1 diff -urNp linux-2.6.38.1/arch/alpha/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.38.1/arch/alpha/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3 +++ linux-2.6.38.1-new/arch/alpha/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.38.1/arch/alpha/include/asm/elf.h linux-2.6.38.1-new/arch/alpha/include/asm/elf.h
17 --- linux-2.6.38.1/arch/alpha/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
18 +++ linux-2.6.38.1-new/arch/alpha/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
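Review bot: The three `PAX_DELTA_*_LEN` macros and `PAX_ELF_ET_DYN_BASE` are bare constants with no explanation of what the lengths count or why the 32-bit personality gets 14 bits while the 64-bit case gets 28 and 19; presumably they are the number of random bits applied to the mmap and stack bases by the generic ASLR code, but a reader of this header cannot tell. I would add a comment above the block, e.g. `/* PAX_DELTA_*_LEN: number of randomized bits in the mmap/stack base; ADDR_LIMIT_32BIT tasks get a smaller range -- confirm against the consumer of these macros */`. The `#else`/`#endif` lines of the conditional are not visible in this excerpt.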
33 diff -urNp linux-2.6.38.1/arch/alpha/include/asm/pgtable.h linux-2.6.38.1-new/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.38.1/arch/alpha/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
35 +++ linux-2.6.38.1-new/arch/alpha/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
54 diff -urNp linux-2.6.38.1/arch/alpha/kernel/module.c linux-2.6.38.1-new/arch/alpha/kernel/module.c
55 --- linux-2.6.38.1/arch/alpha/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
56 +++ linux-2.6.38.1-new/arch/alpha/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
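Review bot: The comment above the changed line still says the small sections were sorted to the end of "the segment", but gp is now anchored at the end of the RW region only, so the claim holds only if the loader always places the gp-relative small sections in the RW half of the split; if any such section lands in the RX half, its gp-relative relocations could fall outside the 64K window. I would extend the comment to `/* The small sections were sorted to the end of the RW segment; gp is based on module_core_rw so the window covers them. */`. apply_relocate_add continues outside the hunk.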
66 diff -urNp linux-2.6.38.1/arch/alpha/kernel/osf_sys.c linux-2.6.38.1-new/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.38.1/arch/alpha/kernel/osf_sys.c 2011-03-14 21:20:32.000000000 -0400
68 +++ linux-2.6.38.1-new/arch/alpha/kernel/osf_sys.c 2011-03-21 18:31:35.000000000 -0400
69 @@ -1162,7 +1162,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
78 @@ -1198,6 +1198,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
89 @@ -1205,8 +1209,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
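Review bot: The comment `/* Next, try allocating at TASK_UNMAPPED_BASE. */` on the line above is now stale, because the call below starts the search at `current->mm->mmap_base`. I would change it to `/* Next, try allocating at mm->mmap_base (TASK_UNMAPPED_BASE unless the base was randomized). */`; the place where mmap_base is set is not in this hunk, so the parenthetical is my assumption. arch_get_unmapped_area continues outside the hunk.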
100 diff -urNp linux-2.6.38.1/arch/alpha/kernel/pci_iommu.c linux-2.6.38.1-new/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.38.1/arch/alpha/kernel/pci_iommu.c 2011-03-14 21:20:32.000000000 -0400
102 +++ linux-2.6.38.1-new/arch/alpha/kernel/pci_iommu.c 2011-03-21 18:31:35.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.38.1/arch/alpha/kernel/pci-noop.c linux-2.6.38.1-new/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.38.1/arch/alpha/kernel/pci-noop.c 2011-03-14 21:20:32.000000000 -0400
121 +++ linux-2.6.38.1-new/arch/alpha/kernel/pci-noop.c 2011-03-21 18:31:35.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.38.1/arch/alpha/mm/fault.c linux-2.6.38.1-new/arch/alpha/mm/fault.c
141 --- linux-2.6.38.1/arch/alpha/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
142 +++ linux-2.6.38.1-new/arch/alpha/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
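Review bot: `pax_report_insns` passes a plain kernel pointer to `get_user` at `get_user(c, (unsigned int *)pc+i)`, which sparse will flag as an address-space mismatch; the ARM version in this same patch uses `(__force unsigned char __user *)pc+i`, and the same form, `get_user(c, (__force unsigned int __user *)pc + i)`, would keep the two consistent (the `regs->pc` reads in the PLT emulation have the same issue). The idiom `((addrh ^ 0x80000000UL) + 0x80000000UL)` / `((addrl ^ 0x8000UL) + 0x8000UL)` appears three times with no explanation and looks like a sign-extension of the ldah/lda displacements; a one-line comment such as `/* sign-extend the 16-bit ldah/lda displacements as the CPU does */` where it first occurs would help. The `if (err) break;` guards that presumably follow each group of get_user calls are not visible in this excerpt, so I cannot confirm the pattern matches are skipped on a failed read.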
267 * This routine handles page faults. It determines the address,
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
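Review bot: Every arm of the switch must leave do_page_fault, because `up_read(&mm->mmap_sem)` runs before `pax_handle_fetch_fault` and the normal `bad_area` path presumably does its own up_read; the `case` labels between `#ifdef CONFIG_PAX_EMUPLT` and the `pax_report_fault` call are not visible in this hunk, so I cannot confirm that results 2 and 3 return rather than fall through. The extra `address != regs->pc` test reads as a belt-and-braces check; if it sits inside the stock `cause < 0` (instruction fetch) branch, a comment such as `/* only a genuine instruction fetch from a non-exec vma is a PaX violation; data accesses keep the normal SIGSEGV path */` would tell the reader why both tests exist. do_page_fault continues outside the hunk.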
299 diff -urNp linux-2.6.38.1/arch/arm/include/asm/elf.h linux-2.6.38.1-new/arch/arm/include/asm/elf.h
300 --- linux-2.6.38.1/arch/arm/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
301 +++ linux-2.6.38.1-new/arch/arm/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
302 @@ -115,7 +115,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
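Review bot: The personality test in `PAX_DELTA_MMAP_LEN` and `PAX_DELTA_STACK_LEN` compares the whole `current->personality` word with `PER_LINUX_32BIT`, so any additional flag bit in that word (set by personality(2) or by the ELF loader) makes the comparison fail and silently drops the task to the 10-bit case; the alpha header in this same patch tests the flag instead (`current->personality & ADDR_LIMIT_32BIT`). I would use the same form here: `#define PAX_DELTA_MMAP_LEN ((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` and likewise for the stack length. The reorder of `ELF_ET_DYN_BASE` to `TASK_SIZE / 3 * 2` is fine, but a short comment noting that it avoids overflowing `2 * TASK_SIZE` in 32-bit arithmetic (which I assume is the motivation) would save the next reader a puzzle.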
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
318 @@ -125,10 +132,6 @@ int dump_task_regs(struct task_struct *t
319 extern void elf_set_personality(const struct elf32_hdr *);
320 #define SET_PERSONALITY(ex) elf_set_personality(&(ex))
323 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
324 -#define arch_randomize_brk arch_randomize_brk
326 extern int vectors_user_mapping(void);
327 #define arch_setup_additional_pages(bprm, uses_interp) vectors_user_mapping()
328 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES
329 diff -urNp linux-2.6.38.1/arch/arm/include/asm/kmap_types.h linux-2.6.38.1-new/arch/arm/include/asm/kmap_types.h
330 --- linux-2.6.38.1/arch/arm/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
331 +++ linux-2.6.38.1-new/arch/arm/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
332 @@ -21,6 +21,7 @@ enum km_type {
340 diff -urNp linux-2.6.38.1/arch/arm/include/asm/uaccess.h linux-2.6.38.1-new/arch/arm/include/asm/uaccess.h
341 --- linux-2.6.38.1/arch/arm/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
342 +++ linux-2.6.38.1-new/arch/arm/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
343 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
345 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
350 if (access_ok(VERIFY_READ, from, n))
351 n = __copy_from_user(to, from, n);
352 else /* security hole - plug it */
353 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
355 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
360 if (access_ok(VERIFY_WRITE, to, n))
361 n = __copy_to_user(to, from, n);
363 diff -urNp linux-2.6.38.1/arch/arm/kernel/kgdb.c linux-2.6.38.1-new/arch/arm/kernel/kgdb.c
364 --- linux-2.6.38.1/arch/arm/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
365 +++ linux-2.6.38.1-new/arch/arm/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
366 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
367 * and we handle the normal undef case within the do_undefinstr
370 -struct kgdb_arch arch_kgdb_ops = {
371 +const struct kgdb_arch arch_kgdb_ops = {
373 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
374 #else /* ! __ARMEB__ */
375 diff -urNp linux-2.6.38.1/arch/arm/kernel/process.c linux-2.6.38.1-new/arch/arm/kernel/process.c
376 --- linux-2.6.38.1/arch/arm/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
377 +++ linux-2.6.38.1-new/arch/arm/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
379 #include <linux/tick.h>
380 #include <linux/utsname.h>
381 #include <linux/uaccess.h>
382 -#include <linux/random.h>
383 #include <linux/hw_breakpoint.h>
385 #include <asm/cacheflush.h>
386 @@ -477,12 +476,6 @@ unsigned long get_wchan(struct task_stru
390 -unsigned long arch_randomize_brk(struct mm_struct *mm)
392 - unsigned long range_end = mm->brk + 0x02000000;
393 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
398 * The vectors page is always readable from user space for the
399 diff -urNp linux-2.6.38.1/arch/arm/mach-msm/last_radio_log.c linux-2.6.38.1-new/arch/arm/mach-msm/last_radio_log.c
400 --- linux-2.6.38.1/arch/arm/mach-msm/last_radio_log.c 2011-03-14 21:20:32.000000000 -0400
401 +++ linux-2.6.38.1-new/arch/arm/mach-msm/last_radio_log.c 2011-03-21 18:31:35.000000000 -0400
402 @@ -47,7 +47,7 @@ static ssize_t last_radio_log_read(struc
406 -static struct file_operations last_radio_log_fops = {
407 +static struct file_operations last_radio_log_fops = { /* cannot be const, see msm_init_last_radio_log */
408 .read = last_radio_log_read,
409 .llseek = default_llseek,
411 diff -urNp linux-2.6.38.1/arch/arm/mach-ux500/mbox-db5500.c linux-2.6.38.1-new/arch/arm/mach-ux500/mbox-db5500.c
412 --- linux-2.6.38.1/arch/arm/mach-ux500/mbox-db5500.c 2011-03-14 21:20:32.000000000 -0400
413 +++ linux-2.6.38.1-new/arch/arm/mach-ux500/mbox-db5500.c 2011-03-21 18:31:35.000000000 -0400
414 @@ -168,7 +168,7 @@ static ssize_t mbox_read_fifo(struct dev
415 return sprintf(buf, "0x%X\n", mbox_value);
418 -static DEVICE_ATTR(fifo, S_IWUGO | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
419 +static DEVICE_ATTR(fifo, S_IWUSR | S_IRUGO, mbox_read_fifo, mbox_write_fifo);
421 static int mbox_show(struct seq_file *s, void *data)
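Review bot: The change closes the world-writable sysfs attribute, but the read side stays `S_IRUGO`, so any local user can still read the mailbox FIFO value through sysfs; whether that is acceptable depends on what the FIFO carries, which is not visible here. If the value is not meant for unprivileged users, `S_IWUSR | S_IRUSR` would close that as well.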
423 diff -urNp linux-2.6.38.1/arch/arm/mm/fault.c linux-2.6.38.1-new/arch/arm/mm/fault.c
424 --- linux-2.6.38.1/arch/arm/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
425 +++ linux-2.6.38.1-new/arch/arm/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
426 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
430 +#ifdef CONFIG_PAX_PAGEEXEC
431 + if (fsr & FSR_LNX_PF) {
432 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
433 + do_group_exit(SIGKILL);
437 tsk->thread.address = addr;
438 tsk->thread.error_code = fsr;
439 tsk->thread.trap_no = 14;
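Review bot: The kill at `if (fsr & FSR_LNX_PF)` does not check the task's `MF_PAX_PAGEEXEC` flag, unlike the alpha and avr32 handlers in this same patch, so under CONFIG_PAX_PAGEEXEC every user prefetch abort that reaches `__do_user_fault` is reported and killed with SIGKILL even for a task that has PAGEEXEC disabled, unless the flag is implied on ARM by some other means. I would gate it the same way: `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`, assuming `tsk->mm` is the faulting mm here; if the omission is deliberate, a comment saying why would help. __do_user_fault continues outside the hunk.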
440 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
442 #endif /* CONFIG_MMU */
444 +#ifdef CONFIG_PAX_PAGEEXEC
445 +void pax_report_insns(void *pc, void *sp)
449 + printk(KERN_ERR "PAX: bytes at PC: ");
450 + for (i = 0; i < 20; i++) {
452 + if (get_user(c, (__force unsigned char __user *)pc+i))
453 + printk(KERN_CONT "?? ");
455 + printk(KERN_CONT "%02x ", c);
459 + printk(KERN_ERR "PAX: bytes at SP-4: ");
460 + for (i = -1; i < 20; i++) {
462 + if (get_user(c, (__force unsigned long __user *)sp+i))
463 + printk(KERN_CONT "???????? ");
465 + printk(KERN_CONT "%08lx ", c);
472 * First Level Translation Fault Handler
474 diff -urNp linux-2.6.38.1/arch/arm/mm/mmap.c linux-2.6.38.1-new/arch/arm/mm/mmap.c
475 --- linux-2.6.38.1/arch/arm/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
476 +++ linux-2.6.38.1-new/arch/arm/mm/mmap.c 2011-03-21 18:31:35.000000000 -0400
477 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
481 +#ifdef CONFIG_PAX_RANDMMAP
482 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
487 addr = COLOUR_ALIGN(addr, pgoff);
488 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
489 addr = PAGE_ALIGN(addr);
491 vma = find_vma(mm, addr);
492 - if (TASK_SIZE - len >= addr &&
493 - (!vma || addr + len <= vma->vm_start))
494 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
497 if (len > mm->cached_hole_size) {
498 - start_addr = addr = mm->free_area_cache;
499 + start_addr = addr = mm->free_area_cache;
501 - start_addr = addr = TASK_UNMAPPED_BASE;
502 - mm->cached_hole_size = 0;
503 + start_addr = addr = mm->mmap_base;
504 + mm->cached_hole_size = 0;
506 /* 8 bits of randomness in 20 address space bits */
507 if (current->flags & PF_RANDOMIZE)
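Review bot: The stock per-call randomization at `if (current->flags & PF_RANDOMIZE)` is kept and now starts from `mm->mmap_base`, which is presumably already randomized when MF_PAX_RANDMMAP is set, so two independent sources of randomness are applied to the same search start; if that is intended, a comment saying so would help, otherwise the PF_RANDOMIZE branch could be skipped when RANDMMAP is active. The two `start_addr = addr = mm->free_area_cache;` lines differ only in whitespace, which adds noise to the diff. arch_get_unmapped_area continues outside this hunk in both directions.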
508 @@ -98,14 +101,14 @@ full_search:
509 * Start a new search - just in case we missed
512 - if (start_addr != TASK_UNMAPPED_BASE) {
513 - start_addr = addr = TASK_UNMAPPED_BASE;
514 + if (start_addr != mm->mmap_base) {
515 + start_addr = addr = mm->mmap_base;
516 mm->cached_hole_size = 0;
521 - if (!vma || addr + len <= vma->vm_start) {
522 + if (check_heap_stack_gap(vma, addr, len)) {
524 * Remember the place where we stopped the search:
526 diff -urNp linux-2.6.38.1/arch/avr32/include/asm/elf.h linux-2.6.38.1-new/arch/avr32/include/asm/elf.h
527 --- linux-2.6.38.1/arch/avr32/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
528 +++ linux-2.6.38.1-new/arch/avr32/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
529 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
530 the loader. We need to make sure that it is out of the way of the program
531 that it will "exec", and that there is sufficient room for the brk. */
533 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
534 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
536 +#ifdef CONFIG_PAX_ASLR
537 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
539 +#define PAX_DELTA_MMAP_LEN 15
540 +#define PAX_DELTA_STACK_LEN 15
543 /* This yields a mask that user programs can use to figure out what
544 instruction set this CPU supports. This could be done in user space,
545 diff -urNp linux-2.6.38.1/arch/avr32/include/asm/kmap_types.h linux-2.6.38.1-new/arch/avr32/include/asm/kmap_types.h
546 --- linux-2.6.38.1/arch/avr32/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
547 +++ linux-2.6.38.1-new/arch/avr32/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
548 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
558 diff -urNp linux-2.6.38.1/arch/avr32/mm/fault.c linux-2.6.38.1-new/arch/avr32/mm/fault.c
559 --- linux-2.6.38.1/arch/avr32/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
560 +++ linux-2.6.38.1-new/arch/avr32/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
561 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
563 int exception_trace = 1;
565 +#ifdef CONFIG_PAX_PAGEEXEC
566 +void pax_report_insns(void *pc, void *sp)
570 + printk(KERN_ERR "PAX: bytes at PC: ");
571 + for (i = 0; i < 20; i++) {
573 + if (get_user(c, (unsigned char *)pc+i))
574 + printk(KERN_CONT "???????? ");
576 + printk(KERN_CONT "%02x ", c);
583 * This routine handles page faults. It determines the address and the
584 * problem, and then passes it off to one of the appropriate routines.
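Review bot: The placeholder printed when the read fails, `printk(KERN_CONT "???????? ")`, is eight characters wide while a successful read prints one byte with `%02x`, so a dump containing an unreadable byte misaligns; the ARM variant in this patch prints `"?? "`. I would change it to `printk(KERN_CONT "?? ");`. The `(unsigned char *)pc+i` cast also lacks `__user`, which sparse will flag; `(__force unsigned char __user *)pc + i` as in the ARM version keeps the two consistent.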
585 @@ -156,6 +173,16 @@ bad_area:
586 up_read(&mm->mmap_sem);
588 if (user_mode(regs)) {
590 +#ifdef CONFIG_PAX_PAGEEXEC
591 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
592 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
593 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
594 + do_group_exit(SIGKILL);
599 if (exception_trace && printk_ratelimit())
600 printk("%s%s[%d]: segfault at %08lx pc %08lx "
601 "sp %08lx ecr %lu\n",
602 diff -urNp linux-2.6.38.1/arch/blackfin/kernel/kgdb.c linux-2.6.38.1-new/arch/blackfin/kernel/kgdb.c
603 --- linux-2.6.38.1/arch/blackfin/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
604 +++ linux-2.6.38.1-new/arch/blackfin/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
605 @@ -420,7 +420,7 @@ int kgdb_arch_handle_exception(int vecto
606 return -1; /* this means that we do not want to exit from the handler */
609 -struct kgdb_arch arch_kgdb_ops = {
610 +const struct kgdb_arch arch_kgdb_ops = {
611 .gdb_bpt_instr = {0xa1},
613 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
614 diff -urNp linux-2.6.38.1/arch/blackfin/mm/maccess.c linux-2.6.38.1-new/arch/blackfin/mm/maccess.c
615 --- linux-2.6.38.1/arch/blackfin/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
616 +++ linux-2.6.38.1-new/arch/blackfin/mm/maccess.c 2011-03-21 18:31:35.000000000 -0400
617 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
618 return bfin_mem_access_type(addr, size);
621 -long probe_kernel_read(void *dst, void *src, size_t size)
622 +long probe_kernel_read(void *dst, const void *src, size_t size)
624 unsigned long lsrc = (unsigned long)src;
626 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
630 -long probe_kernel_write(void *dst, void *src, size_t size)
631 +long probe_kernel_write(void *dst, const void *src, size_t size)
633 unsigned long ldst = (unsigned long)dst;
635 diff -urNp linux-2.6.38.1/arch/frv/include/asm/kmap_types.h linux-2.6.38.1-new/arch/frv/include/asm/kmap_types.h
636 --- linux-2.6.38.1/arch/frv/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
637 +++ linux-2.6.38.1-new/arch/frv/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
638 @@ -23,6 +23,7 @@ enum km_type {
646 diff -urNp linux-2.6.38.1/arch/frv/mm/elf-fdpic.c linux-2.6.38.1-new/arch/frv/mm/elf-fdpic.c
647 --- linux-2.6.38.1/arch/frv/mm/elf-fdpic.c 2011-03-14 21:20:32.000000000 -0400
648 +++ linux-2.6.38.1-new/arch/frv/mm/elf-fdpic.c 2011-03-21 18:31:35.000000000 -0400
649 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
651 addr = PAGE_ALIGN(addr);
652 vma = find_vma(current->mm, addr);
653 - if (TASK_SIZE - len >= addr &&
654 - (!vma || addr + len <= vma->vm_start))
655 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
659 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
660 for (; vma; vma = vma->vm_next) {
663 - if (addr + len <= vma->vm_start)
664 + if (check_heap_stack_gap(vma, addr, len))
668 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
669 for (; vma; vma = vma->vm_next) {
672 - if (addr + len <= vma->vm_start)
673 + if (check_heap_stack_gap(vma, addr, len))
677 diff -urNp linux-2.6.38.1/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.38.1-new/arch/ia64/hp/common/hwsw_iommu.c
678 --- linux-2.6.38.1/arch/ia64/hp/common/hwsw_iommu.c 2011-03-14 21:20:32.000000000 -0400
679 +++ linux-2.6.38.1-new/arch/ia64/hp/common/hwsw_iommu.c 2011-03-21 18:31:35.000000000 -0400
681 #include <linux/swiotlb.h>
682 #include <asm/machvec.h>
684 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
685 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
687 /* swiotlb declarations & definitions: */
688 extern int swiotlb_late_init_with_default_size (size_t size);
689 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
690 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
693 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
694 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
696 if (use_swiotlb(dev))
697 return &swiotlb_dma_ops;
698 diff -urNp linux-2.6.38.1/arch/ia64/hp/common/sba_iommu.c linux-2.6.38.1-new/arch/ia64/hp/common/sba_iommu.c
699 --- linux-2.6.38.1/arch/ia64/hp/common/sba_iommu.c 2011-03-14 21:20:32.000000000 -0400
700 +++ linux-2.6.38.1-new/arch/ia64/hp/common/sba_iommu.c 2011-03-21 18:31:35.000000000 -0400
701 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
705 -extern struct dma_map_ops swiotlb_dma_ops;
706 +extern const struct dma_map_ops swiotlb_dma_ops;
710 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
712 __setup("sbapagesize=",sba_page_override);
714 -struct dma_map_ops sba_dma_ops = {
715 +const struct dma_map_ops sba_dma_ops = {
716 .alloc_coherent = sba_alloc_coherent,
717 .free_coherent = sba_free_coherent,
718 .map_page = sba_map_page,
719 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/ia64/include/asm/dma-mapping.h
720 --- linux-2.6.38.1/arch/ia64/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
721 +++ linux-2.6.38.1-new/arch/ia64/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
724 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
726 -extern struct dma_map_ops *dma_ops;
727 +extern const struct dma_map_ops *dma_ops;
728 extern struct ia64_machine_vector ia64_mv;
729 extern void set_iommu_machvec(void);
731 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
732 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
733 dma_addr_t *daddr, gfp_t gfp)
735 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
736 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
739 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
740 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
741 static inline void dma_free_coherent(struct device *dev, size_t size,
742 void *caddr, dma_addr_t daddr)
744 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
745 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
746 debug_dma_free_coherent(dev, size, caddr, daddr);
747 ops->free_coherent(dev, size, caddr, daddr);
749 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
751 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
753 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
754 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
755 return ops->mapping_error(dev, daddr);
758 static inline int dma_supported(struct device *dev, u64 mask)
760 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
761 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
762 return ops->dma_supported(dev, mask);
765 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/elf.h linux-2.6.38.1-new/arch/ia64/include/asm/elf.h
766 --- linux-2.6.38.1/arch/ia64/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
767 +++ linux-2.6.38.1-new/arch/ia64/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
770 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
772 +#ifdef CONFIG_PAX_ASLR
773 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
775 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
776 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
779 #define PT_IA_64_UNWIND 0x70000001
781 /* IA-64 relocations: */
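Review bot: Same concern as the ARM ELF header in this patch: `current->personality == PER_LINUX32` is an exact match on the whole personality word, so a 32-bit task with any additional personality flag set silently gets the 64-bit base and entropy lengths. Since `PER_LINUX32` is a value within `PER_MASK`, the robust comparison is `personality(current->personality) == PER_LINUX32` (the `personality()` macro from linux/personality.h, if it is in scope here), applied to all three macros.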
782 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/machvec.h linux-2.6.38.1-new/arch/ia64/include/asm/machvec.h
783 --- linux-2.6.38.1/arch/ia64/include/asm/machvec.h 2011-03-14 21:20:32.000000000 -0400
784 +++ linux-2.6.38.1-new/arch/ia64/include/asm/machvec.h 2011-03-21 18:31:35.000000000 -0400
785 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
786 /* DMA-mapping interface: */
787 typedef void ia64_mv_dma_init (void);
788 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
789 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
790 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
793 * WARNING: The legacy I/O space is _architected_. Platforms are
794 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
795 # endif /* CONFIG_IA64_GENERIC */
797 extern void swiotlb_dma_init(void);
798 -extern struct dma_map_ops *dma_get_ops(struct device *);
799 +extern const struct dma_map_ops *dma_get_ops(struct device *);
802 * Define default versions so we can extend machvec for new platforms without having
803 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/pgtable.h linux-2.6.38.1-new/arch/ia64/include/asm/pgtable.h
804 --- linux-2.6.38.1/arch/ia64/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
805 +++ linux-2.6.38.1-new/arch/ia64/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
807 * David Mosberger-Tang <davidm@hpl.hp.com>
811 +#include <linux/const.h>
812 #include <asm/mman.h>
813 #include <asm/page.h>
814 #include <asm/processor.h>
816 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
817 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
818 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
820 +#ifdef CONFIG_PAX_PAGEEXEC
821 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
822 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
823 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
825 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
826 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
827 +# define PAGE_COPY_NOEXEC PAGE_COPY
830 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
831 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
832 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
833 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/spinlock.h linux-2.6.38.1-new/arch/ia64/include/asm/spinlock.h
834 --- linux-2.6.38.1/arch/ia64/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
835 +++ linux-2.6.38.1-new/arch/ia64/include/asm/spinlock.h 2011-03-21 18:31:35.000000000 -0400
836 @@ -72,7 +72,7 @@ static __always_inline void __ticket_spi
837 unsigned short *p = (unsigned short *)&lock->lock + 1, tmp;
839 asm volatile ("ld2.bias %0=[%1]" : "=r"(tmp) : "r"(p));
840 - ACCESS_ONCE(*p) = (tmp + 2) & ~1;
841 + ACCESS_ONCE_RW(*p) = (tmp + 2) & ~1;
844 static __always_inline void __ticket_spin_unlock_wait(arch_spinlock_t *lock)
845 diff -urNp linux-2.6.38.1/arch/ia64/include/asm/uaccess.h linux-2.6.38.1-new/arch/ia64/include/asm/uaccess.h
846 --- linux-2.6.38.1/arch/ia64/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
847 +++ linux-2.6.38.1-new/arch/ia64/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
848 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
849 const void *__cu_from = (from); \
850 long __cu_len = (n); \
852 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
853 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
854 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
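Review bot: The new guard `__cu_len > 0 && __cu_len <= INT_MAX` gives no hint why INT_MAX is the ceiling, and on rejection the macro hands back the unmodified `__cu_len` (negative or over-large), which callers read as "bytes not copied"; that is the safe outcome, but the intent should be written down. I would add above the check: `/* reject empty, negative and > INT_MAX lengths before __access_ok; presumably __copy_user treats the length as an int -- confirm */`. The macro continues outside the hunk, and the next hunk adds the same guard in the other direction.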
857 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
858 long __cu_len = (n); \
860 __chk_user_ptr(__cu_from); \
861 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
862 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
863 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
866 diff -urNp linux-2.6.38.1/arch/ia64/kernel/dma-mapping.c linux-2.6.38.1-new/arch/ia64/kernel/dma-mapping.c
867 --- linux-2.6.38.1/arch/ia64/kernel/dma-mapping.c 2011-03-14 21:20:32.000000000 -0400
868 +++ linux-2.6.38.1-new/arch/ia64/kernel/dma-mapping.c 2011-03-21 18:31:35.000000000 -0400
870 /* Set this to 1 if there is a HW IOMMU in the system */
871 int iommu_detected __read_mostly;
873 -struct dma_map_ops *dma_ops;
874 +const struct dma_map_ops *dma_ops;
875 EXPORT_SYMBOL(dma_ops);
877 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
878 @@ -16,7 +16,7 @@ static int __init dma_init(void)
880 fs_initcall(dma_init);
882 -struct dma_map_ops *dma_get_ops(struct device *dev)
883 +const struct dma_map_ops *dma_get_ops(struct device *dev)
887 diff -urNp linux-2.6.38.1/arch/ia64/kernel/module.c linux-2.6.38.1-new/arch/ia64/kernel/module.c
888 --- linux-2.6.38.1/arch/ia64/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
889 +++ linux-2.6.38.1-new/arch/ia64/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
890 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
892 module_free (struct module *mod, void *module_region)
894 - if (mod && mod->arch.init_unw_table &&
895 - module_region == mod->module_init) {
896 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
897 unw_remove_unwind_table(mod->arch.init_unw_table);
898 mod->arch.init_unw_table = NULL;
900 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
904 +in_init_rx (const struct module *mod, uint64_t addr)
906 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
910 +in_init_rw (const struct module *mod, uint64_t addr)
912 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
916 in_init (const struct module *mod, uint64_t addr)
918 - return addr - (uint64_t) mod->module_init < mod->init_size;
919 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
923 +in_core_rx (const struct module *mod, uint64_t addr)
925 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
929 +in_core_rw (const struct module *mod, uint64_t addr)
931 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
935 in_core (const struct module *mod, uint64_t addr)
937 - return addr - (uint64_t) mod->module_core < mod->core_size;
938 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
942 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
946 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
947 + if (in_init_rx(mod, val))
948 + val -= (uint64_t) mod->module_init_rx;
949 + else if (in_init_rw(mod, val))
950 + val -= (uint64_t) mod->module_init_rw;
951 + else if (in_core_rx(mod, val))
952 + val -= (uint64_t) mod->module_core_rx;
953 + else if (in_core_rw(mod, val))
954 + val -= (uint64_t) mod->module_core_rw;
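Review bot: The new if/else-if chain in do_reloc has no terminal branch, so a `val` that falls in none of the four regions is now left unadjusted and the relocation proceeds silently, whereas the removed line always subtracted either `module_init` or `module_core`. A final `else` that fails the load is the cheaper outcome than a quietly wrong section-relative value, e.g. `else { printk(KERN_ERR "%s: 0x%lx not inside module %s\n", __func__, val, mod->name); return -ENOEXEC; }`, assuming do_reloc reports errors as a negative errno like the rest of this file (its return convention is outside the hunk). do_reloc itself starts and ends outside the hunk.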
958 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
959 * addresses have been selected...
962 - if (mod->core_size > MAX_LTOFF)
963 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
965 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
966 * at the end of the module.
968 - gp = mod->core_size - MAX_LTOFF / 2;
969 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
971 - gp = mod->core_size / 2;
972 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
973 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
974 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
976 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
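Review bot: The gp placement still treats the module as one contiguous allocation: `core_size_rx + core_size_rw` is summed and the result is offset from `module_core_rx` alone, yet the rest of this file now carries separate `module_core_rx`/`module_core_rw` bases (see the in_core_rx/in_core_rw helpers in the earlier hunk). Unless the allocator guarantees the RW half sits directly after the RX half, which nothing in this excerpt shows, gp can land in neither region and the `MAX_LTOFF` reachability argument in the retained comment ("SHF_ARCH_SMALL gets allocated at the end of the module") no longer holds for data that presumably lives in the RW half. If the GOT and small-data sections do land in the RW half, as the parisc hunk further down assumes for its `got_offset`, base gp on that half only; apply_relocate_add continues outside the hunk.
```c
	if (mod->core_size_rw > MAX_LTOFF)
		/* SHF_ARCH_SMALL data is allocated at the end of the RW half */
		gp = mod->core_size_rw - MAX_LTOFF / 2;
	else
		gp = mod->core_size_rw / 2;
	gp = (uint64_t) mod->module_core_rw + ((gp + 7) & -8);
	/* … unchanged: DEBUGP and the rest of apply_relocate_add … */
```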
978 diff -urNp linux-2.6.38.1/arch/ia64/kernel/pci-dma.c linux-2.6.38.1-new/arch/ia64/kernel/pci-dma.c
979 --- linux-2.6.38.1/arch/ia64/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
980 +++ linux-2.6.38.1-new/arch/ia64/kernel/pci-dma.c 2011-03-21 18:31:35.000000000 -0400
981 @@ -43,7 +43,7 @@ struct device fallback_dev = {
982 .dma_mask = &fallback_dev.coherent_dma_mask,
985 -extern struct dma_map_ops intel_dma_ops;
986 +extern const struct dma_map_ops intel_dma_ops;
988 static int __init pci_iommu_init(void)
990 diff -urNp linux-2.6.38.1/arch/ia64/kernel/pci-swiotlb.c linux-2.6.38.1-new/arch/ia64/kernel/pci-swiotlb.c
991 --- linux-2.6.38.1/arch/ia64/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
992 +++ linux-2.6.38.1-new/arch/ia64/kernel/pci-swiotlb.c 2011-03-21 18:31:35.000000000 -0400
993 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
994 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
997 -struct dma_map_ops swiotlb_dma_ops = {
998 +const struct dma_map_ops swiotlb_dma_ops = {
999 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1000 .free_coherent = swiotlb_free_coherent,
1001 .map_page = swiotlb_map_page,
1002 diff -urNp linux-2.6.38.1/arch/ia64/kernel/sys_ia64.c linux-2.6.38.1-new/arch/ia64/kernel/sys_ia64.c
1003 --- linux-2.6.38.1/arch/ia64/kernel/sys_ia64.c 2011-03-14 21:20:32.000000000 -0400
1004 +++ linux-2.6.38.1-new/arch/ia64/kernel/sys_ia64.c 2011-03-21 18:31:35.000000000 -0400
1005 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1006 if (REGION_NUMBER(addr) == RGN_HPAGE)
1010 +#ifdef CONFIG_PAX_RANDMMAP
1011 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1012 + addr = mm->free_area_cache;
1017 addr = mm->free_area_cache;
1019 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1020 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1021 /* At this point: (!vma || addr < vma->vm_end). */
1022 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1023 - if (start_addr != TASK_UNMAPPED_BASE) {
1024 + if (start_addr != mm->mmap_base) {
1025 /* Start a new search --- just in case we missed some holes. */
1026 - addr = TASK_UNMAPPED_BASE;
1027 + addr = mm->mmap_base;
1032 - if (!vma || addr + len <= vma->vm_start) {
1033 + if (check_heap_stack_gap(vma, addr, len)) {
1034 /* Remember the address where we stopped this search: */
1035 mm->free_area_cache = addr + len;
1037 diff -urNp linux-2.6.38.1/arch/ia64/kernel/vmlinux.lds.S linux-2.6.38.1-new/arch/ia64/kernel/vmlinux.lds.S
1038 --- linux-2.6.38.1/arch/ia64/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
1039 +++ linux-2.6.38.1-new/arch/ia64/kernel/vmlinux.lds.S 2011-03-21 18:31:35.000000000 -0400
1040 @@ -199,7 +199,7 @@ SECTIONS {
1042 . = ALIGN(PERCPU_PAGE_SIZE);
1043 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1044 - __phys_per_cpu_start = __per_cpu_load;
1045 + __phys_per_cpu_start = per_cpu_load;
1047 * ensure percpu data fits
1048 * into percpu page size
1049 diff -urNp linux-2.6.38.1/arch/ia64/mm/fault.c linux-2.6.38.1-new/arch/ia64/mm/fault.c
1050 --- linux-2.6.38.1/arch/ia64/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1051 +++ linux-2.6.38.1-new/arch/ia64/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
1052 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1053 return pte_present(pte);
1056 +#ifdef CONFIG_PAX_PAGEEXEC
1057 +void pax_report_insns(void *pc, void *sp)
1061 + printk(KERN_ERR "PAX: bytes at PC: ");
1062 + for (i = 0; i < 8; i++) {
1064 + if (get_user(c, (unsigned int *)pc+i))
1065 + printk(KERN_CONT "???????? ");
1067 + printk(KERN_CONT "%08x ", c);
1074 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
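Review bot: In the new `pax_report_insns`, the user address `pc` reaches `get_user` as a plain `unsigned int *` (the cast carries no `__user`), so sparse will flag an address-space mismatch on every call, and the `sp` argument is accepted but never read. Keep the signature, which the mips copy further down shares, and fix it at the use site, `if (get_user(c, (unsigned int __user *)pc + i))`, plus a note at the top such as `/* sp is unused on ia64: only the 8 instruction words at pc are dumped */` so the idle parameter reads as deliberate rather than forgotten. The declaration of `c` and the loop's closing lines are not visible in this rendering of the hunk.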
1076 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1077 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1078 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1080 - if ((vma->vm_flags & mask) != mask)
1081 + if ((vma->vm_flags & mask) != mask) {
1083 +#ifdef CONFIG_PAX_PAGEEXEC
1084 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1085 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1088 + up_read(&mm->mmap_sem);
1089 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1090 + do_group_exit(SIGKILL);
1099 * If for any reason at all we couldn't handle the fault, make
1100 * sure we exit gracefully rather than endlessly redo the
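Review bot: The test `address != regs->cr_iip` decides whether an execute fault is a PAGEEXEC kill or an ordinary SIGSEGV, and it has no comment; the reader must already know that an instruction-fetch fault reports the bundle address in both places (presumably, the ia64 fault semantics are not visible here). Suggest `/* only an instruction fetch at the faulting PC itself is a PAGEEXEC violation; anything else takes the normal bad_area path */` above it. Worth a second line is that the kill path drops `mmap_sem` before `pax_report_fault` and does not return from `do_group_exit`, so the handling that follows is intentionally unreachable on that path; ia64_do_page_fault continues outside the hunk.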
1101 diff -urNp linux-2.6.38.1/arch/ia64/mm/hugetlbpage.c linux-2.6.38.1-new/arch/ia64/mm/hugetlbpage.c
1102 --- linux-2.6.38.1/arch/ia64/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
1103 +++ linux-2.6.38.1-new/arch/ia64/mm/hugetlbpage.c 2011-03-21 18:31:35.000000000 -0400
1104 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1105 /* At this point: (!vmm || addr < vmm->vm_end). */
1106 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1108 - if (!vmm || (addr + len) <= vmm->vm_start)
1109 + if (check_heap_stack_gap(vmm, addr, len))
1111 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1113 diff -urNp linux-2.6.38.1/arch/ia64/mm/init.c linux-2.6.38.1-new/arch/ia64/mm/init.c
1114 --- linux-2.6.38.1/arch/ia64/mm/init.c 2011-03-14 21:20:32.000000000 -0400
1115 +++ linux-2.6.38.1-new/arch/ia64/mm/init.c 2011-03-21 18:31:35.000000000 -0400
1116 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1117 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1118 vma->vm_end = vma->vm_start + PAGE_SIZE;
1119 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1121 +#ifdef CONFIG_PAX_PAGEEXEC
1122 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1123 + vma->vm_flags &= ~VM_EXEC;
1125 +#ifdef CONFIG_PAX_MPROTECT
1126 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1127 + vma->vm_flags &= ~VM_MAYEXEC;
1133 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1134 down_write(¤t->mm->mmap_sem);
1135 if (insert_vm_struct(current->mm, vma)) {
1136 diff -urNp linux-2.6.38.1/arch/ia64/sn/pci/pci_dma.c linux-2.6.38.1-new/arch/ia64/sn/pci/pci_dma.c
1137 --- linux-2.6.38.1/arch/ia64/sn/pci/pci_dma.c 2011-03-14 21:20:32.000000000 -0400
1138 +++ linux-2.6.38.1-new/arch/ia64/sn/pci/pci_dma.c 2011-03-21 18:31:35.000000000 -0400
1139 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1143 -static struct dma_map_ops sn_dma_ops = {
1144 +static const struct dma_map_ops sn_dma_ops = {
1145 .alloc_coherent = sn_dma_alloc_coherent,
1146 .free_coherent = sn_dma_free_coherent,
1147 .map_page = sn_dma_map_page,
1148 diff -urNp linux-2.6.38.1/arch/m32r/lib/usercopy.c linux-2.6.38.1-new/arch/m32r/lib/usercopy.c
1149 --- linux-2.6.38.1/arch/m32r/lib/usercopy.c 2011-03-14 21:20:32.000000000 -0400
1150 +++ linux-2.6.38.1-new/arch/m32r/lib/usercopy.c 2011-03-21 18:31:35.000000000 -0400
1153 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1159 if (access_ok(VERIFY_WRITE, to, n))
1160 __copy_user(to,from,n);
1161 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1163 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1169 if (access_ok(VERIFY_READ, from, n))
1170 __copy_user_zeroing(to,from,n);
1171 diff -urNp linux-2.6.38.1/arch/microblaze/include/asm/device.h linux-2.6.38.1-new/arch/microblaze/include/asm/device.h
1172 --- linux-2.6.38.1/arch/microblaze/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1173 +++ linux-2.6.38.1-new/arch/microblaze/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
1174 @@ -13,7 +13,7 @@ struct device_node;
1176 struct dev_archdata {
1177 /* DMA operations on that device */
1178 - struct dma_map_ops *dma_ops;
1179 + const struct dma_map_ops *dma_ops;
1183 diff -urNp linux-2.6.38.1/arch/microblaze/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/microblaze/include/asm/dma-mapping.h
1184 --- linux-2.6.38.1/arch/microblaze/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1185 +++ linux-2.6.38.1-new/arch/microblaze/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
1186 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1187 return 0xfffffffful;
1190 -extern struct dma_map_ops *dma_ops;
1191 +extern const struct dma_map_ops *dma_ops;
1194 * Available generic sets of operations
1196 -extern struct dma_map_ops dma_direct_ops;
1197 +extern const struct dma_map_ops dma_direct_ops;
1199 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1200 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1202 /* We don't handle the NULL dev case for ISA for now. We could
1203 * do it via an out of line call but it is not needed for now. The
1204 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1205 return dev->archdata.dma_ops;
1208 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1209 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1211 dev->archdata.dma_ops = ops;
1214 static inline int dma_supported(struct device *dev, u64 mask)
1216 - struct dma_map_ops *ops = get_dma_ops(dev);
1217 + const struct dma_map_ops *ops = get_dma_ops(dev);
1221 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1223 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1225 - struct dma_map_ops *ops = get_dma_ops(dev);
1226 + const struct dma_map_ops *ops = get_dma_ops(dev);
1228 if (unlikely(ops == NULL))
1230 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1232 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1234 - struct dma_map_ops *ops = get_dma_ops(dev);
1235 + const struct dma_map_ops *ops = get_dma_ops(dev);
1236 if (ops->mapping_error)
1237 return ops->mapping_error(dev, dma_addr);
1239 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1240 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1241 dma_addr_t *dma_handle, gfp_t flag)
1243 - struct dma_map_ops *ops = get_dma_ops(dev);
1244 + const struct dma_map_ops *ops = get_dma_ops(dev);
1248 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1249 static inline void dma_free_coherent(struct device *dev, size_t size,
1250 void *cpu_addr, dma_addr_t dma_handle)
1252 - struct dma_map_ops *ops = get_dma_ops(dev);
1253 + const struct dma_map_ops *ops = get_dma_ops(dev);
1256 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1257 diff -urNp linux-2.6.38.1/arch/microblaze/include/asm/pci.h linux-2.6.38.1-new/arch/microblaze/include/asm/pci.h
1258 --- linux-2.6.38.1/arch/microblaze/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
1259 +++ linux-2.6.38.1-new/arch/microblaze/include/asm/pci.h 2011-03-21 18:31:35.000000000 -0400
1260 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1264 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1265 -extern struct dma_map_ops *get_pci_dma_ops(void);
1266 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1267 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1268 #else /* CONFIG_PCI */
1269 #define set_pci_dma_ops(d)
1270 #define get_pci_dma_ops() NULL
1271 diff -urNp linux-2.6.38.1/arch/microblaze/kernel/dma.c linux-2.6.38.1-new/arch/microblaze/kernel/dma.c
1272 --- linux-2.6.38.1/arch/microblaze/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
1273 +++ linux-2.6.38.1-new/arch/microblaze/kernel/dma.c 2011-03-21 18:31:35.000000000 -0400
1274 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1275 __dma_sync_page(dma_address, 0 , size, direction);
1278 -struct dma_map_ops dma_direct_ops = {
1279 +const struct dma_map_ops dma_direct_ops = {
1280 .alloc_coherent = dma_direct_alloc_coherent,
1281 .free_coherent = dma_direct_free_coherent,
1282 .map_sg = dma_direct_map_sg,
1283 diff -urNp linux-2.6.38.1/arch/microblaze/kernel/kgdb.c linux-2.6.38.1-new/arch/microblaze/kernel/kgdb.c
1284 --- linux-2.6.38.1/arch/microblaze/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1285 +++ linux-2.6.38.1-new/arch/microblaze/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
1286 @@ -141,10 +141,11 @@ void kgdb_arch_exit(void)
1290 -struct kgdb_arch arch_kgdb_ops = {
1291 +const struct kgdb_arch arch_kgdb_ops = {
1292 #ifdef __MICROBLAZEEL__
1293 .gdb_bpt_instr = {0x18, 0x00, 0x0c, 0xba}, /* brki r16, 0x18 */
1296 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1299 diff -urNp linux-2.6.38.1/arch/microblaze/pci/pci-common.c linux-2.6.38.1-new/arch/microblaze/pci/pci-common.c
1300 --- linux-2.6.38.1/arch/microblaze/pci/pci-common.c 2011-03-14 21:20:32.000000000 -0400
1301 +++ linux-2.6.38.1-new/arch/microblaze/pci/pci-common.c 2011-03-21 18:31:35.000000000 -0400
1302 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1303 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1304 unsigned int pci_flags;
1306 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1307 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1309 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1310 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1312 pci_dma_ops = dma_ops;
1315 -struct dma_map_ops *get_pci_dma_ops(void)
1316 +const struct dma_map_ops *get_pci_dma_ops(void)
1320 diff -urNp linux-2.6.38.1/arch/mips/cavium-octeon/dma-octeon.c linux-2.6.38.1-new/arch/mips/cavium-octeon/dma-octeon.c
1321 --- linux-2.6.38.1/arch/mips/cavium-octeon/dma-octeon.c 2011-03-14 21:20:32.000000000 -0400
1322 +++ linux-2.6.38.1-new/arch/mips/cavium-octeon/dma-octeon.c 2011-03-21 18:31:35.000000000 -0400
1323 @@ -202,7 +202,7 @@ static phys_addr_t octeon_unity_dma_to_p
1326 struct octeon_dma_map_ops {
1327 - struct dma_map_ops dma_map_ops;
1328 + const struct dma_map_ops dma_map_ops;
1329 dma_addr_t (*phys_to_dma)(struct device *dev, phys_addr_t paddr);
1330 phys_addr_t (*dma_to_phys)(struct device *dev, dma_addr_t daddr);
1332 @@ -324,7 +324,7 @@ static struct octeon_dma_map_ops _octeon
1336 -struct dma_map_ops *octeon_pci_dma_map_ops;
1337 +const struct dma_map_ops *octeon_pci_dma_map_ops;
1339 void __init octeon_pci_dma_init(void)
1341 diff -urNp linux-2.6.38.1/arch/mips/include/asm/device.h linux-2.6.38.1-new/arch/mips/include/asm/device.h
1342 --- linux-2.6.38.1/arch/mips/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1343 +++ linux-2.6.38.1-new/arch/mips/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
1344 @@ -10,7 +10,7 @@ struct dma_map_ops;
1346 struct dev_archdata {
1347 /* DMA operations on that device */
1348 - struct dma_map_ops *dma_ops;
1349 + const struct dma_map_ops *dma_ops;
1352 struct pdev_archdata {
1353 diff -urNp linux-2.6.38.1/arch/mips/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/mips/include/asm/dma-mapping.h
1354 --- linux-2.6.38.1/arch/mips/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
1355 +++ linux-2.6.38.1-new/arch/mips/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
1358 #include <dma-coherence.h>
1360 -extern struct dma_map_ops *mips_dma_map_ops;
1361 +extern const struct dma_map_ops *mips_dma_map_ops;
1363 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1364 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1366 if (dev && dev->archdata.dma_ops)
1367 return dev->archdata.dma_ops;
1368 @@ -31,13 +31,13 @@ static inline void dma_mark_clean(void *
1370 static inline int dma_supported(struct device *dev, u64 mask)
1372 - struct dma_map_ops *ops = get_dma_ops(dev);
1373 + const struct dma_map_ops *ops = get_dma_ops(dev);
1374 return ops->dma_supported(dev, mask);
1377 static inline int dma_mapping_error(struct device *dev, u64 mask)
1379 - struct dma_map_ops *ops = get_dma_ops(dev);
1380 + const struct dma_map_ops *ops = get_dma_ops(dev);
1381 return ops->mapping_error(dev, mask);
1384 @@ -59,7 +59,7 @@ static inline void *dma_alloc_coherent(s
1385 dma_addr_t *dma_handle, gfp_t gfp)
1388 - struct dma_map_ops *ops = get_dma_ops(dev);
1389 + const struct dma_map_ops *ops = get_dma_ops(dev);
1391 ret = ops->alloc_coherent(dev, size, dma_handle, gfp);
1393 @@ -71,7 +71,7 @@ static inline void *dma_alloc_coherent(s
1394 static inline void dma_free_coherent(struct device *dev, size_t size,
1395 void *vaddr, dma_addr_t dma_handle)
1397 - struct dma_map_ops *ops = get_dma_ops(dev);
1398 + const struct dma_map_ops *ops = get_dma_ops(dev);
1400 ops->free_coherent(dev, size, vaddr, dma_handle);
1402 diff -urNp linux-2.6.38.1/arch/mips/include/asm/elf.h linux-2.6.38.1-new/arch/mips/include/asm/elf.h
1403 --- linux-2.6.38.1/arch/mips/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1404 +++ linux-2.6.38.1-new/arch/mips/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
1405 @@ -372,13 +372,16 @@ extern const char *__elf_platform;
1406 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1409 +#ifdef CONFIG_PAX_ASLR
1410 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1412 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1413 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1416 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1417 struct linux_binprm;
1418 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
1422 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
1423 -#define arch_randomize_brk arch_randomize_brk
1425 #endif /* _ASM_ELF_H */
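Review bot: Both arms of the new `PAX_ELF_ET_DYN_BASE` ternary evaluate to `0x00400000UL`, so `test_thread_flag(TIF_32BIT_ADDR)` is evaluated for nothing and the reader cannot tell whether a distinct 64-bit base was intended; either collapse it to `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` or supply the 64-bit value. The same no-op ternary is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks below. Separately, this hunk drops the `arch_randomize_brk` declaration (its definition goes in the syscall.c hunk), which switches off brk randomisation for kernels built without CONFIG_PAX_ASLR unless the patch re-provides it elsewhere; that trade-off deserves a sentence in the description.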
1426 diff -urNp linux-2.6.38.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h linux-2.6.38.1-new/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h
1427 --- linux-2.6.38.1/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-03-14 21:20:32.000000000 -0400
1428 +++ linux-2.6.38.1-new/arch/mips/include/asm/mach-cavium-octeon/dma-coherence.h 2011-03-21 18:31:35.000000000 -0400
1429 @@ -66,7 +66,7 @@ dma_addr_t phys_to_dma(struct device *de
1430 phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
1433 -extern struct dma_map_ops *octeon_pci_dma_map_ops;
1434 +extern const struct dma_map_ops *octeon_pci_dma_map_ops;
1435 extern char *octeon_swiotlb;
1437 #endif /* __ASM_MACH_CAVIUM_OCTEON_DMA_COHERENCE_H */
1438 diff -urNp linux-2.6.38.1/arch/mips/include/asm/page.h linux-2.6.38.1-new/arch/mips/include/asm/page.h
1439 --- linux-2.6.38.1/arch/mips/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
1440 +++ linux-2.6.38.1-new/arch/mips/include/asm/page.h 2011-03-21 18:31:35.000000000 -0400
1441 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1442 #ifdef CONFIG_CPU_MIPS32
1443 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1444 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1445 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1446 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1448 typedef struct { unsigned long long pte; } pte_t;
1449 #define pte_val(x) ((x).pte)
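Review bot: Dropping the `(unsigned long long)` cast in `__pte(x)` makes `(x) >> 32` undefined, and a gcc "shift count >= width of type" warning, whenever a caller passes a 32-bit `unsigned long`, which is the type of `pte_low` two lines above; with the cast the expression was always well-defined and the high half simply came out zero. If the intent is to catch callers that pass a truncated value, make that explicit with a `BUILD_BUG_ON(sizeof(x) < 8)` inside the statement expression; otherwise restore the cast, `#define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })`.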
1450 diff -urNp linux-2.6.38.1/arch/mips/include/asm/system.h linux-2.6.38.1-new/arch/mips/include/asm/system.h
1451 --- linux-2.6.38.1/arch/mips/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
1452 +++ linux-2.6.38.1-new/arch/mips/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
1454 #include <asm/dsp.h>
1455 #include <asm/watch.h>
1456 #include <asm/war.h>
1457 +#include <asm/asm.h>
1461 @@ -230,6 +231,6 @@ extern void per_cpu_trap_init(void);
1463 #define __ARCH_WANT_UNLOCKED_CTXSW
1465 -extern unsigned long arch_align_stack(unsigned long sp);
1466 +#define arch_align_stack(x) ((x) & ALMASK)
1468 #endif /* _ASM_SYSTEM_H */
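Review bot: Replacing `arch_align_stack()` with `((x) & ALMASK)` removes the per-exec stack-top randomisation the deleted process.c implementation below provided (`sp -= get_random_int() & ~PAGE_MASK` under `randomize_va_space`), and nothing in this hunk conditions that on CONFIG_PAX, so a kernel built without PaX's own stack randomisation (PAX_DELTA_STACK_LEN, applied elsewhere in the patch) is left with a fixed stack top. If that is intended, say so next to the macro, `/* no randomisation here: PaX randomises the stack base via PAX_DELTA_STACK_LEN */`, and note the regression for !CONFIG_PAX builds in the description. `ALMASK` comes from the `<asm/asm.h>` include added in the preceding hunk, so the two hunks must land together.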
1469 diff -urNp linux-2.6.38.1/arch/mips/kernel/binfmt_elfn32.c linux-2.6.38.1-new/arch/mips/kernel/binfmt_elfn32.c
1470 --- linux-2.6.38.1/arch/mips/kernel/binfmt_elfn32.c 2011-03-14 21:20:32.000000000 -0400
1471 +++ linux-2.6.38.1-new/arch/mips/kernel/binfmt_elfn32.c 2011-03-21 18:31:35.000000000 -0400
1472 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1473 #undef ELF_ET_DYN_BASE
1474 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1476 +#ifdef CONFIG_PAX_ASLR
1477 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1479 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1480 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1483 #include <asm/processor.h>
1484 #include <linux/module.h>
1485 #include <linux/elfcore.h>
1486 diff -urNp linux-2.6.38.1/arch/mips/kernel/binfmt_elfo32.c linux-2.6.38.1-new/arch/mips/kernel/binfmt_elfo32.c
1487 --- linux-2.6.38.1/arch/mips/kernel/binfmt_elfo32.c 2011-03-14 21:20:32.000000000 -0400
1488 +++ linux-2.6.38.1-new/arch/mips/kernel/binfmt_elfo32.c 2011-03-21 18:31:35.000000000 -0400
1489 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1490 #undef ELF_ET_DYN_BASE
1491 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1493 +#ifdef CONFIG_PAX_ASLR
1494 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1496 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1497 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1500 #include <asm/processor.h>
1503 diff -urNp linux-2.6.38.1/arch/mips/kernel/kgdb.c linux-2.6.38.1-new/arch/mips/kernel/kgdb.c
1504 --- linux-2.6.38.1/arch/mips/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
1505 +++ linux-2.6.38.1-new/arch/mips/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
1506 @@ -351,7 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1510 -struct kgdb_arch arch_kgdb_ops;
1511 +struct kgdb_arch arch_kgdb_ops; /* cannot be const, see kgdb_arch_init */
1514 * We use kgdb_early_setup so that functions we need to call now don't
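Review bot: `arch_kgdb_ops` is deliberately left non-`const` here, while the microblaze hunk earlier in this diff defines the same object as `const struct kgdb_arch`; both are definitions for the single `extern` declaration in include/linux/kgdb.h (not in this excerpt), and C requires the qualifiers of all declarations of one object to agree, so whichever way that header goes one architecture will fail with a conflicting-type error unless the header special-cases it. The comment also stops short of saying what is written; `/* cannot be const: kgdb_arch_init() writes to it at runtime */` plus the member it fills in (gdb_bpt_instr, if that is what kgdb_arch_init does, it is outside the hunk) would make the exception self-explaining.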
1515 diff -urNp linux-2.6.38.1/arch/mips/kernel/process.c linux-2.6.38.1-new/arch/mips/kernel/process.c
1516 --- linux-2.6.38.1/arch/mips/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
1517 +++ linux-2.6.38.1-new/arch/mips/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
1518 @@ -473,15 +473,3 @@ unsigned long get_wchan(struct task_stru
1524 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1525 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1527 -unsigned long arch_align_stack(unsigned long sp)
1529 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1530 - sp -= get_random_int() & ~PAGE_MASK;
1532 - return sp & ALMASK;
1534 diff -urNp linux-2.6.38.1/arch/mips/kernel/syscall.c linux-2.6.38.1-new/arch/mips/kernel/syscall.c
1535 --- linux-2.6.38.1/arch/mips/kernel/syscall.c 2011-03-14 21:20:32.000000000 -0400
1536 +++ linux-2.6.38.1-new/arch/mips/kernel/syscall.c 2011-03-21 18:31:35.000000000 -0400
1537 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1539 if (filp || (flags & MAP_SHARED))
1542 +#ifdef CONFIG_PAX_RANDMMAP
1543 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1548 addr = COLOUR_ALIGN(addr, pgoff);
1550 addr = PAGE_ALIGN(addr);
1551 vmm = find_vma(current->mm, addr);
1552 - if (task_size - len >= addr &&
1553 - (!vmm || addr + len <= vmm->vm_start))
1554 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1557 addr = current->mm->mmap_base;
1558 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1559 /* At this point: (!vmm || addr < vmm->vm_end). */
1560 if (task_size - len < addr)
1562 - if (!vmm || addr + len <= vmm->vm_start)
1563 + if (check_heap_stack_gap(vmm, addr, len))
1567 @@ -168,19 +172,6 @@ static inline unsigned long brk_rnd(void
1571 -unsigned long arch_randomize_brk(struct mm_struct *mm)
1573 - unsigned long base = mm->brk;
1574 - unsigned long ret;
1576 - ret = PAGE_ALIGN(base + brk_rnd());
1578 - if (ret < mm->brk)
1584 SYSCALL_DEFINE6(mips_mmap, unsigned long, addr, unsigned long, len,
1585 unsigned long, prot, unsigned long, flags, unsigned long,
1587 diff -urNp linux-2.6.38.1/arch/mips/mm/dma-default.c linux-2.6.38.1-new/arch/mips/mm/dma-default.c
1588 --- linux-2.6.38.1/arch/mips/mm/dma-default.c 2011-03-14 21:20:32.000000000 -0400
1589 +++ linux-2.6.38.1-new/arch/mips/mm/dma-default.c 2011-03-21 18:31:35.000000000 -0400
1590 @@ -300,7 +300,7 @@ void dma_cache_sync(struct device *dev,
1592 EXPORT_SYMBOL(dma_cache_sync);
1594 -static struct dma_map_ops mips_default_dma_map_ops = {
1595 +static const struct dma_map_ops mips_default_dma_map_ops = {
1596 .alloc_coherent = mips_dma_alloc_coherent,
1597 .free_coherent = mips_dma_free_coherent,
1598 .map_page = mips_dma_map_page,
1599 @@ -315,7 +315,7 @@ static struct dma_map_ops mips_default_d
1600 .dma_supported = mips_dma_supported
1603 -struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1604 +const struct dma_map_ops *mips_dma_map_ops = &mips_default_dma_map_ops;
1605 EXPORT_SYMBOL(mips_dma_map_ops);
1607 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
1608 diff -urNp linux-2.6.38.1/arch/mips/mm/fault.c linux-2.6.38.1-new/arch/mips/mm/fault.c
1609 --- linux-2.6.38.1/arch/mips/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1610 +++ linux-2.6.38.1-new/arch/mips/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
1612 #include <asm/highmem.h> /* For VMALLOC_END */
1613 #include <linux/kdebug.h>
1615 +#ifdef CONFIG_PAX_PAGEEXEC
1616 +void pax_report_insns(void *pc, void *sp)
1620 + printk(KERN_ERR "PAX: bytes at PC: ");
1621 + for (i = 0; i < 5; i++) {
1623 + if (get_user(c, (unsigned int *)pc+i))
1624 + printk(KERN_CONT "???????? ");
1626 + printk(KERN_CONT "%08x ", c);
1633 * This routine handles page faults. It determines the address,
1634 * and the problem, and then passes it off to one of the appropriate
1635 diff -urNp linux-2.6.38.1/arch/parisc/include/asm/elf.h linux-2.6.38.1-new/arch/parisc/include/asm/elf.h
1636 --- linux-2.6.38.1/arch/parisc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
1637 +++ linux-2.6.38.1-new/arch/parisc/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
1638 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1640 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1642 +#ifdef CONFIG_PAX_ASLR
1643 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1645 +#define PAX_DELTA_MMAP_LEN 16
1646 +#define PAX_DELTA_STACK_LEN 16
1649 /* This yields a mask that user programs can use to figure out what
1650 instruction set this CPU supports. This could be done in user space,
1651 but it's not easy, and we've already done it here. */
1652 diff -urNp linux-2.6.38.1/arch/parisc/include/asm/pgtable.h linux-2.6.38.1-new/arch/parisc/include/asm/pgtable.h
1653 --- linux-2.6.38.1/arch/parisc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
1654 +++ linux-2.6.38.1-new/arch/parisc/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
1655 @@ -209,6 +209,17 @@ struct vm_area_struct;
1656 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1657 #define PAGE_COPY PAGE_EXECREAD
1658 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1660 +#ifdef CONFIG_PAX_PAGEEXEC
1661 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1662 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1663 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1665 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1666 +# define PAGE_COPY_NOEXEC PAGE_COPY
1667 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1670 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1671 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1672 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1673 diff -urNp linux-2.6.38.1/arch/parisc/kernel/module.c linux-2.6.38.1-new/arch/parisc/kernel/module.c
1674 --- linux-2.6.38.1/arch/parisc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
1675 +++ linux-2.6.38.1-new/arch/parisc/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
1678 /* three functions to determine where in the module core
1679 * or init pieces the location is */
1680 +static inline int in_init_rx(struct module *me, void *loc)
1682 + return (loc >= me->module_init_rx &&
1683 + loc < (me->module_init_rx + me->init_size_rx));
1686 +static inline int in_init_rw(struct module *me, void *loc)
1688 + return (loc >= me->module_init_rw &&
1689 + loc < (me->module_init_rw + me->init_size_rw));
1692 static inline int in_init(struct module *me, void *loc)
1694 - return (loc >= me->module_init &&
1695 - loc <= (me->module_init + me->init_size));
1696 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1699 +static inline int in_core_rx(struct module *me, void *loc)
1701 + return (loc >= me->module_core_rx &&
1702 + loc < (me->module_core_rx + me->core_size_rx));
1705 +static inline int in_core_rw(struct module *me, void *loc)
1707 + return (loc >= me->module_core_rw &&
1708 + loc < (me->module_core_rw + me->core_size_rw));
1711 static inline int in_core(struct module *me, void *loc)
1713 - return (loc >= me->module_core &&
1714 - loc <= (me->module_core + me->core_size));
1715 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1718 static inline int in_local(struct module *me, void *loc)
1719 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1722 /* align things a bit */
1723 - me->core_size = ALIGN(me->core_size, 16);
1724 - me->arch.got_offset = me->core_size;
1725 - me->core_size += gots * sizeof(struct got_entry);
1727 - me->core_size = ALIGN(me->core_size, 16);
1728 - me->arch.fdesc_offset = me->core_size;
1729 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1730 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1731 + me->arch.got_offset = me->core_size_rw;
1732 + me->core_size_rw += gots * sizeof(struct got_entry);
1734 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1735 + me->arch.fdesc_offset = me->core_size_rw;
1736 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1738 me->arch.got_max = gots;
1739 me->arch.fdesc_max = fdescs;
1740 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1744 - got = me->module_core + me->arch.got_offset;
1745 + got = me->module_core_rw + me->arch.got_offset;
1746 for (i = 0; got[i].addr; i++)
1747 if (got[i].addr == value)
1749 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1751 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1753 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1754 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1757 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1758 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1760 /* Create new one */
1761 fdesc->addr = value;
1762 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1763 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1764 return (Elf_Addr)fdesc;
1766 #endif /* CONFIG_64BIT */
1767 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1769 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1770 end = table + sechdrs[me->arch.unwind_section].sh_size;
1771 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1772 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1774 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1775 me->arch.unwind_section, table, end, gp);
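Review bot: The new range helpers in_init_rx/in_init_rw/in_core_rx/in_core_rw use an exclusive upper bound (`loc < (me->module_init_rx + me->init_size_rx)`) where the in_init/in_core bodies they replace used `<=`; that is the right bound (base + size is the first byte past the region), but the commit fixes the off-by-one silently and a reader diffing against upstream will wonder whether it was intended. Suggest a comment above in_init_rx such as `/* Region bounds are exclusive: base + size is the first byte past the region. */`. The four helpers are identical apart from the fields they read, so a single `static inline int in_region(void *loc, void *base, unsigned int size)` would make that explicit; field types should be confirmed against the patched struct module, which is not on this page.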
1776 diff -urNp linux-2.6.38.1/arch/parisc/kernel/sys_parisc.c linux-2.6.38.1-new/arch/parisc/kernel/sys_parisc.c
1777 --- linux-2.6.38.1/arch/parisc/kernel/sys_parisc.c 2011-03-14 21:20:32.000000000 -0400
1778 +++ linux-2.6.38.1-new/arch/parisc/kernel/sys_parisc.c 2011-03-21 18:31:35.000000000 -0400
1779 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1780 /* At this point: (!vma || addr < vma->vm_end). */
1781 if (TASK_SIZE - len < addr)
1783 - if (!vma || addr + len <= vma->vm_start)
1784 + if (check_heap_stack_gap(vma, addr, len))
1788 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1789 /* At this point: (!vma || addr < vma->vm_end). */
1790 if (TASK_SIZE - len < addr)
1792 - if (!vma || addr + len <= vma->vm_start)
1793 + if (check_heap_stack_gap(vma, addr, len))
1795 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1796 if (addr < vma->vm_end) /* handle wraparound */
1797 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1798 if (flags & MAP_FIXED)
1801 - addr = TASK_UNMAPPED_BASE;
1802 + addr = current->mm->mmap_base;
1805 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
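Review bot: The replacement condition `if (check_heap_stack_gap(vma, addr, len))` in get_unshared_area and get_shared_area relies on the helper returning true for a NULL vma, because the old test `!vma || addr + len <= vma->vm_start` was what ended the search and the next line, `addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;`, dereferences vma. check_heap_stack_gap is defined elsewhere in the patch, so that contract cannot be verified here; a comment at the first call, `/* check_heap_stack_gap() is true for !vma, which ends the search */`, would record it. The third hunk's switch from TASK_UNMAPPED_BASE to `current->mm->mmap_base` presumably pairs with a randomized mmap_base set up elsewhere; arch_get_unmapped_area's body continues outside the hunk.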
1806 diff -urNp linux-2.6.38.1/arch/parisc/kernel/traps.c linux-2.6.38.1-new/arch/parisc/kernel/traps.c
1807 --- linux-2.6.38.1/arch/parisc/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
1808 +++ linux-2.6.38.1-new/arch/parisc/kernel/traps.c 2011-03-21 18:31:35.000000000 -0400
1809 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1811 down_read(¤t->mm->mmap_sem);
1812 vma = find_vma(current->mm,regs->iaoq[0]);
1813 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1814 - && (vma->vm_flags & VM_EXEC)) {
1816 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1817 fault_address = regs->iaoq[0];
1818 fault_space = regs->iasq[0];
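Review bot: Dropping `(vma->vm_flags & VM_EXEC)` from the condition changes which instruction-fetch faults handle_interruption reports with fault_address/fault_space set: a fetch from a mapped but non-executable vma now takes the same path as one from an executable vma, presumably so that the page-fault code (and PAGEEXEC in arch/parisc/mm/fault.c on this page) decides what to do with it. The hunk gives no reason; suggest `/* PaX: fetches from non-executable mappings are reported as page faults so do_page_fault() can handle them (PAGEEXEC) */` above the `if`. handle_interruption's body continues outside the hunk, so the branch that previously took these faults is not visible here.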
1820 diff -urNp linux-2.6.38.1/arch/parisc/mm/fault.c linux-2.6.38.1-new/arch/parisc/mm/fault.c
1821 --- linux-2.6.38.1/arch/parisc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
1822 +++ linux-2.6.38.1-new/arch/parisc/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
1824 #include <linux/sched.h>
1825 #include <linux/interrupt.h>
1826 #include <linux/module.h>
1827 +#include <linux/unistd.h>
1829 #include <asm/uaccess.h>
1830 #include <asm/traps.h>
1831 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1832 static unsigned long
1833 parisc_acctyp(unsigned long code, unsigned int inst)
1835 - if (code == 6 || code == 16)
1836 + if (code == 6 || code == 7 || code == 16)
1839 switch (inst & 0xf0000000) {
1840 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1844 +#ifdef CONFIG_PAX_PAGEEXEC
1846 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1848 + * returns 1 when task should be killed
1849 + * 2 when rt_sigreturn trampoline was detected
1850 + * 3 when unpatched PLT trampoline was detected
1852 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1855 +#ifdef CONFIG_PAX_EMUPLT
1858 + do { /* PaX: unpatched PLT emulation */
1859 + unsigned int bl, depwi;
1861 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1862 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1867 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1868 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1870 + err = get_user(ldw, (unsigned int *)addr);
1871 + err |= get_user(bv, (unsigned int *)(addr+4));
1872 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1877 + if (ldw == 0x0E801096U &&
1878 + bv == 0xEAC0C000U &&
1879 + ldw2 == 0x0E881095U)
1881 + unsigned int resolver, map;
1883 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1884 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1888 + regs->gr[20] = instruction_pointer(regs)+8;
1889 + regs->gr[21] = map;
1890 + regs->gr[22] = resolver;
1891 + regs->iaoq[0] = resolver | 3UL;
1892 + regs->iaoq[1] = regs->iaoq[0] + 4;
1899 +#ifdef CONFIG_PAX_EMUTRAMP
1901 +#ifndef CONFIG_PAX_EMUSIGRT
1902 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1906 + do { /* PaX: rt_sigreturn emulation */
1907 + unsigned int ldi1, ldi2, bel, nop;
1909 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1910 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1911 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1912 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1917 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1918 + ldi2 == 0x3414015AU &&
1919 + bel == 0xE4008200U &&
1920 + nop == 0x08000240U)
1922 + regs->gr[25] = (ldi1 & 2) >> 1;
1923 + regs->gr[20] = __NR_rt_sigreturn;
1924 + regs->gr[31] = regs->iaoq[1] + 16;
1925 + regs->sr[0] = regs->iasq[1];
1926 + regs->iaoq[0] = 0x100UL;
1927 + regs->iaoq[1] = regs->iaoq[0] + 4;
1928 + regs->iasq[0] = regs->sr[2];
1929 + regs->iasq[1] = regs->sr[2];
1938 +void pax_report_insns(void *pc, void *sp)
1942 + printk(KERN_ERR "PAX: bytes at PC: ");
1943 + for (i = 0; i < 5; i++) {
1945 + if (get_user(c, (unsigned int *)pc+i))
1946 + printk(KERN_CONT "???????? ");
1948 + printk(KERN_CONT "%08x ", c);
1954 int fixup_exception(struct pt_regs *regs)
1956 const struct exception_table_entry *fix;
1957 @@ -192,8 +303,33 @@ good_area:
1959 acc_type = parisc_acctyp(code,regs->iir);
1961 - if ((vma->vm_flags & acc_type) != acc_type)
1962 + if ((vma->vm_flags & acc_type) != acc_type) {
1964 +#ifdef CONFIG_PAX_PAGEEXEC
1965 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1966 + (address & ~3UL) == instruction_pointer(regs))
1968 + up_read(&mm->mmap_sem);
1969 + switch (pax_handle_fetch_fault(regs)) {
1971 +#ifdef CONFIG_PAX_EMUPLT
1976 +#ifdef CONFIG_PAX_EMUTRAMP
1982 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1983 + do_group_exit(SIGKILL);
1991 * If for any reason at all we couldn't handle the fault, make
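Review bot: Every get_user() in pax_handle_fetch_fault and pax_report_insns casts the address to a plain `(unsigned int *)` (e.g. `err = get_user(bl, (unsigned int *)instruction_pointer(regs));` and `if (get_user(c, (unsigned int *)pc+i))`), which loses the address-space annotation sparse checks for; these are user addresses and should be `(unsigned int __user *)`. In do_page_fault the new PAGEEXEC block calls `up_read(&mm->mmap_sem);` before `switch (pax_handle_fetch_fault(regs))`, so every case of that switch must leave the function rather than fall into the existing error path, which presumably expects the lock still held; the case bodies are not reproduced on this page, so this needs confirming. A comment at the up_read, `/* mmap_sem dropped: the emulation paths below must return, not fall through */`, would make the invariant visible. The change to parisc_acctyp adding `code == 7` has no explanation either; a short comment naming the trap code would help.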
1992 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/device.h linux-2.6.38.1-new/arch/powerpc/include/asm/device.h
1993 --- linux-2.6.38.1/arch/powerpc/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
1994 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
1995 @@ -17,7 +17,7 @@ struct device_node;
1997 struct dev_archdata {
1998 /* DMA operations on that device */
1999 - struct dma_map_ops *dma_ops;
2000 + const struct dma_map_ops *dma_ops;
2003 * When an iommu is in use, dma_data is used as a ptr to the base of the
2004 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/powerpc/include/asm/dma-mapping.h
2005 --- linux-2.6.38.1/arch/powerpc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
2006 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
2007 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2009 * Available generic sets of operations
2011 +/* cannot be const */
2013 -extern struct dma_map_ops dma_iommu_ops;
2014 +extern const struct dma_map_ops dma_iommu_ops;
2016 -extern struct dma_map_ops dma_direct_ops;
2017 +extern const struct dma_map_ops dma_direct_ops;
2019 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2020 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2022 /* We don't handle the NULL dev case for ISA for now. We could
2023 * do it via an out of line call but it is not needed for now. The
2024 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2025 return dev->archdata.dma_ops;
2028 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2029 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2031 dev->archdata.dma_ops = ops;
2033 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2035 static inline int dma_supported(struct device *dev, u64 mask)
2037 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2038 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2040 if (unlikely(dma_ops == NULL))
2042 @@ -132,7 +133,7 @@ extern int dma_set_mask(struct device *d
2043 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2044 dma_addr_t *dma_handle, gfp_t flag)
2046 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2047 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2051 @@ -147,7 +148,7 @@ static inline void *dma_alloc_coherent(s
2052 static inline void dma_free_coherent(struct device *dev, size_t size,
2053 void *cpu_addr, dma_addr_t dma_handle)
2055 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2056 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2060 @@ -158,7 +159,7 @@ static inline void dma_free_coherent(str
2062 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2064 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2065 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2067 if (dma_ops->mapping_error)
2068 return dma_ops->mapping_error(dev, dma_addr);
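Review bot: As printed here the declaration becomes `extern const struct dma_map_ops dma_iommu_ops;` while the definition in arch/powerpc/kernel/dma-iommu.c later on this page stays `struct dma_map_ops dma_iommu_ops = {` with a comment that it cannot be const; a const-qualified extern declaration followed by a non-const definition in the same translation unit is a conflicting-type-qualifiers error in GCC, so if dma-iommu.c sees this header (directly or via linux/dma-mapping.h) the PPC64 build should fail. The `/* cannot be const */` comment added just above also reads as though it belongs to a declaration that was left non-const. Suggest keeping the iommu declaration as `extern struct dma_map_ops dma_iommu_ops; /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */` and const-qualifying only dma_direct_ops and the get_dma_ops/set_dma_ops accessors here.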
2069 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/elf.h linux-2.6.38.1-new/arch/powerpc/include/asm/elf.h
2070 --- linux-2.6.38.1/arch/powerpc/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
2071 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
2072 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2073 the loader. We need to make sure that it is out of the way of the program
2074 that it will "exec", and that there is sufficient room for the brk. */
2076 -extern unsigned long randomize_et_dyn(unsigned long base);
2077 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2078 +#define ELF_ET_DYN_BASE (0x20000000)
2080 +#ifdef CONFIG_PAX_ASLR
2081 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2083 +#ifdef __powerpc64__
2084 +#define PAX_DELTA_MMAP_LEN (is_32bit_task() ? 16 : 28)
2085 +#define PAX_DELTA_STACK_LEN (is_32bit_task() ? 16 : 28)
2087 +#define PAX_DELTA_MMAP_LEN 15
2088 +#define PAX_DELTA_STACK_LEN 15
2093 * Our registers are always unsigned longs, whether we're a 32 bit
2094 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2095 (0x7ff >> (PAGE_SHIFT - 12)) : \
2096 (0x3ffff >> (PAGE_SHIFT - 12)))
2098 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2099 -#define arch_randomize_brk arch_randomize_brk
2101 #endif /* __KERNEL__ */
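Review bot: With CONFIG_PAX_ASLR disabled this section leaves powerpc with less randomization than the unpatched tree: `ELF_ET_DYN_BASE` becomes the fixed `(0x20000000)` instead of `randomize_et_dyn(0x20000000)`, and the second hunk removes the `arch_randomize_brk` definition, so the brk base is no longer randomized either; `#define arch_align_stack(x) ((x) & ~0xfUL)` in arch/powerpc/include/asm/system.h on this page drops the stack-top jitter the same way. If the intent is that PaX ASLR fully replaces the upstream randomization, the `#ifdef CONFIG_PAX_ASLR` block should say so, e.g. `/* PaX ASLR replaces randomize_et_dyn()/arch_randomize_brk()/arch_align_stack(); without it these bases are fixed */`, and a non-PaX build should either keep the removed helpers or be prevented by Kconfig from silently regressing.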
2104 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/iommu.h linux-2.6.38.1-new/arch/powerpc/include/asm/iommu.h
2105 --- linux-2.6.38.1/arch/powerpc/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
2106 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/iommu.h 2011-03-21 18:31:35.000000000 -0400
2107 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2108 extern void iommu_init_early_dart(void);
2109 extern void iommu_init_early_pasemi(void);
2112 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2115 extern void pci_iommu_init(void);
2116 extern void pci_direct_iommu_init(void);
2117 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/kmap_types.h linux-2.6.38.1-new/arch/powerpc/include/asm/kmap_types.h
2118 --- linux-2.6.38.1/arch/powerpc/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
2119 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
2120 @@ -27,6 +27,7 @@ enum km_type {
2128 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/page_64.h linux-2.6.38.1-new/arch/powerpc/include/asm/page_64.h
2129 --- linux-2.6.38.1/arch/powerpc/include/asm/page_64.h 2011-03-14 21:20:32.000000000 -0400
2130 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/page_64.h 2011-03-21 18:31:35.000000000 -0400
2131 @@ -172,15 +172,18 @@ do { \
2132 * stack by default, so in the absense of a PT_GNU_STACK program header
2133 * we turn execute permission off.
2135 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2136 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2137 +#define VM_STACK_DEFAULT_FLAGS32 \
2138 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2139 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2141 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2142 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2144 +#ifndef CONFIG_PAX_PAGEEXEC
2145 #define VM_STACK_DEFAULT_FLAGS \
2146 (is_32bit_task() ? \
2147 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2150 #include <asm-generic/getorder.h>
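Review bot: The 32-bit default now grants VM_EXEC only when the personality has READ_IMPLIES_EXEC, but the comment that introduces these macros (the hunk's context, ending `we turn execute permission off`) still describes only the 64-bit case; add a line above VM_STACK_DEFAULT_FLAGS32 such as `/* 32-bit tasks likewise get a non-executable stack unless READ_IMPLIES_EXEC is set */`. The same applies to VM_DATA_DEFAULT_FLAGS32 in arch/powerpc/include/asm/page.h later on this page. The `#ifndef CONFIG_PAX_PAGEEXEC` now wrapping VM_STACK_DEFAULT_FLAGS has its `#endif` outside the lines reproduced here, and the PAGEEXEC definition presumably lives elsewhere; a comment naming where would help the next reader.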
2152 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/page.h linux-2.6.38.1-new/arch/powerpc/include/asm/page.h
2153 --- linux-2.6.38.1/arch/powerpc/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
2154 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/page.h 2011-03-21 18:31:35.000000000 -0400
2155 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2156 * and needs to be executable. This means the whole heap ends
2157 * up being executable.
2159 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2160 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2161 +#define VM_DATA_DEFAULT_FLAGS32 \
2162 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2163 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2165 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2166 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2167 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2168 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2171 +#define ktla_ktva(addr) (addr)
2172 +#define ktva_ktla(addr) (addr)
2174 #ifndef __ASSEMBLY__
2176 #undef STRICT_MM_TYPECHECKS
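Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` are introduced as bare identity macros with no comment, and nothing on this page says what they convert between. A reader meeting them in generic code needs to know they map kernel text linear addresses to virtual addresses and back, and that on powerpc the two presumably coincide, which is why they are identities here; suggest `/* kernel text linear <-> virtual address; the two are identical on powerpc */` above the defines, wording confirmed against the architecture that defines them non-trivially.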
2177 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/pci.h linux-2.6.38.1-new/arch/powerpc/include/asm/pci.h
2178 --- linux-2.6.38.1/arch/powerpc/include/asm/pci.h 2011-03-14 21:20:32.000000000 -0400
2179 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/pci.h 2011-03-21 18:31:35.000000000 -0400
2180 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2184 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2185 -extern struct dma_map_ops *get_pci_dma_ops(void);
2186 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2187 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2188 #else /* CONFIG_PCI */
2189 #define set_pci_dma_ops(d)
2190 #define get_pci_dma_ops() NULL
2191 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/pgtable.h linux-2.6.38.1-new/arch/powerpc/include/asm/pgtable.h
2192 --- linux-2.6.38.1/arch/powerpc/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
2193 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
2195 #define _ASM_POWERPC_PGTABLE_H
2198 +#include <linux/const.h>
2199 #ifndef __ASSEMBLY__
2200 #include <asm/processor.h> /* For TASK_SIZE */
2201 #include <asm/mmu.h>
2202 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/pte-hash32.h linux-2.6.38.1-new/arch/powerpc/include/asm/pte-hash32.h
2203 --- linux-2.6.38.1/arch/powerpc/include/asm/pte-hash32.h 2011-03-14 21:20:32.000000000 -0400
2204 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/pte-hash32.h 2011-03-21 18:31:35.000000000 -0400
2206 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2207 #define _PAGE_USER 0x004 /* usermode access allowed */
2208 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2209 +#define _PAGE_EXEC _PAGE_GUARDED
2210 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2211 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2212 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
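Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` aliases the exec flag onto the hardware Guarded (G) bit without stating the polarity: G's hardware meaning is to prohibit speculative access, and the `DSISR_GUARDED 0x10000000 /* fetch from guarded storage */` added in arch/powerpc/include/asm/reg.h on this page indicates that an instruction fetch from guarded storage faults, so whether a set _PAGE_EXEC means executable or non-executable depends on how the PTE is built elsewhere. Any existing mapping that sets _PAGE_GUARDED for device memory now also reads as _PAGE_EXEC, which is worth confirming is harmless. Suggest a comment at the define, e.g. `/* PaX: hash32 has no NX bit, so exec permission is tracked through the G bit; see the fault handler that consumes DSISR_GUARDED */`, with the polarity spelled out once it has been checked against the PTE construction code.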
2213 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/reg.h linux-2.6.38.1-new/arch/powerpc/include/asm/reg.h
2214 --- linux-2.6.38.1/arch/powerpc/include/asm/reg.h 2011-03-23 17:20:06.000000000 -0400
2215 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/reg.h 2011-03-23 17:21:43.000000000 -0400
2217 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2218 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2219 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2220 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2221 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2222 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2223 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2224 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/swiotlb.h linux-2.6.38.1-new/arch/powerpc/include/asm/swiotlb.h
2225 --- linux-2.6.38.1/arch/powerpc/include/asm/swiotlb.h 2011-03-14 21:20:32.000000000 -0400
2226 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/swiotlb.h 2011-03-21 18:31:35.000000000 -0400
2229 #include <linux/swiotlb.h>
2231 -extern struct dma_map_ops swiotlb_dma_ops;
2232 +extern const struct dma_map_ops swiotlb_dma_ops;
2234 static inline void dma_mark_clean(void *addr, size_t size) {}
2236 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/system.h linux-2.6.38.1-new/arch/powerpc/include/asm/system.h
2237 --- linux-2.6.38.1/arch/powerpc/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
2238 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
2239 @@ -533,7 +533,7 @@ __cmpxchg_local(volatile void *ptr, unsi
2240 #define cmpxchg64_local(ptr, o, n) __cmpxchg64_local_generic((ptr), (o), (n))
2243 -extern unsigned long arch_align_stack(unsigned long sp);
2244 +#define arch_align_stack(x) ((x) & ~0xfUL)
2246 /* Used in very early kernel initialization. */
2247 extern unsigned long reloc_offset(void);
2248 diff -urNp linux-2.6.38.1/arch/powerpc/include/asm/uaccess.h linux-2.6.38.1-new/arch/powerpc/include/asm/uaccess.h
2249 --- linux-2.6.38.1/arch/powerpc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
2250 +++ linux-2.6.38.1-new/arch/powerpc/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
2252 #define VERIFY_READ 0
2253 #define VERIFY_WRITE 1
2255 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2258 * The fs value determines whether argument validity checking should be
2259 * performed or not. If get_fs() == USER_DS, checking is performed, with
2260 @@ -327,52 +329,6 @@ do { \
2261 extern unsigned long __copy_tofrom_user(void __user *to,
2262 const void __user *from, unsigned long size);
2264 -#ifndef __powerpc64__
2266 -static inline unsigned long copy_from_user(void *to,
2267 - const void __user *from, unsigned long n)
2269 - unsigned long over;
2271 - if (access_ok(VERIFY_READ, from, n))
2272 - return __copy_tofrom_user((__force void __user *)to, from, n);
2273 - if ((unsigned long)from < TASK_SIZE) {
2274 - over = (unsigned long)from + n - TASK_SIZE;
2275 - return __copy_tofrom_user((__force void __user *)to, from,
2281 -static inline unsigned long copy_to_user(void __user *to,
2282 - const void *from, unsigned long n)
2284 - unsigned long over;
2286 - if (access_ok(VERIFY_WRITE, to, n))
2287 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2288 - if ((unsigned long)to < TASK_SIZE) {
2289 - over = (unsigned long)to + n - TASK_SIZE;
2290 - return __copy_tofrom_user(to, (__force void __user *)from,
2296 -#else /* __powerpc64__ */
2298 -#define __copy_in_user(to, from, size) \
2299 - __copy_tofrom_user((to), (from), (size))
2301 -extern unsigned long copy_from_user(void *to, const void __user *from,
2303 -extern unsigned long copy_to_user(void __user *to, const void *from,
2305 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2308 -#endif /* __powerpc64__ */
2310 static inline unsigned long __copy_from_user_inatomic(void *to,
2311 const void __user *from, unsigned long n)
2313 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2318 + if (!__builtin_constant_p(n))
2319 + check_object_size(to, n, false);
2321 return __copy_tofrom_user((__force void __user *)to, from, n);
2324 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2329 + if (!__builtin_constant_p(n))
2330 + check_object_size(from, n, true);
2332 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2335 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2336 return __copy_to_user_inatomic(to, from, size);
2339 +#ifndef __powerpc64__
2341 +static inline unsigned long __must_check copy_from_user(void *to,
2342 + const void __user *from, unsigned long n)
2344 + unsigned long over;
2349 + if (access_ok(VERIFY_READ, from, n)) {
2350 + if (!__builtin_constant_p(n))
2351 + check_object_size(to, n, false);
2352 + return __copy_tofrom_user((__force void __user *)to, from, n);
2354 + if ((unsigned long)from < TASK_SIZE) {
2355 + over = (unsigned long)from + n - TASK_SIZE;
2356 + if (!__builtin_constant_p(n - over))
2357 + check_object_size(to, n - over, false);
2358 + return __copy_tofrom_user((__force void __user *)to, from,
2364 +static inline unsigned long __must_check copy_to_user(void __user *to,
2365 + const void *from, unsigned long n)
2367 + unsigned long over;
2372 + if (access_ok(VERIFY_WRITE, to, n)) {
2373 + if (!__builtin_constant_p(n))
2374 + check_object_size(from, n, true);
2375 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2377 + if ((unsigned long)to < TASK_SIZE) {
2378 + over = (unsigned long)to + n - TASK_SIZE;
2379 + if (!__builtin_constant_p(n))
2380 + check_object_size(from, n - over, true);
2381 + return __copy_tofrom_user(to, (__force void __user *)from,
2387 +#else /* __powerpc64__ */
2389 +#define __copy_in_user(to, from, size) \
2390 + __copy_tofrom_user((to), (from), (size))
2392 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2394 + if ((long)n < 0 || n > INT_MAX)
2397 + if (!__builtin_constant_p(n))
2398 + check_object_size(to, n, false);
2400 + if (likely(access_ok(VERIFY_READ, from, n)))
2401 + n = __copy_from_user(to, from, n);
2407 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2409 + if ((long)n < 0 || n > INT_MAX)
2412 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2413 + if (!__builtin_constant_p(n))
2414 + check_object_size(from, n, true);
2415 + n = __copy_to_user(to, from, n);
2420 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2423 +#endif /* __powerpc64__ */
2425 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2427 static inline unsigned long clear_user(void __user *addr, unsigned long size)
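Review bot: In the 32-bit copy_to_user the partial-copy branch tests `if (!__builtin_constant_p(n))` but then passes `n - over` to `check_object_size(from, n - over, true)`, while the copy_from_user counterpart a few lines earlier tests `!__builtin_constant_p(n - over)`; the two should agree, and testing the value actually passed is the correct form: `if (!__builtin_constant_p(n - over))`. In the 64-bit pair, copy_from_user calls check_object_size before access_ok while copy_to_user calls it inside the access_ok branch; harmless as far as this page shows, but the asymmetry invites a later mistake. Several lines of these hunks, including the paths taken when access_ok fails, are not reproduced on this page.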
2428 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/dma.c linux-2.6.38.1-new/arch/powerpc/kernel/dma.c
2429 --- linux-2.6.38.1/arch/powerpc/kernel/dma.c 2011-03-14 21:20:32.000000000 -0400
2430 +++ linux-2.6.38.1-new/arch/powerpc/kernel/dma.c 2011-03-21 18:31:35.000000000 -0400
2431 @@ -136,7 +136,7 @@ static inline void dma_direct_sync_singl
2435 -struct dma_map_ops dma_direct_ops = {
2436 +const struct dma_map_ops dma_direct_ops = {
2437 .alloc_coherent = dma_direct_alloc_coherent,
2438 .free_coherent = dma_direct_free_coherent,
2439 .map_sg = dma_direct_map_sg,
2440 @@ -157,7 +157,7 @@ EXPORT_SYMBOL(dma_direct_ops);
2442 int dma_set_mask(struct device *dev, u64 dma_mask)
2444 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2445 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2447 if (ppc_md.dma_set_mask)
2448 return ppc_md.dma_set_mask(dev, dma_mask);
2449 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/dma-iommu.c linux-2.6.38.1-new/arch/powerpc/kernel/dma-iommu.c
2450 --- linux-2.6.38.1/arch/powerpc/kernel/dma-iommu.c 2011-03-14 21:20:32.000000000 -0400
2451 +++ linux-2.6.38.1-new/arch/powerpc/kernel/dma-iommu.c 2011-03-21 18:31:35.000000000 -0400
2452 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2455 /* We support DMA to/from any memory page via the iommu */
2456 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2457 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2459 struct iommu_table *tbl = get_iommu_table_base(dev);
2461 @@ -90,7 +90,7 @@ static int dma_iommu_dma_supported(struc
2465 -struct dma_map_ops dma_iommu_ops = {
2466 +struct dma_map_ops dma_iommu_ops = { /* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2467 .alloc_coherent = dma_iommu_alloc_coherent,
2468 .free_coherent = dma_iommu_free_coherent,
2469 .map_sg = dma_iommu_map_sg,
2470 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.38.1-new/arch/powerpc/kernel/dma-swiotlb.c
2471 --- linux-2.6.38.1/arch/powerpc/kernel/dma-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
2472 +++ linux-2.6.38.1-new/arch/powerpc/kernel/dma-swiotlb.c 2011-03-21 18:31:35.000000000 -0400
2473 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2474 * map_page, and unmap_page on highmem, use normal dma_ops
2475 * for everything else.
2477 -struct dma_map_ops swiotlb_dma_ops = {
2478 +const struct dma_map_ops swiotlb_dma_ops = {
2479 .alloc_coherent = dma_direct_alloc_coherent,
2480 .free_coherent = dma_direct_free_coherent,
2481 .map_sg = swiotlb_map_sg_attrs,
2482 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/exceptions-64e.S linux-2.6.38.1-new/arch/powerpc/kernel/exceptions-64e.S
2483 --- linux-2.6.38.1/arch/powerpc/kernel/exceptions-64e.S 2011-03-14 21:20:32.000000000 -0400
2484 +++ linux-2.6.38.1-new/arch/powerpc/kernel/exceptions-64e.S 2011-03-21 18:31:35.000000000 -0400
2485 @@ -495,6 +495,7 @@ storage_fault_common:
2488 addi r3,r1,STACK_FRAME_OVERHEAD
2492 ld r14,PACA_EXGEN+EX_R14(r13)
2493 @@ -504,8 +505,7 @@ storage_fault_common:
2496 b .ret_from_except_lite
2500 addi r3,r1,STACK_FRAME_OVERHEAD
2503 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/exceptions-64s.S linux-2.6.38.1-new/arch/powerpc/kernel/exceptions-64s.S
2504 --- linux-2.6.38.1/arch/powerpc/kernel/exceptions-64s.S 2011-03-14 21:20:32.000000000 -0400
2505 +++ linux-2.6.38.1-new/arch/powerpc/kernel/exceptions-64s.S 2011-03-21 18:31:35.000000000 -0400
2506 @@ -848,10 +848,10 @@ handle_page_fault:
2509 addi r3,r1,STACK_FRAME_OVERHEAD
2516 addi r3,r1,STACK_FRAME_OVERHEAD
2518 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/ibmebus.c linux-2.6.38.1-new/arch/powerpc/kernel/ibmebus.c
2519 --- linux-2.6.38.1/arch/powerpc/kernel/ibmebus.c 2011-03-14 21:20:32.000000000 -0400
2520 +++ linux-2.6.38.1-new/arch/powerpc/kernel/ibmebus.c 2011-03-21 18:31:35.000000000 -0400
2521 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2525 -static struct dma_map_ops ibmebus_dma_ops = {
2526 +static const struct dma_map_ops ibmebus_dma_ops = {
2527 .alloc_coherent = ibmebus_alloc_coherent,
2528 .free_coherent = ibmebus_free_coherent,
2529 .map_sg = ibmebus_map_sg,
2530 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/kgdb.c linux-2.6.38.1-new/arch/powerpc/kernel/kgdb.c
2531 --- linux-2.6.38.1/arch/powerpc/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
2532 +++ linux-2.6.38.1-new/arch/powerpc/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
2533 @@ -422,7 +422,7 @@ int kgdb_arch_handle_exception(int vecto
2537 -struct kgdb_arch arch_kgdb_ops = {
2538 +const struct kgdb_arch arch_kgdb_ops = {
2539 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2542 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/module_32.c linux-2.6.38.1-new/arch/powerpc/kernel/module_32.c
2543 --- linux-2.6.38.1/arch/powerpc/kernel/module_32.c 2011-03-14 21:20:32.000000000 -0400
2544 +++ linux-2.6.38.1-new/arch/powerpc/kernel/module_32.c 2011-03-21 18:31:35.000000000 -0400
2545 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2546 me->arch.core_plt_section = i;
2548 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2549 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2550 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2554 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2556 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2557 /* Init, or core PLT? */
2558 - if (location >= mod->module_core
2559 - && location < mod->module_core + mod->core_size)
2560 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2561 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2562 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2564 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2565 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2566 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2568 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2572 /* Find this entry, or if that fails, the next avail. entry */
2573 while (entry->jump[0]) {
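Review bot: The core/init test in do_plt_call is now four hand-written interval checks on one condition, `(location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) || (...)`, which is hard to read and duplicates the in_core_rx/in_init_rx helpers the same patch introduces for parisc; a small static inline region test keeps the logic in one place. The error branch at `printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);` is followed by lines not reproduced here, so how the caller learns of the failure cannot be checked; the field type used for the size below should match the patched struct module, which is not on this page.
```c
/* true when loc lies inside [base, base + size) */
static inline int in_region(void *loc, void *base, unsigned int size)
{
	return loc >= base && loc < base + size;
}

/* … unchanged: do_plt_call up to the "Init, or core PLT?" comment … */
	if (in_region(location, mod->module_core_rx, mod->core_size_rx) ||
	    in_region(location, mod->module_core_rw, mod->core_size_rw))
		entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
	else if (in_region(location, mod->module_init_rx, mod->init_size_rx) ||
		 in_region(location, mod->module_init_rw, mod->init_size_rw))
		entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
	/* … unchanged: error printk and the rest of the function … */
```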
2574 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/module.c linux-2.6.38.1-new/arch/powerpc/kernel/module.c
2575 --- linux-2.6.38.1/arch/powerpc/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
2576 +++ linux-2.6.38.1-new/arch/powerpc/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
2579 LIST_HEAD(module_bug_list);
2581 +#ifdef CONFIG_PAX_KERNEXEC
2582 void *module_alloc(unsigned long size)
2587 + return vmalloc(size);
2590 +void *module_alloc_exec(unsigned long size)
2592 +void *module_alloc(unsigned long size)
2599 return vmalloc_exec(size);
2602 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2603 vfree(module_region);
2606 +#ifdef CONFIG_PAX_KERNEXEC
2607 +void module_free_exec(struct module *mod, void *module_region)
2609 + module_free(mod, module_region);
2613 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2614 const Elf_Shdr *sechdrs,
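Review bot: Under CONFIG_PAX_KERNEXEC a second allocator, module_alloc_exec, appears next to module_alloc, and the visible bodies return `vmalloc(size)` and `vmalloc_exec(size)` respectively, but neither carries a comment saying which module regions each backs, and the pairing of module_free_exec with plain `module_free(mod, module_region);` is equally unexplained. Suggest a header comment above the `#ifdef CONFIG_PAX_KERNEXEC`, e.g. `/* KERNEXEC: module text (the *_rx regions) comes from vmalloc_exec(), everything else from non-executable vmalloc(); module_free() releases both kinds */`, with the wording confirmed against the callers, which are not on this page. The remaining statements of these function bodies are not reproduced here.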
2616 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/pci-common.c linux-2.6.38.1-new/arch/powerpc/kernel/pci-common.c
2617 --- linux-2.6.38.1/arch/powerpc/kernel/pci-common.c 2011-03-14 21:20:32.000000000 -0400
2618 +++ linux-2.6.38.1-new/arch/powerpc/kernel/pci-common.c 2011-03-21 18:31:35.000000000 -0400
2619 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2620 unsigned int ppc_pci_flags = 0;
2623 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2624 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2626 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2627 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2629 pci_dma_ops = dma_ops;
2632 -struct dma_map_ops *get_pci_dma_ops(void)
2633 +const struct dma_map_ops *get_pci_dma_ops(void)
2637 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/process.c linux-2.6.38.1-new/arch/powerpc/kernel/process.c
2638 --- linux-2.6.38.1/arch/powerpc/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
2639 +++ linux-2.6.38.1-new/arch/powerpc/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
2640 @@ -655,8 +655,8 @@ void show_regs(struct pt_regs * regs)
2641 * Lookup NIP late so we have the best change of getting the
2642 * above info out without failing
2644 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2645 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2646 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2647 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2649 show_stack(current, (unsigned long *) regs->gpr[1]);
2650 if (!user_mode(regs))
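Review bot: The switch from `%pS` to `%pA` in the two NIP/LR printks relies on a printk pointer extension that vanilla 2.6.38.1 does not implement, and nothing in show_regs says where it comes from or what it prints differently; the two show_stack hunks below make the same change. An unrecognised `%p` suffix is not a build error (the vanilla pointer() path would presumably fall back to printing the raw pointer), so a reader of this file cannot tell whether the intended formatting is in effect. A one-line comment above the first use would close that gap, e.g. `/* %pA: pointer format supplied by this patch's vsprintf change, not by vanilla printk */`. show_regs begins and ends outside this hunk.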
2651 @@ -1146,10 +1146,10 @@ void show_stack(struct task_struct *tsk,
2653 ip = stack[STACK_FRAME_LR_SAVE];
2654 if (!firstframe || ip != lr) {
2655 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2656 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2657 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2658 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2661 (void *)current->ret_stack[curr_frame].ret);
2664 @@ -1169,7 +1169,7 @@ void show_stack(struct task_struct *tsk,
2665 struct pt_regs *regs = (struct pt_regs *)
2666 (sp + STACK_FRAME_OVERHEAD);
2668 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2669 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2670 regs->trap, (void *)regs->nip, (void *)lr);
2673 @@ -1244,58 +1244,3 @@ void thread_info_cache_init(void)
2676 #endif /* THREAD_SHIFT < PAGE_SHIFT */
2678 -unsigned long arch_align_stack(unsigned long sp)
2680 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
2681 - sp -= get_random_int() & ~PAGE_MASK;
2685 -static inline unsigned long brk_rnd(void)
2687 - unsigned long rnd = 0;
2689 - /* 8MB for 32bit, 1GB for 64bit */
2690 - if (is_32bit_task())
2691 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2693 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2695 - return rnd << PAGE_SHIFT;
2698 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2700 - unsigned long base = mm->brk;
2701 - unsigned long ret;
2703 -#ifdef CONFIG_PPC_STD_MMU_64
2705 - * If we are using 1TB segments and we are allowed to randomise
2706 - * the heap, we can put it above 1TB so it is backed by a 1TB
2707 - * segment. Otherwise the heap will be in the bottom 1TB
2708 - * which always uses 256MB segments and this may result in a
2709 - * performance penalty.
2711 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2712 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2715 - ret = PAGE_ALIGN(base + brk_rnd());
2717 - if (ret < mm->brk)
2723 -unsigned long randomize_et_dyn(unsigned long base)
2725 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2732 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/signal_32.c linux-2.6.38.1-new/arch/powerpc/kernel/signal_32.c
2733 --- linux-2.6.38.1/arch/powerpc/kernel/signal_32.c 2011-03-14 21:20:32.000000000 -0400
2734 +++ linux-2.6.38.1-new/arch/powerpc/kernel/signal_32.c 2011-03-21 18:31:35.000000000 -0400
2735 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2736 /* Save user registers on the stack */
2737 frame = &rt_sf->uc.uc_mcontext;
2739 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2740 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2741 if (save_user_regs(regs, frame, 0, 1))
2743 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
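Review bot: The "no vDSO" sentinel compared here changes from 0 to `~0UL`, matching the value arch_setup_additional_pages now stores in the arch/powerpc/kernel/vdso.c hunk, but the check itself does not say so; the signal_64.c hunk makes the same change. Suggest `/* ~0UL: vDSO disabled or not mapped (set in arch_setup_additional_pages) */` above the `if`. Two consequences are worth confirming outside this hunk: any remaining zero-test of `vdso_base` (the non-rt handle_signal32 path, if this tree still has one) would now treat an unmapped vDSO as mapped at address 0, and an mm whose `vdso_base` was never written keeps the zero-initialised value and is likewise taken as mapped. handle_rt_signal32 continues outside the hunk.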
2744 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/signal_64.c linux-2.6.38.1-new/arch/powerpc/kernel/signal_64.c
2745 --- linux-2.6.38.1/arch/powerpc/kernel/signal_64.c 2011-03-14 21:20:32.000000000 -0400
2746 +++ linux-2.6.38.1-new/arch/powerpc/kernel/signal_64.c 2011-03-21 18:31:35.000000000 -0400
2747 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2748 current->thread.fpscr.val = 0;
2750 /* Set up to return from userspace. */
2751 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2752 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2753 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2755 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2756 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/vdso.c linux-2.6.38.1-new/arch/powerpc/kernel/vdso.c
2757 --- linux-2.6.38.1/arch/powerpc/kernel/vdso.c 2011-03-14 21:20:32.000000000 -0400
2758 +++ linux-2.6.38.1-new/arch/powerpc/kernel/vdso.c 2011-03-21 18:31:35.000000000 -0400
2760 #include <asm/firmware.h>
2761 #include <asm/vdso.h>
2762 #include <asm/vdso_datapage.h>
2763 +#include <asm/mman.h>
2767 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2768 vdso_base = VDSO32_MBASE;
2771 - current->mm->context.vdso_base = 0;
2772 + current->mm->context.vdso_base = ~0UL;
2774 /* vDSO has a problem and was disabled, just don't "enable" it for the
2776 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2777 vdso_base = get_unmapped_area(NULL, vdso_base,
2778 (vdso_pages << PAGE_SHIFT) +
2779 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2781 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2782 if (IS_ERR_VALUE(vdso_base)) {
2785 diff -urNp linux-2.6.38.1/arch/powerpc/kernel/vio.c linux-2.6.38.1-new/arch/powerpc/kernel/vio.c
2786 --- linux-2.6.38.1/arch/powerpc/kernel/vio.c 2011-03-14 21:20:32.000000000 -0400
2787 +++ linux-2.6.38.1-new/arch/powerpc/kernel/vio.c 2011-03-21 18:31:35.000000000 -0400
2788 @@ -605,11 +605,12 @@ static int vio_dma_iommu_dma_supported(s
2789 return dma_iommu_ops.dma_supported(dev, mask);
2792 -struct dma_map_ops vio_dma_mapping_ops = {
2793 +const struct dma_map_ops vio_dma_mapping_ops = {
2794 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2795 .free_coherent = vio_dma_iommu_free_coherent,
2796 .map_sg = vio_dma_iommu_map_sg,
2797 .unmap_sg = vio_dma_iommu_unmap_sg,
2798 + .dma_supported = dma_iommu_dma_supported,
2799 .map_page = vio_dma_iommu_map_page,
2800 .unmap_page = vio_dma_iommu_unmap_page,
2801 .dma_supported = vio_dma_iommu_dma_supported,
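Review bot: The added `.dma_supported = dma_iommu_dma_supported` initializer is overridden three lines later by the existing `.dma_supported = vio_dma_iommu_dma_supported`, so it has no effect (the last designated initializer for a member wins) and only triggers -Woverride-init under -Wextra. The wrapper above already forwards to `dma_iommu_ops.dma_supported(dev, mask)`, so the new line should simply be removed rather than reordered. The const-qualification of `vio_dma_mapping_ops` is fine on its own, provided any extern declaration of it elsewhere is updated to match.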
2802 diff -urNp linux-2.6.38.1/arch/powerpc/lib/usercopy_64.c linux-2.6.38.1-new/arch/powerpc/lib/usercopy_64.c
2803 --- linux-2.6.38.1/arch/powerpc/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
2804 +++ linux-2.6.38.1-new/arch/powerpc/lib/usercopy_64.c 2011-03-21 18:31:35.000000000 -0400
2806 #include <linux/module.h>
2807 #include <asm/uaccess.h>
2809 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2811 - if (likely(access_ok(VERIFY_READ, from, n)))
2812 - n = __copy_from_user(to, from, n);
2818 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2820 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2821 - n = __copy_to_user(to, from, n);
2825 unsigned long copy_in_user(void __user *to, const void __user *from,
2828 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2832 -EXPORT_SYMBOL(copy_from_user);
2833 -EXPORT_SYMBOL(copy_to_user);
2834 EXPORT_SYMBOL(copy_in_user);
2836 diff -urNp linux-2.6.38.1/arch/powerpc/mm/fault.c linux-2.6.38.1-new/arch/powerpc/mm/fault.c
2837 --- linux-2.6.38.1/arch/powerpc/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
2838 +++ linux-2.6.38.1-new/arch/powerpc/mm/fault.c 2011-03-21 18:31:35.000000000 -0400
2840 #include <linux/kdebug.h>
2841 #include <linux/perf_event.h>
2842 #include <linux/magic.h>
2843 +#include <linux/slab.h>
2844 +#include <linux/pagemap.h>
2845 +#include <linux/compiler.h>
2846 +#include <linux/unistd.h>
2848 #include <asm/firmware.h>
2849 #include <asm/page.h>
2851 #include <asm/tlbflush.h>
2852 #include <asm/siginfo.h>
2853 #include <mm/mmu_decl.h>
2854 +#include <asm/ptrace.h>
2856 #ifdef CONFIG_KPROBES
2857 static inline int notify_page_fault(struct pt_regs *regs)
2858 @@ -65,6 +70,33 @@ static inline int notify_page_fault(stru
2862 +#ifdef CONFIG_PAX_PAGEEXEC
2864 + * PaX: decide what to do with offenders (regs->nip = fault address)
2866 + * returns 1 when task should be killed
2868 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2873 +void pax_report_insns(void *pc, void *sp)
2877 + printk(KERN_ERR "PAX: bytes at PC: ");
2878 + for (i = 0; i < 5; i++) {
2880 + if (get_user(c, (unsigned int __user *)pc+i))
2881 + printk(KERN_CONT "???????? ");
2883 + printk(KERN_CONT "%08x ", c);
2890 * Check whether the instruction at regs->nip is a store using
2891 * an update addressing form which will update r1.
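Review bot: pax_report_insns dumps a hard-coded five words at PC and, as far as the added lines show, never uses its `sp` parameter; neither fact is documented. Suggest a header comment such as `/* Dump the five instruction words at the faulting PC into the log; sp is unused on powerpc */` and a named constant in place of the literal 5 (a constructed name like `PAX_INSN_DUMP_WORDS` would do). The expression `(unsigned int __user *)pc+i` is correct because the cast binds before the addition, giving a word stride, but it reads like byte arithmetic and deserves a short comment. The function is non-static with no prototype in this hunk, so its declaration presumably lives in a shared PaX header; confirm so that -Wmissing-prototypes stays clean.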
2892 @@ -135,7 +167,7 @@ int __kprobes do_page_fault(struct pt_re
2893 * indicate errors in DSISR but can validly be set in SRR1.
2896 - error_code &= 0x48200000;
2897 + error_code &= 0x58200000;
2899 is_write = error_code & DSISR_ISSTORE;
2901 @@ -258,7 +290,7 @@ good_area:
2902 * "undefined". Of those that can be set, this is the only
2903 * one which seems bad.
2905 - if (error_code & 0x10000000)
2906 + if (error_code & DSISR_GUARDED)
2907 /* Guarded storage error. */
2909 #endif /* CONFIG_8xx */
2910 @@ -273,7 +305,7 @@ good_area:
2911 * processors use the same I/D cache coherency mechanism
2914 - if (error_code & DSISR_PROTFAULT)
2915 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2917 #endif /* CONFIG_PPC_STD_MMU */
2919 @@ -342,6 +374,23 @@ bad_area:
2920 bad_area_nosemaphore:
2921 /* User mode accesses cause a SIGSEGV */
2922 if (user_mode(regs)) {
2924 +#ifdef CONFIG_PAX_PAGEEXEC
2925 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2926 +#ifdef CONFIG_PPC_STD_MMU
2927 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2929 + if (is_exec && regs->nip == address) {
2931 + switch (pax_handle_fetch_fault(regs)) {
2934 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2935 + do_group_exit(SIGKILL);
2940 _exception(SIGSEGV, regs, code, address);
2943 diff -urNp linux-2.6.38.1/arch/powerpc/mm/mmap_64.c linux-2.6.38.1-new/arch/powerpc/mm/mmap_64.c
2944 --- linux-2.6.38.1/arch/powerpc/mm/mmap_64.c 2011-03-14 21:20:32.000000000 -0400
2945 +++ linux-2.6.38.1-new/arch/powerpc/mm/mmap_64.c 2011-03-21 18:31:35.000000000 -0400
2946 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2948 if (mmap_is_legacy()) {
2949 mm->mmap_base = TASK_UNMAPPED_BASE;
2951 +#ifdef CONFIG_PAX_RANDMMAP
2952 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2953 + mm->mmap_base += mm->delta_mmap;
2956 mm->get_unmapped_area = arch_get_unmapped_area;
2957 mm->unmap_area = arch_unmap_area;
2959 mm->mmap_base = mmap_base();
2961 +#ifdef CONFIG_PAX_RANDMMAP
2962 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2963 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2966 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2967 mm->unmap_area = arch_unmap_area_topdown;
2969 diff -urNp linux-2.6.38.1/arch/powerpc/mm/slice.c linux-2.6.38.1-new/arch/powerpc/mm/slice.c
2970 --- linux-2.6.38.1/arch/powerpc/mm/slice.c 2011-03-14 21:20:32.000000000 -0400
2971 +++ linux-2.6.38.1-new/arch/powerpc/mm/slice.c 2011-03-21 23:47:41.000000000 -0400
2972 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2973 if ((mm->task_size - len) < addr)
2975 vma = find_vma(mm, addr);
2976 - return (!vma || (addr + len) <= vma->vm_start);
2977 + return check_heap_stack_gap(vma, addr, len);
2980 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2981 @@ -256,7 +256,7 @@ full_search:
2982 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2985 - if (!vma || addr + len <= vma->vm_start) {
2986 + if (check_heap_stack_gap(vma, addr, len)) {
2988 * Remember the place where we stopped the search:
2990 @@ -313,10 +313,14 @@ static unsigned long slice_find_area_top
2994 - addr = mm->mmap_base;
2995 - while (addr > len) {
2996 + if (mm->mmap_base < len)
2999 + addr = mm->mmap_base - len;
3001 + while (!IS_ERR_VALUE(addr)) {
3002 /* Go down by chunk size */
3003 - addr = _ALIGN_DOWN(addr - len, 1ul << pshift);
3004 + addr = _ALIGN_DOWN(addr, 1ul << pshift);
3006 /* Check for hit with different page size */
3007 mask = slice_range_to_mask(addr, len);
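Review bot: The rewritten top-down loop now exits on `!IS_ERR_VALUE(addr)` instead of `addr > len`, so termination depends on the assignment at the bottom of the loop (`addr = skip_heap_stack_gap(vma, len)` in this file's `@@ -348,7 +352,7 @@` hunk) eventually producing an error-valued address once there is no room below the vma, and that contract is stated nowhere in the hunk. Suggest `/* loop ends when skip_heap_stack_gap() returns an error value: nothing fits below */` above the `while`. The new `if (mm->mmap_base < len)` guard before `addr = mm->mmap_base - len` replaces the underflow protection the old condition gave, which is sound, but the guard's body is not visible here and should return -ENOMEM. slice_find_area_topdown starts before and continues after this hunk.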
3008 @@ -336,7 +340,7 @@ static unsigned long slice_find_area_top
3009 * return with success:
3011 vma = find_vma(mm, addr);
3012 - if (!vma || (addr + len) <= vma->vm_start) {
3013 + if (check_heap_stack_gap(vma, addr, len)) {
3014 /* remember the address as a hint for next time */
3016 mm->free_area_cache = addr;
3017 @@ -348,7 +352,7 @@ static unsigned long slice_find_area_top
3018 mm->cached_hole_size = vma->vm_start - addr;
3020 /* try just below the current vma->vm_start */
3021 - addr = vma->vm_start;
3022 + addr = skip_heap_stack_gap(vma, len);
3026 @@ -426,6 +430,11 @@ unsigned long slice_get_unmapped_area(un
3027 if (fixed && addr > (mm->task_size - len))
3030 +#ifdef CONFIG_PAX_RANDMMAP
3031 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
3035 /* If hint, make sure it matches our alignment restrictions */
3036 if (!fixed && addr) {
3037 addr = _ALIGN_UP(addr, 1ul << pshift);
3038 diff -urNp linux-2.6.38.1/arch/powerpc/platforms/cell/iommu.c linux-2.6.38.1-new/arch/powerpc/platforms/cell/iommu.c
3039 --- linux-2.6.38.1/arch/powerpc/platforms/cell/iommu.c 2011-03-14 21:20:32.000000000 -0400
3040 +++ linux-2.6.38.1-new/arch/powerpc/platforms/cell/iommu.c 2011-03-21 18:31:35.000000000 -0400
3041 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3043 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3045 -struct dma_map_ops dma_iommu_fixed_ops = {
3046 +const struct dma_map_ops dma_iommu_fixed_ops = {
3047 .alloc_coherent = dma_fixed_alloc_coherent,
3048 .free_coherent = dma_fixed_free_coherent,
3049 .map_sg = dma_fixed_map_sg,
3050 diff -urNp linux-2.6.38.1/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.38.1-new/arch/powerpc/platforms/ps3/system-bus.c
3051 --- linux-2.6.38.1/arch/powerpc/platforms/ps3/system-bus.c 2011-03-14 21:20:32.000000000 -0400
3052 +++ linux-2.6.38.1-new/arch/powerpc/platforms/ps3/system-bus.c 2011-03-21 18:31:35.000000000 -0400
3053 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3054 return mask >= DMA_BIT_MASK(32);
3057 -static struct dma_map_ops ps3_sb_dma_ops = {
3058 +static const struct dma_map_ops ps3_sb_dma_ops = {
3059 .alloc_coherent = ps3_alloc_coherent,
3060 .free_coherent = ps3_free_coherent,
3061 .map_sg = ps3_sb_map_sg,
3062 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3063 .unmap_page = ps3_unmap_page,
3066 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3067 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3068 .alloc_coherent = ps3_alloc_coherent,
3069 .free_coherent = ps3_free_coherent,
3070 .map_sg = ps3_ioc0_map_sg,
3071 diff -urNp linux-2.6.38.1/arch/powerpc/sysdev/ppc4xx_cpm.c linux-2.6.38.1-new/arch/powerpc/sysdev/ppc4xx_cpm.c
3072 --- linux-2.6.38.1/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-03-14 21:20:32.000000000 -0400
3073 +++ linux-2.6.38.1-new/arch/powerpc/sysdev/ppc4xx_cpm.c 2011-03-21 18:31:35.000000000 -0400
3074 @@ -240,7 +240,7 @@ static int cpm_suspend_enter(suspend_sta
3078 -static struct platform_suspend_ops cpm_suspend_ops = {
3079 +static const struct platform_suspend_ops cpm_suspend_ops = {
3080 .valid = cpm_suspend_valid,
3081 .enter = cpm_suspend_enter,
3083 diff -urNp linux-2.6.38.1/arch/s390/include/asm/elf.h linux-2.6.38.1-new/arch/s390/include/asm/elf.h
3084 --- linux-2.6.38.1/arch/s390/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
3085 +++ linux-2.6.38.1-new/arch/s390/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
3086 @@ -162,8 +162,14 @@ extern unsigned int vdso_enabled;
3087 the loader. We need to make sure that it is out of the way of the program
3088 that it will "exec", and that there is sufficient room for the brk. */
3090 -extern unsigned long randomize_et_dyn(unsigned long base);
3091 -#define ELF_ET_DYN_BASE (randomize_et_dyn(STACK_TOP / 3 * 2))
3092 +#define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3094 +#ifdef CONFIG_PAX_ASLR
3095 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3097 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3098 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3101 /* This yields a mask that user programs can use to figure out what
3102 instruction set this CPU supports. */
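Review bot: With CONFIG_PAX_ASLR disabled, `ELF_ET_DYN_BASE` is now a fixed address: the hunk drops `randomize_et_dyn()` from the macro (its definition is deleted in this patch's arch/s390/kernel/process.c hunk, as are `arch_align_stack()` and `arch_randomize_brk()`), and the `#else` side adds nothing in its place; the arch/s390/include/asm/system.h hunk likewise reduces `arch_align_stack(x)` to `((x) & ~0xfUL)`, and the arch/powerpc/kernel/process.c hunk removes the same functions for powerpc. A kernel built with this patch but without PaX ASLR therefore has less userspace layout randomisation than vanilla 2.6.38.1; if that trade-off is intended, state it beside the define, e.g. `/* mainline ET_DYN/brk/stack randomisation removed; presumably replaced by PaX (PAX_ELF_ET_DYN_BASE, PAX_DELTA_*_LEN) when CONFIG_PAX_ASLR is set */`. Style: both `PAX_DELTA_*_LEN` lines carry a stray space in `26 )`.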
3103 @@ -222,7 +228,4 @@ struct linux_binprm;
3104 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
3105 int arch_setup_additional_pages(struct linux_binprm *, int);
3107 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
3108 -#define arch_randomize_brk arch_randomize_brk
3111 diff -urNp linux-2.6.38.1/arch/s390/include/asm/system.h linux-2.6.38.1-new/arch/s390/include/asm/system.h
3112 --- linux-2.6.38.1/arch/s390/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3113 +++ linux-2.6.38.1-new/arch/s390/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
3114 @@ -449,7 +449,7 @@ extern void (*_machine_restart)(char *co
3115 extern void (*_machine_halt)(void);
3116 extern void (*_machine_power_off)(void);
3118 -extern unsigned long arch_align_stack(unsigned long sp);
3119 +#define arch_align_stack(x) ((x) & ~0xfUL)
3121 static inline int tprot(unsigned long addr)
3123 diff -urNp linux-2.6.38.1/arch/s390/include/asm/uaccess.h linux-2.6.38.1-new/arch/s390/include/asm/uaccess.h
3124 --- linux-2.6.38.1/arch/s390/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
3125 +++ linux-2.6.38.1-new/arch/s390/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
3126 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3127 copy_to_user(void __user *to, const void *from, unsigned long n)
3134 if (access_ok(VERIFY_WRITE, to, n))
3135 n = __copy_to_user(to, from, n);
3137 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3138 static inline unsigned long __must_check
3139 __copy_from_user(void *to, const void __user *from, unsigned long n)
3144 if (__builtin_constant_p(n) && (n <= 256))
3145 return uaccess.copy_from_user_small(n, from, to);
3147 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3148 unsigned int sz = __compiletime_object_size(to);
3155 if (unlikely(sz != -1 && sz < n)) {
3156 copy_from_user_overflow();
3158 diff -urNp linux-2.6.38.1/arch/s390/Kconfig linux-2.6.38.1-new/arch/s390/Kconfig
3159 --- linux-2.6.38.1/arch/s390/Kconfig 2011-03-14 21:20:32.000000000 -0400
3160 +++ linux-2.6.38.1-new/arch/s390/Kconfig 2011-03-21 18:31:35.000000000 -0400
3161 @@ -233,11 +233,9 @@ config S390_EXEC_PROTECT
3162 prompt "Data execute protection"
3164 This option allows to enable a buffer overflow protection for user
3165 - space programs and it also selects the addressing mode option above.
3166 - The kernel parameter noexec=on will enable this feature and also
3167 - switch the addressing modes, default is disabled. Enabling this (via
3168 - kernel parameter) on machines earlier than IBM System z9 this will
3169 - reduce system performance.
3171 + Enabling this (via kernel parameter) on machines earlier than IBM
3172 + System z9 this will reduce system performance.
3174 comment "Code generation options"
3176 diff -urNp linux-2.6.38.1/arch/s390/kernel/module.c linux-2.6.38.1-new/arch/s390/kernel/module.c
3177 --- linux-2.6.38.1/arch/s390/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
3178 +++ linux-2.6.38.1-new/arch/s390/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
3179 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3181 /* Increase core size by size of got & plt and set start
3182 offsets for got and plt. */
3183 - me->core_size = ALIGN(me->core_size, 4);
3184 - me->arch.got_offset = me->core_size;
3185 - me->core_size += me->arch.got_size;
3186 - me->arch.plt_offset = me->core_size;
3187 - me->core_size += me->arch.plt_size;
3188 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3189 + me->arch.got_offset = me->core_size_rw;
3190 + me->core_size_rw += me->arch.got_size;
3191 + me->arch.plt_offset = me->core_size_rx;
3192 + me->core_size_rx += me->arch.plt_size;
3196 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3197 if (info->got_initialized == 0) {
3200 - gotent = me->module_core + me->arch.got_offset +
3201 + gotent = me->module_core_rw + me->arch.got_offset +
3204 info->got_initialized = 1;
3205 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3206 else if (r_type == R_390_GOTENT ||
3207 r_type == R_390_GOTPLTENT)
3208 *(unsigned int *) loc =
3209 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3210 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3211 else if (r_type == R_390_GOT64 ||
3212 r_type == R_390_GOTPLT64)
3213 *(unsigned long *) loc = val;
3214 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3215 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3216 if (info->plt_initialized == 0) {
3218 - ip = me->module_core + me->arch.plt_offset +
3219 + ip = me->module_core_rx + me->arch.plt_offset +
3221 #ifndef CONFIG_64BIT
3222 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3223 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3224 val - loc + 0xffffUL < 0x1ffffeUL) ||
3225 (r_type == R_390_PLT32DBL &&
3226 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3227 - val = (Elf_Addr) me->module_core +
3228 + val = (Elf_Addr) me->module_core_rx +
3229 me->arch.plt_offset +
3231 val += rela->r_addend - loc;
3232 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3233 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3234 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3235 val = val + rela->r_addend -
3236 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3237 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3238 if (r_type == R_390_GOTOFF16)
3239 *(unsigned short *) loc = val;
3240 else if (r_type == R_390_GOTOFF32)
3241 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3243 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3244 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3245 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3246 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3247 rela->r_addend - loc;
3248 if (r_type == R_390_GOTPC)
3249 *(unsigned int *) loc = val;
3250 diff -urNp linux-2.6.38.1/arch/s390/kernel/process.c linux-2.6.38.1-new/arch/s390/kernel/process.c
3251 --- linux-2.6.38.1/arch/s390/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3252 +++ linux-2.6.38.1-new/arch/s390/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
3253 @@ -334,39 +334,3 @@ unsigned long get_wchan(struct task_stru
3258 -unsigned long arch_align_stack(unsigned long sp)
3260 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
3261 - sp -= get_random_int() & ~PAGE_MASK;
3265 -static inline unsigned long brk_rnd(void)
3267 - /* 8MB for 32bit, 1GB for 64bit */
3268 - if (is_32bit_task())
3269 - return (get_random_int() & 0x7ffUL) << PAGE_SHIFT;
3271 - return (get_random_int() & 0x3ffffUL) << PAGE_SHIFT;
3274 -unsigned long arch_randomize_brk(struct mm_struct *mm)
3276 - unsigned long ret = PAGE_ALIGN(mm->brk + brk_rnd());
3278 - if (ret < mm->brk)
3283 -unsigned long randomize_et_dyn(unsigned long base)
3285 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
3287 - if (!(current->flags & PF_RANDOMIZE))
3293 diff -urNp linux-2.6.38.1/arch/s390/kernel/setup.c linux-2.6.38.1-new/arch/s390/kernel/setup.c
3294 --- linux-2.6.38.1/arch/s390/kernel/setup.c 2011-03-14 21:20:32.000000000 -0400
3295 +++ linux-2.6.38.1-new/arch/s390/kernel/setup.c 2011-03-21 18:31:35.000000000 -0400
3296 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3298 early_param("mem", early_parse_mem);
3300 -unsigned int user_mode = HOME_SPACE_MODE;
3301 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3302 EXPORT_SYMBOL_GPL(user_mode);
3304 static int set_amode_and_uaccess(unsigned long user_amode,
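Review bot: The default `user_mode` flips from `HOME_SPACE_MODE` to `SECONDARY_SPACE_MODE` while the two following hunks delete the `switch_amode` and `noexec` early parameters, yet the S390_EXEC_PROTECT help text in this patch's arch/s390/Kconfig hunk still says the feature is enabled "via kernel parameter". A boot line that still passes `noexec=on` or `switch_amode` is presumably ignored rather than rejected, so the change in behaviour is silent. Suggest a comment above the remaining parser, e.g. `/* switch_amode= and noexec= are no longer parsed; user_mode= is the only addressing-mode knob and SECONDARY_SPACE_MODE is the default */`, and the Kconfig wording updated to match (Documentation/kernel-parameters.txt too, if it still lists them).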
3305 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3310 - * Switch kernel/user addressing modes?
3312 -static int __init early_parse_switch_amode(char *p)
3314 - if (user_mode != SECONDARY_SPACE_MODE)
3315 - user_mode = PRIMARY_SPACE_MODE;
3318 -early_param("switch_amode", early_parse_switch_amode);
3320 static int __init early_parse_user_mode(char *p)
3322 if (p && strcmp(p, "primary") == 0)
3323 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3325 early_param("user_mode", early_parse_user_mode);
3327 -#ifdef CONFIG_S390_EXEC_PROTECT
3329 - * Enable execute protection?
3331 -static int __init early_parse_noexec(char *p)
3333 - if (!strncmp(p, "off", 3))
3335 - user_mode = SECONDARY_SPACE_MODE;
3338 -early_param("noexec", early_parse_noexec);
3339 -#endif /* CONFIG_S390_EXEC_PROTECT */
3341 static void setup_addressing_mode(void)
3343 if (user_mode == SECONDARY_SPACE_MODE) {
3344 diff -urNp linux-2.6.38.1/arch/s390/mm/maccess.c linux-2.6.38.1-new/arch/s390/mm/maccess.c
3345 --- linux-2.6.38.1/arch/s390/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
3346 +++ linux-2.6.38.1-new/arch/s390/mm/maccess.c 2011-03-21 18:31:35.000000000 -0400
3347 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3348 return rc ? rc : count;
3351 -long probe_kernel_write(void *dst, void *src, size_t size)
3352 +long probe_kernel_write(void *dst, const void *src, size_t size)
3356 diff -urNp linux-2.6.38.1/arch/s390/mm/mmap.c linux-2.6.38.1-new/arch/s390/mm/mmap.c
3357 --- linux-2.6.38.1/arch/s390/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3358 +++ linux-2.6.38.1-new/arch/s390/mm/mmap.c 2011-03-21 18:31:35.000000000 -0400
3359 @@ -91,10 +91,22 @@ void arch_pick_mmap_layout(struct mm_str
3361 if (mmap_is_legacy()) {
3362 mm->mmap_base = TASK_UNMAPPED_BASE;
3364 +#ifdef CONFIG_PAX_RANDMMAP
3365 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3366 + mm->mmap_base += mm->delta_mmap;
3369 mm->get_unmapped_area = arch_get_unmapped_area;
3370 mm->unmap_area = arch_unmap_area;
3372 mm->mmap_base = mmap_base();
3374 +#ifdef CONFIG_PAX_RANDMMAP
3375 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3376 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3379 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3380 mm->unmap_area = arch_unmap_area_topdown;
3382 @@ -166,10 +178,22 @@ void arch_pick_mmap_layout(struct mm_str
3384 if (mmap_is_legacy()) {
3385 mm->mmap_base = TASK_UNMAPPED_BASE;
3387 +#ifdef CONFIG_PAX_RANDMMAP
3388 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3389 + mm->mmap_base += mm->delta_mmap;
3392 mm->get_unmapped_area = s390_get_unmapped_area;
3393 mm->unmap_area = arch_unmap_area;
3395 mm->mmap_base = mmap_base();
3397 +#ifdef CONFIG_PAX_RANDMMAP
3398 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3399 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3402 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3403 mm->unmap_area = arch_unmap_area_topdown;
3405 diff -urNp linux-2.6.38.1/arch/score/include/asm/system.h linux-2.6.38.1-new/arch/score/include/asm/system.h
3406 --- linux-2.6.38.1/arch/score/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
3407 +++ linux-2.6.38.1-new/arch/score/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
3408 @@ -17,7 +17,7 @@ do { \
3409 #define finish_arch_switch(prev) do {} while (0)
3411 typedef void (*vi_handler_t)(void);
3412 -extern unsigned long arch_align_stack(unsigned long sp);
3413 +#define arch_align_stack(x) (x)
3415 #define mb() barrier()
3416 #define rmb() barrier()
3417 diff -urNp linux-2.6.38.1/arch/score/kernel/process.c linux-2.6.38.1-new/arch/score/kernel/process.c
3418 --- linux-2.6.38.1/arch/score/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
3419 +++ linux-2.6.38.1-new/arch/score/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
3420 @@ -161,8 +161,3 @@ unsigned long get_wchan(struct task_stru
3422 return task_pt_regs(task)->cp0_epc;
3425 -unsigned long arch_align_stack(unsigned long sp)
3429 diff -urNp linux-2.6.38.1/arch/sh/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/sh/include/asm/dma-mapping.h
3430 --- linux-2.6.38.1/arch/sh/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3431 +++ linux-2.6.38.1-new/arch/sh/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
3433 #ifndef __ASM_SH_DMA_MAPPING_H
3434 #define __ASM_SH_DMA_MAPPING_H
3436 -extern struct dma_map_ops *dma_ops;
3437 +extern const struct dma_map_ops *dma_ops;
3438 extern void no_iommu_init(void);
3440 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3441 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3445 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3447 static inline int dma_supported(struct device *dev, u64 mask)
3449 - struct dma_map_ops *ops = get_dma_ops(dev);
3450 + const struct dma_map_ops *ops = get_dma_ops(dev);
3452 if (ops->dma_supported)
3453 return ops->dma_supported(dev, mask);
3454 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3456 static inline int dma_set_mask(struct device *dev, u64 mask)
3458 - struct dma_map_ops *ops = get_dma_ops(dev);
3459 + const struct dma_map_ops *ops = get_dma_ops(dev);
3461 if (!dev->dma_mask || !dma_supported(dev, mask))
3463 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3465 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3467 - struct dma_map_ops *ops = get_dma_ops(dev);
3468 + const struct dma_map_ops *ops = get_dma_ops(dev);
3470 if (ops->mapping_error)
3471 return ops->mapping_error(dev, dma_addr);
3472 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3473 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3474 dma_addr_t *dma_handle, gfp_t gfp)
3476 - struct dma_map_ops *ops = get_dma_ops(dev);
3477 + const struct dma_map_ops *ops = get_dma_ops(dev);
3480 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3481 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3482 static inline void dma_free_coherent(struct device *dev, size_t size,
3483 void *vaddr, dma_addr_t dma_handle)
3485 - struct dma_map_ops *ops = get_dma_ops(dev);
3486 + const struct dma_map_ops *ops = get_dma_ops(dev);
3488 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3490 diff -urNp linux-2.6.38.1/arch/sh/kernel/dma-nommu.c linux-2.6.38.1-new/arch/sh/kernel/dma-nommu.c
3491 --- linux-2.6.38.1/arch/sh/kernel/dma-nommu.c 2011-03-14 21:20:32.000000000 -0400
3492 +++ linux-2.6.38.1-new/arch/sh/kernel/dma-nommu.c 2011-03-21 18:31:35.000000000 -0400
3493 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3497 -struct dma_map_ops nommu_dma_ops = {
3498 +const struct dma_map_ops nommu_dma_ops = {
3499 .alloc_coherent = dma_generic_alloc_coherent,
3500 .free_coherent = dma_generic_free_coherent,
3501 .map_page = nommu_map_page,
3502 diff -urNp linux-2.6.38.1/arch/sh/kernel/kgdb.c linux-2.6.38.1-new/arch/sh/kernel/kgdb.c
3503 --- linux-2.6.38.1/arch/sh/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
3504 +++ linux-2.6.38.1-new/arch/sh/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
3505 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3506 unregister_die_notifier(&kgdb_notifier);
3509 -struct kgdb_arch arch_kgdb_ops = {
3510 +const struct kgdb_arch arch_kgdb_ops = {
3511 /* Breakpoint instruction: trapa #0x3c */
3512 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3513 .gdb_bpt_instr = { 0x3c, 0xc3 },
3514 diff -urNp linux-2.6.38.1/arch/sh/mm/consistent.c linux-2.6.38.1-new/arch/sh/mm/consistent.c
3515 --- linux-2.6.38.1/arch/sh/mm/consistent.c 2011-03-14 21:20:32.000000000 -0400
3516 +++ linux-2.6.38.1-new/arch/sh/mm/consistent.c 2011-03-21 18:31:35.000000000 -0400
3519 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3521 -struct dma_map_ops *dma_ops;
3522 +const struct dma_map_ops *dma_ops;
3523 EXPORT_SYMBOL(dma_ops);
3525 static int __init dma_init(void)
3526 diff -urNp linux-2.6.38.1/arch/sh/mm/mmap.c linux-2.6.38.1-new/arch/sh/mm/mmap.c
3527 --- linux-2.6.38.1/arch/sh/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
3528 +++ linux-2.6.38.1-new/arch/sh/mm/mmap.c 2011-03-21 23:47:41.000000000 -0400
3529 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3530 addr = PAGE_ALIGN(addr);
3532 vma = find_vma(mm, addr);
3533 - if (TASK_SIZE - len >= addr &&
3534 - (!vma || addr + len <= vma->vm_start))
3535 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3539 @@ -106,7 +105,7 @@ full_search:
3543 - if (likely(!vma || addr + len <= vma->vm_start)) {
3544 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3546 * Remember the place where we stopped the search:
3548 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3549 addr = PAGE_ALIGN(addr);
3551 vma = find_vma(mm, addr);
3552 - if (TASK_SIZE - len >= addr &&
3553 - (!vma || addr + len <= vma->vm_start))
3554 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3558 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3559 /* make sure it can fit in the remaining address space */
3560 if (likely(addr > len)) {
3561 vma = find_vma(mm, addr-len);
3562 - if (!vma || addr <= vma->vm_start) {
3563 + if (check_heap_stack_gap(vma, addr - len, len)) {
3564 /* remember the address as a hint for next time */
3565 return (mm->free_area_cache = addr-len);
3567 @@ -188,18 +186,18 @@ arch_get_unmapped_area_topdown(struct fi
3568 if (unlikely(mm->mmap_base < len))
3571 - addr = mm->mmap_base-len;
3572 - if (do_colour_align)
3573 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3574 + addr = mm->mmap_base - len;
3577 + if (do_colour_align)
3578 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3580 * Lookup failure means no vma is above this address,
3581 * else if new region fits below vma->vm_start,
3582 * return with success:
3584 vma = find_vma(mm, addr);
3585 - if (likely(!vma || addr+len <= vma->vm_start)) {
3586 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3587 /* remember the address as a hint for next time */
3588 return (mm->free_area_cache = addr);
3590 @@ -209,10 +207,8 @@ arch_get_unmapped_area_topdown(struct fi
3591 mm->cached_hole_size = vma->vm_start - addr;
3593 /* try just below the current vma->vm_start */
3594 - addr = vma->vm_start-len;
3595 - if (do_colour_align)
3596 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
3597 - } while (likely(len < vma->vm_start));
3598 + addr = skip_heap_stack_gap(vma, len);
3599 + } while (!IS_ERR_VALUE(addr));
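Review bot: The rewritten tail of the top-down loop drops the `COLOUR_ALIGN_DOWN(addr, pgoff)` step that the removed lines 3595-3596 applied on every iteration, and `skip_heap_stack_gap(vma, len)` is passed no pgoff, so it cannot restore it; after the first pass a shared mapping can be placed at an address that is not colour-aligned, which the rest of the function takes care to avoid. Suggest keeping the alignment inside the loop: `addr = skip_heap_stack_gap(vma, len);` / `if (do_colour_align && !IS_ERR_VALUE(addr))` / `addr = COLOUR_ALIGN_DOWN(addr, pgoff);` ahead of the `} while (!IS_ERR_VALUE(addr));`. The same pattern appears in the sparc64 hunk @@ -288,10 +290,8 @@ of arch/sparc/kernel/sys_sparc_64.c (with `do_color_align`). arch_get_unmapped_area_topdown continues outside the hunk.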
3603 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/atomic_64.h linux-2.6.38.1-new/arch/sparc/include/asm/atomic_64.h
3604 --- linux-2.6.38.1/arch/sparc/include/asm/atomic_64.h 2011-03-14 21:20:32.000000000 -0400
3605 +++ linux-2.6.38.1-new/arch/sparc/include/asm/atomic_64.h 2011-03-21 18:31:35.000000000 -0400
3607 #define ATOMIC64_INIT(i) { (i) }
3609 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3610 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3612 + return v->counter;
3614 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3615 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3617 + return v->counter;
3620 #define atomic_set(v, i) (((v)->counter) = i)
3621 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3625 #define atomic64_set(v, i) (((v)->counter) = i)
3626 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3631 extern void atomic_add(int, atomic_t *);
3632 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3633 extern void atomic64_add(long, atomic64_t *);
3634 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3635 extern void atomic_sub(int, atomic_t *);
3636 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3637 extern void atomic64_sub(long, atomic64_t *);
3638 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3640 extern int atomic_add_ret(int, atomic_t *);
3641 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3642 extern long atomic64_add_ret(long, atomic64_t *);
3643 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3644 extern int atomic_sub_ret(int, atomic_t *);
3645 extern long atomic64_sub_ret(long, atomic64_t *);
3647 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3648 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3650 #define atomic_inc_return(v) atomic_add_ret(1, v)
3651 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3653 + return atomic_add_ret_unchecked(1, v);
3655 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3656 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3658 + return atomic64_add_ret_unchecked(1, v);
3661 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3662 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3664 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3665 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3667 + return atomic_add_ret_unchecked(i, v);
3669 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3672 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3673 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3675 #define atomic_inc(v) atomic_add(1, v)
3676 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3678 + atomic_add_unchecked(1, v);
3680 #define atomic64_inc(v) atomic64_add(1, v)
3681 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3683 + atomic64_add_unchecked(1, v);
3686 #define atomic_dec(v) atomic_sub(1, v)
3687 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3689 + atomic_sub_unchecked(1, v);
3691 #define atomic64_dec(v) atomic64_sub(1, v)
3692 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3694 + atomic64_sub_unchecked(1, v);
3697 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3698 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3699 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3701 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3707 - if (unlikely(c == (u)))
3708 + if (unlikely(c == u))
3710 - old = atomic_cmpxchg((v), c, c + (a));
3712 + asm volatile("addcc %2, %0, %0\n"
3714 +#ifdef CONFIG_PAX_REFCOUNT
3719 + : "0" (c), "ir" (a)
3722 + old = atomic_cmpxchg(v, c, new);
3723 if (likely(old == c))
3731 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
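Review bot: The inline `asm volatile("addcc %2, %0, %0\n"` that now produces `new` for `atomic_cmpxchg(v, c, new)` replaces the self-explanatory `c + (a)` without a comment, and the `#ifdef CONFIG_PAX_REFCOUNT` block inside it (lines 3714-3718, mostly elided here) is presumably where the condition codes set by `addcc` are acted on. A one-line comment above the asm, `/* new = c + a, done in asm so CONFIG_PAX_REFCOUNT can act on the addcc condition codes */`, would tell the next reader why plain C arithmetic was not used. The same applies to atomic64_add_unless in the following hunk.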
3732 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3734 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3738 c = atomic64_read(v);
3740 - if (unlikely(c == (u)))
3741 + if (unlikely(c == u))
3743 - old = atomic64_cmpxchg((v), c, c + (a));
3745 + asm volatile("addcc %2, %0, %0\n"
3747 +#ifdef CONFIG_PAX_REFCOUNT
3752 + : "0" (c), "ir" (a)
3755 + old = atomic64_cmpxchg(v, c, new);
3756 if (likely(old == c))
3764 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3765 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/sparc/include/asm/dma-mapping.h
3766 --- linux-2.6.38.1/arch/sparc/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
3767 +++ linux-2.6.38.1-new/arch/sparc/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
3768 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3769 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3770 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3772 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3773 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3774 extern struct bus_type pci_bus_type;
3776 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3777 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3779 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3780 if (dev->bus == &pci_bus_type)
3781 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3782 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3783 dma_addr_t *dma_handle, gfp_t flag)
3785 - struct dma_map_ops *ops = get_dma_ops(dev);
3786 + const struct dma_map_ops *ops = get_dma_ops(dev);
3789 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3790 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3791 static inline void dma_free_coherent(struct device *dev, size_t size,
3792 void *cpu_addr, dma_addr_t dma_handle)
3794 - struct dma_map_ops *ops = get_dma_ops(dev);
3795 + const struct dma_map_ops *ops = get_dma_ops(dev);
3797 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3798 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3799 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/elf_32.h linux-2.6.38.1-new/arch/sparc/include/asm/elf_32.h
3800 --- linux-2.6.38.1/arch/sparc/include/asm/elf_32.h 2011-03-14 21:20:32.000000000 -0400
3801 +++ linux-2.6.38.1-new/arch/sparc/include/asm/elf_32.h 2011-03-21 18:31:35.000000000 -0400
3802 @@ -114,6 +114,13 @@ typedef struct {
3804 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3806 +#ifdef CONFIG_PAX_ASLR
3807 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3809 +#define PAX_DELTA_MMAP_LEN 16
3810 +#define PAX_DELTA_STACK_LEN 16
3813 /* This yields a mask that user programs can use to figure out what
3814 instruction set this cpu supports. This can NOT be done in userspace
3816 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/elf_64.h linux-2.6.38.1-new/arch/sparc/include/asm/elf_64.h
3817 --- linux-2.6.38.1/arch/sparc/include/asm/elf_64.h 2011-03-14 21:20:32.000000000 -0400
3818 +++ linux-2.6.38.1-new/arch/sparc/include/asm/elf_64.h 2011-03-21 18:31:35.000000000 -0400
3819 @@ -162,6 +162,12 @@ typedef struct {
3820 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3821 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3823 +#ifdef CONFIG_PAX_ASLR
3824 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3826 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3827 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3830 /* This yields a mask that user programs can use to figure out what
3831 instruction set this cpu supports. */
3832 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/pgtable_32.h linux-2.6.38.1-new/arch/sparc/include/asm/pgtable_32.h
3833 --- linux-2.6.38.1/arch/sparc/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
3834 +++ linux-2.6.38.1-new/arch/sparc/include/asm/pgtable_32.h 2011-03-21 18:31:35.000000000 -0400
3835 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3836 BTFIXUPDEF_INT(page_none)
3837 BTFIXUPDEF_INT(page_copy)
3838 BTFIXUPDEF_INT(page_readonly)
3840 +#ifdef CONFIG_PAX_PAGEEXEC
3841 +BTFIXUPDEF_INT(page_shared_noexec)
3842 +BTFIXUPDEF_INT(page_copy_noexec)
3843 +BTFIXUPDEF_INT(page_readonly_noexec)
3846 BTFIXUPDEF_INT(page_kernel)
3848 #define PMD_SHIFT SUN4C_PMD_SHIFT
3849 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3850 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3851 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3853 +#ifdef CONFIG_PAX_PAGEEXEC
3854 +extern pgprot_t PAGE_SHARED_NOEXEC;
3855 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3856 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3858 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3859 +# define PAGE_COPY_NOEXEC PAGE_COPY
3860 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3863 extern unsigned long page_kernel;
3866 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.38.1-new/arch/sparc/include/asm/pgtsrmmu.h
3867 --- linux-2.6.38.1/arch/sparc/include/asm/pgtsrmmu.h 2011-03-14 21:20:32.000000000 -0400
3868 +++ linux-2.6.38.1-new/arch/sparc/include/asm/pgtsrmmu.h 2011-03-21 18:31:35.000000000 -0400
3869 @@ -115,6 +115,13 @@
3870 SRMMU_EXEC | SRMMU_REF)
3871 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3872 SRMMU_EXEC | SRMMU_REF)
3874 +#ifdef CONFIG_PAX_PAGEEXEC
3875 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3876 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3877 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3880 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3881 SRMMU_DIRTY | SRMMU_REF)
3883 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/spinlock_64.h linux-2.6.38.1-new/arch/sparc/include/asm/spinlock_64.h
3884 --- linux-2.6.38.1/arch/sparc/include/asm/spinlock_64.h 2011-03-14 21:20:32.000000000 -0400
3885 +++ linux-2.6.38.1-new/arch/sparc/include/asm/spinlock_64.h 2011-03-21 18:31:35.000000000 -0400
3886 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3887 __asm__ __volatile__ (
3888 "1: ldsw [%2], %0\n"
3890 -"4: add %0, 1, %1\n"
3891 +"4: addcc %0, 1, %1\n"
3893 +#ifdef CONFIG_PAX_REFCOUNT
3897 " cas [%2], %0, %1\n"
3899 " bne,pn %%icc, 1b\n"
3900 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3902 : "=&r" (tmp1), "=&r" (tmp2)
3905 + : "memory", "cc");
3908 static int inline arch_read_trylock(arch_rwlock_t *lock)
3909 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3910 "1: ldsw [%2], %0\n"
3911 " brlz,a,pn %0, 2f\n"
3914 +" addcc %0, 1, %1\n"
3916 +#ifdef CONFIG_PAX_REFCOUNT
3920 " cas [%2], %0, %1\n"
3922 " bne,pn %%icc, 1b\n"
3923 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3925 __asm__ __volatile__(
3926 "1: lduw [%2], %0\n"
3928 +" subcc %0, 1, %1\n"
3930 +#ifdef CONFIG_PAX_REFCOUNT
3934 " cas [%2], %0, %1\n"
3936 " bne,pn %%xcc, 1b\n"
3937 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/uaccess_32.h linux-2.6.38.1-new/arch/sparc/include/asm/uaccess_32.h
3938 --- linux-2.6.38.1/arch/sparc/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
3939 +++ linux-2.6.38.1-new/arch/sparc/include/asm/uaccess_32.h 2011-03-21 18:31:35.000000000 -0400
3940 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3942 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3944 - if (n && __access_ok((unsigned long) to, n))
3948 + if (n && __access_ok((unsigned long) to, n)) {
3949 + if (!__builtin_constant_p(n))
3950 + check_object_size(from, n, true);
3951 return __copy_user(to, (__force void __user *) from, n);
3957 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3962 + if (!__builtin_constant_p(n))
3963 + check_object_size(from, n, true);
3965 return __copy_user(to, (__force void __user *) from, n);
3968 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3970 - if (n && __access_ok((unsigned long) from, n))
3974 + if (n && __access_ok((unsigned long) from, n)) {
3975 + if (!__builtin_constant_p(n))
3976 + check_object_size(to, n, false);
3977 return __copy_user((__force void __user *) to, from, n);
3983 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3988 return __copy_user((__force void __user *) to, from, n);
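Review bot: `__copy_from_user` (lines 3983-3988) is the only one of the four copy helpers in this hunk with no `check_object_size()` call visible between its signature and the `__copy_user()` return, whereas `__copy_to_user` at lines 3962-3963 gets `check_object_size(from, n, true)` and `copy_from_user` at lines 3975-3976 gets `check_object_size(to, n, false)`. If the elided lines do not add it, the sparc32 `__copy_from_user` path is left without the object-size check the other three paths now enforce; suggest adding `if (!__builtin_constant_p(n))` / `check_object_size(to, n, false);` before the return, mirroring `copy_from_user`.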
3991 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/uaccess_64.h linux-2.6.38.1-new/arch/sparc/include/asm/uaccess_64.h
3992 --- linux-2.6.38.1/arch/sparc/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
3993 +++ linux-2.6.38.1-new/arch/sparc/include/asm/uaccess_64.h 2011-03-21 18:31:35.000000000 -0400
3995 #include <linux/compiler.h>
3996 #include <linux/string.h>
3997 #include <linux/thread_info.h>
3998 +#include <linux/kernel.h>
3999 #include <asm/asi.h>
4000 #include <asm/system.h>
4001 #include <asm/spitfire.h>
4002 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
4003 static inline unsigned long __must_check
4004 copy_from_user(void *to, const void __user *from, unsigned long size)
4006 - unsigned long ret = ___copy_from_user(to, from, size);
4007 + unsigned long ret;
4009 + if ((long)size < 0 || size > INT_MAX)
4012 + if (!__builtin_constant_p(size))
4013 + check_object_size(to, size, false);
4015 + ret = ___copy_from_user(to, from, size);
4017 ret = copy_from_user_fixup(to, from, size);
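Review bot: In the new guard `if ((long)size < 0 || size > INT_MAX)` the first test is subsumed by the second: `size` is an `unsigned long`, and on sparc64 any value with the sign bit set is already greater than INT_MAX, so `if (size > INT_MAX)` expresses the same condition without the cast. If the intent is to call out "negative" lengths explicitly, a comment such as `/* reject bogus lengths (negative or > INT_MAX) before touching user memory */` carries that better than the redundant term. The body of the rejected branch (lines 4010-4011) is not visible here, so what it returns cannot be checked. The same guard appears in copy_to_user at @@ -230,8 +238,15 @@ below.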
4019 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
4020 static inline unsigned long __must_check
4021 copy_to_user(void __user *to, const void *from, unsigned long size)
4023 - unsigned long ret = ___copy_to_user(to, from, size);
4024 + unsigned long ret;
4026 + if ((long)size < 0 || size > INT_MAX)
4029 + if (!__builtin_constant_p(size))
4030 + check_object_size(from, size, true);
4032 + ret = ___copy_to_user(to, from, size);
4034 ret = copy_to_user_fixup(to, from, size);
4036 diff -urNp linux-2.6.38.1/arch/sparc/include/asm/uaccess.h linux-2.6.38.1-new/arch/sparc/include/asm/uaccess.h
4037 --- linux-2.6.38.1/arch/sparc/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
4038 +++ linux-2.6.38.1-new/arch/sparc/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
4040 #ifndef ___ASM_SPARC_UACCESS_H
4041 #define ___ASM_SPARC_UACCESS_H
4044 +#ifndef __ASSEMBLY__
4045 +#include <linux/types.h>
4046 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
4050 #if defined(__sparc__) && defined(__arch64__)
4051 #include <asm/uaccess_64.h>
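Review bot: The new prototype `extern void check_object_size(const void *ptr, unsigned long n, bool to);` does not document the meaning of `to`; from the callers in uaccess_32.h and uaccess_64.h it is `true` when `ptr` is the kernel source of a copy to user space and `false` when `ptr` is the kernel destination of a copy from user space. Suggest a comment above the declaration, e.g. `/* to: true when ptr is the kernel source of a copy to user space, false when it is the kernel destination of a copy from user space. */`. What the function checks is not part of this hunk and is best documented at its definition.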
4053 diff -urNp linux-2.6.38.1/arch/sparc/kernel/iommu.c linux-2.6.38.1-new/arch/sparc/kernel/iommu.c
4054 --- linux-2.6.38.1/arch/sparc/kernel/iommu.c 2011-03-14 21:20:32.000000000 -0400
4055 +++ linux-2.6.38.1-new/arch/sparc/kernel/iommu.c 2011-03-21 18:31:35.000000000 -0400
4056 @@ -827,7 +827,7 @@ static void dma_4u_sync_sg_for_cpu(struc
4057 spin_unlock_irqrestore(&iommu->lock, flags);
4060 -static struct dma_map_ops sun4u_dma_ops = {
4061 +static const struct dma_map_ops sun4u_dma_ops = {
4062 .alloc_coherent = dma_4u_alloc_coherent,
4063 .free_coherent = dma_4u_free_coherent,
4064 .map_page = dma_4u_map_page,
4065 @@ -838,7 +838,7 @@ static struct dma_map_ops sun4u_dma_ops
4066 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
4069 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4070 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
4071 EXPORT_SYMBOL(dma_ops);
4073 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
4074 diff -urNp linux-2.6.38.1/arch/sparc/kernel/ioport.c linux-2.6.38.1-new/arch/sparc/kernel/ioport.c
4075 --- linux-2.6.38.1/arch/sparc/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
4076 +++ linux-2.6.38.1-new/arch/sparc/kernel/ioport.c 2011-03-21 18:31:35.000000000 -0400
4077 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
4081 -struct dma_map_ops sbus_dma_ops = {
4082 +const struct dma_map_ops sbus_dma_ops = {
4083 .alloc_coherent = sbus_alloc_coherent,
4084 .free_coherent = sbus_free_coherent,
4085 .map_page = sbus_map_page,
4086 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
4087 .sync_sg_for_device = sbus_sync_sg_for_device,
4090 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4091 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4092 EXPORT_SYMBOL(dma_ops);
4094 static int __init sparc_register_ioport(void)
4095 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4099 -struct dma_map_ops pci32_dma_ops = {
4100 +const struct dma_map_ops pci32_dma_ops = {
4101 .alloc_coherent = pci32_alloc_coherent,
4102 .free_coherent = pci32_free_coherent,
4103 .map_page = pci32_map_page,
4104 diff -urNp linux-2.6.38.1/arch/sparc/kernel/kgdb_32.c linux-2.6.38.1-new/arch/sparc/kernel/kgdb_32.c
4105 --- linux-2.6.38.1/arch/sparc/kernel/kgdb_32.c 2011-03-14 21:20:32.000000000 -0400
4106 +++ linux-2.6.38.1-new/arch/sparc/kernel/kgdb_32.c 2011-03-21 18:31:35.000000000 -0400
4107 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4108 regs->npc = regs->pc + 4;
4111 -struct kgdb_arch arch_kgdb_ops = {
4112 +const struct kgdb_arch arch_kgdb_ops = {
4113 /* Breakpoint instruction: ta 0x7d */
4114 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4116 diff -urNp linux-2.6.38.1/arch/sparc/kernel/kgdb_64.c linux-2.6.38.1-new/arch/sparc/kernel/kgdb_64.c
4117 --- linux-2.6.38.1/arch/sparc/kernel/kgdb_64.c 2011-03-14 21:20:32.000000000 -0400
4118 +++ linux-2.6.38.1-new/arch/sparc/kernel/kgdb_64.c 2011-03-21 18:31:35.000000000 -0400
4119 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4120 regs->tnpc = regs->tpc + 4;
4123 -struct kgdb_arch arch_kgdb_ops = {
4124 +const struct kgdb_arch arch_kgdb_ops = {
4125 /* Breakpoint instruction: ta 0x72 */
4126 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4128 diff -urNp linux-2.6.38.1/arch/sparc/kernel/Makefile linux-2.6.38.1-new/arch/sparc/kernel/Makefile
4129 --- linux-2.6.38.1/arch/sparc/kernel/Makefile 2011-03-14 21:20:32.000000000 -0400
4130 +++ linux-2.6.38.1-new/arch/sparc/kernel/Makefile 2011-03-21 18:31:35.000000000 -0400
4135 -ccflags-y := -Werror
4136 +#ccflags-y := -Werror
4138 extra-y := head_$(BITS).o
4139 extra-y += init_task.o
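Review bot: Commenting out `ccflags-y := -Werror` for the whole of arch/sparc/kernel removes a build-time gate rather than fixing whatever warning this series introduces, and it does so silently for every future change in the directory. If a specific warning is the reason (the `const struct dma_map_ops` changes elsewhere in the patch are a plausible candidate), prefer fixing it or, failing that, leave the line disabled with a comment naming the cause, e.g. `# -Werror disabled: <WARNING> from <FILE>` with the real diagnostic and file filled in.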
4140 diff -urNp linux-2.6.38.1/arch/sparc/kernel/pci_sun4v.c linux-2.6.38.1-new/arch/sparc/kernel/pci_sun4v.c
4141 --- linux-2.6.38.1/arch/sparc/kernel/pci_sun4v.c 2011-03-14 21:20:32.000000000 -0400
4142 +++ linux-2.6.38.1-new/arch/sparc/kernel/pci_sun4v.c 2011-03-21 18:31:35.000000000 -0400
4143 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4144 spin_unlock_irqrestore(&iommu->lock, flags);
4147 -static struct dma_map_ops sun4v_dma_ops = {
4148 +static const struct dma_map_ops sun4v_dma_ops = {
4149 .alloc_coherent = dma_4v_alloc_coherent,
4150 .free_coherent = dma_4v_free_coherent,
4151 .map_page = dma_4v_map_page,
4152 diff -urNp linux-2.6.38.1/arch/sparc/kernel/process_32.c linux-2.6.38.1-new/arch/sparc/kernel/process_32.c
4153 --- linux-2.6.38.1/arch/sparc/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
4154 +++ linux-2.6.38.1-new/arch/sparc/kernel/process_32.c 2011-03-21 18:31:35.000000000 -0400
4155 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4156 rw->ins[4], rw->ins[5],
4159 - printk("%pS\n", (void *) rw->ins[7]);
4160 + printk("%pA\n", (void *) rw->ins[7]);
4161 rw = (struct reg_window32 *) rw->ins[6];
4163 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
4164 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4166 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4167 r->psr, r->pc, r->npc, r->y, print_tainted());
4168 - printk("PC: <%pS>\n", (void *) r->pc);
4169 + printk("PC: <%pA>\n", (void *) r->pc);
4170 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4171 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4172 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4173 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4174 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4175 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4176 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4177 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4179 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4180 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4181 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4182 rw = (struct reg_window32 *) fp;
4184 printk("[%08lx : ", pc);
4185 - printk("%pS ] ", (void *) pc);
4186 + printk("%pA ] ", (void *) pc);
4188 } while (++count < 16);
4190 diff -urNp linux-2.6.38.1/arch/sparc/kernel/process_64.c linux-2.6.38.1-new/arch/sparc/kernel/process_64.c
4191 --- linux-2.6.38.1/arch/sparc/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
4192 +++ linux-2.6.38.1-new/arch/sparc/kernel/process_64.c 2011-03-21 18:31:35.000000000 -0400
4193 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4194 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4195 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4196 if (regs->tstate & TSTATE_PRIV)
4197 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4198 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4201 void show_regs(struct pt_regs *regs)
4203 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4204 regs->tpc, regs->tnpc, regs->y, print_tainted());
4205 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4206 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4207 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4208 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4210 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4211 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4212 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4214 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4215 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4216 show_regwindow(regs);
4217 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4219 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4220 ((tp && tp->task) ? tp->task->pid : -1));
4222 if (gp->tstate & TSTATE_PRIV) {
4223 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4224 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4228 diff -urNp linux-2.6.38.1/arch/sparc/kernel/sys_sparc_32.c linux-2.6.38.1-new/arch/sparc/kernel/sys_sparc_32.c
4229 --- linux-2.6.38.1/arch/sparc/kernel/sys_sparc_32.c 2011-03-14 21:20:32.000000000 -0400
4230 +++ linux-2.6.38.1-new/arch/sparc/kernel/sys_sparc_32.c 2011-03-21 18:31:35.000000000 -0400
4231 @@ -56,7 +56,7 @@ unsigned long arch_get_unmapped_area(str
4232 if (ARCH_SUN4C && len > 0x20000000)
4235 - addr = TASK_UNMAPPED_BASE;
4236 + addr = current->mm->mmap_base;
4238 if (flags & MAP_SHARED)
4239 addr = COLOUR_ALIGN(addr);
4240 @@ -71,7 +71,7 @@ unsigned long arch_get_unmapped_area(str
4242 if (TASK_SIZE - PAGE_SIZE - len < addr)
4244 - if (!vmm || addr + len <= vmm->vm_start)
4245 + if (check_heap_stack_gap(vmm, addr, len))
4248 if (flags & MAP_SHARED)
4249 diff -urNp linux-2.6.38.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.38.1-new/arch/sparc/kernel/sys_sparc_64.c
4250 --- linux-2.6.38.1/arch/sparc/kernel/sys_sparc_64.c 2011-03-14 21:20:32.000000000 -0400
4251 +++ linux-2.6.38.1-new/arch/sparc/kernel/sys_sparc_64.c 2011-03-21 23:47:41.000000000 -0400
4252 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4253 /* We do not accept a shared mapping if it would violate
4254 * cache aliasing constraints.
4256 - if ((flags & MAP_SHARED) &&
4257 + if ((filp || (flags & MAP_SHARED)) &&
4258 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
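Review bot: The comment at lines 4253-4254 still says "We do not accept a shared mapping", but the condition below it now also fires for any file-backed mapping (`filp ||`), so a MAP_PRIVATE file mapping at an address that is not SHMLBA-aligned is rejected where it was previously accepted. The comment should say so, e.g. `/* We do not accept a shared or file-backed mapping if it would violate cache aliasing constraints. */`, and the user-visible change for callers deserves a sentence in the commit description. The enclosing `if` (presumably the MAP_FIXED branch) and the return value are outside the visible lines. The same change is made in arch_get_unmapped_area_topdown at @@ -215,7 +218,7 @@.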
4261 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4262 if (filp || (flags & MAP_SHARED))
4265 +#ifdef CONFIG_PAX_RANDMMAP
4266 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4271 addr = COLOUR_ALIGN(addr, pgoff);
4272 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4273 addr = PAGE_ALIGN(addr);
4275 vma = find_vma(mm, addr);
4276 - if (task_size - len >= addr &&
4277 - (!vma || addr + len <= vma->vm_start))
4278 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4282 if (len > mm->cached_hole_size) {
4283 - start_addr = addr = mm->free_area_cache;
4284 + start_addr = addr = mm->free_area_cache;
4286 - start_addr = addr = TASK_UNMAPPED_BASE;
4287 + start_addr = addr = mm->mmap_base;
4288 mm->cached_hole_size = 0;
4291 @@ -174,14 +177,14 @@ full_search:
4292 vma = find_vma(mm, VA_EXCLUDE_END);
4294 if (unlikely(task_size < addr)) {
4295 - if (start_addr != TASK_UNMAPPED_BASE) {
4296 - start_addr = addr = TASK_UNMAPPED_BASE;
4297 + if (start_addr != mm->mmap_base) {
4298 + start_addr = addr = mm->mmap_base;
4299 mm->cached_hole_size = 0;
4304 - if (likely(!vma || addr + len <= vma->vm_start)) {
4305 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4307 * Remember the place where we stopped the search:
4309 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4310 /* We do not accept a shared mapping if it would violate
4311 * cache aliasing constraints.
4313 - if ((flags & MAP_SHARED) &&
4314 + if ((filp || (flags & MAP_SHARED)) &&
4315 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4318 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4319 addr = PAGE_ALIGN(addr);
4321 vma = find_vma(mm, addr);
4322 - if (task_size - len >= addr &&
4323 - (!vma || addr + len <= vma->vm_start))
4324 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4328 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4329 /* make sure it can fit in the remaining address space */
4330 if (likely(addr > len)) {
4331 vma = find_vma(mm, addr-len);
4332 - if (!vma || addr <= vma->vm_start) {
4333 + if (check_heap_stack_gap(vma, addr - len, len)) {
4334 /* remember the address as a hint for next time */
4335 return (mm->free_area_cache = addr-len);
4337 @@ -267,18 +269,18 @@ arch_get_unmapped_area_topdown(struct fi
4338 if (unlikely(mm->mmap_base < len))
4341 - addr = mm->mmap_base-len;
4342 - if (do_color_align)
4343 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4344 + addr = mm->mmap_base - len;
4347 + if (do_color_align)
4348 + addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4350 * Lookup failure means no vma is above this address,
4351 * else if new region fits below vma->vm_start,
4352 * return with success:
4354 vma = find_vma(mm, addr);
4355 - if (likely(!vma || addr+len <= vma->vm_start)) {
4356 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4357 /* remember the address as a hint for next time */
4358 return (mm->free_area_cache = addr);
4360 @@ -288,10 +290,8 @@ arch_get_unmapped_area_topdown(struct fi
4361 mm->cached_hole_size = vma->vm_start - addr;
4363 /* try just below the current vma->vm_start */
4364 - addr = vma->vm_start-len;
4365 - if (do_color_align)
4366 - addr = COLOUR_ALIGN_DOWN(addr, pgoff);
4367 - } while (likely(len < vma->vm_start));
4368 + addr = skip_heap_stack_gap(vma, len);
4369 + } while (!IS_ERR_VALUE(addr));
4373 @@ -385,6 +385,12 @@ void arch_pick_mmap_layout(struct mm_str
4374 gap == RLIM_INFINITY ||
4375 sysctl_legacy_va_layout) {
4376 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4378 +#ifdef CONFIG_PAX_RANDMMAP
4379 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4380 + mm->mmap_base += mm->delta_mmap;
4383 mm->get_unmapped_area = arch_get_unmapped_area;
4384 mm->unmap_area = arch_unmap_area;
4386 @@ -397,6 +403,12 @@ void arch_pick_mmap_layout(struct mm_str
4387 gap = (task_size / 6 * 5);
4389 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4391 +#ifdef CONFIG_PAX_RANDMMAP
4392 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4393 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4396 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4397 mm->unmap_area = arch_unmap_area_topdown;
4399 diff -urNp linux-2.6.38.1/arch/sparc/kernel/traps_32.c linux-2.6.38.1-new/arch/sparc/kernel/traps_32.c
4400 --- linux-2.6.38.1/arch/sparc/kernel/traps_32.c 2011-03-14 21:20:32.000000000 -0400
4401 +++ linux-2.6.38.1-new/arch/sparc/kernel/traps_32.c 2011-03-21 18:31:35.000000000 -0400
4402 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4404 (((unsigned long) rw) >= PAGE_OFFSET) &&
4405 !(((unsigned long) rw) & 0x7)) {
4406 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4407 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4408 (void *) rw->ins[7]);
4409 rw = (struct reg_window32 *)rw->ins[6];
4411 diff -urNp linux-2.6.38.1/arch/sparc/kernel/traps_64.c linux-2.6.38.1-new/arch/sparc/kernel/traps_64.c
4412 --- linux-2.6.38.1/arch/sparc/kernel/traps_64.c 2011-03-14 21:20:32.000000000 -0400
4413 +++ linux-2.6.38.1-new/arch/sparc/kernel/traps_64.c 2011-03-21 18:31:35.000000000 -0400
4414 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4416 p->trapstack[i].tstate, p->trapstack[i].tpc,
4417 p->trapstack[i].tnpc, p->trapstack[i].tt);
4418 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4419 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4423 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4426 if (regs->tstate & TSTATE_PRIV) {
4428 +#ifdef CONFIG_PAX_REFCOUNT
4430 + pax_report_refcount_overflow(regs);
4433 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4434 die_if_kernel(buffer, regs);
4436 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4437 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4442 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4443 0, lvl, SIGTRAP) == NOTIFY_STOP)
4446 +#ifdef CONFIG_PAX_REFCOUNT
4448 + pax_report_refcount_overflow(regs);
4451 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4453 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4454 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4455 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4456 printk("%s" "ERROR(%d): ",
4457 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4458 - printk("TPC<%pS>\n", (void *) regs->tpc);
4459 + printk("TPC<%pA>\n", (void *) regs->tpc);
4460 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4461 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4462 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4463 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4465 (type & 0x1) ? 'I' : 'D',
4467 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4468 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4469 panic("Irrecoverable Cheetah+ parity error.");
4472 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4474 (type & 0x1) ? 'I' : 'D',
4476 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4477 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4480 struct sun4v_error_entry {
4481 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4483 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4485 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4486 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4487 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4488 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4489 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4490 (void *) regs->u_regs[UREG_I7]);
4491 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4492 "pte[%lx] error[%lx]\n",
4493 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4495 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4497 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4498 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4499 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4500 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4501 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4502 (void *) regs->u_regs[UREG_I7]);
4503 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4504 "pte[%lx] error[%lx]\n",
4505 @@ -2196,13 +2207,13 @@ void show_stack(struct task_struct *tsk,
4506 fp = (unsigned long)sf->fp + STACK_BIAS;
4509 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4510 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4511 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4512 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4513 int index = tsk->curr_ret_stack;
4514 if (tsk->ret_stack && index >= graph) {
4515 pc = tsk->ret_stack[index - graph].ret;
4516 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4517 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4521 @@ -2255,7 +2266,7 @@ void die_if_kernel(char *str, struct pt_
4524 kstack_valid(tp, (unsigned long) rw)) {
4525 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4526 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4527 (void *) rw->ins[7]);
4529 rw = kernel_stack_up(rw);
4530 diff -urNp linux-2.6.38.1/arch/sparc/kernel/unaligned_64.c linux-2.6.38.1-new/arch/sparc/kernel/unaligned_64.c
4531 --- linux-2.6.38.1/arch/sparc/kernel/unaligned_64.c 2011-03-14 21:20:32.000000000 -0400
4532 +++ linux-2.6.38.1-new/arch/sparc/kernel/unaligned_64.c 2011-03-21 18:31:35.000000000 -0400
4533 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4534 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4536 if (__ratelimit(&ratelimit)) {
4537 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4538 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4539 regs->tpc, (void *) regs->tpc);
4542 diff -urNp linux-2.6.38.1/arch/sparc/lib/atomic_64.S linux-2.6.38.1-new/arch/sparc/lib/atomic_64.S
4543 --- linux-2.6.38.1/arch/sparc/lib/atomic_64.S 2011-03-14 21:20:32.000000000 -0400
4544 +++ linux-2.6.38.1-new/arch/sparc/lib/atomic_64.S 2011-03-21 18:31:35.000000000 -0400
4546 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4550 + addcc %g1, %o0, %g7
4552 +#ifdef CONFIG_PAX_REFCOUNT
4558 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4559 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4560 2: BACKOFF_SPIN(%o2, %o3, 1b)
4561 .size atomic_add, .-atomic_add
4563 + .globl atomic_add_unchecked
4564 + .type atomic_add_unchecked,#function
4565 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4566 + BACKOFF_SETUP(%o2)
4569 + cas [%o1], %g1, %g7
4575 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4576 + .size atomic_add_unchecked, .-atomic_add_unchecked
4579 .type atomic_sub,#function
4580 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4584 + subcc %g1, %o0, %g7
4586 +#ifdef CONFIG_PAX_REFCOUNT
4592 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4593 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4594 2: BACKOFF_SPIN(%o2, %o3, 1b)
4595 .size atomic_sub, .-atomic_sub
4597 + .globl atomic_sub_unchecked
4598 + .type atomic_sub_unchecked,#function
4599 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4600 + BACKOFF_SETUP(%o2)
4603 + cas [%o1], %g1, %g7
4609 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4610 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4612 .globl atomic_add_ret
4613 .type atomic_add_ret,#function
4614 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4618 + addcc %g1, %o0, %g7
4620 +#ifdef CONFIG_PAX_REFCOUNT
4626 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4627 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4628 2: BACKOFF_SPIN(%o2, %o3, 1b)
4629 .size atomic_add_ret, .-atomic_add_ret
4631 + .globl atomic_add_ret_unchecked
4632 + .type atomic_add_ret_unchecked,#function
4633 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4634 + BACKOFF_SETUP(%o2)
4636 + addcc %g1, %o0, %g7
4637 + cas [%o1], %g1, %g7
4644 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4645 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4647 .globl atomic_sub_ret
4648 .type atomic_sub_ret,#function
4649 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4653 + subcc %g1, %o0, %g7
4655 +#ifdef CONFIG_PAX_REFCOUNT
4661 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
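Review bot: `atomic_add_ret_unchecked` is added as a complete copy of `atomic_add_ret` minus the `CONFIG_PAX_REFCOUNT` block, and the same is done for `atomic_add`, `atomic_sub`, `atomic64_add`, `atomic64_sub` and `atomic64_add_ret`, but the `atomic_sub_ret` and `atomic64_sub_ret` hunks only gain the overflow check and no `atomic_sub_ret_unchecked`/`atomic64_sub_ret_unchecked`; if the header side of this patch maps a `*_sub_return_unchecked` onto such a symbol it is left undefined, and if it does not, the asymmetry deserves a comment. None of the new `_unchecked` entry points says when a caller should pick it; a comment on the first one, e.g. `/* _unchecked: same operation without the CONFIG_PAX_REFCOUNT overflow trap */`, would stop the variants from being chosen by name alone. With six near-identical bodies an assembler macro taking the operation (`addcc`/`subcc`), the `cas`/`casx` width and a checked flag would keep the checked and unchecked paths from drifting.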
4662 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4663 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4667 + addcc %g1, %o0, %g7
4669 +#ifdef CONFIG_PAX_REFCOUNT
4673 casx [%o1], %g1, %g7
4675 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4676 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4677 2: BACKOFF_SPIN(%o2, %o3, 1b)
4678 .size atomic64_add, .-atomic64_add
4680 + .globl atomic64_add_unchecked
4681 + .type atomic64_add_unchecked,#function
4682 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4683 + BACKOFF_SETUP(%o2)
4685 + addcc %g1, %o0, %g7
4686 + casx [%o1], %g1, %g7
4692 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4693 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4696 .type atomic64_sub,#function
4697 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4701 + subcc %g1, %o0, %g7
4703 +#ifdef CONFIG_PAX_REFCOUNT
4707 casx [%o1], %g1, %g7
4709 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4710 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4711 2: BACKOFF_SPIN(%o2, %o3, 1b)
4712 .size atomic64_sub, .-atomic64_sub
4714 + .globl atomic64_sub_unchecked
4715 + .type atomic64_sub_unchecked,#function
4716 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4717 + BACKOFF_SETUP(%o2)
4719 + subcc %g1, %o0, %g7
4720 + casx [%o1], %g1, %g7
4726 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4727 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4729 .globl atomic64_add_ret
4730 .type atomic64_add_ret,#function
4731 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4735 + addcc %g1, %o0, %g7
4737 +#ifdef CONFIG_PAX_REFCOUNT
4741 casx [%o1], %g1, %g7
4743 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4744 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4745 2: BACKOFF_SPIN(%o2, %o3, 1b)
4746 .size atomic64_add_ret, .-atomic64_add_ret
4748 + .globl atomic64_add_ret_unchecked
4749 + .type atomic64_add_ret_unchecked,#function
4750 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4751 + BACKOFF_SETUP(%o2)
4753 + addcc %g1, %o0, %g7
4754 + casx [%o1], %g1, %g7
4761 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4762 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4764 .globl atomic64_sub_ret
4765 .type atomic64_sub_ret,#function
4766 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4770 + subcc %g1, %o0, %g7
4772 +#ifdef CONFIG_PAX_REFCOUNT
4776 casx [%o1], %g1, %g7
4778 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4779 diff -urNp linux-2.6.38.1/arch/sparc/lib/ksyms.c linux-2.6.38.1-new/arch/sparc/lib/ksyms.c
4780 --- linux-2.6.38.1/arch/sparc/lib/ksyms.c 2011-03-14 21:20:32.000000000 -0400
4781 +++ linux-2.6.38.1-new/arch/sparc/lib/ksyms.c 2011-03-21 18:31:35.000000000 -0400
4782 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4784 /* Atomic counter implementation. */
4785 EXPORT_SYMBOL(atomic_add);
4786 +EXPORT_SYMBOL(atomic_add_unchecked);
4787 EXPORT_SYMBOL(atomic_add_ret);
4788 EXPORT_SYMBOL(atomic_sub);
4789 +EXPORT_SYMBOL(atomic_sub_unchecked);
4790 EXPORT_SYMBOL(atomic_sub_ret);
4791 EXPORT_SYMBOL(atomic64_add);
4792 +EXPORT_SYMBOL(atomic64_add_unchecked);
4793 EXPORT_SYMBOL(atomic64_add_ret);
4794 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4795 EXPORT_SYMBOL(atomic64_sub);
4796 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4797 EXPORT_SYMBOL(atomic64_sub_ret);
4799 /* Atomic bit operations. */
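Review bot: `atomic_add_ret_unchecked` is made global in arch/sparc/lib/atomic_64.S by this patch but is the only new `_unchecked` symbol not exported here: the hunk adds `EXPORT_SYMBOL(atomic64_add_ret_unchecked)` yet nothing for its 32-bit counterpart, so any module that reaches it (through whatever inline wrapper the header provides) fails at modpost with an undefined symbol. Add `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);` so the export list stays parallel to the definitions.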
4800 diff -urNp linux-2.6.38.1/arch/sparc/Makefile linux-2.6.38.1-new/arch/sparc/Makefile
4801 --- linux-2.6.38.1/arch/sparc/Makefile 2011-03-14 21:20:32.000000000 -0400
4802 +++ linux-2.6.38.1-new/arch/sparc/Makefile 2011-03-21 18:31:35.000000000 -0400
4803 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4804 # Export what is needed by arch/sparc/boot/Makefile
4805 export VMLINUX_INIT VMLINUX_MAIN
4806 VMLINUX_INIT := $(head-y) $(init-y)
4807 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4808 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4809 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4810 VMLINUX_MAIN += $(drivers-y) $(net-y)
4812 diff -urNp linux-2.6.38.1/arch/sparc/mm/fault_32.c linux-2.6.38.1-new/arch/sparc/mm/fault_32.c
4813 --- linux-2.6.38.1/arch/sparc/mm/fault_32.c 2011-03-14 21:20:32.000000000 -0400
4814 +++ linux-2.6.38.1-new/arch/sparc/mm/fault_32.c 2011-03-21 18:31:35.000000000 -0400
4816 #include <linux/interrupt.h>
4817 #include <linux/module.h>
4818 #include <linux/kdebug.h>
4819 +#include <linux/slab.h>
4820 +#include <linux/pagemap.h>
4821 +#include <linux/compiler.h>
4823 #include <asm/system.h>
4824 #include <asm/page.h>
4825 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4826 return safe_compute_effective_address(regs, insn);
4829 +#ifdef CONFIG_PAX_PAGEEXEC
4830 +#ifdef CONFIG_PAX_DLRESOLVE
4831 +static void pax_emuplt_close(struct vm_area_struct *vma)
4833 + vma->vm_mm->call_dl_resolve = 0UL;
4836 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4838 + unsigned int *kaddr;
4840 + vmf->page = alloc_page(GFP_HIGHUSER);
4842 + return VM_FAULT_OOM;
4844 + kaddr = kmap(vmf->page);
4845 + memset(kaddr, 0, PAGE_SIZE);
4846 + kaddr[0] = 0x9DE3BFA8U; /* save */
4847 + flush_dcache_page(vmf->page);
4848 + kunmap(vmf->page);
4849 + return VM_FAULT_MAJOR;
4852 +static const struct vm_operations_struct pax_vm_ops = {
4853 + .close = pax_emuplt_close,
4854 + .fault = pax_emuplt_fault
4857 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4861 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4862 + vma->vm_mm = current->mm;
4863 + vma->vm_start = addr;
4864 + vma->vm_end = addr + PAGE_SIZE;
4865 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4866 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4867 + vma->vm_ops = &pax_vm_ops;
4869 + ret = insert_vm_struct(current->mm, vma);
4873 + ++current->mm->total_vm;
4879 + * PaX: decide what to do with offenders (regs->pc = fault address)
4881 + * returns 1 when task should be killed
4882 + * 2 when patched PLT trampoline was detected
4883 + * 3 when unpatched PLT trampoline was detected
4885 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4888 +#ifdef CONFIG_PAX_EMUPLT
4891 + do { /* PaX: patched PLT emulation #1 */
4892 + unsigned int sethi1, sethi2, jmpl;
4894 + err = get_user(sethi1, (unsigned int *)regs->pc);
4895 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4896 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4901 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4902 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4903 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4905 + unsigned int addr;
4907 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4908 + addr = regs->u_regs[UREG_G1];
4909 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4911 + regs->npc = addr+4;
4916 + { /* PaX: patched PLT emulation #2 */
4919 + err = get_user(ba, (unsigned int *)regs->pc);
4921 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4922 + unsigned int addr;
4924 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4926 + regs->npc = addr+4;
4931 + do { /* PaX: patched PLT emulation #3 */
4932 + unsigned int sethi, jmpl, nop;
4934 + err = get_user(sethi, (unsigned int *)regs->pc);
4935 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4936 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4941 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4942 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4943 + nop == 0x01000000U)
4945 + unsigned int addr;
4947 + addr = (sethi & 0x003FFFFFU) << 10;
4948 + regs->u_regs[UREG_G1] = addr;
4949 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4951 + regs->npc = addr+4;
4956 + do { /* PaX: unpatched PLT emulation step 1 */
4957 + unsigned int sethi, ba, nop;
4959 + err = get_user(sethi, (unsigned int *)regs->pc);
4960 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4961 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4966 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4967 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4968 + nop == 0x01000000U)
4970 + unsigned int addr, save, call;
4972 + if ((ba & 0xFFC00000U) == 0x30800000U)
4973 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4975 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4977 + err = get_user(save, (unsigned int *)addr);
4978 + err |= get_user(call, (unsigned int *)(addr+4));
4979 + err |= get_user(nop, (unsigned int *)(addr+8));
4983 +#ifdef CONFIG_PAX_DLRESOLVE
4984 + if (save == 0x9DE3BFA8U &&
4985 + (call & 0xC0000000U) == 0x40000000U &&
4986 + nop == 0x01000000U)
4988 + struct vm_area_struct *vma;
4989 + unsigned long call_dl_resolve;
4991 + down_read(¤t->mm->mmap_sem);
4992 + call_dl_resolve = current->mm->call_dl_resolve;
4993 + up_read(¤t->mm->mmap_sem);
4994 + if (likely(call_dl_resolve))
4997 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4999 + down_write(¤t->mm->mmap_sem);
5000 + if (current->mm->call_dl_resolve) {
5001 + call_dl_resolve = current->mm->call_dl_resolve;
5002 + up_write(¤t->mm->mmap_sem);
5004 + kmem_cache_free(vm_area_cachep, vma);
5008 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5009 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5010 + up_write(¤t->mm->mmap_sem);
5012 + kmem_cache_free(vm_area_cachep, vma);
5016 + if (pax_insert_vma(vma, call_dl_resolve)) {
5017 + up_write(¤t->mm->mmap_sem);
5018 + kmem_cache_free(vm_area_cachep, vma);
5022 + current->mm->call_dl_resolve = call_dl_resolve;
5023 + up_write(¤t->mm->mmap_sem);
5026 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5027 + regs->pc = call_dl_resolve;
5028 + regs->npc = addr+4;
5033 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5034 + if ((save & 0xFFC00000U) == 0x05000000U &&
5035 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5036 + nop == 0x01000000U)
5038 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5039 + regs->u_regs[UREG_G2] = addr + 4;
5040 + addr = (save & 0x003FFFFFU) << 10;
5041 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
5043 + regs->npc = addr+4;
5049 + do { /* PaX: unpatched PLT emulation step 2 */
5050 + unsigned int save, call, nop;
5052 + err = get_user(save, (unsigned int *)(regs->pc-4));
5053 + err |= get_user(call, (unsigned int *)regs->pc);
5054 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
5058 + if (save == 0x9DE3BFA8U &&
5059 + (call & 0xC0000000U) == 0x40000000U &&
5060 + nop == 0x01000000U)
5062 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
5064 + regs->u_regs[UREG_RETPC] = regs->pc;
5065 + regs->pc = dl_resolve;
5066 + regs->npc = dl_resolve+4;
5075 +void pax_report_insns(void *pc, void *sp)
5079 + printk(KERN_ERR "PAX: bytes at PC: ");
5080 + for (i = 0; i < 8; i++) {
5082 + if (get_user(c, (unsigned int *)pc+i))
5083 + printk(KERN_CONT "???????? ");
5085 + printk(KERN_CONT "%08x ", c);
5091 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
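Review bot: `pax_emuplt_close`, `pax_emuplt_fault`, `pax_vm_ops`, `pax_insert_vma` and `pax_report_insns` are added here verbatim and again in arch/sparc/mm/fault_64.c by this same patch, so the two copies will drift independently; a single definition in a shared arch/sparc/mm file that both fault handlers build would be preferable. The emulation page filled in `pax_emuplt_fault` holds only the `save` word at offset 0 and is otherwise zero; a comment such as `/* rest of the page stays 0 (unimp on SPARC V8): any fall-through traps */` would record that the zero fill is the fail-safe rather than an accident (confirm the decoding for the V8 targets this file covers). `¤t->mm` in the `down_read`/`down_write`/`up_*` lines reads as an extraction artefact for `&current->mm`. `do_fault_siginfo` at the end of the hunk continues outside it.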
5094 @@ -282,6 +547,24 @@ good_area:
5095 if(!(vma->vm_flags & VM_WRITE))
5099 +#ifdef CONFIG_PAX_PAGEEXEC
5100 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
5101 + up_read(&mm->mmap_sem);
5102 + switch (pax_handle_fetch_fault(regs)) {
5104 +#ifdef CONFIG_PAX_EMUPLT
5111 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
5112 + do_group_exit(SIGKILL);
5116 /* Allow reads even for write-only mappings */
5117 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5119 diff -urNp linux-2.6.38.1/arch/sparc/mm/fault_64.c linux-2.6.38.1-new/arch/sparc/mm/fault_64.c
5120 --- linux-2.6.38.1/arch/sparc/mm/fault_64.c 2011-03-14 21:20:32.000000000 -0400
5121 +++ linux-2.6.38.1-new/arch/sparc/mm/fault_64.c 2011-03-21 18:31:35.000000000 -0400
5123 #include <linux/kprobes.h>
5124 #include <linux/kdebug.h>
5125 #include <linux/percpu.h>
5126 +#include <linux/slab.h>
5127 +#include <linux/pagemap.h>
5128 +#include <linux/compiler.h>
5130 #include <asm/page.h>
5131 #include <asm/pgtable.h>
5132 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5133 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5135 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5136 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5137 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5138 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5140 unhandled_fault(regs->tpc, current, regs);
5141 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5145 +#ifdef CONFIG_PAX_PAGEEXEC
5146 +#ifdef CONFIG_PAX_DLRESOLVE
5147 +static void pax_emuplt_close(struct vm_area_struct *vma)
5149 + vma->vm_mm->call_dl_resolve = 0UL;
5152 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5154 + unsigned int *kaddr;
5156 + vmf->page = alloc_page(GFP_HIGHUSER);
5158 + return VM_FAULT_OOM;
5160 + kaddr = kmap(vmf->page);
5161 + memset(kaddr, 0, PAGE_SIZE);
5162 + kaddr[0] = 0x9DE3BFA8U; /* save */
5163 + flush_dcache_page(vmf->page);
5164 + kunmap(vmf->page);
5165 + return VM_FAULT_MAJOR;
5168 +static const struct vm_operations_struct pax_vm_ops = {
5169 + .close = pax_emuplt_close,
5170 + .fault = pax_emuplt_fault
5173 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5177 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5178 + vma->vm_mm = current->mm;
5179 + vma->vm_start = addr;
5180 + vma->vm_end = addr + PAGE_SIZE;
5181 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5182 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5183 + vma->vm_ops = &pax_vm_ops;
5185 + ret = insert_vm_struct(current->mm, vma);
5189 + ++current->mm->total_vm;
5195 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5197 + * returns 1 when task should be killed
5198 + * 2 when patched PLT trampoline was detected
5199 + * 3 when unpatched PLT trampoline was detected
5201 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5204 +#ifdef CONFIG_PAX_EMUPLT
5207 + do { /* PaX: patched PLT emulation #1 */
5208 + unsigned int sethi1, sethi2, jmpl;
5210 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5211 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5212 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5217 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5218 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5219 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5221 + unsigned long addr;
5223 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5224 + addr = regs->u_regs[UREG_G1];
5225 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5227 + if (test_thread_flag(TIF_32BIT))
5228 + addr &= 0xFFFFFFFFUL;
5231 + regs->tnpc = addr+4;
5236 + { /* PaX: patched PLT emulation #2 */
5239 + err = get_user(ba, (unsigned int *)regs->tpc);
5241 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5242 + unsigned long addr;
5244 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5246 + if (test_thread_flag(TIF_32BIT))
5247 + addr &= 0xFFFFFFFFUL;
5250 + regs->tnpc = addr+4;
5255 + do { /* PaX: patched PLT emulation #3 */
5256 + unsigned int sethi, jmpl, nop;
5258 + err = get_user(sethi, (unsigned int *)regs->tpc);
5259 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5260 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5265 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5266 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5267 + nop == 0x01000000U)
5269 + unsigned long addr;
5271 + addr = (sethi & 0x003FFFFFU) << 10;
5272 + regs->u_regs[UREG_G1] = addr;
5273 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5275 + if (test_thread_flag(TIF_32BIT))
5276 + addr &= 0xFFFFFFFFUL;
5279 + regs->tnpc = addr+4;
5284 + do { /* PaX: patched PLT emulation #4 */
5285 + unsigned int sethi, mov1, call, mov2;
5287 + err = get_user(sethi, (unsigned int *)regs->tpc);
5288 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5289 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5290 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5295 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5296 + mov1 == 0x8210000FU &&
5297 + (call & 0xC0000000U) == 0x40000000U &&
5298 + mov2 == 0x9E100001U)
5300 + unsigned long addr;
5302 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5303 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5305 + if (test_thread_flag(TIF_32BIT))
5306 + addr &= 0xFFFFFFFFUL;
5309 + regs->tnpc = addr+4;
5314 + do { /* PaX: patched PLT emulation #5 */
5315 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5317 + err = get_user(sethi, (unsigned int *)regs->tpc);
5318 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5319 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5320 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5321 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5322 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5323 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5324 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5329 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5330 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5331 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5332 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5333 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5334 + sllx == 0x83287020U &&
5335 + jmpl == 0x81C04005U &&
5336 + nop == 0x01000000U)
5338 + unsigned long addr;
5340 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5341 + regs->u_regs[UREG_G1] <<= 32;
5342 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5343 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5345 + regs->tnpc = addr+4;
5350 + do { /* PaX: patched PLT emulation #6 */
5351 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5353 + err = get_user(sethi, (unsigned int *)regs->tpc);
5354 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5355 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5356 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5357 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5358 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5359 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5364 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5365 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5366 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5367 + sllx == 0x83287020U &&
5368 + (or & 0xFFFFE000U) == 0x8A116000U &&
5369 + jmpl == 0x81C04005U &&
5370 + nop == 0x01000000U)
5372 + unsigned long addr;
5374 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5375 + regs->u_regs[UREG_G1] <<= 32;
5376 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5377 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5379 + regs->tnpc = addr+4;
5384 + do { /* PaX: unpatched PLT emulation step 1 */
5385 + unsigned int sethi, ba, nop;
5387 + err = get_user(sethi, (unsigned int *)regs->tpc);
5388 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5389 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5394 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5395 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5396 + nop == 0x01000000U)
5398 + unsigned long addr;
5399 + unsigned int save, call;
5400 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5402 + if ((ba & 0xFFC00000U) == 0x30800000U)
5403 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5405 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5407 + if (test_thread_flag(TIF_32BIT))
5408 + addr &= 0xFFFFFFFFUL;
5410 + err = get_user(save, (unsigned int *)addr);
5411 + err |= get_user(call, (unsigned int *)(addr+4));
5412 + err |= get_user(nop, (unsigned int *)(addr+8));
5416 +#ifdef CONFIG_PAX_DLRESOLVE
5417 + if (save == 0x9DE3BFA8U &&
5418 + (call & 0xC0000000U) == 0x40000000U &&
5419 + nop == 0x01000000U)
5421 + struct vm_area_struct *vma;
5422 + unsigned long call_dl_resolve;
5424 + down_read(¤t->mm->mmap_sem);
5425 + call_dl_resolve = current->mm->call_dl_resolve;
5426 + up_read(¤t->mm->mmap_sem);
5427 + if (likely(call_dl_resolve))
5430 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5432 + down_write(¤t->mm->mmap_sem);
5433 + if (current->mm->call_dl_resolve) {
5434 + call_dl_resolve = current->mm->call_dl_resolve;
5435 + up_write(¤t->mm->mmap_sem);
5437 + kmem_cache_free(vm_area_cachep, vma);
5441 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5442 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5443 + up_write(¤t->mm->mmap_sem);
5445 + kmem_cache_free(vm_area_cachep, vma);
5449 + if (pax_insert_vma(vma, call_dl_resolve)) {
5450 + up_write(¤t->mm->mmap_sem);
5451 + kmem_cache_free(vm_area_cachep, vma);
5455 + current->mm->call_dl_resolve = call_dl_resolve;
5456 + up_write(¤t->mm->mmap_sem);
5459 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5460 + regs->tpc = call_dl_resolve;
5461 + regs->tnpc = addr+4;
5466 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5467 + if ((save & 0xFFC00000U) == 0x05000000U &&
5468 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5469 + nop == 0x01000000U)
5471 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5472 + regs->u_regs[UREG_G2] = addr + 4;
5473 + addr = (save & 0x003FFFFFU) << 10;
5474 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5476 + if (test_thread_flag(TIF_32BIT))
5477 + addr &= 0xFFFFFFFFUL;
5480 + regs->tnpc = addr+4;
5484 + /* PaX: 64-bit PLT stub */
5485 + err = get_user(sethi1, (unsigned int *)addr);
5486 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5487 + err |= get_user(or1, (unsigned int *)(addr+8));
5488 + err |= get_user(or2, (unsigned int *)(addr+12));
5489 + err |= get_user(sllx, (unsigned int *)(addr+16));
5490 + err |= get_user(add, (unsigned int *)(addr+20));
5491 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5492 + err |= get_user(nop, (unsigned int *)(addr+28));
5496 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5497 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5498 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5499 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5500 + sllx == 0x89293020U &&
5501 + add == 0x8A010005U &&
5502 + jmpl == 0x89C14000U &&
5503 + nop == 0x01000000U)
5505 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5506 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5507 + regs->u_regs[UREG_G4] <<= 32;
5508 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5509 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5510 + regs->u_regs[UREG_G4] = addr + 24;
5511 + addr = regs->u_regs[UREG_G5];
5513 + regs->tnpc = addr+4;
5519 +#ifdef CONFIG_PAX_DLRESOLVE
5520 + do { /* PaX: unpatched PLT emulation step 2 */
5521 + unsigned int save, call, nop;
5523 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5524 + err |= get_user(call, (unsigned int *)regs->tpc);
5525 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5529 + if (save == 0x9DE3BFA8U &&
5530 + (call & 0xC0000000U) == 0x40000000U &&
5531 + nop == 0x01000000U)
5533 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5535 + if (test_thread_flag(TIF_32BIT))
5536 + dl_resolve &= 0xFFFFFFFFUL;
5538 + regs->u_regs[UREG_RETPC] = regs->tpc;
5539 + regs->tpc = dl_resolve;
5540 + regs->tnpc = dl_resolve+4;
5546 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5547 + unsigned int sethi, ba, nop;
5549 + err = get_user(sethi, (unsigned int *)regs->tpc);
5550 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5551 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5556 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5557 + (ba & 0xFFF00000U) == 0x30600000U &&
5558 + nop == 0x01000000U)
5560 + unsigned long addr;
5562 + addr = (sethi & 0x003FFFFFU) << 10;
5563 + regs->u_regs[UREG_G1] = addr;
5564 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5566 + if (test_thread_flag(TIF_32BIT))
5567 + addr &= 0xFFFFFFFFUL;
5570 + regs->tnpc = addr+4;
5580 +void pax_report_insns(void *pc, void *sp)
5584 + printk(KERN_ERR "PAX: bytes at PC: ");
5585 + for (i = 0; i < 8; i++) {
5587 + if (get_user(c, (unsigned int *)pc+i))
5588 + printk(KERN_CONT "???????? ");
5590 + printk(KERN_CONT "%08x ", c);
5596 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5598 struct mm_struct *mm = current->mm;
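Review bot: In "patched PLT emulation #5" and "#6" and in the "64-bit PLT stub" branch of "unpatched PLT emulation step 1" the computed target is not truncated under `test_thread_flag(TIF_32BIT)` the way every other branch of `pax_handle_fetch_fault` does; since those sequences assemble a 64-bit address with `sllx ..., 32` this is presumably intentional, but a one-line comment at each, e.g. `/* 64-bit-only sequence (sllx by 32): no TIF_32BIT truncation needed */`, would keep a later reader from "fixing" it. The function header comment lists return values 1, 2 and 3 but not the value returned when no pattern matches, which the `switch` in do_sparc64_fault relies on; extending it to `* 1 when task should be killed (also the fall-through result)` or naming the actual default would make the contract complete, if that is indeed how the function ends (its tail is cut from this view). `do_sparc64_fault` at the end of the hunk continues outside it.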
5599 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5603 +#ifdef CONFIG_PAX_PAGEEXEC
5604 + /* PaX: detect ITLB misses on non-exec pages */
5605 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5606 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5608 + if (address != regs->tpc)
5611 + up_read(&mm->mmap_sem);
5612 + switch (pax_handle_fetch_fault(regs)) {
5614 +#ifdef CONFIG_PAX_EMUPLT
5621 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5622 + do_group_exit(SIGKILL);
5626 /* Pure DTLB misses do not tell us whether the fault causing
5627 * load/store/atomic was a write or not, it only says that there
5628 * was no match. So in such a case we (carefully) read the
5629 diff -urNp linux-2.6.38.1/arch/sparc/mm/hugetlbpage.c linux-2.6.38.1-new/arch/sparc/mm/hugetlbpage.c
5630 --- linux-2.6.38.1/arch/sparc/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
5631 +++ linux-2.6.38.1-new/arch/sparc/mm/hugetlbpage.c 2011-03-21 23:47:41.000000000 -0400
5632 @@ -68,7 +68,7 @@ full_search:
5636 - if (likely(!vma || addr + len <= vma->vm_start)) {
5637 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5639 * Remember the place where we stopped the search:
5641 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5642 /* make sure it can fit in the remaining address space */
5643 if (likely(addr > len)) {
5644 vma = find_vma(mm, addr-len);
5645 - if (!vma || addr <= vma->vm_start) {
5646 + if (check_heap_stack_gap(vma, addr - len, len)) {
5647 /* remember the address as a hint for next time */
5648 return (mm->free_area_cache = addr-len);
5650 @@ -116,16 +116,17 @@ hugetlb_get_unmapped_area_topdown(struct
5651 if (unlikely(mm->mmap_base < len))
5654 - addr = (mm->mmap_base-len) & HPAGE_MASK;
5655 + addr = mm->mmap_base - len;
5658 + addr &= HPAGE_MASK;
5660 * Lookup failure means no vma is above this address,
5661 * else if new region fits below vma->vm_start,
5662 * return with success:
5664 vma = find_vma(mm, addr);
5665 - if (likely(!vma || addr+len <= vma->vm_start)) {
5666 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5667 /* remember the address as a hint for next time */
5668 return (mm->free_area_cache = addr);
5670 @@ -135,8 +136,8 @@ hugetlb_get_unmapped_area_topdown(struct
5671 mm->cached_hole_size = vma->vm_start - addr;
5673 /* try just below the current vma->vm_start */
5674 - addr = (vma->vm_start-len) & HPAGE_MASK;
5675 - } while (likely(len < vma->vm_start));
5676 + addr = skip_heap_stack_gap(vma, len);
5677 + } while (!IS_ERR_VALUE(addr));
5681 @@ -182,8 +183,7 @@ hugetlb_get_unmapped_area(struct file *f
5683 addr = ALIGN(addr, HPAGE_SIZE);
5684 vma = find_vma(mm, addr);
5685 - if (task_size - len >= addr &&
5686 - (!vma || addr + len <= vma->vm_start))
5687 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5690 if (mm->get_unmapped_area == arch_get_unmapped_area)
5691 diff -urNp linux-2.6.38.1/arch/sparc/mm/init_32.c linux-2.6.38.1-new/arch/sparc/mm/init_32.c
5692 --- linux-2.6.38.1/arch/sparc/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
5693 +++ linux-2.6.38.1-new/arch/sparc/mm/init_32.c 2011-03-21 18:31:35.000000000 -0400
5694 @@ -318,6 +318,9 @@ extern void device_scan(void);
5695 pgprot_t PAGE_SHARED __read_mostly;
5696 EXPORT_SYMBOL(PAGE_SHARED);
5698 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5699 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5701 void __init paging_init(void)
5703 switch(sparc_cpu_model) {
5704 @@ -346,17 +349,17 @@ void __init paging_init(void)
5706 /* Initialize the protection map with non-constant, MMU dependent values. */
5707 protection_map[0] = PAGE_NONE;
5708 - protection_map[1] = PAGE_READONLY;
5709 - protection_map[2] = PAGE_COPY;
5710 - protection_map[3] = PAGE_COPY;
5711 + protection_map[1] = PAGE_READONLY_NOEXEC;
5712 + protection_map[2] = PAGE_COPY_NOEXEC;
5713 + protection_map[3] = PAGE_COPY_NOEXEC;
5714 protection_map[4] = PAGE_READONLY;
5715 protection_map[5] = PAGE_READONLY;
5716 protection_map[6] = PAGE_COPY;
5717 protection_map[7] = PAGE_COPY;
5718 protection_map[8] = PAGE_NONE;
5719 - protection_map[9] = PAGE_READONLY;
5720 - protection_map[10] = PAGE_SHARED;
5721 - protection_map[11] = PAGE_SHARED;
5722 + protection_map[9] = PAGE_READONLY_NOEXEC;
5723 + protection_map[10] = PAGE_SHARED_NOEXEC;
5724 + protection_map[11] = PAGE_SHARED_NOEXEC;
5725 protection_map[12] = PAGE_READONLY;
5726 protection_map[13] = PAGE_READONLY;
5727 protection_map[14] = PAGE_SHARED;
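Review bot: The protection_map entries are switched to the *_NOEXEC pgprots unconditionally, while the only initialisation of PAGE_SHARED_NOEXEC visible in this patch (the srmmu.c hunk further down) sits under `#ifdef CONFIG_PAX_PAGEEXEC`; in a build without that option, or on a sun4c MMU if its ld_mmu path is not updated elsewhere, entries 10 and 11 would be a zero pgprot and every shared writable mapping would fault. Unless a header aliases PAGE_SHARED_NOEXEC to PAGE_SHARED in that configuration (not shown here), guard these assignments with the same `#ifdef CONFIG_PAX_PAGEEXEC` and keep the original PAGE_READONLY/PAGE_COPY/PAGE_SHARED values in the `#else` branch. paging_init continues outside the hunk.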
5728 diff -urNp linux-2.6.38.1/arch/sparc/mm/Makefile linux-2.6.38.1-new/arch/sparc/mm/Makefile
5729 --- linux-2.6.38.1/arch/sparc/mm/Makefile 2011-03-14 21:20:32.000000000 -0400
5730 +++ linux-2.6.38.1-new/arch/sparc/mm/Makefile 2011-03-21 18:31:35.000000000 -0400
5735 -ccflags-y := -Werror
5736 +#ccflags-y := -Werror
5738 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5739 obj-y += fault_$(BITS).o
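Review bot: Commenting out `ccflags-y := -Werror` turns off warnings-as-errors for all of arch/sparc/mm instead of fixing whatever warning the PaX additions in this directory trigger, so any future warning in these files is silently accepted too. Prefer fixing the warning, or, if one object genuinely needs it, scope the relaxation with `CFLAGS_REMOVE_fault_64.o := -Werror` (or whichever object warns) plus a comment saying why. Which file produces the warning is not visible from the patch.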
5740 diff -urNp linux-2.6.38.1/arch/sparc/mm/srmmu.c linux-2.6.38.1-new/arch/sparc/mm/srmmu.c
5741 --- linux-2.6.38.1/arch/sparc/mm/srmmu.c 2011-03-14 21:20:32.000000000 -0400
5742 +++ linux-2.6.38.1-new/arch/sparc/mm/srmmu.c 2011-03-21 18:31:35.000000000 -0400
5743 @@ -2200,6 +2200,13 @@ void __init ld_mmu_srmmu(void)
5744 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5745 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5746 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5748 +#ifdef CONFIG_PAX_PAGEEXEC
5749 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5750 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5751 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5754 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5755 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5757 diff -urNp linux-2.6.38.1/arch/um/include/asm/kmap_types.h linux-2.6.38.1-new/arch/um/include/asm/kmap_types.h
5758 --- linux-2.6.38.1/arch/um/include/asm/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
5759 +++ linux-2.6.38.1-new/arch/um/include/asm/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
5760 @@ -23,6 +23,7 @@ enum km_type {
5768 diff -urNp linux-2.6.38.1/arch/um/include/asm/page.h linux-2.6.38.1-new/arch/um/include/asm/page.h
5769 --- linux-2.6.38.1/arch/um/include/asm/page.h 2011-03-14 21:20:32.000000000 -0400
5770 +++ linux-2.6.38.1-new/arch/um/include/asm/page.h 2011-03-21 18:31:35.000000000 -0400
5772 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5773 #define PAGE_MASK (~(PAGE_SIZE-1))
5775 +#define ktla_ktva(addr) (addr)
5776 +#define ktva_ktla(addr) (addr)
5778 #ifndef __ASSEMBLY__
5781 diff -urNp linux-2.6.38.1/arch/um/kernel/process.c linux-2.6.38.1-new/arch/um/kernel/process.c
5782 --- linux-2.6.38.1/arch/um/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
5783 +++ linux-2.6.38.1-new/arch/um/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
5784 @@ -404,22 +404,6 @@ int singlestepping(void * t)
5789 - * Only x86 and x86_64 have an arch_align_stack().
5790 - * All other arches have "#define arch_align_stack(x) (x)"
5791 - * in their asm/system.h
5792 - * As this is included in UML from asm-um/system-generic.h,
5793 - * we can use it to behave as the subarch does.
5795 -#ifndef arch_align_stack
5796 -unsigned long arch_align_stack(unsigned long sp)
5798 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
5799 - sp -= get_random_int() % 8192;
5804 unsigned long get_wchan(struct task_struct *p)
5806 unsigned long stack_page, sp, ip;
5807 diff -urNp linux-2.6.38.1/arch/um/sys-i386/syscalls.c linux-2.6.38.1-new/arch/um/sys-i386/syscalls.c
5808 --- linux-2.6.38.1/arch/um/sys-i386/syscalls.c 2011-03-14 21:20:32.000000000 -0400
5809 +++ linux-2.6.38.1-new/arch/um/sys-i386/syscalls.c 2011-03-21 18:31:35.000000000 -0400
5811 #include "asm/uaccess.h"
5812 #include "asm/unistd.h"
5814 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5816 + unsigned long pax_task_size = TASK_SIZE;
5818 +#ifdef CONFIG_PAX_SEGMEXEC
5819 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5820 + pax_task_size = SEGMEXEC_TASK_SIZE;
5823 + if (len > pax_task_size || addr > pax_task_size - len)
5830 * The prototype on i386 is:
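Review bot: i386_mmap_check rejects whenever `addr > pax_task_size - len` regardless of MAP_FIXED, so a merely out-of-range hint address that the core mmap path would otherwise ignore and relocate now fails the call; `flags` is passed in but never read in the visible body. If rejecting non-fixed hints is intended, say so in a comment; otherwise restrict the address test to fixed mappings: `if (len > pax_task_size || ((flags & MAP_FIXED) && addr > pax_task_size - len))`. The function's return statements are not visible in the hunk.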
5832 diff -urNp linux-2.6.38.1/arch/x86/boot/bitops.h linux-2.6.38.1-new/arch/x86/boot/bitops.h
5833 --- linux-2.6.38.1/arch/x86/boot/bitops.h 2011-03-14 21:20:32.000000000 -0400
5834 +++ linux-2.6.38.1-new/arch/x86/boot/bitops.h 2011-03-21 18:31:35.000000000 -0400
5835 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5837 const u32 *p = (const u32 *)addr;
5839 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5840 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5844 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5846 static inline void set_bit(int nr, void *addr)
5848 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5849 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5852 #endif /* BOOT_BITOPS_H */
5853 diff -urNp linux-2.6.38.1/arch/x86/boot/boot.h linux-2.6.38.1-new/arch/x86/boot/boot.h
5854 --- linux-2.6.38.1/arch/x86/boot/boot.h 2011-03-14 21:20:32.000000000 -0400
5855 +++ linux-2.6.38.1-new/arch/x86/boot/boot.h 2011-03-21 18:31:35.000000000 -0400
5856 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5857 static inline u16 ds(void)
5860 - asm("movw %%ds,%0" : "=rm" (seg));
5861 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5865 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5866 static inline int memcmp(const void *s1, const void *s2, size_t len)
5869 - asm("repe; cmpsb; setnz %0"
5870 + asm volatile("repe; cmpsb; setnz %0"
5871 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
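Review bot: Making the repe;cmpsb asm `volatile` does not tell GCC that it reads the bytes behind s1 and s2 — the only operands are the pointer registers and the count — so a store into either buffer with no other dependency can still legally be sunk past the compare; volatile only orders the asm relative to other volatile accesses. Add a memory clobber: `: "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len) : : "memory");`. The same holds for any other asm in this header that reads memory only through a register.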
5874 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/head_32.S linux-2.6.38.1-new/arch/x86/boot/compressed/head_32.S
5875 --- linux-2.6.38.1/arch/x86/boot/compressed/head_32.S 2011-03-14 21:20:32.000000000 -0400
5876 +++ linux-2.6.38.1-new/arch/x86/boot/compressed/head_32.S 2011-03-21 18:31:35.000000000 -0400
5877 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5881 - movl $LOAD_PHYSICAL_ADDR, %ebx
5882 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5885 /* Target address to relocate to for decompression */
5886 @@ -162,7 +162,7 @@ relocated:
5887 * and where it was actually loaded.
5890 - subl $LOAD_PHYSICAL_ADDR, %ebx
5891 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5892 jz 2f /* Nothing to be done if loaded at compiled addr. */
5894 * Process relocations.
5895 @@ -170,8 +170,7 @@ relocated:
5902 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5905 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/head_64.S linux-2.6.38.1-new/arch/x86/boot/compressed/head_64.S
5906 --- linux-2.6.38.1/arch/x86/boot/compressed/head_64.S 2011-03-14 21:20:32.000000000 -0400
5907 +++ linux-2.6.38.1-new/arch/x86/boot/compressed/head_64.S 2011-03-21 18:31:35.000000000 -0400
5908 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5912 - movl $LOAD_PHYSICAL_ADDR, %ebx
5913 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5916 /* Target address to relocate to for decompression */
5917 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5921 - movq $LOAD_PHYSICAL_ADDR, %rbp
5922 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5925 /* Target address to relocate to for decompression */
5926 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/misc.c linux-2.6.38.1-new/arch/x86/boot/compressed/misc.c
5927 --- linux-2.6.38.1/arch/x86/boot/compressed/misc.c 2011-03-14 21:20:32.000000000 -0400
5928 +++ linux-2.6.38.1-new/arch/x86/boot/compressed/misc.c 2011-03-21 18:31:35.000000000 -0400
5929 @@ -310,7 +310,7 @@ static void parse_elf(void *output)
5931 #ifdef CONFIG_RELOCATABLE
5933 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5934 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5936 dest = (void *)(phdr->p_paddr);
5938 @@ -363,7 +363,7 @@ asmlinkage void decompress_kernel(void *
5939 error("Destination address too large");
5941 #ifndef CONFIG_RELOCATABLE
5942 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5943 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5944 error("Wrong destination address");
5947 diff -urNp linux-2.6.38.1/arch/x86/boot/compressed/relocs.c linux-2.6.38.1-new/arch/x86/boot/compressed/relocs.c
5948 --- linux-2.6.38.1/arch/x86/boot/compressed/relocs.c 2011-03-14 21:20:32.000000000 -0400
5949 +++ linux-2.6.38.1-new/arch/x86/boot/compressed/relocs.c 2011-03-21 18:31:35.000000000 -0400
5952 static void die(char *fmt, ...);
5954 +#include "../../../../include/generated/autoconf.h"
5956 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5957 static Elf32_Ehdr ehdr;
5958 +static Elf32_Phdr *phdr;
5959 static unsigned long reloc_count, reloc_idx;
5960 static unsigned long *relocs;
5962 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5966 +static void read_phdrs(FILE *fp)
5970 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5972 + die("Unable to allocate %d program headers\n",
5975 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5976 + die("Seek to %d failed: %s\n",
5977 + ehdr.e_phoff, strerror(errno));
5979 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5980 + die("Cannot read ELF program headers: %s\n",
5983 + for(i = 0; i < ehdr.e_phnum; i++) {
5984 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5985 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5986 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5987 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5988 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5989 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5990 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5991 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5996 static void read_shdrs(FILE *fp)
6002 secs = calloc(ehdr.e_shnum, sizeof(struct section));
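Review bot: read_phdrs reads `ehdr.e_phnum` entries of `sizeof(*phdr)` bytes without first checking that `ehdr.e_phentsize` equals `sizeof(Elf32_Phdr)`, so a header with a different entry size would be parsed at the wrong stride with no error (read_ehdr, outside the hunk, presumably performs the equivalent e_shentsize check for section headers). Add before the fseek: `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Unsupported ELF program header size: %d\n", ehdr.e_phentsize);`. Also `e_phoff` is unsigned, so the `%d` in the seek error message should be `%u`.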
6003 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
6005 static void read_strtabs(FILE *fp)
6009 for (i = 0; i < ehdr.e_shnum; i++) {
6010 struct section *sec = &secs[i];
6011 if (sec->shdr.sh_type != SHT_STRTAB) {
6012 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
6014 static void read_symtabs(FILE *fp)
6018 for (i = 0; i < ehdr.e_shnum; i++) {
6019 struct section *sec = &secs[i];
6020 if (sec->shdr.sh_type != SHT_SYMTAB) {
6021 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
6023 static void read_relocs(FILE *fp)
6029 for (i = 0; i < ehdr.e_shnum; i++) {
6030 struct section *sec = &secs[i];
6031 if (sec->shdr.sh_type != SHT_REL) {
6032 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
6033 die("Cannot read symbol table: %s\n",
6037 + for (j = 0; j < ehdr.e_phnum; j++) {
6038 + if (phdr[j].p_type != PT_LOAD )
6040 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
6042 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
6045 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
6046 Elf32_Rel *rel = &sec->reltab[j];
6047 - rel->r_offset = elf32_to_cpu(rel->r_offset);
6048 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
6049 rel->r_info = elf32_to_cpu(rel->r_info);
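Review bot: `sec->shdr.sh_info` is used as an index into secs to find the section the relocations apply to, with no check against `ehdr.e_shnum`, so a malformed or truncated object indexes past the array before the PT_LOAD offset comparison even runs. This is a build-host tool reading the kernel's own link output, so the exposure is low, but relocs.c already dies on other inconsistencies; add `if (sec->shdr.sh_info >= ehdr.e_shnum) die("Bad sh_info %u in section %d\n", sec->shdr.sh_info, i);` before the phdr loop. Whether `base` is reset per section when no PT_LOAD matches is not visible in the hunk.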
6052 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
6054 static void print_absolute_symbols(void)
6058 printf("Absolute symbols\n");
6059 printf(" Num: Value Size Type Bind Visibility Name\n");
6060 for (i = 0; i < ehdr.e_shnum; i++) {
6061 struct section *sec = &secs[i];
6063 Elf32_Sym *sh_symtab;
6067 if (sec->shdr.sh_type != SHT_SYMTAB) {
6069 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
6071 static void print_absolute_relocs(void)
6073 - int i, printed = 0;
6074 + unsigned int i, printed = 0;
6076 for (i = 0; i < ehdr.e_shnum; i++) {
6077 struct section *sec = &secs[i];
6078 struct section *sec_applies, *sec_symtab;
6080 Elf32_Sym *sh_symtab;
6083 if (sec->shdr.sh_type != SHT_REL) {
6086 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
6088 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
6092 /* Walk through the relocations */
6093 for (i = 0; i < ehdr.e_shnum; i++) {
6095 Elf32_Sym *sh_symtab;
6096 struct section *sec_applies, *sec_symtab;
6099 struct section *sec = &secs[i];
6101 if (sec->shdr.sh_type != SHT_REL) {
6102 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
6103 !is_rel_reloc(sym_name(sym_strtab, sym))) {
6106 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
6107 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
6110 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
6111 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
6112 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
6114 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
6116 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
6118 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
6125 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
6127 static void emit_relocs(int as_text)
6131 /* Count how many relocations I have and allocate space for them. */
6133 walk_relocs(count_reloc);
6134 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
6135 fname, strerror(errno));
6142 diff -urNp linux-2.6.38.1/arch/x86/boot/cpucheck.c linux-2.6.38.1-new/arch/x86/boot/cpucheck.c
6143 --- linux-2.6.38.1/arch/x86/boot/cpucheck.c 2011-03-14 21:20:32.000000000 -0400
6144 +++ linux-2.6.38.1-new/arch/x86/boot/cpucheck.c 2011-03-21 18:31:35.000000000 -0400
6145 @@ -74,7 +74,7 @@ static int has_fpu(void)
6146 u16 fcw = -1, fsw = -1;
6149 - asm("movl %%cr0,%0" : "=r" (cr0));
6150 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
6151 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
6152 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6153 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6154 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6159 + asm volatile("pushfl ; "
6163 @@ -115,7 +115,7 @@ static void get_flags(void)
6164 set_bit(X86_FEATURE_FPU, cpu.flags);
6166 if (has_eflag(X86_EFLAGS_ID)) {
6168 + asm volatile("cpuid"
6169 : "=a" (max_intel_level),
6170 "=b" (cpu_vendor[0]),
6171 "=d" (cpu_vendor[1]),
6172 @@ -124,7 +124,7 @@ static void get_flags(void)
6174 if (max_intel_level >= 0x00000001 &&
6175 max_intel_level <= 0x0000ffff) {
6177 + asm volatile("cpuid"
6179 "=c" (cpu.flags[4]),
6181 @@ -136,7 +136,7 @@ static void get_flags(void)
6182 cpu.model += ((tfms >> 16) & 0xf) << 4;
6186 + asm volatile("cpuid"
6187 : "=a" (max_amd_level)
6189 : "ebx", "ecx", "edx");
6190 @@ -144,7 +144,7 @@ static void get_flags(void)
6191 if (max_amd_level >= 0x80000001 &&
6192 max_amd_level <= 0x8000ffff) {
6193 u32 eax = 0x80000001;
6195 + asm volatile("cpuid"
6197 "=c" (cpu.flags[6]),
6199 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6200 u32 ecx = MSR_K7_HWCR;
6203 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6204 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6206 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6207 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6209 get_flags(); /* Make sure it really did something */
6210 err = check_flags();
6211 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6212 u32 ecx = MSR_VIA_FCR;
6215 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6216 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6217 eax |= (1<<1)|(1<<7);
6218 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6219 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6221 set_bit(X86_FEATURE_CX8, cpu.flags);
6222 err = check_flags();
6223 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6227 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6228 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6230 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6231 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6232 + asm volatile("cpuid"
6233 : "+a" (level), "=d" (cpu.flags[0])
6235 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6236 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6238 err = check_flags();
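Review bot: The `volatile` added to the rdmsr and cpuid asms here is what stops GCC from hoisting the cpuid above the preceding wrmsr, which has no data dependency on it, yet nothing in the hunk records that ordering is the point; the wrmsr asms already had no outputs and were therefore implicitly volatile. Suggest a comment above the sequence such as `/* volatile: rdmsr/cpuid must not be reordered across the wrmsr that toggles the feature bits */`. check_cpu continues outside the hunk.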
6240 diff -urNp linux-2.6.38.1/arch/x86/boot/header.S linux-2.6.38.1-new/arch/x86/boot/header.S
6241 --- linux-2.6.38.1/arch/x86/boot/header.S 2011-03-14 21:20:32.000000000 -0400
6242 +++ linux-2.6.38.1-new/arch/x86/boot/header.S 2011-03-21 18:31:35.000000000 -0400
6243 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6244 # single linked list of
6247 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6248 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6250 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6251 #define VO_INIT_SIZE (VO__end - VO__text)
6252 diff -urNp linux-2.6.38.1/arch/x86/boot/memory.c linux-2.6.38.1-new/arch/x86/boot/memory.c
6253 --- linux-2.6.38.1/arch/x86/boot/memory.c 2011-03-14 21:20:32.000000000 -0400
6254 +++ linux-2.6.38.1-new/arch/x86/boot/memory.c 2011-03-21 18:31:35.000000000 -0400
6257 static int detect_memory_e820(void)
6260 + unsigned int count = 0;
6261 struct biosregs ireg, oreg;
6262 struct e820entry *desc = boot_params.e820_map;
6263 static struct e820entry buf; /* static so it is zeroed */
6264 diff -urNp linux-2.6.38.1/arch/x86/boot/video.c linux-2.6.38.1-new/arch/x86/boot/video.c
6265 --- linux-2.6.38.1/arch/x86/boot/video.c 2011-03-14 21:20:32.000000000 -0400
6266 +++ linux-2.6.38.1-new/arch/x86/boot/video.c 2011-03-21 18:31:35.000000000 -0400
6267 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6268 static unsigned int get_entry(void)
6272 + unsigned int i, len = 0;
6276 diff -urNp linux-2.6.38.1/arch/x86/boot/video-vesa.c linux-2.6.38.1-new/arch/x86/boot/video-vesa.c
6277 --- linux-2.6.38.1/arch/x86/boot/video-vesa.c 2011-03-14 21:20:32.000000000 -0400
6278 +++ linux-2.6.38.1-new/arch/x86/boot/video-vesa.c 2011-03-21 18:31:35.000000000 -0400
6279 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6281 boot_params.screen_info.vesapm_seg = oreg.es;
6282 boot_params.screen_info.vesapm_off = oreg.di;
6283 + boot_params.screen_info.vesapm_size = oreg.cx;
6287 diff -urNp linux-2.6.38.1/arch/x86/ia32/ia32_aout.c linux-2.6.38.1-new/arch/x86/ia32/ia32_aout.c
6288 --- linux-2.6.38.1/arch/x86/ia32/ia32_aout.c 2011-03-14 21:20:32.000000000 -0400
6289 +++ linux-2.6.38.1-new/arch/x86/ia32/ia32_aout.c 2011-03-21 18:31:35.000000000 -0400
6290 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6291 unsigned long dump_start, dump_size;
6294 + memset(&dump, 0, sizeof(dump));
6299 diff -urNp linux-2.6.38.1/arch/x86/ia32/ia32entry.S linux-2.6.38.1-new/arch/x86/ia32/ia32entry.S
6300 --- linux-2.6.38.1/arch/x86/ia32/ia32entry.S 2011-03-14 21:20:32.000000000 -0400
6301 +++ linux-2.6.38.1-new/arch/x86/ia32/ia32entry.S 2011-03-21 18:31:35.000000000 -0400
6303 #include <asm/thread_info.h>
6304 #include <asm/segment.h>
6305 #include <asm/irqflags.h>
6306 +#include <asm/pgtable.h>
6307 #include <linux/linkage.h>
6309 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6310 @@ -93,6 +94,18 @@ ENTRY(native_irq_enable_sysexit)
6311 ENDPROC(native_irq_enable_sysexit)
6314 + .macro pax_enter_kernel_user
6315 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6316 + call pax_enter_kernel_user
6320 + .macro pax_exit_kernel_user
6321 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6322 + call pax_exit_kernel_user
6327 * 32bit SYSENTER instruction entry.
6329 @@ -120,6 +133,7 @@ ENTRY(ia32_sysenter_target)
6331 movq PER_CPU_VAR(kernel_stack), %rsp
6332 addq $(KERNEL_STACK_OFFSET),%rsp
6333 + pax_enter_kernel_user
6335 * No need to follow this irqs on/off section: the syscall
6336 * disabled irqs, here we enable it straight after entry:
6337 @@ -150,6 +164,12 @@ ENTRY(ia32_sysenter_target)
6339 /* no need to do an access_ok check here because rbp has been
6340 32bit zero extended */
6342 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6343 + mov $PAX_USER_SHADOW_BASE,%r10
6348 .section __ex_table,"a"
6349 .quad 1b,ia32_badarg
6350 @@ -172,6 +192,7 @@ sysenter_dispatch:
6351 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6353 sysexit_from_sys_call:
6354 + pax_exit_kernel_user
6355 andl $~TS_COMPAT,TI_status(%r10)
6356 /* clear IF, that popfq doesn't enable interrupts early */
6357 andl $~0x200,EFLAGS-R11(%rsp)
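Review bot: `pax_exit_kernel_user` expands to a `call` placed between the `TI_flags(%r10)` test and the `andl $~TS_COMPAT,TI_status(%r10)` that follows it, so the exit path depends on the callee leaving %r10 — a caller-clobbered register under the SysV ABI — and any other register live here untouched; nothing in this file states that contract. If the callee is assembly that saves and restores every register it uses, as this placement requires, record it at the macro definition, e.g. `/* callee must preserve all GPRs: invoked with live %r10 (thread_info) */`; otherwise reload with `GET_THREAD_INFO(%r10)` after the call. The callee is not visible in this patch.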
6358 @@ -290,6 +311,11 @@ ENTRY(ia32_cstar_target)
6361 movq PER_CPU_VAR(kernel_stack),%rsp
6363 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6364 + pax_enter_kernel_user
6368 * No need to follow this irqs on/off section: the syscall
6369 * disabled irqs and here we enable it straight after entry:
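Review bot: The `pax_enter_kernel_user` invocation in the cstar entry is wrapped in its own `#ifdef CONFIG_PAX_MEMORY_UDEREF`, whereas the macro defined earlier in this file already expands to nothing without that option and the sysenter and ia32_syscall entries invoke it bare. Drop the extra guard so all three entry points read the same way: a bare `pax_enter_kernel_user` after `movq PER_CPU_VAR(kernel_stack),%rsp`. The body of ia32_cstar_target continues outside the hunk.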
6370 @@ -311,6 +337,12 @@ ENTRY(ia32_cstar_target)
6371 /* no need to do an access_ok check here because r8 has been
6372 32bit zero extended */
6373 /* hardware stack frame is complete now */
6375 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6376 + mov $PAX_USER_SHADOW_BASE,%r10
6381 .section __ex_table,"a"
6382 .quad 1b,ia32_badarg
6383 @@ -333,6 +365,7 @@ cstar_dispatch:
6384 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6386 sysretl_from_sys_call:
6387 + pax_exit_kernel_user
6388 andl $~TS_COMPAT,TI_status(%r10)
6389 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6390 movl RIP-ARGOFFSET(%rsp),%ecx
6391 @@ -415,6 +448,7 @@ ENTRY(ia32_syscall)
6392 CFI_REL_OFFSET rip,RIP-RIP
6393 PARAVIRT_ADJUST_EXCEPTION_FRAME
6395 + pax_enter_kernel_user
6397 * No need to follow this irqs on/off section: the syscall
6398 * disabled irqs and here we enable it straight after entry:
6399 diff -urNp linux-2.6.38.1/arch/x86/ia32/ia32_signal.c linux-2.6.38.1-new/arch/x86/ia32/ia32_signal.c
6400 --- linux-2.6.38.1/arch/x86/ia32/ia32_signal.c 2011-03-14 21:20:32.000000000 -0400
6401 +++ linux-2.6.38.1-new/arch/x86/ia32/ia32_signal.c 2011-03-21 18:31:35.000000000 -0400
6402 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6404 /* Align the stack pointer according to the i386 ABI,
6405 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6406 - sp = ((sp + 4) & -16ul) - 4;
6407 + sp = ((sp - 12) & -16ul) - 4;
6408 return (void __user *) sp;
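Review bot: `((sp - 12) & -16ul) - 4` evaluates to exactly 16 less than the old `((sp + 4) & -16ul) - 4` for every sp (for sp ≡ 12 mod 16 the old form returned sp itself, the new one returns sp - 16), so the frame is pushed one full 16-byte slot further down than the i386 alignment rule requires, while the comment above still describes only the alignment. If that extra slot is intentional, say what it reserves, e.g. `/* round down one extra 16-byte slot: … */`; otherwise the old expression already satisfied `((sp + 4) & 15) == 0`. get_sigframe begins outside the hunk.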
6411 @@ -461,7 +461,7 @@ int ia32_setup_frame(int sig, struct k_s
6412 * These are actually not used anymore, but left because some
6413 * gdb versions depend on them as a marker.
6415 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6416 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6417 } put_user_catch(err);
6420 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6422 __NR_ia32_rt_sigreturn,
6428 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6429 @@ -533,16 +533,18 @@ int ia32_setup_rt_frame(int sig, struct
6431 if (ka->sa.sa_flags & SA_RESTORER)
6432 restorer = ka->sa.sa_restorer;
6433 + else if (current->mm->context.vdso)
6434 + /* Return stub is in 32bit vsyscall page */
6435 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6437 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6439 + restorer = &frame->retcode;
6440 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
6443 * Not actually used anymore, but left because some gdb
6446 - put_user_ex(*((u64 *)&code), (u64 *)frame->retcode);
6447 + put_user_ex(*((const u64 *)&code), (u64 *)frame->retcode);
6448 } put_user_catch(err);
6451 diff -urNp linux-2.6.38.1/arch/x86/include/asm/alternative.h linux-2.6.38.1-new/arch/x86/include/asm/alternative.h
6452 --- linux-2.6.38.1/arch/x86/include/asm/alternative.h 2011-03-14 21:20:32.000000000 -0400
6453 +++ linux-2.6.38.1-new/arch/x86/include/asm/alternative.h 2011-03-21 18:31:35.000000000 -0400
6454 @@ -94,7 +94,7 @@ static inline int alternatives_text_rese
6455 ".section .discard,\"aw\",@progbits\n" \
6456 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6458 - ".section .altinstr_replacement, \"ax\"\n" \
6459 + ".section .altinstr_replacement, \"a\"\n" \
6460 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6463 diff -urNp linux-2.6.38.1/arch/x86/include/asm/apm.h linux-2.6.38.1-new/arch/x86/include/asm/apm.h
6464 --- linux-2.6.38.1/arch/x86/include/asm/apm.h 2011-03-14 21:20:32.000000000 -0400
6465 +++ linux-2.6.38.1-new/arch/x86/include/asm/apm.h 2011-03-21 18:31:35.000000000 -0400
6466 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6467 __asm__ __volatile__(APM_DO_ZERO_SEGS
6470 - "lcall *%%cs:apm_bios_entry\n\t"
6471 + "lcall *%%ss:apm_bios_entry\n\t"
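Review bot: The segment override on the far-call target is switched from %cs to %ss with no explanation in the hunk; presumably this is because KERNEXEC gives the kernel code segment a non-zero base, so a %cs-relative fetch of apm_bios_entry would read the wrong linear address, while %ss keeps a flat base. Record that on the line, e.g. `/* %ss: KERNEXEC moves the %cs base, fetch the far pointer through a flat data segment */`, since the same edit appears twice in this header.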
6475 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6476 __asm__ __volatile__(APM_DO_ZERO_SEGS
6479 - "lcall *%%cs:apm_bios_entry\n\t"
6480 + "lcall *%%ss:apm_bios_entry\n\t"
6484 diff -urNp linux-2.6.38.1/arch/x86/include/asm/atomic64_32.h linux-2.6.38.1-new/arch/x86/include/asm/atomic64_32.h
6485 --- linux-2.6.38.1/arch/x86/include/asm/atomic64_32.h 2011-03-14 21:20:32.000000000 -0400
6486 +++ linux-2.6.38.1-new/arch/x86/include/asm/atomic64_32.h 2011-03-21 18:31:35.000000000 -0400
6487 @@ -12,6 +12,14 @@ typedef struct {
6488 u64 __aligned(8) counter;
6491 +#ifdef CONFIG_PAX_REFCOUNT
6493 + u64 __aligned(8) counter;
6494 +} atomic64_unchecked_t;
6496 +typedef atomic64_t atomic64_unchecked_t;
6499 #define ATOMIC64_INIT(val) { (val) }
6501 #ifdef CONFIG_X86_CMPXCHG64
6502 diff -urNp linux-2.6.38.1/arch/x86/include/asm/atomic64_64.h linux-2.6.38.1-new/arch/x86/include/asm/atomic64_64.h
6503 --- linux-2.6.38.1/arch/x86/include/asm/atomic64_64.h 2011-03-14 21:20:32.000000000 -0400
6504 +++ linux-2.6.38.1-new/arch/x86/include/asm/atomic64_64.h 2011-03-21 18:31:35.000000000 -0400
6507 static inline long atomic64_read(const atomic64_t *v)
6509 - return (*(volatile long *)&(v)->counter);
6510 + return (*(volatile const long *)&(v)->counter);
6514 + * atomic64_read_unchecked - read atomic64 variable
6515 + * @v: pointer of type atomic64_unchecked_t
6517 + * Atomically reads the value of @v.
6518 + * Doesn't imply a read memory barrier.
6520 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6522 + return (*(volatile const long *)&(v)->counter);
6526 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6530 + * atomic64_set_unchecked - set atomic64 variable
6531 + * @v: pointer to type atomic64_unchecked_t
6532 + * @i: required value
6534 + * Atomically sets the value of @v to @i.
6536 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6542 * atomic64_add - add integer to atomic64 variable
6543 * @i: integer value to add
6544 * @v: pointer to type atomic64_t
6545 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6547 static inline void atomic64_add(long i, atomic64_t *v)
6549 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6551 +#ifdef CONFIG_PAX_REFCOUNT
6553 + LOCK_PREFIX "subq %1,%0\n"
6555 + _ASM_EXTABLE(0b, 0b)
6558 + : "=m" (v->counter)
6559 + : "er" (i), "m" (v->counter));
6563 + * atomic64_add_unchecked - add integer to atomic64 variable
6564 + * @i: integer value to add
6565 + * @v: pointer to type atomic64_unchecked_t
6567 + * Atomically adds @i to @v.
6569 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6571 asm volatile(LOCK_PREFIX "addq %1,%0"
6573 : "er" (i), "m" (v->counter));
6574 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6576 static inline void atomic64_sub(long i, atomic64_t *v)
6578 - asm volatile(LOCK_PREFIX "subq %1,%0"
6579 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6581 +#ifdef CONFIG_PAX_REFCOUNT
6583 + LOCK_PREFIX "addq %1,%0\n"
6585 + _ASM_EXTABLE(0b, 0b)
6588 + : "=m" (v->counter)
6589 + : "er" (i), "m" (v->counter));
6593 + * atomic64_sub_unchecked - subtract the atomic64 variable
6594 + * @i: integer value to subtract
6595 + * @v: pointer to type atomic64_unchecked_t
6597 + * Atomically subtracts @i from @v.
6599 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6601 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6603 : "er" (i), "m" (v->counter));
6605 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6609 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6610 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6612 +#ifdef CONFIG_PAX_REFCOUNT
6614 + LOCK_PREFIX "addq %2,%0\n"
6616 + _ASM_EXTABLE(0b, 0b)
6620 : "=m" (v->counter), "=qm" (c)
6621 : "er" (i), "m" (v->counter) : "memory");
6623 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6625 static inline void atomic64_inc(atomic64_t *v)
6627 + asm volatile(LOCK_PREFIX "incq %0\n"
6629 +#ifdef CONFIG_PAX_REFCOUNT
6631 + LOCK_PREFIX "decq %0\n"
6633 + _ASM_EXTABLE(0b, 0b)
6636 + : "=m" (v->counter)
6637 + : "m" (v->counter));
6641 + * atomic64_inc_unchecked - increment atomic64 variable
6642 + * @v: pointer to type atomic64_unchecked_t
6644 + * Atomically increments @v by 1.
6646 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6648 asm volatile(LOCK_PREFIX "incq %0"
6650 : "m" (v->counter));
6651 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6653 static inline void atomic64_dec(atomic64_t *v)
6655 - asm volatile(LOCK_PREFIX "decq %0"
6656 + asm volatile(LOCK_PREFIX "decq %0\n"
6658 +#ifdef CONFIG_PAX_REFCOUNT
6660 + LOCK_PREFIX "incq %0\n"
6662 + _ASM_EXTABLE(0b, 0b)
6665 + : "=m" (v->counter)
6666 + : "m" (v->counter));
6670 + * atomic64_dec_unchecked - decrement atomic64 variable
6671 + * @v: pointer to type atomic64_t
6673 + * Atomically decrements @v by 1.
6675 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6677 + asm volatile(LOCK_PREFIX "decq %0\n"
6679 : "m" (v->counter));
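Review bot: The kernel-doc for `atomic64_dec_unchecked()` says `@v: pointer to type atomic64_t`, but the prototype takes `atomic64_unchecked_t *v`, as the sibling `atomic64_sub_unchecked()` doc earlier in this file states correctly. Change it to `* @v: pointer to type atomic64_unchecked_t` so the doc and the prototype agree.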
6681 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6685 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6686 + asm volatile(LOCK_PREFIX "decq %0\n"
6688 +#ifdef CONFIG_PAX_REFCOUNT
6690 + LOCK_PREFIX "incq %0\n"
6692 + _ASM_EXTABLE(0b, 0b)
6696 : "=m" (v->counter), "=qm" (c)
6697 : "m" (v->counter) : "memory");
6699 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6703 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6704 + asm volatile(LOCK_PREFIX "incq %0\n"
6706 +#ifdef CONFIG_PAX_REFCOUNT
6708 + LOCK_PREFIX "decq %0\n"
6710 + _ASM_EXTABLE(0b, 0b)
6714 : "=m" (v->counter), "=qm" (c)
6715 : "m" (v->counter) : "memory");
6717 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6721 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6722 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6724 +#ifdef CONFIG_PAX_REFCOUNT
6726 + LOCK_PREFIX "subq %2,%0\n"
6728 + _ASM_EXTABLE(0b, 0b)
6732 : "=m" (v->counter), "=qm" (c)
6733 : "er" (i), "m" (v->counter) : "memory");
6735 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6736 static inline long atomic64_add_return(long i, atomic64_t *v)
6739 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6740 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6742 +#ifdef CONFIG_PAX_REFCOUNT
6746 + _ASM_EXTABLE(0b, 0b)
6749 + : "+r" (i), "+m" (v->counter)
6755 + * atomic64_add_return_unchecked - add and return
6756 + * @i: integer value to add
6757 + * @v: pointer to type atomic64_unchecked_t
6759 + * Atomically adds @i to @v and returns @i + @v
6761 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6764 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6765 : "+r" (i), "+m" (v->counter)
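Review bot: The PAX_REFCOUNT fixup for `xaddq` (the lines between the overflow branch and `_ASM_EXTABLE(0b, 0b)` are not visible in this view) has to restore `v->counter` from the pre-add value that `xaddq` leaves in the `"+r" (i)` register; unlike the `subq`/`addq` pairs in the other helpers, a plain store of that register is not a locked read-modify-write and would clobber any update a concurrent CPU made in between. If the undo is such a store, document the accepted race with a comment such as `/* restore from the xadd result register: not atomic against concurrent updates, acceptable since the task is killed anyway */`. The `atomic64_add_return_unchecked()` doc says it returns `@i + @v`, which holds only if the body adds the saved `i` back after the `xaddq` as the original does; its tail is not visible here.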
6768 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6771 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6772 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6774 + return atomic64_add_return_unchecked(1, v);
6776 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6778 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6779 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6781 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6785 c = atomic64_read(v);
6787 - if (unlikely(c == (u)))
6788 + if (unlikely(c == u))
6790 - old = atomic64_cmpxchg((v), c, c + (a));
6792 + asm volatile("add %2,%0\n"
6794 +#ifdef CONFIG_PAX_REFCOUNT
6798 + _ASM_EXTABLE(0b, 0b)
6802 + : "0" (c), "ir" (a));
6804 + old = atomic64_cmpxchg(v, c, new);
6805 if (likely(old == c))
6813 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
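Review bot: The input constraint `"ir" (a)` in the new `atomic64_add_unless()` asm lets the compiler emit `a` as an arbitrary 64-bit immediate, which `add` on x86-64 cannot encode (only sign-extended 32-bit immediates are valid); the other 64-bit helpers in this file use `"er"` for exactly that reason, e.g. `: "er" (i), "m" (v->counter)`. Use `: "0" (c), "er" (a));` here as well. The opcode `"add %2,%0\n"` also omits the size suffix that the 32-bit counterpart spells out as `addl`; `"addq %2,%0\n"` keeps the two files consistent and makes the operand size explicit instead of inferred from the register operand.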
6814 diff -urNp linux-2.6.38.1/arch/x86/include/asm/atomic.h linux-2.6.38.1-new/arch/x86/include/asm/atomic.h
6815 --- linux-2.6.38.1/arch/x86/include/asm/atomic.h 2011-03-14 21:20:32.000000000 -0400
6816 +++ linux-2.6.38.1-new/arch/x86/include/asm/atomic.h 2011-03-21 18:31:35.000000000 -0400
6819 static inline int atomic_read(const atomic_t *v)
6821 - return (*(volatile int *)&(v)->counter);
6822 + return (*(volatile const int *)&(v)->counter);
6826 + * atomic_read_unchecked - read atomic variable
6827 + * @v: pointer of type atomic_unchecked_t
6829 + * Atomically reads the value of @v.
6831 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6833 + return (*(volatile const int *)&(v)->counter);
6837 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6841 + * atomic_set_unchecked - set atomic variable
6842 + * @v: pointer of type atomic_unchecked_t
6843 + * @i: required value
6845 + * Atomically sets the value of @v to @i.
6847 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6853 * atomic_add - add integer to atomic variable
6854 * @i: integer value to add
6855 * @v: pointer of type atomic_t
6856 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6858 static inline void atomic_add(int i, atomic_t *v)
6860 - asm volatile(LOCK_PREFIX "addl %1,%0"
6861 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6863 +#ifdef CONFIG_PAX_REFCOUNT
6865 + LOCK_PREFIX "subl %1,%0\n"
6867 + _ASM_EXTABLE(0b, 0b)
6870 + : "+m" (v->counter)
6875 + * atomic_add_unchecked - add integer to atomic variable
6876 + * @i: integer value to add
6877 + * @v: pointer of type atomic_unchecked_t
6879 + * Atomically adds @i to @v.
6881 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6883 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6887 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6889 static inline void atomic_sub(int i, atomic_t *v)
6891 - asm volatile(LOCK_PREFIX "subl %1,%0"
6892 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6894 +#ifdef CONFIG_PAX_REFCOUNT
6896 + LOCK_PREFIX "addl %1,%0\n"
6898 + _ASM_EXTABLE(0b, 0b)
6901 + : "+m" (v->counter)
6906 + * atomic_sub_unchecked - subtract integer from atomic variable
6907 + * @i: integer value to subtract
6908 + * @v: pointer of type atomic_t
6910 + * Atomically subtracts @i from @v.
6912 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6914 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
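Review bot: The kernel-doc for `atomic_sub_unchecked()` says `@v: pointer of type atomic_t`, but the prototype takes `atomic_unchecked_t *v`, and the neighbouring `atomic_add_unchecked()` doc already names `atomic_unchecked_t`. Change it to `* @v: pointer of type atomic_unchecked_t` so the doc matches the signature.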
6918 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6922 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6923 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6925 +#ifdef CONFIG_PAX_REFCOUNT
6927 + LOCK_PREFIX "addl %2,%0\n"
6929 + _ASM_EXTABLE(0b, 0b)
6933 : "+m" (v->counter), "=qm" (c)
6934 : "ir" (i) : "memory");
6936 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6938 static inline void atomic_inc(atomic_t *v)
6940 - asm volatile(LOCK_PREFIX "incl %0"
6941 + asm volatile(LOCK_PREFIX "incl %0\n"
6943 +#ifdef CONFIG_PAX_REFCOUNT
6945 + LOCK_PREFIX "decl %0\n"
6947 + _ASM_EXTABLE(0b, 0b)
6950 + : "+m" (v->counter));
6954 + * atomic_inc_unchecked - increment atomic variable
6955 + * @v: pointer of type atomic_unchecked_t
6957 + * Atomically increments @v by 1.
6959 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6961 + asm volatile(LOCK_PREFIX "incl %0\n"
6962 : "+m" (v->counter));
6965 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6967 static inline void atomic_dec(atomic_t *v)
6969 - asm volatile(LOCK_PREFIX "decl %0"
6970 + asm volatile(LOCK_PREFIX "decl %0\n"
6972 +#ifdef CONFIG_PAX_REFCOUNT
6974 + LOCK_PREFIX "incl %0\n"
6976 + _ASM_EXTABLE(0b, 0b)
6979 + : "+m" (v->counter));
6983 + * atomic_dec_unchecked - decrement atomic variable
6984 + * @v: pointer of type atomic_t
6986 + * Atomically decrements @v by 1.
6988 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6990 + asm volatile(LOCK_PREFIX "decl %0\n"
6991 : "+m" (v->counter));
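Review bot: The kernel-doc for `atomic_dec_unchecked()` says `@v: pointer of type atomic_t`, but the prototype takes `atomic_unchecked_t *v`; `atomic_inc_unchecked()` just above documents its parameter correctly. Change it to `* @v: pointer of type atomic_unchecked_t`.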
6994 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6998 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6999 + asm volatile(LOCK_PREFIX "decl %0\n"
7001 +#ifdef CONFIG_PAX_REFCOUNT
7003 + LOCK_PREFIX "incl %0\n"
7005 + _ASM_EXTABLE(0b, 0b)
7009 : "+m" (v->counter), "=qm" (c)
7012 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
7016 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
7017 + asm volatile(LOCK_PREFIX "incl %0\n"
7019 +#ifdef CONFIG_PAX_REFCOUNT
7021 + LOCK_PREFIX "decl %0\n"
7023 + _ASM_EXTABLE(0b, 0b)
7027 : "+m" (v->counter), "=qm" (c)
7030 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
7034 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
7035 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
7037 +#ifdef CONFIG_PAX_REFCOUNT
7039 + LOCK_PREFIX "subl %2,%0\n"
7041 + _ASM_EXTABLE(0b, 0b)
7045 : "+m" (v->counter), "=qm" (c)
7046 : "ir" (i) : "memory");
7048 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
7050 /* Modern 486+ processor */
7052 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
7054 +#ifdef CONFIG_PAX_REFCOUNT
7058 + _ASM_EXTABLE(0b, 0b)
7061 + : "+r" (i), "+m" (v->counter)
7066 +no_xadd: /* Legacy 386 processor */
7067 + local_irq_save(flags);
7068 + __i = atomic_read(v);
7069 + atomic_set(v, i + __i);
7070 + local_irq_restore(flags);
7076 + * atomic_add_return_unchecked - add integer and return
7077 + * @v: pointer of type atomic_unchecked_t
7078 + * @i: integer value to add
7080 + * Atomically adds @i to @v and returns @i + @v
7082 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
7086 + unsigned long flags;
7087 + if (unlikely(boot_cpu_data.x86 <= 3))
7090 + /* Modern 486+ processor */
7092 asm volatile(LOCK_PREFIX "xaddl %0, %1"
7093 : "+r" (i), "+m" (v->counter)
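Review bot: The `no_xadd:` legacy-386 fallback (`__i = atomic_read(v); atomic_set(v, i + __i);`) in the checked `atomic_add_return()` performs the addition in plain C with no overflow detection, so on a CONFIG_M386 build the PAX_REFCOUNT protection this hunk adds to the `xaddl` path is silently absent; the `#ifdef` guarding that path is not visible here, so this is inferred from the labels. Either document it (`/* no overflow check on the 386 path: refcount protection needs xadd */`) or mirror the asm path with a C-level check before `atomic_set()`, e.g. `if (unlikely((i > 0 && __i > INT_MAX - i) || (i < 0 && __i < INT_MIN - i)))` followed by the same reporting the `int $4` path uses. Both `atomic_add_return()` and `atomic_add_return_unchecked()` extend outside this hunk.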
7095 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
7098 #define atomic_inc_return(v) (atomic_add_return(1, v))
7099 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
7101 + return atomic_add_return_unchecked(1, v);
7103 #define atomic_dec_return(v) (atomic_sub_return(1, v))
7105 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
7106 @@ -231,21 +418,77 @@ static inline int atomic_xchg(atomic_t *
7108 static inline int atomic_add_unless(atomic_t *v, int a, int u)
7114 - if (unlikely(c == (u)))
7115 + if (unlikely(c == u))
7117 - old = atomic_cmpxchg((v), c, c + (a));
7119 + asm volatile("addl %2,%0\n"
7121 +#ifdef CONFIG_PAX_REFCOUNT
7125 + _ASM_EXTABLE(0b, 0b)
7129 + : "0" (c), "ir" (a));
7131 + old = atomic_cmpxchg(v, c, new);
7132 if (likely(old == c))
7140 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
7143 + * atomic_inc_not_zero_hint - increment if not null
7144 + * @v: pointer of type atomic_t
7145 + * @hint: probable value of the atomic before the increment
7147 + * This version of atomic_inc_not_zero() gives a hint of probable
7148 + * value of the atomic. This helps processor to not read the memory
7149 + * before doing the atomic read/modify/write cycle, lowering
7150 + * number of bus transactions on some arches.
7152 + * Returns: 0 if increment was not done, 1 otherwise.
7154 +#define atomic_inc_not_zero_hint atomic_inc_not_zero_hint
7155 +static inline int atomic_inc_not_zero_hint(atomic_t *v, int hint)
7157 + int val, c = hint, new;
7159 + /* sanity test, should be removed by compiler if hint is a constant */
7161 + return atomic_inc_not_zero(v);
7164 + asm volatile("incl %0\n"
7166 +#ifdef CONFIG_PAX_REFCOUNT
7170 + _ASM_EXTABLE(0b, 0b)
7176 + val = atomic_cmpxchg(v, c, new);
7186 * atomic_dec_if_positive - decrement by 1 if old value positive
7187 * @v: pointer of type atomic_t
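Review bot: `atomic_inc_not_zero_hint()` documents itself as `increment if not null`, but the operation compares an integer against zero, not a pointer against NULL; `* atomic_inc_not_zero_hint - increment if not zero` matches the function name and the `atomic_inc_not_zero()` macro it falls back to. Style: `int val, c = hint, new;` buries an initializer in the middle of a three-name declaration; `int c = hint;` on its own line, with `int val, new;` separately, reads more clearly. The cmpxchg loop of `atomic_inc_not_zero_hint()` is only partly visible here.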
7188 diff -urNp linux-2.6.38.1/arch/x86/include/asm/bitops.h linux-2.6.38.1-new/arch/x86/include/asm/bitops.h
7189 --- linux-2.6.38.1/arch/x86/include/asm/bitops.h 2011-03-14 21:20:32.000000000 -0400
7190 +++ linux-2.6.38.1-new/arch/x86/include/asm/bitops.h 2011-03-21 18:31:35.000000000 -0400
7192 * a mask operation on a byte.
7194 #define IS_IMMEDIATE(nr) (__builtin_constant_p(nr))
7195 -#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((void *)(addr) + ((nr)>>3))
7196 +#define CONST_MASK_ADDR(nr, addr) BITOP_ADDR((volatile void *)(addr) + ((nr)>>3))
7197 #define CONST_MASK(nr) (1 << ((nr) & 7))
7200 diff -urNp linux-2.6.38.1/arch/x86/include/asm/boot.h linux-2.6.38.1-new/arch/x86/include/asm/boot.h
7201 --- linux-2.6.38.1/arch/x86/include/asm/boot.h 2011-03-14 21:20:32.000000000 -0400
7202 +++ linux-2.6.38.1-new/arch/x86/include/asm/boot.h 2011-03-21 18:31:35.000000000 -0400
7204 #include <asm/pgtable_types.h>
7206 /* Physical address where kernel should be loaded. */
7207 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7208 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
7209 + (CONFIG_PHYSICAL_ALIGN - 1)) \
7210 & ~(CONFIG_PHYSICAL_ALIGN - 1))
7212 +#ifndef __ASSEMBLY__
7213 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
7214 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
7217 /* Minimum kernel alignment, as a power of two */
7218 #ifdef CONFIG_X86_64
7219 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7220 diff -urNp linux-2.6.38.1/arch/x86/include/asm/cacheflush.h linux-2.6.38.1-new/arch/x86/include/asm/cacheflush.h
7221 --- linux-2.6.38.1/arch/x86/include/asm/cacheflush.h 2011-03-14 21:20:32.000000000 -0400
7222 +++ linux-2.6.38.1-new/arch/x86/include/asm/cacheflush.h 2011-03-21 18:31:35.000000000 -0400
7223 @@ -26,7 +26,7 @@ static inline unsigned long get_page_mem
7224 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7226 if (pg_flags == _PGMT_DEFAULT)
7229 else if (pg_flags == _PGMT_WC)
7230 return _PAGE_CACHE_WC;
7231 else if (pg_flags == _PGMT_UC_MINUS)
7232 diff -urNp linux-2.6.38.1/arch/x86/include/asm/cache.h linux-2.6.38.1-new/arch/x86/include/asm/cache.h
7233 --- linux-2.6.38.1/arch/x86/include/asm/cache.h 2011-03-14 21:20:32.000000000 -0400
7234 +++ linux-2.6.38.1-new/arch/x86/include/asm/cache.h 2011-03-21 18:31:35.000000000 -0400
7236 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7238 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7239 +#define __read_only __attribute__((__section__(".data..read_only")))
7241 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7242 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7243 diff -urNp linux-2.6.38.1/arch/x86/include/asm/checksum_32.h linux-2.6.38.1-new/arch/x86/include/asm/checksum_32.h
7244 --- linux-2.6.38.1/arch/x86/include/asm/checksum_32.h 2011-03-14 21:20:32.000000000 -0400
7245 +++ linux-2.6.38.1-new/arch/x86/include/asm/checksum_32.h 2011-03-21 18:31:35.000000000 -0400
7246 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7247 int len, __wsum sum,
7248 int *src_err_ptr, int *dst_err_ptr);
7250 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7251 + int len, __wsum sum,
7252 + int *src_err_ptr, int *dst_err_ptr);
7254 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7255 + int len, __wsum sum,
7256 + int *src_err_ptr, int *dst_err_ptr);
7259 * Note: when you get a NULL pointer exception here this means someone
7260 * passed in an incorrect kernel address to one of these functions.
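Review bot: The new prototypes `csum_partial_copy_generic_to_user()` and `csum_partial_copy_generic_from_user()` declare both buffers as plain kernel pointers, so the `(__force void *)` casts at the call sites later in this file stay necessary and sparse cannot check that only the intended side is a user pointer. Since each variant is dedicated to one direction, annotate that side, e.g. `asmlinkage __wsum csum_partial_copy_generic_from_user(const void __user *src, void *dst, ...)` and `void __user *dst` for the `_to_user` variant, and drop the `__force` casts from the callers. The asm implementations live elsewhere, so the annotation is purely for static checking and changes no code.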
7261 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7265 - return csum_partial_copy_generic((__force void *)src, dst,
7266 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7267 len, sum, err_ptr, NULL);
7270 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7273 if (access_ok(VERIFY_WRITE, dst, len))
7274 - return csum_partial_copy_generic(src, (__force void *)dst,
7275 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7276 len, sum, NULL, err_ptr);
7279 diff -urNp linux-2.6.38.1/arch/x86/include/asm/cpufeature.h linux-2.6.38.1-new/arch/x86/include/asm/cpufeature.h
7280 --- linux-2.6.38.1/arch/x86/include/asm/cpufeature.h 2011-03-14 21:20:32.000000000 -0400
7281 +++ linux-2.6.38.1-new/arch/x86/include/asm/cpufeature.h 2011-03-21 18:31:35.000000000 -0400
7282 @@ -349,7 +349,7 @@ static __always_inline __pure bool __sta
7283 ".section .discard,\"aw\",@progbits\n"
7284 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7286 - ".section .altinstr_replacement,\"ax\"\n"
7287 + ".section .altinstr_replacement,\"a\"\n"
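Review bot: Changing the flags to `".section .altinstr_replacement,\"a\"\n"` only works if every other place that opens `.altinstr_replacement` (the `alternative()` macros and any `.S` files) uses the same flags; mixing `"a"` and `"ax"` for one section name makes the assembler or linker complain about the flag mismatch, and none of those sites are visible here. The change itself is sound, since `apply_alternatives()` only copies bytes out of that section and never executes it in place. A one-line comment would preserve that reasoning: `/* replacement bytes are only copied, never executed in place: no X flag */`.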
7291 diff -urNp linux-2.6.38.1/arch/x86/include/asm/desc_defs.h linux-2.6.38.1-new/arch/x86/include/asm/desc_defs.h
7292 --- linux-2.6.38.1/arch/x86/include/asm/desc_defs.h 2011-03-14 21:20:32.000000000 -0400
7293 +++ linux-2.6.38.1-new/arch/x86/include/asm/desc_defs.h 2011-03-21 18:31:35.000000000 -0400
7294 @@ -31,6 +31,12 @@ struct desc_struct {
7295 unsigned base1: 8, type: 4, s: 1, dpl: 2, p: 1;
7296 unsigned limit: 4, avl: 1, l: 1, d: 1, g: 1, base2: 8;
7301 + unsigned reserved: 8, type: 4, s: 1, dpl: 2, p: 1;
7302 + unsigned offset_high: 16;
7305 } __attribute__((packed));
7307 diff -urNp linux-2.6.38.1/arch/x86/include/asm/desc.h linux-2.6.38.1-new/arch/x86/include/asm/desc.h
7308 --- linux-2.6.38.1/arch/x86/include/asm/desc.h 2011-03-14 21:20:32.000000000 -0400
7309 +++ linux-2.6.38.1-new/arch/x86/include/asm/desc.h 2011-03-21 18:31:35.000000000 -0400
7311 #include <asm/desc_defs.h>
7312 #include <asm/ldt.h>
7313 #include <asm/mmu.h>
7314 +#include <asm/pgtable.h>
7315 #include <linux/smp.h>
7317 static inline void fill_ldt(struct desc_struct *desc,
7318 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7319 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7320 desc->type = (info->read_exec_only ^ 1) << 1;
7321 desc->type |= info->contents << 2;
7322 + desc->type |= info->seg_not_present ^ 1;
7325 desc->p = info->seg_not_present ^ 1;
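Review bot: The added `desc->type |= info->seg_not_present ^ 1;` sets the accessed bit (bit 0 of the type field) for present segments, and the motivation is non-obvious: with the bit already set, the CPU never has to write the descriptor on first load, which matters once the GDT/LDT is mapped read-only. A comment saves the next reader a trip to the SDM: `/* preset the accessed bit so the CPU never has to write the (possibly read-only) descriptor */`. `fill_ldt()` continues outside this hunk.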
7326 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7329 extern struct desc_ptr idt_descr;
7330 -extern gate_desc idt_table[];
7333 - struct desc_struct gdt[GDT_ENTRIES];
7334 -} __attribute__((aligned(PAGE_SIZE)));
7335 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7336 +extern gate_desc idt_table[256];
7338 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7339 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7341 - return per_cpu(gdt_page, cpu).gdt;
7342 + return cpu_gdt_table[cpu];
7345 #ifdef CONFIG_X86_64
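Review bot: `extern gate_desc idt_table[256];` hard-codes the vector count that the kernel already names; if `NR_VECTORS` is reachable from this header, `extern gate_desc idt_table[NR_VECTORS];` ties the declaration to the real table size, otherwise at least comment that 256 is the architectural IDT maximum. `get_cpu_gdt_table()` now indexes `cpu_gdt_table[cpu]` with no bound check, which is fine for the `smp_processor_id()` callers, but the previous per-cpu `gdt_page` also gave each CPU's GDT NUMA-local placement, which a flat `[NR_CPUS]` array gives up. If that is a deliberate trade for a fixed-address, read-only GDT, a comment on `cpu_gdt_table` should say so.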
7346 @@ -65,9 +63,14 @@ static inline void pack_gate(gate_desc *
7347 unsigned long base, unsigned dpl, unsigned flags,
7350 - gate->a = (seg << 16) | (base & 0xffff);
7351 - gate->b = (base & 0xffff0000) |
7352 - (((0x80 | type | (dpl << 5)) & 0xff) << 8);
7353 + gate->gate.offset_low = base;
7354 + gate->gate.seg = seg;
7355 + gate->gate.reserved = 0;
7356 + gate->gate.type = type;
7358 + gate->gate.dpl = dpl;
7360 + gate->gate.offset_high = base >> 16;
7364 @@ -115,19 +118,24 @@ static inline void paravirt_free_ldt(str
7365 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7366 const gate_desc *gate)
7368 + pax_open_kernel();
7369 memcpy(&idt[entry], gate, sizeof(*gate));
7370 + pax_close_kernel();
7373 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7376 + pax_open_kernel();
7377 memcpy(&ldt[entry], desc, 8);
7378 + pax_close_kernel();
7381 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7382 const void *desc, int type)
7388 size = sizeof(tss_desc);
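Review bot: Wrapping each `memcpy()` in `pax_open_kernel()`/`pax_close_kernel()` makes the descriptor tables writable for the duration of the copy; if those helpers work by clearing CR0.WP (the `GET_CR0_INTO_RDI`/`SET_RDI_INTO_CR0` macros this patch adds to irqflags.h suggest so), the open window must not be entered by an interrupt path that assumes WP is set, and the pair must be balanced on every path. The helpers are not visible here, so the minimum is a comment at the first use: `/* the IDT/GDT/LDT are read-only; open a write window only for the copy */`. `native_write_gdt_entry()` begins in this hunk and continues in the next.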
7389 @@ -139,7 +147,10 @@ static inline void native_write_gdt_entr
7390 size = sizeof(struct desc_struct);
7394 + pax_open_kernel();
7395 memcpy(&gdt[entry], desc, size);
7396 + pax_close_kernel();
7399 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7400 @@ -211,7 +222,9 @@ static inline void native_set_ldt(const
7402 static inline void native_load_tr_desc(void)
7404 + pax_open_kernel();
7405 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7406 + pax_close_kernel();
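Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair around `ltr` looks redundant at first sight because `ltr` is a register load, and the reason is hidden: `ltr` sets the busy bit in the TSS descriptor, which is a write into the GDT, so a read-only GDT would fault. A comment keeps the next reader from removing the pair: `/* ltr marks the TSS descriptor busy: that is a write into the (read-only) GDT */`.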
7409 static inline void native_load_gdt(const struct desc_ptr *dtr)
7410 @@ -246,8 +259,10 @@ static inline void native_load_tls(struc
7412 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7414 + pax_open_kernel();
7415 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7416 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7417 + pax_close_kernel();
7420 #define _LDT_empty(info) \
7421 @@ -309,7 +324,7 @@ static inline void set_desc_limit(struct
7422 desc->limit = (limit >> 16) & 0xf;
7425 -static inline void _set_gate(int gate, unsigned type, void *addr,
7426 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7427 unsigned dpl, unsigned ist, unsigned seg)
7430 @@ -327,7 +342,7 @@ static inline void _set_gate(int gate, u
7431 * Pentium F0 0F bugfix can have resulted in the mapped
7432 * IDT being write-protected.
7434 -static inline void set_intr_gate(unsigned int n, void *addr)
7435 +static inline void set_intr_gate(unsigned int n, const void *addr)
7437 BUG_ON((unsigned)n > 0xFF);
7438 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7439 @@ -356,19 +371,19 @@ static inline void alloc_intr_gate(unsig
7441 * This routine sets up an interrupt gate at directory privilege level 3.
7443 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7444 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7446 BUG_ON((unsigned)n > 0xFF);
7447 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7450 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7451 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7453 BUG_ON((unsigned)n > 0xFF);
7454 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7457 -static inline void set_trap_gate(unsigned int n, void *addr)
7458 +static inline void set_trap_gate(unsigned int n, const void *addr)
7460 BUG_ON((unsigned)n > 0xFF);
7461 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7462 @@ -377,19 +392,31 @@ static inline void set_trap_gate(unsigne
7463 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7465 BUG_ON((unsigned)n > 0xFF);
7466 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7467 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7470 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7471 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7473 BUG_ON((unsigned)n > 0xFF);
7474 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7477 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7478 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7480 BUG_ON((unsigned)n > 0xFF);
7481 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7484 +#ifdef CONFIG_X86_32
7485 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7487 + struct desc_struct d;
7489 + if (likely(limit))
7490 + limit = (limit - 1UL) >> PAGE_SHIFT;
7491 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7492 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7496 #endif /* _ASM_X86_DESC_H */
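Review bot: `pack_descriptor(&d, base, limit, 0xFB, 0xC)` in the new `set_user_cs()` uses two magic bytes; a decoding comment, `/* 0xFB: P=1 DPL=3 S=1 type=0xB (exec/read, accessed); 0xC: G=1 D=1 */`, is the minimum. The `if (likely(limit))` guard also leaves a subtle case undocumented: with G=1 a descriptor limit of 0 still covers the first 4K, so passing `limit == 0` does not produce an empty segment. If zero is meant as "no limit" or "disabled", say so (`/* limit 0 yields a 4K segment, not an empty one */`) or handle it explicitly.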
7497 diff -urNp linux-2.6.38.1/arch/x86/include/asm/device.h linux-2.6.38.1-new/arch/x86/include/asm/device.h
7498 --- linux-2.6.38.1/arch/x86/include/asm/device.h 2011-03-14 21:20:32.000000000 -0400
7499 +++ linux-2.6.38.1-new/arch/x86/include/asm/device.h 2011-03-21 18:31:35.000000000 -0400
7500 @@ -6,7 +6,7 @@ struct dev_archdata {
7503 #ifdef CONFIG_X86_64
7504 -struct dma_map_ops *dma_ops;
7505 + const struct dma_map_ops *dma_ops;
7507 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7508 void *iommu; /* hook for IOMMU specific extension */
7509 diff -urNp linux-2.6.38.1/arch/x86/include/asm/dma-mapping.h linux-2.6.38.1-new/arch/x86/include/asm/dma-mapping.h
7510 --- linux-2.6.38.1/arch/x86/include/asm/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
7511 +++ linux-2.6.38.1-new/arch/x86/include/asm/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
7512 @@ -26,9 +26,9 @@ extern int iommu_merge;
7513 extern struct device x86_dma_fallback_dev;
7514 extern int panic_on_overflow;
7516 -extern struct dma_map_ops *dma_ops;
7517 +extern const struct dma_map_ops *dma_ops;
7519 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7520 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7522 #ifdef CONFIG_X86_32
7524 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7525 /* Make sure we keep the same behaviour */
7526 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7528 - struct dma_map_ops *ops = get_dma_ops(dev);
7529 + const struct dma_map_ops *ops = get_dma_ops(dev);
7530 if (ops->mapping_error)
7531 return ops->mapping_error(dev, dma_addr);
7533 @@ -115,7 +115,7 @@ static inline void *
7534 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7537 - struct dma_map_ops *ops = get_dma_ops(dev);
7538 + const struct dma_map_ops *ops = get_dma_ops(dev);
7541 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7542 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7543 static inline void dma_free_coherent(struct device *dev, size_t size,
7544 void *vaddr, dma_addr_t bus)
7546 - struct dma_map_ops *ops = get_dma_ops(dev);
7547 + const struct dma_map_ops *ops = get_dma_ops(dev);
7549 WARN_ON(irqs_disabled()); /* for portability */
7551 diff -urNp linux-2.6.38.1/arch/x86/include/asm/e820.h linux-2.6.38.1-new/arch/x86/include/asm/e820.h
7552 --- linux-2.6.38.1/arch/x86/include/asm/e820.h 2011-03-14 21:20:32.000000000 -0400
7553 +++ linux-2.6.38.1-new/arch/x86/include/asm/e820.h 2011-03-21 18:31:35.000000000 -0400
7554 @@ -69,7 +69,7 @@ struct e820map {
7555 #define ISA_START_ADDRESS 0xa0000
7556 #define ISA_END_ADDRESS 0x100000
7558 -#define BIOS_BEGIN 0x000a0000
7559 +#define BIOS_BEGIN 0x000c0000
7560 #define BIOS_END 0x00100000
7562 #define BIOS_ROM_BASE 0xffe00000
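Review bot: Moving `BIOS_BEGIN` from `0x000a0000` to `0x000c0000` silently excludes the legacy VGA framebuffer (0xa0000-0xbffff) from what the kernel treats as BIOS space; the likely reason is that the framebuffer must stay writable while the ROM area from 0xc0000 is what receives a read-only/executable mapping, but nothing in the header says so. Add a comment next to the define: `/* 0xa0000-0xbffff is the VGA framebuffer; only the option/system ROM area from 0xc0000 counts as BIOS */`. Every user of `BIOS_BEGIN` outside this header should be checked for reliance on the old value.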
7563 diff -urNp linux-2.6.38.1/arch/x86/include/asm/elf.h linux-2.6.38.1-new/arch/x86/include/asm/elf.h
7564 --- linux-2.6.38.1/arch/x86/include/asm/elf.h 2011-03-14 21:20:32.000000000 -0400
7565 +++ linux-2.6.38.1-new/arch/x86/include/asm/elf.h 2011-03-21 18:31:35.000000000 -0400
7566 @@ -237,7 +237,25 @@ extern int force_personality32;
7567 the loader. We need to make sure that it is out of the way of the program
7568 that it will "exec", and that there is sufficient room for the brk. */
7570 +#ifdef CONFIG_PAX_SEGMEXEC
7571 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7573 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7576 +#ifdef CONFIG_PAX_ASLR
7577 +#ifdef CONFIG_X86_32
7578 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7580 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7581 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7583 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7585 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7586 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7590 /* This yields a mask that user programs can use to figure out what
7591 instruction set this CPU supports. This could be done in user space,
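Review bot: The new `PAX_ELF_ET_DYN_BASE`/`PAX_DELTA_MMAP_LEN`/`PAX_DELTA_STACK_LEN` values carry no unit: the x86-64 expression `TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3` reads as a count of page-granular address bits, which suggests the `15`/`16` on 32-bit are bit counts too, but a reader cannot tell from this header alone. A short comment would settle it: `/* PAX_DELTA_*_LEN: number of random bits applied to the page-aligned mmap/stack base; PAX_ELF_ET_DYN_BASE: lowest address a PIE may be loaded at */`, hedged here because the consumers are outside this file. The SEGMEXEC form of `ELF_ET_DYN_BASE` reads `current->mm->pax_flags`, so it is only meaningful in exec context where `current->mm` is valid; worth stating next to it.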
7592 @@ -291,8 +309,7 @@ do { \
7593 #define ARCH_DLINFO \
7596 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7597 - (unsigned long)current->mm->context.vdso); \
7598 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7601 #define AT_SYSINFO 32
7602 @@ -303,7 +320,7 @@ do { \
7604 #endif /* !CONFIG_X86_32 */
7606 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7607 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7609 #define VDSO_ENTRY \
7610 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7611 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7612 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7613 #define compat_arch_setup_additional_pages syscall32_setup_pages
7615 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7616 -#define arch_randomize_brk arch_randomize_brk
7618 #endif /* _ASM_X86_ELF_H */
7619 diff -urNp linux-2.6.38.1/arch/x86/include/asm/futex.h linux-2.6.38.1-new/arch/x86/include/asm/futex.h
7620 --- linux-2.6.38.1/arch/x86/include/asm/futex.h 2011-03-14 21:20:32.000000000 -0400
7621 +++ linux-2.6.38.1-new/arch/x86/include/asm/futex.h 2011-03-21 18:31:35.000000000 -0400
7623 #include <asm/system.h>
7625 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7626 + typecheck(u32 *, uaddr); \
7627 asm volatile("1:\t" insn "\n" \
7628 "2:\t.section .fixup,\"ax\"\n" \
7629 "3:\tmov\t%3, %1\n" \
7632 _ASM_EXTABLE(1b, 3b) \
7633 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7634 + : "=r" (oldval), "=r" (ret), "+m" (*(u32 *)____m(uaddr))\
7635 : "i" (-EFAULT), "0" (oparg), "1" (0))
7637 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7638 + typecheck(u32 *, uaddr); \
7639 asm volatile("1:\tmovl %2, %0\n" \
7640 "\tmovl\t%0, %3\n" \
7643 _ASM_EXTABLE(1b, 4b) \
7644 _ASM_EXTABLE(2b, 4b) \
7645 : "=&a" (oldval), "=&r" (ret), \
7646 - "+m" (*uaddr), "=&r" (tem) \
7647 + "+m" (*(u32 *)____m(uaddr)), "=&r" (tem) \
7648 : "r" (oparg), "i" (-EFAULT), "1" (0))
7650 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7651 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7653 int op = (encoded_op >> 28) & 7;
7654 int cmp = (encoded_op >> 24) & 15;
7655 @@ -61,10 +63,10 @@ static inline int futex_atomic_op_inuser
7659 - __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7660 + __futex_atomic_op1(__copyuser_seg"xchgl %0, %2", ret, oldval, uaddr, oparg);
7663 - __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7664 + __futex_atomic_op1(LOCK_PREFIX __copyuser_seg"xaddl %0, %2", ret, oldval,
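Review bot: The `__copyuser_seg` prefix is spliced into the two `__futex_atomic_op1()` call sites here, but the `movl %2, %0` load and the `cmpxchgl` inside `__futex_atomic_op2()` (used for the or/and/xor ops, defined earlier in this file) touch user memory the same way; under UDEREF the segment override has to cover every user-memory access, not only xchg and xadd. Please confirm `__futex_atomic_op2()` carries the same prefix on those instructions, otherwise the and/or/xor futex ops fault or read through the wrong segment. `futex_atomic_op_inuser()` extends outside this hunk.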
7668 @@ -109,7 +111,7 @@ static inline int futex_atomic_op_inuser
7672 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7673 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7677 @@ -119,16 +121,16 @@ static inline int futex_atomic_cmpxchg_i
7681 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7682 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7685 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7686 + asm volatile("1:\t" LOCK_PREFIX __copyuser_seg"cmpxchgl %3, %1\n"
7687 "2:\t.section .fixup, \"ax\"\n"
7691 _ASM_EXTABLE(1b, 3b)
7692 - : "=a" (oldval), "+m" (*uaddr)
7693 + : "=a" (oldval), "+m" (*(u32 *)____m(uaddr))
7694 : "i" (-EFAULT), "r" (newval), "0" (oldval)
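Review bot: The operand `"+m" (*(u32 *)____m(uaddr))` casts a `u32 __user *` to a plain `u32 *` without `__force`, which sparse reports as a cast that removes the address space unless `____m()` already strips it; the same pattern appears in the two macro operands changed earlier in this file. Use `"+m" (*(u32 __force *)____m(uaddr))` so the intent (this asm is the one place user memory is legitimately touched) is explicit and the warning goes away. `oldval`/`newval` stay `int` while the memory is now `u32`; that matches the existing in-band `-EFAULT` return and is out of scope here.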
7697 diff -urNp linux-2.6.38.1/arch/x86/include/asm/i387.h linux-2.6.38.1-new/arch/x86/include/asm/i387.h
7698 --- linux-2.6.38.1/arch/x86/include/asm/i387.h 2011-03-14 21:20:32.000000000 -0400
7699 +++ linux-2.6.38.1-new/arch/x86/include/asm/i387.h 2011-03-21 18:31:35.000000000 -0400
7700 @@ -92,6 +92,11 @@ static inline int fxrstor_checking(struc
7704 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7705 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7706 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7709 /* See comment in fxsave() below. */
7710 #ifdef CONFIG_AS_FXSAVEQ
7711 asm volatile("1: fxrstorq %[fx]\n\t"
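Review bot: The added `if ((unsigned long)fx < PAX_USER_SHADOW_BASE)` rebasing decides by raw address whether `fx` is a user pointer, which is surprising in a function whose parameter is a kernel pointer type; the reader needs to know that under UDEREF on x86-64 user memory is reachable only through the shadow mapping at `PAX_USER_SHADOW_BASE`, and that kernel addresses already lie above it. Add a comment: `/* UDEREF: user buffers are only mapped at +PAX_USER_SHADOW_BASE; kernel addresses lie above it and pass through unchanged */`. `fxrstor_checking()` continues outside this hunk.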
7712 @@ -121,6 +126,11 @@ static inline int fxsave_user(struct i38
7716 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7717 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7718 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7722 * Clear the bytes not touched by the fxsave and reserved
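Review bot: This is the second copy of the same four-line UDEREF rebasing block in this file (`fxrstor_checking()` has an identical one a few lines up with a different pointer type), which is how such checks drift apart; one helper keeps the `< PAX_USER_SHADOW_BASE` comparison in a single place. The helper below, with each call site reduced to `fx = (struct i387_fxsave_struct __user *)pax_user_shadow((unsigned long)fx);`, would do, using the same `#if` guard as both sites. `fxsave_user()` continues outside this hunk.
```c
#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
/* UDEREF: user addresses below the shadow base are only reachable via the shadow mapping */
static inline unsigned long pax_user_shadow(unsigned long addr)
{
	return addr < PAX_USER_SHADOW_BASE ? addr + PAX_USER_SHADOW_BASE : addr;
}
#endif
```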
7724 @@ -213,13 +223,8 @@ static inline void fpu_fxsave(struct fpu
7725 #endif /* CONFIG_X86_64 */
7727 /* We need a safe address that is cheap to find and that is already
7728 - in L1 during context switch. The best choices are unfortunately
7729 - different for UP and SMP */
7731 -#define safe_address (__per_cpu_offset[0])
7733 -#define safe_address (kstat_cpu(0).cpustat.user)
7735 + in L1 during context switch. */
7736 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7739 * These must be called with preempt disabled
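Review bot: The new `safe_address` reads `init_tss[smp_processor_id()].x86_tss.sp0`, which is only stable with preemption disabled; the context line `These must be called with preempt disabled` covers the callers, but the comment above the define should state the new requirement and why the TSS was chosen. Suggested replacement for the trailing comment: `/* ... in L1 during context switch: the current CPU's TSS is always mapped and hot, but reading it requires preemption to be disabled. */`. The old UP/SMP choice was removed along with its `#ifdef`, so nothing else in this hunk needs to change.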
7740 diff -urNp linux-2.6.38.1/arch/x86/include/asm/io.h linux-2.6.38.1-new/arch/x86/include/asm/io.h
7741 --- linux-2.6.38.1/arch/x86/include/asm/io.h 2011-03-14 21:20:32.000000000 -0400
7742 +++ linux-2.6.38.1-new/arch/x86/include/asm/io.h 2011-03-21 18:31:35.000000000 -0400
7743 @@ -216,6 +216,17 @@ extern void set_iounmap_nonlazy(void);
7745 #include <linux/vmalloc.h>
7747 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7748 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7750 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7753 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7755 + return (pfn + (count >> PAGE_SHIFT)) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7759 * Convert a virtual cached pointer to an uncached pointer
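Review bot: `valid_phys_addr_range()` computes `addr + count + PAGE_SIZE - 1` without checking for wrap-around, so a /dev/mem caller (the consumer of `ARCH_HAS_VALID_PHYS_ADDR_RANGE`) that picks an offset near the top of the address space with a count that wraps the sum gets a small value that passes the `<` test, while the range it then touches is nowhere near the validated page. Reject wrapping ranges before the shift, as below; the check holds for every `count` callers can pass, since read/write sizes are bounded well below `SIZE_MAX - PAGE_SIZE`. `valid_mmap_phys_addr_range()` is safe as long as `count` is page-aligned, which is true for the mmap caller, but a comment saying so would help.
```c
static inline int valid_phys_addr_range(unsigned long addr, size_t count)
{
	unsigned long end = addr + count + PAGE_SIZE - 1;

	/* a range that wraps around the top of the address space is never valid */
	if (end < addr)
		return 0;
	return (end >> PAGE_SHIFT) < (1ULL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
}
```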
7761 diff -urNp linux-2.6.38.1/arch/x86/include/asm/iommu.h linux-2.6.38.1-new/arch/x86/include/asm/iommu.h
7762 --- linux-2.6.38.1/arch/x86/include/asm/iommu.h 2011-03-14 21:20:32.000000000 -0400
7763 +++ linux-2.6.38.1-new/arch/x86/include/asm/iommu.h 2011-03-21 18:31:35.000000000 -0400
7765 #ifndef _ASM_X86_IOMMU_H
7766 #define _ASM_X86_IOMMU_H
7768 -extern struct dma_map_ops nommu_dma_ops;
7769 +extern const struct dma_map_ops nommu_dma_ops;
7770 extern int force_iommu, no_iommu;
7771 extern int iommu_detected;
7772 extern int iommu_pass_through;
7773 diff -urNp linux-2.6.38.1/arch/x86/include/asm/irqflags.h linux-2.6.38.1-new/arch/x86/include/asm/irqflags.h
7774 --- linux-2.6.38.1/arch/x86/include/asm/irqflags.h 2011-03-14 21:20:32.000000000 -0400
7775 +++ linux-2.6.38.1-new/arch/x86/include/asm/irqflags.h 2011-03-21 18:31:35.000000000 -0400
7776 @@ -140,6 +140,11 @@ static inline unsigned long arch_local_i
7780 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7781 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7782 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7783 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7786 #define INTERRUPT_RETURN iret
7787 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7788 diff -urNp linux-2.6.38.1/arch/x86/include/asm/kvm_host.h linux-2.6.38.1-new/arch/x86/include/asm/kvm_host.h
7789 --- linux-2.6.38.1/arch/x86/include/asm/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
7790 +++ linux-2.6.38.1-new/arch/x86/include/asm/kvm_host.h 2011-03-21 18:31:35.000000000 -0400
7791 @@ -603,7 +603,7 @@ struct kvm_arch_async_pf {
7795 -extern struct kvm_x86_ops *kvm_x86_ops;
7796 +extern const struct kvm_x86_ops *kvm_x86_ops;
7798 int kvm_mmu_module_init(void);
7799 void kvm_mmu_module_exit(void);
7800 diff -urNp linux-2.6.38.1/arch/x86/include/asm/local.h linux-2.6.38.1-new/arch/x86/include/asm/local.h
7801 --- linux-2.6.38.1/arch/x86/include/asm/local.h 2011-03-14 21:20:32.000000000 -0400
7802 +++ linux-2.6.38.1-new/arch/x86/include/asm/local.h 2011-03-21 18:31:35.000000000 -0400
7803 @@ -18,26 +18,58 @@ typedef struct {
7805 static inline void local_inc(local_t *l)
7807 - asm volatile(_ASM_INC "%0"
7808 + asm volatile(_ASM_INC "%0\n"
7810 +#ifdef CONFIG_PAX_REFCOUNT
7814 + _ASM_EXTABLE(0b, 0b)
7817 : "+m" (l->a.counter));
7820 static inline void local_dec(local_t *l)
7822 - asm volatile(_ASM_DEC "%0"
7823 + asm volatile(_ASM_DEC "%0\n"
7825 +#ifdef CONFIG_PAX_REFCOUNT
7829 + _ASM_EXTABLE(0b, 0b)
7832 : "+m" (l->a.counter));
7835 static inline void local_add(long i, local_t *l)
7837 - asm volatile(_ASM_ADD "%1,%0"
7838 + asm volatile(_ASM_ADD "%1,%0\n"
7840 +#ifdef CONFIG_PAX_REFCOUNT
7842 + _ASM_SUB "%1,%0\n"
7844 + _ASM_EXTABLE(0b, 0b)
7847 : "+m" (l->a.counter)
7851 static inline void local_sub(long i, local_t *l)
7853 - asm volatile(_ASM_SUB "%1,%0"
7854 + asm volatile(_ASM_SUB "%1,%0\n"
7856 +#ifdef CONFIG_PAX_REFCOUNT
7858 + _ASM_ADD "%1,%0\n"
7860 + _ASM_EXTABLE(0b, 0b)
7863 : "+m" (l->a.counter)
7866 @@ -55,7 +87,16 @@ static inline int local_sub_and_test(lon
7870 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7871 + asm volatile(_ASM_SUB "%2,%0\n"
7873 +#ifdef CONFIG_PAX_REFCOUNT
7875 + _ASM_ADD "%2,%0\n"
7877 + _ASM_EXTABLE(0b, 0b)
7881 : "+m" (l->a.counter), "=qm" (c)
7882 : "ir" (i) : "memory");
7884 @@ -73,7 +114,16 @@ static inline int local_dec_and_test(loc
7888 - asm volatile(_ASM_DEC "%0; sete %1"
7889 + asm volatile(_ASM_DEC "%0\n"
7891 +#ifdef CONFIG_PAX_REFCOUNT
7895 + _ASM_EXTABLE(0b, 0b)
7899 : "+m" (l->a.counter), "=qm" (c)
7902 @@ -91,7 +141,16 @@ static inline int local_inc_and_test(loc
7906 - asm volatile(_ASM_INC "%0; sete %1"
7907 + asm volatile(_ASM_INC "%0\n"
7909 +#ifdef CONFIG_PAX_REFCOUNT
7913 + _ASM_EXTABLE(0b, 0b)
7917 : "+m" (l->a.counter), "=qm" (c)
7920 @@ -110,7 +169,16 @@ static inline int local_add_negative(lon
7924 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7925 + asm volatile(_ASM_ADD "%2,%0\n"
7927 +#ifdef CONFIG_PAX_REFCOUNT
7929 + _ASM_SUB "%2,%0\n"
7931 + _ASM_EXTABLE(0b, 0b)
7935 : "+m" (l->a.counter), "=qm" (c)
7936 : "ir" (i) : "memory");
7938 @@ -133,7 +201,15 @@ static inline long local_add_return(long
7940 /* Modern 486+ processor */
7942 - asm volatile(_ASM_XADD "%0, %1;"
7943 + asm volatile(_ASM_XADD "%0, %1\n"
7945 +#ifdef CONFIG_PAX_REFCOUNT
7947 + _ASM_MOV "%0,%1\n"
7949 + _ASM_EXTABLE(0b, 0b)
7952 : "+r" (i), "+m" (l->a.counter)
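Review bot: The overflow undo in `local_add_return()` at line 7947 appears to store the pre-add value left in `%0` by `xadd` straight back into the counter, and unlike the relative `_ASM_DEC`/`_ASM_SUB`/`_ASM_ADD` undos in the other operations that is an absolute write: an interrupt handler on this CPU that runs between the `xadd` and the `mov` and updates the same `local_t` has its update silently overwritten. `local_t` operations are meant to be safe against modification from interrupts on the same CPU, so the refcount path breaks that contract precisely on the overflow it is there to catch. Keeping the addend in a scratch register before the `xadd` and undoing with `_ASM_SUB "%[addend],%1\n"`, or not undoing at all and letting the trap handler act on the saturated value, would preserve interrupt safety. The `jno`/`int $4` lines between the two instructions are elided in this view, so the exact sequence is inferred from the visible store.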
7955 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mc146818rtc.h linux-2.6.38.1-new/arch/x86/include/asm/mc146818rtc.h
7956 --- linux-2.6.38.1/arch/x86/include/asm/mc146818rtc.h 2011-03-14 21:20:32.000000000 -0400
7957 +++ linux-2.6.38.1-new/arch/x86/include/asm/mc146818rtc.h 2011-03-21 18:31:35.000000000 -0400
7958 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7960 #define lock_cmos_prefix(reg) do {} while (0)
7961 #define lock_cmos_suffix(reg) do {} while (0)
7962 -#define lock_cmos(reg)
7963 -#define unlock_cmos()
7964 +#define lock_cmos(reg) do {} while (0)
7965 +#define unlock_cmos() do {} while (0)
7966 #define do_i_have_lock_cmos() 0
7967 #define current_lock_cmos_reg() 0
7969 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mce.h linux-2.6.38.1-new/arch/x86/include/asm/mce.h
7970 --- linux-2.6.38.1/arch/x86/include/asm/mce.h 2011-03-14 21:20:32.000000000 -0400
7971 +++ linux-2.6.38.1-new/arch/x86/include/asm/mce.h 2011-03-21 18:31:35.000000000 -0400
7972 @@ -198,7 +198,7 @@ int mce_notify_irq(void);
7973 void mce_notify_process(void);
7975 DECLARE_PER_CPU(struct mce, injectm);
7976 -extern struct file_operations mce_chrdev_ops;
7977 +extern struct file_operations mce_chrdev_ops; /* cannot be const, see arch/x86/kernel/cpu/mcheck/mce. */
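Review bot: The comment added at line 7977 is cut off — `see arch/x86/kernel/cpu/mcheck/mce.` ends in a bare directory prefix with no file name, so the reader is sent nowhere. Name the file (presumably `mce.c`) and, if that is the reason, say that the file writes to the struct at runtime, e.g. `/* cannot be const: arch/x86/kernel/cpu/mcheck/mce.c modifies it at runtime */`, so the next attempt to const-qualify it finds the justification in place.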
7981 diff -urNp linux-2.6.38.1/arch/x86/include/asm/microcode.h linux-2.6.38.1-new/arch/x86/include/asm/microcode.h
7982 --- linux-2.6.38.1/arch/x86/include/asm/microcode.h 2011-03-14 21:20:32.000000000 -0400
7983 +++ linux-2.6.38.1-new/arch/x86/include/asm/microcode.h 2011-03-21 18:31:35.000000000 -0400
7984 @@ -12,13 +12,13 @@ struct device;
7985 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7987 struct microcode_ops {
7988 - enum ucode_state (*request_microcode_user) (int cpu,
7989 + enum ucode_state (* const request_microcode_user) (int cpu,
7990 const void __user *buf, size_t size);
7992 - enum ucode_state (*request_microcode_fw) (int cpu,
7993 + enum ucode_state (* const request_microcode_fw) (int cpu,
7994 struct device *device);
7996 - void (*microcode_fini_cpu) (int cpu);
7997 + void (* const microcode_fini_cpu) (int cpu);
8000 * The generic 'microcode_core' part guarantees that
8001 @@ -38,16 +38,16 @@ struct ucode_cpu_info {
8002 extern struct ucode_cpu_info ucode_cpu_info[];
8004 #ifdef CONFIG_MICROCODE_INTEL
8005 -extern struct microcode_ops * __init init_intel_microcode(void);
8006 +extern const struct microcode_ops * __init init_intel_microcode(void);
8008 -static inline struct microcode_ops * __init init_intel_microcode(void)
8009 +static inline const struct microcode_ops * __init init_intel_microcode(void)
8013 #endif /* CONFIG_MICROCODE_INTEL */
8015 #ifdef CONFIG_MICROCODE_AMD
8016 -extern struct microcode_ops * __init init_amd_microcode(void);
8017 +extern const struct microcode_ops * __init init_amd_microcode(void);
8019 static inline void get_ucode_data(void *to, const u8 *from, size_t n)
8021 @@ -55,7 +55,7 @@ static inline void get_ucode_data(void *
8025 -static inline struct microcode_ops * __init init_amd_microcode(void)
8026 +static inline const struct microcode_ops * __init init_amd_microcode(void)
8030 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mman.h linux-2.6.38.1-new/arch/x86/include/asm/mman.h
8031 --- linux-2.6.38.1/arch/x86/include/asm/mman.h 2011-03-14 21:20:32.000000000 -0400
8032 +++ linux-2.6.38.1-new/arch/x86/include/asm/mman.h 2011-03-21 18:31:35.000000000 -0400
8035 #include <asm-generic/mman.h>
8038 +#ifndef __ASSEMBLY__
8039 +#ifdef CONFIG_X86_32
8040 +#define arch_mmap_check i386_mmap_check
8041 +int i386_mmap_check(unsigned long addr, unsigned long len,
8042 + unsigned long flags);
8047 #endif /* _ASM_X86_MMAN_H */
8048 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mmu_context.h linux-2.6.38.1-new/arch/x86/include/asm/mmu_context.h
8049 --- linux-2.6.38.1/arch/x86/include/asm/mmu_context.h 2011-03-14 21:20:32.000000000 -0400
8050 +++ linux-2.6.38.1-new/arch/x86/include/asm/mmu_context.h 2011-03-21 18:31:35.000000000 -0400
8051 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
8053 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
8056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8060 + pax_open_kernel();
8061 + pgd = get_cpu_pgd(smp_processor_id());
8062 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
8063 + if (paravirt_enabled())
8064 + set_pgd(pgd+i, native_make_pgd(0));
8066 + pgd[i] = native_make_pgd(0);
8067 + pax_close_kernel();
8071 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
8072 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
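Review bot: The UDEREF block added to `enter_lazy_tlb()` at lines 8058–8068 clears the shadow user PGD slots (`USER_PGD_PTRS .. 2*USER_PGD_PTRS`) of the per-CPU page directory in place but does not flush the TLB, so translations for the shadow range that this CPU has already cached survive until the next `load_cr3()`; while the kernel thread runs in lazy mode a stray kernel dereference of a shadow-offset user pointer can still succeed through a stale entry. If the intent is only that freshly walked accesses fail, say so in a comment; if the window is meant to be closed, a `__flush_tlb()` after the loop (the entries are non-global user mappings) does it at the cost of one flush per lazy switch. The `paravirt_enabled()` test could also be hoisted out of the loop. `enter_lazy_tlb()` continues past the hunk.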
8073 @@ -34,17 +49,30 @@ static inline void switch_mm(struct mm_s
8074 struct task_struct *tsk)
8076 unsigned cpu = smp_processor_id();
8077 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
8078 + int tlbstate = TLBSTATE_OK;
8081 if (likely(prev != next)) {
8083 +#ifdef CONFIG_X86_32
8084 + tlbstate = percpu_read(cpu_tlbstate.state);
8086 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8087 percpu_write(cpu_tlbstate.active_mm, next);
8089 cpumask_set_cpu(cpu, mm_cpumask(next));
8091 /* Re-load page tables */
8092 +#ifdef CONFIG_PAX_PER_CPU_PGD
8093 + pax_open_kernel();
8094 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8095 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8096 + pax_close_kernel();
8097 + load_cr3(get_cpu_pgd(cpu));
8099 load_cr3(next->pgd);
8102 /* stop flush ipis for the previous mm */
8103 cpumask_clear_cpu(cpu, mm_cpumask(prev));
8105 @@ -53,9 +81,38 @@ static inline void switch_mm(struct mm_s
8107 if (unlikely(prev->context.ldt != next->context.ldt))
8108 load_LDT_nolock(&next->context);
8111 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8112 + if (!(__supported_pte_mask & _PAGE_NX)) {
8113 + smp_mb__before_clear_bit();
8114 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
8115 + smp_mb__after_clear_bit();
8116 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8120 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8121 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
8122 + prev->context.user_cs_limit != next->context.user_cs_limit))
8123 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8125 + else if (unlikely(tlbstate != TLBSTATE_OK))
8126 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8133 +#ifdef CONFIG_PAX_PER_CPU_PGD
8134 + pax_open_kernel();
8135 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
8136 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
8137 + pax_close_kernel();
8138 + load_cr3(get_cpu_pgd(cpu));
8142 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8143 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
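Review bot: The `CONFIG_PAX_PER_CPU_PGD` block at lines 8133–8138 on the `prev == next` path re-clones the user PGDs and reloads CR3 on every switch to a task sharing the current mm — every thread-to-thread switch inside one process — and not only when this CPU is returning from lazy-TLB mode where `enter_lazy_tlb()` may have cleared the shadow slots; each `load_cr3()` is a full non-global TLB flush. The original reload on this path was confined to the `cpumask_test_and_set_cpu()` case, which the `#ifndef CONFIG_PAX_PER_CPU_PGD` further down now turns off. If the clone is only needed to undo `enter_lazy_tlb()`, testing `cpu_tlbstate.state` for `TLBSTATE_LAZY` before it is overwritten on the next line (or a per-CPU flag set in `enter_lazy_tlb()`) would confine the cost to that case. `switch_mm()` continues beyond this hunk, and `tlbstate` used at line 8125 is declared only under `CONFIG_X86_32 && CONFIG_SMP`, so that use presumably sits under a matching guard elided in this view.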
8145 @@ -64,11 +121,28 @@ static inline void switch_mm(struct mm_s
8146 * tlb flush IPI delivery. We must reload CR3
8147 * to make sure to use no freed page tables.
8150 +#ifndef CONFIG_PAX_PER_CPU_PGD
8151 load_cr3(next->pgd);
8154 load_LDT_nolock(&next->context);
8156 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8157 + if (!(__supported_pte_mask & _PAGE_NX))
8158 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8161 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8162 +#ifdef CONFIG_PAX_PAGEEXEC
8163 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8165 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8174 #define activate_mm(prev, next) \
8175 diff -urNp linux-2.6.38.1/arch/x86/include/asm/mmu.h linux-2.6.38.1-new/arch/x86/include/asm/mmu.h
8176 --- linux-2.6.38.1/arch/x86/include/asm/mmu.h 2011-03-14 21:20:32.000000000 -0400
8177 +++ linux-2.6.38.1-new/arch/x86/include/asm/mmu.h 2011-03-21 18:31:35.000000000 -0400
8179 * we put the segment information here.
8183 + struct desc_struct *ldt;
8187 + unsigned long vdso;
8189 +#ifdef CONFIG_X86_32
8190 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8191 + unsigned long user_cs_base;
8192 + unsigned long user_cs_limit;
8194 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8195 + cpumask_t cpu_user_cs_mask;
8204 diff -urNp linux-2.6.38.1/arch/x86/include/asm/module.h linux-2.6.38.1-new/arch/x86/include/asm/module.h
8205 --- linux-2.6.38.1/arch/x86/include/asm/module.h 2011-03-14 21:20:32.000000000 -0400
8206 +++ linux-2.6.38.1-new/arch/x86/include/asm/module.h 2011-03-21 18:31:35.000000000 -0400
8208 #error unknown processor family
8211 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8212 +#define MODULE_PAX_UDEREF "UDEREF "
8214 +#define MODULE_PAX_UDEREF ""
8217 #ifdef CONFIG_X86_32
8218 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY
8219 +# ifdef CONFIG_PAX_KERNEXEC
8220 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8222 +# define MODULE_PAX_KERNEXEC ""
8224 +# ifdef CONFIG_GRKERNSEC
8225 +# define MODULE_GRSEC "GRSECURITY "
8227 +# define MODULE_GRSEC ""
8229 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8231 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8234 #endif /* _ASM_X86_MODULE_H */
8235 diff -urNp linux-2.6.38.1/arch/x86/include/asm/page_64_types.h linux-2.6.38.1-new/arch/x86/include/asm/page_64_types.h
8236 --- linux-2.6.38.1/arch/x86/include/asm/page_64_types.h 2011-03-14 21:20:32.000000000 -0400
8237 +++ linux-2.6.38.1-new/arch/x86/include/asm/page_64_types.h 2011-03-21 18:31:35.000000000 -0400
8238 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8240 /* duplicated to the one in bootmem.h */
8241 extern unsigned long max_pfn;
8242 -extern unsigned long phys_base;
8243 +extern const unsigned long phys_base;
8245 extern unsigned long __phys_addr(unsigned long);
8246 #define __phys_reloc_hide(x) (x)
8247 diff -urNp linux-2.6.38.1/arch/x86/include/asm/paravirt.h linux-2.6.38.1-new/arch/x86/include/asm/paravirt.h
8248 --- linux-2.6.38.1/arch/x86/include/asm/paravirt.h 2011-03-14 21:20:32.000000000 -0400
8249 +++ linux-2.6.38.1-new/arch/x86/include/asm/paravirt.h 2011-03-21 18:31:35.000000000 -0400
8250 @@ -739,6 +739,21 @@ static inline void __set_fixmap(unsigned
8251 pv_mmu_ops.set_fixmap(idx, phys, flags);
8254 +#ifdef CONFIG_PAX_KERNEXEC
8255 +static inline unsigned long pax_open_kernel(void)
8257 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8260 +static inline unsigned long pax_close_kernel(void)
8262 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8265 +static inline unsigned long pax_open_kernel(void) { return 0; }
8266 +static inline unsigned long pax_close_kernel(void) { return 0; }
8269 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8271 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8272 @@ -955,7 +970,7 @@ extern void default_banner(void);
8274 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8275 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8276 -#define PARA_INDIRECT(addr) *%cs:addr
8277 +#define PARA_INDIRECT(addr) *%ss:addr
8280 #define INTERRUPT_RETURN \
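Review bot: Changing `PARA_INDIRECT` from `*%cs:addr` to `*%ss:addr` at line 8277 carries no comment, and a one-token change like this is exactly what a later cleanup reverts as noise. Presumably it is needed because under 32-bit KERNEXEC the kernel code segment gets a non-zero base (the `ktla_ktva`/`ktva_ktla` translation elsewhere in this patch reflects that), so an absolute operand address has to be resolved through a flat data segment; if so, record it: `/* %ss, not %cs: with KERNEXEC the kernel CS base is not 0, so absolute addresses must go through a flat data segment */`. If the reason is different, it is even more worth writing down.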
8281 @@ -1032,6 +1047,21 @@ extern void default_banner(void);
8282 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8284 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8286 +#define GET_CR0_INTO_RDI \
8287 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8290 +#define SET_RDI_INTO_CR0 \
8291 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8293 +#define GET_CR3_INTO_RDI \
8294 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8297 +#define SET_RDI_INTO_CR3 \
8298 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8300 #endif /* CONFIG_X86_32 */
8302 #endif /* __ASSEMBLY__ */
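Review bot: The paravirt `GET_CR0_INTO_RDI`/`SET_RDI_INTO_CR0`/`GET_CR3_INTO_RDI`/`SET_RDI_INTO_CR3` macros at lines 8286–8298 expand to `call`s through `pv_cpu_ops`/`pv_mmu_ops`, whereas the native versions in irqflags.h are single `mov` instructions; unless the targets are callee-saved ops, they are ordinary C functions and so clobber the caller-saved registers (`rax`, `rcx`, `rdx`, `rsi`, `r8`–`r11`) and flags that the native form leaves untouched. Every assembly user therefore has to spill whatever it holds live across the macro, and nothing here says so. Add a comment above the block, e.g. `/* unlike the native mov versions these are calls: rax/rcx/rdx/rsi/r8-r11 and flags are clobbered */`, or save and restore the clobbered registers inside the macros so both variants offer the same contract.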
8303 diff -urNp linux-2.6.38.1/arch/x86/include/asm/paravirt_types.h linux-2.6.38.1-new/arch/x86/include/asm/paravirt_types.h
8304 --- linux-2.6.38.1/arch/x86/include/asm/paravirt_types.h 2011-03-14 21:20:32.000000000 -0400
8305 +++ linux-2.6.38.1-new/arch/x86/include/asm/paravirt_types.h 2011-03-21 18:31:35.000000000 -0400
8306 @@ -317,6 +317,12 @@ struct pv_mmu_ops {
8307 an mfn. We can tell which is which from the index. */
8308 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8309 phys_addr_t phys, pgprot_t flags);
8311 +#ifdef CONFIG_PAX_KERNEXEC
8312 + unsigned long (*pax_open_kernel)(void);
8313 + unsigned long (*pax_close_kernel)(void);
8318 struct arch_spinlock;
8319 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pci_x86.h linux-2.6.38.1-new/arch/x86/include/asm/pci_x86.h
8320 --- linux-2.6.38.1/arch/x86/include/asm/pci_x86.h 2011-03-14 21:20:32.000000000 -0400
8321 +++ linux-2.6.38.1-new/arch/x86/include/asm/pci_x86.h 2011-03-21 18:31:35.000000000 -0400
8322 @@ -93,16 +93,16 @@ extern int (*pcibios_enable_irq)(struct
8323 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8325 struct pci_raw_ops {
8326 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8327 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8328 int reg, int len, u32 *val);
8329 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8330 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8331 int reg, int len, u32 val);
8334 -extern struct pci_raw_ops *raw_pci_ops;
8335 -extern struct pci_raw_ops *raw_pci_ext_ops;
8336 +extern const struct pci_raw_ops *raw_pci_ops;
8337 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8339 -extern struct pci_raw_ops pci_direct_conf1;
8340 +extern const struct pci_raw_ops pci_direct_conf1;
8341 extern bool port_cf9_safe;
8343 /* arch_initcall level */
8344 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgalloc.h linux-2.6.38.1-new/arch/x86/include/asm/pgalloc.h
8345 --- linux-2.6.38.1/arch/x86/include/asm/pgalloc.h 2011-03-14 21:20:32.000000000 -0400
8346 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgalloc.h 2011-03-21 18:31:35.000000000 -0400
8347 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8348 pmd_t *pmd, pte_t *pte)
8350 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8351 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8354 +static inline void pmd_populate_user(struct mm_struct *mm,
8355 + pmd_t *pmd, pte_t *pte)
8357 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8358 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
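Review bot: `pmd_populate_kernel()` at line 8351 now installs the PTE page with `_KERNPG_TABLE` (no `_PAGE_USER`), so any caller that still uses it to wire a page-table page into a user address range silently gets a supervisor-only PMD and user accesses fault; the new `pmd_populate_user()` covers that case, but the split is enforced only by convention. Document it on both helpers, e.g. `/* kernel-only: the PTE page is not user-accessible; use pmd_populate_user() for user address space */` on the kernel variant and the converse on the user one, and audit the mm/ callers that previously got `_PAGE_TABLE` from the kernel variant.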
8361 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable-2level.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable-2level.h
8362 --- linux-2.6.38.1/arch/x86/include/asm/pgtable-2level.h 2011-03-14 21:20:32.000000000 -0400
8363 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable-2level.h 2011-03-21 18:31:35.000000000 -0400
8364 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8366 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8368 + pax_open_kernel();
8370 + pax_close_kernel();
8373 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8374 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_32.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable_32.h
8375 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_32.h 2011-03-14 21:20:32.000000000 -0400
8376 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable_32.h 2011-03-21 18:31:35.000000000 -0400
8379 struct vm_area_struct;
8381 -extern pgd_t swapper_pg_dir[1024];
8382 -extern pgd_t initial_page_table[1024];
8384 static inline void pgtable_cache_init(void) { }
8385 static inline void check_pgt_cache(void) { }
8386 void paging_init(void);
8387 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8388 # include <asm/pgtable-2level.h>
8391 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8392 +extern pgd_t initial_page_table[PTRS_PER_PGD];
8393 +#ifdef CONFIG_X86_PAE
8394 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8397 #if defined(CONFIG_HIGHPTE)
8398 #define pte_offset_map(dir, address) \
8399 ((pte_t *)kmap_atomic(pmd_page(*(dir))) + \
8400 @@ -62,7 +65,9 @@ extern void set_pmd_pfn(unsigned long, u
8401 /* Clear a kernel PTE and flush it from the TLB */
8402 #define kpte_clear_flush(ptep, vaddr) \
8404 + pax_open_kernel(); \
8405 pte_clear(&init_mm, (vaddr), (ptep)); \
8406 + pax_close_kernel(); \
8407 __flush_tlb_one((vaddr)); \
8410 @@ -74,6 +79,9 @@ do { \
8412 #endif /* !__ASSEMBLY__ */
8414 +#define HAVE_ARCH_UNMAPPED_AREA
8415 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8418 * kern_addr_valid() is (1) for FLATMEM and (0) for
8419 * SPARSEMEM and DISCONTIGMEM
8420 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_32_types.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable_32_types.h
8421 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_32_types.h 2011-03-14 21:20:32.000000000 -0400
8422 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable_32_types.h 2011-03-21 18:31:35.000000000 -0400
8425 #ifdef CONFIG_X86_PAE
8426 # include <asm/pgtable-3level_types.h>
8427 -# define PMD_SIZE (1UL << PMD_SHIFT)
8428 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8429 # define PMD_MASK (~(PMD_SIZE - 1))
8431 # include <asm/pgtable-2level_types.h>
8432 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8433 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8436 +#ifdef CONFIG_PAX_KERNEXEC
8437 +#ifndef __ASSEMBLY__
8438 +extern unsigned char MODULES_EXEC_VADDR[];
8439 +extern unsigned char MODULES_EXEC_END[];
8441 +#include <asm/boot.h>
8442 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8443 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8445 +#define ktla_ktva(addr) (addr)
8446 +#define ktva_ktla(addr) (addr)
8449 #define MODULES_VADDR VMALLOC_START
8450 #define MODULES_END VMALLOC_END
8451 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
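Review bot: The macro arguments in `ktla_ktva()` and `ktva_ktla()` at lines 8442–8443 are not parenthesised, so `ktva_ktla(x ? a : b)` or any argument binding looser than `+`/`-` expands incorrectly. Write `#define ktla_ktva(addr) ((addr) + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)` and `#define ktva_ktla(addr) ((addr) - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)`, and parenthesise the identity versions on the `#else` side and in pgtable_64_types.h the same way so both builds accept the same argument forms. A one-line comment naming the two spaces (presumably kernel-text linear vs. virtual address under KERNEXEC's relocated code segment) would also help, since the abbreviations are not self-explanatory.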
8452 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable-3level.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable-3level.h
8453 --- linux-2.6.38.1/arch/x86/include/asm/pgtable-3level.h 2011-03-23 17:20:06.000000000 -0400
8454 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable-3level.h 2011-03-23 17:21:43.000000000 -0400
8455 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8457 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8459 + pax_open_kernel();
8460 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8461 + pax_close_kernel();
8464 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8466 + pax_open_kernel();
8467 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8468 + pax_close_kernel();
8472 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_64.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable_64.h
8473 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_64.h 2011-03-14 21:20:32.000000000 -0400
8474 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable_64.h 2011-03-21 18:31:35.000000000 -0400
8477 extern pud_t level3_kernel_pgt[512];
8478 extern pud_t level3_ident_pgt[512];
8479 +extern pud_t level3_vmalloc_pgt[512];
8480 +extern pud_t level3_vmemmap_pgt[512];
8481 +extern pud_t level2_vmemmap_pgt[512];
8482 extern pmd_t level2_kernel_pgt[512];
8483 extern pmd_t level2_fixmap_pgt[512];
8484 -extern pmd_t level2_ident_pgt[512];
8485 -extern pgd_t init_level4_pgt[];
8486 +extern pmd_t level2_ident_pgt[512*2];
8487 +extern pgd_t init_level4_pgt[512];
8489 #define swapper_pg_dir init_level4_pgt
8491 @@ -61,7 +64,9 @@ static inline void native_set_pte_atomic
8493 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8495 + pax_open_kernel();
8497 + pax_close_kernel();
8500 static inline void native_pmd_clear(pmd_t *pmd)
8501 @@ -107,7 +112,9 @@ static inline void native_pud_clear(pud_
8503 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8505 + pax_open_kernel();
8507 + pax_close_kernel();
8510 static inline void native_pgd_clear(pgd_t *pgd)
8511 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_64_types.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable_64_types.h
8512 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_64_types.h 2011-03-14 21:20:32.000000000 -0400
8513 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable_64_types.h 2011-03-21 18:31:35.000000000 -0400
8514 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8515 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8516 #define MODULES_END _AC(0xffffffffff000000, UL)
8517 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8518 +#define MODULES_EXEC_VADDR MODULES_VADDR
8519 +#define MODULES_EXEC_END MODULES_END
8521 +#define ktla_ktva(addr) (addr)
8522 +#define ktva_ktla(addr) (addr)
8524 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8525 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable.h
8526 --- linux-2.6.38.1/arch/x86/include/asm/pgtable.h 2011-03-14 21:20:32.000000000 -0400
8527 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable.h 2011-03-21 18:31:35.000000000 -0400
8528 @@ -81,12 +81,51 @@ extern struct mm_struct *pgd_page_get_mm
8530 #define arch_end_context_switch(prev) do {} while(0)
8532 +#define pax_open_kernel() native_pax_open_kernel()
8533 +#define pax_close_kernel() native_pax_close_kernel()
8534 #endif /* CONFIG_PARAVIRT */
8536 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8537 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8539 +#ifdef CONFIG_PAX_KERNEXEC
8540 +static inline unsigned long native_pax_open_kernel(void)
8542 + unsigned long cr0;
8544 + preempt_disable();
8546 + cr0 = read_cr0() ^ X86_CR0_WP;
8547 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8549 + return cr0 ^ X86_CR0_WP;
8552 +static inline unsigned long native_pax_close_kernel(void)
8554 + unsigned long cr0;
8556 + cr0 = read_cr0() ^ X86_CR0_WP;
8557 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8560 + preempt_enable_no_resched();
8561 + return cr0 ^ X86_CR0_WP;
8564 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8565 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8569 * The following only work if pte_present() is true.
8570 * Undefined behaviour if not..
8572 +static inline int pte_user(pte_t pte)
8574 + return pte_val(pte) & _PAGE_USER;
8577 static inline int pte_dirty(pte_t pte)
8579 return pte_flags(pte) & _PAGE_DIRTY;
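Review bot: `native_pax_open_kernel()` at lines 8540–8549 is not nestable — the `BUG_ON(unlikely(cr0 & X86_CR0_WP))` fires whenever WP is already clear, i.e. on any nested or unpaired call — and nothing documents that, nor that interrupts stay enabled during the window so any interrupt handler runs with CR0.WP clear unless the entry code re-asserts it (the `GET_CR0_INTO_RDI` helpers elsewhere in the patch suggest it does, but that belongs here). `native_pax_close_kernel()` uses `preempt_enable_no_resched()`, so a reschedule requested during the window is deferred to the next preemption point; if that is deliberate say why, since WP is already restored by the time the count is dropped. A header comment naming the three contracts (no nesting, WP-off window visible to interrupts, no reschedule on close) would cover it. Separately, `pte_user()` at line 8574 uses `pte_val()` where its siblings use `pte_flags()`; `return pte_flags(pte) & _PAGE_USER;` keeps them consistent.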
8580 @@ -196,9 +235,29 @@ static inline pte_t pte_wrprotect(pte_t
8581 return pte_clear_flags(pte, _PAGE_RW);
8584 +static inline pte_t pte_mkread(pte_t pte)
8586 + return __pte(pte_val(pte) | _PAGE_USER);
8589 static inline pte_t pte_mkexec(pte_t pte)
8591 - return pte_clear_flags(pte, _PAGE_NX);
8592 +#ifdef CONFIG_X86_PAE
8593 + if (__supported_pte_mask & _PAGE_NX)
8594 + return pte_clear_flags(pte, _PAGE_NX);
8597 + return pte_set_flags(pte, _PAGE_USER);
8600 +static inline pte_t pte_exprotect(pte_t pte)
8602 +#ifdef CONFIG_X86_PAE
8603 + if (__supported_pte_mask & _PAGE_NX)
8604 + return pte_set_flags(pte, _PAGE_NX);
8607 + return pte_clear_flags(pte, _PAGE_USER);
8610 static inline pte_t pte_mkdirty(pte_t pte)
8611 @@ -390,6 +449,15 @@ pte_t *populate_extra_pte(unsigned long
8614 #ifndef __ASSEMBLY__
8616 +#ifdef CONFIG_PAX_PER_CPU_PGD
8617 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8618 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8620 + return cpu_pgd[cpu];
8624 #include <linux/mm_types.h>
8626 static inline int pte_none(pte_t pte)
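Review bot: `cpu_pgd` at line 8617 is an `NR_CPUS`-sized static array of full page directories, so the BSS cost is `NR_CPUS * PAGE_SIZE` regardless of how many CPUs boot (16 MiB at `NR_CPUS=4096`), and `get_cpu_pgd()` has no bounds check, so a caller passing `cpu >= NR_CPUS` reads past the array. A page-aligned per-CPU definition (`DEFINE_PER_CPU_PAGE_ALIGNED`) would size it by `nr_cpu_ids` and give the normal accessors; failing that, a comment on the memory cost and a `BUG_ON(cpu >= NR_CPUS)` (or at least a note that callers pass `smp_processor_id()`) is warranted. If the array form was chosen because early boot assembly needs a fixed address, that reason should be in a comment too.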
8627 @@ -560,7 +628,7 @@ static inline pud_t *pud_offset(pgd_t *p
8629 static inline int pgd_bad(pgd_t pgd)
8631 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8632 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8635 static inline int pgd_none(pgd_t pgd)
8636 @@ -583,7 +651,12 @@ static inline int pgd_none(pgd_t pgd)
8637 * pgd_offset() returns a (pgd_t *)
8638 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8640 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8641 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8643 +#ifdef CONFIG_PAX_PER_CPU_PGD
8644 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8648 * a shortcut which implies the use of the kernel's pgd, instead
8650 @@ -594,6 +667,20 @@ static inline int pgd_none(pgd_t pgd)
8651 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8652 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8654 +#ifdef CONFIG_X86_32
8655 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8657 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8658 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8660 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8661 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8663 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8668 #ifndef __ASSEMBLY__
8670 extern int direct_gbpages;
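Review bot: `PAX_USER_SHADOW_BASE` at line 8661 puts the shadow at `1 << TASK_SIZE_MAX_SHIFT`, which with the `USER_PGD_PTRS .. 2*USER_PGD_PTRS` slot indexing used in mmu_context.h only works while both halves fit in the canonical lower half of the x86-64 address space, i.e. `TASK_SIZE_MAX_SHIFT <= 46`; at the architectural 47 the pointers produced by adding the base (as in the fxsave/fxrstor helpers) would be non-canonical. That bound is presumably enforced by the Kconfig range of `CONFIG_TASK_SIZE_MAX_SHIFT`, but it is invisible here. A compile-time check, `#if CONFIG_TASK_SIZE_MAX_SHIFT > 46` / `#error "UDEREF shadow must stay canonical"` / `#endif`, or at least a comment stating the limit, would keep a future Kconfig edit from silently breaking UDEREF.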
8671 @@ -758,11 +845,23 @@ static inline void pmdp_set_wrprotect(st
8672 * dst and src can be on the same page, but the range must not overlap,
8673 * and must not cross a page boundary.
8675 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8676 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8678 - memcpy(dst, src, count * sizeof(pgd_t));
8679 + pax_open_kernel();
8682 + pax_close_kernel();
8685 +#ifdef CONFIG_PAX_PER_CPU_PGD
8686 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8689 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8690 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8692 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8695 #include <asm-generic/pgtable.h>
8696 #endif /* __ASSEMBLY__ */
8697 diff -urNp linux-2.6.38.1/arch/x86/include/asm/pgtable_types.h linux-2.6.38.1-new/arch/x86/include/asm/pgtable_types.h
8698 --- linux-2.6.38.1/arch/x86/include/asm/pgtable_types.h 2011-03-14 21:20:32.000000000 -0400
8699 +++ linux-2.6.38.1-new/arch/x86/include/asm/pgtable_types.h 2011-03-21 18:31:35.000000000 -0400
8701 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8702 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8703 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8704 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8705 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8706 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8707 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8708 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8709 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8710 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8711 -#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /* only valid on a PSE pmd */
8712 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8713 +#define _PAGE_BIT_SPLITTING _PAGE_BIT_SPECIAL /* only valid on a PSE pmd */
8714 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8716 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8718 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8719 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8720 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8721 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8722 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8723 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8724 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8727 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8728 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8730 +#elif defined(CONFIG_KMEMCHECK)
8731 #define _PAGE_NX (_AT(pteval_t, 0))
8733 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8736 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8738 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8741 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8742 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8744 #define __PAGE_KERNEL_EXEC \
8745 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8746 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8748 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8749 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8750 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8751 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8752 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8753 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8754 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8755 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8756 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8757 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8759 * bits are combined, this will alow user to access the high address mapped
8760 * VDSO in the presence of CONFIG_COMPAT_VDSO
8762 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8763 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8764 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8765 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8766 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8769 @@ -205,7 +208,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8771 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8775 +#if PAGETABLE_LEVELS == 3
8776 +#include <asm-generic/pgtable-nopud.h>
8779 +#if PAGETABLE_LEVELS == 2
8780 +#include <asm-generic/pgtable-nopmd.h>
8783 +#ifndef __ASSEMBLY__
8784 #if PAGETABLE_LEVELS > 3
8785 typedef struct { pudval_t pud; } pud_t;
8787 @@ -219,8 +232,6 @@ static inline pudval_t native_pud_val(pu
8791 -#include <asm-generic/pgtable-nopud.h>
8793 static inline pudval_t native_pud_val(pud_t pud)
8795 return native_pgd_val(pud.pgd);
8796 @@ -240,8 +251,6 @@ static inline pmdval_t native_pmd_val(pm
8800 -#include <asm-generic/pgtable-nopmd.h>
8802 static inline pmdval_t native_pmd_val(pmd_t pmd)
8804 return native_pgd_val(pmd.pud.pgd);
8805 @@ -281,7 +290,6 @@ typedef struct page *pgtable_t;
8807 extern pteval_t __supported_pte_mask;
8808 extern void set_nx(void);
8809 -extern int nx_enabled;
8811 #define pgprot_writecombine pgprot_writecombine
8812 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8813 diff -urNp linux-2.6.38.1/arch/x86/include/asm/processor.h linux-2.6.38.1-new/arch/x86/include/asm/processor.h
8814 --- linux-2.6.38.1/arch/x86/include/asm/processor.h 2011-03-14 21:20:32.000000000 -0400
8815 +++ linux-2.6.38.1-new/arch/x86/include/asm/processor.h 2011-03-21 18:31:35.000000000 -0400
8816 @@ -270,7 +270,7 @@ struct tss_struct {
8818 } ____cacheline_aligned;
8820 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8821 +extern struct tss_struct init_tss[NR_CPUS];
8824 * Save the original ist values for checking stack pointers during debugging
8825 @@ -864,8 +864,15 @@ static inline void spin_lock_prefetch(co
8827 #define TASK_SIZE PAGE_OFFSET
8828 #define TASK_SIZE_MAX TASK_SIZE
8830 +#ifdef CONFIG_PAX_SEGMEXEC
8831 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8832 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8834 #define STACK_TOP TASK_SIZE
8835 -#define STACK_TOP_MAX STACK_TOP
8838 +#define STACK_TOP_MAX TASK_SIZE
8840 #define INIT_THREAD { \
8841 .sp0 = sizeof(init_stack) + (long)&init_stack, \
8842 @@ -882,7 +889,7 @@ static inline void spin_lock_prefetch(co
8844 #define INIT_TSS { \
8846 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8847 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8848 .ss0 = __KERNEL_DS, \
8849 .ss1 = __KERNEL_CS, \
8850 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8851 @@ -893,11 +900,7 @@ static inline void spin_lock_prefetch(co
8852 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8854 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8855 -#define KSTK_TOP(info) \
8857 - unsigned long *__ptr = (unsigned long *)(info); \
8858 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8860 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8863 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
8864 @@ -912,7 +915,7 @@ extern unsigned long thread_saved_pc(str
8865 #define task_pt_regs(task) \
8867 struct pt_regs *__regs__; \
8868 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8869 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8873 @@ -922,13 +925,13 @@ extern unsigned long thread_saved_pc(str
8875 * User space process size. 47bits minus one guard page.
8877 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8878 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8880 /* This decides where the kernel will search for a free chunk of vm
8881 * space during mmap's.
8883 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8884 - 0xc0000000 : 0xFFFFe000)
8885 + 0xc0000000 : 0xFFFFf000)
8887 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8888 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
8889 @@ -965,6 +968,10 @@ extern void start_thread(struct pt_regs
8891 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8893 +#ifdef CONFIG_PAX_SEGMEXEC
8894 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8897 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8899 /* Get/set a process' ability to use the timestamp counter instruction */
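Review bot: `IA32_PAGE_OFFSET` moves the top of the 32-bit compat address space from 0xFFFFe000 to 0xFFFFf000 with no comment on why the reserved region shrinks by one page, while the neighbouring `TASK_SIZE_MAX` comment still explains its own layout ("47bits minus one guard page"). If the intent is to leave exactly one unmapped page below 4GB (I am inferring that from the value), say so next to the constant, and write it as `0xfffff000` to match the lower-case `0xc0000000` in the same expression. `TASK_SIZE_MAX_SHIFT` is not defined in any hunk shown here, so I assume another part of the patch provides it. The CONFIG_PAX_SEGMEXEC `STACK_TOP` dereferences `current->mm`, which is fine for exec-time callers but not for a kernel thread whose mm is NULL; a comment such as `/* only valid for tasks with a user mm */` would prevent misuse.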
8900 diff -urNp linux-2.6.38.1/arch/x86/include/asm/ptrace.h linux-2.6.38.1-new/arch/x86/include/asm/ptrace.h
8901 --- linux-2.6.38.1/arch/x86/include/asm/ptrace.h 2011-03-14 21:20:32.000000000 -0400
8902 +++ linux-2.6.38.1-new/arch/x86/include/asm/ptrace.h 2011-03-21 18:31:35.000000000 -0400
8903 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8907 - * user_mode_vm(regs) determines whether a register set came from user mode.
8908 + * user_mode(regs) determines whether a register set came from user mode.
8909 * This is true if V8086 mode was enabled OR if the register set was from
8910 * protected mode with RPL-3 CS value. This tricky test checks that with
8911 * one comparison. Many places in the kernel can bypass this full check
8912 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8913 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8916 -static inline int user_mode(struct pt_regs *regs)
8917 +static inline int user_mode_novm(struct pt_regs *regs)
8919 #ifdef CONFIG_X86_32
8920 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8922 - return !!(regs->cs & 3);
8923 + return !!(regs->cs & SEGMENT_RPL_MASK);
8927 -static inline int user_mode_vm(struct pt_regs *regs)
8928 +static inline int user_mode(struct pt_regs *regs)
8930 #ifdef CONFIG_X86_32
8931 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8934 - return user_mode(regs);
8935 + return user_mode_novm(regs);
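Review bot: Swapping the names so that the former `user_mode_vm()` becomes `user_mode()` changes the meaning of every existing `user_mode()` call site (they now include the V8086 test) even though no caller is touched in this hunk; making the stricter check the default is the safer failure mode, but the hunk should state that this is deliberate. Add a comment on the renamed helper, e.g. `/* cheaper variant: only valid once the caller has ruled out V8086 mode; prefer user_mode() */` above `user_mode_novm()`, so the next reader does not treat it as a drop-in. The x86_64 branch of `user_mode()` (`return user_mode_novm(regs);`) and the switch from the literal `3` to `SEGMENT_RPL_MASK` read as intended; the closing braces of both functions are outside the hunk.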
8939 diff -urNp linux-2.6.38.1/arch/x86/include/asm/reboot.h linux-2.6.38.1-new/arch/x86/include/asm/reboot.h
8940 --- linux-2.6.38.1/arch/x86/include/asm/reboot.h 2011-03-14 21:20:32.000000000 -0400
8941 +++ linux-2.6.38.1-new/arch/x86/include/asm/reboot.h 2011-03-21 18:31:35.000000000 -0400
8942 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8944 void native_machine_crash_shutdown(struct pt_regs *regs);
8945 void native_machine_shutdown(void);
8946 -void machine_real_restart(const unsigned char *code, int length);
8947 +void machine_real_restart(const unsigned char *code, unsigned int length);
8949 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8950 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8951 diff -urNp linux-2.6.38.1/arch/x86/include/asm/rwsem.h linux-2.6.38.1-new/arch/x86/include/asm/rwsem.h
8952 --- linux-2.6.38.1/arch/x86/include/asm/rwsem.h 2011-03-14 21:20:32.000000000 -0400
8953 +++ linux-2.6.38.1-new/arch/x86/include/asm/rwsem.h 2011-03-21 18:31:35.000000000 -0400
8954 @@ -118,6 +118,14 @@ static inline void __down_read(struct rw
8956 asm volatile("# beginning down_read\n\t"
8957 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8959 +#ifdef CONFIG_PAX_REFCOUNT
8961 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8963 + _ASM_EXTABLE(0b, 0b)
8966 /* adds 0x00000001 */
8968 " call call_rwsem_down_read_failed\n"
8969 @@ -139,6 +147,14 @@ static inline int __down_read_trylock(st
8974 +#ifdef CONFIG_PAX_REFCOUNT
8978 + _ASM_EXTABLE(0b, 0b)
8982 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8984 @@ -158,6 +174,14 @@ static inline void __down_write_nested(s
8986 asm volatile("# beginning down_write\n\t"
8987 LOCK_PREFIX " xadd %1,(%2)\n\t"
8989 +#ifdef CONFIG_PAX_REFCOUNT
8993 + _ASM_EXTABLE(0b, 0b)
8996 /* adds 0xffff0001, returns the old value */
8998 /* was the count 0 before? */
8999 @@ -196,6 +220,14 @@ static inline void __up_read(struct rw_s
9001 asm volatile("# beginning __up_read\n\t"
9002 LOCK_PREFIX " xadd %1,(%2)\n\t"
9004 +#ifdef CONFIG_PAX_REFCOUNT
9008 + _ASM_EXTABLE(0b, 0b)
9011 /* subtracts 1, returns the old value */
9013 " call call_rwsem_wake\n" /* expects old value in %edx */
9014 @@ -214,6 +246,14 @@ static inline void __up_write(struct rw_
9016 asm volatile("# beginning __up_write\n\t"
9017 LOCK_PREFIX " xadd %1,(%2)\n\t"
9019 +#ifdef CONFIG_PAX_REFCOUNT
9023 + _ASM_EXTABLE(0b, 0b)
9026 /* subtracts 0xffff0001, returns the old value */
9028 " call call_rwsem_wake\n" /* expects old value in %edx */
9029 @@ -231,6 +271,14 @@ static inline void __downgrade_write(str
9031 asm volatile("# beginning __downgrade_write\n\t"
9032 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
9034 +#ifdef CONFIG_PAX_REFCOUNT
9036 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9038 + _ASM_EXTABLE(0b, 0b)
9042 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9043 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9044 @@ -250,7 +298,15 @@ static inline void __downgrade_write(str
9045 static inline void rwsem_atomic_add(rwsem_count_t delta,
9046 struct rw_semaphore *sem)
9048 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9049 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9051 +#ifdef CONFIG_PAX_REFCOUNT
9053 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9055 + _ASM_EXTABLE(0b, 0b)
9061 @@ -263,7 +319,15 @@ static inline rwsem_count_t rwsem_atomic
9063 rwsem_count_t tmp = delta;
9065 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9066 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9068 +#ifdef CONFIG_PAX_REFCOUNT
9072 + _ASM_EXTABLE(0b, 0b)
9075 : "+r" (tmp), "+m" (sem->count)
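Review bot: The CONFIG_PAX_REFCOUNT undo step (`LOCK_PREFIX _ASM_DEC "(%1)"` after the `_ASM_INC` in `__down_read`, and the analogous `_ASM_SUB` in `__downgrade_write` and `rwsem_atomic_add`) is a second locked instruction, so between the overflowing update and its reversal other CPUs can observe the wrapped count; the mechanism detects overflow rather than keeping the semaphore consistent. That is acceptable for a hardening trap, but none of the rwsem.h hunks says so, and the same sequence is repeated in the `arch_read_lock`, `arch_write_lock`, `arch_read_unlock` and `arch_write_unlock` hunks of spinlock.h. Suggest one comment at the first occurrence: `/* PAX_REFCOUNT: on signed overflow undo the update and trap; the window before the undo is visible to other CPUs, so this detects rather than prevents a wrapped count */`. The jump and trap instructions and the `0:` label between `#ifdef CONFIG_PAX_REFCOUNT` and `_ASM_EXTABLE(0b, 0b)` are not shown in this rendering, so the fixup target cannot be checked here.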
9078 diff -urNp linux-2.6.38.1/arch/x86/include/asm/segment.h linux-2.6.38.1-new/arch/x86/include/asm/segment.h
9079 --- linux-2.6.38.1/arch/x86/include/asm/segment.h 2011-03-14 21:20:32.000000000 -0400
9080 +++ linux-2.6.38.1-new/arch/x86/include/asm/segment.h 2011-03-21 18:31:35.000000000 -0400
9082 * 26 - ESPFIX small SS
9083 * 27 - per-cpu [ offset to per-cpu data area ]
9084 * 28 - stack_canary-20 [ for stack protector ]
9087 + * 29 - PCI BIOS CS
9088 + * 30 - PCI BIOS DS
9089 * 31 - TSS for double fault handler
9091 #define GDT_ENTRY_TLS_MIN 6
9094 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE+0)
9096 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9098 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE+1)
9100 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE+4)
9101 @@ -102,6 +104,12 @@
9102 #define __KERNEL_STACK_CANARY 0
9105 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE+17)
9106 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9108 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE+18)
9109 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9111 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9117 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9118 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9119 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9124 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9125 #define __USER32_DS __USER_DS
9127 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9129 #define GDT_ENTRY_TSS 8 /* needs two entries */
9130 #define GDT_ENTRY_LDT 10 /* needs two entries */
9131 #define GDT_ENTRY_TLS_MIN 12
9135 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS*8)
9136 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS*8)
9137 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS*8)
9138 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS*8+3)
9139 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS*8+3)
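Review bot: The comment above the new `SEGMENT_IS_PNP_CODE(x)` still reads "Matches PNP_CS32 and PNP_CS16 (they must be consecutive)", but the new definition compares against each selector explicitly with the RPL bits masked off, so the consecutiveness requirement no longer exists; change it to `/* Matches PNP_CS32 and PNP_CS16 (RPL bits ignored) */`. The old `((x) & 0xf4)` test appears to have discarded the upper selector bits, so this is a correctness fix as well as a rename and deserves a line in the commit message. The new macro relies on `PNP_CS32`/`PNP_CS16` being defined before this point, which cannot be confirmed from the hunk, and `GDT_ENTRY_KERNEXEC_KERNEL_CS` is written `(4)` in one branch and `7` in the other — pick one form.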
9140 diff -urNp linux-2.6.38.1/arch/x86/include/asm/smp.h linux-2.6.38.1-new/arch/x86/include/asm/smp.h
9141 --- linux-2.6.38.1/arch/x86/include/asm/smp.h 2011-03-14 21:20:32.000000000 -0400
9142 +++ linux-2.6.38.1-new/arch/x86/include/asm/smp.h 2011-03-21 18:31:35.000000000 -0400
9143 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9144 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9145 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9146 DECLARE_PER_CPU(u16, cpu_llc_id);
9147 -DECLARE_PER_CPU(int, cpu_number);
9148 +DECLARE_PER_CPU(unsigned int, cpu_number);
9150 static inline struct cpumask *cpu_sibling_mask(int cpu)
9152 diff -urNp linux-2.6.38.1/arch/x86/include/asm/spinlock.h linux-2.6.38.1-new/arch/x86/include/asm/spinlock.h
9153 --- linux-2.6.38.1/arch/x86/include/asm/spinlock.h 2011-03-14 21:20:32.000000000 -0400
9154 +++ linux-2.6.38.1-new/arch/x86/include/asm/spinlock.h 2011-03-21 18:31:35.000000000 -0400
9155 @@ -249,6 +249,14 @@ static inline int arch_write_can_lock(ar
9156 static inline void arch_read_lock(arch_rwlock_t *rw)
9158 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9160 +#ifdef CONFIG_PAX_REFCOUNT
9162 + LOCK_PREFIX " addl $1,(%0)\n"
9164 + _ASM_EXTABLE(0b, 0b)
9168 "call __read_lock_failed\n\t"
9170 @@ -258,6 +266,14 @@ static inline void arch_read_lock(arch_r
9171 static inline void arch_write_lock(arch_rwlock_t *rw)
9173 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9175 +#ifdef CONFIG_PAX_REFCOUNT
9177 + LOCK_PREFIX " addl %1,(%0)\n"
9179 + _ASM_EXTABLE(0b, 0b)
9183 "call __write_lock_failed\n\t"
9185 @@ -286,12 +302,29 @@ static inline int arch_write_trylock(arc
9187 static inline void arch_read_unlock(arch_rwlock_t *rw)
9189 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9190 + asm volatile(LOCK_PREFIX "incl %0\n"
9192 +#ifdef CONFIG_PAX_REFCOUNT
9194 + LOCK_PREFIX "decl %0\n"
9196 + _ASM_EXTABLE(0b, 0b)
9199 + :"+m" (rw->lock) : : "memory");
9202 static inline void arch_write_unlock(arch_rwlock_t *rw)
9204 - asm volatile(LOCK_PREFIX "addl %1, %0"
9205 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9207 +#ifdef CONFIG_PAX_REFCOUNT
9209 + LOCK_PREFIX "subl %1, %0\n"
9211 + _ASM_EXTABLE(0b, 0b)
9214 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9217 diff -urNp linux-2.6.38.1/arch/x86/include/asm/stackprotector.h linux-2.6.38.1-new/arch/x86/include/asm/stackprotector.h
9218 --- linux-2.6.38.1/arch/x86/include/asm/stackprotector.h 2011-03-14 21:20:32.000000000 -0400
9219 +++ linux-2.6.38.1-new/arch/x86/include/asm/stackprotector.h 2011-03-21 18:31:35.000000000 -0400
9220 @@ -113,7 +113,7 @@ static inline void setup_stack_canary_se
9222 static inline void load_stack_canary_segment(void)
9224 -#ifdef CONFIG_X86_32
9225 +#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)
9226 asm volatile ("mov %0, %%gs" : : "r" (0));
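Review bot: The new condition `#if defined(CONFIG_X86_32) && !defined(CONFIG_PAX_MEMORY_UDEREF)` skips zeroing %gs under UDEREF without saying why; the uaccess.h hunks in this same patch make %gs the segment used for user accesses (`__copyuser_seg "gs;"`), which is presumably the reason. Add that as a comment so the exemption is not "cleaned up" later: `/* with UDEREF %gs selects the user data segment (see __copyuser_seg); do not clobber it */`. The rest of `load_stack_canary_segment()` lies outside the hunk.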
9229 diff -urNp linux-2.6.38.1/arch/x86/include/asm/system.h linux-2.6.38.1-new/arch/x86/include/asm/system.h
9230 --- linux-2.6.38.1/arch/x86/include/asm/system.h 2011-03-14 21:20:32.000000000 -0400
9231 +++ linux-2.6.38.1-new/arch/x86/include/asm/system.h 2011-03-21 18:31:35.000000000 -0400
9232 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9234 unsigned long __limit;
9235 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9236 - return __limit + 1;
9240 static inline void native_clts(void)
9241 @@ -342,7 +342,7 @@ void enable_hlt(void);
9243 void cpu_idle_wait(void);
9245 -extern unsigned long arch_align_stack(unsigned long sp);
9246 +#define arch_align_stack(x) ((x) & ~0xfUL)
9247 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9249 void default_idle(void);
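Review bot: Replacing the `extern unsigned long arch_align_stack(unsigned long sp);` declaration with `#define arch_align_stack(x) ((x) & ~0xfUL)` silently drops whatever the out-of-line function did beyond 16-byte alignment; in mainline that function is where the stack-pointer randomization lived, so if the randomization now comes from elsewhere in the patch, say so at the macro: `/* alignment only; stack randomization is applied by the PaX ASLR code */` (hedged — I cannot see that code here). The `get_limit()` hunk removes `return __limit + 1;` but its replacement line is not in this rendering, so the new return value cannot be reviewed.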
9250 diff -urNp linux-2.6.38.1/arch/x86/include/asm/uaccess_32.h linux-2.6.38.1-new/arch/x86/include/asm/uaccess_32.h
9251 --- linux-2.6.38.1/arch/x86/include/asm/uaccess_32.h 2011-03-14 21:20:32.000000000 -0400
9252 +++ linux-2.6.38.1-new/arch/x86/include/asm/uaccess_32.h 2011-03-21 18:31:35.000000000 -0400
9253 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9254 static __always_inline unsigned long __must_check
9255 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9260 if (__builtin_constant_p(n)) {
9263 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9267 + if (!__builtin_constant_p(n))
9268 + check_object_size(from, n, true);
9269 return __copy_to_user_ll(to, from, n);
9272 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9273 static __always_inline unsigned long
9274 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9279 /* Avoid zeroing the tail if the copy fails..
9280 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9281 * but as the zeroing behaviour is only significant when n is not
9282 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9283 __copy_from_user(void *to, const void __user *from, unsigned long n)
9290 if (__builtin_constant_p(n)) {
9293 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9297 + if (!__builtin_constant_p(n))
9298 + check_object_size(to, n, false);
9299 return __copy_from_user_ll(to, from, n);
9302 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9303 const void __user *from, unsigned long n)
9310 if (__builtin_constant_p(n)) {
9313 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9314 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9317 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9322 -unsigned long __must_check copy_to_user(void __user *to,
9323 - const void *from, unsigned long n);
9324 -unsigned long __must_check _copy_from_user(void *to,
9325 - const void __user *from,
9327 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9330 +extern void copy_to_user_overflow(void)
9331 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9332 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9334 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9338 extern void copy_from_user_overflow(void)
9339 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9340 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9344 -static inline unsigned long __must_check copy_from_user(void *to,
9345 - const void __user *from,
9348 + * copy_to_user: - Copy a block of data into user space.
9349 + * @to: Destination address, in user space.
9350 + * @from: Source address, in kernel space.
9351 + * @n: Number of bytes to copy.
9353 + * Context: User context only. This function may sleep.
9355 + * Copy data from kernel space to user space.
9357 + * Returns number of bytes that could not be copied.
9358 + * On success, this will be zero.
9360 +static inline unsigned long __must_check
9361 +copy_to_user(void __user *to, const void *from, unsigned long n)
9363 + int sz = __compiletime_object_size(from);
9365 + if (unlikely(sz != -1 && sz < n))
9366 + copy_to_user_overflow();
9367 + else if (access_ok(VERIFY_WRITE, to, n))
9368 + n = __copy_to_user(to, from, n);
9373 + * copy_from_user: - Copy a block of data from user space.
9374 + * @to: Destination address, in kernel space.
9375 + * @from: Source address, in user space.
9376 + * @n: Number of bytes to copy.
9378 + * Context: User context only. This function may sleep.
9380 + * Copy data from user space to kernel space.
9382 + * Returns number of bytes that could not be copied.
9383 + * On success, this will be zero.
9385 + * If some data could not be copied, this function will pad the copied
9386 + * data to the requested size using zero bytes.
9388 +static inline unsigned long __must_check
9389 +copy_from_user(void *to, const void __user *from, unsigned long n)
9391 int sz = __compiletime_object_size(to);
9393 - if (likely(sz == -1 || sz >= n))
9394 - n = _copy_from_user(to, from, n);
9396 + if (unlikely(sz != -1 && sz < n))
9397 copy_from_user_overflow();
9399 + else if (access_ok(VERIFY_READ, from, n))
9400 + n = __copy_from_user(to, from, n);
9401 + else if ((long)n > 0) {
9402 + if (!__builtin_constant_p(n))
9403 + check_object_size(to, n, false);
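Review bot: The new inline `copy_to_user()` and `copy_from_user()` compare `int sz` with `unsigned long n` (`sz < n`); that is only correct because `sz` was already tested against -1 and `__compiletime_object_size()` otherwise yields a non-negative size, and it will trip -Wsign-compare. Write the promotion explicitly, `if (unlikely(sz != -1 && (unsigned long)sz < n))`, in both functions. The `else if ((long)n > 0)` branch of `copy_from_user()` is where the kernel-doc's "pad the copied data to the requested size using zero bytes" promise must be honoured, but the zero-fill is not visible in this rendering — I assume it follows the `check_object_size()` call; if it does not, the docstring overstates the contract. The closing brace of `copy_from_user()` is outside the hunk.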
9409 diff -urNp linux-2.6.38.1/arch/x86/include/asm/uaccess_64.h linux-2.6.38.1-new/arch/x86/include/asm/uaccess_64.h
9410 --- linux-2.6.38.1/arch/x86/include/asm/uaccess_64.h 2011-03-14 21:20:32.000000000 -0400
9411 +++ linux-2.6.38.1-new/arch/x86/include/asm/uaccess_64.h 2011-03-21 18:31:35.000000000 -0400
9413 #include <asm/alternative.h>
9414 #include <asm/cpufeature.h>
9415 #include <asm/page.h>
9416 +#include <asm/pgtable.h>
9418 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9421 * Copy To/From Userspace
9422 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9426 -__must_check unsigned long
9427 -_copy_to_user(void __user *to, const void *from, unsigned len);
9428 -__must_check unsigned long
9429 -_copy_from_user(void *to, const void __user *from, unsigned len);
9430 +static __always_inline __must_check unsigned long
9431 +__copy_to_user(void __user *to, const void *from, unsigned len);
9432 +static __always_inline __must_check unsigned long
9433 +__copy_from_user(void *to, const void __user *from, unsigned len);
9434 __must_check unsigned long
9435 copy_in_user(void __user *to, const void __user *from, unsigned len);
9437 static inline unsigned long __must_check copy_from_user(void *to,
9438 const void __user *from,
9442 - int sz = __compiletime_object_size(to);
9445 - if (likely(sz == -1 || sz >= n))
9446 - n = _copy_from_user(to, from, n);
9447 -#ifdef CONFIG_DEBUG_VM
9449 - WARN(1, "Buffer overflow detected!\n");
9452 + if (access_ok(VERIFY_READ, from, n))
9453 + n = __copy_from_user(to, from, n);
9454 + else if ((int)n > 0) {
9455 + if (!__builtin_constant_p(n))
9456 + check_object_size(to, n, false);
9462 @@ -65,110 +68,174 @@ int copy_to_user(void __user *dst, const
9466 - return _copy_to_user(dst, src, size);
9467 + if (access_ok(VERIFY_WRITE, dst, size))
9468 + size = __copy_to_user(dst, src, size);
9472 static __always_inline __must_check
9473 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9474 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9477 + int sz = __compiletime_object_size(dst);
9481 - if (!__builtin_constant_p(size))
9482 - return copy_user_generic(dst, (__force void *)src, size);
9484 + if ((int)size < 0)
9487 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9488 + if (!__access_ok(VERIFY_READ, src, size))
9492 + if (unlikely(sz != -1 && sz < size)) {
9493 +#ifdef CONFIG_DEBUG_VM
9494 + WARN(1, "Buffer overflow detected!\n");
9499 + if (!__builtin_constant_p(size)) {
9500 + check_object_size(dst, size, false);
9501 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9502 + src += PAX_USER_SHADOW_BASE;
9503 + return copy_user_generic(dst, (__force const void *)src, size);
9506 - case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9507 + case 1:__get_user_asm(*(u8 *)dst, (const u8 __user *)src,
9508 ret, "b", "b", "=q", 1);
9510 - case 2:__get_user_asm(*(u16 *)dst, (u16 __user *)src,
9511 + case 2:__get_user_asm(*(u16 *)dst, (const u16 __user *)src,
9512 ret, "w", "w", "=r", 2);
9514 - case 4:__get_user_asm(*(u32 *)dst, (u32 __user *)src,
9515 + case 4:__get_user_asm(*(u32 *)dst, (const u32 __user *)src,
9516 ret, "l", "k", "=r", 4);
9518 - case 8:__get_user_asm(*(u64 *)dst, (u64 __user *)src,
9519 + case 8:__get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9520 ret, "q", "", "=r", 8);
9523 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9524 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9525 ret, "q", "", "=r", 10);
9528 __get_user_asm(*(u16 *)(8 + (char *)dst),
9529 - (u16 __user *)(8 + (char __user *)src),
9530 + (const u16 __user *)(8 + (const char __user *)src),
9531 ret, "w", "w", "=r", 2);
9534 - __get_user_asm(*(u64 *)dst, (u64 __user *)src,
9535 + __get_user_asm(*(u64 *)dst, (const u64 __user *)src,
9536 ret, "q", "", "=r", 16);
9539 __get_user_asm(*(u64 *)(8 + (char *)dst),
9540 - (u64 __user *)(8 + (char __user *)src),
9541 + (const u64 __user *)(8 + (const char __user *)src),
9542 ret, "q", "", "=r", 8);
9545 - return copy_user_generic(dst, (__force void *)src, size);
9546 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9547 + src += PAX_USER_SHADOW_BASE;
9548 + return copy_user_generic(dst, (__force const void *)src, size);
9552 static __always_inline __must_check
9553 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9554 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9557 + int sz = __compiletime_object_size(src);
9561 - if (!__builtin_constant_p(size))
9563 + if ((int)size < 0)
9566 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9567 + if (!__access_ok(VERIFY_WRITE, dst, size))
9571 + if (unlikely(sz != -1 && sz < size)) {
9572 +#ifdef CONFIG_DEBUG_VM
9573 + WARN(1, "Buffer overflow detected!\n");
9578 + if (!__builtin_constant_p(size)) {
9579 + check_object_size(src, size, true);
9580 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9581 + dst += PAX_USER_SHADOW_BASE;
9582 return copy_user_generic((__force void *)dst, src, size);
9585 - case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9586 + case 1:__put_user_asm(*(const u8 *)src, (u8 __user *)dst,
9587 ret, "b", "b", "iq", 1);
9589 - case 2:__put_user_asm(*(u16 *)src, (u16 __user *)dst,
9590 + case 2:__put_user_asm(*(const u16 *)src, (u16 __user *)dst,
9591 ret, "w", "w", "ir", 2);
9593 - case 4:__put_user_asm(*(u32 *)src, (u32 __user *)dst,
9594 + case 4:__put_user_asm(*(const u32 *)src, (u32 __user *)dst,
9595 ret, "l", "k", "ir", 4);
9597 - case 8:__put_user_asm(*(u64 *)src, (u64 __user *)dst,
9598 + case 8:__put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9599 ret, "q", "", "er", 8);
9602 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9603 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9604 ret, "q", "", "er", 10);
9608 - __put_user_asm(4[(u16 *)src], 4 + (u16 __user *)dst,
9609 + __put_user_asm(4[(const u16 *)src], 4 + (u16 __user *)dst,
9610 ret, "w", "w", "ir", 2);
9613 - __put_user_asm(*(u64 *)src, (u64 __user *)dst,
9614 + __put_user_asm(*(const u64 *)src, (u64 __user *)dst,
9615 ret, "q", "", "er", 16);
9619 - __put_user_asm(1[(u64 *)src], 1 + (u64 __user *)dst,
9620 + __put_user_asm(1[(const u64 *)src], 1 + (u64 __user *)dst,
9621 ret, "q", "", "er", 8);
9624 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9625 + dst += PAX_USER_SHADOW_BASE;
9626 return copy_user_generic((__force void *)dst, src, size);
9630 static __always_inline __must_check
9631 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9632 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9638 - if (!__builtin_constant_p(size))
9640 + if ((int)size < 0)
9643 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9644 + if (!__access_ok(VERIFY_READ, src, size))
9646 + if (!__access_ok(VERIFY_WRITE, dst, size))
9650 + if (!__builtin_constant_p(size)) {
9651 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9652 + src += PAX_USER_SHADOW_BASE;
9653 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9654 + dst += PAX_USER_SHADOW_BASE;
9655 return copy_user_generic((__force void *)dst,
9656 - (__force void *)src, size);
9657 + (__force const void *)src, size);
9662 - __get_user_asm(tmp, (u8 __user *)src,
9663 + __get_user_asm(tmp, (const u8 __user *)src,
9664 ret, "b", "b", "=q", 1);
9666 __put_user_asm(tmp, (u8 __user *)dst,
9667 @@ -177,7 +244,7 @@ int __copy_in_user(void __user *dst, con
9671 - __get_user_asm(tmp, (u16 __user *)src,
9672 + __get_user_asm(tmp, (const u16 __user *)src,
9673 ret, "w", "w", "=r", 2);
9675 __put_user_asm(tmp, (u16 __user *)dst,
9676 @@ -187,7 +254,7 @@ int __copy_in_user(void __user *dst, con
9680 - __get_user_asm(tmp, (u32 __user *)src,
9681 + __get_user_asm(tmp, (const u32 __user *)src,
9682 ret, "l", "k", "=r", 4);
9684 __put_user_asm(tmp, (u32 __user *)dst,
9685 @@ -196,7 +263,7 @@ int __copy_in_user(void __user *dst, con
9689 - __get_user_asm(tmp, (u64 __user *)src,
9690 + __get_user_asm(tmp, (const u64 __user *)src,
9691 ret, "q", "", "=r", 8);
9693 __put_user_asm(tmp, (u64 __user *)dst,
9694 @@ -204,8 +271,12 @@ int __copy_in_user(void __user *dst, con
9698 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9699 + src += PAX_USER_SHADOW_BASE;
9700 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9701 + dst += PAX_USER_SHADOW_BASE;
9702 return copy_user_generic((__force void *)dst,
9703 - (__force void *)src, size);
9704 + (__force const void *)src, size);
9708 @@ -222,33 +293,68 @@ __must_check unsigned long __clear_user(
9709 static __must_check __always_inline int
9710 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9712 + if ((int)size < 0)
9715 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9716 + if (!__access_ok(VERIFY_READ, src, size))
9720 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9721 + src += PAX_USER_SHADOW_BASE;
9722 return copy_user_generic(dst, (__force const void *)src, size);
9725 -static __must_check __always_inline int
9726 +static __must_check __always_inline unsigned long
9727 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9729 + if ((int)size < 0)
9732 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9733 + if (!__access_ok(VERIFY_WRITE, dst, size))
9737 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9738 + dst += PAX_USER_SHADOW_BASE;
9739 return copy_user_generic((__force void *)dst, src, size);
9742 -extern long __copy_user_nocache(void *dst, const void __user *src,
9743 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9744 unsigned size, int zerorest);
9747 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9748 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9752 + if ((int)size < 0)
9755 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9756 + if (!__access_ok(VERIFY_READ, src, size))
9760 return __copy_user_nocache(dst, src, size, 1);
9764 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9765 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9768 + if ((int)size < 0)
9771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
9772 + if (!__access_ok(VERIFY_READ, src, size))
9776 return __copy_user_nocache(dst, src, size, 0);
9780 +extern unsigned long
9781 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9783 #endif /* _ASM_X86_UACCESS_64_H */
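Review bot: `copy_from_user()` here guards the access_ok-failure path with `(int)n > 0`, whereas the 32-bit counterpart in uaccess_32.h uses `(long)n > 0`; if `n` is `unsigned long` in this signature too (the parameter line is outside the rendering), the `int` truncation means a length whose low 32 bits are zero skips the zero-fill and a length in [2^31, 2^32) is treated as negative. Use `(long)n > 0` for consistency with the 32-bit version. The `if ((int)size < 0)` guards added to `__copy_from_user`, `__copy_to_user`, `__copy_in_user` and the `_inatomic`/`_nocache` variants encode "a size with the top bit set is a bogus length" and deserve one comment at the first occurrence, e.g. `/* a size with the sign bit set is a negative length in disguise; refuse it */`. `set_fs(x)` also appears to be defined both here and in uaccess.h with the same expansion; identical redefinition compiles, but one of them should go.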
9784 diff -urNp linux-2.6.38.1/arch/x86/include/asm/uaccess.h linux-2.6.38.1-new/arch/x86/include/asm/uaccess.h
9785 --- linux-2.6.38.1/arch/x86/include/asm/uaccess.h 2011-03-14 21:20:32.000000000 -0400
9786 +++ linux-2.6.38.1-new/arch/x86/include/asm/uaccess.h 2011-03-21 18:31:35.000000000 -0400
9788 #include <linux/thread_info.h>
9789 #include <linux/prefetch.h>
9790 #include <linux/string.h>
9791 +#include <linux/sched.h>
9792 #include <asm/asm.h>
9793 #include <asm/page.h>
9795 #define VERIFY_READ 0
9796 #define VERIFY_WRITE 1
9798 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9801 * The fs value determines whether argument validity checking should be
9802 * performed or not. If get_fs() == USER_DS, checking is performed, with
9805 #define get_ds() (KERNEL_DS)
9806 #define get_fs() (current_thread_info()->addr_limit)
9807 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9808 +void __set_fs(mm_segment_t x);
9809 +void set_fs(mm_segment_t x);
9811 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9814 #define segment_eq(a, b) ((a).seg == (b).seg)
9817 * checks that the pointer is in the user space range - after calling
9818 * this function, memory access functions may still return -EFAULT.
9820 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9821 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9822 +#define access_ok(type, addr, size) \
9824 + long __size = size; \
9825 + unsigned long __addr = (unsigned long)addr; \
9826 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9827 + unsigned long __end_ao = __addr + __size - 1; \
9828 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9829 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9830 + while(__addr_ao <= __end_ao) { \
9832 + __addr_ao += PAGE_SIZE; \
9833 + if (__size > PAGE_SIZE) \
9835 + if (__get_user(__c_ao, (char __user *)__addr)) \
9837 + if (type != VERIFY_WRITE) { \
9838 + __addr = __addr_ao; \
9841 + if (__put_user(__c_ao, (char __user *)__addr)) \
9843 + __addr = __addr_ao; \
9850 * The exception table consists of pairs of addresses: the first is the
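Review bot: The `__put_user(__c_ao, (char __user *)__addr)` write-back in the probing loop is not atomic with the `__get_user` that fetched the byte, so a second thread of the same mm that stores to that byte in between has its store silently overwritten with the stale value; and because a `break` leaves `__ret_ao` untouched, the probe outcome never reaches the caller, so the loop is purely a side effect. access_ok() thereby acquires behaviour the original one-line range check did not have — page faults, a user-visible write on VERIFY_WRITE, and (if the new `#include <linux/sched.h>` is there for a cond_resched() on the `__size > PAGE_SIZE` branch, whose body is not visible) sleeping — which rules it out for atomic or pagefault-disabled callers. A block comment above the macro should state this changed contract, e.g. `/* Pre-faults every page of a page-crossing range: may fault, may sleep, and may write a user byte back on VERIFY_WRITE (not atomic w.r.t. other threads); the value returned is still only the range check. */`. Several body lines of the macro (the `__c_ao` declaration, the `break` targets and the closing `__ret_ao;`) are missing from the rendering of this hunk.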
9851 @@ -183,12 +217,20 @@ extern int __get_user_bad(void);
9852 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9853 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9856 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
9857 +#define __copyuser_seg "gs;"
9858 +#define __COPYUSER_SET_ES "pushl %%gs; popl %%es\n"
9859 +#define __COPYUSER_RESTORE_ES "pushl %%ss; popl %%es\n"
9861 +#define __copyuser_seg
9862 +#define __COPYUSER_SET_ES
9863 +#define __COPYUSER_RESTORE_ES
9866 #ifdef CONFIG_X86_32
9867 #define __put_user_asm_u64(x, addr, err, errret) \
9868 - asm volatile("1: movl %%eax,0(%2)\n" \
9869 - "2: movl %%edx,4(%2)\n" \
9870 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%2)\n" \
9871 + "2: "__copyuser_seg"movl %%edx,4(%2)\n" \
9873 ".section .fixup,\"ax\"\n" \
9875 @@ -200,8 +242,8 @@ extern int __get_user_bad(void);
9876 : "A" (x), "r" (addr), "i" (errret), "0" (err))
9878 #define __put_user_asm_ex_u64(x, addr) \
9879 - asm volatile("1: movl %%eax,0(%1)\n" \
9880 - "2: movl %%edx,4(%1)\n" \
9881 + asm volatile("1: "__copyuser_seg"movl %%eax,0(%1)\n" \
9882 + "2: "__copyuser_seg"movl %%edx,4(%1)\n" \
9884 _ASM_EXTABLE(1b, 2b - 1b) \
9885 _ASM_EXTABLE(2b, 3b - 2b) \
9886 @@ -374,7 +416,7 @@ do { \
9889 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9890 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9891 + asm volatile("1: "__copyuser_seg"mov"itype" %2,%"rtype"1\n"\
9893 ".section .fixup,\"ax\"\n" \
9895 @@ -382,7 +424,7 @@ do { \
9898 _ASM_EXTABLE(1b, 3b) \
9899 - : "=r" (err), ltype(x) \
9900 + : "=r" (err), ltype (x) \
9901 : "m" (__m(addr)), "i" (errret), "0" (err))
9903 #define __get_user_size_ex(x, ptr, size) \
9904 @@ -407,7 +449,7 @@ do { \
9907 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9908 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9909 + asm volatile("1: "__copyuser_seg"mov"itype" %1,%"rtype"0\n"\
9911 _ASM_EXTABLE(1b, 2b - 1b) \
9912 : ltype(x) : "m" (__m(addr)))
9913 @@ -424,13 +466,24 @@ do { \
9915 unsigned long __gu_val; \
9916 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9917 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9918 + (x) = (__typeof__(*(ptr)))__gu_val; \
9922 /* FIXME: this hack is definitely wrong -AK */
9923 struct __large_struct { unsigned long buf[100]; };
9924 -#define __m(x) (*(struct __large_struct __user *)(x))
9925 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9928 + unsigned long ____x = (unsigned long)(x); \
9929 + if (____x < PAX_USER_SHADOW_BASE) \
9930 + ____x += PAX_USER_SHADOW_BASE; \
9931 + (void __user *)____x; \
9934 +#define ____m(x) (x)
9936 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9939 * Tell gcc we read from memory instead of writing: this is because
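Review bot: Dropping `__force` in `(x) = (__typeof__(*(ptr)))__gu_val;` (and the identical change to get_user_ex in a later hunk of this file) will most likely reintroduce the sparse "cast removes address space" warnings whenever `*(ptr)` is itself a `__user` pointer type, which is exactly what the annotation was there to silence; unless the patch changes those callers' annotations, keep `(x) = (__force __typeof__(*(ptr)))__gu_val;`. The new `____m()` helper evaluates its argument once into `____x` before the `PAX_USER_SHADOW_BASE` comparison, which is right for arguments with side effects, but its purpose deserves a line above it such as `/* with UDEREF on x86_64, user pointers are accessed through a shadow mapping at PAX_USER_SHADOW_BASE */`. The opening of the `____m` statement expression and the `#else`/`#endif` lines of the new conditional are not visible here.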
9940 @@ -438,7 +491,7 @@ struct __large_struct { unsigned long bu
9943 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9944 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9945 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"1,%2\n"\
9947 ".section .fixup,\"ax\"\n" \
9949 @@ -446,10 +499,10 @@ struct __large_struct { unsigned long bu
9951 _ASM_EXTABLE(1b, 3b) \
9953 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9954 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err))
9956 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9957 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9958 + asm volatile("1: "__copyuser_seg"mov"itype" %"rtype"0,%1\n"\
9960 _ASM_EXTABLE(1b, 2b - 1b) \
9961 : : ltype(x), "m" (__m(addr)))
9962 @@ -488,8 +541,12 @@ struct __large_struct { unsigned long bu
9963 * On error, the variable @x is set to zero.
9966 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9967 +#define __get_user(x, ptr) get_user((x), (ptr))
9969 #define __get_user(x, ptr) \
9970 __get_user_nocheck((x), (ptr), sizeof(*(ptr)))
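Review bot: With `#define __get_user(x, ptr) get_user((x), (ptr))` the UDEREF/x86_64 build turns the "less checking" variant into the fully checked one, but the kernel-doc block directly above (its title line lies outside the hunk; `On error, the variable @x is set to zero.` is visible) still documents the unchecked contract, and the same holds for `__put_user` in the next hunk of this file. Add one line to each doc block, e.g. ` * With CONFIG_PAX_MEMORY_UDEREF on x86_64 this is an alias of get_user() and repeats the full access_ok() check.` Callers that used `__get_user` precisely because they had already validated the range now pay that check twice; harmless, but the comment should say so rather than leave the reader to infer it. The `#else`/`#endif` lines of the new conditional are not visible here.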
9974 * __put_user: - Write a simple value into user space, with less checking.
9975 @@ -511,8 +568,12 @@ struct __large_struct { unsigned long bu
9976 * Returns zero on success, or -EFAULT on error.
9979 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9980 +#define __put_user(x, ptr) put_user((x), (ptr))
9982 #define __put_user(x, ptr) \
9983 __put_user_nocheck((__typeof__(*(ptr)))(x), (ptr), sizeof(*(ptr)))
9986 #define __get_user_unaligned __get_user
9987 #define __put_user_unaligned __put_user
9988 @@ -530,7 +591,7 @@ struct __large_struct { unsigned long bu
9989 #define get_user_ex(x, ptr) do { \
9990 unsigned long __gue_val; \
9991 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9992 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9993 + (x) = (__typeof__(*(ptr)))__gue_val; \
9996 #ifdef CONFIG_X86_WP_WORKS_OK
9997 @@ -567,6 +628,7 @@ extern struct movsl_mask {
9999 #define ARCH_HAS_NOCACHE_UACCESS 1
10001 +#define ARCH_HAS_SORT_EXTABLE
10002 #ifdef CONFIG_X86_32
10003 # include "uaccess_32.h"
10005 diff -urNp linux-2.6.38.1/arch/x86/include/asm/vgtod.h linux-2.6.38.1-new/arch/x86/include/asm/vgtod.h
10006 --- linux-2.6.38.1/arch/x86/include/asm/vgtod.h 2011-03-14 21:20:32.000000000 -0400
10007 +++ linux-2.6.38.1-new/arch/x86/include/asm/vgtod.h 2011-03-21 18:31:35.000000000 -0400
10008 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
10009 int sysctl_enabled;
10010 struct timezone sys_tz;
10011 struct { /* extract of a clocksource struct */
10013 cycle_t (*vread)(void);
10014 cycle_t cycle_last;
10016 diff -urNp linux-2.6.38.1/arch/x86/include/asm/vsyscall.h linux-2.6.38.1-new/arch/x86/include/asm/vsyscall.h
10017 --- linux-2.6.38.1/arch/x86/include/asm/vsyscall.h 2011-03-14 21:20:32.000000000 -0400
10018 +++ linux-2.6.38.1-new/arch/x86/include/asm/vsyscall.h 2011-03-21 18:31:35.000000000 -0400
10019 @@ -15,9 +15,10 @@ enum vsyscall_num {
10022 #include <linux/seqlock.h>
10023 +#include <linux/getcpu.h>
10024 +#include <linux/time.h>
10026 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
10027 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
10029 /* Definitions for CONFIG_GENERIC_TIME definitions */
10030 #define __section_vsyscall_gtod_data __attribute__ \
10031 @@ -31,7 +32,6 @@ enum vsyscall_num {
10032 #define VGETCPU_LSL 2
10034 extern int __vgetcpu_mode;
10035 -extern volatile unsigned long __jiffies;
10037 /* kernel space (writeable) */
10038 extern int vgetcpu_mode;
10039 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
10041 extern void map_vsyscall(void);
10043 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
10044 +extern time_t vtime(time_t *t);
10045 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
10046 #endif /* __KERNEL__ */
10048 #endif /* _ASM_X86_VSYSCALL_H */
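Review bot: The new prototype `extern int vgettimeofday(struct timeval * tv, struct timezone * tz);` puts a space on both sides of the `*`, which is not the kernel's declarator style (the other two added prototypes already bind the `*` to the name); write `extern int vgettimeofday(struct timeval *tv, struct timezone *tz);`. Since these are the user-visible vsyscall entry points, a one-line comment above the three declarations saying that they are exported to user space via the vsyscall page would help a reader who only sees the header.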
10049 diff -urNp linux-2.6.38.1/arch/x86/include/asm/xsave.h linux-2.6.38.1-new/arch/x86/include/asm/xsave.h
10050 --- linux-2.6.38.1/arch/x86/include/asm/xsave.h 2011-03-14 21:20:32.000000000 -0400
10051 +++ linux-2.6.38.1-new/arch/x86/include/asm/xsave.h 2011-03-21 18:31:35.000000000 -0400
10052 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
10056 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10057 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
10058 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
10062 * Clear the xsave header first, so that reserved fields are
10063 * initialized to zero.
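Review bot: The shadow-base adjustment `if ((unsigned long)buf < PAX_USER_SHADOW_BASE) buf = ...` is open-coded here and again for `xstate` in xrestore_user in the next hunk, with differing casts at each site; if the `____m()` helper that this patch introduces in uaccess.h is reachable from this header, both sites could use it so the translation rule lives in one place. Independently, if any helper called afterwards on the adjusted pointer (the header clear that the comment just below refers to is not visible) applies the same offset itself, the translation would be applied twice — worth confirming against those helpers before merging. The `#endif` closing the new conditional and the remainder of both function bodies fall outside the visible lines.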
10064 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
10066 u32 hmask = mask >> 32;
10068 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
10069 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
10070 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
10073 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
10075 ".section .fixup,\"ax\"\n"
10076 diff -urNp linux-2.6.38.1/arch/x86/Kconfig linux-2.6.38.1-new/arch/x86/Kconfig
10077 --- linux-2.6.38.1/arch/x86/Kconfig 2011-03-14 21:20:32.000000000 -0400
10078 +++ linux-2.6.38.1-new/arch/x86/Kconfig 2011-03-21 18:31:35.000000000 -0400
10079 @@ -223,7 +223,7 @@ config X86_TRAMPOLINE
10081 config X86_32_LAZY_GS
10083 - depends on X86_32 && !CC_STACKPROTECTOR
10084 + depends on X86_32 && !CC_STACKPROTECTOR && !PAX_MEMORY_UDEREF
10086 config ARCH_HWEIGHT_CFLAGS
10088 @@ -1019,7 +1019,7 @@ choice
10092 - depends on !X86_NUMAQ
10093 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10095 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
10096 However, the address space of 32-bit x86 processors is only 4
10097 @@ -1056,7 +1056,7 @@ config NOHIGHMEM
10101 - depends on !X86_NUMAQ
10102 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
10104 Select this if you have a 32-bit processor and between 1 and 4
10105 gigabytes of physical RAM.
10106 @@ -1110,7 +1110,7 @@ config PAGE_OFFSET
10108 default 0xB0000000 if VMSPLIT_3G_OPT
10109 default 0x80000000 if VMSPLIT_2G
10110 - default 0x78000000 if VMSPLIT_2G_OPT
10111 + default 0x70000000 if VMSPLIT_2G_OPT
10112 default 0x40000000 if VMSPLIT_1G
10115 @@ -1454,7 +1454,7 @@ config ARCH_USES_PG_UNCACHED
10118 bool "EFI runtime service support"
10120 + depends on ACPI && !PAX_KERNEXEC
10122 This enables the kernel to use EFI runtime services that are
10123 available (such as the EFI variable services).
10124 @@ -1484,6 +1484,7 @@ config SECCOMP
10126 config CC_STACKPROTECTOR
10127 bool "Enable -fstack-protector buffer overflow detection (EXPERIMENTAL)"
10128 + depends on X86_64 || !PAX_MEMORY_UDEREF
10130 This option turns on the -fstack-protector GCC feature. This
10131 feature puts, at the beginning of functions, a canary value on
10132 @@ -1541,6 +1542,7 @@ config KEXEC_JUMP
10133 config PHYSICAL_START
10134 hex "Physical address where the kernel is loaded" if (EXPERT || CRASH_DUMP)
10135 default "0x1000000"
10136 + range 0x400000 0x40000000
10138 This gives the physical address where the kernel is loaded.
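Review bot: The new `range 0x400000 0x40000000` applies to every configuration that shows the prompt, including `CRASH_DUMP` builds, where a capture kernel with PHYSICAL_START above 1 GiB now fails the range check with no explanation, and the help text that follows still describes the address as freely choosable. If the upper bound is intentional, say why in the help text, e.g. `Kernels built with this patch set must be loaded below 0x40000000; see <the option that imposes this limit>.`, or condition the range on the option that needs it, as the later PHYSICAL_ALIGN hunk does with `range 0x400000 0x1000000 if PAX_KERNEXEC`.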
10140 @@ -1604,6 +1606,7 @@ config X86_NEED_RELOCS
10141 config PHYSICAL_ALIGN
10142 hex "Alignment value to which kernel should be aligned" if X86_32
10143 default "0x1000000"
10144 + range 0x400000 0x1000000 if PAX_KERNEXEC
10145 range 0x2000 0x1000000
10147 This value puts the alignment restrictions on physical address
10148 @@ -1635,9 +1638,10 @@ config HOTPLUG_CPU
10149 Say N if you want to disable CPU hotplug.
10154 prompt "Compat VDSO support"
10155 depends on X86_32 || IA32_EMULATION
10156 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10158 Map the 32-bit VDSO to the predictable old-style address too.
10160 diff -urNp linux-2.6.38.1/arch/x86/Kconfig.cpu linux-2.6.38.1-new/arch/x86/Kconfig.cpu
10161 --- linux-2.6.38.1/arch/x86/Kconfig.cpu 2011-03-14 21:20:32.000000000 -0400
10162 +++ linux-2.6.38.1-new/arch/x86/Kconfig.cpu 2011-03-21 18:31:35.000000000 -0400
10163 @@ -339,7 +339,7 @@ config X86_PPRO_FENCE
10165 config X86_F00F_BUG
10167 - depends on M586MMX || M586TSC || M586 || M486 || M386
10168 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10170 config X86_INVD_BUG
10172 @@ -363,7 +363,7 @@ config X86_POPAD_OK
10174 config X86_ALIGNMENT_16
10176 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10177 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10179 config X86_INTEL_USERCOPY
10181 @@ -409,7 +409,7 @@ config X86_CMPXCHG64
10185 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10186 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10188 config X86_MINIMUM_CPU_FAMILY
10190 diff -urNp linux-2.6.38.1/arch/x86/Kconfig.debug linux-2.6.38.1-new/arch/x86/Kconfig.debug
10191 --- linux-2.6.38.1/arch/x86/Kconfig.debug 2011-03-14 21:20:32.000000000 -0400
10192 +++ linux-2.6.38.1-new/arch/x86/Kconfig.debug 2011-03-21 18:31:35.000000000 -0400
10193 @@ -101,7 +101,7 @@ config X86_PTDUMP
10194 config DEBUG_RODATA
10195 bool "Write protect kernel read-only data structures"
10197 - depends on DEBUG_KERNEL
10198 + depends on DEBUG_KERNEL && BROKEN
10200 Mark the kernel read-only data as write-protected in the pagetables,
10201 in order to catch accidental (and incorrect) writes to such const
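Review bot: `depends on DEBUG_KERNEL && BROKEN` (and `depends on MODULES && BROKEN` for DEBUG_SET_MODULE_RONX in the next hunk) hides both write-protection options from every normal build without saying why, while the help text below still describes them as working features; a menuconfig user only sees them vanish. If they are superseded by this patch set's own text/rodata protection, state that in the help, e.g. `Not supported together with this patch set; see <replacement option> for the equivalent protection.`, or express the relationship directly as `depends on DEBUG_KERNEL && !<replacement option>` so the conflict is visible in Kconfig rather than behind BROKEN.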
10202 @@ -119,7 +119,7 @@ config DEBUG_RODATA_TEST
10204 config DEBUG_SET_MODULE_RONX
10205 bool "Set loadable kernel module data as NX and text as RO"
10206 - depends on MODULES
10207 + depends on MODULES && BROKEN
10209 This option helps catch unintended modifications to loadable
10210 kernel module's text and read-only data. It also prevents execution
10211 diff -urNp linux-2.6.38.1/arch/x86/kernel/acpi/boot.c linux-2.6.38.1-new/arch/x86/kernel/acpi/boot.c
10212 --- linux-2.6.38.1/arch/x86/kernel/acpi/boot.c 2011-03-14 21:20:32.000000000 -0400
10213 +++ linux-2.6.38.1-new/arch/x86/kernel/acpi/boot.c 2011-03-21 18:31:35.000000000 -0400
10214 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
10215 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10219 + { NULL, NULL, {{0, {0}}}, NULL}
10223 diff -urNp linux-2.6.38.1/arch/x86/kernel/acpi/sleep.c linux-2.6.38.1-new/arch/x86/kernel/acpi/sleep.c
10224 --- linux-2.6.38.1/arch/x86/kernel/acpi/sleep.c 2011-03-14 21:20:32.000000000 -0400
10225 +++ linux-2.6.38.1-new/arch/x86/kernel/acpi/sleep.c 2011-03-21 18:31:35.000000000 -0400
10227 #include "realmode/wakeup.h"
10230 -unsigned long acpi_wakeup_address;
10231 +unsigned long acpi_wakeup_address = 0x2000;
10232 unsigned long acpi_realmode_flags;
10234 /* address in low memory of the wakeup routine. */
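Review bot: `unsigned long acpi_wakeup_address = 0x2000;` introduces a magic constant with no comment; the initializer also moves the variable from .bss into .data, which may be the actual point of the change, but neither the value nor the reason is stated anywhere in the hunk. A comment on the line, e.g. `/* default real-mode wakeup page; replaced by the real address once the wakeup area is reserved (see <the function that assigns it>) */`, or a named constant in place of `0x2000`, would make the change reviewable.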
10235 @@ -99,8 +99,12 @@ int acpi_save_state_mem(void)
10236 header->trampoline_segment = setup_trampoline() >> 4;
10238 stack_start = (unsigned long)temp_stack + sizeof(temp_stack);
10240 + pax_open_kernel();
10241 early_gdt_descr.address =
10242 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10243 + pax_close_kernel();
10245 initial_gs = per_cpu_offset(smp_processor_id());
10247 initial_code = (unsigned long)wakeup_long64;
10248 diff -urNp linux-2.6.38.1/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.38.1-new/arch/x86/kernel/acpi/wakeup_32.S
10249 --- linux-2.6.38.1/arch/x86/kernel/acpi/wakeup_32.S 2011-03-14 21:20:32.000000000 -0400
10250 +++ linux-2.6.38.1-new/arch/x86/kernel/acpi/wakeup_32.S 2011-03-21 18:31:35.000000000 -0400
10251 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10252 # and restore the stack ... but you need gdt for this to work
10253 movl saved_context_esp, %esp
10255 - movl %cs:saved_magic, %eax
10256 - cmpl $0x12345678, %eax
10257 + cmpl $0x12345678, saved_magic
10260 # jump to place where we left off
10261 - movl saved_eip, %eax
10267 diff -urNp linux-2.6.38.1/arch/x86/kernel/alternative.c linux-2.6.38.1-new/arch/x86/kernel/alternative.c
10268 --- linux-2.6.38.1/arch/x86/kernel/alternative.c 2011-03-23 17:20:06.000000000 -0400
10269 +++ linux-2.6.38.1-new/arch/x86/kernel/alternative.c 2011-03-21 23:47:41.000000000 -0400
10270 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10271 if (!*poff || ptr < text || ptr >= text_end)
10273 /* turn DS segment override prefix into lock prefix */
10274 - if (*ptr == 0x3e)
10275 + if (*ktla_ktva(ptr) == 0x3e)
10276 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10278 mutex_unlock(&text_mutex);
10279 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10280 if (!*poff || ptr < text || ptr >= text_end)
10282 /* turn lock prefix into DS segment override prefix */
10283 - if (*ptr == 0xf0)
10284 + if (*ktla_ktva(ptr) == 0xf0)
10285 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10287 mutex_unlock(&text_mutex);
10288 @@ -438,7 +438,7 @@ void __init_or_module apply_paravirt(str
10290 BUG_ON(p->len > MAX_PATCH_LEN);
10291 /* prep the buffer with the original instructions */
10292 - memcpy(insnbuf, p->instr, p->len);
10293 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10294 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10295 (unsigned long)p->instr, p->len);
10297 @@ -506,7 +506,7 @@ void __init alternative_instructions(voi
10299 free_init_pages("SMP alternatives",
10300 (unsigned long)__smp_locks,
10301 - (unsigned long)__smp_locks_end);
10302 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10306 @@ -523,13 +523,17 @@ void __init alternative_instructions(voi
10307 * instructions. And on the local CPU you need to be protected again NMI or MCE
10308 * handlers seeing an inconsistent instruction while you patch.
10310 -void *__init_or_module text_poke_early(void *addr, const void *opcode,
10311 +void *__kprobes text_poke_early(void *addr, const void *opcode,
10314 unsigned long flags;
10315 local_irq_save(flags);
10316 - memcpy(addr, opcode, len);
10318 + pax_open_kernel();
10319 + memcpy(ktla_ktva(addr), opcode, len);
10321 + pax_close_kernel();
10323 local_irq_restore(flags);
10324 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10325 that causes hangs on some VIA CPUs. */
10326 @@ -551,36 +555,22 @@ void *__init_or_module text_poke_early(v
10328 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10330 - unsigned long flags;
10332 + unsigned char *vaddr = ktla_ktva(addr);
10333 struct page *pages[2];
10337 if (!core_kernel_text((unsigned long)addr)) {
10338 - pages[0] = vmalloc_to_page(addr);
10339 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10340 + pages[0] = vmalloc_to_page(vaddr);
10341 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10343 - pages[0] = virt_to_page(addr);
10344 + pages[0] = virt_to_page(vaddr);
10345 WARN_ON(!PageReserved(pages[0]));
10346 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10347 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10350 - local_irq_save(flags);
10351 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10353 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10354 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10355 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10356 - clear_fixmap(FIX_TEXT_POKE0);
10358 - clear_fixmap(FIX_TEXT_POKE1);
10359 - local_flush_tlb();
10361 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10362 - that causes hangs on some VIA CPUs. */
10363 + text_poke_early(addr, opcode, len);
10364 for (i = 0; i < len; i++)
10365 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10366 - local_irq_restore(flags);
10367 + BUG_ON((vaddr)[i] != ((const unsigned char *)opcode)[i]);
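Review bot: After the fixmap-based write path was removed, `pages[1]` is still computed by `pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);` and `pages[1] = virt_to_page(vaddr + PAGE_SIZE);` but never read — the only remaining consumer of the array is `WARN_ON(!PageReserved(pages[0]))` — so both assignments are dead and can be dropped, and the array can shrink to a single `struct page *`, although that declaration is a context line here. The verification loop compares through `vaddr` while `text_poke_early(addr, opcode, len)` is handed the untranslated `addr`; this is consistent only because text_poke_early applies ktla_ktva() itself (visible in the previous hunk), which deserves a comment at the call, e.g. `/* text_poke_early() translates addr via ktla_ktva() itself */`. The declaration of `i` and the function's closing lines are outside the visible lines.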
10371 @@ -682,9 +672,9 @@ void __kprobes text_poke_smp_batch(struc
10372 #if defined(CONFIG_DYNAMIC_FTRACE) || defined(HAVE_JUMP_LABEL)
10374 #ifdef CONFIG_X86_64
10375 -unsigned char ideal_nop5[5] = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10376 +unsigned char ideal_nop5[5] __read_only = { 0x66, 0x66, 0x66, 0x66, 0x90 };
10378 -unsigned char ideal_nop5[5] = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10379 +unsigned char ideal_nop5[5] __read_only = { 0x3e, 0x8d, 0x74, 0x26, 0x00 };
10382 void __init arch_init_ideal_nop5(void)
10383 diff -urNp linux-2.6.38.1/arch/x86/kernel/amd_iommu.c linux-2.6.38.1-new/arch/x86/kernel/amd_iommu.c
10384 --- linux-2.6.38.1/arch/x86/kernel/amd_iommu.c 2011-03-14 21:20:32.000000000 -0400
10385 +++ linux-2.6.38.1-new/arch/x86/kernel/amd_iommu.c 2011-03-21 18:31:35.000000000 -0400
10386 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10390 -static struct dma_map_ops amd_iommu_dma_ops = {
10391 +static const struct dma_map_ops amd_iommu_dma_ops = {
10392 .alloc_coherent = alloc_coherent,
10393 .free_coherent = free_coherent,
10394 .map_page = map_page,
10395 diff -urNp linux-2.6.38.1/arch/x86/kernel/apic/io_apic.c linux-2.6.38.1-new/arch/x86/kernel/apic/io_apic.c
10396 --- linux-2.6.38.1/arch/x86/kernel/apic/io_apic.c 2011-03-14 21:20:32.000000000 -0400
10397 +++ linux-2.6.38.1-new/arch/x86/kernel/apic/io_apic.c 2011-03-21 18:31:35.000000000 -0400
10398 @@ -617,7 +617,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10399 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10401 if (!ioapic_entries)
10405 for (apic = 0; apic < nr_ioapics; apic++) {
10406 ioapic_entries[apic] =
10407 @@ -634,7 +634,7 @@ nomem:
10408 kfree(ioapic_entries[apic]);
10409 kfree(ioapic_entries);
10416 @@ -1044,7 +1044,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10418 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10420 -void lock_vector_lock(void)
10421 +void lock_vector_lock(void) __acquires(vector_lock)
10423 /* Used to the online set of cpus does not change
10424 * during assign_irq_vector.
10425 @@ -1052,7 +1052,7 @@ void lock_vector_lock(void)
10426 raw_spin_lock(&vector_lock);
10429 -void unlock_vector_lock(void)
10430 +void unlock_vector_lock(void) __releases(vector_lock)
10432 raw_spin_unlock(&vector_lock);
10434 diff -urNp linux-2.6.38.1/arch/x86/kernel/apm_32.c linux-2.6.38.1-new/arch/x86/kernel/apm_32.c
10435 --- linux-2.6.38.1/arch/x86/kernel/apm_32.c 2011-03-14 21:20:32.000000000 -0400
10436 +++ linux-2.6.38.1-new/arch/x86/kernel/apm_32.c 2011-03-21 18:31:35.000000000 -0400
10437 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10438 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10439 * even though they are called in protected mode.
10441 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10442 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10443 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10445 static const char driver_version[] = "1.16ac"; /* no spaces */
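Review bot: The type byte of `bad_bios_desc` changes from 0x4092 to 0x4093 on the same line that makes the descriptor `const`, and nothing records why; the low bit is the segment Accessed flag, and presetting it is presumably what allows the copy installed into the GDT (under pax_open_kernel() in the later hunks) to sit in memory the CPU is not expected to write to, but a reader cannot tell that from the diff. A comment such as `/* accessed bit preset (0x4093): the CPU must never need to write this GDT entry */` would make the change self-explaining; the existing comment above only explains the segment 0x40 workaround.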
10446 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10448 gdt = get_cpu_gdt_table(cpu);
10449 save_desc_40 = gdt[0x40 / 8];
10451 + pax_open_kernel();
10452 gdt[0x40 / 8] = bad_bios_desc;
10453 + pax_close_kernel();
10455 apm_irq_save(flags);
10457 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10459 APM_DO_RESTORE_SEGS;
10460 apm_irq_restore(flags);
10462 + pax_open_kernel();
10463 gdt[0x40 / 8] = save_desc_40;
10464 + pax_close_kernel();
10468 return call->eax & 0xff;
10469 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10471 gdt = get_cpu_gdt_table(cpu);
10472 save_desc_40 = gdt[0x40 / 8];
10474 + pax_open_kernel();
10475 gdt[0x40 / 8] = bad_bios_desc;
10476 + pax_close_kernel();
10478 apm_irq_save(flags);
10480 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10482 APM_DO_RESTORE_SEGS;
10483 apm_irq_restore(flags);
10485 + pax_open_kernel();
10486 gdt[0x40 / 8] = save_desc_40;
10487 + pax_close_kernel();
10492 @@ -975,7 +989,7 @@ recalc:
10494 static void apm_power_off(void)
10496 - unsigned char po_bios_call[] = {
10497 + const unsigned char po_bios_call[] = {
10498 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10499 0x8e, 0xd0, /* movw ax,ss */
10500 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10501 @@ -1932,7 +1946,10 @@ static const struct file_operations apm_
10502 static struct miscdevice apm_device = {
10513 @@ -2253,7 +2270,7 @@ static struct dmi_system_id __initdata a
10514 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10518 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10522 @@ -2356,12 +2373,15 @@ static int __init apm_init(void)
10523 * code to that CPU.
10525 gdt = get_cpu_gdt_table(0);
10527 + pax_open_kernel();
10528 set_desc_base(&gdt[APM_CS >> 3],
10529 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10530 set_desc_base(&gdt[APM_CS_16 >> 3],
10531 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10532 set_desc_base(&gdt[APM_DS >> 3],
10533 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10534 + pax_close_kernel();
10536 proc_create("apm", 0, NULL, &apm_file_ops);
10538 diff -urNp linux-2.6.38.1/arch/x86/kernel/asm-offsets_32.c linux-2.6.38.1-new/arch/x86/kernel/asm-offsets_32.c
10539 --- linux-2.6.38.1/arch/x86/kernel/asm-offsets_32.c 2011-03-14 21:20:32.000000000 -0400
10540 +++ linux-2.6.38.1-new/arch/x86/kernel/asm-offsets_32.c 2011-03-21 18:31:35.000000000 -0400
10541 @@ -113,6 +113,11 @@ void foo(void)
10542 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10543 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10544 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10546 +#ifdef CONFIG_PAX_KERNEXEC
10547 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10553 diff -urNp linux-2.6.38.1/arch/x86/kernel/asm-offsets_64.c linux-2.6.38.1-new/arch/x86/kernel/asm-offsets_64.c
10554 --- linux-2.6.38.1/arch/x86/kernel/asm-offsets_64.c 2011-03-14 21:20:32.000000000 -0400
10555 +++ linux-2.6.38.1-new/arch/x86/kernel/asm-offsets_64.c 2011-03-21 18:31:35.000000000 -0400
10556 @@ -63,6 +63,18 @@ int main(void)
10557 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10558 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10559 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10561 +#ifdef CONFIG_PAX_KERNEXEC
10562 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10563 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10566 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10567 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10568 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10569 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10575 @@ -115,6 +127,7 @@ int main(void)
10579 + DEFINE(TSS_size, sizeof(struct tss_struct));
10580 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10582 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10583 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/common.c linux-2.6.38.1-new/arch/x86/kernel/cpu/common.c
10584 --- linux-2.6.38.1/arch/x86/kernel/cpu/common.c 2011-03-14 21:20:32.000000000 -0400
10585 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/common.c 2011-03-21 18:31:35.000000000 -0400
10586 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10588 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10590 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10591 -#ifdef CONFIG_X86_64
10593 - * We need valid kernel segments for data and code in long mode too
10594 - * IRET will check the segment types kkeil 2000/10/28
10595 - * Also sysret mandates a special GDT layout
10597 - * TLS descriptors are currently at a different place compared to i386.
10598 - * Hopefully nobody expects them at a fixed place (Wine?)
10600 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10601 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10602 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10603 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10604 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10605 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10607 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10608 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10609 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10610 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10612 - * Segments used for calling PnP BIOS have byte granularity.
10613 - * They code segments and data segments have fixed 64k limits,
10614 - * the transfer segment sizes are set at run time.
10616 - /* 32-bit code */
10617 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10618 - /* 16-bit code */
10619 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10620 - /* 16-bit data */
10621 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10622 - /* 16-bit data */
10623 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10624 - /* 16-bit data */
10625 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10627 - * The APM segments have byte granularity and their bases
10628 - * are set at run time. All have 64k limits.
10630 - /* 32-bit code */
10631 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10632 - /* 16-bit code */
10633 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10635 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10637 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10638 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10639 - GDT_STACK_CANARY_INIT
10642 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10644 static int __init x86_xsave_setup(char *s)
10646 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10647 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10649 struct desc_ptr gdt_descr;
10651 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10652 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10653 gdt_descr.size = GDT_SIZE - 1;
10654 load_gdt(&gdt_descr);
10655 /* Reload the per-cpu base */
10656 @@ -825,6 +771,10 @@ static void __cpuinit identify_cpu(struc
10657 /* Filter out anything that depends on CPUID levels we don't have */
10658 filter_cpuid_features(c, true);
10660 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10661 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10664 /* If the model name is still unset, do table lookup. */
10665 if (!c->x86_model_id[0]) {
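Review bot: `setup_clear_cpu_cap(X86_FEATURE_SEP);` under SEGMEXEC, KERNEXEC or 32-bit UDEREF silently disables the SYSENTER system-call path on every affected CPU, a measurable change in syscall cost, and the `#if` carries no explanation of why SEP is incompatible with those options. Add a comment above the conditional stating the constraint, e.g. `/* SYSENTER cannot be used with these options: <state why the sysenter entry path is incompatible> */`, so that the cost is a documented trade-off rather than a surprise in /proc/cpuinfo. The `#endif` closing the new block is not visible here.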
10667 @@ -1084,7 +1034,7 @@ struct pt_regs * __cpuinit idle_regs(str
10669 memset(regs, 0, sizeof(struct pt_regs));
10670 regs->fs = __KERNEL_PERCPU;
10671 - regs->gs = __KERNEL_STACK_CANARY;
10672 + savesegment(gs, regs->gs);
10676 @@ -1139,7 +1089,7 @@ void __cpuinit cpu_init(void)
10679 cpu = stack_smp_processor_id();
10680 - t = &per_cpu(init_tss, cpu);
10681 + t = init_tss + cpu;
10682 oist = &per_cpu(orig_ist, cpu);
10685 @@ -1165,7 +1115,7 @@ void __cpuinit cpu_init(void)
10686 switch_to_new_gdt(cpu);
10687 loadsegment(fs, 0);
10689 - load_idt((const struct desc_ptr *)&idt_descr);
10690 + load_idt(&idt_descr);
10692 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10694 @@ -1174,7 +1124,6 @@ void __cpuinit cpu_init(void)
10695 wrmsrl(MSR_KERNEL_GS_BASE, 0);
10698 - x86_configure_nx();
10702 @@ -1228,7 +1177,7 @@ void __cpuinit cpu_init(void)
10704 int cpu = smp_processor_id();
10705 struct task_struct *curr = current;
10706 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10707 + struct tss_struct *t = init_tss + cpu;
10708 struct thread_struct *thread = &curr->thread;
10710 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
10711 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.38.1-new/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10712 --- linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-03-14 21:20:32.000000000 -0400
10713 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2011-03-21 18:31:35.000000000 -0400
10714 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
10715 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10719 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10722 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10723 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.38.1-new/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10724 --- linux-2.6.38.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-03-14 21:20:32.000000000 -0400
10725 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2011-03-21 18:31:35.000000000 -0400
10726 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10727 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10728 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10731 + { NULL, NULL, 0, NULL}
10735 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/intel.c linux-2.6.38.1-new/arch/x86/kernel/cpu/intel.c
10736 --- linux-2.6.38.1/arch/x86/kernel/cpu/intel.c 2011-03-14 21:20:32.000000000 -0400
10737 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/intel.c 2011-03-21 18:31:35.000000000 -0400
10738 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
10739 * Update the IDT descriptor and reload the IDT so that
10740 * it uses the read-only mapped virtual address.
10742 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10743 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10744 load_idt(&idt_descr);
10747 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/Makefile linux-2.6.38.1-new/arch/x86/kernel/cpu/Makefile
10748 --- linux-2.6.38.1/arch/x86/kernel/cpu/Makefile 2011-03-14 21:20:32.000000000 -0400
10749 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/Makefile 2011-03-21 18:31:35.000000000 -0400
10750 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10751 CFLAGS_REMOVE_perf_event.o = -pg
10754 -# Make sure load_percpu_segment has no stackprotector
10755 -nostackp := $(call cc-option, -fno-stack-protector)
10756 -CFLAGS_common.o := $(nostackp)
10758 obj-y := intel_cacheinfo.o scattered.o topology.o
10759 obj-y += proc.o capflags.o powerflags.o common.o
10760 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
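Review bot: Dropping `CFLAGS_common.o := $(nostackp)` re-enables the stack protector for common.o, and the removed comment was the only place recording that load_percpu_segment must not carry a canary check, presumably because it switches the per-cpu segment the canary is read through. Unless the patch exempts that function by other means elsewhere — nothing in this hunk does — the prologue/epilogue check can now run against the wrong base in exactly that function. If another mechanism covers it, keep the rationale here, e.g. `# load_percpu_segment is kept free of the stack protector by <mechanism>`.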
10761 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.38.1-new/arch/x86/kernel/cpu/mcheck/mce.c
10762 --- linux-2.6.38.1/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-14 21:20:32.000000000 -0400
10763 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/mcheck/mce.c 2011-03-21 18:31:35.000000000 -0400
10765 #include <asm/ipi.h>
10766 #include <asm/mce.h>
10767 #include <asm/msr.h>
10768 +#include <asm/local.h>
10770 #include "mce-internal.h"
10772 @@ -219,7 +220,7 @@ static void print_mce(struct mce *m)
10773 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10776 - if (m->cs == __KERNEL_CS)
10777 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10778 print_symbol("{%s}", m->ip);
10781 @@ -1460,14 +1461,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10784 static DEFINE_SPINLOCK(mce_state_lock);
10785 -static int open_count; /* #times opened */
10786 +static local_t open_count; /* #times opened */
10787 static int open_exclu; /* already open exclusive? */
10789 static int mce_open(struct inode *inode, struct file *file)
10791 spin_lock(&mce_state_lock);
10793 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10794 + if (open_exclu || (local_read(&open_count) && (file->f_flags & O_EXCL))) {
10795 spin_unlock(&mce_state_lock);
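Review bot: Every access to open_count in these hunks (`local_read` here, `local_inc` and `local_dec` in the next two) happens under mce_state_lock, so the change from `int` to `local_t` adds no synchronisation; whatever the actual motivation is (keeping the counter out of plain-int overflow instrumentation is my guess), it should be stated on the declaration, e.g. `static local_t open_count; /* #times opened; local_t on purpose, see <reason> */`. Without that a reader will assume the lock can be dropped for this field, which the code does not support. mce_open() continues outside the hunk.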
10798 @@ -1475,7 +1476,7 @@ static int mce_open(struct inode *inode,
10800 if (file->f_flags & O_EXCL)
10803 + local_inc(&open_count);
10805 spin_unlock(&mce_state_lock);
10807 @@ -1486,7 +1487,7 @@ static int mce_release(struct inode *ino
10809 spin_lock(&mce_state_lock);
10812 + local_dec(&open_count);
10815 spin_unlock(&mce_state_lock);
10816 @@ -1658,8 +1659,7 @@ static long mce_ioctl(struct file *f, un
10820 -/* Modified in mce-inject.c, so not static or const */
10821 -struct file_operations mce_chrdev_ops = {
10822 +struct file_operations mce_chrdev_ops = { /* Modified in mce-inject.c, so not static or const */
10824 .release = mce_release,
10826 @@ -1673,6 +1673,7 @@ static struct miscdevice mce_log_device
10830 + {NULL, NULL}, NULL, NULL
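Review bot: `{NULL, NULL}, NULL, NULL` initialises trailing members of mce_log_device positionally, which silently breaks the moment struct miscdevice gains or reorders a field, and it may still leave members after those implicitly zero (the struct's full layout is not visible here). Designated initialisers for the members that are actually set, with the rest left to implicit zero-initialisation, say the same thing without depending on member order. The initialiser's opening lines are outside the hunk.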
10834 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.38.1-new/arch/x86/kernel/cpu/mtrr/generic.c
10835 --- linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-14 21:20:32.000000000 -0400
10836 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/mtrr/generic.c 2011-03-21 18:31:35.000000000 -0400
10837 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10838 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10839 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10840 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10845 static unsigned long smp_changes_mask;
10846 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.38.1-new/arch/x86/kernel/cpu/mtrr/main.c
10847 --- linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/main.c 2011-03-14 21:20:32.000000000 -0400
10848 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/mtrr/main.c 2011-03-21 18:31:35.000000000 -0400
10849 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10850 u64 size_or_mask, size_and_mask;
10851 static bool mtrr_aps_delayed_init;
10853 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10854 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10856 const struct mtrr_ops *mtrr_if;
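Review bot: Marking mtrr_ops[] `__read_only` means every store into the array must complete before the read-only data is sealed, i.e. the writers must be __init code or use the patch's open/close-kernel helpers; this hunk does not show the writer (set_mtrr_ops(), if that is still the only one), so the constraint is implicit. A comment on the declaration, e.g. `/* __read_only: filled only from __init code via set_mtrr_ops() */` (adjusted to the real writer), would document it and warn anyone adding a late registration path.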
10858 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.38.1-new/arch/x86/kernel/cpu/mtrr/mtrr.h
10859 --- linux-2.6.38.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-14 21:20:32.000000000 -0400
10860 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/mtrr/mtrr.h 2011-03-21 18:31:35.000000000 -0400
10861 @@ -12,19 +12,19 @@
10862 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10866 - u32 use_intel_if;
10867 - void (*set)(unsigned int reg, unsigned long base,
10868 + const u32 vendor;
10869 + const u32 use_intel_if;
10870 + void (* const set)(unsigned int reg, unsigned long base,
10871 unsigned long size, mtrr_type type);
10872 - void (*set_all)(void);
10873 + void (* const set_all)(void);
10875 - void (*get)(unsigned int reg, unsigned long *base,
10876 + void (* const get)(unsigned int reg, unsigned long *base,
10877 unsigned long *size, mtrr_type *type);
10878 - int (*get_free_region)(unsigned long base, unsigned long size,
10879 + int (* const get_free_region)(unsigned long base, unsigned long size,
10881 - int (*validate_add_page)(unsigned long base, unsigned long size,
10882 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10883 unsigned int type);
10884 - int (*have_wrcomb)(void);
10885 + int (* const have_wrcomb)(void);
10888 extern int generic_get_free_region(unsigned long base, unsigned long size,
10889 diff -urNp linux-2.6.38.1/arch/x86/kernel/cpu/perf_event.c linux-2.6.38.1-new/arch/x86/kernel/cpu/perf_event.c
10890 --- linux-2.6.38.1/arch/x86/kernel/cpu/perf_event.c 2011-03-14 21:20:32.000000000 -0400
10891 +++ linux-2.6.38.1-new/arch/x86/kernel/cpu/perf_event.c 2011-03-21 18:31:35.000000000 -0400
10892 @@ -1781,7 +1781,7 @@ perf_callchain_user(struct perf_callchai
10895 perf_callchain_store(entry, frame.return_address);
10896 - fp = frame.next_frame;
10897 + fp = (__force const void __user *)frame.next_frame;
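Review bot: The `__force` in `fp = (__force const void __user *)frame.next_frame;` switches off sparse's address-space check rather than satisfying it, so the cast should say why it is legitimate: next_frame was presumably filled in from the user stack by the copy just above this hunk and is a user pointer despite its declared type. Suggest `/* next_frame was read from user memory; retype it as __user for the next copy */` on the line, or better, give the member the __user annotation at its declaration so no cast is needed. perf_callchain_user() continues outside the hunk.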
10901 diff -urNp linux-2.6.38.1/arch/x86/kernel/crash.c linux-2.6.38.1-new/arch/x86/kernel/crash.c
10902 --- linux-2.6.38.1/arch/x86/kernel/crash.c 2011-03-14 21:20:32.000000000 -0400
10903 +++ linux-2.6.38.1-new/arch/x86/kernel/crash.c 2011-03-21 18:31:35.000000000 -0400
10904 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
10907 #ifdef CONFIG_X86_32
10908 - if (!user_mode_vm(regs)) {
10909 + if (!user_mode(regs)) {
10910 crash_fixup_ss_esp(&fixed_regs, regs);
10911 regs = &fixed_regs;
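Review bot: `user_mode(regs)` and `user_mode_vm(regs)` differ on 32-bit when the frame has X86_EFLAGS_VM set: the _vm variant treats a v8086 frame as user mode, the plain one does not. This replacement therefore preserves behaviour only if user_mode() was redefined elsewhere in the patch to include the VM check, which nothing on this page shows; the same substitution appears in dumpstack_32.c (show_registers) and dumpstack.c (__die and die). If the redefinition exists, a note in this first hunk pointing at it, e.g. `/* user_mode() now covers v8086 frames too; user_mode_vm() is gone */`, would save every reviewer the same question.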
10913 diff -urNp linux-2.6.38.1/arch/x86/kernel/doublefault_32.c linux-2.6.38.1-new/arch/x86/kernel/doublefault_32.c
10914 --- linux-2.6.38.1/arch/x86/kernel/doublefault_32.c 2011-03-14 21:20:32.000000000 -0400
10915 +++ linux-2.6.38.1-new/arch/x86/kernel/doublefault_32.c 2011-03-21 18:31:35.000000000 -0400
10918 #define DOUBLEFAULT_STACKSIZE (1024)
10919 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10920 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10921 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10923 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
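Review bot: The `-2` in `STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)` reserves the two topmost words of the double-fault stack for something the hunk does not name, and an unexplained magic offset next to a stack top is exactly what gets "corrected" back later. State the purpose, e.g. `/* leave 2 words free at the top: <what the entry path stores there> */`, and if the reservation is tied to another definition's size, express it with that symbol rather than a literal.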
10925 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10926 unsigned long gdt, tss;
10928 store_gdt(&gdt_desc);
10929 - gdt = gdt_desc.address;
10930 + gdt = (unsigned long)gdt_desc.address;
10932 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10934 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10935 /* 0x2 bit is always set */
10936 .flags = X86_EFLAGS_SF | 0x2,
10939 + .es = __KERNEL_DS,
10943 + .ds = __KERNEL_DS,
10944 .fs = __KERNEL_PERCPU,
10946 .__cr3 = __pa_nodebug(swapper_pg_dir),
10947 diff -urNp linux-2.6.38.1/arch/x86/kernel/dumpstack_32.c linux-2.6.38.1-new/arch/x86/kernel/dumpstack_32.c
10948 --- linux-2.6.38.1/arch/x86/kernel/dumpstack_32.c 2011-03-14 21:20:32.000000000 -0400
10949 +++ linux-2.6.38.1-new/arch/x86/kernel/dumpstack_32.c 2011-03-21 18:31:35.000000000 -0400
10950 @@ -95,21 +95,22 @@ void show_registers(struct pt_regs *regs
10951 * When in-kernel, we also print out the stack and code at the
10952 * time of the fault..
10954 - if (!user_mode_vm(regs)) {
10955 + if (!user_mode(regs)) {
10956 unsigned int code_prologue = code_bytes * 43 / 64;
10957 unsigned int code_len = code_bytes;
10960 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10962 printk(KERN_EMERG "Stack:\n");
10963 show_stack_log_lvl(NULL, regs, ®s->sp, KERN_EMERG);
10965 printk(KERN_EMERG "Code: ");
10967 - ip = (u8 *)regs->ip - code_prologue;
10968 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10969 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10970 /* try starting at IP */
10971 - ip = (u8 *)regs->ip;
10972 + ip = (u8 *)regs->ip + cs_base;
10973 code_len = code_len - code_prologue + 1;
10975 for (i = 0; i < code_len; i++, ip++) {
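Review bot: `get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]` indexes the GDT with a selector taken from a crashing frame and never checks it: a corrupted or LDT (TI bit set) %cs yields an index up to 8191 against a table of GDT_ENTRIES descriptors, so the read can run past the GDT page and fault inside the oops printer itself. Clamp it before use, e.g. `unsigned int cs_idx = (regs->cs & 0xffff) >> 3;` followed by `unsigned long cs_base = (cs_idx < GDT_ENTRIES && !(regs->cs & SEGMENT_TI_MASK)) ? get_desc_base(&get_cpu_gdt_table(smp_processor_id())[cs_idx]) : 0;`, and add a comment on why a non-zero code-segment base is now possible (the __KERNEXEC_KERNEL_CS segment seen elsewhere on this page, I take it). The original line also runs far past 80 columns. show_registers() continues outside the hunk.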
10976 @@ -118,7 +119,7 @@ void show_registers(struct pt_regs *regs
10977 printk(" Bad EIP value.");
10980 - if (ip == (u8 *)regs->ip)
10981 + if (ip == (u8 *)regs->ip + cs_base)
10982 printk("<%02x> ", c);
10984 printk("%02x ", c);
10985 @@ -131,6 +132,7 @@ int is_valid_bugaddr(unsigned long ip)
10987 unsigned short ud2;
10989 + ip = ktla_ktva(ip);
10990 if (ip < PAGE_OFFSET)
10992 if (probe_kernel_address((unsigned short *)ip, ud2))
10993 diff -urNp linux-2.6.38.1/arch/x86/kernel/dumpstack.c linux-2.6.38.1-new/arch/x86/kernel/dumpstack.c
10994 --- linux-2.6.38.1/arch/x86/kernel/dumpstack.c 2011-03-14 21:20:32.000000000 -0400
10995 +++ linux-2.6.38.1-new/arch/x86/kernel/dumpstack.c 2011-03-21 18:31:35.000000000 -0400
10997 * Copyright (C) 1991, 1992 Linus Torvalds
10998 * Copyright (C) 2000, 2001, 2002 Andi Kleen, SuSE Labs
11000 +#ifdef CONFIG_GRKERNSEC_HIDESYM
11001 +#define __INCLUDED_BY_HIDESYM 1
11003 #include <linux/kallsyms.h>
11004 #include <linux/kprobes.h>
11005 #include <linux/uaccess.h>
11006 @@ -27,7 +30,7 @@ static int die_counter;
11008 void printk_address(unsigned long address, int reliable)
11010 - printk(" [<%p>] %s%pS\n", (void *) address,
11011 + printk(" [<%p>] %s%pA\n", (void *) address,
11012 reliable ? "" : "? ", (void *) address);
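Review bot: Switching `%pS` to `%pA` only hides the symbolic part; the `[<%p>]` on the same format line still prints the raw address, so if the HIDESYM goal is to keep kernel addresses out of the log this printk remains a leak unless `%p` itself is altered elsewhere in the patch. `%pA` is also not a vsprintf conversion in the base kernel, so its implementation (and the `__INCLUDED_BY_HIDESYM` contract with kallsyms.h set up at the top of this file) must live in another hunk; a comment here, e.g. `/* %pA: symbol printing that honours CONFIG_GRKERNSEC_HIDESYM, see the vsprintf change */`, would tie the pieces together.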
11015 @@ -200,7 +203,7 @@ void dump_stack(void)
11016 unsigned long stack;
11018 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
11019 - current->pid, current->comm, current->xid, print_tainted(),
11020 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
11021 init_utsname()->release,
11022 (int)strcspn(init_utsname()->version, " "),
11023 init_utsname()->version);
11024 @@ -257,7 +260,7 @@ void __kprobes oops_end(unsigned long fl
11025 panic("Fatal exception in interrupt");
11027 panic("Fatal exception");
11029 + do_group_exit(signr);
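Review bot: `do_group_exit(signr)` ends the whole thread group of the task that oopsed, whereas the base code (the removed line is not shown, but this is where do_exit() normally sits) terminated only the faulting thread; that is a defensible hardening choice — a sibling thread sharing an address space the oops may have corrupted is not a safe survivor — but it is a visible behaviour change for multithreaded processes and deserves a comment such as `/* kill the whole thread group: siblings share the state the oops may have corrupted */`. oops_end() starts outside the hunk.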
11032 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
11033 @@ -284,7 +287,7 @@ int __kprobes __die(const char *str, str
11035 show_registers(regs);
11036 #ifdef CONFIG_X86_32
11037 - if (user_mode_vm(regs)) {
11038 + if (user_mode(regs)) {
11040 ss = regs->ss & 0xffff;
11042 @@ -312,7 +315,7 @@ void die(const char *str, struct pt_regs
11043 unsigned long flags = oops_begin();
11046 - if (!user_mode_vm(regs))
11047 + if (!user_mode(regs))
11048 report_bug(regs->ip, regs);
11050 if (__die(str, regs, err))
11051 diff -urNp linux-2.6.38.1/arch/x86/kernel/entry_32.S linux-2.6.38.1-new/arch/x86/kernel/entry_32.S
11052 --- linux-2.6.38.1/arch/x86/kernel/entry_32.S 2011-03-14 21:20:32.000000000 -0400
11053 +++ linux-2.6.38.1-new/arch/x86/kernel/entry_32.S 2011-03-21 18:31:35.000000000 -0400
11054 @@ -183,13 +183,81 @@
11055 /*CFI_REL_OFFSET gs, PT_GS*/
11057 .macro SET_KERNEL_GS reg
11059 +#ifdef CONFIG_CC_STACKPROTECTOR
11060 movl $(__KERNEL_STACK_CANARY), \reg
11061 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
11062 + movl $(__USER_DS), \reg
11070 #endif /* CONFIG_X86_32_LAZY_GS */
11073 +.macro PAX_EXIT_KERNEL
11074 +#ifdef CONFIG_PAX_KERNEXEC
11075 +#ifdef CONFIG_PARAVIRT
11076 + push %eax; push %ecx
11079 + cmp $__KERNEXEC_KERNEL_CS, %esi
11081 +#ifdef CONFIG_PARAVIRT
11082 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11088 + ljmp $__KERNEL_CS, $1f
11090 +#ifdef CONFIG_PARAVIRT
11092 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11097 +#ifdef CONFIG_PARAVIRT
11098 + pop %ecx; pop %eax
11103 +.macro PAX_ENTER_KERNEL
11104 +#ifdef CONFIG_PAX_KERNEXEC
11105 +#ifdef CONFIG_PARAVIRT
11106 + push %eax; push %ecx
11107 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11115 + cmp $__KERNEL_CS, %esi
11117 + ljmp $__KERNEL_CS, $3f
11118 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11120 +#ifdef CONFIG_PARAVIRT
11122 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11127 +#ifdef CONFIG_PARAVIRT
11128 + pop %ecx; pop %eax
11133 +.macro __SAVE_ALL _DS
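Review bot: `call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);` in PAX_EXIT_KERNEL carries a stray trailing `;` that its twin in PAX_ENTER_KERNEL does not, and the same inconsistency recurs in entry_64.S (`PV_RESTORE_REGS(CLBR_RDI);` in pax_exit_kernel versus none in pax_enter_kernel); harmless to gas, but it reads as a typo and one form should be used throughout. Neither macro has a header comment; from the `ljmp` between `__KERNEL_CS` and `__KERNEXEC_KERNEL_CS` around the cr0 read/write they appear to switch code segment and CR0 together on kernel entry and exit, and a two-line comment stating that, plus which registers the non-PARAVIRT path clobbers (%esi is used without a visible save), would make them reviewable. Many of the macro lines are not shown in this view.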
11137 @@ -212,7 +280,7 @@
11138 CFI_REL_OFFSET ecx, 0
11140 CFI_REL_OFFSET ebx, 0
11141 - movl $(__USER_DS), %edx
11145 movl $(__KERNEL_PERCPU), %edx
11146 @@ -220,6 +288,15 @@
11151 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11152 + __SAVE_ALL __KERNEL_DS
11155 + __SAVE_ALL __USER_DS
11159 .macro RESTORE_INT_REGS
11162 @@ -330,7 +407,15 @@ check_userspace:
11163 movb PT_CS(%esp), %al
11164 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11165 cmpl $USER_RPL, %eax
11167 +#ifdef CONFIG_PAX_KERNEXEC
11168 + jae resume_userspace
11171 + jmp resume_kernel
11173 jb resume_kernel # not returning to v8086 or userspace
11176 ENTRY(resume_userspace)
11178 @@ -392,10 +477,9 @@ sysenter_past_esp:
11179 /*CFI_REL_OFFSET cs, 0*/
11181 * Push current_thread_info()->sysenter_return to the stack.
11182 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11183 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11185 - pushl_cfi ((TI_sysenter_return)-THREAD_SIZE_asm+8+4*4)(%esp)
11186 + GET_THREAD_INFO(%ebp)
11187 + pushl_cfi TI_sysenter_return(%ebp)
11188 CFI_REL_OFFSET eip, 0
11191 @@ -406,9 +490,19 @@ sysenter_past_esp:
11192 * Load the potential sixth argument from user stack.
11193 * Careful about security.
11195 + movl PT_OLDESP(%esp),%ebp
11197 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11198 + mov PT_OLDSS(%esp),%ds
11199 +1: movl %ds:(%ebp),%ebp
11203 cmpl $__PAGE_OFFSET-3,%ebp
11205 1: movl (%ebp),%ebp
11208 movl %ebp,PT_EBP(%esp)
11209 .section __ex_table,"a"
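Review bot: `movl PT_OLDESP(%esp),%ebp` is needed because the previous hunk replaced the pushl offset arithmetic with `GET_THREAD_INFO(%ebp)`, which clobbers the user stack pointer that %ebp carried into sysenter_past_esp; the original comment explaining the %ebp convention was removed with the old arithmetic and nothing replaced it. Add `# %ebp was clobbered by GET_THREAD_INFO above; reload the user esp for the sixth-argument fetch` next to the reload. The UDEREF variant, which loads `%ds` from PT_OLDSS and fetches through `%ds:(%ebp)`, is worth a comment of its own since it is the only place in the path that touches a user data selector directly.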
11211 @@ -431,12 +525,23 @@ sysenter_do_call:
11212 testl $_TIF_ALLWORK_MASK, %ecx
11216 +#ifdef CONFIG_PAX_RANDKSTACK
11218 + CFI_ADJUST_CFA_OFFSET 4
11219 + call pax_randomize_kstack
11221 + CFI_ADJUST_CFA_OFFSET -4
11224 /* if something modifies registers it must also disable sysexit */
11225 movl PT_EIP(%esp), %edx
11226 movl PT_OLDESP(%esp), %ecx
11229 1: mov PT_FS(%esp), %fs
11230 +2: mov PT_DS(%esp), %ds
11231 +3: mov PT_ES(%esp), %es
11233 ENABLE_INTERRUPTS_SYSEXIT
11235 @@ -479,11 +584,17 @@ sysexit_audit:
11238 .pushsection .fixup,"ax"
11239 -2: movl $0,PT_FS(%esp)
11240 +4: movl $0,PT_FS(%esp)
11242 +5: movl $0,PT_DS(%esp)
11244 +6: movl $0,PT_ES(%esp)
11246 .section __ex_table,"a"
11254 ENDPROC(ia32_sysenter_target)
11255 @@ -516,6 +627,10 @@ syscall_exit:
11256 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11257 jne syscall_exit_work
11259 +#ifdef CONFIG_PAX_RANDKSTACK
11260 + call pax_randomize_kstack
11265 restore_all_notrace:
11266 @@ -575,14 +690,21 @@ ldt_ss:
11267 * compensating for the offset by changing to the ESPFIX segment with
11268 * a base address that matches for the difference.
11270 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11271 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11272 mov %esp, %edx /* load kernel esp */
11273 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11274 mov %dx, %ax /* eax: new kernel esp */
11275 sub %eax, %edx /* offset (low word is 0) */
11277 + movl PER_CPU_VAR(cpu_number), %ebx
11278 + shll $PAGE_SHIFT_asm, %ebx
11279 + addl $cpu_gdt_table, %ebx
11281 + movl $cpu_gdt_table, %ebx
11284 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11285 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11286 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11287 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11288 pushl_cfi $__ESPFIX_SS
11289 pushl_cfi %eax /* new kernel esp */
11290 /* Disable interrupts, but do not irqtrace this section: we
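Review bot: `GDT_ESPFIX_SS` now expands to `(GDT_ENTRY_ESPFIX_SS * 8)(%ebx)`, which is why the byte offsets moved in front of the macro (`4 + GDT_ESPFIX_SS`); that is easy to get wrong in a later edit, so the define should say so, e.g. `# expands to disp(%ebx): extra offsets go in front (4 + GDT_ESPFIX_SS); %ebx = this CPU's GDT`. The %ebx setup (per-cpu GDT via cpu_number on SMP, `$cpu_gdt_table` otherwise) is duplicated verbatim in FIXUP_ESPFIX_STACK below; a small helper macro would keep the two in step. %ebx appears to be restored by the later RESTORE_REGS on both paths, but a comment confirming that at the first clobber would help.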
11291 @@ -617,23 +739,17 @@ work_resched:
11293 work_notifysig: # deal with pending signals and
11294 # notify-resume requests
11297 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11299 - jne work_notifysig_v86 # returning to kernel-space or
11300 + jz 1f # returning to kernel-space or
11303 - call do_notify_resume
11304 - jmp resume_userspace_sig
11307 -work_notifysig_v86:
11308 pushl_cfi %ecx # save ti_flags for do_notify_resume
11309 call save_v86_state # %eax contains pt_regs pointer
11317 call do_notify_resume
11318 @@ -668,6 +784,10 @@ END(syscall_exit_work)
11320 RING0_INT_FRAME # can't unwind into user space anyway
11322 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11326 GET_THREAD_INFO(%ebp)
11327 movl $-EFAULT,PT_EAX(%esp)
11328 jmp resume_userspace
11329 @@ -750,6 +870,36 @@ ptregs_clone:
11331 ENDPROC(ptregs_clone)
11334 +ENTRY(kernel_execve)
11337 + sub $PT_OLDSS+4,%esp
11341 + lea 3*4(%esp),%edi
11342 + mov $PT_OLDSS/4+1,%ecx
11348 + movl $X86_EFLAGS_IF,PT_EFLAGS(%esp)
11352 + CFI_ADJUST_CFA_OFFSET -4
11353 + GET_THREAD_INFO(%ebp)
11356 + add $PT_OLDSS+4,%esp
11357 + CFI_ADJUST_CFA_OFFSET -PT_OLDSS-4
11361 +ENDPROC(kernel_execve)
11363 .macro FIXUP_ESPFIX_STACK
11365 * Switch back for ESPFIX stack to the normal zerobased stack
11366 @@ -759,8 +909,15 @@ ENDPROC(ptregs_clone)
11367 * normal stack and adjusts ESP with the matching offset.
11369 /* fixup the stack */
11370 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11371 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11373 + movl PER_CPU_VAR(cpu_number), %ebx
11374 + shll $PAGE_SHIFT_asm, %ebx
11375 + addl $cpu_gdt_table, %ebx
11377 + movl $cpu_gdt_table, %ebx
11379 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11380 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11382 addl %esp, %eax /* the adjusted stack pointer */
11383 pushl_cfi $__KERNEL_DS
11384 @@ -1211,7 +1368,6 @@ return_to_handler:
11388 -.section .rodata,"a"
11389 #include "syscall_table_32.S"
11391 syscall_table_size=(.-sys_call_table)
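Review bot: Removing `.section .rodata,"a"` in front of `#include "syscall_table_32.S"` changes which section sys_call_table lands in, and the hunk does not show a replacement directive; unless syscall_table_32.S now selects its own section, the table is emitted into whatever section is current at that point in entry_32.S (the surrounding text section, presumably), turning a critical dispatch table into executable data rather than read-only data. Please confirm the new placement and note it at the include, e.g. `# sys_call_table's section is selected inside syscall_table_32.S`.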
11392 @@ -1257,9 +1413,12 @@ error_code:
11393 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11396 - movl $(__USER_DS), %ecx
11397 + movl $(__KERNEL_DS), %ecx
11404 movl %esp,%eax # pt_regs pointer
11406 @@ -1344,6 +1503,9 @@ nmi_stack_correct:
11407 xorl %edx,%edx # zero error code
11408 movl %esp,%eax # pt_regs pointer
11413 jmp restore_all_notrace
11416 @@ -1380,6 +1542,9 @@ nmi_espfix_stack:
11417 FIXUP_ESPFIX_STACK # %eax == %esp
11418 xorl %edx,%edx # zero error code
11424 lss 12+4(%esp), %esp # back to espfix stack
11425 CFI_ADJUST_CFA_OFFSET -24
11426 diff -urNp linux-2.6.38.1/arch/x86/kernel/entry_64.S linux-2.6.38.1-new/arch/x86/kernel/entry_64.S
11427 --- linux-2.6.38.1/arch/x86/kernel/entry_64.S 2011-03-23 17:20:06.000000000 -0400
11428 +++ linux-2.6.38.1-new/arch/x86/kernel/entry_64.S 2011-03-23 17:21:49.000000000 -0400
11430 #include <asm/paravirt.h>
11431 #include <asm/ftrace.h>
11432 #include <asm/percpu.h>
11433 +#include <asm/pgtable.h>
11435 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11436 #include <linux/elf-em.h>
11437 @@ -174,6 +175,201 @@ ENTRY(native_usergs_sysret64)
11438 ENDPROC(native_usergs_sysret64)
11439 #endif /* CONFIG_PARAVIRT */
11441 + .macro ljmpq sel, off
11442 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11443 + .byte 0x48; ljmp *1234f(%rip)
11444 + .pushsection .rodata
11446 + 1234: .quad \off; .word \sel
11455 + .macro pax_enter_kernel
11456 +#ifdef CONFIG_PAX_KERNEXEC
11457 + call pax_enter_kernel
11461 + .macro pax_exit_kernel
11462 +#ifdef CONFIG_PAX_KERNEXEC
11463 + call pax_exit_kernel
11467 +#ifdef CONFIG_PAX_KERNEXEC
11468 +ENTRY(pax_enter_kernel)
11471 +#ifdef CONFIG_PARAVIRT
11472 + PV_SAVE_REGS(CLBR_RDI)
11479 + cmp $__KERNEL_CS,%edi
11481 + ljmpq __KERNEL_CS,3f
11482 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11483 +2: SET_RDI_INTO_CR0
11486 +#ifdef CONFIG_PARAVIRT
11487 + PV_RESTORE_REGS(CLBR_RDI)
11492 +ENDPROC(pax_enter_kernel)
11494 +ENTRY(pax_exit_kernel)
11497 +#ifdef CONFIG_PARAVIRT
11498 + PV_SAVE_REGS(CLBR_RDI)
11502 + cmp $__KERNEXEC_KERNEL_CS,%edi
11506 + ljmpq __KERNEL_CS,1f
11507 +1: SET_RDI_INTO_CR0
11510 +#ifdef CONFIG_PARAVIRT
11511 + PV_RESTORE_REGS(CLBR_RDI);
11516 +ENDPROC(pax_exit_kernel)
11519 + .macro pax_enter_kernel_user
11520 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11521 + call pax_enter_kernel_user
11525 + .macro pax_exit_kernel_user
11526 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11527 + call pax_exit_kernel_user
11531 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11532 +ENTRY(pax_enter_kernel_user)
11536 +#ifdef CONFIG_PARAVIRT
11537 + PV_SAVE_REGS(CLBR_RDI)
11542 + add $__START_KERNEL_map,%rbx
11543 + sub phys_base(%rip),%rbx
11545 +#ifdef CONFIG_PARAVIRT
11547 + cmpl $0, pv_info+PARAVIRT_enabled
11550 + .rept USER_PGD_PTRS
11551 + mov i*8(%rbx),%rsi
11553 + lea i*8(%rbx),%rdi
11554 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11562 + .rept USER_PGD_PTRS
11563 + movb $0,i*8(%rbx)
11567 +#ifdef CONFIG_PARAVIRT
11572 +#ifdef CONFIG_PAX_KERNEXEC
11578 +#ifdef CONFIG_PARAVIRT
11579 + PV_RESTORE_REGS(CLBR_RDI)
11585 +ENDPROC(pax_enter_kernel_user)
11587 +ENTRY(pax_exit_kernel_user)
11590 +#ifdef CONFIG_PARAVIRT
11592 + PV_SAVE_REGS(CLBR_RDI)
11595 +#ifdef CONFIG_PAX_KERNEXEC
11602 + add $__START_KERNEL_map,%rdi
11603 + sub phys_base(%rip),%rdi
11605 +#ifdef CONFIG_PARAVIRT
11606 + cmpl $0, pv_info+PARAVIRT_enabled
11610 + .rept USER_PGD_PTRS
11611 + mov i*8(%rbx),%rsi
11613 + lea i*8(%rbx),%rdi
11614 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11622 + .rept USER_PGD_PTRS
11623 + movb $0x67,i*8(%rdi)
11627 +#ifdef CONFIG_PARAVIRT
11628 +2: PV_RESTORE_REGS(CLBR_RDI)
11634 +ENDPROC(pax_exit_kernel_user)
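Review bot: `movb $0x67,i*8(%rdi)` in pax_exit_kernel_user and `movb $0,i*8(%rbx)` in pax_enter_kernel_user write only the low byte of each user PGD entry, and 0x67 is a magic number; since asm/pgtable.h is now included at the top of the file, the value can be spelled as the _PAGE_* flags it encodes (present|rw|user|accessed|dirty is what 0x67 decodes to) and the low-byte trick should be explained — clearing bit 0 is enough to make the entry not-present, and the single byte write restores the same flag bits on exit. `.byte 0x48; ljmp *1234f(%rip)` in the ljmpq macro also needs a comment saying the REX.W prefix is emitted by hand to obtain the 64-bit far-jump operand form. Large parts of these routines are not shown, including the `i` counter lines for the `.rept` loops, so I cannot check the loop bounds.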
11637 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11638 #ifdef CONFIG_TRACE_IRQFLAGS
11639 @@ -316,7 +512,7 @@ ENTRY(save_args)
11640 leaq -RBP+8(%rsp),%rdi /* arg1 for handler */
11641 movq_cfi rbp, 8 /* push %rbp */
11642 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11643 - testl $3, CS(%rdi)
11644 + testb $3, CS(%rdi)
11648 @@ -407,7 +603,7 @@ ENTRY(ret_from_fork)
11652 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11653 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11654 je int_ret_from_sys_call
11656 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11657 @@ -466,6 +662,7 @@ ENTRY(system_call_after_swapgs)
11659 movq %rsp,PER_CPU_VAR(old_rsp)
11660 movq PER_CPU_VAR(kernel_stack),%rsp
11661 + pax_enter_kernel_user
11663 * No need to follow this irqs off/on section - it's straight
11665 @@ -500,6 +697,7 @@ sysret_check:
11669 + pax_exit_kernel_user
11671 * sysretq will re-enable interrupts:
11673 @@ -609,7 +807,7 @@ tracesys:
11674 GLOBAL(int_ret_from_sys_call)
11675 DISABLE_INTERRUPTS(CLBR_NONE)
11677 - testl $3,CS-ARGOFFSET(%rsp)
11678 + testb $3,CS-ARGOFFSET(%rsp)
11679 je retint_restore_args
11680 movl $_TIF_ALLWORK_MASK,%edi
11681 /* edi: mask to check */
11682 @@ -791,6 +989,16 @@ END(interrupt)
11683 CFI_ADJUST_CFA_OFFSET ORIG_RAX-RBP
11686 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11687 + testb $3, CS(%rdi)
11691 +1: pax_enter_kernel_user
11699 @@ -823,7 +1031,7 @@ ret_from_intr:
11700 CFI_ADJUST_CFA_OFFSET -8
11702 GET_THREAD_INFO(%rcx)
11703 - testl $3,CS-ARGOFFSET(%rsp)
11704 + testb $3,CS-ARGOFFSET(%rsp)
11707 /* Interrupt came from user space */
11708 @@ -845,12 +1053,14 @@ retint_swapgs: /* return to user-space
11709 * The iretq could re-enable interrupts:
11711 DISABLE_INTERRUPTS(CLBR_ANY)
11712 + pax_exit_kernel_user
11717 retint_restore_args: /* return to kernel space */
11718 DISABLE_INTERRUPTS(CLBR_ANY)
11721 * The iretq could re-enable interrupts:
11723 @@ -1022,6 +1232,16 @@ ENTRY(\sym)
11724 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11727 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11728 + testb $3, CS(%rsp)
11732 +1: pax_enter_kernel_user
11737 movq %rsp,%rdi /* pt_regs pointer */
11738 xorl %esi,%esi /* no error code */
11740 @@ -1039,6 +1259,16 @@ ENTRY(\sym)
11741 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11744 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11745 + testb $3, CS(%rsp)
11749 +1: pax_enter_kernel_user
11754 movq %rsp,%rdi /* pt_regs pointer */
11755 xorl %esi,%esi /* no error code */
11757 @@ -1047,7 +1277,7 @@ ENTRY(\sym)
11761 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
11762 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
11763 .macro paranoidzeroentry_ist sym do_sym ist
11766 @@ -1057,8 +1287,24 @@ ENTRY(\sym)
11767 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11770 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11771 + testb $3, CS(%rsp)
11775 +1: pax_enter_kernel_user
11780 movq %rsp,%rdi /* pt_regs pointer */
11781 xorl %esi,%esi /* no error code */
11783 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11784 + lea init_tss(%r12), %r12
11786 + lea init_tss(%rip), %r12
11788 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
11790 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
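Review bot: `INIT_TSS_IST(x)` now dereferences `%r12`, which `lea init_tss(%r12), %r12` / `lea init_tss(%rip), %r12` set up before `call \do_sym` and which the `addq` afterwards relies on still being intact; that works only because %r12 is callee-saved in the ABI and because the paranoid entry path has already stored the caller's %r12 in pt_regs, neither of which the macro states. Put both facts in a comment above the first use, e.g. `# %r12 = this CPU's TSS; callee-saved, so valid across the call, and restored from pt_regs on exit`. The `.macro paranoidzeroentry_ist` body is only partly visible here.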
11791 @@ -1075,6 +1321,16 @@ ENTRY(\sym)
11792 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11795 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11796 + testb $3, CS(%rsp)
11800 +1: pax_enter_kernel_user
11805 movq %rsp,%rdi /* pt_regs pointer */
11806 movq ORIG_RAX(%rsp),%rsi /* get error code */
11807 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11808 @@ -1094,6 +1350,16 @@ ENTRY(\sym)
11812 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11813 + testb $3, CS(%rsp)
11817 +1: pax_enter_kernel_user
11822 movq %rsp,%rdi /* pt_regs pointer */
11823 movq ORIG_RAX(%rsp),%rsi /* get error code */
11824 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11825 @@ -1356,14 +1622,27 @@ ENTRY(paranoid_exit)
11827 testl %ebx,%ebx /* swapgs needed? */
11828 jnz paranoid_restore
11829 - testl $3,CS(%rsp)
11830 + testb $3,CS(%rsp)
11831 jnz paranoid_userspace
11832 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11834 + TRACE_IRQS_IRETQ 0
11835 + SWAPGS_UNSAFE_STACK
11840 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11841 + pax_exit_kernel_user
11846 SWAPGS_UNSAFE_STACK
11854 @@ -1421,7 +1700,7 @@ ENTRY(error_entry)
11855 movq_cfi r14, R14+8
11856 movq_cfi r15, R15+8
11858 - testl $3,CS+8(%rsp)
11859 + testb $3,CS+8(%rsp)
11860 je error_kernelspace
11863 @@ -1485,6 +1764,16 @@ ENTRY(nmi)
11864 CFI_ADJUST_CFA_OFFSET ORIG_RAX-R15
11867 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11868 + testb $3, CS(%rsp)
11872 +1: pax_enter_kernel_user
11877 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11880 @@ -1495,11 +1784,25 @@ ENTRY(nmi)
11881 DISABLE_INTERRUPTS(CLBR_NONE)
11882 testl %ebx,%ebx /* swapgs needed? */
11884 - testl $3,CS(%rsp)
11885 + testb $3,CS(%rsp)
11887 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11889 + SWAPGS_UNSAFE_STACK
11894 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11895 + pax_exit_kernel_user
11899 SWAPGS_UNSAFE_STACK
11907 diff -urNp linux-2.6.38.1/arch/x86/kernel/ftrace.c linux-2.6.38.1-new/arch/x86/kernel/ftrace.c
11908 --- linux-2.6.38.1/arch/x86/kernel/ftrace.c 2011-03-14 21:20:32.000000000 -0400
11909 +++ linux-2.6.38.1-new/arch/x86/kernel/ftrace.c 2011-03-21 18:31:35.000000000 -0400
11910 @@ -177,7 +177,9 @@ void ftrace_nmi_enter(void)
11912 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11914 + pax_open_kernel();
11916 + pax_close_kernel();
11917 atomic_inc(&nmi_update_count);
11919 /* Must have previous changes seen before executions */
11920 @@ -271,6 +273,8 @@ ftrace_modify_code(unsigned long ip, uns
11922 unsigned char replaced[MCOUNT_INSN_SIZE];
11924 + ip = ktla_ktva(ip);
11927 * Note: Due to modules and __init, code can
11928 * disappear and change, we need to protect against faulting
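Review bot: `ip = ktla_ktva(ip);` is inserted at the top of ftrace_modify_code without a word on what the translation is, and the same call is repeated in ftrace_mod_jmp and (in cast form) in ftrace_update_ftrace_func below; a reader of this file has no way to know that these addresses must be converted before the code is read or patched. At the first use add `/* ftrace works on linear text addresses; convert to the virtual alias the patcher reads/writes through */` (adjusted to what ktla_ktva actually does, which is not visible here). ftrace_modify_code() continues outside the hunk.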
11929 @@ -327,7 +331,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11930 unsigned char old[MCOUNT_INSN_SIZE], *new;
11933 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11934 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11935 new = ftrace_call_replace(ip, (unsigned long)func);
11936 ret = ftrace_modify_code(ip, old, new);
11938 @@ -353,6 +357,8 @@ static int ftrace_mod_jmp(unsigned long
11940 unsigned char code[MCOUNT_INSN_SIZE];
11942 + ip = ktla_ktva(ip);
11944 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11947 diff -urNp linux-2.6.38.1/arch/x86/kernel/head32.c linux-2.6.38.1-new/arch/x86/kernel/head32.c
11948 --- linux-2.6.38.1/arch/x86/kernel/head32.c 2011-03-14 21:20:32.000000000 -0400
11949 +++ linux-2.6.38.1-new/arch/x86/kernel/head32.c 2011-03-21 18:31:35.000000000 -0400
11951 #include <asm/io_apic.h>
11952 #include <asm/bios_ebda.h>
11953 #include <asm/tlbflush.h>
11954 +#include <asm/boot.h>
11956 static void __init i386_default_early_setup(void)
11958 @@ -43,7 +44,7 @@ void __init i386_start_kernel(void)
11959 memblock_x86_reserve_range(PAGE_SIZE, PAGE_SIZE + PAGE_SIZE, "EX TRAMPOLINE");
11962 - memblock_x86_reserve_range(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11963 + memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11965 #ifdef CONFIG_BLK_DEV_INITRD
11966 /* Reserve INITRD */
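Review bot: `memblock_x86_reserve_range(LOAD_PHYSICAL_ADDR, ...)` reserves from the configured load address instead of the address _text actually occupies; with CONFIG_RELOCATABLE on 32-bit the image can be placed elsewhere at boot, and then the reservation would cover the wrong range while the real text sits in memory considered free. If the patch pins the kernel to LOAD_PHYSICAL_ADDR, or the reservation intentionally starts below _text because of the new leading .text page in head_32.S, say which in a comment at the call, e.g. `/* start at LOAD_PHYSICAL_ADDR rather than _text: <reason> */`. i386_start_kernel() continues outside the hunk.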
11967 diff -urNp linux-2.6.38.1/arch/x86/kernel/head_32.S linux-2.6.38.1-new/arch/x86/kernel/head_32.S
11968 --- linux-2.6.38.1/arch/x86/kernel/head_32.S 2011-03-14 21:20:32.000000000 -0400
11969 +++ linux-2.6.38.1-new/arch/x86/kernel/head_32.S 2011-03-21 18:31:35.000000000 -0400
11971 /* Physical address */
11972 #define pa(X) ((X) - __PAGE_OFFSET)
11974 +#ifdef CONFIG_PAX_KERNEXEC
11977 +#define ta(X) ((X) - __PAGE_OFFSET)
11981 * References to members of the new_cpu_data structure.
11984 * and small than max_low_pfn, otherwise will waste some page table entries
11987 -#if PTRS_PER_PMD > 1
11988 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
11990 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
11992 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
11994 /* Number of possible pages in the lowmem region */
11995 LOWMEM_PAGES = (((1<<32) - __PAGE_OFFSET) >> PAGE_SHIFT)
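Review bot: The unified `PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)` drops the `+ PTRS_PER_PGD` term the PAE branch used to add, so INIT_MAP_SIZE no longer reserves pages for the PMD level under PAE; that is correct only if those PMD pages are provided statically (initial_pg_pmd, referenced in the later hunks on this page) and the brk area is never asked to supply them. A comment on the define recording that assumption, e.g. `# PAE: PMDs are static (initial_pg_pmd); only PTE pages come from brk`, would make the arithmetic checkable. The `ta()` macro added under CONFIG_PAX_KERNEXEC above has no comment distinguishing it from `pa()`, and its KERNEXEC body is not shown here.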
11996 @@ -77,6 +79,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
11997 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12000 + * Real beginning of normal "text" segment
12006 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12007 * %esi points to the real-mode code as a 32-bit pointer.
12008 * CS and DS must be 4 GB flat segments, but we don't depend on
12009 @@ -84,6 +92,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12014 +#ifdef CONFIG_PAX_KERNEXEC
12016 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12017 +.fill PAGE_SIZE-5,1,0xcc
12021 movl pa(stack_start),%ecx
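Review bot: `.fill PAGE_SIZE-5,1,0xcc` leaves exactly five bytes of the page for something the hunk does not show (a five-byte `jmp` past the trap page, I assume), and the comment above explains the int3 fill but not the 5. Extend it, e.g. `/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode; the 5 bytes left over hold the jmp to the real entry */`, adjusted to whatever actually occupies them.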
12023 @@ -105,6 +120,57 @@ ENTRY(startup_32)
12025 leal -__PAGE_OFFSET(%ecx),%esp
12028 + movl $pa(cpu_gdt_table),%edi
12029 + movl $__per_cpu_load,%eax
12030 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12032 + movb %al,__KERNEL_PERCPU + 4(%edi)
12033 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12034 + movl $__per_cpu_end - 1,%eax
12035 + subl $__per_cpu_start,%eax
12036 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12039 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12040 + movl $NR_CPUS,%ecx
12041 + movl $pa(cpu_gdt_table),%edi
12043 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12044 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0fb00),GDT_ENTRY_DEFAULT_USER_CS * 8 + 4(%edi)
12045 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c0f300),GDT_ENTRY_DEFAULT_USER_DS * 8 + 4(%edi)
12046 + addl $PAGE_SIZE_asm,%edi
12050 +#ifdef CONFIG_PAX_KERNEXEC
12051 + movl $pa(boot_gdt),%edi
12052 + movl $__LOAD_PHYSICAL_ADDR,%eax
12053 + movw %ax,__BOOT_CS + 2(%edi)
12055 + movb %al,__BOOT_CS + 4(%edi)
12056 + movb %ah,__BOOT_CS + 7(%edi)
12059 + ljmp $(__BOOT_CS),$1f
12062 + movl $NR_CPUS,%ecx
12063 + movl $pa(cpu_gdt_table),%edi
12064 + addl $__PAGE_OFFSET,%eax
12066 + movw %ax,__KERNEL_CS + 2(%edi)
12067 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12069 + movb %al,__KERNEL_CS + 4(%edi)
12070 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12071 + movb %ah,__KERNEL_CS + 7(%edi)
12072 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12074 + addl $PAGE_SIZE_asm,%edi
12079 * Clear BSS first so that there are no surprises...
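Review bot: The three UDEREF descriptor words starting at `movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)` are undocumented bit patterns, yet they are the kernel/user segment split that this option relies on. As I read the descriptor encoding, the shift places bits 28-31 of `__PAGE_OFFSET-1` into limit[19:16], 0xc0 sets G and D/B, and 0x97/0xfb/0xf3 are the access bytes (expand-down writable data at DPL 0, readable code at DPL 3, writable data at DPL 3), so the kernel DS covers only addresses at or above `__PAGE_OFFSET` and the user CS/DS only addresses below it; please confirm and put that decoding in a comment above the block, together with the assumption that limit[15:0] in the low dword is already 0xffff. Named `#define`s for the access bytes and the limit nibble would be clearer than three near-identical literals. The `NR_CPUS` loop instructions and the `#endif` lines are not in the hunk.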
12081 @@ -195,8 +261,11 @@ ENTRY(startup_32)
12082 movl %eax, pa(max_pfn_mapped)
12084 /* Do early initialization of the fixmap area */
12085 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12086 - movl %eax,pa(initial_pg_pmd+0x1000*KPMDS-8)
12087 +#ifdef CONFIG_COMPAT_VDSO
12088 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_pg_pmd+0x1000*KPMDS-8)
12090 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_pg_pmd+0x1000*KPMDS-8)
12092 #else /* Not PAE */
12094 page_pde_offset = (__PAGE_OFFSET >> 20);
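Review bot: The `#ifdef CONFIG_COMPAT_VDSO` branch adds `_PAGE_USER` to the PDE that covers the entire fixmap page table, not just one page, and nothing says why; the same pattern recurs in the non-PAE hunk at `pa(initial_page_table+0xffc)`. If, as the config name suggests, the reason is the fixed-address vDSO living in the fixmap, a comment such as `/* COMPAT_VDSO: the vDSO is mapped in the fixmap at a fixed address, so the PDE must be user-accessible; the other fixmap slots are then guarded only by their PTE bits */` would record both the reason and the consequence. The `#else`/`#endif` lines closing this block are not in the hunk.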
12095 @@ -226,8 +295,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12096 movl %eax, pa(max_pfn_mapped)
12098 /* Do early initialization of the fixmap area */
12099 - movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,%eax
12100 - movl %eax,pa(initial_page_table+0xffc)
12101 +#ifdef CONFIG_COMPAT_VDSO
12102 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(initial_page_table+0xffc)
12104 + movl $pa(initial_pg_fixmap)+PDE_IDENT_ATTR,pa(initial_page_table+0xffc)
12108 #ifdef CONFIG_PARAVIRT
12109 @@ -241,9 +313,7 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12110 cmpl $num_subarch_entries, %eax
12113 - movl pa(subarch_entries)(,%eax,4), %eax
12114 - subl $__PAGE_OFFSET, %eax
12116 + jmp *pa(subarch_entries)(,%eax,4)
12120 @@ -255,10 +325,10 @@ WEAK(xen_entry)
12124 - .long default_entry /* normal x86/PC */
12125 - .long lguest_entry /* lguest hypervisor */
12126 - .long xen_entry /* Xen hypervisor */
12127 - .long default_entry /* Moorestown MID */
12128 + .long pa(default_entry) /* normal x86/PC */
12129 + .long pa(lguest_entry) /* lguest hypervisor */
12130 + .long pa(xen_entry) /* Xen hypervisor */
12131 + .long pa(default_entry) /* Moorestown MID */
12132 num_subarch_entries = (. - subarch_entries) / 4
12135 @@ -312,6 +382,7 @@ default_entry:
12139 +#ifdef CONFIG_X86_PAE
12140 testb $X86_CR4_PAE, %al # check if PAE is enabled
12143 @@ -340,6 +411,9 @@ default_entry:
12144 /* Make changes effective */
12147 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12153 @@ -443,7 +517,7 @@ is386: movl $2,%ecx # set MP
12154 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12155 movl %eax,%ss # after changing gdt.
12157 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12158 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
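Review bot: `# movl $(__KERNEL_DS),%eax` is commented-out code standing in for an explanation: DS/ES now get loaded from whatever %eax holds after the `1: movl $(__KERNEL_DS),%eax` line, which is the kernel data segment, but the reader has to work that out and a later insertion between the two lines would silently change it. Replace the commented-out instruction with a real comment, e.g. `# DS/ES deliberately get __KERNEL_DS (still in %eax from above), not __USER_DS`. The segment-register loads that consume %eax are not in the hunk.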
12162 @@ -457,15 +531,22 @@ is386: movl $2,%ecx # set MP
12166 - movl $gdt_page,%eax
12167 + movl $cpu_gdt_table,%eax
12168 movl $stack_canary,%ecx
12170 + addl $__per_cpu_load,%ecx
12172 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12174 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12175 movb %ch, 8 * GDT_ENTRY_STACK_CANARY + 7(%eax)
12178 movl $(__KERNEL_STACK_CANARY),%eax
12179 +#elif defined(CONFIG_PAX_MEMORY_UDEREF)
12180 + movl $(__USER_DS),%eax
12186 xorl %eax,%eax # Clear LDT
12187 @@ -558,22 +639,22 @@ early_page_fault:
12192 #ifdef CONFIG_PRINTK
12193 + cmpl $1,%ss:early_recursion_flag
12195 + incl %ss:early_recursion_flag
12198 movl $(__KERNEL_DS),%eax
12201 - cmpl $2,early_recursion_flag
12203 - incl early_recursion_flag
12206 pushl %edx /* trapno */
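Review bot: The recursion guard in `early_page_fault` now reads `early_recursion_flag` through an explicit `%ss:` override before the segment reload and trips at `$1`, while the `ignore_int` hunk below keeps `$2`; neither the override nor the differing threshold is explained. If the `%ss:` prefix is needed because %ds cannot be trusted before `movl $(__KERNEL_DS),%eax` (plausible with UDEREF's restricted kernel DS, but I am inferring this), say so in a one-line comment on the `cmpl`, and put the reason page faults give up one level earlier than stray interrupts next to the constant. The branch targets of both checks are not in the hunk.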
12215 @@ -581,8 +662,11 @@ hlt_loop:
12216 /* This is the default interrupt "handler" :-) */
12220 #ifdef CONFIG_PRINTK
12221 + cmpl $2,%ss:early_recursion_flag
12223 + incl %ss:early_recursion_flag
12228 @@ -591,9 +675,6 @@ ignore_int:
12229 movl $(__KERNEL_DS),%eax
12232 - cmpl $2,early_recursion_flag
12234 - incl early_recursion_flag
12238 @@ -622,29 +703,43 @@ ENTRY(initial_code)
12242 -__PAGE_ALIGNED_BSS
12243 - .align PAGE_SIZE_asm
12244 #ifdef CONFIG_X86_PAE
12245 +.section .initial_pg_pmd,"a",@progbits
12247 .fill 1024*KPMDS,4,0
12249 +.section .initial_page_table,"a",@progbits
12250 ENTRY(initial_page_table)
12253 +.section .initial_pg_fixmap,"a",@progbits
12256 +.section .empty_zero_page,"a",@progbits
12257 ENTRY(empty_zero_page)
12259 +.section .swapper_pg_dir,"a",@progbits
12260 ENTRY(swapper_pg_dir)
12261 +#ifdef CONFIG_X86_PAE
12268 + * The IDT has to be page-aligned to simplify the Pentium
12269 + * F0 0F bug workaround.. We have a special link segment
12272 +.section .idt,"a",@progbits
12277 * This starts the data section.
12279 #ifdef CONFIG_X86_PAE
12280 -__PAGE_ALIGNED_DATA
12281 - /* Page-aligned for the benefit of paravirt? */
12282 - .align PAGE_SIZE_asm
12283 +.section .initial_page_table,"a",@progbits
12284 ENTRY(initial_page_table)
12285 .long pa(initial_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
12287 @@ -663,13 +758,22 @@ ENTRY(initial_page_table)
12288 # error "Kernel PMDs should be 1, 2 or 3"
12290 .align PAGE_SIZE_asm /* needs to be page-sized too */
12292 +#ifdef CONFIG_PAX_PER_CPU_PGD
12304 - .long init_thread_union+THREAD_SIZE
12305 + .long init_thread_union+THREAD_SIZE-8
12307 +.section .rodata,"a",@progbits
12308 early_recursion_flag:
12311 @@ -707,7 +811,7 @@ fault_msg:
12312 .word 0 # 32 bit align gdt_desc.address
12315 - .long boot_gdt - __PAGE_OFFSET
12316 + .long pa(boot_gdt)
12318 .word 0 # 32-bit align idt_desc.address
12320 @@ -718,7 +822,7 @@ idt_descr:
12321 .word 0 # 32 bit align gdt_desc.address
12322 ENTRY(early_gdt_descr)
12323 .word GDT_ENTRIES*8-1
12324 - .long gdt_page /* Overwritten for secondary CPUs */
12325 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12328 * The boot_gdt must mirror the equivalent in setup.S and is
12329 @@ -727,5 +831,65 @@ ENTRY(early_gdt_descr)
12330 .align L1_CACHE_BYTES
12332 .fill GDT_ENTRY_BOOT_CS,8,0
12333 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12334 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12335 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12336 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12338 + .align PAGE_SIZE_asm
12339 +ENTRY(cpu_gdt_table)
12341 + .quad 0x0000000000000000 /* NULL descriptor */
12342 + .quad 0x0000000000000000 /* 0x0b reserved */
12343 + .quad 0x0000000000000000 /* 0x13 reserved */
12344 + .quad 0x0000000000000000 /* 0x1b reserved */
12346 +#ifdef CONFIG_PAX_KERNEXEC
12347 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12349 + .quad 0x0000000000000000 /* 0x20 unused */
12352 + .quad 0x0000000000000000 /* 0x28 unused */
12353 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12354 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12355 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12356 + .quad 0x0000000000000000 /* 0x4b reserved */
12357 + .quad 0x0000000000000000 /* 0x53 reserved */
12358 + .quad 0x0000000000000000 /* 0x5b reserved */
12360 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12361 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12362 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12363 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12365 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12366 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12369 + * Segments used for calling PnP BIOS have byte granularity.
12370 + * The code segments and data segments have fixed 64k limits,
12371 + * the transfer segment sizes are set at run time.
12373 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12374 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12375 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12376 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12377 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12380 + * The APM segments have byte granularity and their bases
12381 + * are set at run time. All have 64k limits.
12383 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12384 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12385 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12387 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12388 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12389 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12390 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12391 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12392 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12394 + /* Be sure this is zeroed to avoid false validations in Xen */
12395 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
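Review bot: The `boot_gdt` descriptors change from type 0x9a/0x92 to 0x9b/0x93, i.e. the accessed bit is pre-set, and every populated `cpu_gdt_table` entry carries it too, but no comment gives the reason. If the intent is that a GDT which may live in read-only memory must never require the CPU's first-use accessed-bit write, state that once above `boot_gdt`, e.g. `/* accessed bit pre-set in every descriptor: the tables may be read-only, so the CPU must never have to write them */`. The `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` tail also relies on the listed entries adding up to `GDT_SIZE`; an `.if (. - cpu_gdt_table) != GDT_SIZE` / `.error "cpu_gdt_table does not match GDT_SIZE"` / `.endif` check before the fill would catch drift at assembly time.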
12397 diff -urNp linux-2.6.38.1/arch/x86/kernel/head_64.S linux-2.6.38.1-new/arch/x86/kernel/head_64.S
12398 --- linux-2.6.38.1/arch/x86/kernel/head_64.S 2011-03-14 21:20:32.000000000 -0400
12399 +++ linux-2.6.38.1-new/arch/x86/kernel/head_64.S 2011-03-21 18:31:35.000000000 -0400
12401 #include <asm/cache.h>
12402 #include <asm/processor-flags.h>
12403 #include <asm/percpu.h>
12404 +#include <asm/cpufeature.h>
12406 #ifdef CONFIG_PARAVIRT
12407 #include <asm/asm-offsets.h>
12408 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12409 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12410 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12411 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12412 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12413 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12414 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12415 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12419 @@ -85,35 +90,22 @@ startup_64:
12421 addq %rbp, init_level4_pgt + 0(%rip)
12422 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12423 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12424 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12425 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12427 addq %rbp, level3_ident_pgt + 0(%rip)
12428 +#ifndef CONFIG_XEN
12429 + addq %rbp, level3_ident_pgt + 8(%rip)
12432 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12433 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12434 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12436 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12437 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12438 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12440 - /* Add an Identity mapping if I am above 1G */
12441 - leaq _text(%rip), %rdi
12442 - andq $PMD_PAGE_MASK, %rdi
12445 - shrq $PUD_SHIFT, %rax
12446 - andq $(PTRS_PER_PUD - 1), %rax
12447 - jz ident_complete
12449 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12450 - leaq level3_ident_pgt(%rip), %rbx
12451 - movq %rdx, 0(%rbx, %rax, 8)
12454 - shrq $PMD_SHIFT, %rax
12455 - andq $(PTRS_PER_PMD - 1), %rax
12456 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12457 - leaq level2_spare_pgt(%rip), %rbx
12458 - movq %rdx, 0(%rbx, %rax, 8)
12460 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12461 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12464 * Fixup the kernel text+data virtual addresses. Note that
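Review bot: The removed block under `/* Add an Identity mapping if I am above 1G */` covered a kernel loaded outside the statically mapped range, and its replacement in the later `level2_ident_pgt` hunk is a fixed `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)` with no dynamic fallback. That turns 2G into an implicit ceiling on the physical load address, which matters for kexec and relocatable kernels; if that is accepted, record it next to the PMDS line, e.g. `/* no dynamic ident map any more: a kernel loaded above 2G is unsupported */`, and ideally back it with a build-time check against the largest load address the configuration allows. `startup_64` continues outside the hunk.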
12465 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12466 * after the boot processor executes this code.
12469 - /* Enable PAE mode and PGE */
12470 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12471 + /* Enable PAE mode and PSE/PGE */
12472 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12475 /* Setup early boot stage 4 level pagetables. */
12476 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12477 movl $MSR_EFER, %ecx
12479 btsl $_EFER_SCE, %eax /* Enable System Call */
12480 - btl $20,%edi /* No Execute supported? */
12481 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12483 btsl $_EFER_NX, %eax
12484 + leaq init_level4_pgt(%rip), %rdi
12485 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12486 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12487 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12488 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12489 1: wrmsr /* Make changes effective */
12492 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
12496 - .section ".init.text","ax"
12498 #ifdef CONFIG_EARLY_PRINTK
12499 .globl early_idt_handlers
12500 early_idt_handlers:
12501 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
12502 #endif /* EARLY_PRINTK */
12507 #ifdef CONFIG_EARLY_PRINTK
12509 early_recursion_flag:
12513 + .section .rodata,"a",@progbits
12515 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12518 -#endif /* CONFIG_EARLY_PRINTK */
12520 +#endif /* CONFIG_EARLY_PRINTK */
12522 + .section .rodata,"a",@progbits
12523 #define NEXT_PAGE(name) \
12524 .balign PAGE_SIZE; \
12526 @@ -339,7 +341,6 @@ ENTRY(name)
12532 * This default setting generates an ident mapping at address 0x100000
12533 * and a mapping for the kernel that precisely maps virtual address
12534 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
12535 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12536 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12537 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12538 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12539 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12540 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12541 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12542 .org init_level4_pgt + L4_START_KERNEL*8, 0
12543 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12544 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12546 +#ifdef CONFIG_PAX_PER_CPU_PGD
12547 +NEXT_PAGE(cpu_pgd)
12553 NEXT_PAGE(level3_ident_pgt)
12554 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12558 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12562 +NEXT_PAGE(level3_vmalloc_pgt)
12565 +NEXT_PAGE(level3_vmemmap_pgt)
12566 + .fill L3_VMEMMAP_START,8,0
12567 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12569 NEXT_PAGE(level3_kernel_pgt)
12570 .fill L3_START_KERNEL,8,0
12571 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
12572 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12573 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12575 +NEXT_PAGE(level2_vmemmap_pgt)
12578 NEXT_PAGE(level2_fixmap_pgt)
12580 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12581 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12584 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12585 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12588 -NEXT_PAGE(level1_fixmap_pgt)
12589 +NEXT_PAGE(level1_vsyscall_pgt)
12592 -NEXT_PAGE(level2_ident_pgt)
12593 - /* Since I easily can, map the first 1G.
12594 + /* Since I easily can, map the first 2G.
12595 * Don't set NX because code runs from these pages.
12597 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12598 +NEXT_PAGE(level2_ident_pgt)
12599 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12601 NEXT_PAGE(level2_kernel_pgt)
12603 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
12604 * If you want to increase this then increase MODULES_VADDR
12607 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12608 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12610 -NEXT_PAGE(level2_spare_pgt)
12612 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12619 +ENTRY(cpu_gdt_table)
12621 + .quad 0x0000000000000000 /* NULL descriptor */
12622 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12623 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12624 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12625 + .quad 0x00cffb000000ffff /* __USER32_CS */
12626 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12627 + .quad 0x00affb000000ffff /* __USER_CS */
12629 +#ifdef CONFIG_PAX_KERNEXEC
12630 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12632 + .quad 0x0 /* unused */
12635 + .quad 0,0 /* TSS */
12636 + .quad 0,0 /* LDT */
12637 + .quad 0,0,0 /* three TLS descriptors */
12638 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12639 + /* asm/segment.h:GDT_ENTRIES must match this */
12641 + /* zero the remaining page */
12642 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12646 .globl early_gdt_descr
12648 .word GDT_ENTRIES*8-1
12649 early_gdt_descr_base:
12650 - .quad INIT_PER_CPU_VAR(gdt_page)
12651 + .quad cpu_gdt_table
12654 /* This must match the first entry in level2_kernel_pgt */
12655 .quad 0x0000000000000000
12657 #include "../../x86/xen/xen-head.S"
12659 - .section .bss, "aw", @nobits
12661 + .section .rodata,"a",@progbits
12662 .align L1_CACHE_BYTES
12664 - .skip IDT_ENTRIES * 16
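Review bot: `.fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0` is only right if the descriptors listed above really number `GDT_ENTRIES`; the comment `/* asm/segment.h:GDT_ENTRIES must match this */` asks the reader to verify by hand, and a mismatch would silently shrink or overflow the zero fill. Add an assembly-time check before the fill: `.if (. - cpu_gdt_table) != GDT_ENTRIES * 8` / `.error "cpu_gdt_table does not match GDT_ENTRIES"` / `.endif`. The IDT also moves from `.bss` to `.rodata` in this hunk (its new `.skip` replacement is not visible); a comment stating that it is now read-only and, presumably, must be written through the pax_open_kernel()/pax_close_kernel() pair used elsewhere in this patch would spare the next person a protection fault.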
12669 diff -urNp linux-2.6.38.1/arch/x86/kernel/i386_ksyms_32.c linux-2.6.38.1-new/arch/x86/kernel/i386_ksyms_32.c
12670 --- linux-2.6.38.1/arch/x86/kernel/i386_ksyms_32.c 2011-03-14 21:20:32.000000000 -0400
12671 +++ linux-2.6.38.1-new/arch/x86/kernel/i386_ksyms_32.c 2011-03-21 18:31:35.000000000 -0400
12672 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12673 EXPORT_SYMBOL(cmpxchg8b_emu);
12676 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12678 /* Networking helper routines. */
12679 EXPORT_SYMBOL(csum_partial_copy_generic);
12680 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12681 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12683 EXPORT_SYMBOL(__get_user_1);
12684 EXPORT_SYMBOL(__get_user_2);
12685 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12687 EXPORT_SYMBOL(csum_partial);
12688 EXPORT_SYMBOL(empty_zero_page);
12690 +#ifdef CONFIG_PAX_KERNEXEC
12691 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12693 diff -urNp linux-2.6.38.1/arch/x86/kernel/init_task.c linux-2.6.38.1-new/arch/x86/kernel/init_task.c
12694 --- linux-2.6.38.1/arch/x86/kernel/init_task.c 2011-03-14 21:20:32.000000000 -0400
12695 +++ linux-2.6.38.1-new/arch/x86/kernel/init_task.c 2011-03-21 18:31:35.000000000 -0400
12696 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12697 * section. Since TSS's are completely CPU-local, we want them
12698 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12700 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12702 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12703 +EXPORT_SYMBOL(init_tss);
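Review bot: `init_tss` changes from a per-CPU variable to a static `NR_CPUS`-sized array, but the comment above it (`... Since TSS's are completely CPU-local, we want them on exact cacheline boundaries ...`) still describes the per-CPU placement and says nothing about why the per-CPU mechanism was dropped. Whatever the reason (the `init_tss + get_cpu()` callers in the ioport.c hunks now rely on a plain array), it belongs in that comment, along with the cost: `NR_CPUS * sizeof(struct tss_struct)` of static memory regardless of how many CPUs are present. The hunk shows no prior export of the symbol; if there was none, the new `EXPORT_SYMBOL(init_tss)` (rather than `EXPORT_SYMBOL_GPL`) deserves a one-line justification.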
12704 diff -urNp linux-2.6.38.1/arch/x86/kernel/ioport.c linux-2.6.38.1-new/arch/x86/kernel/ioport.c
12705 --- linux-2.6.38.1/arch/x86/kernel/ioport.c 2011-03-14 21:20:32.000000000 -0400
12706 +++ linux-2.6.38.1-new/arch/x86/kernel/ioport.c 2011-03-21 18:31:35.000000000 -0400
12708 #include <linux/sched.h>
12709 #include <linux/kernel.h>
12710 #include <linux/capability.h>
12711 +#include <linux/security.h>
12712 #include <linux/errno.h>
12713 #include <linux/types.h>
12714 #include <linux/ioport.h>
12715 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12717 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12719 +#ifdef CONFIG_GRKERNSEC_IO
12720 + if (turn_on && grsec_disable_privio) {
12721 + gr_handle_ioperm();
12725 if (turn_on && !capable(CAP_SYS_RAWIO))
12728 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12729 * because the ->io_bitmap_max value must match the bitmap
12732 - tss = &per_cpu(init_tss, get_cpu());
12733 + tss = init_tss + get_cpu();
12735 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12737 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12739 /* Trying to gain more privileges? */
12741 +#ifdef CONFIG_GRKERNSEC_IO
12742 + if (grsec_disable_privio) {
12743 + gr_handle_iopl();
12747 if (!capable(CAP_SYS_RAWIO))
12750 diff -urNp linux-2.6.38.1/arch/x86/kernel/irq_32.c linux-2.6.38.1-new/arch/x86/kernel/irq_32.c
12751 --- linux-2.6.38.1/arch/x86/kernel/irq_32.c 2011-03-14 21:20:32.000000000 -0400
12752 +++ linux-2.6.38.1-new/arch/x86/kernel/irq_32.c 2011-03-21 18:31:35.000000000 -0400
12753 @@ -91,7 +91,7 @@ execute_on_irq_stack(int overflow, struc
12756 /* build the stack frame on the IRQ stack */
12757 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12758 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12759 irqctx->tinfo.task = curctx->tinfo.task;
12760 irqctx->tinfo.previous_esp = current_stack_pointer;
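Review bot: The `- 8` in `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` is an unexplained magic number, and the same literal appears in the `do_softirq` hunk below and as `init_thread_union+THREAD_SIZE-8` in the head_32.S hunk at `@@ -663,13 +758,22 @@`. Give it one named constant with a comment saying what the reserved top 8 bytes of the stack are for (I cannot tell from the hunks; presumably room so the first frame pushed stays inside the stack) and use it at all three sites. `execute_on_irq_stack` begins outside the hunk.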
12762 @@ -103,6 +103,10 @@ execute_on_irq_stack(int overflow, struc
12763 (irqctx->tinfo.preempt_count & ~SOFTIRQ_MASK) |
12764 (curctx->tinfo.preempt_count & SOFTIRQ_MASK);
12766 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12767 + __set_fs(irqctx->tinfo.addr_limit);
12770 if (unlikely(overflow))
12771 call_on_stack(print_stack_overflow, isp);
12773 @@ -113,6 +117,11 @@ execute_on_irq_stack(int overflow, struc
12774 : "0" (irq), "1" (desc), "2" (isp),
12775 "D" (desc->handle_irq)
12776 : "memory", "cc", "ecx");
12778 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12779 + __set_fs(curctx->tinfo.addr_limit);
12785 @@ -168,9 +177,18 @@ asmlinkage void do_softirq(void)
12786 irqctx->tinfo.previous_esp = current_stack_pointer;
12788 /* build the stack frame on the softirq stack */
12789 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12790 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12792 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12793 + __set_fs(irqctx->tinfo.addr_limit);
12796 call_on_stack(__do_softirq, isp);
12798 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12799 + __set_fs(curctx->addr_limit);
12803 * Shouldnt happen, we returned above if in_interrupt():
12805 diff -urNp linux-2.6.38.1/arch/x86/kernel/kgdb.c linux-2.6.38.1-new/arch/x86/kernel/kgdb.c
12806 --- linux-2.6.38.1/arch/x86/kernel/kgdb.c 2011-03-14 21:20:32.000000000 -0400
12807 +++ linux-2.6.38.1-new/arch/x86/kernel/kgdb.c 2011-03-21 18:31:35.000000000 -0400
12808 @@ -124,11 +124,11 @@ char *dbg_get_reg(int regno, void *mem,
12810 #ifdef CONFIG_X86_32
12812 - if (!user_mode_vm(regs))
12813 + if (!user_mode(regs))
12814 *(unsigned long *)mem = __KERNEL_DS;
12817 - if (!user_mode_vm(regs))
12818 + if (!user_mode(regs))
12819 *(unsigned long *)mem = kernel_stack_pointer(regs);
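Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in `dbg_get_reg` changes behaviour for vm86 tasks unless this tree redefines `user_mode()`: mainline's `user_mode_vm()` also treats a VM86 frame as user mode, whereas `user_mode()` checks only the CS RPL. If the patch makes the two equivalent elsewhere, a comment at the first replacement, `/* user_mode() covers vm86 in this tree */`, would stop reviewers re-asking; if not, a vm86 task's SS and SP would be reported as kernel values here. The same substitution appears in the kprobes.c hunk at `@@ -999,7 +1006,7 @@`.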
12822 @@ -719,7 +719,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12826 -struct kgdb_arch arch_kgdb_ops = {
12827 +const struct kgdb_arch arch_kgdb_ops = {
12828 /* Breakpoint instruction: */
12829 .gdb_bpt_instr = { 0xcc },
12830 .flags = KGDB_HW_BREAKPOINT,
12831 diff -urNp linux-2.6.38.1/arch/x86/kernel/kprobes.c linux-2.6.38.1-new/arch/x86/kernel/kprobes.c
12832 --- linux-2.6.38.1/arch/x86/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
12833 +++ linux-2.6.38.1-new/arch/x86/kernel/kprobes.c 2011-03-21 18:31:35.000000000 -0400
12834 @@ -115,8 +115,11 @@ static void __kprobes __synthesize_relat
12835 } __attribute__((packed)) *insn;
12837 insn = (struct __arch_relative_insn *)from;
12839 + pax_open_kernel();
12840 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12842 + pax_close_kernel();
12845 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
12846 @@ -153,7 +156,7 @@ static int __kprobes can_boost(kprobe_op
12847 kprobe_opcode_t opcode;
12848 kprobe_opcode_t *orig_opcodes = opcodes;
12850 - if (search_exception_tables((unsigned long)opcodes))
12851 + if (search_exception_tables(ktva_ktla((unsigned long)opcodes)))
12852 return 0; /* Page fault may occur on this address. */
12855 @@ -314,7 +317,9 @@ static int __kprobes __copy_instruction(
12858 insn_get_length(&insn);
12859 + pax_open_kernel();
12860 memcpy(dest, insn.kaddr, insn.length);
12861 + pax_close_kernel();
12863 #ifdef CONFIG_X86_64
12864 if (insn_rip_relative(&insn)) {
12865 @@ -338,7 +343,9 @@ static int __kprobes __copy_instruction(
12867 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12868 disp = (u8 *) dest + insn_offset_displacement(&insn);
12869 + pax_open_kernel();
12870 *(s32 *) disp = (s32) newdisp;
12871 + pax_close_kernel();
12874 return insn.length;
12875 @@ -352,12 +359,12 @@ static void __kprobes arch_copy_kprobe(s
12877 __copy_instruction(p->ainsn.insn, p->addr, 0);
12879 - if (can_boost(p->addr))
12880 + if (can_boost(ktla_ktva(p->addr)))
12881 p->ainsn.boostable = 0;
12883 p->ainsn.boostable = -1;
12885 - p->opcode = *p->addr;
12886 + p->opcode = *(ktla_ktva(p->addr));
12889 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12890 @@ -474,7 +481,7 @@ static void __kprobes setup_singlestep(s
12891 * nor set current_kprobe, because it doesn't use single
12894 - regs->ip = (unsigned long)p->ainsn.insn;
12895 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12896 preempt_enable_no_resched();
12899 @@ -493,7 +500,7 @@ static void __kprobes setup_singlestep(s
12900 if (p->opcode == BREAKPOINT_INSTRUCTION)
12901 regs->ip = (unsigned long)p->addr;
12903 - regs->ip = (unsigned long)p->ainsn.insn;
12904 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12908 @@ -572,7 +579,7 @@ static int __kprobes kprobe_handler(stru
12909 setup_singlestep(p, regs, kcb, 0);
12912 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12913 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12915 * The breakpoint instruction was removed right
12916 * after we hit it. Another cpu has removed
12917 @@ -817,7 +824,7 @@ static void __kprobes resume_execution(s
12918 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12920 unsigned long *tos = stack_addr(regs);
12921 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12922 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12923 unsigned long orig_ip = (unsigned long)p->addr;
12924 kprobe_opcode_t *insn = p->ainsn.insn;
12926 @@ -999,7 +1006,7 @@ int __kprobes kprobe_exceptions_notify(s
12927 struct die_args *args = data;
12928 int ret = NOTIFY_DONE;
12930 - if (args->regs && user_mode_vm(args->regs))
12931 + if (args->regs && user_mode(args->regs))
12935 @@ -1372,7 +1379,7 @@ int __kprobes arch_prepare_optimized_kpr
12936 * Verify if the address gap is in 2GB range, because this uses
12939 - rel = (long)op->optinsn.insn - (long)op->kp.addr + RELATIVEJUMP_SIZE;
12940 + rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;
12941 if (abs(rel) > 0x7fffffff)
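Review bot: The range check `rel = (long)op->optinsn.insn - ktla_ktva((long)op->kp.addr) + RELATIVEJUMP_SIZE;` translates `kp.addr`, and the returning jump in the next hunk targets `ktla_ktva(op->kp.addr) + op->optinsn.size`, yet what looks like the displacement actually written at the probe site, the unchanged `((long)op->kp.addr + RELATIVEJUMP_SIZE));` context line in the `@@ -1419,7 +1426,7 @@` hunk, still uses the untranslated address. If those differ by the ktla/ktva offset, the 2GB check does not bound the displacement that gets encoded; I cannot tell from the hunks which view %eip uses at the probe site, but the three sites must agree. Please make them consistent and add a short comment at the first site stating which address space `kp.addr` is in and why it is translated. `arch_prepare_optimized_kprobe` continues outside the hunk.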
12944 @@ -1393,11 +1400,11 @@ int __kprobes arch_prepare_optimized_kpr
12945 synthesize_set_arg1(buf + TMPL_MOVE_IDX, (unsigned long)op);
12947 /* Set probe function call */
12948 - synthesize_relcall(buf + TMPL_CALL_IDX, optimized_callback);
12949 + synthesize_relcall(buf + TMPL_CALL_IDX, ktla_ktva(optimized_callback));
12951 /* Set returning jmp instruction at the tail of out-of-line buffer */
12952 synthesize_reljump(buf + TMPL_END_IDX + op->optinsn.size,
12953 - (u8 *)op->kp.addr + op->optinsn.size);
12954 + (u8 *)ktla_ktva(op->kp.addr) + op->optinsn.size);
12956 flush_icache_range((unsigned long) buf,
12957 (unsigned long) buf + TMPL_END_IDX +
12958 @@ -1419,7 +1426,7 @@ static void __kprobes setup_optimize_kpr
12959 ((long)op->kp.addr + RELATIVEJUMP_SIZE));
12961 /* Backup instructions which will be replaced by jump address */
12962 - memcpy(op->optinsn.copied_insn, op->kp.addr + INT3_SIZE,
12963 + memcpy(op->optinsn.copied_insn, ktla_ktva(op->kp.addr) + INT3_SIZE,
12964 RELATIVE_ADDR_SIZE);
12966 insn_buf[0] = RELATIVEJUMP_OPCODE;
12967 diff -urNp linux-2.6.38.1/arch/x86/kernel/ldt.c linux-2.6.38.1-new/arch/x86/kernel/ldt.c
12968 --- linux-2.6.38.1/arch/x86/kernel/ldt.c 2011-03-14 21:20:32.000000000 -0400
12969 +++ linux-2.6.38.1-new/arch/x86/kernel/ldt.c 2011-03-21 18:31:35.000000000 -0400
12970 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12975 + load_LDT_nolock(pc);
12976 if (!cpumask_equal(mm_cpumask(current->mm),
12977 cpumask_of(smp_processor_id())))
12978 smp_call_function(flush_ldt, current->mm, 1);
12982 + load_LDT_nolock(pc);
12986 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
12989 for (i = 0; i < old->size; i++)
12990 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12991 + write_ldt_entry(new->ldt, i, old->ldt + i);
12995 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
12996 retval = copy_ldt(&mm->context, &old_mm->context);
12997 mutex_unlock(&old_mm->context.lock);
13000 + if (tsk == current) {
13001 + mm->context.vdso = 0;
13003 +#ifdef CONFIG_X86_32
13004 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
13005 + mm->context.user_cs_base = 0UL;
13006 + mm->context.user_cs_limit = ~0UL;
13008 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
13009 + cpus_clear(mm->context.cpu_user_cs_mask);
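Review bot: `cpus_clear(mm->context.cpu_user_cs_mask)` uses the legacy by-value `cpumask_t` API; if `cpu_user_cs_mask` is a `cpumask_t`, the current form is `cpumask_clear(&mm->context.cpu_user_cs_mask)`, which also keeps the field ready for a later move to `cpumask_var_t`. The whole reset block is guarded by `if (tsk == current)`, and nothing says why a context created for a task other than the caller skips the vDSO and user-CS reset; a one-line comment on that condition would help. The remainder of the block and the function's return are outside the hunk.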
13020 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
13024 +#ifdef CONFIG_PAX_SEGMEXEC
13025 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
13031 fill_ldt(&ldt, &ldt_info);
13034 diff -urNp linux-2.6.38.1/arch/x86/kernel/machine_kexec_32.c linux-2.6.38.1-new/arch/x86/kernel/machine_kexec_32.c
13035 --- linux-2.6.38.1/arch/x86/kernel/machine_kexec_32.c 2011-03-14 21:20:32.000000000 -0400
13036 +++ linux-2.6.38.1-new/arch/x86/kernel/machine_kexec_32.c 2011-03-21 18:31:35.000000000 -0400
13038 #include <asm/cacheflush.h>
13039 #include <asm/debugreg.h>
13041 -static void set_idt(void *newidt, __u16 limit)
13042 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13044 struct desc_ptr curidt;
13046 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13050 -static void set_gdt(void *newgdt, __u16 limit)
13051 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13053 struct desc_ptr curgdt;
13055 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13058 control_page = page_address(image->control_code_page);
13059 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13060 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13062 relocate_kernel_ptr = control_page;
13063 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13064 diff -urNp linux-2.6.38.1/arch/x86/kernel/microcode_amd.c linux-2.6.38.1-new/arch/x86/kernel/microcode_amd.c
13065 --- linux-2.6.38.1/arch/x86/kernel/microcode_amd.c 2011-03-14 21:20:32.000000000 -0400
13066 +++ linux-2.6.38.1-new/arch/x86/kernel/microcode_amd.c 2011-03-21 18:31:35.000000000 -0400
13067 @@ -317,7 +317,7 @@ static void microcode_fini_cpu_amd(int c
13071 -static struct microcode_ops microcode_amd_ops = {
13072 +static const struct microcode_ops microcode_amd_ops = {
13073 .request_microcode_user = request_microcode_user,
13074 .request_microcode_fw = request_microcode_fw,
13075 .collect_cpu_info = collect_cpu_info_amd,
13076 @@ -325,7 +325,7 @@ static struct microcode_ops microcode_am
13077 .microcode_fini_cpu = microcode_fini_cpu_amd,
13080 -struct microcode_ops * __init init_amd_microcode(void)
13081 +const struct microcode_ops * __init init_amd_microcode(void)
13083 return µcode_amd_ops;
13085 diff -urNp linux-2.6.38.1/arch/x86/kernel/microcode_core.c linux-2.6.38.1-new/arch/x86/kernel/microcode_core.c
13086 --- linux-2.6.38.1/arch/x86/kernel/microcode_core.c 2011-03-14 21:20:32.000000000 -0400
13087 +++ linux-2.6.38.1-new/arch/x86/kernel/microcode_core.c 2011-03-21 18:31:35.000000000 -0400
13088 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13090 #define MICROCODE_VERSION "2.00"
13092 -static struct microcode_ops *microcode_ops;
13093 +static const struct microcode_ops *microcode_ops;
13097 diff -urNp linux-2.6.38.1/arch/x86/kernel/microcode_intel.c linux-2.6.38.1-new/arch/x86/kernel/microcode_intel.c
13098 --- linux-2.6.38.1/arch/x86/kernel/microcode_intel.c 2011-03-14 21:20:32.000000000 -0400
13099 +++ linux-2.6.38.1-new/arch/x86/kernel/microcode_intel.c 2011-03-21 18:31:35.000000000 -0400
13100 @@ -440,13 +440,13 @@ static enum ucode_state request_microcod
13102 static int get_ucode_user(void *to, const void *from, size_t n)
13104 - return copy_from_user(to, from, n);
13105 + return copy_from_user(to, (__force const void __user *)from, n);
13108 static enum ucode_state
13109 request_microcode_user(int cpu, const void __user *buf, size_t size)
13111 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13112 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13115 static void microcode_fini_cpu(int cpu)
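Review bot: The `__force` casts at 13105 and 13112 silence sparse without recording why the mismatch exists: `get_ucode_user` receives a user pointer through a parameter typed as a kernel `const void *`, apparently because `generic_load_microcode` uses one callback type for both the user-copy and the firmware-copy paths (its signature is not in the hunk). A one-line comment above `get_ucode_user`, e.g. `/* 'from' is really a __user pointer; generic_load_microcode() shares one callback type with the firmware path, hence the __force */`, would stop the next reader from "fixing" the cast back to a plain kernel copy. The bodies of both functions are otherwise outside the hunk.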
13116 @@ -457,7 +457,7 @@ static void microcode_fini_cpu(int cpu)
13120 -static struct microcode_ops microcode_intel_ops = {
13121 +static const struct microcode_ops microcode_intel_ops = {
13122 .request_microcode_user = request_microcode_user,
13123 .request_microcode_fw = request_microcode_fw,
13124 .collect_cpu_info = collect_cpu_info,
13125 @@ -465,7 +465,7 @@ static struct microcode_ops microcode_in
13126 .microcode_fini_cpu = microcode_fini_cpu,
13129 -struct microcode_ops * __init init_intel_microcode(void)
13130 +const struct microcode_ops * __init init_intel_microcode(void)
13132 return µcode_intel_ops;
13134 diff -urNp linux-2.6.38.1/arch/x86/kernel/module.c linux-2.6.38.1-new/arch/x86/kernel/module.c
13135 --- linux-2.6.38.1/arch/x86/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
13136 +++ linux-2.6.38.1-new/arch/x86/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
13137 @@ -35,21 +35,66 @@
13138 #define DEBUGP(fmt...)
13141 -void *module_alloc(unsigned long size)
13142 +static inline void *__module_alloc(unsigned long size, pgprot_t prot)
13144 if (PAGE_ALIGN(size) > MODULES_LEN)
13146 return __vmalloc_node_range(size, 1, MODULES_VADDR, MODULES_END,
13147 - GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
13148 + GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot,
13149 -1, __builtin_return_address(0));
13152 +void *module_alloc(unsigned long size)
13155 +#ifdef CONFIG_PAX_KERNEXEC
13156 + return __module_alloc(size, PAGE_KERNEL);
13158 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13163 /* Free memory returned from module_alloc */
13164 void module_free(struct module *mod, void *module_region)
13166 vfree(module_region);
13169 +#ifdef CONFIG_PAX_KERNEXEC
13170 +#ifdef CONFIG_X86_32
13171 +void *module_alloc_exec(unsigned long size)
13173 + struct vm_struct *area;
13178 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13179 + return area ? area->addr : NULL;
13181 +EXPORT_SYMBOL(module_alloc_exec);
13183 +void module_free_exec(struct module *mod, void *module_region)
13185 + vunmap(module_region);
13187 +EXPORT_SYMBOL(module_free_exec);
13189 +void module_free_exec(struct module *mod, void *module_region)
13191 + module_free(mod, module_region);
13193 +EXPORT_SYMBOL(module_free_exec);
13195 +void *module_alloc_exec(unsigned long size)
13197 + return __module_alloc(size, PAGE_KERNEL_RX);
13199 +EXPORT_SYMBOL(module_alloc_exec);
13203 /* We don't need anything special. */
13204 int module_frob_arch_sections(Elf_Ehdr *hdr,
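Review bot: The 32-bit `module_alloc_exec` at 13171–13180 hands back a range reserved with `__get_vm_area` rather than memory mapped by `__vmalloc_node_range`, so its callers get a different contract from `module_alloc` (no backing pages, released with `vunmap` in `module_free_exec` instead of `vfree`), and nothing in the hunk says so. A header comment such as `/* KERNEXEC, 32-bit: only reserves VA in the module exec window (no pages mapped); pair with module_free_exec() */` would record that. The explicit `PAGE_ALIGN(size) > MODULES_LEN` guard kept in `__module_alloc` has no visible counterpart here beyond what `__get_vm_area` itself rejects; lines 13174–13177 are elided, so a size check may exist there. The `#else`/`#endif` lines pairing the `CONFIG_X86_32` branches are also not visible in the hunk.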
13206 @@ -69,14 +114,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13208 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13210 - uint32_t *location;
13211 + uint32_t *plocation, location;
13213 DEBUGP("Applying relocate section %u to %u\n", relsec,
13214 sechdrs[relsec].sh_info);
13215 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13216 /* This is where to make the change */
13217 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13218 - + rel[i].r_offset;
13219 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13220 + location = (uint32_t)plocation;
13221 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13222 + plocation = ktla_ktva((void *)plocation);
13223 /* This is the symbol it is referring to. Note that all
13224 undefined symbols have been resolved. */
13225 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
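Review bot: The split of the old `location` into `plocation` (the write target, 13219) and the numeric `location` (the address the PC-relative case is computed against, 13220), with `plocation` redirected through `ktla_ktva` only for `SHF_EXECINSTR` sections (13221–13222), is the whole point of the hunk but carries no comment, and a later reader can easily fold one back into the other. Add `/* location: address the relocation is computed against; plocation: where the bytes are written (the KERNEXEC alias for code sections) */` above the loop. The per-store `pax_open_kernel()`/`pax_close_kernel()` bracketing in the two hunks that follow keeps the writable window to a single write, which is the right granularity; apply_relocate's declaration and tail are outside the hunk.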
13226 @@ -85,11 +132,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13227 switch (ELF32_R_TYPE(rel[i].r_info)) {
13229 /* We add the value into the location given */
13230 - *location += sym->st_value;
13231 + pax_open_kernel();
13232 + *plocation += sym->st_value;
13233 + pax_close_kernel();
13236 /* Add the value, subtract its postition */
13237 - *location += sym->st_value - (uint32_t)location;
13238 + pax_open_kernel();
13239 + *plocation += sym->st_value - location;
13240 + pax_close_kernel();
13243 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
13244 @@ -145,21 +196,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13245 case R_X86_64_NONE:
13248 + pax_open_kernel();
13250 + pax_close_kernel();
13253 + pax_open_kernel();
13255 + pax_close_kernel();
13256 if (val != *(u32 *)loc)
13260 + pax_open_kernel();
13262 + pax_close_kernel();
13263 if ((s64)val != *(s32 *)loc)
13266 case R_X86_64_PC32:
13268 + pax_open_kernel();
13270 + pax_close_kernel();
13273 if ((s64)val != *(s32 *)loc)
13275 diff -urNp linux-2.6.38.1/arch/x86/kernel/paravirt.c linux-2.6.38.1-new/arch/x86/kernel/paravirt.c
13276 --- linux-2.6.38.1/arch/x86/kernel/paravirt.c 2011-03-14 21:20:32.000000000 -0400
13277 +++ linux-2.6.38.1-new/arch/x86/kernel/paravirt.c 2011-03-21 18:31:35.000000000 -0400
13278 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13279 * corresponding structure. */
13280 static void *get_call_destination(u8 type)
13282 - struct paravirt_patch_template tmpl = {
13283 + const struct paravirt_patch_template tmpl = {
13284 .pv_init_ops = pv_init_ops,
13285 .pv_time_ops = pv_time_ops,
13286 .pv_cpu_ops = pv_cpu_ops,
13287 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13288 if (opfunc == NULL)
13289 /* If there's no function, patch it with a ud2a (BUG) */
13290 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13291 - else if (opfunc == _paravirt_nop)
13292 + else if (opfunc == (void *)_paravirt_nop)
13293 /* If the operation is a nop, then nop the callsite */
13294 ret = paravirt_patch_nop();
13296 /* identity functions just return their single argument */
13297 - else if (opfunc == _paravirt_ident_32)
13298 + else if (opfunc == (void *)_paravirt_ident_32)
13299 ret = paravirt_patch_ident_32(insnbuf, len);
13300 - else if (opfunc == _paravirt_ident_64)
13301 + else if (opfunc == (void *)_paravirt_ident_64)
13302 ret = paravirt_patch_ident_64(insnbuf, len);
13304 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13305 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13306 if (insn_len > len || start == NULL)
13309 - memcpy(insnbuf, start, insn_len);
13310 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13314 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13318 -struct pv_info pv_info = {
13319 +struct pv_info pv_info __read_only = {
13320 .name = "bare hardware",
13321 .paravirt_enabled = 0,
13323 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13326 -struct pv_init_ops pv_init_ops = {
13327 +struct pv_init_ops pv_init_ops __read_only = {
13328 .patch = native_patch,
13331 -struct pv_time_ops pv_time_ops = {
13332 +struct pv_time_ops pv_time_ops __read_only = {
13333 .sched_clock = native_sched_clock,
13336 -struct pv_irq_ops pv_irq_ops = {
13337 +struct pv_irq_ops pv_irq_ops __read_only = {
13338 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13339 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13340 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
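Review bot: Marking `pv_info`, `pv_init_ops`, `pv_time_ops` and `pv_irq_ops` `__read_only` (13319–13337, and the remaining pv_*_ops in the hunks that follow) changes who may write these tables, but no comment records the new rule; add one at `pv_info`, e.g. `/* pv_*_ops are __read_only: after init they may only be assigned under pax_open_kernel()/pax_close_kernel() */`. Any code that assigns into these structures later (hypervisor init paths, for instance) presumably needs the same bracketing this patch applies to `early_gdt_descr` in smpboot.c; I cannot verify from this hunk whether those writers were updated. The definition of `__read_only` is not in view either.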
13341 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13345 -struct pv_cpu_ops pv_cpu_ops = {
13346 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13347 .cpuid = native_cpuid,
13348 .get_debugreg = native_get_debugreg,
13349 .set_debugreg = native_set_debugreg,
13350 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13351 .end_context_switch = paravirt_nop,
13354 -struct pv_apic_ops pv_apic_ops = {
13355 +struct pv_apic_ops pv_apic_ops __read_only = {
13356 #ifdef CONFIG_X86_LOCAL_APIC
13357 .startup_ipi_hook = paravirt_nop,
13359 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13360 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13363 -struct pv_mmu_ops pv_mmu_ops = {
13364 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13366 .read_cr2 = native_read_cr2,
13367 .write_cr2 = native_write_cr2,
13368 @@ -465,6 +465,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13371 .set_fixmap = native_set_fixmap,
13373 +#ifdef CONFIG_PAX_KERNEXEC
13374 + .pax_open_kernel = native_pax_open_kernel,
13375 + .pax_close_kernel = native_pax_close_kernel,
13380 EXPORT_SYMBOL_GPL(pv_time_ops);
13381 diff -urNp linux-2.6.38.1/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.38.1-new/arch/x86/kernel/paravirt-spinlocks.c
13382 --- linux-2.6.38.1/arch/x86/kernel/paravirt-spinlocks.c 2011-03-14 21:20:32.000000000 -0400
13383 +++ linux-2.6.38.1-new/arch/x86/kernel/paravirt-spinlocks.c 2011-03-21 18:31:35.000000000 -0400
13384 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13385 arch_spin_lock(lock);
13388 -struct pv_lock_ops pv_lock_ops = {
13389 +struct pv_lock_ops pv_lock_ops __read_only = {
13391 .spin_is_locked = __ticket_spin_is_locked,
13392 .spin_is_contended = __ticket_spin_is_contended,
13393 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-calgary_64.c linux-2.6.38.1-new/arch/x86/kernel/pci-calgary_64.c
13394 --- linux-2.6.38.1/arch/x86/kernel/pci-calgary_64.c 2011-03-14 21:20:32.000000000 -0400
13395 +++ linux-2.6.38.1-new/arch/x86/kernel/pci-calgary_64.c 2011-03-21 18:31:35.000000000 -0400
13396 @@ -476,7 +476,7 @@ static void calgary_free_coherent(struct
13397 free_pages((unsigned long)vaddr, get_order(size));
13400 -static struct dma_map_ops calgary_dma_ops = {
13401 +static const struct dma_map_ops calgary_dma_ops = {
13402 .alloc_coherent = calgary_alloc_coherent,
13403 .free_coherent = calgary_free_coherent,
13404 .map_sg = calgary_map_sg,
13405 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-dma.c linux-2.6.38.1-new/arch/x86/kernel/pci-dma.c
13406 --- linux-2.6.38.1/arch/x86/kernel/pci-dma.c 2011-03-14 21:20:32.000000000 -0400
13407 +++ linux-2.6.38.1-new/arch/x86/kernel/pci-dma.c 2011-03-21 18:31:35.000000000 -0400
13410 static int forbid_dac __read_mostly;
13412 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13413 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13414 EXPORT_SYMBOL(dma_ops);
13416 static int iommu_sac_force __read_mostly;
13417 @@ -250,7 +250,7 @@ early_param("iommu", iommu_setup);
13419 int dma_supported(struct device *dev, u64 mask)
13421 - struct dma_map_ops *ops = get_dma_ops(dev);
13422 + const struct dma_map_ops *ops = get_dma_ops(dev);
13425 if (mask > 0xffffffff && forbid_dac > 0) {
13426 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-gart_64.c linux-2.6.38.1-new/arch/x86/kernel/pci-gart_64.c
13427 --- linux-2.6.38.1/arch/x86/kernel/pci-gart_64.c 2011-03-14 21:20:32.000000000 -0400
13428 +++ linux-2.6.38.1-new/arch/x86/kernel/pci-gart_64.c 2011-03-21 18:31:35.000000000 -0400
13429 @@ -706,7 +706,7 @@ static __init int init_amd_gatt(struct a
13433 -static struct dma_map_ops gart_dma_ops = {
13434 +static const struct dma_map_ops gart_dma_ops = {
13435 .map_sg = gart_map_sg,
13436 .unmap_sg = gart_unmap_sg,
13437 .map_page = gart_map_page,
13438 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-nommu.c linux-2.6.38.1-new/arch/x86/kernel/pci-nommu.c
13439 --- linux-2.6.38.1/arch/x86/kernel/pci-nommu.c 2011-03-14 21:20:32.000000000 -0400
13440 +++ linux-2.6.38.1-new/arch/x86/kernel/pci-nommu.c 2011-03-21 18:31:35.000000000 -0400
13441 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13442 flush_write_buffers();
13445 -struct dma_map_ops nommu_dma_ops = {
13446 +const struct dma_map_ops nommu_dma_ops = {
13447 .alloc_coherent = dma_generic_alloc_coherent,
13448 .free_coherent = nommu_free_coherent,
13449 .map_sg = nommu_map_sg,
13450 diff -urNp linux-2.6.38.1/arch/x86/kernel/pci-swiotlb.c linux-2.6.38.1-new/arch/x86/kernel/pci-swiotlb.c
13451 --- linux-2.6.38.1/arch/x86/kernel/pci-swiotlb.c 2011-03-14 21:20:32.000000000 -0400
13452 +++ linux-2.6.38.1-new/arch/x86/kernel/pci-swiotlb.c 2011-03-21 18:31:35.000000000 -0400
13453 @@ -26,7 +26,7 @@ static void *x86_swiotlb_alloc_coherent(
13454 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13457 -static struct dma_map_ops swiotlb_dma_ops = {
13458 +static const struct dma_map_ops swiotlb_dma_ops = {
13459 .mapping_error = swiotlb_dma_mapping_error,
13460 .alloc_coherent = x86_swiotlb_alloc_coherent,
13461 .free_coherent = swiotlb_free_coherent,
13462 diff -urNp linux-2.6.38.1/arch/x86/kernel/process_32.c linux-2.6.38.1-new/arch/x86/kernel/process_32.c
13463 --- linux-2.6.38.1/arch/x86/kernel/process_32.c 2011-03-14 21:20:32.000000000 -0400
13464 +++ linux-2.6.38.1-new/arch/x86/kernel/process_32.c 2011-03-21 18:31:35.000000000 -0400
13465 @@ -65,6 +65,7 @@ asmlinkage void ret_from_fork(void) __as
13466 unsigned long thread_saved_pc(struct task_struct *tsk)
13468 return ((unsigned long *)tsk->thread.sp)[3];
13469 +//XXX return tsk->thread.eip;
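Review bot: Line 13469 adds commented-out code (`//XXX return tsk->thread.eip;`) beside the live `return ((unsigned long *)tsk->thread.sp)[3];`, which is exactly the dead text a maintainer flags. Either drop it or turn it into a real comment that states what is pending, e.g. `/* XXX: consider returning tsk->thread.eip instead of the hard-coded stack slot */`. The rest of thread_saved_pc is outside the hunk.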
13473 @@ -126,15 +127,14 @@ void __show_regs(struct pt_regs *regs, i
13475 unsigned short ss, gs;
13477 - if (user_mode_vm(regs)) {
13478 + if (user_mode(regs)) {
13480 ss = regs->ss & 0xffff;
13481 - gs = get_user_gs(regs);
13483 sp = kernel_stack_pointer(regs);
13484 savesegment(ss, ss);
13485 - savesegment(gs, gs);
13487 + gs = get_user_gs(regs);
13489 show_regs_common();
13491 @@ -196,7 +196,7 @@ int copy_thread(unsigned long clone_flag
13492 struct task_struct *tsk;
13495 - childregs = task_pt_regs(p);
13496 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13497 *childregs = *regs;
13499 childregs->sp = sp;
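Review bot: The new `childregs` computation at 13496 open-codes `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8`, and the same bare `8` reappears in process_64.c's `get_wchan` bounds (`stack+THREAD_SIZE-8-sizeof(u64)`, gutter 13574 and 13580); nothing in either hunk says what those 8 bytes are. Give the gap a name and use it in all three places, e.g. `#define STACK_TOP_GAP 8 /* bytes reserved above pt_regs at the top of the kernel stack */` (placeholder name; it belongs wherever THREAD_SIZE is defined, which I cannot see from here). Since `task_pt_regs(p)` presumably encoded the same offset before, a one-line comment at 13496 on why the helper is no longer used would also help; copy_thread's body continues outside the hunk.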
13500 @@ -293,7 +293,7 @@ __switch_to(struct task_struct *prev_p,
13501 struct thread_struct *prev = &prev_p->thread,
13502 *next = &next_p->thread;
13503 int cpu = smp_processor_id();
13504 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13505 + struct tss_struct *tss = init_tss + cpu;
13508 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13509 @@ -328,6 +328,10 @@ __switch_to(struct task_struct *prev_p,
13511 lazy_save_gs(prev->gs);
13513 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13514 + __set_fs(task_thread_info(next_p)->addr_limit);
13518 * Load the per-thread Thread-Local Storage descriptor.
13520 @@ -404,3 +408,27 @@ unsigned long get_wchan(struct task_stru
13524 +#ifdef CONFIG_PAX_RANDKSTACK
13525 +asmlinkage void pax_randomize_kstack(void)
13527 + struct thread_struct *thread = ¤t->thread;
13528 + unsigned long time;
13530 + if (!randomize_va_space)
13535 + /* P4 seems to return a 0 LSB, ignore it */
13536 +#ifdef CONFIG_MPENTIUM4
13544 + thread->sp0 ^= time;
13545 + load_sp0(init_tss + smp_processor_id(), thread);
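Review bot: `thread->sp0 ^= time;` at 13544 moves the task's kernel stack top, but the hunk shows neither where `time` comes from nor which bits survive before the xor (13529–13534 and 13537–13543 are elided), so a reader cannot tell that sp0 still lies within the task's kernel stack and keeps the alignment the rest of the kernel assumes. Add a comment above the xor that states the mask and the resulting bound, e.g. `/* only the masked low bits of the timestamp are used, so sp0 stays inside the stack and aligned — TODO confirm against the mask above */`, worded to match what the elided lines actually do. The `CONFIG_MPENTIUM4` special case at 13535–13536 also deserves one line on which bits it discards.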
13548 diff -urNp linux-2.6.38.1/arch/x86/kernel/process_64.c linux-2.6.38.1-new/arch/x86/kernel/process_64.c
13549 --- linux-2.6.38.1/arch/x86/kernel/process_64.c 2011-03-14 21:20:32.000000000 -0400
13550 +++ linux-2.6.38.1-new/arch/x86/kernel/process_64.c 2011-03-21 18:31:35.000000000 -0400
13551 @@ -87,7 +87,7 @@ static void __exit_idle(void)
13552 void exit_idle(void)
13554 /* idle loop has pid 0 */
13555 - if (current->pid)
13556 + if (task_pid_nr(current))
13560 @@ -376,7 +376,7 @@ __switch_to(struct task_struct *prev_p,
13561 struct thread_struct *prev = &prev_p->thread;
13562 struct thread_struct *next = &next_p->thread;
13563 int cpu = smp_processor_id();
13564 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13565 + struct tss_struct *tss = init_tss + cpu;
13566 unsigned fsindex, gsindex;
13569 @@ -529,12 +529,11 @@ unsigned long get_wchan(struct task_stru
13570 if (!p || p == current || p->state == TASK_RUNNING)
13572 stack = (unsigned long)task_stack_page(p);
13573 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13574 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13576 fp = *(u64 *)(p->thread.sp);
13578 - if (fp < (unsigned long)stack ||
13579 - fp >= (unsigned long)stack+THREAD_SIZE)
13580 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13582 ip = *(u64 *)(fp+8);
13583 if (!in_sched_functions(ip))
13584 diff -urNp linux-2.6.38.1/arch/x86/kernel/process.c linux-2.6.38.1-new/arch/x86/kernel/process.c
13585 --- linux-2.6.38.1/arch/x86/kernel/process.c 2011-03-14 21:20:32.000000000 -0400
13586 +++ linux-2.6.38.1-new/arch/x86/kernel/process.c 2011-03-21 18:31:35.000000000 -0400
13587 @@ -70,7 +70,7 @@ void exit_thread(void)
13588 unsigned long *bp = t->io_bitmap_ptr;
13591 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13592 + struct tss_struct *tss = init_tss + get_cpu();
13594 t->io_bitmap_ptr = NULL;
13595 clear_thread_flag(TIF_IO_BITMAP);
13596 @@ -97,6 +97,7 @@ void show_regs_common(void)
13597 vendor = dmi_get_system_info(DMI_SYS_VENDOR);
13601 product = dmi_get_system_info(DMI_PRODUCT_NAME);
13604 @@ -105,8 +106,8 @@ void show_regs_common(void)
13605 board = dmi_get_system_info(DMI_BOARD_NAME);
13607 printk(KERN_CONT "\n");
13608 - printk(KERN_DEFAULT "Pid: %d, xid: #%u, comm: %.20s %s %s %.*s",
13609 - current->pid, current->xid, current->comm, print_tainted(),
13610 + printk(KERN_DEFAULT "Pid: %d, comm: %.20s %s %s %.*s\n",
13611 + task_pid_nr(current), current->comm, print_tainted(),
13612 init_utsname()->release,
13613 (int)strcspn(init_utsname()->version, " "),
13614 init_utsname()->version);
13615 @@ -123,6 +124,9 @@ void flush_thread(void)
13617 struct task_struct *tsk = current;
13619 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR) && !defined(CONFIG_PAX_MEMORY_UDEREF)
13620 + loadsegment(gs, 0);
13622 flush_ptrace_hw_breakpoint(tsk);
13623 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
13625 @@ -285,10 +289,10 @@ int kernel_thread(int (*fn)(void *), voi
13626 regs.di = (unsigned long) arg;
13628 #ifdef CONFIG_X86_32
13629 - regs.ds = __USER_DS;
13630 - regs.es = __USER_DS;
13631 + regs.ds = __KERNEL_DS;
13632 + regs.es = __KERNEL_DS;
13633 regs.fs = __KERNEL_PERCPU;
13634 - regs.gs = __KERNEL_STACK_CANARY;
13635 + savesegment(gs, regs.gs);
13637 regs.ss = __KERNEL_DS;
13639 @@ -667,17 +671,3 @@ static int __init idle_setup(char *str)
13642 early_param("idle", idle_setup);
13644 -unsigned long arch_align_stack(unsigned long sp)
13646 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13647 - sp -= get_random_int() % 8192;
13648 - return sp & ~0xf;
13651 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13653 - unsigned long range_end = mm->brk + 0x02000000;
13654 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13657 diff -urNp linux-2.6.38.1/arch/x86/kernel/ptrace.c linux-2.6.38.1-new/arch/x86/kernel/ptrace.c
13658 --- linux-2.6.38.1/arch/x86/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
13659 +++ linux-2.6.38.1-new/arch/x86/kernel/ptrace.c 2011-03-21 18:31:35.000000000 -0400
13660 @@ -805,7 +805,7 @@ long arch_ptrace(struct task_struct *chi
13661 unsigned long addr, unsigned long data)
13664 - unsigned long __user *datap = (unsigned long __user *)data;
13665 + unsigned long __user *datap = (__force unsigned long __user *)data;
13668 /* read the word at location addr in the USER area. */
13669 @@ -890,14 +890,14 @@ long arch_ptrace(struct task_struct *chi
13670 if ((int) addr < 0)
13672 ret = do_get_thread_area(child, addr,
13673 - (struct user_desc __user *)data);
13674 + (__force struct user_desc __user *) data);
13677 case PTRACE_SET_THREAD_AREA:
13678 if ((int) addr < 0)
13680 ret = do_set_thread_area(child, addr,
13681 - (struct user_desc __user *)data, 0);
13682 + (__force struct user_desc __user *) data, 0);
13686 @@ -1314,7 +1314,7 @@ static void fill_sigtrap_info(struct tas
13687 memset(info, 0, sizeof(*info));
13688 info->si_signo = SIGTRAP;
13689 info->si_code = si_code;
13690 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13691 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13694 void user_single_step_siginfo(struct task_struct *tsk,
13695 @@ -1347,7 +1347,7 @@ void send_sigtrap(struct task_struct *ts
13696 * We must return the syscall number to actually look up in the table.
13697 * This can be -1L to skip running any syscall at all.
13699 -asmregparm long syscall_trace_enter(struct pt_regs *regs)
13700 +long syscall_trace_enter(struct pt_regs *regs)
13704 @@ -1392,7 +1392,7 @@ asmregparm long syscall_trace_enter(stru
13705 return ret ?: regs->orig_ax;
13708 -asmregparm void syscall_trace_leave(struct pt_regs *regs)
13709 +void syscall_trace_leave(struct pt_regs *regs)
13713 diff -urNp linux-2.6.38.1/arch/x86/kernel/reboot.c linux-2.6.38.1-new/arch/x86/kernel/reboot.c
13714 --- linux-2.6.38.1/arch/x86/kernel/reboot.c 2011-03-14 21:20:32.000000000 -0400
13715 +++ linux-2.6.38.1-new/arch/x86/kernel/reboot.c 2011-03-21 18:31:35.000000000 -0400
13716 @@ -34,7 +34,7 @@ void (*pm_power_off)(void);
13717 EXPORT_SYMBOL(pm_power_off);
13719 static const struct desc_ptr no_idt = {};
13720 -static int reboot_mode;
13721 +static unsigned short reboot_mode;
13722 enum reboot_type reboot_type = BOOT_KBD;
13725 @@ -293,7 +293,7 @@ static struct dmi_system_id __initdata r
13726 DMI_MATCH(DMI_BOARD_NAME, "VersaLogic Menlow board"),
13730 + { NULL, NULL, {{0, {0}}}, NULL}
13733 static int __init reboot_init(void)
13734 @@ -309,12 +309,12 @@ core_initcall(reboot_init);
13735 controller to pulse the CPU reset line, which is more thorough, but
13736 doesn't work with at least one type of 486 motherboard. It is easy
13737 to stop this code working; hence the copious comments. */
13738 -static const unsigned long long
13739 -real_mode_gdt_entries [3] =
13740 +static struct desc_struct
13741 +real_mode_gdt_entries [3] __read_only =
13743 - 0x0000000000000000ULL, /* Null descriptor */
13744 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13745 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13746 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13747 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13748 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13751 static const struct desc_ptr
13752 @@ -363,7 +363,7 @@ static const unsigned char jump_to_bios
13753 * specified by the code and length parameters.
13754 * We assume that length will aways be less that 100!
13756 -void machine_real_restart(const unsigned char *code, int length)
13757 +void machine_real_restart(const unsigned char *code, unsigned int length)
13759 local_irq_disable();
13761 @@ -390,16 +390,15 @@ void machine_real_restart(const unsigned
13762 boot)". This seems like a fairly standard thing that gets set by
13763 REBOOT.COM programs, and the previous reset routine did this
13765 - *((unsigned short *)0x472) = reboot_mode;
13766 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13768 /* For the switch to real mode, copy some code to low memory. It has
13769 to be in the first 64k because it is running in 16-bit mode, and it
13770 has to have the same physical and virtual address, because it turns
13771 off paging. Copy it near the end of the first page, out of the way
13772 of BIOS variables. */
13773 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13774 - real_mode_switch, sizeof (real_mode_switch));
13775 - memcpy((void *)(0x1000 - 100), code, length);
13776 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13777 + memcpy(__va(0x1000 - 100), code, length);
13779 /* Set up the IDT for real mode. */
13780 load_idt(&real_mode_idt);
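Review bot: `memcpy(__va(0x1000 - 100), code, length)` at 13777 still relies on the comment's "length will aways be less that 100"; changing `length` to `unsigned int` (13757) removes the negative case but not an over-long one, which would write past the end of the first page. Add a guard before the copies, e.g. `BUG_ON(length > 100);`, and give the `100` a name so the three occurrences in this hunk stay in step. The `*(unsigned short *)(__va(0x472)) = reboot_mode` store now matches the `unsigned short` type `reboot_mode` was given earlier in the file, which is consistent; the rest of machine_real_restart is outside the hunk.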
13781 diff -urNp linux-2.6.38.1/arch/x86/kernel/setup.c linux-2.6.38.1-new/arch/x86/kernel/setup.c
13782 --- linux-2.6.38.1/arch/x86/kernel/setup.c 2011-03-14 21:20:32.000000000 -0400
13783 +++ linux-2.6.38.1-new/arch/x86/kernel/setup.c 2011-03-21 18:31:35.000000000 -0400
13784 @@ -654,7 +654,7 @@ static void __init trim_bios_range(void)
13785 * area (640->1Mb) as ram even though it is not.
13788 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13789 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13790 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13793 @@ -790,14 +790,14 @@ void __init setup_arch(char **cmdline_p)
13795 if (!boot_params.hdr.root_flags)
13796 root_mountflags &= ~MS_RDONLY;
13797 - init_mm.start_code = (unsigned long) _text;
13798 - init_mm.end_code = (unsigned long) _etext;
13799 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13800 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13801 init_mm.end_data = (unsigned long) _edata;
13802 init_mm.brk = _brk_end;
13804 - code_resource.start = virt_to_phys(_text);
13805 - code_resource.end = virt_to_phys(_etext)-1;
13806 - data_resource.start = virt_to_phys(_etext);
13807 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13808 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13809 + data_resource.start = virt_to_phys(_sdata);
13810 data_resource.end = virt_to_phys(_edata)-1;
13811 bss_resource.start = virt_to_phys(&__bss_start);
13812 bss_resource.end = virt_to_phys(&__bss_stop)-1;
13813 diff -urNp linux-2.6.38.1/arch/x86/kernel/setup_percpu.c linux-2.6.38.1-new/arch/x86/kernel/setup_percpu.c
13814 --- linux-2.6.38.1/arch/x86/kernel/setup_percpu.c 2011-03-14 21:20:32.000000000 -0400
13815 +++ linux-2.6.38.1-new/arch/x86/kernel/setup_percpu.c 2011-03-21 18:31:35.000000000 -0400
13816 @@ -21,19 +21,17 @@
13817 #include <asm/cpu.h>
13818 #include <asm/stackprotector.h>
13820 -DEFINE_PER_CPU(int, cpu_number);
13822 +DEFINE_PER_CPU(unsigned int, cpu_number);
13823 EXPORT_PER_CPU_SYMBOL(cpu_number);
13826 -#ifdef CONFIG_X86_64
13827 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13829 -#define BOOT_PERCPU_OFFSET 0
13832 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13833 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13835 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13836 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13837 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13839 EXPORT_SYMBOL(__per_cpu_offset);
13840 @@ -155,10 +153,10 @@ static inline void setup_percpu_segment(
13842 #ifdef CONFIG_X86_32
13843 struct desc_struct gdt;
13844 + unsigned long base = per_cpu_offset(cpu);
13846 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13847 - 0x2 | DESCTYPE_S, 0x8);
13849 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13850 + 0x83 | DESCTYPE_S, 0xC);
13851 write_gdt_entry(get_cpu_gdt_table(cpu),
13852 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
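Review bot: The new `pack_descriptor` call at 13849–13850 replaces a fixed byte-granular `0xFFFFF` limit with a page-granular limit running from `base` to `VMALLOC_END`, and swaps the access/flag bytes from `0x2`/`0x8` to `0x83 | DESCTYPE_S`/`0xC`, all without a comment. Spell out the intent and the bit meanings next to the call, e.g. `/* RW data segment (0x83: present, accessed, writable; 0xC: 4K granularity + 32-bit); the per-cpu segment reaches only up to VMALLOC_END; the limit field is inclusive, hence the -1 */`. The motivation is presumably to bound what a %gs-relative access can reach, but that is inferred from the arithmetic and should be written down by the author. setup_percpu_segment's declaration and the `#else` branch are outside the hunk.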
13854 @@ -207,6 +205,11 @@ void __init setup_per_cpu_areas(void)
13855 /* alrighty, percpu areas up and running */
13856 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13857 for_each_possible_cpu(cpu) {
13858 +#ifdef CONFIG_CC_STACKPROTECTOR
13859 +#ifdef CONFIG_x86_32
13860 + unsigned long canary = per_cpu(stack_canary, cpu);
13863 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13864 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13865 per_cpu(cpu_number, cpu) = cpu;
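Review bot: `#ifdef CONFIG_x86_32` at 13859 (and again at 13871 in the next hunk) spells the symbol with a lowercase `x86`; the Kconfig symbol is `CONFIG_X86_32`, so the preprocessor never defines this one and both the `canary` save and the `per_cpu(stack_canary, cpu) = canary` restore for the boot CPU are dead code on every build. The fix is `#ifdef CONFIG_X86_32` in both places. Because the block has never been compiled, the identifiers inside it (`boot_cpu_id`, `stack_canary`) have never been checked against this tree; verify they exist once the guard is corrected. A short comment on why the restore is needed on 32-bit only would keep the next reader from treating the guard as a typo again.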
13866 @@ -243,6 +246,12 @@ void __init setup_per_cpu_areas(void)
13867 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13870 +#ifdef CONFIG_CC_STACKPROTECTOR
13871 +#ifdef CONFIG_x86_32
13872 + if (cpu == boot_cpu_id)
13873 + per_cpu(stack_canary, cpu) = canary;
13877 * Up to this point, the boot CPU has been using .init.data
13878 * area. Reload any changed state for the boot CPU.
13879 diff -urNp linux-2.6.38.1/arch/x86/kernel/signal.c linux-2.6.38.1-new/arch/x86/kernel/signal.c
13880 --- linux-2.6.38.1/arch/x86/kernel/signal.c 2011-03-14 21:20:32.000000000 -0400
13881 +++ linux-2.6.38.1-new/arch/x86/kernel/signal.c 2011-03-21 18:31:35.000000000 -0400
13882 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13883 * Align the stack pointer according to the i386 ABI,
13884 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13886 - sp = ((sp + 4) & -16ul) - 4;
13887 + sp = ((sp - 12) & -16ul) - 4;
13888 #else /* !CONFIG_X86_32 */
13889 sp = round_down(sp, 16) - 8;
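Review bot: The comment above the changed line still describes only the ABI rule `((sp + 4) & 15) == 0`, which both the old `((sp + 4) & -16ul) - 4` and the new `((sp - 12) & -16ul) - 4` satisfy; what the new form actually changes is that the result is always exactly 16 bytes lower than before (it can never equal the incoming `sp`), and nothing in the hunk says why. Add the reason next to 13887, e.g. `/* step down one extra 16-byte slot so the frame never starts at the incoming sp itself */` if that is the intent; I am inferring it from the arithmetic, so the author should state the real motivation. align_sigframe's 64-bit branch and return are outside the hunk.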
13891 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13892 * Return an always-bogus address instead so we will die with SIGSEGV.
13894 if (onsigstack && !likely(on_sig_stack(sp)))
13895 - return (void __user *)-1L;
13896 + return (__force void __user *)-1L;
13898 /* save i387 state */
13899 if (used_math() && save_i387_xstate(*fpstate) < 0)
13900 - return (void __user *)-1L;
13901 + return (__force void __user *)-1L;
13903 return (void __user *)sp;
13905 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13908 if (current->mm->context.vdso)
13909 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13910 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13912 - restorer = &frame->retcode;
13913 + restorer = (void __user *)&frame->retcode;
13914 if (ka->sa.sa_flags & SA_RESTORER)
13915 restorer = ka->sa.sa_restorer;
13917 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13918 * reasons and because gdb uses it as a signature to notice
13919 * signal handler stack frames.
13921 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13922 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13926 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
13927 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13929 /* Set up to return from userspace. */
13930 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13931 + if (current->mm->context.vdso)
13932 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13934 + restorer = (void __user *)&frame->retcode;
13935 if (ka->sa.sa_flags & SA_RESTORER)
13936 restorer = ka->sa.sa_restorer;
13937 put_user_ex(restorer, &frame->pretcode);
13938 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
13939 * reasons and because gdb uses it as a signature to notice
13940 * signal handler stack frames.
13942 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13943 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13944 } put_user_catch(err);
13947 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
13948 * X86_32: vm86 regs switched out by assembly code before reaching
13949 * here, so testing against kernel CS suffices.
13951 - if (!user_mode(regs))
13952 + if (!user_mode_novm(regs))
13955 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13956 diff -urNp linux-2.6.38.1/arch/x86/kernel/smpboot.c linux-2.6.38.1-new/arch/x86/kernel/smpboot.c
13957 --- linux-2.6.38.1/arch/x86/kernel/smpboot.c 2011-03-14 21:20:32.000000000 -0400
13958 +++ linux-2.6.38.1-new/arch/x86/kernel/smpboot.c 2011-03-21 18:31:35.000000000 -0400
13959 @@ -783,7 +783,11 @@ do_rest:
13960 (unsigned long)task_stack_page(c_idle.idle) -
13961 KERNEL_STACK_OFFSET + THREAD_SIZE;
13964 + pax_open_kernel();
13965 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13966 + pax_close_kernel();
13968 initial_code = (unsigned long)start_secondary;
13969 stack_start = c_idle.idle->thread.sp;
13971 @@ -923,6 +927,12 @@ int __cpuinit native_cpu_up(unsigned int
13973 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13975 +#ifdef CONFIG_PAX_PER_CPU_PGD
13976 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13977 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13978 + KERNEL_PGD_PTRS);
13981 err = do_boot_cpu(apicid, cpu);
13983 pr_debug("do_boot_cpu failed %d\n", err);
13984 diff -urNp linux-2.6.38.1/arch/x86/kernel/step.c linux-2.6.38.1-new/arch/x86/kernel/step.c
13985 --- linux-2.6.38.1/arch/x86/kernel/step.c 2011-03-14 21:20:32.000000000 -0400
13986 +++ linux-2.6.38.1-new/arch/x86/kernel/step.c 2011-03-21 18:31:35.000000000 -0400
13987 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13988 struct desc_struct *desc;
13989 unsigned long base;
13994 mutex_lock(&child->mm->context.lock);
13995 - if (unlikely((seg >> 3) >= child->mm->context.size))
13996 + if (unlikely(seg >= child->mm->context.size))
13997 addr = -1L; /* bogus selector, access would fault */
13999 desc = child->mm->context.ldt + seg;
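Review bot: The new bounds check `seg >= child->mm->context.size` at L8261 and the unchanged index `child->mm->context.ldt + seg` at L8263 now both treat `seg` as an LDT entry index, whereas the original check shifted the selector by 3 first; this is only correct if the lines that derive `seg` from the selector (between L8258 and L8259, not shown) now shift rather than mask it. Whichever form that code takes, the check and the indexing must use the same unit, and a comment at the check would stop them drifting apart again: `/* seg is an LDT index here (selector >> 3); it indexes ldt[] directly below */`. convert_ip_to_linear() begins and ends outside the hunk.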
14000 @@ -42,7 +42,8 @@ unsigned long convert_ip_to_linear(struc
14003 mutex_unlock(&child->mm->context.lock);
14005 + } else if (seg == __KERNEL_CS || seg == __KERNEXEC_KERNEL_CS)
14006 + addr = ktla_ktva(addr);
14010 @@ -53,6 +54,9 @@ static int is_setting_trap_flag(struct t
14011 unsigned char opcode[15];
14012 unsigned long addr = convert_ip_to_linear(child, regs);
14014 + if (addr == -EINVAL)
14017 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
14018 for (i = 0; i < copied; i++) {
14019 switch (opcode[i]) {
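Review bot: The guard `if (addr == -EINVAL)` at L8271 does not match the sentinel convert_ip_to_linear() assigns for a bogus selector, which is still `-1L` in the unchanged context at L8262; unless some other path in that function now returns -EINVAL, the new guard cannot fire for that case and access_process_vm() at L8272 is still called with ~0UL. Comparing against the whole error range covers both sentinels without caring which one the callee uses: `if (IS_ERR_VALUE(addr)) return 0;`. The statement following the guard (presumably `return 0;`) is not shown, and is_setting_trap_flag() continues outside the hunk.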
14020 @@ -74,7 +78,7 @@ static int is_setting_trap_flag(struct t
14022 #ifdef CONFIG_X86_64
14023 case 0x40 ... 0x4f:
14024 - if (regs->cs != __USER_CS)
14025 + if ((regs->cs & 0xffff) != __USER_CS)
14026 /* 32-bit mode: register increment */
14028 /* 64-bit mode: REX prefix */
14029 diff -urNp linux-2.6.38.1/arch/x86/kernel/syscall_table_32.S linux-2.6.38.1-new/arch/x86/kernel/syscall_table_32.S
14030 --- linux-2.6.38.1/arch/x86/kernel/syscall_table_32.S 2011-03-14 21:20:32.000000000 -0400
14031 +++ linux-2.6.38.1-new/arch/x86/kernel/syscall_table_32.S 2011-03-21 18:31:35.000000000 -0400
14033 +.section .rodata,"a",@progbits
14034 ENTRY(sys_call_table)
14035 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
14037 diff -urNp linux-2.6.38.1/arch/x86/kernel/sys_i386_32.c linux-2.6.38.1-new/arch/x86/kernel/sys_i386_32.c
14038 --- linux-2.6.38.1/arch/x86/kernel/sys_i386_32.c 2011-03-14 21:20:32.000000000 -0400
14039 +++ linux-2.6.38.1-new/arch/x86/kernel/sys_i386_32.c 2011-03-21 23:47:41.000000000 -0400
14040 @@ -24,17 +24,224 @@
14042 #include <asm/syscalls.h>
14045 - * Do a system call from kernel instead of calling sys_execve so we
14046 - * end up with proper pt_regs.
14048 -int kernel_execve(const char *filename,
14049 - const char *const argv[],
14050 - const char *const envp[])
14051 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
14054 - asm volatile ("int $0x80"
14056 - : "0" (__NR_execve), "b" (filename), "c" (argv), "d" (envp) : "memory");
14058 + unsigned long pax_task_size = TASK_SIZE;
14060 +#ifdef CONFIG_PAX_SEGMEXEC
14061 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
14062 + pax_task_size = SEGMEXEC_TASK_SIZE;
14065 + if (len > pax_task_size || addr > pax_task_size - len)
14072 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
14073 + unsigned long len, unsigned long pgoff, unsigned long flags)
14075 + struct mm_struct *mm = current->mm;
14076 + struct vm_area_struct *vma;
14077 + unsigned long start_addr, pax_task_size = TASK_SIZE;
14079 +#ifdef CONFIG_PAX_SEGMEXEC
14080 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14081 + pax_task_size = SEGMEXEC_TASK_SIZE;
14084 + pax_task_size -= PAGE_SIZE;
14086 + if (len > pax_task_size)
14089 + if (flags & MAP_FIXED)
14092 +#ifdef CONFIG_PAX_RANDMMAP
14093 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14097 + addr = PAGE_ALIGN(addr);
14098 + if (pax_task_size - len >= addr) {
14099 + vma = find_vma(mm, addr);
14100 + if (check_heap_stack_gap(vma, addr, len))
14104 + if (len > mm->cached_hole_size) {
14105 + start_addr = addr = mm->free_area_cache;
14107 + start_addr = addr = mm->mmap_base;
14108 + mm->cached_hole_size = 0;
14111 +#ifdef CONFIG_PAX_PAGEEXEC
14112 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14113 + start_addr = 0x00110000UL;
14115 +#ifdef CONFIG_PAX_RANDMMAP
14116 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14117 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14120 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14121 + start_addr = addr = mm->mmap_base;
14123 + addr = start_addr;
14128 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14129 + /* At this point: (!vma || addr < vma->vm_end). */
14130 + if (pax_task_size - len < addr) {
14132 + * Start a new search - just in case we missed
14135 + if (start_addr != mm->mmap_base) {
14136 + start_addr = addr = mm->mmap_base;
14137 + mm->cached_hole_size = 0;
14138 + goto full_search;
14142 + if (check_heap_stack_gap(vma, addr, len))
14144 + if (addr + mm->cached_hole_size < vma->vm_start)
14145 + mm->cached_hole_size = vma->vm_start - addr;
14146 + addr = vma->vm_end;
14147 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14148 + start_addr = addr = mm->mmap_base;
14149 + mm->cached_hole_size = 0;
14150 + goto full_search;
14155 + * Remember the place where we stopped the search:
14157 + mm->free_area_cache = addr + len;
14162 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14163 + const unsigned long len, const unsigned long pgoff,
14164 + const unsigned long flags)
14166 + struct vm_area_struct *vma;
14167 + struct mm_struct *mm = current->mm;
14168 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14170 +#ifdef CONFIG_PAX_SEGMEXEC
14171 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14172 + pax_task_size = SEGMEXEC_TASK_SIZE;
14175 + pax_task_size -= PAGE_SIZE;
14177 + /* requested length too big for entire address space */
14178 + if (len > pax_task_size)
14181 + if (flags & MAP_FIXED)
14184 +#ifdef CONFIG_PAX_PAGEEXEC
14185 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14189 +#ifdef CONFIG_PAX_RANDMMAP
14190 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14193 + /* requesting a specific address */
14195 + addr = PAGE_ALIGN(addr);
14196 + if (pax_task_size - len >= addr) {
14197 + vma = find_vma(mm, addr);
14198 + if (check_heap_stack_gap(vma, addr, len))
14203 + /* check if free_area_cache is useful for us */
14204 + if (len <= mm->cached_hole_size) {
14205 + mm->cached_hole_size = 0;
14206 + mm->free_area_cache = mm->mmap_base;
14209 + /* either no address requested or can't fit in requested address hole */
14210 + addr = mm->free_area_cache;
14212 + /* make sure it can fit in the remaining address space */
14213 + if (addr > len) {
14214 + vma = find_vma(mm, addr-len);
14215 + if (check_heap_stack_gap(vma, addr - len, len))
14216 + /* remember the address as a hint for next time */
14217 + return (mm->free_area_cache = addr-len);
14220 + if (mm->mmap_base < len)
14223 + addr = mm->mmap_base-len;
14227 + * Lookup failure means no vma is above this address,
14228 + * else if new region fits below vma->vm_start,
14229 + * return with success:
14231 + vma = find_vma(mm, addr);
14232 + if (check_heap_stack_gap(vma, addr, len))
14233 + /* remember the address as a hint for next time */
14234 + return (mm->free_area_cache = addr);
14236 + /* remember the largest hole we saw so far */
14237 + if (addr + mm->cached_hole_size < vma->vm_start)
14238 + mm->cached_hole_size = vma->vm_start - addr;
14240 + /* try just below the current vma->vm_start */
14241 + addr = skip_heap_stack_gap(vma, len);
14242 + } while (!IS_ERR_VALUE(addr));
14246 + * A failed mmap() very likely causes application failure,
14247 + * so fall back to the bottom-up function here. This scenario
14248 + * can happen with large stack limits and large mmap()
14252 +#ifdef CONFIG_PAX_SEGMEXEC
14253 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14254 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14258 + mm->mmap_base = TASK_UNMAPPED_BASE;
14260 +#ifdef CONFIG_PAX_RANDMMAP
14261 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14262 + mm->mmap_base += mm->delta_mmap;
14265 + mm->free_area_cache = mm->mmap_base;
14266 + mm->cached_hole_size = ~0UL;
14267 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14269 + * Restore the topdown base:
14271 + mm->mmap_base = base;
14272 + mm->free_area_cache = base;
14273 + mm->cached_hole_size = ~0UL;
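Review bot: Both search loops dereference `vma->vm_start` immediately after check_heap_stack_gap() returns false (L8345 after L8344, L8398 after L8394), so they depend on that helper, which is not in this hunk, returning true whenever find_vma() returned NULL; the original code's `!vma ||` short-circuit that made this explicit is gone. Either keep the NULL test visible at the call sites or state the contract once, e.g. `/* check_heap_stack_gap() must return true for a NULL vma: callers dereference vma on the false path */`; the same reliance appears in sys_x86_64.c at L8446-8449, L8477-8483 and L8484-8490. As a point of style, the bare literals `0x00110000UL` (L8329) and `0x03FFF000UL` (L8332) deserve named constants or a comment explaining what address and mask they represent. The topdown function's `do {` opening the loop ended at L8402 is not shown.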
14277 diff -urNp linux-2.6.38.1/arch/x86/kernel/sys_x86_64.c linux-2.6.38.1-new/arch/x86/kernel/sys_x86_64.c
14278 --- linux-2.6.38.1/arch/x86/kernel/sys_x86_64.c 2011-03-14 21:20:32.000000000 -0400
14279 +++ linux-2.6.38.1-new/arch/x86/kernel/sys_x86_64.c 2011-03-21 23:47:41.000000000 -0400
14280 @@ -32,8 +32,8 @@ out:
14284 -static void find_start_end(unsigned long flags, unsigned long *begin,
14285 - unsigned long *end)
14286 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14287 + unsigned long *begin, unsigned long *end)
14289 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14290 unsigned long new_begin;
14291 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
14292 *begin = new_begin;
14295 - *begin = TASK_UNMAPPED_BASE;
14296 + *begin = mm->mmap_base;
14300 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
14301 if (flags & MAP_FIXED)
14304 - find_start_end(flags, &begin, &end);
14305 + find_start_end(mm, flags, &begin, &end);
14310 +#ifdef CONFIG_PAX_RANDMMAP
14311 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14315 addr = PAGE_ALIGN(addr);
14316 vma = find_vma(mm, addr);
14317 - if (end - len >= addr &&
14318 - (!vma || addr + len <= vma->vm_start))
14319 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14322 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14323 @@ -106,7 +109,7 @@ full_search:
14327 - if (!vma || addr + len <= vma->vm_start) {
14328 + if (check_heap_stack_gap(vma, addr, len)) {
14330 * Remember the place where we stopped the search:
14332 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
14334 struct vm_area_struct *vma;
14335 struct mm_struct *mm = current->mm;
14336 - unsigned long addr = addr0;
14337 + unsigned long base = mm->mmap_base, addr = addr0;
14339 /* requested length too big for entire address space */
14340 if (len > TASK_SIZE)
14341 @@ -141,13 +144,18 @@ arch_get_unmapped_area_topdown(struct fi
14342 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14345 +#ifdef CONFIG_PAX_RANDMMAP
14346 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14349 /* requesting a specific address */
14351 addr = PAGE_ALIGN(addr);
14352 - vma = find_vma(mm, addr);
14353 - if (TASK_SIZE - len >= addr &&
14354 - (!vma || addr + len <= vma->vm_start))
14356 + if (TASK_SIZE - len >= addr) {
14357 + vma = find_vma(mm, addr);
14358 + if (check_heap_stack_gap(vma, addr, len))
14363 /* check if free_area_cache is useful for us */
14364 @@ -162,7 +170,7 @@ arch_get_unmapped_area_topdown(struct fi
14365 /* make sure it can fit in the remaining address space */
14367 vma = find_vma(mm, addr-len);
14368 - if (!vma || addr <= vma->vm_start)
14369 + if (check_heap_stack_gap(vma, addr - len, len))
14370 /* remember the address as a hint for next time */
14371 return mm->free_area_cache = addr-len;
14373 @@ -179,7 +187,7 @@ arch_get_unmapped_area_topdown(struct fi
14374 * return with success:
14376 vma = find_vma(mm, addr);
14377 - if (!vma || addr+len <= vma->vm_start)
14378 + if (check_heap_stack_gap(vma, addr, len))
14379 /* remember the address as a hint for next time */
14380 return mm->free_area_cache = addr;
14382 @@ -188,8 +196,8 @@ arch_get_unmapped_area_topdown(struct fi
14383 mm->cached_hole_size = vma->vm_start - addr;
14385 /* try just below the current vma->vm_start */
14386 - addr = vma->vm_start-len;
14387 - } while (len < vma->vm_start);
14388 + addr = skip_heap_stack_gap(vma, len);
14389 + } while (!IS_ERR_VALUE(addr));
14393 @@ -198,13 +206,21 @@ bottomup:
14394 * can happen with large stack limits and large mmap()
14397 + mm->mmap_base = TASK_UNMAPPED_BASE;
14399 +#ifdef CONFIG_PAX_RANDMMAP
14400 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14401 + mm->mmap_base += mm->delta_mmap;
14404 + mm->free_area_cache = mm->mmap_base;
14405 mm->cached_hole_size = ~0UL;
14406 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14407 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14409 * Restore the topdown base:
14411 - mm->free_area_cache = mm->mmap_base;
14412 + mm->mmap_base = base;
14413 + mm->free_area_cache = base;
14414 mm->cached_hole_size = ~0UL;
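Review bot: The bottom-up fallback now rewrites `mm->mmap_base` (L8493-8496) so that the recursive arch_get_unmapped_area() call at L8500 picks the new base up through find_start_end() (L8433), and only restores it from `base` at L8503; nothing says this transient override is intentional or what prevents another reader of mmap_base from seeing it in the meantime (presumably the caller holding mmap_sem for write, but that is not visible here). Suggest a comment above L8493: `/* temporarily point mmap_base at the bottom-up base for the recursive call; restored below, safe only under mmap_sem held for write */`. sys_i386_32.c has the same temporary override at L8406-8419 and would benefit from the same comment.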
14417 diff -urNp linux-2.6.38.1/arch/x86/kernel/time.c linux-2.6.38.1-new/arch/x86/kernel/time.c
14418 --- linux-2.6.38.1/arch/x86/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
14419 +++ linux-2.6.38.1-new/arch/x86/kernel/time.c 2011-03-21 18:31:35.000000000 -0400
14420 @@ -22,17 +22,13 @@
14421 #include <asm/hpet.h>
14422 #include <asm/time.h>
14424 -#ifdef CONFIG_X86_64
14425 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14428 unsigned long profile_pc(struct pt_regs *regs)
14430 unsigned long pc = instruction_pointer(regs);
14432 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14433 + if (!user_mode(regs) && in_lock_functions(pc)) {
14434 #ifdef CONFIG_FRAME_POINTER
14435 - return *(unsigned long *)(regs->bp + sizeof(long));
14436 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14438 unsigned long *sp =
14439 (unsigned long *)kernel_stack_pointer(regs);
14440 @@ -41,11 +37,17 @@ unsigned long profile_pc(struct pt_regs
14441 * or above a saved flags. Eflags has bits 22-31 zero,
14442 * kernel addresses don't.
14445 +#ifdef CONFIG_PAX_KERNEXEC
14446 + return ktla_ktva(sp[0]);
14458 diff -urNp linux-2.6.38.1/arch/x86/kernel/tls.c linux-2.6.38.1-new/arch/x86/kernel/tls.c
14459 --- linux-2.6.38.1/arch/x86/kernel/tls.c 2011-03-14 21:20:32.000000000 -0400
14460 +++ linux-2.6.38.1-new/arch/x86/kernel/tls.c 2011-03-21 18:31:35.000000000 -0400
14461 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14462 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14465 +#ifdef CONFIG_PAX_SEGMEXEC
14466 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14470 set_tls_desc(p, idx, &info, 1);
14473 diff -urNp linux-2.6.38.1/arch/x86/kernel/trampoline_32.S linux-2.6.38.1-new/arch/x86/kernel/trampoline_32.S
14474 --- linux-2.6.38.1/arch/x86/kernel/trampoline_32.S 2011-03-14 21:20:32.000000000 -0400
14475 +++ linux-2.6.38.1-new/arch/x86/kernel/trampoline_32.S 2011-03-21 18:31:35.000000000 -0400
14477 #include <asm/segment.h>
14478 #include <asm/page_types.h>
14480 +#ifdef CONFIG_PAX_KERNEXEC
14483 +#define ta(X) ((X) - __PAGE_OFFSET)
14486 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14489 @@ -60,7 +66,7 @@ r_base = .
14490 inc %ax # protected mode (PE) bit
14491 lmsw %ax # into protected mode
14492 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14493 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14494 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14496 # These need to be in the same 64K segment as the above;
14497 # hence we don't use the boot_gdt_descr defined in head.S
14498 diff -urNp linux-2.6.38.1/arch/x86/kernel/trampoline_64.S linux-2.6.38.1-new/arch/x86/kernel/trampoline_64.S
14499 --- linux-2.6.38.1/arch/x86/kernel/trampoline_64.S 2011-03-14 21:20:32.000000000 -0400
14500 +++ linux-2.6.38.1-new/arch/x86/kernel/trampoline_64.S 2011-03-21 18:31:35.000000000 -0400
14501 @@ -91,7 +91,7 @@ startup_32:
14502 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
14505 - movl $X86_CR4_PAE, %eax
14506 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14507 movl %eax, %cr4 # Enable PAE mode
14509 # Setup trampoline 4 level pagetables
14510 @@ -138,7 +138,7 @@ tidt:
14511 # so the kernel can live anywhere
14514 - .short tgdt_end - tgdt # gdt limit
14515 + .short tgdt_end - tgdt - 1 # gdt limit
14516 .long tgdt - r_base
14518 .quad 0x00cf9b000000ffff # __KERNEL32_CS
14519 diff -urNp linux-2.6.38.1/arch/x86/kernel/traps.c linux-2.6.38.1-new/arch/x86/kernel/traps.c
14520 --- linux-2.6.38.1/arch/x86/kernel/traps.c 2011-03-14 21:20:32.000000000 -0400
14521 +++ linux-2.6.38.1-new/arch/x86/kernel/traps.c 2011-03-21 18:31:35.000000000 -0400
14522 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14524 /* Do we ignore FPU interrupts ? */
14525 char ignore_fpu_irq;
14528 - * The IDT has to be page-aligned to simplify the Pentium
14529 - * F0 0F bug workaround.
14531 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14534 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14535 @@ -117,13 +111,13 @@ static inline void preempt_conditional_c
14538 static void __kprobes
14539 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14540 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14541 long error_code, siginfo_t *info)
14543 struct task_struct *tsk = current;
14545 #ifdef CONFIG_X86_32
14546 - if (regs->flags & X86_VM_MASK) {
14547 + if (v8086_mode(regs)) {
14549 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14550 * On nmi (interrupt 2), do_trap should not be called.
14551 @@ -134,7 +128,7 @@ do_trap(int trapnr, int signr, char *str
14555 - if (!user_mode(regs))
14556 + if (!user_mode_novm(regs))
14559 #ifdef CONFIG_X86_32
14560 @@ -157,7 +151,7 @@ trap_signal:
14561 printk_ratelimit()) {
14563 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14564 - tsk->comm, tsk->pid, str,
14565 + tsk->comm, task_pid_nr(tsk), str,
14566 regs->ip, regs->sp, error_code);
14567 print_vma_addr(" in ", regs->ip);
14569 @@ -174,8 +168,20 @@ kernel_trap:
14570 if (!fixup_exception(regs)) {
14571 tsk->thread.error_code = error_code;
14572 tsk->thread.trap_no = trapnr;
14574 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14575 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14576 + str = "PAX: suspicious stack segment fault";
14579 die(str, regs, error_code);
14582 +#ifdef CONFIG_PAX_REFCOUNT
14584 + pax_report_refcount_overflow(regs);
14589 #ifdef CONFIG_X86_32
14590 @@ -264,14 +270,30 @@ do_general_protection(struct pt_regs *re
14591 conditional_sti(regs);
14593 #ifdef CONFIG_X86_32
14594 - if (regs->flags & X86_VM_MASK)
14595 + if (v8086_mode(regs))
14600 - if (!user_mode(regs))
14601 + if (!user_mode_novm(regs))
14604 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14605 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14606 + struct mm_struct *mm = tsk->mm;
14607 + unsigned long limit;
14609 + down_write(&mm->mmap_sem);
14610 + limit = mm->context.user_cs_limit;
14611 + if (limit < TASK_SIZE) {
14612 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14613 + up_write(&mm->mmap_sem);
14616 + up_write(&mm->mmap_sem);
14620 tsk->thread.error_code = error_code;
14621 tsk->thread.trap_no = 13;
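Review bot: The CONFIG_PAX_PAGEEXEC block at L8617-8626 takes `mm->mmap_sem` for write from a #GP handler and widens `user_cs_limit` via track_exec_limit() without a comment explaining why a general protection fault from user mode is treated as recoverable here; if, as the field name and the `!(__supported_pte_mask & _PAGE_NX)` test suggest, the code segment limit is being used to emulate non-executable pages on CPUs without NX, that rationale belongs next to the code. The statement after track_exec_limit() and the closing of the block (lines between L8625 and L8627) are not shown, so whether the faulting instruction is retried cannot be confirmed from this hunk. Proposed comment above L8617: `/* no NX: PAGEEXEC tracks executability with the CS limit; a #GP below TASK_SIZE may just mean the limit must grow */`, marked as to-be-confirmed.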
14623 @@ -304,6 +326,13 @@ gp_in_kernel:
14624 if (notify_die(DIE_GPF, "general protection fault", regs,
14625 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14628 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14629 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14630 + die("PAX: suspicious general protection fault", regs, error_code);
14634 die("general protection fault", regs, error_code);
14637 @@ -569,7 +598,7 @@ dotraplinkage void __kprobes do_debug(st
14638 /* It's safe to allow irq's after DR6 has been saved */
14639 preempt_conditional_sti(regs);
14641 - if (regs->flags & X86_VM_MASK) {
14642 + if (v8086_mode(regs)) {
14643 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14645 preempt_conditional_cli(regs);
14646 @@ -583,7 +612,7 @@ dotraplinkage void __kprobes do_debug(st
14647 * We already checked v86 mode above, so we can check for kernel mode
14648 * by just checking the CPL of CS.
14650 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14651 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14652 tsk->thread.debugreg6 &= ~DR_STEP;
14653 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14654 regs->flags &= ~X86_EFLAGS_TF;
14655 @@ -612,7 +641,7 @@ void math_error(struct pt_regs *regs, in
14657 conditional_sti(regs);
14659 - if (!user_mode_vm(regs))
14660 + if (!user_mode(regs))
14662 if (!fixup_exception(regs)) {
14663 task->thread.error_code = error_code;
14664 diff -urNp linux-2.6.38.1/arch/x86/kernel/tsc.c linux-2.6.38.1-new/arch/x86/kernel/tsc.c
14665 --- linux-2.6.38.1/arch/x86/kernel/tsc.c 2011-03-14 21:20:32.000000000 -0400
14666 +++ linux-2.6.38.1-new/arch/x86/kernel/tsc.c 2011-03-21 18:31:35.000000000 -0400
14667 @@ -837,7 +837,7 @@ static struct dmi_system_id __initdata b
14668 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14672 + { NULL, NULL, {{0, {0}}}, NULL}
14675 static void __init check_system_tsc_reliable(void)
14676 diff -urNp linux-2.6.38.1/arch/x86/kernel/vm86_32.c linux-2.6.38.1-new/arch/x86/kernel/vm86_32.c
14677 --- linux-2.6.38.1/arch/x86/kernel/vm86_32.c 2011-03-14 21:20:32.000000000 -0400
14678 +++ linux-2.6.38.1-new/arch/x86/kernel/vm86_32.c 2011-03-21 18:31:35.000000000 -0400
14680 #include <linux/ptrace.h>
14681 #include <linux/audit.h>
14682 #include <linux/stddef.h>
14683 +#include <linux/grsecurity.h>
14685 #include <asm/uaccess.h>
14686 #include <asm/io.h>
14687 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14691 - tss = &per_cpu(init_tss, get_cpu());
14692 + tss = init_tss + get_cpu();
14693 current->thread.sp0 = current->thread.saved_sp0;
14694 current->thread.sysenter_cs = __KERNEL_CS;
14695 load_sp0(tss, ¤t->thread);
14696 @@ -208,6 +209,13 @@ int sys_vm86old(struct vm86_struct __use
14697 struct task_struct *tsk;
14698 int tmp, ret = -EPERM;
14700 +#ifdef CONFIG_GRKERNSEC_VM86
14701 + if (!capable(CAP_SYS_RAWIO)) {
14702 + gr_handle_vm86();
14708 if (tsk->thread.saved_sp0)
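Review bot: The CAP_SYS_RAWIO gate at L8682-8684 is repeated verbatim in sys_vm86() at L8688-8690; a single `static inline` helper returning whether vm86 is permitted, called from both entry points, would keep the two paths from diverging. What happens after gr_handle_vm86() (the lines between L8684 and L8685, presumably a `return` using the `-EPERM` initialised at L8681) is not shown, so the helper's return convention would need to match that. sys_vm86old() continues outside the hunk.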
14710 @@ -238,6 +246,14 @@ int sys_vm86(unsigned long cmd, unsigned
14712 struct vm86plus_struct __user *v86;
14714 +#ifdef CONFIG_GRKERNSEC_VM86
14715 + if (!capable(CAP_SYS_RAWIO)) {
14716 + gr_handle_vm86();
14724 case VM86_REQUEST_IRQ:
14725 @@ -324,7 +340,7 @@ static void do_sys_vm86(struct kernel_vm
14726 tsk->thread.saved_fs = info->regs32->fs;
14727 tsk->thread.saved_gs = get_user_gs(info->regs32);
14729 - tss = &per_cpu(init_tss, get_cpu());
14730 + tss = init_tss + get_cpu();
14731 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14733 tsk->thread.sysenter_cs = 0;
14734 @@ -529,7 +545,7 @@ static void do_int(struct kernel_vm86_re
14735 goto cannot_handle;
14736 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14737 goto cannot_handle;
14738 - intr_ptr = (unsigned long __user *) (i << 2);
14739 + intr_ptr = (__force unsigned long __user *) (i << 2);
14740 if (get_user(segoffs, intr_ptr))
14741 goto cannot_handle;
14742 if ((segoffs >> 16) == BIOSSEG)
14743 diff -urNp linux-2.6.38.1/arch/x86/kernel/vmlinux.lds.S linux-2.6.38.1-new/arch/x86/kernel/vmlinux.lds.S
14744 --- linux-2.6.38.1/arch/x86/kernel/vmlinux.lds.S 2011-03-14 21:20:32.000000000 -0400
14745 +++ linux-2.6.38.1-new/arch/x86/kernel/vmlinux.lds.S 2011-03-21 18:31:35.000000000 -0400
14747 #include <asm/page_types.h>
14748 #include <asm/cache.h>
14749 #include <asm/boot.h>
14750 +#include <asm/segment.h>
14752 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14753 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14755 +#define __KERNEL_TEXT_OFFSET 0
14758 #undef i386 /* in case the preprocessor is a 32bit one */
14760 @@ -34,11 +41,9 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14761 #ifdef CONFIG_X86_32
14763 ENTRY(phys_startup_32)
14764 -jiffies = jiffies_64;
14766 OUTPUT_ARCH(i386:x86-64)
14767 ENTRY(phys_startup_64)
14768 -jiffies_64 = jiffies;
14771 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14772 @@ -69,31 +74,46 @@ jiffies_64 = jiffies;
14775 text PT_LOAD FLAGS(5); /* R_E */
14776 +#ifdef CONFIG_X86_32
14777 + module PT_LOAD FLAGS(5); /* R_E */
14780 + rodata PT_LOAD FLAGS(5); /* R_E */
14782 + rodata PT_LOAD FLAGS(4); /* R__ */
14784 data PT_LOAD FLAGS(6); /* RW_ */
14785 #ifdef CONFIG_X86_64
14786 user PT_LOAD FLAGS(5); /* R_E */
14788 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14790 percpu PT_LOAD FLAGS(6); /* RW_ */
14792 + text.init PT_LOAD FLAGS(5); /* R_E */
14793 + text.exit PT_LOAD FLAGS(5); /* R_E */
14794 init PT_LOAD FLAGS(7); /* RWE */
14796 note PT_NOTE FLAGS(0); /* ___ */
14801 #ifdef CONFIG_X86_32
14802 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14803 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14804 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14806 - . = __START_KERNEL;
14807 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14808 + . = __START_KERNEL;
14811 /* Text and read-only data */
14812 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14814 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14815 /* bootstrapping code */
14816 +#ifdef CONFIG_X86_32
14817 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14819 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14821 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14824 #ifdef CONFIG_X86_32
14825 . = ALIGN(PAGE_SIZE);
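Review bot: The PHDRS block now declares an executable `rodata` segment on one branch (L8731, `FLAGS(5); /* R_E */`) and a read-only one on the other (L8732), but the `#if` selecting between them sits between L8730 and L8731 and is not shown, and nothing says why read-only data would ever need execute permission. Since an R_E rodata segment enlarges the executable footprint that the rest of this patch works to shrink, the branch deserves a comment naming the configuration that requires it and why, e.g. `/* <config>: rodata must live in an executable segment because ... */`. The SECTIONS body continues outside the hunk.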
14826 @@ -108,13 +128,47 @@ SECTIONS
14830 - /* End of text section */
14834 - NOTES :text :note
14835 + . += __KERNEL_TEXT_OFFSET;
14837 +#ifdef CONFIG_X86_32
14838 + . = ALIGN(PAGE_SIZE);
14839 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14841 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14842 + MODULES_EXEC_VADDR = .;
14844 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14845 + . = ALIGN(HPAGE_SIZE);
14846 + MODULES_EXEC_END = . - 1;
14852 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14853 + /* End of text section */
14854 + _etext = . - __KERNEL_TEXT_OFFSET;
14857 - EXCEPTION_TABLE(16) :text = 0x9090
14858 +#ifdef CONFIG_X86_32
14859 + . = ALIGN(PAGE_SIZE);
14860 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14862 + . = ALIGN(PAGE_SIZE);
14863 + *(.empty_zero_page)
14864 + *(.initial_pg_fixmap)
14865 + *(.initial_pg_pmd)
14866 + *(.initial_page_table)
14867 + *(.swapper_pg_dir)
14871 + . = ALIGN(PAGE_SIZE);
14872 + NOTES :rodata :note
14874 + EXCEPTION_TABLE(16) :rodata
14876 #if defined(CONFIG_DEBUG_RODATA)
14877 /* .text should occupy whole number of pages */
14878 @@ -126,16 +180,20 @@ SECTIONS
14881 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14883 +#ifdef CONFIG_PAX_KERNEXEC
14884 + . = ALIGN(HPAGE_SIZE);
14886 + . = ALIGN(PAGE_SIZE);
14889 /* Start of data section */
14893 INIT_TASK_DATA(THREAD_SIZE)
14895 -#ifdef CONFIG_X86_32
14896 - /* 32 bit has nosave before _edata */
14900 PAGE_ALIGNED_DATA(PAGE_SIZE)
14902 @@ -144,6 +202,8 @@ SECTIONS
14906 + jiffies = jiffies_64;
14908 /* rarely changed data like cpu maps */
14909 READ_MOSTLY_DATA(INTERNODE_CACHE_BYTES)
14911 @@ -198,12 +258,6 @@ SECTIONS
14913 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14915 - . = ALIGN(L1_CACHE_BYTES);
14916 - .jiffies : AT(VLOAD(.jiffies)) {
14919 - jiffies = VVIRT(.jiffies);
14921 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14924 @@ -219,12 +273,19 @@ SECTIONS
14925 #endif /* CONFIG_X86_64 */
14927 /* Init code and data - will be freed after init */
14928 - . = ALIGN(PAGE_SIZE);
14929 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14932 +#ifdef CONFIG_PAX_KERNEXEC
14933 + . = ALIGN(HPAGE_SIZE);
14935 + . = ALIGN(PAGE_SIZE);
14938 __init_begin = .; /* paired with __init_end */
14942 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
14945 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
14946 * output PHDR, so the next output section - .init.text - should
14947 @@ -233,12 +294,27 @@ SECTIONS
14948 PERCPU_VADDR(0, :percpu)
14951 - INIT_TEXT_SECTION(PAGE_SIZE)
14952 -#ifdef CONFIG_X86_64
14955 + . = ALIGN(PAGE_SIZE);
14957 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
14958 + VMLINUX_SYMBOL(_sinittext) = .;
14960 + VMLINUX_SYMBOL(_einittext) = .;
14961 + . = ALIGN(PAGE_SIZE);
14964 - INIT_DATA_SECTION(16)
14966 + * .exit.text is discard at runtime, not link time, to deal with
14967 + * references from .altinstructions and .eh_frame
14969 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14973 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
14975 + . = ALIGN(PAGE_SIZE);
14976 + INIT_DATA_SECTION(16) :init
14978 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
14979 __x86_cpu_dev_start = .;
14980 @@ -292,19 +368,12 @@ SECTIONS
14981 __iommu_table_end = .;
14985 - * .exit.text is discard at runtime, not link time, to deal with
14986 - * references from .altinstructions and .eh_frame
14988 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
14992 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
14996 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
14997 +#ifndef CONFIG_SMP
14998 PERCPU(THREAD_SIZE)
15001 @@ -323,16 +392,10 @@ SECTIONS
15002 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
15005 - . = ALIGN(PAGE_SIZE);
15006 __smp_locks_end = .;
15007 + . = ALIGN(PAGE_SIZE);
15010 -#ifdef CONFIG_X86_64
15011 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
15017 . = ALIGN(PAGE_SIZE);
15018 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15019 @@ -348,6 +411,7 @@ SECTIONS
15021 . += 64 * 1024; /* 64k alignment slop space */
15022 *(.brk_reservation) /* areas brk users have reserved */
15023 + . = ALIGN(HPAGE_SIZE);
15027 @@ -374,13 +438,12 @@ SECTIONS
15028 * for the boot processor.
15030 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15031 -INIT_PER_CPU(gdt_page);
15032 INIT_PER_CPU(irq_stack_union);
15035 * Build-time check on the image size:
15037 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15038 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15039 "kernel image bigger than KERNEL_IMAGE_SIZE");
15042 diff -urNp linux-2.6.38.1/arch/x86/kernel/vsyscall_64.c linux-2.6.38.1-new/arch/x86/kernel/vsyscall_64.c
15043 --- linux-2.6.38.1/arch/x86/kernel/vsyscall_64.c 2011-03-14 21:20:32.000000000 -0400
15044 +++ linux-2.6.38.1-new/arch/x86/kernel/vsyscall_64.c 2011-03-21 18:31:35.000000000 -0400
15045 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15047 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15048 /* copy vsyscall data */
15049 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15050 vsyscall_gtod_data.clock.vread = clock->vread;
15051 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15052 vsyscall_gtod_data.clock.mask = clock->mask;
15053 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15054 We do this here because otherwise user space would do it on
15055 its own in a likely inferior way (no access to jiffies).
15056 If you don't like it pass NULL. */
15057 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15058 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15059 p = tcache->blob[1];
15060 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15061 /* Load per CPU data from RDTSCP */
15062 diff -urNp linux-2.6.38.1/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.38.1-new/arch/x86/kernel/x8664_ksyms_64.c
15063 --- linux-2.6.38.1/arch/x86/kernel/x8664_ksyms_64.c 2011-03-14 21:20:32.000000000 -0400
15064 +++ linux-2.6.38.1-new/arch/x86/kernel/x8664_ksyms_64.c 2011-03-21 18:31:35.000000000 -0400
15065 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15066 EXPORT_SYMBOL(copy_user_generic_string);
15067 EXPORT_SYMBOL(copy_user_generic_unrolled);
15068 EXPORT_SYMBOL(__copy_user_nocache);
15069 -EXPORT_SYMBOL(_copy_from_user);
15070 -EXPORT_SYMBOL(_copy_to_user);
15072 EXPORT_SYMBOL(copy_page);
15073 EXPORT_SYMBOL(clear_page);
15074 diff -urNp linux-2.6.38.1/arch/x86/kernel/xsave.c linux-2.6.38.1-new/arch/x86/kernel/xsave.c
15075 --- linux-2.6.38.1/arch/x86/kernel/xsave.c 2011-03-14 21:20:32.000000000 -0400
15076 +++ linux-2.6.38.1-new/arch/x86/kernel/xsave.c 2011-03-21 18:31:35.000000000 -0400
15077 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15078 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15081 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15082 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15083 fx_sw_user->extended_size -
15084 FP_XSTATE_MAGIC2_SIZE));
15086 @@ -267,7 +267,7 @@ fx_only:
15087 * the other extended state.
15089 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15090 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15091 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15095 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15097 err = restore_user_xstate(buf);
15099 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15100 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15102 if (unlikely(err)) {
15104 diff -urNp linux-2.6.38.1/arch/x86/kvm/emulate.c linux-2.6.38.1-new/arch/x86/kvm/emulate.c
15105 --- linux-2.6.38.1/arch/x86/kvm/emulate.c 2011-03-14 21:20:32.000000000 -0400
15106 +++ linux-2.6.38.1-new/arch/x86/kvm/emulate.c 2011-03-21 18:31:35.000000000 -0400
15108 #define Src2ImmByte (2<<29)
15109 #define Src2One (3<<29)
15110 #define Src2Imm (4<<29)
15111 -#define Src2Mask (7<<29)
15112 +#define Src2Mask (7U<<29)
15114 #define X2(x...) x, x
15115 #define X3(x...) X2(x), x
15116 @@ -189,6 +189,7 @@ struct group_dual {
15118 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix, _dsttype) \
15120 + unsigned long _tmp; \
15121 __asm__ __volatile__ ( \
15122 _PRE_EFLAGS("0", "4", "2") \
15123 _op _suffix " %"_x"3,%1; " \
15124 @@ -202,8 +203,6 @@ struct group_dual {
15125 /* Raw emulation: instruction has two explicit operands. */
15126 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15128 - unsigned long _tmp; \
15130 switch ((_dst).bytes) { \
15132 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w",u16);\
15133 @@ -219,7 +218,6 @@ struct group_dual {
15135 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15137 - unsigned long _tmp; \
15138 switch ((_dst).bytes) { \
15140 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b",u8); \
15141 diff -urNp linux-2.6.38.1/arch/x86/kvm/lapic.c linux-2.6.38.1-new/arch/x86/kvm/lapic.c
15142 --- linux-2.6.38.1/arch/x86/kvm/lapic.c 2011-03-14 21:20:32.000000000 -0400
15143 +++ linux-2.6.38.1-new/arch/x86/kvm/lapic.c 2011-03-21 18:31:35.000000000 -0400
15145 #define APIC_BUS_CYCLE_NS 1
15147 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15148 -#define apic_debug(fmt, arg...)
15149 +#define apic_debug(fmt, arg...) do {} while (0)
15151 #define APIC_LVT_NUM 6
15152 /* 14 is the version for Xeon and Pentium 8.4.8*/
15153 diff -urNp linux-2.6.38.1/arch/x86/kvm/svm.c linux-2.6.38.1-new/arch/x86/kvm/svm.c
15154 --- linux-2.6.38.1/arch/x86/kvm/svm.c 2011-03-14 21:20:32.000000000 -0400
15155 +++ linux-2.6.38.1-new/arch/x86/kvm/svm.c 2011-03-21 18:31:35.000000000 -0400
15156 @@ -3273,7 +3273,11 @@ static void reload_tss(struct kvm_vcpu *
15157 int cpu = raw_smp_processor_id();
15159 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15161 + pax_open_kernel();
15162 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15163 + pax_close_kernel();
15168 @@ -3850,7 +3854,7 @@ static void svm_fpu_deactivate(struct kv
15169 update_cr0_intercept(svm);
15172 -static struct kvm_x86_ops svm_x86_ops = {
15173 +static const struct kvm_x86_ops svm_x86_ops = {
15174 .cpu_has_kvm_support = has_svm,
15175 .disabled_by_bios = is_disabled,
15176 .hardware_setup = svm_hardware_setup,
15177 diff -urNp linux-2.6.38.1/arch/x86/kvm/vmx.c linux-2.6.38.1-new/arch/x86/kvm/vmx.c
15178 --- linux-2.6.38.1/arch/x86/kvm/vmx.c 2011-03-14 21:20:32.000000000 -0400
15179 +++ linux-2.6.38.1-new/arch/x86/kvm/vmx.c 2011-03-21 18:31:35.000000000 -0400
15180 @@ -725,7 +725,11 @@ static void reload_tss(void)
15181 struct desc_struct *descs;
15183 descs = (void *)gdt->address;
15185 + pax_open_kernel();
15186 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15187 + pax_close_kernel();
15192 @@ -1642,8 +1646,11 @@ static __init int hardware_setup(void)
15193 if (!cpu_has_vmx_flexpriority())
15194 flexpriority_enabled = 0;
15196 - if (!cpu_has_vmx_tpr_shadow())
15197 - kvm_x86_ops->update_cr8_intercept = NULL;
15198 + if (!cpu_has_vmx_tpr_shadow()) {
15199 + pax_open_kernel();
15200 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15201 + pax_close_kernel();
15204 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15205 kvm_disable_largepages();
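Review bot: `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;` writes through a cast that discards `const` into an object whose definition this patch makes `static const struct kvm_x86_ops vmx_x86_ops` (and likewise `svm_x86_ops` in the svm.c hunk), which is undefined behaviour in C regardless of the pax_open_kernel()/pax_close_kernel() pair making the page writable; the compiler is entitled to assume the field never changes and could in principle fold a later NULL check on it. If runtime patching of this one field is intended, the store should go through something the compiler cannot treat as const (a non-const shadow pointer, or a `volatile`-qualified access), and the line deserves a comment such as `/* vmx_x86_ops lives in read-only data: pax_open_kernel() lifts write protection for this single store */`. The closing brace of the new `if` block is outside the visible lines.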
15206 @@ -2640,7 +2647,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15207 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15209 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15210 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15211 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15212 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15213 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15214 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15215 @@ -4031,6 +4038,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15216 "jmp .Lkvm_vmx_return \n\t"
15217 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15218 ".Lkvm_vmx_return: "
15220 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15221 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15222 + ".Lkvm_vmx_return2: "
15225 /* Save guest registers, load host registers, keep flags */
15226 "xchg %0, (%%"R"sp) \n\t"
15227 "mov %%"R"ax, %c[rax](%0) \n\t"
15228 @@ -4077,6 +4090,11 @@ static void vmx_vcpu_run(struct kvm_vcpu
15229 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15231 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15233 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15234 + ,[cs]"i"(__KERNEL_CS)
15238 , R"ax", R"bx", R"di", R"si"
15239 #ifdef CONFIG_X86_64
15240 @@ -4091,7 +4109,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15242 vmx->idt_vectoring_info = vmcs_read32(IDT_VECTORING_INFO_FIELD);
15244 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15245 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15248 vmx->exit_reason = vmcs_read32(VM_EXIT_REASON);
15249 @@ -4326,7 +4344,7 @@ static void vmx_set_supported_cpuid(u32
15253 -static struct kvm_x86_ops vmx_x86_ops = {
15254 +static const struct kvm_x86_ops vmx_x86_ops = {
15255 .cpu_has_kvm_support = cpu_has_kvm_support,
15256 .disabled_by_bios = vmx_disabled_by_bios,
15257 .hardware_setup = hardware_setup,
15258 diff -urNp linux-2.6.38.1/arch/x86/kvm/x86.c linux-2.6.38.1-new/arch/x86/kvm/x86.c
15259 --- linux-2.6.38.1/arch/x86/kvm/x86.c 2011-03-14 21:20:32.000000000 -0400
15260 +++ linux-2.6.38.1-new/arch/x86/kvm/x86.c 2011-03-21 18:31:35.000000000 -0400
15261 @@ -93,7 +93,7 @@ static void update_cr8_intercept(struct
15262 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15263 struct kvm_cpuid_entry2 __user *entries);
15265 -struct kvm_x86_ops *kvm_x86_ops;
15266 +const struct kvm_x86_ops *kvm_x86_ops;
15267 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15269 int ignore_msrs = 0;
15270 @@ -119,38 +119,38 @@ static struct kvm_shared_msrs_global __r
15271 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15273 struct kvm_stats_debugfs_item debugfs_entries[] = {
15274 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15275 - { "pf_guest", VCPU_STAT(pf_guest) },
15276 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15277 - { "invlpg", VCPU_STAT(invlpg) },
15278 - { "exits", VCPU_STAT(exits) },
15279 - { "io_exits", VCPU_STAT(io_exits) },
15280 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15281 - { "signal_exits", VCPU_STAT(signal_exits) },
15282 - { "irq_window", VCPU_STAT(irq_window_exits) },
15283 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15284 - { "halt_exits", VCPU_STAT(halt_exits) },
15285 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15286 - { "hypercalls", VCPU_STAT(hypercalls) },
15287 - { "request_irq", VCPU_STAT(request_irq_exits) },
15288 - { "irq_exits", VCPU_STAT(irq_exits) },
15289 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15290 - { "efer_reload", VCPU_STAT(efer_reload) },
15291 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15292 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15293 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15294 - { "irq_injections", VCPU_STAT(irq_injections) },
15295 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15296 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15297 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15298 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15299 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15300 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15301 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15302 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15303 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15304 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15305 - { "largepages", VM_STAT(lpages) },
15306 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15307 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15308 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15309 + { "invlpg", VCPU_STAT(invlpg), NULL },
15310 + { "exits", VCPU_STAT(exits), NULL },
15311 + { "io_exits", VCPU_STAT(io_exits), NULL },
15312 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15313 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15314 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15315 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15316 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15317 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15318 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15319 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15320 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15321 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15322 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15323 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15324 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15325 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15326 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15327 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15328 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15329 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15330 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15331 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15332 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15333 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15334 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15335 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15336 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15337 + { "largepages", VM_STAT(lpages), NULL },
15341 @@ -2023,6 +2023,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15342 if (n < msr_list.nmsrs)
15345 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15347 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15348 num_msrs_to_save * sizeof(u32)))
15350 @@ -2499,7 +2501,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15351 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15352 struct kvm_interrupt *irq)
15354 - if (irq->irq < 0 || irq->irq >= 256)
15355 + if (irq->irq >= 256)
15357 if (irqchip_in_kernel(vcpu->kvm))
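Review bot: Dropping the `irq->irq < 0` half of the range check at `if (irq->irq >= 256)` is only equivalent if `irq->irq` is an unsigned type; `struct kvm_interrupt` is not visible in the hunk, so this should be confirmed against the UAPI header and recorded in place, e.g. `/* irq->irq is unsigned: only the upper bound can fail */`. The value comes straight from the ioctl caller, so keeping the bound check obviously complete matters more than silencing a tautological-comparison warning. The function body continues outside the hunk.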
15359 @@ -4687,10 +4689,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15361 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15363 -int kvm_arch_init(void *opaque)
15364 +int kvm_arch_init(const void *opaque)
15367 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15368 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15371 printk(KERN_ERR "kvm: already loaded the other module\n");
15372 diff -urNp linux-2.6.38.1/arch/x86/lib/atomic64_cx8_32.S linux-2.6.38.1-new/arch/x86/lib/atomic64_cx8_32.S
15373 --- linux-2.6.38.1/arch/x86/lib/atomic64_cx8_32.S 2011-03-14 21:20:32.000000000 -0400
15374 +++ linux-2.6.38.1-new/arch/x86/lib/atomic64_cx8_32.S 2011-03-21 18:31:35.000000000 -0400
15375 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
15377 \ins\()l %esi, %ebx
15378 \insc\()l %edi, %ecx
15380 +#ifdef CONFIG_PAX_REFCOUNT
15383 + _ASM_EXTABLE(2b, 3f)
15394 +#ifdef CONFIG_PAX_REFCOUNT
15401 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
15406 +#ifdef CONFIG_PAX_REFCOUNT
15409 + _ASM_EXTABLE(2b, 3f)
15420 +#ifdef CONFIG_PAX_REFCOUNT
15427 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
15432 +#ifdef CONFIG_PAX_REFCOUNT
15435 + _ASM_EXTABLE(1234b, 1234b)
15441 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
15446 +#ifdef CONFIG_PAX_REFCOUNT
15449 + _ASM_EXTABLE(1234b, 1234b)
15455 diff -urNp linux-2.6.38.1/arch/x86/lib/checksum_32.S linux-2.6.38.1-new/arch/x86/lib/checksum_32.S
15456 --- linux-2.6.38.1/arch/x86/lib/checksum_32.S 2011-03-14 21:20:32.000000000 -0400
15457 +++ linux-2.6.38.1-new/arch/x86/lib/checksum_32.S 2011-03-21 18:31:35.000000000 -0400
15459 #include <linux/linkage.h>
15460 #include <asm/dwarf2.h>
15461 #include <asm/errno.h>
15463 +#include <asm/segment.h>
15466 * computes a partial checksum, e.g. for TCP/UDP fragments
15468 @@ -304,9 +305,28 @@ unsigned int csum_partial_copy_generic (
15473 -ENTRY(csum_partial_copy_generic)
15475 +ENTRY(csum_partial_copy_generic_to_user)
15478 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15480 + CFI_ADJUST_CFA_OFFSET 4
15482 + CFI_ADJUST_CFA_OFFSET -4
15483 + jmp csum_partial_copy_generic
15486 +ENTRY(csum_partial_copy_generic_from_user)
15488 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15490 + CFI_ADJUST_CFA_OFFSET 4
15492 + CFI_ADJUST_CFA_OFFSET -4
15495 +ENTRY(csum_partial_copy_generic)
15497 CFI_ADJUST_CFA_OFFSET 4
15499 @@ -331,7 +351,7 @@ ENTRY(csum_partial_copy_generic)
15501 SRC(1: movw (%esi), %bx )
15503 -DST( movw %bx, (%edi) )
15504 +DST( movw %bx, %es:(%edi) )
15508 @@ -343,30 +363,30 @@ DST( movw %bx, (%edi) )
15509 SRC(1: movl (%esi), %ebx )
15510 SRC( movl 4(%esi), %edx )
15512 -DST( movl %ebx, (%edi) )
15513 +DST( movl %ebx, %es:(%edi) )
15515 -DST( movl %edx, 4(%edi) )
15516 +DST( movl %edx, %es:4(%edi) )
15518 SRC( movl 8(%esi), %ebx )
15519 SRC( movl 12(%esi), %edx )
15521 -DST( movl %ebx, 8(%edi) )
15522 +DST( movl %ebx, %es:8(%edi) )
15524 -DST( movl %edx, 12(%edi) )
15525 +DST( movl %edx, %es:12(%edi) )
15527 SRC( movl 16(%esi), %ebx )
15528 SRC( movl 20(%esi), %edx )
15530 -DST( movl %ebx, 16(%edi) )
15531 +DST( movl %ebx, %es:16(%edi) )
15533 -DST( movl %edx, 20(%edi) )
15534 +DST( movl %edx, %es:20(%edi) )
15536 SRC( movl 24(%esi), %ebx )
15537 SRC( movl 28(%esi), %edx )
15539 -DST( movl %ebx, 24(%edi) )
15540 +DST( movl %ebx, %es:24(%edi) )
15542 -DST( movl %edx, 28(%edi) )
15543 +DST( movl %edx, %es:28(%edi) )
15547 @@ -380,7 +400,7 @@ DST( movl %edx, 28(%edi) )
15548 shrl $2, %edx # This clears CF
15549 SRC(3: movl (%esi), %ebx )
15551 -DST( movl %ebx, (%edi) )
15552 +DST( movl %ebx, %es:(%edi) )
15556 @@ -392,12 +412,12 @@ DST( movl %ebx, (%edi) )
15558 SRC( movw (%esi), %cx )
15560 -DST( movw %cx, (%edi) )
15561 +DST( movw %cx, %es:(%edi) )
15565 SRC(5: movb (%esi), %cl )
15566 -DST( movb %cl, (%edi) )
15567 +DST( movb %cl, %es:(%edi) )
15571 @@ -408,7 +428,7 @@ DST( movb %cl, (%edi) )
15574 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15575 - movl $-EFAULT, (%ebx)
15576 + movl $-EFAULT, %ss:(%ebx)
15578 # zero the complete destination - computing the rest
15580 @@ -421,11 +441,19 @@ DST( movb %cl, (%edi) )
15583 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15584 - movl $-EFAULT,(%ebx)
15585 + movl $-EFAULT,%ss:(%ebx)
15591 + CFI_ADJUST_CFA_OFFSET 4
15593 + CFI_ADJUST_CFA_OFFSET -4
15595 + CFI_ADJUST_CFA_OFFSET 4
15597 + CFI_ADJUST_CFA_OFFSET -4
15599 CFI_ADJUST_CFA_OFFSET -4
15601 @@ -439,26 +467,47 @@ DST( movb %cl, (%edi) )
15602 CFI_ADJUST_CFA_OFFSET -4
15605 -ENDPROC(csum_partial_copy_generic)
15606 +ENDPROC(csum_partial_copy_generic_to_user)
15610 /* Version for PentiumII/PPro */
15612 #define ROUND1(x) \
15614 SRC(movl x(%esi), %ebx ) ; \
15615 addl %ebx, %eax ; \
15616 - DST(movl %ebx, x(%edi) ) ;
15617 + DST(movl %ebx, %es:x(%edi)) ;
15621 SRC(movl x(%esi), %ebx ) ; \
15622 adcl %ebx, %eax ; \
15623 - DST(movl %ebx, x(%edi) ) ;
15624 + DST(movl %ebx, %es:x(%edi)) ;
15628 -ENTRY(csum_partial_copy_generic)
15630 +ENTRY(csum_partial_copy_generic_to_user)
15633 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15635 + CFI_ADJUST_CFA_OFFSET 4
15637 + CFI_ADJUST_CFA_OFFSET -4
15638 + jmp csum_partial_copy_generic
15641 +ENTRY(csum_partial_copy_generic_from_user)
15643 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15645 + CFI_ADJUST_CFA_OFFSET 4
15647 + CFI_ADJUST_CFA_OFFSET -4
15650 +ENTRY(csum_partial_copy_generic)
15652 CFI_ADJUST_CFA_OFFSET 4
15653 CFI_REL_OFFSET ebx, 0
15654 @@ -482,7 +531,7 @@ ENTRY(csum_partial_copy_generic)
15658 - lea 3f(%ebx,%ebx), %ebx
15659 + lea 3f(%ebx,%ebx,2), %ebx
15663 @@ -503,19 +552,19 @@ ENTRY(csum_partial_copy_generic)
15665 SRC( movw (%esi), %dx )
15667 -DST( movw %dx, (%edi) )
15668 +DST( movw %dx, %es:(%edi) )
15673 SRC( movb (%esi), %dl )
15674 -DST( movb %dl, (%edi) )
15675 +DST( movb %dl, %es:(%edi) )
15679 .section .fixup, "ax"
15680 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15681 - movl $-EFAULT, (%ebx)
15682 + movl $-EFAULT, %ss:(%ebx)
15683 # zero the complete destination (computing the rest is too much work)
15684 movl ARGBASE+8(%esp),%edi # dst
15685 movl ARGBASE+12(%esp),%ecx # len
15686 @@ -523,10 +572,21 @@ DST( movb %dl, (%edi) )
15689 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15690 - movl $-EFAULT, (%ebx)
15691 + movl $-EFAULT, %ss:(%ebx)
15695 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15697 + CFI_ADJUST_CFA_OFFSET 4
15699 + CFI_ADJUST_CFA_OFFSET -4
15701 + CFI_ADJUST_CFA_OFFSET 4
15703 + CFI_ADJUST_CFA_OFFSET -4
15707 CFI_ADJUST_CFA_OFFSET -4
15709 @@ -538,7 +598,7 @@ DST( movb %dl, (%edi) )
15713 -ENDPROC(csum_partial_copy_generic)
15714 +ENDPROC(csum_partial_copy_generic_to_user)
15718 diff -urNp linux-2.6.38.1/arch/x86/lib/clear_page_64.S linux-2.6.38.1-new/arch/x86/lib/clear_page_64.S
15719 --- linux-2.6.38.1/arch/x86/lib/clear_page_64.S 2011-03-14 21:20:32.000000000 -0400
15720 +++ linux-2.6.38.1-new/arch/x86/lib/clear_page_64.S 2011-03-21 18:31:35.000000000 -0400
15721 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15723 #include <asm/cpufeature.h>
15725 - .section .altinstr_replacement,"ax"
15726 + .section .altinstr_replacement,"a"
15727 1: .byte 0xeb /* jmp <disp8> */
15728 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
15730 diff -urNp linux-2.6.38.1/arch/x86/lib/copy_page_64.S linux-2.6.38.1-new/arch/x86/lib/copy_page_64.S
15731 --- linux-2.6.38.1/arch/x86/lib/copy_page_64.S 2011-03-14 21:20:32.000000000 -0400
15732 +++ linux-2.6.38.1-new/arch/x86/lib/copy_page_64.S 2011-03-21 18:31:35.000000000 -0400
15733 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15735 #include <asm/cpufeature.h>
15737 - .section .altinstr_replacement,"ax"
15738 + .section .altinstr_replacement,"a"
15739 1: .byte 0xeb /* jmp <disp8> */
15740 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15742 diff -urNp linux-2.6.38.1/arch/x86/lib/copy_user_64.S linux-2.6.38.1-new/arch/x86/lib/copy_user_64.S
15743 --- linux-2.6.38.1/arch/x86/lib/copy_user_64.S 2011-03-14 21:20:32.000000000 -0400
15744 +++ linux-2.6.38.1-new/arch/x86/lib/copy_user_64.S 2011-03-21 18:31:35.000000000 -0400
15745 @@ -15,13 +15,14 @@
15746 #include <asm/asm-offsets.h>
15747 #include <asm/thread_info.h>
15748 #include <asm/cpufeature.h>
15749 +#include <asm/pgtable.h>
15751 .macro ALTERNATIVE_JUMP feature,orig,alt
15753 .byte 0xe9 /* 32bit jump */
15754 .long \orig-1f /* by default jump to orig */
15756 - .section .altinstr_replacement,"ax"
15757 + .section .altinstr_replacement,"a"
15758 2: .byte 0xe9 /* near jump with 32bit immediate */
15759 .long \alt-1b /* offset */ /* or alternatively to alt */
15761 @@ -64,37 +65,13 @@
15765 -/* Standard copy_to_user with segment limit checking */
15766 -ENTRY(_copy_to_user)
15768 - GET_THREAD_INFO(%rax)
15772 - cmpq TI_addr_limit(%rax),%rcx
15774 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15776 -ENDPROC(_copy_to_user)
15778 -/* Standard copy_from_user with segment limit checking */
15779 -ENTRY(_copy_from_user)
15781 - GET_THREAD_INFO(%rax)
15785 - cmpq TI_addr_limit(%rax),%rcx
15786 - jae bad_from_user
15787 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15789 -ENDPROC(_copy_from_user)
15791 .section .fixup,"ax"
15792 /* must zero dest */
15793 ENTRY(bad_from_user)
15801 diff -urNp linux-2.6.38.1/arch/x86/lib/copy_user_nocache_64.S linux-2.6.38.1-new/arch/x86/lib/copy_user_nocache_64.S
15802 --- linux-2.6.38.1/arch/x86/lib/copy_user_nocache_64.S 2011-03-14 21:20:32.000000000 -0400
15803 +++ linux-2.6.38.1-new/arch/x86/lib/copy_user_nocache_64.S 2011-03-21 18:31:35.000000000 -0400
15805 #include <asm/current.h>
15806 #include <asm/asm-offsets.h>
15807 #include <asm/thread_info.h>
15808 +#include <asm/pgtable.h>
15810 .macro ALIGN_DESTINATION
15811 #ifdef FIX_ALIGNMENT
15814 ENTRY(__copy_user_nocache)
15817 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15818 + mov $PAX_USER_SHADOW_BASE,%rcx
15826 jb 20f /* less then 8 bytes, go to byte copy loop */
15828 diff -urNp linux-2.6.38.1/arch/x86/lib/csum-wrappers_64.c linux-2.6.38.1-new/arch/x86/lib/csum-wrappers_64.c
15829 --- linux-2.6.38.1/arch/x86/lib/csum-wrappers_64.c 2011-03-14 21:20:32.000000000 -0400
15830 +++ linux-2.6.38.1-new/arch/x86/lib/csum-wrappers_64.c 2011-03-21 18:31:35.000000000 -0400
15831 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15835 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15836 + src += PAX_USER_SHADOW_BASE;
15837 isum = csum_partial_copy_generic((__force const void *)src,
15838 dst, len, isum, errp, NULL);
15839 if (unlikely(*errp))
15840 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15844 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15845 + dst += PAX_USER_SHADOW_BASE;
15846 return csum_partial_copy_generic(src, (void __force *)dst,
15847 len, isum, NULL, errp);
15849 diff -urNp linux-2.6.38.1/arch/x86/lib/getuser.S linux-2.6.38.1-new/arch/x86/lib/getuser.S
15850 --- linux-2.6.38.1/arch/x86/lib/getuser.S 2011-03-14 21:20:32.000000000 -0400
15851 +++ linux-2.6.38.1-new/arch/x86/lib/getuser.S 2011-03-21 18:31:35.000000000 -0400
15852 @@ -33,14 +33,35 @@
15853 #include <asm/asm-offsets.h>
15854 #include <asm/thread_info.h>
15855 #include <asm/asm.h>
15856 +#include <asm/segment.h>
15857 +#include <asm/pgtable.h>
15859 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15860 +#define __copyuser_seg gs;
15862 +#define __copyuser_seg
15866 ENTRY(__get_user_1)
15869 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15870 GET_THREAD_INFO(%_ASM_DX)
15871 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15873 -1: movzb (%_ASM_AX),%edx
15875 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15876 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15877 + cmp %_ASM_DX,%_ASM_AX
15879 + add %_ASM_DX,%_ASM_AX
15885 +1: __copyuser_seg movzb (%_ASM_AX),%edx
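Review bot: On 32-bit with CONFIG_PAX_MEMORY_UDEREF the `GET_THREAD_INFO`/`cmp TI_addr_limit` range check is compiled out entirely and the load `1: __copyuser_seg movzb (%_ASM_AX),%edx` relies on the `%gs` override from `#define __copyuser_seg gs;` to fault on kernel addresses; that is only sound if the gs descriptor limit is guaranteed to stop at the user/kernel boundary, which this hunk cannot show. A short comment beside the `#if` would spare the next reader from re-deriving this, e.g. `/* UDEREF (32-bit): user loads go through %gs, whose limit ends at the user/kernel boundary, so no addr_limit check is needed */` — wording to be confirmed against the segment setup. The same pattern repeats in the `__get_user_2`, `__get_user_4` and `__get_user_8` hunks below and in putuser.S, so one comment at the first site with a reference from the others is enough. The conditional jump following `cmp %_ASM_DX,%_ASM_AX` in the 64-bit branch is not visible in the hunk.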
15889 @@ -49,11 +70,24 @@ ENDPROC(__get_user_1)
15890 ENTRY(__get_user_2)
15894 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15896 GET_THREAD_INFO(%_ASM_DX)
15897 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15899 -2: movzwl -1(%_ASM_AX),%edx
15901 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15902 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15903 + cmp %_ASM_DX,%_ASM_AX
15905 + add %_ASM_DX,%_ASM_AX
15911 +2: __copyuser_seg movzwl -1(%_ASM_AX),%edx
15915 @@ -62,11 +96,24 @@ ENDPROC(__get_user_2)
15916 ENTRY(__get_user_4)
15920 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
15922 GET_THREAD_INFO(%_ASM_DX)
15923 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15925 -3: mov -3(%_ASM_AX),%edx
15927 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15928 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15929 + cmp %_ASM_DX,%_ASM_AX
15931 + add %_ASM_DX,%_ASM_AX
15937 +3: __copyuser_seg mov -3(%_ASM_AX),%edx
15941 @@ -80,6 +127,15 @@ ENTRY(__get_user_8)
15942 GET_THREAD_INFO(%_ASM_DX)
15943 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15946 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15947 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15948 + cmp %_ASM_DX,%_ASM_AX
15950 + add %_ASM_DX,%_ASM_AX
15954 4: movq -7(%_ASM_AX),%_ASM_DX
15957 diff -urNp linux-2.6.38.1/arch/x86/lib/insn.c linux-2.6.38.1-new/arch/x86/lib/insn.c
15958 --- linux-2.6.38.1/arch/x86/lib/insn.c 2011-03-14 21:20:32.000000000 -0400
15959 +++ linux-2.6.38.1-new/arch/x86/lib/insn.c 2011-03-21 18:31:35.000000000 -0400
15961 #include <linux/string.h>
15962 #include <asm/inat.h>
15963 #include <asm/insn.h>
15965 +#include <asm/pgtable_types.h>
15967 +#define ktla_ktva(addr) addr
15970 #define get_next(t, insn) \
15971 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
15973 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
15975 memset(insn, 0, sizeof(*insn));
15976 - insn->kaddr = kaddr;
15977 - insn->next_byte = kaddr;
15978 + insn->kaddr = ktla_ktva(kaddr);
15979 + insn->next_byte = ktla_ktva(kaddr);
15980 insn->x86_64 = x86_64 ? 1 : 0;
15981 insn->opnd_bytes = 4;
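Review bot: The fallback `#define ktla_ktva(addr) addr` should parenthesize its expansion, `#define ktla_ktva(addr) (addr)`, now that it is applied to arbitrary expressions at `insn->kaddr = ktla_ktva(kaddr)`; the conditional around the definition is not among the visible lines, so presumably the KERNEXEC version from asm/pgtable_types.h is selected elsewhere. This file is also compiled for the userspace decoder test under arch/x86/tools, if I recall the build correctly, so the new `#include <asm/pgtable_types.h>` should be checked there — it likely needs an `#ifdef __KERNEL__` guard unless the dropped surrounding lines already provide one.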
15983 diff -urNp linux-2.6.38.1/arch/x86/lib/mmx_32.c linux-2.6.38.1-new/arch/x86/lib/mmx_32.c
15984 --- linux-2.6.38.1/arch/x86/lib/mmx_32.c 2011-03-14 21:20:32.000000000 -0400
15985 +++ linux-2.6.38.1-new/arch/x86/lib/mmx_32.c 2011-03-21 18:31:35.000000000 -0400
15986 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
15990 + unsigned long cr0;
15992 if (unlikely(in_interrupt()))
15993 return __memcpy(to, from, len);
15994 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
15995 kernel_fpu_begin();
15997 __asm__ __volatile__ (
15998 - "1: prefetch (%0)\n" /* This set is 28 bytes */
15999 - " prefetch 64(%0)\n"
16000 - " prefetch 128(%0)\n"
16001 - " prefetch 192(%0)\n"
16002 - " prefetch 256(%0)\n"
16003 + "1: prefetch (%1)\n" /* This set is 28 bytes */
16004 + " prefetch 64(%1)\n"
16005 + " prefetch 128(%1)\n"
16006 + " prefetch 192(%1)\n"
16007 + " prefetch 256(%1)\n"
16009 ".section .fixup, \"ax\"\n"
16010 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16013 +#ifdef CONFIG_PAX_KERNEXEC
16014 + " movl %%cr0, %0\n"
16015 + " movl %0, %%eax\n"
16016 + " andl $0xFFFEFFFF, %%eax\n"
16017 + " movl %%eax, %%cr0\n"
16020 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16022 +#ifdef CONFIG_PAX_KERNEXEC
16023 + " movl %0, %%cr0\n"
16028 _ASM_EXTABLE(1b, 3b)
16030 + : "=&r" (cr0) : "r" (from) : "ax");
16032 for ( ; i > 5; i--) {
16033 __asm__ __volatile__ (
16034 - "1: prefetch 320(%0)\n"
16035 - "2: movq (%0), %%mm0\n"
16036 - " movq 8(%0), %%mm1\n"
16037 - " movq 16(%0), %%mm2\n"
16038 - " movq 24(%0), %%mm3\n"
16039 - " movq %%mm0, (%1)\n"
16040 - " movq %%mm1, 8(%1)\n"
16041 - " movq %%mm2, 16(%1)\n"
16042 - " movq %%mm3, 24(%1)\n"
16043 - " movq 32(%0), %%mm0\n"
16044 - " movq 40(%0), %%mm1\n"
16045 - " movq 48(%0), %%mm2\n"
16046 - " movq 56(%0), %%mm3\n"
16047 - " movq %%mm0, 32(%1)\n"
16048 - " movq %%mm1, 40(%1)\n"
16049 - " movq %%mm2, 48(%1)\n"
16050 - " movq %%mm3, 56(%1)\n"
16051 + "1: prefetch 320(%1)\n"
16052 + "2: movq (%1), %%mm0\n"
16053 + " movq 8(%1), %%mm1\n"
16054 + " movq 16(%1), %%mm2\n"
16055 + " movq 24(%1), %%mm3\n"
16056 + " movq %%mm0, (%2)\n"
16057 + " movq %%mm1, 8(%2)\n"
16058 + " movq %%mm2, 16(%2)\n"
16059 + " movq %%mm3, 24(%2)\n"
16060 + " movq 32(%1), %%mm0\n"
16061 + " movq 40(%1), %%mm1\n"
16062 + " movq 48(%1), %%mm2\n"
16063 + " movq 56(%1), %%mm3\n"
16064 + " movq %%mm0, 32(%2)\n"
16065 + " movq %%mm1, 40(%2)\n"
16066 + " movq %%mm2, 48(%2)\n"
16067 + " movq %%mm3, 56(%2)\n"
16068 ".section .fixup, \"ax\"\n"
16069 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16072 +#ifdef CONFIG_PAX_KERNEXEC
16073 + " movl %%cr0, %0\n"
16074 + " movl %0, %%eax\n"
16075 + " andl $0xFFFEFFFF, %%eax\n"
16076 + " movl %%eax, %%cr0\n"
16079 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16081 +#ifdef CONFIG_PAX_KERNEXEC
16082 + " movl %0, %%cr0\n"
16087 _ASM_EXTABLE(1b, 3b)
16088 - : : "r" (from), "r" (to) : "memory");
16089 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
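Review bot: The fixup path now clears CR0.WP with a magic mask, `" andl $0xFFFEFFFF, %%eax\n"`, and restores the saved register with `" movl %0, %%cr0\n"`; the bit should be named (`X86_CR0_WP` from asm/processor-flags.h) or at least commented, `/* clear CR0.WP so the jmp can be patched over the prefetch in read-only .text */`, since the identical five-line sequence is repeated in the `@@ -166` and `@@ -280` hunks of this file and any later fix has to be applied six times — a small asm helper macro would remove that duplication. While WP is cleared the whole kernel text is writable from this CPU; if interrupts can be enabled when this exception fixup runs, the window extends to whatever handler preempts it, so it is worth confirming that the path executes with interrupts off or noting why that does not matter. The `"=&r" (cr0)` early-clobber output and the added `"ax"` clobber look correct for the register usage shown.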
16093 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16094 static void fast_copy_page(void *to, void *from)
16097 + unsigned long cr0;
16099 kernel_fpu_begin();
16101 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16102 * but that is for later. -AV
16104 __asm__ __volatile__(
16105 - "1: prefetch (%0)\n"
16106 - " prefetch 64(%0)\n"
16107 - " prefetch 128(%0)\n"
16108 - " prefetch 192(%0)\n"
16109 - " prefetch 256(%0)\n"
16110 + "1: prefetch (%1)\n"
16111 + " prefetch 64(%1)\n"
16112 + " prefetch 128(%1)\n"
16113 + " prefetch 192(%1)\n"
16114 + " prefetch 256(%1)\n"
16116 ".section .fixup, \"ax\"\n"
16117 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16120 +#ifdef CONFIG_PAX_KERNEXEC
16121 + " movl %%cr0, %0\n"
16122 + " movl %0, %%eax\n"
16123 + " andl $0xFFFEFFFF, %%eax\n"
16124 + " movl %%eax, %%cr0\n"
16127 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16129 +#ifdef CONFIG_PAX_KERNEXEC
16130 + " movl %0, %%cr0\n"
16135 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16136 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16138 for (i = 0; i < (4096-320)/64; i++) {
16139 __asm__ __volatile__ (
16140 - "1: prefetch 320(%0)\n"
16141 - "2: movq (%0), %%mm0\n"
16142 - " movntq %%mm0, (%1)\n"
16143 - " movq 8(%0), %%mm1\n"
16144 - " movntq %%mm1, 8(%1)\n"
16145 - " movq 16(%0), %%mm2\n"
16146 - " movntq %%mm2, 16(%1)\n"
16147 - " movq 24(%0), %%mm3\n"
16148 - " movntq %%mm3, 24(%1)\n"
16149 - " movq 32(%0), %%mm4\n"
16150 - " movntq %%mm4, 32(%1)\n"
16151 - " movq 40(%0), %%mm5\n"
16152 - " movntq %%mm5, 40(%1)\n"
16153 - " movq 48(%0), %%mm6\n"
16154 - " movntq %%mm6, 48(%1)\n"
16155 - " movq 56(%0), %%mm7\n"
16156 - " movntq %%mm7, 56(%1)\n"
16157 + "1: prefetch 320(%1)\n"
16158 + "2: movq (%1), %%mm0\n"
16159 + " movntq %%mm0, (%2)\n"
16160 + " movq 8(%1), %%mm1\n"
16161 + " movntq %%mm1, 8(%2)\n"
16162 + " movq 16(%1), %%mm2\n"
16163 + " movntq %%mm2, 16(%2)\n"
16164 + " movq 24(%1), %%mm3\n"
16165 + " movntq %%mm3, 24(%2)\n"
16166 + " movq 32(%1), %%mm4\n"
16167 + " movntq %%mm4, 32(%2)\n"
16168 + " movq 40(%1), %%mm5\n"
16169 + " movntq %%mm5, 40(%2)\n"
16170 + " movq 48(%1), %%mm6\n"
16171 + " movntq %%mm6, 48(%2)\n"
16172 + " movq 56(%1), %%mm7\n"
16173 + " movntq %%mm7, 56(%2)\n"
16174 ".section .fixup, \"ax\"\n"
16175 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16178 +#ifdef CONFIG_PAX_KERNEXEC
16179 + " movl %%cr0, %0\n"
16180 + " movl %0, %%eax\n"
16181 + " andl $0xFFFEFFFF, %%eax\n"
16182 + " movl %%eax, %%cr0\n"
16185 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16187 +#ifdef CONFIG_PAX_KERNEXEC
16188 + " movl %0, %%cr0\n"
16193 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16194 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16198 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16199 static void fast_copy_page(void *to, void *from)
16202 + unsigned long cr0;
16204 kernel_fpu_begin();
16206 __asm__ __volatile__ (
16207 - "1: prefetch (%0)\n"
16208 - " prefetch 64(%0)\n"
16209 - " prefetch 128(%0)\n"
16210 - " prefetch 192(%0)\n"
16211 - " prefetch 256(%0)\n"
16212 + "1: prefetch (%1)\n"
16213 + " prefetch 64(%1)\n"
16214 + " prefetch 128(%1)\n"
16215 + " prefetch 192(%1)\n"
16216 + " prefetch 256(%1)\n"
16218 ".section .fixup, \"ax\"\n"
16219 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16222 +#ifdef CONFIG_PAX_KERNEXEC
16223 + " movl %%cr0, %0\n"
16224 + " movl %0, %%eax\n"
16225 + " andl $0xFFFEFFFF, %%eax\n"
16226 + " movl %%eax, %%cr0\n"
16229 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16231 +#ifdef CONFIG_PAX_KERNEXEC
16232 + " movl %0, %%cr0\n"
16237 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16238 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16240 for (i = 0; i < 4096/64; i++) {
16241 __asm__ __volatile__ (
16242 - "1: prefetch 320(%0)\n"
16243 - "2: movq (%0), %%mm0\n"
16244 - " movq 8(%0), %%mm1\n"
16245 - " movq 16(%0), %%mm2\n"
16246 - " movq 24(%0), %%mm3\n"
16247 - " movq %%mm0, (%1)\n"
16248 - " movq %%mm1, 8(%1)\n"
16249 - " movq %%mm2, 16(%1)\n"
16250 - " movq %%mm3, 24(%1)\n"
16251 - " movq 32(%0), %%mm0\n"
16252 - " movq 40(%0), %%mm1\n"
16253 - " movq 48(%0), %%mm2\n"
16254 - " movq 56(%0), %%mm3\n"
16255 - " movq %%mm0, 32(%1)\n"
16256 - " movq %%mm1, 40(%1)\n"
16257 - " movq %%mm2, 48(%1)\n"
16258 - " movq %%mm3, 56(%1)\n"
16259 + "1: prefetch 320(%1)\n"
16260 + "2: movq (%1), %%mm0\n"
16261 + " movq 8(%1), %%mm1\n"
16262 + " movq 16(%1), %%mm2\n"
16263 + " movq 24(%1), %%mm3\n"
16264 + " movq %%mm0, (%2)\n"
16265 + " movq %%mm1, 8(%2)\n"
16266 + " movq %%mm2, 16(%2)\n"
16267 + " movq %%mm3, 24(%2)\n"
16268 + " movq 32(%1), %%mm0\n"
16269 + " movq 40(%1), %%mm1\n"
16270 + " movq 48(%1), %%mm2\n"
16271 + " movq 56(%1), %%mm3\n"
16272 + " movq %%mm0, 32(%2)\n"
16273 + " movq %%mm1, 40(%2)\n"
16274 + " movq %%mm2, 48(%2)\n"
16275 + " movq %%mm3, 56(%2)\n"
16276 ".section .fixup, \"ax\"\n"
16277 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16280 +#ifdef CONFIG_PAX_KERNEXEC
16281 + " movl %%cr0, %0\n"
16282 + " movl %0, %%eax\n"
16283 + " andl $0xFFFEFFFF, %%eax\n"
16284 + " movl %%eax, %%cr0\n"
16287 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16289 +#ifdef CONFIG_PAX_KERNEXEC
16290 + " movl %0, %%cr0\n"
16295 _ASM_EXTABLE(1b, 3b)
16296 - : : "r" (from), "r" (to) : "memory");
16297 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
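Review bot: The KERNEXEC fixups at `3:` clear CR0.WP, patch `1b`, and restore CR0 from `%0` without masking interrupts, so an interrupt or NMI landing between the two `movl …, %%cr0` runs with kernel text writable unless the entry path re-asserts WP (not visible in this hunk); `kernel_fpu_begin()` above disables preemption, not interrupts, as far as I recall. Bracketing the patch with `pushfl; cli` … `popfl` makes the fixup self-contained, and the same open-coded sequence appears in all three fixups of this file, so a shared macro would keep them in step. The `andl $0xFFFEFFFF` mask is CR0.WP; spelling it `$~X86_CR0_WP` via `__stringify()` or a comment `/* clear CR0.WP so the jmp can be patched into read-only text */` would document which bit is toggled. The closing lines of `fast_copy_page()` are elided after this hunk.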
16301 diff -urNp linux-2.6.38.1/arch/x86/lib/putuser.S linux-2.6.38.1-new/arch/x86/lib/putuser.S
16302 --- linux-2.6.38.1/arch/x86/lib/putuser.S 2011-03-14 21:20:32.000000000 -0400
16303 +++ linux-2.6.38.1-new/arch/x86/lib/putuser.S 2011-03-21 18:31:35.000000000 -0400
16305 #include <asm/thread_info.h>
16306 #include <asm/errno.h>
16307 #include <asm/asm.h>
16309 +#include <asm/segment.h>
16310 +#include <asm/pgtable.h>
16314 @@ -29,52 +30,119 @@
16315 * as they get called from within inline assembly.
16318 -#define ENTER CFI_STARTPROC ; \
16319 - GET_THREAD_INFO(%_ASM_BX)
16320 +#define ENTER CFI_STARTPROC
16321 #define EXIT ret ; \
16324 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16325 +#define _DEST %_ASM_CX,%_ASM_BX
16327 +#define _DEST %_ASM_CX
16330 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16331 +#define __copyuser_seg gs;
16333 +#define __copyuser_seg
16337 ENTRY(__put_user_1)
16340 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16341 + GET_THREAD_INFO(%_ASM_BX)
16342 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16344 -1: movb %al,(%_ASM_CX)
16346 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16347 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16348 + cmp %_ASM_BX,%_ASM_CX
16356 +1: __copyuser_seg movb %al,(_DEST)
16359 ENDPROC(__put_user_1)
16361 ENTRY(__put_user_2)
16364 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16365 + GET_THREAD_INFO(%_ASM_BX)
16366 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16368 cmp %_ASM_BX,%_ASM_CX
16370 -2: movw %ax,(%_ASM_CX)
16372 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16373 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16374 + cmp %_ASM_BX,%_ASM_CX
16382 +2: __copyuser_seg movw %ax,(_DEST)
16385 ENDPROC(__put_user_2)
16387 ENTRY(__put_user_4)
16390 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16391 + GET_THREAD_INFO(%_ASM_BX)
16392 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16394 cmp %_ASM_BX,%_ASM_CX
16396 -3: movl %eax,(%_ASM_CX)
16398 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16399 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16400 + cmp %_ASM_BX,%_ASM_CX
16408 +3: __copyuser_seg movl %eax,(_DEST)
16411 ENDPROC(__put_user_4)
16413 ENTRY(__put_user_8)
16416 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)
16417 + GET_THREAD_INFO(%_ASM_BX)
16418 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16420 cmp %_ASM_BX,%_ASM_CX
16422 -4: mov %_ASM_AX,(%_ASM_CX)
16424 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16425 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16426 + cmp %_ASM_BX,%_ASM_CX
16434 +4: __copyuser_seg mov %_ASM_AX,(_DEST)
16435 #ifdef CONFIG_X86_32
16436 -5: movl %edx,4(%_ASM_CX)
16437 +5: __copyuser_seg movl %edx,4(_DEST)
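Review bot: On X86_32 with UDEREF every `__put_user_N` now drops the `TI_addr_limit` compare (the `#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_MEMORY_UDEREF)` guards), so the only thing rejecting a kernel-address store is the segment selected by the `gs` prefix that `__copyuser_seg` expands to, and the file nowhere says so. A comment above the first guard would carry that contract, e.g. `/* X86_32+UDEREF: no addr_limit compare; the gs-prefixed store relies on the %gs selector that __set_fs() loads (usercopy_32.c) to fault on addresses outside the current addr_limit */`. The X86_64+UDEREF branch likewise depends on lines elided here (the branch after `cmp %_ASM_BX,%_ASM_CX` and the `_DEST` base/index form); a one-liner naming the `PAX_USER_SHADOW_BASE` remap next to `#define _DEST %_ASM_CX,%_ASM_BX` would make it readable. The tail of the hunk (ENDPROC of `__put_user_8`) is not shown.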
16441 diff -urNp linux-2.6.38.1/arch/x86/lib/usercopy_32.c linux-2.6.38.1-new/arch/x86/lib/usercopy_32.c
16442 --- linux-2.6.38.1/arch/x86/lib/usercopy_32.c 2011-03-14 21:20:32.000000000 -0400
16443 +++ linux-2.6.38.1-new/arch/x86/lib/usercopy_32.c 2011-03-21 18:31:35.000000000 -0400
16444 @@ -43,7 +43,7 @@ do { \
16445 __asm__ __volatile__( \
16449 + "0: "__copyuser_seg"lodsb\n" \
16451 " testb %%al,%%al\n" \
16453 @@ -128,10 +128,12 @@ do { \
16456 __asm__ __volatile__( \
16457 + __COPYUSER_SET_ES \
16458 "0: rep; stosl\n" \
16460 "1: rep; stosb\n" \
16462 + __COPYUSER_RESTORE_ES \
16463 ".section .fixup,\"ax\"\n" \
16464 "3: lea 0(%2,%0,4),%0\n" \
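Review bot: The `__COPYUSER_SET_ES` / `__COPYUSER_RESTORE_ES` pair around `rep; stosl` / `rep; stosb` is used here while the other hunks use the `__copyuser_seg` prefix, and the reason is not stated: string stores (`stos`, the `movs` destination, `scas`) always address `%es:(%edi)` and ignore a segment-override prefix, so the user segment has to live in %es for the duration. A comment at this first use would spare the next reader the ISA lookup, e.g. `/* rep stos writes through %es:(%edi) and cannot take a gs prefix: swap %es to the user segment around it; restored at 2: so the fixup path passes through it too */`. That last clause assumes the `2:` label precedes the restore; the line between `1: rep; stosb` and `__COPYUSER_RESTORE_ES` is elided here, so confirm the fixup at `3:` rejoins before the restore rather than after it. The enclosing `__do_clear_user` macro starts before this hunk.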
16466 @@ -200,6 +202,7 @@ long strnlen_user(const char __user *s,
16469 __asm__ __volatile__(
16470 + __COPYUSER_SET_ES
16474 @@ -208,6 +211,7 @@ long strnlen_user(const char __user *s,
16478 + __COPYUSER_RESTORE_ES
16479 ".section .fixup,\"ax\"\n"
16480 "2: xorl %%eax,%%eax\n"
16482 @@ -227,7 +231,7 @@ EXPORT_SYMBOL(strnlen_user);
16484 #ifdef CONFIG_X86_INTEL_USERCOPY
16485 static unsigned long
16486 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16487 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16490 __asm__ __volatile__(
16491 @@ -239,36 +243,36 @@ __copy_user_intel(void __user *to, const
16493 "3: movl 0(%4), %%eax\n"
16494 "4: movl 4(%4), %%edx\n"
16495 - "5: movl %%eax, 0(%3)\n"
16496 - "6: movl %%edx, 4(%3)\n"
16497 + "5: "__copyuser_seg" movl %%eax, 0(%3)\n"
16498 + "6: "__copyuser_seg" movl %%edx, 4(%3)\n"
16499 "7: movl 8(%4), %%eax\n"
16500 "8: movl 12(%4),%%edx\n"
16501 - "9: movl %%eax, 8(%3)\n"
16502 - "10: movl %%edx, 12(%3)\n"
16503 + "9: "__copyuser_seg" movl %%eax, 8(%3)\n"
16504 + "10: "__copyuser_seg" movl %%edx, 12(%3)\n"
16505 "11: movl 16(%4), %%eax\n"
16506 "12: movl 20(%4), %%edx\n"
16507 - "13: movl %%eax, 16(%3)\n"
16508 - "14: movl %%edx, 20(%3)\n"
16509 + "13: "__copyuser_seg" movl %%eax, 16(%3)\n"
16510 + "14: "__copyuser_seg" movl %%edx, 20(%3)\n"
16511 "15: movl 24(%4), %%eax\n"
16512 "16: movl 28(%4), %%edx\n"
16513 - "17: movl %%eax, 24(%3)\n"
16514 - "18: movl %%edx, 28(%3)\n"
16515 + "17: "__copyuser_seg" movl %%eax, 24(%3)\n"
16516 + "18: "__copyuser_seg" movl %%edx, 28(%3)\n"
16517 "19: movl 32(%4), %%eax\n"
16518 "20: movl 36(%4), %%edx\n"
16519 - "21: movl %%eax, 32(%3)\n"
16520 - "22: movl %%edx, 36(%3)\n"
16521 + "21: "__copyuser_seg" movl %%eax, 32(%3)\n"
16522 + "22: "__copyuser_seg" movl %%edx, 36(%3)\n"
16523 "23: movl 40(%4), %%eax\n"
16524 "24: movl 44(%4), %%edx\n"
16525 - "25: movl %%eax, 40(%3)\n"
16526 - "26: movl %%edx, 44(%3)\n"
16527 + "25: "__copyuser_seg" movl %%eax, 40(%3)\n"
16528 + "26: "__copyuser_seg" movl %%edx, 44(%3)\n"
16529 "27: movl 48(%4), %%eax\n"
16530 "28: movl 52(%4), %%edx\n"
16531 - "29: movl %%eax, 48(%3)\n"
16532 - "30: movl %%edx, 52(%3)\n"
16533 + "29: "__copyuser_seg" movl %%eax, 48(%3)\n"
16534 + "30: "__copyuser_seg" movl %%edx, 52(%3)\n"
16535 "31: movl 56(%4), %%eax\n"
16536 "32: movl 60(%4), %%edx\n"
16537 - "33: movl %%eax, 56(%3)\n"
16538 - "34: movl %%edx, 60(%3)\n"
16539 + "33: "__copyuser_seg" movl %%eax, 56(%3)\n"
16540 + "34: "__copyuser_seg" movl %%edx, 60(%3)\n"
16544 @@ -278,10 +282,119 @@ __copy_user_intel(void __user *to, const
16546 " andl $3, %%eax\n"
16548 + __COPYUSER_SET_ES
16550 "36: movl %%eax, %0\n"
16553 + __COPYUSER_RESTORE_ES
16554 + ".section .fixup,\"ax\"\n"
16555 + "101: lea 0(%%eax,%0,4),%0\n"
16558 + ".section __ex_table,\"a\"\n"
16560 + " .long 1b,100b\n"
16561 + " .long 2b,100b\n"
16562 + " .long 3b,100b\n"
16563 + " .long 4b,100b\n"
16564 + " .long 5b,100b\n"
16565 + " .long 6b,100b\n"
16566 + " .long 7b,100b\n"
16567 + " .long 8b,100b\n"
16568 + " .long 9b,100b\n"
16569 + " .long 10b,100b\n"
16570 + " .long 11b,100b\n"
16571 + " .long 12b,100b\n"
16572 + " .long 13b,100b\n"
16573 + " .long 14b,100b\n"
16574 + " .long 15b,100b\n"
16575 + " .long 16b,100b\n"
16576 + " .long 17b,100b\n"
16577 + " .long 18b,100b\n"
16578 + " .long 19b,100b\n"
16579 + " .long 20b,100b\n"
16580 + " .long 21b,100b\n"
16581 + " .long 22b,100b\n"
16582 + " .long 23b,100b\n"
16583 + " .long 24b,100b\n"
16584 + " .long 25b,100b\n"
16585 + " .long 26b,100b\n"
16586 + " .long 27b,100b\n"
16587 + " .long 28b,100b\n"
16588 + " .long 29b,100b\n"
16589 + " .long 30b,100b\n"
16590 + " .long 31b,100b\n"
16591 + " .long 32b,100b\n"
16592 + " .long 33b,100b\n"
16593 + " .long 34b,100b\n"
16594 + " .long 35b,100b\n"
16595 + " .long 36b,100b\n"
16596 + " .long 37b,100b\n"
16597 + " .long 99b,101b\n"
16599 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16600 + : "1"(to), "2"(from), "0"(size)
16601 + : "eax", "edx", "memory");
16605 +static unsigned long
16606 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16609 + __asm__ __volatile__(
16610 + " .align 2,0x90\n"
16611 + "1: "__copyuser_seg" movl 32(%4), %%eax\n"
16612 + " cmpl $67, %0\n"
16614 + "2: "__copyuser_seg" movl 64(%4), %%eax\n"
16615 + " .align 2,0x90\n"
16616 + "3: "__copyuser_seg" movl 0(%4), %%eax\n"
16617 + "4: "__copyuser_seg" movl 4(%4), %%edx\n"
16618 + "5: movl %%eax, 0(%3)\n"
16619 + "6: movl %%edx, 4(%3)\n"
16620 + "7: "__copyuser_seg" movl 8(%4), %%eax\n"
16621 + "8: "__copyuser_seg" movl 12(%4),%%edx\n"
16622 + "9: movl %%eax, 8(%3)\n"
16623 + "10: movl %%edx, 12(%3)\n"
16624 + "11: "__copyuser_seg" movl 16(%4), %%eax\n"
16625 + "12: "__copyuser_seg" movl 20(%4), %%edx\n"
16626 + "13: movl %%eax, 16(%3)\n"
16627 + "14: movl %%edx, 20(%3)\n"
16628 + "15: "__copyuser_seg" movl 24(%4), %%eax\n"
16629 + "16: "__copyuser_seg" movl 28(%4), %%edx\n"
16630 + "17: movl %%eax, 24(%3)\n"
16631 + "18: movl %%edx, 28(%3)\n"
16632 + "19: "__copyuser_seg" movl 32(%4), %%eax\n"
16633 + "20: "__copyuser_seg" movl 36(%4), %%edx\n"
16634 + "21: movl %%eax, 32(%3)\n"
16635 + "22: movl %%edx, 36(%3)\n"
16636 + "23: "__copyuser_seg" movl 40(%4), %%eax\n"
16637 + "24: "__copyuser_seg" movl 44(%4), %%edx\n"
16638 + "25: movl %%eax, 40(%3)\n"
16639 + "26: movl %%edx, 44(%3)\n"
16640 + "27: "__copyuser_seg" movl 48(%4), %%eax\n"
16641 + "28: "__copyuser_seg" movl 52(%4), %%edx\n"
16642 + "29: movl %%eax, 48(%3)\n"
16643 + "30: movl %%edx, 52(%3)\n"
16644 + "31: "__copyuser_seg" movl 56(%4), %%eax\n"
16645 + "32: "__copyuser_seg" movl 60(%4), %%edx\n"
16646 + "33: movl %%eax, 56(%3)\n"
16647 + "34: movl %%edx, 60(%3)\n"
16648 + " addl $-64, %0\n"
16649 + " addl $64, %4\n"
16650 + " addl $64, %3\n"
16651 + " cmpl $63, %0\n"
16653 + "35: movl %0, %%eax\n"
16655 + " andl $3, %%eax\n"
16657 + "99: rep; "__copyuser_seg" movsl\n"
16658 + "36: movl %%eax, %0\n"
16659 + "37: rep; "__copyuser_seg" movsb\n"
16661 ".section .fixup,\"ax\"\n"
16662 "101: lea 0(%%eax,%0,4),%0\n"
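Review bot: The exception table added for `__generic_copy_to_user_intel` (the `.long 1b,100b` … `.long 37b,100b` run) is carried over unchanged from the old bidirectional `__copy_user_intel`, so it still covers the unprefixed loads from `%4` (labels 1–4, 7–8, 11–12, 15–16, 19–20, 23–24, 27–28, 31–32), which in the to-user variant are kernel-side reads; a fault there is a kernel bug that the `101:` fixup now converts into a short-copy return instead of an oops. With the directions split, only the `__copyuser_seg` stores (5–6, 9–10, …, 33–34) and the `rep movs` at 99/37 can legitimately fault, and the mirror holds for `__generic_copy_from_user_intel`, whose unprefixed stores to `%3` are kernel-side (its table runs past this hunk). This is inherited rather than introduced, so it can be a follow-up, but a one-line comment per table stating which side its entries cover would make the intent explicit. `__generic_copy_to_user_intel` starts before this hunk.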
16664 @@ -339,41 +452,41 @@ __copy_user_zeroing_intel(void *to, cons
16666 __asm__ __volatile__(
16668 - "0: movl 32(%4), %%eax\n"
16669 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
16672 - "1: movl 64(%4), %%eax\n"
16673 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
16675 - "2: movl 0(%4), %%eax\n"
16676 - "21: movl 4(%4), %%edx\n"
16677 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
16678 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
16679 " movl %%eax, 0(%3)\n"
16680 " movl %%edx, 4(%3)\n"
16681 - "3: movl 8(%4), %%eax\n"
16682 - "31: movl 12(%4),%%edx\n"
16683 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
16684 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
16685 " movl %%eax, 8(%3)\n"
16686 " movl %%edx, 12(%3)\n"
16687 - "4: movl 16(%4), %%eax\n"
16688 - "41: movl 20(%4), %%edx\n"
16689 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
16690 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
16691 " movl %%eax, 16(%3)\n"
16692 " movl %%edx, 20(%3)\n"
16693 - "10: movl 24(%4), %%eax\n"
16694 - "51: movl 28(%4), %%edx\n"
16695 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
16696 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
16697 " movl %%eax, 24(%3)\n"
16698 " movl %%edx, 28(%3)\n"
16699 - "11: movl 32(%4), %%eax\n"
16700 - "61: movl 36(%4), %%edx\n"
16701 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
16702 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
16703 " movl %%eax, 32(%3)\n"
16704 " movl %%edx, 36(%3)\n"
16705 - "12: movl 40(%4), %%eax\n"
16706 - "71: movl 44(%4), %%edx\n"
16707 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
16708 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
16709 " movl %%eax, 40(%3)\n"
16710 " movl %%edx, 44(%3)\n"
16711 - "13: movl 48(%4), %%eax\n"
16712 - "81: movl 52(%4), %%edx\n"
16713 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
16714 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
16715 " movl %%eax, 48(%3)\n"
16716 " movl %%edx, 52(%3)\n"
16717 - "14: movl 56(%4), %%eax\n"
16718 - "91: movl 60(%4), %%edx\n"
16719 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
16720 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
16721 " movl %%eax, 56(%3)\n"
16722 " movl %%edx, 60(%3)\n"
16724 @@ -385,9 +498,9 @@ __copy_user_zeroing_intel(void *to, cons
16726 " andl $3, %%eax\n"
16728 - "6: rep; movsl\n"
16729 + "6: rep; "__copyuser_seg" movsl\n"
16731 - "7: rep; movsb\n"
16732 + "7: rep; "__copyuser_seg" movsb\n"
16734 ".section .fixup,\"ax\"\n"
16735 "9: lea 0(%%eax,%0,4),%0\n"
16736 @@ -440,41 +553,41 @@ static unsigned long __copy_user_zeroing
16738 __asm__ __volatile__(
16740 - "0: movl 32(%4), %%eax\n"
16741 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
16744 - "1: movl 64(%4), %%eax\n"
16745 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
16747 - "2: movl 0(%4), %%eax\n"
16748 - "21: movl 4(%4), %%edx\n"
16749 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
16750 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
16751 " movnti %%eax, 0(%3)\n"
16752 " movnti %%edx, 4(%3)\n"
16753 - "3: movl 8(%4), %%eax\n"
16754 - "31: movl 12(%4),%%edx\n"
16755 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
16756 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
16757 " movnti %%eax, 8(%3)\n"
16758 " movnti %%edx, 12(%3)\n"
16759 - "4: movl 16(%4), %%eax\n"
16760 - "41: movl 20(%4), %%edx\n"
16761 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
16762 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
16763 " movnti %%eax, 16(%3)\n"
16764 " movnti %%edx, 20(%3)\n"
16765 - "10: movl 24(%4), %%eax\n"
16766 - "51: movl 28(%4), %%edx\n"
16767 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
16768 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
16769 " movnti %%eax, 24(%3)\n"
16770 " movnti %%edx, 28(%3)\n"
16771 - "11: movl 32(%4), %%eax\n"
16772 - "61: movl 36(%4), %%edx\n"
16773 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
16774 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
16775 " movnti %%eax, 32(%3)\n"
16776 " movnti %%edx, 36(%3)\n"
16777 - "12: movl 40(%4), %%eax\n"
16778 - "71: movl 44(%4), %%edx\n"
16779 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
16780 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
16781 " movnti %%eax, 40(%3)\n"
16782 " movnti %%edx, 44(%3)\n"
16783 - "13: movl 48(%4), %%eax\n"
16784 - "81: movl 52(%4), %%edx\n"
16785 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
16786 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
16787 " movnti %%eax, 48(%3)\n"
16788 " movnti %%edx, 52(%3)\n"
16789 - "14: movl 56(%4), %%eax\n"
16790 - "91: movl 60(%4), %%edx\n"
16791 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
16792 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
16793 " movnti %%eax, 56(%3)\n"
16794 " movnti %%edx, 60(%3)\n"
16796 @@ -487,9 +600,9 @@ static unsigned long __copy_user_zeroing
16798 " andl $3, %%eax\n"
16800 - "6: rep; movsl\n"
16801 + "6: rep; "__copyuser_seg" movsl\n"
16803 - "7: rep; movsb\n"
16804 + "7: rep; "__copyuser_seg" movsb\n"
16806 ".section .fixup,\"ax\"\n"
16807 "9: lea 0(%%eax,%0,4),%0\n"
16808 @@ -537,41 +650,41 @@ static unsigned long __copy_user_intel_n
16810 __asm__ __volatile__(
16812 - "0: movl 32(%4), %%eax\n"
16813 + "0: "__copyuser_seg" movl 32(%4), %%eax\n"
16816 - "1: movl 64(%4), %%eax\n"
16817 + "1: "__copyuser_seg" movl 64(%4), %%eax\n"
16819 - "2: movl 0(%4), %%eax\n"
16820 - "21: movl 4(%4), %%edx\n"
16821 + "2: "__copyuser_seg" movl 0(%4), %%eax\n"
16822 + "21: "__copyuser_seg" movl 4(%4), %%edx\n"
16823 " movnti %%eax, 0(%3)\n"
16824 " movnti %%edx, 4(%3)\n"
16825 - "3: movl 8(%4), %%eax\n"
16826 - "31: movl 12(%4),%%edx\n"
16827 + "3: "__copyuser_seg" movl 8(%4), %%eax\n"
16828 + "31: "__copyuser_seg" movl 12(%4),%%edx\n"
16829 " movnti %%eax, 8(%3)\n"
16830 " movnti %%edx, 12(%3)\n"
16831 - "4: movl 16(%4), %%eax\n"
16832 - "41: movl 20(%4), %%edx\n"
16833 + "4: "__copyuser_seg" movl 16(%4), %%eax\n"
16834 + "41: "__copyuser_seg" movl 20(%4), %%edx\n"
16835 " movnti %%eax, 16(%3)\n"
16836 " movnti %%edx, 20(%3)\n"
16837 - "10: movl 24(%4), %%eax\n"
16838 - "51: movl 28(%4), %%edx\n"
16839 + "10: "__copyuser_seg" movl 24(%4), %%eax\n"
16840 + "51: "__copyuser_seg" movl 28(%4), %%edx\n"
16841 " movnti %%eax, 24(%3)\n"
16842 " movnti %%edx, 28(%3)\n"
16843 - "11: movl 32(%4), %%eax\n"
16844 - "61: movl 36(%4), %%edx\n"
16845 + "11: "__copyuser_seg" movl 32(%4), %%eax\n"
16846 + "61: "__copyuser_seg" movl 36(%4), %%edx\n"
16847 " movnti %%eax, 32(%3)\n"
16848 " movnti %%edx, 36(%3)\n"
16849 - "12: movl 40(%4), %%eax\n"
16850 - "71: movl 44(%4), %%edx\n"
16851 + "12: "__copyuser_seg" movl 40(%4), %%eax\n"
16852 + "71: "__copyuser_seg" movl 44(%4), %%edx\n"
16853 " movnti %%eax, 40(%3)\n"
16854 " movnti %%edx, 44(%3)\n"
16855 - "13: movl 48(%4), %%eax\n"
16856 - "81: movl 52(%4), %%edx\n"
16857 + "13: "__copyuser_seg" movl 48(%4), %%eax\n"
16858 + "81: "__copyuser_seg" movl 52(%4), %%edx\n"
16859 " movnti %%eax, 48(%3)\n"
16860 " movnti %%edx, 52(%3)\n"
16861 - "14: movl 56(%4), %%eax\n"
16862 - "91: movl 60(%4), %%edx\n"
16863 + "14: "__copyuser_seg" movl 56(%4), %%eax\n"
16864 + "91: "__copyuser_seg" movl 60(%4), %%edx\n"
16865 " movnti %%eax, 56(%3)\n"
16866 " movnti %%edx, 60(%3)\n"
16868 @@ -584,9 +697,9 @@ static unsigned long __copy_user_intel_n
16870 " andl $3, %%eax\n"
16872 - "6: rep; movsl\n"
16873 + "6: rep; "__copyuser_seg" movsl\n"
16875 - "7: rep; movsb\n"
16876 + "7: rep; "__copyuser_seg" movsb\n"
16878 ".section .fixup,\"ax\"\n"
16879 "9: lea 0(%%eax,%0,4),%0\n"
16880 @@ -629,32 +742,36 @@ static unsigned long __copy_user_intel_n
16882 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
16883 unsigned long size);
16884 -unsigned long __copy_user_intel(void __user *to, const void *from,
16885 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
16886 + unsigned long size);
16887 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
16888 unsigned long size);
16889 unsigned long __copy_user_zeroing_intel_nocache(void *to,
16890 const void __user *from, unsigned long size);
16891 #endif /* CONFIG_X86_INTEL_USERCOPY */
16893 /* Generic arbitrary sized copy. */
16894 -#define __copy_user(to, from, size) \
16895 +#define __copy_user(to, from, size, prefix, set, restore) \
16897 int __d0, __d1, __d2; \
16898 __asm__ __volatile__( \
16906 - "4: rep; movsb\n" \
16907 + "4: rep; "prefix"movsb\n" \
16911 " .align 2,0x90\n" \
16912 - "0: rep; movsl\n" \
16913 + "0: rep; "prefix"movsl\n" \
16915 - "1: rep; movsb\n" \
16916 + "1: rep; "prefix"movsb\n" \
16919 ".section .fixup,\"ax\"\n" \
16920 "5: addl %3,%0\n" \
16922 @@ -682,14 +799,14 @@ do { \
16926 - "4: rep; movsb\n" \
16927 + "4: rep; "__copyuser_seg"movsb\n" \
16931 " .align 2,0x90\n" \
16932 - "0: rep; movsl\n" \
16933 + "0: rep; "__copyuser_seg"movsl\n" \
16935 - "1: rep; movsb\n" \
16936 + "1: rep; "__copyuser_seg"movsb\n" \
16938 ".section .fixup,\"ax\"\n" \
16939 "5: addl %3,%0\n" \
16940 @@ -775,9 +892,9 @@ survive:
16943 if (movsl_is_ok(to, from, n))
16944 - __copy_user(to, from, n);
16945 + __copy_user(to, from, n, "", __COPYUSER_SET_ES, __COPYUSER_RESTORE_ES);
16947 - n = __copy_user_intel(to, from, n);
16948 + n = __generic_copy_to_user_intel(to, from, n);
16951 EXPORT_SYMBOL(__copy_to_user_ll);
16952 @@ -797,10 +914,9 @@ unsigned long __copy_from_user_ll_nozero
16955 if (movsl_is_ok(to, from, n))
16956 - __copy_user(to, from, n);
16957 + __copy_user(to, from, n, __copyuser_seg, "", "");
16959 - n = __copy_user_intel((void __user *)to,
16960 - (const void *)from, n);
16961 + n = __generic_copy_from_user_intel(to, from, n);
16964 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
16965 @@ -827,65 +943,49 @@ unsigned long __copy_from_user_ll_nocach
16966 if (n > 64 && cpu_has_xmm2)
16967 n = __copy_user_intel_nocache(to, from, n);
16969 - __copy_user(to, from, n);
16970 + __copy_user(to, from, n, __copyuser_seg, "", "");
16972 - __copy_user(to, from, n);
16973 + __copy_user(to, from, n, __copyuser_seg, "", "");
16977 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
16980 - * copy_to_user: - Copy a block of data into user space.
16981 - * @to: Destination address, in user space.
16982 - * @from: Source address, in kernel space.
16983 - * @n: Number of bytes to copy.
16985 - * Context: User context only. This function may sleep.
16987 - * Copy data from kernel space to user space.
16989 - * Returns number of bytes that could not be copied.
16990 - * On success, this will be zero.
16993 -copy_to_user(void __user *to, const void *from, unsigned long n)
16994 +void copy_from_user_overflow(void)
16996 - if (access_ok(VERIFY_WRITE, to, n))
16997 - n = __copy_to_user(to, from, n);
16999 + WARN(1, "Buffer overflow detected!\n");
17001 -EXPORT_SYMBOL(copy_to_user);
17002 +EXPORT_SYMBOL(copy_from_user_overflow);
17005 - * copy_from_user: - Copy a block of data from user space.
17006 - * @to: Destination address, in kernel space.
17007 - * @from: Source address, in user space.
17008 - * @n: Number of bytes to copy.
17010 - * Context: User context only. This function may sleep.
17012 - * Copy data from user space to kernel space.
17014 - * Returns number of bytes that could not be copied.
17015 - * On success, this will be zero.
17017 - * If some data could not be copied, this function will pad the copied
17018 - * data to the requested size using zero bytes.
17021 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17022 +void copy_to_user_overflow(void)
17024 - if (access_ok(VERIFY_READ, from, n))
17025 - n = __copy_from_user(to, from, n);
17027 - memset(to, 0, n);
17029 + WARN(1, "Buffer overflow detected!\n");
17031 -EXPORT_SYMBOL(_copy_from_user);
17032 +EXPORT_SYMBOL(copy_to_user_overflow);
17034 -void copy_from_user_overflow(void)
17035 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17036 +void __set_fs(mm_segment_t x)
17038 - WARN(1, "Buffer overflow detected!\n");
17041 + loadsegment(gs, 0);
17043 + case TASK_SIZE_MAX:
17044 + loadsegment(gs, __USER_DS);
17047 + loadsegment(gs, __KERNEL_DS);
17054 -EXPORT_SYMBOL(copy_from_user_overflow);
17056 +void set_fs(mm_segment_t x)
17058 + current_thread_info()->addr_limit = x;
17061 +EXPORT_SYMBOL(set_fs);
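Review bot: `__set_fs()` reloads %gs from the new `addr_limit` with no comment on why a segment reload belongs in `set_fs()`; since putuser.S drops the `TI_addr_limit` compare on X86_32+UDEREF, this reload is what makes `set_fs(KERNEL_DS)` callers work, so it deserves a header. Suggested text above `__set_fs`: `/* UDEREF (x86_32): user accesses go through a gs override instead of an addr_limit compare, so the limit change must be mirrored into %gs: USER_DS -> __USER_DS, KERNEL_DS -> __KERNEL_DS, otherwise a null selector so any gs access faults */` — the null-selector reading is my inference from `loadsegment(gs, 0)`, whose case label is elided, so adjust. It would also help to state next to `set_fs()` whether the `addr_limit` store and the %gs reload need to be atomic with respect to a context switch, since the switch path that would reload %gs for the incoming task is not in this file.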
17063 diff -urNp linux-2.6.38.1/arch/x86/lib/usercopy_64.c linux-2.6.38.1-new/arch/x86/lib/usercopy_64.c
17064 --- linux-2.6.38.1/arch/x86/lib/usercopy_64.c 2011-03-14 21:20:32.000000000 -0400
17065 +++ linux-2.6.38.1-new/arch/x86/lib/usercopy_64.c 2011-03-21 18:31:35.000000000 -0400
17066 @@ -42,6 +42,8 @@ long
17067 __strncpy_from_user(char *dst, const char __user *src, long count)
17070 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17071 + src += PAX_USER_SHADOW_BASE;
17072 __do_strncpy_from_user(dst, src, count, res);
17075 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17079 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17080 + addr += PAX_USER_SHADOW_BASE;
17081 /* no memory constraint because it doesn't change any memory gcc knows
17084 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17086 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17088 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17089 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17090 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17091 + to += PAX_USER_SHADOW_BASE;
17092 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17093 + from += PAX_USER_SHADOW_BASE;
17094 return copy_user_generic((__force void *)to, (__force void *)from, len);
17100 EXPORT_SYMBOL(copy_in_user);
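Review bot: The shadow-base remap `if ((unsigned long)p < PAX_USER_SHADOW_BASE) p += PAX_USER_SHADOW_BASE;` is now open-coded four times in this file (`__strncpy_from_user`, `__clear_user`, and twice here), with nothing stating what the remap is for or why pointers at or above the base pass through untouched. A `static inline` helper such as `pax_user_shadow(ptr)` with a one-line comment — `/* UDEREF: user addresses are reached through their alias at PAX_USER_SHADOW_BASE; kernel-range pointers (set_fs(KERNEL_DS) callers) are assumed to lie above it and pass through */` — would keep the sites identical and give that assumption one home. Here the `access_ok()` pair already bounds `to`/`from` to user space, so the `<` test only distinguishes KERNEL_DS callers; that the base sits below every kernel address is an invariant worth stating rather than leaving implicit.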
17102 diff -urNp linux-2.6.38.1/arch/x86/Makefile linux-2.6.38.1-new/arch/x86/Makefile
17103 --- linux-2.6.38.1/arch/x86/Makefile 2011-03-14 21:20:32.000000000 -0400
17104 +++ linux-2.6.38.1-new/arch/x86/Makefile 2011-03-21 18:31:35.000000000 -0400
17105 @@ -195,3 +195,12 @@ define archhelp
17106 echo ' FDARGS="..." arguments for the booted kernel'
17107 echo ' FDINITRD=file initrd for the booted kernel'
17112 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17113 +*** Please upgrade your binutils to 2.18 or newer
17117 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17118 diff -urNp linux-2.6.38.1/arch/x86/mm/extable.c linux-2.6.38.1-new/arch/x86/mm/extable.c
17119 --- linux-2.6.38.1/arch/x86/mm/extable.c 2011-03-14 21:20:32.000000000 -0400
17120 +++ linux-2.6.38.1-new/arch/x86/mm/extable.c 2011-03-21 18:31:35.000000000 -0400
17122 #include <linux/module.h>
17123 #include <linux/spinlock.h>
17124 +#include <linux/sort.h>
17125 #include <asm/uaccess.h>
17126 +#include <asm/pgtable.h>
17129 + * The exception table needs to be sorted so that the binary
17130 + * search that we use to find entries in it works properly.
17131 + * This is used both for the kernel exception table and for
17132 + * the exception tables of modules that get loaded.
17134 +static int cmp_ex(const void *a, const void *b)
17136 + const struct exception_table_entry *x = a, *y = b;
17138 + /* avoid overflow */
17139 + if (x->insn > y->insn)
17141 + if (x->insn < y->insn)
17146 +static void swap_ex(void *a, void *b, int size)
17148 + struct exception_table_entry t, *x = a, *y = b;
17152 + pax_open_kernel();
17155 + pax_close_kernel();
17158 +void sort_extable(struct exception_table_entry *start,
17159 + struct exception_table_entry *finish)
17161 + sort(start, finish - start, sizeof(struct exception_table_entry),
17162 + cmp_ex, swap_ex);
17165 +#ifdef CONFIG_MODULES
17167 + * If the exception table is sorted, any referring to the module init
17168 + * will be at the beginning or the end.
17170 +void trim_init_extable(struct module *m)
17172 + /*trim the beginning*/
17173 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17175 + m->num_exentries--;
17178 + while (m->num_exentries &&
17179 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17180 + m->num_exentries--;
17182 +#endif /* CONFIG_MODULES */
17184 int fixup_exception(struct pt_regs *regs)
17186 const struct exception_table_entry *fixup;
17188 #ifdef CONFIG_PNPBIOS
17189 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17190 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17191 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17192 extern u32 pnp_bios_is_utter_crap;
17193 pnp_bios_is_utter_crap = 1;
17194 diff -urNp linux-2.6.38.1/arch/x86/mm/fault.c linux-2.6.38.1-new/arch/x86/mm/fault.c
17195 --- linux-2.6.38.1/arch/x86/mm/fault.c 2011-03-14 21:20:32.000000000 -0400
17196 +++ linux-2.6.38.1-new/arch/x86/mm/fault.c 2011-03-21 23:48:53.000000000 -0400
17197 @@ -12,10 +12,18 @@
17198 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17199 #include <linux/perf_event.h> /* perf_sw_event */
17200 #include <linux/hugetlb.h> /* hstate_index_to_shift */
17201 +#include <linux/unistd.h>
17202 +#include <linux/compiler.h>
17204 #include <asm/traps.h> /* dotraplinkage, ... */
17205 #include <asm/pgalloc.h> /* pgd_*(), ... */
17206 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17207 +#include <asm/vsyscall.h>
17208 +#include <asm/tlbflush.h>
17210 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17211 +#include <asm/stacktrace.h>
17215 * Page fault error code bits:
17216 @@ -53,7 +61,7 @@ static inline int __kprobes notify_page_
17219 /* kprobe_running() needs smp_processor_id() */
17220 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17221 + if (kprobes_built_in() && !user_mode(regs)) {
17223 if (kprobe_running() && kprobe_fault_handler(regs, 14))
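Review bot: Replacing `user_mode_vm()` with `user_mode()` in `notify_page_fault()` changes how a VM86-mode fault is classified on x86_32: upstream `user_mode()` tests only the CS RPL, so a vm86 fault would take the `!user_mode(regs)` branch and be offered to `kprobe_fault_handler()` as a kernel fault, unless this patch also redefines `user_mode()` in asm/ptrace.h to honour `X86_VM_MASK` (not in this chunk). If that redefinition exists, a comment here or at the definition saying `user_mode()` now covers vm86 would keep the next reader from "fixing" this back; if it does not, `user_mode_vm()` should stay. The same swap is made in `check_prefetch_opcode()` and `is_prefetch()` below. `notify_page_fault()` starts before this hunk.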
17225 @@ -114,7 +122,10 @@ check_prefetch_opcode(struct pt_regs *re
17226 return !instr_lo || (instr_lo>>1) == 1;
17228 /* Prefetch instruction is 0x0F0D or 0x0F18 */
17229 - if (probe_kernel_address(instr, opcode))
17230 + if (user_mode(regs)) {
17231 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17233 + } else if (probe_kernel_address(instr, opcode))
17236 *prefetch = (instr_lo == 0xF) &&
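Review bot: The new user-mode branch reads the opcode with `__copy_from_user_inatomic()`, which does no `access_ok()`, while `instr` derives from `regs->ip`; a user thread that jumps to a kernel address faults with PF_USER and a kernel-range ip, so without UDEREF (where the segment limit presumably makes the copy fail) the handler parses kernel text to decide whether to suppress the signal. Guarding the read keeps that decision on user memory only: `if (!access_ok(VERIFY_READ, instr, 1) || __copy_from_user_inatomic(&opcode, (__force unsigned char __user *)instr, 1))` followed by the existing early return; the loop in `is_prefetch()` in the next hunk needs the same guard. `check_prefetch_opcode()` starts before this hunk and ends after it.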
17237 @@ -148,7 +159,10 @@ is_prefetch(struct pt_regs *regs, unsign
17238 while (instr < max_instr) {
17239 unsigned char opcode;
17241 - if (probe_kernel_address(instr, opcode))
17242 + if (user_mode(regs)) {
17243 + if (__copy_from_user_inatomic(&opcode, (__force unsigned char __user *)(instr), 1))
17245 + } else if (probe_kernel_address(instr, opcode))
17249 @@ -179,6 +193,30 @@ force_sig_info_fault(int si_signo, int s
17250 force_sig_info(si_signo, &info, tsk);
17253 +#ifdef CONFIG_PAX_EMUTRAMP
17254 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17257 +#ifdef CONFIG_PAX_PAGEEXEC
17258 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17264 + pgd = pgd_offset(mm, address);
17265 + if (!pgd_present(*pgd))
17267 + pud = pud_offset(pgd, address);
17268 + if (!pud_present(*pud))
17270 + pmd = pmd_offset(pud, address);
17271 + if (!pmd_present(*pmd))
17277 DEFINE_SPINLOCK(pgd_lock);
17278 LIST_HEAD(pgd_list);
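Review bot: `pax_get_pmd()` returns as soon as `pmd_present()` holds, without telling a huge pmd apart from a page-table pointer, and 2.6.38 is the first release with transparent hugepages; if a caller then applies `pte_offset_map()` to the result for a faulting address inside a THP or hugetlb mapping, it reads the huge-page frame as a page table. The callers are outside this hunk, so this may already be handled there; if not, `if (!pmd_present(*pmd) || pmd_large(*pmd)) return NULL;` keeps the helper safe on its own (the elided lines presumably already return NULL for the not-present cases). Either way a one-line comment stating whether the helper can return a huge pmd would pin the contract.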
17280 @@ -229,10 +267,22 @@ void vmalloc_sync_all(void)
17281 for (address = VMALLOC_START & PMD_MASK;
17282 address >= TASK_SIZE && address < FIXADDR_TOP;
17283 address += PMD_SIZE) {
17285 +#ifdef CONFIG_PAX_PER_CPU_PGD
17286 + unsigned long cpu;
17291 spin_lock(&pgd_lock);
17293 +#ifdef CONFIG_PAX_PER_CPU_PGD
17294 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17295 + pgd_t *pgd = get_cpu_pgd(cpu);
17298 list_for_each_entry(page, &pgd_list, lru) {
17299 + pgd_t *pgd = page_address(page);
17300 spinlock_t *pgt_lock;
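Review bot: The PER_CPU_PGD path walks `cpu` from 0 to `NR_CPUS` and syncs a PGD for every slot, including CPUs that cannot exist on this machine; `for_each_possible_cpu(cpu)` (with `cpu` as `int`) is the idiom and bounds the work to `cpu_possible_mask`, assuming `get_cpu_pgd()` is backed by NR_CPUS-sized or per-CPU storage either way. Unlike the `pgd_list` loop, this branch has no per-mm `page_table_lock` around `vmalloc_sync_one()`, so a short comment saying that `pgd_lock` (held from the context line above) is what serialises writers of the per-CPU PGDs would help. `vmalloc_sync_all()` starts before this hunk and ends after it.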
17303 @@ -240,8 +290,13 @@ void vmalloc_sync_all(void)
17304 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
17306 spin_lock(pgt_lock);
17307 - ret = vmalloc_sync_one(page_address(page), address);
17310 + ret = vmalloc_sync_one(pgd, address);
17312 +#ifndef CONFIG_PAX_PER_CPU_PGD
17313 spin_unlock(pgt_lock);
17318 @@ -275,6 +330,11 @@ static noinline __kprobes int vmalloc_fa
17319 * an interrupt in the middle of a task switch..
17321 pgd_paddr = read_cr3();
17323 +#ifdef CONFIG_PAX_PER_CPU_PGD
17324 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17327 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
17330 @@ -370,7 +430,14 @@ static noinline __kprobes int vmalloc_fa
17331 * happen within a race in page table update. In the later
17335 +#ifdef CONFIG_PAX_PER_CPU_PGD
17336 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17337 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17339 pgd = pgd_offset(current->active_mm, address);
17342 pgd_ref = pgd_offset_k(address);
17343 if (pgd_none(*pgd_ref))
17345 @@ -532,7 +599,7 @@ static int is_errata93(struct pt_regs *r
17346 static int is_errata100(struct pt_regs *regs, unsigned long address)
17348 #ifdef CONFIG_X86_64
17349 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17350 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17354 @@ -559,7 +626,7 @@ static int is_f00f_bug(struct pt_regs *r
17357 static const char nx_warning[] = KERN_CRIT
17358 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17359 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17362 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
17363 @@ -568,15 +635,26 @@ show_fault_oops(struct pt_regs *regs, un
17364 if (!oops_may_print())
17367 - if (error_code & PF_INSTR) {
17368 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17369 unsigned int level;
17371 pte_t *pte = lookup_address(address, &level);
17373 if (pte && pte_present(*pte) && !pte_exec(*pte))
17374 - printk(nx_warning, current_uid());
17375 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17378 +#ifdef CONFIG_PAX_KERNEXEC
17379 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17380 + if (current->signal->curr_ip)
17381 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17382 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17384 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17385 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17389 printk(KERN_ALERT "BUG: unable to handle kernel ");
17390 if (address < PAGE_SIZE)
17391 printk(KERN_CONT "NULL pointer dereference");
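Review bot: The `%pI4` argument of the first KERNEXEC printk appears on this page as `¤t->signal->curr_ip`, which looks like `&current->signal->curr_ip` with its `&curr` prefix decoded as an HTML entity, so that line should be checked against the original patch before anything is applied from here. The two printk calls in the new block repeat the same comm/pid/uid/euid preamble and differ only by the `%pI4` prefix, and nothing says why a write into the text range is reported from show_fault_oops at all; a comment such as `/* KERNEXEC: a write fault inside [start_code, end_code) is an attempt to modify kernel text; log it with the recorded peer address when there is one */` above the `init_mm.start_code <= address` test would carry that. The `#endif` closing the CONFIG_PAX_KERNEXEC block and the `else` between the two printk calls are not visible on this page, and show_fault_oops continues past the hunk.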
17392 @@ -701,6 +779,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17393 unsigned long address, int si_code)
17395 struct task_struct *tsk = current;
17396 + struct mm_struct *mm = tsk->mm;
17398 +#ifdef CONFIG_X86_64
17399 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
17400 + if (regs->ip == (unsigned long)vgettimeofday) {
17401 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17403 + } else if (regs->ip == (unsigned long)vtime) {
17404 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17406 + } else if (regs->ip == (unsigned long)vgetcpu) {
17407 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17413 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17414 + if (mm && (error_code & PF_USER)) {
17415 + unsigned long ip = regs->ip;
17417 + if (v8086_mode(regs))
17418 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
17421 + * It's possible to have interrupts off here:
17423 + local_irq_enable();
17425 +#ifdef CONFIG_PAX_PAGEEXEC
17426 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17427 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
17429 +#ifdef CONFIG_PAX_EMUTRAMP
17430 + switch (pax_handle_fetch_fault(regs)) {
17436 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17437 + do_group_exit(SIGKILL);
17441 +#ifdef CONFIG_PAX_SEGMEXEC
17442 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
17444 +#ifdef CONFIG_PAX_EMUTRAMP
17445 + switch (pax_handle_fetch_fault(regs)) {
17451 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17452 + do_group_exit(SIGKILL);
17459 /* User mode accesses just cause a SIGSEGV */
17460 if (error_code & PF_USER) {
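Review bot: The vsyscall redirect at the top of the hunk (`regs->ip == (unsigned long)vgettimeofday` and its two siblings rewriting `regs->ip` to a `VDSO64_SYMBOL` fallback) has no comment tying it to its cause, which is the init_64.c hunk of this same patch where `gate_vma` loses `VM_EXEC` and `PAGE_READONLY_EXEC`: every fetch from the vsyscall page now arrives here as a PF_INSTR fault. A comment such as `/* the vsyscall page is mapped non-executable (see gate_vma in init_64.c); redirect legacy callers to the vDSO fallbacks instead of faulting them */` before the `#ifdef CONFIG_X86_64` would make that dependency explicit and keep the two from drifting apart. The redirect is also taken without testing `error_code & PF_USER`, unlike the PAGEEXEC/SEGMEXEC block right below it; if a kernel-mode fetch at those addresses cannot happen, a one-line comment saying so would do, otherwise `(error_code & PF_USER)` belongs in the condition. The `case` labels of both `switch (pax_handle_fetch_fault(regs))` blocks, the `#endif` lines and the closing braces are not shown on this page, and __bad_area_nosemaphore continues beyond the hunk.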
17461 @@ -855,6 +995,99 @@ static int spurious_fault_check(unsigned
17465 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17466 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17471 + unsigned char pte_mask;
17473 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17474 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17477 + /* PaX: it's our fault, let's handle it if we can */
17479 + /* PaX: take a look at read faults before acquiring any locks */
17480 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17481 + /* instruction fetch attempt from a protected page in user mode */
17482 + up_read(&mm->mmap_sem);
17484 +#ifdef CONFIG_PAX_EMUTRAMP
17485 + switch (pax_handle_fetch_fault(regs)) {
17491 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17492 + do_group_exit(SIGKILL);
17495 + pmd = pax_get_pmd(mm, address);
17496 + if (unlikely(!pmd))
17499 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17500 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17501 + pte_unmap_unlock(pte, ptl);
17505 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17506 + /* write attempt to a protected page in user mode */
17507 + pte_unmap_unlock(pte, ptl);
17512 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17514 + if (likely(address > get_limit(regs->cs)))
17517 + set_pte(pte, pte_mkread(*pte));
17518 + __flush_tlb_one(address);
17519 + pte_unmap_unlock(pte, ptl);
17520 + up_read(&mm->mmap_sem);
17524 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
17527 + * PaX: fill DTLB with user rights and retry
17529 + __asm__ __volatile__ (
17531 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
17533 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
17534 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
17535 + * page fault when examined during a TLB load attempt. this is true not only
17536 + * for PTEs holding a non-present entry but also present entries that will
17537 + * raise a page fault (such as those set up by PaX, or the copy-on-write
17538 + * mechanism). in effect it means that we do *not* need to flush the TLBs
17539 + * for our target pages since their PTEs are simply not in the TLBs at all.
17541 + * the best thing in omitting it is that we gain around 15-20% speed in the
17542 + * fast path of the page fault handler and can get rid of tracing since we
17543 + * can no longer flush unintended entries.
17547 + __copyuser_seg"testb $0,(%0)\n"
17550 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER)
17551 + : "memory", "cc");
17552 + pte_unmap_unlock(pte, ptl);
17553 + up_read(&mm->mmap_sem);
17559 * Handle a spurious fault caused by a stale TLB entry.
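Review bot: pax_handle_pageexec_fault releases `mm->mmap_sem` itself on the paths visible here (`up_read` before `do_group_exit` and after the `set_pte`/TLB-fill paths) while its caller in do_page_fault holds it for read, and that ownership rule is stated nowhere; a header comment like `/* Called with mm->mmap_sem held for read. Returns non-zero when the fault was handled here, in which case the semaphore has already been released. */` would protect the next caller. The `pte_mask` computation `((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1))` relies on PF_WRITE being bit 1 so that the shift lands exactly on `_PAGE_DIRTY`; that is worth a comment rather than a mental check by each reader. The `cpu_isset(..., mm->context.cpu_user_cs_mask)` variant of the `get_limit(regs->cs)` test sits under a preprocessor condition whose guard lines are not visible on this page, so I cannot tell which build selects it. The function's opening brace, its `return` statements and the body of the inline asm are likewise elided here, so only the visible lines are covered by this review.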
17561 @@ -927,6 +1160,9 @@ int show_unhandled_signals = 1;
17563 access_error(unsigned long error_code, struct vm_area_struct *vma)
17565 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
17568 if (error_code & PF_WRITE) {
17569 /* write, present and write, not present: */
17570 if (unlikely(!(vma->vm_flags & VM_WRITE)))
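Review bot: The NX gate `(__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)` is now spelled out in three places in this file (show_fault_oops, __bad_area_nosemaphore and here); a small helper such as `static inline int nx_fetch_fault(unsigned long error_code) { return (__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR); }` would keep the three in step when the condition changes. The `return 1;` that the new condition presumably guards is not shown on this page, and access_error continues past the hunk.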
17571 @@ -960,19 +1196,33 @@ do_page_fault(struct pt_regs *regs, unsi
17573 struct vm_area_struct *vma;
17574 struct task_struct *tsk;
17575 - unsigned long address;
17576 struct mm_struct *mm;
17578 int write = error_code & PF_WRITE;
17579 unsigned int flags = FAULT_FLAG_ALLOW_RETRY |
17580 (write ? FAULT_FLAG_WRITE : 0);
17582 + /* Get the faulting address: */
17583 + unsigned long address = read_cr2();
17585 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17586 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
17587 + if (!search_exception_tables(regs->ip)) {
17588 + bad_area_nosemaphore(regs, error_code, address);
17591 + if (address < PAX_USER_SHADOW_BASE) {
17592 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
17593 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
17594 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, KERN_ERR);
17596 + address -= PAX_USER_SHADOW_BASE;
17603 - /* Get the faulting address: */
17604 - address = read_cr2();
17607 * Detect and handle instructions that would cause a page fault for
17608 * both a tracked kernel page and a userspace page.
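Review bot: The UDEREF block gates on `address < 2 * PAX_USER_SHADOW_BASE` and then rebases with `address -= PAX_USER_SHADOW_BASE`, but nothing at the site explains the layout that makes a kernel-mode fault in that window a shifted user address; a comment such as `/* UDEREF: kernel accesses to user memory go through the shadow mapping at PAX_USER_SHADOW_BASE; translate back to the user address before the VMA lookup */` would make the intent reviewable. The `if (address < PAX_USER_SHADOW_BASE)` branch logs a "please report" diagnostic, and the lines that follow it (an `else`, a `return` or closing braces) are not shown on this page, so whether the subtraction also runs for that sub-case, where it would wrap below zero, cannot be confirmed from here and should be checked. `%pA` is not a conversion the stock 2.6.38 vsprintf accepts, so this line presumably depends on the printk extension the patch adds elsewhere; a comment naming that dependency would help anyone backporting the hunk alone. do_page_fault continues on both sides of the hunk.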
17609 @@ -1032,7 +1282,7 @@ do_page_fault(struct pt_regs *regs, unsi
17610 * User-mode registers count as a user access even for any
17611 * potential system fault or CPU buglet:
17613 - if (user_mode_vm(regs)) {
17614 + if (user_mode(regs)) {
17615 local_irq_enable();
17616 error_code |= PF_USER;
17618 @@ -1087,6 +1337,11 @@ retry:
17622 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17623 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
17627 vma = find_vma(mm, address);
17628 if (unlikely(!vma)) {
17629 bad_area(regs, error_code, address);
17630 @@ -1098,18 +1353,24 @@ retry:
17631 bad_area(regs, error_code, address);
17634 - if (error_code & PF_USER) {
17636 - * Accessing the stack below %sp is always a bug.
17637 - * The large cushion allows instructions like enter
17638 - * and pusha to work. ("enter $65535, $31" pushes
17639 - * 32 pointers and then decrements %sp by 65535.)
17641 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
17642 - bad_area(regs, error_code, address);
17646 + * Accessing the stack below %sp is always a bug.
17647 + * The large cushion allows instructions like enter
17648 + * and pusha to work. ("enter $65535, $31" pushes
17649 + * 32 pointers and then decrements %sp by 65535.)
17651 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
17652 + bad_area(regs, error_code, address);
17656 +#ifdef CONFIG_PAX_SEGMEXEC
17657 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
17658 + bad_area(regs, error_code, address);
17663 if (unlikely(expand_stack(vma, address))) {
17664 bad_area(regs, error_code, address);
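Review bot: Dropping the `if (error_code & PF_USER)` guard and comparing against `task_pt_regs(tsk)->sp` extends the "below %sp is always a bug" rejection to kernel-mode accesses made on the task's behalf (copy_to_user into the stack, signal-frame writes and the like), which the old code exempted; if that is intended, the comment above should say so, e.g. `/* Applies to kernel accesses on the task's behalf too: the user %sp is taken from the task's saved registers, not from regs. */`, and it is worth confirming that the cushion still covers the largest such write. The SEGMEXEC test `vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1` depends on unsigned wrap-around to order addresses relative to the SEGMEXEC boundary and is hard to read; a comment naming what it rejects, or a small static inline with a descriptive name, would help. The `#endif` closing the SEGMEXEC block and the surrounding braces are not shown on this page.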
17666 @@ -1164,3 +1425,199 @@ good_area:
17668 up_read(&mm->mmap_sem);
17671 +#ifdef CONFIG_PAX_EMUTRAMP
17672 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
17676 + do { /* PaX: gcc trampoline emulation #1 */
17677 + unsigned char mov1, mov2;
17678 + unsigned short jmp;
17679 + unsigned int addr1, addr2;
17681 +#ifdef CONFIG_X86_64
17682 + if ((regs->ip + 11) >> 32)
17686 + err = get_user(mov1, (unsigned char __user *)regs->ip);
17687 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17688 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
17689 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17690 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
17695 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
17696 + regs->cx = addr1;
17697 + regs->ax = addr2;
17698 + regs->ip = addr2;
17703 + do { /* PaX: gcc trampoline emulation #2 */
17704 + unsigned char mov, jmp;
17705 + unsigned int addr1, addr2;
17707 +#ifdef CONFIG_X86_64
17708 + if ((regs->ip + 9) >> 32)
17712 + err = get_user(mov, (unsigned char __user *)regs->ip);
17713 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
17714 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
17715 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
17720 + if (mov == 0xB9 && jmp == 0xE9) {
17721 + regs->cx = addr1;
17722 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
17727 + return 1; /* PaX in action */
17730 +#ifdef CONFIG_X86_64
17731 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
17735 + do { /* PaX: gcc trampoline emulation #1 */
17736 + unsigned short mov1, mov2, jmp1;
17737 + unsigned char jmp2;
17738 + unsigned int addr1;
17739 + unsigned long addr2;
17741 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17742 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
17743 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
17744 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
17745 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
17746 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
17751 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17752 + regs->r11 = addr1;
17753 + regs->r10 = addr2;
17754 + regs->ip = addr1;
17759 + do { /* PaX: gcc trampoline emulation #2 */
17760 + unsigned short mov1, mov2, jmp1;
17761 + unsigned char jmp2;
17762 + unsigned long addr1, addr2;
17764 + err = get_user(mov1, (unsigned short __user *)regs->ip);
17765 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
17766 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
17767 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
17768 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
17769 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
17774 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
17775 + regs->r11 = addr1;
17776 + regs->r10 = addr2;
17777 + regs->ip = addr1;
17782 + return 1; /* PaX in action */
17787 + * PaX: decide what to do with offenders (regs->ip = fault address)
17789 + * returns 1 when task should be killed
17790 + * 2 when gcc trampoline was detected
17792 +static int pax_handle_fetch_fault(struct pt_regs *regs)
17794 + if (v8086_mode(regs))
17797 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
17800 +#ifdef CONFIG_X86_32
17801 + return pax_handle_fetch_fault_32(regs);
17803 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
17804 + return pax_handle_fetch_fault_32(regs);
17806 + return pax_handle_fetch_fault_64(regs);
17811 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17812 +void pax_report_insns(void *pc, void *sp)
17816 + printk(KERN_ERR "PAX: bytes at PC: ");
17817 + for (i = 0; i < 20; i++) {
17819 + if (get_user(c, (__force unsigned char __user *)pc+i))
17820 + printk(KERN_CONT "?? ");
17822 + printk(KERN_CONT "%02x ", c);
17826 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
17827 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
17829 + if (get_user(c, (__force unsigned long __user *)sp+i))
17830 +#ifdef CONFIG_X86_32
17831 + printk(KERN_CONT "???????? ");
17833 + printk(KERN_CONT "???????????????? ");
17836 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
17843 + * probe_kernel_write(): safely attempt to write to a location
17844 + * @dst: address to write to
17845 + * @src: pointer to the data that shall be written
17846 + * @size: size of the data chunk
17848 + * Safely write to address @dst from the buffer at @src. If a kernel fault
17849 + * happens, handle that and return -EFAULT.
17851 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
17854 + mm_segment_t old_fs = get_fs();
17856 + set_fs(KERNEL_DS);
17857 + pagefault_disable();
17858 + pax_open_kernel();
17859 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
17860 + pax_close_kernel();
17861 + pagefault_enable();
17864 + return ret ? -EFAULT : 0;
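Review bot: The byte patterns matched in pax_handle_fetch_fault_32 and pax_handle_fetch_fault_64 (`mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF`, the `0xBB41`/`0xBA49`/`0xFF49`/`0xE3` pairs and the relative-jump form) are bare constants; each `do { /* PaX: gcc trampoline emulation #N */` block should spell out the instruction sequence it recognises and the gcc nested-function trampoline layout it corresponds to, so a reader can check that the register and `regs->ip` updates after each match are exactly what the emulated sequence would have done. The `if (err) break;` checks after each run of `get_user` calls and the `} while (0);` terminators are not visible on this page, so the error path is assumed rather than reviewed. The `probe_kernel_write` replacement keeps the mainline docblock but gains `pax_open_kernel()`/`pax_close_kernel()` around the copy; the docblock should say that this is what lets callers such as kprobes and ftrace patch text that KERNEXEC keeps read-only, since that is the reason for overriding the generic version. The hunk opens at the tail of do_page_fault (`up_read(&mm->mmap_sem)`), whose body starts before the hunk.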
17866 diff -urNp linux-2.6.38.1/arch/x86/mm/gup.c linux-2.6.38.1-new/arch/x86/mm/gup.c
17867 --- linux-2.6.38.1/arch/x86/mm/gup.c 2011-03-14 21:20:32.000000000 -0400
17868 +++ linux-2.6.38.1-new/arch/x86/mm/gup.c 2011-03-21 18:31:35.000000000 -0400
17869 @@ -263,7 +263,7 @@ int __get_user_pages_fast(unsigned long
17871 len = (unsigned long) nr_pages << PAGE_SHIFT;
17873 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17874 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
17875 (void __user *)start, len)))
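Review bot: `access_ok` is swapped for the bare `__access_ok` in the fast GUP path without a comment; since this tree presumably gives `access_ok` additional behaviour that is unwanted in a path that runs with interrupts disabled, a note such as `/* __access_ok: plain range check; the fast path must not take whatever extra work access_ok() does in this tree */` would stop the change being reverted as a typo. If the two are still identical here the change is a no-op and the comment should say that instead. __get_user_pages_fast continues outside the hunk.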
17878 diff -urNp linux-2.6.38.1/arch/x86/mm/highmem_32.c linux-2.6.38.1-new/arch/x86/mm/highmem_32.c
17879 --- linux-2.6.38.1/arch/x86/mm/highmem_32.c 2011-03-14 21:20:32.000000000 -0400
17880 +++ linux-2.6.38.1-new/arch/x86/mm/highmem_32.c 2011-03-21 18:31:35.000000000 -0400
17881 @@ -44,7 +44,10 @@ void *kmap_atomic_prot(struct page *page
17882 idx = type + KM_TYPE_NR*smp_processor_id();
17883 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
17884 BUG_ON(!pte_none(*(kmap_pte-idx)));
17886 + pax_open_kernel();
17887 set_pte(kmap_pte-idx, mk_pte(page, prot));
17888 + pax_close_kernel();
17890 return (void *)vaddr;
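Review bot: The `pax_open_kernel()`/`pax_close_kernel()` pair now brackets `set_pte` inside kmap_atomic_prot, which runs with preemption disabled and may be entered from interrupt context; whatever the pair does to the CPU (presumably it relaxes write protection of the kernel page tables) must therefore be safe in atomic context and must neither sleep nor re-enable interrupts, and a short comment stating that requirement here would help reviewers of the same pattern in set_pte_vaddr_pud in init_64.c. If the pair manipulates per-CPU state, the fact that kmap_atomic already pins the task to the CPU is what makes this correct and is worth stating.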
17892 diff -urNp linux-2.6.38.1/arch/x86/mm/hugetlbpage.c linux-2.6.38.1-new/arch/x86/mm/hugetlbpage.c
17893 --- linux-2.6.38.1/arch/x86/mm/hugetlbpage.c 2011-03-14 21:20:32.000000000 -0400
17894 +++ linux-2.6.38.1-new/arch/x86/mm/hugetlbpage.c 2011-03-21 23:47:41.000000000 -0400
17895 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
17896 struct hstate *h = hstate_file(file);
17897 struct mm_struct *mm = current->mm;
17898 struct vm_area_struct *vma;
17899 - unsigned long start_addr;
17900 + unsigned long start_addr, pax_task_size = TASK_SIZE;
17902 +#ifdef CONFIG_PAX_SEGMEXEC
17903 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
17904 + pax_task_size = SEGMEXEC_TASK_SIZE;
17907 + pax_task_size -= PAGE_SIZE;
17909 if (len > mm->cached_hole_size) {
17910 - start_addr = mm->free_area_cache;
17911 + start_addr = mm->free_area_cache;
17913 - start_addr = TASK_UNMAPPED_BASE;
17914 - mm->cached_hole_size = 0;
17915 + start_addr = mm->mmap_base;
17916 + mm->cached_hole_size = 0;
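Review bot: The `pax_task_size` computation (`TASK_SIZE`, overridden to `SEGMEXEC_TASK_SIZE` under CONFIG_PAX_SEGMEXEC, then `pax_task_size -= PAGE_SIZE`) is duplicated verbatim in the hugetlb_get_unmapped_area hunk later in this file, and the trailing `-= PAGE_SIZE` is unexplained in both; factoring it into one static helper with a comment keeps the two callers in step. The replacement of `!vma || addr + len <= vma->vm_start` by `check_heap_stack_gap(vma, addr, len)` presumably moves the NULL-vma case into the helper; since find_vma can return NULL here that is worth a one-line note at the call. The `#endif` of the SEGMEXEC block and the `else` between the two `start_addr` assignments are not visible on this page.
```c
/* Highest user address hugetlb may hand out: SEGMEXEC halves the space, and the top page is reserved. */
static unsigned long pax_hugetlb_task_size(struct mm_struct *mm)
{
	unsigned long task_size = TASK_SIZE;

#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif
	return task_size - PAGE_SIZE;
}

/* … unchanged: hugetlb_get_unmapped_area_bottomup, with pax_task_size = pax_hugetlb_task_size(mm) … */
```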
17920 @@ -280,26 +287,27 @@ full_search:
17922 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
17923 /* At this point: (!vma || addr < vma->vm_end). */
17924 - if (TASK_SIZE - len < addr) {
17925 + if (pax_task_size - len < addr) {
17927 * Start a new search - just in case we missed
17930 - if (start_addr != TASK_UNMAPPED_BASE) {
17931 - start_addr = TASK_UNMAPPED_BASE;
17932 + if (start_addr != mm->mmap_base) {
17933 + start_addr = mm->mmap_base;
17934 mm->cached_hole_size = 0;
17939 - if (!vma || addr + len <= vma->vm_start) {
17940 - mm->free_area_cache = addr + len;
17943 + if (check_heap_stack_gap(vma, addr, len))
17945 if (addr + mm->cached_hole_size < vma->vm_start)
17946 mm->cached_hole_size = vma->vm_start - addr;
17947 addr = ALIGN(vma->vm_end, huge_page_size(h));
17950 + mm->free_area_cache = addr + len;
17954 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
17955 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
17957 struct hstate *h = hstate_file(file);
17958 struct mm_struct *mm = current->mm;
17959 - struct vm_area_struct *vma, *prev_vma;
17960 - unsigned long base = mm->mmap_base, addr = addr0;
17961 + struct vm_area_struct *vma;
17962 + unsigned long base = mm->mmap_base, addr;
17963 unsigned long largest_hole = mm->cached_hole_size;
17964 - int first_time = 1;
17966 /* don't allow allocations above current base */
17967 if (mm->free_area_cache > base)
17968 @@ -321,64 +328,63 @@ static unsigned long hugetlb_get_unmappe
17970 mm->free_area_cache = base;
17974 /* make sure it can fit in the remaining address space */
17975 if (mm->free_area_cache < len)
17978 /* either no address requested or cant fit in requested address hole */
17979 - addr = (mm->free_area_cache - len) & huge_page_mask(h);
17980 + addr = (mm->free_area_cache - len);
17982 + addr &= huge_page_mask(h);
17983 + vma = find_vma(mm, addr);
17985 * Lookup failure means no vma is above this address,
17986 * i.e. return with success:
17988 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
17992 * new region fits between prev_vma->vm_end and
17993 * vma->vm_start, use it:
17995 - if (addr + len <= vma->vm_start &&
17996 - (!prev_vma || (addr >= prev_vma->vm_end))) {
17997 + if (check_heap_stack_gap(vma, addr, len)) {
17998 /* remember the address as a hint for next time */
17999 - mm->cached_hole_size = largest_hole;
18000 - return (mm->free_area_cache = addr);
18002 - /* pull free_area_cache down to the first hole */
18003 - if (mm->free_area_cache == vma->vm_end) {
18004 - mm->free_area_cache = vma->vm_start;
18005 - mm->cached_hole_size = largest_hole;
18007 + mm->cached_hole_size = largest_hole;
18008 + return (mm->free_area_cache = addr);
18010 + /* pull free_area_cache down to the first hole */
18011 + if (mm->free_area_cache == vma->vm_end) {
18012 + mm->free_area_cache = vma->vm_start;
18013 + mm->cached_hole_size = largest_hole;
18016 /* remember the largest hole we saw so far */
18017 if (addr + largest_hole < vma->vm_start)
18018 - largest_hole = vma->vm_start - addr;
18019 + largest_hole = vma->vm_start - addr;
18021 /* try just below the current vma->vm_start */
18022 - addr = (vma->vm_start - len) & huge_page_mask(h);
18023 - } while (len <= vma->vm_start);
18024 + addr = skip_heap_stack_gap(vma, len);
18025 + } while (!IS_ERR_VALUE(addr));
18029 - * if hint left us with no space for the requested
18030 - * mapping then try again:
18032 - if (first_time) {
18033 - mm->free_area_cache = base;
18034 - largest_hole = 0;
18039 * A failed mmap() very likely causes application failure,
18040 * so fall back to the bottom-up function here. This scenario
18041 * can happen with large stack limits and large mmap()
18044 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18046 +#ifdef CONFIG_PAX_SEGMEXEC
18047 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18048 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18052 + mm->mmap_base = TASK_UNMAPPED_BASE;
18054 +#ifdef CONFIG_PAX_RANDMMAP
18055 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18056 + mm->mmap_base += mm->delta_mmap;
18059 + mm->free_area_cache = mm->mmap_base;
18060 mm->cached_hole_size = ~0UL;
18061 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18062 len, pgoff, flags);
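Review bot: The fallback path now rewrites `mm->mmap_base` (to `SEGMEXEC_TASK_UNMAPPED_BASE` or `TASK_UNMAPPED_BASE`, plus `delta_mmap` under RANDMMAP) purely so that hugetlb_get_unmapped_area_bottomup, which this patch changes to start from `mm->mmap_base`, picks up a bottom-up base, and it relies on the `mm->mmap_base = base;` restore after `fail:` in the next hunk; that round trip through a field of `mm` deserves a comment at the assignment, e.g. `/* bottomup searches from mm->mmap_base; point it at the bottom-up base for the fallback, restored at fail: */`. The removed `first_time` retry from `base` is replaced by the `while (!IS_ERR_VALUE(addr))` loop over `skip_heap_stack_gap`, which changes when the bottom-up fallback is reached; if that is intentional a sentence in the commit description would help. The `do {` that opens the search loop and the `#else`/`#endif` lines are not shown on this page.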
18063 @@ -386,6 +392,7 @@ fail:
18065 * Restore the topdown base:
18067 + mm->mmap_base = base;
18068 mm->free_area_cache = base;
18069 mm->cached_hole_size = ~0UL;
18071 @@ -399,10 +406,19 @@ hugetlb_get_unmapped_area(struct file *f
18072 struct hstate *h = hstate_file(file);
18073 struct mm_struct *mm = current->mm;
18074 struct vm_area_struct *vma;
18075 + unsigned long pax_task_size = TASK_SIZE;
18077 if (len & ~huge_page_mask(h))
18079 - if (len > TASK_SIZE)
18081 +#ifdef CONFIG_PAX_SEGMEXEC
18082 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18083 + pax_task_size = SEGMEXEC_TASK_SIZE;
18086 + pax_task_size -= PAGE_SIZE;
18088 + if (len > pax_task_size)
18091 if (flags & MAP_FIXED) {
18092 @@ -414,8 +430,7 @@ hugetlb_get_unmapped_area(struct file *f
18094 addr = ALIGN(addr, huge_page_size(h));
18095 vma = find_vma(mm, addr);
18096 - if (TASK_SIZE - len >= addr &&
18097 - (!vma || addr + len <= vma->vm_start))
18098 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18101 if (mm->get_unmapped_area == arch_get_unmapped_area)
18102 diff -urNp linux-2.6.38.1/arch/x86/mm/init_32.c linux-2.6.38.1-new/arch/x86/mm/init_32.c
18103 --- linux-2.6.38.1/arch/x86/mm/init_32.c 2011-03-14 21:20:32.000000000 -0400
18104 +++ linux-2.6.38.1-new/arch/x86/mm/init_32.c 2011-03-21 18:31:35.000000000 -0400
18105 @@ -74,36 +74,6 @@ static __init void *alloc_low_page(void)
18109 - * Creates a middle page table and puts a pointer to it in the
18110 - * given global directory entry. This only returns the gd entry
18111 - * in non-PAE compilation mode, since the middle layer is folded.
18113 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18116 - pmd_t *pmd_table;
18118 -#ifdef CONFIG_X86_PAE
18119 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18120 - if (after_bootmem)
18121 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18123 - pmd_table = (pmd_t *)alloc_low_page();
18124 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18125 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18126 - pud = pud_offset(pgd, 0);
18127 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18129 - return pmd_table;
18132 - pud = pud_offset(pgd, 0);
18133 - pmd_table = pmd_offset(pud, 0);
18135 - return pmd_table;
18139 * Create a page table and place a pointer to it in a middle page
18142 @@ -123,13 +93,28 @@ static pte_t * __init one_page_table_ini
18143 page_table = (pte_t *)alloc_low_page();
18145 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18146 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18147 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18149 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18151 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18154 return pte_offset_kernel(pmd, 0);
18157 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18160 + pmd_t *pmd_table;
18162 + pud = pud_offset(pgd, 0);
18163 + pmd_table = pmd_offset(pud, 0);
18165 + return pmd_table;
18168 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18170 int pgd_idx = pgd_index(vaddr);
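Review bot: The rewritten one_md_table_init no longer allocates a PMD table when the PGD entry is empty (the `#ifdef CONFIG_X86_PAE` branch of the deleted version), so it now assumes every PGD slot it is asked about already points at a PMD page; that precondition should be stated on the function, e.g. `/* PMD tables are pre-populated for the whole kernel range in this tree; this only walks to the existing table and must not see an empty PGD entry. */`, with a pointer to where the pre-population happens, since on PAE a caller reaching an empty entry could walk into a bogus table. The `_KERNPG_TABLE` vs `_PAGE_TABLE` split under CONFIG_PAX_PAGEEXEC/SEGMEXEC in one_page_table_init drops `_PAGE_USER` from the PMD entry that points at kernel page tables; a comment on why those configurations want the kernel page tables supervisor-only would make the intent clear. The `#else`/`#endif` lines and the functions' opening braces are not visible here.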
18171 @@ -203,6 +188,7 @@ page_table_range_init(unsigned long star
18172 int pgd_idx, pmd_idx;
18173 unsigned long vaddr;
18179 @@ -212,8 +198,13 @@ page_table_range_init(unsigned long star
18180 pgd = pgd_base + pgd_idx;
18182 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18183 - pmd = one_md_table_init(pgd);
18184 - pmd = pmd + pmd_index(vaddr);
18185 + pud = pud_offset(pgd, vaddr);
18186 + pmd = pmd_offset(pud, vaddr);
18188 +#ifdef CONFIG_X86_PAE
18189 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18192 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18193 pmd++, pmd_idx++) {
18194 pte = page_table_kmap_check(one_page_table_init(pmd),
18195 @@ -225,11 +216,20 @@ page_table_range_init(unsigned long star
18199 -static inline int is_kernel_text(unsigned long addr)
18200 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18202 - if (addr >= (unsigned long)_text && addr <= (unsigned long)__init_end)
18205 + if ((start > ktla_ktva((unsigned long)_etext) ||
18206 + end <= ktla_ktva((unsigned long)_stext)) &&
18207 + (start > ktla_ktva((unsigned long)_einittext) ||
18208 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18210 +#ifdef CONFIG_ACPI_SLEEP
18211 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18214 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
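Review bot: The range form of is_kernel_text hard-codes `0x4000` for the ACPI wakeup area and the `__va(0xc0000)`–`__va(0xfffff)` window without naming either; both should be named constants or at least carry a comment (`/* legacy BIOS / option-ROM area 0xc0000-0xfffff; confirm this is kept executable for the real-mode callers */`), since these ranges also decide which pages get `PAGE_KERNEL_EXEC` in kernel_physical_mapping_init. The condition is an overlap test written as a conjunction of "no overlap" clauses; a helper like `static inline int ranges_overlap(unsigned long s1, unsigned long e1, unsigned long s2, unsigned long e2)` would make the five clauses readable and the half-open convention explicit. The `#endif` lines and the `return` statements that the condition selects are not visible on this page.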
18220 @@ -246,9 +246,10 @@ kernel_physical_mapping_init(unsigned lo
18221 unsigned long last_map_addr = end;
18222 unsigned long start_pfn, end_pfn;
18223 pgd_t *pgd_base = swapper_pg_dir;
18224 - int pgd_idx, pmd_idx, pte_ofs;
18225 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18231 unsigned pages_2m, pages_4k;
18232 @@ -281,8 +282,13 @@ repeat:
18234 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18235 pgd = pgd_base + pgd_idx;
18236 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18237 - pmd = one_md_table_init(pgd);
18238 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18239 + pud = pud_offset(pgd, 0);
18240 + pmd = pmd_offset(pud, 0);
18242 +#ifdef CONFIG_X86_PAE
18243 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18246 if (pfn >= end_pfn)
18248 @@ -294,14 +300,13 @@ repeat:
18250 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18251 pmd++, pmd_idx++) {
18252 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18253 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18256 * Map with big pages if possible, otherwise
18257 * create normal page tables:
18260 - unsigned int addr2;
18261 pgprot_t prot = PAGE_KERNEL_LARGE;
18263 * first pass will use the same initial
18264 @@ -311,11 +316,7 @@ repeat:
18265 __pgprot(PTE_IDENT_ATTR |
18268 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18269 - PAGE_OFFSET + PAGE_SIZE-1;
18271 - if (is_kernel_text(addr) ||
18272 - is_kernel_text(addr2))
18273 + if (is_kernel_text(address, address + PMD_SIZE))
18274 prot = PAGE_KERNEL_LARGE_EXEC;
18277 @@ -332,7 +333,7 @@ repeat:
18278 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18280 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18281 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18282 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18283 pgprot_t prot = PAGE_KERNEL;
18285 * first pass will use the same initial
18286 @@ -340,7 +341,7 @@ repeat:
18288 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18290 - if (is_kernel_text(addr))
18291 + if (is_kernel_text(address, address + PAGE_SIZE))
18292 prot = PAGE_KERNEL_EXEC;
18295 @@ -472,7 +473,7 @@ void __init native_pagetable_setup_start
18297 pud = pud_offset(pgd, va);
18298 pmd = pmd_offset(pud, va);
18299 - if (!pmd_present(*pmd))
18300 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18303 pte = pte_offset_kernel(pmd, va);
18304 @@ -524,12 +525,10 @@ void __init early_ioremap_page_table_ran
18306 static void __init pagetable_init(void)
18308 - pgd_t *pgd_base = swapper_pg_dir;
18310 - permanent_kmaps_init(pgd_base);
18311 + permanent_kmaps_init(swapper_pg_dir);
18314 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18315 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18316 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18318 /* user-defined highmem size */
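Review bot: Marking `__supported_pte_mask` `__read_only` (here and in the init_64.c hunk of this patch) means every writer has to run before the read-only section is sealed or go through the patch's open/close kernel primitives; mainline writes it during boot-time NX setup, so a comment at the definition stating that expectation, e.g. `/* __read_only: written only during early NX setup, before the section is write-protected */`, would document the constraint for anyone adding a later writer. The sealing point and the remaining writers are outside this page, so this is a documentation request rather than a defect report.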
18319 @@ -755,6 +754,12 @@ void __init mem_init(void)
18323 +#ifdef CONFIG_PAX_PER_CPU_PGD
18324 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18325 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18326 + KERNEL_PGD_PTRS);
18329 #ifdef CONFIG_FLATMEM
18332 @@ -772,7 +777,7 @@ void __init mem_init(void)
18333 set_highmem_pages_init();
18335 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18336 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18337 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18338 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18340 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18341 @@ -813,10 +818,10 @@ void __init mem_init(void)
18342 ((unsigned long)&__init_end -
18343 (unsigned long)&__init_begin) >> 10,
18345 - (unsigned long)&_etext, (unsigned long)&_edata,
18346 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18347 + (unsigned long)&_sdata, (unsigned long)&_edata,
18348 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18350 - (unsigned long)&_text, (unsigned long)&_etext,
18351 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18352 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18355 @@ -894,6 +899,7 @@ void set_kernel_text_rw(void)
18356 if (!kernel_set_to_readonly)
18359 + start = ktla_ktva(start);
18360 pr_debug("Set kernel text: %lx - %lx for read write\n",
18361 start, start+size);
18363 @@ -908,6 +914,7 @@ void set_kernel_text_ro(void)
18364 if (!kernel_set_to_readonly)
18367 + start = ktla_ktva(start);
18368 pr_debug("Set kernel text: %lx - %lx for read only\n",
18369 start, start+size);
18371 @@ -936,6 +943,7 @@ void mark_rodata_ro(void)
18372 unsigned long start = PFN_ALIGN(_text);
18373 unsigned long size = PFN_ALIGN(_etext) - start;
18375 + start = ktla_ktva(start);
18376 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18377 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18379 diff -urNp linux-2.6.38.1/arch/x86/mm/init_64.c linux-2.6.38.1-new/arch/x86/mm/init_64.c
18380 --- linux-2.6.38.1/arch/x86/mm/init_64.c 2011-03-14 21:20:32.000000000 -0400
18381 +++ linux-2.6.38.1-new/arch/x86/mm/init_64.c 2011-03-21 18:31:35.000000000 -0400
18382 @@ -72,7 +72,7 @@ early_param("gbpages", parse_direct_gbpa
18383 * around without checking the pgd every time.
18386 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18387 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18388 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18390 int force_personality32;
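Review bot: The 64-bit initializer changes from `~_PAGE_IOMAP` to `~(_PAGE_NX | _PAGE_IOMAP)`, so NX is now opt-in and must be switched on at boot when the CPU supports it; several new checks in this patch (`__supported_pte_mask & _PAGE_NX` in show_fault_oops, __bad_area_nosemaphore and access_error in fault.c) silently become no-ops if that enabling is missed. A comment at the definition pointing at where the bit is set, e.g. `/* NX is masked out here and enabled at boot once the CPU reports it; the fault path keys off this bit */`, would tie the two together.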
18391 @@ -105,12 +105,22 @@ void sync_global_pgds(unsigned long star
18393 for (address = start; address <= end; address += PGDIR_SIZE) {
18394 const pgd_t *pgd_ref = pgd_offset_k(address);
18396 +#ifdef CONFIG_PAX_PER_CPU_PGD
18397 + unsigned long cpu;
18402 if (pgd_none(*pgd_ref))
18405 spin_lock(&pgd_lock);
18407 +#ifdef CONFIG_PAX_PER_CPU_PGD
18408 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18409 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
18411 list_for_each_entry(page, &pgd_list, lru) {
18413 spinlock_t *pgt_lock;
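Review bot: Under CONFIG_PAX_PER_CPU_PGD the walk over `pgd_list` is replaced by `for (cpu = 0; cpu < NR_CPUS; ++cpu)` with `pgd_offset_cpu(cpu, address)`; if the per-CPU PGDs live in per-CPU data, only possible CPUs have that area set up and the loop should be `for_each_possible_cpu(cpu)`, while if they are a static `[NR_CPUS]` array the plain loop is fine and a comment should say so. In the following hunk the `spin_unlock(pgt_lock)` is wrapped in `#ifndef CONFIG_PAX_PER_CPU_PGD` while the `spin_lock(pgt_lock)` shown there is not; presumably the lock is guarded on lines not shown on this page, but the pair should be checked together, since an unmatched spin_lock here would deadlock the next sync. The `#else`/`#endif` lines of both blocks are not visible here, and sync_global_pgds continues on both sides of the hunk.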
18414 @@ -119,6 +129,7 @@ void sync_global_pgds(unsigned long star
18415 /* the pgt_lock only for Xen */
18416 pgt_lock = &pgd_page_get_mm(page)->page_table_lock;
18417 spin_lock(pgt_lock);
18420 if (pgd_none(*pgd))
18421 set_pgd(pgd, *pgd_ref);
18422 @@ -126,7 +137,10 @@ void sync_global_pgds(unsigned long star
18423 BUG_ON(pgd_page_vaddr(*pgd)
18424 != pgd_page_vaddr(*pgd_ref));
18426 +#ifndef CONFIG_PAX_PER_CPU_PGD
18427 spin_unlock(pgt_lock);
18431 spin_unlock(&pgd_lock);
18433 @@ -200,7 +214,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18434 pmd = fill_pmd(pud, vaddr);
18435 pte = fill_pte(pmd, vaddr);
18437 + pax_open_kernel();
18438 set_pte(pte, new_pte);
18439 + pax_close_kernel();
18442 * It's enough to flush this one mapping.
18443 @@ -259,14 +275,12 @@ static void __init __init_extra_mapping(
18444 pgd = pgd_offset_k((unsigned long)__va(phys));
18445 if (pgd_none(*pgd)) {
18446 pud = (pud_t *) spp_getpage();
18447 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18449 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18451 pud = pud_offset(pgd, (unsigned long)__va(phys));
18452 if (pud_none(*pud)) {
18453 pmd = (pmd_t *) spp_getpage();
18454 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18456 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18458 pmd = pmd_offset(pud, phys);
18459 BUG_ON(!pmd_none(*pmd));
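Review bot: `_PAGE_TABLE` carries `_PAGE_USER`, so the replaced `set_pgd`/`set_pud` calls now publish the user bit on the upper-level entries of this extra mapping; the continuation line of the removed expressions is not visible, so I can't tell whether that bit was already present before. A one-line comment above `set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));` stating why a kernel-created mapping needs user-accessible page-table entries would save the next reader a trip through the pgtable headers. __init_extra_mapping continues outside the hunk.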
18460 @@ -706,6 +720,12 @@ void __init mem_init(void)
18464 +#ifdef CONFIG_PAX_PER_CPU_PGD
18465 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18466 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18467 + KERNEL_PGD_PTRS);
18470 /* clear_bss() already clear the empty_zero_page */
18473 @@ -866,8 +886,8 @@ int kern_addr_valid(unsigned long addr)
18474 static struct vm_area_struct gate_vma = {
18475 .vm_start = VSYSCALL_START,
18476 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18477 - .vm_page_prot = PAGE_READONLY_EXEC,
18478 - .vm_flags = VM_READ | VM_EXEC
18479 + .vm_page_prot = PAGE_READONLY,
18480 + .vm_flags = VM_READ
18483 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
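Review bot: Dropping `VM_EXEC` and switching `gate_vma` to `PAGE_READONLY` makes the fixed-address vsyscall page non-executable, which removes a well-known static gadget source but also means older userspace that still calls into it will fault. Nothing in this hunk says where such faults are handled, so a comment on `gate_vma` pointing at the emulation or fault path that takes over (if one exists elsewhere in this patch) would make the intent auditable. Without such a path this is a user-visible compatibility change and should be called out as one.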
18484 @@ -901,7 +921,7 @@ int in_gate_area_no_task(unsigned long a
18486 const char *arch_vma_name(struct vm_area_struct *vma)
18488 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18489 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18491 if (vma == &gate_vma)
18492 return "[vsyscall]";
18493 diff -urNp linux-2.6.38.1/arch/x86/mm/init.c linux-2.6.38.1-new/arch/x86/mm/init.c
18494 --- linux-2.6.38.1/arch/x86/mm/init.c 2011-03-14 21:20:32.000000000 -0400
18495 +++ linux-2.6.38.1-new/arch/x86/mm/init.c 2011-03-21 18:31:35.000000000 -0400
18496 @@ -72,11 +72,7 @@ static void __init find_early_table_spac
18497 * cause a hotspot and fill up ZONE_DMA. The page tables
18498 * need roughly 0.5KB per GB.
18500 -#ifdef CONFIG_X86_32
18505 + start = 0x100000;
18506 base = memblock_find_in_range(start, max_pfn_mapped<<PAGE_SHIFT,
18507 tables, PAGE_SIZE);
18508 if (base == MEMBLOCK_ERROR)
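Review bot: `start = 0x100000;` introduces a bare magic number for the 1 MiB boundary where `ISA_END_ADDRESS` is available and is used by this same file a few hunks later in devmem_is_allowed; `start = ISA_END_ADDRESS;` reads as the intent. The removed `#ifdef CONFIG_X86_32` block is only partially visible, so I can't confirm what the 64-bit path used before; find_early_table_space continues outside the hunk.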
18509 @@ -323,7 +319,13 @@ unsigned long __init_refok init_memory_m
18511 int devmem_is_allowed(unsigned long pagenr)
18513 - if (pagenr <= 256)
18516 +#ifdef CONFIG_VM86
18517 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18520 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18522 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
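Review bot: The `return` statements following the two new conditions are not visible in this view, so the intent can only be read from the bounds: pages below `ISA_START_ADDRESS` are exposed through /dev/mem only with CONFIG_VM86, and the ISA hole up to `ISA_END_ADDRESS` stays exposed, which also drops the page at exactly 1 MiB that the old inclusive `pagenr <= 256` let through. A comment such as `/* low RAM is only needed by vm86 callers; the ISA hole (video/ROM) stays accessible */` above the `#ifdef CONFIG_VM86` would record why the two ranges are treated differently. devmem_is_allowed continues outside the hunk.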
18524 @@ -383,6 +385,86 @@ void free_init_pages(char *what, unsigne
18526 void free_initmem(void)
18529 +#ifdef CONFIG_PAX_KERNEXEC
18530 +#ifdef CONFIG_X86_32
18531 + /* PaX: limit KERNEL_CS to actual size */
18532 + unsigned long addr, limit;
18533 + struct desc_struct d;
18536 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
18537 + limit = (limit - 1UL) >> PAGE_SHIFT;
18539 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
18540 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
18541 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
18542 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
18545 + /* PaX: make KERNEL_CS read-only */
18546 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
18547 + if (!paravirt_enabled())
18548 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
18550 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
18551 + pgd = pgd_offset_k(addr);
18552 + pud = pud_offset(pgd, addr);
18553 + pmd = pmd_offset(pud, addr);
18554 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18557 +#ifdef CONFIG_X86_PAE
18558 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
18560 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
18561 + pgd = pgd_offset_k(addr);
18562 + pud = pud_offset(pgd, addr);
18563 + pmd = pmd_offset(pud, addr);
18564 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18569 +#ifdef CONFIG_MODULES
18570 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
18577 + unsigned long addr, end;
18579 + /* PaX: make kernel code/rodata read-only, rest non-executable */
18580 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
18581 + pgd = pgd_offset_k(addr);
18582 + pud = pud_offset(pgd, addr);
18583 + pmd = pmd_offset(pud, addr);
18584 + if (!pmd_present(*pmd))
18586 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
18587 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18589 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
18592 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
18593 + end = addr + KERNEL_IMAGE_SIZE;
18594 + for (; addr < end; addr += PMD_SIZE) {
18595 + pgd = pgd_offset_k(addr);
18596 + pud = pud_offset(pgd, addr);
18597 + pmd = pmd_offset(pud, addr);
18598 + if (!pmd_present(*pmd))
18600 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
18601 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
18608 free_init_pages("unused kernel memory",
18609 (unsigned long)(&__init_begin),
18610 (unsigned long)(&__init_end));
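Review bot: The 32-bit KERNEXEC block hard-codes descriptor bytes in `pack_descriptor(&d, ..., limit, 0x9B, 0xC)` and poisons one page with `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);` without saying what either does; a comment naming the access byte (present, ring 0, readable code) and the granularity/size flags, and one stating why that particular page is poisoned, would make this auditable. The `cpu` loop variable used at `for (cpu = 0; cpu < NR_CPUS; cpu++)` is declared on a line not visible here, and `limit` is derived from `&_etext` while the RW-clearing loop below runs to `_sdata`, so the KERNEL_CS limit and the read-only range do not cover the same bytes — if that is intentional (rodata readable but not executable) it deserves a comment. free_initmem's closing lines fall outside the hunk.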
18611 diff -urNp linux-2.6.38.1/arch/x86/mm/iomap_32.c linux-2.6.38.1-new/arch/x86/mm/iomap_32.c
18612 --- linux-2.6.38.1/arch/x86/mm/iomap_32.c 2011-03-14 21:20:32.000000000 -0400
18613 +++ linux-2.6.38.1-new/arch/x86/mm/iomap_32.c 2011-03-21 18:31:35.000000000 -0400
18614 @@ -64,7 +64,11 @@ void *kmap_atomic_prot_pfn(unsigned long
18615 type = kmap_atomic_idx_push();
18616 idx = type + KM_TYPE_NR * smp_processor_id();
18617 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18619 + pax_open_kernel();
18620 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
18621 + pax_close_kernel();
18623 arch_flush_lazy_mmu_mode();
18625 return (void *)vaddr;
18626 diff -urNp linux-2.6.38.1/arch/x86/mm/ioremap.c linux-2.6.38.1-new/arch/x86/mm/ioremap.c
18627 --- linux-2.6.38.1/arch/x86/mm/ioremap.c 2011-03-14 21:20:32.000000000 -0400
18628 +++ linux-2.6.38.1-new/arch/x86/mm/ioremap.c 2011-03-21 18:31:35.000000000 -0400
18629 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
18630 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
18631 int is_ram = page_is_ram(pfn);
18633 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
18634 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
18636 WARN_ON_ONCE(is_ram);
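Review bot: The new condition uses a bare `0x100` for the first page above 1 MiB; `pfn >= (ISA_END_ADDRESS >> PAGE_SHIFT)` says the same thing with a name that devmem_is_allowed already uses in this patch. The effect — reserved RAM above 1 MiB can no longer be ioremapped, so the `PageReserved` exemption only covers the legacy low area — is a useful hardening against creating aliases of kernel-owned pages, and a short comment stating that intent above the `if` would keep a future cleanup from reverting it. __ioremap_caller continues outside the hunk.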
18638 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
18639 early_param("early_ioremap_debug", early_ioremap_debug_setup);
18641 static __initdata int after_paging_init;
18642 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
18643 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
18645 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
18647 @@ -381,8 +381,7 @@ void __init early_ioremap_init(void)
18648 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
18650 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
18651 - memset(bm_pte, 0, sizeof(bm_pte));
18652 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
18653 + pmd_populate_user(&init_mm, pmd, bm_pte);
18656 * The boot-ioremap range spans multiple pmds, for which
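Review bot: The `memset(bm_pte, 0, sizeof(bm_pte))` is removed while `bm_pte` moves from `__page_aligned_bss` to `__read_only __aligned(PAGE_SIZE)`, so its zero state now comes from the image's data section instead of clear_bss(); a comment at the `pmd_populate_user` call should say that the array is relied upon to be zero here and that later writes to it go through whatever mechanism opens `__read_only` data. The switch from `pmd_populate_kernel` to `pmd_populate_user` also changes the flags placed in the fixmap pmd; the difference is not visible in this hunk, so the same comment should name which bit differs and why a kernel-only mapping needs it. early_ioremap_init continues outside the hunk.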
18657 diff -urNp linux-2.6.38.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.38.1-new/arch/x86/mm/kmemcheck/kmemcheck.c
18658 --- linux-2.6.38.1/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-14 21:20:32.000000000 -0400
18659 +++ linux-2.6.38.1-new/arch/x86/mm/kmemcheck/kmemcheck.c 2011-03-21 18:31:35.000000000 -0400
18660 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
18661 * memory (e.g. tracked pages)? For now, we need this to avoid
18662 * invoking kmemcheck for PnP BIOS calls.
18664 - if (regs->flags & X86_VM_MASK)
18665 + if (v8086_mode(regs))
18667 - if (regs->cs != __KERNEL_CS)
18668 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
18671 pte = kmemcheck_pte_lookup(address);
18672 diff -urNp linux-2.6.38.1/arch/x86/mm/mmap.c linux-2.6.38.1-new/arch/x86/mm/mmap.c
18673 --- linux-2.6.38.1/arch/x86/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
18674 +++ linux-2.6.38.1-new/arch/x86/mm/mmap.c 2011-03-21 18:31:35.000000000 -0400
18675 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
18676 * Leave an at least ~128 MB hole with possible stack randomization.
18678 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
18679 -#define MAX_GAP (TASK_SIZE/6*5)
18680 +#define MAX_GAP (pax_task_size/6*5)
18683 * True on X86_32 or when emulating IA32 on X86_64
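Review bot: `#define MAX_GAP (pax_task_size/6*5)` now expands to an expression over `pax_task_size`, which is a local variable declared inside mmap_base() in the next hunk; the macro compiles only at that one use site and fails with an undeclared identifier anywhere else. Either give the macro the value it depends on, e.g. `#define MAX_GAP(task_size) ((task_size)/6*5)` used as `MAX_GAP(pax_task_size)`, or add a comment next to the define stating that it must only be used inside mmap_base().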
18684 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
18685 return rnd << PAGE_SHIFT;
18688 -static unsigned long mmap_base(void)
18689 +static unsigned long mmap_base(struct mm_struct *mm)
18691 unsigned long gap = rlimit(RLIMIT_STACK);
18692 + unsigned long pax_task_size = TASK_SIZE;
18694 +#ifdef CONFIG_PAX_SEGMEXEC
18695 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18696 + pax_task_size = SEGMEXEC_TASK_SIZE;
18701 else if (gap > MAX_GAP)
18704 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
18705 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
18709 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
18710 * does, but not when emulating X86_32
18712 -static unsigned long mmap_legacy_base(void)
18713 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
18715 - if (mmap_is_ia32())
18716 + if (mmap_is_ia32()) {
18718 +#ifdef CONFIG_PAX_SEGMEXEC
18719 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18720 + return SEGMEXEC_TASK_UNMAPPED_BASE;
18724 return TASK_UNMAPPED_BASE;
18727 return TASK_UNMAPPED_BASE + mmap_rnd();
18730 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
18731 void arch_pick_mmap_layout(struct mm_struct *mm)
18733 if (mmap_is_legacy()) {
18734 - mm->mmap_base = mmap_legacy_base();
18735 + mm->mmap_base = mmap_legacy_base(mm);
18737 +#ifdef CONFIG_PAX_RANDMMAP
18738 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18739 + mm->mmap_base += mm->delta_mmap;
18742 mm->get_unmapped_area = arch_get_unmapped_area;
18743 mm->unmap_area = arch_unmap_area;
18745 - mm->mmap_base = mmap_base();
18746 + mm->mmap_base = mmap_base(mm);
18748 +#ifdef CONFIG_PAX_RANDMMAP
18749 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18750 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
18753 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
18754 mm->unmap_area = arch_unmap_area_topdown;
18756 diff -urNp linux-2.6.38.1/arch/x86/mm/numa_32.c linux-2.6.38.1-new/arch/x86/mm/numa_32.c
18757 --- linux-2.6.38.1/arch/x86/mm/numa_32.c 2011-03-14 21:20:32.000000000 -0400
18758 +++ linux-2.6.38.1-new/arch/x86/mm/numa_32.c 2011-03-21 18:31:35.000000000 -0400
18759 @@ -99,7 +99,6 @@ unsigned long node_memmap_size_bytes(int
18763 -extern unsigned long find_max_low_pfn(void);
18764 extern unsigned long highend_pfn, highstart_pfn;
18766 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
18767 diff -urNp linux-2.6.38.1/arch/x86/mm/pageattr.c linux-2.6.38.1-new/arch/x86/mm/pageattr.c
18768 --- linux-2.6.38.1/arch/x86/mm/pageattr.c 2011-03-14 21:20:32.000000000 -0400
18769 +++ linux-2.6.38.1-new/arch/x86/mm/pageattr.c 2011-03-21 18:31:35.000000000 -0400
18770 @@ -261,7 +261,7 @@ static inline pgprot_t static_protection
18772 #ifdef CONFIG_PCI_BIOS
18773 if (pcibios_enabled && within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
18774 - pgprot_val(forbidden) |= _PAGE_NX;
18775 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18779 @@ -269,9 +269,10 @@ static inline pgprot_t static_protection
18780 * Does not cover __inittext since that is gone later on. On
18781 * 64bit we do not enforce !NX on the low mapping
18783 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
18784 - pgprot_val(forbidden) |= _PAGE_NX;
18785 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
18786 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18788 +#ifdef CONFIG_DEBUG_RODATA
18790 * The .rodata section needs to be read-only. Using the pfn
18791 * catches all aliases.
18792 @@ -279,6 +280,7 @@ static inline pgprot_t static_protection
18793 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
18794 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
18795 pgprot_val(forbidden) |= _PAGE_RW;
18798 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
18800 @@ -317,6 +319,13 @@ static inline pgprot_t static_protection
18804 +#ifdef CONFIG_PAX_KERNEXEC
18805 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
18806 + pgprot_val(forbidden) |= _PAGE_RW;
18807 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
18811 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
18814 @@ -369,23 +378,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
18815 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
18817 /* change init_mm */
18818 + pax_open_kernel();
18819 set_pte_atomic(kpte, pte);
18821 #ifdef CONFIG_X86_32
18822 if (!SHARED_KERNEL_PMD) {
18824 +#ifdef CONFIG_PAX_PER_CPU_PGD
18825 + unsigned long cpu;
18830 +#ifdef CONFIG_PAX_PER_CPU_PGD
18831 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
18832 + pgd_t *pgd = get_cpu_pgd(cpu);
18834 list_for_each_entry(page, &pgd_list, lru) {
18836 + pgd_t *pgd = (pgd_t *)page_address(page);
18842 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
18843 + pgd += pgd_index(address);
18844 pud = pud_offset(pgd, address);
18845 pmd = pmd_offset(pud, address);
18846 set_pte_atomic((pte_t *)pmd, pte);
18850 + pax_close_kernel();
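Review bot: Both new branches declare a block-local `pgd_t *pgd` (`pgd_t *pgd = get_cpu_pgd(cpu);` and `pgd_t *pgd = (pgd_t *)page_address(page);`) while the removed line assigned to a `pgd` from an enclosing scope; if that outer declaration is still present on a line not visible here, the new code shadows it and `-Wshadow` will flag it, so the outer declaration should be dropped. `pax_open_kernel()` is now opened before `set_pte_atomic(kpte, pte)` and only closed after the whole per-cpu loop or pgd_list walk; a comment stating that holding it across the walk is intended (rather than opening and closing per entry) would make the width of that window a deliberate choice. __set_pmd_pte's remaining lines are partly outside this hunk.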
18854 diff -urNp linux-2.6.38.1/arch/x86/mm/pageattr-test.c linux-2.6.38.1-new/arch/x86/mm/pageattr-test.c
18855 --- linux-2.6.38.1/arch/x86/mm/pageattr-test.c 2011-03-14 21:20:32.000000000 -0400
18856 +++ linux-2.6.38.1-new/arch/x86/mm/pageattr-test.c 2011-03-21 18:31:35.000000000 -0400
18857 @@ -36,7 +36,7 @@ enum {
18859 static int pte_testbit(pte_t pte)
18861 - return pte_flags(pte) & _PAGE_UNUSED1;
18862 + return pte_flags(pte) & _PAGE_CPA_TEST;
18865 struct split_state {
18866 diff -urNp linux-2.6.38.1/arch/x86/mm/pat.c linux-2.6.38.1-new/arch/x86/mm/pat.c
18867 --- linux-2.6.38.1/arch/x86/mm/pat.c 2011-03-14 21:20:32.000000000 -0400
18868 +++ linux-2.6.38.1-new/arch/x86/mm/pat.c 2011-03-21 18:31:35.000000000 -0400
18869 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
18872 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
18873 - current->comm, current->pid, start, end);
18874 + current->comm, task_pid_nr(current), start, end);
18878 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
18879 while (cursor < to) {
18880 if (!devmem_is_allowed(pfn)) {
18882 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
18883 - current->comm, from, to);
18884 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
18885 + current->comm, from, to, cursor);
18888 cursor += PAGE_SIZE;
18889 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
18891 "%s:%d ioremap_change_attr failed %s "
18893 - current->comm, current->pid,
18894 + current->comm, task_pid_nr(current),
18896 base, (unsigned long long)(base + size));
18898 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
18899 if (want_flags != flags) {
18900 printk(KERN_WARNING
18901 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
18902 - current->comm, current->pid,
18903 + current->comm, task_pid_nr(current),
18904 cattr_name(want_flags),
18905 (unsigned long long)paddr,
18906 (unsigned long long)(paddr + size),
18907 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
18908 free_memtype(paddr, paddr + size);
18909 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
18910 " for %Lx-%Lx, got %s\n",
18911 - current->comm, current->pid,
18912 + current->comm, task_pid_nr(current),
18913 cattr_name(want_flags),
18914 (unsigned long long)paddr,
18915 (unsigned long long)(paddr + size),
18916 diff -urNp linux-2.6.38.1/arch/x86/mm/pgtable_32.c linux-2.6.38.1-new/arch/x86/mm/pgtable_32.c
18917 --- linux-2.6.38.1/arch/x86/mm/pgtable_32.c 2011-03-14 21:20:32.000000000 -0400
18918 +++ linux-2.6.38.1-new/arch/x86/mm/pgtable_32.c 2011-03-21 18:31:35.000000000 -0400
18919 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
18922 pte = pte_offset_kernel(pmd, vaddr);
18924 + pax_open_kernel();
18925 if (pte_val(pteval))
18926 set_pte_at(&init_mm, vaddr, pte, pteval);
18928 pte_clear(&init_mm, vaddr, pte);
18929 + pax_close_kernel();
18932 * It's enough to flush this one mapping.
18933 diff -urNp linux-2.6.38.1/arch/x86/mm/pgtable.c linux-2.6.38.1-new/arch/x86/mm/pgtable.c
18934 --- linux-2.6.38.1/arch/x86/mm/pgtable.c 2011-03-23 17:20:06.000000000 -0400
18935 +++ linux-2.6.38.1-new/arch/x86/mm/pgtable.c 2011-03-24 23:22:14.000000000 -0400
18936 @@ -84,9 +84,58 @@ static inline void pgd_list_del(pgd_t *p
18937 list_del(&page->lru);
18940 -#define UNSHARED_PTRS_PER_PGD \
18941 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
18942 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18943 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
18945 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18948 + *dst++ = __pgd((pgd_val(*src++) | (_PAGE_NX & __supported_pte_mask)) & ~_PAGE_USER);
18952 +#ifdef CONFIG_PAX_PER_CPU_PGD
18953 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
18957 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18958 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
18966 +#ifdef CONFIG_PAX_PER_CPU_PGD
18967 +static inline void pgd_ctor(struct mm_struct *mm, pgd_t *pgd) {}
18968 +static inline void pgd_dtor(pgd_t *pgd) {}
18969 +#ifdef CONFIG_X86_64
18970 +#define pxd_t pud_t
18971 +#define pyd_t pgd_t
18972 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
18973 +#define pxd_free(mm, pud) pud_free((mm), (pud))
18974 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
18975 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
18976 +#define PYD_SIZE PGDIR_SIZE
18978 +#define pxd_t pmd_t
18979 +#define pyd_t pud_t
18980 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
18981 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
18982 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
18983 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
18984 +#define PYD_SIZE PUD_SIZE
18987 +#define pxd_t pmd_t
18988 +#define pyd_t pud_t
18989 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
18990 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
18991 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
18992 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
18993 +#define PYD_SIZE PUD_SIZE
18995 static void pgd_set_mm(pgd_t *pgd, struct mm_struct *mm)
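Review bot: `clone_pgd_mask __read_only = ~_PAGE_PRESENT;` and `__shadow_user_pgds` (which ORs in NX and clears `_PAGE_USER` on the copied entries) define the UDEREF split between user and kernel views of the page tables, but neither carries a comment; a header comment above `clone_pgd_mask` saying that the mask decides whether user-half pgd entries are present in the kernel's copy, and what (if anything) changes it after boot given `__read_only`, would make the mechanism reviewable. The `count` parameter of both helpers is `int` and the loop bodies are not visible here, so I can't tell whether a negative value is guarded; an `unsigned` count would remove the question. The `pyd_offset(mm ,address)` defines carry a stray space before the comma.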
18997 @@ -128,6 +177,7 @@ static void pgd_dtor(pgd_t *pgd)
18999 spin_unlock(&pgd_lock);
19004 * List of all pgd's needed for non-PAE so it can invalidate entries
19005 @@ -140,7 +190,7 @@ static void pgd_dtor(pgd_t *pgd)
19009 -#ifdef CONFIG_X86_PAE
19010 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19012 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19013 * updating the top-level pagetable entries to guarantee the
19014 @@ -152,7 +202,7 @@ static void pgd_dtor(pgd_t *pgd)
19015 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19016 * and initialize the kernel pmds here.
19018 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19019 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19021 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19023 @@ -170,36 +220,38 @@ void pud_populate(struct mm_struct *mm,
19027 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19028 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19029 #else /* !CONFIG_X86_PAE */
19031 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19032 -#define PREALLOCATED_PMDS 0
19033 +#define PREALLOCATED_PXDS 0
19035 #endif /* CONFIG_X86_PAE */
19037 -static void free_pmds(pmd_t *pmds[])
19038 +static void free_pxds(pxd_t *pxds[])
19042 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19044 - free_page((unsigned long)pmds[i]);
19045 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19047 + free_page((unsigned long)pxds[i]);
19050 -static int preallocate_pmds(pmd_t *pmds[])
19051 +static int preallocate_pxds(pxd_t *pxds[])
19054 bool failed = false;
19056 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19057 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19059 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19060 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19073 @@ -212,51 +264,55 @@ static int preallocate_pmds(pmd_t *pmds[
19074 * preallocate which never got a corresponding vma will need to be
19077 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19078 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19082 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19083 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19084 pgd_t pgd = pgdp[i];
19086 if (pgd_val(pgd) != 0) {
19087 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19088 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19090 - pgdp[i] = native_make_pgd(0);
19091 + set_pgd(pgdp + i, native_make_pgd(0));
19093 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19094 - pmd_free(mm, pmd);
19095 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19096 + pxd_free(mm, pxd);
19101 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19102 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19106 unsigned long addr;
19109 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19110 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19113 - pud = pud_offset(pgd, 0);
19114 +#ifdef CONFIG_X86_64
19115 + pyd = pyd_offset(mm, 0L);
19117 + pyd = pyd_offset(pgd, 0L);
19120 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19121 - i++, pud++, addr += PUD_SIZE) {
19122 - pmd_t *pmd = pmds[i];
19123 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19124 + i++, pyd++, addr += PYD_SIZE) {
19125 + pxd_t *pxd = pxds[i];
19127 if (i >= KERNEL_PGD_BOUNDARY)
19128 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19129 - sizeof(pmd_t) * PTRS_PER_PMD);
19130 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19131 + sizeof(pxd_t) * PTRS_PER_PMD);
19133 - pud_populate(mm, pud, pmd);
19134 + pyd_populate(mm, pyd, pxd);
19138 pgd_t *pgd_alloc(struct mm_struct *mm)
19141 - pmd_t *pmds[PREALLOCATED_PMDS];
19142 + pxd_t *pxds[PREALLOCATED_PXDS];
19144 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
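Review bot: `memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]), sizeof(pxd_t) * PTRS_PER_PMD);` copies `PTRS_PER_PMD` entries even though under CONFIG_X86_64 with CONFIG_PAX_PER_CPU_PGD `pxd_t` is `pud_t`; both constants are 512 on x86-64 so it works, but the intent is obscured. Adding a `PTRS_PER_PXD` alias next to the existing `PYD_SIZE`/`pyd_populate` defines and using it here keeps the generic naming honest. `pyd_offset(mm, 0L)` on 64-bit receives `mm` while the 32-bit path passes `pgd` to the same macro parameter named `mm`, which is worth a comment at the `#ifdef CONFIG_X86_64`. pgd_prepopulate_pxd's closing lines and the `#else` branch of that `#ifdef` are not visible in this hunk.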
19146 @@ -265,11 +321,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19150 - if (preallocate_pmds(pmds) != 0)
19151 + if (preallocate_pxds(pxds) != 0)
19154 if (paravirt_pgd_alloc(mm) != 0)
19155 - goto out_free_pmds;
19156 + goto out_free_pxds;
19159 * Make sure that pre-populating the pmds is atomic with
19160 @@ -279,14 +335,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19161 spin_lock(&pgd_lock);
19164 - pgd_prepopulate_pmd(mm, pgd, pmds);
19165 + pgd_prepopulate_pxd(mm, pgd, pxds);
19167 spin_unlock(&pgd_lock);
19176 free_page((unsigned long)pgd);
19178 @@ -295,7 +351,7 @@ out:
19180 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19182 - pgd_mop_up_pmds(mm, pgd);
19183 + pgd_mop_up_pxds(mm, pgd);
19185 paravirt_pgd_free(mm, pgd);
19186 free_page((unsigned long)pgd);
19187 diff -urNp linux-2.6.38.1/arch/x86/mm/setup_nx.c linux-2.6.38.1-new/arch/x86/mm/setup_nx.c
19188 --- linux-2.6.38.1/arch/x86/mm/setup_nx.c 2011-03-14 21:20:32.000000000 -0400
19189 +++ linux-2.6.38.1-new/arch/x86/mm/setup_nx.c 2011-03-21 18:31:35.000000000 -0400
19191 #include <asm/pgtable.h>
19192 #include <asm/proto.h>
19194 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19195 static int disable_nx __cpuinitdata;
19197 +#ifndef CONFIG_PAX_PAGEEXEC
19201 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19204 early_param("noexec", noexec_setup);
19209 void __cpuinit x86_configure_nx(void)
19211 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19212 if (cpu_has_nx && !disable_nx)
19213 __supported_pte_mask |= _PAGE_NX;
19216 __supported_pte_mask &= ~_PAGE_NX;
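Review bot: Gating `noexec_setup` behind `#ifndef CONFIG_PAX_PAGEEXEC` means the `noexec=` command-line switch disappears when PAGEEXEC is enabled, so NX cannot be turned off from the boot line; that is a deliberate hardening and deserves a one-line comment at the `#ifndef`, since `early_param("noexec", noexec_setup);` still appears in the hunk and the matching `#endif` is not visible here. `x86_configure_nx` still writes `__supported_pte_mask`, which this patch marks `__read_only` in arch/x86/mm/init_64.c; if that section is write-protected after init, the `__cpuinit` hotplug path needs whatever open/close mechanism the rest of the patch uses, and a comment here should say which applies.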
19219 diff -urNp linux-2.6.38.1/arch/x86/mm/tlb.c linux-2.6.38.1-new/arch/x86/mm/tlb.c
19220 --- linux-2.6.38.1/arch/x86/mm/tlb.c 2011-03-14 21:20:32.000000000 -0400
19221 +++ linux-2.6.38.1-new/arch/x86/mm/tlb.c 2011-03-21 18:31:35.000000000 -0400
19223 #include <asm/uv/uv.h>
19225 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19226 - = { &init_mm, 0, };
19227 + = { &init_mm, 0 };
19230 * Smarter SMP flushing macros.
19231 @@ -65,7 +65,11 @@ void leave_mm(int cpu)
19233 cpumask_clear_cpu(cpu,
19234 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19236 +#ifndef CONFIG_PAX_PER_CPU_PGD
19237 load_cr3(swapper_pg_dir);
19241 EXPORT_SYMBOL_GPL(leave_mm);
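Review bot: With CONFIG_PAX_PER_CPU_PGD the `load_cr3(swapper_pg_dir)` in leave_mm is compiled out, so the CPU is cleared from the mm's cpumask at `cpumask_clear_cpu(...)` without reloading cr3; any TLB entries for that mm's user half can then survive on this CPU while later shootdowns for the mm skip it. If the per-cpu pgd design guarantees a flush elsewhere (for example on the next switch into the per-cpu pgd), a comment in the `#ifndef` branch should say so; otherwise a reload of the CPU's own pgd, e.g. `load_cr3(get_cpu_pgd(cpu));`, belongs here. leave_mm's opening lines are outside the hunk.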
19243 diff -urNp linux-2.6.38.1/arch/x86/oprofile/backtrace.c linux-2.6.38.1-new/arch/x86/oprofile/backtrace.c
19244 --- linux-2.6.38.1/arch/x86/oprofile/backtrace.c 2011-03-14 21:20:32.000000000 -0400
19245 +++ linux-2.6.38.1-new/arch/x86/oprofile/backtrace.c 2011-03-21 18:31:35.000000000 -0400
19246 @@ -57,7 +57,7 @@ dump_user_backtrace_32(struct stack_fram
19247 struct stack_frame_ia32 *fp;
19249 /* Also check accessibility of one struct frame_head beyond */
19250 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19251 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19253 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19255 @@ -123,7 +123,7 @@ x86_backtrace(struct pt_regs * const reg
19257 struct stack_frame *head = (struct stack_frame *)frame_pointer(regs);
19259 - if (!user_mode_vm(regs)) {
19260 + if (!user_mode(regs)) {
19261 unsigned long stack = kernel_stack_pointer(regs);
19263 dump_trace(NULL, regs, (unsigned long *)stack,
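Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in x86_backtrace drops the VM86 case: on 32-bit, `user_mode()` classifies by the RPL of `regs->cs`, which is not meaningful for a v8086 frame, so a vm86 task's sample would be walked as a kernel stack with `dump_trace`. Unless this patch redefines `user_mode()` to cover v8086 mode (the kmemcheck hunk above switches to `v8086_mode(regs)`, which suggests these helpers are being touched), keep `user_mode_vm()` here or add a comment stating why the distinction no longer applies. x86_backtrace continues outside the hunk.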
19264 diff -urNp linux-2.6.38.1/arch/x86/oprofile/op_model_p4.c linux-2.6.38.1-new/arch/x86/oprofile/op_model_p4.c
19265 --- linux-2.6.38.1/arch/x86/oprofile/op_model_p4.c 2011-03-14 21:20:32.000000000 -0400
19266 +++ linux-2.6.38.1-new/arch/x86/oprofile/op_model_p4.c 2011-03-21 18:31:35.000000000 -0400
19267 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19271 -static int inline addr_increment(void)
19272 +static inline int addr_increment(void)
19275 return smp_num_siblings == 2 ? 2 : 1;
19276 diff -urNp linux-2.6.38.1/arch/x86/pci/ce4100.c linux-2.6.38.1-new/arch/x86/pci/ce4100.c
19277 --- linux-2.6.38.1/arch/x86/pci/ce4100.c 2011-03-14 21:20:32.000000000 -0400
19278 +++ linux-2.6.38.1-new/arch/x86/pci/ce4100.c 2011-03-21 18:31:35.000000000 -0400
19279 @@ -302,7 +302,7 @@ static int ce4100_conf_write(unsigned in
19280 return pci_direct_conf1.write(seg, bus, devfn, reg, len, value);
19283 -struct pci_raw_ops ce4100_pci_conf = {
19284 +const struct pci_raw_ops ce4100_pci_conf = {
19285 .read = ce4100_conf_read,
19286 .write = ce4100_conf_write,
19288 diff -urNp linux-2.6.38.1/arch/x86/pci/common.c linux-2.6.38.1-new/arch/x86/pci/common.c
19289 --- linux-2.6.38.1/arch/x86/pci/common.c 2011-03-14 21:20:32.000000000 -0400
19290 +++ linux-2.6.38.1-new/arch/x86/pci/common.c 2011-03-21 18:31:35.000000000 -0400
19291 @@ -33,8 +33,8 @@ int noioapicreroute = 1;
19292 int pcibios_last_bus = -1;
19293 unsigned long pirq_table_addr;
19294 struct pci_bus *pci_root_bus;
19295 -struct pci_raw_ops *raw_pci_ops;
19296 -struct pci_raw_ops *raw_pci_ext_ops;
19297 +const struct pci_raw_ops *raw_pci_ops;
19298 +const struct pci_raw_ops *raw_pci_ext_ops;
19300 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19301 int reg, int len, u32 *val)
19302 @@ -423,7 +423,7 @@ static const struct dmi_system_id __devi
19303 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19307 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19310 void __init dmi_check_pciprobe(void)
19311 diff -urNp linux-2.6.38.1/arch/x86/pci/direct.c linux-2.6.38.1-new/arch/x86/pci/direct.c
19312 --- linux-2.6.38.1/arch/x86/pci/direct.c 2011-03-14 21:20:32.000000000 -0400
19313 +++ linux-2.6.38.1-new/arch/x86/pci/direct.c 2011-03-21 18:31:35.000000000 -0400
19314 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19316 #undef PCI_CONF1_ADDRESS
19318 -struct pci_raw_ops pci_direct_conf1 = {
19319 +const struct pci_raw_ops pci_direct_conf1 = {
19320 .read = pci_conf1_read,
19321 .write = pci_conf1_write,
19323 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19325 #undef PCI_CONF2_ADDRESS
19327 -struct pci_raw_ops pci_direct_conf2 = {
19328 +const struct pci_raw_ops pci_direct_conf2 = {
19329 .read = pci_conf2_read,
19330 .write = pci_conf2_write,
19332 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19333 * This should be close to trivial, but it isn't, because there are buggy
19334 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19336 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19337 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19341 diff -urNp linux-2.6.38.1/arch/x86/pci/fixup.c linux-2.6.38.1-new/arch/x86/pci/fixup.c
19342 --- linux-2.6.38.1/arch/x86/pci/fixup.c 2011-03-14 21:20:32.000000000 -0400
19343 +++ linux-2.6.38.1-new/arch/x86/pci/fixup.c 2011-03-21 18:31:35.000000000 -0400
19344 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19345 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19349 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19353 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19354 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19358 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19361 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19362 diff -urNp linux-2.6.38.1/arch/x86/pci/irq.c linux-2.6.38.1-new/arch/x86/pci/irq.c
19363 --- linux-2.6.38.1/arch/x86/pci/irq.c 2011-03-14 21:20:32.000000000 -0400
19364 +++ linux-2.6.38.1-new/arch/x86/pci/irq.c 2011-03-21 18:31:35.000000000 -0400
19365 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19366 static struct pci_device_id __initdata pirq_440gx[] = {
19367 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19368 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19370 + { PCI_DEVICE(0, 0) }
19373 /* 440GX has a proprietary PIRQ router -- don't use it */
19374 @@ -1115,7 +1115,7 @@ static struct dmi_system_id __initdata p
19375 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19379 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19382 void __init pcibios_irq_init(void)
19383 diff -urNp linux-2.6.38.1/arch/x86/pci/mmconfig_32.c linux-2.6.38.1-new/arch/x86/pci/mmconfig_32.c
19384 --- linux-2.6.38.1/arch/x86/pci/mmconfig_32.c 2011-03-14 21:20:32.000000000 -0400
19385 +++ linux-2.6.38.1-new/arch/x86/pci/mmconfig_32.c 2011-03-21 18:31:35.000000000 -0400
19386 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19390 -static struct pci_raw_ops pci_mmcfg = {
19391 +static const struct pci_raw_ops pci_mmcfg = {
19392 .read = pci_mmcfg_read,
19393 .write = pci_mmcfg_write,
19395 diff -urNp linux-2.6.38.1/arch/x86/pci/mmconfig_64.c linux-2.6.38.1-new/arch/x86/pci/mmconfig_64.c
19396 --- linux-2.6.38.1/arch/x86/pci/mmconfig_64.c 2011-03-14 21:20:32.000000000 -0400
19397 +++ linux-2.6.38.1-new/arch/x86/pci/mmconfig_64.c 2011-03-21 18:31:35.000000000 -0400
19398 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19402 -static struct pci_raw_ops pci_mmcfg = {
19403 +static const struct pci_raw_ops pci_mmcfg = {
19404 .read = pci_mmcfg_read,
19405 .write = pci_mmcfg_write,
19407 diff -urNp linux-2.6.38.1/arch/x86/pci/numaq_32.c linux-2.6.38.1-new/arch/x86/pci/numaq_32.c
19408 --- linux-2.6.38.1/arch/x86/pci/numaq_32.c 2011-03-14 21:20:32.000000000 -0400
19409 +++ linux-2.6.38.1-new/arch/x86/pci/numaq_32.c 2011-03-21 18:31:35.000000000 -0400
19410 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19412 #undef PCI_CONF1_MQ_ADDRESS
19414 -static struct pci_raw_ops pci_direct_conf1_mq = {
19415 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19416 .read = pci_conf1_mq_read,
19417 .write = pci_conf1_mq_write
19419 diff -urNp linux-2.6.38.1/arch/x86/pci/olpc.c linux-2.6.38.1-new/arch/x86/pci/olpc.c
19420 --- linux-2.6.38.1/arch/x86/pci/olpc.c 2011-03-14 21:20:32.000000000 -0400
19421 +++ linux-2.6.38.1-new/arch/x86/pci/olpc.c 2011-03-21 18:31:35.000000000 -0400
19422 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19426 -static struct pci_raw_ops pci_olpc_conf = {
19427 +static const struct pci_raw_ops pci_olpc_conf = {
19428 .read = pci_olpc_read,
19429 .write = pci_olpc_write,
19431 diff -urNp linux-2.6.38.1/arch/x86/pci/pcbios.c linux-2.6.38.1-new/arch/x86/pci/pcbios.c
19432 --- linux-2.6.38.1/arch/x86/pci/pcbios.c 2011-03-14 21:20:32.000000000 -0400
19433 +++ linux-2.6.38.1-new/arch/x86/pci/pcbios.c 2011-03-21 18:31:35.000000000 -0400
19434 @@ -79,50 +79,93 @@ union bios32 {
19436 unsigned long address;
19437 unsigned short segment;
19438 -} bios32_indirect = { 0, __KERNEL_CS };
19439 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19442 * Returns the entry point for the given service, NULL on error
19445 -static unsigned long bios32_service(unsigned long service)
19446 +static unsigned long __devinit bios32_service(unsigned long service)
19448 unsigned char return_code; /* %al */
19449 unsigned long address; /* %ebx */
19450 unsigned long length; /* %ecx */
19451 unsigned long entry; /* %edx */
19452 unsigned long flags;
19453 + struct desc_struct d, *gdt;
19455 local_irq_save(flags);
19456 - __asm__("lcall *(%%edi); cld"
19458 + gdt = get_cpu_gdt_table(smp_processor_id());
19460 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19461 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19462 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19463 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19465 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19466 : "=a" (return_code),
19472 - "D" (&bios32_indirect));
19473 + "D" (&bios32_indirect),
19474 + "r"(__PCIBIOS_DS)
19477 + pax_open_kernel();
19478 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19479 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19480 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19481 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19482 + pax_close_kernel();
19484 local_irq_restore(flags);
19486 switch (return_code) {
19488 - return address + entry;
19489 - case 0x80: /* Not present */
19490 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19492 - default: /* Shouldn't happen */
19493 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19494 - service, return_code);
19497 + unsigned char flags;
19499 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19500 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19501 + printk(KERN_WARNING "bios32_service: not valid\n");
19504 + address = address + PAGE_OFFSET;
19505 + length += 16UL; /* some BIOSs underreport this... */
19507 + if (length >= 64*1024*1024) {
19508 + length >>= PAGE_SHIFT;
19512 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19513 + gdt = get_cpu_gdt_table(cpu);
19514 + pack_descriptor(&d, address, length, 0x9b, flags);
19515 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19516 + pack_descriptor(&d, address, length, 0x93, flags);
19517 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19521 + case 0x80: /* Not present */
19522 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19524 + default: /* Shouldn't happen */
19525 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19526 + service, return_code);
19532 unsigned long address;
19533 unsigned short segment;
19534 -} pci_indirect = { 0, __KERNEL_CS };
19535 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19537 -static int pci_bios_present;
19538 +static int pci_bios_present __read_only;
19540 static int __devinit check_pcibios(void)
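Review bot: The `unsigned char flags;` declared inside the switch of bios32_service shadows the `unsigned long flags` that local_irq_save()/local_irq_restore() use earlier in the same function, which a -Wshadow build flags and which invites a mix-up if the interrupts-off section is ever widened; rename it, e.g. `unsigned char gran;` with the matching `pack_descriptor(&d, address, length, 0x9b, gran);`. The descriptor-install loop walks `cpu < NR_CPUS` rather than `for_each_possible_cpu(cpu)`, so it may index per-cpu GDTs of CPUs that are not possible on this system; the idiomatic iterator also states the intent. The range check on the firmware-supplied base, length and entry is the right place to reject a malformed BIOS32 directory before those values become a GDT descriptor, and a one-line comment such as `/* base/length/entry come from firmware: keep the segment inside the first 1MiB and the entry inside the segment */` would record why it exists.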
19542 @@ -131,11 +174,13 @@ static int __devinit check_pcibios(void)
19543 unsigned long flags, pcibios_entry;
19545 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
19546 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
19547 + pci_indirect.address = pcibios_entry;
19549 local_irq_save(flags);
19551 - "lcall *(%%edi); cld\n\t"
19552 + __asm__("movw %w6, %%ds\n\t"
19553 + "lcall *%%ss:(%%edi); cld\n\t"
19559 @@ -144,7 +189,8 @@ static int __devinit check_pcibios(void)
19562 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
19563 - "D" (&pci_indirect)
19564 + "D" (&pci_indirect),
19565 + "r" (__PCIBIOS_DS)
19567 local_irq_restore(flags);
19569 @@ -188,7 +234,10 @@ static int pci_bios_read(unsigned int se
19573 - __asm__("lcall *(%%esi); cld\n\t"
19574 + __asm__("movw %w6, %%ds\n\t"
19575 + "lcall *%%ss:(%%esi); cld\n\t"
19581 @@ -197,7 +246,8 @@ static int pci_bios_read(unsigned int se
19582 : "1" (PCIBIOS_READ_CONFIG_BYTE),
19585 - "S" (&pci_indirect));
19586 + "S" (&pci_indirect),
19587 + "r" (__PCIBIOS_DS));
19589 * Zero-extend the result beyond 8 bits, do not trust the
19590 * BIOS having done it:
19591 @@ -205,7 +255,10 @@ static int pci_bios_read(unsigned int se
19595 - __asm__("lcall *(%%esi); cld\n\t"
19596 + __asm__("movw %w6, %%ds\n\t"
19597 + "lcall *%%ss:(%%esi); cld\n\t"
19603 @@ -214,7 +267,8 @@ static int pci_bios_read(unsigned int se
19604 : "1" (PCIBIOS_READ_CONFIG_WORD),
19607 - "S" (&pci_indirect));
19608 + "S" (&pci_indirect),
19609 + "r" (__PCIBIOS_DS));
19611 * Zero-extend the result beyond 16 bits, do not trust the
19612 * BIOS having done it:
19613 @@ -222,7 +276,10 @@ static int pci_bios_read(unsigned int se
19617 - __asm__("lcall *(%%esi); cld\n\t"
19618 + __asm__("movw %w6, %%ds\n\t"
19619 + "lcall *%%ss:(%%esi); cld\n\t"
19625 @@ -231,7 +288,8 @@ static int pci_bios_read(unsigned int se
19626 : "1" (PCIBIOS_READ_CONFIG_DWORD),
19629 - "S" (&pci_indirect));
19630 + "S" (&pci_indirect),
19631 + "r" (__PCIBIOS_DS));
19635 @@ -254,7 +312,10 @@ static int pci_bios_write(unsigned int s
19639 - __asm__("lcall *(%%esi); cld\n\t"
19640 + __asm__("movw %w6, %%ds\n\t"
19641 + "lcall *%%ss:(%%esi); cld\n\t"
19647 @@ -263,10 +324,14 @@ static int pci_bios_write(unsigned int s
19651 - "S" (&pci_indirect));
19652 + "S" (&pci_indirect),
19653 + "r" (__PCIBIOS_DS));
19656 - __asm__("lcall *(%%esi); cld\n\t"
19657 + __asm__("movw %w6, %%ds\n\t"
19658 + "lcall *%%ss:(%%esi); cld\n\t"
19664 @@ -275,10 +340,14 @@ static int pci_bios_write(unsigned int s
19668 - "S" (&pci_indirect));
19669 + "S" (&pci_indirect),
19670 + "r" (__PCIBIOS_DS));
19673 - __asm__("lcall *(%%esi); cld\n\t"
19674 + __asm__("movw %w6, %%ds\n\t"
19675 + "lcall *%%ss:(%%esi); cld\n\t"
19681 @@ -287,7 +356,8 @@ static int pci_bios_write(unsigned int s
19685 - "S" (&pci_indirect));
19686 + "S" (&pci_indirect),
19687 + "r" (__PCIBIOS_DS));
19691 @@ -301,7 +371,7 @@ static int pci_bios_write(unsigned int s
19692 * Function table for BIOS32 access
19695 -static struct pci_raw_ops pci_bios_access = {
19696 +static const struct pci_raw_ops pci_bios_access = {
19697 .read = pci_bios_read,
19698 .write = pci_bios_write
19700 @@ -310,7 +380,7 @@ static struct pci_raw_ops pci_bios_acces
19701 * Try to find PCI BIOS.
19704 -static struct pci_raw_ops * __devinit pci_find_bios(void)
19705 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
19707 union bios32 *check;
19709 @@ -392,10 +462,13 @@ struct irq_routing_table * pcibios_get_i
19711 DBG("PCI: Fetching IRQ routing table... ");
19712 __asm__("push %%es\n\t"
19713 + "movw %w8, %%ds\n\t"
19716 - "lcall *(%%esi); cld\n\t"
19717 + "lcall *%%ss:(%%esi); cld\n\t"
19724 @@ -406,7 +479,8 @@ struct irq_routing_table * pcibios_get_i
19727 "S" (&pci_indirect),
19730 + "r" (__PCIBIOS_DS)
19732 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
19734 @@ -430,7 +504,10 @@ int pcibios_set_irq_routing(struct pci_d
19738 - __asm__("lcall *(%%esi); cld\n\t"
19739 + __asm__("movw %w5, %%ds\n\t"
19740 + "lcall *%%ss:(%%esi); cld\n\t"
19746 @@ -438,7 +515,8 @@ int pcibios_set_irq_routing(struct pci_d
19747 : "0" (PCIBIOS_SET_PCI_HW_INT),
19748 "b" ((dev->bus->number << 8) | dev->devfn),
19749 "c" ((irq << 8) | (pin + 10)),
19750 - "S" (&pci_indirect));
19751 + "S" (&pci_indirect),
19752 + "r" (__PCIBIOS_DS));
19753 return !(ret & 0xff00);
19755 EXPORT_SYMBOL(pcibios_set_irq_routing);
19756 diff -urNp linux-2.6.38.1/arch/x86/platform/efi/efi_32.c linux-2.6.38.1-new/arch/x86/platform/efi/efi_32.c
19757 --- linux-2.6.38.1/arch/x86/platform/efi/efi_32.c 2011-03-14 21:20:32.000000000 -0400
19758 +++ linux-2.6.38.1-new/arch/x86/platform/efi/efi_32.c 2011-03-21 18:31:35.000000000 -0400
19759 @@ -38,70 +38,37 @@
19762 static unsigned long efi_rt_eflags;
19763 -static pgd_t efi_bak_pg_dir_pointer[2];
19764 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
19766 -void efi_call_phys_prelog(void)
19767 +void __init efi_call_phys_prelog(void)
19769 - unsigned long cr4;
19770 - unsigned long temp;
19771 struct desc_ptr gdt_descr;
19773 local_irq_save(efi_rt_eflags);
19776 - * If I don't have PAE, I should just duplicate two entries in page
19777 - * directory. If I have PAE, I just need to duplicate one entry in
19778 - * page directory.
19780 - cr4 = read_cr4_safe();
19782 - if (cr4 & X86_CR4_PAE) {
19783 - efi_bak_pg_dir_pointer[0].pgd =
19784 - swapper_pg_dir[pgd_index(0)].pgd;
19785 - swapper_pg_dir[0].pgd =
19786 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19788 - efi_bak_pg_dir_pointer[0].pgd =
19789 - swapper_pg_dir[pgd_index(0)].pgd;
19790 - efi_bak_pg_dir_pointer[1].pgd =
19791 - swapper_pg_dir[pgd_index(0x400000)].pgd;
19792 - swapper_pg_dir[pgd_index(0)].pgd =
19793 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
19794 - temp = PAGE_OFFSET + 0x400000;
19795 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19796 - swapper_pg_dir[pgd_index(temp)].pgd;
19798 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
19799 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
19800 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
19803 * After the lock is released, the original page table is restored.
19807 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
19808 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
19809 gdt_descr.size = GDT_SIZE - 1;
19810 load_gdt(&gdt_descr);
19813 -void efi_call_phys_epilog(void)
19814 +void __init efi_call_phys_epilog(void)
19816 - unsigned long cr4;
19817 struct desc_ptr gdt_descr;
19819 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
19820 + gdt_descr.address = get_cpu_gdt_table(0);
19821 gdt_descr.size = GDT_SIZE - 1;
19822 load_gdt(&gdt_descr);
19824 - cr4 = read_cr4_safe();
19826 - if (cr4 & X86_CR4_PAE) {
19827 - swapper_pg_dir[pgd_index(0)].pgd =
19828 - efi_bak_pg_dir_pointer[0].pgd;
19830 - swapper_pg_dir[pgd_index(0)].pgd =
19831 - efi_bak_pg_dir_pointer[0].pgd;
19832 - swapper_pg_dir[pgd_index(0x400000)].pgd =
19833 - efi_bak_pg_dir_pointer[1].pgd;
19835 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
19838 * After the lock is released, the original page table is restored.
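Review bot: The PAE/non-PAE comment that explained why page-directory entries are duplicated was removed with the code, and the replacement `clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY, ...)` carries no explanation of its own, so a reader no longer learns why the kernel half of the PGD is copied into the low half. Add a comment above the two clone_pgd_range() calls along the lines of `/* Back up the kernel PGD, then alias its kernel half into the low half so the stub in efi_call_phys stays mapped while paging is switched off and on; efi_call_phys_epilog restores the backup. */`. Marking prelog/epilog `__init` and the backup `__initdata` is safe only if no EFI call takes the physical-mode path after init; that is plausible if the only callers are boot-time setup, which this hunk cannot confirm, so state the assumption next to the `__init`.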
19839 diff -urNp linux-2.6.38.1/arch/x86/platform/efi/efi_stub_32.S linux-2.6.38.1-new/arch/x86/platform/efi/efi_stub_32.S
19840 --- linux-2.6.38.1/arch/x86/platform/efi/efi_stub_32.S 2011-03-14 21:20:32.000000000 -0400
19841 +++ linux-2.6.38.1-new/arch/x86/platform/efi/efi_stub_32.S 2011-03-21 18:31:35.000000000 -0400
19845 #include <linux/linkage.h>
19846 +#include <linux/init.h>
19847 #include <asm/page_types.h>
19851 * service functions will comply with gcc calling convention, too.
19856 ENTRY(efi_call_phys)
19858 * 0. The function can only be called in Linux kernel. So CS has been
19859 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
19860 * The mapping of lower virtual memory has been created in prelog and
19864 - subl $__PAGE_OFFSET, %edx
19866 + jmp 1f-__PAGE_OFFSET
19870 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
19871 * parameter 2, ..., param n. To make things easy, we save the return
19872 * address of efi_call_phys in a global variable.
19875 - movl %edx, saved_return_addr
19876 - /* get the function pointer into ECX*/
19878 - movl %ecx, efi_rt_function_ptr
19880 - subl $__PAGE_OFFSET, %edx
19882 + popl (saved_return_addr)
19883 + popl (efi_rt_function_ptr)
19886 * 3. Clear PG bit in %CR0.
19887 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
19889 * 5. Call the physical function.
19892 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
19896 * 6. After EFI runtime service returns, control will return to
19897 * following instruction. We'd better readjust stack pointer first.
19898 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
19900 orl $0x80000000, %edx
19906 * 8. Now restore the virtual mode from flat mode by
19907 * adding EIP with PAGE_OFFSET.
19911 + jmp 1f+__PAGE_OFFSET
19915 * 9. Balance the stack. And because EAX contain the return value,
19916 * we'd better not clobber it.
19918 - leal efi_rt_function_ptr, %edx
19919 - movl (%edx), %ecx
19921 + pushl (efi_rt_function_ptr)
19924 - * 10. Push the saved return address onto the stack and return.
19925 + * 10. Return to the saved return address.
19927 - leal saved_return_addr, %edx
19928 - movl (%edx), %ecx
19931 + jmpl *(saved_return_addr)
19932 ENDPROC(efi_call_phys)
19939 efi_rt_function_ptr:
19940 diff -urNp linux-2.6.38.1/arch/x86/power/cpu.c linux-2.6.38.1-new/arch/x86/power/cpu.c
19941 --- linux-2.6.38.1/arch/x86/power/cpu.c 2011-03-14 21:20:32.000000000 -0400
19942 +++ linux-2.6.38.1-new/arch/x86/power/cpu.c 2011-03-21 18:31:35.000000000 -0400
19943 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
19944 static void fix_processor_context(void)
19946 int cpu = smp_processor_id();
19947 - struct tss_struct *t = &per_cpu(init_tss, cpu);
19948 + struct tss_struct *t = init_tss + cpu;
19950 set_tss_desc(cpu, t); /*
19951 * This just modifies memory; should not be
19952 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
19955 #ifdef CONFIG_X86_64
19956 + pax_open_kernel();
19957 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
19958 + pax_close_kernel();
19960 syscall_init(); /* This sets MSR_*STAR and related */
19962 diff -urNp linux-2.6.38.1/arch/x86/vdso/Makefile linux-2.6.38.1-new/arch/x86/vdso/Makefile
19963 --- linux-2.6.38.1/arch/x86/vdso/Makefile 2011-03-14 21:20:32.000000000 -0400
19964 +++ linux-2.6.38.1-new/arch/x86/vdso/Makefile 2011-03-21 18:31:35.000000000 -0400
19965 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
19966 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
19967 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
19969 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
19970 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
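Review bot: `--no-undefined` is appended to VDSO_LDFLAGS as a bare option while the neighbouring hash-style flag on the same line is passed as `-Wl,...` through cc-ldoption; VDSO_LDFLAGS is handed to $(CC) rather than to ld, so whether the driver forwards an unrecognised `--no-undefined` to the linker depends on the compiler version. Passing it the same way as its neighbour, `$(call cc-ldoption, -Wl$(comma)--no-undefined)`, keeps the line consistent and lets the build probe whether the linker accepts it. The intent, failing the link if the vDSO references a symbol it does not define, deserves a comment above the assignment.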
19974 diff -urNp linux-2.6.38.1/arch/x86/vdso/vclock_gettime.c linux-2.6.38.1-new/arch/x86/vdso/vclock_gettime.c
19975 --- linux-2.6.38.1/arch/x86/vdso/vclock_gettime.c 2011-03-14 21:20:32.000000000 -0400
19976 +++ linux-2.6.38.1-new/arch/x86/vdso/vclock_gettime.c 2011-03-21 18:31:35.000000000 -0400
19977 @@ -22,24 +22,48 @@
19978 #include <asm/hpet.h>
19979 #include <asm/unistd.h>
19980 #include <asm/io.h>
19981 +#include <asm/fixmap.h>
19982 #include "vextern.h"
19984 #define gtod vdso_vsyscall_gtod_data
19986 +notrace noinline long __vdso_fallback_time(long *t)
19989 + asm volatile("syscall"
19991 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
19995 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
19998 asm("syscall" : "=a" (ret) :
19999 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20000 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20004 +notrace static inline cycle_t __vdso_vread_hpet(void)
20006 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20009 +notrace static inline cycle_t __vdso_vread_tsc(void)
20011 + cycle_t ret = (cycle_t)vget_cycles();
20013 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20016 notrace static inline long vgetns(void)
20019 - cycles_t (*vread)(void);
20020 - vread = gtod->clock.vread;
20021 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20022 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20023 + v = __vdso_vread_tsc();
20025 + v = __vdso_vread_hpet();
20026 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20027 return (v * gtod->clock.mult) >> gtod->clock.shift;
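Review bot: `__vdso_vread_hpet` reads the counter at `+ 0xf0` as a bare magic number; asm/hpet.h is already included at the top of this hunk and provides `HPET_COUNTER` for that register offset, so `return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + HPET_COUNTER);` says what is being read. The byte-by-byte comparison of `gtod->clock.name` against "tsc" in vgetns is repeated, with an "hpet" variant, in __vdso_clock_gettime and __vdso_gettimeofday further down; a helper such as `notrace static inline int vdso_clock_is_tsc(void) { const char *n = gtod->clock.name; return n[0] == 't' && n[1] == 's' && n[2] == 'c' && !n[3]; }` (and an hpet twin) keeps the three copies identical. A comment next to the dispatch stating why the reader is chosen by name rather than by calling through `gtod->clock.vread` from user space would make the intent readable. With vgetns no longer calling `vread`, the `if (likely(gtod->clock.vread))` test that survives in __vdso_clock_gettime appears redundant; confirm and drop it or comment why it stays.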
20030 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20032 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20034 - if (likely(gtod->sysctl_enabled))
20035 + if (likely(gtod->sysctl_enabled &&
20036 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20037 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20039 case CLOCK_REALTIME:
20040 if (likely(gtod->clock.vread))
20041 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20042 int clock_gettime(clockid_t, struct timespec *)
20043 __attribute__((weak, alias("__vdso_clock_gettime")));
20045 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20046 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20049 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20050 + asm("syscall" : "=a" (ret) :
20051 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20055 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20057 + if (likely(gtod->sysctl_enabled &&
20058 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20059 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20061 if (likely(tv != NULL)) {
20062 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20063 offsetof(struct timespec, tv_nsec) ||
20064 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20068 - asm("syscall" : "=a" (ret) :
20069 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20071 + return __vdso_fallback_gettimeofday(tv, tz);
20073 int gettimeofday(struct timeval *, struct timezone *)
20074 __attribute__((weak, alias("__vdso_gettimeofday")));
20075 diff -urNp linux-2.6.38.1/arch/x86/vdso/vdso32-setup.c linux-2.6.38.1-new/arch/x86/vdso/vdso32-setup.c
20076 --- linux-2.6.38.1/arch/x86/vdso/vdso32-setup.c 2011-03-14 21:20:32.000000000 -0400
20077 +++ linux-2.6.38.1-new/arch/x86/vdso/vdso32-setup.c 2011-03-21 18:31:35.000000000 -0400
20079 #include <asm/tlbflush.h>
20080 #include <asm/vdso.h>
20081 #include <asm/proto.h>
20082 +#include <asm/mman.h>
20086 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20087 void enable_sep_cpu(void)
20089 int cpu = get_cpu();
20090 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20091 + struct tss_struct *tss = init_tss + cpu;
20093 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20095 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20096 gate_vma.vm_start = FIXADDR_USER_START;
20097 gate_vma.vm_end = FIXADDR_USER_END;
20098 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20099 - gate_vma.vm_page_prot = __P101;
20100 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20102 * Make sure the vDSO gets into every core dump.
20103 * Dumping its contents makes post-mortem fully interpretable later
20104 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20106 addr = VDSO_HIGH_BASE;
20108 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20109 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20110 if (IS_ERR_VALUE(addr)) {
20116 - current->mm->context.vdso = (void *)addr;
20117 + current->mm->context.vdso = addr;
20119 if (compat_uses_vma || !compat) {
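Review bot: `get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE)` changes where the compat vDSO page is placed but gives no hint why the executable flag matters for a request that previously passed 0; a comment such as `/* MAP_EXECUTABLE: have the placement policy treat the vDSO page as code */` (adjusted to whatever policy the flag actually selects in this tree) would document the dependency. The assignment `current->mm->context.vdso = addr;` drops the cast, which implies the field's type changed in a header outside this hunk. arch_setup_additional_pages starts before and continues after the visible lines.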
20121 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20124 current_thread_info()->sysenter_return =
20125 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20126 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20130 - current->mm->context.vdso = NULL;
20131 + current->mm->context.vdso = 0;
20133 up_write(&mm->mmap_sem);
20135 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20137 const char *arch_vma_name(struct vm_area_struct *vma)
20139 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20140 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20143 +#ifdef CONFIG_PAX_SEGMEXEC
20144 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20151 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20152 struct mm_struct *mm = tsk->mm;
20154 /* Check to see if this task was created in compat vdso mode */
20155 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20156 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20160 diff -urNp linux-2.6.38.1/arch/x86/vdso/vdso.lds.S linux-2.6.38.1-new/arch/x86/vdso/vdso.lds.S
20161 --- linux-2.6.38.1/arch/x86/vdso/vdso.lds.S 2011-03-14 21:20:32.000000000 -0400
20162 +++ linux-2.6.38.1-new/arch/x86/vdso/vdso.lds.S 2011-03-21 18:31:35.000000000 -0400
20163 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20164 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20165 #include "vextern.h"
20168 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20169 +VEXTERN(fallback_gettimeofday)
20170 +VEXTERN(fallback_time)
20173 diff -urNp linux-2.6.38.1/arch/x86/vdso/vextern.h linux-2.6.38.1-new/arch/x86/vdso/vextern.h
20174 --- linux-2.6.38.1/arch/x86/vdso/vextern.h 2011-03-14 21:20:32.000000000 -0400
20175 +++ linux-2.6.38.1-new/arch/x86/vdso/vextern.h 2011-03-21 18:31:35.000000000 -0400
20177 put into vextern.h and be referenced as a pointer with vdso prefix.
20178 The main kernel later fills in the values. */
20181 VEXTERN(vgetcpu_mode)
20182 VEXTERN(vsyscall_gtod_data)
20183 diff -urNp linux-2.6.38.1/arch/x86/vdso/vma.c linux-2.6.38.1-new/arch/x86/vdso/vma.c
20184 --- linux-2.6.38.1/arch/x86/vdso/vma.c 2011-03-14 21:20:32.000000000 -0400
20185 +++ linux-2.6.38.1-new/arch/x86/vdso/vma.c 2011-03-21 18:31:35.000000000 -0400
20186 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20190 - if (memcmp(vbase, "\177ELF", 4)) {
20191 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20192 printk("VDSO: I'm broken; not ELF\n");
20195 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20199 - current->mm->context.vdso = (void *)addr;
20200 + current->mm->context.vdso = addr;
20202 ret = install_special_mapping(mm, addr, vdso_size,
20204 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20208 - current->mm->context.vdso = NULL;
20209 + current->mm->context.vdso = 0;
20213 @@ -134,10 +134,3 @@ up_fail:
20214 up_write(&mm->mmap_sem);
20218 -static __init int vdso_setup(char *s)
20220 - vdso_enabled = simple_strtoul(s, NULL, 0);
20223 -__setup("vdso=", vdso_setup);
20224 diff -urNp linux-2.6.38.1/arch/x86/xen/enlighten.c linux-2.6.38.1-new/arch/x86/xen/enlighten.c
20225 --- linux-2.6.38.1/arch/x86/xen/enlighten.c 2011-03-14 21:20:32.000000000 -0400
20226 +++ linux-2.6.38.1-new/arch/x86/xen/enlighten.c 2011-03-21 18:31:35.000000000 -0400
20227 @@ -85,8 +85,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20229 struct shared_info xen_dummy_shared_info;
20231 -void *xen_initial_gdt;
20233 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
20234 __read_mostly int xen_have_vector_callback;
20235 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
20236 @@ -1134,7 +1132,17 @@ asmlinkage void __init xen_start_kernel(
20237 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20239 /* Work out if we support NX */
20240 - x86_configure_nx();
20241 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20242 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20243 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20246 + __supported_pte_mask |= _PAGE_NX;
20247 + rdmsr(MSR_EFER, l, h);
20249 + wrmsr(MSR_EFER, l, h);
20253 xen_setup_features();
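Review bot: The open-coded cpuid/rdmsr/wrmsr sequence that replaces `x86_configure_nx()` repeats the NX feature test the generic helper already performs via the cached CPU feature bits, and nothing explains why leaf 0x80000001 is queried again here or why the guest writes EFER itself; `l` and `h` are declared outside the visible lines. Under a Xen PV guest a wrmsr to MSR_EFER is trapped by the hypervisor and, depending on the hypervisor, may not take effect, so the `__supported_pte_mask |= _PAGE_NX` and the EFER write should each carry a comment stating what they are expected to achieve, e.g. `/* enable NX in the PTE mask; the EFER write is a request the hypervisor may honour or ignore under PV */`, worded to the intended behaviour. xen_start_kernel begins and ends outside this hunk.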
20255 @@ -1165,13 +1173,6 @@ asmlinkage void __init xen_start_kernel(
20257 machine_ops = xen_machine_ops;
20260 - * The only reliable way to retain the initial address of the
20261 - * percpu gdt_page is to remember it here, so we can go and
20262 - * mark it RW later, when the initial percpu area is freed.
20264 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20268 #ifdef CONFIG_ACPI_NUMA
20269 diff -urNp linux-2.6.38.1/arch/x86/xen/mmu.c linux-2.6.38.1-new/arch/x86/xen/mmu.c
20270 --- linux-2.6.38.1/arch/x86/xen/mmu.c 2011-03-14 21:20:32.000000000 -0400
20271 +++ linux-2.6.38.1-new/arch/x86/xen/mmu.c 2011-03-21 18:31:35.000000000 -0400
20272 @@ -1718,6 +1718,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20273 convert_pfn_mfn(init_level4_pgt);
20274 convert_pfn_mfn(level3_ident_pgt);
20275 convert_pfn_mfn(level3_kernel_pgt);
20276 + convert_pfn_mfn(level3_vmalloc_pgt);
20277 + convert_pfn_mfn(level3_vmemmap_pgt);
20279 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20280 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20281 @@ -1736,7 +1738,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20282 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20283 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20284 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20285 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20286 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20287 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20288 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20289 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20290 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
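Review bot: `level2_vmemmap_pgt` is made read-only here but, unlike the two new level3 tables that the earlier hunk also passes through `convert_pfn_mfn()`, receives no pfn-to-mfn conversion; if that table holds pfn-based entries it must be converted before the protection is applied, and if it is populated from the hypervisor-provided tables the way the existing level2 entries are, a comment saying so would spare the next reader this check. The new table symbols are introduced elsewhere in the patch, so their contents cannot be verified from this hunk.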
20292 diff -urNp linux-2.6.38.1/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.38.1-new/arch/x86/xen/pci-swiotlb-xen.c
20293 --- linux-2.6.38.1/arch/x86/xen/pci-swiotlb-xen.c 2011-03-14 21:20:32.000000000 -0400
20294 +++ linux-2.6.38.1-new/arch/x86/xen/pci-swiotlb-xen.c 2011-03-21 18:31:35.000000000 -0400
20297 int xen_swiotlb __read_mostly;
20299 -static struct dma_map_ops xen_swiotlb_dma_ops = {
20300 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
20301 .mapping_error = xen_swiotlb_dma_mapping_error,
20302 .alloc_coherent = xen_swiotlb_alloc_coherent,
20303 .free_coherent = xen_swiotlb_free_coherent,
20304 diff -urNp linux-2.6.38.1/arch/x86/xen/smp.c linux-2.6.38.1-new/arch/x86/xen/smp.c
20305 --- linux-2.6.38.1/arch/x86/xen/smp.c 2011-03-14 21:20:32.000000000 -0400
20306 +++ linux-2.6.38.1-new/arch/x86/xen/smp.c 2011-03-21 18:31:35.000000000 -0400
20307 @@ -194,11 +194,6 @@ static void __init xen_smp_prepare_boot_
20309 BUG_ON(smp_processor_id() != 0);
20310 native_smp_prepare_boot_cpu();
20312 - /* We've switched to the "real" per-cpu gdt, so make sure the
20313 - old memory can be recycled */
20314 - make_lowmem_page_readwrite(xen_initial_gdt);
20316 xen_filter_cpu_maps();
20317 xen_setup_vcpu_info_placement();
20319 @@ -259,12 +254,12 @@ cpu_initialize_context(unsigned int cpu,
20320 gdt = get_cpu_gdt_table(cpu);
20322 ctxt->flags = VGCF_IN_KERNEL;
20323 - ctxt->user_regs.ds = __USER_DS;
20324 - ctxt->user_regs.es = __USER_DS;
20325 + ctxt->user_regs.ds = __KERNEL_DS;
20326 + ctxt->user_regs.es = __KERNEL_DS;
20327 ctxt->user_regs.ss = __KERNEL_DS;
20328 #ifdef CONFIG_X86_32
20329 ctxt->user_regs.fs = __KERNEL_PERCPU;
20330 - ctxt->user_regs.gs = __KERNEL_STACK_CANARY;
20331 + savesegment(gs, ctxt->user_regs.gs);
20333 ctxt->gs_base_kernel = per_cpu_offset(cpu);
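Review bot: `savesegment(gs, ctxt->user_regs.gs)` seeds the new vcpu's %gs from whatever the CPU running cpu_initialize_context currently holds, replacing a fixed selector; that is correct only if the booting CPU's %gs is already the value every secondary must start with, and nothing here says so. A comment is warranted, e.g. `/* secondaries start with the same %gs selector the booting CPU runs with */`, worded to the real reason. The switch of ds/es from __USER_DS to __KERNEL_DS likewise deserves a one-liner explaining why kernel data segments are now required at vcpu start, presumably because the kernel and user data segments no longer coincide once UDEREF is enabled, which the kernel-parameters.txt hunk in this patch describes as using an expand-down segment on x86-32.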
20335 diff -urNp linux-2.6.38.1/arch/x86/xen/xen-head.S linux-2.6.38.1-new/arch/x86/xen/xen-head.S
20336 --- linux-2.6.38.1/arch/x86/xen/xen-head.S 2011-03-14 21:20:32.000000000 -0400
20337 +++ linux-2.6.38.1-new/arch/x86/xen/xen-head.S 2011-03-21 18:31:35.000000000 -0400
20338 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20339 #ifdef CONFIG_X86_32
20340 mov %esi,xen_start_info
20341 mov $init_thread_union+THREAD_SIZE,%esp
20343 + movl $cpu_gdt_table,%edi
20344 + movl $__per_cpu_load,%eax
20345 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20347 + movb %al,__KERNEL_PERCPU + 4(%edi)
20348 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20349 + movl $__per_cpu_end - 1,%eax
20350 + subl $__per_cpu_start,%eax
20351 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20354 mov %rsi,xen_start_info
20355 mov $init_thread_union+THREAD_SIZE,%rsp
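Review bot: The patching of the __KERNEL_PERCPU GDT entry writes raw byte offsets (`+ 2`, `+ 4`, `+ 7`, `+ 0`) without saying which descriptor field each store fills; a comment per store (`/* base[15:0] */`, `/* base[23:16] */`, `/* base[31:24] */`, `/* limit[15:0] */`) would make the layout checkable. Only the low 16 bits of the limit (`__per_cpu_end - 1 - __per_cpu_start`) are stored; limit bits 19:16 and the granularity flag live in byte 6, which is not touched, so this is correct only if the static entry in cpu_gdt_table already has G clear and those bits zero and the per-cpu section stays under 64 KiB, which is worth confirming against the head_32.S definition or writing byte 6 explicitly. Whether this duplicates an equivalent sequence in the native 32-bit startup path cannot be seen from here; if it does, a shared macro would keep them in step.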
20356 diff -urNp linux-2.6.38.1/arch/x86/xen/xen-ops.h linux-2.6.38.1-new/arch/x86/xen/xen-ops.h
20357 --- linux-2.6.38.1/arch/x86/xen/xen-ops.h 2011-03-14 21:20:32.000000000 -0400
20358 +++ linux-2.6.38.1-new/arch/x86/xen/xen-ops.h 2011-03-21 18:31:35.000000000 -0400
20360 extern const char xen_hypervisor_callback[];
20361 extern const char xen_failsafe_callback[];
20363 -extern void *xen_initial_gdt;
20366 void xen_copy_trap_info(struct trap_info *traps);
20368 diff -urNp linux-2.6.38.1/block/blk-iopoll.c linux-2.6.38.1-new/block/blk-iopoll.c
20369 --- linux-2.6.38.1/block/blk-iopoll.c 2011-03-14 21:20:32.000000000 -0400
20370 +++ linux-2.6.38.1-new/block/blk-iopoll.c 2011-03-21 18:31:35.000000000 -0400
20371 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20373 EXPORT_SYMBOL(blk_iopoll_complete);
20375 -static void blk_iopoll_softirq(struct softirq_action *h)
20376 +static void blk_iopoll_softirq(void)
20378 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20379 int rearm = 0, budget = blk_iopoll_budget;
20380 diff -urNp linux-2.6.38.1/block/blk-map.c linux-2.6.38.1-new/block/blk-map.c
20381 --- linux-2.6.38.1/block/blk-map.c 2011-03-14 21:20:32.000000000 -0400
20382 +++ linux-2.6.38.1-new/block/blk-map.c 2011-03-21 18:31:35.000000000 -0400
20383 @@ -301,7 +301,7 @@ int blk_rq_map_kern(struct request_queue
20387 - do_copy = !blk_rq_aligned(q, addr, len) || object_is_on_stack(kbuf);
20388 + do_copy = !blk_rq_aligned(q, addr, len) || object_starts_on_stack(kbuf);
20390 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20392 diff -urNp linux-2.6.38.1/block/blk-softirq.c linux-2.6.38.1-new/block/blk-softirq.c
20393 --- linux-2.6.38.1/block/blk-softirq.c 2011-03-14 21:20:32.000000000 -0400
20394 +++ linux-2.6.38.1-new/block/blk-softirq.c 2011-03-21 18:31:35.000000000 -0400
20395 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20396 * Softirq action handler - move entries to local list and loop over them
20397 * while passing them to the queue registered handler.
20399 -static void blk_done_softirq(struct softirq_action *h)
20400 +static void blk_done_softirq(void)
20402 struct list_head *cpu_list, local_list;
20404 diff -urNp linux-2.6.38.1/crypto/lrw.c linux-2.6.38.1-new/crypto/lrw.c
20405 --- linux-2.6.38.1/crypto/lrw.c 2011-03-14 21:20:32.000000000 -0400
20406 +++ linux-2.6.38.1-new/crypto/lrw.c 2011-03-21 18:31:35.000000000 -0400
20407 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20408 struct priv *ctx = crypto_tfm_ctx(parent);
20409 struct crypto_cipher *child = ctx->child;
20411 - be128 tmp = { 0 };
20412 + be128 tmp = { 0, 0 };
20413 int bsize = crypto_cipher_blocksize(child);
20415 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20416 diff -urNp linux-2.6.38.1/Documentation/dontdiff linux-2.6.38.1-new/Documentation/dontdiff
20417 --- linux-2.6.38.1/Documentation/dontdiff 2011-03-14 21:20:32.000000000 -0400
20418 +++ linux-2.6.38.1-new/Documentation/dontdiff 2011-03-21 18:31:35.000000000 -0400
20438 @@ -49,11 +52,16 @@
20455 @@ -82,6 +90,8 @@ bvmlinux
20464 @@ -106,16 +116,19 @@ fore200e_mkfirm
20479 initramfs_data.cpio
20480 +initramfs_data.cpio.bz2
20481 initramfs_data.cpio.gz
20484 @@ -125,7 +138,6 @@ int32.c
20492 @@ -149,7 +161,9 @@ mkboot
20502 @@ -165,6 +179,7 @@ parse.h
20510 @@ -180,6 +195,7 @@ r600_reg_safe.h
20518 @@ -189,6 +205,7 @@ setup
20526 @@ -213,13 +230,17 @@ version.h*
20544 diff -urNp linux-2.6.38.1/Documentation/filesystems/sysfs.txt linux-2.6.38.1-new/Documentation/filesystems/sysfs.txt
20545 --- linux-2.6.38.1/Documentation/filesystems/sysfs.txt 2011-03-14 21:20:32.000000000 -0400
20546 +++ linux-2.6.38.1-new/Documentation/filesystems/sysfs.txt 2011-03-21 18:31:35.000000000 -0400
20547 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20548 show and store methods of the attribute owners.
20551 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20552 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
20553 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20554 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
20557 [ Subsystems should have already defined a struct kobj_type as a
20558 diff -urNp linux-2.6.38.1/Documentation/kernel-parameters.txt linux-2.6.38.1-new/Documentation/kernel-parameters.txt
20559 --- linux-2.6.38.1/Documentation/kernel-parameters.txt 2011-03-14 21:20:32.000000000 -0400
20560 +++ linux-2.6.38.1-new/Documentation/kernel-parameters.txt 2011-03-21 18:31:35.000000000 -0400
20561 @@ -1853,6 +1853,13 @@ bytes respectively. Such letter suffixes
20562 the specified number of seconds. This is to be used if
20563 your oopses keep scrolling off the screen.
20565 + pax_nouderef [X86] disables UDEREF. Most likely needed under certain
20566 + virtualization environments that don't cope well with the
20567 + expand down segment used by UDEREF on X86-32 or the frequent
20568 + page table updates on X86-64.
20570 + pax_softmode= 0/1 to disable/enable PaX softmode on boot already.
20575 diff -urNp linux-2.6.38.1/drivers/acpi/battery.c linux-2.6.38.1-new/drivers/acpi/battery.c
20576 --- linux-2.6.38.1/drivers/acpi/battery.c 2011-03-14 21:20:32.000000000 -0400
20577 +++ linux-2.6.38.1-new/drivers/acpi/battery.c 2011-03-21 18:31:35.000000000 -0400
20578 @@ -862,7 +862,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20581 static struct battery_file {
20582 - struct file_operations ops;
20583 + const struct file_operations ops;
20586 } acpi_battery_file[] = {
20587 diff -urNp linux-2.6.38.1/drivers/acpi/blacklist.c linux-2.6.38.1-new/drivers/acpi/blacklist.c
20588 --- linux-2.6.38.1/drivers/acpi/blacklist.c 2011-03-14 21:20:32.000000000 -0400
20589 +++ linux-2.6.38.1-new/drivers/acpi/blacklist.c 2011-03-21 18:31:35.000000000 -0400
20590 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20591 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20592 "Incorrect _ADR", 1},
20595 + {"", "", 0, NULL, all_versions, NULL, 0}
20598 #if CONFIG_ACPI_BLACKLIST_YEAR
20599 diff -urNp linux-2.6.38.1/drivers/acpi/dock.c linux-2.6.38.1-new/drivers/acpi/dock.c
20600 --- linux-2.6.38.1/drivers/acpi/dock.c 2011-03-14 21:20:32.000000000 -0400
20601 +++ linux-2.6.38.1-new/drivers/acpi/dock.c 2011-03-21 18:31:35.000000000 -0400
20602 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20603 struct list_head list;
20604 struct list_head hotplug_list;
20605 acpi_handle handle;
20606 - struct acpi_dock_ops *ops;
20607 + const struct acpi_dock_ops *ops;
20611 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20612 * the dock driver after _DCK is executed.
20615 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20616 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20619 struct dock_dependent_device *dd;
20620 diff -urNp linux-2.6.38.1/drivers/acpi/ec_sys.c linux-2.6.38.1-new/drivers/acpi/ec_sys.c
20621 --- linux-2.6.38.1/drivers/acpi/ec_sys.c 2011-03-14 21:20:32.000000000 -0400
20622 +++ linux-2.6.38.1-new/drivers/acpi/ec_sys.c 2011-03-21 18:31:35.000000000 -0400
20623 @@ -96,7 +96,7 @@ static ssize_t acpi_ec_write_io(struct f
20627 -static struct file_operations acpi_ec_io_ops = {
20628 +static const struct file_operations acpi_ec_io_ops = {
20629 .owner = THIS_MODULE,
20630 .open = acpi_ec_open_io,
20631 .read = acpi_ec_read_io,
20632 diff -urNp linux-2.6.38.1/drivers/acpi/power_meter.c linux-2.6.38.1-new/drivers/acpi/power_meter.c
20633 --- linux-2.6.38.1/drivers/acpi/power_meter.c 2011-03-14 21:20:32.000000000 -0400
20634 +++ linux-2.6.38.1-new/drivers/acpi/power_meter.c 2011-03-21 18:31:35.000000000 -0400
20635 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
20642 mutex_lock(&resource->lock);
20643 resource->trip[attr->index - 7] = temp;
20644 diff -urNp linux-2.6.38.1/drivers/acpi/proc.c linux-2.6.38.1-new/drivers/acpi/proc.c
20645 --- linux-2.6.38.1/drivers/acpi/proc.c 2011-03-14 21:20:32.000000000 -0400
20646 +++ linux-2.6.38.1-new/drivers/acpi/proc.c 2011-03-21 18:31:35.000000000 -0400
20647 @@ -342,19 +342,13 @@ acpi_system_write_wakeup_device(struct f
20648 size_t count, loff_t * ppos)
20650 struct list_head *node, *next;
20652 - char str[5] = "";
20653 - unsigned int len = count;
20659 + char strbuf[5] = {0};
20661 - if (copy_from_user(strbuf, buffer, len))
20664 + if (copy_from_user(strbuf, buffer, count))
20666 - strbuf[len] = '\0';
20667 - sscanf(strbuf, "%s", str);
20668 + strbuf[count] = '\0';
20670 mutex_lock(&acpi_device_lock);
20671 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
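Review bot: Removing the `sscanf(strbuf, "%s", str)` step changes what the `strncmp(dev->pnp.bus_id, strbuf, 4)` in the following hunk (@@ -363) compares against: the old copy into `str` stopped at the first whitespace, so writing "LID\n" (what a shell `echo` produces) matched a three-character bus id, whereas now the newline stays in `strbuf` and byte 3 no longer matches, so short ids can no longer be toggled from the shell. Cutting the buffer at the first whitespace restores that, e.g. `strbuf[strcspn(strbuf, " \t\n")] = '\0';` right after `strbuf[count] = '\0';`. The new code also relies on `count` being clamped to at most 4 before the copy_from_user() and the `strbuf[count]` store, since `strbuf` has five bytes and `count` is user-controlled; that clamp is not among the lines shown here, so confirm it is present in the lines this view omits. The enclosing function starts before the hunk.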
20672 @@ -363,7 +357,7 @@ acpi_system_write_wakeup_device(struct f
20673 if (!dev->wakeup.flags.valid)
20676 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
20677 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
20678 if (device_can_wakeup(&dev->dev)) {
20679 bool enable = !device_may_wakeup(&dev->dev);
20680 device_set_wakeup_enable(&dev->dev, enable);
20681 diff -urNp linux-2.6.38.1/drivers/acpi/processor_driver.c linux-2.6.38.1-new/drivers/acpi/processor_driver.c
20682 --- linux-2.6.38.1/drivers/acpi/processor_driver.c 2011-03-14 21:20:32.000000000 -0400
20683 +++ linux-2.6.38.1-new/drivers/acpi/processor_driver.c 2011-03-21 18:31:35.000000000 -0400
20684 @@ -473,7 +473,7 @@ static int __cpuinit acpi_processor_add(
20688 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
20689 + BUG_ON(pr->id >= nr_cpu_ids);
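Review bot: Dropping `pr->id < 0` is only a no-op if `pr->id` is an unsigned type (in which case the old comparison was always false and the compiler presumably warned about it); if it is signed, a negative id now passes the check and is used as a CPU index later in the function. The hunk does not show the declaration, so record the assumption where the check lives: `BUG_ON(pr->id >= nr_cpu_ids); /* id is unsigned, so this also rejects wrapped "negative" values */`. acpi_processor_add continues outside the hunk.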
20693 diff -urNp linux-2.6.38.1/drivers/acpi/processor_idle.c linux-2.6.38.1-new/drivers/acpi/processor_idle.c
20694 --- linux-2.6.38.1/drivers/acpi/processor_idle.c 2011-03-14 21:20:32.000000000 -0400
20695 +++ linux-2.6.38.1-new/drivers/acpi/processor_idle.c 2011-03-21 18:31:35.000000000 -0400
20696 @@ -121,7 +121,7 @@ static struct dmi_system_id __cpuinitdat
20697 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
20698 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
20701 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
20705 diff -urNp linux-2.6.38.1/drivers/ata/acard-ahci.c linux-2.6.38.1-new/drivers/ata/acard-ahci.c
20706 --- linux-2.6.38.1/drivers/ata/acard-ahci.c 2011-03-14 21:20:32.000000000 -0400
20707 +++ linux-2.6.38.1-new/drivers/ata/acard-ahci.c 2011-03-21 18:31:35.000000000 -0400
20708 @@ -87,7 +87,7 @@ static struct scsi_host_template acard_a
20709 AHCI_SHT("acard-ahci"),
20712 -static struct ata_port_operations acard_ops = {
20713 +static const struct ata_port_operations acard_ops = {
20714 .inherits = &ahci_ops,
20715 .qc_prep = acard_ahci_qc_prep,
20716 .qc_fill_rtf = acard_ahci_qc_fill_rtf,
20717 diff -urNp linux-2.6.38.1/drivers/ata/ahci.c linux-2.6.38.1-new/drivers/ata/ahci.c
20718 --- linux-2.6.38.1/drivers/ata/ahci.c 2011-03-23 17:20:06.000000000 -0400
20719 +++ linux-2.6.38.1-new/drivers/ata/ahci.c 2011-03-23 17:21:49.000000000 -0400
20720 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
20724 -static struct ata_port_operations ahci_vt8251_ops = {
20725 +static const struct ata_port_operations ahci_vt8251_ops = {
20726 .inherits = &ahci_ops,
20727 .hardreset = ahci_vt8251_hardreset,
20730 -static struct ata_port_operations ahci_p5wdh_ops = {
20731 +static const struct ata_port_operations ahci_p5wdh_ops = {
20732 .inherits = &ahci_ops,
20733 .hardreset = ahci_p5wdh_hardreset,
20736 -static struct ata_port_operations ahci_sb600_ops = {
20737 +static const struct ata_port_operations ahci_sb600_ops = {
20738 .inherits = &ahci_ops,
20739 .softreset = ahci_sb600_softreset,
20740 .pmp_softreset = ahci_sb600_softreset,
20741 @@ -394,7 +394,7 @@ static const struct pci_device_id ahci_p
20742 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
20743 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
20745 - { } /* terminate list */
20746 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20750 diff -urNp linux-2.6.38.1/drivers/ata/ahci.h linux-2.6.38.1-new/drivers/ata/ahci.h
20751 --- linux-2.6.38.1/drivers/ata/ahci.h 2011-03-14 21:20:32.000000000 -0400
20752 +++ linux-2.6.38.1-new/drivers/ata/ahci.h 2011-03-21 18:31:35.000000000 -0400
20753 @@ -309,7 +309,7 @@ extern struct device_attribute *ahci_sde
20754 .shost_attrs = ahci_shost_attrs, \
20755 .sdev_attrs = ahci_sdev_attrs
20757 -extern struct ata_port_operations ahci_ops;
20758 +extern const struct ata_port_operations ahci_ops;
20760 void ahci_fill_cmd_slot(struct ahci_port_priv *pp, unsigned int tag,
20762 diff -urNp linux-2.6.38.1/drivers/ata/ata_generic.c linux-2.6.38.1-new/drivers/ata/ata_generic.c
20763 --- linux-2.6.38.1/drivers/ata/ata_generic.c 2011-03-14 21:20:32.000000000 -0400
20764 +++ linux-2.6.38.1-new/drivers/ata/ata_generic.c 2011-03-21 18:31:35.000000000 -0400
20765 @@ -101,7 +101,7 @@ static struct scsi_host_template generic
20766 ATA_BMDMA_SHT(DRV_NAME),
20769 -static struct ata_port_operations generic_port_ops = {
20770 +static const struct ata_port_operations generic_port_ops = {
20771 .inherits = &ata_bmdma_port_ops,
20772 .cable_detect = ata_cable_unknown,
20773 .set_mode = generic_set_mode,
20774 diff -urNp linux-2.6.38.1/drivers/ata/ata_piix.c linux-2.6.38.1-new/drivers/ata/ata_piix.c
20775 --- linux-2.6.38.1/drivers/ata/ata_piix.c 2011-03-14 21:20:32.000000000 -0400
20776 +++ linux-2.6.38.1-new/drivers/ata/ata_piix.c 2011-03-21 18:31:35.000000000 -0400
20777 @@ -309,7 +309,7 @@ static const struct pci_device_id piix_p
20778 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
20779 /* SATA Controller IDE (PBG) */
20780 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
20781 - { } /* terminate list */
20782 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
20785 static struct pci_driver piix_pci_driver = {
20786 @@ -327,12 +327,12 @@ static struct scsi_host_template piix_sh
20787 ATA_BMDMA_SHT(DRV_NAME),
20790 -static struct ata_port_operations piix_sata_ops = {
20791 +static const struct ata_port_operations piix_sata_ops = {
20792 .inherits = &ata_bmdma32_port_ops,
20793 .sff_irq_check = piix_irq_check,
20796 -static struct ata_port_operations piix_pata_ops = {
20797 +static const struct ata_port_operations piix_pata_ops = {
20798 .inherits = &piix_sata_ops,
20799 .cable_detect = ata_cable_40wire,
20800 .set_piomode = piix_set_piomode,
20801 @@ -340,12 +340,12 @@ static struct ata_port_operations piix_p
20802 .prereset = piix_pata_prereset,
20805 -static struct ata_port_operations piix_vmw_ops = {
20806 +static const struct ata_port_operations piix_vmw_ops = {
20807 .inherits = &piix_pata_ops,
20808 .bmdma_status = piix_vmw_bmdma_status,
20811 -static struct ata_port_operations ich_pata_ops = {
20812 +static const struct ata_port_operations ich_pata_ops = {
20813 .inherits = &piix_pata_ops,
20814 .cable_detect = ich_pata_cable_detect,
20815 .set_dmamode = ich_set_dmamode,
20816 @@ -361,7 +361,7 @@ static struct scsi_host_template piix_si
20817 .shost_attrs = piix_sidpr_shost_attrs,
20820 -static struct ata_port_operations piix_sidpr_sata_ops = {
20821 +static const struct ata_port_operations piix_sidpr_sata_ops = {
20822 .inherits = &piix_sata_ops,
20823 .hardreset = sata_std_hardreset,
20824 .scr_read = piix_sidpr_scr_read,
20825 @@ -638,7 +638,7 @@ static const struct ich_laptop ich_lapto
20826 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
20827 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
20834 @@ -1130,7 +1130,7 @@ static int piix_broken_suspend(void)
20838 - { } /* terminate list */
20839 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
20841 static const char *oemstrs[] = {
20843 diff -urNp linux-2.6.38.1/drivers/ata/libahci.c linux-2.6.38.1-new/drivers/ata/libahci.c
20844 --- linux-2.6.38.1/drivers/ata/libahci.c 2011-03-14 21:20:32.000000000 -0400
20845 +++ linux-2.6.38.1-new/drivers/ata/libahci.c 2011-03-21 18:31:35.000000000 -0400
20846 @@ -137,7 +137,7 @@ struct device_attribute *ahci_sdev_attrs
20848 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
20850 -struct ata_port_operations ahci_ops = {
20851 +const struct ata_port_operations ahci_ops = {
20852 .inherits = &sata_pmp_port_ops,
20854 .qc_defer = ahci_pmp_qc_defer,
20855 diff -urNp linux-2.6.38.1/drivers/ata/libata-acpi.c linux-2.6.38.1-new/drivers/ata/libata-acpi.c
20856 --- linux-2.6.38.1/drivers/ata/libata-acpi.c 2011-03-14 21:20:32.000000000 -0400
20857 +++ linux-2.6.38.1-new/drivers/ata/libata-acpi.c 2011-03-21 18:31:35.000000000 -0400
20858 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
20859 ata_acpi_uevent(dev->link->ap, dev, event);
20862 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20863 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
20864 .handler = ata_acpi_dev_notify_dock,
20865 .uevent = ata_acpi_dev_uevent,
20868 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20869 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
20870 .handler = ata_acpi_ap_notify_dock,
20871 .uevent = ata_acpi_ap_uevent,
20873 diff -urNp linux-2.6.38.1/drivers/ata/libata-core.c linux-2.6.38.1-new/drivers/ata/libata-core.c
20874 --- linux-2.6.38.1/drivers/ata/libata-core.c 2011-03-14 21:20:32.000000000 -0400
20875 +++ linux-2.6.38.1-new/drivers/ata/libata-core.c 2011-03-21 18:31:35.000000000 -0400
20876 @@ -897,7 +897,7 @@ static const struct ata_xfer_ent {
20877 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
20878 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
20879 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
20885 @@ -2885,7 +2885,7 @@ static const struct ata_timing ata_timin
20886 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
20887 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
20890 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
20893 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
20894 @@ -4141,7 +4141,7 @@ static const struct ata_blacklist_entry
20895 { "PIONEER DVD-RW DVR-212D", "1.28", ATA_HORKAGE_NOSETXFER },
20899 + { NULL, NULL, 0 }
20903 @@ -4746,7 +4746,7 @@ void ata_qc_free(struct ata_queued_cmd *
20904 struct ata_port *ap;
20907 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20908 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
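Review bot: Promoting the check to `BUG_ON(qc == NULL)` contradicts the comment kept on the same line, which still reads as if the function tolerated a NULL from ata_qc_from_tag; after this change a NULL qc stops the kernel by design, so the contract is now that callers filter NULL before calling. Reword the comment to say that: `BUG_ON(qc == NULL); /* callers must check ata_qc_from_tag() for NULL; reaching here is a bug */`. The identical change in __ata_qc_complete (hunk @@ -4762) needs the same rewording. The ata_qc_free body continues outside the hunk.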
20912 @@ -4762,7 +4762,7 @@ void __ata_qc_complete(struct ata_queued
20913 struct ata_port *ap;
20914 struct ata_link *link;
20916 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20917 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
20918 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
20920 link = qc->dev->link;
20921 @@ -5755,7 +5755,7 @@ static void ata_host_stop(struct device
20925 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
20926 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
20928 static DEFINE_SPINLOCK(lock);
20929 const struct ata_port_operations *cur;
20930 @@ -5767,6 +5767,7 @@ static void ata_finalize_port_ops(struct
20934 + pax_open_kernel();
20936 for (cur = ops->inherits; cur; cur = cur->inherits) {
20937 void **inherit = (void **)cur;
20938 @@ -5780,8 +5781,9 @@ static void ata_finalize_port_ops(struct
20942 - ops->inherits = NULL;
20943 + ((struct ata_port_operations *)ops)->inherits = NULL;
20945 + pax_close_kernel();
20946 spin_unlock(&lock);
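Review bot: The store `((struct ata_port_operations *)ops)->inherits = NULL;` casts away the `const` that hunk @@ -5755 just added to the parameter and writes into objects this patch now defines `const`, such as `ahci_ops` in the libahci.c hunk; in C that is undefined behaviour unless the pax_open_kernel()/pax_close_kernel() pair from hunk @@ -5767 is what makes the read-only mapping writable, and nothing in the hunk says so. A comment at the cast would keep a later cleanup from moving the store outside the open/close window or dropping the cast: `/* ops may live in .rodata: pax_open_kernel() above makes it writable for this one store */`. The rest of ata_finalize_port_ops, including the loop that fills in inherited entries, is outside the hunk.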
20949 @@ -5878,7 +5880,7 @@ int ata_host_start(struct ata_host *host
20951 /* KILLME - the only user left is ipr */
20952 void ata_host_init(struct ata_host *host, struct device *dev,
20953 - unsigned long flags, struct ata_port_operations *ops)
20954 + unsigned long flags, const struct ata_port_operations *ops)
20956 spin_lock_init(&host->lock);
20957 mutex_init(&host->eh_mutex);
20958 @@ -6584,7 +6586,7 @@ static void ata_dummy_error_handler(stru
20962 -struct ata_port_operations ata_dummy_port_ops = {
20963 +const struct ata_port_operations ata_dummy_port_ops = {
20964 .qc_prep = ata_noop_qc_prep,
20965 .qc_issue = ata_dummy_qc_issue,
20966 .error_handler = ata_dummy_error_handler,
20967 diff -urNp linux-2.6.38.1/drivers/ata/libata-eh.c linux-2.6.38.1-new/drivers/ata/libata-eh.c
20968 --- linux-2.6.38.1/drivers/ata/libata-eh.c 2011-03-23 17:20:06.000000000 -0400
20969 +++ linux-2.6.38.1-new/drivers/ata/libata-eh.c 2011-03-23 17:21:49.000000000 -0400
20970 @@ -3880,7 +3880,7 @@ void ata_do_eh(struct ata_port *ap, ata_
20972 void ata_std_error_handler(struct ata_port *ap)
20974 - struct ata_port_operations *ops = ap->ops;
20975 + const struct ata_port_operations *ops = ap->ops;
20976 ata_reset_fn_t hardreset = ops->hardreset;
20978 /* ignore built-in hardreset if SCR access is not available */
20979 diff -urNp linux-2.6.38.1/drivers/ata/libata-pmp.c linux-2.6.38.1-new/drivers/ata/libata-pmp.c
20980 --- linux-2.6.38.1/drivers/ata/libata-pmp.c 2011-03-14 21:20:32.000000000 -0400
20981 +++ linux-2.6.38.1-new/drivers/ata/libata-pmp.c 2011-03-21 18:31:35.000000000 -0400
20982 @@ -912,7 +912,7 @@ static int sata_pmp_handle_link_fail(str
20984 static int sata_pmp_eh_recover(struct ata_port *ap)
20986 - struct ata_port_operations *ops = ap->ops;
20987 + const struct ata_port_operations *ops = ap->ops;
20988 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
20989 struct ata_link *pmp_link = &ap->link;
20990 struct ata_device *pmp_dev = pmp_link->device;
20991 diff -urNp linux-2.6.38.1/drivers/ata/pata_acpi.c linux-2.6.38.1-new/drivers/ata/pata_acpi.c
20992 --- linux-2.6.38.1/drivers/ata/pata_acpi.c 2011-03-14 21:20:32.000000000 -0400
20993 +++ linux-2.6.38.1-new/drivers/ata/pata_acpi.c 2011-03-21 18:31:35.000000000 -0400
20994 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
20995 ATA_BMDMA_SHT(DRV_NAME),
20998 -static struct ata_port_operations pacpi_ops = {
20999 +static const struct ata_port_operations pacpi_ops = {
21000 .inherits = &ata_bmdma_port_ops,
21001 .qc_issue = pacpi_qc_issue,
21002 .cable_detect = pacpi_cable_detect,
21003 diff -urNp linux-2.6.38.1/drivers/ata/pata_ali.c linux-2.6.38.1-new/drivers/ata/pata_ali.c
21004 --- linux-2.6.38.1/drivers/ata/pata_ali.c 2011-03-14 21:20:32.000000000 -0400
21005 +++ linux-2.6.38.1-new/drivers/ata/pata_ali.c 2011-03-21 18:31:35.000000000 -0400
21006 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21007 * Port operations for PIO only ALi
21010 -static struct ata_port_operations ali_early_port_ops = {
21011 +static const struct ata_port_operations ali_early_port_ops = {
21012 .inherits = &ata_sff_port_ops,
21013 .cable_detect = ata_cable_40wire,
21014 .set_piomode = ali_set_piomode,
21015 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21016 * Port operations for DMA capable ALi without cable
21019 -static struct ata_port_operations ali_20_port_ops = {
21020 +static const struct ata_port_operations ali_20_port_ops = {
21021 .inherits = &ali_dma_base_ops,
21022 .cable_detect = ata_cable_40wire,
21023 .mode_filter = ali_20_filter,
21024 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21026 * Port operations for DMA capable ALi with cable detect
21028 -static struct ata_port_operations ali_c2_port_ops = {
21029 +static const struct ata_port_operations ali_c2_port_ops = {
21030 .inherits = &ali_dma_base_ops,
21031 .check_atapi_dma = ali_check_atapi_dma,
21032 .cable_detect = ali_c2_cable_detect,
21033 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21035 * Port operations for DMA capable ALi with cable detect
21037 -static struct ata_port_operations ali_c4_port_ops = {
21038 +static const struct ata_port_operations ali_c4_port_ops = {
21039 .inherits = &ali_dma_base_ops,
21040 .check_atapi_dma = ali_check_atapi_dma,
21041 .cable_detect = ali_c2_cable_detect,
21042 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21044 * Port operations for DMA capable ALi with cable detect and LBA48
21046 -static struct ata_port_operations ali_c5_port_ops = {
21047 +static const struct ata_port_operations ali_c5_port_ops = {
21048 .inherits = &ali_dma_base_ops,
21049 .check_atapi_dma = ali_check_atapi_dma,
21050 .dev_config = ali_warn_atapi_dma,
21051 diff -urNp linux-2.6.38.1/drivers/ata/pata_amd.c linux-2.6.38.1-new/drivers/ata/pata_amd.c
21052 --- linux-2.6.38.1/drivers/ata/pata_amd.c 2011-03-14 21:20:32.000000000 -0400
21053 +++ linux-2.6.38.1-new/drivers/ata/pata_amd.c 2011-03-21 18:31:35.000000000 -0400
21054 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21055 .prereset = amd_pre_reset,
21058 -static struct ata_port_operations amd33_port_ops = {
21059 +static const struct ata_port_operations amd33_port_ops = {
21060 .inherits = &amd_base_port_ops,
21061 .cable_detect = ata_cable_40wire,
21062 .set_piomode = amd33_set_piomode,
21063 .set_dmamode = amd33_set_dmamode,
21066 -static struct ata_port_operations amd66_port_ops = {
21067 +static const struct ata_port_operations amd66_port_ops = {
21068 .inherits = &amd_base_port_ops,
21069 .cable_detect = ata_cable_unknown,
21070 .set_piomode = amd66_set_piomode,
21071 .set_dmamode = amd66_set_dmamode,
21074 -static struct ata_port_operations amd100_port_ops = {
21075 +static const struct ata_port_operations amd100_port_ops = {
21076 .inherits = &amd_base_port_ops,
21077 .cable_detect = ata_cable_unknown,
21078 .set_piomode = amd100_set_piomode,
21079 .set_dmamode = amd100_set_dmamode,
21082 -static struct ata_port_operations amd133_port_ops = {
21083 +static const struct ata_port_operations amd133_port_ops = {
21084 .inherits = &amd_base_port_ops,
21085 .cable_detect = amd_cable_detect,
21086 .set_piomode = amd133_set_piomode,
21087 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21088 .host_stop = nv_host_stop,
21091 -static struct ata_port_operations nv100_port_ops = {
21092 +static const struct ata_port_operations nv100_port_ops = {
21093 .inherits = &nv_base_port_ops,
21094 .set_piomode = nv100_set_piomode,
21095 .set_dmamode = nv100_set_dmamode,
21098 -static struct ata_port_operations nv133_port_ops = {
21099 +static const struct ata_port_operations nv133_port_ops = {
21100 .inherits = &nv_base_port_ops,
21101 .set_piomode = nv133_set_piomode,
21102 .set_dmamode = nv133_set_dmamode,
21103 diff -urNp linux-2.6.38.1/drivers/ata/pata_artop.c linux-2.6.38.1-new/drivers/ata/pata_artop.c
21104 --- linux-2.6.38.1/drivers/ata/pata_artop.c 2011-03-14 21:20:32.000000000 -0400
21105 +++ linux-2.6.38.1-new/drivers/ata/pata_artop.c 2011-03-21 18:31:35.000000000 -0400
21106 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
21107 ATA_BMDMA_SHT(DRV_NAME),
21110 -static struct ata_port_operations artop6210_ops = {
21111 +static const struct ata_port_operations artop6210_ops = {
21112 .inherits = &ata_bmdma_port_ops,
21113 .cable_detect = ata_cable_40wire,
21114 .set_piomode = artop6210_set_piomode,
21115 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
21116 .qc_defer = artop6210_qc_defer,
21119 -static struct ata_port_operations artop6260_ops = {
21120 +static const struct ata_port_operations artop6260_ops = {
21121 .inherits = &ata_bmdma_port_ops,
21122 .cable_detect = artop6260_cable_detect,
21123 .set_piomode = artop6260_set_piomode,
21124 diff -urNp linux-2.6.38.1/drivers/ata/pata_at32.c linux-2.6.38.1-new/drivers/ata/pata_at32.c
21125 --- linux-2.6.38.1/drivers/ata/pata_at32.c 2011-03-14 21:20:32.000000000 -0400
21126 +++ linux-2.6.38.1-new/drivers/ata/pata_at32.c 2011-03-21 18:31:35.000000000 -0400
21127 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21128 ATA_PIO_SHT(DRV_NAME),
21131 -static struct ata_port_operations at32_port_ops = {
21132 +static const struct ata_port_operations at32_port_ops = {
21133 .inherits = &ata_sff_port_ops,
21134 .cable_detect = ata_cable_40wire,
21135 .set_piomode = pata_at32_set_piomode,
21136 diff -urNp linux-2.6.38.1/drivers/ata/pata_at91.c linux-2.6.38.1-new/drivers/ata/pata_at91.c
21137 --- linux-2.6.38.1/drivers/ata/pata_at91.c 2011-03-14 21:20:32.000000000 -0400
21138 +++ linux-2.6.38.1-new/drivers/ata/pata_at91.c 2011-03-21 18:31:35.000000000 -0400
21139 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21140 ATA_PIO_SHT(DRV_NAME),
21143 -static struct ata_port_operations pata_at91_port_ops = {
21144 +static const struct ata_port_operations pata_at91_port_ops = {
21145 .inherits = &ata_sff_port_ops,
21147 .sff_data_xfer = pata_at91_data_xfer_noirq,
21148 diff -urNp linux-2.6.38.1/drivers/ata/pata_atiixp.c linux-2.6.38.1-new/drivers/ata/pata_atiixp.c
21149 --- linux-2.6.38.1/drivers/ata/pata_atiixp.c 2011-03-14 21:20:32.000000000 -0400
21150 +++ linux-2.6.38.1-new/drivers/ata/pata_atiixp.c 2011-03-21 18:31:35.000000000 -0400
21151 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21152 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21155 -static struct ata_port_operations atiixp_port_ops = {
21156 +static const struct ata_port_operations atiixp_port_ops = {
21157 .inherits = &ata_bmdma_port_ops,
21159 .qc_prep = ata_bmdma_dumb_qc_prep,
21160 diff -urNp linux-2.6.38.1/drivers/ata/pata_atp867x.c linux-2.6.38.1-new/drivers/ata/pata_atp867x.c
21161 --- linux-2.6.38.1/drivers/ata/pata_atp867x.c 2011-03-14 21:20:32.000000000 -0400
21162 +++ linux-2.6.38.1-new/drivers/ata/pata_atp867x.c 2011-03-21 18:31:35.000000000 -0400
21163 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21164 ATA_BMDMA_SHT(DRV_NAME),
21167 -static struct ata_port_operations atp867x_ops = {
21168 +static const struct ata_port_operations atp867x_ops = {
21169 .inherits = &ata_bmdma_port_ops,
21170 .cable_detect = atp867x_cable_detect,
21171 .set_piomode = atp867x_set_piomode,
21172 diff -urNp linux-2.6.38.1/drivers/ata/pata_bf54x.c linux-2.6.38.1-new/drivers/ata/pata_bf54x.c
21173 --- linux-2.6.38.1/drivers/ata/pata_bf54x.c 2011-03-14 21:20:32.000000000 -0400
21174 +++ linux-2.6.38.1-new/drivers/ata/pata_bf54x.c 2011-03-21 18:31:35.000000000 -0400
21175 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21176 .dma_boundary = ATA_DMA_BOUNDARY,
21179 -static struct ata_port_operations bfin_pata_ops = {
21180 +static const struct ata_port_operations bfin_pata_ops = {
21181 .inherits = &ata_bmdma_port_ops,
21183 .set_piomode = bfin_set_piomode,
21184 diff -urNp linux-2.6.38.1/drivers/ata/pata_cmd640.c linux-2.6.38.1-new/drivers/ata/pata_cmd640.c
21185 --- linux-2.6.38.1/drivers/ata/pata_cmd640.c 2011-03-14 21:20:32.000000000 -0400
21186 +++ linux-2.6.38.1-new/drivers/ata/pata_cmd640.c 2011-03-21 18:31:35.000000000 -0400
21187 @@ -176,7 +176,7 @@ static struct scsi_host_template cmd640_
21188 ATA_PIO_SHT(DRV_NAME),
21191 -static struct ata_port_operations cmd640_port_ops = {
21192 +static const struct ata_port_operations cmd640_port_ops = {
21193 .inherits = &ata_sff_port_ops,
21194 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21195 .sff_data_xfer = ata_sff_data_xfer_noirq,
21196 diff -urNp linux-2.6.38.1/drivers/ata/pata_cmd64x.c linux-2.6.38.1-new/drivers/ata/pata_cmd64x.c
21197 --- linux-2.6.38.1/drivers/ata/pata_cmd64x.c 2011-03-14 21:20:32.000000000 -0400
21198 +++ linux-2.6.38.1-new/drivers/ata/pata_cmd64x.c 2011-03-21 18:31:35.000000000 -0400
21199 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21200 .set_dmamode = cmd64x_set_dmamode,
21203 -static struct ata_port_operations cmd64x_port_ops = {
21204 +static const struct ata_port_operations cmd64x_port_ops = {
21205 .inherits = &cmd64x_base_ops,
21206 .cable_detect = ata_cable_40wire,
21209 -static struct ata_port_operations cmd646r1_port_ops = {
21210 +static const struct ata_port_operations cmd646r1_port_ops = {
21211 .inherits = &cmd64x_base_ops,
21212 .bmdma_stop = cmd646r1_bmdma_stop,
21213 .cable_detect = ata_cable_40wire,
21216 -static struct ata_port_operations cmd648_port_ops = {
21217 +static const struct ata_port_operations cmd648_port_ops = {
21218 .inherits = &cmd64x_base_ops,
21219 .bmdma_stop = cmd648_bmdma_stop,
21220 .cable_detect = cmd648_cable_detect,
21221 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5520.c linux-2.6.38.1-new/drivers/ata/pata_cs5520.c
21222 --- linux-2.6.38.1/drivers/ata/pata_cs5520.c 2011-03-14 21:20:32.000000000 -0400
21223 +++ linux-2.6.38.1-new/drivers/ata/pata_cs5520.c 2011-03-21 18:31:35.000000000 -0400
21224 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21225 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21228 -static struct ata_port_operations cs5520_port_ops = {
21229 +static const struct ata_port_operations cs5520_port_ops = {
21230 .inherits = &ata_bmdma_port_ops,
21231 .qc_prep = ata_bmdma_dumb_qc_prep,
21232 .cable_detect = ata_cable_40wire,
21233 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5530.c linux-2.6.38.1-new/drivers/ata/pata_cs5530.c
21234 --- linux-2.6.38.1/drivers/ata/pata_cs5530.c 2011-03-14 21:20:32.000000000 -0400
21235 +++ linux-2.6.38.1-new/drivers/ata/pata_cs5530.c 2011-03-21 18:31:35.000000000 -0400
21236 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21237 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21240 -static struct ata_port_operations cs5530_port_ops = {
21241 +static const struct ata_port_operations cs5530_port_ops = {
21242 .inherits = &ata_bmdma_port_ops,
21244 .qc_prep = ata_bmdma_dumb_qc_prep,
21245 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5535.c linux-2.6.38.1-new/drivers/ata/pata_cs5535.c
21246 --- linux-2.6.38.1/drivers/ata/pata_cs5535.c 2011-03-14 21:20:32.000000000 -0400
21247 +++ linux-2.6.38.1-new/drivers/ata/pata_cs5535.c 2011-03-21 18:31:35.000000000 -0400
21248 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21249 ATA_BMDMA_SHT(DRV_NAME),
21252 -static struct ata_port_operations cs5535_port_ops = {
21253 +static const struct ata_port_operations cs5535_port_ops = {
21254 .inherits = &ata_bmdma_port_ops,
21255 .cable_detect = cs5535_cable_detect,
21256 .set_piomode = cs5535_set_piomode,
21257 diff -urNp linux-2.6.38.1/drivers/ata/pata_cs5536.c linux-2.6.38.1-new/drivers/ata/pata_cs5536.c
21258 --- linux-2.6.38.1/drivers/ata/pata_cs5536.c 2011-03-14 21:20:32.000000000 -0400
21259 +++ linux-2.6.38.1-new/drivers/ata/pata_cs5536.c 2011-03-21 18:31:35.000000000 -0400
21260 @@ -233,7 +233,7 @@ static struct scsi_host_template cs5536_
21261 ATA_BMDMA_SHT(DRV_NAME),
21264 -static struct ata_port_operations cs5536_port_ops = {
21265 +static const struct ata_port_operations cs5536_port_ops = {
21266 .inherits = &ata_bmdma32_port_ops,
21267 .cable_detect = cs5536_cable_detect,
21268 .set_piomode = cs5536_set_piomode,
21269 diff -urNp linux-2.6.38.1/drivers/ata/pata_cypress.c linux-2.6.38.1-new/drivers/ata/pata_cypress.c
21270 --- linux-2.6.38.1/drivers/ata/pata_cypress.c 2011-03-14 21:20:32.000000000 -0400
21271 +++ linux-2.6.38.1-new/drivers/ata/pata_cypress.c 2011-03-21 18:31:35.000000000 -0400
21272 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21273 ATA_BMDMA_SHT(DRV_NAME),
21276 -static struct ata_port_operations cy82c693_port_ops = {
21277 +static const struct ata_port_operations cy82c693_port_ops = {
21278 .inherits = &ata_bmdma_port_ops,
21279 .cable_detect = ata_cable_40wire,
21280 .set_piomode = cy82c693_set_piomode,
21281 diff -urNp linux-2.6.38.1/drivers/ata/pata_efar.c linux-2.6.38.1-new/drivers/ata/pata_efar.c
21282 --- linux-2.6.38.1/drivers/ata/pata_efar.c 2011-03-14 21:20:32.000000000 -0400
21283 +++ linux-2.6.38.1-new/drivers/ata/pata_efar.c 2011-03-21 18:31:35.000000000 -0400
21284 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21285 ATA_BMDMA_SHT(DRV_NAME),
21288 -static struct ata_port_operations efar_ops = {
21289 +static const struct ata_port_operations efar_ops = {
21290 .inherits = &ata_bmdma_port_ops,
21291 .cable_detect = efar_cable_detect,
21292 .set_piomode = efar_set_piomode,
21293 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt366.c linux-2.6.38.1-new/drivers/ata/pata_hpt366.c
21294 --- linux-2.6.38.1/drivers/ata/pata_hpt366.c 2011-03-14 21:20:32.000000000 -0400
21295 +++ linux-2.6.38.1-new/drivers/ata/pata_hpt366.c 2011-03-21 18:31:35.000000000 -0400
21296 @@ -275,7 +275,7 @@ static struct scsi_host_template hpt36x_
21297 * Configuration for HPT366/68
21300 -static struct ata_port_operations hpt366_port_ops = {
21301 +static const struct ata_port_operations hpt366_port_ops = {
21302 .inherits = &ata_bmdma_port_ops,
21303 .cable_detect = hpt36x_cable_detect,
21304 .mode_filter = hpt366_filter,
21305 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt37x.c linux-2.6.38.1-new/drivers/ata/pata_hpt37x.c
21306 --- linux-2.6.38.1/drivers/ata/pata_hpt37x.c 2011-03-14 21:20:32.000000000 -0400
21307 +++ linux-2.6.38.1-new/drivers/ata/pata_hpt37x.c 2011-03-21 18:31:35.000000000 -0400
21308 @@ -587,7 +587,7 @@ static struct scsi_host_template hpt37x_
21309 * Configuration for HPT370
21312 -static struct ata_port_operations hpt370_port_ops = {
21313 +static const struct ata_port_operations hpt370_port_ops = {
21314 .inherits = &ata_bmdma_port_ops,
21316 .bmdma_stop = hpt370_bmdma_stop,
21317 @@ -603,7 +603,7 @@ static struct ata_port_operations hpt370
21318 * Configuration for HPT370A. Close to 370 but less filters
21321 -static struct ata_port_operations hpt370a_port_ops = {
21322 +static const struct ata_port_operations hpt370a_port_ops = {
21323 .inherits = &hpt370_port_ops,
21324 .mode_filter = hpt370a_filter,
21326 @@ -613,7 +613,7 @@ static struct ata_port_operations hpt370
21327 * mode setting functionality.
21330 -static struct ata_port_operations hpt302_port_ops = {
21331 +static const struct ata_port_operations hpt302_port_ops = {
21332 .inherits = &ata_bmdma_port_ops,
21334 .bmdma_stop = hpt37x_bmdma_stop,
21335 @@ -629,7 +629,7 @@ static struct ata_port_operations hpt302
21336 * but we have a mode filter.
21339 -static struct ata_port_operations hpt372_port_ops = {
21340 +static const struct ata_port_operations hpt372_port_ops = {
21341 .inherits = &hpt302_port_ops,
21342 .mode_filter = hpt372_filter,
21344 @@ -639,7 +639,7 @@ static struct ata_port_operations hpt372
21345 * but we have a different cable detection procedure for function 1.
21348 -static struct ata_port_operations hpt374_fn1_port_ops = {
21349 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21350 .inherits = &hpt372_port_ops,
21351 .cable_detect = hpt374_fn1_cable_detect,
21353 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt3x2n.c linux-2.6.38.1-new/drivers/ata/pata_hpt3x2n.c
21354 --- linux-2.6.38.1/drivers/ata/pata_hpt3x2n.c 2011-03-14 21:20:32.000000000 -0400
21355 +++ linux-2.6.38.1-new/drivers/ata/pata_hpt3x2n.c 2011-03-21 18:31:35.000000000 -0400
21356 @@ -348,7 +348,7 @@ static struct scsi_host_template hpt3x2n
21357 * Configuration for HPT302N/371N.
21360 -static struct ata_port_operations hpt3xxn_port_ops = {
21361 +static const struct ata_port_operations hpt3xxn_port_ops = {
21362 .inherits = &ata_bmdma_port_ops,
21364 .bmdma_stop = hpt3x2n_bmdma_stop,
21365 @@ -366,7 +366,7 @@ static struct ata_port_operations hpt3xx
21366 * Configuration for HPT372N. Same as 302N/371N but we have a mode filter.
21369 -static struct ata_port_operations hpt372n_port_ops = {
21370 +static const struct ata_port_operations hpt372n_port_ops = {
21371 .inherits = &hpt3xxn_port_ops,
21372 .mode_filter = &hpt372n_filter,
21374 diff -urNp linux-2.6.38.1/drivers/ata/pata_hpt3x3.c linux-2.6.38.1-new/drivers/ata/pata_hpt3x3.c
21375 --- linux-2.6.38.1/drivers/ata/pata_hpt3x3.c 2011-03-14 21:20:32.000000000 -0400
21376 +++ linux-2.6.38.1-new/drivers/ata/pata_hpt3x3.c 2011-03-21 18:31:35.000000000 -0400
21377 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21378 ATA_BMDMA_SHT(DRV_NAME),
21381 -static struct ata_port_operations hpt3x3_port_ops = {
21382 +static const struct ata_port_operations hpt3x3_port_ops = {
21383 .inherits = &ata_bmdma_port_ops,
21384 .cable_detect = ata_cable_40wire,
21385 .set_piomode = hpt3x3_set_piomode,
21386 diff -urNp linux-2.6.38.1/drivers/ata/pata_icside.c linux-2.6.38.1-new/drivers/ata/pata_icside.c
21387 --- linux-2.6.38.1/drivers/ata/pata_icside.c 2011-03-14 21:20:32.000000000 -0400
21388 +++ linux-2.6.38.1-new/drivers/ata/pata_icside.c 2011-03-21 18:31:35.000000000 -0400
21389 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21393 -static struct ata_port_operations pata_icside_port_ops = {
21394 +static const struct ata_port_operations pata_icside_port_ops = {
21395 .inherits = &ata_bmdma_port_ops,
21396 /* no need to build any PRD tables for DMA */
21397 .qc_prep = ata_noop_qc_prep,
21398 diff -urNp linux-2.6.38.1/drivers/ata/pata_isapnp.c linux-2.6.38.1-new/drivers/ata/pata_isapnp.c
21399 --- linux-2.6.38.1/drivers/ata/pata_isapnp.c 2011-03-14 21:20:32.000000000 -0400
21400 +++ linux-2.6.38.1-new/drivers/ata/pata_isapnp.c 2011-03-21 18:31:35.000000000 -0400
21401 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21402 ATA_PIO_SHT(DRV_NAME),
21405 -static struct ata_port_operations isapnp_port_ops = {
21406 +static const struct ata_port_operations isapnp_port_ops = {
21407 .inherits = &ata_sff_port_ops,
21408 .cable_detect = ata_cable_40wire,
21411 -static struct ata_port_operations isapnp_noalt_port_ops = {
21412 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21413 .inherits = &ata_sff_port_ops,
21414 .cable_detect = ata_cable_40wire,
21415 /* No altstatus so we don't want to use the lost interrupt poll */
21416 diff -urNp linux-2.6.38.1/drivers/ata/pata_it8213.c linux-2.6.38.1-new/drivers/ata/pata_it8213.c
21417 --- linux-2.6.38.1/drivers/ata/pata_it8213.c 2011-03-14 21:20:32.000000000 -0400
21418 +++ linux-2.6.38.1-new/drivers/ata/pata_it8213.c 2011-03-21 18:31:35.000000000 -0400
21419 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21423 -static struct ata_port_operations it8213_ops = {
21424 +static const struct ata_port_operations it8213_ops = {
21425 .inherits = &ata_bmdma_port_ops,
21426 .cable_detect = it8213_cable_detect,
21427 .set_piomode = it8213_set_piomode,
21428 diff -urNp linux-2.6.38.1/drivers/ata/pata_it821x.c linux-2.6.38.1-new/drivers/ata/pata_it821x.c
21429 --- linux-2.6.38.1/drivers/ata/pata_it821x.c 2011-03-14 21:20:32.000000000 -0400
21430 +++ linux-2.6.38.1-new/drivers/ata/pata_it821x.c 2011-03-21 18:31:35.000000000 -0400
21431 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21432 ATA_BMDMA_SHT(DRV_NAME),
21435 -static struct ata_port_operations it821x_smart_port_ops = {
21436 +static const struct ata_port_operations it821x_smart_port_ops = {
21437 .inherits = &ata_bmdma_port_ops,
21439 .check_atapi_dma= it821x_check_atapi_dma,
21440 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21441 .port_start = it821x_port_start,
21444 -static struct ata_port_operations it821x_passthru_port_ops = {
21445 +static const struct ata_port_operations it821x_passthru_port_ops = {
21446 .inherits = &ata_bmdma_port_ops,
21448 .check_atapi_dma= it821x_check_atapi_dma,
21449 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21450 .port_start = it821x_port_start,
21453 -static struct ata_port_operations it821x_rdc_port_ops = {
21454 +static const struct ata_port_operations it821x_rdc_port_ops = {
21455 .inherits = &ata_bmdma_port_ops,
21457 .check_atapi_dma= it821x_check_atapi_dma,
21458 diff -urNp linux-2.6.38.1/drivers/ata/pata_ixp4xx_cf.c linux-2.6.38.1-new/drivers/ata/pata_ixp4xx_cf.c
21459 --- linux-2.6.38.1/drivers/ata/pata_ixp4xx_cf.c 2011-03-14 21:20:32.000000000 -0400
21460 +++ linux-2.6.38.1-new/drivers/ata/pata_ixp4xx_cf.c 2011-03-21 18:31:35.000000000 -0400
21461 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21462 ATA_PIO_SHT(DRV_NAME),
21465 -static struct ata_port_operations ixp4xx_port_ops = {
21466 +static const struct ata_port_operations ixp4xx_port_ops = {
21467 .inherits = &ata_sff_port_ops,
21468 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21469 .cable_detect = ata_cable_40wire,
21470 diff -urNp linux-2.6.38.1/drivers/ata/pata_jmicron.c linux-2.6.38.1-new/drivers/ata/pata_jmicron.c
21471 --- linux-2.6.38.1/drivers/ata/pata_jmicron.c 2011-03-14 21:20:32.000000000 -0400
21472 +++ linux-2.6.38.1-new/drivers/ata/pata_jmicron.c 2011-03-21 18:31:35.000000000 -0400
21473 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21474 ATA_BMDMA_SHT(DRV_NAME),
21477 -static struct ata_port_operations jmicron_ops = {
21478 +static const struct ata_port_operations jmicron_ops = {
21479 .inherits = &ata_bmdma_port_ops,
21480 .prereset = jmicron_pre_reset,
21482 diff -urNp linux-2.6.38.1/drivers/ata/pata_legacy.c linux-2.6.38.1-new/drivers/ata/pata_legacy.c
21483 --- linux-2.6.38.1/drivers/ata/pata_legacy.c 2011-03-14 21:20:32.000000000 -0400
21484 +++ linux-2.6.38.1-new/drivers/ata/pata_legacy.c 2011-03-21 18:31:35.000000000 -0400
21485 @@ -116,7 +116,7 @@ struct legacy_probe {
21487 struct legacy_controller {
21489 - struct ata_port_operations *ops;
21490 + const struct ata_port_operations *ops;
21491 unsigned int pio_mask;
21492 unsigned int flags;
21493 unsigned int pflags;
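Review bot: The `ops` member now points at read-only tables, but `struct legacy_controller` itself remains a writable aggregate of function-pointer targets and flags, so a kernel write primitive can still redirect a port by swapping the `ops` pointer rather than the table it points to. If the `controllers[]` array that instantiates this struct is never written after initialisation (nothing in this hunk does, but the array is outside it), declare it `static const struct legacy_controller controllers[]` so the whole dispatch table lands in .rodata; if something does write it, note that next to the field. The struct definition continues past the end of the hunk.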
21494 @@ -239,12 +239,12 @@ static const struct ata_port_operations
21495 * pio_mask as well.
21498 -static struct ata_port_operations simple_port_ops = {
21499 +static const struct ata_port_operations simple_port_ops = {
21500 .inherits = &legacy_base_port_ops,
21501 .sff_data_xfer = ata_sff_data_xfer_noirq,
21504 -static struct ata_port_operations legacy_port_ops = {
21505 +static const struct ata_port_operations legacy_port_ops = {
21506 .inherits = &legacy_base_port_ops,
21507 .sff_data_xfer = ata_sff_data_xfer_noirq,
21508 .set_mode = legacy_set_mode,
21509 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
21513 -static struct ata_port_operations pdc20230_port_ops = {
21514 +static const struct ata_port_operations pdc20230_port_ops = {
21515 .inherits = &legacy_base_port_ops,
21516 .set_piomode = pdc20230_set_piomode,
21517 .sff_data_xfer = pdc_data_xfer_vlb,
21518 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
21519 ioread8(ap->ioaddr.status_addr);
21522 -static struct ata_port_operations ht6560a_port_ops = {
21523 +static const struct ata_port_operations ht6560a_port_ops = {
21524 .inherits = &legacy_base_port_ops,
21525 .set_piomode = ht6560a_set_piomode,
21527 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
21528 ioread8(ap->ioaddr.status_addr);
21531 -static struct ata_port_operations ht6560b_port_ops = {
21532 +static const struct ata_port_operations ht6560b_port_ops = {
21533 .inherits = &legacy_base_port_ops,
21534 .set_piomode = ht6560b_set_piomode,
21536 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
21540 -static struct ata_port_operations opti82c611a_port_ops = {
21541 +static const struct ata_port_operations opti82c611a_port_ops = {
21542 .inherits = &legacy_base_port_ops,
21543 .set_piomode = opti82c611a_set_piomode,
21545 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
21546 return ata_sff_qc_issue(qc);
21549 -static struct ata_port_operations opti82c46x_port_ops = {
21550 +static const struct ata_port_operations opti82c46x_port_ops = {
21551 .inherits = &legacy_base_port_ops,
21552 .set_piomode = opti82c46x_set_piomode,
21553 .qc_issue = opti82c46x_qc_issue,
21554 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
21558 -static struct ata_port_operations qdi6500_port_ops = {
21559 +static const struct ata_port_operations qdi6500_port_ops = {
21560 .inherits = &legacy_base_port_ops,
21561 .set_piomode = qdi6500_set_piomode,
21562 .qc_issue = qdi_qc_issue,
21563 .sff_data_xfer = vlb32_data_xfer,
21566 -static struct ata_port_operations qdi6580_port_ops = {
21567 +static const struct ata_port_operations qdi6580_port_ops = {
21568 .inherits = &legacy_base_port_ops,
21569 .set_piomode = qdi6580_set_piomode,
21570 .sff_data_xfer = vlb32_data_xfer,
21573 -static struct ata_port_operations qdi6580dp_port_ops = {
21574 +static const struct ata_port_operations qdi6580dp_port_ops = {
21575 .inherits = &legacy_base_port_ops,
21576 .set_piomode = qdi6580dp_set_piomode,
21577 .qc_issue = qdi_qc_issue,
21578 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
21582 -static struct ata_port_operations winbond_port_ops = {
21583 +static const struct ata_port_operations winbond_port_ops = {
21584 .inherits = &legacy_base_port_ops,
21585 .set_piomode = winbond_set_piomode,
21586 .sff_data_xfer = vlb32_data_xfer,
21587 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
21588 int pio_modes = controller->pio_mask;
21589 unsigned long io = probe->port;
21590 u32 mask = (1 << probe->slot);
21591 - struct ata_port_operations *ops = controller->ops;
21592 + const struct ata_port_operations *ops = controller->ops;
21593 struct legacy_data *ld = &legacy_data[probe->slot];
21594 struct ata_host *host = NULL;
21595 struct ata_port *ap;
21596 diff -urNp linux-2.6.38.1/drivers/ata/pata_macio.c linux-2.6.38.1-new/drivers/ata/pata_macio.c
21597 --- linux-2.6.38.1/drivers/ata/pata_macio.c 2011-03-14 21:20:32.000000000 -0400
21598 +++ linux-2.6.38.1-new/drivers/ata/pata_macio.c 2011-03-21 18:31:35.000000000 -0400
21599 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
21600 .slave_configure = pata_macio_slave_config,
21603 -static struct ata_port_operations pata_macio_ops = {
21604 +static const struct ata_port_operations pata_macio_ops = {
21605 .inherits = &ata_bmdma_port_ops,
21607 .freeze = pata_macio_freeze,
21608 .set_piomode = pata_macio_set_timings,
21609 .set_dmamode = pata_macio_set_timings,
21610 diff -urNp linux-2.6.38.1/drivers/ata/pata_marvell.c linux-2.6.38.1-new/drivers/ata/pata_marvell.c
21611 --- linux-2.6.38.1/drivers/ata/pata_marvell.c 2011-03-14 21:20:32.000000000 -0400
21612 +++ linux-2.6.38.1-new/drivers/ata/pata_marvell.c 2011-03-21 18:31:35.000000000 -0400
21613 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
21614 ATA_BMDMA_SHT(DRV_NAME),
21617 -static struct ata_port_operations marvell_ops = {
21618 +static const struct ata_port_operations marvell_ops = {
21619 .inherits = &ata_bmdma_port_ops,
21620 .cable_detect = marvell_cable_detect,
21621 .prereset = marvell_pre_reset,
21622 diff -urNp linux-2.6.38.1/drivers/ata/pata_mpc52xx.c linux-2.6.38.1-new/drivers/ata/pata_mpc52xx.c
21623 --- linux-2.6.38.1/drivers/ata/pata_mpc52xx.c 2011-03-14 21:20:32.000000000 -0400
21624 +++ linux-2.6.38.1-new/drivers/ata/pata_mpc52xx.c 2011-03-21 18:31:35.000000000 -0400
21625 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
21626 ATA_PIO_SHT(DRV_NAME),
21629 -static struct ata_port_operations mpc52xx_ata_port_ops = {
21630 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
21631 .inherits = &ata_bmdma_port_ops,
21632 .sff_dev_select = mpc52xx_ata_dev_select,
21633 .set_piomode = mpc52xx_ata_set_piomode,
21634 diff -urNp linux-2.6.38.1/drivers/ata/pata_mpiix.c linux-2.6.38.1-new/drivers/ata/pata_mpiix.c
21635 --- linux-2.6.38.1/drivers/ata/pata_mpiix.c 2011-03-14 21:20:32.000000000 -0400
21636 +++ linux-2.6.38.1-new/drivers/ata/pata_mpiix.c 2011-03-21 18:31:35.000000000 -0400
21637 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
21638 ATA_PIO_SHT(DRV_NAME),
21641 -static struct ata_port_operations mpiix_port_ops = {
21642 +static const struct ata_port_operations mpiix_port_ops = {
21643 .inherits = &ata_sff_port_ops,
21644 .qc_issue = mpiix_qc_issue,
21645 .cable_detect = ata_cable_40wire,
21646 diff -urNp linux-2.6.38.1/drivers/ata/pata_netcell.c linux-2.6.38.1-new/drivers/ata/pata_netcell.c
21647 --- linux-2.6.38.1/drivers/ata/pata_netcell.c 2011-03-14 21:20:32.000000000 -0400
21648 +++ linux-2.6.38.1-new/drivers/ata/pata_netcell.c 2011-03-21 18:31:35.000000000 -0400
21649 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
21650 ATA_BMDMA_SHT(DRV_NAME),
21653 -static struct ata_port_operations netcell_ops = {
21654 +static const struct ata_port_operations netcell_ops = {
21655 .inherits = &ata_bmdma_port_ops,
21656 .cable_detect = ata_cable_80wire,
21657 .read_id = netcell_read_id,
21658 diff -urNp linux-2.6.38.1/drivers/ata/pata_ninja32.c linux-2.6.38.1-new/drivers/ata/pata_ninja32.c
21659 --- linux-2.6.38.1/drivers/ata/pata_ninja32.c 2011-03-14 21:20:32.000000000 -0400
21660 +++ linux-2.6.38.1-new/drivers/ata/pata_ninja32.c 2011-03-21 18:31:35.000000000 -0400
21661 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
21662 ATA_BMDMA_SHT(DRV_NAME),
21665 -static struct ata_port_operations ninja32_port_ops = {
21666 +static const struct ata_port_operations ninja32_port_ops = {
21667 .inherits = &ata_bmdma_port_ops,
21668 .sff_dev_select = ninja32_dev_select,
21669 .cable_detect = ata_cable_40wire,
21670 diff -urNp linux-2.6.38.1/drivers/ata/pata_ns87410.c linux-2.6.38.1-new/drivers/ata/pata_ns87410.c
21671 --- linux-2.6.38.1/drivers/ata/pata_ns87410.c 2011-03-14 21:20:32.000000000 -0400
21672 +++ linux-2.6.38.1-new/drivers/ata/pata_ns87410.c 2011-03-21 18:31:35.000000000 -0400
21673 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
21674 ATA_PIO_SHT(DRV_NAME),
21677 -static struct ata_port_operations ns87410_port_ops = {
21678 +static const struct ata_port_operations ns87410_port_ops = {
21679 .inherits = &ata_sff_port_ops,
21680 .qc_issue = ns87410_qc_issue,
21681 .cable_detect = ata_cable_40wire,
21682 diff -urNp linux-2.6.38.1/drivers/ata/pata_ns87415.c linux-2.6.38.1-new/drivers/ata/pata_ns87415.c
21683 --- linux-2.6.38.1/drivers/ata/pata_ns87415.c 2011-03-14 21:20:32.000000000 -0400
21684 +++ linux-2.6.38.1-new/drivers/ata/pata_ns87415.c 2011-03-21 18:31:35.000000000 -0400
21685 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
21687 #endif /* 87560 SuperIO Support */
21689 -static struct ata_port_operations ns87415_pata_ops = {
21690 +static const struct ata_port_operations ns87415_pata_ops = {
21691 .inherits = &ata_bmdma_port_ops,
21693 .check_atapi_dma = ns87415_check_atapi_dma,
21694 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
21697 #if defined(CONFIG_SUPERIO)
21698 -static struct ata_port_operations ns87560_pata_ops = {
21699 +static const struct ata_port_operations ns87560_pata_ops = {
21700 .inherits = &ns87415_pata_ops,
21701 .sff_tf_read = ns87560_tf_read,
21702 .sff_check_status = ns87560_check_status,
21703 diff -urNp linux-2.6.38.1/drivers/ata/pata_octeon_cf.c linux-2.6.38.1-new/drivers/ata/pata_octeon_cf.c
21704 --- linux-2.6.38.1/drivers/ata/pata_octeon_cf.c 2011-03-14 21:20:32.000000000 -0400
21705 +++ linux-2.6.38.1-new/drivers/ata/pata_octeon_cf.c 2011-03-21 18:31:35.000000000 -0400
21706 @@ -780,7 +780,7 @@ static unsigned int octeon_cf_qc_issue(s
21710 -static struct ata_port_operations octeon_cf_ops = {
21711 +static struct ata_port_operations octeon_cf_ops = { /* cannot be const */
21712 .inherits = &ata_sff_port_ops,
21713 .check_atapi_dma = octeon_cf_check_atapi_dma,
21714 .qc_prep = ata_noop_qc_prep,
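Review bot: `/* cannot be const */` on octeon_cf_ops records the exception without the reason, which is exactly what the next constification sweep will need; presumably the probe routine patches bus-width-specific methods into this table at runtime, so name the writer: `/* cannot be const: octeon_cf_probe() installs bus-width specific methods at probe time */` (verify that is the actual writer). A writable table of function pointers is precisely what this patch exists to remove, so the better fix is two `static const` tables (one per bus width) with the probe code selecting a pointer, as pata_pcmcia does with its 8-bit variant. The rest of the initializer lies outside the hunk.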
21715 diff -urNp linux-2.6.38.1/drivers/ata/pata_oldpiix.c linux-2.6.38.1-new/drivers/ata/pata_oldpiix.c
21716 --- linux-2.6.38.1/drivers/ata/pata_oldpiix.c 2011-03-14 21:20:32.000000000 -0400
21717 +++ linux-2.6.38.1-new/drivers/ata/pata_oldpiix.c 2011-03-21 18:31:35.000000000 -0400
21718 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
21719 ATA_BMDMA_SHT(DRV_NAME),
21722 -static struct ata_port_operations oldpiix_pata_ops = {
21723 +static const struct ata_port_operations oldpiix_pata_ops = {
21724 .inherits = &ata_bmdma_port_ops,
21725 .qc_issue = oldpiix_qc_issue,
21726 .cable_detect = ata_cable_40wire,
21727 diff -urNp linux-2.6.38.1/drivers/ata/pata_opti.c linux-2.6.38.1-new/drivers/ata/pata_opti.c
21728 --- linux-2.6.38.1/drivers/ata/pata_opti.c 2011-03-14 21:20:32.000000000 -0400
21729 +++ linux-2.6.38.1-new/drivers/ata/pata_opti.c 2011-03-21 18:31:35.000000000 -0400
21730 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
21731 ATA_PIO_SHT(DRV_NAME),
21734 -static struct ata_port_operations opti_port_ops = {
21735 +static const struct ata_port_operations opti_port_ops = {
21736 .inherits = &ata_sff_port_ops,
21737 .cable_detect = ata_cable_40wire,
21738 .set_piomode = opti_set_piomode,
21739 diff -urNp linux-2.6.38.1/drivers/ata/pata_optidma.c linux-2.6.38.1-new/drivers/ata/pata_optidma.c
21740 --- linux-2.6.38.1/drivers/ata/pata_optidma.c 2011-03-14 21:20:32.000000000 -0400
21741 +++ linux-2.6.38.1-new/drivers/ata/pata_optidma.c 2011-03-21 18:31:35.000000000 -0400
21742 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
21743 ATA_BMDMA_SHT(DRV_NAME),
21746 -static struct ata_port_operations optidma_port_ops = {
21747 +static const struct ata_port_operations optidma_port_ops = {
21748 .inherits = &ata_bmdma_port_ops,
21749 .cable_detect = ata_cable_40wire,
21750 .set_piomode = optidma_set_pio_mode,
21751 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
21752 .prereset = optidma_pre_reset,
21755 -static struct ata_port_operations optiplus_port_ops = {
21756 +static const struct ata_port_operations optiplus_port_ops = {
21757 .inherits = &optidma_port_ops,
21758 .set_piomode = optiplus_set_pio_mode,
21759 .set_dmamode = optiplus_set_dma_mode,
21760 diff -urNp linux-2.6.38.1/drivers/ata/pata_palmld.c linux-2.6.38.1-new/drivers/ata/pata_palmld.c
21761 --- linux-2.6.38.1/drivers/ata/pata_palmld.c 2011-03-14 21:20:32.000000000 -0400
21762 +++ linux-2.6.38.1-new/drivers/ata/pata_palmld.c 2011-03-21 18:31:35.000000000 -0400
21763 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
21764 ATA_PIO_SHT(DRV_NAME),
21767 -static struct ata_port_operations palmld_port_ops = {
21768 +static const struct ata_port_operations palmld_port_ops = {
21769 .inherits = &ata_sff_port_ops,
21770 .sff_data_xfer = ata_sff_data_xfer_noirq,
21771 .cable_detect = ata_cable_40wire,
21772 diff -urNp linux-2.6.38.1/drivers/ata/pata_pcmcia.c linux-2.6.38.1-new/drivers/ata/pata_pcmcia.c
21773 --- linux-2.6.38.1/drivers/ata/pata_pcmcia.c 2011-03-14 21:20:32.000000000 -0400
21774 +++ linux-2.6.38.1-new/drivers/ata/pata_pcmcia.c 2011-03-21 18:31:35.000000000 -0400
21775 @@ -151,14 +151,14 @@ static struct scsi_host_template pcmcia_
21776 ATA_PIO_SHT(DRV_NAME),
21779 -static struct ata_port_operations pcmcia_port_ops = {
21780 +static const struct ata_port_operations pcmcia_port_ops = {
21781 .inherits = &ata_sff_port_ops,
21782 .sff_data_xfer = ata_sff_data_xfer_noirq,
21783 .cable_detect = ata_cable_40wire,
21784 .set_mode = pcmcia_set_mode,
21787 -static struct ata_port_operations pcmcia_8bit_port_ops = {
21788 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
21789 .inherits = &ata_sff_port_ops,
21790 .sff_data_xfer = ata_data_xfer_8bit,
21791 .cable_detect = ata_cable_40wire,
21792 @@ -205,7 +205,7 @@ static int pcmcia_init_one(struct pcmcia
21793 unsigned long io_base, ctl_base;
21794 void __iomem *io_addr, *ctl_addr;
21796 - struct ata_port_operations *ops = &pcmcia_port_ops;
21797 + const struct ata_port_operations *ops = &pcmcia_port_ops;
21799 /* Set up attributes in order to probe card and get resources */
21800 pdev->config_flags |= CONF_ENABLE_IRQ | CONF_AUTO_SET_IO |
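Review bot: The local `ops` is now a pointer to const, but it is later stored into the port (`ap->ops = ops`, below this hunk), so this compiles without discarding a qualifier only if `struct ata_port::ops` in include/linux/libata.h is also `const struct ata_port_operations *` in this patch; otherwise the const on the local buys nothing and the warning will be the only hint. That header change is not in this chunk, so confirm it is present. pcmcia_init_one() starts before and continues past the hunk.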
21801 diff -urNp linux-2.6.38.1/drivers/ata/pata_pdc2027x.c linux-2.6.38.1-new/drivers/ata/pata_pdc2027x.c
21802 --- linux-2.6.38.1/drivers/ata/pata_pdc2027x.c 2011-03-14 21:20:32.000000000 -0400
21803 +++ linux-2.6.38.1-new/drivers/ata/pata_pdc2027x.c 2011-03-21 18:31:35.000000000 -0400
21804 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
21805 ATA_BMDMA_SHT(DRV_NAME),
21808 -static struct ata_port_operations pdc2027x_pata100_ops = {
21809 +static const struct ata_port_operations pdc2027x_pata100_ops = {
21810 .inherits = &ata_bmdma_port_ops,
21811 .check_atapi_dma = pdc2027x_check_atapi_dma,
21812 .cable_detect = pdc2027x_cable_detect,
21813 .prereset = pdc2027x_prereset,
21816 -static struct ata_port_operations pdc2027x_pata133_ops = {
21817 +static const struct ata_port_operations pdc2027x_pata133_ops = {
21818 .inherits = &pdc2027x_pata100_ops,
21819 .mode_filter = pdc2027x_mode_filter,
21820 .set_piomode = pdc2027x_set_piomode,
21821 diff -urNp linux-2.6.38.1/drivers/ata/pata_pdc202xx_old.c linux-2.6.38.1-new/drivers/ata/pata_pdc202xx_old.c
21822 --- linux-2.6.38.1/drivers/ata/pata_pdc202xx_old.c 2011-03-14 21:20:32.000000000 -0400
21823 +++ linux-2.6.38.1-new/drivers/ata/pata_pdc202xx_old.c 2011-03-21 18:31:35.000000000 -0400
21824 @@ -295,7 +295,7 @@ static struct scsi_host_template pdc202x
21825 ATA_BMDMA_SHT(DRV_NAME),
21828 -static struct ata_port_operations pdc2024x_port_ops = {
21829 +static const struct ata_port_operations pdc2024x_port_ops = {
21830 .inherits = &ata_bmdma_port_ops,
21832 .cable_detect = ata_cable_40wire,
21833 @@ -306,7 +306,7 @@ static struct ata_port_operations pdc202
21834 .sff_irq_check = pdc202xx_irq_check,
21837 -static struct ata_port_operations pdc2026x_port_ops = {
21838 +static const struct ata_port_operations pdc2026x_port_ops = {
21839 .inherits = &pdc2024x_port_ops,
21841 .check_atapi_dma = pdc2026x_check_atapi_dma,
21842 diff -urNp linux-2.6.38.1/drivers/ata/pata_piccolo.c linux-2.6.38.1-new/drivers/ata/pata_piccolo.c
21843 --- linux-2.6.38.1/drivers/ata/pata_piccolo.c 2011-03-14 21:20:32.000000000 -0400
21844 +++ linux-2.6.38.1-new/drivers/ata/pata_piccolo.c 2011-03-21 18:31:35.000000000 -0400
21845 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
21846 ATA_BMDMA_SHT(DRV_NAME),
21849 -static struct ata_port_operations tosh_port_ops = {
21850 +static const struct ata_port_operations tosh_port_ops = {
21851 .inherits = &ata_bmdma_port_ops,
21852 .cable_detect = ata_cable_unknown,
21853 .set_piomode = tosh_set_piomode,
21854 diff -urNp linux-2.6.38.1/drivers/ata/pata_platform.c linux-2.6.38.1-new/drivers/ata/pata_platform.c
21855 --- linux-2.6.38.1/drivers/ata/pata_platform.c 2011-03-14 21:20:32.000000000 -0400
21856 +++ linux-2.6.38.1-new/drivers/ata/pata_platform.c 2011-03-21 18:31:35.000000000 -0400
21857 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
21858 ATA_PIO_SHT(DRV_NAME),
21861 -static struct ata_port_operations pata_platform_port_ops = {
21862 +static const struct ata_port_operations pata_platform_port_ops = {
21863 .inherits = &ata_sff_port_ops,
21864 .sff_data_xfer = ata_sff_data_xfer_noirq,
21865 .cable_detect = ata_cable_unknown,
21866 diff -urNp linux-2.6.38.1/drivers/ata/pata_pxa.c linux-2.6.38.1-new/drivers/ata/pata_pxa.c
21867 --- linux-2.6.38.1/drivers/ata/pata_pxa.c 2011-03-14 21:20:32.000000000 -0400
21868 +++ linux-2.6.38.1-new/drivers/ata/pata_pxa.c 2011-03-21 18:31:35.000000000 -0400
21869 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
21870 ATA_BMDMA_SHT(DRV_NAME),
21873 -static struct ata_port_operations pxa_ata_port_ops = {
21874 +static const struct ata_port_operations pxa_ata_port_ops = {
21875 .inherits = &ata_bmdma_port_ops,
21876 .cable_detect = ata_cable_40wire,
21878 diff -urNp linux-2.6.38.1/drivers/ata/pata_qdi.c linux-2.6.38.1-new/drivers/ata/pata_qdi.c
21879 --- linux-2.6.38.1/drivers/ata/pata_qdi.c 2011-03-14 21:20:32.000000000 -0400
21880 +++ linux-2.6.38.1-new/drivers/ata/pata_qdi.c 2011-03-21 18:31:35.000000000 -0400
21881 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
21882 ATA_PIO_SHT(DRV_NAME),
21885 -static struct ata_port_operations qdi6500_port_ops = {
21886 +static const struct ata_port_operations qdi6500_port_ops = {
21887 .inherits = &ata_sff_port_ops,
21888 .qc_issue = qdi_qc_issue,
21889 .sff_data_xfer = qdi_data_xfer,
21890 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
21891 .set_piomode = qdi6500_set_piomode,
21894 -static struct ata_port_operations qdi6580_port_ops = {
21895 +static const struct ata_port_operations qdi6580_port_ops = {
21896 .inherits = &qdi6500_port_ops,
21897 .set_piomode = qdi6580_set_piomode,
21899 diff -urNp linux-2.6.38.1/drivers/ata/pata_radisys.c linux-2.6.38.1-new/drivers/ata/pata_radisys.c
21900 --- linux-2.6.38.1/drivers/ata/pata_radisys.c 2011-03-14 21:20:32.000000000 -0400
21901 +++ linux-2.6.38.1-new/drivers/ata/pata_radisys.c 2011-03-21 18:31:35.000000000 -0400
21902 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
21903 ATA_BMDMA_SHT(DRV_NAME),
21906 -static struct ata_port_operations radisys_pata_ops = {
21907 +static const struct ata_port_operations radisys_pata_ops = {
21908 .inherits = &ata_bmdma_port_ops,
21909 .qc_issue = radisys_qc_issue,
21910 .cable_detect = ata_cable_unknown,
21911 diff -urNp linux-2.6.38.1/drivers/ata/pata_rb532_cf.c linux-2.6.38.1-new/drivers/ata/pata_rb532_cf.c
21912 --- linux-2.6.38.1/drivers/ata/pata_rb532_cf.c 2011-03-14 21:20:32.000000000 -0400
21913 +++ linux-2.6.38.1-new/drivers/ata/pata_rb532_cf.c 2011-03-21 18:31:35.000000000 -0400
21914 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
21915 return IRQ_HANDLED;
21918 -static struct ata_port_operations rb532_pata_port_ops = {
21919 +static const struct ata_port_operations rb532_pata_port_ops = {
21920 .inherits = &ata_sff_port_ops,
21921 .sff_data_xfer = ata_sff_data_xfer32,
21923 diff -urNp linux-2.6.38.1/drivers/ata/pata_rdc.c linux-2.6.38.1-new/drivers/ata/pata_rdc.c
21924 --- linux-2.6.38.1/drivers/ata/pata_rdc.c 2011-03-14 21:20:32.000000000 -0400
21925 +++ linux-2.6.38.1-new/drivers/ata/pata_rdc.c 2011-03-21 18:31:35.000000000 -0400
21926 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
21927 pci_write_config_byte(dev, 0x48, udma_enable);
21930 -static struct ata_port_operations rdc_pata_ops = {
21931 +static const struct ata_port_operations rdc_pata_ops = {
21932 .inherits = &ata_bmdma32_port_ops,
21933 .cable_detect = rdc_pata_cable_detect,
21934 .set_piomode = rdc_set_piomode,
21935 diff -urNp linux-2.6.38.1/drivers/ata/pata_rz1000.c linux-2.6.38.1-new/drivers/ata/pata_rz1000.c
21936 --- linux-2.6.38.1/drivers/ata/pata_rz1000.c 2011-03-14 21:20:32.000000000 -0400
21937 +++ linux-2.6.38.1-new/drivers/ata/pata_rz1000.c 2011-03-21 18:31:35.000000000 -0400
21938 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
21939 ATA_PIO_SHT(DRV_NAME),
21942 -static struct ata_port_operations rz1000_port_ops = {
21943 +static const struct ata_port_operations rz1000_port_ops = {
21944 .inherits = &ata_sff_port_ops,
21945 .cable_detect = ata_cable_40wire,
21946 .set_mode = rz1000_set_mode,
21947 diff -urNp linux-2.6.38.1/drivers/ata/pata_samsung_cf.c linux-2.6.38.1-new/drivers/ata/pata_samsung_cf.c
21948 --- linux-2.6.38.1/drivers/ata/pata_samsung_cf.c 2011-03-14 21:20:32.000000000 -0400
21949 +++ linux-2.6.38.1-new/drivers/ata/pata_samsung_cf.c 2011-03-21 18:31:35.000000000 -0400
21950 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
21951 ATA_PIO_SHT(DRV_NAME),
21954 -static struct ata_port_operations pata_s3c_port_ops = {
21955 +static const struct ata_port_operations pata_s3c_port_ops = {
21956 .inherits = &ata_sff_port_ops,
21957 .sff_check_status = pata_s3c_check_status,
21958 .sff_check_altstatus = pata_s3c_check_altstatus,
21959 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
21960 .set_piomode = pata_s3c_set_piomode,
21963 -static struct ata_port_operations pata_s5p_port_ops = {
21964 +static const struct ata_port_operations pata_s5p_port_ops = {
21965 .inherits = &ata_sff_port_ops,
21966 .set_piomode = pata_s3c_set_piomode,
21968 diff -urNp linux-2.6.38.1/drivers/ata/pata_sc1200.c linux-2.6.38.1-new/drivers/ata/pata_sc1200.c
21969 --- linux-2.6.38.1/drivers/ata/pata_sc1200.c 2011-03-14 21:20:32.000000000 -0400
21970 +++ linux-2.6.38.1-new/drivers/ata/pata_sc1200.c 2011-03-21 18:31:35.000000000 -0400
21971 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
21972 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21975 -static struct ata_port_operations sc1200_port_ops = {
21976 +static const struct ata_port_operations sc1200_port_ops = {
21977 .inherits = &ata_bmdma_port_ops,
21978 .qc_prep = ata_bmdma_dumb_qc_prep,
21979 .qc_issue = sc1200_qc_issue,
21980 diff -urNp linux-2.6.38.1/drivers/ata/pata_scc.c linux-2.6.38.1-new/drivers/ata/pata_scc.c
21981 --- linux-2.6.38.1/drivers/ata/pata_scc.c 2011-03-14 21:20:32.000000000 -0400
21982 +++ linux-2.6.38.1-new/drivers/ata/pata_scc.c 2011-03-21 18:31:35.000000000 -0400
21983 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
21984 ATA_BMDMA_SHT(DRV_NAME),
21987 -static struct ata_port_operations scc_pata_ops = {
21988 +static const struct ata_port_operations scc_pata_ops = {
21989 .inherits = &ata_bmdma_port_ops,
21991 .set_piomode = scc_set_piomode,
21992 diff -urNp linux-2.6.38.1/drivers/ata/pata_sch.c linux-2.6.38.1-new/drivers/ata/pata_sch.c
21993 --- linux-2.6.38.1/drivers/ata/pata_sch.c 2011-03-14 21:20:32.000000000 -0400
21994 +++ linux-2.6.38.1-new/drivers/ata/pata_sch.c 2011-03-21 18:31:35.000000000 -0400
21995 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
21996 ATA_BMDMA_SHT(DRV_NAME),
21999 -static struct ata_port_operations sch_pata_ops = {
22000 +static const struct ata_port_operations sch_pata_ops = {
22001 .inherits = &ata_bmdma_port_ops,
22002 .cable_detect = ata_cable_unknown,
22003 .set_piomode = sch_set_piomode,
22004 diff -urNp linux-2.6.38.1/drivers/ata/pata_serverworks.c linux-2.6.38.1-new/drivers/ata/pata_serverworks.c
22005 --- linux-2.6.38.1/drivers/ata/pata_serverworks.c 2011-03-14 21:20:32.000000000 -0400
22006 +++ linux-2.6.38.1-new/drivers/ata/pata_serverworks.c 2011-03-21 18:31:35.000000000 -0400
22007 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22008 ATA_BMDMA_SHT(DRV_NAME),
22011 -static struct ata_port_operations serverworks_osb4_port_ops = {
22012 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22013 .inherits = &ata_bmdma_port_ops,
22014 .cable_detect = serverworks_cable_detect,
22015 .mode_filter = serverworks_osb4_filter,
22016 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22017 .set_dmamode = serverworks_set_dmamode,
22020 -static struct ata_port_operations serverworks_csb_port_ops = {
22021 +static const struct ata_port_operations serverworks_csb_port_ops = {
22022 .inherits = &serverworks_osb4_port_ops,
22023 .mode_filter = serverworks_csb_filter,
22025 diff -urNp linux-2.6.38.1/drivers/ata/pata_sil680.c linux-2.6.38.1-new/drivers/ata/pata_sil680.c
22026 --- linux-2.6.38.1/drivers/ata/pata_sil680.c 2011-03-14 21:20:32.000000000 -0400
22027 +++ linux-2.6.38.1-new/drivers/ata/pata_sil680.c 2011-03-21 18:31:35.000000000 -0400
22028 @@ -225,8 +225,7 @@ static struct scsi_host_template sil680_
22029 ATA_BMDMA_SHT(DRV_NAME),
22033 -static struct ata_port_operations sil680_port_ops = {
22034 +static const struct ata_port_operations sil680_port_ops = {
22035 .inherits = &ata_bmdma32_port_ops,
22036 .sff_exec_command = sil680_sff_exec_command,
22037 .sff_irq_check = sil680_sff_irq_check,
22038 diff -urNp linux-2.6.38.1/drivers/ata/pata_sis.c linux-2.6.38.1-new/drivers/ata/pata_sis.c
22039 --- linux-2.6.38.1/drivers/ata/pata_sis.c 2011-03-14 21:20:32.000000000 -0400
22040 +++ linux-2.6.38.1-new/drivers/ata/pata_sis.c 2011-03-21 18:31:35.000000000 -0400
22041 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22042 ATA_BMDMA_SHT(DRV_NAME),
22045 -static struct ata_port_operations sis_133_for_sata_ops = {
22046 +static const struct ata_port_operations sis_133_for_sata_ops = {
22047 .inherits = &ata_bmdma_port_ops,
22048 .set_piomode = sis_133_set_piomode,
22049 .set_dmamode = sis_133_set_dmamode,
22050 .cable_detect = sis_133_cable_detect,
22053 -static struct ata_port_operations sis_base_ops = {
22054 +static const struct ata_port_operations sis_base_ops = {
22055 .inherits = &ata_bmdma_port_ops,
22056 .prereset = sis_pre_reset,
22059 -static struct ata_port_operations sis_133_ops = {
22060 +static const struct ata_port_operations sis_133_ops = {
22061 .inherits = &sis_base_ops,
22062 .set_piomode = sis_133_set_piomode,
22063 .set_dmamode = sis_133_set_dmamode,
22064 .cable_detect = sis_133_cable_detect,
22067 -static struct ata_port_operations sis_133_early_ops = {
22068 +static const struct ata_port_operations sis_133_early_ops = {
22069 .inherits = &sis_base_ops,
22070 .set_piomode = sis_100_set_piomode,
22071 .set_dmamode = sis_133_early_set_dmamode,
22072 .cable_detect = sis_66_cable_detect,
22075 -static struct ata_port_operations sis_100_ops = {
22076 +static const struct ata_port_operations sis_100_ops = {
22077 .inherits = &sis_base_ops,
22078 .set_piomode = sis_100_set_piomode,
22079 .set_dmamode = sis_100_set_dmamode,
22080 .cable_detect = sis_66_cable_detect,
22083 -static struct ata_port_operations sis_66_ops = {
22084 +static const struct ata_port_operations sis_66_ops = {
22085 .inherits = &sis_base_ops,
22086 .set_piomode = sis_old_set_piomode,
22087 .set_dmamode = sis_66_set_dmamode,
22088 .cable_detect = sis_66_cable_detect,
22091 -static struct ata_port_operations sis_old_ops = {
22092 +static const struct ata_port_operations sis_old_ops = {
22093 .inherits = &sis_base_ops,
22094 .set_piomode = sis_old_set_piomode,
22095 .set_dmamode = sis_old_set_dmamode,
22096 diff -urNp linux-2.6.38.1/drivers/ata/pata_sl82c105.c linux-2.6.38.1-new/drivers/ata/pata_sl82c105.c
22097 --- linux-2.6.38.1/drivers/ata/pata_sl82c105.c 2011-03-14 21:20:32.000000000 -0400
22098 +++ linux-2.6.38.1-new/drivers/ata/pata_sl82c105.c 2011-03-21 18:31:35.000000000 -0400
22099 @@ -241,7 +241,7 @@ static struct scsi_host_template sl82c10
22100 ATA_BMDMA_SHT(DRV_NAME),
22103 -static struct ata_port_operations sl82c105_port_ops = {
22104 +static const struct ata_port_operations sl82c105_port_ops = {
22105 .inherits = &ata_bmdma_port_ops,
22106 .qc_defer = sl82c105_qc_defer,
22107 .bmdma_start = sl82c105_bmdma_start,
22108 diff -urNp linux-2.6.38.1/drivers/ata/pata_triflex.c linux-2.6.38.1-new/drivers/ata/pata_triflex.c
22109 --- linux-2.6.38.1/drivers/ata/pata_triflex.c 2011-03-14 21:20:32.000000000 -0400
22110 +++ linux-2.6.38.1-new/drivers/ata/pata_triflex.c 2011-03-21 18:31:35.000000000 -0400
22111 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22112 ATA_BMDMA_SHT(DRV_NAME),
22115 -static struct ata_port_operations triflex_port_ops = {
22116 +static const struct ata_port_operations triflex_port_ops = {
22117 .inherits = &ata_bmdma_port_ops,
22118 .bmdma_start = triflex_bmdma_start,
22119 .bmdma_stop = triflex_bmdma_stop,
22120 diff -urNp linux-2.6.38.1/drivers/ata/pata_via.c linux-2.6.38.1-new/drivers/ata/pata_via.c
22121 --- linux-2.6.38.1/drivers/ata/pata_via.c 2011-03-14 21:20:32.000000000 -0400
22122 +++ linux-2.6.38.1-new/drivers/ata/pata_via.c 2011-03-21 18:31:35.000000000 -0400
22123 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22124 ATA_BMDMA_SHT(DRV_NAME),
22127 -static struct ata_port_operations via_port_ops = {
22128 +static const struct ata_port_operations via_port_ops = {
22129 .inherits = &ata_bmdma_port_ops,
22130 .cable_detect = via_cable_detect,
22131 .set_piomode = via_set_piomode,
22132 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22133 .mode_filter = via_mode_filter,
22136 -static struct ata_port_operations via_port_ops_noirq = {
22137 +static const struct ata_port_operations via_port_ops_noirq = {
22138 .inherits = &via_port_ops,
22139 .sff_data_xfer = ata_sff_data_xfer_noirq,
22141 diff -urNp linux-2.6.38.1/drivers/ata/pdc_adma.c linux-2.6.38.1-new/drivers/ata/pdc_adma.c
22142 --- linux-2.6.38.1/drivers/ata/pdc_adma.c 2011-03-14 21:20:32.000000000 -0400
22143 +++ linux-2.6.38.1-new/drivers/ata/pdc_adma.c 2011-03-21 18:31:35.000000000 -0400
22144 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22145 .dma_boundary = ADMA_DMA_BOUNDARY,
22148 -static struct ata_port_operations adma_ata_ops = {
22149 +static const struct ata_port_operations adma_ata_ops = {
22150 .inherits = &ata_sff_port_ops,
22152 .lost_interrupt = ATA_OP_NULL,
22153 diff -urNp linux-2.6.38.1/drivers/ata/sata_dwc_460ex.c linux-2.6.38.1-new/drivers/ata/sata_dwc_460ex.c
22154 --- linux-2.6.38.1/drivers/ata/sata_dwc_460ex.c 2011-03-14 21:20:32.000000000 -0400
22155 +++ linux-2.6.38.1-new/drivers/ata/sata_dwc_460ex.c 2011-03-21 18:31:35.000000000 -0400
22156 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
22157 .dma_boundary = ATA_DMA_BOUNDARY,
22160 -static struct ata_port_operations sata_dwc_ops = {
22161 +static const struct ata_port_operations sata_dwc_ops = {
22162 .inherits = &ata_sff_port_ops,
22164 .error_handler = sata_dwc_error_handler,
22165 diff -urNp linux-2.6.38.1/drivers/ata/sata_fsl.c linux-2.6.38.1-new/drivers/ata/sata_fsl.c
22166 --- linux-2.6.38.1/drivers/ata/sata_fsl.c 2011-03-14 21:20:32.000000000 -0400
22167 +++ linux-2.6.38.1-new/drivers/ata/sata_fsl.c 2011-03-21 18:31:35.000000000 -0400
22168 @@ -1258,7 +1258,7 @@ static struct scsi_host_template sata_fs
22169 .dma_boundary = ATA_DMA_BOUNDARY,
22172 -static struct ata_port_operations sata_fsl_ops = {
22173 +static const struct ata_port_operations sata_fsl_ops = {
22174 .inherits = &sata_pmp_port_ops,
22176 .qc_defer = ata_std_qc_defer,
22177 diff -urNp linux-2.6.38.1/drivers/ata/sata_inic162x.c linux-2.6.38.1-new/drivers/ata/sata_inic162x.c
22178 --- linux-2.6.38.1/drivers/ata/sata_inic162x.c 2011-03-14 21:20:32.000000000 -0400
22179 +++ linux-2.6.38.1-new/drivers/ata/sata_inic162x.c 2011-03-21 18:31:35.000000000 -0400
22180 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22184 -static struct ata_port_operations inic_port_ops = {
22185 +static const struct ata_port_operations inic_port_ops = {
22186 .inherits = &sata_port_ops,
22188 .check_atapi_dma = inic_check_atapi_dma,
22189 diff -urNp linux-2.6.38.1/drivers/ata/sata_mv.c linux-2.6.38.1-new/drivers/ata/sata_mv.c
22190 --- linux-2.6.38.1/drivers/ata/sata_mv.c 2011-03-14 21:20:32.000000000 -0400
22191 +++ linux-2.6.38.1-new/drivers/ata/sata_mv.c 2011-03-21 18:31:35.000000000 -0400
22192 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22193 .dma_boundary = MV_DMA_BOUNDARY,
22196 -static struct ata_port_operations mv5_ops = {
22197 +static const struct ata_port_operations mv5_ops = {
22198 .inherits = &ata_sff_port_ops,
22200 .lost_interrupt = ATA_OP_NULL,
22201 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22202 .port_stop = mv_port_stop,
22205 -static struct ata_port_operations mv6_ops = {
22206 +static const struct ata_port_operations mv6_ops = {
22207 .inherits = &ata_bmdma_port_ops,
22209 .lost_interrupt = ATA_OP_NULL,
22210 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22211 .port_stop = mv_port_stop,
22214 -static struct ata_port_operations mv_iie_ops = {
22215 +static const struct ata_port_operations mv_iie_ops = {
22216 .inherits = &mv6_ops,
22217 .dev_config = ATA_OP_NULL,
22218 .qc_prep = mv_qc_prep_iie,
22219 diff -urNp linux-2.6.38.1/drivers/ata/sata_nv.c linux-2.6.38.1-new/drivers/ata/sata_nv.c
22220 --- linux-2.6.38.1/drivers/ata/sata_nv.c 2011-03-14 21:20:32.000000000 -0400
22221 +++ linux-2.6.38.1-new/drivers/ata/sata_nv.c 2011-03-21 18:31:35.000000000 -0400
22222 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22223 * cases. Define nv_hardreset() which only kicks in for post-boot
22224 * probing and use it for all variants.
22226 -static struct ata_port_operations nv_generic_ops = {
22227 +static const struct ata_port_operations nv_generic_ops = {
22228 .inherits = &ata_bmdma_port_ops,
22229 .lost_interrupt = ATA_OP_NULL,
22230 .scr_read = nv_scr_read,
22231 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22232 .hardreset = nv_hardreset,
22235 -static struct ata_port_operations nv_nf2_ops = {
22236 +static const struct ata_port_operations nv_nf2_ops = {
22237 .inherits = &nv_generic_ops,
22238 .freeze = nv_nf2_freeze,
22239 .thaw = nv_nf2_thaw,
22242 -static struct ata_port_operations nv_ck804_ops = {
22243 +static const struct ata_port_operations nv_ck804_ops = {
22244 .inherits = &nv_generic_ops,
22245 .freeze = nv_ck804_freeze,
22246 .thaw = nv_ck804_thaw,
22247 .host_stop = nv_ck804_host_stop,
22250 -static struct ata_port_operations nv_adma_ops = {
22251 +static const struct ata_port_operations nv_adma_ops = {
22252 .inherits = &nv_ck804_ops,
22254 .check_atapi_dma = nv_adma_check_atapi_dma,
22255 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22256 .host_stop = nv_adma_host_stop,
22259 -static struct ata_port_operations nv_swncq_ops = {
22260 +static const struct ata_port_operations nv_swncq_ops = {
22261 .inherits = &nv_generic_ops,
22263 .qc_defer = ata_std_qc_defer,
22264 diff -urNp linux-2.6.38.1/drivers/ata/sata_promise.c linux-2.6.38.1-new/drivers/ata/sata_promise.c
22265 --- linux-2.6.38.1/drivers/ata/sata_promise.c 2011-03-14 21:20:32.000000000 -0400
22266 +++ linux-2.6.38.1-new/drivers/ata/sata_promise.c 2011-03-21 18:31:35.000000000 -0400
22267 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22268 .error_handler = pdc_error_handler,
22271 -static struct ata_port_operations pdc_sata_ops = {
22272 +static const struct ata_port_operations pdc_sata_ops = {
22273 .inherits = &pdc_common_ops,
22274 .cable_detect = pdc_sata_cable_detect,
22275 .freeze = pdc_sata_freeze,
22276 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22278 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22279 and ->freeze/thaw that ignore the hotplug controls. */
22280 -static struct ata_port_operations pdc_old_sata_ops = {
22281 +static const struct ata_port_operations pdc_old_sata_ops = {
22282 .inherits = &pdc_sata_ops,
22283 .freeze = pdc_freeze,
22285 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22288 -static struct ata_port_operations pdc_pata_ops = {
22289 +static const struct ata_port_operations pdc_pata_ops = {
22290 .inherits = &pdc_common_ops,
22291 .cable_detect = pdc_pata_cable_detect,
22292 .freeze = pdc_freeze,
22293 diff -urNp linux-2.6.38.1/drivers/ata/sata_qstor.c linux-2.6.38.1-new/drivers/ata/sata_qstor.c
22294 --- linux-2.6.38.1/drivers/ata/sata_qstor.c 2011-03-14 21:20:32.000000000 -0400
22295 +++ linux-2.6.38.1-new/drivers/ata/sata_qstor.c 2011-03-21 18:31:35.000000000 -0400
22296 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22297 .dma_boundary = QS_DMA_BOUNDARY,
22300 -static struct ata_port_operations qs_ata_ops = {
22301 +static const struct ata_port_operations qs_ata_ops = {
22302 .inherits = &ata_sff_port_ops,
22304 .check_atapi_dma = qs_check_atapi_dma,
22305 diff -urNp linux-2.6.38.1/drivers/ata/sata_sil24.c linux-2.6.38.1-new/drivers/ata/sata_sil24.c
22306 --- linux-2.6.38.1/drivers/ata/sata_sil24.c 2011-03-14 21:20:32.000000000 -0400
22307 +++ linux-2.6.38.1-new/drivers/ata/sata_sil24.c 2011-03-21 18:31:35.000000000 -0400
22308 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22309 .dma_boundary = ATA_DMA_BOUNDARY,
22312 -static struct ata_port_operations sil24_ops = {
22313 +static const struct ata_port_operations sil24_ops = {
22314 .inherits = &sata_pmp_port_ops,
22316 .qc_defer = sil24_qc_defer,
22317 diff -urNp linux-2.6.38.1/drivers/ata/sata_sil.c linux-2.6.38.1-new/drivers/ata/sata_sil.c
22318 --- linux-2.6.38.1/drivers/ata/sata_sil.c 2011-03-14 21:20:32.000000000 -0400
22319 +++ linux-2.6.38.1-new/drivers/ata/sata_sil.c 2011-03-21 18:31:35.000000000 -0400
22320 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22321 .sg_tablesize = ATA_MAX_PRD
22324 -static struct ata_port_operations sil_ops = {
22325 +static const struct ata_port_operations sil_ops = {
22326 .inherits = &ata_bmdma32_port_ops,
22327 .dev_config = sil_dev_config,
22328 .set_mode = sil_set_mode,
22329 diff -urNp linux-2.6.38.1/drivers/ata/sata_sis.c linux-2.6.38.1-new/drivers/ata/sata_sis.c
22330 --- linux-2.6.38.1/drivers/ata/sata_sis.c 2011-03-14 21:20:32.000000000 -0400
22331 +++ linux-2.6.38.1-new/drivers/ata/sata_sis.c 2011-03-21 18:31:35.000000000 -0400
22332 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22333 ATA_BMDMA_SHT(DRV_NAME),
22336 -static struct ata_port_operations sis_ops = {
22337 +static const struct ata_port_operations sis_ops = {
22338 .inherits = &ata_bmdma_port_ops,
22339 .scr_read = sis_scr_read,
22340 .scr_write = sis_scr_write,
22341 diff -urNp linux-2.6.38.1/drivers/ata/sata_svw.c linux-2.6.38.1-new/drivers/ata/sata_svw.c
22342 --- linux-2.6.38.1/drivers/ata/sata_svw.c 2011-03-14 21:20:32.000000000 -0400
22343 +++ linux-2.6.38.1-new/drivers/ata/sata_svw.c 2011-03-21 18:31:35.000000000 -0400
22344 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22348 -static struct ata_port_operations k2_sata_ops = {
22349 +static const struct ata_port_operations k2_sata_ops = {
22350 .inherits = &ata_bmdma_port_ops,
22351 .sff_tf_load = k2_sata_tf_load,
22352 .sff_tf_read = k2_sata_tf_read,
22353 diff -urNp linux-2.6.38.1/drivers/ata/sata_sx4.c linux-2.6.38.1-new/drivers/ata/sata_sx4.c
22354 --- linux-2.6.38.1/drivers/ata/sata_sx4.c 2011-03-14 21:20:32.000000000 -0400
22355 +++ linux-2.6.38.1-new/drivers/ata/sata_sx4.c 2011-03-21 18:31:35.000000000 -0400
22356 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22359 /* TODO: inherit from base port_ops after converting to new EH */
22360 -static struct ata_port_operations pdc_20621_ops = {
22361 +static const struct ata_port_operations pdc_20621_ops = {
22362 .inherits = &ata_sff_port_ops,
22364 .check_atapi_dma = pdc_check_atapi_dma,
22365 diff -urNp linux-2.6.38.1/drivers/ata/sata_uli.c linux-2.6.38.1-new/drivers/ata/sata_uli.c
22366 --- linux-2.6.38.1/drivers/ata/sata_uli.c 2011-03-14 21:20:32.000000000 -0400
22367 +++ linux-2.6.38.1-new/drivers/ata/sata_uli.c 2011-03-21 18:31:35.000000000 -0400
22368 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22369 ATA_BMDMA_SHT(DRV_NAME),
22372 -static struct ata_port_operations uli_ops = {
22373 +static const struct ata_port_operations uli_ops = {
22374 .inherits = &ata_bmdma_port_ops,
22375 .scr_read = uli_scr_read,
22376 .scr_write = uli_scr_write,
22377 diff -urNp linux-2.6.38.1/drivers/ata/sata_via.c linux-2.6.38.1-new/drivers/ata/sata_via.c
22378 --- linux-2.6.38.1/drivers/ata/sata_via.c 2011-03-14 21:20:32.000000000 -0400
22379 +++ linux-2.6.38.1-new/drivers/ata/sata_via.c 2011-03-21 18:31:35.000000000 -0400
22380 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22381 ATA_BMDMA_SHT(DRV_NAME),
22384 -static struct ata_port_operations svia_base_ops = {
22385 +static const struct ata_port_operations svia_base_ops = {
22386 .inherits = &ata_bmdma_port_ops,
22387 .sff_tf_load = svia_tf_load,
22390 -static struct ata_port_operations vt6420_sata_ops = {
22391 +static const struct ata_port_operations vt6420_sata_ops = {
22392 .inherits = &svia_base_ops,
22393 .freeze = svia_noop_freeze,
22394 .prereset = vt6420_prereset,
22395 .bmdma_start = vt6420_bmdma_start,
22398 -static struct ata_port_operations vt6421_pata_ops = {
22399 +static const struct ata_port_operations vt6421_pata_ops = {
22400 .inherits = &svia_base_ops,
22401 .cable_detect = vt6421_pata_cable_detect,
22402 .set_piomode = vt6421_set_pio_mode,
22403 .set_dmamode = vt6421_set_dma_mode,
22406 -static struct ata_port_operations vt6421_sata_ops = {
22407 +static const struct ata_port_operations vt6421_sata_ops = {
22408 .inherits = &svia_base_ops,
22409 .scr_read = svia_scr_read,
22410 .scr_write = svia_scr_write,
22413 -static struct ata_port_operations vt8251_ops = {
22414 +static const struct ata_port_operations vt8251_ops = {
22415 .inherits = &svia_base_ops,
22416 .hardreset = sata_std_hardreset,
22417 .scr_read = vt8251_scr_read,
22418 diff -urNp linux-2.6.38.1/drivers/ata/sata_vsc.c linux-2.6.38.1-new/drivers/ata/sata_vsc.c
22419 --- linux-2.6.38.1/drivers/ata/sata_vsc.c 2011-03-14 21:20:32.000000000 -0400
22420 +++ linux-2.6.38.1-new/drivers/ata/sata_vsc.c 2011-03-21 18:31:35.000000000 -0400
22421 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22425 -static struct ata_port_operations vsc_sata_ops = {
22426 +static const struct ata_port_operations vsc_sata_ops = {
22427 .inherits = &ata_bmdma_port_ops,
22428 /* The IRQ handling is not quite standard SFF behaviour so we
22429 cannot use the default lost interrupt handler */
22430 diff -urNp linux-2.6.38.1/drivers/atm/adummy.c linux-2.6.38.1-new/drivers/atm/adummy.c
22431 --- linux-2.6.38.1/drivers/atm/adummy.c 2011-03-14 21:20:32.000000000 -0400
22432 +++ linux-2.6.38.1-new/drivers/atm/adummy.c 2011-03-21 18:31:35.000000000 -0400
22433 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
22434 vcc->pop(vcc, skb);
22436 dev_kfree_skb_any(skb);
22437 - atomic_inc(&vcc->stats->tx);
22438 + atomic_inc_unchecked(&vcc->stats->tx);
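Review bot: `atomic_inc_unchecked(&vcc->stats->tx)` only type-checks if the `tx`/`rx`/`*_err`/`*_drop` members of the ATM stats struct have been redeclared as the unchecked atomic type in the header, and every reader of those counters (the /proc and ioctl stats exporters) has been switched to the matching `atomic_read_unchecked`; none of that is in this chunk, so it should be confirmed rather than assumed. The switch is defensible here because these are packet statistics, not reference counts, so opting them out of overflow detection removes false positives without weakening the refcount protection, but that rationale is not recorded anywhere in the hunk. I would add one comment at the stats struct definition, `/* statistics only, not refcounts: wraparound is harmless, hence unchecked */`, so a later reader does not revert these to the checked form. The same observation covers the remaining `atomic_inc_unchecked`/`atomic_add_unchecked` hunks in ambassador.c, atmtcp.c, eni.c, firestream.c, fore200e.c, he.c, horizon.c and idt77252.c in this chunk.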
22442 diff -urNp linux-2.6.38.1/drivers/atm/ambassador.c linux-2.6.38.1-new/drivers/atm/ambassador.c
22443 --- linux-2.6.38.1/drivers/atm/ambassador.c 2011-03-14 21:20:32.000000000 -0400
22444 +++ linux-2.6.38.1-new/drivers/atm/ambassador.c 2011-03-21 18:31:35.000000000 -0400
22445 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22446 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22449 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22450 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22452 // free the descriptor
22454 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22455 dump_skb ("<<<", vc, skb);
22458 - atomic_inc(&atm_vcc->stats->rx);
22459 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22460 __net_timestamp(skb);
22461 // end of our responsability
22462 atm_vcc->push (atm_vcc, skb);
22463 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22465 PRINTK (KERN_INFO, "dropped over-size frame");
22466 // should we count this?
22467 - atomic_inc(&atm_vcc->stats->rx_drop);
22468 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22472 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22475 if (check_area (skb->data, skb->len)) {
22476 - atomic_inc(&atm_vcc->stats->tx_err);
22477 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22478 return -ENOMEM; // ?
22481 diff -urNp linux-2.6.38.1/drivers/atm/atmtcp.c linux-2.6.38.1-new/drivers/atm/atmtcp.c
22482 --- linux-2.6.38.1/drivers/atm/atmtcp.c 2011-03-14 21:20:32.000000000 -0400
22483 +++ linux-2.6.38.1-new/drivers/atm/atmtcp.c 2011-03-21 18:31:35.000000000 -0400
22484 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22485 if (vcc->pop) vcc->pop(vcc,skb);
22486 else dev_kfree_skb(skb);
22487 if (dev_data) return 0;
22488 - atomic_inc(&vcc->stats->tx_err);
22489 + atomic_inc_unchecked(&vcc->stats->tx_err);
22492 size = skb->len+sizeof(struct atmtcp_hdr);
22493 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22495 if (vcc->pop) vcc->pop(vcc,skb);
22496 else dev_kfree_skb(skb);
22497 - atomic_inc(&vcc->stats->tx_err);
22498 + atomic_inc_unchecked(&vcc->stats->tx_err);
22501 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22502 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22503 if (vcc->pop) vcc->pop(vcc,skb);
22504 else dev_kfree_skb(skb);
22505 out_vcc->push(out_vcc,new_skb);
22506 - atomic_inc(&vcc->stats->tx);
22507 - atomic_inc(&out_vcc->stats->rx);
22508 + atomic_inc_unchecked(&vcc->stats->tx);
22509 + atomic_inc_unchecked(&out_vcc->stats->rx);
22513 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22514 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22515 read_unlock(&vcc_sklist_lock);
22517 - atomic_inc(&vcc->stats->tx_err);
22518 + atomic_inc_unchecked(&vcc->stats->tx_err);
22521 skb_pull(skb,sizeof(struct atmtcp_hdr));
22522 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22523 __net_timestamp(new_skb);
22524 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22525 out_vcc->push(out_vcc,new_skb);
22526 - atomic_inc(&vcc->stats->tx);
22527 - atomic_inc(&out_vcc->stats->rx);
22528 + atomic_inc_unchecked(&vcc->stats->tx);
22529 + atomic_inc_unchecked(&out_vcc->stats->rx);
22531 if (vcc->pop) vcc->pop(vcc,skb);
22532 else dev_kfree_skb(skb);
22533 diff -urNp linux-2.6.38.1/drivers/atm/eni.c linux-2.6.38.1-new/drivers/atm/eni.c
22534 --- linux-2.6.38.1/drivers/atm/eni.c 2011-03-14 21:20:32.000000000 -0400
22535 +++ linux-2.6.38.1-new/drivers/atm/eni.c 2011-03-21 18:31:35.000000000 -0400
22536 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22537 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22540 - atomic_inc(&vcc->stats->rx_err);
22541 + atomic_inc_unchecked(&vcc->stats->rx_err);
22544 length = ATM_CELL_SIZE-1; /* no HEC */
22545 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22549 - atomic_inc(&vcc->stats->rx_err);
22550 + atomic_inc_unchecked(&vcc->stats->rx_err);
22553 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22554 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22555 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22556 vcc->dev->number,vcc->vci,length,size << 2,descr);
22558 - atomic_inc(&vcc->stats->rx_err);
22559 + atomic_inc_unchecked(&vcc->stats->rx_err);
22562 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22563 @@ -771,7 +771,7 @@ rx_dequeued++;
22564 vcc->push(vcc,skb);
22567 - atomic_inc(&vcc->stats->rx);
22568 + atomic_inc_unchecked(&vcc->stats->rx);
22570 wake_up(&eni_dev->rx_wait);
22572 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22574 if (vcc->pop) vcc->pop(vcc,skb);
22575 else dev_kfree_skb_irq(skb);
22576 - atomic_inc(&vcc->stats->tx);
22577 + atomic_inc_unchecked(&vcc->stats->tx);
22578 wake_up(&eni_dev->tx_wait);
22581 diff -urNp linux-2.6.38.1/drivers/atm/firestream.c linux-2.6.38.1-new/drivers/atm/firestream.c
22582 --- linux-2.6.38.1/drivers/atm/firestream.c 2011-03-14 21:20:32.000000000 -0400
22583 +++ linux-2.6.38.1-new/drivers/atm/firestream.c 2011-03-21 18:31:35.000000000 -0400
22584 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22588 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22589 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22591 fs_dprintk (FS_DEBUG_TXMEM, "i");
22592 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22593 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22595 skb_put (skb, qe->p1 & 0xffff);
22596 ATM_SKB(skb)->vcc = atm_vcc;
22597 - atomic_inc(&atm_vcc->stats->rx);
22598 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22599 __net_timestamp(skb);
22600 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
22601 atm_vcc->push (atm_vcc, skb);
22602 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
22606 - atomic_inc(&atm_vcc->stats->rx_drop);
22607 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22609 case 0x1f: /* Reassembly abort: no buffers. */
22610 /* Silently increment error counter. */
22612 - atomic_inc(&atm_vcc->stats->rx_drop);
22613 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22615 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
22616 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
22617 diff -urNp linux-2.6.38.1/drivers/atm/fore200e.c linux-2.6.38.1-new/drivers/atm/fore200e.c
22618 --- linux-2.6.38.1/drivers/atm/fore200e.c 2011-03-14 21:20:32.000000000 -0400
22619 +++ linux-2.6.38.1-new/drivers/atm/fore200e.c 2011-03-21 18:31:35.000000000 -0400
22620 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
22622 /* check error condition */
22623 if (*entry->status & STATUS_ERROR)
22624 - atomic_inc(&vcc->stats->tx_err);
22625 + atomic_inc_unchecked(&vcc->stats->tx_err);
22627 - atomic_inc(&vcc->stats->tx);
22628 + atomic_inc_unchecked(&vcc->stats->tx);
22632 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
22634 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
22636 - atomic_inc(&vcc->stats->rx_drop);
22637 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22641 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
22643 dev_kfree_skb_any(skb);
22645 - atomic_inc(&vcc->stats->rx_drop);
22646 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22650 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22652 vcc->push(vcc, skb);
22653 - atomic_inc(&vcc->stats->rx);
22654 + atomic_inc_unchecked(&vcc->stats->rx);
22656 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
22658 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
22659 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
22660 fore200e->atm_dev->number,
22661 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
22662 - atomic_inc(&vcc->stats->rx_err);
22663 + atomic_inc_unchecked(&vcc->stats->rx_err);
22667 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
22671 - atomic_inc(&vcc->stats->tx_err);
22672 + atomic_inc_unchecked(&vcc->stats->tx_err);
22674 fore200e->tx_sat++;
22675 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
22676 diff -urNp linux-2.6.38.1/drivers/atm/he.c linux-2.6.38.1-new/drivers/atm/he.c
22677 --- linux-2.6.38.1/drivers/atm/he.c 2011-03-14 21:20:32.000000000 -0400
22678 +++ linux-2.6.38.1-new/drivers/atm/he.c 2011-03-21 18:31:35.000000000 -0400
22679 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22681 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
22682 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
22683 - atomic_inc(&vcc->stats->rx_drop);
22684 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22685 goto return_host_buffers;
22688 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22689 RBRQ_LEN_ERR(he_dev->rbrq_head)
22691 vcc->vpi, vcc->vci);
22692 - atomic_inc(&vcc->stats->rx_err);
22693 + atomic_inc_unchecked(&vcc->stats->rx_err);
22694 goto return_host_buffers;
22697 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
22698 vcc->push(vcc, skb);
22699 spin_lock(&he_dev->global_lock);
22701 - atomic_inc(&vcc->stats->rx);
22702 + atomic_inc_unchecked(&vcc->stats->rx);
22704 return_host_buffers:
22706 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
22707 tpd->vcc->pop(tpd->vcc, tpd->skb);
22709 dev_kfree_skb_any(tpd->skb);
22710 - atomic_inc(&tpd->vcc->stats->tx_err);
22711 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
22713 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
22715 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22716 vcc->pop(vcc, skb);
22718 dev_kfree_skb_any(skb);
22719 - atomic_inc(&vcc->stats->tx_err);
22720 + atomic_inc_unchecked(&vcc->stats->tx_err);
22724 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22725 vcc->pop(vcc, skb);
22727 dev_kfree_skb_any(skb);
22728 - atomic_inc(&vcc->stats->tx_err);
22729 + atomic_inc_unchecked(&vcc->stats->tx_err);
22733 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22734 vcc->pop(vcc, skb);
22736 dev_kfree_skb_any(skb);
22737 - atomic_inc(&vcc->stats->tx_err);
22738 + atomic_inc_unchecked(&vcc->stats->tx_err);
22739 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22742 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22743 vcc->pop(vcc, skb);
22745 dev_kfree_skb_any(skb);
22746 - atomic_inc(&vcc->stats->tx_err);
22747 + atomic_inc_unchecked(&vcc->stats->tx_err);
22748 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22751 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
22752 __enqueue_tpd(he_dev, tpd, cid);
22753 spin_unlock_irqrestore(&he_dev->global_lock, flags);
22755 - atomic_inc(&vcc->stats->tx);
22756 + atomic_inc_unchecked(&vcc->stats->tx);
22760 diff -urNp linux-2.6.38.1/drivers/atm/horizon.c linux-2.6.38.1-new/drivers/atm/horizon.c
22761 --- linux-2.6.38.1/drivers/atm/horizon.c 2011-03-14 21:20:32.000000000 -0400
22762 +++ linux-2.6.38.1-new/drivers/atm/horizon.c 2011-03-21 18:31:35.000000000 -0400
22763 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
22765 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
22767 - atomic_inc(&vcc->stats->rx);
22768 + atomic_inc_unchecked(&vcc->stats->rx);
22769 __net_timestamp(skb);
22770 // end of our responsability
22771 vcc->push (vcc, skb);
22772 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
22773 dev->tx_iovec = NULL;
22776 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22777 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22780 hrz_kfree_skb (skb);
22781 diff -urNp linux-2.6.38.1/drivers/atm/idt77252.c linux-2.6.38.1-new/drivers/atm/idt77252.c
22782 --- linux-2.6.38.1/drivers/atm/idt77252.c 2011-03-14 21:20:32.000000000 -0400
22783 +++ linux-2.6.38.1-new/drivers/atm/idt77252.c 2011-03-21 18:31:35.000000000 -0400
22784 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
22786 dev_kfree_skb(skb);
22788 - atomic_inc(&vcc->stats->tx);
22789 + atomic_inc_unchecked(&vcc->stats->tx);
22792 atomic_dec(&scq->used);
22793 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
22794 if ((sb = dev_alloc_skb(64)) == NULL) {
22795 printk("%s: Can't allocate buffers for aal0.\n",
22797 - atomic_add(i, &vcc->stats->rx_drop);
22798 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
22801 if (!atm_charge(vcc, sb->truesize)) {
22802 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
22804 - atomic_add(i - 1, &vcc->stats->rx_drop);
22805 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
22809 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
22810 ATM_SKB(sb)->vcc = vcc;
22811 __net_timestamp(sb);
22812 vcc->push(vcc, sb);
22813 - atomic_inc(&vcc->stats->rx);
22814 + atomic_inc_unchecked(&vcc->stats->rx);
22816 cell += ATM_CELL_PAYLOAD;
22818 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
22820 card->name, len, rpp->len, readl(SAR_REG_CDC));
22821 recycle_rx_pool_skb(card, rpp);
22822 - atomic_inc(&vcc->stats->rx_err);
22823 + atomic_inc_unchecked(&vcc->stats->rx_err);
22826 if (stat & SAR_RSQE_CRC) {
22827 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
22828 recycle_rx_pool_skb(card, rpp);
22829 - atomic_inc(&vcc->stats->rx_err);
22830 + atomic_inc_unchecked(&vcc->stats->rx_err);
22833 if (skb_queue_len(&rpp->queue) > 1) {
22834 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
22835 RXPRINTK("%s: Can't alloc RX skb.\n",
22837 recycle_rx_pool_skb(card, rpp);
22838 - atomic_inc(&vcc->stats->rx_err);
22839 + atomic_inc_unchecked(&vcc->stats->rx_err);
22842 if (!atm_charge(vcc, skb->truesize)) {
22843 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
22844 __net_timestamp(skb);
22846 vcc->push(vcc, skb);
22847 - atomic_inc(&vcc->stats->rx);
22848 + atomic_inc_unchecked(&vcc->stats->rx);
22852 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
22853 __net_timestamp(skb);
22855 vcc->push(vcc, skb);
22856 - atomic_inc(&vcc->stats->rx);
22857 + atomic_inc_unchecked(&vcc->stats->rx);
22859 if (skb->truesize > SAR_FB_SIZE_3)
22860 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
22861 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
22862 if (vcc->qos.aal != ATM_AAL0) {
22863 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
22864 card->name, vpi, vci);
22865 - atomic_inc(&vcc->stats->rx_drop);
22866 + atomic_inc_unchecked(&vcc->stats->rx_drop);
22870 if ((sb = dev_alloc_skb(64)) == NULL) {
22871 printk("%s: Can't allocate buffers for AAL0.\n",
22873 - atomic_inc(&vcc->stats->rx_err);
22874 + atomic_inc_unchecked(&vcc->stats->rx_err);
22878 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
22879 ATM_SKB(sb)->vcc = vcc;
22880 __net_timestamp(sb);
22881 vcc->push(vcc, sb);
22882 - atomic_inc(&vcc->stats->rx);
22883 + atomic_inc_unchecked(&vcc->stats->rx);
22886 skb_pull(queue, 64);
22887 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22890 printk("%s: NULL connection in send().\n", card->name);
22891 - atomic_inc(&vcc->stats->tx_err);
22892 + atomic_inc_unchecked(&vcc->stats->tx_err);
22893 dev_kfree_skb(skb);
22896 if (!test_bit(VCF_TX, &vc->flags)) {
22897 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
22898 - atomic_inc(&vcc->stats->tx_err);
22899 + atomic_inc_unchecked(&vcc->stats->tx_err);
22900 dev_kfree_skb(skb);
22903 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22906 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
22907 - atomic_inc(&vcc->stats->tx_err);
22908 + atomic_inc_unchecked(&vcc->stats->tx_err);
22909 dev_kfree_skb(skb);
22913 if (skb_shinfo(skb)->nr_frags != 0) {
22914 printk("%s: No scatter-gather yet.\n", card->name);
22915 - atomic_inc(&vcc->stats->tx_err);
22916 + atomic_inc_unchecked(&vcc->stats->tx_err);
22917 dev_kfree_skb(skb);
22920 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
22922 err = queue_skb(card, vc, skb, oam);
22924 - atomic_inc(&vcc->stats->tx_err);
22925 + atomic_inc_unchecked(&vcc->stats->tx_err);
22926 dev_kfree_skb(skb);
22929 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
22930 skb = dev_alloc_skb(64);
22932 printk("%s: Out of memory in send_oam().\n", card->name);
22933 - atomic_inc(&vcc->stats->tx_err);
22934 + atomic_inc_unchecked(&vcc->stats->tx_err);
22937 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
22938 diff -urNp linux-2.6.38.1/drivers/atm/iphase.c linux-2.6.38.1-new/drivers/atm/iphase.c
22939 --- linux-2.6.38.1/drivers/atm/iphase.c 2011-03-14 21:20:32.000000000 -0400
22940 +++ linux-2.6.38.1-new/drivers/atm/iphase.c 2011-03-21 18:31:35.000000000 -0400
22941 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
22942 status = (u_short) (buf_desc_ptr->desc_mode);
22943 if (status & (RX_CER | RX_PTE | RX_OFL))
22945 - atomic_inc(&vcc->stats->rx_err);
22946 + atomic_inc_unchecked(&vcc->stats->rx_err);
22947 IF_ERR(printk("IA: bad packet, dropping it");)
22948 if (status & RX_CER) {
22949 IF_ERR(printk(" cause: packet CRC error\n");)
22950 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
22951 len = dma_addr - buf_addr;
22952 if (len > iadev->rx_buf_sz) {
22953 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
22954 - atomic_inc(&vcc->stats->rx_err);
22955 + atomic_inc_unchecked(&vcc->stats->rx_err);
22956 goto out_free_desc;
22959 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
22960 ia_vcc = INPH_IA_VCC(vcc);
22961 if (ia_vcc == NULL)
22963 - atomic_inc(&vcc->stats->rx_err);
22964 + atomic_inc_unchecked(&vcc->stats->rx_err);
22965 dev_kfree_skb_any(skb);
22966 atm_return(vcc, atm_guess_pdu2truesize(len));
22968 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
22969 if ((length > iadev->rx_buf_sz) || (length >
22970 (skb->len - sizeof(struct cpcs_trailer))))
22972 - atomic_inc(&vcc->stats->rx_err);
22973 + atomic_inc_unchecked(&vcc->stats->rx_err);
22974 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
22975 length, skb->len);)
22976 dev_kfree_skb_any(skb);
22977 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
22979 IF_RX(printk("rx_dle_intr: skb push");)
22980 vcc->push(vcc,skb);
22981 - atomic_inc(&vcc->stats->rx);
22982 + atomic_inc_unchecked(&vcc->stats->rx);
22983 iadev->rx_pkt_cnt++;
22986 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
22988 struct k_sonet_stats *stats;
22989 stats = &PRIV(_ia_dev[board])->sonet_stats;
22990 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
22991 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
22992 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
22993 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
22994 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
22995 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
22996 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
22997 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
22998 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
22999 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23000 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23001 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23002 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23003 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23004 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23005 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23006 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23007 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23009 ia_cmds.status = 0;
23011 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23012 if ((desc == 0) || (desc > iadev->num_tx_desc))
23014 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23015 - atomic_inc(&vcc->stats->tx);
23016 + atomic_inc_unchecked(&vcc->stats->tx);
23018 vcc->pop(vcc, skb);
23020 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23021 ATM_DESC(skb) = vcc->vci;
23022 skb_queue_tail(&iadev->tx_dma_q, skb);
23024 - atomic_inc(&vcc->stats->tx);
23025 + atomic_inc_unchecked(&vcc->stats->tx);
23026 iadev->tx_pkt_cnt++;
23027 /* Increment transaction counter */
23028 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23031 /* add flow control logic */
23032 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23033 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23034 if (iavcc->vc_desc_cnt > 10) {
23035 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23036 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23037 diff -urNp linux-2.6.38.1/drivers/atm/lanai.c linux-2.6.38.1-new/drivers/atm/lanai.c
23038 --- linux-2.6.38.1/drivers/atm/lanai.c 2011-03-14 21:20:32.000000000 -0400
23039 +++ linux-2.6.38.1-new/drivers/atm/lanai.c 2011-03-21 18:31:35.000000000 -0400
23040 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23041 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23042 lanai_endtx(lanai, lvcc);
23043 lanai_free_skb(lvcc->tx.atmvcc, skb);
23044 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23045 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23048 /* Try to fill the buffer - don't call unless there is backlog */
23049 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23050 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23051 __net_timestamp(skb);
23052 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23053 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23054 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23056 lvcc->rx.buf.ptr = end;
23057 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23058 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23059 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23060 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23061 lanai->stats.service_rxnotaal5++;
23062 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23063 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23066 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23067 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23069 read_unlock(&vcc_sklist_lock);
23070 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23071 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23072 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23073 lvcc->stats.x.aal5.service_trash++;
23074 bytes = (SERVICE_GET_END(s) * 16) -
23075 (((unsigned long) lvcc->rx.buf.ptr) -
23076 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23078 if (s & SERVICE_STREAM) {
23079 read_unlock(&vcc_sklist_lock);
23080 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23081 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23082 lvcc->stats.x.aal5.service_stream++;
23083 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23084 "PDU on VCI %d!\n", lanai->number, vci);
23085 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23088 DPRINTK("got rx crc error on vci %d\n", vci);
23089 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23090 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23091 lvcc->stats.x.aal5.service_rxcrc++;
23092 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23093 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23094 diff -urNp linux-2.6.38.1/drivers/atm/nicstar.c linux-2.6.38.1-new/drivers/atm/nicstar.c
23095 --- linux-2.6.38.1/drivers/atm/nicstar.c 2011-03-14 21:20:32.000000000 -0400
23096 +++ linux-2.6.38.1-new/drivers/atm/nicstar.c 2011-03-21 18:31:35.000000000 -0400
23097 @@ -1654,7 +1654,7 @@ static int ns_send(struct atm_vcc *vcc,
23098 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
23099 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
23101 - atomic_inc(&vcc->stats->tx_err);
23102 + atomic_inc_unchecked(&vcc->stats->tx_err);
23103 dev_kfree_skb_any(skb);
23106 @@ -1662,7 +1662,7 @@ static int ns_send(struct atm_vcc *vcc,
23108 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
23110 - atomic_inc(&vcc->stats->tx_err);
23111 + atomic_inc_unchecked(&vcc->stats->tx_err);
23112 dev_kfree_skb_any(skb);
23115 @@ -1670,14 +1670,14 @@ static int ns_send(struct atm_vcc *vcc,
23116 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
23117 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
23119 - atomic_inc(&vcc->stats->tx_err);
23120 + atomic_inc_unchecked(&vcc->stats->tx_err);
23121 dev_kfree_skb_any(skb);
23125 if (skb_shinfo(skb)->nr_frags != 0) {
23126 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23127 - atomic_inc(&vcc->stats->tx_err);
23128 + atomic_inc_unchecked(&vcc->stats->tx_err);
23129 dev_kfree_skb_any(skb);
23132 @@ -1725,11 +1725,11 @@ static int ns_send(struct atm_vcc *vcc,
23135 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
23136 - atomic_inc(&vcc->stats->tx_err);
23137 + atomic_inc_unchecked(&vcc->stats->tx_err);
23138 dev_kfree_skb_any(skb);
23141 - atomic_inc(&vcc->stats->tx);
23142 + atomic_inc_unchecked(&vcc->stats->tx);
23146 @@ -2046,14 +2046,14 @@ static void dequeue_rx(ns_dev * card, ns
23148 ("nicstar%d: Can't allocate buffers for aal0.\n",
23150 - atomic_add(i, &vcc->stats->rx_drop);
23151 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23154 if (!atm_charge(vcc, sb->truesize)) {
23156 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
23158 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23159 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23160 dev_kfree_skb_any(sb);
23163 @@ -2068,7 +2068,7 @@ static void dequeue_rx(ns_dev * card, ns
23164 ATM_SKB(sb)->vcc = vcc;
23165 __net_timestamp(sb);
23166 vcc->push(vcc, sb);
23167 - atomic_inc(&vcc->stats->rx);
23168 + atomic_inc_unchecked(&vcc->stats->rx);
23169 cell += ATM_CELL_PAYLOAD;
23172 @@ -2085,7 +2085,7 @@ static void dequeue_rx(ns_dev * card, ns
23173 if (iovb == NULL) {
23174 printk("nicstar%d: Out of iovec buffers.\n",
23176 - atomic_inc(&vcc->stats->rx_drop);
23177 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23178 recycle_rx_buf(card, skb);
23181 @@ -2109,7 +2109,7 @@ static void dequeue_rx(ns_dev * card, ns
23182 small or large buffer itself. */
23183 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
23184 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23185 - atomic_inc(&vcc->stats->rx_err);
23186 + atomic_inc_unchecked(&vcc->stats->rx_err);
23187 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23189 NS_PRV_IOVCNT(iovb) = 0;
23190 @@ -2129,7 +2129,7 @@ static void dequeue_rx(ns_dev * card, ns
23191 ("nicstar%d: Expected a small buffer, and this is not one.\n",
23193 which_list(card, skb);
23194 - atomic_inc(&vcc->stats->rx_err);
23195 + atomic_inc_unchecked(&vcc->stats->rx_err);
23196 recycle_rx_buf(card, skb);
23198 recycle_iov_buf(card, iovb);
23199 @@ -2142,7 +2142,7 @@ static void dequeue_rx(ns_dev * card, ns
23200 ("nicstar%d: Expected a large buffer, and this is not one.\n",
23202 which_list(card, skb);
23203 - atomic_inc(&vcc->stats->rx_err);
23204 + atomic_inc_unchecked(&vcc->stats->rx_err);
23205 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23206 NS_PRV_IOVCNT(iovb));
23208 @@ -2165,7 +2165,7 @@ static void dequeue_rx(ns_dev * card, ns
23209 printk(" - PDU size mismatch.\n");
23212 - atomic_inc(&vcc->stats->rx_err);
23213 + atomic_inc_unchecked(&vcc->stats->rx_err);
23214 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23215 NS_PRV_IOVCNT(iovb));
23217 @@ -2179,7 +2179,7 @@ static void dequeue_rx(ns_dev * card, ns
23218 /* skb points to a small buffer */
23219 if (!atm_charge(vcc, skb->truesize)) {
23220 push_rxbufs(card, skb);
23221 - atomic_inc(&vcc->stats->rx_drop);
23222 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23225 dequeue_sm_buf(card, skb);
23226 @@ -2189,7 +2189,7 @@ static void dequeue_rx(ns_dev * card, ns
23227 ATM_SKB(skb)->vcc = vcc;
23228 __net_timestamp(skb);
23229 vcc->push(vcc, skb);
23230 - atomic_inc(&vcc->stats->rx);
23231 + atomic_inc_unchecked(&vcc->stats->rx);
23233 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
23234 struct sk_buff *sb;
23235 @@ -2200,7 +2200,7 @@ static void dequeue_rx(ns_dev * card, ns
23236 if (len <= NS_SMBUFSIZE) {
23237 if (!atm_charge(vcc, sb->truesize)) {
23238 push_rxbufs(card, sb);
23239 - atomic_inc(&vcc->stats->rx_drop);
23240 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23243 dequeue_sm_buf(card, sb);
23244 @@ -2210,7 +2210,7 @@ static void dequeue_rx(ns_dev * card, ns
23245 ATM_SKB(sb)->vcc = vcc;
23246 __net_timestamp(sb);
23247 vcc->push(vcc, sb);
23248 - atomic_inc(&vcc->stats->rx);
23249 + atomic_inc_unchecked(&vcc->stats->rx);
23252 push_rxbufs(card, skb);
23253 @@ -2219,7 +2219,7 @@ static void dequeue_rx(ns_dev * card, ns
23255 if (!atm_charge(vcc, skb->truesize)) {
23256 push_rxbufs(card, skb);
23257 - atomic_inc(&vcc->stats->rx_drop);
23258 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23260 dequeue_lg_buf(card, skb);
23261 #ifdef NS_USE_DESTRUCTORS
23262 @@ -2232,7 +2232,7 @@ static void dequeue_rx(ns_dev * card, ns
23263 ATM_SKB(skb)->vcc = vcc;
23264 __net_timestamp(skb);
23265 vcc->push(vcc, skb);
23266 - atomic_inc(&vcc->stats->rx);
23267 + atomic_inc_unchecked(&vcc->stats->rx);
23270 push_rxbufs(card, sb);
23271 @@ -2253,7 +2253,7 @@ static void dequeue_rx(ns_dev * card, ns
23273 ("nicstar%d: Out of huge buffers.\n",
23275 - atomic_inc(&vcc->stats->rx_drop);
23276 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23277 recycle_iovec_rx_bufs(card,
23280 @@ -2304,7 +2304,7 @@ static void dequeue_rx(ns_dev * card, ns
23281 card->hbpool.count++;
23283 dev_kfree_skb_any(hb);
23284 - atomic_inc(&vcc->stats->rx_drop);
23285 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23287 /* Copy the small buffer to the huge buffer */
23288 sb = (struct sk_buff *)iov->iov_base;
23289 @@ -2341,7 +2341,7 @@ static void dequeue_rx(ns_dev * card, ns
23290 #endif /* NS_USE_DESTRUCTORS */
23291 __net_timestamp(hb);
23292 vcc->push(vcc, hb);
23293 - atomic_inc(&vcc->stats->rx);
23294 + atomic_inc_unchecked(&vcc->stats->rx);
23298 diff -urNp linux-2.6.38.1/drivers/atm/solos-pci.c linux-2.6.38.1-new/drivers/atm/solos-pci.c
23299 --- linux-2.6.38.1/drivers/atm/solos-pci.c 2011-03-14 21:20:32.000000000 -0400
23300 +++ linux-2.6.38.1-new/drivers/atm/solos-pci.c 2011-03-21 18:31:35.000000000 -0400
23301 @@ -717,7 +717,7 @@ void solos_bh(unsigned long card_arg)
23303 atm_charge(vcc, skb->truesize);
23304 vcc->push(vcc, skb);
23305 - atomic_inc(&vcc->stats->rx);
23306 + atomic_inc_unchecked(&vcc->stats->rx);
23310 @@ -1026,7 +1026,7 @@ static uint32_t fpga_tx(struct solos_car
23311 vcc = SKB_CB(oldskb)->vcc;
23314 - atomic_inc(&vcc->stats->tx);
23315 + atomic_inc_unchecked(&vcc->stats->tx);
23316 solos_pop(vcc, oldskb);
23318 dev_kfree_skb_irq(oldskb);
23319 diff -urNp linux-2.6.38.1/drivers/atm/suni.c linux-2.6.38.1-new/drivers/atm/suni.c
23320 --- linux-2.6.38.1/drivers/atm/suni.c 2011-03-14 21:20:32.000000000 -0400
23321 +++ linux-2.6.38.1-new/drivers/atm/suni.c 2011-03-21 18:31:35.000000000 -0400
23322 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23325 #define ADD_LIMITED(s,v) \
23326 - atomic_add((v),&stats->s); \
23327 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23328 + atomic_add_unchecked((v),&stats->s); \
23329 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23332 static void suni_hz(unsigned long from_timer)
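Review bot: The rewritten ADD_LIMITED is still a two-statement macro with no `do { } while (0)` wrapper, so an invocation like `if (cond) ADD_LIMITED(s, v);` would guard only the add and run the saturation check unconditionally; the uPD98402.c rewrite of the same macro further down wraps it in bare braces instead, which breaks `if (...) ADD_LIMITED(...); else ...` with a dangling-else error. Wrapping the body as `#define ADD_LIMITED(s,v) do { \` / `atomic_add_unchecked((v),&stats->s); \` / `if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX); } while (0)` fixes both. The switch to the `_unchecked` variants presumably keeps these statistics counters out of overflow trapping so that the existing `< 0` saturation check remains the way a wrapped counter is handled; a short comment saying that these are counters, not refcounts, would explain why the unchecked API is the right one here.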
23333 diff -urNp linux-2.6.38.1/drivers/atm/uPD98402.c linux-2.6.38.1-new/drivers/atm/uPD98402.c
23334 --- linux-2.6.38.1/drivers/atm/uPD98402.c 2011-03-14 21:20:32.000000000 -0400
23335 +++ linux-2.6.38.1-new/drivers/atm/uPD98402.c 2011-03-21 18:31:35.000000000 -0400
23336 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23337 struct sonet_stats tmp;
23340 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23341 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23342 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23343 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23344 if (zero && !error) {
23345 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23348 #define ADD_LIMITED(s,v) \
23349 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23350 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23351 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23352 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23353 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23354 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23357 static void stat_event(struct atm_dev *dev)
23358 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23359 if (reason & uPD98402_INT_PFM) stat_event(dev);
23360 if (reason & uPD98402_INT_PCO) {
23361 (void) GET(PCOCR); /* clear interrupt cause */
23362 - atomic_add(GET(HECCT),
23363 + atomic_add_unchecked(GET(HECCT),
23364 &PRIV(dev)->sonet_stats.uncorr_hcs);
23366 if ((reason & uPD98402_INT_RFO) &&
23367 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23368 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23369 uPD98402_INT_LOS),PIMR); /* enable them */
23370 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23371 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23372 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23373 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23374 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23375 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23376 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23380 diff -urNp linux-2.6.38.1/drivers/atm/zatm.c linux-2.6.38.1-new/drivers/atm/zatm.c
23381 --- linux-2.6.38.1/drivers/atm/zatm.c 2011-03-14 21:20:32.000000000 -0400
23382 +++ linux-2.6.38.1-new/drivers/atm/zatm.c 2011-03-21 18:31:35.000000000 -0400
23383 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23386 dev_kfree_skb_irq(skb);
23387 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23388 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23391 if (!atm_charge(vcc,skb->truesize)) {
23392 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23394 ATM_SKB(skb)->vcc = vcc;
23395 vcc->push(vcc,skb);
23396 - atomic_inc(&vcc->stats->rx);
23397 + atomic_inc_unchecked(&vcc->stats->rx);
23399 zout(pos & 0xffff,MTA(mbx));
23400 #if 0 /* probably a stupid idea */
23401 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23402 skb_queue_head(&zatm_vcc->backlog,skb);
23405 - atomic_inc(&vcc->stats->tx);
23406 + atomic_inc_unchecked(&vcc->stats->tx);
23407 wake_up(&zatm_vcc->tx_wait);
23410 diff -urNp linux-2.6.38.1/drivers/block/cciss.c linux-2.6.38.1-new/drivers/block/cciss.c
23411 --- linux-2.6.38.1/drivers/block/cciss.c 2011-03-14 21:20:32.000000000 -0400
23412 +++ linux-2.6.38.1-new/drivers/block/cciss.c 2011-03-21 18:31:35.000000000 -0400
23413 @@ -1112,6 +1112,8 @@ static int cciss_ioctl32_passthru(struct
23417 + memset(&arg64, 0, sizeof(arg64));
23421 copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
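Review bot: The added `memset(&arg64, 0, sizeof(arg64))` carries no comment saying what it defends against, and since the rest of cciss_ioctl32_passthru lies outside the hunk I can only infer it: `arg64` is a stack struct filled field by field from the 32-bit layout and, presumably, later handed back to userspace, so untouched padding bytes would leak stale kernel stack contents. A one-line comment such as `/* zero the whole struct first: it is later copied back out, so padding must not hold stale stack data */` would stop a later cleanup from dropping the memset as apparently redundant. The return value of the `copy_from_user` that follows is handled on lines outside the visible hunk, so I cannot confirm it is checked.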
23422 diff -urNp linux-2.6.38.1/drivers/char/agp/frontend.c linux-2.6.38.1-new/drivers/char/agp/frontend.c
23423 --- linux-2.6.38.1/drivers/char/agp/frontend.c 2011-03-14 21:20:32.000000000 -0400
23424 +++ linux-2.6.38.1-new/drivers/char/agp/frontend.c 2011-03-21 18:31:35.000000000 -0400
23425 @@ -817,7 +817,7 @@ static int agpioc_reserve_wrap(struct ag
23426 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23429 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23430 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23433 client = agp_find_client_by_pid(reserve.pid);
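Review bot: The overflow bound is now derived from `sizeof(struct agp_segment_priv)` instead of `struct agp_segment`, but nothing at the check site says which allocation it protects; presumably the per-segment buffer allocated later in agpioc_reserve_wrap (outside the hunk) is an array of agp_segment_priv, and the bound must track that element type or the `seg_count * sizeof` product can wrap. A comment tying the two together, `/* must match the element type allocated below so seg_count * size cannot wrap */`, keeps them from drifting apart again. The `(unsigned)` cast also quietly turns a negative seg_count into a huge value that the check rejects, which is worth stating rather than leaving implicit.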
23434 diff -urNp linux-2.6.38.1/drivers/char/agp/intel-agp.c linux-2.6.38.1-new/drivers/char/agp/intel-agp.c
23435 --- linux-2.6.38.1/drivers/char/agp/intel-agp.c 2011-03-14 21:20:32.000000000 -0400
23436 +++ linux-2.6.38.1-new/drivers/char/agp/intel-agp.c 2011-03-21 18:31:35.000000000 -0400
23437 @@ -903,7 +903,7 @@ static struct pci_device_id agp_intel_pc
23438 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23439 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23440 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
23442 + { 0, 0, 0, 0, 0, 0, 0 }
23445 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
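Review bot: The new terminator `{ 0, 0, 0, 0, 0, 0, 0 }` spells out every member of `struct pci_device_id` positionally, which has to be revisited if the struct ever gains a member; `{ 0 }` zero-initialises the whole sentinel entry and is the usual form. If the fully spelled-out initializer is required by a checker or tooling constraint of this patch set, a one-line comment saying so would stop the next reviewer from simplifying it back.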
23446 diff -urNp linux-2.6.38.1/drivers/char/hpet.c linux-2.6.38.1-new/drivers/char/hpet.c
23447 --- linux-2.6.38.1/drivers/char/hpet.c 2011-03-14 21:20:32.000000000 -0400
23448 +++ linux-2.6.38.1-new/drivers/char/hpet.c 2011-03-21 18:31:35.000000000 -0400
23449 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23453 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg,
23454 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg,
23455 struct hpet_info *info)
23457 struct hpet_timer __iomem *timer;
23458 @@ -1043,7 +1043,7 @@ static struct acpi_driver hpet_acpi_driv
23462 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23463 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23465 static int __init hpet_init(void)
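Review bot: The rewritten `hpet_misc` initializer relies on positional order and pads with `{NULL, NULL}, NULL, NULL` to cover the trailing members of `struct miscdevice`, which will silently mis-assign if the struct layout changes. Designated initializers express the same thing and are already standard kernel style: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`. The remaining members are then zero-initialised implicitly, so the explicit NULLs are unnecessary.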
23467 diff -urNp linux-2.6.38.1/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.38.1-new/drivers/char/ipmi/ipmi_msghandler.c
23468 --- linux-2.6.38.1/drivers/char/ipmi/ipmi_msghandler.c 2011-03-14 21:20:32.000000000 -0400
23469 +++ linux-2.6.38.1-new/drivers/char/ipmi/ipmi_msghandler.c 2011-03-21 18:31:35.000000000 -0400
23470 @@ -414,7 +414,7 @@ struct ipmi_smi {
23471 struct proc_dir_entry *proc_dir;
23472 char proc_dir_name[10];
23474 - atomic_t stats[IPMI_NUM_STATS];
23475 + atomic_unchecked_t stats[IPMI_NUM_STATS];
23478 * run_to_completion duplicate of smb_info, smi_info
23479 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
23482 #define ipmi_inc_stat(intf, stat) \
23483 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
23484 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
23485 #define ipmi_get_stat(intf, stat) \
23486 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
23487 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
23489 static int is_lan_addr(struct ipmi_addr *addr)
23491 @@ -2844,7 +2844,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
23492 INIT_LIST_HEAD(&intf->cmd_rcvrs);
23493 init_waitqueue_head(&intf->waitq);
23494 for (i = 0; i < IPMI_NUM_STATS; i++)
23495 - atomic_set(&intf->stats[i], 0);
23496 + atomic_set_unchecked(&intf->stats[i], 0);
23498 intf->proc_dir = NULL;
23500 diff -urNp linux-2.6.38.1/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.38.1-new/drivers/char/ipmi/ipmi_si_intf.c
23501 --- linux-2.6.38.1/drivers/char/ipmi/ipmi_si_intf.c 2011-03-14 21:20:32.000000000 -0400
23502 +++ linux-2.6.38.1-new/drivers/char/ipmi/ipmi_si_intf.c 2011-03-21 18:31:35.000000000 -0400
23503 @@ -285,7 +285,7 @@ struct smi_info {
23504 unsigned char slave_addr;
23506 /* Counters and things for the proc filesystem. */
23507 - atomic_t stats[SI_NUM_STATS];
23508 + atomic_unchecked_t stats[SI_NUM_STATS];
23510 struct task_struct *thread;
23512 @@ -294,9 +294,9 @@ struct smi_info {
23515 #define smi_inc_stat(smi, stat) \
23516 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
23517 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
23518 #define smi_get_stat(smi, stat) \
23519 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
23520 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
23522 #define SI_MAX_PARMS 4
23524 @@ -3202,7 +3202,7 @@ static int try_smi_init(struct smi_info
23525 atomic_set(&new_smi->req_events, 0);
23526 new_smi->run_to_completion = 0;
23527 for (i = 0; i < SI_NUM_STATS; i++)
23528 - atomic_set(&new_smi->stats[i], 0);
23529 + atomic_set_unchecked(&new_smi->stats[i], 0);
23531 new_smi->interrupt_disabled = 1;
23532 atomic_set(&new_smi->stop_operation, 0);
23533 diff -urNp linux-2.6.38.1/drivers/char/mem.c linux-2.6.38.1-new/drivers/char/mem.c
23534 --- linux-2.6.38.1/drivers/char/mem.c 2011-03-14 21:20:32.000000000 -0400
23535 +++ linux-2.6.38.1-new/drivers/char/mem.c 2011-03-21 18:31:35.000000000 -0400
23537 #include <linux/raw.h>
23538 #include <linux/tty.h>
23539 #include <linux/capability.h>
23540 +#include <linux/security.h>
23541 #include <linux/ptrace.h>
23542 #include <linux/device.h>
23543 #include <linux/highmem.h>
23545 # include <linux/efi.h>
23548 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23549 +extern struct file_operations grsec_fops;
23552 static inline unsigned long size_inside_page(unsigned long start,
23553 unsigned long size)
23555 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
23557 while (count > 0) {
23558 unsigned long remaining;
23561 sz = size_inside_page(p, count);
23563 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
23567 - remaining = copy_to_user(buf, ptr, sz);
23568 +#ifdef CONFIG_PAX_USERCOPY
23569 + temp = kmalloc(sz, GFP_KERNEL);
23571 + unxlate_dev_mem_ptr(p, ptr);
23574 + memcpy(temp, ptr, sz);
23579 + remaining = copy_to_user(buf, temp, sz);
23581 +#ifdef CONFIG_PAX_USERCOPY
23585 unxlate_dev_mem_ptr(p, ptr);
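Review bot: Under CONFIG_PAX_USERCOPY the copy to userspace is now bounced through `temp = kmalloc(sz, GFP_KERNEL)` on every iteration of the enclosing `while (count > 0)` loop, but the allocation-failure check and the matching `kfree` fall on lines this rendering dropped, so I cannot confirm either from here; the read_kmem hunk below repeats the same pattern. Nothing says why the bounce is needed — presumably the usercopy checks cannot validate a copy_to_user made straight out of the /dev/mem mapping of arbitrary physical memory — so a comment like `/* PAX_USERCOPY: copy via a heap buffer rather than directly from the device mapping, which the usercopy checks cannot validate */` should sit above the kmalloc. If the per-chunk allocation turns out to be measurable, one buffer hoisted out of the loop would avoid it. read_mem itself starts and ends outside the hunk.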
23588 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
23589 if (!valid_phys_addr_range(p, count))
23592 +#ifdef CONFIG_GRKERNSEC_KMEM
23593 + gr_handle_mem_write();
23599 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
23600 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
23601 &vma->vm_page_prot))
23604 +#ifdef CONFIG_GRKERNSEC_KMEM
23605 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
23609 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
23611 vma->vm_page_prot);
23612 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
23613 size_t count, loff_t *ppos)
23615 unsigned long p = *ppos;
23616 - ssize_t low_count, read, sz;
23617 + ssize_t low_count, read, sz, err = 0;
23618 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
23622 if (p < (unsigned long) high_memory) {
23623 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
23626 while (low_count > 0) {
23629 sz = size_inside_page(p, low_count);
23632 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
23634 kbuf = xlate_dev_kmem_ptr((char *)p);
23636 - if (copy_to_user(buf, kbuf, sz))
23637 +#ifdef CONFIG_PAX_USERCOPY
23638 + temp = kmalloc(sz, GFP_KERNEL);
23641 + memcpy(temp, kbuf, sz);
23646 + err = copy_to_user(buf, temp, sz);
23648 +#ifdef CONFIG_PAX_USERCOPY
23656 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
23657 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
23660 +#ifdef CONFIG_GRKERNSEC_KMEM
23661 + gr_handle_kmem_write();
23665 if (p < (unsigned long) high_memory) {
23666 unsigned long to_write = min_t(unsigned long, count,
23667 (unsigned long)high_memory - p);
23668 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
23670 static int open_port(struct inode * inode, struct file * filp)
23672 +#ifdef CONFIG_GRKERNSEC_KMEM
23673 + gr_handle_open_port();
23677 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
23680 +static int open_mem(struct inode * inode, struct file * filp)
23682 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
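Review bot: `open_mem` is now a separate function whose body is identical to `open_port` except for the `gr_handle_open_port()` hook, and the following hunk drops the `#define open_mem open_port` alias that used to tie them together. Without a comment a later cleanup could fold them back into one and either reintroduce the port hook on /dev/mem opens or assume the duplication is accidental; add `/* deliberately not open_port: only /dev/port opens go through gr_handle_open_port() */` above open_mem. The hook's return value, if any, is not used, so presumably it acts by side effect (auditing) rather than by vetoing the open — stating that at the call site would also help.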
23685 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
23686 #define full_lseek null_lseek
23687 #define write_zero write_null
23688 #define read_full read_zero
23689 -#define open_mem open_port
23690 #define open_kmem open_mem
23691 #define open_oldmem open_mem
23693 @@ -857,6 +919,9 @@ static const struct memdev {
23694 #ifdef CONFIG_CRASH_DUMP
23695 [12] = { "oldmem", 0, &oldmem_fops, NULL },
23697 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
23698 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
23702 static int memory_open(struct inode *inode, struct file *filp)
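Review bot: The new `[13] = { "grsec", S_IRUSR | S_IWUGO, &grsec_fops, NULL }` entry creates a device node that every user may open for writing while only the owner may read it, which is unusual enough to deserve a comment on the table entry. If the write side of grsec_fops performs its own authentication of the caller (as a world-writable control node must), say so next to the mode, e.g. `/* world-writable by design: the write handler authenticates the caller itself */`; if it does not, the mode should be tightened. The `extern struct file_operations grsec_fops;` declaration earlier in this file is non-const while the other fops in this table are `const`, so it is also worth checking that it can be declared `const` for consistency with the rest of the constification in this patch.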
23703 diff -urNp linux-2.6.38.1/drivers/char/nvram.c linux-2.6.38.1-new/drivers/char/nvram.c
23704 --- linux-2.6.38.1/drivers/char/nvram.c 2011-03-14 21:20:32.000000000 -0400
23705 +++ linux-2.6.38.1-new/drivers/char/nvram.c 2011-03-21 18:31:35.000000000 -0400
23706 @@ -246,7 +246,7 @@ static ssize_t nvram_read(struct file *f
23708 spin_unlock_irq(&rtc_lock);
23710 - if (copy_to_user(buf, contents, tmp - contents))
23711 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
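Review bot: `tmp - contents` at 23711 is a ptrdiff_t compared against the size_t `sizeof(contents)`, so the comparison is performed unsigned and -Wsign-compare will flag it; assuming `contents` is the local array and `tmp` only ever advances from it (the fill loop is outside this hunk), the intent is sound, but `(size_t)(tmp - contents) > sizeof(contents)` makes that explicit. Because the guard can only fire if the loop above already overran `contents`, a short comment stating that it is a defensive bound for the user-copy length rather than a reachable condition would keep it from being removed as dead code. nvram_read's body starts and ends outside this hunk.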
23715 @@ -435,7 +435,10 @@ static const struct file_operations nvra
23716 static struct miscdevice nvram_dev = {
23726 static int __init nvram_init(void)
23727 diff -urNp linux-2.6.38.1/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.38.1-new/drivers/char/pcmcia/ipwireless/tty.c
23728 --- linux-2.6.38.1/drivers/char/pcmcia/ipwireless/tty.c 2011-03-14 21:20:32.000000000 -0400
23729 +++ linux-2.6.38.1-new/drivers/char/pcmcia/ipwireless/tty.c 2011-03-21 18:31:35.000000000 -0400
23731 #include <linux/tty_driver.h>
23732 #include <linux/tty_flip.h>
23733 #include <linux/uaccess.h>
23734 +#include <asm/local.h>
23737 #include "network.h"
23738 @@ -51,7 +52,7 @@ struct ipw_tty {
23740 struct ipw_network *network;
23741 struct tty_struct *linux_tty;
23743 + local_t open_count;
23744 unsigned int control_lines;
23745 struct mutex ipw_tty_mutex;
23746 int tx_bytes_queued;
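Review bot: `local_t` at 23743 is the per-CPU local-atomic type, and on architectures such as x86 its operations are not atomic with respect to other CPUs, so it is only a safe replacement for the plain `int open_count` because the accesses are serialized by `ipw_tty_mutex` — which the hunks below show for 23751-23756, 23766-23767, 23775, 23784-23785, 23793-23794 and 23847-23848, but not for the reads at 23803, 23812, 23821, 23830 and 23839, whose locking is outside the visible lines and should be confirmed. That dependency belongs on the field, e.g. `local_t open_count; /* protected by ipw_tty_mutex; local_t presumably only for overflow checking, not cross-CPU atomicity */`. The same consideration applies to the `local_t open_count` added to sonypi_device below, whose visible accesses are under `sonypi_device.lock`.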
23747 @@ -127,10 +128,10 @@ static int ipw_open(struct tty_struct *l
23748 mutex_unlock(&tty->ipw_tty_mutex);
23751 - if (tty->open_count == 0)
23752 + if (local_read(&tty->open_count) == 0)
23753 tty->tx_bytes_queued = 0;
23755 - tty->open_count++;
23756 + local_inc(&tty->open_count);
23758 tty->linux_tty = linux_tty;
23759 linux_tty->driver_data = tty;
23760 @@ -146,9 +147,7 @@ static int ipw_open(struct tty_struct *l
23762 static void do_ipw_close(struct ipw_tty *tty)
23764 - tty->open_count--;
23766 - if (tty->open_count == 0) {
23767 + if (local_dec_return(&tty->open_count) == 0) {
23768 struct tty_struct *linux_tty = tty->linux_tty;
23770 if (linux_tty != NULL) {
23771 @@ -169,7 +168,7 @@ static void ipw_hangup(struct tty_struct
23774 mutex_lock(&tty->ipw_tty_mutex);
23775 - if (tty->open_count == 0) {
23776 + if (local_read(&tty->open_count) == 0) {
23777 mutex_unlock(&tty->ipw_tty_mutex);
23780 @@ -198,7 +197,7 @@ void ipwireless_tty_received(struct ipw_
23784 - if (!tty->open_count) {
23785 + if (!local_read(&tty->open_count)) {
23786 mutex_unlock(&tty->ipw_tty_mutex);
23789 @@ -240,7 +239,7 @@ static int ipw_write(struct tty_struct *
23792 mutex_lock(&tty->ipw_tty_mutex);
23793 - if (!tty->open_count) {
23794 + if (!local_read(&tty->open_count)) {
23795 mutex_unlock(&tty->ipw_tty_mutex);
23798 @@ -280,7 +279,7 @@ static int ipw_write_room(struct tty_str
23802 - if (!tty->open_count)
23803 + if (!local_read(&tty->open_count))
23806 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
23807 @@ -322,7 +321,7 @@ static int ipw_chars_in_buffer(struct tt
23811 - if (!tty->open_count)
23812 + if (!local_read(&tty->open_count))
23815 return tty->tx_bytes_queued;
23816 @@ -403,7 +402,7 @@ static int ipw_tiocmget(struct tty_struc
23820 - if (!tty->open_count)
23821 + if (!local_read(&tty->open_count))
23824 return get_control_lines(tty);
23825 @@ -419,7 +418,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
23829 - if (!tty->open_count)
23830 + if (!local_read(&tty->open_count))
23833 return set_control_lines(tty, set, clear);
23834 @@ -433,7 +432,7 @@ static int ipw_ioctl(struct tty_struct *
23838 - if (!tty->open_count)
23839 + if (!local_read(&tty->open_count))
23842 /* FIXME: Exactly how is the tty object locked here .. */
23843 @@ -582,7 +581,7 @@ void ipwireless_tty_free(struct ipw_tty
23844 against a parallel ioctl etc */
23845 mutex_lock(&ttyj->ipw_tty_mutex);
23847 - while (ttyj->open_count)
23848 + while (local_read(&ttyj->open_count))
23849 do_ipw_close(ttyj);
23850 ipwireless_disassociate_network_ttys(network,
23851 ttyj->channel_idx);
23852 diff -urNp linux-2.6.38.1/drivers/char/random.c linux-2.6.38.1-new/drivers/char/random.c
23853 --- linux-2.6.38.1/drivers/char/random.c 2011-03-14 21:20:32.000000000 -0400
23854 +++ linux-2.6.38.1-new/drivers/char/random.c 2011-03-21 18:31:35.000000000 -0400
23855 @@ -254,8 +254,13 @@
23857 * Configuration information
23859 +#ifdef CONFIG_GRKERNSEC_RANDNET
23860 +#define INPUT_POOL_WORDS 512
23861 +#define OUTPUT_POOL_WORDS 128
23863 #define INPUT_POOL_WORDS 128
23864 #define OUTPUT_POOL_WORDS 32
23866 #define SEC_XFER_SIZE 512
23867 #define EXTRACT_SIZE 10
23869 @@ -293,10 +298,17 @@ static struct poolinfo {
23871 int tap1, tap2, tap3, tap4, tap5;
23872 } poolinfo_table[] = {
23873 +#ifdef CONFIG_GRKERNSEC_RANDNET
23874 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
23875 + { 512, 411, 308, 208, 104, 1 },
23876 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
23877 + { 128, 103, 76, 51, 25, 1 },
23879 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
23880 { 128, 103, 76, 51, 25, 1 },
23881 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
23882 { 32, 26, 20, 14, 7, 1 },
23885 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
23886 { 2048, 1638, 1231, 819, 411, 1 },
23887 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
23889 extract_buf(r, tmp);
23890 i = min_t(int, nbytes, EXTRACT_SIZE);
23891 - if (copy_to_user(buf, tmp, i)) {
23892 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
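Review bot: The added `i > sizeof(tmp)` at 23892 can never be true if `tmp` is the EXTRACT_SIZE-byte array this function normally uses, because `i` was just clamped to `min_t(int, nbytes, EXTRACT_SIZE)` on 23890; it also compares a signed `int` against `size_t`. If the test exists to give the user-copy length a provable bound, say so on the line: `/* redundant by construction (i <= EXTRACT_SIZE); keeps the copy size checkable */`, otherwise it will look like dead code to the next reader. extract_entropy_user's body starts and ends outside this hunk.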
23896 @@ -1207,7 +1219,7 @@ EXPORT_SYMBOL(generate_random_uuid);
23897 #include <linux/sysctl.h>
23899 static int min_read_thresh = 8, min_write_thresh;
23900 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
23901 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
23902 static int max_write_thresh = INPUT_POOL_WORDS * 32;
23903 static char sysctl_bootid[16];
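Review bot: `max_read_thresh` at 23901 changes from `INPUT_POOL_WORDS * 32` to `OUTPUT_POOL_WORDS * 32`, which cuts the ceiling of the read-wakeup-threshold sysctl to a quarter of its previous value under both pool configurations added above. If, as in the upstream code not visible here, that threshold is compared against the input pool's entropy count, the old bound was the matching one and this narrowing is an unintended side effect of the RANDNET pool resizing; if it is deliberate, a comment giving the reason would help, e.g. `/* bounded by the output pool on purpose: <reason> */`.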
23905 diff -urNp linux-2.6.38.1/drivers/char/sonypi.c linux-2.6.38.1-new/drivers/char/sonypi.c
23906 --- linux-2.6.38.1/drivers/char/sonypi.c 2011-03-14 21:20:32.000000000 -0400
23907 +++ linux-2.6.38.1-new/drivers/char/sonypi.c 2011-03-21 18:31:35.000000000 -0400
23909 #include <asm/uaccess.h>
23910 #include <asm/io.h>
23911 #include <asm/system.h>
23912 +#include <asm/local.h>
23914 #include <linux/sonypi.h>
23916 @@ -491,7 +492,7 @@ static struct sonypi_device {
23917 spinlock_t fifo_lock;
23918 wait_queue_head_t fifo_proc_list;
23919 struct fasync_struct *fifo_async;
23921 + local_t open_count;
23923 struct input_dev *input_jog_dev;
23924 struct input_dev *input_key_dev;
23925 @@ -898,7 +899,7 @@ static int sonypi_misc_fasync(int fd, st
23926 static int sonypi_misc_release(struct inode *inode, struct file *file)
23928 mutex_lock(&sonypi_device.lock);
23929 - sonypi_device.open_count--;
23930 + local_dec(&sonypi_device.open_count);
23931 mutex_unlock(&sonypi_device.lock);
23934 @@ -907,9 +908,9 @@ static int sonypi_misc_open(struct inode
23936 mutex_lock(&sonypi_device.lock);
23937 /* Flush input queue on first open */
23938 - if (!sonypi_device.open_count)
23939 + if (!local_read(&sonypi_device.open_count))
23940 kfifo_reset(&sonypi_device.fifo);
23941 - sonypi_device.open_count++;
23942 + local_inc(&sonypi_device.open_count);
23943 mutex_unlock(&sonypi_device.lock);
23946 diff -urNp linux-2.6.38.1/drivers/char/tpm/tpm_bios.c linux-2.6.38.1-new/drivers/char/tpm/tpm_bios.c
23947 --- linux-2.6.38.1/drivers/char/tpm/tpm_bios.c 2011-03-14 21:20:32.000000000 -0400
23948 +++ linux-2.6.38.1-new/drivers/char/tpm/tpm_bios.c 2011-03-21 18:31:35.000000000 -0400
23949 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
23952 if ((event->event_type == 0 && event->event_size == 0) ||
23953 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
23954 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
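Review bot: The rewritten bound at 23954 still assumes the tcpa_event header itself lies below `limit`: if, as upstream, the enclosing loop only guarantees `addr < limit`, then with fewer than `sizeof(struct tcpa_event)` bytes left `limit - addr - sizeof(struct tcpa_event)` wraps to a huge unsigned value, the comparison is false, and the reads of `event->event_type` and `event->event_size` on 23952 were already out of bounds. A header check before the dereference, `if (limit - addr < sizeof(struct tcpa_event)) return NULL;`, closes that; the `_next` variant at 23963 has the same shape and needs the same guard. The types of `addr` and `limit` are assumed to be `void *` as in the upstream function; the loop is outside this hunk.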
23958 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
23961 if ((event->event_type == 0 && event->event_size == 0) ||
23962 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
23963 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
23967 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
23970 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
23971 - seq_putc(m, data[i]);
23972 + if (!seq_putc(m, data[i]))
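Review bot: In this kernel seq_putc() returns 0 when the character was stored and -1 when the seq buffer is full, so `if (!seq_putc(m, data[i]))` at 23972 enters its body (elided at 23973) on success rather than on overflow; whatever that body does — presumably an early return — the condition reads as inverted and should be `if (seq_putc(m, data[i]))`. If the body is a `return`, the show function currently stops after the first byte it emits. The enclosing function's body starts and ends outside this hunk.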
23977 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
23978 log->bios_event_log_end = log->bios_event_log + len;
23980 virt = acpi_os_map_memory(start, len);
23982 + kfree(log->bios_event_log);
23983 + log->bios_event_log = NULL;
23987 memcpy(log->bios_event_log, virt, len);
23989 diff -urNp linux-2.6.38.1/drivers/char/tpm/tpm.c linux-2.6.38.1-new/drivers/char/tpm/tpm.c
23990 --- linux-2.6.38.1/drivers/char/tpm/tpm.c 2011-03-14 21:20:32.000000000 -0400
23991 +++ linux-2.6.38.1-new/drivers/char/tpm/tpm.c 2011-03-21 18:31:35.000000000 -0400
23992 @@ -411,7 +411,7 @@ static ssize_t tpm_transmit(struct tpm_c
23993 chip->vendor.req_complete_val)
23996 - if ((status == chip->vendor.req_canceled)) {
23997 + if (status == chip->vendor.req_canceled) {
23998 dev_err(chip->dev, "Operation Canceled\n");
24001 diff -urNp linux-2.6.38.1/drivers/cpuidle/sysfs.c linux-2.6.38.1-new/drivers/cpuidle/sysfs.c
24002 --- linux-2.6.38.1/drivers/cpuidle/sysfs.c 2011-03-14 21:20:32.000000000 -0400
24003 +++ linux-2.6.38.1-new/drivers/cpuidle/sysfs.c 2011-03-21 18:31:35.000000000 -0400
24004 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24005 .release = cpuidle_state_sysfs_release,
24008 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24009 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24011 kobject_put(&device->kobjs[i]->kobj);
24012 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24013 diff -urNp linux-2.6.38.1/drivers/edac/edac_core.h linux-2.6.38.1-new/drivers/edac/edac_core.h
24014 --- linux-2.6.38.1/drivers/edac/edac_core.h 2011-03-14 21:20:32.000000000 -0400
24015 +++ linux-2.6.38.1-new/drivers/edac/edac_core.h 2011-03-21 18:31:35.000000000 -0400
24016 @@ -88,11 +88,11 @@ extern int edac_debug_level;
24018 #else /* !CONFIG_EDAC_DEBUG */
24020 -#define debugf0( ... )
24021 -#define debugf1( ... )
24022 -#define debugf2( ... )
24023 -#define debugf3( ... )
24024 -#define debugf4( ... )
24025 +#define debugf0( ... ) do {} while (0)
24026 +#define debugf1( ... ) do {} while (0)
24027 +#define debugf2( ... ) do {} while (0)
24028 +#define debugf3( ... ) do {} while (0)
24029 +#define debugf4( ... ) do {} while (0)
24031 #endif /* !CONFIG_EDAC_DEBUG */
24033 diff -urNp linux-2.6.38.1/drivers/edac/edac_mc_sysfs.c linux-2.6.38.1-new/drivers/edac/edac_mc_sysfs.c
24034 --- linux-2.6.38.1/drivers/edac/edac_mc_sysfs.c 2011-03-14 21:20:32.000000000 -0400
24035 +++ linux-2.6.38.1-new/drivers/edac/edac_mc_sysfs.c 2011-03-21 18:31:35.000000000 -0400
24036 @@ -761,7 +761,7 @@ static void edac_inst_grp_release(struct
24039 /* Intermediate show/store table */
24040 -static struct sysfs_ops inst_grp_ops = {
24041 +static const struct sysfs_ops inst_grp_ops = {
24042 .show = inst_grp_show,
24043 .store = inst_grp_store
24045 diff -urNp linux-2.6.38.1/drivers/firewire/core-cdev.c linux-2.6.38.1-new/drivers/firewire/core-cdev.c
24046 --- linux-2.6.38.1/drivers/firewire/core-cdev.c 2011-03-14 21:20:32.000000000 -0400
24047 +++ linux-2.6.38.1-new/drivers/firewire/core-cdev.c 2011-03-21 18:31:35.000000000 -0400
24048 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
24051 if ((request->channels == 0 && request->bandwidth == 0) ||
24052 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24053 - request->bandwidth < 0)
24054 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24057 r = kmalloc(sizeof(*r), GFP_KERNEL);
24058 diff -urNp linux-2.6.38.1/drivers/firmware/dmi_scan.c linux-2.6.38.1-new/drivers/firmware/dmi_scan.c
24059 --- linux-2.6.38.1/drivers/firmware/dmi_scan.c 2011-03-14 21:20:32.000000000 -0400
24060 +++ linux-2.6.38.1-new/drivers/firmware/dmi_scan.c 2011-03-21 18:31:35.000000000 -0400
24061 @@ -449,11 +449,6 @@ void __init dmi_scan_machine(void)
24066 - * no iounmap() for that ioremap(); it would be a no-op, but
24067 - * it's so early in setup that sucker gets confused into doing
24068 - * what it shouldn't if we actually call it.
24070 p = dmi_ioremap(0xF0000, 0x10000);
24073 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.38.1-new/drivers/gpu/drm/drm_crtc_helper.c
24074 --- linux-2.6.38.1/drivers/gpu/drm/drm_crtc_helper.c 2011-03-14 21:20:32.000000000 -0400
24075 +++ linux-2.6.38.1-new/drivers/gpu/drm/drm_crtc_helper.c 2011-03-21 18:31:35.000000000 -0400
24076 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
24077 struct drm_crtc *tmp;
24080 - WARN(!crtc, "checking null crtc?\n");
24085 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_drv.c linux-2.6.38.1-new/drivers/gpu/drm/drm_drv.c
24086 --- linux-2.6.38.1/drivers/gpu/drm/drm_drv.c 2011-03-14 21:20:32.000000000 -0400
24087 +++ linux-2.6.38.1-new/drivers/gpu/drm/drm_drv.c 2011-03-21 18:31:35.000000000 -0400
24088 @@ -425,7 +425,7 @@ long drm_ioctl(struct file *filp,
24090 dev = file_priv->minor->dev;
24091 atomic_inc(&dev->ioctl_count);
24092 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24093 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24094 ++file_priv->ioctl_count;
24096 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
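Review bot: `atomic_inc_unchecked` at 24093 presumably opts `dev->counts[]` out of the patch's counter-overflow checking, and the same is done for the other `dev->counts` accesses in drm_fops.c (24105, 24115, 24144), drm_ioctl.c (24260), drm_lock.c (24272, 24281) and i810_dma.c (24294-24295, 24305-24306), yet no hunk records why these counters may wrap. A one-line comment at this first site, or where the array is declared, e.g. `/* statistics only: wrap-around is harmless, hence the _unchecked accessors */`, would document the exemption. drm_ioctl's body starts and ends outside this hunk.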
24097 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_fops.c linux-2.6.38.1-new/drivers/gpu/drm/drm_fops.c
24098 --- linux-2.6.38.1/drivers/gpu/drm/drm_fops.c 2011-03-14 21:20:32.000000000 -0400
24099 +++ linux-2.6.38.1-new/drivers/gpu/drm/drm_fops.c 2011-03-21 18:31:35.000000000 -0400
24100 @@ -70,7 +70,7 @@ static int drm_setup(struct drm_device *
24103 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24104 - atomic_set(&dev->counts[i], 0);
24105 + atomic_set_unchecked(&dev->counts[i], 0);
24107 dev->sigdata.lock = NULL;
24109 @@ -134,8 +134,8 @@ int drm_open(struct inode *inode, struct
24111 retcode = drm_open_helper(inode, filp, dev);
24113 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24114 - if (!dev->open_count++)
24115 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24116 + if (local_inc_return(&dev->open_count) == 1)
24117 retcode = drm_setup(dev);
24120 @@ -472,7 +472,7 @@ int drm_release(struct inode *inode, str
24122 mutex_lock(&drm_global_mutex);
24124 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24125 + DRM_DEBUG("open_count = %d\n", local_read(&dev->open_count));
24127 if (dev->driver->preclose)
24128 dev->driver->preclose(dev, file_priv);
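Review bot: `local_read()` returns `long`, so printing it with `%d` at 24125 (and again at 24134 in the following hunk) is a format/argument mismatch that -Wformat reports and that is undefined in C, even if it happens to print correctly on the usual targets; use `%ld`, i.e. `DRM_DEBUG("open_count = %ld\n", local_read(&dev->open_count));`. The removed lines printed the old `int` field, which is why `%d` was correct before. drm_release's body starts and ends outside this hunk.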
24129 @@ -484,7 +484,7 @@ int drm_release(struct inode *inode, str
24130 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24131 task_pid_nr(current),
24132 (long)old_encode_dev(file_priv->minor->device),
24133 - dev->open_count);
24134 + local_read(&dev->open_count));
24136 /* if the master has gone away we can't do anything with the lock */
24137 if (file_priv->minor->master)
24138 @@ -565,8 +565,8 @@ int drm_release(struct inode *inode, str
24139 * End inline drm_release
24142 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24143 - if (!--dev->open_count) {
24144 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24145 + if (local_dec_and_test(&dev->open_count)) {
24146 if (atomic_read(&dev->ioctl_count)) {
24147 DRM_ERROR("Device busy: %d\n",
24148 atomic_read(&dev->ioctl_count));
24149 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_global.c linux-2.6.38.1-new/drivers/gpu/drm/drm_global.c
24150 --- linux-2.6.38.1/drivers/gpu/drm/drm_global.c 2011-03-14 21:20:32.000000000 -0400
24151 +++ linux-2.6.38.1-new/drivers/gpu/drm/drm_global.c 2011-03-21 18:31:35.000000000 -0400
24153 struct drm_global_item {
24154 struct mutex mutex;
24157 + atomic_t refcount;
24160 static struct drm_global_item glob[DRM_GLOBAL_NUM];
24161 @@ -49,7 +49,7 @@ void drm_global_init(void)
24162 struct drm_global_item *item = &glob[i];
24163 mutex_init(&item->mutex);
24164 item->object = NULL;
24165 - item->refcount = 0;
24166 + atomic_set(&item->refcount, 0);
24170 @@ -59,7 +59,7 @@ void drm_global_release(void)
24171 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
24172 struct drm_global_item *item = &glob[i];
24173 BUG_ON(item->object != NULL);
24174 - BUG_ON(item->refcount != 0);
24175 + BUG_ON(atomic_read(&item->refcount) != 0);
24179 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
24182 mutex_lock(&item->mutex);
24183 - if (item->refcount == 0) {
24184 + if (atomic_read(&item->refcount) == 0) {
24185 item->object = kzalloc(ref->size, GFP_KERNEL);
24186 if (unlikely(item->object == NULL)) {
24188 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
24192 - ++item->refcount;
24193 + atomic_inc(&item->refcount);
24194 ref->object = item->object;
24195 object = item->object;
24196 mutex_unlock(&item->mutex);
24197 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
24198 struct drm_global_item *item = &glob[ref->global_type];
24200 mutex_lock(&item->mutex);
24201 - BUG_ON(item->refcount == 0);
24202 + BUG_ON(atomic_read(&item->refcount) == 0);
24203 BUG_ON(ref->object != item->object);
24204 - if (--item->refcount == 0) {
24205 + if (atomic_dec_and_test(&item->refcount)) {
24207 item->object = NULL;
24209 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_info.c linux-2.6.38.1-new/drivers/gpu/drm/drm_info.c
24210 --- linux-2.6.38.1/drivers/gpu/drm/drm_info.c 2011-03-14 21:20:32.000000000 -0400
24211 +++ linux-2.6.38.1-new/drivers/gpu/drm/drm_info.c 2011-03-21 18:31:35.000000000 -0400
24212 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
24213 struct drm_local_map *map;
24214 struct drm_map_list *r_list;
24216 - /* Hardcoded from _DRM_FRAME_BUFFER,
24217 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
24218 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
24219 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
24220 + static const char * const types[] = {
24221 + [_DRM_FRAME_BUFFER] = "FB",
24222 + [_DRM_REGISTERS] = "REG",
24223 + [_DRM_SHM] = "SHM",
24224 + [_DRM_AGP] = "AGP",
24225 + [_DRM_SCATTER_GATHER] = "SG",
24226 + [_DRM_CONSISTENT] = "PCI",
24227 + [_DRM_GEM] = "GEM" };
24231 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
24235 - if (map->type < 0 || map->type > 5)
24236 + if (map->type >= ARRAY_SIZE(types))
24239 type = types[map->type];
24240 @@ -301,7 +305,11 @@ int drm_vma_info(struct seq_file *m, voi
24241 vma->vm_flags & VM_MAYSHARE ? 's' : 'p',
24242 vma->vm_flags & VM_LOCKED ? 'l' : '-',
24243 vma->vm_flags & VM_IO ? 'i' : '-',
24244 +#ifdef CONFIG_GRKERNSEC_HIDESYM
24250 #if defined(__i386__)
24251 pgprot = pgprot_val(vma->vm_page_prot);
24252 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_ioctl.c linux-2.6.38.1-new/drivers/gpu/drm/drm_ioctl.c
24253 --- linux-2.6.38.1/drivers/gpu/drm/drm_ioctl.c 2011-03-14 21:20:32.000000000 -0400
24254 +++ linux-2.6.38.1-new/drivers/gpu/drm/drm_ioctl.c 2011-03-21 18:31:35.000000000 -0400
24255 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
24256 stats->data[i].value =
24257 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
24259 - stats->data[i].value = atomic_read(&dev->counts[i]);
24260 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
24261 stats->data[i].type = dev->types[i];
24264 diff -urNp linux-2.6.38.1/drivers/gpu/drm/drm_lock.c linux-2.6.38.1-new/drivers/gpu/drm/drm_lock.c
24265 --- linux-2.6.38.1/drivers/gpu/drm/drm_lock.c 2011-03-14 21:20:32.000000000 -0400
24266 +++ linux-2.6.38.1-new/drivers/gpu/drm/drm_lock.c 2011-03-21 18:31:35.000000000 -0400
24267 @@ -89,7 +89,7 @@ int drm_lock(struct drm_device *dev, voi
24268 if (drm_lock_take(&master->lock, lock->context)) {
24269 master->lock.file_priv = file_priv;
24270 master->lock.lock_time = jiffies;
24271 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
24272 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
24273 break; /* Got lock */
24276 @@ -160,7 +160,7 @@ int drm_unlock(struct drm_device *dev, v
24280 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
24281 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
24283 if (drm_lock_free(&master->lock, lock->context)) {
24284 /* FIXME: Should really bail out here. */
24285 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i810/i810_dma.c linux-2.6.38.1-new/drivers/gpu/drm/i810/i810_dma.c
24286 --- linux-2.6.38.1/drivers/gpu/drm/i810/i810_dma.c 2011-03-14 21:20:32.000000000 -0400
24287 +++ linux-2.6.38.1-new/drivers/gpu/drm/i810/i810_dma.c 2011-03-21 18:31:35.000000000 -0400
24288 @@ -953,8 +953,8 @@ static int i810_dma_vertex(struct drm_de
24289 dma->buflist[vertex->idx],
24290 vertex->discard, vertex->used);
24292 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24293 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24294 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
24295 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24296 sarea_priv->last_enqueue = dev_priv->counter - 1;
24297 sarea_priv->last_dispatch = (int)hw_status[5];
24299 @@ -1114,8 +1114,8 @@ static int i810_dma_mc(struct drm_device
24300 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
24303 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24304 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
24305 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
24306 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
24307 sarea_priv->last_enqueue = dev_priv->counter - 1;
24308 sarea_priv->last_dispatch = (int)hw_status[5];
24310 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_ch7017.c
24311 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-14 21:20:32.000000000 -0400
24312 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_ch7017.c 2011-03-21 18:31:35.000000000 -0400
24313 @@ -390,7 +390,7 @@ static void ch7017_destroy(struct intel_
24317 -struct intel_dvo_dev_ops ch7017_ops = {
24318 +const struct intel_dvo_dev_ops ch7017_ops = {
24319 .init = ch7017_init,
24320 .detect = ch7017_detect,
24321 .mode_valid = ch7017_mode_valid,
24322 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_ch7xxx.c
24323 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-14 21:20:32.000000000 -0400
24324 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_ch7xxx.c 2011-03-21 18:31:35.000000000 -0400
24325 @@ -320,7 +320,7 @@ static void ch7xxx_destroy(struct intel_
24329 -struct intel_dvo_dev_ops ch7xxx_ops = {
24330 +const struct intel_dvo_dev_ops ch7xxx_ops = {
24331 .init = ch7xxx_init,
24332 .detect = ch7xxx_detect,
24333 .mode_valid = ch7xxx_mode_valid,
24334 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo.h linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo.h
24335 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo.h 2011-03-14 21:20:32.000000000 -0400
24336 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo.h 2011-03-21 18:31:35.000000000 -0400
24337 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
24339 * \return singly-linked list of modes or NULL if no modes found.
24341 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
24342 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
24345 * Clean up driver-specific bits of the output
24347 - void (*destroy) (struct intel_dvo_device *dvo);
24348 + void (* const destroy) (struct intel_dvo_device *dvo);
24351 * Debugging hook to dump device registers to log file
24353 - void (*dump_regs)(struct intel_dvo_device *dvo);
24354 + void (* const dump_regs)(struct intel_dvo_device *dvo);
24357 -extern struct intel_dvo_dev_ops sil164_ops;
24358 -extern struct intel_dvo_dev_ops ch7xxx_ops;
24359 -extern struct intel_dvo_dev_ops ivch_ops;
24360 -extern struct intel_dvo_dev_ops tfp410_ops;
24361 -extern struct intel_dvo_dev_ops ch7017_ops;
24362 +extern const struct intel_dvo_dev_ops sil164_ops;
24363 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
24364 +extern const struct intel_dvo_dev_ops ivch_ops;
24365 +extern const struct intel_dvo_dev_ops tfp410_ops;
24366 +extern const struct intel_dvo_dev_ops ch7017_ops;
24368 #endif /* _INTEL_DVO_H */
24369 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_ivch.c
24370 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-14 21:20:32.000000000 -0400
24371 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_ivch.c 2011-03-21 18:31:35.000000000 -0400
24372 @@ -410,7 +410,7 @@ static void ivch_destroy(struct intel_dv
24376 -struct intel_dvo_dev_ops ivch_ops= {
24377 +const struct intel_dvo_dev_ops ivch_ops= {
24380 .mode_valid = ivch_mode_valid,
24381 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_sil164.c
24382 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-14 21:20:32.000000000 -0400
24383 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_sil164.c 2011-03-21 18:31:35.000000000 -0400
24384 @@ -252,7 +252,7 @@ static void sil164_destroy(struct intel_
24388 -struct intel_dvo_dev_ops sil164_ops = {
24389 +const struct intel_dvo_dev_ops sil164_ops = {
24390 .init = sil164_init,
24391 .detect = sil164_detect,
24392 .mode_valid = sil164_mode_valid,
24393 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_tfp410.c
24394 --- linux-2.6.38.1/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-14 21:20:32.000000000 -0400
24395 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/dvo_tfp410.c 2011-03-21 18:31:35.000000000 -0400
24396 @@ -293,7 +293,7 @@ static void tfp410_destroy(struct intel_
24400 -struct intel_dvo_dev_ops tfp410_ops = {
24401 +const struct intel_dvo_dev_ops tfp410_ops = {
24402 .init = tfp410_init,
24403 .detect = tfp410_detect,
24404 .mode_valid = tfp410_mode_valid,
24405 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/i915_dma.c linux-2.6.38.1-new/drivers/gpu/drm/i915/i915_dma.c
24406 --- linux-2.6.38.1/drivers/gpu/drm/i915/i915_dma.c 2011-03-14 21:20:32.000000000 -0400
24407 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/i915_dma.c 2011-03-21 18:31:35.000000000 -0400
24408 @@ -1159,7 +1159,7 @@ static bool i915_switcheroo_can_switch(s
24411 spin_lock(&dev->count_lock);
24412 - can_switch = (dev->open_count == 0);
24413 + can_switch = (local_read(&dev->open_count) == 0);
24414 spin_unlock(&dev->count_lock);
24417 diff -urNp linux-2.6.38.1/drivers/gpu/drm/i915/i915_drv.c linux-2.6.38.1-new/drivers/gpu/drm/i915/i915_drv.c
24418 --- linux-2.6.38.1/drivers/gpu/drm/i915/i915_drv.c 2011-03-14 21:20:32.000000000 -0400
24419 +++ linux-2.6.38.1-new/drivers/gpu/drm/i915/i915_drv.c 2011-03-21 18:31:35.000000000 -0400
24420 @@ -673,7 +673,7 @@ static const struct dev_pm_ops i915_pm_o
24421 .restore = i915_pm_resume,
24424 -static struct vm_operations_struct i915_gem_vm_ops = {
24425 +static const struct vm_operations_struct i915_gem_vm_ops = {
24426 .fault = i915_gem_fault,
24427 .open = drm_gem_vm_open,
24428 .close = drm_gem_vm_close,
24429 diff -urNp linux-2.6.38.1/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.38.1-new/drivers/gpu/drm/nouveau/nouveau_state.c
24430 --- linux-2.6.38.1/drivers/gpu/drm/nouveau/nouveau_state.c 2011-03-14 21:20:32.000000000 -0400
24431 +++ linux-2.6.38.1-new/drivers/gpu/drm/nouveau/nouveau_state.c 2011-03-21 18:31:35.000000000 -0400
24432 @@ -621,7 +621,7 @@ static bool nouveau_switcheroo_can_switc
24435 spin_lock(&dev->count_lock);
24436 - can_switch = (dev->open_count == 0);
24437 + can_switch = (local_read(&dev->open_count) == 0);
24438 spin_unlock(&dev->count_lock);
24441 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.38.1-new/drivers/gpu/drm/radeon/mkregtable.c
24442 --- linux-2.6.38.1/drivers/gpu/drm/radeon/mkregtable.c 2011-03-14 21:20:32.000000000 -0400
24443 +++ linux-2.6.38.1-new/drivers/gpu/drm/radeon/mkregtable.c 2011-03-21 18:31:35.000000000 -0400
24444 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
24446 regmatch_t match[4];
24454 struct offset *offset;
24455 char last_reg_s[10];
24457 + unsigned long last_reg;
24460 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
24461 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.38.1-new/drivers/gpu/drm/radeon/radeon_device.c
24462 --- linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_device.c 2011-03-14 21:20:32.000000000 -0400
24463 +++ linux-2.6.38.1-new/drivers/gpu/drm/radeon/radeon_device.c 2011-03-21 18:31:35.000000000 -0400
24464 @@ -673,7 +673,7 @@ static bool radeon_switcheroo_can_switch
24467 spin_lock(&dev->count_lock);
24468 - can_switch = (dev->open_count == 0);
24469 + can_switch = (local_read(&dev->open_count) == 0);
24470 spin_unlock(&dev->count_lock);
24473 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.38.1-new/drivers/gpu/drm/radeon/radeon_state.c
24474 --- linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_state.c 2011-03-14 21:20:32.000000000 -0400
24475 +++ linux-2.6.38.1-new/drivers/gpu/drm/radeon/radeon_state.c 2011-03-21 18:31:35.000000000 -0400
24476 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
24477 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
24478 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
24480 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24481 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
24482 sarea_priv->nbox * sizeof(depth_boxes[0])))
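Review bot: The `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` test added at 24481 is dead as written, because the two context lines directly above (24477-24478) clamp `nbox` to exactly that maximum — unless `nbox` changes between the reads, which it can if the SAREA is client-mapped shared memory as in the legacy DRM drivers, and in that case neither the clamp nor the new test protects the copy length at 24482, which reads `nbox` a third time. Snapshot it once and use the local everywhere in the function: `int nbox = sarea_priv->nbox; if (nbox > RADEON_NR_SAREA_CLIPRECTS) nbox = RADEON_NR_SAREA_CLIPRECTS;` followed by `DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes, nbox * sizeof(depth_boxes[0]))`. The new condition also lengthens an already long line; its own line would match the surrounding style. radeon_cp_clear's body starts and ends outside this hunk.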
24485 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
24487 drm_radeon_private_t *dev_priv = dev->dev_private;
24488 drm_radeon_getparam_t *param = data;
24492 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
24494 diff -urNp linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.38.1-new/drivers/gpu/drm/radeon/radeon_ttm.c
24495 --- linux-2.6.38.1/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-14 21:20:32.000000000 -0400
24496 +++ linux-2.6.38.1-new/drivers/gpu/drm/radeon/radeon_ttm.c 2011-03-21 18:31:35.000000000 -0400
24497 @@ -603,8 +603,9 @@ void radeon_ttm_set_active_vram_size(str
24498 man->size = size >> PAGE_SHIFT;
24501 -static struct vm_operations_struct radeon_ttm_vm_ops;
24502 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
24503 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
24504 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
24505 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
24507 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24509 @@ -612,17 +613,22 @@ static int radeon_ttm_fault(struct vm_ar
24510 struct radeon_device *rdev;
24513 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
24514 - if (bo == NULL) {
24515 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
24517 return VM_FAULT_NOPAGE;
24519 rdev = radeon_get_rdev(bo->bdev);
24520 mutex_lock(&rdev->vram_mutex);
24521 - r = ttm_vm_ops->fault(vma, vmf);
24522 + r = ttm_bo_vm_fault(vma, vmf);
24523 mutex_unlock(&rdev->vram_mutex);
24527 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
24528 + .fault = radeon_ttm_fault,
24529 + .open = ttm_bo_vm_open,
24530 + .close = ttm_bo_vm_close
24533 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
24535 struct drm_file *file_priv;
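Review bot: The three `extern` prototypes added at 24503-24505 declare another module's exported functions inside radeon_ttm.c rather than in a shared TTM header, so the compiler cannot check them against the definitions that this diff un-statics and exports in ttm_bo_vm.c further down; a signature drift would only show at run time. Move the declarations next to the other ttm_bo_* prototypes in the TTM API header and include that header here. The static `radeon_ttm_vm_ops` table at 24527-24531 also drops the upstream behaviour of copying whatever the TTM layer installed in `vma->vm_ops` (removed at 24551 in the next hunk), so any future TTM vm_ops callback would silently not be wired for radeon — worth a comment on the table such as `/* mirrors ttm_bo_vm_ops with fault wrapped; keep in sync with ttm_bo_vm.c */`.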
24536 @@ -635,18 +641,11 @@ int radeon_mmap(struct file *filp, struc
24538 file_priv = filp->private_data;
24539 rdev = file_priv->minor->dev->dev_private;
24540 - if (rdev == NULL) {
24544 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
24545 - if (unlikely(r != 0)) {
24549 - if (unlikely(ttm_vm_ops == NULL)) {
24550 - ttm_vm_ops = vma->vm_ops;
24551 - radeon_ttm_vm_ops = *ttm_vm_ops;
24552 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
24554 vma->vm_ops = &radeon_ttm_vm_ops;
24557 diff -urNp linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.38.1-new/drivers/gpu/drm/ttm/ttm_bo.c
24558 --- linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-14 21:20:32.000000000 -0400
24559 +++ linux-2.6.38.1-new/drivers/gpu/drm/ttm/ttm_bo.c 2011-03-21 18:31:35.000000000 -0400
24561 #include <asm/atomic.h>
24563 #define TTM_ASSERT_LOCKED(param)
24564 -#define TTM_DEBUG(fmt, arg...)
24565 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
24566 #define TTM_BO_HASH_ORDER 13
24568 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
24569 diff -urNp linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.38.1-new/drivers/gpu/drm/ttm/ttm_bo_vm.c
24570 --- linux-2.6.38.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-14 21:20:32.000000000 -0400
24571 +++ linux-2.6.38.1-new/drivers/gpu/drm/ttm/ttm_bo_vm.c 2011-03-21 18:31:35.000000000 -0400
24572 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
24576 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24577 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
24579 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
24580 vma->vm_private_data;
24581 - struct ttm_bo_device *bdev = bo->bdev;
24582 + struct ttm_bo_device *bdev;
24583 unsigned long page_offset;
24584 unsigned long page_last;
24586 @@ -83,8 +83,12 @@ static int ttm_bo_vm_fault(struct vm_are
24588 unsigned long address = (unsigned long)vmf->virtual_address;
24589 int retval = VM_FAULT_NOPAGE;
24590 - struct ttm_mem_type_manager *man =
24591 - &bdev->man[bo->mem.mem_type];
24592 + struct ttm_mem_type_manager *man;
24595 + return VM_FAULT_NOPAGE;
24597 + man = &bdev->man[bo->mem.mem_type];
24600 * Work around locking order reversal in fault / nopfn
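Review bot: The new NULL-`bo` bail-out (its `if` line appears to have been lost in this rendering, but the `return VM_FAULT_NOPAGE;` it guards is visible) answers with VM_FAULT_NOPAGE, which tells the fault path that the handler installed the PTE itself; with no PTE installed the faulting instruction is simply re-executed, and as far as I can tell the task then spins re-faulting on a mapping whose private data has been cleared (ttm_bo_vm_close sets `vma->vm_private_data = NULL` in a later hunk). A mapping with no buffer object behind it is dead, so `return VM_FAULT_SIGBUS;` is the conventional answer here. The pre-existing radeon_ttm_fault returns VM_FAULT_NOPAGE for the same case, so both sites should be changed together; the rest of ttm_bo_vm_fault lies outside the hunk.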
24601 @@ -219,22 +223,25 @@ out_unlock:
24602 ttm_bo_unreserve(bo);
24605 +EXPORT_SYMBOL(ttm_bo_vm_fault);
24607 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
24608 +void ttm_bo_vm_open(struct vm_area_struct *vma)
24610 struct ttm_buffer_object *bo =
24611 (struct ttm_buffer_object *)vma->vm_private_data;
24613 (void)ttm_bo_reference(bo);
24615 +EXPORT_SYMBOL(ttm_bo_vm_open);
24617 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
24618 +void ttm_bo_vm_close(struct vm_area_struct *vma)
24620 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
24623 vma->vm_private_data = NULL;
24625 +EXPORT_SYMBOL(ttm_bo_vm_close);
24627 static const struct vm_operations_struct ttm_bo_vm_ops = {
24628 .fault = ttm_bo_vm_fault,
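Review bot: Missing declarations: ttm_bo_vm_fault, ttm_bo_vm_open and ttm_bo_vm_close gain external linkage and EXPORT_SYMBOL, yet the only prototypes are the ad-hoc `extern` lines added at the top of radeon_ttm.c, so nothing lets the compiler check that the two files agree on the signatures. Put the three prototypes in the TTM public header that already declares ttm_bo_mmap and include it from radeon_ttm.c instead of re-declaring them. A short kernel-doc on ttm_bo_vm_fault stating that it is meant to be wrapped by a driver fault handler which takes its own lock first (radeon does this with vram_mutex) would document the new contract; its definition begins before this hunk.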
24629 diff -urNp linux-2.6.38.1/drivers/hid/usbhid/hiddev.c linux-2.6.38.1-new/drivers/hid/usbhid/hiddev.c
24630 --- linux-2.6.38.1/drivers/hid/usbhid/hiddev.c 2011-03-14 21:20:32.000000000 -0400
24631 +++ linux-2.6.38.1-new/drivers/hid/usbhid/hiddev.c 2011-03-21 18:31:35.000000000 -0400
24632 @@ -613,7 +613,7 @@ static long hiddev_ioctl(struct file *fi
24635 case HIDIOCAPPLICATION:
24636 - if (arg < 0 || arg >= hid->maxapplication)
24637 + if (arg >= hid->maxapplication)
24640 for (i = 0; i < hid->maxcollection; i++)
24641 diff -urNp linux-2.6.38.1/drivers/hwmon/k8temp.c linux-2.6.38.1-new/drivers/hwmon/k8temp.c
24642 --- linux-2.6.38.1/drivers/hwmon/k8temp.c 2011-03-14 21:20:32.000000000 -0400
24643 +++ linux-2.6.38.1-new/drivers/hwmon/k8temp.c 2011-03-21 18:31:35.000000000 -0400
24644 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
24646 static const struct pci_device_id k8temp_ids[] = {
24647 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
24649 + { 0, 0, 0, 0, 0, 0, 0 },
24652 MODULE_DEVICE_TABLE(pci, k8temp_ids);
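Review bot: Style: `{ 0, 0, 0, 0, 0, 0, 0 }` spells the table terminator out positionally, which ties it to struct pci_device_id having exactly seven members and has to be revisited if a field is ever added. The empty initializer the kernel uses elsewhere, `{ }`, expresses "all zero" without counting fields, and if the intent is to silence a missing-initializer warning a comment saying so would help. The same pattern recurs in the sis5595, via686a, vt8231, i801, piix4, sis630 and sis96x hunks below.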
24653 diff -urNp linux-2.6.38.1/drivers/hwmon/sis5595.c linux-2.6.38.1-new/drivers/hwmon/sis5595.c
24654 --- linux-2.6.38.1/drivers/hwmon/sis5595.c 2011-03-14 21:20:32.000000000 -0400
24655 +++ linux-2.6.38.1-new/drivers/hwmon/sis5595.c 2011-03-21 18:31:35.000000000 -0400
24656 @@ -701,7 +701,7 @@ static struct sis5595_data *sis5595_upda
24658 static const struct pci_device_id sis5595_pci_ids[] = {
24659 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24661 + { 0, 0, 0, 0, 0, 0, 0 }
24664 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
24665 diff -urNp linux-2.6.38.1/drivers/hwmon/via686a.c linux-2.6.38.1-new/drivers/hwmon/via686a.c
24666 --- linux-2.6.38.1/drivers/hwmon/via686a.c 2011-03-14 21:20:32.000000000 -0400
24667 +++ linux-2.6.38.1-new/drivers/hwmon/via686a.c 2011-03-21 18:31:35.000000000 -0400
24668 @@ -779,7 +779,7 @@ static struct via686a_data *via686a_upda
24670 static const struct pci_device_id via686a_pci_ids[] = {
24671 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
24673 + { 0, 0, 0, 0, 0, 0, 0 }
24676 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
24677 diff -urNp linux-2.6.38.1/drivers/hwmon/vt8231.c linux-2.6.38.1-new/drivers/hwmon/vt8231.c
24678 --- linux-2.6.38.1/drivers/hwmon/vt8231.c 2011-03-14 21:20:32.000000000 -0400
24679 +++ linux-2.6.38.1-new/drivers/hwmon/vt8231.c 2011-03-21 18:31:35.000000000 -0400
24680 @@ -701,7 +701,7 @@ static struct platform_driver vt8231_dri
24682 static const struct pci_device_id vt8231_pci_ids[] = {
24683 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
24685 + { 0, 0, 0, 0, 0, 0, 0 }
24688 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
24689 diff -urNp linux-2.6.38.1/drivers/hwmon/w83791d.c linux-2.6.38.1-new/drivers/hwmon/w83791d.c
24690 --- linux-2.6.38.1/drivers/hwmon/w83791d.c 2011-03-14 21:20:32.000000000 -0400
24691 +++ linux-2.6.38.1-new/drivers/hwmon/w83791d.c 2011-03-21 18:31:35.000000000 -0400
24692 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
24693 struct i2c_board_info *info);
24694 static int w83791d_remove(struct i2c_client *client);
24696 -static int w83791d_read(struct i2c_client *client, u8 register);
24697 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
24698 +static int w83791d_read(struct i2c_client *client, u8 reg);
24699 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
24700 static struct w83791d_data *w83791d_update_device(struct device *dev);
24703 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-i801.c linux-2.6.38.1-new/drivers/i2c/busses/i2c-i801.c
24704 --- linux-2.6.38.1/drivers/i2c/busses/i2c-i801.c 2011-03-14 21:20:32.000000000 -0400
24705 +++ linux-2.6.38.1-new/drivers/i2c/busses/i2c-i801.c 2011-03-21 18:31:35.000000000 -0400
24706 @@ -621,7 +621,7 @@ static const struct pci_device_id i801_i
24707 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF0) },
24708 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF1) },
24709 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PATSBURG_SMBUS_IDF2) },
24711 + { 0, 0, 0, 0, 0, 0, 0 }
24714 MODULE_DEVICE_TABLE(pci, i801_ids);
24715 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-piix4.c linux-2.6.38.1-new/drivers/i2c/busses/i2c-piix4.c
24716 --- linux-2.6.38.1/drivers/i2c/busses/i2c-piix4.c 2011-03-14 21:20:32.000000000 -0400
24717 +++ linux-2.6.38.1-new/drivers/i2c/busses/i2c-piix4.c 2011-03-21 18:31:35.000000000 -0400
24718 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
24720 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
24723 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24726 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
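Review bot: Style: the DMI sentinel `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }` hard-codes the member order of struct dmi_system_id, so it breaks silently (or starts warning again) the moment that struct is reordered or extended. A designated form such as `{ .ident = NULL }` — or the kernel's usual empty `{ }` — terminates the table without depending on field positions. The lifebook, synaptics and i8042 hunks further down repeat the same sentinel and would benefit from the same treatment.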
24727 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
24728 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
24729 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
24730 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
24732 + { 0, 0, 0, 0, 0, 0, 0 }
24735 MODULE_DEVICE_TABLE (pci, piix4_ids);
24736 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-sis630.c linux-2.6.38.1-new/drivers/i2c/busses/i2c-sis630.c
24737 --- linux-2.6.38.1/drivers/i2c/busses/i2c-sis630.c 2011-03-14 21:20:32.000000000 -0400
24738 +++ linux-2.6.38.1-new/drivers/i2c/busses/i2c-sis630.c 2011-03-21 18:31:35.000000000 -0400
24739 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
24740 static const struct pci_device_id sis630_ids[] __devinitconst = {
24741 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
24742 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
24744 + { 0, 0, 0, 0, 0, 0, 0 }
24747 MODULE_DEVICE_TABLE (pci, sis630_ids);
24748 diff -urNp linux-2.6.38.1/drivers/i2c/busses/i2c-sis96x.c linux-2.6.38.1-new/drivers/i2c/busses/i2c-sis96x.c
24749 --- linux-2.6.38.1/drivers/i2c/busses/i2c-sis96x.c 2011-03-14 21:20:32.000000000 -0400
24750 +++ linux-2.6.38.1-new/drivers/i2c/busses/i2c-sis96x.c 2011-03-21 18:31:35.000000000 -0400
24751 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
24753 static const struct pci_device_id sis96x_ids[] = {
24754 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
24756 + { 0, 0, 0, 0, 0, 0, 0 }
24759 MODULE_DEVICE_TABLE (pci, sis96x_ids);
24760 diff -urNp linux-2.6.38.1/drivers/ide/ide-cd.c linux-2.6.38.1-new/drivers/ide/ide-cd.c
24761 --- linux-2.6.38.1/drivers/ide/ide-cd.c 2011-03-14 21:20:32.000000000 -0400
24762 +++ linux-2.6.38.1-new/drivers/ide/ide-cd.c 2011-03-21 18:31:35.000000000 -0400
24763 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
24764 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
24765 if ((unsigned long)buf & alignment
24766 || blk_rq_bytes(rq) & q->dma_pad_mask
24767 - || object_is_on_stack(buf))
24768 + || object_starts_on_stack(buf))
24772 diff -urNp linux-2.6.38.1/drivers/infiniband/core/cm.c linux-2.6.38.1-new/drivers/infiniband/core/cm.c
24773 --- linux-2.6.38.1/drivers/infiniband/core/cm.c 2011-03-23 17:20:07.000000000 -0400
24774 +++ linux-2.6.38.1-new/drivers/infiniband/core/cm.c 2011-03-23 17:21:50.000000000 -0400
24775 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
24777 struct cm_counter_group {
24778 struct kobject obj;
24779 - atomic_long_t counter[CM_ATTR_COUNT];
24780 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
24783 struct cm_counter_attribute {
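Review bot: Missing documentation: switching `counter[]` to atomic_long_unchecked_t opts these values out of the PAX_REFCOUNT overflow check, which is only correct because they are statistics — the hunks below only increment or add to them and cm_show_counter reads them back for sysfs; nothing uses them for object lifetime or bounds. State that at the field so nobody later "fixes" it back to the checked type: `atomic_long_unchecked_t counter[CM_ATTR_COUNT]; /* statistics only, never a refcount: overflow checking deliberately off */`.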
24784 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
24785 struct ib_mad_send_buf *msg = NULL;
24788 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24789 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24790 counter[CM_REQ_COUNTER]);
24792 /* Quick state check to discard duplicate REQs. */
24793 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
24797 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24798 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24799 counter[CM_REP_COUNTER]);
24800 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
24802 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
24803 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
24804 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
24805 spin_unlock_irq(&cm_id_priv->lock);
24806 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24807 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24808 counter[CM_RTU_COUNTER]);
24811 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
24812 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
24813 dreq_msg->local_comm_id);
24815 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24816 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24817 counter[CM_DREQ_COUNTER]);
24818 cm_issue_drep(work->port, work->mad_recv_wc);
24820 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
24821 case IB_CM_MRA_REP_RCVD:
24823 case IB_CM_TIMEWAIT:
24824 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24825 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24826 counter[CM_DREQ_COUNTER]);
24827 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
24829 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
24832 case IB_CM_DREQ_RCVD:
24833 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24834 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24835 counter[CM_DREQ_COUNTER]);
24838 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
24839 ib_modify_mad(cm_id_priv->av.port->mad_agent,
24840 cm_id_priv->msg, timeout)) {
24841 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
24842 - atomic_long_inc(&work->port->
24843 + atomic_long_inc_unchecked(&work->port->
24844 counter_group[CM_RECV_DUPLICATES].
24845 counter[CM_MRA_COUNTER]);
24847 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
24849 case IB_CM_MRA_REQ_RCVD:
24850 case IB_CM_MRA_REP_RCVD:
24851 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24852 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24853 counter[CM_MRA_COUNTER]);
24856 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
24857 case IB_CM_LAP_IDLE:
24859 case IB_CM_MRA_LAP_SENT:
24860 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24861 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24862 counter[CM_LAP_COUNTER]);
24863 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
24865 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
24868 case IB_CM_LAP_RCVD:
24869 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24870 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24871 counter[CM_LAP_COUNTER]);
24874 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
24875 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
24876 if (cur_cm_id_priv) {
24877 spin_unlock_irq(&cm.lock);
24878 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
24879 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
24880 counter[CM_SIDR_REQ_COUNTER]);
24881 goto out; /* Duplicate message. */
24883 @@ -3187,10 +3187,10 @@ static void cm_send_handler(struct ib_ma
24884 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
24887 - atomic_long_add(1 + msg->retries,
24888 + atomic_long_add_unchecked(1 + msg->retries,
24889 &port->counter_group[CM_XMIT].counter[attr_index]);
24891 - atomic_long_add(msg->retries,
24892 + atomic_long_add_unchecked(msg->retries,
24893 &port->counter_group[CM_XMIT_RETRIES].
24894 counter[attr_index]);
24896 @@ -3400,7 +3400,7 @@ static void cm_recv_handler(struct ib_ma
24899 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
24900 - atomic_long_inc(&port->counter_group[CM_RECV].
24901 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
24902 counter[attr_id - CM_ATTR_ID_OFFSET]);
24904 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
24905 @@ -3598,7 +3598,7 @@ static ssize_t cm_show_counter(struct ko
24906 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
24908 return sprintf(buf, "%ld\n",
24909 - atomic_long_read(&group->counter[cm_attr->index]));
24910 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
24913 static const struct sysfs_ops cm_counter_ops = {
24914 diff -urNp linux-2.6.38.1/drivers/infiniband/hw/qib/qib.h linux-2.6.38.1-new/drivers/infiniband/hw/qib/qib.h
24915 --- linux-2.6.38.1/drivers/infiniband/hw/qib/qib.h 2011-03-14 21:20:32.000000000 -0400
24916 +++ linux-2.6.38.1-new/drivers/infiniband/hw/qib/qib.h 2011-03-21 18:31:35.000000000 -0400
24918 #include <linux/completion.h>
24919 #include <linux/kref.h>
24920 #include <linux/sched.h>
24921 +#include <linux/slab.h>
24923 #include "qib_common.h"
24924 #include "qib_verbs.h"
24925 diff -urNp linux-2.6.38.1/drivers/input/keyboard/atkbd.c linux-2.6.38.1-new/drivers/input/keyboard/atkbd.c
24926 --- linux-2.6.38.1/drivers/input/keyboard/atkbd.c 2011-03-14 21:20:32.000000000 -0400
24927 +++ linux-2.6.38.1-new/drivers/input/keyboard/atkbd.c 2011-03-21 18:31:35.000000000 -0400
24928 @@ -1250,7 +1250,7 @@ static struct serio_device_id atkbd_seri
24930 .extra = SERIO_ANY,
24936 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
24937 diff -urNp linux-2.6.38.1/drivers/input/mouse/lifebook.c linux-2.6.38.1-new/drivers/input/mouse/lifebook.c
24938 --- linux-2.6.38.1/drivers/input/mouse/lifebook.c 2011-03-14 21:20:32.000000000 -0400
24939 +++ linux-2.6.38.1-new/drivers/input/mouse/lifebook.c 2011-03-21 18:31:35.000000000 -0400
24940 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
24941 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
24945 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
24948 void __init lifebook_module_init(void)
24949 diff -urNp linux-2.6.38.1/drivers/input/mouse/psmouse-base.c linux-2.6.38.1-new/drivers/input/mouse/psmouse-base.c
24950 --- linux-2.6.38.1/drivers/input/mouse/psmouse-base.c 2011-03-14 21:20:32.000000000 -0400
24951 +++ linux-2.6.38.1-new/drivers/input/mouse/psmouse-base.c 2011-03-21 18:31:35.000000000 -0400
24952 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
24954 .extra = SERIO_ANY,
24960 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
24961 diff -urNp linux-2.6.38.1/drivers/input/mouse/synaptics.c linux-2.6.38.1-new/drivers/input/mouse/synaptics.c
24962 --- linux-2.6.38.1/drivers/input/mouse/synaptics.c 2011-03-14 21:20:32.000000000 -0400
24963 +++ linux-2.6.38.1-new/drivers/input/mouse/synaptics.c 2011-03-21 18:31:35.000000000 -0400
24964 @@ -559,7 +559,7 @@ static void synaptics_process_packet(str
24967 if (SYN_MODEL_PEN(priv->model_id))
24968 - ; /* Nothing, treat a pen as a single finger */
24969 + break; /* Nothing, treat a pen as a single finger */
24972 if (SYN_CAP_PALMDETECT(priv->capabilities))
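Review bot: Style: replacing the empty statement with `break;` is observably a no-op only if the statement after the `if` (outside the hunk) is the case's own `break;`, as it is in mainline; either way the `SYN_MODEL_PEN` test now decides nothing. Clearer to drop the conditional and keep only the explanation on the label: `case 2: /* pen: nothing to do, treat it as a single finger */ break;`. The enclosing switch in synaptics_process_packet starts and ends outside the hunk.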
24973 @@ -825,7 +825,6 @@ static const struct dmi_system_id __init
24974 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
24975 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
24980 /* Toshiba Portege M300 */
24981 @@ -834,9 +833,8 @@ static const struct dmi_system_id __init
24982 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
24983 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
24988 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
24992 diff -urNp linux-2.6.38.1/drivers/input/mousedev.c linux-2.6.38.1-new/drivers/input/mousedev.c
24993 --- linux-2.6.38.1/drivers/input/mousedev.c 2011-03-14 21:20:32.000000000 -0400
24994 +++ linux-2.6.38.1-new/drivers/input/mousedev.c 2011-03-21 18:31:35.000000000 -0400
24995 @@ -764,7 +764,7 @@ static ssize_t mousedev_read(struct file
24997 spin_unlock_irq(&client->packet_lock);
24999 - if (copy_to_user(buffer, data, count))
25000 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
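Review bot: The new `count > sizeof(data)` guard sits after the point where, if mousedev_read matches mainline, `count` bytes have already been memcpy'd into the on-stack `data[]` (earlier in the function, outside the hunk), so should `count` ever exceed sizeof(data) the stack buffer would be overrun before this check fires. As far as I can tell `count` is clamped to `client->buffer`, itself bounded by the size of `client->ps2` from which `data` is sized, so the guard is currently unreachable; if it is meant as defence in depth it belongs at the clamp, e.g. `if (count > sizeof(data)) count = sizeof(data);` next to the existing `if (count > client->buffer) count = client->buffer;`, with a comment noting that `data` is sized from `client->ps2`.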
25004 @@ -1067,7 +1067,7 @@ static struct input_handler mousedev_han
25006 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25007 static struct miscdevice psaux_mouse = {
25008 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25009 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25011 static int psaux_registered;
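Review bot: Style: appending `{NULL, NULL}, NULL, NULL` positionally binds this initializer to the exact member order of struct miscdevice after `fops` and will need editing whenever that struct changes (it also leaves any trailing members unlisted, so the warning it presumably silences can come back). Designated initializers say the same thing without the dependency: `.minor = PSMOUSE_MINOR, .name = "psaux", .fops = &mousedev_fops,`.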
25013 diff -urNp linux-2.6.38.1/drivers/input/serio/i8042-x86ia64io.h linux-2.6.38.1-new/drivers/input/serio/i8042-x86ia64io.h
25014 --- linux-2.6.38.1/drivers/input/serio/i8042-x86ia64io.h 2011-03-14 21:20:32.000000000 -0400
25015 +++ linux-2.6.38.1-new/drivers/input/serio/i8042-x86ia64io.h 2011-03-21 18:31:35.000000000 -0400
25016 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25017 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25021 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25025 @@ -431,7 +431,7 @@ static const struct dmi_system_id __init
25026 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro V13"),
25030 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25033 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
25034 @@ -505,7 +505,7 @@ static const struct dmi_system_id __init
25035 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
25039 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25043 @@ -524,7 +524,7 @@ static const struct dmi_system_id __init
25044 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
25048 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25051 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
25052 @@ -548,7 +548,7 @@ static const struct dmi_system_id __init
25053 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
25057 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25061 @@ -640,7 +640,7 @@ static const struct dmi_system_id __init
25062 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
25066 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25069 #endif /* CONFIG_X86 */
25070 diff -urNp linux-2.6.38.1/drivers/input/serio/serio_raw.c linux-2.6.38.1-new/drivers/input/serio/serio_raw.c
25071 --- linux-2.6.38.1/drivers/input/serio/serio_raw.c 2011-03-14 21:20:32.000000000 -0400
25072 +++ linux-2.6.38.1-new/drivers/input/serio/serio_raw.c 2011-03-21 18:31:35.000000000 -0400
25073 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
25075 .extra = SERIO_ANY,
25081 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
25082 diff -urNp linux-2.6.38.1/drivers/isdn/gigaset/common.c linux-2.6.38.1-new/drivers/isdn/gigaset/common.c
25083 --- linux-2.6.38.1/drivers/isdn/gigaset/common.c 2011-03-14 21:20:32.000000000 -0400
25084 +++ linux-2.6.38.1-new/drivers/isdn/gigaset/common.c 2011-03-21 18:31:35.000000000 -0400
25085 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
25086 cs->commands_pending = 0;
25087 cs->cur_at_seq = 0;
25089 - cs->open_count = 0;
25090 + local_set(&cs->open_count, 0);
25093 cs->tty_dev = NULL;
25094 diff -urNp linux-2.6.38.1/drivers/isdn/gigaset/gigaset.h linux-2.6.38.1-new/drivers/isdn/gigaset/gigaset.h
25095 --- linux-2.6.38.1/drivers/isdn/gigaset/gigaset.h 2011-03-14 21:20:32.000000000 -0400
25096 +++ linux-2.6.38.1-new/drivers/isdn/gigaset/gigaset.h 2011-03-21 18:31:35.000000000 -0400
25098 #include <linux/tty_driver.h>
25099 #include <linux/list.h>
25100 #include <asm/atomic.h>
25101 +#include <asm/local.h>
25103 #define GIG_VERSION {0, 5, 0, 0}
25104 #define GIG_COMPAT {0, 4, 0, 0}
25105 @@ -433,7 +434,7 @@ struct cardstate {
25106 spinlock_t cmdlock;
25107 unsigned curlen, cmdbytes;
25109 - unsigned open_count;
25110 + local_t open_count;
25111 struct tty_struct *tty;
25112 struct tasklet_struct if_wake_tasklet;
25113 unsigned control_state;
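Review bot: Missing documentation: local_t operations are atomic only with respect to the CPU executing them (they exist for per-CPU data), so the `local_inc_return`/`local_dec_return` in if_open/if_close give no cross-CPU atomicity for concurrent opens of the same device; the conversion is sound only because those updates appear to run under `cs->mutex` (the `return -ERESTARTSYS` just above the increment in if_open looks like the mutex_lock_interruptible failure path, though the lock call itself is outside that hunk). That invariant should be stated on the field so nobody later treats the counter as lock-free: `local_t open_count; /* updated only under cs->mutex; local_t is not SMP-atomic, local_read() callers see a snapshot */`.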
25114 diff -urNp linux-2.6.38.1/drivers/isdn/gigaset/interface.c linux-2.6.38.1-new/drivers/isdn/gigaset/interface.c
25115 --- linux-2.6.38.1/drivers/isdn/gigaset/interface.c 2011-03-14 21:20:32.000000000 -0400
25116 +++ linux-2.6.38.1-new/drivers/isdn/gigaset/interface.c 2011-03-21 18:31:35.000000000 -0400
25117 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
25118 return -ERESTARTSYS;
25119 tty->driver_data = cs;
25121 - ++cs->open_count;
25123 - if (cs->open_count == 1) {
25124 + if (local_inc_return(&cs->open_count) == 1) {
25125 spin_lock_irqsave(&cs->lock, flags);
25127 spin_unlock_irqrestore(&cs->lock, flags);
25128 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
25130 if (!cs->connected)
25131 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25132 - else if (!cs->open_count)
25133 + else if (!local_read(&cs->open_count))
25134 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25136 - if (!--cs->open_count) {
25137 + if (!local_dec_return(&cs->open_count)) {
25138 spin_lock_irqsave(&cs->lock, flags);
25140 spin_unlock_irqrestore(&cs->lock, flags);
25141 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
25142 if (!cs->connected) {
25143 gig_dbg(DEBUG_IF, "not connected");
25145 - } else if (!cs->open_count)
25146 + } else if (!local_read(&cs->open_count))
25147 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25150 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
25154 - if (!cs->open_count) {
25155 + if (!local_read(&cs->open_count)) {
25156 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25159 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
25160 if (!cs->connected) {
25161 gig_dbg(DEBUG_IF, "not connected");
25163 - } else if (!cs->open_count)
25164 + } else if (!local_read(&cs->open_count))
25165 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25166 else if (cs->mstate != MS_LOCKED) {
25167 dev_warn(cs->dev, "can't write to unlocked device\n");
25168 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
25170 if (!cs->connected)
25171 gig_dbg(DEBUG_IF, "not connected");
25172 - else if (!cs->open_count)
25173 + else if (!local_read(&cs->open_count))
25174 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25175 else if (cs->mstate != MS_LOCKED)
25176 dev_warn(cs->dev, "can't write to unlocked device\n");
25177 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
25179 if (!cs->connected)
25180 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25181 - else if (!cs->open_count)
25182 + else if (!local_read(&cs->open_count))
25183 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25185 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25186 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
25188 if (!cs->connected)
25189 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
25190 - else if (!cs->open_count)
25191 + else if (!local_read(&cs->open_count))
25192 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25194 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
25195 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
25199 - if (!cs->open_count) {
25200 + if (!local_read(&cs->open_count)) {
25201 dev_warn(cs->dev, "%s: device not opened\n", __func__);
25204 diff -urNp linux-2.6.38.1/drivers/isdn/hardware/avm/b1.c linux-2.6.38.1-new/drivers/isdn/hardware/avm/b1.c
25205 --- linux-2.6.38.1/drivers/isdn/hardware/avm/b1.c 2011-03-14 21:20:32.000000000 -0400
25206 +++ linux-2.6.38.1-new/drivers/isdn/hardware/avm/b1.c 2011-03-21 18:31:35.000000000 -0400
25207 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
25210 if (t4file->user) {
25211 - if (copy_from_user(buf, dp, left))
25212 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25215 memcpy(buf, dp, left);
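Review bot: The new `left > sizeof buf` bound covers only the copy_from_user branch; the kernel-memory `memcpy(buf, dp, left)` in the else branch uses the same `left` unguarded, so if the bound is needed at all it is needed for both. Hoist it above the `if (t4file->user)` test as `if (left > sizeof buf) return -EINVAL;` — an oversized length is a caller error rather than a bad user pointer, so -EFAULT is the wrong errno for it. If `left` is an `int` as in mainline (its declaration is outside the hunk) the comparison is performed unsigned and a negative `left` is rejected too, which is desirable but deserves a comment. The same remarks apply to b1_load_config below and to icn_writecmd.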
25216 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
25219 if (config->user) {
25220 - if (copy_from_user(buf, dp, left))
25221 + if (left > sizeof buf || copy_from_user(buf, dp, left))
25224 memcpy(buf, dp, left);
25225 diff -urNp linux-2.6.38.1/drivers/isdn/icn/icn.c linux-2.6.38.1-new/drivers/isdn/icn/icn.c
25226 --- linux-2.6.38.1/drivers/isdn/icn/icn.c 2011-03-14 21:20:32.000000000 -0400
25227 +++ linux-2.6.38.1-new/drivers/isdn/icn/icn.c 2011-03-21 18:31:35.000000000 -0400
25228 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
25232 - if (copy_from_user(msg, buf, count))
25233 + if (count > sizeof msg || copy_from_user(msg, buf, count))
25236 memcpy(msg, buf, count);
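Review bot: The `count > sizeof msg` check protects only the copy_from_user path while the `memcpy(msg, buf, count)` in the else branch copies the same `count` bytes into the same buffer unchecked, so the bound should be tested once before the user/kernel branch, e.g. `if (count > sizeof msg) return -EINVAL;`. The surrounding loop in icn_writecmd, which may already clamp `count`, is outside the hunk, so this may be purely defensive — but then it should be defensive on both paths.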
25237 diff -urNp linux-2.6.38.1/drivers/leds/leds-lp5521.c linux-2.6.38.1-new/drivers/leds/leds-lp5521.c
25238 --- linux-2.6.38.1/drivers/leds/leds-lp5521.c 2011-03-14 21:20:32.000000000 -0400
25239 +++ linux-2.6.38.1-new/drivers/leds/leds-lp5521.c 2011-03-21 18:31:35.000000000 -0400
25240 @@ -534,7 +534,7 @@ static ssize_t lp5521_selftest(struct de
25243 /* led class device attributes */
25244 -static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current);
25245 +static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current);
25246 static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL);
25248 static struct attribute *lp5521_led_attributes[] = {
25249 @@ -548,15 +548,15 @@ static struct attribute_group lp5521_led
25252 /* device attributes */
25253 -static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO,
25254 +static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR,
25255 show_engine1_mode, store_engine1_mode);
25256 -static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO,
25257 +static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR,
25258 show_engine2_mode, store_engine2_mode);
25259 -static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO,
25260 +static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR,
25261 show_engine3_mode, store_engine3_mode);
25262 -static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load);
25263 -static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load);
25264 -static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load);
25265 +static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load);
25266 +static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load);
25267 +static DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load);
25268 static DEVICE_ATTR(selftest, S_IRUGO, lp5521_selftest, NULL);
25270 static struct attribute *lp5521_attributes[] = {
25271 diff -urNp linux-2.6.38.1/drivers/leds/leds-lp5523.c linux-2.6.38.1-new/drivers/leds/leds-lp5523.c
25272 --- linux-2.6.38.1/drivers/leds/leds-lp5523.c 2011-03-14 21:20:32.000000000 -0400
25273 +++ linux-2.6.38.1-new/drivers/leds/leds-lp5523.c 2011-03-21 18:31:35.000000000 -0400
25274 @@ -713,7 +713,7 @@ static ssize_t store_current(struct devi
25277 /* led class device attributes */
25278 -static DEVICE_ATTR(led_current, S_IRUGO | S_IWUGO, show_current, store_current);
25279 +static DEVICE_ATTR(led_current, S_IRUGO | S_IWUSR, show_current, store_current);
25280 static DEVICE_ATTR(max_current, S_IRUGO , show_max_current, NULL);
25282 static struct attribute *lp5523_led_attributes[] = {
25283 @@ -727,21 +727,21 @@ static struct attribute_group lp5523_led
25286 /* device attributes */
25287 -static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUGO,
25288 +static DEVICE_ATTR(engine1_mode, S_IRUGO | S_IWUSR,
25289 show_engine1_mode, store_engine1_mode);
25290 -static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUGO,
25291 +static DEVICE_ATTR(engine2_mode, S_IRUGO | S_IWUSR,
25292 show_engine2_mode, store_engine2_mode);
25293 -static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUGO,
25294 +static DEVICE_ATTR(engine3_mode, S_IRUGO | S_IWUSR,
25295 show_engine3_mode, store_engine3_mode);
25296 -static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUGO,
25297 +static DEVICE_ATTR(engine1_leds, S_IRUGO | S_IWUSR,
25298 show_engine1_leds, store_engine1_leds);
25299 -static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUGO,
25300 +static DEVICE_ATTR(engine2_leds, S_IRUGO | S_IWUSR,
25301 show_engine2_leds, store_engine2_leds);
25302 -static DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUGO,
25303 +static DEVICE_ATTR(engine3_leds, S_IRUGO | S_IWUSR,
25304 show_engine3_leds, store_engine3_leds);
25305 -static DEVICE_ATTR(engine1_load, S_IWUGO, NULL, store_engine1_load);
25306 -static DEVICE_ATTR(engine2_load, S_IWUGO, NULL, store_engine2_load);
25307 -static DEVICE_ATTR(engine3_load, S_IWUGO, NULL, store_engine3_load);
25308 +static DEVICE_ATTR(engine1_load, S_IWUSR, NULL, store_engine1_load);
25309 +static DEVICE_ATTR(engine2_load, S_IWUSR, NULL, store_engine2_load);
25310 +static DEVICE_ATTR(engine3_load, S_IWUSR, NULL, store_engine3_load);
25311 static DEVICE_ATTR(selftest, S_IRUGO, lp5523_selftest, NULL);
25313 static struct attribute *lp5523_attributes[] = {
25314 diff -urNp linux-2.6.38.1/drivers/lguest/core.c linux-2.6.38.1-new/drivers/lguest/core.c
25315 --- linux-2.6.38.1/drivers/lguest/core.c 2011-03-14 21:20:32.000000000 -0400
25316 +++ linux-2.6.38.1-new/drivers/lguest/core.c 2011-03-21 18:31:35.000000000 -0400
25317 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
25318 * it's worked so far. The end address needs +1 because __get_vm_area
25319 * allocates an extra guard page, so we need space for that.
25322 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
25323 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25324 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
25325 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25327 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
25328 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
25329 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
25332 if (!switcher_vma) {
25334 printk("lguest: could not map switcher pages high\n");
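Review bot: Style: the `#if`/`#else` duplicates the entire three-line `__get_vm_area()` call just to add one flag, so the size and address-range arguments now live in two places that can drift apart (the `#else`/`#endif` lines seem to have been lost in this rendering). Computing the flags once keeps a single call site; the `flags` declaration would go at the top of map_switcher, which starts before the hunk.
```c
	/* … unchanged: comment explaining the +1 guard page … */
	unsigned long vm_flags = VM_ALLOC;
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	vm_flags |= VM_KERNEXEC;	/* switcher text must be executable under KERNEXEC */
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* … unchanged: NULL check and error path … */
```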
25335 @@ -119,7 +127,7 @@ static __init int map_switcher(void)
25336 * Now the Switcher is mapped at the right address, we can't fail!
25337 * Copy in the compiled-in Switcher code (from <arch>_switcher.S).
25339 - memcpy(switcher_vma->addr, start_switcher_text,
25340 + memcpy(switcher_vma->addr, ktla_ktva(start_switcher_text),
25341 end_switcher_text - start_switcher_text);
25343 printk(KERN_INFO "lguest: mapped switcher at %p\n",
25344 diff -urNp linux-2.6.38.1/drivers/lguest/x86/core.c linux-2.6.38.1-new/drivers/lguest/x86/core.c
25345 --- linux-2.6.38.1/drivers/lguest/x86/core.c 2011-03-14 21:20:32.000000000 -0400
25346 +++ linux-2.6.38.1-new/drivers/lguest/x86/core.c 2011-03-21 18:31:35.000000000 -0400
25347 @@ -59,7 +59,7 @@ static struct {
25348 /* Offset from where switcher.S was compiled to where we've copied it */
25349 static unsigned long switcher_offset(void)
25351 - return SWITCHER_ADDR - (unsigned long)start_switcher_text;
25352 + return SWITCHER_ADDR - (unsigned long)ktla_ktva(start_switcher_text);
25355 /* This cpu's struct lguest_pages. */
25356 @@ -100,7 +100,13 @@ static void copy_in_guest_info(struct lg
25357 * These copies are pretty cheap, so we do them unconditionally: */
25358 /* Save the current Host top-level page directory.
25361 +#ifdef CONFIG_PAX_PER_CPU_PGD
25362 + pages->state.host_cr3 = read_cr3();
25364 pages->state.host_cr3 = __pa(current->mm->pgd);
25368 * Set up the Guest's page tables to see this CPU's pages (and no
25369 * other CPU's pages).
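Review bot: The `CONFIG_PAX_PER_CPU_PGD` branch at the new `pages->state.host_cr3 = read_cr3();` is not explained, and the surrounding comment still describes saving "the current Host top-level page directory" as if `__pa(current->mm->pgd)` were the only source. Presumably with per-CPU page directories the value loaded in CR3 is no longer `current->mm->pgd`, so a comment such as `/* with per-CPU PGDs the active host PGD is not current->mm->pgd; take the live CR3 */` would record that. copy_in_guest_info() continues outside the hunk.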
25370 @@ -547,7 +553,7 @@ void __init lguest_arch_host_init(void)
25371 * compiled-in switcher code and the high-mapped copy we just made.
25373 for (i = 0; i < IDT_ENTRIES; i++)
25374 - default_idt_entries[i] += switcher_offset();
25375 + default_idt_entries[i] = ktla_ktva(default_idt_entries[i]) + switcher_offset();
25378 * Set up the Switcher's per-cpu areas.
25379 @@ -630,7 +636,7 @@ void __init lguest_arch_host_init(void)
25380 * it will be undisturbed when we switch. To change %cs and jump we
25381 * need this structure to feed to Intel's "lcall" instruction.
25383 - lguest_entry.offset = (long)switch_to_guest + switcher_offset();
25384 + lguest_entry.offset = (long)ktla_ktva(switch_to_guest) + switcher_offset();
25385 lguest_entry.segment = LGUEST_CS;
25388 diff -urNp linux-2.6.38.1/drivers/lguest/x86/switcher_32.S linux-2.6.38.1-new/drivers/lguest/x86/switcher_32.S
25389 --- linux-2.6.38.1/drivers/lguest/x86/switcher_32.S 2011-03-14 21:20:32.000000000 -0400
25390 +++ linux-2.6.38.1-new/drivers/lguest/x86/switcher_32.S 2011-03-21 18:31:35.000000000 -0400
25392 #include <asm/page.h>
25393 #include <asm/segment.h>
25394 #include <asm/lguest.h>
25395 +#include <asm/processor-flags.h>
25397 // We mark the start of the code to copy
25398 // It's placed in .text tho it's never run here
25399 @@ -149,6 +150,13 @@ ENTRY(switch_to_guest)
25400 // Changes type when we load it: damn Intel!
25401 // For after we switch over our page tables
25402 // That entry will be read-only: we'd crash.
25404 +#ifdef CONFIG_PAX_KERNEXEC
25406 + xor $X86_CR0_WP, %edx
25410 movl $(GDT_ENTRY_TSS*8), %edx
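Review bot: The `xor $X86_CR0_WP, %edx` toggles WP rather than clearing it, so it is only correct if WP is known to be set on entry to switch_to_guest; if it were already clear the toggle would set it and the following `ltr` would fault on the read-only GDT the comment above warns about. The same toggle is used in reverse in the later hunk at `xor $X86_CR0_WP, %eax`, and the two must always execute as a pair. A comment such as `// WP is set on entry under KERNEXEC; toggle it off here and back on after the host GDT fix-up` on this hunk would make the invariant explicit; the surrounding `mov %cr0` lines seem to have been dropped from this listing. switch_to_guest continues outside the hunk.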
25413 @@ -157,9 +165,15 @@ ENTRY(switch_to_guest)
25414 // Let's clear it again for our return.
25415 // The GDT descriptor of the Host
25416 // Points to the table after two "size" bytes
25417 - movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx
25418 + movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %eax
25419 // Clear "used" from type field (byte 5, bit 2)
25420 - andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%edx)
25421 + andb $0xFD, (GDT_ENTRY_TSS*8 + 5)(%eax)
25423 +#ifdef CONFIG_PAX_KERNEXEC
25425 + xor $X86_CR0_WP, %eax
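Review bot: Changing `movl (LGUEST_PAGES_host_gdt_desc+2)(%eax), %edx` to load into `%eax` overwrites the lguest_pages pointer that `%eax` carried up to this point, and the CR0 toggle below then clobbers `%eax` again; nothing in the hunk states that `%eax` is dead from here on. If the remaining lines of switch_to_guest (outside the hunk) no longer index off `%eax`, a comment such as `// %eax is free from here: the pages pointer is no longer needed` would document that; if they do, the register choice is a bug. The reason for moving from `%edx` to `%eax` is also not stated.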
25429 // Once our page table's switched, the Guest is live!
25430 // The Host fades as we run this final step.
25431 @@ -295,13 +309,12 @@ deliver_to_host:
25432 // I consulted gcc, and it gave
25433 // These instructions, which I gladly credit:
25434 leal (%edx,%ebx,8), %eax
25435 - movzwl (%eax),%edx
25436 - movl 4(%eax), %eax
25439 + movl 4(%eax), %edx
25441 // Now the address of the handler's in %edx
25442 // We call it now: its "iret" drops us home.
25444 + ljmp $__KERNEL_CS, $1f
25447 // Every interrupt can come to us here
25448 // But we must truly tell each apart.
25449 diff -urNp linux-2.6.38.1/drivers/md/bitmap.c linux-2.6.38.1-new/drivers/md/bitmap.c
25450 --- linux-2.6.38.1/drivers/md/bitmap.c 2011-03-14 21:20:32.000000000 -0400
25451 +++ linux-2.6.38.1-new/drivers/md/bitmap.c 2011-03-21 18:31:35.000000000 -0400
25454 # define PRINTK(x...) printk(KERN_DEBUG x)
25456 -# define PRINTK(x...)
25457 +# define PRINTK(x...) do {} while (0)
25461 diff -urNp linux-2.6.38.1/drivers/md/dm-ioctl.c linux-2.6.38.1-new/drivers/md/dm-ioctl.c
25462 --- linux-2.6.38.1/drivers/md/dm-ioctl.c 2011-03-14 21:20:32.000000000 -0400
25463 +++ linux-2.6.38.1-new/drivers/md/dm-ioctl.c 2011-03-21 18:31:35.000000000 -0400
25464 @@ -1541,7 +1541,7 @@ static int validate_params(uint cmd, str
25465 cmd == DM_LIST_VERSIONS_CMD)
25468 - if ((cmd == DM_DEV_CREATE_CMD)) {
25469 + if (cmd == DM_DEV_CREATE_CMD) {
25470 if (!*param->name) {
25471 DMWARN("name not supplied when creating device");
25473 diff -urNp linux-2.6.38.1/drivers/md/dm-table.c linux-2.6.38.1-new/drivers/md/dm-table.c
25474 --- linux-2.6.38.1/drivers/md/dm-table.c 2011-03-14 21:20:32.000000000 -0400
25475 +++ linux-2.6.38.1-new/drivers/md/dm-table.c 2011-03-21 18:31:35.000000000 -0400
25476 @@ -372,7 +372,7 @@ static int device_area_is_invalid(struct
25480 - if ((start >= dev_size) || (start + len > dev_size)) {
25481 + if ((start >= dev_size) || (len > dev_size - start)) {
25482 DMWARN("%s: %s too small for target: "
25483 "start=%llu, len=%llu, dev_size=%llu",
25484 dm_device_name(ti->table->md), bdevname(bdev, b),
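Review bot: The rewritten condition `(len > dev_size - start)` is only safe because `(start >= dev_size)` is evaluated first and short-circuits, which nothing in the line records; a later reorder would reintroduce an underflow. Since the change exists to stop `start + len` from wrapping past `dev_size` when the table parameters are large, a comment such as `/* start < dev_size here, so the subtraction cannot underflow and start + len cannot wrap past the check */` should sit above the `if`. device_area_is_invalid() starts and ends outside the hunk.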
25485 diff -urNp linux-2.6.38.1/drivers/md/md.c linux-2.6.38.1-new/drivers/md/md.c
25486 --- linux-2.6.38.1/drivers/md/md.c 2011-03-14 21:20:32.000000000 -0400
25487 +++ linux-2.6.38.1-new/drivers/md/md.c 2011-03-21 18:31:35.000000000 -0400
25488 @@ -1889,7 +1889,7 @@ static int bind_rdev_to_array(mdk_rdev_t
25490 ko = &part_to_dev(rdev->bdev->bd_part)->kobj;
25491 if (sysfs_create_link(&rdev->kobj, ko, "block"))
25492 - /* failure here is OK */;
25493 + /* failure here is OK */{}
25494 rdev->sysfs_state = sysfs_get_dirent_safe(rdev->kobj.sd, "state");
25496 list_add_rcu(&rdev->same_set, &mddev->disks);
25497 @@ -2499,7 +2499,7 @@ slot_store(mdk_rdev_t *rdev, const char
25498 sysfs_notify_dirent_safe(rdev->sysfs_state);
25499 sprintf(nm, "rd%d", rdev->raid_disk);
25500 if (sysfs_create_link(&rdev->mddev->kobj, &rdev->kobj, nm))
25501 - /* failure here is OK */;
25502 + /* failure here is OK */{}
25503 /* don't wakeup anyone, leave that to userspace. */
25505 if (slot >= rdev->mddev->raid_disks &&
25506 @@ -4594,7 +4594,7 @@ int md_run(mddev_t *mddev)
25508 sprintf(nm, "rd%d", rdev->raid_disk);
25509 if (sysfs_create_link(&mddev->kobj, &rdev->kobj, nm))
25510 - /* failure here is OK */;
25511 + /* failure here is OK */{}
25514 set_bit(MD_RECOVERY_NEEDED, &mddev->recovery);
25515 @@ -6462,7 +6462,7 @@ static int md_seq_show(struct seq_file *
25516 chunk_kb ? "KB" : "B");
25517 if (bitmap->file) {
25518 seq_printf(seq, ", file: ");
25519 - seq_path(seq, &bitmap->file->f_path, " \t\n");
25520 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
25523 seq_printf(seq, "\n");
25524 @@ -6556,7 +6556,7 @@ static int is_mddev_idle(mddev_t *mddev,
25525 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
25526 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
25527 (int)part_stat_read(&disk->part0, sectors[1]) -
25528 - atomic_read(&disk->sync_io);
25529 + atomic_read_unchecked(&disk->sync_io);
25530 /* sync IO will cause sync_io to increase before the disk_stats
25531 * as sync_io is counted when a request starts, and
25532 * disk_stats is counted when it completes.
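Review bot: The switch to `atomic_read_unchecked(&disk->sync_io)` opts this counter out of whatever overflow checking the checked atomic variants carry in this tree, which reads as deliberate for a statistics value, but nothing here explains the choice. The matching `atomic_add_unchecked` in the md.h hunk (md_sync_acct) and the `_unchecked` conversions in the sgi-gru gruhandles.c and gruprocfs.c hunks follow the same pattern and would benefit from one comment at the field declaration, e.g. `/* statistics only; wrap-around is harmless, so unchecked */`. is_mddev_idle() continues outside the hunk.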
25533 @@ -7070,7 +7070,7 @@ static int remove_and_add_spares(mddev_t
25534 sprintf(nm, "rd%d", rdev->raid_disk);
25535 if (sysfs_create_link(&mddev->kobj,
25537 - /* failure here is OK */;
25538 + /* failure here is OK */{}
25540 md_new_event(mddev);
25541 set_bit(MD_CHANGE_DEVS, &mddev->flags);
25542 diff -urNp linux-2.6.38.1/drivers/md/md.h linux-2.6.38.1-new/drivers/md/md.h
25543 --- linux-2.6.38.1/drivers/md/md.h 2011-03-14 21:20:32.000000000 -0400
25544 +++ linux-2.6.38.1-new/drivers/md/md.h 2011-03-21 18:31:35.000000000 -0400
25545 @@ -360,7 +360,7 @@ static inline void rdev_dec_pending(mdk_
25547 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
25549 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25550 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
25553 struct mdk_personality
25554 diff -urNp linux-2.6.38.1/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.38.1-new/drivers/media/dvb/dvb-core/dvbdev.c
25555 --- linux-2.6.38.1/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-14 21:20:32.000000000 -0400
25556 +++ linux-2.6.38.1-new/drivers/media/dvb/dvb-core/dvbdev.c 2011-03-21 18:31:35.000000000 -0400
25557 @@ -192,7 +192,7 @@ int dvb_register_device(struct dvb_adapt
25558 const struct dvb_device *template, void *priv, int type)
25560 struct dvb_device *dvbdev;
25561 - struct file_operations *dvbdevfops;
25562 + struct file_operations *dvbdevfops; /* cannot be const, see this function */
25563 struct device *clsdev;
25566 diff -urNp linux-2.6.38.1/drivers/media/radio/radio-cadet.c linux-2.6.38.1-new/drivers/media/radio/radio-cadet.c
25567 --- linux-2.6.38.1/drivers/media/radio/radio-cadet.c 2011-03-14 21:20:32.000000000 -0400
25568 +++ linux-2.6.38.1-new/drivers/media/radio/radio-cadet.c 2011-03-21 18:31:35.000000000 -0400
25569 @@ -349,7 +349,7 @@ static ssize_t cadet_read(struct file *f
25570 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
25571 mutex_unlock(&dev->lock);
25573 - if (copy_to_user(data, readbuf, i))
25574 + if (i > sizeof readbuf || copy_to_user(data, readbuf, i))
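Review bot: The added `i > sizeof readbuf` test runs after the loop at `readbuf[i++] = dev->rdsbuf[dev->rdsout++];` has already written each byte, so if `i` could ever exceed `sizeof readbuf` the stack overflow has happened before the check; it only prevents the over-read in `copy_to_user`. The bound belongs in the loop condition (outside the hunk), e.g. `while (i < count && i < sizeof readbuf && dev->rdsin != dev->rdsout)`, after which the post-loop test is redundant. Whether `i` can actually reach that value depends on the sizes of `readbuf` and `rdsbuf` and the index types, which are not visible here. cadet_read() starts and ends outside the hunk.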
25578 diff -urNp linux-2.6.38.1/drivers/media/rc/ir-lirc-codec.c linux-2.6.38.1-new/drivers/media/rc/ir-lirc-codec.c
25579 --- linux-2.6.38.1/drivers/media/rc/ir-lirc-codec.c 2011-03-14 21:20:32.000000000 -0400
25580 +++ linux-2.6.38.1-new/drivers/media/rc/ir-lirc-codec.c 2011-03-21 18:31:35.000000000 -0400
25581 @@ -277,7 +277,7 @@ static void ir_lirc_close(void *data)
25585 -static struct file_operations lirc_fops = {
25586 +static const struct file_operations lirc_fops = {
25587 .owner = THIS_MODULE,
25588 .write = ir_lirc_transmit_ir,
25589 .unlocked_ioctl = ir_lirc_ioctl,
25590 diff -urNp linux-2.6.38.1/drivers/media/rc/lirc_dev.c linux-2.6.38.1-new/drivers/media/rc/lirc_dev.c
25591 --- linux-2.6.38.1/drivers/media/rc/lirc_dev.c 2011-03-14 21:20:32.000000000 -0400
25592 +++ linux-2.6.38.1-new/drivers/media/rc/lirc_dev.c 2011-03-21 18:31:35.000000000 -0400
25593 @@ -151,7 +151,7 @@ static int lirc_thread(void *irctl)
25597 -static struct file_operations lirc_dev_fops = {
25598 +static const struct file_operations lirc_dev_fops = {
25599 .owner = THIS_MODULE,
25600 .read = lirc_dev_fop_read,
25601 .write = lirc_dev_fop_write,
25602 diff -urNp linux-2.6.38.1/drivers/media/video/sn9c102/sn9c102_core.c linux-2.6.38.1-new/drivers/media/video/sn9c102/sn9c102_core.c
25603 --- linux-2.6.38.1/drivers/media/video/sn9c102/sn9c102_core.c 2011-03-14 21:20:32.000000000 -0400
25604 +++ linux-2.6.38.1-new/drivers/media/video/sn9c102/sn9c102_core.c 2011-03-21 18:31:35.000000000 -0400
25605 @@ -1430,9 +1430,9 @@ static DEVICE_ATTR(i2c_reg, S_IRUGO | S_
25606 sn9c102_show_i2c_reg, sn9c102_store_i2c_reg);
25607 static DEVICE_ATTR(i2c_val, S_IRUGO | S_IWUSR,
25608 sn9c102_show_i2c_val, sn9c102_store_i2c_val);
25609 -static DEVICE_ATTR(green, S_IWUGO, NULL, sn9c102_store_green);
25610 -static DEVICE_ATTR(blue, S_IWUGO, NULL, sn9c102_store_blue);
25611 -static DEVICE_ATTR(red, S_IWUGO, NULL, sn9c102_store_red);
25612 +static DEVICE_ATTR(green, S_IWUSR, NULL, sn9c102_store_green);
25613 +static DEVICE_ATTR(blue, S_IWUSR, NULL, sn9c102_store_blue);
25614 +static DEVICE_ATTR(red, S_IWUSR, NULL, sn9c102_store_red);
25615 static DEVICE_ATTR(frame_header, S_IRUGO, sn9c102_show_frame_header, NULL);
25618 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptbase.c linux-2.6.38.1-new/drivers/message/fusion/mptbase.c
25619 --- linux-2.6.38.1/drivers/message/fusion/mptbase.c 2011-03-14 21:20:32.000000000 -0400
25620 +++ linux-2.6.38.1-new/drivers/message/fusion/mptbase.c 2011-03-21 18:31:35.000000000 -0400
25621 @@ -6683,8 +6683,13 @@ static int mpt_iocinfo_proc_show(struct
25622 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
25623 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
25625 +#ifdef CONFIG_GRKERNSEC_HIDESYM
25626 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
25628 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
25629 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
25633 * Rounding UP to nearest 4-kB boundary here...
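Review bot: Passing `NULL, NULL` to `"RequestFrames @ 0x%p (Dma @ 0x%p)\n"` under `CONFIG_GRKERNSEC_HIDESYM` will most likely render as `0x(null)`, since the kernel's `%p` prints `(null)` for a null pointer rather than zeros, which is an odd thing to show in a proc file. Printing a fixed string instead, e.g. `seq_printf(m, " RequestFrames @ (hidden) (Dma @ (hidden))\n");`, keeps the line readable without leaking the addresses; the `#else`/`#endif` lines seem to have been dropped from this listing. mpt_iocinfo_proc_show() continues outside the hunk.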
25635 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptdebug.h linux-2.6.38.1-new/drivers/message/fusion/mptdebug.h
25636 --- linux-2.6.38.1/drivers/message/fusion/mptdebug.h 2011-03-14 21:20:32.000000000 -0400
25637 +++ linux-2.6.38.1-new/drivers/message/fusion/mptdebug.h 2011-03-21 18:31:35.000000000 -0400
25642 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
25643 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
25647 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptsas.c linux-2.6.38.1-new/drivers/message/fusion/mptsas.c
25648 --- linux-2.6.38.1/drivers/message/fusion/mptsas.c 2011-03-14 21:20:32.000000000 -0400
25649 +++ linux-2.6.38.1-new/drivers/message/fusion/mptsas.c 2011-03-21 18:31:35.000000000 -0400
25650 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
25654 +static inline void
25655 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25657 + if (phy_info->port_details) {
25658 + phy_info->port_details->rphy = rphy;
25659 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25660 + ioc->name, rphy));
25664 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25665 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25666 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25667 + ioc->name, rphy, rphy->dev.release));
25673 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
25674 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
25678 -static inline void
25679 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
25681 - if (phy_info->port_details) {
25682 - phy_info->port_details->rphy = rphy;
25683 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
25684 - ioc->name, rphy));
25688 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
25689 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
25690 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
25691 - ioc->name, rphy, rphy->dev.release));
25695 static inline struct sas_port *
25696 mptsas_get_port(struct mptsas_phyinfo *phy_info)
25698 diff -urNp linux-2.6.38.1/drivers/message/fusion/mptscsih.c linux-2.6.38.1-new/drivers/message/fusion/mptscsih.c
25699 --- linux-2.6.38.1/drivers/message/fusion/mptscsih.c 2011-03-14 21:20:32.000000000 -0400
25700 +++ linux-2.6.38.1-new/drivers/message/fusion/mptscsih.c 2011-03-21 18:31:35.000000000 -0400
25701 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
25703 h = shost_priv(SChost);
25706 - if (h->info_kbuf == NULL)
25707 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25708 - return h->info_kbuf;
25709 - h->info_kbuf[0] = '\0';
25713 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25714 - h->info_kbuf[size-1] = '\0';
25716 + if (h->info_kbuf == NULL)
25717 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
25718 + return h->info_kbuf;
25719 + h->info_kbuf[0] = '\0';
25721 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
25722 + h->info_kbuf[size-1] = '\0';
25724 return h->info_kbuf;
25726 diff -urNp linux-2.6.38.1/drivers/message/i2o/i2o_proc.c linux-2.6.38.1-new/drivers/message/i2o/i2o_proc.c
25727 --- linux-2.6.38.1/drivers/message/i2o/i2o_proc.c 2011-03-14 21:20:32.000000000 -0400
25728 +++ linux-2.6.38.1-new/drivers/message/i2o/i2o_proc.c 2011-03-21 18:31:35.000000000 -0400
25729 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
25730 "Array Controller Device"
25733 -static char *chtostr(u8 * chars, int n)
25737 - return strncat(tmp, (char *)chars, n);
25740 static int i2o_report_query_status(struct seq_file *seq, int block_status,
25743 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
25745 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
25746 seq_printf(seq, "%-#8x", ddm_table.module_id);
25747 - seq_printf(seq, "%-29s",
25748 - chtostr(ddm_table.module_name_version, 28));
25749 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
25750 seq_printf(seq, "%9d ", ddm_table.data_size);
25751 seq_printf(seq, "%8d", ddm_table.code_size);
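Review bot: Replacing `"%-29s"` with `"%-.28s"` drops the minimum field width, so the name column of the DDM table is no longer padded to 29 characters and the columns that follow (`"%9d "`, `"%8d"`) will shift for short names; the same happens in the next hunk where `"%-29s"` and `"%-9s"` become `"%-.28s"` and `"%-.8s"`. Keeping both width and precision, `"%-29.28s"` and `"%-9.8s"`, preserves the layout while still bounding the read to the fixed-size field, which is the point of removing chtostr(). i2o_seq_show_ddm_table() starts and ends outside the hunk.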
25753 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
25755 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
25756 seq_printf(seq, "%-#8x", dst->module_id);
25757 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
25758 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
25759 + seq_printf(seq, "%-.28s", dst->module_name_version);
25760 + seq_printf(seq, "%-.8s", dst->date);
25761 seq_printf(seq, "%8d ", dst->module_size);
25762 seq_printf(seq, "%8d ", dst->mpb_size);
25763 seq_printf(seq, "0x%04x", dst->module_flags);
25764 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
25765 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
25766 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
25767 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
25768 - seq_printf(seq, "Vendor info : %s\n",
25769 - chtostr((u8 *) (work32 + 2), 16));
25770 - seq_printf(seq, "Product info : %s\n",
25771 - chtostr((u8 *) (work32 + 6), 16));
25772 - seq_printf(seq, "Description : %s\n",
25773 - chtostr((u8 *) (work32 + 10), 16));
25774 - seq_printf(seq, "Product rev. : %s\n",
25775 - chtostr((u8 *) (work32 + 14), 8));
25776 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
25777 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
25778 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
25779 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
25781 seq_printf(seq, "Serial number : ");
25782 print_serial_number(seq, (u8 *) (work32 + 16),
25783 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
25786 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
25787 - seq_printf(seq, "Module name : %s\n",
25788 - chtostr(result.module_name, 24));
25789 - seq_printf(seq, "Module revision : %s\n",
25790 - chtostr(result.module_rev, 8));
25791 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
25792 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
25794 seq_printf(seq, "Serial number : ");
25795 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
25796 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
25800 - seq_printf(seq, "Device name : %s\n",
25801 - chtostr(result.device_name, 64));
25802 - seq_printf(seq, "Service name : %s\n",
25803 - chtostr(result.service_name, 64));
25804 - seq_printf(seq, "Physical name : %s\n",
25805 - chtostr(result.physical_location, 64));
25806 - seq_printf(seq, "Instance number : %s\n",
25807 - chtostr(result.instance_number, 4));
25808 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
25809 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
25810 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
25811 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
25815 diff -urNp linux-2.6.38.1/drivers/mfd/ab3100-core.c linux-2.6.38.1-new/drivers/mfd/ab3100-core.c
25816 --- linux-2.6.38.1/drivers/mfd/ab3100-core.c 2011-03-14 21:20:32.000000000 -0400
25817 +++ linux-2.6.38.1-new/drivers/mfd/ab3100-core.c 2011-03-21 18:31:35.000000000 -0400
25818 @@ -613,7 +613,7 @@ static void ab3100_setup_debugfs(struct
25819 ab3100_get_priv.ab3100 = ab3100;
25820 ab3100_get_priv.mode = false;
25821 ab3100_get_reg_file = debugfs_create_file("get_reg",
25822 - S_IWUGO, ab3100_dir, &ab3100_get_priv,
25823 + S_IWUSR, ab3100_dir, &ab3100_get_priv,
25824 &ab3100_get_set_reg_fops);
25825 if (!ab3100_get_reg_file) {
25827 @@ -623,7 +623,7 @@ static void ab3100_setup_debugfs(struct
25828 ab3100_set_priv.ab3100 = ab3100;
25829 ab3100_set_priv.mode = true;
25830 ab3100_set_reg_file = debugfs_create_file("set_reg",
25831 - S_IWUGO, ab3100_dir, &ab3100_set_priv,
25832 + S_IWUSR, ab3100_dir, &ab3100_set_priv,
25833 &ab3100_get_set_reg_fops);
25834 if (!ab3100_set_reg_file) {
25836 diff -urNp linux-2.6.38.1/drivers/mfd/ab3550-core.c linux-2.6.38.1-new/drivers/mfd/ab3550-core.c
25837 --- linux-2.6.38.1/drivers/mfd/ab3550-core.c 2011-03-14 21:20:32.000000000 -0400
25838 +++ linux-2.6.38.1-new/drivers/mfd/ab3550-core.c 2011-03-21 18:31:35.000000000 -0400
25839 @@ -1053,17 +1053,17 @@ static inline void ab3550_setup_debugfs(
25840 goto exit_destroy_dir;
25842 ab3550_bank_file = debugfs_create_file("register-bank",
25843 - (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_bank_fops);
25844 + (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_bank_fops);
25845 if (!ab3550_bank_file)
25846 goto exit_destroy_reg;
25848 ab3550_address_file = debugfs_create_file("register-address",
25849 - (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_address_fops);
25850 + (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_address_fops);
25851 if (!ab3550_address_file)
25852 goto exit_destroy_bank;
25854 ab3550_val_file = debugfs_create_file("register-value",
25855 - (S_IRUGO | S_IWUGO), ab3550_dir, ab, &ab3550_val_fops);
25856 + (S_IRUGO | S_IWUSR), ab3550_dir, ab, &ab3550_val_fops);
25857 if (!ab3550_val_file)
25858 goto exit_destroy_address;
25860 diff -urNp linux-2.6.38.1/drivers/mfd/ab8500-debugfs.c linux-2.6.38.1-new/drivers/mfd/ab8500-debugfs.c
25861 --- linux-2.6.38.1/drivers/mfd/ab8500-debugfs.c 2011-03-14 21:20:32.000000000 -0400
25862 +++ linux-2.6.38.1-new/drivers/mfd/ab8500-debugfs.c 2011-03-21 18:31:35.000000000 -0400
25863 @@ -585,18 +585,18 @@ static int __devinit ab8500_debug_probe(
25864 goto exit_destroy_dir;
25866 ab8500_bank_file = debugfs_create_file("register-bank",
25867 - (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_bank_fops);
25868 + (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_bank_fops);
25869 if (!ab8500_bank_file)
25870 goto exit_destroy_reg;
25872 ab8500_address_file = debugfs_create_file("register-address",
25873 - (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev,
25874 + (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev,
25875 &ab8500_address_fops);
25876 if (!ab8500_address_file)
25877 goto exit_destroy_bank;
25879 ab8500_val_file = debugfs_create_file("register-value",
25880 - (S_IRUGO | S_IWUGO), ab8500_dir, &plf->dev, &ab8500_val_fops);
25881 + (S_IRUGO | S_IWUSR), ab8500_dir, &plf->dev, &ab8500_val_fops);
25882 if (!ab8500_val_file)
25883 goto exit_destroy_address;
25885 diff -urNp linux-2.6.38.1/drivers/mfd/janz-cmodio.c linux-2.6.38.1-new/drivers/mfd/janz-cmodio.c
25886 --- linux-2.6.38.1/drivers/mfd/janz-cmodio.c 2011-03-14 21:20:32.000000000 -0400
25887 +++ linux-2.6.38.1-new/drivers/mfd/janz-cmodio.c 2011-03-21 18:31:35.000000000 -0400
25890 #include <linux/kernel.h>
25891 #include <linux/module.h>
25892 +#include <linux/slab.h>
25893 #include <linux/init.h>
25894 #include <linux/pci.h>
25895 #include <linux/interrupt.h>
25896 diff -urNp linux-2.6.38.1/drivers/misc/ep93xx_pwm.c linux-2.6.38.1-new/drivers/misc/ep93xx_pwm.c
25897 --- linux-2.6.38.1/drivers/misc/ep93xx_pwm.c 2011-03-14 21:20:32.000000000 -0400
25898 +++ linux-2.6.38.1-new/drivers/misc/ep93xx_pwm.c 2011-03-21 18:31:35.000000000 -0400
25899 @@ -249,11 +249,11 @@ static ssize_t ep93xx_pwm_set_invert(str
25901 static DEVICE_ATTR(min_freq, S_IRUGO, ep93xx_pwm_get_min_freq, NULL);
25902 static DEVICE_ATTR(max_freq, S_IRUGO, ep93xx_pwm_get_max_freq, NULL);
25903 -static DEVICE_ATTR(freq, S_IWUGO | S_IRUGO,
25904 +static DEVICE_ATTR(freq, S_IWUSR | S_IRUGO,
25905 ep93xx_pwm_get_freq, ep93xx_pwm_set_freq);
25906 -static DEVICE_ATTR(duty_percent, S_IWUGO | S_IRUGO,
25907 +static DEVICE_ATTR(duty_percent, S_IWUSR | S_IRUGO,
25908 ep93xx_pwm_get_duty_percent, ep93xx_pwm_set_duty_percent);
25909 -static DEVICE_ATTR(invert, S_IWUGO | S_IRUGO,
25910 +static DEVICE_ATTR(invert, S_IWUSR | S_IRUGO,
25911 ep93xx_pwm_get_invert, ep93xx_pwm_set_invert);
25913 static struct attribute *ep93xx_pwm_attrs[] = {
25914 diff -urNp linux-2.6.38.1/drivers/misc/kgdbts.c linux-2.6.38.1-new/drivers/misc/kgdbts.c
25915 --- linux-2.6.38.1/drivers/misc/kgdbts.c 2011-03-14 21:20:32.000000000 -0400
25916 +++ linux-2.6.38.1-new/drivers/misc/kgdbts.c 2011-03-21 18:31:35.000000000 -0400
25917 @@ -118,7 +118,7 @@
25919 #define MAX_CONFIG_LEN 40
25921 -static struct kgdb_io kgdbts_io_ops;
25922 +static const struct kgdb_io kgdbts_io_ops;
25923 static char get_buf[BUFMAX];
25924 static int get_buf_cnt;
25925 static char put_buf[BUFMAX];
25926 @@ -1103,7 +1103,7 @@ static void kgdbts_post_exp_handler(void
25927 module_put(THIS_MODULE);
25930 -static struct kgdb_io kgdbts_io_ops = {
25931 +static const struct kgdb_io kgdbts_io_ops = {
25933 .read_char = kgdbts_get_char,
25934 .write_char = kgdbts_put_char,
25935 diff -urNp linux-2.6.38.1/drivers/misc/sgi-gru/gruhandles.c linux-2.6.38.1-new/drivers/misc/sgi-gru/gruhandles.c
25936 --- linux-2.6.38.1/drivers/misc/sgi-gru/gruhandles.c 2011-03-14 21:20:32.000000000 -0400
25937 +++ linux-2.6.38.1-new/drivers/misc/sgi-gru/gruhandles.c 2011-03-21 18:31:35.000000000 -0400
25938 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
25939 unsigned long nsec;
25941 nsec = CLKS2NSEC(clks);
25942 - atomic_long_inc(&mcs_op_statistics[op].count);
25943 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
25944 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
25945 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
25946 if (mcs_op_statistics[op].max < nsec)
25947 mcs_op_statistics[op].max = nsec;
25949 diff -urNp linux-2.6.38.1/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.38.1-new/drivers/misc/sgi-gru/gruprocfs.c
25950 --- linux-2.6.38.1/drivers/misc/sgi-gru/gruprocfs.c 2011-03-14 21:20:32.000000000 -0400
25951 +++ linux-2.6.38.1-new/drivers/misc/sgi-gru/gruprocfs.c 2011-03-21 18:31:35.000000000 -0400
25954 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
25956 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
25957 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
25959 - unsigned long val = atomic_long_read(v);
25960 + unsigned long val = atomic_long_read_unchecked(v);
25962 seq_printf(s, "%16lu %s\n", val, id);
25964 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
25966 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
25967 for (op = 0; op < mcsop_last; op++) {
25968 - count = atomic_long_read(&mcs_op_statistics[op].count);
25969 - total = atomic_long_read(&mcs_op_statistics[op].total);
25970 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
25971 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
25972 max = mcs_op_statistics[op].max;
25973 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
25974 count ? total / count : 0, max);
25975 diff -urNp linux-2.6.38.1/drivers/misc/sgi-gru/grutables.h linux-2.6.38.1-new/drivers/misc/sgi-gru/grutables.h
25976 --- linux-2.6.38.1/drivers/misc/sgi-gru/grutables.h 2011-03-14 21:20:32.000000000 -0400
25977 +++ linux-2.6.38.1-new/drivers/misc/sgi-gru/grutables.h 2011-03-21 18:31:35.000000000 -0400
25978 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
25981 struct gru_stats_s {
25982 - atomic_long_t vdata_alloc;
25983 - atomic_long_t vdata_free;
25984 - atomic_long_t gts_alloc;
25985 - atomic_long_t gts_free;
25986 - atomic_long_t gms_alloc;
25987 - atomic_long_t gms_free;
25988 - atomic_long_t gts_double_allocate;
25989 - atomic_long_t assign_context;
25990 - atomic_long_t assign_context_failed;
25991 - atomic_long_t free_context;
25992 - atomic_long_t load_user_context;
25993 - atomic_long_t load_kernel_context;
25994 - atomic_long_t lock_kernel_context;
25995 - atomic_long_t unlock_kernel_context;
25996 - atomic_long_t steal_user_context;
25997 - atomic_long_t steal_kernel_context;
25998 - atomic_long_t steal_context_failed;
25999 - atomic_long_t nopfn;
26000 - atomic_long_t asid_new;
26001 - atomic_long_t asid_next;
26002 - atomic_long_t asid_wrap;
26003 - atomic_long_t asid_reuse;
26004 - atomic_long_t intr;
26005 - atomic_long_t intr_cbr;
26006 - atomic_long_t intr_tfh;
26007 - atomic_long_t intr_spurious;
26008 - atomic_long_t intr_mm_lock_failed;
26009 - atomic_long_t call_os;
26010 - atomic_long_t call_os_wait_queue;
26011 - atomic_long_t user_flush_tlb;
26012 - atomic_long_t user_unload_context;
26013 - atomic_long_t user_exception;
26014 - atomic_long_t set_context_option;
26015 - atomic_long_t check_context_retarget_intr;
26016 - atomic_long_t check_context_unload;
26017 - atomic_long_t tlb_dropin;
26018 - atomic_long_t tlb_preload_page;
26019 - atomic_long_t tlb_dropin_fail_no_asid;
26020 - atomic_long_t tlb_dropin_fail_upm;
26021 - atomic_long_t tlb_dropin_fail_invalid;
26022 - atomic_long_t tlb_dropin_fail_range_active;
26023 - atomic_long_t tlb_dropin_fail_idle;
26024 - atomic_long_t tlb_dropin_fail_fmm;
26025 - atomic_long_t tlb_dropin_fail_no_exception;
26026 - atomic_long_t tfh_stale_on_fault;
26027 - atomic_long_t mmu_invalidate_range;
26028 - atomic_long_t mmu_invalidate_page;
26029 - atomic_long_t flush_tlb;
26030 - atomic_long_t flush_tlb_gru;
26031 - atomic_long_t flush_tlb_gru_tgh;
26032 - atomic_long_t flush_tlb_gru_zero_asid;
26034 - atomic_long_t copy_gpa;
26035 - atomic_long_t read_gpa;
26037 - atomic_long_t mesq_receive;
26038 - atomic_long_t mesq_receive_none;
26039 - atomic_long_t mesq_send;
26040 - atomic_long_t mesq_send_failed;
26041 - atomic_long_t mesq_noop;
26042 - atomic_long_t mesq_send_unexpected_error;
26043 - atomic_long_t mesq_send_lb_overflow;
26044 - atomic_long_t mesq_send_qlimit_reached;
26045 - atomic_long_t mesq_send_amo_nacked;
26046 - atomic_long_t mesq_send_put_nacked;
26047 - atomic_long_t mesq_page_overflow;
26048 - atomic_long_t mesq_qf_locked;
26049 - atomic_long_t mesq_qf_noop_not_full;
26050 - atomic_long_t mesq_qf_switch_head_failed;
26051 - atomic_long_t mesq_qf_unexpected_error;
26052 - atomic_long_t mesq_noop_unexpected_error;
26053 - atomic_long_t mesq_noop_lb_overflow;
26054 - atomic_long_t mesq_noop_qlimit_reached;
26055 - atomic_long_t mesq_noop_amo_nacked;
26056 - atomic_long_t mesq_noop_put_nacked;
26057 - atomic_long_t mesq_noop_page_overflow;
26058 + atomic_long_unchecked_t vdata_alloc;
26059 + atomic_long_unchecked_t vdata_free;
26060 + atomic_long_unchecked_t gts_alloc;
26061 + atomic_long_unchecked_t gts_free;
26062 + atomic_long_unchecked_t gms_alloc;
26063 + atomic_long_unchecked_t gms_free;
26064 + atomic_long_unchecked_t gts_double_allocate;
26065 + atomic_long_unchecked_t assign_context;
26066 + atomic_long_unchecked_t assign_context_failed;
26067 + atomic_long_unchecked_t free_context;
26068 + atomic_long_unchecked_t load_user_context;
26069 + atomic_long_unchecked_t load_kernel_context;
26070 + atomic_long_unchecked_t lock_kernel_context;
26071 + atomic_long_unchecked_t unlock_kernel_context;
26072 + atomic_long_unchecked_t steal_user_context;
26073 + atomic_long_unchecked_t steal_kernel_context;
26074 + atomic_long_unchecked_t steal_context_failed;
26075 + atomic_long_unchecked_t nopfn;
26076 + atomic_long_unchecked_t asid_new;
26077 + atomic_long_unchecked_t asid_next;
26078 + atomic_long_unchecked_t asid_wrap;
26079 + atomic_long_unchecked_t asid_reuse;
26080 + atomic_long_unchecked_t intr;
26081 + atomic_long_unchecked_t intr_cbr;
26082 + atomic_long_unchecked_t intr_tfh;
26083 + atomic_long_unchecked_t intr_spurious;
26084 + atomic_long_unchecked_t intr_mm_lock_failed;
26085 + atomic_long_unchecked_t call_os;
26086 + atomic_long_unchecked_t call_os_wait_queue;
26087 + atomic_long_unchecked_t user_flush_tlb;
26088 + atomic_long_unchecked_t user_unload_context;
26089 + atomic_long_unchecked_t user_exception;
26090 + atomic_long_unchecked_t set_context_option;
26091 + atomic_long_unchecked_t check_context_retarget_intr;
26092 + atomic_long_unchecked_t check_context_unload;
26093 + atomic_long_unchecked_t tlb_dropin;
26094 + atomic_long_unchecked_t tlb_preload_page;
26095 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26096 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26097 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26098 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26099 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26100 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26101 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26102 + atomic_long_unchecked_t tfh_stale_on_fault;
26103 + atomic_long_unchecked_t mmu_invalidate_range;
26104 + atomic_long_unchecked_t mmu_invalidate_page;
26105 + atomic_long_unchecked_t flush_tlb;
26106 + atomic_long_unchecked_t flush_tlb_gru;
26107 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26108 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26110 + atomic_long_unchecked_t copy_gpa;
26111 + atomic_long_unchecked_t read_gpa;
26113 + atomic_long_unchecked_t mesq_receive;
26114 + atomic_long_unchecked_t mesq_receive_none;
26115 + atomic_long_unchecked_t mesq_send;
26116 + atomic_long_unchecked_t mesq_send_failed;
26117 + atomic_long_unchecked_t mesq_noop;
26118 + atomic_long_unchecked_t mesq_send_unexpected_error;
26119 + atomic_long_unchecked_t mesq_send_lb_overflow;
26120 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26121 + atomic_long_unchecked_t mesq_send_amo_nacked;
26122 + atomic_long_unchecked_t mesq_send_put_nacked;
26123 + atomic_long_unchecked_t mesq_page_overflow;
26124 + atomic_long_unchecked_t mesq_qf_locked;
26125 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26126 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26127 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26128 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26129 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26130 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26131 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26132 + atomic_long_unchecked_t mesq_noop_put_nacked;
26133 + atomic_long_unchecked_t mesq_noop_page_overflow;
26137 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26138 tghop_invalidate, mcsop_last};
26140 struct mcs_op_statistic {
26141 - atomic_long_t count;
26142 - atomic_long_t total;
26143 + atomic_long_unchecked_t count;
26144 + atomic_long_unchecked_t total;
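Review bot: Switching `count` and `total` to `atomic_long_unchecked_t` exempts these fields from the patch's atomic overflow detection, but nothing in the hunk records why that is acceptable; a one-line comment above the struct such as `/* statistics only: wrap-around is harmless, so exempt from overflow checking */` would stop the next maintainer from "fixing" it back. The same applies to the `STAT()` macro hunk that follows and to the `oprofile_stat_struct` hunk in drivers/oprofile/oprofile_stats.h. The `_unchecked` choice is only sound for pure counters, so the comment should also state that none of these fields may ever feed a reference count or a bounds decision.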
26148 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26150 #define STAT(id) do { \
26151 if (gru_options & OPT_STATS) \
26152 - atomic_long_inc(&gru_stats.id); \
26153 + atomic_long_inc_unchecked(&gru_stats.id); \
26156 #ifdef CONFIG_SGI_GRU_DEBUG
26157 diff -urNp linux-2.6.38.1/drivers/mtd/devices/doc2000.c linux-2.6.38.1-new/drivers/mtd/devices/doc2000.c
26158 --- linux-2.6.38.1/drivers/mtd/devices/doc2000.c 2011-03-14 21:20:32.000000000 -0400
26159 +++ linux-2.6.38.1-new/drivers/mtd/devices/doc2000.c 2011-03-21 18:31:35.000000000 -0400
26160 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26162 /* The ECC will not be calculated correctly if less than 512 is written */
26164 - if (len != 0x200 && eccbuf)
26165 + if (len != 0x200)
26166 printk(KERN_WARNING
26167 "ECC needs a full sector write (adr: %lx size %lx)\n",
26168 (long) to, (long) len);
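Review bot: Dropping `&& eccbuf` makes the warning fire for every sub-512-byte write, yet the message still reads as if it were conditional on ECC being requested, and the hunk gives no reason for the change; if this block is live code (its surroundings are outside the hunk, and the region may be commented out in the tree — confirm), a short comment explaining why `eccbuf` no longer matters would help. If the warning is now unconditional, `printk_ratelimited` is worth considering so that a caller issuing many short writes cannot flood the log. doc_write() continues outside the hunk.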
26169 diff -urNp linux-2.6.38.1/drivers/mtd/devices/doc2001.c linux-2.6.38.1-new/drivers/mtd/devices/doc2001.c
26170 --- linux-2.6.38.1/drivers/mtd/devices/doc2001.c 2011-03-14 21:20:32.000000000 -0400
26171 +++ linux-2.6.38.1-new/drivers/mtd/devices/doc2001.c 2011-03-21 18:31:35.000000000 -0400
26172 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26173 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26175 /* Don't allow read past end of device */
26176 - if (from >= this->totlen)
26177 + if (from >= this->totlen || !len)
26180 /* Don't allow a single read to cross a 512-byte block boundary */
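Review bot: `mychip` is still computed from `from >> this->chipshift` on the line above the new range check, so an out-of-range `from` indexes `this->chips[]` before it is rejected; moving that initialisation below the `if` keeps the pointer arithmetic inside the array. The added `!len` test returns the same error as an out-of-range read (the return statement is outside the hunk), whereas callers commonly expect a zero-length read to succeed with `*retlen = 0` — confirm that this is the intended contract and document it either way. The rest of doc_read() continues outside the hunk.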
26181 diff -urNp linux-2.6.38.1/drivers/mtd/nand/denali.c linux-2.6.38.1-new/drivers/mtd/nand/denali.c
26182 --- linux-2.6.38.1/drivers/mtd/nand/denali.c 2011-03-14 21:20:32.000000000 -0400
26183 +++ linux-2.6.38.1-new/drivers/mtd/nand/denali.c 2011-03-21 18:31:35.000000000 -0400
26185 #include <linux/pci.h>
26186 #include <linux/mtd/mtd.h>
26187 #include <linux/module.h>
26188 +#include <linux/slab.h>
26190 #include "denali.h"
26192 diff -urNp linux-2.6.38.1/drivers/mtd/ubi/build.c linux-2.6.38.1-new/drivers/mtd/ubi/build.c
26193 --- linux-2.6.38.1/drivers/mtd/ubi/build.c 2011-03-14 21:20:32.000000000 -0400
26194 +++ linux-2.6.38.1-new/drivers/mtd/ubi/build.c 2011-03-21 18:31:35.000000000 -0400
26195 @@ -1285,7 +1285,7 @@ module_exit(ubi_exit);
26196 static int __init bytes_str_to_int(const char *str)
26199 - unsigned long result;
26200 + unsigned long result, scale = 1;
26202 result = simple_strtoul(str, &endp, 0);
26203 if (str == endp || result >= INT_MAX) {
26204 @@ -1296,11 +1296,11 @@ static int __init bytes_str_to_int(const
26216 if (endp[1] == 'i' && endp[2] == 'B')
26219 @@ -1311,7 +1311,13 @@ static int __init bytes_str_to_int(const
26224 + if ((intoverflow_t)result*scale >= INT_MAX) {
26225 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26230 + return result*scale;
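Review bot: The product is evaluated twice, once as `(intoverflow_t)result*scale` for the check and again as `result*scale` in `unsigned long` for the return; the second multiplication stays in range only because the first rejected the overflowing case, a coupling the code does not make explicit. Computing it once, `intoverflow_t bytes = (intoverflow_t)result * scale;` then `if (bytes >= INT_MAX) { ... }` and `return bytes;`, keeps the check and the returned value in step if either is ever changed. The enclosing bytes_str_to_int() spans the two preceding hunks as well.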
26234 diff -urNp linux-2.6.38.1/drivers/net/e1000e/82571.c linux-2.6.38.1-new/drivers/net/e1000e/82571.c
26235 --- linux-2.6.38.1/drivers/net/e1000e/82571.c 2011-03-14 21:20:32.000000000 -0400
26236 +++ linux-2.6.38.1-new/drivers/net/e1000e/82571.c 2011-03-21 18:31:35.000000000 -0400
26237 @@ -239,7 +239,7 @@ static s32 e1000_init_mac_params_82571(s
26239 struct e1000_hw *hw = &adapter->hw;
26240 struct e1000_mac_info *mac = &hw->mac;
26241 - struct e1000_mac_operations *func = &mac->ops;
26242 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
26245 bool force_clear_smbi = false;
26246 @@ -1930,7 +1930,7 @@ static void e1000_clear_hw_cntrs_82571(s
26250 -static struct e1000_mac_operations e82571_mac_ops = {
26251 +static const struct e1000_mac_operations e82571_mac_ops = {
26252 /* .check_mng_mode: mac type dependent */
26253 /* .check_for_link: media type dependent */
26254 .id_led_init = e1000e_id_led_init,
26255 @@ -1952,7 +1952,7 @@ static struct e1000_mac_operations e8257
26256 .read_mac_addr = e1000_read_mac_addr_82571,
26259 -static struct e1000_phy_operations e82_phy_ops_igp = {
26260 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26261 .acquire = e1000_get_hw_semaphore_82571,
26262 .check_polarity = e1000_check_polarity_igp,
26263 .check_reset_block = e1000e_check_reset_block_generic,
26264 @@ -1970,7 +1970,7 @@ static struct e1000_phy_operations e82_p
26265 .cfg_on_link_up = NULL,
26268 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26269 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26270 .acquire = e1000_get_hw_semaphore_82571,
26271 .check_polarity = e1000_check_polarity_m88,
26272 .check_reset_block = e1000e_check_reset_block_generic,
26273 @@ -1988,7 +1988,7 @@ static struct e1000_phy_operations e82_p
26274 .cfg_on_link_up = NULL,
26277 -static struct e1000_phy_operations e82_phy_ops_bm = {
26278 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26279 .acquire = e1000_get_hw_semaphore_82571,
26280 .check_polarity = e1000_check_polarity_m88,
26281 .check_reset_block = e1000e_check_reset_block_generic,
26282 @@ -2006,7 +2006,7 @@ static struct e1000_phy_operations e82_p
26283 .cfg_on_link_up = NULL,
26286 -static struct e1000_nvm_operations e82571_nvm_ops = {
26287 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26288 .acquire = e1000_acquire_nvm_82571,
26289 .read = e1000e_read_nvm_eerd,
26290 .release = e1000_release_nvm_82571,
26291 diff -urNp linux-2.6.38.1/drivers/net/e1000e/e1000.h linux-2.6.38.1-new/drivers/net/e1000e/e1000.h
26292 --- linux-2.6.38.1/drivers/net/e1000e/e1000.h 2011-03-14 21:20:32.000000000 -0400
26293 +++ linux-2.6.38.1-new/drivers/net/e1000e/e1000.h 2011-03-21 18:31:35.000000000 -0400
26294 @@ -408,9 +408,9 @@ struct e1000_info {
26296 u32 max_hw_frame_size;
26297 s32 (*get_variants)(struct e1000_adapter *);
26298 - struct e1000_mac_operations *mac_ops;
26299 - struct e1000_phy_operations *phy_ops;
26300 - struct e1000_nvm_operations *nvm_ops;
26301 + const struct e1000_mac_operations *mac_ops;
26302 + const struct e1000_phy_operations *phy_ops;
26303 + const struct e1000_nvm_operations *nvm_ops;
26306 /* hardware capability, feature, and workaround flags */
26307 diff -urNp linux-2.6.38.1/drivers/net/e1000e/es2lan.c linux-2.6.38.1-new/drivers/net/e1000e/es2lan.c
26308 --- linux-2.6.38.1/drivers/net/e1000e/es2lan.c 2011-03-14 21:20:32.000000000 -0400
26309 +++ linux-2.6.38.1-new/drivers/net/e1000e/es2lan.c 2011-03-21 18:31:35.000000000 -0400
26310 @@ -205,7 +205,7 @@ static s32 e1000_init_mac_params_80003es
26312 struct e1000_hw *hw = &adapter->hw;
26313 struct e1000_mac_info *mac = &hw->mac;
26314 - struct e1000_mac_operations *func = &mac->ops;
26315 + struct e1000_mac_operations *func = &mac->ops; /* cannot be const */
26317 /* Set media type */
26318 switch (adapter->pdev->device) {
26319 @@ -1431,7 +1431,7 @@ static void e1000_clear_hw_cntrs_80003es
26323 -static struct e1000_mac_operations es2_mac_ops = {
26324 +static const struct e1000_mac_operations es2_mac_ops = {
26325 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26326 .id_led_init = e1000e_id_led_init,
26327 .check_mng_mode = e1000e_check_mng_mode_generic,
26328 @@ -1453,7 +1453,7 @@ static struct e1000_mac_operations es2_m
26329 .setup_led = e1000e_setup_led_generic,
26332 -static struct e1000_phy_operations es2_phy_ops = {
26333 +static const struct e1000_phy_operations es2_phy_ops = {
26334 .acquire = e1000_acquire_phy_80003es2lan,
26335 .check_polarity = e1000_check_polarity_m88,
26336 .check_reset_block = e1000e_check_reset_block_generic,
26337 @@ -1471,7 +1471,7 @@ static struct e1000_phy_operations es2_p
26338 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26341 -static struct e1000_nvm_operations es2_nvm_ops = {
26342 +static const struct e1000_nvm_operations es2_nvm_ops = {
26343 .acquire = e1000_acquire_nvm_80003es2lan,
26344 .read = e1000e_read_nvm_eerd,
26345 .release = e1000_release_nvm_80003es2lan,
26346 diff -urNp linux-2.6.38.1/drivers/net/e1000e/hw.h linux-2.6.38.1-new/drivers/net/e1000e/hw.h
26347 --- linux-2.6.38.1/drivers/net/e1000e/hw.h 2011-03-14 21:20:32.000000000 -0400
26348 +++ linux-2.6.38.1-new/drivers/net/e1000e/hw.h 2011-03-21 18:31:35.000000000 -0400
26349 @@ -801,16 +801,17 @@ struct e1000_phy_operations {
26351 /* Function pointers for the NVM. */
26352 struct e1000_nvm_operations {
26353 - s32 (*acquire)(struct e1000_hw *);
26354 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26355 - void (*release)(struct e1000_hw *);
26356 - s32 (*update)(struct e1000_hw *);
26357 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
26358 - s32 (*validate)(struct e1000_hw *);
26359 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26360 + s32 (* acquire)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
26361 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26362 + void (* release)(struct e1000_hw *); /* cannot be const, see drivers/net/e1000e/82571.c e1000_init_nvm_params_82571() */
26363 + s32 (* const update)(struct e1000_hw *);
26364 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
26365 + s32 (* const validate)(struct e1000_hw *);
26366 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26369 struct e1000_mac_info {
26370 + /* cannot be const see e1000_init_mac_params_ich8lan */
26371 struct e1000_mac_operations ops;
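Review bot: Making `read`, `update`, `valid_led_default`, `validate` and `write` const-qualified members while `struct e1000_nvm_info` keeps `ops` by value (annotated "cannot be const") means the driver still fills those members at runtime; if, as the e1000e probe path appears to do, that happens via `memcpy(&hw->nvm.ops, ei->nvm_ops, sizeof(hw->nvm.ops))` (outside this hunk — confirm), it writes const-qualified objects through a non-const lvalue, which C leaves undefined and which the optimiser is entitled to exploit. Either every member of an ops struct that is copied into a live `hw` should stay non-const, as `acquire` and `release` already are, or the by-value copy should become a pointer to the const table. The same pattern appears in the drivers/net/igb/e1000_hw.h hunk (`@@ -327,22 +327,23 @@`), where all four NVM members become const.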
26374 @@ -853,6 +854,7 @@ struct e1000_mac_info {
26377 struct e1000_phy_info {
26378 + /* Cannot be const see e1000_init_phy_params_82571() */
26379 struct e1000_phy_operations ops;
26381 enum e1000_phy_type type;
26382 @@ -887,6 +889,7 @@ struct e1000_phy_info {
26385 struct e1000_nvm_info {
26386 + /* cannot be const */
26387 struct e1000_nvm_operations ops;
26389 enum e1000_nvm_type type;
26390 diff -urNp linux-2.6.38.1/drivers/net/e1000e/ich8lan.c linux-2.6.38.1-new/drivers/net/e1000e/ich8lan.c
26391 --- linux-2.6.38.1/drivers/net/e1000e/ich8lan.c 2011-03-14 21:20:32.000000000 -0400
26392 +++ linux-2.6.38.1-new/drivers/net/e1000e/ich8lan.c 2011-03-21 18:31:35.000000000 -0400
26393 @@ -3840,7 +3840,7 @@ static void e1000_clear_hw_cntrs_ich8lan
26397 -static struct e1000_mac_operations ich8_mac_ops = {
26398 +static const struct e1000_mac_operations ich8_mac_ops = {
26399 .id_led_init = e1000e_id_led_init,
26400 /* check_mng_mode dependent on mac type */
26401 .check_for_link = e1000_check_for_copper_link_ich8lan,
26402 @@ -3859,7 +3859,7 @@ static struct e1000_mac_operations ich8_
26403 /* id_led_init dependent on mac type */
26406 -static struct e1000_phy_operations ich8_phy_ops = {
26407 +static const struct e1000_phy_operations ich8_phy_ops = {
26408 .acquire = e1000_acquire_swflag_ich8lan,
26409 .check_reset_block = e1000_check_reset_block_ich8lan,
26411 @@ -3873,7 +3873,7 @@ static struct e1000_phy_operations ich8_
26412 .write_reg = e1000e_write_phy_reg_igp,
26415 -static struct e1000_nvm_operations ich8_nvm_ops = {
26416 +static const struct e1000_nvm_operations ich8_nvm_ops = {
26417 .acquire = e1000_acquire_nvm_ich8lan,
26418 .read = e1000_read_nvm_ich8lan,
26419 .release = e1000_release_nvm_ich8lan,
26420 diff -urNp linux-2.6.38.1/drivers/net/igb/e1000_82575.c linux-2.6.38.1-new/drivers/net/igb/e1000_82575.c
26421 --- linux-2.6.38.1/drivers/net/igb/e1000_82575.c 2011-03-14 21:20:32.000000000 -0400
26422 +++ linux-2.6.38.1-new/drivers/net/igb/e1000_82575.c 2011-03-21 18:31:35.000000000 -0400
26423 @@ -1747,7 +1747,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
26427 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
26428 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
26429 .init_hw = igb_init_hw_82575,
26430 .check_for_link = igb_check_for_link_82575,
26431 .rar_set = igb_rar_set,
26432 @@ -1755,13 +1755,13 @@ static struct e1000_mac_operations e1000
26433 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
26436 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
26437 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
26438 .acquire = igb_acquire_phy_82575,
26439 .get_cfg_done = igb_get_cfg_done_82575,
26440 .release = igb_release_phy_82575,
26443 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26444 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
26445 .acquire = igb_acquire_nvm_82575,
26446 .read = igb_read_nvm_eerd,
26447 .release = igb_release_nvm_82575,
26448 diff -urNp linux-2.6.38.1/drivers/net/igb/e1000_hw.h linux-2.6.38.1-new/drivers/net/igb/e1000_hw.h
26449 --- linux-2.6.38.1/drivers/net/igb/e1000_hw.h 2011-03-14 21:20:32.000000000 -0400
26450 +++ linux-2.6.38.1-new/drivers/net/igb/e1000_hw.h 2011-03-21 18:31:35.000000000 -0400
26451 @@ -327,22 +327,23 @@ struct e1000_phy_operations {
26454 struct e1000_nvm_operations {
26455 - s32 (*acquire)(struct e1000_hw *);
26456 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
26457 - void (*release)(struct e1000_hw *);
26458 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
26459 + s32 (* const acquire)(struct e1000_hw *);
26460 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
26461 + void (* const release)(struct e1000_hw *);
26462 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
26465 struct e1000_info {
26466 s32 (*get_invariants)(struct e1000_hw *);
26467 - struct e1000_mac_operations *mac_ops;
26468 - struct e1000_phy_operations *phy_ops;
26469 - struct e1000_nvm_operations *nvm_ops;
26470 + const struct e1000_mac_operations *mac_ops;
26471 + const struct e1000_phy_operations *phy_ops;
26472 + const struct e1000_nvm_operations *nvm_ops;
26475 extern const struct e1000_info e1000_82575_info;
26477 struct e1000_mac_info {
26478 + /* cannot be const see igb_get_invariants_82575() */
26479 struct e1000_mac_operations ops;
26482 @@ -381,6 +382,7 @@ struct e1000_mac_info {
26485 struct e1000_phy_info {
26486 + /* cannot be const see igb_get_invariants_82575() */
26487 struct e1000_phy_operations ops;
26489 enum e1000_phy_type type;
26490 @@ -416,6 +418,7 @@ struct e1000_phy_info {
26493 struct e1000_nvm_info {
26494 + /* cannot be const */
26495 struct e1000_nvm_operations ops;
26497 enum e1000_nvm_type type;
26498 diff -urNp linux-2.6.38.1/drivers/net/igbvf/vf.h linux-2.6.38.1-new/drivers/net/igbvf/vf.h
26499 --- linux-2.6.38.1/drivers/net/igbvf/vf.h 2011-03-14 21:20:32.000000000 -0400
26500 +++ linux-2.6.38.1-new/drivers/net/igbvf/vf.h 2011-03-21 18:31:35.000000000 -0400
26501 @@ -191,6 +191,7 @@ struct e1000_mac_operations {
26504 struct e1000_mac_info {
26505 + /* cannot be const see e1000_init_mac_params_vf() */
26506 struct e1000_mac_operations ops;
26509 diff -urNp linux-2.6.38.1/drivers/net/irda/vlsi_ir.c linux-2.6.38.1-new/drivers/net/irda/vlsi_ir.c
26510 --- linux-2.6.38.1/drivers/net/irda/vlsi_ir.c 2011-03-14 21:20:32.000000000 -0400
26511 +++ linux-2.6.38.1-new/drivers/net/irda/vlsi_ir.c 2011-03-21 18:31:35.000000000 -0400
26512 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
26513 /* no race - tx-ring already empty */
26514 vlsi_set_baud(idev, iobase);
26515 netif_wake_queue(ndev);
26520 /* keep the speed change pending like it would
26521 * for any len>0 packet. tx completion interrupt
26522 * will apply it when the tx ring becomes empty.
26525 spin_unlock_irqrestore(&idev->lock, flags);
26526 dev_kfree_skb_any(skb);
26527 return NETDEV_TX_OK;
26528 diff -urNp linux-2.6.38.1/drivers/net/pcnet32.c linux-2.6.38.1-new/drivers/net/pcnet32.c
26529 --- linux-2.6.38.1/drivers/net/pcnet32.c 2011-03-14 21:20:32.000000000 -0400
26530 +++ linux-2.6.38.1-new/drivers/net/pcnet32.c 2011-03-21 18:31:35.000000000 -0400
26531 @@ -82,7 +82,7 @@ static int cards_found;
26533 * VLB I/O addresses
26535 -static unsigned int pcnet32_portlist[] __initdata =
26536 +static unsigned int pcnet32_portlist[] __devinitdata =
26537 { 0x300, 0x320, 0x340, 0x360, 0 };
26539 static int pcnet32_debug;
26540 diff -urNp linux-2.6.38.1/drivers/net/ppp_generic.c linux-2.6.38.1-new/drivers/net/ppp_generic.c
26541 --- linux-2.6.38.1/drivers/net/ppp_generic.c 2011-03-14 21:20:32.000000000 -0400
26542 +++ linux-2.6.38.1-new/drivers/net/ppp_generic.c 2011-03-21 18:31:35.000000000 -0400
26543 @@ -986,7 +986,6 @@ ppp_net_ioctl(struct net_device *dev, st
26544 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
26545 struct ppp_stats stats;
26546 struct ppp_comp_stats cstats;
26550 case SIOCGPPPSTATS:
26551 @@ -1008,8 +1007,7 @@ ppp_net_ioctl(struct net_device *dev, st
26555 - vers = PPP_VERSION;
26556 - if (copy_to_user(addr, vers, strlen(vers) + 1))
26557 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
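Review bot: `sizeof(PPP_VERSION)` equals the string length plus the NUL only while `PPP_VERSION` remains a string literal; if the macro were ever redefined as a `char *`, this call would silently copy a pointer-sized slice instead. A comment such as `/* PPP_VERSION is a string literal: sizeof includes the terminating NUL */` records the assumption the replacement relies on. ppp_net_ioctl() continues outside the hunk.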
26561 diff -urNp linux-2.6.38.1/drivers/net/tg3.h linux-2.6.38.1-new/drivers/net/tg3.h
26562 --- linux-2.6.38.1/drivers/net/tg3.h 2011-03-14 21:20:32.000000000 -0400
26563 +++ linux-2.6.38.1-new/drivers/net/tg3.h 2011-03-21 18:31:35.000000000 -0400
26564 @@ -131,6 +131,7 @@
26565 #define CHIPREV_ID_5750_A0 0x4000
26566 #define CHIPREV_ID_5750_A1 0x4001
26567 #define CHIPREV_ID_5750_A3 0x4003
26568 +#define CHIPREV_ID_5750_C1 0x4201
26569 #define CHIPREV_ID_5750_C2 0x4202
26570 #define CHIPREV_ID_5752_A0_HW 0x5000
26571 #define CHIPREV_ID_5752_A0 0x6000
26572 diff -urNp linux-2.6.38.1/drivers/net/tulip/de4x5.c linux-2.6.38.1-new/drivers/net/tulip/de4x5.c
26573 --- linux-2.6.38.1/drivers/net/tulip/de4x5.c 2011-03-14 21:20:32.000000000 -0400
26574 +++ linux-2.6.38.1-new/drivers/net/tulip/de4x5.c 2011-03-21 18:31:35.000000000 -0400
26575 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
26576 for (i=0; i<ETH_ALEN; i++) {
26577 tmp.addr[i] = dev->dev_addr[i];
26579 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26580 + if (ioc->len > sizeof tmp.addr || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
26583 case DE4X5_SET_HWADDR: /* Set the hardware address */
26584 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
26585 spin_lock_irqsave(&lp->lock, flags);
26586 memcpy(&statbuf, &lp->pktStats, ioc->len);
26587 spin_unlock_irqrestore(&lp->lock, flags);
26588 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
26589 + if (ioc->len > sizeof statbuf || copy_to_user(ioc->data, &statbuf, ioc->len))
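Review bot: The new `ioc->len > sizeof statbuf` guard runs after `memcpy(&statbuf, &lp->pktStats, ioc->len)` two lines above, so if `ioc->len` can still be caller-controlled at that point the stack copy has already overrun `statbuf` before the check rejects it; the guard belongs before the `spin_lock_irqsave`, e.g. `if (ioc->len > sizeof statbuf) return -EFAULT;`. If instead this case pins `ioc->len = sizeof(statbuf)` earlier (outside the hunk — confirm), the new test is dead and should carry a comment marking it as a defensive check. The first hunk in this file has the same shape, but there the copy loop is bounded by ETH_ALEN regardless of `ioc->len`, so only the comment applies.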
26593 diff -urNp linux-2.6.38.1/drivers/net/usb/hso.c linux-2.6.38.1-new/drivers/net/usb/hso.c
26594 --- linux-2.6.38.1/drivers/net/usb/hso.c 2011-03-14 21:20:32.000000000 -0400
26595 +++ linux-2.6.38.1-new/drivers/net/usb/hso.c 2011-03-21 18:31:35.000000000 -0400
26597 #include <asm/byteorder.h>
26598 #include <linux/serial_core.h>
26599 #include <linux/serial.h>
26601 +#include <asm/local.h>
26603 #define MOD_AUTHOR "Option Wireless"
26604 #define MOD_DESCRIPTION "USB High Speed Option driver"
26605 @@ -257,7 +257,7 @@ struct hso_serial {
26607 /* from usb_serial_port */
26608 struct tty_struct *tty;
26610 + local_t open_count;
26611 spinlock_t serial_lock;
26613 int (*write_data) (struct hso_serial *serial);
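Review bot: `local_t` is the kernel's per-CPU atomic: its operations are guaranteed atomic only against interrupts on the same CPU, not against another CPU, so using it for `open_count`, which is updated from tty open/close on any CPU and read from URB completion callbacks, gives no more cross-CPU safety than the plain `int` it replaces. If every access is in fact serialised by `serial_lock` or the parent's mutex (the open/close hunks below touch the counter outside the spinlock — confirm), a comment on the field should say so; otherwise `atomic_t` (or the patch's `atomic_unchecked_t`) is the appropriate type. This applies to all the hso.c hunks that follow, which only change the accessor calls.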
26614 @@ -1190,7 +1190,7 @@ static void put_rxbuf_data_and_resubmit_
26617 urb = serial->rx_urb[0];
26618 - if (serial->open_count > 0) {
26619 + if (local_read(&serial->open_count) > 0) {
26620 count = put_rxbuf_data(urb, serial);
26623 @@ -1226,7 +1226,7 @@ static void hso_std_serial_read_bulk_cal
26624 DUMP1(urb->transfer_buffer, urb->actual_length);
26626 /* Anyone listening? */
26627 - if (serial->open_count == 0)
26628 + if (local_read(&serial->open_count) == 0)
26632 @@ -1311,8 +1311,7 @@ static int hso_serial_open(struct tty_st
26633 spin_unlock_irq(&serial->serial_lock);
26635 /* check for port already opened, if not set the termios */
26636 - serial->open_count++;
26637 - if (serial->open_count == 1) {
26638 + if (local_inc_return(&serial->open_count) == 1) {
26639 serial->rx_state = RX_IDLE;
26640 /* Force default termio settings */
26641 _hso_serial_set_termios(tty, NULL);
26642 @@ -1324,7 +1323,7 @@ static int hso_serial_open(struct tty_st
26643 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
26645 hso_stop_serial_device(serial->parent);
26646 - serial->open_count--;
26647 + local_dec(&serial->open_count);
26648 kref_put(&serial->parent->ref, hso_serial_ref_free);
26651 @@ -1361,10 +1360,10 @@ static void hso_serial_close(struct tty_
26653 /* reset the rts and dtr */
26654 /* do the actual close */
26655 - serial->open_count--;
26656 + local_dec(&serial->open_count);
26658 - if (serial->open_count <= 0) {
26659 - serial->open_count = 0;
26660 + if (local_read(&serial->open_count) <= 0) {
26661 + local_set(&serial->open_count, 0);
26662 spin_lock_irq(&serial->serial_lock);
26663 if (serial->tty == tty) {
26664 serial->tty->driver_data = NULL;
26665 @@ -1446,7 +1445,7 @@ static void hso_serial_set_termios(struc
26667 /* the actual setup */
26668 spin_lock_irqsave(&serial->serial_lock, flags);
26669 - if (serial->open_count)
26670 + if (local_read(&serial->open_count))
26671 _hso_serial_set_termios(tty, old);
26673 tty->termios = old;
26674 @@ -1905,7 +1904,7 @@ static void intr_callback(struct urb *ur
26675 D1("Pending read interrupt on port %d\n", i);
26676 spin_lock(&serial->serial_lock);
26677 if (serial->rx_state == RX_IDLE &&
26678 - serial->open_count > 0) {
26679 + local_read(&serial->open_count) > 0) {
26680 /* Setup and send a ctrl req read on
26682 if (!serial->rx_urb_filled[0]) {
26683 @@ -3097,7 +3096,7 @@ static int hso_resume(struct usb_interfa
26684 /* Start all serial ports */
26685 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
26686 if (serial_table[i] && (serial_table[i]->interface == iface)) {
26687 - if (dev2ser(serial_table[i])->open_count) {
26688 + if (local_read(&dev2ser(serial_table[i])->open_count)) {
26690 hso_start_serial_device(serial_table[i], GFP_NOIO);
26691 hso_kick_transmit(dev2ser(serial_table[i]));
26692 diff -urNp linux-2.6.38.1/drivers/net/wireless/b43/debugfs.c linux-2.6.38.1-new/drivers/net/wireless/b43/debugfs.c
26693 --- linux-2.6.38.1/drivers/net/wireless/b43/debugfs.c 2011-03-14 21:20:32.000000000 -0400
26694 +++ linux-2.6.38.1-new/drivers/net/wireless/b43/debugfs.c 2011-03-21 18:31:35.000000000 -0400
26695 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
26696 struct b43_debugfs_fops {
26697 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
26698 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
26699 - struct file_operations fops;
26700 + const struct file_operations fops;
26701 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
26702 size_t file_struct_offset;
26704 diff -urNp linux-2.6.38.1/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.38.1-new/drivers/net/wireless/b43legacy/debugfs.c
26705 --- linux-2.6.38.1/drivers/net/wireless/b43legacy/debugfs.c 2011-03-14 21:20:32.000000000 -0400
26706 +++ linux-2.6.38.1-new/drivers/net/wireless/b43legacy/debugfs.c 2011-03-21 18:31:35.000000000 -0400
26707 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
26708 struct b43legacy_debugfs_fops {
26709 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
26710 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
26711 - struct file_operations fops;
26712 + const struct file_operations fops;
26713 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
26714 size_t file_struct_offset;
26715 /* Take wl->irq_lock before calling read/write? */
26716 diff -urNp linux-2.6.38.1/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.38.1-new/drivers/net/wireless/iwlwifi/iwl-debug.h
26717 --- linux-2.6.38.1/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-14 21:20:32.000000000 -0400
26718 +++ linux-2.6.38.1-new/drivers/net/wireless/iwlwifi/iwl-debug.h 2011-03-21 18:31:35.000000000 -0400
26719 @@ -68,8 +68,8 @@ do {
26723 -#define IWL_DEBUG(__priv, level, fmt, args...)
26724 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
26725 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
26726 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
26727 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
26728 const void *p, u32 len)
26730 diff -urNp linux-2.6.38.1/drivers/net/wireless/libertas/debugfs.c linux-2.6.38.1-new/drivers/net/wireless/libertas/debugfs.c
26731 --- linux-2.6.38.1/drivers/net/wireless/libertas/debugfs.c 2011-03-14 21:20:32.000000000 -0400
26732 +++ linux-2.6.38.1-new/drivers/net/wireless/libertas/debugfs.c 2011-03-21 18:31:35.000000000 -0400
26733 @@ -702,7 +702,7 @@ out_unlock:
26734 struct lbs_debugfs_files {
26737 - struct file_operations fops;
26738 + const struct file_operations fops;
26741 static const struct lbs_debugfs_files debugfs_files[] = {
26742 diff -urNp linux-2.6.38.1/drivers/net/wireless/rndis_wlan.c linux-2.6.38.1-new/drivers/net/wireless/rndis_wlan.c
26743 --- linux-2.6.38.1/drivers/net/wireless/rndis_wlan.c 2011-03-14 21:20:32.000000000 -0400
26744 +++ linux-2.6.38.1-new/drivers/net/wireless/rndis_wlan.c 2011-03-21 18:31:35.000000000 -0400
26745 @@ -1277,7 +1277,7 @@ static int set_rts_threshold(struct usbn
26747 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
26749 - if (rts_threshold < 0 || rts_threshold > 2347)
26750 + if (rts_threshold > 2347)
26751 rts_threshold = 2347;
26753 tmp = cpu_to_le32(rts_threshold);
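Review bot: Dropping `rts_threshold < 0` is correct only because the parameter is unsigned (the signature is truncated in the hunk header — confirm it is `u32`), in which case the removed test was always false. A comment noting that cfg80211's "disabled" value, `(u32)-1`, takes the clamp-to-2347 path would make the intended handling visible, since the clamp is now the only check. set_rts_threshold() continues outside the hunk.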
26754 diff -urNp linux-2.6.38.1/drivers/oprofile/buffer_sync.c linux-2.6.38.1-new/drivers/oprofile/buffer_sync.c
26755 --- linux-2.6.38.1/drivers/oprofile/buffer_sync.c 2011-03-14 21:20:32.000000000 -0400
26756 +++ linux-2.6.38.1-new/drivers/oprofile/buffer_sync.c 2011-03-21 18:31:35.000000000 -0400
26757 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
26758 if (cookie == NO_COOKIE)
26760 if (cookie == INVALID_COOKIE) {
26761 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26762 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26765 if (cookie != last_cookie) {
26766 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
26767 /* add userspace sample */
26770 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
26771 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
26775 cookie = lookup_dcookie(mm, s->eip, &offset);
26777 if (cookie == INVALID_COOKIE) {
26778 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
26779 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
26783 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
26784 /* ignore backtraces if failed to add a sample */
26785 if (state == sb_bt_start) {
26786 state = sb_bt_ignore;
26787 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
26788 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
26792 diff -urNp linux-2.6.38.1/drivers/oprofile/event_buffer.c linux-2.6.38.1-new/drivers/oprofile/event_buffer.c
26793 --- linux-2.6.38.1/drivers/oprofile/event_buffer.c 2011-03-14 21:20:32.000000000 -0400
26794 +++ linux-2.6.38.1-new/drivers/oprofile/event_buffer.c 2011-03-21 18:31:35.000000000 -0400
26795 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
26798 if (buffer_pos == buffer_size) {
26799 - atomic_inc(&oprofile_stats.event_lost_overflow);
26800 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
26804 diff -urNp linux-2.6.38.1/drivers/oprofile/oprof.c linux-2.6.38.1-new/drivers/oprofile/oprof.c
26805 --- linux-2.6.38.1/drivers/oprofile/oprof.c 2011-03-14 21:20:32.000000000 -0400
26806 +++ linux-2.6.38.1-new/drivers/oprofile/oprof.c 2011-03-21 18:31:35.000000000 -0400
26807 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
26808 if (oprofile_ops.switch_events())
26811 - atomic_inc(&oprofile_stats.multiplex_counter);
26812 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
26813 start_switch_worker();
26816 diff -urNp linux-2.6.38.1/drivers/oprofile/oprofilefs.c linux-2.6.38.1-new/drivers/oprofile/oprofilefs.c
26817 --- linux-2.6.38.1/drivers/oprofile/oprofilefs.c 2011-03-14 21:20:32.000000000 -0400
26818 +++ linux-2.6.38.1-new/drivers/oprofile/oprofilefs.c 2011-03-21 18:31:35.000000000 -0400
26819 @@ -186,7 +186,7 @@ static const struct file_operations atom
26822 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
26823 - char const *name, atomic_t *val)
26824 + char const *name, atomic_unchecked_t *val)
26826 return __oprofilefs_create_file(sb, root, name,
26827 &atomic_ro_fops, 0444, val);
26828 diff -urNp linux-2.6.38.1/drivers/oprofile/oprofile_stats.c linux-2.6.38.1-new/drivers/oprofile/oprofile_stats.c
26829 --- linux-2.6.38.1/drivers/oprofile/oprofile_stats.c 2011-03-14 21:20:32.000000000 -0400
26830 +++ linux-2.6.38.1-new/drivers/oprofile/oprofile_stats.c 2011-03-21 18:31:35.000000000 -0400
26831 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
26832 cpu_buf->sample_invalid_eip = 0;
26835 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
26836 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
26837 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
26838 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
26839 - atomic_set(&oprofile_stats.multiplex_counter, 0);
26840 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
26841 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
26842 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
26843 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
26844 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
26848 diff -urNp linux-2.6.38.1/drivers/oprofile/oprofile_stats.h linux-2.6.38.1-new/drivers/oprofile/oprofile_stats.h
26849 --- linux-2.6.38.1/drivers/oprofile/oprofile_stats.h 2011-03-14 21:20:32.000000000 -0400
26850 +++ linux-2.6.38.1-new/drivers/oprofile/oprofile_stats.h 2011-03-21 18:31:35.000000000 -0400
26851 @@ -13,11 +13,11 @@
26852 #include <asm/atomic.h>
26854 struct oprofile_stat_struct {
26855 - atomic_t sample_lost_no_mm;
26856 - atomic_t sample_lost_no_mapping;
26857 - atomic_t bt_lost_no_mapping;
26858 - atomic_t event_lost_overflow;
26859 - atomic_t multiplex_counter;
26860 + atomic_unchecked_t sample_lost_no_mm;
26861 + atomic_unchecked_t sample_lost_no_mapping;
26862 + atomic_unchecked_t bt_lost_no_mapping;
26863 + atomic_unchecked_t event_lost_overflow;
26864 + atomic_unchecked_t multiplex_counter;
26867 extern struct oprofile_stat_struct oprofile_stats;
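Review bot: The switch of these counters to `atomic_unchecked_t` carries no comment saying why they are exempt from the overflow checking that the checked `atomic_t` now gets, so a reader unfamiliar with the PaX distinction sees an unexplained type change. A one-line comment on the struct, `/* statistics only, not reference counts: wraparound is harmless, hence the unchecked variant */`, would record the invariant the change depends on. The same note applies to the `struct fc_exch_mgr` stats in fc_exch.c (27221-27232) and `mcache_gen` in pohmelfs netfs.h (27609-27610).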
26868 diff -urNp linux-2.6.38.1/drivers/parport/procfs.c linux-2.6.38.1-new/drivers/parport/procfs.c
26869 --- linux-2.6.38.1/drivers/parport/procfs.c 2011-03-14 21:20:32.000000000 -0400
26870 +++ linux-2.6.38.1-new/drivers/parport/procfs.c 2011-03-21 18:31:35.000000000 -0400
26871 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
26875 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
26876 + return (len > sizeof buffer || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
26879 #ifdef CONFIG_PARPORT_1284
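Review bot: The new `len > sizeof buffer` test runs only at the copy-out, after `buffer` has already been filled and `len` computed from it (those lines are outside the hunk), so an oversized `len` would mean the local buffer was overrun earlier; the guard stops the over-read to user space but not the write. If the formatting into `buffer` is an unbounded `sprintf`, the bounded write belongs there (`snprintf(buffer, sizeof buffer, ...)`) and this check becomes a second line of defence. The same applies to the `do_autoprobe` hunk at 26884-26885. `sizeof buffer` is only the array size if `buffer` is declared as an array in this function, which cannot be confirmed from the hunk.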
26880 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
26884 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
26885 + return (len > sizeof buffer || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
26887 #endif /* IEEE1284.3 support. */
26889 diff -urNp linux-2.6.38.1/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.38.1-new/drivers/pci/hotplug/acpiphp_glue.c
26890 --- linux-2.6.38.1/drivers/pci/hotplug/acpiphp_glue.c 2011-03-14 21:20:32.000000000 -0400
26891 +++ linux-2.6.38.1-new/drivers/pci/hotplug/acpiphp_glue.c 2011-03-21 18:31:35.000000000 -0400
26892 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
26896 -static struct acpi_dock_ops acpiphp_dock_ops = {
26897 +static const struct acpi_dock_ops acpiphp_dock_ops = {
26898 .handler = handle_hotplug_event_func,
26901 diff -urNp linux-2.6.38.1/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.38.1-new/drivers/pci/hotplug/cpqphp_nvram.c
26902 --- linux-2.6.38.1/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-14 21:20:32.000000000 -0400
26903 +++ linux-2.6.38.1-new/drivers/pci/hotplug/cpqphp_nvram.c 2011-03-21 18:31:35.000000000 -0400
26904 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
26906 void compaq_nvram_init (void __iomem *rom_start)
26909 +#ifndef CONFIG_PAX_KERNEXEC
26911 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
26915 dbg("int15 entry = %p\n", compaq_int15_entry_point);
26917 /* initialize our int15 lock */
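Review bot: The `#ifndef CONFIG_PAX_KERNEXEC` guard around the `compaq_int15_entry_point` assignment has no comment explaining what the entry point is when the option is enabled; the closing `#endif` and the rest of `compaq_nvram_init` are not visible here, so whether the variable keeps a usable value in that configuration cannot be confirmed. A comment at the guard, e.g. `/* KERNEXEC: rom_start is not used as the int15 entry point here; see <where compaq_int15_entry_point is set up> */` with the placeholder filled in, would save the next reader the search.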
26918 diff -urNp linux-2.6.38.1/drivers/pci/intel-iommu.c linux-2.6.38.1-new/drivers/pci/intel-iommu.c
26919 --- linux-2.6.38.1/drivers/pci/intel-iommu.c 2011-03-14 21:20:32.000000000 -0400
26920 +++ linux-2.6.38.1-new/drivers/pci/intel-iommu.c 2011-03-21 18:31:35.000000000 -0400
26921 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
26925 -struct dma_map_ops intel_dma_ops = {
26926 +const struct dma_map_ops intel_dma_ops = {
26927 .alloc_coherent = intel_alloc_coherent,
26928 .free_coherent = intel_free_coherent,
26929 .map_sg = intel_map_sg,
26930 diff -urNp linux-2.6.38.1/drivers/pci/pcie/aspm.c linux-2.6.38.1-new/drivers/pci/pcie/aspm.c
26931 --- linux-2.6.38.1/drivers/pci/pcie/aspm.c 2011-03-14 21:20:32.000000000 -0400
26932 +++ linux-2.6.38.1-new/drivers/pci/pcie/aspm.c 2011-03-21 18:31:35.000000000 -0400
26934 #define MODULE_PARAM_PREFIX "pcie_aspm."
26936 /* Note: those are not register definitions */
26937 -#define ASPM_STATE_L0S_UP (1) /* Upstream direction L0s state */
26938 -#define ASPM_STATE_L0S_DW (2) /* Downstream direction L0s state */
26939 -#define ASPM_STATE_L1 (4) /* L1 state */
26940 +#define ASPM_STATE_L0S_UP (1U) /* Upstream direction L0s state */
26941 +#define ASPM_STATE_L0S_DW (2U) /* Downstream direction L0s state */
26942 +#define ASPM_STATE_L1 (4U) /* L1 state */
26943 #define ASPM_STATE_L0S (ASPM_STATE_L0S_UP | ASPM_STATE_L0S_DW)
26944 #define ASPM_STATE_ALL (ASPM_STATE_L0S | ASPM_STATE_L1)
26946 diff -urNp linux-2.6.38.1/drivers/pci/pcie/portdrv_pci.c linux-2.6.38.1-new/drivers/pci/pcie/portdrv_pci.c
26947 --- linux-2.6.38.1/drivers/pci/pcie/portdrv_pci.c 2011-03-14 21:20:32.000000000 -0400
26948 +++ linux-2.6.38.1-new/drivers/pci/pcie/portdrv_pci.c 2011-03-21 18:31:35.000000000 -0400
26949 @@ -307,7 +307,7 @@ static void pcie_portdrv_err_resume(stru
26950 static const struct pci_device_id port_pci_ids[] = { {
26951 /* handle any PCI-Express port */
26952 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
26953 - }, { /* end: all zeroes */ }
26954 + }, { 0, 0, 0, 0, 0, 0, 0 }
26956 MODULE_DEVICE_TABLE(pci, port_pci_ids);
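Review bot: Replacing the empty sentinel with seven positional zeros ties the terminator to the current field count of `struct pci_device_id`: if a field is added the initializer still compiles but no longer reads as "all zeroes" to a maintainer, and if one is removed it stops compiling. `{ 0 }` (or a designated `{ .vendor = 0 }`) gives the same zero-filled sentinel without depending on field order or count and keeps the intent the removed comment carried. The same pattern appears in ti113x.h `ene_tune_tbl` (27015) and yenta_socket.c `yenta_table` (27027).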
26958 diff -urNp linux-2.6.38.1/drivers/pci/probe.c linux-2.6.38.1-new/drivers/pci/probe.c
26959 --- linux-2.6.38.1/drivers/pci/probe.c 2011-03-14 21:20:32.000000000 -0400
26960 +++ linux-2.6.38.1-new/drivers/pci/probe.c 2011-03-21 18:31:35.000000000 -0400
26961 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
26965 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
26966 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
26967 struct device_attribute *attr,
26970 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
26973 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
26974 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
26975 struct device_attribute *attr,
26978 @@ -165,7 +165,7 @@ int __pci_read_base(struct pci_dev *dev,
26982 - mask = type ? PCI_ROM_ADDRESS_MASK : ~0;
26983 + mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0;
26985 if (!dev->mmio_always_on) {
26986 pci_read_config_word(dev, PCI_COMMAND, &orig_cmd);
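Review bot: After the cast only one arm of the conditional is unsigned, `(u32)PCI_ROM_ADDRESS_MASK` against the `int` `~0`, so the result type is still decided by the usual arithmetic conversions; `~0U` on the other arm makes both sides unsigned explicitly, `mask = type ? (u32)PCI_ROM_ADDRESS_MASK : ~0U;`. The declaration of `mask` is outside the hunk; if it is `u32` the stored value is the same either way and this is a readability point only.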
26987 diff -urNp linux-2.6.38.1/drivers/pci/proc.c linux-2.6.38.1-new/drivers/pci/proc.c
26988 --- linux-2.6.38.1/drivers/pci/proc.c 2011-03-14 21:20:32.000000000 -0400
26989 +++ linux-2.6.38.1-new/drivers/pci/proc.c 2011-03-21 18:31:35.000000000 -0400
26990 @@ -476,7 +476,16 @@ static const struct file_operations proc
26991 static int __init pci_proc_init(void)
26993 struct pci_dev *dev = NULL;
26995 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
26996 +#ifdef CONFIG_GRKERNSEC_PROC_USER
26997 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
26998 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
26999 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27002 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27004 proc_create("devices", 0, proc_bus_pci_dir,
27005 &proc_bus_pci_dev_operations);
27006 proc_initialized = 1;
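Review bot: The two new `proc_mkdir_mode()` calls, like the existing `proc_mkdir()` on 27002, leave the return value unchecked; if the directory cannot be created, `proc_bus_pci_dir` stays NULL and the following `proc_create("devices", ...)` is handed a NULL parent. A single `if (!proc_bus_pci_dir) return -ENOMEM;` placed after the conditional would cover all three branches at once. The `#else`/`#endif` lines of the new conditional are not visible in the hunk.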
27007 diff -urNp linux-2.6.38.1/drivers/pcmcia/ti113x.h linux-2.6.38.1-new/drivers/pcmcia/ti113x.h
27008 --- linux-2.6.38.1/drivers/pcmcia/ti113x.h 2011-03-14 21:20:32.000000000 -0400
27009 +++ linux-2.6.38.1-new/drivers/pcmcia/ti113x.h 2011-03-21 18:31:35.000000000 -0400
27010 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27011 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27012 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27015 + { 0, 0, 0, 0, 0, 0, 0 }
27018 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27019 diff -urNp linux-2.6.38.1/drivers/pcmcia/yenta_socket.c linux-2.6.38.1-new/drivers/pcmcia/yenta_socket.c
27020 --- linux-2.6.38.1/drivers/pcmcia/yenta_socket.c 2011-03-14 21:20:32.000000000 -0400
27021 +++ linux-2.6.38.1-new/drivers/pcmcia/yenta_socket.c 2011-03-21 18:31:35.000000000 -0400
27022 @@ -1426,7 +1426,7 @@ static struct pci_device_id yenta_table[
27024 /* match any cardbus bridge */
27025 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27026 - { /* all zeroes */ }
27027 + { 0, 0, 0, 0, 0, 0, 0 }
27029 MODULE_DEVICE_TABLE(pci, yenta_table);
27031 diff -urNp linux-2.6.38.1/drivers/platform/x86/asus-laptop.c linux-2.6.38.1-new/drivers/platform/x86/asus-laptop.c
27032 --- linux-2.6.38.1/drivers/platform/x86/asus-laptop.c 2011-03-14 21:20:32.000000000 -0400
27033 +++ linux-2.6.38.1-new/drivers/platform/x86/asus-laptop.c 2011-03-21 18:31:35.000000000 -0400
27034 @@ -243,7 +243,6 @@ struct asus_laptop {
27035 struct asus_led gled;
27036 struct asus_led kled;
27037 struct workqueue_struct *led_workqueue;
27039 int wireless_status;
27042 diff -urNp linux-2.6.38.1/drivers/pnp/pnpbios/bioscalls.c linux-2.6.38.1-new/drivers/pnp/pnpbios/bioscalls.c
27043 --- linux-2.6.38.1/drivers/pnp/pnpbios/bioscalls.c 2011-03-14 21:20:32.000000000 -0400
27044 +++ linux-2.6.38.1-new/drivers/pnp/pnpbios/bioscalls.c 2011-03-21 18:31:35.000000000 -0400
27045 @@ -59,7 +59,7 @@ do { \
27046 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27049 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27050 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27051 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
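Review bot: The access byte of `bad_bios_desc` changes from 0x92 to 0x93 with no comment; the difference is bit 0 of the descriptor type, the x86 accessed bit, so the change pre-marks the data segment as accessed, presumably so that the CPU never has to write the accessed bit into a GDT that this patch keeps read-only (the descriptor itself is now `const` too). A comment on the line, `/* 0x93: accessed bit pre-set so the CPU never writes this descriptor into the read-only GDT */`, would record that reasoning next to the constant.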
27054 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27057 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27059 + pax_open_kernel();
27060 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27061 + pax_close_kernel();
27063 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27064 spin_lock_irqsave(&pnp_bios_lock, flags);
27065 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27067 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27069 + pax_open_kernel();
27070 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27071 + pax_close_kernel();
27075 /* If we get here and this is set then the PnP BIOS faulted on us. */
27076 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27080 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27081 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27085 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27086 pnp_bios_callpoint.offset = header->fields.pm16offset;
27087 pnp_bios_callpoint.segment = PNP_CS16;
27089 + pax_open_kernel();
27091 for_each_possible_cpu(i) {
27092 struct desc_struct *gdt = get_cpu_gdt_table(i);
27094 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27095 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27096 (unsigned long)__va(header->fields.pm16dseg));
27099 + pax_close_kernel();
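Review bot: The `pax_close_kernel()` added here pairs with the `pax_open_kernel()` in the hunk at 27089, leaving the kernel writable across the whole `for_each_possible_cpu()` loop whose body is mostly outside view; any early exit inside that loop would skip the close and leave the protection off. If there is no such exit, a comment at the open naming its close (`/* GDT entries are written in the loop below; closed after it */`) makes the pairing visible to a reader of either hunk; otherwise the pair should bracket each `set_desc_base()` write instead.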
27101 diff -urNp linux-2.6.38.1/drivers/pnp/quirks.c linux-2.6.38.1-new/drivers/pnp/quirks.c
27102 --- linux-2.6.38.1/drivers/pnp/quirks.c 2011-03-14 21:20:32.000000000 -0400
27103 +++ linux-2.6.38.1-new/drivers/pnp/quirks.c 2011-03-21 18:31:35.000000000 -0400
27104 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27105 /* PnP resources that might overlap PCI BARs */
27106 {"PNP0c01", quirk_system_pci_resources},
27107 {"PNP0c02", quirk_system_pci_resources},
27112 void pnp_fixup_device(struct pnp_dev *dev)
27113 diff -urNp linux-2.6.38.1/drivers/pnp/resource.c linux-2.6.38.1-new/drivers/pnp/resource.c
27114 --- linux-2.6.38.1/drivers/pnp/resource.c 2011-03-14 21:20:32.000000000 -0400
27115 +++ linux-2.6.38.1-new/drivers/pnp/resource.c 2011-03-21 18:31:35.000000000 -0400
27116 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27119 /* check if the resource is valid */
27120 - if (*irq < 0 || *irq > 15)
27124 /* check if the resource is reserved */
27125 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27128 /* check if the resource is valid */
27129 - if (*dma < 0 || *dma == 4 || *dma > 7)
27130 + if (*dma == 4 || *dma > 7)
27133 /* check if the resource is reserved */
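Review bot: Dropping `*dma < 0` (and `*irq < 0` in the hunk at 27120) is only a no-op if `*dma` and `*irq` are unsigned; their declarations are outside these hunks. If they are `resource_size_t` the old tests were dead code and this is a clean-up; if either were signed, a negative value would now pass the range test and reach the reserved-resource checks below. A short comment, `/* *dma is unsigned: no lower-bound check needed */`, would record the assumption the change relies on.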
27134 diff -urNp linux-2.6.38.1/drivers/rtc/rtc-dev.c linux-2.6.38.1-new/drivers/rtc/rtc-dev.c
27135 --- linux-2.6.38.1/drivers/rtc/rtc-dev.c 2011-03-14 21:20:32.000000000 -0400
27136 +++ linux-2.6.38.1-new/drivers/rtc/rtc-dev.c 2011-03-21 18:31:35.000000000 -0400
27138 #include <linux/module.h>
27139 #include <linux/rtc.h>
27140 #include <linux/sched.h>
27141 +#include <linux/grsecurity.h>
27142 #include "rtc-core.h"
27144 static dev_t rtc_devt;
27145 @@ -345,6 +346,8 @@ static long rtc_dev_ioctl(struct file *f
27146 if (copy_from_user(&tm, uarg, sizeof(tm)))
27149 + gr_log_timechange();
27151 return rtc_set_time(rtc, &tm);
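Review bot: `gr_log_timechange()` fires before `rtc_set_time()` is called, so every attempt is logged, including ones the driver then rejects; the line handling the `copy_from_user` failure on 27146 is not visible, so whether a bad user pointer is logged as well cannot be confirmed here. If logging attempts is the intent, which is reasonable for an audit trail, a comment such as `/* audit the attempt, not the outcome: logged even if rtc_set_time() fails */` would state it; otherwise the call belongs after a successful return.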
27154 diff -urNp linux-2.6.38.1/drivers/rtc/rtc-ds1511.c linux-2.6.38.1-new/drivers/rtc/rtc-ds1511.c
27155 --- linux-2.6.38.1/drivers/rtc/rtc-ds1511.c 2011-03-14 21:20:32.000000000 -0400
27156 +++ linux-2.6.38.1-new/drivers/rtc/rtc-ds1511.c 2011-03-21 18:31:35.000000000 -0400
27157 @@ -485,7 +485,7 @@ ds1511_nvram_write(struct file *filp, st
27158 static struct bin_attribute ds1511_nvram_attr = {
27161 - .mode = S_IRUGO | S_IWUGO,
27162 + .mode = S_IRUGO | S_IWUSR,
27164 .size = DS1511_RAM_MAX,
27165 .read = ds1511_nvram_read,
27166 diff -urNp linux-2.6.38.1/drivers/s390/cio/qdio_debug.c linux-2.6.38.1-new/drivers/s390/cio/qdio_debug.c
27167 --- linux-2.6.38.1/drivers/s390/cio/qdio_debug.c 2011-03-14 21:20:32.000000000 -0400
27168 +++ linux-2.6.38.1-new/drivers/s390/cio/qdio_debug.c 2011-03-21 18:31:35.000000000 -0400
27169 @@ -225,7 +225,7 @@ static int qperf_seq_open(struct inode *
27170 filp->f_path.dentry->d_inode->i_private);
27173 -static struct file_operations debugfs_perf_fops = {
27174 +static const struct file_operations debugfs_perf_fops = {
27175 .owner = THIS_MODULE,
27176 .open = qperf_seq_open,
27178 diff -urNp linux-2.6.38.1/drivers/scsi/aic94xx/aic94xx_init.c linux-2.6.38.1-new/drivers/scsi/aic94xx/aic94xx_init.c
27179 --- linux-2.6.38.1/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-14 21:20:32.000000000 -0400
27180 +++ linux-2.6.38.1-new/drivers/scsi/aic94xx/aic94xx_init.c 2011-03-21 18:31:35.000000000 -0400
27181 @@ -486,7 +486,7 @@ static ssize_t asd_show_update_bios(stru
27182 flash_error_table[i].reason);
27185 -static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUGO,
27186 +static DEVICE_ATTR(update_bios, S_IRUGO|S_IWUSR,
27187 asd_show_update_bios, asd_store_update_bios);
27189 static int asd_create_dev_attrs(struct asd_ha_struct *asd_ha)
27190 diff -urNp linux-2.6.38.1/drivers/scsi/hpsa.c linux-2.6.38.1-new/drivers/scsi/hpsa.c
27191 --- linux-2.6.38.1/drivers/scsi/hpsa.c 2011-03-14 21:20:32.000000000 -0400
27192 +++ linux-2.6.38.1-new/drivers/scsi/hpsa.c 2011-03-21 18:31:35.000000000 -0400
27193 @@ -2281,6 +2281,8 @@ static int hpsa_ioctl32_passthru(struct
27197 + memset(&arg64, 0, sizeof(arg64));
27200 err |= copy_from_user(&arg64.LUN_info, &arg32->LUN_info,
27201 sizeof(arg64.LUN_info));
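Review bot: The added `memset(&arg64, 0, sizeof(arg64))` zeroes the stack struct before its fields are filled piecewise from the 32-bit layout, so padding and any field not copied no longer carry uninitialised stack bytes into wherever the struct is copied afterwards (that copy-out is outside the hunk). A comment on the line, `/* clear padding and untouched fields: arg64 is copied out later */`, would record why the zeroing matters, since a later refactor could otherwise drop it as redundant.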
27202 diff -urNp linux-2.6.38.1/drivers/scsi/ipr.c linux-2.6.38.1-new/drivers/scsi/ipr.c
27203 --- linux-2.6.38.1/drivers/scsi/ipr.c 2011-03-14 21:20:32.000000000 -0400
27204 +++ linux-2.6.38.1-new/drivers/scsi/ipr.c 2011-03-21 18:31:35.000000000 -0400
27205 @@ -6207,7 +6207,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27209 -static struct ata_port_operations ipr_sata_ops = {
27210 +static const struct ata_port_operations ipr_sata_ops = {
27211 .phy_reset = ipr_ata_phy_reset,
27212 .hardreset = ipr_sata_reset,
27213 .post_internal_cmd = ipr_ata_post_internal,
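Review bot: Making `ipr_sata_ops` `const` is safe only if libata no longer writes into `struct ata_port_operations` in place (the finalisation of inherited ops is done in libata-core, outside this chunk); if that path still assigns through the pointer, the object now sits in read-only data and the write faults at runtime instead of failing at compile time. The same question applies to `sas_sata_ops` in sas_ata.c (27345) and `phison_ops` in phison.c (27573). If the core was adjusted in another part of the patch, a comment on the declaration naming that dependency would help reviewers of this file.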
27214 diff -urNp linux-2.6.38.1/drivers/scsi/libfc/fc_exch.c linux-2.6.38.1-new/drivers/scsi/libfc/fc_exch.c
27215 --- linux-2.6.38.1/drivers/scsi/libfc/fc_exch.c 2011-03-14 21:20:32.000000000 -0400
27216 +++ linux-2.6.38.1-new/drivers/scsi/libfc/fc_exch.c 2011-03-21 18:31:35.000000000 -0400
27217 @@ -105,12 +105,12 @@ struct fc_exch_mgr {
27218 * all together if not used XXX
27221 - atomic_t no_free_exch;
27222 - atomic_t no_free_exch_xid;
27223 - atomic_t xid_not_found;
27224 - atomic_t xid_busy;
27225 - atomic_t seq_not_found;
27226 - atomic_t non_bls_resp;
27227 + atomic_unchecked_t no_free_exch;
27228 + atomic_unchecked_t no_free_exch_xid;
27229 + atomic_unchecked_t xid_not_found;
27230 + atomic_unchecked_t xid_busy;
27231 + atomic_unchecked_t seq_not_found;
27232 + atomic_unchecked_t non_bls_resp;
27236 @@ -687,7 +687,7 @@ static struct fc_exch *fc_exch_em_alloc(
27237 /* allocate memory for exchange */
27238 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27240 - atomic_inc(&mp->stats.no_free_exch);
27241 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27244 memset(ep, 0, sizeof(*ep));
27245 @@ -748,7 +748,7 @@ out:
27248 spin_unlock_bh(&pool->lock);
27249 - atomic_inc(&mp->stats.no_free_exch_xid);
27250 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27251 mempool_free(ep, mp->ep_pool);
27254 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27255 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27256 ep = fc_exch_find(mp, xid);
27258 - atomic_inc(&mp->stats.xid_not_found);
27259 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27260 reject = FC_RJT_OX_ID;
27263 @@ -923,7 +923,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27264 ep = fc_exch_find(mp, xid);
27265 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27267 - atomic_inc(&mp->stats.xid_busy);
27268 + atomic_inc_unchecked(&mp->stats.xid_busy);
27269 reject = FC_RJT_RX_ID;
27272 @@ -934,7 +934,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27274 xid = ep->xid; /* get our XID */
27276 - atomic_inc(&mp->stats.xid_not_found);
27277 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27278 reject = FC_RJT_RX_ID; /* XID not found */
27281 @@ -951,7 +951,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27284 if (sp->id != fh->fh_seq_id) {
27285 - atomic_inc(&mp->stats.seq_not_found);
27286 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27287 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27290 @@ -1368,22 +1368,22 @@ static void fc_exch_recv_seq_resp(struct
27292 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27294 - atomic_inc(&mp->stats.xid_not_found);
27295 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27298 if (ep->esb_stat & ESB_ST_COMPLETE) {
27299 - atomic_inc(&mp->stats.xid_not_found);
27300 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27303 if (ep->rxid == FC_XID_UNKNOWN)
27304 ep->rxid = ntohs(fh->fh_rx_id);
27305 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27306 - atomic_inc(&mp->stats.xid_not_found);
27307 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27310 if (ep->did != ntoh24(fh->fh_s_id) &&
27311 ep->did != FC_FID_FLOGI) {
27312 - atomic_inc(&mp->stats.xid_not_found);
27313 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27317 @@ -1392,7 +1392,7 @@ static void fc_exch_recv_seq_resp(struct
27318 sp->ssb_stat |= SSB_ST_RESP;
27319 sp->id = fh->fh_seq_id;
27320 } else if (sp->id != fh->fh_seq_id) {
27321 - atomic_inc(&mp->stats.seq_not_found);
27322 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27326 @@ -1455,9 +1455,9 @@ static void fc_exch_recv_resp(struct fc_
27327 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
27330 - atomic_inc(&mp->stats.xid_not_found);
27331 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27333 - atomic_inc(&mp->stats.non_bls_resp);
27334 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
27338 diff -urNp linux-2.6.38.1/drivers/scsi/libsas/sas_ata.c linux-2.6.38.1-new/drivers/scsi/libsas/sas_ata.c
27339 --- linux-2.6.38.1/drivers/scsi/libsas/sas_ata.c 2011-03-14 21:20:32.000000000 -0400
27340 +++ linux-2.6.38.1-new/drivers/scsi/libsas/sas_ata.c 2011-03-21 18:31:35.000000000 -0400
27341 @@ -348,10 +348,10 @@ static int sas_ata_scr_read(struct ata_l
27345 -static struct ata_port_operations sas_sata_ops = {
27346 +static const struct ata_port_operations sas_sata_ops = {
27347 .phy_reset = sas_ata_phy_reset,
27348 .post_internal_cmd = sas_ata_post_internal,
27349 - .qc_defer = ata_std_qc_defer,
27350 + .qc_defer = ata_std_qc_defer,
27351 .qc_prep = ata_noop_qc_prep,
27352 .qc_issue = sas_ata_qc_issue,
27353 .qc_fill_rtf = sas_ata_qc_fill_rtf,
27354 diff -urNp linux-2.6.38.1/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.38.1-new/drivers/scsi/mpt2sas/mpt2sas_debug.h
27355 --- linux-2.6.38.1/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-03-14 21:20:32.000000000 -0400
27356 +++ linux-2.6.38.1-new/drivers/scsi/mpt2sas/mpt2sas_debug.h 2011-03-21 18:31:35.000000000 -0400
27361 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
27362 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
27363 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
27366 diff -urNp linux-2.6.38.1/drivers/scsi/qla2xxx/qla_os.c linux-2.6.38.1-new/drivers/scsi/qla2xxx/qla_os.c
27367 --- linux-2.6.38.1/drivers/scsi/qla2xxx/qla_os.c 2011-03-14 21:20:32.000000000 -0400
27368 +++ linux-2.6.38.1-new/drivers/scsi/qla2xxx/qla_os.c 2011-03-21 18:31:35.000000000 -0400
27369 @@ -4096,7 +4096,7 @@ static struct pci_driver qla2xxx_pci_dri
27370 .err_handler = &qla2xxx_err_handler,
27373 -static struct file_operations apidev_fops = {
27374 +static const struct file_operations apidev_fops = {
27375 .owner = THIS_MODULE,
27376 .llseek = noop_llseek,
27378 diff -urNp linux-2.6.38.1/drivers/scsi/scsi_logging.h linux-2.6.38.1-new/drivers/scsi/scsi_logging.h
27379 --- linux-2.6.38.1/drivers/scsi/scsi_logging.h 2011-03-14 21:20:32.000000000 -0400
27380 +++ linux-2.6.38.1-new/drivers/scsi/scsi_logging.h 2011-03-21 18:31:35.000000000 -0400
27381 @@ -51,7 +51,7 @@ do { \
27385 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
27386 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
27387 #endif /* CONFIG_SCSI_LOGGING */
27390 diff -urNp linux-2.6.38.1/drivers/scsi/scsi_transport_iscsi.c linux-2.6.38.1-new/drivers/scsi/scsi_transport_iscsi.c
27391 --- linux-2.6.38.1/drivers/scsi/scsi_transport_iscsi.c 2011-03-14 21:20:32.000000000 -0400
27392 +++ linux-2.6.38.1-new/drivers/scsi/scsi_transport_iscsi.c 2011-03-21 18:31:35.000000000 -0400
27393 @@ -1847,7 +1847,7 @@ store_priv_session_##field(struct device
27394 #define iscsi_priv_session_rw_attr(field, format) \
27395 iscsi_priv_session_attr_show(field, format) \
27396 iscsi_priv_session_attr_store(field) \
27397 -static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUGO, \
27398 +static ISCSI_CLASS_ATTR(priv_sess, field, S_IRUGO | S_IWUSR, \
27399 show_priv_session_##field, \
27400 store_priv_session_##field)
27401 iscsi_priv_session_rw_attr(recovery_tmo, "%d");
27402 diff -urNp linux-2.6.38.1/drivers/scsi/sg.c linux-2.6.38.1-new/drivers/scsi/sg.c
27403 --- linux-2.6.38.1/drivers/scsi/sg.c 2011-03-14 21:20:32.000000000 -0400
27404 +++ linux-2.6.38.1-new/drivers/scsi/sg.c 2011-03-21 18:31:35.000000000 -0400
27405 @@ -2310,7 +2310,7 @@ struct sg_proc_leaf {
27406 const struct file_operations * fops;
27409 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
27410 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
27411 {"allow_dio", &adio_fops},
27412 {"debug", &debug_fops},
27413 {"def_reserved_size", &dressz_fops},
27414 @@ -2325,7 +2325,7 @@ sg_proc_init(void)
27417 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
27418 - struct sg_proc_leaf * leaf;
27419 + const struct sg_proc_leaf * leaf;
27421 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
27423 diff -urNp linux-2.6.38.1/drivers/staging/autofs/root.c linux-2.6.38.1-new/drivers/staging/autofs/root.c
27424 --- linux-2.6.38.1/drivers/staging/autofs/root.c 2011-03-14 21:20:32.000000000 -0400
27425 +++ linux-2.6.38.1-new/drivers/staging/autofs/root.c 2011-03-21 18:31:35.000000000 -0400
27426 @@ -311,7 +311,8 @@ static int autofs_root_symlink(struct in
27427 set_bit(n,sbi->symlink_bitmap);
27428 sl = &sbi->symlink[n];
27429 sl->len = strlen(symname);
27430 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
27431 + slsize = sl->len + 1;
27432 + sl->data = kmalloc(slsize, GFP_KERNEL);
27434 clear_bit(n,sbi->symlink_bitmap);
27436 diff -urNp linux-2.6.38.1/drivers/staging/bcm/Bcmchar.c linux-2.6.38.1-new/drivers/staging/bcm/Bcmchar.c
27437 --- linux-2.6.38.1/drivers/staging/bcm/Bcmchar.c 2011-03-14 21:20:32.000000000 -0400
27438 +++ linux-2.6.38.1-new/drivers/staging/bcm/Bcmchar.c 2011-03-21 18:31:35.000000000 -0400
27439 @@ -2093,7 +2093,7 @@ static long bcm_char_ioctl(struct file *
27443 -static struct file_operations bcm_fops = {
27444 +static const struct file_operations bcm_fops = {
27445 .owner = THIS_MODULE,
27446 .open = bcm_char_open,
27447 .release = bcm_char_release,
27448 diff -urNp linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c linux-2.6.38.1-new/drivers/staging/brcm80211/brcmfmac/dhd_linux.c
27449 --- linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-03-14 21:20:32.000000000 -0400
27450 +++ linux-2.6.38.1-new/drivers/staging/brcm80211/brcmfmac/dhd_linux.c 2011-03-21 18:31:35.000000000 -0400
27451 @@ -863,14 +863,14 @@ static void dhd_op_if(dhd_if_t *ifp)
27452 free_netdev(ifp->net);
27454 /* Allocate etherdev, including space for private structure */
27455 - ifp->net = alloc_etherdev(sizeof(dhd));
27456 + ifp->net = alloc_etherdev(sizeof(*dhd));
27458 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
27462 strcpy(ifp->net->name, ifp->name);
27463 - memcpy(netdev_priv(ifp->net), &dhd, sizeof(dhd));
27464 + memcpy(netdev_priv(ifp->net), dhd, sizeof(*dhd));
27465 err = dhd_net_attach(&dhd->pub, ifp->idx);
27467 DHD_ERROR(("%s: dhd_net_attach failed, "
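Review bot: Copying the whole `dhd_info` into the netdev private area (`memcpy(netdev_priv(...), dhd, sizeof(*dhd))`) changes what the private area holds: the original stored the pointer `dhd` itself (`&dhd`, `sizeof(dhd)`), and with the new code the priv area is a snapshot taken before `dhd->pub.osh = osh` on 27494, so later writes through `dhd` never reach it. Any code that reads the priv area as `*(dhd_info_t **)netdev_priv(net)` (the readers are outside these hunks) would now dereference the first field of the copy instead of the stored pointer. If the intent was only to stop `sizeof` being applied to a pointer, keep the allocation change and leave the copy as the pointer; the same applies to the hunks at 27472-27493 and 27501-27502.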
27468 @@ -1969,25 +1969,23 @@ dhd_pub_t *dhd_attach(struct osl_info *o
27469 strcpy(nv_path, nvram_path);
27471 /* Allocate etherdev, including space for private structure */
27472 - net = alloc_etherdev(sizeof(dhd));
27473 + net = alloc_etherdev(sizeof(*dhd));
27475 DHD_ERROR(("%s: OOM - alloc_etherdev\n", __func__));
27479 /* Allocate primary dhd_info */
27480 - dhd = kmalloc(sizeof(dhd_info_t), GFP_ATOMIC);
27481 + dhd = kzalloc(sizeof(dhd_info_t), GFP_ATOMIC);
27483 DHD_ERROR(("%s: OOM - alloc dhd_info\n", __func__));
27487 - memset(dhd, 0, sizeof(dhd_info_t));
27490 * Save the dhd_info into the priv
27492 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
27493 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
27494 dhd->pub.osh = osh;
27496 /* Set network interface name if it was provided as module parameter */
27497 @@ -2105,7 +2103,7 @@ dhd_pub_t *dhd_attach(struct osl_info *o
27499 * Save the dhd_info into the priv
27501 - memcpy(netdev_priv(net), &dhd, sizeof(dhd));
27502 + memcpy(netdev_priv(net), dhd, sizeof(*dhd));
27504 #if defined(CUSTOMER_HW2) && defined(CONFIG_WIFI_CONTROL_FUNC)
27506 diff -urNp linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c linux-2.6.38.1-new/drivers/staging/brcm80211/brcmfmac/wl_iw.c
27507 --- linux-2.6.38.1/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-03-14 21:20:32.000000000 -0400
27508 +++ linux-2.6.38.1-new/drivers/staging/brcm80211/brcmfmac/wl_iw.c 2011-03-21 18:31:35.000000000 -0400
27509 @@ -513,7 +513,7 @@ wl_iw_get_range(struct net_device *dev,
27510 list = (wl_u32_list_t *) channels;
27512 dwrq->length = sizeof(struct iw_range);
27513 - memset(range, 0, sizeof(range));
27514 + memset(range, 0, sizeof(*range));
27516 range->min_nwid = range->max_nwid = 0;
27518 diff -urNp linux-2.6.38.1/drivers/staging/comedi/comedi_fops.c linux-2.6.38.1-new/drivers/staging/comedi/comedi_fops.c
27519 --- linux-2.6.38.1/drivers/staging/comedi/comedi_fops.c 2011-03-14 21:20:32.000000000 -0400
27520 +++ linux-2.6.38.1-new/drivers/staging/comedi/comedi_fops.c 2011-03-21 18:31:35.000000000 -0400
27521 @@ -1426,7 +1426,7 @@ static void comedi_unmap(struct vm_area_
27522 mutex_unlock(&dev->mutex);
27525 -static struct vm_operations_struct comedi_vm_ops = {
27526 +static const struct vm_operations_struct comedi_vm_ops = {
27527 .close = comedi_unmap,
27530 diff -urNp linux-2.6.38.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c linux-2.6.38.1-new/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c
27531 --- linux-2.6.38.1/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-03-14 21:20:32.000000000 -0400
27532 +++ linux-2.6.38.1-new/drivers/staging/ft1000/ft1000-usb/ft1000_debug.c 2011-03-21 18:31:35.000000000 -0400
27533 @@ -55,7 +55,7 @@ int numofmsgbuf = 0;
27535 // Table of entry-point routines for char device
27537 -static struct file_operations ft1000fops =
27538 +static const struct file_operations ft1000fops =
27540 .unlocked_ioctl = ft1000_ioctl,
27541 .poll = ft1000_poll_dev,
27542 diff -urNp linux-2.6.38.1/drivers/staging/go7007/go7007-v4l2.c linux-2.6.38.1-new/drivers/staging/go7007/go7007-v4l2.c
27543 --- linux-2.6.38.1/drivers/staging/go7007/go7007-v4l2.c 2011-03-14 21:20:32.000000000 -0400
27544 +++ linux-2.6.38.1-new/drivers/staging/go7007/go7007-v4l2.c 2011-03-21 18:31:35.000000000 -0400
27545 @@ -1672,7 +1672,7 @@ static int go7007_vm_fault(struct vm_are
27549 -static struct vm_operations_struct go7007_vm_ops = {
27550 +static const struct vm_operations_struct go7007_vm_ops = {
27551 .open = go7007_vm_open,
27552 .close = go7007_vm_close,
27553 .fault = go7007_vm_fault,
27554 diff -urNp linux-2.6.38.1/drivers/staging/hv/hv.c linux-2.6.38.1-new/drivers/staging/hv/hv.c
27555 --- linux-2.6.38.1/drivers/staging/hv/hv.c 2011-03-14 21:20:32.000000000 -0400
27556 +++ linux-2.6.38.1-new/drivers/staging/hv/hv.c 2011-03-21 18:31:35.000000000 -0400
27557 @@ -163,7 +163,7 @@ static u64 do_hypercall(u64 control, voi
27558 u64 output_address = (output) ? virt_to_phys(output) : 0;
27559 u32 output_address_hi = output_address >> 32;
27560 u32 output_address_lo = output_address & 0xFFFFFFFF;
27561 - volatile void *hypercall_page = hv_context.hypercall_page;
27562 + volatile void *hypercall_page = ktva_ktla(hv_context.hypercall_page);
27564 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
27565 control, input, output);
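Review bot: The `ktva_ktla()` applied to `hv_context.hypercall_page` is introduced without a comment, so a reader without the PaX KERNEXEC background cannot tell why the hypercall page needs a different address here; `hv_context.hypercall_page` itself is set up outside this hunk. If the helper does translate a kernel-text virtual address to its linear-mapping alias, as its name suggests, a comment such as `/* KERNEXEC: hypercall_page is executable kernel text; call it through its linear-mapping alias */` would explain the translation.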
27566 diff -urNp linux-2.6.38.1/drivers/staging/phison/phison.c linux-2.6.38.1-new/drivers/staging/phison/phison.c
27567 --- linux-2.6.38.1/drivers/staging/phison/phison.c 2011-03-14 21:20:32.000000000 -0400
27568 +++ linux-2.6.38.1-new/drivers/staging/phison/phison.c 2011-03-21 18:31:35.000000000 -0400
27569 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
27570 ATA_BMDMA_SHT(DRV_NAME),
27573 -static struct ata_port_operations phison_ops = {
27574 +static const struct ata_port_operations phison_ops = {
27575 .inherits = &ata_bmdma_port_ops,
27576 .prereset = phison_pre_reset,
27578 diff -urNp linux-2.6.38.1/drivers/staging/pohmelfs/inode.c linux-2.6.38.1-new/drivers/staging/pohmelfs/inode.c
27579 --- linux-2.6.38.1/drivers/staging/pohmelfs/inode.c 2011-03-14 21:20:32.000000000 -0400
27580 +++ linux-2.6.38.1-new/drivers/staging/pohmelfs/inode.c 2011-03-21 18:31:35.000000000 -0400
27581 @@ -1855,7 +1855,7 @@ static int pohmelfs_fill_super(struct su
27582 mutex_init(&psb->mcache_lock);
27583 psb->mcache_root = RB_ROOT;
27584 psb->mcache_timeout = msecs_to_jiffies(5000);
27585 - atomic_long_set(&psb->mcache_gen, 0);
27586 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
27588 psb->trans_max_pages = 100;
27590 diff -urNp linux-2.6.38.1/drivers/staging/pohmelfs/mcache.c linux-2.6.38.1-new/drivers/staging/pohmelfs/mcache.c
27591 --- linux-2.6.38.1/drivers/staging/pohmelfs/mcache.c 2011-03-14 21:20:32.000000000 -0400
27592 +++ linux-2.6.38.1-new/drivers/staging/pohmelfs/mcache.c 2011-03-21 18:31:35.000000000 -0400
27593 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
27597 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
27598 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
27600 mutex_lock(&psb->mcache_lock);
27601 err = pohmelfs_mcache_insert(psb, m);
27602 diff -urNp linux-2.6.38.1/drivers/staging/pohmelfs/netfs.h linux-2.6.38.1-new/drivers/staging/pohmelfs/netfs.h
27603 --- linux-2.6.38.1/drivers/staging/pohmelfs/netfs.h 2011-03-14 21:20:32.000000000 -0400
27604 +++ linux-2.6.38.1-new/drivers/staging/pohmelfs/netfs.h 2011-03-21 18:31:35.000000000 -0400
27605 @@ -571,7 +571,7 @@ struct pohmelfs_config;
27606 struct pohmelfs_sb {
27607 struct rb_root mcache_root;
27608 struct mutex mcache_lock;
27609 - atomic_long_t mcache_gen;
27610 + atomic_long_unchecked_t mcache_gen;
27611 unsigned long mcache_timeout;
27614 diff -urNp linux-2.6.38.1/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.38.1-new/drivers/staging/rtl8192u/ieee80211/proc.c
27615 --- linux-2.6.38.1/drivers/staging/rtl8192u/ieee80211/proc.c 2011-03-14 21:20:32.000000000 -0400
27616 +++ linux-2.6.38.1-new/drivers/staging/rtl8192u/ieee80211/proc.c 2011-03-21 18:31:35.000000000 -0400
27617 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
27618 return seq_open(file, &crypto_seq_ops);
27621 -static struct file_operations proc_crypto_ops = {
27622 +static const struct file_operations proc_crypto_ops = {
27623 .open = crypto_info_open,
27625 .llseek = seq_lseek,
27626 diff -urNp linux-2.6.38.1/drivers/staging/spectra/ffsport.c linux-2.6.38.1-new/drivers/staging/spectra/ffsport.c
27627 --- linux-2.6.38.1/drivers/staging/spectra/ffsport.c 2011-03-14 21:20:32.000000000 -0400
27628 +++ linux-2.6.38.1-new/drivers/staging/spectra/ffsport.c 2011-03-21 18:31:35.000000000 -0400
27629 @@ -604,7 +604,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
27633 -static struct block_device_operations GLOB_SBD_ops = {
27634 +static const struct block_device_operations GLOB_SBD_ops = {
27635 .owner = THIS_MODULE,
27636 .open = GLOB_SBD_open,
27637 .release = GLOB_SBD_release,
27638 diff -urNp linux-2.6.38.1/drivers/staging/vme/devices/vme_user.c linux-2.6.38.1-new/drivers/staging/vme/devices/vme_user.c
27639 --- linux-2.6.38.1/drivers/staging/vme/devices/vme_user.c 2011-03-14 21:20:32.000000000 -0400
27640 +++ linux-2.6.38.1-new/drivers/staging/vme/devices/vme_user.c 2011-03-21 18:31:35.000000000 -0400
27641 @@ -138,7 +138,7 @@ static long vme_user_unlocked_ioctl(stru
27642 static int __devinit vme_user_probe(struct device *, int, int);
27643 static int __devexit vme_user_remove(struct device *, int, int);
27645 -static struct file_operations vme_user_fops = {
27646 +static const struct file_operations vme_user_fops = {
27647 .open = vme_user_open,
27648 .release = vme_user_release,
27649 .read = vme_user_read,
27650 diff -urNp linux-2.6.38.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c linux-2.6.38.1-new/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c
27651 --- linux-2.6.38.1/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-03-14 21:20:32.000000000 -0400
27652 +++ linux-2.6.38.1-new/drivers/staging/westbridge/astoria/block/cyasblkdev_block.c 2011-03-21 18:31:35.000000000 -0400
27653 @@ -426,7 +426,7 @@ int cyasblkdev_revalidate_disk(struct ge
27656 /*standard block device driver interface */
27657 -static struct block_device_operations cyasblkdev_bdops = {
27658 +static const struct block_device_operations cyasblkdev_bdops = {
27659 .open = cyasblkdev_blk_open,
27660 .release = cyasblkdev_blk_release,
27661 .ioctl = cyasblkdev_blk_ioctl,
27662 diff -urNp linux-2.6.38.1/drivers/tty/hvc/hvc_console.h linux-2.6.38.1-new/drivers/tty/hvc/hvc_console.h
27663 --- linux-2.6.38.1/drivers/tty/hvc/hvc_console.h 2011-03-14 21:20:32.000000000 -0400
27664 +++ linux-2.6.38.1-new/drivers/tty/hvc/hvc_console.h 2011-03-21 18:31:35.000000000 -0400
27665 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
27666 /* register a vterm for hvc tty operation (module_init or hotplug add) */
27667 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
27668 const struct hv_ops *ops, int outbuf_size);
27670 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
27671 extern int hvc_remove(struct hvc_struct *hp);
27673 diff -urNp linux-2.6.38.1/drivers/tty/hvc/hvcs.c linux-2.6.38.1-new/drivers/tty/hvc/hvcs.c
27674 --- linux-2.6.38.1/drivers/tty/hvc/hvcs.c 2011-03-14 21:20:32.000000000 -0400
27675 +++ linux-2.6.38.1-new/drivers/tty/hvc/hvcs.c 2011-03-21 18:31:35.000000000 -0400
27677 #include <asm/hvcserver.h>
27678 #include <asm/uaccess.h>
27679 #include <asm/vio.h>
27680 +#include <asm/local.h>
27683 * 1.3.0 -> 1.3.1 In hvcs_open memset(..,0x00,..) instead of memset(..,0x3F,00).
27684 @@ -270,7 +271,7 @@ struct hvcs_struct {
27685 unsigned int index;
27687 struct tty_struct *tty;
27689 + local_t open_count;
27692 * Used to tell the driver kernel_thread what operations need to take
27693 @@ -420,7 +421,7 @@ static ssize_t hvcs_vterm_state_store(st
27695 spin_lock_irqsave(&hvcsd->lock, flags);
27697 - if (hvcsd->open_count > 0) {
27698 + if (local_read(&hvcsd->open_count) > 0) {
27699 spin_unlock_irqrestore(&hvcsd->lock, flags);
27700 printk(KERN_INFO "HVCS: vterm state unchanged. "
27701 "The hvcs device node is still in use.\n");
27702 @@ -1136,7 +1137,7 @@ static int hvcs_open(struct tty_struct *
27703 if ((retval = hvcs_partner_connect(hvcsd)))
27704 goto error_release;
27706 - hvcsd->open_count = 1;
27707 + local_set(&hvcsd->open_count, 1);
27709 tty->driver_data = hvcsd;
27711 @@ -1170,7 +1171,7 @@ fast_open:
27713 spin_lock_irqsave(&hvcsd->lock, flags);
27714 kref_get(&hvcsd->kref);
27715 - hvcsd->open_count++;
27716 + local_inc(&hvcsd->open_count);
27717 hvcsd->todo_mask |= HVCS_SCHED_READ;
27718 spin_unlock_irqrestore(&hvcsd->lock, flags);
27720 @@ -1214,7 +1215,7 @@ static void hvcs_close(struct tty_struct
27721 hvcsd = tty->driver_data;
27723 spin_lock_irqsave(&hvcsd->lock, flags);
27724 - if (--hvcsd->open_count == 0) {
27725 + if (local_dec_and_test(&hvcsd->open_count)) {
27727 vio_disable_interrupts(hvcsd->vdev);
27729 @@ -1240,10 +1241,10 @@ static void hvcs_close(struct tty_struct
27730 free_irq(irq, hvcsd);
27731 kref_put(&hvcsd->kref, destroy_hvcs_struct);
27733 - } else if (hvcsd->open_count < 0) {
27734 + } else if (local_read(&hvcsd->open_count) < 0) {
27735 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
27736 " is missmanaged.\n",
27737 - hvcsd->vdev->unit_address, hvcsd->open_count);
27738 + hvcsd->vdev->unit_address, local_read(&hvcsd->open_count));
27741 spin_unlock_irqrestore(&hvcsd->lock, flags);
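Review bot: local_read() returns a long, but the printk in hvcs_close still formats the open count with `%d`, so the converted argument no longer matches the specifier; judging by the asm/vio.h include this is a 64-bit pSeries driver, where that is a real varargs mismatch and not just a -Wformat warning. Either change the specifier or narrow the value: `hvcsd->vdev->unit_address, (int)local_read(&hvcsd->open_count));`. The same mismatch presumably affects `temp_open_count = local_read(&hvcsd->open_count);` in the hvcs_hangup hunk if temp_open_count is still declared int. Separately, every access to open_count in these hunks is under hvcsd->lock, and local_t is the per-CPU counter type, so its guarantees add nothing here; if the goal is overflow-checked arithmetic, atomic_t documents that intent better than local_t.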
27742 @@ -1259,7 +1260,7 @@ static void hvcs_hangup(struct tty_struc
27744 spin_lock_irqsave(&hvcsd->lock, flags);
27745 /* Preserve this so that we know how many kref refs to put */
27746 - temp_open_count = hvcsd->open_count;
27747 + temp_open_count = local_read(&hvcsd->open_count);
27750 * Don't kref put inside the spinlock because the destruction
27751 @@ -1274,7 +1275,7 @@ static void hvcs_hangup(struct tty_struc
27752 hvcsd->tty->driver_data = NULL;
27755 - hvcsd->open_count = 0;
27756 + local_set(&hvcsd->open_count, 0);
27758 /* This will drop any buffered data on the floor which is OK in a hangup
27760 @@ -1345,7 +1346,7 @@ static int hvcs_write(struct tty_struct
27761 * the middle of a write operation? This is a crummy place to do this
27762 * but we want to keep it all in the spinlock.
27764 - if (hvcsd->open_count <= 0) {
27765 + if (local_read(&hvcsd->open_count) <= 0) {
27766 spin_unlock_irqrestore(&hvcsd->lock, flags);
27769 @@ -1419,7 +1420,7 @@ static int hvcs_write_room(struct tty_st
27771 struct hvcs_struct *hvcsd = tty->driver_data;
27773 - if (!hvcsd || hvcsd->open_count <= 0)
27774 + if (!hvcsd || local_read(&hvcsd->open_count) <= 0)
27777 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
27778 diff -urNp linux-2.6.38.1/drivers/tty/hvc/hvc_xen.c linux-2.6.38.1-new/drivers/tty/hvc/hvc_xen.c
27779 --- linux-2.6.38.1/drivers/tty/hvc/hvc_xen.c 2011-03-14 21:20:32.000000000 -0400
27780 +++ linux-2.6.38.1-new/drivers/tty/hvc/hvc_xen.c 2011-03-21 18:31:35.000000000 -0400
27781 @@ -123,7 +123,7 @@ static int domU_read_console(uint32_t vt
27785 -static struct hv_ops domU_hvc_ops = {
27786 +static const struct hv_ops domU_hvc_ops = {
27787 .get_chars = domU_read_console,
27788 .put_chars = domU_write_console,
27789 .notifier_add = notifier_add_irq,
27790 @@ -149,7 +149,7 @@ static int dom0_write_console(uint32_t v
27794 -static struct hv_ops dom0_hvc_ops = {
27795 +static const struct hv_ops dom0_hvc_ops = {
27796 .get_chars = dom0_read_console,
27797 .put_chars = dom0_write_console,
27798 .notifier_add = notifier_add_irq,
27799 @@ -160,7 +160,7 @@ static struct hv_ops dom0_hvc_ops = {
27800 static int __init xen_hvc_init(void)
27802 struct hvc_struct *hp;
27803 - struct hv_ops *ops;
27804 + const struct hv_ops *ops;
27806 if (!xen_pv_domain())
27808 @@ -203,7 +203,7 @@ static void __exit xen_hvc_fini(void)
27810 static int xen_cons_init(void)
27812 - struct hv_ops *ops;
27813 + const struct hv_ops *ops;
27815 if (!xen_pv_domain())
27817 diff -urNp linux-2.6.38.1/drivers/tty/n_gsm.c linux-2.6.38.1-new/drivers/tty/n_gsm.c
27818 --- linux-2.6.38.1/drivers/tty/n_gsm.c 2011-03-14 21:20:32.000000000 -0400
27819 +++ linux-2.6.38.1-new/drivers/tty/n_gsm.c 2011-03-21 18:31:35.000000000 -0400
27820 @@ -1589,7 +1589,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
27822 spin_lock_init(&dlci->lock);
27823 dlci->fifo = &dlci->_fifo;
27824 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
27825 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
27829 diff -urNp linux-2.6.38.1/drivers/tty/n_tty.c linux-2.6.38.1-new/drivers/tty/n_tty.c
27830 --- linux-2.6.38.1/drivers/tty/n_tty.c 2011-03-14 21:20:32.000000000 -0400
27831 +++ linux-2.6.38.1-new/drivers/tty/n_tty.c 2011-03-21 18:31:35.000000000 -0400
27832 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
27834 *ops = tty_ldisc_N_TTY;
27836 - ops->refcount = ops->flags = 0;
27837 + atomic_set(&ops->refcount, 0);
27840 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
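Review bot: The removed line cleared both ops->refcount and ops->flags, while the visible replacement only does `atomic_set(&ops->refcount, 0);`. The hunk header shows the block growing by one line and that extra line is not reproduced in this rendering, so I assume it is `ops->flags = 0;`; if it is anything else, flags inherited from tty_ldisc_N_TTY are no longer reset and the change is a silent behaviour difference. Worth confirming against the applied patch.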
27841 diff -urNp linux-2.6.38.1/drivers/tty/pty.c linux-2.6.38.1-new/drivers/tty/pty.c
27842 --- linux-2.6.38.1/drivers/tty/pty.c 2011-03-14 21:20:32.000000000 -0400
27843 +++ linux-2.6.38.1-new/drivers/tty/pty.c 2011-03-21 18:31:35.000000000 -0400
27844 @@ -700,7 +700,18 @@ out:
27848 -static struct file_operations ptmx_fops;
27849 +static const struct file_operations ptmx_fops = {
27850 + .llseek = no_llseek,
27851 + .read = tty_read,
27852 + .write = tty_write,
27853 + .poll = tty_poll,
27854 + .unlocked_ioctl = tty_ioctl,
27855 + .compat_ioctl = tty_compat_ioctl,
27856 + .open = ptmx_open,
27857 + .release = tty_release,
27858 + .fasync = tty_fasync,
27862 static void __init unix98_pty_init(void)
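Review bot: ptmx_fops now duplicates tty_fops member by member, which is exactly the coupling tty_default_fops() used to hide; a handler added to tty_fops in tty_io.c will be silently missing from /dev/ptmx unless someone remembers this copy. Add a comment on the definition, `/* keep in sync with tty_fops in tty_io.c; only .open differs */`, so the dependency is visible at the point of definition. Whether `.compat_ioctl = tty_compat_ioctl` still resolves when CONFIG_COMPAT is off depends on a NULL fallback being declared in a header, which this diff does not show.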
27864 @@ -753,10 +764,6 @@ static void __init unix98_pty_init(void)
27866 register_sysctl_table(pty_root_table);
27868 - /* Now create the /dev/ptmx special device */
27869 - tty_default_fops(&ptmx_fops);
27870 - ptmx_fops.open = ptmx_open;
27872 cdev_init(&ptmx_cdev, &ptmx_fops);
27873 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
27874 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
27875 diff -urNp linux-2.6.38.1/drivers/tty/serial/8250_pci.c linux-2.6.38.1-new/drivers/tty/serial/8250_pci.c
27876 --- linux-2.6.38.1/drivers/tty/serial/8250_pci.c 2011-03-14 21:20:32.000000000 -0400
27877 +++ linux-2.6.38.1-new/drivers/tty/serial/8250_pci.c 2011-03-21 18:31:35.000000000 -0400
27878 @@ -3818,7 +3818,7 @@ static struct pci_device_id serial_pci_t
27879 PCI_ANY_ID, PCI_ANY_ID,
27880 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
27881 0xffff00, pbn_default },
27883 + { 0, 0, 0, 0, 0, 0, 0 }
27886 static struct pci_driver serial_pci_driver = {
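Review bot: `{ 0, 0, 0, 0, 0, 0, 0 }` encodes pci_device_id's exact member count into the sentinel, and the usb_device_id sentinels in cdc-acm.c, usblp.c, hub.c and usual-tables.c, the pci ones in ehci-pci.c and uhci-hcd.c, and the us_unusual_dev one in usb.c do the same; each goes stale if a member is ever added. `{ 0 }` zero-initialises every member without naming a count, and this same patch already uses that form for the input_device_id sentinel in keyboard.c. If the motivation is a diagnostic on empty `{ }` initialisers, `{ 0 }` presumably satisfies it as well. The removed line of this hunk is not reproduced in this rendering.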
27887 diff -urNp linux-2.6.38.1/drivers/tty/serial/kgdboc.c linux-2.6.38.1-new/drivers/tty/serial/kgdboc.c
27888 --- linux-2.6.38.1/drivers/tty/serial/kgdboc.c 2011-03-14 21:20:32.000000000 -0400
27889 +++ linux-2.6.38.1-new/drivers/tty/serial/kgdboc.c 2011-03-21 18:31:35.000000000 -0400
27892 #define MAX_CONFIG_LEN 40
27894 -static struct kgdb_io kgdboc_io_ops;
27895 +static struct kgdb_io kgdboc_io_ops; /* cannot be const, see configure_kgdboc() */
27897 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
27898 static int configured = -1;
27899 @@ -293,7 +293,7 @@ static void kgdboc_post_exp_handler(void
27900 kgdboc_restore_input();
27903 -static struct kgdb_io kgdboc_io_ops = {
27904 +static struct kgdb_io kgdboc_io_ops = { /* cannot be const, see configure_kgdboc() */
27906 .read_char = kgdboc_get_char,
27907 .write_char = kgdboc_put_char,
27908 diff -urNp linux-2.6.38.1/drivers/tty/tty_io.c linux-2.6.38.1-new/drivers/tty/tty_io.c
27909 --- linux-2.6.38.1/drivers/tty/tty_io.c 2011-03-14 21:20:32.000000000 -0400
27910 +++ linux-2.6.38.1-new/drivers/tty/tty_io.c 2011-03-21 18:31:35.000000000 -0400
27911 @@ -140,21 +140,11 @@ EXPORT_SYMBOL(tty_mutex);
27912 /* Spinlock to protect the tty->tty_files list */
27913 DEFINE_SPINLOCK(tty_files_lock);
27915 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
27916 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
27917 ssize_t redirected_tty_write(struct file *, const char __user *,
27919 -static unsigned int tty_poll(struct file *, poll_table *);
27920 static int tty_open(struct inode *, struct file *);
27921 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
27922 -#ifdef CONFIG_COMPAT
27923 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
27924 - unsigned long arg);
27926 -#define tty_compat_ioctl NULL
27928 static int __tty_fasync(int fd, struct file *filp, int on);
27929 -static int tty_fasync(int fd, struct file *filp, int on);
27930 static void release_tty(struct tty_struct *tty, int idx);
27931 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
27932 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
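Review bot: Removing the `#ifdef CONFIG_COMPAT` block also removes `#define tty_compat_ioctl NULL`, the only visible definition of that name for non-COMPAT builds, while the later hunk defines the function inside `#ifdef CONFIG_COMPAT` only. Any `.compat_ioctl = tty_compat_ioctl` initialiser, including the new ptmx_fops in pty.c, then references an undeclared identifier when CONFIG_COMPAT is off, unless a header outside this diff provides the fallback; the lines dropped from the -2717 hunk may be that fallback, but a define there would not be visible to pty.c. Keeping a NULL fallback next to the prototypes in the shared header is the straightforward fix. The newly exported symbols use EXPORT_SYMBOL while this file exports get_current_tty with EXPORT_SYMBOL_GPL; pick one deliberately.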
27933 @@ -938,7 +928,7 @@ EXPORT_SYMBOL(start_tty);
27934 * read calls may be outstanding in parallel.
27937 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27938 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
27942 @@ -964,6 +954,8 @@ static ssize_t tty_read(struct file *fil
27946 +EXPORT_SYMBOL(tty_read);
27948 void tty_write_unlock(struct tty_struct *tty)
27950 mutex_unlock(&tty->atomic_write_lock);
27951 @@ -1113,7 +1105,7 @@ void tty_write_message(struct tty_struct
27952 * write method will not be invoked in parallel for each device.
27955 -static ssize_t tty_write(struct file *file, const char __user *buf,
27956 +ssize_t tty_write(struct file *file, const char __user *buf,
27957 size_t count, loff_t *ppos)
27959 struct inode *inode = file->f_path.dentry->d_inode;
27960 @@ -1139,6 +1131,8 @@ static ssize_t tty_write(struct file *fi
27964 +EXPORT_SYMBOL(tty_write);
27966 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
27967 size_t count, loff_t *ppos)
27969 @@ -1778,6 +1772,8 @@ int tty_release(struct inode *inode, str
27973 +EXPORT_SYMBOL(tty_release);
27976 * tty_open - open a tty device
27977 * @inode: inode of device file
27978 @@ -1969,7 +1965,7 @@ got_driver:
27979 * may be re-entered freely by other callers.
27982 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
27983 +unsigned int tty_poll(struct file *filp, poll_table *wait)
27985 struct tty_struct *tty = file_tty(filp);
27986 struct tty_ldisc *ld;
27987 @@ -1985,6 +1981,8 @@ static unsigned int tty_poll(struct file
27991 +EXPORT_SYMBOL(tty_poll);
27993 static int __tty_fasync(int fd, struct file *filp, int on)
27995 struct tty_struct *tty = file_tty(filp);
27996 @@ -2026,7 +2024,7 @@ out:
28000 -static int tty_fasync(int fd, struct file *filp, int on)
28001 +int tty_fasync(int fd, struct file *filp, int on)
28005 @@ -2035,6 +2033,8 @@ static int tty_fasync(int fd, struct fil
28009 +EXPORT_SYMBOL(tty_fasync);
28012 * tiocsti - fake input character
28013 * @tty: tty to fake input into
28014 @@ -2692,8 +2692,10 @@ long tty_ioctl(struct file *file, unsign
28018 +EXPORT_SYMBOL(tty_ioctl);
28020 #ifdef CONFIG_COMPAT
28021 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
28022 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
28025 struct inode *inode = file->f_dentry->d_inode;
28026 @@ -2717,6 +2719,9 @@ static long tty_compat_ioctl(struct file
28031 +EXPORT_SYMBOL(tty_compat_ioctl);
28036 @@ -3195,11 +3200,6 @@ struct tty_struct *get_current_tty(void)
28038 EXPORT_SYMBOL_GPL(get_current_tty);
28040 -void tty_default_fops(struct file_operations *fops)
28042 - *fops = tty_fops;
28046 * Initialize the console device. This is called *early*, so
28047 * we can't necessarily depend on lots of kernel help here.
28048 diff -urNp linux-2.6.38.1/drivers/tty/tty_ldisc.c linux-2.6.38.1-new/drivers/tty/tty_ldisc.c
28049 --- linux-2.6.38.1/drivers/tty/tty_ldisc.c 2011-03-14 21:20:32.000000000 -0400
28050 +++ linux-2.6.38.1-new/drivers/tty/tty_ldisc.c 2011-03-21 18:31:35.000000000 -0400
28051 @@ -76,7 +76,7 @@ static void put_ldisc(struct tty_ldisc *
28052 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
28053 struct tty_ldisc_ops *ldo = ld->ops;
28056 + atomic_dec(&ldo->refcount);
28057 module_put(ldo->owner);
28058 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28060 @@ -111,7 +111,7 @@ int tty_register_ldisc(int disc, struct
28061 spin_lock_irqsave(&tty_ldisc_lock, flags);
28062 tty_ldiscs[disc] = new_ldisc;
28063 new_ldisc->num = disc;
28064 - new_ldisc->refcount = 0;
28065 + atomic_set(&new_ldisc->refcount, 0);
28066 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28069 @@ -139,7 +139,7 @@ int tty_unregister_ldisc(int disc)
28072 spin_lock_irqsave(&tty_ldisc_lock, flags);
28073 - if (tty_ldiscs[disc]->refcount)
28074 + if (atomic_read(&tty_ldiscs[disc]->refcount))
28077 tty_ldiscs[disc] = NULL;
28078 @@ -160,7 +160,7 @@ static struct tty_ldisc_ops *get_ldops(i
28080 ret = ERR_PTR(-EAGAIN);
28081 if (try_module_get(ldops->owner)) {
28082 - ldops->refcount++;
28083 + atomic_inc(&ldops->refcount);
28087 @@ -173,7 +173,7 @@ static void put_ldops(struct tty_ldisc_o
28088 unsigned long flags;
28090 spin_lock_irqsave(&tty_ldisc_lock, flags);
28091 - ldops->refcount--;
28092 + atomic_dec(&ldops->refcount);
28093 module_put(ldops->owner);
28094 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
28096 diff -urNp linux-2.6.38.1/drivers/tty/vt/keyboard.c linux-2.6.38.1-new/drivers/tty/vt/keyboard.c
28097 --- linux-2.6.38.1/drivers/tty/vt/keyboard.c 2011-03-14 21:20:32.000000000 -0400
28098 +++ linux-2.6.38.1-new/drivers/tty/vt/keyboard.c 2011-03-21 18:31:35.000000000 -0400
28099 @@ -657,6 +657,16 @@ static void k_spec(struct vc_data *vc, u
28100 kbd->kbdmode == VC_MEDIUMRAW) &&
28101 value != KVAL(K_SAK))
28102 return; /* SAK is allowed even in raw mode */
28104 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
28106 + void *func = fn_handler[value];
28107 + if (func == fn_show_state || func == fn_show_ptregs ||
28108 + func == fn_show_mem)
28113 fn_handler[value](vc);
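Review bot: `void *func = fn_handler[value];` is then compared against function pointers, and comparing an object pointer with a function pointer is not valid ISO C (GCC accepts it only as an extension). Declaring it with the element's own type avoids the issue without naming the signature: `typeof(fn_handler[value]) func = fn_handler[value];`. The lines following the comparison, presumably the early return that makes this a guard, are not reproduced in this rendering, so I cannot confirm what the branch does.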
28116 @@ -1413,7 +1423,7 @@ static const struct input_device_id kbd_
28117 .evbit = { BIT_MASK(EV_SND) },
28120 - { }, /* Terminating entry */
28121 + { 0 }, /* Terminating entry */
28124 MODULE_DEVICE_TABLE(input, kbd_ids);
28125 diff -urNp linux-2.6.38.1/drivers/tty/vt/vt.c linux-2.6.38.1-new/drivers/tty/vt/vt.c
28126 --- linux-2.6.38.1/drivers/tty/vt/vt.c 2011-03-14 21:20:32.000000000 -0400
28127 +++ linux-2.6.38.1-new/drivers/tty/vt/vt.c 2011-03-21 18:31:35.000000000 -0400
28128 @@ -262,7 +262,7 @@ EXPORT_SYMBOL_GPL(unregister_vt_notifier
28130 static void notify_write(struct vc_data *vc, unsigned int unicode)
28132 - struct vt_notifier_param param = { .vc = vc, unicode = unicode };
28133 + struct vt_notifier_param param = { .vc = vc, .c = unicode };
28134 atomic_notifier_call_chain(&vt_notifier_list, VT_WRITE, ¶m);
28137 diff -urNp linux-2.6.38.1/drivers/tty/vt/vt_ioctl.c linux-2.6.38.1-new/drivers/tty/vt/vt_ioctl.c
28138 --- linux-2.6.38.1/drivers/tty/vt/vt_ioctl.c 2011-03-14 21:20:32.000000000 -0400
28139 +++ linux-2.6.38.1-new/drivers/tty/vt/vt_ioctl.c 2011-03-21 18:31:35.000000000 -0400
28140 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28141 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
28144 - if (!capable(CAP_SYS_TTY_CONFIG))
28149 key_map = key_maps[s];
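Review bot: The capable(CAP_SYS_TTY_CONFIG) check moves from the top of do_kdsk_ioctl to after the KDGKBENT early return, and the -325/-361 hunks do the same in do_kdgkb_ioctl, so the get paths no longer invoke capable() at all; the lines that follow the moved check are not visible here, so I assume they still only clear perm. That is a deliberate change to when a capability check (and whatever logging it triggers) fires, and nothing in the hunk records why. A comment with the moved check, `/* deferred: only the set path needs CAP_SYS_TTY_CONFIG, so reads do not trigger a capability check */`, would stop it being moved back as a cleanup.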
28150 @@ -224,6 +221,9 @@ do_kdsk_ioctl(int cmd, struct kbentry __
28151 val = (i ? K_HOLE : K_NOSUCHMAP);
28152 return put_user(val, &user_kbe->kb_value);
28154 + if (!capable(CAP_SYS_TTY_CONFIG))
28159 if (!i && v == K_NOSUCHMAP) {
28160 @@ -325,9 +325,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28164 - if (!capable(CAP_SYS_TTY_CONFIG))
28167 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
28170 @@ -361,6 +358,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
28172 return ((p && *p) ? -EOVERFLOW : 0);
28174 + if (!capable(CAP_SYS_TTY_CONFIG))
28180 diff -urNp linux-2.6.38.1/drivers/uio/uio.c linux-2.6.38.1-new/drivers/uio/uio.c
28181 --- linux-2.6.38.1/drivers/uio/uio.c 2011-03-14 21:20:32.000000000 -0400
28182 +++ linux-2.6.38.1-new/drivers/uio/uio.c 2011-03-21 18:31:35.000000000 -0400
28184 #include <linux/kobject.h>
28185 #include <linux/cdev.h>
28186 #include <linux/uio_driver.h>
28187 +#include <asm/local.h>
28189 #define UIO_MAX_DEVICES (1U << MINORBITS)
28191 @@ -35,7 +36,7 @@ struct uio_device {
28193 struct fasync_struct *async_queue;
28194 wait_queue_head_t wait;
28196 + local_t vma_count;
28197 struct uio_info *info;
28198 struct kobject *map_dir;
28199 struct kobject *portio_dir;
28200 @@ -602,13 +603,13 @@ static int uio_find_mem_index(struct vm_
28201 static void uio_vma_open(struct vm_area_struct *vma)
28203 struct uio_device *idev = vma->vm_private_data;
28204 - idev->vma_count++;
28205 + local_inc(&idev->vma_count);
28208 static void uio_vma_close(struct vm_area_struct *vma)
28210 struct uio_device *idev = vma->vm_private_data;
28211 - idev->vma_count--;
28212 + local_dec(&idev->vma_count);
28215 static int uio_vma_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
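Review bot: vma_count is a per-device counter, but local_t is the type for counters owned by a single CPU; uio_vma_open and uio_vma_close run on whichever CPU maps or unmaps the VMA, and no lock serialising them is visible in the hunk. On architectures where local ops are not SMP-safe, concurrent local_inc/local_dec on this shared field can lose updates, which the plain `idev->vma_count++` could too, so this does not make things worse but it does not fix anything either. If the intent is an overflow-checked shared counter, `atomic_t vma_count;` with atomic_inc/atomic_dec is the type whose guarantees match the use.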
28216 diff -urNp linux-2.6.38.1/drivers/usb/atm/cxacru.c linux-2.6.38.1-new/drivers/usb/atm/cxacru.c
28217 --- linux-2.6.38.1/drivers/usb/atm/cxacru.c 2011-03-14 21:20:32.000000000 -0400
28218 +++ linux-2.6.38.1-new/drivers/usb/atm/cxacru.c 2011-03-21 18:31:35.000000000 -0400
28219 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
28220 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
28223 - if (index < 0 || index > 0x7f)
28224 + if (index > 0x7f)
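Review bot: Dropping `index < 0` is only sound if index is unsigned; the `%x` conversion in the sscanf above expects an unsigned int *, which suggests it is, but the declaration is outside the hunk and should be confirmed. If index is a plain int, negative values now pass the range check and reach whatever the index is used for below. The fbcmap.c hunk drops `cmap->start < 0` on the same reasoning and carries the same caveat.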
28228 diff -urNp linux-2.6.38.1/drivers/usb/atm/usbatm.c linux-2.6.38.1-new/drivers/usb/atm/usbatm.c
28229 --- linux-2.6.38.1/drivers/usb/atm/usbatm.c 2011-03-14 21:20:32.000000000 -0400
28230 +++ linux-2.6.38.1-new/drivers/usb/atm/usbatm.c 2011-03-21 18:31:35.000000000 -0400
28231 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
28232 if (printk_ratelimit())
28233 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
28234 __func__, vpi, vci);
28235 - atomic_inc(&vcc->stats->rx_err);
28236 + atomic_inc_unchecked(&vcc->stats->rx_err);
28240 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
28241 if (length > ATM_MAX_AAL5_PDU) {
28242 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
28243 __func__, length, vcc);
28244 - atomic_inc(&vcc->stats->rx_err);
28245 + atomic_inc_unchecked(&vcc->stats->rx_err);
28249 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
28250 if (sarb->len < pdu_length) {
28251 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
28252 __func__, pdu_length, sarb->len, vcc);
28253 - atomic_inc(&vcc->stats->rx_err);
28254 + atomic_inc_unchecked(&vcc->stats->rx_err);
28258 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
28259 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
28261 - atomic_inc(&vcc->stats->rx_err);
28262 + atomic_inc_unchecked(&vcc->stats->rx_err);
28266 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
28267 if (printk_ratelimit())
28268 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
28270 - atomic_inc(&vcc->stats->rx_drop);
28271 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28275 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
28277 vcc->push(vcc, skb);
28279 - atomic_inc(&vcc->stats->rx);
28280 + atomic_inc_unchecked(&vcc->stats->rx);
28284 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
28285 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28287 usbatm_pop(vcc, skb);
28288 - atomic_inc(&vcc->stats->tx);
28289 + atomic_inc_unchecked(&vcc->stats->tx);
28291 skb = skb_dequeue(&instance->sndqueue);
28293 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
28295 return sprintf(page,
28296 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28297 - atomic_read(&atm_dev->stats.aal5.tx),
28298 - atomic_read(&atm_dev->stats.aal5.tx_err),
28299 - atomic_read(&atm_dev->stats.aal5.rx),
28300 - atomic_read(&atm_dev->stats.aal5.rx_err),
28301 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28302 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28303 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28304 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28305 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28306 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28309 if (instance->disconnected)
28310 diff -urNp linux-2.6.38.1/drivers/usb/class/cdc-acm.c linux-2.6.38.1-new/drivers/usb/class/cdc-acm.c
28311 --- linux-2.6.38.1/drivers/usb/class/cdc-acm.c 2011-03-14 21:20:32.000000000 -0400
28312 +++ linux-2.6.38.1-new/drivers/usb/class/cdc-acm.c 2011-03-21 18:31:35.000000000 -0400
28313 @@ -1635,7 +1635,7 @@ static const struct usb_device_id acm_id
28314 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28315 USB_CDC_ACM_PROTO_AT_CDMA) },
28318 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28321 MODULE_DEVICE_TABLE(usb, acm_ids);
28322 diff -urNp linux-2.6.38.1/drivers/usb/class/usblp.c linux-2.6.38.1-new/drivers/usb/class/usblp.c
28323 --- linux-2.6.38.1/drivers/usb/class/usblp.c 2011-03-14 21:20:32.000000000 -0400
28324 +++ linux-2.6.38.1-new/drivers/usb/class/usblp.c 2011-03-21 18:31:35.000000000 -0400
28325 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
28326 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28327 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28328 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28333 static int usblp_wwait(struct usblp *usblp, int nonblock);
28334 @@ -1398,7 +1398,7 @@ static const struct usb_device_id usblp_
28335 { USB_INTERFACE_INFO(7, 1, 2) },
28336 { USB_INTERFACE_INFO(7, 1, 3) },
28337 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28338 - { } /* Terminating entry */
28339 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28342 MODULE_DEVICE_TABLE(usb, usblp_ids);
28343 diff -urNp linux-2.6.38.1/drivers/usb/core/hcd.c linux-2.6.38.1-new/drivers/usb/core/hcd.c
28344 --- linux-2.6.38.1/drivers/usb/core/hcd.c 2011-03-23 17:20:07.000000000 -0400
28345 +++ linux-2.6.38.1-new/drivers/usb/core/hcd.c 2011-03-23 17:21:51.000000000 -0400
28346 @@ -2457,7 +2457,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28348 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28350 -struct usb_mon_operations *mon_ops;
28351 +const struct usb_mon_operations *mon_ops;
28354 * The registration is unlocked.
28355 @@ -2467,7 +2467,7 @@ struct usb_mon_operations *mon_ops;
28356 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28359 -int usb_mon_register (struct usb_mon_operations *ops)
28360 +int usb_mon_register (const struct usb_mon_operations *ops)
28364 diff -urNp linux-2.6.38.1/drivers/usb/core/hub.c linux-2.6.38.1-new/drivers/usb/core/hub.c
28365 --- linux-2.6.38.1/drivers/usb/core/hub.c 2011-03-14 21:20:32.000000000 -0400
28366 +++ linux-2.6.38.1-new/drivers/usb/core/hub.c 2011-03-21 18:31:35.000000000 -0400
28367 @@ -3492,7 +3492,7 @@ static const struct usb_device_id hub_id
28368 .bDeviceClass = USB_CLASS_HUB},
28369 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28370 .bInterfaceClass = USB_CLASS_HUB},
28371 - { } /* Terminating entry */
28372 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28375 MODULE_DEVICE_TABLE (usb, hub_id_table);
28376 diff -urNp linux-2.6.38.1/drivers/usb/core/message.c linux-2.6.38.1-new/drivers/usb/core/message.c
28377 --- linux-2.6.38.1/drivers/usb/core/message.c 2011-03-14 21:20:32.000000000 -0400
28378 +++ linux-2.6.38.1-new/drivers/usb/core/message.c 2011-03-21 18:31:35.000000000 -0400
28379 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28380 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28382 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28384 - smallbuf = kmalloc(++len, GFP_NOIO);
28386 + smallbuf = kmalloc(len, GFP_NOIO);
28389 memcpy(smallbuf, buf, len);
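Review bot: The allocation changes from `kmalloc(++len, GFP_NOIO)` to `kmalloc(len, GFP_NOIO)`, and the line between the removed and added lines is not reproduced here, so it is not visible whether len is still incremented before the call. The original pre-increment presumably made room for one extra byte (a terminator) and the following `memcpy(smallbuf, buf, len)` copies len bytes; if the increment was dropped rather than moved, smallbuf is one byte short of what the original allocated. Confirm the applied hunk contains a separate `++len;` (or `len++;`) ahead of the kmalloc.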
28390 diff -urNp linux-2.6.38.1/drivers/usb/early/ehci-dbgp.c linux-2.6.38.1-new/drivers/usb/early/ehci-dbgp.c
28391 --- linux-2.6.38.1/drivers/usb/early/ehci-dbgp.c 2011-03-14 21:20:32.000000000 -0400
28392 +++ linux-2.6.38.1-new/drivers/usb/early/ehci-dbgp.c 2011-03-21 18:31:35.000000000 -0400
28393 @@ -96,7 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
28397 -static struct kgdb_io kgdbdbgp_io_ops;
28398 +static struct kgdb_io kgdbdbgp_io_ops; /* cannot be const, see kgdbdbgp_parse_config */
28399 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
28401 #define dbgp_kgdb_mode (0)
28402 @@ -1026,7 +1026,7 @@ static void kgdbdbgp_write_char(u8 chr)
28403 early_dbgp_write(NULL, &chr, 1);
28406 -static struct kgdb_io kgdbdbgp_io_ops = {
28407 +static struct kgdb_io kgdbdbgp_io_ops = { /* cannot be const, see kgdbdbgp_parse_config() */
28408 .name = "kgdbdbgp",
28409 .read_char = kgdbdbgp_read_char,
28410 .write_char = kgdbdbgp_write_char,
28411 diff -urNp linux-2.6.38.1/drivers/usb/host/ehci-pci.c linux-2.6.38.1-new/drivers/usb/host/ehci-pci.c
28412 --- linux-2.6.38.1/drivers/usb/host/ehci-pci.c 2011-03-14 21:20:32.000000000 -0400
28413 +++ linux-2.6.38.1-new/drivers/usb/host/ehci-pci.c 2011-03-21 18:31:35.000000000 -0400
28414 @@ -516,7 +516,7 @@ static const struct pci_device_id pci_id
28415 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28416 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28418 - { /* end: all zeroes */ }
28419 + { 0, 0, 0, 0, 0, 0, 0 }
28421 MODULE_DEVICE_TABLE(pci, pci_ids);
28423 diff -urNp linux-2.6.38.1/drivers/usb/host/uhci-hcd.c linux-2.6.38.1-new/drivers/usb/host/uhci-hcd.c
28424 --- linux-2.6.38.1/drivers/usb/host/uhci-hcd.c 2011-03-14 21:20:32.000000000 -0400
28425 +++ linux-2.6.38.1-new/drivers/usb/host/uhci-hcd.c 2011-03-21 18:31:35.000000000 -0400
28426 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
28427 /* handle any USB UHCI controller */
28428 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28429 .driver_data = (unsigned long) &uhci_driver,
28430 - }, { /* end: all zeroes */ }
28431 + }, { 0, 0, 0, 0, 0, 0, 0 }
28434 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28435 diff -urNp linux-2.6.38.1/drivers/usb/mon/mon_main.c linux-2.6.38.1-new/drivers/usb/mon/mon_main.c
28436 --- linux-2.6.38.1/drivers/usb/mon/mon_main.c 2011-03-14 21:20:32.000000000 -0400
28437 +++ linux-2.6.38.1-new/drivers/usb/mon/mon_main.c 2011-03-21 18:31:35.000000000 -0400
28438 @@ -238,7 +238,7 @@ static struct notifier_block mon_nb = {
28442 -static struct usb_mon_operations mon_ops_0 = {
28443 +static const struct usb_mon_operations mon_ops_0 = {
28444 .urb_submit = mon_submit,
28445 .urb_submit_error = mon_submit_error,
28446 .urb_complete = mon_complete,
28447 diff -urNp linux-2.6.38.1/drivers/usb/storage/debug.h linux-2.6.38.1-new/drivers/usb/storage/debug.h
28448 --- linux-2.6.38.1/drivers/usb/storage/debug.h 2011-03-14 21:20:32.000000000 -0400
28449 +++ linux-2.6.38.1-new/drivers/usb/storage/debug.h 2011-03-21 18:31:35.000000000 -0400
28450 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28451 #define US_DEBUGPX(x...) printk( x )
28452 #define US_DEBUG(x) x
28454 -#define US_DEBUGP(x...)
28455 -#define US_DEBUGPX(x...)
28456 -#define US_DEBUG(x)
28457 +#define US_DEBUGP(x...) do {} while (0)
28458 +#define US_DEBUGPX(x...) do {} while (0)
28459 +#define US_DEBUG(x) do {} while (0)
28463 diff -urNp linux-2.6.38.1/drivers/usb/storage/usb.c linux-2.6.38.1-new/drivers/usb/storage/usb.c
28464 --- linux-2.6.38.1/drivers/usb/storage/usb.c 2011-03-14 21:20:32.000000000 -0400
28465 +++ linux-2.6.38.1-new/drivers/usb/storage/usb.c 2011-03-21 18:31:35.000000000 -0400
28466 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28468 static struct us_unusual_dev us_unusual_dev_list[] = {
28469 # include "unusual_devs.h"
28470 - { } /* Terminating entry */
28471 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28475 diff -urNp linux-2.6.38.1/drivers/usb/storage/usual-tables.c linux-2.6.38.1-new/drivers/usb/storage/usual-tables.c
28476 --- linux-2.6.38.1/drivers/usb/storage/usual-tables.c 2011-03-14 21:20:32.000000000 -0400
28477 +++ linux-2.6.38.1-new/drivers/usb/storage/usual-tables.c 2011-03-21 18:31:35.000000000 -0400
28480 struct usb_device_id usb_storage_usb_ids[] = {
28481 # include "unusual_devs.h"
28482 - { } /* Terminating entry */
28483 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28485 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28487 diff -urNp linux-2.6.38.1/drivers/vhost/vhost.c linux-2.6.38.1-new/drivers/vhost/vhost.c
28488 --- linux-2.6.38.1/drivers/vhost/vhost.c 2011-03-14 21:20:32.000000000 -0400
28489 +++ linux-2.6.38.1-new/drivers/vhost/vhost.c 2011-03-21 18:31:35.000000000 -0400
28490 @@ -565,7 +565,7 @@ static int init_used(struct vhost_virtqu
28491 return get_user(vq->last_used_idx, &used->idx);
28494 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28495 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28497 struct file *eventfp, *filep = NULL,
28498 *pollstart = NULL, *pollstop = NULL;
28499 diff -urNp linux-2.6.38.1/drivers/video/fbcmap.c linux-2.6.38.1-new/drivers/video/fbcmap.c
28500 --- linux-2.6.38.1/drivers/video/fbcmap.c 2011-03-14 21:20:32.000000000 -0400
28501 +++ linux-2.6.38.1-new/drivers/video/fbcmap.c 2011-03-21 18:31:35.000000000 -0400
28502 @@ -285,8 +285,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28506 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28507 - !info->fbops->fb_setcmap)) {
28508 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
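Review bot: Dropping `cmap->start < 0` is only safe if `start` is an unsigned member of `struct fb_cmap_user`, which this hunk does not show; if it is signed, a negative start from the FBIOPUTCMAP ioctl now passes this check and is caught, or not, only further down. Assuming it is `__u32`, the removed test was dead code and the bound that actually matters is `start + len` against the destination colour map, which must be enforced downstream (presumably in the cmap copy/set helpers or the driver's `fb_setcolreg`), none of which is visible here. A comment on the surviving check, e.g. `/* start is unsigned; the start+len bound is enforced when the cmap is applied */`, would stop the next reader re-adding the dead test. `fb_set_user_cmap` starts and ends outside the hunk.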
28512 diff -urNp linux-2.6.38.1/drivers/video/fbmem.c linux-2.6.38.1-new/drivers/video/fbmem.c
28513 --- linux-2.6.38.1/drivers/video/fbmem.c 2011-03-14 21:20:32.000000000 -0400
28514 +++ linux-2.6.38.1-new/drivers/video/fbmem.c 2011-03-21 18:31:35.000000000 -0400
28515 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28516 image->dx += image->width + 8;
28518 } else if (rotate == FB_ROTATE_UD) {
28519 - for (x = 0; x < num && image->dx >= 0; x++) {
28520 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28521 info->fbops->fb_imageblit(info, image);
28522 image->dx -= image->width + 8;
28524 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28525 image->dy += image->height + 8;
28527 } else if (rotate == FB_ROTATE_CCW) {
28528 - for (x = 0; x < num && image->dy >= 0; x++) {
28529 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28530 info->fbops->fb_imageblit(info, image);
28531 image->dy -= image->height + 8;
28533 @@ -1101,7 +1101,7 @@ static long do_fb_ioctl(struct fb_info *
28535 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28537 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28538 + if (con2fb.framebuffer >= FB_MAX)
28540 if (!registered_fb[con2fb.framebuffer])
28541 request_module("fb%d", con2fb.framebuffer);
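Review bot: With the `< 0` half removed, `con2fb.framebuffer >= FB_MAX` is a complete bound only if `framebuffer` is an unsigned member of `struct fb_con2fbmap`; that header is outside the hunk, so confirm it, because the value indexes `registered_fb[]` on the very next line and a negative signed value would now reach that array. If the member is `__u32` the removed test was dead and this is fine, and `"fb%d"` in the `request_module` call should then be `"fb%u"` to match. `do_fb_ioctl` starts and ends outside the hunk.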
28542 diff -urNp linux-2.6.38.1/drivers/video/fbmon.c linux-2.6.38.1-new/drivers/video/fbmon.c
28543 --- linux-2.6.38.1/drivers/video/fbmon.c 2011-03-14 21:20:32.000000000 -0400
28544 +++ linux-2.6.38.1-new/drivers/video/fbmon.c 2011-03-21 18:31:35.000000000 -0400
28547 #define DPRINTK(fmt, args...) printk(fmt,## args)
28549 -#define DPRINTK(fmt, args...)
28550 +#define DPRINTK(fmt, args...) do {} while (0)
28553 #define FBMON_FIX_HEADER 1
28554 diff -urNp linux-2.6.38.1/drivers/video/i810/i810_accel.c linux-2.6.38.1-new/drivers/video/i810/i810_accel.c
28555 --- linux-2.6.38.1/drivers/video/i810/i810_accel.c 2011-03-14 21:20:32.000000000 -0400
28556 +++ linux-2.6.38.1-new/drivers/video/i810/i810_accel.c 2011-03-21 18:31:35.000000000 -0400
28557 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28560 printk("ringbuffer lockup!!!\n");
28561 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28562 i810_report_error(mmio);
28563 par->dev_flags |= LOCKUP;
28564 info->pixmap.scan_align = 1;
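Review bot: The added diagnostic `printk` carries no log level, so it is emitted at the default level instead of with the lockup report it explains; `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);` keeps it alongside the error output (the existing lockup line has the same omission and could take `KERN_ERR` in the same change). The four `%u` conversions assume all four values are `unsigned int`; their declarations are outside the hunk, so check them, although a mismatch here is a -Wformat warning rather than a correctness bug. `wait_for_space` starts and ends outside the hunk.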
28565 diff -urNp linux-2.6.38.1/drivers/video/i810/i810_main.c linux-2.6.38.1-new/drivers/video/i810/i810_main.c
28566 --- linux-2.6.38.1/drivers/video/i810/i810_main.c 2011-03-14 21:20:32.000000000 -0400
28567 +++ linux-2.6.38.1-new/drivers/video/i810/i810_main.c 2011-03-21 18:31:35.000000000 -0400
28568 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28569 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28570 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28571 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28573 + { 0, 0, 0, 0, 0, 0, 0 },
28576 static struct pci_driver i810fb_driver = {
28577 diff -urNp linux-2.6.38.1/drivers/video/modedb.c linux-2.6.38.1-new/drivers/video/modedb.c
28578 --- linux-2.6.38.1/drivers/video/modedb.c 2011-03-14 21:20:32.000000000 -0400
28579 +++ linux-2.6.38.1-new/drivers/video/modedb.c 2011-03-21 18:31:35.000000000 -0400
28580 @@ -40,255 +40,255 @@ static const struct fb_videomode modedb[
28582 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28583 { NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2, 0,
28584 - FB_VMODE_NONINTERLACED },
28585 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28587 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28588 { NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2, 0,
28589 - FB_VMODE_NONINTERLACED },
28590 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28592 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28593 { NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2, 0,
28594 - FB_VMODE_NONINTERLACED },
28595 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28597 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28598 { NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8, 0,
28599 - FB_VMODE_INTERLACED },
28600 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28602 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28603 { NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28604 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED },
28605 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28607 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28608 { NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3, 0,
28609 - FB_VMODE_NONINTERLACED },
28610 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28612 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28613 { NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3, 0,
28614 - FB_VMODE_NONINTERLACED },
28615 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28617 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28618 { NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28619 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28620 - FB_VMODE_NONINTERLACED },
28621 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28623 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28624 { NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3, 0,
28625 - FB_VMODE_NONINTERLACED },
28626 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28628 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28629 { NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10, 0,
28630 - FB_VMODE_INTERLACED },
28631 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28632 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28633 { NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28634 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28635 - FB_VMODE_NONINTERLACED },
28636 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28638 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28639 { NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6, 0,
28640 - FB_VMODE_NONINTERLACED },
28641 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28643 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28644 { NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6, 0,
28645 - FB_VMODE_NONINTERLACED },
28646 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28648 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28649 { NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8, 0,
28650 - FB_VMODE_NONINTERLACED },
28651 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28653 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28654 { NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5, 0,
28655 - FB_VMODE_NONINTERLACED },
28656 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28658 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28659 { NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6, 0,
28660 - FB_VMODE_NONINTERLACED },
28661 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28663 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28664 { NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12, 0,
28665 - FB_VMODE_INTERLACED },
28666 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28668 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28669 { NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6, 0,
28670 - FB_VMODE_NONINTERLACED },
28671 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28673 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28674 { NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3, 0,
28675 - FB_VMODE_NONINTERLACED },
28676 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28678 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28679 { NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10, 0,
28680 - FB_VMODE_NONINTERLACED },
28681 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28683 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28684 { NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3, 0,
28685 - FB_VMODE_NONINTERLACED },
28686 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28688 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28689 { NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3, 0,
28690 - FB_VMODE_NONINTERLACED },
28691 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28693 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28694 { NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28695 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28696 - FB_VMODE_NONINTERLACED },
28697 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28699 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28700 { NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28701 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28702 - FB_VMODE_NONINTERLACED },
28703 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28705 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28706 { NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6, 0,
28707 - FB_VMODE_NONINTERLACED },
28708 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28710 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28711 { NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12, 0,
28712 - FB_VMODE_NONINTERLACED },
28713 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28715 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28716 { NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8, 0,
28717 - FB_VMODE_NONINTERLACED },
28718 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28720 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
28721 { NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
28722 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28723 - FB_VMODE_NONINTERLACED },
28724 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28726 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
28727 { NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12, 0,
28728 - FB_VMODE_NONINTERLACED },
28729 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28731 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
28732 { NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3, 0,
28733 - FB_VMODE_NONINTERLACED },
28734 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28736 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
28737 { NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10, 0,
28738 - FB_VMODE_NONINTERLACED },
28739 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28741 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
28742 { NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3, 0,
28743 - FB_VMODE_NONINTERLACED },
28744 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28746 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
28747 { NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3, 0,
28748 - FB_VMODE_NONINTERLACED },
28749 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28751 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
28752 { NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19, 0,
28753 - FB_VMODE_NONINTERLACED },
28754 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28756 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
28757 { NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
28758 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28759 - FB_VMODE_NONINTERLACED },
28760 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28762 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
28763 { NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
28764 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28765 - FB_VMODE_NONINTERLACED },
28766 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28768 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
28769 { NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
28770 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28771 - FB_VMODE_NONINTERLACED },
28772 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28774 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
28775 { NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
28776 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28777 - FB_VMODE_NONINTERLACED },
28778 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28780 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
28781 { NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15, 0,
28782 - FB_VMODE_NONINTERLACED },
28783 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28785 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
28786 { NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
28787 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28788 - FB_VMODE_NONINTERLACED },
28789 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28791 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
28792 { NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
28793 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28794 - FB_VMODE_NONINTERLACED },
28795 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28797 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
28798 { NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3, 0,
28799 - FB_VMODE_NONINTERLACED },
28800 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28802 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
28803 { NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3, 0,
28804 - FB_VMODE_NONINTERLACED },
28805 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28807 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
28808 { NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1, 0,
28809 - FB_VMODE_DOUBLE },
28810 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28812 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
28813 { NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1, 0,
28814 - FB_VMODE_DOUBLE },
28815 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28817 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
28818 { NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2, 0,
28819 - FB_VMODE_DOUBLE },
28820 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28822 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
28823 { NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1, 0,
28824 - FB_VMODE_DOUBLE },
28825 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28827 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
28828 { NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2, 0,
28829 - FB_VMODE_DOUBLE },
28830 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28832 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
28833 { NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3, 0,
28834 - FB_VMODE_DOUBLE },
28835 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28837 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
28838 { NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1, 0,
28839 - FB_VMODE_DOUBLE },
28840 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28842 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
28843 { NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2, 0,
28844 - FB_VMODE_DOUBLE },
28845 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28847 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
28848 { NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2, 0,
28849 - FB_VMODE_DOUBLE },
28850 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28852 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
28853 { NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3, 0,
28854 - FB_VMODE_DOUBLE },
28855 + FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN },
28857 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
28858 { NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
28859 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28860 - FB_VMODE_NONINTERLACED },
28861 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28863 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
28864 { NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
28865 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
28866 - FB_VMODE_NONINTERLACED },
28867 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28869 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
28870 { NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5, 0,
28871 - FB_VMODE_NONINTERLACED },
28872 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28874 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
28875 { NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3, 0,
28876 - FB_VMODE_NONINTERLACED },
28877 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28879 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28880 { NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5, 0,
28881 - FB_VMODE_INTERLACED },
28882 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28884 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
28885 { NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5, 0,
28886 - FB_VMODE_INTERLACED },
28887 + FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN },
28889 /* 864x480 @ 60 Hz, 35.15 kHz hsync */
28890 { NULL, 60, 864, 480, 27777, 1, 1, 1, 1, 0, 0,
28891 - 0, FB_VMODE_NONINTERLACED },
28892 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN },
28895 #ifdef CONFIG_FB_MODE_HELPERS
28896 diff -urNp linux-2.6.38.1/drivers/video/pxa3xx-gcu.c linux-2.6.38.1-new/drivers/video/pxa3xx-gcu.c
28897 --- linux-2.6.38.1/drivers/video/pxa3xx-gcu.c 2011-03-14 21:20:32.000000000 -0400
28898 +++ linux-2.6.38.1-new/drivers/video/pxa3xx-gcu.c 2011-03-21 18:31:35.000000000 -0400
28899 @@ -103,7 +103,7 @@ struct pxa3xx_gcu_priv {
28900 dma_addr_t shared_phys;
28901 struct resource *resource_mem;
28902 struct miscdevice misc_dev;
28903 - struct file_operations misc_fops;
28904 + const struct file_operations misc_fops;
28905 wait_queue_head_t wait_idle;
28906 wait_queue_head_t wait_free;
28907 spinlock_t spinlock;
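Review bot: Making the embedded `misc_fops` member `const` means a `struct pxa3xx_gcu_priv` instance can no longer have it filled in by plain assignment after allocation; unless the probe path (outside this hunk) is changed in the same patch, the code that populates it fails to compile, and writing through a cast to defeat the qualifier is exactly the pattern this hardening is meant to remove. The usual shape for a read-only fops is a file-scope `static const struct file_operations` table with the private struct holding only a `const struct file_operations *` (or using `misc_dev.fops`, which presumably already takes a const pointer). If the probe initialises the whole struct at once instead, say so in a comment on this member so the const does not look accidental.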
28908 diff -urNp linux-2.6.38.1/drivers/video/uvesafb.c linux-2.6.38.1-new/drivers/video/uvesafb.c
28909 --- linux-2.6.38.1/drivers/video/uvesafb.c 2011-03-14 21:20:32.000000000 -0400
28910 +++ linux-2.6.38.1-new/drivers/video/uvesafb.c 2011-03-21 18:31:35.000000000 -0400
28912 #include <linux/io.h>
28913 #include <linux/mutex.h>
28914 #include <linux/slab.h>
28915 +#include <linux/moduleloader.h>
28916 #include <video/edid.h>
28917 #include <video/uvesafb.h>
28919 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
28923 - return call_usermodehelper(v86d_path, argv, envp, 1);
28924 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
28928 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
28929 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
28930 par->pmi_setpal = par->ypan = 0;
28933 +#ifdef CONFIG_PAX_KERNEXEC
28934 +#ifdef CONFIG_MODULES
28935 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
28937 + if (!par->pmi_code) {
28938 + par->pmi_setpal = par->ypan = 0;
28943 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
28944 + task->t.regs.edi);
28946 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28947 + pax_open_kernel();
28948 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
28949 + pax_close_kernel();
28951 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
28952 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
28954 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
28955 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
28958 printk(KERN_INFO "uvesafb: protected mode interface info at "
28960 (u16)task->t.regs.es, (u16)task->t.regs.edi);
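Review bot: The entry offsets `par->pmi_base[1]` and `par->pmi_base[2]`, read from the PMI table the v86d helper returned, are added to `par->pmi_code` without being compared against `(u16)task->t.regs.ecx`, the number of bytes copied into the `module_alloc_exec` region, so a bogus or truncated table yields `pmi_start`/`pmi_pal` pointing past the executable allocation; the pre-patch code trusted the offsets too, but there they pointed into the larger BIOS mapping rather than a freshly sized buffer. A check before the `ktva_ktla` lines, `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)`, bailing out the way the `es < 0xc000` branch above does (after releasing `par->pmi_code`), closes that, and a size below 6 bytes (the offsets are read from the table's second and third 16-bit words) or of 0 should be rejected before the allocation. `uvesafb_vbe_getpmi` starts outside the hunk.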
28961 @@ -1800,6 +1823,11 @@ out:
28962 if (par->vbe_modes)
28963 kfree(par->vbe_modes);
28965 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28966 + if (par->pmi_code)
28967 + module_free_exec(NULL, par->pmi_code);
28970 framebuffer_release(info);
28973 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
28974 kfree(par->vbe_state_orig);
28975 if (par->vbe_state_saved)
28976 kfree(par->vbe_state_saved);
28978 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
28979 + if (par->pmi_code)
28980 + module_free_exec(NULL, par->pmi_code);
28985 framebuffer_release(info);
28986 diff -urNp linux-2.6.38.1/drivers/video/vesafb.c linux-2.6.38.1-new/drivers/video/vesafb.c
28987 --- linux-2.6.38.1/drivers/video/vesafb.c 2011-03-14 21:20:32.000000000 -0400
28988 +++ linux-2.6.38.1-new/drivers/video/vesafb.c 2011-03-21 18:31:35.000000000 -0400
28992 #include <linux/module.h>
28993 +#include <linux/moduleloader.h>
28994 #include <linux/kernel.h>
28995 #include <linux/errno.h>
28996 #include <linux/string.h>
28997 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
28998 static int vram_total __initdata; /* Set total amount of memory */
28999 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29000 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29001 -static void (*pmi_start)(void) __read_mostly;
29002 -static void (*pmi_pal) (void) __read_mostly;
29003 +static void (*pmi_start)(void) __read_only;
29004 +static void (*pmi_pal) (void) __read_only;
29005 static int depth __read_mostly;
29006 static int vga_compat __read_mostly;
29007 /* --------------------------------------------------------------------- */
29008 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29009 unsigned int size_vmode;
29010 unsigned int size_remap;
29011 unsigned int size_total;
29012 + void *pmi_code = NULL;
29014 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29016 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29017 size_remap = size_total;
29018 vesafb_fix.smem_len = size_remap;
29021 - screen_info.vesapm_seg = 0;
29024 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29025 printk(KERN_WARNING
29026 "vesafb: cannot reserve video memory at 0x%lx\n",
29027 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29028 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29029 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29033 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29034 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29036 +#elif !defined(CONFIG_PAX_KERNEXEC)
29041 + screen_info.vesapm_seg = 0;
29043 if (screen_info.vesapm_seg) {
29044 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29045 - screen_info.vesapm_seg,screen_info.vesapm_off);
29046 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29047 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29050 if (screen_info.vesapm_seg < 0xc000)
29051 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29053 if (ypan || pmi_setpal) {
29054 unsigned short *pmi_base;
29055 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29056 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29057 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29059 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29061 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29062 + pax_open_kernel();
29063 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29065 + pmi_code = pmi_base;
29068 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29069 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29071 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29072 + pmi_start = ktva_ktla(pmi_start);
29073 + pmi_pal = ktva_ktla(pmi_pal);
29074 + pax_close_kernel();
29077 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29079 printk(KERN_INFO "vesafb: pmi: ports = ");
29080 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29081 info->node, info->fix.id);
29085 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29086 + module_free_exec(NULL, pmi_code);
29089 if (info->screen_base)
29090 iounmap(info->screen_base);
29091 framebuffer_release(info);
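Review bot: The error-path `module_free_exec(NULL, pmi_code)` is compiled only under `__i386__ && CONFIG_MODULES && CONFIG_PAX_KERNEXEC`, while the matching `module_alloc_exec(screen_info.vesapm_size)` in the @@ -319 hunk is guarded by `CONFIG_MODULES && CONFIG_PAX_KERNEXEC` alone, so on any other architecture where that combination builds a failed probe leaks the executable allocation. Use one guard macro for both sites so they cannot drift. Separately, the buffer is allocated before the `if (ypan || pmi_setpal)` block that is the only consumer, so when neither is set (or `vesapm_seg` is zero) it is allocated and never used; moving the allocation inside that block avoids keeping an unused executable region around. `vesafb_probe` starts outside the hunk.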
29092 diff -urNp linux-2.6.38.1/fs/9p/vfs_inode.c linux-2.6.38.1-new/fs/9p/vfs_inode.c
29093 --- linux-2.6.38.1/fs/9p/vfs_inode.c 2011-03-14 21:20:32.000000000 -0400
29094 +++ linux-2.6.38.1-new/fs/9p/vfs_inode.c 2011-03-21 18:31:35.000000000 -0400
29095 @@ -1094,7 +1094,7 @@ static void *v9fs_vfs_follow_link(struct
29097 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29099 - char *s = nd_get_link(nd);
29100 + const char *s = nd_get_link(nd);
29102 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29103 IS_ERR(s) ? "<error>" : s);
29104 diff -urNp linux-2.6.38.1/fs/aio.c linux-2.6.38.1-new/fs/aio.c
29105 --- linux-2.6.38.1/fs/aio.c 2011-03-14 21:20:32.000000000 -0400
29106 +++ linux-2.6.38.1-new/fs/aio.c 2011-03-21 18:31:35.000000000 -0400
29107 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29108 size += sizeof(struct io_event) * nr_events;
29109 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29111 - if (nr_pages < 0)
29112 + if (nr_pages <= 0)
29115 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
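Review bot: `nr_pages <= 0` still detects an overflowed `size` only indirectly, through the sign and now zero-ness of `nr_pages` after the shift and the conversion to its declared type (outside the hunk); it rejects one more wrapped value than `< 0` did but not all of them, since a `size` that wraps to a small positive multiple of `PAGE_SIZE` still passes. The robust form is a check before the multiplication on the line above, e.g. `if (nr_events > (ULONG_MAX - sizeof(struct aio_ring)) / sizeof(struct io_event))` returning the same error the existing test does (assuming `size` is `unsigned long`), which turns this test into a plain sanity check. `aio_setup_ring` starts and ends outside the hunk.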
29116 diff -urNp linux-2.6.38.1/fs/attr.c linux-2.6.38.1-new/fs/attr.c
29117 --- linux-2.6.38.1/fs/attr.c 2011-03-14 21:20:32.000000000 -0400
29118 +++ linux-2.6.38.1-new/fs/attr.c 2011-03-21 18:31:35.000000000 -0400
29119 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
29120 unsigned long limit;
29122 limit = rlimit(RLIMIT_FSIZE);
29123 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29124 if (limit != RLIM_INFINITY && offset > limit)
29126 if (offset > inode->i_sb->s_maxbytes)
29127 diff -urNp linux-2.6.38.1/fs/befs/linuxvfs.c linux-2.6.38.1-new/fs/befs/linuxvfs.c
29128 --- linux-2.6.38.1/fs/befs/linuxvfs.c 2011-03-14 21:20:32.000000000 -0400
29129 +++ linux-2.6.38.1-new/fs/befs/linuxvfs.c 2011-03-21 18:31:35.000000000 -0400
29130 @@ -499,7 +499,7 @@ static void befs_put_link(struct dentry
29132 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29133 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29134 - char *link = nd_get_link(nd);
29135 + const char *link = nd_get_link(nd);
29139 diff -urNp linux-2.6.38.1/fs/binfmt_aout.c linux-2.6.38.1-new/fs/binfmt_aout.c
29140 --- linux-2.6.38.1/fs/binfmt_aout.c 2011-03-14 21:20:32.000000000 -0400
29141 +++ linux-2.6.38.1-new/fs/binfmt_aout.c 2011-03-21 18:31:35.000000000 -0400
29143 #include <linux/string.h>
29144 #include <linux/fs.h>
29145 #include <linux/file.h>
29146 +#include <linux/security.h>
29147 #include <linux/stat.h>
29148 #include <linux/fcntl.h>
29149 #include <linux/ptrace.h>
29150 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29152 # define START_STACK(u) ((void __user *)u.start_stack)
29154 + memset(&dump, 0, sizeof(dump));
29159 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29161 /* If the size of the dump file exceeds the rlimit, then see what would happen
29162 if we wrote the stack, but not the data area. */
29163 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
29164 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
29167 /* Make sure we have enough room to write the stack and data areas. */
29168 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
29169 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29172 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
29173 rlim = rlimit(RLIMIT_DATA);
29174 if (rlim >= RLIM_INFINITY)
29177 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29178 if (ex.a_data + ex.a_bss > rlim)
29181 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
29182 install_exec_creds(bprm);
29183 current->flags &= ~PF_FORKNOEXEC;
29185 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29186 + current->mm->pax_flags = 0UL;
29189 +#ifdef CONFIG_PAX_PAGEEXEC
29190 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29191 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29193 +#ifdef CONFIG_PAX_EMUTRAMP
29194 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29195 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29198 +#ifdef CONFIG_PAX_MPROTECT
29199 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29200 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29206 if (N_MAGIC(ex) == OMAGIC) {
29207 unsigned long text_addr, map_size;
29209 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
29211 down_write(¤t->mm->mmap_sem);
29212 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29213 - PROT_READ | PROT_WRITE | PROT_EXEC,
29214 + PROT_READ | PROT_WRITE,
29215 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29216 fd_offset + ex.a_text);
29217 up_write(¤t->mm->mmap_sem);
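Review bot: Dropping `PROT_EXEC` from the data-segment `do_mmap` is unconditional, so it applies even when the binary opted out of PAGEEXEC through `F_PAX_PAGEEXEC` in the @@ -262 hunk or the kernel is built without `CONFIG_PAX_PAGEEXEC`; an a.out binary that runs code from its data segment (GCC nested-function trampolines, for instance) now takes SIGSEGV on an NX-capable CPU regardless of its per-binary flags. If that is intentional, a comment on the `PROT_READ | PROT_WRITE` line stating that a.out data is never executable under this loader documents it; otherwise add `PROT_EXEC` back when `MF_PAX_PAGEEXEC` is clear in `current->mm->pax_flags` so the opt-out keeps its meaning. `load_aout_binary` starts and ends outside the hunk.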
29218 diff -urNp linux-2.6.38.1/fs/binfmt_elf.c linux-2.6.38.1-new/fs/binfmt_elf.c
29219 --- linux-2.6.38.1/fs/binfmt_elf.c 2011-03-14 21:20:32.000000000 -0400
29220 +++ linux-2.6.38.1-new/fs/binfmt_elf.c 2011-03-21 18:31:35.000000000 -0400
29221 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29222 #define elf_core_dump NULL
29225 +#ifdef CONFIG_PAX_MPROTECT
29226 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29229 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29230 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29232 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29233 .load_binary = load_elf_binary,
29234 .load_shlib = load_elf_library,
29235 .core_dump = elf_core_dump,
29237 +#ifdef CONFIG_PAX_MPROTECT
29238 + .handle_mprotect= elf_handle_mprotect,
29241 .min_coredump = ELF_EXEC_PAGESIZE,
29244 @@ -77,6 +86,8 @@ static struct linux_binfmt elf_format =
29246 static int set_brk(unsigned long start, unsigned long end)
29248 + unsigned long e = end;
29250 start = ELF_PAGEALIGN(start);
29251 end = ELF_PAGEALIGN(end);
29253 @@ -87,7 +98,7 @@ static int set_brk(unsigned long start,
29254 if (BAD_ADDR(addr))
29257 - current->mm->start_brk = current->mm->brk = end;
29258 + current->mm->start_brk = current->mm->brk = e;
29262 @@ -148,7 +159,7 @@ create_elf_tables(struct linux_binprm *b
29263 elf_addr_t __user *u_rand_bytes;
29264 const char *k_platform = ELF_PLATFORM;
29265 const char *k_base_platform = ELF_BASE_PLATFORM;
29266 - unsigned char k_rand_bytes[16];
29267 + u32 k_rand_bytes[4];
29269 elf_addr_t *elf_info;
29271 @@ -195,8 +206,12 @@ create_elf_tables(struct linux_binprm *b
29272 * Generate 16 random bytes for userspace PRNG seeding.
29274 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29275 - u_rand_bytes = (elf_addr_t __user *)
29276 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29277 + srandom32(k_rand_bytes[0] ^ random32());
29278 + srandom32(k_rand_bytes[1] ^ random32());
29279 + srandom32(k_rand_bytes[2] ^ random32());
29280 + srandom32(k_rand_bytes[3] ^ random32());
29281 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29282 + u_rand_bytes = (elf_addr_t __user *) p;
29283 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
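Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls feed the same 16 bytes that the next line hands to userspace as its PRNG seed (per the comment above) into the kernel's shared `random32` state; reusing one secret for two purposes is poor hygiene, since anything learned about one use narrows the other, and it ties a per-exec reseed of a shared PRNG to a value every process legitimately knows about itself. If the per-exec reseed is wanted, draw a separate word for it, e.g. `u32 seed; get_random_bytes(&seed, sizeof(seed)); srandom32(seed);`, and leave `k_rand_bytes` for the user copy only. The `STACK_ROUND` replacement for `STACK_ALLOC` is a visible change (the block becomes 16-byte aligned), so a one-line comment would save the next reader from assuming it is a no-op. `create_elf_tables` starts and ends outside the hunk.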
29286 @@ -381,10 +396,10 @@ static unsigned long load_elf_interp(str
29288 struct elf_phdr *elf_phdata;
29289 struct elf_phdr *eppnt;
29290 - unsigned long load_addr = 0;
29291 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29292 int load_addr_set = 0;
29293 unsigned long last_bss = 0, elf_bss = 0;
29294 - unsigned long error = ~0UL;
29295 + unsigned long error = -EINVAL;
29296 unsigned long total_size;
29297 int retval, i, size;
29299 @@ -430,6 +445,11 @@ static unsigned long load_elf_interp(str
29303 +#ifdef CONFIG_PAX_SEGMEXEC
29304 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29305 + pax_task_size = SEGMEXEC_TASK_SIZE;
29308 eppnt = elf_phdata;
29309 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29310 if (eppnt->p_type == PT_LOAD) {
29311 @@ -473,8 +493,8 @@ static unsigned long load_elf_interp(str
29312 k = load_addr + eppnt->p_vaddr;
29314 eppnt->p_filesz > eppnt->p_memsz ||
29315 - eppnt->p_memsz > TASK_SIZE ||
29316 - TASK_SIZE - eppnt->p_memsz < k) {
29317 + eppnt->p_memsz > pax_task_size ||
29318 + pax_task_size - eppnt->p_memsz < k) {
29322 @@ -528,6 +548,177 @@ out:
29326 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29327 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29329 + unsigned long pax_flags = 0UL;
29331 +#ifdef CONFIG_PAX_PAGEEXEC
29332 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29333 + pax_flags |= MF_PAX_PAGEEXEC;
29336 +#ifdef CONFIG_PAX_SEGMEXEC
29337 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29338 + pax_flags |= MF_PAX_SEGMEXEC;
29341 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29342 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29343 + if ((__supported_pte_mask & _PAGE_NX))
29344 + pax_flags &= ~MF_PAX_SEGMEXEC;
29346 + pax_flags &= ~MF_PAX_PAGEEXEC;
29350 +#ifdef CONFIG_PAX_EMUTRAMP
29351 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29352 + pax_flags |= MF_PAX_EMUTRAMP;
29355 +#ifdef CONFIG_PAX_MPROTECT
29356 + if (elf_phdata->p_flags & PF_MPROTECT)
29357 + pax_flags |= MF_PAX_MPROTECT;
29360 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29361 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29362 + pax_flags |= MF_PAX_RANDMMAP;
29365 + return pax_flags;
29369 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29370 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29372 + unsigned long pax_flags = 0UL;
29374 +#ifdef CONFIG_PAX_PAGEEXEC
29375 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29376 + pax_flags |= MF_PAX_PAGEEXEC;
29379 +#ifdef CONFIG_PAX_SEGMEXEC
29380 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29381 + pax_flags |= MF_PAX_SEGMEXEC;
29384 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29385 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29386 + if ((__supported_pte_mask & _PAGE_NX))
29387 + pax_flags &= ~MF_PAX_SEGMEXEC;
29389 + pax_flags &= ~MF_PAX_PAGEEXEC;
29393 +#ifdef CONFIG_PAX_EMUTRAMP
29394 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29395 + pax_flags |= MF_PAX_EMUTRAMP;
29398 +#ifdef CONFIG_PAX_MPROTECT
29399 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29400 + pax_flags |= MF_PAX_MPROTECT;
29403 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29404 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29405 + pax_flags |= MF_PAX_RANDMMAP;
29408 + return pax_flags;
29412 +#ifdef CONFIG_PAX_EI_PAX
29413 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29415 + unsigned long pax_flags = 0UL;
29417 +#ifdef CONFIG_PAX_PAGEEXEC
29418 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29419 + pax_flags |= MF_PAX_PAGEEXEC;
29422 +#ifdef CONFIG_PAX_SEGMEXEC
29423 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29424 + pax_flags |= MF_PAX_SEGMEXEC;
29427 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29428 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29429 + if ((__supported_pte_mask & _PAGE_NX))
29430 + pax_flags &= ~MF_PAX_SEGMEXEC;
29432 + pax_flags &= ~MF_PAX_PAGEEXEC;
29436 +#ifdef CONFIG_PAX_EMUTRAMP
29437 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29438 + pax_flags |= MF_PAX_EMUTRAMP;
29441 +#ifdef CONFIG_PAX_MPROTECT
29442 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29443 + pax_flags |= MF_PAX_MPROTECT;
29446 +#ifdef CONFIG_PAX_ASLR
29447 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29448 + pax_flags |= MF_PAX_RANDMMAP;
29451 + return pax_flags;
29455 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29456 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29458 + unsigned long pax_flags = 0UL;
29460 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29464 +#ifdef CONFIG_PAX_EI_PAX
29465 + pax_flags = pax_parse_ei_pax(elf_ex);
29468 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29469 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29470 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29471 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29472 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29473 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29474 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29475 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29478 +#ifdef CONFIG_PAX_SOFTMODE
29479 + if (pax_softmode)
29480 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29484 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29489 + if (0 > pax_check_flags(&pax_flags))
29492 + current->mm->pax_flags = pax_flags;
29498 * These are the functions used to load ELF style executables and shared
29499 * libraries. There is no binary dependent code anywhere else.
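Review bot: The PAGEEXEC/SEGMEXEC arbitration block — "both requested, keep the hardware NX one if `__supported_pte_mask & _PAGE_NX`, else the segmentation one" — is open-coded three times, at L18353-18357, L18377-18381 and L18401-18405, and any future change to it has to be made in all three parsers; a single helper removes the duplication. pax_parse_ei_pax also only grants EMUTRAMP and MPROTECT when a NOEXEC flag is set (L18407, L18410), whereas pax_parse_softmode and pax_parse_hardmode grant them unconditionally; if pax_check_flags at L18434 normalises this, a comment on it saying so would help, otherwise the three parsers disagree. Since every bit here comes from the untrusted ELF header, pax_check_flags is the only policy gate on the per-binary opt-outs, and that deserves a one-line comment at L18434 such as `/* pax_check_flags is the only point enforcing system policy over the binary's own flags */`. The closing lines of pax_parse_elf_flags are not rendered, so the loop's exit after the first PT_PAX_FLAGS header could not be checked.
```c
/* PaX: PAGEEXEC and SEGMEXEC are mutually exclusive; keep the hardware
 * NX variant when the CPU supports it, the segmentation one otherwise. */
static unsigned long pax_pick_noexec(unsigned long pax_flags)
{
#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
	if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
		if (__supported_pte_mask & _PAGE_NX)
			pax_flags &= ~MF_PAX_SEGMEXEC;
		else
			pax_flags &= ~MF_PAX_PAGEEXEC;
	}
#endif
	return pax_flags;
}

/* … unchanged: pax_parse_softmode up to the SEGMEXEC test … */
	pax_flags = pax_pick_noexec(pax_flags);
/* … unchanged: EMUTRAMP/MPROTECT/RANDMMAP tests; same one-line replacement in pax_parse_hardmode and pax_parse_ei_pax … */
```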
29500 @@ -544,6 +735,11 @@ static unsigned long randomize_stack_top
29502 unsigned int random_variable = 0;
29504 +#ifdef CONFIG_PAX_RANDUSTACK
29505 + if (randomize_va_space)
29506 + return stack_top - current->mm->delta_stack;
29509 if ((current->flags & PF_RANDOMIZE) &&
29510 !(current->personality & ADDR_NO_RANDOMIZE)) {
29511 random_variable = get_random_int() & STACK_RND_MASK;
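Review bot: The early return at L18441-18442 makes the stock PF_RANDOMIZE / ADDR_NO_RANDOMIZE path below it unreachable whenever randomize_va_space is non-zero, so a binary whose PaX flags cleared MF_PAX_RANDMMAP (delta_stack stays at the zero set at L18475, since L18504 only runs for RANDMMAP) gets an unrandomised stack top rather than the stock randomisation, and ADDR_NO_RANDOMIZE no longer influences this path at all. If that is the intended hand-over to PaX, state it: `/* PaX: with RANDUSTACK the stack offset is delta_stack (0 when the binary opted out); the stock path below only applies when randomize_va_space is 0 */`. The rest of randomize_stack_top lies outside the hunk.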
29512 @@ -562,7 +758,7 @@ static int load_elf_binary(struct linux_
29513 unsigned long load_addr = 0, load_bias = 0;
29514 int load_addr_set = 0;
29515 char * elf_interpreter = NULL;
29516 - unsigned long error;
29517 + unsigned long error = 0;
29518 struct elf_phdr *elf_ppnt, *elf_phdata;
29519 unsigned long elf_bss, elf_brk;
29521 @@ -572,11 +768,11 @@ static int load_elf_binary(struct linux_
29522 unsigned long start_code, end_code, start_data, end_data;
29523 unsigned long reloc_func_desc = 0;
29524 int executable_stack = EXSTACK_DEFAULT;
29525 - unsigned long def_flags = 0;
29527 struct elfhdr elf_ex;
29528 struct elfhdr interp_elf_ex;
29530 + unsigned long pax_task_size = TASK_SIZE;
29532 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29534 @@ -714,11 +910,80 @@ static int load_elf_binary(struct linux_
29536 /* OK, This is the point of no return */
29537 current->flags &= ~PF_FORKNOEXEC;
29538 - current->mm->def_flags = def_flags;
29540 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29541 + current->mm->pax_flags = 0UL;
29544 +#ifdef CONFIG_PAX_DLRESOLVE
29545 + current->mm->call_dl_resolve = 0UL;
29548 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29549 + current->mm->call_syscall = 0UL;
29552 +#ifdef CONFIG_PAX_ASLR
29553 + current->mm->delta_mmap = 0UL;
29554 + current->mm->delta_stack = 0UL;
29557 + current->mm->def_flags = 0;
29559 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29560 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29561 + send_sig(SIGKILL, current, 0);
29562 + goto out_free_dentry;
29566 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29567 + pax_set_initial_flags(bprm);
29568 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29569 + if (pax_set_initial_flags_func)
29570 + (pax_set_initial_flags_func)(bprm);
29573 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29574 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29575 + current->mm->context.user_cs_limit = PAGE_SIZE;
29576 + current->mm->def_flags |= VM_PAGEEXEC;
29580 +#ifdef CONFIG_PAX_SEGMEXEC
29581 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29582 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29583 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29584 + pax_task_size = SEGMEXEC_TASK_SIZE;
29588 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29589 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29590 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29595 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29596 may depend on the personality. */
29597 SET_PERSONALITY(loc->elf_ex);
29599 +#ifdef CONFIG_PAX_ASLR
29600 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29601 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29602 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29606 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29607 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29608 + executable_stack = EXSTACK_DISABLE_X;
29609 + current->personality &= ~READ_IMPLIES_EXEC;
29613 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29614 current->personality |= READ_IMPLIES_EXEC;
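Review bot: set_user_cs() at L18497 is passed get_cpu(), which disables preemption, and the matching put_cpu() is not among the rendered lines — the page drops some lines, so it may simply be absent from the rendering, but confirm it directly follows the call. The reset block at L18467-18476 (pax_flags, call_dl_resolve, call_syscall, delta_mmap, delta_stack, def_flags) would read better with one comment stating the invariant, e.g. `/* PaX: every per-exec PaX field of the new mm starts from zero before the ELF flags are parsed */`. On the failure path at L18478-18481 the SIGKILL and jump are visible but the assignment to retval is not; since this is past the point of no return, confirm it carries an error code on the non-rendered line.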
29616 @@ -800,6 +1065,20 @@ static int load_elf_binary(struct linux_
29618 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29621 +#ifdef CONFIG_PAX_RANDMMAP
29622 + /* PaX: randomize base address at the default exe base if requested */
29623 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29624 +#ifdef CONFIG_SPARC64
29625 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29627 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29629 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29630 + elf_flags |= MAP_FIXED;
29636 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
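Review bot: L18519-18520 choose a randomised load_bias and then force it with MAP_FIXED, which silently replaces anything already mapped in that range instead of failing; at this point of exec only the new stack exists, so this is safe only while PAX_ELF_ET_DYN_BASE plus the largest delta (2^PAX_DELTA_MMAP_LEN pages, twice that on SPARC64 given the PAGE_SHIFT+1 at L18517) stays clear of the stack and mmap areas on every architecture that defines those constants. A comment giving that invariant, and the reason for the extra SPARC64 bit, would make the hunk reviewable, e.g. `/* PaX: MAP_FIXED is safe here: the randomised range lies below the mmap base and the stack on every arch that provides PAX_ELF_ET_DYN_BASE */`. The closing lines of the #ifdef block are not rendered.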
29637 @@ -832,9 +1111,9 @@ static int load_elf_binary(struct linux_
29638 * allowed task size. Note that p_filesz must always be
29639 * <= p_memsz so it is only necessary to check p_memsz.
29641 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29642 - elf_ppnt->p_memsz > TASK_SIZE ||
29643 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29644 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29645 + elf_ppnt->p_memsz > pax_task_size ||
29646 + pax_task_size - elf_ppnt->p_memsz < k) {
29647 /* set_brk can never work. Avoid overflows. */
29648 send_sig(SIGKILL, current, 0);
29650 @@ -862,6 +1141,11 @@ static int load_elf_binary(struct linux_
29651 start_data += load_bias;
29652 end_data += load_bias;
29654 +#ifdef CONFIG_PAX_RANDMMAP
29655 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29656 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
29659 /* Calling set_brk effectively mmaps the pages that we need
29660 * for the bss and break sections. We must do this before
29661 * mapping in the interpreter, to make sure it doesn't wind
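Review bot: `elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4)` at L18538 adds a sub-page-granular offset spanning roughly 16 pages, but if set_brk page-aligns both ends as the stock one does, the sub-page bits are discarded and the effective entropy is about 4 bits rather than the 16 the expression suggests; if that is the design, say so, otherwise mask to the intended number of pages and shift by PAGE_SHIFT. The offset is also applied purely on MF_PAX_RANDMMAP, independently of the stock `randomize_va_space > 1` brk randomisation further down the function, which presumably PaX disables elsewhere — confirm the break is not randomised twice. Proposed comment: `/* PaX: push the initial break up by 1..~16 pages so its page is unpredictable; sub-page bits are dropped by set_brk's page alignment */`.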
29662 @@ -873,9 +1157,11 @@ static int load_elf_binary(struct linux_
29663 goto out_free_dentry;
29665 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
29666 - send_sig(SIGSEGV, current, 0);
29667 - retval = -EFAULT; /* Nobody gets to see this, but.. */
29668 - goto out_free_dentry;
29670 + * This bss-zeroing can fail if the ELF
29671 + * file specifies odd protections. So
29672 + * we don't check the return value
29676 if (elf_interpreter) {
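Review bot: The padzero() failure at L18544 is now ignored, so when the tail page of the data segment is not writable the bytes between p_filesz and the end of that page keep their file contents instead of being zeroed, and a program reading the start of .bss can observe them — a correctness regression relative to the removed SIGSEGV path, though not a memory-safety one. The replacement comment at L18548-18550 should say what a failure means for the process, e.g. `* Ignoring the failure leaves the tail of that page holding file data rather than zeros, which the process can observe.`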
29677 @@ -1086,7 +1372,7 @@ out:
29678 * Decide what to dump of a segment, part, all or none.
29680 static unsigned long vma_dump_size(struct vm_area_struct *vma,
29681 - unsigned long mm_flags)
29682 + unsigned long mm_flags, long signr)
29684 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
29686 @@ -1120,7 +1406,7 @@ static unsigned long vma_dump_size(struc
29687 if (vma->vm_file == NULL)
29690 - if (FILTER(MAPPED_PRIVATE))
29691 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
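Review bot: `signr == SIGKILL` at L18561 overrides the user's coredump_filter for file-backed private mappings whenever the dump is triggered by SIGKILL, but neither this hunk nor the signature change at L18556 says why SIGKILL is special (in stock, a SIGKILL does not produce a core at all, so this presumably pairs with a path elsewhere in the patch that dumps on forced kills). A comment above the check would make the policy visible: `/* a SIGKILL-triggered dump always includes private file mappings, regardless of coredump_filter */`. vma_dump_size starts and ends outside the hunk.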
29695 @@ -1342,9 +1628,9 @@ static void fill_auxv_note(struct memelf
29697 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
29702 - while (auxv[i - 2] != AT_NULL);
29703 + } while (auxv[i - 2] != AT_NULL);
29704 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
29707 @@ -1850,14 +2136,14 @@ static void fill_extnum_info(struct elfh
29710 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
29711 - unsigned long mm_flags)
29712 + struct coredump_params *cprm)
29714 struct vm_area_struct *vma;
29717 for (vma = first_vma(current, gate_vma); vma != NULL;
29718 vma = next_vma(vma, gate_vma))
29719 - size += vma_dump_size(vma, mm_flags);
29720 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29724 @@ -1951,7 +2237,7 @@ static int elf_core_dump(struct coredump
29726 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
29728 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
29729 + offset += elf_core_vma_data_size(gate_vma, cprm);
29730 offset += elf_core_extra_data_size();
29733 @@ -1965,10 +2251,12 @@ static int elf_core_dump(struct coredump
29736 size += sizeof(*elf);
29737 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29738 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
29741 size += sizeof(*phdr4note);
29742 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29743 if (size > cprm->limit
29744 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
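Review bot: Every `size += …; gr_learn_resource(current, RLIMIT_CORE, size, 1); if (size > cprm->limit || !dump_write(…))` triple in this hunk and in the hunks ending at L18602, L18613 and L18620 is the same pattern, and the page-loop variant at L18611-18612 has to pass `size + PAGE_SIZE` by hand to stay in step with the `size += PAGE_SIZE` on the following line; a small helper that accounts, learns and writes in one place removes the duplication and the chance of those two drifting apart. The type of size is declared outside the hunks, so match it in the helper. elf_core_dump starts and ends outside these hunks.
```c
/* Account len more bytes of core output against RLIMIT_CORE, then write them.
 * Returns 0 when the limit is exceeded or the write fails. */
static int dump_chunk(struct coredump_params *cprm, size_t *size,
		      const void *buf, size_t len)
{
	*size += len;
	gr_learn_resource(current, RLIMIT_CORE, *size, 1);
	return *size <= cprm->limit && dump_write(cprm->file, buf, len);
}

/* … unchanged: header setup … */
	if (!dump_chunk(cprm, &size, elf, sizeof(*elf)))
		/* … unchanged: the existing failure jump … */
```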
29746 @@ -1982,7 +2270,7 @@ static int elf_core_dump(struct coredump
29747 phdr.p_offset = offset;
29748 phdr.p_vaddr = vma->vm_start;
29750 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
29751 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29752 phdr.p_memsz = vma->vm_end - vma->vm_start;
29753 offset += phdr.p_filesz;
29754 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
29755 @@ -1993,6 +2281,7 @@ static int elf_core_dump(struct coredump
29756 phdr.p_align = ELF_EXEC_PAGESIZE;
29758 size += sizeof(phdr);
29759 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29760 if (size > cprm->limit
29761 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
29763 @@ -2017,7 +2306,7 @@ static int elf_core_dump(struct coredump
29764 unsigned long addr;
29767 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
29768 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
29770 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
29772 @@ -2026,6 +2315,7 @@ static int elf_core_dump(struct coredump
29773 page = get_dump_page(addr);
29775 void *kaddr = kmap(page);
29776 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
29777 stop = ((size += PAGE_SIZE) > cprm->limit) ||
29778 !dump_write(cprm->file, kaddr,
29780 @@ -2043,6 +2333,7 @@ static int elf_core_dump(struct coredump
29782 if (e_phnum == PN_XNUM) {
29783 size += sizeof(*shdr4extnum);
29784 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
29785 if (size > cprm->limit
29786 || !dump_write(cprm->file, shdr4extnum,
29787 sizeof(*shdr4extnum)))
29788 @@ -2063,6 +2354,97 @@ out:
29790 #endif /* CONFIG_ELF_CORE */
29792 +#ifdef CONFIG_PAX_MPROTECT
29793 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
29794 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
29795 + * we'll remove VM_MAYWRITE for good on RELRO segments.
29797 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
29798 + * basis because we want to allow the common case and not the special ones.
29800 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
29802 + struct elfhdr elf_h;
29803 + struct elf_phdr elf_p;
29805 + unsigned long oldflags;
29806 + bool is_textrel_rw, is_textrel_rx, is_relro;
29808 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
29811 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
29812 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
29814 +#ifdef CONFIG_PAX_ELFRELOCS
29815 + /* possible TEXTREL */
29816 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
29817 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
29819 + is_textrel_rw = false;
29820 + is_textrel_rx = false;
29823 + /* possible RELRO */
29824 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
29826 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
29829 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
29830 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
29832 +#ifdef CONFIG_PAX_ETEXECRELOCS
29833 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29835 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
29838 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
29839 + !elf_check_arch(&elf_h) ||
29840 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
29841 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
29844 + for (i = 0UL; i < elf_h.e_phnum; i++) {
29845 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
29847 + switch (elf_p.p_type) {
29849 + if (!is_textrel_rw && !is_textrel_rx)
29852 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
29855 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
29857 + if (dyn.d_tag == DT_NULL)
29859 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
29860 + gr_log_textrel(vma);
29861 + if (is_textrel_rw)
29862 + vma->vm_flags |= VM_MAYWRITE;
29864 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
29865 + vma->vm_flags &= ~VM_MAYWRITE;
29872 + case PT_GNU_RELRO:
29875 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
29876 + vma->vm_flags &= ~VM_MAYWRITE;
29883 static int __init init_elf_binfmt(void)
29885 return register_binfmt(&elf_format);
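Review bot: The PT_DYNAMIC branch at L18659-18660 reuses the program-header counter `i` as the index into the dynamic section (`elf_p.p_offset + i*sizeof(dyn)`), so once that inner loop runs the outer `for` at L18655 can no longer continue meaningfully; that is only correct because the branch leaves the function afterwards — the lines between L18667 and L18668 are not rendered, so confirm the `return` is there — and a separate `j` for the dynamic entries would make the independence explicit. The writes to `vma->vm_flags` at L18665, L18667 and L18670 assume the caller holds mmap_sem for writing, as mprotect does; a one-line note on the function, `/* called from mprotect with mmap_sem held for writing */`, pins that requirement down. The function's caller and its closing lines are outside the hunk.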
29886 diff -urNp linux-2.6.38.1/fs/binfmt_flat.c linux-2.6.38.1-new/fs/binfmt_flat.c
29887 --- linux-2.6.38.1/fs/binfmt_flat.c 2011-03-14 21:20:32.000000000 -0400
29888 +++ linux-2.6.38.1-new/fs/binfmt_flat.c 2011-03-21 18:31:35.000000000 -0400
29889 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
29890 realdatastart = (unsigned long) -ENOMEM;
29891 printk("Unable to allocate RAM for process data, errno %d\n",
29892 (int)-realdatastart);
29893 + down_write(¤t->mm->mmap_sem);
29894 do_munmap(current->mm, textpos, text_len);
29895 + up_write(¤t->mm->mmap_sem);
29896 ret = realdatastart;
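Review bot: Wrapping do_munmap() in down_write/up_write at L18680-18682 is the right fix, since do_munmap requires mmap_sem held for writing; the hunks ending at L18690 and L18697 do the same for the other error paths. load_flat_file starts outside the hunk, so confirm no caller already holds mmap_sem when these error paths run — the rwsem is not recursive and would deadlock — and, if the function has further do_munmap sites outside these hunks, they need the same treatment.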
29899 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
29901 if (IS_ERR_VALUE(result)) {
29902 printk("Unable to read data+bss, errno %d\n", (int)-result);
29903 + down_write(¤t->mm->mmap_sem);
29904 do_munmap(current->mm, textpos, text_len);
29905 do_munmap(current->mm, realdatastart, len);
29906 + up_write(¤t->mm->mmap_sem);
29910 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
29912 if (IS_ERR_VALUE(result)) {
29913 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
29914 + down_write(¤t->mm->mmap_sem);
29915 do_munmap(current->mm, textpos, text_len + data_len + extra +
29916 MAX_SHARED_LIBS * sizeof(unsigned long));
29917 + up_write(¤t->mm->mmap_sem);
29921 diff -urNp linux-2.6.38.1/fs/binfmt_misc.c linux-2.6.38.1-new/fs/binfmt_misc.c
29922 --- linux-2.6.38.1/fs/binfmt_misc.c 2011-03-14 21:20:32.000000000 -0400
29923 +++ linux-2.6.38.1-new/fs/binfmt_misc.c 2011-03-21 18:31:35.000000000 -0400
29924 @@ -698,7 +698,7 @@ static int bm_fill_super(struct super_bl
29925 static struct tree_descr bm_files[] = {
29926 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
29927 [3] = {"register", &bm_register_operations, S_IWUSR},
29928 - /* last one */ {""}
29929 + /* last one */ {"", NULL, 0}
29931 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
29933 diff -urNp linux-2.6.38.1/fs/bio.c linux-2.6.38.1-new/fs/bio.c
29934 --- linux-2.6.38.1/fs/bio.c 2011-03-14 21:20:32.000000000 -0400
29935 +++ linux-2.6.38.1-new/fs/bio.c 2011-03-21 18:31:35.000000000 -0400
29936 @@ -1233,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
29937 const int read = bio_data_dir(bio) == READ;
29938 struct bio_map_data *bmd = bio->bi_private;
29940 - char *p = bmd->sgvecs[0].iov_base;
29941 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
29943 __bio_for_each_segment(bvec, bio, i, 0) {
29944 char *addr = page_address(bvec->bv_page);
29945 diff -urNp linux-2.6.38.1/fs/block_dev.c linux-2.6.38.1-new/fs/block_dev.c
29946 --- linux-2.6.38.1/fs/block_dev.c 2011-03-14 21:20:32.000000000 -0400
29947 +++ linux-2.6.38.1-new/fs/block_dev.c 2011-03-21 18:31:35.000000000 -0400
29948 @@ -669,7 +669,7 @@ static bool bd_may_claim(struct block_de
29949 else if (bdev->bd_contains == bdev)
29950 return true; /* is a whole device which isn't held */
29952 - else if (whole->bd_holder == bd_may_claim)
29953 + else if (whole->bd_holder == (void *)bd_may_claim)
29954 return true; /* is a partition of a device that is being partitioned */
29955 else if (whole->bd_holder != NULL)
29956 return false; /* is a partition of a held device */
29957 diff -urNp linux-2.6.38.1/fs/btrfs/ctree.c linux-2.6.38.1-new/fs/btrfs/ctree.c
29958 --- linux-2.6.38.1/fs/btrfs/ctree.c 2011-03-14 21:20:32.000000000 -0400
29959 +++ linux-2.6.38.1-new/fs/btrfs/ctree.c 2011-03-21 18:31:35.000000000 -0400
29960 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
29961 free_extent_buffer(buf);
29962 add_root_to_dirty_list(root);
29964 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
29965 - parent_start = parent->start;
29967 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
29969 + parent_start = parent->start;
29971 + parent_start = 0;
29975 WARN_ON(trans->transid != btrfs_header_generation(parent));
29976 @@ -3776,7 +3779,6 @@ setup_items_for_insert(struct btrfs_tran
29980 - struct btrfs_disk_key disk_key;
29981 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
29982 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
29984 diff -urNp linux-2.6.38.1/fs/btrfs/disk-io.c linux-2.6.38.1-new/fs/btrfs/disk-io.c
29985 --- linux-2.6.38.1/fs/btrfs/disk-io.c 2011-03-14 21:20:32.000000000 -0400
29986 +++ linux-2.6.38.1-new/fs/btrfs/disk-io.c 2011-03-21 18:31:35.000000000 -0400
29988 #include "tree-log.h"
29989 #include "free-space-cache.h"
29991 -static struct extent_io_ops btree_extent_io_ops;
29992 +static const struct extent_io_ops btree_extent_io_ops;
29993 static void end_workqueue_fn(struct btrfs_work *work);
29994 static void free_fs_root(struct btrfs_root *root);
29995 static void btrfs_check_super_valid(struct btrfs_fs_info *fs_info,
29996 @@ -3028,7 +3028,7 @@ static int btrfs_cleanup_transaction(str
30000 -static struct extent_io_ops btree_extent_io_ops = {
30001 +static const struct extent_io_ops btree_extent_io_ops = {
30002 .write_cache_pages_lock_hook = btree_lock_page_hook,
30003 .readpage_end_io_hook = btree_readpage_end_io_hook,
30004 .submit_bio_hook = btree_submit_bio_hook,
30005 diff -urNp linux-2.6.38.1/fs/btrfs/extent_io.h linux-2.6.38.1-new/fs/btrfs/extent_io.h
30006 --- linux-2.6.38.1/fs/btrfs/extent_io.h 2011-03-14 21:20:32.000000000 -0400
30007 +++ linux-2.6.38.1-new/fs/btrfs/extent_io.h 2011-03-21 18:31:35.000000000 -0400
30008 @@ -55,36 +55,36 @@ typedef int (extent_submit_bio_hook_t)(s
30009 struct bio *bio, int mirror_num,
30010 unsigned long bio_flags, u64 bio_offset);
30011 struct extent_io_ops {
30012 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30013 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30014 u64 start, u64 end, int *page_started,
30015 unsigned long *nr_written);
30016 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30017 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30018 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30019 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30020 extent_submit_bio_hook_t *submit_bio_hook;
30021 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30022 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30023 size_t size, struct bio *bio,
30024 unsigned long bio_flags);
30025 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30026 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30027 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30028 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30029 u64 start, u64 end,
30030 struct extent_state *state);
30031 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30032 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30033 u64 start, u64 end,
30034 struct extent_state *state);
30035 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30036 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30037 struct extent_state *state);
30038 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30039 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30040 struct extent_state *state, int uptodate);
30041 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30042 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30044 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30045 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30047 - int (*merge_extent_hook)(struct inode *inode,
30048 + int (* const merge_extent_hook)(struct inode *inode,
30049 struct extent_state *new,
30050 struct extent_state *other);
30051 - int (*split_extent_hook)(struct inode *inode,
30052 + int (* const split_extent_hook)(struct inode *inode,
30053 struct extent_state *orig, u64 split);
30054 - int (*write_cache_pages_lock_hook)(struct page *page);
30055 + int (* const write_cache_pages_lock_hook)(struct page *page);
30058 struct extent_io_tree {
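Review bot: `submit_bio_hook` at L18776 is the only member of struct extent_io_ops left without `const` while every other function pointer in the hunk gains `* const`, which looks like an oversight; `extent_submit_bio_hook_t * const submit_bio_hook;` keeps the struct uniformly immutable after initialisation and matches the `const struct extent_io_ops` declarations at L18751, L18757, L18838 and L18856.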
30059 @@ -94,7 +94,7 @@ struct extent_io_tree {
30062 spinlock_t buffer_lock;
30063 - struct extent_io_ops *ops;
30064 + const struct extent_io_ops *ops;
30067 struct extent_state {
30068 diff -urNp linux-2.6.38.1/fs/btrfs/free-space-cache.c linux-2.6.38.1-new/fs/btrfs/free-space-cache.c
30069 --- linux-2.6.38.1/fs/btrfs/free-space-cache.c 2011-03-14 21:20:32.000000000 -0400
30070 +++ linux-2.6.38.1-new/fs/btrfs/free-space-cache.c 2011-03-21 18:31:35.000000000 -0400
30071 @@ -1855,8 +1855,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30074 if (entry->bytes < bytes || entry->offset < min_start) {
30075 - struct rb_node *node;
30077 node = rb_next(&entry->offset_index);
30080 @@ -2018,7 +2016,7 @@ again:
30082 while (entry->bitmap || found_bitmap ||
30083 (!entry->bitmap && entry->bytes < min_bytes)) {
30084 - struct rb_node *node = rb_next(&entry->offset_index);
30085 + node = rb_next(&entry->offset_index);
30087 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30088 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30089 diff -urNp linux-2.6.38.1/fs/btrfs/inode.c linux-2.6.38.1-new/fs/btrfs/inode.c
30090 --- linux-2.6.38.1/fs/btrfs/inode.c 2011-03-14 21:20:32.000000000 -0400
30091 +++ linux-2.6.38.1-new/fs/btrfs/inode.c 2011-03-24 23:08:20.000000000 -0400
30092 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30093 static const struct address_space_operations btrfs_aops;
30094 static const struct address_space_operations btrfs_symlink_aops;
30095 static const struct file_operations btrfs_dir_file_operations;
30096 -static struct extent_io_ops btrfs_extent_io_ops;
30097 +static const struct extent_io_ops btrfs_extent_io_ops;
30099 static struct kmem_cache *btrfs_inode_cachep;
30100 struct kmem_cache *btrfs_trans_handle_cachep;
30101 @@ -6796,7 +6796,7 @@ fail:
30105 -static int btrfs_getattr(struct vfsmount *mnt,
30106 +int btrfs_getattr(struct vfsmount *mnt,
30107 struct dentry *dentry, struct kstat *stat)
30109 struct inode *inode = dentry->d_inode;
30110 @@ -6808,6 +6808,14 @@ static int btrfs_getattr(struct vfsmount
30114 +EXPORT_SYMBOL(btrfs_getattr);
30116 +dev_t get_btrfs_dev_from_inode(struct inode *inode)
30118 + return BTRFS_I(inode)->root->anon_super.s_dev;
30120 +EXPORT_SYMBOL(get_btrfs_dev_from_inode);
30122 static int btrfs_rename(struct inode *old_dir, struct dentry *old_dentry,
30123 struct inode *new_dir, struct dentry *new_dentry)
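Review bot: get_btrfs_dev_from_inode() at L18848-18850 and the newly non-static btrfs_getattr() at L18843 are exported with EXPORT_SYMBOL but carry no comment and no visible header prototype; both need a declaration in a btrfs header so the export builds cleanly with -Wmissing-prototypes, and the new function wants a one-liner such as `/* exported: returns the device number of the anonymous super_block of this inode's root */`. Whether EXPORT_SYMBOL or EXPORT_SYMBOL_GPL is intended is worth stating, as the rest of the file's export policy is outside the hunk.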
30125 @@ -7311,7 +7319,7 @@ static const struct file_operations btrf
30126 .fsync = btrfs_sync_file,
30129 -static struct extent_io_ops btrfs_extent_io_ops = {
30130 +static const struct extent_io_ops btrfs_extent_io_ops = {
30131 .fill_delalloc = run_delalloc_range,
30132 .submit_bio_hook = btrfs_submit_bio_hook,
30133 .merge_bio_hook = btrfs_merge_bio_hook,
30134 diff -urNp linux-2.6.38.1/fs/btrfs/ioctl.c linux-2.6.38.1-new/fs/btrfs/ioctl.c
30135 --- linux-2.6.38.1/fs/btrfs/ioctl.c 2011-03-14 21:20:32.000000000 -0400
30136 +++ linux-2.6.38.1-new/fs/btrfs/ioctl.c 2011-03-21 18:31:35.000000000 -0400
30137 @@ -2270,9 +2270,12 @@ long btrfs_ioctl_space_info(struct btrfs
30138 for (i = 0; i < num_types; i++) {
30139 struct btrfs_space_info *tmp;
30141 + /* Don't copy in more than we allocated */
30149 list_for_each_entry_rcu(tmp, &root->fs_info->space_info,
30150 @@ -2294,10 +2297,7 @@ long btrfs_ioctl_space_info(struct btrfs
30151 memcpy(dest, &space, sizeof(space));
30153 space_args.total_spaces++;
30159 up_read(&info->groups_sem);
30161 diff -urNp linux-2.6.38.1/fs/btrfs/relocation.c linux-2.6.38.1-new/fs/btrfs/relocation.c
30162 --- linux-2.6.38.1/fs/btrfs/relocation.c 2011-03-14 21:20:32.000000000 -0400
30163 +++ linux-2.6.38.1-new/fs/btrfs/relocation.c 2011-03-21 18:31:35.000000000 -0400
30164 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
30166 spin_unlock(&rc->reloc_root_tree.lock);
30168 - BUG_ON((struct btrfs_root *)node->data != root);
30169 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
30172 spin_lock(&rc->reloc_root_tree.lock);
30173 diff -urNp linux-2.6.38.1/fs/cachefiles/bind.c linux-2.6.38.1-new/fs/cachefiles/bind.c
30174 --- linux-2.6.38.1/fs/cachefiles/bind.c 2011-03-14 21:20:32.000000000 -0400
30175 +++ linux-2.6.38.1-new/fs/cachefiles/bind.c 2011-03-21 18:31:35.000000000 -0400
30176 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
30179 /* start by checking things over */
30180 - ASSERT(cache->fstop_percent >= 0 &&
30181 - cache->fstop_percent < cache->fcull_percent &&
30182 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
30183 cache->fcull_percent < cache->frun_percent &&
30184 cache->frun_percent < 100);
30186 - ASSERT(cache->bstop_percent >= 0 &&
30187 - cache->bstop_percent < cache->bcull_percent &&
30188 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
30189 cache->bcull_percent < cache->brun_percent &&
30190 cache->brun_percent < 100);
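Review bot: Dropping the `>= 0` tests at L18885-18892 (and the `< 0` tests in the daemon.c hunks ending at L18904, L18910 and L18916) is only sound if fstop_percent, bstop_percent, datalen, fstop and bstop are unsigned; their declarations are outside these hunks, so if any of them is still `int` a negative value now passes the range check. If the type changes are in a part of the patch not shown here, fine; otherwise they belong in this same change.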
30192 diff -urNp linux-2.6.38.1/fs/cachefiles/daemon.c linux-2.6.38.1-new/fs/cachefiles/daemon.c
30193 --- linux-2.6.38.1/fs/cachefiles/daemon.c 2011-03-14 21:20:32.000000000 -0400
30194 +++ linux-2.6.38.1-new/fs/cachefiles/daemon.c 2011-03-21 18:31:35.000000000 -0400
30195 @@ -196,7 +196,7 @@ static ssize_t cachefiles_daemon_read(st
30199 - if (copy_to_user(_buffer, buffer, n) != 0)
30200 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
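Review bot: The added `n > sizeof(buffer)` guard at L18900 is only meaningful if `buffer` is a local array, not a pointer (sizeof would then be the pointer size); its declaration is outside the hunk, so confirm. If `n` comes from an snprintf into that buffer, a value that is `>= sizeof(buffer)` already indicates truncation, so `>=` rather than `>` may be the bound that matches how n was produced.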
30204 @@ -222,7 +222,7 @@ static ssize_t cachefiles_daemon_write(s
30205 if (test_bit(CACHEFILES_DEAD, &cache->flags))
30208 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
30209 + if (datalen > PAGE_SIZE - 1)
30210 return -EOPNOTSUPP;
30212 /* drag the command string into the kernel so we can parse it */
30213 @@ -386,7 +386,7 @@ static int cachefiles_daemon_fstop(struc
30214 if (args[0] != '%' || args[1] != '\0')
30217 - if (fstop < 0 || fstop >= cache->fcull_percent)
30218 + if (fstop >= cache->fcull_percent)
30219 return cachefiles_daemon_range_error(cache, args);
30221 cache->fstop_percent = fstop;
30222 @@ -458,7 +458,7 @@ static int cachefiles_daemon_bstop(struc
30223 if (args[0] != '%' || args[1] != '\0')
30226 - if (bstop < 0 || bstop >= cache->bcull_percent)
30227 + if (bstop >= cache->bcull_percent)
30228 return cachefiles_daemon_range_error(cache, args);
30230 cache->bstop_percent = bstop;
30231 diff -urNp linux-2.6.38.1/fs/cachefiles/rdwr.c linux-2.6.38.1-new/fs/cachefiles/rdwr.c
30232 --- linux-2.6.38.1/fs/cachefiles/rdwr.c 2011-03-14 21:20:32.000000000 -0400
30233 +++ linux-2.6.38.1-new/fs/cachefiles/rdwr.c 2011-03-21 18:31:35.000000000 -0400
30234 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
30237 ret = file->f_op->write(
30238 - file, (const void __user *) data, len, &pos);
30239 + file, (__force const void __user *) data, len, &pos);
30243 diff -urNp linux-2.6.38.1/fs/ceph/dir.c linux-2.6.38.1-new/fs/ceph/dir.c
30244 --- linux-2.6.38.1/fs/ceph/dir.c 2011-03-14 21:20:32.000000000 -0400
30245 +++ linux-2.6.38.1-new/fs/ceph/dir.c 2011-03-21 18:31:35.000000000 -0400
30246 @@ -226,7 +226,7 @@ static int ceph_readdir(struct file *fil
30247 struct ceph_fs_client *fsc = ceph_inode_to_client(inode);
30248 struct ceph_mds_client *mdsc = fsc->mdsc;
30249 unsigned frag = fpos_frag(filp->f_pos);
30250 - int off = fpos_off(filp->f_pos);
30251 + unsigned int off = fpos_off(filp->f_pos);
30254 struct ceph_mds_reply_info_parsed *rinfo;
30255 @@ -358,7 +358,7 @@ more:
30256 rinfo = &fi->last_readdir->r_reply_info;
30257 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
30258 rinfo->dir_nr, off, fi->offset);
30259 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
30260 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
30261 u64 pos = ceph_make_fpos(frag, off);
30262 struct ceph_mds_reply_inode *in =
30263 rinfo->dir_in[off - fi->offset].in;
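Review bot: `off` became `unsigned int` in the previous hunk, but the dout() at the top of this one still prints it with `%d`; it should read `dout("readdir frag %x num %d off %u chunkoff %d\n", frag, rinfo->dir_nr, off, fi->offset);`. The rewritten condition `off >= fi->offset` now compares an unsigned value with `fi->offset`, which this hunk does not show changing type; if it is still a signed int, a negative value would be converted to unsigned and the loop skipped, so either confirm that it is non-negative by construction or convert it too so the comparison is unambiguous. Other uses of `off` in ceph_readdir, and the function's boundaries, lie outside the hunk.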
30264 diff -urNp linux-2.6.38.1/fs/cifs/cifs_uniupr.h linux-2.6.38.1-new/fs/cifs/cifs_uniupr.h
30265 --- linux-2.6.38.1/fs/cifs/cifs_uniupr.h 2011-03-14 21:20:32.000000000 -0400
30266 +++ linux-2.6.38.1-new/fs/cifs/cifs_uniupr.h 2011-03-21 18:31:35.000000000 -0400
30267 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30268 {0x0490, 0x04cc, UniCaseRangeU0490},
30269 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30270 {0xff40, 0xff5a, UniCaseRangeUff40},
30276 diff -urNp linux-2.6.38.1/fs/cifs/link.c linux-2.6.38.1-new/fs/cifs/link.c
30277 --- linux-2.6.38.1/fs/cifs/link.c 2011-03-14 21:20:32.000000000 -0400
30278 +++ linux-2.6.38.1-new/fs/cifs/link.c 2011-03-21 18:31:35.000000000 -0400
30279 @@ -577,7 +577,7 @@ symlink_exit:
30281 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30283 - char *p = nd_get_link(nd);
30284 + const char *p = nd_get_link(nd);
30288 diff -urNp linux-2.6.38.1/fs/compat_binfmt_elf.c linux-2.6.38.1-new/fs/compat_binfmt_elf.c
30289 --- linux-2.6.38.1/fs/compat_binfmt_elf.c 2011-03-14 21:20:32.000000000 -0400
30290 +++ linux-2.6.38.1-new/fs/compat_binfmt_elf.c 2011-03-21 18:31:35.000000000 -0400
30291 @@ -30,11 +30,13 @@
30297 #define elfhdr elf32_hdr
30298 #define elf_phdr elf32_phdr
30299 #define elf_shdr elf32_shdr
30300 #define elf_note elf32_note
30301 +#define elf_dyn Elf32_Dyn
30302 #define elf_addr_t Elf32_Addr
30305 diff -urNp linux-2.6.38.1/fs/compat.c linux-2.6.38.1-new/fs/compat.c
30306 --- linux-2.6.38.1/fs/compat.c 2011-03-14 21:20:32.000000000 -0400
30307 +++ linux-2.6.38.1-new/fs/compat.c 2011-03-21 18:31:35.000000000 -0400
30308 @@ -594,7 +594,7 @@ ssize_t compat_rw_copy_check_uvector(int
30312 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
30313 + if (nr_segs > UIO_MAXIOV)
30315 if (nr_segs > fast_segs) {
30317 @@ -876,6 +876,7 @@ struct compat_old_linux_dirent {
30319 struct compat_readdir_callback {
30320 struct compat_old_linux_dirent __user *dirent;
30321 + struct file * file;
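Review bot: The new member is declared `struct file * file;` here and in the two later callback-struct hunks of fs/compat.c (@@ -945 and @@ -1034); kernel style binds the star to the name, `struct file *file;`. The `gr_acl_handle_filldir(buf->file, name, namlen, ino)` checks that consume it carry no comment and the statement following each check is not shown, so whatever the denial path does (presumably the entry is not reported) deserves a one-line comment at the first occurrence, e.g. `/* RBAC: directory entries the policy hides from this task are not returned */`. It is also worth confirming that every caller sets `buf.file` before its vfs_readdir call; the assignments are not among the lines shown, though the gaps before each vfs_readdir suggest they exist.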
30325 @@ -893,6 +894,10 @@ static int compat_fillonedir(void *__buf
30326 buf->result = -EOVERFLOW;
30330 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30334 dirent = buf->dirent;
30335 if (!access_ok(VERIFY_WRITE, dirent,
30336 @@ -925,6 +930,7 @@ asmlinkage long compat_sys_old_readdir(u
30339 buf.dirent = dirent;
30342 error = vfs_readdir(file, compat_fillonedir, &buf);
30344 @@ -945,6 +951,7 @@ struct compat_linux_dirent {
30345 struct compat_getdents_callback {
30346 struct compat_linux_dirent __user *current_dir;
30347 struct compat_linux_dirent __user *previous;
30348 + struct file * file;
30352 @@ -966,6 +973,10 @@ static int compat_filldir(void *__buf, c
30353 buf->error = -EOVERFLOW;
30357 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30360 dirent = buf->previous;
30362 if (__put_user(offset, &dirent->d_off))
30363 @@ -1013,6 +1024,7 @@ asmlinkage long compat_sys_getdents(unsi
30364 buf.previous = NULL;
30369 error = vfs_readdir(file, compat_filldir, &buf);
30371 @@ -1034,6 +1046,7 @@ out:
30372 struct compat_getdents_callback64 {
30373 struct linux_dirent64 __user *current_dir;
30374 struct linux_dirent64 __user *previous;
30375 + struct file * file;
30379 @@ -1050,6 +1063,10 @@ static int compat_filldir64(void * __buf
30380 buf->error = -EINVAL; /* only used if we fail.. */
30381 if (reclen > buf->count)
30384 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
30387 dirent = buf->previous;
30390 @@ -1101,6 +1118,7 @@ asmlinkage long compat_sys_getdents64(un
30391 buf.previous = NULL;
30396 error = vfs_readdir(file, compat_filldir64, &buf);
30398 @@ -1423,6 +1441,7 @@ static int compat_copy_strings(int argc,
30400 page = get_arg_page(bprm, pos, 1);
30402 + /* We've exceed the stack rlimit. */
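Review bot: The added comment misspells its verb; it should read `/* We've exceeded the stack rlimit. */`. The surrounding code of compat_copy_strings lies outside the hunk.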
30406 @@ -1464,6 +1483,11 @@ int compat_do_execve(char * filename,
30407 compat_uptr_t __user *envp,
30408 struct pt_regs * regs)
30410 +#ifdef CONFIG_GRKERNSEC
30411 + struct file *old_exec_file;
30412 + struct acl_subject_label *old_acl;
30413 + struct rlimit old_rlim[RLIM_NLIMITS];
30415 struct linux_binprm *bprm;
30417 struct files_struct *displaced;
30418 @@ -1500,6 +1524,14 @@ int compat_do_execve(char * filename,
30419 bprm->filename = filename;
30420 bprm->interp = filename;
30422 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30423 + retval = -EAGAIN;
30424 + if (gr_handle_nproc())
30426 + retval = -EACCES;
30427 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30430 retval = bprm_mm_init(bprm);
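Review bot: The error handling is written as an unconditional `retval = -EAGAIN;` followed by `if (gr_handle_nproc())`, then `retval = -EACCES;` followed by `if (!gr_acl_handle_execve(...))`, whereas the equivalent do_execve hunk (@@ -1414) in fs/exec.c assigns retval inside the if-body; the two copies of the same logic should use one shape, preferably the do_execve form, `if (gr_handle_nproc()) { retval = -EAGAIN; goto LABEL; }` with LABEL being whichever target the elided lines jump to, so retval never carries a stale error code between checks. The goto targets themselves are not visible in the hunk. compat_do_execve continues outside the hunk.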
30433 @@ -1529,9 +1561,40 @@ int compat_do_execve(char * filename,
30437 + if (!gr_tpe_allow(file)) {
30438 + retval = -EACCES;
30442 + if (gr_check_crash_exec(file)) {
30443 + retval = -EACCES;
30447 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30449 + gr_handle_exec_args_compat(bprm, argv);
30451 +#ifdef CONFIG_GRKERNSEC
30452 + old_acl = current->acl;
30453 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30454 + old_exec_file = current->exec_file;
30456 + current->exec_file = file;
30459 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30460 + bprm->unsafe & LSM_UNSAFE_SHARE);
30464 retval = search_binary_handler(bprm, regs);
30468 +#ifdef CONFIG_GRKERNSEC
30469 + if (old_exec_file)
30470 + fput(old_exec_file);
30473 /* execve succeeded */
30474 current->fs->in_exec = 0;
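Review bot: The `memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim))` snapshot here, and the matching restore in the failure-path hunk below, copy the whole rlimit array without holding a lock; elsewhere in the kernel signal->rlim is written under task_lock(current->group_leader), so unless gr_set_proc_label and the restore serialise against do_prlimit in some other way, a concurrent setrlimit from another thread could be lost or observed torn. Taking task_lock(current->group_leader) around both memcpy calls, or a comment stating why that is unnecessary, would settle it. The same snapshot/restore pair appears in the do_execve hunks of fs/exec.c (@@ -1443 and @@ -1456). compat_do_execve continues outside the hunk.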
30475 @@ -1542,6 +1605,14 @@ int compat_do_execve(char * filename,
30476 put_files_struct(displaced);
30480 +#ifdef CONFIG_GRKERNSEC
30481 + current->acl = old_acl;
30482 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30483 + fput(current->exec_file);
30484 + current->exec_file = old_exec_file;
30489 acct_arg_size(bprm, 0);
30490 diff -urNp linux-2.6.38.1/fs/compat_ioctl.c linux-2.6.38.1-new/fs/compat_ioctl.c
30491 --- linux-2.6.38.1/fs/compat_ioctl.c 2011-03-14 21:20:32.000000000 -0400
30492 +++ linux-2.6.38.1-new/fs/compat_ioctl.c 2011-03-21 18:31:35.000000000 -0400
30493 @@ -208,6 +208,8 @@ static int do_video_set_spu_palette(unsi
30495 err = get_user(palp, &up->palette);
30496 err |= get_user(length, &up->length);
30500 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
30501 err = put_user(compat_ptr(palp), &up_native->palette);
30502 @@ -1638,8 +1640,8 @@ asmlinkage long compat_sys_ioctl(unsigne
30503 static int __init init_sys32_ioctl_cmp(const void *p, const void *q)
30506 - a = *(unsigned int *)p;
30507 - b = *(unsigned int *)q;
30508 + a = *(const unsigned int *)p;
30509 + b = *(const unsigned int *)q;
30513 diff -urNp linux-2.6.38.1/fs/debugfs/inode.c linux-2.6.38.1-new/fs/debugfs/inode.c
30514 --- linux-2.6.38.1/fs/debugfs/inode.c 2011-03-14 21:20:32.000000000 -0400
30515 +++ linux-2.6.38.1-new/fs/debugfs/inode.c 2011-03-21 18:31:35.000000000 -0400
30516 @@ -130,7 +130,7 @@ static inline int debugfs_positive(struc
30518 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30520 - static struct tree_descr debug_files[] = {{""}};
30521 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30523 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30525 diff -urNp linux-2.6.38.1/fs/dlm/lockspace.c linux-2.6.38.1-new/fs/dlm/lockspace.c
30526 --- linux-2.6.38.1/fs/dlm/lockspace.c 2011-03-14 21:20:32.000000000 -0400
30527 +++ linux-2.6.38.1-new/fs/dlm/lockspace.c 2011-03-21 18:31:35.000000000 -0400
30528 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30532 -static struct kset_uevent_ops dlm_uevent_ops = {
30533 +static const struct kset_uevent_ops dlm_uevent_ops = {
30534 .uevent = dlm_uevent,
30537 diff -urNp linux-2.6.38.1/fs/ecryptfs/inode.c linux-2.6.38.1-new/fs/ecryptfs/inode.c
30538 --- linux-2.6.38.1/fs/ecryptfs/inode.c 2011-03-14 21:20:32.000000000 -0400
30539 +++ linux-2.6.38.1-new/fs/ecryptfs/inode.c 2011-03-21 18:31:35.000000000 -0400
30540 @@ -658,7 +658,7 @@ static int ecryptfs_readlink_lower(struc
30543 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30544 - (char __user *)lower_buf,
30545 + (__force char __user *)lower_buf,
30549 @@ -704,7 +704,7 @@ static void *ecryptfs_follow_link(struct
30553 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30554 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30558 @@ -719,7 +719,7 @@ out:
30560 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30562 - char *buf = nd_get_link(nd);
30563 + const char *buf = nd_get_link(nd);
30564 if (!IS_ERR(buf)) {
30565 /* Free the char* */
30567 diff -urNp linux-2.6.38.1/fs/ecryptfs/miscdev.c linux-2.6.38.1-new/fs/ecryptfs/miscdev.c
30568 --- linux-2.6.38.1/fs/ecryptfs/miscdev.c 2011-03-14 21:20:32.000000000 -0400
30569 +++ linux-2.6.38.1-new/fs/ecryptfs/miscdev.c 2011-03-21 18:31:35.000000000 -0400
30570 @@ -328,7 +328,7 @@ check_list:
30571 goto out_unlock_msg_ctx;
30573 if (msg_ctx->msg) {
30574 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30575 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30576 goto out_unlock_msg_ctx;
30577 i += packet_length_size;
30578 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
30579 diff -urNp linux-2.6.38.1/fs/exec.c linux-2.6.38.1-new/fs/exec.c
30580 --- linux-2.6.38.1/fs/exec.c 2011-03-14 21:20:32.000000000 -0400
30581 +++ linux-2.6.38.1-new/fs/exec.c 2011-03-21 18:31:35.000000000 -0400
30582 @@ -55,12 +55,24 @@
30583 #include <linux/fs_struct.h>
30584 #include <linux/pipe_fs_i.h>
30585 #include <linux/oom.h>
30586 +#include <linux/random.h>
30587 +#include <linux/seq_file.h>
30589 +#ifdef CONFIG_PAX_REFCOUNT
30590 +#include <linux/kallsyms.h>
30591 +#include <linux/kdebug.h>
30594 #include <asm/uaccess.h>
30595 #include <asm/mmu_context.h>
30596 #include <asm/tlb.h>
30597 #include "internal.h"
30599 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30600 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30601 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30605 char core_pattern[CORENAME_MAX_SIZE] = "core";
30606 unsigned int core_pipe_limit;
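Review bot: `pax_set_initial_flags_func` is a writable, exported file-scope function pointer with no comment saying who assigns it or when; for a hook in the exec path (its linux_binprm argument suggests it runs at exec) that ownership is the first thing a reviewer looks for, and if it is set once at init it is a candidate for being made read-only afterwards. Suggested header above the definition: `/* Optional hook, presumably run at exec to seed a process's PaX flags; set by its owner under CONFIG_PAX_HOOK_ACL_FLAGS, NULL when unused */`, adjusted if it is reassigned at runtime. The call site is not in this hunk.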
30607 @@ -120,7 +132,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30610 file = do_filp_open(AT_FDCWD, tmp,
30611 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
30612 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
30613 MAY_READ | MAY_EXEC | MAY_OPEN);
30615 error = PTR_ERR(file);
30616 @@ -187,18 +199,10 @@ struct page *get_arg_page(struct linux_b
30622 -#ifdef CONFIG_STACK_GROWSUP
30624 - ret = expand_stack_downwards(bprm->vma, pos);
30629 - ret = get_user_pages(current, bprm->mm, pos,
30630 - 1, write, 1, &page, NULL);
30632 + if (0 > expand_stack_downwards(bprm->vma, pos))
30634 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
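Review bot: The two new guards use reversed comparisons, `if (0 > expand_stack_downwards(bprm->vma, pos))` and `if (0 >= get_user_pages(...))`; kernel style puts the call first, `if (expand_stack_downwards(bprm->vma, pos) < 0)` and `if (get_user_pages(...) <= 0)`. The removed lines show expand_stack_downwards was previously reached only under CONFIG_STACK_GROWSUP, and the hunk omits the lines in between so it is not visible whether it was also gated on `write`; the new code calls it on every lookup, and a short comment saying why that is safe for read-only lookups would spare the next reader the archaeology. get_arg_page begins and ends outside the hunk.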
30638 @@ -273,6 +277,11 @@ static int __bprm_mm_init(struct linux_b
30639 vma->vm_end = STACK_TOP_MAX;
30640 vma->vm_start = vma->vm_end - PAGE_SIZE;
30641 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30643 +#ifdef CONFIG_PAX_SEGMEXEC
30644 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30647 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30648 INIT_LIST_HEAD(&vma->anon_vma_chain);
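Review bot: Under CONFIG_PAX_SEGMEXEC the initial stack VMA loses VM_EXEC|VM_MAYEXEC unconditionally, while the setup_arg_pages hunk later in this file gates the same clearing on `mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)`; a why-comment on the unconditional form, `/* temporary setup VMA; setup_arg_pages recomputes vm_flags from the per-process PaX flags */`, would explain why the runtime flags are not consulted here. If the reason is that the flags are not yet known at this point, that is the fact to record. __bprm_mm_init begins and ends outside the hunk.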
30650 @@ -287,6 +296,12 @@ static int __bprm_mm_init(struct linux_b
30651 mm->stack_vm = mm->total_vm = 1;
30652 up_write(&mm->mmap_sem);
30653 bprm->p = vma->vm_end - sizeof(void *);
30655 +#ifdef CONFIG_PAX_RANDUSTACK
30656 + if (randomize_va_space)
30657 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30662 up_write(&mm->mmap_sem);
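Review bot: `bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;` keeps p inside the top stack page only because the mask strips the page bits, and keeps p's original alignment only because the mask also strips the low four bits; neither invariant is obvious from the expression and both deserve a comment, `/* mask drops page bits (p stays in the top page) and the low four bits (p keeps its alignment) */`. The same comment should mention that the randomisation is gated on randomize_va_space, so readers do not assume it is unconditional. __bprm_mm_init continues outside the hunk.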
30663 @@ -522,7 +537,7 @@ int copy_strings_kernel(int argc, const
30665 mm_segment_t oldfs = get_fs();
30667 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
30668 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
30672 @@ -552,7 +567,8 @@ static int shift_arg_pages(struct vm_are
30673 unsigned long new_end = old_end - shift;
30674 struct mmu_gather *tlb;
30676 - BUG_ON(new_start > new_end);
30677 + if (new_start >= new_end || new_start < mmap_min_addr)
30681 * ensure there are no vmas between where we want to go
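Review bot: The BUG_ON is replaced by a range test whose failure branch is not shown; the condition absorbs the mmap_min_addr test that the later setup_arg_pages hunk removes, so a comment recording that move, `/* moved from setup_arg_pages: reject a shifted stack that would start below mmap_min_addr or be empty */`, keeps the two hunks readable together. Note that `new_start >= new_end` also rejects an empty range that `BUG_ON(new_start > new_end)` accepted; that is presumably intended, since the visible call site only enters shift_arg_pages when `stack_shift` is non-zero, but it belongs in the same comment. shift_arg_pages continues outside the hunk.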
30682 @@ -561,6 +577,10 @@ static int shift_arg_pages(struct vm_are
30683 if (vma != find_vma(mm, new_start))
30686 +#ifdef CONFIG_PAX_SEGMEXEC
30687 + BUG_ON(pax_find_mirror_vma(vma));
30691 * cover the whole range: [new_start, old_end)
30693 @@ -641,10 +661,6 @@ int setup_arg_pages(struct linux_binprm
30694 stack_top = arch_align_stack(stack_top);
30695 stack_top = PAGE_ALIGN(stack_top);
30697 - if (unlikely(stack_top < mmap_min_addr) ||
30698 - unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
30701 stack_shift = vma->vm_end - stack_top;
30703 bprm->p -= stack_shift;
30704 @@ -656,8 +672,28 @@ int setup_arg_pages(struct linux_binprm
30705 bprm->exec -= stack_shift;
30707 down_write(&mm->mmap_sem);
30709 + /* Move stack pages down in memory. */
30710 + if (stack_shift) {
30711 + ret = shift_arg_pages(vma, stack_shift);
30716 vm_flags = VM_STACK_FLAGS;
30718 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30719 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30720 + vm_flags &= ~VM_EXEC;
30722 +#ifdef CONFIG_PAX_MPROTECT
30723 + if (mm->pax_flags & MF_PAX_MPROTECT)
30724 + vm_flags &= ~VM_MAYEXEC;
30731 * Adjust stack execute permissions; explicitly enable for
30732 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30733 @@ -676,13 +712,6 @@ int setup_arg_pages(struct linux_binprm
30735 BUG_ON(prev != vma);
30737 - /* Move stack pages down in memory. */
30738 - if (stack_shift) {
30739 - ret = shift_arg_pages(vma, stack_shift);
30744 /* mprotect_fixup is overkill to remove the temporary stack flags */
30745 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
30747 @@ -723,7 +752,7 @@ struct file *open_exec(const char *name)
30750 file = do_filp_open(AT_FDCWD, name,
30751 - O_LARGEFILE | O_RDONLY | __FMODE_EXEC, 0,
30752 + O_LARGEFILE | O_RDONLY | __FMODE_EXEC | FMODE_GREXEC, 0,
30753 MAY_EXEC | MAY_OPEN);
30756 @@ -760,7 +789,7 @@ int kernel_read(struct file *file, loff_
30759 /* The cast to a user pointer is valid due to the set_fs() */
30760 - result = vfs_read(file, (void __user *)addr, count, &pos);
30761 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
30765 @@ -1182,7 +1211,7 @@ int check_unsafe_exec(struct linux_binpr
30769 - if (p->fs->users > n_fs) {
30770 + if (atomic_read(&p->fs->users) > n_fs) {
30771 bprm->unsafe |= LSM_UNSAFE_SHARE;
30774 @@ -1378,6 +1407,11 @@ int do_execve(const char * filename,
30775 const char __user *const __user *envp,
30776 struct pt_regs * regs)
30778 +#ifdef CONFIG_GRKERNSEC
30779 + struct file *old_exec_file;
30780 + struct acl_subject_label *old_acl;
30781 + struct rlimit old_rlim[RLIM_NLIMITS];
30783 struct linux_binprm *bprm;
30785 struct files_struct *displaced;
30786 @@ -1414,6 +1448,18 @@ int do_execve(const char * filename,
30787 bprm->filename = filename;
30788 bprm->interp = filename;
30790 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30792 + if (gr_handle_nproc()) {
30793 + retval = -EAGAIN;
30797 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
30798 + retval = -EACCES;
30802 retval = bprm_mm_init(bprm);
30805 @@ -1443,9 +1489,40 @@ int do_execve(const char * filename,
30809 + if (!gr_tpe_allow(file)) {
30810 + retval = -EACCES;
30814 + if (gr_check_crash_exec(file)) {
30815 + retval = -EACCES;
30819 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30821 + gr_handle_exec_args(bprm, argv);
30823 +#ifdef CONFIG_GRKERNSEC
30824 + old_acl = current->acl;
30825 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30826 + old_exec_file = current->exec_file;
30828 + current->exec_file = file;
30831 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30832 + bprm->unsafe & LSM_UNSAFE_SHARE);
30836 retval = search_binary_handler(bprm,regs);
30840 +#ifdef CONFIG_GRKERNSEC
30841 + if (old_exec_file)
30842 + fput(old_exec_file);
30845 /* execve succeeded */
30846 current->fs->in_exec = 0;
30847 @@ -1456,6 +1533,14 @@ int do_execve(const char * filename,
30848 put_files_struct(displaced);
30852 +#ifdef CONFIG_GRKERNSEC
30853 + current->acl = old_acl;
30854 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30855 + fput(current->exec_file);
30856 + current->exec_file = old_exec_file;
30861 acct_arg_size(bprm, 0);
30862 @@ -1642,6 +1727,217 @@ out:
30866 +int pax_check_flags(unsigned long *flags)
30870 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
30871 + if (*flags & MF_PAX_SEGMEXEC)
30873 + *flags &= ~MF_PAX_SEGMEXEC;
30874 + retval = -EINVAL;
30878 + if ((*flags & MF_PAX_PAGEEXEC)
30880 +#ifdef CONFIG_PAX_PAGEEXEC
30881 + && (*flags & MF_PAX_SEGMEXEC)
30886 + *flags &= ~MF_PAX_PAGEEXEC;
30887 + retval = -EINVAL;
30890 + if ((*flags & MF_PAX_MPROTECT)
30892 +#ifdef CONFIG_PAX_MPROTECT
30893 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30898 + *flags &= ~MF_PAX_MPROTECT;
30899 + retval = -EINVAL;
30902 + if ((*flags & MF_PAX_EMUTRAMP)
30904 +#ifdef CONFIG_PAX_EMUTRAMP
30905 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
30910 + *flags &= ~MF_PAX_EMUTRAMP;
30911 + retval = -EINVAL;
30917 +EXPORT_SYMBOL(pax_check_flags);
30919 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30920 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
30922 + struct task_struct *tsk = current;
30923 + struct mm_struct *mm = current->mm;
30924 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
30925 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
30926 + char *path_exec = NULL;
30927 + char *path_fault = NULL;
30928 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
30930 + if (buffer_exec && buffer_fault) {
30931 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
30933 + down_read(&mm->mmap_sem);
30935 + while (vma && (!vma_exec || !vma_fault)) {
30936 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
30938 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
30940 + vma = vma->vm_next;
30943 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
30944 + if (IS_ERR(path_exec))
30945 + path_exec = "<path too long>";
30947 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
30950 + path_exec = buffer_exec;
30952 + path_exec = "<path too long>";
30956 + start = vma_fault->vm_start;
30957 + end = vma_fault->vm_end;
30958 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
30959 + if (vma_fault->vm_file) {
30960 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
30961 + if (IS_ERR(path_fault))
30962 + path_fault = "<path too long>";
30964 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
30965 + if (path_fault) {
30967 + path_fault = buffer_fault;
30969 + path_fault = "<path too long>";
30972 + path_fault = "<anonymous mapping>";
30974 + up_read(&mm->mmap_sem);
30976 + if (tsk->signal->curr_ip)
30977 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
30979 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
30980 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
30981 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
30982 + task_uid(tsk), task_euid(tsk), pc, sp);
30983 + free_page((unsigned long)buffer_exec);
30984 + free_page((unsigned long)buffer_fault);
30985 + pax_report_insns(pc, sp);
30986 + do_coredump(SIGKILL, SIGKILL, regs);
30990 +#ifdef CONFIG_PAX_REFCOUNT
30991 +void pax_report_refcount_overflow(struct pt_regs *regs)
30993 + if (current->signal->curr_ip)
30994 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30995 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
30997 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
30998 + current->comm, task_pid_nr(current), current_uid(), current_euid());
30999 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
31001 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
31005 +#ifdef CONFIG_PAX_USERCOPY
31006 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
31007 +int object_is_on_stack(const void *obj, unsigned long len)
31009 + const void * const stack = task_stack_page(current);
31010 + const void * const stackend = stack + THREAD_SIZE;
31012 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31013 + const void *frame = NULL;
31014 + const void *oldframe;
31017 + if (obj + len < obj)
31020 + if (obj + len <= stack || stackend <= obj)
31023 + if (obj < stack || stackend < obj + len)
31026 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31027 + oldframe = __builtin_frame_address(1);
31029 + frame = __builtin_frame_address(2);
31031 + low ----------------------------------------------> high
31032 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31033 + ^----------------^
31034 + allow copies only within here
31036 + while (stack <= frame && frame < stackend) {
31037 + /* if obj + len extends past the last frame, this
31038 + check won't pass and the next frame will be 0,
31039 + causing us to bail out and correctly report
31040 + the copy as invalid
31042 + if (obj + len <= frame)
31043 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31044 + oldframe = frame;
31045 + frame = *(const void * const *)frame;
31054 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
31056 + if (current->signal->curr_ip)
31057 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
31058 + ¤t->signal->curr_ip, ptr, len);
31060 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
31062 + do_group_exit(SIGKILL);
31065 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
31067 + if (current->signal->curr_ip)
31068 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
31069 + ¤t->signal->curr_ip, ptr, len);
31071 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
31073 + do_group_exit(SIGKILL);
31077 static int zap_process(struct task_struct *start, int exit_code)
31079 struct task_struct *t;
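Review bot: In object_is_on_stack the overflow guard `if (obj + len < obj)` relies on wrapped pointer arithmetic, which is undefined in C and a test the compiler may fold to false unless the build disables that optimisation; comparing in the integer domain, `if ((unsigned long)obj + len < (unsigned long)obj)`, keeps a bounds check that protects user copies robust regardless of compiler flags (the return on the following line is not shown). In pax_report_fault, `path_exec` and `path_fault` are `char *` yet are assigned string literals; declaring them `const char *`, with any write into the page done through `buffer_exec`/`buffer_fault` or a separate `char *` cursor, would make them const-correct. Separately, the log text `PAX: refcount overflow occured at:` misspells "occurred". The new functions are complete within the hunk; zap_process at its end continues outside it.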
31080 @@ -1852,17 +2148,17 @@ static void wait_for_dump_helpers(struct
31081 pipe = file->f_path.dentry->d_inode->i_pipe;
31086 + atomic_inc(&pipe->readers);
31087 + atomic_dec(&pipe->writers);
31089 - while ((pipe->readers > 1) && (!signal_pending(current))) {
31090 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
31091 wake_up_interruptible_sync(&pipe->wait);
31092 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
31098 + atomic_dec(&pipe->readers);
31099 + atomic_inc(&pipe->writers);
31103 @@ -1978,6 +2274,10 @@ void do_coredump(long signr, int exit_co
31104 goto fail_corename;
31107 + if (signr == SIGSEGV || signr == SIGBUS || signr == SIGKILL || signr == SIGILL)
31108 + gr_handle_brute_attach(current);
31109 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
31113 char **helper_argv;
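Review bot: The signal list that triggers gr_handle_brute_attach includes SIGKILL, which is unusual for a crash detector and only makes sense because pax_report_fault earlier in this file ends with `do_coredump(SIGKILL, SIGKILL, regs)`; a comment should state that link, `/* SIGKILL is included because pax_report_fault reaches do_coredump with it */`. Without it a later cleanup is likely to drop SIGKILL as a typo. do_coredump begins and ends outside the hunk.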
31114 diff -urNp linux-2.6.38.1/fs/ext2/balloc.c linux-2.6.38.1-new/fs/ext2/balloc.c
31115 --- linux-2.6.38.1/fs/ext2/balloc.c 2011-03-14 21:20:32.000000000 -0400
31116 +++ linux-2.6.38.1-new/fs/ext2/balloc.c 2011-03-21 18:31:35.000000000 -0400
31117 @@ -1192,7 +1192,7 @@ static int ext2_has_free_blocks(struct e
31119 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31120 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31121 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31122 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31123 sbi->s_resuid != current_fsuid() &&
31124 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31126 diff -urNp linux-2.6.38.1/fs/ext2/xattr.c linux-2.6.38.1-new/fs/ext2/xattr.c
31127 --- linux-2.6.38.1/fs/ext2/xattr.c 2011-03-14 21:20:32.000000000 -0400
31128 +++ linux-2.6.38.1-new/fs/ext2/xattr.c 2011-03-21 18:31:35.000000000 -0400
31133 -# define ea_idebug(f...)
31134 -# define ea_bdebug(f...)
31135 +# define ea_idebug(inode, f...) do {} while (0)
31136 +# define ea_bdebug(bh, f...) do {} while (0)
31139 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
31140 diff -urNp linux-2.6.38.1/fs/ext3/balloc.c linux-2.6.38.1-new/fs/ext3/balloc.c
31141 --- linux-2.6.38.1/fs/ext3/balloc.c 2011-03-14 21:20:32.000000000 -0400
31142 +++ linux-2.6.38.1-new/fs/ext3/balloc.c 2011-03-21 18:31:35.000000000 -0400
31143 @@ -1441,7 +1441,7 @@ static int ext3_has_free_blocks(struct e
31145 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31146 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31147 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31148 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31149 sbi->s_resuid != current_fsuid() &&
31150 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31152 diff -urNp linux-2.6.38.1/fs/ext3/namei.c linux-2.6.38.1-new/fs/ext3/namei.c
31153 --- linux-2.6.38.1/fs/ext3/namei.c 2011-03-23 17:20:08.000000000 -0400
31154 +++ linux-2.6.38.1-new/fs/ext3/namei.c 2011-03-23 17:21:51.000000000 -0400
31155 @@ -1159,7 +1159,7 @@ static struct ext3_dir_entry_2 *do_split
31156 char *data1 = (*bh)->b_data, *data2;
31157 unsigned split, move, size;
31158 struct ext3_dir_entry_2 *de = NULL, *de2;
31162 bh2 = ext3_append (handle, dir, &newblock, &err);
31164 diff -urNp linux-2.6.38.1/fs/ext3/xattr.c linux-2.6.38.1-new/fs/ext3/xattr.c
31165 --- linux-2.6.38.1/fs/ext3/xattr.c 2011-03-14 21:20:32.000000000 -0400
31166 +++ linux-2.6.38.1-new/fs/ext3/xattr.c 2011-03-21 18:31:35.000000000 -0400
31171 -# define ea_idebug(f...)
31172 -# define ea_bdebug(f...)
31173 +# define ea_idebug(f...) do {} while (0)
31174 +# define ea_bdebug(f...) do {} while (0)
31177 static void ext3_xattr_cache_insert(struct buffer_head *);
31178 diff -urNp linux-2.6.38.1/fs/ext4/balloc.c linux-2.6.38.1-new/fs/ext4/balloc.c
31179 --- linux-2.6.38.1/fs/ext4/balloc.c 2011-03-14 21:20:32.000000000 -0400
31180 +++ linux-2.6.38.1-new/fs/ext4/balloc.c 2011-03-21 18:31:35.000000000 -0400
31181 @@ -519,7 +519,7 @@ static int ext4_has_free_blocks(struct e
31182 /* Hm, nope. Are (enough) root reserved blocks available? */
31183 if (sbi->s_resuid == current_fsuid() ||
31184 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
31185 - capable(CAP_SYS_RESOURCE)) {
31186 + capable_nolog(CAP_SYS_RESOURCE)) {
31187 if (free_blocks >= (nblocks + dirty_blocks))
31190 diff -urNp linux-2.6.38.1/fs/ext4/ext4.h linux-2.6.38.1-new/fs/ext4/ext4.h
31191 --- linux-2.6.38.1/fs/ext4/ext4.h 2011-03-14 21:20:32.000000000 -0400
31192 +++ linux-2.6.38.1-new/fs/ext4/ext4.h 2011-03-21 18:31:35.000000000 -0400
31193 @@ -1166,19 +1166,19 @@ struct ext4_sb_info {
31194 unsigned long s_mb_last_start;
31196 /* stats for buddy allocator */
31197 - atomic_t s_bal_reqs; /* number of reqs with len > 1 */
31198 - atomic_t s_bal_success; /* we found long enough chunks */
31199 - atomic_t s_bal_allocated; /* in blocks */
31200 - atomic_t s_bal_ex_scanned; /* total extents scanned */
31201 - atomic_t s_bal_goals; /* goal hits */
31202 - atomic_t s_bal_breaks; /* too long searches */
31203 - atomic_t s_bal_2orders; /* 2^order hits */
31204 + atomic_unchecked_t s_bal_reqs; /* number of reqs with len > 1 */
31205 + atomic_unchecked_t s_bal_success; /* we found long enough chunks */
31206 + atomic_unchecked_t s_bal_allocated; /* in blocks */
31207 + atomic_unchecked_t s_bal_ex_scanned; /* total extents scanned */
31208 + atomic_unchecked_t s_bal_goals; /* goal hits */
31209 + atomic_unchecked_t s_bal_breaks; /* too long searches */
31210 + atomic_unchecked_t s_bal_2orders; /* 2^order hits */
31211 spinlock_t s_bal_lock;
31212 unsigned long s_mb_buddies_generated;
31213 unsigned long long s_mb_generation_time;
31214 - atomic_t s_mb_lost_chunks;
31215 - atomic_t s_mb_preallocated;
31216 - atomic_t s_mb_discarded;
31217 + atomic_unchecked_t s_mb_lost_chunks;
31218 + atomic_unchecked_t s_mb_preallocated;
31219 + atomic_unchecked_t s_mb_discarded;
31220 atomic_t s_lock_busy;
31222 /* locality groups */
31223 diff -urNp linux-2.6.38.1/fs/ext4/mballoc.c linux-2.6.38.1-new/fs/ext4/mballoc.c
31224 --- linux-2.6.38.1/fs/ext4/mballoc.c 2011-03-14 21:20:32.000000000 -0400
31225 +++ linux-2.6.38.1-new/fs/ext4/mballoc.c 2011-03-21 18:31:35.000000000 -0400
31226 @@ -1846,7 +1846,7 @@ void ext4_mb_simple_scan_group(struct ex
31227 BUG_ON(ac->ac_b_ex.fe_len != ac->ac_g_ex.fe_len);
31229 if (EXT4_SB(sb)->s_mb_stats)
31230 - atomic_inc(&EXT4_SB(sb)->s_bal_2orders);
31231 + atomic_inc_unchecked(&EXT4_SB(sb)->s_bal_2orders);
31235 @@ -2140,7 +2140,7 @@ repeat:
31236 ac->ac_status = AC_STATUS_CONTINUE;
31237 ac->ac_flags |= EXT4_MB_HINT_FIRST;
31239 - atomic_inc(&sbi->s_mb_lost_chunks);
31240 + atomic_inc_unchecked(&sbi->s_mb_lost_chunks);
31244 @@ -2606,25 +2606,25 @@ int ext4_mb_release(struct super_block *
31245 if (sbi->s_mb_stats) {
31247 "EXT4-fs: mballoc: %u blocks %u reqs (%u success)\n",
31248 - atomic_read(&sbi->s_bal_allocated),
31249 - atomic_read(&sbi->s_bal_reqs),
31250 - atomic_read(&sbi->s_bal_success));
31251 + atomic_read_unchecked(&sbi->s_bal_allocated),
31252 + atomic_read_unchecked(&sbi->s_bal_reqs),
31253 + atomic_read_unchecked(&sbi->s_bal_success));
31255 "EXT4-fs: mballoc: %u extents scanned, %u goal hits, "
31256 "%u 2^N hits, %u breaks, %u lost\n",
31257 - atomic_read(&sbi->s_bal_ex_scanned),
31258 - atomic_read(&sbi->s_bal_goals),
31259 - atomic_read(&sbi->s_bal_2orders),
31260 - atomic_read(&sbi->s_bal_breaks),
31261 - atomic_read(&sbi->s_mb_lost_chunks));
31262 + atomic_read_unchecked(&sbi->s_bal_ex_scanned),
31263 + atomic_read_unchecked(&sbi->s_bal_goals),
31264 + atomic_read_unchecked(&sbi->s_bal_2orders),
31265 + atomic_read_unchecked(&sbi->s_bal_breaks),
31266 + atomic_read_unchecked(&sbi->s_mb_lost_chunks));
31268 "EXT4-fs: mballoc: %lu generated and it took %Lu\n",
31269 sbi->s_mb_buddies_generated++,
31270 sbi->s_mb_generation_time);
31272 "EXT4-fs: mballoc: %u preallocated, %u discarded\n",
31273 - atomic_read(&sbi->s_mb_preallocated),
31274 - atomic_read(&sbi->s_mb_discarded));
31275 + atomic_read_unchecked(&sbi->s_mb_preallocated),
31276 + atomic_read_unchecked(&sbi->s_mb_discarded));
31279 free_percpu(sbi->s_locality_groups);
31280 @@ -3100,16 +3100,16 @@ static void ext4_mb_collect_stats(struct
31281 struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
31283 if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
31284 - atomic_inc(&sbi->s_bal_reqs);
31285 - atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31286 + atomic_inc_unchecked(&sbi->s_bal_reqs);
31287 + atomic_add_unchecked(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
31288 if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
31289 - atomic_inc(&sbi->s_bal_success);
31290 - atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
31291 + atomic_inc_unchecked(&sbi->s_bal_success);
31292 + atomic_add_unchecked(ac->ac_found, &sbi->s_bal_ex_scanned);
31293 if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
31294 ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
31295 - atomic_inc(&sbi->s_bal_goals);
31296 + atomic_inc_unchecked(&sbi->s_bal_goals);
31297 if (ac->ac_found > sbi->s_mb_max_to_scan)
31298 - atomic_inc(&sbi->s_bal_breaks);
31299 + atomic_inc_unchecked(&sbi->s_bal_breaks);
31302 if (ac->ac_op == EXT4_MB_HISTORY_ALLOC)
31303 @@ -3507,7 +3507,7 @@ ext4_mb_new_inode_pa(struct ext4_allocat
31304 trace_ext4_mb_new_inode_pa(ac, pa);
31306 ext4_mb_use_inode_pa(ac, pa);
31307 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31308 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31310 ei = EXT4_I(ac->ac_inode);
31311 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31312 @@ -3567,7 +3567,7 @@ ext4_mb_new_group_pa(struct ext4_allocat
31313 trace_ext4_mb_new_group_pa(ac, pa);
31315 ext4_mb_use_group_pa(ac, pa);
31316 - atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31317 + atomic_add_unchecked(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
31319 grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
31321 @@ -3654,7 +3654,7 @@ ext4_mb_release_inode_pa(struct ext4_bud
31322 * from the bitmap and continue.
31325 - atomic_add(free, &sbi->s_mb_discarded);
31326 + atomic_add_unchecked(free, &sbi->s_mb_discarded);
31330 @@ -3672,7 +3672,7 @@ ext4_mb_release_group_pa(struct ext4_bud
31331 ext4_get_group_no_and_offset(sb, pa->pa_pstart, &group, &bit);
31332 BUG_ON(group != e4b->bd_group && pa->pa_len != 0);
31333 mb_free_blocks(pa->pa_inode, e4b, bit, pa->pa_len);
31334 - atomic_add(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31335 + atomic_add_unchecked(pa->pa_len, &EXT4_SB(sb)->s_mb_discarded);
31336 trace_ext4_mballoc_discard(sb, NULL, group, bit, pa->pa_len);
31339 diff -urNp linux-2.6.38.1/fs/ext4/namei.c linux-2.6.38.1-new/fs/ext4/namei.c
31340 --- linux-2.6.38.1/fs/ext4/namei.c 2011-03-14 21:20:32.000000000 -0400
31341 +++ linux-2.6.38.1-new/fs/ext4/namei.c 2011-03-21 18:31:35.000000000 -0400
31342 @@ -1161,7 +1161,7 @@ static struct ext4_dir_entry_2 *do_split
31343 char *data1 = (*bh)->b_data, *data2;
31344 unsigned split, move, size;
31345 struct ext4_dir_entry_2 *de = NULL, *de2;
31349 bh2 = ext4_append (handle, dir, &newblock, &err);
31351 diff -urNp linux-2.6.38.1/fs/ext4/xattr.c linux-2.6.38.1-new/fs/ext4/xattr.c
31352 --- linux-2.6.38.1/fs/ext4/xattr.c 2011-03-14 21:20:32.000000000 -0400
31353 +++ linux-2.6.38.1-new/fs/ext4/xattr.c 2011-03-21 18:31:35.000000000 -0400
31358 -# define ea_idebug(f...)
31359 -# define ea_bdebug(f...)
31360 +# define ea_idebug(inode, f...) do {} while (0)
31361 +# define ea_bdebug(bh, f...) do {} while (0)
31364 static void ext4_xattr_cache_insert(struct buffer_head *);
31365 diff -urNp linux-2.6.38.1/fs/fcntl.c linux-2.6.38.1-new/fs/fcntl.c
31366 --- linux-2.6.38.1/fs/fcntl.c 2011-03-14 21:20:32.000000000 -0400
31367 +++ linux-2.6.38.1-new/fs/fcntl.c 2011-03-21 18:31:35.000000000 -0400
31368 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
31372 + if (gr_handle_chroot_fowner(pid, type))
31374 + if (gr_check_protected_task_fowner(pid, type))
31377 f_modown(filp, pid, type, force);
31380 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
31383 case F_DUPFD_CLOEXEC:
31384 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
31385 if (arg >= rlimit(RLIMIT_NOFILE))
31387 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
31388 @@ -808,14 +814,14 @@ static int __init fcntl_init(void)
31389 * Exceptions: O_NONBLOCK is a two bit define on parisc; O_NDELAY
31390 * is defined as O_NONBLOCK on some platforms and not on others.
31392 - BUILD_BUG_ON(18 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31393 + BUILD_BUG_ON(19 - 1 /* for O_RDONLY being 0 */ != HWEIGHT32(
31394 O_RDONLY | O_WRONLY | O_RDWR |
31395 O_CREAT | O_EXCL | O_NOCTTY |
31396 O_TRUNC | O_APPEND | /* O_NONBLOCK | */
31397 __O_SYNC | O_DSYNC | FASYNC |
31398 O_DIRECT | O_LARGEFILE | O_DIRECTORY |
31399 O_NOFOLLOW | O_NOATIME | O_CLOEXEC |
31401 + __FMODE_EXEC | FMODE_GREXEC
31404 fasync_cache = kmem_cache_create("fasync_cache",
31405 diff -urNp linux-2.6.38.1/fs/fifo.c linux-2.6.38.1-new/fs/fifo.c
31406 --- linux-2.6.38.1/fs/fifo.c 2011-03-14 21:20:32.000000000 -0400
31407 +++ linux-2.6.38.1-new/fs/fifo.c 2011-03-21 18:31:35.000000000 -0400
31408 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
31410 filp->f_op = &read_pipefifo_fops;
31412 - if (pipe->readers++ == 0)
31413 + if (atomic_inc_return(&pipe->readers) == 1)
31414 wake_up_partner(inode);
31416 - if (!pipe->writers) {
31417 + if (!atomic_read(&pipe->writers)) {
31418 if ((filp->f_flags & O_NONBLOCK)) {
31419 /* suppress POLLHUP until we have
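Review bot: `atomic_inc_return(&pipe->readers) == 1` preserves the old `readers++ == 0` test, but the hunk gives no hint why readers/writers become atomic; the compound test in the rdwr branch (`atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1`, hunk at @@ -106) is still two separate reads, so these conversions only hold together if fifo_open remains serialized on the inode mutex as before (presumably it does; not visible here). A short comment at the first conversion, e.g. `/* readers/writers are atomic_t now; the inode mutex still serializes open/close here */`, would make that explicit. fifo_open starts and ends outside the hunk.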
31421 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
31422 * errno=ENXIO when there is no process reading the FIFO.
31425 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
31426 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
31429 filp->f_op = &write_pipefifo_fops;
31431 - if (!pipe->writers++)
31432 + if (atomic_inc_return(&pipe->writers) == 1)
31433 wake_up_partner(inode);
31435 - if (!pipe->readers) {
31436 + if (!atomic_read(&pipe->readers)) {
31437 wait_for_partner(inode, &pipe->r_counter);
31438 if (signal_pending(current))
31440 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
31442 filp->f_op = &rdwr_pipefifo_fops;
31446 + atomic_inc(&pipe->readers);
31447 + atomic_inc(&pipe->writers);
31450 - if (pipe->readers == 1 || pipe->writers == 1)
31451 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
31452 wake_up_partner(inode);
31455 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
31459 - if (!--pipe->readers)
31460 + if (atomic_dec_and_test(&pipe->readers))
31461 wake_up_interruptible(&pipe->wait);
31462 ret = -ERESTARTSYS;
31466 - if (!--pipe->writers)
31467 + if (atomic_dec_and_test(&pipe->writers))
31468 wake_up_interruptible(&pipe->wait);
31469 ret = -ERESTARTSYS;
31473 - if (!pipe->readers && !pipe->writers)
31474 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
31475 free_pipe_info(inode);
31478 diff -urNp linux-2.6.38.1/fs/file.c linux-2.6.38.1-new/fs/file.c
31479 --- linux-2.6.38.1/fs/file.c 2011-03-14 21:20:32.000000000 -0400
31480 +++ linux-2.6.38.1-new/fs/file.c 2011-03-21 18:31:35.000000000 -0400
31482 #include <linux/slab.h>
31483 #include <linux/vmalloc.h>
31484 #include <linux/file.h>
31485 +#include <linux/security.h>
31486 #include <linux/fdtable.h>
31487 #include <linux/bitops.h>
31488 #include <linux/interrupt.h>
31489 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
31490 * N.B. For clone tasks sharing a files structure, this test
31491 * will limit the total number of files that can be opened.
31493 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
31494 if (nr >= rlimit(RLIMIT_NOFILE))
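Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, nr, 0)` relies on the prototype coming in through the new `#include <linux/security.h>` above, while fs/fs_struct.c in this same patch pulls the gr_* hooks in via `#include <linux/grsecurity.h>`; unless security.h already includes the grsecurity header, the two files should use the same include so the declaration is visible regardless of configuration. The hook sits directly before the rlimit comparison, so it observes `nr` exactly as the limit check does, which matches the insertion in do_fcntl's F_DUPFD case. expand_files continues outside the hunk.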
31497 diff -urNp linux-2.6.38.1/fs/fs_struct.c linux-2.6.38.1-new/fs/fs_struct.c
31498 --- linux-2.6.38.1/fs/fs_struct.c 2011-03-14 21:20:32.000000000 -0400
31499 +++ linux-2.6.38.1-new/fs/fs_struct.c 2011-03-21 18:31:35.000000000 -0400
31501 #include <linux/slab.h>
31502 #include <linux/fs_struct.h>
31503 #include <linux/vserver/global.h>
31504 +#include <linux/grsecurity.h>
31505 #include "internal.h"
31507 static inline void path_get_longterm(struct path *path)
31508 @@ -31,6 +32,7 @@ void set_fs_root(struct fs_struct *fs, s
31509 old_root = fs->root;
31511 path_get_longterm(path);
31512 + gr_set_chroot_entries(current, path);
31513 write_seqcount_end(&fs->seq);
31514 spin_unlock(&fs->lock);
31515 if (old_root.dentry)
31516 @@ -74,6 +76,7 @@ void chroot_fs_refs(struct path *old_roo
31517 && fs->root.mnt == old_root->mnt) {
31518 path_get_longterm(new_root);
31519 fs->root = *new_root;
31520 + gr_set_chroot_entries(p, new_root);
31523 if (fs->pwd.dentry == old_root->dentry
31524 @@ -109,7 +112,8 @@ void exit_fs(struct task_struct *tsk)
31525 spin_lock(&fs->lock);
31526 write_seqcount_begin(&fs->seq);
31528 - kill = !--fs->users;
31529 + gr_clear_chroot_entries(tsk);
31530 + kill = !atomic_dec_return(&fs->users);
31531 write_seqcount_end(&fs->seq);
31532 spin_unlock(&fs->lock);
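Review bot: `gr_clear_chroot_entries(tsk)` is inserted between `write_seqcount_begin(&fs->seq)` and `write_seqcount_end` while `fs->lock` is held, so the hook must not sleep or take a lock that orders after fs->lock, and nothing in the hunk documents that constraint. The sibling `gr_set_chroot_entries` insertions in set_fs_root and unshare_fs_struct sit in the same kind of critical section. A comment at this first site, e.g. `/* called under fs->lock inside the seqcount write section: must not sleep */`, would record the requirement. exit_fs continues outside the hunk.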
31534 @@ -123,7 +127,7 @@ struct fs_struct *copy_fs_struct(struct
31535 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31536 /* We don't need to lock fs - think why ;-) */
31539 + atomic_set(&fs->users, 1);
31541 spin_lock_init(&fs->lock);
31542 seqcount_init(&fs->seq);
31543 @@ -132,6 +136,9 @@ struct fs_struct *copy_fs_struct(struct
31544 spin_lock(&old->lock);
31545 fs->root = old->root;
31546 path_get_longterm(&fs->root);
31547 + /* instead of calling gr_set_chroot_entries here,
31548 + we call it from every caller of this function
31550 fs->pwd = old->pwd;
31551 path_get_longterm(&fs->pwd);
31552 spin_unlock(&old->lock);
31553 @@ -150,8 +157,9 @@ int unshare_fs_struct(void)
31555 task_lock(current);
31556 spin_lock(&fs->lock);
31557 - kill = !--fs->users;
31558 + kill = !atomic_dec_return(&fs->users);
31559 current->fs = new_fs;
31560 + gr_set_chroot_entries(current, &new_fs->root);
31561 spin_unlock(&fs->lock);
31562 task_unlock(current);
31564 @@ -170,7 +178,7 @@ EXPORT_SYMBOL(current_umask);
31566 /* to be mentioned only in INIT_TASK */
31567 struct fs_struct init_fs = {
31569 + .users = ATOMIC_INIT(1),
31570 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
31571 .seq = SEQCNT_ZERO,
31573 @@ -186,12 +194,13 @@ void daemonize_fs_struct(void)
31574 task_lock(current);
31576 spin_lock(&init_fs.lock);
31578 + atomic_inc(&init_fs.users);
31579 spin_unlock(&init_fs.lock);
31581 spin_lock(&fs->lock);
31582 current->fs = &init_fs;
31583 - kill = !--fs->users;
31584 + gr_set_chroot_entries(current, ¤t->fs->root);
31585 + kill = !atomic_dec_return(&fs->users);
31586 spin_unlock(&fs->lock);
31588 task_unlock(current);
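Review bot: `gr_set_chroot_entries(current, ¤t->fs->root);` as printed cannot compile; the `¤` is almost certainly a rendering artifact in which `&curr` of `&current` was decoded as the HTML entity for the currency sign, so the intended line is `gr_set_chroot_entries(current, &current->fs->root);`. Anyone reviewing from this copy should compare against the original patch text before judging the line. Since `current->fs` was just set to `&init_fs` two lines earlier, `&init_fs.root` would also read more directly. daemonize_fs_struct continues outside the hunk.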
31589 diff -urNp linux-2.6.38.1/fs/fuse/control.c linux-2.6.38.1-new/fs/fuse/control.c
31590 --- linux-2.6.38.1/fs/fuse/control.c 2011-03-14 21:20:32.000000000 -0400
31591 +++ linux-2.6.38.1-new/fs/fuse/control.c 2011-03-21 18:31:35.000000000 -0400
31592 @@ -298,7 +298,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31594 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31596 - struct tree_descr empty_descr = {""};
31597 + struct tree_descr empty_descr = {"", NULL, 0};
31598 struct fuse_conn *fc;
31601 diff -urNp linux-2.6.38.1/fs/fuse/cuse.c linux-2.6.38.1-new/fs/fuse/cuse.c
31602 --- linux-2.6.38.1/fs/fuse/cuse.c 2011-03-14 21:20:32.000000000 -0400
31603 +++ linux-2.6.38.1-new/fs/fuse/cuse.c 2011-03-21 18:31:35.000000000 -0400
31604 @@ -530,8 +530,18 @@ static int cuse_channel_release(struct i
31608 -static struct file_operations cuse_channel_fops; /* initialized during init */
31610 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31611 + .owner = THIS_MODULE,
31612 + .llseek = no_llseek,
31613 + .read = do_sync_read,
31614 + .aio_read = fuse_dev_read,
31615 + .write = do_sync_write,
31616 + .aio_write = fuse_dev_write,
31617 + .poll = fuse_dev_poll,
31618 + .open = cuse_channel_open,
31619 + .release = cuse_channel_release,
31620 + .fasync = fuse_dev_fasync,
31623 /**************************************************************************
31624 * Misc stuff and module initializatiion
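Review bot: `cuse_channel_fops` now spells out a fixed subset of fuse_dev_operations instead of copying it at init, so any member that fuse_dev_operations sets but this initializer omits is silently lost for CUSE channels; dev.c in this same patch defines fuse_dev_splice_read and fuse_dev_splice_write (hunks at @@ -1240 and @@ -1746), and if fuse_dev_operations wires those up, CUSE devices lose splice support with this change. The trailing comment `/* initialized during init */` is stale now that the initializer is static and const and should be replaced by `/* fuse_dev_operations plus CUSE open/release; keep in sync with dev.c */`. The second hunk (@@ -577) removes the runtime copy, so no remaining path would pick up members added to fuse_dev_operations later.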
31625 @@ -577,12 +587,6 @@ static int __init cuse_init(void)
31626 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31627 INIT_LIST_HEAD(&cuse_conntbl[i]);
31629 - /* inherit and extend fuse_dev_operations */
31630 - cuse_channel_fops = fuse_dev_operations;
31631 - cuse_channel_fops.owner = THIS_MODULE;
31632 - cuse_channel_fops.open = cuse_channel_open;
31633 - cuse_channel_fops.release = cuse_channel_release;
31635 cuse_class = class_create(THIS_MODULE, "cuse");
31636 if (IS_ERR(cuse_class))
31637 return PTR_ERR(cuse_class);
31638 diff -urNp linux-2.6.38.1/fs/fuse/dev.c linux-2.6.38.1-new/fs/fuse/dev.c
31639 --- linux-2.6.38.1/fs/fuse/dev.c 2011-03-14 21:20:32.000000000 -0400
31640 +++ linux-2.6.38.1-new/fs/fuse/dev.c 2011-03-21 18:31:35.000000000 -0400
31641 @@ -1183,7 +1183,7 @@ static ssize_t fuse_dev_do_read(struct f
31645 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31646 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31647 unsigned long nr_segs, loff_t pos)
31649 struct fuse_copy_state cs;
31650 @@ -1197,6 +1197,8 @@ static ssize_t fuse_dev_read(struct kioc
31651 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31654 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31656 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31657 struct pipe_buffer *buf)
31659 @@ -1240,7 +1242,7 @@ static ssize_t fuse_dev_splice_read(stru
31663 - if (!pipe->readers) {
31664 + if (!atomic_read(&pipe->readers)) {
31665 send_sig(SIGPIPE, current, 0);
31668 @@ -1733,7 +1735,7 @@ static ssize_t fuse_dev_do_write(struct
31672 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31673 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31674 unsigned long nr_segs, loff_t pos)
31676 struct fuse_copy_state cs;
31677 @@ -1746,6 +1748,8 @@ static ssize_t fuse_dev_write(struct kio
31678 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31681 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31683 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31684 struct file *out, loff_t *ppos,
31685 size_t len, unsigned int flags)
31686 @@ -1824,7 +1828,7 @@ out:
31690 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31691 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31693 unsigned mask = POLLOUT | POLLWRNORM;
31694 struct fuse_conn *fc = fuse_get_conn(file);
31695 @@ -1843,6 +1847,8 @@ static unsigned fuse_dev_poll(struct fil
31699 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31702 * Abort all requests on the given list (pending or processing)
31704 @@ -1962,7 +1968,7 @@ int fuse_dev_release(struct inode *inode
31706 EXPORT_SYMBOL_GPL(fuse_dev_release);
31708 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31709 +int fuse_dev_fasync(int fd, struct file *file, int on)
31711 struct fuse_conn *fc = fuse_get_conn(file);
31713 @@ -1972,6 +1978,8 @@ static int fuse_dev_fasync(int fd, struc
31714 return fasync_helper(fd, file, on, &fc->fasync);
31717 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31719 const struct file_operations fuse_dev_operations = {
31720 .owner = THIS_MODULE,
31721 .llseek = no_llseek,
31722 diff -urNp linux-2.6.38.1/fs/fuse/dir.c linux-2.6.38.1-new/fs/fuse/dir.c
31723 --- linux-2.6.38.1/fs/fuse/dir.c 2011-03-14 21:20:32.000000000 -0400
31724 +++ linux-2.6.38.1-new/fs/fuse/dir.c 2011-03-21 18:31:35.000000000 -0400
31725 @@ -1133,7 +1133,7 @@ static char *read_link(struct dentry *de
31729 -static void free_link(char *link)
31730 +static void free_link(const char *link)
31733 free_page((unsigned long) link);
31734 diff -urNp linux-2.6.38.1/fs/fuse/fuse_i.h linux-2.6.38.1-new/fs/fuse/fuse_i.h
31735 --- linux-2.6.38.1/fs/fuse/fuse_i.h 2011-03-14 21:20:32.000000000 -0400
31736 +++ linux-2.6.38.1-new/fs/fuse/fuse_i.h 2011-03-21 18:31:35.000000000 -0400
31737 @@ -541,6 +541,16 @@ extern const struct file_operations fuse
31739 extern const struct dentry_operations fuse_dentry_operations;
31741 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31742 + unsigned long nr_segs, loff_t pos);
31744 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31745 + unsigned long nr_segs, loff_t pos);
31747 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31749 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31752 * Inode to nodeid comparison.
31754 diff -urNp linux-2.6.38.1/fs/hfs/inode.c linux-2.6.38.1-new/fs/hfs/inode.c
31755 --- linux-2.6.38.1/fs/hfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31756 +++ linux-2.6.38.1-new/fs/hfs/inode.c 2011-03-21 18:31:35.000000000 -0400
31757 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
31759 if (S_ISDIR(main_inode->i_mode)) {
31760 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31763 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31764 sizeof(struct hfs_cat_dir));
31765 if (rec.type != HFS_CDR_DIR ||
31766 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
31767 sizeof(struct hfs_cat_file));
31769 if (fd.entrylength < sizeof(struct hfs_cat_file))
31772 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31773 sizeof(struct hfs_cat_file));
31774 if (rec.type != HFS_CDR_FIL ||
31775 diff -urNp linux-2.6.38.1/fs/hfsplus/inode.c linux-2.6.38.1-new/fs/hfsplus/inode.c
31776 --- linux-2.6.38.1/fs/hfsplus/inode.c 2011-03-14 21:20:32.000000000 -0400
31777 +++ linux-2.6.38.1-new/fs/hfsplus/inode.c 2011-03-21 18:31:35.000000000 -0400
31778 @@ -498,7 +498,7 @@ int hfsplus_cat_read_inode(struct inode
31779 struct hfsplus_cat_folder *folder = &entry.folder;
31781 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31784 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31785 sizeof(struct hfsplus_cat_folder));
31786 hfsplus_get_perms(inode, &folder->permissions, 1);
31787 @@ -515,7 +515,7 @@ int hfsplus_cat_read_inode(struct inode
31788 struct hfsplus_cat_file *file = &entry.file;
31790 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31793 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31794 sizeof(struct hfsplus_cat_file));
31796 @@ -572,7 +572,7 @@ int hfsplus_cat_write_inode(struct inode
31797 struct hfsplus_cat_folder *folder = &entry.folder;
31799 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31802 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31803 sizeof(struct hfsplus_cat_folder));
31804 /* simple node checks? */
31805 @@ -594,7 +594,7 @@ int hfsplus_cat_write_inode(struct inode
31806 struct hfsplus_cat_file *file = &entry.file;
31808 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31811 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31812 sizeof(struct hfsplus_cat_file));
31813 hfsplus_inode_write_fork(inode, &file->data_fork);
31814 diff -urNp linux-2.6.38.1/fs/hugetlbfs/inode.c linux-2.6.38.1-new/fs/hugetlbfs/inode.c
31815 --- linux-2.6.38.1/fs/hugetlbfs/inode.c 2011-03-14 21:20:32.000000000 -0400
31816 +++ linux-2.6.38.1-new/fs/hugetlbfs/inode.c 2011-03-21 18:31:35.000000000 -0400
31817 @@ -915,7 +915,7 @@ static struct file_system_type hugetlbfs
31818 .kill_sb = kill_litter_super,
31821 -static struct vfsmount *hugetlbfs_vfsmount;
31822 +struct vfsmount *hugetlbfs_vfsmount;
31824 static int can_do_hugetlb_shm(void)
31826 diff -urNp linux-2.6.38.1/fs/jffs2/debug.h linux-2.6.38.1-new/fs/jffs2/debug.h
31827 --- linux-2.6.38.1/fs/jffs2/debug.h 2011-03-14 21:20:32.000000000 -0400
31828 +++ linux-2.6.38.1-new/fs/jffs2/debug.h 2011-03-21 18:31:35.000000000 -0400
31829 @@ -53,13 +53,13 @@
31830 #if CONFIG_JFFS2_FS_DEBUG > 0
31834 +#define D1(x) do {} while (0);
31837 #if CONFIG_JFFS2_FS_DEBUG > 1
31841 +#define D2(x) do {} while (0);
31844 /* The prefixes of JFFS2 messages */
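Review bot: `#define D1(x) do {} while (0);` and `#define D2(x) do {} while (0);` carry a trailing semicolon, unlike every `dbg_*` macro in the next hunk (`do {} while (0)` without one); callers write `D1(...);`, so the expansion becomes `do {} while (0);;`, and any `if (cond) D1(...); else ...` stops compiling because the extra `;` terminates the if. The semicolon should be dropped: `#define D1(x) do {} while (0)` and `#define D2(x) do {} while (0)`.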
31845 @@ -115,73 +115,73 @@
31846 #ifdef JFFS2_DBG_READINODE_MESSAGES
31847 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31849 -#define dbg_readinode(fmt, ...)
31850 +#define dbg_readinode(fmt, ...) do {} while (0)
31852 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31853 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31855 -#define dbg_readinode2(fmt, ...)
31856 +#define dbg_readinode2(fmt, ...) do {} while (0)
31859 /* Fragtree build debugging messages */
31860 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31861 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31863 -#define dbg_fragtree(fmt, ...)
31864 +#define dbg_fragtree(fmt, ...) do {} while (0)
31866 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31867 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31869 -#define dbg_fragtree2(fmt, ...)
31870 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31873 /* Directory entry list manilulation debugging messages */
31874 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31875 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31877 -#define dbg_dentlist(fmt, ...)
31878 +#define dbg_dentlist(fmt, ...) do {} while (0)
31881 /* Print the messages about manipulating node_refs */
31882 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31883 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31885 -#define dbg_noderef(fmt, ...)
31886 +#define dbg_noderef(fmt, ...) do {} while (0)
31889 /* Manipulations with the list of inodes (JFFS2 inocache) */
31890 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
31891 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31893 -#define dbg_inocache(fmt, ...)
31894 +#define dbg_inocache(fmt, ...) do {} while (0)
31897 /* Summary debugging messages */
31898 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
31899 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31901 -#define dbg_summary(fmt, ...)
31902 +#define dbg_summary(fmt, ...) do {} while (0)
31905 /* File system build messages */
31906 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
31907 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31909 -#define dbg_fsbuild(fmt, ...)
31910 +#define dbg_fsbuild(fmt, ...) do {} while (0)
31913 /* Watch the object allocations */
31914 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
31915 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31917 -#define dbg_memalloc(fmt, ...)
31918 +#define dbg_memalloc(fmt, ...) do {} while (0)
31921 /* Watch the XATTR subsystem */
31922 #ifdef JFFS2_DBG_XATTR_MESSAGES
31923 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31925 -#define dbg_xattr(fmt, ...)
31926 +#define dbg_xattr(fmt, ...) do {} while (0)
31929 /* "Sanity" checks */
31930 diff -urNp linux-2.6.38.1/fs/jffs2/erase.c linux-2.6.38.1-new/fs/jffs2/erase.c
31931 --- linux-2.6.38.1/fs/jffs2/erase.c 2011-03-14 21:20:32.000000000 -0400
31932 +++ linux-2.6.38.1-new/fs/jffs2/erase.c 2011-03-21 18:31:35.000000000 -0400
31933 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
31934 struct jffs2_unknown_node marker = {
31935 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
31936 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31937 - .totlen = cpu_to_je32(c->cleanmarker_size)
31938 + .totlen = cpu_to_je32(c->cleanmarker_size),
31939 + .hdr_crc = cpu_to_je32(0)
31942 jffs2_prealloc_raw_node_refs(c, jeb, 1);
31943 diff -urNp linux-2.6.38.1/fs/jffs2/summary.h linux-2.6.38.1-new/fs/jffs2/summary.h
31944 --- linux-2.6.38.1/fs/jffs2/summary.h 2011-03-14 21:20:32.000000000 -0400
31945 +++ linux-2.6.38.1-new/fs/jffs2/summary.h 2011-03-21 18:31:35.000000000 -0400
31946 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
31948 #define jffs2_sum_active() (0)
31949 #define jffs2_sum_init(a) (0)
31950 -#define jffs2_sum_exit(a)
31951 -#define jffs2_sum_disable_collecting(a)
31952 +#define jffs2_sum_exit(a) do {} while (0)
31953 +#define jffs2_sum_disable_collecting(a) do {} while (0)
31954 #define jffs2_sum_is_disabled(a) (0)
31955 -#define jffs2_sum_reset_collected(a)
31956 +#define jffs2_sum_reset_collected(a) do {} while (0)
31957 #define jffs2_sum_add_kvec(a,b,c,d) (0)
31958 -#define jffs2_sum_move_collected(a,b)
31959 +#define jffs2_sum_move_collected(a,b) do {} while (0)
31960 #define jffs2_sum_write_sumnode(a) (0)
31961 -#define jffs2_sum_add_padding_mem(a,b)
31962 -#define jffs2_sum_add_inode_mem(a,b,c)
31963 -#define jffs2_sum_add_dirent_mem(a,b,c)
31964 -#define jffs2_sum_add_xattr_mem(a,b,c)
31965 -#define jffs2_sum_add_xref_mem(a,b,c)
31966 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
31967 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
31968 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
31969 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
31970 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
31971 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
31973 #endif /* CONFIG_JFFS2_SUMMARY */
31974 diff -urNp linux-2.6.38.1/fs/jffs2/wbuf.c linux-2.6.38.1-new/fs/jffs2/wbuf.c
31975 --- linux-2.6.38.1/fs/jffs2/wbuf.c 2011-03-14 21:20:32.000000000 -0400
31976 +++ linux-2.6.38.1-new/fs/jffs2/wbuf.c 2011-03-21 18:31:35.000000000 -0400
31977 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
31979 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
31980 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
31981 - .totlen = constant_cpu_to_je32(8)
31982 + .totlen = constant_cpu_to_je32(8),
31983 + .hdr_crc = constant_cpu_to_je32(0)
31987 diff -urNp linux-2.6.38.1/fs/Kconfig.binfmt linux-2.6.38.1-new/fs/Kconfig.binfmt
31988 --- linux-2.6.38.1/fs/Kconfig.binfmt 2011-03-14 21:20:32.000000000 -0400
31989 +++ linux-2.6.38.1-new/fs/Kconfig.binfmt 2011-03-21 18:31:35.000000000 -0400
31990 @@ -86,7 +86,7 @@ config HAVE_AOUT
31993 tristate "Kernel support for a.out and ECOFF binaries"
31994 - depends on HAVE_AOUT
31995 + depends on HAVE_AOUT && BROKEN
31997 A.out (Assembler.OUTput) is a set of formats for libraries and
31998 executables used in the earliest versions of UNIX. Linux used
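Review bot: `depends on HAVE_AOUT && BROKEN` removes a.out support from any ordinary configuration, yet the help text below still presents the format as available and nothing records why it is now gated behind BROKEN. A line in the help text such as `This option is gated behind BROKEN in this tree; see the patch notes for the rationale.` (with the actual reason supplied by the patch author) would tell users why the option no longer appears in menuconfig.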
31999 diff -urNp linux-2.6.38.1/fs/lockd/svc.c linux-2.6.38.1-new/fs/lockd/svc.c
32000 --- linux-2.6.38.1/fs/lockd/svc.c 2011-03-14 21:20:32.000000000 -0400
32001 +++ linux-2.6.38.1-new/fs/lockd/svc.c 2011-03-21 18:31:35.000000000 -0400
32004 static struct svc_program nlmsvc_program;
32006 -struct nlmsvc_binding * nlmsvc_ops;
32007 +const struct nlmsvc_binding * nlmsvc_ops;
32008 EXPORT_SYMBOL_GPL(nlmsvc_ops);
32010 static DEFINE_MUTEX(nlmsvc_mutex);
32011 diff -urNp linux-2.6.38.1/fs/locks.c linux-2.6.38.1-new/fs/locks.c
32012 --- linux-2.6.38.1/fs/locks.c 2011-03-14 21:20:32.000000000 -0400
32013 +++ linux-2.6.38.1-new/fs/locks.c 2011-03-21 18:31:35.000000000 -0400
32014 @@ -2044,16 +2044,16 @@ void locks_remove_flock(struct file *fil
32017 if (filp->f_op && filp->f_op->flock) {
32018 - struct file_lock fl = {
32019 + struct file_lock flock = {
32020 .fl_pid = current->tgid,
32022 .fl_flags = FL_FLOCK,
32023 .fl_type = F_UNLCK,
32024 .fl_end = OFFSET_MAX,
32026 - filp->f_op->flock(filp, F_SETLKW, &fl);
32027 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
32028 - fl.fl_ops->fl_release_private(&fl);
32029 + filp->f_op->flock(filp, F_SETLKW, &flock);
32030 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
32031 + flock.fl_ops->fl_release_private(&flock);
32035 diff -urNp linux-2.6.38.1/fs/namei.c linux-2.6.38.1-new/fs/namei.c
32036 --- linux-2.6.38.1/fs/namei.c 2011-03-14 21:20:32.000000000 -0400
32037 +++ linux-2.6.38.1-new/fs/namei.c 2011-03-23 18:34:34.000000000 -0400
32038 @@ -226,14 +226,6 @@ int generic_permission(struct inode *ino
32042 - * Read/write DACs are always overridable.
32043 - * Executable DACs are overridable if at least one exec bit is set.
32045 - if (!(mask & MAY_EXEC) || execute_ok(inode))
32046 - if (capable(CAP_DAC_OVERRIDE))
32050 * Searching includes executable on directories, else just read.
32052 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
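Review bot: The CAP_DAC_OVERRIDE test is moved from before to after the CAP_DAC_READ_SEARCH test (this hunk together with @@ -241), which changes which capability a read/search request is charged against when the task holds both, and with an auditing capable() also changes what gets logged; nothing in either hunk states the intent. A comment above the moved block, e.g. `/* try the narrower CAP_DAC_READ_SEARCH first so read/search never consumes CAP_DAC_OVERRIDE */` (assuming that is the motivation), would make the reorder reviewable. generic_permission begins and ends outside both hunks.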
32053 @@ -241,6 +233,14 @@ int generic_permission(struct inode *ino
32054 if (capable(CAP_DAC_READ_SEARCH))
32058 + * Read/write DACs are always overridable.
32059 + * Executable DACs are overridable if at least one exec bit is set.
32061 + if (!(mask & MAY_EXEC) || execute_ok(inode))
32062 + if (capable(CAP_DAC_OVERRIDE))
32068 @@ -687,7 +687,8 @@ static inline int exec_permission(struct
32069 if (ret == -ECHILD)
32072 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
32073 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
32074 + capable(CAP_DAC_OVERRIDE))
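Review bot: `capable(CAP_DAC_OVERRIDE)` as the last operand can only execute when `capable_nolog(CAP_DAC_OVERRIDE)` already returned false, so if the `_nolog` variant differs only in suppressing the log entry, the third call exists to emit the denial message rather than to change the result, and it reads as redundant without a comment such as `/* final capable() call only produces the audit/log entry on denial */`. If `capable_nolog` differs in any other way, the condition should be restated so that difference is visible. exec_permission begins and ends outside the hunk.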
32078 @@ -775,7 +776,7 @@ __do_follow_link(const struct path *link
32079 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
32080 error = PTR_ERR(*p);
32082 - char *s = nd_get_link(nd);
32083 + const char *s = nd_get_link(nd);
32086 error = __vfs_follow_link(nd, s);
32087 @@ -814,6 +815,13 @@ static inline int do_follow_link(struct
32088 err = security_inode_follow_link(path->dentry, nd);
32092 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
32093 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
32098 current->link_count++;
32099 current->total_link_count++;
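Review bot: `gr_handle_follow_link(path->dentry->d_parent->d_inode, ...)` reads `d_parent` without pinning the parent; d_parent can change under a concurrent rename, so this is stable only if the dentry is already held in ref-walk with suitable locking at this point, which the hunk does not show. The same expression appears in the do_filp_open reval hunk (@@ -2534). A one-line comment stating the assumed state, e.g. `/* nd is in ref-walk here; d_parent is only used to pick the parent inode */`, or taking the parent from the nameidata instead, would close the question. do_follow_link continues outside the hunk.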
32101 @@ -1505,13 +1513,36 @@ return_reval:
32103 if (nameidata_drop_rcu_last_maybe(nd))
32106 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
32108 + goto err_and_ret;
32113 if (!(nd->flags & LOOKUP_RCU))
32114 path_put_conditional(&next, nd);
32117 +#ifdef CONFIG_GRKERNSEC
32118 + /* we do this because we can't operate here on an rcu'd dentry,
32119 + acquire a properly-referenced copy
32121 + if (nameidata_drop_rcu_last_maybe(nd))
32125 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
32129 +#ifndef CONFIG_GRKERNSEC
32130 + /* since we convert to ref-walk above, always put the path if we reach
32133 if (!(nd->flags & LOOKUP_RCU))
32135 path_put(&nd->path);
32138 @@ -1738,6 +1769,9 @@ static int do_path_lookup(int dfd, const
32141 if (likely(!retval)) {
32142 + if (*name != '/' && nd->path.dentry && nd->inode && !gr_chroot_fchdir(nd->path.dentry, nd->path.mnt))
32145 if (unlikely(!audit_dummy_context())) {
32146 if (nd->path.dentry && nd->inode)
32147 audit_inode(name, nd->path.dentry);
32148 @@ -1789,6 +1823,7 @@ int vfs_path_lookup(struct dentry *dentr
32149 nd->inode = nd->path.dentry->d_inode;
32151 retval = path_walk(name, nd);
32153 if (unlikely(!retval && !audit_dummy_context() && nd->path.dentry &&
32155 audit_inode(name, nd->path.dentry);
32156 @@ -2078,6 +2113,30 @@ int vfs_create(struct inode *dir, struct
32161 + * Note that while the flag value (low two bits) for sys_open means:
32163 + * 01 - write-only
32164 + * 10 - read-write
32166 + * it is changed into
32167 + * 00 - no permissions needed
32168 + * 01 - read-permission
32169 + * 10 - write-permission
32170 + * 11 - read-write
32171 + * for the internal routines (ie open_namei()/follow_link() etc)
32172 + * This is more logical, and also allows the 00 "no perm needed"
32173 + * to be used for symlinks (where the permissions are checked
32177 +static inline int open_to_namei_flags(int flag)
32179 + if ((flag+1) & O_ACCMODE)
32184 int may_open(struct path *path, int acc_mode, int flag)
32186 struct dentry *dentry = path->dentry;
32187 @@ -2126,7 +2185,27 @@ int may_open(struct path *path, int acc_
32189 * Ensure there are no outstanding leases on the file.
32191 - return break_lease(inode, flag);
32192 + error = break_lease(inode, flag);
32197 + if (gr_handle_rofs_blockwrite(dentry, path->mnt, acc_mode)) {
32202 + if (gr_handle_rawio(inode)) {
32207 + if (!gr_acl_handle_open(dentry, path->mnt, open_to_namei_flags(flag))) {
32215 static int handle_truncate(struct file *filp)
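Review bot: The new gr_handle_rofs_blockwrite, gr_handle_rawio and gr_acl_handle_open denials come after `break_lease(inode, flag)`, so an open that this policy rejects has already broken outstanding leases on the file, an observable side effect on other lease holders, before it fails. Unless the ordering is required (the hunk does not say), moving the three checks ahead of the lease break, or commenting why they must follow it, would avoid that. The return statements between the checks are not visible in this copy, and may_open continues outside the hunk.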
32216 @@ -2161,6 +2240,12 @@ static int __open_namei_create(struct na
32219 struct dentry *dir = nd->path.dentry;
32220 + int flag = open_to_namei_flags(open_flag);
32222 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, flag, mode)) {
32227 if (!IS_POSIXACL(dir->d_inode))
32228 mode &= ~current_umask();
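Review bot: `gr_acl_handle_creat(..., flag, mode)` is evaluated before `mode &= ~current_umask()`, so the policy check sees the requested mode rather than the mode vfs_create will actually apply; if the ACL is meant to judge the resulting permissions this is an off-by-umask, and if the requested mode is intended that should be stated. Either way a comment at the call, e.g. `/* checks the requested mode; the umask is applied below */`, settles it. __open_namei_create continues outside the hunk.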
32229 @@ -2168,6 +2253,8 @@ static int __open_namei_create(struct na
32232 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
32234 + gr_handle_create(path->dentry, nd->path.mnt);
32236 mutex_unlock(&dir->d_inode->i_mutex);
32237 dput(nd->path.dentry);
32238 @@ -2179,30 +2266,6 @@ out_unlock:
32239 return may_open(&nd->path, 0, open_flag & ~O_TRUNC);
32243 - * Note that while the flag value (low two bits) for sys_open means:
32245 - * 01 - write-only
32246 - * 10 - read-write
32248 - * it is changed into
32249 - * 00 - no permissions needed
32250 - * 01 - read-permission
32251 - * 10 - write-permission
32252 - * 11 - read-write
32253 - * for the internal routines (ie open_namei()/follow_link() etc)
32254 - * This is more logical, and also allows the 00 "no perm needed"
32255 - * to be used for symlinks (where the permissions are checked
32259 -static inline int open_to_namei_flags(int flag)
32261 - if ((flag+1) & O_ACCMODE)
32266 static int open_will_truncate(int flag, struct inode *inode)
32269 @@ -2273,6 +2336,7 @@ static struct file *do_last(struct namei
32270 int mode, const char *pathname)
32272 struct dentry *dir = nd->path.dentry;
32273 + int flag = open_to_namei_flags(open_flag);
32275 int error = -EISDIR;
32277 @@ -2351,6 +2415,14 @@ static struct file *do_last(struct namei
32279 * It already exists.
32282 + /* only check if O_CREAT is specified, all other checks need to go
32284 + if (gr_handle_fifo(path->dentry, path->mnt, dir, flag, acc_mode)) {
32286 + goto exit_mutex_unlock;
32289 mutex_unlock(&dir->d_inode->i_mutex);
32290 audit_inode(pathname, path->dentry);
32292 @@ -2467,6 +2539,7 @@ struct file *do_filp_open(int dfd, const
32293 if (!nd.inode->i_op->lookup)
32297 audit_inode(pathname, nd.path.dentry);
32298 filp = finish_open(&nd, open_flag, acc_mode);
32300 @@ -2500,6 +2573,7 @@ reval:
32302 error = path_walk_simple(pathname, &nd);
32305 if (unlikely(error))
32307 if (unlikely(!audit_dummy_context()))
32308 @@ -2534,6 +2608,11 @@ reval:
32309 error = security_inode_follow_link(link.dentry, &nd);
32312 + if (gr_handle_follow_link(link.dentry->d_parent->d_inode,
32313 + link.dentry->d_inode, link.dentry, nd.path.mnt)) {
32317 error = __do_follow_link(&link, &nd, &cookie);
32318 if (unlikely(error)) {
32319 if (!IS_ERR(cookie) && linki->i_op->put_link)
32320 @@ -2704,6 +2783,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32321 error = may_mknod(mode);
32325 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
32330 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
32335 error = mnt_want_write(nd.path.mnt);
32338 @@ -2724,6 +2814,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32341 mnt_drop_write(nd.path.mnt);
32344 + gr_handle_create(dentry, nd.path.mnt);
32348 @@ -2776,6 +2869,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32349 if (IS_ERR(dentry))
32352 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
32357 if (!IS_POSIXACL(nd.path.dentry->d_inode))
32358 mode &= ~current_umask();
32359 error = mnt_want_write(nd.path.mnt);
32360 @@ -2787,6 +2885,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32361 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
32363 mnt_drop_write(nd.path.mnt);
32366 + gr_handle_create(dentry, nd.path.mnt);
32371 @@ -2866,6 +2968,8 @@ static long do_rmdir(int dfd, const char
32373 struct dentry *dentry;
32374 struct nameidata nd;
32375 + ino_t saved_ino = 0;
32376 + dev_t saved_dev = 0;
32378 error = user_path_parent(dfd, pathname, &nd, &name);
32380 @@ -2890,6 +2994,19 @@ static long do_rmdir(int dfd, const char
32381 error = PTR_ERR(dentry);
32382 if (IS_ERR(dentry))
32385 + if (dentry->d_inode != NULL) {
32386 + if (dentry->d_inode->i_nlink <= 1) {
32387 + saved_ino = dentry->d_inode->i_ino;
32388 + saved_dev = dentry->d_inode->i_sb->s_dev;
32391 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
32397 error = mnt_want_write(nd.path.mnt);
32400 @@ -2897,6 +3014,8 @@ static long do_rmdir(int dfd, const char
32403 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
32404 + if (!error && (saved_dev || saved_ino))
32405 + gr_handle_delete(saved_ino, saved_dev);
32407 mnt_drop_write(nd.path.mnt);
32409 @@ -2959,6 +3078,8 @@ static long do_unlinkat(int dfd, const c
32410 struct dentry *dentry;
32411 struct nameidata nd;
32412 struct inode *inode = NULL;
32413 + ino_t saved_ino = 0;
32414 + dev_t saved_dev = 0;
32416 error = user_path_parent(dfd, pathname, &nd, &name);
32418 @@ -2978,8 +3099,17 @@ static long do_unlinkat(int dfd, const c
32419 if (nd.last.name[nd.last.len])
32421 inode = dentry->d_inode;
32425 + if (inode->i_nlink <= 1) {
32426 + saved_ino = inode->i_ino;
32427 + saved_dev = inode->i_sb->s_dev;
32429 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
32434 error = mnt_want_write(nd.path.mnt);
32437 @@ -2987,6 +3117,8 @@ static long do_unlinkat(int dfd, const c
32440 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
32441 + if (!error && (saved_ino || saved_dev))
32442 + gr_handle_delete(saved_ino, saved_dev);
32444 mnt_drop_write(nd.path.mnt);
32446 @@ -3064,6 +3196,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
32447 if (IS_ERR(dentry))
32450 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
32455 error = mnt_want_write(nd.path.mnt);
32458 @@ -3071,6 +3208,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
32460 goto out_drop_write;
32461 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
32463 + gr_handle_create(dentry, nd.path.mnt);
32465 mnt_drop_write(nd.path.mnt);
32467 @@ -3163,6 +3302,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32468 error = PTR_ERR(new_dentry);
32469 if (IS_ERR(new_dentry))
32472 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
32473 + old_path.dentry->d_inode,
32474 + old_path.dentry->d_inode->i_mode, to)) {
32479 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
32480 + old_path.dentry, old_path.mnt, to)) {
32485 error = mnt_want_write(nd.path.mnt);
32488 @@ -3170,6 +3323,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32490 goto out_drop_write;
32491 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
32493 + gr_handle_create(new_dentry, nd.path.mnt);
32495 mnt_drop_write(nd.path.mnt);
32497 @@ -3403,6 +3558,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32498 if (new_dentry == trap)
32501 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
32502 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
32507 error = mnt_want_write(oldnd.path.mnt);
32510 @@ -3412,6 +3573,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32512 error = vfs_rename(old_dir->d_inode, old_dentry,
32513 new_dir->d_inode, new_dentry);
32515 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
32516 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
32518 mnt_drop_write(oldnd.path.mnt);
32520 diff -urNp linux-2.6.38.1/fs/namespace.c linux-2.6.38.1-new/fs/namespace.c
32521 --- linux-2.6.38.1/fs/namespace.c 2011-03-14 21:20:32.000000000 -0400
32522 +++ linux-2.6.38.1-new/fs/namespace.c 2011-03-21 18:31:35.000000000 -0400
32523 @@ -1285,6 +1285,9 @@ static int do_umount(struct vfsmount *mn
32524 if (!(sb->s_flags & MS_RDONLY))
32525 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
32526 up_write(&sb->s_umount);
32528 + gr_log_remount(mnt->mnt_devname, retval);
32533 @@ -1304,6 +1307,9 @@ static int do_umount(struct vfsmount *mn
32534 br_write_unlock(vfsmount_lock);
32535 up_write(&namespace_sem);
32536 release_mounts(&umount_list);
32538 + gr_log_unmount(mnt->mnt_devname, retval);
32543 @@ -2241,6 +2247,16 @@ long do_mount(char *dev_name, char *dir_
32544 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
32547 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
32552 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
32557 if (flags & MS_REMOUNT)
32558 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
32560 @@ -2255,6 +2271,9 @@ long do_mount(char *dev_name, char *dir_
32561 dev_name, data_page);
32565 + gr_log_mount(dev_name, dir_name, retval);
32570 @@ -2483,6 +2502,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
32574 + if (gr_handle_chroot_pivot()) {
32580 get_fs_root(current->fs, &root);
32581 down_write(&namespace_sem);
32582 mutex_lock(&old.dentry->d_inode->i_mutex);
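Review bot: In the do_umount hunk at -1285, `gr_log_remount(mnt->mnt_devname, retval)` is reached even when the superblock was already read-only and `do_remount_sb()` on the preceding line was skipped, so the logged status is then whatever `retval` held before (set outside this hunk), not a remount result. Either log only inside the `if (!(sb->s_flags & MS_RDONLY))` branch or document the behaviour above the call, e.g. `/* retval is not a remount result when sb was already read-only */`. The failure paths of `gr_handle_rofs_mount()` and `gr_handle_chroot_mount()` in the do_mount hunk are elided here, so whether they return a distinct error code and release `path` cannot be checked from this view; do_umount and do_mount both start and end outside the hunks.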
32583 diff -urNp linux-2.6.38.1/fs/nfs/inode.c linux-2.6.38.1-new/fs/nfs/inode.c
32584 --- linux-2.6.38.1/fs/nfs/inode.c 2011-03-14 21:20:32.000000000 -0400
32585 +++ linux-2.6.38.1-new/fs/nfs/inode.c 2011-03-21 18:31:35.000000000 -0400
32586 @@ -998,16 +998,16 @@ static int nfs_size_need_update(const st
32587 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
32590 -static atomic_long_t nfs_attr_generation_counter;
32591 +static atomic_long_unchecked_t nfs_attr_generation_counter;
32593 static unsigned long nfs_read_attr_generation_counter(void)
32595 - return atomic_long_read(&nfs_attr_generation_counter);
32596 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
32599 unsigned long nfs_inc_attr_generation_counter(void)
32601 - return atomic_long_inc_return(&nfs_attr_generation_counter);
32602 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
32605 void nfs_fattr_init(struct nfs_fattr *fattr)
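Review bot: Switching `nfs_attr_generation_counter` to `atomic_long_unchecked_t` opts this counter out of whatever overflow checking the checked `atomic_long_t` variant provides, and nothing in the hunk records why that is safe. A one-line comment on the definition would keep the exemption from being reverted or copied blindly, e.g. `/* monotonic generation counter: wraparound is harmless, so overflow checking is deliberately disabled */`. The two accessor functions are otherwise unchanged in behaviour.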
32606 diff -urNp linux-2.6.38.1/fs/nfs/nfs4proc.c linux-2.6.38.1-new/fs/nfs/nfs4proc.c
32607 --- linux-2.6.38.1/fs/nfs/nfs4proc.c 2011-03-14 21:20:32.000000000 -0400
32608 +++ linux-2.6.38.1-new/fs/nfs/nfs4proc.c 2011-03-21 18:31:35.000000000 -0400
32609 @@ -1198,7 +1198,7 @@ static int _nfs4_do_open_reclaim(struct
32610 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
32612 struct nfs_server *server = NFS_SERVER(state->inode);
32613 - struct nfs4_exception exception = { };
32614 + struct nfs4_exception exception = {0, 0};
32617 err = _nfs4_do_open_reclaim(ctx, state);
32618 @@ -1240,7 +1240,7 @@ static int _nfs4_open_delegation_recall(
32620 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
32622 - struct nfs4_exception exception = { };
32623 + struct nfs4_exception exception = {0, 0};
32624 struct nfs_server *server = NFS_SERVER(state->inode);
32627 @@ -1615,7 +1615,7 @@ static int _nfs4_open_expired(struct nfs
32628 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
32630 struct nfs_server *server = NFS_SERVER(state->inode);
32631 - struct nfs4_exception exception = { };
32632 + struct nfs4_exception exception = {0, 0};
32636 @@ -1730,7 +1730,7 @@ out_err:
32638 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
32640 - struct nfs4_exception exception = { };
32641 + struct nfs4_exception exception = {0, 0};
32642 struct nfs4_state *res;
32645 @@ -1821,7 +1821,7 @@ static int nfs4_do_setattr(struct inode
32646 struct nfs4_state *state)
32648 struct nfs_server *server = NFS_SERVER(inode);
32649 - struct nfs4_exception exception = { };
32650 + struct nfs4_exception exception = {0, 0};
32653 err = nfs4_handle_exception(server,
32654 @@ -2111,7 +2111,7 @@ static int _nfs4_server_capabilities(str
32656 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
32658 - struct nfs4_exception exception = { };
32659 + struct nfs4_exception exception = {0, 0};
32662 err = nfs4_handle_exception(server,
32663 @@ -2145,7 +2145,7 @@ static int _nfs4_lookup_root(struct nfs_
32664 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
32665 struct nfs_fsinfo *info)
32667 - struct nfs4_exception exception = { };
32668 + struct nfs4_exception exception = {0, 0};
32671 err = nfs4_handle_exception(server,
32672 @@ -2233,7 +2233,7 @@ static int _nfs4_proc_getattr(struct nfs
32674 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32676 - struct nfs4_exception exception = { };
32677 + struct nfs4_exception exception = {0, 0};
32680 err = nfs4_handle_exception(server,
32681 @@ -2321,7 +2321,7 @@ static int nfs4_proc_lookupfh(struct nfs
32682 struct qstr *name, struct nfs_fh *fhandle,
32683 struct nfs_fattr *fattr)
32685 - struct nfs4_exception exception = { };
32686 + struct nfs4_exception exception = {0, 0};
32689 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32690 @@ -2350,7 +2350,7 @@ static int _nfs4_proc_lookup(struct inod
32692 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32694 - struct nfs4_exception exception = { };
32695 + struct nfs4_exception exception = {0, 0};
32698 err = nfs4_handle_exception(NFS_SERVER(dir),
32699 @@ -2417,7 +2417,7 @@ static int _nfs4_proc_access(struct inod
32701 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32703 - struct nfs4_exception exception = { };
32704 + struct nfs4_exception exception = {0, 0};
32707 err = nfs4_handle_exception(NFS_SERVER(inode),
32708 @@ -2473,7 +2473,7 @@ static int _nfs4_proc_readlink(struct in
32709 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32710 unsigned int pgbase, unsigned int pglen)
32712 - struct nfs4_exception exception = { };
32713 + struct nfs4_exception exception = {0, 0};
32716 err = nfs4_handle_exception(NFS_SERVER(inode),
32717 @@ -2568,7 +2568,7 @@ out:
32719 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32721 - struct nfs4_exception exception = { };
32722 + struct nfs4_exception exception = {0, 0};
32725 err = nfs4_handle_exception(NFS_SERVER(dir),
32726 @@ -2673,7 +2673,7 @@ out:
32727 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32728 struct inode *new_dir, struct qstr *new_name)
32730 - struct nfs4_exception exception = { };
32731 + struct nfs4_exception exception = {0, 0};
32734 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32735 @@ -2722,7 +2722,7 @@ out:
32737 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32739 - struct nfs4_exception exception = { };
32740 + struct nfs4_exception exception = {0, 0};
32743 err = nfs4_handle_exception(NFS_SERVER(inode),
32744 @@ -2814,7 +2814,7 @@ out:
32745 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32746 struct page *page, unsigned int len, struct iattr *sattr)
32748 - struct nfs4_exception exception = { };
32749 + struct nfs4_exception exception = {0, 0};
32752 err = nfs4_handle_exception(NFS_SERVER(dir),
32753 @@ -2845,7 +2845,7 @@ out:
32754 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32755 struct iattr *sattr)
32757 - struct nfs4_exception exception = { };
32758 + struct nfs4_exception exception = {0, 0};
32761 sattr->ia_mode &= ~current_umask();
32762 @@ -2899,7 +2899,7 @@ static int _nfs4_proc_readdir(struct den
32763 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32764 u64 cookie, struct page **pages, unsigned int count, int plus)
32766 - struct nfs4_exception exception = { };
32767 + struct nfs4_exception exception = {0, 0};
32770 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32771 @@ -2947,7 +2947,7 @@ out:
32772 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32773 struct iattr *sattr, dev_t rdev)
32775 - struct nfs4_exception exception = { };
32776 + struct nfs4_exception exception = {0, 0};
32779 sattr->ia_mode &= ~current_umask();
32780 @@ -2981,7 +2981,7 @@ static int _nfs4_proc_statfs(struct nfs_
32782 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32784 - struct nfs4_exception exception = { };
32785 + struct nfs4_exception exception = {0, 0};
32788 err = nfs4_handle_exception(server,
32789 @@ -3012,7 +3012,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32791 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32793 - struct nfs4_exception exception = { };
32794 + struct nfs4_exception exception = {0, 0};
32798 @@ -3058,7 +3058,7 @@ static int _nfs4_proc_pathconf(struct nf
32799 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32800 struct nfs_pathconf *pathconf)
32802 - struct nfs4_exception exception = { };
32803 + struct nfs4_exception exception = {0, 0};
32807 @@ -3404,7 +3404,7 @@ out_free:
32809 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32811 - struct nfs4_exception exception = { };
32812 + struct nfs4_exception exception = {0, 0};
32815 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32816 @@ -3479,7 +3479,7 @@ static int __nfs4_proc_set_acl(struct in
32818 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32820 - struct nfs4_exception exception = { };
32821 + struct nfs4_exception exception = {0, 0};
32824 err = nfs4_handle_exception(NFS_SERVER(inode),
32825 @@ -3760,7 +3760,7 @@ out:
32826 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32828 struct nfs_server *server = NFS_SERVER(inode);
32829 - struct nfs4_exception exception = { };
32830 + struct nfs4_exception exception = {0, 0};
32833 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32834 @@ -3834,7 +3834,7 @@ out:
32836 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32838 - struct nfs4_exception exception = { };
32839 + struct nfs4_exception exception = {0, 0};
32843 @@ -4239,7 +4239,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32844 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32846 struct nfs_server *server = NFS_SERVER(state->inode);
32847 - struct nfs4_exception exception = { };
32848 + struct nfs4_exception exception = {0, 0};
32852 @@ -4257,7 +4257,7 @@ static int nfs4_lock_reclaim(struct nfs4
32853 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32855 struct nfs_server *server = NFS_SERVER(state->inode);
32856 - struct nfs4_exception exception = { };
32857 + struct nfs4_exception exception = {0, 0};
32860 err = nfs4_set_lock_state(state, request);
32861 @@ -4321,7 +4321,7 @@ out:
32863 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32865 - struct nfs4_exception exception = { };
32866 + struct nfs4_exception exception = {0, 0};
32870 @@ -4381,7 +4381,7 @@ nfs4_proc_lock(struct file *filp, int cm
32871 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32873 struct nfs_server *server = NFS_SERVER(state->inode);
32874 - struct nfs4_exception exception = { };
32875 + struct nfs4_exception exception = {0, 0};
32878 err = nfs4_set_lock_state(state, fl);
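Review bot: Replacing `{ }` with `{0, 0}` in every hunk of this file hard-codes the member count of `struct nfs4_exception`; if a field is added to the struct later, each of these initializers silently becomes a partial positional initializer and may trip missing-field-initializer warnings again. If the intent is only to avoid the GNU empty-initializer extension, the portable `{0}` form (or designated initializers naming the members) achieves the same zero-initialization without that coupling, e.g. `struct nfs4_exception exception = {0};`. The same comment applies to all the nfs4proc.c hunks from -1198 through -4381.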
32879 diff -urNp linux-2.6.38.1/fs/nfsd/lockd.c linux-2.6.38.1-new/fs/nfsd/lockd.c
32880 --- linux-2.6.38.1/fs/nfsd/lockd.c 2011-03-14 21:20:32.000000000 -0400
32881 +++ linux-2.6.38.1-new/fs/nfsd/lockd.c 2011-03-21 18:31:35.000000000 -0400
32882 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32886 -static struct nlmsvc_binding nfsd_nlm_ops = {
32887 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32888 .fopen = nlm_fopen, /* open file for locking */
32889 .fclose = nlm_fclose, /* close file */
32891 diff -urNp linux-2.6.38.1/fs/nfsd/nfsctl.c linux-2.6.38.1-new/fs/nfsd/nfsctl.c
32892 --- linux-2.6.38.1/fs/nfsd/nfsctl.c 2011-03-14 21:20:32.000000000 -0400
32893 +++ linux-2.6.38.1-new/fs/nfsd/nfsctl.c 2011-03-21 18:31:35.000000000 -0400
32894 @@ -180,7 +180,7 @@ static int export_features_open(struct i
32895 return single_open(file, export_features_show, NULL);
32898 -static struct file_operations export_features_operations = {
32899 +static const struct file_operations export_features_operations = {
32900 .open = export_features_open,
32902 .llseek = seq_lseek,
32903 diff -urNp linux-2.6.38.1/fs/nfsd/vfs.c linux-2.6.38.1-new/fs/nfsd/vfs.c
32904 --- linux-2.6.38.1/fs/nfsd/vfs.c 2011-03-14 21:20:32.000000000 -0400
32905 +++ linux-2.6.38.1-new/fs/nfsd/vfs.c 2011-03-21 18:31:35.000000000 -0400
32906 @@ -898,7 +898,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32910 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32911 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
32915 @@ -1002,7 +1002,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32917 /* Write the data. */
32918 oldfs = get_fs(); set_fs(KERNEL_DS);
32919 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32920 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32924 @@ -1518,7 +1518,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32927 oldfs = get_fs(); set_fs(KERNEL_DS);
32928 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32929 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32933 diff -urNp linux-2.6.38.1/fs/nls/nls_base.c linux-2.6.38.1-new/fs/nls/nls_base.c
32934 --- linux-2.6.38.1/fs/nls/nls_base.c 2011-03-14 21:20:32.000000000 -0400
32935 +++ linux-2.6.38.1-new/fs/nls/nls_base.c 2011-03-21 18:31:35.000000000 -0400
32936 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32937 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32938 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32939 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32940 - {0, /* end of table */}
32941 + {0, 0, 0, 0, 0, /* end of table */}
32944 #define UNICODE_MAX 0x0010ffff
32945 diff -urNp linux-2.6.38.1/fs/ntfs/dir.c linux-2.6.38.1-new/fs/ntfs/dir.c
32946 --- linux-2.6.38.1/fs/ntfs/dir.c 2011-03-14 21:20:32.000000000 -0400
32947 +++ linux-2.6.38.1-new/fs/ntfs/dir.c 2011-03-21 18:31:35.000000000 -0400
32948 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
32949 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
32950 ~(s64)(ndir->itype.index.block_size - 1)));
32951 /* Bounds checks. */
32952 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32953 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32954 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
32955 "inode 0x%lx or driver bug.", vdir->i_ino);
32957 diff -urNp linux-2.6.38.1/fs/ntfs/file.c linux-2.6.38.1-new/fs/ntfs/file.c
32958 --- linux-2.6.38.1/fs/ntfs/file.c 2011-03-14 21:20:32.000000000 -0400
32959 +++ linux-2.6.38.1-new/fs/ntfs/file.c 2011-03-21 18:31:35.000000000 -0400
32960 @@ -2222,6 +2222,6 @@ const struct inode_operations ntfs_file_
32961 #endif /* NTFS_RW */
32964 -const struct file_operations ntfs_empty_file_ops = {};
32965 +const struct file_operations ntfs_empty_file_ops __read_only;
32967 -const struct inode_operations ntfs_empty_inode_ops = {};
32968 +const struct inode_operations ntfs_empty_inode_ops __read_only;
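Review bot: Dropping the `= {}` initializer leaves `ntfs_empty_file_ops` and `ntfs_empty_inode_ops` as uninitialized `const` definitions whose contents now depend on static zero-initialization and on what the `__read_only` annotation (not visible in this hunk) does with placement. A one-line comment would stop a later reader from "restoring" the initializer or treating the missing one as a bug, e.g. `/* intentionally all-NULL ops tables; zero-initialized and placed read-only via __read_only */`.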
32969 diff -urNp linux-2.6.38.1/fs/ocfs2/localalloc.c linux-2.6.38.1-new/fs/ocfs2/localalloc.c
32970 --- linux-2.6.38.1/fs/ocfs2/localalloc.c 2011-03-14 21:20:32.000000000 -0400
32971 +++ linux-2.6.38.1-new/fs/ocfs2/localalloc.c 2011-03-21 18:31:35.000000000 -0400
32972 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32976 - atomic_inc(&osb->alloc_stats.moves);
32977 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32981 diff -urNp linux-2.6.38.1/fs/ocfs2/ocfs2.h linux-2.6.38.1-new/fs/ocfs2/ocfs2.h
32982 --- linux-2.6.38.1/fs/ocfs2/ocfs2.h 2011-03-14 21:20:32.000000000 -0400
32983 +++ linux-2.6.38.1-new/fs/ocfs2/ocfs2.h 2011-03-21 18:31:35.000000000 -0400
32984 @@ -230,11 +230,11 @@ enum ocfs2_vol_state
32986 struct ocfs2_alloc_stats
32989 - atomic_t local_data;
32990 - atomic_t bitmap_data;
32991 - atomic_t bg_allocs;
32992 - atomic_t bg_extends;
32993 + atomic_unchecked_t moves;
32994 + atomic_unchecked_t local_data;
32995 + atomic_unchecked_t bitmap_data;
32996 + atomic_unchecked_t bg_allocs;
32997 + atomic_unchecked_t bg_extends;
33000 enum ocfs2_local_alloc_state
33001 diff -urNp linux-2.6.38.1/fs/ocfs2/suballoc.c linux-2.6.38.1-new/fs/ocfs2/suballoc.c
33002 --- linux-2.6.38.1/fs/ocfs2/suballoc.c 2011-03-14 21:20:32.000000000 -0400
33003 +++ linux-2.6.38.1-new/fs/ocfs2/suballoc.c 2011-03-21 18:31:35.000000000 -0400
33004 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
33005 mlog_errno(status);
33008 - atomic_inc(&osb->alloc_stats.bg_extends);
33009 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
33011 /* You should never ask for this much metadata */
33012 BUG_ON(bits_wanted >
33013 @@ -2012,7 +2012,7 @@ int ocfs2_claim_metadata(handle_t *handl
33014 mlog_errno(status);
33017 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33018 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33020 *suballoc_loc = res.sr_bg_blkno;
33021 *suballoc_bit_start = res.sr_bit_offset;
33022 @@ -2219,7 +2219,7 @@ int ocfs2_claim_new_inode(handle_t *hand
33023 mlog_errno(status);
33026 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33027 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33029 BUG_ON(res.sr_bits != 1);
33031 @@ -2324,7 +2324,7 @@ int __ocfs2_claim_clusters(handle_t *han
33035 - atomic_inc(&osb->alloc_stats.local_data);
33036 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
33038 if (min_clusters > (osb->bitmap_cpg - 1)) {
33039 /* The only paths asking for contiguousness
33040 @@ -2350,7 +2350,7 @@ int __ocfs2_claim_clusters(handle_t *han
33041 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
33043 res.sr_bit_offset);
33044 - atomic_inc(&osb->alloc_stats.bitmap_data);
33045 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
33046 *num_clusters = res.sr_bits;
33049 diff -urNp linux-2.6.38.1/fs/ocfs2/super.c linux-2.6.38.1-new/fs/ocfs2/super.c
33050 --- linux-2.6.38.1/fs/ocfs2/super.c 2011-03-14 21:20:32.000000000 -0400
33051 +++ linux-2.6.38.1-new/fs/ocfs2/super.c 2011-03-21 18:31:35.000000000 -0400
33052 @@ -297,11 +297,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
33053 "%10s => GlobalAllocs: %d LocalAllocs: %d "
33054 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
33056 - atomic_read(&osb->alloc_stats.bitmap_data),
33057 - atomic_read(&osb->alloc_stats.local_data),
33058 - atomic_read(&osb->alloc_stats.bg_allocs),
33059 - atomic_read(&osb->alloc_stats.moves),
33060 - atomic_read(&osb->alloc_stats.bg_extends));
33061 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
33062 + atomic_read_unchecked(&osb->alloc_stats.local_data),
33063 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
33064 + atomic_read_unchecked(&osb->alloc_stats.moves),
33065 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
33067 out += snprintf(buf + out, len - out,
33068 "%10s => State: %u Descriptor: %llu Size: %u bits "
33069 @@ -2141,11 +2141,11 @@ static int ocfs2_initialize_super(struct
33070 spin_lock_init(&osb->osb_xattr_lock);
33071 ocfs2_init_steal_slots(osb);
33073 - atomic_set(&osb->alloc_stats.moves, 0);
33074 - atomic_set(&osb->alloc_stats.local_data, 0);
33075 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
33076 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
33077 - atomic_set(&osb->alloc_stats.bg_extends, 0);
33078 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
33079 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
33080 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
33081 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
33082 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
33084 /* Copy the blockcheck stats from the superblock probe */
33085 osb->osb_ecc_stats = *stats;
33086 diff -urNp linux-2.6.38.1/fs/ocfs2/symlink.c linux-2.6.38.1-new/fs/ocfs2/symlink.c
33087 --- linux-2.6.38.1/fs/ocfs2/symlink.c 2011-03-14 21:20:32.000000000 -0400
33088 +++ linux-2.6.38.1-new/fs/ocfs2/symlink.c 2011-03-21 18:31:35.000000000 -0400
33089 @@ -148,7 +148,7 @@ bail:
33091 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33093 - char *link = nd_get_link(nd);
33094 + const char *link = nd_get_link(nd);
33098 diff -urNp linux-2.6.38.1/fs/open.c linux-2.6.38.1-new/fs/open.c
33099 --- linux-2.6.38.1/fs/open.c 2011-03-14 21:20:32.000000000 -0400
33100 +++ linux-2.6.38.1-new/fs/open.c 2011-03-21 18:31:35.000000000 -0400
33101 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
33102 error = locks_verify_truncate(inode, NULL, length);
33104 error = security_path_truncate(&path);
33106 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
33110 error = do_truncate(path.dentry, length, 0, NULL);
33112 @@ -358,6 +362,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
33113 if (__mnt_is_readonly(path.mnt))
33116 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
33122 @@ -384,6 +391,8 @@ SYSCALL_DEFINE1(chdir, const char __user
33126 + gr_log_chdir(path.dentry, path.mnt);
33128 set_fs_pwd(current->fs, &path);
33131 @@ -410,6 +419,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
33134 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
33136 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
33140 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
33143 set_fs_pwd(current->fs, &file->f_path);
33145 @@ -438,7 +454,18 @@ SYSCALL_DEFINE1(chroot, const char __use
33149 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
33150 + goto dput_and_out;
33152 + if (gr_handle_chroot_caps(&path)) {
33154 + goto dput_and_out;
33157 set_fs_root(current->fs, &path);
33159 + gr_handle_chroot_chdir(&path);
33164 @@ -466,12 +493,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
33165 err = mnt_want_write_file(file);
33169 mutex_lock(&inode->i_mutex);
33171 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
33176 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
33179 if (mode == (mode_t) -1)
33180 mode = inode->i_mode;
33182 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
33187 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33188 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33189 err = notify_change(dentry, &newattrs);
33190 @@ -499,12 +539,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
33191 error = mnt_want_write(path.mnt);
33195 mutex_lock(&inode->i_mutex);
33197 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
33202 error = security_path_chmod(path.dentry, path.mnt, mode);
33205 if (mode == (mode_t) -1)
33206 mode = inode->i_mode;
33208 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
33213 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33214 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33215 error = notify_change(path.dentry, &newattrs);
33216 @@ -528,6 +581,9 @@ static int chown_common(struct path *pat
33218 struct iattr newattrs;
33220 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
33223 newattrs.ia_valid = ATTR_CTIME;
33224 if (user != (uid_t) -1) {
33225 newattrs.ia_valid |= ATTR_UID;
33226 @@ -898,7 +954,10 @@ long do_sys_open(int dfd, const char __u
33227 if (!IS_ERR(tmp)) {
33228 fd = get_unused_fd_flags(flags);
33230 - struct file *f = do_filp_open(dfd, tmp, flags, mode, 0);
33232 + /* don't allow to be set by userland */
33233 + flags &= ~FMODE_GREXEC;
33234 + f = do_filp_open(dfd, tmp, flags, mode, 0);
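Review bot: In the do_sys_open hunk at -898, `flags &= ~FMODE_GREXEC;` is applied after `get_unused_fd_flags(flags)` on the preceding line has already consumed the unmasked value, so the userland-supplied bit still reaches one consumer; masking before the first use keeps the comment "don't allow to be set by userland" accurate, e.g. `flags &= ~FMODE_GREXEC; fd = get_unused_fd_flags(flags);`. Whether `FMODE_GREXEC` shares bit space with the `O_*` open flags (it is named like an f_mode bit) is not visible here and should be confirmed, since the mask is applied to the open-flag word. The `struct file *f` declaration that replaces the removed line is elided, and do_sys_open starts and ends outside the hunk; the chroot hunk at -438 also jumps to `dput_and_out` without a visible error assignment, which may be set on elided lines.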
33238 diff -urNp linux-2.6.38.1/fs/partitions/ldm.c linux-2.6.38.1-new/fs/partitions/ldm.c
33239 --- linux-2.6.38.1/fs/partitions/ldm.c 2011-03-14 21:20:32.000000000 -0400
33240 +++ linux-2.6.38.1-new/fs/partitions/ldm.c 2011-03-21 18:31:35.000000000 -0400
33241 @@ -1313,7 +1313,7 @@ static bool ldm_frag_add (const u8 *data
33245 - f = kmalloc (sizeof (*f) + size*num, GFP_KERNEL);
33246 + f = kmalloc (size*num + sizeof (*f), GFP_KERNEL);
33248 ldm_crit ("Out of memory.");
33250 diff -urNp linux-2.6.38.1/fs/pipe.c linux-2.6.38.1-new/fs/pipe.c
33251 --- linux-2.6.38.1/fs/pipe.c 2011-03-14 21:20:32.000000000 -0400
33252 +++ linux-2.6.38.1-new/fs/pipe.c 2011-03-21 18:31:35.000000000 -0400
33253 @@ -420,9 +420,9 @@ redo:
33255 if (bufs) /* More to do? */
33257 - if (!pipe->writers)
33258 + if (!atomic_read(&pipe->writers))
33260 - if (!pipe->waiting_writers) {
33261 + if (!atomic_read(&pipe->waiting_writers)) {
33262 /* syscall merging: Usually we must not sleep
33263 * if O_NONBLOCK is set, or if we got some data.
33264 * But if a writer sleeps in kernel space, then
33265 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
33266 mutex_lock(&inode->i_mutex);
33267 pipe = inode->i_pipe;
33269 - if (!pipe->readers) {
33270 + if (!atomic_read(&pipe->readers)) {
33271 send_sig(SIGPIPE, current, 0);
33274 @@ -530,7 +530,7 @@ redo1:
33278 - if (!pipe->readers) {
33279 + if (!atomic_read(&pipe->readers)) {
33280 send_sig(SIGPIPE, current, 0);
33283 @@ -616,9 +616,9 @@ redo2:
33284 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
33287 - pipe->waiting_writers++;
33288 + atomic_inc(&pipe->waiting_writers);
33290 - pipe->waiting_writers--;
33291 + atomic_dec(&pipe->waiting_writers);
33294 mutex_unlock(&inode->i_mutex);
33295 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
33297 if (filp->f_mode & FMODE_READ) {
33298 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
33299 - if (!pipe->writers && filp->f_version != pipe->w_counter)
33300 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
33304 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
33305 * Most Unices do not set POLLERR for FIFOs but on Linux they
33306 * behave exactly like pipes for poll().
33308 - if (!pipe->readers)
33309 + if (!atomic_read(&pipe->readers))
33313 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
33315 mutex_lock(&inode->i_mutex);
33316 pipe = inode->i_pipe;
33317 - pipe->readers -= decr;
33318 - pipe->writers -= decw;
33319 + atomic_sub(decr, &pipe->readers);
33320 + atomic_sub(decw, &pipe->writers);
33322 - if (!pipe->readers && !pipe->writers) {
33323 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
33324 free_pipe_info(inode);
33326 wake_up_interruptible_sync_poll(&pipe->wait, POLLIN | POLLOUT | POLLRDNORM | POLLWRNORM | POLLERR | POLLHUP);
33327 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
33329 if (inode->i_pipe) {
33331 - inode->i_pipe->readers++;
33332 + atomic_inc(&inode->i_pipe->readers);
33335 mutex_unlock(&inode->i_mutex);
33336 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
33338 if (inode->i_pipe) {
33340 - inode->i_pipe->writers++;
33341 + atomic_inc(&inode->i_pipe->writers);
33344 mutex_unlock(&inode->i_mutex);
33345 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
33346 if (inode->i_pipe) {
33348 if (filp->f_mode & FMODE_READ)
33349 - inode->i_pipe->readers++;
33350 + atomic_inc(&inode->i_pipe->readers);
33351 if (filp->f_mode & FMODE_WRITE)
33352 - inode->i_pipe->writers++;
33353 + atomic_inc(&inode->i_pipe->writers);
33356 mutex_unlock(&inode->i_mutex);
33357 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
33358 inode->i_pipe = NULL;
33361 -static struct vfsmount *pipe_mnt __read_mostly;
33362 +struct vfsmount *pipe_mnt __read_mostly;
33365 * pipefs_dname() is called from d_path().
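Review bot: Dropping `static` from `pipe_mnt` widens it to a global symbol, but no `extern struct vfsmount *pipe_mnt;` declaration is added alongside, so the consumer presumably declares it locally and sparse will flag the symbol as "not declared, should it be static?"; the declaration belongs in a shared header (fs/internal.h or include/linux/pipe_fs_i.h) next to the existing pipe declarations. Consider also whether the new consumer can go through an accessor instead of the raw mount pointer, which keeps the mount's lifetime owned by fs/pipe.c.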
33366 @@ -961,7 +961,8 @@ static struct inode * get_pipe_inode(voi
33368 inode->i_pipe = pipe;
33370 - pipe->readers = pipe->writers = 1;
33371 + atomic_set(&pipe->readers, 1);
33372 + atomic_set(&pipe->writers, 1);
33373 inode->i_fop = &rdwr_pipefifo_fops;
33376 diff -urNp linux-2.6.38.1/fs/proc/array.c linux-2.6.38.1-new/fs/proc/array.c
33377 --- linux-2.6.38.1/fs/proc/array.c 2011-03-14 21:20:32.000000000 -0400
33378 +++ linux-2.6.38.1-new/fs/proc/array.c 2011-03-21 18:31:35.000000000 -0400
33380 #include <linux/tty.h>
33381 #include <linux/string.h>
33382 #include <linux/mman.h>
33383 +#include <linux/grsecurity.h>
33384 #include <linux/proc_fs.h>
33385 #include <linux/ioport.h>
33386 #include <linux/uaccess.h>
33387 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
33391 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33392 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
33395 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
33396 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
33397 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
33398 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
33399 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
33400 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
33402 + seq_printf(m, "PaX:\t-----\n");
33406 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
33407 struct pid *pid, struct task_struct *task)
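Review bot: task_pax() dereferences `p->mm` directly, five times inside the seq_printf, instead of pinning it with get_task_mm(); the guard on the elided line before the seq_printf presumably tests `p->mm`, but a task that exits concurrently can clear `p->mm` between that test and the reads, which then dereference NULL. Taking `struct mm_struct *mm = get_task_mm(p);` at the top, reading `mm->pax_flags` and calling `mmput(mm)` afterwards follows the pattern proc_pid_status() already uses for task_mem(). A one-line comment noting that each letter is upper-case when the corresponding MF_PAX_* flag is set would also help readers of /proc/<pid>/status.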
33409 @@ -354,9 +370,24 @@ int proc_pid_status(struct seq_file *m,
33410 cpuset_task_status_allowed(m, task);
33411 task_vs_id(m, task);
33412 task_context_switch_counts(m, task);
33414 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33415 + task_pax(m, task);
33418 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
33419 + task_grsec_rbac(m, task);
33425 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33426 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33427 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33428 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33431 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
33432 struct pid *pid, struct task_struct *task, int whole)
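Review bot: The PAX_RAND_FLAGS macro defined here is duplicated verbatim in fs/proc/base.c and fs/proc/task_mmu.c (the @@ -277,12 +299,28 @@ and @@ -204,6 +215,12 @@ hunks of this patch), and its argument is neither parenthesized nor evaluated only once. A `static inline bool pax_rand_flags(const struct mm_struct *mm)` in fs/proc/internal.h, which this patch already touches, would give one definition, type checking and single evaluation. The body also mixes `&` and `||` without parentheses around each `&` term; it parses as intended, but `(_mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC))` says the same thing more plainly.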
33434 @@ -449,6 +480,19 @@ static int do_task_stat(struct seq_file
33435 gtime = task->gtime;
33438 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33439 + if (PAX_RAND_FLAGS(mm)) {
33445 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33451 /* scale priority and nice values from timeslices to -20..20 */
33452 /* to make it look like a "normal" Unix priority/nice value */
33453 priority = task_prio(task);
33454 @@ -489,9 +533,15 @@ static int do_task_stat(struct seq_file
33456 mm ? get_mm_rss(mm) : 0,
33458 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33459 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
33460 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
33461 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
33463 mm ? mm->start_code : 0,
33464 mm ? mm->end_code : 0,
33465 (permitted && mm) ? mm->start_stack : 0,
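Review bot: The hidden values are `1` for start_code/end_code but `0` for start_stack, and nothing in the hunk says why the two sentinels differ; a short comment explaining the asymmetry (for instance, if some userspace tools treat start_code == 0 as a kernel thread) would stop a later cleanup from "fixing" one to match the other. The same sentinels are emitted in the elided lines of the previous hunk (@@ -449,6 +480,19 @@), so the comment belongs at that first occurrence. do_task_stat's body continues outside this hunk.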
33469 /* The signal information here is obsolete.
33470 @@ -544,3 +594,10 @@ int proc_pid_statm(struct seq_file *m, s
33475 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33476 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
33478 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
33481 diff -urNp linux-2.6.38.1/fs/proc/base.c linux-2.6.38.1-new/fs/proc/base.c
33482 --- linux-2.6.38.1/fs/proc/base.c 2011-03-14 21:20:32.000000000 -0400
33483 +++ linux-2.6.38.1-new/fs/proc/base.c 2011-03-21 18:31:35.000000000 -0400
33484 @@ -104,6 +104,22 @@ struct pid_entry {
33488 +struct getdents_callback {
33489 + struct linux_dirent __user * current_dir;
33490 + struct linux_dirent __user * previous;
33491 + struct file * file;
33496 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
33497 + loff_t offset, u64 ino, unsigned int d_type)
33499 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
33500 + buf->error = -EINVAL;
33504 #define NOD(NAME, MODE, IOP, FOP, OP) { \
33506 .len = sizeof(NAME) - 1, \
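Review bot: gr_fake_filldir() casts the opaque `__buf` to `struct getdents_callback` and stores into `buf->error`, but vfs_readdir() callers hand filldir whatever callback struct they own: fs/readdir.c in this same patch shows three layouts (readdir_callback, getdents_callback, getdents_callback64), and this local copy of getdents_callback will silently diverge from the one in fs/readdir.c. For old_readdir's smaller readdir_callback the store to `error` appears to land past the end of the caller's stack object. Since the fake filldir only needs to swallow the entry, drop the cast and the store and keep the elided `return 0;`; proc_pid_readdir (the @@ -3086,8 +3201,27 @@ hunk) already switches back to the real filldir afterwards, so no layout knowledge is needed.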
33507 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
33508 if (task == current)
33511 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
33515 * If current is actively ptrace'ing, and would also be
33516 * permitted to freshly attach with ptrace now, permit it.
33517 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
33519 goto out_mm; /* Shh! No looking before we're done */
33521 + if (gr_acl_handle_procpidmem(task))
33524 len = mm->arg_end - mm->arg_start;
33526 if (len > PAGE_SIZE)
33527 @@ -277,12 +299,28 @@ out:
33531 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33532 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33533 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33534 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33537 static int proc_pid_auxv(struct task_struct *task, char *buffer)
33540 struct mm_struct *mm = get_task_mm(task);
33542 unsigned int nwords = 0;
33544 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33545 + /* allow if we're currently ptracing this task */
33546 + if (PAX_RAND_FLAGS(mm) &&
33547 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
33555 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
33556 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
33560 -#ifdef CONFIG_KALLSYMS
33561 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33563 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
33564 * Returns the resolved symbol. If that fails, simply return the address.
33565 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
33567 #endif /* CONFIG_KALLSYMS */
33569 -#ifdef CONFIG_STACKTRACE
33570 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33572 #define MAX_STACK_TRACE_DEPTH 64
33574 @@ -503,7 +541,7 @@ static int proc_pid_limits(struct task_s
33578 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33579 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33580 static int proc_pid_syscall(struct task_struct *task, char *buffer)
33583 @@ -917,6 +955,9 @@ static ssize_t environ_read(struct file
33587 + if (gr_acl_handle_procpidmem(task))
33590 if (!ptrace_may_access(task, PTRACE_MODE_READ))
33593 @@ -1712,7 +1753,11 @@ static struct inode *proc_pid_make_inode
33595 cred = __task_cred(task);
33596 inode->i_uid = cred->euid;
33597 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33598 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33600 inode->i_gid = cred->egid;
33604 security_task_to_inode(task, inode);
33605 @@ -1730,6 +1775,9 @@ static int pid_getattr(struct vfsmount *
33606 struct inode *inode = dentry->d_inode;
33607 struct task_struct *task;
33608 const struct cred *cred;
33609 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33610 + const struct cred *tmpcred = current_cred();
33613 generic_fillattr(inode, stat);
33615 @@ -1737,12 +1785,34 @@ static int pid_getattr(struct vfsmount *
33618 task = pid_task(proc_pid(inode), PIDTYPE_PID);
33620 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
33621 + rcu_read_unlock();
33626 + cred = __task_cred(task);
33627 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33628 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
33629 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33630 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33634 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33635 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33636 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33637 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33638 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33640 task_dumpable(task)) {
33641 - cred = __task_cred(task);
33642 stat->uid = cred->euid;
33643 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33644 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
33646 stat->gid = cred->egid;
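Review bot: The privilege test on `tmpcred->uid` (root if zero, otherwise must equal the target's `cred->uid`) uses the real uid here and again in proc_pid_readdir, while the get_proc_task_net() hunk in fs/proc/proc_net.c tests `cred->fsuid`; pick one identity for all the /proc visibility checks (fsuid is what the rest of the VFS permission path uses) and say so in a comment, otherwise a setfsuid() caller gets different answers from readdir and from /proc/<pid>/net. Comparing real uids while the reported `stat->uid` is `cred->euid` is a second, smaller inconsistency in the same block. The `#else`/`#endif` lines of the nested conditionals are elided, so I could not confirm which mode expression is active in each configuration.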
33651 @@ -1780,11 +1850,20 @@ static int pid_revalidate(struct dentry
33654 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33655 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33656 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33657 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33658 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33660 task_dumpable(task)) {
33662 cred = __task_cred(task);
33663 inode->i_uid = cred->euid;
33664 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33665 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33667 inode->i_gid = cred->egid;
33672 @@ -1905,7 +1984,8 @@ static int proc_fd_info(struct inode *in
33673 int fd = proc_fd(inode);
33676 - files = get_files_struct(task);
33677 + if (!gr_acl_handle_procpidmem(task))
33678 + files = get_files_struct(task);
33679 put_task_struct(task);
33682 @@ -2165,15 +2245,25 @@ static const struct file_operations proc
33684 static int proc_fd_permission(struct inode *inode, int mask, unsigned int flags)
33686 + struct task_struct *task;
33689 if (flags & IPERM_FLAG_RCU)
33691 rv = generic_permission(inode, mask, flags, NULL);
33695 if (task_pid(current) == proc_pid(inode))
33698 + task = get_proc_task(inode);
33699 + if (task == NULL)
33702 + if (gr_acl_handle_procpidmem(task))
33705 + put_task_struct(task);
33710 @@ -2283,6 +2373,9 @@ static struct dentry *proc_pident_lookup
33714 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33718 * Yes, it does not scale. And it should not. Don't add
33719 * new entries into /proc/<tgid>/ without very good reasons.
33720 @@ -2327,6 +2420,9 @@ static int proc_pident_readdir(struct fi
33724 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33730 @@ -2597,7 +2693,7 @@ static void *proc_self_follow_link(struc
33731 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
33734 - char *s = nd_get_link(nd);
33735 + const char *s = nd_get_link(nd);
33739 @@ -2777,7 +2873,7 @@ static const struct pid_entry tgid_base_
33740 REG("autogroup", S_IRUGO|S_IWUSR, proc_pid_sched_autogroup_operations),
33742 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33743 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33744 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33745 INF("syscall", S_IRUSR, proc_pid_syscall),
33747 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33748 @@ -2802,10 +2898,10 @@ static const struct pid_entry tgid_base_
33749 #ifdef CONFIG_SECURITY
33750 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33752 -#ifdef CONFIG_KALLSYMS
33753 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33754 INF("wchan", S_IRUGO, proc_pid_wchan),
33756 -#ifdef CONFIG_STACKTRACE
33757 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33758 ONE("stack", S_IRUSR, proc_pid_stack),
33760 #ifdef CONFIG_SCHEDSTATS
33761 @@ -2836,6 +2932,9 @@ static const struct pid_entry tgid_base_
33762 INF("io", S_IRUGO, proc_tgid_io_accounting),
33764 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
33765 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33766 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33770 static int proc_tgid_base_readdir(struct file * filp,
33771 @@ -2961,7 +3060,14 @@ static struct dentry *proc_pid_instantia
33775 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33776 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33777 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33778 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33779 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33781 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33783 inode->i_op = &proc_tgid_base_inode_operations;
33784 inode->i_fop = &proc_tgid_base_operations;
33785 inode->i_flags|=S_IMMUTABLE;
33786 @@ -3003,7 +3109,11 @@ struct dentry *proc_pid_lookup(struct in
33790 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33791 + goto out_put_task;
33793 result = proc_pid_instantiate(dir, dentry, task, NULL);
33795 put_task_struct(task);
33798 @@ -3068,6 +3178,11 @@ int proc_pid_readdir(struct file * filp,
33800 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33801 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33802 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33803 + const struct cred *tmpcred = current_cred();
33804 + const struct cred *itercred;
33806 + filldir_t __filldir = filldir;
33807 struct tgid_iter iter;
33808 struct pid_namespace *ns;
33810 @@ -3086,8 +3201,27 @@ int proc_pid_readdir(struct file * filp,
33811 for (iter = next_tgid(ns, iter);
33813 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33814 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33816 + itercred = __task_cred(iter.task);
33818 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33819 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33820 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33821 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33822 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33827 + __filldir = &gr_fake_filldir;
33829 + __filldir = filldir;
33830 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33831 + rcu_read_unlock();
33833 filp->f_pos = iter.tgid + TGID_OFFSET;
33834 if (!vx_proc_task_visible(iter.task))
33836 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33837 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33838 put_task_struct(iter.task);
33839 @@ -3114,7 +3248,7 @@ static const struct pid_entry tid_base_s
33840 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33842 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33843 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33844 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33845 INF("syscall", S_IRUSR, proc_pid_syscall),
33847 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33848 @@ -3138,10 +3272,10 @@ static const struct pid_entry tid_base_s
33849 #ifdef CONFIG_SECURITY
33850 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33852 -#ifdef CONFIG_KALLSYMS
33853 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33854 INF("wchan", S_IRUGO, proc_pid_wchan),
33856 -#ifdef CONFIG_STACKTRACE
33857 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33858 ONE("stack", S_IRUSR, proc_pid_stack),
33860 #ifdef CONFIG_SCHEDSTATS
33861 diff -urNp linux-2.6.38.1/fs/proc/cmdline.c linux-2.6.38.1-new/fs/proc/cmdline.c
33862 --- linux-2.6.38.1/fs/proc/cmdline.c 2011-03-14 21:20:32.000000000 -0400
33863 +++ linux-2.6.38.1-new/fs/proc/cmdline.c 2011-03-21 18:31:35.000000000 -0400
33864 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33866 static int __init proc_cmdline_init(void)
33868 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33869 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33871 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33875 module_init(proc_cmdline_init);
33876 diff -urNp linux-2.6.38.1/fs/proc/devices.c linux-2.6.38.1-new/fs/proc/devices.c
33877 --- linux-2.6.38.1/fs/proc/devices.c 2011-03-14 21:20:32.000000000 -0400
33878 +++ linux-2.6.38.1-new/fs/proc/devices.c 2011-03-21 18:31:35.000000000 -0400
33879 @@ -64,7 +64,11 @@ static const struct file_operations proc
33881 static int __init proc_devices_init(void)
33883 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33884 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33886 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33890 module_init(proc_devices_init);
33891 diff -urNp linux-2.6.38.1/fs/proc/inode.c linux-2.6.38.1-new/fs/proc/inode.c
33892 --- linux-2.6.38.1/fs/proc/inode.c 2011-03-14 21:20:32.000000000 -0400
33893 +++ linux-2.6.38.1-new/fs/proc/inode.c 2011-03-21 18:31:35.000000000 -0400
33894 @@ -435,7 +435,11 @@ struct inode *proc_get_inode(struct supe
33896 inode->i_mode = de->mode;
33897 inode->i_uid = de->uid;
33898 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33899 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33901 inode->i_gid = de->gid;
33905 inode->i_size = de->size;
33906 diff -urNp linux-2.6.38.1/fs/proc/internal.h linux-2.6.38.1-new/fs/proc/internal.h
33907 --- linux-2.6.38.1/fs/proc/internal.h 2011-03-14 21:20:32.000000000 -0400
33908 +++ linux-2.6.38.1-new/fs/proc/internal.h 2011-03-21 18:31:35.000000000 -0400
33909 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33910 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33911 struct pid *pid, struct task_struct *task);
33913 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33914 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33916 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33918 extern const struct file_operations proc_maps_operations;
33919 diff -urNp linux-2.6.38.1/fs/proc/Kconfig linux-2.6.38.1-new/fs/proc/Kconfig
33920 --- linux-2.6.38.1/fs/proc/Kconfig 2011-03-14 21:20:32.000000000 -0400
33921 +++ linux-2.6.38.1-new/fs/proc/Kconfig 2011-03-21 18:31:35.000000000 -0400
33922 @@ -30,12 +30,12 @@ config PROC_FS
33925 bool "/proc/kcore support" if !ARM
33926 - depends on PROC_FS && MMU
33927 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33930 bool "/proc/vmcore support"
33931 - depends on PROC_FS && CRASH_DUMP
33933 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33936 Exports the dump image of crashed kernel in ELF format.
33938 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33941 config PROC_PAGE_MONITOR
33943 - depends on PROC_FS && MMU
33945 + depends on PROC_FS && MMU && !GRKERNSEC
33946 bool "Enable /proc page monitoring" if EXPERT
33948 Various /proc files exist to monitor process memory utilization:
33949 diff -urNp linux-2.6.38.1/fs/proc/kcore.c linux-2.6.38.1-new/fs/proc/kcore.c
33950 --- linux-2.6.38.1/fs/proc/kcore.c 2011-03-14 21:20:32.000000000 -0400
33951 +++ linux-2.6.38.1-new/fs/proc/kcore.c 2011-03-21 18:31:35.000000000 -0400
33952 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33953 * the addresses in the elf_phdr on our list.
33955 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33956 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33957 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33958 + if (tsz > buflen)
33963 struct kcore_list *m;
33965 @@ -509,20 +510,23 @@ read_kcore(struct file *file, char __use
33968 if (kern_addr_valid(start)) {
33971 + mm_segment_t oldfs;
33973 - n = copy_to_user(buffer, (char *)start, tsz);
33975 - * We cannot distingush between fault on source
33976 - * and fault on destination. When this happens
33977 - * we clear too and hope it will trigger the
33981 - if (clear_user(buffer + tsz - n,
33983 + elf_buf = kmalloc(tsz, GFP_KERNEL);
33986 + oldfs = get_fs();
33987 + set_fs(KERNEL_DS);
33988 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33990 + if (copy_to_user(buffer, elf_buf, tsz)) {
33998 if (clear_user(buffer, tsz))
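Review bot: The `set_fs(KERNEL_DS)` window must be closed before `copy_to_user(buffer, elf_buf, tsz)`: with KERNEL_DS active, copy_to_user() no longer range-checks the user-supplied `buffer`, so a caller could direct the copy at a kernel address. The line between `__copy_from_user()` and `copy_to_user()` is elided here and presumably holds `set_fs(oldfs);`; if it does not, add it, and make sure `set_fs(oldfs);` and `kfree(elf_buf);` run on every exit from this block, including the EFAULT path, since elf_buf is allocated per iteration. A comment such as `/* bounce through a kernel buffer so a fault on the kcore source is distinguishable from a fault on the user destination */` would preserve the rationale the removed comment used to give.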
34000 @@ -542,6 +546,9 @@ read_kcore(struct file *file, char __use
34002 static int open_kcore(struct inode *inode, struct file *filp)
34004 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
34007 if (!capable(CAP_SYS_RAWIO))
34009 if (kcore_need_update)
34010 diff -urNp linux-2.6.38.1/fs/proc/meminfo.c linux-2.6.38.1-new/fs/proc/meminfo.c
34011 --- linux-2.6.38.1/fs/proc/meminfo.c 2011-03-14 21:20:32.000000000 -0400
34012 +++ linux-2.6.38.1-new/fs/proc/meminfo.c 2011-03-21 18:31:35.000000000 -0400
34013 @@ -157,7 +157,7 @@ static int meminfo_proc_show(struct seq_
34015 vmi.largest_chunk >> 10
34016 #ifdef CONFIG_MEMORY_FAILURE
34017 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
34018 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
34020 #ifdef CONFIG_TRANSPARENT_HUGEPAGE
34021 ,K(global_page_state(NR_ANON_TRANSPARENT_HUGEPAGES) *
34022 diff -urNp linux-2.6.38.1/fs/proc/nommu.c linux-2.6.38.1-new/fs/proc/nommu.c
34023 --- linux-2.6.38.1/fs/proc/nommu.c 2011-03-14 21:20:32.000000000 -0400
34024 +++ linux-2.6.38.1-new/fs/proc/nommu.c 2011-03-21 18:31:35.000000000 -0400
34025 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
34028 seq_printf(m, "%*c", len, ' ');
34029 - seq_path(m, &file->f_path, "");
34030 + seq_path(m, &file->f_path, "\n\\");
34034 diff -urNp linux-2.6.38.1/fs/proc/proc_net.c linux-2.6.38.1-new/fs/proc/proc_net.c
34035 --- linux-2.6.38.1/fs/proc/proc_net.c 2011-03-14 21:20:32.000000000 -0400
34036 +++ linux-2.6.38.1-new/fs/proc/proc_net.c 2011-03-21 18:31:35.000000000 -0400
34037 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
34038 struct task_struct *task;
34039 struct nsproxy *ns;
34040 struct net *net = NULL;
34041 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34042 + const struct cred *cred = current_cred();
34045 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34048 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34049 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
34054 task = pid_task(proc_pid(dir), PIDTYPE_PID);
34055 diff -urNp linux-2.6.38.1/fs/proc/proc_sysctl.c linux-2.6.38.1-new/fs/proc/proc_sysctl.c
34056 --- linux-2.6.38.1/fs/proc/proc_sysctl.c 2011-03-14 21:20:32.000000000 -0400
34057 +++ linux-2.6.38.1-new/fs/proc/proc_sysctl.c 2011-03-21 18:31:35.000000000 -0400
34059 #include <linux/namei.h>
34060 #include "internal.h"
34062 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
34064 static const struct dentry_operations proc_sys_dentry_operations;
34065 static const struct file_operations proc_sys_file_operations;
34066 static const struct inode_operations proc_sys_inode_operations;
34067 @@ -112,6 +114,9 @@ static struct dentry *proc_sys_lookup(st
34071 + if (gr_handle_sysctl(p, MAY_EXEC))
34074 err = ERR_PTR(-ENOMEM);
34075 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
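Review bot: `gr_handle_sysctl()` is declared with a bare `extern` in this .c file rather than in a header, so the three call sites here are checked against a prototype that can drift from the definition; fs/proc/array.c in this patch already includes `<linux/grsecurity.h>`, which is where the declaration belongs. The `op` argument is `MAY_EXEC` here and in proc_sys_getattr() but the literal `0` in scan() (the @@ -231,6 +236,9 @@ hunk), whose meaning is not obvious; a named constant or a comment like `/* 0: visibility check for readdir, no access mode */` would make the three calls read consistently.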
34077 @@ -231,6 +236,9 @@ static int scan(struct ctl_table_header
34078 if (*pos < file->f_pos)
34081 + if (gr_handle_sysctl(table, 0))
34084 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
34087 @@ -359,6 +367,9 @@ static int proc_sys_getattr(struct vfsmo
34089 return PTR_ERR(head);
34091 + if (table && gr_handle_sysctl(table, MAY_EXEC))
34094 generic_fillattr(inode, stat);
34096 stat->mode = (stat->mode & S_IFMT) | table->mode;
34097 diff -urNp linux-2.6.38.1/fs/proc/root.c linux-2.6.38.1-new/fs/proc/root.c
34098 --- linux-2.6.38.1/fs/proc/root.c 2011-03-14 21:20:32.000000000 -0400
34099 +++ linux-2.6.38.1-new/fs/proc/root.c 2011-03-21 18:31:35.000000000 -0400
34100 @@ -132,7 +132,15 @@ void __init proc_root_init(void)
34101 #ifdef CONFIG_PROC_DEVICETREE
34102 proc_device_tree_init();
34104 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34105 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34106 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
34107 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34108 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
34111 proc_mkdir("bus", NULL);
34116 diff -urNp linux-2.6.38.1/fs/proc/task_mmu.c linux-2.6.38.1-new/fs/proc/task_mmu.c
34117 --- linux-2.6.38.1/fs/proc/task_mmu.c 2011-03-14 21:20:32.000000000 -0400
34118 +++ linux-2.6.38.1-new/fs/proc/task_mmu.c 2011-03-21 18:31:35.000000000 -0400
34119 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
34120 "VmExe:\t%8lu kB\n"
34121 "VmLib:\t%8lu kB\n"
34122 "VmPTE:\t%8lu kB\n"
34123 - "VmSwap:\t%8lu kB\n",
34124 - hiwater_vm << (PAGE_SHIFT-10),
34125 + "VmSwap:\t%8lu kB\n"
34127 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34128 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
34131 + ,hiwater_vm << (PAGE_SHIFT-10),
34132 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
34133 mm->locked_vm << (PAGE_SHIFT-10),
34134 hiwater_rss << (PAGE_SHIFT-10),
34135 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
34136 data << (PAGE_SHIFT-10),
34137 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
34138 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
34139 - swap << (PAGE_SHIFT-10));
34140 + swap << (PAGE_SHIFT-10)
34142 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34143 + , mm->context.user_cs_base, mm->context.user_cs_limit
34149 unsigned long task_vsize(struct mm_struct *mm)
34150 @@ -204,6 +215,12 @@ static int do_maps_open(struct inode *in
34154 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34155 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34156 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34157 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34160 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
34162 struct mm_struct *mm = vma->vm_mm;
34163 @@ -211,7 +228,6 @@ static void show_map_vma(struct seq_file
34164 int flags = vma->vm_flags;
34165 unsigned long ino = 0;
34166 unsigned long long pgoff = 0;
34167 - unsigned long start;
34171 @@ -222,20 +238,24 @@ static void show_map_vma(struct seq_file
34172 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
34175 - /* We don't show the stack guard page in /proc/maps */
34176 - start = vma->vm_start;
34177 - if (vma->vm_flags & VM_GROWSDOWN)
34178 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
34179 - start += PAGE_SIZE;
34181 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
34183 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34184 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
34185 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
34190 flags & VM_READ ? 'r' : '-',
34191 flags & VM_WRITE ? 'w' : '-',
34192 flags & VM_EXEC ? 'x' : '-',
34193 flags & VM_MAYSHARE ? 's' : 'p',
34194 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34195 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
34199 MAJOR(dev), MINOR(dev), ino, &len);
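Review bot: The hunk silently drops the "We don't show the stack guard page in /proc/maps" adjustment, and that removal is not under `CONFIG_GRKERNSEC_PROC_MEMMAP`, so on every configuration /proc/<pid>/maps goes back to reporting the guard page as part of the stack VMA; this is a user-visible change and deserves a one-line comment stating why it is correct in this tree. The elided lines between `#else` and the flag characters presumably print `vma->vm_start`/`vma->vm_end` directly, which is why `start` is no longer needed. PAX_RAND_FLAGS(mm) is also re-evaluated for every printed field; hoisting it into a local such as `bool hide = PAX_RAND_FLAGS(mm);` before the seq_printf avoids re-reading `current->mm` and `pax_flags` each time.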
34202 @@ -244,16 +264,16 @@ static void show_map_vma(struct seq_file
34205 pad_len_spaces(m, len);
34206 - seq_path(m, &file->f_path, "\n");
34207 + seq_path(m, &file->f_path, "\n\\");
34209 const char *name = arch_vma_name(vma);
34212 - if (vma->vm_start <= mm->start_brk &&
34213 - vma->vm_end >= mm->brk) {
34214 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
34216 - } else if (vma->vm_start <= mm->start_stack &&
34217 - vma->vm_end >= mm->start_stack) {
34218 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
34219 + (vma->vm_start <= mm->start_stack &&
34220 + vma->vm_end >= mm->start_stack)) {
34224 @@ -399,11 +419,16 @@ static int show_smap(struct seq_file *m,
34227 memset(&mss, 0, sizeof mss);
34229 - /* mmap_sem is held in m_start */
34230 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34231 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34233 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34234 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
34237 + /* mmap_sem is held in m_start */
34238 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34239 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34240 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34243 show_map_vma(m, vma);
34246 @@ -420,7 +445,11 @@ static int show_smap(struct seq_file *m,
34247 "KernelPageSize: %8lu kB\n"
34248 "MMUPageSize: %8lu kB\n"
34249 "Locked: %8lu kB\n",
34250 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34251 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
34253 (vma->vm_end - vma->vm_start) >> 10,
34255 mss.resident >> 10,
34256 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
34257 mss.shared_clean >> 10,
34258 diff -urNp linux-2.6.38.1/fs/proc/task_nommu.c linux-2.6.38.1-new/fs/proc/task_nommu.c
34259 --- linux-2.6.38.1/fs/proc/task_nommu.c 2011-03-14 21:20:32.000000000 -0400
34260 +++ linux-2.6.38.1-new/fs/proc/task_nommu.c 2011-03-21 18:31:35.000000000 -0400
34261 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
34263 bytes += kobjsize(mm);
34265 - if (current->fs && current->fs->users > 1)
34266 + if (current->fs && atomic_read(¤t->fs->users) > 1)
34267 sbytes += kobjsize(current->fs);
34269 bytes += kobjsize(current->fs);
34270 @@ -166,7 +166,7 @@ static int nommu_vma_show(struct seq_fil
34273 pad_len_spaces(m, len);
34274 - seq_path(m, &file->f_path, "");
34275 + seq_path(m, &file->f_path, "\n\\");
34277 if (vma->vm_start <= mm->start_stack &&
34278 vma->vm_end >= mm->start_stack) {
34279 diff -urNp linux-2.6.38.1/fs/readdir.c linux-2.6.38.1-new/fs/readdir.c
34280 --- linux-2.6.38.1/fs/readdir.c 2011-03-14 21:20:32.000000000 -0400
34281 +++ linux-2.6.38.1-new/fs/readdir.c 2011-03-21 18:31:35.000000000 -0400
34283 #include <linux/security.h>
34284 #include <linux/syscalls.h>
34285 #include <linux/unistd.h>
34286 +#include <linux/namei.h>
34288 #include <asm/uaccess.h>
34290 @@ -67,6 +68,7 @@ struct old_linux_dirent {
34292 struct readdir_callback {
34293 struct old_linux_dirent __user * dirent;
34294 + struct file * file;
34298 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
34299 buf->result = -EOVERFLOW;
34303 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34307 dirent = buf->dirent;
34308 if (!access_ok(VERIFY_WRITE, dirent,
34309 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
34312 buf.dirent = dirent;
34315 error = vfs_readdir(file, fillonedir, &buf);
34317 @@ -142,6 +149,7 @@ struct linux_dirent {
34318 struct getdents_callback {
34319 struct linux_dirent __user * current_dir;
34320 struct linux_dirent __user * previous;
34321 + struct file * file;
34325 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
34326 buf->error = -EOVERFLOW;
34330 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34333 dirent = buf->previous;
34335 if (__put_user(offset, &dirent->d_off))
34336 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
34337 buf.previous = NULL;
34342 error = vfs_readdir(file, filldir, &buf);
34344 @@ -229,6 +242,7 @@ out:
34345 struct getdents_callback64 {
34346 struct linux_dirent64 __user * current_dir;
34347 struct linux_dirent64 __user * previous;
34348 + struct file *file;
34352 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
34353 buf->error = -EINVAL; /* only used if we fail.. */
34354 if (reclen > buf->count)
34357 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34360 dirent = buf->previous;
34362 if (__put_user(offset, &dirent->d_off))
34363 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
34365 buf.current_dir = dirent;
34366 buf.previous = NULL;
34371 diff -urNp linux-2.6.38.1/fs/reiserfs/do_balan.c linux-2.6.38.1-new/fs/reiserfs/do_balan.c
34372 --- linux-2.6.38.1/fs/reiserfs/do_balan.c 2011-03-14 21:20:32.000000000 -0400
34373 +++ linux-2.6.38.1-new/fs/reiserfs/do_balan.c 2011-03-21 18:31:35.000000000 -0400
34374 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
34378 - atomic_inc(&(fs_generation(tb->tb_sb)));
34379 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
34380 do_balance_starts(tb);
34382 /* balance leaf returns 0 except if combining L R and S into
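Review bot: `atomic_inc_unchecked` at gutter 34379 is the PaX variant that opts this counter out of reference-count overflow detection, and the hunk gives no hint why `fs_generation` qualifies; suggest `/* generation counter, not a refcount: wrap-around is harmless, so use the unchecked variant */`. The matching `atomic_read_unchecked` in fs/reiserfs/procfs.c (`@@ -113,7 +113,7 @@ show_super`) deserves the same rationale, and the two must stay paired, since the field is presumably retyped to `atomic_unchecked_t` in the header, which is not in this view. do_balance's body starts and ends outside the hunk.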
34383 diff -urNp linux-2.6.38.1/fs/reiserfs/item_ops.c linux-2.6.38.1-new/fs/reiserfs/item_ops.c
34384 --- linux-2.6.38.1/fs/reiserfs/item_ops.c 2011-03-14 21:20:32.000000000 -0400
34385 +++ linux-2.6.38.1-new/fs/reiserfs/item_ops.c 2011-03-21 18:31:35.000000000 -0400
34386 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
34387 vi->vi_index, vi->vi_type, vi->vi_ih);
34390 -static struct item_operations stat_data_ops = {
34391 +static const struct item_operations stat_data_ops = {
34392 .bytes_number = sd_bytes_number,
34393 .decrement_key = sd_decrement_key,
34394 .is_left_mergeable = sd_is_left_mergeable,
34395 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
34396 vi->vi_index, vi->vi_type, vi->vi_ih);
34399 -static struct item_operations direct_ops = {
34400 +static const struct item_operations direct_ops = {
34401 .bytes_number = direct_bytes_number,
34402 .decrement_key = direct_decrement_key,
34403 .is_left_mergeable = direct_is_left_mergeable,
34404 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
34405 vi->vi_index, vi->vi_type, vi->vi_ih);
34408 -static struct item_operations indirect_ops = {
34409 +static const struct item_operations indirect_ops = {
34410 .bytes_number = indirect_bytes_number,
34411 .decrement_key = indirect_decrement_key,
34412 .is_left_mergeable = indirect_is_left_mergeable,
34413 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
34417 -static struct item_operations direntry_ops = {
34418 +static const struct item_operations direntry_ops = {
34419 .bytes_number = direntry_bytes_number,
34420 .decrement_key = direntry_decrement_key,
34421 .is_left_mergeable = direntry_is_left_mergeable,
34422 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
34423 "Invalid item type observed, run fsck ASAP");
34426 -static struct item_operations errcatch_ops = {
34427 +static const struct item_operations errcatch_ops = {
34428 errcatch_bytes_number,
34429 errcatch_decrement_key,
34430 errcatch_is_left_mergeable,
34431 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
34432 #error Item types must use disk-format assigned values.
34435 -struct item_operations *item_ops[TYPE_ANY + 1] = {
34436 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
34440 diff -urNp linux-2.6.38.1/fs/reiserfs/procfs.c linux-2.6.38.1-new/fs/reiserfs/procfs.c
34441 --- linux-2.6.38.1/fs/reiserfs/procfs.c 2011-03-14 21:20:32.000000000 -0400
34442 +++ linux-2.6.38.1-new/fs/reiserfs/procfs.c 2011-03-21 18:31:35.000000000 -0400
34443 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
34444 "SMALL_TAILS " : "NO_TAILS ",
34445 replay_only(sb) ? "REPLAY_ONLY " : "",
34446 convert_reiserfs(sb) ? "CONV " : "",
34447 - atomic_read(&r->s_generation_counter),
34448 + atomic_read_unchecked(&r->s_generation_counter),
34449 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
34450 SF(s_do_balance), SF(s_unneeded_left_neighbor),
34451 SF(s_good_search_by_key_reada), SF(s_bmaps),
34452 diff -urNp linux-2.6.38.1/fs/select.c linux-2.6.38.1-new/fs/select.c
34453 --- linux-2.6.38.1/fs/select.c 2011-03-14 21:20:32.000000000 -0400
34454 +++ linux-2.6.38.1-new/fs/select.c 2011-03-21 18:31:35.000000000 -0400
34456 #include <linux/module.h>
34457 #include <linux/slab.h>
34458 #include <linux/poll.h>
34459 +#include <linux/security.h>
34460 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
34461 #include <linux/file.h>
34462 #include <linux/fdtable.h>
34463 @@ -840,6 +841,7 @@ int do_sys_poll(struct pollfd __user *uf
34464 struct poll_list *walk = head;
34465 unsigned long todo = nfds;
34467 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
34468 if (nfds > rlimit(RLIMIT_NOFILE))
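Review bot: `gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1)` at gutter 34467 is placed before the rlimit check, so it records the requested `nfds` even when the call is about to be rejected; if that is intentional (learning mode wants to see the demanded value, not only the granted one), a comment such as `/* record the requested value before the limit check so learning sees what was asked for */` would stop a later reader from moving it below the check. The rest of do_sys_poll is outside the hunk.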
34471 diff -urNp linux-2.6.38.1/fs/seq_file.c linux-2.6.38.1-new/fs/seq_file.c
34472 --- linux-2.6.38.1/fs/seq_file.c 2011-03-14 21:20:32.000000000 -0400
34473 +++ linux-2.6.38.1-new/fs/seq_file.c 2011-03-21 18:31:35.000000000 -0400
34474 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
34478 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34479 + m->size = PAGE_SIZE;
34480 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34484 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
34488 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34490 + m->buf = kmalloc(m->size, GFP_KERNEL);
34491 return !m->buf ? -ENOMEM : -EAGAIN;
34494 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
34495 m->version = file->f_version;
34496 /* grab buffer if we didn't have one */
34498 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34499 + m->size = PAGE_SIZE;
34500 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34504 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
34508 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34510 + m->buf = kmalloc(m->size, GFP_KERNEL);
34514 diff -urNp linux-2.6.38.1/fs/splice.c linux-2.6.38.1-new/fs/splice.c
34515 --- linux-2.6.38.1/fs/splice.c 2011-03-14 21:20:32.000000000 -0400
34516 +++ linux-2.6.38.1-new/fs/splice.c 2011-03-21 18:31:35.000000000 -0400
34517 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
34521 - if (!pipe->readers) {
34522 + if (!atomic_read(&pipe->readers)) {
34523 send_sig(SIGPIPE, current, 0);
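Review bot: The `atomic_read(&pipe->readers)` at gutter 34522, and the `atomic_inc`/`atomic_dec`/`atomic_set` conversions of `writers` and `waiting_writers` in the later splice.c hunks, are mechanical and carry no comment saying why these counters became atomic; they only compile if `struct pipe_inode_info` was changed in include/linux/pipe_fs_i.h and every other user (fs/pipe.c at least) was converted in the same patch, none of which is in this view. A one-line comment at the struct definition (presumably overflow detection under the refcount hardening) would explain all of these hunks at once. The atomic accessors do not replace the pipe lock the callers already hold, so locking semantics are unchanged here. splice_to_pipe's body starts and ends outside the hunk.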
34526 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
34530 - pipe->waiting_writers++;
34531 + atomic_inc(&pipe->waiting_writers);
34533 - pipe->waiting_writers--;
34534 + atomic_dec(&pipe->waiting_writers);
34538 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
34541 /* The cast to a user pointer is valid due to the set_fs() */
34542 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
34543 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
34547 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
34550 /* The cast to a user pointer is valid due to the set_fs() */
34551 - res = vfs_write(file, (const char __user *)buf, count, &pos);
34552 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
34556 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
34559 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
34560 - vec[i].iov_base = (void __user *) page_address(page);
34561 + vec[i].iov_base = (__force void __user *) page_address(page);
34562 vec[i].iov_len = this_len;
34563 spd.pages[i] = page;
34565 @@ -842,10 +842,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
34566 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
34568 while (!pipe->nrbufs) {
34569 - if (!pipe->writers)
34570 + if (!atomic_read(&pipe->writers))
34573 - if (!pipe->waiting_writers && sd->num_spliced)
34574 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
34577 if (sd->flags & SPLICE_F_NONBLOCK)
34578 @@ -1178,7 +1178,7 @@ ssize_t splice_direct_to_actor(struct fi
34579 * out of the pipe right after the splice_to_pipe(). So set
34580 * PIPE_READERS appropriately.
34582 - pipe->readers = 1;
34583 + atomic_set(&pipe->readers, 1);
34585 current->splice_pipe = pipe;
34587 @@ -1730,9 +1730,9 @@ static int ipipe_prep(struct pipe_inode_
34588 ret = -ERESTARTSYS;
34591 - if (!pipe->writers)
34592 + if (!atomic_read(&pipe->writers))
34594 - if (!pipe->waiting_writers) {
34595 + if (!atomic_read(&pipe->waiting_writers)) {
34596 if (flags & SPLICE_F_NONBLOCK) {
34599 @@ -1764,7 +1764,7 @@ static int opipe_prep(struct pipe_inode_
34602 while (pipe->nrbufs >= pipe->buffers) {
34603 - if (!pipe->readers) {
34604 + if (!atomic_read(&pipe->readers)) {
34605 send_sig(SIGPIPE, current, 0);
34608 @@ -1777,9 +1777,9 @@ static int opipe_prep(struct pipe_inode_
34609 ret = -ERESTARTSYS;
34612 - pipe->waiting_writers++;
34613 + atomic_inc(&pipe->waiting_writers);
34615 - pipe->waiting_writers--;
34616 + atomic_dec(&pipe->waiting_writers);
34620 @@ -1815,14 +1815,14 @@ retry:
34621 pipe_double_lock(ipipe, opipe);
34624 - if (!opipe->readers) {
34625 + if (!atomic_read(&opipe->readers)) {
34626 send_sig(SIGPIPE, current, 0);
34632 - if (!ipipe->nrbufs && !ipipe->writers)
34633 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
34637 @@ -1922,7 +1922,7 @@ static int link_pipe(struct pipe_inode_i
34638 pipe_double_lock(ipipe, opipe);
34641 - if (!opipe->readers) {
34642 + if (!atomic_read(&opipe->readers)) {
34643 send_sig(SIGPIPE, current, 0);
34646 @@ -1967,7 +1967,7 @@ static int link_pipe(struct pipe_inode_i
34647 * return EAGAIN if we have the potential of some data in the
34648 * future, otherwise just return 0
34650 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
34651 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
34654 pipe_unlock(ipipe);
34655 diff -urNp linux-2.6.38.1/fs/sysfs/mount.c linux-2.6.38.1-new/fs/sysfs/mount.c
34656 --- linux-2.6.38.1/fs/sysfs/mount.c 2011-03-14 21:20:32.000000000 -0400
34657 +++ linux-2.6.38.1-new/fs/sysfs/mount.c 2011-03-21 18:31:35.000000000 -0400
34658 @@ -36,7 +36,11 @@ struct sysfs_dirent sysfs_root = {
34660 .s_count = ATOMIC_INIT(1),
34661 .s_flags = SYSFS_DIR | (KOBJ_NS_TYPE_NONE << SYSFS_NS_TYPE_SHIFT),
34662 +#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
34663 + .s_mode = S_IFDIR | S_IRWXU,
34665 .s_mode = S_IFDIR | S_IRWXU | S_IRUGO | S_IXUGO,
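Review bot: Under `CONFIG_GRKERNSEC_SYSFS_RESTRICT` the sysfs root directory becomes `S_IFDIR | S_IRWXU` (0700) at gutter 34663, which denies unprivileged listing and traversal of /sys, while the `#else` branch at 34665 keeps the default 0755; the hunk does not say so. Suggest `/* GRKERNSEC_SYSFS_RESTRICT: only root may list or traverse sysfs */` above the `#ifdef`. The `#endif` closing the conditional is not shown in this rendering.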
34670 diff -urNp linux-2.6.38.1/fs/sysfs/symlink.c linux-2.6.38.1-new/fs/sysfs/symlink.c
34671 --- linux-2.6.38.1/fs/sysfs/symlink.c 2011-03-14 21:20:32.000000000 -0400
34672 +++ linux-2.6.38.1-new/fs/sysfs/symlink.c 2011-03-21 18:31:35.000000000 -0400
34673 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
34675 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34677 - char *page = nd_get_link(nd);
34678 + const char *page = nd_get_link(nd);
34680 free_page((unsigned long)page);
34682 diff -urNp linux-2.6.38.1/fs/ubifs/debug.c linux-2.6.38.1-new/fs/ubifs/debug.c
34683 --- linux-2.6.38.1/fs/ubifs/debug.c 2011-03-14 21:20:32.000000000 -0400
34684 +++ linux-2.6.38.1-new/fs/ubifs/debug.c 2011-03-21 18:31:35.000000000 -0400
34685 @@ -2813,19 +2813,19 @@ int dbg_debugfs_init_fs(struct ubifs_inf
34688 fname = "dump_lprops";
34689 - dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
34690 + dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
34693 d->dfs_dump_lprops = dent;
34695 fname = "dump_budg";
34696 - dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
34697 + dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
34700 d->dfs_dump_budg = dent;
34702 fname = "dump_tnc";
34703 - dent = debugfs_create_file(fname, S_IWUGO, d->dfs_dir, c, &dfs_fops);
34704 + dent = debugfs_create_file(fname, S_IWUSR, d->dfs_dir, c, &dfs_fops);
34707 d->dfs_dump_tnc = dent;
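Review bot: Narrowing the three dump_* debugfs files from `S_IWUGO` to `S_IWUSR` (gutters 34690, 34697, 34704) is left without a comment, so a later clean-up that "restores" the original mode would not be flagged; suggest `/* write-only trigger: owner only, as these dumps expose internal fs state */` on the first of them. Write access here is what triggers the dump, so the mode is the whole access control. dbg_debugfs_init_fs's body starts and ends outside the hunk.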
34708 diff -urNp linux-2.6.38.1/fs/udf/misc.c linux-2.6.38.1-new/fs/udf/misc.c
34709 --- linux-2.6.38.1/fs/udf/misc.c 2011-03-14 21:20:32.000000000 -0400
34710 +++ linux-2.6.38.1-new/fs/udf/misc.c 2011-03-21 18:31:35.000000000 -0400
34711 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
34712 iinfo->i_lenEAttr += size;
34713 return (struct genericFormat *)&ea[offset];
34717 + if (loc & 0x02) {
34722 @@ -286,7 +286,7 @@ void udf_new_tag(char *data, uint16_t id
34724 u8 udf_tag_checksum(const struct tag *t)
34726 - u8 *data = (u8 *)t;
34727 + const u8 *data = (const u8 *)t;
34730 for (i = 0; i < sizeof(struct tag); ++i)
34731 diff -urNp linux-2.6.38.1/fs/udf/udfdecl.h linux-2.6.38.1-new/fs/udf/udfdecl.h
34732 --- linux-2.6.38.1/fs/udf/udfdecl.h 2011-03-14 21:20:32.000000000 -0400
34733 +++ linux-2.6.38.1-new/fs/udf/udfdecl.h 2011-03-21 18:31:35.000000000 -0400
34734 @@ -26,7 +26,7 @@ do { \
34738 -#define udf_debug(f, a...) /**/
34739 +#define udf_debug(f, a...) do {} while (0)
34742 #define udf_info(f, a...) \
34743 diff -urNp linux-2.6.38.1/fs/utimes.c linux-2.6.38.1-new/fs/utimes.c
34744 --- linux-2.6.38.1/fs/utimes.c 2011-03-14 21:20:32.000000000 -0400
34745 +++ linux-2.6.38.1-new/fs/utimes.c 2011-03-21 18:31:35.000000000 -0400
34747 #include <linux/compiler.h>
34748 #include <linux/file.h>
34749 #include <linux/fs.h>
34750 +#include <linux/security.h>
34751 #include <linux/linkage.h>
34752 #include <linux/mount.h>
34753 #include <linux/namei.h>
34754 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
34755 goto mnt_drop_write_and_out;
34759 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
34761 + goto mnt_drop_write_and_out;
34764 mutex_lock(&inode->i_mutex);
34765 error = notify_change(path->dentry, &newattrs);
34766 mutex_unlock(&inode->i_mutex);
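Review bot: The denial branch added at gutter 34759 jumps to `mnt_drop_write_and_out`, but the statement between the `if` and the `goto` (gutter 34760) is not shown in this rendering; it must assign `error` (presumably `error = -EACCES;`), because at this point `error` may still hold 0 from the preceding permission checks and the function would then report success for a denied change. If the assignment is there, nothing else in the hunk needs changing. utimes_common starts outside the hunk.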
34767 diff -urNp linux-2.6.38.1/fs/xattr_acl.c linux-2.6.38.1-new/fs/xattr_acl.c
34768 --- linux-2.6.38.1/fs/xattr_acl.c 2011-03-14 21:20:32.000000000 -0400
34769 +++ linux-2.6.38.1-new/fs/xattr_acl.c 2011-03-21 18:31:35.000000000 -0400
34772 posix_acl_from_xattr(const void *value, size_t size)
34774 - posix_acl_xattr_header *header = (posix_acl_xattr_header *)value;
34775 - posix_acl_xattr_entry *entry = (posix_acl_xattr_entry *)(header+1), *end;
34776 + const posix_acl_xattr_header *header = (const posix_acl_xattr_header *)value;
34777 + const posix_acl_xattr_entry *entry = (const posix_acl_xattr_entry *)(header+1), *end;
34779 struct posix_acl *acl;
34780 struct posix_acl_entry *acl_e;
34781 diff -urNp linux-2.6.38.1/fs/xattr.c linux-2.6.38.1-new/fs/xattr.c
34782 --- linux-2.6.38.1/fs/xattr.c 2011-03-14 21:20:32.000000000 -0400
34783 +++ linux-2.6.38.1-new/fs/xattr.c 2011-03-21 18:31:35.000000000 -0400
34784 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
34785 * Extended attribute SET operations
34788 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
34789 +setxattr(struct path *path, const char __user *name, const void __user *value,
34790 size_t size, int flags)
34793 @@ -271,7 +271,13 @@ setxattr(struct dentry *d, const char __
34794 return PTR_ERR(kvalue);
34797 - error = vfs_setxattr(d, kname, kvalue, size, flags);
34798 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt)) {
34803 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
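Review bot: The `gr_acl_handle_setxattr` denial branch at gutter 34798 is followed by four lines (34799–34802) that this rendering does not show; they must both set `error` and release `kvalue`, which was already allocated and copied from user space above, or a denied call leaks the buffer — a `goto` to the existing `kfree(kvalue)` tail of setxattr is the obvious shape. The check also runs after the user copy, so a denied caller still pays for the allocation; that is harmless but worth a comment if intentional. setxattr's body continues outside the hunk.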
34808 @@ -288,7 +294,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
34810 error = mnt_want_write(path.mnt);
34812 - error = setxattr(path.dentry, name, value, size, flags);
34813 + error = setxattr(&path, name, value, size, flags);
34814 mnt_drop_write(path.mnt);
34817 @@ -307,7 +313,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
34819 error = mnt_want_write(path.mnt);
34821 - error = setxattr(path.dentry, name, value, size, flags);
34822 + error = setxattr(&path, name, value, size, flags);
34823 mnt_drop_write(path.mnt);
34826 @@ -318,17 +324,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
34827 const void __user *,value, size_t, size, int, flags)
34830 - struct dentry *dentry;
34831 int error = -EBADF;
34836 - dentry = f->f_path.dentry;
34837 - audit_inode(NULL, dentry);
34838 + audit_inode(NULL, f->f_path.dentry);
34839 error = mnt_want_write_file(f);
34841 - error = setxattr(dentry, name, value, size, flags);
34842 + error = setxattr(&f->f_path, name, value, size, flags);
34843 mnt_drop_write(f->f_path.mnt);
34846 diff -urNp linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl32.c linux-2.6.38.1-new/fs/xfs/linux-2.6/xfs_ioctl32.c
34847 --- linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-14 21:20:32.000000000 -0400
34848 +++ linux-2.6.38.1-new/fs/xfs/linux-2.6/xfs_ioctl32.c 2011-03-21 18:31:35.000000000 -0400
34849 @@ -73,6 +73,7 @@ xfs_compat_ioc_fsgeometry_v1(
34850 xfs_fsop_geom_t fsgeo;
34853 + memset(&fsgeo, 0, sizeof(fsgeo));
34854 error = xfs_fs_geometry(mp, &fsgeo, 3);
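Review bot: The `memset(&fsgeo, 0, sizeof(fsgeo))` at gutter 34853 has no comment; it exists because `xfs_fs_geometry` fills the struct field by field and the object is presumably copied to user space afterwards, so any padding or field the callee leaves untouched would carry stale stack bytes into the user buffer. Suggest `/* zero the whole struct: padding/unset fields would otherwise leak stack contents via copy_to_user */`. The identical hunk in fs/xfs/linux-2.6/xfs_ioctl.c (`@@ -720,6 +720,7 @@ xfs_ioc_fsgeometry`) needs the same comment. xfs_compat_ioc_fsgeometry_v1's body continues outside the hunk.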
34857 diff -urNp linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.38.1-new/fs/xfs/linux-2.6/xfs_ioctl.c
34858 --- linux-2.6.38.1/fs/xfs/linux-2.6/xfs_ioctl.c 2011-03-14 21:20:32.000000000 -0400
34859 +++ linux-2.6.38.1-new/fs/xfs/linux-2.6/xfs_ioctl.c 2011-03-21 18:31:35.000000000 -0400
34860 @@ -128,7 +128,7 @@ xfs_find_handle(
34864 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
34865 + if (hsize > sizeof handle || copy_to_user(hreq->ohandle, &handle, hsize) ||
34866 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
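Review bot: `sizeof handle` at gutter 34865 sits next to `sizeof(__s32)` on the following context line and `sizeof(fsgeo)` in the later hunk of the same file; keep the parenthesised form the file already uses, `if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||`. The guard bounds the copy by the on-stack object rather than trusting `hsize`, which is computed earlier in xfs_find_handle outside this hunk, so a short comment marking it as an invariant check rather than a user-input check would save a reader from assuming `hsize` comes from userspace.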
34869 @@ -720,6 +720,7 @@ xfs_ioc_fsgeometry(
34870 xfs_fsop_geom_t fsgeo;
34873 + memset(&fsgeo, 0, sizeof(fsgeo));
34874 error = xfs_fs_geometry(mp, &fsgeo, 4);
34877 diff -urNp linux-2.6.38.1/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.38.1-new/fs/xfs/linux-2.6/xfs_iops.c
34878 --- linux-2.6.38.1/fs/xfs/linux-2.6/xfs_iops.c 2011-03-14 21:20:32.000000000 -0400
34879 +++ linux-2.6.38.1-new/fs/xfs/linux-2.6/xfs_iops.c 2011-03-21 18:31:35.000000000 -0400
34880 @@ -436,7 +436,7 @@ xfs_vn_put_link(
34881 struct nameidata *nd,
34884 - char *s = nd_get_link(nd);
34885 + const char *s = nd_get_link(nd);
34889 diff -urNp linux-2.6.38.1/fs/xfs/xfs_bmap.c linux-2.6.38.1-new/fs/xfs/xfs_bmap.c
34890 --- linux-2.6.38.1/fs/xfs/xfs_bmap.c 2011-03-14 21:20:32.000000000 -0400
34891 +++ linux-2.6.38.1-new/fs/xfs/xfs_bmap.c 2011-03-21 18:31:35.000000000 -0400
34892 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
34896 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34897 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34901 diff -urNp linux-2.6.38.1/grsecurity/gracl_alloc.c linux-2.6.38.1-new/grsecurity/gracl_alloc.c
34902 --- linux-2.6.38.1/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34903 +++ linux-2.6.38.1-new/grsecurity/gracl_alloc.c 2011-03-21 18:31:35.000000000 -0400
34905 +#include <linux/kernel.h>
34906 +#include <linux/mm.h>
34907 +#include <linux/slab.h>
34908 +#include <linux/vmalloc.h>
34909 +#include <linux/gracl.h>
34910 +#include <linux/grsecurity.h>
34912 +static unsigned long alloc_stack_next = 1;
34913 +static unsigned long alloc_stack_size = 1;
34914 +static void **alloc_stack;
34916 +static __inline__ int
34919 + if (alloc_stack_next == 1)
34922 + kfree(alloc_stack[alloc_stack_next - 2]);
34924 + alloc_stack_next--;
34929 +static __inline__ int
34930 +alloc_push(void *buf)
34932 + if (alloc_stack_next >= alloc_stack_size)
34935 + alloc_stack[alloc_stack_next - 1] = buf;
34937 + alloc_stack_next++;
34943 +acl_alloc(unsigned long len)
34945 + void *ret = NULL;
34947 + if (!len || len > PAGE_SIZE)
34950 + ret = kmalloc(len, GFP_KERNEL);
34953 + if (alloc_push(ret)) {
34964 +acl_alloc_num(unsigned long num, unsigned long len)
34966 + if (!len || (num > (PAGE_SIZE / len)))
34969 + return acl_alloc(num * len);
34973 +acl_free_all(void)
34975 + if (gr_acl_is_enabled() || !alloc_stack)
34978 + while (alloc_pop()) ;
34980 + if (alloc_stack) {
34981 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34982 + kfree(alloc_stack);
34984 + vfree(alloc_stack);
34987 + alloc_stack = NULL;
34988 + alloc_stack_size = 1;
34989 + alloc_stack_next = 1;
34995 +acl_alloc_stack_init(unsigned long size)
34997 + if ((size * sizeof (void *)) <= PAGE_SIZE)
34999 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
35001 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
35003 + alloc_stack_size = size;
35005 + if (!alloc_stack)
35010 diff -urNp linux-2.6.38.1/grsecurity/gracl.c linux-2.6.38.1-new/grsecurity/gracl.c
35011 --- linux-2.6.38.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
35012 +++ linux-2.6.38.1-new/grsecurity/gracl.c 2011-03-24 23:08:27.000000000 -0400
35014 +#include <linux/kernel.h>
35015 +#include <linux/module.h>
35016 +#include <linux/sched.h>
35017 +#include <linux/mm.h>
35018 +#include <linux/file.h>
35019 +#include <linux/fs.h>
35020 +#include <linux/namei.h>
35021 +#include <linux/mount.h>
35022 +#include <linux/tty.h>
35023 +#include <linux/proc_fs.h>
35024 +#include <linux/smp_lock.h>
35025 +#include <linux/lglock.h>
35026 +#include <linux/slab.h>
35027 +#include <linux/vmalloc.h>
35028 +#include <linux/types.h>
35029 +#include <linux/sysctl.h>
35030 +#include <linux/netdevice.h>
35031 +#include <linux/ptrace.h>
35032 +#include <linux/gracl.h>
35033 +#include <linux/gralloc.h>
35034 +#include <linux/grsecurity.h>
35035 +#include <linux/grinternal.h>
35036 +#include <linux/pid_namespace.h>
35037 +#include <linux/fdtable.h>
35038 +#include <linux/percpu.h>
35040 +#include <asm/uaccess.h>
35041 +#include <asm/errno.h>
35042 +#include <asm/mman.h>
35044 +static struct acl_role_db acl_role_set;
35045 +static struct name_db name_set;
35046 +static struct inodev_db inodev_set;
35048 +/* for keeping track of userspace pointers used for subjects, so we
35049 + can share references in the kernel as well
35052 +static struct path real_root;
35054 +static struct acl_subj_map_db subj_map_set;
35056 +static struct acl_role_label *default_role;
35058 +static struct acl_role_label *role_list;
35060 +static u16 acl_sp_role_value;
35062 +extern char *gr_shared_page[4];
35063 +static DEFINE_MUTEX(gr_dev_mutex);
35064 +DEFINE_RWLOCK(gr_inode_lock);
35066 +struct gr_arg *gr_usermode;
35068 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
35070 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
35071 +extern void gr_clear_learn_entries(void);
35073 +#ifdef CONFIG_GRKERNSEC_RESLOG
35074 +extern void gr_log_resource(const struct task_struct *task,
35075 + const int res, const unsigned long wanted, const int gt);
35078 +unsigned char *gr_system_salt;
35079 +unsigned char *gr_system_sum;
35081 +static struct sprole_pw **acl_special_roles = NULL;
35082 +static __u16 num_sprole_pws = 0;
35084 +static struct acl_role_label *kernel_role = NULL;
35086 +static unsigned int gr_auth_attempts = 0;
35087 +static unsigned long gr_auth_expires = 0UL;
35089 +extern struct vfsmount *sock_mnt;
35090 +extern struct vfsmount *pipe_mnt;
35091 +extern struct vfsmount *shm_mnt;
35092 +#ifdef CONFIG_HUGETLBFS
35093 +extern struct vfsmount *hugetlbfs_vfsmount;
35096 +static struct acl_object_label *fakefs_obj;
35098 +extern int gr_init_uidset(void);
35099 +extern void gr_free_uidset(void);
35100 +extern void gr_remove_uid(uid_t uid);
35101 +extern int gr_find_uid(uid_t uid);
35103 +DECLARE_BRLOCK(vfsmount_lock);
35106 +gr_acl_is_enabled(void)
35108 + return (gr_status & GR_READY);
35111 +#ifdef CONFIG_BTRFS_FS
35112 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
35113 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
35116 +static inline dev_t __get_dev(const struct dentry *dentry)
35118 +#ifdef CONFIG_BTRFS_FS
35119 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
35120 + return get_btrfs_dev_from_inode(dentry->d_inode);
35123 + return dentry->d_inode->i_sb->s_dev;
35126 +static char gr_task_roletype_to_char(struct task_struct *task)
35128 + switch (task->role->roletype &
35129 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
35130 + GR_ROLE_SPECIAL)) {
35131 + case GR_ROLE_DEFAULT:
35133 + case GR_ROLE_USER:
35135 + case GR_ROLE_GROUP:
35137 + case GR_ROLE_SPECIAL:
35144 +char gr_roletype_to_char(void)
35146 + return gr_task_roletype_to_char(current);
35150 +gr_acl_tpe_check(void)
35152 + if (unlikely(!(gr_status & GR_READY)))
35154 + if (current->role->roletype & GR_ROLE_TPE)
35161 +gr_handle_rawio(const struct inode *inode)
35163 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
35164 + if (inode && S_ISBLK(inode->i_mode) &&
35165 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
35166 + !capable(CAP_SYS_RAWIO))
35173 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
35175 + if (likely(lena != lenb))
35178 + return !memcmp(a, b, lena);
35181 +static int prepend(char **buffer, int *buflen, const char *str, int namelen)
35183 + *buflen -= namelen;
35185 + return -ENAMETOOLONG;
35186 + *buffer -= namelen;
35187 + memcpy(*buffer, str, namelen);
35191 +static int prepend_name(char **buffer, int *buflen, struct qstr *name)
35193 + return prepend(buffer, buflen, name->name, name->len);
35196 +static int prepend_path(const struct path *path, struct path *root,
35197 + char **buffer, int *buflen)
35199 + struct dentry *dentry = path->dentry;
35200 + struct vfsmount *vfsmnt = path->mnt;
35201 + bool slash = false;
35204 + while (dentry != root->dentry || vfsmnt != root->mnt) {
35205 + struct dentry * parent;
35207 + if (dentry == vfsmnt->mnt_root || IS_ROOT(dentry)) {
35208 + /* Global root? */
35209 + if (vfsmnt->mnt_parent == vfsmnt) {
35212 + dentry = vfsmnt->mnt_mountpoint;
35213 + vfsmnt = vfsmnt->mnt_parent;
35216 + parent = dentry->d_parent;
35217 + prefetch(parent);
35218 + spin_lock(&dentry->d_lock);
35219 + error = prepend_name(buffer, buflen, &dentry->d_name);
35220 + spin_unlock(&dentry->d_lock);
35222 + error = prepend(buffer, buflen, "/", 1);
35231 + if (!error && !slash)
35232 + error = prepend(buffer, buflen, "/", 1);
35237 +/* this must be called with vfsmount_lock and rename_lock held */
35239 +static char *__our_d_path(const struct path *path, struct path *root,
35240 + char *buf, int buflen)
35242 + char *res = buf + buflen;
35245 + prepend(&res, &buflen, "\0", 1);
35246 + error = prepend_path(path, root, &res, &buflen);
35248 + return ERR_PTR(error);
35254 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
35258 + retval = __our_d_path(path, root, buf, buflen);
35259 + if (unlikely(IS_ERR(retval)))
35260 + retval = strcpy(buf, "<path too long>");
35261 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
35262 + retval[1] = '\0';
35268 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35269 + char *buf, int buflen)
35271 + struct path path;
35274 + path.dentry = (struct dentry *)dentry;
35275 + path.mnt = (struct vfsmount *)vfsmnt;
35277 + /* we can use real_root.dentry, real_root.mnt, because this is only called
35278 + by the RBAC system */
35279 + res = gen_full_path(&path, &real_root, buf, buflen);
35285 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35286 + char *buf, int buflen)
35289 + struct path path;
35290 + struct path root;
35291 + struct task_struct *reaper = &init_task;
35293 + path.dentry = (struct dentry *)dentry;
35294 + path.mnt = (struct vfsmount *)vfsmnt;
35296 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
35297 + root.dentry = reaper->nsproxy->mnt_ns->root->mnt_root;
35298 + root.mnt = reaper->nsproxy->mnt_ns->root;
35301 + write_seqlock(&rename_lock);
35302 + br_read_lock(vfsmount_lock);
35303 + res = gen_full_path(&path, &root, buf, buflen);
35304 + br_read_unlock(vfsmount_lock);
35305 + write_sequnlock(&rename_lock);
35312 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
35315 + write_seqlock(&rename_lock);
35316 + br_read_lock(vfsmount_lock);
35317 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35319 + br_read_unlock(vfsmount_lock);
35320 + write_sequnlock(&rename_lock);
35325 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
35327 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35332 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
35334 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
35339 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
35341 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
35346 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
35348 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
35353 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
35355 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
35360 +to_gr_audit(const __u32 reqmode)
35362 + /* masks off auditable permission flags, then shifts them to create
35363 + auditing flags, and adds the special case of append auditing if
35364 + we're requesting write */
35365 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
35368 +struct acl_subject_label *
35369 +lookup_subject_map(const struct acl_subject_label *userp)
35371 + unsigned int index = shash(userp, subj_map_set.s_size);
35372 + struct subject_map *match;
35374 + match = subj_map_set.s_hash[index];
35376 + while (match && match->user != userp)
35377 + match = match->next;
35379 + if (match != NULL)
35380 + return match->kernel;
35386 +insert_subj_map_entry(struct subject_map *subjmap)
35388 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
35389 + struct subject_map **curr;
35391 + subjmap->prev = NULL;
35393 + curr = &subj_map_set.s_hash[index];
35394 + if (*curr != NULL)
35395 + (*curr)->prev = subjmap;
35397 + subjmap->next = *curr;
35403 +static struct acl_role_label *
35404 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
35407 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
35408 + struct acl_role_label *match;
35409 + struct role_allowed_ip *ipp;
35411 + u32 curr_ip = task->signal->curr_ip;
35413 + task->signal->saved_ip = curr_ip;
35415 + match = acl_role_set.r_hash[index];
35418 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
35419 + for (x = 0; x < match->domain_child_num; x++) {
35420 + if (match->domain_children[x] == uid)
35423 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
35425 + match = match->next;
35428 + if (match == NULL) {
35430 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
35431 + match = acl_role_set.r_hash[index];
35434 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
35435 + for (x = 0; x < match->domain_child_num; x++) {
35436 + if (match->domain_children[x] == gid)
35439 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
35441 + match = match->next;
35444 + if (match == NULL)
35445 + match = default_role;
35446 + if (match->allowed_ips == NULL)
35449 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35451 + ((ntohl(curr_ip) & ipp->netmask) ==
35452 + (ntohl(ipp->addr) & ipp->netmask)))
35455 + match = default_role;
35457 + } else if (match->allowed_ips == NULL) {
35460 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35462 + ((ntohl(curr_ip) & ipp->netmask) ==
35463 + (ntohl(ipp->addr) & ipp->netmask)))
35472 +struct acl_subject_label *
35473 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
35474 + const struct acl_role_label *role)
35476 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35477 + struct acl_subject_label *match;
35479 + match = role->subj_hash[index];
35481 + while (match && (match->inode != ino || match->device != dev ||
35482 + (match->mode & GR_DELETED))) {
35483 + match = match->next;
35486 + if (match && !(match->mode & GR_DELETED))
35492 +struct acl_subject_label *
35493 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
35494 + const struct acl_role_label *role)
35496 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35497 + struct acl_subject_label *match;
35499 + match = role->subj_hash[index];
35501 + while (match && (match->inode != ino || match->device != dev ||
35502 + !(match->mode & GR_DELETED))) {
35503 + match = match->next;
35506 + if (match && (match->mode & GR_DELETED))
35512 +static struct acl_object_label *
35513 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
35514 + const struct acl_subject_label *subj)
35516 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35517 + struct acl_object_label *match;
35519 + match = subj->obj_hash[index];
35521 + while (match && (match->inode != ino || match->device != dev ||
35522 + (match->mode & GR_DELETED))) {
35523 + match = match->next;
35526 + if (match && !(match->mode & GR_DELETED))
35532 +static struct acl_object_label *
35533 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
35534 + const struct acl_subject_label *subj)
35536 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35537 + struct acl_object_label *match;
35539 + match = subj->obj_hash[index];
35541 + while (match && (match->inode != ino || match->device != dev ||
35542 + !(match->mode & GR_DELETED))) {
35543 + match = match->next;
35546 + if (match && (match->mode & GR_DELETED))
35549 + match = subj->obj_hash[index];
35551 + while (match && (match->inode != ino || match->device != dev ||
35552 + (match->mode & GR_DELETED))) {
35553 + match = match->next;
35556 + if (match && !(match->mode & GR_DELETED))
35562 +static struct name_entry *
35563 +lookup_name_entry(const char *name)
35565 + unsigned int len = strlen(name);
35566 + unsigned int key = full_name_hash(name, len);
35567 + unsigned int index = key % name_set.n_size;
35568 + struct name_entry *match;
35570 + match = name_set.n_hash[index];
35572 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
35573 + match = match->next;
35578 +static struct name_entry *
35579 +lookup_name_entry_create(const char *name)
35581 + unsigned int len = strlen(name);
35582 + unsigned int key = full_name_hash(name, len);
35583 + unsigned int index = key % name_set.n_size;
35584 + struct name_entry *match;
35586 + match = name_set.n_hash[index];
35588 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35589 + !match->deleted))
35590 + match = match->next;
35592 + if (match && match->deleted)
35595 + match = name_set.n_hash[index];
35597 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35599 + match = match->next;
35601 + if (match && !match->deleted)
35607 +static struct inodev_entry *
35608 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
35610 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
35611 + struct inodev_entry *match;
35613 + match = inodev_set.i_hash[index];
35615 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
35616 + match = match->next;
35622 +insert_inodev_entry(struct inodev_entry *entry)
35624 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
35625 + inodev_set.i_size);
35626 + struct inodev_entry **curr;
35628 + entry->prev = NULL;
35630 + curr = &inodev_set.i_hash[index];
35631 + if (*curr != NULL)
35632 + (*curr)->prev = entry;
35634 + entry->next = *curr;
35641 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
35643 + unsigned int index =
35644 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
35645 + struct acl_role_label **curr;
35646 + struct acl_role_label *tmp;
35648 + curr = &acl_role_set.r_hash[index];
35650 + /* if role was already inserted due to domains and already has
35651 + a role in the same bucket as it attached, then we need to
35652 + combine these two buckets
35654 + if (role->next) {
35655 + tmp = role->next;
35656 + while (tmp->next)
35658 + tmp->next = *curr;
35660 + role->next = *curr;
35667 +insert_acl_role_label(struct acl_role_label *role)
35671 + if (role_list == NULL) {
35672 + role_list = role;
35673 + role->prev = NULL;
35675 + role->prev = role_list;
35676 + role_list = role;
35679 + /* used for hash chains */
35680 + role->next = NULL;
35682 + if (role->roletype & GR_ROLE_DOMAIN) {
35683 + for (i = 0; i < role->domain_child_num; i++)
35684 + __insert_acl_role_label(role, role->domain_children[i]);
35686 + __insert_acl_role_label(role, role->uidgid);
35690 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
35692 + struct name_entry **curr, *nentry;
35693 + struct inodev_entry *ientry;
35694 + unsigned int len = strlen(name);
35695 + unsigned int key = full_name_hash(name, len);
35696 + unsigned int index = key % name_set.n_size;
35698 + curr = &name_set.n_hash[index];
35700 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
35701 + curr = &((*curr)->next);
35703 + if (*curr != NULL)
35706 + nentry = acl_alloc(sizeof (struct name_entry));
35707 + if (nentry == NULL)
35709 + ientry = acl_alloc(sizeof (struct inodev_entry));
35710 + if (ientry == NULL)
35712 + ientry->nentry = nentry;
35714 + nentry->key = key;
35715 + nentry->name = name;
35716 + nentry->inode = inode;
35717 + nentry->device = device;
35718 + nentry->len = len;
35719 + nentry->deleted = deleted;
35721 + nentry->prev = NULL;
35722 + curr = &name_set.n_hash[index];
35723 + if (*curr != NULL)
35724 + (*curr)->prev = nentry;
35725 + nentry->next = *curr;
35728 + /* insert us into the table searchable by inode/dev */
35729 + insert_inodev_entry(ientry);
35735 +insert_acl_obj_label(struct acl_object_label *obj,
35736 + struct acl_subject_label *subj)
35738 + unsigned int index =
35739 + fhash(obj->inode, obj->device, subj->obj_hash_size);
35740 + struct acl_object_label **curr;
35743 + obj->prev = NULL;
35745 + curr = &subj->obj_hash[index];
35746 + if (*curr != NULL)
35747 + (*curr)->prev = obj;
35749 + obj->next = *curr;
35756 +insert_acl_subj_label(struct acl_subject_label *obj,
35757 + struct acl_role_label *role)
35759 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
35760 + struct acl_subject_label **curr;
35762 + obj->prev = NULL;
35764 + curr = &role->subj_hash[index];
35765 + if (*curr != NULL)
35766 + (*curr)->prev = obj;
35768 + obj->next = *curr;
35774 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
35777 +create_table(__u32 * len, int elementsize)
35779 + unsigned int table_sizes[] = {
35780 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
35781 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
35782 + 4194301, 8388593, 16777213, 33554393, 67108859
35784 + void *newtable = NULL;
35785 + unsigned int pwr = 0;
35787 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
35788 + table_sizes[pwr] <= *len)
35791 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
35794 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
35796 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
35798 + newtable = vmalloc(table_sizes[pwr] * elementsize);
35800 + *len = table_sizes[pwr];
35806 +init_variables(const struct gr_arg *arg)
35808 + struct task_struct *reaper = &init_task;
35809 + unsigned int stacksize;
35811 + subj_map_set.s_size = arg->role_db.num_subjects;
35812 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
35813 + name_set.n_size = arg->role_db.num_objects;
35814 + inodev_set.i_size = arg->role_db.num_objects;
35816 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
35817 + !name_set.n_size || !inodev_set.i_size)
35820 + if (!gr_init_uidset())
35823 + /* set up the stack that holds allocation info */
35825 + stacksize = arg->role_db.num_pointers + 5;
35827 + if (!acl_alloc_stack_init(stacksize))
35830 + /* grab reference for the real root dentry and vfsmount */
35831 + real_root.dentry = reaper->nsproxy->mnt_ns->root->mnt_root;
35832 + real_root.mnt = reaper->nsproxy->mnt_ns->root;
35833 + path_get(&real_root);
35835 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
35836 + printk(KERN_ALERT "Obtained real root device=%d, inode=%lu\n", __get_dev(real_root.dentry), real_root.dentry->d_inode->i_ino);
35839 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
35840 + if (fakefs_obj == NULL)
35842 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
35844 + subj_map_set.s_hash =
35845 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
35846 + acl_role_set.r_hash =
35847 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
35848 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
35849 + inodev_set.i_hash =
35850 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
35852 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
35853 + !name_set.n_hash || !inodev_set.i_hash)
35856 + memset(subj_map_set.s_hash, 0,
35857 + sizeof(struct subject_map *) * subj_map_set.s_size);
35858 + memset(acl_role_set.r_hash, 0,
35859 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
35860 + memset(name_set.n_hash, 0,
35861 + sizeof (struct name_entry *) * name_set.n_size);
35862 + memset(inodev_set.i_hash, 0,
35863 + sizeof (struct inodev_entry *) * inodev_set.i_size);
35868 +/* free information not needed after startup
35869 + currently contains user->kernel pointer mappings for subjects
35873 +free_init_variables(void)
35877 + if (subj_map_set.s_hash) {
35878 + for (i = 0; i < subj_map_set.s_size; i++) {
35879 + if (subj_map_set.s_hash[i]) {
35880 + kfree(subj_map_set.s_hash[i]);
35881 + subj_map_set.s_hash[i] = NULL;
35885 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
35887 + kfree(subj_map_set.s_hash);
35889 + vfree(subj_map_set.s_hash);
35896 +free_variables(void)
35898 + struct acl_subject_label *s;
35899 + struct acl_role_label *r;
35900 + struct task_struct *task, *task2;
35903 + gr_clear_learn_entries();
35905 + read_lock(&tasklist_lock);
35906 + do_each_thread(task2, task) {
35907 + task->acl_sp_role = 0;
35908 + task->acl_role_id = 0;
35909 + task->acl = NULL;
35910 + task->role = NULL;
35911 + } while_each_thread(task2, task);
35912 + read_unlock(&tasklist_lock);
35914 + /* release the reference to the real root dentry and vfsmount */
35915 + path_put(&real_root);
35917 + /* free all object hash tables */
35919 + FOR_EACH_ROLE_START(r)
35920 + if (r->subj_hash == NULL)
35922 + FOR_EACH_SUBJECT_START(r, s, x)
35923 + if (s->obj_hash == NULL)
35925 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35926 + kfree(s->obj_hash);
35928 + vfree(s->obj_hash);
35929 + FOR_EACH_SUBJECT_END(s, x)
35930 + FOR_EACH_NESTED_SUBJECT_START(r, s)
35931 + if (s->obj_hash == NULL)
35933 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35934 + kfree(s->obj_hash);
35936 + vfree(s->obj_hash);
35937 + FOR_EACH_NESTED_SUBJECT_END(s)
35938 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35939 + kfree(r->subj_hash);
35941 + vfree(r->subj_hash);
35942 + r->subj_hash = NULL;
35944 + FOR_EACH_ROLE_END(r)
35948 + if (acl_role_set.r_hash) {
35949 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35951 + kfree(acl_role_set.r_hash);
35953 + vfree(acl_role_set.r_hash);
35955 + if (name_set.n_hash) {
35956 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
35958 + kfree(name_set.n_hash);
35960 + vfree(name_set.n_hash);
35963 + if (inodev_set.i_hash) {
35964 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35966 + kfree(inodev_set.i_hash);
35968 + vfree(inodev_set.i_hash);
35971 + gr_free_uidset();
35973 + memset(&name_set, 0, sizeof (struct name_db));
35974 + memset(&inodev_set, 0, sizeof (struct inodev_db));
35975 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35976 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35978 + default_role = NULL;
35979 + role_list = NULL;
35985 +count_user_objs(struct acl_object_label *userp)
35987 + struct acl_object_label o_tmp;
35991 + if (copy_from_user(&o_tmp, userp,
35992 + sizeof (struct acl_object_label)))
35995 + userp = o_tmp.prev;
36002 +static struct acl_subject_label *
36003 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
36006 +copy_user_glob(struct acl_object_label *obj)
36008 + struct acl_object_label *g_tmp, **guser;
36009 + unsigned int len;
36012 + if (obj->globbed == NULL)
36015 + guser = &obj->globbed;
36017 + g_tmp = (struct acl_object_label *)
36018 + acl_alloc(sizeof (struct acl_object_label));
36019 + if (g_tmp == NULL)
36022 + if (copy_from_user(g_tmp, *guser,
36023 + sizeof (struct acl_object_label)))
36026 + len = strnlen_user(g_tmp->filename, PATH_MAX);
36028 + if (!len || len >= PATH_MAX)
36031 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36034 + if (copy_from_user(tmp, g_tmp->filename, len))
36036 + tmp[len-1] = '\0';
36037 + g_tmp->filename = tmp;
36040 + guser = &(g_tmp->next);
36047 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
36048 + struct acl_role_label *role)
36050 + struct acl_object_label *o_tmp;
36051 + unsigned int len;
36056 + if ((o_tmp = (struct acl_object_label *)
36057 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
36060 + if (copy_from_user(o_tmp, userp,
36061 + sizeof (struct acl_object_label)))
36064 + userp = o_tmp->prev;
36066 + len = strnlen_user(o_tmp->filename, PATH_MAX);
36068 + if (!len || len >= PATH_MAX)
36071 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36074 + if (copy_from_user(tmp, o_tmp->filename, len))
36076 + tmp[len-1] = '\0';
36077 + o_tmp->filename = tmp;
36079 + insert_acl_obj_label(o_tmp, subj);
36080 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
36081 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
36084 + ret = copy_user_glob(o_tmp);
36088 + if (o_tmp->nested) {
36089 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
36090 + if (IS_ERR(o_tmp->nested))
36091 + return PTR_ERR(o_tmp->nested);
36093 + /* insert into nested subject list */
36094 + o_tmp->nested->next = role->hash->first;
36095 + role->hash->first = o_tmp->nested;
36103 +count_user_subjs(struct acl_subject_label *userp)
36105 + struct acl_subject_label s_tmp;
36109 + if (copy_from_user(&s_tmp, userp,
36110 + sizeof (struct acl_subject_label)))
36113 + userp = s_tmp.prev;
36114 + /* do not count nested subjects against this count, since
36115 + they are not included in the hash table, but are
36116 + attached to objects. We have already counted
36117 + the subjects in userspace for the allocation
36120 + if (!(s_tmp.mode & GR_NESTED))
36128 +copy_user_allowedips(struct acl_role_label *rolep)
36130 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
36132 + ruserip = rolep->allowed_ips;
36134 + while (ruserip) {
36137 + if ((rtmp = (struct role_allowed_ip *)
36138 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
36141 + if (copy_from_user(rtmp, ruserip,
36142 + sizeof (struct role_allowed_ip)))
36145 + ruserip = rtmp->prev;
36148 + rtmp->prev = NULL;
36149 + rolep->allowed_ips = rtmp;
36151 + rlast->next = rtmp;
36152 + rtmp->prev = rlast;
36156 + rtmp->next = NULL;
36163 +copy_user_transitions(struct acl_role_label *rolep)
36165 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
36167 + unsigned int len;
36170 + rusertp = rolep->transitions;
36172 + while (rusertp) {
36175 + if ((rtmp = (struct role_transition *)
36176 + acl_alloc(sizeof (struct role_transition))) == NULL)
36179 + if (copy_from_user(rtmp, rusertp,
36180 + sizeof (struct role_transition)))
36183 + rusertp = rtmp->prev;
36185 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
36187 + if (!len || len >= GR_SPROLE_LEN)
36190 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36193 + if (copy_from_user(tmp, rtmp->rolename, len))
36195 + tmp[len-1] = '\0';
36196 + rtmp->rolename = tmp;
36199 + rtmp->prev = NULL;
36200 + rolep->transitions = rtmp;
36202 + rlast->next = rtmp;
36203 + rtmp->prev = rlast;
36207 + rtmp->next = NULL;
36213 +static struct acl_subject_label *
36214 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
36216 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
36217 + unsigned int len;
36220 + struct acl_ip_label **i_tmp, *i_utmp2;
36221 + struct gr_hash_struct ghash;
36222 + struct subject_map *subjmap;
36223 + unsigned int i_num;
36226 + s_tmp = lookup_subject_map(userp);
36228 + /* we've already copied this subject into the kernel, just return
36229 + the reference to it, and don't copy it over again
36234 + if ((s_tmp = (struct acl_subject_label *)
36235 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
36236 + return ERR_PTR(-ENOMEM);
36238 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
36239 + if (subjmap == NULL)
36240 + return ERR_PTR(-ENOMEM);
36242 + subjmap->user = userp;
36243 + subjmap->kernel = s_tmp;
36244 + insert_subj_map_entry(subjmap);
36246 + if (copy_from_user(s_tmp, userp,
36247 + sizeof (struct acl_subject_label)))
36248 + return ERR_PTR(-EFAULT);
36250 + len = strnlen_user(s_tmp->filename, PATH_MAX);
36252 + if (!len || len >= PATH_MAX)
36253 + return ERR_PTR(-EINVAL);
36255 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36256 + return ERR_PTR(-ENOMEM);
36258 + if (copy_from_user(tmp, s_tmp->filename, len))
36259 + return ERR_PTR(-EFAULT);
36260 + tmp[len-1] = '\0';
36261 + s_tmp->filename = tmp;
36263 + if (!strcmp(s_tmp->filename, "/"))
36264 + role->root_label = s_tmp;
36266 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
36267 + return ERR_PTR(-EFAULT);
36269 + /* copy user and group transition tables */
36271 + if (s_tmp->user_trans_num) {
36274 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
36275 + if (uidlist == NULL)
36276 + return ERR_PTR(-ENOMEM);
36277 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
36278 + return ERR_PTR(-EFAULT);
36280 + s_tmp->user_transitions = uidlist;
36283 + if (s_tmp->group_trans_num) {
36286 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
36287 + if (gidlist == NULL)
36288 + return ERR_PTR(-ENOMEM);
36289 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
36290 + return ERR_PTR(-EFAULT);
36292 + s_tmp->group_transitions = gidlist;
36295 + /* set up object hash table */
36296 + num_objs = count_user_objs(ghash.first);
36298 + s_tmp->obj_hash_size = num_objs;
36299 + s_tmp->obj_hash =
36300 + (struct acl_object_label **)
36301 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
36303 + if (!s_tmp->obj_hash)
36304 + return ERR_PTR(-ENOMEM);
36306 + memset(s_tmp->obj_hash, 0,
36307 + s_tmp->obj_hash_size *
36308 + sizeof (struct acl_object_label *));
36310 + /* add in objects */
36311 + err = copy_user_objs(ghash.first, s_tmp, role);
36314 + return ERR_PTR(err);
36316 + /* set pointer for parent subject */
36317 + if (s_tmp->parent_subject) {
36318 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
36320 + if (IS_ERR(s_tmp2))
36323 + s_tmp->parent_subject = s_tmp2;
36326 + /* add in ip acls */
36328 + if (!s_tmp->ip_num) {
36329 + s_tmp->ips = NULL;
36334 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
36335 + sizeof (struct acl_ip_label *));
36338 + return ERR_PTR(-ENOMEM);
36340 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
36341 + *(i_tmp + i_num) =
36342 + (struct acl_ip_label *)
36343 + acl_alloc(sizeof (struct acl_ip_label));
36344 + if (!*(i_tmp + i_num))
36345 + return ERR_PTR(-ENOMEM);
36347 + if (copy_from_user
36348 + (&i_utmp2, s_tmp->ips + i_num,
36349 + sizeof (struct acl_ip_label *)))
36350 + return ERR_PTR(-EFAULT);
36352 + if (copy_from_user
36353 + (*(i_tmp + i_num), i_utmp2,
36354 + sizeof (struct acl_ip_label)))
36355 + return ERR_PTR(-EFAULT);
36357 + if ((*(i_tmp + i_num))->iface == NULL)
36360 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
36361 + if (!len || len >= IFNAMSIZ)
36362 + return ERR_PTR(-EINVAL);
36363 + tmp = acl_alloc(len);
36365 + return ERR_PTR(-ENOMEM);
36366 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
36367 + return ERR_PTR(-EFAULT);
36368 + (*(i_tmp + i_num))->iface = tmp;
36371 + s_tmp->ips = i_tmp;
36374 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
36375 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
36376 + return ERR_PTR(-ENOMEM);
36382 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
36384 + struct acl_subject_label s_pre;
36385 + struct acl_subject_label * ret;
36389 + if (copy_from_user(&s_pre, userp,
36390 + sizeof (struct acl_subject_label)))
36393 + /* do not add nested subjects here, add
36394 + while parsing objects
36397 + if (s_pre.mode & GR_NESTED) {
36398 + userp = s_pre.prev;
36402 + ret = do_copy_user_subj(userp, role);
36404 + err = PTR_ERR(ret);
36408 + insert_acl_subj_label(ret, role);
36410 + userp = s_pre.prev;
36417 +copy_user_acl(struct gr_arg *arg)
36419 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
36420 + struct sprole_pw *sptmp;
36421 + struct gr_hash_struct *ghash;
36422 + uid_t *domainlist;
36423 + unsigned int r_num;
36424 + unsigned int len;
36430 + /* we need a default and kernel role */
36431 + if (arg->role_db.num_roles < 2)
36434 + /* copy special role authentication info from userspace */
36436 + num_sprole_pws = arg->num_sprole_pws;
36437 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
36439 + if (!acl_special_roles) {
36444 + for (i = 0; i < num_sprole_pws; i++) {
36445 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
36450 + if (copy_from_user(sptmp, arg->sprole_pws + i,
36451 + sizeof (struct sprole_pw))) {
36457 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
36459 + if (!len || len >= GR_SPROLE_LEN) {
36464 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36469 + if (copy_from_user(tmp, sptmp->rolename, len)) {
36473 + tmp[len-1] = '\0';
36474 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
36475 + printk(KERN_ALERT "Copying special role %s\n", tmp);
36477 + sptmp->rolename = tmp;
36478 + acl_special_roles[i] = sptmp;
36481 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
36483 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
36484 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
36491 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
36492 + sizeof (struct acl_role_label *))) {
36497 + if (copy_from_user(r_tmp, r_utmp2,
36498 + sizeof (struct acl_role_label))) {
36503 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
36505 + if (!len || len >= PATH_MAX) {
36510 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36514 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
36518 + tmp[len-1] = '\0';
36519 + r_tmp->rolename = tmp;
36521 + if (!strcmp(r_tmp->rolename, "default")
36522 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
36523 + default_role = r_tmp;
36524 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
36525 + kernel_role = r_tmp;
36528 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
36532 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
36537 + r_tmp->hash = ghash;
36539 + num_subjs = count_user_subjs(r_tmp->hash->first);
36541 + r_tmp->subj_hash_size = num_subjs;
36542 + r_tmp->subj_hash =
36543 + (struct acl_subject_label **)
36544 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
36546 + if (!r_tmp->subj_hash) {
36551 + err = copy_user_allowedips(r_tmp);
36555 + /* copy domain info */
36556 + if (r_tmp->domain_children != NULL) {
36557 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
36558 + if (domainlist == NULL) {
36562 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
36566 + r_tmp->domain_children = domainlist;
36569 + err = copy_user_transitions(r_tmp);
36573 + memset(r_tmp->subj_hash, 0,
36574 + r_tmp->subj_hash_size *
36575 + sizeof (struct acl_subject_label *));
36577 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
36582 + /* set nested subject list to null */
36583 + r_tmp->hash->first = NULL;
36585 + insert_acl_role_label(r_tmp);
36590 + free_variables();
36597 +gracl_init(struct gr_arg *args)
36601 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
36602 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
36604 + if (init_variables(args)) {
36605 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
36607 + free_variables();
36611 + error = copy_user_acl(args);
36612 + free_init_variables();
36614 + free_variables();
36618 + if ((error = gr_set_acls(0))) {
36619 + free_variables();
36623 + pax_open_kernel();
36624 + gr_status |= GR_READY;
36625 + pax_close_kernel();
36631 +/* derived from glibc fnmatch() 0: match, 1: no match*/
36634 +glob_match(const char *p, const char *n)
36638 + while ((c = *p++) != '\0') {
36643 + else if (*n == '/')
36651 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
36654 + else if (c == '?') {
36664 + const char *endp;
36666 + if ((endp = strchr(n, '/')) == NULL)
36667 + endp = n + strlen(n);
36670 + for (--p; n < endp; ++n)
36671 + if (!glob_match(p, n))
36673 + } else if (c == '/') {
36674 + while (*n != '\0' && *n != '/')
36676 + if (*n == '/' && !glob_match(p, n + 1))
36679 + for (--p; n < endp; ++n)
36680 + if (*n == c && !glob_match(p, n))
36691 + if (*n == '\0' || *n == '/')
36694 + not = (*p == '!' || *p == '^');
36700 + unsigned char fn = (unsigned char)*n;
36710 + if (c == '-' && *p != ']') {
36711 + unsigned char cend = *p++;
36713 + if (cend == '\0')
36716 + if (cold <= fn && fn <= cend)
36730 + while (c != ']') {
36757 +static struct acl_object_label *
36758 +chk_glob_label(struct acl_object_label *globbed,
36759 + struct dentry *dentry, struct vfsmount *mnt, char **path)
36761 + struct acl_object_label *tmp;
36763 + if (*path == NULL)
36764 + *path = gr_to_filename_nolock(dentry, mnt);
36769 + if (!glob_match(tmp->filename, *path))
36777 +static struct acl_object_label *
36778 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36779 + const ino_t curr_ino, const dev_t curr_dev,
36780 + const struct acl_subject_label *subj, char **path, const int checkglob)
36782 + struct acl_subject_label *tmpsubj;
36783 + struct acl_object_label *retval;
36784 + struct acl_object_label *retval2;
36786 + tmpsubj = (struct acl_subject_label *) subj;
36787 + read_lock(&gr_inode_lock);
36789 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
36791 + if (checkglob && retval->globbed) {
36792 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
36793 + (struct vfsmount *)orig_mnt, path);
36795 + retval = retval2;
36799 + } while ((tmpsubj = tmpsubj->parent_subject));
36800 + read_unlock(&gr_inode_lock);
36805 +static __inline__ struct acl_object_label *
36806 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36807 + struct dentry *curr_dentry,
36808 + const struct acl_subject_label *subj, char **path, const int checkglob)
36810 + int newglob = checkglob;
36814 + /* if we aren't checking a subdirectory of the original path yet, don't do glob checking
36815 + as we don't want a / * rule to match instead of the / object
36816 + don't do this for create lookups that call this function though, since they're looking up
36817 + on the parent and thus need globbing checks on all paths
36819 + if (orig_dentry == curr_dentry && newglob != GR_CREATE_GLOB)
36820 + newglob = GR_NO_GLOB;
36822 + spin_lock(&curr_dentry->d_lock);
36823 + inode = curr_dentry->d_inode->i_ino;
36824 + device = __get_dev(curr_dentry);
36825 + spin_unlock(&curr_dentry->d_lock);
36827 + return __full_lookup(orig_dentry, orig_mnt, inode, device, subj, path, newglob);
36830 +static struct acl_object_label *
36831 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36832 + const struct acl_subject_label *subj, char *path, const int checkglob)
36834 + struct dentry *dentry = (struct dentry *) l_dentry;
36835 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36836 + struct acl_object_label *retval;
36837 + struct dentry *parent;
36839 + write_seqlock(&rename_lock);
36840 + br_read_lock(vfsmount_lock);
36842 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
36843 +#ifdef CONFIG_HUGETLBFS
36844 + mnt == hugetlbfs_vfsmount ||
36846 + /* ignore Eric Biederman */
36847 + IS_PRIVATE(l_dentry->d_inode))) {
36848 + retval = fakefs_obj;
36853 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36856 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36857 + if (mnt->mnt_parent == mnt)
36860 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36861 + if (retval != NULL)
36864 + dentry = mnt->mnt_mountpoint;
36865 + mnt = mnt->mnt_parent;
36869 + parent = dentry->d_parent;
36870 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36871 + if (retval != NULL)
36877 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36879 + /* real_root is pinned so we don't have to hold a reference */
36880 + if (retval == NULL)
36881 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
36883 + br_read_unlock(vfsmount_lock);
36884 + write_sequnlock(&rename_lock);
36886 + BUG_ON(retval == NULL);
36891 +static __inline__ struct acl_object_label *
36892 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36893 + const struct acl_subject_label *subj)
36895 + char *path = NULL;
36896 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_REG_GLOB);
36899 +static __inline__ struct acl_object_label *
36900 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36901 + const struct acl_subject_label *subj)
36903 + char *path = NULL;
36904 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_NO_GLOB);
36907 +static __inline__ struct acl_object_label *
36908 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36909 + const struct acl_subject_label *subj, char *path)
36911 + return __chk_obj_label(l_dentry, l_mnt, subj, path, GR_CREATE_GLOB);
36914 +static struct acl_subject_label *
36915 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36916 + const struct acl_role_label *role)
36918 + struct dentry *dentry = (struct dentry *) l_dentry;
36919 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36920 + struct acl_subject_label *retval;
36921 + struct dentry *parent;
36923 + write_seqlock(&rename_lock);
36924 + br_read_lock(vfsmount_lock);
36927 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36929 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36930 + if (mnt->mnt_parent == mnt)
36933 + spin_lock(&dentry->d_lock);
36934 + read_lock(&gr_inode_lock);
36936 + lookup_acl_subj_label(dentry->d_inode->i_ino,
36937 + __get_dev(dentry), role);
36938 + read_unlock(&gr_inode_lock);
36939 + spin_unlock(&dentry->d_lock);
36940 + if (retval != NULL)
36943 + dentry = mnt->mnt_mountpoint;
36944 + mnt = mnt->mnt_parent;
36948 + spin_lock(&dentry->d_lock);
36949 + read_lock(&gr_inode_lock);
36950 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36951 + __get_dev(dentry), role);
36952 + read_unlock(&gr_inode_lock);
36953 + parent = dentry->d_parent;
36954 + spin_unlock(&dentry->d_lock);
36956 + if (retval != NULL)
36962 + spin_lock(&dentry->d_lock);
36963 + read_lock(&gr_inode_lock);
36964 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36965 + __get_dev(dentry), role);
36966 + read_unlock(&gr_inode_lock);
36967 + spin_unlock(&dentry->d_lock);
36969 + if (unlikely(retval == NULL)) {
36970 + /* real_root is pinned, we don't need to hold a reference */
36971 + read_lock(&gr_inode_lock);
36972 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
36973 + __get_dev(real_root.dentry), role);
36974 + read_unlock(&gr_inode_lock);
36977 + br_read_unlock(vfsmount_lock);
36978 + write_sequnlock(&rename_lock);
36980 + BUG_ON(retval == NULL);
36986 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36988 + struct task_struct *task = current;
36989 + const struct cred *cred = current_cred();
36991 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36992 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36993 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36994 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
37000 +gr_log_learn_sysctl(const char *path, const __u32 mode)
37002 + struct task_struct *task = current;
37003 + const struct cred *cred = current_cred();
37005 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
37006 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37007 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37008 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
37014 +gr_log_learn_id_change(const char type, const unsigned int real,
37015 + const unsigned int effective, const unsigned int fs)
37017 + struct task_struct *task = current;
37018 + const struct cred *cred = current_cred();
37020 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
37021 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
37022 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
37023 + type, real, effective, fs, &task->signal->saved_ip);
37029 +gr_check_link(const struct dentry * new_dentry,
37030 + const struct dentry * parent_dentry,
37031 + const struct vfsmount * parent_mnt,
37032 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
37034 + struct acl_object_label *obj;
37035 + __u32 oldmode, newmode;
37038 + if (unlikely(!(gr_status & GR_READY)))
37039 + return (GR_CREATE | GR_LINK);
37041 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
37042 + oldmode = obj->mode;
37044 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37045 + oldmode |= (GR_CREATE | GR_LINK);
37047 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
37048 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
37049 + needmode |= GR_SETID | GR_AUDIT_SETID;
37052 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
37053 + oldmode | needmode);
37055 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
37056 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
37057 + GR_INHERIT | GR_AUDIT_INHERIT);
37059 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
37062 + if ((oldmode & needmode) != needmode)
37065 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
37066 + if ((newmode & needmode) != needmode)
37069 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
37072 + needmode = oldmode;
37073 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
37074 + needmode |= GR_SETID;
37076 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37077 + gr_log_learn(old_dentry, old_mnt, needmode);
37078 + return (GR_CREATE | GR_LINK);
37079 + } else if (newmode & GR_SUPPRESS)
37080 + return GR_SUPPRESS;
37086 +gr_search_file(const struct dentry * dentry, const __u32 mode,
37087 + const struct vfsmount * mnt)
37089 + __u32 retval = mode;
37090 + struct acl_subject_label *curracl;
37091 + struct acl_object_label *currobj;
37093 + if (unlikely(!(gr_status & GR_READY)))
37094 + return (mode & ~GR_AUDITS);
37096 + curracl = current->acl;
37098 + currobj = chk_obj_label(dentry, mnt, curracl);
37099 + retval = currobj->mode & mode;
37102 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
37103 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
37104 + __u32 new_mode = mode;
37106 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37108 + retval = new_mode;
37110 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
37111 + new_mode |= GR_INHERIT;
37113 + if (!(mode & GR_NOLEARN))
37114 + gr_log_learn(dentry, mnt, new_mode);
37121 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
37122 + const struct vfsmount * mnt, const __u32 mode)
37124 + struct name_entry *match;
37125 + struct acl_object_label *matchpo;
37126 + struct acl_subject_label *curracl;
37130 + if (unlikely(!(gr_status & GR_READY)))
37131 + return (mode & ~GR_AUDITS);
37133 + preempt_disable();
37134 + path = gr_to_filename_rbac(new_dentry, mnt);
37135 + match = lookup_name_entry_create(path);
37138 + goto check_parent;
37140 + curracl = current->acl;
37142 + read_lock(&gr_inode_lock);
37143 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
37144 + read_unlock(&gr_inode_lock);
37147 + if ((matchpo->mode & mode) !=
37148 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
37149 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
37150 + __u32 new_mode = mode;
37152 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37154 + gr_log_learn(new_dentry, mnt, new_mode);
37156 + preempt_enable();
37159 + preempt_enable();
37160 + return (matchpo->mode & mode);
37164 + curracl = current->acl;
37166 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
37167 + retval = matchpo->mode & mode;
37169 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
37170 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
37171 + __u32 new_mode = mode;
37173 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
37175 + gr_log_learn(new_dentry, mnt, new_mode);
37176 + preempt_enable();
37180 + preempt_enable();
37185 +gr_check_hidden_task(const struct task_struct *task)
37187 + if (unlikely(!(gr_status & GR_READY)))
37190 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
37197 +gr_check_protected_task(const struct task_struct *task)
37199 + if (unlikely(!(gr_status & GR_READY) || !task))
37202 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37203 + task->acl != current->acl)
37210 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
37212 + struct task_struct *p;
37215 + if (unlikely(!(gr_status & GR_READY) || !pid))
37218 + read_lock(&tasklist_lock);
37219 + do_each_pid_task(pid, type, p) {
37220 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
37221 + p->acl != current->acl) {
37225 + } while_each_pid_task(pid, type, p);
37227 + read_unlock(&tasklist_lock);
37233 +gr_copy_label(struct task_struct *tsk)
37235 + tsk->signal->used_accept = 0;
37236 + tsk->acl_sp_role = 0;
37237 + tsk->acl_role_id = current->acl_role_id;
37238 + tsk->acl = current->acl;
37239 + tsk->role = current->role;
37240 + tsk->signal->curr_ip = current->signal->curr_ip;
37241 + tsk->signal->saved_ip = current->signal->saved_ip;
37242 + if (current->exec_file)
37243 + get_file(current->exec_file);
37244 + tsk->exec_file = current->exec_file;
37245 + tsk->is_writable = current->is_writable;
37246 + if (unlikely(current->signal->used_accept)) {
37247 + current->signal->curr_ip = 0;
37248 + current->signal->saved_ip = 0;
37255 +gr_set_proc_res(struct task_struct *task)
37257 + struct acl_subject_label *proc;
37258 + unsigned short i;
37260 + proc = task->acl;
37262 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
37265 + for (i = 0; i < RLIM_NLIMITS; i++) {
37266 + if (!(proc->resmask & (1 << i)))
37269 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
37270 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
37277 +gr_check_user_change(int real, int effective, int fs)
37284 + int effectiveok = 0;
37287 + if (unlikely(!(gr_status & GR_READY)))
37290 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37291 + gr_log_learn_id_change('u', real, effective, fs);
37293 + num = current->acl->user_trans_num;
37294 + uidlist = current->acl->user_transitions;
37296 + if (uidlist == NULL)
37301 + if (effective == -1)
37306 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
37307 + for (i = 0; i < num; i++) {
37308 + curuid = (int)uidlist[i];
37309 + if (real == curuid)
37311 + if (effective == curuid)
37313 + if (fs == curuid)
37316 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
37317 + for (i = 0; i < num; i++) {
37318 + curuid = (int)uidlist[i];
37319 + if (real == curuid)
37321 + if (effective == curuid)
37323 + if (fs == curuid)
37326 + /* not in deny list */
37334 + if (realok && effectiveok && fsok)
37337 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37343 +gr_check_group_change(int real, int effective, int fs)
37350 + int effectiveok = 0;
37353 + if (unlikely(!(gr_status & GR_READY)))
37356 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37357 + gr_log_learn_id_change('g', real, effective, fs);
37359 + num = current->acl->group_trans_num;
37360 + gidlist = current->acl->group_transitions;
37362 + if (gidlist == NULL)
37367 + if (effective == -1)
37372 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
37373 + for (i = 0; i < num; i++) {
37374 + curgid = (int)gidlist[i];
37375 + if (real == curgid)
37377 + if (effective == curgid)
37379 + if (fs == curgid)
37382 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
37383 + for (i = 0; i < num; i++) {
37384 + curgid = (int)gidlist[i];
37385 + if (real == curgid)
37387 + if (effective == curgid)
37389 + if (fs == curgid)
37392 + /* not in deny list */
37400 + if (realok && effectiveok && fsok)
37403 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37409 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
37411 + struct acl_role_label *role = task->role;
37412 + struct acl_subject_label *subj = NULL;
37413 + struct acl_object_label *obj;
37414 + struct file *filp;
37416 + if (unlikely(!(gr_status & GR_READY)))
37419 + filp = task->exec_file;
37421 + /* kernel process, we'll give them the kernel role */
37422 + if (unlikely(!filp)) {
37423 + task->role = kernel_role;
37424 + task->acl = kernel_role->root_label;
37426 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
37427 + role = lookup_acl_role_label(task, uid, gid);
37429 + /* perform subject lookup in possibly new role
37430 + we can use this result below in the case where role == task->role
37432 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
37434 + /* if we changed uid/gid, but result in the same role
37435 + and are using inheritance, don't lose the inherited subject
37436 + if current subject is other than what normal lookup
37437 + would result in, we arrived via inheritance, don't
37440 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
37441 + (subj == task->acl)))
37442 + task->acl = subj;
37444 + task->role = role;
37446 + task->is_writable = 0;
37448 + /* ignore additional mmap checks for processes that are writable
37449 + by the default ACL */
37450 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37451 + if (unlikely(obj->mode & GR_WRITE))
37452 + task->is_writable = 1;
37453 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37454 + if (unlikely(obj->mode & GR_WRITE))
37455 + task->is_writable = 1;
37457 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37458 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37461 + gr_set_proc_res(task);
37467 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
37468 + const int unsafe_share)
37470 + struct task_struct *task = current;
37471 + struct acl_subject_label *newacl;
37472 + struct acl_object_label *obj;
37475 + if (unlikely(!(gr_status & GR_READY)))
37478 + newacl = chk_subj_label(dentry, mnt, task->role);
37481 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
37482 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
37483 + !(task->role->roletype & GR_ROLE_GOD) &&
37484 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
37485 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
37486 + task_unlock(task);
37487 + if (unsafe_share)
37488 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
37490 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
37493 + task_unlock(task);
37495 + obj = chk_obj_label(dentry, mnt, task->acl);
37496 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
37498 + if (!(task->acl->mode & GR_INHERITLEARN) &&
37499 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
37501 + task->acl = obj->nested;
37503 + task->acl = newacl;
37504 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
37505 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
37507 + task->is_writable = 0;
37509 + /* ignore additional mmap checks for processes that are writable
37510 + by the default ACL */
37511 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
37512 + if (unlikely(obj->mode & GR_WRITE))
37513 + task->is_writable = 1;
37514 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
37515 + if (unlikely(obj->mode & GR_WRITE))
37516 + task->is_writable = 1;
37518 + gr_set_proc_res(task);
37520 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37521 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37526 +/* always called with valid inodev ptr */
37528 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
37530 + struct acl_object_label *matchpo;
37531 + struct acl_subject_label *matchps;
37532 + struct acl_subject_label *subj;
37533 + struct acl_role_label *role;
37536 + FOR_EACH_ROLE_START(role)
37537 + FOR_EACH_SUBJECT_START(role, subj, x)
37538 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
37539 + matchpo->mode |= GR_DELETED;
37540 + FOR_EACH_SUBJECT_END(subj,x)
37541 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37542 + if (subj->inode == ino && subj->device == dev)
37543 + subj->mode |= GR_DELETED;
37544 + FOR_EACH_NESTED_SUBJECT_END(subj)
37545 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
37546 + matchps->mode |= GR_DELETED;
37547 + FOR_EACH_ROLE_END(role)
37549 + inodev->nentry->deleted = 1;
37555 +gr_handle_delete(const ino_t ino, const dev_t dev)
37557 + struct inodev_entry *inodev;
37559 + if (unlikely(!(gr_status & GR_READY)))
37562 + write_lock(&gr_inode_lock);
37563 + inodev = lookup_inodev_entry(ino, dev);
37564 + if (inodev != NULL)
37565 + do_handle_delete(inodev, ino, dev);
37566 + write_unlock(&gr_inode_lock);
37572 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
37573 + const ino_t newinode, const dev_t newdevice,
37574 + struct acl_subject_label *subj)
37576 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
37577 + struct acl_object_label *match;
37579 + match = subj->obj_hash[index];
37581 + while (match && (match->inode != oldinode ||
37582 + match->device != olddevice ||
37583 + !(match->mode & GR_DELETED)))
37584 + match = match->next;
37586 + if (match && (match->inode == oldinode)
37587 + && (match->device == olddevice)
37588 + && (match->mode & GR_DELETED)) {
37589 + if (match->prev == NULL) {
37590 + subj->obj_hash[index] = match->next;
37591 + if (match->next != NULL)
37592 + match->next->prev = NULL;
37594 + match->prev->next = match->next;
37595 + if (match->next != NULL)
37596 + match->next->prev = match->prev;
37598 + match->prev = NULL;
37599 + match->next = NULL;
37600 + match->inode = newinode;
37601 + match->device = newdevice;
37602 + match->mode &= ~GR_DELETED;
37604 + insert_acl_obj_label(match, subj);
37611 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
37612 + const ino_t newinode, const dev_t newdevice,
37613 + struct acl_role_label *role)
37615 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
37616 + struct acl_subject_label *match;
37618 + match = role->subj_hash[index];
37620 + while (match && (match->inode != oldinode ||
37621 + match->device != olddevice ||
37622 + !(match->mode & GR_DELETED)))
37623 + match = match->next;
37625 + if (match && (match->inode == oldinode)
37626 + && (match->device == olddevice)
37627 + && (match->mode & GR_DELETED)) {
37628 + if (match->prev == NULL) {
37629 + role->subj_hash[index] = match->next;
37630 + if (match->next != NULL)
37631 + match->next->prev = NULL;
37633 + match->prev->next = match->next;
37634 + if (match->next != NULL)
37635 + match->next->prev = match->prev;
37637 + match->prev = NULL;
37638 + match->next = NULL;
37639 + match->inode = newinode;
37640 + match->device = newdevice;
37641 + match->mode &= ~GR_DELETED;
37643 + insert_acl_subj_label(match, role);
37650 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
37651 + const ino_t newinode, const dev_t newdevice)
37653 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
37654 + struct inodev_entry *match;
37656 + match = inodev_set.i_hash[index];
37658 + while (match && (match->nentry->inode != oldinode ||
37659 + match->nentry->device != olddevice || !match->nentry->deleted))
37660 + match = match->next;
37662 + if (match && (match->nentry->inode == oldinode)
37663 + && (match->nentry->device == olddevice) &&
37664 + match->nentry->deleted) {
37665 + if (match->prev == NULL) {
37666 + inodev_set.i_hash[index] = match->next;
37667 + if (match->next != NULL)
37668 + match->next->prev = NULL;
37670 + match->prev->next = match->next;
37671 + if (match->next != NULL)
37672 + match->next->prev = match->prev;
37674 + match->prev = NULL;
37675 + match->next = NULL;
37676 + match->nentry->inode = newinode;
37677 + match->nentry->device = newdevice;
37678 + match->nentry->deleted = 0;
37680 + insert_inodev_entry(match);
37687 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
37688 + const struct vfsmount *mnt)
37690 + struct acl_subject_label *subj;
37691 + struct acl_role_label *role;
37693 + ino_t ino = dentry->d_inode->i_ino;
37694 + dev_t dev = __get_dev(dentry);
37696 + FOR_EACH_ROLE_START(role)
37697 + update_acl_subj_label(matchn->inode, matchn->device, ino, dev, role);
37699 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37700 + if ((subj->inode == ino) && (subj->device == dev)) {
37701 + subj->inode = ino;
37702 + subj->device = dev;
37704 + FOR_EACH_NESTED_SUBJECT_END(subj)
37705 + FOR_EACH_SUBJECT_START(role, subj, x)
37706 + update_acl_obj_label(matchn->inode, matchn->device,
37708 + FOR_EACH_SUBJECT_END(subj,x)
37709 + FOR_EACH_ROLE_END(role)
37711 + update_inodev_entry(matchn->inode, matchn->device, ino, dev);
37717 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
37719 + struct name_entry *matchn;
37721 + if (unlikely(!(gr_status & GR_READY)))
37724 + preempt_disable();
37725 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
37727 + if (unlikely((unsigned long)matchn)) {
37728 + write_lock(&gr_inode_lock);
37729 + do_handle_create(matchn, dentry, mnt);
37730 + write_unlock(&gr_inode_lock);
37732 + preempt_enable();
37738 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37739 + struct dentry *old_dentry,
37740 + struct dentry *new_dentry,
37741 + struct vfsmount *mnt, const __u8 replace)
37743 + struct name_entry *matchn;
37744 + struct inodev_entry *inodev;
37745 + ino_t old_ino = old_dentry->d_inode->i_ino;
37746 + dev_t old_dev = __get_dev(old_dentry);
37748 + /* vfs_rename swaps the name and parent link for old_dentry and
37750 + at this point, old_dentry has the new name, parent link, and inode
37751 + for the renamed file
37752 + if a file is being replaced by a rename, new_dentry has the inode
37753 + and name for the replaced file
37756 + if (unlikely(!(gr_status & GR_READY)))
37759 + preempt_disable();
37760 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
37762 + /* we wouldn't have to check d_inode if it weren't for
37763 + NFS silly-renaming
37766 + write_lock(&gr_inode_lock);
37767 + if (unlikely(replace && new_dentry->d_inode)) {
37768 + ino_t new_ino = new_dentry->d_inode->i_ino;
37769 + dev_t new_dev = __get_dev(new_dentry);
37771 + inodev = lookup_inodev_entry(new_ino, new_dev);
37772 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
37773 + do_handle_delete(inodev, new_ino, new_dev);
37776 + inodev = lookup_inodev_entry(old_ino, old_dev);
37777 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
37778 + do_handle_delete(inodev, old_ino, old_dev);
37780 + if (unlikely((unsigned long)matchn))
37781 + do_handle_create(matchn, old_dentry, mnt);
37783 + write_unlock(&gr_inode_lock);
37784 + preempt_enable();
37790 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
37791 + unsigned char **sum)
37793 + struct acl_role_label *r;
37794 + struct role_allowed_ip *ipp;
37795 + struct role_transition *trans;
37798 + u32 curr_ip = current->signal->curr_ip;
37800 + current->signal->saved_ip = curr_ip;
37802 + /* check transition table */
37804 + for (trans = current->role->transitions; trans; trans = trans->next) {
37805 + if (!strcmp(rolename, trans->rolename)) {
37814 + /* handle special roles that do not require authentication
37817 + FOR_EACH_ROLE_START(r)
37818 + if (!strcmp(rolename, r->rolename) &&
37819 + (r->roletype & GR_ROLE_SPECIAL)) {
37821 + if (r->allowed_ips != NULL) {
37822 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
37823 + if ((ntohl(curr_ip) & ipp->netmask) ==
37824 + (ntohl(ipp->addr) & ipp->netmask))
37832 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
37833 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
37839 + FOR_EACH_ROLE_END(r)
37841 + for (i = 0; i < num_sprole_pws; i++) {
37842 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
37843 + *salt = acl_special_roles[i]->salt;
37844 + *sum = acl_special_roles[i]->sum;
37853 +assign_special_role(char *rolename)
37855 + struct acl_object_label *obj;
37856 + struct acl_role_label *r;
37857 + struct acl_role_label *assigned = NULL;
37858 + struct task_struct *tsk;
37859 + struct file *filp;
37861 + FOR_EACH_ROLE_START(r)
37862 + if (!strcmp(rolename, r->rolename) &&
37863 + (r->roletype & GR_ROLE_SPECIAL)) {
37867 + FOR_EACH_ROLE_END(r)
37872 + read_lock(&tasklist_lock);
37873 + read_lock(&grsec_exec_file_lock);
37875 + tsk = current->real_parent;
37879 + filp = tsk->exec_file;
37880 + if (filp == NULL)
37883 + tsk->is_writable = 0;
37885 + tsk->acl_sp_role = 1;
37886 + tsk->acl_role_id = ++acl_sp_role_value;
37887 + tsk->role = assigned;
37888 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
37890 + /* ignore additional mmap checks for processes that are writable
37891 + by the default ACL */
37892 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37893 + if (unlikely(obj->mode & GR_WRITE))
37894 + tsk->is_writable = 1;
37895 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
37896 + if (unlikely(obj->mode & GR_WRITE))
37897 + tsk->is_writable = 1;
37899 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
37900 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
37904 + read_unlock(&grsec_exec_file_lock);
37905 + read_unlock(&tasklist_lock);
37909 +int gr_check_secure_terminal(struct task_struct *task)
37911 + struct task_struct *p, *p2, *p3;
37912 + struct files_struct *files;
37913 + struct fdtable *fdt;
37914 + struct file *our_file = NULL, *file;
37917 + if (task->signal->tty == NULL)
37920 + files = get_files_struct(task);
37921 + if (files != NULL) {
37923 + fdt = files_fdtable(files);
37924 + for (i=0; i < fdt->max_fds; i++) {
37925 + file = fcheck_files(files, i);
37926 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
37931 + rcu_read_unlock();
37932 + put_files_struct(files);
37935 + if (our_file == NULL)
37938 + read_lock(&tasklist_lock);
37939 + do_each_thread(p2, p) {
37940 + files = get_files_struct(p);
37941 + if (files == NULL ||
37942 + (p->signal && p->signal->tty == task->signal->tty)) {
37943 + if (files != NULL)
37944 + put_files_struct(files);
37948 + fdt = files_fdtable(files);
37949 + for (i=0; i < fdt->max_fds; i++) {
37950 + file = fcheck_files(files, i);
37951 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
37952 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
37954 + while (p3->pid > 0) {
37957 + p3 = p3->real_parent;
37961 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
37962 + gr_handle_alertkill(p);
37963 + rcu_read_unlock();
37964 + put_files_struct(files);
37965 + read_unlock(&tasklist_lock);
37970 + rcu_read_unlock();
37971 + put_files_struct(files);
37972 + } while_each_thread(p2, p);
37973 + read_unlock(&tasklist_lock);
37980 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37982 + struct gr_arg_wrapper uwrap;
37983 + unsigned char *sprole_salt = NULL;
37984 + unsigned char *sprole_sum = NULL;
37985 + int error = sizeof (struct gr_arg_wrapper);
37988 + mutex_lock(&gr_dev_mutex);
37990 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37995 + if (count != sizeof (struct gr_arg_wrapper)) {
37996 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
38002 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
38003 + gr_auth_expires = 0;
38004 + gr_auth_attempts = 0;
38007 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
38012 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
38017 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
38022 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
38023 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
38024 + time_after(gr_auth_expires, get_seconds())) {
38029 + /* if non-root trying to do anything other than use a special role,
38030 + do not attempt authentication, do not count towards authentication
38034 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
38035 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
38041 + /* ensure pw and special role name are null terminated */
38043 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
38044 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
38047 + * We have our enough of the argument structure..(we have yet
38048 + * to copy_from_user the tables themselves) . Copy the tables
38049 + * only if we need them, i.e. for loading operations. */
38051 + switch (gr_usermode->mode) {
38053 + if (gr_status & GR_READY) {
38055 + if (!gr_check_secure_terminal(current))
38060 + case GR_SHUTDOWN:
38061 + if ((gr_status & GR_READY)
38062 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38063 + pax_open_kernel();
38064 + gr_status &= ~GR_READY;
38065 + pax_close_kernel();
38067 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
38068 + free_variables();
38069 + memset(gr_usermode, 0, sizeof (struct gr_arg));
38070 + memset(gr_system_salt, 0, GR_SALT_LEN);
38071 + memset(gr_system_sum, 0, GR_SHA_LEN);
38072 + } else if (gr_status & GR_READY) {
38073 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
38076 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
38081 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
38082 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
38084 + if (gr_status & GR_READY)
38088 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
38092 + if (!(gr_status & GR_READY)) {
38093 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
38095 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38096 + preempt_disable();
38098 + pax_open_kernel();
38099 + gr_status &= ~GR_READY;
38100 + pax_close_kernel();
38102 + free_variables();
38103 + if (!(error2 = gracl_init(gr_usermode))) {
38104 + preempt_enable();
38105 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
38107 + preempt_enable();
38109 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38112 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
38117 + if (unlikely(!(gr_status & GR_READY))) {
38118 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
38123 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
38124 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
38125 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
38126 + struct acl_subject_label *segvacl;
38128 + lookup_acl_subj_label(gr_usermode->segv_inode,
38129 + gr_usermode->segv_device,
38132 + segvacl->crashes = 0;
38133 + segvacl->expires = 0;
38135 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
38136 + gr_remove_uid(gr_usermode->segv_uid);
38139 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
38144 + case GR_SPROLEPAM:
38145 + if (unlikely(!(gr_status & GR_READY))) {
38146 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
38151 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
38152 + current->role->expires = 0;
38153 + current->role->auth_attempts = 0;
38156 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
38157 + time_after(current->role->expires, get_seconds())) {
38162 + if (lookup_special_role_auth
38163 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
38164 + && ((!sprole_salt && !sprole_sum)
38165 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
38167 + assign_special_role(gr_usermode->sp_role);
38168 + read_lock(&tasklist_lock);
38169 + if (current->real_parent)
38170 + p = current->real_parent->role->rolename;
38171 + read_unlock(&tasklist_lock);
38172 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
38173 + p, acl_sp_role_value);
38175 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
38177 + if(!(current->role->auth_attempts++))
38178 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38183 + case GR_UNSPROLE:
38184 + if (unlikely(!(gr_status & GR_READY))) {
38185 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
38190 + if (current->role->roletype & GR_ROLE_SPECIAL) {
38194 + read_lock(&tasklist_lock);
38195 + if (current->real_parent) {
38196 + p = current->real_parent->role->rolename;
38197 + i = current->real_parent->acl_role_id;
38199 + read_unlock(&tasklist_lock);
38201 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
38209 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
38214 + if (error != -EPERM)
38217 + if(!(gr_auth_attempts++))
38218 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
38221 + mutex_unlock(&gr_dev_mutex);
38226 +gr_set_acls(const int type)
38228 + struct acl_object_label *obj;
38229 + struct task_struct *task, *task2;
38230 + struct file *filp;
38231 + struct acl_role_label *role = current->role;
38232 + __u16 acl_role_id = current->acl_role_id;
38233 + const struct cred *cred;
38235 + struct name_entry *nmatch;
38236 + struct acl_subject_label *tmpsubj;
38239 + read_lock(&tasklist_lock);
38240 + read_lock(&grsec_exec_file_lock);
38241 + do_each_thread(task2, task) {
38242 + /* check to see if we're called from the exit handler,
38243 + if so, only replace ACLs that have inherited the admin
38246 + if (type && (task->role != role ||
38247 + task->acl_role_id != acl_role_id))
38250 + task->acl_role_id = 0;
38251 + task->acl_sp_role = 0;
38253 + if ((filp = task->exec_file)) {
38254 + cred = __task_cred(task);
38255 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
38257 + /* the following is to apply the correct subject
38258 + on binaries running when the RBAC system
38259 + is enabled, when the binaries have been
38260 + replaced or deleted since their execution
38262 + when the RBAC system starts, the inode/dev
38263 + from exec_file will be one the RBAC system
38264 + is unaware of. It only knows the inode/dev
38265 + of the present file on disk, or the absence
38268 + preempt_disable();
38269 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
38271 + nmatch = lookup_name_entry(tmpname);
38272 + preempt_enable();
38275 + if (nmatch->deleted)
38276 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
38278 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
38279 + if (tmpsubj != NULL)
38280 + task->acl = tmpsubj;
38282 + if (tmpsubj == NULL)
38283 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
38286 + struct acl_subject_label *curr;
38287 + curr = task->acl;
38289 + task->is_writable = 0;
38290 + /* ignore additional mmap checks for processes that are writable
38291 + by the default ACL */
38292 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38293 + if (unlikely(obj->mode & GR_WRITE))
38294 + task->is_writable = 1;
38295 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38296 + if (unlikely(obj->mode & GR_WRITE))
38297 + task->is_writable = 1;
38299 + gr_set_proc_res(task);
38301 +#ifdef CONFIG_GRKERNSEC_RBAC_DEBUG
38302 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38305 + read_unlock(&grsec_exec_file_lock);
38306 + read_unlock(&tasklist_lock);
38307 + rcu_read_unlock();
38308 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
38312 + // it's a kernel process
38313 + task->role = kernel_role;
38314 + task->acl = kernel_role->root_label;
38315 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
38316 + task->acl->mode &= ~GR_PROCFIND;
38319 + } while_each_thread(task2, task);
38320 + read_unlock(&grsec_exec_file_lock);
38321 + read_unlock(&tasklist_lock);
38322 + rcu_read_unlock();
38328 +gr_learn_resource(const struct task_struct *task,
38329 + const int res, const unsigned long wanted, const int gt)
38331 + struct acl_subject_label *acl;
38332 + const struct cred *cred;
38334 + if (unlikely((gr_status & GR_READY) &&
38335 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
38336 + goto skip_reslog;
38338 +#ifdef CONFIG_GRKERNSEC_RESLOG
38339 + gr_log_resource(task, res, wanted, gt);
38343 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
38348 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
38349 + !(acl->resmask & (1 << (unsigned short) res))))
38352 + if (wanted >= acl->res[res].rlim_cur) {
38353 + unsigned long res_add;
38355 + res_add = wanted;
38358 + res_add += GR_RLIM_CPU_BUMP;
38360 + case RLIMIT_FSIZE:
38361 + res_add += GR_RLIM_FSIZE_BUMP;
38363 + case RLIMIT_DATA:
38364 + res_add += GR_RLIM_DATA_BUMP;
38366 + case RLIMIT_STACK:
38367 + res_add += GR_RLIM_STACK_BUMP;
38369 + case RLIMIT_CORE:
38370 + res_add += GR_RLIM_CORE_BUMP;
38373 + res_add += GR_RLIM_RSS_BUMP;
38375 + case RLIMIT_NPROC:
38376 + res_add += GR_RLIM_NPROC_BUMP;
38378 + case RLIMIT_NOFILE:
38379 + res_add += GR_RLIM_NOFILE_BUMP;
38381 + case RLIMIT_MEMLOCK:
38382 + res_add += GR_RLIM_MEMLOCK_BUMP;
38385 + res_add += GR_RLIM_AS_BUMP;
38387 + case RLIMIT_LOCKS:
38388 + res_add += GR_RLIM_LOCKS_BUMP;
38390 + case RLIMIT_SIGPENDING:
38391 + res_add += GR_RLIM_SIGPENDING_BUMP;
38393 + case RLIMIT_MSGQUEUE:
38394 + res_add += GR_RLIM_MSGQUEUE_BUMP;
38396 + case RLIMIT_NICE:
38397 + res_add += GR_RLIM_NICE_BUMP;
38399 + case RLIMIT_RTPRIO:
38400 + res_add += GR_RLIM_RTPRIO_BUMP;
38402 + case RLIMIT_RTTIME:
38403 + res_add += GR_RLIM_RTTIME_BUMP;
38407 + acl->res[res].rlim_cur = res_add;
38409 + if (wanted > acl->res[res].rlim_max)
38410 + acl->res[res].rlim_max = res_add;
38412 + /* only log the subject filename, since resource logging is supported for
38413 + single-subject learning only */
38415 + cred = __task_cred(task);
38416 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38417 + task->role->roletype, cred->uid, cred->gid, acl->filename,
38418 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
38419 + "", (unsigned long) res, &task->signal->saved_ip);
38420 + rcu_read_unlock();
38426 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
38428 +pax_set_initial_flags(struct linux_binprm *bprm)
38430 + struct task_struct *task = current;
38431 + struct acl_subject_label *proc;
38432 + unsigned long flags;
38434 + if (unlikely(!(gr_status & GR_READY)))
38437 + flags = pax_get_flags(task);
38439 + proc = task->acl;
38441 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
38442 + flags &= ~MF_PAX_PAGEEXEC;
38443 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
38444 + flags &= ~MF_PAX_SEGMEXEC;
38445 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
38446 + flags &= ~MF_PAX_RANDMMAP;
38447 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
38448 + flags &= ~MF_PAX_EMUTRAMP;
38449 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
38450 + flags &= ~MF_PAX_MPROTECT;
38452 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
38453 + flags |= MF_PAX_PAGEEXEC;
38454 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
38455 + flags |= MF_PAX_SEGMEXEC;
38456 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
38457 + flags |= MF_PAX_RANDMMAP;
38458 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
38459 + flags |= MF_PAX_EMUTRAMP;
38460 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
38461 + flags |= MF_PAX_MPROTECT;
38463 + pax_set_flags(task, flags);
38469 +#ifdef CONFIG_SYSCTL
38470 +/* Eric Biederman likes breaking userland ABI and every inode-based security
38471 + system to save 35kb of memory */
38473 +/* we modify the passed in filename, but adjust it back before returning */
38474 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
38476 + struct name_entry *nmatch;
38477 + char *p, *lastp = NULL;
38478 + struct acl_object_label *obj = NULL, *tmp;
38479 + struct acl_subject_label *tmpsubj;
38482 + read_lock(&gr_inode_lock);
38484 + p = name + len - 1;
38486 + nmatch = lookup_name_entry(name);
38487 + if (lastp != NULL)
38490 + if (nmatch == NULL)
38491 + goto next_component;
38492 + tmpsubj = current->acl;
38494 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
38495 + if (obj != NULL) {
38496 + tmp = obj->globbed;
38498 + if (!glob_match(tmp->filename, name)) {
38506 + } while ((tmpsubj = tmpsubj->parent_subject));
38512 + while (*p != '/')
38524 + read_unlock(&gr_inode_lock);
38525 + /* obj returned will always be non-null */
38529 +/* returns 0 when allowing, non-zero on error
38530 + op of 0 is used for readdir, so we don't log the names of hidden files
38533 +gr_handle_sysctl(const struct ctl_table *table, const int op)
38535 + struct ctl_table *tmp;
38536 + const char *proc_sys = "/proc/sys";
38538 + struct acl_object_label *obj;
38539 + unsigned short len = 0, pos = 0, depth = 0, i;
38543 + if (unlikely(!(gr_status & GR_READY)))
38546 + /* for now, ignore operations on non-sysctl entries if it's not a
38548 + if (table->child != NULL && op != 0)
38552 + /* it's only a read if it's an entry, read on dirs is for readdir */
38553 + if (op & MAY_READ)
38555 + if (op & MAY_WRITE)
38556 + mode |= GR_WRITE;
38558 + preempt_disable();
38560 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
38562 + /* it's only a read/write if it's an actual entry, not a dir
38563 + (which are opened for readdir)
38566 + /* convert the requested sysctl entry into a pathname */
38568 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38569 + len += strlen(tmp->procname);
38574 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
38579 + memset(path, 0, PAGE_SIZE);
38581 + memcpy(path, proc_sys, strlen(proc_sys));
38583 + pos += strlen(proc_sys);
38585 + for (; depth > 0; depth--) {
38588 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38589 + if (depth == i) {
38590 + memcpy(path + pos, tmp->procname,
38591 + strlen(tmp->procname));
38592 + pos += strlen(tmp->procname);
38598 + obj = gr_lookup_by_name(path, pos);
38599 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
38601 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
38602 + ((err & mode) != mode))) {
38603 + __u32 new_mode = mode;
38605 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38608 + gr_log_learn_sysctl(path, new_mode);
38609 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
38610 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
38612 + } else if (!(err & GR_FIND)) {
38614 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
38615 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
38616 + path, (mode & GR_READ) ? " reading" : "",
38617 + (mode & GR_WRITE) ? " writing" : "");
38619 + } else if ((err & mode) != mode) {
38621 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
38622 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
38623 + path, (mode & GR_READ) ? " reading" : "",
38624 + (mode & GR_WRITE) ? " writing" : "");
38630 + preempt_enable();
38637 +gr_handle_proc_ptrace(struct task_struct *task)
38639 + struct file *filp;
38640 + struct task_struct *tmp = task;
38641 + struct task_struct *curtemp = current;
38644 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38645 + if (unlikely(!(gr_status & GR_READY)))
38649 + read_lock(&tasklist_lock);
38650 + read_lock(&grsec_exec_file_lock);
38651 + filp = task->exec_file;
38653 + while (tmp->pid > 0) {
38654 + if (tmp == curtemp)
38656 + tmp = tmp->real_parent;
38659 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38660 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
38661 + read_unlock(&grsec_exec_file_lock);
38662 + read_unlock(&tasklist_lock);
38666 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38667 + if (!(gr_status & GR_READY)) {
38668 + read_unlock(&grsec_exec_file_lock);
38669 + read_unlock(&tasklist_lock);
38674 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
38675 + read_unlock(&grsec_exec_file_lock);
38676 + read_unlock(&tasklist_lock);
38678 + if (retmode & GR_NOPTRACE)
38681 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
38682 + && (current->acl != task->acl || (current->acl != current->role->root_label
38683 + && current->pid != task->pid)))
38689 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
38691 + if (unlikely(!(gr_status & GR_READY)))
38694 + if (!(current->role->roletype & GR_ROLE_GOD))
38697 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
38698 + p->role->rolename, gr_task_roletype_to_char(p),
38699 + p->acl->filename);
38703 +gr_handle_ptrace(struct task_struct *task, const long request)
38705 + struct task_struct *tmp = task;
38706 + struct task_struct *curtemp = current;
38709 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38710 + if (unlikely(!(gr_status & GR_READY)))
38714 + read_lock(&tasklist_lock);
38715 + while (tmp->pid > 0) {
38716 + if (tmp == curtemp)
38718 + tmp = tmp->real_parent;
38721 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38722 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
38723 + read_unlock(&tasklist_lock);
38724 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38727 + read_unlock(&tasklist_lock);
38729 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38730 + if (!(gr_status & GR_READY))
38734 + read_lock(&grsec_exec_file_lock);
38735 + if (unlikely(!task->exec_file)) {
38736 + read_unlock(&grsec_exec_file_lock);
38740 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
38741 + read_unlock(&grsec_exec_file_lock);
38743 + if (retmode & GR_NOPTRACE) {
38744 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38748 + if (retmode & GR_PTRACERD) {
38749 + switch (request) {
38750 + case PTRACE_POKETEXT:
38751 + case PTRACE_POKEDATA:
38752 + case PTRACE_POKEUSR:
38753 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
38754 + case PTRACE_SETREGS:
38755 + case PTRACE_SETFPREGS:
38758 + case PTRACE_SETFPXREGS:
38760 +#ifdef CONFIG_ALTIVEC
38761 + case PTRACE_SETVRREGS:
38767 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
38768 + !(current->role->roletype & GR_ROLE_GOD) &&
38769 + (current->acl != task->acl)) {
38770 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38777 +static int is_writable_mmap(const struct file *filp)
38779 + struct task_struct *task = current;
38780 + struct acl_object_label *obj, *obj2;
38782 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
38783 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
38784 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38785 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
38786 + task->role->root_label);
38787 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
38788 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
38796 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
38800 + if (unlikely(!file || !(prot & PROT_EXEC)))
38803 + if (is_writable_mmap(file))
38807 + gr_search_file(file->f_path.dentry,
38808 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38809 + file->f_path.mnt);
38811 + if (!gr_tpe_allow(file))
38814 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38815 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38817 + } else if (unlikely(!(mode & GR_EXEC))) {
38819 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38820 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38828 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38832 + if (unlikely(!file || !(prot & PROT_EXEC)))
38835 + if (is_writable_mmap(file))
38839 + gr_search_file(file->f_path.dentry,
38840 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38841 + file->f_path.mnt);
38843 + if (!gr_tpe_allow(file))
38846 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38847 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38849 + } else if (unlikely(!(mode & GR_EXEC))) {
38851 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38852 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38860 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38862 + unsigned long runtime;
38863 + unsigned long cputime;
38864 + unsigned int wday, cday;
38868 + struct timespec timeval;
38870 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
38871 + !(task->acl->mode & GR_PROCACCT)))
38874 + do_posix_clock_monotonic_gettime(&timeval);
38875 + runtime = timeval.tv_sec - task->start_time.tv_sec;
38876 + wday = runtime / (3600 * 24);
38877 + runtime -= wday * (3600 * 24);
38878 + whr = runtime / 3600;
38879 + runtime -= whr * 3600;
38880 + wmin = runtime / 60;
38881 + runtime -= wmin * 60;
38884 + cputime = (task->utime + task->stime) / HZ;
38885 + cday = cputime / (3600 * 24);
38886 + cputime -= cday * (3600 * 24);
38887 + chr = cputime / 3600;
38888 + cputime -= chr * 3600;
38889 + cmin = cputime / 60;
38890 + cputime -= cmin * 60;
38893 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
38898 +void gr_set_kernel_label(struct task_struct *task)
38900 + if (gr_status & GR_READY) {
38901 + task->role = kernel_role;
38902 + task->acl = kernel_role->root_label;
38907 +#ifdef CONFIG_TASKSTATS
38908 +int gr_is_taskstats_denied(int pid)
38910 + struct task_struct *task;
38911 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38912 + const struct cred *cred;
38916 + /* restrict taskstats viewing to un-chrooted root users
38917 + who have the 'view' subject flag if the RBAC system is enabled
38921 + read_lock(&tasklist_lock);
38922 + task = find_task_by_vpid(pid);
38924 +#ifdef CONFIG_GRKERNSEC_CHROOT
38925 + if (proc_is_chrooted(task))
38928 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38929 + cred = __task_cred(task);
38930 +#ifdef CONFIG_GRKERNSEC_PROC_USER
38931 + if (cred->uid != 0)
38933 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38934 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
38938 + if (gr_status & GR_READY) {
38939 + if (!(task->acl->mode & GR_VIEW))
38945 + read_unlock(&tasklist_lock);
38946 + rcu_read_unlock();
38952 +/* AUXV entries are filled via a descendant of search_binary_handler
38953 + after we've already applied the subject for the target
38955 +int gr_acl_enable_at_secure(void)
38957 + if (unlikely(!(gr_status & GR_READY)))
38960 + if (current->acl->mode & GR_ATSECURE)
38966 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
38968 + struct task_struct *task = current;
38969 + struct dentry *dentry = file->f_path.dentry;
38970 + struct vfsmount *mnt = file->f_path.mnt;
38971 + struct acl_object_label *obj, *tmp;
38972 + struct acl_subject_label *subj;
38973 + unsigned int bufsize;
38976 + dev_t dev = __get_dev(dentry);
38978 + if (unlikely(!(gr_status & GR_READY)))
38981 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38984 + /* ignore Eric Biederman */
38985 + if (IS_PRIVATE(dentry->d_inode))
38988 + subj = task->acl;
38990 + obj = lookup_acl_obj_label(ino, dev, subj);
38992 + return (obj->mode & GR_FIND) ? 1 : 0;
38993 + } while ((subj = subj->parent_subject));
38995 + /* this is purely an optimization since we're looking for an object
38996 + for the directory we're doing a readdir on
38997 + if it's possible for any globbed object to match the entry we're
38998 + filling into the directory, then the object we find here will be
38999 + an anchor point with attached globbed objects
39001 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
39002 + if (obj->globbed == NULL)
39003 + return (obj->mode & GR_FIND) ? 1 : 0;
39005 + is_not_root = ((obj->filename[0] == '/') &&
39006 + (obj->filename[1] == '\0')) ? 0 : 1;
39007 + bufsize = PAGE_SIZE - namelen - is_not_root;
39009 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
39010 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
39013 + preempt_disable();
39014 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
39017 + bufsize = strlen(path);
39019 + /* if base is "/", don't append an additional slash */
39021 + *(path + bufsize) = '/';
39022 + memcpy(path + bufsize + is_not_root, name, namelen);
39023 + *(path + bufsize + namelen + is_not_root) = '\0';
39025 + tmp = obj->globbed;
39027 + if (!glob_match(tmp->filename, path)) {
39028 + preempt_enable();
39029 + return (tmp->mode & GR_FIND) ? 1 : 0;
39033 + preempt_enable();
39034 + return (obj->mode & GR_FIND) ? 1 : 0;
39037 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
39038 +EXPORT_SYMBOL(gr_acl_is_enabled);
39040 +EXPORT_SYMBOL(gr_learn_resource);
39041 +EXPORT_SYMBOL(gr_set_kernel_label);
39042 +#ifdef CONFIG_SECURITY
39043 +EXPORT_SYMBOL(gr_check_user_change);
39044 +EXPORT_SYMBOL(gr_check_group_change);
39047 diff -urNp linux-2.6.38.1/grsecurity/gracl_cap.c linux-2.6.38.1-new/grsecurity/gracl_cap.c
39048 --- linux-2.6.38.1/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
39049 +++ linux-2.6.38.1-new/grsecurity/gracl_cap.c 2011-03-21 20:22:36.000000000 -0400
39051 +#include <linux/kernel.h>
39052 +#include <linux/module.h>
39053 +#include <linux/sched.h>
39054 +#include <linux/gracl.h>
39055 +#include <linux/grsecurity.h>
39056 +#include <linux/grinternal.h>
39058 +static const char *captab_log[] = {
39060 + "CAP_DAC_OVERRIDE",
39061 + "CAP_DAC_READ_SEARCH",
39068 + "CAP_LINUX_IMMUTABLE",
39069 + "CAP_NET_BIND_SERVICE",
39070 + "CAP_NET_BROADCAST",
39075 + "CAP_SYS_MODULE",
39077 + "CAP_SYS_CHROOT",
39078 + "CAP_SYS_PTRACE",
39083 + "CAP_SYS_RESOURCE",
39085 + "CAP_SYS_TTY_CONFIG",
39088 + "CAP_AUDIT_WRITE",
39089 + "CAP_AUDIT_CONTROL",
39091 + "CAP_MAC_OVERRIDE",
39096 +EXPORT_SYMBOL(gr_is_capable);
39097 +EXPORT_SYMBOL(gr_is_capable_nolog);
39100 +gr_is_capable(const int cap)
39102 + struct task_struct *task = current;
39103 + const struct cred *cred = current_cred();
39104 + struct acl_subject_label *curracl;
39105 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39106 + kernel_cap_t cap_audit = __cap_empty_set;
39108 + if (!gr_acl_is_enabled())
39111 + curracl = task->acl;
39113 + cap_drop = curracl->cap_lower;
39114 + cap_mask = curracl->cap_mask;
39115 + cap_audit = curracl->cap_invert_audit;
39117 + while ((curracl = curracl->parent_subject)) {
39118 + /* if the cap isn't specified in the current computed mask but is specified in the
39119 + current level subject, and is lowered in the current level subject, then add
39120 + it to the set of dropped capabilities
39121 + otherwise, add the current level subject's mask to the current computed mask
39123 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39124 + cap_raise(cap_mask, cap);
39125 + if (cap_raised(curracl->cap_lower, cap))
39126 + cap_raise(cap_drop, cap);
39127 + if (cap_raised(curracl->cap_invert_audit, cap))
39128 + cap_raise(cap_audit, cap);
39132 + if (!cap_raised(cap_drop, cap)) {
39133 + if (cap_raised(cap_audit, cap))
39134 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
39138 + curracl = task->acl;
39140 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
39141 + && cap_raised(cred->cap_effective, cap)) {
39142 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
39143 + task->role->roletype, cred->uid,
39144 + cred->gid, task->exec_file ?
39145 + gr_to_filename(task->exec_file->f_path.dentry,
39146 + task->exec_file->f_path.mnt) : curracl->filename,
39147 + curracl->filename, 0UL,
39148 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
39152 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
39153 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
39158 +gr_is_capable_nolog(const int cap)
39160 + struct acl_subject_label *curracl;
39161 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
39163 + if (!gr_acl_is_enabled())
39166 + curracl = current->acl;
39168 + cap_drop = curracl->cap_lower;
39169 + cap_mask = curracl->cap_mask;
39171 + while ((curracl = curracl->parent_subject)) {
39172 + /* if the cap isn't specified in the current computed mask but is specified in the
39173 + current level subject, and is lowered in the current level subject, then add
39174 + it to the set of dropped capabilities
39175 + otherwise, add the current level subject's mask to the current computed mask
39177 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
39178 + cap_raise(cap_mask, cap);
39179 + if (cap_raised(curracl->cap_lower, cap))
39180 + cap_raise(cap_drop, cap);
39184 + if (!cap_raised(cap_drop, cap))
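Review bot: The audit branch in gr_is_capable, `gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);`, indexes captab_log with an unchecked cap, while the deny-log a few lines further down guards the very same table with `(cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0])))`. The two paths should agree: the audit condition should read `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < (sizeof(captab_log)/sizeof(captab_log[0])))` (or both checks should share one helper, e.g. built on ARRAY_SIZE/cap_valid if this tree's headers provide them, so they cannot drift apart again). Note that cap_raised/cap_raise themselves index the kernel_cap_t words by cap, so a range check placed only around the string lookup does not cover an out-of-range cap reaching the mask computation above it; if callers are trusted to pass a valid capability number, a one-line comment at the top of the function stating that precondition would make the contract explicit. As a style point, the parent_subject walk that computes cap_drop/cap_mask is duplicated verbatim between gr_is_capable and gr_is_capable_nolog and could be a single static helper that optionally also fills cap_audit.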
39190 diff -urNp linux-2.6.38.1/grsecurity/gracl_fs.c linux-2.6.38.1-new/grsecurity/gracl_fs.c
39191 --- linux-2.6.38.1/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
39192 +++ linux-2.6.38.1-new/grsecurity/gracl_fs.c 2011-03-21 18:31:35.000000000 -0400
39194 +#include <linux/kernel.h>
39195 +#include <linux/sched.h>
39196 +#include <linux/types.h>
39197 +#include <linux/fs.h>
39198 +#include <linux/file.h>
39199 +#include <linux/stat.h>
39200 +#include <linux/grsecurity.h>
39201 +#include <linux/grinternal.h>
39202 +#include <linux/gracl.h>
39205 +gr_acl_handle_hidden_file(const struct dentry * dentry,
39206 + const struct vfsmount * mnt)
39210 + if (unlikely(!dentry->d_inode))
39214 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
39216 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
39217 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39219 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
39220 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
39222 + } else if (unlikely(!(mode & GR_FIND)))
39229 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
39232 + __u32 reqmode = GR_FIND;
39235 + if (unlikely(!dentry->d_inode))
39238 + if (unlikely(fmode & O_APPEND))
39239 + reqmode |= GR_APPEND;
39240 + else if (unlikely(fmode & FMODE_WRITE))
39241 + reqmode |= GR_WRITE;
39242 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39243 + reqmode |= GR_READ;
39244 + if ((fmode & FMODE_GREXEC) && (fmode & __FMODE_EXEC))
39245 + reqmode &= ~GR_READ;
39247 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39250 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39251 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39252 + reqmode & GR_READ ? " reading" : "",
39253 + reqmode & GR_WRITE ? " writing" : reqmode &
39254 + GR_APPEND ? " appending" : "");
39257 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39259 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39260 + reqmode & GR_READ ? " reading" : "",
39261 + reqmode & GR_WRITE ? " writing" : reqmode &
39262 + GR_APPEND ? " appending" : "");
39264 + } else if (unlikely((mode & reqmode) != reqmode))
39271 +gr_acl_handle_creat(const struct dentry * dentry,
39272 + const struct dentry * p_dentry,
39273 + const struct vfsmount * p_mnt, const int fmode,
39276 + __u32 reqmode = GR_WRITE | GR_CREATE;
39279 + if (unlikely(fmode & O_APPEND))
39280 + reqmode |= GR_APPEND;
39281 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39282 + reqmode |= GR_READ;
39283 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
39284 + reqmode |= GR_SETID;
39287 + gr_check_create(dentry, p_dentry, p_mnt,
39288 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39290 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39291 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39292 + reqmode & GR_READ ? " reading" : "",
39293 + reqmode & GR_WRITE ? " writing" : reqmode &
39294 + GR_APPEND ? " appending" : "");
39297 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39299 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39300 + reqmode & GR_READ ? " reading" : "",
39301 + reqmode & GR_WRITE ? " writing" : reqmode &
39302 + GR_APPEND ? " appending" : "");
39304 + } else if (unlikely((mode & reqmode) != reqmode))
39311 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
39314 + __u32 mode, reqmode = GR_FIND;
39316 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
39317 + reqmode |= GR_EXEC;
39318 + if (fmode & S_IWOTH)
39319 + reqmode |= GR_WRITE;
39320 + if (fmode & S_IROTH)
39321 + reqmode |= GR_READ;
39324 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39327 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39328 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39329 + reqmode & GR_READ ? " reading" : "",
39330 + reqmode & GR_WRITE ? " writing" : "",
39331 + reqmode & GR_EXEC ? " executing" : "");
39334 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39336 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39337 + reqmode & GR_READ ? " reading" : "",
39338 + reqmode & GR_WRITE ? " writing" : "",
39339 + reqmode & GR_EXEC ? " executing" : "");
39341 + } else if (unlikely((mode & reqmode) != reqmode))
39347 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
39351 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
39353 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39354 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
39356 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39357 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
39359 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39362 + return (reqmode);
39366 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
39368 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
39372 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
39374 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
39378 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
39380 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
39384 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
39386 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
39390 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
39393 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
39396 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39397 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39398 + GR_FCHMOD_ACL_MSG);
39400 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
39405 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
39408 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39409 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39410 + GR_CHMOD_ACL_MSG);
39412 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
39417 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
39419 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
39423 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
39425 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
39429 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
39431 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
39435 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
39437 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
39438 + GR_UNIXCONNECT_ACL_MSG);
39441 +/* hardlinks require at minimum create permission,
39442 + any additional privilege required is based on the
39443 + privilege of the file being linked to
39446 +gr_acl_handle_link(const struct dentry * new_dentry,
39447 + const struct dentry * parent_dentry,
39448 + const struct vfsmount * parent_mnt,
39449 + const struct dentry * old_dentry,
39450 + const struct vfsmount * old_mnt, const char *to)
39453 + __u32 needmode = GR_CREATE | GR_LINK;
39454 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
39457 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
39460 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
39461 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39463 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39464 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39466 + } else if (unlikely((mode & needmode) != needmode))
39473 +gr_acl_handle_symlink(const struct dentry * new_dentry,
39474 + const struct dentry * parent_dentry,
39475 + const struct vfsmount * parent_mnt, const char *from)
39477 + __u32 needmode = GR_WRITE | GR_CREATE;
39481 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
39482 + GR_CREATE | GR_AUDIT_CREATE |
39483 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
39485 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
39486 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39488 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39489 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39491 + } else if (unlikely((mode & needmode) != needmode))
39494 + return (GR_WRITE | GR_CREATE);
39497 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
39501 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39503 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39504 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
39506 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39507 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
39509 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39512 + return (reqmode);
39516 +gr_acl_handle_mknod(const struct dentry * new_dentry,
39517 + const struct dentry * parent_dentry,
39518 + const struct vfsmount * parent_mnt,
39521 + __u32 reqmode = GR_WRITE | GR_CREATE;
39522 + if (unlikely(mode & (S_ISUID | S_ISGID)))
39523 + reqmode |= GR_SETID;
39525 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39526 + reqmode, GR_MKNOD_ACL_MSG);
39530 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
39531 + const struct dentry *parent_dentry,
39532 + const struct vfsmount *parent_mnt)
39534 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39535 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
39538 +#define RENAME_CHECK_SUCCESS(old, new) \
39539 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
39540 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
39543 +gr_acl_handle_rename(struct dentry *new_dentry,
39544 + struct dentry *parent_dentry,
39545 + const struct vfsmount *parent_mnt,
39546 + struct dentry *old_dentry,
39547 + struct inode *old_parent_inode,
39548 + struct vfsmount *old_mnt, const char *newname)
39550 + __u32 comp1, comp2;
39553 + if (unlikely(!gr_acl_is_enabled()))
39556 + if (!new_dentry->d_inode) {
39557 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
39558 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
39559 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
39560 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
39561 + GR_DELETE | GR_AUDIT_DELETE |
39562 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39563 + GR_SUPPRESS, old_mnt);
39565 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
39566 + GR_CREATE | GR_DELETE |
39567 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
39568 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39569 + GR_SUPPRESS, parent_mnt);
39571 + gr_search_file(old_dentry,
39572 + GR_READ | GR_WRITE | GR_AUDIT_READ |
39573 + GR_DELETE | GR_AUDIT_DELETE |
39574 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
39577 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
39578 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
39579 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39580 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
39581 + && !(comp2 & GR_SUPPRESS)) {
39582 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39584 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
39591 +gr_acl_handle_exit(void)
39595 + struct file *exec_file;
39597 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
39598 + id = current->acl_role_id;
39599 + rolename = current->role->rolename;
39601 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
39604 + write_lock(&grsec_exec_file_lock);
39605 + exec_file = current->exec_file;
39606 + current->exec_file = NULL;
39607 + write_unlock(&grsec_exec_file_lock);
39614 +gr_acl_handle_procpidmem(const struct task_struct *task)
39616 + if (unlikely(!gr_acl_is_enabled()))
39619 + if (task != current && task->acl->mode & GR_PROTPROCFD)
39624 diff -urNp linux-2.6.38.1/grsecurity/gracl_ip.c linux-2.6.38.1-new/grsecurity/gracl_ip.c
39625 --- linux-2.6.38.1/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
39626 +++ linux-2.6.38.1-new/grsecurity/gracl_ip.c 2011-03-21 18:31:35.000000000 -0400
39628 +#include <linux/kernel.h>
39629 +#include <asm/uaccess.h>
39630 +#include <asm/errno.h>
39631 +#include <net/sock.h>
39632 +#include <linux/file.h>
39633 +#include <linux/fs.h>
39634 +#include <linux/net.h>
39635 +#include <linux/in.h>
39636 +#include <linux/skbuff.h>
39637 +#include <linux/ip.h>
39638 +#include <linux/udp.h>
39639 +#include <linux/smp_lock.h>
39640 +#include <linux/types.h>
39641 +#include <linux/sched.h>
39642 +#include <linux/netdevice.h>
39643 +#include <linux/inetdevice.h>
39644 +#include <linux/gracl.h>
39645 +#include <linux/grsecurity.h>
39646 +#include <linux/grinternal.h>
39648 +#define GR_BIND 0x01
39649 +#define GR_CONNECT 0x02
39650 +#define GR_INVERT 0x04
39651 +#define GR_BINDOVERRIDE 0x08
39652 +#define GR_CONNECTOVERRIDE 0x10
39653 +#define GR_SOCK_FAMILY 0x20
39655 +static const char * gr_protocols[IPPROTO_MAX] = {
39656 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
39657 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
39658 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
39659 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
39660 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
39661 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
39662 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
39663 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
39664 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
39665 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
39666 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
39667 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
39668 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
39669 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
39670 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
39671 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
39672 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
39673 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
39674 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
39675 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
39676 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
39677 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
39678 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
39679 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
39680 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
39681 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
39682 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
39683 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
39684 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
39685 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
39686 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
39687 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
39690 +static const char * gr_socktypes[SOCK_MAX] = {
39691 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
39692 + "unknown:7", "unknown:8", "unknown:9", "packet"
39695 +static const char * gr_sockfamilies[AF_MAX+1] = {
39696 + "unspec", "unix", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
39697 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "packet", "ash",
39698 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "fam_27", "fam_28",
39699 + "tipc", "bluetooth", "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
39703 +gr_proto_to_name(unsigned char proto)
39705 + return gr_protocols[proto];
39709 +gr_socktype_to_name(unsigned char type)
39711 + return gr_socktypes[type];
39715 +gr_sockfamily_to_name(unsigned char family)
39717 + return gr_sockfamilies[family];
39721 +gr_search_socket(const int domain, const int type, const int protocol)
39723 + struct acl_subject_label *curr;
39724 + const struct cred *cred = current_cred();
39726 + if (unlikely(!gr_acl_is_enabled()))
39729 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
39730 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
39731 + goto exit; // let the kernel handle it
39733 + curr = current->acl;
39735 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
39736 + /* the family is allowed, if this is PF_INET allow it only if
39737 + the extra sock type/protocol checks pass */
39738 + if (domain == PF_INET)
39742 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39743 + __u32 fakeip = 0;
39744 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39745 + current->role->roletype, cred->uid,
39746 + cred->gid, current->exec_file ?
39747 + gr_to_filename(current->exec_file->f_path.dentry,
39748 + current->exec_file->f_path.mnt) :
39749 + curr->filename, curr->filename,
39750 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
39751 + ¤t->signal->saved_ip);
39758 + /* the rest of this checking is for IPv4 only */
39762 + if ((curr->ip_type & (1 << type)) &&
39763 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
39766 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39767 + /* we don't place acls on raw sockets , and sometimes
39768 + dgram/ip sockets are opened for ioctl and not
39769 + bind/connect, so we'll fake a bind learn log */
39770 + if (type == SOCK_RAW || type == SOCK_PACKET) {
39771 + __u32 fakeip = 0;
39772 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39773 + current->role->roletype, cred->uid,
39774 + cred->gid, current->exec_file ?
39775 + gr_to_filename(current->exec_file->f_path.dentry,
39776 + current->exec_file->f_path.mnt) :
39777 + curr->filename, curr->filename,
39778 + &fakeip, 0, type,
39779 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
39780 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
39781 + __u32 fakeip = 0;
39782 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39783 + current->role->roletype, cred->uid,
39784 + cred->gid, current->exec_file ?
39785 + gr_to_filename(current->exec_file->f_path.dentry,
39786 + current->exec_file->f_path.mnt) :
39787 + curr->filename, curr->filename,
39788 + &fakeip, 0, type,
39789 + protocol, GR_BIND, ¤t->signal->saved_ip);
39791 + /* we'll log when they use connect or bind */
39796 + if (domain == PF_INET)
39797 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
39798 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
39800 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(domain),
39801 + gr_socktype_to_name(type), protocol);
39808 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
39810 + if ((ip->mode & mode) &&
39811 + (ip_port >= ip->low) &&
39812 + (ip_port <= ip->high) &&
39813 + ((ntohl(ip_addr) & our_netmask) ==
39814 + (ntohl(our_addr) & our_netmask))
39815 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
39816 + && (ip->type & (1 << type))) {
39817 + if (ip->mode & GR_INVERT)
39818 + return 2; // specifically denied
39820 + return 1; // allowed
39823 + return 0; // not specifically allowed, may continue parsing
39827 +gr_search_connectbind(const int full_mode, struct sock *sk,
39828 + struct sockaddr_in *addr, const int type)
39830 + char iface[IFNAMSIZ] = {0};
39831 + struct acl_subject_label *curr;
39832 + struct acl_ip_label *ip;
39833 + struct inet_sock *isk;
39834 + struct net_device *dev;
39835 + struct in_device *idev;
39838 + int mode = full_mode & (GR_BIND | GR_CONNECT);
39839 + __u32 ip_addr = 0;
39841 + __u32 our_netmask;
39843 + __u16 ip_port = 0;
39844 + const struct cred *cred = current_cred();
39846 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
39849 + curr = current->acl;
39850 + isk = inet_sk(sk);
39852 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
39853 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
39854 + addr->sin_addr.s_addr = curr->inaddr_any_override;
39855 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
39856 + struct sockaddr_in saddr;
39859 + saddr.sin_family = AF_INET;
39860 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
39861 + saddr.sin_port = isk->inet_sport;
39863 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39867 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39875 + ip_addr = addr->sin_addr.s_addr;
39876 + ip_port = ntohs(addr->sin_port);
39878 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39879 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39880 + current->role->roletype, cred->uid,
39881 + cred->gid, current->exec_file ?
39882 + gr_to_filename(current->exec_file->f_path.dentry,
39883 + current->exec_file->f_path.mnt) :
39884 + curr->filename, curr->filename,
39885 + &ip_addr, ip_port, type,
39886 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
39890 + for (i = 0; i < curr->ip_num; i++) {
39891 + ip = *(curr->ips + i);
39892 + if (ip->iface != NULL) {
39893 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
39894 + p = strchr(iface, ':');
39897 + dev = dev_get_by_name(sock_net(sk), iface);
39900 + idev = in_dev_get(dev);
39901 + if (idev == NULL) {
39907 + if (!strcmp(ip->iface, ifa->ifa_label)) {
39908 + our_addr = ifa->ifa_address;
39909 + our_netmask = 0xffffffff;
39910 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39912 + rcu_read_unlock();
39913 + in_dev_put(idev);
39916 + } else if (ret == 2) {
39917 + rcu_read_unlock();
39918 + in_dev_put(idev);
39923 + } endfor_ifa(idev);
39924 + rcu_read_unlock();
39925 + in_dev_put(idev);
39928 + our_addr = ip->addr;
39929 + our_netmask = ip->netmask;
39930 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39933 + else if (ret == 2)
39939 + if (mode == GR_BIND)
39940 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39941 + else if (mode == GR_CONNECT)
39942 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39948 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
39950 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
39954 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
39956 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
39959 +int gr_search_listen(struct socket *sock)
39961 + struct sock *sk = sock->sk;
39962 + struct sockaddr_in addr;
39964 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39965 + addr.sin_port = inet_sk(sk)->inet_sport;
39967 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39970 +int gr_search_accept(struct socket *sock)
39972 + struct sock *sk = sock->sk;
39973 + struct sockaddr_in addr;
39975 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39976 + addr.sin_port = inet_sk(sk)->inet_sport;
39978 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39982 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
39985 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
39987 + struct sockaddr_in sin;
39988 + const struct inet_sock *inet = inet_sk(sk);
39990 + sin.sin_addr.s_addr = inet->inet_daddr;
39991 + sin.sin_port = inet->inet_dport;
39993 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
39998 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
40000 + struct sockaddr_in sin;
40002 + if (unlikely(skb->len < sizeof (struct udphdr)))
40003 + return 0; // skip this packet
40005 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
40006 + sin.sin_port = udp_hdr(skb)->source;
40008 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
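Review bot: `gr_sockfamily_to_name` can hand a NULL pointer to the logging calls at the end of `gr_search_socket`: `gr_sockfamilies` is declared with `AF_MAX+1` slots but its initializer stops at `"ciaf"`, so a family value that passes the `domain >= AF_MAX` bounds check yet lies past the listed names indexes a zero-filled slot, and that NULL is then passed to `gr_log_str3` / `gr_log_str2_int`; whether those helpers tolerate a NULL string argument is not visible in this hunk. A one-line fallback in the helper removes the dependency: `return gr_sockfamilies[family] ? gr_sockfamilies[family] : "unknown";`. Two of the table strings also look mistyped (`"unkown:134"`, and `"ciaf"` is presumably meant to be `"caif"`); since they end up in log lines, anyone matching on them will want the spelling settled now rather than after deployment.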
40010 diff -urNp linux-2.6.38.1/grsecurity/gracl_learn.c linux-2.6.38.1-new/grsecurity/gracl_learn.c
40011 --- linux-2.6.38.1/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
40012 +++ linux-2.6.38.1-new/grsecurity/gracl_learn.c 2011-03-21 18:31:35.000000000 -0400
40014 +#include <linux/kernel.h>
40015 +#include <linux/mm.h>
40016 +#include <linux/sched.h>
40017 +#include <linux/poll.h>
40018 +#include <linux/smp_lock.h>
40019 +#include <linux/string.h>
40020 +#include <linux/file.h>
40021 +#include <linux/types.h>
40022 +#include <linux/vmalloc.h>
40023 +#include <linux/grinternal.h>
40025 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
40026 + size_t count, loff_t *ppos);
40027 +extern int gr_acl_is_enabled(void);
40029 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
40030 +static int gr_learn_attached;
40032 +/* use a 512k buffer */
40033 +#define LEARN_BUFFER_SIZE (512 * 1024)
40035 +static DEFINE_SPINLOCK(gr_learn_lock);
40036 +static DEFINE_MUTEX(gr_learn_user_mutex);
40038 +/* we need to maintain two buffers, so that the kernel context of grlearn
40039 + uses a semaphore around the userspace copying, and the other kernel contexts
40040 + use a spinlock when copying into the buffer, since they cannot sleep
40042 +static char *learn_buffer;
40043 +static char *learn_buffer_user;
40044 +static int learn_buffer_len;
40045 +static int learn_buffer_user_len;
40048 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
40050 + DECLARE_WAITQUEUE(wait, current);
40051 + ssize_t retval = 0;
40053 + add_wait_queue(&learn_wait, &wait);
40054 + set_current_state(TASK_INTERRUPTIBLE);
40056 + mutex_lock(&gr_learn_user_mutex);
40057 + spin_lock(&gr_learn_lock);
40058 + if (learn_buffer_len)
40060 + spin_unlock(&gr_learn_lock);
40061 + mutex_unlock(&gr_learn_user_mutex);
40062 + if (file->f_flags & O_NONBLOCK) {
40063 + retval = -EAGAIN;
40066 + if (signal_pending(current)) {
40067 + retval = -ERESTARTSYS;
40074 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
40075 + learn_buffer_user_len = learn_buffer_len;
40076 + retval = learn_buffer_len;
40077 + learn_buffer_len = 0;
40079 + spin_unlock(&gr_learn_lock);
40081 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
40082 + retval = -EFAULT;
40084 + mutex_unlock(&gr_learn_user_mutex);
40086 + set_current_state(TASK_RUNNING);
40087 + remove_wait_queue(&learn_wait, &wait);
40091 +static unsigned int
40092 +poll_learn(struct file * file, poll_table * wait)
40094 + poll_wait(file, &learn_wait, wait);
40096 + if (learn_buffer_len)
40097 + return (POLLIN | POLLRDNORM);
40103 +gr_clear_learn_entries(void)
40107 + mutex_lock(&gr_learn_user_mutex);
40108 + if (learn_buffer != NULL) {
40109 + spin_lock(&gr_learn_lock);
40110 + tmp = learn_buffer;
40111 + learn_buffer = NULL;
40112 + spin_unlock(&gr_learn_lock);
40113 + vfree(learn_buffer);
40115 + if (learn_buffer_user != NULL) {
40116 + vfree(learn_buffer_user);
40117 + learn_buffer_user = NULL;
40119 + learn_buffer_len = 0;
40120 + mutex_unlock(&gr_learn_user_mutex);
40126 +gr_add_learn_entry(const char *fmt, ...)
40129 + unsigned int len;
40131 + if (!gr_learn_attached)
40134 + spin_lock(&gr_learn_lock);
40136 + /* leave a gap at the end so we know when it's "full" but don't have to
40137 + compute the exact length of the string we're trying to append
40139 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
40140 + spin_unlock(&gr_learn_lock);
40141 + wake_up_interruptible(&learn_wait);
40144 + if (learn_buffer == NULL) {
40145 + spin_unlock(&gr_learn_lock);
40149 + va_start(args, fmt);
40150 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
40153 + learn_buffer_len += len + 1;
40155 + spin_unlock(&gr_learn_lock);
40156 + wake_up_interruptible(&learn_wait);
40162 +open_learn(struct inode *inode, struct file *file)
40164 + if (file->f_mode & FMODE_READ && gr_learn_attached)
40166 + if (file->f_mode & FMODE_READ) {
40168 + mutex_lock(&gr_learn_user_mutex);
40169 + if (learn_buffer == NULL)
40170 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
40171 + if (learn_buffer_user == NULL)
40172 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
40173 + if (learn_buffer == NULL) {
40174 + retval = -ENOMEM;
40177 + if (learn_buffer_user == NULL) {
40178 + retval = -ENOMEM;
40181 + learn_buffer_len = 0;
40182 + learn_buffer_user_len = 0;
40183 + gr_learn_attached = 1;
40185 + mutex_unlock(&gr_learn_user_mutex);
40192 +close_learn(struct inode *inode, struct file *file)
40196 + if (file->f_mode & FMODE_READ) {
40197 + mutex_lock(&gr_learn_user_mutex);
40198 + if (learn_buffer != NULL) {
40199 + spin_lock(&gr_learn_lock);
40200 + tmp = learn_buffer;
40201 + learn_buffer = NULL;
40202 + spin_unlock(&gr_learn_lock);
40205 + if (learn_buffer_user != NULL) {
40206 + vfree(learn_buffer_user);
40207 + learn_buffer_user = NULL;
40209 + learn_buffer_len = 0;
40210 + learn_buffer_user_len = 0;
40211 + gr_learn_attached = 0;
40212 + mutex_unlock(&gr_learn_user_mutex);
40218 +const struct file_operations grsec_fops = {
40219 + .read = read_learn,
40220 + .write = write_grsec_handler,
40221 + .open = open_learn,
40222 + .release = close_learn,
40223 + .poll = poll_learn,
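Review bot: `gr_clear_learn_entries` leaks the learning buffer: it saves `learn_buffer` into `tmp`, sets `learn_buffer = NULL` under the spinlock, and then calls `vfree(learn_buffer)`, which at that point frees NULL and is a no-op, so the 512K allocation is never released. The line should read `vfree(tmp);`, the same shape `close_learn` uses (its free line falls outside the lines shown). Separately, in `gr_add_learn_entry` the value `vsnprintf` returns is the would-be length rather than the bytes actually written, so `learn_buffer_len += len + 1` can advance past `LEARN_BUFFER_SIZE` when a single entry exceeds the 16K slack the guard leaves; `read_learn` then copies `learn_buffer_len` bytes with `memcpy(learn_buffer_user, learn_buffer, learn_buffer_len)`, past the end of both buffers. Dropping the entry when `len >= LEARN_BUFFER_SIZE - learn_buffer_len` (or clamping `len` to the remaining space before the add) closes that.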
40225 diff -urNp linux-2.6.38.1/grsecurity/gracl_res.c linux-2.6.38.1-new/grsecurity/gracl_res.c
40226 --- linux-2.6.38.1/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
40227 +++ linux-2.6.38.1-new/grsecurity/gracl_res.c 2011-03-21 18:31:35.000000000 -0400
40229 +#include <linux/kernel.h>
40230 +#include <linux/sched.h>
40231 +#include <linux/gracl.h>
40232 +#include <linux/grinternal.h>
40234 +static const char *restab_log[] = {
40235 + [RLIMIT_CPU] = "RLIMIT_CPU",
40236 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
40237 + [RLIMIT_DATA] = "RLIMIT_DATA",
40238 + [RLIMIT_STACK] = "RLIMIT_STACK",
40239 + [RLIMIT_CORE] = "RLIMIT_CORE",
40240 + [RLIMIT_RSS] = "RLIMIT_RSS",
40241 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
40242 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
40243 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
40244 + [RLIMIT_AS] = "RLIMIT_AS",
40245 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
40246 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
40247 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
40248 + [RLIMIT_NICE] = "RLIMIT_NICE",
40249 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
40250 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
40251 + [GR_CRASH_RES] = "RLIMIT_CRASH"
40255 +gr_log_resource(const struct task_struct *task,
40256 + const int res, const unsigned long wanted, const int gt)
40258 + const struct cred *cred;
40259 + unsigned long rlim;
40261 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
40264 + // not yet supported resource
40265 + if (unlikely(!restab_log[res]))
40268 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
40269 + rlim = task_rlimit_max(task, res);
40271 + rlim = task_rlimit(task, res);
40273 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
40277 + cred = __task_cred(task);
40279 + if (res == RLIMIT_NPROC &&
40280 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
40281 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
40282 + goto out_rcu_unlock;
40283 + else if (res == RLIMIT_MEMLOCK &&
40284 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
40285 + goto out_rcu_unlock;
40286 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
40287 + goto out_rcu_unlock;
40288 + rcu_read_unlock();
40290 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
40294 + rcu_read_unlock();
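Review bot: `gr_log_resource` tests only `restab_log[res]` for NULL before using `res` as an index, so the lookup relies on every caller passing a value below the table's length (presumably `GR_CRASH_RES + 1` entries, given the designated initializers); a negative or too-large `res` would read outside `restab_log` before any check runs, and the same `res` is also fed to `task_rlimit`/`task_rlimit_max`. Since `res` is a plain `int` parameter and the callers live outside this file, an explicit range test costs nothing: `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))` in place of the current NULL test. The `// not yet supported resource` comment would then also cover out-of-range values.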
40297 diff -urNp linux-2.6.38.1/grsecurity/gracl_segv.c linux-2.6.38.1-new/grsecurity/gracl_segv.c
40298 --- linux-2.6.38.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
40299 +++ linux-2.6.38.1-new/grsecurity/gracl_segv.c 2011-03-24 23:09:37.000000000 -0400
40301 +#include <linux/kernel.h>
40302 +#include <linux/mm.h>
40303 +#include <asm/uaccess.h>
40304 +#include <asm/errno.h>
40305 +#include <asm/mman.h>
40306 +#include <net/sock.h>
40307 +#include <linux/file.h>
40308 +#include <linux/fs.h>
40309 +#include <linux/net.h>
40310 +#include <linux/in.h>
40311 +#include <linux/smp_lock.h>
40312 +#include <linux/slab.h>
40313 +#include <linux/types.h>
40314 +#include <linux/sched.h>
40315 +#include <linux/timer.h>
40316 +#include <linux/gracl.h>
40317 +#include <linux/grsecurity.h>
40318 +#include <linux/grinternal.h>
40320 +static struct crash_uid *uid_set;
40321 +static unsigned short uid_used;
40322 +static DEFINE_SPINLOCK(gr_uid_lock);
40323 +extern rwlock_t gr_inode_lock;
40324 +extern struct acl_subject_label *
40325 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
40326 + struct acl_role_label *role);
40327 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
40330 +#ifdef CONFIG_BTRFS_FS
40331 +extern dev_t get_btrfs_dev_from_inode(struct inode *inode);
40332 +extern int btrfs_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat);
40335 +static inline dev_t __get_dev(const struct dentry *dentry)
40337 +#ifdef CONFIG_BTRFS_FS
40338 + if (dentry->d_inode->i_op && dentry->d_inode->i_op->getattr == &btrfs_getattr)
40339 + return get_btrfs_dev_from_inode(dentry->d_inode);
40342 + return dentry->d_inode->i_sb->s_dev;
40346 +gr_init_uidset(void)
40349 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
40352 + return uid_set ? 1 : 0;
40356 +gr_free_uidset(void)
40365 +gr_find_uid(const uid_t uid)
40367 + struct crash_uid *tmp = uid_set;
40369 + int low = 0, high = uid_used - 1, mid;
40371 + while (high >= low) {
40372 + mid = (low + high) >> 1;
40373 + buid = tmp[mid].uid;
40385 +static __inline__ void
40386 +gr_insertsort(void)
40388 + unsigned short i, j;
40389 + struct crash_uid index;
40391 + for (i = 1; i < uid_used; i++) {
40392 + index = uid_set[i];
40394 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
40395 + uid_set[j] = uid_set[j - 1];
40398 + uid_set[j] = index;
40404 +static __inline__ void
40405 +gr_insert_uid(const uid_t uid, const unsigned long expires)
40409 + if (uid_used == GR_UIDTABLE_MAX)
40412 + loc = gr_find_uid(uid);
40415 + uid_set[loc].expires = expires;
40419 + uid_set[uid_used].uid = uid;
40420 + uid_set[uid_used].expires = expires;
40429 +gr_remove_uid(const unsigned short loc)
40431 + unsigned short i;
40433 + for (i = loc + 1; i < uid_used; i++)
40434 + uid_set[i - 1] = uid_set[i];
40442 +gr_check_crash_uid(const uid_t uid)
40447 + if (unlikely(!gr_acl_is_enabled()))
40450 + spin_lock(&gr_uid_lock);
40451 + loc = gr_find_uid(uid);
40456 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
40457 + gr_remove_uid(loc);
40462 + spin_unlock(&gr_uid_lock);
40466 +static __inline__ int
40467 +proc_is_setxid(const struct cred *cred)
40469 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
40470 + cred->uid != cred->fsuid)
40472 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
40473 + cred->gid != cred->fsgid)
40478 +static __inline__ int
40479 +gr_fake_force_sig(int sig, struct task_struct *t)
40481 + unsigned long int flags;
40482 + int ret, blocked, ignored;
40483 + struct k_sigaction *action;
40485 + spin_lock_irqsave(&t->sighand->siglock, flags);
40486 + action = &t->sighand->action[sig-1];
40487 + ignored = action->sa.sa_handler == SIG_IGN;
40488 + blocked = sigismember(&t->blocked, sig);
40489 + if (blocked || ignored) {
40490 + action->sa.sa_handler = SIG_DFL;
40492 + sigdelset(&t->blocked, sig);
40493 + recalc_sigpending_and_wake(t);
40496 + if (action->sa.sa_handler == SIG_DFL)
40497 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
40498 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
40500 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
40506 +gr_handle_crash(struct task_struct *task, const int sig)
40508 + struct acl_subject_label *curr;
40509 + struct acl_subject_label *curr2;
40510 + struct task_struct *tsk, *tsk2;
40511 + const struct cred *cred;
40512 + const struct cred *cred2;
40514 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
40517 + if (unlikely(!gr_acl_is_enabled()))
40520 + curr = task->acl;
40522 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
40525 + if (time_before_eq(curr->expires, get_seconds())) {
40526 + curr->expires = 0;
40527 + curr->crashes = 0;
40532 + if (!curr->expires)
40533 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
40535 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40536 + time_after(curr->expires, get_seconds())) {
40538 + cred = __task_cred(task);
40539 + if (cred->uid && proc_is_setxid(cred)) {
40540 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40541 + spin_lock(&gr_uid_lock);
40542 + gr_insert_uid(cred->uid, curr->expires);
40543 + spin_unlock(&gr_uid_lock);
40544 + curr->expires = 0;
40545 + curr->crashes = 0;
40546 + read_lock(&tasklist_lock);
40547 + do_each_thread(tsk2, tsk) {
40548 + cred2 = __task_cred(tsk);
40549 + if (tsk != task && cred2->uid == cred->uid)
40550 + gr_fake_force_sig(SIGKILL, tsk);
40551 + } while_each_thread(tsk2, tsk);
40552 + read_unlock(&tasklist_lock);
40554 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40555 + read_lock(&tasklist_lock);
40556 + do_each_thread(tsk2, tsk) {
40557 + if (likely(tsk != task)) {
40558 + curr2 = tsk->acl;
40560 + if (curr2->device == curr->device &&
40561 + curr2->inode == curr->inode)
40562 + gr_fake_force_sig(SIGKILL, tsk);
40564 + } while_each_thread(tsk2, tsk);
40565 + read_unlock(&tasklist_lock);
40567 + rcu_read_unlock();
40574 +gr_check_crash_exec(const struct file *filp)
40576 + struct acl_subject_label *curr;
40578 + if (unlikely(!gr_acl_is_enabled()))
40581 + read_lock(&gr_inode_lock);
40582 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
40583 + __get_dev(filp->f_path.dentry),
40585 + read_unlock(&gr_inode_lock);
40587 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
40588 + (!curr->crashes && !curr->expires))
40591 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40592 + time_after(curr->expires, get_seconds()))
40594 + else if (time_before_eq(curr->expires, get_seconds())) {
40595 + curr->crashes = 0;
40596 + curr->expires = 0;
40603 +gr_handle_alertkill(struct task_struct *task)
40605 + struct acl_subject_label *curracl;
40607 + struct task_struct *p, *p2;
40609 + if (unlikely(!gr_acl_is_enabled()))
40612 + curracl = task->acl;
40613 + curr_ip = task->signal->curr_ip;
40615 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
40616 + read_lock(&tasklist_lock);
40617 + do_each_thread(p2, p) {
40618 + if (p->signal->curr_ip == curr_ip)
40619 + gr_fake_force_sig(SIGKILL, p);
40620 + } while_each_thread(p2, p);
40621 + read_unlock(&tasklist_lock);
40622 + } else if (curracl->mode & GR_KILLPROC)
40623 + gr_fake_force_sig(SIGKILL, task);
40627 diff -urNp linux-2.6.38.1/grsecurity/gracl_shm.c linux-2.6.38.1-new/grsecurity/gracl_shm.c
40628 --- linux-2.6.38.1/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
40629 +++ linux-2.6.38.1-new/grsecurity/gracl_shm.c 2011-03-21 18:31:35.000000000 -0400
40631 +#include <linux/kernel.h>
40632 +#include <linux/mm.h>
40633 +#include <linux/sched.h>
40634 +#include <linux/file.h>
40635 +#include <linux/ipc.h>
40636 +#include <linux/gracl.h>
40637 +#include <linux/grsecurity.h>
40638 +#include <linux/grinternal.h>
40641 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40642 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40644 + struct task_struct *task;
40646 + if (!gr_acl_is_enabled())
40650 + read_lock(&tasklist_lock);
40652 + task = find_task_by_vpid(shm_cprid);
40654 + if (unlikely(!task))
40655 + task = find_task_by_vpid(shm_lapid);
40657 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
40658 + (task->pid == shm_lapid)) &&
40659 + (task->acl->mode & GR_PROTSHM) &&
40660 + (task->acl != current->acl))) {
40661 + read_unlock(&tasklist_lock);
40662 + rcu_read_unlock();
40663 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
40666 + read_unlock(&tasklist_lock);
40667 + rcu_read_unlock();
40671 diff -urNp linux-2.6.38.1/grsecurity/grsec_chdir.c linux-2.6.38.1-new/grsecurity/grsec_chdir.c
40672 --- linux-2.6.38.1/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
40673 +++ linux-2.6.38.1-new/grsecurity/grsec_chdir.c 2011-03-21 18:31:35.000000000 -0400
40675 +#include <linux/kernel.h>
40676 +#include <linux/sched.h>
40677 +#include <linux/fs.h>
40678 +#include <linux/file.h>
40679 +#include <linux/grsecurity.h>
40680 +#include <linux/grinternal.h>
40683 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
40685 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40686 + if ((grsec_enable_chdir && grsec_enable_group &&
40687 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
40688 + !grsec_enable_group)) {
40689 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
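Review bot: The enable test in gr_log_chdir, `(grsec_enable_chdir && grsec_enable_group && in_group_p(grsec_audit_gid)) || (grsec_enable_chdir && !grsec_enable_group)`, evaluates `grsec_enable_chdir` twice and hides the rule it encodes; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` is logically equivalent and reads as "auditing on, and either not group-restricted or caller is in the audit group". The same shape recurs in gr_handle_exec_args and gr_handle_exec_args_compat in grsec_exec.c with `grsec_enable_execlog`, and could be simplified identically there.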
40694 diff -urNp linux-2.6.38.1/grsecurity/grsec_chroot.c linux-2.6.38.1-new/grsecurity/grsec_chroot.c
40695 --- linux-2.6.38.1/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
40696 +++ linux-2.6.38.1-new/grsecurity/grsec_chroot.c 2011-03-21 21:24:10.000000000 -0400
40698 +#include <linux/kernel.h>
40699 +#include <linux/module.h>
40700 +#include <linux/sched.h>
40701 +#include <linux/file.h>
40702 +#include <linux/fs.h>
40703 +#include <linux/mount.h>
40704 +#include <linux/types.h>
40705 +#include <linux/pid_namespace.h>
40706 +#include <linux/grsecurity.h>
40707 +#include <linux/grinternal.h>
40709 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
40711 +#ifdef CONFIG_GRKERNSEC
40712 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
40713 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
40714 + task->gr_is_chrooted = 1;
40716 + task->gr_is_chrooted = 0;
40718 + task->gr_chroot_dentry = path->dentry;
40723 +void gr_clear_chroot_entries(struct task_struct *task)
40725 +#ifdef CONFIG_GRKERNSEC
40726 + task->gr_is_chrooted = 0;
40727 + task->gr_chroot_dentry = NULL;
40733 +gr_handle_chroot_unix(struct pid *pid)
40735 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40736 + struct task_struct *p;
40738 + if (unlikely(!grsec_enable_chroot_unix))
40741 + if (likely(!proc_is_chrooted(current)))
40745 + read_lock(&tasklist_lock);
40746 + p = pid_task(pid, PIDTYPE_PID);
40747 + if (unlikely(!have_same_root(current, p))) {
40748 + read_unlock(&tasklist_lock);
40749 + rcu_read_unlock();
40750 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
40753 + read_unlock(&tasklist_lock);
40754 + rcu_read_unlock();
40760 +gr_handle_chroot_nice(void)
40762 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40763 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
40764 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
40772 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
40774 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40775 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
40776 + && proc_is_chrooted(current)) {
40777 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
40785 +gr_handle_chroot_rawio(const struct inode *inode)
40787 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40788 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
40789 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
40796 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
40798 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40799 + struct task_struct *p;
40801 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
40804 + read_lock(&tasklist_lock);
40805 + do_each_pid_task(pid, type, p) {
40806 + if (!have_same_root(current, p)) {
40810 + } while_each_pid_task(pid, type, p);
40812 + read_unlock(&tasklist_lock);
40819 +gr_pid_is_chrooted(struct task_struct *p)
40821 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40822 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
40825 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
40826 + !have_same_root(current, p)) {
40833 +EXPORT_SYMBOL(gr_pid_is_chrooted);
40835 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
40836 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
40838 + struct path path, currentroot;
40841 + path.dentry = (struct dentry *)u_dentry;
40842 + path.mnt = (struct vfsmount *)u_mnt;
40843 + get_fs_root(current->fs, ¤troot);
40844 + if (path_is_under(&path, ¤troot))
40846 + path_put(¤troot);
40853 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
40855 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40856 + if (!grsec_enable_chroot_fchdir)
40859 + if (!proc_is_chrooted(current))
40861 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
40862 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
40870 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40871 + const time_t shm_createtime)
40873 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40874 + struct pid *pid = NULL;
40875 + time_t starttime;
40877 + if (unlikely(!grsec_enable_chroot_shmat))
40880 + if (likely(!proc_is_chrooted(current)))
40884 + read_lock(&tasklist_lock);
40886 + pid = find_vpid(shm_cprid);
40888 + struct task_struct *p;
40889 + p = pid_task(pid, PIDTYPE_PID);
40890 + starttime = p->start_time.tv_sec;
40891 + if (unlikely(!have_same_root(current, p) &&
40892 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
40893 + read_unlock(&tasklist_lock);
40894 + rcu_read_unlock();
40895 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40899 + pid = find_vpid(shm_lapid);
40901 + struct task_struct *p;
40902 + p = pid_task(pid, PIDTYPE_PID);
40903 + if (unlikely(!have_same_root(current, p))) {
40904 + read_unlock(&tasklist_lock);
40905 + rcu_read_unlock();
40906 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40912 + read_unlock(&tasklist_lock);
40913 + rcu_read_unlock();
40919 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
40921 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40922 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
40923 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
40929 +gr_handle_chroot_mknod(const struct dentry *dentry,
40930 + const struct vfsmount *mnt, const int mode)
40932 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40933 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
40934 + proc_is_chrooted(current)) {
40935 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
40943 +gr_handle_chroot_mount(const struct dentry *dentry,
40944 + const struct vfsmount *mnt, const char *dev_name)
40946 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40947 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
40948 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
40956 +gr_handle_chroot_pivot(void)
40958 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40959 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
40960 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
40968 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
40970 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40971 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
40972 + !gr_is_outside_chroot(dentry, mnt)) {
40973 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
40981 +gr_handle_chroot_caps(struct path *path)
40983 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40984 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
40985 + (init_task.fs->root.dentry != path->dentry) &&
40986 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
40988 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
40989 + const struct cred *old = current_cred();
40990 + struct cred *new = prepare_creds();
40994 + new->cap_permitted = cap_drop(old->cap_permitted,
40996 + new->cap_inheritable = cap_drop(old->cap_inheritable,
40998 + new->cap_effective = cap_drop(old->cap_effective,
41001 + commit_creds(new);
41010 +gr_handle_chroot_sysctl(const int op)
41012 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41013 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
41014 + proc_is_chrooted(current))
41021 +gr_handle_chroot_chdir(struct path *path)
41023 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41024 + if (grsec_enable_chroot_chdir)
41025 + set_fs_pwd(current->fs, path);
41031 +gr_handle_chroot_chmod(const struct dentry *dentry,
41032 + const struct vfsmount *mnt, const int mode)
41034 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41035 + /* allow chmod +s on directories, but not files */
41036 + if (grsec_enable_chroot_chmod && !S_ISDIR(dentry->d_inode->i_mode) &&
41037 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
41038 + proc_is_chrooted(current)) {
41039 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
41046 +#ifdef CONFIG_SECURITY
41047 +EXPORT_SYMBOL(gr_handle_chroot_caps);
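Review bot: In gr_chroot_shmat, `p = pid_task(pid, PIDTYPE_PID);` is followed directly by `starttime = p->start_time.tv_sec;`, but pid_task() returns NULL when the struct pid has no task of that type attached (a creator in the middle of exiting whose pid is still held as a pgid/sid), so a shmat racing with the creator's exit can dereference NULL under tasklist_lock; `if (p && unlikely(!have_same_root(current, p) && time_before_eq(...)))` closes it. The second lookup via `shm_lapid` and the `pid_task()` in gr_handle_chroot_unix pass a possibly NULL `p` to have_same_root() the same way unless that helper tolerates NULL, which is not visible here. The `if (pid)` guard presumably sits in a line dropped from this rendering, but it does not cover the task pointer; likewise the NULL check after `prepare_creds()` in gr_handle_chroot_caps falls in a dropped line and could not be verified. `¤troot` in gr_is_outside_chroot reads as an HTML-entity mangling of `&currentroot` by the extraction, not as source text.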
41049 diff -urNp linux-2.6.38.1/grsecurity/grsec_disabled.c linux-2.6.38.1-new/grsecurity/grsec_disabled.c
41050 --- linux-2.6.38.1/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
41051 +++ linux-2.6.38.1-new/grsecurity/grsec_disabled.c 2011-03-21 18:31:35.000000000 -0400
41053 +#include <linux/kernel.h>
41054 +#include <linux/module.h>
41055 +#include <linux/sched.h>
41056 +#include <linux/file.h>
41057 +#include <linux/fs.h>
41058 +#include <linux/kdev_t.h>
41059 +#include <linux/net.h>
41060 +#include <linux/in.h>
41061 +#include <linux/ip.h>
41062 +#include <linux/skbuff.h>
41063 +#include <linux/sysctl.h>
41065 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
41067 +pax_set_initial_flags(struct linux_binprm *bprm)
41073 +#ifdef CONFIG_SYSCTL
41075 +gr_handle_sysctl(const struct ctl_table * table, const int op)
41081 +#ifdef CONFIG_TASKSTATS
41082 +int gr_is_taskstats_denied(int pid)
41089 +gr_acl_is_enabled(void)
41095 +gr_handle_rawio(const struct inode *inode)
41101 +gr_acl_handle_psacct(struct task_struct *task, const long code)
41107 +gr_handle_ptrace(struct task_struct *task, const long request)
41113 +gr_handle_proc_ptrace(struct task_struct *task)
41119 +gr_learn_resource(const struct task_struct *task,
41120 + const int res, const unsigned long wanted, const int gt)
41126 +gr_set_acls(const int type)
41132 +gr_check_hidden_task(const struct task_struct *tsk)
41138 +gr_check_protected_task(const struct task_struct *task)
41144 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
41150 +gr_copy_label(struct task_struct *tsk)
41156 +gr_set_pax_flags(struct task_struct *task)
41162 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
41163 + const int unsafe_share)
41169 +gr_handle_delete(const ino_t ino, const dev_t dev)
41175 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
41181 +gr_handle_crash(struct task_struct *task, const int sig)
41187 +gr_check_crash_exec(const struct file *filp)
41193 +gr_check_crash_uid(const uid_t uid)
41199 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
41200 + struct dentry *old_dentry,
41201 + struct dentry *new_dentry,
41202 + struct vfsmount *mnt, const __u8 replace)
41208 +gr_search_socket(const int family, const int type, const int protocol)
41214 +gr_search_connectbind(const int mode, const struct socket *sock,
41215 + const struct sockaddr_in *addr)
41221 +gr_is_capable(const int cap)
41227 +gr_is_capable_nolog(const int cap)
41233 +gr_handle_alertkill(struct task_struct *task)
41239 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
41245 +gr_acl_handle_hidden_file(const struct dentry * dentry,
41246 + const struct vfsmount * mnt)
41252 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
41259 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
41265 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
41271 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
41272 + unsigned int *vm_flags)
41278 +gr_acl_handle_truncate(const struct dentry * dentry,
41279 + const struct vfsmount * mnt)
41285 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
41291 +gr_acl_handle_access(const struct dentry * dentry,
41292 + const struct vfsmount * mnt, const int fmode)
41298 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
41305 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
41312 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
41318 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
41324 +grsecurity_init(void)
41330 +gr_acl_handle_mknod(const struct dentry * new_dentry,
41331 + const struct dentry * parent_dentry,
41332 + const struct vfsmount * parent_mnt,
41339 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
41340 + const struct dentry * parent_dentry,
41341 + const struct vfsmount * parent_mnt)
41347 +gr_acl_handle_symlink(const struct dentry * new_dentry,
41348 + const struct dentry * parent_dentry,
41349 + const struct vfsmount * parent_mnt, const char *from)
41355 +gr_acl_handle_link(const struct dentry * new_dentry,
41356 + const struct dentry * parent_dentry,
41357 + const struct vfsmount * parent_mnt,
41358 + const struct dentry * old_dentry,
41359 + const struct vfsmount * old_mnt, const char *to)
41365 +gr_acl_handle_rename(const struct dentry *new_dentry,
41366 + const struct dentry *parent_dentry,
41367 + const struct vfsmount *parent_mnt,
41368 + const struct dentry *old_dentry,
41369 + const struct inode *old_parent_inode,
41370 + const struct vfsmount *old_mnt, const char *newname)
41376 +gr_acl_handle_filldir(const struct file *file, const char *name,
41377 + const int namelen, const ino_t ino)
41383 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41384 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41390 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
41396 +gr_search_accept(const struct socket *sock)
41402 +gr_search_listen(const struct socket *sock)
41408 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
41414 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
41420 +gr_acl_handle_creat(const struct dentry * dentry,
41421 + const struct dentry * p_dentry,
41422 + const struct vfsmount * p_mnt, const int fmode,
41429 +gr_acl_handle_exit(void)
41435 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
41441 +gr_set_role_label(const uid_t uid, const gid_t gid)
41447 +gr_acl_handle_procpidmem(const struct task_struct *task)
41453 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
41459 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
41465 +gr_set_kernel_label(struct task_struct *task)
41471 +gr_check_user_change(int real, int effective, int fs)
41477 +gr_check_group_change(int real, int effective, int fs)
41482 +int gr_acl_enable_at_secure(void)
41487 +EXPORT_SYMBOL(gr_is_capable);
41488 +EXPORT_SYMBOL(gr_is_capable_nolog);
41489 +EXPORT_SYMBOL(gr_learn_resource);
41490 +EXPORT_SYMBOL(gr_set_kernel_label);
41491 +#ifdef CONFIG_SECURITY
41492 +EXPORT_SYMBOL(gr_check_user_change);
41493 +EXPORT_SYMBOL(gr_check_group_change);
41495 diff -urNp linux-2.6.38.1/grsecurity/grsec_exec.c linux-2.6.38.1-new/grsecurity/grsec_exec.c
41496 --- linux-2.6.38.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
41497 +++ linux-2.6.38.1-new/grsecurity/grsec_exec.c 2011-03-21 18:31:35.000000000 -0400
41499 +#include <linux/kernel.h>
41500 +#include <linux/sched.h>
41501 +#include <linux/file.h>
41502 +#include <linux/binfmts.h>
41503 +#include <linux/smp_lock.h>
41504 +#include <linux/fs.h>
41505 +#include <linux/types.h>
41506 +#include <linux/grdefs.h>
41507 +#include <linux/grinternal.h>
41508 +#include <linux/capability.h>
41509 +#include <linux/compat.h>
41511 +#include <asm/uaccess.h>
41513 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41514 +static char gr_exec_arg_buf[132];
41515 +static DEFINE_MUTEX(gr_exec_arg_mutex);
41519 +gr_handle_nproc(void)
41521 +#ifdef CONFIG_GRKERNSEC_EXECVE
41522 + const struct cred *cred = current_cred();
41523 + if (grsec_enable_execve && cred->user &&
41524 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
41525 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
41526 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
41534 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
41536 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41537 + char *grarg = gr_exec_arg_buf;
41538 + unsigned int i, x, execlen = 0;
41541 + if (!((grsec_enable_execlog && grsec_enable_group &&
41542 + in_group_p(grsec_audit_gid))
41543 + || (grsec_enable_execlog && !grsec_enable_group)))
41546 + mutex_lock(&gr_exec_arg_mutex);
41547 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41549 + if (unlikely(argv == NULL))
41552 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41553 + const char __user *p;
41554 + unsigned int len;
41556 + if (copy_from_user(&p, argv + i, sizeof(p)))
41560 + len = strnlen_user(p, 128 - execlen);
41561 + if (len > 128 - execlen)
41562 + len = 128 - execlen;
41563 + else if (len > 0)
41565 + if (copy_from_user(grarg + execlen, p, len))
41568 + /* rewrite unprintable characters */
41569 + for (x = 0; x < len; x++) {
41570 + c = *(grarg + execlen + x);
41571 + if (c < 32 || c > 126)
41572 + *(grarg + execlen + x) = ' ';
41576 + *(grarg + execlen) = ' ';
41577 + *(grarg + execlen + 1) = '\0';
41582 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41583 + bprm->file->f_path.mnt, grarg);
41584 + mutex_unlock(&gr_exec_arg_mutex);
41589 +#ifdef CONFIG_COMPAT
41591 +gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv)
41593 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41594 + char *grarg = gr_exec_arg_buf;
41595 + unsigned int i, x, execlen = 0;
41598 + if (!((grsec_enable_execlog && grsec_enable_group &&
41599 + in_group_p(grsec_audit_gid))
41600 + || (grsec_enable_execlog && !grsec_enable_group)))
41603 + mutex_lock(&gr_exec_arg_mutex);
41604 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41606 + if (unlikely(argv == NULL))
41609 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41611 + unsigned int len;
41613 + if (get_user(p, argv + i))
41615 + len = strnlen_user(compat_ptr(p), 128 - execlen);
41616 + if (len > 128 - execlen)
41617 + len = 128 - execlen;
41618 + else if (len > 0)
41622 + if (copy_from_user(grarg + execlen, compat_ptr(p), len))
41625 + /* rewrite unprintable characters */
41626 + for (x = 0; x < len; x++) {
41627 + c = *(grarg + execlen + x);
41628 + if (c < 32 || c > 126)
41629 + *(grarg + execlen + x) = ' ';
41633 + *(grarg + execlen) = ' ';
41634 + *(grarg + execlen + 1) = '\0';
41639 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41640 + bprm->file->f_path.mnt, grarg);
41641 + mutex_unlock(&gr_exec_arg_mutex);
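Review bot: The "rewrite unprintable characters" loop in gr_handle_exec_args is repeated verbatim in gr_handle_exec_args_compat, and the variable `c` it writes to is declared in a line not shown in this rendering; a small static helper keeps the printable-ASCII-only rule — which is what stops a crafted argv from splitting or forging audit lines — in one place. The limits `128` and `132` and the `sizeof(gr_exec_arg_buf)` in the memset are related magic numbers; an enum such as `GR_EXEC_ARG_MAX = 128` with a comment explaining the spare bytes for the trailing `' '` and `'\0'` would make the bound checkable by inspection. The targets of the `copy_from_user()` failure branches are also outside the visible lines, so whether every exit releases `gr_exec_arg_mutex` could not be confirmed here.
```c
/* Replace anything outside printable ASCII so an argv cannot forge or
 * split audit log lines.  Caller holds gr_exec_arg_mutex. */
static void gr_sanitize_exec_arg(char *s, unsigned int len)
{
	unsigned int x;

	for (x = 0; x < len; x++) {
		unsigned char c = s[x];

		if (c < 32 || c > 126)
			s[x] = ' ';
	}
}

/* … unchanged: gr_handle_exec_args up to the copy_from_user() of the argument … */
		gr_sanitize_exec_arg(grarg + execlen, len);
/* … unchanged: trailing separator, execlen update, logging; same call replaces the loop in gr_handle_exec_args_compat … */
```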
41646 diff -urNp linux-2.6.38.1/grsecurity/grsec_fifo.c linux-2.6.38.1-new/grsecurity/grsec_fifo.c
41647 --- linux-2.6.38.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
41648 +++ linux-2.6.38.1-new/grsecurity/grsec_fifo.c 2011-03-21 20:33:29.000000000 -0400
41650 +#include <linux/kernel.h>
41651 +#include <linux/sched.h>
41652 +#include <linux/fs.h>
41653 +#include <linux/file.h>
41654 +#include <linux/grinternal.h>
41657 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
41658 + const struct dentry *dir, const int flag, const int acc_mode)
41660 +#ifdef CONFIG_GRKERNSEC_FIFO
41661 + const struct cred *cred = current_cred();
41663 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
41664 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
41665 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
41666 + (cred->fsuid != dentry->d_inode->i_uid)) {
41667 + if (!inode_permission(dentry->d_inode, acc_mode))
41668 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
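Review bot: gr_handle_fifo dereferences `dentry->d_inode` six times across the condition and the log call; hoisting it to `const struct inode *inode = dentry->d_inode;` (and `dir->d_inode` likewise) would make the sticky-directory FIFO rule readable at a glance. Logging only when `inode_permission()` succeeds is presumably deliberate, so that the ordinary permission-denied path is not double-logged; a one-line comment saying so would save the next reader the question. The function's return statements fall in lines dropped from this rendering.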
41674 diff -urNp linux-2.6.38.1/grsecurity/grsec_fork.c linux-2.6.38.1-new/grsecurity/grsec_fork.c
41675 --- linux-2.6.38.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
41676 +++ linux-2.6.38.1-new/grsecurity/grsec_fork.c 2011-03-21 18:31:35.000000000 -0400
41678 +#include <linux/kernel.h>
41679 +#include <linux/sched.h>
41680 +#include <linux/grsecurity.h>
41681 +#include <linux/grinternal.h>
41682 +#include <linux/errno.h>
41685 +gr_log_forkfail(const int retval)
41687 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41688 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
41689 + switch (retval) {
41691 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
41694 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
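Review bot: In gr_log_forkfail the outer `(retval == -EAGAIN || retval == -ENOMEM)` duplicates the `switch` cases beneath it; either drop the membership test and let a `default:` do nothing, or replace the switch with `gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, retval == -EAGAIN ? "EAGAIN" : "ENOMEM");`. The case labels and the closing lines are not in this rendering.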
41701 diff -urNp linux-2.6.38.1/grsecurity/grsec_init.c linux-2.6.38.1-new/grsecurity/grsec_init.c
41702 --- linux-2.6.38.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
41703 +++ linux-2.6.38.1-new/grsecurity/grsec_init.c 2011-03-21 18:31:35.000000000 -0400
41705 +#include <linux/kernel.h>
41706 +#include <linux/sched.h>
41707 +#include <linux/mm.h>
41708 +#include <linux/smp_lock.h>
41709 +#include <linux/gracl.h>
41710 +#include <linux/slab.h>
41711 +#include <linux/vmalloc.h>
41712 +#include <linux/percpu.h>
41713 +#include <linux/module.h>
41715 +int grsec_enable_link;
41716 +int grsec_enable_dmesg;
41717 +int grsec_enable_harden_ptrace;
41718 +int grsec_enable_fifo;
41719 +int grsec_enable_execve;
41720 +int grsec_enable_execlog;
41721 +int grsec_enable_signal;
41722 +int grsec_enable_forkfail;
41723 +int grsec_enable_audit_ptrace;
41724 +int grsec_enable_time;
41725 +int grsec_enable_audit_textrel;
41726 +int grsec_enable_group;
41727 +int grsec_audit_gid;
41728 +int grsec_enable_chdir;
41729 +int grsec_enable_mount;
41730 +int grsec_enable_rofs;
41731 +int grsec_enable_chroot_findtask;
41732 +int grsec_enable_chroot_mount;
41733 +int grsec_enable_chroot_shmat;
41734 +int grsec_enable_chroot_fchdir;
41735 +int grsec_enable_chroot_double;
41736 +int grsec_enable_chroot_pivot;
41737 +int grsec_enable_chroot_chdir;
41738 +int grsec_enable_chroot_chmod;
41739 +int grsec_enable_chroot_mknod;
41740 +int grsec_enable_chroot_nice;
41741 +int grsec_enable_chroot_execlog;
41742 +int grsec_enable_chroot_caps;
41743 +int grsec_enable_chroot_sysctl;
41744 +int grsec_enable_chroot_unix;
41745 +int grsec_enable_tpe;
41746 +int grsec_tpe_gid;
41747 +int grsec_enable_blackhole;
41748 +#ifdef CONFIG_IPV6_MODULE
41749 +EXPORT_SYMBOL(grsec_enable_blackhole);
41751 +int grsec_lastack_retries;
41752 +int grsec_enable_tpe_all;
41753 +int grsec_enable_tpe_invert;
41754 +int grsec_enable_socket_all;
41755 +int grsec_socket_all_gid;
41756 +int grsec_enable_socket_client;
41757 +int grsec_socket_client_gid;
41758 +int grsec_enable_socket_server;
41759 +int grsec_socket_server_gid;
41760 +int grsec_resource_logging;
41761 +int grsec_disable_privio;
41762 +int grsec_enable_log_rwxmaps;
41765 +DEFINE_SPINLOCK(grsec_alert_lock);
41766 +unsigned long grsec_alert_wtime = 0;
41767 +unsigned long grsec_alert_fyet = 0;
41769 +DEFINE_SPINLOCK(grsec_audit_lock);
41771 +DEFINE_RWLOCK(grsec_exec_file_lock);
41773 +char *gr_shared_page[4];
41775 +char *gr_alert_log_fmt;
41776 +char *gr_audit_log_fmt;
41777 +char *gr_alert_log_buf;
41778 +char *gr_audit_log_buf;
41780 +extern struct gr_arg *gr_usermode;
41781 +extern unsigned char *gr_system_salt;
41782 +extern unsigned char *gr_system_sum;
41785 +grsecurity_init(void)
41788 + /* create the per-cpu shared pages */
41791 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
41794 + for (j = 0; j < 4; j++) {
41795 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
41796 + if (gr_shared_page[j] == NULL) {
41797 + panic("Unable to allocate grsecurity shared page");
41802 + /* allocate log buffers */
41803 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
41804 + if (!gr_alert_log_fmt) {
41805 + panic("Unable to allocate grsecurity alert log format buffer");
41808 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
41809 + if (!gr_audit_log_fmt) {
41810 + panic("Unable to allocate grsecurity audit log format buffer");
41813 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41814 + if (!gr_alert_log_buf) {
41815 + panic("Unable to allocate grsecurity alert log buffer");
41818 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41819 + if (!gr_audit_log_buf) {
41820 + panic("Unable to allocate grsecurity audit log buffer");
41824 + /* allocate memory for authentication structure */
41825 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
41826 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
41827 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
41829 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
41830 + panic("Unable to allocate grsecurity authentication structure");
41835 +#ifdef CONFIG_GRKERNSEC_IO
41836 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
41837 + grsec_disable_privio = 1;
41838 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41839 + grsec_disable_privio = 1;
41841 + grsec_disable_privio = 0;
41845 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41846 + /* for backward compatibility, tpe_invert always defaults to on if
41847 + enabled in the kernel
41849 + grsec_enable_tpe_invert = 1;
41852 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41853 +#ifndef CONFIG_GRKERNSEC_SYSCTL
41857 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41858 + grsec_enable_audit_textrel = 1;
41860 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41861 + grsec_enable_log_rwxmaps = 1;
41863 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41864 + grsec_enable_group = 1;
41865 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
41867 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41868 + grsec_enable_chdir = 1;
41870 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41871 + grsec_enable_harden_ptrace = 1;
41873 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41874 + grsec_enable_mount = 1;
41876 +#ifdef CONFIG_GRKERNSEC_LINK
41877 + grsec_enable_link = 1;
41879 +#ifdef CONFIG_GRKERNSEC_DMESG
41880 + grsec_enable_dmesg = 1;
41882 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41883 + grsec_enable_blackhole = 1;
41884 + grsec_lastack_retries = 4;
41886 +#ifdef CONFIG_GRKERNSEC_FIFO
41887 + grsec_enable_fifo = 1;
41889 +#ifdef CONFIG_GRKERNSEC_EXECVE
41890 + grsec_enable_execve = 1;
41892 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41893 + grsec_enable_execlog = 1;
41895 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41896 + grsec_enable_signal = 1;
41898 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41899 + grsec_enable_forkfail = 1;
41901 +#ifdef CONFIG_GRKERNSEC_TIME
41902 + grsec_enable_time = 1;
41904 +#ifdef CONFIG_GRKERNSEC_RESLOG
41905 + grsec_resource_logging = 1;
41907 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41908 + grsec_enable_chroot_findtask = 1;
41910 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41911 + grsec_enable_chroot_unix = 1;
41913 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41914 + grsec_enable_chroot_mount = 1;
41916 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41917 + grsec_enable_chroot_fchdir = 1;
41919 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41920 + grsec_enable_chroot_shmat = 1;
41922 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41923 + grsec_enable_audit_ptrace = 1;
41925 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41926 + grsec_enable_chroot_double = 1;
41928 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41929 + grsec_enable_chroot_pivot = 1;
41931 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41932 + grsec_enable_chroot_chdir = 1;
41934 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41935 + grsec_enable_chroot_chmod = 1;
41937 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41938 + grsec_enable_chroot_mknod = 1;
41940 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41941 + grsec_enable_chroot_nice = 1;
41943 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41944 + grsec_enable_chroot_execlog = 1;
41946 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41947 + grsec_enable_chroot_caps = 1;
41949 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41950 + grsec_enable_chroot_sysctl = 1;
41952 +#ifdef CONFIG_GRKERNSEC_TPE
41953 + grsec_enable_tpe = 1;
41954 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
41955 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
41956 + grsec_enable_tpe_all = 1;
41959 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41960 + grsec_enable_socket_all = 1;
41961 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
41963 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41964 + grsec_enable_socket_client = 1;
41965 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
41967 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41968 + grsec_enable_socket_server = 1;
41969 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
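Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` in grsecurity_init has no comment explaining what it clears, and `0x41a` and `36` are bare literals. The range 0x41a–0x43d in the real-mode BIOS data area holds the keyboard buffer head/tail pointers and the 32-byte type-ahead buffer, so this appears to wipe keystrokes the firmware left behind before anything can read them back through /dev/mem; a comment such as `/* zero the BIOS keyboard buffer (BDA 0x41a-0x43d) so pre-boot keystrokes cannot be recovered later */` plus named constants would record that intent. Any arch guard around the call (an `#ifdef` on x86 would be expected) falls in a line dropped from this rendering.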
41975 diff -urNp linux-2.6.38.1/grsecurity/grsec_link.c linux-2.6.38.1-new/grsecurity/grsec_link.c
41976 --- linux-2.6.38.1/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
41977 +++ linux-2.6.38.1-new/grsecurity/grsec_link.c 2011-03-21 20:34:41.000000000 -0400
41979 +#include <linux/kernel.h>
41980 +#include <linux/sched.h>
41981 +#include <linux/fs.h>
41982 +#include <linux/file.h>
41983 +#include <linux/grinternal.h>
41986 +gr_handle_follow_link(const struct inode *parent,
41987 + const struct inode *inode,
41988 + const struct dentry *dentry, const struct vfsmount *mnt)
41990 +#ifdef CONFIG_GRKERNSEC_LINK
41991 + const struct cred *cred = current_cred();
41993 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
41994 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
41995 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
41996 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
42004 +gr_handle_hardlink(const struct dentry *dentry,
42005 + const struct vfsmount *mnt,
42006 + struct inode *inode, const int mode, const char *to)
42008 +#ifdef CONFIG_GRKERNSEC_LINK
42009 + const struct cred *cred = current_cred();
42011 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
42012 + (!S_ISREG(mode) || (mode & S_ISUID) ||
42013 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
42014 + (inode_permission(inode, MAY_READ | MAY_WRITE))) &&
42015 + !capable(CAP_FOWNER) && cred->uid) {
42016 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
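Review bot: Neither gr_handle_follow_link nor gr_handle_hardlink carries a comment stating the policy it enforces, and the conditions are dense enough that one is needed; the denial return after each gr_log_fs_* call is not visible in this extract. Above gr_handle_follow_link I would add `/* Refuse to follow a symlink in a world-writable sticky directory unless the link is owned by the directory owner or by the caller's fsuid. */`, and above gr_handle_hardlink `/* Refuse to hardlink a file the caller does not own unless it is a plain, non-setuid, non-setgid-exec file the caller may read and write; CAP_FOWNER or real uid 0 bypasses. */`. The hardlink test compares ownership against cred->fsuid but exempts root via cred->uid; a one-line why-comment on that asymmetry would stop the next reader from assuming it is a typo.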
42022 diff -urNp linux-2.6.38.1/grsecurity/grsec_log.c linux-2.6.38.1-new/grsecurity/grsec_log.c
42023 --- linux-2.6.38.1/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
42024 +++ linux-2.6.38.1-new/grsecurity/grsec_log.c 2011-03-21 18:31:35.000000000 -0400
42026 +#include <linux/kernel.h>
42027 +#include <linux/sched.h>
42028 +#include <linux/file.h>
42029 +#include <linux/tty.h>
42030 +#include <linux/fs.h>
42031 +#include <linux/grinternal.h>
42033 +#ifdef CONFIG_TREE_PREEMPT_RCU
42034 +#define DISABLE_PREEMPT() preempt_disable()
42035 +#define ENABLE_PREEMPT() preempt_enable()
42037 +#define DISABLE_PREEMPT()
42038 +#define ENABLE_PREEMPT()
42041 +#define BEGIN_LOCKS(x) \
42042 + DISABLE_PREEMPT(); \
42043 + rcu_read_lock(); \
42044 + read_lock(&tasklist_lock); \
42045 + read_lock(&grsec_exec_file_lock); \
42046 + if (x != GR_DO_AUDIT) \
42047 + spin_lock(&grsec_alert_lock); \
42049 + spin_lock(&grsec_audit_lock)
42051 +#define END_LOCKS(x) \
42052 + if (x != GR_DO_AUDIT) \
42053 + spin_unlock(&grsec_alert_lock); \
42055 + spin_unlock(&grsec_audit_lock); \
42056 + read_unlock(&grsec_exec_file_lock); \
42057 + read_unlock(&tasklist_lock); \
42058 + rcu_read_unlock(); \
42059 + ENABLE_PREEMPT(); \
42060 + if (x == GR_DONT_AUDIT) \
42061 + gr_handle_alertkill(current)
42068 +extern char *gr_alert_log_fmt;
42069 +extern char *gr_audit_log_fmt;
42070 +extern char *gr_alert_log_buf;
42071 +extern char *gr_audit_log_buf;
42073 +static int gr_log_start(int audit)
42075 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
42076 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
42077 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42079 + if (audit == GR_DO_AUDIT)
42082 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
42083 + grsec_alert_wtime = jiffies;
42084 + grsec_alert_fyet = 0;
42085 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
42086 + grsec_alert_fyet++;
42087 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
42088 + grsec_alert_wtime = jiffies;
42089 + grsec_alert_fyet++;
42090 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
42092 + } else return FLOODING;
42095 + memset(buf, 0, PAGE_SIZE);
42096 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
42097 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
42098 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42099 + } else if (current->signal->curr_ip) {
42100 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
42101 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
42102 + } else if (gr_acl_is_enabled()) {
42103 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
42104 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
42106 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
42107 + strcpy(buf, fmt);
42110 + return NO_FLOODING;
42113 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42114 + __attribute__ ((format (printf, 2, 0)));
42116 +static void gr_log_middle(int audit, const char *msg, va_list ap)
42118 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42119 + unsigned int len = strlen(buf);
42121 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42126 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42127 + __attribute__ ((format (printf, 2, 3)));
42129 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
42131 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42132 + unsigned int len = strlen(buf);
42135 + va_start(ap, msg);
42136 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
42142 +static void gr_log_end(int audit)
42144 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
42145 + unsigned int len = strlen(buf);
42147 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
42148 + printk("%s\n", buf);
42153 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
42156 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
42157 + char *str1, *str2, *str3;
42160 + unsigned long ulong1, ulong2;
42161 + struct dentry *dentry;
42162 + struct vfsmount *mnt;
42163 + struct file *file;
42164 + struct task_struct *task;
42165 + const struct cred *cred, *pcred;
42168 + BEGIN_LOCKS(audit);
42169 + logtype = gr_log_start(audit);
42170 + if (logtype == FLOODING) {
42171 + END_LOCKS(audit);
42174 + va_start(ap, argtypes);
42175 + switch (argtypes) {
42176 + case GR_TTYSNIFF:
42177 + task = va_arg(ap, struct task_struct *);
42178 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
42180 + case GR_SYSCTL_HIDDEN:
42181 + str1 = va_arg(ap, char *);
42182 + gr_log_middle_varargs(audit, msg, result, str1);
42185 + dentry = va_arg(ap, struct dentry *);
42186 + mnt = va_arg(ap, struct vfsmount *);
42187 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
42189 + case GR_RBAC_STR:
42190 + dentry = va_arg(ap, struct dentry *);
42191 + mnt = va_arg(ap, struct vfsmount *);
42192 + str1 = va_arg(ap, char *);
42193 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
42195 + case GR_STR_RBAC:
42196 + str1 = va_arg(ap, char *);
42197 + dentry = va_arg(ap, struct dentry *);
42198 + mnt = va_arg(ap, struct vfsmount *);
42199 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
42201 + case GR_RBAC_MODE2:
42202 + dentry = va_arg(ap, struct dentry *);
42203 + mnt = va_arg(ap, struct vfsmount *);
42204 + str1 = va_arg(ap, char *);
42205 + str2 = va_arg(ap, char *);
42206 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
42208 + case GR_RBAC_MODE3:
42209 + dentry = va_arg(ap, struct dentry *);
42210 + mnt = va_arg(ap, struct vfsmount *);
42211 + str1 = va_arg(ap, char *);
42212 + str2 = va_arg(ap, char *);
42213 + str3 = va_arg(ap, char *);
42214 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
42216 + case GR_FILENAME:
42217 + dentry = va_arg(ap, struct dentry *);
42218 + mnt = va_arg(ap, struct vfsmount *);
42219 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
42221 + case GR_STR_FILENAME:
42222 + str1 = va_arg(ap, char *);
42223 + dentry = va_arg(ap, struct dentry *);
42224 + mnt = va_arg(ap, struct vfsmount *);
42225 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
42227 + case GR_FILENAME_STR:
42228 + dentry = va_arg(ap, struct dentry *);
42229 + mnt = va_arg(ap, struct vfsmount *);
42230 + str1 = va_arg(ap, char *);
42231 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
42233 + case GR_FILENAME_TWO_INT:
42234 + dentry = va_arg(ap, struct dentry *);
42235 + mnt = va_arg(ap, struct vfsmount *);
42236 + num1 = va_arg(ap, int);
42237 + num2 = va_arg(ap, int);
42238 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
42240 + case GR_FILENAME_TWO_INT_STR:
42241 + dentry = va_arg(ap, struct dentry *);
42242 + mnt = va_arg(ap, struct vfsmount *);
42243 + num1 = va_arg(ap, int);
42244 + num2 = va_arg(ap, int);
42245 + str1 = va_arg(ap, char *);
42246 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
42249 + file = va_arg(ap, struct file *);
42250 + ulong1 = va_arg(ap, unsigned long);
42251 + ulong2 = va_arg(ap, unsigned long);
42252 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
42255 + task = va_arg(ap, struct task_struct *);
42256 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
42258 + case GR_RESOURCE:
42259 + task = va_arg(ap, struct task_struct *);
42260 + cred = __task_cred(task);
42261 + pcred = __task_cred(task->real_parent);
42262 + ulong1 = va_arg(ap, unsigned long);
42263 + str1 = va_arg(ap, char *);
42264 + ulong2 = va_arg(ap, unsigned long);
42265 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42268 + task = va_arg(ap, struct task_struct *);
42269 + cred = __task_cred(task);
42270 + pcred = __task_cred(task->real_parent);
42271 + str1 = va_arg(ap, char *);
42272 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42275 + str1 = va_arg(ap, char *);
42276 + voidptr = va_arg(ap, void *);
42277 + gr_log_middle_varargs(audit, msg, str1, voidptr);
42280 + task = va_arg(ap, struct task_struct *);
42281 + cred = __task_cred(task);
42282 + pcred = __task_cred(task->real_parent);
42283 + num1 = va_arg(ap, int);
42284 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42287 + task = va_arg(ap, struct task_struct *);
42288 + cred = __task_cred(task);
42289 + pcred = __task_cred(task->real_parent);
42290 + ulong1 = va_arg(ap, unsigned long);
42291 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
42294 + task = va_arg(ap, struct task_struct *);
42295 + cred = __task_cred(task);
42296 + pcred = __task_cred(task->real_parent);
42297 + ulong1 = va_arg(ap, unsigned long);
42298 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
42301 + file = va_arg(ap, struct file *);
42302 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
42306 + unsigned int wday, cday;
42310 + char cur_tty[64] = { 0 };
42311 + char parent_tty[64] = { 0 };
42313 + task = va_arg(ap, struct task_struct *);
42314 + wday = va_arg(ap, unsigned int);
42315 + cday = va_arg(ap, unsigned int);
42316 + whr = va_arg(ap, int);
42317 + chr = va_arg(ap, int);
42318 + wmin = va_arg(ap, int);
42319 + cmin = va_arg(ap, int);
42320 + wsec = va_arg(ap, int);
42321 + csec = va_arg(ap, int);
42322 + ulong1 = va_arg(ap, unsigned long);
42323 + cred = __task_cred(task);
42324 + pcred = __task_cred(task->real_parent);
42326 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42330 + gr_log_middle(audit, msg, ap);
42333 + gr_log_end(audit);
42334 + END_LOCKS(audit);
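Review bot: The flood-control window in gr_log_start has a gap at its boundary: when `jiffies - grsec_alert_wtime` equals `CONFIG_GRKERNSEC_FLOODTIME * HZ` neither the reset branch (`>`) nor the counting branch (`<`) matches, so an alert arriving on exactly that tick is returned as FLOODING without being counted or announced unless grsec_alert_fyet happens to equal CONFIG_GRKERNSEC_FLOODBURST. Changing the reset test to `if (!grsec_alert_wtime || jiffies - grsec_alert_wtime >= CONFIG_GRKERNSEC_FLOODTIME * HZ) {` closes the gap and makes the two branches complementary. Separately, `result` in gr_log_varargs only ever points at string literals and is only passed to printf-style helpers, so it should be `const char *result`. The tail of gr_log_varargs after the switch, where va_end would sit, is not visible in this extract.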
42336 diff -urNp linux-2.6.38.1/grsecurity/grsec_mem.c linux-2.6.38.1-new/grsecurity/grsec_mem.c
42337 --- linux-2.6.38.1/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
42338 +++ linux-2.6.38.1-new/grsecurity/grsec_mem.c 2011-03-21 18:31:35.000000000 -0400
42340 +#include <linux/kernel.h>
42341 +#include <linux/sched.h>
42342 +#include <linux/mm.h>
42343 +#include <linux/mman.h>
42344 +#include <linux/grinternal.h>
42347 +gr_handle_ioperm(void)
42349 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
42354 +gr_handle_iopl(void)
42356 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
42361 +gr_handle_mem_write(void)
42363 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
42368 +gr_handle_kmem_write(void)
42370 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
42375 +gr_handle_open_port(void)
42377 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
42382 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
42384 + unsigned long start, end;
42387 + end = start + vma->vm_end - vma->vm_start;
42389 + if (start > end) {
42390 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42394 +/* if raw i/o is disabled, prevent writes to /dev/mem entirely */
42395 +#ifndef CONFIG_GRKERNSEC_IO
42396 + /* allowed ranges : ISA I/O BIOS */
42397 + if ((start >= __pa(high_memory))
42398 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
42399 + || (start >= 0x000a0000 && end <= 0x00100000)
42400 + || (start >= 0x00000000 && end <= 0x00001000)
42406 + if (vma->vm_flags & VM_WRITE) {
42407 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42410 + vma->vm_flags &= ~VM_MAYWRITE;
42416 +gr_log_nonroot_mod_load(const char *modname)
42418 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
42423 +gr_handle_vm86(void)
42425 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
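Review bot: In gr_handle_mem_mmap the test `start >= 0x00000000` is a tautology on an unsigned long and reads as if it guarded something; the low-page exception is just `|| (end <= 0x00001000)`, and both ISA/BIOS windows deserve named constants rather than bare hex. The `start > end` test is the wrap-around guard for offset plus mapping length, and `vma->vm_flags &= ~VM_MAYWRITE` is presumably there so a later mprotect() cannot add write access to a mapping that was granted read-only; neither is obvious from the code, so I would comment them, e.g. `/* drop VM_MAYWRITE so mprotect() cannot re-add PROT_WRITE later */`. The assignment of start and the early returns are not visible in this extract.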
42428 diff -urNp linux-2.6.38.1/grsecurity/grsec_mount.c linux-2.6.38.1-new/grsecurity/grsec_mount.c
42429 --- linux-2.6.38.1/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
42430 +++ linux-2.6.38.1-new/grsecurity/grsec_mount.c 2011-03-21 18:31:35.000000000 -0400
42432 +#include <linux/kernel.h>
42433 +#include <linux/sched.h>
42434 +#include <linux/mount.h>
42435 +#include <linux/grsecurity.h>
42436 +#include <linux/grinternal.h>
42439 +gr_log_remount(const char *devname, const int retval)
42441 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42442 + if (grsec_enable_mount && (retval >= 0))
42443 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
42449 +gr_log_unmount(const char *devname, const int retval)
42451 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42452 + if (grsec_enable_mount && (retval >= 0))
42453 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
42459 +gr_log_mount(const char *from, const char *to, const int retval)
42461 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42462 + if (grsec_enable_mount && (retval >= 0))
42463 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
42469 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
42471 +#ifdef CONFIG_GRKERNSEC_ROFS
42472 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
42473 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
42482 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
42484 +#ifdef CONFIG_GRKERNSEC_ROFS
42485 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
42486 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
42487 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
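Review bot: gr_log_mount passes `from` straight to gr_log_str_str, whereas the sibling gr_log_remount and gr_log_unmount in the same hunk guard their device name with `devname ? devname : "none"`; a mount without a device string would reach the formatter with a NULL argument. For consistency the call should be `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`. The kernel's vsnprintf renders a NULL `%s` as "(null)" rather than faulting, so this is a log-quality issue rather than a crash, but the audit line should not rely on that.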
42494 diff -urNp linux-2.6.38.1/grsecurity/grsec_pax.c linux-2.6.38.1-new/grsecurity/grsec_pax.c
42495 --- linux-2.6.38.1/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
42496 +++ linux-2.6.38.1-new/grsecurity/grsec_pax.c 2011-03-21 18:31:35.000000000 -0400
42498 +#include <linux/kernel.h>
42499 +#include <linux/sched.h>
42500 +#include <linux/mm.h>
42501 +#include <linux/file.h>
42502 +#include <linux/grinternal.h>
42503 +#include <linux/grsecurity.h>
42506 +gr_log_textrel(struct vm_area_struct * vma)
42508 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42509 + if (grsec_enable_audit_textrel)
42510 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42516 +gr_log_rwxmmap(struct file *file)
42518 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42519 + if (grsec_enable_log_rwxmaps)
42520 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
42526 +gr_log_rwxmprotect(struct file *file)
42528 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42529 + if (grsec_enable_log_rwxmaps)
42530 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
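Review bot: The parameter declaration `struct vm_area_struct * vma` in gr_log_textrel spaces the `*` on both sides, unlike `struct file *file` in the two functions below it and the rest of this patch; it should read `gr_log_textrel(struct vm_area_struct *vma)`. Each of the three wrappers would also benefit from a one-line comment naming the event it records, e.g. `/* audit-log a text relocation in a file-backed mapping (CONFIG_GRKERNSEC_AUDIT_TEXTREL) */`.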
42534 diff -urNp linux-2.6.38.1/grsecurity/grsec_ptrace.c linux-2.6.38.1-new/grsecurity/grsec_ptrace.c
42535 --- linux-2.6.38.1/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
42536 +++ linux-2.6.38.1-new/grsecurity/grsec_ptrace.c 2011-03-21 18:31:35.000000000 -0400
42538 +#include <linux/kernel.h>
42539 +#include <linux/sched.h>
42540 +#include <linux/grinternal.h>
42541 +#include <linux/grsecurity.h>
42544 +gr_audit_ptrace(struct task_struct *task)
42546 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42547 + if (grsec_enable_audit_ptrace)
42548 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
42552 diff -urNp linux-2.6.38.1/grsecurity/grsec_sig.c linux-2.6.38.1-new/grsecurity/grsec_sig.c
42553 --- linux-2.6.38.1/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
42554 +++ linux-2.6.38.1-new/grsecurity/grsec_sig.c 2011-03-21 18:31:35.000000000 -0400
42556 +#include <linux/kernel.h>
42557 +#include <linux/sched.h>
42558 +#include <linux/delay.h>
42559 +#include <linux/grsecurity.h>
42560 +#include <linux/grinternal.h>
42562 +char *signames[] = {
42563 + [SIGSEGV] = "Segmentation fault",
42564 + [SIGILL] = "Illegal instruction",
42565 + [SIGABRT] = "Abort",
42566 + [SIGBUS] = "Invalid alignment/Bus error"
42570 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
42572 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42573 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
42574 + (sig == SIGABRT) || (sig == SIGBUS))) {
42575 + if (t->pid == current->pid) {
42576 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
42578 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
42586 +gr_handle_signal(const struct task_struct *p, const int sig)
42588 +#ifdef CONFIG_GRKERNSEC
42589 + if (current->pid > 1 && gr_check_protected_task(p)) {
42590 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
42592 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
42599 +void gr_handle_brute_attach(struct task_struct *p)
42601 +#ifdef CONFIG_GRKERNSEC_BRUTE
42602 + read_lock(&tasklist_lock);
42603 + read_lock(&grsec_exec_file_lock);
42604 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
42605 + p->real_parent->brute = 1;
42606 + read_unlock(&grsec_exec_file_lock);
42607 + read_unlock(&tasklist_lock);
42612 +void gr_handle_brute_check(void)
42614 +#ifdef CONFIG_GRKERNSEC_BRUTE
42615 + if (current->brute)
42616 + msleep(30 * 1000);
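Review bot: `signames` is a writable, externally visible array of pointers to string literals; it is only read, and only within this file, so it should be `static const char * const signames[] = {` so the table lands in read-only data and stays out of the global namespace. The array is sparse (four designated entries), and the signal check on the two lines before `signames[sig]` is what keeps the index in bounds and non-NULL; a comment such as `/* only the four signals with an entry in signames[] are logged */` should say so. In gr_handle_signal the cast `(struct task_struct *)p` discards the parameter's const to call gr_pid_is_chrooted; if that helper does not modify the task, its parameter should be `const struct task_struct *` instead. The `30 * 1000` in gr_handle_brute_check is a magic number and wants a named constant.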
42621 diff -urNp linux-2.6.38.1/grsecurity/grsec_sock.c linux-2.6.38.1-new/grsecurity/grsec_sock.c
42622 --- linux-2.6.38.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
42623 +++ linux-2.6.38.1-new/grsecurity/grsec_sock.c 2011-03-21 18:31:35.000000000 -0400
42625 +#include <linux/kernel.h>
42626 +#include <linux/module.h>
42627 +#include <linux/sched.h>
42628 +#include <linux/file.h>
42629 +#include <linux/net.h>
42630 +#include <linux/in.h>
42631 +#include <linux/ip.h>
42632 +#include <net/sock.h>
42633 +#include <net/inet_sock.h>
42634 +#include <linux/grsecurity.h>
42635 +#include <linux/grinternal.h>
42636 +#include <linux/gracl.h>
42638 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
42639 +EXPORT_SYMBOL(gr_cap_rtnetlink);
42641 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
42642 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
42644 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
42645 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
42647 +#ifdef CONFIG_UNIX_MODULE
42648 +EXPORT_SYMBOL(gr_acl_handle_unix);
42649 +EXPORT_SYMBOL(gr_acl_handle_mknod);
42650 +EXPORT_SYMBOL(gr_handle_chroot_unix);
42651 +EXPORT_SYMBOL(gr_handle_create);
42654 +#ifdef CONFIG_GRKERNSEC
42655 +#define gr_conn_table_size 32749
42656 +struct conn_table_entry {
42657 + struct conn_table_entry *next;
42658 + struct signal_struct *sig;
42661 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
42662 +DEFINE_SPINLOCK(gr_conn_table_lock);
42664 +extern const char * gr_socktype_to_name(unsigned char type);
42665 +extern const char * gr_proto_to_name(unsigned char proto);
42666 +extern const char * gr_sockfamily_to_name(unsigned char family);
42668 +static __inline__ int
42669 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
42671 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
42674 +static __inline__ int
42675 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
42676 + __u16 sport, __u16 dport)
42678 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
42679 + sig->gr_sport == sport && sig->gr_dport == dport))
42685 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
42687 + struct conn_table_entry **match;
42688 + unsigned int index;
42690 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42691 + sig->gr_sport, sig->gr_dport,
42692 + gr_conn_table_size);
42694 + newent->sig = sig;
42696 + match = &gr_conn_table[index];
42697 + newent->next = *match;
42703 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
42705 + struct conn_table_entry *match, *last = NULL;
42706 + unsigned int index;
42708 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42709 + sig->gr_sport, sig->gr_dport,
42710 + gr_conn_table_size);
42712 + match = gr_conn_table[index];
42713 + while (match && !conn_match(match->sig,
42714 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
42715 + sig->gr_dport)) {
42717 + match = match->next;
42722 + last->next = match->next;
42724 + gr_conn_table[index] = NULL;
42731 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
42732 + __u16 sport, __u16 dport)
42734 + struct conn_table_entry *match;
42735 + unsigned int index;
42737 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
42739 + match = gr_conn_table[index];
42740 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
42741 + match = match->next;
42744 + return match->sig;
42751 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
42753 +#ifdef CONFIG_GRKERNSEC
42754 + struct signal_struct *sig = task->signal;
42755 + struct conn_table_entry *newent;
42757 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
42758 + if (newent == NULL)
42760 + /* no bh lock needed since we are called with bh disabled */
42761 + spin_lock(&gr_conn_table_lock);
42762 + gr_del_task_from_ip_table_nolock(sig);
42763 + sig->gr_saddr = inet->inet_rcv_saddr;
42764 + sig->gr_daddr = inet->inet_daddr;
42765 + sig->gr_sport = inet->inet_sport;
42766 + sig->gr_dport = inet->inet_dport;
42767 + gr_add_to_task_ip_table_nolock(sig, newent);
42768 + spin_unlock(&gr_conn_table_lock);
42773 +void gr_del_task_from_ip_table(struct task_struct *task)
42775 +#ifdef CONFIG_GRKERNSEC
42776 + spin_lock_bh(&gr_conn_table_lock);
42777 + gr_del_task_from_ip_table_nolock(task->signal);
42778 + spin_unlock_bh(&gr_conn_table_lock);
42784 +gr_attach_curr_ip(const struct sock *sk)
42786 +#ifdef CONFIG_GRKERNSEC
42787 + struct signal_struct *p, *set;
42788 + const struct inet_sock *inet = inet_sk(sk);
42790 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
42793 + set = current->signal;
42795 + spin_lock_bh(&gr_conn_table_lock);
42796 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
42797 + inet->inet_dport, inet->inet_sport);
42798 + if (unlikely(p != NULL)) {
42799 + set->curr_ip = p->curr_ip;
42800 + set->used_accept = 1;
42801 + gr_del_task_from_ip_table_nolock(p);
42802 + spin_unlock_bh(&gr_conn_table_lock);
42805 + spin_unlock_bh(&gr_conn_table_lock);
42807 + set->curr_ip = inet->inet_daddr;
42808 + set->used_accept = 1;
42814 +gr_handle_sock_all(const int family, const int type, const int protocol)
42816 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42817 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
42818 + (family != AF_UNIX)) {
42819 + if (family == AF_INET)
42820 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), gr_proto_to_name(protocol));
42822 + gr_log_str2_int(GR_DONT_AUDIT, GR_SOCK_NOINET_MSG, gr_sockfamily_to_name(family), gr_socktype_to_name(type), protocol);
42830 +gr_handle_sock_server(const struct sockaddr *sck)
42832 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42833 + if (grsec_enable_socket_server &&
42834 + in_group_p(grsec_socket_server_gid) &&
42835 + sck && (sck->sa_family != AF_UNIX) &&
42836 + (sck->sa_family != AF_LOCAL)) {
42837 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42845 +gr_handle_sock_server_other(const struct sock *sck)
42847 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42848 + if (grsec_enable_socket_server &&
42849 + in_group_p(grsec_socket_server_gid) &&
42850 + sck && (sck->sk_family != AF_UNIX) &&
42851 + (sck->sk_family != AF_LOCAL)) {
42852 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42860 +gr_handle_sock_client(const struct sockaddr *sck)
42862 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42863 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
42864 + sck && (sck->sa_family != AF_UNIX) &&
42865 + (sck->sa_family != AF_LOCAL)) {
42866 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
42874 +gr_cap_rtnetlink(struct sock *sock)
42876 +#ifdef CONFIG_GRKERNSEC
42877 + if (!gr_acl_is_enabled())
42878 + return current_cap();
42879 + else if (sock->sk_protocol == NETLINK_ISCSI &&
42880 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
42881 + gr_is_capable(CAP_SYS_ADMIN))
42882 + return current_cap();
42883 + else if (sock->sk_protocol == NETLINK_AUDIT &&
42884 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
42885 + gr_is_capable(CAP_AUDIT_WRITE) &&
42886 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
42887 + gr_is_capable(CAP_AUDIT_CONTROL))
42888 + return current_cap();
42889 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
42890 + ((sock->sk_protocol == NETLINK_ROUTE) ?
42891 + gr_is_capable_nolog(CAP_NET_ADMIN) :
42892 + gr_is_capable(CAP_NET_ADMIN)))
42893 + return current_cap();
42895 + return __cap_empty_set;
42897 + return current_cap();
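Review bot: gr_del_task_from_ip_table_nolock loses the rest of a hash chain when the matching entry is its head: the branch taken when `last` is NULL stores `gr_conn_table[index] = NULL;` instead of unlinking only the match, so every later entry in that bucket is orphaned (no longer found by gr_lookup_task_ip_table and never freed). Since gr_add_to_task_ip_table_nolock always inserts at the head, the most recently added connection is exactly the one deleted this way. The line should be `gr_conn_table[index] = match->next;`; the `if (last) ... else` around it is not visible in this extract, so confirm the branch structure. Separately, in conn_hash `dport << 16` shifts an int promoted from __u16 and overflows the signed range for ports >= 0x8000; write `((__u32)dport << 16)` to keep the arithmetic unsigned.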
42900 diff -urNp linux-2.6.38.1/grsecurity/grsec_sysctl.c linux-2.6.38.1-new/grsecurity/grsec_sysctl.c
42901 --- linux-2.6.38.1/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
42902 +++ linux-2.6.38.1-new/grsecurity/grsec_sysctl.c 2011-03-21 18:31:35.000000000 -0400
42904 +#include <linux/kernel.h>
42905 +#include <linux/sched.h>
42906 +#include <linux/sysctl.h>
42907 +#include <linux/grsecurity.h>
42908 +#include <linux/grinternal.h>
42911 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
42913 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42914 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
42915 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
42922 +#ifdef CONFIG_GRKERNSEC_ROFS
42923 +static int __maybe_unused one = 1;
42926 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
42927 +struct ctl_table grsecurity_table[] = {
42928 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42929 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
42930 +#ifdef CONFIG_GRKERNSEC_IO
42932 + .procname = "disable_priv_io",
42933 + .data = &grsec_disable_privio,
42934 + .maxlen = sizeof(int),
42936 + .proc_handler = &proc_dointvec,
42940 +#ifdef CONFIG_GRKERNSEC_LINK
42942 + .procname = "linking_restrictions",
42943 + .data = &grsec_enable_link,
42944 + .maxlen = sizeof(int),
42946 + .proc_handler = &proc_dointvec,
42949 +#ifdef CONFIG_GRKERNSEC_FIFO
42951 + .procname = "fifo_restrictions",
42952 + .data = &grsec_enable_fifo,
42953 + .maxlen = sizeof(int),
42955 + .proc_handler = &proc_dointvec,
42958 +#ifdef CONFIG_GRKERNSEC_EXECVE
42960 + .procname = "execve_limiting",
42961 + .data = &grsec_enable_execve,
42962 + .maxlen = sizeof(int),
42964 + .proc_handler = &proc_dointvec,
42967 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
42969 + .procname = "ip_blackhole",
42970 + .data = &grsec_enable_blackhole,
42971 + .maxlen = sizeof(int),
42973 + .proc_handler = &proc_dointvec,
42976 + .procname = "lastack_retries",
42977 + .data = &grsec_lastack_retries,
42978 + .maxlen = sizeof(int),
42980 + .proc_handler = &proc_dointvec,
42983 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42985 + .procname = "exec_logging",
42986 + .data = &grsec_enable_execlog,
42987 + .maxlen = sizeof(int),
42989 + .proc_handler = &proc_dointvec,
42992 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42994 + .procname = "rwxmap_logging",
42995 + .data = &grsec_enable_log_rwxmaps,
42996 + .maxlen = sizeof(int),
42998 + .proc_handler = &proc_dointvec,
43001 +#ifdef CONFIG_GRKERNSEC_SIGNAL
43003 + .procname = "signal_logging",
43004 + .data = &grsec_enable_signal,
43005 + .maxlen = sizeof(int),
43007 + .proc_handler = &proc_dointvec,
43010 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
43012 + .procname = "forkfail_logging",
43013 + .data = &grsec_enable_forkfail,
43014 + .maxlen = sizeof(int),
43016 + .proc_handler = &proc_dointvec,
43019 +#ifdef CONFIG_GRKERNSEC_TIME
43021 + .procname = "timechange_logging",
43022 + .data = &grsec_enable_time,
43023 + .maxlen = sizeof(int),
43025 + .proc_handler = &proc_dointvec,
43028 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
43030 + .procname = "chroot_deny_shmat",
43031 + .data = &grsec_enable_chroot_shmat,
43032 + .maxlen = sizeof(int),
43034 + .proc_handler = &proc_dointvec,
43037 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
43039 + .procname = "chroot_deny_unix",
43040 + .data = &grsec_enable_chroot_unix,
43041 + .maxlen = sizeof(int),
43043 + .proc_handler = &proc_dointvec,
43046 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
43048 + .procname = "chroot_deny_mount",
43049 + .data = &grsec_enable_chroot_mount,
43050 + .maxlen = sizeof(int),
43052 + .proc_handler = &proc_dointvec,
43055 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
43057 + .procname = "chroot_deny_fchdir",
43058 + .data = &grsec_enable_chroot_fchdir,
43059 + .maxlen = sizeof(int),
43061 + .proc_handler = &proc_dointvec,
43064 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
43066 + .procname = "chroot_deny_chroot",
43067 + .data = &grsec_enable_chroot_double,
43068 + .maxlen = sizeof(int),
43070 + .proc_handler = &proc_dointvec,
43073 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
43075 + .procname = "chroot_deny_pivot",
43076 + .data = &grsec_enable_chroot_pivot,
43077 + .maxlen = sizeof(int),
43079 + .proc_handler = &proc_dointvec,
43082 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
43084 + .procname = "chroot_enforce_chdir",
43085 + .data = &grsec_enable_chroot_chdir,
43086 + .maxlen = sizeof(int),
43088 + .proc_handler = &proc_dointvec,
43091 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
43093 + .procname = "chroot_deny_chmod",
43094 + .data = &grsec_enable_chroot_chmod,
43095 + .maxlen = sizeof(int),
43097 + .proc_handler = &proc_dointvec,
43100 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
43102 + .procname = "chroot_deny_mknod",
43103 + .data = &grsec_enable_chroot_mknod,
43104 + .maxlen = sizeof(int),
43106 + .proc_handler = &proc_dointvec,
43109 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
43111 + .procname = "chroot_restrict_nice",
43112 + .data = &grsec_enable_chroot_nice,
43113 + .maxlen = sizeof(int),
43115 + .proc_handler = &proc_dointvec,
43118 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
43120 + .procname = "chroot_execlog",
43121 + .data = &grsec_enable_chroot_execlog,
43122 + .maxlen = sizeof(int),
43124 + .proc_handler = &proc_dointvec,
43127 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
43129 + .procname = "chroot_caps",
43130 + .data = &grsec_enable_chroot_caps,
43131 + .maxlen = sizeof(int),
43133 + .proc_handler = &proc_dointvec,
43136 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
43138 + .procname = "chroot_deny_sysctl",
43139 + .data = &grsec_enable_chroot_sysctl,
43140 + .maxlen = sizeof(int),
43142 + .proc_handler = &proc_dointvec,
43145 +#ifdef CONFIG_GRKERNSEC_TPE
43147 + .procname = "tpe",
43148 + .data = &grsec_enable_tpe,
43149 + .maxlen = sizeof(int),
43151 + .proc_handler = &proc_dointvec,
43154 + .procname = "tpe_gid",
43155 + .data = &grsec_tpe_gid,
43156 + .maxlen = sizeof(int),
43158 + .proc_handler = &proc_dointvec,
43161 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43163 + .procname = "tpe_invert",
43164 + .data = &grsec_enable_tpe_invert,
43165 + .maxlen = sizeof(int),
43167 + .proc_handler = &proc_dointvec,
43170 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43172 + .procname = "tpe_restrict_all",
43173 + .data = &grsec_enable_tpe_all,
43174 + .maxlen = sizeof(int),
43176 + .proc_handler = &proc_dointvec,
43179 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
43181 + .procname = "socket_all",
43182 + .data = &grsec_enable_socket_all,
43183 + .maxlen = sizeof(int),
43185 + .proc_handler = &proc_dointvec,
43188 + .procname = "socket_all_gid",
43189 + .data = &grsec_socket_all_gid,
43190 + .maxlen = sizeof(int),
43192 + .proc_handler = &proc_dointvec,
43195 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
43197 + .procname = "socket_client",
43198 + .data = &grsec_enable_socket_client,
43199 + .maxlen = sizeof(int),
43201 + .proc_handler = &proc_dointvec,
43204 + .procname = "socket_client_gid",
43205 + .data = &grsec_socket_client_gid,
43206 + .maxlen = sizeof(int),
43208 + .proc_handler = &proc_dointvec,
43211 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
43213 + .procname = "socket_server",
43214 + .data = &grsec_enable_socket_server,
43215 + .maxlen = sizeof(int),
43217 + .proc_handler = &proc_dointvec,
43220 + .procname = "socket_server_gid",
43221 + .data = &grsec_socket_server_gid,
43222 + .maxlen = sizeof(int),
43224 + .proc_handler = &proc_dointvec,
43227 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
43229 + .procname = "audit_group",
43230 + .data = &grsec_enable_group,
43231 + .maxlen = sizeof(int),
43233 + .proc_handler = &proc_dointvec,
43236 + .procname = "audit_gid",
43237 + .data = &grsec_audit_gid,
43238 + .maxlen = sizeof(int),
43240 + .proc_handler = &proc_dointvec,
43243 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
43245 + .procname = "audit_chdir",
43246 + .data = &grsec_enable_chdir,
43247 + .maxlen = sizeof(int),
43249 + .proc_handler = &proc_dointvec,
43252 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
43254 + .procname = "audit_mount",
43255 + .data = &grsec_enable_mount,
43256 + .maxlen = sizeof(int),
43258 + .proc_handler = &proc_dointvec,
43261 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
43263 + .procname = "audit_textrel",
43264 + .data = &grsec_enable_audit_textrel,
43265 + .maxlen = sizeof(int),
43267 + .proc_handler = &proc_dointvec,
43270 +#ifdef CONFIG_GRKERNSEC_DMESG
43272 + .procname = "dmesg",
43273 + .data = &grsec_enable_dmesg,
43274 + .maxlen = sizeof(int),
43276 + .proc_handler = &proc_dointvec,
43279 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
43281 + .procname = "chroot_findtask",
43282 + .data = &grsec_enable_chroot_findtask,
43283 + .maxlen = sizeof(int),
43285 + .proc_handler = &proc_dointvec,
43288 +#ifdef CONFIG_GRKERNSEC_RESLOG
43290 + .procname = "resource_logging",
43291 + .data = &grsec_resource_logging,
43292 + .maxlen = sizeof(int),
43294 + .proc_handler = &proc_dointvec,
43297 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
43299 + .procname = "audit_ptrace",
43300 + .data = &grsec_enable_audit_ptrace,
43301 + .maxlen = sizeof(int),
43303 + .proc_handler = &proc_dointvec,
43306 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
43308 + .procname = "harden_ptrace",
43309 + .data = &grsec_enable_harden_ptrace,
43310 + .maxlen = sizeof(int),
43312 + .proc_handler = &proc_dointvec,
43316 + .procname = "grsec_lock",
43317 + .data = &grsec_lock,
43318 + .maxlen = sizeof(int),
43320 + .proc_handler = &proc_dointvec,
43323 +#ifdef CONFIG_GRKERNSEC_ROFS
43325 + .procname = "romount_protect",
43326 + .data = &grsec_enable_rofs,
43327 + .maxlen = sizeof(int),
43329 + .proc_handler = &proc_dointvec_minmax,
43337 diff -urNp linux-2.6.38.1/grsecurity/grsec_time.c linux-2.6.38.1-new/grsecurity/grsec_time.c
43338 --- linux-2.6.38.1/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
43339 +++ linux-2.6.38.1-new/grsecurity/grsec_time.c 2011-03-21 18:31:35.000000000 -0400
43341 +#include <linux/kernel.h>
43342 +#include <linux/sched.h>
43343 +#include <linux/grinternal.h>
43344 +#include <linux/module.h>
43347 +gr_log_timechange(void)
43349 +#ifdef CONFIG_GRKERNSEC_TIME
43350 + if (grsec_enable_time)
43351 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
43356 +EXPORT_SYMBOL(gr_log_timechange);
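Review bot: `gr_log_timechange` is exported with `EXPORT_SYMBOL` but carries no comment stating its contract, and its callers are not visible on this page. A header comment such as `/* Audit a system time change; emits GR_TIME_MSG only when the timechange_logging sysctl (grsec_enable_time) is set. */` would document the only behaviour the body shows. The function's return type line and its braces fall on lines not reproduced in this rendering.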
43357 diff -urNp linux-2.6.38.1/grsecurity/grsec_tpe.c linux-2.6.38.1-new/grsecurity/grsec_tpe.c
43358 --- linux-2.6.38.1/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
43359 +++ linux-2.6.38.1-new/grsecurity/grsec_tpe.c 2011-03-21 18:31:35.000000000 -0400
43361 +#include <linux/kernel.h>
43362 +#include <linux/sched.h>
43363 +#include <linux/file.h>
43364 +#include <linux/fs.h>
43365 +#include <linux/grinternal.h>
43367 +extern int gr_acl_tpe_check(void);
43370 +gr_tpe_allow(const struct file *file)
43372 +#ifdef CONFIG_GRKERNSEC
43373 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
43374 + const struct cred *cred = current_cred();
43376 + if (cred->uid && ((grsec_enable_tpe &&
43377 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43378 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
43379 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
43381 + in_group_p(grsec_tpe_gid)
43383 + ) || gr_acl_tpe_check()) &&
43384 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
43385 + (inode->i_mode & S_IWOTH))))) {
43386 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
43389 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43390 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
43391 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
43392 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
43393 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
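Review bot: The parent directory inode on the first line of gr_tpe_allow is read through `file->f_path.dentry->d_parent->d_inode` without pinning the parent, so a concurrent rename of the executable could move `d_parent` while the ownership and mode checks run; taking it with `dget_parent()` and releasing it with `dput()` on the exit paths would keep the checked directory stable for the whole function. The first condition also carries a redundant term: `inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH)))` is equivalent to `inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH))`, and the same combined mask could replace the two separate tests in the CONFIG_GRKERNSEC_TPE_ALL branch. The function's return statements and closing braces are not shown in the hunk.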
43400 diff -urNp linux-2.6.38.1/grsecurity/grsum.c linux-2.6.38.1-new/grsecurity/grsum.c
43401 --- linux-2.6.38.1/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
43402 +++ linux-2.6.38.1-new/grsecurity/grsum.c 2011-03-21 18:31:35.000000000 -0400
43404 +#include <linux/err.h>
43405 +#include <linux/kernel.h>
43406 +#include <linux/sched.h>
43407 +#include <linux/mm.h>
43408 +#include <linux/scatterlist.h>
43409 +#include <linux/crypto.h>
43410 +#include <linux/gracl.h>
43413 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
43414 +#error "crypto and sha256 must be built into the kernel"
43418 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
43421 + struct crypto_hash *tfm;
43422 + struct hash_desc desc;
43423 + struct scatterlist sg;
43424 + unsigned char temp_sum[GR_SHA_LEN];
43425 + volatile int retval = 0;
43426 + volatile int dummy = 0;
43429 + sg_init_table(&sg, 1);
43431 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
43432 + if (IS_ERR(tfm)) {
43433 + /* should never happen, since sha256 should be built in */
43440 + crypto_hash_init(&desc);
43443 + sg_set_buf(&sg, p, GR_SALT_LEN);
43444 + crypto_hash_update(&desc, &sg, sg.length);
43447 + sg_set_buf(&sg, p, strlen(p));
43449 + crypto_hash_update(&desc, &sg, sg.length);
43451 + crypto_hash_final(&desc, temp_sum);
43453 + memset(entry->pw, 0, GR_PW_LEN);
43455 + for (i = 0; i < GR_SHA_LEN; i++)
43456 + if (sum[i] != temp_sum[i])
43459 + dummy = 1; // waste a cycle
43461 + crypto_free_hash(tfm);
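Review bot: The comparison loop in chkpw relies on `volatile` stores and the `dummy = 1` branch to hide timing, which still leaves a data-dependent branch per byte; accumulating the difference is branch-free and clearer: `diff |= sum[i] ^ temp_sum[i];` as the loop body, followed by `retval = diff != 0;` after it (with `unsigned char diff = 0;` declared next to `retval`), assuming the line hidden between the `if` and the `dummy` branch sets `retval` on mismatch. The return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final` are ignored, so a failed digest would compare `sum` against an uninitialized `temp_sum`; treating a non-zero return as a mismatch would make the fail-closed behaviour explicit instead of accidental. `temp_sum` is also left on the stack after the compare while `entry->pw` is cleared; `memset(temp_sum, 0, sizeof temp_sum)` before `crypto_free_hash` would treat both the same. The declarations of `p` and `i`, the `IS_ERR` error path and the final return lie on lines not reproduced in this rendering.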
43465 diff -urNp linux-2.6.38.1/grsecurity/Kconfig linux-2.6.38.1-new/grsecurity/Kconfig
43466 --- linux-2.6.38.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
43467 +++ linux-2.6.38.1-new/grsecurity/Kconfig 2011-03-21 18:31:35.000000000 -0400
43470 +# grecurity configuration
43476 + bool "Grsecurity"
43478 + select CRYPTO_SHA256
43480 + If you say Y here, you will be able to configure many features
43481 + that will enhance the security of your system. It is highly
43482 + recommended that you say Y here and read through the help
43483 + for each option so that you fully understand the features and
43484 + can evaluate their usefulness for your machine.
43487 + prompt "Security Level"
43488 + depends on GRKERNSEC
43489 + default GRKERNSEC_CUSTOM
43491 +config GRKERNSEC_LOW
43493 + select GRKERNSEC_LINK
43494 + select GRKERNSEC_FIFO
43495 + select GRKERNSEC_EXECVE
43496 + select GRKERNSEC_RANDNET
43497 + select GRKERNSEC_DMESG
43498 + select GRKERNSEC_CHROOT
43499 + select GRKERNSEC_CHROOT_CHDIR
43502 + If you choose this option, several of the grsecurity options will
43503 + be enabled that will give you greater protection against a number
43504 + of attacks, while assuring that none of your software will have any
43505 + conflicts with the additional security measures. If you run a lot
43506 + of unusual software, or you are having problems with the higher
43507 + security levels, you should say Y here. With this option, the
43508 + following features are enabled:
43510 + - Linking restrictions
43511 + - FIFO restrictions
43512 + - Enforcing RLIMIT_NPROC on execve
43513 + - Restricted dmesg
43514 + - Enforced chdir("/") on chroot
43515 + - Runtime module disabling
43517 +config GRKERNSEC_MEDIUM
43520 + select PAX_EI_PAX
43521 + select PAX_PT_PAX_FLAGS
43522 + select PAX_HAVE_ACL_FLAGS
43523 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43524 + select GRKERNSEC_CHROOT
43525 + select GRKERNSEC_CHROOT_SYSCTL
43526 + select GRKERNSEC_LINK
43527 + select GRKERNSEC_FIFO
43528 + select GRKERNSEC_EXECVE
43529 + select GRKERNSEC_DMESG
43530 + select GRKERNSEC_RANDNET
43531 + select GRKERNSEC_FORKFAIL
43532 + select GRKERNSEC_TIME
43533 + select GRKERNSEC_SIGNAL
43534 + select GRKERNSEC_CHROOT
43535 + select GRKERNSEC_CHROOT_UNIX
43536 + select GRKERNSEC_CHROOT_MOUNT
43537 + select GRKERNSEC_CHROOT_PIVOT
43538 + select GRKERNSEC_CHROOT_DOUBLE
43539 + select GRKERNSEC_CHROOT_CHDIR
43540 + select GRKERNSEC_CHROOT_MKNOD
43541 + select GRKERNSEC_PROC
43542 + select GRKERNSEC_PROC_USERGROUP
43543 + select PAX_RANDUSTACK
43545 + select PAX_RANDMMAP
43546 + select PAX_REFCOUNT if (X86 || SPARC64)
43547 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
43550 + If you say Y here, several features in addition to those included
43551 + in the low additional security level will be enabled. These
43552 + features provide even more security to your system, though in rare
43553 + cases they may be incompatible with very old or poorly written
43554 + software. If you enable this option, make sure that your auth
43555 + service (identd) is running as gid 1001. With this option,
43556 + the following features (in addition to those provided in the
43557 + low additional security level) will be enabled:
43559 + - Failed fork logging
43560 + - Time change logging
43562 + - Deny mounts in chroot
43563 + - Deny double chrooting
43564 + - Deny sysctl writes in chroot
43565 + - Deny mknod in chroot
43566 + - Deny access to abstract AF_UNIX sockets out of chroot
43567 + - Deny pivot_root in chroot
43568 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
43569 + - /proc restrictions with special GID set to 10 (usually wheel)
43570 + - Address Space Layout Randomization (ASLR)
43571 + - Prevent exploitation of most refcount overflows
43572 + - Bounds checking of copying between the kernel and userland
43574 +config GRKERNSEC_HIGH
43576 + select GRKERNSEC_LINK
43577 + select GRKERNSEC_FIFO
43578 + select GRKERNSEC_EXECVE
43579 + select GRKERNSEC_DMESG
43580 + select GRKERNSEC_FORKFAIL
43581 + select GRKERNSEC_TIME
43582 + select GRKERNSEC_SIGNAL
43583 + select GRKERNSEC_CHROOT
43584 + select GRKERNSEC_CHROOT_SHMAT
43585 + select GRKERNSEC_CHROOT_UNIX
43586 + select GRKERNSEC_CHROOT_MOUNT
43587 + select GRKERNSEC_CHROOT_FCHDIR
43588 + select GRKERNSEC_CHROOT_PIVOT
43589 + select GRKERNSEC_CHROOT_DOUBLE
43590 + select GRKERNSEC_CHROOT_CHDIR
43591 + select GRKERNSEC_CHROOT_MKNOD
43592 + select GRKERNSEC_CHROOT_CAPS
43593 + select GRKERNSEC_CHROOT_SYSCTL
43594 + select GRKERNSEC_CHROOT_FINDTASK
43595 + select GRKERNSEC_SYSFS_RESTRICT
43596 + select GRKERNSEC_PROC
43597 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43598 + select GRKERNSEC_HIDESYM
43599 + select GRKERNSEC_BRUTE
43600 + select GRKERNSEC_PROC_USERGROUP
43601 + select GRKERNSEC_KMEM
43602 + select GRKERNSEC_RESLOG
43603 + select GRKERNSEC_RANDNET
43604 + select GRKERNSEC_PROC_ADD
43605 + select GRKERNSEC_CHROOT_CHMOD
43606 + select GRKERNSEC_CHROOT_NICE
43607 + select GRKERNSEC_AUDIT_MOUNT
43608 + select GRKERNSEC_MODHARDEN if (MODULES)
43609 + select GRKERNSEC_HARDEN_PTRACE
43610 + select GRKERNSEC_VM86 if (X86_32)
43612 + select PAX_RANDUSTACK
43614 + select PAX_RANDMMAP
43615 + select PAX_NOEXEC
43616 + select PAX_MPROTECT
43617 + select PAX_EI_PAX
43618 + select PAX_PT_PAX_FLAGS
43619 + select PAX_HAVE_ACL_FLAGS
43620 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
43621 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
43622 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
43623 + select PAX_SEGMEXEC if (X86_32)
43624 + select PAX_PAGEEXEC
43625 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
43626 + select PAX_EMUTRAMP if (PARISC)
43627 + select PAX_EMUSIGRT if (PARISC)
43628 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
43629 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
43630 + select PAX_REFCOUNT if (X86 || SPARC64)
43631 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
43633 + If you say Y here, many of the features of grsecurity will be
43634 + enabled, which will protect you against many kinds of attacks
43635 + against your system. The heightened security comes at a cost
43636 + of an increased chance of incompatibilities with rare software
43637 + on your machine. Since this security level enables PaX, you should
43638 + view <http://pax.grsecurity.net> and read about the PaX
43639 + project. While you are there, download chpax and run it on
43640 + binaries that cause problems with PaX. Also remember that
43641 + since the /proc restrictions are enabled, you must run your
43642 + identd as gid 1001. This security level enables the following
43643 + features in addition to those listed in the low and medium
43646 + - Additional /proc restrictions
43647 + - Chmod restrictions in chroot
43648 + - No signals, ptrace, or viewing of processes outside of chroot
43649 + - Capability restrictions in chroot
43650 + - Deny fchdir out of chroot
43651 + - Priority restrictions in chroot
43652 + - Segmentation-based implementation of PaX
43653 + - Mprotect restrictions
43654 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
43655 + - Kernel stack randomization
43656 + - Mount/unmount/remount logging
43657 + - Kernel symbol hiding
43658 + - Prevention of memory exhaustion-based exploits
43659 + - Hardening of module auto-loading
43660 + - Ptrace restrictions
43661 + - Restricted vm86 mode
43662 + - Restricted sysfs/debugfs
43664 +config GRKERNSEC_CUSTOM
43667 + If you say Y here, you will be able to configure every grsecurity
43668 + option, which allows you to enable many more features that aren't
43669 + covered in the basic security levels. These additional features
43670 + include TPE, socket restrictions, and the sysctl system for
43671 + grsecurity. It is advised that you read through the help for
43672 + each option to determine its usefulness in your situation.
43676 +menu "Address Space Protection"
43677 +depends on GRKERNSEC
43679 +config GRKERNSEC_KMEM
43680 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
43682 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
43683 + be written to via mmap or otherwise to modify the running kernel.
43684 + /dev/port will also not be allowed to be opened. If you have module
43685 + support disabled, enabling this will close up four ways that are
43686 + currently used to insert malicious code into the running kernel.
43687 + Even with all these features enabled, we still highly recommend that
43688 + you use the RBAC system, as it is still possible for an attacker to
43689 + modify the running kernel through privileged I/O granted by ioperm/iopl.
43690 + If you are not using XFree86, you may be able to stop this additional
43691 + case by enabling the 'Disable privileged I/O' option. Though nothing
43692 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
43693 + but only to video memory, which is the only writing we allow in this
43694 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
43695 + not be allowed to mprotect it with PROT_WRITE later.
43696 + It is highly recommended that you say Y here if you meet all the
43697 + conditions above.
43699 +config GRKERNSEC_VM86
43700 + bool "Restrict VM86 mode"
43701 + depends on X86_32
43704 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
43705 + make use of a special execution mode on 32bit x86 processors called
43706 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
43707 + video cards and will still work with this option enabled. The purpose
43708 + of the option is to prevent exploitation of emulation errors in
43709 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
43710 + Nearly all users should be able to enable this option.
43712 +config GRKERNSEC_IO
43713 + bool "Disable privileged I/O"
43716 + select RTC_INTF_DEV
43717 + select RTC_DRV_CMOS
43720 + If you say Y here, all ioperm and iopl calls will return an error.
43721 + Ioperm and iopl can be used to modify the running kernel.
43722 + Unfortunately, some programs need this access to operate properly,
43723 + the most notable of which are XFree86 and hwclock. hwclock can be
43724 + remedied by having RTC support in the kernel, so real-time
43725 + clock support is enabled if this option is enabled, to ensure
43726 + that hwclock operates correctly. XFree86 still will not
43727 + operate correctly with this option enabled, so DO NOT CHOOSE Y
43728 + IF YOU USE XFree86. If you use XFree86 and you still want to
43729 + protect your kernel against modification, use the RBAC system.
43731 +config GRKERNSEC_PROC_MEMMAP
43732 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
43733 + default y if (PAX_NOEXEC || PAX_ASLR)
43734 + depends on PAX_NOEXEC || PAX_ASLR
43736 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
43737 + give no information about the addresses of its mappings if
43738 + PaX features that rely on random addresses are enabled on the task.
43739 + If you use PaX it is greatly recommended that you say Y here as it
43740 + closes up a hole that makes the full ASLR useless for suid
43743 +config GRKERNSEC_BRUTE
43744 + bool "Deter exploit bruteforcing"
43746 + If you say Y here, attempts to bruteforce exploits against forking
43747 + daemons such as apache or sshd will be deterred. When a child of a
43748 + forking daemon is killed by PaX or crashes due to an illegal
43749 + instruction, the parent process will be delayed 30 seconds upon every
43750 + subsequent fork until the administrator is able to assess the
43751 + situation and restart the daemon. It is recommended that you also
43752 + enable signal logging in the auditing section so that logs are
43753 + generated when a process performs an illegal instruction.
43755 +config GRKERNSEC_MODHARDEN
43756 + bool "Harden module auto-loading"
43757 + depends on MODULES
43759 + If you say Y here, module auto-loading in response to use of some
43760 + feature implemented by an unloaded module will be restricted to
43761 + root users. Enabling this option helps defend against attacks
43762 + by unprivileged users who abuse the auto-loading behavior to
43763 + cause a vulnerable module to load that is then exploited.
43765 + If this option prevents a legitimate use of auto-loading for a
43766 + non-root user, the administrator can execute modprobe manually
43767 + with the exact name of the module mentioned in the alert log.
43768 + Alternatively, the administrator can add the module to the list
43769 + of modules loaded at boot by modifying init scripts.
43771 + Modification of init scripts will most likely be needed on
43772 + Ubuntu servers with encrypted home directory support enabled,
43773 + as the first non-root user logging in will cause the ecb(aes),
43774 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
43776 +config GRKERNSEC_HIDESYM
43777 + bool "Hide kernel symbols"
43779 + If you say Y here, getting information on loaded modules, and
43780 + displaying all kernel symbols through a syscall will be restricted
43781 + to users with CAP_SYS_MODULE. For software compatibility reasons,
43782 + /proc/kallsyms will be restricted to the root user. The RBAC
43783 + system can hide that entry even from root.
43785 + This option also prevents leaking of kernel addresses through
43786 + several /proc entries.
43788 + Note that this option is only effective provided the following
43789 + conditions are met:
43790 + 1) The kernel using grsecurity is not precompiled by some distribution
43791 + 2) You have also enabled GRKERNSEC_DMESG
43792 + 3) You are using the RBAC system and hiding other files such as your
43793 + kernel image and System.map. Alternatively, enabling this option
43794 + causes the permissions on /boot, /lib/modules, and the kernel
43795 + source directory to change at compile time to prevent
43796 + reading by non-root users.
43797 + If the above conditions are met, this option will aid in providing a
43798 + useful protection against local kernel exploitation of overflows
43799 + and arbitrary read/write vulnerabilities.
43802 +menu "Role Based Access Control Options"
43803 +depends on GRKERNSEC
43805 +config GRKERNSEC_NO_RBAC
43806 + bool "Disable RBAC system"
43808 + If you say Y here, the /dev/grsec device will be removed from the kernel,
43809 + preventing the RBAC system from being enabled. You should only say Y
43810 + here if you have no intention of using the RBAC system, so as to prevent
43811 + an attacker with root access from misusing the RBAC system to hide files
43812 + and processes when loadable module support and /dev/[k]mem have been
43815 +config GRKERNSEC_ACL_HIDEKERN
43816 + bool "Hide kernel processes"
43818 + If you say Y here, all kernel threads will be hidden to all
43819 + processes but those whose subject has the "view hidden processes"
43822 +config GRKERNSEC_ACL_MAXTRIES
43823 + int "Maximum tries before password lockout"
43826 + This option enforces the maximum number of times a user can attempt
43827 + to authorize themselves with the grsecurity RBAC system before being
43828 + denied the ability to attempt authorization again for a specified time.
43829 + The lower the number, the harder it will be to brute-force a password.
43831 +config GRKERNSEC_ACL_TIMEOUT
43832 + int "Time to wait after max password tries, in seconds"
43835 + This option specifies the time the user must wait after attempting to
43836 + authorize to the RBAC system with the maximum number of invalid
43837 + passwords. The higher the number, the harder it will be to brute-force
43841 +menu "Filesystem Protections"
43842 +depends on GRKERNSEC
43844 +config GRKERNSEC_PROC
43845 + bool "Proc restrictions"
43847 + If you say Y here, the permissions of the /proc filesystem
43848 + will be altered to enhance system security and privacy. You MUST
43849 + choose either a user only restriction or a user and group restriction.
43850 + Depending upon the option you choose, you can either restrict users to
43851 + see only the processes they themselves run, or choose a group that can
43852 + view all processes and files normally restricted to root if you choose
43853 + the "restrict to user only" option. NOTE: If you're running identd as
43854 + a non-root user, you will have to run it as the group you specify here.
43856 +config GRKERNSEC_PROC_USER
43857 + bool "Restrict /proc to user only"
43858 + depends on GRKERNSEC_PROC
43860 + If you say Y here, non-root users will only be able to view their own
43861 + processes, and restricts them from viewing network-related information,
43862 + and viewing kernel symbol and module information.
43864 +config GRKERNSEC_PROC_USERGROUP
43865 + bool "Allow special group"
43866 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
43868 + If you say Y here, you will be able to select a group that will be
43869 + able to view all processes and network-related information. If you've
43870 + enabled GRKERNSEC_HIDESYM, kernel and symbol information may still
43871 + remain hidden. This option is useful if you want to run identd as
43874 +config GRKERNSEC_PROC_GID
43875 + int "GID for special group"
43876 + depends on GRKERNSEC_PROC_USERGROUP
43879 +config GRKERNSEC_PROC_ADD
43880 + bool "Additional restrictions"
43881 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
43883 + If you say Y here, additional restrictions will be placed on
43884 + /proc that keep normal users from viewing device information and
43885 + slabinfo information that could be useful for exploits.
43887 +config GRKERNSEC_LINK
43888 + bool "Linking restrictions"
43890 + If you say Y here, /tmp race exploits will be prevented, since users
43891 + will no longer be able to follow symlinks owned by other users in
43892 + world-writable +t directories (e.g. /tmp), unless the owner of the
43893 + symlink is the owner of the directory. users will also not be
43894 + able to hardlink to files they do not own. If the sysctl option is
43895 + enabled, a sysctl option with name "linking_restrictions" is created.
43897 +config GRKERNSEC_FIFO
43898 + bool "FIFO restrictions"
43900 + If you say Y here, users will not be able to write to FIFOs they don't
43901 + own in world-writable +t directories (e.g. /tmp), unless the owner of
43902 + the FIFO is the same owner of the directory it's held in. If the sysctl
43903 + option is enabled, a sysctl option with name "fifo_restrictions" is
43906 +config GRKERNSEC_SYSFS_RESTRICT
43907 + bool "Sysfs/debugfs restriction"
43910 + If you say Y here, sysfs (the pseudo-filesystem mounted at /sys) and
43911 + any filesystem normally mounted under it (e.g. debugfs) will only
43912 + be accessible by root. These filesystems generally provide access
43913 + to hardware and debug information that isn't appropriate for unprivileged
43914 + users of the system. Sysfs and debugfs have also become a large source
43915 + of new vulnerabilities, ranging from infoleaks to local compromise.
43916 + There has been very little oversight with an eye toward security involved
43917 + in adding new exporters of information to these filesystems, so their
43918 + use is discouraged.
43919 + This option is equivalent to a chmod 0700 of the mount paths.
43921 +config GRKERNSEC_ROFS
43922 + bool "Runtime read-only mount protection"
43924 + If you say Y here, a sysctl option with name "romount_protect" will
43925 + be created. By setting this option to 1 at runtime, filesystems
43926 + will be protected in the following ways:
43927 + * No new writable mounts will be allowed
43928 + * Existing read-only mounts won't be able to be remounted read/write
43929 + * Write operations will be denied on all block devices
43930 + This option acts independently of grsec_lock: once it is set to 1,
43931 + it cannot be turned off. Therefore, please be mindful of the resulting
43932 + behavior if this option is enabled in an init script on a read-only
43933 + filesystem. This feature is mainly intended for secure embedded systems.
43935 +config GRKERNSEC_CHROOT
43936 + bool "Chroot jail restrictions"
43938 + If you say Y here, you will be able to choose several options that will
43939 + make breaking out of a chrooted jail much more difficult. If you
43940 + encounter no software incompatibilities with the following options, it
43941 + is recommended that you enable each one.
43943 +config GRKERNSEC_CHROOT_MOUNT
43944 + bool "Deny mounts"
43945 + depends on GRKERNSEC_CHROOT
43947 + If you say Y here, processes inside a chroot will not be able to
43948 + mount or remount filesystems. If the sysctl option is enabled, a
43949 + sysctl option with name "chroot_deny_mount" is created.
43951 +config GRKERNSEC_CHROOT_DOUBLE
43952 + bool "Deny double-chroots"
43953 + depends on GRKERNSEC_CHROOT
43955 + If you say Y here, processes inside a chroot will not be able to chroot
43956 + again outside the chroot. This is a widely used method of breaking
43957 + out of a chroot jail and should not be allowed. If the sysctl
43958 + option is enabled, a sysctl option with name
43959 + "chroot_deny_chroot" is created.
43961 +config GRKERNSEC_CHROOT_PIVOT
43962 + bool "Deny pivot_root in chroot"
43963 + depends on GRKERNSEC_CHROOT
43965 + If you say Y here, processes inside a chroot will not be able to use
43966 + a function called pivot_root() that was introduced in Linux 2.3.41. It
43967 + works similar to chroot in that it changes the root filesystem. This
43968 + function could be misused in a chrooted process to attempt to break out
43969 + of the chroot, and therefore should not be allowed. If the sysctl
43970 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
43973 +config GRKERNSEC_CHROOT_CHDIR
43974 + bool "Enforce chdir(\"/\") on all chroots"
43975 + depends on GRKERNSEC_CHROOT
43977 + If you say Y here, the current working directory of all newly-chrooted
43978 + applications will be set to the the root directory of the chroot.
43979 + The man page on chroot(2) states:
43980 + Note that this call does not change the current working
43981 + directory, so that `.' can be outside the tree rooted at
43982 + `/'. In particular, the super-user can escape from a
43983 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
43985 + It is recommended that you say Y here, since it's not known to break
43986 + any software. If the sysctl option is enabled, a sysctl option with
43987 + name "chroot_enforce_chdir" is created.
43989 +config GRKERNSEC_CHROOT_CHMOD
43990 + bool "Deny (f)chmod +s"
43991 + depends on GRKERNSEC_CHROOT
43993 + If you say Y here, processes inside a chroot will not be able to chmod
43994 + or fchmod files to make them have suid or sgid bits. This protects
43995 + against another published method of breaking a chroot. If the sysctl
43996 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
43999 +config GRKERNSEC_CHROOT_FCHDIR
44000 + bool "Deny fchdir out of chroot"
44001 + depends on GRKERNSEC_CHROOT
44003 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
44004 + to a file descriptor of the chrooting process that points to a directory
44005 + outside the filesystem will be stopped. If the sysctl option
44006 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
44008 +config GRKERNSEC_CHROOT_MKNOD
44009 + bool "Deny mknod"
44010 + depends on GRKERNSEC_CHROOT
44012 + If you say Y here, processes inside a chroot will not be allowed to
44013 + mknod. The problem with using mknod inside a chroot is that it
44014 + would allow an attacker to create a device entry that is the same
44015 + as one on the physical root of your system, which could range from
44016 + anything from the console device to a device for your harddrive (which
44017 + they could then use to wipe the drive or steal data). It is recommended
44018 + that you say Y here, unless you run into software incompatibilities.
44019 + If the sysctl option is enabled, a sysctl option with name
44020 + "chroot_deny_mknod" is created.
44022 +config GRKERNSEC_CHROOT_SHMAT
44023 + bool "Deny shmat() out of chroot"
44024 + depends on GRKERNSEC_CHROOT
44026 + If you say Y here, processes inside a chroot will not be able to attach
44027 + to shared memory segments that were created outside of the chroot jail.
44028 + It is recommended that you say Y here. If the sysctl option is enabled,
44029 + a sysctl option with name "chroot_deny_shmat" is created.
44031 +config GRKERNSEC_CHROOT_UNIX
44032 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
44033 + depends on GRKERNSEC_CHROOT
44035 + If you say Y here, processes inside a chroot will not be able to
44036 + connect to abstract (meaning not belonging to a filesystem) Unix
44037 + domain sockets that were bound outside of a chroot. It is recommended
44038 + that you say Y here. If the sysctl option is enabled, a sysctl option
44039 + with name "chroot_deny_unix" is created.
44041 +config GRKERNSEC_CHROOT_FINDTASK
44042 + bool "Protect outside processes"
44043 + depends on GRKERNSEC_CHROOT
44045 + If you say Y here, processes inside a chroot will not be able to
44046 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
44047 + getsid, or view any process outside of the chroot. If the sysctl
44048 + option is enabled, a sysctl option with name "chroot_findtask" is
44051 +config GRKERNSEC_CHROOT_NICE
44052 + bool "Restrict priority changes"
44053 + depends on GRKERNSEC_CHROOT
44055 + If you say Y here, processes inside a chroot will not be able to raise
44056 + the priority of processes in the chroot, or alter the priority of
44057 + processes outside the chroot. This provides more security than simply
44058 + removing CAP_SYS_NICE from the process' capability set. If the
44059 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
44062 +config GRKERNSEC_CHROOT_SYSCTL
44063 + bool "Deny sysctl writes"
44064 + depends on GRKERNSEC_CHROOT
44066 + If you say Y here, an attacker in a chroot will not be able to
44067 + write to sysctl entries, either by sysctl(2) or through a /proc
44068 + interface. It is strongly recommended that you say Y here. If the
44069 + sysctl option is enabled, a sysctl option with name
44070 + "chroot_deny_sysctl" is created.
44072 +config GRKERNSEC_CHROOT_CAPS
44073 + bool "Capability restrictions"
44074 + depends on GRKERNSEC_CHROOT
44076 + If you say Y here, the capabilities on all root processes within a
44077 + chroot jail will be lowered to stop module insertion, raw i/o,
44078 + system and net admin tasks, rebooting the system, modifying immutable
44079 + files, modifying IPC owned by another, and changing the system time.
44080 + This is left an option because it can break some apps. Disable this
44081 + if your chrooted apps are having problems performing those kinds of
44082 + tasks. If the sysctl option is enabled, a sysctl option with
44083 + name "chroot_caps" is created.
44086 +menu "Kernel Auditing"
44087 +depends on GRKERNSEC
44089 +config GRKERNSEC_AUDIT_GROUP
44090 + bool "Single group for auditing"
44092 + If you say Y here, the exec, chdir, and (un)mount logging features
44093 + will only operate on a group you specify. This option is recommended
44094 + if you only want to watch certain users instead of having a large
44095 + amount of logs from the entire system. If the sysctl option is enabled,
44096 + a sysctl option with name "audit_group" is created.
44098 +config GRKERNSEC_AUDIT_GID
44099 + int "GID for auditing"
44100 + depends on GRKERNSEC_AUDIT_GROUP
44103 +config GRKERNSEC_EXECLOG
44104 + bool "Exec logging"
44106 + If you say Y here, all execve() calls will be logged (since the
44107 + other exec*() calls are frontends to execve(), all execution
44108 + will be logged). Useful for shell-servers that like to keep track
44109 + of their users. If the sysctl option is enabled, a sysctl option with
44110 + name "exec_logging" is created.
44111 + WARNING: This option when enabled will produce a LOT of logs, especially
44112 + on an active system.
44114 +config GRKERNSEC_RESLOG
44115 + bool "Resource logging"
44117 + If you say Y here, all attempts to overstep resource limits will
44118 + be logged with the resource name, the requested size, and the current
44119 + limit. It is highly recommended that you say Y here. If the sysctl
44120 + option is enabled, a sysctl option with name "resource_logging" is
44121 + created. If the RBAC system is enabled, the sysctl value is ignored.
44123 +config GRKERNSEC_CHROOT_EXECLOG
44124 + bool "Log execs within chroot"
44126 + If you say Y here, all executions inside a chroot jail will be logged
44127 + to syslog. This can cause a large amount of logs if certain
44128 + applications (eg. djb's daemontools) are installed on the system, and
44129 + is therefore left as an option. If the sysctl option is enabled, a
44130 + sysctl option with name "chroot_execlog" is created.
44132 +config GRKERNSEC_AUDIT_PTRACE
44133 + bool "Ptrace logging"
44135 + If you say Y here, all attempts to attach to a process via ptrace
44136 + will be logged. If the sysctl option is enabled, a sysctl option
44137 + with name "audit_ptrace" is created.
44139 +config GRKERNSEC_AUDIT_CHDIR
44140 + bool "Chdir logging"
44142 + If you say Y here, all chdir() calls will be logged. If the sysctl
44143 + option is enabled, a sysctl option with name "audit_chdir" is created.
44145 +config GRKERNSEC_AUDIT_MOUNT
44146 + bool "(Un)Mount logging"
44148 + If you say Y here, all mounts and unmounts will be logged. If the
44149 + sysctl option is enabled, a sysctl option with name "audit_mount" is
44152 +config GRKERNSEC_SIGNAL
44153 + bool "Signal logging"
44155 + If you say Y here, certain important signals will be logged, such as
44156 + SIGSEGV, which will as a result inform you of when a error in a program
44157 + occurred, which in some cases could mean a possible exploit attempt.
44158 + If the sysctl option is enabled, a sysctl option with name
44159 + "signal_logging" is created.
44161 +config GRKERNSEC_FORKFAIL
44162 + bool "Fork failure logging"
44164 + If you say Y here, all failed fork() attempts will be logged.
44165 + This could suggest a fork bomb, or someone attempting to overstep
44166 + their process limit. If the sysctl option is enabled, a sysctl option
44167 + with name "forkfail_logging" is created.
44169 +config GRKERNSEC_TIME
44170 + bool "Time change logging"
44172 + If you say Y here, any changes of the system clock will be logged.
44173 + If the sysctl option is enabled, a sysctl option with name
44174 + "timechange_logging" is created.
44176 +config GRKERNSEC_PROC_IPADDR
44177 + bool "/proc/<pid>/ipaddr support"
44179 + If you say Y here, a new entry will be added to each /proc/<pid>
44180 + directory that contains the IP address of the person using the task.
44181 + The IP is carried across local TCP and AF_UNIX stream sockets.
44182 + This information can be useful for IDS/IPSes to perform remote response
44183 + to a local attack. The entry is readable by only the owner of the
44184 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
44185 + the RBAC system), and thus does not create privacy concerns.
44187 +config GRKERNSEC_RWXMAP_LOG
44188 + bool 'Denied RWX mmap/mprotect logging'
44189 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
44191 + If you say Y here, calls to mmap() and mprotect() with explicit
44192 + usage of PROT_WRITE and PROT_EXEC together will be logged when
44193 + denied by the PAX_MPROTECT feature. If the sysctl option is
44194 + enabled, a sysctl option with name "rwxmap_logging" is created.
44196 +config GRKERNSEC_AUDIT_TEXTREL
44197 + bool 'ELF text relocations logging (READ HELP)'
44198 + depends on PAX_MPROTECT
44200 + If you say Y here, text relocations will be logged with the filename
44201 + of the offending library or binary. The purpose of the feature is
44202 + to help Linux distribution developers get rid of libraries and
44203 + binaries that need text relocations which hinder the future progress
44204 + of PaX. Only Linux distribution developers should say Y here, and
44205 + never on a production machine, as this option creates an information
44206 + leak that could aid an attacker in defeating the randomization of
44207 + a single memory region. If the sysctl option is enabled, a sysctl
44208 + option with name "audit_textrel" is created.
44212 +menu "Executable Protections"
44213 +depends on GRKERNSEC
44215 +config GRKERNSEC_EXECVE
44216 + bool "Enforce RLIMIT_NPROC on execs"
44218 + If you say Y here, users with a resource limit on processes will
44219 + have the value checked during execve() calls. The current system
44220 + only checks the system limit during fork() calls. If the sysctl option
44221 + is enabled, a sysctl option with name "execve_limiting" is created.
44223 +config GRKERNSEC_DMESG
44224 + bool "Dmesg(8) restriction"
44226 + If you say Y here, non-root users will not be able to use dmesg(8)
44227 + to view up to the last 4kb of messages in the kernel's log buffer.
44228 + The kernel's log buffer often contains kernel addresses and other
44229 + identifying information useful to an attacker in fingerprinting a
44230 + system for a targeted exploit.
44231 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
44234 +config GRKERNSEC_HARDEN_PTRACE
44235 + bool "Deter ptrace-based process snooping"
44237 + If you say Y here, TTY sniffers and other malicious monitoring
44238 + programs implemented through ptrace will be defeated. If you
44239 + have been using the RBAC system, this option has already been
44240 + enabled for several years for all users, with the ability to make
44241 + fine-grained exceptions.
44243 + This option only affects the ability of non-root users to ptrace
44244 + processes that are not a descendent of the ptracing process.
44245 + This means that strace ./binary and gdb ./binary will still work,
44246 + but attaching to arbitrary processes will not. If the sysctl
44247 + option is enabled, a sysctl option with name "harden_ptrace" is
44250 +config GRKERNSEC_TPE
44251 + bool "Trusted Path Execution (TPE)"
44253 + If you say Y here, you will be able to choose a gid to add to the
44254 + supplementary groups of users you want to mark as "untrusted."
44255 + These users will not be able to execute any files that are not in
44256 + root-owned directories writable only by root. If the sysctl option
44257 + is enabled, a sysctl option with name "tpe" is created.
44259 +config GRKERNSEC_TPE_ALL
44260 + bool "Partially restrict all non-root users"
44261 + depends on GRKERNSEC_TPE
44263 + If you say Y here, all non-root users will be covered under
44264 + a weaker TPE restriction. This is separate from, and in addition to,
44265 + the main TPE options that you have selected elsewhere. Thus, if a
44266 + "trusted" GID is chosen, this restriction applies to even that GID.
44267 + Under this restriction, all non-root users will only be allowed to
44268 + execute files in directories they own that are not group or
44269 + world-writable, or in directories owned by root and writable only by
44270 + root. If the sysctl option is enabled, a sysctl option with name
44271 + "tpe_restrict_all" is created.
44273 +config GRKERNSEC_TPE_INVERT
44274 + bool "Invert GID option"
44275 + depends on GRKERNSEC_TPE
44277 + If you say Y here, the group you specify in the TPE configuration will
44278 + decide what group TPE restrictions will be *disabled* for. This
44279 + option is useful if you want TPE restrictions to be applied to most
44280 + users on the system. If the sysctl option is enabled, a sysctl option
44281 + with name "tpe_invert" is created. Unlike other sysctl options, this
44282 + entry will default to on for backward-compatibility.
44284 +config GRKERNSEC_TPE_GID
44285 + int "GID for untrusted users"
44286 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
44289 + Setting this GID determines what group TPE restrictions will be
44290 + *enabled* for. If the sysctl option is enabled, a sysctl option
44291 + with name "tpe_gid" is created.
44293 +config GRKERNSEC_TPE_GID
44294 + int "GID for trusted users"
44295 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
44298 + Setting this GID determines what group TPE restrictions will be
44299 + *disabled* for. If the sysctl option is enabled, a sysctl option
44300 + with name "tpe_gid" is created.
44303 +menu "Network Protections"
44304 +depends on GRKERNSEC
44306 +config GRKERNSEC_RANDNET
44307 + bool "Larger entropy pools"
44309 + If you say Y here, the entropy pools used for many features of Linux
44310 + and grsecurity will be doubled in size. Since several grsecurity
44311 + features use additional randomness, it is recommended that you say Y
44312 + here. Saying Y here has a similar effect as modifying
44313 + /proc/sys/kernel/random/poolsize.
44315 +config GRKERNSEC_BLACKHOLE
44316 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
44318 + If you say Y here, neither TCP resets nor ICMP
44319 + destination-unreachable packets will be sent in response to packets
44320 + sent to ports for which no associated listening process exists.
44321 + This feature supports both IPV4 and IPV6 and exempts the
44322 + loopback interface from blackholing. Enabling this feature
44323 + makes a host more resilient to DoS attacks and reduces network
44324 + visibility against scanners.
44326 + The blackhole feature as-implemented is equivalent to the FreeBSD
44327 + blackhole feature, as it prevents RST responses to all packets, not
44328 + just SYNs. Under most application behavior this causes no
44329 + problems, but applications (like haproxy) may not close certain
44330 + connections in a way that cleanly terminates them on the remote
44331 + end, leaving the remote host in LAST_ACK state. Because of this
44332 + side-effect and to prevent intentional LAST_ACK DoSes, this
44333 + feature also adds automatic mitigation against such attacks.
44334 + The mitigation drastically reduces the amount of time a socket
44335 + can spend in LAST_ACK state. If you're using haproxy and not
44336 + all servers it connects to have this option enabled, consider
44337 + disabling this feature on the haproxy host.
44339 + If the sysctl option is enabled, two sysctl options with names
44340 + "ip_blackhole" and "lastack_retries" will be created.
44341 + While "ip_blackhole" takes the standard zero/non-zero on/off
44342 + toggle, "lastack_retries" uses the same kinds of values as
44343 + "tcp_retries1" and "tcp_retries2". The default value of 4
44344 + prevents a socket from lasting more than 45 seconds in LAST_ACK
44347 +config GRKERNSEC_SOCKET
44348 + bool "Socket restrictions"
44350 + If you say Y here, you will be able to choose from several options.
44351 + If you assign a GID on your system and add it to the supplementary
44352 + groups of users you want to restrict socket access to, this patch
44353 + will perform up to three things, based on the option(s) you choose.
44355 +config GRKERNSEC_SOCKET_ALL
44356 + bool "Deny any sockets to group"
44357 + depends on GRKERNSEC_SOCKET
44359 + If you say Y here, you will be able to choose a GID of whose users will
44360 + be unable to connect to other hosts from your machine or run server
44361 + applications from your machine. If the sysctl option is enabled, a
44362 + sysctl option with name "socket_all" is created.
44364 +config GRKERNSEC_SOCKET_ALL_GID
44365 + int "GID to deny all sockets for"
44366 + depends on GRKERNSEC_SOCKET_ALL
44369 + Here you can choose the GID to disable socket access for. Remember to
44370 + add the users you want socket access disabled for to the GID
44371 + specified here. If the sysctl option is enabled, a sysctl option
44372 + with name "socket_all_gid" is created.
44374 +config GRKERNSEC_SOCKET_CLIENT
44375 + bool "Deny client sockets to group"
44376 + depends on GRKERNSEC_SOCKET
44378 + If you say Y here, you will be able to choose a GID of whose users will
44379 + be unable to connect to other hosts from your machine, but will be
44380 + able to run servers. If this option is enabled, all users in the group
44381 + you specify will have to use passive mode when initiating ftp transfers
44382 + from the shell on your machine. If the sysctl option is enabled, a
44383 + sysctl option with name "socket_client" is created.
44385 +config GRKERNSEC_SOCKET_CLIENT_GID
44386 + int "GID to deny client sockets for"
44387 + depends on GRKERNSEC_SOCKET_CLIENT
44390 + Here you can choose the GID to disable client socket access for.
44391 + Remember to add the users you want client socket access disabled for to
44392 + the GID specified here. If the sysctl option is enabled, a sysctl
44393 + option with name "socket_client_gid" is created.
44395 +config GRKERNSEC_SOCKET_SERVER
44396 + bool "Deny server sockets to group"
44397 + depends on GRKERNSEC_SOCKET
44399 + If you say Y here, you will be able to choose a GID of whose users will
44400 + be unable to run server applications from your machine. If the sysctl
44401 + option is enabled, a sysctl option with name "socket_server" is created.
44403 +config GRKERNSEC_SOCKET_SERVER_GID
44404 + int "GID to deny server sockets for"
44405 + depends on GRKERNSEC_SOCKET_SERVER
44408 + Here you can choose the GID to disable server socket access for.
44409 + Remember to add the users you want server socket access disabled for to
44410 + the GID specified here. If the sysctl option is enabled, a sysctl
44411 + option with name "socket_server_gid" is created.
44414 +menu "Sysctl support"
44415 +depends on GRKERNSEC && SYSCTL
44417 +config GRKERNSEC_SYSCTL
44418 + bool "Sysctl support"
44420 + If you say Y here, you will be able to change the options that
44421 + grsecurity runs with at bootup, without having to recompile your
44422 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
44423 + to enable (1) or disable (0) various features. All the sysctl entries
44424 + are mutable until the "grsec_lock" entry is set to a non-zero value.
44425 + All features enabled in the kernel configuration are disabled at boot
44426 + if you do not say Y to the "Turn on features by default" option.
44427 + All options should be set at startup, and the grsec_lock entry should
44428 + be set to a non-zero value after all the options are set.
44429 + *THIS IS EXTREMELY IMPORTANT*
44431 +config GRKERNSEC_SYSCTL_DISTRO
44432 + bool "Extra sysctl support for distro makers (READ HELP)"
44433 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
44435 + If you say Y here, additional sysctl options will be created
44436 + for features that affect processes running as root. Therefore,
44437 + it is critical when using this option that the grsec_lock entry be
44438 + enabled after boot. Only distros with prebuilt kernel packages
44439 + with this option enabled that can ensure grsec_lock is enabled
44440 + after boot should use this option.
44441 + *Failure to set grsec_lock after boot makes all grsec features
44442 + this option covers useless*
44444 + Currently this option creates the following sysctl entries:
44445 + "Disable Privileged I/O": "disable_priv_io"
44447 +config GRKERNSEC_SYSCTL_ON
44448 + bool "Turn on features by default"
44449 + depends on GRKERNSEC_SYSCTL
44451 + If you say Y here, instead of having all features enabled in the
44452 + kernel configuration disabled at boot time, the features will be
44453 + enabled at boot time. It is recommended you say Y here unless
44454 + there is some reason you would want all sysctl-tunable features to
44455 + be disabled by default. As mentioned elsewhere, it is important
44456 + to enable the grsec_lock entry once you have finished modifying
44457 + the sysctl entries.
44460 +menu "Logging Options"
44461 +depends on GRKERNSEC
44463 +config GRKERNSEC_FLOODTIME
44464 + int "Seconds in between log messages (minimum)"
44467 + This option allows you to enforce the number of seconds between
44468 + grsecurity log messages. The default should be suitable for most
44469 + people, however, if you choose to change it, choose a value small enough
44470 + to allow informative logs to be produced, but large enough to
44471 + prevent flooding.
44473 +config GRKERNSEC_FLOODBURST
44474 + int "Number of messages in a burst (maximum)"
44477 + This option allows you to choose the maximum number of messages allowed
44478 + within the flood time interval you chose in a separate option. The
44479 + default should be suitable for most people, however if you find that
44480 + many of your logs are being interpreted as flooding, you may want to
44481 + raise this value.
44486 diff -urNp linux-2.6.38.1/grsecurity/Makefile linux-2.6.38.1-new/grsecurity/Makefile
44487 --- linux-2.6.38.1/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
44488 +++ linux-2.6.38.1-new/grsecurity/Makefile 2011-03-21 18:31:35.000000000 -0400
44490 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
44491 +# during 2001-2009 it has been completely redesigned by Brad Spengler
44492 +# into an RBAC system
44494 +# All code in this directory and various hooks inserted throughout the kernel
44495 +# are copyright Brad Spengler - Open Source Security, Inc., and released
44496 +# under the GPL v2 or higher
44498 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
44499 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
44500 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
44502 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
44503 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
44504 + gracl_learn.o grsec_log.o
44505 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
44507 +ifndef CONFIG_GRKERNSEC
44508 +obj-y += grsec_disabled.o
44511 +ifdef CONFIG_GRKERNSEC_HIDESYM
44512 +extra-y := grsec_hidesym.o
44513 +$(obj)/grsec_hidesym.o:
44514 + @-chmod -f 500 /boot
44515 + @-chmod -f 500 /lib/modules
44517 + @echo ' grsec: protected kernel image paths'
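Review bot: The grsec_hidesym.o recipe changes permissions on `/boot` and `/lib/modules` of the machine that compiles the kernel, which is the wrong place for a deployment-time hardening step: on a package builder, CI box or cross-compile host it alters paths that have nothing to do with the kernel being built, and it only succeeds when the build runs as root. Because both chmod lines carry the `@-` prefix, a failure is swallowed and the `grsec: protected kernel image paths` message still prints, so an unprivileged or containerised build reports a protection that was never applied. Consider moving this to the install target or documenting it in the GRKERNSEC_HIDESYM Kconfig help, and at minimum tie the message to success, e.g. `@chmod 500 /boot /lib/modules && echo ' grsec: protected kernel image paths'`. The closing `endif` lines of the two conditional blocks are not visible in this rendering.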
44519 diff -urNp linux-2.6.38.1/include/acpi/acoutput.h linux-2.6.38.1-new/include/acpi/acoutput.h
44520 --- linux-2.6.38.1/include/acpi/acoutput.h 2011-03-14 21:20:32.000000000 -0400
44521 +++ linux-2.6.38.1-new/include/acpi/acoutput.h 2011-03-21 18:31:35.000000000 -0400
44522 @@ -269,8 +269,8 @@
44523 * leaving no executable debug code!
44525 #define ACPI_FUNCTION_NAME(a)
44526 -#define ACPI_DEBUG_PRINT(pl)
44527 -#define ACPI_DEBUG_PRINT_RAW(pl)
44528 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
44529 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
44531 #endif /* ACPI_DEBUG_OUTPUT */
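Review bot: The new `do {} while (0)` expansions fix a real hazard — an empty `ACPI_DEBUG_PRINT(pl);` left a bare `;`, so `if (cond) ACPI_DEBUG_PRINT(...); else ...` mis-parsed and tripped -Wempty-body — but nothing in the header says so, and a later cleanup could revert it as noise. A one-line comment above the two defines would preserve the intent: `/* expand to a statement rather than nothing so if/else around a debug print stays well-formed */`. The `#ifdef ACPI_DEBUG_OUTPUT` block these definitions belong to starts before the hunk.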
44533 diff -urNp linux-2.6.38.1/include/acpi/acpi_drivers.h linux-2.6.38.1-new/include/acpi/acpi_drivers.h
44534 --- linux-2.6.38.1/include/acpi/acpi_drivers.h 2011-03-14 21:20:32.000000000 -0400
44535 +++ linux-2.6.38.1-new/include/acpi/acpi_drivers.h 2011-03-21 18:31:35.000000000 -0400
44536 @@ -119,8 +119,8 @@ void pci_acpi_crs_quirks(void);
44538 -------------------------------------------------------------------------- */
44539 struct acpi_dock_ops {
44540 - acpi_notify_handler handler;
44541 - acpi_notify_handler uevent;
44542 + const acpi_notify_handler handler;
44543 + const acpi_notify_handler uevent;
44546 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
44547 @@ -128,7 +128,7 @@ extern int is_dock_device(acpi_handle ha
44548 extern int register_dock_notifier(struct notifier_block *nb);
44549 extern void unregister_dock_notifier(struct notifier_block *nb);
44550 extern int register_hotplug_dock_device(acpi_handle handle,
44551 - struct acpi_dock_ops *ops,
44552 + const struct acpi_dock_ops *ops,
44554 extern void unregister_hotplug_dock_device(acpi_handle handle);
44556 @@ -144,7 +144,7 @@ static inline void unregister_dock_notif
44559 static inline int register_hotplug_dock_device(acpi_handle handle,
44560 - struct acpi_dock_ops *ops,
44561 + const struct acpi_dock_ops *ops,
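Review bot: Qualifying the members of `struct acpi_dock_ops` themselves as `const`, rather than only the pointer passed to register_hotplug_dock_device, makes every instance settable only through an initializer: a caller that declares the struct and then assigns `ops.handler = ...` at runtime, or allocates one with kmalloc, will no longer compile, and nothing in the header records that this is deliberate. Since the pointer parameter is also made const in both the real and the stub declaration, the member qualifiers are what force ops tables into static initializers; add a comment on the struct, e.g. `/* members are const so ops tables are statically initialized and can live in .rodata */`. The callers that populate this struct are outside the hunk, so whether any of them relies on runtime assignment cannot be confirmed here; the struct's closing brace and the stub's remaining parameters are also not visible in this rendering.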
44565 diff -urNp linux-2.6.38.1/include/asm-generic/atomic-long.h linux-2.6.38.1-new/include/asm-generic/atomic-long.h
44566 --- linux-2.6.38.1/include/asm-generic/atomic-long.h 2011-03-14 21:20:32.000000000 -0400
44567 +++ linux-2.6.38.1-new/include/asm-generic/atomic-long.h 2011-03-21 18:31:35.000000000 -0400
44570 typedef atomic64_t atomic_long_t;
44572 +#ifdef CONFIG_PAX_REFCOUNT
44573 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
44575 +typedef atomic64_t atomic_long_unchecked_t;
44578 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
44580 static inline long atomic_long_read(atomic_long_t *l)
44581 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
44582 return (long)atomic64_read(v);
44585 +#ifdef CONFIG_PAX_REFCOUNT
44586 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44588 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44590 + return (long)atomic64_read_unchecked(v);
44594 static inline void atomic_long_set(atomic_long_t *l, long i)
44596 atomic64_t *v = (atomic64_t *)l;
44597 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
44598 atomic64_set(v, i);
44601 +#ifdef CONFIG_PAX_REFCOUNT
44602 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44604 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44606 + atomic64_set_unchecked(v, i);
44610 static inline void atomic_long_inc(atomic_long_t *l)
44612 atomic64_t *v = (atomic64_t *)l;
44613 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
44617 +#ifdef CONFIG_PAX_REFCOUNT
44618 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44620 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44622 + atomic64_inc_unchecked(v);
44626 static inline void atomic_long_dec(atomic_long_t *l)
44628 atomic64_t *v = (atomic64_t *)l;
44629 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
44633 +#ifdef CONFIG_PAX_REFCOUNT
44634 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44636 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44638 + atomic64_dec_unchecked(v);
44642 static inline void atomic_long_add(long i, atomic_long_t *l)
44644 atomic64_t *v = (atomic64_t *)l;
44645 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
44646 atomic64_add(i, v);
44649 +#ifdef CONFIG_PAX_REFCOUNT
44650 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44652 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44654 + atomic64_add_unchecked(i, v);
44658 static inline void atomic_long_sub(long i, atomic_long_t *l)
44660 atomic64_t *v = (atomic64_t *)l;
44661 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
44662 atomic64_sub(i, v);
44665 +#ifdef CONFIG_PAX_REFCOUNT
44666 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44668 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44670 + atomic64_sub_unchecked(i, v);
44674 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44676 atomic64_t *v = (atomic64_t *)l;
44677 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
44678 return (long)atomic64_inc_return(v);
44681 +#ifdef CONFIG_PAX_REFCOUNT
44682 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44684 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44686 + return (long)atomic64_inc_return_unchecked(v);
44690 static inline long atomic_long_dec_return(atomic_long_t *l)
44692 atomic64_t *v = (atomic64_t *)l;
44693 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
44695 typedef atomic_t atomic_long_t;
44697 +#ifdef CONFIG_PAX_REFCOUNT
44698 +typedef atomic_unchecked_t atomic_long_unchecked_t;
44700 +typedef atomic_t atomic_long_unchecked_t;
44703 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
44704 static inline long atomic_long_read(atomic_long_t *l)
44706 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
44707 return (long)atomic_read(v);
44710 +#ifdef CONFIG_PAX_REFCOUNT
44711 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44713 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44715 + return (long)atomic_read_unchecked(v);
44719 static inline void atomic_long_set(atomic_long_t *l, long i)
44721 atomic_t *v = (atomic_t *)l;
44722 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
44726 +#ifdef CONFIG_PAX_REFCOUNT
44727 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44729 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44731 + atomic_set_unchecked(v, i);
44735 static inline void atomic_long_inc(atomic_long_t *l)
44737 atomic_t *v = (atomic_t *)l;
44738 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
44742 +#ifdef CONFIG_PAX_REFCOUNT
44743 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44745 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44747 + atomic_inc_unchecked(v);
44751 static inline void atomic_long_dec(atomic_long_t *l)
44753 atomic_t *v = (atomic_t *)l;
44754 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
44758 +#ifdef CONFIG_PAX_REFCOUNT
44759 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44761 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44763 + atomic_dec_unchecked(v);
44767 static inline void atomic_long_add(long i, atomic_long_t *l)
44769 atomic_t *v = (atomic_t *)l;
44770 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
44774 +#ifdef CONFIG_PAX_REFCOUNT
44775 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44777 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44779 + atomic_add_unchecked(i, v);
44783 static inline void atomic_long_sub(long i, atomic_long_t *l)
44785 atomic_t *v = (atomic_t *)l;
44786 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
44790 +#ifdef CONFIG_PAX_REFCOUNT
44791 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44793 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44795 + atomic_sub_unchecked(i, v);
44799 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44801 atomic_t *v = (atomic_t *)l;
44802 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
44803 return (long)atomic_inc_return(v);
44806 +#ifdef CONFIG_PAX_REFCOUNT
44807 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44809 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44811 + return (long)atomic_inc_return_unchecked(v);
44815 static inline long atomic_long_dec_return(atomic_long_t *l)
44817 atomic_t *v = (atomic_t *)l;
44818 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
44820 #endif /* BITS_PER_LONG == 64 */
44822 +#ifdef CONFIG_PAX_REFCOUNT
44823 +static inline void pax_refcount_needs_these_functions(void)
44825 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
44826 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
44827 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
44828 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
44829 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
44830 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
44831 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
44833 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
44834 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
44835 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
44836 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
44837 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
44838 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
44839 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
44842 +#define atomic_read_unchecked(v) atomic_read(v)
44843 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
44844 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
44845 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
44846 +#define atomic_inc_unchecked(v) atomic_inc(v)
44847 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
44848 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
44850 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
44851 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
44852 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
44853 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
44854 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
44855 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
44856 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
44859 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
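Review bot: pax_refcount_needs_these_functions() is never called and passes NULL to every *_unchecked helper, yet nothing says that its only job is to turn a missing arch implementation into a build error, so a reader will take the NULL arguments for a bug. Add above the definition `/* Never called: referencing every *_unchecked helper here makes an arch that fails to implement one a compile error instead of a silent fallback to the checked variant. */`. The fallback defines that follow (atomic_read_unchecked → atomic_read and so on) are the branch most builds will actually see and deserve their own one-liner, e.g. `/* !CONFIG_PAX_REFCOUNT: no overflow checking anywhere, so unchecked == checked. */`.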
44860 diff -urNp linux-2.6.38.1/include/asm-generic/dma-mapping-common.h linux-2.6.38.1-new/include/asm-generic/dma-mapping-common.h
44861 --- linux-2.6.38.1/include/asm-generic/dma-mapping-common.h 2011-03-14 21:20:32.000000000 -0400
44862 +++ linux-2.6.38.1-new/include/asm-generic/dma-mapping-common.h 2011-03-21 18:31:35.000000000 -0400
44863 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
44864 enum dma_data_direction dir,
44865 struct dma_attrs *attrs)
44867 - struct dma_map_ops *ops = get_dma_ops(dev);
44868 + const struct dma_map_ops *ops = get_dma_ops(dev);
44871 kmemcheck_mark_initialized(ptr, size);
44872 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
44873 enum dma_data_direction dir,
44874 struct dma_attrs *attrs)
44876 - struct dma_map_ops *ops = get_dma_ops(dev);
44877 + const struct dma_map_ops *ops = get_dma_ops(dev);
44879 BUG_ON(!valid_dma_direction(dir));
44880 if (ops->unmap_page)
44881 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
44882 int nents, enum dma_data_direction dir,
44883 struct dma_attrs *attrs)
44885 - struct dma_map_ops *ops = get_dma_ops(dev);
44886 + const struct dma_map_ops *ops = get_dma_ops(dev);
44888 struct scatterlist *s;
44890 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
44891 int nents, enum dma_data_direction dir,
44892 struct dma_attrs *attrs)
44894 - struct dma_map_ops *ops = get_dma_ops(dev);
44895 + const struct dma_map_ops *ops = get_dma_ops(dev);
44897 BUG_ON(!valid_dma_direction(dir));
44898 debug_dma_unmap_sg(dev, sg, nents, dir);
44899 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
44900 size_t offset, size_t size,
44901 enum dma_data_direction dir)
44903 - struct dma_map_ops *ops = get_dma_ops(dev);
44904 + const struct dma_map_ops *ops = get_dma_ops(dev);
44907 kmemcheck_mark_initialized(page_address(page) + offset, size);
44908 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
44909 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
44910 size_t size, enum dma_data_direction dir)
44912 - struct dma_map_ops *ops = get_dma_ops(dev);
44913 + const struct dma_map_ops *ops = get_dma_ops(dev);
44915 BUG_ON(!valid_dma_direction(dir));
44916 if (ops->unmap_page)
44917 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
44919 enum dma_data_direction dir)
44921 - struct dma_map_ops *ops = get_dma_ops(dev);
44922 + const struct dma_map_ops *ops = get_dma_ops(dev);
44924 BUG_ON(!valid_dma_direction(dir));
44925 if (ops->sync_single_for_cpu)
44926 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
44927 dma_addr_t addr, size_t size,
44928 enum dma_data_direction dir)
44930 - struct dma_map_ops *ops = get_dma_ops(dev);
44931 + const struct dma_map_ops *ops = get_dma_ops(dev);
44933 BUG_ON(!valid_dma_direction(dir));
44934 if (ops->sync_single_for_device)
44935 @@ -139,7 +139,7 @@ static inline void
44936 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
44937 int nelems, enum dma_data_direction dir)
44939 - struct dma_map_ops *ops = get_dma_ops(dev);
44940 + const struct dma_map_ops *ops = get_dma_ops(dev);
44942 BUG_ON(!valid_dma_direction(dir));
44943 if (ops->sync_sg_for_cpu)
44944 @@ -151,7 +151,7 @@ static inline void
44945 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
44946 int nelems, enum dma_data_direction dir)
44948 - struct dma_map_ops *ops = get_dma_ops(dev);
44949 + const struct dma_map_ops *ops = get_dma_ops(dev);
44951 BUG_ON(!valid_dma_direction(dir));
44952 if (ops->sync_sg_for_device)
44953 diff -urNp linux-2.6.38.1/include/asm-generic/futex.h linux-2.6.38.1-new/include/asm-generic/futex.h
44954 --- linux-2.6.38.1/include/asm-generic/futex.h 2011-03-14 21:20:32.000000000 -0400
44955 +++ linux-2.6.38.1-new/include/asm-generic/futex.h 2011-03-21 18:31:35.000000000 -0400
44957 #include <asm/errno.h>
44960 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
44961 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
44963 int op = (encoded_op >> 28) & 7;
44964 int cmp = (encoded_op >> 24) & 15;
44965 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
44969 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
44970 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
44974 diff -urNp linux-2.6.38.1/include/asm-generic/int-l64.h linux-2.6.38.1-new/include/asm-generic/int-l64.h
44975 --- linux-2.6.38.1/include/asm-generic/int-l64.h 2011-03-14 21:20:32.000000000 -0400
44976 +++ linux-2.6.38.1-new/include/asm-generic/int-l64.h 2011-03-21 18:31:35.000000000 -0400
44977 @@ -46,6 +46,8 @@ typedef unsigned int u32;
44978 typedef signed long s64;
44979 typedef unsigned long u64;
44981 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
44984 #define U8_C(x) x ## U
44986 diff -urNp linux-2.6.38.1/include/asm-generic/int-ll64.h linux-2.6.38.1-new/include/asm-generic/int-ll64.h
44987 --- linux-2.6.38.1/include/asm-generic/int-ll64.h 2011-03-14 21:20:32.000000000 -0400
44988 +++ linux-2.6.38.1-new/include/asm-generic/int-ll64.h 2011-03-21 18:31:35.000000000 -0400
44989 @@ -51,6 +51,8 @@ typedef unsigned int u32;
44990 typedef signed long long s64;
44991 typedef unsigned long long u64;
44993 +typedef unsigned long long intoverflow_t;
44996 #define U8_C(x) x ## U
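Review bot: `typedef unsigned long long intoverflow_t;` is only 64 bits wide, but int-ll64.h is also the header used by 64-bit architectures that define u64 as unsigned long long (x86_64 among them), where size_t is 64 bits too, so a product of two size_t values can wrap inside intoverflow_t before any comparison sees it. The int-l64.h counterpart in the previous hunk uses `unsigned int __attribute__((mode(TI)))`, i.e. a 128-bit type, presumably for exactly that reason. Unless the consumer (not in this chunk — from the name, an allocation-size overflow check) never multiplies 64-bit operands, this header should select the mode(TI) type under CONFIG_64BIT and keep `unsigned long long` only for 32-bit builds. A comment stating the invariant, `/* must be wide enough to hold size_t * size_t without wrapping */`, would make later type changes checkable.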
44998 diff -urNp linux-2.6.38.1/include/asm-generic/kmap_types.h linux-2.6.38.1-new/include/asm-generic/kmap_types.h
44999 --- linux-2.6.38.1/include/asm-generic/kmap_types.h 2011-03-14 21:20:32.000000000 -0400
45000 +++ linux-2.6.38.1-new/include/asm-generic/kmap_types.h 2011-03-21 18:31:35.000000000 -0400
45001 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
45003 KMAP_D(18) KM_NMI_PTE,
45005 +KMAP_D(20) KM_CLEARPAGE,
45007 * Remember to update debug_kmap_atomic() when adding new kmap types!
45009 -KMAP_D(20) KM_TYPE_NR
45010 +KMAP_D(21) KM_TYPE_NR
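Review bot: the comment directly above `KMAP_D(21) KM_TYPE_NR` asks for debug_kmap_atomic() to be updated whenever a kmap type is added, and this hunk adds KM_CLEARPAGE at slot 20 without that update being visible; if the corresponding table (presumably in mm/highmem.c) is not extended elsewhere in the series, the new type will be reported under whatever slot 20 meant before. Worth confirming in the rest of the patch, and a trailing comment on the new line saying what uses it (from the name, a page-clearing path) would tell the next person why the slot exists.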
45014 diff -urNp linux-2.6.38.1/include/asm-generic/pgtable.h linux-2.6.38.1-new/include/asm-generic/pgtable.h
45015 --- linux-2.6.38.1/include/asm-generic/pgtable.h 2011-03-14 21:20:32.000000000 -0400
45016 +++ linux-2.6.38.1-new/include/asm-generic/pgtable.h 2011-03-21 18:31:35.000000000 -0400
45017 @@ -447,6 +447,14 @@ static inline int pmd_write(pmd_t pmd)
45018 #endif /* __HAVE_ARCH_PMD_WRITE */
45021 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
45022 +static inline unsigned long pax_open_kernel(void) { return 0; }
45025 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
45026 +static inline unsigned long pax_close_kernel(void) { return 0; }
45029 #endif /* !__ASSEMBLY__ */
45031 #endif /* _ASM_GENERIC_PGTABLE_H */
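Review bot: the fallback `pax_open_kernel()` / `pax_close_kernel()` pair does nothing and returns 0, but carries no comment, so a reader cannot tell whether this is a stub awaiting an arch implementation or the intended semantics for architectures without `__HAVE_ARCH_PAX_OPEN_KERNEL`. Add `/* Defaults for architectures that provide no kernel write-protection toggling: no-ops, and the returned value carries no state a caller needs. */`. Since the `unsigned long` return suggests arch versions hand back something meaningful, the comment should also say that callers must not rely on the fallback's 0 having a meaning.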
45032 diff -urNp linux-2.6.38.1/include/asm-generic/pgtable-nopmd.h linux-2.6.38.1-new/include/asm-generic/pgtable-nopmd.h
45033 --- linux-2.6.38.1/include/asm-generic/pgtable-nopmd.h 2011-03-14 21:20:32.000000000 -0400
45034 +++ linux-2.6.38.1-new/include/asm-generic/pgtable-nopmd.h 2011-03-21 18:31:35.000000000 -0400
45036 #ifndef _PGTABLE_NOPMD_H
45037 #define _PGTABLE_NOPMD_H
45039 -#ifndef __ASSEMBLY__
45041 #include <asm-generic/pgtable-nopud.h>
45045 #define __PAGETABLE_PMD_FOLDED
45047 +#define PMD_SHIFT PUD_SHIFT
45048 +#define PTRS_PER_PMD 1
45049 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
45050 +#define PMD_MASK (~(PMD_SIZE-1))
45052 +#ifndef __ASSEMBLY__
45057 * Having the pmd type consist of a pud gets the size right, and allows
45058 * us to conceptually access the pud entry that this pmd is folded into
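Review bot: the relocated `PMD_SIZE` now expands `_AC(1,UL)` so it is usable from assembly, but `_AC` comes from linux/const.h and the only include visible in this header is asm-generic/pgtable-nopud.h; an assembly file that includes this header before asm/page.h (which normally pulls const.h in) will get an undefined `_AC`. Either add `#include <linux/const.h>` next to the existing include or note `/* _AC: callers must include <linux/const.h>, normally via asm/page.h */`. The same applies to the parallel PUD_SIZE change in pgtable-nopud.h below.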
45059 @@ -16,11 +21,6 @@ struct mm_struct;
45061 typedef struct { pud_t pud; } pmd_t;
45063 -#define PMD_SHIFT PUD_SHIFT
45064 -#define PTRS_PER_PMD 1
45065 -#define PMD_SIZE (1UL << PMD_SHIFT)
45066 -#define PMD_MASK (~(PMD_SIZE-1))
45069 * The "pud_xxx()" functions here are trivial for a folded two-level
45070 * setup: the pmd is never bad, and a pmd always exists (as it's folded
45071 diff -urNp linux-2.6.38.1/include/asm-generic/pgtable-nopud.h linux-2.6.38.1-new/include/asm-generic/pgtable-nopud.h
45072 --- linux-2.6.38.1/include/asm-generic/pgtable-nopud.h 2011-03-14 21:20:32.000000000 -0400
45073 +++ linux-2.6.38.1-new/include/asm-generic/pgtable-nopud.h 2011-03-21 18:31:35.000000000 -0400
45075 #ifndef _PGTABLE_NOPUD_H
45076 #define _PGTABLE_NOPUD_H
45078 -#ifndef __ASSEMBLY__
45080 #define __PAGETABLE_PUD_FOLDED
45082 +#define PUD_SHIFT PGDIR_SHIFT
45083 +#define PTRS_PER_PUD 1
45084 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
45085 +#define PUD_MASK (~(PUD_SIZE-1))
45087 +#ifndef __ASSEMBLY__
45090 * Having the pud type consist of a pgd gets the size right, and allows
45091 * us to conceptually access the pgd entry that this pud is folded into
45094 typedef struct { pgd_t pgd; } pud_t;
45096 -#define PUD_SHIFT PGDIR_SHIFT
45097 -#define PTRS_PER_PUD 1
45098 -#define PUD_SIZE (1UL << PUD_SHIFT)
45099 -#define PUD_MASK (~(PUD_SIZE-1))
45102 * The "pgd_xxx()" functions here are trivial for a folded two-level
45103 * setup: the pud is never bad, and a pud always exists (as it's folded
45104 diff -urNp linux-2.6.38.1/include/asm-generic/vmlinux.lds.h linux-2.6.38.1-new/include/asm-generic/vmlinux.lds.h
45105 --- linux-2.6.38.1/include/asm-generic/vmlinux.lds.h 2011-03-14 21:20:32.000000000 -0400
45106 +++ linux-2.6.38.1-new/include/asm-generic/vmlinux.lds.h 2011-03-21 18:31:35.000000000 -0400
45107 @@ -213,6 +213,7 @@
45108 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
45109 VMLINUX_SYMBOL(__start_rodata) = .; \
45110 *(.rodata) *(.rodata.*) \
45111 + *(.data..read_only) \
45112 *(__vermagic) /* Kernel version magic */ \
45114 VMLINUX_SYMBOL(__start___tracepoints_ptrs) = .; \
45115 @@ -696,14 +697,15 @@
45116 * section in the linker script will go there too. @phdr should have
45119 - * Note that this macros defines __per_cpu_load as an absolute symbol.
45120 + * Note that this macros defines per_cpu_load as an absolute symbol.
45121 * If there is no need to put the percpu section at a predetermined
45122 * address, use PERCPU().
45124 #define PERCPU_VADDR(vaddr, phdr) \
45125 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
45126 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
45127 + per_cpu_load = .; \
45128 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
45130 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
45131 VMLINUX_SYMBOL(__per_cpu_start) = .; \
45132 *(.data..percpu..first) \
45133 . = ALIGN(PAGE_SIZE); \
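Review bot: `VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load;` is now evaluated inside the output section, where `.` equals `vaddr`, so `__per_cpu_load` becomes section-relative and is still the load address only when `vaddr` is 0; for any PERCPU_VADDR user with a non-zero vaddr its value silently shifts by that amount. The updated comment only says `per_cpu_load` is absolute and does not mention this. Add after it `/* __per_cpu_load is defined inside the section so it relocates with it; it equals the load address only because every PERCPU_VADDR user passes vaddr == 0 */`, or make the dependency explicit with an `ASSERT(vaddr == 0, ...)`. Presumably relocating with the section is the aim; confirm that, and that no non-zero-vaddr caller exists.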
45134 @@ -713,7 +715,7 @@
45135 *(.data..percpu..shared_aligned) \
45136 VMLINUX_SYMBOL(__per_cpu_end) = .; \
45138 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
45139 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
45142 * PERCPU - define output section for percpu area, simple version
45143 diff -urNp linux-2.6.38.1/include/drm/drm_pciids.h linux-2.6.38.1-new/include/drm/drm_pciids.h
45144 --- linux-2.6.38.1/include/drm/drm_pciids.h 2011-03-14 21:20:32.000000000 -0400
45145 +++ linux-2.6.38.1-new/include/drm/drm_pciids.h 2011-03-21 18:31:35.000000000 -0400
45146 @@ -458,7 +458,7 @@
45147 {0x1002, 0x9803, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45148 {0x1002, 0x9804, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45149 {0x1002, 0x9805, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_PALM|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
45151 + {0, 0, 0, 0, 0, 0}
45153 #define r128_PCI_IDS \
45154 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45155 @@ -498,14 +498,14 @@
45156 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45157 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45158 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45160 + {0, 0, 0, 0, 0, 0}
45162 #define mga_PCI_IDS \
45163 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45164 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
45165 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
45166 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
45168 + {0, 0, 0, 0, 0, 0}
45170 #define mach64_PCI_IDS \
45171 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45172 @@ -528,7 +528,7 @@
45173 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45174 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45175 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45177 + {0, 0, 0, 0, 0, 0}
45179 #define sisdrv_PCI_IDS \
45180 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45181 @@ -539,7 +539,7 @@
45182 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45183 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45184 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
45186 + {0, 0, 0, 0, 0, 0}
45188 #define tdfx_PCI_IDS \
45189 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45190 @@ -548,7 +548,7 @@
45191 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45192 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45193 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45195 + {0, 0, 0, 0, 0, 0}
45197 #define viadrv_PCI_IDS \
45198 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45199 @@ -560,14 +560,14 @@
45200 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45201 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
45202 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
45204 + {0, 0, 0, 0, 0, 0}
45206 #define i810_PCI_IDS \
45207 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45208 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45209 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45210 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45212 + {0, 0, 0, 0, 0, 0}
45214 #define i830_PCI_IDS \
45215 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45216 @@ -575,11 +575,11 @@
45217 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45218 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45219 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45221 + {0, 0, 0, 0, 0, 0}
45223 #define gamma_PCI_IDS \
45224 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
45226 + {0, 0, 0, 0, 0, 0}
45228 #define savage_PCI_IDS \
45229 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
45230 @@ -605,10 +605,10 @@
45231 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
45232 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45233 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
45235 + {0, 0, 0, 0, 0, 0}
45237 #define ffb_PCI_IDS \
45239 + {0, 0, 0, 0, 0, 0}
45241 #define i915_PCI_IDS \
45242 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45243 @@ -642,4 +642,4 @@
45244 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45245 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45246 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
45248 + {0, 0, 0, 0, 0, 0}
45249 diff -urNp linux-2.6.38.1/include/drm/drmP.h linux-2.6.38.1-new/include/drm/drmP.h
45250 --- linux-2.6.38.1/include/drm/drmP.h 2011-03-14 21:20:32.000000000 -0400
45251 +++ linux-2.6.38.1-new/include/drm/drmP.h 2011-03-21 18:31:35.000000000 -0400
45253 #include <linux/workqueue.h>
45254 #include <linux/poll.h>
45255 #include <asm/pgalloc.h>
45256 +#include <asm/local.h>
45259 #include <linux/idr.h>
45260 @@ -881,7 +882,7 @@ struct drm_driver {
45261 void (*vgaarb_irq)(struct drm_device *dev, bool state);
45263 /* Driver private ops for this object */
45264 - struct vm_operations_struct *gem_vm_ops;
45265 + const struct vm_operations_struct *gem_vm_ops;
45269 @@ -894,7 +895,7 @@ struct drm_driver {
45271 struct drm_ioctl_desc *ioctls;
45273 - struct file_operations fops;
45274 + const struct file_operations fops;
45275 struct pci_driver pci_driver;
45276 struct platform_device *platform_device;
45277 /* List of devices hanging off this driver */
45278 @@ -991,7 +992,7 @@ struct drm_device {
45280 /** \name Usage Counters */
45282 - int open_count; /**< Outstanding files open */
45283 + local_t open_count; /**< Outstanding files open */
45284 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
45285 atomic_t vma_count; /**< Outstanding vma areas open */
45286 int buf_use; /**< Buffers in use -- cannot alloc */
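Review bot: `local_t open_count` replaces a plain int for a counter that is per-device, not per-CPU; local_t guarantees atomicity only against the CPU that owns the variable (Documentation/local_ops.txt), so it does not cover two CPUs opening the same device concurrently. If open_count is always updated under the DRM global mutex, plain int was already correct and local_t adds nothing; if it is not, atomic_t (or atomic_unchecked_t, as `counts[]` in the next hunk uses) is the type that actually provides cross-CPU atomicity. The neighbouring `ioctl_count` and `vma_count` stay atomic_t, which makes the odd one out more conspicuous; a comment naming the lock, if any, that protects open_count would settle it.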
45287 @@ -1002,7 +1003,7 @@ struct drm_device {
45289 unsigned long counters;
45290 enum drm_stat_type types[15];
45291 - atomic_t counts[15];
45292 + atomic_unchecked_t counts[15];
45295 struct list_head filelist;
45296 @@ -1101,7 +1102,7 @@ struct drm_device {
45297 struct platform_device *platformdev; /**< Platform device struture */
45299 struct drm_sg_mem *sg; /**< Scatter gather memory */
45300 - unsigned int num_crtcs; /**< Number of CRTCs on this device */
45301 + unsigned int num_crtcs; /**< Number of CRTCs on this device */
45302 void *dev_private; /**< device private data */
45304 struct address_space *dev_mapping;
45305 diff -urNp linux-2.6.38.1/include/linux/a.out.h linux-2.6.38.1-new/include/linux/a.out.h
45306 --- linux-2.6.38.1/include/linux/a.out.h 2011-03-14 21:20:32.000000000 -0400
45307 +++ linux-2.6.38.1-new/include/linux/a.out.h 2011-03-21 18:31:35.000000000 -0400
45308 @@ -39,6 +39,14 @@ enum machine_type {
45309 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
45312 +/* Constants for the N_FLAGS field */
45313 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45314 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
45315 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
45316 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
45317 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45318 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45320 #if !defined (N_MAGIC)
45321 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
45323 diff -urNp linux-2.6.38.1/include/linux/atmdev.h linux-2.6.38.1-new/include/linux/atmdev.h
45324 --- linux-2.6.38.1/include/linux/atmdev.h 2011-03-14 21:20:32.000000000 -0400
45325 +++ linux-2.6.38.1-new/include/linux/atmdev.h 2011-03-21 18:31:35.000000000 -0400
45326 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
45329 struct k_atm_aal_stats {
45330 -#define __HANDLE_ITEM(i) atomic_t i
45331 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
45333 #undef __HANDLE_ITEM
45335 diff -urNp linux-2.6.38.1/include/linux/binfmts.h linux-2.6.38.1-new/include/linux/binfmts.h
45336 --- linux-2.6.38.1/include/linux/binfmts.h 2011-03-14 21:20:32.000000000 -0400
45337 +++ linux-2.6.38.1-new/include/linux/binfmts.h 2011-03-21 18:31:35.000000000 -0400
45338 @@ -92,6 +92,7 @@ struct linux_binfmt {
45339 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
45340 int (*load_shlib)(struct file *);
45341 int (*core_dump)(struct coredump_params *cprm);
45342 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
45343 unsigned long min_coredump; /* minimal dump size */
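Review bot: the new `handle_mprotect` callback is added to struct linux_binfmt without a comment, although it is the one member whose contract is not obvious from its name: when it is invoked, whether `newflags` holds the requested or the resulting vm_flags, and whether a binfmt may leave it NULL. Add `/* optional; called when a VMA's protection is about to change, newflags = prospective vm_flags; may be NULL */` once the call site (presumably the mprotect() path, going by the name) confirms the NULL handling and the meaning of newflags. Inserting it mid-struct is harmless only because in-tree binfmts use designated initializers; an out-of-tree positional initializer would now put its min_coredump into this slot.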
45346 diff -urNp linux-2.6.38.1/include/linux/blkdev.h linux-2.6.38.1-new/include/linux/blkdev.h
45347 --- linux-2.6.38.1/include/linux/blkdev.h 2011-03-14 21:20:32.000000000 -0400
45348 +++ linux-2.6.38.1-new/include/linux/blkdev.h 2011-03-21 18:31:35.000000000 -0400
45349 @@ -1247,22 +1247,22 @@ queue_max_integrity_segments(struct requ
45350 #endif /* CONFIG_BLK_DEV_INTEGRITY */
45352 struct block_device_operations {
45353 - int (*open) (struct block_device *, fmode_t);
45354 - int (*release) (struct gendisk *, fmode_t);
45355 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45356 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45357 - int (*direct_access) (struct block_device *, sector_t,
45358 + int (* const open) (struct block_device *, fmode_t);
45359 + int (* const release) (struct gendisk *, fmode_t);
45360 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45361 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45362 + int (* const direct_access) (struct block_device *, sector_t,
45363 void **, unsigned long *);
45364 - unsigned int (*check_events) (struct gendisk *disk,
45365 + unsigned int (* const check_events) (struct gendisk *disk,
45366 unsigned int clearing);
45367 /* ->media_changed() is DEPRECATED, use ->check_events() instead */
45368 - int (*media_changed) (struct gendisk *);
45369 - void (*unlock_native_capacity) (struct gendisk *);
45370 - int (*revalidate_disk) (struct gendisk *);
45371 - int (*getgeo)(struct block_device *, struct hd_geometry *);
45372 + int (* const media_changed) (struct gendisk *);
45373 + void (* const unlock_native_capacity) (struct gendisk *);
45374 + int (* const revalidate_disk) (struct gendisk *);
45375 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
45376 /* this callback is with swap_lock and sometimes page table lock held */
45377 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
45378 - struct module *owner;
45379 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
45380 + struct module * const owner;
45383 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
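Review bot: qualifying every member of `struct block_device_operations` as `const` only blocks assignment through the struct type at compile time; an instance that is not itself declared `const` (or placed in a read-only section) still lives in writable .data, so the function pointers remain overwritable at runtime and the hardening only materialises where the definitions are also `const`. A comment on the struct, `/* all members const: instances must be defined const so they land in .rodata; fill them with designated initializers, not at runtime */`, would make that contract explicit. Since `owner` is const as well, any driver that fills these ops at runtime will no longer compile — presumably intended, but the tree-wide fallout is not visible here.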
45384 diff -urNp linux-2.6.38.1/include/linux/byteorder/little_endian.h linux-2.6.38.1-new/include/linux/byteorder/little_endian.h
45385 --- linux-2.6.38.1/include/linux/byteorder/little_endian.h 2011-03-14 21:20:32.000000000 -0400
45386 +++ linux-2.6.38.1-new/include/linux/byteorder/little_endian.h 2011-03-21 18:31:35.000000000 -0400
45387 @@ -42,51 +42,51 @@
45389 static inline __le64 __cpu_to_le64p(const __u64 *p)
45391 - return (__force __le64)*p;
45392 + return (__force const __le64)*p;
45394 static inline __u64 __le64_to_cpup(const __le64 *p)
45396 - return (__force __u64)*p;
45397 + return (__force const __u64)*p;
45399 static inline __le32 __cpu_to_le32p(const __u32 *p)
45401 - return (__force __le32)*p;
45402 + return (__force const __le32)*p;
45404 static inline __u32 __le32_to_cpup(const __le32 *p)
45406 - return (__force __u32)*p;
45407 + return (__force const __u32)*p;
45409 static inline __le16 __cpu_to_le16p(const __u16 *p)
45411 - return (__force __le16)*p;
45412 + return (__force const __le16)*p;
45414 static inline __u16 __le16_to_cpup(const __le16 *p)
45416 - return (__force __u16)*p;
45417 + return (__force const __u16)*p;
45419 static inline __be64 __cpu_to_be64p(const __u64 *p)
45421 - return (__force __be64)__swab64p(p);
45422 + return (__force const __be64)__swab64p(p);
45424 static inline __u64 __be64_to_cpup(const __be64 *p)
45426 - return __swab64p((__u64 *)p);
45427 + return __swab64p((const __u64 *)p);
45429 static inline __be32 __cpu_to_be32p(const __u32 *p)
45431 - return (__force __be32)__swab32p(p);
45432 + return (__force const __be32)__swab32p(p);
45434 static inline __u32 __be32_to_cpup(const __be32 *p)
45436 - return __swab32p((__u32 *)p);
45437 + return __swab32p((const __u32 *)p);
45439 static inline __be16 __cpu_to_be16p(const __u16 *p)
45441 - return (__force __be16)__swab16p(p);
45442 + return (__force const __be16)__swab16p(p);
45444 static inline __u16 __be16_to_cpup(const __be16 *p)
45446 - return __swab16p((__u16 *)p);
45447 + return __swab16p((const __u16 *)p);
45449 #define __cpu_to_le64s(x) do { (void)(x); } while (0)
45450 #define __le64_to_cpus(x) do { (void)(x); } while (0)
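Review bot: the `const` added inside the scalar casts, e.g. `return (__force const __le64)*p;`, has no effect — a cast yields an rvalue and C drops qualifiers on the result (C99 6.5.4) — so the first six changes in this hunk are no-ops that only invite "qualifiers ignored" warnings. The last six, `__swab64p((const __u64 *)p)` and friends, are the real fix: they stop casting away the pointer's const. Drop the rvalue `const`s and keep the pointer ones.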
45451 diff -urNp linux-2.6.38.1/include/linux/cache.h linux-2.6.38.1-new/include/linux/cache.h
45452 --- linux-2.6.38.1/include/linux/cache.h 2011-03-14 21:20:32.000000000 -0400
45453 +++ linux-2.6.38.1-new/include/linux/cache.h 2011-03-21 18:31:35.000000000 -0400
45455 #define __read_mostly
45458 +#ifndef __read_only
45459 +#define __read_only __read_mostly
45462 #ifndef ____cacheline_aligned
45463 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
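Review bot: `#define __read_only __read_mostly` silently degrades on every architecture that does not define `__read_only` itself: data annotated as read-only then goes wherever `__read_mostly` puts it — and this same header defines `__read_mostly` as empty when the arch has none, i.e. ordinary writable data — while the vmlinux.lds.h change only protects a `.data..read_only` section that such an arch never emits. The fallback needs a comment so nobody assumes the annotation enforces anything, e.g. `/* Fallback: architectures without a .data..read_only section keep these objects writable; only the section placement, not this macro, provides protection. */`.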
45465 diff -urNp linux-2.6.38.1/include/linux/capability.h linux-2.6.38.1-new/include/linux/capability.h
45466 --- linux-2.6.38.1/include/linux/capability.h 2011-03-14 21:20:32.000000000 -0400
45467 +++ linux-2.6.38.1-new/include/linux/capability.h 2011-03-21 18:31:35.000000000 -0400
45468 @@ -561,6 +561,7 @@ extern const kernel_cap_t __cap_init_eff
45469 (security_real_capable_noaudit((t), (cap)) == 0)
45471 extern int capable(int cap);
45472 +int capable_nolog(int cap);
45474 /* audit system wants to get cap info from files as well */
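Review bot: `int capable_nolog(int cap);` is declared without `extern` directly under `extern int capable(int cap);` and without any comment on how the two differ, so the only visible distinction is the name. Make it `extern int capable_nolog(int cap);` for consistency and add `/* like capable(), but a denied check is not logged — for probes expected to fail */` once the definition confirms that is the behaviour (the name implies it; the header does not show it).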
45476 diff -urNp linux-2.6.38.1/include/linux/compiler-gcc4.h linux-2.6.38.1-new/include/linux/compiler-gcc4.h
45477 --- linux-2.6.38.1/include/linux/compiler-gcc4.h 2011-03-14 21:20:32.000000000 -0400
45478 +++ linux-2.6.38.1-new/include/linux/compiler-gcc4.h 2011-03-21 18:31:35.000000000 -0400
45483 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
45484 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
45485 +#define __bos0(ptr) __bos((ptr), 0)
45486 +#define __bos1(ptr) __bos((ptr), 1)
45489 #if __GNUC_MINOR__ > 0
45490 diff -urNp linux-2.6.38.1/include/linux/compiler.h linux-2.6.38.1-new/include/linux/compiler.h
45491 --- linux-2.6.38.1/include/linux/compiler.h 2011-03-14 21:20:32.000000000 -0400
45492 +++ linux-2.6.38.1-new/include/linux/compiler.h 2011-03-21 18:31:35.000000000 -0400
45493 @@ -273,6 +273,22 @@ void ftrace_likely_update(struct ftrace_
45497 +#ifndef __alloc_size
45498 +#define __alloc_size
45513 /* Simple shorthand for a section definition */
45515 # define __section(S) __attribute__ ((__section__(#S)))
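Review bot: the fallback `#define __alloc_size` is an object-like macro, while compiler-gcc4.h in the previous hunk defines a function-like `__alloc_size(...)`; if the fallback really is the empty object-like form shown (the rest of this hunk is not rendered here), then a use such as `__alloc_size(1)` expands to a stray `(1)` on any compiler that does not take the gcc4 path and breaks the build instead of degrading quietly. Define the fallback as `#define __alloc_size(...)` so the argument list is swallowed, and do the same for the `__bos*` fallbacks if they are object-like too.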
45516 @@ -306,6 +322,7 @@ void ftrace_likely_update(struct ftrace_
45517 * use is to mediate communication between process-level code and irq/NMI
45518 * handlers, all running on the same CPU.
45520 -#define ACCESS_ONCE(x) (*(volatile typeof(x) *)&(x))
45521 +#define ACCESS_ONCE(x) (*(volatile const typeof(x) *)&(x))
45522 +#define ACCESS_ONCE_RW(x) (*(volatile typeof(x) *)&(x))
45524 #endif /* __LINUX_COMPILER_H */
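Review bot: `ACCESS_ONCE(x)` now yields a `volatile const` lvalue, so a store through it is a compile error, and `ACCESS_ONCE_RW` is the new spelling for stores — but the comment block right above, which still describes ACCESS_ONCE as the general tool for process/irq communication, is not updated to say so. Add to it `Since ACCESS_ONCE() now yields a const lvalue it can only be used for loads; use ACCESS_ONCE_RW() where the value is written.` so an out-of-tree `ACCESS_ONCE(x) = v` failure is understood as intended rather than as a bug.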
45525 diff -urNp linux-2.6.38.1/include/linux/cpuset.h linux-2.6.38.1-new/include/linux/cpuset.h
45526 --- linux-2.6.38.1/include/linux/cpuset.h 2011-03-14 21:20:32.000000000 -0400
45527 +++ linux-2.6.38.1-new/include/linux/cpuset.h 2011-03-21 18:31:35.000000000 -0400
45528 @@ -118,7 +118,7 @@ static inline void put_mems_allowed(void
45532 - --ACCESS_ONCE(current->mems_allowed_change_disable);
45533 + --ACCESS_ONCE_RW(current->mems_allowed_change_disable);
45536 static inline void set_mems_allowed(nodemask_t nodemask)
45537 diff -urNp linux-2.6.38.1/include/linux/decompress/mm.h linux-2.6.38.1-new/include/linux/decompress/mm.h
45538 --- linux-2.6.38.1/include/linux/decompress/mm.h 2011-03-14 21:20:32.000000000 -0400
45539 +++ linux-2.6.38.1-new/include/linux/decompress/mm.h 2011-03-21 18:31:35.000000000 -0400
45540 @@ -77,7 +77,7 @@ static void free(void *where)
45541 * warnings when not needed (indeed large_malloc / large_free are not
45542 * needed by inflate */
45544 -#define malloc(a) kmalloc(a, GFP_KERNEL)
45545 +#define malloc(a) kmalloc((a), GFP_KERNEL)
45546 #define free(a) kfree(a)
45548 #define large_malloc(a) vmalloc(a)
45549 diff -urNp linux-2.6.38.1/include/linux/dma-mapping.h linux-2.6.38.1-new/include/linux/dma-mapping.h
45550 --- linux-2.6.38.1/include/linux/dma-mapping.h 2011-03-14 21:20:32.000000000 -0400
45551 +++ linux-2.6.38.1-new/include/linux/dma-mapping.h 2011-03-21 18:31:35.000000000 -0400
45552 @@ -16,40 +16,40 @@ enum dma_data_direction {
45555 struct dma_map_ops {
45556 - void* (*alloc_coherent)(struct device *dev, size_t size,
45557 + void* (* const alloc_coherent)(struct device *dev, size_t size,
45558 dma_addr_t *dma_handle, gfp_t gfp);
45559 - void (*free_coherent)(struct device *dev, size_t size,
45560 + void (* const free_coherent)(struct device *dev, size_t size,
45561 void *vaddr, dma_addr_t dma_handle);
45562 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
45563 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
45564 unsigned long offset, size_t size,
45565 enum dma_data_direction dir,
45566 struct dma_attrs *attrs);
45567 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
45568 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
45569 size_t size, enum dma_data_direction dir,
45570 struct dma_attrs *attrs);
45571 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
45572 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
45573 int nents, enum dma_data_direction dir,
45574 struct dma_attrs *attrs);
45575 - void (*unmap_sg)(struct device *dev,
45576 + void (* const unmap_sg)(struct device *dev,
45577 struct scatterlist *sg, int nents,
45578 enum dma_data_direction dir,
45579 struct dma_attrs *attrs);
45580 - void (*sync_single_for_cpu)(struct device *dev,
45581 + void (* const sync_single_for_cpu)(struct device *dev,
45582 dma_addr_t dma_handle, size_t size,
45583 enum dma_data_direction dir);
45584 - void (*sync_single_for_device)(struct device *dev,
45585 + void (* const sync_single_for_device)(struct device *dev,
45586 dma_addr_t dma_handle, size_t size,
45587 enum dma_data_direction dir);
45588 - void (*sync_sg_for_cpu)(struct device *dev,
45589 + void (* const sync_sg_for_cpu)(struct device *dev,
45590 struct scatterlist *sg, int nents,
45591 enum dma_data_direction dir);
45592 - void (*sync_sg_for_device)(struct device *dev,
45593 + void (* const sync_sg_for_device)(struct device *dev,
45594 struct scatterlist *sg, int nents,
45595 enum dma_data_direction dir);
45596 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
45597 - int (*dma_supported)(struct device *dev, u64 mask);
45598 - int (*set_dma_mask)(struct device *dev, u64 mask);
45600 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
45601 + int (* const dma_supported)(struct device *dev, u64 mask);
45602 + int (* set_dma_mask)(struct device *dev, u64 mask);
45603 + const int is_phys;
45606 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
45607 diff -urNp linux-2.6.38.1/include/linux/elf.h linux-2.6.38.1-new/include/linux/elf.h
45608 --- linux-2.6.38.1/include/linux/elf.h 2011-03-14 21:20:32.000000000 -0400
45609 +++ linux-2.6.38.1-new/include/linux/elf.h 2011-03-21 18:31:35.000000000 -0400
45610 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
45611 #define PT_GNU_EH_FRAME 0x6474e550
45613 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
45614 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
45616 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
45618 +/* Constants for the e_flags field */
45619 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45620 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
45621 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
45622 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
45623 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45624 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45627 * Extended Numbering
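Review bot: The new `PT_PAX_FLAGS` and `EF_PAX_*` constants (lines 45616–45624) carry no comment saying what they encode, so a reader has to decode the magic number: `PT_LOOS + 0x5041580` is the ASCII bytes 'P','A','X' (0x50 0x41 0x58) followed by a zero nibble, the same scheme `PT_GNU_STACK` uses for "GNU". I would put `/* PaX per-object flags; the p_flags of a PT_PAX_FLAGS program header carries the PF_[NO]PAGEEXEC etc. bits defined below */` above it so the tie to the `PF_*` bits added further down in this file is explicit (that the loader reads p_flags for this is inferred from the names, not visible here). `PT_GNU_RELRO` is the standard GNU value and is consistent with `PT_GNU_EH_FRAME` (0x6474e550) and `PT_GNU_STACK` (0x6474e551); a short `/* read-only after relocation */` would help the next reader.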
45628 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
45629 #define DT_DEBUG 21
45630 #define DT_TEXTREL 22
45631 #define DT_JMPREL 23
45632 +#define DT_FLAGS 30
45633 + #define DF_TEXTREL 0x00000004
45634 #define DT_ENCODING 32
45635 #define OLD_DT_LOOS 0x60000000
45636 #define DT_LOOS 0x6000000d
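Review bot: The added `DF_TEXTREL` line (45633) is indented by a leading space, unlike every other `#define` in this header, and it sits inside the `DT_*` tag list although it is a bit of the `DT_FLAGS` entry's `d_val` rather than a tag of its own. I would drop the space and say what it belongs to: `#define DF_TEXTREL 0x00000004 /* DT_FLAGS d_val bit: object contains text relocations */`. The values 30 and 0x4 match the ELF gABI.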
45637 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
45641 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
45642 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
45643 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
45644 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
45645 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
45646 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
45647 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
45648 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
45649 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
45650 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
45651 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
45652 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
45654 typedef struct elf32_phdr{
45656 Elf32_Off p_offset;
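Review bot: Each `PF_*` feature gets an enable bit and a disable bit (lines 45641–45652) but nothing states what happens when both bits of a pair are set, or neither, and the code that interprets `PT_PAX_FLAGS` is not in this hunk. A comment above the block would fix the contract for anyone generating these headers, e.g. `/* p_flags bits of a PT_PAX_FLAGS header; each feature has an enable and a disable bit — the PT_PAX_FLAGS parser defines the result when both or neither is set */`, with the actual rule filled in once confirmed. It should also record that bits 10–11 are deliberately reserved by the commented-out `PF_[NO]RANDEXEC` lines, since these bits share the `p_flags` word with the standard permission bits.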
45657 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
45663 #define ELFMAG0 0x7f /* EI_MAG */
45664 #define ELFMAG1 'E'
45665 #define ELFMAG2 'L'
45666 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
45667 #define elf_note elf32_note
45668 #define elf_addr_t Elf32_Off
45669 #define Elf_Half Elf32_Half
45670 +#define elf_dyn Elf32_Dyn
45674 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
45675 #define elf_note elf64_note
45676 #define elf_addr_t Elf64_Off
45677 #define Elf_Half Elf64_Half
45678 +#define elf_dyn Elf64_Dyn
45682 diff -urNp linux-2.6.38.1/include/linux/fs.h linux-2.6.38.1-new/include/linux/fs.h
45683 --- linux-2.6.38.1/include/linux/fs.h 2011-03-14 21:20:32.000000000 -0400
45684 +++ linux-2.6.38.1-new/include/linux/fs.h 2011-03-21 18:31:35.000000000 -0400
45685 @@ -105,6 +105,11 @@ struct inodes_stat_t {
45686 /* File was opened by fanotify and shouldn't generate fanotify events */
45687 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
45689 +/* Hack for grsec so as not to require read permission simply to execute
45692 +#define FMODE_GREXEC ((__force fmode_t)0x2000000)
45695 * The below are the various read and write types that we support. Some of
45696 * them include behavioral modifiers that send information down to the
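Review bot: `FMODE_GREXEC` (line 45692) creates a `struct file` state in which a file is opened for execution without read permission, an unusual combination, and the comment only labels it a hack without naming the opener that sets the bit or the read path that honours it (both are outside this hunk). I would extend the comment to name both sides and the invariant, e.g. `/* set only by the exec open path; a file carrying this bit must only be read by the binary loader, never through a user-reachable read */`, adjusted to whatever the implementation actually enforces. The value 0x2000000 is the next free bit after `FMODE_NONOTIFY` (0x1000000) here, but it is an out-of-tree allocation and must be re-checked against upstream's `FMODE_*` list on every rebase.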
45697 @@ -581,42 +586,42 @@ typedef int (*read_actor_t)(read_descrip
45698 unsigned long, unsigned long);
45700 struct address_space_operations {
45701 - int (*writepage)(struct page *page, struct writeback_control *wbc);
45702 - int (*readpage)(struct file *, struct page *);
45703 - void (*sync_page)(struct page *);
45704 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
45705 + int (* const readpage)(struct file *, struct page *);
45706 + void (* const sync_page)(struct page *);
45708 /* Write back some dirty pages from this mapping. */
45709 - int (*writepages)(struct address_space *, struct writeback_control *);
45710 + int (* const writepages)(struct address_space *, struct writeback_control *);
45712 /* Set a page dirty. Return true if this dirtied it */
45713 - int (*set_page_dirty)(struct page *page);
45714 + int (* const set_page_dirty)(struct page *page);
45716 - int (*readpages)(struct file *filp, struct address_space *mapping,
45717 + int (* const readpages)(struct file *filp, struct address_space *mapping,
45718 struct list_head *pages, unsigned nr_pages);
45720 - int (*write_begin)(struct file *, struct address_space *mapping,
45721 + int (* const write_begin)(struct file *, struct address_space *mapping,
45722 loff_t pos, unsigned len, unsigned flags,
45723 struct page **pagep, void **fsdata);
45724 - int (*write_end)(struct file *, struct address_space *mapping,
45725 + int (* const write_end)(struct file *, struct address_space *mapping,
45726 loff_t pos, unsigned len, unsigned copied,
45727 struct page *page, void *fsdata);
45729 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
45730 - sector_t (*bmap)(struct address_space *, sector_t);
45731 - void (*invalidatepage) (struct page *, unsigned long);
45732 - int (*releasepage) (struct page *, gfp_t);
45733 - void (*freepage)(struct page *);
45734 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
45735 + sector_t (* const bmap)(struct address_space *, sector_t);
45736 + void (* const invalidatepage) (struct page *, unsigned long);
45737 + int (* const releasepage) (struct page *, gfp_t);
45738 + void (* const freepage)(struct page *);
45739 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
45740 loff_t offset, unsigned long nr_segs);
45741 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
45742 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
45743 void **, unsigned long *);
45744 /* migrate the contents of a page to the specified target */
45745 - int (*migratepage) (struct address_space *,
45746 + int (* const migratepage) (struct address_space *,
45747 struct page *, struct page *);
45748 - int (*launder_page) (struct page *);
45749 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
45750 + int (* const launder_page) (struct page *);
45751 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
45753 - int (*error_remove_page)(struct address_space *, struct page *);
45754 + int (* const error_remove_page)(struct address_space *, struct page *);
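Review bot: Making every callback slot `const` (lines 45704–45754) only stops compile-time stores through a correctly typed pointer; it does not by itself place the table in read-only memory, a cast or a kernel write primitive is unaffected, and the `a_ops` pointer that selects the table lives in `struct address_space` (not in this hunk) and remains the usual hijack target, so the protection is only as good as the section the instances end up in. A side effect worth stating is that a struct with const members can no longer be assigned or legally copied-and-patched after initialisation, so any filesystem that builds its `address_space_operations` at runtime from a template will stop compiling or need a cast — presumably intended, but undocumented. I would add above the struct: `/* Slots are const: tables must be fully initialised statically and should live in a read-only section; never copy-and-patch at runtime. */`. The criterion for which slots stay writable is also unstated (compare `set_dma_mask` left non-const in `dma_map_ops` earlier in this patch).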
45758 @@ -1059,17 +1064,17 @@ static inline int file_check_writeable(s
45759 typedef struct files_struct *fl_owner_t;
45761 struct file_lock_operations {
45762 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45763 - void (*fl_release_private)(struct file_lock *);
45764 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45765 + void (* const fl_release_private)(struct file_lock *);
45768 struct lock_manager_operations {
45769 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
45770 - void (*fl_notify)(struct file_lock *); /* unblock callback */
45771 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
45772 - void (*fl_release_private)(struct file_lock *);
45773 - void (*fl_break)(struct file_lock *);
45774 - int (*fl_change)(struct file_lock **, int);
45775 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
45776 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
45777 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
45778 + void (* const fl_release_private)(struct file_lock *);
45779 + void (* const fl_break)(struct file_lock *);
45780 + int (* const fl_change)(struct file_lock **, int);
45783 struct lock_manager {
45784 diff -urNp linux-2.6.38.1/include/linux/fs_struct.h linux-2.6.38.1-new/include/linux/fs_struct.h
45785 --- linux-2.6.38.1/include/linux/fs_struct.h 2011-03-14 21:20:32.000000000 -0400
45786 +++ linux-2.6.38.1-new/include/linux/fs_struct.h 2011-03-21 18:31:35.000000000 -0400
45788 #include <linux/seqlock.h>
45796 diff -urNp linux-2.6.38.1/include/linux/genhd.h linux-2.6.38.1-new/include/linux/genhd.h
45797 --- linux-2.6.38.1/include/linux/genhd.h 2011-03-14 21:20:32.000000000 -0400
45798 +++ linux-2.6.38.1-new/include/linux/genhd.h 2011-03-21 18:31:35.000000000 -0400
45799 @@ -183,7 +183,7 @@ struct gendisk {
45800 struct kobject *slave_dir;
45802 struct timer_rand_state *random;
45803 - atomic_t sync_io; /* RAID */
45804 + atomic_unchecked_t sync_io; /* RAID */
45805 struct disk_events *ev;
45806 #ifdef CONFIG_BLK_DEV_INTEGRITY
45807 struct blk_integrity *integrity;
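Review bot: `sync_io` becomes `atomic_unchecked_t` (line 45804) with no comment explaining why this counter is exempt from the overflow checking the rest of the patch adds to `atomic_t`; the existing `/* RAID */` only says who uses it. If the intent is that this is a statistics counter that may legitimately wrap rather than a reference count, say so on the line: `atomic_unchecked_t sync_io; /* RAID I/O statistic; may wrap, not a refcount */`. Otherwise a later reader cannot tell whether the opt-out was deliberate or a build fix.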
45808 diff -urNp linux-2.6.38.1/include/linux/gracl.h linux-2.6.38.1-new/include/linux/gracl.h
45809 --- linux-2.6.38.1/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
45810 +++ linux-2.6.38.1-new/include/linux/gracl.h 2011-03-21 18:31:35.000000000 -0400
45815 +#include <linux/grdefs.h>
45816 +#include <linux/resource.h>
45817 +#include <linux/capability.h>
45818 +#include <linux/dcache.h>
45819 +#include <asm/resource.h>
45821 +/* Major status information */
45823 +#define GR_VERSION "grsecurity 2.2.1"
45824 +#define GRSECURITY_VERSION 0x2201
45835 + GR_SPROLEPAM = 8,
45838 +/* Password setup definitions
45839 + * kernel/grhash.c */
45842 + GR_SALT_LEN = 16,
45847 + GR_SPROLE_LEN = 64,
45856 +#define GR_NLIMITS 32
45858 +/* Begin Data Structures */
45860 +struct sprole_pw {
45861 + unsigned char *rolename;
45862 + unsigned char salt[GR_SALT_LEN];
45863 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
45866 +struct name_entry {
45873 + struct name_entry *prev;
45874 + struct name_entry *next;
45877 +struct inodev_entry {
45878 + struct name_entry *nentry;
45879 + struct inodev_entry *prev;
45880 + struct inodev_entry *next;
45883 +struct acl_role_db {
45884 + struct acl_role_label **r_hash;
45888 +struct inodev_db {
45889 + struct inodev_entry **i_hash;
45894 + struct name_entry **n_hash;
45898 +struct crash_uid {
45900 + unsigned long expires;
45903 +struct gr_hash_struct {
45905 + void **nametable;
45907 + __u32 table_size;
45912 +/* Userspace Grsecurity ACL data structures */
45914 +struct acl_subject_label {
45919 + kernel_cap_t cap_mask;
45920 + kernel_cap_t cap_lower;
45921 + kernel_cap_t cap_invert_audit;
45923 + struct rlimit res[GR_NLIMITS];
45926 + __u8 user_trans_type;
45927 + __u8 group_trans_type;
45928 + uid_t *user_transitions;
45929 + gid_t *group_transitions;
45930 + __u16 user_trans_num;
45931 + __u16 group_trans_num;
45933 + __u32 sock_families[2];
45934 + __u32 ip_proto[8];
45936 + struct acl_ip_label **ips;
45938 + __u32 inaddr_any_override;
45941 + unsigned long expires;
45943 + struct acl_subject_label *parent_subject;
45944 + struct gr_hash_struct *hash;
45945 + struct acl_subject_label *prev;
45946 + struct acl_subject_label *next;
45948 + struct acl_object_label **obj_hash;
45949 + __u32 obj_hash_size;
45953 +struct role_allowed_ip {
45957 + struct role_allowed_ip *prev;
45958 + struct role_allowed_ip *next;
45961 +struct role_transition {
45964 + struct role_transition *prev;
45965 + struct role_transition *next;
45968 +struct acl_role_label {
45973 + __u16 auth_attempts;
45974 + unsigned long expires;
45976 + struct acl_subject_label *root_label;
45977 + struct gr_hash_struct *hash;
45979 + struct acl_role_label *prev;
45980 + struct acl_role_label *next;
45982 + struct role_transition *transitions;
45983 + struct role_allowed_ip *allowed_ips;
45984 + uid_t *domain_children;
45985 + __u16 domain_child_num;
45987 + struct acl_subject_label **subj_hash;
45988 + __u32 subj_hash_size;
45991 +struct user_acl_role_db {
45992 + struct acl_role_label **r_table;
45993 + __u32 num_pointers; /* Number of allocations to track */
45994 + __u32 num_roles; /* Number of roles */
45995 + __u32 num_domain_children; /* Number of domain children */
45996 + __u32 num_subjects; /* Number of subjects */
45997 + __u32 num_objects; /* Number of objects */
46000 +struct acl_object_label {
46006 + struct acl_subject_label *nested;
46007 + struct acl_object_label *globbed;
46009 + /* next two structures not used */
46011 + struct acl_object_label *prev;
46012 + struct acl_object_label *next;
46015 +struct acl_ip_label {
46024 + /* next two structures not used */
46026 + struct acl_ip_label *prev;
46027 + struct acl_ip_label *next;
46031 + struct user_acl_role_db role_db;
46032 + unsigned char pw[GR_PW_LEN];
46033 + unsigned char salt[GR_SALT_LEN];
46034 + unsigned char sum[GR_SHA_LEN];
46035 + unsigned char sp_role[GR_SPROLE_LEN];
46036 + struct sprole_pw *sprole_pws;
46037 + dev_t segv_device;
46038 + ino_t segv_inode;
46040 + __u16 num_sprole_pws;
46044 +struct gr_arg_wrapper {
46045 + struct gr_arg *arg;
46050 +struct subject_map {
46051 + struct acl_subject_label *user;
46052 + struct acl_subject_label *kernel;
46053 + struct subject_map *prev;
46054 + struct subject_map *next;
46057 +struct acl_subj_map_db {
46058 + struct subject_map **s_hash;
46062 +/* End Data Structures Section */
46064 +/* Hash functions generated by empirical testing by Brad Spengler
46065 + Makes good use of the low bits of the inode. Generally 0-1 times
46066 + in loop for successful match. 0-3 for unsuccessful match.
46067 + Shift/add algorithm with modulus of table size and an XOR*/
46069 +static __inline__ unsigned int
46070 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
46072 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
46075 + static __inline__ unsigned int
46076 +shash(const struct acl_subject_label *userp, const unsigned int sz)
46078 + return ((const unsigned long)userp % sz);
46081 +static __inline__ unsigned int
46082 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
46084 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
46087 +static __inline__ unsigned int
46088 +nhash(const char *name, const __u16 len, const unsigned int sz)
46090 + return full_name_hash((const unsigned char *)name, len) % sz;
46093 +#define FOR_EACH_ROLE_START(role) \
46094 + role = role_list; \
46097 +#define FOR_EACH_ROLE_END(role) \
46098 + role = role->prev; \
46101 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
46104 + while (iter < role->subj_hash_size) { \
46105 + if (subj == NULL) \
46106 + subj = role->subj_hash[iter]; \
46107 + if (subj == NULL) { \
46112 +#define FOR_EACH_SUBJECT_END(subj,iter) \
46113 + subj = subj->next; \
46114 + if (subj == NULL) \
46119 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
46120 + subj = role->hash->first; \
46121 + while (subj != NULL) {
46123 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
46124 + subj = subj->next; \
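Review bot: `rhash()` (line 46072) shifts a 32-bit `uid_t` by `16 + type`, so any `type` of 16 or more — `GR_ROLE_AUTH` (0x10) and every higher `GR_ROLE_*` bit in grdefs.h — yields a shift count of 32 or more, which is undefined behaviour in C: x86 masks the count at runtime, but the compiler may fold or warn the expression away, and since this is an inline with a usually-constant `type`, insert and lookup could end up disagreeing on the bucket. Whether any caller passes those larger bits is not visible in this hunk; either document and enforce that `type` is restricted to the low role bits, or bound the count: `return ((((uid + type) << ((16 + type) & 31)) ^ uid) % sz);`. All four hash helpers also divide by `sz` with no zero guard, so an empty table must never reach them. Separately, the argument struct carrying the cleartext `pw[GR_PW_LEN]` (line 46032) has no note on who wipes the kernel copy after verification; a comment that the consumer must clear it with a non-optimisable memset would make that contract explicit.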
46129 diff -urNp linux-2.6.38.1/include/linux/gralloc.h linux-2.6.38.1-new/include/linux/gralloc.h
46130 --- linux-2.6.38.1/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
46131 +++ linux-2.6.38.1-new/include/linux/gralloc.h 2011-03-21 18:31:35.000000000 -0400
46133 +#ifndef __GRALLOC_H
46134 +#define __GRALLOC_H
46136 +void acl_free_all(void);
46137 +int acl_alloc_stack_init(unsigned long size);
46138 +void *acl_alloc(unsigned long len);
46139 +void *acl_alloc_num(unsigned long num, unsigned long len);
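Review bot: The four prototypes (lines 46136–46139) state no contract: what `acl_alloc_stack_init()` returns on failure, whether `acl_alloc()` returns NULL or panics, and whether `acl_alloc_num()` guards `num * len` against overflow — that product of two caller-supplied `unsigned long`s is the classic overflow spot for an allocator fed from a userspace policy, and the implementation is not in this hunk. I would document each, e.g. `/* acl_alloc_num: allocates num*len bytes; returns NULL on failure or if num*len overflows */`, adjusted to what the implementation really does, and `/* acl_free_all: releases everything handed out since acl_alloc_stack_init() */` if that is the ownership model.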
46142 diff -urNp linux-2.6.38.1/include/linux/grdefs.h linux-2.6.38.1-new/include/linux/grdefs.h
46143 --- linux-2.6.38.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
46144 +++ linux-2.6.38.1-new/include/linux/grdefs.h 2011-03-21 18:31:35.000000000 -0400
46149 +/* Begin grsecurity status declarations */
46153 + GR_STATUS_INIT = 0x00 // disabled state
46156 +/* Begin ACL declarations */
46161 + GR_ROLE_USER = 0x0001,
46162 + GR_ROLE_GROUP = 0x0002,
46163 + GR_ROLE_DEFAULT = 0x0004,
46164 + GR_ROLE_SPECIAL = 0x0008,
46165 + GR_ROLE_AUTH = 0x0010,
46166 + GR_ROLE_NOPW = 0x0020,
46167 + GR_ROLE_GOD = 0x0040,
46168 + GR_ROLE_LEARN = 0x0080,
46169 + GR_ROLE_TPE = 0x0100,
46170 + GR_ROLE_DOMAIN = 0x0200,
46171 + GR_ROLE_PAM = 0x0400
46174 +/* ACL Subject and Object mode flags */
46176 + GR_DELETED = 0x80000000
46179 +/* ACL Object-only mode flags */
46181 + GR_READ = 0x00000001,
46182 + GR_APPEND = 0x00000002,
46183 + GR_WRITE = 0x00000004,
46184 + GR_EXEC = 0x00000008,
46185 + GR_FIND = 0x00000010,
46186 + GR_INHERIT = 0x00000020,
46187 + GR_SETID = 0x00000040,
46188 + GR_CREATE = 0x00000080,
46189 + GR_DELETE = 0x00000100,
46190 + GR_LINK = 0x00000200,
46191 + GR_AUDIT_READ = 0x00000400,
46192 + GR_AUDIT_APPEND = 0x00000800,
46193 + GR_AUDIT_WRITE = 0x00001000,
46194 + GR_AUDIT_EXEC = 0x00002000,
46195 + GR_AUDIT_FIND = 0x00004000,
46196 + GR_AUDIT_INHERIT= 0x00008000,
46197 + GR_AUDIT_SETID = 0x00010000,
46198 + GR_AUDIT_CREATE = 0x00020000,
46199 + GR_AUDIT_DELETE = 0x00040000,
46200 + GR_AUDIT_LINK = 0x00080000,
46201 + GR_PTRACERD = 0x00100000,
46202 + GR_NOPTRACE = 0x00200000,
46203 + GR_SUPPRESS = 0x00400000,
46204 + GR_NOLEARN = 0x00800000
46207 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
46208 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
46209 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
46211 +/* ACL subject-only mode flags */
46213 + GR_KILL = 0x00000001,
46214 + GR_VIEW = 0x00000002,
46215 + GR_PROTECTED = 0x00000004,
46216 + GR_LEARN = 0x00000008,
46217 + GR_OVERRIDE = 0x00000010,
46218 + /* just a placeholder, this mode is only used in userspace */
46219 + GR_DUMMY = 0x00000020,
46220 + GR_PROTSHM = 0x00000040,
46221 + GR_KILLPROC = 0x00000080,
46222 + GR_KILLIPPROC = 0x00000100,
46223 + /* just a placeholder, this mode is only used in userspace */
46224 + GR_NOTROJAN = 0x00000200,
46225 + GR_PROTPROCFD = 0x00000400,
46226 + GR_PROCACCT = 0x00000800,
46227 + GR_RELAXPTRACE = 0x00001000,
46228 + GR_NESTED = 0x00002000,
46229 + GR_INHERITLEARN = 0x00004000,
46230 + GR_PROCFIND = 0x00008000,
46231 + GR_POVERRIDE = 0x00010000,
46232 + GR_KERNELAUTH = 0x00020000,
46233 + GR_ATSECURE = 0x00040000
46237 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
46238 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
46239 + GR_PAX_ENABLE_MPROTECT = 0x0004,
46240 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
46241 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
46242 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
46243 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
46244 + GR_PAX_DISABLE_MPROTECT = 0x0400,
46245 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
46246 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
46250 + GR_ID_USER = 0x01,
46251 + GR_ID_GROUP = 0x02,
46255 + GR_ID_ALLOW = 0x01,
46256 + GR_ID_DENY = 0x02,
46259 +#define GR_CRASH_RES 31
46260 +#define GR_UIDTABLE_MAX 500
46262 +/* begin resource learning section */
46264 + GR_RLIM_CPU_BUMP = 60,
46265 + GR_RLIM_FSIZE_BUMP = 50000,
46266 + GR_RLIM_DATA_BUMP = 10000,
46267 + GR_RLIM_STACK_BUMP = 1000,
46268 + GR_RLIM_CORE_BUMP = 10000,
46269 + GR_RLIM_RSS_BUMP = 500000,
46270 + GR_RLIM_NPROC_BUMP = 1,
46271 + GR_RLIM_NOFILE_BUMP = 5,
46272 + GR_RLIM_MEMLOCK_BUMP = 50000,
46273 + GR_RLIM_AS_BUMP = 500000,
46274 + GR_RLIM_LOCKS_BUMP = 2,
46275 + GR_RLIM_SIGPENDING_BUMP = 5,
46276 + GR_RLIM_MSGQUEUE_BUMP = 10000,
46277 + GR_RLIM_NICE_BUMP = 1,
46278 + GR_RLIM_RTPRIO_BUMP = 1,
46279 + GR_RLIM_RTTIME_BUMP = 1000000
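Review bot: `GR_CRASH_RES 31` and `GR_UIDTABLE_MAX 500` (lines 46259–46260) are bare magic numbers with no comment. `GR_CRASH_RES` looks like an index into the `res[GR_NLIMITS]` array of `acl_subject_label` (GR_NLIMITS is 32 in gracl.h), i.e. a slot beyond the kernel's own RLIM_NLIMITS reused for crash/bruteforce bookkeeping — if so, say it: `#define GR_CRASH_RES 31 /* res[] slot above RLIM_NLIMITS, reused for crash-bruteforce bookkeeping; must stay < GR_NLIMITS */`, and add a compile-time check for that bound. `GR_UIDTABLE_MAX` presumably bounds the banned-uid table; a comment should record what happens when it is full, since that is the path an attacker flooding crashes would exercise.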
46283 diff -urNp linux-2.6.38.1/include/linux/grinternal.h linux-2.6.38.1-new/include/linux/grinternal.h
46284 --- linux-2.6.38.1/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
46285 +++ linux-2.6.38.1-new/include/linux/grinternal.h 2011-03-21 18:31:35.000000000 -0400
46287 +#ifndef __GRINTERNAL_H
46288 +#define __GRINTERNAL_H
46290 +#ifdef CONFIG_GRKERNSEC
46292 +#include <linux/fs.h>
46293 +#include <linux/mnt_namespace.h>
46294 +#include <linux/nsproxy.h>
46295 +#include <linux/gracl.h>
46296 +#include <linux/grdefs.h>
46297 +#include <linux/grmsg.h>
46299 +void gr_add_learn_entry(const char *fmt, ...)
46300 + __attribute__ ((format (printf, 1, 2)));
46301 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
46302 + const struct vfsmount *mnt);
46303 +__u32 gr_check_create(const struct dentry *new_dentry,
46304 + const struct dentry *parent,
46305 + const struct vfsmount *mnt, const __u32 mode);
46306 +int gr_check_protected_task(const struct task_struct *task);
46307 +__u32 to_gr_audit(const __u32 reqmode);
46308 +int gr_set_acls(const int type);
46310 +int gr_acl_is_enabled(void);
46311 +char gr_roletype_to_char(void);
46313 +void gr_handle_alertkill(struct task_struct *task);
46314 +char *gr_to_filename(const struct dentry *dentry,
46315 + const struct vfsmount *mnt);
46316 +char *gr_to_filename1(const struct dentry *dentry,
46317 + const struct vfsmount *mnt);
46318 +char *gr_to_filename2(const struct dentry *dentry,
46319 + const struct vfsmount *mnt);
46320 +char *gr_to_filename3(const struct dentry *dentry,
46321 + const struct vfsmount *mnt);
46323 +extern int grsec_enable_harden_ptrace;
46324 +extern int grsec_enable_link;
46325 +extern int grsec_enable_fifo;
46326 +extern int grsec_enable_execve;
46327 +extern int grsec_enable_shm;
46328 +extern int grsec_enable_execlog;
46329 +extern int grsec_enable_signal;
46330 +extern int grsec_enable_audit_ptrace;
46331 +extern int grsec_enable_forkfail;
46332 +extern int grsec_enable_time;
46333 +extern int grsec_enable_rofs;
46334 +extern int grsec_enable_chroot_shmat;
46335 +extern int grsec_enable_chroot_findtask;
46336 +extern int grsec_enable_chroot_mount;
46337 +extern int grsec_enable_chroot_double;
46338 +extern int grsec_enable_chroot_pivot;
46339 +extern int grsec_enable_chroot_chdir;
46340 +extern int grsec_enable_chroot_chmod;
46341 +extern int grsec_enable_chroot_mknod;
46342 +extern int grsec_enable_chroot_fchdir;
46343 +extern int grsec_enable_chroot_nice;
46344 +extern int grsec_enable_chroot_execlog;
46345 +extern int grsec_enable_chroot_caps;
46346 +extern int grsec_enable_chroot_sysctl;
46347 +extern int grsec_enable_chroot_unix;
46348 +extern int grsec_enable_tpe;
46349 +extern int grsec_tpe_gid;
46350 +extern int grsec_enable_tpe_all;
46351 +extern int grsec_enable_tpe_invert;
46352 +extern int grsec_enable_socket_all;
46353 +extern int grsec_socket_all_gid;
46354 +extern int grsec_enable_socket_client;
46355 +extern int grsec_socket_client_gid;
46356 +extern int grsec_enable_socket_server;
46357 +extern int grsec_socket_server_gid;
46358 +extern int grsec_audit_gid;
46359 +extern int grsec_enable_group;
46360 +extern int grsec_enable_audit_textrel;
46361 +extern int grsec_enable_log_rwxmaps;
46362 +extern int grsec_enable_mount;
46363 +extern int grsec_enable_chdir;
46364 +extern int grsec_resource_logging;
46365 +extern int grsec_enable_blackhole;
46366 +extern int grsec_lastack_retries;
46367 +extern int grsec_lock;
46369 +extern spinlock_t grsec_alert_lock;
46370 +extern unsigned long grsec_alert_wtime;
46371 +extern unsigned long grsec_alert_fyet;
46373 +extern spinlock_t grsec_audit_lock;
46375 +extern rwlock_t grsec_exec_file_lock;
46377 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
46378 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
46379 + (tsk)->exec_file->f_vfsmnt) : "/")
46381 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
46382 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
46383 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46385 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
46386 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
46387 + (tsk)->exec_file->f_vfsmnt) : "/")
46389 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
46390 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
46391 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
46393 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
46395 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
46397 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
46398 + (task)->pid, (cred)->uid, \
46399 + (cred)->euid, (cred)->gid, (cred)->egid, \
46400 + gr_parent_task_fullpath(task), \
46401 + (task)->real_parent->comm, (task)->real_parent->pid, \
46402 + (pcred)->uid, (pcred)->euid, \
46403 + (pcred)->gid, (pcred)->egid
46405 +#define GR_CHROOT_CAPS {{ \
46406 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
46407 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
46408 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
46409 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
46410 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
46411 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
46413 +#define security_learn(normal_msg,args...) \
46415 + read_lock(&grsec_exec_file_lock); \
46416 + gr_add_learn_entry(normal_msg "\n", ## args); \
46417 + read_unlock(&grsec_exec_file_lock); \
46423 + GR_DONT_AUDIT_GOOD
46434 + GR_SYSCTL_HIDDEN,
46437 + GR_ONE_INT_TWO_STR,
46443 + GR_FIVE_INT_TWO_STR,
46449 + GR_FILENAME_TWO_INT,
46450 + GR_FILENAME_TWO_INT_STR,
46463 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
46464 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
46465 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
46466 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
46467 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
46468 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
46469 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
46470 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
46471 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
46472 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
46473 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
46474 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
46475 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
46476 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
46477 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
46478 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
46479 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
46480 +#define gr_log_str2_int(audit, msg, str1, str2, num) gr_log_varargs(audit, msg, GR_TWO_STR_INT, str1, str2, num)
46481 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
46482 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
46483 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
46484 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
46485 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
46486 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
46487 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
46488 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
46489 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
46490 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
46491 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
46492 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
46493 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
46494 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
46495 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
46496 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
46498 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
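Review bot: `GR_CHROOT_CAPS` (line 46405) initialises only the first `u32` of the `kernel_cap_t`, with the second word hard-coded to `0`, so capabilities numbered 32 and above (`CAP_MAC_OVERRIDE`, `CAP_MAC_ADMIN`, `CAP_SYSLOG` on this kernel) are never dropped from a chrooted task even though `CAP_SYS_ADMIN` and `CAP_SYS_MODULE` are. If that is deliberate it should be stated in a comment; if not, the upper word should be built with `CAP_TO_INDEX`/`CAP_TO_MASK` rather than a literal `0` so new capabilities are not silently exempt. Also `DEFAULTSECARGS` and the `gr_*_fullpath` macros dereference `(task)->real_parent` and its `exec_file`, both of which can change underneath the caller; `security_learn` takes `grsec_exec_file_lock` around its use, and a comment on `DEFAULTSECARGS` should state that callers must hold that read lock plus `rcu_read_lock()` or `tasklist_lock` for the parent pointer.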
46503 diff -urNp linux-2.6.38.1/include/linux/grmsg.h linux-2.6.38.1-new/include/linux/grmsg.h
46504 --- linux-2.6.38.1/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
46505 +++ linux-2.6.38.1-new/include/linux/grmsg.h 2011-03-21 18:31:35.000000000 -0400
46507 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
46508 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
46509 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
46510 +#define GR_STOPMOD_MSG "denied modification of module state by "
46511 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
46512 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
46513 +#define GR_IOPERM_MSG "denied use of ioperm() by "
46514 +#define GR_IOPL_MSG "denied use of iopl() by "
46515 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
46516 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
46517 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
46518 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
46519 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
46520 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
46521 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
46522 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
46523 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
46524 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
46525 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
46526 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
46527 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
46528 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
46529 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
46530 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
46531 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
46532 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
46533 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
46534 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
46535 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
46536 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
46537 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
46538 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
46539 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
46540 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
46541 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
46542 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
46543 +#define GR_NPROC_MSG "denied overstep of process limit by "
46544 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
46545 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
46546 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
46547 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
46548 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
46549 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
46550 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
46551 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
46552 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
46553 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
46554 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
46555 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
46556 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
46557 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
46558 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
46559 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
46560 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
46561 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
46562 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
46563 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
46564 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
46565 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
46566 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
46567 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
46568 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
46569 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
46570 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
46571 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
46572 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
46573 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
46574 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
46575 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
46576 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
46577 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
46578 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
46579 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
46580 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
46581 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
46582 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
46583 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
46584 +#define GR_NICE_CHROOT_MSG "denied priority change by "
46585 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
46586 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
46587 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
46588 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
46589 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
46590 +#define GR_TIME_MSG "time set by "
46591 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
46592 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
46593 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
46594 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
46595 +#define GR_SOCK_NOINET_MSG "denied socket(%.16s,%.16s,%d) by "
46596 +#define GR_BIND_MSG "denied bind() by "
46597 +#define GR_CONNECT_MSG "denied connect() by "
46598 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
46599 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
46600 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
46601 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
46602 +#define GR_CAP_ACL_MSG "use of %s denied for "
46603 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
46604 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
46605 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
46606 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
46607 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
46608 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
46609 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
46610 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
46611 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
46612 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
46613 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
46614 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
46615 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
46616 +#define GR_VM86_MSG "denied use of vm86 by "
46617 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
46618 diff -urNp linux-2.6.38.1/include/linux/grsecurity.h linux-2.6.38.1-new/include/linux/grsecurity.h
46619 --- linux-2.6.38.1/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
46620 +++ linux-2.6.38.1-new/include/linux/grsecurity.h 2011-03-21 18:31:35.000000000 -0400
46622 +#ifndef GR_SECURITY_H
46623 +#define GR_SECURITY_H
46624 +#include <linux/fs.h>
46625 +#include <linux/fs_struct.h>
46626 +#include <linux/binfmts.h>
46627 +#include <linux/gracl.h>
46628 +#include <linux/compat.h>
46630 +/* notify of brain-dead configs */
46631 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
46632 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
46634 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46635 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46637 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46638 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46640 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
46641 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
46643 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
46644 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
46647 +void gr_handle_brute_attach(struct task_struct *p);
46648 +void gr_handle_brute_check(void);
46650 +char gr_roletype_to_char(void);
46652 +int gr_acl_enable_at_secure(void);
46654 +int gr_check_user_change(int real, int effective, int fs);
46655 +int gr_check_group_change(int real, int effective, int fs);
46657 +void gr_del_task_from_ip_table(struct task_struct *p);
46659 +int gr_pid_is_chrooted(struct task_struct *p);
46660 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
46661 +int gr_handle_chroot_nice(void);
46662 +int gr_handle_chroot_sysctl(const int op);
46663 +int gr_handle_chroot_setpriority(struct task_struct *p,
46664 + const int niceval);
46665 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
46666 +int gr_handle_chroot_chroot(const struct dentry *dentry,
46667 + const struct vfsmount *mnt);
46668 +int gr_handle_chroot_caps(struct path *path);
46669 +void gr_handle_chroot_chdir(struct path *path);
46670 +int gr_handle_chroot_chmod(const struct dentry *dentry,
46671 + const struct vfsmount *mnt, const int mode);
46672 +int gr_handle_chroot_mknod(const struct dentry *dentry,
46673 + const struct vfsmount *mnt, const int mode);
46674 +int gr_handle_chroot_mount(const struct dentry *dentry,
46675 + const struct vfsmount *mnt,
46676 + const char *dev_name);
46677 +int gr_handle_chroot_pivot(void);
46678 +int gr_handle_chroot_unix(struct pid *pid);
46680 +int gr_handle_rawio(const struct inode *inode);
46681 +int gr_handle_nproc(void);
46683 +void gr_handle_ioperm(void);
46684 +void gr_handle_iopl(void);
46686 +int gr_tpe_allow(const struct file *file);
46688 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
46689 +void gr_clear_chroot_entries(struct task_struct *task);
46691 +void gr_log_forkfail(const int retval);
46692 +void gr_log_timechange(void);
46693 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
46694 +void gr_log_chdir(const struct dentry *dentry,
46695 + const struct vfsmount *mnt);
46696 +void gr_log_chroot_exec(const struct dentry *dentry,
46697 + const struct vfsmount *mnt);
46698 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
46699 +#ifdef CONFIG_COMPAT
46700 +void gr_handle_exec_args_compat(struct linux_binprm *bprm, compat_uptr_t __user *argv);
46702 +void gr_log_remount(const char *devname, const int retval);
46703 +void gr_log_unmount(const char *devname, const int retval);
46704 +void gr_log_mount(const char *from, const char *to, const int retval);
46705 +void gr_log_textrel(struct vm_area_struct *vma);
46706 +void gr_log_rwxmmap(struct file *file);
46707 +void gr_log_rwxmprotect(struct file *file);
46709 +int gr_handle_follow_link(const struct inode *parent,
46710 + const struct inode *inode,
46711 + const struct dentry *dentry,
46712 + const struct vfsmount *mnt);
46713 +int gr_handle_fifo(const struct dentry *dentry,
46714 + const struct vfsmount *mnt,
46715 + const struct dentry *dir, const int flag,
46716 + const int acc_mode);
46717 +int gr_handle_hardlink(const struct dentry *dentry,
46718 + const struct vfsmount *mnt,
46719 + struct inode *inode,
46720 + const int mode, const char *to);
46722 +int gr_is_capable(const int cap);
46723 +int gr_is_capable_nolog(const int cap);
46724 +void gr_learn_resource(const struct task_struct *task, const int limit,
46725 + const unsigned long wanted, const int gt);
46726 +void gr_copy_label(struct task_struct *tsk);
46727 +void gr_handle_crash(struct task_struct *task, const int sig);
46728 +int gr_handle_signal(const struct task_struct *p, const int sig);
46729 +int gr_check_crash_uid(const uid_t uid);
46730 +int gr_check_protected_task(const struct task_struct *task);
46731 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
46732 +int gr_acl_handle_mmap(const struct file *file,
46733 + const unsigned long prot);
46734 +int gr_acl_handle_mprotect(const struct file *file,
46735 + const unsigned long prot);
46736 +int gr_check_hidden_task(const struct task_struct *tsk);
46737 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
46738 + const struct vfsmount *mnt);
46739 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
46740 + const struct vfsmount *mnt);
46741 +__u32 gr_acl_handle_access(const struct dentry *dentry,
46742 + const struct vfsmount *mnt, const int fmode);
46743 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
46744 + const struct vfsmount *mnt, mode_t mode);
46745 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
46746 + const struct vfsmount *mnt, mode_t mode);
46747 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
46748 + const struct vfsmount *mnt);
46749 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
46750 + const struct vfsmount *mnt);
46751 +int gr_handle_ptrace(struct task_struct *task, const long request);
46752 +int gr_handle_proc_ptrace(struct task_struct *task);
46753 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
46754 + const struct vfsmount *mnt);
46755 +int gr_check_crash_exec(const struct file *filp);
46756 +int gr_acl_is_enabled(void);
46757 +void gr_set_kernel_label(struct task_struct *task);
46758 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
46759 + const gid_t gid);
46760 +int gr_set_proc_label(const struct dentry *dentry,
46761 + const struct vfsmount *mnt,
46762 + const int unsafe_share);
46763 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
46764 + const struct vfsmount *mnt);
46765 +__u32 gr_acl_handle_open(const struct dentry *dentry,
46766 + const struct vfsmount *mnt, const int fmode);
46767 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
46768 + const struct dentry *p_dentry,
46769 + const struct vfsmount *p_mnt, const int fmode,
46770 + const int imode);
46771 +void gr_handle_create(const struct dentry *dentry,
46772 + const struct vfsmount *mnt);
46773 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
46774 + const struct dentry *parent_dentry,
46775 + const struct vfsmount *parent_mnt,
46777 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
46778 + const struct dentry *parent_dentry,
46779 + const struct vfsmount *parent_mnt);
46780 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
46781 + const struct vfsmount *mnt);
46782 +void gr_handle_delete(const ino_t ino, const dev_t dev);
46783 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
46784 + const struct vfsmount *mnt);
46785 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
46786 + const struct dentry *parent_dentry,
46787 + const struct vfsmount *parent_mnt,
46788 + const char *from);
46789 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
46790 + const struct dentry *parent_dentry,
46791 + const struct vfsmount *parent_mnt,
46792 + const struct dentry *old_dentry,
46793 + const struct vfsmount *old_mnt, const char *to);
46794 +int gr_acl_handle_rename(struct dentry *new_dentry,
46795 + struct dentry *parent_dentry,
46796 + const struct vfsmount *parent_mnt,
46797 + struct dentry *old_dentry,
46798 + struct inode *old_parent_inode,
46799 + struct vfsmount *old_mnt, const char *newname);
46800 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
46801 + struct dentry *old_dentry,
46802 + struct dentry *new_dentry,
46803 + struct vfsmount *mnt, const __u8 replace);
46804 +__u32 gr_check_link(const struct dentry *new_dentry,
46805 + const struct dentry *parent_dentry,
46806 + const struct vfsmount *parent_mnt,
46807 + const struct dentry *old_dentry,
46808 + const struct vfsmount *old_mnt);
46809 +int gr_acl_handle_filldir(const struct file *file, const char *name,
46810 + const unsigned int namelen, const ino_t ino);
46812 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
46813 + const struct vfsmount *mnt);
46814 +void gr_acl_handle_exit(void);
46815 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
46816 +int gr_acl_handle_procpidmem(const struct task_struct *task);
46817 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
46818 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
46819 +void gr_audit_ptrace(struct task_struct *task);
46821 +#ifdef CONFIG_GRKERNSEC
46822 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
46823 +void gr_log_nonroot_mod_load(const char *modname);
46824 +void gr_handle_vm86(void);
46825 +void gr_handle_mem_write(void);
46826 +void gr_handle_kmem_write(void);
46827 +void gr_handle_open_port(void);
46828 +int gr_handle_mem_mmap(const unsigned long offset,
46829 + struct vm_area_struct *vma);
46831 +extern int grsec_enable_dmesg;
46832 +extern int grsec_disable_privio;
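Review bot: The header declares well over a hundred hook entry points but documents the return convention of none of them, so a caller cannot tell from the prototypes whether non-zero from an `int gr_handle_*()` means allowed or denied, what the `__u32` returned by the `gr_acl_handle_*()` checks represents, or whether a `gr_check_*()` result is an error code. A block comment after the includes stating, for each of those prefixes, what the return value means and which value permits the operation would let the hook sites be audited without reading every definition. The uid/gid checks also mix types: `gr_check_user_change(int real, int effective, int fs)` and `gr_check_group_change()` take `int` while `gr_check_crash_uid(const uid_t uid)` and `gr_set_role_label(..., const uid_t uid, const gid_t gid)` use the kernel typedefs; if `-1` is relied on as an "unchanged" sentinel that should be stated in a comment, otherwise `uid_t`/`gid_t` would be the consistent choice. The `#endif` lines closing the `CONFIG_COMPAT` and `CONFIG_GRKERNSEC` blocks are not visible in this rendering, so the guard structure could not be checked.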
46836 diff -urNp linux-2.6.38.1/include/linux/grsock.h linux-2.6.38.1-new/include/linux/grsock.h
46837 --- linux-2.6.38.1/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
46838 +++ linux-2.6.38.1-new/include/linux/grsock.h 2011-03-21 18:31:35.000000000 -0400
46840 +#ifndef __GRSOCK_H
46841 +#define __GRSOCK_H
46843 +extern void gr_attach_curr_ip(const struct sock *sk);
46844 +extern int gr_handle_sock_all(const int family, const int type,
46845 + const int protocol);
46846 +extern int gr_handle_sock_server(const struct sockaddr *sck);
46847 +extern int gr_handle_sock_server_other(const struct sock *sck);
46848 +extern int gr_handle_sock_client(const struct sockaddr *sck);
46849 +extern int gr_search_connect(struct socket * sock,
46850 + struct sockaddr_in * addr);
46851 +extern int gr_search_bind(struct socket * sock,
46852 + struct sockaddr_in * addr);
46853 +extern int gr_search_listen(struct socket * sock);
46854 +extern int gr_search_accept(struct socket * sock);
46855 +extern int gr_search_socket(const int domain, const int type,
46856 + const int protocol);
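Review bot: None of `struct sock`, `struct socket`, `struct sockaddr` or `struct sockaddr_in` is declared before the prototypes that use them, and the header includes nothing, so if grsock.h is ever included before net/sock.h or linux/in.h each tag is declared with prototype scope (the "declared inside parameter list will not be visible" warning) as a type distinct from the real one, and callers then get incompatible-pointer errors. Adding `struct sock; struct socket; struct sockaddr; struct sockaddr_in;` directly after the include guard makes the header self-contained regardless of include order. The pointer declarators in `gr_search_connect()` through `gr_search_accept()` are also written `struct socket * sock`, which differs from the `struct sock *sk` spelling used earlier in the same file.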
46859 diff -urNp linux-2.6.38.1/include/linux/highmem.h linux-2.6.38.1-new/include/linux/highmem.h
46860 --- linux-2.6.38.1/include/linux/highmem.h 2011-03-14 21:20:32.000000000 -0400
46861 +++ linux-2.6.38.1-new/include/linux/highmem.h 2011-03-21 18:31:35.000000000 -0400
46862 @@ -185,6 +185,18 @@ static inline void clear_highpage(struct
46863 kunmap_atomic(kaddr, KM_USER0);
46866 +static inline void sanitize_highpage(struct page *page)
46869 + unsigned long flags;
46871 + local_irq_save(flags);
46872 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
46873 + clear_page(kaddr);
46874 + kunmap_atomic(kaddr, KM_CLEARPAGE);
46875 + local_irq_restore(flags);
46878 static inline void zero_user_segments(struct page *page,
46879 unsigned start1, unsigned end1,
46880 unsigned start2, unsigned end2)
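Review bot: `sanitize_highpage()` carries no comment explaining why it needs `local_irq_save()`/`local_irq_restore()` around the map-clear-unmap sequence when the neighbouring `clear_highpage()` does the same work with `kmap_atomic()` alone. Presumably the `KM_CLEARPAGE` slot can also be taken from interrupt context and disabling interrupts keeps an IRQ handler from reusing the slot while the page is mapped; if that is the reason, a one-line comment such as `/* KM_CLEARPAGE may be used from IRQ context too, so hold interrupts off while the slot is in use */` should sit above the `local_irq_save()`. The opening brace, the `kaddr` declaration and the closing brace of the function are not visible in this rendering of the hunk, so only the body shown could be reviewed.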
46881 diff -urNp linux-2.6.38.1/include/linux/init.h linux-2.6.38.1-new/include/linux/init.h
46882 --- linux-2.6.38.1/include/linux/init.h 2011-03-14 21:20:32.000000000 -0400
46883 +++ linux-2.6.38.1-new/include/linux/init.h 2011-03-21 18:31:35.000000000 -0400
46884 @@ -293,13 +293,13 @@ void __init parse_early_options(char *cm
46886 /* Each module must use one module_init(). */
46887 #define module_init(initfn) \
46888 - static inline initcall_t __inittest(void) \
46889 + static inline __used initcall_t __inittest(void) \
46890 { return initfn; } \
46891 int init_module(void) __attribute__((alias(#initfn)));
46893 /* This is only required if you want to be unloadable. */
46894 #define module_exit(exitfn) \
46895 - static inline exitcall_t __exittest(void) \
46896 + static inline __used exitcall_t __exittest(void) \
46897 { return exitfn; } \
46898 void cleanup_module(void) __attribute__((alias(#exitfn)));
46900 diff -urNp linux-2.6.38.1/include/linux/interrupt.h linux-2.6.38.1-new/include/linux/interrupt.h
46901 --- linux-2.6.38.1/include/linux/interrupt.h 2011-03-14 21:20:32.000000000 -0400
46902 +++ linux-2.6.38.1-new/include/linux/interrupt.h 2011-03-21 18:31:35.000000000 -0400
46903 @@ -393,7 +393,7 @@ enum
46904 /* map softirq index to softirq name. update 'softirq_to_name' in
46905 * kernel/softirq.c when adding a new softirq.
46907 -extern char *softirq_to_name[NR_SOFTIRQS];
46908 +extern const char * const softirq_to_name[NR_SOFTIRQS];
46910 /* softirq mask and active fields moved to irq_cpustat_t in
46911 * asm/hardirq.h to get better cache usage. KAO
46912 @@ -401,12 +401,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
46914 struct softirq_action
46916 - void (*action)(struct softirq_action *);
46917 + void (*action)(void);
46920 asmlinkage void do_softirq(void);
46921 asmlinkage void __do_softirq(void);
46922 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
46923 +extern void open_softirq(int nr, void (*action)(void));
46924 extern void softirq_init(void);
46925 static inline void __raise_softirq_irqoff(unsigned int nr)
46927 diff -urNp linux-2.6.38.1/include/linux/jbd2.h linux-2.6.38.1-new/include/linux/jbd2.h
46928 --- linux-2.6.38.1/include/linux/jbd2.h 2011-03-14 21:20:32.000000000 -0400
46929 +++ linux-2.6.38.1-new/include/linux/jbd2.h 2011-03-21 18:31:35.000000000 -0400
46930 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
46934 -#define jbd_debug(f, a...) /**/
46935 +#define jbd_debug(f, a...) do {} while (0)
46938 extern void *jbd2_alloc(size_t size, gfp_t flags);
46939 diff -urNp linux-2.6.38.1/include/linux/jbd.h linux-2.6.38.1-new/include/linux/jbd.h
46940 --- linux-2.6.38.1/include/linux/jbd.h 2011-03-14 21:20:32.000000000 -0400
46941 +++ linux-2.6.38.1-new/include/linux/jbd.h 2011-03-21 18:31:35.000000000 -0400
46942 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
46946 -#define jbd_debug(f, a...) /**/
46947 +#define jbd_debug(f, a...) do {} while (0)
46950 static inline void *jbd_alloc(size_t size, gfp_t flags)
46951 diff -urNp linux-2.6.38.1/include/linux/kallsyms.h linux-2.6.38.1-new/include/linux/kallsyms.h
46952 --- linux-2.6.38.1/include/linux/kallsyms.h 2011-03-14 21:20:32.000000000 -0400
46953 +++ linux-2.6.38.1-new/include/linux/kallsyms.h 2011-03-21 18:31:35.000000000 -0400
46958 -#ifdef CONFIG_KALLSYMS
46959 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
46960 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
46961 /* Lookup the address for a symbol. Returns 0 if not found. */
46962 unsigned long kallsyms_lookup_name(const char *name);
46964 @@ -92,6 +93,15 @@ static inline int lookup_symbol_attrs(un
46965 /* Stupid that this does nothing, but I didn't create this mess. */
46966 #define __print_symbol(fmt, addr)
46967 #endif /*CONFIG_KALLSYMS*/
46968 +#else /* when included by kallsyms.c, vsnprintf.c, or
46969 + arch/x86/kernel/dumpstack.c, with HIDESYM enabled */
46970 +extern void __print_symbol(const char *fmt, unsigned long address);
46971 +extern int sprint_symbol(char *buffer, unsigned long address);
46972 +const char *kallsyms_lookup(unsigned long addr,
46973 + unsigned long *symbolsize,
46974 + unsigned long *offset,
46975 + char **modname, char *namebuf);
46978 /* This macro allows us to keep printk typechecking */
46979 static void __check_printsym_format(const char *fmt, ...)
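Review bot: The comment on the new `#else` branch says it is taken "with HIDESYM enabled", but the outer condition it appears to pair with (`#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` in the preceding hunk) tests only `__INCLUDED_BY_HIDESYM` and `CONFIG_KALLSYMS`; `CONFIG_GRKERNSEC_HIDESYM` is consulted only by the inner `#if`. A file that defines `__INCLUDED_BY_HIDESYM` in a build with symbol hiding off therefore also lands in this branch and loses declarations such as `kallsyms_lookup_name()` that the normal branch provides. Either the comment should read `/* included with __INCLUDED_BY_HIDESYM defined and CONFIG_KALLSYMS set: only the symbolizer entry points are exposed */`, or the outer condition should gain `|| !defined(CONFIG_GRKERNSEC_HIDESYM)` so the full set is kept when hiding is disabled. `kallsyms_lookup()` is also declared without the `extern` its two neighbours use; harmless, but inconsistent within the branch. The matching `#endif` lines are not visible in this rendering, so the pairing is inferred.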
46980 diff -urNp linux-2.6.38.1/include/linux/kgdb.h linux-2.6.38.1-new/include/linux/kgdb.h
46981 --- linux-2.6.38.1/include/linux/kgdb.h 2011-03-14 21:20:32.000000000 -0400
46982 +++ linux-2.6.38.1-new/include/linux/kgdb.h 2011-03-21 18:31:35.000000000 -0400
46983 @@ -269,22 +269,22 @@ struct kgdb_arch {
46987 - int (*read_char) (void);
46988 - void (*write_char) (u8);
46989 - void (*flush) (void);
46990 - int (*init) (void);
46991 - void (*pre_exception) (void);
46992 - void (*post_exception) (void);
46993 + int (* const read_char) (void);
46994 + void (* const write_char) (u8);
46995 + void (* const flush) (void);
46996 + int (* const init) (void);
46997 + void (* const pre_exception) (void);
46998 + void (* const post_exception) (void);
47002 -extern struct kgdb_arch arch_kgdb_ops;
47003 +extern const struct kgdb_arch arch_kgdb_ops;
47005 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
47007 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
47008 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
47009 -extern struct kgdb_io *dbg_io_ops;
47010 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
47011 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
47012 +extern const struct kgdb_io *dbg_io_ops;
47014 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
47015 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
47016 diff -urNp linux-2.6.38.1/include/linux/kvm_host.h linux-2.6.38.1-new/include/linux/kvm_host.h
47017 --- linux-2.6.38.1/include/linux/kvm_host.h 2011-03-14 21:20:32.000000000 -0400
47018 +++ linux-2.6.38.1-new/include/linux/kvm_host.h 2011-03-21 18:31:35.000000000 -0400
47019 @@ -288,7 +288,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
47020 void vcpu_load(struct kvm_vcpu *vcpu);
47021 void vcpu_put(struct kvm_vcpu *vcpu);
47023 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
47024 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
47025 struct module *module);
47026 void kvm_exit(void);
47028 @@ -428,7 +428,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
47029 struct kvm_guest_debug *dbg);
47030 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
47032 -int kvm_arch_init(void *opaque);
47033 +int kvm_arch_init(const void *opaque);
47034 void kvm_arch_exit(void);
47036 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
47037 diff -urNp linux-2.6.38.1/include/linux/libata.h linux-2.6.38.1-new/include/linux/libata.h
47038 --- linux-2.6.38.1/include/linux/libata.h 2011-03-14 21:20:32.000000000 -0400
47039 +++ linux-2.6.38.1-new/include/linux/libata.h 2011-03-21 18:31:35.000000000 -0400
47040 @@ -65,11 +65,11 @@
47041 #ifdef ATA_VERBOSE_DEBUG
47042 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
47044 -#define VPRINTK(fmt, args...)
47045 +#define VPRINTK(fmt, args...) do {} while (0)
47046 #endif /* ATA_VERBOSE_DEBUG */
47048 -#define DPRINTK(fmt, args...)
47049 -#define VPRINTK(fmt, args...)
47050 +#define DPRINTK(fmt, args...) do {} while (0)
47051 +#define VPRINTK(fmt, args...) do {} while (0)
47052 #endif /* ATA_DEBUG */
47054 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
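Review bot: `BPRINTK` on the context line right after the hunk is still a bare `if (...) printk(...)`, which is the same statement-shape hazard the hunk fixes for the empty `DPRINTK`/`VPRINTK` definitions: `if (x) BPRINTK(...); else ...` binds the `else` to the macro's own `if`. Since the hunk already touches this block, wrapping it too, `#define BPRINTK(fmt, args...) do { if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args); } while (0)`, keeps all three debug macros usable as single statements. The `#else` and `#ifdef ATA_DEBUG` lines between the two changed regions are not visible in this rendering.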
47055 @@ -530,11 +530,11 @@ struct ata_ioports {
47059 - struct device *dev;
47060 + struct device *dev;
47061 void __iomem * const *iomap;
47062 unsigned int n_ports;
47063 void *private_data;
47064 - struct ata_port_operations *ops;
47065 + const struct ata_port_operations *ops;
47066 unsigned long flags;
47068 struct mutex eh_mutex;
47069 @@ -725,7 +725,7 @@ struct ata_link {
47072 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
47073 - struct ata_port_operations *ops;
47074 + const struct ata_port_operations *ops;
47076 /* Flags owned by the EH context. Only EH should touch these once the
47078 @@ -913,7 +913,7 @@ struct ata_port_info {
47079 unsigned long pio_mask;
47080 unsigned long mwdma_mask;
47081 unsigned long udma_mask;
47082 - struct ata_port_operations *port_ops;
47083 + const struct ata_port_operations *port_ops;
47084 void *private_data;
47087 @@ -937,7 +937,7 @@ extern const unsigned long sata_deb_timi
47088 extern const unsigned long sata_deb_timing_hotplug[];
47089 extern const unsigned long sata_deb_timing_long[];
47091 -extern struct ata_port_operations ata_dummy_port_ops;
47092 +extern const struct ata_port_operations ata_dummy_port_ops;
47093 extern const struct ata_port_info ata_dummy_port_info;
47095 static inline const unsigned long *
47096 @@ -983,7 +983,7 @@ extern int ata_host_activate(struct ata_
47097 struct scsi_host_template *sht);
47098 extern void ata_host_detach(struct ata_host *host);
47099 extern void ata_host_init(struct ata_host *, struct device *,
47100 - unsigned long, struct ata_port_operations *);
47101 + unsigned long, const struct ata_port_operations *);
47102 extern int ata_scsi_detect(struct scsi_host_template *sht);
47103 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
47104 extern int ata_scsi_queuecmd(struct Scsi_Host *h, struct scsi_cmnd *cmd);
47105 diff -urNp linux-2.6.38.1/include/linux/lockd/bind.h linux-2.6.38.1-new/include/linux/lockd/bind.h
47106 --- linux-2.6.38.1/include/linux/lockd/bind.h 2011-03-14 21:20:32.000000000 -0400
47107 +++ linux-2.6.38.1-new/include/linux/lockd/bind.h 2011-03-21 18:31:35.000000000 -0400
47108 @@ -23,13 +23,13 @@ struct svc_rqst;
47109 * This is the set of functions for lockd->nfsd communication
47111 struct nlmsvc_binding {
47112 - __be32 (*fopen)(struct svc_rqst *,
47113 + __be32 (* const fopen)(struct svc_rqst *,
47116 - void (*fclose)(struct file *);
47117 + void (* const fclose)(struct file *);
47120 -extern struct nlmsvc_binding * nlmsvc_ops;
47121 +extern const struct nlmsvc_binding * nlmsvc_ops;
47124 * Similar to nfs_client_initdata, but without the NFS-specific
47125 diff -urNp linux-2.6.38.1/include/linux/mm.h linux-2.6.38.1-new/include/linux/mm.h
47126 --- linux-2.6.38.1/include/linux/mm.h 2011-03-14 21:20:32.000000000 -0400
47127 +++ linux-2.6.38.1-new/include/linux/mm.h 2011-03-21 18:31:35.000000000 -0400
47128 @@ -113,7 +113,14 @@ extern unsigned int kobjsize(const void
47130 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
47131 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
47133 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
47134 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
47135 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
47137 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
47140 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
47141 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
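Review bot: Redefining `VM_SAO` as `0x00000000` under `CONFIG_PAX_PAGEEXEC && CONFIG_X86_32` keeps the original "Strong Access Ordering (powerpc)" comment, which no longer describes what the macro does on that configuration: every `vm_flags & VM_SAO` test is now constant-false and every `|= VM_SAO` a no-op, which is what frees the bit for `VM_PAGEEXEC`. That is acceptable for a powerpc-only flag, but it should be said where the value is set, e.g. `#define VM_SAO 0x00000000 /* powerpc-only; bit 0x20000000 reused for VM_PAGEEXEC on x86-32 */`, so nobody later assumes the flag is functional here. The `#else` and `#endif` of this block are not visible in this rendering, so the pairing with the unchanged `VM_SAO 0x20000000` definition on the following line is inferred.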
47143 @@ -985,12 +992,6 @@ int set_page_dirty(struct page *page);
47144 int set_page_dirty_lock(struct page *page);
47145 int clear_page_dirty_for_io(struct page *page);
47147 -/* Is the vma a continuation of the stack vma above it? */
47148 -static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr)
47150 - return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN);
47153 extern unsigned long move_page_tables(struct vm_area_struct *vma,
47154 unsigned long old_addr, struct vm_area_struct *new_vma,
47155 unsigned long new_addr, unsigned long len);
47156 @@ -1142,6 +1143,15 @@ struct shrinker {
47157 extern void register_shrinker(struct shrinker *);
47158 extern void unregister_shrinker(struct shrinker *);
47161 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
47163 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47165 + return __pgprot(0);
47169 int vma_wants_writenotify(struct vm_area_struct *vma);
47171 extern pte_t *__get_locked_pte(struct mm_struct *mm, unsigned long addr,
47172 @@ -1431,6 +1441,7 @@ out:
47175 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
47176 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
47178 extern unsigned long do_brk(unsigned long, unsigned long);
47180 @@ -1487,6 +1498,10 @@ extern struct vm_area_struct * find_vma(
47181 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
47182 struct vm_area_struct **pprev);
47184 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
47185 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
47186 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
47188 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
47189 NULL if none. Assume start_addr < end_addr. */
47190 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
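Review bot: The three `pax_*` declarations carry no comment on their locking contract, although the signatures imply one: `pax_mirror_file_pte()` takes a `spinlock_t *ptl`, presumably the page-table lock the caller already holds, and `pax_find_mirror_vma()`/`pax_mirror_vma()` look up or create VMAs, which presumably requires `mmap_sem` as the rest of the VMA API does. A comment above the group stating which lock each expects held, and whether the `long` returned by `pax_mirror_vma()` is 0 on success and a negative errno otherwise (its `__must_check` suggests so, but the header does not say), would let the hook sites be checked without reading the definitions.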
47191 @@ -1503,15 +1518,6 @@ static inline unsigned long vma_pages(st
47192 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
47196 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
47198 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
47200 - return __pgprot(0);
47204 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
47205 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
47206 unsigned long pfn, unsigned long size, pgprot_t);
47207 @@ -1620,7 +1626,7 @@ extern int unpoison_memory(unsigned long
47208 extern int sysctl_memory_failure_early_kill;
47209 extern int sysctl_memory_failure_recovery;
47210 extern void shake_page(struct page *p, int access);
47211 -extern atomic_long_t mce_bad_pages;
47212 +extern atomic_long_unchecked_t mce_bad_pages;
47213 extern int soft_offline_page(struct page *page, int flags);
47214 #ifdef CONFIG_MEMORY_FAILURE
47215 int is_hwpoison_address(unsigned long addr);
47216 @@ -1642,5 +1648,11 @@ extern void copy_user_huge_page(struct p
47217 unsigned int pages_per_huge_page);
47218 #endif /* CONFIG_TRANSPARENT_HUGEPAGE || CONFIG_HUGETLBFS */
47220 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
47221 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
47223 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
47226 #endif /* __KERNEL__ */
47227 #endif /* _LINUX_MM_H */
47228 diff -urNp linux-2.6.38.1/include/linux/mm_types.h linux-2.6.38.1-new/include/linux/mm_types.h
47229 --- linux-2.6.38.1/include/linux/mm_types.h 2011-03-14 21:20:32.000000000 -0400
47230 +++ linux-2.6.38.1-new/include/linux/mm_types.h 2011-03-21 18:31:35.000000000 -0400
47231 @@ -183,6 +183,8 @@ struct vm_area_struct {
47233 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
47236 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
47239 struct core_thread {
47240 @@ -315,6 +317,24 @@ struct mm_struct {
47242 /* How many tasks sharing this mm are OOM_DISABLE */
47243 atomic_t oom_disable_count;
47245 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47246 + unsigned long pax_flags;
47249 +#ifdef CONFIG_PAX_DLRESOLVE
47250 + unsigned long call_dl_resolve;
47253 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
47254 + unsigned long call_syscall;
47257 +#ifdef CONFIG_PAX_ASLR
47258 + unsigned long delta_mmap; /* randomized offset */
47259 + unsigned long delta_stack; /* randomized offset */
47264 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
47265 diff -urNp linux-2.6.38.1/include/linux/mmu_notifier.h linux-2.6.38.1-new/include/linux/mmu_notifier.h
47266 --- linux-2.6.38.1/include/linux/mmu_notifier.h 2011-03-14 21:20:32.000000000 -0400
47267 +++ linux-2.6.38.1-new/include/linux/mmu_notifier.h 2011-03-21 18:31:35.000000000 -0400
47268 @@ -255,12 +255,12 @@ static inline void mmu_notifier_mm_destr
47270 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
47274 struct vm_area_struct *___vma = __vma; \
47275 unsigned long ___address = __address; \
47276 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
47277 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
47278 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
47283 #define pmdp_clear_flush_notify(__vma, __address, __pmdp) \
47284 diff -urNp linux-2.6.38.1/include/linux/mmzone.h linux-2.6.38.1-new/include/linux/mmzone.h
47285 --- linux-2.6.38.1/include/linux/mmzone.h 2011-03-14 21:20:32.000000000 -0400
47286 +++ linux-2.6.38.1-new/include/linux/mmzone.h 2011-03-21 18:31:35.000000000 -0400
47287 @@ -355,7 +355,7 @@ struct zone {
47288 unsigned long flags; /* zone flags, see below */
47290 /* Zone statistics */
47291 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47292 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47295 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
47296 diff -urNp linux-2.6.38.1/include/linux/mod_devicetable.h linux-2.6.38.1-new/include/linux/mod_devicetable.h
47297 --- linux-2.6.38.1/include/linux/mod_devicetable.h 2011-03-14 21:20:32.000000000 -0400
47298 +++ linux-2.6.38.1-new/include/linux/mod_devicetable.h 2011-03-21 18:31:35.000000000 -0400
47300 typedef unsigned long kernel_ulong_t;
47303 -#define PCI_ANY_ID (~0)
47304 +#define PCI_ANY_ID ((__u16)~0)
47306 struct pci_device_id {
47307 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
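Review bot: The sentinel actually stored in the `__u32 vendor, device` fields below becomes 0x0000FFFF instead of 0xFFFFFFFF once PCI_ANY_ID is `(__u16)~0`, so anything that compares those fields against a raw `~0`/`0xFFFFFFFF` — or a module object built against unpatched headers — stops matching. It is sound only because PCI vendor/device/subsystem IDs are 16-bit and 0xFFFF is the "no device" value, and that reasoning belongs next to the define: `/* 0xFFFF is never a real ID; the u16 cast keeps comparisons with the __u32 id fields sign-clean */`. The motivation is not stated in the hunk; presumably it is to stop the signed `-1` constant being compared against unsigned fields.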
47308 @@ -131,7 +131,7 @@ struct usb_device_id {
47309 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
47310 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
47312 -#define HID_ANY_ID (~0)
47313 +#define HID_ANY_ID (~0U)
47315 struct hid_device_id {
47317 diff -urNp linux-2.6.38.1/include/linux/module.h linux-2.6.38.1-new/include/linux/module.h
47318 --- linux-2.6.38.1/include/linux/module.h 2011-03-14 21:20:32.000000000 -0400
47319 +++ linux-2.6.38.1-new/include/linux/module.h 2011-03-21 18:31:35.000000000 -0400
47320 @@ -324,19 +324,16 @@ struct module
47323 /* If this is non-NULL, vfree after init() returns */
47324 - void *module_init;
47325 + void *module_init_rx, *module_init_rw;
47327 /* Here is the actual code + data, vfree'd on unload. */
47328 - void *module_core;
47329 + void *module_core_rx, *module_core_rw;
47331 /* Here are the sizes of the init and core sections */
47332 - unsigned int init_size, core_size;
47333 + unsigned int init_size_rw, core_size_rw;
47335 /* The size of the executable code in each section. */
47336 - unsigned int init_text_size, core_text_size;
47338 - /* Size of RO sections of the module (text+rodata) */
47339 - unsigned int init_ro_size, core_ro_size;
47340 + unsigned int init_size_rx, core_size_rx;
47342 /* Arch-specific module values */
47343 struct mod_arch_specific arch;
47344 @@ -441,16 +438,46 @@ bool is_module_address(unsigned long add
47345 bool is_module_percpu_address(unsigned long addr);
47346 bool is_module_text_address(unsigned long addr);
47348 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
47351 +#ifdef CONFIG_PAX_KERNEXEC
47352 + if (ktla_ktva(addr) >= (unsigned long)start &&
47353 + ktla_ktva(addr) < (unsigned long)start + size)
47357 + return ((void *)addr >= start && (void *)addr < start + size);
47360 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
47362 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
47365 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
47367 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
47370 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
47372 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
47375 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
47377 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
47380 static inline int within_module_core(unsigned long addr, struct module *mod)
47382 - return (unsigned long)mod->module_core <= addr &&
47383 - addr < (unsigned long)mod->module_core + mod->core_size;
47384 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
47387 static inline int within_module_init(unsigned long addr, struct module *mod)
47389 - return (unsigned long)mod->module_init <= addr &&
47390 - addr < (unsigned long)mod->module_init + mod->init_size;
47391 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
47394 /* Search for module by name: must hold module_mutex. */
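Review bot: within_module_range() does its comparison in two different domains — `unsigned long` via ktla_ktva() in the CONFIG_PAX_KERNEXEC branch, but `void *` pointer comparison plus `start + size` pointer arithmetic in the fallback — which reads as two unrelated checks and leans on the GNU void-pointer-arithmetic extension for no gain. Keeping both in `unsigned long` makes them visibly parallel: `unsigned long s = (unsigned long)start;` then `return addr >= s && addr < s + size;`, with the KERNEXEC branch applying ktla_ktva() to addr first. A short comment on why KERNEXEC needs the translated address at all (ktla_ktva() presumably maps a kernel-text linear address to the alias the module code was loaded at — confirm against the arch header) would help readers who do not know the PaX helper.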
47395 diff -urNp linux-2.6.38.1/include/linux/moduleloader.h linux-2.6.38.1-new/include/linux/moduleloader.h
47396 --- linux-2.6.38.1/include/linux/moduleloader.h 2011-03-14 21:20:32.000000000 -0400
47397 +++ linux-2.6.38.1-new/include/linux/moduleloader.h 2011-03-21 18:31:35.000000000 -0400
47398 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
47399 sections. Returns NULL on failure. */
47400 void *module_alloc(unsigned long size);
47402 +#ifdef CONFIG_PAX_KERNEXEC
47403 +void *module_alloc_exec(unsigned long size);
47405 +#define module_alloc_exec(x) module_alloc(x)
47408 /* Free memory returned from module_alloc. */
47409 void module_free(struct module *mod, void *module_region);
47411 +#ifdef CONFIG_PAX_KERNEXEC
47412 +void module_free_exec(struct module *mod, void *module_region);
47414 +#define module_free_exec(x, y) module_free((x), (y))
47417 /* Apply the given relocation to the (simplified) ELF. Return -error
47419 int apply_relocate(Elf_Shdr *sechdrs,
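Review bot: module_alloc_exec() and module_free_exec() are introduced without the one-line comments that their neighbours module_alloc() and module_free() carry, so nothing in the header says what "exec" memory is or that the two are a pair. Suggest above the first `#ifdef CONFIG_PAX_KERNEXEC`: `/* Allocate/free the executable (RX) half of a module under KERNEXEC; without KERNEXEC these are plain aliases of module_alloc()/module_free(). */`. The fallback `#define`s are the only thing documenting that relationship today, and whether the RX allocation is also non-writable is an arch-implementation detail that should be confirmed before being stated here.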
47420 diff -urNp linux-2.6.38.1/include/linux/moduleparam.h linux-2.6.38.1-new/include/linux/moduleparam.h
47421 --- linux-2.6.38.1/include/linux/moduleparam.h 2011-03-14 21:20:32.000000000 -0400
47422 +++ linux-2.6.38.1-new/include/linux/moduleparam.h 2011-03-21 18:31:35.000000000 -0400
47423 @@ -255,7 +255,7 @@ static inline void __kernel_param_unlock
47424 * @len is usually just sizeof(string).
47426 #define module_param_string(name, string, len, perm) \
47427 - static const struct kparam_string __param_string_##name \
47428 + static const struct kparam_string __param_string_##name __used \
47429 = { len, string }; \
47430 __module_param_call(MODULE_PARAM_PREFIX, name, \
47431 ¶m_ops_string, \
47432 @@ -370,7 +370,7 @@ extern int param_get_invbool(char *buffe
47433 * module_param_named() for why this might be necessary.
47435 #define module_param_array_named(name, array, type, nump, perm) \
47436 - static const struct kparam_array __param_arr_##name \
47437 + static const struct kparam_array __param_arr_##name __used \
47438 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
47439 sizeof(array[0]), array }; \
47440 __module_param_call(MODULE_PARAM_PREFIX, name, \
47441 diff -urNp linux-2.6.38.1/include/linux/namei.h linux-2.6.38.1-new/include/linux/namei.h
47442 --- linux-2.6.38.1/include/linux/namei.h 2011-03-14 21:20:32.000000000 -0400
47443 +++ linux-2.6.38.1-new/include/linux/namei.h 2011-03-21 18:31:35.000000000 -0400
47444 @@ -25,7 +25,7 @@ struct nameidata {
47448 - char *saved_names[MAX_NESTED_LINKS + 1];
47449 + const char *saved_names[MAX_NESTED_LINKS + 1];
47453 @@ -88,12 +88,12 @@ extern int follow_up(struct path *);
47454 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
47455 extern void unlock_rename(struct dentry *, struct dentry *);
47457 -static inline void nd_set_link(struct nameidata *nd, char *path)
47458 +static inline void nd_set_link(struct nameidata *nd, const char *path)
47460 nd->saved_names[nd->depth] = path;
47463 -static inline char *nd_get_link(struct nameidata *nd)
47464 +static inline const char *nd_get_link(const struct nameidata *nd)
47466 return nd->saved_names[nd->depth];
47468 diff -urNp linux-2.6.38.1/include/linux/netfilter/xt_gradm.h linux-2.6.38.1-new/include/linux/netfilter/xt_gradm.h
47469 --- linux-2.6.38.1/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
47470 +++ linux-2.6.38.1-new/include/linux/netfilter/xt_gradm.h 2011-03-21 18:31:35.000000000 -0400
47472 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
47473 +#define _LINUX_NETFILTER_XT_GRADM_H 1
47475 +struct xt_gradm_mtinfo {
47481 diff -urNp linux-2.6.38.1/include/linux/oprofile.h linux-2.6.38.1-new/include/linux/oprofile.h
47482 --- linux-2.6.38.1/include/linux/oprofile.h 2011-03-14 21:20:32.000000000 -0400
47483 +++ linux-2.6.38.1-new/include/linux/oprofile.h 2011-03-21 18:31:35.000000000 -0400
47484 @@ -132,9 +132,9 @@ int oprofilefs_create_ulong(struct super
47485 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
47486 char const * name, ulong * val);
47488 -/** Create a file for read-only access to an atomic_t. */
47489 +/** Create a file for read-only access to an atomic_unchecked_t. */
47490 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
47491 - char const * name, atomic_t * val);
47492 + char const * name, atomic_unchecked_t * val);
47494 /** create a directory */
47495 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
47496 diff -urNp linux-2.6.38.1/include/linux/pipe_fs_i.h linux-2.6.38.1-new/include/linux/pipe_fs_i.h
47497 --- linux-2.6.38.1/include/linux/pipe_fs_i.h 2011-03-14 21:20:32.000000000 -0400
47498 +++ linux-2.6.38.1-new/include/linux/pipe_fs_i.h 2011-03-21 18:31:35.000000000 -0400
47499 @@ -46,9 +46,9 @@ struct pipe_buffer {
47500 struct pipe_inode_info {
47501 wait_queue_head_t wait;
47502 unsigned int nrbufs, curbuf, buffers;
47503 - unsigned int readers;
47504 - unsigned int writers;
47505 - unsigned int waiting_writers;
47506 + atomic_t readers;
47507 + atomic_t writers;
47508 + atomic_t waiting_writers;
47509 unsigned int r_counter;
47510 unsigned int w_counter;
47511 struct page *tmp_page;
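Review bot: The check-then-sleep sequences on readers/writers/waiting_writers (e.g. in fs/pipe.c) are still serialized by the pipe mutex, and nothing on the new atomic_t fields says so — the type change alone buys only the accessors' arithmetic (and, if this is the PAX_REFCOUNT overflow check, its detection), not lock-free correctness. A comment stops someone later dropping the lock on the strength of the type: `/* atomic_t only for overflow-checked inc/dec; still serialized by the pipe mutex */`. Every reader and writer of these fields has to be converted to atomic_read()/atomic_inc()/atomic_dec() for this to compile; that is outside this hunk. r_counter/w_counter are left as plain unsigned int, which is fine only if the same mutex-protected reasoning holds for them — worth a word as well.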
47512 diff -urNp linux-2.6.38.1/include/linux/pm_runtime.h linux-2.6.38.1-new/include/linux/pm_runtime.h
47513 --- linux-2.6.38.1/include/linux/pm_runtime.h 2011-03-14 21:20:32.000000000 -0400
47514 +++ linux-2.6.38.1-new/include/linux/pm_runtime.h 2011-03-21 18:31:35.000000000 -0400
47515 @@ -89,7 +89,7 @@ static inline bool pm_runtime_enabled(st
47517 static inline void pm_runtime_mark_last_busy(struct device *dev)
47519 - ACCESS_ONCE(dev->power.last_busy) = jiffies;
47520 + ACCESS_ONCE_RW(dev->power.last_busy) = jiffies;
47523 #else /* !CONFIG_PM_RUNTIME */
47524 diff -urNp linux-2.6.38.1/include/linux/poison.h linux-2.6.38.1-new/include/linux/poison.h
47525 --- linux-2.6.38.1/include/linux/poison.h 2011-03-14 21:20:32.000000000 -0400
47526 +++ linux-2.6.38.1-new/include/linux/poison.h 2011-03-21 18:31:35.000000000 -0400
47528 * under normal circumstances, used to verify that nobody uses
47529 * non-initialized list entries.
47531 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
47532 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
47533 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
47534 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
47536 /********** include/linux/timer.h **********/
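Review bot: On 64-bit targets `(void *)(long)0xFFFFFF01` is 0x00000000FFFFFF01, a positive, canonical, user-mappable address just above 4 GiB, whereas the replaced `0x00100100 + POISON_POINTER_DELTA` form (POISON_POINTER_DELTA comes from CONFIG_ILLEGAL_POINTER_VALUE, 0xdead000000000000 on x86_64) is non-canonical and can never be mapped. That matters because the whole purpose of the list poison values is that a kernel dereference of a stale or uninitialised list entry faults instead of landing in memory user space controls; with a mappable value a user can mmap() that page and turn the fault into a controlled read or write. On 32-bit the literal sign-extends to the top of kernel space, so that case is unchanged. If the patch relies on another mechanism (UDEREF-style user/kernel separation) to trap kernel accesses to user addresses on 64-bit, say so in a comment; otherwise keep the offset, e.g. `#define LIST_POISON1 ((void *)(0xFFFFFF01 + POISON_POINTER_DELTA))`.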
47538 diff -urNp linux-2.6.38.1/include/linux/proc_fs.h linux-2.6.38.1-new/include/linux/proc_fs.h
47539 --- linux-2.6.38.1/include/linux/proc_fs.h 2011-03-14 21:20:32.000000000 -0400
47540 +++ linux-2.6.38.1-new/include/linux/proc_fs.h 2011-03-21 18:31:35.000000000 -0400
47541 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
47542 return proc_create_data(name, mode, parent, proc_fops, NULL);
47545 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
47546 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
47548 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47549 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
47550 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47551 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
47553 + return proc_create_data(name, mode, parent, proc_fops, NULL);
47558 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
47559 mode_t mode, struct proc_dir_entry *base,
47560 read_proc_t *read_proc, void * data)
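Review bot: proc_create_grsec() silently discards its `mode` argument under CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, so a caller passing a writable mode (S_IWUSR) gets a read-only entry with no diagnostic, and nothing tells callers when `mode` is honoured. If only the group/other bits are meant to be stripped, preserve the owner's write bit, e.g. `return proc_create_data(name, (mode & S_IWUSR) | S_IRUSR, parent, proc_fops, NULL);` (and `| S_IRGRP` in the USERGROUP branch); if dropping write access is deliberate, state it: `/* Like proc_create(), but under GRKERNSEC_PROC_* the entry is root-readable (and optionally group-readable) only, whatever mode says. */`. Either way the helper needs that comment above it.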
47561 diff -urNp linux-2.6.38.1/include/linux/random.h linux-2.6.38.1-new/include/linux/random.h
47562 --- linux-2.6.38.1/include/linux/random.h 2011-03-14 21:20:32.000000000 -0400
47563 +++ linux-2.6.38.1-new/include/linux/random.h 2011-03-21 18:31:35.000000000 -0400
47564 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
47566 u32 prandom32(struct rnd_state *);
47568 +static inline unsigned long pax_get_random_long(void)
47570 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
47574 * Handle minimum values for seeds
47576 static inline u32 __seed(u32 x, u32 m)
47578 - return (x < m) ? x + m : x;
47579 + return (x <= m) ? x + m + 1 : x;
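Review bot: pax_get_random_long() is built on random32(), which in this tree is the lib/random32.c Tausworthe PRNG with a small, reconstructible state, not the CSPRNG behind get_random_bytes()/get_random_int(); if it feeds the delta_mmap/delta_stack offsets added to mm_struct elsewhere in this patch, the layout randomization is only as unpredictable as that generator. Either source it from get_random_int() or document the trade-off so nobody reuses it for secrets: `/* random32() on purpose (cheap, per-exec layout noise); NOT for keys or nonces */`. The `(unsigned long)random32() << 32` arm is still compiled on 32-bit targets where sizeof(long) == 4, which some compilers flag as an out-of-range constant shift; `#if BITS_PER_LONG > 32` avoids that. The `__seed()` change looks like a genuine fix: with the old form `__seed(0, 1)` and `__seed(1, 1)` both yield 1, which violates the generator's s1 > 1 / s2 > 7 / s3 > 15 precondition (lib/random32.c calls it with m = 1, 7, 15), while the new form yields 2 and 3.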
47583 diff -urNp linux-2.6.38.1/include/linux/reiserfs_fs.h linux-2.6.38.1-new/include/linux/reiserfs_fs.h
47584 --- linux-2.6.38.1/include/linux/reiserfs_fs.h 2011-03-14 21:20:32.000000000 -0400
47585 +++ linux-2.6.38.1-new/include/linux/reiserfs_fs.h 2011-03-21 18:31:35.000000000 -0400
47586 @@ -1403,7 +1403,7 @@ static inline loff_t max_reiserfs_offset
47587 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
47589 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
47590 -#define get_generation(s) atomic_read (&fs_generation(s))
47591 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
47592 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
47593 #define __fs_changed(gen,s) (gen != get_generation (s))
47594 #define fs_changed(gen,s) \
47595 @@ -1615,24 +1615,24 @@ static inline struct super_block *sb_fro
47598 struct item_operations {
47599 - int (*bytes_number) (struct item_head * ih, int block_size);
47600 - void (*decrement_key) (struct cpu_key *);
47601 - int (*is_left_mergeable) (struct reiserfs_key * ih,
47602 + int (* const bytes_number) (struct item_head * ih, int block_size);
47603 + void (* const decrement_key) (struct cpu_key *);
47604 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
47605 unsigned long bsize);
47606 - void (*print_item) (struct item_head *, char *item);
47607 - void (*check_item) (struct item_head *, char *item);
47608 + void (* const print_item) (struct item_head *, char *item);
47609 + void (* const check_item) (struct item_head *, char *item);
47611 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47612 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47613 int is_affected, int insert_size);
47614 - int (*check_left) (struct virtual_item * vi, int free,
47615 + int (* const check_left) (struct virtual_item * vi, int free,
47616 int start_skip, int end_skip);
47617 - int (*check_right) (struct virtual_item * vi, int free);
47618 - int (*part_size) (struct virtual_item * vi, int from, int to);
47619 - int (*unit_num) (struct virtual_item * vi);
47620 - void (*print_vi) (struct virtual_item * vi);
47621 + int (* const check_right) (struct virtual_item * vi, int free);
47622 + int (* const part_size) (struct virtual_item * vi, int from, int to);
47623 + int (* const unit_num) (struct virtual_item * vi);
47624 + void (* const print_vi) (struct virtual_item * vi);
47627 -extern struct item_operations *item_ops[TYPE_ANY + 1];
47628 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
47630 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
47631 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
47632 diff -urNp linux-2.6.38.1/include/linux/reiserfs_fs_sb.h linux-2.6.38.1-new/include/linux/reiserfs_fs_sb.h
47633 --- linux-2.6.38.1/include/linux/reiserfs_fs_sb.h 2011-03-14 21:20:32.000000000 -0400
47634 +++ linux-2.6.38.1-new/include/linux/reiserfs_fs_sb.h 2011-03-21 18:31:35.000000000 -0400
47635 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
47636 /* Comment? -Hans */
47637 wait_queue_head_t s_wait;
47638 /* To be obsoleted soon by per buffer seals.. -Hans */
47639 - atomic_t s_generation_counter; // increased by one every time the
47640 + atomic_unchecked_t s_generation_counter; // increased by one every time the
47641 // tree gets re-balanced
47642 unsigned long s_properties; /* File system properties. Currently holds
47643 on-disk FS format */
47644 diff -urNp linux-2.6.38.1/include/linux/rmap.h linux-2.6.38.1-new/include/linux/rmap.h
47645 --- linux-2.6.38.1/include/linux/rmap.h 2011-03-14 21:20:32.000000000 -0400
47646 +++ linux-2.6.38.1-new/include/linux/rmap.h 2011-03-21 18:31:35.000000000 -0400
47647 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
47648 void anon_vma_init(void); /* create anon_vma_cachep */
47649 int anon_vma_prepare(struct vm_area_struct *);
47650 void unlink_anon_vmas(struct vm_area_struct *);
47651 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
47652 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
47653 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
47654 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
47655 void __anon_vma_link(struct vm_area_struct *);
47656 void anon_vma_free(struct anon_vma *);
47658 diff -urNp linux-2.6.38.1/include/linux/sched.h linux-2.6.38.1-new/include/linux/sched.h
47659 --- linux-2.6.38.1/include/linux/sched.h 2011-03-14 21:20:32.000000000 -0400
47660 +++ linux-2.6.38.1-new/include/linux/sched.h 2011-03-21 23:47:41.000000000 -0400
47661 @@ -99,6 +99,7 @@ struct robust_list_head;
47664 struct perf_event_context;
47665 +struct linux_binprm;
47668 * List of flags we want to share for kernel threads,
47669 @@ -380,10 +381,13 @@ struct user_namespace;
47670 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
47672 extern int sysctl_max_map_count;
47673 +extern unsigned long sysctl_heap_stack_gap;
47675 #include <linux/aio.h>
47678 +extern bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len);
47679 +extern unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len);
47680 extern void arch_pick_mmap_layout(struct mm_struct *mm);
47681 extern unsigned long
47682 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
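Review bot: check_heap_stack_gap(), skip_heap_stack_gap() and sysctl_heap_stack_gap are declared with no comment, so neither the unit of the sysctl (bytes or pages) nor what the two helpers return is stated; the bool/unsigned long return types suggest "is there enough room between addr..addr+len and vma" and "first address that leaves the gap", but that is inferred from the names only. A two-line comment above them, e.g. `/* Minimum distance kept between a growing mapping and the stack vma; sysctl_heap_stack_gap is in <unit — confirm in mm/mmap.c> */`, would settle both. The bodies live in mm/ and are not part of this hunk.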
47683 @@ -628,6 +632,17 @@ struct signal_struct {
47684 #ifdef CONFIG_TASKSTATS
47685 struct taskstats *stats;
47688 +#ifdef CONFIG_GRKERNSEC
47695 + u8 used_accept:1;
47698 #ifdef CONFIG_AUDIT
47699 unsigned audit_tty;
47700 struct tty_audit_buf *tty_audit_buf;
47701 @@ -1192,7 +1207,7 @@ enum perf_event_task_context {
47703 struct task_struct {
47704 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
47706 + struct thread_info *stack;
47708 unsigned int flags; /* per process flags, defined below */
47709 unsigned int ptrace;
47710 @@ -1307,8 +1322,8 @@ struct task_struct {
47711 struct list_head thread_group;
47713 struct completion *vfork_done; /* for vfork() */
47714 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
47715 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47716 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
47717 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47719 cputime_t utime, stime, utimescaled, stimescaled;
47721 @@ -1324,13 +1339,6 @@ struct task_struct {
47722 struct task_cputime cputime_expires;
47723 struct list_head cpu_timers[3];
47725 -/* process credentials */
47726 - const struct cred __rcu *real_cred; /* objective and real subjective task
47727 - * credentials (COW) */
47728 - const struct cred __rcu *cred; /* effective (overridable) subjective task
47729 - * credentials (COW) */
47730 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47732 char comm[TASK_COMM_LEN]; /* executable name excluding path
47733 - access with [gs]et_task_comm (which lock
47734 it with task_lock())
47735 @@ -1349,6 +1357,10 @@ struct task_struct {
47736 struct thread_struct thread;
47737 /* filesystem information */
47738 struct fs_struct *fs;
47740 + const struct cred __rcu *cred; /* effective (overridable) subjective task
47741 + * credentials (COW) */
47743 /* open file information */
47744 struct files_struct *files;
47746 @@ -1395,6 +1407,11 @@ struct task_struct {
47747 struct rt_mutex_waiter *pi_blocked_on;
47750 +/* process credentials */
47751 + const struct cred __rcu *real_cred; /* objective and real subjective task
47752 + * credentials (COW) */
47753 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47755 #ifdef CONFIG_DEBUG_MUTEXES
47756 /* mutex deadlock detection */
47757 struct mutex_waiter *blocked_on;
47758 @@ -1499,6 +1516,20 @@ struct task_struct {
47759 unsigned long default_timer_slack_ns;
47761 struct list_head *scm_work_list;
47763 +#ifdef CONFIG_GRKERNSEC
47765 + struct dentry *gr_chroot_dentry;
47766 + struct acl_subject_label *acl;
47767 + struct acl_role_label *role;
47768 + struct file *exec_file;
47773 + u8 gr_is_chrooted;
47776 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
47777 /* Index of current stored address in ret_stack */
47778 int curr_ret_stack;
47779 @@ -1530,6 +1561,52 @@ struct task_struct {
47783 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
47784 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
47785 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
47786 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
47787 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
47788 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
47790 +#ifdef CONFIG_PAX_SOFTMODE
47791 +extern unsigned int pax_softmode;
47794 +extern int pax_check_flags(unsigned long *);
47796 +/* if tsk != current then task_lock must be held on it */
47797 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47798 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
47800 + if (likely(tsk->mm))
47801 + return tsk->mm->pax_flags;
47806 +/* if tsk != current then task_lock must be held on it */
47807 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
47809 + if (likely(tsk->mm)) {
47810 + tsk->mm->pax_flags = flags;
47817 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
47818 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
47819 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
47820 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
47823 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
47824 +void pax_report_insns(void *pc, void *sp);
47825 +void pax_report_refcount_overflow(struct pt_regs *regs);
47826 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
47827 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
47829 /* Future-safe accessor for struct task_struct's cpus_allowed. */
47830 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
47832 @@ -2169,7 +2246,7 @@ extern void __cleanup_sighand(struct sig
47833 extern void exit_itimers(struct signal_struct *);
47834 extern void flush_itimer_signals(void);
47836 -extern NORET_TYPE void do_group_exit(int);
47837 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
47839 extern void daemonize(const char *, ...);
47840 extern int allow_signal(int);
47841 @@ -2294,8 +2371,8 @@ static inline void unlock_task_sighand(s
47843 #ifndef __HAVE_THREAD_FUNCTIONS
47845 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
47846 -#define task_stack_page(task) ((task)->stack)
47847 +#define task_thread_info(task) ((task)->stack)
47848 +#define task_stack_page(task) ((void *)(task)->stack)
47850 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
47852 @@ -2310,13 +2387,17 @@ static inline unsigned long *end_of_stac
47856 -static inline int object_is_on_stack(void *obj)
47857 +static inline int object_starts_on_stack(void *obj)
47859 - void *stack = task_stack_page(current);
47860 + const void *stack = task_stack_page(current);
47862 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
47865 +#ifdef CONFIG_PAX_USERCOPY
47866 +extern int object_is_on_stack(const void *obj, unsigned long len);
47869 extern void thread_info_cache_init(void);
47871 #ifdef CONFIG_DEBUG_STACK_USAGE
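Review bot: The new two-argument object_is_on_stack(obj, len) under CONFIG_PAX_USERCOPY has no comment, and the rename of the old one-argument check to object_starts_on_stack() is the only hint that the difference is start-only versus whole-range; a reader of the header should not have to infer that. Suggest above the extern: `/* presumably true iff [obj, obj+len) lies entirely within current's kernel stack (usercopy checks); object_starts_on_stack() tests only the first byte — confirm against the definition */`. Since no non-PAX_USERCOPY definition of object_is_on_stack() is visible here, every existing one-argument caller has to be converted elsewhere in the patch or the build breaks when the option is off.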
47872 diff -urNp linux-2.6.38.1/include/linux/screen_info.h linux-2.6.38.1-new/include/linux/screen_info.h
47873 --- linux-2.6.38.1/include/linux/screen_info.h 2011-03-14 21:20:32.000000000 -0400
47874 +++ linux-2.6.38.1-new/include/linux/screen_info.h 2011-03-21 18:31:35.000000000 -0400
47875 @@ -43,7 +43,8 @@ struct screen_info {
47876 __u16 pages; /* 0x32 */
47877 __u16 vesa_attributes; /* 0x34 */
47878 __u32 capabilities; /* 0x36 */
47879 - __u8 _reserved[6]; /* 0x3a */
47880 + __u16 vesapm_size; /* 0x3a */
47881 + __u8 _reserved[4]; /* 0x3c */
47882 } __attribute__((packed));
47884 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
47885 diff -urNp linux-2.6.38.1/include/linux/security.h linux-2.6.38.1-new/include/linux/security.h
47886 --- linux-2.6.38.1/include/linux/security.h 2011-03-14 21:20:32.000000000 -0400
47887 +++ linux-2.6.38.1-new/include/linux/security.h 2011-03-21 18:31:35.000000000 -0400
47889 #include <linux/key.h>
47890 #include <linux/xfrm.h>
47891 #include <linux/slab.h>
47892 +#include <linux/grsecurity.h>
47893 #include <net/flow.h>
47895 /* Maximum number of letters for an LSM name string */
47896 diff -urNp linux-2.6.38.1/include/linux/shm.h linux-2.6.38.1-new/include/linux/shm.h
47897 --- linux-2.6.38.1/include/linux/shm.h 2011-03-14 21:20:32.000000000 -0400
47898 +++ linux-2.6.38.1-new/include/linux/shm.h 2011-03-21 18:31:35.000000000 -0400
47899 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
47902 struct user_struct *mlock_user;
47903 +#ifdef CONFIG_GRKERNSEC
47904 + time_t shm_createtime;
47909 /* shm_mode upper byte flags */
47910 diff -urNp linux-2.6.38.1/include/linux/skbuff.h linux-2.6.38.1-new/include/linux/skbuff.h
47911 --- linux-2.6.38.1/include/linux/skbuff.h 2011-03-14 21:20:32.000000000 -0400
47912 +++ linux-2.6.38.1-new/include/linux/skbuff.h 2011-03-21 18:31:35.000000000 -0400
47913 @@ -589,7 +589,7 @@ static inline struct skb_shared_hwtstamp
47915 static inline int skb_queue_empty(const struct sk_buff_head *list)
47917 - return list->next == (struct sk_buff *)list;
47918 + return list->next == (const struct sk_buff *)list;
47922 @@ -602,7 +602,7 @@ static inline int skb_queue_empty(const
47923 static inline bool skb_queue_is_last(const struct sk_buff_head *list,
47924 const struct sk_buff *skb)
47926 - return skb->next == (struct sk_buff *)list;
47927 + return skb->next == (const struct sk_buff *)list;
47931 @@ -615,7 +615,7 @@ static inline bool skb_queue_is_last(con
47932 static inline bool skb_queue_is_first(const struct sk_buff_head *list,
47933 const struct sk_buff *skb)
47935 - return skb->prev == (struct sk_buff *)list;
47936 + return skb->prev == (const struct sk_buff *)list;
47940 diff -urNp linux-2.6.38.1/include/linux/slab.h linux-2.6.38.1-new/include/linux/slab.h
47941 --- linux-2.6.38.1/include/linux/slab.h 2011-03-14 21:20:32.000000000 -0400
47942 +++ linux-2.6.38.1-new/include/linux/slab.h 2011-03-21 18:31:35.000000000 -0400
47945 #include <linux/gfp.h>
47946 #include <linux/types.h>
47947 +#include <linux/err.h>
47950 * Flags to pass to kmem_cache_create().
47951 @@ -87,10 +88,13 @@
47952 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
47953 * Both make kfree a no-op.
47955 -#define ZERO_SIZE_PTR ((void *)16)
47956 +#define ZERO_SIZE_PTR \
47958 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
47959 + (void *)(-MAX_ERRNO-1L); \
47962 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
47963 - (unsigned long)ZERO_SIZE_PTR)
47964 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
47967 * struct kmem_cache related prototypes
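Review bot: The new ZERO_OR_NULL_PTR(x) is true not only for NULL and ZERO_SIZE_PTR but for every pointer at or above `-MAX_ERRNO-1`, i.e. every ERR_PTR() value, so kfree()/ksize()/krealloc() paths that test it will now silently ignore an ERR_PTR where they previously dereferenced it; that is a behaviour change worth a line next to the macro: `/* also true for ERR_PTR() values: ZERO_SIZE_PTR sits just below the errno range */`. Turning ZERO_SIZE_PTR into a statement expression means it is no longer a constant expression (no file-scope initialisers, no case labels) and re-emits the BUILD_BUG_ON at each use; a plain `((void *)(-MAX_ERRNO-1L))` with the BUILD_BUG_ON hoisted into a nearby static check gives the same guarantee without that restriction. The BUILD_BUG_ON condition itself (`!(MAX_ERRNO & ~PAGE_MASK)`) would benefit from a comment saying which property of the value it protects, since it is not obvious from the expression.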
47968 @@ -142,6 +146,7 @@ void * __must_check krealloc(const void
47969 void kfree(const void *);
47970 void kzfree(const void *);
47971 size_t ksize(const void *);
47972 +void check_object_size(const void *ptr, unsigned long n, bool to);
47975 * Allocator specific definitions. These are mainly used to establish optimized
47976 @@ -334,4 +339,37 @@ static inline void *kzalloc_node(size_t
47978 void __init kmem_cache_init_late(void);
47980 +#define kmalloc(x, y) \
47982 + void *___retval; \
47983 + intoverflow_t ___x = (intoverflow_t)x; \
47984 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
47985 + ___retval = NULL; \
47987 + ___retval = kmalloc((size_t)___x, (y)); \
47991 +#define kmalloc_node(x, y, z) \
47993 + void *___retval; \
47994 + intoverflow_t ___x = (intoverflow_t)x; \
47995 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
47996 + ___retval = NULL; \
47998 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
48002 +#define kzalloc(x, y) \
48004 + void *___retval; \
48005 + intoverflow_t ___x = (intoverflow_t)x; \
48006 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
48007 + ___retval = NULL; \
48009 + ___retval = kzalloc((size_t)___x, (y)); \
48013 #endif /* _LINUX_SLAB_H */
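Review bot: The unparenthesised `(intoverflow_t)x` in the three wrappers is load-bearing — it widens only the leftmost operand so that a left-associative chain like `n * size` is evaluated in intoverflow_t — yet nothing says so, and the same trick silently does nothing for `a + b * c` (b * c is computed narrow first) or `cond ? a : b` (only `cond` is widened). A one-line comment above the macros, e.g. `/* cast deliberately unparenthesised: widens the first operand so the caller's size arithmetic is done in intoverflow_t */`, stops the next reviewer "fixing" it to `(intoverflow_t)(x)`, which would do the arithmetic narrow first and defeat the check. The `___x > ULONG_MAX` comparison assumes size_t is unsigned long (true for Linux targets) and that intoverflow_t is wider than it — neither is visible here; confirm in the header that defines intoverflow_t and consider `SIZE_MAX` for the bound.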
48014 diff -urNp linux-2.6.38.1/include/linux/slub_def.h linux-2.6.38.1-new/include/linux/slub_def.h
48015 --- linux-2.6.38.1/include/linux/slub_def.h 2011-03-14 21:20:32.000000000 -0400
48016 +++ linux-2.6.38.1-new/include/linux/slub_def.h 2011-03-21 18:31:35.000000000 -0400
48017 @@ -79,7 +79,7 @@ struct kmem_cache {
48018 struct kmem_cache_order_objects max;
48019 struct kmem_cache_order_objects min;
48020 gfp_t allocflags; /* gfp flags to use on each alloc */
48021 - int refcount; /* Refcount for slab cache destroy */
48022 + atomic_t refcount; /* Refcount for slab cache destroy */
48023 void (*ctor)(void *);
48024 int inuse; /* Offset to metadata */
48025 int align; /* Alignment */
48026 diff -urNp linux-2.6.38.1/include/linux/sonet.h linux-2.6.38.1-new/include/linux/sonet.h
48027 --- linux-2.6.38.1/include/linux/sonet.h 2011-03-14 21:20:32.000000000 -0400
48028 +++ linux-2.6.38.1-new/include/linux/sonet.h 2011-03-21 18:31:35.000000000 -0400
48029 @@ -61,7 +61,7 @@ struct sonet_stats {
48030 #include <asm/atomic.h>
48032 struct k_sonet_stats {
48033 -#define __HANDLE_ITEM(i) atomic_t i
48034 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
48036 #undef __HANDLE_ITEM
48038 diff -urNp linux-2.6.38.1/include/linux/sunrpc/clnt.h linux-2.6.38.1-new/include/linux/sunrpc/clnt.h
48039 --- linux-2.6.38.1/include/linux/sunrpc/clnt.h 2011-03-14 21:20:32.000000000 -0400
48040 +++ linux-2.6.38.1-new/include/linux/sunrpc/clnt.h 2011-03-21 18:31:35.000000000 -0400
48041 @@ -168,9 +168,9 @@ static inline unsigned short rpc_get_por
48043 switch (sap->sa_family) {
48045 - return ntohs(((struct sockaddr_in *)sap)->sin_port);
48046 + return ntohs(((const struct sockaddr_in *)sap)->sin_port);
48048 - return ntohs(((struct sockaddr_in6 *)sap)->sin6_port);
48049 + return ntohs(((const struct sockaddr_in6 *)sap)->sin6_port);
48053 @@ -203,7 +203,7 @@ static inline bool __rpc_cmp_addr4(const
48054 static inline bool __rpc_copy_addr4(struct sockaddr *dst,
48055 const struct sockaddr *src)
48057 - const struct sockaddr_in *ssin = (struct sockaddr_in *) src;
48058 + const struct sockaddr_in *ssin = (const struct sockaddr_in *) src;
48059 struct sockaddr_in *dsin = (struct sockaddr_in *) dst;
48061 dsin->sin_family = ssin->sin_family;
48062 @@ -300,7 +300,7 @@ static inline u32 rpc_get_scope_id(const
48063 if (sa->sa_family != AF_INET6)
48066 - return ((struct sockaddr_in6 *) sa)->sin6_scope_id;
48067 + return ((const struct sockaddr_in6 *) sa)->sin6_scope_id;
48070 #endif /* __KERNEL__ */
48071 diff -urNp linux-2.6.38.1/include/linux/suspend.h linux-2.6.38.1-new/include/linux/suspend.h
48072 --- linux-2.6.38.1/include/linux/suspend.h 2011-03-14 21:20:32.000000000 -0400
48073 +++ linux-2.6.38.1-new/include/linux/suspend.h 2011-03-21 18:31:35.000000000 -0400
48074 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
48075 * which require special recovery actions in that situation.
48077 struct platform_suspend_ops {
48078 - int (*valid)(suspend_state_t state);
48079 - int (*begin)(suspend_state_t state);
48080 - int (*prepare)(void);
48081 - int (*prepare_late)(void);
48082 - int (*enter)(suspend_state_t state);
48083 - void (*wake)(void);
48084 - void (*finish)(void);
48085 - void (*end)(void);
48086 - void (*recover)(void);
48087 + int (* const valid)(suspend_state_t state);
48088 + int (* const begin)(suspend_state_t state);
48089 + int (* const prepare)(void);
48090 + int (* const prepare_late)(void);
48091 + int (* const enter)(suspend_state_t state);
48092 + void (* const wake)(void);
48093 + void (* const finish)(void);
48094 + void (* const end)(void);
48095 + void (* const recover)(void);
48098 #ifdef CONFIG_SUSPEND
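Review bot: Making every callback in `struct platform_suspend_ops` `* const` (48087–48095) means an instance can only be populated by an initializer; `ops->begin = fn` is now a compile error and a memcpy into an existing instance becomes a const violation the compiler cannot see. That is presumably the intended hardening, but the hunk records nothing, and the same pattern is applied to `platform_hibernation_ops` in the next hunk, the show/store pair in include/linux/sysfs.h, the `neigh_ops` callbacks in include/net/neighbour.h and `snd_ac97_build_ops` in include/sound/ac97_codec.h. A one-line comment at each struct, e.g. `/* callbacks are const: instances must be fully initialized at definition and are never modified at runtime */`, would keep a later contributor from stripping the qualifier to make a runtime assignment compile.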
48099 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
48100 * platforms which require special recovery actions in that situation.
48102 struct platform_hibernation_ops {
48103 - int (*begin)(void);
48104 - void (*end)(void);
48105 - int (*pre_snapshot)(void);
48106 - void (*finish)(void);
48107 - int (*prepare)(void);
48108 - int (*enter)(void);
48109 - void (*leave)(void);
48110 - int (*pre_restore)(void);
48111 - void (*restore_cleanup)(void);
48112 - void (*recover)(void);
48113 + int (* const begin)(void);
48114 + void (* const end)(void);
48115 + int (* const pre_snapshot)(void);
48116 + void (* const finish)(void);
48117 + int (* const prepare)(void);
48118 + int (* const enter)(void);
48119 + void (* const leave)(void);
48120 + int (* const pre_restore)(void);
48121 + void (* const restore_cleanup)(void);
48122 + void (* const recover)(void);
48125 #ifdef CONFIG_HIBERNATION
48126 diff -urNp linux-2.6.38.1/include/linux/sysctl.h linux-2.6.38.1-new/include/linux/sysctl.h
48127 --- linux-2.6.38.1/include/linux/sysctl.h 2011-03-14 21:20:32.000000000 -0400
48128 +++ linux-2.6.38.1-new/include/linux/sysctl.h 2011-03-21 18:31:35.000000000 -0400
48129 @@ -155,7 +155,11 @@ enum
48130 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
48134 +#ifdef CONFIG_PAX_SOFTMODE
48136 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
48140 /* CTL_VM names: */
48142 @@ -967,6 +971,8 @@ typedef int proc_handler (struct ctl_tab
48144 extern int proc_dostring(struct ctl_table *, int,
48145 void __user *, size_t *, loff_t *);
48146 +extern int proc_dostring_modpriv(struct ctl_table *, int,
48147 + void __user *, size_t *, loff_t *);
48148 extern int proc_dointvec(struct ctl_table *, int,
48149 void __user *, size_t *, loff_t *);
48150 extern int proc_dointvec_minmax(struct ctl_table *, int,
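Review bot: The new `proc_dostring_modpriv` declaration at 48146–48147 has no comment, and unlike its neighbours the name is not self-explanatory: `modpriv` suggests a privilege check on write, but the header gives the reader nothing to confirm that or to know which operation is restricted. Since proc handlers are chosen by name in ctl_table initializers and a wrong choice silently weakens the sysctl, add a one-line comment above the prototype stating how it differs from `proc_dostring` (which access is restricted and what privilege it requires), written from the definition rather than from the name.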
48151 diff -urNp linux-2.6.38.1/include/linux/sysfs.h linux-2.6.38.1-new/include/linux/sysfs.h
48152 --- linux-2.6.38.1/include/linux/sysfs.h 2011-03-14 21:20:32.000000000 -0400
48153 +++ linux-2.6.38.1-new/include/linux/sysfs.h 2011-03-21 18:31:35.000000000 -0400
48154 @@ -110,8 +110,8 @@ struct bin_attribute {
48155 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
48158 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
48159 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
48160 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
48161 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
48164 struct sysfs_dirent;
48165 diff -urNp linux-2.6.38.1/include/linux/tty.h linux-2.6.38.1-new/include/linux/tty.h
48166 --- linux-2.6.38.1/include/linux/tty.h 2011-03-14 21:20:32.000000000 -0400
48167 +++ linux-2.6.38.1-new/include/linux/tty.h 2011-03-21 18:31:35.000000000 -0400
48169 #include <linux/tty_driver.h>
48170 #include <linux/tty_ldisc.h>
48171 #include <linux/mutex.h>
48172 +#include <linux/poll.h>
48173 +#include <linux/smp_lock.h>
48175 #include <asm/system.h>
48177 @@ -465,7 +467,6 @@ extern int tty_perform_flush(struct tty_
48178 extern dev_t tty_devnum(struct tty_struct *tty);
48179 extern void proc_clear_tty(struct task_struct *p);
48180 extern struct tty_struct *get_current_tty(void);
48181 -extern void tty_default_fops(struct file_operations *fops);
48182 extern struct tty_struct *alloc_tty_struct(void);
48183 extern int tty_add_file(struct tty_struct *tty, struct file *file);
48184 extern void free_tty_struct(struct tty_struct *tty);
48185 @@ -528,6 +529,18 @@ extern void tty_ldisc_begin(void);
48186 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
48187 extern void tty_ldisc_enable(struct tty_struct *tty);
48190 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
48191 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
48192 +extern unsigned int tty_poll(struct file *, poll_table *);
48193 +#ifdef CONFIG_COMPAT
48194 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
48195 + unsigned long arg);
48197 +#define tty_compat_ioctl NULL
48199 +extern int tty_release(struct inode *, struct file *);
48200 +extern int tty_fasync(int fd, struct file *filp, int on);
48203 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
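Review bot: The comment at 48186, `This last one is just for the tty layer internals and shouldn't be used elsewhere`, now sits directly above a block of six further declarations (48190–48200), so "last one" is stale and the new prototypes inherit an ambiguous warning that may or may not be meant for them. Either move the new block above that comment or give it its own, stating why `tty_read`, `tty_write`, `tty_poll`, `tty_compat_ioctl`, `tty_release` and `tty_fasync` are exported from the header — presumably so file_operations tables that reference them can be defined as const outside the tty core, which should be confirmed and written down. The `#define tty_compat_ioctl NULL` fallback at 48197 also deserves a note that it exists only so an initializer can name the symbol unconditionally, e.g. `/* !CONFIG_COMPAT: let file_operations initializers name the member unconditionally */`.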
48204 diff -urNp linux-2.6.38.1/include/linux/tty_ldisc.h linux-2.6.38.1-new/include/linux/tty_ldisc.h
48205 --- linux-2.6.38.1/include/linux/tty_ldisc.h 2011-03-14 21:20:32.000000000 -0400
48206 +++ linux-2.6.38.1-new/include/linux/tty_ldisc.h 2011-03-21 18:31:35.000000000 -0400
48207 @@ -148,7 +148,7 @@ struct tty_ldisc_ops {
48209 struct module *owner;
48212 + atomic_t refcount;
48216 diff -urNp linux-2.6.38.1/include/linux/types.h linux-2.6.38.1-new/include/linux/types.h
48217 --- linux-2.6.38.1/include/linux/types.h 2011-03-14 21:20:32.000000000 -0400
48218 +++ linux-2.6.38.1-new/include/linux/types.h 2011-03-21 18:31:35.000000000 -0400
48219 @@ -207,10 +207,26 @@ typedef struct {
48223 +#ifdef CONFIG_PAX_REFCOUNT
48226 +} atomic_unchecked_t;
48228 +typedef atomic_t atomic_unchecked_t;
48231 #ifdef CONFIG_64BIT
48236 +#ifdef CONFIG_PAX_REFCOUNT
48239 +} atomic64_unchecked_t;
48241 +typedef atomic64_t atomic64_unchecked_t;
48246 diff -urNp linux-2.6.38.1/include/linux/uaccess.h linux-2.6.38.1-new/include/linux/uaccess.h
48247 --- linux-2.6.38.1/include/linux/uaccess.h 2011-03-14 21:20:32.000000000 -0400
48248 +++ linux-2.6.38.1-new/include/linux/uaccess.h 2011-03-21 18:31:35.000000000 -0400
48249 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
48251 mm_segment_t old_fs = get_fs(); \
48253 - set_fs(KERNEL_DS); \
48254 pagefault_disable(); \
48255 + set_fs(KERNEL_DS); \
48256 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
48257 - pagefault_enable(); \
48259 + pagefault_enable(); \
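Review bot: The reordering at 48253–48259 moves `set_fs(KERNEL_DS)` inside the `pagefault_disable()`/`pagefault_enable()` pair, so the address-limit override is now bracketed by the region in which faults are suppressed (and, as far as I recall for this kernel, preemption is off), yet the macro gains no comment saying why the order matters. Either order looks correct at a glance, so without one the next cleanup is likely to swap the lines back. Suggested comment on the `pagefault_disable();` line: `/* change the address limit only inside the pagefault-disabled region so the KERNEL_DS window cannot outlive it */`. The remainder of the macro body is not visible in the rendered hunk.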
48263 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
48264 * Safely read from address @src to the buffer at @dst. If a kernel fault
48265 * happens, handle that and return -EFAULT.
48267 -extern long probe_kernel_read(void *dst, void *src, size_t size);
48268 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
48269 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
48270 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
48273 * probe_kernel_write(): safely attempt to write to a location
48274 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
48275 * Safely write to address @dst from the buffer at @src. If a kernel fault
48276 * happens, handle that and return -EFAULT.
48278 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
48279 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
48280 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
48281 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
48283 #endif /* __LINUX_UACCESS_H__ */
48284 diff -urNp linux-2.6.38.1/include/linux/unaligned/access_ok.h linux-2.6.38.1-new/include/linux/unaligned/access_ok.h
48285 --- linux-2.6.38.1/include/linux/unaligned/access_ok.h 2011-03-14 21:20:32.000000000 -0400
48286 +++ linux-2.6.38.1-new/include/linux/unaligned/access_ok.h 2011-03-21 18:31:35.000000000 -0400
48289 static inline u16 get_unaligned_le16(const void *p)
48291 - return le16_to_cpup((__le16 *)p);
48292 + return le16_to_cpup((const __le16 *)p);
48295 static inline u32 get_unaligned_le32(const void *p)
48297 - return le32_to_cpup((__le32 *)p);
48298 + return le32_to_cpup((const __le32 *)p);
48301 static inline u64 get_unaligned_le64(const void *p)
48303 - return le64_to_cpup((__le64 *)p);
48304 + return le64_to_cpup((const __le64 *)p);
48307 static inline u16 get_unaligned_be16(const void *p)
48309 - return be16_to_cpup((__be16 *)p);
48310 + return be16_to_cpup((const __be16 *)p);
48313 static inline u32 get_unaligned_be32(const void *p)
48315 - return be32_to_cpup((__be32 *)p);
48316 + return be32_to_cpup((const __be32 *)p);
48319 static inline u64 get_unaligned_be64(const void *p)
48321 - return be64_to_cpup((__be64 *)p);
48322 + return be64_to_cpup((const __be64 *)p);
48325 static inline void put_unaligned_le16(u16 val, void *p)
48326 diff -urNp linux-2.6.38.1/include/linux/usb/hcd.h linux-2.6.38.1-new/include/linux/usb/hcd.h
48327 --- linux-2.6.38.1/include/linux/usb/hcd.h 2011-03-23 17:20:08.000000000 -0400
48328 +++ linux-2.6.38.1-new/include/linux/usb/hcd.h 2011-03-23 17:21:51.000000000 -0400
48329 @@ -589,7 +589,7 @@ struct usb_mon_operations {
48330 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
48333 -extern struct usb_mon_operations *mon_ops;
48334 +extern const struct usb_mon_operations *mon_ops;
48336 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
48338 @@ -611,7 +611,7 @@ static inline void usbmon_urb_complete(s
48339 (*mon_ops->urb_complete)(bus, urb, status);
48342 -int usb_mon_register(struct usb_mon_operations *ops);
48343 +int usb_mon_register(const struct usb_mon_operations *ops);
48344 void usb_mon_deregister(void);
48347 diff -urNp linux-2.6.38.1/include/linux/vmalloc.h linux-2.6.38.1-new/include/linux/vmalloc.h
48348 --- linux-2.6.38.1/include/linux/vmalloc.h 2011-03-14 21:20:32.000000000 -0400
48349 +++ linux-2.6.38.1-new/include/linux/vmalloc.h 2011-03-21 18:31:35.000000000 -0400
48350 @@ -13,6 +13,11 @@ struct vm_area_struct; /* vma defining
48351 #define VM_MAP 0x00000004 /* vmap()ed pages */
48352 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
48353 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
48355 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
48356 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
48359 /* bits [20..32] reserved for arch specific ioremap internals */
48362 @@ -123,4 +128,103 @@ struct vm_struct **pcpu_get_vm_areas(con
48363 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
48366 +#define vmalloc(x) \
48368 + void *___retval; \
48369 + intoverflow_t ___x = (intoverflow_t)x; \
48370 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
48371 + ___retval = NULL; \
48373 + ___retval = vmalloc((unsigned long)___x); \
48377 +#define vzalloc(x) \
48379 + void *___retval; \
48380 + intoverflow_t ___x = (intoverflow_t)x; \
48381 + if (WARN(___x > ULONG_MAX, "vzalloc size overflow\n")) \
48382 + ___retval = NULL; \
48384 + ___retval = vzalloc((unsigned long)___x); \
48388 +#define __vmalloc(x, y, z) \
48390 + void *___retval; \
48391 + intoverflow_t ___x = (intoverflow_t)x; \
48392 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
48393 + ___retval = NULL; \
48395 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
48399 +#define vmalloc_user(x) \
48401 + void *___retval; \
48402 + intoverflow_t ___x = (intoverflow_t)x; \
48403 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
48404 + ___retval = NULL; \
48406 + ___retval = vmalloc_user((unsigned long)___x); \
48410 +#define vmalloc_exec(x) \
48412 + void *___retval; \
48413 + intoverflow_t ___x = (intoverflow_t)x; \
48414 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
48415 + ___retval = NULL; \
48417 + ___retval = vmalloc_exec((unsigned long)___x); \
48421 +#define vmalloc_node(x, y) \
48423 + void *___retval; \
48424 + intoverflow_t ___x = (intoverflow_t)x; \
48425 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
48426 + ___retval = NULL; \
48428 + ___retval = vmalloc_node((unsigned long)___x, (y));\
48432 +#define vzalloc_node(x, y) \
48434 + void *___retval; \
48435 + intoverflow_t ___x = (intoverflow_t)x; \
48436 + if (WARN(___x > ULONG_MAX, "vzalloc_node size overflow\n"))\
48437 + ___retval = NULL; \
48439 + ___retval = vzalloc_node((unsigned long)___x, (y));\
48443 +#define vmalloc_32(x) \
48445 + void *___retval; \
48446 + intoverflow_t ___x = (intoverflow_t)x; \
48447 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
48448 + ___retval = NULL; \
48450 + ___retval = vmalloc_32((unsigned long)___x); \
48454 +#define vmalloc_32_user(x) \
48456 +void *___retval; \
48457 + intoverflow_t ___x = (intoverflow_t)x; \
48458 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
48459 + ___retval = NULL; \
48461 + ___retval = vmalloc_32_user((unsigned long)___x);\
48465 #endif /* _LINUX_VMALLOC_H */
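Review bot: In the `vmalloc_32_user` wrapper the line `void *___retval;` at 48456 is flush-left while every sibling wrapper indents that declaration, so the block reads as if the declaration sat outside the statement expression; indent it to match the others (`	void *___retval; \`). The nine bodies are otherwise identical apart from the callee and the message string, so if this pattern is kept a single generator macro taking the callee name would hold the size check in one place and make this kind of drift impossible. As written, the check has the same leftmost-operand-only behaviour as the kmalloc wrappers in include/linux/slab.h and would benefit from the same explanatory comment.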
48466 diff -urNp linux-2.6.38.1/include/linux/vmstat.h linux-2.6.38.1-new/include/linux/vmstat.h
48467 --- linux-2.6.38.1/include/linux/vmstat.h 2011-03-14 21:20:32.000000000 -0400
48468 +++ linux-2.6.38.1-new/include/linux/vmstat.h 2011-03-21 18:31:35.000000000 -0400
48469 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
48471 * Zone based page accounting with per cpu differentials.
48473 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48474 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
48476 static inline void zone_page_state_add(long x, struct zone *zone,
48477 enum zone_stat_item item)
48479 - atomic_long_add(x, &zone->vm_stat[item]);
48480 - atomic_long_add(x, &vm_stat[item]);
48481 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
48482 + atomic_long_add_unchecked(x, &vm_stat[item]);
48485 static inline unsigned long global_page_state(enum zone_stat_item item)
48487 - long x = atomic_long_read(&vm_stat[item]);
48488 + long x = atomic_long_read_unchecked(&vm_stat[item]);
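Review bot: Switching `vm_stat` and the zone counters to the `_unchecked` atomic variants (48474, 48481–48482, 48488 and the following hunks in this file) is a deliberate opt-out from whatever overflow detection the checked variants carry, but the hunk leaves no trace of why, so a reader who sees both `atomic_long_t` and `atomic_long_unchecked_t` in the tree cannot tell which is the default and which is the exception. Add a comment at the extern declaration, e.g. `/* pure statistics: wrapping is harmless, so these are exempt from overflow checking */`. The same reasoning presumably applies to the `rid`/`ip_id_count` fields in include/net/inetpeer.h and the counters in include/linux/sonet.h, which get the same treatment without a comment.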
48492 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
48493 static inline unsigned long zone_page_state(struct zone *zone,
48494 enum zone_stat_item item)
48496 - long x = atomic_long_read(&zone->vm_stat[item]);
48497 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48501 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
48502 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
48503 enum zone_stat_item item)
48505 - long x = atomic_long_read(&zone->vm_stat[item]);
48506 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
48510 @@ -273,8 +273,8 @@ static inline void __mod_zone_page_state
48512 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
48514 - atomic_long_inc(&zone->vm_stat[item]);
48515 - atomic_long_inc(&vm_stat[item]);
48516 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
48517 + atomic_long_inc_unchecked(&vm_stat[item]);
48520 static inline void __inc_zone_page_state(struct page *page,
48521 @@ -285,8 +285,8 @@ static inline void __inc_zone_page_state
48523 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
48525 - atomic_long_dec(&zone->vm_stat[item]);
48526 - atomic_long_dec(&vm_stat[item]);
48527 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
48528 + atomic_long_dec_unchecked(&vm_stat[item]);
48531 static inline void __dec_zone_page_state(struct page *page,
48532 diff -urNp linux-2.6.38.1/include/net/inetpeer.h linux-2.6.38.1-new/include/net/inetpeer.h
48533 --- linux-2.6.38.1/include/net/inetpeer.h 2011-03-14 21:20:32.000000000 -0400
48534 +++ linux-2.6.38.1-new/include/net/inetpeer.h 2011-03-21 18:31:35.000000000 -0400
48535 @@ -38,8 +38,8 @@ struct inet_peer {
48539 - atomic_t rid; /* Frag reception counter */
48540 - atomic_t ip_id_count; /* IP ID for the next packet */
48541 + atomic_unchecked_t rid; /* Frag reception counter */
48542 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
48544 __u32 tcp_ts_stamp;
48546 @@ -88,7 +88,7 @@ static inline __u16 inet_getid(struct in
48549 inet_peer_refcheck(p);
48550 - return atomic_add_return(more, &p->ip_id_count) - more;
48551 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
48554 #endif /* _NET_INETPEER_H */
48555 diff -urNp linux-2.6.38.1/include/net/irda/ircomm_tty.h linux-2.6.38.1-new/include/net/irda/ircomm_tty.h
48556 --- linux-2.6.38.1/include/net/irda/ircomm_tty.h 2011-03-14 21:20:32.000000000 -0400
48557 +++ linux-2.6.38.1-new/include/net/irda/ircomm_tty.h 2011-03-21 18:31:35.000000000 -0400
48559 #include <linux/termios.h>
48560 #include <linux/timer.h>
48561 #include <linux/tty.h> /* struct tty_struct */
48562 +#include <asm/local.h>
48564 #include <net/irda/irias_object.h>
48565 #include <net/irda/ircomm_core.h>
48566 @@ -105,8 +106,8 @@ struct ircomm_tty_cb {
48567 unsigned short close_delay;
48568 unsigned short closing_wait; /* time to wait before closing */
48571 - int blocked_open; /* # of blocked opens */
48572 + local_t open_count;
48573 + local_t blocked_open; /* # of blocked opens */
48575 /* Protect concurent access to :
48576 * o self->open_count
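Review bot: `open_count` and `blocked_open` become `local_t` at 48572–48573, but `local_t` is the per-CPU-local atomic type whose operations are guaranteed atomic only against the same CPU, and `struct ircomm_tty_cb` is a per-connection object that the surrounding comment (`Protect concurent access to: o self->open_count`) says is already reached from more than one context under a lock. If the fields can be touched from several CPUs the suitable type is `atomic_t`; if every access stays under the existing lock, the plain `int` was already correct and the type change only adds confusion. Whichever is intended, the comment block below should be updated to state which protection now applies to these two fields.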
48577 diff -urNp linux-2.6.38.1/include/net/neighbour.h linux-2.6.38.1-new/include/net/neighbour.h
48578 --- linux-2.6.38.1/include/net/neighbour.h 2011-03-14 21:20:32.000000000 -0400
48579 +++ linux-2.6.38.1-new/include/net/neighbour.h 2011-03-21 18:31:35.000000000 -0400
48580 @@ -118,12 +118,12 @@ struct neighbour {
48584 - void (*solicit)(struct neighbour *, struct sk_buff*);
48585 - void (*error_report)(struct neighbour *, struct sk_buff*);
48586 - int (*output)(struct sk_buff*);
48587 - int (*connected_output)(struct sk_buff*);
48588 - int (*hh_output)(struct sk_buff*);
48589 - int (*queue_xmit)(struct sk_buff*);
48590 + void (* const solicit)(struct neighbour *, struct sk_buff*);
48591 + void (* const error_report)(struct neighbour *, struct sk_buff*);
48592 + int (* const output)(struct sk_buff*);
48593 + int (* const connected_output)(struct sk_buff*);
48594 + int (* const hh_output)(struct sk_buff*);
48595 + int (* const queue_xmit)(struct sk_buff*);
48598 struct pneigh_entry {
48599 diff -urNp linux-2.6.38.1/include/net/netlink.h linux-2.6.38.1-new/include/net/netlink.h
48600 --- linux-2.6.38.1/include/net/netlink.h 2011-03-14 21:20:32.000000000 -0400
48601 +++ linux-2.6.38.1-new/include/net/netlink.h 2011-03-21 18:31:35.000000000 -0400
48602 @@ -562,7 +562,7 @@ static inline void *nlmsg_get_pos(struct
48603 static inline void nlmsg_trim(struct sk_buff *skb, const void *mark)
48606 - skb_trim(skb, (unsigned char *) mark - skb->data);
48607 + skb_trim(skb, (const unsigned char *) mark - skb->data);
48611 diff -urNp linux-2.6.38.1/include/net/sctp/sctp.h linux-2.6.38.1-new/include/net/sctp/sctp.h
48612 --- linux-2.6.38.1/include/net/sctp/sctp.h 2011-03-14 21:20:32.000000000 -0400
48613 +++ linux-2.6.38.1-new/include/net/sctp/sctp.h 2011-03-21 18:31:35.000000000 -0400
48614 @@ -316,9 +316,9 @@ do { \
48616 #else /* SCTP_DEBUG */
48618 -#define SCTP_DEBUG_PRINTK(whatever...)
48619 -#define SCTP_DEBUG_PRINTK_CONT(fmt, args...)
48620 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
48621 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
48622 +#define SCTP_DEBUG_PRINTK_CONT(fmt, args...) do {} while (0)
48623 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
48624 #define SCTP_ENABLE_DEBUG
48625 #define SCTP_DISABLE_DEBUG
48626 #define SCTP_ASSERT(expr, str, func)
48627 diff -urNp linux-2.6.38.1/include/net/tcp.h linux-2.6.38.1-new/include/net/tcp.h
48628 --- linux-2.6.38.1/include/net/tcp.h 2011-03-14 21:20:32.000000000 -0400
48629 +++ linux-2.6.38.1-new/include/net/tcp.h 2011-03-21 18:31:35.000000000 -0400
48630 @@ -1382,7 +1382,7 @@ enum tcp_seq_states {
48631 struct tcp_seq_afinfo {
48633 sa_family_t family;
48634 - struct file_operations seq_fops;
48635 + struct file_operations seq_fops; /* cannot be const */
48636 struct seq_operations seq_ops;
48639 diff -urNp linux-2.6.38.1/include/net/udp.h linux-2.6.38.1-new/include/net/udp.h
48640 --- linux-2.6.38.1/include/net/udp.h 2011-03-14 21:20:32.000000000 -0400
48641 +++ linux-2.6.38.1-new/include/net/udp.h 2011-03-21 18:31:35.000000000 -0400
48642 @@ -223,7 +223,7 @@ struct udp_seq_afinfo {
48644 sa_family_t family;
48645 struct udp_table *udp_table;
48646 - struct file_operations seq_fops;
48647 + struct file_operations seq_fops; /* cannot be const */
48648 struct seq_operations seq_ops;
48651 diff -urNp linux-2.6.38.1/include/sound/ac97_codec.h linux-2.6.38.1-new/include/sound/ac97_codec.h
48652 --- linux-2.6.38.1/include/sound/ac97_codec.h 2011-03-14 21:20:32.000000000 -0400
48653 +++ linux-2.6.38.1-new/include/sound/ac97_codec.h 2011-03-21 18:31:35.000000000 -0400
48654 @@ -419,15 +419,15 @@
48657 struct snd_ac97_build_ops {
48658 - int (*build_3d) (struct snd_ac97 *ac97);
48659 - int (*build_specific) (struct snd_ac97 *ac97);
48660 - int (*build_spdif) (struct snd_ac97 *ac97);
48661 - int (*build_post_spdif) (struct snd_ac97 *ac97);
48662 + int (* const build_3d) (struct snd_ac97 *ac97);
48663 + int (* const build_specific) (struct snd_ac97 *ac97);
48664 + int (* const build_spdif) (struct snd_ac97 *ac97);
48665 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
48667 - void (*suspend) (struct snd_ac97 *ac97);
48668 - void (*resume) (struct snd_ac97 *ac97);
48669 + void (* const suspend) (struct snd_ac97 *ac97);
48670 + void (* const resume) (struct snd_ac97 *ac97);
48672 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48673 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48676 struct snd_ac97_bus_ops {
48677 diff -urNp linux-2.6.38.1/include/trace/events/irq.h linux-2.6.38.1-new/include/trace/events/irq.h
48678 --- linux-2.6.38.1/include/trace/events/irq.h 2011-03-14 21:20:32.000000000 -0400
48679 +++ linux-2.6.38.1-new/include/trace/events/irq.h 2011-03-21 18:31:35.000000000 -0400
48680 @@ -36,7 +36,7 @@ struct softirq_action;
48682 TRACE_EVENT(irq_handler_entry,
48684 - TP_PROTO(int irq, struct irqaction *action),
48685 + TP_PROTO(int irq, const struct irqaction *action),
48687 TP_ARGS(irq, action),
48689 @@ -66,7 +66,7 @@ TRACE_EVENT(irq_handler_entry,
48691 TRACE_EVENT(irq_handler_exit,
48693 - TP_PROTO(int irq, struct irqaction *action, int ret),
48694 + TP_PROTO(int irq, const struct irqaction *action, int ret),
48696 TP_ARGS(irq, action, ret),
48698 diff -urNp linux-2.6.38.1/include/video/uvesafb.h linux-2.6.38.1-new/include/video/uvesafb.h
48699 --- linux-2.6.38.1/include/video/uvesafb.h 2011-03-14 21:20:32.000000000 -0400
48700 +++ linux-2.6.38.1-new/include/video/uvesafb.h 2011-03-21 18:31:35.000000000 -0400
48701 @@ -177,6 +177,7 @@ struct uvesafb_par {
48702 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
48703 u8 pmi_setpal; /* PMI for palette changes */
48704 u16 *pmi_base; /* protected mode interface location */
48705 + u8 *pmi_code; /* protected mode code location */
48708 u8 *vbe_state_orig; /*
48709 diff -urNp linux-2.6.38.1/init/do_mounts.c linux-2.6.38.1-new/init/do_mounts.c
48710 --- linux-2.6.38.1/init/do_mounts.c 2011-03-14 21:20:32.000000000 -0400
48711 +++ linux-2.6.38.1-new/init/do_mounts.c 2011-03-21 18:31:35.000000000 -0400
48712 @@ -287,7 +287,7 @@ static void __init get_fs_names(char *pa
48714 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
48716 - int err = sys_mount(name, "/root", fs, flags, data);
48717 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
48721 @@ -382,18 +382,18 @@ void __init change_floppy(char *fmt, ...
48722 va_start(args, fmt);
48723 vsprintf(buf, fmt, args);
48725 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
48726 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
48728 sys_ioctl(fd, FDEJECT, 0);
48731 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
48732 - fd = sys_open("/dev/console", O_RDWR, 0);
48733 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
48735 sys_ioctl(fd, TCGETS, (long)&termios);
48736 termios.c_lflag &= ~ICANON;
48737 sys_ioctl(fd, TCSETSF, (long)&termios);
48738 - sys_read(fd, &c, 1);
48739 + sys_read(fd, (char __user *)&c, 1);
48740 termios.c_lflag |= ICANON;
48741 sys_ioctl(fd, TCSETSF, (long)&termios);
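Review bot: The `__user` casts added in this hunk are spelled three different ways: `(char __user *)"/dev/root"` at 48726 has no `__force` and drops the literal's const, `(__force const char __user *)"/dev/console"` at 48733 keeps both, and `(char __user *)&c` at 48739 again omits `__force`. A bare `(char __user *)` cast of a kernel pointer is exactly the address-space conversion these casts are meant to mark, so the ones without `__force` will still be flagged by sparse, and casting a string literal to non-const discards its qualifier for no reason when the callee (`sys_open`) takes `const char __user *`. Use `(__force const char __user *)` for the `sys_open` literals and `(__force char __user *)&c` for the buffer; the `sys_mount` arguments here and in the first hunk (`"/root"` at 48717) and in init/do_mounts_initrd.c presumably stay non-const because of that syscall's prototype, which is worth saying in a comment so the inconsistency does not look accidental.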
48743 @@ -487,6 +487,6 @@ void __init prepare_namespace(void)
48746 devtmpfs_mount("dev");
48747 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48748 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48749 sys_chroot((const char __user __force *)".");
48751 diff -urNp linux-2.6.38.1/init/do_mounts.h linux-2.6.38.1-new/init/do_mounts.h
48752 --- linux-2.6.38.1/init/do_mounts.h 2011-03-14 21:20:32.000000000 -0400
48753 +++ linux-2.6.38.1-new/init/do_mounts.h 2011-03-21 18:31:35.000000000 -0400
48754 @@ -15,15 +15,15 @@ extern int root_mountflags;
48756 static inline int create_dev(char *name, dev_t dev)
48758 - sys_unlink(name);
48759 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
48760 + sys_unlink((__force char __user *)name);
48761 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
48764 #if BITS_PER_LONG == 32
48765 static inline u32 bstat(char *name)
48767 struct stat64 stat;
48768 - if (sys_stat64(name, &stat) != 0)
48769 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
48771 if (!S_ISBLK(stat.st_mode))
48773 diff -urNp linux-2.6.38.1/init/do_mounts_initrd.c linux-2.6.38.1-new/init/do_mounts_initrd.c
48774 --- linux-2.6.38.1/init/do_mounts_initrd.c 2011-03-14 21:20:32.000000000 -0400
48775 +++ linux-2.6.38.1-new/init/do_mounts_initrd.c 2011-03-21 18:31:35.000000000 -0400
48776 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
48777 create_dev("/dev/root.old", Root_RAM0);
48778 /* mount initrd on rootfs' /root */
48779 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
48780 - sys_mkdir("/old", 0700);
48781 - root_fd = sys_open("/", 0, 0);
48782 - old_fd = sys_open("/old", 0, 0);
48783 + sys_mkdir((__force const char __user *)"/old", 0700);
48784 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
48785 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
48786 /* move initrd over / and chdir/chroot in initrd root */
48787 - sys_chdir("/root");
48788 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48790 + sys_chdir((__force const char __user *)"/root");
48791 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48792 + sys_chroot((__force const char __user *)".");
48795 * In case that a resume from disk is carried out by linuxrc or one of
48796 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
48798 /* move initrd to rootfs' /old */
48799 sys_fchdir(old_fd);
48800 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
48801 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
48802 /* switch root and cwd back to / of rootfs */
48803 sys_fchdir(root_fd);
48805 + sys_chroot((__force const char __user *)".");
48807 sys_close(root_fd);
48809 if (new_decode_dev(real_root_dev) == Root_RAM0) {
48810 - sys_chdir("/old");
48811 + sys_chdir((__force const char __user *)"/old");
48815 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
48818 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
48819 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
48820 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
48824 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
48825 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
48826 if (error == -ENOENT)
48827 printk("/initrd does not exist. Ignored.\n");
48829 printk("failed\n");
48830 printk(KERN_NOTICE "Unmounting old root\n");
48831 - sys_umount("/old", MNT_DETACH);
48832 + sys_umount((__force char __user *)"/old", MNT_DETACH);
48833 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
48836 @@ -116,11 +116,11 @@ int __init initrd_load(void)
48837 * mounted in the normal path.
48839 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
48840 - sys_unlink("/initrd.image");
48841 + sys_unlink((__force const char __user *)"/initrd.image");
48846 - sys_unlink("/initrd.image");
48847 + sys_unlink((__force const char __user *)"/initrd.image");
48850 diff -urNp linux-2.6.38.1/init/do_mounts_md.c linux-2.6.38.1-new/init/do_mounts_md.c
48851 --- linux-2.6.38.1/init/do_mounts_md.c 2011-03-14 21:20:32.000000000 -0400
48852 +++ linux-2.6.38.1-new/init/do_mounts_md.c 2011-03-21 18:31:35.000000000 -0400
48853 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
48854 partitioned ? "_d" : "", minor,
48855 md_setup_args[ent].device_names);
48857 - fd = sys_open(name, 0, 0);
48858 + fd = sys_open((__force char __user *)name, 0, 0);
48860 printk(KERN_ERR "md: open failed - cannot start "
48861 "array %s\n", name);
48862 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
48866 - fd = sys_open(name, 0, 0);
48867 + fd = sys_open((__force char __user *)name, 0, 0);
48868 sys_ioctl(fd, BLKRRPART, 0);
48871 diff -urNp linux-2.6.38.1/init/initramfs.c linux-2.6.38.1-new/init/initramfs.c
48872 --- linux-2.6.38.1/init/initramfs.c 2011-03-14 21:20:32.000000000 -0400
48873 +++ linux-2.6.38.1-new/init/initramfs.c 2011-03-21 18:31:35.000000000 -0400
48874 @@ -74,7 +74,7 @@ static void __init free_hash(void)
48878 -static long __init do_utime(char __user *filename, time_t mtime)
48879 +static long __init do_utime(__force char __user *filename, time_t mtime)
48881 struct timespec t[2];
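Review bot: `__force` on the parameter declaration of do_utime (new line 48879) is unusual: the annotation is meant for casts, and every caller in this patch already casts its argument (48888, 48946, 48958, 48978), so the prototype can stay `static long __init do_utime(char __user *filename, time_t mtime)` as it was. I am not certain how sparse treats `__force` on a declaration rather than on a cast, which is itself a reason to keep it out of the signature. do_utime's body continues outside the hunk.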
48883 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
48884 struct dir_entry *de, *tmp;
48885 list_for_each_entry_safe(de, tmp, &dir_list, list) {
48886 list_del(&de->list);
48887 - do_utime(de->name, de->mtime);
48888 + do_utime((__force char __user *)de->name, de->mtime);
48892 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
48894 char *old = find_link(major, minor, ino, mode, collected);
48896 - return (sys_link(old, collected) < 0) ? -1 : 1;
48897 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
48901 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
48905 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
48906 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
48907 if (S_ISDIR(st.st_mode))
48909 + sys_rmdir((__force char __user *)path);
48911 - sys_unlink(path);
48912 + sys_unlink((__force char __user *)path);
48916 @@ -305,7 +305,7 @@ static int __init do_name(void)
48917 int openflags = O_WRONLY|O_CREAT;
48919 openflags |= O_TRUNC;
48920 - wfd = sys_open(collected, openflags, mode);
48921 + wfd = sys_open((__force char __user *)collected, openflags, mode);
48924 sys_fchown(wfd, uid, gid);
48925 @@ -317,17 +317,17 @@ static int __init do_name(void)
48928 } else if (S_ISDIR(mode)) {
48929 - sys_mkdir(collected, mode);
48930 - sys_chown(collected, uid, gid);
48931 - sys_chmod(collected, mode);
48932 + sys_mkdir((__force char __user *)collected, mode);
48933 + sys_chown((__force char __user *)collected, uid, gid);
48934 + sys_chmod((__force char __user *)collected, mode);
48935 dir_add(collected, mtime);
48936 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
48937 S_ISFIFO(mode) || S_ISSOCK(mode)) {
48938 if (maybe_link() == 0) {
48939 - sys_mknod(collected, mode, rdev);
48940 - sys_chown(collected, uid, gid);
48941 - sys_chmod(collected, mode);
48942 - do_utime(collected, mtime);
48943 + sys_mknod((__force char __user *)collected, mode, rdev);
48944 + sys_chown((__force char __user *)collected, uid, gid);
48945 + sys_chmod((__force char __user *)collected, mode);
48946 + do_utime((__force char __user *)collected, mtime);
48950 @@ -336,15 +336,15 @@ static int __init do_name(void)
48951 static int __init do_copy(void)
48953 if (count >= body_len) {
48954 - sys_write(wfd, victim, body_len);
48955 + sys_write(wfd, (__force char __user *)victim, body_len);
48957 - do_utime(vcollected, mtime);
48958 + do_utime((__force char __user *)vcollected, mtime);
48964 - sys_write(wfd, victim, count);
48965 + sys_write(wfd, (__force char __user *)victim, count);
48969 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
48971 collected[N_ALIGN(name_len) + body_len] = '\0';
48972 clean_path(collected, 0);
48973 - sys_symlink(collected + N_ALIGN(name_len), collected);
48974 - sys_lchown(collected, uid, gid);
48975 - do_utime(collected, mtime);
48976 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
48977 + sys_lchown((__force char __user *)collected, uid, gid);
48978 + do_utime((__force char __user *)collected, mtime);
48980 next_state = Reset;
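Review bot: In the new sys_symlink call (48976) the cast in `(__force char __user *)collected + N_ALIGN(name_len)` binds to `collected` alone and the offset is then added to the `__user` pointer; the resulting address is the intended one, but the expression reads as if the offset were part of the cast. Parenthesising the arithmetic makes the intent explicit: `sys_symlink((__force char __user *)(collected + N_ALIGN(name_len)), (__force char __user *)collected);`. do_symlink starts outside the hunk.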
48982 diff -urNp linux-2.6.38.1/init/Kconfig linux-2.6.38.1-new/init/Kconfig
48983 --- linux-2.6.38.1/init/Kconfig 2011-03-14 21:20:32.000000000 -0400
48984 +++ linux-2.6.38.1-new/init/Kconfig 2011-03-21 18:31:35.000000000 -0400
48985 @@ -1185,7 +1185,7 @@ config SLUB_DEBUG
48988 bool "Disable heap randomization"
48992 Randomizing heap placement makes heap exploits harder, but it
48993 also breaks ancient binaries (including anything libc5 based).
48994 diff -urNp linux-2.6.38.1/init/main.c linux-2.6.38.1-new/init/main.c
48995 --- linux-2.6.38.1/init/main.c 2011-03-14 21:20:32.000000000 -0400
48996 +++ linux-2.6.38.1-new/init/main.c 2011-03-21 18:31:35.000000000 -0400
48997 @@ -96,6 +96,8 @@ static inline void mark_rodata_ro(void)
48998 extern void tc_init(void);
49001 +extern void grsecurity_init(void);
49004 * Debug helper: via this flag we know that we are in 'early bootup code'
49005 * where only the boot processor is running with IRQ disabled. This means
49006 @@ -206,6 +208,47 @@ static int __init set_reset_devices(char
49008 __setup("reset_devices", set_reset_devices);
49010 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
49011 +extern char pax_enter_kernel_user[];
49012 +extern char pax_exit_kernel_user[];
49013 +extern pgdval_t clone_pgd_mask;
49016 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
49017 +static int __init setup_pax_nouderef(char *str)
49019 +#ifdef CONFIG_X86_32
49020 + unsigned int cpu;
49022 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
49023 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
49024 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
49025 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_CS].limit = 0xf;
49026 + get_cpu_gdt_table(cpu)[GDT_ENTRY_DEFAULT_USER_DS].limit = 0xf;
49028 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
49030 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
49031 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
49032 + clone_pgd_mask = ~(pgdval_t)0UL;
49037 +early_param("pax_nouderef", setup_pax_nouderef);
49040 +#ifdef CONFIG_PAX_SOFTMODE
49041 +unsigned int pax_softmode;
49043 +static int __init setup_pax_softmode(char *str)
49045 + get_option(&str, &pax_softmode);
49048 +__setup("pax_softmode=", setup_pax_softmode);
49051 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
49052 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
49053 static const char *panic_later, *panic_param;
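Review bot: setup_pax_softmode (49043–49045) passes `&pax_softmode`, an `unsigned int *`, to get_option(), whose second parameter is an `int *`, and it stores whatever integer the command line carried, so `pax_softmode=7` leaves the flag at 7 rather than 0 or 1. Parsing into a local and normalising keeps both the type and the value range honest: `int val = 0; get_option(&str, &val); pax_softmode = !!val;`. Separately, the two memcpy() calls at 49030–49031 patch kernel text with a bare `0xc3` byte and deserve a comment such as `/* 0xc3 is a single "ret": make the UDEREF entry/exit stubs no-ops */` so the magic value is not left unexplained. The `#else`/`#endif` and return lines of both handlers are not visible in this view.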
49054 @@ -751,6 +794,7 @@ int __init_or_module do_one_initcall(ini
49056 int count = preempt_count();
49058 + const char *msg1 = "", *msg2 = "";
49060 if (initcall_debug)
49061 ret = do_one_initcall_debug(fn);
49062 @@ -763,15 +807,15 @@ int __init_or_module do_one_initcall(ini
49063 sprintf(msgbuf, "error code %d ", ret);
49065 if (preempt_count() != count) {
49066 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
49067 + msg1 = " preemption imbalance";
49068 preempt_count() = count;
49070 if (irqs_disabled()) {
49071 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
49072 + msg2 = " disabled interrupts";
49073 local_irq_enable();
49076 - printk("initcall %pF returned with %s\n", fn, msgbuf);
49077 + if (msgbuf[0] || *msg1 || *msg2) {
49078 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
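Review bot: The new format at 49078 concatenates msgbuf, msg1 and msg2 directly, but msgbuf is still filled by the unchanged `sprintf(msgbuf, "error code %d ", ret);` (49063) with a trailing space while msg1/msg2 now carry a leading space, so an initcall that both fails and leaves preemption imbalanced prints `error code -5  preemption imbalance` with a double space. Dropping the trailing space from the sprintf format, `sprintf(msgbuf, "error code %d", ret);`, gives single spacing in every combination, and the msgbuf-only case no longer ends in a stray space. The rest of do_one_initcall lies outside this hunk.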
49082 @@ -898,7 +942,7 @@ static int __init kernel_init(void * unu
49085 /* Open the /dev/console on the rootfs, this should never fail */
49086 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
49087 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
49088 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
49091 @@ -911,11 +955,13 @@ static int __init kernel_init(void * unu
49092 if (!ramdisk_execute_command)
49093 ramdisk_execute_command = "/init";
49095 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
49096 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
49097 ramdisk_execute_command = NULL;
49098 prepare_namespace();
49101 + grsecurity_init();
49104 * Ok, we have completed the initial bootup, and
49105 * we're essentially up and running. Get rid of the
49106 diff -urNp linux-2.6.38.1/ipc/mqueue.c linux-2.6.38.1-new/ipc/mqueue.c
49107 --- linux-2.6.38.1/ipc/mqueue.c 2011-03-14 21:20:32.000000000 -0400
49108 +++ linux-2.6.38.1-new/ipc/mqueue.c 2011-03-21 18:31:35.000000000 -0400
49109 @@ -154,6 +154,7 @@ static struct inode *mqueue_get_inode(st
49110 mq_bytes = (mq_msg_tblsz +
49111 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
49113 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
49114 spin_lock(&mq_lock);
49115 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
49116 u->mq_bytes + mq_bytes >
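Review bot: The new gr_learn_resource() call at 49113 reads `u->mq_bytes` and forms `u->mq_bytes + mq_bytes` before `spin_lock(&mq_lock)` is taken and before the overflow test on the following lines, so it can hand the learning code a value read without the lock, and a wrapped sum. If gr_learn_resource() may be called with a spinlock held, moving it just after the overflow check inside the locked region reports the same quantity the limit check actually uses; otherwise at least guard it with the same `u->mq_bytes + mq_bytes < u->mq_bytes` test first. mqueue_get_inode continues outside the hunk.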
49117 diff -urNp linux-2.6.38.1/ipc/shm.c linux-2.6.38.1-new/ipc/shm.c
49118 --- linux-2.6.38.1/ipc/shm.c 2011-03-14 21:20:32.000000000 -0400
49119 +++ linux-2.6.38.1-new/ipc/shm.c 2011-03-21 18:31:35.000000000 -0400
49120 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
49121 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
49124 +#ifdef CONFIG_GRKERNSEC
49125 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49126 + const time_t shm_createtime, const uid_t cuid,
49127 + const int shmid);
49128 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
49129 + const time_t shm_createtime);
49132 void shm_init_ns(struct ipc_namespace *ns)
49134 ns->shm_ctlmax = SHMMAX;
49135 @@ -401,6 +409,14 @@ static int newseg(struct ipc_namespace *
49136 shp->shm_lprid = 0;
49137 shp->shm_atim = shp->shm_dtim = 0;
49138 shp->shm_ctim = get_seconds();
49139 +#ifdef CONFIG_GRKERNSEC
49141 + struct timespec timeval;
49142 + do_posix_clock_monotonic_gettime(&timeval);
49144 + shp->shm_createtime = timeval.tv_sec;
49147 shp->shm_segsz = size;
49148 shp->shm_nattch = 0;
49149 shp->shm_file = file;
49150 @@ -761,8 +777,6 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
49154 - struct file *uninitialized_var(shm_file);
49156 lru_add_drain_all(); /* drain pagevecs to lru lists */
49158 shp = shm_lock_check(ns, shmid);
49159 @@ -895,9 +909,21 @@ long do_shmat(int shmid, char __user *sh
49163 +#ifdef CONFIG_GRKERNSEC
49164 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
49165 + shp->shm_perm.cuid, shmid) ||
49166 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
49172 path = shp->shm_file->f_path;
49175 +#ifdef CONFIG_GRKERNSEC
49176 + shp->shm_lapid = current->pid;
49178 size = i_size_read(path.dentry->d_inode);
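Review bot: `shp->shm_lapid = current->pid;` (49176) records the calling thread's global pid, while the adjacent shm bookkeeping in do_shmat — I believe `shp->shm_lprid` is set from `task_tgid_vnr(current)` just outside this hunk — records the thread-group id; if gr_handle_shmat()/gr_chroot_shmat() compare shm_lapid against process ids, a multi-threaded process is identified by a thread id that a process-level comparison will not match. Either use `task_tgid(current)` (or `task_tgid_vnr(current)`) for consistency, or add a comment stating that a thread id in the initial pid namespace is intended. The two new `#ifdef CONFIG_GRKERNSEC` blocks sit in a function that starts and ends outside the hunk, and the error-return lines between them are not visible.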
49181 diff -urNp linux-2.6.38.1/kernel/acct.c linux-2.6.38.1-new/kernel/acct.c
49182 --- linux-2.6.38.1/kernel/acct.c 2011-03-14 21:20:32.000000000 -0400
49183 +++ linux-2.6.38.1-new/kernel/acct.c 2011-03-21 18:31:35.000000000 -0400
49184 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
49186 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
49187 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
49188 - file->f_op->write(file, (char *)&ac,
49189 + file->f_op->write(file, (__force char __user *)&ac,
49190 sizeof(acct_t), &file->f_pos);
49191 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
49193 diff -urNp linux-2.6.38.1/kernel/capability.c linux-2.6.38.1-new/kernel/capability.c
49194 --- linux-2.6.38.1/kernel/capability.c 2011-03-14 21:20:32.000000000 -0400
49195 +++ linux-2.6.38.1-new/kernel/capability.c 2011-03-21 18:31:35.000000000 -0400
49196 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
49197 * before modification is attempted and the application
49200 + if (tocopy > ARRAY_SIZE(kdata))
49203 if (copy_to_user(dataptr, kdata, tocopy
49204 * sizeof(struct __user_cap_data_struct))) {
49206 @@ -306,10 +309,26 @@ int capable(int cap)
49210 - if (security_capable(current_cred(), cap) == 0) {
49211 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable(cap)) {
49212 current->flags |= PF_SUPERPRIV;
49218 +int capable_nolog(int cap)
49220 + if (unlikely(!cap_valid(cap))) {
49221 + printk(KERN_CRIT "capable() called with invalid cap=%u\n", cap);
49225 + if (security_capable(current_cred(), cap) == 0 && gr_is_capable_nolog(cap)) {
49226 + current->flags |= PF_SUPERPRIV;
49232 EXPORT_SYMBOL(capable);
49233 +EXPORT_SYMBOL(capable_nolog);
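Review bot: capable_nolog() (49218–49226) duplicates the body of capable() and keeps its KERN_CRIT message verbatim, so an invalid cap passed to capable_nolog() is reported as `capable() called with invalid cap=%u`, pointing a reader at the wrong function. Use the compiler-supplied name, `printk(KERN_CRIT "%s() called with invalid cap=%u\n", __func__, cap);`, or better, fold both entry points into one static helper such as `__capable(int cap, bool log)` so the validity check, the security_capable() call and the PF_SUPERPRIV update exist once. The closing lines of both functions are not visible in the hunk.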
49234 diff -urNp linux-2.6.38.1/kernel/compat.c linux-2.6.38.1-new/kernel/compat.c
49235 --- linux-2.6.38.1/kernel/compat.c 2011-03-14 21:20:32.000000000 -0400
49236 +++ linux-2.6.38.1-new/kernel/compat.c 2011-03-21 18:31:35.000000000 -0400
49239 #include <linux/linkage.h>
49240 #include <linux/compat.h>
49241 +#include <linux/module.h>
49242 #include <linux/errno.h>
49243 #include <linux/time.h>
49244 #include <linux/signal.h>
49245 diff -urNp linux-2.6.38.1/kernel/configs.c linux-2.6.38.1-new/kernel/configs.c
49246 --- linux-2.6.38.1/kernel/configs.c 2011-03-14 21:20:32.000000000 -0400
49247 +++ linux-2.6.38.1-new/kernel/configs.c 2011-03-21 18:31:35.000000000 -0400
49248 @@ -74,8 +74,19 @@ static int __init ikconfig_init(void)
49249 struct proc_dir_entry *entry;
49251 /* create the current config file */
49252 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
49253 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
49254 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
49255 + &ikconfig_file_ops);
49256 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
49257 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
49258 + &ikconfig_file_ops);
49261 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
49262 &ikconfig_file_ops);
49268 diff -urNp linux-2.6.38.1/kernel/cred.c linux-2.6.38.1-new/kernel/cred.c
49269 --- linux-2.6.38.1/kernel/cred.c 2011-03-14 21:20:32.000000000 -0400
49270 +++ linux-2.6.38.1-new/kernel/cred.c 2011-03-21 18:31:35.000000000 -0400
49271 @@ -483,6 +483,8 @@ int commit_creds(struct cred *new)
49273 get_cred(new); /* we will require a ref for the subj creds too */
49275 + gr_set_role_label(task, new->uid, new->gid);
49277 /* dumpability changes */
49278 if (old->euid != new->euid ||
49279 old->egid != new->egid ||
49280 diff -urNp linux-2.6.38.1/kernel/debug/debug_core.c linux-2.6.38.1-new/kernel/debug/debug_core.c
49281 --- linux-2.6.38.1/kernel/debug/debug_core.c 2011-03-14 21:20:32.000000000 -0400
49282 +++ linux-2.6.38.1-new/kernel/debug/debug_core.c 2011-03-21 18:31:35.000000000 -0400
49283 @@ -72,7 +72,7 @@ int kgdb_io_module_registered;
49284 /* Guard for recursive entry */
49285 static int exception_level;
49287 -struct kgdb_io *dbg_io_ops;
49288 +const struct kgdb_io *dbg_io_ops;
49289 static DEFINE_SPINLOCK(kgdb_registration_lock);
49291 /* kgdb console driver is loaded */
49292 @@ -864,7 +864,7 @@ static void kgdb_initial_breakpoint(void
49294 * Register it with the KGDB core.
49296 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
49297 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
49301 @@ -909,7 +909,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
49303 * Unregister it with the KGDB core.
49305 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
49306 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
49308 BUG_ON(kgdb_connected);
49310 diff -urNp linux-2.6.38.1/kernel/debug/kdb/kdb_main.c linux-2.6.38.1-new/kernel/debug/kdb/kdb_main.c
49311 --- linux-2.6.38.1/kernel/debug/kdb/kdb_main.c 2011-03-14 21:20:32.000000000 -0400
49312 +++ linux-2.6.38.1-new/kernel/debug/kdb/kdb_main.c 2011-03-21 18:31:35.000000000 -0400
49313 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
49314 list_for_each_entry(mod, kdb_modules, list) {
49316 kdb_printf("%-20s%8u 0x%p ", mod->name,
49317 - mod->core_size, (void *)mod);
49318 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
49319 #ifdef CONFIG_MODULE_UNLOAD
49320 kdb_printf("%4d ", module_refcount(mod));
49322 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
49323 kdb_printf(" (Loading)");
49325 kdb_printf(" (Live)");
49326 - kdb_printf(" 0x%p", mod->module_core);
49327 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
49329 #ifdef CONFIG_MODULE_UNLOAD
49331 diff -urNp linux-2.6.38.1/kernel/exit.c linux-2.6.38.1-new/kernel/exit.c
49332 --- linux-2.6.38.1/kernel/exit.c 2011-03-14 21:20:32.000000000 -0400
49333 +++ linux-2.6.38.1-new/kernel/exit.c 2011-03-21 18:31:35.000000000 -0400
49335 #include <asm/pgtable.h>
49336 #include <asm/mmu_context.h>
49338 +#ifdef CONFIG_GRKERNSEC
49339 +extern rwlock_t grsec_exec_file_lock;
49342 static void exit_mm(struct task_struct * tsk);
49344 static void __unhash_process(struct task_struct *p, bool group_dead)
49345 @@ -169,6 +173,8 @@ void release_task(struct task_struct * p
49346 struct task_struct *leader;
49349 + gr_del_task_from_ip_table(p);
49351 tracehook_prepare_release_task(p);
49352 /* don't need to get the RCU readlock here - the process is dead and
49353 * can't be modifying its own credentials. But shut RCU-lockdep up */
49354 @@ -338,11 +344,22 @@ static void reparent_to_kthreadd(void)
49356 write_lock_irq(&tasklist_lock);
49358 +#ifdef CONFIG_GRKERNSEC
49359 + write_lock(&grsec_exec_file_lock);
49360 + if (current->exec_file) {
49361 + fput(current->exec_file);
49362 + current->exec_file = NULL;
49364 + write_unlock(&grsec_exec_file_lock);
49367 ptrace_unlink(current);
49368 /* Reparent to init */
49369 current->real_parent = current->parent = kthreadd_task;
49370 list_move_tail(¤t->sibling, ¤t->real_parent->children);
49372 + gr_set_kernel_label(current);
49374 /* Set the exit signal to SIGCHLD so we signal init on exit */
49375 current->exit_signal = SIGCHLD;
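Review bot: The added block at 49358–49364 runs after `write_lock_irq(&tasklist_lock);` (49356), and `fput(current->exec_file)` may drop the last reference to the file; as far as I recall fput() is synchronous in this kernel, so __fput() and the file's ->release() would then run under a spinning rwlock with interrupts disabled, where sleeping is not allowed. Move the whole `#ifdef CONFIG_GRKERNSEC` block above the `write_lock_irq(&tasklist_lock);` line, or take the pointer out under grsec_exec_file_lock there and call fput() after tasklist_lock is released. The same block appears again in daemonize() at 49390–49396 (not under tasklist_lock), so a small static helper that clears and releases current->exec_file would remove the duplication. reparent_to_kthreadd continues outside the hunk.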
49377 @@ -394,7 +411,7 @@ int allow_signal(int sig)
49378 * know it'll be handled, so that they don't get converted to
49379 * SIGKILL or just silently dropped.
49381 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
49382 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
49383 recalc_sigpending();
49384 spin_unlock_irq(¤t->sighand->siglock);
49386 @@ -430,6 +447,17 @@ void daemonize(const char *name, ...)
49387 vsnprintf(current->comm, sizeof(current->comm), name, args);
49390 +#ifdef CONFIG_GRKERNSEC
49391 + write_lock(&grsec_exec_file_lock);
49392 + if (current->exec_file) {
49393 + fput(current->exec_file);
49394 + current->exec_file = NULL;
49396 + write_unlock(&grsec_exec_file_lock);
49399 + gr_set_kernel_label(current);
49402 * If we were started as result of loading a module, close all of the
49403 * user space pages. We don't need them, and if we didn't close them
49404 @@ -905,17 +933,17 @@ NORET_TYPE void do_exit(long code)
49405 struct task_struct *tsk = current;
49408 - profile_task_exit(tsk);
49410 - WARN_ON(atomic_read(&tsk->fs_excl));
49413 + * Check this first since set_fs() below depends on
49414 + * current_thread_info(), which we better not access when we're in
49415 + * interrupt context. Other than that, we want to do the set_fs()
49416 + * as early as possible.
49418 if (unlikely(in_interrupt()))
49419 panic("Aiee, killing interrupt handler!");
49420 - if (unlikely(!tsk->pid))
49421 - panic("Attempted to kill the idle task!");
49424 - * If do_exit is called because this processes oopsed, it's possible
49425 + * If do_exit is called because this processes Oops'ed, it's possible
49426 * that get_fs() was left as KERNEL_DS, so reset it to USER_DS before
49427 * continuing. Amongst other possible reasons, this is to prevent
49428 * mm_release()->clear_child_tid() from writing to a user-controlled
49429 @@ -923,6 +951,13 @@ NORET_TYPE void do_exit(long code)
49433 + profile_task_exit(tsk);
49435 + WARN_ON(atomic_read(&tsk->fs_excl));
49437 + if (unlikely(!tsk->pid))
49438 + panic("Attempted to kill the idle task!");
49440 tracehook_report_exit(&code);
49442 validate_creds_for_do_exit(tsk);
49443 @@ -983,6 +1018,9 @@ NORET_TYPE void do_exit(long code)
49444 tsk->exit_code = code;
49445 taskstats_exit(tsk, group_dead);
49447 + gr_acl_handle_psacct(tsk, code);
49448 + gr_acl_handle_exit();
49453 diff -urNp linux-2.6.38.1/kernel/fork.c linux-2.6.38.1-new/kernel/fork.c
49454 --- linux-2.6.38.1/kernel/fork.c 2011-03-14 21:20:32.000000000 -0400
49455 +++ linux-2.6.38.1-new/kernel/fork.c 2011-03-21 18:31:35.000000000 -0400
49456 @@ -280,7 +280,7 @@ static struct task_struct *dup_task_stru
49457 *stackend = STACK_END_MAGIC; /* for overflow detection */
49459 #ifdef CONFIG_CC_STACKPROTECTOR
49460 - tsk->stack_canary = get_random_int();
49461 + tsk->stack_canary = pax_get_random_long();
49464 /* One for us, one for whoever does the "release_task()" (usually parent) */
49465 @@ -302,13 +302,78 @@ out:
49469 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
49471 + struct vm_area_struct *tmp;
49472 + unsigned long charge;
49473 + struct mempolicy *pol;
49474 + struct file *file;
49477 + if (mpnt->vm_flags & VM_ACCOUNT) {
49478 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49479 + if (security_vm_enough_memory(len))
49483 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49488 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
49489 + pol = mpol_dup(vma_policy(mpnt));
49491 + goto fail_nomem_policy;
49492 + vma_set_policy(tmp, pol);
49493 + if (anon_vma_fork(tmp, mpnt))
49494 + goto fail_nomem_anon_vma_fork;
49495 + tmp->vm_flags &= ~VM_LOCKED;
49496 + tmp->vm_next = tmp->vm_prev = NULL;
49497 + tmp->vm_mirror = NULL;
49498 + file = tmp->vm_file;
49500 + struct inode *inode = file->f_path.dentry->d_inode;
49501 + struct address_space *mapping = file->f_mapping;
49504 + if (tmp->vm_flags & VM_DENYWRITE)
49505 + atomic_dec(&inode->i_writecount);
49506 + spin_lock(&mapping->i_mmap_lock);
49507 + if (tmp->vm_flags & VM_SHARED)
49508 + mapping->i_mmap_writable++;
49509 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
49510 + flush_dcache_mmap_lock(mapping);
49511 + /* insert tmp into the share list, just after mpnt */
49512 + vma_prio_tree_add(tmp, mpnt);
49513 + flush_dcache_mmap_unlock(mapping);
49514 + spin_unlock(&mapping->i_mmap_lock);
49518 + * Clear hugetlb-related page reserves for children. This only
49519 + * affects MAP_PRIVATE mappings. Faults generated by the child
49520 + * are not guaranteed to succeed, even if read-only
49522 + if (is_vm_hugetlb_page(tmp))
49523 + reset_vma_resv_huge_pages(tmp);
49527 +fail_nomem_anon_vma_fork:
49529 +fail_nomem_policy:
49530 + kmem_cache_free(vm_area_cachep, tmp);
49532 + vm_unacct_memory(charge);
49536 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
49538 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
49539 struct rb_node **rb_link, *rb_parent;
49541 - unsigned long charge;
49542 - struct mempolicy *pol;
49544 down_write(&oldmm->mmap_sem);
49545 flush_cache_dup_mm(oldmm);
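Review bot: The extracted dup_vma() (49469) has no comment stating its contract: it returns NULL on any failure, unwinds the VM_ACCOUNT charge itself via `vm_unacct_memory(charge)` on the fail path, and leaves linking the copy into @mm and copying page tables to the caller. Since the old `retval = PTR_ERR(pol);` was dropped and dup_mmap now maps every NULL to -ENOMEM (49611), the header should say so, e.g. `/* Duplicate @mpnt for the new @mm. Returns the unlinked copy, or NULL on failure (the caller reports -ENOMEM); any accounting charged here is undone before returning NULL. */`. The allocation checks and the fail_nomem label of dup_vma are not visible in this view, so the accounting claim should be confirmed against them.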
49546 @@ -320,8 +385,8 @@ static int dup_mmap(struct mm_struct *mm
49549 mm->mmap_cache = NULL;
49550 - mm->free_area_cache = oldmm->mmap_base;
49551 - mm->cached_hole_size = ~0UL;
49552 + mm->free_area_cache = oldmm->free_area_cache;
49553 + mm->cached_hole_size = oldmm->cached_hole_size;
49555 cpumask_clear(mm_cpumask(mm));
49556 mm->mm_rb = RB_ROOT;
49557 @@ -337,8 +402,6 @@ static int dup_mmap(struct mm_struct *mm
49560 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
49561 - struct file *file;
49563 if (mpnt->vm_flags & VM_DONTCOPY) {
49564 long pages = vma_pages(mpnt);
49565 mm->total_vm -= pages;
49566 @@ -346,56 +409,13 @@ static int dup_mmap(struct mm_struct *mm
49571 - if (mpnt->vm_flags & VM_ACCOUNT) {
49572 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49573 - if (security_vm_enough_memory(len))
49577 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49581 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
49582 - pol = mpol_dup(vma_policy(mpnt));
49583 - retval = PTR_ERR(pol);
49585 - goto fail_nomem_policy;
49586 - vma_set_policy(tmp, pol);
49588 - if (anon_vma_fork(tmp, mpnt))
49589 - goto fail_nomem_anon_vma_fork;
49590 - tmp->vm_flags &= ~VM_LOCKED;
49591 - tmp->vm_next = tmp->vm_prev = NULL;
49592 - file = tmp->vm_file;
49594 - struct inode *inode = file->f_path.dentry->d_inode;
49595 - struct address_space *mapping = file->f_mapping;
49598 - if (tmp->vm_flags & VM_DENYWRITE)
49599 - atomic_dec(&inode->i_writecount);
49600 - spin_lock(&mapping->i_mmap_lock);
49601 - if (tmp->vm_flags & VM_SHARED)
49602 - mapping->i_mmap_writable++;
49603 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
49604 - flush_dcache_mmap_lock(mapping);
49605 - /* insert tmp into the share list, just after mpnt */
49606 - vma_prio_tree_add(tmp, mpnt);
49607 - flush_dcache_mmap_unlock(mapping);
49608 - spin_unlock(&mapping->i_mmap_lock);
49609 + tmp = dup_vma(mm, mpnt);
49611 + retval = -ENOMEM;
49616 - * Clear hugetlb-related page reserves for children. This only
49617 - * affects MAP_PRIVATE mappings. Faults generated by the child
49618 - * are not guaranteed to succeed, even if read-only
49620 - if (is_vm_hugetlb_page(tmp))
49621 - reset_vma_resv_huge_pages(tmp);
49624 * Link in the new vma and copy the page table entries.
49627 @@ -416,6 +436,31 @@ static int dup_mmap(struct mm_struct *mm
49632 +#ifdef CONFIG_PAX_SEGMEXEC
49633 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
49634 + struct vm_area_struct *mpnt_m;
49636 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
49637 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
49639 + if (!mpnt->vm_mirror)
49642 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
49643 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
49644 + mpnt->vm_mirror = mpnt_m;
49646 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
49647 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
49648 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
49649 + mpnt->vm_mirror->vm_mirror = mpnt;
49656 /* a new mm has just been created */
49657 arch_dup_mmap(oldmm, mm);
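Review bot: The SEGMEXEC mirror fix-up at 49636 walks oldmm->mmap and mm->mmap in lockstep, but the copy loop above it skips VM_DONTCOPY vmas (the `if (mpnt->vm_flags & VM_DONTCOPY)` branch at 49563, which I believe ends in `continue`), so whenever the parent holds such a mapping the new list is shorter and `mpnt_m` desynchronises from `mpnt`; the `BUG_ON(!mpnt_m …)` then fires, turning a bookkeeping mismatch into a fork() panic. Unless SEGMEXEC mappings can never carry VM_DONTCOPY (not established here), the walk should skip VM_DONTCOPY entries before touching `mpnt_m` and advance `mpnt_m` only for vmas that were actually copied, or the assumption should be stated in a comment above the loop. dup_mmap continues outside the hunk.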
49659 @@ -424,14 +469,6 @@ out:
49660 flush_tlb_mm(oldmm);
49661 up_write(&oldmm->mmap_sem);
49663 -fail_nomem_anon_vma_fork:
49665 -fail_nomem_policy:
49666 - kmem_cache_free(vm_area_cachep, tmp);
49668 - retval = -ENOMEM;
49669 - vm_unacct_memory(charge);
49673 static inline int mm_alloc_pgd(struct mm_struct * mm)
49674 @@ -778,13 +815,14 @@ static int copy_fs(unsigned long clone_f
49675 spin_unlock(&fs->lock);
49679 + atomic_inc(&fs->users);
49680 spin_unlock(&fs->lock);
49683 tsk->fs = copy_fs_struct(fs);
49686 + gr_set_chroot_entries(tsk, &tsk->fs->root);
49690 @@ -1042,10 +1080,13 @@ static struct task_struct *copy_process(
49692 if (!vx_nproc_avail(1))
49693 goto bad_fork_free;
49695 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
49697 if (atomic_read(&p->real_cred->user->processes) >=
49698 task_rlimit(p, RLIMIT_NPROC)) {
49699 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
49700 - p->real_cred->user != INIT_USER)
49701 + if (p->real_cred->user != INIT_USER &&
49702 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
49703 goto bad_fork_free;
49706 @@ -1199,6 +1240,8 @@ static struct task_struct *copy_process(
49707 goto bad_fork_free_pid;
49710 + gr_copy_label(p);
49712 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
49714 * Clear TID on mm_release()?
49715 @@ -1356,6 +1399,8 @@ bad_fork_cleanup_count:
49719 + gr_log_forkfail(retval);
49721 return ERR_PTR(retval);
49724 @@ -1444,6 +1489,8 @@ long do_fork(unsigned long clone_flags,
49725 if (clone_flags & CLONE_PARENT_SETTID)
49726 put_user(nr, parent_tidptr);
49728 + gr_handle_brute_check();
49730 if (clone_flags & CLONE_VFORK) {
49731 p->vfork_done = &vfork;
49732 init_completion(&vfork);
49733 @@ -1559,7 +1606,7 @@ static int unshare_fs(unsigned long unsh
49736 /* don't need lock here; in the worst case we'll do useless copy */
49737 - if (fs->users == 1)
49738 + if (atomic_read(&fs->users) == 1)
49741 *new_fsp = copy_fs_struct(fs);
49742 @@ -1682,7 +1729,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
49744 spin_lock(&fs->lock);
49745 current->fs = new_fs;
49747 + gr_set_chroot_entries(current, ¤t->fs->root);
49748 + if (atomic_dec_return(&fs->users))
49752 diff -urNp linux-2.6.38.1/kernel/futex.c linux-2.6.38.1-new/kernel/futex.c
49753 --- linux-2.6.38.1/kernel/futex.c 2011-03-14 21:20:32.000000000 -0400
49754 +++ linux-2.6.38.1-new/kernel/futex.c 2011-03-21 18:31:35.000000000 -0400
49756 #include <linux/mount.h>
49757 #include <linux/pagemap.h>
49758 #include <linux/syscalls.h>
49759 +#include <linux/ptrace.h>
49760 #include <linux/signal.h>
49761 #include <linux/module.h>
49762 #include <linux/magic.h>
49763 @@ -236,6 +237,11 @@ get_futex_key(u32 __user *uaddr, int fsh
49764 struct page *page, *page_head;
49767 +#ifdef CONFIG_PAX_SEGMEXEC
49768 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
49773 * The futex address must be "naturally" aligned.
49775 @@ -2404,7 +2410,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49777 struct robust_list_head __user *head;
49779 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49780 const struct cred *cred = current_cred(), *pcred;
49783 if (!futex_cmpxchg_enabled)
49785 @@ -2420,11 +2428,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49789 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49790 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49793 pcred = __task_cred(p);
49794 if (cred->euid != pcred->euid &&
49795 cred->euid != pcred->uid &&
49796 !capable(CAP_SYS_PTRACE))
49799 head = p->robust_list;
49802 @@ -2667,6 +2680,7 @@ static int __init futex_init(void)
49806 + mm_segment_t oldfs;
49809 * This will fail and we want it. Some arch implementations do
49810 @@ -2678,7 +2692,10 @@ static int __init futex_init(void)
49811 * implementation, the non-functional ones will return
49814 + oldfs = get_fs();
49816 curval = cmpxchg_futex_value_locked(NULL, 0, 0);
49818 if (curval == -EFAULT)
49819 futex_cmpxchg_enabled = 1;
49821 diff -urNp linux-2.6.38.1/kernel/futex_compat.c linux-2.6.38.1-new/kernel/futex_compat.c
49822 --- linux-2.6.38.1/kernel/futex_compat.c 2011-03-14 21:20:32.000000000 -0400
49823 +++ linux-2.6.38.1-new/kernel/futex_compat.c 2011-03-21 18:31:35.000000000 -0400
49825 #include <linux/compat.h>
49826 #include <linux/nsproxy.h>
49827 #include <linux/futex.h>
49828 +#include <linux/ptrace.h>
49830 #include <asm/uaccess.h>
49832 @@ -136,7 +137,10 @@ compat_sys_get_robust_list(int pid, comp
49834 struct compat_robust_list_head __user *head;
49836 - const struct cred *cred = current_cred(), *pcred;
49837 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49838 + const struct cred *cred = current_cred();
49839 + const struct cred *pcred;
49842 if (!futex_cmpxchg_enabled)
49844 @@ -152,11 +156,16 @@ compat_sys_get_robust_list(int pid, comp
49848 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49849 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49852 pcred = __task_cred(p);
49853 if (cred->euid != pcred->euid &&
49854 cred->euid != pcred->uid &&
49855 !capable(CAP_SYS_PTRACE))
49858 head = p->compat_robust_list;
49861 diff -urNp linux-2.6.38.1/kernel/gcov/base.c linux-2.6.38.1-new/kernel/gcov/base.c
49862 --- linux-2.6.38.1/kernel/gcov/base.c 2011-03-14 21:20:32.000000000 -0400
49863 +++ linux-2.6.38.1-new/kernel/gcov/base.c 2011-03-21 18:31:35.000000000 -0400
49864 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
49867 #ifdef CONFIG_MODULES
49868 -static inline int within(void *addr, void *start, unsigned long size)
49870 - return ((addr >= start) && (addr < start + size));
49873 /* Update list and generate events when modules are unloaded. */
49874 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
49876 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
49878 /* Remove entries located in module from linked list. */
49879 for (info = gcov_info_head; info; info = info->next) {
49880 - if (within(info, mod->module_core, mod->core_size)) {
49881 + if (within_module_core_rw((unsigned long)info, mod)) {
49883 prev->next = info->next;
49885 diff -urNp linux-2.6.38.1/kernel/hrtimer.c linux-2.6.38.1-new/kernel/hrtimer.c
49886 --- linux-2.6.38.1/kernel/hrtimer.c 2011-03-14 21:20:32.000000000 -0400
49887 +++ linux-2.6.38.1-new/kernel/hrtimer.c 2011-03-21 18:31:35.000000000 -0400
49888 @@ -1371,7 +1371,7 @@ void hrtimer_peek_ahead_timers(void)
49889 local_irq_restore(flags);
49892 -static void run_hrtimer_softirq(struct softirq_action *h)
49893 +static void run_hrtimer_softirq(void)
49895 hrtimer_peek_ahead_timers();
49897 diff -urNp linux-2.6.38.1/kernel/jump_label.c linux-2.6.38.1-new/kernel/jump_label.c
49898 --- linux-2.6.38.1/kernel/jump_label.c 2011-03-14 21:20:32.000000000 -0400
49899 +++ linux-2.6.38.1-new/kernel/jump_label.c 2011-03-21 18:31:35.000000000 -0400
49900 @@ -49,6 +49,17 @@ void jump_label_unlock(void)
49901 mutex_unlock(&jump_label_mutex);
49904 +static void jump_label_swap(void *a, void *b, int size)
49906 + struct jump_entry t;
49908 + t = *(struct jump_entry *)a;
49909 + pax_open_kernel();
49910 + *(struct jump_entry *)a = *(struct jump_entry *)b;
49911 + *(struct jump_entry *)b = t;
49912 + pax_close_kernel();
49915 static int jump_label_cmp(const void *a, const void *b)
49917 const struct jump_entry *jea = a;
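Review bot: `jump_label_swap()` toggles pax_open_kernel()/pax_close_kernel() once per element swap, and sort() performs O(n log n) swaps at boot, so the write window is opened and closed many times; bracketing the single `sort()` call in the next hunk instead would cost one toggle at the price of a longer writable window, and the choice deserves a comment either way, e.g. `/* per-swap open/close keeps the writable window minimal; sort() does O(n log n) swaps */`. The `size` parameter is ignored; a `BUG_ON(size != sizeof(struct jump_entry));` would catch a future caller passing a different element size. The function is complete within the hunk.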
49918 @@ -70,7 +81,7 @@ sort_jump_label_entries(struct jump_entr
49920 size = (((unsigned long)stop - (unsigned long)start)
49921 / sizeof(struct jump_entry));
49922 - sort(start, size, sizeof(struct jump_entry), jump_label_cmp, NULL);
49923 + sort(start, size, sizeof(struct jump_entry), jump_label_cmp, jump_label_swap);
49926 static struct jump_label_entry *get_jump_label_entry(jump_label_t key)
49927 @@ -407,8 +418,11 @@ static void remove_jump_label_module_ini
49928 count = e_module->nr_entries;
49929 iter = e_module->table;
49931 - if (within_module_init(iter->code, mod))
49932 + if (within_module_init(iter->code, mod)) {
49933 + pax_open_kernel();
49935 + pax_close_kernel();
49940 diff -urNp linux-2.6.38.1/kernel/kallsyms.c linux-2.6.38.1-new/kernel/kallsyms.c
49941 --- linux-2.6.38.1/kernel/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
49942 +++ linux-2.6.38.1-new/kernel/kallsyms.c 2011-03-21 18:31:35.000000000 -0400
49944 * Changed the compression method from stem compression to "table lookup"
49945 * compression (see scripts/kallsyms.c for a more complete description)
49947 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49948 +#define __INCLUDED_BY_HIDESYM 1
49950 #include <linux/kallsyms.h>
49951 #include <linux/module.h>
49952 #include <linux/init.h>
49953 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
49955 static inline int is_kernel_inittext(unsigned long addr)
49957 + if (system_state != SYSTEM_BOOTING)
49960 if (addr >= (unsigned long)_sinittext
49961 && addr <= (unsigned long)_einittext)
49966 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49967 +#ifdef CONFIG_MODULES
49968 +static inline int is_module_text(unsigned long addr)
49970 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
49973 + addr = ktla_ktva(addr);
49974 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
49977 +static inline int is_module_text(unsigned long addr)
49984 static inline int is_kernel_text(unsigned long addr)
49986 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
49987 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
49989 static inline int is_kernel(unsigned long addr)
49992 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49993 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
49996 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
49998 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
50002 return in_gate_area_no_task(addr);
50005 static int is_ksym_addr(unsigned long addr)
50008 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
50009 + if (is_module_text(addr))
50014 return is_kernel(addr);
50016 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
50018 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
50020 - iter->name[0] = '\0';
50021 iter->nameoff = get_symbol_offset(new_pos);
50022 iter->pos = new_pos;
50024 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
50026 struct kallsym_iter *iter = m->private;
50028 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50029 + if (current_uid())
50033 /* Some debugging symbols have no name. Ignore them. */
50034 if (!iter->name[0])
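Review bot: The new HIDESYM gate keys on `current_uid()`, i.e. the real uid, so a root-owned service that dropped every capability still sees symbol addresses while a setuid-root helper started by an ordinary user gets nothing; a capability test such as `if (!capable(CAP_SYS_ADMIN)) return 0;` (capable() is what this patch already relies on in futex_compat.c) would follow privilege rather than identity. The silent empty file also deserves a comment, e.g. `/* non-root readers get an empty /proc/kallsyms rather than -EPERM so existing tools keep working */`, assuming that is the intent. The `return 0;` line itself is not visible in this view, and s_show continues outside the hunk.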
50036 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
50037 struct kallsym_iter *iter;
50040 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
50041 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
50044 reset_iter(iter, 0);
50045 diff -urNp linux-2.6.38.1/kernel/kmod.c linux-2.6.38.1-new/kernel/kmod.c
50046 --- linux-2.6.38.1/kernel/kmod.c 2011-03-14 21:20:32.000000000 -0400
50047 +++ linux-2.6.38.1-new/kernel/kmod.c 2011-03-21 18:31:35.000000000 -0400
50048 @@ -90,6 +90,28 @@ int __request_module(bool wait, const ch
50052 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
50053 + /* we could do a tighter check here, but some distros
50054 + are taking it upon themselves to remove CAP_SYS_MODULE
50055 + from even root-running apps which cause modules to be
50058 + if (current_uid()) {
50059 +#if !defined(CONFIG_IPV6) && !defined(CONFIG_IPV6_MODULE)
50060 + /* There are known knowns. These are things we know
50061 + that we know. There are known unknowns. That is to say,
50062 + there are things that we know we don't know. But there are
50063 + also unknown unknowns. There are things we don't know
50065 + This here is a known unknown.
50067 + if (strcmp(module_name, "net-pf-10"))
50069 + gr_log_nonroot_mod_load(module_name);
50074 /* If modprobe needs a service that is in a module, we get a recursive
50075 * loop. Limit the number of running kmod threads to max_threads/2 or
50076 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
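Review bot: The MODHARDEN gate also compares the real uid, so an unprivileged user running a setuid-root program that triggers autoloading is refused even though the process is effectively root, while the comment only explains the opposite case (uid 0 without CAP_SYS_MODULE). Either test `current_euid()` as well or state the choice in the comment, e.g. `/* real uid on purpose: a setuid helper run by a user must not become a module-loading primitive */`. The IPv6 carve-out only skips the log call; the lines after `gr_log_nonroot_mod_load()` are not visible here, so whether net-pf-10 is still refused cannot be confirmed from this hunk. `__request_module` continues on both sides of the hunk.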
50077 diff -urNp linux-2.6.38.1/kernel/kprobes.c linux-2.6.38.1-new/kernel/kprobes.c
50078 --- linux-2.6.38.1/kernel/kprobes.c 2011-03-14 21:20:32.000000000 -0400
50079 +++ linux-2.6.38.1-new/kernel/kprobes.c 2011-03-21 18:31:35.000000000 -0400
50080 @@ -185,7 +185,7 @@ static kprobe_opcode_t __kprobes *__get_
50081 * kernel image and loaded module images reside. This is required
50082 * so x86_64 can correctly handle the %rip-relative fixups.
50084 - kip->insns = module_alloc(PAGE_SIZE);
50085 + kip->insns = module_alloc_exec(PAGE_SIZE);
50089 @@ -225,7 +225,7 @@ static int __kprobes collect_one_slot(st
50091 if (!list_is_singular(&kip->list)) {
50092 list_del(&kip->list);
50093 - module_free(NULL, kip->insns);
50094 + module_free_exec(NULL, kip->insns);
50098 @@ -1936,7 +1936,7 @@ static int __init init_kprobes(void)
50101 unsigned long offset = 0, size = 0;
50102 - char *modname, namebuf[128];
50103 + char *modname, namebuf[KSYM_NAME_LEN];
50104 const char *symbol_name;
50106 struct kprobe_blackpoint *kb;
50107 @@ -2062,7 +2062,7 @@ static int __kprobes show_kprobe_addr(st
50108 const char *sym = NULL;
50109 unsigned int i = *(loff_t *) v;
50110 unsigned long offset = 0;
50111 - char *modname, namebuf[128];
50112 + char *modname, namebuf[KSYM_NAME_LEN];
50114 head = &kprobe_table[i];
50116 diff -urNp linux-2.6.38.1/kernel/lockdep.c linux-2.6.38.1-new/kernel/lockdep.c
50117 --- linux-2.6.38.1/kernel/lockdep.c 2011-03-14 21:20:32.000000000 -0400
50118 +++ linux-2.6.38.1-new/kernel/lockdep.c 2011-03-21 18:31:35.000000000 -0400
50119 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
50120 end = (unsigned long) &_end,
50121 addr = (unsigned long) obj;
50123 +#ifdef CONFIG_PAX_KERNEXEC
50124 + start = ktla_ktva(start);
50130 @@ -706,6 +710,7 @@ register_lock_class(struct lockdep_map *
50131 if (!static_obj(lock->key)) {
50133 printk("INFO: trying to register non-static key.\n");
50134 + printk("lock:%pS key:%pS.\n", lock, lock->key);
50135 printk("the code is fine but needs lockdep annotation.\n");
50136 printk("turning off the locking correctness validator.\n");
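Review bot: The new diagnostic prints `lock` and `lock->key` with `%pS`, while this same patch switches panic.c's warn_slowpath_common and __stack_chk_fail to `%pA` to keep raw kernel addresses out of the log; for consistency with that policy the line should read `printk("lock:%pA key:%pA.\n", lock, lock->key);` (assuming %pA resolves symbols the way %pS does, as its use in panic.c suggests). register_lock_class continues outside the hunk.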
50138 @@ -2752,7 +2757,7 @@ static int __lock_acquire(struct lockdep
50142 - atomic_inc((atomic_t *)&class->ops);
50143 + atomic_inc_unchecked((atomic_unchecked_t *)&class->ops);
50144 if (very_verbose(class)) {
50145 printk("\nacquire class [%p] %s", class->key, class->name);
50146 if (class->name_version > 1)
50147 diff -urNp linux-2.6.38.1/kernel/lockdep_proc.c linux-2.6.38.1-new/kernel/lockdep_proc.c
50148 --- linux-2.6.38.1/kernel/lockdep_proc.c 2011-03-14 21:20:32.000000000 -0400
50149 +++ linux-2.6.38.1-new/kernel/lockdep_proc.c 2011-03-21 18:31:35.000000000 -0400
50150 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
50152 static void print_name(struct seq_file *m, struct lock_class *class)
50155 + char str[KSYM_NAME_LEN];
50156 const char *name = class->name;
50159 diff -urNp linux-2.6.38.1/kernel/module.c linux-2.6.38.1-new/kernel/module.c
50160 --- linux-2.6.38.1/kernel/module.c 2011-03-14 21:20:32.000000000 -0400
50161 +++ linux-2.6.38.1-new/kernel/module.c 2011-03-21 18:31:35.000000000 -0400
50162 @@ -118,7 +118,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
50164 /* Bounds of module allocation, for speeding __module_address.
50165 * Protected by module_mutex. */
50166 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
50167 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
50168 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
50170 int register_module_notifier(struct notifier_block * nb)
50172 @@ -282,7 +283,7 @@ bool each_symbol(bool (*fn)(const struct
50175 list_for_each_entry_rcu(mod, &modules, list) {
50176 - struct symsearch arr[] = {
50177 + struct symsearch modarr[] = {
50178 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
50179 NOT_GPL_ONLY, false },
50180 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
50181 @@ -304,7 +305,7 @@ bool each_symbol(bool (*fn)(const struct
50185 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
50186 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
50190 @@ -415,7 +416,7 @@ static inline void __percpu *mod_percpu(
50191 static int percpu_modalloc(struct module *mod,
50192 unsigned long size, unsigned long align)
50194 - if (align > PAGE_SIZE) {
50195 + if (align-1 >= PAGE_SIZE) {
50196 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
50197 mod->name, align, PAGE_SIZE);
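Review bot: `align-1 >= PAGE_SIZE` differs from the old `align > PAGE_SIZE` only for `align == 0`, where the unsigned subtraction wraps and the request is now refused — a sensible defence against a zero alignment, but the unchanged warning text `per-cpu alignment %li > %li` then reports "0 > 4096". Add a comment on the condition, `/* align == 0 wraps to ULONG_MAX and is rejected too */`, or test `if (!align || align > PAGE_SIZE)` and give the zero case its own message. percpu_modalloc continues outside the hunk.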
50199 @@ -1143,7 +1144,7 @@ resolve_symbol_wait(struct module *mod,
50201 #ifdef CONFIG_SYSFS
50203 -#ifdef CONFIG_KALLSYMS
50204 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
50205 static inline bool sect_empty(const Elf_Shdr *sect)
50207 return !(sect->sh_flags & SHF_ALLOC) || sect->sh_size == 0;
50208 @@ -1612,17 +1613,17 @@ void unset_section_ro_nx(struct module *
50210 unsigned long total_pages;
50212 - if (mod->module_core == module_region) {
50213 + if (mod->module_core_rx == module_region) {
50214 /* Set core as NX+RW */
50215 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_core, mod->core_size);
50216 - set_memory_nx((unsigned long)mod->module_core, total_pages);
50217 - set_memory_rw((unsigned long)mod->module_core, total_pages);
50218 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_core_rx, mod->core_size_rx);
50219 + set_memory_nx((unsigned long)mod->module_core_rx, total_pages);
50220 + set_memory_rw((unsigned long)mod->module_core_rx, total_pages);
50222 - } else if (mod->module_init == module_region) {
50223 + } else if (mod->module_init_rx == module_region) {
50224 /* Set init as NX+RW */
50225 - total_pages = MOD_NUMBER_OF_PAGES(mod->module_init, mod->init_size);
50226 - set_memory_nx((unsigned long)mod->module_init, total_pages);
50227 - set_memory_rw((unsigned long)mod->module_init, total_pages);
50228 + total_pages = MOD_NUMBER_OF_PAGES(mod->module_init_rx, mod->init_size_rx);
50229 + set_memory_nx((unsigned long)mod->module_init_rx, total_pages);
50230 + set_memory_rw((unsigned long)mod->module_init_rx, total_pages);
50234 @@ -1633,14 +1634,14 @@ void set_all_modules_text_rw()
50236 mutex_lock(&module_mutex);
50237 list_for_each_entry_rcu(mod, &modules, list) {
50238 - if ((mod->module_core) && (mod->core_text_size)) {
50239 - set_page_attributes(mod->module_core,
50240 - mod->module_core + mod->core_text_size,
50241 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
50242 + set_page_attributes(mod->module_core_rx,
50243 + mod->module_core_rx + mod->core_size_rx,
50246 - if ((mod->module_init) && (mod->init_text_size)) {
50247 - set_page_attributes(mod->module_init,
50248 - mod->module_init + mod->init_text_size,
50249 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
50250 + set_page_attributes(mod->module_init_rx,
50251 + mod->module_init_rx + mod->init_size_rx,
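Review bot: Replacing `core_text_size`/`init_text_size` with `core_size_rx`/`init_size_rx` widens what set_all_modules_text_rw()/_ro() flip: the rx allocation holds every non-writable SHF_ALLOC section (layout_sections in a later hunk sends only SHF_WRITE sections to rw), so module rodata is now made writable for the duration of the callers' patching, not just text. If that is the accepted cost of the split, note it at the top of set_all_modules_text_rw(), e.g. `/* rx region = text + rodata; both become writable here */`; otherwise the rx region needs a recorded text length. Both functions continue outside their hunks.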
50255 @@ -1654,14 +1655,14 @@ void set_all_modules_text_ro()
50257 mutex_lock(&module_mutex);
50258 list_for_each_entry_rcu(mod, &modules, list) {
50259 - if ((mod->module_core) && (mod->core_text_size)) {
50260 - set_page_attributes(mod->module_core,
50261 - mod->module_core + mod->core_text_size,
50262 + if ((mod->module_core_rx) && (mod->core_size_rx)) {
50263 + set_page_attributes(mod->module_core_rx,
50264 + mod->module_core_rx + mod->core_size_rx,
50267 - if ((mod->module_init) && (mod->init_text_size)) {
50268 - set_page_attributes(mod->module_init,
50269 - mod->module_init + mod->init_text_size,
50270 + if ((mod->module_init_rx) && (mod->init_size_rx)) {
50271 + set_page_attributes(mod->module_init_rx,
50272 + mod->module_init_rx + mod->init_size_rx,
50276 @@ -1696,17 +1697,20 @@ static void free_module(struct module *m
50277 destroy_params(mod->kp, mod->num_kp);
50279 /* This may be NULL, but that's OK */
50280 - unset_section_ro_nx(mod, mod->module_init);
50281 - module_free(mod, mod->module_init);
50282 + unset_section_ro_nx(mod, mod->module_init_rx);
50283 + module_free(mod, mod->module_init_rw);
50284 + module_free_exec(mod, mod->module_init_rx);
50286 percpu_modfree(mod);
50288 /* Free lock-classes: */
50289 - lockdep_free_key_range(mod->module_core, mod->core_size);
50290 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
50291 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
50293 /* Finally, free the core (containing the module structure) */
50294 - unset_section_ro_nx(mod, mod->module_core);
50295 - module_free(mod, mod->module_core);
50296 + unset_section_ro_nx(mod, mod->module_core_rx);
50297 + module_free_exec(mod, mod->module_core_rx);
50298 + module_free(mod, mod->module_core_rw);
50301 update_protections(current->mm);
50302 @@ -1799,7 +1803,9 @@ static int simplify_symbols(struct modul
50303 ksym = resolve_symbol_wait(mod, info, name);
50304 /* Ok if resolved. */
50305 if (ksym && !IS_ERR(ksym)) {
50306 + pax_open_kernel();
50307 sym[i].st_value = ksym->value;
50308 + pax_close_kernel();
50312 @@ -1818,7 +1824,9 @@ static int simplify_symbols(struct modul
50313 secbase = (unsigned long)mod_percpu(mod);
50315 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
50316 + pax_open_kernel();
50317 sym[i].st_value += secbase;
50318 + pax_close_kernel();
50322 @@ -1906,22 +1914,12 @@ static void layout_sections(struct modul
50323 || s->sh_entsize != ~0UL
50324 || strstarts(sname, ".init"))
50326 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
50327 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50328 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
50330 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
50331 DEBUGP("\t%s\n", name);
50334 - case 0: /* executable */
50335 - mod->core_size = debug_align(mod->core_size);
50336 - mod->core_text_size = mod->core_size;
50338 - case 1: /* RO: text and ro-data */
50339 - mod->core_size = debug_align(mod->core_size);
50340 - mod->core_ro_size = mod->core_size;
50342 - case 3: /* whole core */
50343 - mod->core_size = debug_align(mod->core_size);
50348 DEBUGP("Init section allocation order:\n");
50349 @@ -1935,23 +1933,13 @@ static void layout_sections(struct modul
50350 || s->sh_entsize != ~0UL
50351 || !strstarts(sname, ".init"))
50353 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
50354 - | INIT_OFFSET_MASK);
50355 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
50356 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
50358 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
50359 + s->sh_entsize |= INIT_OFFSET_MASK;
50360 DEBUGP("\t%s\n", sname);
50363 - case 0: /* executable */
50364 - mod->init_size = debug_align(mod->init_size);
50365 - mod->init_text_size = mod->init_size;
50367 - case 1: /* RO: text and ro-data */
50368 - mod->init_size = debug_align(mod->init_size);
50369 - mod->init_ro_size = mod->init_size;
50371 - case 3: /* whole init */
50372 - mod->init_size = debug_align(mod->init_size);
50378 @@ -2119,7 +2107,7 @@ static void layout_symtab(struct module
50380 /* Put symbol section at end of init part of module. */
50381 symsect->sh_flags |= SHF_ALLOC;
50382 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
50383 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
50384 info->index.sym) | INIT_OFFSET_MASK;
50385 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
50387 @@ -2136,19 +2124,19 @@ static void layout_symtab(struct module
50390 /* Append room for core symbols at end of core part. */
50391 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
50392 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
50393 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
50394 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
50396 /* Put string table section at end of init part of module. */
50397 strsect->sh_flags |= SHF_ALLOC;
50398 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
50399 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
50400 info->index.str) | INIT_OFFSET_MASK;
50401 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
50403 /* Append room for core symbols' strings at end of core part. */
50404 - info->stroffs = mod->core_size;
50405 + info->stroffs = mod->core_size_rx;
50406 __set_bit(0, info->strmap);
50407 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
50408 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
50411 static void add_kallsyms(struct module *mod, const struct load_info *info)
50412 @@ -2164,11 +2152,13 @@ static void add_kallsyms(struct module *
50413 /* Make sure we get permanent strtab: don't use info->strtab. */
50414 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
50416 + pax_open_kernel();
50418 /* Set types up while we still have access to sections. */
50419 for (i = 0; i < mod->num_symtab; i++)
50420 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
50422 - mod->core_symtab = dst = mod->module_core + info->symoffs;
50423 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
50426 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
50427 @@ -2181,10 +2171,12 @@ static void add_kallsyms(struct module *
50429 mod->core_num_syms = ndst;
50431 - mod->core_strtab = s = mod->module_core + info->stroffs;
50432 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
50433 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
50434 if (test_bit(i, info->strmap))
50435 *++s = mod->strtab[i];
50437 + pax_close_kernel();
50440 static inline void layout_symtab(struct module *mod, struct load_info *info)
50441 @@ -2213,17 +2205,33 @@ static void dynamic_debug_remove(struct
50442 ddebug_remove_module(debug->modname);
50445 -static void *module_alloc_update_bounds(unsigned long size)
50446 +static void *module_alloc_update_bounds_rw(unsigned long size)
50448 void *ret = module_alloc(size);
50451 mutex_lock(&module_mutex);
50452 /* Update module bounds. */
50453 - if ((unsigned long)ret < module_addr_min)
50454 - module_addr_min = (unsigned long)ret;
50455 - if ((unsigned long)ret + size > module_addr_max)
50456 - module_addr_max = (unsigned long)ret + size;
50457 + if ((unsigned long)ret < module_addr_min_rw)
50458 + module_addr_min_rw = (unsigned long)ret;
50459 + if ((unsigned long)ret + size > module_addr_max_rw)
50460 + module_addr_max_rw = (unsigned long)ret + size;
50461 + mutex_unlock(&module_mutex);
50466 +static void *module_alloc_update_bounds_rx(unsigned long size)
50468 + void *ret = module_alloc_exec(size);
50471 + mutex_lock(&module_mutex);
50472 + /* Update module bounds. */
50473 + if ((unsigned long)ret < module_addr_min_rx)
50474 + module_addr_min_rx = (unsigned long)ret;
50475 + if ((unsigned long)ret + size > module_addr_max_rx)
50476 + module_addr_max_rx = (unsigned long)ret + size;
50477 mutex_unlock(&module_mutex);
50480 @@ -2516,7 +2524,7 @@ static int move_module(struct module *mo
50483 /* Do the allocs. */
50484 - ptr = module_alloc_update_bounds(mod->core_size);
50485 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
50487 * The pointer to this block is stored in the module structure
50488 * which is inside the block. Just mark it as not being a
50489 @@ -2526,23 +2534,50 @@ static int move_module(struct module *mo
50493 - memset(ptr, 0, mod->core_size);
50494 - mod->module_core = ptr;
50495 + memset(ptr, 0, mod->core_size_rw);
50496 + mod->module_core_rw = ptr;
50498 - ptr = module_alloc_update_bounds(mod->init_size);
50499 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
50501 * The pointer to this block is stored in the module structure
50502 * which is inside the block. This block doesn't need to be
50503 * scanned as it contains data and code that will be freed
50504 * after the module is initialized.
50506 - kmemleak_ignore(ptr);
50507 - if (!ptr && mod->init_size) {
50508 - module_free(mod, mod->module_core);
50509 + kmemleak_not_leak(ptr);
50510 + if (!ptr && mod->init_size_rw) {
50511 + module_free(mod, mod->module_core_rw);
50514 - memset(ptr, 0, mod->init_size);
50515 - mod->module_init = ptr;
50516 + memset(ptr, 0, mod->init_size_rw);
50517 + mod->module_init_rw = ptr;
50519 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
50520 + kmemleak_not_leak(ptr);
50522 + module_free(mod, mod->module_init_rw);
50523 + module_free(mod, mod->module_core_rw);
50527 + pax_open_kernel();
50528 + memset(ptr, 0, mod->core_size_rx);
50529 + pax_close_kernel();
50530 + mod->module_core_rx = ptr;
50532 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
50533 + kmemleak_not_leak(ptr);
50534 + if (!ptr && mod->init_size_rx) {
50535 + module_free_exec(mod, mod->module_core_rx);
50536 + module_free(mod, mod->module_init_rw);
50537 + module_free(mod, mod->module_core_rw);
50541 + pax_open_kernel();
50542 + memset(ptr, 0, mod->init_size_rx);
50543 + pax_close_kernel();
50544 + mod->module_init_rx = ptr;
50546 /* Transfer each section which specifies SHF_ALLOC */
50547 DEBUGP("final section addresses:\n");
50548 @@ -2553,16 +2588,45 @@ static int move_module(struct module *mo
50549 if (!(shdr->sh_flags & SHF_ALLOC))
50552 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
50553 - dest = mod->module_init
50554 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50556 - dest = mod->module_core + shdr->sh_entsize;
50557 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
50558 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50559 + dest = mod->module_init_rw
50560 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50562 + dest = mod->module_init_rx
50563 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
50565 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
50566 + dest = mod->module_core_rw + shdr->sh_entsize;
50568 + dest = mod->module_core_rx + shdr->sh_entsize;
50571 + if (shdr->sh_type != SHT_NOBITS) {
50573 +#ifdef CONFIG_PAX_KERNEXEC
50574 +#ifdef CONFIG_X86_64
50575 + if ((shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_EXECINSTR))
50576 + set_memory_x((unsigned long)dest, (shdr->sh_size + PAGE_SIZE) >> PAGE_SHIFT);
50578 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
50579 + pax_open_kernel();
50580 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50581 + pax_close_kernel();
50585 - if (shdr->sh_type != SHT_NOBITS)
50586 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
50588 /* Update sh_addr to point to copy in image. */
50589 - shdr->sh_addr = (unsigned long)dest;
50591 +#ifdef CONFIG_PAX_KERNEXEC
50592 + if (shdr->sh_flags & SHF_EXECINSTR)
50593 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
50597 + shdr->sh_addr = (unsigned long)dest;
50598 DEBUGP("\t0x%lx %s\n",
50599 shdr->sh_addr, info->secstrings + shdr->sh_name);
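Review bot: The x86_64 `set_memory_x()` call for sections flagged SHF_WRITE|SHF_EXECINSTR computes its page count as `(sh_size + PAGE_SIZE) >> PAGE_SHIFT`, which ignores where `dest` sits inside its first page: a section starting near a page end and spilling into the next is under-covered, while a page-aligned one can be over-covered and make the neighbouring rw section executable. Use the span's real page range, `set_memory_x((unsigned long)dest & PAGE_MASK, PFN_UP((unsigned long)dest + shdr->sh_size) - PFN_DOWN((unsigned long)dest));`. This branch also deliberately creates writable+executable pages inside the rw region, the very property the rx/rw split removes, so a comment naming which sections need it and a warning when it triggers would keep the exception auditable. The `!(shdr->sh_flags & SHF_ALLOC)` halves of the two placement tests are dead, since non-ALLOC sections were already skipped at the top of the loop. move_module continues outside the hunk.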
50601 @@ -2613,12 +2677,12 @@ static void flush_module_icache(const st
50602 * Do it before processing of module parameters, so the module
50603 * can provide parameter accessor functions of its own.
50605 - if (mod->module_init)
50606 - flush_icache_range((unsigned long)mod->module_init,
50607 - (unsigned long)mod->module_init
50608 - + mod->init_size);
50609 - flush_icache_range((unsigned long)mod->module_core,
50610 - (unsigned long)mod->module_core + mod->core_size);
50611 + if (mod->module_init_rx)
50612 + flush_icache_range((unsigned long)mod->module_init_rx,
50613 + (unsigned long)mod->module_init_rx
50614 + + mod->init_size_rx);
50615 + flush_icache_range((unsigned long)mod->module_core_rx,
50616 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
50620 @@ -2690,8 +2754,10 @@ static void module_deallocate(struct mod
50622 kfree(info->strmap);
50623 percpu_modfree(mod);
50624 - module_free(mod, mod->module_init);
50625 - module_free(mod, mod->module_core);
50626 + module_free_exec(mod, mod->module_init_rx);
50627 + module_free_exec(mod, mod->module_core_rx);
50628 + module_free(mod, mod->module_init_rw);
50629 + module_free(mod, mod->module_core_rw);
50632 static int post_relocation(struct module *mod, const struct load_info *info)
50633 @@ -2877,16 +2943,16 @@ SYSCALL_DEFINE3(init_module, void __user
50634 MODULE_STATE_COMING, mod);
50636 /* Set RO and NX regions for core */
50637 - set_section_ro_nx(mod->module_core,
50638 - mod->core_text_size,
50639 - mod->core_ro_size,
50641 + set_section_ro_nx(mod->module_core_rx,
50642 + mod->core_size_rx,
50643 + mod->core_size_rx,
50644 + mod->core_size_rx);
50646 /* Set RO and NX regions for init */
50647 - set_section_ro_nx(mod->module_init,
50648 - mod->init_text_size,
50649 - mod->init_ro_size,
50651 + set_section_ro_nx(mod->module_init_rx,
50652 + mod->init_size_rx,
50653 + mod->init_size_rx,
50654 + mod->init_size_rx);
50657 /* Start the module */
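Review bot: Passing `core_size_rx` as text size, RO size and total size to `set_section_ro_nx()` leaves the NX range empty, so the whole rx allocation — rodata included, since layout_sections routes every non-writable SHF_ALLOC section there — stays executable, whereas the replaced call marked rodata RO+NX. The split dropped `core_text_size`, so the text/rodata boundary is no longer recorded; consider keeping a text length for the rx region (the executable sections are laid out first) and passing it as the first argument, or at least documenting above the call that module rodata is now R-X. The init call below has the same issue, and init_module continues outside the hunk.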
50658 @@ -2931,11 +2997,13 @@ SYSCALL_DEFINE3(init_module, void __user
50659 mod->symtab = mod->core_symtab;
50660 mod->strtab = mod->core_strtab;
50662 - unset_section_ro_nx(mod, mod->module_init);
50663 - module_free(mod, mod->module_init);
50664 - mod->module_init = NULL;
50665 - mod->init_size = 0;
50666 - mod->init_text_size = 0;
50667 + unset_section_ro_nx(mod, mod->module_init_rx);
50668 + module_free(mod, mod->module_init_rw);
50669 + module_free_exec(mod, mod->module_init_rx);
50670 + mod->module_init_rw = NULL;
50671 + mod->module_init_rx = NULL;
50672 + mod->init_size_rw = 0;
50673 + mod->init_size_rx = 0;
50674 mutex_unlock(&module_mutex);
50677 @@ -2966,10 +3034,16 @@ static const char *get_ksymbol(struct mo
50678 unsigned long nextval;
50680 /* At worse, next value is at end of module */
50681 - if (within_module_init(addr, mod))
50682 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
50683 + if (within_module_init_rx(addr, mod))
50684 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
50685 + else if (within_module_init_rw(addr, mod))
50686 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
50687 + else if (within_module_core_rx(addr, mod))
50688 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
50689 + else if (within_module_core_rw(addr, mod))
50690 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
50692 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
50695 /* Scan for closest preceeding symbol, and next symbol. (ELF
50696 starts real symbols at 1). */
50697 @@ -3215,7 +3289,7 @@ static int m_show(struct seq_file *m, vo
50700 seq_printf(m, "%s %u",
50701 - mod->name, mod->init_size + mod->core_size);
50702 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
50703 print_unload_info(m, mod);
50705 /* Informative for users. */
50706 @@ -3224,7 +3298,7 @@ static int m_show(struct seq_file *m, vo
50707 mod->state == MODULE_STATE_COMING ? "Loading":
50709 /* Used by oprofile and other similar tools. */
50710 - seq_printf(m, " 0x%p", mod->module_core);
50711 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
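Review bot: Printing two addresses where there was one changes the /proc/modules record that the preceding comment says oprofile and similar tools parse, so a consumer that takes the last whitespace-separated field as the module base now reads the rw address, and one that counts columns shifts by one. If both addresses are wanted, keep the rx address in the original position (as done) and document the new layout in the comment, e.g. `/* rx (text) base first for compatibility, then rw (data) base */`, or gate the extra column. m_show continues outside the hunk.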
50715 @@ -3260,7 +3334,17 @@ static const struct file_operations proc
50717 static int __init proc_modules_init(void)
50719 +#ifndef CONFIG_GRKERNSEC_HIDESYM
50720 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50721 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50722 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50723 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
50725 proc_create("modules", 0, NULL, &proc_modules_operations);
50728 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50732 module_init(proc_modules_init);
50733 @@ -3319,12 +3403,12 @@ struct module *__module_address(unsigned
50735 struct module *mod;
50737 - if (addr < module_addr_min || addr > module_addr_max)
50738 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
50739 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
50742 list_for_each_entry_rcu(mod, &modules, list)
50743 - if (within_module_core(addr, mod)
50744 - || within_module_init(addr, mod))
50745 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
50749 @@ -3358,11 +3442,20 @@ bool is_module_text_address(unsigned lon
50751 struct module *__module_text_address(unsigned long addr)
50753 - struct module *mod = __module_address(addr);
50754 + struct module *mod;
50756 +#ifdef CONFIG_X86_32
50757 + addr = ktla_ktva(addr);
50760 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
50763 + mod = __module_address(addr);
50766 /* Make sure it's within the text section. */
50767 - if (!within(addr, mod->module_init, mod->init_text_size)
50768 - && !within(addr, mod->module_core, mod->core_text_size))
50769 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
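Review bot: The `ktla_ktva(addr)` translation here is guarded by `CONFIG_X86_32` alone, whereas the same translation in kallsyms.c's is_module_text/is_kernel is guarded by `CONFIG_X86_32 && CONFIG_PAX_KERNEXEC`; if ktla_ktva is the identity without KERNEXEC this is harmless, but the asymmetry invites a wrong guess later, so use `#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)` to match. The early `return NULL` lines of the new bounds check are not visible here, and the function's tail is outside the hunk.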
50773 diff -urNp linux-2.6.38.1/kernel/panic.c linux-2.6.38.1-new/kernel/panic.c
50774 --- linux-2.6.38.1/kernel/panic.c 2011-03-14 21:20:32.000000000 -0400
50775 +++ linux-2.6.38.1-new/kernel/panic.c 2011-03-21 18:31:35.000000000 -0400
50776 @@ -369,7 +369,7 @@ static void warn_slowpath_common(const c
50779 printk(KERN_WARNING "------------[ cut here ]------------\n");
50780 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
50781 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
50782 board = dmi_get_system_info(DMI_PRODUCT_NAME);
50784 printk(KERN_WARNING "Hardware name: %s\n", board);
50785 @@ -424,7 +424,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
50787 void __stack_chk_fail(void)
50789 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
50791 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
50792 __builtin_return_address(0));
50794 EXPORT_SYMBOL(__stack_chk_fail);
50795 diff -urNp linux-2.6.38.1/kernel/pid.c linux-2.6.38.1-new/kernel/pid.c
50796 --- linux-2.6.38.1/kernel/pid.c 2011-03-14 21:20:32.000000000 -0400
50797 +++ linux-2.6.38.1-new/kernel/pid.c 2011-03-21 18:31:35.000000000 -0400
50799 #include <linux/rculist.h>
50800 #include <linux/bootmem.h>
50801 #include <linux/hash.h>
50802 +#include <linux/security.h>
50803 #include <linux/pid_namespace.h>
50804 #include <linux/init_task.h>
50805 #include <linux/syscalls.h>
50806 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
50808 int pid_max = PID_MAX_DEFAULT;
50810 -#define RESERVED_PIDS 300
50811 +#define RESERVED_PIDS 500
50813 int pid_max_min = RESERVED_PIDS + 1;
50814 int pid_max_max = PID_MAX_LIMIT;
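Review bot: Raising RESERVED_PIDS from 300 to 500 also raises pid_max_min on the following line to 501, so a write to the pid_max sysctl below that value is now rejected where 301 was previously accepted, and presumably the point to which pid allocation wraps moves with it. The constant carries no comment recording why 500 was chosen or that it doubles as the sysctl floor; a short note such as `/* low pids reserved for early services; also the floor of the pid_max sysctl */` would keep the next reader from treating it as a free tuning knob — adjust the wording to the actual reason, which this hunk does not state.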
50815 @@ -416,8 +417,15 @@ EXPORT_SYMBOL(pid_task);
50817 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
50819 + struct task_struct *task;
50821 rcu_lockdep_assert(rcu_read_lock_held());
50822 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50823 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50825 + if (gr_pid_is_chrooted(task))
50831 struct task_struct *find_task_by_vpid(pid_t vnr)
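Review bot: gr_pid_is_chrooted(task) is evaluated before anything checks that task is non-NULL, and pid_task() returns NULL when the pid is not found in ns, so the helper is handed NULL on the miss path. That is safe only if the helper tolerates a NULL argument, which this hunk cannot show; if it does not, every lookup of a non-existent pid dereferences NULL inside an RCU read section. A local guard avoids relying on the callee's contract: `if (task && gr_pid_is_chrooted(task))`. The lines following the check (the NULL return and the final return of task) are not visible in this rendering of the hunk.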
50832 diff -urNp linux-2.6.38.1/kernel/posix-cpu-timers.c linux-2.6.38.1-new/kernel/posix-cpu-timers.c
50833 --- linux-2.6.38.1/kernel/posix-cpu-timers.c 2011-03-14 21:20:32.000000000 -0400
50834 +++ linux-2.6.38.1-new/kernel/posix-cpu-timers.c 2011-03-21 18:31:35.000000000 -0400
50836 #include <linux/posix-timers.h>
50837 #include <linux/errno.h>
50838 #include <linux/math64.h>
50839 +#include <linux/security.h>
50840 #include <asm/uaccess.h>
50841 #include <linux/kernel_stat.h>
50842 #include <trace/events/timer.h>
50843 diff -urNp linux-2.6.38.1/kernel/posix-timers.c linux-2.6.38.1-new/kernel/posix-timers.c
50844 --- linux-2.6.38.1/kernel/posix-timers.c 2011-03-14 21:20:32.000000000 -0400
50845 +++ linux-2.6.38.1-new/kernel/posix-timers.c 2011-03-21 18:31:35.000000000 -0400
50847 #include <linux/compiler.h>
50848 #include <linux/idr.h>
50849 #include <linux/posix-timers.h>
50850 +#include <linux/grsecurity.h>
50851 #include <linux/syscalls.h>
50852 #include <linux/wait.h>
50853 #include <linux/workqueue.h>
50854 @@ -955,6 +956,13 @@ SYSCALL_DEFINE2(clock_settime, const clo
50855 if (copy_from_user(&new_tp, tp, sizeof (*tp)))
50858 + /* only the CLOCK_REALTIME clock can be set, all other clocks
50859 + have their clock_set fptr set to a nosettime dummy function
50860 + CLOCK_REALTIME has a NULL clock_set fptr which causes it to
50861 + call common_clock_set, which calls do_sys_settimeofday, which
50865 return CLOCK_DISPATCH(which_clock, clock_set, (which_clock, &new_tp));
50868 diff -urNp linux-2.6.38.1/kernel/power/poweroff.c linux-2.6.38.1-new/kernel/power/poweroff.c
50869 --- linux-2.6.38.1/kernel/power/poweroff.c 2011-03-14 21:20:32.000000000 -0400
50870 +++ linux-2.6.38.1-new/kernel/power/poweroff.c 2011-03-21 18:31:35.000000000 -0400
50871 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
50872 .enable_mask = SYSRQ_ENABLE_BOOT,
50875 -static int pm_sysrq_init(void)
50876 +static int __init pm_sysrq_init(void)
50878 register_sysrq_key('o', &sysrq_poweroff_op);
50880 diff -urNp linux-2.6.38.1/kernel/power/process.c linux-2.6.38.1-new/kernel/power/process.c
50881 --- linux-2.6.38.1/kernel/power/process.c 2011-03-14 21:20:32.000000000 -0400
50882 +++ linux-2.6.38.1-new/kernel/power/process.c 2011-03-21 18:31:35.000000000 -0400
50883 @@ -41,6 +41,7 @@ static int try_to_freeze_tasks(bool sig_
50884 u64 elapsed_csecs64;
50885 unsigned int elapsed_csecs;
50886 bool wakeup = false;
50887 + bool timedout = false;
50889 do_gettimeofday(&start);
50891 @@ -51,6 +52,8 @@ static int try_to_freeze_tasks(bool sig_
50895 + if (time_after(jiffies, end_time))
50897 read_lock(&tasklist_lock);
50898 do_each_thread(g, p) {
50899 if (frozen(p) || !freezable(p))
50900 @@ -71,9 +74,13 @@ static int try_to_freeze_tasks(bool sig_
50901 * try_to_stop() after schedule() in ptrace/signal
50902 * stop sees TIF_FREEZE.
50904 - if (!task_is_stopped_or_traced(p) &&
50905 - !freezer_should_skip(p))
50906 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
50909 + printk(KERN_ERR "Task refusing to freeze:\n");
50910 + sched_show_task(p);
50913 } while_each_thread(g, p);
50914 read_unlock(&tasklist_lock);
50916 @@ -82,7 +89,7 @@ static int try_to_freeze_tasks(bool sig_
50920 - if (!todo || time_after(jiffies, end_time))
50921 + if (!todo || timedout)
50924 if (pm_wakeup_pending()) {
50925 diff -urNp linux-2.6.38.1/kernel/printk.c linux-2.6.38.1-new/kernel/printk.c
50926 --- linux-2.6.38.1/kernel/printk.c 2011-03-14 21:20:32.000000000 -0400
50927 +++ linux-2.6.38.1-new/kernel/printk.c 2011-03-23 22:30:08.000000000 -0400
50928 @@ -279,12 +279,17 @@ static int check_syslog_permissions(int
50929 if (from_file && type != SYSLOG_ACTION_OPEN)
50932 +#ifdef CONFIG_GRKERNSEC_DMESG
50933 + if (grsec_enable_dmesg && !capable(CAP_SYSLOG) && !capable_nolog(CAP_SYS_ADMIN))
50937 if (syslog_action_restricted(type)) {
50938 if (vx_capable(CAP_SYSLOG, VXC_SYSLOG))
50940 /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */
50941 if (capable(CAP_SYS_ADMIN)) {
50942 - WARN_ONCE(1, "Attempt to access syslog with CAP_SYS_ADMIN "
50943 + printk_once(KERN_WARNING "Attempt to access syslog with CAP_SYS_ADMIN "
50944 "but no CAP_SYSLOG (deprecated).\n");
50947 diff -urNp linux-2.6.38.1/kernel/ptrace.c linux-2.6.38.1-new/kernel/ptrace.c
50948 --- linux-2.6.38.1/kernel/ptrace.c 2011-03-14 21:20:32.000000000 -0400
50949 +++ linux-2.6.38.1-new/kernel/ptrace.c 2011-03-21 18:31:35.000000000 -0400
50950 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
50951 cred->gid != tcred->egid ||
50952 cred->gid != tcred->sgid ||
50953 cred->gid != tcred->gid) &&
50954 - !capable(CAP_SYS_PTRACE)) {
50955 + !capable_nolog(CAP_SYS_PTRACE)) {
50959 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
50962 dumpable = get_dumpable(task->mm);
50963 - if (!dumpable && !capable(CAP_SYS_PTRACE))
50964 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
50967 return security_ptrace_access_check(task, mode);
50968 @@ -198,7 +198,7 @@ static int ptrace_attach(struct task_str
50969 goto unlock_tasklist;
50971 task->ptrace = PT_PTRACED;
50972 - if (capable(CAP_SYS_PTRACE))
50973 + if (capable_nolog(CAP_SYS_PTRACE))
50974 task->ptrace |= PT_PTRACE_CAP;
50976 __ptrace_link(task, current);
50977 @@ -369,7 +369,7 @@ int ptrace_readdata(struct task_struct *
50981 - if (copy_to_user(dst, buf, retval))
50982 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
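Review bot: The added `retval > sizeof(buf)` guard compares a signed int against a size_t, so retval is converted to unsigned and a negative value would also trip it; that is harmless here, since access_process_vm() returns a non-negative byte count and, as far as the non-visible surrounding code goes, that count is already bounded by a chunk length derived from sizeof(buf). The check is therefore defensive — it makes the copy_to_user() length provably within buf independent of the callee — and deserves a one-line comment saying so, e.g. `/* defensive: keep the copy_to_user() length provably <= sizeof(buf) */`, otherwise a later reader may remove it as dead. ptrace_readdata() begins and ends outside this hunk.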
50986 @@ -565,7 +565,7 @@ int ptrace_request(struct task_struct *c
50990 - void __user *datavp = (void __user *) data;
50991 + void __user *datavp = (__force void __user *) data;
50992 unsigned long __user *datalp = datavp;
50995 @@ -713,14 +713,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
50996 if (!vx_check(vx_task_xid(child), VS_WATCH_P | VS_IDENT))
50997 goto out_put_task_struct;
50999 + if (gr_handle_ptrace(child, request)) {
51001 + goto out_put_task_struct;
51004 if (request == PTRACE_ATTACH) {
51005 ret = ptrace_attach(child);
51007 * Some architectures need to do book-keeping after
51012 arch_ptrace_attach(child);
51013 + gr_audit_ptrace(child);
51015 goto out_put_task_struct;
51018 @@ -855,14 +862,21 @@ asmlinkage long compat_sys_ptrace(compat
51022 + if (gr_handle_ptrace(child, request)) {
51024 + goto out_put_task_struct;
51027 if (request == PTRACE_ATTACH) {
51028 ret = ptrace_attach(child);
51030 * Some architectures need to do book-keeping after
51035 arch_ptrace_attach(child);
51036 + gr_audit_ptrace(child);
51038 goto out_put_task_struct;
51041 diff -urNp linux-2.6.38.1/kernel/rcutree.c linux-2.6.38.1-new/kernel/rcutree.c
51042 --- linux-2.6.38.1/kernel/rcutree.c 2011-03-14 21:20:32.000000000 -0400
51043 +++ linux-2.6.38.1-new/kernel/rcutree.c 2011-03-21 18:31:35.000000000 -0400
51044 @@ -1389,7 +1389,7 @@ __rcu_process_callbacks(struct rcu_state
51046 * Do softirq processing for the current CPU.
51048 -static void rcu_process_callbacks(struct softirq_action *unused)
51049 +static void rcu_process_callbacks(void)
51052 * Memory references from any prior RCU read-side critical sections
51053 diff -urNp linux-2.6.38.1/kernel/rcutree_plugin.h linux-2.6.38.1-new/kernel/rcutree_plugin.h
51054 --- linux-2.6.38.1/kernel/rcutree_plugin.h 2011-03-14 21:20:32.000000000 -0400
51055 +++ linux-2.6.38.1-new/kernel/rcutree_plugin.h 2011-03-21 18:31:35.000000000 -0400
51056 @@ -730,7 +730,7 @@ void synchronize_rcu_expedited(void)
51058 /* Clean up and exit. */
51059 smp_mb(); /* ensure expedited GP seen before counter increment. */
51060 - ACCESS_ONCE(sync_rcu_preempt_exp_count)++;
51061 + ACCESS_ONCE_RW(sync_rcu_preempt_exp_count)++;
51063 mutex_unlock(&sync_rcu_preempt_exp_mutex);
51065 diff -urNp linux-2.6.38.1/kernel/resource.c linux-2.6.38.1-new/kernel/resource.c
51066 --- linux-2.6.38.1/kernel/resource.c 2011-03-14 21:20:32.000000000 -0400
51067 +++ linux-2.6.38.1-new/kernel/resource.c 2011-03-21 18:31:35.000000000 -0400
51068 @@ -133,8 +133,18 @@ static const struct file_operations proc
51070 static int __init ioresources_init(void)
51072 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51073 +#ifdef CONFIG_GRKERNSEC_PROC_USER
51074 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
51075 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
51076 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
51077 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
51078 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
51081 proc_create("ioports", 0, NULL, &proc_ioports_operations);
51082 proc_create("iomem", 0, NULL, &proc_iomem_operations);
51086 __initcall(ioresources_init);
51087 diff -urNp linux-2.6.38.1/kernel/rtmutex.c linux-2.6.38.1-new/kernel/rtmutex.c
51088 --- linux-2.6.38.1/kernel/rtmutex.c 2011-03-14 21:20:32.000000000 -0400
51089 +++ linux-2.6.38.1-new/kernel/rtmutex.c 2011-03-21 18:31:35.000000000 -0400
51090 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
51092 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
51094 - WARN_ON(!pendowner->pi_blocked_on);
51095 + BUG_ON(!pendowner->pi_blocked_on);
51096 WARN_ON(pendowner->pi_blocked_on != waiter);
51097 WARN_ON(pendowner->pi_blocked_on->lock != lock);
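Review bot: Promoting WARN_ON(!pendowner->pi_blocked_on) to BUG_ON() is justified by the line two below, which dereferences pendowner->pi_blocked_on to read ->lock, so a NULL would oops there anyway and failing explicitly first is the better behaviour — but nothing records that reasoning, and the neighbouring checks stay WARN_ON. A comment keeps the next reader from "softening" it back: `/* BUG_ON, not WARN_ON: pi_blocked_on is dereferenced just below */`. The init_sched_groups_power hunk in kernel/sched.c makes the same WARN_ON-to-BUG_ON change ahead of a `sd->groups` dereference and would take the same comment.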
51099 diff -urNp linux-2.6.38.1/kernel/sched.c linux-2.6.38.1-new/kernel/sched.c
51100 --- linux-2.6.38.1/kernel/sched.c 2011-03-23 17:20:08.000000000 -0400
51101 +++ linux-2.6.38.1-new/kernel/sched.c 2011-03-23 17:21:51.000000000 -0400
51102 @@ -4638,6 +4638,8 @@ int can_nice(const struct task_struct *p
51103 /* convert nice value [19,-20] to rlimit style value [1,40] */
51104 int nice_rlim = 20 - nice;
51106 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
51108 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
51109 capable(CAP_SYS_NICE));
51111 @@ -4671,7 +4673,8 @@ SYSCALL_DEFINE1(nice, int, increment)
51115 - if (increment < 0 && !can_nice(current, nice))
51116 + if (increment < 0 && (!can_nice(current, nice) ||
51117 + gr_handle_chroot_nice()))
51118 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
51120 retval = security_task_setnice(current, nice);
51121 @@ -4814,6 +4817,7 @@ recheck:
51122 unsigned long rlim_rtprio =
51123 task_rlimit(p, RLIMIT_RTPRIO);
51125 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
51126 /* can't set/change the rt policy */
51127 if (policy != p->policy && !rlim_rtprio)
51129 @@ -6942,7 +6946,7 @@ static void init_sched_groups_power(int
51133 - WARN_ON(!sd || !sd->groups);
51134 + BUG_ON(!sd || !sd->groups);
51136 if (cpu != group_first_cpu(sd->groups))
51138 diff -urNp linux-2.6.38.1/kernel/sched_fair.c linux-2.6.38.1-new/kernel/sched_fair.c
51139 --- linux-2.6.38.1/kernel/sched_fair.c 2011-03-14 21:20:32.000000000 -0400
51140 +++ linux-2.6.38.1-new/kernel/sched_fair.c 2011-03-21 18:31:35.000000000 -0400
51141 @@ -3960,7 +3960,7 @@ static void nohz_idle_balance(int this_c
51142 * run_rebalance_domains is triggered when needed from the scheduler tick.
51143 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
51145 -static void run_rebalance_domains(struct softirq_action *h)
51146 +static void run_rebalance_domains(void)
51148 int this_cpu = smp_processor_id();
51149 struct rq *this_rq = cpu_rq(this_cpu);
51150 diff -urNp linux-2.6.38.1/kernel/signal.c linux-2.6.38.1-new/kernel/signal.c
51151 --- linux-2.6.38.1/kernel/signal.c 2011-03-14 21:20:32.000000000 -0400
51152 +++ linux-2.6.38.1-new/kernel/signal.c 2011-03-21 18:31:35.000000000 -0400
51153 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
51155 int print_fatal_signals __read_mostly;
51157 -static void __user *sig_handler(struct task_struct *t, int sig)
51158 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
51160 return t->sighand->action[sig - 1].sa.sa_handler;
51163 -static int sig_handler_ignored(void __user *handler, int sig)
51164 +static int sig_handler_ignored(__sighandler_t handler, int sig)
51166 /* Is it explicitly or implicitly ignored? */
51167 return handler == SIG_IGN ||
51168 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
51169 static int sig_task_ignored(struct task_struct *t, int sig,
51170 int from_ancestor_ns)
51172 - void __user *handler;
51173 + __sighandler_t handler;
51175 handler = sig_handler(t, sig);
51177 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
51178 atomic_inc(&user->sigpending);
51181 + if (!override_rlimit)
51182 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
51184 if (override_rlimit ||
51185 atomic_read(&user->sigpending) <=
51186 task_rlimit(t, RLIMIT_SIGPENDING)) {
51187 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
51189 int unhandled_signal(struct task_struct *tsk, int sig)
51191 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
51192 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
51193 if (is_global_init(tsk))
51195 if (handler != SIG_IGN && handler != SIG_DFL)
51196 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
51197 sig, info, t, vx_task_xid(t), t->pid, current->xid);
51201 + if (gr_handle_signal(t, sig))
51205 return security_task_kill(t, info, sig, 0);
51207 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
51208 return send_signal(sig, info, p, 1);
51213 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
51215 return send_signal(sig, info, t, 0);
51216 @@ -1062,6 +1068,7 @@ force_sig_info(int sig, struct siginfo *
51217 unsigned long int flags;
51218 int ret, blocked, ignored;
51219 struct k_sigaction *action;
51220 + int is_unhandled = 0;
51222 spin_lock_irqsave(&t->sighand->siglock, flags);
51223 action = &t->sighand->action[sig-1];
51224 @@ -1076,9 +1083,18 @@ force_sig_info(int sig, struct siginfo *
51226 if (action->sa.sa_handler == SIG_DFL)
51227 t->signal->flags &= ~SIGNAL_UNKILLABLE;
51228 + if (action->sa.sa_handler == SIG_IGN || action->sa.sa_handler == SIG_DFL)
51229 + is_unhandled = 1;
51230 ret = specific_send_sig_info(sig, info, t);
51231 spin_unlock_irqrestore(&t->sighand->siglock, flags);
51233 + /* only deal with unhandled signals, java etc trigger SIGSEGV during
51234 + normal operation */
51235 + if (is_unhandled) {
51236 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
51237 + gr_handle_crash(t, sig);
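Review bot: `info->si_addr` is passed to gr_log_signal() for every non-special siginfo regardless of the signal number, but si_addr is only meaningful for the fault-class signals (SIGSEGV, SIGBUS, SIGILL, SIGFPE, SIGTRAP); for other signals the same bytes of the siginfo union hold unrelated fields such as the sender's pid/uid or rt/timer data, so the logged "address" is noise unless gr_log_signal() filters on sig itself, which this hunk cannot show. The same expression appears in the group_send_sig_info hunk below, where the siginfo typically originates from kill(2) or rt_sigqueueinfo(2) and the union certainly holds sender fields. If the helper does not filter, pass NULL for non-fault signals at both call sites; if it does, record the dependency here: `/* si_addr is only valid for fault signals; gr_log_signal() ignores it otherwise */`. force_sig_info() continues beyond this hunk.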
51243 @@ -1137,8 +1153,11 @@ int group_send_sig_info(int sig, struct
51244 ret = check_kill_permission(sig, info, p);
51248 + if (!ret && sig) {
51249 ret = do_send_sig_info(sig, info, p, true);
51251 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
51256 diff -urNp linux-2.6.38.1/kernel/smp.c linux-2.6.38.1-new/kernel/smp.c
51257 --- linux-2.6.38.1/kernel/smp.c 2011-03-23 17:20:08.000000000 -0400
51258 +++ linux-2.6.38.1-new/kernel/smp.c 2011-03-23 17:21:51.000000000 -0400
51259 @@ -583,22 +583,22 @@ int smp_call_function(smp_call_func_t fu
51261 EXPORT_SYMBOL(smp_call_function);
51263 -void ipi_call_lock(void)
51264 +void ipi_call_lock(void) __acquires(call_function.lock)
51266 raw_spin_lock(&call_function.lock);
51269 -void ipi_call_unlock(void)
51270 +void ipi_call_unlock(void) __releases(call_function.lock)
51272 raw_spin_unlock(&call_function.lock);
51275 -void ipi_call_lock_irq(void)
51276 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
51278 raw_spin_lock_irq(&call_function.lock);
51281 -void ipi_call_unlock_irq(void)
51282 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
51284 raw_spin_unlock_irq(&call_function.lock);
51286 diff -urNp linux-2.6.38.1/kernel/softirq.c linux-2.6.38.1-new/kernel/softirq.c
51287 --- linux-2.6.38.1/kernel/softirq.c 2011-03-14 21:20:32.000000000 -0400
51288 +++ linux-2.6.38.1-new/kernel/softirq.c 2011-03-21 18:31:35.000000000 -0400
51289 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
51291 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
51293 -char *softirq_to_name[NR_SOFTIRQS] = {
51294 +const char * const softirq_to_name[NR_SOFTIRQS] = {
51295 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
51296 "TASKLET", "SCHED", "HRTIMER", "RCU"
51298 @@ -206,7 +206,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
51300 asmlinkage void __do_softirq(void)
51302 - struct softirq_action *h;
51303 + const struct softirq_action *h;
51305 int max_restart = MAX_SOFTIRQ_RESTART;
51307 @@ -235,7 +235,7 @@ restart:
51308 kstat_incr_softirqs_this_cpu(vec_nr);
51310 trace_softirq_entry(vec_nr);
51313 trace_softirq_exit(vec_nr);
51314 if (unlikely(prev_count != preempt_count())) {
51315 printk(KERN_ERR "huh, entered softirq %u %s %p"
51316 @@ -365,7 +365,7 @@ void raise_softirq(unsigned int nr)
51317 local_irq_restore(flags);
51320 -void open_softirq(int nr, void (*action)(struct softirq_action *))
51321 +void open_softirq(int nr, void (*action)(void))
51323 softirq_vec[nr].action = action;
51325 @@ -421,7 +421,7 @@ void __tasklet_hi_schedule_first(struct
51327 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
51329 -static void tasklet_action(struct softirq_action *a)
51330 +static void tasklet_action(void)
51332 struct tasklet_struct *list;
51334 @@ -456,7 +456,7 @@ static void tasklet_action(struct softir
51338 -static void tasklet_hi_action(struct softirq_action *a)
51339 +static void tasklet_hi_action(void)
51341 struct tasklet_struct *list;
51343 diff -urNp linux-2.6.38.1/kernel/sys.c linux-2.6.38.1-new/kernel/sys.c
51344 --- linux-2.6.38.1/kernel/sys.c 2011-03-14 21:20:32.000000000 -0400
51345 +++ linux-2.6.38.1-new/kernel/sys.c 2011-03-21 18:31:35.000000000 -0400
51346 @@ -136,6 +136,12 @@ static int set_one_prio(struct task_stru
51351 + if (gr_handle_chroot_setpriority(p, niceval)) {
51356 no_nice = security_task_setnice(p, niceval);
51359 @@ -517,6 +523,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
51363 + if (gr_check_group_change(new->gid, new->egid, -1))
51366 if (rgid != (gid_t) -1 ||
51367 (egid != (gid_t) -1 && egid != old->gid))
51368 new->sgid = new->egid;
51369 @@ -546,6 +555,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
51370 old = current_cred();
51374 + if (gr_check_group_change(gid, gid, gid))
51377 if (capable(CAP_SETGID))
51378 new->gid = new->egid = new->sgid = new->fsgid = gid;
51379 else if (gid == old->gid || gid == old->sgid)
51380 @@ -626,6 +639,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
51384 + if (gr_check_user_change(new->uid, new->euid, -1))
51387 if (new->uid != old->uid) {
51388 retval = set_user(new);
51390 @@ -670,6 +686,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
51391 old = current_cred();
51395 + if (gr_check_crash_uid(uid))
51397 + if (gr_check_user_change(uid, uid, uid))
51400 if (capable(CAP_SETUID)) {
51401 new->suid = new->uid = uid;
51402 if (uid != old->uid) {
51403 @@ -724,6 +746,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
51407 + if (gr_check_user_change(ruid, euid, -1))
51410 if (ruid != (uid_t) -1) {
51412 if (ruid != old->uid) {
51413 @@ -788,6 +813,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
51417 + if (gr_check_group_change(rgid, egid, -1))
51420 if (rgid != (gid_t) -1)
51422 if (egid != (gid_t) -1)
51423 @@ -834,6 +862,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51424 old = current_cred();
51425 old_fsuid = old->fsuid;
51427 + if (gr_check_user_change(-1, -1, uid))
51430 if (uid == old->uid || uid == old->euid ||
51431 uid == old->suid || uid == old->fsuid ||
51432 capable(CAP_SETUID)) {
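Review bot: The gr_check_user_change(-1, -1, uid) hook in setfsuid runs before the ownership/CAP_SETUID test, whereas the matching gr_check_group_change(-1, -1, gid) hook in the setfsgid hunk below sits inside the branch that has already established the caller may change the id. Both placements deny the same permitted changes, but the setfsuid form also invokes the policy check — and whatever logging it performs — for requests the kernel would reject anyway, and the asymmetry between two otherwise parallel syscalls reads as accidental. Moving the setfsuid call inside the `if (uid == old->uid || ... capable(CAP_SETUID)) {` block, as setfsgid does, would make the pair consistent; the remainder of setfsuid lies outside this hunk.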
51433 @@ -844,6 +875,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
51441 @@ -870,12 +902,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
51442 if (gid == old->gid || gid == old->egid ||
51443 gid == old->sgid || gid == old->fsgid ||
51444 capable(CAP_SETGID)) {
51445 + if (gr_check_group_change(-1, -1, gid))
51448 if (gid != old_fsgid) {
51458 @@ -1616,7 +1652,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
51459 error = get_dumpable(me->mm);
51461 case PR_SET_DUMPABLE:
51462 - if (arg2 < 0 || arg2 > 1) {
51467 diff -urNp linux-2.6.38.1/kernel/sysctl.c linux-2.6.38.1-new/kernel/sysctl.c
51468 --- linux-2.6.38.1/kernel/sysctl.c 2011-03-14 21:20:32.000000000 -0400
51469 +++ linux-2.6.38.1-new/kernel/sysctl.c 2011-03-21 18:31:35.000000000 -0400
51473 #if defined(CONFIG_SYSCTL)
51474 +#include <linux/grsecurity.h>
51475 +#include <linux/grinternal.h>
51477 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
51478 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
51480 +extern int gr_handle_chroot_sysctl(const int op);
51482 /* External variables not in a header file. */
51483 extern int sysctl_overcommit_memory;
51484 @@ -190,6 +197,7 @@ static int sysrq_sysctl_handler(ctl_tabl
51488 +extern struct ctl_table grsecurity_table[];
51490 static struct ctl_table root_table[];
51491 static struct ctl_table_root sysctl_table_root;
51492 @@ -219,6 +227,20 @@ extern struct ctl_table epoll_table[];
51493 int sysctl_legacy_va_layout;
51496 +#ifdef CONFIG_PAX_SOFTMODE
51497 +static ctl_table pax_table[] = {
51499 + .procname = "softmode",
51500 + .data = &pax_softmode,
51501 + .maxlen = sizeof(unsigned int),
51503 + .proc_handler = &proc_dointvec,
51510 /* The default sysctl tables: */
51512 static struct ctl_table root_table[] = {
51513 @@ -265,6 +287,22 @@ static int max_extfrag_threshold = 1000;
51516 static struct ctl_table kern_table[] = {
51517 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
51519 + .procname = "grsecurity",
51521 + .child = grsecurity_table,
51525 +#ifdef CONFIG_PAX_SOFTMODE
51527 + .procname = "pax",
51529 + .child = pax_table,
51534 .procname = "sched_child_runs_first",
51535 .data = &sysctl_sched_child_runs_first,
51536 @@ -546,7 +584,7 @@ static struct ctl_table kern_table[] = {
51537 .data = &modprobe_path,
51538 .maxlen = KMOD_PATH_LEN,
51540 - .proc_handler = proc_dostring,
51541 + .proc_handler = proc_dostring_modpriv,
51544 .procname = "modules_disabled",
51545 @@ -708,16 +746,20 @@ static struct ctl_table kern_table[] = {
51551 .procname = "kptr_restrict",
51552 .data = &kptr_restrict,
51553 .maxlen = sizeof(int),
51555 .proc_handler = proc_dointvec_minmax,
51556 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51565 .procname = "ngroups_max",
51566 .data = &ngroups_max,
51567 @@ -1182,6 +1224,13 @@ static struct ctl_table vm_table[] = {
51568 .proc_handler = proc_dointvec_minmax,
51572 + .procname = "heap_stack_gap",
51573 + .data = &sysctl_heap_stack_gap,
51574 + .maxlen = sizeof(sysctl_heap_stack_gap),
51576 + .proc_handler = proc_doulongvec_minmax,
51580 .procname = "nr_trim_pages",
51581 @@ -1693,6 +1742,16 @@ int sysctl_perm(struct ctl_table_root *r
51585 + if (table->parent != NULL && table->parent->procname != NULL &&
51586 + table->procname != NULL &&
51587 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
51589 + if (gr_handle_chroot_sysctl(op))
51591 + error = gr_handle_sysctl(table, op);
51595 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
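Review bot: gr_handle_sysctl_mod() is given only the immediate parent's procname and the leaf procname, so two entries at different depths that share the same (parent, name) pair are indistinguishable to the hook — a recurring pattern in sysctl trees where per-object directories repeat the same leaf names under different grandparents. Whether that matters depends on what the hook matches, which is not visible here; if it is meant to single out specific entries, the ctl_table pointer that gr_handle_sysctl(table, op) already receives a few lines below is the safer key, and a comment at this call should state which (dirname, name) pairs it is expected to see. The NULL tests on the three procnames are needed, presumably because some table entries leave procname unset. The return taken when either hook fires is not visible in this rendering of the hunk, and sysctl_perm()'s body continues beyond it.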
51598 @@ -2100,6 +2159,16 @@ int proc_dostring(struct ctl_table *tabl
51599 buffer, lenp, ppos);
51602 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51603 + void __user *buffer, size_t *lenp, loff_t *ppos)
51605 + if (write && !capable(CAP_SYS_MODULE))
51608 + return _proc_do_string(table->data, table->maxlen, write,
51609 + buffer, lenp, ppos);
51612 static size_t proc_skip_spaces(char **buf)
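Review bot: proc_dostring_modpriv() gates writes on capable(CAP_SYS_MODULE) but carries no comment explaining why a generic string handler needs a capability test, and it is exported (EXPORT_SYMBOL in a later hunk) so other code may adopt it without knowing the intent. A kerneldoc header would make the contract durable: reads behave exactly like proc_dostring(); writes additionally require CAP_SYS_MODULE, presumably because the only entry switched to it in the kern_table hunk above is modprobe_path, a string naming a binary the kernel itself executes. The return statement taken when the capability check fails is dropped from this rendering of the hunk; the header should also name the errno it returns. Any other string sysctl that names a helper executable run by the kernel gets the same protection only if it is switched to this handler too, so kern_table is worth a pass for such entries.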
51615 @@ -2205,6 +2274,8 @@ static int proc_put_long(void __user **b
51619 + if (len > sizeof(tmp))
51620 + len = sizeof(tmp);
51621 if (copy_to_user(*buf, tmp, len))
51624 @@ -2510,8 +2581,11 @@ static int __do_proc_doulongvec_minmax(v
51627 val = convdiv * (*i) / convmul;
51630 err = proc_put_char(&buffer, &left, '\t');
51634 err = proc_put_long(&buffer, &left, val, false);
51637 @@ -2906,6 +2980,12 @@ int proc_dostring(struct ctl_table *tabl
51641 +int proc_dostring_modpriv(struct ctl_table *table, int write,
51642 + void __user *buffer, size_t *lenp, loff_t *ppos)
51647 int proc_dointvec(struct ctl_table *table, int write,
51648 void __user *buffer, size_t *lenp, loff_t *ppos)
51650 @@ -2962,6 +3042,7 @@ EXPORT_SYMBOL(proc_dointvec_minmax);
51651 EXPORT_SYMBOL(proc_dointvec_userhz_jiffies);
51652 EXPORT_SYMBOL(proc_dointvec_ms_jiffies);
51653 EXPORT_SYMBOL(proc_dostring);
51654 +EXPORT_SYMBOL(proc_dostring_modpriv);
51655 EXPORT_SYMBOL(proc_doulongvec_minmax);
51656 EXPORT_SYMBOL(proc_doulongvec_ms_jiffies_minmax);
51657 EXPORT_SYMBOL(register_sysctl_table);
51658 diff -urNp linux-2.6.38.1/kernel/sysctl_check.c linux-2.6.38.1-new/kernel/sysctl_check.c
51659 --- linux-2.6.38.1/kernel/sysctl_check.c 2011-03-14 21:20:32.000000000 -0400
51660 +++ linux-2.6.38.1-new/kernel/sysctl_check.c 2011-03-21 18:31:35.000000000 -0400
51661 @@ -131,6 +131,7 @@ int sysctl_check_table(struct nsproxy *n
51662 set_fail(&fail, table, "Directory with extra2");
51664 if ((table->proc_handler == proc_dostring) ||
51665 + (table->proc_handler == proc_dostring_modpriv) ||
51666 (table->proc_handler == proc_dointvec) ||
51667 (table->proc_handler == proc_dointvec_minmax) ||
51668 (table->proc_handler == proc_dointvec_jiffies) ||
51669 diff -urNp linux-2.6.38.1/kernel/taskstats.c linux-2.6.38.1-new/kernel/taskstats.c
51670 --- linux-2.6.38.1/kernel/taskstats.c 2011-03-14 21:20:32.000000000 -0400
51671 +++ linux-2.6.38.1-new/kernel/taskstats.c 2011-03-21 18:31:35.000000000 -0400
51673 #include <linux/cgroup.h>
51674 #include <linux/fs.h>
51675 #include <linux/file.h>
51676 +#include <linux/grsecurity.h>
51677 #include <net/genetlink.h>
51678 #include <asm/atomic.h>
51680 +extern int gr_is_taskstats_denied(int pid);
51683 * Maximum length of a cpumask that can be specified in
51684 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
51685 @@ -549,6 +552,9 @@ err:
51687 static int taskstats_user_cmd(struct sk_buff *skb, struct genl_info *info)
51689 + if (gr_is_taskstats_denied(current->pid))
51692 if (info->attrs[TASKSTATS_CMD_ATTR_REGISTER_CPUMASK])
51693 return cmd_attr_register_cpumask(info);
51694 else if (info->attrs[TASKSTATS_CMD_ATTR_DEREGISTER_CPUMASK])
51695 diff -urNp linux-2.6.38.1/kernel/time/tick-broadcast.c linux-2.6.38.1-new/kernel/time/tick-broadcast.c
51696 --- linux-2.6.38.1/kernel/time/tick-broadcast.c 2011-03-14 21:20:32.000000000 -0400
51697 +++ linux-2.6.38.1-new/kernel/time/tick-broadcast.c 2011-03-21 18:31:35.000000000 -0400
51698 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
51699 * then clear the broadcast bit.
51701 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
51702 - int cpu = smp_processor_id();
51703 + cpu = smp_processor_id();
51705 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
51706 tick_broadcast_clear_oneshot(cpu);
51707 diff -urNp linux-2.6.38.1/kernel/time/timekeeping.c linux-2.6.38.1-new/kernel/time/timekeeping.c
51708 --- linux-2.6.38.1/kernel/time/timekeeping.c 2011-03-14 21:20:32.000000000 -0400
51709 +++ linux-2.6.38.1-new/kernel/time/timekeeping.c 2011-03-21 18:31:35.000000000 -0400
51711 #include <linux/init.h>
51712 #include <linux/mm.h>
51713 #include <linux/sched.h>
51714 +#include <linux/grsecurity.h>
51715 #include <linux/sysdev.h>
51716 #include <linux/clocksource.h>
51717 #include <linux/jiffies.h>
51718 @@ -361,6 +362,8 @@ int do_settimeofday(struct timespec *tv)
51719 if ((unsigned long)tv->tv_nsec >= NSEC_PER_SEC)
51722 + gr_log_timechange();
51724 write_seqlock_irqsave(&xtime_lock, flags);
51726 timekeeping_forward_now();
51727 diff -urNp linux-2.6.38.1/kernel/time/timer_list.c linux-2.6.38.1-new/kernel/time/timer_list.c
51728 --- linux-2.6.38.1/kernel/time/timer_list.c 2011-03-14 21:20:32.000000000 -0400
51729 +++ linux-2.6.38.1-new/kernel/time/timer_list.c 2011-03-21 18:31:35.000000000 -0400
51730 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
51732 static void print_name_offset(struct seq_file *m, void *sym)
51734 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51735 + SEQ_printf(m, "<%p>", NULL);
51737 char symname[KSYM_NAME_LEN];
51739 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
51740 SEQ_printf(m, "<%pK>", sym);
51742 SEQ_printf(m, "%s", symname);
51747 @@ -112,7 +116,11 @@ next_one:
51749 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
51751 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51752 + SEQ_printf(m, " .base: %p\n", NULL);
51754 SEQ_printf(m, " .base: %pK\n", base);
51756 SEQ_printf(m, " .index: %d\n",
51758 SEQ_printf(m, " .resolution: %Lu nsecs\n",
51759 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
51761 struct proc_dir_entry *pe;
51763 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51764 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
51766 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
51771 diff -urNp linux-2.6.38.1/kernel/time/timer_stats.c linux-2.6.38.1-new/kernel/time/timer_stats.c
51772 --- linux-2.6.38.1/kernel/time/timer_stats.c 2011-03-14 21:20:32.000000000 -0400
51773 +++ linux-2.6.38.1-new/kernel/time/timer_stats.c 2011-03-21 18:31:35.000000000 -0400
51774 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
51776 static void print_name_offset(struct seq_file *m, unsigned long addr)
51778 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51779 + seq_printf(m, "<%p>", NULL);
51781 char symname[KSYM_NAME_LEN];
51783 if (lookup_symbol_name(addr, symname) < 0)
51784 seq_printf(m, "<%p>", (void *)addr);
51786 seq_printf(m, "%s", symname);
51790 static int tstats_show(struct seq_file *m, void *v)
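Review bot: In the non-HIDESYM branch of print_name_offset() the fallback `seq_printf(m, "<%p>", (void *)addr)` still emits the raw address with %p, whereas the equivalent fallback in the kernel/time/timer_list.c hunk above uses %pK and therefore honours kptr_restrict. Changing this line to `seq_printf(m, "<%pK>", (void *)addr);` gives timer_stats the same behaviour without depending on CONFIG_GRKERNSEC_HIDESYM; the HIDESYM branch that prints `<%p>` with NULL is unaffected. The line is context rather than new code, but the hunk already restructures the function around it, so this is the natural place to align the two files.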
51791 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
51793 struct proc_dir_entry *pe;
51795 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
51796 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
51798 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
51803 diff -urNp linux-2.6.38.1/kernel/time.c linux-2.6.38.1-new/kernel/time.c
51804 --- linux-2.6.38.1/kernel/time.c 2011-03-14 21:20:32.000000000 -0400
51805 +++ linux-2.6.38.1-new/kernel/time.c 2011-03-21 18:31:35.000000000 -0400
51806 @@ -163,6 +163,11 @@ int do_sys_settimeofday(struct timespec
51810 + /* we log in do_settimeofday called below, so don't log twice
51813 + gr_log_timechange();
51815 /* SMP safe, global irq locking makes it work. */
51817 update_vsyscall_tz();
51818 diff -urNp linux-2.6.38.1/kernel/timer.c linux-2.6.38.1-new/kernel/timer.c
51819 --- linux-2.6.38.1/kernel/timer.c 2011-03-14 21:20:32.000000000 -0400
51820 +++ linux-2.6.38.1-new/kernel/timer.c 2011-03-21 18:31:35.000000000 -0400
51821 @@ -1276,7 +1276,7 @@ void update_process_times(int user_tick)
51823 * This function runs timers and the timer-tq in bottom half context.
51825 -static void run_timer_softirq(struct softirq_action *h)
51826 +static void run_timer_softirq(void)
51828 struct tvec_base *base = __this_cpu_read(tvec_bases);
51830 diff -urNp linux-2.6.38.1/kernel/trace/ftrace.c linux-2.6.38.1-new/kernel/trace/ftrace.c
51831 --- linux-2.6.38.1/kernel/trace/ftrace.c 2011-03-23 17:20:08.000000000 -0400
51832 +++ linux-2.6.38.1-new/kernel/trace/ftrace.c 2011-03-23 17:21:51.000000000 -0400
51833 @@ -1107,13 +1107,18 @@ ftrace_code_disable(struct module *mod,
51837 + ret = ftrace_arch_code_modify_prepare();
51838 + FTRACE_WARN_ON(ret);
51842 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
51843 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
51845 ftrace_bug(ret, ip);
51846 rec->flags |= FTRACE_FL_FAILED;
51850 + return ret ? 0 : 1;
51854 diff -urNp linux-2.6.38.1/kernel/trace/ring_buffer.c linux-2.6.38.1-new/kernel/trace/ring_buffer.c
51855 --- linux-2.6.38.1/kernel/trace/ring_buffer.c 2011-03-14 21:20:32.000000000 -0400
51856 +++ linux-2.6.38.1-new/kernel/trace/ring_buffer.c 2011-03-21 18:31:35.000000000 -0400
51857 @@ -669,7 +669,7 @@ static struct list_head *rb_list_head(st
51858 * the reader page). But if the next page is a header page,
51859 * its flags will be non zero.
51863 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
51864 struct buffer_page *page, struct list_head *list)
51866 diff -urNp linux-2.6.38.1/kernel/trace/trace.c linux-2.6.38.1-new/kernel/trace/trace.c
51867 --- linux-2.6.38.1/kernel/trace/trace.c 2011-03-14 21:20:32.000000000 -0400
51868 +++ linux-2.6.38.1-new/kernel/trace/trace.c 2011-03-21 18:31:35.000000000 -0400
51869 @@ -3967,10 +3967,9 @@ static const struct file_operations trac
51873 -static struct dentry *d_tracer;
51875 struct dentry *tracing_init_dentry(void)
51877 + static struct dentry *d_tracer;
51881 @@ -3990,10 +3989,9 @@ struct dentry *tracing_init_dentry(void)
51885 -static struct dentry *d_percpu;
51887 struct dentry *tracing_dentry_percpu(void)
51889 + static struct dentry *d_percpu;
51891 struct dentry *d_tracer;
51893 diff -urNp linux-2.6.38.1/kernel/trace/trace_events.c linux-2.6.38.1-new/kernel/trace/trace_events.c
51894 --- linux-2.6.38.1/kernel/trace/trace_events.c 2011-03-14 21:20:32.000000000 -0400
51895 +++ linux-2.6.38.1-new/kernel/trace/trace_events.c 2011-03-21 18:31:35.000000000 -0400
51896 @@ -1240,10 +1240,10 @@ static LIST_HEAD(ftrace_module_file_list
51897 struct ftrace_module_file_ops {
51898 struct list_head list;
51899 struct module *mod;
51900 - struct file_operations id;
51901 - struct file_operations enable;
51902 - struct file_operations format;
51903 - struct file_operations filter;
51904 + struct file_operations id; /* cannot be const, see trace_create_file_ops() */
51905 + struct file_operations enable; /* cannot be const, see trace_create_file_ops() */
51906 + struct file_operations format; /* cannot be const, see trace_create_file_ops() */
51907 + struct file_operations filter; /* cannot be const, see trace_create_file_ops() */
51910 static struct ftrace_module_file_ops *
51911 diff -urNp linux-2.6.38.1/kernel/trace/trace_output.c linux-2.6.38.1-new/kernel/trace/trace_output.c
51912 --- linux-2.6.38.1/kernel/trace/trace_output.c 2011-03-14 21:20:32.000000000 -0400
51913 +++ linux-2.6.38.1-new/kernel/trace/trace_output.c 2011-03-21 18:31:35.000000000 -0400
51914 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
51916 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
51918 - p = mangle_path(s->buffer + s->len, p, "\n");
51919 + p = mangle_path(s->buffer + s->len, p, "\n\\");
51921 s->len = p - s->buffer;
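Review bot: The widened escape set `"\n\\"` passed to mangle_path() at the changed line is a correctness fix whose reason is not recorded: if the backslash itself is not escaped, a path component containing a literal backslash cannot be told apart from an escape produced by mangle_path() when the output is read back. A short comment, `/* escape '\\' as well so a literal backslash in a name cannot be confused with an escape sequence */`, would keep the next maintainer from "simplifying" it back. trace_seq_path() begins above the hunk.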
51923 diff -urNp linux-2.6.38.1/kernel/trace/trace_stack.c linux-2.6.38.1-new/kernel/trace/trace_stack.c
51924 --- linux-2.6.38.1/kernel/trace/trace_stack.c 2011-03-14 21:20:32.000000000 -0400
51925 +++ linux-2.6.38.1-new/kernel/trace/trace_stack.c 2011-03-21 18:31:35.000000000 -0400
51926 @@ -50,7 +50,7 @@ static inline void check_stack(void)
51929 /* we do not handle interrupt stacks yet */
51930 - if (!object_is_on_stack(&this_size))
51931 + if (!object_starts_on_stack(&this_size))
51934 local_irq_save(flags);
51935 diff -urNp linux-2.6.38.1/lib/bug.c linux-2.6.38.1-new/lib/bug.c
51936 --- linux-2.6.38.1/lib/bug.c 2011-03-14 21:20:32.000000000 -0400
51937 +++ linux-2.6.38.1-new/lib/bug.c 2011-03-21 18:31:35.000000000 -0400
51938 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
51939 return BUG_TRAP_TYPE_NONE;
51941 bug = find_bug(bugaddr);
51943 + return BUG_TRAP_TYPE_NONE;
51947 diff -urNp linux-2.6.38.1/lib/debugobjects.c linux-2.6.38.1-new/lib/debugobjects.c
51948 --- linux-2.6.38.1/lib/debugobjects.c 2011-03-14 21:20:32.000000000 -0400
51949 +++ linux-2.6.38.1-new/lib/debugobjects.c 2011-03-21 18:31:35.000000000 -0400
51950 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
51954 - is_on_stack = object_is_on_stack(addr);
51955 + is_on_stack = object_starts_on_stack(addr);
51956 if (is_on_stack == onstack)
51959 diff -urNp linux-2.6.38.1/lib/dma-debug.c linux-2.6.38.1-new/lib/dma-debug.c
51960 --- linux-2.6.38.1/lib/dma-debug.c 2011-03-14 21:20:32.000000000 -0400
51961 +++ linux-2.6.38.1-new/lib/dma-debug.c 2011-03-21 18:31:35.000000000 -0400
51962 @@ -862,7 +862,7 @@ out:
51964 static void check_for_stack(struct device *dev, void *addr)
51966 - if (object_is_on_stack(addr))
51967 + if (object_starts_on_stack(addr))
51968 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
51969 "stack [addr=%p]\n", addr);
51971 diff -urNp linux-2.6.38.1/lib/inflate.c linux-2.6.38.1-new/lib/inflate.c
51972 --- linux-2.6.38.1/lib/inflate.c 2011-03-14 21:20:32.000000000 -0400
51973 +++ linux-2.6.38.1-new/lib/inflate.c 2011-03-21 18:31:35.000000000 -0400
51974 @@ -269,7 +269,7 @@ static void free(void *where)
51975 malloc_ptr = free_mem_ptr;
51978 -#define malloc(a) kmalloc(a, GFP_KERNEL)
51979 +#define malloc(a) kmalloc((a), GFP_KERNEL)
51980 #define free(a) kfree(a)
51983 diff -urNp linux-2.6.38.1/lib/Kconfig.debug linux-2.6.38.1-new/lib/Kconfig.debug
51984 --- linux-2.6.38.1/lib/Kconfig.debug 2011-03-14 21:20:32.000000000 -0400
51985 +++ linux-2.6.38.1-new/lib/Kconfig.debug 2011-03-21 18:31:35.000000000 -0400
51986 @@ -1066,6 +1066,7 @@ config LATENCYTOP
51987 depends on DEBUG_KERNEL
51988 depends on STACKTRACE_SUPPORT
51990 + depends on !GRKERNSEC_HIDESYM
51991 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
51993 select KALLSYMS_ALL
51994 diff -urNp linux-2.6.38.1/lib/kref.c linux-2.6.38.1-new/lib/kref.c
51995 --- linux-2.6.38.1/lib/kref.c 2011-03-14 21:20:32.000000000 -0400
51996 +++ linux-2.6.38.1-new/lib/kref.c 2011-03-21 18:31:35.000000000 -0400
51997 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
51999 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
52001 - WARN_ON(release == NULL);
52002 + BUG_ON(release == NULL);
52003 WARN_ON(release == (void (*)(struct kref *))kfree);
52005 if (atomic_dec_and_test(&kref->refcount)) {
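Review bot: `BUG_ON(release == NULL);` turns what used to be a warning into a fatal oops on every kref_put() call, including the common decrement that does not reach zero and previously ran to completion, while the neighbouring `WARN_ON(release == (void (*)(struct kref *))kfree);` keeps the softer treatment, so the two invalid-callback cases are now handled inconsistently. If the intent is fail-fast for a NULL release (which would otherwise be called through a NULL function pointer when the count hits zero), a comment should state that trade-off, e.g. `/* a NULL release would be called on the final put; fail here rather than later */`. Whether the kfree case should be promoted the same way is worth deciding explicitly rather than leaving the asymmetry.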
52006 diff -urNp linux-2.6.38.1/lib/radix-tree.c linux-2.6.38.1-new/lib/radix-tree.c
52007 --- linux-2.6.38.1/lib/radix-tree.c 2011-03-14 21:20:32.000000000 -0400
52008 +++ linux-2.6.38.1-new/lib/radix-tree.c 2011-03-21 18:31:35.000000000 -0400
52009 @@ -80,7 +80,7 @@ struct radix_tree_preload {
52011 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
52013 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
52014 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
52016 static inline void *ptr_to_indirect(void *ptr)
52018 diff -urNp linux-2.6.38.1/lib/vsprintf.c linux-2.6.38.1-new/lib/vsprintf.c
52019 --- linux-2.6.38.1/lib/vsprintf.c 2011-03-14 21:20:32.000000000 -0400
52020 +++ linux-2.6.38.1-new/lib/vsprintf.c 2011-03-21 18:31:35.000000000 -0400
52022 * - scnprintf and vscnprintf
52025 +#ifdef CONFIG_GRKERNSEC_HIDESYM
52026 +#define __INCLUDED_BY_HIDESYM 1
52028 #include <stdarg.h>
52029 #include <linux/module.h>
52030 #include <linux/types.h>
52031 @@ -574,7 +577,7 @@ char *symbol_string(char *buf, char *end
52032 unsigned long value = (unsigned long) ptr;
52033 #ifdef CONFIG_KALLSYMS
52034 char sym[KSYM_SYMBOL_LEN];
52035 - if (ext != 'f' && ext != 's')
52036 + if (ext != 'f' && ext != 's' && ext != 'a')
52037 sprint_symbol(sym, value);
52039 kallsyms_lookup(value, NULL, NULL, NULL, sym);
52040 @@ -936,7 +939,11 @@ char *uuid_string(char *buf, char *end,
52041 return string(buf, end, uuid, spec);
52044 +#ifdef CONFIG_GRKERNSEC_HIDESYM
52045 +int kptr_restrict = 2;
52047 int kptr_restrict = 1;
52051 * Show a '%p' thing. A kernel extension is that the '%p' is followed
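Review bot: The HIDESYM default `int kptr_restrict = 2;` changes what `%pK` prints for every caller (pointers are replaced by zeros regardless of privilege) and is only a boot-time default, still writable through the kernel.kptr_restrict sysctl; neither fact is stated at the definition. A comment such as `/* GRKERNSEC_HIDESYM: %pK hides kernel pointers from all users by default; tunable via sysctl kernel.kptr_restrict */` would save the next reader a trip to the sysctl handler. The `#else`/`#endif` lines of this conditional fall between the shown lines, so the exact shape of the block is inferred.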
52052 @@ -949,6 +956,8 @@ int kptr_restrict = 1;
52053 * - 'f' For simple symbolic function names without offset
52054 * - 'S' For symbolic direct pointers with offset
52055 * - 's' For symbolic direct pointers without offset
52056 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
52057 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
52058 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
52059 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
52060 * - 'M' For a 6-byte MAC address, it prints the address in the
52061 @@ -993,12 +1002,12 @@ char *pointer(const char *fmt, char *buf
52065 - * Print (null) with the same width as a pointer so it makes
52066 + * Print (nil) with the same width as a pointer so it makes
52067 * tabular output look nice.
52069 if (spec.field_width == -1)
52070 spec.field_width = 2 * sizeof(void *);
52071 - return string(buf, end, "(null)", spec);
52072 + return string(buf, end, "(nil)", spec);
52076 @@ -1008,6 +1017,13 @@ char *pointer(const char *fmt, char *buf
52080 +#ifdef CONFIG_GRKERNSEC_HIDESYM
52083 + return symbol_string(buf, end, ptr, spec, *fmt);
52087 return symbol_string(buf, end, ptr, spec, *fmt);
52090 @@ -1772,11 +1788,11 @@ int bstr_printf(char *buf, size_t size,
52091 typeof(type) value; \
52092 if (sizeof(type) == 8) { \
52093 args = PTR_ALIGN(args, sizeof(u32)); \
52094 - *(u32 *)&value = *(u32 *)args; \
52095 - *((u32 *)&value + 1) = *(u32 *)(args + 4); \
52096 + *(u32 *)&value = *(const u32 *)args; \
52097 + *((u32 *)&value + 1) = *(const u32 *)(args + 4); \
52099 args = PTR_ALIGN(args, sizeof(type)); \
52100 - value = *(typeof(type) *)args; \
52101 + value = *(const typeof(type) *)args; \
52103 args += sizeof(type); \
52105 @@ -1839,7 +1855,7 @@ int bstr_printf(char *buf, size_t size,
52106 case FORMAT_TYPE_STR: {
52107 const char *str_arg = args;
52108 args += strlen(str_arg) + 1;
52109 - str = string(str, end, (char *)str_arg, spec);
52110 + str = string(str, end, str_arg, spec);
52114 diff -urNp linux-2.6.38.1/localversion-grsec linux-2.6.38.1-new/localversion-grsec
52115 --- linux-2.6.38.1/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
52116 +++ linux-2.6.38.1-new/localversion-grsec 2011-03-21 18:31:35.000000000 -0400
52119 diff -urNp linux-2.6.38.1/Makefile linux-2.6.38.1-new/Makefile
52120 --- linux-2.6.38.1/Makefile 2011-03-23 17:20:06.000000000 -0400
52121 +++ linux-2.6.38.1-new/Makefile 2011-03-23 17:21:43.000000000 -0400
52122 @@ -233,8 +233,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
52126 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
52127 -HOSTCXXFLAGS = -O2
52128 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
52129 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
52131 # Decide whether to build built-in, modular, or both.
52132 # Normally, just do built-in.
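Review bot: `-fno-delete-null-pointer-checks` is added to both HOSTCFLAGS and HOSTCXXFLAGS without a comment; the flag stops the compiler from removing a NULL check that follows a dereference of the same pointer, which is a hardening choice for host tools that a reader will not guess from the flag name. Suggest preceding the two assignments with `# keep NULL checks the optimizer would otherwise drop after a dereference (hardening)`. `-W` is the legacy spelling of `-Wextra`; the modern name reads more clearly.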
52133 @@ -681,7 +681,7 @@ export mod_strip_cmd
52136 ifeq ($(KBUILD_EXTMOD),)
52137 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
52138 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
52140 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
52141 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
52142 diff -urNp linux-2.6.38.1/mm/bootmem.c linux-2.6.38.1-new/mm/bootmem.c
52143 --- linux-2.6.38.1/mm/bootmem.c 2011-03-14 21:20:32.000000000 -0400
52144 +++ linux-2.6.38.1-new/mm/bootmem.c 2011-03-21 18:31:35.000000000 -0400
52145 @@ -201,19 +201,30 @@ static void __init __free_pages_memory(u
52146 unsigned long __init free_all_memory_core_early(int nodeid)
52150 + u64 start, end, startrange, endrange;
52151 unsigned long count = 0;
52152 - struct range *range = NULL;
52153 + struct range *range = NULL, rangerange = { 0, 0 };
52156 nr_range = get_free_all_memory_range(&range, nodeid);
52157 + startrange = __pa(range) >> PAGE_SHIFT;
52158 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
52160 for (i = 0; i < nr_range; i++) {
52161 start = range[i].start;
52162 end = range[i].end;
52163 + if (start <= endrange && startrange < end) {
52164 + BUG_ON(rangerange.start | rangerange.end);
52165 + rangerange = range[i];
52168 count += end - start;
52169 __free_pages_memory(start, end);
52171 + start = rangerange.start;
52172 + end = rangerange.end;
52173 + count += end - start;
52174 + __free_pages_memory(start, end);
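Review bot: The deferred free at the end of free_all_memory_core_early (`start = rangerange.start;` through the final `__free_pages_memory(start, end);`) runs unconditionally, so when no entry of range[] overlaps the array itself, rangerange is still `{ 0, 0 }` and `__free_pages_memory(0, 0)` is called; that is presumably a no-op for an empty range, but `if (rangerange.end)` or a comment stating that an empty range is harmless would make the intent explicit, unless the omitted line between the loop and this block already guards it. The reason for the two-phase free, that range[] lives in memory being handed to the allocator and must not be released while it is still being iterated, is also worth a comment above `startrange = __pa(range) >> PAGE_SHIFT;`. The closing lines of the function are not shown here.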
52178 diff -urNp linux-2.6.38.1/mm/filemap.c linux-2.6.38.1-new/mm/filemap.c
52179 --- linux-2.6.38.1/mm/filemap.c 2011-03-14 21:20:32.000000000 -0400
52180 +++ linux-2.6.38.1-new/mm/filemap.c 2011-03-21 18:31:35.000000000 -0400
52181 @@ -1664,7 +1664,7 @@ int generic_file_mmap(struct file * file
52182 struct address_space *mapping = file->f_mapping;
52184 if (!mapping->a_ops->readpage)
52187 file_accessed(file);
52188 vma->vm_ops = &generic_file_vm_ops;
52189 vma->vm_flags |= VM_CAN_NONLINEAR;
52190 @@ -2060,6 +2060,7 @@ inline int generic_write_checks(struct f
52191 *pos = i_size_read(inode);
52193 if (limit != RLIM_INFINITY) {
52194 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
52195 if (*pos >= limit) {
52196 send_sig(SIGXFSZ, current, 0);
52198 diff -urNp linux-2.6.38.1/mm/fremap.c linux-2.6.38.1-new/mm/fremap.c
52199 --- linux-2.6.38.1/mm/fremap.c 2011-03-14 21:20:32.000000000 -0400
52200 +++ linux-2.6.38.1-new/mm/fremap.c 2011-03-21 18:31:35.000000000 -0400
52201 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52203 vma = find_vma(mm, start);
52205 +#ifdef CONFIG_PAX_SEGMEXEC
52206 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
52211 * Make sure the vma is shared, that it supports prefaulting,
52212 * and that the remapped range is valid and fully within
52213 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
52215 * drop PG_Mlocked flag for over-mapped range
52217 - unsigned int saved_flags = vma->vm_flags;
52218 + unsigned long saved_flags = vma->vm_flags;
52219 munlock_vma_pages_range(vma, start, start + size);
52220 vma->vm_flags = saved_flags;
52222 diff -urNp linux-2.6.38.1/mm/highmem.c linux-2.6.38.1-new/mm/highmem.c
52223 --- linux-2.6.38.1/mm/highmem.c 2011-03-14 21:20:32.000000000 -0400
52224 +++ linux-2.6.38.1-new/mm/highmem.c 2011-03-21 18:31:35.000000000 -0400
52225 @@ -125,9 +125,10 @@ static void flush_all_zero_pkmaps(void)
52226 * So no dangers, even with speculative execution.
52228 page = pte_page(pkmap_page_table[i]);
52229 + pax_open_kernel();
52230 pte_clear(&init_mm, (unsigned long)page_address(page),
52231 &pkmap_page_table[i]);
52233 + pax_close_kernel();
52234 set_page_address(page, NULL);
52237 @@ -186,9 +187,11 @@ start:
52240 vaddr = PKMAP_ADDR(last_pkmap_nr);
52242 + pax_open_kernel();
52243 set_pte_at(&init_mm, vaddr,
52244 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
52246 + pax_close_kernel();
52247 pkmap_count[last_pkmap_nr] = 1;
52248 set_page_address(page, (void *)vaddr);
52250 diff -urNp linux-2.6.38.1/mm/hugetlb.c linux-2.6.38.1-new/mm/hugetlb.c
52251 --- linux-2.6.38.1/mm/hugetlb.c 2011-03-14 21:20:32.000000000 -0400
52252 +++ linux-2.6.38.1-new/mm/hugetlb.c 2011-03-21 18:31:35.000000000 -0400
52253 @@ -2333,6 +2333,27 @@ static int unmap_ref_private(struct mm_s
52257 +#ifdef CONFIG_PAX_SEGMEXEC
52258 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
52260 + struct mm_struct *mm = vma->vm_mm;
52261 + struct vm_area_struct *vma_m;
52262 + unsigned long address_m;
52265 + vma_m = pax_find_mirror_vma(vma);
52269 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52270 + address_m = address + SEGMEXEC_TASK_SIZE;
52271 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
52272 + get_page(page_m);
52273 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
52274 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
52279 * Hugetlb_cow() should be called with page lock of the original hugepage held.
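Review bot: pax_mirror_huge_pte() passes the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` straight into set_huge_pte_at() without checking it; huge_pte_offset() returns NULL when the page-table level for that address has not been allocated, so this relies on the caller having run huge_pte_alloc() for the mirror address first (the hugetlb_fault() hunk below does so at its `huge_pte_alloc(mm, address_m, huge_page_size(h))` call). A `BUG_ON(!ptep_m);` before set_huge_pte_at(), or a comment naming that precondition, would make the invariant visible at the use site. The declaration of ptep_m and the vma_m NULL check fall between the shown lines.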
52281 @@ -2434,6 +2455,11 @@ retry_avoidcopy:
52282 make_huge_pte(vma, new_page, 1));
52283 page_remove_rmap(old_page);
52284 hugepage_add_new_anon_rmap(new_page, vma, address);
52286 +#ifdef CONFIG_PAX_SEGMEXEC
52287 + pax_mirror_huge_pte(vma, address, new_page);
52290 /* Make the old page be freed below */
52291 new_page = old_page;
52292 mmu_notifier_invalidate_range_end(mm,
52293 @@ -2585,6 +2611,10 @@ retry:
52294 && (vma->vm_flags & VM_SHARED)));
52295 set_huge_pte_at(mm, address, ptep, new_pte);
52297 +#ifdef CONFIG_PAX_SEGMEXEC
52298 + pax_mirror_huge_pte(vma, address, page);
52301 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
52302 /* Optimization, do the COW without a second fault */
52303 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
52304 @@ -2614,6 +2644,10 @@ int hugetlb_fault(struct mm_struct *mm,
52305 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
52306 struct hstate *h = hstate_vma(vma);
52308 +#ifdef CONFIG_PAX_SEGMEXEC
52309 + struct vm_area_struct *vma_m;
52312 ptep = huge_pte_offset(mm, address);
52314 entry = huge_ptep_get(ptep);
52315 @@ -2625,6 +2659,26 @@ int hugetlb_fault(struct mm_struct *mm,
52316 VM_FAULT_SET_HINDEX(h - hstates);
52319 +#ifdef CONFIG_PAX_SEGMEXEC
52320 + vma_m = pax_find_mirror_vma(vma);
52322 + unsigned long address_m;
52324 + if (vma->vm_start > vma_m->vm_start) {
52325 + address_m = address;
52326 + address -= SEGMEXEC_TASK_SIZE;
52328 + h = hstate_vma(vma);
52330 + address_m = address + SEGMEXEC_TASK_SIZE;
52332 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
52333 + return VM_FAULT_OOM;
52334 + address_m &= HPAGE_MASK;
52335 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
52339 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
52341 return VM_FAULT_OOM;
52342 diff -urNp linux-2.6.38.1/mm/Kconfig linux-2.6.38.1-new/mm/Kconfig
52343 --- linux-2.6.38.1/mm/Kconfig 2011-03-14 21:20:32.000000000 -0400
52344 +++ linux-2.6.38.1-new/mm/Kconfig 2011-03-21 18:31:35.000000000 -0400
52345 @@ -240,7 +240,7 @@ config KSM
52346 config DEFAULT_MMAP_MIN_ADDR
52347 int "Low address space to protect from user allocation"
52352 This is the portion of low virtual memory which should be protected
52353 from userspace allocation. Keeping a user from writing to low pages
52354 diff -urNp linux-2.6.38.1/mm/kmemleak.c linux-2.6.38.1-new/mm/kmemleak.c
52355 --- linux-2.6.38.1/mm/kmemleak.c 2011-03-14 21:20:32.000000000 -0400
52356 +++ linux-2.6.38.1-new/mm/kmemleak.c 2011-03-21 18:31:35.000000000 -0400
52357 @@ -357,7 +357,7 @@ static void print_unreferenced(struct se
52359 for (i = 0; i < object->trace_len; i++) {
52360 void *ptr = (void *)object->trace[i];
52361 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
52362 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
52366 diff -urNp linux-2.6.38.1/mm/maccess.c linux-2.6.38.1-new/mm/maccess.c
52367 --- linux-2.6.38.1/mm/maccess.c 2011-03-14 21:20:32.000000000 -0400
52368 +++ linux-2.6.38.1-new/mm/maccess.c 2011-03-21 18:31:35.000000000 -0400
52369 @@ -15,10 +15,10 @@
52370 * happens, handle that and return -EFAULT.
52373 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
52374 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
52375 __attribute__((alias("__probe_kernel_read")));
52377 -long __probe_kernel_read(void *dst, void *src, size_t size)
52378 +long __probe_kernel_read(void *dst, const void *src, size_t size)
52381 mm_segment_t old_fs = get_fs();
52382 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
52383 * Safely write to address @dst from the buffer at @src. If a kernel fault
52384 * happens, handle that and return -EFAULT.
52386 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
52387 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
52388 __attribute__((alias("__probe_kernel_write")));
52390 -long __probe_kernel_write(void *dst, void *src, size_t size)
52391 +long __probe_kernel_write(void *dst, const void *src, size_t size)
52394 mm_segment_t old_fs = get_fs();
52395 diff -urNp linux-2.6.38.1/mm/madvise.c linux-2.6.38.1-new/mm/madvise.c
52396 --- linux-2.6.38.1/mm/madvise.c 2011-03-14 21:20:32.000000000 -0400
52397 +++ linux-2.6.38.1-new/mm/madvise.c 2011-03-21 18:31:35.000000000 -0400
52398 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
52400 unsigned long new_flags = vma->vm_flags;
52402 +#ifdef CONFIG_PAX_SEGMEXEC
52403 + struct vm_area_struct *vma_m;
52406 switch (behavior) {
52408 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
52409 @@ -110,6 +114,13 @@ success:
52411 * vm_flags is protected by the mmap_sem held in write mode.
52414 +#ifdef CONFIG_PAX_SEGMEXEC
52415 + vma_m = pax_find_mirror_vma(vma);
52417 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
52420 vma->vm_flags = new_flags;
52423 @@ -168,6 +179,11 @@ static long madvise_dontneed(struct vm_a
52424 struct vm_area_struct ** prev,
52425 unsigned long start, unsigned long end)
52428 +#ifdef CONFIG_PAX_SEGMEXEC
52429 + struct vm_area_struct *vma_m;
52433 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
52435 @@ -180,6 +196,21 @@ static long madvise_dontneed(struct vm_a
52436 zap_page_range(vma, start, end - start, &details);
52438 zap_page_range(vma, start, end - start, NULL);
52440 +#ifdef CONFIG_PAX_SEGMEXEC
52441 + vma_m = pax_find_mirror_vma(vma);
52443 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
52444 + struct zap_details details = {
52445 + .nonlinear_vma = vma_m,
52446 + .last_index = ULONG_MAX,
52448 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
52450 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
52457 @@ -376,6 +407,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
52461 +#ifdef CONFIG_PAX_SEGMEXEC
52462 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
52463 + if (end > SEGMEXEC_TASK_SIZE)
52468 + if (end > TASK_SIZE)
52474 diff -urNp linux-2.6.38.1/mm/memory.c linux-2.6.38.1-new/mm/memory.c
52475 --- linux-2.6.38.1/mm/memory.c 2011-03-14 21:20:32.000000000 -0400
52476 +++ linux-2.6.38.1-new/mm/memory.c 2011-03-21 18:31:35.000000000 -0400
52477 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
52480 pmd = pmd_offset(pud, start);
52482 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
52484 pmd_free_tlb(tlb, pmd, start);
52489 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
52490 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
52491 if (end - 1 > ceiling - 1)
52494 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
52495 pud = pud_offset(pgd, start);
52497 pud_free_tlb(tlb, pud, start);
52503 @@ -1433,10 +1440,10 @@ int __get_user_pages(struct task_struct
52504 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
52508 + while (nr_pages) {
52509 struct vm_area_struct *vma;
52511 - vma = find_extend_vma(mm, start);
52512 + vma = find_vma(mm, start);
52513 if (!vma && in_gate_area(tsk, start)) {
52514 unsigned long pg = start & PAGE_MASK;
52515 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
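Review bot: Replacing find_extend_vma() with find_vma() at the changed line removes the implicit stack growth from the get_user_pages() path, and the companion hunk below adds `start < vma->vm_start` to the -EFAULT condition to cover the gap below a vma that find_vma() can now return; neither site says why the expansion was dropped. A comment at the find_vma() call, e.g. `/* PaX: do not grow the stack on behalf of the caller; addresses below vma->vm_start fault instead */`, would record the intent, since a reader comparing against mainline will otherwise take it for an accidental regression. The loop-form change (`do { } while (nr_pages)` to `while (nr_pages)` here and in the third hunk) is behaviour-neutral only if nr_pages is already known to be positive on entry, which is not visible in this excerpt. __get_user_pages() begins and ends outside these hunks.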
52516 @@ -1489,7 +1496,7 @@ int __get_user_pages(struct task_struct
52521 + if (!vma || start < vma->vm_start ||
52522 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
52523 !(vm_flags & vma->vm_flags))
52524 return i ? : -EFAULT;
52525 @@ -1575,7 +1582,7 @@ int __get_user_pages(struct task_struct
52526 start += PAGE_SIZE;
52528 } while (nr_pages && start < vma->vm_end);
52529 - } while (nr_pages);
52534 @@ -1724,6 +1731,10 @@ static int insert_page(struct vm_area_st
52535 page_add_file_rmap(page);
52536 set_pte_at(mm, addr, pte, mk_pte(page, prot));
52538 +#ifdef CONFIG_PAX_SEGMEXEC
52539 + pax_mirror_file_pte(vma, addr, page, ptl);
52543 pte_unmap_unlock(pte, ptl);
52545 @@ -1758,10 +1769,22 @@ out:
52546 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
52550 +#ifdef CONFIG_PAX_SEGMEXEC
52551 + struct vm_area_struct *vma_m;
52554 if (addr < vma->vm_start || addr >= vma->vm_end)
52556 if (!page_count(page))
52559 +#ifdef CONFIG_PAX_SEGMEXEC
52560 + vma_m = pax_find_mirror_vma(vma);
52562 + vma_m->vm_flags |= VM_INSERTPAGE;
52565 vma->vm_flags |= VM_INSERTPAGE;
52566 return insert_page(vma, addr, page, vma->vm_page_prot);
52568 @@ -1847,6 +1870,7 @@ int vm_insert_mixed(struct vm_area_struc
52571 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
52572 + BUG_ON(vma->vm_mirror);
52574 if (addr < vma->vm_start || addr >= vma->vm_end)
52576 @@ -2162,6 +2186,186 @@ static inline void cow_user_page(struct
52577 copy_user_highpage(dst, src, va, vma);
52580 +#ifdef CONFIG_PAX_SEGMEXEC
52581 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
52583 + struct mm_struct *mm = vma->vm_mm;
52585 + pte_t *pte, entry;
52587 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
52589 + if (!pte_present(entry)) {
52590 + if (!pte_none(entry)) {
52591 + BUG_ON(pte_file(entry));
52592 + free_swap_and_cache(pte_to_swp_entry(entry));
52593 + pte_clear_not_present_full(mm, address, pte, 0);
52596 + struct page *page;
52598 + flush_cache_page(vma, address, pte_pfn(entry));
52599 + entry = ptep_clear_flush(vma, address, pte);
52600 + BUG_ON(pte_dirty(entry));
52601 + page = vm_normal_page(vma, address, entry);
52603 + update_hiwater_rss(mm);
52604 + if (PageAnon(page))
52605 + dec_mm_counter_fast(mm, MM_ANONPAGES);
52607 + dec_mm_counter_fast(mm, MM_FILEPAGES);
52608 + page_remove_rmap(page);
52609 + page_cache_release(page);
52612 + pte_unmap_unlock(pte, ptl);
52615 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
52617 + * the ptl of the lower mapped page is held on entry and is not released on exit
52618 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
52620 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52622 + struct mm_struct *mm = vma->vm_mm;
52623 + unsigned long address_m;
52624 + spinlock_t *ptl_m;
52625 + struct vm_area_struct *vma_m;
52627 + pte_t *pte_m, entry_m;
52629 + BUG_ON(!page_m || !PageAnon(page_m));
52631 + vma_m = pax_find_mirror_vma(vma);
52635 + BUG_ON(!PageLocked(page_m));
52636 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52637 + address_m = address + SEGMEXEC_TASK_SIZE;
52638 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52639 + pte_m = pte_offset_map(pmd_m, address_m);
52640 + ptl_m = pte_lockptr(mm, pmd_m);
52641 + if (ptl != ptl_m) {
52642 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52643 + if (!pte_none(*pte_m))
52647 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52648 + page_cache_get(page_m);
52649 + page_add_anon_rmap(page_m, vma_m, address_m);
52650 + inc_mm_counter_fast(mm, MM_ANONPAGES);
52651 + set_pte_at(mm, address_m, pte_m, entry_m);
52652 + update_mmu_cache(vma_m, address_m, entry_m);
52654 + if (ptl != ptl_m)
52655 + spin_unlock(ptl_m);
52656 + pte_unmap(pte_m);
52657 + unlock_page(page_m);
52660 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
52662 + struct mm_struct *mm = vma->vm_mm;
52663 + unsigned long address_m;
52664 + spinlock_t *ptl_m;
52665 + struct vm_area_struct *vma_m;
52667 + pte_t *pte_m, entry_m;
52669 + BUG_ON(!page_m || PageAnon(page_m));
52671 + vma_m = pax_find_mirror_vma(vma);
52675 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52676 + address_m = address + SEGMEXEC_TASK_SIZE;
52677 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52678 + pte_m = pte_offset_map(pmd_m, address_m);
52679 + ptl_m = pte_lockptr(mm, pmd_m);
52680 + if (ptl != ptl_m) {
52681 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52682 + if (!pte_none(*pte_m))
52686 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
52687 + page_cache_get(page_m);
52688 + page_add_file_rmap(page_m);
52689 + inc_mm_counter_fast(mm, MM_FILEPAGES);
52690 + set_pte_at(mm, address_m, pte_m, entry_m);
52691 + update_mmu_cache(vma_m, address_m, entry_m);
52693 + if (ptl != ptl_m)
52694 + spin_unlock(ptl_m);
52695 + pte_unmap(pte_m);
52698 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
52700 + struct mm_struct *mm = vma->vm_mm;
52701 + unsigned long address_m;
52702 + spinlock_t *ptl_m;
52703 + struct vm_area_struct *vma_m;
52705 + pte_t *pte_m, entry_m;
52707 + vma_m = pax_find_mirror_vma(vma);
52711 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
52712 + address_m = address + SEGMEXEC_TASK_SIZE;
52713 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
52714 + pte_m = pte_offset_map(pmd_m, address_m);
52715 + ptl_m = pte_lockptr(mm, pmd_m);
52716 + if (ptl != ptl_m) {
52717 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
52718 + if (!pte_none(*pte_m))
52722 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
52723 + set_pte_at(mm, address_m, pte_m, entry_m);
52725 + if (ptl != ptl_m)
52726 + spin_unlock(ptl_m);
52727 + pte_unmap(pte_m);
52730 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
52732 + struct page *page_m;
52735 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
52739 + page_m = vm_normal_page(vma, address, entry);
52741 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
52742 + else if (PageAnon(page_m)) {
52743 + if (pax_find_mirror_vma(vma)) {
52744 + pte_unmap_unlock(pte, ptl);
52745 + lock_page(page_m);
52746 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
52747 + if (pte_same(entry, *pte))
52748 + pax_mirror_anon_pte(vma, address, page_m, ptl);
52750 + unlock_page(page_m);
52753 + pax_mirror_file_pte(vma, address, page_m, ptl);
52756 + pte_unmap_unlock(pte, ptl);
52761 * This routine handles present pages, when users try to write
52762 * to a shared page. It is done by copying the page to a new address
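Review bot: pax_mirror_file_pte() is the only non-static function in this block and is called from insert_page() in an earlier hunk, yet it carries no header comment; the lock contract spelled out above pax_mirror_anon_pte() (ptl of the lower mapping held on entry and not released) applies here too and should be repeated, e.g. `/* PaX: mirror a file-backed PTE into the SEGMEXEC mirror vma; caller holds the lower mapping's ptl */`. pax_mirror_anon_pte() additionally consumes the page lock (`unlock_page(page_m);` on its exit path) while the other two mirror functions do not, and that ownership transfer belongs in its comment. The three mirror functions repeat the same address_m/pmd/pte lookup and nested-lock sequence; a small static helper returning pte_m and ptl_m would keep them from drifting apart. The `ptl != ptl_m` branch with spin_lock_nested() presumes the lower mapping's lock is always taken first, which the `address >= SEGMEXEC_TASK_SIZE` check supports but which is worth stating next to it.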
52763 @@ -2373,6 +2577,12 @@ gotten:
52765 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52766 if (likely(pte_same(*page_table, orig_pte))) {
52768 +#ifdef CONFIG_PAX_SEGMEXEC
52769 + if (pax_find_mirror_vma(vma))
52770 + BUG_ON(!trylock_page(new_page));
52774 if (!PageAnon(old_page)) {
52775 dec_mm_counter_fast(mm, MM_FILEPAGES);
52776 @@ -2424,6 +2634,10 @@ gotten:
52777 page_remove_rmap(old_page);
52780 +#ifdef CONFIG_PAX_SEGMEXEC
52781 + pax_mirror_anon_pte(vma, address, new_page, ptl);
52784 /* Free the old page.. */
52785 new_page = old_page;
52786 ret |= VM_FAULT_WRITE;
52787 @@ -2834,6 +3048,11 @@ static int do_swap_page(struct mm_struct
52789 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
52790 try_to_free_swap(page);
52792 +#ifdef CONFIG_PAX_SEGMEXEC
52793 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
52799 @@ -2857,6 +3076,11 @@ static int do_swap_page(struct mm_struct
52801 /* No need to invalidate - it was non-present before */
52802 update_mmu_cache(vma, address, page_table);
52804 +#ifdef CONFIG_PAX_SEGMEXEC
52805 + pax_mirror_anon_pte(vma, address, page, ptl);
52809 pte_unmap_unlock(page_table, ptl);
52811 @@ -2876,40 +3100,6 @@ out_release:
52815 - * This is like a special single-page "expand_{down|up}wards()",
52816 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
52817 - * doesn't hit another vma.
52819 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
52821 - address &= PAGE_MASK;
52822 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
52823 - struct vm_area_struct *prev = vma->vm_prev;
52826 - * Is there a mapping abutting this one below?
52828 - * That's only ok if it's the same stack mapping
52829 - * that has gotten split..
52831 - if (prev && prev->vm_end == address)
52832 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
52834 - expand_stack(vma, address - PAGE_SIZE);
52836 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
52837 - struct vm_area_struct *next = vma->vm_next;
52839 - /* As VM_GROWSDOWN but s/below/above/ */
52840 - if (next && next->vm_start == address + PAGE_SIZE)
52841 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
52843 - expand_upwards(vma, address + PAGE_SIZE);
52849 * We enter with non-exclusive mmap_sem (to exclude vma changes,
52850 * but allow concurrent faults), and pte mapped but not yet locked.
52851 * We return with mmap_sem still held, but pte unmapped and unlocked.
52852 @@ -2918,27 +3108,23 @@ static int do_anonymous_page(struct mm_s
52853 unsigned long address, pte_t *page_table, pmd_t *pmd,
52854 unsigned int flags)
52856 - struct page *page;
52857 + struct page *page = NULL;
52861 - pte_unmap(page_table);
52863 - /* Check if we need to add a guard page to the stack */
52864 - if (check_stack_guard_page(vma, address) < 0)
52865 - return VM_FAULT_SIGBUS;
52867 - /* Use the zero-page for reads */
52868 if (!(flags & FAULT_FLAG_WRITE)) {
52869 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
52870 vma->vm_page_prot));
52871 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52872 + ptl = pte_lockptr(mm, pmd);
52874 if (!pte_none(*page_table))
52879 /* Allocate our own private page. */
52880 + pte_unmap(page_table);
52882 if (unlikely(anon_vma_prepare(vma)))
52884 page = alloc_zeroed_user_highpage_movable(vma, address);
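Review bot: The zero-page path switches from `pte_offset_map_lock()` to `ptl = pte_lockptr(mm, pmd);` because the early `pte_unmap(page_table)` was dropped and the pte is still mapped at that point, but nothing in the code says so; a comment such as `/* page_table is still mapped here: only take the lock, do not remap it */` would stop the next maintainer from reinstating the unmap. The `pte_unmap(page_table);` moved in front of `anon_vma_prepare(vma)` is the counterpart: the atomic mapping must be dropped before anything that can sleep. The lines between `ptl = pte_lockptr(...)` and the `pte_none` test are not shown, so that the lock is actually taken there is inferred. It would also help to note near the removed `check_stack_guard_page()` call that the guard-page logic is superseded by the `sysctl_heap_stack_gap` checks elsewhere in this patch, since this function now has no stack guard of its own.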
52885 @@ -2957,6 +3143,11 @@ static int do_anonymous_page(struct mm_s
52886 if (!pte_none(*page_table))
52889 +#ifdef CONFIG_PAX_SEGMEXEC
52890 + if (pax_find_mirror_vma(vma))
52891 + BUG_ON(!trylock_page(page));
52894 inc_mm_counter_fast(mm, MM_ANONPAGES);
52895 page_add_new_anon_rmap(page, vma, address);
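Review bot: `BUG_ON(!trylock_page(page));` hides the statement's only effect, taking the page lock, inside an assertion macro, which kernel style avoids, and an atomic trylock is more than needed for a page that, as far as this hunk shows, is not yet in the rmap (`page_add_new_anon_rmap()` follows) and not visible to anyone else. The non-atomic `__set_page_locked(page);` from pagemap.h is what mainline uses for freshly allocated, not-yet-published pages and states the intent directly. If a sanity check is still wanted, `BUG_ON(PageLocked(page)); __set_page_locked(page);` keeps the side effect out of the assertion.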
52897 @@ -2964,6 +3155,12 @@ setpte:
52899 /* No need to invalidate - it was non-present before */
52900 update_mmu_cache(vma, address, page_table);
52902 +#ifdef CONFIG_PAX_SEGMEXEC
52904 + pax_mirror_anon_pte(vma, address, page, ptl);
52908 pte_unmap_unlock(page_table, ptl);
52910 @@ -3101,6 +3298,12 @@ static int __do_fault(struct mm_struct *
52912 /* Only go through if we didn't race with anybody else... */
52913 if (likely(pte_same(*page_table, orig_pte))) {
52915 +#ifdef CONFIG_PAX_SEGMEXEC
52916 + if (anon && pax_find_mirror_vma(vma))
52917 + BUG_ON(!trylock_page(page));
52920 flush_icache_page(vma, page);
52921 entry = mk_pte(page, vma->vm_page_prot);
52922 if (flags & FAULT_FLAG_WRITE)
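Review bot: `if (anon && pax_find_mirror_vma(vma)) BUG_ON(!trylock_page(page));` again performs the lock acquisition inside BUG_ON. In the anon (COW) case the page is about to be mapped for the first time (`mk_pte(page, ...)` follows), so if it was allocated privately by this fault, as the `anon` flag suggests, `if (anon && pax_find_mirror_vma(vma)) __set_page_locked(page);` is sufficient and keeps the side effect visible. Where the anon page is allocated is outside this hunk, so confirm it is a fresh private page before switching.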
52923 @@ -3120,6 +3323,14 @@ static int __do_fault(struct mm_struct *
52925 /* no need to invalidate: a not-present page won't be cached */
52926 update_mmu_cache(vma, address, page_table);
52928 +#ifdef CONFIG_PAX_SEGMEXEC
52930 + pax_mirror_anon_pte(vma, address, page, ptl);
52932 + pax_mirror_file_pte(vma, address, page, ptl);
52937 mem_cgroup_uncharge_page(page);
52938 @@ -3267,6 +3478,12 @@ int handle_pte_fault(struct mm_struct *m
52939 if (flags & FAULT_FLAG_WRITE)
52940 flush_tlb_fix_spurious_fault(vma, address);
52943 +#ifdef CONFIG_PAX_SEGMEXEC
52944 + pax_mirror_pte(vma, address, pte, pmd, ptl);
52949 pte_unmap_unlock(pte, ptl);
52951 @@ -3283,6 +3500,10 @@ int handle_mm_fault(struct mm_struct *mm
52955 +#ifdef CONFIG_PAX_SEGMEXEC
52956 + struct vm_area_struct *vma_m;
52959 __set_current_state(TASK_RUNNING);
52961 count_vm_event(PGFAULT);
52962 @@ -3293,6 +3514,34 @@ int handle_mm_fault(struct mm_struct *mm
52963 if (unlikely(is_vm_hugetlb_page(vma)))
52964 return hugetlb_fault(mm, vma, address, flags);
52966 +#ifdef CONFIG_PAX_SEGMEXEC
52967 + vma_m = pax_find_mirror_vma(vma);
52969 + unsigned long address_m;
52974 + if (vma->vm_start > vma_m->vm_start) {
52975 + address_m = address;
52976 + address -= SEGMEXEC_TASK_SIZE;
52979 + address_m = address + SEGMEXEC_TASK_SIZE;
52981 + pgd_m = pgd_offset(mm, address_m);
52982 + pud_m = pud_alloc(mm, pgd_m, address_m);
52984 + return VM_FAULT_OOM;
52985 + pmd_m = pmd_alloc(mm, pud_m, address_m);
52987 + return VM_FAULT_OOM;
52988 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, vma_m, pmd_m, address_m))
52989 + return VM_FAULT_OOM;
52990 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
52994 pgd = pgd_offset(mm, address);
52995 pud = pud_alloc(mm, pgd, address);
52997 @@ -3426,7 +3675,7 @@ static int __init gate_vma_init(void)
52998 gate_vma.vm_start = FIXADDR_USER_START;
52999 gate_vma.vm_end = FIXADDR_USER_END;
53000 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
53001 - gate_vma.vm_page_prot = __P101;
53002 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
53004 * Make sure the vDSO gets into every core dump.
53005 * Dumping its contents makes post-mortem fully interpretable later
53006 diff -urNp linux-2.6.38.1/mm/memory-failure.c linux-2.6.38.1-new/mm/memory-failure.c
53007 --- linux-2.6.38.1/mm/memory-failure.c 2011-03-14 21:20:32.000000000 -0400
53008 +++ linux-2.6.38.1-new/mm/memory-failure.c 2011-03-21 18:31:35.000000000 -0400
53009 @@ -58,7 +58,7 @@ int sysctl_memory_failure_early_kill __r
53011 int sysctl_memory_failure_recovery __read_mostly = 1;
53013 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
53014 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
53016 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
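Review bot: Changing the definition to `atomic_long_unchecked_t mce_bad_pages` only builds if every declaration and reader agrees: the `extern` in the header and any `atomic_long_read(&mce_bad_pages)` consumer (the hwpoison sysfs attribute in drivers/base/memory.c reads this counter, as far as I recall) have to move to the `_unchecked` variants as well, and none of that is in this hunk. Exempting the counter from the checked-atomic overflow protection looks defensible because it is a statistic, not a reference count, but that decision should be recorded on the definition, e.g. `/* statistic, not a refcount: exempt from overflow checking */`, so later atomic_long_t additions in this file know which kind to use.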
53018 @@ -1012,7 +1012,7 @@ int __memory_failure(unsigned long pfn,
53021 nr_pages = 1 << compound_trans_order(hpage);
53022 - atomic_long_add(nr_pages, &mce_bad_pages);
53023 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
53026 * We need/can do nothing about count=0 pages.
53027 @@ -1042,7 +1042,7 @@ int __memory_failure(unsigned long pfn,
53028 if (!PageHWPoison(hpage)
53029 || (hwpoison_filter(p) && TestClearPageHWPoison(p))
53030 || (p != hpage && TestSetPageHWPoison(hpage))) {
53031 - atomic_long_sub(nr_pages, &mce_bad_pages);
53032 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53035 set_page_hwpoison_huge_page(hpage);
53036 @@ -1100,7 +1100,7 @@ int __memory_failure(unsigned long pfn,
53038 if (hwpoison_filter(p)) {
53039 if (TestClearPageHWPoison(p))
53040 - atomic_long_sub(nr_pages, &mce_bad_pages);
53041 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53042 unlock_page(hpage);
53045 @@ -1226,7 +1226,7 @@ int unpoison_memory(unsigned long pfn)
53048 if (TestClearPageHWPoison(p))
53049 - atomic_long_sub(nr_pages, &mce_bad_pages);
53050 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53051 pr_info("MCE: Software-unpoisoned free page %#lx\n", pfn);
53054 @@ -1240,7 +1240,7 @@ int unpoison_memory(unsigned long pfn)
53056 if (TestClearPageHWPoison(page)) {
53057 pr_info("MCE: Software-unpoisoned page %#lx\n", pfn);
53058 - atomic_long_sub(nr_pages, &mce_bad_pages);
53059 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
53061 if (PageHuge(page))
53062 clear_page_hwpoison_huge_page(page);
53063 @@ -1353,7 +1353,7 @@ static int soft_offline_huge_page(struct
53066 if (!PageHWPoison(hpage))
53067 - atomic_long_add(1 << compound_trans_order(hpage), &mce_bad_pages);
53068 + atomic_long_add_unchecked(1 << compound_trans_order(hpage), &mce_bad_pages);
53069 set_page_hwpoison_huge_page(hpage);
53070 dequeue_hwpoisoned_huge_page(hpage);
53071 /* keep elevated page count for bad page */
53072 @@ -1482,7 +1482,7 @@ int soft_offline_page(struct page *page,
53076 - atomic_long_add(1, &mce_bad_pages);
53077 + atomic_long_add_unchecked(1, &mce_bad_pages);
53078 SetPageHWPoison(page);
53079 /* keep elevated page count for bad page */
53081 diff -urNp linux-2.6.38.1/mm/mempolicy.c linux-2.6.38.1-new/mm/mempolicy.c
53082 --- linux-2.6.38.1/mm/mempolicy.c 2011-03-14 21:20:32.000000000 -0400
53083 +++ linux-2.6.38.1-new/mm/mempolicy.c 2011-03-21 18:31:35.000000000 -0400
53084 @@ -643,6 +643,10 @@ static int mbind_range(struct mm_struct
53085 unsigned long vmstart;
53086 unsigned long vmend;
53088 +#ifdef CONFIG_PAX_SEGMEXEC
53089 + struct vm_area_struct *vma_m;
53092 vma = find_vma_prev(mm, start, &prev);
53093 if (!vma || vma->vm_start > start)
53095 @@ -673,6 +677,16 @@ static int mbind_range(struct mm_struct
53096 err = policy_vma(vma, new_pol);
53100 +#ifdef CONFIG_PAX_SEGMEXEC
53101 + vma_m = pax_find_mirror_vma(vma);
53103 + err = policy_vma(vma_m, new_pol);
53112 @@ -1106,6 +1120,17 @@ static long do_mbind(unsigned long start
53117 +#ifdef CONFIG_PAX_SEGMEXEC
53118 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
53119 + if (end > SEGMEXEC_TASK_SIZE)
53124 + if (end > TASK_SIZE)
53130 @@ -1324,6 +1349,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
53134 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53135 + if (mm != current->mm &&
53136 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
53143 * Check if this process has the right to modify the specified
53144 * process. The right exists if the process has administrative
53145 @@ -1333,8 +1366,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
53147 tcred = __task_cred(task);
53148 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
53149 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
53150 - !capable(CAP_SYS_NICE)) {
53151 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
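Review bot: Dropping only `cred->uid != tcred->uid` leaves the permission test asymmetric: the caller's effective uid is matched against the target's real and saved uid, but the caller's real uid is matched only against the target's saved uid. If the intent is that only the caller's effective identity should count, `cred->uid != tcred->suid` should go too; if the intent is to stay in step with the kernel's other same-user checks (the kill() permission test, for instance), neither clause should be removed. Either way a one-line comment stating the rule now enforced is needed, because the block comment above (its start is outside this hunk) still describes the original "same userid" rule. The identical change appears in mm/migrate.c and the two must stay in sync.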
53155 @@ -2635,7 +2667,7 @@ int show_numa_map(struct seq_file *m, vo
53158 seq_printf(m, " file=");
53159 - seq_path(m, &file->f_path, "\n\t= ");
53160 + seq_path(m, &file->f_path, "\n\t\\= ");
53161 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
53162 seq_printf(m, " heap");
53163 } else if (vma->vm_start <= mm->start_stack &&
53164 diff -urNp linux-2.6.38.1/mm/migrate.c linux-2.6.38.1-new/mm/migrate.c
53165 --- linux-2.6.38.1/mm/migrate.c 2011-03-14 21:20:32.000000000 -0400
53166 +++ linux-2.6.38.1-new/mm/migrate.c 2011-03-21 18:31:35.000000000 -0400
53167 @@ -1299,6 +1299,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53171 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
53172 + if (mm != current->mm &&
53173 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
53180 * Check if this process has the right to modify the specified
53181 * process. The right exists if the process has administrative
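Review bot: The new gate `if (mm != current->mm && (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC))` runs before the credential and capability test described in the comment that follows, so as far as this hunk shows it refuses even CAP_SYS_NICE or root callers whenever the target has ASLR or SEGMEXEC enabled; if that stronger policy is intended, say so in a comment, otherwise fold the test into the capability check below. The rejection path is not shown; if this sits after `get_task_mm()` it must drop that reference rather than return directly. Style: `mm->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)` expresses the same condition in one test and avoids the `&`-inside-`||` precedence reading.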
53182 @@ -1308,8 +1316,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
53184 tcred = __task_cred(task);
53185 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
53186 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
53187 - !capable(CAP_SYS_NICE)) {
53188 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
53192 diff -urNp linux-2.6.38.1/mm/mlock.c linux-2.6.38.1-new/mm/mlock.c
53193 --- linux-2.6.38.1/mm/mlock.c 2011-03-14 21:20:32.000000000 -0400
53194 +++ linux-2.6.38.1-new/mm/mlock.c 2011-03-21 18:31:35.000000000 -0400
53196 #include <linux/pagemap.h>
53197 #include <linux/mempolicy.h>
53198 #include <linux/syscalls.h>
53199 +#include <linux/security.h>
53200 #include <linux/sched.h>
53201 #include <linux/module.h>
53202 #include <linux/rmap.h>
53203 @@ -135,13 +136,6 @@ void munlock_vma_page(struct page *page)
53207 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
53209 - return (vma->vm_flags & VM_GROWSDOWN) &&
53210 - (vma->vm_start == addr) &&
53211 - !vma_stack_continue(vma->vm_prev, addr);
53215 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
53217 @@ -188,12 +182,6 @@ static long __mlock_vma_pages_range(stru
53218 if (vma->vm_flags & VM_LOCKED)
53219 gup_flags |= FOLL_MLOCK;
53221 - /* We don't try to access the guard page of a stack vma */
53222 - if (stack_guard_page(vma, start)) {
53223 - addr += PAGE_SIZE;
53227 return __get_user_pages(current, mm, addr, nr_pages, gup_flags,
53228 NULL, NULL, nonblocking);
53230 @@ -393,6 +381,9 @@ static int do_mlock(unsigned long start,
53234 + if (end > TASK_SIZE)
53237 vma = find_vma_prev(current->mm, start, &prev);
53238 if (!vma || vma->vm_start > start)
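Review bot: The new `if (end > TASK_SIZE)` bound is inconsistent with the SEGMEXEC handling elsewhere in this patch: do_mbind() in mm/mempolicy.c checks `end > SEGMEXEC_TASK_SIZE` when `MF_PAX_SEGMEXEC` is set and falls back to TASK_SIZE only otherwise, whereas here a SEGMEXEC task can pass a range reaching into the mirror half and relies on the per-vma skip in the loop below (whose action is not shown) to cope. Using the do_mbind form here would make the two syscalls reject the same ranges up front. The return value of the new check is not visible either; mlock(2) callers expect ENOMEM, not EINVAL, for addresses that are not mapped, which is what the unmodified code produced for such ranges.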
53240 @@ -403,6 +394,11 @@ static int do_mlock(unsigned long start,
53241 for (nstart = start ; ; ) {
53242 unsigned int newflags;
53244 +#ifdef CONFIG_PAX_SEGMEXEC
53245 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53249 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
53251 newflags = vma->vm_flags | VM_LOCKED;
53252 @@ -508,6 +504,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
53253 lock_limit >>= PAGE_SHIFT;
53255 /* check against resource limits */
53256 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
53257 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
53258 error = do_mlock(start, len, 1);
53259 up_write(¤t->mm->mmap_sem);
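Review bot: The learning hook `gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);` recomputes a value the function already holds: `locked`, tested in `locked <= lock_limit` just below, is `len >> PAGE_SHIFT` plus `current->mm->locked_vm` (computed above this hunk in the mainline code), so `locked << PAGE_SHIFT` is the same quantity and is the form the other RLIMIT_MEMLOCK hooks in this patch use, e.g. `gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);` in mm/mmap.c. Using it here keeps the call sites identical and prevents the two expressions drifting apart if the page accounting changes.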
53260 @@ -531,17 +528,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
53261 static int do_mlockall(int flags)
53263 struct vm_area_struct * vma, * prev = NULL;
53264 - unsigned int def_flags = 0;
53266 if (flags & MCL_FUTURE)
53267 - def_flags = VM_LOCKED;
53268 - current->mm->def_flags = def_flags;
53269 + current->mm->def_flags |= VM_LOCKED;
53271 + current->mm->def_flags &= ~VM_LOCKED;
53272 if (flags == MCL_FUTURE)
53275 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
53276 - unsigned int newflags;
53277 + unsigned long newflags;
53279 +#ifdef CONFIG_PAX_SEGMEXEC
53280 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
53284 + BUG_ON(vma->vm_end > TASK_SIZE);
53285 newflags = vma->vm_flags | VM_LOCKED;
53286 if (!(flags & MCL_CURRENT))
53287 newflags &= ~VM_LOCKED;
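Review bot: Replacing `current->mm->def_flags = def_flags;` with `|= VM_LOCKED` / `&= ~VM_LOCKED` fixes a real clobber, since the old assignment wiped every other bit of `def_flags` on each mlockall() call, but the reason is not recorded anywhere and the removed local makes the intent easy to miss; a comment above `if (flags & MCL_FUTURE)` such as `/* only toggle VM_LOCKED: def_flags carries other per-mm defaults */` would preserve it. Widening `newflags` to `unsigned long` is right because `vm_flags` is `unsigned long` and the old `unsigned int` truncated the high bits. The body of the SEGMEXEC skip inside the loop is not shown; if it `continue`s rather than `break`s, `prev` must be advanced first, because the loop steps via `prev->vm_next`.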
53288 @@ -573,6 +576,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
53289 lock_limit >>= PAGE_SHIFT;
53292 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
53293 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
53294 capable(CAP_IPC_LOCK))
53295 ret = do_mlockall(flags);
53296 diff -urNp linux-2.6.38.1/mm/mmap.c linux-2.6.38.1-new/mm/mmap.c
53297 --- linux-2.6.38.1/mm/mmap.c 2011-03-14 21:20:32.000000000 -0400
53298 +++ linux-2.6.38.1-new/mm/mmap.c 2011-03-21 23:47:41.000000000 -0400
53300 #define arch_rebalance_pgtables(addr, len) (addr)
53303 +static inline void verify_mm_writelocked(struct mm_struct *mm)
53305 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
53306 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
53307 + up_read(&mm->mmap_sem);
53313 static void unmap_region(struct mm_struct *mm,
53314 struct vm_area_struct *vma, struct vm_area_struct *prev,
53315 unsigned long start, unsigned long end);
53316 @@ -71,22 +81,32 @@ static void unmap_region(struct mm_struc
53317 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
53320 -pgprot_t protection_map[16] = {
53321 +pgprot_t protection_map[16] __read_only = {
53322 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
53323 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
53326 pgprot_t vm_get_page_prot(unsigned long vm_flags)
53328 - return __pgprot(pgprot_val(protection_map[vm_flags &
53329 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
53330 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
53331 pgprot_val(arch_vm_get_page_prot(vm_flags)));
53333 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53334 + if (!(__supported_pte_mask & _PAGE_NX) &&
53335 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
53336 + (vm_flags & (VM_READ | VM_WRITE)))
53337 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
53342 EXPORT_SYMBOL(vm_get_page_prot);
53344 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
53345 int sysctl_overcommit_ratio = 50; /* default is 50% */
53346 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
53347 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
53348 struct percpu_counter vm_committed_as;
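Review bot: `unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;` is a tunable, so the sysctl table entry exposing it (not in this hunk) must use a `proc_doulongvec_minmax`-style handler with `maxlen = sizeof(unsigned long)`, and the `extern` in the header must carry the same type; wiring an `unsigned long` to `proc_dointvec` is a classic 64-bit bug. A documented range or upper bound would also help, since the consumers treat the gap as a hard minimum distance and a very large value makes every placement near a stack fail. The PAGEEXEC adjustment in `vm_get_page_prot()` deserves a one-line comment explaining why it applies only when `_PAGE_NX` is unsupported and only to non-executable `VM_PAGEEXEC` vmas that are readable or writable, as the three-part condition is not self-explanatory.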
53351 @@ -232,6 +252,7 @@ static struct vm_area_struct *remove_vma
53352 struct vm_area_struct *next = vma->vm_next;
53355 + BUG_ON(vma->vm_mirror);
53356 if (vma->vm_ops && vma->vm_ops->close)
53357 vma->vm_ops->close(vma);
53358 if (vma->vm_file) {
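Review bot: `BUG_ON(vma->vm_mirror);` is the only SEGMEXEC reference in this file that is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`; if `vm_mirror` is declared in `struct vm_area_struct` only under that option (its declaration is not in this diff), this breaks every non-SEGMEXEC build. Either guard it like the other sites in this patch, `#ifdef CONFIG_PAX_SEGMEXEC` / `BUG_ON(vma->vm_mirror);` / `#endif`, or confirm the field is unconditional and say so in a comment. The assertion itself reads sensibly: a vma should be detached from its mirror before it is freed.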
53359 @@ -276,6 +297,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
53360 * not page aligned -Ram Gupta
53362 rlim = rlimit(RLIMIT_DATA);
53363 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
53364 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
53365 (mm->end_data - mm->start_data) > rlim)
53367 @@ -719,6 +741,12 @@ static int
53368 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
53369 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53372 +#ifdef CONFIG_PAX_SEGMEXEC
53373 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
53377 if (is_mergeable_vma(vma, file, vm_flags) &&
53378 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53379 if (vma->vm_pgoff == vm_pgoff)
53380 @@ -738,6 +766,12 @@ static int
53381 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
53382 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
53385 +#ifdef CONFIG_PAX_SEGMEXEC
53386 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
53390 if (is_mergeable_vma(vma, file, vm_flags) &&
53391 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
53393 @@ -780,13 +814,20 @@ can_vma_merge_after(struct vm_area_struc
53394 struct vm_area_struct *vma_merge(struct mm_struct *mm,
53395 struct vm_area_struct *prev, unsigned long addr,
53396 unsigned long end, unsigned long vm_flags,
53397 - struct anon_vma *anon_vma, struct file *file,
53398 + struct anon_vma *anon_vma, struct file *file,
53399 pgoff_t pgoff, struct mempolicy *policy)
53401 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
53402 struct vm_area_struct *area, *next;
53405 +#ifdef CONFIG_PAX_SEGMEXEC
53406 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
53407 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
53409 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
53413 * We later require that vma->vm_flags == vm_flags,
53414 * so this tests vma->vm_flags & VM_SPECIAL, too.
53415 @@ -802,6 +843,15 @@ struct vm_area_struct *vma_merge(struct
53416 if (next && next->vm_end == end) /* cases 6, 7, 8 */
53417 next = next->vm_next;
53419 +#ifdef CONFIG_PAX_SEGMEXEC
53421 + prev_m = pax_find_mirror_vma(prev);
53423 + area_m = pax_find_mirror_vma(area);
53425 + next_m = pax_find_mirror_vma(next);
53429 * Can it merge with the predecessor?
53431 @@ -821,9 +871,24 @@ struct vm_area_struct *vma_merge(struct
53433 err = vma_adjust(prev, prev->vm_start,
53434 next->vm_end, prev->vm_pgoff, NULL);
53435 - } else /* cases 2, 5, 7 */
53437 +#ifdef CONFIG_PAX_SEGMEXEC
53438 + if (!err && prev_m)
53439 + err = vma_adjust(prev_m, prev_m->vm_start,
53440 + next_m->vm_end, prev_m->vm_pgoff, NULL);
53443 + } else { /* cases 2, 5, 7 */
53444 err = vma_adjust(prev, prev->vm_start,
53445 end, prev->vm_pgoff, NULL);
53447 +#ifdef CONFIG_PAX_SEGMEXEC
53448 + if (!err && prev_m)
53449 + err = vma_adjust(prev_m, prev_m->vm_start,
53450 + end_m, prev_m->vm_pgoff, NULL);
53456 khugepaged_enter_vma_merge(prev);
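Review bot: Each `if (!err && prev_m) err = vma_adjust(prev_m, ...)` runs only after the primary `vma_adjust(prev, ...)` has already succeeded, so an -ENOMEM from the mirror adjust (vma_adjust can fail in its anon_vma clone step) returns an error with `prev` already extended but `prev_m` unchanged. The two halves then violate the length and offset invariants that `pax_find_mirror_vma()` asserts with BUG_ON, and a caller that sees the NULL result will try to create a fresh vma over a range `prev` now covers. Mainline vma_merge is atomic because it has a single adjust; here either the mirror's anon_vma must be prepared before the first adjust so the second cannot fail, or the first adjust has to be rolled back on failure. What the callers do on NULL is outside this hunk.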
53457 @@ -837,12 +902,27 @@ struct vm_area_struct *vma_merge(struct
53458 mpol_equal(policy, vma_policy(next)) &&
53459 can_vma_merge_before(next, vm_flags,
53460 anon_vma, file, pgoff+pglen)) {
53461 - if (prev && addr < prev->vm_end) /* case 4 */
53462 + if (prev && addr < prev->vm_end) { /* case 4 */
53463 err = vma_adjust(prev, prev->vm_start,
53464 addr, prev->vm_pgoff, NULL);
53465 - else /* cases 3, 8 */
53467 +#ifdef CONFIG_PAX_SEGMEXEC
53468 + if (!err && prev_m)
53469 + err = vma_adjust(prev_m, prev_m->vm_start,
53470 + addr_m, prev_m->vm_pgoff, NULL);
53473 + } else { /* cases 3, 8 */
53474 err = vma_adjust(area, addr, next->vm_end,
53475 next->vm_pgoff - pglen, NULL);
53477 +#ifdef CONFIG_PAX_SEGMEXEC
53478 + if (!err && area_m)
53479 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
53480 + next_m->vm_pgoff - pglen, NULL);
53486 khugepaged_enter_vma_merge(area);
53487 @@ -958,14 +1038,11 @@ none:
53488 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
53489 struct file *file, long pages)
53491 - const unsigned long stack_flags
53492 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
53495 mm->shared_vm += pages;
53496 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
53497 mm->exec_vm += pages;
53498 - } else if (flags & stack_flags)
53499 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
53500 mm->stack_vm += pages;
53501 if (flags & (VM_RESERVED|VM_IO))
53502 mm->reserved_vm += pages;
53503 @@ -992,7 +1069,7 @@ unsigned long do_mmap_pgoff(struct file
53504 * (the exception is when the underlying filesystem is noexec
53505 * mounted, in which case we dont add PROT_EXEC.)
53507 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
53508 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
53509 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
53512 @@ -1018,7 +1095,7 @@ unsigned long do_mmap_pgoff(struct file
53513 /* Obtain the address to map to. we verify (or select) it and ensure
53514 * that it represents a valid section of the address space.
53516 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
53517 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
53518 if (addr & ~PAGE_MASK)
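Review bot: Passing `flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)` to get_unmapped_area() overloads a flag userspace can already set: a caller that passes MAP_EXECUTABLE without PROT_EXEC reaches the arch placement code with the bit set exactly as if the mapping were executable, so the callee cannot treat it as a trustworthy "this mapping is executable" signal. Clearing the user bit first, `(flags & ~MAP_EXECUTABLE) | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0)`, makes it kernel-derived in this call while leaving the unmodified `flags` used by `calc_vm_flag_bits()` below untouched. A comment stating that MAP_EXECUTABLE here means PROT_EXEC-for-placement would also help, since the flag's historical meaning is different. What the callee does with the bit is outside this hunk.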
53521 @@ -1029,6 +1106,36 @@ unsigned long do_mmap_pgoff(struct file
53522 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
53523 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
53525 +#ifdef CONFIG_PAX_MPROTECT
53526 + if (mm->pax_flags & MF_PAX_MPROTECT) {
53527 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
53528 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
53529 + gr_log_rwxmmap(file);
53531 +#ifdef CONFIG_PAX_EMUPLT
53532 + vm_flags &= ~VM_EXEC;
53539 + if (!(vm_flags & VM_EXEC))
53540 + vm_flags &= ~VM_MAYEXEC;
53542 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
53543 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
53546 + vm_flags &= ~VM_MAYWRITE;
53550 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53551 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
53552 + vm_flags &= ~VM_PAGEEXEC;
53555 if (flags & MAP_LOCKED)
53556 if (!can_do_mlock())
53558 @@ -1040,6 +1147,7 @@ unsigned long do_mmap_pgoff(struct file
53559 locked += mm->locked_vm;
53560 lock_limit = rlimit(RLIMIT_MEMLOCK);
53561 lock_limit >>= PAGE_SHIFT;
53562 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53563 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
53566 @@ -1110,6 +1218,9 @@ unsigned long do_mmap_pgoff(struct file
53570 + if (!gr_acl_handle_mmap(file, prot))
53573 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
53575 EXPORT_SYMBOL(do_mmap_pgoff);
53576 @@ -1187,10 +1298,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
53578 int vma_wants_writenotify(struct vm_area_struct *vma)
53580 - unsigned int vm_flags = vma->vm_flags;
53581 + unsigned long vm_flags = vma->vm_flags;
53583 /* If it was private or non-writable, the write bit is already clear */
53584 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
53585 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
53588 /* The backer wishes to know when pages are first written to? */
53589 @@ -1239,14 +1350,24 @@ unsigned long mmap_region(struct file *f
53590 unsigned long charged = 0;
53591 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
53593 +#ifdef CONFIG_PAX_SEGMEXEC
53594 + struct vm_area_struct *vma_m = NULL;
53598 + * mm->mmap_sem is required to protect against another thread
53599 + * changing the mappings in case we sleep.
53601 + verify_mm_writelocked(mm);
53603 /* Clear old maps */
53606 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53607 if (vma && vma->vm_start < addr + len) {
53608 if (do_munmap(mm, addr, len))
53610 - goto munmap_back;
53611 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53612 + BUG_ON(vma && vma->vm_start < addr + len);
53615 /* Check against address space limit. */
53616 @@ -1295,6 +1416,16 @@ munmap_back:
53620 +#ifdef CONFIG_PAX_SEGMEXEC
53621 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
53622 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53631 vma->vm_start = addr;
53632 vma->vm_end = addr + len;
53633 @@ -1318,6 +1449,19 @@ munmap_back:
53634 error = file->f_op->mmap(file, vma);
53636 goto unmap_and_free_vma;
53638 +#ifdef CONFIG_PAX_SEGMEXEC
53639 + if (vma_m && (vm_flags & VM_EXECUTABLE))
53640 + added_exe_file_vma(mm);
53643 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
53644 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
53645 + vma->vm_flags |= VM_PAGEEXEC;
53646 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
53650 if (vm_flags & VM_EXECUTABLE)
53651 added_exe_file_vma(mm);
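Review bot: `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);` runs after `file->f_op->mmap(file, vma)` has returned, so any protection the driver installed in `vm_page_prot` from its mmap handler (cache attributes and the like) is recomputed from `vm_flags` alone and lost, unless the driver also set one of the VM_SPECIAL flags that the `!(vma->vm_flags & VM_SPECIAL)` test honours. If that is acceptable because such drivers always set VM_IO or VM_PFNMAP, say so in a comment; otherwise derive the new value from the existing `vma->vm_page_prot` rather than from `vm_flags` alone, so only the exec-protect adjustment is applied. The mirror-side `added_exe_file_vma(mm)` assumes the mirror vma is later removed through the path that calls the matching decrement, which is not visible here.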
53653 @@ -1353,6 +1497,11 @@ munmap_back:
53654 vma_link(mm, vma, prev, rb_link, rb_parent);
53655 file = vma->vm_file;
53657 +#ifdef CONFIG_PAX_SEGMEXEC
53659 + BUG_ON(pax_mirror_vma(vma_m, vma));
53662 /* Once vma denies write, undo our temporary denial count */
53663 if (correct_wcount)
53664 atomic_inc(&inode->i_writecount);
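Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma));` executes the mirror set-up inside an assertion and turns any failure into a kernel crash; if pax_mirror_vma() can fail for recoverable reasons such as an -ENOMEM while cloning the anon_vma (its body is not in this diff), an unprivileged process can provoke a panic under memory pressure simply by mmap()ing PROT_EXEC memory. Because `vma_link()` has already run at this point, the existing `unmap_and_free_vma`/`free_vma` labels cannot be reused as-is; move the fallible part of the mirror set-up ahead of `vma_link()` where those paths can still clean up, or handle a failure after the link explicitly (unmap the range and free `vma_m`). If the function genuinely cannot fail, still keep the call outside the macro, `err = pax_mirror_vma(vma_m, vma); BUG_ON(err);`, so the side effect is not hidden in an assertion.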
53665 @@ -1361,6 +1510,7 @@ out:
53667 mm->total_vm += len >> PAGE_SHIFT;
53668 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
53669 + track_exec_limit(mm, addr, addr + len, vm_flags);
53670 if (vm_flags & VM_LOCKED) {
53671 if (!mlock_vma_pages_range(vma, addr, addr + len))
53672 mm->locked_vm += (len >> PAGE_SHIFT);
53673 @@ -1378,6 +1528,12 @@ unmap_and_free_vma:
53674 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
53678 +#ifdef CONFIG_PAX_SEGMEXEC
53680 + kmem_cache_free(vm_area_cachep, vma_m);
53683 kmem_cache_free(vm_area_cachep, vma);
53686 @@ -1385,6 +1541,44 @@ unacct_error:
53690 +bool check_heap_stack_gap(const struct vm_area_struct *vma, unsigned long addr, unsigned long len)
53693 +#ifdef CONFIG_STACK_GROWSUP
53694 + if (addr > sysctl_heap_stack_gap)
53695 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
53697 + vma = find_vma(current->mm, 0);
53698 + if (vma && (vma->vm_flags & VM_GROWSUP))
53704 + if (addr + len > vma->vm_start)
53707 + if (vma->vm_flags & VM_GROWSDOWN)
53708 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
53709 +#ifdef CONFIG_STACK_GROWSUP
53710 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
53711 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
53717 +unsigned long skip_heap_stack_gap(const struct vm_area_struct *vma, unsigned long len)
53719 + if (vma->vm_start < len)
53721 + if (!(vma->vm_flags & VM_GROWSDOWN))
53722 + return vma->vm_start - len;
53723 + if (sysctl_heap_stack_gap <= vma->vm_start - len)
53724 + return vma->vm_start - len - sysctl_heap_stack_gap;
53728 /* Get an address range which is currently unmapped.
53729 * For shmat() with addr=0.
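Review bot: In check_heap_stack_gap() the CONFIG_STACK_GROWSUP branch `return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;` has the comparison reversed: it returns true (placement allowed) exactly when the new mapping lies within the gap above a grows-up stack and false when it is safely far away, the opposite of the VM_GROWSDOWN line `return sysctl_heap_stack_gap <= vma->vm_start - addr - len;` just above it. It should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. Only grows-up architectures compile this branch, so x86 testing would not show it; as far as the visible lines go, the earlier GROWSUP pre-check using `find_vma(current->mm, addr - sysctl_heap_stack_gap)` already rejects the overlap case, so the inverted test mostly causes spurious rejection of valid addresses rather than a missing guard, but it should still be corrected. A few lines of the function (the `else`, the `!vma` early return) are not shown, so the surrounding control flow is inferred.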
53731 @@ -1411,18 +1605,23 @@ arch_get_unmapped_area(struct file *filp
53732 if (flags & MAP_FIXED)
53735 +#ifdef CONFIG_PAX_RANDMMAP
53736 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53740 addr = PAGE_ALIGN(addr);
53741 - vma = find_vma(mm, addr);
53742 - if (TASK_SIZE - len >= addr &&
53743 - (!vma || addr + len <= vma->vm_start))
53745 + if (TASK_SIZE - len >= addr) {
53746 + vma = find_vma(mm, addr);
53747 + if (check_heap_stack_gap(vma, addr, len))
53751 if (len > mm->cached_hole_size) {
53752 - start_addr = addr = mm->free_area_cache;
53753 + start_addr = addr = mm->free_area_cache;
53755 - start_addr = addr = TASK_UNMAPPED_BASE;
53756 - mm->cached_hole_size = 0;
53757 + start_addr = addr = mm->mmap_base;
53758 + mm->cached_hole_size = 0;
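Review bot: Under `MF_PAX_RANDMMAP` the caller's address hint is now discarded entirely as far as the visible lines show (the `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` test guards the `if (addr)` hint handling; the `#endif` and the `if (addr) {` line are not shown), so a non-MAP_FIXED mmap() can no longer place itself next to a known address. That is a sensible ASLR hardening, but it silently changes documented mmap(2) behaviour and deserves a comment, e.g. `/* RANDMMAP: ignore the hint so a program cannot de-randomize its own layout */`. Replacing TASK_UNMAPPED_BASE with `mm->mmap_base` for the search start is the right companion change so the bottom-up search honours the randomized base.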
53762 @@ -1433,34 +1632,40 @@ full_search:
53763 * Start a new search - just in case we missed
53766 - if (start_addr != TASK_UNMAPPED_BASE) {
53767 - addr = TASK_UNMAPPED_BASE;
53768 - start_addr = addr;
53769 + if (start_addr != mm->mmap_base) {
53770 + start_addr = addr = mm->mmap_base;
53771 mm->cached_hole_size = 0;
53776 - if (!vma || addr + len <= vma->vm_start) {
53778 - * Remember the place where we stopped the search:
53780 - mm->free_area_cache = addr + len;
53783 + if (check_heap_stack_gap(vma, addr, len))
53785 if (addr + mm->cached_hole_size < vma->vm_start)
53786 mm->cached_hole_size = vma->vm_start - addr;
53787 addr = vma->vm_end;
53791 + * Remember the place where we stopped the search:
53793 + mm->free_area_cache = addr + len;
53798 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
53801 +#ifdef CONFIG_PAX_SEGMEXEC
53802 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53807 * Is this a new hole at the lowest possible address?
53809 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
53810 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
53811 mm->free_area_cache = addr;
53812 mm->cached_hole_size = ~0UL;
53814 @@ -1478,7 +1683,7 @@ arch_get_unmapped_area_topdown(struct fi
53816 struct vm_area_struct *vma;
53817 struct mm_struct *mm = current->mm;
53818 - unsigned long addr = addr0;
53819 + unsigned long base = mm->mmap_base, addr = addr0;
53821 /* requested length too big for entire address space */
53822 if (len > TASK_SIZE)
53823 @@ -1487,13 +1692,18 @@ arch_get_unmapped_area_topdown(struct fi
53824 if (flags & MAP_FIXED)
53827 +#ifdef CONFIG_PAX_RANDMMAP
53828 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
53831 /* requesting a specific address */
53833 addr = PAGE_ALIGN(addr);
53834 - vma = find_vma(mm, addr);
53835 - if (TASK_SIZE - len >= addr &&
53836 - (!vma || addr + len <= vma->vm_start))
53838 + if (TASK_SIZE - len >= addr) {
53839 + vma = find_vma(mm, addr);
53840 + if (check_heap_stack_gap(vma, addr, len))
53845 /* check if free_area_cache is useful for us */
53846 @@ -1508,7 +1718,7 @@ arch_get_unmapped_area_topdown(struct fi
53847 /* make sure it can fit in the remaining address space */
53849 vma = find_vma(mm, addr-len);
53850 - if (!vma || addr <= vma->vm_start)
53851 + if (check_heap_stack_gap(vma, addr - len, len))
53852 /* remember the address as a hint for next time */
53853 return (mm->free_area_cache = addr-len);
53855 @@ -1525,7 +1735,7 @@ arch_get_unmapped_area_topdown(struct fi
53856 * return with success:
53858 vma = find_vma(mm, addr);
53859 - if (!vma || addr+len <= vma->vm_start)
53860 + if (check_heap_stack_gap(vma, addr, len))
53861 /* remember the address as a hint for next time */
53862 return (mm->free_area_cache = addr);
53864 @@ -1534,8 +1744,8 @@ arch_get_unmapped_area_topdown(struct fi
53865 mm->cached_hole_size = vma->vm_start - addr;
53867 /* try just below the current vma->vm_start */
53868 - addr = vma->vm_start-len;
53869 - } while (len < vma->vm_start);
53870 + addr = skip_heap_stack_gap(vma, len);
53871 + } while (!IS_ERR_VALUE(addr));
53875 @@ -1544,13 +1754,21 @@ bottomup:
53876 * can happen with large stack limits and large mmap()
53879 + mm->mmap_base = TASK_UNMAPPED_BASE;
53881 +#ifdef CONFIG_PAX_RANDMMAP
53882 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53883 + mm->mmap_base += mm->delta_mmap;
53886 + mm->free_area_cache = mm->mmap_base;
53887 mm->cached_hole_size = ~0UL;
53888 - mm->free_area_cache = TASK_UNMAPPED_BASE;
53889 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
53891 * Restore the topdown base:
53893 - mm->free_area_cache = mm->mmap_base;
53894 + mm->mmap_base = base;
53895 + mm->free_area_cache = base;
53896 mm->cached_hole_size = ~0UL;
53899 @@ -1559,6 +1777,12 @@ bottomup:
53901 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
53904 +#ifdef CONFIG_PAX_SEGMEXEC
53905 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53910 * Is this a new hole at the highest possible address?
53912 @@ -1566,8 +1790,10 @@ void arch_unmap_area_topdown(struct mm_s
53913 mm->free_area_cache = addr;
53915 /* dont allow allocations above current base */
53916 - if (mm->free_area_cache > mm->mmap_base)
53917 + if (mm->free_area_cache > mm->mmap_base) {
53918 mm->free_area_cache = mm->mmap_base;
53919 + mm->cached_hole_size = ~0UL;
53924 @@ -1675,6 +1901,28 @@ out:
53925 return prev ? prev->vm_next : vma;
53928 +#ifdef CONFIG_PAX_SEGMEXEC
53929 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
53931 + struct vm_area_struct *vma_m;
53933 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
53934 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
53935 + BUG_ON(vma->vm_mirror);
53938 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
53939 + vma_m = vma->vm_mirror;
53940 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
53941 + BUG_ON(vma->vm_file != vma_m->vm_file);
53942 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
53943 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
53944 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
53945 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
53951 * Verify that the stack growth is acceptable and
53952 * update accounting. This is shared with both the
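Review bot: The anon_vma consistency check in pax_find_mirror_vma dereferences `->root` on both sides whenever the two anon_vma pointers differ, so a pair where exactly one of them is NULL oopses on a NULL dereference instead of tripping the assertion. Guarding the dereference keeps the failure an explicit BUG_ON: `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root));`. Whether a mismatch of that shape can actually arise depends on the mirror maintenance in anon_vma_prepare and anon_vma_clone, which is not in this hunk. The function's return and closing brace fall in lines the page does not reproduce.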
53953 @@ -1691,6 +1939,7 @@ static int acct_stack_growth(struct vm_a
53956 /* Stack limit test */
53957 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
53958 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
53961 @@ -1701,6 +1950,7 @@ static int acct_stack_growth(struct vm_a
53962 locked = mm->locked_vm + grow;
53963 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
53964 limit >>= PAGE_SHIFT;
53965 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53966 if (locked > limit && !capable(CAP_IPC_LOCK))
53969 @@ -1731,37 +1981,48 @@ static int acct_stack_growth(struct vm_a
53970 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
53971 * vma is the last one with address > vma->vm_end. Have to extend vma.
53973 +#ifndef CONFIG_IA64
53976 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
53981 if (!(vma->vm_flags & VM_GROWSUP))
53984 + /* Also guard against wrapping around to address 0. */
53985 + if (address < PAGE_ALIGN(address+1))
53986 + address = PAGE_ALIGN(address+1);
53991 * We must make sure the anon_vma is allocated
53992 * so that the anon_vma locking is not a noop.
53994 if (unlikely(anon_vma_prepare(vma)))
53996 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
53997 + if (locknext && anon_vma_prepare(vma->vm_next))
53999 vma_lock_anon_vma(vma);
54001 + vma_lock_anon_vma(vma->vm_next);
54004 * vma->vm_start/vm_end cannot change under us because the caller
54005 * is required to hold the mmap_sem in read mode. We need the
54006 - * anon_vma lock to serialize against concurrent expand_stacks.
54007 - * Also guard against wrapping around to address 0.
54008 + * anon_vma locks to serialize against concurrent expand_stacks
54009 + * and expand_upwards.
54011 - if (address < PAGE_ALIGN(address+4))
54012 - address = PAGE_ALIGN(address+4);
54014 - vma_unlock_anon_vma(vma);
54019 /* Somebody else might have raced and expanded it already */
54020 - if (address > vma->vm_end) {
54021 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
54023 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
54024 unsigned long size, grow;
54026 size = address - vma->vm_start;
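Review bot: The new heap-stack-gap test in expand_upwards evaluates `vma->vm_next->vm_start - address` in unsigned arithmetic, so it only rejects correctly when the caller guarantees `address <= vma->vm_next->vm_start`; for a larger address the difference wraps to a huge value, the gap test passes, and the `!locknext` arm of the following `else if` then allows the expansion. The same pattern is added to expand_downwards with `address - prev->vm_end` (hunk `@@ -1808,9 +2082,17 @@`). If the precondition is what the callers provide, state it at the test, e.g. `/* callers pass address <= vm_next->vm_start, so the subtraction cannot wrap */`; otherwise an explicit `vma->vm_next->vm_start >= address &&` ahead of the subtraction closes it. The remainder of expand_upwards lies outside this hunk, so whether any visible caller path violates the assumption cannot be confirmed here.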
54027 @@ -1773,6 +2034,8 @@ int expand_upwards(struct vm_area_struct
54028 perf_event_mmap(vma);
54032 + vma_unlock_anon_vma(vma->vm_next);
54033 vma_unlock_anon_vma(vma);
54034 khugepaged_enter_vma_merge(vma);
54036 @@ -1786,6 +2049,8 @@ static int expand_downwards(struct vm_ar
54037 unsigned long address)
54040 + bool lockprev = false;
54041 + struct vm_area_struct *prev;
54044 * We must make sure the anon_vma is allocated
54045 @@ -1799,6 +2064,15 @@ static int expand_downwards(struct vm_ar
54049 + prev = vma->vm_prev;
54050 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
54051 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
54053 + if (lockprev && anon_vma_prepare(prev))
54056 + vma_lock_anon_vma(prev);
54058 vma_lock_anon_vma(vma);
54061 @@ -1808,9 +2082,17 @@ static int expand_downwards(struct vm_ar
54064 /* Somebody else might have raced and expanded it already */
54065 - if (address < vma->vm_start) {
54066 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
54068 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
54069 unsigned long size, grow;
54071 +#ifdef CONFIG_PAX_SEGMEXEC
54072 + struct vm_area_struct *vma_m;
54074 + vma_m = pax_find_mirror_vma(vma);
54077 size = vma->vm_end - address;
54078 grow = (vma->vm_start - address) >> PAGE_SHIFT;
54080 @@ -1818,10 +2100,21 @@ static int expand_downwards(struct vm_ar
54082 vma->vm_start = address;
54083 vma->vm_pgoff -= grow;
54084 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
54086 +#ifdef CONFIG_PAX_SEGMEXEC
54088 + vma_m->vm_start -= grow << PAGE_SHIFT;
54089 + vma_m->vm_pgoff -= grow;
54093 perf_event_mmap(vma);
54096 vma_unlock_anon_vma(vma);
54098 + vma_unlock_anon_vma(prev);
54099 khugepaged_enter_vma_merge(vma);
54102 @@ -1896,6 +2189,13 @@ static void remove_vma_list(struct mm_st
54104 long nrpages = vma_pages(vma);
54106 +#ifdef CONFIG_PAX_SEGMEXEC
54107 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
54108 + vma = remove_vma(vma);
54113 mm->total_vm -= nrpages;
54114 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
54115 vma = remove_vma(vma);
54116 @@ -1941,6 +2241,16 @@ detach_vmas_to_be_unmapped(struct mm_str
54117 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
54118 vma->vm_prev = NULL;
54121 +#ifdef CONFIG_PAX_SEGMEXEC
54122 + if (vma->vm_mirror) {
54123 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
54124 + vma->vm_mirror->vm_mirror = NULL;
54125 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
54126 + vma->vm_mirror = NULL;
54130 rb_erase(&vma->vm_rb, &mm->mm_rb);
54133 @@ -1969,14 +2279,33 @@ static int __split_vma(struct mm_struct
54134 struct vm_area_struct *new;
54137 +#ifdef CONFIG_PAX_SEGMEXEC
54138 + struct vm_area_struct *vma_m, *new_m = NULL;
54139 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
54142 if (is_vm_hugetlb_page(vma) && (addr &
54143 ~(huge_page_mask(hstate_vma(vma)))))
54146 +#ifdef CONFIG_PAX_SEGMEXEC
54147 + vma_m = pax_find_mirror_vma(vma);
54150 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
54154 +#ifdef CONFIG_PAX_SEGMEXEC
54156 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
54158 + kmem_cache_free(vm_area_cachep, new);
54164 /* most fields are the same, copy all, and then fixup */
54167 @@ -1989,6 +2318,22 @@ static int __split_vma(struct mm_struct
54168 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
54171 +#ifdef CONFIG_PAX_SEGMEXEC
54174 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
54175 + new_m->vm_mirror = new;
54176 + new->vm_mirror = new_m;
54179 + new_m->vm_end = addr_m;
54181 + new_m->vm_start = addr_m;
54182 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
54187 pol = mpol_dup(vma_policy(vma));
54189 err = PTR_ERR(pol);
54190 @@ -2014,6 +2359,42 @@ static int __split_vma(struct mm_struct
54192 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
54194 +#ifdef CONFIG_PAX_SEGMEXEC
54195 + if (!err && vma_m) {
54196 + if (anon_vma_clone(new_m, vma_m))
54197 + goto out_free_mpol;
54200 + vma_set_policy(new_m, pol);
54202 + if (new_m->vm_file) {
54203 + get_file(new_m->vm_file);
54204 + if (vma_m->vm_flags & VM_EXECUTABLE)
54205 + added_exe_file_vma(mm);
54208 + if (new_m->vm_ops && new_m->vm_ops->open)
54209 + new_m->vm_ops->open(new_m);
54212 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
54213 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
54215 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
54218 + if (new_m->vm_ops && new_m->vm_ops->close)
54219 + new_m->vm_ops->close(new_m);
54220 + if (new_m->vm_file) {
54221 + if (vma_m->vm_flags & VM_EXECUTABLE)
54222 + removed_exe_file_vma(mm);
54223 + fput(new_m->vm_file);
54233 @@ -2026,10 +2407,18 @@ static int __split_vma(struct mm_struct
54234 removed_exe_file_vma(mm);
54235 fput(new->vm_file);
54237 - unlink_anon_vmas(new);
54242 +#ifdef CONFIG_PAX_SEGMEXEC
54244 + unlink_anon_vmas(new_m);
54245 + kmem_cache_free(vm_area_cachep, new_m);
54249 + unlink_anon_vmas(new);
54250 kmem_cache_free(vm_area_cachep, new);
54253 @@ -2042,6 +2431,15 @@ static int __split_vma(struct mm_struct
54254 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
54255 unsigned long addr, int new_below)
54258 +#ifdef CONFIG_PAX_SEGMEXEC
54259 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
54260 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
54261 + if (mm->map_count >= sysctl_max_map_count-1)
54266 if (mm->map_count >= sysctl_max_map_count)
54269 @@ -2053,11 +2451,30 @@ int split_vma(struct mm_struct *mm, stru
54270 * work. This now handles partial unmappings.
54271 * Jeremy Fitzhardinge <jeremy@goop.org>
54273 +#ifdef CONFIG_PAX_SEGMEXEC
54274 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54276 + int ret = __do_munmap(mm, start, len);
54277 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
54280 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
54283 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54285 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
54289 struct vm_area_struct *vma, *prev, *last;
54292 + * mm->mmap_sem is required to protect against another thread
54293 + * changing the mappings in case we sleep.
54295 + verify_mm_writelocked(mm);
54297 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
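Review bot: The SEGMEXEC do_munmap wrapper returns the result of the second `__do_munmap` after the first has already unmapped the primary range, so a failure on the mirror range reports an error for an operation that is half done and leaves the mirror mapping in place; callers elsewhere in mmap.c treat a non-zero return as "nothing was unmapped". If the intended invariant is that the mirror call cannot fail once the primary range has passed `__do_munmap`'s `start > TASK_SIZE || len > TASK_SIZE-start` check (which presumes `start + SEGMEXEC_TASK_SIZE + len` stays within TASK_SIZE for every validated primary range), spell that out at the call, e.g. `/* mirror range: same len, cannot fail once the primary unmap succeeded */`. The wrapper's `return ret;` and closing brace are in lines the page does not show.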
54300 @@ -2131,6 +2548,8 @@ int do_munmap(struct mm_struct *mm, unsi
54301 /* Fix up all other VM information */
54302 remove_vma_list(mm, vma);
54304 + track_exec_limit(mm, start, end, 0UL);
54309 @@ -2143,22 +2562,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
54311 profile_munmap(addr);
54313 +#ifdef CONFIG_PAX_SEGMEXEC
54314 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
54315 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
54319 down_write(&mm->mmap_sem);
54320 ret = do_munmap(mm, addr, len);
54321 up_write(&mm->mmap_sem);
54325 -static inline void verify_mm_writelocked(struct mm_struct *mm)
54327 -#ifdef CONFIG_DEBUG_VM
54328 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
54330 - up_read(&mm->mmap_sem);
54336 * this is really a simplified "do_mmap". it only handles
54337 * anonymous maps. eventually we may be able to do some
54338 @@ -2172,6 +2587,7 @@ unsigned long do_brk(unsigned long addr,
54339 struct rb_node ** rb_link, * rb_parent;
54340 pgoff_t pgoff = addr >> PAGE_SHIFT;
54342 + unsigned long charged;
54344 len = PAGE_ALIGN(len);
54346 @@ -2183,16 +2599,30 @@ unsigned long do_brk(unsigned long addr,
54348 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
54350 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
54351 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
54352 + flags &= ~VM_EXEC;
54354 +#ifdef CONFIG_PAX_MPROTECT
54355 + if (mm->pax_flags & MF_PAX_MPROTECT)
54356 + flags &= ~VM_MAYEXEC;
54362 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
54363 if (error & ~PAGE_MASK)
54366 + charged = len >> PAGE_SHIFT;
54369 * mlock MCL_FUTURE?
54371 if (mm->def_flags & VM_LOCKED) {
54372 unsigned long locked, lock_limit;
54373 - locked = len >> PAGE_SHIFT;
54374 + locked = charged;
54375 locked += mm->locked_vm;
54376 lock_limit = rlimit(RLIMIT_MEMLOCK);
54377 lock_limit >>= PAGE_SHIFT;
54378 @@ -2209,22 +2639,22 @@ unsigned long do_brk(unsigned long addr,
54380 * Clear old maps. this also does some error checking for us
54383 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54384 if (vma && vma->vm_start < addr + len) {
54385 if (do_munmap(mm, addr, len))
54387 - goto munmap_back;
54388 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
54389 + BUG_ON(vma && vma->vm_start < addr + len);
54392 /* Check against address space limits *after* clearing old maps... */
54393 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
54394 + if (!may_expand_vm(mm, charged))
54397 if (mm->map_count > sysctl_max_map_count)
54400 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
54401 + if (security_vm_enough_memory(charged))
54404 /* Can we just expand an old private anonymous mapping? */
54405 @@ -2238,7 +2668,7 @@ unsigned long do_brk(unsigned long addr,
54407 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54409 - vm_unacct_memory(len >> PAGE_SHIFT);
54410 + vm_unacct_memory(charged);
54414 @@ -2252,11 +2682,12 @@ unsigned long do_brk(unsigned long addr,
54415 vma_link(mm, vma, prev, rb_link, rb_parent);
54417 perf_event_mmap(vma);
54418 - mm->total_vm += len >> PAGE_SHIFT;
54419 + mm->total_vm += charged;
54420 if (flags & VM_LOCKED) {
54421 if (!mlock_vma_pages_range(vma, addr, addr + len))
54422 - mm->locked_vm += (len >> PAGE_SHIFT);
54423 + mm->locked_vm += charged;
54425 + track_exec_limit(mm, addr, addr + len, flags);
54429 @@ -2303,8 +2734,10 @@ void exit_mmap(struct mm_struct *mm)
54430 * Walk the list again, actually closing and freeing it,
54431 * with preemption enabled, without holding any MM locks.
54435 + vma->vm_mirror = NULL;
54436 vma = remove_vma(vma);
54439 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
54441 @@ -2318,6 +2751,13 @@ int insert_vm_struct(struct mm_struct *
54442 struct vm_area_struct * __vma, * prev;
54443 struct rb_node ** rb_link, * rb_parent;
54445 +#ifdef CONFIG_PAX_SEGMEXEC
54446 + struct vm_area_struct *vma_m = NULL;
54449 + if (security_file_mmap(NULL, 0, 0, 0, vma->vm_start, 1))
54453 * The vm_pgoff of a purely anonymous vma should be irrelevant
54454 * until its first write fault, when page's anon_vma and index
54455 @@ -2340,7 +2780,22 @@ int insert_vm_struct(struct mm_struct *
54456 if ((vma->vm_flags & VM_ACCOUNT) &&
54457 security_vm_enough_memory_mm(mm, vma_pages(vma)))
54460 +#ifdef CONFIG_PAX_SEGMEXEC
54461 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
54462 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54468 vma_link(mm, vma, prev, rb_link, rb_parent);
54470 +#ifdef CONFIG_PAX_SEGMEXEC
54472 + BUG_ON(pax_mirror_vma(vma_m, vma));
54478 @@ -2358,6 +2813,8 @@ struct vm_area_struct *copy_vma(struct v
54479 struct rb_node **rb_link, *rb_parent;
54480 struct mempolicy *pol;
54482 + BUG_ON(vma->vm_mirror);
54485 * If anonymous vma has not yet been faulted, update new pgoff
54486 * to match new location, to increase its chance of merging.
54487 @@ -2407,6 +2864,39 @@ struct vm_area_struct *copy_vma(struct v
54488 kmem_cache_free(vm_area_cachep, new_vma);
54492 +#ifdef CONFIG_PAX_SEGMEXEC
54493 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
54495 + struct vm_area_struct *prev_m;
54496 + struct rb_node **rb_link_m, *rb_parent_m;
54497 + struct mempolicy *pol_m;
54499 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
54500 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
54501 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
54503 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
54504 + if (anon_vma_clone(vma_m, vma))
54506 + pol_m = vma_policy(vma_m);
54508 + vma_set_policy(vma_m, pol_m);
54509 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
54510 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
54511 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
54512 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
54513 + if (vma_m->vm_file)
54514 + get_file(vma_m->vm_file);
54515 + if (vma_m->vm_ops && vma_m->vm_ops->open)
54516 + vma_m->vm_ops->open(vma_m);
54517 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
54518 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
54519 + vma_m->vm_mirror = vma;
54520 + vma->vm_mirror = vma_m;
54526 * Return true if the calling process may expand its vm space by the passed
54527 @@ -2418,7 +2908,7 @@ int may_expand_vm(struct mm_struct *mm,
54530 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
54532 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
54533 if (cur + npages > lim)
54536 @@ -2489,6 +2979,22 @@ int install_special_mapping(struct mm_st
54537 vma->vm_start = addr;
54538 vma->vm_end = addr + len;
54540 +#ifdef CONFIG_PAX_MPROTECT
54541 + if (mm->pax_flags & MF_PAX_MPROTECT) {
54542 +#ifndef CONFIG_PAX_MPROTECT_COMPAT
54543 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
54545 + if (!(vm_flags & VM_EXEC))
54546 + vm_flags &= ~VM_MAYEXEC;
54548 + if ((vm_flags & (VM_WRITE | VM_EXEC)) != VM_EXEC)
54549 + vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
54552 + vm_flags &= ~VM_MAYWRITE;
54556 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
54557 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
54559 diff -urNp linux-2.6.38.1/mm/mprotect.c linux-2.6.38.1-new/mm/mprotect.c
54560 --- linux-2.6.38.1/mm/mprotect.c 2011-03-14 21:20:32.000000000 -0400
54561 +++ linux-2.6.38.1-new/mm/mprotect.c 2011-03-21 18:31:35.000000000 -0400
54562 @@ -23,10 +23,16 @@
54563 #include <linux/mmu_notifier.h>
54564 #include <linux/migrate.h>
54565 #include <linux/perf_event.h>
54567 +#ifdef CONFIG_PAX_MPROTECT
54568 +#include <linux/elf.h>
54571 #include <asm/uaccess.h>
54572 #include <asm/pgtable.h>
54573 #include <asm/cacheflush.h>
54574 #include <asm/tlbflush.h>
54575 +#include <asm/mmu_context.h>
54577 #ifndef pgprot_modify
54578 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
54579 @@ -141,6 +147,48 @@ static void change_protection(struct vm_
54580 flush_tlb_range(vma, start, end);
54583 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54584 +/* called while holding the mmap semaphor for writing except stack expansion */
54585 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
54587 + unsigned long oldlimit, newlimit = 0UL;
54589 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
54592 + spin_lock(&mm->page_table_lock);
54593 + oldlimit = mm->context.user_cs_limit;
54594 + if ((prot & VM_EXEC) && oldlimit < end)
54595 + /* USER_CS limit moved up */
54597 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
54598 + /* USER_CS limit moved down */
54599 + newlimit = start;
54602 + mm->context.user_cs_limit = newlimit;
54606 + cpus_clear(mm->context.cpu_user_cs_mask);
54607 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
54610 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
54612 + spin_unlock(&mm->page_table_lock);
54613 + if (newlimit == end) {
54614 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
54616 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
54617 + if (is_vm_hugetlb_page(vma))
54618 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
54620 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
54626 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
54627 unsigned long start, unsigned long end, unsigned long newflags)
54628 @@ -153,11 +201,29 @@ mprotect_fixup(struct vm_area_struct *vm
54630 int dirty_accountable = 0;
54632 +#ifdef CONFIG_PAX_SEGMEXEC
54633 + struct vm_area_struct *vma_m = NULL;
54634 + unsigned long start_m, end_m;
54636 + start_m = start + SEGMEXEC_TASK_SIZE;
54637 + end_m = end + SEGMEXEC_TASK_SIZE;
54640 if (newflags == oldflags) {
54645 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
54646 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
54648 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
54651 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
54656 * If we make a private mapping writable we increase our commit;
54657 * but (without finer accounting) cannot reduce our commit if we
54658 @@ -174,6 +240,42 @@ mprotect_fixup(struct vm_area_struct *vm
54662 +#ifdef CONFIG_PAX_SEGMEXEC
54663 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
54664 + if (start != vma->vm_start) {
54665 + error = split_vma(mm, vma, start, 1);
54668 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
54669 + *pprev = (*pprev)->vm_next;
54672 + if (end != vma->vm_end) {
54673 + error = split_vma(mm, vma, end, 0);
54678 + if (pax_find_mirror_vma(vma)) {
54679 + error = __do_munmap(mm, start_m, end_m - start_m);
54683 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
54688 + vma->vm_flags = newflags;
54689 + error = pax_mirror_vma(vma_m, vma);
54691 + vma->vm_flags = oldflags;
54699 * First try to merge with previous and/or next vma.
54701 @@ -204,9 +306,21 @@ success:
54702 * vm_flags and vm_page_prot are protected by the mmap_sem
54703 * held in write mode.
54706 +#ifdef CONFIG_PAX_SEGMEXEC
54707 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
54708 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
54711 vma->vm_flags = newflags;
54713 +#ifdef CONFIG_PAX_MPROTECT
54714 + if (mm->binfmt && mm->binfmt->handle_mprotect)
54715 + mm->binfmt->handle_mprotect(vma, newflags);
54718 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
54719 - vm_get_page_prot(newflags));
54720 + vm_get_page_prot(vma->vm_flags));
54722 if (vma_wants_writenotify(vma)) {
54723 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
54724 @@ -248,6 +362,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54729 +#ifdef CONFIG_PAX_SEGMEXEC
54730 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
54731 + if (end > SEGMEXEC_TASK_SIZE)
54736 + if (end > TASK_SIZE)
54739 if (!arch_validate_prot(prot))
54742 @@ -255,7 +380,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54744 * Does the application expect PROT_READ to imply PROT_EXEC:
54746 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
54747 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
54750 vm_flags = calc_vm_prot_bits(prot);
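Review bot: The comment above this condition still reads "Does the application expect PROT_READ to imply PROT_EXEC", but the new test also promotes PROT_WRITE-only requests to executable, so the comment no longer describes the check. Suggest updating it to `/* Does the application expect PROT_READ (or PROT_WRITE, treated the same way here) to imply PROT_EXEC: */`, ideally with the reason PROT_WRITE is included. The enclosing SYSCALL_DEFINE3(mprotect) body begins and ends outside this hunk.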
54751 @@ -287,6 +412,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54752 if (start > vma->vm_start)
54755 +#ifdef CONFIG_PAX_MPROTECT
54756 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
54757 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
54760 for (nstart = start ; ; ) {
54761 unsigned long newflags;
54763 @@ -296,6 +426,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54765 /* newflags >> 4 shift VM_MAY% in place of VM_% */
54766 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
54767 + if (prot & (PROT_WRITE | PROT_EXEC))
54768 + gr_log_rwxmprotect(vma->vm_file);
54774 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
54778 @@ -310,6 +448,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
54779 error = mprotect_fixup(vma, &prev, nstart, tmp, newflags);
54783 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
54787 if (nstart < prev->vm_end)
54788 diff -urNp linux-2.6.38.1/mm/mremap.c linux-2.6.38.1-new/mm/mremap.c
54789 --- linux-2.6.38.1/mm/mremap.c 2011-03-14 21:20:32.000000000 -0400
54790 +++ linux-2.6.38.1-new/mm/mremap.c 2011-03-21 18:31:35.000000000 -0400
54791 @@ -114,6 +114,12 @@ static void move_ptes(struct vm_area_str
54793 pte = ptep_clear_flush(vma, old_addr, old_pte);
54794 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
54796 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
54797 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
54798 + pte = pte_exprotect(pte);
54801 set_pte_at(mm, new_addr, new_pte, pte);
54804 @@ -273,6 +279,11 @@ static struct vm_area_struct *vma_to_res
54805 if (is_vm_hugetlb_page(vma))
54808 +#ifdef CONFIG_PAX_SEGMEXEC
54809 + if (pax_find_mirror_vma(vma))
54813 /* We can't remap across vm area boundaries */
54814 if (old_len > vma->vm_end - addr)
54816 @@ -322,20 +333,25 @@ static unsigned long mremap_to(unsigned
54817 unsigned long ret = -EINVAL;
54818 unsigned long charged = 0;
54819 unsigned long map_flags;
54820 + unsigned long pax_task_size = TASK_SIZE;
54822 if (new_addr & ~PAGE_MASK)
54825 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
54826 +#ifdef CONFIG_PAX_SEGMEXEC
54827 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
54828 + pax_task_size = SEGMEXEC_TASK_SIZE;
54831 + pax_task_size -= PAGE_SIZE;
54833 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
54836 /* Check if the location we're moving into overlaps the
54837 * old location at all, and fail if it does.
54839 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
54842 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
54843 + if (addr + old_len > new_addr && new_addr + new_len > addr)
54846 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
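Review bot: The rewritten bound check in mremap_to compares `new_len` against `TASK_SIZE` but `new_addr` against `pax_task_size - new_len`; when SEGMEXEC or the `pax_task_size -= PAGE_SIZE` adjustment lowers pax_task_size below TASK_SIZE, a `new_len` between the two values makes the subtraction wrap and the check pass. The parallel test added to do_mremap uses pax_task_size on both sides, so `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)` would make the two consistent. As far as the visible lines show, do_mremap already rejects such lengths before calling mremap_to, so this is a defensive consistency fix rather than a reachable gap.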
54847 @@ -407,6 +423,7 @@ unsigned long do_mremap(unsigned long ad
54848 struct vm_area_struct *vma;
54849 unsigned long ret = -EINVAL;
54850 unsigned long charged = 0;
54851 + unsigned long pax_task_size = TASK_SIZE;
54853 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
54855 @@ -425,6 +442,17 @@ unsigned long do_mremap(unsigned long ad
54859 +#ifdef CONFIG_PAX_SEGMEXEC
54860 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
54861 + pax_task_size = SEGMEXEC_TASK_SIZE;
54864 + pax_task_size -= PAGE_SIZE;
54866 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
54867 + old_len > pax_task_size || addr > pax_task_size-old_len)
54870 if (flags & MREMAP_FIXED) {
54871 if (flags & MREMAP_MAYMOVE)
54872 ret = mremap_to(addr, old_len, new_addr, new_len);
54873 @@ -474,6 +502,7 @@ unsigned long do_mremap(unsigned long ad
54877 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
54881 @@ -500,7 +529,13 @@ unsigned long do_mremap(unsigned long ad
54882 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
54886 + map_flags = vma->vm_flags;
54887 ret = move_vma(vma, addr, old_len, new_len, new_addr);
54888 + if (!(ret & ~PAGE_MASK)) {
54889 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
54890 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
54894 if (ret & ~PAGE_MASK)
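Review bot: Storing `vma->vm_flags` into the existing `map_flags` local before move_vma reuses a name that, by its name and its use elsewhere in do_mremap, presumably holds MAP_* bits, so a reader of the later `track_exec_limit(..., map_flags)` call has to work out that it now carries VM_* flags. A dedicated local makes the intent obvious: `unsigned long old_vm_flags = vma->vm_flags;` with `track_exec_limit(current->mm, new_addr, new_addr + new_len, old_vm_flags);`. The declaration of map_flags and the rest of do_mremap are outside this hunk.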
54895 diff -urNp linux-2.6.38.1/mm/nommu.c linux-2.6.38.1-new/mm/nommu.c
54896 --- linux-2.6.38.1/mm/nommu.c 2011-03-14 21:20:32.000000000 -0400
54897 +++ linux-2.6.38.1-new/mm/nommu.c 2011-03-21 18:31:35.000000000 -0400
54898 @@ -63,7 +63,6 @@ int sysctl_overcommit_memory = OVERCOMMI
54899 int sysctl_overcommit_ratio = 50; /* default is 50% */
54900 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
54901 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
54902 -int heap_stack_gap = 0;
54904 atomic_long_t mmap_pages_allocated;
54906 @@ -833,15 +832,6 @@ struct vm_area_struct *find_vma(struct m
54907 EXPORT_SYMBOL(find_vma);
54911 - * - we don't extend stack VMAs under NOMMU conditions
54913 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
54915 - return find_vma(mm, addr);
54919 * expand a stack to a given address
54920 * - not supported under NOMMU conditions
54922 @@ -1563,6 +1553,7 @@ int split_vma(struct mm_struct *mm, stru
54924 /* most fields are the same, copy all, and then fixup */
54926 + INIT_LIST_HEAD(&new->anon_vma_chain);
54927 *region = *vma->vm_region;
54928 new->vm_region = region;
54930 diff -urNp linux-2.6.38.1/mm/page_alloc.c linux-2.6.38.1-new/mm/page_alloc.c
54931 --- linux-2.6.38.1/mm/page_alloc.c 2011-03-14 21:20:32.000000000 -0400
54932 +++ linux-2.6.38.1-new/mm/page_alloc.c 2011-03-21 18:31:35.000000000 -0400
54933 @@ -644,6 +644,10 @@ static bool free_pages_prepare(struct pa
54937 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54938 + unsigned long index = 1UL << order;
54941 trace_mm_page_free_direct(page, order);
54942 kmemcheck_free_shadow(page, order);
54944 @@ -659,6 +663,12 @@ static bool free_pages_prepare(struct pa
54945 debug_check_no_obj_freed(page_address(page),
54946 PAGE_SIZE << order);
54949 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54950 + for (; index; --index)
54951 + sanitize_highpage(page + index - 1);
54954 arch_free_page(page, order);
54955 kernel_map_pages(page, 1 << order, 0);
54957 @@ -773,8 +783,10 @@ static int prep_new_page(struct page *pa
54958 arch_alloc_page(page, order);
54959 kernel_map_pages(page, 1 << order, 1);
54961 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
54962 if (gfp_flags & __GFP_ZERO)
54963 prep_zero_page(page, order, gfp_flags);
54966 if (order && (gfp_flags & __GFP_COMP))
54967 prep_compound_page(page, order);
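Review bot: Compiling out `prep_zero_page` under CONFIG_PAX_MEMORY_SANITIZE makes `__GFP_ZERO` correctness depend on every page having been zero-filled by the `sanitize_highpage` loop added to free_pages_prepare in the previous hunk, and nothing at this site says so. A comment on the `#ifndef` would protect the invariant, e.g. `/* CONFIG_PAX_MEMORY_SANITIZE zeroes every page on free, so __GFP_ZERO needs no work here */`. This holds only if sanitize_highpage writes zeros rather than a poison pattern and if no page can reach prep_new_page without passing through free_pages_prepare, both of which are worth confirming before relying on it.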
54968 diff -urNp linux-2.6.38.1/mm/percpu.c linux-2.6.38.1-new/mm/percpu.c
54969 --- linux-2.6.38.1/mm/percpu.c 2011-03-14 21:20:32.000000000 -0400
54970 +++ linux-2.6.38.1-new/mm/percpu.c 2011-03-21 18:31:35.000000000 -0400
54971 @@ -121,7 +121,7 @@ static unsigned int pcpu_first_unit_cpu
54972 static unsigned int pcpu_last_unit_cpu __read_mostly;
54974 /* the address of the first chunk which starts with the kernel static area */
54975 -void *pcpu_base_addr __read_mostly;
54976 +void *pcpu_base_addr __read_only;
54977 EXPORT_SYMBOL_GPL(pcpu_base_addr);
54979 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
54980 diff -urNp linux-2.6.38.1/mm/rmap.c linux-2.6.38.1-new/mm/rmap.c
54981 --- linux-2.6.38.1/mm/rmap.c 2011-03-14 21:20:32.000000000 -0400
54982 +++ linux-2.6.38.1-new/mm/rmap.c 2011-03-21 18:31:35.000000000 -0400
54983 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
54984 struct anon_vma *anon_vma = vma->anon_vma;
54985 struct anon_vma_chain *avc;
54987 +#ifdef CONFIG_PAX_SEGMEXEC
54988 + struct anon_vma_chain *avc_m = NULL;
54992 if (unlikely(!anon_vma)) {
54993 struct mm_struct *mm = vma->vm_mm;
54994 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
54998 +#ifdef CONFIG_PAX_SEGMEXEC
54999 + avc_m = anon_vma_chain_alloc();
55001 + goto out_enomem_free_avc;
55004 anon_vma = find_mergeable_anon_vma(vma);
55007 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
55008 /* page_table_lock to protect against threads */
55009 spin_lock(&mm->page_table_lock);
55010 if (likely(!vma->anon_vma)) {
55012 +#ifdef CONFIG_PAX_SEGMEXEC
55013 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
55016 + BUG_ON(vma_m->anon_vma);
55017 + vma_m->anon_vma = anon_vma;
55018 + avc_m->anon_vma = anon_vma;
55019 + avc_m->vma = vma;
55020 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
55021 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
55026 vma->anon_vma = anon_vma;
55027 avc->anon_vma = anon_vma;
55029 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
55031 if (unlikely(allocated))
55032 anon_vma_free(allocated);
55034 +#ifdef CONFIG_PAX_SEGMEXEC
55035 + if (unlikely(avc_m))
55036 + anon_vma_chain_free(avc_m);
55040 anon_vma_chain_free(avc);
55044 out_enomem_free_avc:
55046 +#ifdef CONFIG_PAX_SEGMEXEC
55048 + anon_vma_chain_free(avc_m);
55051 anon_vma_chain_free(avc);
55054 @@ -189,7 +226,7 @@ static void anon_vma_chain_link(struct v
55055 * Attach the anon_vmas from src to dst.
55056 * Returns 0 on success, -ENOMEM on failure.
55058 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
55059 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
55061 struct anon_vma_chain *avc, *pavc;
55063 @@ -211,7 +248,7 @@ int anon_vma_clone(struct vm_area_struct
55064 * the corresponding VMA in the parent process is attached to.
55065 * Returns 0 on success, non-zero on failure.
55067 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
55068 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
55070 struct anon_vma_chain *avc;
55071 struct anon_vma *anon_vma;
55072 diff -urNp linux-2.6.38.1/mm/shmem.c linux-2.6.38.1-new/mm/shmem.c
55073 --- linux-2.6.38.1/mm/shmem.c 2011-03-14 21:20:32.000000000 -0400
55074 +++ linux-2.6.38.1-new/mm/shmem.c 2011-03-21 18:31:35.000000000 -0400
55076 #include <linux/percpu_counter.h>
55077 #include <linux/swap.h>
55079 -static struct vfsmount *shm_mnt;
55080 +struct vfsmount *shm_mnt;
55082 #ifdef CONFIG_SHMEM
55084 @@ -1070,6 +1070,8 @@ static int shmem_writepage(struct page *
55087 entry = shmem_swp_entry(info, index, NULL);
55092 * The more uptodate page coming down from a stacked
55093 diff -urNp linux-2.6.38.1/mm/slab.c linux-2.6.38.1-new/mm/slab.c
55094 --- linux-2.6.38.1/mm/slab.c 2011-03-14 21:20:32.000000000 -0400
55095 +++ linux-2.6.38.1-new/mm/slab.c 2011-03-21 18:31:35.000000000 -0400
55096 @@ -284,7 +284,7 @@ struct kmem_list3 {
55097 * Need this for bootstrapping a per node allocator.
55099 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
55100 -static struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
55101 +static struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
55102 #define CACHE_CACHE 0
55103 #define SIZE_AC MAX_NUMNODES
55104 #define SIZE_L3 (2 * MAX_NUMNODES)
55105 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
55106 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
55108 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
55109 - const struct slab *slab, void *obj)
55110 + const struct slab *slab, const void *obj)
55112 u32 offset = (obj - slab->s_mem);
55113 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
55114 @@ -560,14 +560,14 @@ struct cache_names {
55115 static struct cache_names __initdata cache_names[] = {
55116 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
55117 #include <linux/kmalloc_sizes.h>
55123 static struct arraycache_init initarray_cache __initdata =
55124 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
55125 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
55126 static struct arraycache_init initarray_generic =
55127 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
55128 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
55130 /* internal cache of cache description objs */
55131 static struct kmem_cache cache_cache = {
55132 @@ -4535,15 +4535,66 @@ static const struct file_operations proc
55134 static int __init slab_proc_init(void)
55136 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
55137 + mode_t gr_mode = S_IRUGO;
55139 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55140 + gr_mode = S_IRUSR;
55143 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
55144 #ifdef CONFIG_DEBUG_SLAB_LEAK
55145 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
55146 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
55150 module_init(slab_proc_init);
55153 +void check_object_size(const void *ptr, unsigned long n, bool to)
55156 +#ifdef CONFIG_PAX_USERCOPY
55157 + struct kmem_cache *cachep;
55158 + struct slab *slabp;
55159 + struct page *page;
55160 + unsigned int objnr;
55161 + unsigned long offset;
55166 + if (ZERO_OR_NULL_PTR(ptr))
55169 + if (!virt_addr_valid(ptr))
55172 + page = virt_to_head_page(ptr);
55174 + if (!PageSlab(page)) {
55175 + if (object_is_on_stack(ptr, n) == -1)
55180 + cachep = page_get_cache(page);
55181 + slabp = page_get_slab(page);
55182 + objnr = obj_to_index(cachep, slabp, ptr);
55183 + BUG_ON(objnr >= cachep->num);
55184 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
55185 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
55190 + pax_report_leak_to_user(ptr, n);
55192 + pax_report_overflow_from_user(ptr, n);
55196 +EXPORT_SYMBOL(check_object_size);
55199 * ksize - get the actual amount of memory allocated for a given object
55200 * @objp: Pointer to the object
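Review bot: The exported check_object_size() added here carries no header comment, although the same contract is reimplemented with an identical prologue (ZERO_OR_NULL_PTR, virt_addr_valid, the !PageSlab/object_is_on_stack fallback) and report tail in the mm/slob.c and mm/slub.c hunks of this patch; state it once above the definition, e.g. `/* PAX_USERCOPY: refuse a user copy of n bytes at ptr unless the range lies inside a single slab object (or, for non-slab memory, a single stack frame); to presumably selects the leak-to-user vs overflow-from-user report */`, and consider moving the shared prologue into one common helper. The `offset` line also deserves a why-comment: it is unsigned, so a ptr that sits before the object payload (non-zero obj_offset() under slab debugging) wraps to a huge value and is rejected by the comparison that follows — fail-closed, but not obvious from the arithmetic: `/* unsigned on purpose: a ptr before the payload wraps and fails the bounds test below */`. The lines between the PageSlab test and the report calls are elided in this hunk, so the exact return paths are inferred.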
55201 diff -urNp linux-2.6.38.1/mm/slob.c linux-2.6.38.1-new/mm/slob.c
55202 --- linux-2.6.38.1/mm/slob.c 2011-03-14 21:20:32.000000000 -0400
55203 +++ linux-2.6.38.1-new/mm/slob.c 2011-03-21 18:31:35.000000000 -0400
55205 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
55206 * alloc_pages() directly, allocating compound pages so the page order
55207 * does not have to be separately tracked, and also stores the exact
55208 - * allocation size in page->private so that it can be used to accurately
55209 + * allocation size in slob_page->size so that it can be used to accurately
55210 * provide ksize(). These objects are detected in kfree() because slob_page()
55211 * is false for them.
55216 #include <linux/kernel.h>
55217 +#include <linux/sched.h>
55218 #include <linux/slab.h>
55219 #include <linux/mm.h>
55220 #include <linux/swap.h> /* struct reclaim_state */
55221 @@ -102,7 +103,8 @@ struct slob_page {
55222 unsigned long flags; /* mandatory */
55223 atomic_t _count; /* mandatory */
55224 slobidx_t units; /* free units left in page */
55225 - unsigned long pad[2];
55226 + unsigned long pad[1];
55227 + unsigned long size; /* size when >=PAGE_SIZE */
55228 slob_t *free; /* first free slob_t in page */
55229 struct list_head list; /* linked list of free pages */
55231 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
55233 static inline int is_slob_page(struct slob_page *sp)
55235 - return PageSlab((struct page *)sp);
55236 + return PageSlab((struct page *)sp) && !sp->size;
55239 static inline void set_slob_page(struct slob_page *sp)
55240 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
55242 static inline struct slob_page *slob_page(const void *addr)
55244 - return (struct slob_page *)virt_to_page(addr);
55245 + return (struct slob_page *)virt_to_head_page(addr);
55249 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
55251 * Return the size of a slob block.
55253 -static slobidx_t slob_units(slob_t *s)
55254 +static slobidx_t slob_units(const slob_t *s)
55258 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
55260 * Return the next free slob block pointer after this one.
55262 -static slob_t *slob_next(slob_t *s)
55263 +static slob_t *slob_next(const slob_t *s)
55265 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
55267 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
55269 * Returns true if s is the last free block in its page.
55271 -static int slob_last(slob_t *s)
55272 +static int slob_last(const slob_t *s)
55274 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
55276 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
55280 + set_slob_page(page);
55281 return page_address(page);
55284 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
55288 - set_slob_page(sp);
55290 spin_lock_irqsave(&slob_lock, flags);
55291 sp->units = SLOB_UNITS(PAGE_SIZE);
55294 INIT_LIST_HEAD(&sp->list);
55295 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
55296 set_slob_page_free(sp, slob_list);
55297 @@ -476,10 +479,9 @@ out:
55298 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
55301 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55302 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
55305 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55309 lockdep_trace_alloc(gfp);
55310 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
55315 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
55316 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
55317 + m[0].units = size;
55318 + m[1].units = align;
55319 ret = (void *)m + align;
55321 trace_kmalloc_node(_RET_IP_, ret,
55322 @@ -504,9 +509,9 @@ void *__kmalloc_node(size_t size, gfp_t
55324 ret = slob_new_pages(gfp, order, node);
55326 - struct page *page;
55327 - page = virt_to_page(ret);
55328 - page->private = size;
55329 + struct slob_page *sp;
55330 + sp = slob_page(ret);
55334 trace_kmalloc_node(_RET_IP_, ret,
55335 @@ -516,6 +521,13 @@ void *__kmalloc_node(size_t size, gfp_t
55336 kmemleak_alloc(ret, size, 1, gfp);
55340 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
55342 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55344 + return __kmalloc_node_align(size, gfp, node, align);
55346 EXPORT_SYMBOL(__kmalloc_node);
55348 void kfree(const void *block)
55349 @@ -531,13 +543,84 @@ void kfree(const void *block)
55350 sp = slob_page(block);
55351 if (is_slob_page(sp)) {
55352 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55353 - unsigned int *m = (unsigned int *)(block - align);
55354 - slob_free(m, *m + align);
55356 + slob_t *m = (slob_t *)(block - align);
55357 + slob_free(m, m[0].units + align);
55359 + clear_slob_page(sp);
55360 + free_slob_page(sp);
55362 put_page(&sp->page);
55365 EXPORT_SYMBOL(kfree);
55367 +void check_object_size(const void *ptr, unsigned long n, bool to)
55370 +#ifdef CONFIG_PAX_USERCOPY
55371 + struct slob_page *sp;
55372 + const slob_t *free;
55373 + const void *base;
55378 + if (ZERO_OR_NULL_PTR(ptr))
55381 + if (!virt_addr_valid(ptr))
55384 + sp = slob_page(ptr);
55385 + if (!PageSlab((struct page*)sp)) {
55386 + if (object_is_on_stack(ptr, n) == -1)
55392 + base = page_address(&sp->page);
55393 + if (base <= ptr && n <= sp->size - (ptr - base))
55398 + /* some tricky double walking to find the chunk */
55399 + base = (void *)((unsigned long)ptr & PAGE_MASK);
55402 + while (!slob_last(free) && (void *)free <= ptr) {
55403 + base = free + slob_units(free);
55404 + free = slob_next(free);
55407 + while (base < (void *)free) {
55408 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
55409 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
55412 + if (ptr < base + align)
55415 + offset = ptr - base - align;
55416 + if (offset < m) {
55417 + if (n <= m - offset)
55426 + pax_report_leak_to_user(ptr, n);
55428 + pax_report_overflow_from_user(ptr, n);
55432 +EXPORT_SYMBOL(check_object_size);
55434 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
55435 size_t ksize(const void *block)
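Review bot: The large-allocation test `if (base <= ptr && n <= sp->size - (ptr - base))` is fail-open when ptr lies in the tail of the compound page beyond sp->size: `ptr - base` is then larger than sp->size, the unsigned subtraction (size is `unsigned long`, see the slob_page hunk above) wraps, and any n passes, so a copy that starts in that slack is never reported. Bound the offset first: `if (base <= ptr && (unsigned long)(ptr - base) <= sp->size && n <= sp->size - (ptr - base))`. This assumes the elided lines just before route only pages with sp->size set here (is_slob_page() is now false for them); if the small-page case can also reach this test, sp->size is 0 and the same wrap applies. The report path of check_object_size() and the tail of kfree() are elided in this hunk.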
55437 @@ -550,10 +633,10 @@ size_t ksize(const void *block)
55438 sp = slob_page(block);
55439 if (is_slob_page(sp)) {
55440 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
55441 - unsigned int *m = (unsigned int *)(block - align);
55442 - return SLOB_UNITS(*m) * SLOB_UNIT;
55443 + slob_t *m = (slob_t *)(block - align);
55444 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
55446 - return sp->page.private;
55449 EXPORT_SYMBOL(ksize);
55451 @@ -608,17 +691,25 @@ void *kmem_cache_alloc_node(struct kmem_
55455 +#ifdef CONFIG_PAX_USERCOPY
55456 + b = __kmalloc_node_align(c->size, flags, node, c->align);
55458 if (c->size < PAGE_SIZE) {
55459 b = slob_alloc(c->size, flags, c->align, node);
55460 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55461 SLOB_UNITS(c->size) * SLOB_UNIT,
55464 + struct slob_page *sp;
55466 b = slob_new_pages(flags, get_order(c->size), node);
55467 + sp = slob_page(b);
55468 + sp->size = c->size;
55469 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
55470 PAGE_SIZE << get_order(c->size),
55477 @@ -630,10 +721,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
55479 static void __kmem_cache_free(void *b, int size)
55481 - if (size < PAGE_SIZE)
55482 + struct slob_page *sp = slob_page(b);
55484 + if (is_slob_page(sp))
55485 slob_free(b, size);
55488 + clear_slob_page(sp);
55489 + free_slob_page(sp);
55491 slob_free_pages(b, get_order(size));
55495 static void kmem_rcu_free(struct rcu_head *head)
55496 @@ -646,14 +743,23 @@ static void kmem_rcu_free(struct rcu_hea
55498 void kmem_cache_free(struct kmem_cache *c, void *b)
55500 + int size = c->size;
55502 +#ifdef CONFIG_PAX_USERCOPY
55503 + if (size + c->align < PAGE_SIZE) {
55504 + size += c->align;
55509 kmemleak_free_recursive(b, c->flags);
55510 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
55511 struct slob_rcu *slob_rcu;
55512 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
55513 - slob_rcu->size = c->size;
55514 + slob_rcu = b + (size - sizeof(struct slob_rcu));
55515 + slob_rcu->size = size;
55516 call_rcu(&slob_rcu->head, kmem_rcu_free);
55518 - __kmem_cache_free(b, c->size);
55519 + __kmem_cache_free(b, size);
55522 trace_kmem_cache_free(_RET_IP_, b);
55523 diff -urNp linux-2.6.38.1/mm/slub.c linux-2.6.38.1-new/mm/slub.c
55524 --- linux-2.6.38.1/mm/slub.c 2011-03-14 21:20:32.000000000 -0400
55525 +++ linux-2.6.38.1-new/mm/slub.c 2011-03-21 18:31:35.000000000 -0400
55526 @@ -390,7 +390,7 @@ static void print_track(const char *s, s
55530 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
55531 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
55532 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
55535 @@ -1927,6 +1927,8 @@ void kmem_cache_free(struct kmem_cache *
55537 page = virt_to_head_page(x);
55539 + BUG_ON(!PageSlab(page));
55541 slab_free(s, page, x, _RET_IP_);
55543 trace_kmem_cache_free(_RET_IP_, x);
55544 @@ -1960,7 +1962,7 @@ static int slub_min_objects;
55545 * Merge control. If this is set then no merging of slab caches will occur.
55546 * (Could be removed. This was introduced to pacify the merge skeptics.)
55548 -static int slub_nomerge;
55549 +static int slub_nomerge = 1;
55552 * Calculate the order of allocation given an slab object size.
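Review bot: Defaulting slub_nomerge to 1 leaves the existing `slub_nomerge` boot parameter without a counterpart — its __setup handler (outside this hunk) only sets the flag, so there is no longer any way to re-enable cache merging, and the parameter documentation (Documentation/vm/slub.txt and kernel-parameters.txt) should be checked, since it describes merging as the default. The new default also deserves a comment on the definition stating the intent, e.g. `/* never merge caches: objects of different types and lifetimes must not share a slab */`, so that a later maintainer does not "fix" it back to 0. Whether a `slub_merge` opt-in is wanted is a policy question for the patch author.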
55553 @@ -2370,7 +2372,7 @@ static int kmem_cache_open(struct kmem_c
55554 * list to avoid pounding the page allocator excessively.
55556 set_min_partial(s, ilog2(s->size));
55558 + atomic_set(&s->refcount, 1);
55560 s->remote_node_defrag_ratio = 1000;
55562 @@ -2482,8 +2484,7 @@ static inline int kmem_cache_close(struc
55563 void kmem_cache_destroy(struct kmem_cache *s)
55565 down_write(&slub_lock);
55567 - if (!s->refcount) {
55568 + if (atomic_dec_and_test(&s->refcount)) {
55569 list_del(&s->list);
55570 if (kmem_cache_close(s)) {
55571 printk(KERN_ERR "SLUB %s: %s called for cache that "
55572 @@ -2693,6 +2694,46 @@ void *__kmalloc_node(size_t size, gfp_t
55573 EXPORT_SYMBOL(__kmalloc_node);
55576 +void check_object_size(const void *ptr, unsigned long n, bool to)
55579 +#ifdef CONFIG_PAX_USERCOPY
55580 + struct page *page;
55581 + struct kmem_cache *s;
55582 + unsigned long offset;
55587 + if (ZERO_OR_NULL_PTR(ptr))
55590 + if (!virt_addr_valid(ptr))
55593 + page = virt_to_head_page(ptr);
55595 + if (!PageSlab(page)) {
55596 + if (object_is_on_stack(ptr, n) == -1)
55602 + offset = (ptr - page_address(page)) % s->size;
55603 + if (offset <= s->objsize && n <= s->objsize - offset)
55608 + pax_report_leak_to_user(ptr, n);
55610 + pax_report_overflow_from_user(ptr, n);
55614 +EXPORT_SYMBOL(check_object_size);
55616 size_t ksize(const void *object)
55619 @@ -2958,7 +2999,7 @@ static void __init kmem_cache_bootstrap_
55622 list_add(&s->list, &slab_caches);
55623 - s->refcount = -1;
55624 + atomic_set(&s->refcount, -1);
55626 for_each_node_state(node, N_NORMAL_MEMORY) {
55627 struct kmem_cache_node *n = get_node(s, node);
55628 @@ -3153,7 +3194,7 @@ static int slab_unmergeable(struct kmem_
55630 * We may have set a slab to be unmergeable during bootstrap.
55632 - if (s->refcount < 0)
55633 + if (atomic_read(&s->refcount) < 0)
55637 @@ -3212,7 +3253,7 @@ struct kmem_cache *kmem_cache_create(con
55638 down_write(&slub_lock);
55639 s = find_mergeable(size, align, flags, name, ctor);
55642 + atomic_inc(&s->refcount);
55644 * Adjust the object sizes so that we clear
55645 * the complete object on kzalloc.
55646 @@ -3221,7 +3262,7 @@ struct kmem_cache *kmem_cache_create(con
55647 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
55649 if (sysfs_slab_alias(s, name)) {
55651 + atomic_dec(&s->refcount);
55654 up_write(&slub_lock);
55655 @@ -3954,7 +3995,7 @@ SLAB_ATTR_RO(ctor);
55657 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
55659 - return sprintf(buf, "%d\n", s->refcount - 1);
55660 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
55662 SLAB_ATTR_RO(aliases);
55664 @@ -4691,7 +4732,13 @@ static const struct file_operations proc
55666 static int __init slab_proc_init(void)
55668 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
55669 + mode_t gr_mode = S_IRUGO;
55671 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55672 + gr_mode = S_IRUSR;
55675 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
55678 module_init(slab_proc_init);
55679 diff -urNp linux-2.6.38.1/mm/util.c linux-2.6.38.1-new/mm/util.c
55680 --- linux-2.6.38.1/mm/util.c 2011-03-14 21:20:32.000000000 -0400
55681 +++ linux-2.6.38.1-new/mm/util.c 2011-03-21 18:31:35.000000000 -0400
55682 @@ -219,6 +219,12 @@ EXPORT_SYMBOL(strndup_user);
55683 void arch_pick_mmap_layout(struct mm_struct *mm)
55685 mm->mmap_base = TASK_UNMAPPED_BASE;
55687 +#ifdef CONFIG_PAX_RANDMMAP
55688 + if (mm->pax_flags & MF_PAX_RANDMMAP)
55689 + mm->mmap_base += mm->delta_mmap;
55692 mm->get_unmapped_area = arch_get_unmapped_area;
55693 mm->unmap_area = arch_unmap_area;
55695 diff -urNp linux-2.6.38.1/mm/vmalloc.c linux-2.6.38.1-new/mm/vmalloc.c
55696 --- linux-2.6.38.1/mm/vmalloc.c 2011-03-14 21:20:32.000000000 -0400
55697 +++ linux-2.6.38.1-new/mm/vmalloc.c 2011-03-21 18:31:35.000000000 -0400
55698 @@ -39,8 +39,19 @@ static void vunmap_pte_range(pmd_t *pmd,
55700 pte = pte_offset_kernel(pmd, addr);
55702 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55703 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55705 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55706 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
55707 + BUG_ON(!pte_exec(*pte));
55708 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
55714 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
55715 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
55717 } while (pte++, addr += PAGE_SIZE, addr != end);
55720 @@ -91,6 +102,7 @@ static int vmap_pte_range(pmd_t *pmd, un
55721 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
55724 + int ret = -ENOMEM;
55727 * nr is a running index into the array which helps higher level
55728 @@ -100,17 +112,30 @@ static int vmap_pte_range(pmd_t *pmd, un
55729 pte = pte_alloc_kernel(pmd, addr);
55733 + pax_open_kernel();
55735 struct page *page = pages[*nr];
55737 - if (WARN_ON(!pte_none(*pte)))
55739 - if (WARN_ON(!page))
55741 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55742 + if (pgprot_val(prot) & _PAGE_NX)
55745 + if (WARN_ON(!pte_none(*pte))) {
55749 + if (WARN_ON(!page)) {
55753 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
55755 } while (pte++, addr += PAGE_SIZE, addr != end);
55759 + pax_close_kernel();
55763 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
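Review bot: The two WARN_ON error branches now sit inside the pax_open_kernel()/pax_close_kernel() window but their bodies are elided here, so it cannot be confirmed that they reach pax_close_kernel() rather than returning directly; a direct `return -ENOMEM` would leave the kernel mapping writable for the caller. With the `int ret = -ENOMEM;` introduced in the previous hunk the intended shape is `if (WARN_ON(!pte_none(*pte))) goto out;` for both branches, `ret = 0;` after the loop and a single `out: pax_close_kernel(); return ret;`, and the label deserves a one-line comment such as `/* every exit must pass through pax_close_kernel() */`. vmap_pte_range() begins in the preceding hunk.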
55764 @@ -191,11 +216,20 @@ int is_vmalloc_or_module_addr(const void
55765 * and fall back on vmalloc() if that fails. Others
55766 * just put it in the vmalloc space.
55768 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
55769 +#ifdef CONFIG_MODULES
55770 +#ifdef MODULES_VADDR
55771 unsigned long addr = (unsigned long)x;
55772 if (addr >= MODULES_VADDR && addr < MODULES_END)
55776 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
55777 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
55783 return is_vmalloc_addr(x);
55786 @@ -216,8 +250,14 @@ struct page *vmalloc_to_page(const void
55788 if (!pgd_none(*pgd)) {
55789 pud_t *pud = pud_offset(pgd, addr);
55791 + if (!pud_large(*pud))
55793 if (!pud_none(*pud)) {
55794 pmd_t *pmd = pmd_offset(pud, addr);
55796 + if (!pmd_large(*pmd))
55798 if (!pmd_none(*pmd)) {
55801 @@ -1244,6 +1284,16 @@ static struct vm_struct *__get_vm_area_n
55802 struct vm_struct *area;
55804 BUG_ON(in_interrupt());
55806 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55807 + if (flags & VM_KERNEXEC) {
55808 + if (start != VMALLOC_START || end != VMALLOC_END)
55810 + start = (unsigned long)MODULES_EXEC_VADDR;
55811 + end = (unsigned long)MODULES_EXEC_END;
55815 if (flags & VM_IOREMAP) {
55816 int bit = fls(size);
55818 @@ -1462,6 +1512,11 @@ void *vmap(struct page **pages, unsigned
55819 if (count > totalram_pages)
55822 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55823 + if (!(pgprot_val(prot) & _PAGE_NX))
55824 + flags |= VM_KERNEXEC;
55827 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
55828 __builtin_return_address(0));
55830 @@ -1558,6 +1613,13 @@ void *__vmalloc_node_range(unsigned long
55831 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
55834 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
55835 + if (!(pgprot_val(prot) & _PAGE_NX))
55836 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
55837 + node, gfp_mask, caller);
55841 area = __get_vm_area_node(size, align, VM_ALLOC, start, end, node,
55844 @@ -1597,6 +1659,7 @@ static void *__vmalloc_node(unsigned lon
55845 gfp_mask, prot, node, caller);
55849 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
55851 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
55852 @@ -1620,6 +1683,7 @@ static inline void *__vmalloc_node_flags
55853 * For tight control over page level allocator and protection flags
55854 * use __vmalloc() instead.
55857 void *vmalloc(unsigned long size)
55859 return __vmalloc_node_flags(size, -1, GFP_KERNEL | __GFP_HIGHMEM);
55860 @@ -1636,6 +1700,7 @@ EXPORT_SYMBOL(vmalloc);
55861 * For tight control over page level allocator and protection flags
55862 * use __vmalloc() instead.
55865 void *vzalloc(unsigned long size)
55867 return __vmalloc_node_flags(size, -1,
55868 @@ -1650,6 +1715,7 @@ EXPORT_SYMBOL(vzalloc);
55869 * The resulting memory area is zeroed so it can be mapped to userspace
55870 * without leaking data.
55872 +#undef vmalloc_user
55873 void *vmalloc_user(unsigned long size)
55875 struct vm_struct *area;
55876 @@ -1677,6 +1743,7 @@ EXPORT_SYMBOL(vmalloc_user);
55877 * For tight control over page level allocator and protection flags
55878 * use __vmalloc() instead.
55880 +#undef vmalloc_node
55881 void *vmalloc_node(unsigned long size, int node)
55883 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
55884 @@ -1696,6 +1763,7 @@ EXPORT_SYMBOL(vmalloc_node);
55885 * For tight control over page level allocator and protection flags
55886 * use __vmalloc_node() instead.
55888 +#undef vzalloc_node
55889 void *vzalloc_node(unsigned long size, int node)
55891 return __vmalloc_node_flags(size, node,
55892 @@ -1718,10 +1786,10 @@ EXPORT_SYMBOL(vzalloc_node);
55893 * For tight control over page level allocator and protection flags
55894 * use __vmalloc() instead.
55897 +#undef vmalloc_exec
55898 void *vmalloc_exec(unsigned long size)
55900 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
55901 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
55902 -1, __builtin_return_address(0));
55905 @@ -1740,6 +1808,7 @@ void *vmalloc_exec(unsigned long size)
55906 * Allocate enough 32bit PA addressable pages to cover @size from the
55907 * page level allocator and map them into contiguous kernel virtual space.
55910 void *vmalloc_32(unsigned long size)
55912 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
55913 @@ -1754,6 +1823,7 @@ EXPORT_SYMBOL(vmalloc_32);
55914 * The resulting memory area is 32bit addressable and zeroed so it can be
55915 * mapped to userspace without leaking data.
55917 +#undef vmalloc_32_user
55918 void *vmalloc_32_user(unsigned long size)
55920 struct vm_struct *area;
55921 @@ -2018,6 +2088,8 @@ int remap_vmalloc_range(struct vm_area_s
55922 unsigned long uaddr = vma->vm_start;
55923 unsigned long usize = vma->vm_end - vma->vm_start;
55925 + BUG_ON(vma->vm_mirror);
55927 if ((PAGE_SIZE-1) & (unsigned long)addr)
55930 diff -urNp linux-2.6.38.1/mm/vmstat.c linux-2.6.38.1-new/mm/vmstat.c
55931 --- linux-2.6.38.1/mm/vmstat.c 2011-03-14 21:20:32.000000000 -0400
55932 +++ linux-2.6.38.1-new/mm/vmstat.c 2011-03-21 18:31:35.000000000 -0400
55933 @@ -78,7 +78,7 @@ void vm_events_fold_cpu(int cpu)
55935 * vm_stat contains the global counters
55937 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55938 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55939 EXPORT_SYMBOL(vm_stat);
55942 @@ -451,7 +451,7 @@ void refresh_cpu_vm_stats(int cpu)
55943 v = p->vm_stat_diff[i];
55944 p->vm_stat_diff[i] = 0;
55945 local_irq_restore(flags);
55946 - atomic_long_add(v, &zone->vm_stat[i]);
55947 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
55948 global_diff[i] += v;
55950 /* 3 seconds idle till flush */
55951 @@ -489,7 +489,7 @@ void refresh_cpu_vm_stats(int cpu)
55953 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
55954 if (global_diff[i])
55955 - atomic_long_add(global_diff[i], &vm_stat[i]);
55956 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
55960 @@ -1188,10 +1188,20 @@ static int __init setup_vmstat(void)
55961 start_cpu_timer(cpu);
55963 #ifdef CONFIG_PROC_FS
55964 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
55965 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
55966 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
55967 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
55969 + mode_t gr_mode = S_IRUGO;
55970 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55971 + gr_mode = S_IRUSR;
55973 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
55974 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
55975 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
55976 + proc_create("vmstat", gr_mode | S_IRGRP, NULL, &proc_vmstat_file_operations);
55978 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
55980 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
55985 diff -urNp linux-2.6.38.1/net/8021q/vlan.c linux-2.6.38.1-new/net/8021q/vlan.c
55986 --- linux-2.6.38.1/net/8021q/vlan.c 2011-03-14 21:20:32.000000000 -0400
55987 +++ linux-2.6.38.1-new/net/8021q/vlan.c 2011-03-21 18:31:35.000000000 -0400
55988 @@ -589,8 +589,7 @@ static int vlan_ioctl_handler(struct net
55990 if (!capable(CAP_NET_ADMIN))
55992 - if ((args.u.name_type >= 0) &&
55993 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
55994 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
55995 struct vlan_net *vn;
55997 vn = net_generic(net, vlan_net_id);
55998 diff -urNp linux-2.6.38.1/net/atm/atm_misc.c linux-2.6.38.1-new/net/atm/atm_misc.c
55999 --- linux-2.6.38.1/net/atm/atm_misc.c 2011-03-14 21:20:32.000000000 -0400
56000 +++ linux-2.6.38.1-new/net/atm/atm_misc.c 2011-03-21 18:31:35.000000000 -0400
56001 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
56002 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
56004 atm_return(vcc, truesize);
56005 - atomic_inc(&vcc->stats->rx_drop);
56006 + atomic_inc_unchecked(&vcc->stats->rx_drop);
56009 EXPORT_SYMBOL(atm_charge);
56010 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
56013 atm_return(vcc, guess);
56014 - atomic_inc(&vcc->stats->rx_drop);
56015 + atomic_inc_unchecked(&vcc->stats->rx_drop);
56018 EXPORT_SYMBOL(atm_alloc_charge);
56019 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
56021 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
56023 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
56024 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
56026 #undef __HANDLE_ITEM
56028 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
56030 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
56032 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
56033 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
56035 #undef __HANDLE_ITEM
56037 diff -urNp linux-2.6.38.1/net/atm/proc.c linux-2.6.38.1-new/net/atm/proc.c
56038 --- linux-2.6.38.1/net/atm/proc.c 2011-03-14 21:20:32.000000000 -0400
56039 +++ linux-2.6.38.1-new/net/atm/proc.c 2011-03-21 18:31:35.000000000 -0400
56040 @@ -45,9 +45,9 @@ static void add_stats(struct seq_file *s
56041 const struct k_atm_aal_stats *stats)
56043 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
56044 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
56045 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
56046 - atomic_read(&stats->rx_drop));
56047 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
56048 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
56049 + atomic_read_unchecked(&stats->rx_drop));
56052 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
56053 @@ -191,7 +191,12 @@ static void vcc_info(struct seq_file *se
56055 struct sock *sk = sk_atm(vcc);
56057 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56058 + seq_printf(seq, "%p ", NULL);
56060 seq_printf(seq, "%p ", vcc);
56064 seq_printf(seq, "Unassigned ");
56066 @@ -218,7 +223,11 @@ static void svc_info(struct seq_file *se
56069 seq_printf(seq, sizeof(void *) == 4 ?
56070 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56071 + "N/A@%p%10s" : "N/A@%p%2s", NULL, "");
56073 "N/A@%p%10s" : "N/A@%p%2s", vcc, "");
56076 seq_printf(seq, "%3d %3d %5d ",
56077 vcc->dev->number, vcc->vpi, vcc->vci);
56078 diff -urNp linux-2.6.38.1/net/atm/resources.c linux-2.6.38.1-new/net/atm/resources.c
56079 --- linux-2.6.38.1/net/atm/resources.c 2011-03-14 21:20:32.000000000 -0400
56080 +++ linux-2.6.38.1-new/net/atm/resources.c 2011-03-21 18:31:35.000000000 -0400
56081 @@ -160,7 +160,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
56082 static void copy_aal_stats(struct k_atm_aal_stats *from,
56083 struct atm_aal_stats *to)
56085 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
56086 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
56088 #undef __HANDLE_ITEM
56090 @@ -168,7 +168,7 @@ static void copy_aal_stats(struct k_atm_
56091 static void subtract_aal_stats(struct k_atm_aal_stats *from,
56092 struct atm_aal_stats *to)
56094 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
56095 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
56097 #undef __HANDLE_ITEM
56099 diff -urNp linux-2.6.38.1/net/bluetooth/bnep/sock.c linux-2.6.38.1-new/net/bluetooth/bnep/sock.c
56100 --- linux-2.6.38.1/net/bluetooth/bnep/sock.c 2011-03-14 21:20:32.000000000 -0400
56101 +++ linux-2.6.38.1-new/net/bluetooth/bnep/sock.c 2011-03-21 18:31:35.000000000 -0400
56102 @@ -88,6 +88,7 @@ static int bnep_sock_ioctl(struct socket
56106 + ca.device[sizeof(ca.device)-1] = 0;
56108 err = bnep_add_connection(&ca, nsock);
56110 diff -urNp linux-2.6.38.1/net/bluetooth/sco.c linux-2.6.38.1-new/net/bluetooth/sco.c
56111 --- linux-2.6.38.1/net/bluetooth/sco.c 2011-03-14 21:20:32.000000000 -0400
56112 +++ linux-2.6.38.1-new/net/bluetooth/sco.c 2011-03-21 18:31:35.000000000 -0400
56113 @@ -703,6 +703,7 @@ static int sco_sock_getsockopt_old(struc
56117 + memset(&cinfo, 0, sizeof(cinfo));
56118 cinfo.hci_handle = sco_pi(sk)->conn->hcon->handle;
56119 memcpy(cinfo.dev_class, sco_pi(sk)->conn->hcon->dev_class, 3);
56121 diff -urNp linux-2.6.38.1/net/bridge/br_multicast.c linux-2.6.38.1-new/net/bridge/br_multicast.c
56122 --- linux-2.6.38.1/net/bridge/br_multicast.c 2011-03-14 21:20:32.000000000 -0400
56123 +++ linux-2.6.38.1-new/net/bridge/br_multicast.c 2011-03-21 18:31:35.000000000 -0400
56124 @@ -1482,7 +1482,7 @@ static int br_multicast_ipv6_rcv(struct
56125 nexthdr = ip6h->nexthdr;
56126 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
56128 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
56129 + if (nexthdr != IPPROTO_ICMPV6)
56132 /* Okay, we found ICMPv6 header */
56133 diff -urNp linux-2.6.38.1/net/bridge/netfilter/ebtables.c linux-2.6.38.1-new/net/bridge/netfilter/ebtables.c
56134 --- linux-2.6.38.1/net/bridge/netfilter/ebtables.c 2011-03-14 21:20:32.000000000 -0400
56135 +++ linux-2.6.38.1-new/net/bridge/netfilter/ebtables.c 2011-03-21 18:31:35.000000000 -0400
56136 @@ -1107,6 +1107,8 @@ static int do_replace(struct net *net, c
56137 if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
56140 + tmp.name[sizeof(tmp.name)-1] = 0;
56142 countersize = COUNTER_OFFSET(tmp.nentries) * nr_cpu_ids;
56143 newinfo = vmalloc(sizeof(*newinfo) + countersize);
56145 @@ -1510,7 +1512,7 @@ static int do_ebt_get_ctl(struct sock *s
56146 tmp.valid_hooks = t->table->valid_hooks;
56148 mutex_unlock(&ebt_mutex);
56149 - if (copy_to_user(user, &tmp, *len) != 0){
56150 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
56151 BUGPRINT("c2u Didn't work\n");
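Review bot: The new `*len > sizeof(tmp)` test shares the `copy_to_user` failure path, so an oversized length now prints `c2u Didn't work` and presumably (the return is outside the hunk) yields the same error as a faulting user pointer, although the request is simply invalid. A separate `if (*len > sizeof(tmp)) { mutex_unlock(&ebt_mutex); return -EINVAL; }` ahead of the copy keeps the diagnostic truthful and distinguishes a bad request from a bad pointer. The same length-check-folded-into-copy shape is used in the `sock_getsockopt` hunks of net/core/sock.c, both decnet sysctl handlers, `tcpprobe_read` and `rate_control_pid_events_read`; the bound itself is right in all of them, only the error reporting is conflated.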
56154 diff -urNp linux-2.6.38.1/net/can/bcm.c linux-2.6.38.1-new/net/can/bcm.c
56155 --- linux-2.6.38.1/net/can/bcm.c 2011-03-14 21:20:32.000000000 -0400
56156 +++ linux-2.6.38.1-new/net/can/bcm.c 2011-03-21 18:31:35.000000000 -0400
56157 @@ -165,9 +165,15 @@ static int bcm_proc_show(struct seq_file
56158 struct bcm_sock *bo = bcm_sk(sk);
56161 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56162 + seq_printf(m, ">>> socket %p", NULL);
56163 + seq_printf(m, " / sk %p", NULL);
56164 + seq_printf(m, " / bo %p", NULL);
56166 seq_printf(m, ">>> socket %p", sk->sk_socket);
56167 seq_printf(m, " / sk %p", sk);
56168 seq_printf(m, " / bo %p", bo);
56170 seq_printf(m, " / dropped %lu", bo->dropped_usr_msgs);
56171 seq_printf(m, " / bound %s", bcm_proc_getifname(ifname, bo->ifindex));
56172 seq_printf(m, " <<<\n");
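Review bot: Passing `NULL` to `%p` changes the field text rather than just masking the value: the kernel's vsprintf renders a null `%p` as `(null)`, so under CONFIG_GRKERNSEC_HIDESYM the `socket`, `sk` and `bo` columns of this proc line switch from a fixed-width hex address to a literal string, which any consumer parsing the line as hex will reject. If the goal is to hide addresses while keeping the format stable, print a constant through an explicit hex conversion instead of `%p`, and say so in a one-line comment above the `#ifdef` so the two branches are kept in the same shape.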
56173 diff -urNp linux-2.6.38.1/net/core/dev.c linux-2.6.38.1-new/net/core/dev.c
56174 --- linux-2.6.38.1/net/core/dev.c 2011-03-14 21:20:32.000000000 -0400
56175 +++ linux-2.6.38.1-new/net/core/dev.c 2011-03-21 18:31:35.000000000 -0400
56176 @@ -1124,7 +1124,7 @@ void dev_load(struct net *net, const cha
56177 if (no_module && capable(CAP_NET_ADMIN))
56178 no_module = request_module("netdev-%s", name);
56179 if (no_module && capable(CAP_SYS_MODULE)) {
56180 - if (!request_module("%s", name))
56181 + if (!request_module("%s", name))
56182 pr_err("Loading kernel module for a network device "
56183 "with CAP_SYS_MODULE (deprecated). Use CAP_NET_ADMIN and alias netdev-%s "
56184 "instead\n", name);
56185 @@ -2787,7 +2787,7 @@ int netif_rx_ni(struct sk_buff *skb)
56187 EXPORT_SYMBOL(netif_rx_ni);
56189 -static void net_tx_action(struct softirq_action *h)
56190 +static void net_tx_action(void)
56192 struct softnet_data *sd = &__get_cpu_var(softnet_data);
56194 @@ -3697,7 +3697,7 @@ void netif_napi_del(struct napi_struct *
56196 EXPORT_SYMBOL(netif_napi_del);
56198 -static void net_rx_action(struct softirq_action *h)
56199 +static void net_rx_action(void)
56201 struct softnet_data *sd = &__get_cpu_var(softnet_data);
56202 unsigned long time_limit = jiffies + 2;
56203 diff -urNp linux-2.6.38.1/net/core/sock.c linux-2.6.38.1-new/net/core/sock.c
56204 --- linux-2.6.38.1/net/core/sock.c 2011-03-14 21:20:32.000000000 -0400
56205 +++ linux-2.6.38.1-new/net/core/sock.c 2011-03-21 18:31:35.000000000 -0400
56206 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
56210 - if (copy_to_user(optval, address, len))
56211 + if (len > sizeof(address) || copy_to_user(optval, address, len))
56215 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
56219 - if (copy_to_user(optval, &v, len))
56220 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
56223 if (put_user(len, optlen))
56224 diff -urNp linux-2.6.38.1/net/dccp/ccids/ccid3.c linux-2.6.38.1-new/net/dccp/ccids/ccid3.c
56225 --- linux-2.6.38.1/net/dccp/ccids/ccid3.c 2011-03-14 21:20:32.000000000 -0400
56226 +++ linux-2.6.38.1-new/net/dccp/ccids/ccid3.c 2011-03-21 18:31:35.000000000 -0400
56228 static int ccid3_debug;
56229 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
56231 -#define ccid3_pr_debug(format, a...)
56232 +#define ccid3_pr_debug(format, a...) do {} while (0)
56236 diff -urNp linux-2.6.38.1/net/dccp/dccp.h linux-2.6.38.1-new/net/dccp/dccp.h
56237 --- linux-2.6.38.1/net/dccp/dccp.h 2011-03-14 21:20:32.000000000 -0400
56238 +++ linux-2.6.38.1-new/net/dccp/dccp.h 2011-03-21 18:31:35.000000000 -0400
56239 @@ -44,9 +44,9 @@ extern int dccp_debug;
56240 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
56241 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
56243 -#define dccp_pr_debug(format, a...)
56244 -#define dccp_pr_debug_cat(format, a...)
56245 -#define dccp_debug(format, a...)
56246 +#define dccp_pr_debug(format, a...) do {} while (0)
56247 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
56248 +#define dccp_debug(format, a...) do {} while (0)
56251 extern struct inet_hashinfo dccp_hashinfo;
56252 diff -urNp linux-2.6.38.1/net/decnet/sysctl_net_decnet.c linux-2.6.38.1-new/net/decnet/sysctl_net_decnet.c
56253 --- linux-2.6.38.1/net/decnet/sysctl_net_decnet.c 2011-03-14 21:20:32.000000000 -0400
56254 +++ linux-2.6.38.1-new/net/decnet/sysctl_net_decnet.c 2011-03-21 18:31:35.000000000 -0400
56255 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
56257 if (len > *lenp) len = *lenp;
56259 - if (copy_to_user(buffer, addr, len))
56260 + if (len > sizeof addr || copy_to_user(buffer, addr, len))
56264 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
56266 if (len > *lenp) len = *lenp;
56268 - if (copy_to_user(buffer, devname, len))
56269 + if (len > sizeof devname || copy_to_user(buffer, devname, len))
56273 diff -urNp linux-2.6.38.1/net/econet/Kconfig linux-2.6.38.1-new/net/econet/Kconfig
56274 --- linux-2.6.38.1/net/econet/Kconfig 2011-03-14 21:20:32.000000000 -0400
56275 +++ linux-2.6.38.1-new/net/econet/Kconfig 2011-03-21 18:31:35.000000000 -0400
56279 tristate "Acorn Econet/AUN protocols (EXPERIMENTAL)"
56280 - depends on EXPERIMENTAL && INET
56281 + depends on EXPERIMENTAL && INET && BROKEN
56283 Econet is a fairly old and slow networking protocol mainly used by
56284 Acorn computers to access file and print servers. It uses native
56285 diff -urNp linux-2.6.38.1/net/ipv4/inet_diag.c linux-2.6.38.1-new/net/ipv4/inet_diag.c
56286 --- linux-2.6.38.1/net/ipv4/inet_diag.c 2011-03-14 21:20:32.000000000 -0400
56287 +++ linux-2.6.38.1-new/net/ipv4/inet_diag.c 2011-03-21 18:31:35.000000000 -0400
56288 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
56289 r->idiag_retrans = 0;
56291 r->id.idiag_if = sk->sk_bound_dev_if;
56293 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56294 + r->id.idiag_cookie[0] = 0;
56295 + r->id.idiag_cookie[1] = 0;
56297 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
56298 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
56301 r->id.idiag_sport = inet->inet_sport;
56302 r->id.idiag_dport = inet->inet_dport;
56303 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
56304 r->idiag_family = tw->tw_family;
56305 r->idiag_retrans = 0;
56306 r->id.idiag_if = tw->tw_bound_dev_if;
56308 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56309 + r->id.idiag_cookie[0] = 0;
56310 + r->id.idiag_cookie[1] = 0;
56312 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
56313 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
56316 r->id.idiag_sport = tw->tw_sport;
56317 r->id.idiag_dport = tw->tw_dport;
56318 r->id.idiag_src[0] = tw->tw_rcv_saddr;
56319 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
56323 +#ifndef CONFIG_GRKERNSEC_HIDESYM
56325 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
56326 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
56327 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
56328 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
56333 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
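Review bot: Compiling the cookie comparison out under CONFIG_GRKERNSEC_HIDESYM removes the only check that the socket found by the address/port lookup is the one the requester meant, so a request carrying a stale or arbitrary cookie is now answered with whatever socket currently matches. Since the fill paths earlier in this file hand out a zero cookie under the same option, the tighter change is to keep a check that does not involve `sk` at all: reject a cookie that is neither `INET_DIAG_NOCOOKIE` nor the zero value now issued, which also avoids turning the comparison into a pointer-guessing oracle. A comment on the `#ifndef` stating that cookies are non-identifying under this option would help the next reader; the function continues past the hunk.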
56334 @@ -582,8 +597,14 @@ static int inet_diag_fill_req(struct sk_
56335 r->idiag_retrans = req->retrans;
56337 r->id.idiag_if = sk->sk_bound_dev_if;
56339 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56340 + r->id.idiag_cookie[0] = 0;
56341 + r->id.idiag_cookie[1] = 0;
56343 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
56344 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
56347 tmo = req->expires - jiffies;
56349 diff -urNp linux-2.6.38.1/net/ipv4/inet_hashtables.c linux-2.6.38.1-new/net/ipv4/inet_hashtables.c
56350 --- linux-2.6.38.1/net/ipv4/inet_hashtables.c 2011-03-14 21:20:32.000000000 -0400
56351 +++ linux-2.6.38.1-new/net/ipv4/inet_hashtables.c 2011-03-21 18:31:35.000000000 -0400
56352 @@ -18,11 +18,14 @@
56353 #include <linux/sched.h>
56354 #include <linux/slab.h>
56355 #include <linux/wait.h>
56356 +#include <linux/security.h>
56358 #include <net/inet_connection_sock.h>
56359 #include <net/inet_hashtables.h>
56360 #include <net/route.h>
56361 #include <net/ip.h>
56363 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
56366 * Allocate and initialize a new local port bind bucket.
56367 * The bindhash mutex for snum's hash chain must be held here.
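Review bot: The prototype `extern void gr_update_task_in_ip_table(...)` is declared in the .c file rather than in a shared header, so the compiler cannot check it against the definition or against other callers; a signature mismatch would compile silently. The same pattern appears in net/ipv4/udp.c (`gr_search_udp_recvmsg`, `gr_search_udp_sendmsg`) and for `grsec_enable_blackhole` / `grsec_lastack_retries` in net/ipv4/tcp_ipv4.c, tcp_minisocks.c, tcp_timer.c, udp.c and net/ipv6/tcp_ipv6.c, udp.c. Moving these declarations into whichever header the grsecurity code already exports (the `<linux/security.h>` include added in this hunk suggests one candidate) and including it instead of repeating `extern` lines keeps every call site in agreement.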
56368 @@ -529,6 +532,8 @@ ok:
56369 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
56370 spin_unlock(&head->lock);
56372 + gr_update_task_in_ip_table(current, inet_sk(sk));
56375 inet_twsk_deschedule(tw, death_row);
56377 diff -urNp linux-2.6.38.1/net/ipv4/inetpeer.c linux-2.6.38.1-new/net/ipv4/inetpeer.c
56378 --- linux-2.6.38.1/net/ipv4/inetpeer.c 2011-03-14 21:20:32.000000000 -0400
56379 +++ linux-2.6.38.1-new/net/ipv4/inetpeer.c 2011-03-21 18:31:35.000000000 -0400
56380 @@ -509,8 +509,8 @@ struct inet_peer *inet_getpeer(struct in
56383 atomic_set(&p->refcnt, 1);
56384 - atomic_set(&p->rid, 0);
56385 - atomic_set(&p->ip_id_count, secure_ip_id(daddr->a4));
56386 + atomic_set_unchecked(&p->rid, 0);
56387 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr->a4));
56388 p->tcp_ts_stamp = 0;
56389 INIT_LIST_HEAD(&p->unused);
56391 diff -urNp linux-2.6.38.1/net/ipv4/ip_fragment.c linux-2.6.38.1-new/net/ipv4/ip_fragment.c
56392 --- linux-2.6.38.1/net/ipv4/ip_fragment.c 2011-03-14 21:20:32.000000000 -0400
56393 +++ linux-2.6.38.1-new/net/ipv4/ip_fragment.c 2011-03-21 18:31:35.000000000 -0400
56394 @@ -298,7 +298,7 @@ static inline int ip_frag_too_far(struct
56398 - end = atomic_inc_return(&peer->rid);
56399 + end = atomic_inc_return_unchecked(&peer->rid);
56402 rc = qp->q.fragments && (end - start) > max;
56403 diff -urNp linux-2.6.38.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.38.1-new/net/ipv4/netfilter/nf_nat_snmp_basic.c
56404 --- linux-2.6.38.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-14 21:20:32.000000000 -0400
56405 +++ linux-2.6.38.1-new/net/ipv4/netfilter/nf_nat_snmp_basic.c 2011-03-21 18:31:35.000000000 -0400
56406 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
56410 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
56411 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
56412 if (*octets == NULL) {
56413 if (net_ratelimit())
56414 pr_notice("OOM in bsalg (%d)\n", __LINE__);
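Review bot: Wrapping `eoc - ctx->pointer` in parentheses is a no-op: the expression is already the sole size argument of `kmalloc()`, so the generated code is identical before and after. If the intent is to guard the allocation size against `eoc` lying before `ctx->pointer`, that needs an explicit test ahead of the call that returns the same failure value as the OOM path below; otherwise the hunk can be dropped. The function continues outside the hunk.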
56415 diff -urNp linux-2.6.38.1/net/ipv4/route.c linux-2.6.38.1-new/net/ipv4/route.c
56416 --- linux-2.6.38.1/net/ipv4/route.c 2011-03-14 21:20:32.000000000 -0400
56417 +++ linux-2.6.38.1-new/net/ipv4/route.c 2011-03-21 18:31:35.000000000 -0400
56418 @@ -2857,7 +2857,7 @@ static int rt_fill_info(struct net *net,
56419 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
56421 inet_peer_refcheck(rt->peer);
56422 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
56423 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
56424 if (rt->peer->tcp_ts_stamp) {
56425 ts = rt->peer->tcp_ts;
56426 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
56427 diff -urNp linux-2.6.38.1/net/ipv4/tcp_ipv4.c linux-2.6.38.1-new/net/ipv4/tcp_ipv4.c
56428 --- linux-2.6.38.1/net/ipv4/tcp_ipv4.c 2011-03-14 21:20:32.000000000 -0400
56429 +++ linux-2.6.38.1-new/net/ipv4/tcp_ipv4.c 2011-03-21 18:31:35.000000000 -0400
56430 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
56431 int sysctl_tcp_low_latency __read_mostly;
56432 EXPORT_SYMBOL(sysctl_tcp_low_latency);
56434 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56435 +extern int grsec_enable_blackhole;
56438 #ifdef CONFIG_TCP_MD5SIG
56439 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
56440 @@ -1593,6 +1596,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
56444 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56445 + if (!grsec_enable_blackhole)
56447 tcp_v4_send_reset(rsk, skb);
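Review bot: The `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` block encloses only the `if (!grsec_enable_blackhole)` line while its body, the unchanged `tcp_v4_send_reset(rsk, skb);`, sits outside conditional compilation; this reads correctly today but is brittle, because anyone adding a second statement after the reset, or bracing the call in one configuration only, changes control flow silently. The same shape is used in tcp_minisocks.c, net/ipv4/udp.c (`icmp_send`), net/ipv6/tcp_ipv6.c and net/ipv6/udp.c. A small helper in the shared header, `static inline int grsec_blackhole(void)` returning `grsec_enable_blackhole` when the option is built in and `0` otherwise, lets each call site read `if (!grsec_blackhole()) tcp_v4_send_reset(rsk, skb);` with no preprocessor conditionals around statements.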
56450 @@ -1655,12 +1661,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
56451 TCP_SKB_CB(skb)->sacked = 0;
56453 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56456 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56459 goto no_tcp_socket;
56463 - if (sk->sk_state == TCP_TIME_WAIT)
56464 + if (sk->sk_state == TCP_TIME_WAIT) {
56465 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56471 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
56472 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56473 @@ -1710,6 +1723,10 @@ no_tcp_socket:
56475 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56477 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56478 + if (!grsec_enable_blackhole || (ret == 1 &&
56479 + (skb->dev->flags & IFF_LOOPBACK)))
56481 tcp_v4_send_reset(NULL, skb);
56484 @@ -2373,7 +2390,11 @@ static void get_openreq4(struct sock *sk
56485 0, /* non standard timer */
56486 0, /* open_requests have no inode */
56487 atomic_read(&sk->sk_refcnt),
56488 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56496 @@ -2423,7 +2444,12 @@ static void get_tcp4_sock(struct sock *s
56498 icsk->icsk_probes_out,
56500 - atomic_read(&sk->sk_refcnt), sk,
56501 + atomic_read(&sk->sk_refcnt),
56502 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56507 jiffies_to_clock_t(icsk->icsk_rto),
56508 jiffies_to_clock_t(icsk->icsk_ack.ato),
56509 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
56510 @@ -2451,7 +2477,13 @@ static void get_timewait4_sock(struct in
56511 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
56512 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
56513 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56514 - atomic_read(&tw->tw_refcnt), tw, len);
56515 + atomic_read(&tw->tw_refcnt),
56516 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56525 diff -urNp linux-2.6.38.1/net/ipv4/tcp_minisocks.c linux-2.6.38.1-new/net/ipv4/tcp_minisocks.c
56526 --- linux-2.6.38.1/net/ipv4/tcp_minisocks.c 2011-03-14 21:20:32.000000000 -0400
56527 +++ linux-2.6.38.1-new/net/ipv4/tcp_minisocks.c 2011-03-21 18:31:35.000000000 -0400
56529 #include <net/inet_common.h>
56530 #include <net/xfrm.h>
56532 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56533 +extern int grsec_enable_blackhole;
56536 int sysctl_tcp_syncookies __read_mostly = 1;
56537 EXPORT_SYMBOL(sysctl_tcp_syncookies);
56539 @@ -745,6 +749,10 @@ listen_overflow:
56542 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
56544 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56545 + if (!grsec_enable_blackhole)
56547 if (!(flg & TCP_FLAG_RST))
56548 req->rsk_ops->send_reset(sk, skb);
56550 diff -urNp linux-2.6.38.1/net/ipv4/tcp_probe.c linux-2.6.38.1-new/net/ipv4/tcp_probe.c
56551 --- linux-2.6.38.1/net/ipv4/tcp_probe.c 2011-03-14 21:20:32.000000000 -0400
56552 +++ linux-2.6.38.1-new/net/ipv4/tcp_probe.c 2011-03-21 18:31:35.000000000 -0400
56553 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
56554 if (cnt + width >= len)
56557 - if (copy_to_user(buf + cnt, tbuf, width))
56558 + if (width > sizeof tbuf || copy_to_user(buf + cnt, tbuf, width))
56562 diff -urNp linux-2.6.38.1/net/ipv4/tcp_timer.c linux-2.6.38.1-new/net/ipv4/tcp_timer.c
56563 --- linux-2.6.38.1/net/ipv4/tcp_timer.c 2011-03-14 21:20:32.000000000 -0400
56564 +++ linux-2.6.38.1-new/net/ipv4/tcp_timer.c 2011-03-21 18:31:35.000000000 -0400
56566 #include <linux/gfp.h>
56567 #include <net/tcp.h>
56569 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56570 +extern int grsec_lastack_retries;
56573 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
56574 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
56575 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
56576 @@ -199,6 +203,13 @@ static int tcp_write_timeout(struct sock
56580 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56581 + if ((sk->sk_state == TCP_LAST_ACK) &&
56582 + (grsec_lastack_retries > 0) &&
56583 + (grsec_lastack_retries < retry_until))
56584 + retry_until = grsec_lastack_retries;
56587 if (retransmits_timed_out(sk, retry_until,
56588 syn_set ? 0 : icsk->icsk_user_timeout, syn_set)) {
56589 /* Has it gone just too far? */
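Review bot: `grsec_lastack_retries` is read twice in the new condition and once more in the assignment, and since it is a writable global (declared `extern` earlier in this file, presumably tunable at runtime), a concurrent update can make the comparison and the assignment see different values, so `retry_until` can end up above the limit that was just tested. Reading it once into a local, `int lastack = ACCESS_ONCE(grsec_lastack_retries);`, followed by `if (sk->sk_state == TCP_LAST_ACK && lastack > 0 && lastack < retry_until) retry_until = lastack;`, makes the decision consistent. The rest of `tcp_write_timeout()` is outside the hunk.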
56590 diff -urNp linux-2.6.38.1/net/ipv4/udp.c linux-2.6.38.1-new/net/ipv4/udp.c
56591 --- linux-2.6.38.1/net/ipv4/udp.c 2011-03-14 21:20:32.000000000 -0400
56592 +++ linux-2.6.38.1-new/net/ipv4/udp.c 2011-03-21 18:31:35.000000000 -0400
56594 #include <linux/types.h>
56595 #include <linux/fcntl.h>
56596 #include <linux/module.h>
56597 +#include <linux/security.h>
56598 #include <linux/socket.h>
56599 #include <linux/sockios.h>
56600 #include <linux/igmp.h>
56601 @@ -107,6 +108,10 @@
56602 #include <net/xfrm.h>
56603 #include "udp_impl.h"
56605 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56606 +extern int grsec_enable_blackhole;
56609 struct udp_table udp_table __read_mostly;
56610 EXPORT_SYMBOL(udp_table);
56612 @@ -564,6 +569,9 @@ found:
56616 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
56617 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
56620 * This routine is called by the ICMP module when it gets some
56621 * sort of error condition. If err < 0 then the socket should
56622 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
56623 dport = usin->sin_port;
56627 + err = gr_search_udp_sendmsg(sk, usin);
56631 if (sk->sk_state != TCP_ESTABLISHED)
56632 return -EDESTADDRREQ;
56634 + err = gr_search_udp_sendmsg(sk, NULL);
56638 daddr = inet->inet_daddr;
56639 dport = inet->inet_dport;
56640 /* Open fast path for connected socket.
56641 @@ -1139,6 +1156,10 @@ try_again:
56645 + err = gr_search_udp_recvmsg(sk, skb);
56649 ulen = skb->len - sizeof(struct udphdr);
56652 @@ -1623,6 +1644,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
56655 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
56656 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56657 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56659 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
56662 @@ -2050,7 +2074,12 @@ static void udp4_format_sock(struct sock
56663 sk_wmem_alloc_get(sp),
56664 sk_rmem_alloc_get(sp),
56665 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
56666 - atomic_read(&sp->sk_refcnt), sp,
56667 + atomic_read(&sp->sk_refcnt),
56668 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56673 atomic_read(&sp->sk_drops), len);
56676 diff -urNp linux-2.6.38.1/net/ipv6/exthdrs.c linux-2.6.38.1-new/net/ipv6/exthdrs.c
56677 --- linux-2.6.38.1/net/ipv6/exthdrs.c 2011-03-14 21:20:32.000000000 -0400
56678 +++ linux-2.6.38.1-new/net/ipv6/exthdrs.c 2011-03-21 18:31:35.000000000 -0400
56679 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
56680 .type = IPV6_TLV_JUMBO,
56681 .func = ipv6_hop_jumbo,
56687 int ipv6_parse_hopopts(struct sk_buff *skb)
56688 diff -urNp linux-2.6.38.1/net/ipv6/raw.c linux-2.6.38.1-new/net/ipv6/raw.c
56689 --- linux-2.6.38.1/net/ipv6/raw.c 2011-03-14 21:20:32.000000000 -0400
56690 +++ linux-2.6.38.1-new/net/ipv6/raw.c 2011-03-21 18:31:35.000000000 -0400
56691 @@ -602,7 +602,7 @@ out:
56695 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
56696 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
56697 struct flowi *fl, struct dst_entry **dstp,
56698 unsigned int flags)
56700 @@ -1262,7 +1262,13 @@ static void raw6_sock_seq_show(struct se
56704 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
56705 + atomic_read(&sp->sk_refcnt),
56706 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56711 + atomic_read(&sp->sk_drops));
56714 static int raw6_seq_show(struct seq_file *seq, void *v)
56715 diff -urNp linux-2.6.38.1/net/ipv6/tcp_ipv6.c linux-2.6.38.1-new/net/ipv6/tcp_ipv6.c
56716 --- linux-2.6.38.1/net/ipv6/tcp_ipv6.c 2011-03-14 21:20:32.000000000 -0400
56717 +++ linux-2.6.38.1-new/net/ipv6/tcp_ipv6.c 2011-03-21 18:31:35.000000000 -0400
56718 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
56722 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56723 +extern int grsec_enable_blackhole;
56726 static void tcp_v6_hash(struct sock *sk)
56728 if (sk->sk_state != TCP_CLOSE) {
56729 @@ -1676,6 +1680,9 @@ static int tcp_v6_do_rcv(struct sock *sk
56733 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56734 + if (!grsec_enable_blackhole)
56736 tcp_v6_send_reset(sk, skb);
56739 @@ -1755,12 +1762,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
56740 TCP_SKB_CB(skb)->sacked = 0;
56742 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
56745 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56748 goto no_tcp_socket;
56752 - if (sk->sk_state == TCP_TIME_WAIT)
56753 + if (sk->sk_state == TCP_TIME_WAIT) {
56754 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56760 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
56761 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
56762 @@ -1808,6 +1823,10 @@ no_tcp_socket:
56764 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
56766 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56767 + if (!grsec_enable_blackhole || (ret == 1 &&
56768 + (skb->dev->flags & IFF_LOOPBACK)))
56770 tcp_v6_send_reset(NULL, skb);
56773 @@ -2068,7 +2087,13 @@ static void get_openreq6(struct seq_file
56775 0, /* non standard timer */
56776 0, /* open_requests have no inode */
56779 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56787 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
56788 @@ -2118,7 +2143,12 @@ static void get_tcp6_sock(struct seq_fil
56790 icsk->icsk_probes_out,
56792 - atomic_read(&sp->sk_refcnt), sp,
56793 + atomic_read(&sp->sk_refcnt),
56794 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56799 jiffies_to_clock_t(icsk->icsk_rto),
56800 jiffies_to_clock_t(icsk->icsk_ack.ato),
56801 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
56802 @@ -2153,7 +2183,13 @@ static void get_timewait6_sock(struct se
56803 dest->s6_addr32[2], dest->s6_addr32[3], destp,
56804 tw->tw_substate, 0, 0,
56805 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
56806 - atomic_read(&tw->tw_refcnt), tw);
56807 + atomic_read(&tw->tw_refcnt),
56808 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56816 static int tcp6_seq_show(struct seq_file *seq, void *v)
56817 diff -urNp linux-2.6.38.1/net/ipv6/udp.c linux-2.6.38.1-new/net/ipv6/udp.c
56818 --- linux-2.6.38.1/net/ipv6/udp.c 2011-03-14 21:20:32.000000000 -0400
56819 +++ linux-2.6.38.1-new/net/ipv6/udp.c 2011-03-21 18:31:35.000000000 -0400
56821 #include <linux/seq_file.h>
56822 #include "udp_impl.h"
56824 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56825 +extern int grsec_enable_blackhole;
56828 int ipv6_rcv_saddr_equal(const struct sock *sk1, const struct sock *sk2)
56830 const struct in6_addr *sk1_rcv_saddr6 = &inet6_sk(sk1)->rcv_saddr;
56831 @@ -773,6 +777,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
56832 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
56833 proto == IPPROTO_UDPLITE);
56835 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56836 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56838 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
56841 @@ -1407,7 +1414,12 @@ static void udp6_sock_seq_show(struct se
56845 - atomic_read(&sp->sk_refcnt), sp,
56846 + atomic_read(&sp->sk_refcnt),
56847 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56852 atomic_read(&sp->sk_drops));
56855 diff -urNp linux-2.6.38.1/net/irda/ircomm/ircomm_tty.c linux-2.6.38.1-new/net/irda/ircomm/ircomm_tty.c
56856 --- linux-2.6.38.1/net/irda/ircomm/ircomm_tty.c 2011-03-14 21:20:32.000000000 -0400
56857 +++ linux-2.6.38.1-new/net/irda/ircomm/ircomm_tty.c 2011-03-21 18:31:35.000000000 -0400
56858 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
56859 add_wait_queue(&self->open_wait, &wait);
56861 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
56862 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56863 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
56865 /* As far as I can see, we protect open_count - Jean II */
56866 spin_lock_irqsave(&self->spinlock, flags);
56867 if (!tty_hung_up_p(filp)) {
56869 - self->open_count--;
56870 + local_dec(&self->open_count);
56872 spin_unlock_irqrestore(&self->spinlock, flags);
56873 - self->blocked_open++;
56874 + local_inc(&self->blocked_open);
56877 if (tty->termios->c_cflag & CBAUD) {
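Review bot: `local_read()` returns `long`, but the `IRDA_DEBUG` format above still uses `open_count=%d`, so the converted argument no longer matches its conversion specifier; that is undefined behaviour and a `-Wformat` warning even where the calling convention happens to make it work. The same mismatch is in this file's later hunks: the other `block_til_ready` debug lines, `ircomm_tty_open` (`count = %d`), the `IRDA_DEBUG`/`IRDA_ERROR` messages in `ircomm_tty_close`, and `ircomm_tty_line_info` (`Open count: %d`). Either cast at each site, `(int)local_read(&self->open_count)`, or change the specifiers to `%ld`. Separately, `local_t` is documented as a per-CPU type whose operations are only atomic against the same CPU, so the existing spinlock is still what makes these counters safe; a one-line comment at the struct field saying so would stop a later reader from dropping the lock.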
56878 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
56881 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
56882 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56883 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count) );
56887 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
56889 /* ++ is not atomic, so this should be protected - Jean II */
56890 spin_lock_irqsave(&self->spinlock, flags);
56891 - self->open_count++;
56892 + local_inc(&self->open_count);
56893 spin_unlock_irqrestore(&self->spinlock, flags);
56895 - self->blocked_open--;
56896 + local_dec(&self->blocked_open);
56898 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
56899 - __FILE__,__LINE__, tty->driver->name, self->open_count);
56900 + __FILE__,__LINE__, tty->driver->name, local_read(&self->open_count));
56903 self->flags |= ASYNC_NORMAL_ACTIVE;
56904 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
56906 /* ++ is not atomic, so this should be protected - Jean II */
56907 spin_lock_irqsave(&self->spinlock, flags);
56908 - self->open_count++;
56909 + local_inc(&self->open_count);
56911 tty->driver_data = self;
56913 spin_unlock_irqrestore(&self->spinlock, flags);
56915 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
56916 - self->line, self->open_count);
56917 + self->line, local_read(&self->open_count));
56919 /* Not really used by us, but lets do it anyway */
56920 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
56921 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
56925 - if ((tty->count == 1) && (self->open_count != 1)) {
56926 + if ((tty->count == 1) && (local_read(&self->open_count) != 1)) {
56928 * Uh, oh. tty->count is 1, which means that the tty
56929 * structure will be freed. state->count should always
56930 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
56932 IRDA_DEBUG(0, "%s(), bad serial port count; "
56933 "tty->count is 1, state->count is %d\n", __func__ ,
56934 - self->open_count);
56935 - self->open_count = 1;
56936 + local_read(&self->open_count));
56937 + local_set(&self->open_count, 1);
56940 - if (--self->open_count < 0) {
56941 + if (local_dec_return(&self->open_count) < 0) {
56942 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
56943 - __func__, self->line, self->open_count);
56944 - self->open_count = 0;
56945 + __func__, self->line, local_read(&self->open_count));
56946 + local_set(&self->open_count, 0);
56948 - if (self->open_count) {
56949 + if (local_read(&self->open_count)) {
56950 spin_unlock_irqrestore(&self->spinlock, flags);
56952 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
56953 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
56957 - if (self->blocked_open) {
56958 + if (local_read(&self->blocked_open)) {
56959 if (self->close_delay)
56960 schedule_timeout_interruptible(self->close_delay);
56961 wake_up_interruptible(&self->open_wait);
56962 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
56963 spin_lock_irqsave(&self->spinlock, flags);
56964 self->flags &= ~ASYNC_NORMAL_ACTIVE;
56966 - self->open_count = 0;
56967 + local_set(&self->open_count, 0);
56968 spin_unlock_irqrestore(&self->spinlock, flags);
56970 wake_up_interruptible(&self->open_wait);
56971 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
56974 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
56975 - seq_printf(m, "Open count: %d\n", self->open_count);
56976 + seq_printf(m, "Open count: %d\n", local_read(&self->open_count));
56977 seq_printf(m, "Max data size: %d\n", self->max_data_size);
56978 seq_printf(m, "Max header size: %d\n", self->max_header_size);
56980 diff -urNp linux-2.6.38.1/net/key/af_key.c linux-2.6.38.1-new/net/key/af_key.c
56981 --- linux-2.6.38.1/net/key/af_key.c 2011-03-14 21:20:32.000000000 -0400
56982 +++ linux-2.6.38.1-new/net/key/af_key.c 2011-03-21 18:31:35.000000000 -0400
56983 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
56984 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
56986 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
56987 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56992 atomic_read(&s->sk_refcnt),
56993 sk_rmem_alloc_get(s),
56994 sk_wmem_alloc_get(s),
56995 diff -urNp linux-2.6.38.1/net/mac80211/ieee80211_i.h linux-2.6.38.1-new/net/mac80211/ieee80211_i.h
56996 --- linux-2.6.38.1/net/mac80211/ieee80211_i.h 2011-03-14 21:20:32.000000000 -0400
56997 +++ linux-2.6.38.1-new/net/mac80211/ieee80211_i.h 2011-03-21 18:31:35.000000000 -0400
56999 #include <net/ieee80211_radiotap.h>
57000 #include <net/cfg80211.h>
57001 #include <net/mac80211.h>
57002 +#include <asm/local.h>
57004 #include "sta_info.h"
57006 @@ -716,7 +717,7 @@ struct ieee80211_local {
57007 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
57008 spinlock_t queue_stop_reason_lock;
57011 + local_t open_count;
57012 int monitors, cooked_mntrs;
57013 /* number of interfaces with corresponding FIF_ flags */
57014 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll,
57015 diff -urNp linux-2.6.38.1/net/mac80211/iface.c linux-2.6.38.1-new/net/mac80211/iface.c
57016 --- linux-2.6.38.1/net/mac80211/iface.c 2011-03-14 21:20:32.000000000 -0400
57017 +++ linux-2.6.38.1-new/net/mac80211/iface.c 2011-03-21 18:31:35.000000000 -0400
57018 @@ -211,7 +211,7 @@ static int ieee80211_do_open(struct net_
57022 - if (local->open_count == 0) {
57023 + if (local_read(&local->open_count) == 0) {
57024 res = drv_start(local);
57027 @@ -235,7 +235,7 @@ static int ieee80211_do_open(struct net_
57028 memcpy(dev->perm_addr, dev->dev_addr, ETH_ALEN);
57030 if (!is_valid_ether_addr(dev->dev_addr)) {
57031 - if (!local->open_count)
57032 + if (!local_read(&local->open_count))
57034 return -EADDRNOTAVAIL;
57036 @@ -327,7 +327,7 @@ static int ieee80211_do_open(struct net_
57037 mutex_unlock(&local->mtx);
57040 - local->open_count++;
57041 + local_inc(&local->open_count);
57043 if (hw_reconf_flags) {
57044 ieee80211_hw_config(local, hw_reconf_flags);
57045 @@ -347,7 +347,7 @@ static int ieee80211_do_open(struct net_
57047 drv_remove_interface(local, &sdata->vif);
57049 - if (!local->open_count)
57050 + if (!local_read(&local->open_count))
57054 @@ -473,7 +473,7 @@ static void ieee80211_do_stop(struct iee
57058 - local->open_count--;
57059 + local_dec(&local->open_count);
57061 switch (sdata->vif.type) {
57062 case NL80211_IFTYPE_AP_VLAN:
57063 @@ -532,7 +532,7 @@ static void ieee80211_do_stop(struct iee
57065 ieee80211_recalc_ps(local, -1);
57067 - if (local->open_count == 0) {
57068 + if (local_read(&local->open_count) == 0) {
57069 if (local->ops->napi_poll)
57070 napi_disable(&local->napi);
57071 ieee80211_clear_tx_pending(local);
57072 diff -urNp linux-2.6.38.1/net/mac80211/main.c linux-2.6.38.1-new/net/mac80211/main.c
57073 --- linux-2.6.38.1/net/mac80211/main.c 2011-03-14 21:20:32.000000000 -0400
57074 +++ linux-2.6.38.1-new/net/mac80211/main.c 2011-03-21 18:31:35.000000000 -0400
57075 @@ -161,7 +161,7 @@ int ieee80211_hw_config(struct ieee80211
57076 local->hw.conf.power_level = power;
57079 - if (changed && local->open_count) {
57080 + if (changed && local_read(&local->open_count)) {
57081 ret = drv_config(local, changed);
57084 diff -urNp linux-2.6.38.1/net/mac80211/pm.c linux-2.6.38.1-new/net/mac80211/pm.c
57085 --- linux-2.6.38.1/net/mac80211/pm.c 2011-03-14 21:20:32.000000000 -0400
57086 +++ linux-2.6.38.1-new/net/mac80211/pm.c 2011-03-21 18:31:35.000000000 -0400
57087 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
57090 /* stop hardware - this must stop RX */
57091 - if (local->open_count)
57092 + if (local_read(&local->open_count))
57093 ieee80211_stop_device(local);
57095 local->suspended = true;
57096 diff -urNp linux-2.6.38.1/net/mac80211/rate.c linux-2.6.38.1-new/net/mac80211/rate.c
57097 --- linux-2.6.38.1/net/mac80211/rate.c 2011-03-14 21:20:32.000000000 -0400
57098 +++ linux-2.6.38.1-new/net/mac80211/rate.c 2011-03-21 18:31:35.000000000 -0400
57099 @@ -371,7 +371,7 @@ int ieee80211_init_rate_ctrl_alg(struct
57103 - if (local->open_count)
57104 + if (local_read(&local->open_count))
57107 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
57108 diff -urNp linux-2.6.38.1/net/mac80211/rc80211_pid_debugfs.c linux-2.6.38.1-new/net/mac80211/rc80211_pid_debugfs.c
57109 --- linux-2.6.38.1/net/mac80211/rc80211_pid_debugfs.c 2011-03-14 21:20:32.000000000 -0400
57110 +++ linux-2.6.38.1-new/net/mac80211/rc80211_pid_debugfs.c 2011-03-21 18:31:35.000000000 -0400
57111 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
57113 spin_unlock_irqrestore(&events->lock, status);
57115 - if (copy_to_user(buf, pb, p))
57116 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
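Review bot: `p > sizeof(pb)` can only be true when the preceding `snprintf` calls (outside the hunk) truncated their output, since `snprintf` returns the would-be length; stopping `copy_to_user` from reading past `pb` is right, but the line that follows is not reproduced here and if it returns `-EFAULT` as the original did, a too-small fixed buffer is reported to the reader as a bad user pointer. Clamping instead, `p = min_t(size_t, p, sizeof(pb));` before the copy, optionally paired with `WARN_ON_ONCE(p > sizeof(pb))`, protects the copy and makes the real cause visible. rate_control_pid_events_read starts and ends outside this hunk.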
57120 diff -urNp linux-2.6.38.1/net/mac80211/tx.c linux-2.6.38.1-new/net/mac80211/tx.c
57121 --- linux-2.6.38.1/net/mac80211/tx.c 2011-03-14 21:20:32.000000000 -0400
57122 +++ linux-2.6.38.1-new/net/mac80211/tx.c 2011-03-21 18:31:35.000000000 -0400
57123 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
57124 return cpu_to_le16(dur);
57127 -static int inline is_ieee80211_device(struct ieee80211_local *local,
57128 +static inline int is_ieee80211_device(struct ieee80211_local *local,
57129 struct net_device *dev)
57131 return local == wdev_priv(dev->ieee80211_ptr);
57132 diff -urNp linux-2.6.38.1/net/mac80211/util.c linux-2.6.38.1-new/net/mac80211/util.c
57133 --- linux-2.6.38.1/net/mac80211/util.c 2011-03-14 21:20:32.000000000 -0400
57134 +++ linux-2.6.38.1-new/net/mac80211/util.c 2011-03-21 18:31:35.000000000 -0400
57135 @@ -1135,7 +1135,7 @@ int ieee80211_reconfig(struct ieee80211_
57136 local->resuming = true;
57138 /* restart hardware */
57139 - if (local->open_count) {
57140 + if (local_read(&local->open_count)) {
57142 * Upon resume hardware can sometimes be goofy due to
57143 * various platform / driver / bus issues, so restarting
57144 diff -urNp linux-2.6.38.1/net/netfilter/Kconfig linux-2.6.38.1-new/net/netfilter/Kconfig
57145 --- linux-2.6.38.1/net/netfilter/Kconfig 2011-03-14 21:20:32.000000000 -0400
57146 +++ linux-2.6.38.1-new/net/netfilter/Kconfig 2011-03-21 18:31:35.000000000 -0400
57147 @@ -709,6 +709,16 @@ config NETFILTER_XT_MATCH_ESP
57149 To compile it as a module, choose M here. If unsure, say N.
57151 +config NETFILTER_XT_MATCH_GRADM
57152 + tristate '"gradm" match support'
57153 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
57154 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
57156 + The gradm match allows to match on grsecurity RBAC being enabled.
57157 + It is useful when iptables rules are applied early on bootup to
57158 + prevent connections to the machine (except from a trusted host)
57159 + while the RBAC system is disabled.
57161 config NETFILTER_XT_MATCH_HASHLIMIT
57162 tristate '"hashlimit" match support'
57163 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
57164 diff -urNp linux-2.6.38.1/net/netfilter/Makefile linux-2.6.38.1-new/net/netfilter/Makefile
57165 --- linux-2.6.38.1/net/netfilter/Makefile 2011-03-14 21:20:32.000000000 -0400
57166 +++ linux-2.6.38.1-new/net/netfilter/Makefile 2011-03-21 18:31:35.000000000 -0400
57167 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
57168 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
57169 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
57170 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
57171 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
57172 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
57173 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
57174 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
57175 diff -urNp linux-2.6.38.1/net/netfilter/nf_conntrack_netlink.c linux-2.6.38.1-new/net/netfilter/nf_conntrack_netlink.c
57176 --- linux-2.6.38.1/net/netfilter/nf_conntrack_netlink.c 2011-03-14 21:20:32.000000000 -0400
57177 +++ linux-2.6.38.1-new/net/netfilter/nf_conntrack_netlink.c 2011-03-21 18:31:35.000000000 -0400
57178 @@ -761,7 +761,7 @@ static const struct nla_policy tuple_nla
57180 ctnetlink_parse_tuple(const struct nlattr * const cda[],
57181 struct nf_conntrack_tuple *tuple,
57182 - enum ctattr_tuple type, u_int8_t l3num)
57183 + enum ctattr_type type, u_int8_t l3num)
57185 struct nlattr *tb[CTA_TUPLE_MAX+1];
57187 diff -urNp linux-2.6.38.1/net/netfilter/xt_gradm.c linux-2.6.38.1-new/net/netfilter/xt_gradm.c
57188 --- linux-2.6.38.1/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
57189 +++ linux-2.6.38.1-new/net/netfilter/xt_gradm.c 2011-03-21 18:31:35.000000000 -0400
57192 + * gradm match for netfilter
57193 + * Copyright © Zbigniew Krzystolik, 2010
57195 + * This program is free software; you can redistribute it and/or modify
57196 + * it under the terms of the GNU General Public License; either version
57197 + * 2 or 3 as published by the Free Software Foundation.
57199 +#include <linux/module.h>
57200 +#include <linux/moduleparam.h>
57201 +#include <linux/skbuff.h>
57202 +#include <linux/netfilter/x_tables.h>
57203 +#include <linux/grsecurity.h>
57204 +#include <linux/netfilter/xt_gradm.h>
57207 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
57209 + const struct xt_gradm_mtinfo *info = par->matchinfo;
57210 + bool retval = false;
57211 + if (gr_acl_is_enabled())
57213 + return retval ^ info->invflags;
57216 +static struct xt_match gradm_mt_reg __read_mostly = {
57219 + .family = NFPROTO_UNSPEC,
57220 + .match = gradm_mt,
57221 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
57222 + .me = THIS_MODULE,
57225 +static int __init gradm_mt_init(void)
57227 + return xt_register_match(&gradm_mt_reg);
57230 +static void __exit gradm_mt_exit(void)
57232 + xt_unregister_match(&gradm_mt_reg);
57235 +module_init(gradm_mt_init);
57236 +module_exit(gradm_mt_exit);
57237 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
57238 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
57239 +MODULE_LICENSE("GPL");
57240 +MODULE_ALIAS("ipt_gradm");
57241 +MODULE_ALIAS("ip6t_gradm");
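Review bot: `return retval ^ info->invflags;` relies on `invflags` holding only 0 or 1: `retval` is a `bool`, so any other bit set in the rule (the `xt_gradm_mtinfo` layout is not on the page, but the name suggests a flags word) produces a nonzero result that converts to `true` whether or not the ACL is enabled, i.e. the inversion silently stops working. Either normalise it, `return retval ^ !!info->invflags;`, or better give `gradm_mt_reg` a `.checkentry` that rejects unknown bits when the rule is loaded, which is the usual xtables way to validate match options. The `.name`/`.revision` initialisers of `gradm_mt_reg` are not reproduced in this excerpt.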
57242 diff -urNp linux-2.6.38.1/net/netlink/af_netlink.c linux-2.6.38.1-new/net/netlink/af_netlink.c
57243 --- linux-2.6.38.1/net/netlink/af_netlink.c 2011-03-14 21:20:32.000000000 -0400
57244 +++ linux-2.6.38.1-new/net/netlink/af_netlink.c 2011-03-21 18:31:35.000000000 -0400
57245 @@ -2001,13 +2001,21 @@ static int netlink_seq_show(struct seq_f
57246 struct netlink_sock *nlk = nlk_sk(s);
57248 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
57249 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57256 nlk->groups ? (u32)nlk->groups[0] : 0,
57257 sk_rmem_alloc_get(s),
57258 sk_wmem_alloc_get(s),
57259 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57264 atomic_read(&s->sk_refcnt),
57265 atomic_read(&s->sk_drops),
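Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` branches spliced into the `seq_printf` argument list (the replacement arguments themselves are not reproduced in this excerpt) turn each `%p` argument into a compile-time fork of the /proc format. 2.6.38 already ships the `%pK` conversion together with the `kernel.kptr_restrict` sysctl for exactly this purpose — hiding kernel addresses from unprivileged readers of /proc/net/* — so switching these `%p` conversions to `%pK` would give the same protection under a runtime policy with no `#ifdef`s inside argument lists. The same pattern appears in the af_packet.c (@@ -2684), phonet/socket.c, sctp/proc.c and af_unix.c (@@ -2235) hunks below. netlink_seq_show's body continues outside the hunk.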
57267 diff -urNp linux-2.6.38.1/net/netrom/af_netrom.c linux-2.6.38.1-new/net/netrom/af_netrom.c
57268 --- linux-2.6.38.1/net/netrom/af_netrom.c 2011-03-14 21:20:32.000000000 -0400
57269 +++ linux-2.6.38.1-new/net/netrom/af_netrom.c 2011-03-21 18:31:35.000000000 -0400
57270 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
57271 struct sock *sk = sock->sk;
57272 struct nr_sock *nr = nr_sk(sk);
57274 + memset(sax, 0, sizeof(*sax));
57277 if (sk->sk_state != TCP_ESTABLISHED) {
57278 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
57279 *uaddr_len = sizeof(struct full_sockaddr_ax25);
57281 sax->fsa_ax25.sax25_family = AF_NETROM;
57282 - sax->fsa_ax25.sax25_ndigis = 0;
57283 sax->fsa_ax25.sax25_call = nr->source_addr;
57284 *uaddr_len = sizeof(struct sockaddr_ax25);
57286 diff -urNp linux-2.6.38.1/net/packet/af_packet.c linux-2.6.38.1-new/net/packet/af_packet.c
57287 --- linux-2.6.38.1/net/packet/af_packet.c 2011-03-14 21:20:32.000000000 -0400
57288 +++ linux-2.6.38.1-new/net/packet/af_packet.c 2011-03-21 18:31:35.000000000 -0400
57289 @@ -2134,7 +2134,7 @@ static int packet_getsockopt(struct sock
57290 case PACKET_HDRLEN:
57291 if (len > sizeof(int))
57293 - if (copy_from_user(&val, optval, len))
57294 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
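Review bot: `len > sizeof(val)` cannot be true here: the `if (len > sizeof(int))` two lines above clamps `len` (its body is not reproduced, but upstream sets `len = sizeof(int)`) and `val` is an `int`, so the added test is dead; if it is meant as insurance against the types diverging, `BUILD_BUG_ON(sizeof(val) != sizeof(int));` after the clamp states that intent without a runtime branch. In the @@ -2172 hunk below the bound is looser than it looks: in the upstream function `data` points at `val` for most options and at `st` only for the statistics case, so `len > sizeof(st)` does not bound a copy out of `val` and the guard still depends on each `case` having clamped `len` correctly. Carrying the source size alongside the pointer — a `size_t data_len` set next to each `data = ...` assignment and tested as `len > data_len` — would make that guard actually enforce the bound. packet_getsockopt's body continues outside both hunks.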
57298 @@ -2172,7 +2172,7 @@ static int packet_getsockopt(struct sock
57300 if (put_user(len, optlen))
57302 - if (copy_to_user(optval, data, len))
57303 + if (len > sizeof(st) || copy_to_user(optval, data, len))
57307 @@ -2684,7 +2684,11 @@ static int packet_seq_show(struct seq_fi
57310 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
57311 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57316 atomic_read(&s->sk_refcnt),
57319 diff -urNp linux-2.6.38.1/net/phonet/af_phonet.c linux-2.6.38.1-new/net/phonet/af_phonet.c
57320 --- linux-2.6.38.1/net/phonet/af_phonet.c 2011-03-14 21:20:32.000000000 -0400
57321 +++ linux-2.6.38.1-new/net/phonet/af_phonet.c 2011-03-21 18:31:35.000000000 -0400
57322 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
57324 struct phonet_protocol *pp;
57326 - if (protocol >= PHONET_NPROTO)
57327 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57331 @@ -463,7 +463,7 @@ int __init_or_module phonet_proto_regist
57335 - if (protocol >= PHONET_NPROTO)
57336 + if (protocol < 0 || protocol >= PHONET_NPROTO)
57339 err = proto_register(pp->prot, 1);
57340 diff -urNp linux-2.6.38.1/net/phonet/socket.c linux-2.6.38.1-new/net/phonet/socket.c
57341 --- linux-2.6.38.1/net/phonet/socket.c 2011-03-14 21:20:32.000000000 -0400
57342 +++ linux-2.6.38.1-new/net/phonet/socket.c 2011-03-21 18:31:35.000000000 -0400
57343 @@ -637,7 +637,12 @@ static int pn_sock_seq_show(struct seq_f
57345 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
57346 sock_i_uid(sk), sock_i_ino(sk),
57347 - atomic_read(&sk->sk_refcnt), sk,
57348 + atomic_read(&sk->sk_refcnt),
57349 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57354 atomic_read(&sk->sk_drops), &len);
57356 seq_printf(seq, "%*s\n", 127 - len, "");
57357 diff -urNp linux-2.6.38.1/net/sctp/proc.c linux-2.6.38.1-new/net/sctp/proc.c
57358 --- linux-2.6.38.1/net/sctp/proc.c 2011-03-14 21:20:32.000000000 -0400
57359 +++ linux-2.6.38.1-new/net/sctp/proc.c 2011-03-21 18:31:35.000000000 -0400
57360 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
57361 sctp_for_each_hentry(epb, node, &head->chain) {
57364 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
57365 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
57366 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57371 sctp_sk(sk)->type, sk->sk_state, hash,
57372 epb->bind_addr.port,
57373 sock_i_uid(sk), sock_i_ino(sk));
57374 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
57376 "%8p %8p %-3d %-3d %-2d %-4d "
57377 "%4d %8d %8d %7d %5lu %-5d %5d ",
57378 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
57379 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57384 + sctp_sk(sk)->type, sk->sk_state,
57385 assoc->state, hash,
57387 assoc->sndbuf_used,
57388 diff -urNp linux-2.6.38.1/net/sctp/socket.c linux-2.6.38.1-new/net/sctp/socket.c
57389 --- linux-2.6.38.1/net/sctp/socket.c 2011-03-14 21:20:32.000000000 -0400
57390 +++ linux-2.6.38.1-new/net/sctp/socket.c 2011-03-21 18:31:35.000000000 -0400
57391 @@ -1496,7 +1496,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
57392 struct sctp_sndrcvinfo *sinfo;
57393 struct sctp_initmsg *sinit;
57394 sctp_assoc_t associd = 0;
57395 - sctp_cmsgs_t cmsgs = { NULL };
57396 + sctp_cmsgs_t cmsgs = { NULL, NULL };
57398 sctp_scope_t scope;
57400 @@ -4435,7 +4435,7 @@ static int sctp_getsockopt_peer_addrs(st
57401 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
57402 if (space_left < addrlen)
57404 - if (copy_to_user(to, &temp, addrlen))
57405 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
57409 diff -urNp linux-2.6.38.1/net/socket.c linux-2.6.38.1-new/net/socket.c
57410 --- linux-2.6.38.1/net/socket.c 2011-03-14 21:20:32.000000000 -0400
57411 +++ linux-2.6.38.1-new/net/socket.c 2011-03-21 18:31:35.000000000 -0400
57413 #include <linux/nsproxy.h>
57414 #include <linux/magic.h>
57415 #include <linux/slab.h>
57416 +#include <linux/in.h>
57418 #include <asm/uaccess.h>
57419 #include <asm/unistd.h>
57420 @@ -105,6 +106,8 @@
57421 #include <linux/sockios.h>
57422 #include <linux/atalk.h>
57424 +#include <linux/grsock.h>
57426 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
57427 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
57428 unsigned long nr_segs, loff_t pos);
57429 @@ -326,7 +329,7 @@ static struct dentry *sockfs_mount(struc
57430 &sockfs_dentry_operations, SOCKFS_MAGIC);
57433 -static struct vfsmount *sock_mnt __read_mostly;
57434 +struct vfsmount *sock_mnt __read_mostly;
57436 static struct file_system_type sock_fs_type = {
57438 @@ -1174,6 +1177,8 @@ int __sock_create(struct net *net, int f
57439 return -EAFNOSUPPORT;
57440 if (type < 0 || type >= SOCK_MAX)
57442 + if (protocol < 0)
57447 @@ -1306,6 +1311,16 @@ SYSCALL_DEFINE3(socket, int, family, int
57448 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
57449 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
57451 + if(!gr_search_socket(family, type, protocol)) {
57452 + retval = -EACCES;
57456 + if (gr_handle_sock_all(family, type, protocol)) {
57457 + retval = -EACCES;
57461 retval = sock_create(family, type, protocol, &sock);
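Review bot: `if(!gr_search_socket(family, type, protocol)) {` is missing the space after `if` that the rest of the file, and the `if (gr_handle_sock_all(...))` check right below it, use; checkpatch warns about this. `if (!gr_search_socket(family, type, protocol)) {`. The `goto` lines of the two blocks are not reproduced here and the syscall body continues outside the hunk.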
57464 @@ -1418,6 +1433,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57466 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
57468 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
57472 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
57476 err = security_socket_bind(sock,
57477 (struct sockaddr *)&address,
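Review bot: `gr_handle_sock_server()` and `gr_search_bind()` are handed `address` without `addrlen`, the second one as a `struct sockaddr_in *` regardless of `sa_family`. In the upstream function `address` is an uninitialised `struct sockaddr_storage` and `move_addr_to_kernel()` copies only `addrlen` bytes (returning 0 without copying when `addrlen == 0`), so unlike `security_socket_bind()`, which receives `addrlen`, the hooks cannot tell how much of the structure is valid and must check the family themselves before reading `sin_port`/`sin_addr`; whether they do is outside this hunk. Passing the length through, `err = gr_search_bind(sock, (struct sockaddr_in *)&address, addrlen);`, and having the hooks return early unless `addrlen >= sizeof(struct sockaddr_in)` and `sa_family == AF_INET` would make that explicit. The same applies to `gr_handle_sock_client()`/`gr_search_connect()` in the @@ -1576 connect hunk below; the surrounding control flow of both syscalls is not reproduced in this excerpt.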
57479 @@ -1426,6 +1449,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
57480 (struct sockaddr *)
57481 &address, addrlen);
57484 fput_light(sock->file, fput_needed);
57487 @@ -1449,10 +1473,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
57488 if ((unsigned)backlog > somaxconn)
57489 backlog = somaxconn;
57491 + if (gr_handle_sock_server_other(sock->sk)) {
57496 + err = gr_search_listen(sock);
57500 err = security_socket_listen(sock, backlog);
57502 err = sock->ops->listen(sock, backlog);
57505 fput_light(sock->file, fput_needed);
57508 @@ -1496,6 +1530,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57509 newsock->type = sock->type;
57510 newsock->ops = sock->ops;
57512 + if (gr_handle_sock_server_other(sock->sk)) {
57514 + sock_release(newsock);
57518 + err = gr_search_accept(sock);
57520 + sock_release(newsock);
57525 * We don't need try_module_get here, as the listening socket (sock)
57526 * has the protocol module (sock->ops->owner) held.
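Review bot: Both new failure paths call `sock_release(newsock)` after `newsock->ops = sock->ops` has been assigned but before the `__module_get(newsock->ops->owner)` that, in the upstream function, follows the comment closing this hunk; `sock_release()` does `module_put(sock->ops->owner)` whenever `ops` is set, so every rejected accept drops a reference on the protocol module that was never taken, and it also runs `ops->release()` on a socket that has no `sk` yet. Move the two checks above `newsock->type = sock->type;`, or clear the pointer first on both paths: `newsock->ops = NULL;` immediately before each `sock_release(newsock);`. The error assignment and `goto` lines of the two blocks are not reproduced here, and accept4's body continues outside the hunk.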
57527 @@ -1534,6 +1580,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
57528 fd_install(newfd, newfile);
57531 + gr_attach_curr_ip(newsock->sk);
57534 fput_light(sock->file, fput_needed);
57536 @@ -1566,6 +1614,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57539 struct socket *sock;
57540 + struct sockaddr *sck;
57541 struct sockaddr_storage address;
57542 int err, fput_needed;
57544 @@ -1576,6 +1625,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
57548 + sck = (struct sockaddr *)&address;
57550 + if (gr_handle_sock_client(sck)) {
57555 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
57560 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
57562 diff -urNp linux-2.6.38.1/net/sunrpc/sched.c linux-2.6.38.1-new/net/sunrpc/sched.c
57563 --- linux-2.6.38.1/net/sunrpc/sched.c 2011-03-23 17:20:08.000000000 -0400
57564 +++ linux-2.6.38.1-new/net/sunrpc/sched.c 2011-03-23 17:21:51.000000000 -0400
57565 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
57567 static void rpc_task_set_debuginfo(struct rpc_task *task)
57569 - static atomic_t rpc_pid;
57570 + static atomic_unchecked_t rpc_pid;
57572 - task->tk_pid = atomic_inc_return(&rpc_pid);
57573 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
57576 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
57577 diff -urNp linux-2.6.38.1/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.38.1-new/net/sunrpc/xprtrdma/svc_rdma.c
57578 --- linux-2.6.38.1/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-14 21:20:32.000000000 -0400
57579 +++ linux-2.6.38.1-new/net/sunrpc/xprtrdma/svc_rdma.c 2011-03-21 18:31:35.000000000 -0400
57580 @@ -109,7 +109,7 @@ static int read_reset_stat(ctl_table *ta
57584 - if (len && copy_to_user(buffer, str_buf, len))
57585 + if (len > sizeof str_buf || (len && copy_to_user(buffer, str_buf, len)))
57589 diff -urNp linux-2.6.38.1/net/sysctl_net.c linux-2.6.38.1-new/net/sysctl_net.c
57590 --- linux-2.6.38.1/net/sysctl_net.c 2011-03-14 21:20:32.000000000 -0400
57591 +++ linux-2.6.38.1-new/net/sysctl_net.c 2011-03-21 18:31:35.000000000 -0400
57592 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
57593 struct ctl_table *table)
57595 /* Allow network administrator to have same access as root. */
57596 - if (capable(CAP_NET_ADMIN)) {
57597 + if (capable_nolog(CAP_NET_ADMIN)) {
57598 int mode = (table->mode >> 6) & 7;
57599 return (mode << 6) | (mode << 3) | mode;
57601 diff -urNp linux-2.6.38.1/net/tipc/socket.c linux-2.6.38.1-new/net/tipc/socket.c
57602 --- linux-2.6.38.1/net/tipc/socket.c 2011-03-14 21:20:32.000000000 -0400
57603 +++ linux-2.6.38.1-new/net/tipc/socket.c 2011-03-21 18:31:35.000000000 -0400
57604 @@ -1447,8 +1447,9 @@ static int connect(struct socket *sock,
57609 - ; /* leave "res" unchanged */
57611 + /* leave "res" unchanged */
57613 sock->state = SS_DISCONNECTING;
57616 diff -urNp linux-2.6.38.1/net/unix/af_unix.c linux-2.6.38.1-new/net/unix/af_unix.c
57617 --- linux-2.6.38.1/net/unix/af_unix.c 2011-03-14 21:20:32.000000000 -0400
57618 +++ linux-2.6.38.1-new/net/unix/af_unix.c 2011-03-21 18:31:35.000000000 -0400
57619 @@ -765,6 +765,12 @@ static struct sock *unix_find_other(stru
57620 err = -ECONNREFUSED;
57621 if (!S_ISSOCK(inode->i_mode))
57624 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
57629 u = unix_find_socket_byinode(inode);
57632 @@ -785,6 +791,13 @@ static struct sock *unix_find_other(stru
57634 struct dentry *dentry;
57635 dentry = unix_sk(u)->dentry;
57637 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
57644 touch_atime(unix_sk(u)->mnt, dentry);
57646 @@ -870,11 +883,18 @@ static int unix_bind(struct socket *sock
57647 err = security_path_mknod(&nd.path, dentry, mode, 0);
57649 goto out_mknod_drop_write;
57650 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
57652 + goto out_mknod_drop_write;
57654 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
57655 out_mknod_drop_write:
57656 mnt_drop_write(nd.path.mnt);
57658 goto out_mknod_dput;
57660 + gr_handle_create(dentry, nd.path.mnt);
57662 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
57663 dput(nd.path.dentry);
57664 nd.path.dentry = dentry;
57665 @@ -892,6 +912,11 @@ out_mknod_drop_write:
57669 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
57670 + put_pid(sk->sk_peer_pid);
57671 + sk->sk_peer_pid = get_pid(task_tgid(current));
57674 list = &unix_socket_table[addr->hash];
57676 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
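Review bot: Under `CONFIG_GRKERNSEC_CHROOT_UNIX` this reuses `sk->sk_peer_pid`, which upstream means "pid of the connected peer" and is what `SO_PEERCRED` reports through `cred_to_ucred()`, to record the binding task's tgid for the later `gr_handle_chroot_unix(u->sk_peer_pid)` check in `unix_find_other()` (@@ -785 above). A bound-but-unconnected socket will therefore presumably answer `SO_PEERCRED` with its own binder's pid and no credentials, a user-visible change that deserves either a comment here, e.g. `/* CHROOT_UNIX: on a bound socket sk_peer_pid records the binder's tgid, not a peer */`, or a dedicated field in `struct unix_sock`. unix_bind's body continues outside the hunk.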
57677 @@ -2235,7 +2260,11 @@ static int unix_seq_show(struct seq_file
57678 unix_state_lock(s);
57680 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
57681 +#ifdef CONFIG_GRKERNSEC_HIDESYM
57686 atomic_read(&s->sk_refcnt),
57688 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
57689 diff -urNp linux-2.6.38.1/net/wireless/reg.c linux-2.6.38.1-new/net/wireless/reg.c
57690 --- linux-2.6.38.1/net/wireless/reg.c 2011-03-14 21:20:32.000000000 -0400
57691 +++ linux-2.6.38.1-new/net/wireless/reg.c 2011-03-21 18:31:35.000000000 -0400
57693 printk(KERN_DEBUG pr_fmt(format), ##args); \
57696 -#define REG_DBG_PRINT(args...)
57697 +#define REG_DBG_PRINT(args...) do {} while (0)
57700 /* Receipt of information from last regulatory request */
57701 diff -urNp linux-2.6.38.1/net/wireless/wext-core.c linux-2.6.38.1-new/net/wireless/wext-core.c
57702 --- linux-2.6.38.1/net/wireless/wext-core.c 2011-03-14 21:20:32.000000000 -0400
57703 +++ linux-2.6.38.1-new/net/wireless/wext-core.c 2011-03-21 18:31:35.000000000 -0400
57704 @@ -746,8 +746,7 @@ static int ioctl_standard_iw_point(struc
57707 /* Support for very large requests */
57708 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
57709 - (user_length > descr->max_tokens)) {
57710 + if (user_length > descr->max_tokens) {
57711 /* Allow userspace to GET more than max so
57712 * we can support any size GET requests.
57713 * There is still a limit : -ENOMEM.
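Review bot: Together with the @@ -784 hunk below, this changes the contract a handler sees on a GET: the removed block guaranteed that a non-NOMAX GET entered `handler()` with `iwp->length == descr->max_tokens`, and its own comment records that drivers may read `iwp->length` instead of knowing `max_tokens`; after the change `iwp->length` carries the caller's `user_length` on every GET. A driver that writes `iwp->length` tokens into `extra` therefore needs `extra` sized from `user_length` whenever that exceeds `max_tokens` — the `extra_size` assignment is not reproduced here, so please confirm it follows the widened condition. The driver-visible change should be documented where the block was removed, e.g. `/* GET: iwp->length is the caller's length, not max_tokens; extra is sized to hold it */` (adjusted to whatever the allocation actually does). ioctl_standard_iw_point starts before and ends after both hunks.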
57714 @@ -784,22 +783,6 @@ static int ioctl_standard_iw_point(struc
57718 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
57720 - * If this is a GET, but not NOMAX, it means that the extra
57721 - * data is not bounded by userspace, but by max_tokens. Thus
57722 - * set the length to max_tokens. This matches the extra data
57724 - * The driver should fill it with the number of tokens it
57725 - * provided, and it may check iwp->length rather than having
57726 - * knowledge of max_tokens. If the driver doesn't change the
57727 - * iwp->length, this ioctl just copies back max_token tokens
57728 - * filled with zeroes. Hopefully the driver isn't claiming
57729 - * them to be valid data.
57731 - iwp->length = descr->max_tokens;
57734 err = handler(dev, info, (union iwreq_data *) iwp, extra);
57736 iwp->length += essid_compat;
57737 diff -urNp linux-2.6.38.1/net/x25/x25_facilities.c linux-2.6.38.1-new/net/x25/x25_facilities.c
57738 --- linux-2.6.38.1/net/x25/x25_facilities.c 2011-03-14 21:20:32.000000000 -0400
57739 +++ linux-2.6.38.1-new/net/x25/x25_facilities.c 2011-03-21 18:31:35.000000000 -0400
57740 @@ -167,7 +167,8 @@ int x25_parse_facilities(struct sk_buff
57743 printk(KERN_DEBUG "X.25: unknown facility %02X,"
57744 - "length %d\n", p[0], p[1]);
57745 + "length %d, values %02X, %02X\n",
57746 + p[0], p[1], p[2], p[3]);
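Review bot: The new debug message reads `p[2]` and `p[3]`, but nothing in the hunk shows those bytes were validated: in the upstream loop this `default:` sits under the Class D case, whose length check only guarantees `p[1] + 2` bytes, so a facility whose length byte is 0 or 1 makes the `printk` read one or two bytes past the validated data. Guard the extra output on the length, printing the values only `if (p[1] >= 2)` and falling back to the old two-argument message otherwise. x25_parse_facilities starts and ends outside this hunk.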
57750 diff -urNp linux-2.6.38.1/net/xfrm/xfrm_policy.c linux-2.6.38.1-new/net/xfrm/xfrm_policy.c
57751 --- linux-2.6.38.1/net/xfrm/xfrm_policy.c 2011-03-14 21:20:32.000000000 -0400
57752 +++ linux-2.6.38.1-new/net/xfrm/xfrm_policy.c 2011-03-21 18:31:35.000000000 -0400
57753 @@ -1507,7 +1507,7 @@ free_dst:
57759 xfrm_dst_alloc_copy(void **target, void *src, int size)
57762 @@ -1519,7 +1519,7 @@ xfrm_dst_alloc_copy(void **target, void
57768 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
57770 #ifdef CONFIG_XFRM_SUB_POLICY
57771 @@ -1531,7 +1531,7 @@ xfrm_dst_update_parent(struct dst_entry
57777 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
57779 #ifdef CONFIG_XFRM_SUB_POLICY
57780 diff -urNp linux-2.6.38.1/scripts/basic/fixdep.c linux-2.6.38.1-new/scripts/basic/fixdep.c
57781 --- linux-2.6.38.1/scripts/basic/fixdep.c 2011-03-14 21:20:32.000000000 -0400
57782 +++ linux-2.6.38.1-new/scripts/basic/fixdep.c 2011-03-21 18:31:35.000000000 -0400
57783 @@ -235,9 +235,9 @@ static void use_config(const char *m, in
57785 static void parse_config_file(const char *map, size_t len)
57787 - const int *end = (const int *) (map + len);
57788 + const unsigned int *end = (const unsigned int *) (map + len);
57789 /* start at +1, so that p can never be < map */
57790 - const int *m = (const int *) map + 1;
57791 + const unsigned int *m = (const unsigned int *) map + 1;
57794 for (; m < end; m++) {
57795 @@ -405,7 +405,7 @@ static void print_deps(void)
57796 static void traps(void)
57798 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
57799 - int *p = (int *)test;
57800 + unsigned int *p = (unsigned int *)test;
57802 if (*p != INT_CONF) {
57803 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
57804 diff -urNp linux-2.6.38.1/scripts/kallsyms.c linux-2.6.38.1-new/scripts/kallsyms.c
57805 --- linux-2.6.38.1/scripts/kallsyms.c 2011-03-14 21:20:32.000000000 -0400
57806 +++ linux-2.6.38.1-new/scripts/kallsyms.c 2011-03-21 18:31:35.000000000 -0400
57807 @@ -43,10 +43,10 @@ struct text_range {
57809 static unsigned long long _text;
57810 static struct text_range text_ranges[] = {
57811 - { "_stext", "_etext" },
57812 - { "_sinittext", "_einittext" },
57813 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
57814 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
57815 + { "_stext", "_etext", 0, 0 },
57816 + { "_sinittext", "_einittext", 0, 0 },
57817 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
57818 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
57820 #define text_range_text (&text_ranges[0])
57821 #define text_range_inittext (&text_ranges[1])
57822 diff -urNp linux-2.6.38.1/scripts/mod/file2alias.c linux-2.6.38.1-new/scripts/mod/file2alias.c
57823 --- linux-2.6.38.1/scripts/mod/file2alias.c 2011-03-14 21:20:32.000000000 -0400
57824 +++ linux-2.6.38.1-new/scripts/mod/file2alias.c 2011-03-21 18:31:35.000000000 -0400
57825 @@ -72,7 +72,7 @@ static void device_id_check(const char *
57826 unsigned long size, unsigned long id_size,
57832 if (size % id_size || size < id_size) {
57833 if (cross_build != 0)
57834 @@ -102,7 +102,7 @@ static void device_id_check(const char *
57835 /* USB is special because the bcdDevice can be matched against a numeric range */
57836 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
57837 static void do_usb_entry(struct usb_device_id *id,
57838 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
57839 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
57840 unsigned char range_lo, unsigned char range_hi,
57841 unsigned char max, struct module *mod)
57843 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
57844 for (i = 0; i < count; i++) {
57845 const char *id = (char *)devs[i].id;
57846 char acpi_id[sizeof(devs[0].id)];
57850 buf_printf(&mod->dev_table_buf,
57851 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57852 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
57854 for (j = 0; j < PNP_MAX_DEVICES; j++) {
57855 const char *id = (char *)card->devs[j].id;
57857 + unsigned int i2, j2;
57861 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
57862 /* add an individual alias for every device entry */
57864 char acpi_id[sizeof(card->devs[0].id)];
57868 buf_printf(&mod->dev_table_buf,
57869 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57870 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
57871 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
57875 + unsigned int i, j;
57877 sprintf(alias, "dmi*");
57879 diff -urNp linux-2.6.38.1/scripts/mod/modpost.c linux-2.6.38.1-new/scripts/mod/modpost.c
57880 --- linux-2.6.38.1/scripts/mod/modpost.c 2011-03-14 21:20:32.000000000 -0400
57881 +++ linux-2.6.38.1-new/scripts/mod/modpost.c 2011-03-21 18:31:35.000000000 -0400
57882 @@ -896,6 +896,7 @@ enum mismatch {
57883 ANY_INIT_TO_ANY_EXIT,
57884 ANY_EXIT_TO_ANY_INIT,
57885 EXPORT_TO_INIT_EXIT,
57889 struct sectioncheck {
57890 @@ -1004,6 +1005,12 @@ const struct sectioncheck sectioncheck[]
57891 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
57892 .mismatch = EXPORT_TO_INIT_EXIT,
57893 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
57895 +/* Do not reference code from writable data */
57897 + .fromsec = { DATA_SECTIONS, NULL },
57898 + .tosec = { TEXT_SECTIONS, NULL },
57899 + .mismatch = DATA_TO_TEXT
57903 @@ -1126,10 +1133,10 @@ static Elf_Sym *find_elf_symbol(struct e
57905 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
57907 - if (sym->st_value == addr)
57909 /* Find a symbol nearby - addr are maybe negative */
57910 d = sym->st_value - addr;
57914 d = addr - sym->st_value;
57915 if (d < distance) {
57916 @@ -1401,6 +1408,14 @@ static void report_sec_mismatch(const ch
57917 tosym, prl_to, prl_to, tosym);
57920 + case DATA_TO_TEXT:
57923 + "The variable %s references\n"
57924 + "the %s %s%s%s\n",
57925 + fromsym, to, sec2annotation(tosec), tosym, to_p);
57929 fprintf(stderr, "\n");
57931 @@ -1724,7 +1739,7 @@ void __attribute__((format(printf, 2, 3)
57935 -void buf_write(struct buffer *buf, const char *s, int len)
57936 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
57938 if (buf->size - buf->pos < len) {
57939 buf->size += len + SZ;
57940 @@ -1936,7 +1951,7 @@ static void write_if_changed(struct buff
57941 if (fstat(fileno(file), &st) < 0)
57944 - if (st.st_size != b->pos)
57945 + if (st.st_size != (off_t)b->pos)
57948 tmp = NOFAIL(malloc(b->pos));
57949 diff -urNp linux-2.6.38.1/scripts/mod/modpost.h linux-2.6.38.1-new/scripts/mod/modpost.h
57950 --- linux-2.6.38.1/scripts/mod/modpost.h 2011-03-14 21:20:32.000000000 -0400
57951 +++ linux-2.6.38.1-new/scripts/mod/modpost.h 2011-03-21 18:31:35.000000000 -0400
57952 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
57958 + unsigned int pos;
57959 + unsigned int size;
57962 void __attribute__((format(printf, 2, 3)))
57963 buf_printf(struct buffer *buf, const char *fmt, ...);
57966 -buf_write(struct buffer *buf, const char *s, int len);
57967 +buf_write(struct buffer *buf, const char *s, unsigned int len);
57970 struct module *next;
57971 diff -urNp linux-2.6.38.1/scripts/mod/sumversion.c linux-2.6.38.1-new/scripts/mod/sumversion.c
57972 --- linux-2.6.38.1/scripts/mod/sumversion.c 2011-03-14 21:20:32.000000000 -0400
57973 +++ linux-2.6.38.1-new/scripts/mod/sumversion.c 2011-03-21 18:31:35.000000000 -0400
57974 @@ -470,7 +470,7 @@ static void write_version(const char *fi
57978 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
57979 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
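Review bot: `(ssize_t)strlen(sum)+1` parses as `((ssize_t)strlen(sum)) + 1`, which happens to be what is wanted but reads as if the cast covered the whole sum. `(ssize_t)(strlen(sum) + 1)` says what is meant and mirrors the length passed to `write()`. write_version's body continues outside the hunk.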
57980 warn("writing sum in %s failed: %s\n",
57981 filename, strerror(errno));
57983 diff -urNp linux-2.6.38.1/scripts/pnmtologo.c linux-2.6.38.1-new/scripts/pnmtologo.c
57984 --- linux-2.6.38.1/scripts/pnmtologo.c 2011-03-14 21:20:32.000000000 -0400
57985 +++ linux-2.6.38.1-new/scripts/pnmtologo.c 2011-03-21 18:31:35.000000000 -0400
57986 @@ -237,14 +237,14 @@ static void write_header(void)
57987 fprintf(out, " * Linux logo %s\n", logoname);
57988 fputs(" */\n\n", out);
57989 fputs("#include <linux/linux_logo.h>\n\n", out);
57990 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
57991 + fprintf(out, "static unsigned char %s_data[] = {\n",
57995 static void write_footer(void)
57997 fputs("\n};\n\n", out);
57998 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
57999 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
58000 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
58001 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
58002 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
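Review bot: Dropping `__initdata`/`__initconst` from the generated logo arrays means the bitmaps and, in the @@ -374 hunk below, the cluts are no longer discarded with the init sections and stay resident for the lifetime of the kernel; nothing in either hunk says why. If the motivation is that the logo is referenced after init or that the data must live in a non-init section under the hardening configuration, a comment above the first changed `fprintf` in write_header, e.g. `/* logo data is deliberately not __initdata/__initconst: <reason> */`, would stop the next person from restoring the annotations. write_header and write_footer are both complete in this hunk.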
58003 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
58004 fputs("\n};\n\n", out);
58006 /* write logo clut */
58007 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
58008 + fprintf(out, "static unsigned char %s_clut[] = {\n",
58011 for (i = 0; i < logo_clutsize; i++) {
58012 diff -urNp linux-2.6.38.1/security/apparmor/lsm.c linux-2.6.38.1-new/security/apparmor/lsm.c
58013 --- linux-2.6.38.1/security/apparmor/lsm.c 2011-03-14 21:20:32.000000000 -0400
58014 +++ linux-2.6.38.1-new/security/apparmor/lsm.c 2011-03-21 18:31:35.000000000 -0400
58015 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
58019 -static struct security_operations apparmor_ops = {
58020 +static struct security_operations apparmor_ops __read_only = {
58021 .name = "apparmor",
58023 .ptrace_access_check = apparmor_ptrace_access_check,
58024 diff -urNp linux-2.6.38.1/security/commoncap.c linux-2.6.38.1-new/security/commoncap.c
58025 --- linux-2.6.38.1/security/commoncap.c 2011-03-14 21:20:32.000000000 -0400
58026 +++ linux-2.6.38.1-new/security/commoncap.c 2011-03-21 18:31:35.000000000 -0400
58028 #include <linux/prctl.h>
58029 #include <linux/securebits.h>
58030 // #include <linux/vs_context.h>
58031 +#include <net/sock.h>
58034 * If a non-root user executes a setuid-root binary in
58035 @@ -50,9 +51,11 @@ static void warn_setuid_and_fcaps_mixed(
58039 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
58041 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
58043 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
58044 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
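Review bot: `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` is a function prototype placed in a .c file; the other hardening hooks in this patch come from headers (xt_gradm.c includes `<linux/grsecurity.h>`), and checkpatch flags externs in .c files because a local prototype that drifts from the definition is never checked by the compiler. Move the declaration into that header (or `<linux/grsock.h>`, which net/socket.c gains in this patch) and drop the local `extern`. cap_netlink_send is complete in the hunk.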
58048 @@ -534,6 +537,9 @@ int cap_bprm_secureexec(struct linux_bin
58050 const struct cred *cred = current_cred();
58052 + if (gr_acl_enable_at_secure())
58055 if (cred->uid != 0) {
58056 if (bprm->cap_effective)
58058 diff -urNp linux-2.6.38.1/security/integrity/ima/ima_api.c linux-2.6.38.1-new/security/integrity/ima/ima_api.c
58059 --- linux-2.6.38.1/security/integrity/ima/ima_api.c 2011-03-14 21:20:32.000000000 -0400
58060 +++ linux-2.6.38.1-new/security/integrity/ima/ima_api.c 2011-03-21 18:31:35.000000000 -0400
58061 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
58064 /* can overflow, only indicator */
58065 - atomic_long_inc(&ima_htable.violations);
58066 + atomic_long_inc_unchecked(&ima_htable.violations);
58068 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
58070 diff -urNp linux-2.6.38.1/security/integrity/ima/ima_fs.c linux-2.6.38.1-new/security/integrity/ima/ima_fs.c
58071 --- linux-2.6.38.1/security/integrity/ima/ima_fs.c 2011-03-14 21:20:32.000000000 -0400
58072 +++ linux-2.6.38.1-new/security/integrity/ima/ima_fs.c 2011-03-21 18:31:35.000000000 -0400
58073 @@ -28,12 +28,12 @@
58074 static int valid_policy = 1;
58075 #define TMPBUFLEN 12
58076 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
58077 - loff_t *ppos, atomic_long_t *val)
58078 + loff_t *ppos, atomic_long_unchecked_t *val)
58080 char tmpbuf[TMPBUFLEN];
58083 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
58084 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
58085 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
58088 diff -urNp linux-2.6.38.1/security/integrity/ima/ima.h linux-2.6.38.1-new/security/integrity/ima/ima.h
58089 --- linux-2.6.38.1/security/integrity/ima/ima.h 2011-03-14 21:20:32.000000000 -0400
58090 +++ linux-2.6.38.1-new/security/integrity/ima/ima.h 2011-03-21 18:31:35.000000000 -0400
58091 @@ -85,8 +85,8 @@ void ima_add_violation(struct inode *ino
58092 extern spinlock_t ima_queue_lock;
58094 struct ima_h_table {
58095 - atomic_long_t len; /* number of stored measurements in the list */
58096 - atomic_long_t violations;
58097 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
58098 + atomic_long_unchecked_t violations;
58099 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
58101 extern struct ima_h_table ima_htable;
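Review bot: `len` is switched to `atomic_long_unchecked_t` together with `violations`, but only `violations` carries the "can overflow, only indicator" justification (in the ima_api.c hunk); nothing says why the measurement-list length may opt out of the overflow check. As far as this listing shows, `len` is only read back for display via ima_show_htable_value and never drives freeing or indexing, so the opt-out is likely fine, but the field comment should say so: `atomic_long_unchecked_t len; /* stored measurements; display-only, so unchecked */`. The increment in the ima_queue.c hunk would carry the same remark.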
58102 diff -urNp linux-2.6.38.1/security/integrity/ima/ima_queue.c linux-2.6.38.1-new/security/integrity/ima/ima_queue.c
58103 --- linux-2.6.38.1/security/integrity/ima/ima_queue.c 2011-03-14 21:20:32.000000000 -0400
58104 +++ linux-2.6.38.1-new/security/integrity/ima/ima_queue.c 2011-03-21 18:31:35.000000000 -0400
58105 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
58106 INIT_LIST_HEAD(&qe->later);
58107 list_add_tail_rcu(&qe->later, &ima_measurements);
58109 - atomic_long_inc(&ima_htable.len);
58110 + atomic_long_inc_unchecked(&ima_htable.len);
58111 key = ima_hash_key(entry->digest);
58112 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
58114 diff -urNp linux-2.6.38.1/security/Kconfig linux-2.6.38.1-new/security/Kconfig
58115 --- linux-2.6.38.1/security/Kconfig 2011-03-14 21:20:32.000000000 -0400
58116 +++ linux-2.6.38.1-new/security/Kconfig 2011-03-21 18:31:35.000000000 -0400
58119 menu "Security options"
58121 +source grsecurity/Kconfig
58125 + config ARCH_TRACK_EXEC_LIMIT
58128 + config PAX_PER_CPU_PGD
58131 + config TASK_SIZE_MAX_SHIFT
58133 + depends on X86_64
58134 + default 47 if !PAX_PER_CPU_PGD
58135 + default 42 if PAX_PER_CPU_PGD
58137 + config PAX_ENABLE_PAE
58139 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
58142 + bool "Enable various PaX features"
58143 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
58145 + This allows you to enable various PaX features. PaX adds
58146 + intrusion prevention mechanisms to the kernel that reduce
58147 + the risks posed by exploitable memory corruption bugs.
58149 +menu "PaX Control"
58152 +config PAX_SOFTMODE
58153 + bool 'Support soft mode'
58154 + select PAX_PT_PAX_FLAGS
58156 + Enabling this option will allow you to run PaX in soft mode, that
58157 + is, PaX features will not be enforced by default, only on executables
58158 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
58159 + is the only way to mark executables for soft mode use.
58161 + Soft mode can be activated by using the "pax_softmode=1" kernel command
58162 + line option on boot. Furthermore you can control various PaX features
58163 + at runtime via the entries in /proc/sys/kernel/pax.
58166 + bool 'Use legacy ELF header marking'
58168 + Enabling this option will allow you to control PaX features on
58169 + a per executable basis via the 'chpax' utility available at
58170 + http://pax.grsecurity.net/. The control flags will be read from
58171 + an otherwise reserved part of the ELF header. This marking has
58172 + numerous drawbacks (no support for soft-mode, toolchain does not
58173 + know about the non-standard use of the ELF header) therefore it
58174 + has been deprecated in favour of PT_PAX_FLAGS support.
58176 + If you have applications not marked by the PT_PAX_FLAGS ELF
58177 + program header then you MUST enable this option otherwise they
58178 + will not get any protection.
58180 + Note that if you enable PT_PAX_FLAGS marking support as well,
58181 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
58183 +config PAX_PT_PAX_FLAGS
58184 + bool 'Use ELF program header marking'
58186 + Enabling this option will allow you to control PaX features on
58187 + a per executable basis via the 'paxctl' utility available at
58188 + http://pax.grsecurity.net/. The control flags will be read from
58189 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
58190 + has the benefits of supporting both soft mode and being fully
58191 + integrated into the toolchain (the binutils patch is available
58192 + from http://pax.grsecurity.net).
58194 + If you have applications not marked by the PT_PAX_FLAGS ELF
58195 + program header then you MUST enable the EI_PAX marking support
58196 + otherwise they will not get any protection.
58198 + Note that if you enable the legacy EI_PAX marking support as well,
58199 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
58202 + prompt 'MAC system integration'
58203 + default PAX_HAVE_ACL_FLAGS
58205 + Mandatory Access Control systems have the option of controlling
58206 + PaX flags on a per executable basis, choose the method supported
58207 + by your particular system.
58209 + - "none": if your MAC system does not interact with PaX,
58210 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
58211 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
58213 + NOTE: this option is for developers/integrators only.
58215 + config PAX_NO_ACL_FLAGS
58218 + config PAX_HAVE_ACL_FLAGS
58221 + config PAX_HOOK_ACL_FLAGS
58227 +menu "Non-executable pages"
58231 + bool "Enforce non-executable pages"
58232 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
58234 + By design some architectures do not allow for protecting memory
58235 + pages against execution or even if they do, Linux does not make
58236 + use of this feature. In practice this means that if a page is
58237 + readable (such as the stack or heap) it is also executable.
58239 + There is a well known exploit technique that makes use of this
58240 + fact and a common programming mistake where an attacker can
58241 + introduce code of his choice somewhere in the attacked program's
58242 + memory (typically the stack or the heap) and then execute it.
58244 + If the attacked program was running with different (typically
58245 + higher) privileges than that of the attacker, then he can elevate
58246 + his own privilege level (e.g. get a root shell, write to files for
58247 + which he does not have write access to, etc).
58249 + Enabling this option will let you choose from various features
58250 + that prevent the injection and execution of 'foreign' code in
58253 + This will also break programs that rely on the old behaviour and
58254 + expect that dynamically allocated memory via the malloc() family
58255 + of functions is executable (which it is not). Notable examples
58256 + are the XFree86 4.x server, the java runtime and wine.
58258 +config PAX_PAGEEXEC
58259 + bool "Paging based non-executable pages"
58260 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
58261 + select S390_SWITCH_AMODE if S390
58262 + select S390_EXEC_PROTECT if S390
58263 + select ARCH_TRACK_EXEC_LIMIT if X86_32
58265 + This implementation is based on the paging feature of the CPU.
58266 + On i386 without hardware non-executable bit support there is a
58267 + variable but usually low performance impact, however on Intel's
58268 + P4 core based CPUs it is very high so you should not enable this
58269 + for kernels meant to be used on such CPUs.
58271 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
58272 + with hardware non-executable bit support there is no performance
58273 + impact, on ppc the impact is negligible.
58275 + Note that several architectures require various emulations due to
58276 + badly designed userland ABIs, this will cause a performance impact
58277 + but will disappear as soon as userland is fixed. For example, ppc
58278 + userland MUST have been built with secure-plt by a recent toolchain.
58280 +config PAX_SEGMEXEC
58281 + bool "Segmentation based non-executable pages"
58282 + depends on PAX_NOEXEC && X86_32
58284 + This implementation is based on the segmentation feature of the
58285 + CPU and has a very small performance impact, however applications
58286 + will be limited to a 1.5 GB address space instead of the normal
58289 +config PAX_EMUTRAMP
58290 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
58291 + default y if PARISC
58293 + There are some programs and libraries that for one reason or
58294 + another attempt to execute special small code snippets from
58295 + non-executable memory pages. Most notable examples are the
58296 + signal handler return code generated by the kernel itself and
58297 + the GCC trampolines.
58299 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
58300 + such programs will no longer work under your kernel.
58302 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
58303 + utilities to enable trampoline emulation for the affected programs
58304 + yet still have the protection provided by the non-executable pages.
58306 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
58307 + your system will not even boot.
58309 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
58310 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
58311 + for the affected files.
58313 + NOTE: enabling this feature *may* open up a loophole in the
58314 + protection provided by non-executable pages that an attacker
58315 + could abuse. Therefore the best solution is to not have any
58316 + files on your system that would require this option. This can
58317 + be achieved by not using libc5 (which relies on the kernel
58318 + signal handler return code) and not using or rewriting programs
58319 + that make use of the nested function implementation of GCC.
58320 + Skilled users can just fix GCC itself so that it implements
58321 + nested function calls in a way that does not interfere with PaX.
58323 +config PAX_EMUSIGRT
58324 + bool "Automatically emulate sigreturn trampolines"
58325 + depends on PAX_EMUTRAMP && PARISC
58328 + Enabling this option will have the kernel automatically detect
58329 + and emulate signal return trampolines executing on the stack
58330 + that would otherwise lead to task termination.
58332 + This solution is intended as a temporary one for users with
58333 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
58334 + Modula-3 runtime, etc) or executables linked to such, basically
58335 + everything that does not specify its own SA_RESTORER function in
58336 + normal executable memory like glibc 2.1+ does.
58338 + On parisc you MUST enable this option, otherwise your system will
58341 + NOTE: this feature cannot be disabled on a per executable basis
58342 + and since it *does* open up a loophole in the protection provided
58343 + by non-executable pages, the best solution is to not have any
58344 + files on your system that would require this option.
58346 +config PAX_MPROTECT
58347 + bool "Restrict mprotect()"
58348 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
58350 + Enabling this option will prevent programs from
58351 + - changing the executable status of memory pages that were
58352 + not originally created as executable,
58353 + - making read-only executable pages writable again,
58354 + - creating executable pages from anonymous memory,
58355 + - making read-only-after-relocations (RELRO) data pages writable again.
58357 + You should say Y here to complete the protection provided by
58358 + the enforcement of non-executable pages.
58360 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58361 + this feature on a per file basis.
58363 +config PAX_MPROTECT_COMPAT
58364 + bool "Use legacy/compat protection demoting (read help)"
58365 + depends on PAX_MPROTECT
58368 + The current implementation of PAX_MPROTECT denies RWX allocations/mprotects
58369 + by sending the proper error code to the application. For some broken
58370 + userland, this can cause problems with Python or other applications. The
58371 + current implementation however allows for applications like clamav to
58372 + detect if JIT compilation/execution is allowed and to fall back gracefully
58373 + to an interpreter-based mode if it does not. While we encourage everyone
58374 + to use the current implementation as-is and push upstream to fix broken
58375 + userland (note that the RWX logging option can assist with this), in some
58376 + environments this may not be possible. Having to disable MPROTECT
58377 + completely on certain binaries reduces the security benefit of PaX,
58378 + so this option is provided for those environments to revert to the old
58381 +config PAX_ELFRELOCS
58382 + bool "Allow ELF text relocations (read help)"
58383 + depends on PAX_MPROTECT
58386 + Non-executable pages and mprotect() restrictions are effective
58387 + in preventing the introduction of new executable code into an
58388 + attacked task's address space. There remain only two venues
58389 + for this kind of attack: if the attacker can execute already
58390 + existing code in the attacked task then he can either have it
58391 + create and mmap() a file containing his code or have it mmap()
58392 + an already existing ELF library that does not have position
58393 + independent code in it and use mprotect() on it to make it
58394 + writable and copy his code there. While protecting against
58395 + the former approach is beyond PaX, the latter can be prevented
58396 + by having only PIC ELF libraries on one's system (which do not
58397 + need to relocate their code). If you are sure this is your case,
58398 + as is the case with all modern Linux distributions, then leave
58399 + this option disabled. You should say 'n' here.
58401 +config PAX_ETEXECRELOCS
58402 + bool "Allow ELF ET_EXEC text relocations"
58403 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
58404 + select PAX_ELFRELOCS
58407 + On some architectures there are incorrectly created applications
58408 + that require text relocations and would not work without enabling
58409 + this option. If you are an alpha, ia64 or parisc user, you should
58410 + enable this option and disable it once you have made sure that
58411 + none of your applications need it.
58414 + bool "Automatically emulate ELF PLT"
58415 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
58418 + Enabling this option will have the kernel automatically detect
58419 + and emulate the Procedure Linkage Table entries in ELF files.
58420 + On some architectures such entries are in writable memory, and
58421 + become non-executable leading to task termination. Therefore
58422 + it is mandatory that you enable this option on alpha, parisc,
58423 + sparc and sparc64, otherwise your system would not even boot.
58425 + NOTE: this feature *does* open up a loophole in the protection
58426 + provided by the non-executable pages, therefore the proper
58427 + solution is to modify the toolchain to produce a PLT that does
58428 + not need to be writable.
58430 +config PAX_DLRESOLVE
58431 + bool 'Emulate old glibc resolver stub'
58432 + depends on PAX_EMUPLT && SPARC
58435 + This option is needed if userland has an old glibc (before 2.4)
58436 + that puts a 'save' instruction into the runtime generated resolver
58437 + stub that needs special emulation.
58439 +config PAX_KERNEXEC
58440 + bool "Enforce non-executable kernel pages"
58441 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
58442 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
58444 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
58445 + that is, enabling this option will make it harder to inject
58446 + and execute 'foreign' code in kernel memory itself.
58448 +config PAX_KERNEXEC_MODULE_TEXT
58449 + int "Minimum amount of memory reserved for module code"
58451 + depends on PAX_KERNEXEC && X86_32 && MODULES
58453 + Due to implementation details the kernel must reserve a fixed
58454 + amount of memory for module code at compile time that cannot be
58455 + changed at runtime. Here you can specify the minimum amount
58456 + in MB that will be reserved. Due to the same implementation
58457 + details this size will always be rounded up to the next 2/4 MB
58458 + boundary (depends on PAE) so the actually available memory for
58459 + module code will usually be more than this minimum.
58461 + The default 4 MB should be enough for most users but if you have
58462 + an excessive number of modules (e.g., most distribution configs
58463 + compile many drivers as modules) or use huge modules such as
58464 + nvidia's kernel driver, you will need to adjust this amount.
58465 + A good rule of thumb is to look at your currently loaded kernel
58466 + modules and add up their sizes.
58470 +menu "Address Space Layout Randomization"
58474 + bool "Address Space Layout Randomization"
58475 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
58477 + Many if not most exploit techniques rely on the knowledge of
58478 + certain addresses in the attacked program. The following options
58479 + will allow the kernel to apply a certain amount of randomization
58480 + to specific parts of the program thereby forcing an attacker to
58481 + guess them in most cases. Any failed guess will most likely crash
58482 + the attacked program which allows the kernel to detect such attempts
58483 + and react on them. PaX itself provides no reaction mechanisms,
58484 + instead it is strongly encouraged that you make use of Nergal's
58485 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
58486 + (http://www.grsecurity.net/) built-in crash detection features or
58487 + develop one yourself.
58489 + By saying Y here you can choose to randomize the following areas:
58490 + - top of the task's kernel stack
58491 + - top of the task's userland stack
58492 + - base address for mmap() requests that do not specify one
58493 + (this includes all libraries)
58494 + - base address of the main executable
58496 + It is strongly recommended to say Y here as address space layout
58497 + randomization has negligible impact on performance yet it provides
58498 + a very effective protection.
58500 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
58501 + this feature on a per file basis.
58503 +config PAX_RANDKSTACK
58504 + bool "Randomize kernel stack base"
58505 + depends on PAX_ASLR && X86_TSC && X86_32
58507 + By saying Y here the kernel will randomize every task's kernel
58508 + stack on every system call. This will not only force an attacker
58509 + to guess it but also prevent him from making use of possible
58510 + leaked information about it.
58512 + Since the kernel stack is a rather scarce resource, randomization
58513 + may cause unexpected stack overflows, therefore you should very
58514 + carefully test your system. Note that once enabled in the kernel
58515 + configuration, this feature cannot be disabled on a per file basis.
58517 +config PAX_RANDUSTACK
58518 + bool "Randomize user stack base"
58519 + depends on PAX_ASLR
58521 + By saying Y here the kernel will randomize every task's userland
58522 + stack. The randomization is done in two steps where the second
58523 + one may apply a big amount of shift to the top of the stack and
58524 + cause problems for programs that want to use lots of memory (more
58525 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
58526 + For this reason the second step can be controlled by 'chpax' or
58527 + 'paxctl' on a per file basis.
58529 +config PAX_RANDMMAP
58530 + bool "Randomize mmap() base"
58531 + depends on PAX_ASLR
58533 + By saying Y here the kernel will use a randomized base address for
58534 + mmap() requests that do not specify one themselves. As a result
58535 + all dynamically loaded libraries will appear at random addresses
58536 + and therefore be harder to exploit by a technique where an attacker
58537 + attempts to execute library code for his purposes (e.g. spawn a
58538 + shell from an exploited program that is running at an elevated
58539 + privilege level).
58541 + Furthermore, if a program is relinked as a dynamic ELF file, its
58542 + base address will be randomized as well, completing the full
58543 + randomization of the address space layout. Attacking such programs
58544 + becomes a guess game. You can find an example of doing this at
58545 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
58546 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
58548 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
58549 + feature on a per file basis.
58553 +menu "Miscellaneous hardening features"
58555 +config PAX_MEMORY_SANITIZE
58556 + bool "Sanitize all freed memory"
58558 + By saying Y here the kernel will erase memory pages as soon as they
58559 + are freed. This in turn reduces the lifetime of data stored in the
58560 + pages, making it less likely that sensitive information such as
58561 + passwords, cryptographic secrets, etc stay in memory for too long.
58563 + This is especially useful for programs whose runtime is short, long
58564 + lived processes and the kernel itself benefit from this as long as
58565 + they operate on whole memory pages and ensure timely freeing of pages
58566 + that may hold sensitive information.
58568 + The tradeoff is performance impact, on a single CPU system kernel
58569 + compilation sees a 3% slowdown, other systems and workloads may vary
58570 + and you are advised to test this feature on your expected workload
58571 + before deploying it.
58573 + Note that this feature does not protect data stored in live pages,
58574 + e.g., process memory swapped to disk may stay there for a long time.
58576 +config PAX_MEMORY_UDEREF
58577 + bool "Prevent invalid userland pointer dereference"
58578 + depends on X86 && !UML_X86 && !XEN
58579 + select PAX_PER_CPU_PGD if X86_64
58581 + By saying Y here the kernel will be prevented from dereferencing
58582 + userland pointers in contexts where the kernel expects only kernel
58583 + pointers. This is both a useful runtime debugging feature and a
58584 + security measure that prevents exploiting a class of kernel bugs.
58586 + The tradeoff is that some virtualization solutions may experience
58587 + a huge slowdown and therefore you should not enable this feature
58588 + for kernels meant to run in such environments. Whether a given VM
58589 + solution is affected or not is best determined by simply trying it
58590 + out, the performance impact will be obvious right on boot as this
58591 + mechanism engages from very early on. A good rule of thumb is that
58592 + VMs running on CPUs without hardware virtualization support (i.e.,
58593 + the majority of IA-32 CPUs) will likely experience the slowdown.
58595 +config PAX_REFCOUNT
58596 + bool "Prevent various kernel object reference counter overflows"
58597 + depends on GRKERNSEC && (X86 || SPARC64)
58599 + By saying Y here the kernel will detect and prevent overflowing
58600 + various (but not all) kinds of object reference counters. Such
58601 + overflows can normally occur due to bugs only and are often, if
58602 + not always, exploitable.
58604 + The tradeoff is that data structures protected by an overflowed
58605 + refcount will never be freed and therefore will leak memory. Note
58606 + that this leak also happens even without this protection but in
58607 + that case the overflow can eventually trigger the freeing of the
58608 + data structure while it is still being used elsewhere, resulting
58609 + in the exploitable situation that this feature prevents.
58611 + Since this has a negligible performance impact, you should enable
58614 +config PAX_USERCOPY
58615 + bool "Bounds check heap object copies between kernel and userland"
58616 + depends on X86 || PPC || SPARC
58617 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
58619 + By saying Y here the kernel will enforce the size of heap objects
58620 + when they are copied in either direction between the kernel and
58621 + userland, even if only a part of the heap object is copied.
58623 + Specifically, this checking prevents information leaking from the
58624 + kernel heap during kernel to userland copies (if the kernel heap
58625 + object is otherwise fully initialized) and prevents kernel heap
58626 + overflows during userland to kernel copies.
58628 + Note that the current implementation provides the strictest checks
58629 + for the SLUB allocator.
58631 + If frame pointers are enabled on x86, this option will also restrict
58632 + copies into and out of the kernel stack to local variables within a
58635 + Since this has a negligible performance impact, you should enable
58643 bool "Enable access key retention support"
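Review bot: `config PAX_KERNEXEC_MODULE_TEXT` is an `int` whose help text speaks of a 4 MB default and 2/4 MB rounding, but no `range` line is visible in this listing (two lines of the entry are dropped from the extraction, so one may exist); without one, kconfig accepts 0 or an absurdly large value and the mistake presumably surfaces only at link or boot time. Adding a bound next to the default, e.g. `range 4 64` (limits constructed as an example), turns that into a configuration-time error. The remaining entries of the hunk are help text and dependency lines that read consistently with each other.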
58645 @@ -167,7 +688,7 @@ config INTEL_TXT
58646 config LSM_MMAP_MIN_ADDR
58647 int "Low address space for LSM to protect from user allocation"
58648 depends on SECURITY && SECURITY_SELINUX
58652 This is the portion of low virtual memory which should be protected
58653 from userspace allocation. Keeping a user from writing to low pages
58654 diff -urNp linux-2.6.38.1/security/min_addr.c linux-2.6.38.1-new/security/min_addr.c
58655 --- linux-2.6.38.1/security/min_addr.c 2011-03-14 21:20:32.000000000 -0400
58656 +++ linux-2.6.38.1-new/security/min_addr.c 2011-03-21 18:31:35.000000000 -0400
58657 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
58659 static void update_mmap_min_addr(void)
58662 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
58663 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
58664 mmap_min_addr = dac_mmap_min_addr;
58665 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
58667 mmap_min_addr = dac_mmap_min_addr;
58673 diff -urNp linux-2.6.38.1/security/security.c linux-2.6.38.1-new/security/security.c
58674 --- linux-2.6.38.1/security/security.c 2011-03-14 21:20:32.000000000 -0400
58675 +++ linux-2.6.38.1-new/security/security.c 2011-03-21 18:31:35.000000000 -0400
58676 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
58677 /* things that live in capability.c */
58678 extern void __init security_fixup_ops(struct security_operations *ops);
58680 -static struct security_operations *security_ops;
58681 -static struct security_operations default_security_ops = {
58682 +static struct security_operations *security_ops __read_only;
58683 +static struct security_operations default_security_ops __read_only = {
58687 @@ -67,7 +67,9 @@ int __init security_init(void)
58689 void reset_security_ops(void)
58691 + pax_open_kernel();
58692 security_ops = &default_security_ops;
58693 + pax_close_kernel();
58696 /* Save user chosen LSM */
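Review bot: `reset_security_ops` now wraps its store in `pax_open_kernel()`/`pax_close_kernel()` because `security_ops` is `__read_only` (first hunk of this file), but the other writer of that pointer, `register_security()`, lies outside both hunks and the listing does not show it receiving the same treatment. If it runs only at `__init` time, before the section is sealed, that should be stated next to the `__read_only` declaration, e.g. `/* written by register_security() at __init and by reset_security_ops() under pax_open_kernel() */`; otherwise the store will fault once protection is active. The same consideration applies to `security_fixup_ops()` writing into `default_security_ops`, which is also `__read_only` now.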
58697 diff -urNp linux-2.6.38.1/security/selinux/hooks.c linux-2.6.38.1-new/security/selinux/hooks.c
58698 --- linux-2.6.38.1/security/selinux/hooks.c 2011-03-14 21:20:32.000000000 -0400
58699 +++ linux-2.6.38.1-new/security/selinux/hooks.c 2011-03-21 18:31:35.000000000 -0400
58701 #define NUM_SEL_MNT_OPTS 5
58703 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
58704 -extern struct security_operations *security_ops;
58706 /* SECMARK reference count */
58707 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
58708 @@ -5395,7 +5394,7 @@ static int selinux_key_getsecurity(struc
58712 -static struct security_operations selinux_ops = {
58713 +static struct security_operations selinux_ops __read_only = {
58716 .ptrace_access_check = selinux_ptrace_access_check,
58717 diff -urNp linux-2.6.38.1/security/smack/smack_lsm.c linux-2.6.38.1-new/security/smack/smack_lsm.c
58718 --- linux-2.6.38.1/security/smack/smack_lsm.c 2011-03-14 21:20:32.000000000 -0400
58719 +++ linux-2.6.38.1-new/security/smack/smack_lsm.c 2011-03-21 18:31:35.000000000 -0400
58720 @@ -3179,7 +3179,7 @@ static int smack_inode_getsecctx(struct
58724 -struct security_operations smack_ops = {
58725 +struct security_operations smack_ops __read_only = {
58728 .ptrace_access_check = smack_ptrace_access_check,
58729 diff -urNp linux-2.6.38.1/security/tomoyo/tomoyo.c linux-2.6.38.1-new/security/tomoyo/tomoyo.c
58730 --- linux-2.6.38.1/security/tomoyo/tomoyo.c 2011-03-14 21:20:32.000000000 -0400
58731 +++ linux-2.6.38.1-new/security/tomoyo/tomoyo.c 2011-03-21 18:31:35.000000000 -0400
58732 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
58733 * tomoyo_security_ops is a "struct security_operations" which is used for
58734 * registering TOMOYO.
58736 -static struct security_operations tomoyo_security_ops = {
58737 +static struct security_operations tomoyo_security_ops __read_only = {
58739 .cred_alloc_blank = tomoyo_cred_alloc_blank,
58740 .cred_prepare = tomoyo_cred_prepare,
58741 diff -urNp linux-2.6.38.1/sound/aoa/codecs/onyx.c linux-2.6.38.1-new/sound/aoa/codecs/onyx.c
58742 --- linux-2.6.38.1/sound/aoa/codecs/onyx.c 2011-03-14 21:20:32.000000000 -0400
58743 +++ linux-2.6.38.1-new/sound/aoa/codecs/onyx.c 2011-03-21 18:31:35.000000000 -0400
58744 @@ -54,7 +54,7 @@ struct onyx {
58749 + local_t open_count;
58750 struct codec_info *codec_info;
58752 /* mutex serializes concurrent access to the device
58753 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
58754 struct onyx *onyx = cii->codec_data;
58756 mutex_lock(&onyx->mutex);
58757 - onyx->open_count++;
58758 + local_inc(&onyx->open_count);
58759 mutex_unlock(&onyx->mutex);
58762 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
58763 struct onyx *onyx = cii->codec_data;
58765 mutex_lock(&onyx->mutex);
58766 - onyx->open_count--;
58767 - if (!onyx->open_count)
58768 + if (local_dec_and_test(&onyx->open_count))
58769 onyx->spdif_locked = onyx->analog_locked = 0;
58770 mutex_unlock(&onyx->mutex);
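Review bot: `open_count` becomes a `local_t` although it is a device-wide counter already serialized by `onyx->mutex`, and the kernel's local_ops documentation defines `local_t` for per-CPU data — the type change reads as a category error unless the goal is the overflow checking local ops receive under PAX_REFCOUNT, which nothing in the hunks says. A comment on the field, `local_t open_count; /* local_t for overflow checking; serialized by mutex, not per-CPU */`, would stop the next reader from reverting it to int or promoting it to atomic_t. The same conversion is applied to `struct mts64` in the sound/drivers/mts64.c hunks. The field's initialization (local_set or zeroed allocation) is outside this hunk.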
58772 diff -urNp linux-2.6.38.1/sound/aoa/codecs/onyx.h linux-2.6.38.1-new/sound/aoa/codecs/onyx.h
58773 --- linux-2.6.38.1/sound/aoa/codecs/onyx.h 2011-03-14 21:20:32.000000000 -0400
58774 +++ linux-2.6.38.1-new/sound/aoa/codecs/onyx.h 2011-03-21 18:31:35.000000000 -0400
58776 #include <linux/i2c.h>
58777 #include <asm/pmac_low_i2c.h>
58778 #include <asm/prom.h>
58779 +#include <asm/local.h>
58781 /* PCM3052 register definitions */
58783 diff -urNp linux-2.6.38.1/sound/core/oss/pcm_oss.c linux-2.6.38.1-new/sound/core/oss/pcm_oss.c
58784 --- linux-2.6.38.1/sound/core/oss/pcm_oss.c 2011-03-14 21:20:32.000000000 -0400
58785 +++ linux-2.6.38.1-new/sound/core/oss/pcm_oss.c 2011-03-21 18:31:35.000000000 -0400
58786 @@ -2971,8 +2971,8 @@ static void snd_pcm_oss_proc_done(struct
58789 #else /* !CONFIG_SND_VERBOSE_PROCFS */
58790 -#define snd_pcm_oss_proc_init(pcm)
58791 -#define snd_pcm_oss_proc_done(pcm)
58792 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
58793 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
58794 #endif /* CONFIG_SND_VERBOSE_PROCFS */
58797 diff -urNp linux-2.6.38.1/sound/core/seq/seq_lock.h linux-2.6.38.1-new/sound/core/seq/seq_lock.h
58798 --- linux-2.6.38.1/sound/core/seq/seq_lock.h 2011-03-14 21:20:32.000000000 -0400
58799 +++ linux-2.6.38.1-new/sound/core/seq/seq_lock.h 2011-03-21 18:31:35.000000000 -0400
58800 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
58801 #else /* SMP || CONFIG_SND_DEBUG */
58803 typedef spinlock_t snd_use_lock_t; /* dummy */
58804 -#define snd_use_lock_init(lockp) /**/
58805 -#define snd_use_lock_use(lockp) /**/
58806 -#define snd_use_lock_free(lockp) /**/
58807 -#define snd_use_lock_sync(lockp) /**/
58808 +#define snd_use_lock_init(lockp) do {} while (0)
58809 +#define snd_use_lock_use(lockp) do {} while (0)
58810 +#define snd_use_lock_free(lockp) do {} while (0)
58811 +#define snd_use_lock_sync(lockp) do {} while (0)
58813 #endif /* SMP || CONFIG_SND_DEBUG */
58815 diff -urNp linux-2.6.38.1/sound/drivers/mts64.c linux-2.6.38.1-new/sound/drivers/mts64.c
58816 --- linux-2.6.38.1/sound/drivers/mts64.c 2011-03-14 21:20:32.000000000 -0400
58817 +++ linux-2.6.38.1-new/sound/drivers/mts64.c 2011-03-21 18:31:35.000000000 -0400
58819 #include <sound/initval.h>
58820 #include <sound/rawmidi.h>
58821 #include <sound/control.h>
58822 +#include <asm/local.h>
58824 #define CARD_NAME "Miditerminal 4140"
58825 #define DRIVER_NAME "MTS64"
58826 @@ -66,7 +67,7 @@ struct mts64 {
58827 struct pardevice *pardev;
58828 int pardev_claimed;
58831 + local_t open_count;
58832 int current_midi_output_port;
58833 int current_midi_input_port;
58834 u8 mode[MTS64_NUM_INPUT_PORTS];
58835 @@ -696,7 +697,7 @@ static int snd_mts64_rawmidi_open(struct
58837 struct mts64 *mts = substream->rmidi->private_data;
58839 - if (mts->open_count == 0) {
58840 + if (local_read(&mts->open_count) == 0) {
58841 /* We don't need a spinlock here, because this is just called
58842 if the device has not been opened before.
58843 So there aren't any IRQs from the device */
58844 @@ -704,7 +705,7 @@ static int snd_mts64_rawmidi_open(struct
58848 - ++(mts->open_count);
58849 + local_inc(&mts->open_count);
58853 @@ -714,8 +715,7 @@ static int snd_mts64_rawmidi_close(struc
58854 struct mts64 *mts = substream->rmidi->private_data;
58855 unsigned long flags;
58857 - --(mts->open_count);
58858 - if (mts->open_count == 0) {
58859 + if (local_dec_return(&mts->open_count) == 0) {
58860 /* We need the spinlock_irqsave here because we can still
58861 have IRQs at this point */
58862 spin_lock_irqsave(&mts->lock, flags);
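Review bot: The value returned by `local_dec_return(&mts->open_count)` is only compared against zero and then dropped, and the @@ -724 hunk re-reads the counter with `local_read()` to detect the below-zero case, so the two branches of one close are decided on two separate reads. Capturing it once — `long cnt = local_dec_return(&mts->open_count); if (cnt == 0) {` here and `} else if (cnt < 0)` in the second hunk — ties both decisions to the same decrement and reads as a single state transition. The silent `local_set(&mts->open_count, 0)` on underflow is inherited from the original; since a negative open count means an unbalanced close, wrapping that branch in `WARN_ON_ONCE()` would surface the bug instead of hiding it. snd_mts64_rawmidi_close's body continues between and after these two hunks.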
58863 @@ -724,8 +724,8 @@ static int snd_mts64_rawmidi_close(struc
58867 - } else if (mts->open_count < 0)
58868 - mts->open_count = 0;
58869 + } else if (local_read(&mts->open_count) < 0)
58870 + local_set(&mts->open_count, 0);
58874 diff -urNp linux-2.6.38.1/sound/drivers/portman2x4.c linux-2.6.38.1-new/sound/drivers/portman2x4.c
58875 --- linux-2.6.38.1/sound/drivers/portman2x4.c 2011-03-14 21:20:32.000000000 -0400
58876 +++ linux-2.6.38.1-new/sound/drivers/portman2x4.c 2011-03-21 18:31:35.000000000 -0400
58878 #include <sound/initval.h>
58879 #include <sound/rawmidi.h>
58880 #include <sound/control.h>
58881 +#include <asm/local.h>
58883 #define CARD_NAME "Portman 2x4"
58884 #define DRIVER_NAME "portman"
58885 @@ -84,7 +85,7 @@ struct portman {
58886 struct pardevice *pardev;
58887 int pardev_claimed;
58890 + local_t open_count;
58891 int mode[PORTMAN_NUM_INPUT_PORTS];
58892 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
58894 diff -urNp linux-2.6.38.1/sound/oss/sb_audio.c linux-2.6.38.1-new/sound/oss/sb_audio.c
58895 --- linux-2.6.38.1/sound/oss/sb_audio.c 2011-03-14 21:20:32.000000000 -0400
58896 +++ linux-2.6.38.1-new/sound/oss/sb_audio.c 2011-03-21 18:31:35.000000000 -0400
58897 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
58898 buf16 = (signed short *)(localbuf + localoffs);
58901 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58902 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58903 if (copy_from_user(lbuf8,
58904 userbuf+useroffs + p,
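Review bot: The `(unsigned)c` cast changes the outcome for a negative c: before, a negative value appears to have flowed into locallen and on to copy_from_user() as a negative length; now it clamps to LBUFCOPYSIZE, which still performs a full-size copy for a caller that asked for a negative count. The intent is not readable from the line itself, so a comment such as `/* (unsigned): a negative c must never become a negative copy length; treat it as "too large" */` would help, and if c can be negative at this point the caller should be rejecting it before the loop rather than relying on the clamp. sb16_copy_from_user's body starts before and continues after the hunk, so whether c is validated earlier cannot be seen here.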
58906 diff -urNp linux-2.6.38.1/sound/oss/swarm_cs4297a.c linux-2.6.38.1-new/sound/oss/swarm_cs4297a.c
58907 --- linux-2.6.38.1/sound/oss/swarm_cs4297a.c 2011-03-14 21:20:32.000000000 -0400
58908 +++ linux-2.6.38.1-new/sound/oss/swarm_cs4297a.c 2011-03-21 18:31:35.000000000 -0400
58909 @@ -2606,7 +2606,6 @@ static int __init cs4297a_init(void)
58911 struct cs4297a_state *s;
58915 #ifndef CONFIG_BCM_CS4297A_CSWARM
58917 @@ -2696,22 +2695,23 @@ static int __init cs4297a_init(void)
58919 char *sb1250_duart_present;
58926 val = SOUND_MASK_LINE;
58927 mixer_ioctl(s, SOUND_MIXER_WRITE_RECSRC, (unsigned long) &val);
58928 for (i = 0; i < ARRAY_SIZE(initvol); i++) {
58929 val = initvol[i].vol;
58930 mixer_ioctl(s, initvol[i].mixch, (unsigned long) &val);
58933 // cs4297a_write_ac97(s, 0x18, 0x0808);
58935 // cs4297a_write_ac97(s, 0x5e, 0x180);
58936 cs4297a_write_ac97(s, 0x02, 0x0808);
58937 cs4297a_write_ac97(s, 0x18, 0x0808);
58941 list_add(&s->list, &cs4297a_devs);
58943 diff -urNp linux-2.6.38.1/sound/pci/ac97/ac97_patch.c linux-2.6.38.1-new/sound/pci/ac97/ac97_patch.c
58944 --- linux-2.6.38.1/sound/pci/ac97/ac97_patch.c 2011-03-14 21:20:32.000000000 -0400
58945 +++ linux-2.6.38.1-new/sound/pci/ac97/ac97_patch.c 2011-03-21 18:31:35.000000000 -0400
58946 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
58947 { AC97_VIDEO, 0x9f1f },
58948 { AC97_AUX, 0x9f1f },
58949 { AC97_PCM, 0x9f1f },
58950 - { } /* terminator */
58951 + { 0, 0 } /* terminator */
58954 static int patch_ad1819(struct snd_ac97 * ac97)
58955 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
58956 { AC97_AUX, 0x1f1f },
58957 { AC97_PCM, 0x1f1f },
58958 { AC97_REC_GAIN, 0x0f0f },
58959 - { } /* terminator */
58960 + { 0, 0 } /* terminator */
58963 static int patch_lm4550(struct snd_ac97 *ac97)
58964 diff -urNp linux-2.6.38.1/sound/pci/ens1370.c linux-2.6.38.1-new/sound/pci/ens1370.c
58965 --- linux-2.6.38.1/sound/pci/ens1370.c 2011-03-14 21:20:32.000000000 -0400
58966 +++ linux-2.6.38.1-new/sound/pci/ens1370.c 2011-03-21 18:31:35.000000000 -0400
58967 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
58968 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
58969 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
58972 + { 0, 0, 0, 0, 0, 0, 0 }
58975 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
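Review bot: The terminator `{ 0, 0, 0, 0, 0, 0, 0 }` spells out one zero per member of struct pci_device_id, so it has to be revisited whenever that struct gains or loses a field, whereas `{ 0 }` (like the original `{ }`) zero-initialises the whole entry regardless of layout. If the fully positional form is required by a tool or plugin used in this tree, a short comment saying so would stop it being "simplified" back to `{ }` by the next reader. The same pattern appears in the snd_intel8x0_ids and snd_intel8x0m_ids tables below, and in the ac97_quirks terminator `{ 0, 0, 0, 0, NULL, 0 }` in intel8x0.c.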
58976 diff -urNp linux-2.6.38.1/sound/pci/hda/patch_hdmi.c linux-2.6.38.1-new/sound/pci/hda/patch_hdmi.c
58977 --- linux-2.6.38.1/sound/pci/hda/patch_hdmi.c 2011-03-14 21:20:32.000000000 -0400
58978 +++ linux-2.6.38.1-new/sound/pci/hda/patch_hdmi.c 2011-03-21 18:31:35.000000000 -0400
58979 @@ -733,10 +733,10 @@ static void hdmi_non_intrinsic_event(str
58994 diff -urNp linux-2.6.38.1/sound/pci/intel8x0.c linux-2.6.38.1-new/sound/pci/intel8x0.c
58995 --- linux-2.6.38.1/sound/pci/intel8x0.c 2011-03-14 21:20:32.000000000 -0400
58996 +++ linux-2.6.38.1-new/sound/pci/intel8x0.c 2011-03-21 18:31:35.000000000 -0400
58997 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
58998 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
58999 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
59000 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59002 + { 0, 0, 0, 0, 0, 0, 0 }
59005 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
59006 @@ -2141,7 +2141,7 @@ static struct ac97_quirk ac97_quirks[] _
59007 .type = AC97_TUNE_HP_ONLY
59010 - { } /* terminator */
59011 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
59014 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
59015 diff -urNp linux-2.6.38.1/sound/pci/intel8x0m.c linux-2.6.38.1-new/sound/pci/intel8x0m.c
59016 --- linux-2.6.38.1/sound/pci/intel8x0m.c 2011-03-14 21:20:32.000000000 -0400
59017 +++ linux-2.6.38.1-new/sound/pci/intel8x0m.c 2011-03-21 18:31:35.000000000 -0400
59018 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
59019 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
59020 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
59023 + { 0, 0, 0, 0, 0, 0, 0 }
59026 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
59027 @@ -1264,7 +1264,7 @@ static struct shortname_table {
59028 { 0x5455, "ALi M5455" },
59029 { 0x746d, "AMD AMD8111" },
59035 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
59036 diff -urNp linux-2.6.38.1/usr/gen_init_cpio.c linux-2.6.38.1-new/usr/gen_init_cpio.c
59037 --- linux-2.6.38.1/usr/gen_init_cpio.c 2011-03-14 21:20:32.000000000 -0400
59038 +++ linux-2.6.38.1-new/usr/gen_init_cpio.c 2011-03-21 18:31:35.000000000 -0400
59039 @@ -305,7 +305,7 @@ static int cpio_mkfile(const char *name,
59048 @@ -394,9 +394,10 @@ static char *cpio_replace_env(char *new_
59049 *env_var = *expanded = '\0';
59050 strncat(env_var, start + 2, end - start - 2);
59051 strncat(expanded, new_location, start - new_location);
59052 - strncat(expanded, getenv(env_var), PATH_MAX);
59053 - strncat(expanded, end + 1, PATH_MAX);
59054 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
59055 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
59056 strncpy(new_location, expanded, PATH_MAX);
59057 + new_location[PATH_MAX] = 0;
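Review bot: `getenv(env_var)` returns NULL when the variable is unset, and strncat() with a NULL source is undefined behaviour; the rebounded call keeps that hole, so the lookup should be checked first, e.g. `const char *val = getenv(env_var); if (!val) val = "";` (or fail the entry, whichever the tool's error policy prefers). The new bound `PATH_MAX - strlen(expanded)` is only safe if expanded holds PATH_MAX + 1 bytes, because strncat() writes up to n characters and then a terminator; `new_location[PATH_MAX] = 0` likewise assumes new_location is PATH_MAX + 1 long. Both declarations are outside the hunk, so this is worth confirming rather than assuming; cpio_replace_env's body starts before the hunk.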
59061 diff -urNp linux-2.6.38.1/virt/kvm/kvm_main.c linux-2.6.38.1-new/virt/kvm/kvm_main.c
59062 --- linux-2.6.38.1/virt/kvm/kvm_main.c 2011-03-14 21:20:32.000000000 -0400
59063 +++ linux-2.6.38.1-new/virt/kvm/kvm_main.c 2011-03-21 18:31:35.000000000 -0400
59064 @@ -1521,7 +1521,7 @@ static int kvm_vcpu_release(struct inode
59068 -static struct file_operations kvm_vcpu_fops = {
59069 +static struct file_operations kvm_vcpu_fops = { /* cannot be const */
59070 .release = kvm_vcpu_release,
59071 .unlocked_ioctl = kvm_vcpu_ioctl,
59072 .compat_ioctl = kvm_vcpu_ioctl,
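Review bot: `/* cannot be const */` records the decision but not the reason, so the next reader doing a constification sweep will have to rediscover why these three file_operations are exempt. Naming the cause — presumably a member that is assigned at runtime after the definition, somewhere outside these hunks — would make the comment self-explaining, e.g. `/* cannot be const: .owner is assigned at runtime */` if that is indeed the field. The same comment is added on kvm_vm_fops and kvm_chardev_ops in the two hunks below.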
59073 @@ -1990,7 +1990,7 @@ static int kvm_vm_mmap(struct file *file
59077 -static struct file_operations kvm_vm_fops = {
59078 +static struct file_operations kvm_vm_fops = { /* cannot be const */
59079 .release = kvm_vm_release,
59080 .unlocked_ioctl = kvm_vm_ioctl,
59081 #ifdef CONFIG_COMPAT
59082 @@ -2088,7 +2088,7 @@ out:
59086 -static struct file_operations kvm_chardev_ops = {
59087 +static struct file_operations kvm_chardev_ops = { /* cannot be const */
59088 .unlocked_ioctl = kvm_dev_ioctl,
59089 .compat_ioctl = kvm_dev_ioctl,
59090 .llseek = noop_llseek,
59091 @@ -2098,6 +2098,9 @@ static struct miscdevice kvm_dev = {
59100 static void hardware_enable_nolock(void *junk)
59101 @@ -2443,7 +2446,7 @@ static void kvm_sched_out(struct preempt
59102 kvm_arch_vcpu_put(vcpu);
59105 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59106 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
59107 struct module *module)