51511                         prot |= PROT_EXEC;
51512  
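Review bot: The comment above this test (its opening lines are outside the hunk) no longer describes the condition once `PROT_WRITE` is included, because a write-only request under READ_IMPLIES_EXEC now also gains `PROT_EXEC`. That widens which mappings become executable for tasks with this personality, so the reason belongs next to the test, e.g. `/* write access implies read on the affected arches, so treat PROT_WRITE like PROT_READ */` if that is the intent.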
51513 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file 
51514         /* Obtain the address to map to. we verify (or select) it and ensure
51515          * that it represents a valid section of the address space.
51516          */
51517 -       addr = get_unmapped_area(file, addr, len, pgoff, flags);
51518 +       addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
51519         if (addr & ~PAGE_MASK)
51520                 return addr;
51521  
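Review bot: `MAP_EXECUTABLE` is reused here as an internal hint to get_unmapped_area(), but a caller-supplied `MAP_EXECUTABLE` already present in `flags` passes through unchanged, so the consumers cannot tell a real `PROT_EXEC` request from a userspace flag. If the placement code (not visible in this hunk) bases a decision on it, mask the user bit first: `addr = get_unmapped_area(file, addr, len, pgoff, (flags & ~MAP_EXECUTABLE) | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));`. A one-line comment stating that the flag is an internal hint at this call would also help.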
51522 @@ -1003,6 +1080,28 @@ unsigned long do_mmap_pgoff(struct file 
51523         vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
51524                         mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
51525  
51526 +#ifdef CONFIG_PAX_MPROTECT
51527 +       if (mm->pax_flags & MF_PAX_MPROTECT) {
51528 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
51529 +
51530 +#ifdef CONFIG_PAX_EMUPLT
51531 +                       vm_flags &= ~VM_EXEC;
51532 +#else
51533 +                       return -EPERM;
51534 +#endif
51535 +
51536 +               if (!(vm_flags & VM_EXEC))
51537 +                       vm_flags &= ~VM_MAYEXEC;
51538 +               else
51539 +                       vm_flags &= ~VM_MAYWRITE;
51540 +       }
51541 +#endif
51542 +
51543 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51544 +       if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
51545 +               vm_flags &= ~VM_PAGEEXEC;
51546 +#endif
51547 +
51548         if (flags & MAP_LOCKED)
51549                 if (!can_do_mlock())
51550                         return -EPERM;
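Review bot: The `if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))` in the CONFIG_PAX_MPROTECT block has no braces, and its single-statement body is chosen by `#ifdef CONFIG_PAX_EMUPLT` with blank lines on both sides. That is easy to misread and breaks as soon as either branch gains a second statement; put braces around the `#ifdef ... #endif` body. With CONFIG_PAX_EMUPLT a request for a writable and executable mapping succeeds with `VM_EXEC` silently removed instead of failing with `-EPERM`, and that difference deserves a comment such as `/* EMUPLT: downgrade W+X to W instead of refusing */`.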
51551 @@ -1014,6 +1113,7 @@ unsigned long do_mmap_pgoff(struct file 
51552                 locked += mm->locked_vm;
51553                 lock_limit = rlimit(RLIMIT_MEMLOCK);
51554                 lock_limit >>= PAGE_SHIFT;
51555 +               gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51556                 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
51557                         return -EAGAIN;
51558         }
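Review bot: `locked << PAGE_SHIFT` can wrap on 32-bit, because `locked` is a page count that already includes `mm->locked_vm`, so the value handed to gr_learn_resource() may be smaller than the real request. The limit comparison below is done in pages and is not affected, but the recorded figure would be wrong for large requests. Clamping before the shift or passing a wider type would avoid that, depending on the parameter type of gr_learn_resource(), which is not visible here. The acct_stack_growth hunk uses the same expression for RLIMIT_MEMLOCK.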
51559 @@ -1084,6 +1184,9 @@ unsigned long do_mmap_pgoff(struct file 
51560         if (error)
51561                 return error;
51562  
51563 +       if (!gr_acl_handle_mmap(file, prot))
51564 +               return -EACCES;
51565 +
51566         return mmap_region(file, addr, len, flags, vm_flags, pgoff);
51567  }
51568  EXPORT_SYMBOL(do_mmap_pgoff);
51569 @@ -1160,10 +1263,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
51570   */
51571  int vma_wants_writenotify(struct vm_area_struct *vma)
51572  {
51573 -       unsigned int vm_flags = vma->vm_flags;
51574 +       unsigned long vm_flags = vma->vm_flags;
51575  
51576         /* If it was private or non-writable, the write bit is already clear */
51577 -       if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
51578 +       if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
51579                 return 0;
51580  
51581         /* The backer wishes to know when pages are first written to? */
51582 @@ -1212,14 +1315,24 @@ unsigned long mmap_region(struct file *f
51583         unsigned long charged = 0;
51584         struct inode *inode =  file ? file->f_path.dentry->d_inode : NULL;
51585  
51586 +#ifdef CONFIG_PAX_SEGMEXEC
51587 +       struct vm_area_struct *vma_m = NULL;
51588 +#endif
51589 +
51590 +       /*
51591 +        * mm->mmap_sem is required to protect against another thread
51592 +        * changing the mappings in case we sleep.
51593 +        */
51594 +       verify_mm_writelocked(mm);
51595 +
51596         /* Clear old maps */
51597         error = -ENOMEM;
51598 -munmap_back:
51599         vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51600         if (vma && vma->vm_start < addr + len) {
51601                 if (do_munmap(mm, addr, len))
51602                         return -ENOMEM;
51603 -               goto munmap_back;
51604 +               vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
51605 +               BUG_ON(vma && vma->vm_start < addr + len);
51606         }
51607  
51608         /* Check against address space limit. */
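Review bot: The retry loop is replaced by one repeated lookup plus `BUG_ON(vma && vma->vm_start < addr + len)`, but nothing states why a second overlap is impossible. The new comment above verify_mm_writelocked() gives the premise (mmap_sem held for write); extend it to say that do_munmap() therefore leaves the range empty, so the BUG_ON records an invariant rather than checking input. If the invariant could ever be violated, `if (WARN_ON(vma && vma->vm_start < addr + len)) return -ENOMEM;` would fail the call instead of halting the machine.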
51609 @@ -1268,6 +1381,16 @@ munmap_back:
51610                 goto unacct_error;
51611         }
51612  
51613 +#ifdef CONFIG_PAX_SEGMEXEC
51614 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
51615 +               vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
51616 +               if (!vma_m) {
51617 +                       error = -ENOMEM;
51618 +                       goto free_vma;
51619 +               }
51620 +       }
51621 +#endif
51622 +
51623         vma->vm_mm = mm;
51624         vma->vm_start = addr;
51625         vma->vm_end = addr + len;
51626 @@ -1291,6 +1414,19 @@ munmap_back:
51627                 error = file->f_op->mmap(file, vma);
51628                 if (error)
51629                         goto unmap_and_free_vma;
51630 +
51631 +#ifdef CONFIG_PAX_SEGMEXEC
51632 +               if (vma_m && (vm_flags & VM_EXECUTABLE))
51633 +                       added_exe_file_vma(mm);
51634 +#endif
51635 +
51636 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
51637 +               if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
51638 +                       vma->vm_flags |= VM_PAGEEXEC;
51639 +                       vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
51640 +               }
51641 +#endif
51642 +
51643                 if (vm_flags & VM_EXECUTABLE)
51644                         added_exe_file_vma(mm);
51645  
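Review bot: Two consecutive `added_exe_file_vma(mm)` calls under nearly the same condition read like a copy-paste slip. The first one presumably counts the mirror vma, matching the call made for `new_m` in the __split_vma hunk; say so with `/* account the SEGMEXEC mirror as a second exe-file vma */`. Note also that this test uses the local `vm_flags`, while the PAGEEXEC block right after it reads `vma->vm_flags`, which the driver's mmap handler may have changed.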
51646 @@ -1326,6 +1462,11 @@ munmap_back:
51647         vma_link(mm, vma, prev, rb_link, rb_parent);
51648         file = vma->vm_file;
51649  
51650 +#ifdef CONFIG_PAX_SEGMEXEC
51651 +       if (vma_m)
51652 +               BUG_ON(pax_mirror_vma(vma_m, vma));
51653 +#endif
51654 +
51655         /* Once vma denies write, undo our temporary denial count */
51656         if (correct_wcount)
51657                 atomic_inc(&inode->i_writecount);
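Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` hides the call that installs the mirror inside an assertion macro. Readers tend to skip BUG_ON arguments, and any failure pax_mirror_vma() can report (its body is not in this hunk) becomes a kernel halt with the primary vma already linked. Store the result in a local, assert on that, and add a comment on why no unwinding is attempted at this point.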
51658 @@ -1334,6 +1475,7 @@ out:
51659  
51660         mm->total_vm += len >> PAGE_SHIFT;
51661         vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
51662 +       track_exec_limit(mm, addr, addr + len, vm_flags);
51663         if (vm_flags & VM_LOCKED) {
51664                 if (!mlock_vma_pages_range(vma, addr, addr + len))
51665                         mm->locked_vm += (len >> PAGE_SHIFT);
51666 @@ -1351,6 +1493,12 @@ unmap_and_free_vma:
51667         unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
51668         charged = 0;
51669  free_vma:
51670 +
51671 +#ifdef CONFIG_PAX_SEGMEXEC
51672 +       if (vma_m)
51673 +               kmem_cache_free(vm_area_cachep, vma_m);
51674 +#endif
51675 +
51676         kmem_cache_free(vm_area_cachep, vma);
51677  unacct_error:
51678         if (charged)
51679 @@ -1358,6 +1506,33 @@ unacct_error:
51680         return error;
51681  }
51682  
51683 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
51684 +{
51685 +       if (!vma) {
51686 +#ifdef CONFIG_STACK_GROWSUP
51687 +               if (addr > sysctl_heap_stack_gap)
51688 +                       vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
51689 +               else
51690 +                       vma = find_vma(current->mm, 0);
51691 +               if (vma && (vma->vm_flags & VM_GROWSUP))
51692 +                       return false;
51693 +#endif
51694 +               return true;
51695 +       }
51696 +
51697 +       if (addr + len > vma->vm_start)
51698 +               return false;
51699 +
51700 +       if (vma->vm_flags & VM_GROWSDOWN)
51701 +               return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
51702 +#ifdef CONFIG_STACK_GROWSUP
51703 +       else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
51704 +               return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
51705 +#endif
51706 +
51707 +       return true;
51708 +}
51709 +
51710  /* Get an address range which is currently unmapped.
51711   * For shmat() with addr=0.
51712   *
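Review bot: The CONFIG_STACK_GROWSUP branch at the end of check_heap_stack_gap() looks inverted: `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` accepts the range when it lies within the gap of the upward-growing stack and rejects it when it is further away. The VM_GROWSDOWN branch just above is written the other way round (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`), so this is presumably meant to be `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. The function also has no header comment; it should say that it returns true when [addr, addr+len) fits below `vma` with the configured gap to an adjacent stack, and that callers must already have bounded `addr + len`, since the sum is not checked for wrap.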
51713 @@ -1384,18 +1559,23 @@ arch_get_unmapped_area(struct file *filp
51714         if (flags & MAP_FIXED)
51715                 return addr;
51716  
51717 +#ifdef CONFIG_PAX_RANDMMAP
51718 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51719 +#endif
51720 +
51721         if (addr) {
51722                 addr = PAGE_ALIGN(addr);
51723 -               vma = find_vma(mm, addr);
51724 -               if (TASK_SIZE - len >= addr &&
51725 -                   (!vma || addr + len <= vma->vm_start))
51726 -                       return addr;
51727 +               if (TASK_SIZE - len >= addr) {
51728 +                       vma = find_vma(mm, addr);
51729 +                       if (check_heap_stack_gap(vma, addr, len))
51730 +                               return addr;
51731 +               }
51732         }
51733         if (len > mm->cached_hole_size) {
51734 -               start_addr = addr = mm->free_area_cache;
51735 +               start_addr = addr = mm->free_area_cache;
51736         } else {
51737 -               start_addr = addr = TASK_UNMAPPED_BASE;
51738 -               mm->cached_hole_size = 0;
51739 +               start_addr = addr = mm->mmap_base;
51740 +               mm->cached_hole_size = 0;
51741         }
51742  
51743  full_search:
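Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` wrapped in `#ifdef CONFIG_PAX_RANDMMAP` has no body of its own and governs the `if (addr) { ... }` that follows a blank line, so the control flow depends on the preprocessor and on nothing ever being inserted between the two. A comment such as `/* RANDMMAP: ignore the caller's address hint */` and folding the test into one condition would make it safe to edit. The same construct is repeated in the arch_get_unmapped_area_topdown hunk (there a comment line sits between the two `if`s) and, as a trailing `else` before `#endif`, in the split_vma hunk. The re-indented `start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` lines change only whitespace and add noise to the patch.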
51744 @@ -1406,34 +1586,40 @@ full_search:
51745                          * Start a new search - just in case we missed
51746                          * some holes.
51747                          */
51748 -                       if (start_addr != TASK_UNMAPPED_BASE) {
51749 -                               addr = TASK_UNMAPPED_BASE;
51750 -                               start_addr = addr;
51751 +                       if (start_addr != mm->mmap_base) {
51752 +                               start_addr = addr = mm->mmap_base;
51753                                 mm->cached_hole_size = 0;
51754                                 goto full_search;
51755                         }
51756                         return -ENOMEM;
51757                 }
51758 -               if (!vma || addr + len <= vma->vm_start) {
51759 -                       /*
51760 -                        * Remember the place where we stopped the search:
51761 -                        */
51762 -                       mm->free_area_cache = addr + len;
51763 -                       return addr;
51764 -               }
51765 +               if (check_heap_stack_gap(vma, addr, len))
51766 +                       break;
51767                 if (addr + mm->cached_hole_size < vma->vm_start)
51768                         mm->cached_hole_size = vma->vm_start - addr;
51769                 addr = vma->vm_end;
51770         }
51771 +
51772 +       /*
51773 +        * Remember the place where we stopped the search:
51774 +        */
51775 +       mm->free_area_cache = addr + len;
51776 +       return addr;
51777  }
51778  #endif 
51779  
51780  void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
51781  {
51782 +
51783 +#ifdef CONFIG_PAX_SEGMEXEC
51784 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51785 +               return;
51786 +#endif
51787 +
51788         /*
51789          * Is this a new hole at the lowest possible address?
51790          */
51791 -       if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
51792 +       if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
51793                 mm->free_area_cache = addr;
51794                 mm->cached_hole_size = ~0UL;
51795         }
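Review bot: After `check_heap_stack_gap(vma, addr, len)` returns false the loop reads `vma->vm_start`, but the removed test `!vma || ...` was what guaranteed a non-NULL `vma` at that point. check_heap_stack_gap() can return false for a NULL `vma` when CONFIG_STACK_GROWSUP is set and an upward-growing stack lies within the gap below `addr`, so on such a build this line would dereference NULL. An explicit `if (!vma)` case is needed before `if (addr + mm->cached_hole_size < vma->vm_start)`. The loop header is outside the hunk.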
51796 @@ -1451,7 +1637,7 @@ arch_get_unmapped_area_topdown(struct fi
51797  {
51798         struct vm_area_struct *vma;
51799         struct mm_struct *mm = current->mm;
51800 -       unsigned long addr = addr0;
51801 +       unsigned long base = mm->mmap_base, addr = addr0;
51802  
51803         /* requested length too big for entire address space */
51804         if (len > TASK_SIZE)
51805 @@ -1460,13 +1646,18 @@ arch_get_unmapped_area_topdown(struct fi
51806         if (flags & MAP_FIXED)
51807                 return addr;
51808  
51809 +#ifdef CONFIG_PAX_RANDMMAP
51810 +       if (!(mm->pax_flags & MF_PAX_RANDMMAP))
51811 +#endif
51812 +
51813         /* requesting a specific address */
51814         if (addr) {
51815                 addr = PAGE_ALIGN(addr);
51816 -               vma = find_vma(mm, addr);
51817 -               if (TASK_SIZE - len >= addr &&
51818 -                               (!vma || addr + len <= vma->vm_start))
51819 -                       return addr;
51820 +               if (TASK_SIZE - len >= addr) {
51821 +                       vma = find_vma(mm, addr);
51822 +                       if (check_heap_stack_gap(vma, addr, len))
51823 +                               return addr;
51824 +               }
51825         }
51826  
51827         /* check if free_area_cache is useful for us */
51828 @@ -1481,7 +1672,7 @@ arch_get_unmapped_area_topdown(struct fi
51829         /* make sure it can fit in the remaining address space */
51830         if (addr > len) {
51831                 vma = find_vma(mm, addr-len);
51832 -               if (!vma || addr <= vma->vm_start)
51833 +               if (check_heap_stack_gap(vma, addr - len, len))
51834                         /* remember the address as a hint for next time */
51835                         return (mm->free_area_cache = addr-len);
51836         }
51837 @@ -1498,7 +1689,7 @@ arch_get_unmapped_area_topdown(struct fi
51838                  * return with success:
51839                  */
51840                 vma = find_vma(mm, addr);
51841 -               if (!vma || addr+len <= vma->vm_start)
51842 +               if (check_heap_stack_gap(vma, addr, len))
51843                         /* remember the address as a hint for next time */
51844                         return (mm->free_area_cache = addr);
51845  
51846 @@ -1517,13 +1708,21 @@ bottomup:
51847          * can happen with large stack limits and large mmap()
51848          * allocations.
51849          */
51850 +       mm->mmap_base = TASK_UNMAPPED_BASE;
51851 +
51852 +#ifdef CONFIG_PAX_RANDMMAP
51853 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
51854 +               mm->mmap_base += mm->delta_mmap;
51855 +#endif
51856 +
51857 +       mm->free_area_cache = mm->mmap_base;
51858         mm->cached_hole_size = ~0UL;
51859 -       mm->free_area_cache = TASK_UNMAPPED_BASE;
51860         addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
51861         /*
51862          * Restore the topdown base:
51863          */
51864 -       mm->free_area_cache = mm->mmap_base;
51865 +       mm->mmap_base = base;
51866 +       mm->free_area_cache = base;
51867         mm->cached_hole_size = ~0UL;
51868  
51869         return addr;
51870 @@ -1532,6 +1731,12 @@ bottomup:
51871  
51872  void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
51873  {
51874 +
51875 +#ifdef CONFIG_PAX_SEGMEXEC
51876 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
51877 +               return;
51878 +#endif
51879 +
51880         /*
51881          * Is this a new hole at the highest possible address?
51882          */
51883 @@ -1539,8 +1744,10 @@ void arch_unmap_area_topdown(struct mm_s
51884                 mm->free_area_cache = addr;
51885  
51886         /* dont allow allocations above current base */
51887 -       if (mm->free_area_cache > mm->mmap_base)
51888 +       if (mm->free_area_cache > mm->mmap_base) {
51889                 mm->free_area_cache = mm->mmap_base;
51890 +               mm->cached_hole_size = ~0UL;
51891 +       }
51892  }
51893  
51894  unsigned long
51895 @@ -1648,6 +1855,34 @@ out:
51896         return prev ? prev->vm_next : vma;
51897  }
51898  
51899 +#ifdef CONFIG_PAX_SEGMEXEC
51900 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
51901 +{
51902 +       struct vm_area_struct *vma_m;
51903 +
51904 +       BUG_ON(!vma || vma->vm_start >= vma->vm_end);
51905 +       if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
51906 +               BUG_ON(vma->vm_mirror);
51907 +               return NULL;
51908 +       }
51909 +       BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
51910 +       vma_m = vma->vm_mirror;
51911 +       BUG_ON(!vma_m || vma_m->vm_mirror != vma);
51912 +       BUG_ON(vma->vm_file != vma_m->vm_file);
51913 +       BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
51914 +       BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
51915 +       if (vma->anon_vma != vma_m->anon_vma) {
51916 +               struct anon_vma_chain *avc, *avc_m;
51917 +
51918 +               avc = list_entry(vma->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51919 +               avc_m = list_entry(vma_m->anon_vma_chain.prev, struct anon_vma_chain, same_vma);
51920 +               BUG_ON(avc->anon_vma != avc_m->anon_vma);
51921 +       }
51922 +       BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED));
51923 +       return vma_m;
51924 +}
51925 +#endif
51926 +
51927  /*
51928   * Verify that the stack growth is acceptable and
51929   * update accounting. This is shared with both the
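Review bot: pax_find_mirror_vma() applies `list_entry(...anon_vma_chain.prev, ...)` to both chains without checking that they are non-empty. When `vma->anon_vma != vma_m->anon_vma` and either list is empty, `.prev` is the list head itself, `avc->anon_vma` is read from an unrelated offset, and the following BUG_ON compares garbage. Adding `BUG_ON(list_empty(&vma->anon_vma_chain) || list_empty(&vma_m->anon_vma_chain));` at the top of that block closes the gap. The function also needs a header comment saying that it returns the mirror or NULL and halts on any inconsistency between the pair, since every caller relies on that.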
51930 @@ -1664,6 +1899,7 @@ static int acct_stack_growth(struct vm_a
51931                 return -ENOMEM;
51932  
51933         /* Stack limit test */
51934 +       gr_learn_resource(current, RLIMIT_STACK, size, 1);
51935         if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
51936                 return -ENOMEM;
51937  
51938 @@ -1674,6 +1910,7 @@ static int acct_stack_growth(struct vm_a
51939                 locked = mm->locked_vm + grow;
51940                 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
51941                 limit >>= PAGE_SHIFT;
51942 +               gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
51943                 if (locked > limit && !capable(CAP_IPC_LOCK))
51944                         return -ENOMEM;
51945         }
51946 @@ -1709,35 +1946,42 @@ static
51947  #endif
51948  int expand_upwards(struct vm_area_struct *vma, unsigned long address)
51949  {
51950 -       int error;
51951 +       int error, locknext;
51952  
51953         if (!(vma->vm_flags & VM_GROWSUP))
51954                 return -EFAULT;
51955  
51956 +       /* Also guard against wrapping around to address 0. */
51957 +       if (address < PAGE_ALIGN(address+1))
51958 +               address = PAGE_ALIGN(address+1);
51959 +       else
51960 +               return -ENOMEM;
51961 +
51962         /*
51963          * We must make sure the anon_vma is allocated
51964          * so that the anon_vma locking is not a noop.
51965          */
51966         if (unlikely(anon_vma_prepare(vma)))
51967                 return -ENOMEM;
51968 +       locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
51969 +       if (locknext && anon_vma_prepare(vma->vm_next))
51970 +               return -ENOMEM;
51971         anon_vma_lock(vma);
51972 +       if (locknext)
51973 +               anon_vma_lock(vma->vm_next);
51974  
51975         /*
51976          * vma->vm_start/vm_end cannot change under us because the caller
51977          * is required to hold the mmap_sem in read mode.  We need the
51978 -        * anon_vma lock to serialize against concurrent expand_stacks.
51979 -        * Also guard against wrapping around to address 0.
51980 +        * anon_vma locks to serialize against concurrent expand_stacks
51981 +        * and expand_upwards.
51982          */
51983 -       if (address < PAGE_ALIGN(address+4))
51984 -               address = PAGE_ALIGN(address+4);
51985 -       else {
51986 -               anon_vma_unlock(vma);
51987 -               return -ENOMEM;
51988 -       }
51989         error = 0;
51990  
51991         /* Somebody else might have raced and expanded it already */
51992 -       if (address > vma->vm_end) {
51993 +       if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
51994 +               error = -ENOMEM;
51995 +       else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
51996                 unsigned long size, grow;
51997  
51998                 size = address - vma->vm_start;
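Review bot: The gap test `vma->vm_next->vm_start - address < sysctl_heap_stack_gap` is an unsigned subtraction, so if `address` is ever above `vma->vm_next->vm_start` the result wraps to a large value, the test passes, and with `locknext` at 0 the `else if` has no further bound against the next vma. Whether callers can pass such an address is not visible here; testing `address > vma->vm_next->vm_start ||` ahead of the subtraction removes the dependency. The expand_downwards hunk uses the mirrored form `address - prev->vm_end < sysctl_heap_stack_gap`. The retained comment about somebody else having raced now sits above the gap check rather than the race check, and the function body continues past this hunk.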
51999 @@ -1747,6 +1991,8 @@ int expand_upwards(struct vm_area_struct
52000                 if (!error)
52001                         vma->vm_end = address;
52002         }
52003 +       if (locknext)
52004 +               anon_vma_unlock(vma->vm_next);
52005         anon_vma_unlock(vma);
52006         return error;
52007  }
52008 @@ -1758,7 +2004,8 @@ int expand_upwards(struct vm_area_struct
52009  static int expand_downwards(struct vm_area_struct *vma,
52010                                    unsigned long address)
52011  {
52012 -       int error;
52013 +       int error, lockprev = 0;
52014 +       struct vm_area_struct *prev;
52015  
52016         /*
52017          * We must make sure the anon_vma is allocated
52018 @@ -1772,6 +2019,15 @@ static int expand_downwards(struct vm_ar
52019         if (error)
52020                 return error;
52021  
52022 +       prev = vma->vm_prev;
52023 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
52024 +       lockprev = prev && (prev->vm_flags & VM_GROWSUP);
52025 +#endif
52026 +       if (lockprev && anon_vma_prepare(prev))
52027 +               return -ENOMEM;
52028 +       if (lockprev)
52029 +               anon_vma_lock(prev);
52030 +
52031         anon_vma_lock(vma);
52032  
52033         /*
52034 @@ -1781,9 +2037,17 @@ static int expand_downwards(struct vm_ar
52035          */
52036  
52037         /* Somebody else might have raced and expanded it already */
52038 -       if (address < vma->vm_start) {
52039 +       if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
52040 +               error = -ENOMEM;
52041 +       else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
52042                 unsigned long size, grow;
52043  
52044 +#ifdef CONFIG_PAX_SEGMEXEC
52045 +               struct vm_area_struct *vma_m;
52046 +
52047 +               vma_m = pax_find_mirror_vma(vma);
52048 +#endif
52049 +
52050                 size = vma->vm_end - address;
52051                 grow = (vma->vm_start - address) >> PAGE_SHIFT;
52052  
52053 @@ -1791,9 +2055,20 @@ static int expand_downwards(struct vm_ar
52054                 if (!error) {
52055                         vma->vm_start = address;
52056                         vma->vm_pgoff -= grow;
52057 +                       track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
52058 +
52059 +#ifdef CONFIG_PAX_SEGMEXEC
52060 +                       if (vma_m) {
52061 +                               vma_m->vm_start -= grow << PAGE_SHIFT;
52062 +                               vma_m->vm_pgoff -= grow;
52063 +                       }
52064 +#endif
52065 +
52066                 }
52067         }
52068         anon_vma_unlock(vma);
52069 +       if (lockprev)
52070 +               anon_vma_unlock(prev);
52071         return error;
52072  }
52073  
52074 @@ -1867,6 +2142,13 @@ static void remove_vma_list(struct mm_st
52075         do {
52076                 long nrpages = vma_pages(vma);
52077  
52078 +#ifdef CONFIG_PAX_SEGMEXEC
52079 +               if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
52080 +                       vma = remove_vma(vma);
52081 +                       continue;
52082 +               }
52083 +#endif
52084 +
52085                 mm->total_vm -= nrpages;
52086                 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
52087                 vma = remove_vma(vma);
52088 @@ -1912,6 +2194,16 @@ detach_vmas_to_be_unmapped(struct mm_str
52089         insertion_point = (prev ? &prev->vm_next : &mm->mmap);
52090         vma->vm_prev = NULL;
52091         do {
52092 +
52093 +#ifdef CONFIG_PAX_SEGMEXEC
52094 +               if (vma->vm_mirror) {
52095 +                       BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
52096 +                       vma->vm_mirror->vm_mirror = NULL;
52097 +                       vma->vm_mirror->vm_flags &= ~VM_EXEC;
52098 +                       vma->vm_mirror = NULL;
52099 +               }
52100 +#endif
52101 +
52102                 rb_erase(&vma->vm_rb, &mm->mm_rb);
52103                 mm->map_count--;
52104                 tail_vma = vma;
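Review bot: The block that unlinks `vm_mirror` and clears `VM_EXEC` on the mirror has no comment, and the reason for touching `vm_flags` is not obvious. From pax_find_mirror_vma() earlier in this patch, an executable vma in a SEGMEXEC mm must have a valid `vm_mirror`, so clearing the flag presumably keeps that assertion from firing when the now unpaired mirror is processed on its own. State that, e.g. `/* break the pair; an unpaired mirror must not look executable */`, and say whether `vm_page_prot` is left alone because the mirror is about to be unmapped.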
52105 @@ -1940,14 +2232,33 @@ static int __split_vma(struct mm_struct 
52106         struct vm_area_struct *new;
52107         int err = -ENOMEM;
52108  
52109 +#ifdef CONFIG_PAX_SEGMEXEC
52110 +       struct vm_area_struct *vma_m, *new_m = NULL;
52111 +       unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
52112 +#endif
52113 +
52114         if (is_vm_hugetlb_page(vma) && (addr &
52115                                         ~(huge_page_mask(hstate_vma(vma)))))
52116                 return -EINVAL;
52117  
52118 +#ifdef CONFIG_PAX_SEGMEXEC
52119 +       vma_m = pax_find_mirror_vma(vma);
52120 +#endif
52121 +
52122         new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52123         if (!new)
52124                 goto out_err;
52125  
52126 +#ifdef CONFIG_PAX_SEGMEXEC
52127 +       if (vma_m) {
52128 +               new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
52129 +               if (!new_m) {
52130 +                       kmem_cache_free(vm_area_cachep, new);
52131 +                       goto out_err;
52132 +               }
52133 +       }
52134 +#endif
52135 +
52136         /* most fields are the same, copy all, and then fixup */
52137         *new = *vma;
52138  
52139 @@ -1960,6 +2271,22 @@ static int __split_vma(struct mm_struct 
52140                 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
52141         }
52142  
52143 +#ifdef CONFIG_PAX_SEGMEXEC
52144 +       if (vma_m) {
52145 +               *new_m = *vma_m;
52146 +               INIT_LIST_HEAD(&new_m->anon_vma_chain);
52147 +               new_m->vm_mirror = new;
52148 +               new->vm_mirror = new_m;
52149 +
52150 +               if (new_below)
52151 +                       new_m->vm_end = addr_m;
52152 +               else {
52153 +                       new_m->vm_start = addr_m;
52154 +                       new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
52155 +               }
52156 +       }
52157 +#endif
52158 +
52159         pol = mpol_dup(vma_policy(vma));
52160         if (IS_ERR(pol)) {
52161                 err = PTR_ERR(pol);
52162 @@ -1985,6 +2312,42 @@ static int __split_vma(struct mm_struct 
52163         else
52164                 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
52165  
52166 +#ifdef CONFIG_PAX_SEGMEXEC
52167 +       if (!err && vma_m) {
52168 +               if (anon_vma_clone(new_m, vma_m))
52169 +                       goto out_free_mpol;
52170 +
52171 +               mpol_get(pol);
52172 +               vma_set_policy(new_m, pol);
52173 +
52174 +               if (new_m->vm_file) {
52175 +                       get_file(new_m->vm_file);
52176 +                       if (vma_m->vm_flags & VM_EXECUTABLE)
52177 +                               added_exe_file_vma(mm);
52178 +               }
52179 +
52180 +               if (new_m->vm_ops && new_m->vm_ops->open)
52181 +                       new_m->vm_ops->open(new_m);
52182 +
52183 +               if (new_below)
52184 +                       err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
52185 +                               ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
52186 +               else
52187 +                       err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
52188 +
52189 +               if (err) {
52190 +                       if (new_m->vm_ops && new_m->vm_ops->close)
52191 +                               new_m->vm_ops->close(new_m);
52192 +                       if (new_m->vm_file) {
52193 +                               if (vma_m->vm_flags & VM_EXECUTABLE)
52194 +                                       removed_exe_file_vma(mm);
52195 +                               fput(new_m->vm_file);
52196 +                       }
52197 +                       mpol_put(pol);
52198 +               }
52199 +       }
52200 +#endif
52201 +
52202         /* Success. */
52203         if (!err)
52204                 return 0;
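Review bot: In the mirror block, `if (anon_vma_clone(new_m, vma_m)) goto out_free_mpol;` runs only when `err` is 0, so on failure the function frees `new` and `new_m` at the labels in the next hunk and then returns 0. Carry the error instead: `err = anon_vma_clone(new_m, vma_m);` followed by `if (err) goto out_free_mpol;`. In addition, by this point the primary vma_adjust() has succeeded with `new` as its insert argument, so both this path and the `if (err)` cleanup after the mirror's vma_adjust() reach `kmem_cache_free(vm_area_cachep, new)` for a vma that appears to be linked into the mm already. Doing the mirror's fallible steps before the primary vma_adjust() would avoid having to unwind a completed split.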
52205 @@ -2000,6 +2363,15 @@ static int __split_vma(struct mm_struct 
52206   out_free_mpol:
52207         mpol_put(pol);
52208   out_free_vma:
52209 +
52210 +#ifdef CONFIG_PAX_SEGMEXEC
52211 +       if (new_m) {
52212 +               unlink_anon_vmas(new_m);
52213 +               kmem_cache_free(vm_area_cachep, new_m);
52214 +       }
52215 +#endif
52216 +
52217 +       unlink_anon_vmas(new);
52218         kmem_cache_free(vm_area_cachep, new);
52219   out_err:
52220         return err;
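Review bot: These cleanup labels are now also reached from the SEGMEXEC block in the preceding hunk, where `goto out_free_mpol` is taken when `anon_vma_clone(new_m, vma_m)` fails. That jump sits under `if (!err && vma_m)`, so it happens after the first `vma_adjust()` call has succeeded with `new` as its insert argument. This path therefore frees a `new` that has presumably already been linked into the mm, and then returns `err`, which is still 0. Doing the mirror's `anon_vma_clone()` before the first `vma_adjust()`, and setting `err = -ENOMEM` on failure, would avoid both problems. The `if (new_m)` test also relies on `new_m` being NULL when there is no mirror, and its initialisation is above the visible part of the function.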
52221 @@ -2012,6 +2384,15 @@ static int __split_vma(struct mm_struct 
52222  int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
52223               unsigned long addr, int new_below)
52224  {
52225 +
52226 +#ifdef CONFIG_PAX_SEGMEXEC
52227 +       if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52228 +               BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
52229 +               if (mm->map_count >= sysctl_max_map_count-1)
52230 +                       return -ENOMEM;
52231 +       } else
52232 +#endif
52233 +
52234         if (mm->map_count >= sysctl_max_map_count)
52235                 return -ENOMEM;
52236  
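Review bot: The `} else` that closes the SEGMEXEC branch is left dangling across the `#endif`, so the unconditional-looking `if (mm->map_count >= sysctl_max_map_count)` is actually its body. Any statement later inserted between the `#endif` and that `if` silently changes which limit is enforced; the same construct guards the `end > TASK_SIZE` test in the mprotect syscall hunk further down. Computing the limit into a local inside the `#ifdef` and testing once with `if (mm->map_count >= limit) return -ENOMEM;` keeps both configurations on one path. A short comment on why the SEGMEXEC case uses `sysctl_max_map_count-1` (presumably to leave room for the mirror vma) would help as well.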
52237 @@ -2023,11 +2404,30 @@ int split_vma(struct mm_struct *mm, stru
52238   * work.  This now handles partial unmappings.
52239   * Jeremy Fitzhardinge <jeremy@goop.org>
52240   */
52241 +#ifdef CONFIG_PAX_SEGMEXEC
52242 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52243 +{
52244 +       int ret = __do_munmap(mm, start, len);
52245 +       if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
52246 +               return ret;
52247 +
52248 +       return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
52249 +}
52250 +
52251 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52252 +#else
52253  int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
52254 +#endif
52255  {
52256         unsigned long end;
52257         struct vm_area_struct *vma, *prev, *last;
52258  
52259 +       /*
52260 +        * mm->mmap_sem is required to protect against another thread
52261 +        * changing the mappings in case we sleep.
52262 +        */
52263 +       verify_mm_writelocked(mm);
52264 +
52265         if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
52266                 return -EINVAL;
52267  
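Review bot: The SEGMEXEC `do_munmap()` wrapper is not all-or-nothing: if the first `__do_munmap()` succeeds and the second one on `start + SEGMEXEC_TASK_SIZE` fails, the caller gets an error while the primary range is already gone and the mirror range is still mapped. The wrapper also performs no range check of its own, so it relies on every caller bounding `start` and `len` against `SEGMEXEC_TASK_SIZE` as the munmap syscall hunk does; `__do_munmap()` itself only checks against `TASK_SIZE`. I would state both points in a comment above the wrapper, e.g. `/* caller keeps [start, start+len) below SEGMEXEC_TASK_SIZE; on error the primary range may already be unmapped */`. The body of `__do_munmap()` continues outside the hunk.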
52268 @@ -2101,6 +2501,8 @@ int do_munmap(struct mm_struct *mm, unsi
52269         /* Fix up all other VM information */
52270         remove_vma_list(mm, vma);
52271  
52272 +       track_exec_limit(mm, start, end, 0UL);
52273 +
52274         return 0;
52275  }
52276  
52277 @@ -2113,22 +2515,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
52278  
52279         profile_munmap(addr);
52280  
52281 +#ifdef CONFIG_PAX_SEGMEXEC
52282 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
52283 +           (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
52284 +               return -EINVAL;
52285 +#endif
52286 +
52287         down_write(&mm->mmap_sem);
52288         ret = do_munmap(mm, addr, len);
52289         up_write(&mm->mmap_sem);
52290         return ret;
52291  }
52292  
52293 -static inline void verify_mm_writelocked(struct mm_struct *mm)
52294 -{
52295 -#ifdef CONFIG_DEBUG_VM
52296 -       if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52297 -               WARN_ON(1);
52298 -               up_read(&mm->mmap_sem);
52299 -       }
52300 -#endif
52301 -}
52302 -
52303  /*
52304   *  this is really a simplified "do_mmap".  it only handles
52305   *  anonymous maps.  eventually we may be able to do some
52306 @@ -2142,6 +2540,7 @@ unsigned long do_brk(unsigned long addr,
52307         struct rb_node ** rb_link, * rb_parent;
52308         pgoff_t pgoff = addr >> PAGE_SHIFT;
52309         int error;
52310 +       unsigned long charged;
52311  
52312         len = PAGE_ALIGN(len);
52313         if (!len)
52314 @@ -2153,16 +2552,30 @@ unsigned long do_brk(unsigned long addr,
52315  
52316         flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
52317  
52318 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
52319 +       if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
52320 +               flags &= ~VM_EXEC;
52321 +
52322 +#ifdef CONFIG_PAX_MPROTECT
52323 +               if (mm->pax_flags & MF_PAX_MPROTECT)
52324 +                       flags &= ~VM_MAYEXEC;
52325 +#endif
52326 +
52327 +       }
52328 +#endif
52329 +
52330         error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
52331         if (error & ~PAGE_MASK)
52332                 return error;
52333  
52334 +       charged = len >> PAGE_SHIFT;
52335 +
52336         /*
52337          * mlock MCL_FUTURE?
52338          */
52339         if (mm->def_flags & VM_LOCKED) {
52340                 unsigned long locked, lock_limit;
52341 -               locked = len >> PAGE_SHIFT;
52342 +               locked = charged;
52343                 locked += mm->locked_vm;
52344                 lock_limit = rlimit(RLIMIT_MEMLOCK);
52345                 lock_limit >>= PAGE_SHIFT;
52346 @@ -2179,22 +2592,22 @@ unsigned long do_brk(unsigned long addr,
52347         /*
52348          * Clear old maps.  this also does some error checking for us
52349          */
52350 - munmap_back:
52351         vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52352         if (vma && vma->vm_start < addr + len) {
52353                 if (do_munmap(mm, addr, len))
52354                         return -ENOMEM;
52355 -               goto munmap_back;
52356 +               vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52357 +               BUG_ON(vma && vma->vm_start < addr + len);
52358         }
52359  
52360         /* Check against address space limits *after* clearing old maps... */
52361 -       if (!may_expand_vm(mm, len >> PAGE_SHIFT))
52362 +       if (!may_expand_vm(mm, charged))
52363                 return -ENOMEM;
52364  
52365         if (mm->map_count > sysctl_max_map_count)
52366                 return -ENOMEM;
52367  
52368 -       if (security_vm_enough_memory(len >> PAGE_SHIFT))
52369 +       if (security_vm_enough_memory(charged))
52370                 return -ENOMEM;
52371  
52372         /* Can we just expand an old private anonymous mapping? */
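Review bot: Replacing the `goto munmap_back` retry with `BUG_ON(vma && vma->vm_start < addr + len)` turns an unexpected leftover mapping into a kernel crash instead of a failed `brk`. Nothing has been charged at this point (`security_vm_enough_memory(charged)` only runs further down), so failing cleanly is cheap: `if (WARN_ON(vma && vma->vm_start < addr + len)) return -ENOMEM;`. If the hard stop is deliberate, a one-line comment saying that a successful `do_munmap()` must leave the range empty would make the invariant explicit.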
52373 @@ -2208,7 +2621,7 @@ unsigned long do_brk(unsigned long addr,
52374          */
52375         vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52376         if (!vma) {
52377 -               vm_unacct_memory(len >> PAGE_SHIFT);
52378 +               vm_unacct_memory(charged);
52379                 return -ENOMEM;
52380         }
52381  
52382 @@ -2221,11 +2634,12 @@ unsigned long do_brk(unsigned long addr,
52383         vma->vm_page_prot = vm_get_page_prot(flags);
52384         vma_link(mm, vma, prev, rb_link, rb_parent);
52385  out:
52386 -       mm->total_vm += len >> PAGE_SHIFT;
52387 +       mm->total_vm += charged;
52388         if (flags & VM_LOCKED) {
52389                 if (!mlock_vma_pages_range(vma, addr, addr + len))
52390 -                       mm->locked_vm += (len >> PAGE_SHIFT);
52391 +                       mm->locked_vm += charged;
52392         }
52393 +       track_exec_limit(mm, addr, addr + len, flags);
52394         return addr;
52395  }
52396  
52397 @@ -2272,8 +2686,10 @@ void exit_mmap(struct mm_struct *mm)
52398          * Walk the list again, actually closing and freeing it,
52399          * with preemption enabled, without holding any MM locks.
52400          */
52401 -       while (vma)
52402 +       while (vma) {
52403 +               vma->vm_mirror = NULL;
52404                 vma = remove_vma(vma);
52405 +       }
52406  
52407         BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
52408  }
52409 @@ -2287,6 +2703,10 @@ int insert_vm_struct(struct mm_struct * 
52410         struct vm_area_struct * __vma, * prev;
52411         struct rb_node ** rb_link, * rb_parent;
52412  
52413 +#ifdef CONFIG_PAX_SEGMEXEC
52414 +       struct vm_area_struct *vma_m = NULL;
52415 +#endif
52416 +
52417         /*
52418          * The vm_pgoff of a purely anonymous vma should be irrelevant
52419          * until its first write fault, when page's anon_vma and index
52420 @@ -2309,7 +2729,22 @@ int insert_vm_struct(struct mm_struct * 
52421         if ((vma->vm_flags & VM_ACCOUNT) &&
52422              security_vm_enough_memory_mm(mm, vma_pages(vma)))
52423                 return -ENOMEM;
52424 +
52425 +#ifdef CONFIG_PAX_SEGMEXEC
52426 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
52427 +               vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52428 +               if (!vma_m)
52429 +                       return -ENOMEM;
52430 +       }
52431 +#endif
52432 +
52433         vma_link(mm, vma, prev, rb_link, rb_parent);
52434 +
52435 +#ifdef CONFIG_PAX_SEGMEXEC
52436 +       if (vma_m)
52437 +               BUG_ON(pax_mirror_vma(vma_m, vma));
52438 +#endif
52439 +
52440         return 0;
52441  }
52442  
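Review bot: The new `return -ENOMEM` after a failed `kmem_cache_zalloc()` is reached after `security_vm_enough_memory_mm()` has already succeeded for a `VM_ACCOUNT` vma, so as far as this hunk shows the commit charge is never given back on that path. Either allocate `vma_m` before the accounting check or undo the charge before returning, e.g. `if (vma->vm_flags & VM_ACCOUNT) vm_unacct_memory(vma_pages(vma));`. Separately, `BUG_ON(pax_mirror_vma(vma_m, vma))` converts the `-ENOMEM` that `pax_mirror_vma()` returns when `anon_vma_clone()` fails into a kernel crash. It runs after `vma_link()`, so there is no simple unwind, and that deserves at least a comment explaining why failure is treated as impossible here.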
52443 @@ -2327,6 +2762,8 @@ struct vm_area_struct *copy_vma(struct v
52444         struct rb_node **rb_link, *rb_parent;
52445         struct mempolicy *pol;
52446  
52447 +       BUG_ON(vma->vm_mirror);
52448 +
52449         /*
52450          * If anonymous vma has not yet been faulted, update new pgoff
52451          * to match new location, to increase its chance of merging.
52452 @@ -2376,6 +2813,39 @@ struct vm_area_struct *copy_vma(struct v
52453         kmem_cache_free(vm_area_cachep, new_vma);
52454         return NULL;
52455  }
52456
52457 +#ifdef CONFIG_PAX_SEGMEXEC
52458 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
52459 +{
52460 +       struct vm_area_struct *prev_m;
52461 +       struct rb_node **rb_link_m, *rb_parent_m;
52462 +       struct mempolicy *pol_m;
52463 +
52464 +       BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
52465 +       BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
52466 +       BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
52467 +       *vma_m = *vma;
52468 +       INIT_LIST_HEAD(&vma_m->anon_vma_chain);
52469 +       if (anon_vma_clone(vma_m, vma))
52470 +               return -ENOMEM;
52471 +       pol_m = vma_policy(vma_m);
52472 +       mpol_get(pol_m);
52473 +       vma_set_policy(vma_m, pol_m);
52474 +       vma_m->vm_start += SEGMEXEC_TASK_SIZE;
52475 +       vma_m->vm_end += SEGMEXEC_TASK_SIZE;
52476 +       vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
52477 +       vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
52478 +       if (vma_m->vm_file)
52479 +               get_file(vma_m->vm_file);
52480 +       if (vma_m->vm_ops && vma_m->vm_ops->open)
52481 +               vma_m->vm_ops->open(vma_m);
52482 +       find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
52483 +       vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
52484 +       vma_m->vm_mirror = vma;
52485 +       vma->vm_mirror = vma_m;
52486 +       return 0;
52487 +}
52488 +#endif
52489  
52490  /*
52491   * Return true if the calling process may expand its vm space by the passed
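Review bot: `pax_mirror_vma()` has no header comment, and its contract cannot be read off the callers. On the `anon_vma_clone()` failure path it returns `-ENOMEM` after `*vma_m = *vma` has already overwritten the caller's object, and it does not free `vma_m`, so the caller still owns the allocation on failure. I would add a comment stating that `vma_m` must be a zeroed object from `vm_area_cachep`, that the caller releases it on a non-zero return, and that the mirror is created with `VM_WRITE`, `VM_MAYWRITE`, `VM_ACCOUNT` and `VM_LOCKED` cleared; the locking expectation (presumably `mmap_sem` held for writing) belongs there too. The return type is `long` although both visible callers treat the result as an `int` error code.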
52492 @@ -2387,7 +2857,7 @@ int may_expand_vm(struct mm_struct *mm, 
52493         unsigned long lim;
52494  
52495         lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
52496 -
52497 +       gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
52498         if (cur + npages > lim)
52499                 return 0;
52500         return 1;
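Review bot: The value handed to `gr_learn_resource()` is `(cur + npages) << PAGE_SHIFT`, a byte count obtained by shifting a page count left, while the limit test right below deliberately compares in pages (`lim` is `rlimit(RLIMIT_AS) >> PAGE_SHIFT`). With a 32-bit `unsigned long` that shift can wrap for large requests, so the recorded value may be far smaller than what was actually asked for. If the learning code is meant to see the real demand, clamp before shifting, for instance by passing `ULONG_MAX` when `cur + npages > (ULONG_MAX >> PAGE_SHIFT)`. The declaration of `cur` and the signature of `gr_learn_resource()` are outside the hunk, so the parameter width should be confirmed.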
52501 @@ -2457,6 +2927,17 @@ int install_special_mapping(struct mm_st
52502         vma->vm_start = addr;
52503         vma->vm_end = addr + len;
52504  
52505 +#ifdef CONFIG_PAX_MPROTECT
52506 +       if (mm->pax_flags & MF_PAX_MPROTECT) {
52507 +               if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
52508 +                       return -EPERM;
52509 +               if (!(vm_flags & VM_EXEC))
52510 +                       vm_flags &= ~VM_MAYEXEC;
52511 +               else
52512 +                       vm_flags &= ~VM_MAYWRITE;
52513 +       }
52514 +#endif
52515 +
52516         vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
52517         vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52518  
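Review bot: The added `return -EPERM` sits after `vma->vm_start` and `vma->vm_end` have been assigned, so `vma` has already been allocated by then (the allocation is above the hunk) and this early return does not release it. Rejecting a `VM_WRITE | VM_EXEC` request under `MF_PAX_MPROTECT` is the right call, but the check should either move above the allocation, where only `vm_flags` and `mm` are needed, or free `vma` before returning with the same release call the function's existing error path uses. The function continues outside the hunk on both sides.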
52519 diff -urNp linux-2.6.35.5/mm/mprotect.c linux-2.6.35.5/mm/mprotect.c
52520 --- linux-2.6.35.5/mm/mprotect.c        2010-08-26 19:47:12.000000000 -0400
52521 +++ linux-2.6.35.5/mm/mprotect.c        2010-09-17 20:12:37.000000000 -0400
52522 @@ -23,10 +23,16 @@
52523  #include <linux/mmu_notifier.h>
52524  #include <linux/migrate.h>
52525  #include <linux/perf_event.h>
52526 +
52527 +#ifdef CONFIG_PAX_MPROTECT
52528 +#include <linux/elf.h>
52529 +#endif
52530 +
52531  #include <asm/uaccess.h>
52532  #include <asm/pgtable.h>
52533  #include <asm/cacheflush.h>
52534  #include <asm/tlbflush.h>
52535 +#include <asm/mmu_context.h>
52536  
52537  #ifndef pgprot_modify
52538  static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
52539 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
52540         flush_tlb_range(vma, start, end);
52541  }
52542  
52543 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52544 +/* called while holding the mmap semaphor for writing except stack expansion */
52545 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
52546 +{
52547 +       unsigned long oldlimit, newlimit = 0UL;
52548 +
52549 +       if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
52550 +               return;
52551 +
52552 +       spin_lock(&mm->page_table_lock);
52553 +       oldlimit = mm->context.user_cs_limit;
52554 +       if ((prot & VM_EXEC) && oldlimit < end)
52555 +               /* USER_CS limit moved up */
52556 +               newlimit = end;
52557 +       else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
52558 +               /* USER_CS limit moved down */
52559 +               newlimit = start;
52560 +
52561 +       if (newlimit) {
52562 +               mm->context.user_cs_limit = newlimit;
52563 +
52564 +#ifdef CONFIG_SMP
52565 +               wmb();
52566 +               cpus_clear(mm->context.cpu_user_cs_mask);
52567 +               cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
52568 +#endif
52569 +
52570 +               set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
52571 +       }
52572 +       spin_unlock(&mm->page_table_lock);
52573 +       if (newlimit == end) {
52574 +               struct vm_area_struct *vma = find_vma(mm, oldlimit);
52575 +
52576 +               for (; vma && vma->vm_start < end; vma = vma->vm_next)
52577 +                       if (is_vm_hugetlb_page(vma))
52578 +                               hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
52579 +                       else
52580 +                               change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
52581 +       }
52582 +}
52583 +#endif
52584 +
52585  int
52586  mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
52587         unsigned long start, unsigned long end, unsigned long newflags)
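Review bot: `newlimit` uses 0 both as "no change" and as a possible new limit: in the "moved down" branch `newlimit = start`, so a non-executable range that starts at address 0 and covers `oldlimit` leaves `user_cs_limit` untouched. If `start` can never be 0 on this path, a comment should say so; otherwise a separate `bool changed` removes the ambiguity. The header comment should also state what protects the vma walk at the end in the stack-expansion case it mentions, since that walk runs after `page_table_lock` has been dropped. The `for` loop's `if`/`else` body would be easier to read with braces.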
52588 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
52589         int error;
52590         int dirty_accountable = 0;
52591  
52592 +#ifdef CONFIG_PAX_SEGMEXEC
52593 +       struct vm_area_struct *vma_m = NULL;
52594 +       unsigned long start_m, end_m;
52595 +
52596 +       start_m = start + SEGMEXEC_TASK_SIZE;
52597 +       end_m = end + SEGMEXEC_TASK_SIZE;
52598 +#endif
52599 +
52600         if (newflags == oldflags) {
52601                 *pprev = vma;
52602                 return 0;
52603         }
52604  
52605 +       if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
52606 +               struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
52607 +
52608 +               if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
52609 +                       return -ENOMEM;
52610 +
52611 +               if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
52612 +                       return -ENOMEM;
52613 +       }
52614 +
52615         /*
52616          * If we make a private mapping writable we increase our commit;
52617          * but (without finer accounting) cannot reduce our commit if we
52618 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
52619                 }
52620         }
52621  
52622 +#ifdef CONFIG_PAX_SEGMEXEC
52623 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
52624 +               if (start != vma->vm_start) {
52625 +                       error = split_vma(mm, vma, start, 1);
52626 +                       if (error)
52627 +                               goto fail;
52628 +                       BUG_ON(!*pprev || (*pprev)->vm_next == vma);
52629 +                       *pprev = (*pprev)->vm_next;
52630 +               }
52631 +
52632 +               if (end != vma->vm_end) {
52633 +                       error = split_vma(mm, vma, end, 0);
52634 +                       if (error)
52635 +                               goto fail;
52636 +               }
52637 +
52638 +               if (pax_find_mirror_vma(vma)) {
52639 +                       error = __do_munmap(mm, start_m, end_m - start_m);
52640 +                       if (error)
52641 +                               goto fail;
52642 +               } else {
52643 +                       vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52644 +                       if (!vma_m) {
52645 +                               error = -ENOMEM;
52646 +                               goto fail;
52647 +                       }
52648 +                       vma->vm_flags = newflags;
52649 +                       error = pax_mirror_vma(vma_m, vma);
52650 +                       if (error) {
52651 +                               vma->vm_flags = oldflags;
52652 +                               goto fail;
52653 +                       }
52654 +               }
52655 +       }
52656 +#endif
52657 +
52658         /*
52659          * First try to merge with previous and/or next vma.
52660          */
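Review bot: When `pax_mirror_vma()` fails, the error branch restores `vma->vm_flags` and jumps to `fail`, but the `vma_m` obtained from `kmem_cache_zalloc()` is not released on that path, and `pax_mirror_vma()` does not free it either. Unless the `fail` label, which is outside this hunk, frees it, the object is leaked; adding `kmem_cache_free(vm_area_cachep, vma_m);` before the `goto fail` closes that. The two `split_vma()` calls above are also left in place when a later step fails, which is worth a comment if it is intentional.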
52661 @@ -194,9 +296,21 @@ success:
52662          * vm_flags and vm_page_prot are protected by the mmap_sem
52663          * held in write mode.
52664          */
52665 +
52666 +#ifdef CONFIG_PAX_SEGMEXEC
52667 +       if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
52668 +               pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
52669 +#endif
52670 +
52671         vma->vm_flags = newflags;
52672 +
52673 +#ifdef CONFIG_PAX_MPROTECT
52674 +       if (mm->binfmt && mm->binfmt->handle_mprotect)
52675 +               mm->binfmt->handle_mprotect(vma, newflags);
52676 +#endif
52677 +
52678         vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
52679 -                                         vm_get_page_prot(newflags));
52680 +                                         vm_get_page_prot(vma->vm_flags));
52681  
52682         if (vma_wants_writenotify(vma)) {
52683                 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
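Review bot: `pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;` dereferences the lookup result without a check, so it depends on every executable vma of a SEGMEXEC mm having a mirror at this point. Taking the result into a local and adding `BUG_ON(!vma_m);`, or at least a comment naming the invariant, would make a violation diagnosable rather than a NULL dereference. The mirror's `vm_page_prot` is not recomputed in this hunk after its flags change. The page protection is now derived from `vma->vm_flags`, presumably because `handle_mprotect()` may alter the flags, yet the `vma_wants_writenotify()` branch just below still uses `newflags & ~VM_SHARED`; if the hook can touch protection-relevant bits the two should agree.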
52684 @@ -237,6 +351,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52685         end = start + len;
52686         if (end <= start)
52687                 return -ENOMEM;
52688 +
52689 +#ifdef CONFIG_PAX_SEGMEXEC
52690 +       if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52691 +               if (end > SEGMEXEC_TASK_SIZE)
52692 +                       return -EINVAL;
52693 +       } else
52694 +#endif
52695 +
52696 +       if (end > TASK_SIZE)
52697 +               return -EINVAL;
52698 +
52699         if (!arch_validate_prot(prot))
52700                 return -EINVAL;
52701  
52702 @@ -244,7 +369,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52703         /*
52704          * Does the application expect PROT_READ to imply PROT_EXEC:
52705          */
52706 -       if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
52707 +       if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
52708                 prot |= PROT_EXEC;
52709  
52710         vm_flags = calc_vm_prot_bits(prot);
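Review bot: The comment above this test still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the condition now also fires for `PROT_WRITE` alone. Since the change widens the set of requests that silently gain `PROT_EXEC` under the `READ_IMPLIES_EXEC` personality, the comment should be updated and give the reason, e.g. `/* READ_IMPLIES_EXEC: a readable or writable request is treated as executable too */`.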
52711 @@ -276,6 +401,16 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52712         if (start > vma->vm_start)
52713                 prev = vma;
52714  
52715 +       if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
52716 +               error = -EACCES;
52717 +               goto out;
52718 +       }
52719 +
52720 +#ifdef CONFIG_PAX_MPROTECT
52721 +       if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
52722 +               current->mm->binfmt->handle_mprotect(vma, vm_flags);
52723 +#endif
52724 +
52725         for (nstart = start ; ; ) {
52726                 unsigned long newflags;
52727  
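Review bot: `gr_acl_handle_mprotect(vma->vm_file, prot)` and the `handle_mprotect()` hook are each called once, on the vma found for `start`, before the `for (nstart = start ; ; )` loop. Most of the loop body is outside this hunk, but the next hunk shows it advancing `nstart` and comparing against `prev->vm_end`, so a request that spans several vmas appears to be checked only against the first one's file. If that is intended it needs a comment; otherwise both calls belong inside the loop so that each vma is checked before `mprotect_fixup()` changes it.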
52728 @@ -300,6 +435,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
52729                 if (error)
52730                         goto out;
52731                 perf_event_mmap(vma);
52732 +
52733 +               track_exec_limit(current->mm, nstart, tmp, vm_flags);
52734 +
52735                 nstart = tmp;
52736  
52737                 if (nstart < prev->vm_end)
52738 diff -urNp linux-2.6.35.5/mm/mremap.c linux-2.6.35.5/mm/mremap.c
52739 --- linux-2.6.35.5/mm/mremap.c  2010-08-26 19:47:12.000000000 -0400
52740 +++ linux-2.6.35.5/mm/mremap.c  2010-09-17 20:12:09.000000000 -0400
52741 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
52742                         continue;
52743                 pte = ptep_clear_flush(vma, old_addr, old_pte);
52744                 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
52745 +
52746 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
52747 +               if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
52748 +                       pte = pte_exprotect(pte);
52749 +#endif
52750 +
52751                 set_pte_at(mm, new_addr, new_pte, pte);
52752         }
52753  
52754 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
52755         if (is_vm_hugetlb_page(vma))
52756                 goto Einval;
52757  
52758 +#ifdef CONFIG_PAX_SEGMEXEC
52759 +       if (pax_find_mirror_vma(vma))
52760 +               goto Einval;
52761 +#endif
52762 +
52763         /* We can't remap across vm area boundaries */
52764         if (old_len > vma->vm_end - addr)
52765                 goto Efault;
52766 @@ -321,20 +332,23 @@ static unsigned long mremap_to(unsigned 
52767         unsigned long ret = -EINVAL;
52768         unsigned long charged = 0;
52769         unsigned long map_flags;
52770 +       unsigned long pax_task_size = TASK_SIZE;
52771  
52772         if (new_addr & ~PAGE_MASK)
52773                 goto out;
52774  
52775 -       if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
52776 +#ifdef CONFIG_PAX_SEGMEXEC
52777 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
52778 +               pax_task_size = SEGMEXEC_TASK_SIZE;
52779 +#endif
52780 +
52781 +       if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
52782                 goto out;
52783  
52784         /* Check if the location we're moving into overlaps the
52785          * old location at all, and fail if it does.
52786          */
52787 -       if ((new_addr <= addr) && (new_addr+new_len) > addr)
52788 -               goto out;
52789 -
52790 -       if ((addr <= new_addr) && (addr+old_len) > new_addr)
52791 +       if (addr + old_len > new_addr && new_addr + new_len > addr)
52792                 goto out;
52793  
52794         ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
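Review bot: The length test still compares against `TASK_SIZE` while the address test uses `pax_task_size`: for `new_len` between `SEGMEXEC_TASK_SIZE` and `TASK_SIZE`, `pax_task_size - new_len` wraps and the `new_addr` comparison no longer rejects anything. The `do_mremap()` hunk further down bounds `new_len` by `pax_task_size` before calling in, which masks this for that caller, but the check here should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The rewritten overlap test matches the removed pair for non-empty ranges. For `old_len == 0` with `new_addr == addr` the old code rejected the request and the new code does not, so confirm that case is handled outside the hunk.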
52795 @@ -406,6 +420,7 @@ unsigned long do_mremap(unsigned long ad
52796         struct vm_area_struct *vma;
52797         unsigned long ret = -EINVAL;
52798         unsigned long charged = 0;
52799 +       unsigned long pax_task_size = TASK_SIZE;
52800  
52801         if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
52802                 goto out;
52803 @@ -424,6 +439,15 @@ unsigned long do_mremap(unsigned long ad
52804         if (!new_len)
52805                 goto out;
52806  
52807 +#ifdef CONFIG_PAX_SEGMEXEC
52808 +       if (mm->pax_flags & MF_PAX_SEGMEXEC)
52809 +               pax_task_size = SEGMEXEC_TASK_SIZE;
52810 +#endif
52811 +
52812 +       if (new_len > pax_task_size || addr > pax_task_size-new_len ||
52813 +           old_len > pax_task_size || addr > pax_task_size-old_len)
52814 +               goto out;
52815 +
52816         if (flags & MREMAP_FIXED) {
52817                 if (flags & MREMAP_MAYMOVE)
52818                         ret = mremap_to(addr, old_len, new_addr, new_len);
52819 @@ -473,6 +497,7 @@ unsigned long do_mremap(unsigned long ad
52820                                                    addr + new_len);
52821                         }
52822                         ret = addr;
52823 +                       track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
52824                         goto out;
52825                 }
52826         }
52827 @@ -499,7 +524,13 @@ unsigned long do_mremap(unsigned long ad
52828                 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
52829                 if (ret)
52830                         goto out;
52831 +
52832 +               map_flags = vma->vm_flags;
52833                 ret = move_vma(vma, addr, old_len, new_len, new_addr);
52834 +               if (!(ret & ~PAGE_MASK)) {
52835 +                       track_exec_limit(current->mm, addr, addr + old_len, 0UL);
52836 +                       track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
52837 +               }
52838         }
52839  out:
52840         if (ret & ~PAGE_MASK)
52841 diff -urNp linux-2.6.35.5/mm/nommu.c linux-2.6.35.5/mm/nommu.c
52842 --- linux-2.6.35.5/mm/nommu.c   2010-08-26 19:47:12.000000000 -0400
52843 +++ linux-2.6.35.5/mm/nommu.c   2010-09-17 20:12:09.000000000 -0400
52844 @@ -67,7 +67,6 @@ int sysctl_overcommit_memory = OVERCOMMI
52845  int sysctl_overcommit_ratio = 50; /* default is 50% */
52846  int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
52847  int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
52848 -int heap_stack_gap = 0;
52849  
52850  atomic_long_t mmap_pages_allocated;
52851  
52852 @@ -762,15 +761,6 @@ struct vm_area_struct *find_vma(struct m
52853  EXPORT_SYMBOL(find_vma);
52854  
52855  /*
52856 - * find a VMA
52857 - * - we don't extend stack VMAs under NOMMU conditions
52858 - */
52859 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
52860 -{
52861 -       return find_vma(mm, addr);
52862 -}
52863 -
52864 -/*
52865   * expand a stack to a given address
52866   * - not supported under NOMMU conditions
52867   */
52868 @@ -1491,6 +1481,7 @@ int split_vma(struct mm_struct *mm, stru
52869  
52870         /* most fields are the same, copy all, and then fixup */
52871         *new = *vma;
52872 +       INIT_LIST_HEAD(&new->anon_vma_chain);
52873         *region = *vma->vm_region;
52874         new->vm_region = region;
52875  
52876 diff -urNp linux-2.6.35.5/mm/page_alloc.c linux-2.6.35.5/mm/page_alloc.c
52877 --- linux-2.6.35.5/mm/page_alloc.c      2010-08-26 19:47:12.000000000 -0400
52878 +++ linux-2.6.35.5/mm/page_alloc.c      2010-09-17 20:12:09.000000000 -0400
52879 @@ -641,6 +641,10 @@ static bool free_pages_prepare(struct pa
52880         int i;
52881         int bad = 0;
52882  
52883 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52884 +       unsigned long index = 1UL << order;
52885 +#endif
52886 +
52887         trace_mm_page_free_direct(page, order);
52888         kmemcheck_free_shadow(page, order);
52889  
52890 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
52891                 debug_check_no_obj_freed(page_address(page),
52892                                            PAGE_SIZE << order);
52893         }
52894 +
52895 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
52896 +       for (; index; --index)
52897 +               sanitize_highpage(page + index - 1);
52898 +#endif
52899 +
52900         arch_free_page(page, order);
52901         kernel_map_pages(page, 1 << order, 0);
52902  
52903 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
52904         arch_alloc_page(page, order);
52905         kernel_map_pages(page, 1 << order, 1);
52906  
52907 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
52908         if (gfp_flags & __GFP_ZERO)
52909                 prep_zero_page(page, order, gfp_flags);
52910 +#endif
52911  
52912         if (order && (gfp_flags & __GFP_COMP))
52913                 prep_compound_page(page, order);
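Review bot: Compiling out `prep_zero_page()` under `CONFIG_PAX_MEMORY_SANITIZE` makes every `__GFP_ZERO` allocation depend on the page having been cleared on its way into the free lists. That holds only if `sanitize_highpage()` (defined outside this section) writes zeros rather than a poison pattern, and if no page reaches the allocator without passing through the sanitize loop added to `free_pages_prepare()`, boot-time and hot-added memory included. A comment naming that invariant, e.g. `/* pages are cleared in free_pages_prepare(), so __GFP_ZERO is already satisfied */`, would keep a later change on either side from handing out stale data.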
52914 @@ -3973,7 +3985,7 @@ static void __init setup_usemap(struct p
52915                 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
52916  }
52917  #else
52918 -static void inline setup_usemap(struct pglist_data *pgdat,
52919 +static inline void setup_usemap(struct pglist_data *pgdat,
52920                                 struct zone *zone, unsigned long zonesize) {}
52921  #endif /* CONFIG_SPARSEMEM */
52922  
52923 diff -urNp linux-2.6.35.5/mm/percpu.c linux-2.6.35.5/mm/percpu.c
52924 --- linux-2.6.35.5/mm/percpu.c  2010-08-26 19:47:12.000000000 -0400
52925 +++ linux-2.6.35.5/mm/percpu.c  2010-09-17 20:12:09.000000000 -0400
52926 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu 
52927  static unsigned int pcpu_last_unit_cpu __read_mostly;
52928  
52929  /* the address of the first chunk which starts with the kernel static area */
52930 -void *pcpu_base_addr __read_mostly;
52931 +void *pcpu_base_addr __read_only;
52932  EXPORT_SYMBOL_GPL(pcpu_base_addr);
52933  
52934  static const int *pcpu_unit_map __read_mostly;         /* cpu -> unit */
52935 diff -urNp linux-2.6.35.5/mm/rmap.c linux-2.6.35.5/mm/rmap.c
52936 --- linux-2.6.35.5/mm/rmap.c    2010-08-26 19:47:12.000000000 -0400
52937 +++ linux-2.6.35.5/mm/rmap.c    2010-09-17 20:12:09.000000000 -0400
52938 @@ -116,6 +116,10 @@ int anon_vma_prepare(struct vm_area_stru
52939         struct anon_vma *anon_vma = vma->anon_vma;
52940         struct anon_vma_chain *avc;
52941  
52942 +#ifdef CONFIG_PAX_SEGMEXEC
52943 +       struct anon_vma_chain *avc_m = NULL;
52944 +#endif
52945 +
52946         might_sleep();
52947         if (unlikely(!anon_vma)) {
52948                 struct mm_struct *mm = vma->vm_mm;
52949 @@ -125,6 +129,12 @@ int anon_vma_prepare(struct vm_area_stru
52950                 if (!avc)
52951                         goto out_enomem;
52952  
52953 +#ifdef CONFIG_PAX_SEGMEXEC
52954 +               avc_m = anon_vma_chain_alloc();
52955 +               if (!avc_m)
52956 +                       goto out_enomem_free_avc;
52957 +#endif
52958 +
52959                 anon_vma = find_mergeable_anon_vma(vma);
52960                 allocated = NULL;
52961                 if (!anon_vma) {
52962 @@ -138,6 +148,21 @@ int anon_vma_prepare(struct vm_area_stru
52963                 /* page_table_lock to protect against threads */
52964                 spin_lock(&mm->page_table_lock);
52965                 if (likely(!vma->anon_vma)) {
52966 +
52967 +#ifdef CONFIG_PAX_SEGMEXEC
52968 +                       struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
52969 +
52970 +                       if (vma_m) {
52971 +                               BUG_ON(vma_m->anon_vma);
52972 +                               vma_m->anon_vma = anon_vma;
52973 +                               avc_m->anon_vma = anon_vma;
52974 +                               avc_m->vma = vma;
52975 +                               list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
52976 +                               list_add(&avc_m->same_anon_vma, &anon_vma->head);
52977 +                               avc_m = NULL;
52978 +                       }
52979 +#endif
52980 +
52981                         vma->anon_vma = anon_vma;
52982                         avc->anon_vma = anon_vma;
52983                         avc->vma = vma;
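Review bot: `avc_m` is linked onto `vma_m->anon_vma_chain`, yet its back-pointer is set with `avc_m->vma = vma;`, so the mirror's chain entry points at the primary vma instead of the mirror. Code that walks `anon_vma->head` and follows `avc->vma` would then see `vma` twice and never `vma_m`; this looks like it should be `avc_m->vma = vma_m;`. Also, `avc_m` is allocated in the previous hunk on every pass through the slow path, whether or not the mm uses SEGMEXEC, and is only released afterwards when no mirror exists. The rest of `anon_vma_prepare()` lies outside this hunk.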
52984 @@ -151,12 +176,24 @@ int anon_vma_prepare(struct vm_area_stru
52985  
52986                 if (unlikely(allocated))
52987                         anon_vma_free(allocated);
52988 +
52989 +#ifdef CONFIG_PAX_SEGMEXEC
52990 +               if (unlikely(avc_m))
52991 +                       anon_vma_chain_free(avc_m);
52992 +#endif
52993 +
52994                 if (unlikely(avc))
52995                         anon_vma_chain_free(avc);
52996         }
52997         return 0;
52998  
52999   out_enomem_free_avc:
53000 +
53001 +#ifdef CONFIG_PAX_SEGMEXEC
53002 +       if (avc_m)
53003 +               anon_vma_chain_free(avc_m);
53004 +#endif
53005 +
53006         anon_vma_chain_free(avc);
53007   out_enomem:
53008         return -ENOMEM;
53009 @@ -179,7 +216,7 @@ static void anon_vma_chain_link(struct v
53010   * Attach the anon_vmas from src to dst.
53011   * Returns 0 on success, -ENOMEM on failure.
53012   */
53013 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
53014 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
53015  {
53016         struct anon_vma_chain *avc, *pavc;
53017  
53018 @@ -201,7 +238,7 @@ int anon_vma_clone(struct vm_area_struct
53019   * the corresponding VMA in the parent process is attached to.
53020   * Returns 0 on success, non-zero on failure.
53021   */
53022 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
53023 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
53024  {
53025         struct anon_vma_chain *avc;
53026         struct anon_vma *anon_vma;
53027 diff -urNp linux-2.6.35.5/mm/shmem.c linux-2.6.35.5/mm/shmem.c
53028 --- linux-2.6.35.5/mm/shmem.c   2010-08-26 19:47:12.000000000 -0400
53029 +++ linux-2.6.35.5/mm/shmem.c   2010-09-17 20:12:37.000000000 -0400
53030 @@ -30,7 +30,7 @@
53031  #include <linux/module.h>
53032  #include <linux/swap.h>
53033  
53034 -static struct vfsmount *shm_mnt;
53035 +struct vfsmount *shm_mnt;
53036  
53037  #ifdef CONFIG_SHMEM
53038  /*
53039 diff -urNp linux-2.6.35.5/mm/slab.c linux-2.6.35.5/mm/slab.c
53040 --- linux-2.6.35.5/mm/slab.c    2010-08-26 19:47:12.000000000 -0400
53041 +++ linux-2.6.35.5/mm/slab.c    2010-09-17 20:12:37.000000000 -0400
53042 @@ -285,7 +285,7 @@ struct kmem_list3 {
53043   * Need this for bootstrapping a per node allocator.
53044   */
53045  #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
53046 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
53047 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
53048  #define        CACHE_CACHE 0
53049  #define        SIZE_AC MAX_NUMNODES
53050  #define        SIZE_L3 (2 * MAX_NUMNODES)
53051 @@ -535,7 +535,7 @@ static inline void *index_to_obj(struct 
53052   *   reciprocal_divide(offset, cache->reciprocal_buffer_size)
53053   */
53054  static inline unsigned int obj_to_index(const struct kmem_cache *cache,
53055 -                                       const struct slab *slab, void *obj)
53056 +                                       const struct slab *slab, const void *obj)
53057  {
53058         u32 offset = (obj - slab->s_mem);
53059         return reciprocal_divide(offset, cache->reciprocal_buffer_size);
53060 @@ -561,14 +561,14 @@ struct cache_names {
53061  static struct cache_names __initdata cache_names[] = {
53062  #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
53063  #include <linux/kmalloc_sizes.h>
53064 -       {NULL,}
53065 +       {NULL, NULL}
53066  #undef CACHE
53067  };
53068  
53069  static struct arraycache_init initarray_cache __initdata =
53070 -    { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53071 +    { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53072  static struct arraycache_init initarray_generic =
53073 -    { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
53074 +    { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
53075  
53076  /* internal cache of cache description objs */
53077  static struct kmem_cache cache_cache = {
53078 @@ -4558,15 +4558,66 @@ static const struct file_operations proc
53079  
53080  static int __init slab_proc_init(void)
53081  {
53082 -       proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
53083 +       mode_t gr_mode = S_IRUGO;
53084 +
53085 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53086 +       gr_mode = S_IRUSR;
53087 +#endif
53088 +
53089 +       proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
53090  #ifdef CONFIG_DEBUG_SLAB_LEAK
53091 -       proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
53092 +       proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
53093  #endif
53094         return 0;
53095  }
53096  module_init(slab_proc_init);
53097  #endif
53098  
53099 +void check_object_size(const void *ptr, unsigned long n, bool to)
53100 +{
53101 +
53102 +#ifdef CONFIG_PAX_USERCOPY
53103 +       struct kmem_cache *cachep;
53104 +       struct slab *slabp;
53105 +       struct page *page;
53106 +       unsigned int objnr;
53107 +       unsigned long offset;
53108 +
53109 +       if (!n)
53110 +               return;
53111 +
53112 +       if (ZERO_OR_NULL_PTR(ptr))
53113 +               goto report;
53114 +
53115 +       if (!virt_addr_valid(ptr))
53116 +               return;
53117 +
53118 +       page = virt_to_head_page(ptr);
53119 +
53120 +       if (!PageSlab(page)) {
53121 +               if (object_is_on_stack(ptr, n) == -1)
53122 +                       goto report;
53123 +               return;
53124 +       }
53125 +
53126 +       cachep = page_get_cache(page);
53127 +       slabp = page_get_slab(page);
53128 +       objnr = obj_to_index(cachep, slabp, ptr);
53129 +       BUG_ON(objnr >= cachep->num);
53130 +       offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
53131 +       if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
53132 +               return;
53133 +
53134 +report:
53135 +       if (to)
53136 +               pax_report_leak_to_user(ptr, n);
53137 +       else
53138 +               pax_report_overflow_from_user(ptr, n);
53139 +#endif
53140 +
53141 +}
53142 +EXPORT_SYMBOL(check_object_size);
53143 +
53144  /**
53145   * ksize - get the actual amount of memory allocated for a given object
53146   * @objp: Pointer to the object
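Review bot: `check_object_size()` is added without any comment describing its contract, and the same gap applies to the copies added in mm/slob.c and mm/slub.c. A header comment should state that `to` selects the report (`pax_report_leak_to_user` when true, `pax_report_overflow_from_user` otherwise). It should also say that the function returns without checking when `!virt_addr_valid(ptr)`, or when the page is not a slab page and `object_is_on_stack()` does not return -1, so readers do not assume every kernel address is bounds-checked. Separately, a pointer that lands in a slab page but outside the object array looks like it would trip `BUG_ON(objnr >= cachep->num)` rather than reach `report:`; if that is intended, say so next to the `BUG_ON`.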
53147 diff -urNp linux-2.6.35.5/mm/slob.c linux-2.6.35.5/mm/slob.c
53148 --- linux-2.6.35.5/mm/slob.c    2010-08-26 19:47:12.000000000 -0400
53149 +++ linux-2.6.35.5/mm/slob.c    2010-09-17 20:12:09.000000000 -0400
53150 @@ -29,7 +29,7 @@
53151   * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
53152   * alloc_pages() directly, allocating compound pages so the page order
53153   * does not have to be separately tracked, and also stores the exact
53154 - * allocation size in page->private so that it can be used to accurately
53155 + * allocation size in slob_page->size so that it can be used to accurately
53156   * provide ksize(). These objects are detected in kfree() because slob_page()
53157   * is false for them.
53158   *
53159 @@ -58,6 +58,7 @@
53160   */
53161  
53162  #include <linux/kernel.h>
53163 +#include <linux/sched.h>
53164  #include <linux/slab.h>
53165  #include <linux/mm.h>
53166  #include <linux/swap.h> /* struct reclaim_state */
53167 @@ -100,7 +101,8 @@ struct slob_page {
53168                         unsigned long flags;    /* mandatory */
53169                         atomic_t _count;        /* mandatory */
53170                         slobidx_t units;        /* free units left in page */
53171 -                       unsigned long pad[2];
53172 +                       unsigned long pad[1];
53173 +                       unsigned long size;     /* size when >=PAGE_SIZE */
53174                         slob_t *free;           /* first free slob_t in page */
53175                         struct list_head list;  /* linked list of free pages */
53176                 };
53177 @@ -133,7 +135,7 @@ static LIST_HEAD(free_slob_large);
53178   */
53179  static inline int is_slob_page(struct slob_page *sp)
53180  {
53181 -       return PageSlab((struct page *)sp);
53182 +       return PageSlab((struct page *)sp) && !sp->size;
53183  }
53184  
53185  static inline void set_slob_page(struct slob_page *sp)
53186 @@ -148,7 +150,7 @@ static inline void clear_slob_page(struc
53187  
53188  static inline struct slob_page *slob_page(const void *addr)
53189  {
53190 -       return (struct slob_page *)virt_to_page(addr);
53191 +       return (struct slob_page *)virt_to_head_page(addr);
53192  }
53193  
53194  /*
53195 @@ -208,7 +210,7 @@ static void set_slob(slob_t *s, slobidx_
53196  /*
53197   * Return the size of a slob block.
53198   */
53199 -static slobidx_t slob_units(slob_t *s)
53200 +static slobidx_t slob_units(const slob_t *s)
53201  {
53202         if (s->units > 0)
53203                 return s->units;
53204 @@ -218,7 +220,7 @@ static slobidx_t slob_units(slob_t *s)
53205  /*
53206   * Return the next free slob block pointer after this one.
53207   */
53208 -static slob_t *slob_next(slob_t *s)
53209 +static slob_t *slob_next(const slob_t *s)
53210  {
53211         slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
53212         slobidx_t next;
53213 @@ -233,7 +235,7 @@ static slob_t *slob_next(slob_t *s)
53214  /*
53215   * Returns true if s is the last free block in its page.
53216   */
53217 -static int slob_last(slob_t *s)
53218 +static int slob_last(const slob_t *s)
53219  {
53220         return !((unsigned long)slob_next(s) & ~PAGE_MASK);
53221  }
53222 @@ -252,6 +254,7 @@ static void *slob_new_pages(gfp_t gfp, i
53223         if (!page)
53224                 return NULL;
53225  
53226 +       set_slob_page(page);
53227         return page_address(page);
53228  }
53229  
53230 @@ -368,11 +371,11 @@ static void *slob_alloc(size_t size, gfp
53231                 if (!b)
53232                         return NULL;
53233                 sp = slob_page(b);
53234 -               set_slob_page(sp);
53235  
53236                 spin_lock_irqsave(&slob_lock, flags);
53237                 sp->units = SLOB_UNITS(PAGE_SIZE);
53238                 sp->free = b;
53239 +               sp->size = 0;
53240                 INIT_LIST_HEAD(&sp->list);
53241                 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
53242                 set_slob_page_free(sp, slob_list);
53243 @@ -467,10 +470,9 @@ out:
53244   * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
53245   */
53246  
53247 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53248 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
53249  {
53250 -       unsigned int *m;
53251 -       int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53252 +       slob_t *m;
53253         void *ret;
53254  
53255         lockdep_trace_alloc(gfp);
53256 @@ -483,7 +485,10 @@ void *__kmalloc_node(size_t size, gfp_t 
53257  
53258                 if (!m)
53259                         return NULL;
53260 -               *m = size;
53261 +               BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
53262 +               BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
53263 +               m[0].units = size;
53264 +               m[1].units = align;
53265                 ret = (void *)m + align;
53266  
53267                 trace_kmalloc_node(_RET_IP_, ret,
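Review bot: The two `BUILD_BUG_ON`s only prove that the architecture minimums leave room for the two-`slob_t` header, while `m[1].units = align;` and `ret = (void *)m + align;` use the runtime `align` argument that `__kmalloc_node_align()` now accepts. If any caller can pass an `align` smaller than `2 * SLOB_UNIT`, the header would overlap the returned object. A comment stating the precondition, or a guard such as `BUG_ON(align < 2 * SLOB_UNIT);` ahead of the header write, would make the assumption explicit. The function starts and ends outside this hunk, so the size check that selects this branch is not visible here.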
53268 @@ -493,9 +498,9 @@ void *__kmalloc_node(size_t size, gfp_t 
53269  
53270                 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
53271                 if (ret) {
53272 -                       struct page *page;
53273 -                       page = virt_to_page(ret);
53274 -                       page->private = size;
53275 +                       struct slob_page *sp;
53276 +                       sp = slob_page(ret);
53277 +                       sp->size = size;
53278                 }
53279  
53280                 trace_kmalloc_node(_RET_IP_, ret,
53281 @@ -505,6 +510,13 @@ void *__kmalloc_node(size_t size, gfp_t 
53282         kmemleak_alloc(ret, size, 1, gfp);
53283         return ret;
53284  }
53285 +
53286 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
53287 +{
53288 +       int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53289 +
53290 +       return __kmalloc_node_align(size, gfp, node, align);
53291 +}
53292  EXPORT_SYMBOL(__kmalloc_node);
53293  
53294  void kfree(const void *block)
53295 @@ -520,13 +532,84 @@ void kfree(const void *block)
53296         sp = slob_page(block);
53297         if (is_slob_page(sp)) {
53298                 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53299 -               unsigned int *m = (unsigned int *)(block - align);
53300 -               slob_free(m, *m + align);
53301 -       } else
53302 +               slob_t *m = (slob_t *)(block - align);
53303 +               slob_free(m, m[0].units + align);
53304 +       } else {
53305 +               clear_slob_page(sp);
53306 +               free_slob_page(sp);
53307 +               sp->size = 0;
53308                 put_page(&sp->page);
53309 +       }
53310  }
53311  EXPORT_SYMBOL(kfree);
53312  
53313 +void check_object_size(const void *ptr, unsigned long n, bool to)
53314 +{
53315 +
53316 +#ifdef CONFIG_PAX_USERCOPY
53317 +       struct slob_page *sp;
53318 +       const slob_t *free;
53319 +       const void *base;
53320 +
53321 +       if (!n)
53322 +               return;
53323 +
53324 +       if (ZERO_OR_NULL_PTR(ptr))
53325 +               goto report;
53326 +
53327 +       if (!virt_addr_valid(ptr))
53328 +               return;
53329 +
53330 +       sp = slob_page(ptr);
53331 +       if (!PageSlab((struct page*)sp)) {
53332 +               if (object_is_on_stack(ptr, n) == -1)
53333 +                       goto report;
53334 +               return;
53335 +       }
53336 +
53337 +       if (sp->size) {
53338 +               base = page_address(&sp->page);
53339 +               if (base <= ptr && n <= sp->size - (ptr - base))
53340 +                       return;
53341 +               goto report;
53342 +       }
53343 +
53344 +       /* some tricky double walking to find the chunk */
53345 +       base = (void *)((unsigned long)ptr & PAGE_MASK);
53346 +       free = sp->free;
53347 +
53348 +       while (!slob_last(free) && (void *)free <= ptr) {
53349 +               base = free + slob_units(free);
53350 +               free = slob_next(free);
53351 +       }
53352 +
53353 +       while (base < (void *)free) {
53354 +               slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
53355 +               int size = SLOB_UNIT * SLOB_UNITS(m + align);
53356 +               int offset;
53357 +
53358 +               if (ptr < base + align)
53359 +                       goto report;
53360 +
53361 +               offset = ptr - base - align;
53362 +               if (offset < m) {
53363 +                       if (n <= m - offset)
53364 +                               return;
53365 +                       goto report;
53366 +               }
53367 +               base += size;
53368 +       }
53369 +
53370 +report:
53371 +       if (to)
53372 +               pax_report_leak_to_user(ptr, n);
53373 +       else
53374 +               pax_report_overflow_from_user(ptr, n);
53375 +#endif
53376 +
53377 +}
53378 +EXPORT_SYMBOL(check_object_size);
53379 +
53380  /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
53381  size_t ksize(const void *block)
53382  {
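Review bot: The new slob `check_object_size()` walks `sp->free` and the in-page chunk headers without holding `slob_lock`, while the allocator path shown earlier in this patch updates `sp->free` under `spin_lock_irqsave(&slob_lock, flags)`. A concurrent allocation or free on the same page could change the free list or the headers during the walk, which may yield a false report or a missed one. Taking the lock around the two loops and calling the `pax_report_*` helpers only after dropping it would close that window. The second loop also makes no progress if a header decodes to a non-positive `size`, so bailing out to the report path in that case is worth adding. A sketch of the locked walk follows.

```c
	unsigned long flags;
	bool ok = false;
	/* … unchanged: n, NULL, virt_addr_valid, PageSlab and sp->size checks … */

	spin_lock_irqsave(&slob_lock, flags);
	/* … unchanged: base/free setup and the first loop over the free list … */

	while (base < (void *)free) {
		/* … unchanged: m, align, size and offset declarations … */

		if (size <= 0 || ptr < base + align)
			break;

		offset = ptr - base - align;
		if (offset < m) {
			ok = n <= m - offset;
			break;
		}
		base += size;
	}
	spin_unlock_irqrestore(&slob_lock, flags);
	if (ok)
		return;
	/* … unchanged: report: label and pax_report_* calls … */
```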
53383 @@ -539,10 +622,10 @@ size_t ksize(const void *block)
53384         sp = slob_page(block);
53385         if (is_slob_page(sp)) {
53386                 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
53387 -               unsigned int *m = (unsigned int *)(block - align);
53388 -               return SLOB_UNITS(*m) * SLOB_UNIT;
53389 +               slob_t *m = (slob_t *)(block - align);
53390 +               return SLOB_UNITS(m[0].units) * SLOB_UNIT;
53391         } else
53392 -               return sp->page.private;
53393 +               return sp->size;
53394  }
53395  EXPORT_SYMBOL(ksize);
53396  
53397 @@ -597,17 +680,25 @@ void *kmem_cache_alloc_node(struct kmem_
53398  {
53399         void *b;
53400  
53401 +#ifdef CONFIG_PAX_USERCOPY
53402 +       b = __kmalloc_node_align(c->size, flags, node, c->align);
53403 +#else
53404         if (c->size < PAGE_SIZE) {
53405                 b = slob_alloc(c->size, flags, c->align, node);
53406                 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53407                                             SLOB_UNITS(c->size) * SLOB_UNIT,
53408                                             flags, node);
53409         } else {
53410 +               struct slob_page *sp;
53411 +
53412                 b = slob_new_pages(flags, get_order(c->size), node);
53413 +               sp = slob_page(b);
53414 +               sp->size = c->size;
53415                 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
53416                                             PAGE_SIZE << get_order(c->size),
53417                                             flags, node);
53418         }
53419 +#endif
53420  
53421         if (c->ctor)
53422                 c->ctor(b);
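Review bot: In the non-`CONFIG_PAX_USERCOPY` large-object branch, the result of `slob_new_pages()` is passed to `slob_page(b)` and `sp->size` is written without checking `b` for NULL. On allocation failure that store lands in whatever page descriptor `virt_to_head_page(NULL)` resolves to, whereas the `__kmalloc_node_align()` path in this patch guards the same store with `if (ret)`. Suggested: `if (b) slob_page(b)->size = c->size;`, dropping the `sp` local. `kmem_cache_alloc_node()` starts and ends outside this hunk.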
53423 @@ -619,10 +710,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
53424  
53425  static void __kmem_cache_free(void *b, int size)
53426  {
53427 -       if (size < PAGE_SIZE)
53428 +       struct slob_page *sp = slob_page(b);
53429 +
53430 +       if (is_slob_page(sp))
53431                 slob_free(b, size);
53432 -       else
53433 +       else {
53434 +               clear_slob_page(sp);
53435 +               free_slob_page(sp);
53436 +               sp->size = 0;
53437                 slob_free_pages(b, get_order(size));
53438 +       }
53439  }
53440  
53441  static void kmem_rcu_free(struct rcu_head *head)
53442 @@ -635,15 +732,24 @@ static void kmem_rcu_free(struct rcu_hea
53443  
53444  void kmem_cache_free(struct kmem_cache *c, void *b)
53445  {
53446 +       int size = c->size;
53447 +
53448 +#ifdef CONFIG_PAX_USERCOPY
53449 +       if (size + c->align < PAGE_SIZE) {
53450 +               size += c->align;
53451 +               b -= c->align;
53452 +       }
53453 +#endif
53454 +
53455         kmemleak_free_recursive(b, c->flags);
53456         if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
53457                 struct slob_rcu *slob_rcu;
53458 -               slob_rcu = b + (c->size - sizeof(struct slob_rcu));
53459 +               slob_rcu = b + (size - sizeof(struct slob_rcu));
53460                 INIT_RCU_HEAD(&slob_rcu->head);
53461 -               slob_rcu->size = c->size;
53462 +               slob_rcu->size = size;
53463                 call_rcu(&slob_rcu->head, kmem_rcu_free);
53464         } else {
53465 -               __kmem_cache_free(b, c->size);
53466 +               __kmem_cache_free(b, size);
53467         }
53468  
53469         trace_kmem_cache_free(_RET_IP_, b);
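Review bot: Under `CONFIG_PAX_USERCOPY`, `b -= c->align;` runs before `kmemleak_free_recursive(b, c->flags);` and `trace_kmem_cache_free(_RET_IP_, b);`, so both receive the header address rather than the object pointer the caller was given. The allocation side registers the object pointer (`kmemleak_alloc(ret, size, 1, gfp)` in `__kmalloc_node_align()`), so kmemleak would presumably fail to match the free. Calling `kmemleak_free_recursive(b, c->flags);` ahead of the `#ifdef` block, and keeping the caller's pointer in a local for the trace call, would keep both consistent with what callers see. The function body continues past the end of this hunk.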
53470 diff -urNp linux-2.6.35.5/mm/slub.c linux-2.6.35.5/mm/slub.c
53471 --- linux-2.6.35.5/mm/slub.c    2010-08-26 19:47:12.000000000 -0400
53472 +++ linux-2.6.35.5/mm/slub.c    2010-09-17 20:12:37.000000000 -0400
53473 @@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
53474  
53475         page = virt_to_head_page(x);
53476  
53477 +       BUG_ON(!PageSlab(page));
53478 +
53479         slab_free(s, page, x, _RET_IP_);
53480  
53481         trace_kmem_cache_free(_RET_IP_, x);
53482 @@ -1917,7 +1919,7 @@ static int slub_min_objects;
53483   * Merge control. If this is set then no merging of slab caches will occur.
53484   * (Could be removed. This was introduced to pacify the merge skeptics.)
53485   */
53486 -static int slub_nomerge;
53487 +static int slub_nomerge = 1;
53488  
53489  /*
53490   * Calculate the order of allocation given an slab object size.
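Review bot: The default flips to `static int slub_nomerge = 1;`, but the comment above still describes the variable as an opt-in switch and gives no reason for the new default. A short addition such as `/* Defaults to 1 here: caches are kept unmerged so objects from different caches do not share slabs. */` would record the intent. That rationale is inferred from the change, so adjust the wording to the actual motivation.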
53491 @@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
53492          * list to avoid pounding the page allocator excessively.
53493          */
53494         set_min_partial(s, ilog2(s->size));
53495 -       s->refcount = 1;
53496 +       atomic_set(&s->refcount, 1);
53497  #ifdef CONFIG_NUMA
53498         s->remote_node_defrag_ratio = 1000;
53499  #endif
53500 @@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
53501  void kmem_cache_destroy(struct kmem_cache *s)
53502  {
53503         down_write(&slub_lock);
53504 -       s->refcount--;
53505 -       if (!s->refcount) {
53506 +       if (atomic_dec_and_test(&s->refcount)) {
53507                 list_del(&s->list);
53508                 up_write(&slub_lock);
53509                 if (kmem_cache_close(s)) {
53510 @@ -2780,6 +2781,46 @@ void *__kmalloc_node(size_t size, gfp_t 
53511  EXPORT_SYMBOL(__kmalloc_node);
53512  #endif
53513  
53514 +void check_object_size(const void *ptr, unsigned long n, bool to)
53515 +{
53516 +
53517 +#ifdef CONFIG_PAX_USERCOPY
53518 +       struct page *page;
53519 +       struct kmem_cache *s;
53520 +       unsigned long offset;
53521 +
53522 +       if (!n)
53523 +               return;
53524 +
53525 +       if (ZERO_OR_NULL_PTR(ptr))
53526 +               goto report;
53527 +
53528 +       if (!virt_addr_valid(ptr))
53529 +               return;
53530 +
53531 +       page = get_object_page(ptr);
53532 +
53533 +       if (!page) {
53534 +               if (object_is_on_stack(ptr, n) == -1)
53535 +                       goto report;
53536 +               return;
53537 +       }
53538 +
53539 +       s = page->slab;
53540 +       offset = (ptr - page_address(page)) % s->size;
53541 +       if (offset <= s->objsize && n <= s->objsize - offset)
53542 +               return;
53543 +
53544 +report:
53545 +       if (to)
53546 +               pax_report_leak_to_user(ptr, n);
53547 +       else
53548 +               pax_report_overflow_from_user(ptr, n);
53549 +#endif
53550 +
53551 +}
53552 +EXPORT_SYMBOL(check_object_size);
53553 +
53554  size_t ksize(const void *object)
53555  {
53556         struct page *page;
53557 @@ -3049,7 +3090,7 @@ void __init kmem_cache_init(void)
53558          */
53559         create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
53560                 sizeof(struct kmem_cache_node), GFP_NOWAIT);
53561 -       kmalloc_caches[0].refcount = -1;
53562 +       atomic_set(&kmalloc_caches[0].refcount, -1);
53563         caches++;
53564  
53565         hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
53566 @@ -3158,7 +3199,7 @@ static int slab_unmergeable(struct kmem_
53567         /*
53568          * We may have set a slab to be unmergeable during bootstrap.
53569          */
53570 -       if (s->refcount < 0)
53571 +       if (atomic_read(&s->refcount) < 0)
53572                 return 1;
53573  
53574         return 0;
53575 @@ -3216,7 +3257,7 @@ struct kmem_cache *kmem_cache_create(con
53576         down_write(&slub_lock);
53577         s = find_mergeable(size, align, flags, name, ctor);
53578         if (s) {
53579 -               s->refcount++;
53580 +               atomic_inc(&s->refcount);
53581                 /*
53582                  * Adjust the object sizes so that we clear
53583                  * the complete object on kzalloc.
53584 @@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
53585  
53586                 if (sysfs_slab_alias(s, name)) {
53587                         down_write(&slub_lock);
53588 -                       s->refcount--;
53589 +                       atomic_dec(&s->refcount);
53590                         up_write(&slub_lock);
53591                         goto err;
53592                 }
53593 @@ -3953,7 +3994,7 @@ SLAB_ATTR_RO(ctor);
53594  
53595  static ssize_t aliases_show(struct kmem_cache *s, char *buf)
53596  {
53597 -       return sprintf(buf, "%d\n", s->refcount - 1);
53598 +       return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
53599  }
53600  SLAB_ATTR_RO(aliases);
53601  
53602 @@ -4674,7 +4715,13 @@ static const struct file_operations proc
53603  
53604  static int __init slab_proc_init(void)
53605  {
53606 -       proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
53607 +       mode_t gr_mode = S_IRUGO;
53608 +
53609 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53610 +       gr_mode = S_IRUSR;
53611 +#endif
53612 +
53613 +       proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
53614         return 0;
53615  }
53616  module_init(slab_proc_init);
53617 diff -urNp linux-2.6.35.5/mm/util.c linux-2.6.35.5/mm/util.c
53618 --- linux-2.6.35.5/mm/util.c    2010-08-26 19:47:12.000000000 -0400
53619 +++ linux-2.6.35.5/mm/util.c    2010-09-17 20:12:09.000000000 -0400
53620 @@ -245,6 +245,12 @@ EXPORT_SYMBOL(strndup_user);
53621  void arch_pick_mmap_layout(struct mm_struct *mm)
53622  {
53623         mm->mmap_base = TASK_UNMAPPED_BASE;
53624 +
53625 +#ifdef CONFIG_PAX_RANDMMAP
53626 +       if (mm->pax_flags & MF_PAX_RANDMMAP)
53627 +               mm->mmap_base += mm->delta_mmap;
53628 +#endif
53629 +
53630         mm->get_unmapped_area = arch_get_unmapped_area;
53631         mm->unmap_area = arch_unmap_area;
53632  }
53633 diff -urNp linux-2.6.35.5/mm/vmalloc.c linux-2.6.35.5/mm/vmalloc.c
53634 --- linux-2.6.35.5/mm/vmalloc.c 2010-08-26 19:47:12.000000000 -0400
53635 +++ linux-2.6.35.5/mm/vmalloc.c 2010-09-17 20:12:09.000000000 -0400
53636 @@ -40,8 +40,19 @@ static void vunmap_pte_range(pmd_t *pmd,
53637  
53638         pte = pte_offset_kernel(pmd, addr);
53639         do {
53640 -               pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53641 -               WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53642 +
53643 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53644 +               if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
53645 +                       BUG_ON(!pte_exec(*pte));
53646 +                       set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
53647 +                       continue;
53648 +               }
53649 +#endif
53650 +
53651 +               {
53652 +                       pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
53653 +                       WARN_ON(!pte_none(ptent) && !pte_present(ptent));
53654 +               }
53655         } while (pte++, addr += PAGE_SIZE, addr != end);
53656  }
53657  
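Review bot: The `MODULES_EXEC_VADDR` branch rewrites the PTE with `pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC)` instead of clearing it, and nothing explains why an unmap leaves an executable mapping in place. A comment above the `#if` should state the invariant; it looks as if this range is expected to always map its own physical backing executably, which `BUG_ON(!pte_exec(*pte))` also relies on. That would let a reader judge whether freed module text stays mapped after `vunmap`. The function begins outside this hunk.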
53658 @@ -92,6 +103,7 @@ static int vmap_pte_range(pmd_t *pmd, un
53659                 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
53660  {
53661         pte_t *pte;
53662 +       int ret = -ENOMEM;
53663  
53664         /*
53665          * nr is a running index into the array which helps higher level
53666 @@ -101,17 +113,30 @@ static int vmap_pte_range(pmd_t *pmd, un
53667         pte = pte_alloc_kernel(pmd, addr);
53668         if (!pte)
53669                 return -ENOMEM;
53670 +
53671 +       pax_open_kernel();
53672         do {
53673                 struct page *page = pages[*nr];
53674  
53675 -               if (WARN_ON(!pte_none(*pte)))
53676 -                       return -EBUSY;
53677 -               if (WARN_ON(!page))
53678 -                       return -ENOMEM;
53679 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53680 +               if (pgprot_val(prot) & _PAGE_NX)
53681 +#endif
53682 +
53683 +               if (WARN_ON(!pte_none(*pte))) {
53684 +                       ret = -EBUSY;
53685 +                       goto out;
53686 +               }
53687 +               if (WARN_ON(!page)) {
53688 +                       ret = -ENOMEM;
53689 +                       goto out;
53690 +               }
53691                 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
53692                 (*nr)++;
53693         } while (pte++, addr += PAGE_SIZE, addr != end);
53694 -       return 0;
53695 +       ret = 0;
53696 +out:
53697 +       pax_close_kernel();
53698 +       return ret;
53699  }
53700  
53701  static int vmap_pmd_range(pud_t *pud, unsigned long addr,
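Review bot: The unbraced `if (pgprot_val(prot) & _PAGE_NX)` inside `#if … #endif` silently becomes the guard for the following `if (WARN_ON(!pte_none(*pte))) { … }`, separated from it by a blank line, so the empty-PTE check is conditional only in some configurations. This preprocessor-dependent dangling `if` is easy to misread and easy to break when a statement is inserted. The same shape appears in the `vmalloc_to_page()` hunk (`pud_large`/`pmd_large`) and the `__vmalloc_node()` hunk (`else` before `#endif`). Consider a local `bool check_empty = true;` that the `#if` block sets from `pgprot_val(prot) & _PAGE_NX`, then `if (check_empty && WARN_ON(!pte_none(*pte)))`, plus a comment on why executable mappings skip the check. `vmap_pte_range()` starts in the previous hunk.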
53702 @@ -192,11 +217,20 @@ int is_vmalloc_or_module_addr(const void
53703          * and fall back on vmalloc() if that fails. Others
53704          * just put it in the vmalloc space.
53705          */
53706 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
53707 +#ifdef CONFIG_MODULES
53708 +#ifdef MODULES_VADDR
53709         unsigned long addr = (unsigned long)x;
53710         if (addr >= MODULES_VADDR && addr < MODULES_END)
53711                 return 1;
53712  #endif
53713 +
53714 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
53715 +       if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
53716 +               return 1;
53717 +#endif
53718 +
53719 +#endif
53720 +
53721         return is_vmalloc_addr(x);
53722  }
53723  
53724 @@ -217,8 +251,14 @@ struct page *vmalloc_to_page(const void 
53725  
53726         if (!pgd_none(*pgd)) {
53727                 pud_t *pud = pud_offset(pgd, addr);
53728 +#ifdef CONFIG_X86
53729 +               if (!pud_large(*pud))
53730 +#endif
53731                 if (!pud_none(*pud)) {
53732                         pmd_t *pmd = pmd_offset(pud, addr);
53733 +#ifdef CONFIG_X86
53734 +                       if (!pmd_large(*pmd))
53735 +#endif
53736                         if (!pmd_none(*pmd)) {
53737                                 pte_t *ptep, pte;
53738  
53739 @@ -292,13 +332,13 @@ static void __insert_vmap_area(struct vm
53740         struct rb_node *tmp;
53741  
53742         while (*p) {
53743 -               struct vmap_area *tmp;
53744 +               struct vmap_area *varea;
53745  
53746                 parent = *p;
53747 -               tmp = rb_entry(parent, struct vmap_area, rb_node);
53748 -               if (va->va_start < tmp->va_end)
53749 +               varea = rb_entry(parent, struct vmap_area, rb_node);
53750 +               if (va->va_start < varea->va_end)
53751                         p = &(*p)->rb_left;
53752 -               else if (va->va_end > tmp->va_start)
53753 +               else if (va->va_end > varea->va_start)
53754                         p = &(*p)->rb_right;
53755                 else
53756                         BUG();
53757 @@ -1224,6 +1264,16 @@ static struct vm_struct *__get_vm_area_n
53758         struct vm_struct *area;
53759  
53760         BUG_ON(in_interrupt());
53761 +
53762 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53763 +       if (flags & VM_KERNEXEC) {
53764 +               if (start != VMALLOC_START || end != VMALLOC_END)
53765 +                       return NULL;
53766 +               start = (unsigned long)MODULES_EXEC_VADDR;
53767 +               end = (unsigned long)MODULES_EXEC_END;
53768 +       }
53769 +#endif
53770 +
53771         if (flags & VM_IOREMAP) {
53772                 int bit = fls(size);
53773  
53774 @@ -1449,6 +1499,11 @@ void *vmap(struct page **pages, unsigned
53775         if (count > totalram_pages)
53776                 return NULL;
53777  
53778 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53779 +       if (!(pgprot_val(prot) & _PAGE_NX))
53780 +               flags |= VM_KERNEXEC;
53781 +#endif
53782 +
53783         area = get_vm_area_caller((count << PAGE_SHIFT), flags,
53784                                         __builtin_return_address(0));
53785         if (!area)
53786 @@ -1558,6 +1613,13 @@ static void *__vmalloc_node(unsigned lon
53787         if (!size || (size >> PAGE_SHIFT) > totalram_pages)
53788                 return NULL;
53789  
53790 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
53791 +       if (!(pgprot_val(prot) & _PAGE_NX))
53792 +               area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
53793 +                                               node, gfp_mask, caller);
53794 +       else
53795 +#endif
53796 +
53797         area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
53798                                   VMALLOC_END, node, gfp_mask, caller);
53799  
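Review bot: The `else` that closes the `#if` block binds to the pre-existing `area = __get_vm_area_node(...)` call across an `#endif` and a blank line, so the control flow is only visible by reading the preprocessor lines, and a statement inserted between them would silently change which call the `else` governs. The two calls differ only in the flags argument, so choosing the flags first and keeping a single call is easier to audit and matches how the `vmap` hunk above uses `flags |= VM_KERNEXEC`. The declaration of `vm_flags` would sit with the function's other locals, which are outside this hunk.

```c
	unsigned long vm_flags = VM_ALLOC;	/* goes with the other locals */

	/* … unchanged: size sanity check … */

#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
	/* mappings requested without NX are tagged for the exec range */
	if (!(pgprot_val(prot) & _PAGE_NX))
		vm_flags |= VM_KERNEXEC;
#endif

	area = __get_vm_area_node(size, align, vm_flags, VMALLOC_START,
				  VMALLOC_END, node, gfp_mask, caller);
```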
53800 @@ -1576,6 +1638,7 @@ static void *__vmalloc_node(unsigned lon
53801         return addr;
53802  }
53803  
53804 +#undef __vmalloc
53805  void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
53806  {
53807         return __vmalloc_node(size, 1, gfp_mask, prot, -1,
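Review bot: The added `#undef __vmalloc` carries no comment, and the macro it cancels is not defined in any hunk of this file, so a reader of mm/vmalloc.c cannot tell why the definition needs it. The same applies to the `#undef` lines added before `vmalloc`, `vmalloc_user`, `vmalloc_node`, `vmalloc_exec`, `vmalloc_32` and `vmalloc_32_user` in the following hunks. Presumably a header elsewhere in the patch wraps these functions in same-named macros; a single comment at the first site, e.g. `/* undo the same-named wrapper macro so the real function can be defined */`, naming that header, would be enough.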
53808 @@ -1592,6 +1655,7 @@ EXPORT_SYMBOL(__vmalloc);
53809   *     For tight control over page level allocator and protection flags
53810   *     use __vmalloc() instead.
53811   */
53812 +#undef vmalloc
53813  void *vmalloc(unsigned long size)
53814  {
53815         return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53816 @@ -1606,6 +1670,7 @@ EXPORT_SYMBOL(vmalloc);
53817   * The resulting memory area is zeroed so it can be mapped to userspace
53818   * without leaking data.
53819   */
53820 +#undef vmalloc_user
53821  void *vmalloc_user(unsigned long size)
53822  {
53823         struct vm_struct *area;
53824 @@ -1633,6 +1698,7 @@ EXPORT_SYMBOL(vmalloc_user);
53825   *     For tight control over page level allocator and protection flags
53826   *     use __vmalloc() instead.
53827   */
53828 +#undef vmalloc_node
53829  void *vmalloc_node(unsigned long size, int node)
53830  {
53831         return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
53832 @@ -1655,10 +1721,10 @@ EXPORT_SYMBOL(vmalloc_node);
53833   *     For tight control over page level allocator and protection flags
53834   *     use __vmalloc() instead.
53835   */
53836 -
53837 +#undef vmalloc_exec
53838  void *vmalloc_exec(unsigned long size)
53839  {
53840 -       return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
53841 +       return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
53842                               -1, __builtin_return_address(0));
53843  }
53844  
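Review bot: `vmalloc_exec` now passes `__GFP_ZERO`, but the kernel-doc block above it (its tail is visible as context) is left unchanged, so the zeroing guarantee is undocumented. Add a line to that comment such as ` *	The returned memory is zeroed, so no stale data is left in executable pages.`. If the zeroing is meant as a hardening guarantee rather than a convenience, saying so will keep a later cleanup from dropping the flag as redundant.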
53845 @@ -1677,6 +1743,7 @@ void *vmalloc_exec(unsigned long size)
53846   *     Allocate enough 32bit PA addressable pages to cover @size from the
53847   *     page level allocator and map them into contiguous kernel virtual space.
53848   */
53849 +#undef vmalloc_32
53850  void *vmalloc_32(unsigned long size)
53851  {
53852         return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
53853 @@ -1691,6 +1758,7 @@ EXPORT_SYMBOL(vmalloc_32);
53854   * The resulting memory area is 32bit addressable and zeroed so it can be
53855   * mapped to userspace without leaking data.
53856   */
53857 +#undef vmalloc_32_user
53858  void *vmalloc_32_user(unsigned long size)
53859  {
53860         struct vm_struct *area;
53861 diff -urNp linux-2.6.35.5/mm/vmstat.c linux-2.6.35.5/mm/vmstat.c
53862 --- linux-2.6.35.5/mm/vmstat.c  2010-08-26 19:47:12.000000000 -0400
53863 +++ linux-2.6.35.5/mm/vmstat.c  2010-09-17 20:12:37.000000000 -0400
53864 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
53865   *
53866   * vm_stat contains the global counters
53867   */
53868 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53869 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
53870  EXPORT_SYMBOL(vm_stat);
53871  
53872  #ifdef CONFIG_SMP
53873 @@ -315,7 +315,7 @@ void refresh_cpu_vm_stats(int cpu)
53874                                 v = p->vm_stat_diff[i];
53875                                 p->vm_stat_diff[i] = 0;
53876                                 local_irq_restore(flags);
53877 -                               atomic_long_add(v, &zone->vm_stat[i]);
53878 +                               atomic_long_add_unchecked(v, &zone->vm_stat[i]);
53879                                 global_diff[i] += v;
53880  #ifdef CONFIG_NUMA
53881                                 /* 3 seconds idle till flush */
53882 @@ -353,7 +353,7 @@ void refresh_cpu_vm_stats(int cpu)
53883  
53884         for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
53885                 if (global_diff[i])
53886 -                       atomic_long_add(global_diff[i], &vm_stat[i]);
53887 +                       atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
53888  }
53889  
53890  #endif
53891 @@ -1038,10 +1038,16 @@ static int __init setup_vmstat(void)
53892                 start_cpu_timer(cpu);
53893  #endif
53894  #ifdef CONFIG_PROC_FS
53895 -       proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
53896 -       proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
53897 -       proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
53898 -       proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
53899 +       {
53900 +               mode_t gr_mode = S_IRUGO;
53901 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
53902 +               gr_mode = S_IRUSR;
53903 +#endif
53904 +               proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
53905 +               proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
53906 +               proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
53907 +               proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
53908 +       }
53909  #endif
53910         return 0;
53911  }
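Review bot: The bare `{ ... }` block exists only to scope `gr_mode`, the variable is assigned twice when `CONFIG_GRKERNSEC_PROC_ADD` is set, and nothing says what the tighter mode is protecting. A comment above the declaration such as `/* allocator and zone statistics are owner-readable only under GRKERNSEC_PROC_ADD */` would record the intent, and an `#ifdef`/`#else` pair that initialises a `const mode_t gr_mode` once would avoid the dead store. The return values of the four `proc_create()` calls are still ignored, as they were before the change.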
53912 diff -urNp linux-2.6.35.5/net/8021q/vlan.c linux-2.6.35.5/net/8021q/vlan.c
53913 --- linux-2.6.35.5/net/8021q/vlan.c     2010-08-26 19:47:12.000000000 -0400
53914 +++ linux-2.6.35.5/net/8021q/vlan.c     2010-09-17 20:12:09.000000000 -0400
53915 @@ -618,8 +618,7 @@ static int vlan_ioctl_handler(struct net
53916                 err = -EPERM;
53917                 if (!capable(CAP_NET_ADMIN))
53918                         break;
53919 -               if ((args.u.name_type >= 0) &&
53920 -                   (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
53921 +               if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
53922                         struct vlan_net *vn;
53923  
53924                         vn = net_generic(net, vlan_net_id);
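Review bot: Dropping the `args.u.name_type >= 0` test leaves `args.u.name_type < VLAN_NAME_TYPE_HIGHEST` as the only bound on a value that presumably arrives through the ioctl argument, which is sufficient only if `name_type` is an unsigned type. Its declaration is not in this hunk, so that should be confirmed; if the field were signed, a negative value would pass this check. A one-line comment keeps the assumption visible: `/* name_type is unsigned, so no lower bound is needed */`. `vlan_ioctl_handler` starts and ends outside the hunk.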
53925 diff -urNp linux-2.6.35.5/net/atm/atm_misc.c linux-2.6.35.5/net/atm/atm_misc.c
53926 --- linux-2.6.35.5/net/atm/atm_misc.c   2010-08-26 19:47:12.000000000 -0400
53927 +++ linux-2.6.35.5/net/atm/atm_misc.c   2010-09-17 20:12:09.000000000 -0400
53928 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int 
53929         if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
53930                 return 1;
53931         atm_return(vcc, truesize);
53932 -       atomic_inc(&vcc->stats->rx_drop);
53933 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
53934         return 0;
53935  }
53936  EXPORT_SYMBOL(atm_charge);
53937 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct 
53938                 }
53939         }
53940         atm_return(vcc, guess);
53941 -       atomic_inc(&vcc->stats->rx_drop);
53942 +       atomic_inc_unchecked(&vcc->stats->rx_drop);
53943         return NULL;
53944  }
53945  EXPORT_SYMBOL(atm_alloc_charge);
53946 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
53947  
53948  void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53949  {
53950 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
53951 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
53952         __SONET_ITEMS
53953  #undef __HANDLE_ITEM
53954  }
53955 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
53956  
53957  void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
53958  {
53959 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
53960 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
53961         __SONET_ITEMS
53962  #undef __HANDLE_ITEM
53963  }
53964 diff -urNp linux-2.6.35.5/net/atm/proc.c linux-2.6.35.5/net/atm/proc.c
53965 --- linux-2.6.35.5/net/atm/proc.c       2010-08-26 19:47:12.000000000 -0400
53966 +++ linux-2.6.35.5/net/atm/proc.c       2010-09-17 20:12:37.000000000 -0400
53967 @@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
53968    const struct k_atm_aal_stats *stats)
53969  {
53970         seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
53971 -                  atomic_read(&stats->tx), atomic_read(&stats->tx_err),
53972 -                  atomic_read(&stats->rx), atomic_read(&stats->rx_err),
53973 -                  atomic_read(&stats->rx_drop));
53974 +                  atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
53975 +                  atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
53976 +                  atomic_read_unchecked(&stats->rx_drop));
53977  }
53978  
53979  static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
53980 @@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
53981  {
53982         struct sock *sk = sk_atm(vcc);
53983  
53984 +#ifdef CONFIG_GRKERNSEC_HIDESYM
53985 +       seq_printf(seq, "%p ", NULL);
53986 +#else
53987         seq_printf(seq, "%p ", vcc);
53988 +#endif
53989 +
53990         if (!vcc->dev)
53991                 seq_printf(seq, "Unassigned    ");
53992         else
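Review bot: Under `CONFIG_GRKERNSEC_HIDESYM` the address column is still emitted, now with `NULL` passed to `%p`, so readers of this proc file get the kernel's rendering of a null pointer instead of a hex address; that output change deserves a comment at the call site. The same open-coded `#ifdef` appears in `get_openreq4`, `get_tcp4_sock` and `get_timewait4_sock` in net/ipv4/tcp_ipv4.c and in `udp4_format_sock` in net/ipv4/udp.c further down this patch. A comment such as `/* HIDESYM: keep the column but never expose the kernel address */` at each site, or one shared helper macro in a header, would keep the five sites consistent.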
53993 diff -urNp linux-2.6.35.5/net/atm/resources.c linux-2.6.35.5/net/atm/resources.c
53994 --- linux-2.6.35.5/net/atm/resources.c  2010-08-26 19:47:12.000000000 -0400
53995 +++ linux-2.6.35.5/net/atm/resources.c  2010-09-17 20:12:09.000000000 -0400
53996 @@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
53997  static void copy_aal_stats(struct k_atm_aal_stats *from,
53998      struct atm_aal_stats *to)
53999  {
54000 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
54001 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
54002         __AAL_STAT_ITEMS
54003  #undef __HANDLE_ITEM
54004  }
54005 @@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
54006  static void subtract_aal_stats(struct k_atm_aal_stats *from,
54007      struct atm_aal_stats *to)
54008  {
54009 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
54010 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
54011         __AAL_STAT_ITEMS
54012  #undef __HANDLE_ITEM
54013  }
54014 diff -urNp linux-2.6.35.5/net/bridge/br_stp_if.c linux-2.6.35.5/net/bridge/br_stp_if.c
54015 --- linux-2.6.35.5/net/bridge/br_stp_if.c       2010-08-26 19:47:12.000000000 -0400
54016 +++ linux-2.6.35.5/net/bridge/br_stp_if.c       2010-09-17 20:12:09.000000000 -0400
54017 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
54018         char *envp[] = { NULL };
54019  
54020         if (br->stp_enabled == BR_USER_STP) {
54021 -               r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
54022 +               r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
54023                 br_info(br, "userspace STP stopped, return code %d\n", r);
54024  
54025                 /* To start timers on any ports left in blocking */
54026 diff -urNp linux-2.6.35.5/net/bridge/netfilter/ebtables.c linux-2.6.35.5/net/bridge/netfilter/ebtables.c
54027 --- linux-2.6.35.5/net/bridge/netfilter/ebtables.c      2010-08-26 19:47:12.000000000 -0400
54028 +++ linux-2.6.35.5/net/bridge/netfilter/ebtables.c      2010-09-17 20:12:09.000000000 -0400
54029 @@ -1501,7 +1501,7 @@ static int do_ebt_get_ctl(struct sock *s
54030                         tmp.valid_hooks = t->table->valid_hooks;
54031                 }
54032                 mutex_unlock(&ebt_mutex);
54033 -               if (copy_to_user(user, &tmp, *len) != 0){
54034 +               if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
54035                         BUGPRINT("c2u Didn't work\n");
54036                         ret = -EFAULT;
54037                         break;
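Review bot: The new `*len > sizeof(tmp)` guard reports an oversized length as `-EFAULT` and logs "c2u Didn't work", which is indistinguishable from a real copy fault; unless callers are known to depend on that errno, a separate `if (*len > sizeof(tmp)) { ret = -EINVAL; break; }` before the copy would be clearer. The guard is also only as strong as `sizeof`: it bounds the copy correctly when the source is an array or object declared in scope, as `tmp` appears to be, but would bound to pointer size if a source were a pointer. The same `len > sizeof(x) || copy_to_user(...)` pattern is added in `sock_getsockopt` (`address`, `v`), `dn_node_address_handler` (`addr`), `dn_def_dev_handler` (`devname`) and `tcpprobe_read` (`tbuf`); their declarations are outside the hunks and should be checked the same way.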
54038 diff -urNp linux-2.6.35.5/net/core/dev.c linux-2.6.35.5/net/core/dev.c
54039 --- linux-2.6.35.5/net/core/dev.c       2010-08-26 19:47:12.000000000 -0400
54040 +++ linux-2.6.35.5/net/core/dev.c       2010-09-17 20:12:09.000000000 -0400
54041 @@ -2541,7 +2541,7 @@ int netif_rx_ni(struct sk_buff *skb)
54042  }
54043  EXPORT_SYMBOL(netif_rx_ni);
54044  
54045 -static void net_tx_action(struct softirq_action *h)
54046 +static void net_tx_action(void)
54047  {
54048         struct softnet_data *sd = &__get_cpu_var(softnet_data);
54049  
54050 @@ -3474,7 +3474,7 @@ void netif_napi_del(struct napi_struct *
54051  }
54052  EXPORT_SYMBOL(netif_napi_del);
54053  
54054 -static void net_rx_action(struct softirq_action *h)
54055 +static void net_rx_action(void)
54056  {
54057         struct softnet_data *sd = &__get_cpu_var(softnet_data);
54058         unsigned long time_limit = jiffies + 2;
54059 diff -urNp linux-2.6.35.5/net/core/net-sysfs.c linux-2.6.35.5/net/core/net-sysfs.c
54060 --- linux-2.6.35.5/net/core/net-sysfs.c 2010-08-26 19:47:12.000000000 -0400
54061 +++ linux-2.6.35.5/net/core/net-sysfs.c 2010-09-17 20:12:09.000000000 -0400
54062 @@ -511,7 +511,7 @@ static ssize_t rx_queue_attr_store(struc
54063         return attribute->store(queue, attribute, buf, count);
54064  }
54065  
54066 -static struct sysfs_ops rx_queue_sysfs_ops = {
54067 +static const struct sysfs_ops rx_queue_sysfs_ops = {
54068         .show = rx_queue_attr_show,
54069         .store = rx_queue_attr_store,
54070  };
54071 diff -urNp linux-2.6.35.5/net/core/sock.c linux-2.6.35.5/net/core/sock.c
54072 --- linux-2.6.35.5/net/core/sock.c      2010-08-26 19:47:12.000000000 -0400
54073 +++ linux-2.6.35.5/net/core/sock.c      2010-09-17 20:12:09.000000000 -0400
54074 @@ -915,7 +915,7 @@ int sock_getsockopt(struct socket *sock,
54075                         return -ENOTCONN;
54076                 if (lv < len)
54077                         return -EINVAL;
54078 -               if (copy_to_user(optval, address, len))
54079 +               if (len > sizeof(address) || copy_to_user(optval, address, len))
54080                         return -EFAULT;
54081                 goto lenout;
54082         }
54083 @@ -948,7 +948,7 @@ int sock_getsockopt(struct socket *sock,
54084  
54085         if (len > lv)
54086                 len = lv;
54087 -       if (copy_to_user(optval, &v, len))
54088 +       if (len > sizeof(v) || copy_to_user(optval, &v, len))
54089                 return -EFAULT;
54090  lenout:
54091         if (put_user(len, optlen))
54092 diff -urNp linux-2.6.35.5/net/dccp/ccids/ccid3.c linux-2.6.35.5/net/dccp/ccids/ccid3.c
54093 --- linux-2.6.35.5/net/dccp/ccids/ccid3.c       2010-08-26 19:47:12.000000000 -0400
54094 +++ linux-2.6.35.5/net/dccp/ccids/ccid3.c       2010-09-17 20:12:09.000000000 -0400
54095 @@ -41,7 +41,7 @@
54096  static int ccid3_debug;
54097  #define ccid3_pr_debug(format, a...)   DCCP_PR_DEBUG(ccid3_debug, format, ##a)
54098  #else
54099 -#define ccid3_pr_debug(format, a...)
54100 +#define ccid3_pr_debug(format, a...) do {} while (0)
54101  #endif
54102  
54103  /*
54104 diff -urNp linux-2.6.35.5/net/dccp/dccp.h linux-2.6.35.5/net/dccp/dccp.h
54105 --- linux-2.6.35.5/net/dccp/dccp.h      2010-08-26 19:47:12.000000000 -0400
54106 +++ linux-2.6.35.5/net/dccp/dccp.h      2010-09-17 20:12:09.000000000 -0400
54107 @@ -44,9 +44,9 @@ extern int dccp_debug;
54108  #define dccp_pr_debug_cat(format, a...)   DCCP_PRINTK(dccp_debug, format, ##a)
54109  #define dccp_debug(fmt, a...)            dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
54110  #else
54111 -#define dccp_pr_debug(format, a...)
54112 -#define dccp_pr_debug_cat(format, a...)
54113 -#define dccp_debug(format, a...)
54114 +#define dccp_pr_debug(format, a...) do {} while (0)
54115 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
54116 +#define dccp_debug(format, a...) do {} while (0)
54117  #endif
54118  
54119  extern struct inet_hashinfo dccp_hashinfo;
54120 diff -urNp linux-2.6.35.5/net/decnet/sysctl_net_decnet.c linux-2.6.35.5/net/decnet/sysctl_net_decnet.c
54121 --- linux-2.6.35.5/net/decnet/sysctl_net_decnet.c       2010-08-26 19:47:12.000000000 -0400
54122 +++ linux-2.6.35.5/net/decnet/sysctl_net_decnet.c       2010-09-17 20:12:37.000000000 -0400
54123 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
54124  
54125         if (len > *lenp) len = *lenp;
54126  
54127 -       if (copy_to_user(buffer, addr, len))
54128 +       if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
54129                 return -EFAULT;
54130  
54131         *lenp = len;
54132 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table 
54133  
54134         if (len > *lenp) len = *lenp;
54135  
54136 -       if (copy_to_user(buffer, devname, len))
54137 +       if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
54138                 return -EFAULT;
54139  
54140         *lenp = len;
54141 diff -urNp linux-2.6.35.5/net/ipv4/inet_hashtables.c linux-2.6.35.5/net/ipv4/inet_hashtables.c
54142 --- linux-2.6.35.5/net/ipv4/inet_hashtables.c   2010-08-26 19:47:12.000000000 -0400
54143 +++ linux-2.6.35.5/net/ipv4/inet_hashtables.c   2010-09-17 20:12:37.000000000 -0400
54144 @@ -18,11 +18,14 @@
54145  #include <linux/sched.h>
54146  #include <linux/slab.h>
54147  #include <linux/wait.h>
54148 +#include <linux/security.h>
54149  
54150  #include <net/inet_connection_sock.h>
54151  #include <net/inet_hashtables.h>
54152  #include <net/route.h>
54153  #include <net/ip.h>
54154  
54155 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
54156 +
54157  /*
54158   * Allocate and initialize a new local port bind bucket.
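Review bot: `gr_update_task_in_ip_table` is declared with a local `extern` in this .c file rather than in a header, so the compiler never checks this prototype against the function's definition and a later signature change would go unnoticed here. The pattern recurs further down the patch: `extern int grsec_enable_blackhole;` in tcp_ipv4.c, tcp_minisocks.c, udp.c, net/ipv6/tcp_ipv6.c and net/ipv6/udp.c, `extern int grsec_lastack_retries;` in tcp_timer.c, and the two `gr_search_udp_*` prototypes in net/ipv4/udp.c. Moving these declarations into one header included by both the definition and the users would restore that checking; if the `<linux/security.h>` include added here is where the grsecurity prototypes live, the declaration could go there.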
54159 @@ -508,6 +511,8 @@ ok:
54160                         twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
54161                 spin_unlock(&head->lock);
54162  
54163 +               gr_update_task_in_ip_table(current, inet_sk(sk));
54164 +
54165                 if (tw) {
54166                         inet_twsk_deschedule(tw, death_row);
54167                         while (twrefcnt) {
54168 diff -urNp linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c
54169 --- linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c       2010-08-26 19:47:12.000000000 -0400
54170 +++ linux-2.6.35.5/net/ipv4/netfilter/nf_nat_snmp_basic.c       2010-09-17 20:12:09.000000000 -0400
54171 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
54172  
54173         *len = 0;
54174  
54175 -       *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
54176 +       *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
54177         if (*octets == NULL) {
54178                 if (net_ratelimit())
54179                         pr_notice("OOM in bsalg (%d)\n", __LINE__);
54180 diff -urNp linux-2.6.35.5/net/ipv4/tcp_ipv4.c linux-2.6.35.5/net/ipv4/tcp_ipv4.c
54181 --- linux-2.6.35.5/net/ipv4/tcp_ipv4.c  2010-08-26 19:47:12.000000000 -0400
54182 +++ linux-2.6.35.5/net/ipv4/tcp_ipv4.c  2010-09-17 20:12:37.000000000 -0400
54183 @@ -85,6 +85,9 @@
54184  int sysctl_tcp_tw_reuse __read_mostly;
54185  int sysctl_tcp_low_latency __read_mostly;
54186  
54187 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54188 +extern int grsec_enable_blackhole;
54189 +#endif
54190  
54191  #ifdef CONFIG_TCP_MD5SIG
54192  static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
54193 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
54194         return 0;
54195  
54196  reset:
54197 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54198 +       if (!grsec_enable_blackhole)
54199 +#endif
54200         tcp_v4_send_reset(rsk, skb);
54201  discard:
54202         kfree_skb(skb);
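Review bot: The added `if (!grsec_enable_blackhole)` guards `tcp_v4_send_reset(rsk, skb);` without braces and without re-indenting the guarded call, so with `CONFIG_GRKERNSEC_BLACKHOLE` set the code reads as if the reset were unconditional. Anyone inserting a statement between the `#endif` and the call would silently change what is suppressed. The same construction is used in the `no_tcp_socket` path of `tcp_v4_rcv`, at `embryonic_reset` in tcp_minisocks.c (where it stacks on a second unbraced `if`), in `__udp4_lib_rcv`, and in the IPv6 counterparts. A comment on the guard, e.g. `/* blackhole: send no RST; this if governs exactly the next statement */`, would make the dependency explicit.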
54203 @@ -1654,12 +1660,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
54204         TCP_SKB_CB(skb)->sacked  = 0;
54205  
54206         sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54207 -       if (!sk)
54208 +       if (!sk) {
54209 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54210 +               ret = 1;
54211 +#endif
54212                 goto no_tcp_socket;
54213 -
54214 +       }
54215  process:
54216 -       if (sk->sk_state == TCP_TIME_WAIT)
54217 +       if (sk->sk_state == TCP_TIME_WAIT) {
54218 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54219 +               ret = 2;
54220 +#endif
54221                 goto do_time_wait;
54222 +       }
54223  
54224         if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
54225                 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
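Review bot: `ret` is reused as a marker with the bare values `1` (no socket found) and `2` (TIME_WAIT), and only `ret == 1` is tested in the `no_tcp_socket` hunk below; within the visible hunks `ret = 2` is never read. Either drop the unused assignment or document both values where they are set, e.g. `ret = 1; /* blackhole: no matching socket, RST still allowed on loopback */`. Because `ret` is also used elsewhere in the function, it is worth confirming outside this hunk that no other path reaches `no_tcp_socket` with a stale value of 1. `tcp_v6_rcv` in net/ipv6/tcp_ipv6.c gets the identical change.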
54226 @@ -1709,6 +1722,10 @@ no_tcp_socket:
54227  bad_packet:
54228                 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54229         } else {
54230 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54231 +               if (!grsec_enable_blackhole || (ret == 1 &&
54232 +                   (skb->dev->flags & IFF_LOOPBACK)))
54233 +#endif
54234                 tcp_v4_send_reset(NULL, skb);
54235         }
54236  
54237 @@ -2316,7 +2333,11 @@ static void get_openreq4(struct sock *sk
54238                 0,  /* non standard timer */
54239                 0, /* open_requests have no inode */
54240                 atomic_read(&sk->sk_refcnt),
54241 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54242 +               NULL,
54243 +#else
54244                 req,
54245 +#endif
54246                 len);
54247  }
54248  
54249 @@ -2366,7 +2387,12 @@ static void get_tcp4_sock(struct sock *s
54250                 sock_i_uid(sk),
54251                 icsk->icsk_probes_out,
54252                 sock_i_ino(sk),
54253 -               atomic_read(&sk->sk_refcnt), sk,
54254 +               atomic_read(&sk->sk_refcnt),
54255 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54256 +               NULL,
54257 +#else
54258 +               sk,
54259 +#endif
54260                 jiffies_to_clock_t(icsk->icsk_rto),
54261                 jiffies_to_clock_t(icsk->icsk_ack.ato),
54262                 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
54263 @@ -2394,7 +2420,13 @@ static void get_timewait4_sock(struct in
54264                 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
54265                 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
54266                 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
54267 -               atomic_read(&tw->tw_refcnt), tw, len);
54268 +               atomic_read(&tw->tw_refcnt),
54269 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54270 +               NULL,
54271 +#else
54272 +               tw,
54273 +#endif
54274 +               len);
54275  }
54276  
54277  #define TMPSZ 150
54278 diff -urNp linux-2.6.35.5/net/ipv4/tcp_minisocks.c linux-2.6.35.5/net/ipv4/tcp_minisocks.c
54279 --- linux-2.6.35.5/net/ipv4/tcp_minisocks.c     2010-08-26 19:47:12.000000000 -0400
54280 +++ linux-2.6.35.5/net/ipv4/tcp_minisocks.c     2010-09-17 20:12:37.000000000 -0400
54281 @@ -27,6 +27,10 @@
54282  #include <net/inet_common.h>
54283  #include <net/xfrm.h>
54284  
54285 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54286 +extern int grsec_enable_blackhole;
54287 +#endif
54288 +
54289  int sysctl_tcp_syncookies __read_mostly = 1;
54290  EXPORT_SYMBOL(sysctl_tcp_syncookies);
54291  
54292 @@ -700,6 +704,10 @@ listen_overflow:
54293  
54294  embryonic_reset:
54295         NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
54296 +
54297 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54298 +       if (!grsec_enable_blackhole)
54299 +#endif
54300         if (!(flg & TCP_FLAG_RST))
54301                 req->rsk_ops->send_reset(sk, skb);
54302  
54303 diff -urNp linux-2.6.35.5/net/ipv4/tcp_probe.c linux-2.6.35.5/net/ipv4/tcp_probe.c
54304 --- linux-2.6.35.5/net/ipv4/tcp_probe.c 2010-08-26 19:47:12.000000000 -0400
54305 +++ linux-2.6.35.5/net/ipv4/tcp_probe.c 2010-09-17 20:12:37.000000000 -0400
54306 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
54307                 if (cnt + width >= len)
54308                         break;
54309  
54310 -               if (copy_to_user(buf + cnt, tbuf, width))
54311 +               if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
54312                         return -EFAULT;
54313                 cnt += width;
54314         }
54315 diff -urNp linux-2.6.35.5/net/ipv4/tcp_timer.c linux-2.6.35.5/net/ipv4/tcp_timer.c
54316 --- linux-2.6.35.5/net/ipv4/tcp_timer.c 2010-08-26 19:47:12.000000000 -0400
54317 +++ linux-2.6.35.5/net/ipv4/tcp_timer.c 2010-09-17 20:12:37.000000000 -0400
54318 @@ -22,6 +22,10 @@
54319  #include <linux/gfp.h>
54320  #include <net/tcp.h>
54321  
54322 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54323 +extern int grsec_lastack_retries;
54324 +#endif
54325 +
54326  int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
54327  int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
54328  int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
54329 @@ -195,6 +199,13 @@ static int tcp_write_timeout(struct sock
54330                 }
54331         }
54332  
54333 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54334 +       if ((sk->sk_state == TCP_LAST_ACK) &&
54335 +           (grsec_lastack_retries > 0) &&
54336 +           (grsec_lastack_retries < retry_until))
54337 +               retry_until = grsec_lastack_retries;
54338 +#endif
54339 +
54340         if (retransmits_timed_out(sk, retry_until)) {
54341                 /* Has it gone just too far? */
54342                 tcp_write_err(sk);
54343 diff -urNp linux-2.6.35.5/net/ipv4/udp.c linux-2.6.35.5/net/ipv4/udp.c
54344 --- linux-2.6.35.5/net/ipv4/udp.c       2010-08-26 19:47:12.000000000 -0400
54345 +++ linux-2.6.35.5/net/ipv4/udp.c       2010-09-17 20:12:37.000000000 -0400
54346 @@ -86,6 +86,7 @@
54347  #include <linux/types.h>
54348  #include <linux/fcntl.h>
54349  #include <linux/module.h>
54350 +#include <linux/security.h>
54351  #include <linux/socket.h>
54352  #include <linux/sockios.h>
54353  #include <linux/igmp.h>
54354 @@ -107,6 +108,10 @@
54355  #include <net/xfrm.h>
54356  #include "udp_impl.h"
54357  
54358 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54359 +extern int grsec_enable_blackhole;
54360 +#endif
54361 +
54362  struct udp_table udp_table __read_mostly;
54363  EXPORT_SYMBOL(udp_table);
54364  
54365 @@ -564,6 +569,9 @@ found:
54366         return s;
54367  }
54368  
54369 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
54370 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
54371 +
54372  /*
54373   * This routine is called by the ICMP module when it gets some
54374   * sort of error condition.  If err < 0 then the socket should
54375 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
54376                 dport = usin->sin_port;
54377                 if (dport == 0)
54378                         return -EINVAL;
54379 +
54380 +               err = gr_search_udp_sendmsg(sk, usin);
54381 +               if (err)
54382 +                       return err;
54383         } else {
54384                 if (sk->sk_state != TCP_ESTABLISHED)
54385                         return -EDESTADDRREQ;
54386 +
54387 +               err = gr_search_udp_sendmsg(sk, NULL);
54388 +               if (err)
54389 +                       return err;
54390 +
54391                 daddr = inet->inet_daddr;
54392                 dport = inet->inet_dport;
54393                 /* Open fast path for connected socket.
54394 @@ -1141,6 +1158,10 @@ try_again:
54395         if (!skb)
54396                 goto out;
54397  
54398 +       err = gr_search_udp_recvmsg(sk, skb);
54399 +       if (err)
54400 +               goto out_free;
54401 +
54402         ulen = skb->len - sizeof(struct udphdr);
54403         if (len > ulen)
54404                 len = ulen;
54405 @@ -1582,6 +1603,9 @@ int __udp4_lib_rcv(struct sk_buff *skb, 
54406                 goto csum_error;
54407  
54408         UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
54409 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54410 +       if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54411 +#endif
54412         icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
54413  
54414         /*
54415 @@ -2007,7 +2031,12 @@ static void udp4_format_sock(struct sock
54416                 sk_wmem_alloc_get(sp),
54417                 sk_rmem_alloc_get(sp),
54418                 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
54419 -               atomic_read(&sp->sk_refcnt), sp,
54420 +               atomic_read(&sp->sk_refcnt),
54421 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54422 +               NULL,
54423 +#else
54424 +               sp,
54425 +#endif
54426                 atomic_read(&sp->sk_drops), len);
54427  }
54428  
54429 diff -urNp linux-2.6.35.5/net/ipv6/exthdrs.c linux-2.6.35.5/net/ipv6/exthdrs.c
54430 --- linux-2.6.35.5/net/ipv6/exthdrs.c   2010-08-26 19:47:12.000000000 -0400
54431 +++ linux-2.6.35.5/net/ipv6/exthdrs.c   2010-09-17 20:12:09.000000000 -0400
54432 @@ -636,7 +636,7 @@ static struct tlvtype_proc tlvprochopopt
54433                 .type   = IPV6_TLV_JUMBO,
54434                 .func   = ipv6_hop_jumbo,
54435         },
54436 -       { -1, }
54437 +       { -1, NULL }
54438  };
54439  
54440  int ipv6_parse_hopopts(struct sk_buff *skb)
54441 diff -urNp linux-2.6.35.5/net/ipv6/raw.c linux-2.6.35.5/net/ipv6/raw.c
54442 --- linux-2.6.35.5/net/ipv6/raw.c       2010-08-26 19:47:12.000000000 -0400
54443 +++ linux-2.6.35.5/net/ipv6/raw.c       2010-09-17 20:12:09.000000000 -0400
54444 @@ -601,7 +601,7 @@ out:
54445         return err;
54446  }
54447  
54448 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
54449 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
54450                         struct flowi *fl, struct rt6_info *rt,
54451                         unsigned int flags)
54452  {
54453 diff -urNp linux-2.6.35.5/net/ipv6/tcp_ipv6.c linux-2.6.35.5/net/ipv6/tcp_ipv6.c
54454 --- linux-2.6.35.5/net/ipv6/tcp_ipv6.c  2010-08-26 19:47:12.000000000 -0400
54455 +++ linux-2.6.35.5/net/ipv6/tcp_ipv6.c  2010-09-17 20:23:25.000000000 -0400
54456 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
54457  }
54458  #endif
54459  
54460 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54461 +extern int grsec_enable_blackhole;
54462 +#endif
54463 +
54464  static void tcp_v6_hash(struct sock *sk)
54465  {
54466         if (sk->sk_state != TCP_CLOSE) {
54467 @@ -1641,6 +1645,9 @@ static int tcp_v6_do_rcv(struct sock *sk
54468         return 0;
54469  
54470  reset:
54471 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54472 +       if (!grsec_enable_blackhole)
54473 +#endif
54474         tcp_v6_send_reset(sk, skb);
54475  discard:
54476         if (opt_skb)
54477 @@ -1720,12 +1727,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
54478         TCP_SKB_CB(skb)->sacked = 0;
54479  
54480         sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
54481 -       if (!sk)
54482 +       if (!sk) {
54483 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54484 +               ret = 1;
54485 +#endif
54486                 goto no_tcp_socket;
54487 +       }
54488  
54489  process:
54490 -       if (sk->sk_state == TCP_TIME_WAIT)
54491 +       if (sk->sk_state == TCP_TIME_WAIT) {
54492 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54493 +               ret = 2;
54494 +#endif
54495                 goto do_time_wait;
54496 +       }
54497  
54498         if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
54499                 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
54500 @@ -1773,6 +1788,10 @@ no_tcp_socket:
54501  bad_packet:
54502                 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
54503         } else {
54504 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54505 +               if (!grsec_enable_blackhole || (ret == 1 &&
54506 +                   (skb->dev->flags & IFF_LOOPBACK)))
54507 +#endif
54508                 tcp_v6_send_reset(NULL, skb);
54509         }
54510  
54511 diff -urNp linux-2.6.35.5/net/ipv6/udp.c linux-2.6.35.5/net/ipv6/udp.c
54512 --- linux-2.6.35.5/net/ipv6/udp.c       2010-08-26 19:47:12.000000000 -0400
54513 +++ linux-2.6.35.5/net/ipv6/udp.c       2010-09-17 20:12:37.000000000 -0400
54514 @@ -50,6 +50,10 @@
54515  #include <linux/seq_file.h>
54516  #include "udp_impl.h"
54517  
54518 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54519 +extern int grsec_enable_blackhole;
54520 +#endif
54521 +
54522  int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
54523  {
54524         const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
54525 @@ -756,6 +760,9 @@ int __udp6_lib_rcv(struct sk_buff *skb, 
54526                 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
54527                                 proto == IPPROTO_UDPLITE);
54528  
54529 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
54530 +               if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
54531 +#endif
54532                 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
54533  
54534                 kfree_skb(skb);
54535 diff -urNp linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c
54536 --- linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c 2010-08-26 19:47:12.000000000 -0400
54537 +++ linux-2.6.35.5/net/irda/ircomm/ircomm_tty.c 2010-09-17 20:12:09.000000000 -0400
54538 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
54539         add_wait_queue(&self->open_wait, &wait);
54540  
54541         IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
54542 -             __FILE__,__LINE__, tty->driver->name, self->open_count );
54543 +             __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54544  
54545         /* As far as I can see, we protect open_count - Jean II */
54546         spin_lock_irqsave(&self->spinlock, flags);
54547         if (!tty_hung_up_p(filp)) {
54548                 extra_count = 1;
54549 -               self->open_count--;
54550 +               atomic_dec(&self->open_count);
54551         }
54552         spin_unlock_irqrestore(&self->spinlock, flags);
54553 -       self->blocked_open++;
54554 +       atomic_inc(&self->blocked_open);
54555  
54556         while (1) {
54557                 if (tty->termios->c_cflag & CBAUD) {
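Review bot: The context comment `/* As far as I can see, we protect open_count - Jean II */` no longer explains why the spinlock is taken now that the counter is updated with `atomic_dec()`, while `blocked_open` is changed outside the lock. The `/* ++ is not atomic, so this should be protected - Jean II */` comments kept in the -341 hunk and in the ircomm_tty_open hunk are stale in the same way. I would reword them to say what the lock still covers, for example `/* spinlock keeps open_count consistent with the tty fields updated alongside it */`, if that is the intent. ircomm_tty_block_til_ready continues outside this hunk.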
54558 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
54559                 }
54560  
54561                 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
54562 -                     __FILE__,__LINE__, tty->driver->name, self->open_count );
54563 +                     __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
54564  
54565                 schedule();
54566         }
54567 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
54568         if (extra_count) {
54569                 /* ++ is not atomic, so this should be protected - Jean II */
54570                 spin_lock_irqsave(&self->spinlock, flags);
54571 -               self->open_count++;
54572 +               atomic_inc(&self->open_count);
54573                 spin_unlock_irqrestore(&self->spinlock, flags);
54574         }
54575 -       self->blocked_open--;
54576 +       atomic_dec(&self->blocked_open);
54577  
54578         IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
54579 -             __FILE__,__LINE__, tty->driver->name, self->open_count);
54580 +             __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
54581  
54582         if (!retval)
54583                 self->flags |= ASYNC_NORMAL_ACTIVE;
54584 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
54585         }
54586         /* ++ is not atomic, so this should be protected - Jean II */
54587         spin_lock_irqsave(&self->spinlock, flags);
54588 -       self->open_count++;
54589 +       atomic_inc(&self->open_count);
54590  
54591         tty->driver_data = self;
54592         self->tty = tty;
54593         spin_unlock_irqrestore(&self->spinlock, flags);
54594  
54595         IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
54596 -                  self->line, self->open_count);
54597 +                  self->line, atomic_read(&self->open_count));
54598  
54599         /* Not really used by us, but lets do it anyway */
54600         self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
54601 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
54602                 return;
54603         }
54604  
54605 -       if ((tty->count == 1) && (self->open_count != 1)) {
54606 +       if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
54607                 /*
54608                  * Uh, oh.  tty->count is 1, which means that the tty
54609                  * structure will be freed.  state->count should always
54610 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
54611                  */
54612                 IRDA_DEBUG(0, "%s(), bad serial port count; "
54613                            "tty->count is 1, state->count is %d\n", __func__ ,
54614 -                          self->open_count);
54615 -               self->open_count = 1;
54616 +                          atomic_read(&self->open_count));
54617 +               atomic_set(&self->open_count, 1);
54618         }
54619  
54620 -       if (--self->open_count < 0) {
54621 +       if (atomic_dec_return(&self->open_count) < 0) {
54622                 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
54623 -                          __func__, self->line, self->open_count);
54624 -               self->open_count = 0;
54625 +                          __func__, self->line, atomic_read(&self->open_count));
54626 +               atomic_set(&self->open_count, 0);
54627         }
54628 -       if (self->open_count) {
54629 +       if (atomic_read(&self->open_count)) {
54630                 spin_unlock_irqrestore(&self->spinlock, flags);
54631  
54632                 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
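Review bot: In ircomm_tty_close the counter is now handled as separate atomic steps: `atomic_read()` followed by `atomic_set(…, 1)`, then `atomic_dec_return()` followed by `atomic_read()` and `atomic_set(…, 0)`. These are only consistent as a group while `self->spinlock` is held. The `spin_unlock_irqrestore()` at the end of the hunk suggests it is, but the acquisition is outside the hunk. A comment such as `/* open_count fix-ups below rely on self->spinlock, not on atomic_t */` would stop a later reader from dropping the lock. The IRDA_ERROR message could also print the value returned by `atomic_dec_return()` instead of re-reading the counter.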
54633 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
54634         tty->closing = 0;
54635         self->tty = NULL;
54636  
54637 -       if (self->blocked_open) {
54638 +       if (atomic_read(&self->blocked_open)) {
54639                 if (self->close_delay)
54640                         schedule_timeout_interruptible(self->close_delay);
54641                 wake_up_interruptible(&self->open_wait);
54642 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
54643         spin_lock_irqsave(&self->spinlock, flags);
54644         self->flags &= ~ASYNC_NORMAL_ACTIVE;
54645         self->tty = NULL;
54646 -       self->open_count = 0;
54647 +       atomic_set(&self->open_count, 0);
54648         spin_unlock_irqrestore(&self->spinlock, flags);
54649  
54650         wake_up_interruptible(&self->open_wait);
54651 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct 
54652         seq_putc(m, '\n');
54653  
54654         seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
54655 -       seq_printf(m, "Open count: %d\n", self->open_count);
54656 +       seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
54657         seq_printf(m, "Max data size: %d\n", self->max_data_size);
54658         seq_printf(m, "Max header size: %d\n", self->max_header_size);
54659  
54660 diff -urNp linux-2.6.35.5/net/key/af_key.c linux-2.6.35.5/net/key/af_key.c
54661 --- linux-2.6.35.5/net/key/af_key.c     2010-08-26 19:47:12.000000000 -0400
54662 +++ linux-2.6.35.5/net/key/af_key.c     2010-09-17 20:12:37.000000000 -0400
54663 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
54664                 seq_printf(f ,"sk       RefCnt Rmem   Wmem   User   Inode\n");
54665         else
54666                 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
54667 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54668 +                              NULL,
54669 +#else
54670                                s,
54671 +#endif
54672                                atomic_read(&s->sk_refcnt),
54673                                sk_rmem_alloc_get(s),
54674                                sk_wmem_alloc_get(s),
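Review bot: Replacing the socket pointer with `NULL` under `CONFIG_GRKERNSEC_HIDESYM` is done with an `#ifdef` inside the `seq_printf()` argument list, and the same four-line pattern is repeated in netlink_seq_show (twice), packet_seq_show and unix_seq_show. A single macro defined once, expanding to `NULL` or to its argument, would keep the sites consistent and avoid preprocessor directives inside a call's arguments, which is undefined if the callee is ever a function-like macro. The `%p` column of this seq_file output then no longer identifies a socket, so the site deserves a comment such as `/* address hidden from userspace when HIDESYM is set */`. pfkey_seq_show starts and ends outside this hunk.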
54675 diff -urNp linux-2.6.35.5/net/mac80211/ieee80211_i.h linux-2.6.35.5/net/mac80211/ieee80211_i.h
54676 --- linux-2.6.35.5/net/mac80211/ieee80211_i.h   2010-08-26 19:47:12.000000000 -0400
54677 +++ linux-2.6.35.5/net/mac80211/ieee80211_i.h   2010-09-17 20:12:09.000000000 -0400
54678 @@ -649,7 +649,7 @@ struct ieee80211_local {
54679         /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
54680         spinlock_t queue_stop_reason_lock;
54681  
54682 -       int open_count;
54683 +       atomic_t open_count;
54684         int monitors, cooked_mntrs;
54685         /* number of interfaces with corresponding FIF_ flags */
54686         int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
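Review bot: `open_count` becomes `atomic_t`, but nothing beside the field says what serialises its users. ieee80211_open tests `atomic_read(&local->open_count) == 0` before `drv_start()` and only calls `atomic_inc()` in a later hunk, so the type alone does not make that sequence safe. If RTNL is what protects it (the rate.c hunk shows `ASSERT_RTNL()` just before its own read), a field comment like `/* changed under RTNL; atomic_t is for the type only */` would record that. struct ieee80211_local extends beyond this hunk.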
54687 diff -urNp linux-2.6.35.5/net/mac80211/iface.c linux-2.6.35.5/net/mac80211/iface.c
54688 --- linux-2.6.35.5/net/mac80211/iface.c 2010-08-26 19:47:12.000000000 -0400
54689 +++ linux-2.6.35.5/net/mac80211/iface.c 2010-09-17 20:12:09.000000000 -0400
54690 @@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
54691                 break;
54692         }
54693  
54694 -       if (local->open_count == 0) {
54695 +       if (atomic_read(&local->open_count) == 0) {
54696                 res = drv_start(local);
54697                 if (res)
54698                         goto err_del_bss;
54699 @@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
54700          * Validate the MAC address for this device.
54701          */
54702         if (!is_valid_ether_addr(dev->dev_addr)) {
54703 -               if (!local->open_count)
54704 +               if (!atomic_read(&local->open_count))
54705                         drv_stop(local);
54706                 return -EADDRNOTAVAIL;
54707         }
54708 @@ -308,7 +308,7 @@ static int ieee80211_open(struct net_dev
54709  
54710         hw_reconf_flags |= __ieee80211_recalc_idle(local);
54711  
54712 -       local->open_count++;
54713 +       atomic_inc(&local->open_count);
54714         if (hw_reconf_flags) {
54715                 ieee80211_hw_config(local, hw_reconf_flags);
54716                 /*
54717 @@ -336,7 +336,7 @@ static int ieee80211_open(struct net_dev
54718   err_del_interface:
54719         drv_remove_interface(local, &sdata->vif);
54720   err_stop:
54721 -       if (!local->open_count)
54722 +       if (!atomic_read(&local->open_count))
54723                 drv_stop(local);
54724   err_del_bss:
54725         sdata->bss = NULL;
54726 @@ -439,7 +439,7 @@ static int ieee80211_stop(struct net_dev
54727                 WARN_ON(!list_empty(&sdata->u.ap.vlans));
54728         }
54729  
54730 -       local->open_count--;
54731 +       atomic_dec(&local->open_count);
54732  
54733         switch (sdata->vif.type) {
54734         case NL80211_IFTYPE_AP_VLAN:
54735 @@ -542,7 +542,7 @@ static int ieee80211_stop(struct net_dev
54736  
54737         ieee80211_recalc_ps(local, -1);
54738  
54739 -       if (local->open_count == 0) {
54740 +       if (atomic_read(&local->open_count) == 0) {
54741                 ieee80211_clear_tx_pending(local);
54742                 ieee80211_stop_device(local);
54743  
54744 diff -urNp linux-2.6.35.5/net/mac80211/main.c linux-2.6.35.5/net/mac80211/main.c
54745 --- linux-2.6.35.5/net/mac80211/main.c  2010-09-20 17:33:09.000000000 -0400
54746 +++ linux-2.6.35.5/net/mac80211/main.c  2010-09-20 17:33:37.000000000 -0400
54747 @@ -148,7 +148,7 @@ int ieee80211_hw_config(struct ieee80211
54748                 local->hw.conf.power_level = power;
54749         }
54750  
54751 -       if (changed && local->open_count) {
54752 +       if (changed && atomic_read(&local->open_count)) {
54753                 ret = drv_config(local, changed);
54754                 /*
54755                  * Goal:
54756 diff -urNp linux-2.6.35.5/net/mac80211/pm.c linux-2.6.35.5/net/mac80211/pm.c
54757 --- linux-2.6.35.5/net/mac80211/pm.c    2010-08-26 19:47:12.000000000 -0400
54758 +++ linux-2.6.35.5/net/mac80211/pm.c    2010-09-17 20:12:09.000000000 -0400
54759 @@ -101,7 +101,7 @@ int __ieee80211_suspend(struct ieee80211
54760         }
54761  
54762         /* stop hardware - this must stop RX */
54763 -       if (local->open_count)
54764 +       if (atomic_read(&local->open_count))
54765                 ieee80211_stop_device(local);
54766  
54767         local->suspended = true;
54768 diff -urNp linux-2.6.35.5/net/mac80211/rate.c linux-2.6.35.5/net/mac80211/rate.c
54769 --- linux-2.6.35.5/net/mac80211/rate.c  2010-08-26 19:47:12.000000000 -0400
54770 +++ linux-2.6.35.5/net/mac80211/rate.c  2010-09-17 20:12:09.000000000 -0400
54771 @@ -355,7 +355,7 @@ int ieee80211_init_rate_ctrl_alg(struct 
54772  
54773         ASSERT_RTNL();
54774  
54775 -       if (local->open_count)
54776 +       if (atomic_read(&local->open_count))
54777                 return -EBUSY;
54778  
54779         if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
54780 diff -urNp linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c
54781 --- linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c   2010-08-26 19:47:12.000000000 -0400
54782 +++ linux-2.6.35.5/net/mac80211/rc80211_pid_debugfs.c   2010-09-17 20:12:09.000000000 -0400
54783 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
54784  
54785         spin_unlock_irqrestore(&events->lock, status);
54786  
54787 -       if (copy_to_user(buf, pb, p))
54788 +       if (p > sizeof(pb) || copy_to_user(buf, pb, p))
54789                 return -EFAULT;
54790  
54791         return p;
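Review bot: The new `p > sizeof(pb)` test returns `-EFAULT`, which a caller cannot tell apart from a bad user pointer, and nothing is logged when an internal length exceeds its buffer. The same shape is used for `addrlen > sizeof(temp)` in sctp_getsockopt_peer_addrs and `len > sizeof(str_buf)` in read_reset_stat. Since the condition points to a kernel-side length bug rather than a user error, I would make it visible ahead of the copy, e.g. `if (WARN_ON_ONCE(p > sizeof(pb))) return -EFAULT;`. Where `p` is computed lies outside the hunk.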
54792 diff -urNp linux-2.6.35.5/net/mac80211/tx.c linux-2.6.35.5/net/mac80211/tx.c
54793 --- linux-2.6.35.5/net/mac80211/tx.c    2010-08-26 19:47:12.000000000 -0400
54794 +++ linux-2.6.35.5/net/mac80211/tx.c    2010-09-17 20:12:09.000000000 -0400
54795 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct 
54796         return cpu_to_le16(dur);
54797  }
54798  
54799 -static int inline is_ieee80211_device(struct ieee80211_local *local,
54800 +static inline int is_ieee80211_device(struct ieee80211_local *local,
54801                                       struct net_device *dev)
54802  {
54803         return local == wdev_priv(dev->ieee80211_ptr);
54804 diff -urNp linux-2.6.35.5/net/mac80211/util.c linux-2.6.35.5/net/mac80211/util.c
54805 --- linux-2.6.35.5/net/mac80211/util.c  2010-08-26 19:47:12.000000000 -0400
54806 +++ linux-2.6.35.5/net/mac80211/util.c  2010-09-17 20:12:09.000000000 -0400
54807 @@ -1097,7 +1097,7 @@ int ieee80211_reconfig(struct ieee80211_
54808                 local->resuming = true;
54809  
54810         /* restart hardware */
54811 -       if (local->open_count) {
54812 +       if (atomic_read(&local->open_count)) {
54813                 /*
54814                  * Upon resume hardware can sometimes be goofy due to
54815                  * various platform / driver / bus issues, so restarting
54816 diff -urNp linux-2.6.35.5/net/netlink/af_netlink.c linux-2.6.35.5/net/netlink/af_netlink.c
54817 --- linux-2.6.35.5/net/netlink/af_netlink.c     2010-08-26 19:47:12.000000000 -0400
54818 +++ linux-2.6.35.5/net/netlink/af_netlink.c     2010-09-17 20:12:37.000000000 -0400
54819 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
54820                 struct netlink_sock *nlk = nlk_sk(s);
54821  
54822                 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
54823 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54824 +                          NULL,
54825 +#else
54826                            s,
54827 +#endif
54828                            s->sk_protocol,
54829                            nlk->pid,
54830                            nlk->groups ? (u32)nlk->groups[0] : 0,
54831                            sk_rmem_alloc_get(s),
54832                            sk_wmem_alloc_get(s),
54833 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54834 +                          NULL,
54835 +#else
54836                            nlk->cb,
54837 +#endif
54838                            atomic_read(&s->sk_refcnt),
54839                            atomic_read(&s->sk_drops),
54840                            sock_i_ino(s)
54841 diff -urNp linux-2.6.35.5/net/packet/af_packet.c linux-2.6.35.5/net/packet/af_packet.c
54842 --- linux-2.6.35.5/net/packet/af_packet.c       2010-08-26 19:47:12.000000000 -0400
54843 +++ linux-2.6.35.5/net/packet/af_packet.c       2010-09-17 20:12:37.000000000 -0400
54844 @@ -2093,7 +2093,7 @@ static int packet_getsockopt(struct sock
54845         case PACKET_HDRLEN:
54846                 if (len > sizeof(int))
54847                         len = sizeof(int);
54848 -               if (copy_from_user(&val, optval, len))
54849 +               if (len > sizeof(val) || copy_from_user(&val, optval, len))
54850                         return -EFAULT;
54851                 switch (val) {
54852                 case TPACKET_V1:
54853 @@ -2125,7 +2125,7 @@ static int packet_getsockopt(struct sock
54854  
54855         if (put_user(len, optlen))
54856                 return -EFAULT;
54857 -       if (copy_to_user(optval, data, len))
54858 +       if (len > sizeof(st) || copy_to_user(optval, data, len))
54859                 return -EFAULT;
54860         return 0;
54861  }
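Review bot: The added bound compares `len` with `sizeof(st)`, but the copy reads from `data`, and the PACKET_HDRLEN hunk above shows this function also handling an `int val`. If `data` can point at `val` for some options (its assignment is outside the hunk), the test still lets `len` exceed that smaller object and relies entirely on the per-option clamping. Tracking the size of the object `data` points to, or at least adding `/* upper bound only: data may be smaller than st */`, would make the limit of this check clear.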
54862 @@ -2604,7 +2604,11 @@ static int packet_seq_show(struct seq_fi
54863  
54864                 seq_printf(seq,
54865                            "%p %-6d %-4d %04x   %-5d %1d %-6u %-6u %-6lu\n",
54866 +#ifdef CONFIG_GRKERNSEC_HIDESYM
54867 +                          NULL,
54868 +#else
54869                            s,
54870 +#endif
54871                            atomic_read(&s->sk_refcnt),
54872                            s->sk_type,
54873                            ntohs(po->num),
54874 diff -urNp linux-2.6.35.5/net/rose/af_rose.c linux-2.6.35.5/net/rose/af_rose.c
54875 --- linux-2.6.35.5/net/rose/af_rose.c   2010-08-26 19:47:12.000000000 -0400
54876 +++ linux-2.6.35.5/net/rose/af_rose.c   2010-09-20 17:16:28.000000000 -0400
54877 @@ -679,7 +679,7 @@ static int rose_bind(struct socket *sock
54878         if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
54879                 return -EINVAL;
54880  
54881 -       if (addr->srose_ndigis > ROSE_MAX_DIGIS)
54882 +       if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
54883                 return -EINVAL;
54884  
54885         if ((dev = rose_dev_get(&addr->srose_addr)) == NULL) {
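Review bot: The cast in `(unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS` rejects negative values only implicitly, and the comparison `addr->srose_ndigis > 1` two lines above is left signed. Spelling it out as `if (addr->srose_ndigis < 0 || addr->srose_ndigis > ROSE_MAX_DIGIS)` states the intent and does not depend on the field's declared type, which is not in view. The rose_connect hunk carries the identical change.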
54886 @@ -739,7 +739,7 @@ static int rose_connect(struct socket *s
54887         if (addr_len == sizeof(struct sockaddr_rose) && addr->srose_ndigis > 1)
54888                 return -EINVAL;
54889  
54890 -       if (addr->srose_ndigis > ROSE_MAX_DIGIS)
54891 +       if ((unsigned int) addr->srose_ndigis > ROSE_MAX_DIGIS)
54892                 return -EINVAL;
54893  
54894         /* Source + Destination digis should not exceed ROSE_MAX_DIGIS */
54895 diff -urNp linux-2.6.35.5/net/sctp/socket.c linux-2.6.35.5/net/sctp/socket.c
54896 --- linux-2.6.35.5/net/sctp/socket.c    2010-08-26 19:47:12.000000000 -0400
54897 +++ linux-2.6.35.5/net/sctp/socket.c    2010-09-17 20:12:09.000000000 -0400
54898 @@ -1483,7 +1483,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
54899         struct sctp_sndrcvinfo *sinfo;
54900         struct sctp_initmsg *sinit;
54901         sctp_assoc_t associd = 0;
54902 -       sctp_cmsgs_t cmsgs = { NULL };
54903 +       sctp_cmsgs_t cmsgs = { NULL, NULL };
54904         int err;
54905         sctp_scope_t scope;
54906         long timeo;
54907 @@ -4387,7 +4387,7 @@ static int sctp_getsockopt_peer_addrs(st
54908                 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
54909                 if (space_left < addrlen)
54910                         return -ENOMEM;
54911 -               if (copy_to_user(to, &temp, addrlen))
54912 +               if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
54913                         return -EFAULT;
54914                 to += addrlen;
54915                 cnt++;
54916 diff -urNp linux-2.6.35.5/net/socket.c linux-2.6.35.5/net/socket.c
54917 --- linux-2.6.35.5/net/socket.c 2010-08-26 19:47:12.000000000 -0400
54918 +++ linux-2.6.35.5/net/socket.c 2010-09-17 20:12:37.000000000 -0400
54919 @@ -88,6 +88,7 @@
54920  #include <linux/nsproxy.h>
54921  #include <linux/magic.h>
54922  #include <linux/slab.h>
54923 +#include <linux/in.h>
54924  
54925  #include <asm/uaccess.h>
54926  #include <asm/unistd.h>
54927 @@ -105,6 +106,8 @@
54928  #include <linux/sockios.h>
54929  #include <linux/atalk.h>
54930  
54931 +#include <linux/grsock.h>
54932 +
54933  static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
54934  static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
54935                          unsigned long nr_segs, loff_t pos);
54936 @@ -322,7 +325,7 @@ static int sockfs_get_sb(struct file_sys
54937                              mnt);
54938  }
54939  
54940 -static struct vfsmount *sock_mnt __read_mostly;
54941 +struct vfsmount *sock_mnt __read_mostly;
54942  
54943  static struct file_system_type sock_fs_type = {
54944         .name =         "sockfs",
54945 @@ -1291,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
54946         if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
54947                 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
54948  
54949 +       if(!gr_search_socket(family, type, protocol)) {
54950 +               retval = -EACCES;
54951 +               goto out;
54952 +       }
54953 +
54954 +       if (gr_handle_sock_all(family, type, protocol)) {
54955 +               retval = -EACCES;
54956 +               goto out;
54957 +       }
54958 +
54959         retval = sock_create(family, type, protocol, &sock);
54960         if (retval < 0)
54961                 goto out;
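Review bot: The two hooks added before `sock_create()` use opposite return conventions: `gr_search_socket()` denies on zero while `gr_handle_sock_all()` denies on non-zero. The later bind and listen hunks differ again, treating the result of `gr_search_bind()` and `gr_search_listen()` as an errno. Nothing at the call site says so, and a single misplaced `!` would turn a deny into an allow. A one-line comment, e.g. `/* gr_search_socket(): 0 means deny; gr_handle_sock_all(): non-zero means deny */`, would help, and `if(` should be `if (` to match the surrounding style.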
54962 @@ -1403,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54963         if (sock) {
54964                 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
54965                 if (err >= 0) {
54966 +                       if (gr_handle_sock_server((struct sockaddr *)&address)) {
54967 +                               err = -EACCES;
54968 +                               goto error;
54969 +                       }
54970 +                       err = gr_search_bind(sock, (struct sockaddr_in *)&address);
54971 +                       if (err)
54972 +                               goto error;
54973 +
54974                         err = security_socket_bind(sock,
54975                                                    (struct sockaddr *)&address,
54976                                                    addrlen);
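Review bot: `gr_search_bind()` is handed `&address` cast to `struct sockaddr_in *` for every address family and without `addrlen`, so the hook cannot tell how many bytes `move_addr_to_kernel()` actually filled in. The connect hunk shows `address` as a local `struct sockaddr_storage`; if bind declares it the same way, any `sin_*` field read for a short or non-IPv4 address may hold unrelated or stale data. The hook bodies are not in view and may already check the family, but I would pass `addrlen` as `security_socket_bind()` receives it, or record the requirement with `/* hook must check the address family before touching sin_* */`. The connect hunk makes the same cast for `gr_search_connect()`.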
54977 @@ -1411,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
54978                                                       (struct sockaddr *)
54979                                                       &address, addrlen);
54980                 }
54981 +error:
54982                 fput_light(sock->file, fput_needed);
54983         }
54984         return err;
54985 @@ -1434,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
54986                 if ((unsigned)backlog > somaxconn)
54987                         backlog = somaxconn;
54988  
54989 +               if (gr_handle_sock_server_other(sock->sk)) {
54990 +                       err = -EPERM;
54991 +                       goto error;
54992 +               }
54993 +
54994 +               err = gr_search_listen(sock);
54995 +               if (err)
54996 +                       goto error;
54997 +
54998                 err = security_socket_listen(sock, backlog);
54999                 if (!err)
55000                         err = sock->ops->listen(sock, backlog);
55001  
55002 +error:
55003                 fput_light(sock->file, fput_needed);
55004         }
55005         return err;
55006 @@ -1480,6 +1512,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
55007         newsock->type = sock->type;
55008         newsock->ops = sock->ops;
55009  
55010 +       if (gr_handle_sock_server_other(sock->sk)) {
55011 +               err = -EPERM;
55012 +               sock_release(newsock);
55013 +               goto out_put;
55014 +       }
55015 +
55016 +       err = gr_search_accept(sock);
55017 +       if (err) {
55018 +               sock_release(newsock);
55019 +               goto out_put;
55020 +       }
55021 +
55022         /*
55023          * We don't need try_module_get here, as the listening socket (sock)
55024          * has the protocol module (sock->ops->owner) held.
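Review bot: Both new deny paths call `sock_release(newsock)` ahead of the existing comment about not needing `try_module_get`, which suggests the protocol module reference for `newsock` is taken only after this point. `newsock->ops` is nevertheless already set two lines above the new checks. If `sock_release()` drops that module reference through `ops` (its body is not in view), a denied accept would release a reference that was never taken. Since both checks depend only on `sock`, running them before `newsock` is set up, or after the module reference is taken, would avoid the imbalance. The two error branches are also duplicates and could share one exit.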
55025 @@ -1518,6 +1562,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
55026         fd_install(newfd, newfile);
55027         err = newfd;
55028  
55029 +       gr_attach_curr_ip(newsock->sk);
55030 +
55031  out_put:
55032         fput_light(sock->file, fput_needed);
55033  out:
55034 @@ -1550,6 +1596,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55035                 int, addrlen)
55036  {
55037         struct socket *sock;
55038 +       struct sockaddr *sck;
55039         struct sockaddr_storage address;
55040         int err, fput_needed;
55041  
55042 @@ -1560,6 +1607,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
55043         if (err < 0)
55044                 goto out_put;
55045  
55046 +       sck = (struct sockaddr *)&address;
55047 +
55048 +       if (gr_handle_sock_client(sck)) {
55049 +               err = -EACCES;
55050 +               goto out_put;
55051 +       }
55052 +
55053 +       err = gr_search_connect(sock, (struct sockaddr_in *)sck);
55054 +       if (err)
55055 +               goto out_put;
55056 +
55057         err =
55058             security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
55059         if (err)
55060 diff -urNp linux-2.6.35.5/net/sunrpc/sched.c linux-2.6.35.5/net/sunrpc/sched.c
55061 --- linux-2.6.35.5/net/sunrpc/sched.c   2010-08-26 19:47:12.000000000 -0400
55062 +++ linux-2.6.35.5/net/sunrpc/sched.c   2010-09-17 20:12:09.000000000 -0400
55063 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
55064  #ifdef RPC_DEBUG
55065  static void rpc_task_set_debuginfo(struct rpc_task *task)
55066  {
55067 -       static atomic_t rpc_pid;
55068 +       static atomic_unchecked_t rpc_pid;
55069  
55070 -       task->tk_pid = atomic_inc_return(&rpc_pid);
55071 +       task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
55072  }
55073  #else
55074  static inline void rpc_task_set_debuginfo(struct rpc_task *task)
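Review bot: Switching `rpc_pid` to `atomic_unchecked_t` is unexplained at the site. If the `_unchecked` variants are meant for counters that may wrap harmlessly, a comment like `/* debug-only task id, may wrap */` would tell the next reader why this counter is exempt. It would also keep the pattern from being copied onto a real reference count.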
55075 diff -urNp linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c
55076 --- linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c       2010-08-26 19:47:12.000000000 -0400
55077 +++ linux-2.6.35.5/net/sunrpc/xprtrdma/svc_rdma.c       2010-09-17 20:12:37.000000000 -0400
55078 @@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
55079                 len -= *ppos;
55080                 if (len > *lenp)
55081                         len = *lenp;
55082 -               if (len && copy_to_user(buffer, str_buf, len))
55083 +               if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
55084                         return -EFAULT;
55085                 *lenp = len;
55086                 *ppos += len;
55087 diff -urNp linux-2.6.35.5/net/sysctl_net.c linux-2.6.35.5/net/sysctl_net.c
55088 --- linux-2.6.35.5/net/sysctl_net.c     2010-08-26 19:47:12.000000000 -0400
55089 +++ linux-2.6.35.5/net/sysctl_net.c     2010-09-17 20:12:37.000000000 -0400
55090 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
55091                                struct ctl_table *table)
55092  {
55093         /* Allow network administrator to have same access as root. */
55094 -       if (capable(CAP_NET_ADMIN)) {
55095 +       if (capable_nolog(CAP_NET_ADMIN)) {
55096                 int mode = (table->mode >> 6) & 7;
55097                 return (mode << 6) | (mode << 3) | mode;
55098         }
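Review bot: `capable_nolog(CAP_NET_ADMIN)` replaces `capable()` with no comment on why this check should not be logged. Presumably net_ctl_permissions is a permission probe run on ordinary sysctl access, where a logged denial would be noise; if so, say it with `/* probe only: do not log a missing CAP_NET_ADMIN */`. Without that, the call reads as if an access decision were being kept out of the audit trail. The function ends outside the hunk.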
55099 diff -urNp linux-2.6.35.5/net/tipc/socket.c linux-2.6.35.5/net/tipc/socket.c
55100 --- linux-2.6.35.5/net/tipc/socket.c    2010-08-26 19:47:12.000000000 -0400
55101 +++ linux-2.6.35.5/net/tipc/socket.c    2010-09-17 20:12:09.000000000 -0400
55102 @@ -1451,8 +1451,9 @@ static int connect(struct socket *sock, 
55103         } else {
55104                 if (res == 0)
55105                         res = -ETIMEDOUT;
55106 -               else
55107 -                       ; /* leave "res" unchanged */
55108 +               else {
55109 +                       /* leave "res" unchanged */
55110 +               }
55111                 sock->state = SS_DISCONNECTING;
55112         }
55113  
55114 diff -urNp linux-2.6.35.5/net/unix/af_unix.c linux-2.6.35.5/net/unix/af_unix.c
55115 --- linux-2.6.35.5/net/unix/af_unix.c   2010-08-26 19:47:12.000000000 -0400
55116 +++ linux-2.6.35.5/net/unix/af_unix.c   2010-09-17 20:12:37.000000000 -0400
55117 @@ -736,6 +736,12 @@ static struct sock *unix_find_other(stru
55118                 err = -ECONNREFUSED;
55119                 if (!S_ISSOCK(inode->i_mode))
55120                         goto put_fail;
55121 +
55122 +               if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
55123 +                       err = -EACCES;
55124 +                       goto put_fail;
55125 +               }
55126 +
55127                 u = unix_find_socket_byinode(net, inode);
55128                 if (!u)
55129                         goto put_fail;
55130 @@ -756,6 +762,13 @@ static struct sock *unix_find_other(stru
55131                 if (u) {
55132                         struct dentry *dentry;
55133                         dentry = unix_sk(u)->dentry;
55134 +
55135 +                       if (!gr_handle_chroot_unix(u->sk_peercred.pid)) {
55136 +                               err = -EPERM;
55137 +                               sock_put(u);
55138 +                               goto fail;
55139 +                       }
55140 +
55141                         if (dentry)
55142                                 touch_atime(unix_sk(u)->mnt, dentry);
55143                 } else
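Review bot: The chroot check is keyed on `u->sk_peercred.pid`, a bare pid number that the unix_bind hunk below stores from `current->pid` at bind time. A pid identifies a process only while that process lives; if the binder exits or hands the socket to another process, the check evaluates whichever task holds that number later, or none. It also overloads the peer-credential field on a socket that has no peer yet, which may be visible to userspace. `gr_handle_chroot_unix()` is not in view; holding a `struct pid` reference, or documenting the limitation at the assignment, would be safer.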
55144 @@ -841,11 +854,18 @@ static int unix_bind(struct socket *sock
55145                 err = security_path_mknod(&nd.path, dentry, mode, 0);
55146                 if (err)
55147                         goto out_mknod_drop_write;
55148 +               if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
55149 +                       err = -EACCES;
55150 +                       goto out_mknod_drop_write;
55151 +               }
55152                 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
55153  out_mknod_drop_write:
55154                 mnt_drop_write(nd.path.mnt);
55155                 if (err)
55156                         goto out_mknod_dput;
55157 +
55158 +               gr_handle_create(dentry, nd.path.mnt);
55159 +
55160                 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
55161                 dput(nd.path.dentry);
55162                 nd.path.dentry = dentry;
55163 @@ -863,6 +883,10 @@ out_mknod_drop_write:
55164                         goto out_unlock;
55165                 }
55166  
55167 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
55168 +               sk->sk_peercred.pid = current->pid;
55169 +#endif
55170 +
55171                 list = &unix_socket_table[addr->hash];
55172         } else {
55173                 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
55174 @@ -2161,7 +2185,11 @@ static int unix_seq_show(struct seq_file
55175                 unix_state_lock(s);
55176  
55177                 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
55178 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55179 +                       NULL,
55180 +#else
55181                         s,
55182 +#endif
55183                         atomic_read(&s->sk_refcnt),
55184                         0,
55185                         s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
55186 diff -urNp linux-2.6.35.5/net/wireless/reg.c linux-2.6.35.5/net/wireless/reg.c
55187 --- linux-2.6.35.5/net/wireless/reg.c   2010-08-26 19:47:12.000000000 -0400
55188 +++ linux-2.6.35.5/net/wireless/reg.c   2010-09-17 20:12:09.000000000 -0400
55189 @@ -50,7 +50,7 @@
55190                 printk(KERN_DEBUG format , ## args); \
55191         } while (0)
55192  #else
55193 -#define REG_DBG_PRINT(args...)
55194 +#define REG_DBG_PRINT(args...) do {} while (0)
55195  #endif
55196  
55197  /* Receipt of information from last regulatory request */
55198 diff -urNp linux-2.6.35.5/net/wireless/wext-core.c linux-2.6.35.5/net/wireless/wext-core.c
55199 --- linux-2.6.35.5/net/wireless/wext-core.c     2010-09-20 17:33:09.000000000 -0400
55200 +++ linux-2.6.35.5/net/wireless/wext-core.c     2010-09-23 19:57:26.000000000 -0400
55201 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
55202                  */
55203  
55204                 /* Support for very large requests */
55205 -               if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
55206 -                   (user_length > descr->max_tokens)) {
55207 +               if (user_length > descr->max_tokens) {
55208                         /* Allow userspace to GET more than max so
55209                          * we can support any size GET requests.
55210                          * There is still a limit : -ENOMEM.
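Review bot: With the `IW_DESCR_FLAG_NOMAX` test gone, every request whose `user_length` exceeds `descr->max_tokens` takes this branch, but the retained comment does not say that the buffer size is now always derived from a userspace-supplied length. Add a sentence such as `/* applies to all descriptors: extra is sized from user_length, so the copy-back can never exceed the allocation */`, after checking it against the allocation code, which is outside this hunk. The only remaining bound is the allocation failure the comment mentions, so the comment should also state the largest value `user_length` can take at this point.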
55211 @@ -782,22 +781,6 @@ static int ioctl_standard_iw_point(struc
55212                 }
55213         }
55214  
55215 -       if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
55216 -               /*
55217 -                * If this is a GET, but not NOMAX, it means that the extra
55218 -                * data is not bounded by userspace, but by max_tokens. Thus
55219 -                * set the length to max_tokens. This matches the extra data
55220 -                * allocation.
55221 -                * The driver should fill it with the number of tokens it
55222 -                * provided, and it may check iwp->length rather than having
55223 -                * knowledge of max_tokens. If the driver doesn't change the
55224 -                * iwp->length, this ioctl just copies back max_token tokens
55225 -                * filled with zeroes. Hopefully the driver isn't claiming
55226 -                * them to be valid data.
55227 -                */
55228 -               iwp->length = descr->max_tokens;
55229 -       }
55230 -
55231         err = handler(dev, info, (union iwreq_data *) iwp, extra);
55232  
55233         iwp->length += essid_compat;
55234 diff -urNp linux-2.6.35.5/net/xfrm/xfrm_policy.c linux-2.6.35.5/net/xfrm/xfrm_policy.c
55235 --- linux-2.6.35.5/net/xfrm/xfrm_policy.c       2010-08-26 19:47:12.000000000 -0400
55236 +++ linux-2.6.35.5/net/xfrm/xfrm_policy.c       2010-09-17 20:12:09.000000000 -0400
55237 @@ -1502,7 +1502,7 @@ free_dst:
55238         goto out;
55239  }
55240  
55241 -static int inline
55242 +static inline int
55243  xfrm_dst_alloc_copy(void **target, void *src, int size)
55244  {
55245         if (!*target) {
55246 @@ -1514,7 +1514,7 @@ xfrm_dst_alloc_copy(void **target, void 
55247         return 0;
55248  }
55249  
55250 -static int inline
55251 +static inline int
55252  xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
55253  {
55254  #ifdef CONFIG_XFRM_SUB_POLICY
55255 @@ -1526,7 +1526,7 @@ xfrm_dst_update_parent(struct dst_entry 
55256  #endif
55257  }
55258  
55259 -static int inline
55260 +static inline int
55261  xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
55262  {
55263  #ifdef CONFIG_XFRM_SUB_POLICY
55264 diff -urNp linux-2.6.35.5/scripts/basic/fixdep.c linux-2.6.35.5/scripts/basic/fixdep.c
55265 --- linux-2.6.35.5/scripts/basic/fixdep.c       2010-08-26 19:47:12.000000000 -0400
55266 +++ linux-2.6.35.5/scripts/basic/fixdep.c       2010-09-17 20:12:09.000000000 -0400
55267 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
55268  
55269  static void parse_config_file(char *map, size_t len)
55270  {
55271 -       int *end = (int *) (map + len);
55272 +       unsigned int *end = (unsigned int *) (map + len);
55273         /* start at +1, so that p can never be < map */
55274 -       int *m   = (int *) map + 1;
55275 +       unsigned int *m   = (unsigned int *) map + 1;
55276         char *p, *q;
55277  
55278         for (; m < end; m++) {
55279 @@ -371,7 +371,7 @@ static void print_deps(void)
55280  static void traps(void)
55281  {
55282         static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
55283 -       int *p = (int *)test;
55284 +       unsigned int *p = (unsigned int *)test;
55285  
55286         if (*p != INT_CONF) {
55287                 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
55288 diff -urNp linux-2.6.35.5/scripts/kallsyms.c linux-2.6.35.5/scripts/kallsyms.c
55289 --- linux-2.6.35.5/scripts/kallsyms.c   2010-08-26 19:47:12.000000000 -0400
55290 +++ linux-2.6.35.5/scripts/kallsyms.c   2010-09-17 20:12:09.000000000 -0400
55291 @@ -43,10 +43,10 @@ struct text_range {
55292  
55293  static unsigned long long _text;
55294  static struct text_range text_ranges[] = {
55295 -       { "_stext",     "_etext"     },
55296 -       { "_sinittext", "_einittext" },
55297 -       { "_stext_l1",  "_etext_l1"  }, /* Blackfin on-chip L1 inst SRAM */
55298 -       { "_stext_l2",  "_etext_l2"  }, /* Blackfin on-chip L2 SRAM */
55299 +       { "_stext",     "_etext",     0, 0 },
55300 +       { "_sinittext", "_einittext", 0, 0 },
55301 +       { "_stext_l1",  "_etext_l1",  0, 0 },   /* Blackfin on-chip L1 inst SRAM */
55302 +       { "_stext_l2",  "_etext_l2",  0, 0 },   /* Blackfin on-chip L2 SRAM */
55303  };
55304  #define text_range_text     (&text_ranges[0])
55305  #define text_range_inittext (&text_ranges[1])
55306 diff -urNp linux-2.6.35.5/scripts/mod/file2alias.c linux-2.6.35.5/scripts/mod/file2alias.c
55307 --- linux-2.6.35.5/scripts/mod/file2alias.c     2010-08-26 19:47:12.000000000 -0400
55308 +++ linux-2.6.35.5/scripts/mod/file2alias.c     2010-09-17 20:12:09.000000000 -0400
55309 @@ -72,7 +72,7 @@ static void device_id_check(const char *
55310                             unsigned long size, unsigned long id_size,
55311                             void *symval)
55312  {
55313 -       int i;
55314 +       unsigned int i;
55315  
55316         if (size % id_size || size < id_size) {
55317                 if (cross_build != 0)
55318 @@ -102,7 +102,7 @@ static void device_id_check(const char *
55319  /* USB is special because the bcdDevice can be matched against a numeric range */
55320  /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
55321  static void do_usb_entry(struct usb_device_id *id,
55322 -                        unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
55323 +                        unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
55324                          unsigned char range_lo, unsigned char range_hi,
55325                          unsigned char max, struct module *mod)
55326  {
55327 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
55328         for (i = 0; i < count; i++) {
55329                 const char *id = (char *)devs[i].id;
55330                 char acpi_id[sizeof(devs[0].id)];
55331 -               int j;
55332 +               unsigned int j;
55333  
55334                 buf_printf(&mod->dev_table_buf,
55335                            "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55336 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
55337  
55338                 for (j = 0; j < PNP_MAX_DEVICES; j++) {
55339                         const char *id = (char *)card->devs[j].id;
55340 -                       int i2, j2;
55341 +                       unsigned int i2, j2;
55342                         int dup = 0;
55343  
55344                         if (!id[0])
55345 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
55346                         /* add an individual alias for every device entry */
55347                         if (!dup) {
55348                                 char acpi_id[sizeof(card->devs[0].id)];
55349 -                               int k;
55350 +                               unsigned int k;
55351  
55352                                 buf_printf(&mod->dev_table_buf,
55353                                            "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
55354 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
55355  static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
55356                         char *alias)
55357  {
55358 -       int i, j;
55359 +       unsigned int i, j;
55360  
55361         sprintf(alias, "dmi*");
55362  
55363 diff -urNp linux-2.6.35.5/scripts/mod/modpost.c linux-2.6.35.5/scripts/mod/modpost.c
55364 --- linux-2.6.35.5/scripts/mod/modpost.c        2010-08-26 19:47:12.000000000 -0400
55365 +++ linux-2.6.35.5/scripts/mod/modpost.c        2010-09-17 20:12:09.000000000 -0400
55366 @@ -846,6 +846,7 @@ enum mismatch {
55367         ANY_INIT_TO_ANY_EXIT,
55368         ANY_EXIT_TO_ANY_INIT,
55369         EXPORT_TO_INIT_EXIT,
55370 +       DATA_TO_TEXT
55371  };
55372  
55373  struct sectioncheck {
55374 @@ -954,6 +955,12 @@ const struct sectioncheck sectioncheck[]
55375         .tosec   = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
55376         .mismatch = EXPORT_TO_INIT_EXIT,
55377         .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
55378 +},
55379 +/* Do not reference code from writable data */
55380 +{
55381 +       .fromsec = { DATA_SECTIONS, NULL },
55382 +       .tosec   = { TEXT_SECTIONS, NULL },
55383 +       .mismatch = DATA_TO_TEXT
55384  }
55385  };
55386  
55387 @@ -1060,10 +1067,10 @@ static Elf_Sym *find_elf_symbol(struct e
55388                         continue;
55389                 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
55390                         continue;
55391 -               if (sym->st_value == addr)
55392 -                       return sym;
55393                 /* Find a symbol nearby - addr are maybe negative */
55394                 d = sym->st_value - addr;
55395 +               if (d == 0)
55396 +                       return sym;
55397                 if (d < 0)
55398                         d = addr - sym->st_value;
55399                 if (d < distance) {
55400 @@ -1306,6 +1313,14 @@ static void report_sec_mismatch(const ch
55401                 "or drop the export.\n",
55402                 tosym, sec2annotation(tosec), sec2annotation(tosec), tosym);
55403                 break;
55404 +       case DATA_TO_TEXT:
55405 +/*
55406 +               fprintf(stderr,
55407 +               "The variable %s references\n"
55408 +               "the %s %s%s%s\n",
55409 +               fromsym, to, sec2annotation(tosec), tosym, to_p);
55410 +*/
55411 +               break;
55412         }
55413         fprintf(stderr, "\n");
55414  }
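Review bot: The new `case DATA_TO_TEXT:` in report_sec_mismatch keeps its whole message inside a `/* ... */` block, so for this mismatch the switch prints nothing and only the trailing `fprintf(stderr, "\n")` runs. Commented-out code hides whether the silence is intended. Either enable the message or replace the block with a short comment such as `/* DATA_TO_TEXT: detail message intentionally suppressed */` plus the reason. If the check is not meant to report yet, the matching `sectioncheck` entry added earlier in this file could be disabled in the same way so the two stay in step. The function begins outside the hunk, so any header line printed before the switch is not visible here.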
55415 @@ -1629,7 +1644,7 @@ void __attribute__((format(printf, 2, 3)
55416         va_end(ap);
55417  }
55418  
55419 -void buf_write(struct buffer *buf, const char *s, int len)
55420 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
55421  {
55422         if (buf->size - buf->pos < len) {
55423                 buf->size += len + SZ;
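Review bot: After the switch to `unsigned int len`, both `buf->size - buf->pos < len` and `buf->size += len + SZ` are evaluated in unsigned arithmetic, so a very large `len` wraps the sum and the buffer could end up smaller than the data the rest of the function writes (not visible here). A guard before the growth closes this, for example `if (len > UINT_MAX - SZ || buf->size > UINT_MAX - SZ - len)` followed by an abort, with `<limits.h>` included for `UINT_MAX`. The same widths apply to the `pos` and `size` fields changed in modpost.h. This is a host build tool, so the exposure is limited to malformed objects in the build tree. buf_write's body continues past the hunk.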
55424 @@ -1841,7 +1856,7 @@ static void write_if_changed(struct buff
55425         if (fstat(fileno(file), &st) < 0)
55426                 goto close_write;
55427  
55428 -       if (st.st_size != b->pos)
55429 +       if (st.st_size != (off_t)b->pos)
55430                 goto close_write;
55431  
55432         tmp = NOFAIL(malloc(b->pos));
55433 diff -urNp linux-2.6.35.5/scripts/mod/modpost.h linux-2.6.35.5/scripts/mod/modpost.h
55434 --- linux-2.6.35.5/scripts/mod/modpost.h        2010-08-26 19:47:12.000000000 -0400
55435 +++ linux-2.6.35.5/scripts/mod/modpost.h        2010-09-17 20:12:09.000000000 -0400
55436 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
55437  
55438  struct buffer {
55439         char *p;
55440 -       int pos;
55441 -       int size;
55442 +       unsigned int pos;
55443 +       unsigned int size;
55444  };
55445  
55446  void __attribute__((format(printf, 2, 3)))
55447  buf_printf(struct buffer *buf, const char *fmt, ...);
55448  
55449  void
55450 -buf_write(struct buffer *buf, const char *s, int len);
55451 +buf_write(struct buffer *buf, const char *s, unsigned int len);
55452  
55453  struct module {
55454         struct module *next;
55455 diff -urNp linux-2.6.35.5/scripts/mod/sumversion.c linux-2.6.35.5/scripts/mod/sumversion.c
55456 --- linux-2.6.35.5/scripts/mod/sumversion.c     2010-08-26 19:47:12.000000000 -0400
55457 +++ linux-2.6.35.5/scripts/mod/sumversion.c     2010-09-17 20:12:09.000000000 -0400
55458 @@ -455,7 +455,7 @@ static void write_version(const char *fi
55459                 goto out;
55460         }
55461  
55462 -       if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
55463 +       if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
55464                 warn("writing sum in %s failed: %s\n",
55465                         filename, strerror(errno));
55466                 goto out;
55467 diff -urNp linux-2.6.35.5/scripts/pnmtologo.c linux-2.6.35.5/scripts/pnmtologo.c
55468 --- linux-2.6.35.5/scripts/pnmtologo.c  2010-08-26 19:47:12.000000000 -0400
55469 +++ linux-2.6.35.5/scripts/pnmtologo.c  2010-09-17 20:12:09.000000000 -0400
55470 @@ -237,14 +237,14 @@ static void write_header(void)
55471      fprintf(out, " *  Linux logo %s\n", logoname);
55472      fputs(" */\n\n", out);
55473      fputs("#include <linux/linux_logo.h>\n\n", out);
55474 -    fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
55475 +    fprintf(out, "static unsigned char %s_data[] = {\n",
55476             logoname);
55477  }
55478  
55479  static void write_footer(void)
55480  {
55481      fputs("\n};\n\n", out);
55482 -    fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
55483 +    fprintf(out, "const struct linux_logo %s = {\n", logoname);
55484      fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
55485      fprintf(out, "\t.width\t\t= %d,\n", logo_width);
55486      fprintf(out, "\t.height\t\t= %d,\n", logo_height);
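Review bot: Nothing in the generator records why `__initdata` is dropped from the generated `%s_data[]` array and `__initconst` from the `linux_logo` struct (and `__initdata` from `%s_clut[]` in the later hunk). The emitted logo data is no longer placed in the init sections, so it presumably stays resident after boot. Add a comment in write_header, for example `/* no __initdata: <reason the logo must outlive init> */`, so the annotation is not restored by a later cleanup. write_footer continues outside the hunk.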
55487 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
55488      fputs("\n};\n\n", out);
55489  
55490      /* write logo clut */
55491 -    fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
55492 +    fprintf(out, "static unsigned char %s_clut[] = {\n",
55493             logoname);
55494      write_hex_cnt = 0;
55495      for (i = 0; i < logo_clutsize; i++) {
55496 diff -urNp linux-2.6.35.5/security/commoncap.c linux-2.6.35.5/security/commoncap.c
55497 --- linux-2.6.35.5/security/commoncap.c 2010-08-26 19:47:12.000000000 -0400
55498 +++ linux-2.6.35.5/security/commoncap.c 2010-09-17 20:12:37.000000000 -0400
55499 @@ -28,6 +28,7 @@
55500  #include <linux/securebits.h>
55501  #include <linux/syslog.h>
55502  #include <linux/vs_context.h>
55503 +#include <net/sock.h>
55504  
55505  /*
55506   * If a non-root user executes a setuid-root binary in
55507 @@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
55508         }
55509  }
55510  
55511 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
55512 +
55513  int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
55514  {
55515 -       NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
55516 +       NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
55517         return 0;
55518  }
55519  
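Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is declared directly in commoncap.c, so the compiler cannot check it against the definition and a later signature change would go unnoticed. Move the prototype into a header that both the definition and this file include. Because `NETLINK_CB(skb).eff_cap` now comes from the helper instead of `current_cap()`, also document next to the call what it returns when no policy restricts the socket, e.g. `/* must equal current_cap() when no policy applies */`. Confirm that in the helper first, since it is not part of this hunk.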
55520 diff -urNp linux-2.6.35.5/security/integrity/ima/ima_api.c linux-2.6.35.5/security/integrity/ima/ima_api.c
55521 --- linux-2.6.35.5/security/integrity/ima/ima_api.c     2010-08-26 19:47:12.000000000 -0400
55522 +++ linux-2.6.35.5/security/integrity/ima/ima_api.c     2010-09-17 20:12:09.000000000 -0400
55523 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
55524         int result;
55525  
55526         /* can overflow, only indicator */
55527 -       atomic_long_inc(&ima_htable.violations);
55528 +       atomic_long_inc_unchecked(&ima_htable.violations);
55529  
55530         entry = kmalloc(sizeof(*entry), GFP_KERNEL);
55531         if (!entry) {
55532 diff -urNp linux-2.6.35.5/security/integrity/ima/ima_fs.c linux-2.6.35.5/security/integrity/ima/ima_fs.c
55533 --- linux-2.6.35.5/security/integrity/ima/ima_fs.c      2010-08-26 19:47:12.000000000 -0400
55534 +++ linux-2.6.35.5/security/integrity/ima/ima_fs.c      2010-09-17 20:12:09.000000000 -0400
55535 @@ -28,12 +28,12 @@
55536  static int valid_policy = 1;
55537  #define TMPBUFLEN 12
55538  static ssize_t ima_show_htable_value(char __user *buf, size_t count,
55539 -                                    loff_t *ppos, atomic_long_t *val)
55540 +                                    loff_t *ppos, atomic_long_unchecked_t *val)
55541  {
55542         char tmpbuf[TMPBUFLEN];
55543         ssize_t len;
55544  
55545 -       len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
55546 +       len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
55547         return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
55548  }
55549  
55550 diff -urNp linux-2.6.35.5/security/integrity/ima/ima.h linux-2.6.35.5/security/integrity/ima/ima.h
55551 --- linux-2.6.35.5/security/integrity/ima/ima.h 2010-09-20 17:33:09.000000000 -0400
55552 +++ linux-2.6.35.5/security/integrity/ima/ima.h 2010-09-20 17:33:37.000000000 -0400
55553 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
55554  extern spinlock_t ima_queue_lock;
55555  
55556  struct ima_h_table {
55557 -       atomic_long_t len;      /* number of stored measurements in the list */
55558 -       atomic_long_t violations;
55559 +       atomic_long_unchecked_t len;    /* number of stored measurements in the list */
55560 +       atomic_long_unchecked_t violations;
55561         struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
55562  };
55563  extern struct ima_h_table ima_htable;
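Review bot: `len` is converted to `atomic_long_unchecked_t` without any statement that wraparound is acceptable, whereas the `violations` increment in ima_api.c carries the comment `can overflow, only indicator`. The `_unchecked` type presumably opts the counter out of overflow detection, so each field should say why that is safe. Extend the field comment to something like `/* number of stored measurements in the list; informational, wraparound tolerated */` if that holds, and add the same remark to `violations`.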
55564 diff -urNp linux-2.6.35.5/security/integrity/ima/ima_queue.c linux-2.6.35.5/security/integrity/ima/ima_queue.c
55565 --- linux-2.6.35.5/security/integrity/ima/ima_queue.c   2010-08-26 19:47:12.000000000 -0400
55566 +++ linux-2.6.35.5/security/integrity/ima/ima_queue.c   2010-09-17 20:12:09.000000000 -0400
55567 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
55568         INIT_LIST_HEAD(&qe->later);
55569         list_add_tail_rcu(&qe->later, &ima_measurements);
55570  
55571 -       atomic_long_inc(&ima_htable.len);
55572 +       atomic_long_inc_unchecked(&ima_htable.len);
55573         key = ima_hash_key(entry->digest);
55574         hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
55575         return 0;
55576 diff -urNp linux-2.6.35.5/security/Kconfig linux-2.6.35.5/security/Kconfig
55577 --- linux-2.6.35.5/security/Kconfig     2010-08-26 19:47:12.000000000 -0400
55578 +++ linux-2.6.35.5/security/Kconfig     2010-09-17 20:12:37.000000000 -0400
55579 @@ -4,6 +4,505 @@
55580  
55581  menu "Security options"
55582  
55583 +source grsecurity/Kconfig
55584 +
55585 +menu "PaX"
55586 +
55587 +       config PAX_PER_CPU_PGD
55588 +       bool
55589 +
55590 +       config TASK_SIZE_MAX_SHIFT
55591 +       int
55592 +       depends on X86_64
55593 +       default 47 if !PAX_PER_CPU_PGD
55594 +       default 42 if PAX_PER_CPU_PGD
55595 +
55596 +       config PAX_ENABLE_PAE
55597 +       bool
55598 +       default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
55599 +       
55600 +config PAX
55601 +       bool "Enable various PaX features"
55602 +       depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
55603 +       help
55604 +         This allows you to enable various PaX features.  PaX adds
55605 +         intrusion prevention mechanisms to the kernel that reduce
55606 +         the risks posed by exploitable memory corruption bugs.
55607 +
55608 +menu "PaX Control"
55609 +       depends on PAX
55610 +
55611 +config PAX_SOFTMODE
55612 +       bool 'Support soft mode'
55613 +       select PAX_PT_PAX_FLAGS
55614 +       help
55615 +         Enabling this option will allow you to run PaX in soft mode, that
55616 +         is, PaX features will not be enforced by default, only on executables
55617 +         marked explicitly.  You must also enable PT_PAX_FLAGS support as it
55618 +         is the only way to mark executables for soft mode use.
55619 +
55620 +         Soft mode can be activated by using the "pax_softmode=1" kernel command
55621 +         line option on boot.  Furthermore you can control various PaX features
55622 +         at runtime via the entries in /proc/sys/kernel/pax.
55623 +
55624 +config PAX_EI_PAX
55625 +       bool 'Use legacy ELF header marking'
55626 +       help
55627 +         Enabling this option will allow you to control PaX features on
55628 +         a per executable basis via the 'chpax' utility available at
55629 +         http://pax.grsecurity.net/.  The control flags will be read from
55630 +         an otherwise reserved part of the ELF header.  This marking has
55631 +         numerous drawbacks (no support for soft-mode, toolchain does not
55632 +         know about the non-standard use of the ELF header) therefore it
55633 +         has been deprecated in favour of PT_PAX_FLAGS support.
55634 +
55635 +         If you have applications not marked by the PT_PAX_FLAGS ELF
55636 +         program header then you MUST enable this option otherwise they
55637 +         will not get any protection.
55638 +
55639 +         Note that if you enable PT_PAX_FLAGS marking support as well,
55640 +         the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
55641 +
55642 +config PAX_PT_PAX_FLAGS
55643 +       bool 'Use ELF program header marking'
55644 +       help
55645 +         Enabling this option will allow you to control PaX features on
55646 +         a per executable basis via the 'paxctl' utility available at
55647 +         http://pax.grsecurity.net/.  The control flags will be read from
55648 +         a PaX specific ELF program header (PT_PAX_FLAGS).  This marking
55649 +         has the benefits of supporting both soft mode and being fully
55650 +         integrated into the toolchain (the binutils patch is available
55651 +         from http://pax.grsecurity.net).
55652 +
55653 +         If you have applications not marked by the PT_PAX_FLAGS ELF
55654 +         program header then you MUST enable the EI_PAX marking support
55655 +         otherwise they will not get any protection.
55656 +
55657 +         Note that if you enable the legacy EI_PAX marking support as well,
55658 +         the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
55659 +
55660 +choice
55661 +       prompt 'MAC system integration'
55662 +       default PAX_HAVE_ACL_FLAGS
55663 +       help
55664 +         Mandatory Access Control systems have the option of controlling
55665 +         PaX flags on a per executable basis, choose the method supported
55666 +         by your particular system.
55667 +
55668 +         - "none": if your MAC system does not interact with PaX,
55669 +         - "direct": if your MAC system defines pax_set_initial_flags() itself,
55670 +         - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
55671 +
55672 +         NOTE: this option is for developers/integrators only.
55673 +
55674 +       config PAX_NO_ACL_FLAGS
55675 +               bool 'none'
55676 +
55677 +       config PAX_HAVE_ACL_FLAGS
55678 +               bool 'direct'
55679 +
55680 +       config PAX_HOOK_ACL_FLAGS
55681 +               bool 'hook'
55682 +endchoice
55683 +
55684 +endmenu
55685 +
55686 +menu "Non-executable pages"
55687 +       depends on PAX
55688 +
55689 +config PAX_NOEXEC
55690 +       bool "Enforce non-executable pages"
55691 +       depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
55692 +       help
55693 +         By design some architectures do not allow for protecting memory
55694 +         pages against execution or even if they do, Linux does not make
55695 +         use of this feature.  In practice this means that if a page is
55696 +         readable (such as the stack or heap) it is also executable.
55697 +
55698 +         There is a well known exploit technique that makes use of this
55699 +         fact and a common programming mistake where an attacker can
55700 +         introduce code of his choice somewhere in the attacked program's
55701 +         memory (typically the stack or the heap) and then execute it.
55702 +
55703 +         If the attacked program was running with different (typically
55704 +         higher) privileges than that of the attacker, then he can elevate
55705 +         his own privilege level (e.g. get a root shell, write to files for
55706 +         which he does not have write access to, etc).
55707 +
55708 +         Enabling this option will let you choose from various features
55709 +         that prevent the injection and execution of 'foreign' code in
55710 +         a program.
55711 +
55712 +         This will also break programs that rely on the old behaviour and
55713 +         expect that dynamically allocated memory via the malloc() family
55714 +         of functions is executable (which it is not).  Notable examples
55715 +         are the XFree86 4.x server, the java runtime and wine.
55716 +
55717 +config PAX_PAGEEXEC
55718 +       bool "Paging based non-executable pages"
55719 +       depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
55720 +       select S390_SWITCH_AMODE if S390
55721 +       select S390_EXEC_PROTECT if S390
55722 +       help
55723 +         This implementation is based on the paging feature of the CPU.
55724 +         On i386 without hardware non-executable bit support there is a
55725 +         variable but usually low performance impact, however on Intel's
55726 +         P4 core based CPUs it is very high so you should not enable this
55727 +         for kernels meant to be used on such CPUs.
55728 +
55729 +         On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
55730 +         with hardware non-executable bit support there is no performance
55731 +         impact, on ppc the impact is negligible.
55732 +
55733 +         Note that several architectures require various emulations due to
55734 +         badly designed userland ABIs, this will cause a performance impact
55735 +         but will disappear as soon as userland is fixed. For example, ppc
55736 +         userland MUST have been built with secure-plt by a recent toolchain.
55737 +
55738 +config PAX_SEGMEXEC
55739 +       bool "Segmentation based non-executable pages"
55740 +       depends on PAX_NOEXEC && X86_32
55741 +       help
55742 +         This implementation is based on the segmentation feature of the
55743 +         CPU and has a very small performance impact, however applications
55744 +         will be limited to a 1.5 GB address space instead of the normal
55745 +         3 GB.
55746 +
55747 +config PAX_EMUTRAMP
55748 +       bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
55749 +       default y if PARISC
55750 +       help
55751 +         There are some programs and libraries that for one reason or
55752 +         another attempt to execute special small code snippets from
55753 +         non-executable memory pages.  Most notable examples are the
55754 +         signal handler return code generated by the kernel itself and
55755 +         the GCC trampolines.
55756 +
55757 +         If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
55758 +         such programs will no longer work under your kernel.
55759 +
55760 +         As a remedy you can say Y here and use the 'chpax' or 'paxctl'
55761 +         utilities to enable trampoline emulation for the affected programs
55762 +         yet still have the protection provided by the non-executable pages.
55763 +
55764 +         On parisc you MUST enable this option and EMUSIGRT as well, otherwise
55765 +         your system will not even boot.
55766 +
55767 +         Alternatively you can say N here and use the 'chpax' or 'paxctl'
55768 +         utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
55769 +         for the affected files.
55770 +
55771 +         NOTE: enabling this feature *may* open up a loophole in the
55772 +         protection provided by non-executable pages that an attacker
55773 +         could abuse.  Therefore the best solution is to not have any
55774 +         files on your system that would require this option.  This can
55775 +         be achieved by not using libc5 (which relies on the kernel
55776 +         signal handler return code) and not using or rewriting programs
55777 +         that make use of the nested function implementation of GCC.
55778 +         Skilled users can just fix GCC itself so that it implements
55779 +         nested function calls in a way that does not interfere with PaX.
55780 +
55781 +config PAX_EMUSIGRT
55782 +       bool "Automatically emulate sigreturn trampolines"
55783 +       depends on PAX_EMUTRAMP && PARISC
55784 +       default y
55785 +       help
55786 +         Enabling this option will have the kernel automatically detect
55787 +         and emulate signal return trampolines executing on the stack
55788 +         that would otherwise lead to task termination.
55789 +
55790 +         This solution is intended as a temporary one for users with
55791 +         legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
55792 +         Modula-3 runtime, etc) or executables linked to such, basically
55793 +         everything that does not specify its own SA_RESTORER function in
55794 +         normal executable memory like glibc 2.1+ does.
55795 +
55796 +         On parisc you MUST enable this option, otherwise your system will
55797 +         not even boot.
55798 +
55799 +         NOTE: this feature cannot be disabled on a per executable basis
55800 +         and since it *does* open up a loophole in the protection provided
55801 +         by non-executable pages, the best solution is to not have any
55802 +         files on your system that would require this option.
55803 +
55804 +config PAX_MPROTECT
55805 +       bool "Restrict mprotect()"
55806 +       depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
55807 +       help
55808 +         Enabling this option will prevent programs from
55809 +          - changing the executable status of memory pages that were
55810 +            not originally created as executable,
55811 +          - making read-only executable pages writable again,
55812 +          - creating executable pages from anonymous memory,
55813 +          - making read-only-after-relocations (RELRO) data pages writable again.
55814 +
55815 +         You should say Y here to complete the protection provided by
55816 +         the enforcement of non-executable pages.
55817 +
55818 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55819 +         this feature on a per file basis.
55820 +
55821 +config PAX_ELFRELOCS
55822 +       bool "Allow ELF text relocations (read help)"
55823 +       depends on PAX_MPROTECT
55824 +       default n
55825 +       help
55826 +         Non-executable pages and mprotect() restrictions are effective
55827 +         in preventing the introduction of new executable code into an
55828 +         attacked task's address space.  There remain only two venues
55829 +         for this kind of attack: if the attacker can execute already
55830 +         existing code in the attacked task then he can either have it
55831 +         create and mmap() a file containing his code or have it mmap()
55832 +         an already existing ELF library that does not have position
55833 +         independent code in it and use mprotect() on it to make it
55834 +         writable and copy his code there.  While protecting against
55835 +         the former approach is beyond PaX, the latter can be prevented
55836 +         by having only PIC ELF libraries on one's system (which do not
55837 +         need to relocate their code).  If you are sure this is your case,
55838 +         as is the case with all modern Linux distributions, then leave
55839 +         this option disabled.  You should say 'n' here.
55840 +
55841 +config PAX_ETEXECRELOCS
55842 +       bool "Allow ELF ET_EXEC text relocations"
55843 +       depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
55844 +       select PAX_ELFRELOCS
55845 +       default y
55846 +       help
55847 +         On some architectures there are incorrectly created applications
55848 +         that require text relocations and would not work without enabling
55849 +         this option.  If you are an alpha, ia64 or parisc user, you should
55850 +         enable this option and disable it once you have made sure that
55851 +         none of your applications need it.
55852 +
55853 +config PAX_EMUPLT
55854 +       bool "Automatically emulate ELF PLT"
55855 +       depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
55856 +       default y
55857 +       help
55858 +         Enabling this option will have the kernel automatically detect
55859 +         and emulate the Procedure Linkage Table entries in ELF files.
55860 +         On some architectures such entries are in writable memory, and
55861 +         become non-executable leading to task termination.  Therefore
55862 +         it is mandatory that you enable this option on alpha, parisc,
55863 +         sparc and sparc64, otherwise your system would not even boot.
55864 +
55865 +         NOTE: this feature *does* open up a loophole in the protection
55866 +         provided by the non-executable pages, therefore the proper
55867 +         solution is to modify the toolchain to produce a PLT that does
55868 +         not need to be writable.
55869 +
55870 +config PAX_DLRESOLVE
55871 +       bool 'Emulate old glibc resolver stub'
55872 +       depends on PAX_EMUPLT && SPARC
55873 +       default n
55874 +       help
55875 +         This option is needed if userland has an old glibc (before 2.4)
55876 +         that puts a 'save' instruction into the runtime generated resolver
55877 +         stub that needs special emulation.
55878 +
55879 +config PAX_KERNEXEC
55880 +       bool "Enforce non-executable kernel pages"
55881 +       depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
55882 +       select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
55883 +       help
55884 +         This is the kernel land equivalent of PAGEEXEC and MPROTECT,
55885 +         that is, enabling this option will make it harder to inject
55886 +         and execute 'foreign' code in kernel memory itself.
55887 +
55888 +config PAX_KERNEXEC_MODULE_TEXT
55889 +       int "Minimum amount of memory reserved for module code"
55890 +       default "4"
55891 +       depends on PAX_KERNEXEC && X86_32 && MODULES
55892 +       help
55893 +         Due to implementation details the kernel must reserve a fixed
55894 +         amount of memory for module code at compile time that cannot be
55895 +         changed at runtime.  Here you can specify the minimum amount
55896 +         in MB that will be reserved.  Due to the same implementation
55897 +         details this size will always be rounded up to the next 2/4 MB
55898 +         boundary (depends on PAE) so the actually available memory for
55899 +         module code will usually be more than this minimum.
55900 +
55901 +         The default 4 MB should be enough for most users but if you have
55902 +         an excessive number of modules (e.g., most distribution configs
55903 +         compile many drivers as modules) or use huge modules such as
55904 +         nvidia's kernel driver, you will need to adjust this amount.
55905 +         A good rule of thumb is to look at your currently loaded kernel
55906 +         modules and add up their sizes.
55907 +
55908 +endmenu
55909 +
55910 +menu "Address Space Layout Randomization"
55911 +       depends on PAX
55912 +
55913 +config PAX_ASLR
55914 +       bool "Address Space Layout Randomization"
55915 +       depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
55916 +       help
55917 +         Many if not most exploit techniques rely on the knowledge of
55918 +         certain addresses in the attacked program.  The following options
55919 +         will allow the kernel to apply a certain amount of randomization
55920 +         to specific parts of the program thereby forcing an attacker to
55921 +         guess them in most cases.  Any failed guess will most likely crash
55922 +         the attacked program which allows the kernel to detect such attempts
55923 +         and react on them.  PaX itself provides no reaction mechanisms,
55924 +         instead it is strongly encouraged that you make use of Nergal's
55925 +         segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
55926 +         (http://www.grsecurity.net/) built-in crash detection features or
55927 +         develop one yourself.
55928 +
55929 +         By saying Y here you can choose to randomize the following areas:
55930 +          - top of the task's kernel stack
55931 +          - top of the task's userland stack
55932 +          - base address for mmap() requests that do not specify one
55933 +            (this includes all libraries)
55934 +          - base address of the main executable
55935 +
55936 +         It is strongly recommended to say Y here as address space layout
55937 +         randomization has negligible impact on performance yet it provides
55938 +         a very effective protection.
55939 +
55940 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control
55941 +         this feature on a per file basis.
55942 +
55943 +config PAX_RANDKSTACK
55944 +       bool "Randomize kernel stack base"
55945 +       depends on PAX_ASLR && X86_TSC && X86_32
55946 +       help
55947 +         By saying Y here the kernel will randomize every task's kernel
55948 +         stack on every system call.  This will not only force an attacker
55949 +         to guess it but also prevent him from making use of possible
55950 +         leaked information about it.
55951 +
55952 +         Since the kernel stack is a rather scarce resource, randomization
55953 +         may cause unexpected stack overflows, therefore you should very
55954 +         carefully test your system.  Note that once enabled in the kernel
55955 +         configuration, this feature cannot be disabled on a per file basis.
55956 +
55957 +config PAX_RANDUSTACK
55958 +       bool "Randomize user stack base"
55959 +       depends on PAX_ASLR
55960 +       help
55961 +         By saying Y here the kernel will randomize every task's userland
55962 +         stack.  The randomization is done in two steps where the second
55963 +         one may apply a big amount of shift to the top of the stack and
55964 +         cause problems for programs that want to use lots of memory (more
55965 +         than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
55966 +         For this reason the second step can be controlled by 'chpax' or
55967 +         'paxctl' on a per file basis.
55968 +
55969 +config PAX_RANDMMAP
55970 +       bool "Randomize mmap() base"
55971 +       depends on PAX_ASLR
55972 +       help
55973 +         By saying Y here the kernel will use a randomized base address for
55974 +         mmap() requests that do not specify one themselves.  As a result
55975 +         all dynamically loaded libraries will appear at random addresses
55976 +         and therefore be harder to exploit by a technique where an attacker
55977 +         attempts to execute library code for his purposes (e.g. spawn a
55978 +         shell from an exploited program that is running at an elevated
55979 +         privilege level).
55980 +
55981 +         Furthermore, if a program is relinked as a dynamic ELF file, its
55982 +         base address will be randomized as well, completing the full
55983 +         randomization of the address space layout.  Attacking such programs
55984 +         becomes a guess game.  You can find an example of doing this at
55985 +         http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
55986 +         http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
55987 +
55988 +         NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
55989 +         feature on a per file basis.
55990 +
55991 +endmenu
55992 +
55993 +menu "Miscellaneous hardening features"
55994 +
55995 +config PAX_MEMORY_SANITIZE
55996 +       bool "Sanitize all freed memory"
55997 +       help
55998 +         By saying Y here the kernel will erase memory pages as soon as they
55999 +         are freed.  This in turn reduces the lifetime of data stored in the
56000 +         pages, making it less likely that sensitive information such as
56001 +         passwords, cryptographic secrets, etc stay in memory for too long.
56002 +
56003 +         This is especially useful for programs whose runtime is short, long
56004 +         lived processes and the kernel itself benefit from this as long as
56005 +         they operate on whole memory pages and ensure timely freeing of pages
56006 +         that may hold sensitive information.
56007 +
56008 +         The tradeoff is performance impact, on a single CPU system kernel
56009 +         compilation sees a 3% slowdown, other systems and workloads may vary
56010 +         and you are advised to test this feature on your expected workload
56011 +         before deploying it.
56012 +
56013 +         Note that this feature does not protect data stored in live pages,
56014 +         e.g., process memory swapped to disk may stay there for a long time.
56015 +
56016 +config PAX_MEMORY_UDEREF
56017 +       bool "Prevent invalid userland pointer dereference"
56018 +       depends on X86 && !UML_X86 && !XEN
56019 +       select PAX_PER_CPU_PGD if X86_64
56020 +       help
56021 +         By saying Y here the kernel will be prevented from dereferencing
56022 +         userland pointers in contexts where the kernel expects only kernel
56023 +         pointers.  This is both a useful runtime debugging feature and a
56024 +         security measure that prevents exploiting a class of kernel bugs.
56025 +
56026 +         The tradeoff is that some virtualization solutions may experience
56027 +         a huge slowdown and therefore you should not enable this feature
56028 +         for kernels meant to run in such environments.  Whether a given VM
56029 +         solution is affected or not is best determined by simply trying it
56030 +         out, the performance impact will be obvious right on boot as this
56031 +         mechanism engages from very early on.  A good rule of thumb is that
56032 +         VMs running on CPUs without hardware virtualization support (i.e.,
56033 +         the majority of IA-32 CPUs) will likely experience the slowdown.
56034 +
56035 +config PAX_REFCOUNT
56036 +       bool "Prevent various kernel object reference counter overflows"
56037 +       depends on GRKERNSEC && (X86 || SPARC64)
56038 +       help
56039 +         By saying Y here the kernel will detect and prevent overflowing
56040 +         various (but not all) kinds of object reference counters.  Such
56041 +         overflows can normally occur due to bugs only and are often, if
56042 +         not always, exploitable.
56043 +
56044 +         The tradeoff is that data structures protected by an overflowed
56045 +         refcount will never be freed and therefore will leak memory.  Note
56046 +         that this leak also happens even without this protection but in
56047 +         that case the overflow can eventually trigger the freeing of the
56048 +         data structure while it is still being used elsewhere, resulting
56049 +         in the exploitable situation that this feature prevents.
56050 +
56051 +         Since this has a negligible performance impact, you should enable
56052 +         this feature.
56053 +
56054 +config PAX_USERCOPY
56055 +       bool "Bounds check heap object copies between kernel and userland"
56056 +       depends on X86 || PPC || SPARC
56057 +       depends on GRKERNSEC && (SLAB || SLUB || SLOB)
56058 +       help
56059 +         By saying Y here the kernel will enforce the size of heap objects
56060 +         when they are copied in either direction between the kernel and
56061 +         userland, even if only a part of the heap object is copied.
56062 +
56063 +         Specifically, this checking prevents information leaking from the
56064 +         kernel heap during kernel to userland copies (if the kernel heap
56065 +         object is otherwise fully initialized) and prevents kernel heap
56066 +         overflows during userland to kernel copies.
56067 +
56068 +         Note that the current implementation provides the strictest checks
56069 +         for the SLUB allocator.
56070 +
56071 +         If frame pointers are enabled on x86, this option will also
56072 +         restrict copies into and out of the kernel stack to local variables
56073 +         within a single frame.
56074 +
56075 +         Since this has a negligible performance impact, you should enable
56076 +         this feature.
56077 +
56078 +endmenu
56079 +
56080 +endmenu
56081 +
56082  config KEYS
56083         bool "Enable access key retention support"
56084         help
56085 @@ -124,7 +623,7 @@ config INTEL_TXT
56086  config LSM_MMAP_MIN_ADDR
56087         int "Low address space for LSM to protect from user allocation"
56088         depends on SECURITY && SECURITY_SELINUX
56089 -       default 65536
56090 +       default 32768
56091         help
56092           This is the portion of low virtual memory which should be protected
56093           from userspace allocation.  Keeping a user from writing to low pages
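Review bot: The new `default 32768` halves the low address range that `LSM_MMAP_MIN_ADDR` keeps userspace from mapping, and nothing in this hunk says why the smaller value is wanted. That range is what limits the impact of kernel NULL-pointer-dereference bugs, so a reduced default should be justified where the option is defined. I would either keep `default 65536` or add a sentence to the help text naming the reason for 32768. The help text continues past the end of this hunk.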
56094 diff -urNp linux-2.6.35.5/security/min_addr.c linux-2.6.35.5/security/min_addr.c
56095 --- linux-2.6.35.5/security/min_addr.c  2010-08-26 19:47:12.000000000 -0400
56096 +++ linux-2.6.35.5/security/min_addr.c  2010-09-17 20:12:37.000000000 -0400
56097 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
56098   */
56099  static void update_mmap_min_addr(void)
56100  {
56101 +#ifndef SPARC
56102  #ifdef CONFIG_LSM_MMAP_MIN_ADDR
56103         if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
56104                 mmap_min_addr = dac_mmap_min_addr;
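Review bot: `#ifndef SPARC` tests a macro that the kernel configuration does not generate, because Kconfig symbols reach C code with the `CONFIG_` prefix, as the `CONFIG_LSM_MMAP_MIN_ADDR` test on the next line shows. Unless something else in the build defines `SPARC`, the guard is always true and the body is compiled on sparc as well, so the apparent intent of the change is lost. If the aim is to skip the update on sparc, the line should read `#ifndef CONFIG_SPARC`, with the matching `#endif` in the following hunk (@@ -22,6 +23,7) left as is. A short comment saying why sparc must keep its initial `mmap_min_addr` would also help, since the reason is not visible here.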
56105 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
56106  #else
56107         mmap_min_addr = dac_mmap_min_addr;
56108  #endif
56109 +#endif
56110  }
56111  
56112  /*
56113 diff -urNp linux-2.6.35.5/security/security.c linux-2.6.35.5/security/security.c
56114 --- linux-2.6.35.5/security/security.c  2010-08-26 19:47:12.000000000 -0400
56115 +++ linux-2.6.35.5/security/security.c  2010-09-17 20:12:37.000000000 -0400
56116 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
56117  /* things that live in capability.c */
56118  extern void __init security_fixup_ops(struct security_operations *ops);
56119  
56120 -static struct security_operations *security_ops;
56121 -static struct security_operations default_security_ops = {
56122 +static struct security_operations *security_ops __read_only;
56123 +static struct security_operations default_security_ops __read_only = {
56124         .name   = "default",
56125  };
56126  
56127 @@ -67,7 +67,9 @@ int __init security_init(void)
56128  
56129  void reset_security_ops(void)
56130  {
56131 +       pax_open_kernel();
56132         security_ops = &default_security_ops;
56133 +       pax_close_kernel();
56134  }
56135  
56136  /* Save user chosen LSM */
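Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair added to `reset_security_ops()` has no comment tying it to the `__read_only` annotation that the previous hunk (@@ -25,8) puts on `security_ops`. A one-line comment such as `/* security_ops is __read_only: lift write protection only for this store */` would stop a later cleanup from removing the pair or widening the window. Any other store to `security_ops` that can run after init would presumably need the same bracket. Those sites are outside the visible hunks, so this should be confirmed against the full file.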
56137 diff -urNp linux-2.6.35.5/security/selinux/hooks.c linux-2.6.35.5/security/selinux/hooks.c
56138 --- linux-2.6.35.5/security/selinux/hooks.c     2010-08-26 19:47:12.000000000 -0400
56139 +++ linux-2.6.35.5/security/selinux/hooks.c     2010-09-17 20:12:37.000000000 -0400
56140 @@ -93,7 +93,6 @@
56141  #define NUM_SEL_MNT_OPTS 5
56142  
56143  extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
56144 -extern struct security_operations *security_ops;
56145  
56146  /* SECMARK reference count */
56147  atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
56148 @@ -5428,7 +5427,7 @@ static int selinux_key_getsecurity(struc
56149  
56150  #endif
56151  
56152 -static struct security_operations selinux_ops = {
56153 +static struct security_operations selinux_ops __read_only = {
56154         .name =                         "selinux",
56155  
56156         .ptrace_access_check =          selinux_ptrace_access_check,
56157 diff -urNp linux-2.6.35.5/security/smack/smack_lsm.c linux-2.6.35.5/security/smack/smack_lsm.c
56158 --- linux-2.6.35.5/security/smack/smack_lsm.c   2010-08-26 19:47:12.000000000 -0400
56159 +++ linux-2.6.35.5/security/smack/smack_lsm.c   2010-09-17 20:12:09.000000000 -0400
56160 @@ -3064,7 +3064,7 @@ static int smack_inode_getsecctx(struct 
56161         return 0;
56162  }
56163  
56164 -struct security_operations smack_ops = {
56165 +struct security_operations smack_ops __read_only = {
56166         .name =                         "smack",
56167  
56168         .ptrace_access_check =          smack_ptrace_access_check,
56169 diff -urNp linux-2.6.35.5/security/tomoyo/tomoyo.c linux-2.6.35.5/security/tomoyo/tomoyo.c
56170 --- linux-2.6.35.5/security/tomoyo/tomoyo.c     2010-08-26 19:47:12.000000000 -0400
56171 +++ linux-2.6.35.5/security/tomoyo/tomoyo.c     2010-09-17 20:12:09.000000000 -0400
56172 @@ -235,7 +235,7 @@ static int tomoyo_sb_pivotroot(struct pa
56173   * tomoyo_security_ops is a "struct security_operations" which is used for
56174   * registering TOMOYO.
56175   */
56176 -static struct security_operations tomoyo_security_ops = {
56177 +static struct security_operations tomoyo_security_ops __read_only = {
56178         .name                = "tomoyo",
56179         .cred_alloc_blank    = tomoyo_cred_alloc_blank,
56180         .cred_prepare        = tomoyo_cred_prepare,
56181 diff -urNp linux-2.6.35.5/sound/aoa/codecs/onyx.c linux-2.6.35.5/sound/aoa/codecs/onyx.c
56182 --- linux-2.6.35.5/sound/aoa/codecs/onyx.c      2010-08-26 19:47:12.000000000 -0400
56183 +++ linux-2.6.35.5/sound/aoa/codecs/onyx.c      2010-09-17 20:12:09.000000000 -0400
56184 @@ -54,7 +54,7 @@ struct onyx {
56185                                 spdif_locked:1,
56186                                 analog_locked:1,
56187                                 original_mute:2;
56188 -       int                     open_count;
56189 +       atomic_t                open_count;
56190         struct codec_info       *codec_info;
56191  
56192         /* mutex serializes concurrent access to the device
56193 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
56194         struct onyx *onyx = cii->codec_data;
56195  
56196         mutex_lock(&onyx->mutex);
56197 -       onyx->open_count++;
56198 +       atomic_inc(&onyx->open_count);
56199         mutex_unlock(&onyx->mutex);
56200  
56201         return 0;
56202 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
56203         struct onyx *onyx = cii->codec_data;
56204  
56205         mutex_lock(&onyx->mutex);
56206 -       onyx->open_count--;
56207 -       if (!onyx->open_count)
56208 +       if (atomic_dec_and_test(&onyx->open_count))
56209                 onyx->spdif_locked = onyx->analog_locked = 0;
56210         mutex_unlock(&onyx->mutex);
56211  
56212 diff -urNp linux-2.6.35.5/sound/core/oss/pcm_oss.c linux-2.6.35.5/sound/core/oss/pcm_oss.c
56213 --- linux-2.6.35.5/sound/core/oss/pcm_oss.c     2010-08-26 19:47:12.000000000 -0400
56214 +++ linux-2.6.35.5/sound/core/oss/pcm_oss.c     2010-09-17 20:12:09.000000000 -0400
56215 @@ -2966,8 +2966,8 @@ static void snd_pcm_oss_proc_done(struct
56216         }
56217  }
56218  #else /* !CONFIG_SND_VERBOSE_PROCFS */
56219 -#define snd_pcm_oss_proc_init(pcm)
56220 -#define snd_pcm_oss_proc_done(pcm)
56221 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
56222 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
56223  #endif /* CONFIG_SND_VERBOSE_PROCFS */
56224  
56225  /*
56226 diff -urNp linux-2.6.35.5/sound/core/seq/seq_lock.h linux-2.6.35.5/sound/core/seq/seq_lock.h
56227 --- linux-2.6.35.5/sound/core/seq/seq_lock.h    2010-08-26 19:47:12.000000000 -0400
56228 +++ linux-2.6.35.5/sound/core/seq/seq_lock.h    2010-09-17 20:12:09.000000000 -0400
56229 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
56230  #else /* SMP || CONFIG_SND_DEBUG */
56231  
56232  typedef spinlock_t snd_use_lock_t;     /* dummy */
56233 -#define snd_use_lock_init(lockp) /**/
56234 -#define snd_use_lock_use(lockp) /**/
56235 -#define snd_use_lock_free(lockp) /**/
56236 -#define snd_use_lock_sync(lockp) /**/
56237 +#define snd_use_lock_init(lockp) do {} while (0)
56238 +#define snd_use_lock_use(lockp) do {} while (0)
56239 +#define snd_use_lock_free(lockp) do {} while (0)
56240 +#define snd_use_lock_sync(lockp) do {} while (0)
56241  
56242  #endif /* SMP || CONFIG_SND_DEBUG */
56243  
56244 diff -urNp linux-2.6.35.5/sound/drivers/mts64.c linux-2.6.35.5/sound/drivers/mts64.c
56245 --- linux-2.6.35.5/sound/drivers/mts64.c        2010-08-26 19:47:12.000000000 -0400
56246 +++ linux-2.6.35.5/sound/drivers/mts64.c        2010-09-17 20:12:09.000000000 -0400
56247 @@ -66,7 +66,7 @@ struct mts64 {
56248         struct pardevice *pardev;
56249         int pardev_claimed;
56250  
56251 -       int open_count;
56252 +       atomic_t open_count;
56253         int current_midi_output_port;
56254         int current_midi_input_port;
56255         u8 mode[MTS64_NUM_INPUT_PORTS];
56256 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
56257  {
56258         struct mts64 *mts = substream->rmidi->private_data;
56259  
56260 -       if (mts->open_count == 0) {
56261 +       if (atomic_read(&mts->open_count) == 0) {
56262                 /* We don't need a spinlock here, because this is just called 
56263                    if the device has not been opened before. 
56264                    So there aren't any IRQs from the device */
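Review bot: Switching `open_count` to `atomic_t` does not make the check-then-act sequences atomic: here `atomic_read(&mts->open_count) == 0` is tested, but the `atomic_inc()` only happens in the next hunk (@@ -704), after the device init and `msleep(50)`. The close path (hunks @@ -714 and @@ -724) likewise decrements with `atomic_dec_return()` and then re-reads the counter in `else if (atomic_read(&mts->open_count) < 0)`, so the second test can see a value changed by another caller. Keeping the result in a local, `int count = atomic_dec_return(&mts->open_count);`, and testing `count` in both branches removes the re-read. If the rawmidi core already serializes open and close for this device, which these hunks do not show, a comment stating that would be enough. Both functions start outside the hunks.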
56265 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
56266  
56267                 msleep(50);
56268         }
56269 -       ++(mts->open_count);
56270 +       atomic_inc(&mts->open_count);
56271  
56272         return 0;
56273  }
56274 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
56275         struct mts64 *mts = substream->rmidi->private_data;
56276         unsigned long flags;
56277  
56278 -       --(mts->open_count);
56279 -       if (mts->open_count == 0) {
56280 +       if (atomic_dec_return(&mts->open_count) == 0) {
56281                 /* We need the spinlock_irqsave here because we can still
56282                    have IRQs at this point */
56283                 spin_lock_irqsave(&mts->lock, flags);
56284 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
56285  
56286                 msleep(500);
56287  
56288 -       } else if (mts->open_count < 0)
56289 -               mts->open_count = 0;
56290 +       } else if (atomic_read(&mts->open_count) < 0)
56291 +               atomic_set(&mts->open_count, 0);
56292  
56293         return 0;
56294  }
56295 diff -urNp linux-2.6.35.5/sound/drivers/portman2x4.c linux-2.6.35.5/sound/drivers/portman2x4.c
56296 --- linux-2.6.35.5/sound/drivers/portman2x4.c   2010-08-26 19:47:12.000000000 -0400
56297 +++ linux-2.6.35.5/sound/drivers/portman2x4.c   2010-09-17 20:12:09.000000000 -0400
56298 @@ -84,7 +84,7 @@ struct portman {
56299         struct pardevice *pardev;
56300         int pardev_claimed;
56301  
56302 -       int open_count;
56303 +       atomic_t open_count;
56304         int mode[PORTMAN_NUM_INPUT_PORTS];
56305         struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
56306  };
56307 diff -urNp linux-2.6.35.5/sound/oss/sb_audio.c linux-2.6.35.5/sound/oss/sb_audio.c
56308 --- linux-2.6.35.5/sound/oss/sb_audio.c 2010-08-26 19:47:12.000000000 -0400
56309 +++ linux-2.6.35.5/sound/oss/sb_audio.c 2010-09-17 20:12:09.000000000 -0400
56310 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
56311                 buf16 = (signed short *)(localbuf + localoffs);
56312                 while (c)
56313                 {
56314 -                       locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56315 +                       locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
56316                         if (copy_from_user(lbuf8,
56317                                            userbuf+useroffs + p,
56318                                            locallen))
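Review bot: The `(unsigned)c` cast bounds `locallen` when `c` is negative, but it hides the bad count instead of rejecting it: a negative `c` still passes `while (c)` and is copied in `LBUFCOPYSIZE` pieces. Where `c` comes from and how it is decremented lie outside this hunk, so the exact effect is inferred. An explicit `c < 0` check before the loop, returning in whatever way the function reports failure, or declaring the count as an unsigned type, would state the intent and keep the loop from running on a wrapped value. At minimum the line deserves a comment such as `/* cast: a negative c must not yield a negative copy length */`.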
56319 diff -urNp linux-2.6.35.5/sound/pci/ac97/ac97_codec.c linux-2.6.35.5/sound/pci/ac97/ac97_codec.c
56320 --- linux-2.6.35.5/sound/pci/ac97/ac97_codec.c  2010-08-26 19:47:12.000000000 -0400
56321 +++ linux-2.6.35.5/sound/pci/ac97/ac97_codec.c  2010-09-17 20:12:09.000000000 -0400
56322 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
56323  }
56324  
56325  /* build_ops to do nothing */
56326 -static struct snd_ac97_build_ops null_build_ops;
56327 +static const struct snd_ac97_build_ops null_build_ops;
56328  
56329  #ifdef CONFIG_SND_AC97_POWER_SAVE
56330  static void do_update_power(struct work_struct *work)
56331 diff -urNp linux-2.6.35.5/sound/pci/ac97/ac97_patch.c linux-2.6.35.5/sound/pci/ac97/ac97_patch.c
56332 --- linux-2.6.35.5/sound/pci/ac97/ac97_patch.c  2010-08-26 19:47:12.000000000 -0400
56333 +++ linux-2.6.35.5/sound/pci/ac97/ac97_patch.c  2010-09-17 20:12:09.000000000 -0400
56334 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
56335         return 0;
56336  }
56337  
56338 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56339 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
56340         .build_spdif    = patch_yamaha_ymf743_build_spdif,
56341         .build_3d       = patch_yamaha_ymf7x3_3d,
56342  };
56343 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
56344         return 0;
56345  }
56346  
56347 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56348 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
56349         .build_3d       = patch_yamaha_ymf7x3_3d,
56350         .build_post_spdif = patch_yamaha_ymf753_post_spdif
56351  };
56352 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
56353         return 0;
56354  }
56355  
56356 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56357 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
56358         .build_specific = patch_wolfson_wm9703_specific,
56359  };
56360  
56361 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
56362         return 0;
56363  }
56364  
56365 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56366 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
56367         .build_specific = patch_wolfson_wm9704_specific,
56368  };
56369  
56370 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
56371         return 0;
56372  }
56373  
56374 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56375 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
56376         .build_specific = patch_wolfson_wm9711_specific,
56377  };
56378  
56379 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume 
56380  }
56381  #endif
56382  
56383 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56384 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
56385         .build_specific = patch_wolfson_wm9713_specific,
56386         .build_3d = patch_wolfson_wm9713_3d,
56387  #ifdef CONFIG_PM       
56388 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
56389         return 0;
56390  }
56391  
56392 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56393 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
56394         .build_3d       = patch_sigmatel_stac9700_3d,
56395         .build_specific = patch_sigmatel_stac97xx_specific
56396  };
56397 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
56398         return patch_sigmatel_stac97xx_specific(ac97);
56399  }
56400  
56401 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56402 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
56403         .build_3d       = patch_sigmatel_stac9708_3d,
56404         .build_specific = patch_sigmatel_stac9708_specific
56405  };
56406 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
56407         return 0;
56408  }
56409  
56410 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56411 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
56412         .build_3d       = patch_sigmatel_stac9700_3d,
56413         .build_specific = patch_sigmatel_stac9758_specific
56414  };
56415 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
56416         return 0;
56417  }
56418  
56419 -static struct snd_ac97_build_ops patch_cirrus_ops = {
56420 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
56421         .build_spdif = patch_cirrus_build_spdif
56422  };
56423  
56424 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
56425         return 0;
56426  }
56427  
56428 -static struct snd_ac97_build_ops patch_conexant_ops = {
56429 +static const struct snd_ac97_build_ops patch_conexant_ops = {
56430         .build_spdif = patch_conexant_build_spdif
56431  };
56432  
56433 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
56434         { AC97_VIDEO, 0x9f1f },
56435         { AC97_AUX, 0x9f1f },
56436         { AC97_PCM, 0x9f1f },
56437 -       { } /* terminator */
56438 +       { 0, 0 } /* terminator */
56439  };
56440  
56441  static int patch_ad1819(struct snd_ac97 * ac97)
56442 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct 
56443         }
56444  }
56445  
56446 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
56447 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
56448  #ifdef CONFIG_PM
56449         .resume = ad18xx_resume
56450  #endif
56451 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct 
56452         return 0;
56453  }
56454  
56455 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
56456 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
56457         .build_specific = &patch_ad1885_specific,
56458  #ifdef CONFIG_PM
56459         .resume = ad18xx_resume
56460 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct 
56461         return 0;
56462  }
56463  
56464 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
56465 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
56466         .build_specific = &patch_ad1886_specific,
56467  #ifdef CONFIG_PM
56468         .resume = ad18xx_resume
56469 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
56470                                     ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56471  }
56472  
56473 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56474 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
56475         .build_post_spdif = patch_ad198x_post_spdif,
56476         .build_specific = patch_ad1981a_specific,
56477  #ifdef CONFIG_PM
56478 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
56479                                     ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
56480  }
56481  
56482 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56483 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
56484         .build_post_spdif = patch_ad198x_post_spdif,
56485         .build_specific = patch_ad1981b_specific,
56486  #ifdef CONFIG_PM
56487 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct 
56488         return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
56489  }
56490  
56491 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
56492 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
56493         .build_post_spdif = patch_ad198x_post_spdif,
56494         .build_specific = patch_ad1888_specific,
56495  #ifdef CONFIG_PM
56496 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct 
56497         return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
56498  }
56499  
56500 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
56501 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
56502         .build_post_spdif = patch_ad198x_post_spdif,
56503         .build_specific = patch_ad1980_specific,
56504  #ifdef CONFIG_PM
56505 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct 
56506                                     ARRAY_SIZE(snd_ac97_ad1985_controls));
56507  }
56508  
56509 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
56510 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
56511         .build_post_spdif = patch_ad198x_post_spdif,
56512         .build_specific = patch_ad1985_specific,
56513  #ifdef CONFIG_PM
56514 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct 
56515                                     ARRAY_SIZE(snd_ac97_ad1985_controls));
56516  }
56517  
56518 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
56519 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
56520         .build_post_spdif = patch_ad198x_post_spdif,
56521         .build_specific = patch_ad1986_specific,
56522  #ifdef CONFIG_PM
56523 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct 
56524         return 0;
56525  }
56526  
56527 -static struct snd_ac97_build_ops patch_alc650_ops = {
56528 +static const struct snd_ac97_build_ops patch_alc650_ops = {
56529         .build_specific = patch_alc650_specific,
56530         .update_jacks = alc650_update_jacks
56531  };
56532 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct 
56533         return 0;
56534  }
56535  
56536 -static struct snd_ac97_build_ops patch_alc655_ops = {
56537 +static const struct snd_ac97_build_ops patch_alc655_ops = {
56538         .build_specific = patch_alc655_specific,
56539         .update_jacks = alc655_update_jacks
56540  };
56541 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct 
56542         return 0;
56543  }
56544  
56545 -static struct snd_ac97_build_ops patch_alc850_ops = {
56546 +static const struct snd_ac97_build_ops patch_alc850_ops = {
56547         .build_specific = patch_alc850_specific,
56548         .update_jacks = alc850_update_jacks
56549  };
56550 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct 
56551         return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
56552  }
56553  
56554 -static struct snd_ac97_build_ops patch_cm9738_ops = {
56555 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
56556         .build_specific = patch_cm9738_specific,
56557         .update_jacks = cm9738_update_jacks
56558  };
56559 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
56560         return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
56561  }
56562  
56563 -static struct snd_ac97_build_ops patch_cm9739_ops = {
56564 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
56565         .build_specific = patch_cm9739_specific,
56566         .build_post_spdif = patch_cm9739_post_spdif,
56567         .update_jacks = cm9739_update_jacks
56568 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct 
56569         return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
56570  }
56571  
56572 -static struct snd_ac97_build_ops patch_cm9761_ops = {
56573 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
56574         .build_specific = patch_cm9761_specific,
56575         .build_post_spdif = patch_cm9761_post_spdif,
56576         .update_jacks = cm9761_update_jacks
56577 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct 
56578         return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
56579  }
56580  
56581 -static struct snd_ac97_build_ops patch_cm9780_ops = {
56582 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
56583         .build_specific = patch_cm9780_specific,
56584         .build_post_spdif = patch_cm9761_post_spdif     /* identical with CM9761 */
56585  };
56586 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct 
56587         return 0;
56588  }
56589  
56590 -static struct snd_ac97_build_ops patch_vt1616_ops = {
56591 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
56592         .build_specific = patch_vt1616_specific
56593  };
56594  
56595 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct 
56596         return 0;
56597  }
56598  
56599 -static struct snd_ac97_build_ops patch_it2646_ops = {
56600 +static const struct snd_ac97_build_ops patch_it2646_ops = {
56601         .build_specific = patch_it2646_specific,
56602         .update_jacks = it2646_update_jacks
56603  };
56604 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct 
56605         return 0;
56606  }
56607  
56608 -static struct snd_ac97_build_ops patch_si3036_ops = {
56609 +static const struct snd_ac97_build_ops patch_si3036_ops = {
56610         .build_specific = patch_si3036_specific,
56611  };
56612  
56613 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
56614         { AC97_AUX, 0x1f1f },
56615         { AC97_PCM, 0x1f1f },
56616         { AC97_REC_GAIN, 0x0f0f },
56617 -       { } /* terminator */
56618 +       { 0, 0 } /* terminator */
56619  };
56620  
56621  static int patch_lm4550(struct snd_ac97 *ac97)
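Review bot: The new terminator `{ 0, 0 }` spells out one zero per member, so it is tied to the current member count and order of `struct snd_ac97_res_table`. The same positional style is used for the table terminators in the ens1370.c, intel8x0.c and intel8x0m.c hunks (`{ 0, 0, 0, 0, 0, 0, 0 }`, `{ 0, 0, 0, 0, NULL, 0 }`, `{ 0, NULL }`). The empty and the spelled-out forms initialise the entry identically, so the change presumably only quiets a missing-initializer warning. A designated initializer naming just the first member keeps the sentinel independent of the struct layout, e.g. `{ .vendor = 0 }` for the PCI ID tables, and GCC does not raise -Wmissing-field-initializers for designated initializers. The table itself begins outside this hunk.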
56622 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
56623         return 0;
56624  }
56625  
56626 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
56627 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
56628         .build_specific = patch_ucb1400_specific,
56629  };
56630  
56631 diff -urNp linux-2.6.35.5/sound/pci/ens1370.c linux-2.6.35.5/sound/pci/ens1370.c
56632 --- linux-2.6.35.5/sound/pci/ens1370.c  2010-08-26 19:47:12.000000000 -0400
56633 +++ linux-2.6.35.5/sound/pci/ens1370.c  2010-09-17 20:12:09.000000000 -0400
56634 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
56635         { PCI_VDEVICE(ENSONIQ, 0x5880), 0, },   /* ES1373 - CT5880 */
56636         { PCI_VDEVICE(ECTIVA, 0x8938), 0, },    /* Ectiva EV1938 */
56637  #endif
56638 -       { 0, }
56639 +       { 0, 0, 0, 0, 0, 0, 0 }
56640  };
56641  
56642  MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
56643 diff -urNp linux-2.6.35.5/sound/pci/hda/patch_hdmi.c linux-2.6.35.5/sound/pci/hda/patch_hdmi.c
56644 --- linux-2.6.35.5/sound/pci/hda/patch_hdmi.c   2010-08-26 19:47:12.000000000 -0400
56645 +++ linux-2.6.35.5/sound/pci/hda/patch_hdmi.c   2010-09-17 20:12:09.000000000 -0400
56646 @@ -670,10 +670,10 @@ static void hdmi_non_intrinsic_event(str
56647                 cp_ready);
56648  
56649         /* TODO */
56650 -       if (cp_state)
56651 -               ;
56652 -       if (cp_ready)
56653 -               ;
56654 +       if (cp_state) {
56655 +       }
56656 +       if (cp_ready) {
56657 +       }
56658  }
56659  
56660  
56661 diff -urNp linux-2.6.35.5/sound/pci/intel8x0.c linux-2.6.35.5/sound/pci/intel8x0.c
56662 --- linux-2.6.35.5/sound/pci/intel8x0.c 2010-08-26 19:47:12.000000000 -0400
56663 +++ linux-2.6.35.5/sound/pci/intel8x0.c 2010-09-17 20:12:09.000000000 -0400
56664 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56665         { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL },     /* AMD8111 */
56666         { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL },     /* AMD768 */
56667         { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI },   /* Ali5455 */
56668 -       { 0, }
56669 +       { 0, 0, 0, 0, 0, 0, 0 }
56670  };
56671  
56672  MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
56673 @@ -2135,7 +2135,7 @@ static struct ac97_quirk ac97_quirks[] _
56674                 .type = AC97_TUNE_HP_ONLY
56675         },
56676  #endif
56677 -       { } /* terminator */
56678 +       { 0, 0, 0, 0, NULL, 0 } /* terminator */
56679  };
56680  
56681  static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
56682 diff -urNp linux-2.6.35.5/sound/pci/intel8x0m.c linux-2.6.35.5/sound/pci/intel8x0m.c
56683 --- linux-2.6.35.5/sound/pci/intel8x0m.c        2010-08-26 19:47:12.000000000 -0400
56684 +++ linux-2.6.35.5/sound/pci/intel8x0m.c        2010-09-17 20:12:09.000000000 -0400
56685 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
56686         { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL },     /* AMD8111 */
56687         { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI },   /* Ali5455 */
56688  #endif
56689 -       { 0, }
56690 +       { 0, 0, 0, 0, 0, 0, 0 }
56691  };
56692  
56693  MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
56694 @@ -1264,7 +1264,7 @@ static struct shortname_table {
56695         { 0x5455, "ALi M5455" },
56696         { 0x746d, "AMD AMD8111" },
56697  #endif
56698 -       { 0 },
56699 +       { 0, NULL },
56700  };
56701  
56702  static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
56703 diff -urNp linux-2.6.35.5/usr/gen_init_cpio.c linux-2.6.35.5/usr/gen_init_cpio.c
56704 --- linux-2.6.35.5/usr/gen_init_cpio.c  2010-08-26 19:47:12.000000000 -0400
56705 +++ linux-2.6.35.5/usr/gen_init_cpio.c  2010-09-17 20:12:09.000000000 -0400
56706 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
56707         int retval;
56708         int rc = -1;
56709         int namesize;
56710 -       int i;
56711 +       unsigned int i;
56712  
56713         mode |= S_IFREG;
56714  
56715 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
56716                         *env_var = *expanded = '\0';
56717                         strncat(env_var, start + 2, end - start - 2);
56718                         strncat(expanded, new_location, start - new_location);
56719 -                       strncat(expanded, getenv(env_var), PATH_MAX);
56720 -                       strncat(expanded, end + 1, PATH_MAX);
56721 +                       strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
56722 +                       strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
56723                         strncpy(new_location, expanded, PATH_MAX);
56724 +                       new_location[PATH_MAX] = 0;
56725                 } else
56726                         break;
56727         }
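Review bot: `getenv(env_var)` is still passed straight to `strncat()` on the rewritten line, and getenv() returns NULL when the variable is unset, so a `${NAME}` with no matching environment variable hands a null pointer to strncat(). Fetch the value first and handle the miss, e.g. `const char *val = getenv(env_var);` followed by `if (val) strncat(expanded, val, PATH_MAX - strlen(expanded));`. The added `new_location[PATH_MAX] = 0;` and the `PATH_MAX - strlen(expanded)` bounds are only in range if `new_location` and `expanded` are at least PATH_MAX + 1 bytes. Their declarations are outside this hunk, so that should be confirmed at the declaration and at the caller. The first two `strncat()` calls in the hunk are bounded by source offsets only and rest on the same assumption.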
56728 diff -urNp linux-2.6.35.5/virt/kvm/kvm_main.c linux-2.6.35.5/virt/kvm/kvm_main.c
56729 --- linux-2.6.35.5/virt/kvm/kvm_main.c  2010-08-26 19:47:12.000000000 -0400
56730 +++ linux-2.6.35.5/virt/kvm/kvm_main.c  2010-09-17 20:12:09.000000000 -0400
56731 @@ -1284,6 +1284,7 @@ static int kvm_vcpu_release(struct inode
56732         return 0;
56733  }
56734  
56735 +/* cannot be const */
56736  static struct file_operations kvm_vcpu_fops = {
56737         .release        = kvm_vcpu_release,
56738         .unlocked_ioctl = kvm_vcpu_ioctl,
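Review bot: The added `/* cannot be const */` does not say why, which leaves the next constification pass to rediscover the reason; the same bare comment is added above `kvm_vm_fops` and `kvm_chardev_ops` in the next two hunks. If the reason is that a member is assigned at run time (presumably `.owner`, set from the `module` argument of `kvm_init()`, whose body is outside these hunks), say so: `/* cannot be const: .owner is assigned in kvm_init() */`. These function-pointer tables stay writable, so the comment is also the only marker that they were deliberately left out of read-only data.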
56739 @@ -1738,6 +1739,7 @@ static int kvm_vm_mmap(struct file *file
56740         return 0;
56741  }
56742  
56743 +/* cannot be const */
56744  static struct file_operations kvm_vm_fops = {
56745         .release        = kvm_vm_release,
56746         .unlocked_ioctl = kvm_vm_ioctl,
56747 @@ -1835,6 +1837,7 @@ out:
56748         return r;
56749  }
56750  
56751 +/* cannot be const */
56752  static struct file_operations kvm_chardev_ops = {
56753         .unlocked_ioctl = kvm_dev_ioctl,
56754         .compat_ioctl   = kvm_dev_ioctl,
56755 @@ -1844,6 +1847,9 @@ static struct miscdevice kvm_dev = {
56756         KVM_MINOR,
56757         "kvm",
56758         &kvm_chardev_ops,
56759 +       {NULL, NULL},
56760 +       NULL,
56761 +       NULL
56762  };
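Review bot: The three added lines extend a positional initializer, so `{NULL, NULL}, NULL, NULL` is only correct for the member order `struct miscdevice` has in this tree, and any members after those are still zero-filled implicitly. Designated initializers express the same object without depending on layout: `.minor = KVM_MINOR,`, `.name = "kvm",`, `.fops = &kvm_chardev_ops,`. The opening line of the initializer is outside this hunk.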
56763  
56764  static void hardware_enable(void *junk)
56765 @@ -2178,7 +2184,7 @@ static void kvm_sched_out(struct preempt
56766         kvm_arch_vcpu_put(vcpu);
56767  }
56768  
56769 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56770 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
56771                   struct module *module)
56772  {
56773         int r;