1 diff -urNp linux-2.6.36.1/arch/alpha/include/asm/dma-mapping.h linux-2.6.36.1/arch/alpha/include/asm/dma-mapping.h
2 --- linux-2.6.36.1/arch/alpha/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
3 +++ linux-2.6.36.1/arch/alpha/include/asm/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
6 #include <linux/dma-attrs.h>
8 -extern struct dma_map_ops *dma_ops;
9 +extern const struct dma_map_ops *dma_ops;
11 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
12 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
16 diff -urNp linux-2.6.36.1/arch/alpha/include/asm/elf.h linux-2.6.36.1/arch/alpha/include/asm/elf.h
17 --- linux-2.6.36.1/arch/alpha/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
18 +++ linux-2.6.36.1/arch/alpha/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
19 @@ -90,6 +90,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
21 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x1000000)
23 +#ifdef CONFIG_PAX_ASLR
24 +#define PAX_ELF_ET_DYN_BASE (current->personality & ADDR_LIMIT_32BIT ? 0x10000 : 0x120000000UL)
26 +#define PAX_DELTA_MMAP_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 28)
27 +#define PAX_DELTA_STACK_LEN (current->personality & ADDR_LIMIT_32BIT ? 14 : 19)
30 /* $0 is set by ld.so to a pointer to a function which might be
31 registered using atexit. This provides a mean for the dynamic
32 linker to call DT_FINI functions for shared libraries that have
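Review bot: The three PAX_* constants added under CONFIG_PAX_ASLR carry no comment saying what the values are or why the 32-bit address-limit personality gets the smaller ones, so a reader of elf.h has to go find the consumer. Presumably PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN are counts of random bits applied to the mmap base and stack top, and PAX_ELF_ET_DYN_BASE the load base for ET_DYN executables — confirm against the consumer and put a one-line comment above the block, e.g. `/* PaX ASLR: ET_DYN load base and the number of random bits applied to the mmap base and the stack; ADDR_LIMIT_32BIT tasks get a narrower range */`. The `#endif` closing this block is not visible in this chunk.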
33 diff -urNp linux-2.6.36.1/arch/alpha/include/asm/pgtable.h linux-2.6.36.1/arch/alpha/include/asm/pgtable.h
34 --- linux-2.6.36.1/arch/alpha/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
35 +++ linux-2.6.36.1/arch/alpha/include/asm/pgtable.h 2010-11-06 18:58:15.000000000 -0400
36 @@ -101,6 +101,17 @@ struct vm_area_struct;
37 #define PAGE_SHARED __pgprot(_PAGE_VALID | __ACCESS_BITS)
38 #define PAGE_COPY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
39 #define PAGE_READONLY __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW)
41 +#ifdef CONFIG_PAX_PAGEEXEC
42 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOE)
43 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
44 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_VALID | __ACCESS_BITS | _PAGE_FOW | _PAGE_FOE)
46 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
47 +# define PAGE_COPY_NOEXEC PAGE_COPY
48 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
51 #define PAGE_KERNEL __pgprot(_PAGE_VALID | _PAGE_ASM | _PAGE_KRE | _PAGE_KWE)
53 #define _PAGE_NORMAL(x) __pgprot(_PAGE_VALID | __ACCESS_BITS | (x))
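Review bot: The new PAGE_*_NOEXEC protections are uncommented; from the names and from how `_PAGE_FOW` is already used on PAGE_COPY/PAGE_READONLY, `_PAGE_FOE` looks like the fault-on-execute PTE bit, so these variants make an instruction fetch trap — confirm and say so, e.g. `/* _PAGE_FOE: fault on instruction fetch; without PAGEEXEC the NOEXEC variants alias the executable ones */` above line 41. The `#else` and `#endif` of the block are not in this chunk, so the fallback mapping on lines 46-48 is inferred from context.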
54 diff -urNp linux-2.6.36.1/arch/alpha/kernel/module.c linux-2.6.36.1/arch/alpha/kernel/module.c
55 --- linux-2.6.36.1/arch/alpha/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
56 +++ linux-2.6.36.1/arch/alpha/kernel/module.c 2010-11-06 18:58:15.000000000 -0400
57 @@ -182,7 +182,7 @@ apply_relocate_add(Elf64_Shdr *sechdrs,
59 /* The small sections were sorted to the end of the segment.
60 The following should definitely cover them. */
61 - gp = (u64)me->module_core + me->core_size - 0x8000;
62 + gp = (u64)me->module_core_rw + me->core_size_rw - 0x8000;
63 got = sechdrs[me->arch.gotsecindex].sh_addr;
65 for (i = 0; i < n; i++) {
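Review bot: The gp computation now anchors on `me->module_core_rw` and `me->core_size_rw`, fields this chunk does not define, while the comment above still says the small sections were sorted to the end of "the segment"; once the core is split into RW and RX parts that only holds if the layout code places every small section (.sdata/.sbss and the GOT read on the next line) in the RW part, otherwise a gp-relative relocation could presumably fall outside the 0x8000 window this line assumes. Confirm against the split layout and update the comment, e.g. `/* small sections and the GOT live in the RW core; gp must stay within 32K of them */`. apply_relocate_add continues beyond this hunk.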
66 diff -urNp linux-2.6.36.1/arch/alpha/kernel/osf_sys.c linux-2.6.36.1/arch/alpha/kernel/osf_sys.c
67 --- linux-2.6.36.1/arch/alpha/kernel/osf_sys.c 2010-10-20 16:30:22.000000000 -0400
68 +++ linux-2.6.36.1/arch/alpha/kernel/osf_sys.c 2010-11-06 18:58:15.000000000 -0400
69 @@ -1165,7 +1165,7 @@ arch_get_unmapped_area_1(unsigned long a
70 /* At this point: (!vma || addr < vma->vm_end). */
71 if (limit - len < addr)
73 - if (!vma || addr + len <= vma->vm_start)
74 + if (check_heap_stack_gap(vma, addr, len))
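Review bot: `check_heap_stack_gap(vma, addr, len)` replaces a test that explicitly handled `vma == NULL` (`!vma || addr + len <= vma->vm_start`), but the helper is not defined in this chunk, so its NULL handling and the size of the gap it enforces cannot be checked here — confirm it accepts a NULL vma, since the comment on line 70 says this point is reached with `!vma` possible. The same substitution appears in the arm and frv hunks of this patch, so a single definition has to satisfy all of those callers. arch_get_unmapped_area_1's body continues outside the hunk.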
78 @@ -1201,6 +1201,10 @@ arch_get_unmapped_area(struct file *filp
79 merely specific addresses, but regions of memory -- perhaps
80 this feature should be incorporated into all ports? */
82 +#ifdef CONFIG_PAX_RANDMMAP
83 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
87 addr = arch_get_unmapped_area_1 (PAGE_ALIGN(addr), len, limit);
88 if (addr != (unsigned long) -ENOMEM)
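Review bot: The `if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))` added on line 83 is a brace-less `if` header inside `#ifdef` whose body is the following statement (the `if (addr)` that precedes line 87, omitted from this chunk); an `if` that silently controls another `if` is fragile — an `else` added later binds to the wrong one, and the intent disappears when the `#ifdef` is not taken. At minimum say what is going on, e.g. `/* RANDMMAP: ignore the caller's address hint; the if (addr) below is the body of this if */` on line 82, or fold the flag test into the existing condition so there is one `if`.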
89 @@ -1208,8 +1212,8 @@ arch_get_unmapped_area(struct file *filp
92 /* Next, try allocating at TASK_UNMAPPED_BASE. */
93 - addr = arch_get_unmapped_area_1 (PAGE_ALIGN(TASK_UNMAPPED_BASE),
95 + addr = arch_get_unmapped_area_1 (PAGE_ALIGN(current->mm->mmap_base), len, limit);
97 if (addr != (unsigned long) -ENOMEM)
100 diff -urNp linux-2.6.36.1/arch/alpha/kernel/pci_iommu.c linux-2.6.36.1/arch/alpha/kernel/pci_iommu.c
101 --- linux-2.6.36.1/arch/alpha/kernel/pci_iommu.c 2010-10-20 16:30:22.000000000 -0400
102 +++ linux-2.6.36.1/arch/alpha/kernel/pci_iommu.c 2010-11-06 18:58:15.000000000 -0400
103 @@ -950,7 +950,7 @@ static int alpha_pci_set_mask(struct dev
107 -struct dma_map_ops alpha_pci_ops = {
108 +const struct dma_map_ops alpha_pci_ops = {
109 .alloc_coherent = alpha_pci_alloc_coherent,
110 .free_coherent = alpha_pci_free_coherent,
111 .map_page = alpha_pci_map_page,
112 @@ -962,5 +962,5 @@ struct dma_map_ops alpha_pci_ops = {
113 .set_dma_mask = alpha_pci_set_mask,
116 -struct dma_map_ops *dma_ops = &alpha_pci_ops;
117 +const struct dma_map_ops *dma_ops = &alpha_pci_ops;
118 EXPORT_SYMBOL(dma_ops);
119 diff -urNp linux-2.6.36.1/arch/alpha/kernel/pci-noop.c linux-2.6.36.1/arch/alpha/kernel/pci-noop.c
120 --- linux-2.6.36.1/arch/alpha/kernel/pci-noop.c 2010-10-20 16:30:22.000000000 -0400
121 +++ linux-2.6.36.1/arch/alpha/kernel/pci-noop.c 2010-11-06 18:58:15.000000000 -0400
122 @@ -173,7 +173,7 @@ static int alpha_noop_set_mask(struct de
126 -struct dma_map_ops alpha_noop_ops = {
127 +const struct dma_map_ops alpha_noop_ops = {
128 .alloc_coherent = alpha_noop_alloc_coherent,
129 .free_coherent = alpha_noop_free_coherent,
130 .map_page = alpha_noop_map_page,
131 @@ -183,7 +183,7 @@ struct dma_map_ops alpha_noop_ops = {
132 .set_dma_mask = alpha_noop_set_mask,
135 -struct dma_map_ops *dma_ops = &alpha_noop_ops;
136 +const struct dma_map_ops *dma_ops = &alpha_noop_ops;
137 EXPORT_SYMBOL(dma_ops);
139 void __iomem *pci_iomap(struct pci_dev *dev, int bar, unsigned long maxlen)
140 diff -urNp linux-2.6.36.1/arch/alpha/mm/fault.c linux-2.6.36.1/arch/alpha/mm/fault.c
141 --- linux-2.6.36.1/arch/alpha/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
142 +++ linux-2.6.36.1/arch/alpha/mm/fault.c 2010-11-06 18:58:15.000000000 -0400
143 @@ -54,6 +54,124 @@ __load_new_mm_context(struct mm_struct *
144 __reload_thread(pcb);
147 +#ifdef CONFIG_PAX_PAGEEXEC
149 + * PaX: decide what to do with offenders (regs->pc = fault address)
151 + * returns 1 when task should be killed
152 + * 2 when patched PLT trampoline was detected
153 + * 3 when unpatched PLT trampoline was detected
155 +static int pax_handle_fetch_fault(struct pt_regs *regs)
158 +#ifdef CONFIG_PAX_EMUPLT
161 + do { /* PaX: patched PLT emulation #1 */
162 + unsigned int ldah, ldq, jmp;
164 + err = get_user(ldah, (unsigned int *)regs->pc);
165 + err |= get_user(ldq, (unsigned int *)(regs->pc+4));
166 + err |= get_user(jmp, (unsigned int *)(regs->pc+8));
171 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
172 + (ldq & 0xFFFF0000U) == 0xA77B0000U &&
173 + jmp == 0x6BFB0000U)
175 + unsigned long r27, addr;
176 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
177 + unsigned long addrl = ldq | 0xFFFFFFFFFFFF0000UL;
179 + addr = regs->r27 + ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
180 + err = get_user(r27, (unsigned long *)addr);
190 + do { /* PaX: patched PLT emulation #2 */
191 + unsigned int ldah, lda, br;
193 + err = get_user(ldah, (unsigned int *)regs->pc);
194 + err |= get_user(lda, (unsigned int *)(regs->pc+4));
195 + err |= get_user(br, (unsigned int *)(regs->pc+8));
200 + if ((ldah & 0xFFFF0000U) == 0x277B0000U &&
201 + (lda & 0xFFFF0000U) == 0xA77B0000U &&
202 + (br & 0xFFE00000U) == 0xC3E00000U)
204 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL;
205 + unsigned long addrh = (ldah | 0xFFFFFFFFFFFF0000UL) << 16;
206 + unsigned long addrl = lda | 0xFFFFFFFFFFFF0000UL;
208 + regs->r27 += ((addrh ^ 0x80000000UL) + 0x80000000UL) + ((addrl ^ 0x8000UL) + 0x8000UL);
209 + regs->pc += 12 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
214 + do { /* PaX: unpatched PLT emulation */
217 + err = get_user(br, (unsigned int *)regs->pc);
219 + if (!err && (br & 0xFFE00000U) == 0xC3800000U) {
220 + unsigned int br2, ldq, nop, jmp;
221 + unsigned long addr = br | 0xFFFFFFFFFFE00000UL, resolver;
223 + addr = regs->pc + 4 + (((addr ^ 0x00100000UL) + 0x00100000UL) << 2);
224 + err = get_user(br2, (unsigned int *)addr);
225 + err |= get_user(ldq, (unsigned int *)(addr+4));
226 + err |= get_user(nop, (unsigned int *)(addr+8));
227 + err |= get_user(jmp, (unsigned int *)(addr+12));
228 + err |= get_user(resolver, (unsigned long *)(addr+16));
233 + if (br2 == 0xC3600000U &&
234 + ldq == 0xA77B000CU &&
235 + nop == 0x47FF041FU &&
236 + jmp == 0x6B7B0000U)
238 + regs->r28 = regs->pc+4;
239 + regs->r27 = addr+16;
240 + regs->pc = resolver;
250 +void pax_report_insns(void *pc, void *sp)
254 + printk(KERN_ERR "PAX: bytes at PC: ");
255 + for (i = 0; i < 5; i++) {
257 + if (get_user(c, (unsigned int *)pc+i))
258 + printk(KERN_CONT "???????? ");
260 + printk(KERN_CONT "%08x ", c);
267 * This routine handles page faults. It determines the address,
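Review bot: In the "patched PLT emulation #2" block the second word is named `lda` and is emulated as an address computation (`regs->r27 += ...` on line 208), but the opcode mask it matches on line 201, `0xA77B0000U`, is the same value block #1 matches as the `ldq $27,disp($27)` load (line 172; Alpha opcode 0x29), whereas an `lda $27,disp($27)` would encode with opcode 0x08, i.e. `0x237B0000U`. Either the constant or the emulation is inconsistent with the other — confirm against the Alpha ISA and the PLT layout this is meant to match, and add a comment naming the sequence each block emulates, e.g. `/* ldah $27,hi($27); lda $27,lo($27); br $31,target */`. The `if (err) break;` guards between the get_user() calls and the pattern matches fall on lines this chunk omits, so that path could not be checked. The alpha pax_report_insns casts `pc` without `__force __user` (line 257), which the arm version in this patch has and which sparse will flag.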
268 @@ -131,8 +249,29 @@ do_page_fault(unsigned long address, uns
270 si_code = SEGV_ACCERR;
272 - if (!(vma->vm_flags & VM_EXEC))
273 + if (!(vma->vm_flags & VM_EXEC)) {
275 +#ifdef CONFIG_PAX_PAGEEXEC
276 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->pc)
279 + up_read(&mm->mmap_sem);
280 + switch (pax_handle_fetch_fault(regs)) {
282 +#ifdef CONFIG_PAX_EMUPLT
289 + pax_report_fault(regs, (void *)regs->pc, (void *)rdusp());
290 + do_group_exit(SIGKILL);
297 /* Allow reads even for write-only mappings */
298 if (!(vma->vm_flags & (VM_READ | VM_WRITE)))
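Review bot: `up_read(&mm->mmap_sem)` on line 279 is released before pax_handle_fetch_fault() and pax_report_fault() with nothing saying why; both read user memory through get_user() (lines 164-166 and 257), which may fault and take mmap_sem itself, so the unlock is load-bearing rather than incidental. Add `/* drop mmap_sem: the PLT emulation and the report read user memory with get_user() */` above it. The `return` for the emulated cases and the `#else`/`goto bad_area` fallback sit on lines this chunk omits, and do_page_fault continues beyond the hunk.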
299 diff -urNp linux-2.6.36.1/arch/arm/include/asm/elf.h linux-2.6.36.1/arch/arm/include/asm/elf.h
300 --- linux-2.6.36.1/arch/arm/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
301 +++ linux-2.6.36.1/arch/arm/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
302 @@ -113,7 +113,14 @@ int dump_task_regs(struct task_struct *t
303 the loader. We need to make sure that it is out of the way of the program
304 that it will "exec", and that there is sufficient room for the brk. */
306 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
307 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
309 +#ifdef CONFIG_PAX_ASLR
310 +#define PAX_ELF_ET_DYN_BASE 0x00008000UL
312 +#define PAX_DELTA_MMAP_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
313 +#define PAX_DELTA_STACK_LEN ((current->personality == PER_LINUX_32BIT) ? 16 : 10)
316 /* When the program starts, a1 contains a pointer to a function to be
317 registered with atexit, as per the SVR4 ABI. A value of 0 means we
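Review bot: `current->personality == PER_LINUX_32BIT` on lines 312-313 compares the whole personality word, so any additional flag bit set on the task (READ_IMPLIES_EXEC, ADDR_NO_RANDOMIZE, ...) makes the comparison fail and the 32-bit task silently gets 10 instead of 16 bits; the alpha hunk in this same patch tests the flag with `current->personality & ADDR_LIMIT_32BIT`, which is the robust form. Use `((current->personality & ADDR_LIMIT_32BIT) ? 16 : 10)` in both macros, or `personality(current->personality)` if a base-type comparison is what is intended. The rewrite of ELF_ET_DYN_BASE to `(TASK_SIZE / 3 * 2)` is uncommented; presumably it avoids `2 * TASK_SIZE` wrapping, which deserves a one-line comment since the two forms also round differently.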
318 diff -urNp linux-2.6.36.1/arch/arm/include/asm/kmap_types.h linux-2.6.36.1/arch/arm/include/asm/kmap_types.h
319 --- linux-2.6.36.1/arch/arm/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
320 +++ linux-2.6.36.1/arch/arm/include/asm/kmap_types.h 2010-11-06 18:58:15.000000000 -0400
321 @@ -21,6 +21,7 @@ enum km_type {
329 diff -urNp linux-2.6.36.1/arch/arm/include/asm/uaccess.h linux-2.6.36.1/arch/arm/include/asm/uaccess.h
330 --- linux-2.6.36.1/arch/arm/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
331 +++ linux-2.6.36.1/arch/arm/include/asm/uaccess.h 2010-11-06 18:58:15.000000000 -0400
332 @@ -403,6 +403,9 @@ extern unsigned long __must_check __strn
334 static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
339 if (access_ok(VERIFY_READ, from, n))
340 n = __copy_from_user(to, from, n);
341 else /* security hole - plug it */
342 @@ -412,6 +415,9 @@ static inline unsigned long __must_check
344 static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
349 if (access_ok(VERIFY_WRITE, to, n))
350 n = __copy_to_user(to, from, n);
352 diff -urNp linux-2.6.36.1/arch/arm/kernel/kgdb.c linux-2.6.36.1/arch/arm/kernel/kgdb.c
353 --- linux-2.6.36.1/arch/arm/kernel/kgdb.c 2010-11-26 18:26:23.000000000 -0500
354 +++ linux-2.6.36.1/arch/arm/kernel/kgdb.c 2010-11-26 18:27:07.000000000 -0500
355 @@ -246,7 +246,7 @@ void kgdb_arch_exit(void)
356 * and we handle the normal undef case within the do_undefinstr
359 -struct kgdb_arch arch_kgdb_ops = {
360 +const struct kgdb_arch arch_kgdb_ops = {
362 .gdb_bpt_instr = {0xfe, 0xde, 0xff, 0xe7}
363 #else /* ! __ARMEB__ */
364 diff -urNp linux-2.6.36.1/arch/arm/mach-at91/pm.c linux-2.6.36.1/arch/arm/mach-at91/pm.c
365 --- linux-2.6.36.1/arch/arm/mach-at91/pm.c 2010-10-20 16:30:22.000000000 -0400
366 +++ linux-2.6.36.1/arch/arm/mach-at91/pm.c 2010-11-06 18:58:15.000000000 -0400
367 @@ -294,7 +294,7 @@ static void at91_pm_end(void)
371 -static struct platform_suspend_ops at91_pm_ops ={
372 +static const struct platform_suspend_ops at91_pm_ops ={
373 .valid = at91_pm_valid_state,
374 .begin = at91_pm_begin,
375 .enter = at91_pm_enter,
376 diff -urNp linux-2.6.36.1/arch/arm/mach-davinci/pm.c linux-2.6.36.1/arch/arm/mach-davinci/pm.c
377 --- linux-2.6.36.1/arch/arm/mach-davinci/pm.c 2010-10-20 16:30:22.000000000 -0400
378 +++ linux-2.6.36.1/arch/arm/mach-davinci/pm.c 2010-11-06 18:58:15.000000000 -0400
379 @@ -110,7 +110,7 @@ static int davinci_pm_enter(suspend_stat
383 -static struct platform_suspend_ops davinci_pm_ops = {
384 +static const struct platform_suspend_ops davinci_pm_ops = {
385 .enter = davinci_pm_enter,
386 .valid = suspend_valid_only_mem,
388 diff -urNp linux-2.6.36.1/arch/arm/mach-imx/pm-imx27.c linux-2.6.36.1/arch/arm/mach-imx/pm-imx27.c
389 --- linux-2.6.36.1/arch/arm/mach-imx/pm-imx27.c 2010-10-20 16:30:22.000000000 -0400
390 +++ linux-2.6.36.1/arch/arm/mach-imx/pm-imx27.c 2010-11-06 18:58:15.000000000 -0400
391 @@ -32,7 +32,7 @@ static int mx27_suspend_enter(suspend_st
395 -static struct platform_suspend_ops mx27_suspend_ops = {
396 +static const struct platform_suspend_ops mx27_suspend_ops = {
397 .enter = mx27_suspend_enter,
398 .valid = suspend_valid_only_mem,
400 diff -urNp linux-2.6.36.1/arch/arm/mach-lpc32xx/pm.c linux-2.6.36.1/arch/arm/mach-lpc32xx/pm.c
401 --- linux-2.6.36.1/arch/arm/mach-lpc32xx/pm.c 2010-10-20 16:30:22.000000000 -0400
402 +++ linux-2.6.36.1/arch/arm/mach-lpc32xx/pm.c 2010-11-06 18:58:15.000000000 -0400
403 @@ -123,7 +123,7 @@ static int lpc32xx_pm_enter(suspend_stat
407 -static struct platform_suspend_ops lpc32xx_pm_ops = {
408 +static const struct platform_suspend_ops lpc32xx_pm_ops = {
409 .valid = suspend_valid_only_mem,
410 .enter = lpc32xx_pm_enter,
412 diff -urNp linux-2.6.36.1/arch/arm/mach-msm/last_radio_log.c linux-2.6.36.1/arch/arm/mach-msm/last_radio_log.c
413 --- linux-2.6.36.1/arch/arm/mach-msm/last_radio_log.c 2010-10-20 16:30:22.000000000 -0400
414 +++ linux-2.6.36.1/arch/arm/mach-msm/last_radio_log.c 2010-11-06 18:58:15.000000000 -0400
415 @@ -47,6 +47,7 @@ static ssize_t last_radio_log_read(struc
419 +/* cannot be const, see msm_init_last_radio_log */
420 static struct file_operations last_radio_log_fops = {
421 .read = last_radio_log_read
423 diff -urNp linux-2.6.36.1/arch/arm/mach-omap1/pm.c linux-2.6.36.1/arch/arm/mach-omap1/pm.c
424 --- linux-2.6.36.1/arch/arm/mach-omap1/pm.c 2010-10-20 16:30:22.000000000 -0400
425 +++ linux-2.6.36.1/arch/arm/mach-omap1/pm.c 2010-11-06 18:58:15.000000000 -0400
426 @@ -647,7 +647,7 @@ static struct irqaction omap_wakeup_irq
430 -static struct platform_suspend_ops omap_pm_ops ={
431 +static const struct platform_suspend_ops omap_pm_ops ={
432 .prepare = omap_pm_prepare,
433 .enter = omap_pm_enter,
434 .finish = omap_pm_finish,
435 diff -urNp linux-2.6.36.1/arch/arm/mach-omap2/pm24xx.c linux-2.6.36.1/arch/arm/mach-omap2/pm24xx.c
436 --- linux-2.6.36.1/arch/arm/mach-omap2/pm24xx.c 2010-10-20 16:30:22.000000000 -0400
437 +++ linux-2.6.36.1/arch/arm/mach-omap2/pm24xx.c 2010-11-06 18:58:15.000000000 -0400
438 @@ -324,7 +324,7 @@ static void omap2_pm_finish(void)
442 -static struct platform_suspend_ops omap_pm_ops = {
443 +static const struct platform_suspend_ops omap_pm_ops = {
444 .prepare = omap2_pm_prepare,
445 .enter = omap2_pm_enter,
446 .finish = omap2_pm_finish,
447 diff -urNp linux-2.6.36.1/arch/arm/mach-omap2/pm34xx.c linux-2.6.36.1/arch/arm/mach-omap2/pm34xx.c
448 --- linux-2.6.36.1/arch/arm/mach-omap2/pm34xx.c 2010-10-20 16:30:22.000000000 -0400
449 +++ linux-2.6.36.1/arch/arm/mach-omap2/pm34xx.c 2010-11-06 18:58:15.000000000 -0400
450 @@ -672,7 +672,7 @@ static void omap3_pm_end(void)
454 -static struct platform_suspend_ops omap_pm_ops = {
455 +static const struct platform_suspend_ops omap_pm_ops = {
456 .begin = omap3_pm_begin,
458 .prepare = omap3_pm_prepare,
459 diff -urNp linux-2.6.36.1/arch/arm/mach-omap2/pm44xx.c linux-2.6.36.1/arch/arm/mach-omap2/pm44xx.c
460 --- linux-2.6.36.1/arch/arm/mach-omap2/pm44xx.c 2010-10-20 16:30:22.000000000 -0400
461 +++ linux-2.6.36.1/arch/arm/mach-omap2/pm44xx.c 2010-11-06 18:58:15.000000000 -0400
462 @@ -75,7 +75,7 @@ static void omap4_pm_end(void)
466 -static struct platform_suspend_ops omap_pm_ops = {
467 +static const struct platform_suspend_ops omap_pm_ops = {
468 .begin = omap4_pm_begin,
470 .prepare = omap4_pm_prepare,
471 diff -urNp linux-2.6.36.1/arch/arm/mach-pnx4008/pm.c linux-2.6.36.1/arch/arm/mach-pnx4008/pm.c
472 --- linux-2.6.36.1/arch/arm/mach-pnx4008/pm.c 2010-10-20 16:30:22.000000000 -0400
473 +++ linux-2.6.36.1/arch/arm/mach-pnx4008/pm.c 2010-11-06 18:58:15.000000000 -0400
474 @@ -119,7 +119,7 @@ static int pnx4008_pm_valid(suspend_stat
475 (state == PM_SUSPEND_MEM);
478 -static struct platform_suspend_ops pnx4008_pm_ops = {
479 +static const struct platform_suspend_ops pnx4008_pm_ops = {
480 .enter = pnx4008_pm_enter,
481 .valid = pnx4008_pm_valid,
483 diff -urNp linux-2.6.36.1/arch/arm/mach-pxa/pm.c linux-2.6.36.1/arch/arm/mach-pxa/pm.c
484 --- linux-2.6.36.1/arch/arm/mach-pxa/pm.c 2010-10-20 16:30:22.000000000 -0400
485 +++ linux-2.6.36.1/arch/arm/mach-pxa/pm.c 2010-11-06 18:58:15.000000000 -0400
486 @@ -96,7 +96,7 @@ void pxa_pm_finish(void)
487 pxa_cpu_pm_fns->finish();
490 -static struct platform_suspend_ops pxa_pm_ops = {
491 +static const struct platform_suspend_ops pxa_pm_ops = {
492 .valid = pxa_pm_valid,
493 .enter = pxa_pm_enter,
494 .prepare = pxa_pm_prepare,
495 diff -urNp linux-2.6.36.1/arch/arm/mach-pxa/sharpsl_pm.c linux-2.6.36.1/arch/arm/mach-pxa/sharpsl_pm.c
496 --- linux-2.6.36.1/arch/arm/mach-pxa/sharpsl_pm.c 2010-10-20 16:30:22.000000000 -0400
497 +++ linux-2.6.36.1/arch/arm/mach-pxa/sharpsl_pm.c 2010-11-06 18:58:15.000000000 -0400
498 @@ -868,7 +868,7 @@ static void sharpsl_apm_get_power_status
502 -static struct platform_suspend_ops sharpsl_pm_ops = {
503 +static const struct platform_suspend_ops sharpsl_pm_ops = {
504 .prepare = pxa_pm_prepare,
505 .finish = pxa_pm_finish,
506 .enter = corgi_pxa_pm_enter,
507 diff -urNp linux-2.6.36.1/arch/arm/mach-sa1100/pm.c linux-2.6.36.1/arch/arm/mach-sa1100/pm.c
508 --- linux-2.6.36.1/arch/arm/mach-sa1100/pm.c 2010-10-20 16:30:22.000000000 -0400
509 +++ linux-2.6.36.1/arch/arm/mach-sa1100/pm.c 2010-11-06 18:58:15.000000000 -0400
510 @@ -120,7 +120,7 @@ unsigned long sleep_phys_sp(void *sp)
511 return virt_to_phys(sp);
514 -static struct platform_suspend_ops sa11x0_pm_ops = {
515 +static const struct platform_suspend_ops sa11x0_pm_ops = {
516 .enter = sa11x0_pm_enter,
517 .valid = suspend_valid_only_mem,
519 diff -urNp linux-2.6.36.1/arch/arm/mm/fault.c linux-2.6.36.1/arch/arm/mm/fault.c
520 --- linux-2.6.36.1/arch/arm/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
521 +++ linux-2.6.36.1/arch/arm/mm/fault.c 2010-11-06 18:58:15.000000000 -0400
522 @@ -167,6 +167,13 @@ __do_user_fault(struct task_struct *tsk,
526 +#ifdef CONFIG_PAX_PAGEEXEC
527 + if (fsr & FSR_LNX_PF) {
528 + pax_report_fault(regs, (void *)regs->ARM_pc, (void *)regs->ARM_sp);
529 + do_group_exit(SIGKILL);
533 tsk->thread.address = addr;
534 tsk->thread.error_code = fsr;
535 tsk->thread.trap_no = 14;
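Review bot: The added kill on `fsr & FSR_LNX_PF` is not gated on the task's PaX flags, unlike the alpha (`mm->pax_flags & MF_PAX_PAGEEXEC`, line 276) and avr32 (line 711) hunks in the same patch, so every user prefetch abort that reaches __do_user_fault — including on tasks with PAGEEXEC disabled — becomes a logged SIGKILL instead of the signal the rest of the function delivers, and a userland SIGSEGV handler never runs. If that is intended (for instance because the flag is checked before this function is called), say so in a comment; otherwise gate it, e.g. `if ((fsr & FSR_LNX_PF) && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {`, assuming `tsk->mm` is valid at this point. The closing brace and `#endif` of the block are not visible in this chunk.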
536 @@ -364,6 +371,33 @@ do_page_fault(unsigned long addr, unsign
538 #endif /* CONFIG_MMU */
540 +#ifdef CONFIG_PAX_PAGEEXEC
541 +void pax_report_insns(void *pc, void *sp)
545 + printk(KERN_ERR "PAX: bytes at PC: ");
546 + for (i = 0; i < 20; i++) {
548 + if (get_user(c, (__force unsigned char __user *)pc+i))
549 + printk(KERN_CONT "?? ");
551 + printk(KERN_CONT "%02x ", c);
555 + printk(KERN_ERR "PAX: bytes at SP-4: ");
556 + for (i = -1; i < 20; i++) {
558 + if (get_user(c, (__force unsigned long __user *)sp+i))
559 + printk(KERN_CONT "???????? ");
561 + printk(KERN_CONT "%08lx ", c);
568 * First Level Translation Fault Handler
570 diff -urNp linux-2.6.36.1/arch/arm/mm/mmap.c linux-2.6.36.1/arch/arm/mm/mmap.c
571 --- linux-2.6.36.1/arch/arm/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
572 +++ linux-2.6.36.1/arch/arm/mm/mmap.c 2010-11-06 18:58:15.000000000 -0400
573 @@ -64,6 +64,10 @@ arch_get_unmapped_area(struct file *filp
577 +#ifdef CONFIG_PAX_RANDMMAP
578 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
583 addr = COLOUR_ALIGN(addr, pgoff);
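Review bot: The `if (!(mm->pax_flags & MF_PAX_RANDMMAP))` on line 578 is a brace-less `if` under `#ifdef` whose body is a statement this chunk does not show (presumably the `if (addr)` that leads to line 583), the same fragile construction as in the alpha osf_sys.c hunk; an `else` added later binds to the wrong `if`, and without the `#ifdef` the intent is invisible. Add a comment on line 577 such as `/* RANDMMAP: skip the caller's hint; the if (addr) below is this if's body */`, or fold the test into the existing condition.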
584 @@ -71,15 +75,14 @@ arch_get_unmapped_area(struct file *filp
585 addr = PAGE_ALIGN(addr);
587 vma = find_vma(mm, addr);
588 - if (TASK_SIZE - len >= addr &&
589 - (!vma || addr + len <= vma->vm_start))
590 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
593 if (len > mm->cached_hole_size) {
594 - start_addr = addr = mm->free_area_cache;
595 + start_addr = addr = mm->free_area_cache;
597 - start_addr = addr = TASK_UNMAPPED_BASE;
598 - mm->cached_hole_size = 0;
599 + start_addr = addr = mm->mmap_base;
600 + mm->cached_hole_size = 0;
602 /* 8 bits of randomness in 20 address space bits */
603 if (current->flags & PF_RANDOMIZE)
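Review bot: Lines 594-595 and 598/600 are whitespace-only changes (`start_addr = addr = mm->free_area_cache;` and `mm->cached_hole_size = 0;` are removed and re-added with identical text), which adds noise to a security patch and buries the real change in this pair, the switch from TASK_UNMAPPED_BASE to `mm->mmap_base`; drop them or move them to a separate cleanup. The pre-existing per-call skew kept on line 603 (`8 bits of randomness`, PF_RANDOMIZE) now applies on top of whatever randomization `mm->mmap_base` already carries, which may be intended but deserves a comment such as `/* mmap_base may already be randomized; this adds per-call page jitter on top */`. arch_get_unmapped_area continues past this hunk.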
604 @@ -98,14 +101,14 @@ full_search:
605 * Start a new search - just in case we missed
608 - if (start_addr != TASK_UNMAPPED_BASE) {
609 - start_addr = addr = TASK_UNMAPPED_BASE;
610 + if (start_addr != mm->mmap_base) {
611 + start_addr = addr = mm->mmap_base;
612 mm->cached_hole_size = 0;
617 - if (!vma || addr + len <= vma->vm_start) {
618 + if (check_heap_stack_gap(vma, addr, len)) {
620 * Remember the place where we stopped the search:
622 diff -urNp linux-2.6.36.1/arch/arm/plat-samsung/pm.c linux-2.6.36.1/arch/arm/plat-samsung/pm.c
623 --- linux-2.6.36.1/arch/arm/plat-samsung/pm.c 2010-10-20 16:30:22.000000000 -0400
624 +++ linux-2.6.36.1/arch/arm/plat-samsung/pm.c 2010-11-06 18:58:15.000000000 -0400
625 @@ -355,7 +355,7 @@ static void s3c_pm_finish(void)
626 s3c_pm_check_cleanup();
629 -static struct platform_suspend_ops s3c_pm_ops = {
630 +static const struct platform_suspend_ops s3c_pm_ops = {
631 .enter = s3c_pm_enter,
632 .prepare = s3c_pm_prepare,
633 .finish = s3c_pm_finish,
634 diff -urNp linux-2.6.36.1/arch/avr32/include/asm/elf.h linux-2.6.36.1/arch/avr32/include/asm/elf.h
635 --- linux-2.6.36.1/arch/avr32/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
636 +++ linux-2.6.36.1/arch/avr32/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
637 @@ -84,8 +84,14 @@ typedef struct user_fpu_struct elf_fpreg
638 the loader. We need to make sure that it is out of the way of the program
639 that it will "exec", and that there is sufficient room for the brk. */
641 -#define ELF_ET_DYN_BASE (2 * TASK_SIZE / 3)
642 +#define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
644 +#ifdef CONFIG_PAX_ASLR
645 +#define PAX_ELF_ET_DYN_BASE 0x00001000UL
647 +#define PAX_DELTA_MMAP_LEN 15
648 +#define PAX_DELTA_STACK_LEN 15
651 /* This yields a mask that user programs can use to figure out what
652 instruction set this CPU supports. This could be done in user space,
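Review bot: The rewrite of ELF_ET_DYN_BASE from `(2 * TASK_SIZE / 3)` to `(TASK_SIZE / 3 * 2)` is a behaviour change with no comment: on a 32-bit unsigned long `2 * TASK_SIZE` can wrap before the division (TASK_SIZE is not shown here, so whether it actually does is unconfirmed), and the new form also rounds differently, so it is not a pure reordering. Add `/* computed as TASK_SIZE / 3 * 2 so the intermediate cannot overflow unsigned long */` above it. The PAX_DELTA_* constants (15) likewise need a word on what they are — presumably random-bit counts for the mmap base and the stack; the `#endif` closing the block is not in this chunk.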
653 diff -urNp linux-2.6.36.1/arch/avr32/include/asm/kmap_types.h linux-2.6.36.1/arch/avr32/include/asm/kmap_types.h
654 --- linux-2.6.36.1/arch/avr32/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
655 +++ linux-2.6.36.1/arch/avr32/include/asm/kmap_types.h 2010-11-06 18:58:15.000000000 -0400
656 @@ -22,7 +22,8 @@ D(10) KM_IRQ0,
666 diff -urNp linux-2.6.36.1/arch/avr32/mach-at32ap/pm.c linux-2.6.36.1/arch/avr32/mach-at32ap/pm.c
667 --- linux-2.6.36.1/arch/avr32/mach-at32ap/pm.c 2010-10-20 16:30:22.000000000 -0400
668 +++ linux-2.6.36.1/arch/avr32/mach-at32ap/pm.c 2010-11-06 18:58:15.000000000 -0400
669 @@ -176,7 +176,7 @@ out:
673 -static struct platform_suspend_ops avr32_pm_ops = {
674 +static const struct platform_suspend_ops avr32_pm_ops = {
675 .valid = avr32_pm_valid_state,
676 .enter = avr32_pm_enter,
678 diff -urNp linux-2.6.36.1/arch/avr32/mm/fault.c linux-2.6.36.1/arch/avr32/mm/fault.c
679 --- linux-2.6.36.1/arch/avr32/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
680 +++ linux-2.6.36.1/arch/avr32/mm/fault.c 2010-11-06 18:58:15.000000000 -0400
681 @@ -41,6 +41,23 @@ static inline int notify_page_fault(stru
683 int exception_trace = 1;
685 +#ifdef CONFIG_PAX_PAGEEXEC
686 +void pax_report_insns(void *pc, void *sp)
690 + printk(KERN_ERR "PAX: bytes at PC: ");
691 + for (i = 0; i < 20; i++) {
693 + if (get_user(c, (unsigned char *)pc+i))
694 + printk(KERN_CONT "???????? ");
696 + printk(KERN_CONT "%02x ", c);
703 * This routine handles page faults. It determines the address and the
704 * problem, and then passes it off to one of the appropriate routines.
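Review bot: On a failed get_user() the avr32 pax_report_insns prints `"???????? "` (eight characters) while a successful read prints `"%02x "` (two), so the dump misaligns; the arm version of the same function in this patch (line 549) uses `"?? "`. Change line 694 to `printk(KERN_CONT "?? ");`. The cast `(unsigned char *)pc+i` on line 693 also lacks the `__force ... __user` the arm hunk has, which sparse will flag; use `(__force unsigned char __user *)pc + i`.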
705 @@ -156,6 +173,16 @@ bad_area:
706 up_read(&mm->mmap_sem);
708 if (user_mode(regs)) {
710 +#ifdef CONFIG_PAX_PAGEEXEC
711 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
712 + if (ecr == ECR_PROTECTION_X || ecr == ECR_TLB_MISS_X) {
713 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->sp);
714 + do_group_exit(SIGKILL);
719 if (exception_trace && printk_ratelimit())
720 printk("%s%s[%d]: segfault at %08lx pc %08lx "
721 "sp %08lx ecr %lu\n",
722 diff -urNp linux-2.6.36.1/arch/blackfin/kernel/kgdb.c linux-2.6.36.1/arch/blackfin/kernel/kgdb.c
723 --- linux-2.6.36.1/arch/blackfin/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
724 +++ linux-2.6.36.1/arch/blackfin/kernel/kgdb.c 2010-11-06 18:58:15.000000000 -0400
725 @@ -397,7 +397,7 @@ int kgdb_arch_handle_exception(int vecto
726 return -1; /* this means that we do not want to exit from the handler */
729 -struct kgdb_arch arch_kgdb_ops = {
730 +const struct kgdb_arch arch_kgdb_ops = {
731 .gdb_bpt_instr = {0xa1},
733 .flags = KGDB_HW_BREAKPOINT|KGDB_THR_PROC_SWAP,
734 diff -urNp linux-2.6.36.1/arch/blackfin/mach-common/pm.c linux-2.6.36.1/arch/blackfin/mach-common/pm.c
735 --- linux-2.6.36.1/arch/blackfin/mach-common/pm.c 2010-10-20 16:30:22.000000000 -0400
736 +++ linux-2.6.36.1/arch/blackfin/mach-common/pm.c 2010-11-06 18:58:15.000000000 -0400
737 @@ -233,7 +233,7 @@ static int bfin_pm_enter(suspend_state_t
741 -struct platform_suspend_ops bfin_pm_ops = {
742 +const struct platform_suspend_ops bfin_pm_ops = {
743 .enter = bfin_pm_enter,
744 .valid = bfin_pm_valid,
746 diff -urNp linux-2.6.36.1/arch/blackfin/mm/maccess.c linux-2.6.36.1/arch/blackfin/mm/maccess.c
747 --- linux-2.6.36.1/arch/blackfin/mm/maccess.c 2010-10-20 16:30:22.000000000 -0400
748 +++ linux-2.6.36.1/arch/blackfin/mm/maccess.c 2010-11-06 18:58:15.000000000 -0400
749 @@ -16,7 +16,7 @@ static int validate_memory_access_addres
750 return bfin_mem_access_type(addr, size);
753 -long probe_kernel_read(void *dst, void *src, size_t size)
754 +long probe_kernel_read(void *dst, const void *src, size_t size)
756 unsigned long lsrc = (unsigned long)src;
758 @@ -55,7 +55,7 @@ long probe_kernel_read(void *dst, void *
762 -long probe_kernel_write(void *dst, void *src, size_t size)
763 +long probe_kernel_write(void *dst, const void *src, size_t size)
765 unsigned long ldst = (unsigned long)dst;
767 diff -urNp linux-2.6.36.1/arch/frv/include/asm/kmap_types.h linux-2.6.36.1/arch/frv/include/asm/kmap_types.h
768 --- linux-2.6.36.1/arch/frv/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
769 +++ linux-2.6.36.1/arch/frv/include/asm/kmap_types.h 2010-11-06 18:58:15.000000000 -0400
770 @@ -23,6 +23,7 @@ enum km_type {
778 diff -urNp linux-2.6.36.1/arch/frv/mm/elf-fdpic.c linux-2.6.36.1/arch/frv/mm/elf-fdpic.c
779 --- linux-2.6.36.1/arch/frv/mm/elf-fdpic.c 2010-10-20 16:30:22.000000000 -0400
780 +++ linux-2.6.36.1/arch/frv/mm/elf-fdpic.c 2010-11-06 18:58:15.000000000 -0400
781 @@ -73,8 +73,7 @@ unsigned long arch_get_unmapped_area(str
783 addr = PAGE_ALIGN(addr);
784 vma = find_vma(current->mm, addr);
785 - if (TASK_SIZE - len >= addr &&
786 - (!vma || addr + len <= vma->vm_start))
787 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
791 @@ -89,7 +88,7 @@ unsigned long arch_get_unmapped_area(str
792 for (; vma; vma = vma->vm_next) {
795 - if (addr + len <= vma->vm_start)
796 + if (check_heap_stack_gap(vma, addr, len))
800 @@ -104,7 +103,7 @@ unsigned long arch_get_unmapped_area(str
801 for (; vma; vma = vma->vm_next) {
804 - if (addr + len <= vma->vm_start)
805 + if (check_heap_stack_gap(vma, addr, len))
809 diff -urNp linux-2.6.36.1/arch/ia64/hp/common/hwsw_iommu.c linux-2.6.36.1/arch/ia64/hp/common/hwsw_iommu.c
810 --- linux-2.6.36.1/arch/ia64/hp/common/hwsw_iommu.c 2010-10-20 16:30:22.000000000 -0400
811 +++ linux-2.6.36.1/arch/ia64/hp/common/hwsw_iommu.c 2010-11-06 18:58:15.000000000 -0400
813 #include <linux/swiotlb.h>
814 #include <asm/machvec.h>
816 -extern struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
817 +extern const struct dma_map_ops sba_dma_ops, swiotlb_dma_ops;
819 /* swiotlb declarations & definitions: */
820 extern int swiotlb_late_init_with_default_size (size_t size);
821 @@ -33,7 +33,7 @@ static inline int use_swiotlb(struct dev
822 !sba_dma_ops.dma_supported(dev, *dev->dma_mask);
825 -struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
826 +const struct dma_map_ops *hwsw_dma_get_ops(struct device *dev)
828 if (use_swiotlb(dev))
829 return &swiotlb_dma_ops;
830 diff -urNp linux-2.6.36.1/arch/ia64/hp/common/sba_iommu.c linux-2.6.36.1/arch/ia64/hp/common/sba_iommu.c
831 --- linux-2.6.36.1/arch/ia64/hp/common/sba_iommu.c 2010-10-20 16:30:22.000000000 -0400
832 +++ linux-2.6.36.1/arch/ia64/hp/common/sba_iommu.c 2010-11-06 18:58:15.000000000 -0400
833 @@ -2097,7 +2097,7 @@ static struct acpi_driver acpi_sba_ioc_d
837 -extern struct dma_map_ops swiotlb_dma_ops;
838 +extern const struct dma_map_ops swiotlb_dma_ops;
842 @@ -2211,7 +2211,7 @@ sba_page_override(char *str)
844 __setup("sbapagesize=",sba_page_override);
846 -struct dma_map_ops sba_dma_ops = {
847 +const struct dma_map_ops sba_dma_ops = {
848 .alloc_coherent = sba_alloc_coherent,
849 .free_coherent = sba_free_coherent,
850 .map_page = sba_map_page,
851 diff -urNp linux-2.6.36.1/arch/ia64/include/asm/dma-mapping.h linux-2.6.36.1/arch/ia64/include/asm/dma-mapping.h
852 --- linux-2.6.36.1/arch/ia64/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
853 +++ linux-2.6.36.1/arch/ia64/include/asm/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
856 #define ARCH_HAS_DMA_GET_REQUIRED_MASK
858 -extern struct dma_map_ops *dma_ops;
859 +extern const struct dma_map_ops *dma_ops;
860 extern struct ia64_machine_vector ia64_mv;
861 extern void set_iommu_machvec(void);
863 @@ -24,7 +24,7 @@ extern void machvec_dma_sync_sg(struct d
864 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
865 dma_addr_t *daddr, gfp_t gfp)
867 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
868 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
871 caddr = ops->alloc_coherent(dev, size, daddr, gfp);
872 @@ -35,7 +35,7 @@ static inline void *dma_alloc_coherent(s
873 static inline void dma_free_coherent(struct device *dev, size_t size,
874 void *caddr, dma_addr_t daddr)
876 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
877 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
878 debug_dma_free_coherent(dev, size, caddr, daddr);
879 ops->free_coherent(dev, size, caddr, daddr);
881 @@ -49,13 +49,13 @@ static inline void dma_free_coherent(str
883 static inline int dma_mapping_error(struct device *dev, dma_addr_t daddr)
885 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
886 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
887 return ops->mapping_error(dev, daddr);
890 static inline int dma_supported(struct device *dev, u64 mask)
892 - struct dma_map_ops *ops = platform_dma_get_ops(dev);
893 + const struct dma_map_ops *ops = platform_dma_get_ops(dev);
894 return ops->dma_supported(dev, mask);
897 diff -urNp linux-2.6.36.1/arch/ia64/include/asm/elf.h linux-2.6.36.1/arch/ia64/include/asm/elf.h
898 --- linux-2.6.36.1/arch/ia64/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
899 +++ linux-2.6.36.1/arch/ia64/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
902 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x800000000UL)
904 +#ifdef CONFIG_PAX_ASLR
905 +#define PAX_ELF_ET_DYN_BASE (current->personality == PER_LINUX32 ? 0x08048000UL : 0x4000000000000000UL)
907 +#define PAX_DELTA_MMAP_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
908 +#define PAX_DELTA_STACK_LEN (current->personality == PER_LINUX32 ? 16 : 3*PAGE_SHIFT - 13)
911 #define PT_IA_64_UNWIND 0x70000001
913 /* IA-64 relocations: */
914 diff -urNp linux-2.6.36.1/arch/ia64/include/asm/machvec.h linux-2.6.36.1/arch/ia64/include/asm/machvec.h
915 --- linux-2.6.36.1/arch/ia64/include/asm/machvec.h 2010-10-20 16:30:22.000000000 -0400
916 +++ linux-2.6.36.1/arch/ia64/include/asm/machvec.h 2010-11-06 18:58:15.000000000 -0400
917 @@ -45,7 +45,7 @@ typedef void ia64_mv_kernel_launch_event
918 /* DMA-mapping interface: */
919 typedef void ia64_mv_dma_init (void);
920 typedef u64 ia64_mv_dma_get_required_mask (struct device *);
921 -typedef struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
922 +typedef const struct dma_map_ops *ia64_mv_dma_get_ops(struct device *);
925 * WARNING: The legacy I/O space is _architected_. Platforms are
926 @@ -251,7 +251,7 @@ extern void machvec_init_from_cmdline(co
927 # endif /* CONFIG_IA64_GENERIC */
929 extern void swiotlb_dma_init(void);
930 -extern struct dma_map_ops *dma_get_ops(struct device *);
931 +extern const struct dma_map_ops *dma_get_ops(struct device *);
934 * Define default versions so we can extend machvec for new platforms without having
935 diff -urNp linux-2.6.36.1/arch/ia64/include/asm/pgtable.h linux-2.6.36.1/arch/ia64/include/asm/pgtable.h
936 --- linux-2.6.36.1/arch/ia64/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
937 +++ linux-2.6.36.1/arch/ia64/include/asm/pgtable.h 2010-11-06 18:58:15.000000000 -0400
939 * David Mosberger-Tang <davidm@hpl.hp.com>
943 +#include <linux/const.h>
944 #include <asm/mman.h>
945 #include <asm/page.h>
946 #include <asm/processor.h>
948 #define PAGE_READONLY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
949 #define PAGE_COPY __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
950 #define PAGE_COPY_EXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RX)
952 +#ifdef CONFIG_PAX_PAGEEXEC
953 +# define PAGE_SHARED_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_RW)
954 +# define PAGE_READONLY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
955 +# define PAGE_COPY_NOEXEC __pgprot(__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R)
957 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
958 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
959 +# define PAGE_COPY_NOEXEC PAGE_COPY
962 #define PAGE_GATE __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_X_RX)
963 #define PAGE_KERNEL __pgprot(__DIRTY_BITS | _PAGE_PL_0 | _PAGE_AR_RWX)
964 #define PAGE_KERNELRX __pgprot(__ACCESS_BITS | _PAGE_PL_0 | _PAGE_AR_RX)
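Review bot: In the CONFIG_PAX_PAGEEXEC branch, PAGE_READONLY_NOEXEC and PAGE_COPY_NOEXEC expand to exactly the bits PAGE_READONLY and PAGE_COPY already carry on the lines above (`__ACCESS_BITS | _PAGE_PL_3 | _PAGE_AR_R`), so only PAGE_SHARED_NOEXEC introduces a protection that differs from an existing one. Aliasing the two as the #else branch already does, `# define PAGE_READONLY_NOEXEC PAGE_READONLY` and `# define PAGE_COPY_NOEXEC PAGE_COPY`, keeps them in step if the base definitions ever change and makes the one real difference visible at a glance. A one-line comment above the block noting that the ia64 read-only and copy-on-write protections are already non-executable would also help a reader comparing this with the other architectures in the patch.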
965 diff -urNp linux-2.6.36.1/arch/ia64/include/asm/uaccess.h linux-2.6.36.1/arch/ia64/include/asm/uaccess.h
966 --- linux-2.6.36.1/arch/ia64/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
967 +++ linux-2.6.36.1/arch/ia64/include/asm/uaccess.h 2010-11-06 18:58:15.000000000 -0400
968 @@ -257,7 +257,7 @@ __copy_from_user (void *to, const void _
969 const void *__cu_from = (from); \
970 long __cu_len = (n); \
972 - if (__access_ok(__cu_to, __cu_len, get_fs())) \
973 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_to, __cu_len, get_fs())) \
974 __cu_len = __copy_user(__cu_to, (__force void __user *) __cu_from, __cu_len); \
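Review bot: The new `__cu_len > 0 && __cu_len <= INT_MAX` guard carries no comment explaining why INT_MAX is the bound, and the identical guard is repeated in the __copy_from_user hunk directly below. If the cap exists because __copy_user or its fixup path handles the length as a 32-bit quantity, that is worth stating, e.g. `/* n is a signed long: refuse negative lengths and cap at INT_MAX so the copy routine never sees a length it cannot represent */`; if the reason is different, the comment should say what it is. Note also that when the guard rejects n the macro presumably still returns `__cu_len` unchanged (the return is outside the visible lines), so a negative n comes back as a negative "bytes not copied" count, which callers that compare the result against the requested length will want to know about.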
977 @@ -269,7 +269,7 @@ __copy_from_user (void *to, const void _
978 long __cu_len = (n); \
980 __chk_user_ptr(__cu_from); \
981 - if (__access_ok(__cu_from, __cu_len, get_fs())) \
982 + if (__cu_len > 0 && __cu_len <= INT_MAX && __access_ok(__cu_from, __cu_len, get_fs())) \
983 __cu_len = __copy_user((__force void __user *) __cu_to, __cu_from, __cu_len); \
986 diff -urNp linux-2.6.36.1/arch/ia64/kernel/dma-mapping.c linux-2.6.36.1/arch/ia64/kernel/dma-mapping.c
987 --- linux-2.6.36.1/arch/ia64/kernel/dma-mapping.c 2010-10-20 16:30:22.000000000 -0400
988 +++ linux-2.6.36.1/arch/ia64/kernel/dma-mapping.c 2010-11-06 18:58:15.000000000 -0400
990 /* Set this to 1 if there is a HW IOMMU in the system */
991 int iommu_detected __read_mostly;
993 -struct dma_map_ops *dma_ops;
994 +const struct dma_map_ops *dma_ops;
995 EXPORT_SYMBOL(dma_ops);
997 #define PREALLOC_DMA_DEBUG_ENTRIES (1 << 16)
998 @@ -16,7 +16,7 @@ static int __init dma_init(void)
1000 fs_initcall(dma_init);
1002 -struct dma_map_ops *dma_get_ops(struct device *dev)
1003 +const struct dma_map_ops *dma_get_ops(struct device *dev)
1007 diff -urNp linux-2.6.36.1/arch/ia64/kernel/module.c linux-2.6.36.1/arch/ia64/kernel/module.c
1008 --- linux-2.6.36.1/arch/ia64/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
1009 +++ linux-2.6.36.1/arch/ia64/kernel/module.c 2010-11-06 18:58:15.000000000 -0400
1010 @@ -315,8 +315,7 @@ module_alloc (unsigned long size)
1012 module_free (struct module *mod, void *module_region)
1014 - if (mod && mod->arch.init_unw_table &&
1015 - module_region == mod->module_init) {
1016 + if (mod && mod->arch.init_unw_table && module_region == mod->module_init_rx) {
1017 unw_remove_unwind_table(mod->arch.init_unw_table);
1018 mod->arch.init_unw_table = NULL;
1020 @@ -502,15 +501,39 @@ module_frob_arch_sections (Elf_Ehdr *ehd
1024 +in_init_rx (const struct module *mod, uint64_t addr)
1026 + return addr - (uint64_t) mod->module_init_rx < mod->init_size_rx;
1030 +in_init_rw (const struct module *mod, uint64_t addr)
1032 + return addr - (uint64_t) mod->module_init_rw < mod->init_size_rw;
1036 in_init (const struct module *mod, uint64_t addr)
1038 - return addr - (uint64_t) mod->module_init < mod->init_size;
1039 + return in_init_rx(mod, addr) || in_init_rw(mod, addr);
1043 +in_core_rx (const struct module *mod, uint64_t addr)
1045 + return addr - (uint64_t) mod->module_core_rx < mod->core_size_rx;
1049 +in_core_rw (const struct module *mod, uint64_t addr)
1051 + return addr - (uint64_t) mod->module_core_rw < mod->core_size_rw;
1055 in_core (const struct module *mod, uint64_t addr)
1057 - return addr - (uint64_t) mod->module_core < mod->core_size;
1058 + return in_core_rx(mod, addr) || in_core_rw(mod, addr);
1062 @@ -693,7 +716,14 @@ do_reloc (struct module *mod, uint8_t r_
1066 - val -= (uint64_t) (in_init(mod, val) ? mod->module_init : mod->module_core);
1067 + if (in_init_rx(mod, val))
1068 + val -= (uint64_t) mod->module_init_rx;
1069 + else if (in_init_rw(mod, val))
1070 + val -= (uint64_t) mod->module_init_rw;
1071 + else if (in_core_rx(mod, val))
1072 + val -= (uint64_t) mod->module_core_rx;
1073 + else if (in_core_rw(mod, val))
1074 + val -= (uint64_t) mod->module_core_rw;
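Review bot: The replacement if/else chain has no final branch, so a `val` that falls in none of the four regions is now left unadjusted and the relocation proceeds with an unrelocated value; the line it replaces always subtracted one of the two bases, so this silent path is new. Ending the chain with `else { printk(KERN_ERR "%s: %s: target outside module regions\n", mod->name, __func__); return -ENOEXEC; }` fails loudly instead, assuming do_reloc reports other malformed relocations with a negative errno as the rest of the function appears to. do_reloc's body starts and ends outside this hunk, so the return convention should be checked against its existing error paths.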
1078 @@ -828,15 +858,15 @@ apply_relocate_add (Elf64_Shdr *sechdrs,
1079 * addresses have been selected...
1082 - if (mod->core_size > MAX_LTOFF)
1083 + if (mod->core_size_rx + mod->core_size_rw > MAX_LTOFF)
1085 * This takes advantage of fact that SHF_ARCH_SMALL gets allocated
1086 * at the end of the module.
1088 - gp = mod->core_size - MAX_LTOFF / 2;
1089 + gp = mod->core_size_rx + mod->core_size_rw - MAX_LTOFF / 2;
1091 - gp = mod->core_size / 2;
1092 - gp = (uint64_t) mod->module_core + ((gp + 7) & -8);
1093 + gp = (mod->core_size_rx + mod->core_size_rw) / 2;
1094 + gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);
1096 DEBUGP("%s: placing gp at 0x%lx\n", __func__, gp);
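Review bot: At `gp = (uint64_t) mod->module_core_rx + ((gp + 7) & -8);` the offset is derived from `core_size_rx + core_size_rw`, the combined size of two regions that now have separate base pointers, yet it is added to the rx base alone. Unless the rw region is guaranteed to follow the rx region contiguously (nothing in this hunk shows that), the resulting gp can land past the rx mapping instead of inside the region holding the GOT and the SHF_ARCH_SMALL data the comment above refers to, and ltoff-relative accesses would then be out of range. If the small-data sections live in the rw core, the base should probably be `mod->module_core_rw` with the midpoint taken over `core_size_rw` only; either way, a comment stating which region gp is meant to sit in, and why, would make the intent checkable. apply_relocate_add continues outside the hunk.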
1098 diff -urNp linux-2.6.36.1/arch/ia64/kernel/pci-dma.c linux-2.6.36.1/arch/ia64/kernel/pci-dma.c
1099 --- linux-2.6.36.1/arch/ia64/kernel/pci-dma.c 2010-10-20 16:30:22.000000000 -0400
1100 +++ linux-2.6.36.1/arch/ia64/kernel/pci-dma.c 2010-11-06 18:58:15.000000000 -0400
1101 @@ -43,7 +43,7 @@ struct device fallback_dev = {
1102 .dma_mask = &fallback_dev.coherent_dma_mask,
1105 -extern struct dma_map_ops intel_dma_ops;
1106 +extern const struct dma_map_ops intel_dma_ops;
1108 static int __init pci_iommu_init(void)
1110 diff -urNp linux-2.6.36.1/arch/ia64/kernel/pci-swiotlb.c linux-2.6.36.1/arch/ia64/kernel/pci-swiotlb.c
1111 --- linux-2.6.36.1/arch/ia64/kernel/pci-swiotlb.c 2010-10-20 16:30:22.000000000 -0400
1112 +++ linux-2.6.36.1/arch/ia64/kernel/pci-swiotlb.c 2010-11-06 18:58:15.000000000 -0400
1113 @@ -22,7 +22,7 @@ static void *ia64_swiotlb_alloc_coherent
1114 return swiotlb_alloc_coherent(dev, size, dma_handle, gfp);
1117 -struct dma_map_ops swiotlb_dma_ops = {
1118 +const struct dma_map_ops swiotlb_dma_ops = {
1119 .alloc_coherent = ia64_swiotlb_alloc_coherent,
1120 .free_coherent = swiotlb_free_coherent,
1121 .map_page = swiotlb_map_page,
1122 diff -urNp linux-2.6.36.1/arch/ia64/kernel/sys_ia64.c linux-2.6.36.1/arch/ia64/kernel/sys_ia64.c
1123 --- linux-2.6.36.1/arch/ia64/kernel/sys_ia64.c 2010-10-20 16:30:22.000000000 -0400
1124 +++ linux-2.6.36.1/arch/ia64/kernel/sys_ia64.c 2010-11-06 18:58:15.000000000 -0400
1125 @@ -43,6 +43,13 @@ arch_get_unmapped_area (struct file *fil
1126 if (REGION_NUMBER(addr) == RGN_HPAGE)
1130 +#ifdef CONFIG_PAX_RANDMMAP
1131 + if (mm->pax_flags & MF_PAX_RANDMMAP)
1132 + addr = mm->free_area_cache;
1137 addr = mm->free_area_cache;
1139 @@ -61,14 +68,14 @@ arch_get_unmapped_area (struct file *fil
1140 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
1141 /* At this point: (!vma || addr < vma->vm_end). */
1142 if (TASK_SIZE - len < addr || RGN_MAP_LIMIT - len < REGION_OFFSET(addr)) {
1143 - if (start_addr != TASK_UNMAPPED_BASE) {
1144 + if (start_addr != mm->mmap_base) {
1145 /* Start a new search --- just in case we missed some holes. */
1146 - addr = TASK_UNMAPPED_BASE;
1147 + addr = mm->mmap_base;
1152 - if (!vma || addr + len <= vma->vm_start) {
1153 + if (check_heap_stack_gap(vma, addr, len)) {
1154 /* Remember the address where we stopped this search: */
1155 mm->free_area_cache = addr + len;
1157 diff -urNp linux-2.6.36.1/arch/ia64/kernel/vmlinux.lds.S linux-2.6.36.1/arch/ia64/kernel/vmlinux.lds.S
1158 --- linux-2.6.36.1/arch/ia64/kernel/vmlinux.lds.S 2010-10-20 16:30:22.000000000 -0400
1159 +++ linux-2.6.36.1/arch/ia64/kernel/vmlinux.lds.S 2010-11-06 18:58:15.000000000 -0400
1160 @@ -199,7 +199,7 @@ SECTIONS {
1162 . = ALIGN(PERCPU_PAGE_SIZE);
1163 PERCPU_VADDR(PERCPU_ADDR, :percpu)
1164 - __phys_per_cpu_start = __per_cpu_load;
1165 + __phys_per_cpu_start = per_cpu_load;
1167 * ensure percpu data fits
1168 * into percpu page size
1169 diff -urNp linux-2.6.36.1/arch/ia64/mm/fault.c linux-2.6.36.1/arch/ia64/mm/fault.c
1170 --- linux-2.6.36.1/arch/ia64/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
1171 +++ linux-2.6.36.1/arch/ia64/mm/fault.c 2010-11-06 18:58:15.000000000 -0400
1172 @@ -72,6 +72,23 @@ mapped_kernel_page_is_present (unsigned
1173 return pte_present(pte);
1176 +#ifdef CONFIG_PAX_PAGEEXEC
1177 +void pax_report_insns(void *pc, void *sp)
1181 + printk(KERN_ERR "PAX: bytes at PC: ");
1182 + for (i = 0; i < 8; i++) {
1184 + if (get_user(c, (unsigned int *)pc+i))
1185 + printk(KERN_CONT "???????? ");
1187 + printk(KERN_CONT "%08x ", c);
1194 ia64_do_page_fault (unsigned long address, unsigned long isr, struct pt_regs *regs)
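Review bot: pax_report_insns has no header comment, and in the lines visible here its `sp` parameter is never used while the loop reads eight `unsigned int` words at `pc` with get_user and prints them; the MIPS counterpart added later in this patch prints five words with the same shape. A short comment such as `/* Dump the 8 instruction words at the faulting PC into the kernel log; words that cannot be read are shown as ???????? */` above the function, plus a note on why `sp` is accepted (kept for a common prototype, presumably), would document the contract. Several of the function's lines are dropped from this listing, so the unused-parameter point should be confirmed against the full hunk.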
1196 @@ -145,9 +162,23 @@ ia64_do_page_fault (unsigned long addres
1197 mask = ( (((isr >> IA64_ISR_X_BIT) & 1UL) << VM_EXEC_BIT)
1198 | (((isr >> IA64_ISR_W_BIT) & 1UL) << VM_WRITE_BIT));
1200 - if ((vma->vm_flags & mask) != mask)
1201 + if ((vma->vm_flags & mask) != mask) {
1203 +#ifdef CONFIG_PAX_PAGEEXEC
1204 + if (!(vma->vm_flags & VM_EXEC) && (mask & VM_EXEC)) {
1205 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || address != regs->cr_iip)
1208 + up_read(&mm->mmap_sem);
1209 + pax_report_fault(regs, (void *)regs->cr_iip, (void *)regs->r12);
1210 + do_group_exit(SIGKILL);
1219 * If for any reason at all we couldn't handle the fault, make
1220 * sure we exit gracefully rather than endlessly redo the
1221 diff -urNp linux-2.6.36.1/arch/ia64/mm/hugetlbpage.c linux-2.6.36.1/arch/ia64/mm/hugetlbpage.c
1222 --- linux-2.6.36.1/arch/ia64/mm/hugetlbpage.c 2010-10-20 16:30:22.000000000 -0400
1223 +++ linux-2.6.36.1/arch/ia64/mm/hugetlbpage.c 2010-11-06 18:58:15.000000000 -0400
1224 @@ -171,7 +171,7 @@ unsigned long hugetlb_get_unmapped_area(
1225 /* At this point: (!vmm || addr < vmm->vm_end). */
1226 if (REGION_OFFSET(addr) + len > RGN_MAP_LIMIT)
1228 - if (!vmm || (addr + len) <= vmm->vm_start)
1229 + if (check_heap_stack_gap(vmm, addr, len))
1231 addr = ALIGN(vmm->vm_end, HPAGE_SIZE);
1233 diff -urNp linux-2.6.36.1/arch/ia64/mm/init.c linux-2.6.36.1/arch/ia64/mm/init.c
1234 --- linux-2.6.36.1/arch/ia64/mm/init.c 2010-10-20 16:30:22.000000000 -0400
1235 +++ linux-2.6.36.1/arch/ia64/mm/init.c 2010-11-06 18:58:15.000000000 -0400
1236 @@ -122,6 +122,19 @@ ia64_init_addr_space (void)
1237 vma->vm_start = current->thread.rbs_bot & PAGE_MASK;
1238 vma->vm_end = vma->vm_start + PAGE_SIZE;
1239 vma->vm_flags = VM_DATA_DEFAULT_FLAGS|VM_GROWSUP|VM_ACCOUNT;
1241 +#ifdef CONFIG_PAX_PAGEEXEC
1242 + if (current->mm->pax_flags & MF_PAX_PAGEEXEC) {
1243 + vma->vm_flags &= ~VM_EXEC;
1245 +#ifdef CONFIG_PAX_MPROTECT
1246 + if (current->mm->pax_flags & MF_PAX_MPROTECT)
1247 + vma->vm_flags &= ~VM_MAYEXEC;
1253 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
1254 down_write(¤t->mm->mmap_sem);
1255 if (insert_vm_struct(current->mm, vma)) {
1256 diff -urNp linux-2.6.36.1/arch/ia64/sn/pci/pci_dma.c linux-2.6.36.1/arch/ia64/sn/pci/pci_dma.c
1257 --- linux-2.6.36.1/arch/ia64/sn/pci/pci_dma.c 2010-10-20 16:30:22.000000000 -0400
1258 +++ linux-2.6.36.1/arch/ia64/sn/pci/pci_dma.c 2010-11-06 18:58:15.000000000 -0400
1259 @@ -465,7 +465,7 @@ int sn_pci_legacy_write(struct pci_bus *
1263 -static struct dma_map_ops sn_dma_ops = {
1264 +static const struct dma_map_ops sn_dma_ops = {
1265 .alloc_coherent = sn_dma_alloc_coherent,
1266 .free_coherent = sn_dma_free_coherent,
1267 .map_page = sn_dma_map_page,
1268 diff -urNp linux-2.6.36.1/arch/m32r/lib/usercopy.c linux-2.6.36.1/arch/m32r/lib/usercopy.c
1269 --- linux-2.6.36.1/arch/m32r/lib/usercopy.c 2010-10-20 16:30:22.000000000 -0400
1270 +++ linux-2.6.36.1/arch/m32r/lib/usercopy.c 2010-11-06 18:58:15.000000000 -0400
1273 __generic_copy_to_user(void __user *to, const void *from, unsigned long n)
1279 if (access_ok(VERIFY_WRITE, to, n))
1280 __copy_user(to,from,n);
1281 @@ -23,6 +26,9 @@ __generic_copy_to_user(void __user *to,
1283 __generic_copy_from_user(void *to, const void __user *from, unsigned long n)
1289 if (access_ok(VERIFY_READ, from, n))
1290 __copy_user_zeroing(to,from,n);
1291 diff -urNp linux-2.6.36.1/arch/microblaze/include/asm/device.h linux-2.6.36.1/arch/microblaze/include/asm/device.h
1292 --- linux-2.6.36.1/arch/microblaze/include/asm/device.h 2010-10-20 16:30:22.000000000 -0400
1293 +++ linux-2.6.36.1/arch/microblaze/include/asm/device.h 2010-11-06 18:58:15.000000000 -0400
1294 @@ -13,7 +13,7 @@ struct device_node;
1296 struct dev_archdata {
1297 /* DMA operations on that device */
1298 - struct dma_map_ops *dma_ops;
1299 + const struct dma_map_ops *dma_ops;
1303 diff -urNp linux-2.6.36.1/arch/microblaze/include/asm/dma-mapping.h linux-2.6.36.1/arch/microblaze/include/asm/dma-mapping.h
1304 --- linux-2.6.36.1/arch/microblaze/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
1305 +++ linux-2.6.36.1/arch/microblaze/include/asm/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
1306 @@ -43,14 +43,14 @@ static inline unsigned long device_to_ma
1307 return 0xfffffffful;
1310 -extern struct dma_map_ops *dma_ops;
1311 +extern const struct dma_map_ops *dma_ops;
1314 * Available generic sets of operations
1316 -extern struct dma_map_ops dma_direct_ops;
1317 +extern const struct dma_map_ops dma_direct_ops;
1319 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
1320 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
1322 /* We don't handle the NULL dev case for ISA for now. We could
1323 * do it via an out of line call but it is not needed for now. The
1324 @@ -63,14 +63,14 @@ static inline struct dma_map_ops *get_dm
1325 return dev->archdata.dma_ops;
1328 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
1329 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
1331 dev->archdata.dma_ops = ops;
1334 static inline int dma_supported(struct device *dev, u64 mask)
1336 - struct dma_map_ops *ops = get_dma_ops(dev);
1337 + const struct dma_map_ops *ops = get_dma_ops(dev);
1341 @@ -81,7 +81,7 @@ static inline int dma_supported(struct d
1343 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
1345 - struct dma_map_ops *ops = get_dma_ops(dev);
1346 + const struct dma_map_ops *ops = get_dma_ops(dev);
1348 if (unlikely(ops == NULL))
1350 @@ -97,7 +97,7 @@ static inline int dma_set_mask(struct de
1352 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
1354 - struct dma_map_ops *ops = get_dma_ops(dev);
1355 + const struct dma_map_ops *ops = get_dma_ops(dev);
1356 if (ops->mapping_error)
1357 return ops->mapping_error(dev, dma_addr);
1359 @@ -110,7 +110,7 @@ static inline int dma_mapping_error(stru
1360 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
1361 dma_addr_t *dma_handle, gfp_t flag)
1363 - struct dma_map_ops *ops = get_dma_ops(dev);
1364 + const struct dma_map_ops *ops = get_dma_ops(dev);
1368 @@ -124,7 +124,7 @@ static inline void *dma_alloc_coherent(s
1369 static inline void dma_free_coherent(struct device *dev, size_t size,
1370 void *cpu_addr, dma_addr_t dma_handle)
1372 - struct dma_map_ops *ops = get_dma_ops(dev);
1373 + const struct dma_map_ops *ops = get_dma_ops(dev);
1376 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
1377 diff -urNp linux-2.6.36.1/arch/microblaze/include/asm/pci.h linux-2.6.36.1/arch/microblaze/include/asm/pci.h
1378 --- linux-2.6.36.1/arch/microblaze/include/asm/pci.h 2010-10-20 16:30:22.000000000 -0400
1379 +++ linux-2.6.36.1/arch/microblaze/include/asm/pci.h 2010-11-06 18:58:15.000000000 -0400
1380 @@ -54,8 +54,8 @@ static inline void pcibios_penalize_isa_
1384 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
1385 -extern struct dma_map_ops *get_pci_dma_ops(void);
1386 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
1387 +extern const struct dma_map_ops *get_pci_dma_ops(void);
1388 #else /* CONFIG_PCI */
1389 #define set_pci_dma_ops(d)
1390 #define get_pci_dma_ops() NULL
1391 diff -urNp linux-2.6.36.1/arch/microblaze/kernel/dma.c linux-2.6.36.1/arch/microblaze/kernel/dma.c
1392 --- linux-2.6.36.1/arch/microblaze/kernel/dma.c 2010-10-20 16:30:22.000000000 -0400
1393 +++ linux-2.6.36.1/arch/microblaze/kernel/dma.c 2010-11-06 18:58:15.000000000 -0400
1394 @@ -133,7 +133,7 @@ static inline void dma_direct_unmap_page
1395 __dma_sync_page(dma_address, 0 , size, direction);
1398 -struct dma_map_ops dma_direct_ops = {
1399 +const struct dma_map_ops dma_direct_ops = {
1400 .alloc_coherent = dma_direct_alloc_coherent,
1401 .free_coherent = dma_direct_free_coherent,
1402 .map_sg = dma_direct_map_sg,
1403 diff -urNp linux-2.6.36.1/arch/microblaze/kernel/kgdb.c linux-2.6.36.1/arch/microblaze/kernel/kgdb.c
1404 --- linux-2.6.36.1/arch/microblaze/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
1405 +++ linux-2.6.36.1/arch/microblaze/kernel/kgdb.c 2010-11-06 18:58:15.000000000 -0400
1406 @@ -142,6 +142,6 @@ void kgdb_arch_exit(void)
1410 -struct kgdb_arch arch_kgdb_ops = {
1411 +const struct kgdb_arch arch_kgdb_ops = {
1412 .gdb_bpt_instr = {0xba, 0x0c, 0x00, 0x18}, /* brki r16, 0x18 */
1414 diff -urNp linux-2.6.36.1/arch/microblaze/pci/pci-common.c linux-2.6.36.1/arch/microblaze/pci/pci-common.c
1415 --- linux-2.6.36.1/arch/microblaze/pci/pci-common.c 2010-10-20 16:30:22.000000000 -0400
1416 +++ linux-2.6.36.1/arch/microblaze/pci/pci-common.c 2010-11-06 18:58:15.000000000 -0400
1417 @@ -47,14 +47,14 @@ resource_size_t isa_mem_base;
1418 /* Default PCI flags is 0 on ppc32, modified at boot on ppc64 */
1419 unsigned int pci_flags;
1421 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1422 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
1424 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
1425 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
1427 pci_dma_ops = dma_ops;
1430 -struct dma_map_ops *get_pci_dma_ops(void)
1431 +const struct dma_map_ops *get_pci_dma_ops(void)
1435 diff -urNp linux-2.6.36.1/arch/mips/alchemy/devboards/pm.c linux-2.6.36.1/arch/mips/alchemy/devboards/pm.c
1436 --- linux-2.6.36.1/arch/mips/alchemy/devboards/pm.c 2010-10-20 16:30:22.000000000 -0400
1437 +++ linux-2.6.36.1/arch/mips/alchemy/devboards/pm.c 2010-11-06 18:58:15.000000000 -0400
1438 @@ -110,7 +110,7 @@ static void db1x_pm_end(void)
1442 -static struct platform_suspend_ops db1x_pm_ops = {
1443 +static const struct platform_suspend_ops db1x_pm_ops = {
1444 .valid = suspend_valid_only_mem,
1445 .begin = db1x_pm_begin,
1446 .enter = db1x_pm_enter,
1447 diff -urNp linux-2.6.36.1/arch/mips/include/asm/elf.h linux-2.6.36.1/arch/mips/include/asm/elf.h
1448 --- linux-2.6.36.1/arch/mips/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
1449 +++ linux-2.6.36.1/arch/mips/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
1450 @@ -368,6 +368,13 @@ extern const char *__elf_platform;
1451 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
1454 +#ifdef CONFIG_PAX_ASLR
1455 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1457 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1458 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1461 #define ARCH_HAS_SETUP_ADDITIONAL_PAGES 1
1462 struct linux_binprm;
1463 extern int arch_setup_additional_pages(struct linux_binprm *bprm,
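Review bot: Both arms of the conditional in `PAX_ELF_ET_DYN_BASE` yield the same value, `0x00400000UL`, so the `test_thread_flag(TIF_32BIT_ADDR)` test does nothing; the same expression is repeated in the binfmt_elfn32.c and binfmt_elfo32.c hunks below. If one base for both address sizes is intended, `#define PAX_ELF_ET_DYN_BASE 0x00400000UL` says so without the dead test; if a different 64-bit base was meant, this is where it is missing. The neighbouring PAX_DELTA_* lines do differ by address size, which is what makes the redundant arm stand out.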
1464 diff -urNp linux-2.6.36.1/arch/mips/include/asm/page.h linux-2.6.36.1/arch/mips/include/asm/page.h
1465 --- linux-2.6.36.1/arch/mips/include/asm/page.h 2010-10-20 16:30:22.000000000 -0400
1466 +++ linux-2.6.36.1/arch/mips/include/asm/page.h 2010-11-06 18:58:15.000000000 -0400
1467 @@ -93,7 +93,7 @@ extern void copy_user_highpage(struct pa
1468 #ifdef CONFIG_CPU_MIPS32
1469 typedef struct { unsigned long pte_low, pte_high; } pte_t;
1470 #define pte_val(x) ((x).pte_low | ((unsigned long long)(x).pte_high << 32))
1471 - #define __pte(x) ({ pte_t __pte = {(x), ((unsigned long long)(x)) >> 32}; __pte; })
1472 + #define __pte(x) ({ pte_t __pte = {(x), (x) >> 32}; __pte; })
1474 typedef struct { unsigned long long pte; } pte_t;
1475 #define pte_val(x) ((x).pte)
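Review bot: Dropping the `(unsigned long long)` cast makes `(x) >> 32` well-defined only if every caller passes a 64-bit value: on this 32-bit configuration a caller handing in an `unsigned long` now shifts by the full width of its type, which is undefined behaviour (and normally a compiler warning), where the old form evaluated to 0. If the cast was removed so that `__pte()` accepts only 64-bit inputs, a comment saying so, or a `BUILD_BUG_ON(sizeof(x) != sizeof(unsigned long long))` inside the statement expression, would make that contract explicit; otherwise the cast should stay.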
1476 diff -urNp linux-2.6.36.1/arch/mips/include/asm/system.h linux-2.6.36.1/arch/mips/include/asm/system.h
1477 --- linux-2.6.36.1/arch/mips/include/asm/system.h 2010-10-20 16:30:22.000000000 -0400
1478 +++ linux-2.6.36.1/arch/mips/include/asm/system.h 2010-11-06 18:58:15.000000000 -0400
1479 @@ -234,6 +234,6 @@ extern void per_cpu_trap_init(void);
1481 #define __ARCH_WANT_UNLOCKED_CTXSW
1483 -extern unsigned long arch_align_stack(unsigned long sp);
1484 +#define arch_align_stack(x) ((x) & ALMASK)
1486 #endif /* _ASM_SYSTEM_H */
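Review bot: Replacing arch_align_stack() with `((x) & ALMASK)` removes the sub-page randomisation of the initial stack pointer that the deleted body applied under `randomize_va_space` (see the arch/mips/kernel/process.c hunk below), and it does so for every build, not only when the PaX stack randomisation (PAX_DELTA_STACK_LEN) is configured in. If the PaX placement is meant to supersede it, a comment on the macro such as `/* stack top randomisation is done by PaX (PAX_DELTA_STACK_LEN); only align here */` records the trade-off; if PaX ASLR can be compiled out, the randomising version should remain as the fallback so those kernels do not lose entropy they had before.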
1487 diff -urNp linux-2.6.36.1/arch/mips/jz4740/pm.c linux-2.6.36.1/arch/mips/jz4740/pm.c
1488 --- linux-2.6.36.1/arch/mips/jz4740/pm.c 2010-10-20 16:30:22.000000000 -0400
1489 +++ linux-2.6.36.1/arch/mips/jz4740/pm.c 2010-11-06 18:58:15.000000000 -0400
1490 @@ -42,7 +42,7 @@ static int jz4740_pm_enter(suspend_state
1494 -static struct platform_suspend_ops jz4740_pm_ops = {
1495 +static const struct platform_suspend_ops jz4740_pm_ops = {
1496 .valid = suspend_valid_only_mem,
1497 .enter = jz4740_pm_enter,
1499 diff -urNp linux-2.6.36.1/arch/mips/kernel/binfmt_elfn32.c linux-2.6.36.1/arch/mips/kernel/binfmt_elfn32.c
1500 --- linux-2.6.36.1/arch/mips/kernel/binfmt_elfn32.c 2010-10-20 16:30:22.000000000 -0400
1501 +++ linux-2.6.36.1/arch/mips/kernel/binfmt_elfn32.c 2010-11-06 18:58:15.000000000 -0400
1502 @@ -50,6 +50,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1503 #undef ELF_ET_DYN_BASE
1504 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1506 +#ifdef CONFIG_PAX_ASLR
1507 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1509 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1510 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1513 #include <asm/processor.h>
1514 #include <linux/module.h>
1515 #include <linux/elfcore.h>
1516 diff -urNp linux-2.6.36.1/arch/mips/kernel/binfmt_elfo32.c linux-2.6.36.1/arch/mips/kernel/binfmt_elfo32.c
1517 --- linux-2.6.36.1/arch/mips/kernel/binfmt_elfo32.c 2010-10-20 16:30:22.000000000 -0400
1518 +++ linux-2.6.36.1/arch/mips/kernel/binfmt_elfo32.c 2010-11-06 18:58:15.000000000 -0400
1519 @@ -52,6 +52,13 @@ typedef elf_fpreg_t elf_fpregset_t[ELF_N
1520 #undef ELF_ET_DYN_BASE
1521 #define ELF_ET_DYN_BASE (TASK32_SIZE / 3 * 2)
1523 +#ifdef CONFIG_PAX_ASLR
1524 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT_ADDR) ? 0x00400000UL : 0x00400000UL)
1526 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1527 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT_ADDR) ? 27-PAGE_SHIFT : 36-PAGE_SHIFT)
1530 #include <asm/processor.h>
1533 diff -urNp linux-2.6.36.1/arch/mips/kernel/kgdb.c linux-2.6.36.1/arch/mips/kernel/kgdb.c
1534 --- linux-2.6.36.1/arch/mips/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
1535 +++ linux-2.6.36.1/arch/mips/kernel/kgdb.c 2010-11-06 18:58:15.000000000 -0400
1536 @@ -351,6 +351,7 @@ int kgdb_arch_handle_exception(int vecto
1540 +/* cannot be const, see kgdb_arch_init */
1541 struct kgdb_arch arch_kgdb_ops;
1544 diff -urNp linux-2.6.36.1/arch/mips/kernel/process.c linux-2.6.36.1/arch/mips/kernel/process.c
1545 --- linux-2.6.36.1/arch/mips/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
1546 +++ linux-2.6.36.1/arch/mips/kernel/process.c 2010-11-06 18:58:15.000000000 -0400
1547 @@ -474,15 +474,3 @@ unsigned long get_wchan(struct task_stru
1553 - * Don't forget that the stack pointer must be aligned on a 8 bytes
1554 - * boundary for 32-bits ABI and 16 bytes for 64-bits ABI.
1556 -unsigned long arch_align_stack(unsigned long sp)
1558 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
1559 - sp -= get_random_int() & ~PAGE_MASK;
1561 - return sp & ALMASK;
1563 diff -urNp linux-2.6.36.1/arch/mips/kernel/syscall.c linux-2.6.36.1/arch/mips/kernel/syscall.c
1564 --- linux-2.6.36.1/arch/mips/kernel/syscall.c 2010-10-20 16:30:22.000000000 -0400
1565 +++ linux-2.6.36.1/arch/mips/kernel/syscall.c 2010-11-06 18:58:15.000000000 -0400
1566 @@ -108,14 +108,18 @@ unsigned long arch_get_unmapped_area(str
1568 if (filp || (flags & MAP_SHARED))
1571 +#ifdef CONFIG_PAX_RANDMMAP
1572 + if (!(current->mm->pax_flags & MF_PAX_RANDMMAP))
1577 addr = COLOUR_ALIGN(addr, pgoff);
1579 addr = PAGE_ALIGN(addr);
1580 vmm = find_vma(current->mm, addr);
1581 - if (task_size - len >= addr &&
1582 - (!vmm || addr + len <= vmm->vm_start))
1583 + if (task_size - len >= addr && check_heap_stack_gap(vmm, addr, len))
1586 addr = current->mm->mmap_base;
1587 @@ -128,7 +132,7 @@ unsigned long arch_get_unmapped_area(str
1588 /* At this point: (!vmm || addr < vmm->vm_end). */
1589 if (task_size - len < addr)
1591 - if (!vmm || addr + len <= vmm->vm_start)
1592 + if (check_heap_stack_gap(vmm, addr, len))
1596 diff -urNp linux-2.6.36.1/arch/mips/loongson/common/pm.c linux-2.6.36.1/arch/mips/loongson/common/pm.c
1597 --- linux-2.6.36.1/arch/mips/loongson/common/pm.c 2010-10-20 16:30:22.000000000 -0400
1598 +++ linux-2.6.36.1/arch/mips/loongson/common/pm.c 2010-11-06 18:58:15.000000000 -0400
1599 @@ -147,7 +147,7 @@ static int loongson_pm_valid_state(suspe
1603 -static struct platform_suspend_ops loongson_pm_ops = {
1604 +static const struct platform_suspend_ops loongson_pm_ops = {
1605 .valid = loongson_pm_valid_state,
1606 .enter = loongson_pm_enter,
1608 diff -urNp linux-2.6.36.1/arch/mips/mm/fault.c linux-2.6.36.1/arch/mips/mm/fault.c
1609 --- linux-2.6.36.1/arch/mips/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
1610 +++ linux-2.6.36.1/arch/mips/mm/fault.c 2010-11-06 18:58:15.000000000 -0400
1612 #include <asm/highmem.h> /* For VMALLOC_END */
1613 #include <linux/kdebug.h>
1615 +#ifdef CONFIG_PAX_PAGEEXEC
1616 +void pax_report_insns(void *pc, void *sp)
1620 + printk(KERN_ERR "PAX: bytes at PC: ");
1621 + for (i = 0; i < 5; i++) {
1623 + if (get_user(c, (unsigned int *)pc+i))
1624 + printk(KERN_CONT "???????? ");
1626 + printk(KERN_CONT "%08x ", c);
1633 * This routine handles page faults. It determines the address,
1634 * and the problem, and then passes it off to one of the appropriate
1635 diff -urNp linux-2.6.36.1/arch/parisc/include/asm/elf.h linux-2.6.36.1/arch/parisc/include/asm/elf.h
1636 --- linux-2.6.36.1/arch/parisc/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
1637 +++ linux-2.6.36.1/arch/parisc/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
1638 @@ -342,6 +342,13 @@ struct pt_regs; /* forward declaration..
1640 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE + 0x01000000)
1642 +#ifdef CONFIG_PAX_ASLR
1643 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
1645 +#define PAX_DELTA_MMAP_LEN 16
1646 +#define PAX_DELTA_STACK_LEN 16
1649 /* This yields a mask that user programs can use to figure out what
1650 instruction set this CPU supports. This could be done in user space,
1651 but it's not easy, and we've already done it here. */
1652 diff -urNp linux-2.6.36.1/arch/parisc/include/asm/pgtable.h linux-2.6.36.1/arch/parisc/include/asm/pgtable.h
1653 --- linux-2.6.36.1/arch/parisc/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
1654 +++ linux-2.6.36.1/arch/parisc/include/asm/pgtable.h 2010-11-06 18:58:15.000000000 -0400
1655 @@ -207,6 +207,17 @@
1656 #define PAGE_EXECREAD __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_EXEC |_PAGE_ACCESSED)
1657 #define PAGE_COPY PAGE_EXECREAD
1658 #define PAGE_RWX __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_EXEC |_PAGE_ACCESSED)
1660 +#ifdef CONFIG_PAX_PAGEEXEC
1661 +# define PAGE_SHARED_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_WRITE | _PAGE_ACCESSED)
1662 +# define PAGE_COPY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1663 +# define PAGE_READONLY_NOEXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | _PAGE_READ | _PAGE_ACCESSED)
1665 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
1666 +# define PAGE_COPY_NOEXEC PAGE_COPY
1667 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
1670 #define PAGE_KERNEL __pgprot(_PAGE_KERNEL)
1671 #define PAGE_KERNEL_RO __pgprot(_PAGE_KERNEL & ~_PAGE_WRITE)
1672 #define PAGE_KERNEL_UNC __pgprot(_PAGE_KERNEL | _PAGE_NO_CACHE)
1673 diff -urNp linux-2.6.36.1/arch/parisc/kernel/module.c linux-2.6.36.1/arch/parisc/kernel/module.c
1674 --- linux-2.6.36.1/arch/parisc/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
1675 +++ linux-2.6.36.1/arch/parisc/kernel/module.c 2010-11-06 18:58:15.000000000 -0400
1678 /* three functions to determine where in the module core
1679 * or init pieces the location is */
1680 +static inline int in_init_rx(struct module *me, void *loc)
1682 + return (loc >= me->module_init_rx &&
1683 + loc < (me->module_init_rx + me->init_size_rx));
1686 +static inline int in_init_rw(struct module *me, void *loc)
1688 + return (loc >= me->module_init_rw &&
1689 + loc < (me->module_init_rw + me->init_size_rw));
1692 static inline int in_init(struct module *me, void *loc)
1694 - return (loc >= me->module_init &&
1695 - loc <= (me->module_init + me->init_size));
1696 + return in_init_rx(me, loc) || in_init_rw(me, loc);
1699 +static inline int in_core_rx(struct module *me, void *loc)
1701 + return (loc >= me->module_core_rx &&
1702 + loc < (me->module_core_rx + me->core_size_rx));
1705 +static inline int in_core_rw(struct module *me, void *loc)
1707 + return (loc >= me->module_core_rw &&
1708 + loc < (me->module_core_rw + me->core_size_rw));
1711 static inline int in_core(struct module *me, void *loc)
1713 - return (loc >= me->module_core &&
1714 - loc <= (me->module_core + me->core_size));
1715 + return in_core_rx(me, loc) || in_core_rw(me, loc);
1718 static inline int in_local(struct module *me, void *loc)
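Review bot: The header comment `three functions to determine where in the module core or init pieces the location is` is now stale, since the hunk adds in_init_rx/in_init_rw/in_core_rx/in_core_rw and reduces in_init and in_core to wrappers over them. Suggest `/* helpers to determine whether a location lies in the module's core or init pieces; each piece is split into an rx (text) half and an rw (data) half */`. The rx/rw meaning is taken from the field names only; whether the rx half is actually mapped read-only is decided outside this file, so the comment should not promise more than that.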
1719 @@ -365,13 +387,13 @@ int module_frob_arch_sections(CONST Elf_
1722 /* align things a bit */
1723 - me->core_size = ALIGN(me->core_size, 16);
1724 - me->arch.got_offset = me->core_size;
1725 - me->core_size += gots * sizeof(struct got_entry);
1727 - me->core_size = ALIGN(me->core_size, 16);
1728 - me->arch.fdesc_offset = me->core_size;
1729 - me->core_size += fdescs * sizeof(Elf_Fdesc);
1730 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1731 + me->arch.got_offset = me->core_size_rw;
1732 + me->core_size_rw += gots * sizeof(struct got_entry);
1734 + me->core_size_rw = ALIGN(me->core_size_rw, 16);
1735 + me->arch.fdesc_offset = me->core_size_rw;
1736 + me->core_size_rw += fdescs * sizeof(Elf_Fdesc);
1738 me->arch.got_max = gots;
1739 me->arch.fdesc_max = fdescs;
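Review bot: The GOT and fdesc tables are now carved out of core_size_rw, but nothing says why they belong in the rw half rather than next to the text. The reason is visible in the get_got and get_fdesc hunks further down: entries are filled lazily after load (`got[i].addr` is searched and created on demand, and `fdesc->addr`/`fdesc->gp` are written under `/* Create new one */`), so they must stay writable; `/* GOT and fdesc tables are filled lazily by get_got()/get_fdesc(), so they live in the rw half */` above the first ALIGN would capture that. It is worth stating explicitly because function descriptors then hold code pointers in writable memory, and a later reader should not "fix" that by moving them to the rx half without reworking the lazy fill. The same module_core → module_core_rw substitution recurs in the get_got, get_fdesc and register_unwind_table hunks below.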
1740 @@ -389,7 +411,7 @@ static Elf64_Word get_got(struct module
1744 - got = me->module_core + me->arch.got_offset;
1745 + got = me->module_core_rw + me->arch.got_offset;
1746 for (i = 0; got[i].addr; i++)
1747 if (got[i].addr == value)
1749 @@ -407,7 +429,7 @@ static Elf64_Word get_got(struct module
1751 static Elf_Addr get_fdesc(struct module *me, unsigned long value)
1753 - Elf_Fdesc *fdesc = me->module_core + me->arch.fdesc_offset;
1754 + Elf_Fdesc *fdesc = me->module_core_rw + me->arch.fdesc_offset;
1757 printk(KERN_ERR "%s: zero OPD requested!\n", me->name);
1758 @@ -425,7 +447,7 @@ static Elf_Addr get_fdesc(struct module
1760 /* Create new one */
1761 fdesc->addr = value;
1762 - fdesc->gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1763 + fdesc->gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1764 return (Elf_Addr)fdesc;
1766 #endif /* CONFIG_64BIT */
1767 @@ -849,7 +871,7 @@ register_unwind_table(struct module *me,
1769 table = (unsigned char *)sechdrs[me->arch.unwind_section].sh_addr;
1770 end = table + sechdrs[me->arch.unwind_section].sh_size;
1771 - gp = (Elf_Addr)me->module_core + me->arch.got_offset;
1772 + gp = (Elf_Addr)me->module_core_rw + me->arch.got_offset;
1774 DEBUGP("register_unwind_table(), sect = %d at 0x%p - 0x%p (gp=0x%lx)\n",
1775 me->arch.unwind_section, table, end, gp);
1776 diff -urNp linux-2.6.36.1/arch/parisc/kernel/sys_parisc.c linux-2.6.36.1/arch/parisc/kernel/sys_parisc.c
1777 --- linux-2.6.36.1/arch/parisc/kernel/sys_parisc.c 2010-10-20 16:30:22.000000000 -0400
1778 +++ linux-2.6.36.1/arch/parisc/kernel/sys_parisc.c 2010-11-06 18:58:15.000000000 -0400
1779 @@ -43,7 +43,7 @@ static unsigned long get_unshared_area(u
1780 /* At this point: (!vma || addr < vma->vm_end). */
1781 if (TASK_SIZE - len < addr)
1783 - if (!vma || addr + len <= vma->vm_start)
1784 + if (check_heap_stack_gap(vma, addr, len))
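Review bot: `check_heap_stack_gap(vma, addr, len)` replaces the open-coded `!vma || addr + len <= vma->vm_start` test here and in the get_shared_area hunk below, but nothing in this file declares it and no comment says what condition it enforces beyond the old overlap test. Assuming it comes from a header added elsewhere in this patch, a short comment at the first use — `/* also keeps a guard gap between this mapping and a neighbouring stack/heap vma */` (adjusted to the helper's real contract) — would tell readers why the plain overlap check was not enough. Both call sites still rely on the preceding `TASK_SIZE - len < addr` test to rule out `addr + len` wrapping, so that guard must stay ahead of the helper call.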
1788 @@ -79,7 +79,7 @@ static unsigned long get_shared_area(str
1789 /* At this point: (!vma || addr < vma->vm_end). */
1790 if (TASK_SIZE - len < addr)
1792 - if (!vma || addr + len <= vma->vm_start)
1793 + if (check_heap_stack_gap(vma, addr, len))
1795 addr = DCACHE_ALIGN(vma->vm_end - offset) + offset;
1796 if (addr < vma->vm_end) /* handle wraparound */
1797 @@ -98,7 +98,7 @@ unsigned long arch_get_unmapped_area(str
1798 if (flags & MAP_FIXED)
1801 - addr = TASK_UNMAPPED_BASE;
1802 + addr = current->mm->mmap_base;
1805 addr = get_shared_area(filp->f_mapping, addr, len, pgoff);
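Review bot: `addr = current->mm->mmap_base;` replaces the fixed `TASK_UNMAPPED_BASE` as the search start without a comment; since mmap_base is per-mm (and presumably randomized when ASLR is in effect), `/* start from the per-mm, possibly randomized, mmap base instead of the fixed TASK_UNMAPPED_BASE */` would record the intent. The condition under which this assignment runs (the line between `if (flags & MAP_FIXED)` and the assignment) is not in the listing, and arch_get_unmapped_area continues outside the hunk.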
1806 diff -urNp linux-2.6.36.1/arch/parisc/kernel/traps.c linux-2.6.36.1/arch/parisc/kernel/traps.c
1807 --- linux-2.6.36.1/arch/parisc/kernel/traps.c 2010-10-20 16:30:22.000000000 -0400
1808 +++ linux-2.6.36.1/arch/parisc/kernel/traps.c 2010-11-06 18:58:15.000000000 -0400
1809 @@ -733,9 +733,7 @@ void notrace handle_interruption(int cod
1811 down_read(¤t->mm->mmap_sem);
1812 vma = find_vma(current->mm,regs->iaoq[0]);
1813 - if (vma && (regs->iaoq[0] >= vma->vm_start)
1814 - && (vma->vm_flags & VM_EXEC)) {
1816 + if (vma && (regs->iaoq[0] >= vma->vm_start)) {
1817 fault_address = regs->iaoq[0];
1818 fault_space = regs->iasq[0];
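Review bot: Dropping `&& (vma->vm_flags & VM_EXEC)` from the vma test in handle_interruption changes which instruction-fetch faults are treated as faults inside a known vma, and there is no comment explaining why. The likely reason — that the fault.c hunk in this patch now handles execute faults on non-executable vmas itself (it tests `acc_type & VM_EXEC` against instruction_pointer(regs) under CONFIG_PAX_PAGEEXEC) — is only visible in another file, so suggest `/* do not require VM_EXEC here: fetch faults in non-executable vmas are passed to do_page_fault, which applies the PAGEEXEC policy */` on the new `if`. handle_interruption starts and ends outside the hunk, and the else branch is not in the listing.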
1820 diff -urNp linux-2.6.36.1/arch/parisc/mm/fault.c linux-2.6.36.1/arch/parisc/mm/fault.c
1821 --- linux-2.6.36.1/arch/parisc/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
1822 +++ linux-2.6.36.1/arch/parisc/mm/fault.c 2010-11-06 18:58:15.000000000 -0400
1824 #include <linux/sched.h>
1825 #include <linux/interrupt.h>
1826 #include <linux/module.h>
1827 +#include <linux/unistd.h>
1829 #include <asm/uaccess.h>
1830 #include <asm/traps.h>
1831 @@ -52,7 +53,7 @@ DEFINE_PER_CPU(struct exception_data, ex
1832 static unsigned long
1833 parisc_acctyp(unsigned long code, unsigned int inst)
1835 - if (code == 6 || code == 16)
1836 + if (code == 6 || code == 7 || code == 16)
1839 switch (inst & 0xf0000000) {
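Review bot: `code == 7` is added to the trap codes that parisc_acctyp treats as instruction fetches without a comment, next to the equally bare 6 and 16. If I recall the PA-RISC trap numbering correctly, 6 is the instruction TLB miss, 7 the instruction access rights trap and 16 the non-access ITLB miss; a comment such as `/* 6 = ITLB miss, 7 = instruction access rights, 16 = non-access ITLB miss: all instruction fetches */` would make the intent checkable against the architecture manual. The branch body is not in the listing, so I assume it still returns VM_EXEC.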
1840 @@ -138,6 +139,116 @@ parisc_acctyp(unsigned long code, unsign
1844 +#ifdef CONFIG_PAX_PAGEEXEC
1846 + * PaX: decide what to do with offenders (instruction_pointer(regs) = fault address)
1848 + * returns 1 when task should be killed
1849 + * 2 when rt_sigreturn trampoline was detected
1850 + * 3 when unpatched PLT trampoline was detected
1852 +static int pax_handle_fetch_fault(struct pt_regs *regs)
1855 +#ifdef CONFIG_PAX_EMUPLT
1858 + do { /* PaX: unpatched PLT emulation */
1859 + unsigned int bl, depwi;
1861 + err = get_user(bl, (unsigned int *)instruction_pointer(regs));
1862 + err |= get_user(depwi, (unsigned int *)(instruction_pointer(regs)+4));
1867 + if (bl == 0xEA9F1FDDU && depwi == 0xD6801C1EU) {
1868 + unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;
1870 + err = get_user(ldw, (unsigned int *)addr);
1871 + err |= get_user(bv, (unsigned int *)(addr+4));
1872 + err |= get_user(ldw2, (unsigned int *)(addr+8));
1877 + if (ldw == 0x0E801096U &&
1878 + bv == 0xEAC0C000U &&
1879 + ldw2 == 0x0E881095U)
1881 + unsigned int resolver, map;
1883 + err = get_user(resolver, (unsigned int *)(instruction_pointer(regs)+8));
1884 + err |= get_user(map, (unsigned int *)(instruction_pointer(regs)+12));
1888 + regs->gr[20] = instruction_pointer(regs)+8;
1889 + regs->gr[21] = map;
1890 + regs->gr[22] = resolver;
1891 + regs->iaoq[0] = resolver | 3UL;
1892 + regs->iaoq[1] = regs->iaoq[0] + 4;
1899 +#ifdef CONFIG_PAX_EMUTRAMP
1901 +#ifndef CONFIG_PAX_EMUSIGRT
1902 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
1906 + do { /* PaX: rt_sigreturn emulation */
1907 + unsigned int ldi1, ldi2, bel, nop;
1909 + err = get_user(ldi1, (unsigned int *)instruction_pointer(regs));
1910 + err |= get_user(ldi2, (unsigned int *)(instruction_pointer(regs)+4));
1911 + err |= get_user(bel, (unsigned int *)(instruction_pointer(regs)+8));
1912 + err |= get_user(nop, (unsigned int *)(instruction_pointer(regs)+12));
1917 + if ((ldi1 == 0x34190000U || ldi1 == 0x34190002U) &&
1918 + ldi2 == 0x3414015AU &&
1919 + bel == 0xE4008200U &&
1920 + nop == 0x08000240U)
1922 + regs->gr[25] = (ldi1 & 2) >> 1;
1923 + regs->gr[20] = __NR_rt_sigreturn;
1924 + regs->gr[31] = regs->iaoq[1] + 16;
1925 + regs->sr[0] = regs->iasq[1];
1926 + regs->iaoq[0] = 0x100UL;
1927 + regs->iaoq[1] = regs->iaoq[0] + 4;
1928 + regs->iasq[0] = regs->sr[2];
1929 + regs->iasq[1] = regs->sr[2];
1938 +void pax_report_insns(void *pc, void *sp)
1942 + printk(KERN_ERR "PAX: bytes at PC: ");
1943 + for (i = 0; i < 5; i++) {
1945 + if (get_user(c, (unsigned int *)pc+i))
1946 + printk(KERN_CONT "???????? ");
1948 + printk(KERN_CONT "%08x ", c);
1954 int fixup_exception(struct pt_regs *regs)
1956 const struct exception_table_entry *fix;
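Review bot: In pax_handle_fetch_fault, `unsigned int ldw, bv, ldw2, addr = instruction_pointer(regs)-12;` stores a user address in a 32-bit `unsigned int` and then casts it back to a pointer for get_user(), which truncates on a 64-bit kernel; it happens to work if user space is always 32-bit on this architecture, but `unsigned long addr = instruction_pointer(regs) - 12;` costs nothing and matches the other address arithmetic in the function. The magic instruction words (0xEA9F1FDDU, 0xD6801C1EU, 0x0E801096U and the rt_sigreturn set) deserve a comment naming the instruction each encodes, and the register writes need one saying what they emulate — presumably the user privilege level in the low iaoq bits for `regs->iaoq[0] = resolver | 3UL`, and a branch into the syscall gateway page for `regs->iaoq[0] = 0x100UL` together with `regs->iasq[0] = regs->sr[2]`. `err` is accumulated from several get_user() calls, and the checks that consume it are among the lines not in this listing, so I assume each do-block bails out on error before using the words it read.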
1957 @@ -192,8 +303,33 @@ good_area:
1959 acc_type = parisc_acctyp(code,regs->iir);
1961 - if ((vma->vm_flags & acc_type) != acc_type)
1962 + if ((vma->vm_flags & acc_type) != acc_type) {
1964 +#ifdef CONFIG_PAX_PAGEEXEC
1965 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && (acc_type & VM_EXEC) &&
1966 + (address & ~3UL) == instruction_pointer(regs))
1968 + up_read(&mm->mmap_sem);
1969 + switch (pax_handle_fetch_fault(regs)) {
1971 +#ifdef CONFIG_PAX_EMUPLT
1976 +#ifdef CONFIG_PAX_EMUTRAMP
1982 + pax_report_fault(regs, (void *)instruction_pointer(regs), (void *)regs->gr[30]);
1983 + do_group_exit(SIGKILL);
1991 * If for any reason at all we couldn't handle the fault, make
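Review bot: `up_read(&mm->mmap_sem);` is issued before `switch (pax_handle_fetch_fault(regs))`, so every case of that switch must leave do_page_fault without reaching the retry/bad_area paths that expect the lock to still be held; the case bodies are not in this listing, so this is a point to confirm rather than a defect I can see (the default path ends in `do_group_exit(SIGKILL)`, which does not return). The `(address & ~3UL) == instruction_pointer(regs)` test also deserves a one-line comment, e.g. `/* iaoq carries the privilege level in its low two bits; strip them before comparing with the fault address */`, assuming that is what the mask is for. The enclosing do_page_fault body continues outside the hunk.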
1992 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/device.h linux-2.6.36.1/arch/powerpc/include/asm/device.h
1993 --- linux-2.6.36.1/arch/powerpc/include/asm/device.h 2010-10-20 16:30:22.000000000 -0400
1994 +++ linux-2.6.36.1/arch/powerpc/include/asm/device.h 2010-11-06 18:58:15.000000000 -0400
1995 @@ -11,7 +11,7 @@ struct device_node;
1997 struct dev_archdata {
1998 /* DMA operations on that device */
1999 - struct dma_map_ops *dma_ops;
2000 + const struct dma_map_ops *dma_ops;
2003 * When an iommu is in use, dma_data is used as a ptr to the base of the
2004 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/dma-mapping.h linux-2.6.36.1/arch/powerpc/include/asm/dma-mapping.h
2005 --- linux-2.6.36.1/arch/powerpc/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
2006 +++ linux-2.6.36.1/arch/powerpc/include/asm/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
2007 @@ -66,12 +66,13 @@ static inline unsigned long device_to_ma
2009 * Available generic sets of operations
2011 +/* cannot be const */
2013 extern struct dma_map_ops dma_iommu_ops;
2015 -extern struct dma_map_ops dma_direct_ops;
2016 +extern const struct dma_map_ops dma_direct_ops;
2018 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
2019 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
2021 /* We don't handle the NULL dev case for ISA for now. We could
2022 * do it via an out of line call but it is not needed for now. The
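Review bot: `/* cannot be const */` above `extern struct dma_map_ops dma_iommu_ops;` says what but not why, while the dma-iommu.c hunk in this patch gives the reason; the header is where most readers will meet the exception, so repeat the pointer here: `/* cannot be const, see arch/powerpc/platforms/cell/iommu.c */`. The remaining hunks in this header only add `const` to the local `dma_ops` pointers and to the set_dma_ops parameter, which is consistent with the device.h change making `dev_archdata.dma_ops` const.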
2023 @@ -84,7 +85,7 @@ static inline struct dma_map_ops *get_dm
2024 return dev->archdata.dma_ops;
2027 -static inline void set_dma_ops(struct device *dev, struct dma_map_ops *ops)
2028 +static inline void set_dma_ops(struct device *dev, const struct dma_map_ops *ops)
2030 dev->archdata.dma_ops = ops;
2032 @@ -118,7 +119,7 @@ static inline void set_dma_offset(struct
2034 static inline int dma_supported(struct device *dev, u64 mask)
2036 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2037 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2039 if (unlikely(dma_ops == NULL))
2041 @@ -129,7 +130,7 @@ static inline int dma_supported(struct d
2043 static inline int dma_set_mask(struct device *dev, u64 dma_mask)
2045 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2046 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2048 if (unlikely(dma_ops == NULL))
2050 @@ -144,7 +145,7 @@ static inline int dma_set_mask(struct de
2051 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
2052 dma_addr_t *dma_handle, gfp_t flag)
2054 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2055 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2059 @@ -159,7 +160,7 @@ static inline void *dma_alloc_coherent(s
2060 static inline void dma_free_coherent(struct device *dev, size_t size,
2061 void *cpu_addr, dma_addr_t dma_handle)
2063 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2064 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2068 @@ -170,7 +171,7 @@ static inline void dma_free_coherent(str
2070 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
2072 - struct dma_map_ops *dma_ops = get_dma_ops(dev);
2073 + const struct dma_map_ops *dma_ops = get_dma_ops(dev);
2075 if (dma_ops->mapping_error)
2076 return dma_ops->mapping_error(dev, dma_addr);
2077 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/elf.h linux-2.6.36.1/arch/powerpc/include/asm/elf.h
2078 --- linux-2.6.36.1/arch/powerpc/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
2079 +++ linux-2.6.36.1/arch/powerpc/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
2080 @@ -178,8 +178,19 @@ typedef elf_fpreg_t elf_vsrreghalf_t32[E
2081 the loader. We need to make sure that it is out of the way of the program
2082 that it will "exec", and that there is sufficient room for the brk. */
2084 -extern unsigned long randomize_et_dyn(unsigned long base);
2085 -#define ELF_ET_DYN_BASE (randomize_et_dyn(0x20000000))
2086 +#define ELF_ET_DYN_BASE (0x20000000)
2088 +#ifdef CONFIG_PAX_ASLR
2089 +#define PAX_ELF_ET_DYN_BASE (0x10000000UL)
2091 +#ifdef __powerpc64__
2092 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2093 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 16 : 28)
2095 +#define PAX_DELTA_MMAP_LEN 15
2096 +#define PAX_DELTA_STACK_LEN 15
2101 * Our registers are always unsigned longs, whether we're a 32 bit
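Review bot: Base randomization for ET_DYN (PIE) executables is lost when CONFIG_PAX_ASLR is off, because `ELF_ET_DYN_BASE` becomes the constant `(0x20000000)` instead of `randomize_et_dyn(0x20000000)`, and the second hunk of this file removes `arch_randomize_brk` as well; the PAX_* macros exist only under CONFIG_PAX_ASLR, so unless the generic ELF loader elsewhere in this patch re-introduces randomization for that configuration, a kernel built without PAX_ASLR ends up with a fixed PIE base and an unrandomized brk where it previously had both. If that is intended (randomization now comes only from the PaX ASLR path), say so next to the define, e.g. `/* fixed base; randomization of the ET_DYN base and brk is provided by the PaX ASLR code when CONFIG_PAX_ASLR is set */`. The removed randomize_et_dyn/arch_randomize_brk implementations are deleted in the process.c hunk at the end of this listing.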
2102 @@ -274,9 +285,6 @@ extern int arch_setup_additional_pages(s
2103 (0x7ff >> (PAGE_SHIFT - 12)) : \
2104 (0x3ffff >> (PAGE_SHIFT - 12)))
2106 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
2107 -#define arch_randomize_brk arch_randomize_brk
2109 #endif /* __KERNEL__ */
2112 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/iommu.h linux-2.6.36.1/arch/powerpc/include/asm/iommu.h
2113 --- linux-2.6.36.1/arch/powerpc/include/asm/iommu.h 2010-10-20 16:30:22.000000000 -0400
2114 +++ linux-2.6.36.1/arch/powerpc/include/asm/iommu.h 2010-11-06 18:58:15.000000000 -0400
2115 @@ -116,6 +116,9 @@ extern void iommu_init_early_iSeries(voi
2116 extern void iommu_init_early_dart(void);
2117 extern void iommu_init_early_pasemi(void);
2120 +extern int dma_iommu_dma_supported(struct device *dev, u64 mask);
2123 extern void pci_iommu_init(void);
2124 extern void pci_direct_iommu_init(void);
2125 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/kmap_types.h linux-2.6.36.1/arch/powerpc/include/asm/kmap_types.h
2126 --- linux-2.6.36.1/arch/powerpc/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
2127 +++ linux-2.6.36.1/arch/powerpc/include/asm/kmap_types.h 2010-11-06 18:58:15.000000000 -0400
2128 @@ -27,6 +27,7 @@ enum km_type {
2136 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/page_64.h linux-2.6.36.1/arch/powerpc/include/asm/page_64.h
2137 --- linux-2.6.36.1/arch/powerpc/include/asm/page_64.h 2010-10-20 16:30:22.000000000 -0400
2138 +++ linux-2.6.36.1/arch/powerpc/include/asm/page_64.h 2010-11-06 18:58:15.000000000 -0400
2139 @@ -172,15 +172,18 @@ do { \
2140 * stack by default, so in the absense of a PT_GNU_STACK program header
2141 * we turn execute permission off.
2143 -#define VM_STACK_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2144 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2145 +#define VM_STACK_DEFAULT_FLAGS32 \
2146 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2147 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2149 #define VM_STACK_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2150 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2152 +#ifndef CONFIG_PAX_PAGEEXEC
2153 #define VM_STACK_DEFAULT_FLAGS \
2154 (test_thread_flag(TIF_32BIT) ? \
2155 VM_STACK_DEFAULT_FLAGS32 : VM_STACK_DEFAULT_FLAGS64)
2158 #include <asm-generic/getorder.h>
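Review bot: VM_STACK_DEFAULT_FLAGS32 now includes VM_EXEC only when `current->personality & READ_IMPLIES_EXEC`, and VM_DATA_DEFAULT_FLAGS32 in the page.h hunk below gets the same treatment, but the surrounding context comments still describe the old always-executable behaviour (the page.h one ends with "the whole heap ends up being executable"). A short comment on each macro, e.g. `/* 32-bit stack/data is executable only when the personality requests READ_IMPLIES_EXEC */`, would reconcile them. The `#ifndef CONFIG_PAX_PAGEEXEC` around VM_STACK_DEFAULT_FLAGS has its else/endif outside the visible lines, so I cannot see what replaces it under PAGEEXEC.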
2160 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/page.h linux-2.6.36.1/arch/powerpc/include/asm/page.h
2161 --- linux-2.6.36.1/arch/powerpc/include/asm/page.h 2010-10-20 16:30:22.000000000 -0400
2162 +++ linux-2.6.36.1/arch/powerpc/include/asm/page.h 2010-11-06 18:58:15.000000000 -0400
2163 @@ -129,8 +129,9 @@ extern phys_addr_t kernstart_addr;
2164 * and needs to be executable. This means the whole heap ends
2165 * up being executable.
2167 -#define VM_DATA_DEFAULT_FLAGS32 (VM_READ | VM_WRITE | VM_EXEC | \
2168 - VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2169 +#define VM_DATA_DEFAULT_FLAGS32 \
2170 + (((current->personality & READ_IMPLIES_EXEC) ? VM_EXEC : 0) | \
2171 + VM_READ | VM_WRITE | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2173 #define VM_DATA_DEFAULT_FLAGS64 (VM_READ | VM_WRITE | \
2174 VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC)
2175 @@ -158,6 +159,9 @@ extern phys_addr_t kernstart_addr;
2176 #define is_kernel_addr(x) ((x) >= PAGE_OFFSET)
2179 +#define ktla_ktva(addr) (addr)
2180 +#define ktva_ktla(addr) (addr)
2182 #ifndef __ASSEMBLY__
2184 #undef STRICT_MM_TYPECHECKS
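Review bot: `ktla_ktva(addr)` and `ktva_ktla(addr)` are added as bare identity macros with no comment, so a reader of this header cannot tell what they map between or why the mapping is trivial here. If they are the kernel-text linear/virtual address helpers that other architectures in this patch implement non-trivially, say so: `/* kernel text linear <-> virtual address: identity on powerpc, no relocation of the text mapping is done here */` (adjusted to the real reason).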
2185 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/pci.h linux-2.6.36.1/arch/powerpc/include/asm/pci.h
2186 --- linux-2.6.36.1/arch/powerpc/include/asm/pci.h 2010-10-20 16:30:22.000000000 -0400
2187 +++ linux-2.6.36.1/arch/powerpc/include/asm/pci.h 2010-11-06 18:58:15.000000000 -0400
2188 @@ -65,8 +65,8 @@ static inline int pci_get_legacy_ide_irq
2192 -extern void set_pci_dma_ops(struct dma_map_ops *dma_ops);
2193 -extern struct dma_map_ops *get_pci_dma_ops(void);
2194 +extern void set_pci_dma_ops(const struct dma_map_ops *dma_ops);
2195 +extern const struct dma_map_ops *get_pci_dma_ops(void);
2196 #else /* CONFIG_PCI */
2197 #define set_pci_dma_ops(d)
2198 #define get_pci_dma_ops() NULL
2199 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/pte-hash32.h linux-2.6.36.1/arch/powerpc/include/asm/pte-hash32.h
2200 --- linux-2.6.36.1/arch/powerpc/include/asm/pte-hash32.h 2010-10-20 16:30:22.000000000 -0400
2201 +++ linux-2.6.36.1/arch/powerpc/include/asm/pte-hash32.h 2010-11-06 18:58:15.000000000 -0400
2203 #define _PAGE_FILE 0x004 /* when !present: nonlinear file mapping */
2204 #define _PAGE_USER 0x004 /* usermode access allowed */
2205 #define _PAGE_GUARDED 0x008 /* G: prohibit speculative access */
2206 +#define _PAGE_EXEC _PAGE_GUARDED
2207 #define _PAGE_COHERENT 0x010 /* M: enforce memory coherence (SMP systems) */
2208 #define _PAGE_NO_CACHE 0x020 /* I: cache inhibit */
2209 #define _PAGE_WRITETHRU 0x040 /* W: cache write-through */
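Review bot: `#define _PAGE_EXEC _PAGE_GUARDED` reuses the G bit as the exec-permission bit but carries no comment, and the polarity is not obvious: the existing comment on _PAGE_GUARDED says G *prohibits* speculative access, and the reg.h hunk adds `DSISR_GUARDED` described as "fetch from guarded storage", so presumably executable pages must end up with G clear and non-executable ones with G set, i.e. the bit is inverted somewhere when the hardware PTE is built (not in this hunk). A comment naming that place, e.g. `/* PaX: the G bit doubles as the exec bit; it is inverted when the hardware PTE is written */`, would save the next reader from concluding that exec pages are guarded. The hunk header is not in the listing, so I cannot tell the exact line range.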
2210 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/reg.h linux-2.6.36.1/arch/powerpc/include/asm/reg.h
2211 --- linux-2.6.36.1/arch/powerpc/include/asm/reg.h 2010-10-20 16:30:22.000000000 -0400
2212 +++ linux-2.6.36.1/arch/powerpc/include/asm/reg.h 2010-11-06 18:58:15.000000000 -0400
2214 #define SPRN_DBCR 0x136 /* e300 Data Breakpoint Control Reg */
2215 #define SPRN_DSISR 0x012 /* Data Storage Interrupt Status Register */
2216 #define DSISR_NOHPTE 0x40000000 /* no translation found */
2217 +#define DSISR_GUARDED 0x10000000 /* fetch from guarded storage */
2218 #define DSISR_PROTFAULT 0x08000000 /* protection fault */
2219 #define DSISR_ISSTORE 0x02000000 /* access was a store */
2220 #define DSISR_DABRMATCH 0x00400000 /* hit data breakpoint */
2221 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/swiotlb.h linux-2.6.36.1/arch/powerpc/include/asm/swiotlb.h
2222 --- linux-2.6.36.1/arch/powerpc/include/asm/swiotlb.h 2010-10-20 16:30:22.000000000 -0400
2223 +++ linux-2.6.36.1/arch/powerpc/include/asm/swiotlb.h 2010-11-06 18:58:15.000000000 -0400
2226 #include <linux/swiotlb.h>
2228 -extern struct dma_map_ops swiotlb_dma_ops;
2229 +extern const struct dma_map_ops swiotlb_dma_ops;
2231 static inline void dma_mark_clean(void *addr, size_t size) {}
2233 diff -urNp linux-2.6.36.1/arch/powerpc/include/asm/uaccess.h linux-2.6.36.1/arch/powerpc/include/asm/uaccess.h
2234 --- linux-2.6.36.1/arch/powerpc/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
2235 +++ linux-2.6.36.1/arch/powerpc/include/asm/uaccess.h 2010-11-06 18:58:15.000000000 -0400
2237 #define VERIFY_READ 0
2238 #define VERIFY_WRITE 1
2240 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
2243 * The fs value determines whether argument validity checking should be
2244 * performed or not. If get_fs() == USER_DS, checking is performed, with
2245 @@ -327,52 +329,6 @@ do { \
2246 extern unsigned long __copy_tofrom_user(void __user *to,
2247 const void __user *from, unsigned long size);
2249 -#ifndef __powerpc64__
2251 -static inline unsigned long copy_from_user(void *to,
2252 - const void __user *from, unsigned long n)
2254 - unsigned long over;
2256 - if (access_ok(VERIFY_READ, from, n))
2257 - return __copy_tofrom_user((__force void __user *)to, from, n);
2258 - if ((unsigned long)from < TASK_SIZE) {
2259 - over = (unsigned long)from + n - TASK_SIZE;
2260 - return __copy_tofrom_user((__force void __user *)to, from,
2266 -static inline unsigned long copy_to_user(void __user *to,
2267 - const void *from, unsigned long n)
2269 - unsigned long over;
2271 - if (access_ok(VERIFY_WRITE, to, n))
2272 - return __copy_tofrom_user(to, (__force void __user *)from, n);
2273 - if ((unsigned long)to < TASK_SIZE) {
2274 - over = (unsigned long)to + n - TASK_SIZE;
2275 - return __copy_tofrom_user(to, (__force void __user *)from,
2281 -#else /* __powerpc64__ */
2283 -#define __copy_in_user(to, from, size) \
2284 - __copy_tofrom_user((to), (from), (size))
2286 -extern unsigned long copy_from_user(void *to, const void __user *from,
2288 -extern unsigned long copy_to_user(void __user *to, const void *from,
2290 -extern unsigned long copy_in_user(void __user *to, const void __user *from,
2293 -#endif /* __powerpc64__ */
2295 static inline unsigned long __copy_from_user_inatomic(void *to,
2296 const void __user *from, unsigned long n)
2298 @@ -396,6 +352,10 @@ static inline unsigned long __copy_from_
2303 + if (!__builtin_constant_p(n))
2304 + check_object_size(to, n, false);
2306 return __copy_tofrom_user((__force void __user *)to, from, n);
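Review bot: `if (!__builtin_constant_p(n)) check_object_size(to, n, false);` exempts compile-time-constant lengths from the kernel-object bounds check, here and in the __copy_to_user hunk below, and nothing says why constant sizes are safe to skip. If the reason is that constant-length copies are verified by a compile-time mechanism elsewhere in the patch, a one-line comment — `/* constant lengths are checked at compile time; only runtime lengths need check_object_size() */` (adjusted to the real mechanism) — would stop a reader from "fixing" it by dropping the condition; if no such mechanism exists, the exemption is a gap and the condition should go. The function signatures are outside the hunk.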
2309 @@ -422,6 +382,10 @@ static inline unsigned long __copy_to_us
2314 + if (!__builtin_constant_p(n))
2315 + check_object_size(from, n, true);
2317 return __copy_tofrom_user(to, (__force const void __user *)from, n);
2320 @@ -439,6 +403,92 @@ static inline unsigned long __copy_to_us
2321 return __copy_to_user_inatomic(to, from, size);
2324 +#ifndef __powerpc64__
2326 +static inline unsigned long __must_check copy_from_user(void *to,
2327 + const void __user *from, unsigned long n)
2329 + unsigned long over;
2334 + if (access_ok(VERIFY_READ, from, n)) {
2335 + if (!__builtin_constant_p(n))
2336 + check_object_size(to, n, false);
2337 + return __copy_tofrom_user((__force void __user *)to, from, n);
2339 + if ((unsigned long)from < TASK_SIZE) {
2340 + over = (unsigned long)from + n - TASK_SIZE;
2341 + if (!__builtin_constant_p(n - over))
2342 + check_object_size(to, n - over, false);
2343 + return __copy_tofrom_user((__force void __user *)to, from,
2349 +static inline unsigned long __must_check copy_to_user(void __user *to,
2350 + const void *from, unsigned long n)
2352 + unsigned long over;
2357 + if (access_ok(VERIFY_WRITE, to, n)) {
2358 + if (!__builtin_constant_p(n))
2359 + check_object_size(from, n, true);
2360 + return __copy_tofrom_user(to, (__force void __user *)from, n);
2362 + if ((unsigned long)to < TASK_SIZE) {
2363 + over = (unsigned long)to + n - TASK_SIZE;
2364 + if (!__builtin_constant_p(n))
2365 + check_object_size(from, n - over, true);
2366 + return __copy_tofrom_user(to, (__force void __user *)from,
2372 +#else /* __powerpc64__ */
2374 +#define __copy_in_user(to, from, size) \
2375 + __copy_tofrom_user((to), (from), (size))
2377 +static inline unsigned long __must_check copy_from_user(void *to, const void __user *from, unsigned long n)
2379 + if ((long)n < 0 || n > INT_MAX)
2382 + if (!__builtin_constant_p(n))
2383 + check_object_size(to, n, false);
2385 + if (likely(access_ok(VERIFY_READ, from, n)))
2386 + n = __copy_from_user(to, from, n);
2392 +static inline unsigned long __must_check copy_to_user(void __user *to, const void *from, unsigned long n)
2394 + if ((long)n < 0 || n > INT_MAX)
2397 + if (likely(access_ok(VERIFY_WRITE, to, n))) {
2398 + if (!__builtin_constant_p(n))
2399 + check_object_size(from, n, true);
2400 + n = __copy_to_user(to, from, n);
2405 +extern unsigned long copy_in_user(void __user *to, const void __user *from,
2408 +#endif /* __powerpc64__ */
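Review bot: The partial-copy paths of the 32-bit copy_from_user and copy_to_user disagree: the former guards its check with `if (!__builtin_constant_p(n - over))`, the latter with `if (!__builtin_constant_p(n))` before `check_object_size(from, n - over, true)`. Since `over` is derived from the user pointer at runtime, `n - over` is never a compile-time constant, so the first form always runs the check while the second skips it for constant `n` even though the length actually copied is not constant; make both paths call `check_object_size(..., n - over, ...)` unconditionally, or make both test `n` if the constant-length exemption is deliberate. A smaller style point: the 64-bit copy_from_user calls check_object_size() before access_ok() while copy_to_user calls it inside the access_ok() branch, and the other helpers in this hunk use the inside-the-branch order. Several lines of these functions (the `return` statements and closing braces) are not in the listing.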
2410 extern unsigned long __clear_user(void __user *addr, unsigned long size);
2412 static inline unsigned long clear_user(void __user *addr, unsigned long size)
2413 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/dma.c linux-2.6.36.1/arch/powerpc/kernel/dma.c
2414 --- linux-2.6.36.1/arch/powerpc/kernel/dma.c 2010-10-20 16:30:22.000000000 -0400
2415 +++ linux-2.6.36.1/arch/powerpc/kernel/dma.c 2010-11-06 18:58:15.000000000 -0400
2416 @@ -135,7 +135,7 @@ static inline void dma_direct_sync_singl
2420 -struct dma_map_ops dma_direct_ops = {
2421 +const struct dma_map_ops dma_direct_ops = {
2422 .alloc_coherent = dma_direct_alloc_coherent,
2423 .free_coherent = dma_direct_free_coherent,
2424 .map_sg = dma_direct_map_sg,
2425 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/dma-iommu.c linux-2.6.36.1/arch/powerpc/kernel/dma-iommu.c
2426 --- linux-2.6.36.1/arch/powerpc/kernel/dma-iommu.c 2010-10-20 16:30:22.000000000 -0400
2427 +++ linux-2.6.36.1/arch/powerpc/kernel/dma-iommu.c 2010-11-06 18:58:15.000000000 -0400
2428 @@ -70,7 +70,7 @@ static void dma_iommu_unmap_sg(struct de
2431 /* We support DMA to/from any memory page via the iommu */
2432 -static int dma_iommu_dma_supported(struct device *dev, u64 mask)
2433 +int dma_iommu_dma_supported(struct device *dev, u64 mask)
2435 struct iommu_table *tbl = get_iommu_table_base(dev);
2437 @@ -89,6 +89,7 @@ static int dma_iommu_dma_supported(struc
2441 +/* cannot be const, see arch/powerpc/platforms/cell/iommu.c */
2442 struct dma_map_ops dma_iommu_ops = {
2443 .alloc_coherent = dma_iommu_alloc_coherent,
2444 .free_coherent = dma_iommu_free_coherent,
2445 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/dma-swiotlb.c linux-2.6.36.1/arch/powerpc/kernel/dma-swiotlb.c
2446 --- linux-2.6.36.1/arch/powerpc/kernel/dma-swiotlb.c 2010-10-20 16:30:22.000000000 -0400
2447 +++ linux-2.6.36.1/arch/powerpc/kernel/dma-swiotlb.c 2010-11-06 18:58:15.000000000 -0400
2448 @@ -31,7 +31,7 @@ unsigned int ppc_swiotlb_enable;
2449 * map_page, and unmap_page on highmem, use normal dma_ops
2450 * for everything else.
2452 -struct dma_map_ops swiotlb_dma_ops = {
2453 +const struct dma_map_ops swiotlb_dma_ops = {
2454 .alloc_coherent = dma_direct_alloc_coherent,
2455 .free_coherent = dma_direct_free_coherent,
2456 .map_sg = swiotlb_map_sg_attrs,
2457 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/exceptions-64e.S linux-2.6.36.1/arch/powerpc/kernel/exceptions-64e.S
2458 --- linux-2.6.36.1/arch/powerpc/kernel/exceptions-64e.S 2010-10-20 16:30:22.000000000 -0400
2459 +++ linux-2.6.36.1/arch/powerpc/kernel/exceptions-64e.S 2010-11-06 18:58:15.000000000 -0400
2460 @@ -495,6 +495,7 @@ storage_fault_common:
2463 addi r3,r1,STACK_FRAME_OVERHEAD
2467 ld r14,PACA_EXGEN+EX_R14(r13)
2468 @@ -504,8 +505,7 @@ storage_fault_common:
2471 b .ret_from_except_lite
2475 addi r3,r1,STACK_FRAME_OVERHEAD
2478 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/exceptions-64s.S linux-2.6.36.1/arch/powerpc/kernel/exceptions-64s.S
2479 --- linux-2.6.36.1/arch/powerpc/kernel/exceptions-64s.S 2010-10-20 16:30:22.000000000 -0400
2480 +++ linux-2.6.36.1/arch/powerpc/kernel/exceptions-64s.S 2010-11-06 18:58:15.000000000 -0400
2481 @@ -841,10 +841,10 @@ handle_page_fault:
2484 addi r3,r1,STACK_FRAME_OVERHEAD
2491 addi r3,r1,STACK_FRAME_OVERHEAD
2493 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/ibmebus.c linux-2.6.36.1/arch/powerpc/kernel/ibmebus.c
2494 --- linux-2.6.36.1/arch/powerpc/kernel/ibmebus.c 2010-10-20 16:30:22.000000000 -0400
2495 +++ linux-2.6.36.1/arch/powerpc/kernel/ibmebus.c 2010-11-06 18:58:15.000000000 -0400
2496 @@ -128,7 +128,7 @@ static int ibmebus_dma_supported(struct
2500 -static struct dma_map_ops ibmebus_dma_ops = {
2501 +static const struct dma_map_ops ibmebus_dma_ops = {
2502 .alloc_coherent = ibmebus_alloc_coherent,
2503 .free_coherent = ibmebus_free_coherent,
2504 .map_sg = ibmebus_map_sg,
2505 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/kgdb.c linux-2.6.36.1/arch/powerpc/kernel/kgdb.c
2506 --- linux-2.6.36.1/arch/powerpc/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
2507 +++ linux-2.6.36.1/arch/powerpc/kernel/kgdb.c 2010-11-06 18:58:15.000000000 -0400
2508 @@ -360,7 +360,7 @@ int kgdb_arch_handle_exception(int vecto
2512 -struct kgdb_arch arch_kgdb_ops = {
2513 +const struct kgdb_arch arch_kgdb_ops = {
2514 .gdb_bpt_instr = {0x7d, 0x82, 0x10, 0x08},
2517 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/module_32.c linux-2.6.36.1/arch/powerpc/kernel/module_32.c
2518 --- linux-2.6.36.1/arch/powerpc/kernel/module_32.c 2010-10-20 16:30:22.000000000 -0400
2519 +++ linux-2.6.36.1/arch/powerpc/kernel/module_32.c 2010-11-06 18:58:15.000000000 -0400
2520 @@ -162,7 +162,7 @@ int module_frob_arch_sections(Elf32_Ehdr
2521 me->arch.core_plt_section = i;
2523 if (!me->arch.core_plt_section || !me->arch.init_plt_section) {
2524 - printk("Module doesn't contain .plt or .init.plt sections.\n");
2525 + printk("Module %s doesn't contain .plt or .init.plt sections.\n", me->name);
2529 @@ -203,11 +203,16 @@ static uint32_t do_plt_call(void *locati
2531 DEBUGP("Doing plt for call to 0x%x at 0x%x\n", val, (unsigned int)location);
2532 /* Init, or core PLT? */
2533 - if (location >= mod->module_core
2534 - && location < mod->module_core + mod->core_size)
2535 + if ((location >= mod->module_core_rx && location < mod->module_core_rx + mod->core_size_rx) ||
2536 + (location >= mod->module_core_rw && location < mod->module_core_rw + mod->core_size_rw))
2537 entry = (void *)sechdrs[mod->arch.core_plt_section].sh_addr;
2539 + else if ((location >= mod->module_init_rx && location < mod->module_init_rx + mod->init_size_rx) ||
2540 + (location >= mod->module_init_rw && location < mod->module_init_rw + mod->init_size_rw))
2541 entry = (void *)sechdrs[mod->arch.init_plt_section].sh_addr;
2543 + printk(KERN_ERR "%s: invalid R_PPC_REL24 entry found\n", mod->name);
2547 /* Find this entry, or if that fails, the next avail. entry */
2548 while (entry->jump[0]) {
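Review bot: The new `else` path prints `%s: invalid R_PPC_REL24 entry found` but the statement following it is not in this listing; if the branch does not leave do_plt_call, `entry` is used uninitialized at `while (entry->jump[0])` a few lines later, so please confirm it returns. As a style point, the two four-way range tests duplicate what the parisc module.c hunk in this patch factors into in_core_rx/in_core_rw/in_init_rx/in_init_rw helpers; the same helpers here would shrink the condition to `if (in_core(mod, location))` / `else if (in_init(mod, location))`. The enclosing do_plt_call starts and ends outside the hunk.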
2549 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/module.c linux-2.6.36.1/arch/powerpc/kernel/module.c
2550 --- linux-2.6.36.1/arch/powerpc/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
2551 +++ linux-2.6.36.1/arch/powerpc/kernel/module.c 2010-11-06 18:58:15.000000000 -0400
2554 LIST_HEAD(module_bug_list);
2556 +#ifdef CONFIG_PAX_KERNEXEC
2557 void *module_alloc(unsigned long size)
2562 + return vmalloc(size);
2565 +void *module_alloc_exec(unsigned long size)
2567 +void *module_alloc(unsigned long size)
2574 return vmalloc_exec(size);
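Review bot: Under CONFIG_PAX_KERNEXEC module_alloc now returns plain `vmalloc(size)` while a new module_alloc_exec returns `vmalloc_exec(size)`, but neither carries a comment and most of the two bodies are not in this listing. Assuming the split is what it looks like — writable module memory is never executable and executable memory is only obtained through module_alloc_exec — say so above module_alloc, e.g. `/* KERNEXEC: module_alloc() hands out rw memory only; module text is allocated through module_alloc_exec() */`. The paired module_free_exec in the next hunk simply forwards to module_free.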
2577 @@ -45,6 +58,13 @@ void module_free(struct module *mod, voi
2578 vfree(module_region);
2581 +#ifdef CONFIG_PAX_KERNEXEC
2582 +void module_free_exec(struct module *mod, void *module_region)
2584 + module_free(mod, module_region);
2588 static const Elf_Shdr *find_section(const Elf_Ehdr *hdr,
2589 const Elf_Shdr *sechdrs,
2591 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/pci-common.c linux-2.6.36.1/arch/powerpc/kernel/pci-common.c
2592 --- linux-2.6.36.1/arch/powerpc/kernel/pci-common.c 2010-10-20 16:30:22.000000000 -0400
2593 +++ linux-2.6.36.1/arch/powerpc/kernel/pci-common.c 2010-11-06 18:58:15.000000000 -0400
2594 @@ -52,14 +52,14 @@ resource_size_t isa_mem_base;
2595 unsigned int ppc_pci_flags = 0;
2598 -static struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2599 +static const struct dma_map_ops *pci_dma_ops = &dma_direct_ops;
2601 -void set_pci_dma_ops(struct dma_map_ops *dma_ops)
2602 +void set_pci_dma_ops(const struct dma_map_ops *dma_ops)
2604 pci_dma_ops = dma_ops;
2607 -struct dma_map_ops *get_pci_dma_ops(void)
2608 +const struct dma_map_ops *get_pci_dma_ops(void)
2612 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/process.c linux-2.6.36.1/arch/powerpc/kernel/process.c
2613 --- linux-2.6.36.1/arch/powerpc/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
2614 +++ linux-2.6.36.1/arch/powerpc/kernel/process.c 2010-11-13 16:29:01.000000000 -0500
2615 @@ -654,8 +654,8 @@ void show_regs(struct pt_regs * regs)
2616 * Lookup NIP late so we have the best change of getting the
2617 * above info out without failing
2619 - printk("NIP ["REG"] %pS\n", regs->nip, (void *)regs->nip);
2620 - printk("LR ["REG"] %pS\n", regs->link, (void *)regs->link);
2621 + printk("NIP ["REG"] %pA\n", regs->nip, (void *)regs->nip);
2622 + printk("LR ["REG"] %pA\n", regs->link, (void *)regs->link);
2624 show_stack(current, (unsigned long *) regs->gpr[1]);
2625 if (!user_mode(regs))
2626 @@ -1145,10 +1145,10 @@ void show_stack(struct task_struct *tsk,
2628 ip = stack[STACK_FRAME_LR_SAVE];
2629 if (!firstframe || ip != lr) {
2630 - printk("["REG"] ["REG"] %pS", sp, ip, (void *)ip);
2631 + printk("["REG"] ["REG"] %pA", sp, ip, (void *)ip);
2632 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
2633 if ((ip == rth || ip == mrth) && curr_frame >= 0) {
2636 (void *)current->ret_stack[curr_frame].ret);
2639 @@ -1168,7 +1168,7 @@ void show_stack(struct task_struct *tsk,
2640 struct pt_regs *regs = (struct pt_regs *)
2641 (sp + STACK_FRAME_OVERHEAD);
2643 - printk("--- Exception: %lx at %pS\n LR = %pS\n",
2644 + printk("--- Exception: %lx at %pA\n LR = %pA\n",
2645 regs->trap, (void *)regs->nip, (void *)lr);
2648 @@ -1251,54 +1251,6 @@ unsigned long arch_align_stack(unsigned
2652 -static inline unsigned long brk_rnd(void)
2654 - unsigned long rnd = 0;
2656 - /* 8MB for 32bit, 1GB for 64bit */
2657 - if (is_32bit_task())
2658 - rnd = (long)(get_random_int() % (1<<(23-PAGE_SHIFT)));
2660 - rnd = (long)(get_random_int() % (1<<(30-PAGE_SHIFT)));
2662 - return rnd << PAGE_SHIFT;
2665 -unsigned long arch_randomize_brk(struct mm_struct *mm)
2667 - unsigned long base = mm->brk;
2668 - unsigned long ret;
2670 -#ifdef CONFIG_PPC_STD_MMU_64
2672 - * If we are using 1TB segments and we are allowed to randomise
2673 - * the heap, we can put it above 1TB so it is backed by a 1TB
2674 - * segment. Otherwise the heap will be in the bottom 1TB
2675 - * which always uses 256MB segments and this may result in a
2676 - * performance penalty.
2678 - if (!is_32bit_task() && (mmu_highuser_ssize == MMU_SEGSIZE_1T))
2679 - base = max_t(unsigned long, mm->brk, 1UL << SID_SHIFT_1T);
2682 - ret = PAGE_ALIGN(base + brk_rnd());
2684 - if (ret < mm->brk)
2690 -unsigned long randomize_et_dyn(unsigned long base)
2692 - unsigned long ret = PAGE_ALIGN(base + brk_rnd());
2701 int arch_sd_sibling_asym_packing(void)
2703 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/signal_32.c linux-2.6.36.1/arch/powerpc/kernel/signal_32.c
2704 --- linux-2.6.36.1/arch/powerpc/kernel/signal_32.c 2010-10-20 16:30:22.000000000 -0400
2705 +++ linux-2.6.36.1/arch/powerpc/kernel/signal_32.c 2010-11-06 18:58:15.000000000 -0400
2706 @@ -858,7 +858,7 @@ int handle_rt_signal32(unsigned long sig
2707 /* Save user registers on the stack */
2708 frame = &rt_sf->uc.uc_mcontext;
2710 - if (vdso32_rt_sigtramp && current->mm->context.vdso_base) {
2711 + if (vdso32_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2712 if (save_user_regs(regs, frame, 0, 1))
2714 regs->link = current->mm->context.vdso_base + vdso32_rt_sigtramp;
2715 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/signal_64.c linux-2.6.36.1/arch/powerpc/kernel/signal_64.c
2716 --- linux-2.6.36.1/arch/powerpc/kernel/signal_64.c 2010-10-20 16:30:22.000000000 -0400
2717 +++ linux-2.6.36.1/arch/powerpc/kernel/signal_64.c 2010-11-06 18:58:15.000000000 -0400
2718 @@ -429,7 +429,7 @@ int handle_rt_signal64(int signr, struct
2719 current->thread.fpscr.val = 0;
2721 /* Set up to return from userspace. */
2722 - if (vdso64_rt_sigtramp && current->mm->context.vdso_base) {
2723 + if (vdso64_rt_sigtramp && current->mm->context.vdso_base != ~0UL) {
2724 regs->link = current->mm->context.vdso_base + vdso64_rt_sigtramp;
2726 err |= setup_trampoline(__NR_rt_sigreturn, &frame->tramp[0]);
2727 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/vdso.c linux-2.6.36.1/arch/powerpc/kernel/vdso.c
2728 --- linux-2.6.36.1/arch/powerpc/kernel/vdso.c 2010-10-20 16:30:22.000000000 -0400
2729 +++ linux-2.6.36.1/arch/powerpc/kernel/vdso.c 2010-11-06 18:58:15.000000000 -0400
2731 #include <asm/firmware.h>
2732 #include <asm/vdso.h>
2733 #include <asm/vdso_datapage.h>
2734 +#include <asm/mman.h>
2738 @@ -220,7 +221,7 @@ int arch_setup_additional_pages(struct l
2739 vdso_base = VDSO32_MBASE;
2742 - current->mm->context.vdso_base = 0;
2743 + current->mm->context.vdso_base = ~0UL;
2745 /* vDSO has a problem and was disabled, just don't "enable" it for the
2747 @@ -240,7 +241,7 @@ int arch_setup_additional_pages(struct l
2748 vdso_base = get_unmapped_area(NULL, vdso_base,
2749 (vdso_pages << PAGE_SHIFT) +
2750 ((VDSO_ALIGNMENT - 1) & PAGE_MASK),
2752 + 0, MAP_PRIVATE | MAP_EXECUTABLE);
2753 if (IS_ERR_VALUE(vdso_base)) {
2756 diff -urNp linux-2.6.36.1/arch/powerpc/kernel/vio.c linux-2.6.36.1/arch/powerpc/kernel/vio.c
2757 --- linux-2.6.36.1/arch/powerpc/kernel/vio.c 2010-10-20 16:30:22.000000000 -0400
2758 +++ linux-2.6.36.1/arch/powerpc/kernel/vio.c 2010-11-06 18:58:15.000000000 -0400
2759 @@ -602,11 +602,12 @@ static void vio_dma_iommu_unmap_sg(struc
2760 vio_cmo_dealloc(viodev, alloc_size);
2763 -struct dma_map_ops vio_dma_mapping_ops = {
2764 +static const struct dma_map_ops vio_dma_mapping_ops = {
2765 .alloc_coherent = vio_dma_iommu_alloc_coherent,
2766 .free_coherent = vio_dma_iommu_free_coherent,
2767 .map_sg = vio_dma_iommu_map_sg,
2768 .unmap_sg = vio_dma_iommu_unmap_sg,
2769 + .dma_supported = dma_iommu_dma_supported,
2770 .map_page = vio_dma_iommu_map_page,
2771 .unmap_page = vio_dma_iommu_unmap_page,
2773 @@ -860,7 +861,6 @@ static void vio_cmo_bus_remove(struct vi
2775 static void vio_cmo_set_dma_ops(struct vio_dev *viodev)
2777 - vio_dma_mapping_ops.dma_supported = dma_iommu_ops.dma_supported;
2778 viodev->dev.archdata.dma_ops = &vio_dma_mapping_ops;
2781 diff -urNp linux-2.6.36.1/arch/powerpc/lib/usercopy_64.c linux-2.6.36.1/arch/powerpc/lib/usercopy_64.c
2782 --- linux-2.6.36.1/arch/powerpc/lib/usercopy_64.c 2010-10-20 16:30:22.000000000 -0400
2783 +++ linux-2.6.36.1/arch/powerpc/lib/usercopy_64.c 2010-11-06 18:58:15.000000000 -0400
2785 #include <linux/module.h>
2786 #include <asm/uaccess.h>
2788 -unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
2790 - if (likely(access_ok(VERIFY_READ, from, n)))
2791 - n = __copy_from_user(to, from, n);
2797 -unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
2799 - if (likely(access_ok(VERIFY_WRITE, to, n)))
2800 - n = __copy_to_user(to, from, n);
2804 unsigned long copy_in_user(void __user *to, const void __user *from,
2807 @@ -35,7 +19,5 @@ unsigned long copy_in_user(void __user *
2811 -EXPORT_SYMBOL(copy_from_user);
2812 -EXPORT_SYMBOL(copy_to_user);
2813 EXPORT_SYMBOL(copy_in_user);
2815 diff -urNp linux-2.6.36.1/arch/powerpc/mm/fault.c linux-2.6.36.1/arch/powerpc/mm/fault.c
2816 --- linux-2.6.36.1/arch/powerpc/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
2817 +++ linux-2.6.36.1/arch/powerpc/mm/fault.c 2010-11-06 18:58:15.000000000 -0400
2819 #include <linux/kprobes.h>
2820 #include <linux/kdebug.h>
2821 #include <linux/perf_event.h>
2822 +#include <linux/slab.h>
2823 +#include <linux/pagemap.h>
2824 +#include <linux/compiler.h>
2825 +#include <linux/unistd.h>
2827 #include <asm/firmware.h>
2828 #include <asm/page.h>
2830 #include <asm/tlbflush.h>
2831 #include <asm/siginfo.h>
2832 #include <mm/mmu_decl.h>
2833 +#include <asm/ptrace.h>
2835 #ifdef CONFIG_KPROBES
2836 static inline int notify_page_fault(struct pt_regs *regs)
2837 @@ -64,6 +69,33 @@ static inline int notify_page_fault(stru
2841 +#ifdef CONFIG_PAX_PAGEEXEC
2843 + * PaX: decide what to do with offenders (regs->nip = fault address)
2845 + * returns 1 when task should be killed
2847 +static int pax_handle_fetch_fault(struct pt_regs *regs)
2852 +void pax_report_insns(void *pc, void *sp)
2856 + printk(KERN_ERR "PAX: bytes at PC: ");
2857 + for (i = 0; i < 5; i++) {
2859 + if (get_user(c, (unsigned int __user *)pc+i))
2860 + printk(KERN_CONT "???????? ");
2862 + printk(KERN_CONT "%08x ", c);
2869 * Check whether the instruction at regs->nip is a store using
2870 * an update addressing form which will update r1.
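Review bot: pax_report_insns dumps five 32-bit words at the faulting PC to the log at KERN_ERR on every PAGEEXEC violation, and nothing in this hunk rate-limits it, so unless its caller pax_report_fault (outside this view) does, an unprivileged process that keeps faulting can flood the kernel log. A `printk_ratelimit()` guard at the top of the function or at the call site closes that, and the hard-coded `5` deserves a named constant saying it is the number of words dumped. Minor: `(unsigned int __user *)pc+i` reads better as `(unsigned int __user *)pc + i`, which makes it obvious the addition is pointer arithmetic in 4-byte units. The closing lines of the function are not visible in this hunk.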
2871 @@ -134,7 +166,7 @@ int __kprobes do_page_fault(struct pt_re
2872 * indicate errors in DSISR but can validly be set in SRR1.
2875 - error_code &= 0x48200000;
2876 + error_code &= 0x58200000;
2878 is_write = error_code & DSISR_ISSTORE;
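Review bot: `error_code &= 0x58200000;` widens the old `0x48200000` mask by one bit, and the next hunk's substitution of `DSISR_GUARDED` for `0x10000000` suggests that bit is exactly DSISR_GUARDED; writing it as `error_code &= 0x48200000 | DSISR_GUARDED;` (or naming the whole mask) keeps the intent readable and keeps this line in step with the symbolic tests added further down. The comment above, which explains which DSISR bits are kept, should also say why the guarded-storage bit is now retained, presumably because the PAGEEXEC handling in bad_area_nosemaphore uses it to recognise execution from non-executable pages. do_page_fault's body extends well beyond this hunk.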
2880 @@ -257,7 +289,7 @@ good_area:
2881 * "undefined". Of those that can be set, this is the only
2882 * one which seems bad.
2884 - if (error_code & 0x10000000)
2885 + if (error_code & DSISR_GUARDED)
2886 /* Guarded storage error. */
2888 #endif /* CONFIG_8xx */
2889 @@ -272,7 +304,7 @@ good_area:
2890 * processors use the same I/D cache coherency mechanism
2893 - if (error_code & DSISR_PROTFAULT)
2894 + if (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))
2896 #endif /* CONFIG_PPC_STD_MMU */
2898 @@ -341,6 +373,23 @@ bad_area:
2899 bad_area_nosemaphore:
2900 /* User mode accesses cause a SIGSEGV */
2901 if (user_mode(regs)) {
2903 +#ifdef CONFIG_PAX_PAGEEXEC
2904 + if (mm->pax_flags & MF_PAX_PAGEEXEC) {
2905 +#ifdef CONFIG_PPC_STD_MMU
2906 + if (is_exec && (error_code & (DSISR_PROTFAULT | DSISR_GUARDED))) {
2908 + if (is_exec && regs->nip == address) {
2910 + switch (pax_handle_fetch_fault(regs)) {
2913 + pax_report_fault(regs, (void *)regs->nip, (void *)regs->gpr[PT_R1]);
2914 + do_group_exit(SIGKILL);
2919 _exception(SIGSEGV, regs, code, address);
2922 diff -urNp linux-2.6.36.1/arch/powerpc/mm/mmap_64.c linux-2.6.36.1/arch/powerpc/mm/mmap_64.c
2923 --- linux-2.6.36.1/arch/powerpc/mm/mmap_64.c 2010-10-20 16:30:22.000000000 -0400
2924 +++ linux-2.6.36.1/arch/powerpc/mm/mmap_64.c 2010-11-06 18:58:15.000000000 -0400
2925 @@ -99,10 +99,22 @@ void arch_pick_mmap_layout(struct mm_str
2927 if (mmap_is_legacy()) {
2928 mm->mmap_base = TASK_UNMAPPED_BASE;
2930 +#ifdef CONFIG_PAX_RANDMMAP
2931 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2932 + mm->mmap_base += mm->delta_mmap;
2935 mm->get_unmapped_area = arch_get_unmapped_area;
2936 mm->unmap_area = arch_unmap_area;
2938 mm->mmap_base = mmap_base();
2940 +#ifdef CONFIG_PAX_RANDMMAP
2941 + if (mm->pax_flags & MF_PAX_RANDMMAP)
2942 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
2945 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
2946 mm->unmap_area = arch_unmap_area_topdown;
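Review bot: The four-line `#ifdef CONFIG_PAX_RANDMMAP` block is pasted into both branches of arch_pick_mmap_layout here and twice more in each of the two arch_pick_mmap_layout hunks of arch/s390/mm/mmap.c, with the sign and the `delta_mmap + delta_stack` sum repeated by hand each time. A small static inline helper in a shared header, called as `pax_adjust_mmap_base(mm, topdown)` (name constructed), would keep the arithmetic in one place so the legacy and top-down adjustments cannot drift apart. Neither branch checks that `TASK_UNMAPPED_BASE + mm->delta_mmap` stays below the top-down base or that the subtraction cannot drop below the legacy base; presumably the deltas are bounded when they are chosen at exec time, but that bound is not visible here and is worth a comment at the point of use.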
2948 diff -urNp linux-2.6.36.1/arch/powerpc/mm/slice.c linux-2.6.36.1/arch/powerpc/mm/slice.c
2949 --- linux-2.6.36.1/arch/powerpc/mm/slice.c 2010-10-20 16:30:22.000000000 -0400
2950 +++ linux-2.6.36.1/arch/powerpc/mm/slice.c 2010-11-06 18:58:15.000000000 -0400
2951 @@ -98,7 +98,7 @@ static int slice_area_is_free(struct mm_
2952 if ((mm->task_size - len) < addr)
2954 vma = find_vma(mm, addr);
2955 - return (!vma || (addr + len) <= vma->vm_start);
2956 + return check_heap_stack_gap(vma, addr, len);
2959 static int slice_low_has_vma(struct mm_struct *mm, unsigned long slice)
2960 @@ -256,7 +256,7 @@ full_search:
2961 addr = _ALIGN_UP(addr + 1, 1ul << SLICE_HIGH_SHIFT);
2964 - if (!vma || addr + len <= vma->vm_start) {
2965 + if (check_heap_stack_gap(vma, addr, len)) {
2967 * Remember the place where we stopped the search:
2969 @@ -336,7 +336,7 @@ static unsigned long slice_find_area_top
2970 * return with success:
2972 vma = find_vma(mm, addr);
2973 - if (!vma || (addr + len) <= vma->vm_start) {
2974 + if (check_heap_stack_gap(vma, addr, len)) {
2975 /* remember the address as a hint for next time */
2977 mm->free_area_cache = addr;
2978 @@ -426,6 +426,11 @@ unsigned long slice_get_unmapped_area(un
2979 if (fixed && addr > (mm->task_size - len))
2982 +#ifdef CONFIG_PAX_RANDMMAP
2983 + if (!fixed && (mm->pax_flags & MF_PAX_RANDMMAP))
2987 /* If hint, make sure it matches our alignment restrictions */
2988 if (!fixed && addr) {
2989 addr = _ALIGN_UP(addr, 1ul << pshift);
2990 diff -urNp linux-2.6.36.1/arch/powerpc/platforms/52xx/lite5200_pm.c linux-2.6.36.1/arch/powerpc/platforms/52xx/lite5200_pm.c
2991 --- linux-2.6.36.1/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-10-20 16:30:22.000000000 -0400
2992 +++ linux-2.6.36.1/arch/powerpc/platforms/52xx/lite5200_pm.c 2010-11-06 18:58:15.000000000 -0400
2993 @@ -232,7 +232,7 @@ static void lite5200_pm_end(void)
2994 lite5200_pm_target_state = PM_SUSPEND_ON;
2997 -static struct platform_suspend_ops lite5200_pm_ops = {
2998 +static const struct platform_suspend_ops lite5200_pm_ops = {
2999 .valid = lite5200_pm_valid,
3000 .begin = lite5200_pm_begin,
3001 .prepare = lite5200_pm_prepare,
3002 diff -urNp linux-2.6.36.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c linux-2.6.36.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c
3003 --- linux-2.6.36.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-10-20 16:30:22.000000000 -0400
3004 +++ linux-2.6.36.1/arch/powerpc/platforms/52xx/mpc52xx_pm.c 2010-11-06 18:58:15.000000000 -0400
3005 @@ -186,7 +186,7 @@ void mpc52xx_pm_finish(void)
3009 -static struct platform_suspend_ops mpc52xx_pm_ops = {
3010 +static const struct platform_suspend_ops mpc52xx_pm_ops = {
3011 .valid = mpc52xx_pm_valid,
3012 .prepare = mpc52xx_pm_prepare,
3013 .enter = mpc52xx_pm_enter,
3014 diff -urNp linux-2.6.36.1/arch/powerpc/platforms/83xx/suspend.c linux-2.6.36.1/arch/powerpc/platforms/83xx/suspend.c
3015 --- linux-2.6.36.1/arch/powerpc/platforms/83xx/suspend.c 2010-10-20 16:30:22.000000000 -0400
3016 +++ linux-2.6.36.1/arch/powerpc/platforms/83xx/suspend.c 2010-11-06 18:58:15.000000000 -0400
3017 @@ -311,7 +311,7 @@ static int mpc83xx_is_pci_agent(void)
3021 -static struct platform_suspend_ops mpc83xx_suspend_ops = {
3022 +static const struct platform_suspend_ops mpc83xx_suspend_ops = {
3023 .valid = mpc83xx_suspend_valid,
3024 .begin = mpc83xx_suspend_begin,
3025 .enter = mpc83xx_suspend_enter,
3026 diff -urNp linux-2.6.36.1/arch/powerpc/platforms/cell/iommu.c linux-2.6.36.1/arch/powerpc/platforms/cell/iommu.c
3027 --- linux-2.6.36.1/arch/powerpc/platforms/cell/iommu.c 2010-10-20 16:30:22.000000000 -0400
3028 +++ linux-2.6.36.1/arch/powerpc/platforms/cell/iommu.c 2010-11-06 18:58:15.000000000 -0400
3029 @@ -642,7 +642,7 @@ static int dma_fixed_dma_supported(struc
3031 static int dma_set_mask_and_switch(struct device *dev, u64 dma_mask);
3033 -struct dma_map_ops dma_iommu_fixed_ops = {
3034 +const struct dma_map_ops dma_iommu_fixed_ops = {
3035 .alloc_coherent = dma_fixed_alloc_coherent,
3036 .free_coherent = dma_fixed_free_coherent,
3037 .map_sg = dma_fixed_map_sg,
3038 diff -urNp linux-2.6.36.1/arch/powerpc/platforms/ps3/system-bus.c linux-2.6.36.1/arch/powerpc/platforms/ps3/system-bus.c
3039 --- linux-2.6.36.1/arch/powerpc/platforms/ps3/system-bus.c 2010-10-20 16:30:22.000000000 -0400
3040 +++ linux-2.6.36.1/arch/powerpc/platforms/ps3/system-bus.c 2010-11-06 18:58:15.000000000 -0400
3041 @@ -695,7 +695,7 @@ static int ps3_dma_supported(struct devi
3042 return mask >= DMA_BIT_MASK(32);
3045 -static struct dma_map_ops ps3_sb_dma_ops = {
3046 +static const struct dma_map_ops ps3_sb_dma_ops = {
3047 .alloc_coherent = ps3_alloc_coherent,
3048 .free_coherent = ps3_free_coherent,
3049 .map_sg = ps3_sb_map_sg,
3050 @@ -705,7 +705,7 @@ static struct dma_map_ops ps3_sb_dma_ops
3051 .unmap_page = ps3_unmap_page,
3054 -static struct dma_map_ops ps3_ioc0_dma_ops = {
3055 +static const struct dma_map_ops ps3_ioc0_dma_ops = {
3056 .alloc_coherent = ps3_alloc_coherent,
3057 .free_coherent = ps3_free_coherent,
3058 .map_sg = ps3_ioc0_map_sg,
3059 diff -urNp linux-2.6.36.1/arch/powerpc/platforms/pseries/suspend.c linux-2.6.36.1/arch/powerpc/platforms/pseries/suspend.c
3060 --- linux-2.6.36.1/arch/powerpc/platforms/pseries/suspend.c 2010-10-20 16:30:22.000000000 -0400
3061 +++ linux-2.6.36.1/arch/powerpc/platforms/pseries/suspend.c 2010-11-06 18:58:15.000000000 -0400
3062 @@ -153,7 +153,7 @@ static struct sysdev_class suspend_sysde
3066 -static struct platform_suspend_ops pseries_suspend_ops = {
3067 +static const struct platform_suspend_ops pseries_suspend_ops = {
3068 .valid = suspend_valid_only_mem,
3069 .begin = pseries_suspend_begin,
3070 .prepare_late = pseries_prepare_late,
3071 diff -urNp linux-2.6.36.1/arch/powerpc/sysdev/fsl_pmc.c linux-2.6.36.1/arch/powerpc/sysdev/fsl_pmc.c
3072 --- linux-2.6.36.1/arch/powerpc/sysdev/fsl_pmc.c 2010-10-20 16:30:22.000000000 -0400
3073 +++ linux-2.6.36.1/arch/powerpc/sysdev/fsl_pmc.c 2010-11-06 18:58:15.000000000 -0400
3074 @@ -53,7 +53,7 @@ static int pmc_suspend_valid(suspend_sta
3078 -static struct platform_suspend_ops pmc_suspend_ops = {
3079 +static const struct platform_suspend_ops pmc_suspend_ops = {
3080 .valid = pmc_suspend_valid,
3081 .enter = pmc_suspend_enter,
3083 diff -urNp linux-2.6.36.1/arch/s390/include/asm/elf.h linux-2.6.36.1/arch/s390/include/asm/elf.h
3084 --- linux-2.6.36.1/arch/s390/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
3085 +++ linux-2.6.36.1/arch/s390/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
3086 @@ -163,6 +163,13 @@ extern unsigned int vdso_enabled;
3087 that it will "exec", and that there is sufficient room for the brk. */
3088 #define ELF_ET_DYN_BASE (STACK_TOP / 3 * 2)
3090 +#ifdef CONFIG_PAX_ASLR
3091 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_31BIT) ? 0x10000UL : 0x80000000UL)
3093 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3094 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_31BIT) ? 15 : 26 )
3097 /* This yields a mask that user programs can use to figure out what
3098 instruction set this CPU supports. */
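Review bot: The 64-bit arms of PAX_DELTA_MMAP_LEN and PAX_DELTA_STACK_LEN carry a stray space before the closing parenthesis (`26 )`) that the 31-bit arms do not, and neither macro says what the number means. A one-line comment such as `/* number of random bits in the mmap / stack base deltas, presumably in pages — confirm against the ELF loader that consumes them */` would let a reader relate the 15/26 split to the 31-bit and 64-bit address spaces without digging through the loader, which is outside this view. The constants themselves are stated in this hunk, so only the wording needs confirming.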
3100 diff -urNp linux-2.6.36.1/arch/s390/include/asm/uaccess.h linux-2.6.36.1/arch/s390/include/asm/uaccess.h
3101 --- linux-2.6.36.1/arch/s390/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
3102 +++ linux-2.6.36.1/arch/s390/include/asm/uaccess.h 2010-11-06 18:58:15.000000000 -0400
3103 @@ -234,6 +234,10 @@ static inline unsigned long __must_check
3104 copy_to_user(void __user *to, const void *from, unsigned long n)
3111 if (access_ok(VERIFY_WRITE, to, n))
3112 n = __copy_to_user(to, from, n);
3114 @@ -259,6 +263,9 @@ copy_to_user(void __user *to, const void
3115 static inline unsigned long __must_check
3116 __copy_from_user(void *to, const void __user *from, unsigned long n)
3121 if (__builtin_constant_p(n) && (n <= 256))
3122 return uaccess.copy_from_user_small(n, from, to);
3124 @@ -293,6 +300,10 @@ copy_from_user(void *to, const void __us
3125 unsigned int sz = __compiletime_object_size(to);
3132 if (unlikely(sz != -1 && sz < n)) {
3133 copy_from_user_overflow();
3135 diff -urNp linux-2.6.36.1/arch/s390/Kconfig linux-2.6.36.1/arch/s390/Kconfig
3136 --- linux-2.6.36.1/arch/s390/Kconfig 2010-10-20 16:30:22.000000000 -0400
3137 +++ linux-2.6.36.1/arch/s390/Kconfig 2010-11-06 18:58:15.000000000 -0400
3138 @@ -227,13 +227,12 @@ config AUDIT_ARCH
3140 config S390_EXEC_PROTECT
3141 bool "Data execute protection"
3144 This option allows to enable a buffer overflow protection for user
3145 - space programs and it also selects the addressing mode option above.
3146 - The kernel parameter noexec=on will enable this feature and also
3147 - switch the addressing modes, default is disabled. Enabling this (via
3148 - kernel parameter) on machines earlier than IBM System z9-109 EC/BC
3149 - will reduce system performance.
3151 + Enabling this on machines earlier than IBM System z9-109 EC/BC will
3152 + reduce system performance.
3154 comment "Code generation options"
3156 diff -urNp linux-2.6.36.1/arch/s390/kernel/module.c linux-2.6.36.1/arch/s390/kernel/module.c
3157 --- linux-2.6.36.1/arch/s390/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
3158 +++ linux-2.6.36.1/arch/s390/kernel/module.c 2010-11-06 18:58:15.000000000 -0400
3159 @@ -168,11 +168,11 @@ module_frob_arch_sections(Elf_Ehdr *hdr,
3161 /* Increase core size by size of got & plt and set start
3162 offsets for got and plt. */
3163 - me->core_size = ALIGN(me->core_size, 4);
3164 - me->arch.got_offset = me->core_size;
3165 - me->core_size += me->arch.got_size;
3166 - me->arch.plt_offset = me->core_size;
3167 - me->core_size += me->arch.plt_size;
3168 + me->core_size_rw = ALIGN(me->core_size_rw, 4);
3169 + me->arch.got_offset = me->core_size_rw;
3170 + me->core_size_rw += me->arch.got_size;
3171 + me->arch.plt_offset = me->core_size_rx;
3172 + me->core_size_rx += me->arch.plt_size;
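Review bot: The PLT is placed at `me->core_size_rx` without aligning it first: the original aligned `core_size` once and laid the GOT and PLT out back to back, and the rewrite keeps that `ALIGN(..., 4)` only for `core_size_rw`, so `plt_offset` now inherits whatever alignment the RX section sizes happened to leave. The PLT stubs are written as 32-bit words in apply_rela further down (`ip[0] = 0x0d105810`), so a misaligned plt_offset means misaligned instruction stores and misaligned code; add `me->core_size_rx = ALIGN(me->core_size_rx, 4);` before `me->arch.plt_offset = me->core_size_rx;`. Whether the section layout code elsewhere in this file already aligns core_size_rx is not visible in this hunk, so confirm against the full function.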
3176 @@ -258,7 +258,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3177 if (info->got_initialized == 0) {
3180 - gotent = me->module_core + me->arch.got_offset +
3181 + gotent = me->module_core_rw + me->arch.got_offset +
3184 info->got_initialized = 1;
3185 @@ -282,7 +282,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3186 else if (r_type == R_390_GOTENT ||
3187 r_type == R_390_GOTPLTENT)
3188 *(unsigned int *) loc =
3189 - (val + (Elf_Addr) me->module_core - loc) >> 1;
3190 + (val + (Elf_Addr) me->module_core_rw - loc) >> 1;
3191 else if (r_type == R_390_GOT64 ||
3192 r_type == R_390_GOTPLT64)
3193 *(unsigned long *) loc = val;
3194 @@ -296,7 +296,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3195 case R_390_PLTOFF64: /* 16 bit offset from GOT to PLT. */
3196 if (info->plt_initialized == 0) {
3198 - ip = me->module_core + me->arch.plt_offset +
3199 + ip = me->module_core_rx + me->arch.plt_offset +
3201 #ifndef CONFIG_64BIT
3202 ip[0] = 0x0d105810; /* basr 1,0; l 1,6(1); br 1 */
3203 @@ -321,7 +321,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3204 val - loc + 0xffffUL < 0x1ffffeUL) ||
3205 (r_type == R_390_PLT32DBL &&
3206 val - loc + 0xffffffffULL < 0x1fffffffeULL)))
3207 - val = (Elf_Addr) me->module_core +
3208 + val = (Elf_Addr) me->module_core_rx +
3209 me->arch.plt_offset +
3211 val += rela->r_addend - loc;
3212 @@ -343,7 +343,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3213 case R_390_GOTOFF32: /* 32 bit offset to GOT. */
3214 case R_390_GOTOFF64: /* 64 bit offset to GOT. */
3215 val = val + rela->r_addend -
3216 - ((Elf_Addr) me->module_core + me->arch.got_offset);
3217 + ((Elf_Addr) me->module_core_rw + me->arch.got_offset);
3218 if (r_type == R_390_GOTOFF16)
3219 *(unsigned short *) loc = val;
3220 else if (r_type == R_390_GOTOFF32)
3221 @@ -353,7 +353,7 @@ apply_rela(Elf_Rela *rela, Elf_Addr base
3223 case R_390_GOTPC: /* 32 bit PC relative offset to GOT. */
3224 case R_390_GOTPCDBL: /* 32 bit PC rel. off. to GOT shifted by 1. */
3225 - val = (Elf_Addr) me->module_core + me->arch.got_offset +
3226 + val = (Elf_Addr) me->module_core_rw + me->arch.got_offset +
3227 rela->r_addend - loc;
3228 if (r_type == R_390_GOTPC)
3229 *(unsigned int *) loc = val;
3230 diff -urNp linux-2.6.36.1/arch/s390/kernel/setup.c linux-2.6.36.1/arch/s390/kernel/setup.c
3231 --- linux-2.6.36.1/arch/s390/kernel/setup.c 2010-10-20 16:30:22.000000000 -0400
3232 +++ linux-2.6.36.1/arch/s390/kernel/setup.c 2010-11-06 18:58:15.000000000 -0400
3233 @@ -281,7 +281,7 @@ static int __init early_parse_mem(char *
3235 early_param("mem", early_parse_mem);
3237 -unsigned int user_mode = HOME_SPACE_MODE;
3238 +unsigned int user_mode = SECONDARY_SPACE_MODE;
3239 EXPORT_SYMBOL_GPL(user_mode);
3241 static int set_amode_and_uaccess(unsigned long user_amode,
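Review bot: The default of `user_mode` changes from HOME_SPACE_MODE to SECONDARY_SPACE_MODE without a comment, and the following two hunks in this file drop the `switch_amode` and `noexec` early parameters, so `user_mode=` becomes the only remaining way to choose the addressing mode. Systems that still pass `noexec=on` or `switch_amode` will get the new default anyway, but the unrecognised option is handed down to init rather than rejected, so the change deserves a note at the definition, e.g. `/* PaX: secondary-space mode (user execute protection) is the default; switch_amode= and noexec= were removed, user_mode= is the only override */`, and a matching update wherever the boot parameters are documented. Whether early_parse_user_mode still accepts a value that restores HOME_SPACE_MODE is not visible in this view.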
3242 @@ -310,17 +310,6 @@ static int set_amode_and_uaccess(unsigne
3247 - * Switch kernel/user addressing modes?
3249 -static int __init early_parse_switch_amode(char *p)
3251 - if (user_mode != SECONDARY_SPACE_MODE)
3252 - user_mode = PRIMARY_SPACE_MODE;
3255 -early_param("switch_amode", early_parse_switch_amode);
3257 static int __init early_parse_user_mode(char *p)
3259 if (p && strcmp(p, "primary") == 0)
3260 @@ -337,20 +326,6 @@ static int __init early_parse_user_mode(
3262 early_param("user_mode", early_parse_user_mode);
3264 -#ifdef CONFIG_S390_EXEC_PROTECT
3266 - * Enable execute protection?
3268 -static int __init early_parse_noexec(char *p)
3270 - if (!strncmp(p, "off", 3))
3272 - user_mode = SECONDARY_SPACE_MODE;
3275 -early_param("noexec", early_parse_noexec);
3276 -#endif /* CONFIG_S390_EXEC_PROTECT */
3278 static void setup_addressing_mode(void)
3280 if (user_mode == SECONDARY_SPACE_MODE) {
3281 diff -urNp linux-2.6.36.1/arch/s390/mm/maccess.c linux-2.6.36.1/arch/s390/mm/maccess.c
3282 --- linux-2.6.36.1/arch/s390/mm/maccess.c 2010-10-20 16:30:22.000000000 -0400
3283 +++ linux-2.6.36.1/arch/s390/mm/maccess.c 2010-11-06 18:58:15.000000000 -0400
3284 @@ -45,7 +45,7 @@ static long probe_kernel_write_odd(void
3285 return rc ? rc : count;
3288 -long probe_kernel_write(void *dst, void *src, size_t size)
3289 +long probe_kernel_write(void *dst, const void *src, size_t size)
3293 diff -urNp linux-2.6.36.1/arch/s390/mm/mmap.c linux-2.6.36.1/arch/s390/mm/mmap.c
3294 --- linux-2.6.36.1/arch/s390/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
3295 +++ linux-2.6.36.1/arch/s390/mm/mmap.c 2010-11-06 18:58:15.000000000 -0400
3296 @@ -78,10 +78,22 @@ void arch_pick_mmap_layout(struct mm_str
3298 if (mmap_is_legacy()) {
3299 mm->mmap_base = TASK_UNMAPPED_BASE;
3301 +#ifdef CONFIG_PAX_RANDMMAP
3302 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3303 + mm->mmap_base += mm->delta_mmap;
3306 mm->get_unmapped_area = arch_get_unmapped_area;
3307 mm->unmap_area = arch_unmap_area;
3309 mm->mmap_base = mmap_base();
3311 +#ifdef CONFIG_PAX_RANDMMAP
3312 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3313 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3316 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
3317 mm->unmap_area = arch_unmap_area_topdown;
3319 @@ -153,10 +165,22 @@ void arch_pick_mmap_layout(struct mm_str
3321 if (mmap_is_legacy()) {
3322 mm->mmap_base = TASK_UNMAPPED_BASE;
3324 +#ifdef CONFIG_PAX_RANDMMAP
3325 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3326 + mm->mmap_base += mm->delta_mmap;
3329 mm->get_unmapped_area = s390_get_unmapped_area;
3330 mm->unmap_area = arch_unmap_area;
3332 mm->mmap_base = mmap_base();
3334 +#ifdef CONFIG_PAX_RANDMMAP
3335 + if (mm->pax_flags & MF_PAX_RANDMMAP)
3336 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
3339 mm->get_unmapped_area = s390_get_unmapped_area_topdown;
3340 mm->unmap_area = arch_unmap_area_topdown;
3342 diff -urNp linux-2.6.36.1/arch/sh/boards/mach-hp6xx/pm.c linux-2.6.36.1/arch/sh/boards/mach-hp6xx/pm.c
3343 --- linux-2.6.36.1/arch/sh/boards/mach-hp6xx/pm.c 2010-10-20 16:30:22.000000000 -0400
3344 +++ linux-2.6.36.1/arch/sh/boards/mach-hp6xx/pm.c 2010-11-06 18:58:15.000000000 -0400
3345 @@ -143,7 +143,7 @@ static int hp6x0_pm_enter(suspend_state_
3349 -static struct platform_suspend_ops hp6x0_pm_ops = {
3350 +static const struct platform_suspend_ops hp6x0_pm_ops = {
3351 .enter = hp6x0_pm_enter,
3352 .valid = suspend_valid_only_mem,
3354 diff -urNp linux-2.6.36.1/arch/sh/include/asm/dma-mapping.h linux-2.6.36.1/arch/sh/include/asm/dma-mapping.h
3355 --- linux-2.6.36.1/arch/sh/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
3356 +++ linux-2.6.36.1/arch/sh/include/asm/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
3358 #ifndef __ASM_SH_DMA_MAPPING_H
3359 #define __ASM_SH_DMA_MAPPING_H
3361 -extern struct dma_map_ops *dma_ops;
3362 +extern const struct dma_map_ops *dma_ops;
3363 extern void no_iommu_init(void);
3365 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3366 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3370 @@ -14,7 +14,7 @@ static inline struct dma_map_ops *get_dm
3372 static inline int dma_supported(struct device *dev, u64 mask)
3374 - struct dma_map_ops *ops = get_dma_ops(dev);
3375 + const struct dma_map_ops *ops = get_dma_ops(dev);
3377 if (ops->dma_supported)
3378 return ops->dma_supported(dev, mask);
3379 @@ -24,7 +24,7 @@ static inline int dma_supported(struct d
3381 static inline int dma_set_mask(struct device *dev, u64 mask)
3383 - struct dma_map_ops *ops = get_dma_ops(dev);
3384 + const struct dma_map_ops *ops = get_dma_ops(dev);
3386 if (!dev->dma_mask || !dma_supported(dev, mask))
3388 @@ -44,7 +44,7 @@ void dma_cache_sync(struct device *dev,
3390 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
3392 - struct dma_map_ops *ops = get_dma_ops(dev);
3393 + const struct dma_map_ops *ops = get_dma_ops(dev);
3395 if (ops->mapping_error)
3396 return ops->mapping_error(dev, dma_addr);
3397 @@ -55,7 +55,7 @@ static inline int dma_mapping_error(stru
3398 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3399 dma_addr_t *dma_handle, gfp_t gfp)
3401 - struct dma_map_ops *ops = get_dma_ops(dev);
3402 + const struct dma_map_ops *ops = get_dma_ops(dev);
3405 if (dma_alloc_from_coherent(dev, size, dma_handle, &memory))
3406 @@ -72,7 +72,7 @@ static inline void *dma_alloc_coherent(s
3407 static inline void dma_free_coherent(struct device *dev, size_t size,
3408 void *vaddr, dma_addr_t dma_handle)
3410 - struct dma_map_ops *ops = get_dma_ops(dev);
3411 + const struct dma_map_ops *ops = get_dma_ops(dev);
3413 if (dma_release_from_coherent(dev, get_order(size), vaddr))
3415 diff -urNp linux-2.6.36.1/arch/sh/kernel/cpu/shmobile/pm.c linux-2.6.36.1/arch/sh/kernel/cpu/shmobile/pm.c
3416 --- linux-2.6.36.1/arch/sh/kernel/cpu/shmobile/pm.c 2010-10-20 16:30:22.000000000 -0400
3417 +++ linux-2.6.36.1/arch/sh/kernel/cpu/shmobile/pm.c 2010-11-06 18:58:15.000000000 -0400
3418 @@ -141,7 +141,7 @@ static int sh_pm_enter(suspend_state_t s
3422 -static struct platform_suspend_ops sh_pm_ops = {
3423 +static const struct platform_suspend_ops sh_pm_ops = {
3424 .enter = sh_pm_enter,
3425 .valid = suspend_valid_only_mem,
3427 diff -urNp linux-2.6.36.1/arch/sh/kernel/dma-nommu.c linux-2.6.36.1/arch/sh/kernel/dma-nommu.c
3428 --- linux-2.6.36.1/arch/sh/kernel/dma-nommu.c 2010-10-20 16:30:22.000000000 -0400
3429 +++ linux-2.6.36.1/arch/sh/kernel/dma-nommu.c 2010-11-06 18:58:15.000000000 -0400
3430 @@ -62,7 +62,7 @@ static void nommu_sync_sg(struct device
3434 -struct dma_map_ops nommu_dma_ops = {
3435 +const struct dma_map_ops nommu_dma_ops = {
3436 .alloc_coherent = dma_generic_alloc_coherent,
3437 .free_coherent = dma_generic_free_coherent,
3438 .map_page = nommu_map_page,
3439 diff -urNp linux-2.6.36.1/arch/sh/kernel/kgdb.c linux-2.6.36.1/arch/sh/kernel/kgdb.c
3440 --- linux-2.6.36.1/arch/sh/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
3441 +++ linux-2.6.36.1/arch/sh/kernel/kgdb.c 2010-11-06 18:58:15.000000000 -0400
3442 @@ -319,7 +319,7 @@ void kgdb_arch_exit(void)
3443 unregister_die_notifier(&kgdb_notifier);
3446 -struct kgdb_arch arch_kgdb_ops = {
3447 +const struct kgdb_arch arch_kgdb_ops = {
3448 /* Breakpoint instruction: trapa #0x3c */
3449 #ifdef CONFIG_CPU_LITTLE_ENDIAN
3450 .gdb_bpt_instr = { 0x3c, 0xc3 },
3451 diff -urNp linux-2.6.36.1/arch/sh/mm/consistent.c linux-2.6.36.1/arch/sh/mm/consistent.c
3452 --- linux-2.6.36.1/arch/sh/mm/consistent.c 2010-10-20 16:30:22.000000000 -0400
3453 +++ linux-2.6.36.1/arch/sh/mm/consistent.c 2010-11-06 18:58:15.000000000 -0400
3456 #define PREALLOC_DMA_DEBUG_ENTRIES 4096
3458 -struct dma_map_ops *dma_ops;
3459 +const struct dma_map_ops *dma_ops;
3460 EXPORT_SYMBOL(dma_ops);
3462 static int __init dma_init(void)
3463 diff -urNp linux-2.6.36.1/arch/sh/mm/mmap.c linux-2.6.36.1/arch/sh/mm/mmap.c
3464 --- linux-2.6.36.1/arch/sh/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
3465 +++ linux-2.6.36.1/arch/sh/mm/mmap.c 2010-11-06 18:58:15.000000000 -0400
3466 @@ -74,8 +74,7 @@ unsigned long arch_get_unmapped_area(str
3467 addr = PAGE_ALIGN(addr);
3469 vma = find_vma(mm, addr);
3470 - if (TASK_SIZE - len >= addr &&
3471 - (!vma || addr + len <= vma->vm_start))
3472 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3476 @@ -106,7 +105,7 @@ full_search:
3480 - if (likely(!vma || addr + len <= vma->vm_start)) {
3481 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3483 * Remember the place where we stopped the search:
3485 @@ -157,8 +156,7 @@ arch_get_unmapped_area_topdown(struct fi
3486 addr = PAGE_ALIGN(addr);
3488 vma = find_vma(mm, addr);
3489 - if (TASK_SIZE - len >= addr &&
3490 - (!vma || addr + len <= vma->vm_start))
3491 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
3495 @@ -179,7 +177,7 @@ arch_get_unmapped_area_topdown(struct fi
3496 /* make sure it can fit in the remaining address space */
3497 if (likely(addr > len)) {
3498 vma = find_vma(mm, addr-len);
3499 - if (!vma || addr <= vma->vm_start) {
3500 + if (check_heap_stack_gap(vma, addr - len, len)) {
3501 /* remember the address as a hint for next time */
3502 return (mm->free_area_cache = addr-len);
3504 @@ -199,7 +197,7 @@ arch_get_unmapped_area_topdown(struct fi
3505 * return with success:
3507 vma = find_vma(mm, addr);
3508 - if (likely(!vma || addr+len <= vma->vm_start)) {
3509 + if (likely(check_heap_stack_gap(vma, addr, len))) {
3510 /* remember the address as a hint for next time */
3511 return (mm->free_area_cache = addr);
3513 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/atomic_64.h linux-2.6.36.1/arch/sparc/include/asm/atomic_64.h
3514 --- linux-2.6.36.1/arch/sparc/include/asm/atomic_64.h 2010-10-20 16:30:22.000000000 -0400
3515 +++ linux-2.6.36.1/arch/sparc/include/asm/atomic_64.h 2010-11-06 18:58:15.000000000 -0400
3517 #define ATOMIC64_INIT(i) { (i) }
3519 #define atomic_read(v) (*(volatile int *)&(v)->counter)
3520 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
3522 + return v->counter;
3524 #define atomic64_read(v) (*(volatile long *)&(v)->counter)
3525 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
3527 + return v->counter;
3530 #define atomic_set(v, i) (((v)->counter) = i)
3531 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
3535 #define atomic64_set(v, i) (((v)->counter) = i)
3536 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
3541 extern void atomic_add(int, atomic_t *);
3542 +extern void atomic_add_unchecked(int, atomic_unchecked_t *);
3543 extern void atomic64_add(long, atomic64_t *);
3544 +extern void atomic64_add_unchecked(long, atomic64_unchecked_t *);
3545 extern void atomic_sub(int, atomic_t *);
3546 +extern void atomic_sub_unchecked(int, atomic_unchecked_t *);
3547 extern void atomic64_sub(long, atomic64_t *);
3548 +extern void atomic64_sub_unchecked(long, atomic64_unchecked_t *);
3550 extern int atomic_add_ret(int, atomic_t *);
3551 +extern int atomic_add_ret_unchecked(int, atomic_unchecked_t *);
3552 extern long atomic64_add_ret(long, atomic64_t *);
3553 +extern long atomic64_add_ret_unchecked(long, atomic64_unchecked_t *);
3554 extern int atomic_sub_ret(int, atomic_t *);
3555 extern long atomic64_sub_ret(long, atomic64_t *);
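Review bot: `atomic_read_unchecked` and `atomic64_read_unchecked` read `v->counter` through a plain pointer, while the `atomic_read`/`atomic64_read` macros they mirror force a volatile access (`*(volatile int *)&(v)->counter`). Without the volatile qualifier the compiler may merge or hoist the load, so a loop polling an unchecked counter can fail to observe an update made by another CPU. Mirror the macros: `return (*(volatile int *)&v->counter);` and `return (*(volatile long *)&v->counter);`. Whether anything spins on an `atomic_unchecked_t` is not visible here, but the helpers are presented as drop-in variants and should carry the same guarantee.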
3557 @@ -33,12 +55,24 @@ extern long atomic64_sub_ret(long, atomi
3558 #define atomic64_dec_return(v) atomic64_sub_ret(1, v)
3560 #define atomic_inc_return(v) atomic_add_ret(1, v)
3561 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
3563 + return atomic_add_ret_unchecked(1, v);
3565 #define atomic64_inc_return(v) atomic64_add_ret(1, v)
3566 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
3568 + return atomic64_add_ret_unchecked(1, v);
3571 #define atomic_sub_return(i, v) atomic_sub_ret(i, v)
3572 #define atomic64_sub_return(i, v) atomic64_sub_ret(i, v)
3574 #define atomic_add_return(i, v) atomic_add_ret(i, v)
3575 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
3577 + return atomic_add_ret_unchecked(i, v);
3579 #define atomic64_add_return(i, v) atomic64_add_ret(i, v)
3582 @@ -59,10 +93,26 @@ extern long atomic64_sub_ret(long, atomi
3583 #define atomic64_dec_and_test(v) (atomic64_sub_ret(1, v) == 0)
3585 #define atomic_inc(v) atomic_add(1, v)
3586 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
3588 + atomic_add_unchecked(1, v);
3590 #define atomic64_inc(v) atomic64_add(1, v)
3591 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
3593 + atomic64_add_unchecked(1, v);
3596 #define atomic_dec(v) atomic_sub(1, v)
3597 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
3599 + atomic_sub_unchecked(1, v);
3601 #define atomic64_dec(v) atomic64_sub(1, v)
3602 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
3604 + atomic64_sub_unchecked(1, v);
3607 #define atomic_add_negative(i, v) (atomic_add_ret(i, v) < 0)
3608 #define atomic64_add_negative(i, v) (atomic64_add_ret(i, v) < 0)
3609 @@ -72,17 +122,28 @@ extern long atomic64_sub_ret(long, atomi
3611 static inline int atomic_add_unless(atomic_t *v, int a, int u)
3617 - if (unlikely(c == (u)))
3618 + if (unlikely(c == u))
3620 - old = atomic_cmpxchg((v), c, c + (a));
3622 + asm volatile("addcc %2, %0, %0\n"
3624 +#ifdef CONFIG_PAX_REFCOUNT
3629 + : "0" (c), "ir" (a)
3632 + old = atomic_cmpxchg(v, c, new);
3633 if (likely(old == c))
3641 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
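Review bot: The new `asm volatile("addcc %2, %0, %0\n" ...)` in `atomic_add_unless` alters the integer condition codes, and the spinlock_64.h change in this same patch adds `"cc"` to the clobber list of its matching `addcc`; the output and clobber operands of this asm (patch lines 3630-3631) are not in the listing, so confirm they end with `: "cc"` as well. Without the clobber the compiler may assume the condition codes survive the statement and keep a comparison live across it. The `atomic64_add_unless` hunk below has the same shape and needs the same check. The declaration of `new` and the rest of the function body lie outside the visible lines.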
3642 @@ -93,17 +154,28 @@ static inline int atomic_add_unless(atom
3644 static inline long atomic64_add_unless(atomic64_t *v, long a, long u)
3648 c = atomic64_read(v);
3650 - if (unlikely(c == (u)))
3651 + if (unlikely(c == u))
3653 - old = atomic64_cmpxchg((v), c, c + (a));
3655 + asm volatile("addcc %2, %0, %0\n"
3657 +#ifdef CONFIG_PAX_REFCOUNT
3662 + : "0" (c), "ir" (a)
3665 + old = atomic64_cmpxchg(v, c, new);
3666 if (likely(old == c))
3674 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
3675 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/dma-mapping.h linux-2.6.36.1/arch/sparc/include/asm/dma-mapping.h
3676 --- linux-2.6.36.1/arch/sparc/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
3677 +++ linux-2.6.36.1/arch/sparc/include/asm/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
3678 @@ -12,10 +12,10 @@ extern int dma_supported(struct device *
3679 #define dma_alloc_noncoherent(d, s, h, f) dma_alloc_coherent(d, s, h, f)
3680 #define dma_free_noncoherent(d, s, v, h) dma_free_coherent(d, s, v, h)
3682 -extern struct dma_map_ops *dma_ops, pci32_dma_ops;
3683 +extern const struct dma_map_ops *dma_ops, pci32_dma_ops;
3684 extern struct bus_type pci_bus_type;
3686 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
3687 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
3689 #if defined(CONFIG_SPARC32) && defined(CONFIG_PCI)
3690 if (dev->bus == &pci_bus_type)
3691 @@ -29,7 +29,7 @@ static inline struct dma_map_ops *get_dm
3692 static inline void *dma_alloc_coherent(struct device *dev, size_t size,
3693 dma_addr_t *dma_handle, gfp_t flag)
3695 - struct dma_map_ops *ops = get_dma_ops(dev);
3696 + const struct dma_map_ops *ops = get_dma_ops(dev);
3699 cpu_addr = ops->alloc_coherent(dev, size, dma_handle, flag);
3700 @@ -40,7 +40,7 @@ static inline void *dma_alloc_coherent(s
3701 static inline void dma_free_coherent(struct device *dev, size_t size,
3702 void *cpu_addr, dma_addr_t dma_handle)
3704 - struct dma_map_ops *ops = get_dma_ops(dev);
3705 + const struct dma_map_ops *ops = get_dma_ops(dev);
3707 debug_dma_free_coherent(dev, size, cpu_addr, dma_handle);
3708 ops->free_coherent(dev, size, cpu_addr, dma_handle);
3709 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/elf_32.h linux-2.6.36.1/arch/sparc/include/asm/elf_32.h
3710 --- linux-2.6.36.1/arch/sparc/include/asm/elf_32.h 2010-10-20 16:30:22.000000000 -0400
3711 +++ linux-2.6.36.1/arch/sparc/include/asm/elf_32.h 2010-11-06 18:58:15.000000000 -0400
3712 @@ -114,6 +114,13 @@ typedef struct {
3714 #define ELF_ET_DYN_BASE (TASK_UNMAPPED_BASE)
3716 +#ifdef CONFIG_PAX_ASLR
3717 +#define PAX_ELF_ET_DYN_BASE 0x10000UL
3719 +#define PAX_DELTA_MMAP_LEN 16
3720 +#define PAX_DELTA_STACK_LEN 16
3723 /* This yields a mask that user programs can use to figure out what
3724 instruction set this cpu supports. This can NOT be done in userspace
3726 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/elf_64.h linux-2.6.36.1/arch/sparc/include/asm/elf_64.h
3727 --- linux-2.6.36.1/arch/sparc/include/asm/elf_64.h 2010-10-20 16:30:22.000000000 -0400
3728 +++ linux-2.6.36.1/arch/sparc/include/asm/elf_64.h 2010-11-06 18:58:15.000000000 -0400
3729 @@ -162,6 +162,12 @@ typedef struct {
3730 #define ELF_ET_DYN_BASE 0x0000010000000000UL
3731 #define COMPAT_ELF_ET_DYN_BASE 0x0000000070000000UL
3733 +#ifdef CONFIG_PAX_ASLR
3734 +#define PAX_ELF_ET_DYN_BASE (test_thread_flag(TIF_32BIT) ? 0x10000UL : 0x100000UL)
3736 +#define PAX_DELTA_MMAP_LEN (test_thread_flag(TIF_32BIT) ? 14 : 28)
3737 +#define PAX_DELTA_STACK_LEN (test_thread_flag(TIF_32BIT) ? 15 : 29)
3740 /* This yields a mask that user programs can use to figure out what
3741 instruction set this cpu supports. */
3742 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/pgtable_32.h linux-2.6.36.1/arch/sparc/include/asm/pgtable_32.h
3743 --- linux-2.6.36.1/arch/sparc/include/asm/pgtable_32.h 2010-10-20 16:30:22.000000000 -0400
3744 +++ linux-2.6.36.1/arch/sparc/include/asm/pgtable_32.h 2010-11-06 18:58:15.000000000 -0400
3745 @@ -43,6 +43,13 @@ BTFIXUPDEF_SIMM13(user_ptrs_per_pgd)
3746 BTFIXUPDEF_INT(page_none)
3747 BTFIXUPDEF_INT(page_copy)
3748 BTFIXUPDEF_INT(page_readonly)
3750 +#ifdef CONFIG_PAX_PAGEEXEC
3751 +BTFIXUPDEF_INT(page_shared_noexec)
3752 +BTFIXUPDEF_INT(page_copy_noexec)
3753 +BTFIXUPDEF_INT(page_readonly_noexec)
3756 BTFIXUPDEF_INT(page_kernel)
3758 #define PMD_SHIFT SUN4C_PMD_SHIFT
3759 @@ -64,6 +71,16 @@ extern pgprot_t PAGE_SHARED;
3760 #define PAGE_COPY __pgprot(BTFIXUP_INT(page_copy))
3761 #define PAGE_READONLY __pgprot(BTFIXUP_INT(page_readonly))
3763 +#ifdef CONFIG_PAX_PAGEEXEC
3764 +extern pgprot_t PAGE_SHARED_NOEXEC;
3765 +# define PAGE_COPY_NOEXEC __pgprot(BTFIXUP_INT(page_copy_noexec))
3766 +# define PAGE_READONLY_NOEXEC __pgprot(BTFIXUP_INT(page_readonly_noexec))
3768 +# define PAGE_SHARED_NOEXEC PAGE_SHARED
3769 +# define PAGE_COPY_NOEXEC PAGE_COPY
3770 +# define PAGE_READONLY_NOEXEC PAGE_READONLY
3773 extern unsigned long page_kernel;
3776 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/pgtsrmmu.h linux-2.6.36.1/arch/sparc/include/asm/pgtsrmmu.h
3777 --- linux-2.6.36.1/arch/sparc/include/asm/pgtsrmmu.h 2010-10-20 16:30:22.000000000 -0400
3778 +++ linux-2.6.36.1/arch/sparc/include/asm/pgtsrmmu.h 2010-11-06 18:58:15.000000000 -0400
3779 @@ -115,6 +115,13 @@
3780 SRMMU_EXEC | SRMMU_REF)
3781 #define SRMMU_PAGE_RDONLY __pgprot(SRMMU_VALID | SRMMU_CACHE | \
3782 SRMMU_EXEC | SRMMU_REF)
3784 +#ifdef CONFIG_PAX_PAGEEXEC
3785 +#define SRMMU_PAGE_SHARED_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_WRITE | SRMMU_REF)
3786 +#define SRMMU_PAGE_COPY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3787 +#define SRMMU_PAGE_RDONLY_NOEXEC __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_REF)
3790 #define SRMMU_PAGE_KERNEL __pgprot(SRMMU_VALID | SRMMU_CACHE | SRMMU_PRIV | \
3791 SRMMU_DIRTY | SRMMU_REF)
3793 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/spinlock_64.h linux-2.6.36.1/arch/sparc/include/asm/spinlock_64.h
3794 --- linux-2.6.36.1/arch/sparc/include/asm/spinlock_64.h 2010-10-20 16:30:22.000000000 -0400
3795 +++ linux-2.6.36.1/arch/sparc/include/asm/spinlock_64.h 2010-11-06 18:58:15.000000000 -0400
3796 @@ -99,7 +99,12 @@ static void inline arch_read_lock(arch_r
3797 __asm__ __volatile__ (
3798 "1: ldsw [%2], %0\n"
3800 -"4: add %0, 1, %1\n"
3801 +"4: addcc %0, 1, %1\n"
3803 +#ifdef CONFIG_PAX_REFCOUNT
3807 " cas [%2], %0, %1\n"
3809 " bne,pn %%icc, 1b\n"
3810 @@ -112,7 +117,7 @@ static void inline arch_read_lock(arch_r
3812 : "=&r" (tmp1), "=&r" (tmp2)
3815 + : "memory", "cc");
3818 static int inline arch_read_trylock(arch_rwlock_t *lock)
3819 @@ -123,7 +128,12 @@ static int inline arch_read_trylock(arch
3820 "1: ldsw [%2], %0\n"
3821 " brlz,a,pn %0, 2f\n"
3824 +" addcc %0, 1, %1\n"
3826 +#ifdef CONFIG_PAX_REFCOUNT
3830 " cas [%2], %0, %1\n"
3832 " bne,pn %%icc, 1b\n"
3833 @@ -142,7 +152,12 @@ static void inline arch_read_unlock(arch
3835 __asm__ __volatile__(
3836 "1: lduw [%2], %0\n"
3838 +" subcc %0, 1, %1\n"
3840 +#ifdef CONFIG_PAX_REFCOUNT
3844 " cas [%2], %0, %1\n"
3846 " bne,pn %%xcc, 1b\n"
3847 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/uaccess_32.h linux-2.6.36.1/arch/sparc/include/asm/uaccess_32.h
3848 --- linux-2.6.36.1/arch/sparc/include/asm/uaccess_32.h 2010-10-20 16:30:22.000000000 -0400
3849 +++ linux-2.6.36.1/arch/sparc/include/asm/uaccess_32.h 2010-11-06 18:58:15.000000000 -0400
3850 @@ -249,27 +249,46 @@ extern unsigned long __copy_user(void __
3852 static inline unsigned long copy_to_user(void __user *to, const void *from, unsigned long n)
3854 - if (n && __access_ok((unsigned long) to, n))
3858 + if (n && __access_ok((unsigned long) to, n)) {
3859 + if (!__builtin_constant_p(n))
3860 + check_object_size(from, n, true);
3861 return __copy_user(to, (__force void __user *) from, n);
3867 static inline unsigned long __copy_to_user(void __user *to, const void *from, unsigned long n)
3872 + if (!__builtin_constant_p(n))
3873 + check_object_size(from, n, true);
3875 return __copy_user(to, (__force void __user *) from, n);
3878 static inline unsigned long copy_from_user(void *to, const void __user *from, unsigned long n)
3880 - if (n && __access_ok((unsigned long) from, n))
3884 + if (n && __access_ok((unsigned long) from, n)) {
3885 + if (!__builtin_constant_p(n))
3886 + check_object_size(to, n, false);
3887 return __copy_user((__force void __user *) to, from, n);
3893 static inline unsigned long __copy_from_user(void *to, const void __user *from, unsigned long n)
3898 return __copy_user((__force void __user *) to, from, n);
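Review bot: The `if (!__builtin_constant_p(n))` gate in front of each `check_object_size` call is uncommented, and nothing in the hunk says why constant-size copies are exempt; a one-line comment such as `/* constant n: size is visible to the compiler, only runtime sizes are checked here -- confirm against check_object_size */` would keep the next maintainer from removing it. The listing omits patch lines 3894-3897, so whether `__copy_from_user` receives the same `check_object_size(to, n, false)` call that `copy_from_user` gets cannot be confirmed from here; if it does not, callers that have already done their own `access_ok` bypass the object-size check entirely. The closing lines of `copy_from_user` are also outside the visible hunk.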
3901 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/uaccess_64.h linux-2.6.36.1/arch/sparc/include/asm/uaccess_64.h
3902 --- linux-2.6.36.1/arch/sparc/include/asm/uaccess_64.h 2010-10-20 16:30:22.000000000 -0400
3903 +++ linux-2.6.36.1/arch/sparc/include/asm/uaccess_64.h 2010-11-06 18:58:15.000000000 -0400
3905 #include <linux/compiler.h>
3906 #include <linux/string.h>
3907 #include <linux/thread_info.h>
3908 +#include <linux/kernel.h>
3909 #include <asm/asi.h>
3910 #include <asm/system.h>
3911 #include <asm/spitfire.h>
3912 @@ -213,8 +214,15 @@ extern unsigned long copy_from_user_fixu
3913 static inline unsigned long __must_check
3914 copy_from_user(void *to, const void __user *from, unsigned long size)
3916 - unsigned long ret = ___copy_from_user(to, from, size);
3917 + unsigned long ret;
3919 + if ((long)size < 0 || size > INT_MAX)
3922 + if (!__builtin_constant_p(size))
3923 + check_object_size(to, size, false);
3925 + ret = ___copy_from_user(to, from, size);
3927 ret = copy_from_user_fixup(to, from, size);
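Review bot: In the first added condition of `copy_from_user`, `(long)size < 0` is subsumed by `size > INT_MAX`: `size` is a 64-bit `unsigned long` in this header, so any value with the sign bit set is already above INT_MAX, and `if (size > INT_MAX)` states the same guard without the cast. The statement that guard executes (patch line 3920) is not in the listing; the copy_*_user contract is to return the number of bytes not copied, so it should read `return size;`, and a short comment explaining why sizes above INT_MAX are refused would help, since the reason is not evident from the hunk. The `copy_to_user` hunk below repeats the same condition and deserves the same treatment.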
3929 @@ -230,8 +238,15 @@ extern unsigned long copy_to_user_fixup(
3930 static inline unsigned long __must_check
3931 copy_to_user(void __user *to, const void *from, unsigned long size)
3933 - unsigned long ret = ___copy_to_user(to, from, size);
3934 + unsigned long ret;
3936 + if ((long)size < 0 || size > INT_MAX)
3939 + if (!__builtin_constant_p(size))
3940 + check_object_size(from, size, true);
3942 + ret = ___copy_to_user(to, from, size);
3944 ret = copy_to_user_fixup(to, from, size);
3946 diff -urNp linux-2.6.36.1/arch/sparc/include/asm/uaccess.h linux-2.6.36.1/arch/sparc/include/asm/uaccess.h
3947 --- linux-2.6.36.1/arch/sparc/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
3948 +++ linux-2.6.36.1/arch/sparc/include/asm/uaccess.h 2010-11-06 18:58:15.000000000 -0400
3950 #ifndef ___ASM_SPARC_UACCESS_H
3951 #define ___ASM_SPARC_UACCESS_H
3954 +#ifndef __ASSEMBLY__
3955 +#include <linux/types.h>
3956 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
3960 #if defined(__sparc__) && defined(__arch64__)
3961 #include <asm/uaccess_64.h>
3963 diff -urNp linux-2.6.36.1/arch/sparc/kernel/iommu.c linux-2.6.36.1/arch/sparc/kernel/iommu.c
3964 --- linux-2.6.36.1/arch/sparc/kernel/iommu.c 2010-10-20 16:30:22.000000000 -0400
3965 +++ linux-2.6.36.1/arch/sparc/kernel/iommu.c 2010-11-06 18:58:15.000000000 -0400
3966 @@ -828,7 +828,7 @@ static void dma_4u_sync_sg_for_cpu(struc
3967 spin_unlock_irqrestore(&iommu->lock, flags);
3970 -static struct dma_map_ops sun4u_dma_ops = {
3971 +static const struct dma_map_ops sun4u_dma_ops = {
3972 .alloc_coherent = dma_4u_alloc_coherent,
3973 .free_coherent = dma_4u_free_coherent,
3974 .map_page = dma_4u_map_page,
3975 @@ -839,7 +839,7 @@ static struct dma_map_ops sun4u_dma_ops
3976 .sync_sg_for_cpu = dma_4u_sync_sg_for_cpu,
3979 -struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3980 +const struct dma_map_ops *dma_ops = &sun4u_dma_ops;
3981 EXPORT_SYMBOL(dma_ops);
3983 extern int pci64_dma_supported(struct pci_dev *pdev, u64 device_mask);
3984 diff -urNp linux-2.6.36.1/arch/sparc/kernel/ioport.c linux-2.6.36.1/arch/sparc/kernel/ioport.c
3985 --- linux-2.6.36.1/arch/sparc/kernel/ioport.c 2010-10-20 16:30:22.000000000 -0400
3986 +++ linux-2.6.36.1/arch/sparc/kernel/ioport.c 2010-11-06 18:58:15.000000000 -0400
3987 @@ -397,7 +397,7 @@ static void sbus_sync_sg_for_device(stru
3991 -struct dma_map_ops sbus_dma_ops = {
3992 +const struct dma_map_ops sbus_dma_ops = {
3993 .alloc_coherent = sbus_alloc_coherent,
3994 .free_coherent = sbus_free_coherent,
3995 .map_page = sbus_map_page,
3996 @@ -408,7 +408,7 @@ struct dma_map_ops sbus_dma_ops = {
3997 .sync_sg_for_device = sbus_sync_sg_for_device,
4000 -struct dma_map_ops *dma_ops = &sbus_dma_ops;
4001 +const struct dma_map_ops *dma_ops = &sbus_dma_ops;
4002 EXPORT_SYMBOL(dma_ops);
4004 static int __init sparc_register_ioport(void)
4005 @@ -645,7 +645,7 @@ static void pci32_sync_sg_for_device(str
4009 -struct dma_map_ops pci32_dma_ops = {
4010 +const struct dma_map_ops pci32_dma_ops = {
4011 .alloc_coherent = pci32_alloc_coherent,
4012 .free_coherent = pci32_free_coherent,
4013 .map_page = pci32_map_page,
4014 diff -urNp linux-2.6.36.1/arch/sparc/kernel/kgdb_32.c linux-2.6.36.1/arch/sparc/kernel/kgdb_32.c
4015 --- linux-2.6.36.1/arch/sparc/kernel/kgdb_32.c 2010-10-20 16:30:22.000000000 -0400
4016 +++ linux-2.6.36.1/arch/sparc/kernel/kgdb_32.c 2010-11-06 18:58:15.000000000 -0400
4017 @@ -164,7 +164,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4018 regs->npc = regs->pc + 4;
4021 -struct kgdb_arch arch_kgdb_ops = {
4022 +const struct kgdb_arch arch_kgdb_ops = {
4023 /* Breakpoint instruction: ta 0x7d */
4024 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x7d },
4026 diff -urNp linux-2.6.36.1/arch/sparc/kernel/kgdb_64.c linux-2.6.36.1/arch/sparc/kernel/kgdb_64.c
4027 --- linux-2.6.36.1/arch/sparc/kernel/kgdb_64.c 2010-10-20 16:30:22.000000000 -0400
4028 +++ linux-2.6.36.1/arch/sparc/kernel/kgdb_64.c 2010-11-06 18:58:15.000000000 -0400
4029 @@ -187,7 +187,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
4030 regs->tnpc = regs->tpc + 4;
4033 -struct kgdb_arch arch_kgdb_ops = {
4034 +const struct kgdb_arch arch_kgdb_ops = {
4035 /* Breakpoint instruction: ta 0x72 */
4036 .gdb_bpt_instr = { 0x91, 0xd0, 0x20, 0x72 },
4038 diff -urNp linux-2.6.36.1/arch/sparc/kernel/Makefile linux-2.6.36.1/arch/sparc/kernel/Makefile
4039 --- linux-2.6.36.1/arch/sparc/kernel/Makefile 2010-10-20 16:30:22.000000000 -0400
4040 +++ linux-2.6.36.1/arch/sparc/kernel/Makefile 2010-11-06 18:58:15.000000000 -0400
4045 -ccflags-y := -Werror
4046 +#ccflags-y := -Werror
4048 extra-y := head_$(BITS).o
4049 extra-y += init_task.o
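Review bot: Commenting out `ccflags-y := -Werror` drops the warning-as-error policy for every object in arch/sparc/kernel, not only the files this patch touches, so warnings introduced by the constification and refcount changes elsewhere in the patch would now pass the build unnoticed. If one file needs the relaxation, `CFLAGS_REMOVE_<file>.o += -Werror` keeps the policy for the rest of the directory; otherwise the commit should name the warning that forced the change, and the dead `#ccflags-y` line should be deleted rather than left as commented-out code.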
4050 diff -urNp linux-2.6.36.1/arch/sparc/kernel/pci_sun4v.c linux-2.6.36.1/arch/sparc/kernel/pci_sun4v.c
4051 --- linux-2.6.36.1/arch/sparc/kernel/pci_sun4v.c 2010-10-20 16:30:22.000000000 -0400
4052 +++ linux-2.6.36.1/arch/sparc/kernel/pci_sun4v.c 2010-11-06 18:58:15.000000000 -0400
4053 @@ -525,7 +525,7 @@ static void dma_4v_unmap_sg(struct devic
4054 spin_unlock_irqrestore(&iommu->lock, flags);
4057 -static struct dma_map_ops sun4v_dma_ops = {
4058 +static const struct dma_map_ops sun4v_dma_ops = {
4059 .alloc_coherent = dma_4v_alloc_coherent,
4060 .free_coherent = dma_4v_free_coherent,
4061 .map_page = dma_4v_map_page,
4062 diff -urNp linux-2.6.36.1/arch/sparc/kernel/process_32.c linux-2.6.36.1/arch/sparc/kernel/process_32.c
4063 --- linux-2.6.36.1/arch/sparc/kernel/process_32.c 2010-10-20 16:30:22.000000000 -0400
4064 +++ linux-2.6.36.1/arch/sparc/kernel/process_32.c 2010-11-13 16:29:01.000000000 -0500
4065 @@ -196,7 +196,7 @@ void __show_backtrace(unsigned long fp)
4066 rw->ins[4], rw->ins[5],
4069 - printk("%pS\n", (void *) rw->ins[7]);
4070 + printk("%pA\n", (void *) rw->ins[7]);
4071 rw = (struct reg_window32 *) rw->ins[6];
4073 spin_unlock_irqrestore(&sparc_backtrace_lock, flags);
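Review bot: `%pA` is not a `%p` extension the stock 2.6.36 `pointer()` dispatcher in lib/vsprintf.c recognises; these lines only symbolise correctly if the matching handler is added elsewhere in this patch, which is not in this chunk. `-Wformat` does not validate `%p` suffixes, and in this kernel generation an unknown suffix appears to fall back to printing the raw hex address, so a missing handler would silently defeat the symbolisation and expose the very addresses these backtraces are meant to hide. Worth a one-line comment at the first use, `/* %pA: symbol formatting provided by this patch's vsprintf.c change */`, so the dependency is visible. The same substitution recurs in process_64.c, traps_32.c, traps_64.c and unaligned_64.c below.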
4074 @@ -263,14 +263,14 @@ void show_regs(struct pt_regs *r)
4076 printk("PSR: %08lx PC: %08lx NPC: %08lx Y: %08lx %s\n",
4077 r->psr, r->pc, r->npc, r->y, print_tainted());
4078 - printk("PC: <%pS>\n", (void *) r->pc);
4079 + printk("PC: <%pA>\n", (void *) r->pc);
4080 printk("%%G: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4081 r->u_regs[0], r->u_regs[1], r->u_regs[2], r->u_regs[3],
4082 r->u_regs[4], r->u_regs[5], r->u_regs[6], r->u_regs[7]);
4083 printk("%%O: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4084 r->u_regs[8], r->u_regs[9], r->u_regs[10], r->u_regs[11],
4085 r->u_regs[12], r->u_regs[13], r->u_regs[14], r->u_regs[15]);
4086 - printk("RPC: <%pS>\n", (void *) r->u_regs[15]);
4087 + printk("RPC: <%pA>\n", (void *) r->u_regs[15]);
4089 printk("%%L: %08lx %08lx %08lx %08lx %08lx %08lx %08lx %08lx\n",
4090 rw->locals[0], rw->locals[1], rw->locals[2], rw->locals[3],
4091 @@ -305,7 +305,7 @@ void show_stack(struct task_struct *tsk,
4092 rw = (struct reg_window32 *) fp;
4094 printk("[%08lx : ", pc);
4095 - printk("%pS ] ", (void *) pc);
4096 + printk("%pA ] ", (void *) pc);
4098 } while (++count < 16);
4100 diff -urNp linux-2.6.36.1/arch/sparc/kernel/process_64.c linux-2.6.36.1/arch/sparc/kernel/process_64.c
4101 --- linux-2.6.36.1/arch/sparc/kernel/process_64.c 2010-10-20 16:30:22.000000000 -0400
4102 +++ linux-2.6.36.1/arch/sparc/kernel/process_64.c 2010-11-13 16:34:22.000000000 -0500
4103 @@ -180,14 +180,14 @@ static void show_regwindow(struct pt_reg
4104 printk("i4: %016lx i5: %016lx i6: %016lx i7: %016lx\n",
4105 rwk->ins[4], rwk->ins[5], rwk->ins[6], rwk->ins[7]);
4106 if (regs->tstate & TSTATE_PRIV)
4107 - printk("I7: <%pS>\n", (void *) rwk->ins[7]);
4108 + printk("I7: <%pA>\n", (void *) rwk->ins[7]);
4111 void show_regs(struct pt_regs *regs)
4113 printk("TSTATE: %016lx TPC: %016lx TNPC: %016lx Y: %08x %s\n", regs->tstate,
4114 regs->tpc, regs->tnpc, regs->y, print_tainted());
4115 - printk("TPC: <%pS>\n", (void *) regs->tpc);
4116 + printk("TPC: <%pA>\n", (void *) regs->tpc);
4117 printk("g0: %016lx g1: %016lx g2: %016lx g3: %016lx\n",
4118 regs->u_regs[0], regs->u_regs[1], regs->u_regs[2],
4120 @@ -200,7 +200,7 @@ void show_regs(struct pt_regs *regs)
4121 printk("o4: %016lx o5: %016lx sp: %016lx ret_pc: %016lx\n",
4122 regs->u_regs[12], regs->u_regs[13], regs->u_regs[14],
4124 - printk("RPC: <%pS>\n", (void *) regs->u_regs[15]);
4125 + printk("RPC: <%pA>\n", (void *) regs->u_regs[15]);
4126 show_regwindow(regs);
4127 show_stack(current, (unsigned long *) regs->u_regs[UREG_FP]);
4129 @@ -285,7 +285,7 @@ void arch_trigger_all_cpu_backtrace(void
4130 ((tp && tp->task) ? tp->task->pid : -1));
4132 if (gp->tstate & TSTATE_PRIV) {
4133 - printk(" TPC[%pS] O7[%pS] I7[%pS] RPC[%pS]\n",
4134 + printk(" TPC[%pA] O7[%pA] I7[%pA] RPC[%pA]\n",
4138 diff -urNp linux-2.6.36.1/arch/sparc/kernel/sys_sparc_32.c linux-2.6.36.1/arch/sparc/kernel/sys_sparc_32.c
4139 --- linux-2.6.36.1/arch/sparc/kernel/sys_sparc_32.c 2010-10-20 16:30:22.000000000 -0400
4140 +++ linux-2.6.36.1/arch/sparc/kernel/sys_sparc_32.c 2010-11-06 18:58:15.000000000 -0400
4141 @@ -57,7 +57,7 @@ unsigned long arch_get_unmapped_area(str
4142 if (ARCH_SUN4C && len > 0x20000000)
4145 - addr = TASK_UNMAPPED_BASE;
4146 + addr = current->mm->mmap_base;
4148 if (flags & MAP_SHARED)
4149 addr = COLOUR_ALIGN(addr);
4150 @@ -72,7 +72,7 @@ unsigned long arch_get_unmapped_area(str
4152 if (TASK_SIZE - PAGE_SIZE - len < addr)
4154 - if (!vmm || addr + len <= vmm->vm_start)
4155 + if (check_heap_stack_gap(vmm, addr, len))
4158 if (flags & MAP_SHARED)
4159 diff -urNp linux-2.6.36.1/arch/sparc/kernel/sys_sparc_64.c linux-2.6.36.1/arch/sparc/kernel/sys_sparc_64.c
4160 --- linux-2.6.36.1/arch/sparc/kernel/sys_sparc_64.c 2010-10-20 16:30:22.000000000 -0400
4161 +++ linux-2.6.36.1/arch/sparc/kernel/sys_sparc_64.c 2010-11-06 18:58:15.000000000 -0400
4162 @@ -124,7 +124,7 @@ unsigned long arch_get_unmapped_area(str
4163 /* We do not accept a shared mapping if it would violate
4164 * cache aliasing constraints.
4166 - if ((flags & MAP_SHARED) &&
4167 + if ((filp || (flags & MAP_SHARED)) &&
4168 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4171 @@ -139,6 +139,10 @@ unsigned long arch_get_unmapped_area(str
4172 if (filp || (flags & MAP_SHARED))
4175 +#ifdef CONFIG_PAX_RANDMMAP
4176 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
4181 addr = COLOUR_ALIGN(addr, pgoff);
4182 @@ -146,15 +150,14 @@ unsigned long arch_get_unmapped_area(str
4183 addr = PAGE_ALIGN(addr);
4185 vma = find_vma(mm, addr);
4186 - if (task_size - len >= addr &&
4187 - (!vma || addr + len <= vma->vm_start))
4188 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4192 if (len > mm->cached_hole_size) {
4193 - start_addr = addr = mm->free_area_cache;
4194 + start_addr = addr = mm->free_area_cache;
4196 - start_addr = addr = TASK_UNMAPPED_BASE;
4197 + start_addr = addr = mm->mmap_base;
4198 mm->cached_hole_size = 0;
4201 @@ -174,14 +177,14 @@ full_search:
4202 vma = find_vma(mm, VA_EXCLUDE_END);
4204 if (unlikely(task_size < addr)) {
4205 - if (start_addr != TASK_UNMAPPED_BASE) {
4206 - start_addr = addr = TASK_UNMAPPED_BASE;
4207 + if (start_addr != mm->mmap_base) {
4208 + start_addr = addr = mm->mmap_base;
4209 mm->cached_hole_size = 0;
4214 - if (likely(!vma || addr + len <= vma->vm_start)) {
4215 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4217 * Remember the place where we stopped the search:
4219 @@ -215,7 +218,7 @@ arch_get_unmapped_area_topdown(struct fi
4220 /* We do not accept a shared mapping if it would violate
4221 * cache aliasing constraints.
4223 - if ((flags & MAP_SHARED) &&
4224 + if ((filp || (flags & MAP_SHARED)) &&
4225 ((addr - (pgoff << PAGE_SHIFT)) & (SHMLBA - 1)))
4228 @@ -236,8 +239,7 @@ arch_get_unmapped_area_topdown(struct fi
4229 addr = PAGE_ALIGN(addr);
4231 vma = find_vma(mm, addr);
4232 - if (task_size - len >= addr &&
4233 - (!vma || addr + len <= vma->vm_start))
4234 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
4238 @@ -258,7 +260,7 @@ arch_get_unmapped_area_topdown(struct fi
4239 /* make sure it can fit in the remaining address space */
4240 if (likely(addr > len)) {
4241 vma = find_vma(mm, addr-len);
4242 - if (!vma || addr <= vma->vm_start) {
4243 + if (check_heap_stack_gap(vma, addr - len, len)) {
4244 /* remember the address as a hint for next time */
4245 return (mm->free_area_cache = addr-len);
4247 @@ -278,7 +280,7 @@ arch_get_unmapped_area_topdown(struct fi
4248 * return with success:
4250 vma = find_vma(mm, addr);
4251 - if (likely(!vma || addr+len <= vma->vm_start)) {
4252 + if (likely(check_heap_stack_gap(vma, addr, len))) {
4253 /* remember the address as a hint for next time */
4254 return (mm->free_area_cache = addr);
4256 @@ -385,6 +387,12 @@ void arch_pick_mmap_layout(struct mm_str
4257 gap == RLIM_INFINITY ||
4258 sysctl_legacy_va_layout) {
4259 mm->mmap_base = TASK_UNMAPPED_BASE + random_factor;
4261 +#ifdef CONFIG_PAX_RANDMMAP
4262 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4263 + mm->mmap_base += mm->delta_mmap;
4266 mm->get_unmapped_area = arch_get_unmapped_area;
4267 mm->unmap_area = arch_unmap_area;
4269 @@ -397,6 +405,12 @@ void arch_pick_mmap_layout(struct mm_str
4270 gap = (task_size / 6 * 5);
4272 mm->mmap_base = PAGE_ALIGN(task_size - gap - random_factor);
4274 +#ifdef CONFIG_PAX_RANDMMAP
4275 + if (mm->pax_flags & MF_PAX_RANDMMAP)
4276 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
4279 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
4280 mm->unmap_area = arch_unmap_area_topdown;
4282 diff -urNp linux-2.6.36.1/arch/sparc/kernel/traps_32.c linux-2.6.36.1/arch/sparc/kernel/traps_32.c
4283 --- linux-2.6.36.1/arch/sparc/kernel/traps_32.c 2010-10-20 16:30:22.000000000 -0400
4284 +++ linux-2.6.36.1/arch/sparc/kernel/traps_32.c 2010-11-13 16:29:01.000000000 -0500
4285 @@ -76,7 +76,7 @@ void die_if_kernel(char *str, struct pt_
4287 (((unsigned long) rw) >= PAGE_OFFSET) &&
4288 !(((unsigned long) rw) & 0x7)) {
4289 - printk("Caller[%08lx]: %pS\n", rw->ins[7],
4290 + printk("Caller[%08lx]: %pA\n", rw->ins[7],
4291 (void *) rw->ins[7]);
4292 rw = (struct reg_window32 *)rw->ins[6];
4294 diff -urNp linux-2.6.36.1/arch/sparc/kernel/traps_64.c linux-2.6.36.1/arch/sparc/kernel/traps_64.c
4295 --- linux-2.6.36.1/arch/sparc/kernel/traps_64.c 2010-10-20 16:30:22.000000000 -0400
4296 +++ linux-2.6.36.1/arch/sparc/kernel/traps_64.c 2010-11-13 16:34:06.000000000 -0500
4297 @@ -75,7 +75,7 @@ static void dump_tl1_traplog(struct tl1_
4299 p->trapstack[i].tstate, p->trapstack[i].tpc,
4300 p->trapstack[i].tnpc, p->trapstack[i].tt);
4301 - printk("TRAPLOG: TPC<%pS>\n", (void *) p->trapstack[i].tpc);
4302 + printk("TRAPLOG: TPC<%pA>\n", (void *) p->trapstack[i].tpc);
4306 @@ -95,6 +95,12 @@ void bad_trap(struct pt_regs *regs, long
4309 if (regs->tstate & TSTATE_PRIV) {
4311 +#ifdef CONFIG_PAX_REFCOUNT
4313 + pax_report_refcount_overflow(regs);
4316 sprintf(buffer, "Kernel bad sw trap %lx", lvl);
4317 die_if_kernel(buffer, regs);
4319 @@ -113,11 +119,16 @@ void bad_trap(struct pt_regs *regs, long
4320 void bad_trap_tl1(struct pt_regs *regs, long lvl)
4325 if (notify_die(DIE_TRAP_TL1, "bad trap tl1", regs,
4326 0, lvl, SIGTRAP) == NOTIFY_STOP)
4329 +#ifdef CONFIG_PAX_REFCOUNT
4331 + pax_report_refcount_overflow(regs);
4334 dump_tl1_traplog((struct tl1_traplog *)(regs + 1));
4336 sprintf (buffer, "Bad trap %lx at tl>0", lvl);
4337 @@ -1141,7 +1152,7 @@ static void cheetah_log_errors(struct pt
4338 regs->tpc, regs->tnpc, regs->u_regs[UREG_I7], regs->tstate);
4339 printk("%s" "ERROR(%d): ",
4340 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id());
4341 - printk("TPC<%pS>\n", (void *) regs->tpc);
4342 + printk("TPC<%pA>\n", (void *) regs->tpc);
4343 printk("%s" "ERROR(%d): M_SYND(%lx), E_SYND(%lx)%s%s\n",
4344 (recoverable ? KERN_WARNING : KERN_CRIT), smp_processor_id(),
4345 (afsr & CHAFSR_M_SYNDROME) >> CHAFSR_M_SYNDROME_SHIFT,
4346 @@ -1748,7 +1759,7 @@ void cheetah_plus_parity_error(int type,
4348 (type & 0x1) ? 'I' : 'D',
4350 - printk(KERN_EMERG "TPC<%pS>\n", (void *) regs->tpc);
4351 + printk(KERN_EMERG "TPC<%pA>\n", (void *) regs->tpc);
4352 panic("Irrecoverable Cheetah+ parity error.");
4355 @@ -1756,7 +1767,7 @@ void cheetah_plus_parity_error(int type,
4357 (type & 0x1) ? 'I' : 'D',
4359 - printk(KERN_WARNING "TPC<%pS>\n", (void *) regs->tpc);
4360 + printk(KERN_WARNING "TPC<%pA>\n", (void *) regs->tpc);
4363 struct sun4v_error_entry {
4364 @@ -1963,9 +1974,9 @@ void sun4v_itlb_error_report(struct pt_r
4366 printk(KERN_EMERG "SUN4V-ITLB: Error at TPC[%lx], tl %d\n",
4368 - printk(KERN_EMERG "SUN4V-ITLB: TPC<%pS>\n", (void *) regs->tpc);
4369 + printk(KERN_EMERG "SUN4V-ITLB: TPC<%pA>\n", (void *) regs->tpc);
4370 printk(KERN_EMERG "SUN4V-ITLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4371 - printk(KERN_EMERG "SUN4V-ITLB: O7<%pS>\n",
4372 + printk(KERN_EMERG "SUN4V-ITLB: O7<%pA>\n",
4373 (void *) regs->u_regs[UREG_I7]);
4374 printk(KERN_EMERG "SUN4V-ITLB: vaddr[%lx] ctx[%lx] "
4375 "pte[%lx] error[%lx]\n",
4376 @@ -1987,9 +1998,9 @@ void sun4v_dtlb_error_report(struct pt_r
4378 printk(KERN_EMERG "SUN4V-DTLB: Error at TPC[%lx], tl %d\n",
4380 - printk(KERN_EMERG "SUN4V-DTLB: TPC<%pS>\n", (void *) regs->tpc);
4381 + printk(KERN_EMERG "SUN4V-DTLB: TPC<%pA>\n", (void *) regs->tpc);
4382 printk(KERN_EMERG "SUN4V-DTLB: O7[%lx]\n", regs->u_regs[UREG_I7]);
4383 - printk(KERN_EMERG "SUN4V-DTLB: O7<%pS>\n",
4384 + printk(KERN_EMERG "SUN4V-DTLB: O7<%pA>\n",
4385 (void *) regs->u_regs[UREG_I7]);
4386 printk(KERN_EMERG "SUN4V-DTLB: vaddr[%lx] ctx[%lx] "
4387 "pte[%lx] error[%lx]\n",
4388 @@ -2196,13 +2207,13 @@ void show_stack(struct task_struct *tsk,
4389 fp = (unsigned long)sf->fp + STACK_BIAS;
4392 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4393 + printk(" [%016lx] %pA\n", pc, (void *) pc);
4394 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
4395 if ((pc + 8UL) == (unsigned long) &return_to_handler) {
4396 int index = tsk->curr_ret_stack;
4397 if (tsk->ret_stack && index >= graph) {
4398 pc = tsk->ret_stack[index - graph].ret;
4399 - printk(" [%016lx] %pS\n", pc, (void *) pc);
4400 + printk(" [%016lx] %pA\n", pc, (void *) pc);
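Review bot: The raw `pc` is still printed as `%016lx` on the same line as the new `%pA`, at `printk(" [%016lx] %pA\n", pc, (void *) pc);` and again for the return-stack entry, so whatever `%pA` withholds relative to `%pS` is available two columns to the left; if the goal is to keep kernel addresses out of the log, the `%lx` needs the same treatment, and if it is not, a short comment on why `%pA` replaces `%pS` would spare the next reader the lookup. `%pA` is also not a conversion that stock 2.6.36 lib/vsprintf.c knows; it only works together with the patch's vsprintf change, which is outside this view, and as far as I recall of 2.6.36's pointer() a partial backport would make it skip the unknown letter and print the bare pointer without any warning. The same applies to the sibling `%pS`→`%pA` hunks in this file and in unaligned_64.c. show_stack() starts and ends outside the hunk.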
4404 @@ -2255,7 +2266,7 @@ void die_if_kernel(char *str, struct pt_
4407 kstack_valid(tp, (unsigned long) rw)) {
4408 - printk("Caller[%016lx]: %pS\n", rw->ins[7],
4409 + printk("Caller[%016lx]: %pA\n", rw->ins[7],
4410 (void *) rw->ins[7]);
4412 rw = kernel_stack_up(rw);
4413 diff -urNp linux-2.6.36.1/arch/sparc/kernel/unaligned_64.c linux-2.6.36.1/arch/sparc/kernel/unaligned_64.c
4414 --- linux-2.6.36.1/arch/sparc/kernel/unaligned_64.c 2010-10-20 16:30:22.000000000 -0400
4415 +++ linux-2.6.36.1/arch/sparc/kernel/unaligned_64.c 2010-11-13 16:33:46.000000000 -0500
4416 @@ -278,7 +278,7 @@ static void log_unaligned(struct pt_regs
4417 static DEFINE_RATELIMIT_STATE(ratelimit, 5 * HZ, 5);
4419 if (__ratelimit(&ratelimit)) {
4420 - printk("Kernel unaligned access at TPC[%lx] %pS\n",
4421 + printk("Kernel unaligned access at TPC[%lx] %pA\n",
4422 regs->tpc, (void *) regs->tpc);
4425 diff -urNp linux-2.6.36.1/arch/sparc/lib/atomic_64.S linux-2.6.36.1/arch/sparc/lib/atomic_64.S
4426 --- linux-2.6.36.1/arch/sparc/lib/atomic_64.S 2010-10-20 16:30:22.000000000 -0400
4427 +++ linux-2.6.36.1/arch/sparc/lib/atomic_64.S 2010-11-06 18:58:15.000000000 -0400
4429 atomic_add: /* %o0 = increment, %o1 = atomic_ptr */
4433 + addcc %g1, %o0, %g7
4435 +#ifdef CONFIG_PAX_REFCOUNT
4441 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4442 @@ -28,12 +33,32 @@ atomic_add: /* %o0 = increment, %o1 = at
4443 2: BACKOFF_SPIN(%o2, %o3, 1b)
4444 .size atomic_add, .-atomic_add
4446 + .globl atomic_add_unchecked
4447 + .type atomic_add_unchecked,#function
4448 +atomic_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4449 + BACKOFF_SETUP(%o2)
4452 + cas [%o1], %g1, %g7
4458 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4459 + .size atomic_add_unchecked, .-atomic_add_unchecked
4462 .type atomic_sub,#function
4463 atomic_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4467 + subcc %g1, %o0, %g7
4469 +#ifdef CONFIG_PAX_REFCOUNT
4475 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4476 @@ -43,12 +68,32 @@ atomic_sub: /* %o0 = decrement, %o1 = at
4477 2: BACKOFF_SPIN(%o2, %o3, 1b)
4478 .size atomic_sub, .-atomic_sub
4480 + .globl atomic_sub_unchecked
4481 + .type atomic_sub_unchecked,#function
4482 +atomic_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4483 + BACKOFF_SETUP(%o2)
4486 + cas [%o1], %g1, %g7
4492 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4493 + .size atomic_sub_unchecked, .-atomic_sub_unchecked
4495 .globl atomic_add_ret
4496 .type atomic_add_ret,#function
4497 atomic_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4501 + addcc %g1, %o0, %g7
4503 +#ifdef CONFIG_PAX_REFCOUNT
4509 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
4510 @@ -58,12 +103,33 @@ atomic_add_ret: /* %o0 = increment, %o1
4511 2: BACKOFF_SPIN(%o2, %o3, 1b)
4512 .size atomic_add_ret, .-atomic_add_ret
4514 + .globl atomic_add_ret_unchecked
4515 + .type atomic_add_ret_unchecked,#function
4516 +atomic_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4517 + BACKOFF_SETUP(%o2)
4519 + addcc %g1, %o0, %g7
4520 + cas [%o1], %g1, %g7
4527 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4528 + .size atomic_add_ret_unchecked, .-atomic_add_ret_unchecked
4530 .globl atomic_sub_ret
4531 .type atomic_sub_ret,#function
4532 atomic_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4536 + subcc %g1, %o0, %g7
4538 +#ifdef CONFIG_PAX_REFCOUNT
4544 bne,pn %icc, BACKOFF_LABEL(2f, 1b)
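Review bot: `atomic_add_ret_unchecked` uses `addcc %g1, %o0, %g7` even though, unlike the checked routine just above it, it carries no `#ifdef CONFIG_PAX_REFCOUNT` overflow trap to consume the condition codes (assuming nothing in the elided lines of the new routine does). A plain `add %g1, %o0, %g7`, as the pre-patch code presumably had, would make the "unchecked" contract visible in the instruction itself and keep the routine identical to the original apart from its name; the same holds for the other `_unchecked` copies in this file that use `addcc`/`subcc`. The `atomic_sub_ret` part of this hunk continues in the next hunk, so its trap is not visible here.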
4545 @@ -78,7 +144,12 @@ atomic_sub_ret: /* %o0 = decrement, %o1
4546 atomic64_add: /* %o0 = increment, %o1 = atomic_ptr */
4550 + addcc %g1, %o0, %g7
4552 +#ifdef CONFIG_PAX_REFCOUNT
4556 casx [%o1], %g1, %g7
4558 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4559 @@ -88,12 +159,32 @@ atomic64_add: /* %o0 = increment, %o1 =
4560 2: BACKOFF_SPIN(%o2, %o3, 1b)
4561 .size atomic64_add, .-atomic64_add
4563 + .globl atomic64_add_unchecked
4564 + .type atomic64_add_unchecked,#function
4565 +atomic64_add_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4566 + BACKOFF_SETUP(%o2)
4568 + addcc %g1, %o0, %g7
4569 + casx [%o1], %g1, %g7
4575 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4576 + .size atomic64_add_unchecked, .-atomic64_add_unchecked
4579 .type atomic64_sub,#function
4580 atomic64_sub: /* %o0 = decrement, %o1 = atomic_ptr */
4584 + subcc %g1, %o0, %g7
4586 +#ifdef CONFIG_PAX_REFCOUNT
4590 casx [%o1], %g1, %g7
4592 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4593 @@ -103,12 +194,32 @@ atomic64_sub: /* %o0 = decrement, %o1 =
4594 2: BACKOFF_SPIN(%o2, %o3, 1b)
4595 .size atomic64_sub, .-atomic64_sub
4597 + .globl atomic64_sub_unchecked
4598 + .type atomic64_sub_unchecked,#function
4599 +atomic64_sub_unchecked: /* %o0 = decrement, %o1 = atomic_ptr */
4600 + BACKOFF_SETUP(%o2)
4602 + subcc %g1, %o0, %g7
4603 + casx [%o1], %g1, %g7
4609 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4610 + .size atomic64_sub_unchecked, .-atomic64_sub_unchecked
4612 .globl atomic64_add_ret
4613 .type atomic64_add_ret,#function
4614 atomic64_add_ret: /* %o0 = increment, %o1 = atomic_ptr */
4618 + addcc %g1, %o0, %g7
4620 +#ifdef CONFIG_PAX_REFCOUNT
4624 casx [%o1], %g1, %g7
4626 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4627 @@ -118,12 +229,33 @@ atomic64_add_ret: /* %o0 = increment, %o
4628 2: BACKOFF_SPIN(%o2, %o3, 1b)
4629 .size atomic64_add_ret, .-atomic64_add_ret
4631 + .globl atomic64_add_ret_unchecked
4632 + .type atomic64_add_ret_unchecked,#function
4633 +atomic64_add_ret_unchecked: /* %o0 = increment, %o1 = atomic_ptr */
4634 + BACKOFF_SETUP(%o2)
4636 + addcc %g1, %o0, %g7
4637 + casx [%o1], %g1, %g7
4644 +2: BACKOFF_SPIN(%o2, %o3, 1b)
4645 + .size atomic64_add_ret_unchecked, .-atomic64_add_ret_unchecked
4647 .globl atomic64_sub_ret
4648 .type atomic64_sub_ret,#function
4649 atomic64_sub_ret: /* %o0 = decrement, %o1 = atomic_ptr */
4653 + subcc %g1, %o0, %g7
4655 +#ifdef CONFIG_PAX_REFCOUNT
4659 casx [%o1], %g1, %g7
4661 bne,pn %xcc, BACKOFF_LABEL(2f, 1b)
4662 diff -urNp linux-2.6.36.1/arch/sparc/lib/ksyms.c linux-2.6.36.1/arch/sparc/lib/ksyms.c
4663 --- linux-2.6.36.1/arch/sparc/lib/ksyms.c 2010-10-20 16:30:22.000000000 -0400
4664 +++ linux-2.6.36.1/arch/sparc/lib/ksyms.c 2010-11-06 18:58:15.000000000 -0400
4665 @@ -142,12 +142,17 @@ EXPORT_SYMBOL(__downgrade_write);
4667 /* Atomic counter implementation. */
4668 EXPORT_SYMBOL(atomic_add);
4669 +EXPORT_SYMBOL(atomic_add_unchecked);
4670 EXPORT_SYMBOL(atomic_add_ret);
4671 EXPORT_SYMBOL(atomic_sub);
4672 +EXPORT_SYMBOL(atomic_sub_unchecked);
4673 EXPORT_SYMBOL(atomic_sub_ret);
4674 EXPORT_SYMBOL(atomic64_add);
4675 +EXPORT_SYMBOL(atomic64_add_unchecked);
4676 EXPORT_SYMBOL(atomic64_add_ret);
4677 +EXPORT_SYMBOL(atomic64_add_ret_unchecked);
4678 EXPORT_SYMBOL(atomic64_sub);
4679 +EXPORT_SYMBOL(atomic64_sub_unchecked);
4680 EXPORT_SYMBOL(atomic64_sub_ret);
4682 /* Atomic bit operations. */
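Review bot: `atomic_add_ret_unchecked` is declared `.globl` in the atomic_64.S hunks above but is missing from this export list, while its 64-bit twin `atomic64_add_ret_unchecked` is exported; unless it is exported somewhere outside this view, any module that ends up calling the 32-bit `atomic_add_return_unchecked()` will fail to load with an unresolved symbol, and the failure only shows up at modprobe time. Adding `EXPORT_SYMBOL(atomic_add_ret_unchecked);` after `EXPORT_SYMBOL(atomic_add_ret);` keeps the list parallel to the 64-bit one. No `atomic_sub_ret_unchecked`/`atomic64_sub_ret_unchecked` is defined in atomic_64.S either, which is fine only if the header builds the subtract-and-return variants on the add ones.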
4683 diff -urNp linux-2.6.36.1/arch/sparc/Makefile linux-2.6.36.1/arch/sparc/Makefile
4684 --- linux-2.6.36.1/arch/sparc/Makefile 2010-10-20 16:30:22.000000000 -0400
4685 +++ linux-2.6.36.1/arch/sparc/Makefile 2010-11-06 18:58:50.000000000 -0400
4686 @@ -75,7 +75,7 @@ drivers-$(CONFIG_OPROFILE) += arch/sparc
4687 # Export what is needed by arch/sparc/boot/Makefile
4688 export VMLINUX_INIT VMLINUX_MAIN
4689 VMLINUX_INIT := $(head-y) $(init-y)
4690 -VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/
4691 +VMLINUX_MAIN := $(core-y) kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
4692 VMLINUX_MAIN += $(patsubst %/, %/lib.a, $(libs-y)) $(libs-y)
4693 VMLINUX_MAIN += $(drivers-y) $(net-y)
4695 diff -urNp linux-2.6.36.1/arch/sparc/mm/fault_32.c linux-2.6.36.1/arch/sparc/mm/fault_32.c
4696 --- linux-2.6.36.1/arch/sparc/mm/fault_32.c 2010-10-20 16:30:22.000000000 -0400
4697 +++ linux-2.6.36.1/arch/sparc/mm/fault_32.c 2010-11-06 18:58:15.000000000 -0400
4699 #include <linux/interrupt.h>
4700 #include <linux/module.h>
4701 #include <linux/kdebug.h>
4702 +#include <linux/slab.h>
4703 +#include <linux/pagemap.h>
4704 +#include <linux/compiler.h>
4706 #include <asm/system.h>
4707 #include <asm/page.h>
4708 @@ -209,6 +212,268 @@ static unsigned long compute_si_addr(str
4709 return safe_compute_effective_address(regs, insn);
4712 +#ifdef CONFIG_PAX_PAGEEXEC
4713 +#ifdef CONFIG_PAX_DLRESOLVE
4714 +static void pax_emuplt_close(struct vm_area_struct *vma)
4716 + vma->vm_mm->call_dl_resolve = 0UL;
4719 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
4721 + unsigned int *kaddr;
4723 + vmf->page = alloc_page(GFP_HIGHUSER);
4725 + return VM_FAULT_OOM;
4727 + kaddr = kmap(vmf->page);
4728 + memset(kaddr, 0, PAGE_SIZE);
4729 + kaddr[0] = 0x9DE3BFA8U; /* save */
4730 + flush_dcache_page(vmf->page);
4731 + kunmap(vmf->page);
4732 + return VM_FAULT_MAJOR;
4735 +static const struct vm_operations_struct pax_vm_ops = {
4736 + .close = pax_emuplt_close,
4737 + .fault = pax_emuplt_fault
4740 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
4744 + INIT_LIST_HEAD(&vma->anon_vma_chain);
4745 + vma->vm_mm = current->mm;
4746 + vma->vm_start = addr;
4747 + vma->vm_end = addr + PAGE_SIZE;
4748 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
4749 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
4750 + vma->vm_ops = &pax_vm_ops;
4752 + ret = insert_vm_struct(current->mm, vma);
4756 + ++current->mm->total_vm;
4762 + * PaX: decide what to do with offenders (regs->pc = fault address)
4764 + * returns 1 when task should be killed
4765 + * 2 when patched PLT trampoline was detected
4766 + * 3 when unpatched PLT trampoline was detected
4768 +static int pax_handle_fetch_fault(struct pt_regs *regs)
4771 +#ifdef CONFIG_PAX_EMUPLT
4774 + do { /* PaX: patched PLT emulation #1 */
4775 + unsigned int sethi1, sethi2, jmpl;
4777 + err = get_user(sethi1, (unsigned int *)regs->pc);
4778 + err |= get_user(sethi2, (unsigned int *)(regs->pc+4));
4779 + err |= get_user(jmpl, (unsigned int *)(regs->pc+8));
4784 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
4785 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
4786 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
4788 + unsigned int addr;
4790 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
4791 + addr = regs->u_regs[UREG_G1];
4792 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4794 + regs->npc = addr+4;
4799 + { /* PaX: patched PLT emulation #2 */
4802 + err = get_user(ba, (unsigned int *)regs->pc);
4804 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
4805 + unsigned int addr;
4807 + addr = regs->pc + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4809 + regs->npc = addr+4;
4814 + do { /* PaX: patched PLT emulation #3 */
4815 + unsigned int sethi, jmpl, nop;
4817 + err = get_user(sethi, (unsigned int *)regs->pc);
4818 + err |= get_user(jmpl, (unsigned int *)(regs->pc+4));
4819 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4824 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4825 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
4826 + nop == 0x01000000U)
4828 + unsigned int addr;
4830 + addr = (sethi & 0x003FFFFFU) << 10;
4831 + regs->u_regs[UREG_G1] = addr;
4832 + addr += (((jmpl | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4834 + regs->npc = addr+4;
4839 + do { /* PaX: unpatched PLT emulation step 1 */
4840 + unsigned int sethi, ba, nop;
4842 + err = get_user(sethi, (unsigned int *)regs->pc);
4843 + err |= get_user(ba, (unsigned int *)(regs->pc+4));
4844 + err |= get_user(nop, (unsigned int *)(regs->pc+8));
4849 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
4850 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
4851 + nop == 0x01000000U)
4853 + unsigned int addr, save, call;
4855 + if ((ba & 0xFFC00000U) == 0x30800000U)
4856 + addr = regs->pc + 4 + ((((ba | 0xFFC00000U) ^ 0x00200000U) + 0x00200000U) << 2);
4858 + addr = regs->pc + 4 + ((((ba | 0xFFF80000U) ^ 0x00040000U) + 0x00040000U) << 2);
4860 + err = get_user(save, (unsigned int *)addr);
4861 + err |= get_user(call, (unsigned int *)(addr+4));
4862 + err |= get_user(nop, (unsigned int *)(addr+8));
4866 +#ifdef CONFIG_PAX_DLRESOLVE
4867 + if (save == 0x9DE3BFA8U &&
4868 + (call & 0xC0000000U) == 0x40000000U &&
4869 + nop == 0x01000000U)
4871 + struct vm_area_struct *vma;
4872 + unsigned long call_dl_resolve;
4874 + down_read(¤t->mm->mmap_sem);
4875 + call_dl_resolve = current->mm->call_dl_resolve;
4876 + up_read(¤t->mm->mmap_sem);
4877 + if (likely(call_dl_resolve))
4880 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
4882 + down_write(¤t->mm->mmap_sem);
4883 + if (current->mm->call_dl_resolve) {
4884 + call_dl_resolve = current->mm->call_dl_resolve;
4885 + up_write(¤t->mm->mmap_sem);
4887 + kmem_cache_free(vm_area_cachep, vma);
4891 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
4892 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
4893 + up_write(¤t->mm->mmap_sem);
4895 + kmem_cache_free(vm_area_cachep, vma);
4899 + if (pax_insert_vma(vma, call_dl_resolve)) {
4900 + up_write(¤t->mm->mmap_sem);
4901 + kmem_cache_free(vm_area_cachep, vma);
4905 + current->mm->call_dl_resolve = call_dl_resolve;
4906 + up_write(¤t->mm->mmap_sem);
4909 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4910 + regs->pc = call_dl_resolve;
4911 + regs->npc = addr+4;
4916 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
4917 + if ((save & 0xFFC00000U) == 0x05000000U &&
4918 + (call & 0xFFFFE000U) == 0x85C0A000U &&
4919 + nop == 0x01000000U)
4921 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
4922 + regs->u_regs[UREG_G2] = addr + 4;
4923 + addr = (save & 0x003FFFFFU) << 10;
4924 + addr += (((call | 0xFFFFE000U) ^ 0x00001000U) + 0x00001000U);
4926 + regs->npc = addr+4;
4932 + do { /* PaX: unpatched PLT emulation step 2 */
4933 + unsigned int save, call, nop;
4935 + err = get_user(save, (unsigned int *)(regs->pc-4));
4936 + err |= get_user(call, (unsigned int *)regs->pc);
4937 + err |= get_user(nop, (unsigned int *)(regs->pc+4));
4941 + if (save == 0x9DE3BFA8U &&
4942 + (call & 0xC0000000U) == 0x40000000U &&
4943 + nop == 0x01000000U)
4945 + unsigned int dl_resolve = regs->pc + ((((call | 0xC0000000U) ^ 0x20000000U) + 0x20000000U) << 2);
4947 + regs->u_regs[UREG_RETPC] = regs->pc;
4948 + regs->pc = dl_resolve;
4949 + regs->npc = dl_resolve+4;
4958 +void pax_report_insns(void *pc, void *sp)
4962 + printk(KERN_ERR "PAX: bytes at PC: ");
4963 + for (i = 0; i < 8; i++) {
4965 + if (get_user(c, (unsigned int *)pc+i))
4966 + printk(KERN_CONT "???????? ");
4968 + printk(KERN_CONT "%08x ", c);
4974 static noinline void do_fault_siginfo(int code, int sig, struct pt_regs *regs,
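Review bot: The emulation in pax_handle_fetch_fault() matches the PLT patterns wherever they happen to sit: it only looks at the words at `regs->pc`, and nothing ties them to the PLT of a mapped object, so pattern #2 is satisfied by a single `ba,a` word in any non-executable page and #1/#3 also load %g1 from those bytes before jumping. For an attacker who already controls the PC and the bytes it points at, that is a "set %g1 and branch" primitive in data memory which plain PAGEEXEC would have turned into a SIGKILL; this is presumably the known EMUPLT/DLRESOLVE compatibility trade-off, but nothing in the function says so. A comment above the function such as `/* NOTE: these sequences are accepted in any non-exec mapping, not just the PLT; EMUPLT deliberately trades some PAGEEXEC strength for lazy-binding compatibility */` would record that. (The `¤t` in the DLRESOLVE block is this page's rendering of `&current`, not part of the patch.)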
4977 @@ -282,6 +547,24 @@ good_area:
4978 if(!(vma->vm_flags & VM_WRITE))
4982 +#ifdef CONFIG_PAX_PAGEEXEC
4983 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && text_fault && !(vma->vm_flags & VM_EXEC)) {
4984 + up_read(&mm->mmap_sem);
4985 + switch (pax_handle_fetch_fault(regs)) {
4987 +#ifdef CONFIG_PAX_EMUPLT
4994 + pax_report_fault(regs, (void *)regs->pc, (void *)regs->u_regs[UREG_FP]);
4995 + do_group_exit(SIGKILL);
4999 /* Allow reads even for write-only mappings */
5000 if(!(vma->vm_flags & (VM_READ | VM_EXEC)))
5002 diff -urNp linux-2.6.36.1/arch/sparc/mm/fault_64.c linux-2.6.36.1/arch/sparc/mm/fault_64.c
5003 --- linux-2.6.36.1/arch/sparc/mm/fault_64.c 2010-10-20 16:30:22.000000000 -0400
5004 +++ linux-2.6.36.1/arch/sparc/mm/fault_64.c 2010-11-13 16:29:01.000000000 -0500
5006 #include <linux/kprobes.h>
5007 #include <linux/kdebug.h>
5008 #include <linux/percpu.h>
5009 +#include <linux/slab.h>
5010 +#include <linux/pagemap.h>
5011 +#include <linux/compiler.h>
5013 #include <asm/page.h>
5014 #include <asm/pgtable.h>
5015 @@ -74,7 +77,7 @@ static void __kprobes bad_kernel_pc(stru
5016 printk(KERN_CRIT "OOPS: Bogus kernel PC [%016lx] in fault handler\n",
5018 printk(KERN_CRIT "OOPS: RPC [%016lx]\n", regs->u_regs[15]);
5019 - printk("OOPS: RPC <%pS>\n", (void *) regs->u_regs[15]);
5020 + printk("OOPS: RPC <%pA>\n", (void *) regs->u_regs[15]);
5021 printk(KERN_CRIT "OOPS: Fault was to vaddr[%lx]\n", vaddr);
5023 unhandled_fault(regs->tpc, current, regs);
5024 @@ -272,6 +275,457 @@ static void noinline __kprobes bogus_32b
5028 +#ifdef CONFIG_PAX_PAGEEXEC
5029 +#ifdef CONFIG_PAX_DLRESOLVE
5030 +static void pax_emuplt_close(struct vm_area_struct *vma)
5032 + vma->vm_mm->call_dl_resolve = 0UL;
5035 +static int pax_emuplt_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
5037 + unsigned int *kaddr;
5039 + vmf->page = alloc_page(GFP_HIGHUSER);
5041 + return VM_FAULT_OOM;
5043 + kaddr = kmap(vmf->page);
5044 + memset(kaddr, 0, PAGE_SIZE);
5045 + kaddr[0] = 0x9DE3BFA8U; /* save */
5046 + flush_dcache_page(vmf->page);
5047 + kunmap(vmf->page);
5048 + return VM_FAULT_MAJOR;
5051 +static const struct vm_operations_struct pax_vm_ops = {
5052 + .close = pax_emuplt_close,
5053 + .fault = pax_emuplt_fault
5056 +static int pax_insert_vma(struct vm_area_struct *vma, unsigned long addr)
5060 + INIT_LIST_HEAD(&vma->anon_vma_chain);
5061 + vma->vm_mm = current->mm;
5062 + vma->vm_start = addr;
5063 + vma->vm_end = addr + PAGE_SIZE;
5064 + vma->vm_flags = VM_READ | VM_EXEC | VM_MAYREAD | VM_MAYEXEC;
5065 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
5066 + vma->vm_ops = &pax_vm_ops;
5068 + ret = insert_vm_struct(current->mm, vma);
5072 + ++current->mm->total_vm;
5078 + * PaX: decide what to do with offenders (regs->tpc = fault address)
5080 + * returns 1 when task should be killed
5081 + * 2 when patched PLT trampoline was detected
5082 + * 3 when unpatched PLT trampoline was detected
5084 +static int pax_handle_fetch_fault(struct pt_regs *regs)
5087 +#ifdef CONFIG_PAX_EMUPLT
5090 + do { /* PaX: patched PLT emulation #1 */
5091 + unsigned int sethi1, sethi2, jmpl;
5093 + err = get_user(sethi1, (unsigned int *)regs->tpc);
5094 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+4));
5095 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+8));
5100 + if ((sethi1 & 0xFFC00000U) == 0x03000000U &&
5101 + (sethi2 & 0xFFC00000U) == 0x03000000U &&
5102 + (jmpl & 0xFFFFE000U) == 0x81C06000U)
5104 + unsigned long addr;
5106 + regs->u_regs[UREG_G1] = (sethi2 & 0x003FFFFFU) << 10;
5107 + addr = regs->u_regs[UREG_G1];
5108 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5110 + if (test_thread_flag(TIF_32BIT))
5111 + addr &= 0xFFFFFFFFUL;
5114 + regs->tnpc = addr+4;
5119 + { /* PaX: patched PLT emulation #2 */
5122 + err = get_user(ba, (unsigned int *)regs->tpc);
5124 + if (!err && (ba & 0xFFC00000U) == 0x30800000U) {
5125 + unsigned long addr;
5127 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5129 + if (test_thread_flag(TIF_32BIT))
5130 + addr &= 0xFFFFFFFFUL;
5133 + regs->tnpc = addr+4;
5138 + do { /* PaX: patched PLT emulation #3 */
5139 + unsigned int sethi, jmpl, nop;
5141 + err = get_user(sethi, (unsigned int *)regs->tpc);
5142 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+4));
5143 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5148 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5149 + (jmpl & 0xFFFFE000U) == 0x81C06000U &&
5150 + nop == 0x01000000U)
5152 + unsigned long addr;
5154 + addr = (sethi & 0x003FFFFFU) << 10;
5155 + regs->u_regs[UREG_G1] = addr;
5156 + addr += (((jmpl | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5158 + if (test_thread_flag(TIF_32BIT))
5159 + addr &= 0xFFFFFFFFUL;
5162 + regs->tnpc = addr+4;
5167 + do { /* PaX: patched PLT emulation #4 */
5168 + unsigned int sethi, mov1, call, mov2;
5170 + err = get_user(sethi, (unsigned int *)regs->tpc);
5171 + err |= get_user(mov1, (unsigned int *)(regs->tpc+4));
5172 + err |= get_user(call, (unsigned int *)(regs->tpc+8));
5173 + err |= get_user(mov2, (unsigned int *)(regs->tpc+12));
5178 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5179 + mov1 == 0x8210000FU &&
5180 + (call & 0xC0000000U) == 0x40000000U &&
5181 + mov2 == 0x9E100001U)
5183 + unsigned long addr;
5185 + regs->u_regs[UREG_G1] = regs->u_regs[UREG_RETPC];
5186 + addr = regs->tpc + 4 + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5188 + if (test_thread_flag(TIF_32BIT))
5189 + addr &= 0xFFFFFFFFUL;
5192 + regs->tnpc = addr+4;
5197 + do { /* PaX: patched PLT emulation #5 */
5198 + unsigned int sethi, sethi1, sethi2, or1, or2, sllx, jmpl, nop;
5200 + err = get_user(sethi, (unsigned int *)regs->tpc);
5201 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5202 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5203 + err |= get_user(or1, (unsigned int *)(regs->tpc+12));
5204 + err |= get_user(or2, (unsigned int *)(regs->tpc+16));
5205 + err |= get_user(sllx, (unsigned int *)(regs->tpc+20));
5206 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+24));
5207 + err |= get_user(nop, (unsigned int *)(regs->tpc+28));
5212 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5213 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5214 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5215 + (or1 & 0xFFFFE000U) == 0x82106000U &&
5216 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5217 + sllx == 0x83287020U &&
5218 + jmpl == 0x81C04005U &&
5219 + nop == 0x01000000U)
5221 + unsigned long addr;
5223 + regs->u_regs[UREG_G1] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5224 + regs->u_regs[UREG_G1] <<= 32;
5225 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5226 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5228 + regs->tnpc = addr+4;
5233 + do { /* PaX: patched PLT emulation #6 */
5234 + unsigned int sethi, sethi1, sethi2, sllx, or, jmpl, nop;
5236 + err = get_user(sethi, (unsigned int *)regs->tpc);
5237 + err |= get_user(sethi1, (unsigned int *)(regs->tpc+4));
5238 + err |= get_user(sethi2, (unsigned int *)(regs->tpc+8));
5239 + err |= get_user(sllx, (unsigned int *)(regs->tpc+12));
5240 + err |= get_user(or, (unsigned int *)(regs->tpc+16));
5241 + err |= get_user(jmpl, (unsigned int *)(regs->tpc+20));
5242 + err |= get_user(nop, (unsigned int *)(regs->tpc+24));
5247 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5248 + (sethi1 & 0xFFC00000U) == 0x03000000U &&
5249 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5250 + sllx == 0x83287020U &&
5251 + (or & 0xFFFFE000U) == 0x8A116000U &&
5252 + jmpl == 0x81C04005U &&
5253 + nop == 0x01000000U)
5255 + unsigned long addr;
5257 + regs->u_regs[UREG_G1] = (sethi1 & 0x003FFFFFU) << 10;
5258 + regs->u_regs[UREG_G1] <<= 32;
5259 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or & 0x3FFU);
5260 + addr = regs->u_regs[UREG_G1] + regs->u_regs[UREG_G5];
5262 + regs->tnpc = addr+4;
5267 + do { /* PaX: unpatched PLT emulation step 1 */
5268 + unsigned int sethi, ba, nop;
5270 + err = get_user(sethi, (unsigned int *)regs->tpc);
5271 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5272 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5277 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5278 + ((ba & 0xFFC00000U) == 0x30800000U || (ba & 0xFFF80000U) == 0x30680000U) &&
5279 + nop == 0x01000000U)
5281 + unsigned long addr;
5282 + unsigned int save, call;
5283 + unsigned int sethi1, sethi2, or1, or2, sllx, add, jmpl;
5285 + if ((ba & 0xFFC00000U) == 0x30800000U)
5286 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFC00000UL) ^ 0x00200000UL) + 0x00200000UL) << 2);
5288 + addr = regs->tpc + 4 + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5290 + if (test_thread_flag(TIF_32BIT))
5291 + addr &= 0xFFFFFFFFUL;
5293 + err = get_user(save, (unsigned int *)addr);
5294 + err |= get_user(call, (unsigned int *)(addr+4));
5295 + err |= get_user(nop, (unsigned int *)(addr+8));
5299 +#ifdef CONFIG_PAX_DLRESOLVE
5300 + if (save == 0x9DE3BFA8U &&
5301 + (call & 0xC0000000U) == 0x40000000U &&
5302 + nop == 0x01000000U)
5304 + struct vm_area_struct *vma;
5305 + unsigned long call_dl_resolve;
5307 + down_read(¤t->mm->mmap_sem);
5308 + call_dl_resolve = current->mm->call_dl_resolve;
5309 + up_read(¤t->mm->mmap_sem);
5310 + if (likely(call_dl_resolve))
5313 + vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
5315 + down_write(¤t->mm->mmap_sem);
5316 + if (current->mm->call_dl_resolve) {
5317 + call_dl_resolve = current->mm->call_dl_resolve;
5318 + up_write(¤t->mm->mmap_sem);
5320 + kmem_cache_free(vm_area_cachep, vma);
5324 + call_dl_resolve = get_unmapped_area(NULL, 0UL, PAGE_SIZE, 0UL, MAP_PRIVATE);
5325 + if (!vma || (call_dl_resolve & ~PAGE_MASK)) {
5326 + up_write(¤t->mm->mmap_sem);
5328 + kmem_cache_free(vm_area_cachep, vma);
5332 + if (pax_insert_vma(vma, call_dl_resolve)) {
5333 + up_write(¤t->mm->mmap_sem);
5334 + kmem_cache_free(vm_area_cachep, vma);
5338 + current->mm->call_dl_resolve = call_dl_resolve;
5339 + up_write(¤t->mm->mmap_sem);
5342 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5343 + regs->tpc = call_dl_resolve;
5344 + regs->tnpc = addr+4;
5349 + /* PaX: glibc 2.4+ generates sethi/jmpl instead of save/call */
5350 + if ((save & 0xFFC00000U) == 0x05000000U &&
5351 + (call & 0xFFFFE000U) == 0x85C0A000U &&
5352 + nop == 0x01000000U)
5354 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5355 + regs->u_regs[UREG_G2] = addr + 4;
5356 + addr = (save & 0x003FFFFFU) << 10;
5357 + addr += (((call | 0xFFFFFFFFFFFFE000UL) ^ 0x00001000UL) + 0x00001000UL);
5359 + if (test_thread_flag(TIF_32BIT))
5360 + addr &= 0xFFFFFFFFUL;
5363 + regs->tnpc = addr+4;
5367 + /* PaX: 64-bit PLT stub */
5368 + err = get_user(sethi1, (unsigned int *)addr);
5369 + err |= get_user(sethi2, (unsigned int *)(addr+4));
5370 + err |= get_user(or1, (unsigned int *)(addr+8));
5371 + err |= get_user(or2, (unsigned int *)(addr+12));
5372 + err |= get_user(sllx, (unsigned int *)(addr+16));
5373 + err |= get_user(add, (unsigned int *)(addr+20));
5374 + err |= get_user(jmpl, (unsigned int *)(addr+24));
5375 + err |= get_user(nop, (unsigned int *)(addr+28));
5379 + if ((sethi1 & 0xFFC00000U) == 0x09000000U &&
5380 + (sethi2 & 0xFFC00000U) == 0x0B000000U &&
5381 + (or1 & 0xFFFFE000U) == 0x88112000U &&
5382 + (or2 & 0xFFFFE000U) == 0x8A116000U &&
5383 + sllx == 0x89293020U &&
5384 + add == 0x8A010005U &&
5385 + jmpl == 0x89C14000U &&
5386 + nop == 0x01000000U)
5388 + regs->u_regs[UREG_G1] = (sethi & 0x003FFFFFU) << 10;
5389 + regs->u_regs[UREG_G4] = ((sethi1 & 0x003FFFFFU) << 10) | (or1 & 0x000003FFU);
5390 + regs->u_regs[UREG_G4] <<= 32;
5391 + regs->u_regs[UREG_G5] = ((sethi2 & 0x003FFFFFU) << 10) | (or2 & 0x000003FFU);
5392 + regs->u_regs[UREG_G5] += regs->u_regs[UREG_G4];
5393 + regs->u_regs[UREG_G4] = addr + 24;
5394 + addr = regs->u_regs[UREG_G5];
5396 + regs->tnpc = addr+4;
5402 +#ifdef CONFIG_PAX_DLRESOLVE
5403 + do { /* PaX: unpatched PLT emulation step 2 */
5404 + unsigned int save, call, nop;
5406 + err = get_user(save, (unsigned int *)(regs->tpc-4));
5407 + err |= get_user(call, (unsigned int *)regs->tpc);
5408 + err |= get_user(nop, (unsigned int *)(regs->tpc+4));
5412 + if (save == 0x9DE3BFA8U &&
5413 + (call & 0xC0000000U) == 0x40000000U &&
5414 + nop == 0x01000000U)
5416 + unsigned long dl_resolve = regs->tpc + ((((call | 0xFFFFFFFFC0000000UL) ^ 0x20000000UL) + 0x20000000UL) << 2);
5418 + if (test_thread_flag(TIF_32BIT))
5419 + dl_resolve &= 0xFFFFFFFFUL;
5421 + regs->u_regs[UREG_RETPC] = regs->tpc;
5422 + regs->tpc = dl_resolve;
5423 + regs->tnpc = dl_resolve+4;
5429 + do { /* PaX: patched PLT emulation #7, must be AFTER the unpatched PLT emulation */
5430 + unsigned int sethi, ba, nop;
5432 + err = get_user(sethi, (unsigned int *)regs->tpc);
5433 + err |= get_user(ba, (unsigned int *)(regs->tpc+4));
5434 + err |= get_user(nop, (unsigned int *)(regs->tpc+8));
5439 + if ((sethi & 0xFFC00000U) == 0x03000000U &&
5440 + (ba & 0xFFF00000U) == 0x30600000U &&
5441 + nop == 0x01000000U)
5443 + unsigned long addr;
5445 + addr = (sethi & 0x003FFFFFU) << 10;
5446 + regs->u_regs[UREG_G1] = addr;
5447 + addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);
5449 + if (test_thread_flag(TIF_32BIT))
5450 + addr &= 0xFFFFFFFFUL;
5453 + regs->tnpc = addr+4;
5463 +void pax_report_insns(void *pc, void *sp)
5467 + printk(KERN_ERR "PAX: bytes at PC: ");
5468 + for (i = 0; i < 8; i++) {
5470 + if (get_user(c, (unsigned int *)pc+i))
5471 + printk(KERN_CONT "???????? ");
5473 + printk(KERN_CONT "%08x ", c);
5479 asmlinkage void __kprobes do_sparc64_fault(struct pt_regs *regs)
5481 struct mm_struct *mm = current->mm;
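Review bot: Patched-PLT emulation #7 computes the target of the `ba` at `tpc+4` relative to `regs->tpc`, at `addr = regs->tpc + ((((ba | 0xFFFFFFFFFFF80000UL) ^ 0x00040000UL) + 0x00040000UL) << 2);`, while unpatched step 1 computes the target of a `ba` at the same offset relative to `regs->tpc + 4`, and #4 uses `regs->tpc + 4` for a `call` that sits at `tpc+8`. Both cannot be plain PC-relative arithmetic for the same instruction position, so either #4 and #7 intentionally follow the displacement ld.so writes into a patched entry or the emulated jump lands four bytes short; the choice should be checked against the glibc encoding and, if intentional, stated in a comment at each site, e.g. `/* displacement is relative to the entry start, as written by ld.so */`. A mismatch would not weaken PAGEEXEC, but it would make a lazily bound call misbehave only on PaX kernels, which is hard to diagnose.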
5482 @@ -340,6 +794,29 @@ asmlinkage void __kprobes do_sparc64_fau
5486 +#ifdef CONFIG_PAX_PAGEEXEC
5487 + /* PaX: detect ITLB misses on non-exec pages */
5488 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && vma->vm_start <= address &&
5489 + !(vma->vm_flags & VM_EXEC) && (fault_code & FAULT_CODE_ITLB))
5491 + if (address != regs->tpc)
5494 + up_read(&mm->mmap_sem);
5495 + switch (pax_handle_fetch_fault(regs)) {
5497 +#ifdef CONFIG_PAX_EMUPLT
5504 + pax_report_fault(regs, (void *)regs->tpc, (void *)(regs->u_regs[UREG_FP] + STACK_BIAS));
5505 + do_group_exit(SIGKILL);
5509 /* Pure DTLB misses do not tell us whether the fault causing
5510 * load/store/atomic was a write or not, it only says that there
5511 * was no match. So in such a case we (carefully) read the
5512 diff -urNp linux-2.6.36.1/arch/sparc/mm/hugetlbpage.c linux-2.6.36.1/arch/sparc/mm/hugetlbpage.c
5513 --- linux-2.6.36.1/arch/sparc/mm/hugetlbpage.c 2010-10-20 16:30:22.000000000 -0400
5514 +++ linux-2.6.36.1/arch/sparc/mm/hugetlbpage.c 2010-11-06 18:58:15.000000000 -0400
5515 @@ -68,7 +68,7 @@ full_search:
5519 - if (likely(!vma || addr + len <= vma->vm_start)) {
5520 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5522 * Remember the place where we stopped the search:
5524 @@ -107,7 +107,7 @@ hugetlb_get_unmapped_area_topdown(struct
5525 /* make sure it can fit in the remaining address space */
5526 if (likely(addr > len)) {
5527 vma = find_vma(mm, addr-len);
5528 - if (!vma || addr <= vma->vm_start) {
5529 + if (check_heap_stack_gap(vma, addr - len, len)) {
5530 /* remember the address as a hint for next time */
5531 return (mm->free_area_cache = addr-len);
5533 @@ -125,7 +125,7 @@ hugetlb_get_unmapped_area_topdown(struct
5534 * return with success:
5536 vma = find_vma(mm, addr);
5537 - if (likely(!vma || addr+len <= vma->vm_start)) {
5538 + if (likely(check_heap_stack_gap(vma, addr, len))) {
5539 /* remember the address as a hint for next time */
5540 return (mm->free_area_cache = addr);
5542 @@ -182,8 +182,7 @@ hugetlb_get_unmapped_area(struct file *f
5544 addr = ALIGN(addr, HPAGE_SIZE);
5545 vma = find_vma(mm, addr);
5546 - if (task_size - len >= addr &&
5547 - (!vma || addr + len <= vma->vm_start))
5548 + if (task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
5551 if (mm->get_unmapped_area == arch_get_unmapped_area)
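Review bot: Every condition this file's hunks replace accepted `!vma` as success, so all four call sites now rely on `check_heap_stack_gap()` returning true for a NULL vma; that helper is defined outside this file and nothing at the call sites states the contract, while the top-down site passes `addr - len` and the other three pass `addr`. A one-line comment at the first call, e.g. `/* check_heap_stack_gap(NULL, ...) must be true: no vma above means no gap to keep */`, would make the dependency explicit. The `task_size - len >= addr` bound is kept ahead of the helper call here, which is right, since the helper presumably does not check the address-space limit. hugetlb_get_unmapped_area() starts and ends outside this hunk.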
5552 diff -urNp linux-2.6.36.1/arch/sparc/mm/init_32.c linux-2.6.36.1/arch/sparc/mm/init_32.c
5553 --- linux-2.6.36.1/arch/sparc/mm/init_32.c 2010-10-20 16:30:22.000000000 -0400
5554 +++ linux-2.6.36.1/arch/sparc/mm/init_32.c 2010-11-06 18:58:15.000000000 -0400
5555 @@ -318,6 +318,9 @@ extern void device_scan(void);
5556 pgprot_t PAGE_SHARED __read_mostly;
5557 EXPORT_SYMBOL(PAGE_SHARED);
5559 +pgprot_t PAGE_SHARED_NOEXEC __read_mostly;
5560 +EXPORT_SYMBOL(PAGE_SHARED_NOEXEC);
5562 void __init paging_init(void)
5564 switch(sparc_cpu_model) {
5565 @@ -346,17 +349,17 @@ void __init paging_init(void)
5567 /* Initialize the protection map with non-constant, MMU dependent values. */
5568 protection_map[0] = PAGE_NONE;
5569 - protection_map[1] = PAGE_READONLY;
5570 - protection_map[2] = PAGE_COPY;
5571 - protection_map[3] = PAGE_COPY;
5572 + protection_map[1] = PAGE_READONLY_NOEXEC;
5573 + protection_map[2] = PAGE_COPY_NOEXEC;
5574 + protection_map[3] = PAGE_COPY_NOEXEC;
5575 protection_map[4] = PAGE_READONLY;
5576 protection_map[5] = PAGE_READONLY;
5577 protection_map[6] = PAGE_COPY;
5578 protection_map[7] = PAGE_COPY;
5579 protection_map[8] = PAGE_NONE;
5580 - protection_map[9] = PAGE_READONLY;
5581 - protection_map[10] = PAGE_SHARED;
5582 - protection_map[11] = PAGE_SHARED;
5583 + protection_map[9] = PAGE_READONLY_NOEXEC;
5584 + protection_map[10] = PAGE_SHARED_NOEXEC;
5585 + protection_map[11] = PAGE_SHARED_NOEXEC;
5586 protection_map[12] = PAGE_READONLY;
5587 protection_map[13] = PAGE_READONLY;
5588 protection_map[14] = PAGE_SHARED;
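Review bot: protection_map[1..3] and [9..11] now take the _NOEXEC protections unconditionally, but the only assignment to `PAGE_SHARED_NOEXEC` visible on the page (ld_mmu_srmmu, further down) sits inside `#ifdef CONFIG_PAX_PAGEEXEC`, while its definition above, `pgprot_t PAGE_SHARED_NOEXEC __read_mostly;`, is unconditional. Unless code not shown initialises it when CONFIG_PAX_PAGEEXEC is off, shared-writable user mappings on srmmu would get a zero pgprot in that configuration. Either add an `#else` branch with `PAGE_SHARED_NOEXEC = PAGE_SHARED;` next to the srmmu assignment, or guard these protection_map lines the same way, and state in a one-line comment here which config makes the _NOEXEC values differ from the plain ones. paging_init's body continues outside the hunk.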
5589 diff -urNp linux-2.6.36.1/arch/sparc/mm/Makefile linux-2.6.36.1/arch/sparc/mm/Makefile
5590 --- linux-2.6.36.1/arch/sparc/mm/Makefile 2010-10-20 16:30:22.000000000 -0400
5591 +++ linux-2.6.36.1/arch/sparc/mm/Makefile 2010-11-06 18:58:15.000000000 -0400
5596 -ccflags-y := -Werror
5597 +#ccflags-y := -Werror
5599 obj-$(CONFIG_SPARC64) += ultra.o tlb.o tsb.o
5600 obj-y += fault_$(BITS).o
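Review bot: Commenting out `ccflags-y := -Werror` silences every warning for arch/sparc/mm instead of fixing whatever the PaX changes in this directory trigger, so later regressions in these files will build cleanly. If one warning is genuinely unavoidable, disable only that one (`ccflags-y := -Werror -Wno-<warning>` with the actual flag) or fix the offending line, and leave a comment naming the reason rather than a commented-out line. The hunk header is not visible on the page.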
5601 diff -urNp linux-2.6.36.1/arch/sparc/mm/srmmu.c linux-2.6.36.1/arch/sparc/mm/srmmu.c
5602 --- linux-2.6.36.1/arch/sparc/mm/srmmu.c 2010-10-20 16:30:22.000000000 -0400
5603 +++ linux-2.6.36.1/arch/sparc/mm/srmmu.c 2010-11-06 18:58:15.000000000 -0400
5604 @@ -2198,6 +2198,13 @@ void __init ld_mmu_srmmu(void)
5605 PAGE_SHARED = pgprot_val(SRMMU_PAGE_SHARED);
5606 BTFIXUPSET_INT(page_copy, pgprot_val(SRMMU_PAGE_COPY));
5607 BTFIXUPSET_INT(page_readonly, pgprot_val(SRMMU_PAGE_RDONLY));
5609 +#ifdef CONFIG_PAX_PAGEEXEC
5610 + PAGE_SHARED_NOEXEC = pgprot_val(SRMMU_PAGE_SHARED_NOEXEC);
5611 + BTFIXUPSET_INT(page_copy_noexec, pgprot_val(SRMMU_PAGE_COPY_NOEXEC));
5612 + BTFIXUPSET_INT(page_readonly_noexec, pgprot_val(SRMMU_PAGE_RDONLY_NOEXEC));
5615 BTFIXUPSET_INT(page_kernel, pgprot_val(SRMMU_PAGE_KERNEL));
5616 page_kernel = pgprot_val(SRMMU_PAGE_KERNEL);
5618 diff -urNp linux-2.6.36.1/arch/um/include/asm/kmap_types.h linux-2.6.36.1/arch/um/include/asm/kmap_types.h
5619 --- linux-2.6.36.1/arch/um/include/asm/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
5620 +++ linux-2.6.36.1/arch/um/include/asm/kmap_types.h 2010-11-06 18:58:15.000000000 -0400
5621 @@ -23,6 +23,7 @@ enum km_type {
5629 diff -urNp linux-2.6.36.1/arch/um/include/asm/page.h linux-2.6.36.1/arch/um/include/asm/page.h
5630 --- linux-2.6.36.1/arch/um/include/asm/page.h 2010-10-20 16:30:22.000000000 -0400
5631 +++ linux-2.6.36.1/arch/um/include/asm/page.h 2010-11-06 18:58:15.000000000 -0400
5633 #define PAGE_SIZE (_AC(1, UL) << PAGE_SHIFT)
5634 #define PAGE_MASK (~(PAGE_SIZE-1))
5636 +#define ktla_ktva(addr) (addr)
5637 +#define ktva_ktla(addr) (addr)
5639 #ifndef __ASSEMBLY__
5642 diff -urNp linux-2.6.36.1/arch/um/sys-i386/syscalls.c linux-2.6.36.1/arch/um/sys-i386/syscalls.c
5643 --- linux-2.6.36.1/arch/um/sys-i386/syscalls.c 2010-10-20 16:30:22.000000000 -0400
5644 +++ linux-2.6.36.1/arch/um/sys-i386/syscalls.c 2010-11-06 18:58:15.000000000 -0400
5646 #include "asm/uaccess.h"
5647 #include "asm/unistd.h"
5649 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
5651 + unsigned long pax_task_size = TASK_SIZE;
5653 +#ifdef CONFIG_PAX_SEGMEXEC
5654 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
5655 + pax_task_size = SEGMEXEC_TASK_SIZE;
5658 + if (len > pax_task_size || addr > pax_task_size - len)
5665 * The prototype on i386 is:
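Review bot: The new i386_mmap_check has no comment stating its contract — what it rejects and what it returns — and the lines holding its return statements are not visible on the page. A short header would do: `/* Reject a mapping that would extend past the task's address-space limit (reduced under SEGMEXEC); len is tested first so that pax_task_size - len cannot wrap. */`. The `flags` parameter is unused in the visible lines; if it stays unused in the full function, a note on why it is part of the signature would help.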
5667 diff -urNp linux-2.6.36.1/arch/x86/boot/bitops.h linux-2.6.36.1/arch/x86/boot/bitops.h
5668 --- linux-2.6.36.1/arch/x86/boot/bitops.h 2010-10-20 16:30:22.000000000 -0400
5669 +++ linux-2.6.36.1/arch/x86/boot/bitops.h 2010-11-06 18:58:15.000000000 -0400
5670 @@ -26,7 +26,7 @@ static inline int variable_test_bit(int
5672 const u32 *p = (const u32 *)addr;
5674 - asm("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5675 + asm volatile("btl %2,%1; setc %0" : "=qm" (v) : "m" (*p), "Ir" (nr));
5679 @@ -37,7 +37,7 @@ static inline int variable_test_bit(int
5681 static inline void set_bit(int nr, void *addr)
5683 - asm("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5684 + asm volatile("btsl %1,%0" : "+m" (*(u32 *)addr) : "Ir" (nr));
5687 #endif /* BOOT_BITOPS_H */
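Review bot: These two asm statements gain `volatile` without the commit saying what went wrong, and the same pattern repeats in boot.h (`ds`, `memcmp`) and cpucheck.c (`has_fpu`, `get_flags`, `check_cpu`). For variable_test_bit and set_bit the change is harmless consistency, but in the check_cpu hunks it is a real ordering fix: the `cpuid` between the two `wrmsr` statements has output operands, so without `volatile` GCC may move or merge it relative to the MSR writes, which are implicitly volatile only because they have no outputs. That reasoning deserves a one-line comment at the check_cpu site, e.g. `/* volatile: must not be moved across the surrounding wrmsr/rdmsr */`, so the next cleanup does not strip the qualifiers again.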
5688 diff -urNp linux-2.6.36.1/arch/x86/boot/boot.h linux-2.6.36.1/arch/x86/boot/boot.h
5689 --- linux-2.6.36.1/arch/x86/boot/boot.h 2010-10-20 16:30:22.000000000 -0400
5690 +++ linux-2.6.36.1/arch/x86/boot/boot.h 2010-11-06 18:58:15.000000000 -0400
5691 @@ -85,7 +85,7 @@ static inline void io_delay(void)
5692 static inline u16 ds(void)
5695 - asm("movw %%ds,%0" : "=rm" (seg));
5696 + asm volatile("movw %%ds,%0" : "=rm" (seg));
5700 @@ -181,7 +181,7 @@ static inline void wrgs32(u32 v, addr_t
5701 static inline int memcmp(const void *s1, const void *s2, size_t len)
5704 - asm("repe; cmpsb; setnz %0"
5705 + asm volatile("repe; cmpsb; setnz %0"
5706 : "=qm" (diff), "+D" (s1), "+S" (s2), "+c" (len));
5709 diff -urNp linux-2.6.36.1/arch/x86/boot/compressed/head_32.S linux-2.6.36.1/arch/x86/boot/compressed/head_32.S
5710 --- linux-2.6.36.1/arch/x86/boot/compressed/head_32.S 2010-10-20 16:30:22.000000000 -0400
5711 +++ linux-2.6.36.1/arch/x86/boot/compressed/head_32.S 2010-11-06 18:58:15.000000000 -0400
5712 @@ -76,7 +76,7 @@ ENTRY(startup_32)
5716 - movl $LOAD_PHYSICAL_ADDR, %ebx
5717 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5720 /* Target address to relocate to for decompression */
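Review bot: `____LOAD_PHYSICAL_ADDR` replaces LOAD_PHYSICAL_ADDR here and in head_64.S, compressed/misc.c and header.S (`pref_address`), but its definition and its relation to the old name are not on the page. Since header.S now advertises the four-underscore value to the boot loader, a comment at the definition site (presumably a page-types header, not visible) should state when the two differ and which one the boot protocol is meant to see. A four-underscore prefix is also an unusual spelling in this tree; a name that says what distinguishes it would read better.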
5721 @@ -162,7 +162,7 @@ relocated:
5722 * and where it was actually loaded.
5725 - subl $LOAD_PHYSICAL_ADDR, %ebx
5726 + subl $____LOAD_PHYSICAL_ADDR, %ebx
5727 jz 2f /* Nothing to be done if loaded at compiled addr. */
5729 * Process relocations.
5730 @@ -170,8 +170,7 @@ relocated:
5737 addl %ebx, -__PAGE_OFFSET(%ebx, %ecx)
5740 diff -urNp linux-2.6.36.1/arch/x86/boot/compressed/head_64.S linux-2.6.36.1/arch/x86/boot/compressed/head_64.S
5741 --- linux-2.6.36.1/arch/x86/boot/compressed/head_64.S 2010-10-20 16:30:22.000000000 -0400
5742 +++ linux-2.6.36.1/arch/x86/boot/compressed/head_64.S 2010-11-06 18:58:15.000000000 -0400
5743 @@ -91,7 +91,7 @@ ENTRY(startup_32)
5747 - movl $LOAD_PHYSICAL_ADDR, %ebx
5748 + movl $____LOAD_PHYSICAL_ADDR, %ebx
5751 /* Target address to relocate to for decompression */
5752 @@ -233,7 +233,7 @@ ENTRY(startup_64)
5756 - movq $LOAD_PHYSICAL_ADDR, %rbp
5757 + movq $____LOAD_PHYSICAL_ADDR, %rbp
5760 /* Target address to relocate to for decompression */
5761 diff -urNp linux-2.6.36.1/arch/x86/boot/compressed/misc.c linux-2.6.36.1/arch/x86/boot/compressed/misc.c
5762 --- linux-2.6.36.1/arch/x86/boot/compressed/misc.c 2010-10-20 16:30:22.000000000 -0400
5763 +++ linux-2.6.36.1/arch/x86/boot/compressed/misc.c 2010-11-06 18:58:15.000000000 -0400
5764 @@ -289,7 +289,7 @@ static void parse_elf(void *output)
5766 #ifdef CONFIG_RELOCATABLE
5768 - dest += (phdr->p_paddr - LOAD_PHYSICAL_ADDR);
5769 + dest += (phdr->p_paddr - ____LOAD_PHYSICAL_ADDR);
5771 dest = (void *)(phdr->p_paddr);
5773 @@ -342,7 +342,7 @@ asmlinkage void decompress_kernel(void *
5774 error("Destination address too large");
5776 #ifndef CONFIG_RELOCATABLE
5777 - if ((unsigned long)output != LOAD_PHYSICAL_ADDR)
5778 + if ((unsigned long)output != ____LOAD_PHYSICAL_ADDR)
5779 error("Wrong destination address");
5782 diff -urNp linux-2.6.36.1/arch/x86/boot/compressed/mkpiggy.c linux-2.6.36.1/arch/x86/boot/compressed/mkpiggy.c
5783 --- linux-2.6.36.1/arch/x86/boot/compressed/mkpiggy.c 2010-10-20 16:30:22.000000000 -0400
5784 +++ linux-2.6.36.1/arch/x86/boot/compressed/mkpiggy.c 2010-11-06 18:58:15.000000000 -0400
5785 @@ -74,7 +74,7 @@ int main(int argc, char *argv[])
5787 offs = (olen > ilen) ? olen - ilen : 0;
5788 offs += olen >> 12; /* Add 8 bytes for each 32K block */
5789 - offs += 32*1024 + 18; /* Add 32K + 18 bytes slack */
5790 + offs += 64*1024; /* Add 64K bytes slack */
5791 offs = (offs+4095) & ~4095; /* Round to a 4K boundary */
5793 printf(".section \".rodata..compressed\",\"a\",@progbits\n");
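Review bot: The new comment `/* Add 64K bytes slack */` only restates the number, while the one it replaces explained where 32K + 18 came from, so the reader is left without the reason the decompressor now needs more room. Replace it with the reason, e.g. `/* 64K slack: the relocation processing added to the decompressor may run past the output end */` if that is the cause — the page does not show it, so fill in the real one. If the old 32K + 18 derivation still holds, keep it in the comment and state the extra amount separately.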
5794 diff -urNp linux-2.6.36.1/arch/x86/boot/compressed/relocs.c linux-2.6.36.1/arch/x86/boot/compressed/relocs.c
5795 --- linux-2.6.36.1/arch/x86/boot/compressed/relocs.c 2010-10-20 16:30:22.000000000 -0400
5796 +++ linux-2.6.36.1/arch/x86/boot/compressed/relocs.c 2010-11-06 18:58:15.000000000 -0400
5799 static void die(char *fmt, ...);
5801 +#include "../../../../include/generated/autoconf.h"
5803 #define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
5804 static Elf32_Ehdr ehdr;
5805 +static Elf32_Phdr *phdr;
5806 static unsigned long reloc_count, reloc_idx;
5807 static unsigned long *relocs;
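Review bot: `#include "../../../../include/generated/autoconf.h"` hard-codes the host tool's position in the tree, so moving relocs.c or building with a separate object directory likely breaks it (with a separate object tree the generated header lives under the object tree, while a quoted relative include is resolved against the source file's directory first). Adding the include directory to the host compiler flags for this program and writing `#include <generated/autoconf.h>` is the usual kbuild way. The hunk header is not visible on the page.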
5809 @@ -270,9 +273,39 @@ static void read_ehdr(FILE *fp)
5813 +static void read_phdrs(FILE *fp)
5817 + phdr = calloc(ehdr.e_phnum, sizeof(Elf32_Phdr));
5819 + die("Unable to allocate %d program headers\n",
5822 + if (fseek(fp, ehdr.e_phoff, SEEK_SET) < 0) {
5823 + die("Seek to %d failed: %s\n",
5824 + ehdr.e_phoff, strerror(errno));
5826 + if (fread(phdr, sizeof(*phdr), ehdr.e_phnum, fp) != ehdr.e_phnum) {
5827 + die("Cannot read ELF program headers: %s\n",
5830 + for(i = 0; i < ehdr.e_phnum; i++) {
5831 + phdr[i].p_type = elf32_to_cpu(phdr[i].p_type);
5832 + phdr[i].p_offset = elf32_to_cpu(phdr[i].p_offset);
5833 + phdr[i].p_vaddr = elf32_to_cpu(phdr[i].p_vaddr);
5834 + phdr[i].p_paddr = elf32_to_cpu(phdr[i].p_paddr);
5835 + phdr[i].p_filesz = elf32_to_cpu(phdr[i].p_filesz);
5836 + phdr[i].p_memsz = elf32_to_cpu(phdr[i].p_memsz);
5837 + phdr[i].p_flags = elf32_to_cpu(phdr[i].p_flags);
5838 + phdr[i].p_align = elf32_to_cpu(phdr[i].p_align);
5843 static void read_shdrs(FILE *fp)
5849 secs = calloc(ehdr.e_shnum, sizeof(struct section));
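Review bot: read_phdrs does not check `ehdr.e_phentsize` against `sizeof(Elf32_Phdr)` before `fread`-ing `e_phnum` headers of that size, so an object with a different header size would be silently misparsed; add `if (ehdr.e_phentsize != sizeof(Elf32_Phdr)) die("Unexpected program header size\n");` next to the allocation (read_ehdr, which may already do this, is not on the page). Also, when `e_phnum` is 0, `calloc(0, ...)` may return NULL on some libcs and the allocation check — whose line is not visible — would then die with a misleading message; treat zero program headers explicitly. Minor: `e_phoff` is an Elf32_Off, an unsigned type, so the `Seek to %d` format should be `%u`.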
5850 @@ -307,7 +340,7 @@ static void read_shdrs(FILE *fp)
5852 static void read_strtabs(FILE *fp)
5856 for (i = 0; i < ehdr.e_shnum; i++) {
5857 struct section *sec = &secs[i];
5858 if (sec->shdr.sh_type != SHT_STRTAB) {
5859 @@ -332,7 +365,7 @@ static void read_strtabs(FILE *fp)
5861 static void read_symtabs(FILE *fp)
5865 for (i = 0; i < ehdr.e_shnum; i++) {
5866 struct section *sec = &secs[i];
5867 if (sec->shdr.sh_type != SHT_SYMTAB) {
5868 @@ -365,7 +398,9 @@ static void read_symtabs(FILE *fp)
5870 static void read_relocs(FILE *fp)
5876 for (i = 0; i < ehdr.e_shnum; i++) {
5877 struct section *sec = &secs[i];
5878 if (sec->shdr.sh_type != SHT_REL) {
5879 @@ -385,9 +420,18 @@ static void read_relocs(FILE *fp)
5880 die("Cannot read symbol table: %s\n",
5884 + for (j = 0; j < ehdr.e_phnum; j++) {
5885 + if (phdr[j].p_type != PT_LOAD )
5887 + if (secs[sec->shdr.sh_info].shdr.sh_offset < phdr[j].p_offset || secs[sec->shdr.sh_info].shdr.sh_offset >= phdr[j].p_offset + phdr[j].p_filesz)
5889 + base = CONFIG_PAGE_OFFSET + phdr[j].p_paddr - phdr[j].p_vaddr;
5892 for (j = 0; j < sec->shdr.sh_size/sizeof(Elf32_Rel); j++) {
5893 Elf32_Rel *rel = &sec->reltab[j];
5894 - rel->r_offset = elf32_to_cpu(rel->r_offset);
5895 + rel->r_offset = elf32_to_cpu(rel->r_offset) + base;
5896 rel->r_info = elf32_to_cpu(rel->r_info);
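Review bot: The PT_LOAD loop that computes `base` leaves it at its initial value when no program header contains the section's `sh_offset`, and that initial value (declared in a line not visible here) silently decides whether such relocations are left un-rebased. If that case cannot occur for a valid vmlinux, make it a `die()`; if it can, a comment on why the default base is right is needed. The containment test also checks only the section start against `p_offset + p_filesz`, so a section straddling two segments is assigned to the first — acceptable for vmlinux, but worth a one-line note. read_relocs begins and ends outside the hunk.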
5899 @@ -396,14 +440,14 @@ static void read_relocs(FILE *fp)
5901 static void print_absolute_symbols(void)
5905 printf("Absolute symbols\n");
5906 printf(" Num: Value Size Type Bind Visibility Name\n");
5907 for (i = 0; i < ehdr.e_shnum; i++) {
5908 struct section *sec = &secs[i];
5910 Elf32_Sym *sh_symtab;
5914 if (sec->shdr.sh_type != SHT_SYMTAB) {
5916 @@ -431,14 +475,14 @@ static void print_absolute_symbols(void)
5918 static void print_absolute_relocs(void)
5920 - int i, printed = 0;
5921 + unsigned int i, printed = 0;
5923 for (i = 0; i < ehdr.e_shnum; i++) {
5924 struct section *sec = &secs[i];
5925 struct section *sec_applies, *sec_symtab;
5927 Elf32_Sym *sh_symtab;
5930 if (sec->shdr.sh_type != SHT_REL) {
5933 @@ -499,13 +543,13 @@ static void print_absolute_relocs(void)
5935 static void walk_relocs(void (*visit)(Elf32_Rel *rel, Elf32_Sym *sym))
5939 /* Walk through the relocations */
5940 for (i = 0; i < ehdr.e_shnum; i++) {
5942 Elf32_Sym *sh_symtab;
5943 struct section *sec_applies, *sec_symtab;
5946 struct section *sec = &secs[i];
5948 if (sec->shdr.sh_type != SHT_REL) {
5949 @@ -530,6 +574,22 @@ static void walk_relocs(void (*visit)(El
5950 !is_rel_reloc(sym_name(sym_strtab, sym))) {
5953 + /* Don't relocate actual per-cpu variables, they are absolute indices, not addresses */
5954 + if (!strcmp(sec_name(sym->st_shndx), ".data..percpu") && strcmp(sym_name(sym_strtab, sym), "__per_cpu_load"))
5957 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)
5958 + /* Don't relocate actual code, they are relocated implicitly by the base address of KERNEL_CS */
5959 + if (!strcmp(sec_name(sym->st_shndx), ".module.text") && !strcmp(sym_name(sym_strtab, sym), "_etext"))
5961 + if (!strcmp(sec_name(sym->st_shndx), ".init.text"))
5963 + if (!strcmp(sec_name(sym->st_shndx), ".exit.text"))
5965 + if (!strcmp(sec_name(sym->st_shndx), ".text") && strcmp(sym_name(sym_strtab, sym), "__LOAD_PHYSICAL_ADDR"))
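Review bot: The KERNEXEC exemptions are five hand-written `strcmp` chains on section and symbol names, and the `continue` lines following each condition are not visible on the page, which makes it hard to audit which symbols are skipped. A small static table of section/symbol-to-keep pairs walked in one loop, or a helper such as `static int is_relocated_by_cs_base(const char *sec, const char *sym)`, would make the list reviewable and reduce the `#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_X86_32)` block to one call. The `.data..percpu` rule above could live in the same table. walk_relocs begins and ends outside the hunk.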
5972 @@ -571,7 +631,7 @@ static int cmp_relocs(const void *va, co
5974 static void emit_relocs(int as_text)
5978 /* Count how many relocations I have and allocate space for them. */
5980 walk_relocs(count_reloc);
5981 @@ -665,6 +725,7 @@ int main(int argc, char **argv)
5982 fname, strerror(errno));
5989 diff -urNp linux-2.6.36.1/arch/x86/boot/cpucheck.c linux-2.6.36.1/arch/x86/boot/cpucheck.c
5990 --- linux-2.6.36.1/arch/x86/boot/cpucheck.c 2010-10-20 16:30:22.000000000 -0400
5991 +++ linux-2.6.36.1/arch/x86/boot/cpucheck.c 2010-11-06 18:58:15.000000000 -0400
5992 @@ -74,7 +74,7 @@ static int has_fpu(void)
5993 u16 fcw = -1, fsw = -1;
5996 - asm("movl %%cr0,%0" : "=r" (cr0));
5997 + asm volatile("movl %%cr0,%0" : "=r" (cr0));
5998 if (cr0 & (X86_CR0_EM|X86_CR0_TS)) {
5999 cr0 &= ~(X86_CR0_EM|X86_CR0_TS);
6000 asm volatile("movl %0,%%cr0" : : "r" (cr0));
6001 @@ -90,7 +90,7 @@ static int has_eflag(u32 mask)
6006 + asm volatile("pushfl ; "
6010 @@ -115,7 +115,7 @@ static void get_flags(void)
6011 set_bit(X86_FEATURE_FPU, cpu.flags);
6013 if (has_eflag(X86_EFLAGS_ID)) {
6015 + asm volatile("cpuid"
6016 : "=a" (max_intel_level),
6017 "=b" (cpu_vendor[0]),
6018 "=d" (cpu_vendor[1]),
6019 @@ -124,7 +124,7 @@ static void get_flags(void)
6021 if (max_intel_level >= 0x00000001 &&
6022 max_intel_level <= 0x0000ffff) {
6024 + asm volatile("cpuid"
6026 "=c" (cpu.flags[4]),
6028 @@ -136,7 +136,7 @@ static void get_flags(void)
6029 cpu.model += ((tfms >> 16) & 0xf) << 4;
6033 + asm volatile("cpuid"
6034 : "=a" (max_amd_level)
6036 : "ebx", "ecx", "edx");
6037 @@ -144,7 +144,7 @@ static void get_flags(void)
6038 if (max_amd_level >= 0x80000001 &&
6039 max_amd_level <= 0x8000ffff) {
6040 u32 eax = 0x80000001;
6042 + asm volatile("cpuid"
6044 "=c" (cpu.flags[6]),
6046 @@ -203,9 +203,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6047 u32 ecx = MSR_K7_HWCR;
6050 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6051 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6053 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6054 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6056 get_flags(); /* Make sure it really did something */
6057 err = check_flags();
6058 @@ -218,9 +218,9 @@ int check_cpu(int *cpu_level_ptr, int *r
6059 u32 ecx = MSR_VIA_FCR;
6062 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6063 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6064 eax |= (1<<1)|(1<<7);
6065 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6066 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6068 set_bit(X86_FEATURE_CX8, cpu.flags);
6069 err = check_flags();
6070 @@ -231,12 +231,12 @@ int check_cpu(int *cpu_level_ptr, int *r
6074 - asm("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6075 - asm("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6077 + asm volatile("rdmsr" : "=a" (eax), "=d" (edx) : "c" (ecx));
6078 + asm volatile("wrmsr" : : "a" (~0), "d" (edx), "c" (ecx));
6079 + asm volatile("cpuid"
6080 : "+a" (level), "=d" (cpu.flags[0])
6082 - asm("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6083 + asm volatile("wrmsr" : : "a" (eax), "d" (edx), "c" (ecx));
6085 err = check_flags();
6087 diff -urNp linux-2.6.36.1/arch/x86/boot/header.S linux-2.6.36.1/arch/x86/boot/header.S
6088 --- linux-2.6.36.1/arch/x86/boot/header.S 2010-10-20 16:30:22.000000000 -0400
6089 +++ linux-2.6.36.1/arch/x86/boot/header.S 2010-11-06 18:58:15.000000000 -0400
6090 @@ -224,7 +224,7 @@ setup_data: .quad 0 # 64-bit physical
6091 # single linked list of
6094 -pref_address: .quad LOAD_PHYSICAL_ADDR # preferred load addr
6095 +pref_address: .quad ____LOAD_PHYSICAL_ADDR # preferred load addr
6097 #define ZO_INIT_SIZE (ZO__end - ZO_startup_32 + ZO_z_extract_offset)
6098 #define VO_INIT_SIZE (VO__end - VO__text)
6099 diff -urNp linux-2.6.36.1/arch/x86/boot/memory.c linux-2.6.36.1/arch/x86/boot/memory.c
6100 --- linux-2.6.36.1/arch/x86/boot/memory.c 2010-10-20 16:30:22.000000000 -0400
6101 +++ linux-2.6.36.1/arch/x86/boot/memory.c 2010-11-06 18:58:15.000000000 -0400
6104 static int detect_memory_e820(void)
6107 + unsigned int count = 0;
6108 struct biosregs ireg, oreg;
6109 struct e820entry *desc = boot_params.e820_map;
6110 static struct e820entry buf; /* static so it is zeroed */
6111 diff -urNp linux-2.6.36.1/arch/x86/boot/video.c linux-2.6.36.1/arch/x86/boot/video.c
6112 --- linux-2.6.36.1/arch/x86/boot/video.c 2010-10-20 16:30:22.000000000 -0400
6113 +++ linux-2.6.36.1/arch/x86/boot/video.c 2010-11-06 18:58:15.000000000 -0400
6114 @@ -96,7 +96,7 @@ static void store_mode_params(void)
6115 static unsigned int get_entry(void)
6119 + unsigned int i, len = 0;
6123 diff -urNp linux-2.6.36.1/arch/x86/boot/video-vesa.c linux-2.6.36.1/arch/x86/boot/video-vesa.c
6124 --- linux-2.6.36.1/arch/x86/boot/video-vesa.c 2010-10-20 16:30:22.000000000 -0400
6125 +++ linux-2.6.36.1/arch/x86/boot/video-vesa.c 2010-11-06 18:58:15.000000000 -0400
6126 @@ -200,6 +200,7 @@ static void vesa_store_pm_info(void)
6128 boot_params.screen_info.vesapm_seg = oreg.es;
6129 boot_params.screen_info.vesapm_off = oreg.di;
6130 + boot_params.screen_info.vesapm_size = oreg.cx;
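Review bot: `boot_params.screen_info.vesapm_size` is assigned here but the field is not defined on the page; if it is a new member of `struct screen_info` (part of the boot-parameter layout shared with boot loaders and userspace), the definition should say which existing padding it occupies so the layout stays compatible, and the boot protocol documentation should mention it. If the field comes from an existing upstream change, a pointer to it in the commit message would suffice. A comment here, `/* length of the protected-mode interface table, returned in CX */`, would also say why `oreg.cx` is the right register; the BIOS call itself is outside the hunk, so confirm against it.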
6134 diff -urNp linux-2.6.36.1/arch/x86/ia32/ia32_aout.c linux-2.6.36.1/arch/x86/ia32/ia32_aout.c
6135 --- linux-2.6.36.1/arch/x86/ia32/ia32_aout.c 2010-10-20 16:30:22.000000000 -0400
6136 +++ linux-2.6.36.1/arch/x86/ia32/ia32_aout.c 2010-11-06 18:58:50.000000000 -0400
6137 @@ -162,6 +162,8 @@ static int aout_core_dump(long signr, st
6138 unsigned long dump_start, dump_size;
6141 + memset(&dump, 0, sizeof(dump));
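Review bot: The added `memset(&dump, 0, sizeof(dump))` prevents uninitialised bytes of the a.out core header from reaching the dump file, but nothing says so, and a later cleanup could remove it as redundant. Add the why, e.g. `/* zero the whole header first: padding and fields not set below would otherwise leak kernel stack contents into the core file */`. aout_core_dump's body continues outside the hunk.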
6146 diff -urNp linux-2.6.36.1/arch/x86/ia32/ia32entry.S linux-2.6.36.1/arch/x86/ia32/ia32entry.S
6147 --- linux-2.6.36.1/arch/x86/ia32/ia32entry.S 2010-10-20 16:30:22.000000000 -0400
6148 +++ linux-2.6.36.1/arch/x86/ia32/ia32entry.S 2010-11-06 18:58:15.000000000 -0400
6150 #include <asm/thread_info.h>
6151 #include <asm/segment.h>
6152 #include <asm/irqflags.h>
6153 +#include <asm/pgtable.h>
6154 #include <linux/linkage.h>
6156 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
6157 @@ -120,6 +121,11 @@ ENTRY(ia32_sysenter_target)
6159 movq PER_CPU_VAR(kernel_stack), %rsp
6160 addq $(KERNEL_STACK_OFFSET),%rsp
6162 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6163 + call pax_enter_kernel_user
6167 * No need to follow this irqs on/off section: the syscall
6168 * disabled irqs, here we enable it straight after entry:
6169 @@ -150,6 +156,12 @@ ENTRY(ia32_sysenter_target)
6171 /* no need to do an access_ok check here because rbp has been
6172 32bit zero extended */
6174 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6175 + mov $PAX_USER_SHADOW_BASE,%r10
6180 .section __ex_table,"a"
6181 .quad 1b,ia32_badarg
6182 @@ -172,6 +184,11 @@ sysenter_dispatch:
6183 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6185 sysexit_from_sys_call:
6187 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6188 + call pax_exit_kernel_user
6191 andl $~TS_COMPAT,TI_status(%r10)
6192 /* clear IF, that popfq doesn't enable interrupts early */
6193 andl $~0x200,EFLAGS-R11(%rsp)
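Review bot: `call pax_exit_kernel_user` is inserted while `%r10` holds the thread_info pointer — it is used for `TI_flags(%r10)` just above and again for `TI_status(%r10)` right after the call — so the callee must preserve r10 and every other live register, which the SysV calling convention does not guarantee for a C function. If pax_exit_kernel_user is hand-written asm that saves what it touches, a comment at the call site, `# pax_exit_kernel_user preserves all GPRs; %r10 (thread_info) is live`, makes that contract visible; the same applies to the sysretl_from_sys_call hunk below. ia32_sysenter_target continues outside the hunk.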
6194 @@ -290,6 +307,11 @@ ENTRY(ia32_cstar_target)
6197 movq PER_CPU_VAR(kernel_stack),%rsp
6199 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6200 + call pax_enter_kernel_user
6204 * No need to follow this irqs on/off section: the syscall
6205 * disabled irqs and here we enable it straight after entry:
6206 @@ -311,6 +333,12 @@ ENTRY(ia32_cstar_target)
6207 /* no need to do an access_ok check here because r8 has been
6208 32bit zero extended */
6209 /* hardware stack frame is complete now */
6211 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6212 + mov $PAX_USER_SHADOW_BASE,%r10
6217 .section __ex_table,"a"
6218 .quad 1b,ia32_badarg
6219 @@ -333,6 +361,11 @@ cstar_dispatch:
6220 testl $_TIF_ALLWORK_MASK,TI_flags(%r10)
6222 sysretl_from_sys_call:
6224 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6225 + call pax_exit_kernel_user
6228 andl $~TS_COMPAT,TI_status(%r10)
6229 RESTORE_ARGS 1,-ARG_SKIP,1,1,1
6230 movl RIP-ARGOFFSET(%rsp),%ecx
6231 @@ -415,6 +448,11 @@ ENTRY(ia32_syscall)
6232 CFI_REL_OFFSET rip,RIP-RIP
6233 PARAVIRT_ADJUST_EXCEPTION_FRAME
6236 +#ifdef CONFIG_PAX_MEMORY_UDEREF
6237 + call pax_enter_kernel_user
6241 * No need to follow this irqs on/off section: the syscall
6242 * disabled irqs and here we enable it straight after entry:
6243 diff -urNp linux-2.6.36.1/arch/x86/ia32/ia32_signal.c linux-2.6.36.1/arch/x86/ia32/ia32_signal.c
6244 --- linux-2.6.36.1/arch/x86/ia32/ia32_signal.c 2010-10-20 16:30:22.000000000 -0400
6245 +++ linux-2.6.36.1/arch/x86/ia32/ia32_signal.c 2010-11-06 18:58:15.000000000 -0400
6246 @@ -403,7 +403,7 @@ static void __user *get_sigframe(struct
6248 /* Align the stack pointer according to the i386 ABI,
6249 * i.e. so that on function entry ((sp + 4) & 15) == 0. */
6250 - sp = ((sp + 4) & -16ul) - 4;
6251 + sp = ((sp - 12) & -16ul) - 4;
6252 return (void __user *) sp;
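Review bot: The new expression reserves a further 16 bytes below `sp` — `((sp - 12) & -16ul) - 4` always lands at or below sp - 16, whereas the old form could return sp itself — but the comment above still describes only the i386 alignment rule, so the reason for the extra gap is lost. Extend the comment with the motivation, e.g. `/* ... and leave a 16-byte gap so the frame never starts at the interrupted sp */` with the real reason filled in, since the page does not show it. get_sigframe begins outside the hunk.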
6255 @@ -503,7 +503,7 @@ int ia32_setup_rt_frame(int sig, struct
6257 __NR_ia32_rt_sigreturn,
6263 frame = get_sigframe(ka, regs, sizeof(*frame), &fpstate);
6264 @@ -533,9 +533,11 @@ int ia32_setup_rt_frame(int sig, struct
6266 if (ka->sa.sa_flags & SA_RESTORER)
6267 restorer = ka->sa.sa_restorer;
6268 + else if (current->mm->context.vdso)
6269 + /* Return stub is in 32bit vsyscall page */
6270 + restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
6272 - restorer = VDSO32_SYMBOL(current->mm->context.vdso,
6274 + restorer = &frame->retcode;
6275 put_user_ex(ptr_to_compat(restorer), &frame->pretcode);
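Review bot: The new fallback `restorer = &frame->retcode;` places the signal-return trampoline on the user stack when no vDSO is mapped, which only works if that stack is executable — the very thing a PAGEEXEC/MPROTECT-style policy is meant to rule out. State which case this branch serves and whether the retcode bytes are expected to execute there, e.g. `/* no vDSO mapped: fall back to the on-stack trampoline; requires an executable stack */`, or fail the frame setup if that case is not supported. ia32_setup_rt_frame continues outside the hunk.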
6278 diff -urNp linux-2.6.36.1/arch/x86/include/asm/alternative.h linux-2.6.36.1/arch/x86/include/asm/alternative.h
6279 --- linux-2.6.36.1/arch/x86/include/asm/alternative.h 2010-10-20 16:30:22.000000000 -0400
6280 +++ linux-2.6.36.1/arch/x86/include/asm/alternative.h 2010-11-06 18:58:15.000000000 -0400
6281 @@ -92,7 +92,7 @@ static inline int alternatives_text_rese
6282 ".section .discard,\"aw\",@progbits\n" \
6283 " .byte 0xff + (664f-663f) - (662b-661b)\n" /* rlen <= slen */ \
6285 - ".section .altinstr_replacement, \"ax\"\n" \
6286 + ".section .altinstr_replacement, \"a\"\n" \
6287 "663:\n\t" newinstr "\n664:\n" /* replacement */ \
6290 diff -urNp linux-2.6.36.1/arch/x86/include/asm/apm.h linux-2.6.36.1/arch/x86/include/asm/apm.h
6291 --- linux-2.6.36.1/arch/x86/include/asm/apm.h 2010-10-20 16:30:22.000000000 -0400
6292 +++ linux-2.6.36.1/arch/x86/include/asm/apm.h 2010-11-06 18:58:15.000000000 -0400
6293 @@ -34,7 +34,7 @@ static inline void apm_bios_call_asm(u32
6294 __asm__ __volatile__(APM_DO_ZERO_SEGS
6297 - "lcall *%%cs:apm_bios_entry\n\t"
6298 + "lcall *%%ss:apm_bios_entry\n\t"
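Review bot: Switching the far call's segment override from `%cs` to `%ss` is done here and in apm_bios_call_simple_asm without a word on why a code-segment-relative data reference is wrong now; presumably the kernel code segment no longer has a zero base after the KERNEXEC changes, so `%cs:apm_bios_entry` would address the wrong memory, but that is inference from the rest of the patch. Add a comment at this first site, `/* apm_bios_entry is data: address it through %ss, not the (rebased) %cs */`, with the reason confirmed, so the next reader does not change it back.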
6302 @@ -58,7 +58,7 @@ static inline u8 apm_bios_call_simple_as
6303 __asm__ __volatile__(APM_DO_ZERO_SEGS
6306 - "lcall *%%cs:apm_bios_entry\n\t"
6307 + "lcall *%%ss:apm_bios_entry\n\t"
6311 diff -urNp linux-2.6.36.1/arch/x86/include/asm/asm.h linux-2.6.36.1/arch/x86/include/asm/asm.h
6312 --- linux-2.6.36.1/arch/x86/include/asm/asm.h 2010-10-20 16:30:22.000000000 -0400
6313 +++ linux-2.6.36.1/arch/x86/include/asm/asm.h 2010-11-06 18:58:15.000000000 -0400
6315 #define _ASM_SI __ASM_REG(si)
6316 #define _ASM_DI __ASM_REG(di)
6318 +#ifdef CONFIG_X86_32
6319 +#define _ASM_INTO "into"
6321 +#define _ASM_INTO "int $4"
6324 /* Exception table entry */
6326 # define _ASM_EXTABLE(from,to) \
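Review bot: `_ASM_INTO` is defined without saying what it is for or why the two spellings differ: `into` is not encodable in 64-bit mode, hence `int $4` there, and `into` traps only when OF is set while `int $4` traps unconditionally, so the 64-bit users must guard it with a conditional jump (those lines are not visible in the atomic hunks). A two-line comment above the `#ifdef CONFIG_X86_32` would make the atomic.h uses self-explanatory, e.g. `/* Raise #OF (vector 4) for the refcount overflow checks; INTO does not exist in 64-bit mode, so use INT 4 behind a jno there. */`. The hunk header is not visible on the page.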
6327 diff -urNp linux-2.6.36.1/arch/x86/include/asm/atomic64_32.h linux-2.6.36.1/arch/x86/include/asm/atomic64_32.h
6328 --- linux-2.6.36.1/arch/x86/include/asm/atomic64_32.h 2010-10-20 16:30:22.000000000 -0400
6329 +++ linux-2.6.36.1/arch/x86/include/asm/atomic64_32.h 2010-11-06 18:58:15.000000000 -0400
6330 @@ -12,6 +12,14 @@ typedef struct {
6331 u64 __aligned(8) counter;
6334 +#ifdef CONFIG_PAX_REFCOUNT
6336 + u64 __aligned(8) counter;
6337 +} atomic64_unchecked_t;
6339 +typedef atomic64_t atomic64_unchecked_t;
6342 #define ATOMIC64_INIT(val) { (val) }
6344 #ifdef CONFIG_X86_CMPXCHG64
6345 diff -urNp linux-2.6.36.1/arch/x86/include/asm/atomic64_64.h linux-2.6.36.1/arch/x86/include/asm/atomic64_64.h
6346 --- linux-2.6.36.1/arch/x86/include/asm/atomic64_64.h 2010-10-20 16:30:22.000000000 -0400
6347 +++ linux-2.6.36.1/arch/x86/include/asm/atomic64_64.h 2010-11-06 18:58:15.000000000 -0400
6348 @@ -22,6 +22,18 @@ static inline long atomic64_read(const a
6352 + * atomic64_read_unchecked - read atomic64 variable
6353 + * @v: pointer of type atomic64_unchecked_t
6355 + * Atomically reads the value of @v.
6356 + * Doesn't imply a read memory barrier.
6358 +static inline long atomic64_read_unchecked(const atomic64_unchecked_t *v)
6360 + return v->counter;
6364 * atomic64_set - set atomic64 variable
6365 * @v: pointer to type atomic64_t
6366 * @i: required value
6367 @@ -34,6 +46,18 @@ static inline void atomic64_set(atomic64
6371 + * atomic64_set_unchecked - set atomic64 variable
6372 + * @v: pointer to type atomic64_unchecked_t
6373 + * @i: required value
6375 + * Atomically sets the value of @v to @i.
6377 +static inline void atomic64_set_unchecked(atomic64_unchecked_t *v, long i)
6383 * atomic64_add - add integer to atomic64 variable
6384 * @i: integer value to add
6385 * @v: pointer to type atomic64_t
6386 @@ -42,6 +66,28 @@ static inline void atomic64_set(atomic64
6388 static inline void atomic64_add(long i, atomic64_t *v)
6390 + asm volatile(LOCK_PREFIX "addq %1,%0\n"
6392 +#ifdef CONFIG_PAX_REFCOUNT
6394 + LOCK_PREFIX "subq %1,%0\n"
6396 + _ASM_EXTABLE(0b, 0b)
6399 + : "=m" (v->counter)
6400 + : "er" (i), "m" (v->counter));
6404 + * atomic64_add_unchecked - add integer to atomic64 variable
6405 + * @i: integer value to add
6406 + * @v: pointer to type atomic64_unchecked_t
6408 + * Atomically adds @i to @v.
6410 +static inline void atomic64_add_unchecked(long i, atomic64_unchecked_t *v)
6412 asm volatile(LOCK_PREFIX "addq %1,%0"
6414 : "er" (i), "m" (v->counter));
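Review bot: Under CONFIG_PAX_REFCOUNT the overflow path first commits `LOCK_PREFIX "addq %1,%0"` and then undoes it with `LOCK_PREFIX "subq %1,%0"` before trapping, so between the two locked operations another CPU can read the wrapped counter; the scheme appears to accept that window, but nothing in the hunk says so. A comment on the undo line, `/* the wrapped value is briefly visible to other CPUs before the subq; readers must tolerate it */`, documents the trade-off, and the same applies to atomic_add in atomic.h and the other add/sub/inc/dec variants in this file. The `jno`/trap lines between the two instructions are not visible on the page.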
6415 @@ -56,7 +102,29 @@ static inline void atomic64_add(long i,
6417 static inline void atomic64_sub(long i, atomic64_t *v)
6419 - asm volatile(LOCK_PREFIX "subq %1,%0"
6420 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6422 +#ifdef CONFIG_PAX_REFCOUNT
6424 + LOCK_PREFIX "addq %1,%0\n"
6426 + _ASM_EXTABLE(0b, 0b)
6429 + : "=m" (v->counter)
6430 + : "er" (i), "m" (v->counter));
6434 + * atomic64_sub_unchecked - subtract the atomic64 variable
6435 + * @i: integer value to subtract
6436 + * @v: pointer to type atomic64_unchecked_t
6438 + * Atomically subtracts @i from @v.
6440 +static inline void atomic64_sub_unchecked(long i, atomic64_unchecked_t *v)
6442 + asm volatile(LOCK_PREFIX "subq %1,%0\n"
6444 : "er" (i), "m" (v->counter));
6446 @@ -74,7 +142,16 @@ static inline int atomic64_sub_and_test(
6450 - asm volatile(LOCK_PREFIX "subq %2,%0; sete %1"
6451 + asm volatile(LOCK_PREFIX "subq %2,%0\n"
6453 +#ifdef CONFIG_PAX_REFCOUNT
6455 + LOCK_PREFIX "addq %2,%0\n"
6457 + _ASM_EXTABLE(0b, 0b)
6461 : "=m" (v->counter), "=qm" (c)
6462 : "er" (i), "m" (v->counter) : "memory");
6464 @@ -88,6 +165,27 @@ static inline int atomic64_sub_and_test(
6466 static inline void atomic64_inc(atomic64_t *v)
6468 + asm volatile(LOCK_PREFIX "incq %0\n"
6470 +#ifdef CONFIG_PAX_REFCOUNT
6472 + LOCK_PREFIX "decq %0\n"
6474 + _ASM_EXTABLE(0b, 0b)
6477 + : "=m" (v->counter)
6478 + : "m" (v->counter));
6482 + * atomic64_inc_unchecked - increment atomic64 variable
6483 + * @v: pointer to type atomic64_unchecked_t
6485 + * Atomically increments @v by 1.
6487 +static inline void atomic64_inc_unchecked(atomic64_unchecked_t *v)
6489 asm volatile(LOCK_PREFIX "incq %0"
6491 : "m" (v->counter));
6492 @@ -101,7 +199,28 @@ static inline void atomic64_inc(atomic64
6494 static inline void atomic64_dec(atomic64_t *v)
6496 - asm volatile(LOCK_PREFIX "decq %0"
6497 + asm volatile(LOCK_PREFIX "decq %0\n"
6499 +#ifdef CONFIG_PAX_REFCOUNT
6501 + LOCK_PREFIX "incq %0\n"
6503 + _ASM_EXTABLE(0b, 0b)
6506 + : "=m" (v->counter)
6507 + : "m" (v->counter));
6511 + * atomic64_dec_unchecked - decrement atomic64 variable
6512 + * @v: pointer to type atomic64_t
6514 + * Atomically decrements @v by 1.
6516 +static inline void atomic64_dec_unchecked(atomic64_unchecked_t *v)
6518 + asm volatile(LOCK_PREFIX "decq %0\n"
6520 : "m" (v->counter));
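Review bot: The kernel-doc for atomic64_dec_unchecked says `@v: pointer to type atomic64_t`, but the parameter is `atomic64_unchecked_t *v`; change the line to `* @v: pointer to type atomic64_unchecked_t` to match the sibling `_unchecked` helpers above. The rest of the function body is not visible on the page.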
6522 @@ -118,7 +237,16 @@ static inline int atomic64_dec_and_test(
6526 - asm volatile(LOCK_PREFIX "decq %0; sete %1"
6527 + asm volatile(LOCK_PREFIX "decq %0\n"
6529 +#ifdef CONFIG_PAX_REFCOUNT
6531 + LOCK_PREFIX "incq %0\n"
6533 + _ASM_EXTABLE(0b, 0b)
6537 : "=m" (v->counter), "=qm" (c)
6538 : "m" (v->counter) : "memory");
6540 @@ -136,7 +264,16 @@ static inline int atomic64_inc_and_test(
6544 - asm volatile(LOCK_PREFIX "incq %0; sete %1"
6545 + asm volatile(LOCK_PREFIX "incq %0\n"
6547 +#ifdef CONFIG_PAX_REFCOUNT
6549 + LOCK_PREFIX "decq %0\n"
6551 + _ASM_EXTABLE(0b, 0b)
6555 : "=m" (v->counter), "=qm" (c)
6556 : "m" (v->counter) : "memory");
6558 @@ -155,7 +292,16 @@ static inline int atomic64_add_negative(
6562 - asm volatile(LOCK_PREFIX "addq %2,%0; sets %1"
6563 + asm volatile(LOCK_PREFIX "addq %2,%0\n"
6565 +#ifdef CONFIG_PAX_REFCOUNT
6567 + LOCK_PREFIX "subq %2,%0\n"
6569 + _ASM_EXTABLE(0b, 0b)
6573 : "=m" (v->counter), "=qm" (c)
6574 : "er" (i), "m" (v->counter) : "memory");
6576 @@ -171,7 +317,31 @@ static inline int atomic64_add_negative(
6577 static inline long atomic64_add_return(long i, atomic64_t *v)
6580 - asm volatile(LOCK_PREFIX "xaddq %0, %1;"
6581 + asm volatile(LOCK_PREFIX "xaddq %0, %1\n"
6583 +#ifdef CONFIG_PAX_REFCOUNT
6587 + _ASM_EXTABLE(0b, 0b)
6590 + : "+r" (i), "+m" (v->counter)
6596 + * atomic64_add_return_unchecked - add and return
6597 + * @i: integer value to add
6598 + * @v: pointer to type atomic64_unchecked_t
6600 + * Atomically adds @i to @v and returns @i + @v
6602 +static inline long atomic64_add_return_unchecked(long i, atomic64_unchecked_t *v)
6605 + asm volatile(LOCK_PREFIX "xaddq %0, %1"
6606 : "+r" (i), "+m" (v->counter)
6609 @@ -183,6 +353,10 @@ static inline long atomic64_sub_return(l
6612 #define atomic64_inc_return(v) (atomic64_add_return(1, (v)))
6613 +static inline long atomic64_inc_return_unchecked(atomic64_unchecked_t *v)
6615 + return atomic64_add_return_unchecked(1, v);
6617 #define atomic64_dec_return(v) (atomic64_sub_return(1, (v)))
6619 static inline long atomic64_cmpxchg(atomic64_t *v, long old, long new)
6620 @@ -206,17 +380,30 @@ static inline long atomic64_xchg(atomic6
6622 static inline int atomic64_add_unless(atomic64_t *v, long a, long u)
6626 c = atomic64_read(v);
6628 - if (unlikely(c == (u)))
6629 + if (unlikely(c == u))
6631 - old = atomic64_cmpxchg((v), c, c + (a));
6633 + asm volatile("add %2,%0\n"
6635 +#ifdef CONFIG_PAX_REFCOUNT
6639 + _ASM_EXTABLE(0b, 0b)
6643 + : "0" (c), "ir" (a));
6645 + old = atomic64_cmpxchg(v, c, new);
6646 if (likely(old == c))
6654 #define atomic64_inc_not_zero(v) atomic64_add_unless((v), 1, 0)
6655 diff -urNp linux-2.6.36.1/arch/x86/include/asm/atomic.h linux-2.6.36.1/arch/x86/include/asm/atomic.h
6656 --- linux-2.6.36.1/arch/x86/include/asm/atomic.h 2010-10-20 16:30:22.000000000 -0400
6657 +++ linux-2.6.36.1/arch/x86/include/asm/atomic.h 2010-11-06 18:58:15.000000000 -0400
6658 @@ -26,6 +26,17 @@ static inline int atomic_read(const atom
6662 + * atomic_read_unchecked - read atomic variable
6663 + * @v: pointer of type atomic_unchecked_t
6665 + * Atomically reads the value of @v.
6667 +static inline int atomic_read_unchecked(const atomic_unchecked_t *v)
6669 + return v->counter;
6673 * atomic_set - set atomic variable
6674 * @v: pointer of type atomic_t
6675 * @i: required value
6676 @@ -38,6 +49,18 @@ static inline void atomic_set(atomic_t *
6680 + * atomic_set_unchecked - set atomic variable
6681 + * @v: pointer of type atomic_unchecked_t
6682 + * @i: required value
6684 + * Atomically sets the value of @v to @i.
6686 +static inline void atomic_set_unchecked(atomic_unchecked_t *v, int i)
6692 * atomic_add - add integer to atomic variable
6693 * @i: integer value to add
6694 * @v: pointer of type atomic_t
6695 @@ -46,7 +69,29 @@ static inline void atomic_set(atomic_t *
6697 static inline void atomic_add(int i, atomic_t *v)
6699 - asm volatile(LOCK_PREFIX "addl %1,%0"
6700 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6702 +#ifdef CONFIG_PAX_REFCOUNT
6704 + LOCK_PREFIX "subl %1,%0\n"
6705 + _ASM_INTO "\n0:\n"
6706 + _ASM_EXTABLE(0b, 0b)
6709 + : "+m" (v->counter)
6714 + * atomic_add_unchecked - add integer to atomic variable
6715 + * @i: integer value to add
6716 + * @v: pointer of type atomic_unchecked_t
6718 + * Atomically adds @i to @v.
6720 +static inline void atomic_add_unchecked(int i, atomic_unchecked_t *v)
6722 + asm volatile(LOCK_PREFIX "addl %1,%0\n"
6726 @@ -60,7 +105,29 @@ static inline void atomic_add(int i, ato
6728 static inline void atomic_sub(int i, atomic_t *v)
6730 - asm volatile(LOCK_PREFIX "subl %1,%0"
6731 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
6733 +#ifdef CONFIG_PAX_REFCOUNT
6735 + LOCK_PREFIX "addl %1,%0\n"
6736 + _ASM_INTO "\n0:\n"
6737 + _ASM_EXTABLE(0b, 0b)
6740 + : "+m" (v->counter)
6745 + * atomic_sub_unchecked - subtract integer from atomic variable
6746 + * @i: integer value to subtract
6747 + * @v: pointer of type atomic_t
6749 + * Atomically subtracts @i from @v.
6751 +static inline void atomic_sub_unchecked(int i, atomic_unchecked_t *v)
6753 + asm volatile(LOCK_PREFIX "subl %1,%0\n"
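Review bot: The kernel-doc added for atomic_sub_unchecked says `@v: pointer of type atomic_t`, but the function takes `atomic_unchecked_t *v`; the same mismatch is in the atomic_dec_unchecked block in a later hunk of this file, while atomic_add_unchecked and atomic_inc_unchecked get the type right. Since the whole point of the `_unchecked` family is that callers must consciously pick the non-overflow-trapped type, the doc line should read `@v: pointer of type atomic_unchecked_t` in both places. The asm body of atomic_sub_unchecked continues past the end of the hunk.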
6757 @@ -78,7 +145,16 @@ static inline int atomic_sub_and_test(in
6761 - asm volatile(LOCK_PREFIX "subl %2,%0; sete %1"
6762 + asm volatile(LOCK_PREFIX "subl %2,%0\n"
6764 +#ifdef CONFIG_PAX_REFCOUNT
6766 + LOCK_PREFIX "addl %2,%0\n"
6767 + _ASM_INTO "\n0:\n"
6768 + _ASM_EXTABLE(0b, 0b)
6772 : "+m" (v->counter), "=qm" (c)
6773 : "ir" (i) : "memory");
6775 @@ -92,7 +168,27 @@ static inline int atomic_sub_and_test(in
6777 static inline void atomic_inc(atomic_t *v)
6779 - asm volatile(LOCK_PREFIX "incl %0"
6780 + asm volatile(LOCK_PREFIX "incl %0\n"
6782 +#ifdef CONFIG_PAX_REFCOUNT
6784 + LOCK_PREFIX "decl %0\n"
6785 + _ASM_INTO "\n0:\n"
6786 + _ASM_EXTABLE(0b, 0b)
6789 + : "+m" (v->counter));
6793 + * atomic_inc_unchecked - increment atomic variable
6794 + * @v: pointer of type atomic_unchecked_t
6796 + * Atomically increments @v by 1.
6798 +static inline void atomic_inc_unchecked(atomic_unchecked_t *v)
6800 + asm volatile(LOCK_PREFIX "incl %0\n"
6801 : "+m" (v->counter));
6804 @@ -104,7 +200,27 @@ static inline void atomic_inc(atomic_t *
6806 static inline void atomic_dec(atomic_t *v)
6808 - asm volatile(LOCK_PREFIX "decl %0"
6809 + asm volatile(LOCK_PREFIX "decl %0\n"
6811 +#ifdef CONFIG_PAX_REFCOUNT
6813 + LOCK_PREFIX "incl %0\n"
6814 + _ASM_INTO "\n0:\n"
6815 + _ASM_EXTABLE(0b, 0b)
6818 + : "+m" (v->counter));
6822 + * atomic_dec_unchecked - decrement atomic variable
6823 + * @v: pointer of type atomic_t
6825 + * Atomically decrements @v by 1.
6827 +static inline void atomic_dec_unchecked(atomic_unchecked_t *v)
6829 + asm volatile(LOCK_PREFIX "decl %0\n"
6830 : "+m" (v->counter));
6833 @@ -120,7 +236,16 @@ static inline int atomic_dec_and_test(at
6837 - asm volatile(LOCK_PREFIX "decl %0; sete %1"
6838 + asm volatile(LOCK_PREFIX "decl %0\n"
6840 +#ifdef CONFIG_PAX_REFCOUNT
6842 + LOCK_PREFIX "incl %0\n"
6843 + _ASM_INTO "\n0:\n"
6844 + _ASM_EXTABLE(0b, 0b)
6848 : "+m" (v->counter), "=qm" (c)
6851 @@ -138,7 +263,16 @@ static inline int atomic_inc_and_test(at
6855 - asm volatile(LOCK_PREFIX "incl %0; sete %1"
6856 + asm volatile(LOCK_PREFIX "incl %0\n"
6858 +#ifdef CONFIG_PAX_REFCOUNT
6860 + LOCK_PREFIX "decl %0\n"
6861 + _ASM_INTO "\n0:\n"
6862 + _ASM_EXTABLE(0b, 0b)
6866 : "+m" (v->counter), "=qm" (c)
6869 @@ -157,7 +291,16 @@ static inline int atomic_add_negative(in
6873 - asm volatile(LOCK_PREFIX "addl %2,%0; sets %1"
6874 + asm volatile(LOCK_PREFIX "addl %2,%0\n"
6876 +#ifdef CONFIG_PAX_REFCOUNT
6878 + LOCK_PREFIX "subl %2,%0\n"
6879 + _ASM_INTO "\n0:\n"
6880 + _ASM_EXTABLE(0b, 0b)
6884 : "+m" (v->counter), "=qm" (c)
6885 : "ir" (i) : "memory");
6887 @@ -180,6 +323,46 @@ static inline int atomic_add_return(int
6889 /* Modern 486+ processor */
6891 + asm volatile(LOCK_PREFIX "xaddl %0, %1\n"
6893 +#ifdef CONFIG_PAX_REFCOUNT
6896 + _ASM_INTO "\n0:\n"
6897 + _ASM_EXTABLE(0b, 0b)
6900 + : "+r" (i), "+m" (v->counter)
6905 +no_xadd: /* Legacy 386 processor */
6906 + local_irq_save(flags);
6907 + __i = atomic_read(v);
6908 + atomic_set(v, i + __i);
6909 + local_irq_restore(flags);
6915 + * atomic_add_return_unchecked - add integer and return
6916 + * @v: pointer of type atomic_unchecked_t
6917 + * @i: integer value to add
6919 + * Atomically adds @i to @v and returns @i + @v
6921 +static inline int atomic_add_return_unchecked(int i, atomic_unchecked_t *v)
6925 + unsigned long flags;
6926 + if (unlikely(boot_cpu_data.x86 <= 3))
6929 + /* Modern 486+ processor */
6931 asm volatile(LOCK_PREFIX "xaddl %0, %1"
6932 : "+r" (i), "+m" (v->counter)
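Review bot: The `no_xadd` fallback that remains in the checked atomic_add_return (`atomic_set(v, i + __i)` after `local_irq_save`) performs the addition with no CONFIG_PAX_REFCOUNT overflow trap, so on a build that takes the `boot_cpu_data.x86 <= 3` path the refcount protection silently does not apply to this function, and `i + __i` is plain signed overflow in C. Either the fallback should compare against INT_MAX before the store and raise the same trap, or a comment should state that the legacy-386 path is intentionally unprotected, e.g. `/* no overflow check on the 386 path: refcount hardening needs xadd */`. The unchecked variant's `goto no_xadd` target and closing brace lie outside the hunk.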
6934 @@ -208,6 +391,10 @@ static inline int atomic_sub_return(int
6937 #define atomic_inc_return(v) (atomic_add_return(1, v))
6938 +static inline int atomic_inc_return_unchecked(atomic_unchecked_t *v)
6940 + return atomic_add_return_unchecked(1, v);
6942 #define atomic_dec_return(v) (atomic_sub_return(1, v))
6944 static inline int atomic_cmpxchg(atomic_t *v, int old, int new)
6945 @@ -231,17 +418,30 @@ static inline int atomic_xchg(atomic_t *
6947 static inline int atomic_add_unless(atomic_t *v, int a, int u)
6953 - if (unlikely(c == (u)))
6954 + if (unlikely(c == u))
6956 - old = atomic_cmpxchg((v), c, c + (a));
6958 + asm volatile("addl %2,%0\n"
6960 +#ifdef CONFIG_PAX_REFCOUNT
6963 + _ASM_INTO "\n0:\n"
6964 + _ASM_EXTABLE(0b, 0b)
6968 + : "0" (c), "ir" (a));
6970 + old = atomic_cmpxchg(v, c, new);
6971 if (likely(old == c))
6979 #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
6980 diff -urNp linux-2.6.36.1/arch/x86/include/asm/boot.h linux-2.6.36.1/arch/x86/include/asm/boot.h
6981 --- linux-2.6.36.1/arch/x86/include/asm/boot.h 2010-10-20 16:30:22.000000000 -0400
6982 +++ linux-2.6.36.1/arch/x86/include/asm/boot.h 2010-11-06 18:58:15.000000000 -0400
6984 #include <asm/pgtable_types.h>
6986 /* Physical address where kernel should be loaded. */
6987 -#define LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6988 +#define ____LOAD_PHYSICAL_ADDR ((CONFIG_PHYSICAL_START \
6989 + (CONFIG_PHYSICAL_ALIGN - 1)) \
6990 & ~(CONFIG_PHYSICAL_ALIGN - 1))
6992 +#ifndef __ASSEMBLY__
6993 +extern unsigned char __LOAD_PHYSICAL_ADDR[];
6994 +#define LOAD_PHYSICAL_ADDR ((unsigned long)__LOAD_PHYSICAL_ADDR)
6997 /* Minimum kernel alignment, as a power of two */
6998 #ifdef CONFIG_X86_64
6999 #define MIN_KERNEL_ALIGN_LG2 PMD_SHIFT
7000 diff -urNp linux-2.6.36.1/arch/x86/include/asm/cacheflush.h linux-2.6.36.1/arch/x86/include/asm/cacheflush.h
7001 --- linux-2.6.36.1/arch/x86/include/asm/cacheflush.h 2010-10-20 16:30:22.000000000 -0400
7002 +++ linux-2.6.36.1/arch/x86/include/asm/cacheflush.h 2010-11-06 18:58:15.000000000 -0400
7003 @@ -66,7 +66,7 @@ static inline unsigned long get_page_mem
7004 unsigned long pg_flags = pg->flags & _PGMT_MASK;
7006 if (pg_flags == _PGMT_DEFAULT)
7009 else if (pg_flags == _PGMT_WC)
7010 return _PAGE_CACHE_WC;
7011 else if (pg_flags == _PGMT_UC_MINUS)
7012 diff -urNp linux-2.6.36.1/arch/x86/include/asm/cache.h linux-2.6.36.1/arch/x86/include/asm/cache.h
7013 --- linux-2.6.36.1/arch/x86/include/asm/cache.h 2010-10-20 16:30:22.000000000 -0400
7014 +++ linux-2.6.36.1/arch/x86/include/asm/cache.h 2010-11-06 18:58:15.000000000 -0400
7016 #define L1_CACHE_BYTES (1 << L1_CACHE_SHIFT)
7018 #define __read_mostly __attribute__((__section__(".data..read_mostly")))
7019 +#define __read_only __attribute__((__section__(".data..read_only")))
7021 #define INTERNODE_CACHE_SHIFT CONFIG_X86_INTERNODE_CACHE_SHIFT
7022 #define INTERNODE_CACHE_BYTES (1 << INTERNODE_CACHE_SHIFT)
7023 diff -urNp linux-2.6.36.1/arch/x86/include/asm/checksum_32.h linux-2.6.36.1/arch/x86/include/asm/checksum_32.h
7024 --- linux-2.6.36.1/arch/x86/include/asm/checksum_32.h 2010-10-20 16:30:22.000000000 -0400
7025 +++ linux-2.6.36.1/arch/x86/include/asm/checksum_32.h 2010-11-06 18:58:15.000000000 -0400
7026 @@ -31,6 +31,14 @@ asmlinkage __wsum csum_partial_copy_gene
7027 int len, __wsum sum,
7028 int *src_err_ptr, int *dst_err_ptr);
7030 +asmlinkage __wsum csum_partial_copy_generic_to_user(const void *src, void *dst,
7031 + int len, __wsum sum,
7032 + int *src_err_ptr, int *dst_err_ptr);
7034 +asmlinkage __wsum csum_partial_copy_generic_from_user(const void *src, void *dst,
7035 + int len, __wsum sum,
7036 + int *src_err_ptr, int *dst_err_ptr);
7039 * Note: when you get a NULL pointer exception here this means someone
7040 * passed in an incorrect kernel address to one of these functions.
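Review bot: The two new prototypes `csum_partial_copy_generic_to_user` and `csum_partial_copy_generic_from_user` are byte-for-byte identical to `csum_partial_copy_generic` apart from the name, and nothing here says how the three asm entry points differ or when each is the right one; the later hunks only show that the `_from_user` one is used when `src` is a user pointer and `_to_user` when `dst` is. A short comment above the declarations, stating which argument is the user-space side for each variant and that callers must still perform the `access_ok` check themselves, would keep future callers from picking the plain one for a user buffer. The "Note: when you get a NULL pointer exception" comment that follows belongs to the original code and continues outside the hunk.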
7041 @@ -50,7 +58,7 @@ static inline __wsum csum_partial_copy_f
7045 - return csum_partial_copy_generic((__force void *)src, dst,
7046 + return csum_partial_copy_generic_from_user((__force void *)src, dst,
7047 len, sum, err_ptr, NULL);
7050 @@ -178,7 +186,7 @@ static inline __wsum csum_and_copy_to_us
7053 if (access_ok(VERIFY_WRITE, dst, len))
7054 - return csum_partial_copy_generic(src, (__force void *)dst,
7055 + return csum_partial_copy_generic_to_user(src, (__force void *)dst,
7056 len, sum, NULL, err_ptr);
7059 diff -urNp linux-2.6.36.1/arch/x86/include/asm/cpufeature.h linux-2.6.36.1/arch/x86/include/asm/cpufeature.h
7060 --- linux-2.6.36.1/arch/x86/include/asm/cpufeature.h 2010-11-26 18:26:23.000000000 -0500
7061 +++ linux-2.6.36.1/arch/x86/include/asm/cpufeature.h 2010-11-26 18:27:07.000000000 -0500
7062 @@ -338,7 +338,7 @@ static __always_inline __pure bool __sta
7063 ".section .discard,\"aw\",@progbits\n"
7064 " .byte 0xff + (4f-3f) - (2b-1b)\n" /* size check */
7066 - ".section .altinstr_replacement,\"ax\"\n"
7067 + ".section .altinstr_replacement,\"a\"\n"
7071 diff -urNp linux-2.6.36.1/arch/x86/include/asm/desc.h linux-2.6.36.1/arch/x86/include/asm/desc.h
7072 --- linux-2.6.36.1/arch/x86/include/asm/desc.h 2010-10-20 16:30:22.000000000 -0400
7073 +++ linux-2.6.36.1/arch/x86/include/asm/desc.h 2010-11-06 18:58:15.000000000 -0400
7075 #include <asm/desc_defs.h>
7076 #include <asm/ldt.h>
7077 #include <asm/mmu.h>
7078 +#include <asm/pgtable.h>
7079 #include <linux/smp.h>
7081 static inline void fill_ldt(struct desc_struct *desc,
7082 @@ -15,6 +16,7 @@ static inline void fill_ldt(struct desc_
7083 desc->base1 = (info->base_addr & 0x00ff0000) >> 16;
7084 desc->type = (info->read_exec_only ^ 1) << 1;
7085 desc->type |= info->contents << 2;
7086 + desc->type |= info->seg_not_present ^ 1;
7089 desc->p = info->seg_not_present ^ 1;
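Review bot: The added `desc->type |= info->seg_not_present ^ 1;` has no comment, and bit 0 of a code/data descriptor's type field is the accessed bit, so this looks like it pre-sets "accessed" on every present LDT entry — presumably so the CPU never needs to write that bit into a descriptor table that this patch otherwise makes read-only; confirm against the GDT/LDT protection elsewhere in the series. Suggest `/* pre-set the accessed bit so the CPU never writes into the descriptor table */` on that line. fill_ldt starts and ends outside the hunk.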
7090 @@ -31,16 +33,12 @@ static inline void fill_ldt(struct desc_
7093 extern struct desc_ptr idt_descr;
7094 -extern gate_desc idt_table[];
7097 - struct desc_struct gdt[GDT_ENTRIES];
7098 -} __attribute__((aligned(PAGE_SIZE)));
7099 -DECLARE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page);
7100 +extern gate_desc idt_table[256];
7102 +extern struct desc_struct cpu_gdt_table[NR_CPUS][PAGE_SIZE / sizeof(struct desc_struct)];
7103 static inline struct desc_struct *get_cpu_gdt_table(unsigned int cpu)
7105 - return per_cpu(gdt_page, cpu).gdt;
7106 + return cpu_gdt_table[cpu];
7109 #ifdef CONFIG_X86_64
7110 @@ -115,19 +113,24 @@ static inline void paravirt_free_ldt(str
7111 static inline void native_write_idt_entry(gate_desc *idt, int entry,
7112 const gate_desc *gate)
7114 + pax_open_kernel();
7115 memcpy(&idt[entry], gate, sizeof(*gate));
7116 + pax_close_kernel();
7119 static inline void native_write_ldt_entry(struct desc_struct *ldt, int entry,
7122 + pax_open_kernel();
7123 memcpy(&ldt[entry], desc, 8);
7124 + pax_close_kernel();
7127 static inline void native_write_gdt_entry(struct desc_struct *gdt, int entry,
7128 const void *desc, int type)
7134 size = sizeof(tss_desc);
7135 @@ -139,7 +142,10 @@ static inline void native_write_gdt_entr
7136 size = sizeof(struct desc_struct);
7140 + pax_open_kernel();
7141 memcpy(&gdt[entry], desc, size);
7142 + pax_close_kernel();
7145 static inline void pack_descriptor(struct desc_struct *desc, unsigned long base,
7146 @@ -211,7 +217,9 @@ static inline void native_set_ldt(const
7148 static inline void native_load_tr_desc(void)
7150 + pax_open_kernel();
7151 asm volatile("ltr %w0"::"q" (GDT_ENTRY_TSS*8));
7152 + pax_close_kernel();
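Review bot: Wrapping a single `ltr` in `pax_open_kernel()`/`pax_close_kernel()` looks redundant to a reader who does not know that `ltr` sets the busy bit in the TSS descriptor, i.e. it performs a write into the GDT (which this patch presumably protects); without a comment the pair is likely to be "cleaned up" later. Suggest `/* ltr marks the TSS descriptor busy: a hardware write into the protected GDT */` above the asm. The same reasoning applies to the native_load_tls loop in the next hunk, which writes the GDT directly.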
7155 static inline void native_load_gdt(const struct desc_ptr *dtr)
7156 @@ -246,8 +254,10 @@ static inline void native_load_tls(struc
7158 struct desc_struct *gdt = get_cpu_gdt_table(cpu);
7160 + pax_open_kernel();
7161 for (i = 0; i < GDT_ENTRY_TLS_ENTRIES; i++)
7162 gdt[GDT_ENTRY_TLS_MIN + i] = t->tls_array[i];
7163 + pax_close_kernel();
7166 #define _LDT_empty(info) \
7167 @@ -309,7 +319,7 @@ static inline void set_desc_limit(struct
7168 desc->limit = (limit >> 16) & 0xf;
7171 -static inline void _set_gate(int gate, unsigned type, void *addr,
7172 +static inline void _set_gate(int gate, unsigned type, const void *addr,
7173 unsigned dpl, unsigned ist, unsigned seg)
7176 @@ -327,7 +337,7 @@ static inline void _set_gate(int gate, u
7177 * Pentium F0 0F bugfix can have resulted in the mapped
7178 * IDT being write-protected.
7180 -static inline void set_intr_gate(unsigned int n, void *addr)
7181 +static inline void set_intr_gate(unsigned int n, const void *addr)
7183 BUG_ON((unsigned)n > 0xFF);
7184 _set_gate(n, GATE_INTERRUPT, addr, 0, 0, __KERNEL_CS);
7185 @@ -356,19 +366,19 @@ static inline void alloc_intr_gate(unsig
7187 * This routine sets up an interrupt gate at directory privilege level 3.
7189 -static inline void set_system_intr_gate(unsigned int n, void *addr)
7190 +static inline void set_system_intr_gate(unsigned int n, const void *addr)
7192 BUG_ON((unsigned)n > 0xFF);
7193 _set_gate(n, GATE_INTERRUPT, addr, 0x3, 0, __KERNEL_CS);
7196 -static inline void set_system_trap_gate(unsigned int n, void *addr)
7197 +static inline void set_system_trap_gate(unsigned int n, const void *addr)
7199 BUG_ON((unsigned)n > 0xFF);
7200 _set_gate(n, GATE_TRAP, addr, 0x3, 0, __KERNEL_CS);
7203 -static inline void set_trap_gate(unsigned int n, void *addr)
7204 +static inline void set_trap_gate(unsigned int n, const void *addr)
7206 BUG_ON((unsigned)n > 0xFF);
7207 _set_gate(n, GATE_TRAP, addr, 0, 0, __KERNEL_CS);
7208 @@ -377,19 +387,31 @@ static inline void set_trap_gate(unsigne
7209 static inline void set_task_gate(unsigned int n, unsigned int gdt_entry)
7211 BUG_ON((unsigned)n > 0xFF);
7212 - _set_gate(n, GATE_TASK, (void *)0, 0, 0, (gdt_entry<<3));
7213 + _set_gate(n, GATE_TASK, (const void *)0, 0, 0, (gdt_entry<<3));
7216 -static inline void set_intr_gate_ist(int n, void *addr, unsigned ist)
7217 +static inline void set_intr_gate_ist(int n, const void *addr, unsigned ist)
7219 BUG_ON((unsigned)n > 0xFF);
7220 _set_gate(n, GATE_INTERRUPT, addr, 0, ist, __KERNEL_CS);
7223 -static inline void set_system_intr_gate_ist(int n, void *addr, unsigned ist)
7224 +static inline void set_system_intr_gate_ist(int n, const void *addr, unsigned ist)
7226 BUG_ON((unsigned)n > 0xFF);
7227 _set_gate(n, GATE_INTERRUPT, addr, 0x3, ist, __KERNEL_CS);
7230 +#ifdef CONFIG_X86_32
7231 +static inline void set_user_cs(unsigned long base, unsigned long limit, int cpu)
7233 + struct desc_struct d;
7235 + if (likely(limit))
7236 + limit = (limit - 1UL) >> PAGE_SHIFT;
7237 + pack_descriptor(&d, base, limit, 0xFB, 0xC);
7238 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_CS, &d, DESCTYPE_S);
7242 #endif /* _ASM_X86_DESC_H */
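Review bot: `pack_descriptor(&d, base, limit, 0xFB, 0xC)` in the new set_user_cs encodes the segment with two magic numbers; a comment naming the bits, `/* 0xFB: present, DPL 3, non-conforming readable code, accessed; 0xC: 4K granularity, 32-bit */`, or named constants would make the descriptor type reviewable. Note also that with page granularity a `limit` of 0 still describes a one-page segment, so if the `!limit` case is meant to yield an unusable code segment that intent should be stated (and handled) here rather than left implicit.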
7243 diff -urNp linux-2.6.36.1/arch/x86/include/asm/device.h linux-2.6.36.1/arch/x86/include/asm/device.h
7244 --- linux-2.6.36.1/arch/x86/include/asm/device.h 2010-10-20 16:30:22.000000000 -0400
7245 +++ linux-2.6.36.1/arch/x86/include/asm/device.h 2010-11-06 18:58:15.000000000 -0400
7246 @@ -6,7 +6,7 @@ struct dev_archdata {
7249 #ifdef CONFIG_X86_64
7250 -struct dma_map_ops *dma_ops;
7251 + const struct dma_map_ops *dma_ops;
7253 #if defined(CONFIG_DMAR) || defined(CONFIG_AMD_IOMMU)
7254 void *iommu; /* hook for IOMMU specific extension */
7255 diff -urNp linux-2.6.36.1/arch/x86/include/asm/dma-mapping.h linux-2.6.36.1/arch/x86/include/asm/dma-mapping.h
7256 --- linux-2.6.36.1/arch/x86/include/asm/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
7257 +++ linux-2.6.36.1/arch/x86/include/asm/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
7258 @@ -26,9 +26,9 @@ extern int iommu_merge;
7259 extern struct device x86_dma_fallback_dev;
7260 extern int panic_on_overflow;
7262 -extern struct dma_map_ops *dma_ops;
7263 +extern const struct dma_map_ops *dma_ops;
7265 -static inline struct dma_map_ops *get_dma_ops(struct device *dev)
7266 +static inline const struct dma_map_ops *get_dma_ops(struct device *dev)
7268 #ifdef CONFIG_X86_32
7270 @@ -45,7 +45,7 @@ static inline struct dma_map_ops *get_dm
7271 /* Make sure we keep the same behaviour */
7272 static inline int dma_mapping_error(struct device *dev, dma_addr_t dma_addr)
7274 - struct dma_map_ops *ops = get_dma_ops(dev);
7275 + const struct dma_map_ops *ops = get_dma_ops(dev);
7276 if (ops->mapping_error)
7277 return ops->mapping_error(dev, dma_addr);
7279 @@ -115,7 +115,7 @@ static inline void *
7280 dma_alloc_coherent(struct device *dev, size_t size, dma_addr_t *dma_handle,
7283 - struct dma_map_ops *ops = get_dma_ops(dev);
7284 + const struct dma_map_ops *ops = get_dma_ops(dev);
7287 gfp &= ~(__GFP_DMA | __GFP_HIGHMEM | __GFP_DMA32);
7288 @@ -142,7 +142,7 @@ dma_alloc_coherent(struct device *dev, s
7289 static inline void dma_free_coherent(struct device *dev, size_t size,
7290 void *vaddr, dma_addr_t bus)
7292 - struct dma_map_ops *ops = get_dma_ops(dev);
7293 + const struct dma_map_ops *ops = get_dma_ops(dev);
7295 WARN_ON(irqs_disabled()); /* for portability */
7297 diff -urNp linux-2.6.36.1/arch/x86/include/asm/e820.h linux-2.6.36.1/arch/x86/include/asm/e820.h
7298 --- linux-2.6.36.1/arch/x86/include/asm/e820.h 2010-10-20 16:30:22.000000000 -0400
7299 +++ linux-2.6.36.1/arch/x86/include/asm/e820.h 2010-11-06 18:58:15.000000000 -0400
7300 @@ -69,7 +69,7 @@ struct e820map {
7301 #define ISA_START_ADDRESS 0xa0000
7302 #define ISA_END_ADDRESS 0x100000
7304 -#define BIOS_BEGIN 0x000a0000
7305 +#define BIOS_BEGIN 0x000c0000
7306 #define BIOS_END 0x00100000
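Review bot: `BIOS_BEGIN` moves from 0xa0000 to 0xc0000 with no comment, which changes what every existing user of the BIOS range treats as firmware ROM; the excluded 0xa0000-0xbffff window is the legacy VGA frame buffer, so the intent is presumably that it must not be handled like read-only ROM, but that should be written down. Suggest `/* 0xa0000-0xbffff is the VGA window, not BIOS ROM; keep it out of the BIOS range */` above the define, and a check that callers relying on `BIOS_BEGIN == ISA_START_ADDRESS` (the two were equal before) still behave.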
7309 diff -urNp linux-2.6.36.1/arch/x86/include/asm/elf.h linux-2.6.36.1/arch/x86/include/asm/elf.h
7310 --- linux-2.6.36.1/arch/x86/include/asm/elf.h 2010-10-20 16:30:22.000000000 -0400
7311 +++ linux-2.6.36.1/arch/x86/include/asm/elf.h 2010-11-06 18:58:15.000000000 -0400
7312 @@ -237,7 +237,25 @@ extern int force_personality32;
7313 the loader. We need to make sure that it is out of the way of the program
7314 that it will "exec", and that there is sufficient room for the brk. */
7316 +#ifdef CONFIG_PAX_SEGMEXEC
7317 +#define ELF_ET_DYN_BASE ((current->mm->pax_flags & MF_PAX_SEGMEXEC) ? SEGMEXEC_TASK_SIZE/3*2 : TASK_SIZE/3*2)
7319 #define ELF_ET_DYN_BASE (TASK_SIZE / 3 * 2)
7322 +#ifdef CONFIG_PAX_ASLR
7323 +#ifdef CONFIG_X86_32
7324 +#define PAX_ELF_ET_DYN_BASE 0x10000000UL
7326 +#define PAX_DELTA_MMAP_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7327 +#define PAX_DELTA_STACK_LEN (current->mm->pax_flags & MF_PAX_SEGMEXEC ? 15 : 16)
7329 +#define PAX_ELF_ET_DYN_BASE 0x400000UL
7331 +#define PAX_DELTA_MMAP_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7332 +#define PAX_DELTA_STACK_LEN ((test_thread_flag(TIF_IA32)) ? 16 : TASK_SIZE_MAX_SHIFT - PAGE_SHIFT - 3)
7336 /* This yields a mask that user programs can use to figure out what
7337 instruction set this CPU supports. This could be done in user space,
7338 @@ -291,8 +309,7 @@ do { \
7339 #define ARCH_DLINFO \
7342 - NEW_AUX_ENT(AT_SYSINFO_EHDR, \
7343 - (unsigned long)current->mm->context.vdso); \
7344 + NEW_AUX_ENT(AT_SYSINFO_EHDR, current->mm->context.vdso);\
7347 #define AT_SYSINFO 32
7348 @@ -303,7 +320,7 @@ do { \
7350 #endif /* !CONFIG_X86_32 */
7352 -#define VDSO_CURRENT_BASE ((unsigned long)current->mm->context.vdso)
7353 +#define VDSO_CURRENT_BASE (current->mm->context.vdso)
7355 #define VDSO_ENTRY \
7356 ((unsigned long)VDSO32_SYMBOL(VDSO_CURRENT_BASE, vsyscall))
7357 @@ -317,7 +334,4 @@ extern int arch_setup_additional_pages(s
7358 extern int syscall32_setup_pages(struct linux_binprm *, int exstack);
7359 #define compat_arch_setup_additional_pages syscall32_setup_pages
7361 -extern unsigned long arch_randomize_brk(struct mm_struct *mm);
7362 -#define arch_randomize_brk arch_randomize_brk
7364 #endif /* _ASM_X86_ELF_H */
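Review bot: Dropping the `arch_randomize_brk` declaration and its `#define` silently turns off the generic ELF loader's brk randomization for x86, since binfmt_elf keys on that macro; if the PaX ASLR code introduced elsewhere in this series randomizes brk itself, a one-line comment here would stop someone from re-adding the hook and double-randomizing. Suggest `/* brk randomization is handled by PAX_ASLR; do not reinstate arch_randomize_brk */` where the lines were removed.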
7365 diff -urNp linux-2.6.36.1/arch/x86/include/asm/futex.h linux-2.6.36.1/arch/x86/include/asm/futex.h
7366 --- linux-2.6.36.1/arch/x86/include/asm/futex.h 2010-10-20 16:30:22.000000000 -0400
7367 +++ linux-2.6.36.1/arch/x86/include/asm/futex.h 2010-11-06 18:58:15.000000000 -0400
7369 #include <asm/processor.h>
7370 #include <asm/system.h>
7372 +#ifdef CONFIG_X86_32
7373 #define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7375 + "movw\t%w6, %%ds\n" \
7376 + "1:\t" insn "\n" \
7377 + "2:\tpushl\t%%ss\n" \
7378 + "\tpopl\t%%ds\n" \
7379 + "\t.section .fixup,\"ax\"\n" \
7380 + "3:\tmov\t%3, %1\n" \
7383 + _ASM_EXTABLE(1b, 3b) \
7384 + : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7385 + : "i" (-EFAULT), "0" (oparg), "1" (0), "r" (__USER_DS))
7387 +#define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7388 + asm volatile("movw\t%w7, %%es\n" \
7389 + "1:\tmovl\t%%es:%2, %0\n" \
7390 + "\tmovl\t%0, %3\n" \
7392 + "2:\t" LOCK_PREFIX "cmpxchgl %3, %%es:%2\n"\
7394 + "3:\tpushl\t%%ss\n" \
7395 + "\tpopl\t%%es\n" \
7396 + "\t.section .fixup,\"ax\"\n" \
7397 + "4:\tmov\t%5, %1\n" \
7400 + _ASM_EXTABLE(1b, 4b) \
7401 + _ASM_EXTABLE(2b, 4b) \
7402 + : "=&a" (oldval), "=&r" (ret), \
7403 + "+m" (*uaddr), "=&r" (tem) \
7404 + : "r" (oparg), "i" (-EFAULT), "1" (0), "r" (__USER_DS))
7406 +#define __futex_atomic_op1(insn, ret, oldval, uaddr, oparg) \
7407 + typecheck(u32 *, uaddr); \
7408 asm volatile("1:\t" insn "\n" \
7409 "2:\t.section .fixup,\"ax\"\n" \
7410 "3:\tmov\t%3, %1\n" \
7413 _ASM_EXTABLE(1b, 3b) \
7414 - : "=r" (oldval), "=r" (ret), "+m" (*uaddr) \
7415 + : "=r" (oldval), "=r" (ret), \
7416 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))\
7417 : "i" (-EFAULT), "0" (oparg), "1" (0))
7419 #define __futex_atomic_op2(insn, ret, oldval, uaddr, oparg) \
7420 + typecheck(u32 *, uaddr); \
7421 asm volatile("1:\tmovl %2, %0\n" \
7422 "\tmovl\t%0, %3\n" \
7425 _ASM_EXTABLE(1b, 4b) \
7426 _ASM_EXTABLE(2b, 4b) \
7427 : "=&a" (oldval), "=&r" (ret), \
7428 - "+m" (*uaddr), "=&r" (tem) \
7429 + "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4)),\
7431 : "r" (oparg), "i" (-EFAULT), "1" (0))
7434 -static inline int futex_atomic_op_inuser(int encoded_op, int __user *uaddr)
7435 +static inline int futex_atomic_op_inuser(int encoded_op, u32 __user *uaddr)
7437 int op = (encoded_op >> 28) & 7;
7438 int cmp = (encoded_op >> 24) & 15;
7439 @@ -61,11 +100,20 @@ static inline int futex_atomic_op_inuser
7443 +#ifdef CONFIG_X86_32
7444 + __futex_atomic_op1("xchgl %0, %%ds:%2", ret, oldval, uaddr, oparg);
7446 __futex_atomic_op1("xchgl %0, %2", ret, oldval, uaddr, oparg);
7450 +#ifdef CONFIG_X86_32
7451 + __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %%ds:%2", ret, oldval,
7454 __futex_atomic_op1(LOCK_PREFIX "xaddl %0, %2", ret, oldval,
7459 __futex_atomic_op2("orl %4, %3", ret, oldval, uaddr, oparg);
7460 @@ -109,7 +157,7 @@ static inline int futex_atomic_op_inuser
7464 -static inline int futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval,
7465 +static inline int futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval,
7469 @@ -119,17 +167,31 @@ static inline int futex_atomic_cmpxchg_i
7473 - if (!access_ok(VERIFY_WRITE, uaddr, sizeof(int)))
7474 + if (!access_ok(VERIFY_WRITE, uaddr, sizeof(u32)))
7477 - asm volatile("1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7478 - "2:\t.section .fixup, \"ax\"\n"
7480 +#ifdef CONFIG_X86_32
7481 + "\tmovw %w5, %%ds\n"
7482 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %%ds:%1\n"
7483 + "2:\tpushl %%ss\n"
7486 + "1:\t" LOCK_PREFIX "cmpxchgl %3, %1\n"
7489 + "\t.section .fixup, \"ax\"\n"
7493 _ASM_EXTABLE(1b, 3b)
7494 +#ifdef CONFIG_X86_32
7495 : "=a" (oldval), "+m" (*uaddr)
7496 + : "i" (-EFAULT), "r" (newval), "0" (oldval), "r" (__USER_DS)
7498 + : "=a" (oldval), "+m" (*(uaddr + PAX_USER_SHADOW_BASE / 4))
7499 : "i" (-EFAULT), "r" (newval), "0" (oldval)
7504 diff -urNp linux-2.6.36.1/arch/x86/include/asm/i387.h linux-2.6.36.1/arch/x86/include/asm/i387.h
7505 --- linux-2.6.36.1/arch/x86/include/asm/i387.h 2010-10-20 16:30:22.000000000 -0400
7506 +++ linux-2.6.36.1/arch/x86/include/asm/i387.h 2010-11-06 18:58:15.000000000 -0400
7507 @@ -90,6 +90,11 @@ static inline int fxrstor_checking(struc
7511 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7512 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7513 + fx = (struct i387_fxsave_struct *)((void *)fx + PAX_USER_SHADOW_BASE);
7516 asm volatile("1: rex64/fxrstor (%[fx])\n\t"
7518 ".section .fixup,\"ax\"\n"
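Review bot: The new `if ((unsigned long)fx < PAX_USER_SHADOW_BASE)` rebases any pointer below the shadow base, so it implicitly assumes every kernel buffer handed to fxrstor_checking lives above `PAX_USER_SHADOW_BASE` on x86_64 and every user buffer below it; that is presumably true given the kernel's upper-half mapping, but the check is silent if it ever is not. Suggest `/* user pointers sit below the shadow base; kernel buffers are always above it */` on the condition, and the same on the fxsave_user hunk below. The function body starts outside the hunk.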
7519 @@ -140,6 +145,11 @@ static inline int fxsave_user(struct i38
7523 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7524 + if ((unsigned long)fx < PAX_USER_SHADOW_BASE)
7525 + fx = (struct i387_fxsave_struct __user *)((void __user *)fx + PAX_USER_SHADOW_BASE);
7529 * Clear the bytes not touched by the fxsave and reserved
7531 @@ -242,13 +252,8 @@ static inline int fxrstor_checking(struc
7534 /* We need a safe address that is cheap to find and that is already
7535 - in L1 during context switch. The best choices are unfortunately
7536 - different for UP and SMP */
7538 -#define safe_address (__per_cpu_offset[0])
7540 -#define safe_address (kstat_cpu(0).cpustat.user)
7542 + in L1 during context switch. */
7543 +#define safe_address (init_tss[smp_processor_id()].x86_tss.sp0)
7546 * These must be called with preempt disabled
7547 diff -urNp linux-2.6.36.1/arch/x86/include/asm/io.h linux-2.6.36.1/arch/x86/include/asm/io.h
7548 --- linux-2.6.36.1/arch/x86/include/asm/io.h 2010-11-26 18:26:23.000000000 -0500
7549 +++ linux-2.6.36.1/arch/x86/include/asm/io.h 2010-11-26 18:27:07.000000000 -0500
7550 @@ -214,6 +214,17 @@ extern void set_iounmap_nonlazy(void);
7552 #include <linux/vmalloc.h>
7554 +#define ARCH_HAS_VALID_PHYS_ADDR_RANGE
7555 +static inline int valid_phys_addr_range(unsigned long addr, size_t count)
7557 + return ((addr + count + PAGE_SIZE - 1) >> PAGE_SHIFT) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7560 +static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
7562 + return (pfn + (count >> PAGE_SHIFT)) < (1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)) ? 1 : 0;
7566 * Convert a virtual cached pointer to an uncached pointer
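Review bot: `1 << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT)` in both new helpers shifts an `int`, so with 44 or more physical address bits (shift of 32+) it is undefined and on x86_64 yields a wrong limit, making the /dev/mem range check these functions exist for useless exactly on large machines; it needs `1UL`. The sums `addr + count + PAGE_SIZE - 1` and `pfn + (count >> PAGE_SHIFT)` can also wrap for a hostile `count`, after which the comparison passes. Below is a rewrite of both functions that uses an unsigned long limit and rejects wrapping ranges while keeping the original strict `<` semantics.
```c
static inline int valid_phys_addr_range(unsigned long addr, size_t count)
{
	/* 1UL keeps the shift in range for >= 44 physical address bits */
	unsigned long max_pfn = 1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);
	unsigned long end = addr + count;

	/* reject ranges that wrap around the address space */
	if (end < addr || end > ~0UL - (PAGE_SIZE - 1))
		return 0;
	return ((end + PAGE_SIZE - 1) >> PAGE_SHIFT) < max_pfn ? 1 : 0;
}

static inline int valid_mmap_phys_addr_range(unsigned long pfn, size_t count)
{
	unsigned long max_pfn = 1UL << (boot_cpu_data.x86_phys_bits - PAGE_SHIFT);
	unsigned long npages = count >> PAGE_SHIFT;

	/* equivalent to pfn + npages < max_pfn, without the wrap-around */
	return (npages < max_pfn && pfn < max_pfn - npages) ? 1 : 0;
}
```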
7568 diff -urNp linux-2.6.36.1/arch/x86/include/asm/iommu.h linux-2.6.36.1/arch/x86/include/asm/iommu.h
7569 --- linux-2.6.36.1/arch/x86/include/asm/iommu.h 2010-10-20 16:30:22.000000000 -0400
7570 +++ linux-2.6.36.1/arch/x86/include/asm/iommu.h 2010-11-06 18:58:15.000000000 -0400
7572 #ifndef _ASM_X86_IOMMU_H
7573 #define _ASM_X86_IOMMU_H
7575 -extern struct dma_map_ops nommu_dma_ops;
7576 +extern const struct dma_map_ops nommu_dma_ops;
7577 extern int force_iommu, no_iommu;
7578 extern int iommu_detected;
7579 extern int iommu_pass_through;
7580 diff -urNp linux-2.6.36.1/arch/x86/include/asm/irqflags.h linux-2.6.36.1/arch/x86/include/asm/irqflags.h
7581 --- linux-2.6.36.1/arch/x86/include/asm/irqflags.h 2010-10-20 16:30:22.000000000 -0400
7582 +++ linux-2.6.36.1/arch/x86/include/asm/irqflags.h 2010-11-06 18:58:15.000000000 -0400
7583 @@ -142,6 +142,11 @@ static inline unsigned long __raw_local_
7587 +#define GET_CR0_INTO_RDI mov %cr0, %rdi
7588 +#define SET_RDI_INTO_CR0 mov %rdi, %cr0
7589 +#define GET_CR3_INTO_RDI mov %cr3, %rdi
7590 +#define SET_RDI_INTO_CR3 mov %rdi, %cr3
7593 #define INTERRUPT_RETURN iret
7594 #define ENABLE_INTERRUPTS_SYSEXIT sti; sysexit
7595 diff -urNp linux-2.6.36.1/arch/x86/include/asm/kvm_host.h linux-2.6.36.1/arch/x86/include/asm/kvm_host.h
7596 --- linux-2.6.36.1/arch/x86/include/asm/kvm_host.h 2010-10-20 16:30:22.000000000 -0400
7597 +++ linux-2.6.36.1/arch/x86/include/asm/kvm_host.h 2010-11-06 18:58:15.000000000 -0400
7598 @@ -525,7 +525,7 @@ struct kvm_x86_ops {
7599 const struct trace_print_flags *exit_reasons_str;
7602 -extern struct kvm_x86_ops *kvm_x86_ops;
7603 +extern const struct kvm_x86_ops *kvm_x86_ops;
7605 int kvm_mmu_module_init(void);
7606 void kvm_mmu_module_exit(void);
7607 diff -urNp linux-2.6.36.1/arch/x86/include/asm/local.h linux-2.6.36.1/arch/x86/include/asm/local.h
7608 --- linux-2.6.36.1/arch/x86/include/asm/local.h 2010-10-20 16:30:22.000000000 -0400
7609 +++ linux-2.6.36.1/arch/x86/include/asm/local.h 2010-11-06 18:58:15.000000000 -0400
7610 @@ -18,26 +18,90 @@ typedef struct {
7612 static inline void local_inc(local_t *l)
7614 - asm volatile(_ASM_INC "%0"
7615 + asm volatile(_ASM_INC "%0\n"
7617 +#ifdef CONFIG_PAX_REFCOUNT
7618 +#ifdef CONFIG_X86_32
7624 + ".pushsection .fixup,\"ax\"\n"
7629 + _ASM_EXTABLE(0b, 1b)
7632 : "+m" (l->a.counter));
7635 static inline void local_dec(local_t *l)
7637 - asm volatile(_ASM_DEC "%0"
7638 + asm volatile(_ASM_DEC "%0\n"
7640 +#ifdef CONFIG_PAX_REFCOUNT
7641 +#ifdef CONFIG_X86_32
7647 + ".pushsection .fixup,\"ax\"\n"
7652 + _ASM_EXTABLE(0b, 1b)
7655 : "+m" (l->a.counter));
7658 static inline void local_add(long i, local_t *l)
7660 - asm volatile(_ASM_ADD "%1,%0"
7661 + asm volatile(_ASM_ADD "%1,%0\n"
7663 +#ifdef CONFIG_PAX_REFCOUNT
7664 +#ifdef CONFIG_X86_32
7670 + ".pushsection .fixup,\"ax\"\n"
7672 + _ASM_SUB "%1,%0\n"
7675 + _ASM_EXTABLE(0b, 1b)
7678 : "+m" (l->a.counter)
7682 static inline void local_sub(long i, local_t *l)
7684 - asm volatile(_ASM_SUB "%1,%0"
7685 + asm volatile(_ASM_SUB "%1,%0\n"
7687 +#ifdef CONFIG_PAX_REFCOUNT
7688 +#ifdef CONFIG_X86_32
7694 + ".pushsection .fixup,\"ax\"\n"
7696 + _ASM_ADD "%1,%0\n"
7699 + _ASM_EXTABLE(0b, 1b)
7702 : "+m" (l->a.counter)
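Review bot: The CONFIG_PAX_REFCOUNT stanza (`#ifdef CONFIG_X86_32` / `.pushsection .fixup,"ax"` / undo instruction / `_ASM_EXTABLE(0b, 1b)`) is pasted nine times across this file's hunks — local_inc, local_dec, local_add, local_sub, local_sub_and_test, local_dec_and_test, local_inc_and_test, local_add_negative and local_add_return — differing only in the undo instruction, and the equivalent stanza is repeated again throughout the atomic.h hunks above. A single helper macro taking the undo instruction string (e.g. `PAX_REFCOUNT_OVERFLOW(_ASM_DEC "%0")`) would make the trap sequence reviewable in one place and prevent the copies from drifting apart, which is exactly the kind of drift the atomic_sub_unchecked/atomic_dec_unchecked doc lines in atomic.h already show. The inner 32-bit/64-bit lines of each stanza are not visible in the hunk text.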
7705 @@ -55,7 +119,24 @@ static inline int local_sub_and_test(lon
7709 - asm volatile(_ASM_SUB "%2,%0; sete %1"
7710 + asm volatile(_ASM_SUB "%2,%0\n"
7712 +#ifdef CONFIG_PAX_REFCOUNT
7713 +#ifdef CONFIG_X86_32
7719 + ".pushsection .fixup,\"ax\"\n"
7721 + _ASM_ADD "%2,%0\n"
7724 + _ASM_EXTABLE(0b, 1b)
7728 : "+m" (l->a.counter), "=qm" (c)
7729 : "ir" (i) : "memory");
7731 @@ -73,7 +154,24 @@ static inline int local_dec_and_test(loc
7735 - asm volatile(_ASM_DEC "%0; sete %1"
7736 + asm volatile(_ASM_DEC "%0\n"
7738 +#ifdef CONFIG_PAX_REFCOUNT
7739 +#ifdef CONFIG_X86_32
7745 + ".pushsection .fixup,\"ax\"\n"
7750 + _ASM_EXTABLE(0b, 1b)
7754 : "+m" (l->a.counter), "=qm" (c)
7757 @@ -91,7 +189,24 @@ static inline int local_inc_and_test(loc
7761 - asm volatile(_ASM_INC "%0; sete %1"
7762 + asm volatile(_ASM_INC "%0\n"
7764 +#ifdef CONFIG_PAX_REFCOUNT
7765 +#ifdef CONFIG_X86_32
7771 + ".pushsection .fixup,\"ax\"\n"
7776 + _ASM_EXTABLE(0b, 1b)
7780 : "+m" (l->a.counter), "=qm" (c)
7783 @@ -110,7 +225,24 @@ static inline int local_add_negative(lon
7787 - asm volatile(_ASM_ADD "%2,%0; sets %1"
7788 + asm volatile(_ASM_ADD "%2,%0\n"
7790 +#ifdef CONFIG_PAX_REFCOUNT
7791 +#ifdef CONFIG_X86_32
7797 + ".pushsection .fixup,\"ax\"\n"
7799 + _ASM_SUB "%2,%0\n"
7802 + _ASM_EXTABLE(0b, 1b)
7806 : "+m" (l->a.counter), "=qm" (c)
7807 : "ir" (i) : "memory");
7809 @@ -133,7 +265,23 @@ static inline long local_add_return(long
7811 /* Modern 486+ processor */
7813 - asm volatile(_ASM_XADD "%0, %1;"
7814 + asm volatile(_ASM_XADD "%0, %1\n"
7816 +#ifdef CONFIG_PAX_REFCOUNT
7817 +#ifdef CONFIG_X86_32
7823 + ".pushsection .fixup,\"ax\"\n"
7825 + _ASM_MOV "%0,%1\n"
7828 + _ASM_EXTABLE(0b, 1b)
7831 : "+r" (i), "+m" (l->a.counter)
7834 diff -urNp linux-2.6.36.1/arch/x86/include/asm/mc146818rtc.h linux-2.6.36.1/arch/x86/include/asm/mc146818rtc.h
7835 --- linux-2.6.36.1/arch/x86/include/asm/mc146818rtc.h 2010-10-20 16:30:22.000000000 -0400
7836 +++ linux-2.6.36.1/arch/x86/include/asm/mc146818rtc.h 2010-11-06 18:58:15.000000000 -0400
7837 @@ -81,8 +81,8 @@ static inline unsigned char current_lock
7839 #define lock_cmos_prefix(reg) do {} while (0)
7840 #define lock_cmos_suffix(reg) do {} while (0)
7841 -#define lock_cmos(reg)
7842 -#define unlock_cmos()
7843 +#define lock_cmos(reg) do {} while (0)
7844 +#define unlock_cmos() do {} while (0)
7845 #define do_i_have_lock_cmos() 0
7846 #define current_lock_cmos_reg() 0
7848 diff -urNp linux-2.6.36.1/arch/x86/include/asm/microcode.h linux-2.6.36.1/arch/x86/include/asm/microcode.h
7849 --- linux-2.6.36.1/arch/x86/include/asm/microcode.h 2010-10-20 16:30:22.000000000 -0400
7850 +++ linux-2.6.36.1/arch/x86/include/asm/microcode.h 2010-11-06 18:58:15.000000000 -0400
7851 @@ -12,13 +12,13 @@ struct device;
7852 enum ucode_state { UCODE_ERROR, UCODE_OK, UCODE_NFOUND };
7854 struct microcode_ops {
7855 - enum ucode_state (*request_microcode_user) (int cpu,
7856 + enum ucode_state (* const request_microcode_user) (int cpu,
7857 const void __user *buf, size_t size);
7859 - enum ucode_state (*request_microcode_fw) (int cpu,
7860 + enum ucode_state (* const request_microcode_fw) (int cpu,
7861 struct device *device);
7863 - void (*microcode_fini_cpu) (int cpu);
7864 + void (* const microcode_fini_cpu) (int cpu);
7867 * The generic 'microcode_core' part guarantees that
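Review bot: Making `request_microcode_user`, `request_microcode_fw` and `microcode_fini_cpu` `* const` members only rejects assignments through C; the table is write-protected in memory only where the object itself is declared `const`, which the `const struct microcode_ops *` return types in the next hunk suggest but the .c-side definitions (not in this chunk) must actually do. The same applies to `struct pci_raw_ops` in the pci_x86.h hunk, where `extern const struct pci_raw_ops pci_direct_conf1` does make the object const. A comment on the struct would tell implementers what is now required: `/* members are const so ops tables can be placed read-only; definitions must use a static initializer */`.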
7868 @@ -38,18 +38,18 @@ struct ucode_cpu_info {
7869 extern struct ucode_cpu_info ucode_cpu_info[];
7871 #ifdef CONFIG_MICROCODE_INTEL
7872 -extern struct microcode_ops * __init init_intel_microcode(void);
7873 +extern const struct microcode_ops * __init init_intel_microcode(void);
7875 -static inline struct microcode_ops * __init init_intel_microcode(void)
7876 +static inline const struct microcode_ops * __init init_intel_microcode(void)
7880 #endif /* CONFIG_MICROCODE_INTEL */
7882 #ifdef CONFIG_MICROCODE_AMD
7883 -extern struct microcode_ops * __init init_amd_microcode(void);
7884 +extern const struct microcode_ops * __init init_amd_microcode(void);
7886 -static inline struct microcode_ops * __init init_amd_microcode(void)
7887 +static inline const struct microcode_ops * __init init_amd_microcode(void)
7891 diff -urNp linux-2.6.36.1/arch/x86/include/asm/mman.h linux-2.6.36.1/arch/x86/include/asm/mman.h
7892 --- linux-2.6.36.1/arch/x86/include/asm/mman.h 2010-10-20 16:30:22.000000000 -0400
7893 +++ linux-2.6.36.1/arch/x86/include/asm/mman.h 2010-11-06 18:58:15.000000000 -0400
7896 #include <asm-generic/mman.h>
7899 +#ifndef __ASSEMBLY__
7900 +#ifdef CONFIG_X86_32
7901 +#define arch_mmap_check i386_mmap_check
7902 +int i386_mmap_check(unsigned long addr, unsigned long len,
7903 + unsigned long flags);
7908 #endif /* _ASM_X86_MMAN_H */
7909 diff -urNp linux-2.6.36.1/arch/x86/include/asm/mmu_context.h linux-2.6.36.1/arch/x86/include/asm/mmu_context.h
7910 --- linux-2.6.36.1/arch/x86/include/asm/mmu_context.h 2010-10-20 16:30:22.000000000 -0400
7911 +++ linux-2.6.36.1/arch/x86/include/asm/mmu_context.h 2010-11-06 18:58:15.000000000 -0400
7912 @@ -24,6 +24,21 @@ void destroy_context(struct mm_struct *m
7914 static inline void enter_lazy_tlb(struct mm_struct *mm, struct task_struct *tsk)
7917 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
7921 + pax_open_kernel();
7922 + pgd = get_cpu_pgd(smp_processor_id());
7923 + for (i = USER_PGD_PTRS; i < 2 * USER_PGD_PTRS; ++i)
7924 + if (paravirt_enabled())
7925 + set_pgd(pgd+i, native_make_pgd(0));
7927 + pgd[i] = native_make_pgd(0);
7928 + pax_close_kernel();
7932 if (percpu_read(cpu_tlbstate.state) == TLBSTATE_OK)
7933 percpu_write(cpu_tlbstate.state, TLBSTATE_LAZY);
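Review bot: The reason the non-paravirt branch stores `pgd[i] = native_make_pgd(0)` directly instead of always calling `set_pgd()` is not stated, and it matters: this loop runs between `pax_open_kernel()` and `pax_close_kernel()`, and `native_set_pgd()` in the pgtable_64.h hunk now opens the kernel itself, so a nested open would trip the `BUG_ON(unlikely(cr0 & X86_CR0_WP))` in `native_pax_open_kernel()` (pgtable.h hunk). Whether the `paravirt_enabled()` path avoids the same re-entry depends on the hypervisor's `set_pgd` implementation, which is not visible here. Suggested comment above the loop: `/* UDEREF: clear this cpu's shadow user pgd entries while a kernel thread runs; stored directly because native_set_pgd() would re-enter pax_open_kernel(); switch_mm() re-clones them */`. `paravirt_enabled()` is also loop-invariant and could be tested once outside the loop; the function's local declarations sit on lines elided from this chunk.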
7934 @@ -34,27 +49,70 @@ static inline void switch_mm(struct mm_s
7935 struct task_struct *tsk)
7937 unsigned cpu = smp_processor_id();
7938 +#if defined(CONFIG_X86_32) && defined(CONFIG_SMP)
7939 + int tlbstate = TLBSTATE_OK;
7942 if (likely(prev != next)) {
7943 /* stop flush ipis for the previous mm */
7944 cpumask_clear_cpu(cpu, mm_cpumask(prev));
7946 +#ifdef CONFIG_X86_32
7947 + tlbstate = percpu_read(cpu_tlbstate.state);
7949 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
7950 percpu_write(cpu_tlbstate.active_mm, next);
7952 cpumask_set_cpu(cpu, mm_cpumask(next));
7954 /* Re-load page tables */
7955 +#ifdef CONFIG_PAX_PER_CPU_PGD
7956 + pax_open_kernel();
7957 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7958 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7959 + pax_close_kernel();
7960 + load_cr3(get_cpu_pgd(cpu));
7962 load_cr3(next->pgd);
7966 * load the LDT, if the LDT is different:
7968 if (unlikely(prev->context.ldt != next->context.ldt))
7969 load_LDT_nolock(&next->context);
7972 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
7973 + if (!(__supported_pte_mask & _PAGE_NX)) {
7974 + smp_mb__before_clear_bit();
7975 + cpu_clear(cpu, prev->context.cpu_user_cs_mask);
7976 + smp_mb__after_clear_bit();
7977 + cpu_set(cpu, next->context.cpu_user_cs_mask);
7981 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
7982 + if (unlikely(prev->context.user_cs_base != next->context.user_cs_base ||
7983 + prev->context.user_cs_limit != next->context.user_cs_limit))
7984 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7986 + else if (unlikely(tlbstate != TLBSTATE_OK))
7987 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
7994 +#ifdef CONFIG_PAX_PER_CPU_PGD
7995 + pax_open_kernel();
7996 + __clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
7997 + __shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
7998 + pax_close_kernel();
7999 + load_cr3(get_cpu_pgd(cpu));
8003 percpu_write(cpu_tlbstate.state, TLBSTATE_OK);
8004 BUG_ON(percpu_read(cpu_tlbstate.active_mm) != next);
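Review bot: The `CONFIG_PAX_PER_CPU_PGD` sequence — open kernel, `__clone_user_pgds`, `__shadow_user_pgds`, close kernel, `load_cr3(get_cpu_pgd(cpu))` — appears verbatim twice in this hunk (gutter 7955-7960 and 7994-7999), and the two `set_user_cs(...)` calls in the PAGEEXEC/SEGMEXEC block are identical as well. A small static inline helper would keep the copies from drifting, which matters because the per-cpu pgd is what separates user and kernel pgd entries under UDEREF. The `#if`/`#else` lines around the second copy are elided from this chunk, so the call sites should be placed against the full file. switch_mm begins at the hunk header's context line and continues into the next hunk.
```c
#ifdef CONFIG_PAX_PER_CPU_PGD
/* Rebuild this cpu's private pgd from next's user pgd entries and switch to it. */
static inline void pax_load_cpu_pgd(unsigned cpu, struct mm_struct *next)
{
	pax_open_kernel();
	__clone_user_pgds(get_cpu_pgd(cpu), next->pgd, USER_PGD_PTRS);
	__shadow_user_pgds(get_cpu_pgd(cpu) + USER_PGD_PTRS, next->pgd, USER_PGD_PTRS);
	pax_close_kernel();
	load_cr3(get_cpu_pgd(cpu));
}
#endif

/* … unchanged: switch_mm() up to "Re-load page tables" … */
#ifdef CONFIG_PAX_PER_CPU_PGD
		pax_load_cpu_pgd(cpu, next);
#else
		load_cr3(next->pgd);
#endif
/* … unchanged: LDT reload, user CS handling; second copy replaced the same way … */
```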
8006 @@ -63,11 +121,28 @@ static inline void switch_mm(struct mm_s
8007 * tlb flush IPI delivery. We must reload CR3
8008 * to make sure to use no freed page tables.
8011 +#ifndef CONFIG_PAX_PER_CPU_PGD
8012 load_cr3(next->pgd);
8015 load_LDT_nolock(&next->context);
8017 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
8018 + if (!(__supported_pte_mask & _PAGE_NX))
8019 + cpu_set(cpu, next->context.cpu_user_cs_mask);
8022 +#if defined(CONFIG_X86_32) && (defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC))
8023 +#ifdef CONFIG_PAX_PAGEEXEC
8024 + if (!((next->pax_flags & MF_PAX_PAGEEXEC) && (__supported_pte_mask & _PAGE_NX)))
8026 + set_user_cs(next->context.user_cs_base, next->context.user_cs_limit, cpu);
8035 #define activate_mm(prev, next) \
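Review bot: The context comment just above `load_cr3(next->pgd)` still says "We must reload CR3 to make sure to use no freed page tables", but with `CONFIG_PAX_PER_CPU_PGD` the new `#ifndef` skips that reload; if the per-cpu pgd reload added earlier in this function is what covers this path, the comment should say so, e.g. `/* with CONFIG_PAX_PER_CPU_PGD the per-cpu pgd was already reloaded above */` next to the `#ifndef`. The lines between gutter 8012 and 8015 are elided here, so where the earlier reload sits relative to this branch should be checked in the full file. switch_mm begins in the previous hunk.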
8036 diff -urNp linux-2.6.36.1/arch/x86/include/asm/mmu.h linux-2.6.36.1/arch/x86/include/asm/mmu.h
8037 --- linux-2.6.36.1/arch/x86/include/asm/mmu.h 2010-10-20 16:30:22.000000000 -0400
8038 +++ linux-2.6.36.1/arch/x86/include/asm/mmu.h 2010-11-06 18:58:15.000000000 -0400
8040 * we put the segment information here.
8044 + struct desc_struct *ldt;
8048 + unsigned long vdso;
8050 +#ifdef CONFIG_X86_32
8051 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
8052 + unsigned long user_cs_base;
8053 + unsigned long user_cs_limit;
8055 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
8056 + cpumask_t cpu_user_cs_mask;
8065 diff -urNp linux-2.6.36.1/arch/x86/include/asm/module.h linux-2.6.36.1/arch/x86/include/asm/module.h
8066 --- linux-2.6.36.1/arch/x86/include/asm/module.h 2010-10-20 16:30:22.000000000 -0400
8067 +++ linux-2.6.36.1/arch/x86/include/asm/module.h 2010-11-06 18:58:50.000000000 -0400
8069 #error unknown processor family
8072 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8073 +#define MODULE_PAX_UDEREF "UDEREF "
8075 +#define MODULE_PAX_UDEREF ""
8078 #ifdef CONFIG_X86_32
8079 # ifdef CONFIG_4KSTACKS
8080 # define MODULE_STACKSIZE "4KSTACKS "
8082 # define MODULE_STACKSIZE ""
8084 -# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE
8085 +# ifdef CONFIG_PAX_KERNEXEC
8086 +# define MODULE_PAX_KERNEXEC "KERNEXEC "
8088 +# define MODULE_PAX_KERNEXEC ""
8090 +# ifdef CONFIG_GRKERNSEC
8091 +# define MODULE_GRSEC "GRSECURITY "
8093 +# define MODULE_GRSEC ""
8095 +# define MODULE_ARCH_VERMAGIC MODULE_PROC_FAMILY MODULE_STACKSIZE MODULE_GRSEC MODULE_PAX_KERNEXEC MODULE_PAX_UDEREF
8097 +# define MODULE_ARCH_VERMAGIC MODULE_PAX_UDEREF
8100 #endif /* _ASM_X86_MODULE_H */
8101 diff -urNp linux-2.6.36.1/arch/x86/include/asm/page_32_types.h linux-2.6.36.1/arch/x86/include/asm/page_32_types.h
8102 --- linux-2.6.36.1/arch/x86/include/asm/page_32_types.h 2010-10-20 16:30:22.000000000 -0400
8103 +++ linux-2.6.36.1/arch/x86/include/asm/page_32_types.h 2010-11-06 18:58:15.000000000 -0400
8106 #define __PAGE_OFFSET _AC(CONFIG_PAGE_OFFSET, UL)
8108 +#ifdef CONFIG_PAX_PAGEEXEC
8109 +#define CONFIG_ARCH_TRACK_EXEC_LIMIT 1
8112 #ifdef CONFIG_4KSTACKS
8113 #define THREAD_ORDER 0
8115 diff -urNp linux-2.6.36.1/arch/x86/include/asm/page_64_types.h linux-2.6.36.1/arch/x86/include/asm/page_64_types.h
8116 --- linux-2.6.36.1/arch/x86/include/asm/page_64_types.h 2010-10-20 16:30:22.000000000 -0400
8117 +++ linux-2.6.36.1/arch/x86/include/asm/page_64_types.h 2010-11-11 18:21:08.000000000 -0500
8118 @@ -56,7 +56,7 @@ void copy_page(void *to, void *from);
8120 /* duplicated to the one in bootmem.h */
8121 extern unsigned long max_pfn;
8122 -extern unsigned long phys_base;
8123 +extern const unsigned long phys_base;
8125 extern unsigned long __phys_addr(unsigned long);
8126 #define __phys_reloc_hide(x) (x)
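Review bot: `extern const unsigned long phys_base;` lets the compiler treat the value as invariant, so every C reader now depends on the definition (outside this chunk) being written only before C code runs and never afterwards; if that holds, the declaration should state it: `/* set once by the boot code before any C runs; const so C callers cannot modify it */`. Any C code that still assigns `phys_base` will now fail to compile, which is the useful signal here rather than a silent behaviour change.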
8127 diff -urNp linux-2.6.36.1/arch/x86/include/asm/paravirt.h linux-2.6.36.1/arch/x86/include/asm/paravirt.h
8128 --- linux-2.6.36.1/arch/x86/include/asm/paravirt.h 2010-10-20 16:30:22.000000000 -0400
8129 +++ linux-2.6.36.1/arch/x86/include/asm/paravirt.h 2010-11-06 18:58:15.000000000 -0400
8130 @@ -720,6 +720,21 @@ static inline void __set_fixmap(unsigned
8131 pv_mmu_ops.set_fixmap(idx, phys, flags);
8134 +#ifdef CONFIG_PAX_KERNEXEC
8135 +static inline unsigned long pax_open_kernel(void)
8137 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_open_kernel);
8140 +static inline unsigned long pax_close_kernel(void)
8142 + return PVOP_CALL0(unsigned long, pv_mmu_ops.pax_close_kernel);
8145 +static inline unsigned long pax_open_kernel(void) { return 0; }
8146 +static inline unsigned long pax_close_kernel(void) { return 0; }
8149 #if defined(CONFIG_SMP) && defined(CONFIG_PARAVIRT_SPINLOCKS)
8151 static inline int arch_spin_is_locked(struct arch_spinlock *lock)
8152 @@ -936,7 +951,7 @@ extern void default_banner(void);
8154 #define PARA_PATCH(struct, off) ((PARAVIRT_PATCH_##struct + (off)) / 4)
8155 #define PARA_SITE(ptype, clobbers, ops) _PVSITE(ptype, clobbers, ops, .long, 4)
8156 -#define PARA_INDIRECT(addr) *%cs:addr
8157 +#define PARA_INDIRECT(addr) *%ss:addr
8160 #define INTERRUPT_RETURN \
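Review bot: `PARA_INDIRECT(addr)` switching from `*%cs:addr` to `*%ss:addr` is a one-token change with no explanation, and a reader of the macro cannot tell it is deliberate. Presumably the kernel code segment is no longer flat once `ktla_ktva()` in the pgtable_32_types.h hunk applies a KERNEXEC offset, so a linear address has to be dereferenced through a flat data segment; if that is the reason, say so: `/* %ss rather than %cs: with CONFIG_PAX_KERNEXEC the kernel CS is not flat (see ktla_ktva) */`. The `call PARA_INDIRECT(...)` sequences added in the next hunk rely on the same choice.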
8161 @@ -1013,6 +1028,21 @@ extern void default_banner(void);
8162 PARA_SITE(PARA_PATCH(pv_cpu_ops, PV_CPU_irq_enable_sysexit), \
8164 jmp PARA_INDIRECT(pv_cpu_ops+PV_CPU_irq_enable_sysexit))
8166 +#define GET_CR0_INTO_RDI \
8167 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0); \
8170 +#define SET_RDI_INTO_CR0 \
8171 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
8173 +#define GET_CR3_INTO_RDI \
8174 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_read_cr3); \
8177 +#define SET_RDI_INTO_CR3 \
8178 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_write_cr3)
8180 #endif /* CONFIG_X86_32 */
8182 #endif /* __ASSEMBLY__ */
8183 diff -urNp linux-2.6.36.1/arch/x86/include/asm/paravirt_types.h linux-2.6.36.1/arch/x86/include/asm/paravirt_types.h
8184 --- linux-2.6.36.1/arch/x86/include/asm/paravirt_types.h 2010-10-20 16:30:22.000000000 -0400
8185 +++ linux-2.6.36.1/arch/x86/include/asm/paravirt_types.h 2010-11-06 18:58:15.000000000 -0400
8186 @@ -312,6 +312,12 @@ struct pv_mmu_ops {
8187 an mfn. We can tell which is which from the index. */
8188 void (*set_fixmap)(unsigned /* enum fixed_addresses */ idx,
8189 phys_addr_t phys, pgprot_t flags);
8191 +#ifdef CONFIG_PAX_KERNEXEC
8192 + unsigned long (*pax_open_kernel)(void);
8193 + unsigned long (*pax_close_kernel)(void);
8198 struct arch_spinlock;
8199 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pci_x86.h linux-2.6.36.1/arch/x86/include/asm/pci_x86.h
8200 --- linux-2.6.36.1/arch/x86/include/asm/pci_x86.h 2010-10-20 16:30:22.000000000 -0400
8201 +++ linux-2.6.36.1/arch/x86/include/asm/pci_x86.h 2010-11-06 18:58:15.000000000 -0400
8202 @@ -92,16 +92,16 @@ extern int (*pcibios_enable_irq)(struct
8203 extern void (*pcibios_disable_irq)(struct pci_dev *dev);
8205 struct pci_raw_ops {
8206 - int (*read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8207 + int (* const read)(unsigned int domain, unsigned int bus, unsigned int devfn,
8208 int reg, int len, u32 *val);
8209 - int (*write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8210 + int (* const write)(unsigned int domain, unsigned int bus, unsigned int devfn,
8211 int reg, int len, u32 val);
8214 -extern struct pci_raw_ops *raw_pci_ops;
8215 -extern struct pci_raw_ops *raw_pci_ext_ops;
8216 +extern const struct pci_raw_ops *raw_pci_ops;
8217 +extern const struct pci_raw_ops *raw_pci_ext_ops;
8219 -extern struct pci_raw_ops pci_direct_conf1;
8220 +extern const struct pci_raw_ops pci_direct_conf1;
8221 extern bool port_cf9_safe;
8223 /* arch_initcall level */
8224 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgalloc.h linux-2.6.36.1/arch/x86/include/asm/pgalloc.h
8225 --- linux-2.6.36.1/arch/x86/include/asm/pgalloc.h 2010-10-20 16:30:22.000000000 -0400
8226 +++ linux-2.6.36.1/arch/x86/include/asm/pgalloc.h 2010-11-06 18:58:15.000000000 -0400
8227 @@ -63,6 +63,13 @@ static inline void pmd_populate_kernel(s
8228 pmd_t *pmd, pte_t *pte)
8230 paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8231 + set_pmd(pmd, __pmd(__pa(pte) | _KERNPG_TABLE));
8234 +static inline void pmd_populate_user(struct mm_struct *mm,
8235 + pmd_t *pmd, pte_t *pte)
8237 + paravirt_alloc_pte(mm, __pa(pte) >> PAGE_SHIFT);
8238 set_pmd(pmd, __pmd(__pa(pte) | _PAGE_TABLE));
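Review bot: `pmd_populate_kernel()` and the new `pmd_populate_user()` now differ only in `_KERNPG_TABLE` versus `_PAGE_TABLE`, and nothing states that the difference is the `_PAGE_USER` bit on the pmd entry (in pgtable_types.h `_PAGE_TABLE` is `_KERNPG_TABLE` plus `_PAGE_USER`), which is the whole point of the split. A comment on each would make it self-explaining: `/* kernel page tables: populate without _PAGE_USER */` and `/* user page tables: populate with _PAGE_USER */`. The braces of both functions fall on elided lines, so the hunk's shape should be checked against the full file.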
8241 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable-2level.h linux-2.6.36.1/arch/x86/include/asm/pgtable-2level.h
8242 --- linux-2.6.36.1/arch/x86/include/asm/pgtable-2level.h 2010-10-20 16:30:22.000000000 -0400
8243 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable-2level.h 2010-11-06 18:58:15.000000000 -0400
8244 @@ -18,7 +18,9 @@ static inline void native_set_pte(pte_t
8246 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8248 + pax_open_kernel();
8250 + pax_close_kernel();
8253 static inline void native_set_pte_atomic(pte_t *ptep, pte_t pte)
8254 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable_32.h linux-2.6.36.1/arch/x86/include/asm/pgtable_32.h
8255 --- linux-2.6.36.1/arch/x86/include/asm/pgtable_32.h 2010-10-20 16:30:22.000000000 -0400
8256 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable_32.h 2010-11-06 18:58:15.000000000 -0400
8259 struct vm_area_struct;
8261 -extern pgd_t swapper_pg_dir[1024];
8262 -extern pgd_t trampoline_pg_dir[1024];
8264 static inline void pgtable_cache_init(void) { }
8265 static inline void check_pgt_cache(void) { }
8266 void paging_init(void);
8267 @@ -48,6 +45,12 @@ extern void set_pmd_pfn(unsigned long, u
8268 # include <asm/pgtable-2level.h>
8271 +extern pgd_t swapper_pg_dir[PTRS_PER_PGD];
8272 +extern pgd_t trampoline_pg_dir[PTRS_PER_PGD];
8273 +#ifdef CONFIG_X86_PAE
8274 +extern pmd_t swapper_pm_dir[PTRS_PER_PGD][PTRS_PER_PMD];
8277 #if defined(CONFIG_HIGHPTE)
8279 (in_nmi() ? KM_NMI_PTE : \
8280 @@ -72,7 +75,9 @@ extern void set_pmd_pfn(unsigned long, u
8281 /* Clear a kernel PTE and flush it from the TLB */
8282 #define kpte_clear_flush(ptep, vaddr) \
8284 + pax_open_kernel(); \
8285 pte_clear(&init_mm, (vaddr), (ptep)); \
8286 + pax_close_kernel(); \
8287 __flush_tlb_one((vaddr)); \
8290 @@ -84,6 +89,9 @@ do { \
8292 #endif /* !__ASSEMBLY__ */
8294 +#define HAVE_ARCH_UNMAPPED_AREA
8295 +#define HAVE_ARCH_UNMAPPED_AREA_TOPDOWN
8298 * kern_addr_valid() is (1) for FLATMEM and (0) for
8299 * SPARSEMEM and DISCONTIGMEM
8300 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable_32_types.h linux-2.6.36.1/arch/x86/include/asm/pgtable_32_types.h
8301 --- linux-2.6.36.1/arch/x86/include/asm/pgtable_32_types.h 2010-10-20 16:30:22.000000000 -0400
8302 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable_32_types.h 2010-11-06 18:58:15.000000000 -0400
8305 #ifdef CONFIG_X86_PAE
8306 # include <asm/pgtable-3level_types.h>
8307 -# define PMD_SIZE (1UL << PMD_SHIFT)
8308 +# define PMD_SIZE (_AC(1, UL) << PMD_SHIFT)
8309 # define PMD_MASK (~(PMD_SIZE - 1))
8311 # include <asm/pgtable-2level_types.h>
8312 @@ -46,6 +46,19 @@ extern bool __vmalloc_start_set; /* set
8313 # define VMALLOC_END (FIXADDR_START - 2 * PAGE_SIZE)
8316 +#ifdef CONFIG_PAX_KERNEXEC
8317 +#ifndef __ASSEMBLY__
8318 +extern unsigned char MODULES_EXEC_VADDR[];
8319 +extern unsigned char MODULES_EXEC_END[];
8321 +#include <asm/boot.h>
8322 +#define ktla_ktva(addr) (addr + LOAD_PHYSICAL_ADDR + PAGE_OFFSET)
8323 +#define ktva_ktla(addr) (addr - LOAD_PHYSICAL_ADDR - PAGE_OFFSET)
8325 +#define ktla_ktva(addr) (addr)
8326 +#define ktva_ktla(addr) (addr)
8329 #define MODULES_VADDR VMALLOC_START
8330 #define MODULES_END VMALLOC_END
8331 #define MODULES_LEN (MODULES_VADDR - MODULES_END)
8332 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable-3level.h linux-2.6.36.1/arch/x86/include/asm/pgtable-3level.h
8333 --- linux-2.6.36.1/arch/x86/include/asm/pgtable-3level.h 2010-10-20 16:30:22.000000000 -0400
8334 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable-3level.h 2010-11-06 18:58:15.000000000 -0400
8335 @@ -38,12 +38,16 @@ static inline void native_set_pte_atomic
8337 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8339 + pax_open_kernel();
8340 set_64bit((unsigned long long *)(pmdp), native_pmd_val(pmd));
8341 + pax_close_kernel();
8344 static inline void native_set_pud(pud_t *pudp, pud_t pud)
8346 + pax_open_kernel();
8347 set_64bit((unsigned long long *)(pudp), native_pud_val(pud));
8348 + pax_close_kernel();
8352 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable_64.h linux-2.6.36.1/arch/x86/include/asm/pgtable_64.h
8353 --- linux-2.6.36.1/arch/x86/include/asm/pgtable_64.h 2010-10-20 16:30:22.000000000 -0400
8354 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable_64.h 2010-11-06 18:58:15.000000000 -0400
8357 extern pud_t level3_kernel_pgt[512];
8358 extern pud_t level3_ident_pgt[512];
8359 +extern pud_t level3_vmalloc_pgt[512];
8360 +extern pud_t level3_vmemmap_pgt[512];
8361 +extern pud_t level2_vmemmap_pgt[512];
8362 extern pmd_t level2_kernel_pgt[512];
8363 extern pmd_t level2_fixmap_pgt[512];
8364 -extern pmd_t level2_ident_pgt[512];
8365 -extern pgd_t init_level4_pgt[];
8366 +extern pmd_t level2_ident_pgt[512*2];
8367 +extern pgd_t init_level4_pgt[512];
8369 #define swapper_pg_dir init_level4_pgt
8371 @@ -74,7 +77,9 @@ static inline pte_t native_ptep_get_and_
8373 static inline void native_set_pmd(pmd_t *pmdp, pmd_t pmd)
8375 + pax_open_kernel();
8377 + pax_close_kernel();
8380 static inline void native_pmd_clear(pmd_t *pmd)
8381 @@ -94,7 +99,9 @@ static inline void native_pud_clear(pud_
8383 static inline void native_set_pgd(pgd_t *pgdp, pgd_t pgd)
8385 + pax_open_kernel();
8387 + pax_close_kernel();
8390 static inline void native_pgd_clear(pgd_t *pgd)
8391 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable_64_types.h linux-2.6.36.1/arch/x86/include/asm/pgtable_64_types.h
8392 --- linux-2.6.36.1/arch/x86/include/asm/pgtable_64_types.h 2010-10-20 16:30:22.000000000 -0400
8393 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable_64_types.h 2010-11-06 18:58:15.000000000 -0400
8394 @@ -59,5 +59,10 @@ typedef struct { pteval_t pte; } pte_t;
8395 #define MODULES_VADDR _AC(0xffffffffa0000000, UL)
8396 #define MODULES_END _AC(0xffffffffff000000, UL)
8397 #define MODULES_LEN (MODULES_END - MODULES_VADDR)
8398 +#define MODULES_EXEC_VADDR MODULES_VADDR
8399 +#define MODULES_EXEC_END MODULES_END
8401 +#define ktla_ktva(addr) (addr)
8402 +#define ktva_ktla(addr) (addr)
8404 #endif /* _ASM_X86_PGTABLE_64_DEFS_H */
8405 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable.h linux-2.6.36.1/arch/x86/include/asm/pgtable.h
8406 --- linux-2.6.36.1/arch/x86/include/asm/pgtable.h 2010-10-20 16:30:22.000000000 -0400
8407 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable.h 2010-11-06 18:58:15.000000000 -0400
8408 @@ -76,12 +76,51 @@ extern struct list_head pgd_list;
8410 #define arch_end_context_switch(prev) do {} while(0)
8412 +#define pax_open_kernel() native_pax_open_kernel()
8413 +#define pax_close_kernel() native_pax_close_kernel()
8414 #endif /* CONFIG_PARAVIRT */
8416 +#define __HAVE_ARCH_PAX_OPEN_KERNEL
8417 +#define __HAVE_ARCH_PAX_CLOSE_KERNEL
8419 +#ifdef CONFIG_PAX_KERNEXEC
8420 +static inline unsigned long native_pax_open_kernel(void)
8422 + unsigned long cr0;
8424 + preempt_disable();
8426 + cr0 = read_cr0() ^ X86_CR0_WP;
8427 + BUG_ON(unlikely(cr0 & X86_CR0_WP));
8429 + return cr0 ^ X86_CR0_WP;
8432 +static inline unsigned long native_pax_close_kernel(void)
8434 + unsigned long cr0;
8436 + cr0 = read_cr0() ^ X86_CR0_WP;
8437 + BUG_ON(unlikely(!(cr0 & X86_CR0_WP)));
8440 + preempt_enable_no_resched();
8441 + return cr0 ^ X86_CR0_WP;
8444 +static inline unsigned long native_pax_open_kernel(void) { return 0; }
8445 +static inline unsigned long native_pax_close_kernel(void) { return 0; }
8449 * The following only work if pte_present() is true.
8450 * Undefined behaviour if not..
8452 +static inline int pte_user(pte_t pte)
8454 + return pte_val(pte) & _PAGE_USER;
8457 static inline int pte_dirty(pte_t pte)
8459 return pte_flags(pte) & _PAGE_DIRTY;
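Review bot: `native_pax_open_kernel()`/`native_pax_close_kernel()` have no comment stating their contract although callers across this patch bracket page-table stores with them: open disables preemption and toggles CR0.WP, close toggles it back and re-enables preemption without rescheduling, each `BUG_ON` rejects a nested open or an unbalanced close, and both return the CR0 value read before the toggle. Suggested header for open: `/* Allow writes to read-only kernel mappings: disable preemption, clear CR0.WP. Must not nest; pair with native_pax_close_kernel(). Returns CR0 as read before the toggle. */`, with mirrored wording on close. The `write_cr0()` lines are elided from this chunk, so "clear"/"restore" is inferred from the `^ X86_CR0_WP` arithmetic and should be confirmed. Separately, the new `pte_user()` reads `pte_val(pte)` where its neighbour `pte_dirty()` uses `pte_flags(pte)`; `pte_flags` would match the surrounding accessors.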
8460 @@ -169,9 +208,29 @@ static inline pte_t pte_wrprotect(pte_t
8461 return pte_clear_flags(pte, _PAGE_RW);
8464 +static inline pte_t pte_mkread(pte_t pte)
8466 + return __pte(pte_val(pte) | _PAGE_USER);
8469 static inline pte_t pte_mkexec(pte_t pte)
8471 - return pte_clear_flags(pte, _PAGE_NX);
8472 +#ifdef CONFIG_X86_PAE
8473 + if (__supported_pte_mask & _PAGE_NX)
8474 + return pte_clear_flags(pte, _PAGE_NX);
8477 + return pte_set_flags(pte, _PAGE_USER);
8480 +static inline pte_t pte_exprotect(pte_t pte)
8482 +#ifdef CONFIG_X86_PAE
8483 + if (__supported_pte_mask & _PAGE_NX)
8484 + return pte_set_flags(pte, _PAGE_NX);
8487 + return pte_clear_flags(pte, _PAGE_USER);
8490 static inline pte_t pte_mkdirty(pte_t pte)
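Review bot: `pte_mkread()` builds its result with `__pte(pte_val(pte) | _PAGE_USER)` while every sibling in this hunk uses `pte_set_flags()`/`pte_clear_flags()`, including the new `pte_exprotect()`; `return pte_set_flags(pte, _PAGE_USER);` is equivalent and consistent. The fallback in `pte_mkexec()`/`pte_exprotect()` that toggles `_PAGE_USER` when no hardware NX bit is available also deserves a line, since it turns an execute-permission helper into an access-flag one: `/* no hardware NX: PAGEEXEC tracks executability through _PAGE_USER; non-executable pages become user-inaccessible and are handled on fault */`. The fault-side handling is not in this chunk, so that wording should be checked against it.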
8491 @@ -304,6 +363,15 @@ pte_t *populate_extra_pte(unsigned long
8494 #ifndef __ASSEMBLY__
8496 +#ifdef CONFIG_PAX_PER_CPU_PGD
8497 +extern pgd_t cpu_pgd[NR_CPUS][PTRS_PER_PGD];
8498 +static inline pgd_t *get_cpu_pgd(unsigned int cpu)
8500 + return cpu_pgd[cpu];
8504 #include <linux/mm_types.h>
8506 static inline int pte_none(pte_t pte)
8507 @@ -474,7 +542,7 @@ static inline pud_t *pud_offset(pgd_t *p
8509 static inline int pgd_bad(pgd_t pgd)
8511 - return (pgd_flags(pgd) & ~_PAGE_USER) != _KERNPG_TABLE;
8512 + return (pgd_flags(pgd) & ~(_PAGE_USER | _PAGE_NX)) != _KERNPG_TABLE;
8515 static inline int pgd_none(pgd_t pgd)
8516 @@ -497,7 +565,12 @@ static inline int pgd_none(pgd_t pgd)
8517 * pgd_offset() returns a (pgd_t *)
8518 * pgd_index() is used get the offset into the pgd page's array of pgd_t's;
8520 -#define pgd_offset(mm, address) ((mm)->pgd + pgd_index((address)))
8521 +#define pgd_offset(mm, address) ((mm)->pgd + pgd_index(address))
8523 +#ifdef CONFIG_PAX_PER_CPU_PGD
8524 +#define pgd_offset_cpu(cpu, address) (get_cpu_pgd(cpu) + pgd_index(address))
8528 * a shortcut which implies the use of the kernel's pgd, instead
8530 @@ -508,6 +581,20 @@ static inline int pgd_none(pgd_t pgd)
8531 #define KERNEL_PGD_BOUNDARY pgd_index(PAGE_OFFSET)
8532 #define KERNEL_PGD_PTRS (PTRS_PER_PGD - KERNEL_PGD_BOUNDARY)
8534 +#ifdef CONFIG_X86_32
8535 +#define USER_PGD_PTRS KERNEL_PGD_BOUNDARY
8537 +#define TASK_SIZE_MAX_SHIFT CONFIG_TASK_SIZE_MAX_SHIFT
8538 +#define USER_PGD_PTRS (_AC(1,UL) << (TASK_SIZE_MAX_SHIFT - PGDIR_SHIFT))
8540 +#ifdef CONFIG_PAX_MEMORY_UDEREF
8541 +#define PAX_USER_SHADOW_BASE (_AC(1,UL) << TASK_SIZE_MAX_SHIFT)
8543 +#define PAX_USER_SHADOW_BASE (_AC(0,UL))
8548 #ifndef __ASSEMBLY__
8550 extern int direct_gbpages;
8551 @@ -613,11 +700,23 @@ static inline void ptep_set_wrprotect(st
8552 * dst and src can be on the same page, but the range must not overlap,
8553 * and must not cross a page boundary.
8555 -static inline void clone_pgd_range(pgd_t *dst, pgd_t *src, int count)
8556 +static inline void clone_pgd_range(pgd_t *dst, const pgd_t *src, int count)
8558 - memcpy(dst, src, count * sizeof(pgd_t));
8559 + pax_open_kernel();
8562 + pax_close_kernel();
8565 +#ifdef CONFIG_PAX_PER_CPU_PGD
8566 +extern void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8569 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
8570 +extern void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count);
8572 +static inline void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count) {}
8575 #include <asm-generic/pgtable.h>
8576 #endif /* __ASSEMBLY__ */
8577 diff -urNp linux-2.6.36.1/arch/x86/include/asm/pgtable_types.h linux-2.6.36.1/arch/x86/include/asm/pgtable_types.h
8578 --- linux-2.6.36.1/arch/x86/include/asm/pgtable_types.h 2010-10-20 16:30:22.000000000 -0400
8579 +++ linux-2.6.36.1/arch/x86/include/asm/pgtable_types.h 2010-11-06 18:58:15.000000000 -0400
8581 #define _PAGE_BIT_PSE 7 /* 4 MB (or 2MB) page */
8582 #define _PAGE_BIT_PAT 7 /* on 4KB pages */
8583 #define _PAGE_BIT_GLOBAL 8 /* Global TLB entry PPro+ */
8584 -#define _PAGE_BIT_UNUSED1 9 /* available for programmer */
8585 +#define _PAGE_BIT_SPECIAL 9 /* special mappings, no associated struct page */
8586 #define _PAGE_BIT_IOMAP 10 /* flag used to indicate IO mapping */
8587 #define _PAGE_BIT_HIDDEN 11 /* hidden by kmemcheck */
8588 #define _PAGE_BIT_PAT_LARGE 12 /* On 2MB or 1GB pages */
8589 -#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1
8590 -#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1
8591 +#define _PAGE_BIT_CPA_TEST _PAGE_BIT_SPECIAL
8592 #define _PAGE_BIT_NX 63 /* No execute: only valid after cpuid check */
8594 /* If _PAGE_BIT_PRESENT is clear, we use these: */
8596 #define _PAGE_DIRTY (_AT(pteval_t, 1) << _PAGE_BIT_DIRTY)
8597 #define _PAGE_PSE (_AT(pteval_t, 1) << _PAGE_BIT_PSE)
8598 #define _PAGE_GLOBAL (_AT(pteval_t, 1) << _PAGE_BIT_GLOBAL)
8599 -#define _PAGE_UNUSED1 (_AT(pteval_t, 1) << _PAGE_BIT_UNUSED1)
8600 #define _PAGE_IOMAP (_AT(pteval_t, 1) << _PAGE_BIT_IOMAP)
8601 #define _PAGE_PAT (_AT(pteval_t, 1) << _PAGE_BIT_PAT)
8602 #define _PAGE_PAT_LARGE (_AT(pteval_t, 1) << _PAGE_BIT_PAT_LARGE)
8605 #if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
8606 #define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_NX)
8608 +#elif defined(CONFIG_KMEMCHECK)
8609 #define _PAGE_NX (_AT(pteval_t, 0))
8611 +#define _PAGE_NX (_AT(pteval_t, 1) << _PAGE_BIT_HIDDEN)
8614 #define _PAGE_FILE (_AT(pteval_t, 1) << _PAGE_BIT_FILE)
8616 #define PAGE_READONLY_EXEC __pgprot(_PAGE_PRESENT | _PAGE_USER | \
8619 +#define PAGE_READONLY_NOEXEC PAGE_READONLY
8620 +#define PAGE_SHARED_NOEXEC PAGE_SHARED
8622 #define __PAGE_KERNEL_EXEC \
8623 (_PAGE_PRESENT | _PAGE_RW | _PAGE_DIRTY | _PAGE_ACCESSED | _PAGE_GLOBAL)
8624 #define __PAGE_KERNEL (__PAGE_KERNEL_EXEC | _PAGE_NX)
8626 #define __PAGE_KERNEL_WC (__PAGE_KERNEL | _PAGE_CACHE_WC)
8627 #define __PAGE_KERNEL_NOCACHE (__PAGE_KERNEL | _PAGE_PCD | _PAGE_PWT)
8628 #define __PAGE_KERNEL_UC_MINUS (__PAGE_KERNEL | _PAGE_PCD)
8629 -#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RX | _PAGE_USER)
8630 -#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_VSYSCALL | _PAGE_PCD | _PAGE_PWT)
8631 +#define __PAGE_KERNEL_VSYSCALL (__PAGE_KERNEL_RO | _PAGE_USER)
8632 +#define __PAGE_KERNEL_VSYSCALL_NOCACHE (__PAGE_KERNEL_RO | _PAGE_PCD | _PAGE_PWT | _PAGE_USER)
8633 #define __PAGE_KERNEL_LARGE (__PAGE_KERNEL | _PAGE_PSE)
8634 #define __PAGE_KERNEL_LARGE_NOCACHE (__PAGE_KERNEL | _PAGE_CACHE_UC | _PAGE_PSE)
8635 #define __PAGE_KERNEL_LARGE_EXEC (__PAGE_KERNEL_EXEC | _PAGE_PSE)
8637 * bits are combined, this will alow user to access the high address mapped
8638 * VDSO in the presence of CONFIG_COMPAT_VDSO
8640 -#define PTE_IDENT_ATTR 0x003 /* PRESENT+RW */
8641 -#define PDE_IDENT_ATTR 0x067 /* PRESENT+RW+USER+DIRTY+ACCESSED */
8642 +#define PTE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8643 +#define PDE_IDENT_ATTR 0x063 /* PRESENT+RW+DIRTY+ACCESSED */
8644 #define PGD_IDENT_ATTR 0x001 /* PRESENT (no other attributes) */
8647 @@ -202,7 +205,17 @@ static inline pgdval_t pgd_flags(pgd_t p
8649 return native_pgd_val(pgd) & PTE_FLAGS_MASK;
8653 +#if PAGETABLE_LEVELS == 3
8654 +#include <asm-generic/pgtable-nopud.h>
8657 +#if PAGETABLE_LEVELS == 2
8658 +#include <asm-generic/pgtable-nopmd.h>
8661 +#ifndef __ASSEMBLY__
8662 #if PAGETABLE_LEVELS > 3
8663 typedef struct { pudval_t pud; } pud_t;
8665 @@ -216,8 +229,6 @@ static inline pudval_t native_pud_val(pu
8669 -#include <asm-generic/pgtable-nopud.h>
8671 static inline pudval_t native_pud_val(pud_t pud)
8673 return native_pgd_val(pud.pgd);
8674 @@ -237,8 +248,6 @@ static inline pmdval_t native_pmd_val(pm
8678 -#include <asm-generic/pgtable-nopmd.h>
8680 static inline pmdval_t native_pmd_val(pmd_t pmd)
8682 return native_pgd_val(pmd.pud.pgd);
8683 @@ -278,7 +287,6 @@ typedef struct page *pgtable_t;
8685 extern pteval_t __supported_pte_mask;
8686 extern void set_nx(void);
8687 -extern int nx_enabled;
8689 #define pgprot_writecombine pgprot_writecombine
8690 extern pgprot_t pgprot_writecombine(pgprot_t prot);
8691 diff -urNp linux-2.6.36.1/arch/x86/include/asm/processor.h linux-2.6.36.1/arch/x86/include/asm/processor.h
8692 --- linux-2.6.36.1/arch/x86/include/asm/processor.h 2010-10-20 16:30:22.000000000 -0400
8693 +++ linux-2.6.36.1/arch/x86/include/asm/processor.h 2010-11-06 18:58:15.000000000 -0400
8694 @@ -269,7 +269,7 @@ struct tss_struct {
8696 } ____cacheline_aligned;
8698 -DECLARE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss);
8699 +extern struct tss_struct init_tss[NR_CPUS];
8702 * Save the original ist values for checking stack pointers during debugging
8703 @@ -885,8 +885,15 @@ static inline void spin_lock_prefetch(co
8705 #define TASK_SIZE PAGE_OFFSET
8706 #define TASK_SIZE_MAX TASK_SIZE
8708 +#ifdef CONFIG_PAX_SEGMEXEC
8709 +#define SEGMEXEC_TASK_SIZE (TASK_SIZE / 2)
8710 +#define STACK_TOP ((current->mm->pax_flags & MF_PAX_SEGMEXEC)?SEGMEXEC_TASK_SIZE:TASK_SIZE)
8712 #define STACK_TOP TASK_SIZE
8713 -#define STACK_TOP_MAX STACK_TOP
8716 +#define STACK_TOP_MAX TASK_SIZE
8718 #define INIT_THREAD { \
8719 .sp0 = sizeof(init_stack) + (long)&init_stack, \
8720 @@ -903,7 +910,7 @@ static inline void spin_lock_prefetch(co
8722 #define INIT_TSS { \
8724 - .sp0 = sizeof(init_stack) + (long)&init_stack, \
8725 + .sp0 = sizeof(init_stack) + (long)&init_stack - 8, \
8726 .ss0 = __KERNEL_DS, \
8727 .ss1 = __KERNEL_CS, \
8728 .io_bitmap_base = INVALID_IO_BITMAP_OFFSET, \
8729 @@ -914,11 +921,7 @@ static inline void spin_lock_prefetch(co
8730 extern unsigned long thread_saved_pc(struct task_struct *tsk);
8732 #define THREAD_SIZE_LONGS (THREAD_SIZE/sizeof(unsigned long))
8733 -#define KSTK_TOP(info) \
8735 - unsigned long *__ptr = (unsigned long *)(info); \
8736 - (unsigned long)(&__ptr[THREAD_SIZE_LONGS]); \
8738 +#define KSTK_TOP(info) ((info)->task.thread.sp0)
8741 * The below -8 is to reserve 8 bytes on top of the ring0 stack.
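Review bot: The context comment "The below -8 is to reserve 8 bytes on top of the ring0 stack" appears to point at nothing now: the `-8` it refers to was in `task_pt_regs()` (removed in the next hunk, gutter 8746) and has moved into the `INIT_TSS` `.sp0` initialiser (gutter 8725). Update it to `/* sp0 is initialised 8 bytes below the stack top (see INIT_TSS), so KSTK_TOP and task_pt_regs read thread.sp0 directly */`. Since `KSTK_TOP(info)` now yields `thread.sp0` rather than the end of the thread stack, any caller treating it as the page end is 8 bytes off — worth a word in the same comment.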
8742 @@ -933,7 +936,7 @@ extern unsigned long thread_saved_pc(str
8743 #define task_pt_regs(task) \
8745 struct pt_regs *__regs__; \
8746 - __regs__ = (struct pt_regs *)(KSTK_TOP(task_stack_page(task))-8); \
8747 + __regs__ = (struct pt_regs *)((task)->thread.sp0); \
8751 @@ -943,13 +946,13 @@ extern unsigned long thread_saved_pc(str
8753 * User space process size. 47bits minus one guard page.
8755 -#define TASK_SIZE_MAX ((1UL << 47) - PAGE_SIZE)
8756 +#define TASK_SIZE_MAX ((1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE)
8758 /* This decides where the kernel will search for a free chunk of vm
8759 * space during mmap's.
8761 #define IA32_PAGE_OFFSET ((current->personality & ADDR_LIMIT_3GB) ? \
8762 - 0xc0000000 : 0xFFFFe000)
8763 + 0xc0000000 : 0xFFFFf000)
8765 #define TASK_SIZE (test_thread_flag(TIF_IA32) ? \
8766 IA32_PAGE_OFFSET : TASK_SIZE_MAX)
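Review bot: The context comment "User space process size. 47bits minus one guard page." is now inaccurate: `TASK_SIZE_MAX` is `(1UL << TASK_SIZE_MAX_SHIFT) - PAGE_SIZE`, with the shift taken from `CONFIG_TASK_SIZE_MAX_SHIFT` in the pgtable.h hunk, so 47 is only one possible value. Suggested wording: `/* User space process size: 2^CONFIG_TASK_SIZE_MAX_SHIFT minus one guard page; UDEREF places the user shadow at 1 << TASK_SIZE_MAX_SHIFT (see PAX_USER_SHADOW_BASE) */`. The `IA32_PAGE_OFFSET` change from `0xFFFFe000` to `0xFFFFf000` shrinks the gap at the top of a 32-bit task's address space from two pages to one and has no comment either; a word on why the second page is no longer reserved would help.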
8767 @@ -986,6 +989,10 @@ extern void start_thread(struct pt_regs
8769 #define TASK_UNMAPPED_BASE (PAGE_ALIGN(TASK_SIZE / 3))
8771 +#ifdef CONFIG_PAX_SEGMEXEC
8772 +#define SEGMEXEC_TASK_UNMAPPED_BASE (PAGE_ALIGN(SEGMEXEC_TASK_SIZE / 3))
8775 #define KSTK_EIP(task) (task_pt_regs(task)->ip)
8777 /* Get/set a process' ability to use the timestamp counter instruction */
8778 diff -urNp linux-2.6.36.1/arch/x86/include/asm/ptrace.h linux-2.6.36.1/arch/x86/include/asm/ptrace.h
8779 --- linux-2.6.36.1/arch/x86/include/asm/ptrace.h 2010-10-20 16:30:22.000000000 -0400
8780 +++ linux-2.6.36.1/arch/x86/include/asm/ptrace.h 2010-11-06 18:58:15.000000000 -0400
8781 @@ -152,28 +152,29 @@ static inline unsigned long regs_return_
8785 - * user_mode_vm(regs) determines whether a register set came from user mode.
8786 + * user_mode(regs) determines whether a register set came from user mode.
8787 * This is true if V8086 mode was enabled OR if the register set was from
8788 * protected mode with RPL-3 CS value. This tricky test checks that with
8789 * one comparison. Many places in the kernel can bypass this full check
8790 - * if they have already ruled out V8086 mode, so user_mode(regs) can be used.
8791 + * if they have already ruled out V8086 mode, so user_mode_novm(regs) can
8794 -static inline int user_mode(struct pt_regs *regs)
8795 +static inline int user_mode_novm(struct pt_regs *regs)
8797 #ifdef CONFIG_X86_32
8798 return (regs->cs & SEGMENT_RPL_MASK) == USER_RPL;
8800 - return !!(regs->cs & 3);
8801 + return !!(regs->cs & SEGMENT_RPL_MASK);
8805 -static inline int user_mode_vm(struct pt_regs *regs)
8806 +static inline int user_mode(struct pt_regs *regs)
8808 #ifdef CONFIG_X86_32
8809 return ((regs->cs & SEGMENT_RPL_MASK) | (regs->flags & X86_VM_MASK)) >=
8812 - return user_mode(regs);
8813 + return user_mode_novm(regs);
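Review bot: Swapping the names so that `user_mode()` now carries the V8086-aware check and the RPL-only variant becomes `user_mode_novm()` silently changes what every existing `user_mode()` caller gets, and any remaining caller of `user_mode_vm()` will no longer build; the header comment should state that the rename is intentional and that no `user_mode_vm` definition remains. The rewritten comment line `so user_mode_novm(regs) can` is cut off by the hunk, so its continuation could not be checked. Using `SEGMENT_RPL_MASK` instead of the literal `3` in the 64-bit body is a good change and matches the 32-bit branch.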
8817 diff -urNp linux-2.6.36.1/arch/x86/include/asm/reboot.h linux-2.6.36.1/arch/x86/include/asm/reboot.h
8818 --- linux-2.6.36.1/arch/x86/include/asm/reboot.h 2010-10-20 16:30:22.000000000 -0400
8819 +++ linux-2.6.36.1/arch/x86/include/asm/reboot.h 2010-11-06 18:58:15.000000000 -0400
8820 @@ -18,7 +18,7 @@ extern struct machine_ops machine_ops;
8822 void native_machine_crash_shutdown(struct pt_regs *regs);
8823 void native_machine_shutdown(void);
8824 -void machine_real_restart(const unsigned char *code, int length);
8825 +void machine_real_restart(const unsigned char *code, unsigned int length);
8827 typedef void (*nmi_shootdown_cb)(int, struct die_args*);
8828 void nmi_shootdown_cpus(nmi_shootdown_cb callback);
8829 diff -urNp linux-2.6.36.1/arch/x86/include/asm/rwsem.h linux-2.6.36.1/arch/x86/include/asm/rwsem.h
8830 --- linux-2.6.36.1/arch/x86/include/asm/rwsem.h 2010-10-20 16:30:22.000000000 -0400
8831 +++ linux-2.6.36.1/arch/x86/include/asm/rwsem.h 2010-11-06 18:58:15.000000000 -0400
8832 @@ -118,10 +118,26 @@ static inline void __down_read(struct rw
8834 asm volatile("# beginning down_read\n\t"
8835 LOCK_PREFIX _ASM_INC "(%1)\n\t"
8837 +#ifdef CONFIG_PAX_REFCOUNT
8838 +#ifdef CONFIG_X86_32
8844 + ".pushsection .fixup,\"ax\"\n"
8846 + LOCK_PREFIX _ASM_DEC "(%1)\n"
8849 + _ASM_EXTABLE(0b, 1b)
8852 /* adds 0x00000001 */
8855 " call call_rwsem_down_read_failed\n"
8858 "# ending down_read\n\t"
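Review bot: The same `#ifdef CONFIG_PAX_REFCOUNT` / `#ifdef CONFIG_X86_32` / `.pushsection .fixup,"ax"` / `_ASM_EXTABLE(0b, 1b)` scaffold is hand-copied into every inline-asm helper of this file (the __down_read_trylock, __down_write_nested, __up_read, __up_write, __downgrade_write, rwsem_atomic_add and rwsem_atomic_update hunks) and again into arch_read_lock, arch_write_lock, arch_read_unlock and arch_write_unlock in arch/x86/include/asm/spinlock.h; an assembler-string macro that takes the undo instruction as its argument would make the overflow check reviewable in one place. Where the fixup path is visible it reverses the original operation before resuming (`LOCK_PREFIX _ASM_DEC "(%1)\n"` here, `_ASM_SUB` in __downgrade_write and rwsem_atomic_add), but the lines that raise the trap and the 64-bit branch are not shown in this excerpt, so that part could not be checked. A comment above the first instance stating the invariant the fixup must preserve (count restored, then the normal slow path taken) would document what the repeated copies have to guarantee.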
8861 @@ -136,13 +152,29 @@ static inline int __down_read_trylock(st
8862 rwsem_count_t result, tmp;
8863 asm volatile("# beginning __down_read_trylock\n\t"
8871 +#ifdef CONFIG_PAX_REFCOUNT
8872 +#ifdef CONFIG_X86_32
8878 + ".pushsection .fixup,\"ax\"\n"
8883 + _ASM_EXTABLE(0b, 1b)
8887 LOCK_PREFIX " cmpxchg %2,%0\n\t"
8892 "# ending __down_read_trylock\n\t"
8893 : "+m" (sem->count), "=&a" (result), "=&r" (tmp)
8894 : "i" (RWSEM_ACTIVE_READ_BIAS)
8895 @@ -158,12 +190,28 @@ static inline void __down_write_nested(s
8897 asm volatile("# beginning down_write\n\t"
8898 LOCK_PREFIX " xadd %1,(%2)\n\t"
8900 +#ifdef CONFIG_PAX_REFCOUNT
8901 +#ifdef CONFIG_X86_32
8907 + ".pushsection .fixup,\"ax\"\n"
8912 + _ASM_EXTABLE(0b, 1b)
8915 /* adds 0xffff0001, returns the old value */
8917 /* was the count 0 before? */
8920 " call call_rwsem_down_write_failed\n"
8923 "# ending down_write"
8924 : "+m" (sem->count), "=d" (tmp)
8925 : "a" (sem), "1" (RWSEM_ACTIVE_WRITE_BIAS)
8926 @@ -196,10 +244,26 @@ static inline void __up_read(struct rw_s
8928 asm volatile("# beginning __up_read\n\t"
8929 LOCK_PREFIX " xadd %1,(%2)\n\t"
8931 +#ifdef CONFIG_PAX_REFCOUNT
8932 +#ifdef CONFIG_X86_32
8938 + ".pushsection .fixup,\"ax\"\n"
8943 + _ASM_EXTABLE(0b, 1b)
8946 /* subtracts 1, returns the old value */
8949 " call call_rwsem_wake\n" /* expects old value in %edx */
8952 "# ending __up_read\n"
8953 : "+m" (sem->count), "=d" (tmp)
8954 : "a" (sem), "1" (-RWSEM_ACTIVE_READ_BIAS)
8955 @@ -214,10 +278,26 @@ static inline void __up_write(struct rw_
8957 asm volatile("# beginning __up_write\n\t"
8958 LOCK_PREFIX " xadd %1,(%2)\n\t"
8960 +#ifdef CONFIG_PAX_REFCOUNT
8961 +#ifdef CONFIG_X86_32
8967 + ".pushsection .fixup,\"ax\"\n"
8972 + _ASM_EXTABLE(0b, 1b)
8975 /* subtracts 0xffff0001, returns the old value */
8978 " call call_rwsem_wake\n" /* expects old value in %edx */
8981 "# ending __up_write\n"
8982 : "+m" (sem->count), "=d" (tmp)
8983 : "a" (sem), "1" (-RWSEM_ACTIVE_WRITE_BIAS)
8984 @@ -231,13 +311,29 @@ static inline void __downgrade_write(str
8986 asm volatile("# beginning __downgrade_write\n\t"
8987 LOCK_PREFIX _ASM_ADD "%2,(%1)\n\t"
8989 +#ifdef CONFIG_PAX_REFCOUNT
8990 +#ifdef CONFIG_X86_32
8996 + ".pushsection .fixup,\"ax\"\n"
8998 + LOCK_PREFIX _ASM_SUB "%2,(%1)\n"
9001 + _ASM_EXTABLE(0b, 1b)
9005 * transitions 0xZZZZ0001 -> 0xYYYY0001 (i386)
9006 * 0xZZZZZZZZ00000001 -> 0xYYYYYYYY00000001 (x86_64)
9010 " call call_rwsem_downgrade_wake\n"
9013 "# ending __downgrade_write\n"
9015 : "a" (sem), "er" (-RWSEM_WAITING_BIAS)
9016 @@ -250,7 +346,23 @@ static inline void __downgrade_write(str
9017 static inline void rwsem_atomic_add(rwsem_count_t delta,
9018 struct rw_semaphore *sem)
9020 - asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0"
9021 + asm volatile(LOCK_PREFIX _ASM_ADD "%1,%0\n"
9023 +#ifdef CONFIG_PAX_REFCOUNT
9024 +#ifdef CONFIG_X86_32
9030 + ".pushsection .fixup,\"ax\"\n"
9032 + LOCK_PREFIX _ASM_SUB "%1,%0\n"
9035 + _ASM_EXTABLE(0b, 1b)
9041 @@ -263,7 +375,23 @@ static inline rwsem_count_t rwsem_atomic
9043 rwsem_count_t tmp = delta;
9045 - asm volatile(LOCK_PREFIX "xadd %0,%1"
9046 + asm volatile(LOCK_PREFIX "xadd %0,%1\n"
9048 +#ifdef CONFIG_PAX_REFCOUNT
9049 +#ifdef CONFIG_X86_32
9055 + ".pushsection .fixup,\"ax\"\n"
9060 + _ASM_EXTABLE(0b, 1b)
9063 : "+r" (tmp), "+m" (sem->count)
9066 diff -urNp linux-2.6.36.1/arch/x86/include/asm/segment.h linux-2.6.36.1/arch/x86/include/asm/segment.h
9067 --- linux-2.6.36.1/arch/x86/include/asm/segment.h 2010-10-20 16:30:22.000000000 -0400
9068 +++ linux-2.6.36.1/arch/x86/include/asm/segment.h 2010-11-06 18:58:15.000000000 -0400
9070 * 26 - ESPFIX small SS
9071 * 27 - per-cpu [ offset to per-cpu data area ]
9072 * 28 - stack_canary-20 [ for stack protector ]
9075 + * 29 - PCI BIOS CS
9076 + * 30 - PCI BIOS DS
9077 * 31 - TSS for double fault handler
9079 #define GDT_ENTRY_TLS_MIN 6
9082 #define GDT_ENTRY_KERNEL_CS (GDT_ENTRY_KERNEL_BASE + 0)
9084 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS (4)
9086 #define GDT_ENTRY_KERNEL_DS (GDT_ENTRY_KERNEL_BASE + 1)
9088 #define GDT_ENTRY_TSS (GDT_ENTRY_KERNEL_BASE + 4)
9090 #define GDT_ENTRY_ESPFIX_SS (GDT_ENTRY_KERNEL_BASE + 14)
9091 #define __ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)
9093 -#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9094 +#define GDT_ENTRY_PERCPU (GDT_ENTRY_KERNEL_BASE + 15)
9096 #define __KERNEL_PERCPU (GDT_ENTRY_PERCPU * 8)
9098 @@ -102,6 +104,12 @@
9099 #define __KERNEL_STACK_CANARY 0
9102 +#define GDT_ENTRY_PCIBIOS_CS (GDT_ENTRY_KERNEL_BASE + 17)
9103 +#define __PCIBIOS_CS (GDT_ENTRY_PCIBIOS_CS * 8)
9105 +#define GDT_ENTRY_PCIBIOS_DS (GDT_ENTRY_KERNEL_BASE + 18)
9106 +#define __PCIBIOS_DS (GDT_ENTRY_PCIBIOS_DS * 8)
9108 #define GDT_ENTRY_DOUBLEFAULT_TSS 31
9114 /* Matches PNP_CS32 and PNP_CS16 (they must be consecutive) */
9115 -#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xf4) == GDT_ENTRY_PNPBIOS_BASE * 8)
9116 +#define SEGMENT_IS_PNP_CODE(x) (((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16)
9121 #define __USER32_CS (GDT_ENTRY_DEFAULT_USER32_CS * 8 + 3)
9122 #define __USER32_DS __USER_DS
9124 +#define GDT_ENTRY_KERNEXEC_KERNEL_CS 7
9126 #define GDT_ENTRY_TSS 8 /* needs two entries */
9127 #define GDT_ENTRY_LDT 10 /* needs two entries */
9128 #define GDT_ENTRY_TLS_MIN 12
9132 #define __KERNEL_CS (GDT_ENTRY_KERNEL_CS * 8)
9133 +#define __KERNEXEC_KERNEL_CS (GDT_ENTRY_KERNEXEC_KERNEL_CS * 8)
9134 #define __KERNEL_DS (GDT_ENTRY_KERNEL_DS * 8)
9135 #define __USER_DS (GDT_ENTRY_DEFAULT_USER_DS* 8 + 3)
9136 #define __USER_CS (GDT_ENTRY_DEFAULT_USER_CS* 8 + 3)
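Review bot: The comment `Matches PNP_CS32 and PNP_CS16 (they must be consecutive)` no longer describes the new SEGMENT_IS_PNP_CODE, which tests `((x) & 0xFFFCU) == PNP_CS32 || ((x) & 0xFFFCU) == PNP_CS16` explicitly and therefore no longer needs the two selectors to be adjacent; drop the parenthetical or reword it to `Matches PNP_CS32 and PNP_CS16 (RPL bits ignored)`. The hunk headers for this part of segment.h are not visible in the excerpt, so the surrounding context could not be checked. GDT_ENTRY_KERNEXEC_KERNEL_CS is written as `(4)` in the 32-bit section and `7` in the 64-bit section; the 32-bit value is not expressed relative to GDT_ENTRY_KERNEL_BASE like its neighbours, which deserves a one-line comment if intentional.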
9137 diff -urNp linux-2.6.36.1/arch/x86/include/asm/smp.h linux-2.6.36.1/arch/x86/include/asm/smp.h
9138 --- linux-2.6.36.1/arch/x86/include/asm/smp.h 2010-11-26 18:26:23.000000000 -0500
9139 +++ linux-2.6.36.1/arch/x86/include/asm/smp.h 2010-11-26 18:27:07.000000000 -0500
9140 @@ -24,7 +24,7 @@ extern unsigned int num_processors;
9141 DECLARE_PER_CPU(cpumask_var_t, cpu_sibling_map);
9142 DECLARE_PER_CPU(cpumask_var_t, cpu_core_map);
9143 DECLARE_PER_CPU(u16, cpu_llc_id);
9144 -DECLARE_PER_CPU(int, cpu_number);
9145 +DECLARE_PER_CPU(unsigned int, cpu_number);
9147 static inline struct cpumask *cpu_sibling_mask(int cpu)
9149 diff -urNp linux-2.6.36.1/arch/x86/include/asm/spinlock.h linux-2.6.36.1/arch/x86/include/asm/spinlock.h
9150 --- linux-2.6.36.1/arch/x86/include/asm/spinlock.h 2010-10-20 16:30:22.000000000 -0400
9151 +++ linux-2.6.36.1/arch/x86/include/asm/spinlock.h 2010-11-06 18:58:15.000000000 -0400
9152 @@ -249,18 +249,50 @@ static inline int arch_write_can_lock(ar
9153 static inline void arch_read_lock(arch_rwlock_t *rw)
9155 asm volatile(LOCK_PREFIX " subl $1,(%0)\n\t"
9157 - "call __read_lock_failed\n\t"
9159 +#ifdef CONFIG_PAX_REFCOUNT
9160 +#ifdef CONFIG_X86_32
9166 + ".pushsection .fixup,\"ax\"\n"
9168 + LOCK_PREFIX " addl $1,(%0)\n"
9171 + _ASM_EXTABLE(0b, 1b)
9175 + "call __read_lock_failed\n\t"
9177 ::LOCK_PTR_REG (rw) : "memory");
9180 static inline void arch_write_lock(arch_rwlock_t *rw)
9182 asm volatile(LOCK_PREFIX " subl %1,(%0)\n\t"
9184 - "call __write_lock_failed\n\t"
9186 +#ifdef CONFIG_PAX_REFCOUNT
9187 +#ifdef CONFIG_X86_32
9193 + ".pushsection .fixup,\"ax\"\n"
9195 + LOCK_PREFIX " addl %1,(%0)\n"
9198 + _ASM_EXTABLE(0b, 1b)
9202 + "call __write_lock_failed\n\t"
9204 ::LOCK_PTR_REG (rw), "i" (RW_LOCK_BIAS) : "memory");
9207 @@ -286,12 +318,45 @@ static inline int arch_write_trylock(arc
9209 static inline void arch_read_unlock(arch_rwlock_t *rw)
9211 - asm volatile(LOCK_PREFIX "incl %0" :"+m" (rw->lock) : : "memory");
9212 + asm volatile(LOCK_PREFIX "incl %0\n"
9214 +#ifdef CONFIG_PAX_REFCOUNT
9215 +#ifdef CONFIG_X86_32
9221 + ".pushsection .fixup,\"ax\"\n"
9223 + LOCK_PREFIX "decl %0\n"
9226 + _ASM_EXTABLE(0b, 1b)
9229 + :"+m" (rw->lock) : : "memory");
9232 static inline void arch_write_unlock(arch_rwlock_t *rw)
9234 - asm volatile(LOCK_PREFIX "addl %1, %0"
9235 + asm volatile(LOCK_PREFIX "addl %1, %0\n"
9237 +#ifdef CONFIG_PAX_REFCOUNT
9238 +#ifdef CONFIG_X86_32
9244 + ".pushsection .fixup,\"ax\"\n"
9246 + LOCK_PREFIX "subl %1,%0\n"
9249 + _ASM_EXTABLE(0b, 1b)
9252 : "+m" (rw->lock) : "i" (RW_LOCK_BIAS) : "memory");
9255 diff -urNp linux-2.6.36.1/arch/x86/include/asm/system.h linux-2.6.36.1/arch/x86/include/asm/system.h
9256 --- linux-2.6.36.1/arch/x86/include/asm/system.h 2010-10-20 16:30:22.000000000 -0400
9257 +++ linux-2.6.36.1/arch/x86/include/asm/system.h 2010-11-06 18:58:15.000000000 -0400
9258 @@ -202,7 +202,7 @@ static inline unsigned long get_limit(un
9260 unsigned long __limit;
9261 asm("lsll %1,%0" : "=r" (__limit) : "r" (segment));
9262 - return __limit + 1;
9266 static inline void native_clts(void)
9267 @@ -342,7 +342,7 @@ void enable_hlt(void);
9269 void cpu_idle_wait(void);
9271 -extern unsigned long arch_align_stack(unsigned long sp);
9272 +#define arch_align_stack(x) ((x) & ~0xfUL)
9273 extern void free_init_pages(char *what, unsigned long begin, unsigned long end);
9275 void default_idle(void);
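Review bot: Replacing the `arch_align_stack()` function with `#define arch_align_stack(x) ((x) & ~0xfUL)` drops whatever the out-of-line implementation did beyond alignment — in the mainline tree, as far as I recall, that function also applies a randomised offset to the initial stack pointer — and the hunk gives no comment saying this is intended or where the equivalent randomisation now lives. A one-line comment such as `/* stack randomisation is handled by PaX; only 16-byte alignment is needed here */` (adjusted to the actual reason) would stop a later reader from treating this as an accidental loss of entropy. The now-unreferenced out-of-line definition presumably has to be removed as well, which is outside this hunk.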
9276 diff -urNp linux-2.6.36.1/arch/x86/include/asm/uaccess_32.h linux-2.6.36.1/arch/x86/include/asm/uaccess_32.h
9277 --- linux-2.6.36.1/arch/x86/include/asm/uaccess_32.h 2010-10-20 16:30:22.000000000 -0400
9278 +++ linux-2.6.36.1/arch/x86/include/asm/uaccess_32.h 2010-11-06 18:58:15.000000000 -0400
9279 @@ -44,6 +44,9 @@ unsigned long __must_check __copy_from_u
9280 static __always_inline unsigned long __must_check
9281 __copy_to_user_inatomic(void __user *to, const void *from, unsigned long n)
9286 if (__builtin_constant_p(n)) {
9289 @@ -62,6 +65,8 @@ __copy_to_user_inatomic(void __user *to,
9293 + if (!__builtin_constant_p(n))
9294 + check_object_size(from, n, true);
9295 return __copy_to_user_ll(to, from, n);
9298 @@ -89,6 +94,9 @@ __copy_to_user(void __user *to, const vo
9299 static __always_inline unsigned long
9300 __copy_from_user_inatomic(void *to, const void __user *from, unsigned long n)
9305 /* Avoid zeroing the tail if the copy fails..
9306 * If 'n' is constant and 1, 2, or 4, we do still zero on a failure,
9307 * but as the zeroing behaviour is only significant when n is not
9308 @@ -138,6 +146,10 @@ static __always_inline unsigned long
9309 __copy_from_user(void *to, const void __user *from, unsigned long n)
9316 if (__builtin_constant_p(n)) {
9319 @@ -153,6 +165,8 @@ __copy_from_user(void *to, const void __
9323 + if (!__builtin_constant_p(n))
9324 + check_object_size(to, n, false);
9325 return __copy_from_user_ll(to, from, n);
9328 @@ -160,6 +174,10 @@ static __always_inline unsigned long __c
9329 const void __user *from, unsigned long n)
9336 if (__builtin_constant_p(n)) {
9339 @@ -182,15 +200,19 @@ static __always_inline unsigned long
9340 __copy_from_user_inatomic_nocache(void *to, const void __user *from,
9343 - return __copy_from_user_ll_nocache_nozero(to, from, n);
9348 -unsigned long __must_check copy_to_user(void __user *to,
9349 - const void *from, unsigned long n);
9350 -unsigned long __must_check _copy_from_user(void *to,
9351 - const void __user *from,
9353 + return __copy_from_user_ll_nocache_nozero(to, from, n);
9356 +extern void copy_to_user_overflow(void)
9357 +#ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9358 + __compiletime_error("copy_to_user() buffer size is not provably correct")
9360 + __compiletime_warning("copy_to_user() buffer size is not provably correct")
9364 extern void copy_from_user_overflow(void)
9365 #ifdef CONFIG_DEBUG_STRICT_USER_COPY_CHECKS
9366 @@ -200,17 +222,61 @@ extern void copy_from_user_overflow(void
9370 -static inline unsigned long __must_check copy_from_user(void *to,
9371 - const void __user *from,
9374 + * copy_to_user: - Copy a block of data into user space.
9375 + * @to: Destination address, in user space.
9376 + * @from: Source address, in kernel space.
9377 + * @n: Number of bytes to copy.
9379 + * Context: User context only. This function may sleep.
9381 + * Copy data from kernel space to user space.
9383 + * Returns number of bytes that could not be copied.
9384 + * On success, this will be zero.
9386 +static inline unsigned long __must_check
9387 +copy_to_user(void __user *to, const void *from, unsigned long n)
9389 + int sz = __compiletime_object_size(from);
9391 + if (unlikely(sz != -1 && sz < n))
9392 + copy_to_user_overflow();
9393 + else if (access_ok(VERIFY_WRITE, to, n))
9394 + n = __copy_to_user(to, from, n);
9399 + * copy_from_user: - Copy a block of data from user space.
9400 + * @to: Destination address, in kernel space.
9401 + * @from: Source address, in user space.
9402 + * @n: Number of bytes to copy.
9404 + * Context: User context only. This function may sleep.
9406 + * Copy data from user space to kernel space.
9408 + * Returns number of bytes that could not be copied.
9409 + * On success, this will be zero.
9411 + * If some data could not be copied, this function will pad the copied
9412 + * data to the requested size using zero bytes.
9414 +static inline unsigned long __must_check
9415 +copy_from_user(void *to, const void __user *from, unsigned long n)
9417 int sz = __compiletime_object_size(to);
9419 - if (likely(sz == -1 || sz >= n))
9420 - n = _copy_from_user(to, from, n);
9422 + if (unlikely(sz != -1 && sz < n))
9423 copy_from_user_overflow();
9425 + else if (access_ok(VERIFY_READ, from, n))
9426 + n = __copy_from_user(to, from, n);
9427 + else if ((long)n > 0) {
9428 + if (!__builtin_constant_p(n))
9429 + check_object_size(to, n, false);
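Review bot: Both new inline helpers compare `int sz` against `unsigned long n` in `if (unlikely(sz != -1 && sz < n))`; this is only safe because the `sz != -1` test runs first and leaves `sz` non-negative before promotion, and that reasoning deserves a comment on the line, e.g. `/* sz is -1 (unknown) or a non-negative object size, so the mixed comparison is safe */`. The new kerneldoc for copy_from_user promises zero-padding when the copy fails, but the padding code on the `access_ok` failure path is not visible in this hunk, so that claim could not be checked. Since copy_to_user and copy_from_user are now `static inline` and their external declarations are removed, the out-of-line definitions elsewhere in the tree must go too; that is outside this excerpt.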
9435 diff -urNp linux-2.6.36.1/arch/x86/include/asm/uaccess_64.h linux-2.6.36.1/arch/x86/include/asm/uaccess_64.h
9436 --- linux-2.6.36.1/arch/x86/include/asm/uaccess_64.h 2010-10-20 16:30:22.000000000 -0400
9437 +++ linux-2.6.36.1/arch/x86/include/asm/uaccess_64.h 2010-11-06 18:58:15.000000000 -0400
9439 #include <asm/alternative.h>
9440 #include <asm/cpufeature.h>
9441 #include <asm/page.h>
9442 +#include <asm/pgtable.h>
9444 +#define set_fs(x) (current_thread_info()->addr_limit = (x))
9447 * Copy To/From Userspace
9448 @@ -37,26 +40,26 @@ copy_user_generic(void *to, const void *
9452 -__must_check unsigned long
9453 -_copy_to_user(void __user *to, const void *from, unsigned len);
9454 -__must_check unsigned long
9455 -_copy_from_user(void *to, const void __user *from, unsigned len);
9456 +static __always_inline __must_check unsigned long
9457 +__copy_to_user(void __user *to, const void *from, unsigned len);
9458 +static __always_inline __must_check unsigned long
9459 +__copy_from_user(void *to, const void __user *from, unsigned len);
9460 __must_check unsigned long
9461 copy_in_user(void __user *to, const void __user *from, unsigned len);
9463 static inline unsigned long __must_check copy_from_user(void *to,
9464 const void __user *from,
9468 - int sz = __compiletime_object_size(to);
9471 - if (likely(sz == -1 || sz >= n))
9472 - n = _copy_from_user(to, from, n);
9473 -#ifdef CONFIG_DEBUG_VM
9475 - WARN(1, "Buffer overflow detected!\n");
9478 + if (access_ok(VERIFY_READ, from, n))
9479 + n = __copy_from_user(to, from, n);
9480 + else if ((int)n > 0) {
9481 + if (!__builtin_constant_p(n))
9482 + check_object_size(to, n, false);
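Review bot: The zero-pad condition here is written `else if ((int)n > 0)` while the 32-bit counterpart in uaccess_32.h uses `else if ((long)n > 0)`; the parameter's declared type is not visible in this hunk, but whichever form is right the two files should agree, and a comment saying what the sign test is meant to reject would help. The compile-time object-size check that used to live in copy_from_user has moved into __copy_from_user, so it is now only reached when `access_ok` succeeds; on the failure path only `check_object_size` for non-constant `n` remains, which mirrors the 32-bit version.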
9488 @@ -65,17 +68,35 @@ int copy_to_user(void __user *dst, const
9492 - return _copy_to_user(dst, src, size);
9493 + if (access_ok(VERIFY_WRITE, dst, size))
9494 + size = __copy_to_user(dst, src, size);
9498 static __always_inline __must_check
9499 -int __copy_from_user(void *dst, const void __user *src, unsigned size)
9500 +unsigned long __copy_from_user(void *dst, const void __user *src, unsigned size)
9503 + int sz = __compiletime_object_size(dst);
9507 - if (!__builtin_constant_p(size))
9509 + if ((int)size < 0)
9512 + if (unlikely(sz != -1 && sz < size)) {
9513 +#ifdef CONFIG_DEBUG_VM
9514 + WARN(1, "Buffer overflow detected!\n");
9519 + if (!__builtin_constant_p(size)) {
9520 + check_object_size(dst, size, false);
9521 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9522 + src += PAX_USER_SHADOW_BASE;
9523 return copy_user_generic(dst, (__force void *)src, size);
9526 case 1:__get_user_asm(*(u8 *)dst, (u8 __user *)src,
9527 ret, "b", "b", "=q", 1);
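Review bot: The `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;` rebasing is open-coded here and repeated in the __copy_to_user, __copy_in_user, __copy_from_user_inatomic and __copy_to_user_inatomic hunks of this file and in both xsave.h hunks, while uaccess.h introduces `____m(x)` for exactly this adjustment; a single inline helper (or reuse of that macro) would keep the UDEREF rule in one place. The `if ((int)size < 0)` guard's return statement is not visible, so what the caller receives for such sizes could not be checked, and a comment on the guard stating its purpose would help. __copy_from_user's body continues past the end of the hunk.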
9528 @@ -108,18 +129,36 @@ int __copy_from_user(void *dst, const vo
9529 ret, "q", "", "=r", 8);
9532 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9533 + src += PAX_USER_SHADOW_BASE;
9534 return copy_user_generic(dst, (__force void *)src, size);
9538 static __always_inline __must_check
9539 -int __copy_to_user(void __user *dst, const void *src, unsigned size)
9540 +unsigned long __copy_to_user(void __user *dst, const void *src, unsigned size)
9543 + int sz = __compiletime_object_size(src);
9547 - if (!__builtin_constant_p(size))
9549 + if ((int)size < 0)
9552 + if (unlikely(sz != -1 && sz < size)) {
9553 +#ifdef CONFIG_DEBUG_VM
9554 + WARN(1, "Buffer overflow detected!\n");
9559 + if (!__builtin_constant_p(size)) {
9560 + check_object_size(src, size, true);
9561 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9562 + dst += PAX_USER_SHADOW_BASE;
9563 return copy_user_generic((__force void *)dst, src, size);
9566 case 1:__put_user_asm(*(u8 *)src, (u8 __user *)dst,
9567 ret, "b", "b", "iq", 1);
9568 @@ -152,19 +191,30 @@ int __copy_to_user(void __user *dst, con
9569 ret, "q", "", "er", 8);
9572 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9573 + dst += PAX_USER_SHADOW_BASE;
9574 return copy_user_generic((__force void *)dst, src, size);
9578 static __always_inline __must_check
9579 -int __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9580 +unsigned long __copy_in_user(void __user *dst, const void __user *src, unsigned size)
9586 - if (!__builtin_constant_p(size))
9588 + if ((int)size < 0)
9591 + if (!__builtin_constant_p(size)) {
9592 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9593 + src += PAX_USER_SHADOW_BASE;
9594 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9595 + dst += PAX_USER_SHADOW_BASE;
9596 return copy_user_generic((__force void *)dst,
9597 (__force void *)src, size);
9602 @@ -204,6 +254,10 @@ int __copy_in_user(void __user *dst, con
9606 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9607 + src += PAX_USER_SHADOW_BASE;
9608 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9609 + dst += PAX_USER_SHADOW_BASE;
9610 return copy_user_generic((__force void *)dst,
9611 (__force void *)src, size);
9613 @@ -222,33 +276,45 @@ __must_check unsigned long __clear_user(
9614 static __must_check __always_inline int
9615 __copy_from_user_inatomic(void *dst, const void __user *src, unsigned size)
9617 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
9618 + src += PAX_USER_SHADOW_BASE;
9619 return copy_user_generic(dst, (__force const void *)src, size);
9622 -static __must_check __always_inline int
9623 +static __must_check __always_inline unsigned long
9624 __copy_to_user_inatomic(void __user *dst, const void *src, unsigned size)
9626 + if ((int)size < 0)
9629 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
9630 + dst += PAX_USER_SHADOW_BASE;
9631 return copy_user_generic((__force void *)dst, src, size);
9634 -extern long __copy_user_nocache(void *dst, const void __user *src,
9635 +extern unsigned long __copy_user_nocache(void *dst, const void __user *src,
9636 unsigned size, int zerorest);
9639 -__copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9640 +static inline unsigned long __copy_from_user_nocache(void *dst, const void __user *src, unsigned size)
9644 + if ((int)size < 0)
9647 return __copy_user_nocache(dst, src, size, 1);
9651 -__copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9652 +static inline unsigned long __copy_from_user_inatomic_nocache(void *dst, const void __user *src,
9655 + if ((int)size < 0)
9658 return __copy_user_nocache(dst, src, size, 0);
9662 +extern unsigned long
9663 copy_user_handle_tail(char *to, char *from, unsigned len, unsigned zerorest);
9665 #endif /* _ASM_X86_UACCESS_64_H */
9666 diff -urNp linux-2.6.36.1/arch/x86/include/asm/uaccess.h linux-2.6.36.1/arch/x86/include/asm/uaccess.h
9667 --- linux-2.6.36.1/arch/x86/include/asm/uaccess.h 2010-10-20 16:30:22.000000000 -0400
9668 +++ linux-2.6.36.1/arch/x86/include/asm/uaccess.h 2010-11-06 18:58:15.000000000 -0400
9670 #include <linux/thread_info.h>
9671 #include <linux/prefetch.h>
9672 #include <linux/string.h>
9673 +#include <linux/sched.h>
9674 #include <asm/asm.h>
9675 #include <asm/page.h>
9677 #define VERIFY_READ 0
9678 #define VERIFY_WRITE 1
9680 +extern void check_object_size(const void *ptr, unsigned long n, bool to);
9683 * The fs value determines whether argument validity checking should be
9684 * performed or not. If get_fs() == USER_DS, checking is performed, with
9687 #define get_ds() (KERNEL_DS)
9688 #define get_fs() (current_thread_info()->addr_limit)
9689 +#ifdef CONFIG_X86_32
9690 +void __set_fs(mm_segment_t x, int cpu);
9691 +void set_fs(mm_segment_t x);
9693 #define set_fs(x) (current_thread_info()->addr_limit = (x))
9696 #define segment_eq(a, b) ((a).seg == (b).seg)
9699 * checks that the pointer is in the user space range - after calling
9700 * this function, memory access functions may still return -EFAULT.
9702 -#define access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9703 +#define __access_ok(type, addr, size) (likely(__range_not_ok(addr, size) == 0))
9704 +#define access_ok(type, addr, size) \
9706 + long __size = size; \
9707 + unsigned long __addr = (unsigned long)addr; \
9708 + unsigned long __addr_ao = __addr & PAGE_MASK; \
9709 + unsigned long __end_ao = __addr + __size - 1; \
9710 + bool __ret_ao = __range_not_ok(__addr, __size) == 0; \
9711 + if (__ret_ao && unlikely((__end_ao ^ __addr_ao) & PAGE_MASK)) { \
9712 + while(__addr_ao <= __end_ao) { \
9714 + __addr_ao += PAGE_SIZE; \
9715 + if (__size > PAGE_SIZE) \
9717 + if (__get_user(__c_ao, (char __user *)__addr)) \
9719 + if (type != VERIFY_WRITE) { \
9720 + __addr = __addr_ao; \
9723 + if (__put_user(__c_ao, (char __user *)__addr)) \
9725 + __addr = __addr_ao; \
9732 * The exception table consists of pairs of addresses: the first is the
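Review bot: The rewritten `access_ok` now touches every page of the range with `__get_user` and, for VERIFY_WRITE, `__put_user`, which is a side effect nobody expects from a range check; a block comment above the macro should explain why the prefault is needed and that the macro may fault pages in and take a long time on large ranges (what the `__size > PAGE_SIZE` branch does is not visible here). The `type` argument is used unparenthesised in `if (type != VERIFY_WRITE)`; write `(type)` like the other macro arguments. The hunk header for this part of uaccess.h is not visible in the excerpt and several loop-body lines are missing, so the loop's exit conditions could not be fully checked.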
9733 @@ -183,13 +217,21 @@ extern int __get_user_bad(void);
9734 asm volatile("call __put_user_" #size : "=a" (__ret_pu) \
9735 : "0" ((typeof(*(ptr)))(x)), "c" (ptr) : "ebx")
9738 +#ifdef CONFIG_X86_32
9739 +#define _ASM_LOAD_USER_DS(ds) "movw %w" #ds ",%%ds\n"
9740 +#define _ASM_LOAD_KERNEL_DS "pushl %%ss; popl %%ds\n"
9742 +#define _ASM_LOAD_USER_DS(ds)
9743 +#define _ASM_LOAD_KERNEL_DS
9746 #ifdef CONFIG_X86_32
9747 #define __put_user_asm_u64(x, addr, err, errret) \
9748 - asm volatile("1: movl %%eax,0(%2)\n" \
9749 - "2: movl %%edx,4(%2)\n" \
9750 + asm volatile(_ASM_LOAD_USER_DS(5) \
9751 + "1: movl %%eax,%%ds:0(%2)\n" \
9752 + "2: movl %%edx,%%ds:4(%2)\n" \
9754 + _ASM_LOAD_KERNEL_DS \
9755 ".section .fixup,\"ax\"\n" \
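Review bot: `_ASM_LOAD_USER_DS(ds)` takes the asm operand number as a literal (`_ASM_LOAD_USER_DS(5)`, `_ASM_LOAD_USER_DS(2)` in the users), so each call site silently depends on `"r"(__USER_DS)` sitting at exactly that position in the constraint list; a comment on the macro, e.g. `/* ds: operand index of the "r"(__USER_DS) input in the enclosing asm */`, or better a symbolic operand (`%[ds]` with `[ds] "r"(__USER_DS)`), would make the coupling visible. The same pattern appears in the __put_user_asm_u64, __put_user_asm_ex_u64, __get_user_asm, __get_user_asm_ex, __put_user_asm and __put_user_asm_ex hunks below. `_ASM_LOAD_KERNEL_DS` restores %ds from %ss, which relies on the kernel stack selector being the intended data selector; that assumption also merits a one-line comment.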
9758 @@ -197,15 +239,18 @@ extern int __get_user_bad(void);
9759 _ASM_EXTABLE(1b, 4b) \
9760 _ASM_EXTABLE(2b, 4b) \
9762 - : "A" (x), "r" (addr), "i" (errret), "0" (err))
9763 + : "A" (x), "r" (addr), "i" (errret), "0" (err), \
9766 #define __put_user_asm_ex_u64(x, addr) \
9767 - asm volatile("1: movl %%eax,0(%1)\n" \
9768 - "2: movl %%edx,4(%1)\n" \
9769 + asm volatile(_ASM_LOAD_USER_DS(2) \
9770 + "1: movl %%eax,%%ds:0(%1)\n" \
9771 + "2: movl %%edx,%%ds:4(%1)\n" \
9773 + _ASM_LOAD_KERNEL_DS \
9774 _ASM_EXTABLE(1b, 2b - 1b) \
9775 _ASM_EXTABLE(2b, 3b - 2b) \
9776 - : : "A" (x), "r" (addr))
9777 + : : "A" (x), "r" (addr), "r"(__USER_DS))
9779 #define __put_user_x8(x, ptr, __ret_pu) \
9780 asm volatile("call __put_user_8" : "=a" (__ret_pu) \
9781 @@ -374,16 +419,18 @@ do { \
9784 #define __get_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9785 - asm volatile("1: mov"itype" %2,%"rtype"1\n" \
9786 + asm volatile(_ASM_LOAD_USER_DS(5) \
9787 + "1: mov"itype" %%ds:%2,%"rtype"1\n" \
9789 + _ASM_LOAD_KERNEL_DS \
9790 ".section .fixup,\"ax\"\n" \
9792 " xor"itype" %"rtype"1,%"rtype"1\n" \
9795 _ASM_EXTABLE(1b, 3b) \
9796 - : "=r" (err), ltype(x) \
9797 - : "m" (__m(addr)), "i" (errret), "0" (err))
9798 + : "=r" (err), ltype (x) \
9799 + : "m" (__m(addr)), "i" (errret), "0" (err), "r"(__USER_DS))
9801 #define __get_user_size_ex(x, ptr, size) \
9803 @@ -407,10 +454,12 @@ do { \
9806 #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \
9807 - asm volatile("1: mov"itype" %1,%"rtype"0\n" \
9808 + asm volatile(_ASM_LOAD_USER_DS(2) \
9809 + "1: mov"itype" %%ds:%1,%"rtype"0\n" \
9811 + _ASM_LOAD_KERNEL_DS \
9812 _ASM_EXTABLE(1b, 2b - 1b) \
9813 - : ltype(x) : "m" (__m(addr)))
9814 + : ltype(x) : "m" (__m(addr)), "r"(__USER_DS))
9816 #define __put_user_nocheck(x, ptr, size) \
9818 @@ -424,13 +473,24 @@ do { \
9820 unsigned long __gu_val; \
9821 __get_user_size(__gu_val, (ptr), (size), __gu_err, -EFAULT); \
9822 - (x) = (__force __typeof__(*(ptr)))__gu_val; \
9823 + (x) = (__typeof__(*(ptr)))__gu_val; \
9827 /* FIXME: this hack is definitely wrong -AK */
9828 struct __large_struct { unsigned long buf[100]; };
9829 -#define __m(x) (*(struct __large_struct __user *)(x))
9830 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9833 + unsigned long ____x = (unsigned long)(x); \
9834 + if (____x < PAX_USER_SHADOW_BASE) \
9835 + ____x += PAX_USER_SHADOW_BASE; \
9836 + (void __user *)____x; \
9839 +#define ____m(x) (x)
9841 +#define __m(x) (*(struct __large_struct __user *)____m(x))
9844 * Tell gcc we read from memory instead of writing: this is because
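Review bot: The cast in `__get_user_nocheck` loses its `__force` (`(x) = (__typeof__(*(ptr)))__gu_val;`), and the same happens in the get_user_ex hunk below; if this is meant to let sparse report address-space mismatches again, a comment should say so, otherwise `__force` should stay. The new `____m(x)` statement expression evaluates `x` once, which is right for a macro argument; its temporary `____x` is a reserved-looking identifier, though that follows the file's existing `__m`/`__large_struct` naming. The rebasing inside `____m` is the same test that uaccess_64.h open-codes in its copy routines, so those could call this macro instead of repeating it.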
9845 @@ -438,21 +498,26 @@ struct __large_struct { unsigned long bu
9848 #define __put_user_asm(x, addr, err, itype, rtype, ltype, errret) \
9849 - asm volatile("1: mov"itype" %"rtype"1,%2\n" \
9850 + asm volatile(_ASM_LOAD_USER_DS(5) \
9851 + "1: mov"itype" %"rtype"1,%%ds:%2\n" \
9853 + _ASM_LOAD_KERNEL_DS \
9854 ".section .fixup,\"ax\"\n" \
9858 _ASM_EXTABLE(1b, 3b) \
9860 - : ltype(x), "m" (__m(addr)), "i" (errret), "0" (err))
9861 + : ltype (x), "m" (__m(addr)), "i" (errret), "0" (err),\
9864 #define __put_user_asm_ex(x, addr, itype, rtype, ltype) \
9865 - asm volatile("1: mov"itype" %"rtype"0,%1\n" \
9866 + asm volatile(_ASM_LOAD_USER_DS(2) \
9867 + "1: mov"itype" %"rtype"0,%%ds:%1\n" \
9869 + _ASM_LOAD_KERNEL_DS \
9870 _ASM_EXTABLE(1b, 2b - 1b) \
9871 - : : ltype(x), "m" (__m(addr)))
9872 + : : ltype(x), "m" (__m(addr)), "r"(__USER_DS))
9875 * uaccess_try and catch
9876 @@ -530,7 +595,7 @@ struct __large_struct { unsigned long bu
9877 #define get_user_ex(x, ptr) do { \
9878 unsigned long __gue_val; \
9879 __get_user_size_ex((__gue_val), (ptr), (sizeof(*(ptr)))); \
9880 - (x) = (__force __typeof__(*(ptr)))__gue_val; \
9881 + (x) = (__typeof__(*(ptr)))__gue_val; \
9884 #ifdef CONFIG_X86_WP_WORKS_OK
9885 @@ -567,6 +632,7 @@ extern struct movsl_mask {
9887 #define ARCH_HAS_NOCACHE_UACCESS 1
9889 +#define ARCH_HAS_SORT_EXTABLE
9890 #ifdef CONFIG_X86_32
9891 # include "uaccess_32.h"
9893 diff -urNp linux-2.6.36.1/arch/x86/include/asm/vgtod.h linux-2.6.36.1/arch/x86/include/asm/vgtod.h
9894 --- linux-2.6.36.1/arch/x86/include/asm/vgtod.h 2010-10-20 16:30:22.000000000 -0400
9895 +++ linux-2.6.36.1/arch/x86/include/asm/vgtod.h 2010-11-06 18:58:15.000000000 -0400
9896 @@ -14,6 +14,7 @@ struct vsyscall_gtod_data {
9898 struct timezone sys_tz;
9899 struct { /* extract of a clocksource struct */
9901 cycle_t (*vread)(void);
9904 diff -urNp linux-2.6.36.1/arch/x86/include/asm/vmi.h linux-2.6.36.1/arch/x86/include/asm/vmi.h
9905 --- linux-2.6.36.1/arch/x86/include/asm/vmi.h 2010-10-20 16:30:22.000000000 -0400
9906 +++ linux-2.6.36.1/arch/x86/include/asm/vmi.h 2010-11-06 18:58:15.000000000 -0400
9907 @@ -191,6 +191,7 @@ struct vrom_header {
9908 u8 reserved[96]; /* Reserved for headers */
9909 char vmi_init[8]; /* VMI_Init jump point */
9910 char get_reloc[8]; /* VMI_GetRelocationInfo jump point */
9911 + char rom_data[8048]; /* rest of the option ROM */
9912 } __attribute__((packed));
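Review bot: `char rom_data[8048]` is a bare magic number; if the intent is that `struct vrom_header` now covers a fixed-size option ROM image, express the array size as `<ROM size> - offsetof(struct vrom_header, rom_data)` or add a `BUILD_BUG_ON(sizeof(struct vrom_header) != <ROM size>)` where the struct is used, so the relationship is explicit (the expected total is not stated in the hunk). The field comment `rest of the option ROM` should name that total size.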
9915 diff -urNp linux-2.6.36.1/arch/x86/include/asm/vsyscall.h linux-2.6.36.1/arch/x86/include/asm/vsyscall.h
9916 --- linux-2.6.36.1/arch/x86/include/asm/vsyscall.h 2010-10-20 16:30:22.000000000 -0400
9917 +++ linux-2.6.36.1/arch/x86/include/asm/vsyscall.h 2010-11-06 18:58:15.000000000 -0400
9918 @@ -15,9 +15,10 @@ enum vsyscall_num {
9921 #include <linux/seqlock.h>
9922 +#include <linux/getcpu.h>
9923 +#include <linux/time.h>
9925 #define __section_vgetcpu_mode __attribute__ ((unused, __section__ (".vgetcpu_mode"), aligned(16)))
9926 -#define __section_jiffies __attribute__ ((unused, __section__ (".jiffies"), aligned(16)))
9928 /* Definitions for CONFIG_GENERIC_TIME definitions */
9929 #define __section_vsyscall_gtod_data __attribute__ \
9930 @@ -31,7 +32,6 @@ enum vsyscall_num {
9931 #define VGETCPU_LSL 2
9933 extern int __vgetcpu_mode;
9934 -extern volatile unsigned long __jiffies;
9936 /* kernel space (writeable) */
9937 extern int vgetcpu_mode;
9938 @@ -39,6 +39,9 @@ extern struct timezone sys_tz;
9940 extern void map_vsyscall(void);
9942 +extern int vgettimeofday(struct timeval * tv, struct timezone * tz);
9943 +extern time_t vtime(time_t *t);
9944 +extern long vgetcpu(unsigned *cpu, unsigned *node, struct getcpu_cache *tcache);
9945 #endif /* __KERNEL__ */
9947 #endif /* _ASM_X86_VSYSCALL_H */
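Review bot: The new prototypes at -39 put a space on both sides of the pointer star (`struct timeval * tv`, `struct timezone * tz`), which kernel coding style and checkpatch reject; write `extern int vgettimeofday(struct timeval *tv, struct timezone *tz);`. The other two added declarations already use the house form. The `__section_jiffies`/`__jiffies` removals and the added `<linux/getcpu.h>`/`<linux/time.h>` includes are consistent with the types the new declarations need.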
9948 diff -urNp linux-2.6.36.1/arch/x86/include/asm/xsave.h linux-2.6.36.1/arch/x86/include/asm/xsave.h
9949 --- linux-2.6.36.1/arch/x86/include/asm/xsave.h 2010-10-20 16:30:22.000000000 -0400
9950 +++ linux-2.6.36.1/arch/x86/include/asm/xsave.h 2010-11-06 18:58:15.000000000 -0400
9951 @@ -65,6 +65,11 @@ static inline int xsave_user(struct xsav
9955 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9956 + if ((unsigned long)buf < PAX_USER_SHADOW_BASE)
9957 + buf = (struct xsave_struct __user *)((void __user*)buf + PAX_USER_SHADOW_BASE);
9961 * Clear the xsave header first, so that reserved fields are
9962 * initialized to zero.
9963 @@ -100,6 +105,11 @@ static inline int xrestore_user(struct x
9965 u32 hmask = mask >> 32;
9967 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
9968 + if ((unsigned long)xstate < PAX_USER_SHADOW_BASE)
9969 + xstate = (struct xsave_struct *)((void *)xstate + PAX_USER_SHADOW_BASE);
9972 __asm__ __volatile__("1: .byte " REX_PREFIX "0x0f,0xae,0x2f\n"
9974 ".section .fixup,\"ax\"\n"
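Review bot: The shadow-base relocation block is pasted twice, in `xsave_user` at -65 and `xrestore_user` at -100, differing only in the variable name and in whether the pointer carries `__user`; a single `static inline` helper (with a `__force` cast for the non-`__user` pointer in `xrestore_user`) would keep the two from drifting. The relocation depends on the pointer value alone, so it relies on the caller having already validated the address as userland; that precondition is not visible here and deserves a one-line comment at each site, e.g. `/* caller has done access_ok(); move the pointer into the UDEREF shadow range */`. Both functions start and end outside the hunks.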
9975 diff -urNp linux-2.6.36.1/arch/x86/Kconfig linux-2.6.36.1/arch/x86/Kconfig
9976 --- linux-2.6.36.1/arch/x86/Kconfig 2010-10-20 16:30:22.000000000 -0400
9977 +++ linux-2.6.36.1/arch/x86/Kconfig 2010-11-06 18:58:50.000000000 -0400
9978 @@ -1036,7 +1036,7 @@ choice
9982 - depends on !X86_NUMAQ
9983 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9985 Linux can use up to 64 Gigabytes of physical memory on x86 systems.
9986 However, the address space of 32-bit x86 processors is only 4
9987 @@ -1073,7 +1073,7 @@ config NOHIGHMEM
9991 - depends on !X86_NUMAQ
9992 + depends on !X86_NUMAQ && !(PAX_PAGEEXEC && PAX_ENABLE_PAE)
9994 Select this if you have a 32-bit processor and between 1 and 4
9995 gigabytes of physical RAM.
9996 @@ -1127,7 +1127,7 @@ config PAGE_OFFSET
9998 default 0xB0000000 if VMSPLIT_3G_OPT
9999 default 0x80000000 if VMSPLIT_2G
10000 - default 0x78000000 if VMSPLIT_2G_OPT
10001 + default 0x70000000 if VMSPLIT_2G_OPT
10002 default 0x40000000 if VMSPLIT_1G
10005 @@ -1459,7 +1459,7 @@ config ARCH_USES_PG_UNCACHED
10008 bool "EFI runtime service support"
10010 + depends on ACPI && !PAX_KERNEXEC
10012 This enables the kernel to use EFI runtime services that are
10013 available (such as the EFI variable services).
10014 @@ -1546,6 +1546,7 @@ config KEXEC_JUMP
10015 config PHYSICAL_START
10016 hex "Physical address where the kernel is loaded" if (EMBEDDED || CRASH_DUMP)
10017 default "0x1000000"
10018 + range 0x400000 0x40000000
10020 This gives the physical address where the kernel is loaded.
10022 @@ -1609,6 +1610,7 @@ config X86_NEED_RELOCS
10023 config PHYSICAL_ALIGN
10024 hex "Alignment value to which kernel should be aligned" if X86_32
10025 default "0x1000000"
10026 + range 0x400000 0x1000000 if PAX_KERNEXEC
10027 range 0x2000 0x1000000
10029 This value puts the alignment restrictions on physical address
10030 @@ -1640,9 +1642,10 @@ config HOTPLUG_CPU
10031 Say N if you want to disable CPU hotplug.
10036 prompt "Compat VDSO support"
10037 depends on X86_32 || IA32_EMULATION
10038 + depends on !PAX_NOEXEC && !PAX_MEMORY_UDEREF
10040 Map the 32-bit VDSO to the predictable old-style address too.
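Review bot: The new `range 0x400000 0x1000000 if PAX_KERNEXEC` on PHYSICAL_ALIGN and `range 0x400000 0x40000000` on PHYSICAL_START introduce a 4 MiB lower bound with no explanation in the help text, so a user whose 0x2000 alignment is suddenly rejected cannot tell why. Presumably KERNEXEC maps kernel text with large pages and needs that alignment, but that is inferred. Add a help-text sentence such as `With PAX_KERNEXEC the kernel image must be aligned to 0x400000.` Placing the conditional range before the unconditional one is correct, as Kconfig applies the first range whose condition holds. The VMSPLIT_2G_OPT default change from 0x78000000 to 0x70000000 deserves the same treatment if its prompt or help text elsewhere still mentions the old value.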
10042 diff -urNp linux-2.6.36.1/arch/x86/Kconfig.cpu linux-2.6.36.1/arch/x86/Kconfig.cpu
10043 --- linux-2.6.36.1/arch/x86/Kconfig.cpu 2010-10-20 16:30:22.000000000 -0400
10044 +++ linux-2.6.36.1/arch/x86/Kconfig.cpu 2010-11-06 18:58:15.000000000 -0400
10045 @@ -336,7 +336,7 @@ config X86_PPRO_FENCE
10047 config X86_F00F_BUG
10049 - depends on M586MMX || M586TSC || M586 || M486 || M386
10050 + depends on (M586MMX || M586TSC || M586 || M486 || M386) && !PAX_KERNEXEC
10052 config X86_INVD_BUG
10054 @@ -360,7 +360,7 @@ config X86_POPAD_OK
10056 config X86_ALIGNMENT_16
10058 - depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK6 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10059 + depends on MWINCHIP3D || MWINCHIPC6 || MCYRIXIII || X86_ELAN || MK8 || MK7 || MK6 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686 || M586MMX || M586TSC || M586 || M486 || MVIAC3_2 || MGEODEGX1
10061 config X86_INTEL_USERCOPY
10063 @@ -406,7 +406,7 @@ config X86_CMPXCHG64
10067 - depends on (MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10068 + depends on (MK8 || MK7 || MCORE2 || MPSC || MPENTIUM4 || MPENTIUMM || MPENTIUMIII || MPENTIUMII || M686 || MVIAC3_2 || MVIAC7 || MCRUSOE || MEFFICEON || X86_64 || MATOM || MGEODE_LX)
10070 config X86_MINIMUM_CPU_FAMILY
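Review bot: Adding `MPSC` to the X86_CMPXCHG64 dependency at -406 is redundant if, as in the mainline Kconfig.cpu of this era, MPSC is a 64-bit-only choice: `X86_64` already appears in the same expression, so the new term never changes the result. Drop it, or if MPSC can be selected on 32-bit in this tree, say so in the commit. The X86_ALIGNMENT_16 line at -360 grows by seven CPU types (`MK8 || MK7 || MCORE2 || MPENTIUM4 || MPENTIUMIII || MPENTIUMII || M686`) with nothing saying why 16-byte alignment is now wanted for them; a comment above the `depends on` would spare the next reader a bisection.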
10072 diff -urNp linux-2.6.36.1/arch/x86/Kconfig.debug linux-2.6.36.1/arch/x86/Kconfig.debug
10073 --- linux-2.6.36.1/arch/x86/Kconfig.debug 2010-10-20 16:30:22.000000000 -0400
10074 +++ linux-2.6.36.1/arch/x86/Kconfig.debug 2010-11-06 18:58:15.000000000 -0400
10075 @@ -97,7 +97,7 @@ config X86_PTDUMP
10076 config DEBUG_RODATA
10077 bool "Write protect kernel read-only data structures"
10079 - depends on DEBUG_KERNEL
10080 + depends on DEBUG_KERNEL && BROKEN
10082 Mark the kernel read-only data as write-protected in the pagetables,
10083 in order to catch accidental (and incorrect) writes to such const
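Review bot: Gating DEBUG_RODATA on `BROKEN` hides the option, but the help text that follows still describes it as a working feature and gives no hint why it is disabled in this tree. Presumably it is superseded by the patch's own kernel-text protection (PAX_KERNEXEC is referenced throughout this diff), but that is inferred. Add a sentence to the help text, e.g. `Disabled in this tree: PAX_KERNEXEC provides this protection.`, or a `# superseded by PAX_KERNEXEC` comment beside the dependency.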
10084 diff -urNp linux-2.6.36.1/arch/x86/kernel/acpi/boot.c linux-2.6.36.1/arch/x86/kernel/acpi/boot.c
10085 --- linux-2.6.36.1/arch/x86/kernel/acpi/boot.c 2010-10-20 16:30:22.000000000 -0400
10086 +++ linux-2.6.36.1/arch/x86/kernel/acpi/boot.c 2010-11-06 18:58:15.000000000 -0400
10087 @@ -1472,7 +1472,7 @@ static struct dmi_system_id __initdata a
10088 DMI_MATCH(DMI_PRODUCT_NAME, "HP Compaq 6715b"),
10092 + { NULL, NULL, {{0, {0}}}, NULL}
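Review bot: The DMI table terminator is spelled three different ways in this diff: `{ NULL, NULL, {{0, {0}}}, NULL}` here, `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}` in arch/x86/kernel/apm_32.c, and `{ NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }` in arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c. They are equivalent as far as the walker's `DMI_NONE` end-of-table test goes, but positional zero-initializers break silently if `struct dmi_system_id` or `struct dmi_strmatch` gains a member. Pick one spelling with designated initializers, e.g. `{ .matches = { DMI_MATCH(DMI_NONE, {0}) } }`, or keep the original sentinel (the removed line is not visible here), whichever the warning that motivated the change allows.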
10096 diff -urNp linux-2.6.36.1/arch/x86/kernel/acpi/sleep.c linux-2.6.36.1/arch/x86/kernel/acpi/sleep.c
10097 --- linux-2.6.36.1/arch/x86/kernel/acpi/sleep.c 2010-10-20 16:30:22.000000000 -0400
10098 +++ linux-2.6.36.1/arch/x86/kernel/acpi/sleep.c 2010-11-06 18:58:15.000000000 -0400
10099 @@ -11,11 +11,12 @@
10100 #include <linux/cpumask.h>
10101 #include <asm/segment.h>
10102 #include <asm/desc.h>
10103 +#include <asm/e820.h>
10105 #include "realmode/wakeup.h"
10108 -unsigned long acpi_wakeup_address;
10109 +unsigned long acpi_wakeup_address = 0x2000;
10110 unsigned long acpi_realmode_flags;
10112 /* address in low memory of the wakeup routine. */
10113 @@ -96,8 +97,12 @@ int acpi_save_state_mem(void)
10114 header->trampoline_segment = setup_trampoline() >> 4;
10116 stack_start.sp = temp_stack + sizeof(temp_stack);
10118 + pax_open_kernel();
10119 early_gdt_descr.address =
10120 (unsigned long)get_cpu_gdt_table(smp_processor_id());
10121 + pax_close_kernel();
10123 initial_gs = per_cpu_offset(smp_processor_id());
10125 initial_code = (unsigned long)wakeup_long64;
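Review bot: `unsigned long acpi_wakeup_address = 0x2000;` replaces a zero-initialized variable with a hard-coded low-memory address, and nothing in the hunk says what guarantees that page is reserved for the wakeup trampoline or why the runtime assignment (not visible here) no longer suffices. The added `#include <asm/e820.h>` suggests the reservation goes through the e820 map, but none of the shown lines uses anything from that header. Add a comment at the definition, e.g. `/* fixed real-mode wakeup page; must match the e820 reservation made at setup */`, or define the value in a macro shared with the reserving code so the two cannot diverge. The `pax_open_kernel()`/`pax_close_kernel()` pair around the `early_gdt_descr.address` store is clear as written.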
10126 diff -urNp linux-2.6.36.1/arch/x86/kernel/acpi/wakeup_32.S linux-2.6.36.1/arch/x86/kernel/acpi/wakeup_32.S
10127 --- linux-2.6.36.1/arch/x86/kernel/acpi/wakeup_32.S 2010-10-20 16:30:22.000000000 -0400
10128 +++ linux-2.6.36.1/arch/x86/kernel/acpi/wakeup_32.S 2010-11-06 18:58:15.000000000 -0400
10129 @@ -30,13 +30,11 @@ wakeup_pmode_return:
10130 # and restore the stack ... but you need gdt for this to work
10131 movl saved_context_esp, %esp
10133 - movl %cs:saved_magic, %eax
10134 - cmpl $0x12345678, %eax
10135 + cmpl $0x12345678, saved_magic
10138 # jump to place where we left off
10139 - movl saved_eip, %eax
10145 diff -urNp linux-2.6.36.1/arch/x86/kernel/alternative.c linux-2.6.36.1/arch/x86/kernel/alternative.c
10146 --- linux-2.6.36.1/arch/x86/kernel/alternative.c 2010-10-20 16:30:22.000000000 -0400
10147 +++ linux-2.6.36.1/arch/x86/kernel/alternative.c 2010-11-06 18:58:15.000000000 -0400
10148 @@ -248,7 +248,7 @@ static void alternatives_smp_lock(const
10149 if (!*poff || ptr < text || ptr >= text_end)
10151 /* turn DS segment override prefix into lock prefix */
10152 - if (*ptr == 0x3e)
10153 + if (*ktla_ktva(ptr) == 0x3e)
10154 text_poke(ptr, ((unsigned char []){0xf0}), 1);
10156 mutex_unlock(&text_mutex);
10157 @@ -269,7 +269,7 @@ static void alternatives_smp_unlock(cons
10158 if (!*poff || ptr < text || ptr >= text_end)
10160 /* turn lock prefix into DS segment override prefix */
10161 - if (*ptr == 0xf0)
10162 + if (*ktla_ktva(ptr) == 0xf0)
10163 text_poke(ptr, ((unsigned char []){0x3E}), 1);
10165 mutex_unlock(&text_mutex);
10166 @@ -437,7 +437,7 @@ void __init_or_module apply_paravirt(str
10168 BUG_ON(p->len > MAX_PATCH_LEN);
10169 /* prep the buffer with the original instructions */
10170 - memcpy(insnbuf, p->instr, p->len);
10171 + memcpy(insnbuf, ktla_ktva(p->instr), p->len);
10172 used = pv_init_ops.patch(p->instrtype, p->clobbers, insnbuf,
10173 (unsigned long)p->instr, p->len);
10175 @@ -505,7 +505,7 @@ void __init alternative_instructions(voi
10177 free_init_pages("SMP alternatives",
10178 (unsigned long)__smp_locks,
10179 - (unsigned long)__smp_locks_end);
10180 + PAGE_ALIGN((unsigned long)__smp_locks_end));
10184 @@ -522,13 +522,17 @@ void __init alternative_instructions(voi
10185 * instructions. And on the local CPU you need to be protected again NMI or MCE
10186 * handlers seeing an inconsistent instruction while you patch.
10188 -static void *__init_or_module text_poke_early(void *addr, const void *opcode,
10189 +static void *__kprobes text_poke_early(void *addr, const void *opcode,
10192 unsigned long flags;
10193 local_irq_save(flags);
10194 - memcpy(addr, opcode, len);
10196 + pax_open_kernel();
10197 + memcpy(ktla_ktva(addr), opcode, len);
10199 + pax_close_kernel();
10201 local_irq_restore(flags);
10202 /* Could also do a CLFLUSH here to speed up CPU recovery; but
10203 that causes hangs on some VIA CPUs. */
10204 @@ -550,36 +554,22 @@ static void *__init_or_module text_poke_
10206 void *__kprobes text_poke(void *addr, const void *opcode, size_t len)
10208 - unsigned long flags;
10210 + unsigned char *vaddr = ktla_ktva(addr);
10211 struct page *pages[2];
10215 if (!core_kernel_text((unsigned long)addr)) {
10216 - pages[0] = vmalloc_to_page(addr);
10217 - pages[1] = vmalloc_to_page(addr + PAGE_SIZE);
10218 + pages[0] = vmalloc_to_page(vaddr);
10219 + pages[1] = vmalloc_to_page(vaddr + PAGE_SIZE);
10221 - pages[0] = virt_to_page(addr);
10222 + pages[0] = virt_to_page(vaddr);
10223 WARN_ON(!PageReserved(pages[0]));
10224 - pages[1] = virt_to_page(addr + PAGE_SIZE);
10225 + pages[1] = virt_to_page(vaddr + PAGE_SIZE);
10228 - local_irq_save(flags);
10229 - set_fixmap(FIX_TEXT_POKE0, page_to_phys(pages[0]));
10231 - set_fixmap(FIX_TEXT_POKE1, page_to_phys(pages[1]));
10232 - vaddr = (char *)fix_to_virt(FIX_TEXT_POKE0);
10233 - memcpy(&vaddr[(unsigned long)addr & ~PAGE_MASK], opcode, len);
10234 - clear_fixmap(FIX_TEXT_POKE0);
10236 - clear_fixmap(FIX_TEXT_POKE1);
10237 - local_flush_tlb();
10239 - /* Could also do a CLFLUSH here to speed up CPU recovery; but
10240 - that causes hangs on some VIA CPUs. */
10241 + text_poke_early(addr, opcode, len);
10242 for (i = 0; i < len; i++)
10243 - BUG_ON(((char *)addr)[i] != ((char *)opcode)[i]);
10244 - local_irq_restore(flags);
10245 + BUG_ON(((char *)vaddr)[i] != ((char *)opcode)[i]);
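Review bot: With the fixmap path removed from `text_poke`, `pages[1]` is still computed in both branches (`vmalloc_to_page(vaddr + PAGE_SIZE)` and `virt_to_page(vaddr + PAGE_SIZE)`) but, as far as the visible lines show, never read — the only remaining consumer is `WARN_ON(!PageReserved(pages[0]))`. Drop the two `pages[1]` assignments and reduce the declaration to a single `struct page *page;` so the second-page lookups do not read as a forgotten check. `text_poke_early` changes from `__init_or_module` to `__kprobes` because `text_poke` now calls it at runtime; a one-line comment on its definition saying so would keep someone from restoring the old annotation. Both functions' closing braces are outside the hunks.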
10249 diff -urNp linux-2.6.36.1/arch/x86/kernel/amd_iommu.c linux-2.6.36.1/arch/x86/kernel/amd_iommu.c
10250 --- linux-2.6.36.1/arch/x86/kernel/amd_iommu.c 2010-10-20 16:30:22.000000000 -0400
10251 +++ linux-2.6.36.1/arch/x86/kernel/amd_iommu.c 2010-11-06 18:58:15.000000000 -0400
10252 @@ -2286,7 +2286,7 @@ static void prealloc_protection_domains(
10256 -static struct dma_map_ops amd_iommu_dma_ops = {
10257 +static const struct dma_map_ops amd_iommu_dma_ops = {
10258 .alloc_coherent = alloc_coherent,
10259 .free_coherent = free_coherent,
10260 .map_page = map_page,
10261 diff -urNp linux-2.6.36.1/arch/x86/kernel/apic/io_apic.c linux-2.6.36.1/arch/x86/kernel/apic/io_apic.c
10262 --- linux-2.6.36.1/arch/x86/kernel/apic/io_apic.c 2010-11-26 18:26:23.000000000 -0500
10263 +++ linux-2.6.36.1/arch/x86/kernel/apic/io_apic.c 2010-11-26 18:27:07.000000000 -0500
10264 @@ -696,7 +696,7 @@ struct IO_APIC_route_entry **alloc_ioapi
10265 ioapic_entries = kzalloc(sizeof(*ioapic_entries) * nr_ioapics,
10267 if (!ioapic_entries)
10271 for (apic = 0; apic < nr_ioapics; apic++) {
10272 ioapic_entries[apic] =
10273 @@ -713,7 +713,7 @@ nomem:
10274 kfree(ioapic_entries[apic]);
10275 kfree(ioapic_entries);
10282 @@ -1123,7 +1123,7 @@ int IO_APIC_get_PCI_irq_vector(int bus,
10284 EXPORT_SYMBOL(IO_APIC_get_PCI_irq_vector);
10286 -void lock_vector_lock(void)
10287 +void lock_vector_lock(void) __acquires(vector_lock)
10289 /* Used to the online set of cpus does not change
10290 * during assign_irq_vector.
10291 @@ -1131,7 +1131,7 @@ void lock_vector_lock(void)
10292 raw_spin_lock(&vector_lock);
10295 -void unlock_vector_lock(void)
10296 +void unlock_vector_lock(void) __releases(vector_lock)
10298 raw_spin_unlock(&vector_lock);
10300 diff -urNp linux-2.6.36.1/arch/x86/kernel/apm_32.c linux-2.6.36.1/arch/x86/kernel/apm_32.c
10301 --- linux-2.6.36.1/arch/x86/kernel/apm_32.c 2010-10-20 16:30:22.000000000 -0400
10302 +++ linux-2.6.36.1/arch/x86/kernel/apm_32.c 2010-11-06 18:58:15.000000000 -0400
10303 @@ -410,7 +410,7 @@ static DEFINE_MUTEX(apm_mutex);
10304 * This is for buggy BIOS's that refer to (real mode) segment 0x40
10305 * even though they are called in protected mode.
10307 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
10308 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
10309 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
10311 static const char driver_version[] = "1.16ac"; /* no spaces */
10312 @@ -588,7 +588,10 @@ static long __apm_bios_call(void *_call)
10314 gdt = get_cpu_gdt_table(cpu);
10315 save_desc_40 = gdt[0x40 / 8];
10317 + pax_open_kernel();
10318 gdt[0x40 / 8] = bad_bios_desc;
10319 + pax_close_kernel();
10321 apm_irq_save(flags);
10323 @@ -597,7 +600,11 @@ static long __apm_bios_call(void *_call)
10325 APM_DO_RESTORE_SEGS;
10326 apm_irq_restore(flags);
10328 + pax_open_kernel();
10329 gdt[0x40 / 8] = save_desc_40;
10330 + pax_close_kernel();
10334 return call->eax & 0xff;
10335 @@ -664,7 +671,10 @@ static long __apm_bios_call_simple(void
10337 gdt = get_cpu_gdt_table(cpu);
10338 save_desc_40 = gdt[0x40 / 8];
10340 + pax_open_kernel();
10341 gdt[0x40 / 8] = bad_bios_desc;
10342 + pax_close_kernel();
10344 apm_irq_save(flags);
10346 @@ -672,7 +682,11 @@ static long __apm_bios_call_simple(void
10348 APM_DO_RESTORE_SEGS;
10349 apm_irq_restore(flags);
10351 + pax_open_kernel();
10352 gdt[0x40 / 8] = save_desc_40;
10353 + pax_close_kernel();
10358 @@ -975,7 +989,7 @@ recalc:
10360 static void apm_power_off(void)
10362 - unsigned char po_bios_call[] = {
10363 + const unsigned char po_bios_call[] = {
10364 0xb8, 0x00, 0x10, /* movw $0x1000,ax */
10365 0x8e, 0xd0, /* movw ax,ss */
10366 0xbc, 0x00, 0xf0, /* movw $0xf000,sp */
10367 @@ -1931,7 +1945,10 @@ static const struct file_operations apm_
10368 static struct miscdevice apm_device = {
10379 @@ -2252,7 +2269,7 @@ static struct dmi_system_id __initdata a
10380 { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
10384 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
10388 @@ -2355,12 +2372,15 @@ static int __init apm_init(void)
10389 * code to that CPU.
10391 gdt = get_cpu_gdt_table(0);
10393 + pax_open_kernel();
10394 set_desc_base(&gdt[APM_CS >> 3],
10395 (unsigned long)__va((unsigned long)apm_info.bios.cseg << 4));
10396 set_desc_base(&gdt[APM_CS_16 >> 3],
10397 (unsigned long)__va((unsigned long)apm_info.bios.cseg_16 << 4));
10398 set_desc_base(&gdt[APM_DS >> 3],
10399 (unsigned long)__va((unsigned long)apm_info.bios.dseg << 4));
10400 + pax_close_kernel();
10402 proc_create("apm", 0, NULL, &apm_file_ops);
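Review bot: `bad_bios_desc` changes from `GDT_ENTRY_INIT(0x4092, ...)` to `0x4093` at the same time it becomes `const`, i.e. the descriptor's Accessed bit is now preset, and nothing explains the bit change. Presumably it is so the CPU never needs to write the accessed bit into a GDT that the surrounding `pax_open_kernel()`/`pax_close_kernel()` pairs indicate is otherwise read-only, but that is inferred; a comment on the definition, e.g. `/* type 0x3 = RW data with accessed bit preset, so the CPU need not write a read-only GDT */`, would make the change reviewable. The open/store/close triplet for `gdt[0x40 / 8]` is repeated four times across `__apm_bios_call` and `__apm_bios_call_simple`; a small static helper taking the descriptor would keep the pairing in one place. Both functions extend beyond the hunks.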
10404 diff -urNp linux-2.6.36.1/arch/x86/kernel/asm-offsets_32.c linux-2.6.36.1/arch/x86/kernel/asm-offsets_32.c
10405 --- linux-2.6.36.1/arch/x86/kernel/asm-offsets_32.c 2010-10-20 16:30:22.000000000 -0400
10406 +++ linux-2.6.36.1/arch/x86/kernel/asm-offsets_32.c 2010-11-06 18:58:15.000000000 -0400
10407 @@ -115,6 +115,11 @@ void foo(void)
10408 OFFSET(PV_CPU_iret, pv_cpu_ops, iret);
10409 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10410 OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10412 +#ifdef CONFIG_PAX_KERNEXEC
10413 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10419 diff -urNp linux-2.6.36.1/arch/x86/kernel/asm-offsets_64.c linux-2.6.36.1/arch/x86/kernel/asm-offsets_64.c
10420 --- linux-2.6.36.1/arch/x86/kernel/asm-offsets_64.c 2010-10-20 16:30:22.000000000 -0400
10421 +++ linux-2.6.36.1/arch/x86/kernel/asm-offsets_64.c 2010-11-06 18:58:15.000000000 -0400
10422 @@ -63,6 +63,18 @@ int main(void)
10423 OFFSET(PV_CPU_irq_enable_sysexit, pv_cpu_ops, irq_enable_sysexit);
10424 OFFSET(PV_CPU_swapgs, pv_cpu_ops, swapgs);
10425 OFFSET(PV_MMU_read_cr2, pv_mmu_ops, read_cr2);
10427 +#ifdef CONFIG_PAX_KERNEXEC
10428 + OFFSET(PV_CPU_read_cr0, pv_cpu_ops, read_cr0);
10429 + OFFSET(PV_CPU_write_cr0, pv_cpu_ops, write_cr0);
10432 +#ifdef CONFIG_PAX_MEMORY_UDEREF
10433 + OFFSET(PV_MMU_read_cr3, pv_mmu_ops, read_cr3);
10434 + OFFSET(PV_MMU_write_cr3, pv_mmu_ops, write_cr3);
10435 + OFFSET(PV_MMU_set_pgd, pv_mmu_ops, set_pgd);
10441 @@ -115,6 +127,7 @@ int main(void)
10445 + DEFINE(TSS_size, sizeof(struct tss_struct));
10446 DEFINE(TSS_ist, offsetof(struct tss_struct, x86_tss.ist));
10448 DEFINE(crypto_tfm_ctx_offset, offsetof(struct crypto_tfm, __crt_ctx));
10449 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/common.c linux-2.6.36.1/arch/x86/kernel/cpu/common.c
10450 --- linux-2.6.36.1/arch/x86/kernel/cpu/common.c 2010-10-20 16:30:22.000000000 -0400
10451 +++ linux-2.6.36.1/arch/x86/kernel/cpu/common.c 2010-11-11 18:21:08.000000000 -0500
10452 @@ -83,60 +83,6 @@ static const struct cpu_dev __cpuinitcon
10454 static const struct cpu_dev *this_cpu __cpuinitdata = &default_cpu;
10456 -DEFINE_PER_CPU_PAGE_ALIGNED(struct gdt_page, gdt_page) = { .gdt = {
10457 -#ifdef CONFIG_X86_64
10459 - * We need valid kernel segments for data and code in long mode too
10460 - * IRET will check the segment types kkeil 2000/10/28
10461 - * Also sysret mandates a special GDT layout
10463 - * TLS descriptors are currently at a different place compared to i386.
10464 - * Hopefully nobody expects them at a fixed place (Wine?)
10466 - [GDT_ENTRY_KERNEL32_CS] = GDT_ENTRY_INIT(0xc09b, 0, 0xfffff),
10467 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xa09b, 0, 0xfffff),
10468 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc093, 0, 0xfffff),
10469 - [GDT_ENTRY_DEFAULT_USER32_CS] = GDT_ENTRY_INIT(0xc0fb, 0, 0xfffff),
10470 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f3, 0, 0xfffff),
10471 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xa0fb, 0, 0xfffff),
10473 - [GDT_ENTRY_KERNEL_CS] = GDT_ENTRY_INIT(0xc09a, 0, 0xfffff),
10474 - [GDT_ENTRY_KERNEL_DS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10475 - [GDT_ENTRY_DEFAULT_USER_CS] = GDT_ENTRY_INIT(0xc0fa, 0, 0xfffff),
10476 - [GDT_ENTRY_DEFAULT_USER_DS] = GDT_ENTRY_INIT(0xc0f2, 0, 0xfffff),
10478 - * Segments used for calling PnP BIOS have byte granularity.
10479 - * They code segments and data segments have fixed 64k limits,
10480 - * the transfer segment sizes are set at run time.
10482 - /* 32-bit code */
10483 - [GDT_ENTRY_PNPBIOS_CS32] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10484 - /* 16-bit code */
10485 - [GDT_ENTRY_PNPBIOS_CS16] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10486 - /* 16-bit data */
10487 - [GDT_ENTRY_PNPBIOS_DS] = GDT_ENTRY_INIT(0x0092, 0, 0xffff),
10488 - /* 16-bit data */
10489 - [GDT_ENTRY_PNPBIOS_TS1] = GDT_ENTRY_INIT(0x0092, 0, 0),
10490 - /* 16-bit data */
10491 - [GDT_ENTRY_PNPBIOS_TS2] = GDT_ENTRY_INIT(0x0092, 0, 0),
10493 - * The APM segments have byte granularity and their bases
10494 - * are set at run time. All have 64k limits.
10496 - /* 32-bit code */
10497 - [GDT_ENTRY_APMBIOS_BASE] = GDT_ENTRY_INIT(0x409a, 0, 0xffff),
10498 - /* 16-bit code */
10499 - [GDT_ENTRY_APMBIOS_BASE+1] = GDT_ENTRY_INIT(0x009a, 0, 0xffff),
10501 - [GDT_ENTRY_APMBIOS_BASE+2] = GDT_ENTRY_INIT(0x4092, 0, 0xffff),
10503 - [GDT_ENTRY_ESPFIX_SS] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10504 - [GDT_ENTRY_PERCPU] = GDT_ENTRY_INIT(0xc092, 0, 0xfffff),
10505 - GDT_STACK_CANARY_INIT
10508 -EXPORT_PER_CPU_SYMBOL_GPL(gdt_page);
10510 static int __init x86_xsave_setup(char *s)
10512 setup_clear_cpu_cap(X86_FEATURE_XSAVE);
10513 @@ -352,7 +298,7 @@ void switch_to_new_gdt(int cpu)
10515 struct desc_ptr gdt_descr;
10517 - gdt_descr.address = (long)get_cpu_gdt_table(cpu);
10518 + gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
10519 gdt_descr.size = GDT_SIZE - 1;
10520 load_gdt(&gdt_descr);
10521 /* Reload the per-cpu base */
10522 @@ -820,6 +766,10 @@ static void __cpuinit identify_cpu(struc
10523 /* Filter out anything that depends on CPUID levels we don't have */
10524 filter_cpuid_features(c, true);
10526 +#if defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_KERNEXEC) || (defined(CONFIG_PAX_MEMORY_UDEREF) && defined(CONFIG_X86_32))
10527 + setup_clear_cpu_cap(X86_FEATURE_SEP);
10530 /* If the model name is still unset, do table lookup. */
10531 if (!c->x86_model_id[0]) {
10533 @@ -1135,7 +1085,7 @@ void __cpuinit cpu_init(void)
10536 cpu = stack_smp_processor_id();
10537 - t = &per_cpu(init_tss, cpu);
10538 + t = init_tss + cpu;
10539 oist = &per_cpu(orig_ist, cpu);
10542 @@ -1161,7 +1111,7 @@ void __cpuinit cpu_init(void)
10543 switch_to_new_gdt(cpu);
10544 loadsegment(fs, 0);
10546 - load_idt((const struct desc_ptr *)&idt_descr);
10547 + load_idt(&idt_descr);
10549 memset(me->thread.tls_array, 0, GDT_ENTRY_TLS_ENTRIES * 8);
10551 @@ -1170,7 +1120,6 @@ void __cpuinit cpu_init(void)
10552 wrmsrl(MSR_KERNEL_GS_BASE, 0);
10555 - x86_configure_nx();
10559 @@ -1224,7 +1173,7 @@ void __cpuinit cpu_init(void)
10561 int cpu = smp_processor_id();
10562 struct task_struct *curr = current;
10563 - struct tss_struct *t = &per_cpu(init_tss, cpu);
10564 + struct tss_struct *t = init_tss + cpu;
10565 struct thread_struct *thread = &curr->thread;
10567 if (cpumask_test_and_set_cpu(cpu, cpu_initialized_mask)) {
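Review bot: The new `setup_clear_cpu_cap(X86_FEATURE_SEP)` under the SEGMEXEC/KERNEXEC/UDEREF ifdef in `identify_cpu` disables SYSENTER on every CPU with no comment on why, and the reason is not derivable from the line. Add one stating the actual constraint, e.g. `/* SEGMEXEC/KERNEXEC/UDEREF: sysenter is incompatible with the segment setup they rely on; use the int 0x80 path */`. The removal of `x86_configure_nx()` from `cpu_init` has no visible replacement in this file; if `__supported_pte_mask` is now set elsewhere in the patch, a note at the removal site or in the commit message should say where, because the hunk alone reads as NX setup being dropped. Both functions begin and end outside the hunks.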
10568 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c
10569 --- linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-10-20 16:30:22.000000000 -0400
10570 +++ linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/acpi-cpufreq.c 2010-11-06 18:58:15.000000000 -0400
10571 @@ -481,7 +481,7 @@ static const struct dmi_system_id sw_any
10572 DMI_MATCH(DMI_PRODUCT_NAME, "X6DLP"),
10576 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
10579 static int acpi_cpufreq_blacklist(struct cpuinfo_x86 *c)
10580 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c
10581 --- linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-10-20 16:30:22.000000000 -0400
10582 +++ linux-2.6.36.1/arch/x86/kernel/cpu/cpufreq/speedstep-centrino.c 2010-11-06 18:58:15.000000000 -0400
10583 @@ -226,7 +226,7 @@ static struct cpu_model models[] =
10584 { &cpu_ids[CPU_MP4HT_D0], NULL, 0, NULL },
10585 { &cpu_ids[CPU_MP4HT_E0], NULL, 0, NULL },
10588 + { NULL, NULL, 0, NULL}
10592 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/intel.c linux-2.6.36.1/arch/x86/kernel/cpu/intel.c
10593 --- linux-2.6.36.1/arch/x86/kernel/cpu/intel.c 2010-10-20 16:30:22.000000000 -0400
10594 +++ linux-2.6.36.1/arch/x86/kernel/cpu/intel.c 2010-11-06 18:58:15.000000000 -0400
10595 @@ -161,7 +161,7 @@ static void __cpuinit trap_init_f00f_bug
10596 * Update the IDT descriptor and reload the IDT so that
10597 * it uses the read-only mapped virtual address.
10599 - idt_descr.address = fix_to_virt(FIX_F00F_IDT);
10600 + idt_descr.address = (struct desc_struct *)fix_to_virt(FIX_F00F_IDT);
10601 load_idt(&idt_descr);
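Review bot: The new cast `(struct desc_struct *)fix_to_virt(FIX_F00F_IDT)` stores an IDT base through a field typed as a pointer to GDT entries; an IDT holds `gate_desc` entries, so the cast is a type pun the compiler cannot check. It is presumably forced by `desc_ptr.address` having been retyped elsewhere in this patch (the dropped `(long)` cast in arch/x86/kernel/cpu/common.c and the added `(unsigned long)gdt_desc.address` in arch/x86/kernel/doublefault_32.c point the same way). Either give the field a type that fits both GDT and IDT bases without casts, or add `/* desc_ptr.address is typed for the GDT; the IDT base needs this cast */` at this site. `trap_init_f00f_bug` continues outside the hunk.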
10604 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/Makefile linux-2.6.36.1/arch/x86/kernel/cpu/Makefile
10605 --- linux-2.6.36.1/arch/x86/kernel/cpu/Makefile 2010-10-20 16:30:22.000000000 -0400
10606 +++ linux-2.6.36.1/arch/x86/kernel/cpu/Makefile 2010-11-06 18:58:15.000000000 -0400
10607 @@ -8,10 +8,6 @@ CFLAGS_REMOVE_common.o = -pg
10608 CFLAGS_REMOVE_perf_event.o = -pg
10611 -# Make sure load_percpu_segment has no stackprotector
10612 -nostackp := $(call cc-option, -fno-stack-protector)
10613 -CFLAGS_common.o := $(nostackp)
10615 obj-y := intel_cacheinfo.o scattered.o topology.o
10616 obj-y += proc.o capflags.o powerflags.o common.o
10617 obj-y += vmware.o hypervisor.o sched.o mshyperv.o
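Review bot: The deleted block removed `-fstack-protector` from common.o for a stated reason (`# Make sure load_percpu_segment has no stackprotector`), and the hunk offers no replacement or justification. If `load_percpu_segment` still lives in common.c and still switches the per-CPU segment base through which the canary is read, re-enabling the stack protector there reintroduces exactly the hazard the comment warned about; if the patch handles it another way (a per-function attribute, or the canary no longer being segment-relative), say so in a comment where `nostackp` was. Until that is established, keep `nostackp := $(call cc-option, -fno-stack-protector)` and `CFLAGS_common.o := $(nostackp)`.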
10618 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/mcheck/mce.c linux-2.6.36.1/arch/x86/kernel/cpu/mcheck/mce.c
10619 --- linux-2.6.36.1/arch/x86/kernel/cpu/mcheck/mce.c 2010-10-20 16:30:22.000000000 -0400
10620 +++ linux-2.6.36.1/arch/x86/kernel/cpu/mcheck/mce.c 2010-11-06 18:58:15.000000000 -0400
10621 @@ -219,7 +219,7 @@ static void print_mce(struct mce *m)
10622 !(m->mcgstatus & MCG_STATUS_EIPV) ? " !INEXACT!" : "",
10625 - if (m->cs == __KERNEL_CS)
10626 + if (m->cs == __KERNEL_CS || m->cs == __KERNEXEC_KERNEL_CS)
10627 print_symbol("{%s}", m->ip);
10630 @@ -1460,14 +1460,14 @@ void __cpuinit mcheck_cpu_init(struct cp
10633 static DEFINE_SPINLOCK(mce_state_lock);
10634 -static int open_count; /* #times opened */
10635 +static atomic_t open_count; /* #times opened */
10636 static int open_exclu; /* already open exclusive? */
10638 static int mce_open(struct inode *inode, struct file *file)
10640 spin_lock(&mce_state_lock);
10642 - if (open_exclu || (open_count && (file->f_flags & O_EXCL))) {
10643 + if (open_exclu || (atomic_read(&open_count) && (file->f_flags & O_EXCL))) {
10644 spin_unlock(&mce_state_lock);
10647 @@ -1475,7 +1475,7 @@ static int mce_open(struct inode *inode,
10649 if (file->f_flags & O_EXCL)
10652 + atomic_inc(&open_count);
10654 spin_unlock(&mce_state_lock);
10656 @@ -1486,7 +1486,7 @@ static int mce_release(struct inode *ino
10658 spin_lock(&mce_state_lock);
10661 + atomic_dec(&open_count);
10664 spin_unlock(&mce_state_lock);
10665 @@ -1672,6 +1672,7 @@ static struct miscdevice mce_log_device
10669 + {NULL, NULL}, NULL, NULL
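Review bot: `open_count` becomes `atomic_t`, yet every access shown (`atomic_read` in `mce_open`, `atomic_inc`, and `atomic_dec` in `mce_release`) still happens under `mce_state_lock`, so the atomic operations add no synchronization. Presumably the change feeds this patch's overflow checking on `atomic_t`, but that is inferred; a comment at the declaration, e.g. `static atomic_t open_count; /* atomic_t for overflow checking; still protected by mce_state_lock */`, stops the next reader from reverting it as redundant. The `mce_log_device` initializer line `{NULL, NULL}, NULL, NULL` at -1672 is positional (the surrounding lines are not visible); designated initializers for the members actually set, leaving the rest implicitly zero, is the usual kernel form and survives struct reordering.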
10673 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/generic.c linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/generic.c
10674 --- linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/generic.c 2010-10-20 16:30:22.000000000 -0400
10675 +++ linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/generic.c 2010-11-06 18:58:15.000000000 -0400
10676 @@ -28,7 +28,7 @@ static struct fixed_range_block fixed_ra
10677 { MSR_MTRRfix64K_00000, 1 }, /* one 64k MTRR */
10678 { MSR_MTRRfix16K_80000, 2 }, /* two 16k MTRRs */
10679 { MSR_MTRRfix4K_C0000, 8 }, /* eight 4k MTRRs */
10684 static unsigned long smp_changes_mask;
10685 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/main.c linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/main.c
10686 --- linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/main.c 2010-10-20 16:30:22.000000000 -0400
10687 +++ linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/main.c 2010-11-06 18:58:15.000000000 -0400
10688 @@ -61,7 +61,7 @@ static DEFINE_MUTEX(mtrr_mutex);
10689 u64 size_or_mask, size_and_mask;
10690 static bool mtrr_aps_delayed_init;
10692 -static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM];
10693 +static const struct mtrr_ops *mtrr_ops[X86_VENDOR_NUM] __read_only;
10695 const struct mtrr_ops *mtrr_if;
10697 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/mtrr.h linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/mtrr.h
10698 --- linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-10-20 16:30:22.000000000 -0400
10699 +++ linux-2.6.36.1/arch/x86/kernel/cpu/mtrr/mtrr.h 2010-11-06 18:58:15.000000000 -0400
10700 @@ -12,19 +12,19 @@
10701 extern unsigned int mtrr_usage_table[MTRR_MAX_VAR_RANGES];
10705 - u32 use_intel_if;
10706 - void (*set)(unsigned int reg, unsigned long base,
10707 + const u32 vendor;
10708 + const u32 use_intel_if;
10709 + void (* const set)(unsigned int reg, unsigned long base,
10710 unsigned long size, mtrr_type type);
10711 - void (*set_all)(void);
10712 + void (* const set_all)(void);
10714 - void (*get)(unsigned int reg, unsigned long *base,
10715 + void (* const get)(unsigned int reg, unsigned long *base,
10716 unsigned long *size, mtrr_type *type);
10717 - int (*get_free_region)(unsigned long base, unsigned long size,
10718 + int (* const get_free_region)(unsigned long base, unsigned long size,
10720 - int (*validate_add_page)(unsigned long base, unsigned long size,
10721 + int (* const validate_add_page)(unsigned long base, unsigned long size,
10722 unsigned int type);
10723 - int (*have_wrcomb)(void);
10724 + int (* const have_wrcomb)(void);
10727 extern int generic_get_free_region(unsigned long base, unsigned long size,
10728 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/perfctr-watchdog.c linux-2.6.36.1/arch/x86/kernel/cpu/perfctr-watchdog.c
10729 --- linux-2.6.36.1/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-10-20 16:30:22.000000000 -0400
10730 +++ linux-2.6.36.1/arch/x86/kernel/cpu/perfctr-watchdog.c 2010-11-06 18:58:15.000000000 -0400
10731 @@ -30,11 +30,11 @@ struct nmi_watchdog_ctlblk {
10733 /* Interface defining a CPU specific perfctr watchdog */
10735 - int (*reserve)(void);
10736 - void (*unreserve)(void);
10737 - int (*setup)(unsigned nmi_hz);
10738 - void (*rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10739 - void (*stop)(void);
10740 + int (* const reserve)(void);
10741 + void (* const unreserve)(void);
10742 + int (* const setup)(unsigned nmi_hz);
10743 + void (* const rearm)(struct nmi_watchdog_ctlblk *wd, unsigned nmi_hz);
10744 + void (* const stop)(void);
10748 @@ -634,6 +634,7 @@ static const struct wd_ops p4_wd_ops = {
10749 #define ARCH_PERFMON_NMI_EVENT_SEL ARCH_PERFMON_UNHALTED_CORE_CYCLES_SEL
10750 #define ARCH_PERFMON_NMI_EVENT_UMASK ARCH_PERFMON_UNHALTED_CORE_CYCLES_UMASK
10752 +/* cannot be const, see probe_nmi_watchdog */
10753 static struct wd_ops intel_arch_wd_ops;
10755 static int setup_intel_arch_watchdog(unsigned nmi_hz)
10756 @@ -686,6 +687,7 @@ static int setup_intel_arch_watchdog(uns
10760 +/* cannot be const */
10761 static struct wd_ops intel_arch_wd_ops __read_mostly = {
10762 .reserve = single_msr_reserve,
10763 .unreserve = single_msr_unreserve,
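Review bot: The two new comments on `intel_arch_wd_ops` explain the same exception differently — `/* cannot be const, see probe_nmi_watchdog */` on the forward declaration at -634 and a bare `/* cannot be const */` on the definition at -686. Give the second one the same reference (`/* cannot be const, see probe_nmi_watchdog */`), since the definition is where a reader will try adding `const` to match the other `wd_ops` tables.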
10764 diff -urNp linux-2.6.36.1/arch/x86/kernel/cpu/perf_event.c linux-2.6.36.1/arch/x86/kernel/cpu/perf_event.c
10765 --- linux-2.6.36.1/arch/x86/kernel/cpu/perf_event.c 2010-10-20 16:30:22.000000000 -0400
10766 +++ linux-2.6.36.1/arch/x86/kernel/cpu/perf_event.c 2010-11-06 18:58:15.000000000 -0400
10767 @@ -1732,7 +1732,7 @@ perf_callchain_user(struct pt_regs *regs
10770 callchain_store(entry, frame.return_address);
10771 - fp = frame.next_frame;
10772 + fp = (__force const void __user *)frame.next_frame;
10776 diff -urNp linux-2.6.36.1/arch/x86/kernel/crash.c linux-2.6.36.1/arch/x86/kernel/crash.c
10777 --- linux-2.6.36.1/arch/x86/kernel/crash.c 2010-10-20 16:30:22.000000000 -0400
10778 +++ linux-2.6.36.1/arch/x86/kernel/crash.c 2010-11-06 18:58:15.000000000 -0400
10779 @@ -42,7 +42,7 @@ static void kdump_nmi_callback(int cpu,
10782 #ifdef CONFIG_X86_32
10783 - if (!user_mode_vm(regs)) {
10784 + if (!user_mode(regs)) {
10785 crash_fixup_ss_esp(&fixed_regs, regs);
10786 regs = &fixed_regs;
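Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` on the X86_32 path of `kdump_nmi_callback` changes meaning: `user_mode()` tests only the CS RPL, while `user_mode_vm()` also treats a VM86 frame (EFLAGS.VM set) as user mode. Unless this patch redefines `user_mode()` to cover that case or removes VM86 support, a crash taken while a vm86 task is running will now have `crash_fixup_ss_esp()` applied to a user frame. The same substitution appears in arch/x86/kernel/dumpstack_32.c `show_registers`. If the redefinition exists, a comment at one of these sites pointing to it would pre-empt the question; the enclosing function continues outside the hunk.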
10788 diff -urNp linux-2.6.36.1/arch/x86/kernel/doublefault_32.c linux-2.6.36.1/arch/x86/kernel/doublefault_32.c
10789 --- linux-2.6.36.1/arch/x86/kernel/doublefault_32.c 2010-10-20 16:30:22.000000000 -0400
10790 +++ linux-2.6.36.1/arch/x86/kernel/doublefault_32.c 2010-11-06 18:58:15.000000000 -0400
10793 #define DOUBLEFAULT_STACKSIZE (1024)
10794 static unsigned long doublefault_stack[DOUBLEFAULT_STACKSIZE];
10795 -#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE)
10796 +#define STACK_START (unsigned long)(doublefault_stack+DOUBLEFAULT_STACKSIZE-2)
10798 #define ptr_ok(x) ((x) > PAGE_OFFSET && (x) < PAGE_OFFSET + MAXMEM)
10800 @@ -21,7 +21,7 @@ static void doublefault_fn(void)
10801 unsigned long gdt, tss;
10803 store_gdt(&gdt_desc);
10804 - gdt = gdt_desc.address;
10805 + gdt = (unsigned long)gdt_desc.address;
10807 printk(KERN_EMERG "PANIC: double fault, gdt at %08lx [%d bytes]\n", gdt, gdt_desc.size);
10809 @@ -58,10 +58,10 @@ struct tss_struct doublefault_tss __cach
10810 /* 0x2 bit is always set */
10811 .flags = X86_EFLAGS_SF | 0x2,
10814 + .es = __KERNEL_DS,
10818 + .ds = __KERNEL_DS,
10819 .fs = __KERNEL_PERCPU,
10821 .__cr3 = __pa_nodebug(swapper_pg_dir),
10822 diff -urNp linux-2.6.36.1/arch/x86/kernel/dumpstack_32.c linux-2.6.36.1/arch/x86/kernel/dumpstack_32.c
10823 --- linux-2.6.36.1/arch/x86/kernel/dumpstack_32.c 2010-10-20 16:30:22.000000000 -0400
10824 +++ linux-2.6.36.1/arch/x86/kernel/dumpstack_32.c 2010-11-06 18:58:15.000000000 -0400
10825 @@ -105,11 +105,12 @@ void show_registers(struct pt_regs *regs
10826 * When in-kernel, we also print out the stack and code at the
10827 * time of the fault..
10829 - if (!user_mode_vm(regs)) {
10830 + if (!user_mode(regs)) {
10831 unsigned int code_prologue = code_bytes * 43 / 64;
10832 unsigned int code_len = code_bytes;
10835 + unsigned long cs_base = get_desc_base(&get_cpu_gdt_table(smp_processor_id())[(0xffff & regs->cs) >> 3]);
10837 printk(KERN_EMERG "Stack:\n");
10838 show_stack_log_lvl(NULL, regs, ®s->sp,
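Review bot: The new `cs_base` line derives a GDT index from regs->cs with no comment on why a segment base is suddenly needed, and a reader of the later `ip = ... + cs_base` arithmetic cannot recover the reason; a comment such as `/* the kernel CS may be non-zero-based here, so add its base to turn %eip into a linear address */` would make the intent explicit (the reason is inferred from the arithmetic, not stated in the hunk — verify). The index `(0xffff & regs->cs) >> 3` also discards the TI bit and is never range-checked, which is acceptable inside the `!user_mode(regs)` branch only because a kernel CS is a GDT selector, so that assumption is worth stating on the same line. show_registers continues outside the hunk and the remaining uses of cs_base are in the two hunks that follow.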
10839 @@ -117,10 +118,10 @@ void show_registers(struct pt_regs *regs
10841 printk(KERN_EMERG "Code: ");
10843 - ip = (u8 *)regs->ip - code_prologue;
10844 + ip = (u8 *)regs->ip - code_prologue + cs_base;
10845 if (ip < (u8 *)PAGE_OFFSET || probe_kernel_address(ip, c)) {
10846 /* try starting at IP */
10847 - ip = (u8 *)regs->ip;
10848 + ip = (u8 *)regs->ip + cs_base;
10849 code_len = code_len - code_prologue + 1;
10851 for (i = 0; i < code_len; i++, ip++) {
10852 @@ -129,7 +130,7 @@ void show_registers(struct pt_regs *regs
10853 printk(" Bad EIP value.");
10856 - if (ip == (u8 *)regs->ip)
10857 + if (ip == (u8 *)regs->ip + cs_base)
10858 printk("<%02x> ", c);
10860 printk("%02x ", c);
10861 @@ -142,6 +143,7 @@ int is_valid_bugaddr(unsigned long ip)
10863 unsigned short ud2;
10865 + ip = ktla_ktva(ip);
10866 if (ip < PAGE_OFFSET)
10868 if (probe_kernel_address((unsigned short *)ip, ud2))
10869 diff -urNp linux-2.6.36.1/arch/x86/kernel/dumpstack.c linux-2.6.36.1/arch/x86/kernel/dumpstack.c
10870 --- linux-2.6.36.1/arch/x86/kernel/dumpstack.c 2010-10-20 16:30:22.000000000 -0400
10871 +++ linux-2.6.36.1/arch/x86/kernel/dumpstack.c 2010-11-13 16:29:01.000000000 -0500
10872 @@ -27,7 +27,7 @@ static int die_counter;
10874 void printk_address(unsigned long address, int reliable)
10876 - printk(" [<%p>] %s%pS\n", (void *) address,
10877 + printk(" [<%p>] %s%pA\n", (void *) address,
10878 reliable ? "" : "? ", (void *) address);
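Review bot: `%pA` is not a pointer extension known to the vanilla lib/vsprintf.c of this kernel, so printk_address would fall through to the default `%p` handling unless the patch adds an `'A'` case there; that change is not in this chunk, so confirm it belongs to the same patch and reference it at the call site, e.g. `/* %pA: symbol lookup that accounts for the kernel text offset, see lib/vsprintf.c */` (the meaning is inferred from the patch's other ktla_ktva changes — verify). printk_address's body continues outside the hunk.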
10881 @@ -206,7 +206,7 @@ void dump_stack(void)
10884 printk("Pid: %d, comm: %.20s xid: #%u %s %s %.*s\n",
10885 - current->pid, current->comm, current->xid, print_tainted(),
10886 + task_pid_nr(current), current->comm, current->xid, print_tainted(),
10887 init_utsname()->release,
10888 (int)strcspn(init_utsname()->version, " "),
10889 init_utsname()->version);
10890 @@ -262,7 +262,7 @@ void __kprobes oops_end(unsigned long fl
10891 panic("Fatal exception in interrupt");
10893 panic("Fatal exception");
10895 + do_group_exit(signr);
10898 int __kprobes __die(const char *str, struct pt_regs *regs, long err)
10899 @@ -289,7 +289,7 @@ int __kprobes __die(const char *str, str
10901 show_registers(regs);
10902 #ifdef CONFIG_X86_32
10903 - if (user_mode_vm(regs)) {
10904 + if (user_mode(regs)) {
10906 ss = regs->ss & 0xffff;
10908 @@ -317,7 +317,7 @@ void die(const char *str, struct pt_regs
10909 unsigned long flags = oops_begin();
10912 - if (!user_mode_vm(regs))
10913 + if (!user_mode(regs))
10914 report_bug(regs->ip, regs);
10916 if (__die(str, regs, err))
10917 diff -urNp linux-2.6.36.1/arch/x86/kernel/efi_32.c linux-2.6.36.1/arch/x86/kernel/efi_32.c
10918 --- linux-2.6.36.1/arch/x86/kernel/efi_32.c 2010-10-20 16:30:22.000000000 -0400
10919 +++ linux-2.6.36.1/arch/x86/kernel/efi_32.c 2010-11-06 18:58:15.000000000 -0400
10920 @@ -38,70 +38,38 @@
10923 static unsigned long efi_rt_eflags;
10924 -static pgd_t efi_bak_pg_dir_pointer[2];
10925 +static pgd_t __initdata efi_bak_pg_dir_pointer[KERNEL_PGD_PTRS];
10927 -void efi_call_phys_prelog(void)
10928 +void __init efi_call_phys_prelog(void)
10930 - unsigned long cr4;
10931 - unsigned long temp;
10932 struct desc_ptr gdt_descr;
10934 local_irq_save(efi_rt_eflags);
10937 - * If I don't have PAE, I should just duplicate two entries in page
10938 - * directory. If I have PAE, I just need to duplicate one entry in
10939 - * page directory.
10941 - cr4 = read_cr4_safe();
10943 - if (cr4 & X86_CR4_PAE) {
10944 - efi_bak_pg_dir_pointer[0].pgd =
10945 - swapper_pg_dir[pgd_index(0)].pgd;
10946 - swapper_pg_dir[0].pgd =
10947 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10949 - efi_bak_pg_dir_pointer[0].pgd =
10950 - swapper_pg_dir[pgd_index(0)].pgd;
10951 - efi_bak_pg_dir_pointer[1].pgd =
10952 - swapper_pg_dir[pgd_index(0x400000)].pgd;
10953 - swapper_pg_dir[pgd_index(0)].pgd =
10954 - swapper_pg_dir[pgd_index(PAGE_OFFSET)].pgd;
10955 - temp = PAGE_OFFSET + 0x400000;
10956 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10957 - swapper_pg_dir[pgd_index(temp)].pgd;
10959 + clone_pgd_range(efi_bak_pg_dir_pointer, swapper_pg_dir, KERNEL_PGD_PTRS);
10960 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
10961 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
10964 * After the lock is released, the original page table is restored.
10968 - gdt_descr.address = __pa(get_cpu_gdt_table(0));
10969 + gdt_descr.address = (struct desc_struct *)__pa(get_cpu_gdt_table(0));
10970 gdt_descr.size = GDT_SIZE - 1;
10971 load_gdt(&gdt_descr);
10974 -void efi_call_phys_epilog(void)
10975 +void __init efi_call_phys_epilog(void)
10977 - unsigned long cr4;
10978 struct desc_ptr gdt_descr;
10980 - gdt_descr.address = (unsigned long)get_cpu_gdt_table(0);
10981 + gdt_descr.address = get_cpu_gdt_table(0);
10982 gdt_descr.size = GDT_SIZE - 1;
10983 load_gdt(&gdt_descr);
10985 - cr4 = read_cr4_safe();
10987 - if (cr4 & X86_CR4_PAE) {
10988 - swapper_pg_dir[pgd_index(0)].pgd =
10989 - efi_bak_pg_dir_pointer[0].pgd;
10991 - swapper_pg_dir[pgd_index(0)].pgd =
10992 - efi_bak_pg_dir_pointer[0].pgd;
10993 - swapper_pg_dir[pgd_index(0x400000)].pgd =
10994 - efi_bak_pg_dir_pointer[1].pgd;
10996 + clone_pgd_range(swapper_pg_dir, efi_bak_pg_dir_pointer, KERNEL_PGD_PTRS);
10999 * After the lock is released, the original page table is restored.
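Review bot: Marking efi_call_phys_prelog/efi_call_phys_epilog `__init` and the backup `efi_bak_pg_dir_pointer` `__initdata` is correct only if every caller runs before init memory is released; the physical-mode callers in arch/x86/kernel/efi.c of this kernel (phys_efi_set_virtual_address_map, phys_efi_get_time) are __init themselves, but any later runtime-service call through efi_call_phys would now read a freed pgd backup, so the constraint belongs on the definition, e.g. `/* early boot only: the saved pgd copy lives in .init.data */`. The `#include <linux/init.h>` added to efi_stub_32.S suggests the stub is moved into an init section as well, and the same caveat applies to it. The clone_pgd_range() into `swapper_pg_dir` bounding its count with min_t() is good; the retained "After the lock is released" comment, however, no longer describes anything in this function.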
11000 diff -urNp linux-2.6.36.1/arch/x86/kernel/efi_stub_32.S linux-2.6.36.1/arch/x86/kernel/efi_stub_32.S
11001 --- linux-2.6.36.1/arch/x86/kernel/efi_stub_32.S 2010-10-20 16:30:22.000000000 -0400
11002 +++ linux-2.6.36.1/arch/x86/kernel/efi_stub_32.S 2010-11-06 18:58:15.000000000 -0400
11006 #include <linux/linkage.h>
11007 +#include <linux/init.h>
11008 #include <asm/page_types.h>
11012 * service functions will comply with gcc calling convention, too.
11017 ENTRY(efi_call_phys)
11019 * 0. The function can only be called in Linux kernel. So CS has been
11020 @@ -36,9 +37,7 @@ ENTRY(efi_call_phys)
11021 * The mapping of lower virtual memory has been created in prelog and
11025 - subl $__PAGE_OFFSET, %edx
11027 + jmp 1f-__PAGE_OFFSET
11031 @@ -47,14 +46,8 @@ ENTRY(efi_call_phys)
11032 * parameter 2, ..., param n. To make things easy, we save the return
11033 * address of efi_call_phys in a global variable.
11036 - movl %edx, saved_return_addr
11037 - /* get the function pointer into ECX*/
11039 - movl %ecx, efi_rt_function_ptr
11041 - subl $__PAGE_OFFSET, %edx
11043 + popl (saved_return_addr)
11044 + popl (efi_rt_function_ptr)
11047 * 3. Clear PG bit in %CR0.
11048 @@ -73,9 +66,8 @@ ENTRY(efi_call_phys)
11050 * 5. Call the physical function.
11053 + call *(efi_rt_function_ptr-__PAGE_OFFSET)
11057 * 6. After EFI runtime service returns, control will return to
11058 * following instruction. We'd better readjust stack pointer first.
11059 @@ -88,35 +80,28 @@ ENTRY(efi_call_phys)
11061 orl $0x80000000, %edx
11067 * 8. Now restore the virtual mode from flat mode by
11068 * adding EIP with PAGE_OFFSET.
11072 + jmp 1f+__PAGE_OFFSET
11076 * 9. Balance the stack. And because EAX contain the return value,
11077 * we'd better not clobber it.
11079 - leal efi_rt_function_ptr, %edx
11080 - movl (%edx), %ecx
11082 + pushl (efi_rt_function_ptr)
11085 - * 10. Push the saved return address onto the stack and return.
11086 + * 10. Return to the saved return address.
11088 - leal saved_return_addr, %edx
11089 - movl (%edx), %ecx
11092 + jmpl *(saved_return_addr)
11093 ENDPROC(efi_call_phys)
11100 efi_rt_function_ptr:
11101 diff -urNp linux-2.6.36.1/arch/x86/kernel/entry_32.S linux-2.6.36.1/arch/x86/kernel/entry_32.S
11102 --- linux-2.6.36.1/arch/x86/kernel/entry_32.S 2010-10-20 16:30:22.000000000 -0400
11103 +++ linux-2.6.36.1/arch/x86/kernel/entry_32.S 2010-11-06 18:58:15.000000000 -0400
11104 @@ -192,7 +192,67 @@
11106 #endif /* CONFIG_X86_32_LAZY_GS */
11109 +.macro PAX_EXIT_KERNEL
11110 +#ifdef CONFIG_PAX_KERNEXEC
11111 +#ifdef CONFIG_PARAVIRT
11112 + push %eax; push %ecx;
11115 + cmp $__KERNEXEC_KERNEL_CS, %esi
11117 +#ifdef CONFIG_PARAVIRT
11118 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0);
11124 + ljmp $__KERNEL_CS, $1f
11126 +#ifdef CONFIG_PARAVIRT
11128 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0);
11133 +#ifdef CONFIG_PARAVIRT
11134 + pop %ecx; pop %eax
11139 +.macro PAX_ENTER_KERNEL
11140 +#ifdef CONFIG_PAX_KERNEXEC
11141 +#ifdef CONFIG_PARAVIRT
11142 + push %eax; push %ecx;
11143 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_read_cr0)
11151 + cmp $__KERNEL_CS, %esi
11153 + ljmp $__KERNEL_CS, $3f
11154 +1: ljmp $__KERNEXEC_KERNEL_CS, $2f
11156 +#ifdef CONFIG_PARAVIRT
11158 + call PARA_INDIRECT(pv_cpu_ops+PV_CPU_write_cr0)
11163 +#ifdef CONFIG_PARAVIRT
11164 + pop %ecx; pop %eax
11169 +.macro __SAVE_ALL _DS
11173 @@ -225,7 +285,7 @@
11175 CFI_ADJUST_CFA_OFFSET 4
11176 CFI_REL_OFFSET ebx, 0
11177 - movl $(__USER_DS), %edx
11181 movl $(__KERNEL_PERCPU), %edx
11182 @@ -233,6 +293,15 @@
11187 +#if defined(CONFIG_PAX_KERNEXEC) || defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC) || defined(CONFIG_PAX_MEMORY_UDEREF)
11188 + __SAVE_ALL __KERNEL_DS
11191 + __SAVE_ALL __USER_DS
11195 .macro RESTORE_INT_REGS
11197 CFI_ADJUST_CFA_OFFSET -4
11198 @@ -357,7 +426,15 @@ check_userspace:
11199 movb PT_CS(%esp), %al
11200 andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax
11201 cmpl $USER_RPL, %eax
11203 +#ifdef CONFIG_PAX_KERNEXEC
11204 + jae resume_userspace
11207 + jmp resume_kernel
11209 jb resume_kernel # not returning to v8086 or userspace
11212 ENTRY(resume_userspace)
11214 @@ -423,10 +500,9 @@ sysenter_past_esp:
11215 /*CFI_REL_OFFSET cs, 0*/
11217 * Push current_thread_info()->sysenter_return to the stack.
11218 - * A tiny bit of offset fixup is necessary - 4*4 means the 4 words
11219 - * pushed above; +8 corresponds to copy_thread's esp0 setting.
11221 - pushl (TI_sysenter_return-THREAD_SIZE+8+4*4)(%esp)
11222 + GET_THREAD_INFO(%ebp)
11223 + pushl TI_sysenter_return(%ebp)
11224 CFI_ADJUST_CFA_OFFSET 4
11225 CFI_REL_OFFSET eip, 0
11227 @@ -439,9 +515,19 @@ sysenter_past_esp:
11228 * Load the potential sixth argument from user stack.
11229 * Careful about security.
11231 + movl PT_OLDESP(%esp),%ebp
11233 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11234 + mov PT_OLDSS(%esp),%ds
11235 +1: movl %ds:(%ebp),%ebp
11239 cmpl $__PAGE_OFFSET-3,%ebp
11241 1: movl (%ebp),%ebp
11244 movl %ebp,PT_EBP(%esp)
11245 .section __ex_table,"a"
11247 @@ -464,12 +550,23 @@ sysenter_do_call:
11248 testl $_TIF_ALLWORK_MASK, %ecx
11252 +#ifdef CONFIG_PAX_RANDKSTACK
11254 + CFI_ADJUST_CFA_OFFSET 4
11255 + call pax_randomize_kstack
11257 + CFI_ADJUST_CFA_OFFSET -4
11260 /* if something modifies registers it must also disable sysexit */
11261 movl PT_EIP(%esp), %edx
11262 movl PT_OLDESP(%esp), %ecx
11265 1: mov PT_FS(%esp), %fs
11266 +2: mov PT_DS(%esp), %ds
11267 +3: mov PT_ES(%esp), %es
11269 ENABLE_INTERRUPTS_SYSEXIT
11271 @@ -513,11 +610,17 @@ sysexit_audit:
11274 .pushsection .fixup,"ax"
11275 -2: movl $0,PT_FS(%esp)
11276 +4: movl $0,PT_FS(%esp)
11278 +5: movl $0,PT_DS(%esp)
11280 +6: movl $0,PT_ES(%esp)
11282 .section __ex_table,"a"
11290 ENDPROC(ia32_sysenter_target)
11291 @@ -551,6 +654,10 @@ syscall_exit:
11292 testl $_TIF_ALLWORK_MASK, %ecx # current->work
11293 jne syscall_exit_work
11295 +#ifdef CONFIG_PAX_RANDKSTACK
11296 + call pax_randomize_kstack
11301 restore_all_notrace:
11302 @@ -611,14 +718,21 @@ ldt_ss:
11303 * compensating for the offset by changing to the ESPFIX segment with
11304 * a base address that matches for the difference.
11306 -#define GDT_ESPFIX_SS PER_CPU_VAR(gdt_page) + (GDT_ENTRY_ESPFIX_SS * 8)
11307 +#define GDT_ESPFIX_SS (GDT_ENTRY_ESPFIX_SS * 8)(%ebx)
11308 mov %esp, %edx /* load kernel esp */
11309 mov PT_OLDESP(%esp), %eax /* load userspace esp */
11310 mov %dx, %ax /* eax: new kernel esp */
11311 sub %eax, %edx /* offset (low word is 0) */
11313 + movl PER_CPU_VAR(cpu_number), %ebx
11314 + shll $PAGE_SHIFT_asm, %ebx
11315 + addl $cpu_gdt_table, %ebx
11317 + movl $cpu_gdt_table, %ebx
11320 - mov %dl, GDT_ESPFIX_SS + 4 /* bits 16..23 */
11321 - mov %dh, GDT_ESPFIX_SS + 7 /* bits 24..31 */
11322 + mov %dl, 4 + GDT_ESPFIX_SS /* bits 16..23 */
11323 + mov %dh, 7 + GDT_ESPFIX_SS /* bits 24..31 */
11325 CFI_ADJUST_CFA_OFFSET 4
11326 push %eax /* new kernel esp */
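Review bot: `GDT_ESPFIX_SS` is now `%ebx`-relative, so every expansion silently depends on `%ebx` having been loaded with this CPU's GDT just before it, and FIXUP_ESPFIX_STACK (the `ptregs_clone` hunk below) now clobbers `%ebx` where the original clobbered only `%eax`. At the visible call site (`FIXUP_ESPFIX_STACK # %eax == %esp` in nmi_espfix_stack) the registers appear to have been saved first, but the macro's other users are outside this chunk and need the same guarantee. A comment on the define, `/* %ebx must point at the current CPU's GDT page (see ldt_ss / FIXUP_ESPFIX_STACK) */`, and `/* clobbers %ebx */` on the macro would make the contract explicit. The SMP/UP branches that load `%ebx` are separated by preprocessor lines not shown in this rendering.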
11327 @@ -655,25 +769,19 @@ work_resched:
11329 work_notifysig: # deal with pending signals and
11330 # notify-resume requests
11333 testl $X86_EFLAGS_VM, PT_EFLAGS(%esp)
11335 - jne work_notifysig_v86 # returning to kernel-space or
11336 + jz 1f # returning to kernel-space or
11339 - call do_notify_resume
11340 - jmp resume_userspace_sig
11343 -work_notifysig_v86:
11344 pushl %ecx # save ti_flags for do_notify_resume
11345 CFI_ADJUST_CFA_OFFSET 4
11346 call save_v86_state # %eax contains pt_regs pointer
11348 CFI_ADJUST_CFA_OFFSET -4
11355 call do_notify_resume
11356 @@ -708,6 +816,10 @@ END(syscall_exit_work)
11358 RING0_INT_FRAME # can't unwind into user space anyway
11360 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11364 GET_THREAD_INFO(%ebp)
11365 movl $-EFAULT,PT_EAX(%esp)
11366 jmp resume_userspace
11367 @@ -791,8 +903,15 @@ ptregs_clone:
11368 * normal stack and adjusts ESP with the matching offset.
11370 /* fixup the stack */
11371 - mov GDT_ESPFIX_SS + 4, %al /* bits 16..23 */
11372 - mov GDT_ESPFIX_SS + 7, %ah /* bits 24..31 */
11374 + movl PER_CPU_VAR(cpu_number), %ebx
11375 + shll $PAGE_SHIFT_asm, %ebx
11376 + addl $cpu_gdt_table, %ebx
11378 + movl $cpu_gdt_table, %ebx
11380 + mov 4 + GDT_ESPFIX_SS, %al /* bits 16..23 */
11381 + mov 7 + GDT_ESPFIX_SS, %ah /* bits 24..31 */
11383 addl %esp, %eax /* the adjusted stack pointer */
11385 @@ -1275,7 +1394,6 @@ return_to_handler:
11389 -.section .rodata,"a"
11390 #include "syscall_table_32.S"
11392 syscall_table_size=(.-sys_call_table)
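Review bot: Dropping `.section .rodata,"a"` before `#include "syscall_table_32.S"` moves sys_call_table into whatever section precedes it in this file unless syscall_table_32.S now selects a section itself, which is not visible here; since the syscall table is an integrity-critical object, the new placement and why it remains write-protected deserve a comment at the include, e.g. `/* sys_call_table is emitted into the preceding section so the KERNEXEC read-only text mapping covers it */` once that is confirmed. Without such a comment a later reader may reintroduce the .rodata directive or assume the table is writable.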
11393 @@ -1332,9 +1450,12 @@ error_code:
11394 movl $-1, PT_ORIG_EAX(%esp) # no syscall to restart
11397 - movl $(__USER_DS), %ecx
11398 + movl $(__KERNEL_DS), %ecx
11405 movl %esp,%eax # pt_regs pointer
11407 @@ -1428,6 +1549,9 @@ nmi_stack_correct:
11408 xorl %edx,%edx # zero error code
11409 movl %esp,%eax # pt_regs pointer
11414 jmp restore_all_notrace
11417 @@ -1468,6 +1592,9 @@ nmi_espfix_stack:
11418 FIXUP_ESPFIX_STACK # %eax == %esp
11419 xorl %edx,%edx # zero error code
11425 lss 12+4(%esp), %esp # back to espfix stack
11426 CFI_ADJUST_CFA_OFFSET -24
11427 diff -urNp linux-2.6.36.1/arch/x86/kernel/entry_64.S linux-2.6.36.1/arch/x86/kernel/entry_64.S
11428 --- linux-2.6.36.1/arch/x86/kernel/entry_64.S 2010-10-20 16:30:22.000000000 -0400
11429 +++ linux-2.6.36.1/arch/x86/kernel/entry_64.S 2010-11-06 18:58:15.000000000 -0400
11431 #include <asm/paravirt.h>
11432 #include <asm/ftrace.h>
11433 #include <asm/percpu.h>
11434 +#include <asm/pgtable.h>
11436 /* Avoid __ASSEMBLER__'ifying <linux/audit.h> just for this. */
11437 #include <linux/elf-em.h>
11438 @@ -174,6 +175,189 @@ ENTRY(native_usergs_sysret64)
11439 ENDPROC(native_usergs_sysret64)
11440 #endif /* CONFIG_PARAVIRT */
11442 + .macro ljmpq sel, off
11443 +#if defined(CONFIG_MCORE2) || defined (CONFIG_MATOM)
11444 + .byte 0x48; ljmp *1234f(%rip)
11445 + .pushsection .rodata
11447 + 1234: .quad \off; .word \sel
11456 +ENTRY(pax_enter_kernel)
11458 +#ifdef CONFIG_PAX_KERNEXEC
11461 +#ifdef CONFIG_PARAVIRT
11462 + PV_SAVE_REGS(CLBR_RDI)
11469 + cmp $__KERNEL_CS,%edi
11471 + ljmpq __KERNEL_CS,3f
11472 +1: ljmpq __KERNEXEC_KERNEL_CS,2f
11473 +2: SET_RDI_INTO_CR0
11476 +#ifdef CONFIG_PARAVIRT
11477 + PV_RESTORE_REGS(CLBR_RDI)
11484 +ENDPROC(pax_enter_kernel)
11486 +ENTRY(pax_exit_kernel)
11488 +#ifdef CONFIG_PAX_KERNEXEC
11491 +#ifdef CONFIG_PARAVIRT
11492 + PV_SAVE_REGS(CLBR_RDI)
11496 + cmp $__KERNEXEC_KERNEL_CS,%edi
11500 + ljmpq __KERNEL_CS,1f
11501 +1: SET_RDI_INTO_CR0
11504 +#ifdef CONFIG_PARAVIRT
11505 + PV_RESTORE_REGS(CLBR_RDI);
11512 +ENDPROC(pax_exit_kernel)
11514 +ENTRY(pax_enter_kernel_user)
11516 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11520 +#ifdef CONFIG_PARAVIRT
11521 + PV_SAVE_REGS(CLBR_RDI)
11526 + add $__START_KERNEL_map,%rbx
11527 + sub phys_base(%rip),%rbx
11529 +#ifdef CONFIG_PARAVIRT
11531 + cmpl $0, pv_info+PARAVIRT_enabled
11534 + .rept USER_PGD_PTRS
11535 + mov i*8(%rbx),%rsi
11537 + lea i*8(%rbx),%rdi
11538 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11546 + .rept USER_PGD_PTRS
11547 + movb $0,i*8(%rbx)
11551 +#ifdef CONFIG_PARAVIRT
11556 +#ifdef CONFIG_PAX_KERNEXEC
11562 +#ifdef CONFIG_PARAVIRT
11563 + PV_RESTORE_REGS(CLBR_RDI)
11571 +ENDPROC(pax_enter_kernel_user)
11573 +ENTRY(pax_exit_kernel_user)
11575 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11578 +#ifdef CONFIG_PARAVIRT
11580 + PV_SAVE_REGS(CLBR_RDI)
11583 +#ifdef CONFIG_PAX_KERNEXEC
11590 + add $__START_KERNEL_map,%rdi
11591 + sub phys_base(%rip),%rdi
11593 +#ifdef CONFIG_PARAVIRT
11594 + cmpl $0, pv_info+PARAVIRT_enabled
11598 + .rept USER_PGD_PTRS
11599 + mov i*8(%rbx),%rsi
11601 + lea i*8(%rbx),%rdi
11602 + call PARA_INDIRECT(pv_mmu_ops+PV_MMU_set_pgd)
11610 + .rept USER_PGD_PTRS
11611 + movb $0x67,i*8(%rdi)
11615 +#ifdef CONFIG_PARAVIRT
11616 +2: PV_RESTORE_REGS(CLBR_RDI)
11624 +ENDPROC(pax_exit_kernel_user)
11626 .macro TRACE_IRQS_IRETQ offset=ARGOFFSET
11627 #ifdef CONFIG_TRACE_IRQFLAGS
11628 @@ -317,7 +501,7 @@ ENTRY(save_args)
11629 leaq -ARGOFFSET+16(%rsp),%rdi /* arg1 for handler */
11630 movq_cfi rbp, 8 /* push %rbp */
11631 leaq 8(%rsp), %rbp /* mov %rsp, %ebp */
11632 - testl $3, CS(%rdi)
11633 + testb $3, CS(%rdi)
11637 @@ -409,7 +593,7 @@ ENTRY(ret_from_fork)
11641 - testl $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11642 + testb $3, CS-ARGOFFSET(%rsp) # from kernel_thread?
11643 je int_ret_from_sys_call
11645 testl $_TIF_IA32, TI_flags(%rcx) # 32-bit compat task needs IRET
11646 @@ -468,6 +652,11 @@ ENTRY(system_call_after_swapgs)
11648 movq %rsp,PER_CPU_VAR(old_rsp)
11649 movq PER_CPU_VAR(kernel_stack),%rsp
11651 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11652 + call pax_enter_kernel_user
11656 * No need to follow this irqs off/on section - it's straight
11658 @@ -502,6 +691,11 @@ sysret_check:
11663 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11664 + call pax_exit_kernel_user
11668 * sysretq will re-enable interrupts:
11670 @@ -613,7 +807,7 @@ tracesys:
11671 GLOBAL(int_ret_from_sys_call)
11672 DISABLE_INTERRUPTS(CLBR_NONE)
11674 - testl $3,CS-ARGOFFSET(%rsp)
11675 + testb $3,CS-ARGOFFSET(%rsp)
11676 je retint_restore_args
11677 movl $_TIF_ALLWORK_MASK,%edi
11678 /* edi: mask to check */
11679 @@ -800,6 +994,16 @@ END(interrupt)
11680 CFI_ADJUST_CFA_OFFSET 10*8
11683 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11684 + testb $3, CS(%rdi)
11686 + call pax_enter_kernel
11688 +1: call pax_enter_kernel_user
11691 + call pax_enter_kernel
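Review bot: The UDEREF entry sequence (`testb $3, CS(...)`, `call pax_enter_kernel`, `1: call pax_enter_kernel_user`, plus the `call pax_enter_kernel` fallback in the other preprocessor branch) is open-coded here and again in the zeroentry, zeroentry-ist, errorentry, paranoiderrorentry and nmi hunks below, each with its own local labels; a single `.macro` taking the CS operand as its argument, in the style of the `ljmpq` macro this file already defines, would remove the duplication and keep the branch structure identical at every site. The jump lines between the visible instructions are not shown in this rendering, so the macro body below reconstructs them and must be checked against the actual hunk before use.
```asm
	.macro PAX_ENTER_KERNEL_AUTO cs_op
#ifdef CONFIG_PAX_MEMORY_UDEREF
	testb $3, \cs_op
	jnz 1f
	call pax_enter_kernel
	jmp 2f
1:	call pax_enter_kernel_user
2:
#else
	call pax_enter_kernel
#endif
	.endm
	/* … at each entry site: PAX_ENTER_KERNEL_AUTO CS(%rdi)  or  PAX_ENTER_KERNEL_AUTO CS(%rsp) … */
```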
11696 @@ -826,7 +1030,7 @@ ret_from_intr:
11697 CFI_ADJUST_CFA_OFFSET -8
11699 GET_THREAD_INFO(%rcx)
11700 - testl $3,CS-ARGOFFSET(%rsp)
11701 + testb $3,CS-ARGOFFSET(%rsp)
11704 /* Interrupt came from user space */
11705 @@ -848,12 +1052,18 @@ retint_swapgs: /* return to user-space
11706 * The iretq could re-enable interrupts:
11708 DISABLE_INTERRUPTS(CLBR_ANY)
11710 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11711 + call pax_exit_kernel_user
11718 retint_restore_args: /* return to kernel space */
11719 DISABLE_INTERRUPTS(CLBR_ANY)
11720 + call pax_exit_kernel
11722 * The iretq could re-enable interrupts:
11724 @@ -1040,6 +1250,16 @@ ENTRY(\sym)
11725 CFI_ADJUST_CFA_OFFSET 15*8
11728 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11729 + testb $3, CS(%rsp)
11731 + call pax_enter_kernel
11733 +1: call pax_enter_kernel_user
11736 + call pax_enter_kernel
11738 movq %rsp,%rdi /* pt_regs pointer */
11739 xorl %esi,%esi /* no error code */
11741 @@ -1057,6 +1277,16 @@ ENTRY(\sym)
11745 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11746 + testb $3, CS(%rsp)
11748 + call pax_enter_kernel
11750 +1: call pax_enter_kernel_user
11753 + call pax_enter_kernel
11755 movq %rsp,%rdi /* pt_regs pointer */
11756 xorl %esi,%esi /* no error code */
11758 @@ -1065,7 +1295,7 @@ ENTRY(\sym)
11762 -#define INIT_TSS_IST(x) PER_CPU_VAR(init_tss) + (TSS_ist + ((x) - 1) * 8)
11763 +#define INIT_TSS_IST(x) (TSS_ist + ((x) - 1) * 8)(%r12)
11764 .macro paranoidzeroentry_ist sym do_sym ist
11767 @@ -1075,8 +1305,24 @@ ENTRY(\sym)
11771 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11772 + testb $3, CS(%rsp)
11774 + call pax_enter_kernel
11776 +1: call pax_enter_kernel_user
11779 + call pax_enter_kernel
11781 movq %rsp,%rdi /* pt_regs pointer */
11782 xorl %esi,%esi /* no error code */
11784 + imul $TSS_size, PER_CPU_VAR(cpu_number), %r12d
11785 + lea init_tss(%r12), %r12
11787 + lea init_tss(%rip), %r12
11789 subq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
11791 addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)
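Review bot: `INIT_TSS_IST(x)` now dereferences `%r12`, which is loaded with this CPU's init_tss before `call \do_sym` and reused by the `addq $EXCEPTION_STKSZ, INIT_TSS_IST(\ist)` after it; that is only correct because %r12 is callee-saved in the SysV ABI and because the exit path restores it from pt_regs, neither of which the macro states. A comment on the `lea init_tss(%r12), %r12` line such as `/* %r12 is callee-saved, so it still addresses this CPU's TSS after \do_sym returns; restored from pt_regs on exit */` would capture that. The UP fallback `lea init_tss(%rip), %r12` sits between preprocessor lines not shown in this rendering, and the macro body continues past the hunk.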
11792 @@ -1093,6 +1339,16 @@ ENTRY(\sym)
11793 CFI_ADJUST_CFA_OFFSET 15*8
11796 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11797 + testb $3, CS(%rsp)
11799 + call pax_enter_kernel
11801 +1: call pax_enter_kernel_user
11804 + call pax_enter_kernel
11806 movq %rsp,%rdi /* pt_regs pointer */
11807 movq ORIG_RAX(%rsp),%rsi /* get error code */
11808 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11809 @@ -1112,6 +1368,16 @@ ENTRY(\sym)
11813 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11814 + testb $3, CS(%rsp)
11816 + call pax_enter_kernel
11818 +1: call pax_enter_kernel_user
11821 + call pax_enter_kernel
11823 movq %rsp,%rdi /* pt_regs pointer */
11824 movq ORIG_RAX(%rsp),%rsi /* get error code */
11825 movq $-1,ORIG_RAX(%rsp) /* no syscall to restart */
11826 @@ -1373,14 +1639,27 @@ ENTRY(paranoid_exit)
11828 testl %ebx,%ebx /* swapgs needed? */
11829 jnz paranoid_restore
11830 - testl $3,CS(%rsp)
11831 + testb $3,CS(%rsp)
11832 jnz paranoid_userspace
11833 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11834 + call pax_exit_kernel
11835 + TRACE_IRQS_IRETQ 0
11836 + SWAPGS_UNSAFE_STACK
11841 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11842 + call pax_exit_kernel_user
11844 + call pax_exit_kernel
11847 SWAPGS_UNSAFE_STACK
11851 + call pax_exit_kernel
11855 @@ -1438,7 +1717,7 @@ ENTRY(error_entry)
11856 movq_cfi r14, R14+8
11857 movq_cfi r15, R15+8
11859 - testl $3,CS+8(%rsp)
11860 + testb $3,CS+8(%rsp)
11861 je error_kernelspace
11864 @@ -1502,6 +1781,16 @@ ENTRY(nmi)
11865 CFI_ADJUST_CFA_OFFSET 15*8
11868 +#ifdef CONFIG_PAX_MEMORY_UDEREF
11869 + testb $3, CS(%rsp)
11871 + call pax_enter_kernel
11873 +1: call pax_enter_kernel_user
11876 + call pax_enter_kernel
11878 /* paranoidentry do_nmi, 0; without TRACE_IRQS_OFF */
11881 @@ -1512,11 +1801,12 @@ ENTRY(nmi)
11882 DISABLE_INTERRUPTS(CLBR_NONE)
11883 testl %ebx,%ebx /* swapgs needed? */
11885 - testl $3,CS(%rsp)
11886 + testb $3,CS(%rsp)
11889 SWAPGS_UNSAFE_STACK
11891 + call pax_exit_kernel
11895 diff -urNp linux-2.6.36.1/arch/x86/kernel/ftrace.c linux-2.6.36.1/arch/x86/kernel/ftrace.c
11896 --- linux-2.6.36.1/arch/x86/kernel/ftrace.c 2010-10-20 16:30:22.000000000 -0400
11897 +++ linux-2.6.36.1/arch/x86/kernel/ftrace.c 2010-11-06 18:58:15.000000000 -0400
11898 @@ -174,7 +174,9 @@ void ftrace_nmi_enter(void)
11900 if (atomic_inc_return(&nmi_running) & MOD_CODE_WRITE_FLAG) {
11902 + pax_open_kernel();
11904 + pax_close_kernel();
11905 atomic_inc(&nmi_update_count);
11907 /* Must have previous changes seen before executions */
11908 @@ -260,7 +262,7 @@ do_ftrace_mod_code(unsigned long ip, voi
11912 -static unsigned char ftrace_nop[MCOUNT_INSN_SIZE];
11913 +static unsigned char ftrace_nop[MCOUNT_INSN_SIZE] __read_only;
11915 static unsigned char *ftrace_nop_replace(void)
11917 @@ -273,6 +275,8 @@ ftrace_modify_code(unsigned long ip, uns
11919 unsigned char replaced[MCOUNT_INSN_SIZE];
11921 + ip = ktla_ktva(ip);
11924 * Note: Due to modules and __init, code can
11925 * disappear and change, we need to protect against faulting
11926 @@ -329,7 +333,7 @@ int ftrace_update_ftrace_func(ftrace_fun
11927 unsigned char old[MCOUNT_INSN_SIZE], *new;
11930 - memcpy(old, &ftrace_call, MCOUNT_INSN_SIZE);
11931 + memcpy(old, (void *)ktla_ktva((unsigned long)ftrace_call), MCOUNT_INSN_SIZE);
11932 new = ftrace_call_replace(ip, (unsigned long)func);
11933 ret = ftrace_modify_code(ip, old, new);
11935 @@ -382,15 +386,15 @@ int __init ftrace_dyn_arch_init(void *da
11938 pr_info("converting mcount calls to 0f 1f 44 00 00\n");
11939 - memcpy(ftrace_nop, ftrace_test_p6nop, MCOUNT_INSN_SIZE);
11940 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_p6nop), MCOUNT_INSN_SIZE);
11943 pr_info("converting mcount calls to 66 66 66 66 90\n");
11944 - memcpy(ftrace_nop, ftrace_test_nop5, MCOUNT_INSN_SIZE);
11945 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_nop5), MCOUNT_INSN_SIZE);
11948 pr_info("converting mcount calls to jmp . + 5\n");
11949 - memcpy(ftrace_nop, ftrace_test_jmp, MCOUNT_INSN_SIZE);
11950 + memcpy(ftrace_nop, ktla_ktva(ftrace_test_jmp), MCOUNT_INSN_SIZE);
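Review bot: `ftrace_nop` is made `__read_only` in the do_ftrace_mod_code hunk above, yet ftrace_dyn_arch_init still fills it with three plain `memcpy(ftrace_nop, ktla_ktva(...), MCOUNT_INSN_SIZE)` calls; those writes need the same `pax_open_kernel()` / `pax_close_kernel()` bracket the ftrace_nmi_enter hunk uses, and the lines where it would sit (the hunk header counts 15 lines but fewer are shown) are missing from this rendering, so please confirm the bracket is present. If it is, a one-line comment next to the annotation, `/* written once by ftrace_dyn_arch_init under pax_open_kernel() */`, documents why a __read_only object is still assigned at runtime. ftrace_dyn_arch_init's body continues outside the hunk.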
11954 @@ -411,6 +415,8 @@ static int ftrace_mod_jmp(unsigned long
11956 unsigned char code[MCOUNT_INSN_SIZE];
11958 + ip = ktla_ktva(ip);
11960 if (probe_kernel_read(code, (void *)ip, MCOUNT_INSN_SIZE))
11963 diff -urNp linux-2.6.36.1/arch/x86/kernel/head32.c linux-2.6.36.1/arch/x86/kernel/head32.c
11964 --- linux-2.6.36.1/arch/x86/kernel/head32.c 2010-10-20 16:30:22.000000000 -0400
11965 +++ linux-2.6.36.1/arch/x86/kernel/head32.c 2010-11-06 18:58:15.000000000 -0400
11967 #include <asm/apic.h>
11968 #include <asm/io_apic.h>
11969 #include <asm/bios_ebda.h>
11970 +#include <asm/boot.h>
11972 static void __init i386_default_early_setup(void)
11974 @@ -40,7 +41,7 @@ void __init i386_start_kernel(void)
11978 - reserve_early(__pa_symbol(&_text), __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11979 + reserve_early(LOAD_PHYSICAL_ADDR, __pa_symbol(&__bss_stop), "TEXT DATA BSS");
11981 #ifdef CONFIG_BLK_DEV_INITRD
11982 /* Reserve INITRD */
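Review bot: Replacing `__pa_symbol(&_text)` with the compile-time `LOAD_PHYSICAL_ADDR` in the reserve_early() call assumes the kernel image really runs at its configured physical base; that holds for a non-relocatable build but not if CONFIG_RELOCATABLE let the decompressor place the image elsewhere, in which case the wrong range is reserved. If the patch rules out that combination, a comment saying so would protect the line, e.g. `/* reserve from LOAD_PHYSICAL_ADDR rather than _text: <reason for the different start> ; the kernel is not relocatable in this configuration */` (the start-address reason is inferred from the head_32.S changes — verify before filling it in). i386_start_kernel's body continues outside the hunk.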
11983 diff -urNp linux-2.6.36.1/arch/x86/kernel/head_32.S linux-2.6.36.1/arch/x86/kernel/head_32.S
11984 --- linux-2.6.36.1/arch/x86/kernel/head_32.S 2010-10-20 16:30:22.000000000 -0400
11985 +++ linux-2.6.36.1/arch/x86/kernel/head_32.S 2010-11-06 18:58:15.000000000 -0400
11987 /* Physical address */
11988 #define pa(X) ((X) - __PAGE_OFFSET)
11990 +#ifdef CONFIG_PAX_KERNEXEC
11993 +#define ta(X) ((X) - __PAGE_OFFSET)
11997 * References to members of the new_cpu_data structure.
12000 * and small than max_low_pfn, otherwise will waste some page table entries
12003 -#if PTRS_PER_PMD > 1
12004 -#define PAGE_TABLE_SIZE(pages) (((pages) / PTRS_PER_PMD) + PTRS_PER_PGD)
12006 -#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PGD)
12008 +#define PAGE_TABLE_SIZE(pages) ((pages) / PTRS_PER_PTE)
12010 /* Enough space to fit pagetables for the low memory linear map */
12011 MAPPING_BEYOND_END = \
12012 @@ -75,6 +77,12 @@ INIT_MAP_SIZE = PAGE_TABLE_SIZE(KERNEL_P
12013 RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12016 + * Real beginning of normal "text" segment
12022 * 32-bit kernel entrypoint; only used by the boot CPU. On entry,
12023 * %esi points to the real-mode code as a 32-bit pointer.
12024 * CS and DS must be 4 GB flat segments, but we don't depend on
12025 @@ -82,6 +90,13 @@ RESERVE_BRK(pagetables, INIT_MAP_SIZE)
12030 +#ifdef CONFIG_PAX_KERNEXEC
12032 +/* PaX: fill first page in .text with int3 to catch NULL derefs in kernel mode */
12033 +.fill PAGE_SIZE-5,1,0xcc
12037 /* test KEEP_SEGMENTS flag to see if the bootloader is asking
12038 us to not reload segments */
12039 @@ -99,6 +114,55 @@ ENTRY(startup_32)
12044 + movl $pa(cpu_gdt_table),%edi
12045 + movl $__per_cpu_load,%eax
12046 + movw %ax,__KERNEL_PERCPU + 2(%edi)
12048 + movb %al,__KERNEL_PERCPU + 4(%edi)
12049 + movb %ah,__KERNEL_PERCPU + 7(%edi)
12050 + movl $__per_cpu_end - 1,%eax
12051 + subl $__per_cpu_start,%eax
12052 + movw %ax,__KERNEL_PERCPU + 0(%edi)
12055 +#ifdef CONFIG_PAX_MEMORY_UDEREF
12056 + movl $NR_CPUS,%ecx
12057 + movl $pa(cpu_gdt_table),%edi
12059 + movl $((((__PAGE_OFFSET-1) & 0xf0000000) >> 12) | 0x00c09700),GDT_ENTRY_KERNEL_DS * 8 + 4(%edi)
12060 + addl $PAGE_SIZE_asm,%edi
12064 +#ifdef CONFIG_PAX_KERNEXEC
12065 + movl $pa(boot_gdt),%edi
12066 + movl $__LOAD_PHYSICAL_ADDR,%eax
12067 + movw %ax,__BOOT_CS + 2(%edi)
12069 + movb %al,__BOOT_CS + 4(%edi)
12070 + movb %ah,__BOOT_CS + 7(%edi)
12073 + ljmp $(__BOOT_CS),$1f
12076 + movl $NR_CPUS,%ecx
12077 + movl $pa(cpu_gdt_table),%edi
12078 + addl $__PAGE_OFFSET,%eax
12080 + movw %ax,__KERNEL_CS + 2(%edi)
12081 + movw %ax,__KERNEXEC_KERNEL_CS + 2(%edi)
12083 + movb %al,__KERNEL_CS + 4(%edi)
12084 + movb %al,__KERNEXEC_KERNEL_CS + 4(%edi)
12085 + movb %ah,__KERNEL_CS + 7(%edi)
12086 + movb %ah,__KERNEXEC_KERNEL_CS + 7(%edi)
12088 + addl $PAGE_SIZE_asm,%edi
12093 * Clear BSS first so that there are no surprises...
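Review bot: The descriptor-patching loops under CONFIG_PAX_MEMORY_UDEREF and CONFIG_PAX_KERNEXEC write to `NR_CPUS` consecutive pages starting at `pa(cpu_gdt_table)` by stepping `addl $PAGE_SIZE_asm,%edi`, and the UDEREF store uses the bare constant `0x00c09700` combined with a shifted `__PAGE_OFFSET-1`; neither the one-GDT-page-per-CPU layout nor the descriptor fields being set is stated. A comment on the loop, `/* cpu_gdt_table holds one page per CPU; patch every copy */`, and one on the store naming which limit/type fields of GDT_ENTRY_KERNEL_DS the constant encodes would let a reviewer check the value instead of decoding it by hand. The loop counters and branch lines between the visible instructions are not shown in this rendering, and startup_32 continues outside the hunk.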
12095 @@ -148,9 +212,7 @@ ENTRY(startup_32)
12096 cmpl $num_subarch_entries, %eax
12099 - movl pa(subarch_entries)(,%eax,4), %eax
12100 - subl $__PAGE_OFFSET, %eax
12102 + jmp *pa(subarch_entries)(,%eax,4)
12106 @@ -162,10 +224,10 @@ WEAK(xen_entry)
12110 - .long default_entry /* normal x86/PC */
12111 - .long lguest_entry /* lguest hypervisor */
12112 - .long xen_entry /* Xen hypervisor */
12113 - .long default_entry /* Moorestown MID */
12114 + .long ta(default_entry) /* normal x86/PC */
12115 + .long ta(lguest_entry) /* lguest hypervisor */
12116 + .long ta(xen_entry) /* Xen hypervisor */
12117 + .long ta(default_entry) /* Moorestown MID */
12118 num_subarch_entries = (. - subarch_entries) / 4
12120 #endif /* CONFIG_PARAVIRT */
12121 @@ -226,8 +288,11 @@ default_entry:
12122 movl %eax, pa(max_pfn_mapped)
12124 /* Do early initialization of the fixmap area */
12125 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12126 - movl %eax,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12127 +#ifdef CONFIG_COMPAT_VDSO
12128 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12130 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_pmd+0x1000*KPMDS-8)
12132 #else /* Not PAE */
12134 page_pde_offset = (__PAGE_OFFSET >> 20);
12135 @@ -257,8 +322,11 @@ page_pde_offset = (__PAGE_OFFSET >> 20);
12136 movl %eax, pa(max_pfn_mapped)
12138 /* Do early initialization of the fixmap area */
12139 - movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,%eax
12140 - movl %eax,pa(swapper_pg_dir+0xffc)
12141 +#ifdef CONFIG_COMPAT_VDSO
12142 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR+_PAGE_USER,pa(swapper_pg_dir+0xffc)
12144 + movl $pa(swapper_pg_fixmap)+PDE_IDENT_ATTR,pa(swapper_pg_dir+0xffc)
12149 @@ -305,6 +373,7 @@ ENTRY(startup_32_smp)
12153 +#ifdef CONFIG_X86_PAE
12154 testb $X86_CR4_PAE, %al # check if PAE is enabled
12157 @@ -329,6 +398,9 @@ ENTRY(startup_32_smp)
12158 /* Make changes effective */
12161 + btsl $_PAGE_BIT_NX-32,pa(__supported_pte_mask+4)
12167 @@ -354,9 +426,7 @@ ENTRY(startup_32_smp)
12171 - jz 1f /* Initial CPU cleans BSS */
12174 + jnz checkCPUtype /* Initial CPU cleans BSS */
12175 #endif /* CONFIG_SMP */
12178 @@ -434,7 +504,7 @@ is386: movl $2,%ecx # set MP
12179 1: movl $(__KERNEL_DS),%eax # reload all the segment registers
12180 movl %eax,%ss # after changing gdt.
12182 - movl $(__USER_DS),%eax # DS/ES contains default USER segment
12183 +# movl $(__KERNEL_DS),%eax # DS/ES contains default KERNEL segment
12187 @@ -448,8 +518,11 @@ is386: movl $2,%ecx # set MP
12191 - movl $gdt_page,%eax
12192 + movl $cpu_gdt_table,%eax
12193 movl $stack_canary,%ecx
12195 + addl $__per_cpu_load,%ecx
12197 movw %cx, 8 * GDT_ENTRY_STACK_CANARY + 2(%eax)
12199 movb %cl, 8 * GDT_ENTRY_STACK_CANARY + 4(%eax)
12200 @@ -467,10 +540,6 @@ is386: movl $2,%ecx # set MP
12204 - cmpb $0,%cl # the first CPU calls start_kernel
12206 - movl (stack_start), %esp
12208 #endif /* CONFIG_SMP */
12209 jmp *(initial_code)
12211 @@ -556,22 +625,22 @@ early_page_fault:
12216 #ifdef CONFIG_PRINTK
12217 + cmpl $1,%ss:early_recursion_flag
12219 + incl %ss:early_recursion_flag
12222 movl $(__KERNEL_DS),%eax
12225 - cmpl $2,early_recursion_flag
12227 - incl early_recursion_flag
12230 pushl %edx /* trapno */
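Review bot: The recursion check and increment (`cmpl $1,%ss:early_recursion_flag` / `incl %ss:early_recursion_flag`) now run before the `movl $(__KERNEL_DS),%eax` segment reload, which is presumably why they carry an explicit `%ss:` override: %ds may still hold whatever the faulting code left there, while %ss is known to be a kernel data segment. That dependency is not written down, and the threshold also drops from the old `cmpl $2` to `cmpl $1` for page faults while `ignore_int` below keeps 2. Suggest `/* %ds not reloaded yet: reach the flag through %ss, which is always a kernel data segment */` on the compare, plus a line on why page faults tolerate one fewer level of recursion than ignore_int. The handler body continues past the hunk.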
12239 @@ -579,8 +648,11 @@ hlt_loop:
12240 /* This is the default interrupt "handler" :-) */
12244 #ifdef CONFIG_PRINTK
12245 + cmpl $2,%ss:early_recursion_flag
12247 + incl %ss:early_recursion_flag
12252 @@ -589,9 +661,6 @@ ignore_int:
12253 movl $(__KERNEL_DS),%eax
12256 - cmpl $2,early_recursion_flag
12258 - incl early_recursion_flag
12262 @@ -620,31 +689,47 @@ ENTRY(initial_page_table)
12266 -__PAGE_ALIGNED_BSS
12267 - .align PAGE_SIZE_asm
12268 #ifdef CONFIG_X86_PAE
12269 +.section .swapper_pg_pmd,"a",@progbits
12271 .fill 1024*KPMDS,4,0
12273 +.section .swapper_pg_dir,"a",@progbits
12274 ENTRY(swapper_pg_dir)
12277 +.section .swapper_pg_fixmap,"a",@progbits
12280 #ifdef CONFIG_X86_TRAMPOLINE
12281 +.section .trampoline_pg_dir,"a",@progbits
12282 ENTRY(trampoline_pg_dir)
12283 +#ifdef CONFIG_X86_PAE
12290 +.section .empty_zero_page,"a",@progbits
12291 ENTRY(empty_zero_page)
12295 + * The IDT has to be page-aligned to simplify the Pentium
12296 + * F0 0F bug workaround.. We have a special link segment
12299 +.section .idt,"a",@progbits
12304 * This starts the data section.
12306 #ifdef CONFIG_X86_PAE
12307 -__PAGE_ALIGNED_DATA
12308 - /* Page-aligned for the benefit of paravirt? */
12309 - .align PAGE_SIZE_asm
12310 +.section .swapper_pg_dir,"a",@progbits
12312 ENTRY(swapper_pg_dir)
12313 .long pa(swapper_pg_pmd+PGD_IDENT_ATTR),0 /* low identity map */
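Review bot: Every new section here (`.swapper_pg_pmd`, `.swapper_pg_dir`, `.swapper_pg_fixmap`, `.trampoline_pg_dir`, `.empty_zero_page`, `.idt`) is declared `"a",@progbits` without the `w` flag, yet these tables are stored to at run time (the fixmap PDE writes earlier in this file, and the paging code updates swapper_pg_dir for the life of the system). Without `w` the linker is entitled to fold them into a read-only output section unless vmlinux.lds.S places each one explicitly, and that placement is not visible from here. State the contract once, above the first `.section`: `/* Page tables live in named sections so the linker script can place them; they are written only before write protection is enabled or under pax_open_kernel() - see vmlinux.lds.S */`. If the intent is genuinely read-only-after-init, say that instead so the flags read as deliberate.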
12315 @@ -663,15 +748,24 @@ ENTRY(swapper_pg_dir)
12316 # error "Kernel PMDs should be 1, 2 or 3"
12318 .align PAGE_SIZE_asm /* needs to be page-sized too */
12320 +#ifdef CONFIG_PAX_PER_CPU_PGD
12331 - .long init_thread_union+THREAD_SIZE
12332 + .long init_thread_union+THREAD_SIZE-8
12337 +.section .rodata,"a",@progbits
12338 early_recursion_flag:
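Review bot: `early_recursion_flag` is now emitted into `.rodata` (the `.section .rodata,"a",@progbits` directly above it), but the early page fault and ignore_int paths earlier in this file do `incl %ss:early_recursion_flag` on it, i.e. they write into a read-only section. Presumably this works because .rodata is only write-protected after early boot, but that ordering is the entire safety argument and it is recorded nowhere; suggest `/* written by early_page_fault/ignore_int before .rodata is made read-only; never touch it later */` above the label. Separately, `.long init_thread_union+THREAD_SIZE-8` shaves 8 bytes off the initial stack top without explanation and the same `-8` reappears in irq_32.c; name the constant or explain it once here.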
12341 @@ -707,7 +801,7 @@ fault_msg:
12342 .word 0 # 32 bit align gdt_desc.address
12345 - .long boot_gdt - __PAGE_OFFSET
12346 + .long pa(boot_gdt)
12348 .word 0 # 32-bit align idt_desc.address
12350 @@ -718,7 +812,7 @@ idt_descr:
12351 .word 0 # 32 bit align gdt_desc.address
12352 ENTRY(early_gdt_descr)
12353 .word GDT_ENTRIES*8-1
12354 - .long gdt_page /* Overwritten for secondary CPUs */
12355 + .long cpu_gdt_table /* Overwritten for secondary CPUs */
12358 * The boot_gdt must mirror the equivalent in setup.S and is
12359 @@ -727,5 +821,65 @@ ENTRY(early_gdt_descr)
12360 .align L1_CACHE_BYTES
12362 .fill GDT_ENTRY_BOOT_CS,8,0
12363 - .quad 0x00cf9a000000ffff /* kernel 4GB code at 0x00000000 */
12364 - .quad 0x00cf92000000ffff /* kernel 4GB data at 0x00000000 */
12365 + .quad 0x00cf9b000000ffff /* kernel 4GB code at 0x00000000 */
12366 + .quad 0x00cf93000000ffff /* kernel 4GB data at 0x00000000 */
12368 + .align PAGE_SIZE_asm
12369 +ENTRY(cpu_gdt_table)
12371 + .quad 0x0000000000000000 /* NULL descriptor */
12372 + .quad 0x0000000000000000 /* 0x0b reserved */
12373 + .quad 0x0000000000000000 /* 0x13 reserved */
12374 + .quad 0x0000000000000000 /* 0x1b reserved */
12376 +#ifdef CONFIG_PAX_KERNEXEC
12377 + .quad 0x00cf9b000000ffff /* 0x20 alternate kernel 4GB code at 0x00000000 */
12379 + .quad 0x0000000000000000 /* 0x20 unused */
12382 + .quad 0x0000000000000000 /* 0x28 unused */
12383 + .quad 0x0000000000000000 /* 0x33 TLS entry 1 */
12384 + .quad 0x0000000000000000 /* 0x3b TLS entry 2 */
12385 + .quad 0x0000000000000000 /* 0x43 TLS entry 3 */
12386 + .quad 0x0000000000000000 /* 0x4b reserved */
12387 + .quad 0x0000000000000000 /* 0x53 reserved */
12388 + .quad 0x0000000000000000 /* 0x5b reserved */
12390 + .quad 0x00cf9b000000ffff /* 0x60 kernel 4GB code at 0x00000000 */
12391 + .quad 0x00cf93000000ffff /* 0x68 kernel 4GB data at 0x00000000 */
12392 + .quad 0x00cffb000000ffff /* 0x73 user 4GB code at 0x00000000 */
12393 + .quad 0x00cff3000000ffff /* 0x7b user 4GB data at 0x00000000 */
12395 + .quad 0x0000000000000000 /* 0x80 TSS descriptor */
12396 + .quad 0x0000000000000000 /* 0x88 LDT descriptor */
12399 + * Segments used for calling PnP BIOS have byte granularity.
12400 + * The code segments and data segments have fixed 64k limits,
12401 + * the transfer segment sizes are set at run time.
12403 + .quad 0x00409b000000ffff /* 0x90 32-bit code */
12404 + .quad 0x00009b000000ffff /* 0x98 16-bit code */
12405 + .quad 0x000093000000ffff /* 0xa0 16-bit data */
12406 + .quad 0x0000930000000000 /* 0xa8 16-bit data */
12407 + .quad 0x0000930000000000 /* 0xb0 16-bit data */
12410 + * The APM segments have byte granularity and their bases
12411 + * are set at run time. All have 64k limits.
12413 + .quad 0x00409b000000ffff /* 0xb8 APM CS code */
12414 + .quad 0x00009b000000ffff /* 0xc0 APM CS 16 code (16 bit) */
12415 + .quad 0x004093000000ffff /* 0xc8 APM DS data */
12417 + .quad 0x00c0930000000000 /* 0xd0 - ESPFIX SS */
12418 + .quad 0x0040930000000000 /* 0xd8 - PERCPU */
12419 + .quad 0x0040910000000018 /* 0xe0 - STACK_CANARY */
12420 + .quad 0x0000000000000000 /* 0xe8 - PCIBIOS_CS */
12421 + .quad 0x0000000000000000 /* 0xf0 - PCIBIOS_DS */
12422 + .quad 0x0000000000000000 /* 0xf8 - GDT entry 31: double-fault TSS */
12424 + /* Be sure this is zeroed to avoid false validations in Xen */
12425 + .fill PAGE_SIZE_asm - GDT_SIZE,1,0
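Review bot: The descriptor access bytes change from 0x9a/0x92 to 0x9b/0x93 in `boot_gdt`, and every populated entry of the new `cpu_gdt_table` is likewise emitted with the accessed bit already set (0x9b, 0x93, 0xfb, 0xf3, 0x91), but nothing says why. As far as I can tell the point is that the CPU writes the accessed bit into a descriptor on first load, so a GDT meant to be mapped read-only would otherwise fault on the first segment load - a property every future editor of this table must preserve. Suggest above `ENTRY(cpu_gdt_table)`: `/* All descriptors have the accessed bit pre-set so the CPU never writes to this table - required if the GDT is mapped read-only */`. The trailing `.fill PAGE_SIZE_asm - GDT_SIZE,1,0` also assumes GDT_SIZE matches the entries above; a `GDT_ENTRIES must match this` note like the 64-bit table carries would help.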
12427 diff -urNp linux-2.6.36.1/arch/x86/kernel/head_64.S linux-2.6.36.1/arch/x86/kernel/head_64.S
12428 --- linux-2.6.36.1/arch/x86/kernel/head_64.S 2010-10-20 16:30:22.000000000 -0400
12429 +++ linux-2.6.36.1/arch/x86/kernel/head_64.S 2010-11-11 18:21:08.000000000 -0500
12431 #include <asm/cache.h>
12432 #include <asm/processor-flags.h>
12433 #include <asm/percpu.h>
12434 +#include <asm/cpufeature.h>
12436 #ifdef CONFIG_PARAVIRT
12437 #include <asm/asm-offsets.h>
12438 @@ -38,6 +39,10 @@ L4_PAGE_OFFSET = pgd_index(__PAGE_OFFSET
12439 L3_PAGE_OFFSET = pud_index(__PAGE_OFFSET)
12440 L4_START_KERNEL = pgd_index(__START_KERNEL_map)
12441 L3_START_KERNEL = pud_index(__START_KERNEL_map)
12442 +L4_VMALLOC_START = pgd_index(VMALLOC_START)
12443 +L3_VMALLOC_START = pud_index(VMALLOC_START)
12444 +L4_VMEMMAP_START = pgd_index(VMEMMAP_START)
12445 +L3_VMEMMAP_START = pud_index(VMEMMAP_START)
12449 @@ -85,35 +90,22 @@ startup_64:
12451 addq %rbp, init_level4_pgt + 0(%rip)
12452 addq %rbp, init_level4_pgt + (L4_PAGE_OFFSET*8)(%rip)
12453 + addq %rbp, init_level4_pgt + (L4_VMALLOC_START*8)(%rip)
12454 + addq %rbp, init_level4_pgt + (L4_VMEMMAP_START*8)(%rip)
12455 addq %rbp, init_level4_pgt + (L4_START_KERNEL*8)(%rip)
12457 addq %rbp, level3_ident_pgt + 0(%rip)
12458 +#ifndef CONFIG_XEN
12459 + addq %rbp, level3_ident_pgt + 8(%rip)
12462 - addq %rbp, level3_kernel_pgt + (510*8)(%rip)
12463 - addq %rbp, level3_kernel_pgt + (511*8)(%rip)
12464 + addq %rbp, level3_vmemmap_pgt + (L3_VMEMMAP_START*8)(%rip)
12466 - addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12467 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8)(%rip)
12468 + addq %rbp, level3_kernel_pgt + (L3_START_KERNEL*8+8)(%rip)
12470 - /* Add an Identity mapping if I am above 1G */
12471 - leaq _text(%rip), %rdi
12472 - andq $PMD_PAGE_MASK, %rdi
12475 - shrq $PUD_SHIFT, %rax
12476 - andq $(PTRS_PER_PUD - 1), %rax
12477 - jz ident_complete
12479 - leaq (level2_spare_pgt - __START_KERNEL_map + _KERNPG_TABLE)(%rbp), %rdx
12480 - leaq level3_ident_pgt(%rip), %rbx
12481 - movq %rdx, 0(%rbx, %rax, 8)
12484 - shrq $PMD_SHIFT, %rax
12485 - andq $(PTRS_PER_PMD - 1), %rax
12486 - leaq __PAGE_KERNEL_IDENT_LARGE_EXEC(%rdi), %rdx
12487 - leaq level2_spare_pgt(%rip), %rbx
12488 - movq %rdx, 0(%rbx, %rax, 8)
12490 + addq %rbp, level2_fixmap_pgt + (506*8)(%rip)
12491 + addq %rbp, level2_fixmap_pgt + (507*8)(%rip)
12494 * Fixup the kernel text+data virtual addresses. Note that
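Review bot: The removed block ("Add an Identity mapping if I am above 1G") identity-mapped the 2MB containing `_text` wherever the kernel was physically loaded; the replacement relies on a static identity map, which this file elsewhere widens to the first 2G. If the image can be placed above 2G physical (CONFIG_RELOCATABLE, kexec), `_text` is no longer identity-mapped when paging is switched on and the transition through the low mapping faults before any handler exists. If the configuration rules that range out, say so next to the `level3_ident_pgt` fixups, e.g. `/* identity map is a fixed 0-2G: the kernel must be loaded below 2G physical */`; otherwise the per-load-address mapping needs to come back. The `#ifndef CONFIG_XEN` around the second `level3_ident_pgt` fixup also deserves a word on why Xen gets only one entry.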
12495 @@ -161,8 +153,8 @@ ENTRY(secondary_startup_64)
12496 * after the boot processor executes this code.
12499 - /* Enable PAE mode and PGE */
12500 - movl $(X86_CR4_PAE | X86_CR4_PGE), %eax
12501 + /* Enable PAE mode and PSE/PGE */
12502 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
12505 /* Setup early boot stage 4 level pagetables. */
12506 @@ -184,9 +176,14 @@ ENTRY(secondary_startup_64)
12507 movl $MSR_EFER, %ecx
12509 btsl $_EFER_SCE, %eax /* Enable System Call */
12510 - btl $20,%edi /* No Execute supported? */
12511 + btl $(X86_FEATURE_NX & 31),%edi /* No Execute supported? */
12513 btsl $_EFER_NX, %eax
12514 + leaq init_level4_pgt(%rip), %rdi
12515 + btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)
12516 + btsq $_PAGE_BIT_NX, 8*L4_VMALLOC_START(%rdi)
12517 + btsq $_PAGE_BIT_NX, 8*L4_VMEMMAP_START(%rdi)
12518 + btsq $_PAGE_BIT_NX, __supported_pte_mask(%rip)
12519 1: wrmsr /* Make changes effective */
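Review bot: The four new `btsq $_PAGE_BIT_NX,...` stores run on this path on every CPU, not only the boot processor (`secondary_startup_64` is the enclosing label in the hunk header), and they modify shared page tables and `__supported_pte_mask` without synchronisation. That is safe only because setting an already-set bit is idempotent, which is worth stating: `/* executed by every CPU: bts is idempotent, so repeated updates of the shared tables are harmless */`. It also relies on the `btl` (and the branch to `1:` that presumably follows it) skipping the whole group when NX is absent; if that jump is ever moved, NX bits land in PGD entries on a CPU that treats bit 63 as reserved. Replacing the literal 20 with `X86_FEATURE_NX & 31` is a welcome change.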
12522 @@ -270,7 +267,7 @@ ENTRY(secondary_startup_64)
12526 - .section ".init.text","ax"
12528 #ifdef CONFIG_EARLY_PRINTK
12529 .globl early_idt_handlers
12530 early_idt_handlers:
12531 @@ -315,18 +312,23 @@ ENTRY(early_idt_handler)
12532 #endif /* EARLY_PRINTK */
12537 #ifdef CONFIG_EARLY_PRINTK
12539 early_recursion_flag:
12543 + .section .rodata,"a",@progbits
12545 .asciz "PANIC: early exception %02lx rip %lx:%lx error %lx cr2 %lx\n"
12548 -#endif /* CONFIG_EARLY_PRINTK */
12550 +#endif /* CONFIG_EARLY_PRINTK */
12552 + .section .rodata,"a",@progbits
12553 #define NEXT_PAGE(name) \
12554 .balign PAGE_SIZE; \
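Review bot: The `.section .rodata,"a",@progbits` placed in front of the `NEXT_PAGE` macro moves `init_level4_pgt` and the other early page tables into read-only data, while code earlier in this same file (`btsq $_PAGE_BIT_NX, 8*L4_PAGE_OFFSET(%rdi)` and friends) and the normal paging code write to them. The implied rule - writable until write protection is enabled on .rodata, pax_open_kernel() afterwards - is not stated where the section is chosen. Suggest above the `#define`: `/* boot page tables are .rodata: early asm writes them before protection is enabled, later writers must use pax_open_kernel() */`. The `NEXT_PAGE` macro definition continues past the hunk.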
12556 @@ -339,7 +341,6 @@ ENTRY(name)
12562 * This default setting generates an ident mapping at address 0x100000
12563 * and a mapping for the kernel that precisely maps virtual address
12564 @@ -350,13 +351,36 @@ NEXT_PAGE(init_level4_pgt)
12565 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12566 .org init_level4_pgt + L4_PAGE_OFFSET*8, 0
12567 .quad level3_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12568 + .org init_level4_pgt + L4_VMALLOC_START*8, 0
12569 + .quad level3_vmalloc_pgt - __START_KERNEL_map + _KERNPG_TABLE
12570 + .org init_level4_pgt + L4_VMEMMAP_START*8, 0
12571 + .quad level3_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12572 .org init_level4_pgt + L4_START_KERNEL*8, 0
12573 /* (2^48-(2*1024*1024*1024))/(2^39) = 511 */
12574 .quad level3_kernel_pgt - __START_KERNEL_map + _PAGE_TABLE
12576 +#ifdef CONFIG_PAX_PER_CPU_PGD
12577 +NEXT_PAGE(cpu_pgd)
12583 NEXT_PAGE(level3_ident_pgt)
12584 .quad level2_ident_pgt - __START_KERNEL_map + _KERNPG_TABLE
12588 + .quad level2_ident_pgt + PAGE_SIZE - __START_KERNEL_map + _KERNPG_TABLE
12592 +NEXT_PAGE(level3_vmalloc_pgt)
12595 +NEXT_PAGE(level3_vmemmap_pgt)
12596 + .fill L3_VMEMMAP_START,8,0
12597 + .quad level2_vmemmap_pgt - __START_KERNEL_map + _KERNPG_TABLE
12599 NEXT_PAGE(level3_kernel_pgt)
12600 .fill L3_START_KERNEL,8,0
12601 @@ -364,20 +388,23 @@ NEXT_PAGE(level3_kernel_pgt)
12602 .quad level2_kernel_pgt - __START_KERNEL_map + _KERNPG_TABLE
12603 .quad level2_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12605 +NEXT_PAGE(level2_vmemmap_pgt)
12608 NEXT_PAGE(level2_fixmap_pgt)
12610 - .quad level1_fixmap_pgt - __START_KERNEL_map + _PAGE_TABLE
12611 - /* 8MB reserved for vsyscalls + a 2MB hole = 4 + 1 entries */
12614 + .quad level1_vsyscall_pgt - __START_KERNEL_map + _PAGE_TABLE
12615 + /* 6MB reserved for vsyscalls + a 2MB hole = 3 + 1 entries */
12618 -NEXT_PAGE(level1_fixmap_pgt)
12619 +NEXT_PAGE(level1_vsyscall_pgt)
12622 -NEXT_PAGE(level2_ident_pgt)
12623 - /* Since I easily can, map the first 1G.
12624 + /* Since I easily can, map the first 2G.
12625 * Don't set NX because code runs from these pages.
12627 - PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, PTRS_PER_PMD)
12628 +NEXT_PAGE(level2_ident_pgt)
12629 + PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)
12631 NEXT_PAGE(level2_kernel_pgt)
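Review bot: `PMDS(0, __PAGE_KERNEL_IDENT_LARGE_EXEC, 2*PTRS_PER_PMD)` under `NEXT_PAGE(level2_ident_pgt)` emits 1024 entries, i.e. two pages, although NEXT_PAGE reserves and aligns a single page; the second page is what `level3_ident_pgt` reaches through `level2_ident_pgt + PAGE_SIZE` earlier in the file. That works only because nothing is placed between the two, which is an easy thing to break when another NEXT_PAGE table is added here. Suggest amending the comment: `/* Since I easily can, map the first 2G. This table is deliberately TWO pages; level3_ident_pgt[1] points at the second half. Don't set NX because code runs from these pages. */`. The change also doubles the executable identity-mapped range, which is acceptable only if the low mapping is torn down after early boot as before - worth saying.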
12633 @@ -390,33 +417,55 @@ NEXT_PAGE(level2_kernel_pgt)
12634 * If you want to increase this then increase MODULES_VADDR
12637 - PMDS(0, __PAGE_KERNEL_LARGE_EXEC,
12638 - KERNEL_IMAGE_SIZE/PMD_SIZE)
12640 -NEXT_PAGE(level2_spare_pgt)
12642 + PMDS(0, __PAGE_KERNEL_LARGE_EXEC, KERNEL_IMAGE_SIZE/PMD_SIZE)
12649 +ENTRY(cpu_gdt_table)
12651 + .quad 0x0000000000000000 /* NULL descriptor */
12652 + .quad 0x00cf9b000000ffff /* __KERNEL32_CS */
12653 + .quad 0x00af9b000000ffff /* __KERNEL_CS */
12654 + .quad 0x00cf93000000ffff /* __KERNEL_DS */
12655 + .quad 0x00cffb000000ffff /* __USER32_CS */
12656 + .quad 0x00cff3000000ffff /* __USER_DS, __USER32_DS */
12657 + .quad 0x00affb000000ffff /* __USER_CS */
12659 +#ifdef CONFIG_PAX_KERNEXEC
12660 + .quad 0x00af9b000000ffff /* __KERNEXEC_KERNEL_CS */
12662 + .quad 0x0 /* unused */
12665 + .quad 0,0 /* TSS */
12666 + .quad 0,0 /* LDT */
12667 + .quad 0,0,0 /* three TLS descriptors */
12668 + .quad 0x0000f40000000000 /* node/CPU stored in limit */
12669 + /* asm/segment.h:GDT_ENTRIES must match this */
12671 + /* zero the remaining page */
12672 + .fill PAGE_SIZE / 8 - GDT_ENTRIES,8,0
12676 .globl early_gdt_descr
12678 .word GDT_ENTRIES*8-1
12679 early_gdt_descr_base:
12680 - .quad INIT_PER_CPU_VAR(gdt_page)
12681 + .quad cpu_gdt_table
12684 /* This must match the first entry in level2_kernel_pgt */
12685 .quad 0x0000000000000000
12687 #include "../../x86/xen/xen-head.S"
12689 - .section .bss, "aw", @nobits
12691 + .section .rodata,"a",@progbits
12692 .align L1_CACHE_BYTES
12694 - .skip IDT_ENTRIES * 16
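Review bot: The IDT moves from `.bss` to `.rodata` (the `- .section .bss, "aw", @nobits` / `+ .section .rodata,"a",@progbits` pair at the end of the hunk) without a comment, and the `.skip IDT_ENTRIES * 16` that sized it is dropped with its replacement outside the visible lines. Every IDT writer (set_gate/write_idt_entry, the early `set_intr_gate` loop, debugger paths) must now either run before .rodata is protected or wrap the store, and that contract belongs next to the table: `/* IDT is read-only after init: all updates go through pax_open_kernel() */`. In `cpu_gdt_table`, `__KERNEXEC_KERNEL_CS` is bit-identical to `__KERNEL_CS` (`0x00af9b000000ffff`); if the distinction is purely the selector value, one line saying so stops a reader assuming a different base or limit was intended.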
12699 diff -urNp linux-2.6.36.1/arch/x86/kernel/i386_ksyms_32.c linux-2.6.36.1/arch/x86/kernel/i386_ksyms_32.c
12700 --- linux-2.6.36.1/arch/x86/kernel/i386_ksyms_32.c 2010-10-20 16:30:22.000000000 -0400
12701 +++ linux-2.6.36.1/arch/x86/kernel/i386_ksyms_32.c 2010-11-06 18:58:15.000000000 -0400
12702 @@ -20,8 +20,12 @@ extern void cmpxchg8b_emu(void);
12703 EXPORT_SYMBOL(cmpxchg8b_emu);
12706 +EXPORT_SYMBOL_GPL(cpu_gdt_table);
12708 /* Networking helper routines. */
12709 EXPORT_SYMBOL(csum_partial_copy_generic);
12710 +EXPORT_SYMBOL(csum_partial_copy_generic_to_user);
12711 +EXPORT_SYMBOL(csum_partial_copy_generic_from_user);
12713 EXPORT_SYMBOL(__get_user_1);
12714 EXPORT_SYMBOL(__get_user_2);
12715 @@ -36,3 +40,7 @@ EXPORT_SYMBOL(strstr);
12717 EXPORT_SYMBOL(csum_partial);
12718 EXPORT_SYMBOL(empty_zero_page);
12720 +#ifdef CONFIG_PAX_KERNEXEC
12721 +EXPORT_SYMBOL(__LOAD_PHYSICAL_ADDR);
12723 diff -urNp linux-2.6.36.1/arch/x86/kernel/init_task.c linux-2.6.36.1/arch/x86/kernel/init_task.c
12724 --- linux-2.6.36.1/arch/x86/kernel/init_task.c 2010-10-20 16:30:22.000000000 -0400
12725 +++ linux-2.6.36.1/arch/x86/kernel/init_task.c 2010-11-06 18:58:15.000000000 -0400
12726 @@ -38,5 +38,5 @@ EXPORT_SYMBOL(init_task);
12727 * section. Since TSS's are completely CPU-local, we want them
12728 * on exact cacheline boundaries, to eliminate cacheline ping-pong.
12730 -DEFINE_PER_CPU_SHARED_ALIGNED(struct tss_struct, init_tss) = INIT_TSS;
12732 +struct tss_struct init_tss[NR_CPUS] ____cacheline_internodealigned_in_smp = { [0 ... NR_CPUS-1] = INIT_TSS };
12733 +EXPORT_SYMBOL(init_tss);
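Review bot: `struct tss_struct init_tss[NR_CPUS]` replaces the per-cpu TSS with a static array sized for the maximum configured CPU count, and `struct tss_struct` carries the full I/O permission bitmap, so on a kernel built with a large NR_CPUS this is a substantial fixed BSS cost independent of the CPUs actually present, where per-cpu storage scaled with the booted CPUs. The export also goes from none to plain `EXPORT_SYMBOL(init_tss)`, handing the TSS array to any out-of-tree module; if only in-tree users such as ioport.c's `init_tss + get_cpu()` need it, keep it unexported or use `EXPORT_SYMBOL_GPL`. A comment stating why per-cpu storage is unsuitable here (presumably the per-cpu GDT handling elsewhere in this series) would justify the trade-off.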
12734 diff -urNp linux-2.6.36.1/arch/x86/kernel/ioport.c linux-2.6.36.1/arch/x86/kernel/ioport.c
12735 --- linux-2.6.36.1/arch/x86/kernel/ioport.c 2010-10-20 16:30:22.000000000 -0400
12736 +++ linux-2.6.36.1/arch/x86/kernel/ioport.c 2010-11-06 18:58:50.000000000 -0400
12738 #include <linux/sched.h>
12739 #include <linux/kernel.h>
12740 #include <linux/capability.h>
12741 +#include <linux/security.h>
12742 #include <linux/errno.h>
12743 #include <linux/types.h>
12744 #include <linux/ioport.h>
12745 @@ -41,6 +42,12 @@ asmlinkage long sys_ioperm(unsigned long
12747 if ((from + num <= from) || (from + num > IO_BITMAP_BITS))
12749 +#ifdef CONFIG_GRKERNSEC_IO
12750 + if (turn_on && grsec_disable_privio) {
12751 + gr_handle_ioperm();
12755 if (turn_on && !capable(CAP_SYS_RAWIO))
12758 @@ -67,7 +74,7 @@ asmlinkage long sys_ioperm(unsigned long
12759 * because the ->io_bitmap_max value must match the bitmap
12762 - tss = &per_cpu(init_tss, get_cpu());
12763 + tss = init_tss + get_cpu();
12765 set_bitmap(t->io_bitmap_ptr, from, num, !turn_on);
12767 @@ -112,6 +119,12 @@ long sys_iopl(unsigned int level, struct
12769 /* Trying to gain more privileges? */
12771 +#ifdef CONFIG_GRKERNSEC_IO
12772 + if (grsec_disable_privio) {
12773 + gr_handle_iopl();
12777 if (!capable(CAP_SYS_RAWIO))
12780 diff -urNp linux-2.6.36.1/arch/x86/kernel/irq_32.c linux-2.6.36.1/arch/x86/kernel/irq_32.c
12781 --- linux-2.6.36.1/arch/x86/kernel/irq_32.c 2010-10-20 16:30:22.000000000 -0400
12782 +++ linux-2.6.36.1/arch/x86/kernel/irq_32.c 2010-11-06 18:58:15.000000000 -0400
12783 @@ -94,7 +94,7 @@ execute_on_irq_stack(int overflow, struc
12786 /* build the stack frame on the IRQ stack */
12787 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12788 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12789 irqctx->tinfo.task = curctx->tinfo.task;
12790 irqctx->tinfo.previous_esp = current_stack_pointer;
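Review bot: `isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);` introduces a bare `-8` that also appears in the softirq path below and in the initial stack pointer in head_32.S, none of them explained. Whatever the reservation is for (presumably something that needs two words above the top of every kernel stack), it should be one named constant shared by all three sites with the reason given at its definition; three unrelated literals will drift apart. `execute_on_irq_stack` continues outside the hunk.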
12792 @@ -175,7 +175,7 @@ asmlinkage void do_softirq(void)
12793 irqctx->tinfo.previous_esp = current_stack_pointer;
12795 /* build the stack frame on the softirq stack */
12796 - isp = (u32 *) ((char *)irqctx + sizeof(*irqctx));
12797 + isp = (u32 *) ((char *)irqctx + sizeof(*irqctx) - 8);
12799 call_on_stack(__do_softirq, isp);
12801 diff -urNp linux-2.6.36.1/arch/x86/kernel/kgdb.c linux-2.6.36.1/arch/x86/kernel/kgdb.c
12802 --- linux-2.6.36.1/arch/x86/kernel/kgdb.c 2010-10-20 16:30:22.000000000 -0400
12803 +++ linux-2.6.36.1/arch/x86/kernel/kgdb.c 2010-11-06 18:58:15.000000000 -0400
12804 @@ -123,11 +123,11 @@ char *dbg_get_reg(int regno, void *mem,
12806 #ifdef CONFIG_X86_32
12808 - if (!user_mode_vm(regs))
12809 + if (!user_mode(regs))
12810 *(unsigned long *)mem = __KERNEL_DS;
12813 - if (!user_mode_vm(regs))
12814 + if (!user_mode(regs))
12815 *(unsigned long *)mem = kernel_stack_pointer(regs);
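Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` drops the VM86 case: `user_mode()` looks only at the CS RPL, while `user_mode_vm()` also treats a frame with EFLAGS.VM set as user mode, and a vm86 frame carries a real-mode CS whose low bits are not an RPL. If vm86 is still reachable in this configuration, a vm86 task stopped in kgdb can be mis-reported as kernel mode here and `mem` filled with `__KERNEL_DS` or the kernel stack pointer. If the series makes the two equivalent (by disabling vm86 or folding the VM check into `user_mode()`), state that where `user_mode` is defined and this is fine; otherwise keep `user_mode_vm` in kgdb. The same substitution appears in kprobes.c later on this page.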
12818 @@ -715,7 +715,7 @@ void kgdb_arch_set_pc(struct pt_regs *re
12822 -struct kgdb_arch arch_kgdb_ops = {
12823 +const struct kgdb_arch arch_kgdb_ops = {
12824 /* Breakpoint instruction: */
12825 .gdb_bpt_instr = { 0xcc },
12826 .flags = KGDB_HW_BREAKPOINT,
12827 diff -urNp linux-2.6.36.1/arch/x86/kernel/kprobes.c linux-2.6.36.1/arch/x86/kernel/kprobes.c
12828 --- linux-2.6.36.1/arch/x86/kernel/kprobes.c 2010-10-20 16:30:22.000000000 -0400
12829 +++ linux-2.6.36.1/arch/x86/kernel/kprobes.c 2010-11-06 18:58:15.000000000 -0400
12830 @@ -114,9 +114,12 @@ static void __kprobes __synthesize_relat
12832 } __attribute__((packed)) *insn;
12834 - insn = (struct __arch_relative_insn *)from;
12835 + insn = (struct __arch_relative_insn *)(ktla_ktva(from));
12837 + pax_open_kernel();
12838 insn->raddr = (s32)((long)(to) - ((long)(from) + 5));
12840 + pax_close_kernel();
12843 /* Insert a jump instruction at address 'from', which jumps to address 'to'.*/
12844 @@ -317,7 +320,9 @@ static int __kprobes __copy_instruction(
12847 insn_get_length(&insn);
12848 + pax_open_kernel();
12849 memcpy(dest, insn.kaddr, insn.length);
12850 + pax_close_kernel();
12852 #ifdef CONFIG_X86_64
12853 if (insn_rip_relative(&insn)) {
12854 @@ -341,7 +346,9 @@ static int __kprobes __copy_instruction(
12856 BUG_ON((s64) (s32) newdisp != newdisp); /* Sanity check. */
12857 disp = (u8 *) dest + insn_offset_displacement(&insn);
12858 + pax_open_kernel();
12859 *(s32 *) disp = (s32) newdisp;
12860 + pax_close_kernel();
12863 return insn.length;
12864 @@ -355,12 +362,12 @@ static void __kprobes arch_copy_kprobe(s
12866 __copy_instruction(p->ainsn.insn, p->addr, 0);
12868 - if (can_boost(p->addr))
12869 + if (can_boost(ktla_ktva(p->addr)))
12870 p->ainsn.boostable = 0;
12872 p->ainsn.boostable = -1;
12874 - p->opcode = *p->addr;
12875 + p->opcode = *(ktla_ktva(p->addr));
12878 int __kprobes arch_prepare_kprobe(struct kprobe *p)
12879 @@ -477,7 +484,7 @@ static void __kprobes setup_singlestep(s
12880 * nor set current_kprobe, because it doesn't use single
12883 - regs->ip = (unsigned long)p->ainsn.insn;
12884 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12885 preempt_enable_no_resched();
12888 @@ -496,7 +503,7 @@ static void __kprobes setup_singlestep(s
12889 if (p->opcode == BREAKPOINT_INSTRUCTION)
12890 regs->ip = (unsigned long)p->addr;
12892 - regs->ip = (unsigned long)p->ainsn.insn;
12893 + regs->ip = ktva_ktla((unsigned long)p->ainsn.insn);
12897 @@ -575,7 +582,7 @@ static int __kprobes kprobe_handler(stru
12898 setup_singlestep(p, regs, kcb, 0);
12901 - } else if (*addr != BREAKPOINT_INSTRUCTION) {
12902 + } else if (*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr) != BREAKPOINT_INSTRUCTION) {
12904 * The breakpoint instruction was removed right
12905 * after we hit it. Another cpu has removed
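Review bot: `*(kprobe_opcode_t *)ktla_ktva((unsigned long)addr)` applies the translation to an integer cast of the pointer, whereas the other new call sites in this file pass the pointer itself (`ktla_ktva(from)`, `ktla_ktva(p->addr)`, `*(ktla_ktva(p->addr))`); mixing the two forms makes a reader wonder whether `ktla_ktva` is type-generic. Pick one style for the file - if the macro accepts and preserves pointer types, as the other sites suggest, `*ktla_ktva(addr) != BREAKPOINT_INSTRUCTION` reads cleanly. The enclosing `kprobe_handler` starts and ends outside the hunk.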
12906 @@ -820,7 +827,7 @@ static void __kprobes resume_execution(s
12907 struct pt_regs *regs, struct kprobe_ctlblk *kcb)
12909 unsigned long *tos = stack_addr(regs);
12910 - unsigned long copy_ip = (unsigned long)p->ainsn.insn;
12911 + unsigned long copy_ip = ktva_ktla((unsigned long)p->ainsn.insn);
12912 unsigned long orig_ip = (unsigned long)p->addr;
12913 kprobe_opcode_t *insn = p->ainsn.insn;
12915 @@ -1002,7 +1009,7 @@ int __kprobes kprobe_exceptions_notify(s
12916 struct die_args *args = data;
12917 int ret = NOTIFY_DONE;
12919 - if (args->regs && user_mode_vm(args->regs))
12920 + if (args->regs && user_mode(args->regs))
12924 diff -urNp linux-2.6.36.1/arch/x86/kernel/ldt.c linux-2.6.36.1/arch/x86/kernel/ldt.c
12925 --- linux-2.6.36.1/arch/x86/kernel/ldt.c 2010-10-20 16:30:22.000000000 -0400
12926 +++ linux-2.6.36.1/arch/x86/kernel/ldt.c 2010-11-06 18:58:15.000000000 -0400
12927 @@ -67,13 +67,13 @@ static int alloc_ldt(mm_context_t *pc, i
12932 + load_LDT_nolock(pc);
12933 if (!cpumask_equal(mm_cpumask(current->mm),
12934 cpumask_of(smp_processor_id())))
12935 smp_call_function(flush_ldt, current->mm, 1);
12939 + load_LDT_nolock(pc);
12943 @@ -95,7 +95,7 @@ static inline int copy_ldt(mm_context_t
12946 for (i = 0; i < old->size; i++)
12947 - write_ldt_entry(new->ldt, i, old->ldt + i * LDT_ENTRY_SIZE);
12948 + write_ldt_entry(new->ldt, i, old->ldt + i);
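Review bot: `write_ldt_entry(new->ldt, i, old->ldt + i)` is only correct if `mm_context_t.ldt` is a `struct desc_struct *`; upstream 2.6.36 declares it `void *`, for which GCC's byte-wise arithmetic made the old `old->ldt + i * LDT_ENTRY_SIZE` the right offset and `old->ldt + i` would copy from byte offset `i`. The type change is presumably elsewhere in this series, but nothing in this file records that dependency, so a rebase that drops or reorders it silently corrupts every forked task's LDT. Suggest `/* ldt is an array of desc_struct (see the mm_context_t definition): index it, do not scale by LDT_ENTRY_SIZE */` on the call. `copy_ldt`'s body starts and ends outside the hunk.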
12952 @@ -116,6 +116,24 @@ int init_new_context(struct task_struct
12953 retval = copy_ldt(&mm->context, &old_mm->context);
12954 mutex_unlock(&old_mm->context.lock);
12957 + if (tsk == current) {
12958 + mm->context.vdso = 0;
12960 +#ifdef CONFIG_X86_32
12961 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
12962 + mm->context.user_cs_base = 0UL;
12963 + mm->context.user_cs_limit = ~0UL;
12965 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_SMP)
12966 + cpus_clear(mm->context.cpu_user_cs_mask);
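Review bot: `cpus_clear(mm->context.cpu_user_cs_mask)` uses the legacy by-value cpumask API, while the rest of this file is written against the `cpumask_*` interface (`cpumask_equal`, `mm_cpumask`, `cpumask_of` in the hunk above); the old macros were being phased out in this era and stop compiling once the field becomes a `cpumask_var_t`. Use `cpumask_clear(&mm->context.cpu_user_cs_mask)` (or the form matching the field's type). The `if (tsk == current)` guard also deserves a comment on why a context created for another task keeps its vdso and user_cs fields; `init_new_context` continues past the hunk.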
12977 @@ -230,6 +248,13 @@ static int write_ldt(void __user *ptr, u
12981 +#ifdef CONFIG_PAX_SEGMEXEC
12982 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (ldt_info.contents & MODIFY_LDT_CONTENTS_CODE)) {
12988 fill_ldt(&ldt, &ldt_info);
12991 diff -urNp linux-2.6.36.1/arch/x86/kernel/machine_kexec_32.c linux-2.6.36.1/arch/x86/kernel/machine_kexec_32.c
12992 --- linux-2.6.36.1/arch/x86/kernel/machine_kexec_32.c 2010-10-20 16:30:22.000000000 -0400
12993 +++ linux-2.6.36.1/arch/x86/kernel/machine_kexec_32.c 2010-11-06 18:58:15.000000000 -0400
12995 #include <asm/cacheflush.h>
12996 #include <asm/debugreg.h>
12998 -static void set_idt(void *newidt, __u16 limit)
12999 +static void set_idt(struct desc_struct *newidt, __u16 limit)
13001 struct desc_ptr curidt;
13003 @@ -39,7 +39,7 @@ static void set_idt(void *newidt, __u16
13007 -static void set_gdt(void *newgdt, __u16 limit)
13008 +static void set_gdt(struct desc_struct *newgdt, __u16 limit)
13010 struct desc_ptr curgdt;
13012 @@ -217,7 +217,7 @@ void machine_kexec(struct kimage *image)
13015 control_page = page_address(image->control_code_page);
13016 - memcpy(control_page, relocate_kernel, KEXEC_CONTROL_CODE_MAX_SIZE);
13017 + memcpy(control_page, (void *)ktla_ktva((unsigned long)relocate_kernel), KEXEC_CONTROL_CODE_MAX_SIZE);
13019 relocate_kernel_ptr = control_page;
13020 page_list[PA_CONTROL_PAGE] = __pa(control_page);
13021 diff -urNp linux-2.6.36.1/arch/x86/kernel/microcode_amd.c linux-2.6.36.1/arch/x86/kernel/microcode_amd.c
13022 --- linux-2.6.36.1/arch/x86/kernel/microcode_amd.c 2010-10-20 16:30:22.000000000 -0400
13023 +++ linux-2.6.36.1/arch/x86/kernel/microcode_amd.c 2010-11-06 18:58:15.000000000 -0400
13024 @@ -331,7 +331,7 @@ static void microcode_fini_cpu_amd(int c
13028 -static struct microcode_ops microcode_amd_ops = {
13029 +static const struct microcode_ops microcode_amd_ops = {
13030 .request_microcode_user = request_microcode_user,
13031 .request_microcode_fw = request_microcode_fw,
13032 .collect_cpu_info = collect_cpu_info_amd,
13033 @@ -339,7 +339,7 @@ static struct microcode_ops microcode_am
13034 .microcode_fini_cpu = microcode_fini_cpu_amd,
13037 -struct microcode_ops * __init init_amd_microcode(void)
13038 +const struct microcode_ops * __init init_amd_microcode(void)
13040 return µcode_amd_ops;
13042 diff -urNp linux-2.6.36.1/arch/x86/kernel/microcode_core.c linux-2.6.36.1/arch/x86/kernel/microcode_core.c
13043 --- linux-2.6.36.1/arch/x86/kernel/microcode_core.c 2010-10-20 16:30:22.000000000 -0400
13044 +++ linux-2.6.36.1/arch/x86/kernel/microcode_core.c 2010-11-06 18:58:15.000000000 -0400
13045 @@ -92,7 +92,7 @@ MODULE_LICENSE("GPL");
13047 #define MICROCODE_VERSION "2.00"
13049 -static struct microcode_ops *microcode_ops;
13050 +static const struct microcode_ops *microcode_ops;
13054 diff -urNp linux-2.6.36.1/arch/x86/kernel/microcode_intel.c linux-2.6.36.1/arch/x86/kernel/microcode_intel.c
13055 --- linux-2.6.36.1/arch/x86/kernel/microcode_intel.c 2010-10-20 16:30:22.000000000 -0400
13056 +++ linux-2.6.36.1/arch/x86/kernel/microcode_intel.c 2010-11-06 18:58:15.000000000 -0400
13057 @@ -446,13 +446,13 @@ static enum ucode_state request_microcod
13059 static int get_ucode_user(void *to, const void *from, size_t n)
13061 - return copy_from_user(to, from, n);
13062 + return copy_from_user(to, (__force const void __user *)from, n);
13065 static enum ucode_state
13066 request_microcode_user(int cpu, const void __user *buf, size_t size)
13068 - return generic_load_microcode(cpu, (void *)buf, size, &get_ucode_user);
13069 + return generic_load_microcode(cpu, (__force void *)buf, size, &get_ucode_user);
13072 static void microcode_fini_cpu(int cpu)
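Review bot: `copy_from_user(to, (__force const void __user *)from, n)` and `(__force void *)buf` silence sparse but leave the underlying problem: `generic_load_microcode` takes a plain `const void *` and hands it back to the `get_ucode_data` callback as such, so the address-space information is lost across the call and can never be checked. The `__force` casts are a reasonable short-term fix but should say so, e.g. `/* generic_load_microcode() carries user and kernel buffers through the same void *; the callback knows which one it was given */`, or better, the buffer should travel in a type that keeps its `__user` annotation. `request_microcode_user`'s behaviour is otherwise unchanged.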
13073 @@ -463,7 +463,7 @@ static void microcode_fini_cpu(int cpu)
13077 -static struct microcode_ops microcode_intel_ops = {
13078 +static const struct microcode_ops microcode_intel_ops = {
13079 .request_microcode_user = request_microcode_user,
13080 .request_microcode_fw = request_microcode_fw,
13081 .collect_cpu_info = collect_cpu_info,
13082 @@ -471,7 +471,7 @@ static struct microcode_ops microcode_in
13083 .microcode_fini_cpu = microcode_fini_cpu,
13086 -struct microcode_ops * __init init_intel_microcode(void)
13087 +const struct microcode_ops * __init init_intel_microcode(void)
13089 return µcode_intel_ops;
13091 diff -urNp linux-2.6.36.1/arch/x86/kernel/module.c linux-2.6.36.1/arch/x86/kernel/module.c
13092 --- linux-2.6.36.1/arch/x86/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
13093 +++ linux-2.6.36.1/arch/x86/kernel/module.c 2010-11-06 18:58:15.000000000 -0400
13095 #define DEBUGP(fmt...)
13098 -void *module_alloc(unsigned long size)
13099 +static void *__module_alloc(unsigned long size, pgprot_t prot)
13101 struct vm_struct *area;
13103 @@ -49,8 +49,18 @@ void *module_alloc(unsigned long size)
13107 - return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM,
13108 - PAGE_KERNEL_EXEC);
13109 + return __vmalloc_area(area, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, prot);
13112 +void *module_alloc(unsigned long size)
13115 +#ifdef CONFIG_PAX_KERNEXEC
13116 + return __module_alloc(size, PAGE_KERNEL);
13118 + return __module_alloc(size, PAGE_KERNEL_EXEC);
13123 /* Free memory returned from module_alloc */
13124 @@ -59,6 +69,40 @@ void module_free(struct module *mod, voi
13125 vfree(module_region);
13128 +#ifdef CONFIG_PAX_KERNEXEC
13129 +#ifdef CONFIG_X86_32
13130 +void *module_alloc_exec(unsigned long size)
13132 + struct vm_struct *area;
13137 + area = __get_vm_area(size, VM_ALLOC, (unsigned long)&MODULES_EXEC_VADDR, (unsigned long)&MODULES_EXEC_END);
13138 + return area ? area->addr : NULL;
13140 +EXPORT_SYMBOL(module_alloc_exec);
13142 +void module_free_exec(struct module *mod, void *module_region)
13144 + vunmap(module_region);
13146 +EXPORT_SYMBOL(module_free_exec);
13148 +void module_free_exec(struct module *mod, void *module_region)
13150 + module_free(mod, module_region);
13152 +EXPORT_SYMBOL(module_free_exec);
13154 +void *module_alloc_exec(unsigned long size)
13156 + return __module_alloc(size, PAGE_KERNEL_RX);
13158 +EXPORT_SYMBOL(module_alloc_exec);
13162 /* We don't need anything special. */
13163 int module_frob_arch_sections(Elf_Ehdr *hdr,
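Review bot: `module_alloc_exec` and `module_free_exec` are exported with plain `EXPORT_SYMBOL` in both the 32-bit and 64-bit variants, although upstream does not export `module_alloc`/`module_free` at all - their only user is kernel/module.c. Exporting the executable-memory allocator gives any module, in-tree or not, a sanctioned way to obtain RX kernel memory, which is exactly the capability KERNEXEC is trying to constrain; unless an in-tree module genuinely needs it, drop the exports, or at least make them `EXPORT_SYMBOL_GPL`. On the 32-bit path the `__get_vm_area(... &MODULES_EXEC_VADDR, &MODULES_EXEC_END)` reservation returns a range with no pages behind it, and how it is populated is not visible here; a comment pointing at that code would save the next reader a search.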
13165 @@ -78,14 +122,16 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13167 Elf32_Rel *rel = (void *)sechdrs[relsec].sh_addr;
13169 - uint32_t *location;
13170 + uint32_t *plocation, location;
13172 DEBUGP("Applying relocate section %u to %u\n", relsec,
13173 sechdrs[relsec].sh_info);
13174 for (i = 0; i < sechdrs[relsec].sh_size / sizeof(*rel); i++) {
13175 /* This is where to make the change */
13176 - location = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr
13177 - + rel[i].r_offset;
13178 + plocation = (void *)sechdrs[sechdrs[relsec].sh_info].sh_addr + rel[i].r_offset;
13179 + location = (uint32_t)plocation;
13180 + if (sechdrs[sechdrs[relsec].sh_info].sh_flags & SHF_EXECINSTR)
13181 + plocation = ktla_ktva((void *)plocation);
13182 /* This is the symbol it is referring to. Note that all
13183 undefined symbols have been resolved. */
13184 sym = (Elf32_Sym *)sechdrs[symindex].sh_addr
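Review bot: The split into `plocation` (where the store goes) and `location` (the integer address used for PC-relative relocations) is the crux of this hunk, and the only thing explaining it is the variable names: `plocation` is redirected through `ktla_ktva()` for `SHF_EXECINSTR` sections so the write hits the writable alias of module text, while `location` must remain the address the CPU will execute from so the displacement is computed correctly. Suggest a comment at the `if (sechdrs[...].sh_flags & SHF_EXECINSTR)`: `/* write through the data alias of the text, but relocate relative to the real (executable) address */`. Note that `location = (uint32_t)plocation;` must be taken before the translation, as it is - the order is load-bearing and a reshuffle would silently break every `R_386_PC32`.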
13185 @@ -94,11 +140,15 @@ int apply_relocate(Elf32_Shdr *sechdrs,
13186 switch (ELF32_R_TYPE(rel[i].r_info)) {
13188 /* We add the value into the location given */
13189 - *location += sym->st_value;
13190 + pax_open_kernel();
13191 + *plocation += sym->st_value;
13192 + pax_close_kernel();
13195 /* Add the value, subtract its postition */
13196 - *location += sym->st_value - (uint32_t)location;
13197 + pax_open_kernel();
13198 + *plocation += sym->st_value - location;
13199 + pax_close_kernel();
13202 printk(KERN_ERR "module %s: Unknown relocation: %u\n",
13203 @@ -154,21 +204,30 @@ int apply_relocate_add(Elf64_Shdr *sechd
13204 case R_X86_64_NONE:
13207 + pax_open_kernel();
13209 + pax_close_kernel();
13212 + pax_open_kernel();
13214 + pax_close_kernel();
13215 if (val != *(u32 *)loc)
13219 + pax_open_kernel();
13221 + pax_close_kernel();
13222 if ((s64)val != *(s32 *)loc)
13225 case R_X86_64_PC32:
13227 + pax_open_kernel();
13229 + pax_close_kernel();
13232 if ((s64)val != *(s32 *)loc)
13234 diff -urNp linux-2.6.36.1/arch/x86/kernel/paravirt.c linux-2.6.36.1/arch/x86/kernel/paravirt.c
13235 --- linux-2.6.36.1/arch/x86/kernel/paravirt.c 2010-10-20 16:30:22.000000000 -0400
13236 +++ linux-2.6.36.1/arch/x86/kernel/paravirt.c 2010-11-06 18:58:15.000000000 -0400
13237 @@ -122,7 +122,7 @@ unsigned paravirt_patch_jmp(void *insnbu
13238 * corresponding structure. */
13239 static void *get_call_destination(u8 type)
13241 - struct paravirt_patch_template tmpl = {
13242 + const struct paravirt_patch_template tmpl = {
13243 .pv_init_ops = pv_init_ops,
13244 .pv_time_ops = pv_time_ops,
13245 .pv_cpu_ops = pv_cpu_ops,
13246 @@ -145,14 +145,14 @@ unsigned paravirt_patch_default(u8 type,
13247 if (opfunc == NULL)
13248 /* If there's no function, patch it with a ud2a (BUG) */
13249 ret = paravirt_patch_insns(insnbuf, len, ud2a, ud2a+sizeof(ud2a));
13250 - else if (opfunc == _paravirt_nop)
13251 + else if (opfunc == (void *)_paravirt_nop)
13252 /* If the operation is a nop, then nop the callsite */
13253 ret = paravirt_patch_nop();
13255 /* identity functions just return their single argument */
13256 - else if (opfunc == _paravirt_ident_32)
13257 + else if (opfunc == (void *)_paravirt_ident_32)
13258 ret = paravirt_patch_ident_32(insnbuf, len);
13259 - else if (opfunc == _paravirt_ident_64)
13260 + else if (opfunc == (void *)_paravirt_ident_64)
13261 ret = paravirt_patch_ident_64(insnbuf, len);
13263 else if (type == PARAVIRT_PATCH(pv_cpu_ops.iret) ||
13264 @@ -178,7 +178,7 @@ unsigned paravirt_patch_insns(void *insn
13265 if (insn_len > len || start == NULL)
13268 - memcpy(insnbuf, start, insn_len);
13269 + memcpy(insnbuf, ktla_ktva(start), insn_len);
13273 @@ -294,22 +294,22 @@ void arch_flush_lazy_mmu_mode(void)
13277 -struct pv_info pv_info = {
13278 +struct pv_info pv_info __read_only = {
13279 .name = "bare hardware",
13280 .paravirt_enabled = 0,
13282 .shared_kernel_pmd = 1, /* Only used when CONFIG_X86_PAE is set */
13285 -struct pv_init_ops pv_init_ops = {
13286 +struct pv_init_ops pv_init_ops __read_only = {
13287 .patch = native_patch,
13290 -struct pv_time_ops pv_time_ops = {
13291 +struct pv_time_ops pv_time_ops __read_only = {
13292 .sched_clock = native_sched_clock,
13295 -struct pv_irq_ops pv_irq_ops = {
13296 +struct pv_irq_ops pv_irq_ops __read_only = {
13297 .save_fl = __PV_IS_CALLEE_SAVE(native_save_fl),
13298 .restore_fl = __PV_IS_CALLEE_SAVE(native_restore_fl),
13299 .irq_disable = __PV_IS_CALLEE_SAVE(native_irq_disable),
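Review bot: Marking pv_info, pv_init_ops, pv_time_ops and pv_irq_ops `__read_only` (and pv_cpu_ops, pv_apic_ops, pv_mmu_ops and pv_lock_ops in the following hunks) changes the contract for every piece of code that assigns their members at run time — hypervisor backends installing their own ops are the obvious case — which must now bracket those stores with pax_open_kernel()/pax_close_kernel() or fault; none of those writers is in view, so that needs confirming. The definition of `__read_only` is not on the page either, so the first of these tables should carry a comment stating the new rule, e.g. `/* __read_only: write-protected after init; runtime writers must use pax_open_kernel()/pax_close_kernel() */`, if that is how the attribute behaves. Immutable function-pointer tables are a sound hardening choice since such tables are a common control-flow-hijack target, and the comment should record that intent so the annotation is not dropped later as noise.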
13300 @@ -321,7 +321,7 @@ struct pv_irq_ops pv_irq_ops = {
13304 -struct pv_cpu_ops pv_cpu_ops = {
13305 +struct pv_cpu_ops pv_cpu_ops __read_only = {
13306 .cpuid = native_cpuid,
13307 .get_debugreg = native_get_debugreg,
13308 .set_debugreg = native_set_debugreg,
13309 @@ -382,7 +382,7 @@ struct pv_cpu_ops pv_cpu_ops = {
13310 .end_context_switch = paravirt_nop,
13313 -struct pv_apic_ops pv_apic_ops = {
13314 +struct pv_apic_ops pv_apic_ops __read_only = {
13315 #ifdef CONFIG_X86_LOCAL_APIC
13316 .startup_ipi_hook = paravirt_nop,
13318 @@ -396,7 +396,7 @@ struct pv_apic_ops pv_apic_ops = {
13319 #define PTE_IDENT __PV_IS_CALLEE_SAVE(_paravirt_ident_64)
13322 -struct pv_mmu_ops pv_mmu_ops = {
13323 +struct pv_mmu_ops pv_mmu_ops __read_only = {
13325 .read_cr2 = native_read_cr2,
13326 .write_cr2 = native_write_cr2,
13327 @@ -463,6 +463,12 @@ struct pv_mmu_ops pv_mmu_ops = {
13330 .set_fixmap = native_set_fixmap,
13332 +#ifdef CONFIG_PAX_KERNEXEC
13333 + .pax_open_kernel = native_pax_open_kernel,
13334 + .pax_close_kernel = native_pax_close_kernel,
13339 EXPORT_SYMBOL_GPL(pv_time_ops);
13340 diff -urNp linux-2.6.36.1/arch/x86/kernel/paravirt-spinlocks.c linux-2.6.36.1/arch/x86/kernel/paravirt-spinlocks.c
13341 --- linux-2.6.36.1/arch/x86/kernel/paravirt-spinlocks.c 2010-10-20 16:30:22.000000000 -0400
13342 +++ linux-2.6.36.1/arch/x86/kernel/paravirt-spinlocks.c 2010-11-06 18:58:15.000000000 -0400
13343 @@ -13,7 +13,7 @@ default_spin_lock_flags(arch_spinlock_t
13344 arch_spin_lock(lock);
13347 -struct pv_lock_ops pv_lock_ops = {
13348 +struct pv_lock_ops pv_lock_ops __read_only = {
13350 .spin_is_locked = __ticket_spin_is_locked,
13351 .spin_is_contended = __ticket_spin_is_contended,
13352 diff -urNp linux-2.6.36.1/arch/x86/kernel/pci-calgary_64.c linux-2.6.36.1/arch/x86/kernel/pci-calgary_64.c
13353 --- linux-2.6.36.1/arch/x86/kernel/pci-calgary_64.c 2010-10-20 16:30:22.000000000 -0400
13354 +++ linux-2.6.36.1/arch/x86/kernel/pci-calgary_64.c 2010-11-06 18:58:15.000000000 -0400
13355 @@ -475,7 +475,7 @@ static void calgary_free_coherent(struct
13356 free_pages((unsigned long)vaddr, get_order(size));
13359 -static struct dma_map_ops calgary_dma_ops = {
13360 +static const struct dma_map_ops calgary_dma_ops = {
13361 .alloc_coherent = calgary_alloc_coherent,
13362 .free_coherent = calgary_free_coherent,
13363 .map_sg = calgary_map_sg,
13364 diff -urNp linux-2.6.36.1/arch/x86/kernel/pci-dma.c linux-2.6.36.1/arch/x86/kernel/pci-dma.c
13365 --- linux-2.6.36.1/arch/x86/kernel/pci-dma.c 2010-10-20 16:30:22.000000000 -0400
13366 +++ linux-2.6.36.1/arch/x86/kernel/pci-dma.c 2010-11-06 18:58:15.000000000 -0400
13369 static int forbid_dac __read_mostly;
13371 -struct dma_map_ops *dma_ops = &nommu_dma_ops;
13372 +const struct dma_map_ops *dma_ops = &nommu_dma_ops;
13373 EXPORT_SYMBOL(dma_ops);
13375 static int iommu_sac_force __read_mostly;
13376 @@ -251,7 +251,7 @@ early_param("iommu", iommu_setup);
13378 int dma_supported(struct device *dev, u64 mask)
13380 - struct dma_map_ops *ops = get_dma_ops(dev);
13381 + const struct dma_map_ops *ops = get_dma_ops(dev);
13384 if (mask > 0xffffffff && forbid_dac > 0) {
13385 diff -urNp linux-2.6.36.1/arch/x86/kernel/pci-gart_64.c linux-2.6.36.1/arch/x86/kernel/pci-gart_64.c
13386 --- linux-2.6.36.1/arch/x86/kernel/pci-gart_64.c 2010-10-20 16:30:22.000000000 -0400
13387 +++ linux-2.6.36.1/arch/x86/kernel/pci-gart_64.c 2010-11-06 18:58:15.000000000 -0400
13388 @@ -699,7 +699,7 @@ static __init int init_k8_gatt(struct ag
13392 -static struct dma_map_ops gart_dma_ops = {
13393 +static const struct dma_map_ops gart_dma_ops = {
13394 .map_sg = gart_map_sg,
13395 .unmap_sg = gart_unmap_sg,
13396 .map_page = gart_map_page,
13397 diff -urNp linux-2.6.36.1/arch/x86/kernel/pci-nommu.c linux-2.6.36.1/arch/x86/kernel/pci-nommu.c
13398 --- linux-2.6.36.1/arch/x86/kernel/pci-nommu.c 2010-10-20 16:30:22.000000000 -0400
13399 +++ linux-2.6.36.1/arch/x86/kernel/pci-nommu.c 2010-11-06 18:58:15.000000000 -0400
13400 @@ -95,7 +95,7 @@ static void nommu_sync_sg_for_device(str
13401 flush_write_buffers();
13404 -struct dma_map_ops nommu_dma_ops = {
13405 +const struct dma_map_ops nommu_dma_ops = {
13406 .alloc_coherent = dma_generic_alloc_coherent,
13407 .free_coherent = nommu_free_coherent,
13408 .map_sg = nommu_map_sg,
13409 diff -urNp linux-2.6.36.1/arch/x86/kernel/pci-swiotlb.c linux-2.6.36.1/arch/x86/kernel/pci-swiotlb.c
13410 --- linux-2.6.36.1/arch/x86/kernel/pci-swiotlb.c 2010-10-20 16:30:22.000000000 -0400
13411 +++ linux-2.6.36.1/arch/x86/kernel/pci-swiotlb.c 2010-11-06 18:58:15.000000000 -0400
13412 @@ -25,7 +25,7 @@ static void *x86_swiotlb_alloc_coherent(
13413 return swiotlb_alloc_coherent(hwdev, size, dma_handle, flags);
13416 -static struct dma_map_ops swiotlb_dma_ops = {
13417 +static const struct dma_map_ops swiotlb_dma_ops = {
13418 .mapping_error = swiotlb_dma_mapping_error,
13419 .alloc_coherent = x86_swiotlb_alloc_coherent,
13420 .free_coherent = swiotlb_free_coherent,
13421 diff -urNp linux-2.6.36.1/arch/x86/kernel/process_32.c linux-2.6.36.1/arch/x86/kernel/process_32.c
13422 --- linux-2.6.36.1/arch/x86/kernel/process_32.c 2010-10-20 16:30:22.000000000 -0400
13423 +++ linux-2.6.36.1/arch/x86/kernel/process_32.c 2010-11-06 18:58:15.000000000 -0400
13424 @@ -67,6 +67,7 @@ asmlinkage void ret_from_fork(void) __as
13425 unsigned long thread_saved_pc(struct task_struct *tsk)
13427 return ((unsigned long *)tsk->thread.sp)[3];
13428 +//XXX return tsk->thread.eip;
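Review bot: The added line is commented-out code with an `XXX` marker, and `thread.eip` is not used by any visible code; either the return should actually change or the line should go. If it is meant as a reminder, a normal `/* TODO: indexing sp[3] assumes the switch_to frame layout; ... */` explaining what is suspect about the current return is more useful than dead code. The same applies to `//XXX needs set_fs()?` in the CLONE_SETTLS hunk of copy_thread below, which is additionally placed between an `if` and its single-statement body — legal, but it makes the body look detached from its condition.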
13432 @@ -130,7 +131,7 @@ void __show_regs(struct pt_regs *regs, i
13434 unsigned short ss, gs;
13436 - if (user_mode_vm(regs)) {
13437 + if (user_mode(regs)) {
13439 ss = regs->ss & 0xffff;
13440 gs = get_user_gs(regs);
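Review bot: Switching __show_regs from `user_mode_vm(regs)` to `user_mode(regs)` changes what is reported for a vm86 task in the unpatched tree, where the two helpers differ precisely in how vm86 frames are classified, unless the patch has redefined user_mode() elsewhere; the signal.c hunk that introduces `user_mode_novm(regs)` in do_signal suggests such a redefinition, but it is not on this page. The same substitution appears in ptrace.c's fill_sigtrap_info. If user_mode() now covers vm86, a comment at the redefinition would stop reviewers re-checking each call site; if it does not, both call sites regress for vm86 processes.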
13441 @@ -200,7 +201,7 @@ int copy_thread(unsigned long clone_flag
13442 struct task_struct *tsk;
13445 - childregs = task_pt_regs(p);
13446 + childregs = task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8;
13447 *childregs = *regs;
13449 childregs->sp = sp;
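Review bot: `task_stack_page(p) + THREAD_SIZE - sizeof(struct pt_regs) - 8` open-codes the stack-top layout with a bare `8`, and the same `-8-sizeof(u64)` arithmetic reappears in process_64.c's get_wchan; a named constant would keep the two in step. No comment explains why task_pt_regs() can no longer be used here — presumably because this patch's pax_randomize_kstack (later in this file) perturbs thread->sp0, so a pt_regs location derived from sp0 is no longer the fixed top of the stack. If that is the reason, say so: `/* place the child's frame at the fixed stack top; task_pt_regs() follows the randomized sp0 */`.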
13450 @@ -234,6 +235,7 @@ int copy_thread(unsigned long clone_flag
13451 * Set a new TLS for the child thread?
13453 if (clone_flags & CLONE_SETTLS)
13454 +//XXX needs set_fs()?
13455 err = do_set_thread_area(p, -1,
13456 (struct user_desc __user *)childregs->si, 0);
13458 @@ -297,7 +299,7 @@ __switch_to(struct task_struct *prev_p,
13459 struct thread_struct *prev = &prev_p->thread,
13460 *next = &next_p->thread;
13461 int cpu = smp_processor_id();
13462 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13463 + struct tss_struct *tss = init_tss + cpu;
13466 /* never put a printk in __switch_to... printk() calls wake_up*() indirectly */
13467 @@ -332,6 +334,11 @@ __switch_to(struct task_struct *prev_p,
13469 lazy_save_gs(prev->gs);
13471 +#ifdef CONFIG_PAX_MEMORY_UDEREF
13472 + if (!segment_eq(task_thread_info(prev_p)->addr_limit, task_thread_info(next_p)->addr_limit))
13473 + __set_fs(task_thread_info(next_p)->addr_limit, cpu);
13477 * Load the per-thread Thread-Local Storage descriptor.
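Review bot: The addr_limit comparison and the `__set_fs(..., cpu)` call have no comment, and the reason is not obvious from the code: under UDEREF the address limit is presumably reflected in a per-CPU segment descriptor, so it has to be reloaded whenever two tasks with different limits are switched (a kernel thread that raised its limit via set_fs, for instance). A one-liner such as `/* UDEREF: addr_limit is enforced through a per-cpu segment limit; reload it when prev and next differ */` would make the invariant explicit. The `#endif` for the new block is not visible here.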
13479 @@ -408,3 +415,27 @@ unsigned long get_wchan(struct task_stru
13483 +#ifdef CONFIG_PAX_RANDKSTACK
13484 +asmlinkage void pax_randomize_kstack(void)
13486 + struct thread_struct *thread = ¤t->thread;
13487 + unsigned long time;
13489 + if (!randomize_va_space)
13494 + /* P4 seems to return a 0 LSB, ignore it */
13495 +#ifdef CONFIG_MPENTIUM4
13503 + thread->sp0 ^= time;
13504 + load_sp0(init_tss + smp_processor_id(), thread);
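Review bot: The lines between `unsigned long time;` and `thread->sp0 ^= time;` — the entropy source and, presumably, the mask that bounds the perturbation — are not on this page, so the property a reviewer most needs, that the perturbed sp0 stays inside the task's kernel stack and keeps its required alignment, cannot be checked here; the function header should state that range explicitly, e.g. `/* perturbs sp0 by at most MAX_DELTA bytes in STEP-byte units, staying within the kernel stack */` with the real values filled in. `time` is a poor name for a randomness value; `rnd` or `delta` reads better. `load_sp0(init_tss + smp_processor_id(), thread)` also assumes the caller cannot migrate between reading the CPU number and writing the TSS; if this runs on the syscall exit path with interrupts off, a comment saying so would close that question.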
13507 diff -urNp linux-2.6.36.1/arch/x86/kernel/process_64.c linux-2.6.36.1/arch/x86/kernel/process_64.c
13508 --- linux-2.6.36.1/arch/x86/kernel/process_64.c 2010-10-20 16:30:22.000000000 -0400
13509 +++ linux-2.6.36.1/arch/x86/kernel/process_64.c 2010-11-06 18:58:15.000000000 -0400
13510 @@ -89,7 +89,7 @@ static void __exit_idle(void)
13511 void exit_idle(void)
13513 /* idle loop has pid 0 */
13514 - if (current->pid)
13515 + if (task_pid_nr(current))
13519 @@ -380,7 +380,7 @@ __switch_to(struct task_struct *prev_p,
13520 struct thread_struct *prev = &prev_p->thread;
13521 struct thread_struct *next = &next_p->thread;
13522 int cpu = smp_processor_id();
13523 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
13524 + struct tss_struct *tss = init_tss + cpu;
13525 unsigned fsindex, gsindex;
13528 @@ -533,12 +533,11 @@ unsigned long get_wchan(struct task_stru
13529 if (!p || p == current || p->state == TASK_RUNNING)
13531 stack = (unsigned long)task_stack_page(p);
13532 - if (p->thread.sp < stack || p->thread.sp >= stack+THREAD_SIZE)
13533 + if (p->thread.sp < stack || p->thread.sp > stack+THREAD_SIZE-8-sizeof(u64))
13535 fp = *(u64 *)(p->thread.sp);
13537 - if (fp < (unsigned long)stack ||
13538 - fp >= (unsigned long)stack+THREAD_SIZE)
13539 + if (fp < stack || fp > stack+THREAD_SIZE-8-sizeof(u64))
13541 ip = *(u64 *)(fp+8);
13542 if (!in_sched_functions(ip))
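Review bot: The tightened bounds (`sp` and `fp` at most `stack+THREAD_SIZE-8-sizeof(u64)`) keep the `*(u64 *)(p->thread.sp)` and `*(u64 *)(fp+8)` reads inside the stack page, which the old `>= stack+THREAD_SIZE` tests did not guarantee for a pointer within the last 16 bytes; that rationale deserves a comment because the expression reads like an arbitrary fudge, e.g. `/* leave room for the u64 read at fp+8 below the stack top */`. get_wchan peeks at another task's stack without synchronisation, so these bounds are the only thing preventing a stray read; the function starts above the hunk.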
13543 diff -urNp linux-2.6.36.1/arch/x86/kernel/process.c linux-2.6.36.1/arch/x86/kernel/process.c
13544 --- linux-2.6.36.1/arch/x86/kernel/process.c 2010-10-20 16:30:22.000000000 -0400
13545 +++ linux-2.6.36.1/arch/x86/kernel/process.c 2010-11-06 18:58:15.000000000 -0400
13546 @@ -74,7 +74,7 @@ void exit_thread(void)
13547 unsigned long *bp = t->io_bitmap_ptr;
13550 - struct tss_struct *tss = &per_cpu(init_tss, get_cpu());
13551 + struct tss_struct *tss = init_tss + get_cpu();
13553 t->io_bitmap_ptr = NULL;
13554 clear_thread_flag(TIF_IO_BITMAP);
13555 @@ -118,6 +118,9 @@ void flush_thread(void)
13557 struct task_struct *tsk = current;
13559 +#if defined(CONFIG_X86_32) && !defined(CONFIG_CC_STACKPROTECTOR)
13560 + loadsegment(gs, 0);
13562 flush_ptrace_hw_breakpoint(tsk);
13563 memset(tsk->thread.tls_array, 0, sizeof(tsk->thread.tls_array));
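Review bot: `loadsegment(gs, 0)` under `CONFIG_X86_32 && !CONFIG_CC_STACKPROTECTOR` has no comment, and the condition is the interesting part: with the stack protector enabled on 32-bit, gs addresses the canary segment (the kernel_thread hunk below sets `regs.gs = __KERNEL_STACK_CANARY`), so clearing it would break every stack-protected function that runs afterwards, whereas without it gs is the user TLS selector that flush_thread is resetting alongside tls_array. Suggest `/* gs is the user TLS selector here; with CC_STACKPROTECTOR it holds the canary segment and must be left alone */`. The matching `#endif` is not in view.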
13565 @@ -280,8 +283,8 @@ int kernel_thread(int (*fn)(void *), voi
13566 regs.di = (unsigned long) arg;
13568 #ifdef CONFIG_X86_32
13569 - regs.ds = __USER_DS;
13570 - regs.es = __USER_DS;
13571 + regs.ds = __KERNEL_DS;
13572 + regs.es = __KERNEL_DS;
13573 regs.fs = __KERNEL_PERCPU;
13574 regs.gs = __KERNEL_STACK_CANARY;
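Review bot: Changing a kernel thread's initial ds/es from __USER_DS to __KERNEL_DS on 32-bit is a meaningful privilege-boundary change with no why-comment; presumably under UDEREF __USER_DS carries a segment limit that excludes kernel addresses, so a kernel thread started with it would fault on its first kernel data access. `/* kernel threads must not run on the user-limited data segment (UDEREF) */` above the `#ifdef CONFIG_X86_32` block would record that. Whether anything later relies on a kernel thread's ds/es being __USER_DS (for example when it transitions to user space via kernel_execve) is not visible here and should be confirmed.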
13576 @@ -658,17 +661,3 @@ static int __init idle_setup(char *str)
13579 early_param("idle", idle_setup);
13581 -unsigned long arch_align_stack(unsigned long sp)
13583 - if (!(current->personality & ADDR_NO_RANDOMIZE) && randomize_va_space)
13584 - sp -= get_random_int() % 8192;
13585 - return sp & ~0xf;
13588 -unsigned long arch_randomize_brk(struct mm_struct *mm)
13590 - unsigned long range_end = mm->brk + 0x02000000;
13591 - return randomize_range(mm->brk, range_end, 0) ? : mm->brk;
13594 diff -urNp linux-2.6.36.1/arch/x86/kernel/ptrace.c linux-2.6.36.1/arch/x86/kernel/ptrace.c
13595 --- linux-2.6.36.1/arch/x86/kernel/ptrace.c 2010-10-20 16:30:22.000000000 -0400
13596 +++ linux-2.6.36.1/arch/x86/kernel/ptrace.c 2010-11-06 18:58:15.000000000 -0400
13597 @@ -804,7 +804,7 @@ static const struct user_regset_view use
13598 long arch_ptrace(struct task_struct *child, long request, long addr, long data)
13601 - unsigned long __user *datap = (unsigned long __user *)data;
13602 + unsigned long __user *datap = (__force unsigned long __user *)data;
13605 /* read the word at location addr in the USER area. */
13606 @@ -891,14 +891,14 @@ long arch_ptrace(struct task_struct *chi
13609 ret = do_get_thread_area(child, addr,
13610 - (struct user_desc __user *) data);
13611 + (__force struct user_desc __user *) data);
13614 case PTRACE_SET_THREAD_AREA:
13617 ret = do_set_thread_area(child, addr,
13618 - (struct user_desc __user *) data, 0);
13619 + (__force struct user_desc __user *) data, 0);
13623 @@ -1315,7 +1315,7 @@ static void fill_sigtrap_info(struct tas
13624 memset(info, 0, sizeof(*info));
13625 info->si_signo = SIGTRAP;
13626 info->si_code = si_code;
13627 - info->si_addr = user_mode_vm(regs) ? (void __user *)regs->ip : NULL;
13628 + info->si_addr = user_mode(regs) ? (__force void __user *)regs->ip : NULL;
13631 void user_single_step_siginfo(struct task_struct *tsk,
13632 diff -urNp linux-2.6.36.1/arch/x86/kernel/reboot.c linux-2.6.36.1/arch/x86/kernel/reboot.c
13633 --- linux-2.6.36.1/arch/x86/kernel/reboot.c 2010-11-26 18:26:24.000000000 -0500
13634 +++ linux-2.6.36.1/arch/x86/kernel/reboot.c 2010-11-26 18:27:07.000000000 -0500
13635 @@ -33,7 +33,7 @@ void (*pm_power_off)(void);
13636 EXPORT_SYMBOL(pm_power_off);
13638 static const struct desc_ptr no_idt = {};
13639 -static int reboot_mode;
13640 +static unsigned short reboot_mode;
13641 enum reboot_type reboot_type = BOOT_KBD;
13644 @@ -284,7 +284,7 @@ static struct dmi_system_id __initdata r
13645 DMI_MATCH(DMI_BOARD_NAME, "P4S800"),
13649 + { NULL, NULL, {{0, {0}}}, NULL}
13652 static int __init reboot_init(void)
13653 @@ -300,12 +300,12 @@ core_initcall(reboot_init);
13654 controller to pulse the CPU reset line, which is more thorough, but
13655 doesn't work with at least one type of 486 motherboard. It is easy
13656 to stop this code working; hence the copious comments. */
13657 -static const unsigned long long
13658 -real_mode_gdt_entries [3] =
13659 +static struct desc_struct
13660 +real_mode_gdt_entries [3] __read_only =
13662 - 0x0000000000000000ULL, /* Null descriptor */
13663 - 0x00009b000000ffffULL, /* 16-bit real-mode 64k code at 0x00000000 */
13664 - 0x000093000100ffffULL /* 16-bit real-mode 64k data at 0x00000100 */
13665 + GDT_ENTRY_INIT(0, 0, 0), /* Null descriptor */
13666 + GDT_ENTRY_INIT(0x9b, 0, 0xffff), /* 16-bit real-mode 64k code at 0x00000000 */
13667 + GDT_ENTRY_INIT(0x93, 0x100, 0xffff) /* 16-bit real-mode 64k data at 0x00000100 */
13670 static const struct desc_ptr
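Review bot: `const` was dropped from real_mode_gdt_entries when `__read_only` was added, so the compiler no longer rejects an accidental store to an object that is meant to be immutable; if the reason is that the toolchain cannot place a const object into the `__read_only` section (a section-type conflict is the usual cause), one comment on the declaration would stop the next reader from "fixing" it back. The GDT_ENTRY_INIT form is a clear readability gain over the raw 64-bit descriptor literals. Narrowing `reboot_mode` to `unsigned short` in the first hunk of this file matches the 16-bit store at 0x472 later on, which is a good consistency change.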
13671 @@ -354,7 +354,7 @@ static const unsigned char jump_to_bios
13672 * specified by the code and length parameters.
13673 * We assume that length will aways be less that 100!
13675 -void machine_real_restart(const unsigned char *code, int length)
13676 +void machine_real_restart(const unsigned char *code, unsigned int length)
13678 local_irq_disable();
13680 @@ -374,8 +374,8 @@ void machine_real_restart(const unsigned
13681 /* Remap the kernel at virtual address zero, as well as offset zero
13682 from the kernel segment. This assumes the kernel segment starts at
13683 virtual address PAGE_OFFSET. */
13684 - memcpy(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13685 - sizeof(swapper_pg_dir [0]) * KERNEL_PGD_PTRS);
13686 + clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13687 + min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
13690 * Use `swapper_pg_dir' as our page directory.
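Review bot: Limiting the count to `min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)` is the substantive change here and has no comment: the destination starts at entry 0 and the source at entry KERNEL_PGD_BOUNDARY, so copying more than KERNEL_PGD_BOUNDARY entries would run the destination into the range being copied, which is possible on configurations where the kernel half has more PGD entries than the user half. Suggest `/* never copy more than KERNEL_PGD_BOUNDARY entries: the copy must not overrun into its own source */`. Whether clone_pgd_range does anything beyond the copy is not visible here; the comment above still correctly describes the operation as remapping the kernel at address zero.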
13691 @@ -387,16 +387,15 @@ void machine_real_restart(const unsigned
13692 boot)". This seems like a fairly standard thing that gets set by
13693 REBOOT.COM programs, and the previous reset routine did this
13695 - *((unsigned short *)0x472) = reboot_mode;
13696 + *(unsigned short *)(__va(0x472)) = reboot_mode;
13698 /* For the switch to real mode, copy some code to low memory. It has
13699 to be in the first 64k because it is running in 16-bit mode, and it
13700 has to have the same physical and virtual address, because it turns
13701 off paging. Copy it near the end of the first page, out of the way
13702 of BIOS variables. */
13703 - memcpy((void *)(0x1000 - sizeof(real_mode_switch) - 100),
13704 - real_mode_switch, sizeof (real_mode_switch));
13705 - memcpy((void *)(0x1000 - 100), code, length);
13706 + memcpy(__va(0x1000 - sizeof (real_mode_switch) - 100), real_mode_switch, sizeof (real_mode_switch));
13707 + memcpy(__va(0x1000 - 100), code, length);
13709 /* Set up the IDT for real mode. */
13710 load_idt(&real_mode_idt);
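Review bot: `memcpy(__va(0x1000 - 100), code, length)` still copies an unchecked number of bytes into the 100-byte slot below the real-mode switch code; making `length` unsigned (earlier hunk of this file) rules out negative values but not oversize ones, and the only guard is the comment above the function stating that length is assumed to be under 100. A `BUG_ON(length > 100);` (or a WARN_ON plus early return) at the top of machine_real_restart would enforce the assumption; the function starts above this hunk. The `__va()` conversions go in the right direction — the stores use the linear map rather than relying on the identity mapping — and the `*(unsigned short *)(__va(0x472))` store now matches the 16-bit `reboot_mode` declared in the first hunk.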
13711 diff -urNp linux-2.6.36.1/arch/x86/kernel/setup.c linux-2.6.36.1/arch/x86/kernel/setup.c
13712 --- linux-2.6.36.1/arch/x86/kernel/setup.c 2010-10-20 16:30:22.000000000 -0400
13713 +++ linux-2.6.36.1/arch/x86/kernel/setup.c 2010-11-06 18:58:15.000000000 -0400
13714 @@ -705,7 +705,7 @@ static void __init trim_bios_range(void)
13715 * area (640->1Mb) as ram even though it is not.
13718 - e820_remove_range(BIOS_BEGIN, BIOS_END - BIOS_BEGIN, E820_RAM, 1);
13719 + e820_remove_range(ISA_START_ADDRESS, ISA_END_ADDRESS - ISA_START_ADDRESS, E820_RAM, 1);
13720 sanitize_e820_map(e820.map, ARRAY_SIZE(e820.map), &e820.nr_map);
13723 @@ -797,14 +797,14 @@ void __init setup_arch(char **cmdline_p)
13725 if (!boot_params.hdr.root_flags)
13726 root_mountflags &= ~MS_RDONLY;
13727 - init_mm.start_code = (unsigned long) _text;
13728 - init_mm.end_code = (unsigned long) _etext;
13729 + init_mm.start_code = ktla_ktva((unsigned long) _text);
13730 + init_mm.end_code = ktla_ktva((unsigned long) _etext);
13731 init_mm.end_data = (unsigned long) _edata;
13732 init_mm.brk = _brk_end;
13734 - code_resource.start = virt_to_phys(_text);
13735 - code_resource.end = virt_to_phys(_etext)-1;
13736 - data_resource.start = virt_to_phys(_etext);
13737 + code_resource.start = virt_to_phys(ktla_ktva(_text));
13738 + code_resource.end = virt_to_phys(ktla_ktva(_etext))-1;
13739 + data_resource.start = virt_to_phys(_sdata);
13740 data_resource.end = virt_to_phys(_edata)-1;
13741 bss_resource.start = virt_to_phys(&__bss_start);
13742 bss_resource.end = virt_to_phys(&__bss_stop)-1;
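Review bot: `data_resource.start = virt_to_phys(_sdata)` replaces `virt_to_phys(_etext)`, so whatever lies between `_etext` and `_sdata` (typically read-only data) is no longer covered by any resource, while `code_resource` now ends at `ktla_ktva(_etext)`; if that gap is intentional, a comment saying so would help, otherwise a separate resource for it is warranted. Applying `ktla_ktva()` to `_text`/`_etext` but not to `_sdata`/`_edata` presumably reflects that only the text segment is relocated under KERNEXEC; the linker-script side is not visible here, so that should be confirmed rather than assumed.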
13743 diff -urNp linux-2.6.36.1/arch/x86/kernel/setup_percpu.c linux-2.6.36.1/arch/x86/kernel/setup_percpu.c
13744 --- linux-2.6.36.1/arch/x86/kernel/setup_percpu.c 2010-10-20 16:30:22.000000000 -0400
13745 +++ linux-2.6.36.1/arch/x86/kernel/setup_percpu.c 2010-11-06 18:58:15.000000000 -0400
13746 @@ -21,19 +21,17 @@
13747 #include <asm/cpu.h>
13748 #include <asm/stackprotector.h>
13750 -DEFINE_PER_CPU(int, cpu_number);
13752 +DEFINE_PER_CPU(unsigned int, cpu_number);
13753 EXPORT_PER_CPU_SYMBOL(cpu_number);
13756 -#ifdef CONFIG_X86_64
13757 #define BOOT_PERCPU_OFFSET ((unsigned long)__per_cpu_load)
13759 -#define BOOT_PERCPU_OFFSET 0
13762 DEFINE_PER_CPU(unsigned long, this_cpu_off) = BOOT_PERCPU_OFFSET;
13763 EXPORT_PER_CPU_SYMBOL(this_cpu_off);
13765 -unsigned long __per_cpu_offset[NR_CPUS] __read_mostly = {
13766 +unsigned long __per_cpu_offset[NR_CPUS] __read_only = {
13767 [0 ... NR_CPUS-1] = BOOT_PERCPU_OFFSET,
13769 EXPORT_SYMBOL(__per_cpu_offset);
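Review bot: `__per_cpu_offset[]` becomes `__read_only` here but is still assigned in setup_per_cpu_areas (`per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];` in a later hunk of this file), so this is only correct if the read-only section is sealed after that __init code has run — not visible here and worth a comment on the array, e.g. `/* written only by setup_per_cpu_areas(); sealed read-only after init */`. Removing the `#ifdef CONFIG_X86_64` around BOOT_PERCPU_OFFSET makes 32-bit boot from `__per_cpu_load` instead of 0, a behaviour change for the boot CPU's early per-cpu accesses that deserves its own line of explanation. `cpu_number` changing from `int` to `unsigned int` is fine as long as no caller compares it against a negative sentinel; none are in view.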
13770 @@ -161,10 +159,10 @@ static inline void setup_percpu_segment(
13772 #ifdef CONFIG_X86_32
13773 struct desc_struct gdt;
13774 + unsigned long base = per_cpu_offset(cpu);
13776 - pack_descriptor(&gdt, per_cpu_offset(cpu), 0xFFFFF,
13777 - 0x2 | DESCTYPE_S, 0x8);
13779 + pack_descriptor(&gdt, base, (VMALLOC_END - base - 1) >> PAGE_SHIFT,
13780 + 0x83 | DESCTYPE_S, 0xC);
13781 write_gdt_entry(get_cpu_gdt_table(cpu),
13782 GDT_ENTRY_PERCPU, &gdt, DESCTYPE_S);
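Review bot: The new limit `(VMALLOC_END - base - 1) >> PAGE_SHIFT` and the descriptor values `0x83 | DESCTYPE_S, 0xC` are bare numbers; the limit is the security-relevant part — the per-cpu segment no longer spans the whole address space but stops at VMALLOC_END — and the bit values should be named rather than left as magic, e.g. `/* present RW data segment, page granularity, 32-bit; limit ends at VMALLOC_END so the segment cannot address beyond the kernel mapping */`, with the exact bit meanings checked against pack_descriptor(), which is not on this page. Stating that the limit is a deliberate hardening boundary makes it less likely to be "simplified" back to 0xFFFFF later.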
13784 @@ -213,6 +211,11 @@ void __init setup_per_cpu_areas(void)
13785 /* alrighty, percpu areas up and running */
13786 delta = (unsigned long)pcpu_base_addr - (unsigned long)__per_cpu_start;
13787 for_each_possible_cpu(cpu) {
13788 +#ifdef CONFIG_CC_STACKPROTECTOR
13789 +#ifdef CONFIG_x86_32
13790 + unsigned long canary = per_cpu(stack_canary, cpu);
13793 per_cpu_offset(cpu) = delta + pcpu_unit_offsets[cpu];
13794 per_cpu(this_cpu_off, cpu) = per_cpu_offset(cpu);
13795 per_cpu(cpu_number, cpu) = cpu;
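Review bot: `#ifdef CONFIG_x86_32` (lowercase x) is not the Kconfig symbol — everywhere else on this page it is `CONFIG_X86_32` — so unless the patch defines the lowercase spelling somewhere, the canary save block is dead code and the restore under the same misspelling in the next hunk (`if (cpu == boot_cpu_id) per_cpu(stack_canary, cpu) = canary;`) never runs either, leaving the boot CPU's stack canary uncarried across the per-cpu relocation on 32-bit. Fix both to `#ifdef CONFIG_X86_32`. The `canary` local is declared in the loop body here and used in the second hunk, so the two blocks must sit in the same for_each_possible_cpu iteration; the `#endif` lines are not in view.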
13796 @@ -249,6 +252,12 @@ void __init setup_per_cpu_areas(void)
13797 set_cpu_numa_node(cpu, early_cpu_to_node(cpu));
13800 +#ifdef CONFIG_CC_STACKPROTECTOR
13801 +#ifdef CONFIG_x86_32
13802 + if (cpu == boot_cpu_id)
13803 + per_cpu(stack_canary, cpu) = canary;
13807 * Up to this point, the boot CPU has been using .init.data
13808 * area. Reload any changed state for the boot CPU.
13809 diff -urNp linux-2.6.36.1/arch/x86/kernel/signal.c linux-2.6.36.1/arch/x86/kernel/signal.c
13810 --- linux-2.6.36.1/arch/x86/kernel/signal.c 2010-10-20 16:30:22.000000000 -0400
13811 +++ linux-2.6.36.1/arch/x86/kernel/signal.c 2010-11-06 18:58:15.000000000 -0400
13812 @@ -198,7 +198,7 @@ static unsigned long align_sigframe(unsi
13813 * Align the stack pointer according to the i386 ABI,
13814 * i.e. so that on function entry ((sp + 4) & 15) == 0.
13816 - sp = ((sp + 4) & -16ul) - 4;
13817 + sp = ((sp - 12) & -16ul) - 4;
13818 #else /* !CONFIG_X86_32 */
13819 sp = round_down(sp, 16) - 8;
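Review bot: `((sp - 12) & -16ul) - 4` yields exactly 16 bytes less than the old `((sp + 4) & -16ul) - 4` for every input and satisfies the same `((sp + 4) & 15) == 0` entry invariant, yet the comment directly above only states the invariant, not why an extra 16-byte slot is now reserved. Whatever the reason — room for something pushed afterwards, or never returning an address at or above the incoming sp — it belongs in that comment so the arithmetic is not reverted as a no-op cleanup. Only the 32-bit branch changes; the 64-bit `round_down(sp, 16) - 8` is untouched.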
13821 @@ -249,11 +249,11 @@ get_sigframe(struct k_sigaction *ka, str
13822 * Return an always-bogus address instead so we will die with SIGSEGV.
13824 if (onsigstack && !likely(on_sig_stack(sp)))
13825 - return (void __user *)-1L;
13826 + return (__force void __user *)-1L;
13828 /* save i387 state */
13829 if (used_math() && save_i387_xstate(*fpstate) < 0)
13830 - return (void __user *)-1L;
13831 + return (__force void __user *)-1L;
13833 return (void __user *)sp;
13835 @@ -308,9 +308,9 @@ __setup_frame(int sig, struct k_sigactio
13838 if (current->mm->context.vdso)
13839 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13840 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, sigreturn);
13842 - restorer = &frame->retcode;
13843 + restorer = (void __user *)&frame->retcode;
13844 if (ka->sa.sa_flags & SA_RESTORER)
13845 restorer = ka->sa.sa_restorer;
13847 @@ -324,7 +324,7 @@ __setup_frame(int sig, struct k_sigactio
13848 * reasons and because gdb uses it as a signature to notice
13849 * signal handler stack frames.
13851 - err |= __put_user(*((u64 *)&retcode), (u64 *)frame->retcode);
13852 + err |= __put_user(*((u64 *)&retcode), (u64 __user *)frame->retcode);
13856 @@ -378,7 +378,10 @@ static int __setup_rt_frame(int sig, str
13857 err |= __copy_to_user(&frame->uc.uc_sigmask, set, sizeof(*set));
13859 /* Set up to return from userspace. */
13860 - restorer = VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13861 + if (current->mm->context.vdso)
13862 + restorer = (__force void __user *)VDSO32_SYMBOL(current->mm->context.vdso, rt_sigreturn);
13864 + restorer = (void __user *)&frame->retcode;
13865 if (ka->sa.sa_flags & SA_RESTORER)
13866 restorer = ka->sa.sa_restorer;
13867 put_user_ex(restorer, &frame->pretcode);
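Review bot: The new `else restorer = (void __user *)&frame->retcode;` makes the rt frame fall back to the trampoline written into the signal frame itself when no vDSO is mapped, mirroring __setup_frame; that trampoline lives on the user stack and only works if the stack is executable, which sits uneasily with the non-executable-stack goals of the rest of this patch. It is presumably reached only for processes whose vDSO mapping is disabled, but the trade-off should be stated where the fallback is chosen: `/* no vDSO: fall back to the on-stack trampoline (requires an executable stack) */`. Whether SA_RESTORER is forced or the vDSO retained for NX-enforced tasks is not visible here.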
13868 @@ -390,7 +393,7 @@ static int __setup_rt_frame(int sig, str
13869 * reasons and because gdb uses it as a signature to notice
13870 * signal handler stack frames.
13872 - put_user_ex(*((u64 *)&rt_retcode), (u64 *)frame->retcode);
13873 + put_user_ex(*((u64 *)&rt_retcode), (u64 __user *)frame->retcode);
13874 } put_user_catch(err);
13877 @@ -780,7 +783,7 @@ static void do_signal(struct pt_regs *re
13878 * X86_32: vm86 regs switched out by assembly code before reaching
13879 * here, so testing against kernel CS suffices.
13881 - if (!user_mode(regs))
13882 + if (!user_mode_novm(regs))
13885 if (current_thread_info()->status & TS_RESTORE_SIGMASK)
13886 diff -urNp linux-2.6.36.1/arch/x86/kernel/smpboot.c linux-2.6.36.1/arch/x86/kernel/smpboot.c
13887 --- linux-2.6.36.1/arch/x86/kernel/smpboot.c 2010-10-20 16:30:22.000000000 -0400
13888 +++ linux-2.6.36.1/arch/x86/kernel/smpboot.c 2010-11-06 18:58:15.000000000 -0400
13889 @@ -782,7 +782,11 @@ do_rest:
13890 (unsigned long)task_stack_page(c_idle.idle) -
13891 KERNEL_STACK_OFFSET + THREAD_SIZE;
13894 + pax_open_kernel();
13895 early_gdt_descr.address = (unsigned long)get_cpu_gdt_table(cpu);
13896 + pax_close_kernel();
13898 initial_code = (unsigned long)start_secondary;
13899 stack_start.sp = (void *) c_idle.idle->thread.sp;
13901 @@ -922,6 +926,12 @@ int __cpuinit native_cpu_up(unsigned int
13903 per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
13905 +#ifdef CONFIG_PAX_PER_CPU_PGD
13906 + clone_pgd_range(get_cpu_pgd(cpu) + KERNEL_PGD_BOUNDARY,
13907 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
13908 + KERNEL_PGD_PTRS);
13911 err = do_boot_cpu(apicid, cpu);
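Review bot: Copying the kernel half of swapper_pg_dir into the new CPU's PGD once at bring-up means any kernel PGD entry populated later (vmalloc-area growth is the usual case) must be propagated to every per-CPU PGD by some other path, or the secondary CPU will fault on a mapping the boot CPU can see; that propagation is not visible here, so a comment should point to it: `/* CONFIG_PAX_PER_CPU_PGD: seed this cpu's pgd with the kernel half; later kernel PGD changes must be synced to it separately */`. The `#endif` for the block is not in view.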
13914 diff -urNp linux-2.6.36.1/arch/x86/kernel/step.c linux-2.6.36.1/arch/x86/kernel/step.c
13915 --- linux-2.6.36.1/arch/x86/kernel/step.c 2010-10-20 16:30:22.000000000 -0400
13916 +++ linux-2.6.36.1/arch/x86/kernel/step.c 2010-11-06 18:58:15.000000000 -0400
13917 @@ -27,10 +27,10 @@ unsigned long convert_ip_to_linear(struc
13918 struct desc_struct *desc;
13919 unsigned long base;
13924 mutex_lock(&child->mm->context.lock);
13925 - if (unlikely((seg >> 3) >= child->mm->context.size))
13926 + if (unlikely(seg >= child->mm->context.size))
13927 addr = -1L; /* bogus selector, access would fault */
13929 desc = child->mm->context.ldt + seg;
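Review bot: The new bound `seg >= child->mm->context.size` now agrees with the indexing on the next line, `context.ldt + seg`, which scales `seg` by sizeof(struct desc_struct); under the old `(seg >> 3) >= size` test that arithmetic could read well past the end of the LDT for a selector supplied by the traced task, so this closes an out-of-bounds read. What `seg` holds at this point (raw selector, RPL/TI-masked byte offset, or descriptor index) is decided by lines above the hunk that are not on the page; if it is still a byte offset, the indexing selects the wrong descriptor and the right fix is `(void *)child->mm->context.ldt + seg` with the original `>> 3` bound. A comment stating the unit of `seg` would settle this either way. Separately, the bogus-selector sentinel stored here is `-1L`, while the new guard in is_setting_trap_flag (next hunk) tests `addr == -EINVAL`; unless an elided branch returns -EINVAL, that guard does not catch this case.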
13930 @@ -53,6 +53,9 @@ static int is_setting_trap_flag(struct t
13931 unsigned char opcode[15];
13932 unsigned long addr = convert_ip_to_linear(child, regs);
13934 + if (addr == -EINVAL)
13937 copied = access_process_vm(child, addr, opcode, sizeof(opcode), 0);
13938 for (i = 0; i < copied; i++) {
13939 switch (opcode[i]) {
13940 @@ -74,7 +77,7 @@ static int is_setting_trap_flag(struct t
13942 #ifdef CONFIG_X86_64
13943 case 0x40 ... 0x4f:
13944 - if (regs->cs != __USER_CS)
13945 + if ((regs->cs & 0xffff) != __USER_CS)
13946 /* 32-bit mode: register increment */
13948 /* 64-bit mode: REX prefix */
13949 diff -urNp linux-2.6.36.1/arch/x86/kernel/syscall_table_32.S linux-2.6.36.1/arch/x86/kernel/syscall_table_32.S
13950 --- linux-2.6.36.1/arch/x86/kernel/syscall_table_32.S 2010-10-20 16:30:22.000000000 -0400
13951 +++ linux-2.6.36.1/arch/x86/kernel/syscall_table_32.S 2010-11-06 18:58:15.000000000 -0400
13953 +.section .rodata,"a",@progbits
13954 ENTRY(sys_call_table)
13955 .long sys_restart_syscall /* 0 - old "setup()" system call, used for restarting */
13957 diff -urNp linux-2.6.36.1/arch/x86/kernel/sys_i386_32.c linux-2.6.36.1/arch/x86/kernel/sys_i386_32.c
13958 --- linux-2.6.36.1/arch/x86/kernel/sys_i386_32.c 2010-10-20 16:30:22.000000000 -0400
13959 +++ linux-2.6.36.1/arch/x86/kernel/sys_i386_32.c 2010-11-06 18:58:15.000000000 -0400
13960 @@ -24,6 +24,228 @@
13962 #include <asm/syscalls.h>
13964 +int i386_mmap_check(unsigned long addr, unsigned long len, unsigned long flags)
13966 + unsigned long pax_task_size = TASK_SIZE;
13968 +#ifdef CONFIG_PAX_SEGMEXEC
13969 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
13970 + pax_task_size = SEGMEXEC_TASK_SIZE;
13973 + if (len > pax_task_size || addr > pax_task_size - len)
13980 +arch_get_unmapped_area(struct file *filp, unsigned long addr,
13981 + unsigned long len, unsigned long pgoff, unsigned long flags)
13983 + struct mm_struct *mm = current->mm;
13984 + struct vm_area_struct *vma;
13985 + unsigned long start_addr, pax_task_size = TASK_SIZE;
13987 +#ifdef CONFIG_PAX_SEGMEXEC
13988 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
13989 + pax_task_size = SEGMEXEC_TASK_SIZE;
13992 + pax_task_size -= PAGE_SIZE;
13994 + if (len > pax_task_size)
13997 + if (flags & MAP_FIXED)
14000 +#ifdef CONFIG_PAX_RANDMMAP
14001 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14005 + addr = PAGE_ALIGN(addr);
14006 + if (pax_task_size - len >= addr) {
14007 + vma = find_vma(mm, addr);
14008 + if (check_heap_stack_gap(vma, addr, len))
14012 + if (len > mm->cached_hole_size) {
14013 + start_addr = addr = mm->free_area_cache;
14015 + start_addr = addr = mm->mmap_base;
14016 + mm->cached_hole_size = 0;
14019 +#ifdef CONFIG_PAX_PAGEEXEC
14020 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE) && start_addr >= mm->mmap_base) {
14021 + start_addr = 0x00110000UL;
14023 +#ifdef CONFIG_PAX_RANDMMAP
14024 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14025 + start_addr += mm->delta_mmap & 0x03FFF000UL;
14028 + if (mm->start_brk <= start_addr && start_addr < mm->mmap_base)
14029 + start_addr = addr = mm->mmap_base;
14031 + addr = start_addr;
14036 + for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
14037 + /* At this point: (!vma || addr < vma->vm_end). */
14038 + if (pax_task_size - len < addr) {
14040 + * Start a new search - just in case we missed
14043 + if (start_addr != mm->mmap_base) {
14044 + start_addr = addr = mm->mmap_base;
14045 + mm->cached_hole_size = 0;
14046 + goto full_search;
14050 + if (check_heap_stack_gap(vma, addr, len))
14052 + if (addr + mm->cached_hole_size < vma->vm_start)
14053 + mm->cached_hole_size = vma->vm_start - addr;
14054 + addr = vma->vm_end;
14055 + if (mm->start_brk <= addr && addr < mm->mmap_base) {
14056 + start_addr = addr = mm->mmap_base;
14057 + mm->cached_hole_size = 0;
14058 + goto full_search;
14063 + * Remember the place where we stopped the search:
14065 + mm->free_area_cache = addr + len;
14070 +arch_get_unmapped_area_topdown(struct file *filp, const unsigned long addr0,
14071 + const unsigned long len, const unsigned long pgoff,
14072 + const unsigned long flags)
14074 + struct vm_area_struct *vma;
14075 + struct mm_struct *mm = current->mm;
14076 + unsigned long base = mm->mmap_base, addr = addr0, pax_task_size = TASK_SIZE;
14078 +#ifdef CONFIG_PAX_SEGMEXEC
14079 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14080 + pax_task_size = SEGMEXEC_TASK_SIZE;
14083 + pax_task_size -= PAGE_SIZE;
14085 + /* requested length too big for entire address space */
14086 + if (len > pax_task_size)
14089 + if (flags & MAP_FIXED)
14092 +#ifdef CONFIG_PAX_PAGEEXEC
14093 + if (!(__supported_pte_mask & _PAGE_NX) && (mm->pax_flags & MF_PAX_PAGEEXEC) && (flags & MAP_EXECUTABLE))
14097 +#ifdef CONFIG_PAX_RANDMMAP
14098 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14101 + /* requesting a specific address */
14103 + addr = PAGE_ALIGN(addr);
14104 + if (pax_task_size - len >= addr) {
14105 + vma = find_vma(mm, addr);
14106 + if (check_heap_stack_gap(vma, addr, len))
14111 + /* check if free_area_cache is useful for us */
14112 + if (len <= mm->cached_hole_size) {
14113 + mm->cached_hole_size = 0;
14114 + mm->free_area_cache = mm->mmap_base;
14117 + /* either no address requested or can't fit in requested address hole */
14118 + addr = mm->free_area_cache;
14120 + /* make sure it can fit in the remaining address space */
14121 + if (addr > len) {
14122 + vma = find_vma(mm, addr-len);
14123 + if (check_heap_stack_gap(vma, addr - len, len))
14124 + /* remember the address as a hint for next time */
14125 + return (mm->free_area_cache = addr-len);
14128 + if (mm->mmap_base < len)
14131 + addr = mm->mmap_base-len;
14135 + * Lookup failure means no vma is above this address,
14136 + * else if new region fits below vma->vm_start,
14137 + * return with success:
14139 + vma = find_vma(mm, addr);
14140 + if (check_heap_stack_gap(vma, addr, len))
14141 + /* remember the address as a hint for next time */
14142 + return (mm->free_area_cache = addr);
14144 + /* remember the largest hole we saw so far */
14145 + if (addr + mm->cached_hole_size < vma->vm_start)
14146 + mm->cached_hole_size = vma->vm_start - addr;
14148 + /* try just below the current vma->vm_start */
14149 + addr = vma->vm_start-len;
14150 + } while (len < vma->vm_start);
14154 + * A failed mmap() very likely causes application failure,
14155 + * so fall back to the bottom-up function here. This scenario
14156 + * can happen with large stack limits and large mmap()
14160 +#ifdef CONFIG_PAX_SEGMEXEC
14161 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
14162 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
14166 + mm->mmap_base = TASK_UNMAPPED_BASE;
14168 +#ifdef CONFIG_PAX_RANDMMAP
14169 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14170 + mm->mmap_base += mm->delta_mmap;
14173 + mm->free_area_cache = mm->mmap_base;
14174 + mm->cached_hole_size = ~0UL;
14175 + addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14177 + * Restore the topdown base:
14179 + mm->mmap_base = base;
14180 + mm->free_area_cache = base;
14181 + mm->cached_hole_size = ~0UL;
14187 * Do a system call from kernel instead of calling sys_execve so we
14188 * end up with proper pt_regs.
14189 diff -urNp linux-2.6.36.1/arch/x86/kernel/sys_x86_64.c linux-2.6.36.1/arch/x86/kernel/sys_x86_64.c
14190 --- linux-2.6.36.1/arch/x86/kernel/sys_x86_64.c 2010-10-20 16:30:22.000000000 -0400
14191 +++ linux-2.6.36.1/arch/x86/kernel/sys_x86_64.c 2010-11-06 18:58:15.000000000 -0400
14192 @@ -32,8 +32,8 @@ out:
14196 -static void find_start_end(unsigned long flags, unsigned long *begin,
14197 - unsigned long *end)
14198 +static void find_start_end(struct mm_struct *mm, unsigned long flags,
14199 + unsigned long *begin, unsigned long *end)
14201 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT)) {
14202 unsigned long new_begin;
14203 @@ -52,7 +52,7 @@ static void find_start_end(unsigned long
14204 *begin = new_begin;
14207 - *begin = TASK_UNMAPPED_BASE;
14208 + *begin = mm->mmap_base;
14212 @@ -69,16 +69,19 @@ arch_get_unmapped_area(struct file *filp
14213 if (flags & MAP_FIXED)
14216 - find_start_end(flags, &begin, &end);
14217 + find_start_end(mm, flags, &begin, &end);
14222 +#ifdef CONFIG_PAX_RANDMMAP
14223 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14227 addr = PAGE_ALIGN(addr);
14228 vma = find_vma(mm, addr);
14229 - if (end - len >= addr &&
14230 - (!vma || addr + len <= vma->vm_start))
14231 + if (end - len >= addr && check_heap_stack_gap(vma, addr, len))
14234 if (((flags & MAP_32BIT) || test_thread_flag(TIF_IA32))
14235 @@ -106,7 +109,7 @@ full_search:
14239 - if (!vma || addr + len <= vma->vm_start) {
14240 + if (check_heap_stack_gap(vma, addr, len)) {
14242 * Remember the place where we stopped the search:
14244 @@ -128,7 +131,7 @@ arch_get_unmapped_area_topdown(struct fi
14246 struct vm_area_struct *vma;
14247 struct mm_struct *mm = current->mm;
14248 - unsigned long addr = addr0;
14249 + unsigned long base = mm->mmap_base, addr = addr0;
14251 /* requested length too big for entire address space */
14252 if (len > TASK_SIZE)
14253 @@ -141,12 +144,15 @@ arch_get_unmapped_area_topdown(struct fi
14254 if (!test_thread_flag(TIF_IA32) && (flags & MAP_32BIT))
14257 +#ifdef CONFIG_PAX_RANDMMAP
14258 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
14261 /* requesting a specific address */
14263 addr = PAGE_ALIGN(addr);
14264 vma = find_vma(mm, addr);
14265 - if (TASK_SIZE - len >= addr &&
14266 - (!vma || addr + len <= vma->vm_start))
14267 + if (TASK_SIZE - len >= addr && check_heap_stack_gap(vma, addr, len))
14271 @@ -162,7 +168,7 @@ arch_get_unmapped_area_topdown(struct fi
14272 /* make sure it can fit in the remaining address space */
14274 vma = find_vma(mm, addr-len);
14275 - if (!vma || addr <= vma->vm_start)
14276 + if (check_heap_stack_gap(vma, addr - len, len))
14277 /* remember the address as a hint for next time */
14278 return mm->free_area_cache = addr-len;
14280 @@ -179,7 +185,7 @@ arch_get_unmapped_area_topdown(struct fi
14281 * return with success:
14283 vma = find_vma(mm, addr);
14284 - if (!vma || addr+len <= vma->vm_start)
14285 + if (check_heap_stack_gap(vma, addr, len))
14286 /* remember the address as a hint for next time */
14287 return mm->free_area_cache = addr;
14289 @@ -198,13 +204,21 @@ bottomup:
14290 * can happen with large stack limits and large mmap()
14293 + mm->mmap_base = TASK_UNMAPPED_BASE;
14295 +#ifdef CONFIG_PAX_RANDMMAP
14296 + if (mm->pax_flags & MF_PAX_RANDMMAP)
14297 + mm->mmap_base += mm->delta_mmap;
14300 + mm->free_area_cache = mm->mmap_base;
14301 mm->cached_hole_size = ~0UL;
14302 - mm->free_area_cache = TASK_UNMAPPED_BASE;
14303 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
14305 * Restore the topdown base:
14307 - mm->free_area_cache = mm->mmap_base;
14308 + mm->mmap_base = base;
14309 + mm->free_area_cache = base;
14310 mm->cached_hole_size = ~0UL;
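Review bot: The temporary overwrite of `mm->mmap_base` before the bottom-up fallback is not explained, and it is now load-bearing: `find_start_end()` in the first hunk of this file reads `mm->mmap_base` where it used to read `TASK_UNMAPPED_BASE`, so the fallback `arch_get_unmapped_area()` call only searches bottom-up because this hunk plants the bottom-up base there first. A comment above `mm->mmap_base = TASK_UNMAPPED_BASE;` such as `/* find_start_end() reads mm->mmap_base; plant the bottom-up base for the fallback, restored below */` would make that dependency visible. The same pattern appears in the x86_32 hunk at the top of this chunk, whose start is outside the view. The enclosing arch_get_unmapped_area_topdown begins outside this hunk.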
14313 diff -urNp linux-2.6.36.1/arch/x86/kernel/time.c linux-2.6.36.1/arch/x86/kernel/time.c
14314 --- linux-2.6.36.1/arch/x86/kernel/time.c 2010-10-20 16:30:22.000000000 -0400
14315 +++ linux-2.6.36.1/arch/x86/kernel/time.c 2010-11-06 18:58:15.000000000 -0400
14316 @@ -26,17 +26,13 @@
14320 -#ifdef CONFIG_X86_64
14321 -volatile unsigned long __jiffies __section_jiffies = INITIAL_JIFFIES;
14324 unsigned long profile_pc(struct pt_regs *regs)
14326 unsigned long pc = instruction_pointer(regs);
14328 - if (!user_mode_vm(regs) && in_lock_functions(pc)) {
14329 + if (!user_mode(regs) && in_lock_functions(pc)) {
14330 #ifdef CONFIG_FRAME_POINTER
14331 - return *(unsigned long *)(regs->bp + sizeof(long));
14332 + return ktla_ktva(*(unsigned long *)(regs->bp + sizeof(long)));
14334 unsigned long *sp =
14335 (unsigned long *)kernel_stack_pointer(regs);
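Review bot: Replacing `user_mode_vm(regs)` with `user_mode(regs)` in profile_pc only preserves the original behaviour if this patch redefines `user_mode()` to also recognise vm86 mode; the traps.c hunks further down, which turn `user_mode()` into `user_mode_novm()`, suggest that is the intent, but nothing in this file says so. A one-line comment, `/* user_mode() in this tree covers vm86 too (see user_mode_novm) */`, would keep a later reader from "fixing" it back. The `ktla_ktva()` wrap on the frame-pointer return is likewise unexplained; if it maps a KERNEXEC text address back to its virtual counterpart, as the name suggests, say so, since the helper's definition is not in view.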
14336 @@ -45,11 +41,17 @@ unsigned long profile_pc(struct pt_regs
14337 * or above a saved flags. Eflags has bits 22-31 zero,
14338 * kernel addresses don't.
14341 +#ifdef CONFIG_PAX_KERNEXEC
14342 + return ktla_ktva(sp[0]);
14354 diff -urNp linux-2.6.36.1/arch/x86/kernel/tls.c linux-2.6.36.1/arch/x86/kernel/tls.c
14355 --- linux-2.6.36.1/arch/x86/kernel/tls.c 2010-10-20 16:30:22.000000000 -0400
14356 +++ linux-2.6.36.1/arch/x86/kernel/tls.c 2010-11-06 18:58:15.000000000 -0400
14357 @@ -85,6 +85,11 @@ int do_set_thread_area(struct task_struc
14358 if (idx < GDT_ENTRY_TLS_MIN || idx > GDT_ENTRY_TLS_MAX)
14361 +#ifdef CONFIG_PAX_SEGMEXEC
14362 + if ((p->mm->pax_flags & MF_PAX_SEGMEXEC) && (info.contents & MODIFY_LDT_CONTENTS_CODE))
14366 set_tls_desc(p, idx, &info, 1);
14369 diff -urNp linux-2.6.36.1/arch/x86/kernel/trampoline_32.S linux-2.6.36.1/arch/x86/kernel/trampoline_32.S
14370 --- linux-2.6.36.1/arch/x86/kernel/trampoline_32.S 2010-10-20 16:30:22.000000000 -0400
14371 +++ linux-2.6.36.1/arch/x86/kernel/trampoline_32.S 2010-11-06 18:58:15.000000000 -0400
14373 #include <asm/segment.h>
14374 #include <asm/page_types.h>
14376 +#ifdef CONFIG_PAX_KERNEXEC
14379 +#define ta(X) ((X) - __PAGE_OFFSET)
14382 /* We can free up trampoline after bootup if cpu hotplug is not supported. */
14385 @@ -60,7 +66,7 @@ r_base = .
14386 inc %ax # protected mode (PE) bit
14387 lmsw %ax # into protected mode
14388 # flush prefetch and jump to startup_32_smp in arch/i386/kernel/head.S
14389 - ljmpl $__BOOT_CS, $(startup_32_smp-__PAGE_OFFSET)
14390 + ljmpl $__BOOT_CS, $ta(startup_32_smp)
14392 # These need to be in the same 64K segment as the above;
14393 # hence we don't use the boot_gdt_descr defined in head.S
14394 diff -urNp linux-2.6.36.1/arch/x86/kernel/trampoline_64.S linux-2.6.36.1/arch/x86/kernel/trampoline_64.S
14395 --- linux-2.6.36.1/arch/x86/kernel/trampoline_64.S 2010-10-20 16:30:22.000000000 -0400
14396 +++ linux-2.6.36.1/arch/x86/kernel/trampoline_64.S 2010-11-06 18:58:15.000000000 -0400
14397 @@ -91,7 +91,7 @@ startup_32:
14398 movl $__KERNEL_DS, %eax # Initialize the %ds segment register
14401 - movl $X86_CR4_PAE, %eax
14402 + movl $(X86_CR4_PSE | X86_CR4_PAE | X86_CR4_PGE), %eax
14403 movl %eax, %cr4 # Enable PAE mode
14405 # Setup trampoline 4 level pagetables
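Review bot: The trailing comment `# Enable PAE mode` on the `movl %eax, %cr4` line is now stale, since the value written also sets `X86_CR4_PSE` and `X86_CR4_PGE`; change it to `# Enable PSE, PAE and global pages` so the comment matches the bits. Why the trampoline now needs PSE and PGE (presumably to match the CR4 the kernel itself runs with) is not stated in the hunk and is worth one line.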
14406 @@ -138,7 +138,7 @@ tidt:
14407 # so the kernel can live anywhere
14410 - .short tgdt_end - tgdt # gdt limit
14411 + .short tgdt_end - tgdt - 1 # gdt limit
14412 .long tgdt - r_base
14414 .quad 0x00cf9b000000ffff # __KERNEL32_CS
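Review bot: `tgdt_end - tgdt - 1` is the correct GDT limit, since the descriptor-table limit field holds the offset of the last valid byte rather than the size, but the comment `# gdt limit` does not say so and the pre-patch value was the plain size; `# gdt limit = size - 1` makes the intent checkable. The `tidt` descriptor named in the hunk header is outside the view, so whether it needs the same treatment cannot be confirmed here.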
14415 diff -urNp linux-2.6.36.1/arch/x86/kernel/traps.c linux-2.6.36.1/arch/x86/kernel/traps.c
14416 --- linux-2.6.36.1/arch/x86/kernel/traps.c 2010-11-26 18:26:24.000000000 -0500
14417 +++ linux-2.6.36.1/arch/x86/kernel/traps.c 2010-11-26 18:29:30.000000000 -0500
14418 @@ -70,12 +70,6 @@ asmlinkage int system_call(void);
14420 /* Do we ignore FPU interrupts ? */
14421 char ignore_fpu_irq;
14424 - * The IDT has to be page-aligned to simplify the Pentium
14425 - * F0 0F bug workaround.
14427 -gate_desc idt_table[NR_VECTORS] __page_aligned_data = { { { { 0, 0 } } }, };
14430 DECLARE_BITMAP(used_vectors, NR_VECTORS);
14431 @@ -110,13 +104,13 @@ static inline void preempt_conditional_c
14434 static void __kprobes
14435 -do_trap(int trapnr, int signr, char *str, struct pt_regs *regs,
14436 +do_trap(int trapnr, int signr, const char *str, struct pt_regs *regs,
14437 long error_code, siginfo_t *info)
14439 struct task_struct *tsk = current;
14441 #ifdef CONFIG_X86_32
14442 - if (regs->flags & X86_VM_MASK) {
14443 + if (v8086_mode(regs)) {
14445 * traps 0, 1, 3, 4, and 5 should be forwarded to vm86.
14446 * On nmi (interrupt 2), do_trap should not be called.
14447 @@ -127,7 +121,7 @@ do_trap(int trapnr, int signr, char *str
14451 - if (!user_mode(regs))
14452 + if (!user_mode_novm(regs))
14455 #ifdef CONFIG_X86_32
14456 @@ -150,7 +144,7 @@ trap_signal:
14457 printk_ratelimit()) {
14459 "%s[%d] trap %s ip:%lx sp:%lx error:%lx",
14460 - tsk->comm, tsk->pid, str,
14461 + tsk->comm, task_pid_nr(tsk), str,
14462 regs->ip, regs->sp, error_code);
14463 print_vma_addr(" in ", regs->ip);
14465 @@ -167,8 +161,20 @@ kernel_trap:
14466 if (!fixup_exception(regs)) {
14467 tsk->thread.error_code = error_code;
14468 tsk->thread.trap_no = trapnr;
14470 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14471 + if (trapnr == 12 && ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS))
14472 + str = "PAX: suspicious stack segment fault";
14475 die(str, regs, error_code);
14478 +#ifdef CONFIG_PAX_REFCOUNT
14480 + pax_report_refcount_overflow(regs);
14485 #ifdef CONFIG_X86_32
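Review bot: The literal `12` and the `(regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS` test give no hint of what is being detected, and the same CS comparison is repeated verbatim in the `gp_in_kernel` hunk below. A comment above the `if`, `/* vector 12 is #SS; raised from a kernel code segment it is reported as suspicious */`, plus a small static helper for the CS test shared by both sites, would make the intent and the coupling explicit. The enclosing do_trap() starts outside this hunk, and the matching `#endif` lines are not in view.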
14486 @@ -257,14 +263,30 @@ do_general_protection(struct pt_regs *re
14487 conditional_sti(regs);
14489 #ifdef CONFIG_X86_32
14490 - if (regs->flags & X86_VM_MASK)
14491 + if (v8086_mode(regs))
14496 - if (!user_mode(regs))
14497 + if (!user_mode_novm(regs))
14500 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
14501 + if (!(__supported_pte_mask & _PAGE_NX) && tsk->mm && (tsk->mm->pax_flags & MF_PAX_PAGEEXEC)) {
14502 + struct mm_struct *mm = tsk->mm;
14503 + unsigned long limit;
14505 + down_write(&mm->mmap_sem);
14506 + limit = mm->context.user_cs_limit;
14507 + if (limit < TASK_SIZE) {
14508 + track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC);
14509 + up_write(&mm->mmap_sem);
14512 + up_write(&mm->mmap_sem);
14516 tsk->thread.error_code = error_code;
14517 tsk->thread.trap_no = 13;
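Review bot: The new PAGEEXEC branch calls `track_exec_limit(mm, limit, TASK_SIZE, VM_EXEC)` on a user-mode #GP, which as far as these lines show extends the tracked executable limit from `user_cs_limit` to the whole user range for that mm, and the hunk does not say why a #GP is the right trigger for that. A comment stating the condition being handled (presumably a legitimate fetch past `user_cs_limit`) and what elsewhere keeps the limit meaningful afterwards would help reviewers; the lines after each `up_write()`, i.e. whether the branch returns or falls through to the signal path, are not in view. Taking `mmap_sem` for write inside the trap handler is unusual enough on this path to deserve its own line of justification. do_general_protection begins outside this hunk.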
14519 @@ -297,6 +319,13 @@ gp_in_kernel:
14520 if (notify_die(DIE_GPF, "general protection fault", regs,
14521 error_code, 13, SIGSEGV) == NOTIFY_STOP)
14524 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14525 + if ((regs->cs & 0xFFFF) == __KERNEL_CS || (regs->cs & 0xFFFF) == __KERNEXEC_KERNEL_CS)
14526 + die("PAX: suspicious general protection fault", regs, error_code);
14530 die("general protection fault", regs, error_code);
14533 @@ -572,7 +601,7 @@ dotraplinkage void __kprobes do_debug(st
14534 /* It's safe to allow irq's after DR6 has been saved */
14535 preempt_conditional_sti(regs);
14537 - if (regs->flags & X86_VM_MASK) {
14538 + if (v8086_mode(regs)) {
14539 handle_vm86_trap((struct kernel_vm86_regs *) regs,
14541 preempt_conditional_cli(regs);
14542 @@ -586,7 +615,7 @@ dotraplinkage void __kprobes do_debug(st
14543 * We already checked v86 mode above, so we can check for kernel mode
14544 * by just checking the CPL of CS.
14546 - if ((dr6 & DR_STEP) && !user_mode(regs)) {
14547 + if ((dr6 & DR_STEP) && !user_mode_novm(regs)) {
14548 tsk->thread.debugreg6 &= ~DR_STEP;
14549 set_tsk_thread_flag(tsk, TIF_SINGLESTEP);
14550 regs->flags &= ~X86_EFLAGS_TF;
14551 @@ -615,7 +644,7 @@ void math_error(struct pt_regs *regs, in
14553 conditional_sti(regs);
14555 - if (!user_mode_vm(regs))
14556 + if (!user_mode(regs))
14558 if (!fixup_exception(regs)) {
14559 task->thread.error_code = error_code;
14560 diff -urNp linux-2.6.36.1/arch/x86/kernel/tsc.c linux-2.6.36.1/arch/x86/kernel/tsc.c
14561 --- linux-2.6.36.1/arch/x86/kernel/tsc.c 2010-10-20 16:30:22.000000000 -0400
14562 +++ linux-2.6.36.1/arch/x86/kernel/tsc.c 2010-11-06 18:58:15.000000000 -0400
14563 @@ -832,7 +832,7 @@ static struct dmi_system_id __initdata b
14564 DMI_MATCH(DMI_BOARD_NAME, "2635FA0"),
14568 + { NULL, NULL, {{0, {0}}}, NULL}
14571 static void __init check_system_tsc_reliable(void)
14572 diff -urNp linux-2.6.36.1/arch/x86/kernel/vm86_32.c linux-2.6.36.1/arch/x86/kernel/vm86_32.c
14573 --- linux-2.6.36.1/arch/x86/kernel/vm86_32.c 2010-11-26 18:26:24.000000000 -0500
14574 +++ linux-2.6.36.1/arch/x86/kernel/vm86_32.c 2010-11-26 18:27:07.000000000 -0500
14576 #include <linux/ptrace.h>
14577 #include <linux/audit.h>
14578 #include <linux/stddef.h>
14579 +#include <linux/grsecurity.h>
14581 #include <asm/uaccess.h>
14582 #include <asm/io.h>
14583 @@ -148,7 +149,7 @@ struct pt_regs *save_v86_state(struct ke
14587 - tss = &per_cpu(init_tss, get_cpu());
14588 + tss = init_tss + get_cpu();
14589 current->thread.sp0 = current->thread.saved_sp0;
14590 current->thread.sysenter_cs = __KERNEL_CS;
14591 load_sp0(tss, ¤t->thread);
14592 @@ -207,6 +208,13 @@ int sys_vm86old(struct vm86_struct __use
14593 struct task_struct *tsk;
14594 int tmp, ret = -EPERM;
14596 +#ifdef CONFIG_GRKERNSEC_VM86
14597 + if (!capable(CAP_SYS_RAWIO)) {
14598 + gr_handle_vm86();
14604 if (tsk->thread.saved_sp0)
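Review bot: The `capable(CAP_SYS_RAWIO)` gate added here is repeated verbatim in `sys_vm86` in the next hunk; a single static helper would keep the two entry points from drifting. In `sys_vm86` the gate precedes the `switch` on `cmd` (the visible `case VM86_REQUEST_IRQ:`), so, as far as the visible lines show, every subcommand and not only the ones that enter v86 mode is refused to an uncapable caller, which is worth a comment stating it is intended. The lines that return after `gr_handle_vm86()` in both hunks are not in view.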
14606 @@ -237,6 +245,14 @@ int sys_vm86(unsigned long cmd, unsigned
14608 struct vm86plus_struct __user *v86;
14610 +#ifdef CONFIG_GRKERNSEC_VM86
14611 + if (!capable(CAP_SYS_RAWIO)) {
14612 + gr_handle_vm86();
14620 case VM86_REQUEST_IRQ:
14621 @@ -323,7 +339,7 @@ static void do_sys_vm86(struct kernel_vm
14622 tsk->thread.saved_fs = info->regs32->fs;
14623 tsk->thread.saved_gs = get_user_gs(info->regs32);
14625 - tss = &per_cpu(init_tss, get_cpu());
14626 + tss = init_tss + get_cpu();
14627 tsk->thread.sp0 = (unsigned long) &info->VM86_TSS_ESP0;
14629 tsk->thread.sysenter_cs = 0;
14630 @@ -528,7 +544,7 @@ static void do_int(struct kernel_vm86_re
14631 goto cannot_handle;
14632 if (i == 0x21 && is_revectored(AH(regs), &KVM86->int21_revectored))
14633 goto cannot_handle;
14634 - intr_ptr = (unsigned long __user *) (i << 2);
14635 + intr_ptr = (__force unsigned long __user *) (i << 2);
14636 if (get_user(segoffs, intr_ptr))
14637 goto cannot_handle;
14638 if ((segoffs >> 16) == BIOSSEG)
14639 diff -urNp linux-2.6.36.1/arch/x86/kernel/vmi_32.c linux-2.6.36.1/arch/x86/kernel/vmi_32.c
14640 --- linux-2.6.36.1/arch/x86/kernel/vmi_32.c 2010-10-20 16:30:22.000000000 -0400
14641 +++ linux-2.6.36.1/arch/x86/kernel/vmi_32.c 2010-11-06 18:58:15.000000000 -0400
14642 @@ -46,12 +46,17 @@ typedef u32 __attribute__((regparm(1)))
14643 typedef u64 __attribute__((regparm(2))) (VROMLONGFUNC)(int);
14645 #define call_vrom_func(rom,func) \
14646 - (((VROMFUNC *)(rom->func))())
14647 + (((VROMFUNC *)(ktva_ktla(rom.func)))())
14649 #define call_vrom_long_func(rom,func,arg) \
14650 - (((VROMLONGFUNC *)(rom->func)) (arg))
14652 + u64 __reloc = ((VROMLONGFUNC *)(ktva_ktla(rom.func))) (arg);\
14653 + struct vmi_relocation_info *const __rel = (struct vmi_relocation_info *)&__reloc;\
14654 + __rel->eip = (unsigned char *)ktva_ktla((unsigned long)__rel->eip);\
14658 -static struct vrom_header *vmi_rom;
14659 +static struct vrom_header vmi_rom __attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)));
14660 static int disable_pge;
14661 static int disable_pse;
14662 static int disable_sep;
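Review bot: `__attribute((__section__(".vmi.rom"), __aligned__(PAGE_SIZE)))` uses the single-underscore-suffixed spelling, which GCC accepts but which differs from the `__attribute__` used a few lines above on the `VROMLONGFUNC` typedef; the kernel's usual form is `__attribute__`, or the `__section()` / `__aligned()` wrappers from compiler.h where this tree provides them. In the new `call_vrom_long_func` body, `__reloc` and `__rel` are identifiers in the implementation-reserved namespace; macro-local names could use a non-reserved prefix. The closing lines of that macro are not in view, so its form (statement expression or otherwise) cannot be confirmed here.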
14663 @@ -78,10 +83,10 @@ static struct {
14664 void (*set_initial_ap_state)(int, int);
14665 void (*halt)(void);
14666 void (*set_lazy_mode)(int mode);
14668 +} vmi_ops __read_only;
14670 /* Cached VMI operations */
14671 -struct vmi_timer_ops vmi_timer_ops;
14672 +struct vmi_timer_ops vmi_timer_ops __read_only;
14675 * VMI patching routines.
14676 @@ -96,7 +101,7 @@ struct vmi_timer_ops vmi_timer_ops;
14677 static inline void patch_offset(void *insnbuf,
14678 unsigned long ip, unsigned long dest)
14680 - *(unsigned long *)(insnbuf+1) = dest-ip-5;
14681 + *(unsigned long *)(insnbuf+1) = dest-ip-5;
14684 static unsigned patch_internal(int call, unsigned len, void *insnbuf,
14685 @@ -104,6 +109,7 @@ static unsigned patch_internal(int call,
14688 struct vmi_relocation_info *const rel = (struct vmi_relocation_info *)&reloc;
14690 reloc = call_vrom_long_func(vmi_rom, get_reloc, call);
14691 switch(rel->type) {
14692 case VMI_RELOCATION_CALL_REL:
14693 @@ -382,13 +388,13 @@ static void vmi_set_pud(pud_t *pudp, pud
14695 static void vmi_pte_clear(struct mm_struct *mm, unsigned long addr, pte_t *ptep)
14697 - const pte_t pte = { .pte = 0 };
14698 + const pte_t pte = __pte(0ULL);
14699 vmi_ops.set_pte(pte, ptep, vmi_flags_addr(mm, addr, VMI_PAGE_PT, 0));
14702 static void vmi_pmd_clear(pmd_t *pmd)
14704 - const pte_t pte = { .pte = 0 };
14705 + const pte_t pte = __pte(0ULL);
14706 vmi_ops.set_pte(pte, (pte_t *)pmd, VMI_PAGE_PD);
14709 @@ -416,8 +422,8 @@ vmi_startup_ipi_hook(int phys_apicid, un
14710 ap.ss = __KERNEL_DS;
14711 ap.esp = (unsigned long) start_esp;
14713 - ap.ds = __USER_DS;
14714 - ap.es = __USER_DS;
14715 + ap.ds = __KERNEL_DS;
14716 + ap.es = __KERNEL_DS;
14717 ap.fs = __KERNEL_PERCPU;
14718 ap.gs = __KERNEL_STACK_CANARY;
14720 @@ -464,6 +470,18 @@ static void vmi_leave_lazy_mmu(void)
14721 paravirt_leave_lazy_mmu();
14724 +#ifdef CONFIG_PAX_KERNEXEC
14725 +static unsigned long vmi_pax_open_kernel(void)
14730 +static unsigned long vmi_pax_close_kernel(void)
14736 static inline int __init check_vmi_rom(struct vrom_header *rom)
14738 struct pci_header *pci;
14739 @@ -476,6 +494,10 @@ static inline int __init check_vmi_rom(s
14741 if (rom->vrom_signature != VMI_SIGNATURE)
14743 + if (rom->rom_length * 512 > sizeof(*rom)) {
14744 + printk(KERN_WARNING "PAX: VMI: ROM size too big: %x\n", rom->rom_length * 512);
14747 if (rom->api_version_maj != VMI_API_REV_MAJOR ||
14748 rom->api_version_min+1 < VMI_API_REV_MINOR+1) {
14749 printk(KERN_WARNING "VMI: Found mismatched rom version %d.%d\n",
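Review bot: The new size check should say what it protects: the ROM is now copied by value into the fixed-size `vmi_rom` object placed in `.vmi.rom` (see the `vmi_rom = *romstart;` hunk below), so a ROM declaring more than `sizeof(*rom)` bytes would be truncated and any entry point beyond the copy would be missing. A comment above the `if`, `/* the ROM is copied into the static vmi_rom; reject one that would not fit */`, ties the check to the copy. The `%x` conversion receives the `int` result of `rom->rom_length * 512`; `%u` with a cast, or `%d`, avoids the signedness mismatch. The lines that return after the warning are not in view.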
14750 @@ -540,7 +562,7 @@ static inline int __init probe_vmi_rom(v
14751 struct vrom_header *romstart;
14752 romstart = (struct vrom_header *)isa_bus_to_virt(base);
14753 if (check_vmi_rom(romstart)) {
14754 - vmi_rom = romstart;
14755 + vmi_rom = *romstart;
14759 @@ -816,6 +838,11 @@ static inline int __init activate_vmi(vo
14761 para_fill(pv_irq_ops.safe_halt, Halt);
14763 +#ifdef CONFIG_PAX_KERNEXEC
14764 + pv_mmu_ops.pax_open_kernel = vmi_pax_open_kernel;
14765 + pv_mmu_ops.pax_close_kernel = vmi_pax_close_kernel;
14769 * Alternative instruction rewriting doesn't happen soon enough
14770 * to convert VMI_IRET to a call instead of a jump; so we have
14771 @@ -833,16 +860,16 @@ static inline int __init activate_vmi(vo
14773 void __init vmi_init(void)
14776 + if (!vmi_rom.rom_signature)
14779 - check_vmi_rom(vmi_rom);
14780 + check_vmi_rom(&vmi_rom);
14782 /* In case probing for or validating the ROM failed, basil */
14784 + if (!vmi_rom.rom_signature)
14787 - reserve_top_address(-vmi_rom->virtual_top);
14788 + reserve_top_address(-vmi_rom.virtual_top);
14790 #ifdef CONFIG_X86_IO_APIC
14791 /* This is virtual hardware; timer routing is wired correctly */
14792 @@ -854,7 +881,7 @@ void __init vmi_activate(void)
14794 unsigned long flags;
14797 + if (!vmi_rom.rom_signature)
14800 local_irq_save(flags);
14801 diff -urNp linux-2.6.36.1/arch/x86/kernel/vmlinux.lds.S linux-2.6.36.1/arch/x86/kernel/vmlinux.lds.S
14802 --- linux-2.6.36.1/arch/x86/kernel/vmlinux.lds.S 2010-10-20 16:30:22.000000000 -0400
14803 +++ linux-2.6.36.1/arch/x86/kernel/vmlinux.lds.S 2010-11-06 18:58:15.000000000 -0400
14805 #include <asm/page_types.h>
14806 #include <asm/cache.h>
14807 #include <asm/boot.h>
14808 +#include <asm/segment.h>
14810 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
14811 +#define __KERNEL_TEXT_OFFSET (LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR)
14813 +#define __KERNEL_TEXT_OFFSET 0
14816 #undef i386 /* in case the preprocessor is a 32bit one */
14818 @@ -34,13 +41,13 @@ OUTPUT_FORMAT(CONFIG_OUTPUT_FORMAT, CONF
14819 #ifdef CONFIG_X86_32
14821 ENTRY(phys_startup_32)
14822 -jiffies = jiffies_64;
14824 OUTPUT_ARCH(i386:x86-64)
14825 ENTRY(phys_startup_64)
14826 -jiffies_64 = jiffies;
14829 +jiffies = jiffies_64;
14831 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
14833 * On 64-bit, align RODATA to 2MB so that even with CONFIG_DEBUG_RODATA
14834 @@ -69,31 +76,46 @@ jiffies_64 = jiffies;
14837 text PT_LOAD FLAGS(5); /* R_E */
14838 - data PT_LOAD FLAGS(7); /* RWE */
14839 +#ifdef CONFIG_X86_32
14840 + module PT_LOAD FLAGS(5); /* R_E */
14843 + rodata PT_LOAD FLAGS(5); /* R_E */
14845 + rodata PT_LOAD FLAGS(4); /* R__ */
14847 + data PT_LOAD FLAGS(6); /* RW_ */
14848 #ifdef CONFIG_X86_64
14849 user PT_LOAD FLAGS(5); /* R_E */
14851 + init.begin PT_LOAD FLAGS(6); /* RW_ */
14853 percpu PT_LOAD FLAGS(6); /* RW_ */
14855 + text.init PT_LOAD FLAGS(5); /* R_E */
14856 + text.exit PT_LOAD FLAGS(5); /* R_E */
14857 init PT_LOAD FLAGS(7); /* RWE */
14859 note PT_NOTE FLAGS(0); /* ___ */
14864 #ifdef CONFIG_X86_32
14865 - . = LOAD_OFFSET + LOAD_PHYSICAL_ADDR;
14866 - phys_startup_32 = startup_32 - LOAD_OFFSET;
14867 + . = LOAD_OFFSET + ____LOAD_PHYSICAL_ADDR;
14869 - . = __START_KERNEL;
14870 - phys_startup_64 = startup_64 - LOAD_OFFSET;
14871 + . = __START_KERNEL;
14874 /* Text and read-only data */
14875 - .text : AT(ADDR(.text) - LOAD_OFFSET) {
14877 + .text (. - __KERNEL_TEXT_OFFSET): AT(ADDR(.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
14878 /* bootstrapping code */
14879 +#ifdef CONFIG_X86_32
14880 + phys_startup_32 = startup_32 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14882 + phys_startup_64 = startup_64 - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14884 + __LOAD_PHYSICAL_ADDR = . - LOAD_OFFSET + __KERNEL_TEXT_OFFSET;
14887 #ifdef CONFIG_X86_32
14888 . = ALIGN(PAGE_SIZE);
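Review bot: Under `CONFIG_X86_32` the new `rodata PT_LOAD FLAGS(5); /* R_E */` maps read-only data as executable while the other branch uses `FLAGS(4); /* R__ */`, and the hunk gives no reason for the asymmetry; a comment beside the 32-bit line naming the mechanism that makes executability of rodata harmless there would let reviewers check it rather than trust it. `init PT_LOAD FLAGS(7); /* RWE */` is left as the only writable-and-executable segment now that `.data` is RW_; if that is accepted because the segment is discarded after boot, stating so beside it closes the question. The `#else` line between the two rodata definitions is not in view.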
14889 @@ -108,13 +130,52 @@ SECTIONS
14893 - /* End of text section */
14897 - NOTES :text :note
14898 + . += __KERNEL_TEXT_OFFSET;
14900 +#ifdef CONFIG_X86_32
14901 + . = ALIGN(PAGE_SIZE);
14902 + .vmi.rom : AT(ADDR(.vmi.rom) - LOAD_OFFSET) {
14906 + . = ALIGN(PAGE_SIZE);
14907 + .module.text : AT(ADDR(.module.text) - LOAD_OFFSET) {
14909 +#if defined(CONFIG_PAX_KERNEXEC) && defined(CONFIG_MODULES)
14910 + MODULES_EXEC_VADDR = .;
14912 + . += (CONFIG_PAX_KERNEXEC_MODULE_TEXT * 1024 * 1024);
14913 + . = ALIGN(HPAGE_SIZE);
14914 + MODULES_EXEC_END = . - 1;
14920 + .text.end : AT(ADDR(.text.end) - LOAD_OFFSET) {
14921 + /* End of text section */
14922 + _etext = . - __KERNEL_TEXT_OFFSET;
14925 +#ifdef CONFIG_X86_32
14926 + . = ALIGN(PAGE_SIZE);
14927 + .rodata.page_aligned : AT(ADDR(.rodata.page_aligned) - LOAD_OFFSET) {
14929 + . = ALIGN(PAGE_SIZE);
14930 + *(.empty_zero_page)
14931 + *(.swapper_pg_fixmap)
14932 + *(.swapper_pg_pmd)
14933 + *(.swapper_pg_dir)
14934 + *(.trampoline_pg_dir)
14938 + . = ALIGN(PAGE_SIZE);
14939 + NOTES :rodata :note
14941 - EXCEPTION_TABLE(16) :text = 0x9090
14942 + EXCEPTION_TABLE(16) :rodata
14944 X64_ALIGN_DEBUG_RODATA_BEGIN
14946 @@ -122,16 +183,20 @@ SECTIONS
14949 .data : AT(ADDR(.data) - LOAD_OFFSET) {
14951 +#ifdef CONFIG_PAX_KERNEXEC
14952 + . = ALIGN(HPAGE_SIZE);
14954 + . = ALIGN(PAGE_SIZE);
14957 /* Start of data section */
14961 INIT_TASK_DATA(THREAD_SIZE)
14963 -#ifdef CONFIG_X86_32
14964 - /* 32 bit has nosave before _edata */
14968 PAGE_ALIGNED_DATA(PAGE_SIZE)
14970 @@ -194,12 +259,6 @@ SECTIONS
14972 vgetcpu_mode = VVIRT(.vgetcpu_mode);
14974 - . = ALIGN(L1_CACHE_BYTES);
14975 - .jiffies : AT(VLOAD(.jiffies)) {
14978 - jiffies = VVIRT(.jiffies);
14980 .vsyscall_3 ADDR(.vsyscall_0) + 3072: AT(VLOAD(.vsyscall_3)) {
14983 @@ -215,12 +274,19 @@ SECTIONS
14984 #endif /* CONFIG_X86_64 */
14986 /* Init code and data - will be freed after init */
14987 - . = ALIGN(PAGE_SIZE);
14988 .init.begin : AT(ADDR(.init.begin) - LOAD_OFFSET) {
14991 +#ifdef CONFIG_PAX_KERNEXEC
14992 + . = ALIGN(HPAGE_SIZE);
14994 + . = ALIGN(PAGE_SIZE);
14997 __init_begin = .; /* paired with __init_end */
15001 -#if defined(CONFIG_X86_64) && defined(CONFIG_SMP)
15004 * percpu offsets are zero-based on SMP. PERCPU_VADDR() changes the
15005 * output PHDR, so the next output section - .init.text - should
15006 @@ -229,12 +295,27 @@ SECTIONS
15007 PERCPU_VADDR(0, :percpu)
15010 - INIT_TEXT_SECTION(PAGE_SIZE)
15011 -#ifdef CONFIG_X86_64
15014 + . = ALIGN(PAGE_SIZE);
15016 + .init.text (. - __KERNEL_TEXT_OFFSET): AT(init_begin - LOAD_OFFSET) {
15017 + VMLINUX_SYMBOL(_sinittext) = .;
15019 + VMLINUX_SYMBOL(_einittext) = .;
15020 + . = ALIGN(PAGE_SIZE);
15024 + * .exit.text is discard at runtime, not link time, to deal with
15025 + * references from .altinstructions and .eh_frame
15027 + .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET + __KERNEL_TEXT_OFFSET) {
15031 + . = init_begin + SIZEOF(.init.text) + SIZEOF(.exit.text);
15033 - INIT_DATA_SECTION(16)
15034 + . = ALIGN(PAGE_SIZE);
15035 + INIT_DATA_SECTION(16) :init
15037 .x86_cpu_dev.init : AT(ADDR(.x86_cpu_dev.init) - LOAD_OFFSET) {
15038 __x86_cpu_dev_start = .;
15039 @@ -260,19 +341,11 @@ SECTIONS
15040 *(.altinstr_replacement)
15044 - * .exit.text is discard at runtime, not link time, to deal with
15045 - * references from .altinstructions and .eh_frame
15047 - .exit.text : AT(ADDR(.exit.text) - LOAD_OFFSET) {
15051 .exit.data : AT(ADDR(.exit.data) - LOAD_OFFSET) {
15055 -#if !defined(CONFIG_X86_64) || !defined(CONFIG_SMP)
15056 +#ifndef CONFIG_SMP
15060 @@ -291,16 +364,10 @@ SECTIONS
15061 .smp_locks : AT(ADDR(.smp_locks) - LOAD_OFFSET) {
15064 - . = ALIGN(PAGE_SIZE);
15065 __smp_locks_end = .;
15066 + . = ALIGN(PAGE_SIZE);
15069 -#ifdef CONFIG_X86_64
15070 - .data_nosave : AT(ADDR(.data_nosave) - LOAD_OFFSET) {
15076 . = ALIGN(PAGE_SIZE);
15077 .bss : AT(ADDR(.bss) - LOAD_OFFSET) {
15078 @@ -316,6 +383,7 @@ SECTIONS
15080 . += 64 * 1024; /* 64k alignment slop space */
15081 *(.brk_reservation) /* areas brk users have reserved */
15082 + . = ALIGN(HPAGE_SIZE);
15086 @@ -342,13 +410,12 @@ SECTIONS
15087 * for the boot processor.
15089 #define INIT_PER_CPU(x) init_per_cpu__##x = x + __per_cpu_load
15090 -INIT_PER_CPU(gdt_page);
15091 INIT_PER_CPU(irq_stack_union);
15094 * Build-time check on the image size:
15096 -. = ASSERT((_end - _text <= KERNEL_IMAGE_SIZE),
15097 +. = ASSERT((_end - _text - __KERNEL_TEXT_OFFSET <= KERNEL_IMAGE_SIZE),
15098 "kernel image bigger than KERNEL_IMAGE_SIZE");
15101 diff -urNp linux-2.6.36.1/arch/x86/kernel/vsyscall_64.c linux-2.6.36.1/arch/x86/kernel/vsyscall_64.c
15102 --- linux-2.6.36.1/arch/x86/kernel/vsyscall_64.c 2010-10-20 16:30:22.000000000 -0400
15103 +++ linux-2.6.36.1/arch/x86/kernel/vsyscall_64.c 2010-11-06 18:58:15.000000000 -0400
15104 @@ -80,6 +80,7 @@ void update_vsyscall(struct timespec *wa
15106 write_seqlock_irqsave(&vsyscall_gtod_data.lock, flags);
15107 /* copy vsyscall data */
15108 + strlcpy(vsyscall_gtod_data.clock.name, clock->name, sizeof vsyscall_gtod_data.clock.name);
15109 vsyscall_gtod_data.clock.vread = clock->vread;
15110 vsyscall_gtod_data.clock.cycle_last = clock->cycle_last;
15111 vsyscall_gtod_data.clock.mask = clock->mask;
15112 @@ -208,7 +209,7 @@ vgetcpu(unsigned *cpu, unsigned *node, s
15113 We do this here because otherwise user space would do it on
15114 its own in a likely inferior way (no access to jiffies).
15115 If you don't like it pass NULL. */
15116 - if (tcache && tcache->blob[0] == (j = __jiffies)) {
15117 + if (tcache && tcache->blob[0] == (j = jiffies)) {
15118 p = tcache->blob[1];
15119 } else if (__vgetcpu_mode == VGETCPU_RDTSCP) {
15120 /* Load per CPU data from RDTSCP */
15121 diff -urNp linux-2.6.36.1/arch/x86/kernel/x8664_ksyms_64.c linux-2.6.36.1/arch/x86/kernel/x8664_ksyms_64.c
15122 --- linux-2.6.36.1/arch/x86/kernel/x8664_ksyms_64.c 2010-10-20 16:30:22.000000000 -0400
15123 +++ linux-2.6.36.1/arch/x86/kernel/x8664_ksyms_64.c 2010-11-06 18:58:15.000000000 -0400
15124 @@ -29,8 +29,6 @@ EXPORT_SYMBOL(__put_user_8);
15125 EXPORT_SYMBOL(copy_user_generic_string);
15126 EXPORT_SYMBOL(copy_user_generic_unrolled);
15127 EXPORT_SYMBOL(__copy_user_nocache);
15128 -EXPORT_SYMBOL(_copy_from_user);
15129 -EXPORT_SYMBOL(_copy_to_user);
15131 EXPORT_SYMBOL(copy_page);
15132 EXPORT_SYMBOL(clear_page);
15133 diff -urNp linux-2.6.36.1/arch/x86/kernel/xsave.c linux-2.6.36.1/arch/x86/kernel/xsave.c
15134 --- linux-2.6.36.1/arch/x86/kernel/xsave.c 2010-10-20 16:30:22.000000000 -0400
15135 +++ linux-2.6.36.1/arch/x86/kernel/xsave.c 2010-11-06 18:58:15.000000000 -0400
15136 @@ -130,7 +130,7 @@ int check_for_xstate(struct i387_fxsave_
15137 fx_sw_user->xstate_size > fx_sw_user->extended_size)
15140 - err = __get_user(magic2, (__u32 *) (((void *)fpstate) +
15141 + err = __get_user(magic2, (__u32 __user *) (((void __user *)fpstate) +
15142 fx_sw_user->extended_size -
15143 FP_XSTATE_MAGIC2_SIZE));
15145 @@ -267,7 +267,7 @@ fx_only:
15146 * the other extended state.
15148 xrstor_state(init_xstate_buf, pcntxt_mask & ~XSTATE_FPSSE);
15149 - return fxrstor_checking((__force struct i387_fxsave_struct *)buf);
15150 + return fxrstor_checking((struct i387_fxsave_struct __user *)buf);
15154 @@ -299,7 +299,7 @@ int restore_i387_xstate(void __user *buf
15156 err = restore_user_xstate(buf);
15158 - err = fxrstor_checking((__force struct i387_fxsave_struct *)
15159 + err = fxrstor_checking((struct i387_fxsave_struct __user *)
15161 if (unlikely(err)) {
15163 diff -urNp linux-2.6.36.1/arch/x86/kvm/emulate.c linux-2.6.36.1/arch/x86/kvm/emulate.c
15164 --- linux-2.6.36.1/arch/x86/kvm/emulate.c 2010-10-20 16:30:22.000000000 -0400
15165 +++ linux-2.6.36.1/arch/x86/kvm/emulate.c 2010-11-06 18:58:15.000000000 -0400
15167 #define Src2CL (1<<29)
15168 #define Src2ImmByte (2<<29)
15169 #define Src2One (3<<29)
15170 -#define Src2Mask (7<<29)
15171 +#define Src2Mask (7U<<29)
15174 Group1_80, Group1_81, Group1_82, Group1_83,
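Review bot: `Src2Mask (7U<<29)` fixes the one shift that set bit 31 of an `int`, but the neighbouring `Src2CL (1<<29)`, `Src2ImmByte (2<<29)` and `Src2One (3<<29)` stay signed, so the set now mixes signedness; giving all four the `U` suffix keeps them consistent and is a no-op for their values. A comment on the `Src2Mask` line, `/* 7 << 29 overflows int; keep unsigned */`, records why this one differs. The start of the `#define` block is not in view.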
15175 @@ -446,6 +446,7 @@ static u32 group2_table[] = {
15177 #define ____emulate_2op(_op, _src, _dst, _eflags, _x, _y, _suffix) \
15179 + unsigned long _tmp; \
15180 __asm__ __volatile__ ( \
15181 _PRE_EFLAGS("0", "4", "2") \
15182 _op _suffix " %"_x"3,%1; " \
15183 @@ -459,8 +460,6 @@ static u32 group2_table[] = {
15184 /* Raw emulation: instruction has two explicit operands. */
15185 #define __emulate_2op_nobyte(_op,_src,_dst,_eflags,_wx,_wy,_lx,_ly,_qx,_qy) \
15187 - unsigned long _tmp; \
15189 switch ((_dst).bytes) { \
15191 ____emulate_2op(_op,_src,_dst,_eflags,_wx,_wy,"w"); \
15192 @@ -476,7 +475,6 @@ static u32 group2_table[] = {
15194 #define __emulate_2op(_op,_src,_dst,_eflags,_bx,_by,_wx,_wy,_lx,_ly,_qx,_qy) \
15196 - unsigned long _tmp; \
15197 switch ((_dst).bytes) { \
15199 ____emulate_2op(_op,_src,_dst,_eflags,_bx,_by,"b"); \
15200 diff -urNp linux-2.6.36.1/arch/x86/kvm/lapic.c linux-2.6.36.1/arch/x86/kvm/lapic.c
15201 --- linux-2.6.36.1/arch/x86/kvm/lapic.c 2010-10-20 16:30:22.000000000 -0400
15202 +++ linux-2.6.36.1/arch/x86/kvm/lapic.c 2010-11-06 18:58:15.000000000 -0400
15204 #define APIC_BUS_CYCLE_NS 1
15206 /* #define apic_debug(fmt,arg...) printk(KERN_WARNING fmt,##arg) */
15207 -#define apic_debug(fmt, arg...)
15208 +#define apic_debug(fmt, arg...) do {} while (0)
15210 #define APIC_LVT_NUM 6
15211 /* 14 is the version for Xeon and Pentium 8.4.8*/
15212 diff -urNp linux-2.6.36.1/arch/x86/kvm/svm.c linux-2.6.36.1/arch/x86/kvm/svm.c
15213 --- linux-2.6.36.1/arch/x86/kvm/svm.c 2010-11-26 18:26:24.000000000 -0500
15214 +++ linux-2.6.36.1/arch/x86/kvm/svm.c 2010-11-26 18:27:07.000000000 -0500
15215 @@ -2921,7 +2921,11 @@ static void reload_tss(struct kvm_vcpu *
15216 int cpu = raw_smp_processor_id();
15218 struct svm_cpu_data *sd = per_cpu(svm_data, cpu);
15220 + pax_open_kernel();
15221 sd->tss_desc->type = 9; /* available 32/64-bit TSS */
15222 + pax_close_kernel();
15227 @@ -3476,7 +3480,7 @@ static void svm_fpu_deactivate(struct kv
15228 update_cr0_intercept(svm);
15231 -static struct kvm_x86_ops svm_x86_ops = {
15232 +static const struct kvm_x86_ops svm_x86_ops = {
15233 .cpu_has_kvm_support = has_svm,
15234 .disabled_by_bios = is_disabled,
15235 .hardware_setup = svm_hardware_setup,
15236 diff -urNp linux-2.6.36.1/arch/x86/kvm/vmx.c linux-2.6.36.1/arch/x86/kvm/vmx.c
15237 --- linux-2.6.36.1/arch/x86/kvm/vmx.c 2010-10-20 16:30:22.000000000 -0400
15238 +++ linux-2.6.36.1/arch/x86/kvm/vmx.c 2010-11-06 18:58:15.000000000 -0400
15239 @@ -711,7 +711,11 @@ static void reload_tss(void)
15241 native_store_gdt(&gdt);
15242 descs = (void *)gdt.address;
15244 + pax_open_kernel();
15245 descs[GDT_ENTRY_TSS].type = 9; /* available TSS */
15246 + pax_close_kernel();
15251 @@ -1616,8 +1620,11 @@ static __init int hardware_setup(void)
15252 if (!cpu_has_vmx_flexpriority())
15253 flexpriority_enabled = 0;
15255 - if (!cpu_has_vmx_tpr_shadow())
15256 - kvm_x86_ops->update_cr8_intercept = NULL;
15257 + if (!cpu_has_vmx_tpr_shadow()) {
15258 + pax_open_kernel();
15259 + *(void **)&kvm_x86_ops->update_cr8_intercept = NULL;
15260 + pax_close_kernel();
15263 if (enable_ept && !cpu_has_vmx_ept_2m_page())
15264 kvm_disable_largepages();
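Review bot: The store at L9007, `*(void **)&kvm_x86_ops->update_cr8_intercept = NULL;`, casts away the const that this same patch puts on the table (`static const struct kvm_x86_ops vmx_x86_ops`, L9046) and modifies an object defined const, which the C standard leaves undefined even though `pax_open_kernel()`/`pax_close_kernel()` make the page writable at runtime. It presumably works because the compiler in this file cannot see that `kvm_x86_ops` ends up pointing at `vmx_x86_ops`, but nothing records that reasoning; a comment at the cast such as `/* vmx_x86_ops lives in rodata under KERNEXEC; patch it inside the open/close window */` would. The closing brace of the new `if` block and the rest of `hardware_setup` are not visible in this rendering, so I could not check that the window is closed on every path.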
15265 @@ -2602,7 +2609,7 @@ static int vmx_vcpu_setup(struct vcpu_vm
15266 vmcs_writel(HOST_IDTR_BASE, dt.address); /* 22.2.4 */
15268 asm("mov $.Lkvm_vmx_return, %0" : "=r"(kvm_vmx_return));
15269 - vmcs_writel(HOST_RIP, kvm_vmx_return); /* 22.2.5 */
15270 + vmcs_writel(HOST_RIP, ktla_ktva(kvm_vmx_return)); /* 22.2.5 */
15271 vmcs_write32(VM_EXIT_MSR_STORE_COUNT, 0);
15272 vmcs_write32(VM_EXIT_MSR_LOAD_COUNT, 0);
15273 vmcs_write64(VM_EXIT_MSR_LOAD_ADDR, __pa(vmx->msr_autoload.host));
15274 @@ -3985,6 +3992,12 @@ static void vmx_vcpu_run(struct kvm_vcpu
15275 "jmp .Lkvm_vmx_return \n\t"
15276 ".Llaunched: " __ex(ASM_VMX_VMRESUME) "\n\t"
15277 ".Lkvm_vmx_return: "
15279 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15280 + "ljmp %[cs],$.Lkvm_vmx_return2\n\t"
15281 + ".Lkvm_vmx_return2: "
15284 /* Save guest registers, load host registers, keep flags */
15285 "xchg %0, (%%"R"sp) \n\t"
15286 "mov %%"R"ax, %c[rax](%0) \n\t"
15287 @@ -4031,8 +4044,13 @@ static void vmx_vcpu_run(struct kvm_vcpu
15288 [r15]"i"(offsetof(struct vcpu_vmx, vcpu.arch.regs[VCPU_REGS_R15])),
15290 [cr2]"i"(offsetof(struct vcpu_vmx, vcpu.arch.cr2))
15292 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
15293 + ,[cs]"i"(__KERNEL_CS)
15297 - , R"bx", R"di", R"si"
15298 + , R"ax", R"bx", R"di", R"si"
15299 #ifdef CONFIG_X86_64
15300 , "r8", "r9", "r10", "r11", "r12", "r13", "r14", "r15"
15302 @@ -4046,7 +4064,7 @@ static void vmx_vcpu_run(struct kvm_vcpu
15303 if (vmx->rmode.irq.pending)
15304 fixup_rmode_irq(vmx);
15306 - asm("mov %0, %%ds; mov %0, %%es" : : "r"(__USER_DS));
15307 + asm("mov %0, %%ds; mov %0, %%es; mov %0, %%ss" : : "r"(__KERNEL_DS));
15310 vmx_complete_interrupts(vmx);
15311 @@ -4280,7 +4298,7 @@ static void vmx_set_supported_cpuid(u32
15315 -static struct kvm_x86_ops vmx_x86_ops = {
15316 +static const struct kvm_x86_ops vmx_x86_ops = {
15317 .cpu_has_kvm_support = cpu_has_kvm_support,
15318 .disabled_by_bios = vmx_disabled_by_bios,
15319 .hardware_setup = hardware_setup,
15320 diff -urNp linux-2.6.36.1/arch/x86/kvm/x86.c linux-2.6.36.1/arch/x86/kvm/x86.c
15321 --- linux-2.6.36.1/arch/x86/kvm/x86.c 2010-11-26 18:26:24.000000000 -0500
15322 +++ linux-2.6.36.1/arch/x86/kvm/x86.c 2010-11-26 18:27:07.000000000 -0500
15323 @@ -90,7 +90,7 @@ static void update_cr8_intercept(struct
15324 static int kvm_dev_ioctl_get_supported_cpuid(struct kvm_cpuid2 *cpuid,
15325 struct kvm_cpuid_entry2 __user *entries);
15327 -struct kvm_x86_ops *kvm_x86_ops;
15328 +const struct kvm_x86_ops *kvm_x86_ops;
15329 EXPORT_SYMBOL_GPL(kvm_x86_ops);
15331 int ignore_msrs = 0;
15332 @@ -116,38 +116,38 @@ static struct kvm_shared_msrs_global __r
15333 static DEFINE_PER_CPU(struct kvm_shared_msrs, shared_msrs);
15335 struct kvm_stats_debugfs_item debugfs_entries[] = {
15336 - { "pf_fixed", VCPU_STAT(pf_fixed) },
15337 - { "pf_guest", VCPU_STAT(pf_guest) },
15338 - { "tlb_flush", VCPU_STAT(tlb_flush) },
15339 - { "invlpg", VCPU_STAT(invlpg) },
15340 - { "exits", VCPU_STAT(exits) },
15341 - { "io_exits", VCPU_STAT(io_exits) },
15342 - { "mmio_exits", VCPU_STAT(mmio_exits) },
15343 - { "signal_exits", VCPU_STAT(signal_exits) },
15344 - { "irq_window", VCPU_STAT(irq_window_exits) },
15345 - { "nmi_window", VCPU_STAT(nmi_window_exits) },
15346 - { "halt_exits", VCPU_STAT(halt_exits) },
15347 - { "halt_wakeup", VCPU_STAT(halt_wakeup) },
15348 - { "hypercalls", VCPU_STAT(hypercalls) },
15349 - { "request_irq", VCPU_STAT(request_irq_exits) },
15350 - { "irq_exits", VCPU_STAT(irq_exits) },
15351 - { "host_state_reload", VCPU_STAT(host_state_reload) },
15352 - { "efer_reload", VCPU_STAT(efer_reload) },
15353 - { "fpu_reload", VCPU_STAT(fpu_reload) },
15354 - { "insn_emulation", VCPU_STAT(insn_emulation) },
15355 - { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail) },
15356 - { "irq_injections", VCPU_STAT(irq_injections) },
15357 - { "nmi_injections", VCPU_STAT(nmi_injections) },
15358 - { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped) },
15359 - { "mmu_pte_write", VM_STAT(mmu_pte_write) },
15360 - { "mmu_pte_updated", VM_STAT(mmu_pte_updated) },
15361 - { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped) },
15362 - { "mmu_flooded", VM_STAT(mmu_flooded) },
15363 - { "mmu_recycled", VM_STAT(mmu_recycled) },
15364 - { "mmu_cache_miss", VM_STAT(mmu_cache_miss) },
15365 - { "mmu_unsync", VM_STAT(mmu_unsync) },
15366 - { "remote_tlb_flush", VM_STAT(remote_tlb_flush) },
15367 - { "largepages", VM_STAT(lpages) },
15368 + { "pf_fixed", VCPU_STAT(pf_fixed), NULL },
15369 + { "pf_guest", VCPU_STAT(pf_guest), NULL },
15370 + { "tlb_flush", VCPU_STAT(tlb_flush), NULL },
15371 + { "invlpg", VCPU_STAT(invlpg), NULL },
15372 + { "exits", VCPU_STAT(exits), NULL },
15373 + { "io_exits", VCPU_STAT(io_exits), NULL },
15374 + { "mmio_exits", VCPU_STAT(mmio_exits), NULL },
15375 + { "signal_exits", VCPU_STAT(signal_exits), NULL },
15376 + { "irq_window", VCPU_STAT(irq_window_exits), NULL },
15377 + { "nmi_window", VCPU_STAT(nmi_window_exits), NULL },
15378 + { "halt_exits", VCPU_STAT(halt_exits), NULL },
15379 + { "halt_wakeup", VCPU_STAT(halt_wakeup), NULL },
15380 + { "hypercalls", VCPU_STAT(hypercalls), NULL },
15381 + { "request_irq", VCPU_STAT(request_irq_exits), NULL },
15382 + { "irq_exits", VCPU_STAT(irq_exits), NULL },
15383 + { "host_state_reload", VCPU_STAT(host_state_reload), NULL },
15384 + { "efer_reload", VCPU_STAT(efer_reload), NULL },
15385 + { "fpu_reload", VCPU_STAT(fpu_reload), NULL },
15386 + { "insn_emulation", VCPU_STAT(insn_emulation), NULL },
15387 + { "insn_emulation_fail", VCPU_STAT(insn_emulation_fail), NULL },
15388 + { "irq_injections", VCPU_STAT(irq_injections), NULL },
15389 + { "nmi_injections", VCPU_STAT(nmi_injections), NULL },
15390 + { "mmu_shadow_zapped", VM_STAT(mmu_shadow_zapped), NULL },
15391 + { "mmu_pte_write", VM_STAT(mmu_pte_write), NULL },
15392 + { "mmu_pte_updated", VM_STAT(mmu_pte_updated), NULL },
15393 + { "mmu_pde_zapped", VM_STAT(mmu_pde_zapped), NULL },
15394 + { "mmu_flooded", VM_STAT(mmu_flooded), NULL },
15395 + { "mmu_recycled", VM_STAT(mmu_recycled), NULL },
15396 + { "mmu_cache_miss", VM_STAT(mmu_cache_miss), NULL },
15397 + { "mmu_unsync", VM_STAT(mmu_unsync), NULL },
15398 + { "remote_tlb_flush", VM_STAT(remote_tlb_flush), NULL },
15399 + { "largepages", VM_STAT(lpages), NULL },
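Review bot: The explicit trailing `NULL` added to every `debugfs_entries[]` row (L9095–L9126) is behaviour-neutral: the array has static storage, so an omitted trailing member is zero-initialised anyway. I take it the intent is to spell out the fourth member (the `dentry` pointer, if I have the struct right) so that a missing-field-initialiser warning stops firing; a one-line comment above the table saying so would keep the next maintainer from removing the redundancy, and a designated initialiser (`.dentry = NULL`) would be more robust than positional padding if the struct ever grows again.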
15403 @@ -1740,6 +1740,8 @@ long kvm_arch_dev_ioctl(struct file *fil
15404 if (n < msr_list.nmsrs)
15407 + if (num_msrs_to_save > ARRAY_SIZE(msrs_to_save))
15409 if (copy_to_user(user_msr_list->indices, &msrs_to_save,
15410 num_msrs_to_save * sizeof(u32)))
15412 @@ -2197,7 +2199,7 @@ static int kvm_vcpu_ioctl_set_lapic(stru
15413 static int kvm_vcpu_ioctl_interrupt(struct kvm_vcpu *vcpu,
15414 struct kvm_interrupt *irq)
15416 - if (irq->irq < 0 || irq->irq >= 256)
15417 + if (irq->irq >= 256)
15419 if (irqchip_in_kernel(vcpu->kvm))
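Review bot: The range check at L9136 now rejects only `irq->irq >= 256`; dropping the `< 0` half is correct only because the field is unsigned (`__u32 irq` in the userspace-visible `struct kvm_interrupt`, if I recall the ABI correctly), in which case the removed comparison was dead code that probably drew a compiler warning. Because this is an input-validation line on an ioctl argument, I would keep that reasoning next to it: `if (irq->irq >= 256)	/* __u32: only the upper bound is meaningful */`. The statement that follows the check and the rest of `kvm_vcpu_ioctl_interrupt` are not rendered here.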
15421 @@ -4214,10 +4216,10 @@ void kvm_after_handle_nmi(struct kvm_vcp
15423 EXPORT_SYMBOL_GPL(kvm_after_handle_nmi);
15425 -int kvm_arch_init(void *opaque)
15426 +int kvm_arch_init(const void *opaque)
15429 - struct kvm_x86_ops *ops = (struct kvm_x86_ops *)opaque;
15430 + const struct kvm_x86_ops *ops = (const struct kvm_x86_ops *)opaque;
15433 printk(KERN_ERR "kvm: already loaded the other module\n");
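Review bot: With the parameter now `const void *opaque` (L9141), the cast on L9143 is redundant — C converts `const void *` to any `const T *` implicitly — so `const struct kvm_x86_ops *ops = opaque;` says the same thing without a cast that could later mask a type mismatch. The declaration of `kvm_arch_init` in the shared KVM header and every other architecture's definition must change in step, which this hunk cannot show. The function body continues outside the hunk.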
15434 diff -urNp linux-2.6.36.1/arch/x86/lib/atomic64_cx8_32.S linux-2.6.36.1/arch/x86/lib/atomic64_cx8_32.S
15435 --- linux-2.6.36.1/arch/x86/lib/atomic64_cx8_32.S 2010-10-20 16:30:22.000000000 -0400
15436 +++ linux-2.6.36.1/arch/x86/lib/atomic64_cx8_32.S 2010-11-06 18:58:15.000000000 -0400
15437 @@ -86,13 +86,23 @@ ENTRY(atomic64_\func\()_return_cx8)
15439 \ins\()l %esi, %ebx
15440 \insc\()l %edi, %ecx
15442 +#ifdef CONFIG_PAX_REFCOUNT
15445 + _ASM_EXTABLE(2b, 3f)
15456 +#ifdef CONFIG_PAX_REFCOUNT
15463 @@ -116,13 +126,24 @@ ENTRY(atomic64_\func\()_return_cx8)
15468 +#ifdef CONFIG_PAX_REFCOUNT
15471 + _ASM_EXTABLE(2b, 3f)
15482 +#ifdef CONFIG_PAX_REFCOUNT
15489 @@ -176,6 +197,13 @@ ENTRY(atomic64_add_unless_cx8)
15494 +#ifdef CONFIG_PAX_REFCOUNT
15497 + _ASM_EXTABLE(1234b, 1234b)
15503 @@ -208,6 +236,13 @@ ENTRY(atomic64_inc_not_zero_cx8)
15508 +#ifdef CONFIG_PAX_REFCOUNT
15511 + _ASM_EXTABLE(1234b, 1234b)
15517 diff -urNp linux-2.6.36.1/arch/x86/lib/checksum_32.S linux-2.6.36.1/arch/x86/lib/checksum_32.S
15518 --- linux-2.6.36.1/arch/x86/lib/checksum_32.S 2010-10-20 16:30:22.000000000 -0400
15519 +++ linux-2.6.36.1/arch/x86/lib/checksum_32.S 2010-11-06 18:58:15.000000000 -0400
15521 #include <linux/linkage.h>
15522 #include <asm/dwarf2.h>
15523 #include <asm/errno.h>
15525 +#include <asm/segment.h>
15528 * computes a partial checksum, e.g. for TCP/UDP fragments
15530 @@ -304,9 +305,22 @@ unsigned int csum_partial_copy_generic (
15535 -ENTRY(csum_partial_copy_generic)
15537 +ENTRY(csum_partial_copy_generic_to_user)
15539 + pushl $(__USER_DS)
15540 + CFI_ADJUST_CFA_OFFSET 4
15542 + CFI_ADJUST_CFA_OFFSET -4
15543 + jmp csum_partial_copy_generic
15545 +ENTRY(csum_partial_copy_generic_from_user)
15546 + pushl $(__USER_DS)
15547 + CFI_ADJUST_CFA_OFFSET 4
15549 + CFI_ADJUST_CFA_OFFSET -4
15551 +ENTRY(csum_partial_copy_generic)
15553 CFI_ADJUST_CFA_OFFSET 4
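Review bot: The new `csum_partial_copy_generic_from_user` entry (L9179) pushes `__USER_DS` (L9180) and then falls straight through into `csum_partial_copy_generic` (L9183), whereas `_to_user` (L9174) jumps there explicitly (L9178); the fall-through is clearly intended but unmarked, and a `# fall through: %ds now selects the user segment` line before `ENTRY(csum_partial_copy_generic)` would make it evident. The same shape is repeated for the PentiumII/PPro variant at L9255–L9264. Since the single `ENDPROC` at the end of each variant now names `_to_user` (L9243, L9295), the three labels share one CFI region; whether each entry has its own `CFI_STARTPROC` is not visible in this rendering (several hunk lines are not rendered), so that is worth confirming for the unwinder.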
15555 @@ -331,7 +345,7 @@ ENTRY(csum_partial_copy_generic)
15557 SRC(1: movw (%esi), %bx )
15559 -DST( movw %bx, (%edi) )
15560 +DST( movw %bx, %es:(%edi) )
15564 @@ -343,30 +357,30 @@ DST( movw %bx, (%edi) )
15565 SRC(1: movl (%esi), %ebx )
15566 SRC( movl 4(%esi), %edx )
15568 -DST( movl %ebx, (%edi) )
15569 +DST( movl %ebx, %es:(%edi) )
15571 -DST( movl %edx, 4(%edi) )
15572 +DST( movl %edx, %es:4(%edi) )
15574 SRC( movl 8(%esi), %ebx )
15575 SRC( movl 12(%esi), %edx )
15577 -DST( movl %ebx, 8(%edi) )
15578 +DST( movl %ebx, %es:8(%edi) )
15580 -DST( movl %edx, 12(%edi) )
15581 +DST( movl %edx, %es:12(%edi) )
15583 SRC( movl 16(%esi), %ebx )
15584 SRC( movl 20(%esi), %edx )
15586 -DST( movl %ebx, 16(%edi) )
15587 +DST( movl %ebx, %es:16(%edi) )
15589 -DST( movl %edx, 20(%edi) )
15590 +DST( movl %edx, %es:20(%edi) )
15592 SRC( movl 24(%esi), %ebx )
15593 SRC( movl 28(%esi), %edx )
15595 -DST( movl %ebx, 24(%edi) )
15596 +DST( movl %ebx, %es:24(%edi) )
15598 -DST( movl %edx, 28(%edi) )
15599 +DST( movl %edx, %es:28(%edi) )
15603 @@ -380,7 +394,7 @@ DST( movl %edx, 28(%edi) )
15604 shrl $2, %edx # This clears CF
15605 SRC(3: movl (%esi), %ebx )
15607 -DST( movl %ebx, (%edi) )
15608 +DST( movl %ebx, %es:(%edi) )
15612 @@ -392,12 +406,12 @@ DST( movl %ebx, (%edi) )
15614 SRC( movw (%esi), %cx )
15616 -DST( movw %cx, (%edi) )
15617 +DST( movw %cx, %es:(%edi) )
15621 SRC(5: movb (%esi), %cl )
15622 -DST( movb %cl, (%edi) )
15623 +DST( movb %cl, %es:(%edi) )
15627 @@ -408,7 +422,7 @@ DST( movb %cl, (%edi) )
15630 movl ARGBASE+20(%esp), %ebx # src_err_ptr
15631 - movl $-EFAULT, (%ebx)
15632 + movl $-EFAULT, %ss:(%ebx)
15634 # zero the complete destination - computing the rest
15636 @@ -421,11 +435,19 @@ DST( movb %cl, (%edi) )
15639 movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15640 - movl $-EFAULT,(%ebx)
15641 + movl $-EFAULT,%ss:(%ebx)
15647 + CFI_ADJUST_CFA_OFFSET 4
15649 + CFI_ADJUST_CFA_OFFSET -4
15651 + CFI_ADJUST_CFA_OFFSET 4
15653 + CFI_ADJUST_CFA_OFFSET -4
15655 CFI_ADJUST_CFA_OFFSET -4
15657 @@ -439,26 +461,41 @@ DST( movb %cl, (%edi) )
15658 CFI_ADJUST_CFA_OFFSET -4
15661 -ENDPROC(csum_partial_copy_generic)
15662 +ENDPROC(csum_partial_copy_generic_to_user)
15666 /* Version for PentiumII/PPro */
15668 #define ROUND1(x) \
15670 SRC(movl x(%esi), %ebx ) ; \
15671 addl %ebx, %eax ; \
15672 - DST(movl %ebx, x(%edi) ) ;
15673 + DST(movl %ebx, %es:x(%edi)) ;
15677 SRC(movl x(%esi), %ebx ) ; \
15678 adcl %ebx, %eax ; \
15679 - DST(movl %ebx, x(%edi) ) ;
15680 + DST(movl %ebx, %es:x(%edi)) ;
15684 -ENTRY(csum_partial_copy_generic)
15686 +ENTRY(csum_partial_copy_generic_to_user)
15688 + pushl $(__USER_DS)
15689 + CFI_ADJUST_CFA_OFFSET 4
15691 + CFI_ADJUST_CFA_OFFSET -4
15692 + jmp csum_partial_copy_generic
15694 +ENTRY(csum_partial_copy_generic_from_user)
15695 + pushl $(__USER_DS)
15696 + CFI_ADJUST_CFA_OFFSET 4
15698 + CFI_ADJUST_CFA_OFFSET -4
15700 +ENTRY(csum_partial_copy_generic)
15702 CFI_ADJUST_CFA_OFFSET 4
15703 CFI_REL_OFFSET ebx, 0
15704 @@ -482,7 +519,7 @@ ENTRY(csum_partial_copy_generic)
15708 - lea 3f(%ebx,%ebx), %ebx
15709 + lea 3f(%ebx,%ebx,2), %ebx
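Review bot: The computed-jump stride at L9269 changes from `2*%ebx` to `3*%ebx` (`lea 3f(%ebx,%ebx,2), %ebx`), i.e. from 8 to 12 bytes per `ROUND`, which is right only if every `ROUND`/`ROUND1` expansion is now exactly 12 bytes; the `%es:` override added in those macros (L9249, L9253) grows the store by one byte, and whatever padding makes up the rest is not visible in this rendering. That coupling between an addressing constant and the encoded size of a macro body is what breaks silently on the next edit, so I would put the byte budget beside the `lea`: `# each ROUND expands to 12 bytes (3-byte load, 2-byte add, 4-byte %es: store, padding) — keep in sync`. The enclosing routine starts and ends outside this hunk.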
15713 @@ -503,19 +540,19 @@ ENTRY(csum_partial_copy_generic)
15715 SRC( movw (%esi), %dx )
15717 -DST( movw %dx, (%edi) )
15718 +DST( movw %dx, %es:(%edi) )
15723 SRC( movb (%esi), %dl )
15724 -DST( movb %dl, (%edi) )
15725 +DST( movb %dl, %es:(%edi) )
15729 .section .fixup, "ax"
15730 6001: movl ARGBASE+20(%esp), %ebx # src_err_ptr
15731 - movl $-EFAULT, (%ebx)
15732 + movl $-EFAULT, %ss:(%ebx)
15733 # zero the complete destination (computing the rest is too much work)
15734 movl ARGBASE+8(%esp),%edi # dst
15735 movl ARGBASE+12(%esp),%ecx # len
15736 @@ -523,10 +560,18 @@ DST( movb %dl, (%edi) )
15739 6002: movl ARGBASE+24(%esp), %ebx # dst_err_ptr
15740 - movl $-EFAULT, (%ebx)
15741 + movl $-EFAULT, %ss:(%ebx)
15746 + CFI_ADJUST_CFA_OFFSET 4
15748 + CFI_ADJUST_CFA_OFFSET -4
15750 + CFI_ADJUST_CFA_OFFSET 4
15752 + CFI_ADJUST_CFA_OFFSET -4
15754 CFI_ADJUST_CFA_OFFSET -4
15756 @@ -538,7 +583,7 @@ DST( movb %dl, (%edi) )
15760 -ENDPROC(csum_partial_copy_generic)
15761 +ENDPROC(csum_partial_copy_generic_to_user)
15765 diff -urNp linux-2.6.36.1/arch/x86/lib/clear_page_64.S linux-2.6.36.1/arch/x86/lib/clear_page_64.S
15766 --- linux-2.6.36.1/arch/x86/lib/clear_page_64.S 2010-10-20 16:30:22.000000000 -0400
15767 +++ linux-2.6.36.1/arch/x86/lib/clear_page_64.S 2010-11-06 18:58:15.000000000 -0400
15768 @@ -43,7 +43,7 @@ ENDPROC(clear_page)
15770 #include <asm/cpufeature.h>
15772 - .section .altinstr_replacement,"ax"
15773 + .section .altinstr_replacement,"a"
15774 1: .byte 0xeb /* jmp <disp8> */
15775 .byte (clear_page_c - clear_page) - (2f - 1b) /* offset */
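Review bot: Changing `.altinstr_replacement` from `"ax"` to `"a"` (L9302) drops the executable flag from a section whose bytes, as far as I know, are only copied into place by the alternatives patcher and never executed where they sit, so the change is sound but its reason is recorded nowhere in the hunk. A short `/* "a", not "ax": these bytes are copied by apply_alternatives(), never executed in place */` above the `.section` would stop someone restoring `"ax"` the next time the file is synced with upstream. The identical change appears in copy_page_64.S (L9311) and copy_user_64.S (L9326) and deserves the same comment there.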
15777 diff -urNp linux-2.6.36.1/arch/x86/lib/copy_page_64.S linux-2.6.36.1/arch/x86/lib/copy_page_64.S
15778 --- linux-2.6.36.1/arch/x86/lib/copy_page_64.S 2010-10-20 16:30:22.000000000 -0400
15779 +++ linux-2.6.36.1/arch/x86/lib/copy_page_64.S 2010-11-06 18:58:15.000000000 -0400
15780 @@ -104,7 +104,7 @@ ENDPROC(copy_page)
15782 #include <asm/cpufeature.h>
15784 - .section .altinstr_replacement,"ax"
15785 + .section .altinstr_replacement,"a"
15786 1: .byte 0xeb /* jmp <disp8> */
15787 .byte (copy_page_c - copy_page) - (2f - 1b) /* offset */
15789 diff -urNp linux-2.6.36.1/arch/x86/lib/copy_user_64.S linux-2.6.36.1/arch/x86/lib/copy_user_64.S
15790 --- linux-2.6.36.1/arch/x86/lib/copy_user_64.S 2010-10-20 16:30:22.000000000 -0400
15791 +++ linux-2.6.36.1/arch/x86/lib/copy_user_64.S 2010-11-06 18:58:15.000000000 -0400
15792 @@ -15,13 +15,14 @@
15793 #include <asm/asm-offsets.h>
15794 #include <asm/thread_info.h>
15795 #include <asm/cpufeature.h>
15796 +#include <asm/pgtable.h>
15798 .macro ALTERNATIVE_JUMP feature,orig,alt
15800 .byte 0xe9 /* 32bit jump */
15801 .long \orig-1f /* by default jump to orig */
15803 - .section .altinstr_replacement,"ax"
15804 + .section .altinstr_replacement,"a"
15805 2: .byte 0xe9 /* near jump with 32bit immediate */
15806 .long \alt-1b /* offset */ /* or alternatively to alt */
15808 @@ -64,37 +65,13 @@
15812 -/* Standard copy_to_user with segment limit checking */
15813 -ENTRY(_copy_to_user)
15815 - GET_THREAD_INFO(%rax)
15819 - cmpq TI_addr_limit(%rax),%rcx
15821 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15823 -ENDPROC(_copy_to_user)
15825 -/* Standard copy_from_user with segment limit checking */
15826 -ENTRY(_copy_from_user)
15828 - GET_THREAD_INFO(%rax)
15832 - cmpq TI_addr_limit(%rax),%rcx
15833 - jae bad_from_user
15834 - ALTERNATIVE_JUMP X86_FEATURE_REP_GOOD,copy_user_generic_unrolled,copy_user_generic_string
15836 -ENDPROC(_copy_from_user)
15838 .section .fixup,"ax"
15839 /* must zero dest */
15840 ENTRY(bad_from_user)
15848 diff -urNp linux-2.6.36.1/arch/x86/lib/copy_user_nocache_64.S linux-2.6.36.1/arch/x86/lib/copy_user_nocache_64.S
15849 --- linux-2.6.36.1/arch/x86/lib/copy_user_nocache_64.S 2010-10-20 16:30:22.000000000 -0400
15850 +++ linux-2.6.36.1/arch/x86/lib/copy_user_nocache_64.S 2010-11-06 18:58:15.000000000 -0400
15852 #include <asm/current.h>
15853 #include <asm/asm-offsets.h>
15854 #include <asm/thread_info.h>
15855 +#include <asm/pgtable.h>
15857 .macro ALIGN_DESTINATION
15858 #ifdef FIX_ALIGNMENT
15861 ENTRY(__copy_user_nocache)
15864 +#ifdef CONFIG_PAX_MEMORY_UDEREF
15865 + mov $PAX_USER_SHADOW_BASE,%rcx
15873 jb 20f /* less then 8 bytes, go to byte copy loop */
15875 diff -urNp linux-2.6.36.1/arch/x86/lib/csum-wrappers_64.c linux-2.6.36.1/arch/x86/lib/csum-wrappers_64.c
15876 --- linux-2.6.36.1/arch/x86/lib/csum-wrappers_64.c 2010-10-20 16:30:22.000000000 -0400
15877 +++ linux-2.6.36.1/arch/x86/lib/csum-wrappers_64.c 2010-11-06 18:58:15.000000000 -0400
15878 @@ -52,6 +52,8 @@ csum_partial_copy_from_user(const void _
15882 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
15883 + src += PAX_USER_SHADOW_BASE;
15884 isum = csum_partial_copy_generic((__force const void *)src,
15885 dst, len, isum, errp, NULL);
15886 if (unlikely(*errp))
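Review bot: The relocation at L9363–L9364, `if ((unsigned long)src < PAX_USER_SHADOW_BASE) src += PAX_USER_SHADOW_BASE;`, rests on two assumptions the code does not state: that `src` has already passed `access_ok()`, so anything below the shadow base is a genuine user address, and that a value at or above it is left alone, which only makes sense if such a pointer was relocated by a caller already. Both are easy to break from a new call site, so I would document them on the check, e.g. `/* UDEREF: shift the user pointer into the shadow range unless the caller already did */`. The config guard that presumably encloses these lines is not rendered here, and the same pattern recurs for `dst` at L9369–L9370 in `csum_partial_copy_to_user`.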
15887 @@ -105,6 +107,8 @@ csum_partial_copy_to_user(const void *sr
15891 + if ((unsigned long)dst < PAX_USER_SHADOW_BASE)
15892 + dst += PAX_USER_SHADOW_BASE;
15893 return csum_partial_copy_generic(src, (void __force *)dst,
15894 len, isum, NULL, errp);
15896 diff -urNp linux-2.6.36.1/arch/x86/lib/getuser.S linux-2.6.36.1/arch/x86/lib/getuser.S
15897 --- linux-2.6.36.1/arch/x86/lib/getuser.S 2010-10-20 16:30:22.000000000 -0400
15898 +++ linux-2.6.36.1/arch/x86/lib/getuser.S 2010-11-06 18:58:15.000000000 -0400
15899 @@ -33,14 +33,38 @@
15900 #include <asm/asm-offsets.h>
15901 #include <asm/thread_info.h>
15902 #include <asm/asm.h>
15903 +#include <asm/segment.h>
15904 +#include <asm/pgtable.h>
15907 ENTRY(__get_user_1)
15910 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15911 + pushl $(__USER_DS)
15914 GET_THREAD_INFO(%_ASM_DX)
15915 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15918 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15919 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15920 + cmp %_ASM_DX,%_ASM_AX
15922 + add %_ASM_DX,%_ASM_AX
15928 1: movzb (%_ASM_AX),%edx
15930 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
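Review bot: `__get_user_1` (L9382) now has three build-time shapes — plain, 32-bit UDEREF via a `__USER_DS` segment reload (L9383–L9384), and 64-bit UDEREF via relocation by `PAX_USER_SHADOW_BASE` after the `TI_addr_limit` compare (L9387–L9390) — but nothing in the file explains the design or why the limit check is done on the unrelocated pointer. A block comment at the top of the file describing the three variants (what each `#if` arm does and which segment or address the load at L9391 finally uses) would help; the same applies to `__get_user_2/4/8` below and to putuser.S (L9679 onward), where the `_DEST` macro (L9694–L9695) is likewise undocumented. Several lines of this hunk are not rendered, so I could not check the branch taken when the compare at L9389 fails.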
15938 @@ -49,11 +73,33 @@ ENDPROC(__get_user_1)
15939 ENTRY(__get_user_2)
15943 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15944 + pushl $(__USER_DS)
15948 GET_THREAD_INFO(%_ASM_DX)
15949 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15952 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15953 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15954 + cmp %_ASM_DX,%_ASM_AX
15956 + add %_ASM_DX,%_ASM_AX
15962 2: movzwl -1(%_ASM_AX),%edx
15964 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15972 @@ -62,11 +108,33 @@ ENDPROC(__get_user_2)
15973 ENTRY(__get_user_4)
15977 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
15978 + pushl $(__USER_DS)
15982 GET_THREAD_INFO(%_ASM_DX)
15983 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
15986 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
15987 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
15988 + cmp %_ASM_DX,%_ASM_AX
15990 + add %_ASM_DX,%_ASM_AX
15996 3: mov -3(%_ASM_AX),%edx
15998 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16006 @@ -80,6 +148,15 @@ ENTRY(__get_user_8)
16007 GET_THREAD_INFO(%_ASM_DX)
16008 cmp TI_addr_limit(%_ASM_DX),%_ASM_AX
16011 +#ifdef CONFIG_PAX_MEMORY_UDEREF
16012 + mov $PAX_USER_SHADOW_BASE,%_ASM_DX
16013 + cmp %_ASM_DX,%_ASM_AX
16015 + add %_ASM_DX,%_ASM_AX
16019 4: movq -7(%_ASM_AX),%_ASM_DX
16022 @@ -89,6 +166,12 @@ ENDPROC(__get_user_8)
16027 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16033 mov $(-EFAULT),%_ASM_AX
16035 diff -urNp linux-2.6.36.1/arch/x86/lib/insn.c linux-2.6.36.1/arch/x86/lib/insn.c
16036 --- linux-2.6.36.1/arch/x86/lib/insn.c 2010-10-20 16:30:22.000000000 -0400
16037 +++ linux-2.6.36.1/arch/x86/lib/insn.c 2010-11-06 18:58:15.000000000 -0400
16039 #include <linux/string.h>
16040 #include <asm/inat.h>
16041 #include <asm/insn.h>
16042 +#include <asm/pgtable_types.h>
16044 #define get_next(t, insn) \
16045 ({t r; r = *(t*)insn->next_byte; insn->next_byte += sizeof(t); r; })
16047 void insn_init(struct insn *insn, const void *kaddr, int x86_64)
16049 memset(insn, 0, sizeof(*insn));
16050 - insn->kaddr = kaddr;
16051 - insn->next_byte = kaddr;
16052 + insn->kaddr = ktla_ktva(kaddr);
16053 + insn->next_byte = ktla_ktva(kaddr);
16054 insn->x86_64 = x86_64 ? 1 : 0;
16055 insn->opnd_bytes = 4;
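Review bot: `insn_init` (L9437) now passes every caller's address through `ktla_ktva()` (L9441–L9442), so the function silently assumes that `kaddr` is always a kernel-text linear address; a caller decoding a copied instruction from some other buffer would get the translation applied too, unless `ktla_ktva()` is the identity outside the text range, which I cannot tell from here. That precondition belongs in a comment on the function, e.g. `/* kaddr must be a kernel-text (linear) address; it is translated to the KERNEXEC alias before decoding */`. The function body continues beyond the visible lines.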
16057 diff -urNp linux-2.6.36.1/arch/x86/lib/mmx_32.c linux-2.6.36.1/arch/x86/lib/mmx_32.c
16058 --- linux-2.6.36.1/arch/x86/lib/mmx_32.c 2010-10-20 16:30:22.000000000 -0400
16059 +++ linux-2.6.36.1/arch/x86/lib/mmx_32.c 2010-11-06 18:58:15.000000000 -0400
16060 @@ -29,6 +29,7 @@ void *_mmx_memcpy(void *to, const void *
16064 + unsigned long cr0;
16066 if (unlikely(in_interrupt()))
16067 return __memcpy(to, from, len);
16068 @@ -39,44 +40,72 @@ void *_mmx_memcpy(void *to, const void *
16069 kernel_fpu_begin();
16071 __asm__ __volatile__ (
16072 - "1: prefetch (%0)\n" /* This set is 28 bytes */
16073 - " prefetch 64(%0)\n"
16074 - " prefetch 128(%0)\n"
16075 - " prefetch 192(%0)\n"
16076 - " prefetch 256(%0)\n"
16077 + "1: prefetch (%1)\n" /* This set is 28 bytes */
16078 + " prefetch 64(%1)\n"
16079 + " prefetch 128(%1)\n"
16080 + " prefetch 192(%1)\n"
16081 + " prefetch 256(%1)\n"
16083 ".section .fixup, \"ax\"\n"
16084 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16087 +#ifdef CONFIG_PAX_KERNEXEC
16088 + " movl %%cr0, %0\n"
16089 + " movl %0, %%eax\n"
16090 + " andl $0xFFFEFFFF, %%eax\n"
16091 + " movl %%eax, %%cr0\n"
16094 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16096 +#ifdef CONFIG_PAX_KERNEXEC
16097 + " movl %0, %%cr0\n"
16102 _ASM_EXTABLE(1b, 3b)
16104 + : "=&r" (cr0) : "r" (from) : "ax");
16106 for ( ; i > 5; i--) {
16107 __asm__ __volatile__ (
16108 - "1: prefetch 320(%0)\n"
16109 - "2: movq (%0), %%mm0\n"
16110 - " movq 8(%0), %%mm1\n"
16111 - " movq 16(%0), %%mm2\n"
16112 - " movq 24(%0), %%mm3\n"
16113 - " movq %%mm0, (%1)\n"
16114 - " movq %%mm1, 8(%1)\n"
16115 - " movq %%mm2, 16(%1)\n"
16116 - " movq %%mm3, 24(%1)\n"
16117 - " movq 32(%0), %%mm0\n"
16118 - " movq 40(%0), %%mm1\n"
16119 - " movq 48(%0), %%mm2\n"
16120 - " movq 56(%0), %%mm3\n"
16121 - " movq %%mm0, 32(%1)\n"
16122 - " movq %%mm1, 40(%1)\n"
16123 - " movq %%mm2, 48(%1)\n"
16124 - " movq %%mm3, 56(%1)\n"
16125 + "1: prefetch 320(%1)\n"
16126 + "2: movq (%1), %%mm0\n"
16127 + " movq 8(%1), %%mm1\n"
16128 + " movq 16(%1), %%mm2\n"
16129 + " movq 24(%1), %%mm3\n"
16130 + " movq %%mm0, (%2)\n"
16131 + " movq %%mm1, 8(%2)\n"
16132 + " movq %%mm2, 16(%2)\n"
16133 + " movq %%mm3, 24(%2)\n"
16134 + " movq 32(%1), %%mm0\n"
16135 + " movq 40(%1), %%mm1\n"
16136 + " movq 48(%1), %%mm2\n"
16137 + " movq 56(%1), %%mm3\n"
16138 + " movq %%mm0, 32(%2)\n"
16139 + " movq %%mm1, 40(%2)\n"
16140 + " movq %%mm2, 48(%2)\n"
16141 + " movq %%mm3, 56(%2)\n"
16142 ".section .fixup, \"ax\"\n"
16143 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16146 +#ifdef CONFIG_PAX_KERNEXEC
16147 + " movl %%cr0, %0\n"
16148 + " movl %0, %%eax\n"
16149 + " andl $0xFFFEFFFF, %%eax\n"
16150 + " movl %%eax, %%cr0\n"
16153 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16155 +#ifdef CONFIG_PAX_KERNEXEC
16156 + " movl %0, %%cr0\n"
16161 _ASM_EXTABLE(1b, 3b)
16162 - : : "r" (from), "r" (to) : "memory");
16163 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
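Review bot: The new KERNEXEC fixup paths (L9467–L9474, L9515–L9522) clear CR0.WP with a bare `andl $0xFFFEFFFF, %%eax` so that `movw $0x1AEB, 1b` can patch kernel text; the mask is the inverse of the WP bit, but nothing says so, and the same sequence is pasted six times across `_mmx_memcpy` and the two `fast_copy_page` variants (also L9545–L9552, L9593–L9600, L9620–L9627, L9668–L9675). I would name the bit (`andl $~X86_CR0_WP` via `__stringify()`, or at least `/* clear CR0.WP (bit 16) so the fixup can patch kernel text */`) and hoist the open/patch/restore sequence into one assembler macro so the six copies cannot drift apart. Between the `movl %%eax, %%cr0` that clears WP and the `movl %0, %%cr0` that restores it, an interrupt on this CPU runs with write protection off; `kernel_fpu_begin()` (L9453) does not, as far as I know, disable interrupts, so if that window is accepted by design — the `pax_open_kernel()` helper used elsewhere in this patch appears to accept the same window — a comment saying so would spare the next reviewer the same question. The enclosing functions start and end outside the hunks.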
16167 @@ -158,6 +187,7 @@ static void fast_clear_page(void *page)
16168 static void fast_copy_page(void *to, void *from)
16171 + unsigned long cr0;
16173 kernel_fpu_begin();
16175 @@ -166,42 +196,70 @@ static void fast_copy_page(void *to, voi
16176 * but that is for later. -AV
16178 __asm__ __volatile__(
16179 - "1: prefetch (%0)\n"
16180 - " prefetch 64(%0)\n"
16181 - " prefetch 128(%0)\n"
16182 - " prefetch 192(%0)\n"
16183 - " prefetch 256(%0)\n"
16184 + "1: prefetch (%1)\n"
16185 + " prefetch 64(%1)\n"
16186 + " prefetch 128(%1)\n"
16187 + " prefetch 192(%1)\n"
16188 + " prefetch 256(%1)\n"
16190 ".section .fixup, \"ax\"\n"
16191 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16194 +#ifdef CONFIG_PAX_KERNEXEC
16195 + " movl %%cr0, %0\n"
16196 + " movl %0, %%eax\n"
16197 + " andl $0xFFFEFFFF, %%eax\n"
16198 + " movl %%eax, %%cr0\n"
16201 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16203 +#ifdef CONFIG_PAX_KERNEXEC
16204 + " movl %0, %%cr0\n"
16209 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16210 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16212 for (i = 0; i < (4096-320)/64; i++) {
16213 __asm__ __volatile__ (
16214 - "1: prefetch 320(%0)\n"
16215 - "2: movq (%0), %%mm0\n"
16216 - " movntq %%mm0, (%1)\n"
16217 - " movq 8(%0), %%mm1\n"
16218 - " movntq %%mm1, 8(%1)\n"
16219 - " movq 16(%0), %%mm2\n"
16220 - " movntq %%mm2, 16(%1)\n"
16221 - " movq 24(%0), %%mm3\n"
16222 - " movntq %%mm3, 24(%1)\n"
16223 - " movq 32(%0), %%mm4\n"
16224 - " movntq %%mm4, 32(%1)\n"
16225 - " movq 40(%0), %%mm5\n"
16226 - " movntq %%mm5, 40(%1)\n"
16227 - " movq 48(%0), %%mm6\n"
16228 - " movntq %%mm6, 48(%1)\n"
16229 - " movq 56(%0), %%mm7\n"
16230 - " movntq %%mm7, 56(%1)\n"
16231 + "1: prefetch 320(%1)\n"
16232 + "2: movq (%1), %%mm0\n"
16233 + " movntq %%mm0, (%2)\n"
16234 + " movq 8(%1), %%mm1\n"
16235 + " movntq %%mm1, 8(%2)\n"
16236 + " movq 16(%1), %%mm2\n"
16237 + " movntq %%mm2, 16(%2)\n"
16238 + " movq 24(%1), %%mm3\n"
16239 + " movntq %%mm3, 24(%2)\n"
16240 + " movq 32(%1), %%mm4\n"
16241 + " movntq %%mm4, 32(%2)\n"
16242 + " movq 40(%1), %%mm5\n"
16243 + " movntq %%mm5, 40(%2)\n"
16244 + " movq 48(%1), %%mm6\n"
16245 + " movntq %%mm6, 48(%2)\n"
16246 + " movq 56(%1), %%mm7\n"
16247 + " movntq %%mm7, 56(%2)\n"
16248 ".section .fixup, \"ax\"\n"
16249 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16252 +#ifdef CONFIG_PAX_KERNEXEC
16253 + " movl %%cr0, %0\n"
16254 + " movl %0, %%eax\n"
16255 + " andl $0xFFFEFFFF, %%eax\n"
16256 + " movl %%eax, %%cr0\n"
16259 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16261 +#ifdef CONFIG_PAX_KERNEXEC
16262 + " movl %0, %%cr0\n"
16267 - _ASM_EXTABLE(1b, 3b) : : "r" (from), "r" (to) : "memory");
16268 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16272 @@ -280,47 +338,76 @@ static void fast_clear_page(void *page)
16273 static void fast_copy_page(void *to, void *from)
16276 + unsigned long cr0;
16278 kernel_fpu_begin();
16280 __asm__ __volatile__ (
16281 - "1: prefetch (%0)\n"
16282 - " prefetch 64(%0)\n"
16283 - " prefetch 128(%0)\n"
16284 - " prefetch 192(%0)\n"
16285 - " prefetch 256(%0)\n"
16286 + "1: prefetch (%1)\n"
16287 + " prefetch 64(%1)\n"
16288 + " prefetch 128(%1)\n"
16289 + " prefetch 192(%1)\n"
16290 + " prefetch 256(%1)\n"
16292 ".section .fixup, \"ax\"\n"
16293 - "3: movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16296 +#ifdef CONFIG_PAX_KERNEXEC
16297 + " movl %%cr0, %0\n"
16298 + " movl %0, %%eax\n"
16299 + " andl $0xFFFEFFFF, %%eax\n"
16300 + " movl %%eax, %%cr0\n"
16303 + " movw $0x1AEB, 1b\n" /* jmp on 26 bytes */
16305 +#ifdef CONFIG_PAX_KERNEXEC
16306 + " movl %0, %%cr0\n"
16311 - _ASM_EXTABLE(1b, 3b) : : "r" (from));
16312 + _ASM_EXTABLE(1b, 3b) : "=&r" (cr0) : "r" (from) : "ax");
16314 for (i = 0; i < 4096/64; i++) {
16315 __asm__ __volatile__ (
16316 - "1: prefetch 320(%0)\n"
16317 - "2: movq (%0), %%mm0\n"
16318 - " movq 8(%0), %%mm1\n"
16319 - " movq 16(%0), %%mm2\n"
16320 - " movq 24(%0), %%mm3\n"
16321 - " movq %%mm0, (%1)\n"
16322 - " movq %%mm1, 8(%1)\n"
16323 - " movq %%mm2, 16(%1)\n"
16324 - " movq %%mm3, 24(%1)\n"
16325 - " movq 32(%0), %%mm0\n"
16326 - " movq 40(%0), %%mm1\n"
16327 - " movq 48(%0), %%mm2\n"
16328 - " movq 56(%0), %%mm3\n"
16329 - " movq %%mm0, 32(%1)\n"
16330 - " movq %%mm1, 40(%1)\n"
16331 - " movq %%mm2, 48(%1)\n"
16332 - " movq %%mm3, 56(%1)\n"
16333 + "1: prefetch 320(%1)\n"
16334 + "2: movq (%1), %%mm0\n"
16335 + " movq 8(%1), %%mm1\n"
16336 + " movq 16(%1), %%mm2\n"
16337 + " movq 24(%1), %%mm3\n"
16338 + " movq %%mm0, (%2)\n"
16339 + " movq %%mm1, 8(%2)\n"
16340 + " movq %%mm2, 16(%2)\n"
16341 + " movq %%mm3, 24(%2)\n"
16342 + " movq 32(%1), %%mm0\n"
16343 + " movq 40(%1), %%mm1\n"
16344 + " movq 48(%1), %%mm2\n"
16345 + " movq 56(%1), %%mm3\n"
16346 + " movq %%mm0, 32(%2)\n"
16347 + " movq %%mm1, 40(%2)\n"
16348 + " movq %%mm2, 48(%2)\n"
16349 + " movq %%mm3, 56(%2)\n"
16350 ".section .fixup, \"ax\"\n"
16351 - "3: movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16354 +#ifdef CONFIG_PAX_KERNEXEC
16355 + " movl %%cr0, %0\n"
16356 + " movl %0, %%eax\n"
16357 + " andl $0xFFFEFFFF, %%eax\n"
16358 + " movl %%eax, %%cr0\n"
16361 + " movw $0x05EB, 1b\n" /* jmp on 5 bytes */
16363 +#ifdef CONFIG_PAX_KERNEXEC
16364 + " movl %0, %%cr0\n"
16369 _ASM_EXTABLE(1b, 3b)
16370 - : : "r" (from), "r" (to) : "memory");
16371 + : "=&r" (cr0) : "r" (from), "r" (to) : "memory", "ax");
16375 diff -urNp linux-2.6.36.1/arch/x86/lib/putuser.S linux-2.6.36.1/arch/x86/lib/putuser.S
16376 --- linux-2.6.36.1/arch/x86/lib/putuser.S 2010-10-20 16:30:22.000000000 -0400
16377 +++ linux-2.6.36.1/arch/x86/lib/putuser.S 2010-11-06 18:58:15.000000000 -0400
16379 #include <asm/thread_info.h>
16380 #include <asm/errno.h>
16381 #include <asm/asm.h>
16383 +#include <asm/segment.h>
16384 +#include <asm/pgtable.h>
16388 @@ -29,59 +30,162 @@
16389 * as they get called from within inline assembly.
16392 -#define ENTER CFI_STARTPROC ; \
16393 - GET_THREAD_INFO(%_ASM_BX)
16394 +#define ENTER CFI_STARTPROC
16395 #define EXIT ret ; \
16398 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16399 +#define _DEST %_ASM_CX,%_ASM_BX
16401 +#define _DEST %_ASM_CX
16405 ENTRY(__put_user_1)
16408 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16409 + pushl $(__USER_DS)
16412 + GET_THREAD_INFO(%_ASM_BX)
16413 cmp TI_addr_limit(%_ASM_BX),%_ASM_CX
16415 -1: movb %al,(%_ASM_CX)
16417 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16418 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16419 + cmp %_ASM_BX,%_ASM_CX
16427 +1: movb %al,(_DEST)
16429 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16436 ENDPROC(__put_user_1)
16438 ENTRY(__put_user_2)
16441 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16442 + pushl $(__USER_DS)
16445 + GET_THREAD_INFO(%_ASM_BX)
16446 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16448 cmp %_ASM_BX,%_ASM_CX
16450 -2: movw %ax,(%_ASM_CX)
16452 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16453 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16454 + cmp %_ASM_BX,%_ASM_CX
16462 +2: movw %ax,(_DEST)
16464 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16471 ENDPROC(__put_user_2)
16473 ENTRY(__put_user_4)
16476 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16477 + pushl $(__USER_DS)
16480 + GET_THREAD_INFO(%_ASM_BX)
16481 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16483 cmp %_ASM_BX,%_ASM_CX
16485 -3: movl %eax,(%_ASM_CX)
16487 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16488 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16489 + cmp %_ASM_BX,%_ASM_CX
16497 +3: movl %eax,(_DEST)
16499 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16506 ENDPROC(__put_user_4)
16508 ENTRY(__put_user_8)
16511 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16512 + pushl $(__USER_DS)
16515 + GET_THREAD_INFO(%_ASM_BX)
16516 mov TI_addr_limit(%_ASM_BX),%_ASM_BX
16518 cmp %_ASM_BX,%_ASM_CX
16520 -4: mov %_ASM_AX,(%_ASM_CX)
16522 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
16523 + mov $PAX_USER_SHADOW_BASE,%_ASM_BX
16524 + cmp %_ASM_BX,%_ASM_CX
16532 +4: mov %_ASM_AX,(_DEST)
16533 #ifdef CONFIG_X86_32
16534 -5: movl %edx,4(%_ASM_CX)
16535 +5: movl %edx,4(_DEST)
16538 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
16545 ENDPROC(__put_user_8)
16550 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_MEMORY_UDEREF)
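Review bot: The `_DEST` macro (16399/16401) silently changes every store in this file to base+index addressing on x86-64 UDEREF builds and nothing says why; the `mov $PAX_USER_SHADOW_BASE,%_ASM_BX` / `cmp %_ASM_BX,%_ASM_CX` pair that precedes each store (16418–16419 and repeats) suggests %rbx is meant to end up as either the shadow base or zero depending on whether %rcx already lies above it, but the branch that does that is not in the excerpt. I would put above the macro: `/* x86-64 UDEREF: %_ASM_BX is PAX_USER_SHADOW_BASE (or 0 if %_ASM_CX is already a kernel address), so (_DEST) rebases user pointers into the shadow mapping */`. On the 32-bit side `pushl $(__USER_DS)` at each entry (16409, 16442, 16477, 16512) loads a user-limited %ds, so the matching restore has to be reached from both the normal exit and the bad_put_user path; those lines (16429–16435 and everything after 16550) are outside what is shown, as is the body of bad_put_user.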
16558 diff -urNp linux-2.6.36.1/arch/x86/lib/usercopy_32.c linux-2.6.36.1/arch/x86/lib/usercopy_32.c
16559 --- linux-2.6.36.1/arch/x86/lib/usercopy_32.c 2010-10-20 16:30:22.000000000 -0400
16560 +++ linux-2.6.36.1/arch/x86/lib/usercopy_32.c 2010-11-06 18:58:15.000000000 -0400
16561 @@ -36,31 +36,38 @@ static inline int __movsl_is_ok(unsigned
16562 * Copy a null terminated string from userspace.
16565 -#define __do_strncpy_from_user(dst, src, count, res) \
16567 - int __d0, __d1, __d2; \
16569 - __asm__ __volatile__( \
16570 - " testl %1,%1\n" \
16574 - " testb %%al,%%al\n" \
16578 - "1: subl %1,%0\n" \
16580 - ".section .fixup,\"ax\"\n" \
16581 - "3: movl %5,%0\n" \
16584 - _ASM_EXTABLE(0b,3b) \
16585 - : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \
16587 - : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \
16590 +static long __do_strncpy_from_user(char *dst, const char __user *src, long count)
16592 + int __d0, __d1, __d2;
16593 + long res = -EFAULT;
16596 + __asm__ __volatile__(
16597 + " movw %w10,%%ds\n"
16602 + " testb %%al,%%al\n"
16606 + "1: subl %1,%0\n"
16610 + ".section .fixup,\"ax\"\n"
16611 + "3: movl %5,%0\n"
16614 + _ASM_EXTABLE(0b,3b)
16615 + : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1),
16617 + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst),
16624 * __strncpy_from_user: - Copy a NUL terminated string from userspace, with less checking.
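Review bot: `long res = -EFAULT;` at 16593 is a dead store: `res` is asm operand 0 and the `"0"(count)` input at 16617 loads that register with `count`, so the only -EFAULT a caller can see comes from the fixup at 16611 (`3: movl %5,%0`); either drop the initializer or write `long res;` so nobody assumes a default return value exists. The `movw %w10,%%ds` at 16597 is what makes this the UDEREF path on i386 and deserves a comment, since reads from `src` now go through the __USER_DS segment whose limit `__set_fs()` later in this file derives from addr_limit: `/* UDEREF: read through __USER_DS, whose limit is the task's addr_limit, so a kernel pointer faults instead of being copied */`. The instructions between 16597 and 16602, the %ds restore before the asm returns, and the function's closing lines (16618–16623) are not in the excerpt.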
16625 @@ -85,9 +92,7 @@ do { \
16627 __strncpy_from_user(char *dst, const char __user *src, long count)
16630 - __do_strncpy_from_user(dst, src, count, res);
16632 + return __do_strncpy_from_user(dst, src, count);
16634 EXPORT_SYMBOL(__strncpy_from_user);
16636 @@ -114,7 +119,7 @@ strncpy_from_user(char *dst, const char
16638 long res = -EFAULT;
16639 if (access_ok(VERIFY_READ, src, 1))
16640 - __do_strncpy_from_user(dst, src, count, res);
16641 + res = __do_strncpy_from_user(dst, src, count);
16644 EXPORT_SYMBOL(strncpy_from_user);
16645 @@ -123,24 +128,30 @@ EXPORT_SYMBOL(strncpy_from_user);
16649 -#define __do_clear_user(addr,size) \
16653 - __asm__ __volatile__( \
16654 - "0: rep; stosl\n" \
16655 - " movl %2,%0\n" \
16656 - "1: rep; stosb\n" \
16658 - ".section .fixup,\"ax\"\n" \
16659 - "3: lea 0(%2,%0,4),%0\n" \
16662 - _ASM_EXTABLE(0b,3b) \
16663 - _ASM_EXTABLE(1b,2b) \
16664 - : "=&c"(size), "=&D" (__d0) \
16665 - : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0)); \
16667 +static unsigned long __do_clear_user(void __user *addr, unsigned long size)
16672 + __asm__ __volatile__(
16673 + " movw %w6,%%es\n"
16674 + "0: rep; stosl\n"
16676 + "1: rep; stosb\n"
16680 + ".section .fixup,\"ax\"\n"
16681 + "3: lea 0(%2,%0,4),%0\n"
16684 + _ASM_EXTABLE(0b,3b)
16685 + _ASM_EXTABLE(1b,2b)
16686 + : "=&c"(size), "=&D" (__d0)
16687 + : "r"(size & 3), "0"(size / 4), "1"(addr), "a"(0),
16693 * clear_user: - Zero a block of memory in user space.
16694 @@ -157,7 +168,7 @@ clear_user(void __user *to, unsigned lon
16697 if (access_ok(VERIFY_WRITE, to, n))
16698 - __do_clear_user(to, n);
16699 + n = __do_clear_user(to, n);
16702 EXPORT_SYMBOL(clear_user);
16703 @@ -176,8 +187,7 @@ EXPORT_SYMBOL(clear_user);
16705 __clear_user(void __user *to, unsigned long n)
16707 - __do_clear_user(to, n);
16709 + return __do_clear_user(to, n);
16711 EXPORT_SYMBOL(__clear_user);
16713 @@ -200,14 +210,17 @@ long strnlen_user(const char __user *s,
16716 __asm__ __volatile__(
16717 + " movw %w8,%%es\n"
16720 - " andl %0,%%ecx\n"
16721 + " movl %0,%%ecx\n"
16722 "0: repne; scasb\n"
16729 ".section .fixup,\"ax\"\n"
16730 "2: xorl %%eax,%%eax\n"
16732 @@ -219,7 +232,7 @@ long strnlen_user(const char __user *s,
16735 :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp)
16736 - :"0" (n), "1" (s), "2" (0), "3" (mask)
16737 + :"0" (n), "1" (s), "2" (0), "3" (mask), "r" (__USER_DS)
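Review bot: The `"3" (mask)` input at 16737 is now dead: the preceding hunk replaced `andl %0,%%ecx` with `movl %0,%%ecx` (16721), so %ecx is overwritten with `n` before the mask value is ever read, and the `-__addr_ok(s)` short-circuit that used to zero the scan length when `s` is out of range no longer gates the `repne; scasb`. If the mask is still applied to the return value below the hunk that is purely a C-side matter and the constraint can become a plain `"=&c" (tmp)` output with no input tie; otherwise the range check now rests entirely on the __USER_DS limit loaded by `movw %w8,%%es` at 16717, which is only enforced on UDEREF builds where `__set_fs()` programs that limit, and that should be stated in a comment next to the `movl`.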
16741 @@ -227,10 +240,121 @@ EXPORT_SYMBOL(strnlen_user);
16743 #ifdef CONFIG_X86_INTEL_USERCOPY
16744 static unsigned long
16745 -__copy_user_intel(void __user *to, const void *from, unsigned long size)
16746 +__generic_copy_to_user_intel(void __user *to, const void *from, unsigned long size)
16749 + __asm__ __volatile__(
16750 + " movw %w6, %%es\n"
16751 + " .align 2,0x90\n"
16752 + "1: movl 32(%4), %%eax\n"
16753 + " cmpl $67, %0\n"
16755 + "2: movl 64(%4), %%eax\n"
16756 + " .align 2,0x90\n"
16757 + "3: movl 0(%4), %%eax\n"
16758 + "4: movl 4(%4), %%edx\n"
16759 + "5: movl %%eax, %%es:0(%3)\n"
16760 + "6: movl %%edx, %%es:4(%3)\n"
16761 + "7: movl 8(%4), %%eax\n"
16762 + "8: movl 12(%4),%%edx\n"
16763 + "9: movl %%eax, %%es:8(%3)\n"
16764 + "10: movl %%edx, %%es:12(%3)\n"
16765 + "11: movl 16(%4), %%eax\n"
16766 + "12: movl 20(%4), %%edx\n"
16767 + "13: movl %%eax, %%es:16(%3)\n"
16768 + "14: movl %%edx, %%es:20(%3)\n"
16769 + "15: movl 24(%4), %%eax\n"
16770 + "16: movl 28(%4), %%edx\n"
16771 + "17: movl %%eax, %%es:24(%3)\n"
16772 + "18: movl %%edx, %%es:28(%3)\n"
16773 + "19: movl 32(%4), %%eax\n"
16774 + "20: movl 36(%4), %%edx\n"
16775 + "21: movl %%eax, %%es:32(%3)\n"
16776 + "22: movl %%edx, %%es:36(%3)\n"
16777 + "23: movl 40(%4), %%eax\n"
16778 + "24: movl 44(%4), %%edx\n"
16779 + "25: movl %%eax, %%es:40(%3)\n"
16780 + "26: movl %%edx, %%es:44(%3)\n"
16781 + "27: movl 48(%4), %%eax\n"
16782 + "28: movl 52(%4), %%edx\n"
16783 + "29: movl %%eax, %%es:48(%3)\n"
16784 + "30: movl %%edx, %%es:52(%3)\n"
16785 + "31: movl 56(%4), %%eax\n"
16786 + "32: movl 60(%4), %%edx\n"
16787 + "33: movl %%eax, %%es:56(%3)\n"
16788 + "34: movl %%edx, %%es:60(%3)\n"
16789 + " addl $-64, %0\n"
16790 + " addl $64, %4\n"
16791 + " addl $64, %3\n"
16792 + " cmpl $63, %0\n"
16794 + "35: movl %0, %%eax\n"
16796 + " andl $3, %%eax\n"
16798 + "99: rep; movsl\n"
16799 + "36: movl %%eax, %0\n"
16800 + "37: rep; movsb\n"
16804 + ".section .fixup,\"ax\"\n"
16805 + "101: lea 0(%%eax,%0,4),%0\n"
16808 + ".section __ex_table,\"a\"\n"
16810 + " .long 1b,100b\n"
16811 + " .long 2b,100b\n"
16812 + " .long 3b,100b\n"
16813 + " .long 4b,100b\n"
16814 + " .long 5b,100b\n"
16815 + " .long 6b,100b\n"
16816 + " .long 7b,100b\n"
16817 + " .long 8b,100b\n"
16818 + " .long 9b,100b\n"
16819 + " .long 10b,100b\n"
16820 + " .long 11b,100b\n"
16821 + " .long 12b,100b\n"
16822 + " .long 13b,100b\n"
16823 + " .long 14b,100b\n"
16824 + " .long 15b,100b\n"
16825 + " .long 16b,100b\n"
16826 + " .long 17b,100b\n"
16827 + " .long 18b,100b\n"
16828 + " .long 19b,100b\n"
16829 + " .long 20b,100b\n"
16830 + " .long 21b,100b\n"
16831 + " .long 22b,100b\n"
16832 + " .long 23b,100b\n"
16833 + " .long 24b,100b\n"
16834 + " .long 25b,100b\n"
16835 + " .long 26b,100b\n"
16836 + " .long 27b,100b\n"
16837 + " .long 28b,100b\n"
16838 + " .long 29b,100b\n"
16839 + " .long 30b,100b\n"
16840 + " .long 31b,100b\n"
16841 + " .long 32b,100b\n"
16842 + " .long 33b,100b\n"
16843 + " .long 34b,100b\n"
16844 + " .long 35b,100b\n"
16845 + " .long 36b,100b\n"
16846 + " .long 37b,100b\n"
16847 + " .long 99b,101b\n"
16849 + : "=&c"(size), "=&D" (d0), "=&S" (d1)
16850 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16851 + : "eax", "edx", "memory");
16855 +static unsigned long
16856 +__generic_copy_from_user_intel(void *to, const void __user *from, unsigned long size)
16859 __asm__ __volatile__(
16860 + " movw %w6, %%ds\n"
16862 "1: movl 32(%4), %%eax\n"
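Review bot: `__generic_copy_to_user_intel` (16745–16851) adopts a segment convention that should be written down once at the top of the asm: after `movw %w6, %%es` (16750) every store to `to` carries an explicit `%%es:` override while loads from `from` use the implicit kernel %ds, and the from-user twin that starts at 16855 does the mirror image by loading __USER_DS into %ds at 16860 so its kernel-side stores need the `%%es:` prefix. Suggested comment above 16750: `/* %es = __USER_DS (user side); %ds stays kernel. Stores use %es:, loads are implicit %ds — keep this pairing when editing */`. Inline asm cannot declare a segment register as clobbered, so the restore of %es must precede every exit including the fixup at 100/101 (16801–16807 are not in the excerpt), and the body of `__generic_copy_from_user_intel` continues past the end of this hunk.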
16864 @@ -239,36 +363,36 @@ __copy_user_intel(void __user *to, const
16866 "3: movl 0(%4), %%eax\n"
16867 "4: movl 4(%4), %%edx\n"
16868 - "5: movl %%eax, 0(%3)\n"
16869 - "6: movl %%edx, 4(%3)\n"
16870 + "5: movl %%eax, %%es:0(%3)\n"
16871 + "6: movl %%edx, %%es:4(%3)\n"
16872 "7: movl 8(%4), %%eax\n"
16873 "8: movl 12(%4),%%edx\n"
16874 - "9: movl %%eax, 8(%3)\n"
16875 - "10: movl %%edx, 12(%3)\n"
16876 + "9: movl %%eax, %%es:8(%3)\n"
16877 + "10: movl %%edx, %%es:12(%3)\n"
16878 "11: movl 16(%4), %%eax\n"
16879 "12: movl 20(%4), %%edx\n"
16880 - "13: movl %%eax, 16(%3)\n"
16881 - "14: movl %%edx, 20(%3)\n"
16882 + "13: movl %%eax, %%es:16(%3)\n"
16883 + "14: movl %%edx, %%es:20(%3)\n"
16884 "15: movl 24(%4), %%eax\n"
16885 "16: movl 28(%4), %%edx\n"
16886 - "17: movl %%eax, 24(%3)\n"
16887 - "18: movl %%edx, 28(%3)\n"
16888 + "17: movl %%eax, %%es:24(%3)\n"
16889 + "18: movl %%edx, %%es:28(%3)\n"
16890 "19: movl 32(%4), %%eax\n"
16891 "20: movl 36(%4), %%edx\n"
16892 - "21: movl %%eax, 32(%3)\n"
16893 - "22: movl %%edx, 36(%3)\n"
16894 + "21: movl %%eax, %%es:32(%3)\n"
16895 + "22: movl %%edx, %%es:36(%3)\n"
16896 "23: movl 40(%4), %%eax\n"
16897 "24: movl 44(%4), %%edx\n"
16898 - "25: movl %%eax, 40(%3)\n"
16899 - "26: movl %%edx, 44(%3)\n"
16900 + "25: movl %%eax, %%es:40(%3)\n"
16901 + "26: movl %%edx, %%es:44(%3)\n"
16902 "27: movl 48(%4), %%eax\n"
16903 "28: movl 52(%4), %%edx\n"
16904 - "29: movl %%eax, 48(%3)\n"
16905 - "30: movl %%edx, 52(%3)\n"
16906 + "29: movl %%eax, %%es:48(%3)\n"
16907 + "30: movl %%edx, %%es:52(%3)\n"
16908 "31: movl 56(%4), %%eax\n"
16909 "32: movl 60(%4), %%edx\n"
16910 - "33: movl %%eax, 56(%3)\n"
16911 - "34: movl %%edx, 60(%3)\n"
16912 + "33: movl %%eax, %%es:56(%3)\n"
16913 + "34: movl %%edx, %%es:60(%3)\n"
16917 @@ -282,6 +406,8 @@ __copy_user_intel(void __user *to, const
16918 "36: movl %%eax, %0\n"
16923 ".section .fixup,\"ax\"\n"
16924 "101: lea 0(%%eax,%0,4),%0\n"
16926 @@ -328,7 +454,7 @@ __copy_user_intel(void __user *to, const
16927 " .long 99b,101b\n"
16929 : "=&c"(size), "=&D" (d0), "=&S" (d1)
16930 - : "1"(to), "2"(from), "0"(size)
16931 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
16932 : "eax", "edx", "memory");
16935 @@ -338,6 +464,7 @@ __copy_user_zeroing_intel(void *to, cons
16938 __asm__ __volatile__(
16939 + " movw %w6, %%ds\n"
16941 "0: movl 32(%4), %%eax\n"
16943 @@ -346,36 +473,36 @@ __copy_user_zeroing_intel(void *to, cons
16945 "2: movl 0(%4), %%eax\n"
16946 "21: movl 4(%4), %%edx\n"
16947 - " movl %%eax, 0(%3)\n"
16948 - " movl %%edx, 4(%3)\n"
16949 + " movl %%eax, %%es:0(%3)\n"
16950 + " movl %%edx, %%es:4(%3)\n"
16951 "3: movl 8(%4), %%eax\n"
16952 "31: movl 12(%4),%%edx\n"
16953 - " movl %%eax, 8(%3)\n"
16954 - " movl %%edx, 12(%3)\n"
16955 + " movl %%eax, %%es:8(%3)\n"
16956 + " movl %%edx, %%es:12(%3)\n"
16957 "4: movl 16(%4), %%eax\n"
16958 "41: movl 20(%4), %%edx\n"
16959 - " movl %%eax, 16(%3)\n"
16960 - " movl %%edx, 20(%3)\n"
16961 + " movl %%eax, %%es:16(%3)\n"
16962 + " movl %%edx, %%es:20(%3)\n"
16963 "10: movl 24(%4), %%eax\n"
16964 "51: movl 28(%4), %%edx\n"
16965 - " movl %%eax, 24(%3)\n"
16966 - " movl %%edx, 28(%3)\n"
16967 + " movl %%eax, %%es:24(%3)\n"
16968 + " movl %%edx, %%es:28(%3)\n"
16969 "11: movl 32(%4), %%eax\n"
16970 "61: movl 36(%4), %%edx\n"
16971 - " movl %%eax, 32(%3)\n"
16972 - " movl %%edx, 36(%3)\n"
16973 + " movl %%eax, %%es:32(%3)\n"
16974 + " movl %%edx, %%es:36(%3)\n"
16975 "12: movl 40(%4), %%eax\n"
16976 "71: movl 44(%4), %%edx\n"
16977 - " movl %%eax, 40(%3)\n"
16978 - " movl %%edx, 44(%3)\n"
16979 + " movl %%eax, %%es:40(%3)\n"
16980 + " movl %%edx, %%es:44(%3)\n"
16981 "13: movl 48(%4), %%eax\n"
16982 "81: movl 52(%4), %%edx\n"
16983 - " movl %%eax, 48(%3)\n"
16984 - " movl %%edx, 52(%3)\n"
16985 + " movl %%eax, %%es:48(%3)\n"
16986 + " movl %%edx, %%es:52(%3)\n"
16987 "14: movl 56(%4), %%eax\n"
16988 "91: movl 60(%4), %%edx\n"
16989 - " movl %%eax, 56(%3)\n"
16990 - " movl %%edx, 60(%3)\n"
16991 + " movl %%eax, %%es:56(%3)\n"
16992 + " movl %%edx, %%es:60(%3)\n"
16996 @@ -389,6 +516,8 @@ __copy_user_zeroing_intel(void *to, cons
17002 ".section .fixup,\"ax\"\n"
17003 "9: lea 0(%%eax,%0,4),%0\n"
17005 @@ -423,7 +552,7 @@ __copy_user_zeroing_intel(void *to, cons
17008 : "=&c"(size), "=&D" (d0), "=&S" (d1)
17009 - : "1"(to), "2"(from), "0"(size)
17010 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17011 : "eax", "edx", "memory");
17014 @@ -439,6 +568,7 @@ static unsigned long __copy_user_zeroing
17017 __asm__ __volatile__(
17018 + " movw %w6, %%ds\n"
17020 "0: movl 32(%4), %%eax\n"
17022 @@ -447,36 +577,36 @@ static unsigned long __copy_user_zeroing
17024 "2: movl 0(%4), %%eax\n"
17025 "21: movl 4(%4), %%edx\n"
17026 - " movnti %%eax, 0(%3)\n"
17027 - " movnti %%edx, 4(%3)\n"
17028 + " movnti %%eax, %%es:0(%3)\n"
17029 + " movnti %%edx, %%es:4(%3)\n"
17030 "3: movl 8(%4), %%eax\n"
17031 "31: movl 12(%4),%%edx\n"
17032 - " movnti %%eax, 8(%3)\n"
17033 - " movnti %%edx, 12(%3)\n"
17034 + " movnti %%eax, %%es:8(%3)\n"
17035 + " movnti %%edx, %%es:12(%3)\n"
17036 "4: movl 16(%4), %%eax\n"
17037 "41: movl 20(%4), %%edx\n"
17038 - " movnti %%eax, 16(%3)\n"
17039 - " movnti %%edx, 20(%3)\n"
17040 + " movnti %%eax, %%es:16(%3)\n"
17041 + " movnti %%edx, %%es:20(%3)\n"
17042 "10: movl 24(%4), %%eax\n"
17043 "51: movl 28(%4), %%edx\n"
17044 - " movnti %%eax, 24(%3)\n"
17045 - " movnti %%edx, 28(%3)\n"
17046 + " movnti %%eax, %%es:24(%3)\n"
17047 + " movnti %%edx, %%es:28(%3)\n"
17048 "11: movl 32(%4), %%eax\n"
17049 "61: movl 36(%4), %%edx\n"
17050 - " movnti %%eax, 32(%3)\n"
17051 - " movnti %%edx, 36(%3)\n"
17052 + " movnti %%eax, %%es:32(%3)\n"
17053 + " movnti %%edx, %%es:36(%3)\n"
17054 "12: movl 40(%4), %%eax\n"
17055 "71: movl 44(%4), %%edx\n"
17056 - " movnti %%eax, 40(%3)\n"
17057 - " movnti %%edx, 44(%3)\n"
17058 + " movnti %%eax, %%es:40(%3)\n"
17059 + " movnti %%edx, %%es:44(%3)\n"
17060 "13: movl 48(%4), %%eax\n"
17061 "81: movl 52(%4), %%edx\n"
17062 - " movnti %%eax, 48(%3)\n"
17063 - " movnti %%edx, 52(%3)\n"
17064 + " movnti %%eax, %%es:48(%3)\n"
17065 + " movnti %%edx, %%es:52(%3)\n"
17066 "14: movl 56(%4), %%eax\n"
17067 "91: movl 60(%4), %%edx\n"
17068 - " movnti %%eax, 56(%3)\n"
17069 - " movnti %%edx, 60(%3)\n"
17070 + " movnti %%eax, %%es:56(%3)\n"
17071 + " movnti %%edx, %%es:60(%3)\n"
17075 @@ -491,6 +621,8 @@ static unsigned long __copy_user_zeroing
17081 ".section .fixup,\"ax\"\n"
17082 "9: lea 0(%%eax,%0,4),%0\n"
17084 @@ -525,7 +657,7 @@ static unsigned long __copy_user_zeroing
17087 : "=&c"(size), "=&D" (d0), "=&S" (d1)
17088 - : "1"(to), "2"(from), "0"(size)
17089 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17090 : "eax", "edx", "memory");
17093 @@ -536,6 +668,7 @@ static unsigned long __copy_user_intel_n
17096 __asm__ __volatile__(
17097 + " movw %w6, %%ds\n"
17099 "0: movl 32(%4), %%eax\n"
17101 @@ -544,36 +677,36 @@ static unsigned long __copy_user_intel_n
17103 "2: movl 0(%4), %%eax\n"
17104 "21: movl 4(%4), %%edx\n"
17105 - " movnti %%eax, 0(%3)\n"
17106 - " movnti %%edx, 4(%3)\n"
17107 + " movnti %%eax, %%es:0(%3)\n"
17108 + " movnti %%edx, %%es:4(%3)\n"
17109 "3: movl 8(%4), %%eax\n"
17110 "31: movl 12(%4),%%edx\n"
17111 - " movnti %%eax, 8(%3)\n"
17112 - " movnti %%edx, 12(%3)\n"
17113 + " movnti %%eax, %%es:8(%3)\n"
17114 + " movnti %%edx, %%es:12(%3)\n"
17115 "4: movl 16(%4), %%eax\n"
17116 "41: movl 20(%4), %%edx\n"
17117 - " movnti %%eax, 16(%3)\n"
17118 - " movnti %%edx, 20(%3)\n"
17119 + " movnti %%eax, %%es:16(%3)\n"
17120 + " movnti %%edx, %%es:20(%3)\n"
17121 "10: movl 24(%4), %%eax\n"
17122 "51: movl 28(%4), %%edx\n"
17123 - " movnti %%eax, 24(%3)\n"
17124 - " movnti %%edx, 28(%3)\n"
17125 + " movnti %%eax, %%es:24(%3)\n"
17126 + " movnti %%edx, %%es:28(%3)\n"
17127 "11: movl 32(%4), %%eax\n"
17128 "61: movl 36(%4), %%edx\n"
17129 - " movnti %%eax, 32(%3)\n"
17130 - " movnti %%edx, 36(%3)\n"
17131 + " movnti %%eax, %%es:32(%3)\n"
17132 + " movnti %%edx, %%es:36(%3)\n"
17133 "12: movl 40(%4), %%eax\n"
17134 "71: movl 44(%4), %%edx\n"
17135 - " movnti %%eax, 40(%3)\n"
17136 - " movnti %%edx, 44(%3)\n"
17137 + " movnti %%eax, %%es:40(%3)\n"
17138 + " movnti %%edx, %%es:44(%3)\n"
17139 "13: movl 48(%4), %%eax\n"
17140 "81: movl 52(%4), %%edx\n"
17141 - " movnti %%eax, 48(%3)\n"
17142 - " movnti %%edx, 52(%3)\n"
17143 + " movnti %%eax, %%es:48(%3)\n"
17144 + " movnti %%edx, %%es:52(%3)\n"
17145 "14: movl 56(%4), %%eax\n"
17146 "91: movl 60(%4), %%edx\n"
17147 - " movnti %%eax, 56(%3)\n"
17148 - " movnti %%edx, 60(%3)\n"
17149 + " movnti %%eax, %%es:56(%3)\n"
17150 + " movnti %%edx, %%es:60(%3)\n"
17154 @@ -588,6 +721,8 @@ static unsigned long __copy_user_intel_n
17160 ".section .fixup,\"ax\"\n"
17161 "9: lea 0(%%eax,%0,4),%0\n"
17163 @@ -616,7 +751,7 @@ static unsigned long __copy_user_intel_n
17166 : "=&c"(size), "=&D" (d0), "=&S" (d1)
17167 - : "1"(to), "2"(from), "0"(size)
17168 + : "1"(to), "2"(from), "0"(size), "r"(__USER_DS)
17169 : "eax", "edx", "memory");
17172 @@ -629,90 +764,146 @@ static unsigned long __copy_user_intel_n
17174 unsigned long __copy_user_zeroing_intel(void *to, const void __user *from,
17175 unsigned long size);
17176 -unsigned long __copy_user_intel(void __user *to, const void *from,
17177 +unsigned long __generic_copy_to_user_intel(void __user *to, const void *from,
17178 + unsigned long size);
17179 +unsigned long __generic_copy_from_user_intel(void *to, const void __user *from,
17180 unsigned long size);
17181 unsigned long __copy_user_zeroing_intel_nocache(void *to,
17182 const void __user *from, unsigned long size);
17183 #endif /* CONFIG_X86_INTEL_USERCOPY */
17185 /* Generic arbitrary sized copy. */
17186 -#define __copy_user(to, from, size) \
17188 - int __d0, __d1, __d2; \
17189 - __asm__ __volatile__( \
17192 - " movl %1,%0\n" \
17194 - " andl $7,%0\n" \
17195 - " subl %0,%3\n" \
17196 - "4: rep; movsb\n" \
17197 - " movl %3,%0\n" \
17198 - " shrl $2,%0\n" \
17199 - " andl $3,%3\n" \
17200 - " .align 2,0x90\n" \
17201 - "0: rep; movsl\n" \
17202 - " movl %3,%0\n" \
17203 - "1: rep; movsb\n" \
17205 - ".section .fixup,\"ax\"\n" \
17206 - "5: addl %3,%0\n" \
17208 - "3: lea 0(%3,%0,4),%0\n" \
17211 - ".section __ex_table,\"a\"\n" \
17213 - " .long 4b,5b\n" \
17214 - " .long 0b,3b\n" \
17215 - " .long 1b,2b\n" \
17217 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
17218 - : "3"(size), "0"(size), "1"(to), "2"(from) \
17222 -#define __copy_user_zeroing(to, from, size) \
17224 - int __d0, __d1, __d2; \
17225 - __asm__ __volatile__( \
17228 - " movl %1,%0\n" \
17230 - " andl $7,%0\n" \
17231 - " subl %0,%3\n" \
17232 - "4: rep; movsb\n" \
17233 - " movl %3,%0\n" \
17234 - " shrl $2,%0\n" \
17235 - " andl $3,%3\n" \
17236 - " .align 2,0x90\n" \
17237 - "0: rep; movsl\n" \
17238 - " movl %3,%0\n" \
17239 - "1: rep; movsb\n" \
17241 - ".section .fixup,\"ax\"\n" \
17242 - "5: addl %3,%0\n" \
17244 - "3: lea 0(%3,%0,4),%0\n" \
17245 - "6: pushl %0\n" \
17246 - " pushl %%eax\n" \
17247 - " xorl %%eax,%%eax\n" \
17248 - " rep; stosb\n" \
17249 - " popl %%eax\n" \
17253 - ".section __ex_table,\"a\"\n" \
17255 - " .long 4b,5b\n" \
17256 - " .long 0b,3b\n" \
17257 - " .long 1b,6b\n" \
17259 - : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2) \
17260 - : "3"(size), "0"(size), "1"(to), "2"(from) \
17263 +static unsigned long
17264 +__generic_copy_to_user(void __user *to, const void *from, unsigned long size)
17266 + int __d0, __d1, __d2;
17268 + __asm__ __volatile__(
17269 + " movw %w8,%%es\n"
17276 + "4: rep; movsb\n"
17280 + " .align 2,0x90\n"
17281 + "0: rep; movsl\n"
17283 + "1: rep; movsb\n"
17287 + ".section .fixup,\"ax\"\n"
17288 + "5: addl %3,%0\n"
17290 + "3: lea 0(%3,%0,4),%0\n"
17293 + ".section __ex_table,\"a\"\n"
17299 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17300 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17305 +static unsigned long
17306 +__generic_copy_from_user(void *to, const void __user *from, unsigned long size)
17308 + int __d0, __d1, __d2;
17310 + __asm__ __volatile__(
17311 + " movw %w8,%%ds\n"
17318 + "4: rep; movsb\n"
17322 + " .align 2,0x90\n"
17323 + "0: rep; movsl\n"
17325 + "1: rep; movsb\n"
17329 + ".section .fixup,\"ax\"\n"
17330 + "5: addl %3,%0\n"
17332 + "3: lea 0(%3,%0,4),%0\n"
17335 + ".section __ex_table,\"a\"\n"
17341 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17342 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17347 +static unsigned long
17348 +__copy_user_zeroing(void *to, const void __user *from, unsigned long size)
17350 + int __d0, __d1, __d2;
17352 + __asm__ __volatile__(
17353 + " movw %w8,%%ds\n"
17360 + "4: rep; movsb\n"
17364 + " .align 2,0x90\n"
17365 + "0: rep; movsl\n"
17367 + "1: rep; movsb\n"
17371 + ".section .fixup,\"ax\"\n"
17372 + "5: addl %3,%0\n"
17374 + "3: lea 0(%3,%0,4),%0\n"
17377 + " xorl %%eax,%%eax\n"
17383 + ".section __ex_table,\"a\"\n"
17389 + : "=&c"(size), "=&D" (__d0), "=&S" (__d1), "=r"(__d2)
17390 + : "3"(size), "0"(size), "1"(to), "2"(from), "r"(__USER_DS)
17395 unsigned long __copy_to_user_ll(void __user *to, const void *from,
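Review bot: `__copy_user_zeroing` (17348–17390) zero-fills the kernel destination in its fixup with `xorl %%eax,%%eax` (17377) followed, presumably, by `rep; stosb`, but the `pushl %%eax`/`popl %%eax` pair that the old macro wrapped around that sequence (17246–17249) does not appear in the new block; unless the clobber list at 17391 (not in the excerpt) names `"eax"`, the compiler is free to keep a live value in %eax across the asm. The zero-fill is correct under the new segment scheme only because `rep stos` writes through %es, which this function leaves as the kernel segment while `movw %w8,%%ds` (17353) retargets the reads — worth a comment, e.g. `/* %ds = __USER_DS for the source; %es stays kernel so both the copy and the zero-fill land in the kernel buffer */`. The same remark applies in mirror image to `__generic_copy_to_user` (17264), which loads %es instead. The hunk's trailing context is the head of `__copy_to_user_ll`, whose body lies outside it.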
17397 @@ -775,9 +966,9 @@ survive:
17400 if (movsl_is_ok(to, from, n))
17401 - __copy_user(to, from, n);
17402 + n = __generic_copy_to_user(to, from, n);
17404 - n = __copy_user_intel(to, from, n);
17405 + n = __generic_copy_to_user_intel(to, from, n);
17408 EXPORT_SYMBOL(__copy_to_user_ll);
17409 @@ -786,7 +977,7 @@ unsigned long __copy_from_user_ll(void *
17412 if (movsl_is_ok(to, from, n))
17413 - __copy_user_zeroing(to, from, n);
17414 + n = __copy_user_zeroing(to, from, n);
17416 n = __copy_user_zeroing_intel(to, from, n);
17418 @@ -797,10 +988,9 @@ unsigned long __copy_from_user_ll_nozero
17421 if (movsl_is_ok(to, from, n))
17422 - __copy_user(to, from, n);
17423 + n = __generic_copy_from_user(to, from, n);
17425 - n = __copy_user_intel((void __user *)to,
17426 - (const void *)from, n);
17427 + n = __generic_copy_from_user_intel(to, from, n);
17430 EXPORT_SYMBOL(__copy_from_user_ll_nozero);
17431 @@ -812,9 +1002,9 @@ unsigned long __copy_from_user_ll_nocach
17432 if (n > 64 && cpu_has_xmm2)
17433 n = __copy_user_zeroing_intel_nocache(to, from, n);
17435 - __copy_user_zeroing(to, from, n);
17436 + n = __copy_user_zeroing(to, from, n);
17438 - __copy_user_zeroing(to, from, n);
17439 + n = __copy_user_zeroing(to, from, n);
17443 @@ -827,65 +1017,53 @@ unsigned long __copy_from_user_ll_nocach
17444 if (n > 64 && cpu_has_xmm2)
17445 n = __copy_user_intel_nocache(to, from, n);
17447 - __copy_user(to, from, n);
17448 + n = __generic_copy_from_user(to, from, n);
17450 - __copy_user(to, from, n);
17451 + n = __generic_copy_from_user(to, from, n);
17455 EXPORT_SYMBOL(__copy_from_user_ll_nocache_nozero);
17458 - * copy_to_user: - Copy a block of data into user space.
17459 - * @to: Destination address, in user space.
17460 - * @from: Source address, in kernel space.
17461 - * @n: Number of bytes to copy.
17463 - * Context: User context only. This function may sleep.
17465 - * Copy data from kernel space to user space.
17467 - * Returns number of bytes that could not be copied.
17468 - * On success, this will be zero.
17471 -copy_to_user(void __user *to, const void *from, unsigned long n)
17472 +void copy_from_user_overflow(void)
17474 - if (access_ok(VERIFY_WRITE, to, n))
17475 - n = __copy_to_user(to, from, n);
17477 + WARN(1, "Buffer overflow detected!\n");
17479 -EXPORT_SYMBOL(copy_to_user);
17480 +EXPORT_SYMBOL(copy_from_user_overflow);
17483 - * copy_from_user: - Copy a block of data from user space.
17484 - * @to: Destination address, in kernel space.
17485 - * @from: Source address, in user space.
17486 - * @n: Number of bytes to copy.
17488 - * Context: User context only. This function may sleep.
17490 - * Copy data from user space to kernel space.
17492 - * Returns number of bytes that could not be copied.
17493 - * On success, this will be zero.
17495 - * If some data could not be copied, this function will pad the copied
17496 - * data to the requested size using zero bytes.
17499 -_copy_from_user(void *to, const void __user *from, unsigned long n)
17500 +void copy_to_user_overflow(void)
17502 - if (access_ok(VERIFY_READ, from, n))
17503 - n = __copy_from_user(to, from, n);
17505 - memset(to, 0, n);
17507 + WARN(1, "Buffer overflow detected!\n");
17509 -EXPORT_SYMBOL(_copy_from_user);
17510 +EXPORT_SYMBOL(copy_to_user_overflow);
17512 -void copy_from_user_overflow(void)
17513 +#ifdef CONFIG_PAX_MEMORY_UDEREF
17514 +void __set_fs(mm_segment_t x, int cpu)
17516 - WARN(1, "Buffer overflow detected!\n");
17517 + unsigned long limit = x.seg;
17518 + struct desc_struct d;
17520 + current_thread_info()->addr_limit = x;
17521 + if (unlikely(paravirt_enabled()))
17524 + if (likely(limit))
17525 + limit = (limit - 1UL) >> PAGE_SHIFT;
17526 + pack_descriptor(&d, 0UL, limit, 0xF3, 0xC);
17527 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_DEFAULT_USER_DS, &d, DESCTYPE_S);
17529 -EXPORT_SYMBOL(copy_from_user_overflow);
17531 +void set_fs(mm_segment_t x)
17533 + __set_fs(x, get_cpu());
17536 +EXPORT_SYMBOL(copy_from_user);
17538 +void set_fs(mm_segment_t x)
17540 + current_thread_info()->addr_limit = x;
17544 +EXPORT_SYMBOL(set_fs);
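Review bot: `EXPORT_SYMBOL(copy_from_user);` at 17536 sits between the UDEREF `set_fs()` and the `#else`, yet no `copy_from_user` is defined in this hunk — the file's old `copy_to_user`/`_copy_from_user` bodies are removed by this same hunk (17471–17510) and presumably reappear inline in uaccess_32.h; if no out-of-line `copy_from_user` exists elsewhere in this translation unit the export will not link, and if the line was meant for `set_fs` it is redundant with `EXPORT_SYMBOL(set_fs)` at 17544, which already covers both `#ifdef` branches. In `__set_fs` the early return under `paravirt_enabled()` (17521) means a paravirtualised guest updates addr_limit but never reprograms GDT_ENTRY_DEFAULT_USER_DS, so the segment-limit enforcement the 32-bit usercopy routines rely on is silently absent there; that deserves a comment such as `/* paravirt: the GDT belongs to the hypervisor, only the software addr_limit check applies here */`. The `pack_descriptor(&d, 0UL, limit, 0xF3, 0xC)` call would also read better with the encoding spelled out in a comment (present, DPL 3, writable data; 4K granularity, 32-bit), since the limit is deliberately page-granular after the `(limit - 1UL) >> PAGE_SHIFT` step.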
17545 diff -urNp linux-2.6.36.1/arch/x86/lib/usercopy_64.c linux-2.6.36.1/arch/x86/lib/usercopy_64.c
17546 --- linux-2.6.36.1/arch/x86/lib/usercopy_64.c 2010-10-20 16:30:22.000000000 -0400
17547 +++ linux-2.6.36.1/arch/x86/lib/usercopy_64.c 2010-11-06 18:58:15.000000000 -0400
17548 @@ -42,6 +42,8 @@ long
17549 __strncpy_from_user(char *dst, const char __user *src, long count)
17552 + if ((unsigned long)src < PAX_USER_SHADOW_BASE)
17553 + src += PAX_USER_SHADOW_BASE;
17554 __do_strncpy_from_user(dst, src, count, res);
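Review bot: `__strncpy_from_user` is the unchecked variant, so the rebase added at 17552–17553 relies on the caller having validated `src` against addr_limit; a pointer between the user limit and PAX_USER_SHADOW_BASE is not rejected here but shifted by the shadow base and presumably left to fault inside the copy. A one-line comment would make that precondition explicit: `/* caller did access_ok(); user-half pointers are redirected into the UDEREF shadow mapping, set_fs(KERNEL_DS) pointers pass through untouched */`. The function body continues beyond the hunk.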
17557 @@ -65,6 +67,8 @@ unsigned long __clear_user(void __user *
17561 + if ((unsigned long)addr < PAX_USER_SHADOW_BASE)
17562 + addr += PAX_USER_SHADOW_BASE;
17563 /* no memory constraint because it doesn't change any memory gcc knows
17566 @@ -151,10 +155,14 @@ EXPORT_SYMBOL(strlen_user);
17568 unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
17570 - if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17571 + if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
17572 + if ((unsigned long)to < PAX_USER_SHADOW_BASE)
17573 + to += PAX_USER_SHADOW_BASE;
17574 + if ((unsigned long)from < PAX_USER_SHADOW_BASE)
17575 + from += PAX_USER_SHADOW_BASE;
17576 return copy_user_generic((__force void *)to, (__force void *)from, len);
17582 EXPORT_SYMBOL(copy_in_user);
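Review bot: The shadow-base rebase is now open-coded three times in this file (17552–17553, 17561–17562, 17572–17575) with the same two-line idiom; a small helper would make the order of operations — `access_ok()` on the original pointer first, rebase second, exactly as `copy_in_user` does it — the only way to write it, and would carry the explanation once. `copy_user_generic()` is then called with the rebased pointers, so the helper should hand back the same pointer the caller passed in, merely shifted.
```c
/* UDEREF/x86-64: user-half pointers are accessed through the shadow mapping;
 * kernel pointers (set_fs(KERNEL_DS)) pass through unchanged.  Callers must
 * have done access_ok() on the original pointer first. */
static inline unsigned long pax_user_shadow(unsigned long addr)
{
	return addr < PAX_USER_SHADOW_BASE ? addr + PAX_USER_SHADOW_BASE : addr;
}

/* … unchanged: __strncpy_from_user, __clear_user … */
unsigned long copy_in_user(void __user *to, const void __user *from, unsigned len)
{
	if (access_ok(VERIFY_WRITE, to, len) && access_ok(VERIFY_READ, from, len)) {
		to = (void __user *)pax_user_shadow((unsigned long)to);
		from = (const void __user *)pax_user_shadow((unsigned long)from);
		return copy_user_generic((__force void *)to, (__force void *)from, len);
	}
	/* … unchanged: remainder of copy_in_user … */
```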
17584 diff -urNp linux-2.6.36.1/arch/x86/Makefile linux-2.6.36.1/arch/x86/Makefile
17585 --- linux-2.6.36.1/arch/x86/Makefile 2010-10-20 16:30:22.000000000 -0400
17586 +++ linux-2.6.36.1/arch/x86/Makefile 2010-11-06 18:58:15.000000000 -0400
17587 @@ -191,3 +191,12 @@ define archhelp
17588 echo ' FDARGS="..." arguments for the booted kernel'
17589 echo ' FDINITRD=file initrd for the booted kernel'
17594 +*** ${VERSION}.${PATCHLEVEL} PaX kernels no longer build correctly with old versions of binutils.
17595 +*** Please upgrade your binutils to 2.18 or newer
17599 + $(if $(LDFLAGS_BUILD_ID),,$(error $(OLD_LD)))
17600 diff -urNp linux-2.6.36.1/arch/x86/mm/extable.c linux-2.6.36.1/arch/x86/mm/extable.c
17601 --- linux-2.6.36.1/arch/x86/mm/extable.c 2010-10-20 16:30:22.000000000 -0400
17602 +++ linux-2.6.36.1/arch/x86/mm/extable.c 2010-11-06 18:58:15.000000000 -0400
17604 #include <linux/module.h>
17605 #include <linux/spinlock.h>
17606 +#include <linux/sort.h>
17607 #include <asm/uaccess.h>
17608 +#include <asm/pgtable.h>
17611 + * The exception table needs to be sorted so that the binary
17612 + * search that we use to find entries in it works properly.
17613 + * This is used both for the kernel exception table and for
17614 + * the exception tables of modules that get loaded.
17616 +static int cmp_ex(const void *a, const void *b)
17618 + const struct exception_table_entry *x = a, *y = b;
17620 + /* avoid overflow */
17621 + if (x->insn > y->insn)
17623 + if (x->insn < y->insn)
17628 +static void swap_ex(void *a, void *b, int size)
17630 + struct exception_table_entry t, *x = a, *y = b;
17634 + pax_open_kernel();
17637 + pax_close_kernel();
17640 +void sort_extable(struct exception_table_entry *start,
17641 + struct exception_table_entry *finish)
17643 + sort(start, finish - start, sizeof(struct exception_table_entry),
17644 + cmp_ex, swap_ex);
17647 +#ifdef CONFIG_MODULES
17649 + * If the exception table is sorted, any referring to the module init
17650 + * will be at the beginning or the end.
17652 +void trim_init_extable(struct module *m)
17654 + /*trim the beginning*/
17655 + while (m->num_exentries && within_module_init(m->extable[0].insn, m)) {
17657 + m->num_exentries--;
17660 + while (m->num_exentries &&
17661 + within_module_init(m->extable[m->num_exentries-1].insn, m))
17662 + m->num_exentries--;
17664 +#endif /* CONFIG_MODULES */
17666 int fixup_exception(struct pt_regs *regs)
17668 const struct exception_table_entry *fixup;
17670 #ifdef CONFIG_PNPBIOS
17671 - if (unlikely(SEGMENT_IS_PNP_CODE(regs->cs))) {
17672 + if (unlikely(!v8086_mode(regs) && SEGMENT_IS_PNP_CODE(regs->cs))) {
17673 extern u32 pnp_bios_fault_eip, pnp_bios_fault_esp;
17674 extern u32 pnp_bios_is_utter_crap;
17675 pnp_bios_is_utter_crap = 1;
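Review bot: The added `!v8086_mode(regs)` test at 17672 is the security-relevant part of this hunk and deserves a comment: in vm86 mode `regs->cs` is a real-mode segment value under user control, so without the test a vm86 task could presumably make `SEGMENT_IS_PNP_CODE(regs->cs)` match and steer its own fault into the PNP BIOS recovery path; I would add `/* in vm86 mode cs is a real-mode segment chosen by userland, not a selector */` above the `#ifdef CONFIG_PNPBIOS` block. `swap_ex` brackets the copy with `pax_open_kernel()`/`pax_close_kernel()` (17634/17637), which reads as the reason this file now carries its own `sort_extable`/`trim_init_extable` instead of the generic lib/extable.c ones — a comment on `swap_ex` saying the table may sit in read-only memory would save the next reader that deduction. The leading-trim loop in `trim_init_extable` must also advance `m->extable` (the line between 17655 and 17657 is not in the excerpt); without it the loop would keep re-testing `extable[0]` and discard the whole table.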
17676 diff -urNp linux-2.6.36.1/arch/x86/mm/fault.c linux-2.6.36.1/arch/x86/mm/fault.c
17677 --- linux-2.6.36.1/arch/x86/mm/fault.c 2010-10-20 16:30:22.000000000 -0400
17678 +++ linux-2.6.36.1/arch/x86/mm/fault.c 2010-11-13 16:29:01.000000000 -0500
17679 @@ -11,10 +11,18 @@
17680 #include <linux/kprobes.h> /* __kprobes, ... */
17681 #include <linux/mmiotrace.h> /* kmmio_handler, ... */
17682 #include <linux/perf_event.h> /* perf_sw_event */
17683 +#include <linux/unistd.h>
17684 +#include <linux/compiler.h>
17686 #include <asm/traps.h> /* dotraplinkage, ... */
17687 #include <asm/pgalloc.h> /* pgd_*(), ... */
17688 #include <asm/kmemcheck.h> /* kmemcheck_*(), ... */
17689 +#include <asm/vsyscall.h>
17690 +#include <asm/tlbflush.h>
17692 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
17693 +#include <asm/stacktrace.h>
17697 * Page fault error code bits:
17698 @@ -52,7 +60,7 @@ static inline int __kprobes notify_page_
17701 /* kprobe_running() needs smp_processor_id() */
17702 - if (kprobes_built_in() && !user_mode_vm(regs)) {
17703 + if (kprobes_built_in() && !user_mode(regs)) {
17705 if (kprobe_running() && kprobe_fault_handler(regs, 14))
17707 @@ -173,6 +181,30 @@ force_sig_info_fault(int si_signo, int s
17708 force_sig_info(si_signo, &info, tsk);
17711 +#ifdef CONFIG_PAX_EMUTRAMP
17712 +static int pax_handle_fetch_fault(struct pt_regs *regs);
17715 +#ifdef CONFIG_PAX_PAGEEXEC
17716 +static inline pmd_t * pax_get_pmd(struct mm_struct *mm, unsigned long address)
17722 + pgd = pgd_offset(mm, address);
17723 + if (!pgd_present(*pgd))
17725 + pud = pud_offset(pgd, address);
17726 + if (!pud_present(*pud))
17728 + pmd = pmd_offset(pud, address);
17729 + if (!pmd_present(*pmd))
17735 DEFINE_SPINLOCK(pgd_lock);
17736 LIST_HEAD(pgd_list);
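Review bot: `pax_get_pmd()` (17716–17733) returns the pmd as soon as `pmd_present()` holds, without distinguishing a large-page mapping from a pointer to a page table; if any caller goes on to `pte_offset_map()` the result, a huge-page pmd would be dereferenced as if it were a pte table. Either add `if (pmd_large(*pmd)) return NULL;` before the final return, or state in a comment that callers are responsible for that check. The early-out returns on the missing pgd/pud/pmd levels (17724, 17727, 17730) are not in the excerpt, so the function is assumed to return NULL there.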
17738 @@ -225,11 +257,24 @@ void vmalloc_sync_all(void)
17739 address += PMD_SIZE) {
17741 unsigned long flags;
17743 +#ifdef CONFIG_PAX_PER_CPU_PGD
17744 + unsigned long cpu;
17749 spin_lock_irqsave(&pgd_lock, flags);
17751 +#ifdef CONFIG_PAX_PER_CPU_PGD
17752 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17753 + pgd_t *pgd = get_cpu_pgd(cpu);
17755 list_for_each_entry(page, &pgd_list, lru) {
17756 - if (!vmalloc_sync_one(page_address(page), address))
17757 + pgd_t *pgd = page_address(page);
17760 + if (!vmalloc_sync_one(pgd, address))
17763 spin_unlock_irqrestore(&pgd_lock, flags);
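Review bot: The per-cpu loop at 17752, `for (cpu = 0; cpu < NR_CPUS; ++cpu)`, walks every slot up to the compile-time maximum rather than the CPUs that can exist; `for_each_possible_cpu(cpu)` states the intent and skips get_cpu_pgd() on slots that can never come online. The x86_64 vmalloc_sync_all hunk (-333,+383) has the same loop at 17793. The nested `#ifdef` that swaps the loop header but shares the loop body also makes the brace pairing hard to follow; a trailing `/* CONFIG_PAX_PER_CPU_PGD */` on the `#else`/`#endif` lines would help the reader.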
17764 @@ -259,6 +304,11 @@ static noinline __kprobes int vmalloc_fa
17765 * an interrupt in the middle of a task switch..
17767 pgd_paddr = read_cr3();
17769 +#ifdef CONFIG_PAX_PER_CPU_PGD
17770 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (pgd_paddr & PHYSICAL_PAGE_MASK));
17773 pmd_k = vmalloc_sync_one(__va(pgd_paddr), address);
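Review bot: The BUG_ON at 17770 (and the matching one at 17810 in the -374,+436 hunk) turns a per-cpu pgd/CR3 mismatch inside the page-fault path into a machine halt, and nothing states the invariant it enforces. A one-line comment such as `/* a CPU must always run on its own per-cpu pgd; anything else is a kernel bug */` would tell the next reader why an oops is not considered sufficient here. That this is the intended severity is inferred; if a WARN-and-oops would do, WARN_ON_ONCE is the gentler choice.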
17776 @@ -333,15 +383,27 @@ void vmalloc_sync_all(void)
17778 const pgd_t *pgd_ref = pgd_offset_k(address);
17779 unsigned long flags;
17781 +#ifdef CONFIG_PAX_PER_CPU_PGD
17782 + unsigned long cpu;
17787 if (pgd_none(*pgd_ref))
17790 spin_lock_irqsave(&pgd_lock, flags);
17792 +#ifdef CONFIG_PAX_PER_CPU_PGD
17793 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
17794 + pgd_t *pgd = pgd_offset_cpu(cpu, address);
17796 list_for_each_entry(page, &pgd_list, lru) {
17798 pgd = (pgd_t *)page_address(page) + pgd_index(address);
17801 if (pgd_none(*pgd))
17802 set_pgd(pgd, *pgd_ref);
17804 @@ -374,7 +436,14 @@ static noinline __kprobes int vmalloc_fa
17805 * happen within a race in page table update. In the later
17809 +#ifdef CONFIG_PAX_PER_CPU_PGD
17810 + BUG_ON(__pa(get_cpu_pgd(smp_processor_id())) != (read_cr3() & PHYSICAL_PAGE_MASK));
17811 + pgd = pgd_offset_cpu(smp_processor_id(), address);
17813 pgd = pgd_offset(current->active_mm, address);
17816 pgd_ref = pgd_offset_k(address);
17817 if (pgd_none(*pgd_ref))
17819 @@ -536,7 +605,7 @@ static int is_errata93(struct pt_regs *r
17820 static int is_errata100(struct pt_regs *regs, unsigned long address)
17822 #ifdef CONFIG_X86_64
17823 - if ((regs->cs == __USER32_CS || (regs->cs & (1<<2))) && (address >> 32))
17824 + if ((regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT)) && (address >> 32))
17828 @@ -563,7 +632,7 @@ static int is_f00f_bug(struct pt_regs *r
17831 static const char nx_warning[] = KERN_CRIT
17832 -"kernel tried to execute NX-protected page - exploit attempt? (uid: %d)\n";
17833 +"kernel tried to execute NX-protected page - exploit attempt? (uid: %d, task: %s, pid: %d)\n";
17836 show_fault_oops(struct pt_regs *regs, unsigned long error_code,
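Review bot: The extended nx_warning at 17833 keeps `%d` for current_uid() while the new PAX messages in the show_fault_oops hunk (-572,+641, lines 17855 and 17858) print the same value with `%u`, which is the correct specifier for uid_t. Making the string `"... exploit attempt? (uid: %u, task: %s, pid: %d)\n"` keeps the two messages consistent and avoids a signed/unsigned mismatch under -Wformat.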
17837 @@ -572,15 +641,26 @@ show_fault_oops(struct pt_regs *regs, un
17838 if (!oops_may_print())
17841 - if (error_code & PF_INSTR) {
17842 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) {
17843 unsigned int level;
17845 pte_t *pte = lookup_address(address, &level);
17847 if (pte && pte_present(*pte) && !pte_exec(*pte))
17848 - printk(nx_warning, current_uid());
17849 + printk(nx_warning, current_uid(), current->comm, task_pid_nr(current));
17852 +#ifdef CONFIG_PAX_KERNEXEC
17853 + if (init_mm.start_code <= address && address < init_mm.end_code) {
17854 + if (current->signal->curr_ip)
17855 + printk(KERN_ERR "PAX: From %pI4: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17856 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
17858 + printk(KERN_ERR "PAX: %s:%d, uid/euid: %u/%u, attempted to modify kernel code\n",
17859 + current->comm, task_pid_nr(current), current_uid(), current_euid());
17863 printk(KERN_ALERT "BUG: unable to handle kernel ");
17864 if (address < PAGE_SIZE)
17865 printk(KERN_CONT "NULL pointer dereference");
17866 @@ -705,6 +785,68 @@ __bad_area_nosemaphore(struct pt_regs *r
17867 unsigned long address, int si_code)
17869 struct task_struct *tsk = current;
17870 + struct mm_struct *mm = tsk->mm;
17872 +#ifdef CONFIG_X86_64
17873 + if (mm && (error_code & PF_INSTR) && mm->context.vdso) {
17874 + if (regs->ip == (unsigned long)vgettimeofday) {
17875 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_gettimeofday);
17877 + } else if (regs->ip == (unsigned long)vtime) {
17878 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, fallback_time);
17880 + } else if (regs->ip == (unsigned long)vgetcpu) {
17881 + regs->ip = (unsigned long)VDSO64_SYMBOL(mm->context.vdso, getcpu);
17887 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
17888 + if (mm && (error_code & PF_USER)) {
17889 + unsigned long ip = regs->ip;
17891 + if (v8086_mode(regs))
17892 + ip = ((regs->cs & 0xffff) << 4) + (ip & 0xffff);
17895 + * It's possible to have interrupts off here:
17897 + local_irq_enable();
17899 +#ifdef CONFIG_PAX_PAGEEXEC
17900 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) &&
17901 + (((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR)) || (!(error_code & (PF_PROT | PF_WRITE)) && ip == address))) {
17903 +#ifdef CONFIG_PAX_EMUTRAMP
17904 + switch (pax_handle_fetch_fault(regs)) {
17910 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17911 + do_group_exit(SIGKILL);
17915 +#ifdef CONFIG_PAX_SEGMEXEC
17916 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && !(error_code & (PF_PROT | PF_WRITE)) && (ip + SEGMEXEC_TASK_SIZE == address)) {
17918 +#ifdef CONFIG_PAX_EMUTRAMP
17919 + switch (pax_handle_fetch_fault(regs)) {
17925 + pax_report_fault(regs, (void *)ip, (void *)regs->sp);
17926 + do_group_exit(SIGKILL);
17933 /* User mode accesses just cause a SIGSEGV */
17934 if (error_code & PF_USER) {
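Review bot: The PAGEEXEC trigger at 17900-17901 folds two different detection mechanisms into one long condition with no explanation, and the SEGMEXEC test at 17916 relies on the reader knowing the mirrored code-segment layout. A comment above 17900 such as `/* fetch from a non-exec page: either the CPU reported it (NX), or without NX a read fault whose address is the instruction pointer itself */` and above 17916 `/* SEGMEXEC: a fetch from the code-segment mirror of a data page lands at ip + SEGMEXEC_TASK_SIZE */` would make the two branches reviewable. The case labels of the two `switch (pax_handle_fetch_fault(regs))` blocks are not shown in this view, so their fall-through behaviour could not be checked.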
17935 @@ -851,6 +993,106 @@ static int spurious_fault_check(unsigned
17939 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
17940 +static int pax_handle_pageexec_fault(struct pt_regs *regs, struct mm_struct *mm, unsigned long address, unsigned long error_code)
17945 + unsigned char pte_mask;
17947 + if ((__supported_pte_mask & _PAGE_NX) || (error_code & (PF_PROT|PF_USER)) != (PF_PROT|PF_USER) || v8086_mode(regs) ||
17948 + !(mm->pax_flags & MF_PAX_PAGEEXEC))
17951 + /* PaX: it's our fault, let's handle it if we can */
17953 + /* PaX: take a look at read faults before acquiring any locks */
17954 + if (unlikely(!(error_code & PF_WRITE) && (regs->ip == address))) {
17955 + /* instruction fetch attempt from a protected page in user mode */
17956 + up_read(&mm->mmap_sem);
17958 +#ifdef CONFIG_PAX_EMUTRAMP
17959 + switch (pax_handle_fetch_fault(regs)) {
17965 + pax_report_fault(regs, (void *)regs->ip, (void *)regs->sp);
17966 + do_group_exit(SIGKILL);
17969 + pmd = pax_get_pmd(mm, address);
17970 + if (unlikely(!pmd))
17973 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
17974 + if (unlikely(!(pte_val(*pte) & _PAGE_PRESENT) || pte_user(*pte))) {
17975 + pte_unmap_unlock(pte, ptl);
17979 + if (unlikely((error_code & PF_WRITE) && !pte_write(*pte))) {
17980 + /* write attempt to a protected page in user mode */
17981 + pte_unmap_unlock(pte, ptl);
17986 + if (likely(address > get_limit(regs->cs) && cpu_isset(smp_processor_id(), mm->context.cpu_user_cs_mask)))
17988 + if (likely(address > get_limit(regs->cs)))
17991 + set_pte(pte, pte_mkread(*pte));
17992 + __flush_tlb_one(address);
17993 + pte_unmap_unlock(pte, ptl);
17994 + up_read(&mm->mmap_sem);
17998 + pte_mask = _PAGE_ACCESSED | _PAGE_USER | ((error_code & PF_WRITE) << (_PAGE_BIT_DIRTY-1));
18001 + * PaX: fill DTLB with user rights and retry
18003 + __asm__ __volatile__ (
18004 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18005 + "movw %w4,%%es\n"
18008 +#if defined(CONFIG_M586) || defined(CONFIG_M586TSC)
18010 + * PaX: let this uncommented 'invlpg' remind us on the behaviour of Intel's
18011 + * (and AMD's) TLBs. namely, they do not cache PTEs that would raise *any*
18012 + * page fault when examined during a TLB load attempt. this is true not only
18013 + * for PTEs holding a non-present entry but also present entries that will
18014 + * raise a page fault (such as those set up by PaX, or the copy-on-write
18015 + * mechanism). in effect it means that we do *not* need to flush the TLBs
18016 + * for our target pages since their PTEs are simply not in the TLBs at all.
18018 + * the best thing in omitting it is that we gain around 15-20% speed in the
18019 + * fast path of the page fault handler and can get rid of tracing since we
18020 + * can no longer flush unintended entries.
18024 + "testb $0,%%es:(%0)\n"
18026 +#ifdef CONFIG_PAX_MEMORY_UDEREF
18031 + : "r" (address), "r" (pte), "q" (pte_mask), "i" (_PAGE_USER), "r" (__USER_DS)
18032 + : "memory", "cc");
18033 + pte_unmap_unlock(pte, ptl);
18034 + up_read(&mm->mmap_sem);
18040 * Handle a spurious fault caused by a stale TLB entry.
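Review bot: pax_handle_pageexec_fault has an undocumented locking contract: on the paths that call up_read(&mm->mmap_sem) (17956, 17994, 18034) it releases the lock the caller in do_page_fault (hunk -1074,+1333) still believes it holds, and nothing above the function says so. A header comment should state that a nonzero return means the fault was a PAGEEXEC fault, has been fully handled, and mmap_sem has already been dropped, so the caller must return at once. The mask at 17998 also relies on PF_WRITE shifted by `_PAGE_BIT_DIRTY-1` landing exactly on _PAGE_DIRTY; `BUILD_BUG_ON((PF_WRITE << (_PAGE_BIT_DIRTY - 1)) != _PAGE_DIRTY);` pins that coincidence. The return statements themselves are not shown in this view.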
18042 @@ -917,6 +1159,9 @@ int show_unhandled_signals = 1;
18044 access_error(unsigned long error_code, int write, struct vm_area_struct *vma)
18046 + if ((__supported_pte_mask & _PAGE_NX) && (error_code & PF_INSTR) && !(vma->vm_flags & VM_EXEC))
18050 /* write, present and write, not present: */
18051 if (unlikely(!(vma->vm_flags & VM_WRITE)))
18052 @@ -950,17 +1195,31 @@ do_page_fault(struct pt_regs *regs, unsi
18054 struct vm_area_struct *vma;
18055 struct task_struct *tsk;
18056 - unsigned long address;
18057 struct mm_struct *mm;
18061 + /* Get the faulting address: */
18062 + unsigned long address = read_cr2();
18064 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
18065 + if (!user_mode(regs) && address < 2 * PAX_USER_SHADOW_BASE) {
18066 + if (!search_exception_tables(regs->ip)) {
18067 + bad_area_nosemaphore(regs, error_code, address);
18070 + if (address < PAX_USER_SHADOW_BASE) {
18071 + printk(KERN_ERR "PAX: please report this to pageexec@freemail.hu\n");
18072 + printk(KERN_ERR "PAX: faulting IP: %pA\n", (void *)regs->ip);
18073 + show_trace_log_lvl(NULL, NULL, (void *)regs->sp, regs->bp, KERN_ERR);
18075 + address -= PAX_USER_SHADOW_BASE;
18082 - /* Get the faulting address: */
18083 - address = read_cr2();
18086 * Detect and handle instructions that would cause a page fault for
18087 * both a tracked kernel page and a userspace page.
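Review bot: In the UDEREF block at 18065-18075, a kernel-mode fault with address below PAX_USER_SHADOW_BASE prints the "please report" diagnostic and then appears to fall through to `address -= PAX_USER_SHADOW_BASE;`, which wraps for such an address and hands a meaningless value to the rest of the handler (line 18074 is not shown here, so this is inferred). If the intent is to let the exception fixup located by search_exception_tables() deal with it, a comment saying so would remove the doubt; otherwise the branch should end with `bad_area_nosemaphore(regs, error_code, address); return;` like the no-fixup case above it.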
18088 @@ -1020,7 +1279,7 @@ do_page_fault(struct pt_regs *regs, unsi
18089 * User-mode registers count as a user access even for any
18090 * potential system fault or CPU buglet:
18092 - if (user_mode_vm(regs)) {
18093 + if (user_mode(regs)) {
18094 local_irq_enable();
18095 error_code |= PF_USER;
18097 @@ -1074,6 +1333,11 @@ do_page_fault(struct pt_regs *regs, unsi
18101 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_PAGEEXEC)
18102 + if (pax_handle_pageexec_fault(regs, mm, address, error_code))
18106 vma = find_vma(mm, address);
18107 if (unlikely(!vma)) {
18108 bad_area(regs, error_code, address);
18109 @@ -1085,18 +1349,24 @@ do_page_fault(struct pt_regs *regs, unsi
18110 bad_area(regs, error_code, address);
18113 - if (error_code & PF_USER) {
18115 - * Accessing the stack below %sp is always a bug.
18116 - * The large cushion allows instructions like enter
18117 - * and pusha to work. ("enter $65535, $31" pushes
18118 - * 32 pointers and then decrements %sp by 65535.)
18120 - if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < regs->sp)) {
18121 - bad_area(regs, error_code, address);
18125 + * Accessing the stack below %sp is always a bug.
18126 + * The large cushion allows instructions like enter
18127 + * and pusha to work. ("enter $65535, $31" pushes
18128 + * 32 pointers and then decrements %sp by 65535.)
18130 + if (unlikely(address + 65536 + 32 * sizeof(unsigned long) < task_pt_regs(tsk)->sp)) {
18131 + bad_area(regs, error_code, address);
18135 +#ifdef CONFIG_PAX_SEGMEXEC
18136 + if (unlikely((mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end - SEGMEXEC_TASK_SIZE - 1 < address - SEGMEXEC_TASK_SIZE - 1)) {
18137 + bad_area(regs, error_code, address);
18142 if (unlikely(expand_stack(vma, address))) {
18143 bad_area(regs, error_code, address);
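Review bot: The stack-cushion check at 18130 now reads `task_pt_regs(tsk)->sp` for kernel-mode faults too, since the `if (error_code & PF_USER)` gate was removed; for a task that never entered from user space — a kernel thread that borrowed an mm via use_mm() — task_pt_regs() does not hold a meaningful user sp, so a legitimate stack expansion could be refused. Whether such a caller can reach this point is not visible here; if it can, gating with `!(tsk->flags & PF_KTHREAD) &&` restores the old behaviour for it. The SEGMEXEC test at 18136 also depends on unsigned wrap-around in both subtractions and deserves a one-line comment explaining the range it rejects.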
18145 @@ -1140,3 +1410,199 @@ good_area:
18147 up_read(&mm->mmap_sem);
18150 +#ifdef CONFIG_PAX_EMUTRAMP
18151 +static int pax_handle_fetch_fault_32(struct pt_regs *regs)
18155 + do { /* PaX: gcc trampoline emulation #1 */
18156 + unsigned char mov1, mov2;
18157 + unsigned short jmp;
18158 + unsigned int addr1, addr2;
18160 +#ifdef CONFIG_X86_64
18161 + if ((regs->ip + 11) >> 32)
18165 + err = get_user(mov1, (unsigned char __user *)regs->ip);
18166 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18167 + err |= get_user(mov2, (unsigned char __user *)(regs->ip + 5));
18168 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18169 + err |= get_user(jmp, (unsigned short __user *)(regs->ip + 10));
18174 + if (mov1 == 0xB9 && mov2 == 0xB8 && jmp == 0xE0FF) {
18175 + regs->cx = addr1;
18176 + regs->ax = addr2;
18177 + regs->ip = addr2;
18182 + do { /* PaX: gcc trampoline emulation #2 */
18183 + unsigned char mov, jmp;
18184 + unsigned int addr1, addr2;
18186 +#ifdef CONFIG_X86_64
18187 + if ((regs->ip + 9) >> 32)
18191 + err = get_user(mov, (unsigned char __user *)regs->ip);
18192 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 1));
18193 + err |= get_user(jmp, (unsigned char __user *)(regs->ip + 5));
18194 + err |= get_user(addr2, (unsigned int __user *)(regs->ip + 6));
18199 + if (mov == 0xB9 && jmp == 0xE9) {
18200 + regs->cx = addr1;
18201 + regs->ip = (unsigned int)(regs->ip + addr2 + 10);
18206 + return 1; /* PaX in action */
18209 +#ifdef CONFIG_X86_64
18210 +static int pax_handle_fetch_fault_64(struct pt_regs *regs)
18214 + do { /* PaX: gcc trampoline emulation #1 */
18215 + unsigned short mov1, mov2, jmp1;
18216 + unsigned char jmp2;
18217 + unsigned int addr1;
18218 + unsigned long addr2;
18220 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18221 + err |= get_user(addr1, (unsigned int __user *)(regs->ip + 2));
18222 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 6));
18223 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 8));
18224 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 16));
18225 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 18));
18230 + if (mov1 == 0xBB41 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18231 + regs->r11 = addr1;
18232 + regs->r10 = addr2;
18233 + regs->ip = addr1;
18238 + do { /* PaX: gcc trampoline emulation #2 */
18239 + unsigned short mov1, mov2, jmp1;
18240 + unsigned char jmp2;
18241 + unsigned long addr1, addr2;
18243 + err = get_user(mov1, (unsigned short __user *)regs->ip);
18244 + err |= get_user(addr1, (unsigned long __user *)(regs->ip + 2));
18245 + err |= get_user(mov2, (unsigned short __user *)(regs->ip + 10));
18246 + err |= get_user(addr2, (unsigned long __user *)(regs->ip + 12));
18247 + err |= get_user(jmp1, (unsigned short __user *)(regs->ip + 20));
18248 + err |= get_user(jmp2, (unsigned char __user *)(regs->ip + 22));
18253 + if (mov1 == 0xBB49 && mov2 == 0xBA49 && jmp1 == 0xFF49 && jmp2 == 0xE3) {
18254 + regs->r11 = addr1;
18255 + regs->r10 = addr2;
18256 + regs->ip = addr1;
18261 + return 1; /* PaX in action */
18266 + * PaX: decide what to do with offenders (regs->ip = fault address)
18268 + * returns 1 when task should be killed
18269 + * 2 when gcc trampoline was detected
18271 +static int pax_handle_fetch_fault(struct pt_regs *regs)
18273 + if (v8086_mode(regs))
18276 + if (!(current->mm->pax_flags & MF_PAX_EMUTRAMP))
18279 +#ifdef CONFIG_X86_32
18280 + return pax_handle_fetch_fault_32(regs);
18282 + if (regs->cs == __USER32_CS || (regs->cs & SEGMENT_LDT))
18283 + return pax_handle_fetch_fault_32(regs);
18285 + return pax_handle_fetch_fault_64(regs);
18290 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18291 +void pax_report_insns(void *pc, void *sp)
18295 + printk(KERN_ERR "PAX: bytes at PC: ");
18296 + for (i = 0; i < 20; i++) {
18298 + if (get_user(c, (__force unsigned char __user *)pc+i))
18299 + printk(KERN_CONT "?? ");
18301 + printk(KERN_CONT "%02x ", c);
18305 + printk(KERN_ERR "PAX: bytes at SP-%lu: ", (unsigned long)sizeof(long));
18306 + for (i = -1; i < 80 / (long)sizeof(long); i++) {
18308 + if (get_user(c, (__force unsigned long __user *)sp+i))
18309 +#ifdef CONFIG_X86_32
18310 + printk(KERN_CONT "???????? ");
18312 + printk(KERN_CONT "???????????????? ");
18315 + printk(KERN_CONT "%0*lx ", 2 * (int)sizeof(long), c);
18322 + * probe_kernel_write(): safely attempt to write to a location
18323 + * @dst: address to write to
18324 + * @src: pointer to the data that shall be written
18325 + * @size: size of the data chunk
18327 + * Safely write to address @dst from the buffer at @src. If a kernel fault
18328 + * happens, handle that and return -EFAULT.
18330 +long notrace probe_kernel_write(void *dst, const void *src, size_t size)
18333 + mm_segment_t old_fs = get_fs();
18335 + set_fs(KERNEL_DS);
18336 + pagefault_disable();
18337 + pax_open_kernel();
18338 + ret = __copy_to_user_inatomic((__force void __user *)dst, src, size);
18339 + pax_close_kernel();
18340 + pagefault_enable();
18343 + return ret ? -EFAULT : 0;
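Review bot: The opcode constants in pax_handle_fetch_fault_32 and pax_handle_fetch_fault_64 (0xB9/0xB8/0xE0FF at 18174, 0xB9/0xE9 at 18199, 0xBB41/0xBA49/0xFF49/0xE3 at 18230 and 0xBB49 at 18253) are undocumented, so the reader has to decode each sequence by hand. Each `do { /* PaX: gcc trampoline emulation #N */` comment should spell out the instruction sequence it matches, e.g. `/* mov $imm32,%ecx ; mov $imm32,%eax ; jmp *%eax */` for the first 32-bit case, `/* mov $imm32,%ecx ; jmp rel32 */` for the second, and `/* mov $imm32,%r11d ; movabs $imm64,%r10 ; jmp *%r11 */` for the first 64-bit case. The `if (err) break;` style lines after each get_user run are not shown in this view, so error handling could not be checked.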
18345 diff -urNp linux-2.6.36.1/arch/x86/mm/gup.c linux-2.6.36.1/arch/x86/mm/gup.c
18346 --- linux-2.6.36.1/arch/x86/mm/gup.c 2010-10-20 16:30:22.000000000 -0400
18347 +++ linux-2.6.36.1/arch/x86/mm/gup.c 2010-11-06 18:58:15.000000000 -0400
18348 @@ -237,7 +237,7 @@ int __get_user_pages_fast(unsigned long
18350 len = (unsigned long) nr_pages << PAGE_SHIFT;
18352 - if (unlikely(!access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18353 + if (unlikely(!__access_ok(write ? VERIFY_WRITE : VERIFY_READ,
18354 (void __user *)start, len)))
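Review bot: The switch from access_ok() to __access_ok() at 18353 is not explained, and the difference between the two under this patch is defined elsewhere (asm/uaccess.h, not visible here). A one-line comment on why the wrapper's extra checking is unwanted in this lockless fast path, e.g. `/* __access_ok: plain range check only; this path runs with interrupts off */`, would save the next reader a trip to the header. The exact extra work access_ok() does under the patch is inferred, so the comment text should be confirmed against the header.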
18357 diff -urNp linux-2.6.36.1/arch/x86/mm/highmem_32.c linux-2.6.36.1/arch/x86/mm/highmem_32.c
18358 --- linux-2.6.36.1/arch/x86/mm/highmem_32.c 2010-10-20 16:30:22.000000000 -0400
18359 +++ linux-2.6.36.1/arch/x86/mm/highmem_32.c 2010-11-06 18:58:15.000000000 -0400
18360 @@ -43,7 +43,10 @@ void *kmap_atomic_prot(struct page *page
18361 idx = type + KM_TYPE_NR*smp_processor_id();
18362 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
18363 BUG_ON(!pte_none(*(kmap_pte-idx)));
18365 + pax_open_kernel();
18366 set_pte(kmap_pte-idx, mk_pte(page, prot));
18367 + pax_close_kernel();
18369 return (void *)vaddr;
18371 diff -urNp linux-2.6.36.1/arch/x86/mm/hugetlbpage.c linux-2.6.36.1/arch/x86/mm/hugetlbpage.c
18372 --- linux-2.6.36.1/arch/x86/mm/hugetlbpage.c 2010-10-20 16:30:22.000000000 -0400
18373 +++ linux-2.6.36.1/arch/x86/mm/hugetlbpage.c 2010-11-06 18:58:15.000000000 -0400
18374 @@ -266,13 +266,20 @@ static unsigned long hugetlb_get_unmappe
18375 struct hstate *h = hstate_file(file);
18376 struct mm_struct *mm = current->mm;
18377 struct vm_area_struct *vma;
18378 - unsigned long start_addr;
18379 + unsigned long start_addr, pax_task_size = TASK_SIZE;
18381 +#ifdef CONFIG_PAX_SEGMEXEC
18382 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18383 + pax_task_size = SEGMEXEC_TASK_SIZE;
18386 + pax_task_size -= PAGE_SIZE;
18388 if (len > mm->cached_hole_size) {
18389 - start_addr = mm->free_area_cache;
18390 + start_addr = mm->free_area_cache;
18392 - start_addr = TASK_UNMAPPED_BASE;
18393 - mm->cached_hole_size = 0;
18394 + start_addr = mm->mmap_base;
18395 + mm->cached_hole_size = 0;
18399 @@ -280,26 +287,27 @@ full_search:
18401 for (vma = find_vma(mm, addr); ; vma = vma->vm_next) {
18402 /* At this point: (!vma || addr < vma->vm_end). */
18403 - if (TASK_SIZE - len < addr) {
18404 + if (pax_task_size - len < addr) {
18406 * Start a new search - just in case we missed
18409 - if (start_addr != TASK_UNMAPPED_BASE) {
18410 - start_addr = TASK_UNMAPPED_BASE;
18411 + if (start_addr != mm->mmap_base) {
18412 + start_addr = mm->mmap_base;
18413 mm->cached_hole_size = 0;
18418 - if (!vma || addr + len <= vma->vm_start) {
18419 - mm->free_area_cache = addr + len;
18422 + if (check_heap_stack_gap(vma, addr, len))
18424 if (addr + mm->cached_hole_size < vma->vm_start)
18425 mm->cached_hole_size = vma->vm_start - addr;
18426 addr = ALIGN(vma->vm_end, huge_page_size(h));
18429 + mm->free_area_cache = addr + len;
18433 static unsigned long hugetlb_get_unmapped_area_topdown(struct file *file,
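Review bot: check_heap_stack_gap(vma, addr, len) at 18422 replaces the explicit `!vma ||` test, yet when it returns false the code goes on to read `vma->vm_start` (18424-18425) and `vma->vm_next` in the loop header; the topdown hunk (-329,+336) does the same at 18488 and 18494 after dropping the `find_vma_prev` NULL check. So the helper must return true for a NULL vma, and its definition is not in this file; a comment at the first call site, `/* check_heap_stack_gap() treats vma == NULL as a fit */`, pins the dependency. The helper's actual behaviour on NULL is inferred from the callers, not seen.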
18434 @@ -308,10 +316,9 @@ static unsigned long hugetlb_get_unmappe
18436 struct hstate *h = hstate_file(file);
18437 struct mm_struct *mm = current->mm;
18438 - struct vm_area_struct *vma, *prev_vma;
18439 - unsigned long base = mm->mmap_base, addr = addr0;
18440 + struct vm_area_struct *vma;
18441 + unsigned long base = mm->mmap_base, addr;
18442 unsigned long largest_hole = mm->cached_hole_size;
18443 - int first_time = 1;
18445 /* don't allow allocations above current base */
18446 if (mm->free_area_cache > base)
18447 @@ -321,7 +328,7 @@ static unsigned long hugetlb_get_unmappe
18449 mm->free_area_cache = base;
18453 /* make sure it can fit in the remaining address space */
18454 if (mm->free_area_cache < len)
18456 @@ -329,33 +336,27 @@ try_again:
18457 /* either no address requested or cant fit in requested address hole */
18458 addr = (mm->free_area_cache - len) & huge_page_mask(h);
18460 + vma = find_vma(mm, addr);
18462 * Lookup failure means no vma is above this address,
18463 * i.e. return with success:
18465 - if (!(vma = find_vma_prev(mm, addr, &prev_vma)))
18469 * new region fits between prev_vma->vm_end and
18470 * vma->vm_start, use it:
18472 - if (addr + len <= vma->vm_start &&
18473 - (!prev_vma || (addr >= prev_vma->vm_end))) {
18474 + if (check_heap_stack_gap(vma, addr, len)) {
18475 /* remember the address as a hint for next time */
18476 - mm->cached_hole_size = largest_hole;
18477 - return (mm->free_area_cache = addr);
18479 - /* pull free_area_cache down to the first hole */
18480 - if (mm->free_area_cache == vma->vm_end) {
18481 - mm->free_area_cache = vma->vm_start;
18482 - mm->cached_hole_size = largest_hole;
18484 + mm->cached_hole_size = largest_hole;
18485 + return (mm->free_area_cache = addr);
18487 + /* pull free_area_cache down to the first hole */
18488 + if (mm->free_area_cache == vma->vm_end) {
18489 + mm->free_area_cache = vma->vm_start;
18490 + mm->cached_hole_size = largest_hole;
18493 /* remember the largest hole we saw so far */
18494 if (addr + largest_hole < vma->vm_start)
18495 - largest_hole = vma->vm_start - addr;
18496 + largest_hole = vma->vm_start - addr;
18498 /* try just below the current vma->vm_start */
18499 addr = (vma->vm_start - len) & huge_page_mask(h);
18500 @@ -363,22 +364,26 @@ try_again:
18504 - * if hint left us with no space for the requested
18505 - * mapping then try again:
18507 - if (first_time) {
18508 - mm->free_area_cache = base;
18509 - largest_hole = 0;
18514 * A failed mmap() very likely causes application failure,
18515 * so fall back to the bottom-up function here. This scenario
18516 * can happen with large stack limits and large mmap()
18519 - mm->free_area_cache = TASK_UNMAPPED_BASE;
18521 +#ifdef CONFIG_PAX_SEGMEXEC
18522 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18523 + mm->mmap_base = SEGMEXEC_TASK_UNMAPPED_BASE;
18527 + mm->mmap_base = TASK_UNMAPPED_BASE;
18529 +#ifdef CONFIG_PAX_RANDMMAP
18530 + if (mm->pax_flags & MF_PAX_RANDMMAP)
18531 + mm->mmap_base += mm->delta_mmap;
18534 + mm->free_area_cache = mm->mmap_base;
18535 mm->cached_hole_size = ~0UL;
18536 addr = hugetlb_get_unmapped_area_bottomup(file, addr0,
18537 len, pgoff, flags);
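Review bot: The fallback at 18521-18534 rewrites `mm->mmap_base` as a way of steering the bottom-up helper and only restores it under `fail:` in the next hunk (18542), which reads like an accidental side effect unless the reader already knows the pairing. A comment before 18521, `/* temporarily switch mmap_base for the bottom-up fallback; restored at fail: */`, makes the intent explicit. That mmap_sem is held for write here, which is what makes the temporary rewrite safe, is inferred from the usual get_unmapped_area call path and not visible in the hunk.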
18538 @@ -386,6 +391,7 @@ fail:
18540 * Restore the topdown base:
18542 + mm->mmap_base = base;
18543 mm->free_area_cache = base;
18544 mm->cached_hole_size = ~0UL;
18546 @@ -399,10 +405,19 @@ hugetlb_get_unmapped_area(struct file *f
18547 struct hstate *h = hstate_file(file);
18548 struct mm_struct *mm = current->mm;
18549 struct vm_area_struct *vma;
18550 + unsigned long pax_task_size = TASK_SIZE;
18552 if (len & ~huge_page_mask(h))
18554 - if (len > TASK_SIZE)
18556 +#ifdef CONFIG_PAX_SEGMEXEC
18557 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
18558 + pax_task_size = SEGMEXEC_TASK_SIZE;
18561 + pax_task_size -= PAGE_SIZE;
18563 + if (len > pax_task_size)
18566 if (flags & MAP_FIXED) {
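Review bot: The pax_task_size computation at 18550-18561 duplicates 18379-18386 in hugetlb_get_unmapped_area_bottomup line for line, including the `-= PAGE_SIZE` whose reason is stated in neither place. A small static inline helper removes the duplication and gives the subtraction one home for its comment; both call sites then reduce to `unsigned long pax_task_size = pax_hugetlb_task_size(mm);`. Why one page is subtracted is not visible here, so the comment below is marked to be confirmed.
```c
/* Upper bound for hugetlb placement in this mm, minus one page
 * (presumably a guard page below the task-size limit -- confirm). */
static inline unsigned long pax_hugetlb_task_size(const struct mm_struct *mm)
{
	unsigned long task_size = TASK_SIZE;

#ifdef CONFIG_PAX_SEGMEXEC
	if (mm->pax_flags & MF_PAX_SEGMEXEC)
		task_size = SEGMEXEC_TASK_SIZE;
#endif
	return task_size - PAGE_SIZE;
}
```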
18567 @@ -414,8 +429,7 @@ hugetlb_get_unmapped_area(struct file *f
18569 addr = ALIGN(addr, huge_page_size(h));
18570 vma = find_vma(mm, addr);
18571 - if (TASK_SIZE - len >= addr &&
18572 - (!vma || addr + len <= vma->vm_start))
18573 + if (pax_task_size - len >= addr && check_heap_stack_gap(vma, addr, len))
18576 if (mm->get_unmapped_area == arch_get_unmapped_area)
18577 diff -urNp linux-2.6.36.1/arch/x86/mm/init_32.c linux-2.6.36.1/arch/x86/mm/init_32.c
18578 --- linux-2.6.36.1/arch/x86/mm/init_32.c 2010-10-20 16:30:22.000000000 -0400
18579 +++ linux-2.6.36.1/arch/x86/mm/init_32.c 2010-11-06 18:58:15.000000000 -0400
18580 @@ -72,36 +72,6 @@ static __init void *alloc_low_page(void)
18584 - * Creates a middle page table and puts a pointer to it in the
18585 - * given global directory entry. This only returns the gd entry
18586 - * in non-PAE compilation mode, since the middle layer is folded.
18588 -static pmd_t * __init one_md_table_init(pgd_t *pgd)
18591 - pmd_t *pmd_table;
18593 -#ifdef CONFIG_X86_PAE
18594 - if (!(pgd_val(*pgd) & _PAGE_PRESENT)) {
18595 - if (after_bootmem)
18596 - pmd_table = (pmd_t *)alloc_bootmem_pages(PAGE_SIZE);
18598 - pmd_table = (pmd_t *)alloc_low_page();
18599 - paravirt_alloc_pmd(&init_mm, __pa(pmd_table) >> PAGE_SHIFT);
18600 - set_pgd(pgd, __pgd(__pa(pmd_table) | _PAGE_PRESENT));
18601 - pud = pud_offset(pgd, 0);
18602 - BUG_ON(pmd_table != pmd_offset(pud, 0));
18604 - return pmd_table;
18607 - pud = pud_offset(pgd, 0);
18608 - pmd_table = pmd_offset(pud, 0);
18610 - return pmd_table;
18614 * Create a page table and place a pointer to it in a middle page
18617 @@ -121,13 +91,28 @@ static pte_t * __init one_page_table_ini
18618 page_table = (pte_t *)alloc_low_page();
18620 paravirt_alloc_pte(&init_mm, __pa(page_table) >> PAGE_SHIFT);
18621 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
18622 + set_pmd(pmd, __pmd(__pa(page_table) | _KERNPG_TABLE));
18624 set_pmd(pmd, __pmd(__pa(page_table) | _PAGE_TABLE));
18626 BUG_ON(page_table != pte_offset_kernel(pmd, 0));
18629 return pte_offset_kernel(pmd, 0);
18632 +static pmd_t * __init one_md_table_init(pgd_t *pgd)
18635 + pmd_t *pmd_table;
18637 + pud = pud_offset(pgd, 0);
18638 + pmd_table = pmd_offset(pud, 0);
18640 + return pmd_table;
18643 pmd_t * __init populate_extra_pmd(unsigned long vaddr)
18645 int pgd_idx = pgd_index(vaddr);
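Review bot: The rewritten one_md_table_init at 18632-18640 no longer allocates anything, but the old header comment ("Creates a middle page table ...") was deleted with the old body and nothing replaces it, so its new, narrower contract is undocumented. A comment such as `/* Return the pmd table already reachable from @pgd; the pmd pages are expected to be populated before this runs (presumably statically at boot -- confirm). */` states what the function now relies on. The `_KERNPG_TABLE` choice at 18622 similarly deserves a one-liner saying that kernel pmd entries must not carry _PAGE_USER under PAGEEXEC/SEGMEXEC.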
18646 @@ -201,6 +186,7 @@ page_table_range_init(unsigned long star
18647 int pgd_idx, pmd_idx;
18648 unsigned long vaddr;
18654 @@ -210,8 +196,13 @@ page_table_range_init(unsigned long star
18655 pgd = pgd_base + pgd_idx;
18657 for ( ; (pgd_idx < PTRS_PER_PGD) && (vaddr != end); pgd++, pgd_idx++) {
18658 - pmd = one_md_table_init(pgd);
18659 - pmd = pmd + pmd_index(vaddr);
18660 + pud = pud_offset(pgd, vaddr);
18661 + pmd = pmd_offset(pud, vaddr);
18663 +#ifdef CONFIG_X86_PAE
18664 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18667 for (; (pmd_idx < PTRS_PER_PMD) && (vaddr != end);
18668 pmd++, pmd_idx++) {
18669 pte = page_table_kmap_check(one_page_table_init(pmd),
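Review bot: paravirt_alloc_pmd() at 18664 is now called on every pass over a pgd entry, whereas the deleted one_md_table_init registered a pmd page exactly once, at allocation; page_table_range_init is called for several ranges, and the kernel_physical_mapping_init hunk (-279,+280) repeats the same call at 18718 inside a loop that can run twice via `repeat:`. If the paravirt backend is not idempotent for a page it has already pinned, this registers the same pmd page more than once; whether the backend tolerates that is not visible here. Either a comment asserting idempotence or a once-only guard keyed on the pmd page would settle it.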
18670 @@ -223,11 +214,20 @@ page_table_range_init(unsigned long star
18674 -static inline int is_kernel_text(unsigned long addr)
18675 +static inline int is_kernel_text(unsigned long start, unsigned long end)
18677 - if (addr >= PAGE_OFFSET && addr <= (unsigned long)__init_end)
18680 + if ((start > ktla_ktva((unsigned long)_etext) ||
18681 + end <= ktla_ktva((unsigned long)_stext)) &&
18682 + (start > ktla_ktva((unsigned long)_einittext) ||
18683 + end <= ktla_ktva((unsigned long)_sinittext)) &&
18685 +#ifdef CONFIG_ACPI_SLEEP
18686 + (start > (unsigned long)__va(acpi_wakeup_address) + 0x4000 || end <= (unsigned long)__va(acpi_wakeup_address)) &&
18689 + (start > (unsigned long)__va(0xfffff) || end <= (unsigned long)__va(0xc0000)))
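Review bot: The new is_kernel_text carries raw constants — 0xc0000/0xfffff at 18689 and the 0x4000 window above acpi_wakeup_address at 18686 — with nothing naming what they bound; the same goes for 0x100000 at 18819 in setup_bootmem_allocator. Named constants, e.g. an enum with a `LEGACY_ROM_START`/`LEGACY_ROM_END` pair for the option-ROM/BIOS window and a named size for the ACPI wakeup trampoline area, would make the exclusions reviewable. The function's return lines are not shown in this view, so its polarity (true when [start,end) overlaps executable kernel memory) is inferred from the condition.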
18695 @@ -244,9 +244,10 @@ kernel_physical_mapping_init(unsigned lo
18696 unsigned long last_map_addr = end;
18697 unsigned long start_pfn, end_pfn;
18698 pgd_t *pgd_base = swapper_pg_dir;
18699 - int pgd_idx, pmd_idx, pte_ofs;
18700 + unsigned int pgd_idx, pmd_idx, pte_ofs;
18706 unsigned pages_2m, pages_4k;
18707 @@ -279,8 +280,13 @@ repeat:
18709 pgd_idx = pgd_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18710 pgd = pgd_base + pgd_idx;
18711 - for (; pgd_idx < PTRS_PER_PGD; pgd++, pgd_idx++) {
18712 - pmd = one_md_table_init(pgd);
18713 + for (; pgd_idx < PTRS_PER_PGD && pfn < max_low_pfn; pgd++, pgd_idx++) {
18714 + pud = pud_offset(pgd, 0);
18715 + pmd = pmd_offset(pud, 0);
18717 +#ifdef CONFIG_X86_PAE
18718 + paravirt_alloc_pmd(&init_mm, __pa(pmd) >> PAGE_SHIFT);
18721 if (pfn >= end_pfn)
18723 @@ -292,14 +298,13 @@ repeat:
18725 for (; pmd_idx < PTRS_PER_PMD && pfn < end_pfn;
18726 pmd++, pmd_idx++) {
18727 - unsigned int addr = pfn * PAGE_SIZE + PAGE_OFFSET;
18728 + unsigned long address = pfn * PAGE_SIZE + PAGE_OFFSET;
18731 * Map with big pages if possible, otherwise
18732 * create normal page tables:
18735 - unsigned int addr2;
18736 pgprot_t prot = PAGE_KERNEL_LARGE;
18738 * first pass will use the same initial
18739 @@ -309,11 +314,7 @@ repeat:
18740 __pgprot(PTE_IDENT_ATTR |
18743 - addr2 = (pfn + PTRS_PER_PTE-1) * PAGE_SIZE +
18744 - PAGE_OFFSET + PAGE_SIZE-1;
18746 - if (is_kernel_text(addr) ||
18747 - is_kernel_text(addr2))
18748 + if (is_kernel_text(address, address + PMD_SIZE))
18749 prot = PAGE_KERNEL_LARGE_EXEC;
18752 @@ -330,7 +331,7 @@ repeat:
18753 pte_ofs = pte_index((pfn<<PAGE_SHIFT) + PAGE_OFFSET);
18755 for (; pte_ofs < PTRS_PER_PTE && pfn < end_pfn;
18756 - pte++, pfn++, pte_ofs++, addr += PAGE_SIZE) {
18757 + pte++, pfn++, pte_ofs++, address += PAGE_SIZE) {
18758 pgprot_t prot = PAGE_KERNEL;
18760 * first pass will use the same initial
18761 @@ -338,7 +339,7 @@ repeat:
18763 pgprot_t init_prot = __pgprot(PTE_IDENT_ATTR);
18765 - if (is_kernel_text(addr))
18766 + if (is_kernel_text(address, address + PAGE_SIZE))
18767 prot = PAGE_KERNEL_EXEC;
18770 @@ -491,7 +492,7 @@ void __init native_pagetable_setup_start
18772 pud = pud_offset(pgd, va);
18773 pmd = pmd_offset(pud, va);
18774 - if (!pmd_present(*pmd))
18775 + if (!pmd_present(*pmd) || pmd_huge(*pmd))
18778 pte = pte_offset_kernel(pmd, va);
18779 @@ -543,9 +544,7 @@ void __init early_ioremap_page_table_ran
18781 static void __init pagetable_init(void)
18783 - pgd_t *pgd_base = swapper_pg_dir;
18785 - permanent_kmaps_init(pgd_base);
18786 + permanent_kmaps_init(swapper_pg_dir);
18789 #ifdef CONFIG_ACPI_SLEEP
18790 @@ -553,12 +552,12 @@ static void __init pagetable_init(void)
18791 * ACPI suspend needs this for resume, because things like the intel-agp
18792 * driver might have split up a kernel 4MB mapping.
18794 -char swsusp_pg_dir[PAGE_SIZE]
18795 +pgd_t swsusp_pg_dir[PTRS_PER_PGD]
18796 __attribute__ ((aligned(PAGE_SIZE)));
18798 static inline void save_pg_dir(void)
18800 - memcpy(swsusp_pg_dir, swapper_pg_dir, PAGE_SIZE);
18801 + clone_pgd_range(swsusp_pg_dir, swapper_pg_dir, PTRS_PER_PGD);
18803 #else /* !CONFIG_ACPI_SLEEP */
18804 static inline void save_pg_dir(void)
18805 @@ -590,7 +589,7 @@ void zap_low_mappings(bool early)
18809 -pteval_t __supported_pte_mask __read_mostly = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18810 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_GLOBAL | _PAGE_IOMAP);
18811 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18813 /* user-defined highmem size */
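Review bot: `__supported_pte_mask` becomes `__read_only` at 18810 (and at 18899 in the init_64.c hunk), but the base kernel writes it at runtime — x86_configure_nx() sets or clears _PAGE_NX depending on CPU support — so every such writer must now use whatever __read_only requires (pax_open_kernel()/pax_close_kernel(), as the highmem_32.c hunk does around set_pte); none of those writers are visible in this chunk. A comment on the definition, `/* __read_only: writers must wrap the store in pax_open_kernel()/pax_close_kernel() */`, would make the obligation explicit. The 64-bit default also flips from NX-enabled to `~(_PAGE_NX | _PAGE_IOMAP)`, so NX on x86_64 now depends entirely on that runtime path executing; worth a note there too.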
18814 @@ -781,7 +780,7 @@ void __init setup_bootmem_allocator(void
18815 * Initialize the boot-time allocator (with low memory only):
18817 bootmap_size = bootmem_bootmap_pages(max_low_pfn)<<PAGE_SHIFT;
18818 - bootmap = find_e820_area(0, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18819 + bootmap = find_e820_area(0x100000, max_pfn_mapped<<PAGE_SHIFT, bootmap_size,
18821 if (bootmap == -1L)
18822 panic("Cannot find bootmem map of size %ld\n", bootmap_size);
18823 @@ -871,6 +870,12 @@ void __init mem_init(void)
18827 +#ifdef CONFIG_PAX_PER_CPU_PGD
18828 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18829 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18830 + KERNEL_PGD_PTRS);
18833 #ifdef CONFIG_FLATMEM
18836 @@ -888,7 +893,7 @@ void __init mem_init(void)
18837 set_highmem_pages_init();
18839 codesize = (unsigned long) &_etext - (unsigned long) &_text;
18840 - datasize = (unsigned long) &_edata - (unsigned long) &_etext;
18841 + datasize = (unsigned long) &_edata - (unsigned long) &_sdata;
18842 initsize = (unsigned long) &__init_end - (unsigned long) &__init_begin;
18844 printk(KERN_INFO "Memory: %luk/%luk available (%dk kernel code, "
18845 @@ -929,10 +934,10 @@ void __init mem_init(void)
18846 ((unsigned long)&__init_end -
18847 (unsigned long)&__init_begin) >> 10,
18849 - (unsigned long)&_etext, (unsigned long)&_edata,
18850 - ((unsigned long)&_edata - (unsigned long)&_etext) >> 10,
18851 + (unsigned long)&_sdata, (unsigned long)&_edata,
18852 + ((unsigned long)&_edata - (unsigned long)&_sdata) >> 10,
18854 - (unsigned long)&_text, (unsigned long)&_etext,
18855 + ktla_ktva((unsigned long)&_text), ktla_ktva((unsigned long)&_etext),
18856 ((unsigned long)&_etext - (unsigned long)&_text) >> 10);
18859 @@ -1013,6 +1018,7 @@ void set_kernel_text_rw(void)
18860 if (!kernel_set_to_readonly)
18863 + start = ktla_ktva(start);
18864 pr_debug("Set kernel text: %lx - %lx for read write\n",
18865 start, start+size);
18867 @@ -1027,6 +1033,7 @@ void set_kernel_text_ro(void)
18868 if (!kernel_set_to_readonly)
18871 + start = ktla_ktva(start);
18872 pr_debug("Set kernel text: %lx - %lx for read only\n",
18873 start, start+size);
18875 @@ -1038,6 +1045,7 @@ void mark_rodata_ro(void)
18876 unsigned long start = PFN_ALIGN(_text);
18877 unsigned long size = PFN_ALIGN(_etext) - start;
18879 + start = ktla_ktva(start);
18880 set_pages_ro(virt_to_page(start), size >> PAGE_SHIFT);
18881 printk(KERN_INFO "Write protecting the kernel text: %luk\n",
18883 diff -urNp linux-2.6.36.1/arch/x86/mm/init_64.c linux-2.6.36.1/arch/x86/mm/init_64.c
18884 --- linux-2.6.36.1/arch/x86/mm/init_64.c 2010-10-20 16:30:22.000000000 -0400
18885 +++ linux-2.6.36.1/arch/x86/mm/init_64.c 2010-11-06 18:58:15.000000000 -0400
18887 #include <asm/numa.h>
18888 #include <asm/cacheflush.h>
18889 #include <asm/init.h>
18890 -#include <linux/bootmem.h>
18892 static unsigned long dma_reserve __initdata;
18894 @@ -74,7 +73,7 @@ early_param("gbpages", parse_direct_gbpa
18895 * around without checking the pgd every time.
18898 -pteval_t __supported_pte_mask __read_mostly = ~_PAGE_IOMAP;
18899 +pteval_t __supported_pte_mask __read_only = ~(_PAGE_NX | _PAGE_IOMAP);
18900 EXPORT_SYMBOL_GPL(__supported_pte_mask);
18902 int force_personality32;
18903 @@ -165,7 +164,9 @@ void set_pte_vaddr_pud(pud_t *pud_page,
18904 pmd = fill_pmd(pud, vaddr);
18905 pte = fill_pte(pmd, vaddr);
18907 + pax_open_kernel();
18908 set_pte(pte, new_pte);
18909 + pax_close_kernel();
18912 * It's enough to flush this one mapping.
18913 @@ -224,14 +225,12 @@ static void __init __init_extra_mapping(
18914 pgd = pgd_offset_k((unsigned long)__va(phys));
18915 if (pgd_none(*pgd)) {
18916 pud = (pud_t *) spp_getpage();
18917 - set_pgd(pgd, __pgd(__pa(pud) | _KERNPG_TABLE |
18919 + set_pgd(pgd, __pgd(__pa(pud) | _PAGE_TABLE));
18921 pud = pud_offset(pgd, (unsigned long)__va(phys));
18922 if (pud_none(*pud)) {
18923 pmd = (pmd_t *) spp_getpage();
18924 - set_pud(pud, __pud(__pa(pmd) | _KERNPG_TABLE |
18926 + set_pud(pud, __pud(__pa(pmd) | _PAGE_TABLE));
18928 pmd = pmd_offset(pud, phys);
18929 BUG_ON(!pmd_none(*pmd));
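Review bot: The pgd and pud entries built here for the extra mapping now use `_PAGE_TABLE` in place of `_KERNPG_TABLE`, which adds `_PAGE_USER` to kernel-side intermediate page tables, and the hunk gives no reason for the widening. If this is deliberate because the leaf pte protections (and presumably the shadow pgd that `__shadow_user_pgds` in the pgtable.c hunk strips `_PAGE_USER` from) are what actually deny user access, a one-line comment such as `/* PaX: user access is denied at the leaf pte / shadow pgd, not at this level */` would stop a later reader from "restoring" `_KERNPG_TABLE`. The same pattern appears in arch/x86/mm/ioremap.c early_ioremap_init, where `pmd_populate_user` replaces `pmd_populate_kernel`. __init_extra_mapping continues outside the hunk.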
18930 @@ -680,6 +679,12 @@ void __init mem_init(void)
18934 +#ifdef CONFIG_PAX_PER_CPU_PGD
18935 + clone_pgd_range(get_cpu_pgd(0) + KERNEL_PGD_BOUNDARY,
18936 + swapper_pg_dir + KERNEL_PGD_BOUNDARY,
18937 + KERNEL_PGD_PTRS);
18940 /* clear_bss() already clear the empty_zero_page */
18943 @@ -886,8 +891,8 @@ int kern_addr_valid(unsigned long addr)
18944 static struct vm_area_struct gate_vma = {
18945 .vm_start = VSYSCALL_START,
18946 .vm_end = VSYSCALL_START + (VSYSCALL_MAPPED_PAGES * PAGE_SIZE),
18947 - .vm_page_prot = PAGE_READONLY_EXEC,
18948 - .vm_flags = VM_READ | VM_EXEC
18949 + .vm_page_prot = PAGE_READONLY,
18950 + .vm_flags = VM_READ
18953 struct vm_area_struct *get_gate_vma(struct task_struct *tsk)
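Review bot: Dropping `VM_EXEC` and switching the vsyscall gate VMA to `PAGE_READONLY` makes the fixed-address vsyscall page non-executable, so userspace that still enters it directly (pre-vDSO libc time()/gettimeofday() paths) would fault unless another part of the patch intercepts and emulates those calls, and nothing in this hunk shows that fallback. A comment on `gate_vma` naming where the emulation lives, or stating that direct vsyscall entry is intentionally unsupported, would make the behavioural change visible at the definition rather than only in a fault handler elsewhere. The initializer's closing lines are elided from the hunk.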
18954 @@ -921,7 +926,7 @@ int in_gate_area_no_task(unsigned long a
18956 const char *arch_vma_name(struct vm_area_struct *vma)
18958 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
18959 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
18961 if (vma == &gate_vma)
18962 return "[vsyscall]";
18963 diff -urNp linux-2.6.36.1/arch/x86/mm/init.c linux-2.6.36.1/arch/x86/mm/init.c
18964 --- linux-2.6.36.1/arch/x86/mm/init.c 2010-10-20 16:30:22.000000000 -0400
18965 +++ linux-2.6.36.1/arch/x86/mm/init.c 2010-11-11 18:21:08.000000000 -0500
18966 @@ -70,11 +70,7 @@ static void __init find_early_table_spac
18967 * cause a hotspot and fill up ZONE_DMA. The page tables
18968 * need roughly 0.5KB per GB.
18970 -#ifdef CONFIG_X86_32
18975 + start = 0x100000;
18976 e820_table_start = find_e820_area(start, max_pfn_mapped<<PAGE_SHIFT,
18977 tables, PAGE_SIZE);
18978 if (e820_table_start == -1UL)
18979 @@ -321,7 +317,13 @@ unsigned long __init_refok init_memory_m
18981 int devmem_is_allowed(unsigned long pagenr)
18983 - if (pagenr <= 256)
18986 +#ifdef CONFIG_VM86
18987 + if (pagenr < (ISA_START_ADDRESS >> PAGE_SHIFT))
18990 + if ((ISA_START_ADDRESS >> PAGE_SHIFT) <= pagenr && pagenr < (ISA_END_ADDRESS >> PAGE_SHIFT))
18992 if (iomem_is_exclusive(pagenr << PAGE_SHIFT))
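Review bot: The replaced `pagenr <= 256` test also admitted page 256, the first page above the 1 MB ISA range, and the new ISA_START_ADDRESS/ISA_END_ADDRESS bounds fix that off-by-one while restricting the low 640 KB to CONFIG_VM86 builds; neither the fix nor the resulting policy is recorded in the hunk. A comment above the `#ifdef CONFIG_VM86` such as `/* low 640K is only needed by vm86; the ISA hole (640K-1M) is always allowed */` would document the new /dev/mem rule. The return statements of this hunk are elided, so which branch returns 1 versus 0 could not be verified here.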
18994 @@ -380,6 +382,86 @@ void free_init_pages(char *what, unsigne
18996 void free_initmem(void)
18999 +#ifdef CONFIG_PAX_KERNEXEC
19000 +#ifdef CONFIG_X86_32
19001 + /* PaX: limit KERNEL_CS to actual size */
19002 + unsigned long addr, limit;
19003 + struct desc_struct d;
19006 + limit = paravirt_enabled() ? ktva_ktla(0xffffffff) : (unsigned long)&_etext;
19007 + limit = (limit - 1UL) >> PAGE_SHIFT;
19009 + memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, POISON_FREE_INITMEM, PAGE_SIZE);
19010 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19011 + pack_descriptor(&d, get_desc_base(&get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_CS]), limit, 0x9B, 0xC);
19012 + write_gdt_entry(get_cpu_gdt_table(cpu), GDT_ENTRY_KERNEL_CS, &d, DESCTYPE_S);
19015 + /* PaX: make KERNEL_CS read-only */
19016 + addr = PFN_ALIGN(ktla_ktva((unsigned long)&_text));
19017 + if (!paravirt_enabled())
19018 + set_memory_ro(addr, (PFN_ALIGN(_sdata) - addr) >> PAGE_SHIFT);
19020 + for (addr = ktla_ktva((unsigned long)&_text); addr < (unsigned long)&_sdata; addr += PMD_SIZE) {
19021 + pgd = pgd_offset_k(addr);
19022 + pud = pud_offset(pgd, addr);
19023 + pmd = pmd_offset(pud, addr);
19024 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19027 +#ifdef CONFIG_X86_PAE
19028 + set_memory_nx(PFN_ALIGN(__init_begin), (PFN_ALIGN(__init_end) - PFN_ALIGN(__init_begin)) >> PAGE_SHIFT);
19030 + for (addr = (unsigned long)&__init_begin; addr < (unsigned long)&__init_end; addr += PMD_SIZE) {
19031 + pgd = pgd_offset_k(addr);
19032 + pud = pud_offset(pgd, addr);
19033 + pmd = pmd_offset(pud, addr);
19034 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19039 +#ifdef CONFIG_MODULES
19040 + set_memory_4k((unsigned long)MODULES_EXEC_VADDR, (MODULES_EXEC_END - MODULES_EXEC_VADDR) >> PAGE_SHIFT);
19047 + unsigned long addr, end;
19049 + /* PaX: make kernel code/rodata read-only, rest non-executable */
19050 + for (addr = __START_KERNEL_map; addr < __START_KERNEL_map + KERNEL_IMAGE_SIZE; addr += PMD_SIZE) {
19051 + pgd = pgd_offset_k(addr);
19052 + pud = pud_offset(pgd, addr);
19053 + pmd = pmd_offset(pud, addr);
19054 + if (!pmd_present(*pmd))
19056 + if ((unsigned long)_text <= addr && addr < (unsigned long)_sdata)
19057 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19059 + set_pmd(pmd, __pmd(pmd_val(*pmd) | (_PAGE_NX & __supported_pte_mask)));
19062 + addr = (unsigned long)__va(__pa(__START_KERNEL_map));
19063 + end = addr + KERNEL_IMAGE_SIZE;
19064 + for (; addr < end; addr += PMD_SIZE) {
19065 + pgd = pgd_offset_k(addr);
19066 + pud = pud_offset(pgd, addr);
19067 + pmd = pmd_offset(pud, addr);
19068 + if (!pmd_present(*pmd))
19070 + if ((unsigned long)__va(__pa(_text)) <= addr && addr < (unsigned long)__va(__pa(_sdata)))
19071 + set_pmd(pmd, __pmd(pmd_val(*pmd) & ~_PAGE_RW));
19078 free_init_pages("unused kernel memory",
19079 (unsigned long)(&__init_begin),
19080 (unsigned long)(&__init_end));
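Review bot: The X86_32 KERNEXEC branch walks `for (cpu = 0; cpu < NR_CPUS; cpu++)` and rewrites the KERNEL_CS descriptor in every per-cpu GDT, including CPUs the machine does not have; `for_each_possible_cpu(cpu)` is the conventional bound and avoids indexing per-cpu data for CPUs that were never set up. The same `0..NR_CPUS` loop appears in arch/x86/mm/pageattr.c __set_pmd_pte over `get_cpu_pgd(cpu)`. As shown, `memset(__LOAD_PHYSICAL_ADDR + PAGE_OFFSET, ...)` also appears to pass an integer sum where memset expects a pointer; `memset(__va(__LOAD_PHYSICAL_ADDR), POISON_FREE_INITMEM, PAGE_SIZE);` says what is meant without the implicit conversion. The declarations of `cpu`, `pgd`, `pud` and `pmd` and the closing brace of free_initmem fall outside the visible hunk lines, so they could not be checked.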
19081 diff -urNp linux-2.6.36.1/arch/x86/mm/iomap_32.c linux-2.6.36.1/arch/x86/mm/iomap_32.c
19082 --- linux-2.6.36.1/arch/x86/mm/iomap_32.c 2010-10-20 16:30:22.000000000 -0400
19083 +++ linux-2.6.36.1/arch/x86/mm/iomap_32.c 2010-11-06 18:58:15.000000000 -0400
19084 @@ -65,7 +65,11 @@ void *kmap_atomic_prot_pfn(unsigned long
19085 debug_kmap_atomic(type);
19086 idx = type + KM_TYPE_NR * smp_processor_id();
19087 vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx);
19089 + pax_open_kernel();
19090 set_pte(kmap_pte - idx, pfn_pte(pfn, prot));
19091 + pax_close_kernel();
19093 arch_flush_lazy_mmu_mode();
19095 return (void *)vaddr;
19096 diff -urNp linux-2.6.36.1/arch/x86/mm/ioremap.c linux-2.6.36.1/arch/x86/mm/ioremap.c
19097 --- linux-2.6.36.1/arch/x86/mm/ioremap.c 2010-10-20 16:30:22.000000000 -0400
19098 +++ linux-2.6.36.1/arch/x86/mm/ioremap.c 2010-11-06 18:58:15.000000000 -0400
19099 @@ -104,7 +104,7 @@ static void __iomem *__ioremap_caller(re
19100 for (pfn = phys_addr >> PAGE_SHIFT; pfn <= last_pfn; pfn++) {
19101 int is_ram = page_is_ram(pfn);
19103 - if (is_ram && pfn_valid(pfn) && !PageReserved(pfn_to_page(pfn)))
19104 + if (is_ram && pfn_valid(pfn) && (pfn >= 0x100 || !PageReserved(pfn_to_page(pfn))))
19106 WARN_ON_ONCE(is_ram);
19108 @@ -344,7 +344,7 @@ static int __init early_ioremap_debug_se
19109 early_param("early_ioremap_debug", early_ioremap_debug_setup);
19111 static __initdata int after_paging_init;
19112 -static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __page_aligned_bss;
19113 +static pte_t bm_pte[PAGE_SIZE/sizeof(pte_t)] __read_only __aligned(PAGE_SIZE);
19115 static inline pmd_t * __init early_ioremap_pmd(unsigned long addr)
19117 @@ -376,8 +376,7 @@ void __init early_ioremap_init(void)
19118 slot_virt[i] = __fix_to_virt(FIX_BTMAP_BEGIN - NR_FIX_BTMAPS*i);
19120 pmd = early_ioremap_pmd(fix_to_virt(FIX_BTMAP_BEGIN));
19121 - memset(bm_pte, 0, sizeof(bm_pte));
19122 - pmd_populate_kernel(&init_mm, pmd, bm_pte);
19123 + pmd_populate_user(&init_mm, pmd, bm_pte);
19126 * The boot-ioremap range spans multiple pmds, for which
19127 diff -urNp linux-2.6.36.1/arch/x86/mm/kmemcheck/kmemcheck.c linux-2.6.36.1/arch/x86/mm/kmemcheck/kmemcheck.c
19128 --- linux-2.6.36.1/arch/x86/mm/kmemcheck/kmemcheck.c 2010-10-20 16:30:22.000000000 -0400
19129 +++ linux-2.6.36.1/arch/x86/mm/kmemcheck/kmemcheck.c 2010-11-06 18:58:15.000000000 -0400
19130 @@ -622,9 +622,9 @@ bool kmemcheck_fault(struct pt_regs *reg
19131 * memory (e.g. tracked pages)? For now, we need this to avoid
19132 * invoking kmemcheck for PnP BIOS calls.
19134 - if (regs->flags & X86_VM_MASK)
19135 + if (v8086_mode(regs))
19137 - if (regs->cs != __KERNEL_CS)
19138 + if (regs->cs != __KERNEL_CS && regs->cs != __KERNEXEC_KERNEL_CS)
19141 pte = kmemcheck_pte_lookup(address);
19142 diff -urNp linux-2.6.36.1/arch/x86/mm/mmap.c linux-2.6.36.1/arch/x86/mm/mmap.c
19143 --- linux-2.6.36.1/arch/x86/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
19144 +++ linux-2.6.36.1/arch/x86/mm/mmap.c 2010-11-06 18:58:15.000000000 -0400
19145 @@ -49,7 +49,7 @@ static unsigned int stack_maxrandom_size
19146 * Leave an at least ~128 MB hole with possible stack randomization.
19148 #define MIN_GAP (128*1024*1024UL + stack_maxrandom_size())
19149 -#define MAX_GAP (TASK_SIZE/6*5)
19150 +#define MAX_GAP (pax_task_size/6*5)
19153 * True on X86_32 or when emulating IA32 on X86_64
19154 @@ -94,27 +94,40 @@ static unsigned long mmap_rnd(void)
19155 return rnd << PAGE_SHIFT;
19158 -static unsigned long mmap_base(void)
19159 +static unsigned long mmap_base(struct mm_struct *mm)
19161 unsigned long gap = rlimit(RLIMIT_STACK);
19162 + unsigned long pax_task_size = TASK_SIZE;
19164 +#ifdef CONFIG_PAX_SEGMEXEC
19165 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19166 + pax_task_size = SEGMEXEC_TASK_SIZE;
19171 else if (gap > MAX_GAP)
19174 - return PAGE_ALIGN(TASK_SIZE - gap - mmap_rnd());
19175 + return PAGE_ALIGN(pax_task_size - gap - mmap_rnd());
19179 * Bottom-up (legacy) layout on X86_32 did not support randomization, X86_64
19180 * does, but not when emulating X86_32
19182 -static unsigned long mmap_legacy_base(void)
19183 +static unsigned long mmap_legacy_base(struct mm_struct *mm)
19185 - if (mmap_is_ia32())
19186 + if (mmap_is_ia32()) {
19188 +#ifdef CONFIG_PAX_SEGMEXEC
19189 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
19190 + return SEGMEXEC_TASK_UNMAPPED_BASE;
19194 return TASK_UNMAPPED_BASE;
19197 return TASK_UNMAPPED_BASE + mmap_rnd();
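Review bot: `MAX_GAP`, redefined in the earlier hunk of this file as `pax_task_size/6*5`, now silently depends on a local variable of that exact name being in scope at the use site, which only mmap_base() provides; any other use of the macro would fail to compile or, worse, bind to an unrelated `pax_task_size`. Making the dependency explicit with `#define MAX_GAP(task_size) ((task_size)/6*5)` and `else if (gap > MAX_GAP(pax_task_size))` keeps the macro self-contained. The lines between the `#endif` and the `else if`, and the closing brace of mmap_base(), are elided from the hunk.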
19200 @@ -125,11 +138,23 @@ static unsigned long mmap_legacy_base(vo
19201 void arch_pick_mmap_layout(struct mm_struct *mm)
19203 if (mmap_is_legacy()) {
19204 - mm->mmap_base = mmap_legacy_base();
19205 + mm->mmap_base = mmap_legacy_base(mm);
19207 +#ifdef CONFIG_PAX_RANDMMAP
19208 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19209 + mm->mmap_base += mm->delta_mmap;
19212 mm->get_unmapped_area = arch_get_unmapped_area;
19213 mm->unmap_area = arch_unmap_area;
19215 - mm->mmap_base = mmap_base();
19216 + mm->mmap_base = mmap_base(mm);
19218 +#ifdef CONFIG_PAX_RANDMMAP
19219 + if (mm->pax_flags & MF_PAX_RANDMMAP)
19220 + mm->mmap_base -= mm->delta_mmap + mm->delta_stack;
19223 mm->get_unmapped_area = arch_get_unmapped_area_topdown;
19224 mm->unmap_area = arch_unmap_area_topdown;
19226 diff -urNp linux-2.6.36.1/arch/x86/mm/numa_32.c linux-2.6.36.1/arch/x86/mm/numa_32.c
19227 --- linux-2.6.36.1/arch/x86/mm/numa_32.c 2010-10-20 16:30:22.000000000 -0400
19228 +++ linux-2.6.36.1/arch/x86/mm/numa_32.c 2010-11-06 18:58:15.000000000 -0400
19229 @@ -98,7 +98,6 @@ unsigned long node_memmap_size_bytes(int
19233 -extern unsigned long find_max_low_pfn(void);
19234 extern unsigned long highend_pfn, highstart_pfn;
19236 #define LARGE_PAGE_BYTES (PTRS_PER_PTE * PAGE_SIZE)
19237 diff -urNp linux-2.6.36.1/arch/x86/mm/pageattr.c linux-2.6.36.1/arch/x86/mm/pageattr.c
19238 --- linux-2.6.36.1/arch/x86/mm/pageattr.c 2010-10-20 16:30:22.000000000 -0400
19239 +++ linux-2.6.36.1/arch/x86/mm/pageattr.c 2010-11-06 18:58:15.000000000 -0400
19240 @@ -261,16 +261,17 @@ static inline pgprot_t static_protection
19241 * PCI BIOS based config access (CONFIG_PCI_GOBIOS) support.
19243 if (within(pfn, BIOS_BEGIN >> PAGE_SHIFT, BIOS_END >> PAGE_SHIFT))
19244 - pgprot_val(forbidden) |= _PAGE_NX;
19245 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19248 * The kernel text needs to be executable for obvious reasons
19249 * Does not cover __inittext since that is gone later on. On
19250 * 64bit we do not enforce !NX on the low mapping
19252 - if (within(address, (unsigned long)_text, (unsigned long)_etext))
19253 - pgprot_val(forbidden) |= _PAGE_NX;
19254 + if (within(address, ktla_ktva((unsigned long)_text), ktla_ktva((unsigned long)_etext)))
19255 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19257 +#ifdef CONFIG_DEBUG_RODATA
19259 * The .rodata section needs to be read-only. Using the pfn
19260 * catches all aliases.
19261 @@ -278,6 +279,7 @@ static inline pgprot_t static_protection
19262 if (within(pfn, __pa((unsigned long)__start_rodata) >> PAGE_SHIFT,
19263 __pa((unsigned long)__end_rodata) >> PAGE_SHIFT))
19264 pgprot_val(forbidden) |= _PAGE_RW;
19267 #if defined(CONFIG_X86_64) && defined(CONFIG_DEBUG_RODATA)
19269 @@ -316,6 +318,13 @@ static inline pgprot_t static_protection
19273 +#ifdef CONFIG_PAX_KERNEXEC
19274 + if (within(pfn, __pa((unsigned long)&_text), __pa((unsigned long)&_sdata))) {
19275 + pgprot_val(forbidden) |= _PAGE_RW;
19276 + pgprot_val(forbidden) |= _PAGE_NX & __supported_pte_mask;
19280 prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden));
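Review bot: The new KERNEXEC check compares `pfn` against `__pa(&_text)` and `__pa(&_sdata)`, which are physical byte addresses, whereas the rodata check earlier in this function shifts the same kind of bounds by `PAGE_SHIFT` before comparing them with `pfn`. As written the window is off by a factor of PAGE_SIZE: kernel-text pfns fall outside it and unrelated high physical pages fall inside it, so the intended RW/NX forbidding for the text range would not take effect through this path. Unless `within()` is meant to receive addresses here, the line should read `if (within(pfn, __pa((unsigned long)&_text) >> PAGE_SHIFT, __pa((unsigned long)&_sdata) >> PAGE_SHIFT)) {`.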
19283 @@ -368,23 +377,37 @@ EXPORT_SYMBOL_GPL(lookup_address);
19284 static void __set_pmd_pte(pte_t *kpte, unsigned long address, pte_t pte)
19286 /* change init_mm */
19287 + pax_open_kernel();
19288 set_pte_atomic(kpte, pte);
19290 #ifdef CONFIG_X86_32
19291 if (!SHARED_KERNEL_PMD) {
19293 +#ifdef CONFIG_PAX_PER_CPU_PGD
19294 + unsigned long cpu;
19299 +#ifdef CONFIG_PAX_PER_CPU_PGD
19300 + for (cpu = 0; cpu < NR_CPUS; ++cpu) {
19301 + pgd_t *pgd = get_cpu_pgd(cpu);
19303 list_for_each_entry(page, &pgd_list, lru) {
19305 + pgd_t *pgd = (pgd_t *)page_address(page);
19311 - pgd = (pgd_t *)page_address(page) + pgd_index(address);
19312 + pgd += pgd_index(address);
19313 pud = pud_offset(pgd, address);
19314 pmd = pmd_offset(pud, address);
19315 set_pte_atomic((pte_t *)pmd, pte);
19319 + pax_close_kernel();
19323 diff -urNp linux-2.6.36.1/arch/x86/mm/pageattr-test.c linux-2.6.36.1/arch/x86/mm/pageattr-test.c
19324 --- linux-2.6.36.1/arch/x86/mm/pageattr-test.c 2010-10-20 16:30:22.000000000 -0400
19325 +++ linux-2.6.36.1/arch/x86/mm/pageattr-test.c 2010-11-06 18:58:15.000000000 -0400
19326 @@ -36,7 +36,7 @@ enum {
19328 static int pte_testbit(pte_t pte)
19330 - return pte_flags(pte) & _PAGE_UNUSED1;
19331 + return pte_flags(pte) & _PAGE_CPA_TEST;
19334 struct split_state {
19335 diff -urNp linux-2.6.36.1/arch/x86/mm/pat.c linux-2.6.36.1/arch/x86/mm/pat.c
19336 --- linux-2.6.36.1/arch/x86/mm/pat.c 2010-10-20 16:30:22.000000000 -0400
19337 +++ linux-2.6.36.1/arch/x86/mm/pat.c 2010-11-06 18:58:15.000000000 -0400
19338 @@ -361,7 +361,7 @@ int free_memtype(u64 start, u64 end)
19341 printk(KERN_INFO "%s:%d freeing invalid memtype %Lx-%Lx\n",
19342 - current->comm, current->pid, start, end);
19343 + current->comm, task_pid_nr(current), start, end);
19347 @@ -492,8 +492,8 @@ static inline int range_is_allowed(unsig
19348 while (cursor < to) {
19349 if (!devmem_is_allowed(pfn)) {
19351 - "Program %s tried to access /dev/mem between %Lx->%Lx.\n",
19352 - current->comm, from, to);
19353 + "Program %s tried to access /dev/mem between %Lx->%Lx (%Lx).\n",
19354 + current->comm, from, to, cursor);
19357 cursor += PAGE_SIZE;
19358 @@ -557,7 +557,7 @@ int kernel_map_sync_memtype(u64 base, un
19360 "%s:%d ioremap_change_attr failed %s "
19362 - current->comm, current->pid,
19363 + current->comm, task_pid_nr(current),
19365 base, (unsigned long long)(base + size));
19367 @@ -593,7 +593,7 @@ static int reserve_pfn_range(u64 paddr,
19368 if (want_flags != flags) {
19369 printk(KERN_WARNING
19370 "%s:%d map pfn RAM range req %s for %Lx-%Lx, got %s\n",
19371 - current->comm, current->pid,
19372 + current->comm, task_pid_nr(current),
19373 cattr_name(want_flags),
19374 (unsigned long long)paddr,
19375 (unsigned long long)(paddr + size),
19376 @@ -615,7 +615,7 @@ static int reserve_pfn_range(u64 paddr,
19377 free_memtype(paddr, paddr + size);
19378 printk(KERN_ERR "%s:%d map pfn expected mapping type %s"
19379 " for %Lx-%Lx, got %s\n",
19380 - current->comm, current->pid,
19381 + current->comm, task_pid_nr(current),
19382 cattr_name(want_flags),
19383 (unsigned long long)paddr,
19384 (unsigned long long)(paddr + size),
19385 diff -urNp linux-2.6.36.1/arch/x86/mm/pgtable_32.c linux-2.6.36.1/arch/x86/mm/pgtable_32.c
19386 --- linux-2.6.36.1/arch/x86/mm/pgtable_32.c 2010-10-20 16:30:22.000000000 -0400
19387 +++ linux-2.6.36.1/arch/x86/mm/pgtable_32.c 2010-11-06 18:58:15.000000000 -0400
19388 @@ -48,10 +48,13 @@ void set_pte_vaddr(unsigned long vaddr,
19391 pte = pte_offset_kernel(pmd, vaddr);
19393 + pax_open_kernel();
19394 if (pte_val(pteval))
19395 set_pte_at(&init_mm, vaddr, pte, pteval);
19397 pte_clear(&init_mm, vaddr, pte);
19398 + pax_close_kernel();
19401 * It's enough to flush this one mapping.
19402 diff -urNp linux-2.6.36.1/arch/x86/mm/pgtable.c linux-2.6.36.1/arch/x86/mm/pgtable.c
19403 --- linux-2.6.36.1/arch/x86/mm/pgtable.c 2010-10-20 16:30:22.000000000 -0400
19404 +++ linux-2.6.36.1/arch/x86/mm/pgtable.c 2010-11-06 18:58:15.000000000 -0400
19405 @@ -84,8 +84,58 @@ static inline void pgd_list_del(pgd_t *p
19406 list_del(&page->lru);
19409 -#define UNSHARED_PTRS_PER_PGD \
19410 - (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19411 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19412 +pgdval_t clone_pgd_mask __read_only = ~_PAGE_PRESENT;
19414 +void __shadow_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19417 + *dst++ = __pgd((pgd_val(*src++) | _PAGE_NX) & ~_PAGE_USER);
19421 +#ifdef CONFIG_PAX_PER_CPU_PGD
19422 +void __clone_user_pgds(pgd_t *dst, const pgd_t *src, int count)
19426 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
19427 + *dst++ = __pgd(pgd_val(*src++) & clone_pgd_mask);
19435 +#ifdef CONFIG_PAX_PER_CPU_PGD
19436 +static inline void pgd_ctor(pgd_t *pgd) {}
19437 +static inline void pgd_dtor(pgd_t *pgd) {}
19438 +#ifdef CONFIG_X86_64
19439 +#define pxd_t pud_t
19440 +#define pyd_t pgd_t
19441 +#define paravirt_release_pxd(pfn) paravirt_release_pud(pfn)
19442 +#define pxd_free(mm, pud) pud_free((mm), (pud))
19443 +#define pyd_populate(mm, pgd, pud) pgd_populate((mm), (pgd), (pud))
19444 +#define pyd_offset(mm ,address) pgd_offset((mm), (address))
19445 +#define PYD_SIZE PGDIR_SIZE
19447 +#define pxd_t pmd_t
19448 +#define pyd_t pud_t
19449 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19450 +#define pxd_free(mm, pud) pmd_free((mm), (pud))
19451 +#define pyd_populate(mm, pgd, pud) pud_populate((mm), (pgd), (pud))
19452 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19453 +#define PYD_SIZE PUD_SIZE
19456 +#define pxd_t pmd_t
19457 +#define pyd_t pud_t
19458 +#define paravirt_release_pxd(pfn) paravirt_release_pmd(pfn)
19459 +#define pxd_free(mm, pmd) pmd_free((mm), (pmd))
19460 +#define pyd_populate(mm, pud, pmd) pud_populate((mm), (pud), (pmd))
19461 +#define pyd_offset(mm ,address) pud_offset((mm), (address))
19462 +#define PYD_SIZE PUD_SIZE
19464 static void pgd_ctor(pgd_t *pgd)
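Review bot: The `pyd_offset(mm ,address)` helper macro names its first parameter `mm`, but in the X86_32 and the non-per-cpu definitions it expands to `pud_offset()`, whose first argument is a `pgd_t *` (and pgd_prepopulate_pxd in a later hunk indeed passes `pgd` on X86_32); naming the parameter after what it is, e.g. `#define pyd_offset(p, address) pud_offset((p), (address))`, avoids misreading it as an mm pointer. All three definitions also carry a stray space before the comma in the parameter list. A short comment above the block explaining the pxd/pyd naming (the table level below and above the one being preallocated, selected per configuration) would help, since the abbreviations are new to this file.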
19466 @@ -120,6 +170,7 @@ static void pgd_dtor(pgd_t *pgd)
19468 spin_unlock_irqrestore(&pgd_lock, flags);
19473 * List of all pgd's needed for non-PAE so it can invalidate entries
19474 @@ -132,7 +183,7 @@ static void pgd_dtor(pgd_t *pgd)
19478 -#ifdef CONFIG_X86_PAE
19479 +#if defined(CONFIG_X86_32) && defined(CONFIG_X86_PAE)
19481 * In PAE mode, we need to do a cr3 reload (=tlb flush) when
19482 * updating the top-level pagetable entries to guarantee the
19483 @@ -144,7 +195,7 @@ static void pgd_dtor(pgd_t *pgd)
19484 * not shared between pagetables (!SHARED_KERNEL_PMDS), we allocate
19485 * and initialize the kernel pmds here.
19487 -#define PREALLOCATED_PMDS UNSHARED_PTRS_PER_PGD
19488 +#define PREALLOCATED_PXDS (SHARED_KERNEL_PMD ? KERNEL_PGD_BOUNDARY : PTRS_PER_PGD)
19490 void pud_populate(struct mm_struct *mm, pud_t *pudp, pmd_t *pmd)
19492 @@ -163,36 +214,38 @@ void pud_populate(struct mm_struct *mm,
19493 if (mm == current->active_mm)
19494 write_cr3(read_cr3());
19496 +#elif defined(CONFIG_X86_64) && defined(CONFIG_PAX_PER_CPU_PGD)
19497 +#define PREALLOCATED_PXDS USER_PGD_PTRS
19498 #else /* !CONFIG_X86_PAE */
19500 /* No need to prepopulate any pagetable entries in non-PAE modes. */
19501 -#define PREALLOCATED_PMDS 0
19502 +#define PREALLOCATED_PXDS 0
19504 #endif /* CONFIG_X86_PAE */
19506 -static void free_pmds(pmd_t *pmds[])
19507 +static void free_pxds(pxd_t *pxds[])
19511 - for(i = 0; i < PREALLOCATED_PMDS; i++)
19513 - free_page((unsigned long)pmds[i]);
19514 + for(i = 0; i < PREALLOCATED_PXDS; i++)
19516 + free_page((unsigned long)pxds[i]);
19519 -static int preallocate_pmds(pmd_t *pmds[])
19520 +static int preallocate_pxds(pxd_t *pxds[])
19523 bool failed = false;
19525 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19526 - pmd_t *pmd = (pmd_t *)__get_free_page(PGALLOC_GFP);
19528 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19529 + pxd_t *pxd = (pxd_t *)__get_free_page(PGALLOC_GFP);
19542 @@ -205,51 +258,56 @@ static int preallocate_pmds(pmd_t *pmds[
19543 * preallocate which never got a corresponding vma will need to be
19546 -static void pgd_mop_up_pmds(struct mm_struct *mm, pgd_t *pgdp)
19547 +static void pgd_mop_up_pxds(struct mm_struct *mm, pgd_t *pgdp)
19551 - for(i = 0; i < PREALLOCATED_PMDS; i++) {
19552 + for(i = 0; i < PREALLOCATED_PXDS; i++) {
19553 pgd_t pgd = pgdp[i];
19555 if (pgd_val(pgd) != 0) {
19556 - pmd_t *pmd = (pmd_t *)pgd_page_vaddr(pgd);
19557 + pxd_t *pxd = (pxd_t *)pgd_page_vaddr(pgd);
19559 - pgdp[i] = native_make_pgd(0);
19560 + set_pgd(pgdp + i, native_make_pgd(0));
19562 - paravirt_release_pmd(pgd_val(pgd) >> PAGE_SHIFT);
19563 - pmd_free(mm, pmd);
19564 + paravirt_release_pxd(pgd_val(pgd) >> PAGE_SHIFT);
19565 + pxd_free(mm, pxd);
19570 -static void pgd_prepopulate_pmd(struct mm_struct *mm, pgd_t *pgd, pmd_t *pmds[])
19571 +static void pgd_prepopulate_pxd(struct mm_struct *mm, pgd_t *pgd, pxd_t *pxds[])
19575 unsigned long addr;
19578 - if (PREALLOCATED_PMDS == 0) /* Work around gcc-3.4.x bug */
19579 + if (PREALLOCATED_PXDS == 0) /* Work around gcc-3.4.x bug */
19582 - pud = pud_offset(pgd, 0);
19583 +#ifdef CONFIG_X86_64
19584 + pyd = pyd_offset(mm, 0L);
19586 + pyd = pyd_offset(pgd, 0L);
19589 - for (addr = i = 0; i < PREALLOCATED_PMDS;
19590 - i++, pud++, addr += PUD_SIZE) {
19591 - pmd_t *pmd = pmds[i];
19592 + for (addr = i = 0; i < PREALLOCATED_PXDS;
19593 + i++, pyd++, addr += PYD_SIZE) {
19594 + pxd_t *pxd = pxds[i];
19596 if (i >= KERNEL_PGD_BOUNDARY)
19597 - memcpy(pmd, (pmd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19598 - sizeof(pmd_t) * PTRS_PER_PMD);
19599 + memcpy(pxd, (pxd_t *)pgd_page_vaddr(swapper_pg_dir[i]),
19600 + sizeof(pxd_t) * PTRS_PER_PMD);
19602 - pud_populate(mm, pud, pmd);
19603 + pyd_populate(mm, pyd, pxd);
19607 pgd_t *pgd_alloc(struct mm_struct *mm)
19610 - pmd_t *pmds[PREALLOCATED_PMDS];
19611 + pxd_t *pxds[PREALLOCATED_PXDS];
19613 unsigned long flags;
19615 pgd = (pgd_t *)__get_free_page(PGALLOC_GFP);
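Review bot: In pgd_prepopulate_pxd the memcpy still sizes the copy with `PTRS_PER_PMD` even though the element type was generalised to `pxd_t`, which is `pud_t` in the X86_64 per-cpu-pgd configuration; the two counts coincide on x86-64 (both 512), so this is harmless today, but the abstraction is incomplete. Adding `PTRS_PER_PXD` next to the other pxd/pyd macros in the earlier hunk (`PTRS_PER_PUD` in the X86_64 branch, `PTRS_PER_PMD` otherwise) and writing `sizeof(pxd_t) * PTRS_PER_PXD` here keeps the copy length tied to the type. pgd_alloc's body continues outside the hunk.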
19616 @@ -259,11 +317,11 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19620 - if (preallocate_pmds(pmds) != 0)
19621 + if (preallocate_pxds(pxds) != 0)
19624 if (paravirt_pgd_alloc(mm) != 0)
19625 - goto out_free_pmds;
19626 + goto out_free_pxds;
19629 * Make sure that pre-populating the pmds is atomic with
19630 @@ -273,14 +331,14 @@ pgd_t *pgd_alloc(struct mm_struct *mm)
19631 spin_lock_irqsave(&pgd_lock, flags);
19634 - pgd_prepopulate_pmd(mm, pgd, pmds);
19635 + pgd_prepopulate_pxd(mm, pgd, pxds);
19637 spin_unlock_irqrestore(&pgd_lock, flags);
19646 free_page((unsigned long)pgd);
19648 @@ -289,7 +347,7 @@ out:
19650 void pgd_free(struct mm_struct *mm, pgd_t *pgd)
19652 - pgd_mop_up_pmds(mm, pgd);
19653 + pgd_mop_up_pxds(mm, pgd);
19655 paravirt_pgd_free(mm, pgd);
19656 free_page((unsigned long)pgd);
19657 diff -urNp linux-2.6.36.1/arch/x86/mm/setup_nx.c linux-2.6.36.1/arch/x86/mm/setup_nx.c
19658 --- linux-2.6.36.1/arch/x86/mm/setup_nx.c 2010-10-20 16:30:22.000000000 -0400
19659 +++ linux-2.6.36.1/arch/x86/mm/setup_nx.c 2010-11-06 18:58:15.000000000 -0400
19661 #include <asm/pgtable.h>
19662 #include <asm/proto.h>
19664 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19665 static int disable_nx __cpuinitdata;
19667 +#ifndef CONFIG_PAX_PAGEEXEC
19671 @@ -28,12 +30,17 @@ static int __init noexec_setup(char *str
19674 early_param("noexec", noexec_setup);
19679 void __cpuinit x86_configure_nx(void)
19681 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
19682 if (cpu_has_nx && !disable_nx)
19683 __supported_pte_mask |= _PAGE_NX;
19686 __supported_pte_mask &= ~_PAGE_NX;
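Review bot: x86_configure_nx still writes `__supported_pte_mask` (`|= _PAGE_NX` and `&= ~_PAGE_NX`), but this patch's arch/x86/mm/init_32.c and init_64.c hunks change that variable from `__read_mostly` to `__read_only`, and the visible lines show no `pax_open_kernel()`/`pax_close_kernel()` pair around the writes. Since the function is `__cpuinit` it also runs for CPUs brought up after the kernel image has been write-protected, so if the elided lines do not open the kernel, the write would fault on CPU hotplug. Either wrap the two assignments as the set_pte() sites elsewhere in this patch are wrapped, or add a comment stating why the write is safe, e.g. `/* runs before the kernel image is made read-only */`, if that is the actual guarantee.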
19689 diff -urNp linux-2.6.36.1/arch/x86/mm/tlb.c linux-2.6.36.1/arch/x86/mm/tlb.c
19690 --- linux-2.6.36.1/arch/x86/mm/tlb.c 2010-10-20 16:30:22.000000000 -0400
19691 +++ linux-2.6.36.1/arch/x86/mm/tlb.c 2010-11-06 18:58:15.000000000 -0400
19693 #include <asm/uv/uv.h>
19695 DEFINE_PER_CPU_SHARED_ALIGNED(struct tlb_state, cpu_tlbstate)
19696 - = { &init_mm, 0, };
19697 + = { &init_mm, 0 };
19700 * Smarter SMP flushing macros.
19701 @@ -62,7 +62,11 @@ void leave_mm(int cpu)
19703 cpumask_clear_cpu(cpu,
19704 mm_cpumask(percpu_read(cpu_tlbstate.active_mm)));
19706 +#ifndef CONFIG_PAX_PER_CPU_PGD
19707 load_cr3(swapper_pg_dir);
19711 EXPORT_SYMBOL_GPL(leave_mm);
19713 diff -urNp linux-2.6.36.1/arch/x86/oprofile/backtrace.c linux-2.6.36.1/arch/x86/oprofile/backtrace.c
19714 --- linux-2.6.36.1/arch/x86/oprofile/backtrace.c 2010-10-20 16:30:22.000000000 -0400
19715 +++ linux-2.6.36.1/arch/x86/oprofile/backtrace.c 2010-11-06 18:58:15.000000000 -0400
19716 @@ -58,7 +58,7 @@ static struct frame_head *dump_user_back
19717 struct frame_head bufhead[2];
19719 /* Also check accessibility of one struct frame_head beyond */
19720 - if (!access_ok(VERIFY_READ, head, sizeof(bufhead)))
19721 + if (!__access_ok(VERIFY_READ, head, sizeof(bufhead)))
19723 if (__copy_from_user_inatomic(bufhead, head, sizeof(bufhead)))
19725 @@ -78,7 +78,7 @@ x86_backtrace(struct pt_regs * const reg
19727 struct frame_head *head = (struct frame_head *)frame_pointer(regs);
19729 - if (!user_mode_vm(regs)) {
19730 + if (!user_mode(regs)) {
19731 unsigned long stack = kernel_stack_pointer(regs);
19733 dump_trace(NULL, regs, (unsigned long *)stack, 0,
19734 diff -urNp linux-2.6.36.1/arch/x86/oprofile/op_model_p4.c linux-2.6.36.1/arch/x86/oprofile/op_model_p4.c
19735 --- linux-2.6.36.1/arch/x86/oprofile/op_model_p4.c 2010-10-20 16:30:22.000000000 -0400
19736 +++ linux-2.6.36.1/arch/x86/oprofile/op_model_p4.c 2010-11-06 18:58:15.000000000 -0400
19737 @@ -50,7 +50,7 @@ static inline void setup_num_counters(vo
19741 -static int inline addr_increment(void)
19742 +static inline int addr_increment(void)
19745 return smp_num_siblings == 2 ? 2 : 1;
19746 diff -urNp linux-2.6.36.1/arch/x86/pci/common.c linux-2.6.36.1/arch/x86/pci/common.c
19747 --- linux-2.6.36.1/arch/x86/pci/common.c 2010-10-20 16:30:22.000000000 -0400
19748 +++ linux-2.6.36.1/arch/x86/pci/common.c 2010-11-06 18:58:15.000000000 -0400
19749 @@ -32,8 +32,8 @@ int noioapicreroute = 1;
19750 int pcibios_last_bus = -1;
19751 unsigned long pirq_table_addr;
19752 struct pci_bus *pci_root_bus;
19753 -struct pci_raw_ops *raw_pci_ops;
19754 -struct pci_raw_ops *raw_pci_ext_ops;
19755 +const struct pci_raw_ops *raw_pci_ops;
19756 +const struct pci_raw_ops *raw_pci_ext_ops;
19758 int raw_pci_read(unsigned int domain, unsigned int bus, unsigned int devfn,
19759 int reg, int len, u32 *val)
19760 @@ -382,7 +382,7 @@ static const struct dmi_system_id __devi
19761 DMI_MATCH(DMI_PRODUCT_NAME, "ProLiant DL585 G2"),
19765 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
19768 void __init dmi_check_pciprobe(void)
19769 diff -urNp linux-2.6.36.1/arch/x86/pci/direct.c linux-2.6.36.1/arch/x86/pci/direct.c
19770 --- linux-2.6.36.1/arch/x86/pci/direct.c 2010-10-20 16:30:22.000000000 -0400
19771 +++ linux-2.6.36.1/arch/x86/pci/direct.c 2010-11-06 18:58:15.000000000 -0400
19772 @@ -79,7 +79,7 @@ static int pci_conf1_write(unsigned int
19774 #undef PCI_CONF1_ADDRESS
19776 -struct pci_raw_ops pci_direct_conf1 = {
19777 +const struct pci_raw_ops pci_direct_conf1 = {
19778 .read = pci_conf1_read,
19779 .write = pci_conf1_write,
19781 @@ -173,7 +173,7 @@ static int pci_conf2_write(unsigned int
19783 #undef PCI_CONF2_ADDRESS
19785 -struct pci_raw_ops pci_direct_conf2 = {
19786 +const struct pci_raw_ops pci_direct_conf2 = {
19787 .read = pci_conf2_read,
19788 .write = pci_conf2_write,
19790 @@ -189,7 +189,7 @@ struct pci_raw_ops pci_direct_conf2 = {
19791 * This should be close to trivial, but it isn't, because there are buggy
19792 * chipsets (yes, you guessed it, by Intel and Compaq) that have no class ID.
19794 -static int __init pci_sanity_check(struct pci_raw_ops *o)
19795 +static int __init pci_sanity_check(const struct pci_raw_ops *o)
19799 diff -urNp linux-2.6.36.1/arch/x86/pci/fixup.c linux-2.6.36.1/arch/x86/pci/fixup.c
19800 --- linux-2.6.36.1/arch/x86/pci/fixup.c 2010-10-20 16:30:22.000000000 -0400
19801 +++ linux-2.6.36.1/arch/x86/pci/fixup.c 2010-11-06 18:58:15.000000000 -0400
19802 @@ -364,7 +364,7 @@ static const struct dmi_system_id __devi
19803 DMI_MATCH(DMI_PRODUCT_NAME, "MS-6702E"),
19807 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19811 @@ -435,7 +435,7 @@ static const struct dmi_system_id __devi
19812 DMI_MATCH(DMI_PRODUCT_VERSION, "PSA40U"),
19816 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19819 static void __devinit pci_pre_fixup_toshiba_ohci1394(struct pci_dev *dev)
19820 diff -urNp linux-2.6.36.1/arch/x86/pci/irq.c linux-2.6.36.1/arch/x86/pci/irq.c
19821 --- linux-2.6.36.1/arch/x86/pci/irq.c 2010-10-20 16:30:22.000000000 -0400
19822 +++ linux-2.6.36.1/arch/x86/pci/irq.c 2010-11-06 18:58:15.000000000 -0400
19823 @@ -542,7 +542,7 @@ static __init int intel_router_probe(str
19824 static struct pci_device_id __initdata pirq_440gx[] = {
19825 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_0) },
19826 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82443GX_2) },
19828 + { PCI_DEVICE(0, 0) }
19831 /* 440GX has a proprietary PIRQ router -- don't use it */
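Review bot: `{ PCI_DEVICE(0, 0) }` is not a reliable terminator for pirq_440gx if PCI_DEVICE() expands, as it does in mainline, to `.vendor = 0, .device = 0, .subvendor = PCI_ANY_ID, .subdevice = PCI_ANY_ID`: pci_dev_present() and pci_match_id() walk the table while `ids->vendor || ids->subvendor || ids->class_mask` holds, and PCI_ANY_ID in subvendor is non-zero, so the walk does not stop at this entry and reads past the end of the array. The entry it replaces (elided context) was all-zero and terminated correctly; if an explicit sentinel is wanted, `{ .vendor = 0, .device = 0, .subvendor = 0, .subdevice = 0 }` keeps the all-zero semantics while still being spelled out. The same substitution should be checked anywhere else in the patch that a `pci_device_id` table gained a `PCI_DEVICE(0, 0)` terminator.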
19832 @@ -1113,7 +1113,7 @@ static struct dmi_system_id __initdata p
19833 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 360"),
19837 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
19840 void __init pcibios_irq_init(void)
19841 diff -urNp linux-2.6.36.1/arch/x86/pci/mmconfig_32.c linux-2.6.36.1/arch/x86/pci/mmconfig_32.c
19842 --- linux-2.6.36.1/arch/x86/pci/mmconfig_32.c 2010-10-20 16:30:22.000000000 -0400
19843 +++ linux-2.6.36.1/arch/x86/pci/mmconfig_32.c 2010-11-06 18:58:15.000000000 -0400
19844 @@ -117,7 +117,7 @@ static int pci_mmcfg_write(unsigned int
19848 -static struct pci_raw_ops pci_mmcfg = {
19849 +static const struct pci_raw_ops pci_mmcfg = {
19850 .read = pci_mmcfg_read,
19851 .write = pci_mmcfg_write,
19853 diff -urNp linux-2.6.36.1/arch/x86/pci/mmconfig_64.c linux-2.6.36.1/arch/x86/pci/mmconfig_64.c
19854 --- linux-2.6.36.1/arch/x86/pci/mmconfig_64.c 2010-10-20 16:30:22.000000000 -0400
19855 +++ linux-2.6.36.1/arch/x86/pci/mmconfig_64.c 2010-11-06 18:58:15.000000000 -0400
19856 @@ -81,7 +81,7 @@ static int pci_mmcfg_write(unsigned int
19860 -static struct pci_raw_ops pci_mmcfg = {
19861 +static const struct pci_raw_ops pci_mmcfg = {
19862 .read = pci_mmcfg_read,
19863 .write = pci_mmcfg_write,
19865 diff -urNp linux-2.6.36.1/arch/x86/pci/numaq_32.c linux-2.6.36.1/arch/x86/pci/numaq_32.c
19866 --- linux-2.6.36.1/arch/x86/pci/numaq_32.c 2010-10-20 16:30:22.000000000 -0400
19867 +++ linux-2.6.36.1/arch/x86/pci/numaq_32.c 2010-11-06 18:58:15.000000000 -0400
19868 @@ -108,7 +108,7 @@ static int pci_conf1_mq_write(unsigned i
19870 #undef PCI_CONF1_MQ_ADDRESS
19872 -static struct pci_raw_ops pci_direct_conf1_mq = {
19873 +static const struct pci_raw_ops pci_direct_conf1_mq = {
19874 .read = pci_conf1_mq_read,
19875 .write = pci_conf1_mq_write
19877 diff -urNp linux-2.6.36.1/arch/x86/pci/olpc.c linux-2.6.36.1/arch/x86/pci/olpc.c
19878 --- linux-2.6.36.1/arch/x86/pci/olpc.c 2010-10-20 16:30:22.000000000 -0400
19879 +++ linux-2.6.36.1/arch/x86/pci/olpc.c 2010-11-06 18:58:15.000000000 -0400
19880 @@ -297,7 +297,7 @@ static int pci_olpc_write(unsigned int s
19884 -static struct pci_raw_ops pci_olpc_conf = {
19885 +static const struct pci_raw_ops pci_olpc_conf = {
19886 .read = pci_olpc_read,
19887 .write = pci_olpc_write,
19889 diff -urNp linux-2.6.36.1/arch/x86/pci/pcbios.c linux-2.6.36.1/arch/x86/pci/pcbios.c
19890 --- linux-2.6.36.1/arch/x86/pci/pcbios.c 2010-10-20 16:30:22.000000000 -0400
19891 +++ linux-2.6.36.1/arch/x86/pci/pcbios.c 2010-11-06 18:58:15.000000000 -0400
19892 @@ -57,50 +57,93 @@ union bios32 {
19894 unsigned long address;
19895 unsigned short segment;
19896 -} bios32_indirect = { 0, __KERNEL_CS };
19897 +} bios32_indirect __read_only = { 0, __PCIBIOS_CS };
19900 * Returns the entry point for the given service, NULL on error
19903 -static unsigned long bios32_service(unsigned long service)
19904 +static unsigned long __devinit bios32_service(unsigned long service)
19906 unsigned char return_code; /* %al */
19907 unsigned long address; /* %ebx */
19908 unsigned long length; /* %ecx */
19909 unsigned long entry; /* %edx */
19910 unsigned long flags;
19911 + struct desc_struct d, *gdt;
19913 local_irq_save(flags);
19914 - __asm__("lcall *(%%edi); cld"
19916 + gdt = get_cpu_gdt_table(smp_processor_id());
19918 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x9B, 0xC);
19919 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19920 + pack_descriptor(&d, 0UL, 0xFFFFFUL, 0x93, 0xC);
19921 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19923 + __asm__("movw %w7, %%ds; lcall *(%%edi); push %%ss; pop %%ds; cld"
19924 : "=a" (return_code),
19930 - "D" (&bios32_indirect));
19931 + "D" (&bios32_indirect),
19932 + "r"(__PCIBIOS_DS)
19935 + pax_open_kernel();
19936 + gdt[GDT_ENTRY_PCIBIOS_CS].a = 0;
19937 + gdt[GDT_ENTRY_PCIBIOS_CS].b = 0;
19938 + gdt[GDT_ENTRY_PCIBIOS_DS].a = 0;
19939 + gdt[GDT_ENTRY_PCIBIOS_DS].b = 0;
19940 + pax_close_kernel();
19942 local_irq_restore(flags);
19944 switch (return_code) {
19946 - return address + entry;
19947 - case 0x80: /* Not present */
19948 - printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19950 - default: /* Shouldn't happen */
19951 - printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19952 - service, return_code);
19955 + unsigned char flags;
19957 + printk(KERN_INFO "bios32_service: base:%08lx length:%08lx entry:%08lx\n", address, length, entry);
19958 + if (address >= 0xFFFF0 || length > 0x100000 - address || length <= entry) {
19959 + printk(KERN_WARNING "bios32_service: not valid\n");
19962 + address = address + PAGE_OFFSET;
19963 + length += 16UL; /* some BIOSs underreport this... */
19965 + if (length >= 64*1024*1024) {
19966 + length >>= PAGE_SHIFT;
19970 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
19971 + gdt = get_cpu_gdt_table(cpu);
19972 + pack_descriptor(&d, address, length, 0x9b, flags);
19973 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_CS, &d, DESCTYPE_S);
19974 + pack_descriptor(&d, address, length, 0x93, flags);
19975 + write_gdt_entry(gdt, GDT_ENTRY_PCIBIOS_DS, &d, DESCTYPE_S);
19979 + case 0x80: /* Not present */
19980 + printk(KERN_WARNING "bios32_service(0x%lx): not present\n", service);
19982 + default: /* Shouldn't happen */
19983 + printk(KERN_WARNING "bios32_service(0x%lx): returned 0x%x -- BIOS bug!\n",
19984 + service, return_code);
19990 unsigned long address;
19991 unsigned short segment;
19992 -} pci_indirect = { 0, __KERNEL_CS };
19993 +} pci_indirect __read_only = { 0, __PCIBIOS_CS };
19995 -static int pci_bios_present;
19996 +static int pci_bios_present __read_only;
19998 static int __devinit check_pcibios(void)
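Review bot: The `unsigned char flags;` introduced inside the `case 0` block of bios32_service shadows the function's `unsigned long flags` that local_irq_save()/local_irq_restore() use; it is harmless today only because the restore precedes the switch, but -Wshadow will flag it and a later edit that moves the restore would silently pick the wrong variable, so `unsigned char seg_flags;` (and the matching pack_descriptor() arguments) is safer. The `for (cpu = 0; cpu < NR_CPUS; cpu++)` loop installs the PCIBIOS code/data descriptors into the GDT of every slot up to NR_CPUS rather than only the CPUs that can exist; if per-cpu areas are only set up for possible CPUs, `for_each_possible_cpu(cpu)` is the idiom that avoids touching slots that were never initialised. The teardown after the lcall clears the descriptors by assigning `.a`/`.b` directly under pax_open_kernel() while the setup goes through write_gdt_entry(); a one-line comment on why the two paths differ would help, since the asymmetry looks accidental. Several context lines of bios32_service are elided, so the declaration of `cpu` and the handling of the `not valid` branch are inferred.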
20000 @@ -109,11 +152,13 @@ static int __devinit check_pcibios(void)
20001 unsigned long flags, pcibios_entry;
20003 if ((pcibios_entry = bios32_service(PCI_SERVICE))) {
20004 - pci_indirect.address = pcibios_entry + PAGE_OFFSET;
20005 + pci_indirect.address = pcibios_entry;
20007 local_irq_save(flags);
20009 - "lcall *(%%edi); cld\n\t"
20010 + __asm__("movw %w6, %%ds\n\t"
20011 + "lcall *%%ss:(%%edi); cld\n\t"
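Review bot: `pci_indirect.address = pcibios_entry;` writes to an object the previous hunk marks `__read_only`, without the pax_open_kernel()/pax_close_kernel() pair that bios32_service uses for its GDT teardown. That is presumably correct only because check_pcibios is `__devinit` and runs before the read-only data is sealed, which is not obvious at the assignment; a comment such as `/* pci_indirect is __read_only but still writable here: we run before init data is sealed */` would spare the next reader the analysis and warn anyone tempted to call this after init. The body of check_pcibios extends beyond the hunk.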
20017 @@ -122,7 +167,8 @@ static int __devinit check_pcibios(void)
20020 : "1" (PCIBIOS_PCI_BIOS_PRESENT),
20021 - "D" (&pci_indirect)
20022 + "D" (&pci_indirect),
20023 + "r" (__PCIBIOS_DS)
20025 local_irq_restore(flags);
20027 @@ -166,7 +212,10 @@ static int pci_bios_read(unsigned int se
20031 - __asm__("lcall *(%%esi); cld\n\t"
20032 + __asm__("movw %w6, %%ds\n\t"
20033 + "lcall *%%ss:(%%esi); cld\n\t"
20039 @@ -175,7 +224,8 @@ static int pci_bios_read(unsigned int se
20040 : "1" (PCIBIOS_READ_CONFIG_BYTE),
20043 - "S" (&pci_indirect));
20044 + "S" (&pci_indirect),
20045 + "r" (__PCIBIOS_DS));
20047 * Zero-extend the result beyond 8 bits, do not trust the
20048 * BIOS having done it:
20049 @@ -183,7 +233,10 @@ static int pci_bios_read(unsigned int se
20053 - __asm__("lcall *(%%esi); cld\n\t"
20054 + __asm__("movw %w6, %%ds\n\t"
20055 + "lcall *%%ss:(%%esi); cld\n\t"
20061 @@ -192,7 +245,8 @@ static int pci_bios_read(unsigned int se
20062 : "1" (PCIBIOS_READ_CONFIG_WORD),
20065 - "S" (&pci_indirect));
20066 + "S" (&pci_indirect),
20067 + "r" (__PCIBIOS_DS));
20069 * Zero-extend the result beyond 16 bits, do not trust the
20070 * BIOS having done it:
20071 @@ -200,7 +254,10 @@ static int pci_bios_read(unsigned int se
20075 - __asm__("lcall *(%%esi); cld\n\t"
20076 + __asm__("movw %w6, %%ds\n\t"
20077 + "lcall *%%ss:(%%esi); cld\n\t"
20083 @@ -209,7 +266,8 @@ static int pci_bios_read(unsigned int se
20084 : "1" (PCIBIOS_READ_CONFIG_DWORD),
20087 - "S" (&pci_indirect));
20088 + "S" (&pci_indirect),
20089 + "r" (__PCIBIOS_DS));
20093 @@ -232,7 +290,10 @@ static int pci_bios_write(unsigned int s
20097 - __asm__("lcall *(%%esi); cld\n\t"
20098 + __asm__("movw %w6, %%ds\n\t"
20099 + "lcall *%%ss:(%%esi); cld\n\t"
20105 @@ -241,10 +302,14 @@ static int pci_bios_write(unsigned int s
20109 - "S" (&pci_indirect));
20110 + "S" (&pci_indirect),
20111 + "r" (__PCIBIOS_DS));
20114 - __asm__("lcall *(%%esi); cld\n\t"
20115 + __asm__("movw %w6, %%ds\n\t"
20116 + "lcall *%%ss:(%%esi); cld\n\t"
20122 @@ -253,10 +318,14 @@ static int pci_bios_write(unsigned int s
20126 - "S" (&pci_indirect));
20127 + "S" (&pci_indirect),
20128 + "r" (__PCIBIOS_DS));
20131 - __asm__("lcall *(%%esi); cld\n\t"
20132 + __asm__("movw %w6, %%ds\n\t"
20133 + "lcall *%%ss:(%%esi); cld\n\t"
20139 @@ -265,7 +334,8 @@ static int pci_bios_write(unsigned int s
20143 - "S" (&pci_indirect));
20144 + "S" (&pci_indirect),
20145 + "r" (__PCIBIOS_DS));
20149 @@ -279,7 +349,7 @@ static int pci_bios_write(unsigned int s
20150 * Function table for BIOS32 access
20153 -static struct pci_raw_ops pci_bios_access = {
20154 +static const struct pci_raw_ops pci_bios_access = {
20155 .read = pci_bios_read,
20156 .write = pci_bios_write
20158 @@ -288,7 +358,7 @@ static struct pci_raw_ops pci_bios_acces
20159 * Try to find PCI BIOS.
20162 -static struct pci_raw_ops * __devinit pci_find_bios(void)
20163 +static const struct pci_raw_ops * __devinit pci_find_bios(void)
20165 union bios32 *check;
20167 @@ -369,10 +439,13 @@ struct irq_routing_table * pcibios_get_i
20169 DBG("PCI: Fetching IRQ routing table... ");
20170 __asm__("push %%es\n\t"
20171 + "movw %w8, %%ds\n\t"
20174 - "lcall *(%%esi); cld\n\t"
20175 + "lcall *%%ss:(%%esi); cld\n\t"
20182 @@ -383,7 +456,8 @@ struct irq_routing_table * pcibios_get_i
20185 "S" (&pci_indirect),
20188 + "r" (__PCIBIOS_DS)
20190 DBG("OK ret=%d, size=%d, map=%x\n", ret, opt.size, map);
20192 @@ -407,7 +481,10 @@ int pcibios_set_irq_routing(struct pci_d
20196 - __asm__("lcall *(%%esi); cld\n\t"
20197 + __asm__("movw %w5, %%ds\n\t"
20198 + "lcall *%%ss:(%%esi); cld\n\t"
20204 @@ -415,7 +492,8 @@ int pcibios_set_irq_routing(struct pci_d
20205 : "0" (PCIBIOS_SET_PCI_HW_INT),
20206 "b" ((dev->bus->number << 8) | dev->devfn),
20207 "c" ((irq << 8) | (pin + 10)),
20208 - "S" (&pci_indirect));
20209 + "S" (&pci_indirect),
20210 + "r" (__PCIBIOS_DS));
20211 return !(ret & 0xff00);
20213 EXPORT_SYMBOL(pcibios_set_irq_routing);
20214 diff -urNp linux-2.6.36.1/arch/x86/power/cpu.c linux-2.6.36.1/arch/x86/power/cpu.c
20215 --- linux-2.6.36.1/arch/x86/power/cpu.c 2010-10-20 16:30:22.000000000 -0400
20216 +++ linux-2.6.36.1/arch/x86/power/cpu.c 2010-11-06 18:58:15.000000000 -0400
20217 @@ -130,7 +130,7 @@ static void do_fpu_end(void)
20218 static void fix_processor_context(void)
20220 int cpu = smp_processor_id();
20221 - struct tss_struct *t = &per_cpu(init_tss, cpu);
20222 + struct tss_struct *t = init_tss + cpu;
20224 set_tss_desc(cpu, t); /*
20225 * This just modifies memory; should not be
20226 @@ -140,7 +140,9 @@ static void fix_processor_context(void)
20229 #ifdef CONFIG_X86_64
20230 + pax_open_kernel();
20231 get_cpu_gdt_table(cpu)[GDT_ENTRY_TSS].type = 9;
20232 + pax_close_kernel();
20234 syscall_init(); /* This sets MSR_*STAR and related */
20236 diff -urNp linux-2.6.36.1/arch/x86/vdso/Makefile linux-2.6.36.1/arch/x86/vdso/Makefile
20237 --- linux-2.6.36.1/arch/x86/vdso/Makefile 2010-10-20 16:30:22.000000000 -0400
20238 +++ linux-2.6.36.1/arch/x86/vdso/Makefile 2010-11-06 18:58:15.000000000 -0400
20239 @@ -123,7 +123,7 @@ quiet_cmd_vdso = VDSO $@
20240 -Wl,-T,$(filter %.lds,$^) $(filter %.o,$^) && \
20241 sh $(srctree)/$(src)/checkundef.sh '$(NM)' '$@'
20243 -VDSO_LDFLAGS = -fPIC -shared $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
20244 +VDSO_LDFLAGS = -fPIC -shared --no-undefined $(call cc-ldoption, -Wl$(comma)--hash-style=sysv)
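Review bot: `--no-undefined` is added bare to VDSO_LDFLAGS, which the vdso rule hands to `$(CC)` rather than to `ld`; unless the driver in use is known to forward that spelling, `-Wl,--no-undefined` is the portable form and matches the `-Wl$(comma)--hash-style=sysv` beside it. Since checkundef.sh already fails the build on unresolved vdso symbols after the link, a short comment stating that the linker flag is meant to catch them earlier (or why both are wanted) would explain the overlap.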
20248 diff -urNp linux-2.6.36.1/arch/x86/vdso/vclock_gettime.c linux-2.6.36.1/arch/x86/vdso/vclock_gettime.c
20249 --- linux-2.6.36.1/arch/x86/vdso/vclock_gettime.c 2010-10-20 16:30:22.000000000 -0400
20250 +++ linux-2.6.36.1/arch/x86/vdso/vclock_gettime.c 2010-11-06 18:58:15.000000000 -0400
20251 @@ -22,24 +22,48 @@
20252 #include <asm/hpet.h>
20253 #include <asm/unistd.h>
20254 #include <asm/io.h>
20255 +#include <asm/fixmap.h>
20256 #include "vextern.h"
20258 #define gtod vdso_vsyscall_gtod_data
20260 +notrace noinline long __vdso_fallback_time(long *t)
20263 + asm volatile("syscall"
20265 + : "0" (__NR_time),"D" (t) : "r11", "cx", "memory");
20269 notrace static long vdso_fallback_gettime(long clock, struct timespec *ts)
20272 asm("syscall" : "=a" (ret) :
20273 - "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "memory");
20274 + "0" (__NR_clock_gettime),"D" (clock), "S" (ts) : "r11", "cx", "memory");
20278 +notrace static inline cycle_t __vdso_vread_hpet(void)
20280 + return readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + 0xf0);
20283 +notrace static inline cycle_t __vdso_vread_tsc(void)
20285 + cycle_t ret = (cycle_t)vget_cycles();
20287 + return ret >= gtod->clock.cycle_last ? ret : gtod->clock.cycle_last;
20290 notrace static inline long vgetns(void)
20293 - cycles_t (*vread)(void);
20294 - vread = gtod->clock.vread;
20295 - v = (vread() - gtod->clock.cycle_last) & gtod->clock.mask;
20296 + if (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3])
20297 + v = __vdso_vread_tsc();
20299 + v = __vdso_vread_hpet();
20300 + v = (v - gtod->clock.cycle_last) & gtod->clock.mask;
20301 return (v * gtod->clock.mult) >> gtod->clock.shift;
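Review bot: `__vdso_vread_tsc` samples the TSC with `vget_cycles()` and compares it against `gtod->clock.cycle_last` with no `rdtsc_barrier()` visible on either side, whereas the in-kernel vread_tsc() it replaces fences before and after the read so the TSC cannot be sampled out of order relative to the cycle_last load. One line of the function body is elided from the hunk, so if a barrier is present it should be paired: `rdtsc_barrier(); ret = (cycle_t)vget_cycles(); rdtsc_barrier();`. In `__vdso_vread_hpet`, `0xf0` is the HPET main-counter offset that asm/hpet.h (already included above) names HPET_COUNTER; `readl((const void __iomem *)fix_to_virt(VSYSCALL_HPET) + HPET_COUNTER)` documents itself.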
20304 @@ -113,7 +137,9 @@ notrace static noinline int do_monotonic
20306 notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
20308 - if (likely(gtod->sysctl_enabled))
20309 + if (likely(gtod->sysctl_enabled &&
20310 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20311 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20313 case CLOCK_REALTIME:
20314 if (likely(gtod->clock.vread))
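Review bot: The clocksource-name test is spelled out character by character (`gtod->clock.name[0] == 'h' && ...`) and the same expression is repeated in __vdso_gettimeofday in the next hunk and, in its tsc form, in vgetns() in the previous one, so the three sites can drift apart. A pair of small inline helpers keeps one definition and gives a place to record why strcmp is not used (presumably because the vdso cannot link against the kernel's string routines). The body of __vdso_clock_gettime continues past the hunk.
```c
/* Open-coded compare: the vdso cannot call the kernel's strcmp(). */
notrace static inline int vdso_clock_is_tsc(void)
{
	const char *n = gtod->clock.name;
	return n[0] == 't' && n[1] == 's' && n[2] == 'c' && !n[3];
}

notrace static inline int vdso_clock_is_hpet(void)
{
	const char *n = gtod->clock.name;
	return n[0] == 'h' && n[1] == 'p' && n[2] == 'e' && n[3] == 't' && !n[4];
}

notrace int __vdso_clock_gettime(clockid_t clock, struct timespec *ts)
{
	if (likely(gtod->sysctl_enabled && (vdso_clock_is_hpet() || vdso_clock_is_tsc())))
		/* … unchanged: switch on clock … */
```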
20315 @@ -133,10 +159,20 @@ notrace int __vdso_clock_gettime(clockid
20316 int clock_gettime(clockid_t, struct timespec *)
20317 __attribute__((weak, alias("__vdso_clock_gettime")));
20319 -notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20320 +notrace noinline int __vdso_fallback_gettimeofday(struct timeval *tv, struct timezone *tz)
20323 - if (likely(gtod->sysctl_enabled && gtod->clock.vread)) {
20324 + asm("syscall" : "=a" (ret) :
20325 + "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "r11", "cx", "memory");
20329 +notrace int __vdso_gettimeofday(struct timeval *tv, struct timezone *tz)
20331 + if (likely(gtod->sysctl_enabled &&
20332 + ((gtod->clock.name[0] == 'h' && gtod->clock.name[1] == 'p' && gtod->clock.name[2] == 'e' && gtod->clock.name[3] == 't' && !gtod->clock.name[4]) ||
20333 + (gtod->clock.name[0] == 't' && gtod->clock.name[1] == 's' && gtod->clock.name[2] == 'c' && !gtod->clock.name[3]))))
20335 if (likely(tv != NULL)) {
20336 BUILD_BUG_ON(offsetof(struct timeval, tv_usec) !=
20337 offsetof(struct timespec, tv_nsec) ||
20338 @@ -151,9 +187,7 @@ notrace int __vdso_gettimeofday(struct t
20342 - asm("syscall" : "=a" (ret) :
20343 - "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory");
20345 + return __vdso_fallback_gettimeofday(tv, tz);
20347 int gettimeofday(struct timeval *, struct timezone *)
20348 __attribute__((weak, alias("__vdso_gettimeofday")));
20349 diff -urNp linux-2.6.36.1/arch/x86/vdso/vdso32-setup.c linux-2.6.36.1/arch/x86/vdso/vdso32-setup.c
20350 --- linux-2.6.36.1/arch/x86/vdso/vdso32-setup.c 2010-10-20 16:30:22.000000000 -0400
20351 +++ linux-2.6.36.1/arch/x86/vdso/vdso32-setup.c 2010-11-06 18:58:15.000000000 -0400
20353 #include <asm/tlbflush.h>
20354 #include <asm/vdso.h>
20355 #include <asm/proto.h>
20356 +#include <asm/mman.h>
20360 @@ -226,7 +227,7 @@ static inline void map_compat_vdso(int m
20361 void enable_sep_cpu(void)
20363 int cpu = get_cpu();
20364 - struct tss_struct *tss = &per_cpu(init_tss, cpu);
20365 + struct tss_struct *tss = init_tss + cpu;
20367 if (!boot_cpu_has(X86_FEATURE_SEP)) {
20369 @@ -249,7 +250,7 @@ static int __init gate_vma_init(void)
20370 gate_vma.vm_start = FIXADDR_USER_START;
20371 gate_vma.vm_end = FIXADDR_USER_END;
20372 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
20373 - gate_vma.vm_page_prot = __P101;
20374 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
20376 * Make sure the vDSO gets into every core dump.
20377 * Dumping its contents makes post-mortem fully interpretable later
20378 @@ -331,14 +332,14 @@ int arch_setup_additional_pages(struct l
20380 addr = VDSO_HIGH_BASE;
20382 - addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, 0);
20383 + addr = get_unmapped_area(NULL, 0, PAGE_SIZE, 0, MAP_EXECUTABLE);
20384 if (IS_ERR_VALUE(addr)) {
20390 - current->mm->context.vdso = (void *)addr;
20391 + current->mm->context.vdso = addr;
20393 if (compat_uses_vma || !compat) {
20395 @@ -361,11 +362,11 @@ int arch_setup_additional_pages(struct l
20398 current_thread_info()->sysenter_return =
20399 - VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20400 + (__force void __user *)VDSO32_SYMBOL(addr, SYSENTER_RETURN);
20404 - current->mm->context.vdso = NULL;
20405 + current->mm->context.vdso = 0;
20407 up_write(&mm->mmap_sem);
20409 @@ -412,8 +413,14 @@ __initcall(ia32_binfmt_init);
20411 const char *arch_vma_name(struct vm_area_struct *vma)
20413 - if (vma->vm_mm && vma->vm_start == (long)vma->vm_mm->context.vdso)
20414 + if (vma->vm_mm && vma->vm_start == vma->vm_mm->context.vdso)
20417 +#ifdef CONFIG_PAX_SEGMEXEC
20418 + if (vma->vm_mm && vma->vm_mirror && vma->vm_mirror->vm_start == vma->vm_mm->context.vdso)
20425 @@ -422,7 +429,7 @@ struct vm_area_struct *get_gate_vma(stru
20426 struct mm_struct *mm = tsk->mm;
20428 /* Check to see if this task was created in compat vdso mode */
20429 - if (mm && mm->context.vdso == (void *)VDSO_HIGH_BASE)
20430 + if (mm && mm->context.vdso == VDSO_HIGH_BASE)
20434 diff -urNp linux-2.6.36.1/arch/x86/vdso/vdso.lds.S linux-2.6.36.1/arch/x86/vdso/vdso.lds.S
20435 --- linux-2.6.36.1/arch/x86/vdso/vdso.lds.S 2010-10-20 16:30:22.000000000 -0400
20436 +++ linux-2.6.36.1/arch/x86/vdso/vdso.lds.S 2010-11-06 18:58:15.000000000 -0400
20437 @@ -35,3 +35,9 @@ VDSO64_PRELINK = VDSO_PRELINK;
20438 #define VEXTERN(x) VDSO64_ ## x = vdso_ ## x;
20439 #include "vextern.h"
20442 +#define VEXTERN(x) VDSO64_ ## x = __vdso_ ## x;
20443 +VEXTERN(fallback_gettimeofday)
20444 +VEXTERN(fallback_time)
20447 diff -urNp linux-2.6.36.1/arch/x86/vdso/vextern.h linux-2.6.36.1/arch/x86/vdso/vextern.h
20448 --- linux-2.6.36.1/arch/x86/vdso/vextern.h 2010-10-20 16:30:22.000000000 -0400
20449 +++ linux-2.6.36.1/arch/x86/vdso/vextern.h 2010-11-06 18:58:15.000000000 -0400
20451 put into vextern.h and be referenced as a pointer with vdso prefix.
20452 The main kernel later fills in the values. */
20455 VEXTERN(vgetcpu_mode)
20456 VEXTERN(vsyscall_gtod_data)
20457 diff -urNp linux-2.6.36.1/arch/x86/vdso/vma.c linux-2.6.36.1/arch/x86/vdso/vma.c
20458 --- linux-2.6.36.1/arch/x86/vdso/vma.c 2010-10-20 16:30:22.000000000 -0400
20459 +++ linux-2.6.36.1/arch/x86/vdso/vma.c 2010-11-06 18:58:15.000000000 -0400
20460 @@ -58,7 +58,7 @@ static int __init init_vdso_vars(void)
20464 - if (memcmp(vbase, "\177ELF", 4)) {
20465 + if (memcmp(vbase, ELFMAG, SELFMAG)) {
20466 printk("VDSO: I'm broken; not ELF\n");
20469 @@ -118,7 +118,7 @@ int arch_setup_additional_pages(struct l
20473 - current->mm->context.vdso = (void *)addr;
20474 + current->mm->context.vdso = addr;
20476 ret = install_special_mapping(mm, addr, vdso_size,
20478 @@ -126,7 +126,7 @@ int arch_setup_additional_pages(struct l
20482 - current->mm->context.vdso = NULL;
20483 + current->mm->context.vdso = 0;
20487 @@ -134,10 +134,3 @@ up_fail:
20488 up_write(&mm->mmap_sem);
20492 -static __init int vdso_setup(char *s)
20494 - vdso_enabled = simple_strtoul(s, NULL, 0);
20497 -__setup("vdso=", vdso_setup);
20498 diff -urNp linux-2.6.36.1/arch/x86/xen/enlighten.c linux-2.6.36.1/arch/x86/xen/enlighten.c
20499 --- linux-2.6.36.1/arch/x86/xen/enlighten.c 2010-11-26 18:26:24.000000000 -0500
20500 +++ linux-2.6.36.1/arch/x86/xen/enlighten.c 2010-11-26 18:27:07.000000000 -0500
20501 @@ -79,8 +79,6 @@ EXPORT_SYMBOL_GPL(xen_start_info);
20503 struct shared_info xen_dummy_shared_info;
20505 -void *xen_initial_gdt;
20507 RESERVE_BRK(shared_info_page_brk, PAGE_SIZE);
20508 __read_mostly int xen_have_vector_callback;
20509 EXPORT_SYMBOL_GPL(xen_have_vector_callback);
20510 @@ -573,7 +571,7 @@ static void xen_write_idt_entry(gate_des
20514 - start = __get_cpu_var(idt_desc).address;
20515 + start = (unsigned long)__get_cpu_var(idt_desc).address;
20516 end = start + __get_cpu_var(idt_desc).size + 1;
20519 @@ -1130,7 +1128,17 @@ asmlinkage void __init xen_start_kernel(
20520 __userpte_alloc_gfp &= ~__GFP_HIGHMEM;
20522 /* Work out if we support NX */
20523 - x86_configure_nx();
20524 +#if defined(CONFIG_X86_64) || defined(CONFIG_X86_PAE)
20525 + if ((cpuid_eax(0x80000000) & 0xffff0000) == 0x80000000 &&
20526 + (cpuid_edx(0x80000001) & (1U << (X86_FEATURE_NX & 31)))) {
20529 + __supported_pte_mask |= _PAGE_NX;
20530 + rdmsr(MSR_EFER, l, h);
20532 + wrmsr(MSR_EFER, l, h);
20536 xen_setup_features();
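Review bot: The open-coded NX probe (`cpuid_eax(0x80000000)`, `cpuid_edx(0x80000001)`, then rdmsr/wrmsr of MSR_EFER) replaces the `x86_configure_nx()` call without saying why the shared helper is unsuitable on a Xen PV guest; two lines of the block are elided, so the EFER.NX update itself is inferred. If the reason is that the helper depends on cpu-feature or `__supported_pte_mask` state that is not valid this early, a comment above the `#if`, e.g. `/* x86_configure_nx() cannot be used here: <reason> */`, makes the duplication defensible; otherwise calling `x86_configure_nx()` inside the `#if` keeps a single definition of the NX check. The rdmsr/wrmsr pair presumably goes through the paravirt MSR ops here, so what an EFER write does is up to the hypervisor, which is worth stating alongside.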
20538 @@ -1161,13 +1169,6 @@ asmlinkage void __init xen_start_kernel(
20540 machine_ops = xen_machine_ops;
20543 - * The only reliable way to retain the initial address of the
20544 - * percpu gdt_page is to remember it here, so we can go and
20545 - * mark it RW later, when the initial percpu area is freed.
20547 - xen_initial_gdt = &per_cpu(gdt_page, 0);
20551 pgd = (pgd_t *)xen_start_info->pt_base;
20552 diff -urNp linux-2.6.36.1/arch/x86/xen/mmu.c linux-2.6.36.1/arch/x86/xen/mmu.c
20553 --- linux-2.6.36.1/arch/x86/xen/mmu.c 2010-10-20 16:30:22.000000000 -0400
20554 +++ linux-2.6.36.1/arch/x86/xen/mmu.c 2010-11-06 18:58:15.000000000 -0400
20555 @@ -1773,6 +1773,8 @@ __init pgd_t *xen_setup_kernel_pagetable
20556 convert_pfn_mfn(init_level4_pgt);
20557 convert_pfn_mfn(level3_ident_pgt);
20558 convert_pfn_mfn(level3_kernel_pgt);
20559 + convert_pfn_mfn(level3_vmalloc_pgt);
20560 + convert_pfn_mfn(level3_vmemmap_pgt);
20562 l3 = m2v(pgd[pgd_index(__START_KERNEL_map)].pgd);
20563 l2 = m2v(l3[pud_index(__START_KERNEL_map)].pud);
20564 @@ -1791,7 +1793,10 @@ __init pgd_t *xen_setup_kernel_pagetable
20565 set_page_prot(init_level4_pgt, PAGE_KERNEL_RO);
20566 set_page_prot(level3_ident_pgt, PAGE_KERNEL_RO);
20567 set_page_prot(level3_kernel_pgt, PAGE_KERNEL_RO);
20568 + set_page_prot(level3_vmalloc_pgt, PAGE_KERNEL_RO);
20569 + set_page_prot(level3_vmemmap_pgt, PAGE_KERNEL_RO);
20570 set_page_prot(level3_user_vsyscall, PAGE_KERNEL_RO);
20571 + set_page_prot(level2_vmemmap_pgt, PAGE_KERNEL_RO);
20572 set_page_prot(level2_kernel_pgt, PAGE_KERNEL_RO);
20573 set_page_prot(level2_fixmap_pgt, PAGE_KERNEL_RO);
20575 diff -urNp linux-2.6.36.1/arch/x86/xen/pci-swiotlb-xen.c linux-2.6.36.1/arch/x86/xen/pci-swiotlb-xen.c
20576 --- linux-2.6.36.1/arch/x86/xen/pci-swiotlb-xen.c 2010-10-20 16:30:22.000000000 -0400
20577 +++ linux-2.6.36.1/arch/x86/xen/pci-swiotlb-xen.c 2010-11-06 18:58:15.000000000 -0400
20580 int xen_swiotlb __read_mostly;
20582 -static struct dma_map_ops xen_swiotlb_dma_ops = {
20583 +static const struct dma_map_ops xen_swiotlb_dma_ops = {
20584 .mapping_error = xen_swiotlb_dma_mapping_error,
20585 .alloc_coherent = xen_swiotlb_alloc_coherent,
20586 .free_coherent = xen_swiotlb_free_coherent,
20587 diff -urNp linux-2.6.36.1/arch/x86/xen/smp.c linux-2.6.36.1/arch/x86/xen/smp.c
20588 --- linux-2.6.36.1/arch/x86/xen/smp.c 2010-11-26 18:26:24.000000000 -0500
20589 +++ linux-2.6.36.1/arch/x86/xen/smp.c 2010-11-26 18:27:07.000000000 -0500
20590 @@ -169,11 +169,6 @@ static void __init xen_smp_prepare_boot_
20592 BUG_ON(smp_processor_id() != 0);
20593 native_smp_prepare_boot_cpu();
20595 - /* We've switched to the "real" per-cpu gdt, so make sure the
20596 - old memory can be recycled */
20597 - make_lowmem_page_readwrite(xen_initial_gdt);
20599 xen_setup_vcpu_info_placement();
20602 @@ -233,8 +228,8 @@ cpu_initialize_context(unsigned int cpu,
20603 gdt = get_cpu_gdt_table(cpu);
20605 ctxt->flags = VGCF_IN_KERNEL;
20606 - ctxt->user_regs.ds = __USER_DS;
20607 - ctxt->user_regs.es = __USER_DS;
20608 + ctxt->user_regs.ds = __KERNEL_DS;
20609 + ctxt->user_regs.es = __KERNEL_DS;
20610 ctxt->user_regs.ss = __KERNEL_DS;
20611 #ifdef CONFIG_X86_32
20612 ctxt->user_regs.fs = __KERNEL_PERCPU;
20613 diff -urNp linux-2.6.36.1/arch/x86/xen/xen-head.S linux-2.6.36.1/arch/x86/xen/xen-head.S
20614 --- linux-2.6.36.1/arch/x86/xen/xen-head.S 2010-10-20 16:30:22.000000000 -0400
20615 +++ linux-2.6.36.1/arch/x86/xen/xen-head.S 2010-11-06 18:58:15.000000000 -0400
20616 @@ -19,6 +19,17 @@ ENTRY(startup_xen)
20617 #ifdef CONFIG_X86_32
20618 mov %esi,xen_start_info
20619 mov $init_thread_union+THREAD_SIZE,%esp
20621 + movl $cpu_gdt_table,%edi
20622 + movl $__per_cpu_load,%eax
20623 + movw %ax,__KERNEL_PERCPU + 2(%edi)
20625 + movb %al,__KERNEL_PERCPU + 4(%edi)
20626 + movb %ah,__KERNEL_PERCPU + 7(%edi)
20627 + movl $__per_cpu_end - 1,%eax
20628 + subl $__per_cpu_start,%eax
20629 + movw %ax,__KERNEL_PERCPU + 0(%edi)
20632 mov %rsi,xen_start_info
20633 mov $init_thread_union+THREAD_SIZE,%rsp
20634 diff -urNp linux-2.6.36.1/arch/x86/xen/xen-ops.h linux-2.6.36.1/arch/x86/xen/xen-ops.h
20635 --- linux-2.6.36.1/arch/x86/xen/xen-ops.h 2010-10-20 16:30:22.000000000 -0400
20636 +++ linux-2.6.36.1/arch/x86/xen/xen-ops.h 2010-11-06 18:58:15.000000000 -0400
20638 extern const char xen_hypervisor_callback[];
20639 extern const char xen_failsafe_callback[];
20641 -extern void *xen_initial_gdt;
20644 void xen_copy_trap_info(struct trap_info *traps);
20646 diff -urNp linux-2.6.36.1/block/blk-iopoll.c linux-2.6.36.1/block/blk-iopoll.c
20647 --- linux-2.6.36.1/block/blk-iopoll.c 2010-10-20 16:30:22.000000000 -0400
20648 +++ linux-2.6.36.1/block/blk-iopoll.c 2010-11-06 18:58:15.000000000 -0400
20649 @@ -77,7 +77,7 @@ void blk_iopoll_complete(struct blk_iopo
20651 EXPORT_SYMBOL(blk_iopoll_complete);
20653 -static void blk_iopoll_softirq(struct softirq_action *h)
20654 +static void blk_iopoll_softirq(void)
20656 struct list_head *list = &__get_cpu_var(blk_cpu_iopoll);
20657 int rearm = 0, budget = blk_iopoll_budget;
20658 diff -urNp linux-2.6.36.1/block/blk-map.c linux-2.6.36.1/block/blk-map.c
20659 --- linux-2.6.36.1/block/blk-map.c 2010-10-20 16:30:22.000000000 -0400
20660 +++ linux-2.6.36.1/block/blk-map.c 2010-11-11 18:24:09.000000000 -0500
20661 @@ -54,7 +54,7 @@ static int __blk_rq_map_user(struct requ
20662 * direct dma. else, set up kernel bounce buffers
20664 uaddr = (unsigned long) ubuf;
20665 - if (blk_rq_aligned(q, ubuf, len) && !map_data)
20666 + if (blk_rq_aligned(q, (__force void *)ubuf, len) && !map_data)
20667 bio = bio_map_user(q, NULL, uaddr, len, reading, gfp_mask);
20669 bio = bio_copy_user(q, map_data, uaddr, len, reading, gfp_mask);
20670 @@ -205,6 +205,8 @@ int blk_rq_map_user_iov(struct request_q
20674 + if (!iov[i].iov_len)
20678 if (unaligned || (q->dma_pad_mask & len) || map_data)
20679 @@ -297,7 +299,7 @@ int blk_rq_map_kern(struct request_queue
20683 - do_copy = !blk_rq_aligned(q, kbuf, len) || object_is_on_stack(kbuf);
20684 + do_copy = !blk_rq_aligned(q, kbuf, len) || object_starts_on_stack(kbuf);
20686 bio = bio_copy_kern(q, kbuf, len, gfp_mask, reading);
20688 diff -urNp linux-2.6.36.1/block/blk-softirq.c linux-2.6.36.1/block/blk-softirq.c
20689 --- linux-2.6.36.1/block/blk-softirq.c 2010-10-20 16:30:22.000000000 -0400
20690 +++ linux-2.6.36.1/block/blk-softirq.c 2010-11-06 18:58:15.000000000 -0400
20691 @@ -17,7 +17,7 @@ static DEFINE_PER_CPU(struct list_head,
20692 * Softirq action handler - move entries to local list and loop over them
20693 * while passing them to the queue registered handler.
20695 -static void blk_done_softirq(struct softirq_action *h)
20696 +static void blk_done_softirq(void)
20698 struct list_head *cpu_list, local_list;
20700 diff -urNp linux-2.6.36.1/block/scsi_ioctl.c linux-2.6.36.1/block/scsi_ioctl.c
20701 --- linux-2.6.36.1/block/scsi_ioctl.c 2010-10-20 16:30:22.000000000 -0400
20702 +++ linux-2.6.36.1/block/scsi_ioctl.c 2010-11-11 18:32:59.000000000 -0500
20703 @@ -321,33 +321,47 @@ static int sg_io(struct request_queue *q
20704 if (hdr->iovec_count) {
20705 const int size = sizeof(struct sg_iovec) * hdr->iovec_count;
20706 size_t iov_data_len;
20707 - struct sg_iovec *iov;
20708 + struct sg_iovec *sg_iov;
20709 + struct iovec *iov;
20712 - iov = kmalloc(size, GFP_KERNEL);
20714 + sg_iov = kmalloc(size, GFP_KERNEL);
20720 - if (copy_from_user(iov, hdr->dxferp, size)) {
20722 + if (copy_from_user(sg_iov, hdr->dxferp, size)) {
20729 + * Sum up the vecs, making sure they don't overflow
20731 + iov = (struct iovec *) sg_iov;
20732 + iov_data_len = 0;
20733 + for (i = 0; i < hdr->iovec_count; i++) {
20734 + if (iov_data_len + iov[i].iov_len < iov_data_len) {
20739 + iov_data_len += iov[i].iov_len;
20742 /* SG_IO howto says that the shorter of the two wins */
20743 - iov_data_len = iov_length((struct iovec *)iov,
20744 - hdr->iovec_count);
20745 if (hdr->dxfer_len < iov_data_len) {
20746 - hdr->iovec_count = iov_shorten((struct iovec *)iov,
20747 + hdr->iovec_count = iov_shorten(iov,
20750 iov_data_len = hdr->dxfer_len;
20753 - ret = blk_rq_map_user_iov(q, rq, NULL, iov, hdr->iovec_count,
20754 + ret = blk_rq_map_user_iov(q, rq, NULL, sg_iov, hdr->iovec_count,
20755 iov_data_len, GFP_KERNEL);
20758 } else if (hdr->dxfer_len)
20759 ret = blk_rq_map_user(q, rq, NULL, hdr->dxferp, hdr->dxfer_len,
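Review bot: `iov = (struct iovec *) sg_iov;` makes the new overflow-checked sum and iov_shorten() depend on `struct sg_iovec` and `struct iovec` having identical layout, an assumption the old cast also made but that nothing pins down; a `BUILD_BUG_ON(sizeof(struct sg_iovec) != sizeof(struct iovec));` next to the cast would catch a future divergence at compile time. The wraparound test `iov_data_len + iov[i].iov_len < iov_data_len` is correct for the unsigned `size_t`, though `iov[i].iov_len > SIZE_MAX - iov_data_len` reads as a pre-check rather than a post-hoc one. The loop counter `i` and the error path taken on overflow are in elided lines, so their declaration and return value are inferred.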
20761 diff -urNp linux-2.6.36.1/crypto/lrw.c linux-2.6.36.1/crypto/lrw.c
20762 --- linux-2.6.36.1/crypto/lrw.c 2010-10-20 16:30:22.000000000 -0400
20763 +++ linux-2.6.36.1/crypto/lrw.c 2010-11-06 18:58:15.000000000 -0400
20764 @@ -60,7 +60,7 @@ static int setkey(struct crypto_tfm *par
20765 struct priv *ctx = crypto_tfm_ctx(parent);
20766 struct crypto_cipher *child = ctx->child;
20768 - be128 tmp = { 0 };
20769 + be128 tmp = { 0, 0 };
20770 int bsize = crypto_cipher_blocksize(child);
20772 crypto_cipher_clear_flags(child, CRYPTO_TFM_REQ_MASK);
20773 diff -urNp linux-2.6.36.1/Documentation/dontdiff linux-2.6.36.1/Documentation/dontdiff
20774 --- linux-2.6.36.1/Documentation/dontdiff 2010-10-20 16:30:22.000000000 -0400
20775 +++ linux-2.6.36.1/Documentation/dontdiff 2010-11-11 18:21:08.000000000 -0500
20795 @@ -49,11 +52,16 @@
20812 @@ -62,6 +70,7 @@ aic7*reg_print.c*
20820 @@ -76,7 +85,10 @@ btfixupprep
20831 @@ -100,19 +112,23 @@ fore200e_mkfirm
20846 initramfs_data.cpio
20847 +initramfs_data.cpio.bz2
20848 initramfs_data.cpio.gz
20856 @@ -136,10 +152,13 @@ mkboot
20870 @@ -151,7 +170,9 @@ parse.h
20880 @@ -160,15 +181,18 @@ qconf
20899 @@ -189,14 +213,20 @@ version.h*
20920 diff -urNp linux-2.6.36.1/Documentation/filesystems/sysfs.txt linux-2.6.36.1/Documentation/filesystems/sysfs.txt
20921 --- linux-2.6.36.1/Documentation/filesystems/sysfs.txt 2010-10-20 16:30:22.000000000 -0400
20922 +++ linux-2.6.36.1/Documentation/filesystems/sysfs.txt 2010-11-06 18:58:15.000000000 -0400
20923 @@ -123,8 +123,8 @@ set of sysfs operations for forwarding r
20924 show and store methods of the attribute owners.
20927 - ssize_t (*show)(struct kobject *, struct attribute *, char *);
20928 - ssize_t (*store)(struct kobject *, struct attribute *, const char *, size_t);
20929 + ssize_t (* const show)(struct kobject *, struct attribute *, char *);
20930 + ssize_t (* const store)(struct kobject *, struct attribute *, const char *, size_t);
20933 [ Subsystems should have already defined a struct kobj_type as a
20934 diff -urNp linux-2.6.36.1/Documentation/kernel-parameters.txt linux-2.6.36.1/Documentation/kernel-parameters.txt
20935 --- linux-2.6.36.1/Documentation/kernel-parameters.txt 2010-10-20 16:30:22.000000000 -0400
20936 +++ linux-2.6.36.1/Documentation/kernel-parameters.txt 2010-11-06 18:58:15.000000000 -0400
20937 @@ -1835,6 +1835,12 @@ and is between 256 and 4096 characters.
20938 the specified number of seconds. This is to be used if
20939 your oopses keep scrolling off the screen.
20941 + pax_nouderef [X86-32] disables UDEREF. Most likely needed under certain
20942 + virtualization environments that don't cope well with the
20943 + expand down segment used by UDEREF on X86-32.
20945 + pax_softmode= [X86-32] 0/1 to disable/enable PaX softmode on boot already.
20950 diff -urNp linux-2.6.36.1/drivers/acpi/battery.c linux-2.6.36.1/drivers/acpi/battery.c
20951 --- linux-2.6.36.1/drivers/acpi/battery.c 2010-10-20 16:30:22.000000000 -0400
20952 +++ linux-2.6.36.1/drivers/acpi/battery.c 2010-11-06 18:58:15.000000000 -0400
20953 @@ -809,7 +809,7 @@ DECLARE_FILE_FUNCTIONS(alarm);
20956 static struct battery_file {
20957 - struct file_operations ops;
20958 + const struct file_operations ops;
20961 } acpi_battery_file[] = {
20962 diff -urNp linux-2.6.36.1/drivers/acpi/blacklist.c linux-2.6.36.1/drivers/acpi/blacklist.c
20963 --- linux-2.6.36.1/drivers/acpi/blacklist.c 2010-10-20 16:30:22.000000000 -0400
20964 +++ linux-2.6.36.1/drivers/acpi/blacklist.c 2010-11-06 18:58:15.000000000 -0400
20965 @@ -73,7 +73,7 @@ static struct acpi_blacklist_item acpi_b
20966 {"IBM ", "TP600E ", 0x00000105, ACPI_SIG_DSDT, less_than_or_equal,
20967 "Incorrect _ADR", 1},
20970 + {"", "", 0, NULL, all_versions, NULL, 0}
20973 #if CONFIG_ACPI_BLACKLIST_YEAR
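Review bot: The list terminator at line 20970 is now a positional initializer that has to name every member of struct acpi_blacklist_item in declaration order, so a member added to or reordered in that struct later silently breaks the sentinel, whereas the previous brace form stayed all-zero regardless of layout. The same pattern is introduced for the pci_device_id tables in ahci.c and ata_piix.c, the DMI tables in processor_idle.c and ata_piix.c, and the ata_timing and blacklist tables in libata-core.c. If the spelled-out form exists to silence a missing-field-initializers warning, a designated initializer on a single member gives the same zero value without coupling the sentinel to the member count; otherwise `{ 0 }` is the conventional spelling.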
20974 diff -urNp linux-2.6.36.1/drivers/acpi/dock.c linux-2.6.36.1/drivers/acpi/dock.c
20975 --- linux-2.6.36.1/drivers/acpi/dock.c 2010-10-20 16:30:22.000000000 -0400
20976 +++ linux-2.6.36.1/drivers/acpi/dock.c 2010-11-06 18:58:15.000000000 -0400
20977 @@ -77,7 +77,7 @@ struct dock_dependent_device {
20978 struct list_head list;
20979 struct list_head hotplug_list;
20980 acpi_handle handle;
20981 - struct acpi_dock_ops *ops;
20982 + const struct acpi_dock_ops *ops;
20986 @@ -589,7 +589,7 @@ EXPORT_SYMBOL_GPL(unregister_dock_notifi
20987 * the dock driver after _DCK is executed.
20990 -register_hotplug_dock_device(acpi_handle handle, struct acpi_dock_ops *ops,
20991 +register_hotplug_dock_device(acpi_handle handle, const struct acpi_dock_ops *ops,
20994 struct dock_dependent_device *dd;
20995 diff -urNp linux-2.6.36.1/drivers/acpi/osl.c linux-2.6.36.1/drivers/acpi/osl.c
20996 --- linux-2.6.36.1/drivers/acpi/osl.c 2010-10-20 16:30:22.000000000 -0400
20997 +++ linux-2.6.36.1/drivers/acpi/osl.c 2010-11-06 18:58:15.000000000 -0400
20998 @@ -497,6 +497,8 @@ acpi_os_read_memory(acpi_physical_addres
20999 void __iomem *virt_addr;
21001 virt_addr = ioremap(phys_addr, width);
21003 + return AE_NO_MEMORY;
21007 @@ -525,6 +527,8 @@ acpi_os_write_memory(acpi_physical_addre
21008 void __iomem *virt_addr;
21010 virt_addr = ioremap(phys_addr, width);
21012 + return AE_NO_MEMORY;
21016 diff -urNp linux-2.6.36.1/drivers/acpi/power_meter.c linux-2.6.36.1/drivers/acpi/power_meter.c
21017 --- linux-2.6.36.1/drivers/acpi/power_meter.c 2010-10-20 16:30:22.000000000 -0400
21018 +++ linux-2.6.36.1/drivers/acpi/power_meter.c 2010-11-06 18:58:15.000000000 -0400
21019 @@ -316,8 +316,6 @@ static ssize_t set_trip(struct device *d
21026 mutex_lock(&resource->lock);
21027 resource->trip[attr->index - 7] = temp;
21028 diff -urNp linux-2.6.36.1/drivers/acpi/proc.c linux-2.6.36.1/drivers/acpi/proc.c
21029 --- linux-2.6.36.1/drivers/acpi/proc.c 2010-10-20 16:30:22.000000000 -0400
21030 +++ linux-2.6.36.1/drivers/acpi/proc.c 2010-11-06 18:58:15.000000000 -0400
21031 @@ -338,20 +338,15 @@ acpi_system_write_wakeup_device(struct f
21032 size_t count, loff_t * ppos)
21034 struct list_head *node, *next;
21036 - char str[5] = "";
21037 - unsigned int len = count;
21038 + char strbuf[5] = {0};
21039 struct acpi_device *found_dev = NULL;
21048 - if (copy_from_user(strbuf, buffer, len))
21049 + if (copy_from_user(strbuf, buffer, count))
21051 - strbuf[len] = '\0';
21052 - sscanf(strbuf, "%s", str);
21053 + strbuf[count] = '\0';
21055 mutex_lock(&acpi_device_lock);
21056 list_for_each_safe(node, next, &acpi_wakeup_device_list) {
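Review bot: `strbuf[count] = '\0';` at line 21053 writes past the five-byte buffer unless count has been clamped to 4 first; the clamp the original applied to `len` is not on this page (lines 21040-21047 are missing), so it must be confirmed that it now operates on `count`, and since count is `size_t` the old negative check is vacuous and can go. Removing `sscanf(strbuf, "%s", str)` also changes matching for bus_ids shorter than four characters: trailing whitespace such as the newline from a shell `echo` is no longer stripped, so a write of `LID` followed by a newline no longer compares equal to a three-character bus_id the way it did before. If that is intended, a short comment above the `strncmp` in the next hunk, `/* bus_id is compared verbatim, up to 4 bytes, whitespace included */`, would save the next reader a trip to the old code.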
21057 @@ -360,7 +355,7 @@ acpi_system_write_wakeup_device(struct f
21058 if (!dev->wakeup.flags.valid)
21061 - if (!strncmp(dev->pnp.bus_id, str, 4)) {
21062 + if (!strncmp(dev->pnp.bus_id, strbuf, 4)) {
21063 dev->wakeup.state.enabled =
21064 dev->wakeup.state.enabled ? 0 : 1;
21066 diff -urNp linux-2.6.36.1/drivers/acpi/processor_driver.c linux-2.6.36.1/drivers/acpi/processor_driver.c
21067 --- linux-2.6.36.1/drivers/acpi/processor_driver.c 2010-10-20 16:30:22.000000000 -0400
21068 +++ linux-2.6.36.1/drivers/acpi/processor_driver.c 2010-11-06 18:58:15.000000000 -0400
21069 @@ -507,7 +507,7 @@ static int __cpuinit acpi_processor_add(
21073 - BUG_ON((pr->id >= nr_cpu_ids) || (pr->id < 0));
21074 + BUG_ON(pr->id >= nr_cpu_ids);
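Review bot: Dropping `pr->id < 0` from the BUG_ON is only a no-op if `pr->id` is an unsigned type, which this hunk does not show; if it is signed, the lower-bound check still guards the cpu-id array indexing that follows. If it is unsigned, a comment such as `/* id is unsigned; only the upper bound can be out of range */` records why the second test was removed, so nobody reintroduces it.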
21078 diff -urNp linux-2.6.36.1/drivers/acpi/processor_idle.c linux-2.6.36.1/drivers/acpi/processor_idle.c
21079 --- linux-2.6.36.1/drivers/acpi/processor_idle.c 2010-10-20 16:30:22.000000000 -0400
21080 +++ linux-2.6.36.1/drivers/acpi/processor_idle.c 2010-11-06 18:58:15.000000000 -0400
21081 @@ -115,7 +115,7 @@ static struct dmi_system_id __cpuinitdat
21082 DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK Computer Inc."),
21083 DMI_MATCH(DMI_PRODUCT_NAME,"L8400B series Notebook PC")},
21086 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL},
21090 diff -urNp linux-2.6.36.1/drivers/acpi/sleep.c linux-2.6.36.1/drivers/acpi/sleep.c
21091 --- linux-2.6.36.1/drivers/acpi/sleep.c 2010-10-20 16:30:22.000000000 -0400
21092 +++ linux-2.6.36.1/drivers/acpi/sleep.c 2010-11-06 18:58:15.000000000 -0400
21093 @@ -319,7 +319,7 @@ static int acpi_suspend_state_valid(susp
21097 -static struct platform_suspend_ops acpi_suspend_ops = {
21098 +static const struct platform_suspend_ops acpi_suspend_ops = {
21099 .valid = acpi_suspend_state_valid,
21100 .begin = acpi_suspend_begin,
21101 .prepare_late = acpi_pm_prepare,
21102 @@ -347,7 +347,7 @@ static int acpi_suspend_begin_old(suspen
21103 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
21106 -static struct platform_suspend_ops acpi_suspend_ops_old = {
21107 +static const struct platform_suspend_ops acpi_suspend_ops_old = {
21108 .valid = acpi_suspend_state_valid,
21109 .begin = acpi_suspend_begin_old,
21110 .prepare_late = acpi_pm_pre_suspend,
21111 @@ -490,7 +490,7 @@ static void acpi_pm_thaw(void)
21112 acpi_enable_all_runtime_gpes();
21115 -static struct platform_hibernation_ops acpi_hibernation_ops = {
21116 +static const struct platform_hibernation_ops acpi_hibernation_ops = {
21117 .begin = acpi_hibernation_begin,
21118 .end = acpi_pm_end,
21119 .pre_snapshot = acpi_pm_prepare,
21120 @@ -533,7 +533,7 @@ static int acpi_hibernation_begin_old(vo
21121 * The following callbacks are used if the pre-ACPI 2.0 suspend ordering has
21124 -static struct platform_hibernation_ops acpi_hibernation_ops_old = {
21125 +static const struct platform_hibernation_ops acpi_hibernation_ops_old = {
21126 .begin = acpi_hibernation_begin_old,
21127 .end = acpi_pm_end,
21128 .pre_snapshot = acpi_pm_pre_suspend,
21129 diff -urNp linux-2.6.36.1/drivers/acpi/video.c linux-2.6.36.1/drivers/acpi/video.c
21130 --- linux-2.6.36.1/drivers/acpi/video.c 2010-10-20 16:30:22.000000000 -0400
21131 +++ linux-2.6.36.1/drivers/acpi/video.c 2010-11-06 18:58:15.000000000 -0400
21132 @@ -367,7 +367,7 @@ static int acpi_video_set_brightness(str
21133 vd->brightness->levels[request_level]);
21136 -static struct backlight_ops acpi_backlight_ops = {
21137 +static const struct backlight_ops acpi_backlight_ops = {
21138 .get_brightness = acpi_video_get_brightness,
21139 .update_status = acpi_video_set_brightness,
21141 diff -urNp linux-2.6.36.1/drivers/ata/ahci.c linux-2.6.36.1/drivers/ata/ahci.c
21142 --- linux-2.6.36.1/drivers/ata/ahci.c 2010-10-20 16:30:22.000000000 -0400
21143 +++ linux-2.6.36.1/drivers/ata/ahci.c 2010-11-06 18:58:15.000000000 -0400
21144 @@ -94,17 +94,17 @@ static struct scsi_host_template ahci_sh
21148 -static struct ata_port_operations ahci_vt8251_ops = {
21149 +static const struct ata_port_operations ahci_vt8251_ops = {
21150 .inherits = &ahci_ops,
21151 .hardreset = ahci_vt8251_hardreset,
21154 -static struct ata_port_operations ahci_p5wdh_ops = {
21155 +static const struct ata_port_operations ahci_p5wdh_ops = {
21156 .inherits = &ahci_ops,
21157 .hardreset = ahci_p5wdh_hardreset,
21160 -static struct ata_port_operations ahci_sb600_ops = {
21161 +static const struct ata_port_operations ahci_sb600_ops = {
21162 .inherits = &ahci_ops,
21163 .softreset = ahci_sb600_softreset,
21164 .pmp_softreset = ahci_sb600_softreset,
21165 @@ -388,7 +388,7 @@ static const struct pci_device_id ahci_p
21166 { PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID,
21167 PCI_CLASS_STORAGE_SATA_AHCI, 0xffffff, board_ahci },
21169 - { } /* terminate list */
21170 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21174 diff -urNp linux-2.6.36.1/drivers/ata/ahci.h linux-2.6.36.1/drivers/ata/ahci.h
21175 --- linux-2.6.36.1/drivers/ata/ahci.h 2010-11-26 18:26:24.000000000 -0500
21176 +++ linux-2.6.36.1/drivers/ata/ahci.h 2010-11-26 18:27:07.000000000 -0500
21177 @@ -310,7 +310,7 @@ extern struct device_attribute *ahci_sde
21178 .shost_attrs = ahci_shost_attrs, \
21179 .sdev_attrs = ahci_sdev_attrs
21181 -extern struct ata_port_operations ahci_ops;
21182 +extern const struct ata_port_operations ahci_ops;
21184 void ahci_save_initial_config(struct device *dev,
21185 struct ahci_host_priv *hpriv,
21186 diff -urNp linux-2.6.36.1/drivers/ata/ata_generic.c linux-2.6.36.1/drivers/ata/ata_generic.c
21187 --- linux-2.6.36.1/drivers/ata/ata_generic.c 2010-10-20 16:30:22.000000000 -0400
21188 +++ linux-2.6.36.1/drivers/ata/ata_generic.c 2010-11-06 18:58:15.000000000 -0400
21189 @@ -100,7 +100,7 @@ static struct scsi_host_template generic
21190 ATA_BMDMA_SHT(DRV_NAME),
21193 -static struct ata_port_operations generic_port_ops = {
21194 +static const struct ata_port_operations generic_port_ops = {
21195 .inherits = &ata_bmdma_port_ops,
21196 .cable_detect = ata_cable_unknown,
21197 .set_mode = generic_set_mode,
21198 diff -urNp linux-2.6.36.1/drivers/ata/ata_piix.c linux-2.6.36.1/drivers/ata/ata_piix.c
21199 --- linux-2.6.36.1/drivers/ata/ata_piix.c 2010-10-20 16:30:22.000000000 -0400
21200 +++ linux-2.6.36.1/drivers/ata/ata_piix.c 2010-11-06 18:58:15.000000000 -0400
21201 @@ -306,7 +306,7 @@ static const struct pci_device_id piix_p
21202 { 0x8086, 0x1d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata },
21203 /* SATA Controller IDE (PBG) */
21204 { 0x8086, 0x1d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata },
21205 - { } /* terminate list */
21206 + { 0, 0, 0, 0, 0, 0, 0 } /* terminate list */
21209 static struct pci_driver piix_pci_driver = {
21210 @@ -324,12 +324,12 @@ static struct scsi_host_template piix_sh
21211 ATA_BMDMA_SHT(DRV_NAME),
21214 -static struct ata_port_operations piix_sata_ops = {
21215 +static const struct ata_port_operations piix_sata_ops = {
21216 .inherits = &ata_bmdma32_port_ops,
21217 .sff_irq_check = piix_irq_check,
21220 -static struct ata_port_operations piix_pata_ops = {
21221 +static const struct ata_port_operations piix_pata_ops = {
21222 .inherits = &piix_sata_ops,
21223 .cable_detect = ata_cable_40wire,
21224 .set_piomode = piix_set_piomode,
21225 @@ -337,18 +337,18 @@ static struct ata_port_operations piix_p
21226 .prereset = piix_pata_prereset,
21229 -static struct ata_port_operations piix_vmw_ops = {
21230 +static const struct ata_port_operations piix_vmw_ops = {
21231 .inherits = &piix_pata_ops,
21232 .bmdma_status = piix_vmw_bmdma_status,
21235 -static struct ata_port_operations ich_pata_ops = {
21236 +static const struct ata_port_operations ich_pata_ops = {
21237 .inherits = &piix_pata_ops,
21238 .cable_detect = ich_pata_cable_detect,
21239 .set_dmamode = ich_set_dmamode,
21242 -static struct ata_port_operations piix_sidpr_sata_ops = {
21243 +static const struct ata_port_operations piix_sidpr_sata_ops = {
21244 .inherits = &piix_sata_ops,
21245 .hardreset = sata_std_hardreset,
21246 .scr_read = piix_sidpr_scr_read,
21247 @@ -624,7 +624,7 @@ static const struct ich_laptop ich_lapto
21248 { 0x2653, 0x1043, 0x82D8 }, /* ICH6M on Asus Eee 701 */
21249 { 0x27df, 0x104d, 0x900e }, /* ICH7 on Sony TZ-90 */
21256 @@ -1116,7 +1116,7 @@ static int piix_broken_suspend(void)
21260 - { } /* terminate list */
21261 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL } /* terminate list */
21263 static const char *oemstrs[] = {
21265 diff -urNp linux-2.6.36.1/drivers/ata/libahci.c linux-2.6.36.1/drivers/ata/libahci.c
21266 --- linux-2.6.36.1/drivers/ata/libahci.c 2010-11-26 18:26:24.000000000 -0500
21267 +++ linux-2.6.36.1/drivers/ata/libahci.c 2010-11-26 18:27:07.000000000 -0500
21268 @@ -141,7 +141,7 @@ struct device_attribute *ahci_sdev_attrs
21270 EXPORT_SYMBOL_GPL(ahci_sdev_attrs);
21272 -struct ata_port_operations ahci_ops = {
21273 +const struct ata_port_operations ahci_ops = {
21274 .inherits = &sata_pmp_port_ops,
21276 .qc_defer = ahci_pmp_qc_defer,
21277 diff -urNp linux-2.6.36.1/drivers/ata/libata-acpi.c linux-2.6.36.1/drivers/ata/libata-acpi.c
21278 --- linux-2.6.36.1/drivers/ata/libata-acpi.c 2010-10-20 16:30:22.000000000 -0400
21279 +++ linux-2.6.36.1/drivers/ata/libata-acpi.c 2010-11-06 18:58:15.000000000 -0400
21280 @@ -218,12 +218,12 @@ static void ata_acpi_dev_uevent(acpi_han
21281 ata_acpi_uevent(dev->link->ap, dev, event);
21284 -static struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21285 +static const struct acpi_dock_ops ata_acpi_dev_dock_ops = {
21286 .handler = ata_acpi_dev_notify_dock,
21287 .uevent = ata_acpi_dev_uevent,
21290 -static struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21291 +static const struct acpi_dock_ops ata_acpi_ap_dock_ops = {
21292 .handler = ata_acpi_ap_notify_dock,
21293 .uevent = ata_acpi_ap_uevent,
21295 diff -urNp linux-2.6.36.1/drivers/ata/libata-core.c linux-2.6.36.1/drivers/ata/libata-core.c
21296 --- linux-2.6.36.1/drivers/ata/libata-core.c 2010-10-20 16:30:22.000000000 -0400
21297 +++ linux-2.6.36.1/drivers/ata/libata-core.c 2010-11-06 18:58:15.000000000 -0400
21298 @@ -899,7 +899,7 @@ static const struct ata_xfer_ent {
21299 { ATA_SHIFT_PIO, ATA_NR_PIO_MODES, XFER_PIO_0 },
21300 { ATA_SHIFT_MWDMA, ATA_NR_MWDMA_MODES, XFER_MW_DMA_0 },
21301 { ATA_SHIFT_UDMA, ATA_NR_UDMA_MODES, XFER_UDMA_0 },
21307 @@ -3071,7 +3071,7 @@ static const struct ata_timing ata_timin
21308 { XFER_UDMA_5, 0, 0, 0, 0, 0, 0, 0, 0, 20 },
21309 { XFER_UDMA_6, 0, 0, 0, 0, 0, 0, 0, 0, 15 },
21312 + { 0xFF, 0, 0, 0, 0, 0, 0, 0, 0 }
21315 #define ENOUGH(v, unit) (((v)-1)/(unit)+1)
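Review bot: The new ata_timing terminator at line 21312 lists nine values while the rows above it (for example the XFER_UDMA_6 row at line 21309) list ten, so the last member is still implicitly zero-initialized — which demonstrates that the explicit zeros add nothing over the original `{ 0xFF }`. Either add the tenth `0` so every row has the same shape, or keep `{ 0xFF }`, which also stays correct if struct ata_timing grows.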
21316 @@ -4260,7 +4260,7 @@ static const struct ata_blacklist_entry
21317 { "PIONEER DVD-RW DVRTD08", "1.00", ATA_HORKAGE_NOSETXFER },
21321 + { NULL, NULL, 0 }
21325 @@ -4865,7 +4865,7 @@ void ata_qc_free(struct ata_queued_cmd *
21326 struct ata_port *ap;
21329 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21330 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
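Review bot: The comment `/* ata_qc_from_tag _might_ return NULL */` now sits beside a BUG_ON that asserts the opposite, and the same pairing appears in the @@ -4881 hunk of __ata_qc_complete. The BUG_ON turns what would otherwise be a NULL dereference a few lines later into an explicit, logged failure, so the comment should say that instead: `/* a NULL qc is a caller bug; fail loudly rather than dereference it */`. In __ata_qc_complete the next line keeps a WARN_ON_ONCE for ATA_QCFLAG_ACTIVE, so a word on why one condition is fatal and the other is not would help the reader.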
21334 @@ -4881,7 +4881,7 @@ void __ata_qc_complete(struct ata_queued
21335 struct ata_port *ap;
21336 struct ata_link *link;
21338 - WARN_ON_ONCE(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21339 + BUG_ON(qc == NULL); /* ata_qc_from_tag _might_ return NULL */
21340 WARN_ON_ONCE(!(qc->flags & ATA_QCFLAG_ACTIVE));
21342 link = qc->dev->link;
21343 @@ -5866,7 +5866,7 @@ static void ata_host_stop(struct device
21347 -static void ata_finalize_port_ops(struct ata_port_operations *ops)
21348 +static void ata_finalize_port_ops(const struct ata_port_operations *ops)
21350 static DEFINE_SPINLOCK(lock);
21351 const struct ata_port_operations *cur;
21352 @@ -5878,6 +5878,7 @@ static void ata_finalize_port_ops(struct
21356 + pax_open_kernel();
21358 for (cur = ops->inherits; cur; cur = cur->inherits) {
21359 void **inherit = (void **)cur;
21360 @@ -5891,8 +5892,9 @@ static void ata_finalize_port_ops(struct
21364 - ops->inherits = NULL;
21365 + ((struct ata_port_operations *)ops)->inherits = NULL;
21367 + pax_close_kernel();
21368 spin_unlock(&lock);
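Review bot: `((struct ata_port_operations *)ops)->inherits = NULL;` at line 21365 casts away the const that this same commit adds to every port-operations table (for example `const struct ata_port_operations ahci_ops` in libahci.c); writing to an object defined const is undefined behaviour in C, and it presumably only works here because pax_open_kernel() makes the read-only data writable for the duration of the call. That contract belongs in a comment at the top of the function, e.g. `/* ops tables are const; this one-time flattening of ->inherits is the only writer and runs under pax_open_kernel() */`. The open/close pair in the @@ -5878 and @@ -5891 hunks sits inside the spin_lock/spin_unlock, which is the right nesting; the function starts before the @@ -5866 hunk, so the early-return path ahead of the lock cannot be checked from here.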
21371 @@ -5989,7 +5991,7 @@ int ata_host_start(struct ata_host *host
21373 /* KILLME - the only user left is ipr */
21374 void ata_host_init(struct ata_host *host, struct device *dev,
21375 - unsigned long flags, struct ata_port_operations *ops)
21376 + unsigned long flags, const struct ata_port_operations *ops)
21378 spin_lock_init(&host->lock);
21380 @@ -6630,7 +6632,7 @@ static void ata_dummy_error_handler(stru
21384 -struct ata_port_operations ata_dummy_port_ops = {
21385 +const struct ata_port_operations ata_dummy_port_ops = {
21386 .qc_prep = ata_noop_qc_prep,
21387 .qc_issue = ata_dummy_qc_issue,
21388 .error_handler = ata_dummy_error_handler,
21389 diff -urNp linux-2.6.36.1/drivers/ata/libata-eh.c linux-2.6.36.1/drivers/ata/libata-eh.c
21390 --- linux-2.6.36.1/drivers/ata/libata-eh.c 2010-10-20 16:30:22.000000000 -0400
21391 +++ linux-2.6.36.1/drivers/ata/libata-eh.c 2010-11-06 18:58:15.000000000 -0400
21392 @@ -3685,7 +3685,7 @@ void ata_do_eh(struct ata_port *ap, ata_
21394 void ata_std_error_handler(struct ata_port *ap)
21396 - struct ata_port_operations *ops = ap->ops;
21397 + const struct ata_port_operations *ops = ap->ops;
21398 ata_reset_fn_t hardreset = ops->hardreset;
21400 /* ignore built-in hardreset if SCR access is not available */
21401 diff -urNp linux-2.6.36.1/drivers/ata/libata-pmp.c linux-2.6.36.1/drivers/ata/libata-pmp.c
21402 --- linux-2.6.36.1/drivers/ata/libata-pmp.c 2010-10-20 16:30:22.000000000 -0400
21403 +++ linux-2.6.36.1/drivers/ata/libata-pmp.c 2010-11-06 18:58:15.000000000 -0400
21404 @@ -868,7 +868,7 @@ static int sata_pmp_handle_link_fail(str
21406 static int sata_pmp_eh_recover(struct ata_port *ap)
21408 - struct ata_port_operations *ops = ap->ops;
21409 + const struct ata_port_operations *ops = ap->ops;
21410 int pmp_tries, link_tries[SATA_PMP_MAX_PORTS];
21411 struct ata_link *pmp_link = &ap->link;
21412 struct ata_device *pmp_dev = pmp_link->device;
21413 diff -urNp linux-2.6.36.1/drivers/ata/pata_acpi.c linux-2.6.36.1/drivers/ata/pata_acpi.c
21414 --- linux-2.6.36.1/drivers/ata/pata_acpi.c 2010-10-20 16:30:22.000000000 -0400
21415 +++ linux-2.6.36.1/drivers/ata/pata_acpi.c 2010-11-06 18:58:15.000000000 -0400
21416 @@ -216,7 +216,7 @@ static struct scsi_host_template pacpi_s
21417 ATA_BMDMA_SHT(DRV_NAME),
21420 -static struct ata_port_operations pacpi_ops = {
21421 +static const struct ata_port_operations pacpi_ops = {
21422 .inherits = &ata_bmdma_port_ops,
21423 .qc_issue = pacpi_qc_issue,
21424 .cable_detect = pacpi_cable_detect,
21425 diff -urNp linux-2.6.36.1/drivers/ata/pata_ali.c linux-2.6.36.1/drivers/ata/pata_ali.c
21426 --- linux-2.6.36.1/drivers/ata/pata_ali.c 2010-10-20 16:30:22.000000000 -0400
21427 +++ linux-2.6.36.1/drivers/ata/pata_ali.c 2010-11-06 18:58:15.000000000 -0400
21428 @@ -363,7 +363,7 @@ static struct scsi_host_template ali_sht
21429 * Port operations for PIO only ALi
21432 -static struct ata_port_operations ali_early_port_ops = {
21433 +static const struct ata_port_operations ali_early_port_ops = {
21434 .inherits = &ata_sff_port_ops,
21435 .cable_detect = ata_cable_40wire,
21436 .set_piomode = ali_set_piomode,
21437 @@ -380,7 +380,7 @@ static const struct ata_port_operations
21438 * Port operations for DMA capable ALi without cable
21441 -static struct ata_port_operations ali_20_port_ops = {
21442 +static const struct ata_port_operations ali_20_port_ops = {
21443 .inherits = &ali_dma_base_ops,
21444 .cable_detect = ata_cable_40wire,
21445 .mode_filter = ali_20_filter,
21446 @@ -391,7 +391,7 @@ static struct ata_port_operations ali_20
21448 * Port operations for DMA capable ALi with cable detect
21450 -static struct ata_port_operations ali_c2_port_ops = {
21451 +static const struct ata_port_operations ali_c2_port_ops = {
21452 .inherits = &ali_dma_base_ops,
21453 .check_atapi_dma = ali_check_atapi_dma,
21454 .cable_detect = ali_c2_cable_detect,
21455 @@ -402,7 +402,7 @@ static struct ata_port_operations ali_c2
21457 * Port operations for DMA capable ALi with cable detect
21459 -static struct ata_port_operations ali_c4_port_ops = {
21460 +static const struct ata_port_operations ali_c4_port_ops = {
21461 .inherits = &ali_dma_base_ops,
21462 .check_atapi_dma = ali_check_atapi_dma,
21463 .cable_detect = ali_c2_cable_detect,
21464 @@ -412,7 +412,7 @@ static struct ata_port_operations ali_c4
21466 * Port operations for DMA capable ALi with cable detect and LBA48
21468 -static struct ata_port_operations ali_c5_port_ops = {
21469 +static const struct ata_port_operations ali_c5_port_ops = {
21470 .inherits = &ali_dma_base_ops,
21471 .check_atapi_dma = ali_check_atapi_dma,
21472 .dev_config = ali_warn_atapi_dma,
21473 diff -urNp linux-2.6.36.1/drivers/ata/pata_amd.c linux-2.6.36.1/drivers/ata/pata_amd.c
21474 --- linux-2.6.36.1/drivers/ata/pata_amd.c 2010-10-20 16:30:22.000000000 -0400
21475 +++ linux-2.6.36.1/drivers/ata/pata_amd.c 2010-11-06 18:58:15.000000000 -0400
21476 @@ -397,28 +397,28 @@ static const struct ata_port_operations
21477 .prereset = amd_pre_reset,
21480 -static struct ata_port_operations amd33_port_ops = {
21481 +static const struct ata_port_operations amd33_port_ops = {
21482 .inherits = &amd_base_port_ops,
21483 .cable_detect = ata_cable_40wire,
21484 .set_piomode = amd33_set_piomode,
21485 .set_dmamode = amd33_set_dmamode,
21488 -static struct ata_port_operations amd66_port_ops = {
21489 +static const struct ata_port_operations amd66_port_ops = {
21490 .inherits = &amd_base_port_ops,
21491 .cable_detect = ata_cable_unknown,
21492 .set_piomode = amd66_set_piomode,
21493 .set_dmamode = amd66_set_dmamode,
21496 -static struct ata_port_operations amd100_port_ops = {
21497 +static const struct ata_port_operations amd100_port_ops = {
21498 .inherits = &amd_base_port_ops,
21499 .cable_detect = ata_cable_unknown,
21500 .set_piomode = amd100_set_piomode,
21501 .set_dmamode = amd100_set_dmamode,
21504 -static struct ata_port_operations amd133_port_ops = {
21505 +static const struct ata_port_operations amd133_port_ops = {
21506 .inherits = &amd_base_port_ops,
21507 .cable_detect = amd_cable_detect,
21508 .set_piomode = amd133_set_piomode,
21509 @@ -433,13 +433,13 @@ static const struct ata_port_operations
21510 .host_stop = nv_host_stop,
21513 -static struct ata_port_operations nv100_port_ops = {
21514 +static const struct ata_port_operations nv100_port_ops = {
21515 .inherits = &nv_base_port_ops,
21516 .set_piomode = nv100_set_piomode,
21517 .set_dmamode = nv100_set_dmamode,
21520 -static struct ata_port_operations nv133_port_ops = {
21521 +static const struct ata_port_operations nv133_port_ops = {
21522 .inherits = &nv_base_port_ops,
21523 .set_piomode = nv133_set_piomode,
21524 .set_dmamode = nv133_set_dmamode,
21525 diff -urNp linux-2.6.36.1/drivers/ata/pata_artop.c linux-2.6.36.1/drivers/ata/pata_artop.c
21526 --- linux-2.6.36.1/drivers/ata/pata_artop.c 2010-10-20 16:30:22.000000000 -0400
21527 +++ linux-2.6.36.1/drivers/ata/pata_artop.c 2010-11-06 18:58:15.000000000 -0400
21528 @@ -312,7 +312,7 @@ static struct scsi_host_template artop_s
21529 ATA_BMDMA_SHT(DRV_NAME),
21532 -static struct ata_port_operations artop6210_ops = {
21533 +static const struct ata_port_operations artop6210_ops = {
21534 .inherits = &ata_bmdma_port_ops,
21535 .cable_detect = ata_cable_40wire,
21536 .set_piomode = artop6210_set_piomode,
21537 @@ -321,7 +321,7 @@ static struct ata_port_operations artop6
21538 .qc_defer = artop6210_qc_defer,
21541 -static struct ata_port_operations artop6260_ops = {
21542 +static const struct ata_port_operations artop6260_ops = {
21543 .inherits = &ata_bmdma_port_ops,
21544 .cable_detect = artop6260_cable_detect,
21545 .set_piomode = artop6260_set_piomode,
21546 diff -urNp linux-2.6.36.1/drivers/ata/pata_at32.c linux-2.6.36.1/drivers/ata/pata_at32.c
21547 --- linux-2.6.36.1/drivers/ata/pata_at32.c 2010-10-20 16:30:22.000000000 -0400
21548 +++ linux-2.6.36.1/drivers/ata/pata_at32.c 2010-11-06 18:58:15.000000000 -0400
21549 @@ -173,7 +173,7 @@ static struct scsi_host_template at32_sh
21550 ATA_PIO_SHT(DRV_NAME),
21553 -static struct ata_port_operations at32_port_ops = {
21554 +static const struct ata_port_operations at32_port_ops = {
21555 .inherits = &ata_sff_port_ops,
21556 .cable_detect = ata_cable_40wire,
21557 .set_piomode = pata_at32_set_piomode,
21558 diff -urNp linux-2.6.36.1/drivers/ata/pata_at91.c linux-2.6.36.1/drivers/ata/pata_at91.c
21559 --- linux-2.6.36.1/drivers/ata/pata_at91.c 2010-10-20 16:30:22.000000000 -0400
21560 +++ linux-2.6.36.1/drivers/ata/pata_at91.c 2010-11-06 18:58:15.000000000 -0400
21561 @@ -196,7 +196,7 @@ static struct scsi_host_template pata_at
21562 ATA_PIO_SHT(DRV_NAME),
21565 -static struct ata_port_operations pata_at91_port_ops = {
21566 +static const struct ata_port_operations pata_at91_port_ops = {
21567 .inherits = &ata_sff_port_ops,
21569 .sff_data_xfer = pata_at91_data_xfer_noirq,
21570 diff -urNp linux-2.6.36.1/drivers/ata/pata_atiixp.c linux-2.6.36.1/drivers/ata/pata_atiixp.c
21571 --- linux-2.6.36.1/drivers/ata/pata_atiixp.c 2010-10-20 16:30:22.000000000 -0400
21572 +++ linux-2.6.36.1/drivers/ata/pata_atiixp.c 2010-11-06 18:58:15.000000000 -0400
21573 @@ -214,7 +214,7 @@ static struct scsi_host_template atiixp_
21574 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21577 -static struct ata_port_operations atiixp_port_ops = {
21578 +static const struct ata_port_operations atiixp_port_ops = {
21579 .inherits = &ata_bmdma_port_ops,
21581 .qc_prep = ata_bmdma_dumb_qc_prep,
21582 diff -urNp linux-2.6.36.1/drivers/ata/pata_atp867x.c linux-2.6.36.1/drivers/ata/pata_atp867x.c
21583 --- linux-2.6.36.1/drivers/ata/pata_atp867x.c 2010-10-20 16:30:22.000000000 -0400
21584 +++ linux-2.6.36.1/drivers/ata/pata_atp867x.c 2010-11-06 18:58:15.000000000 -0400
21585 @@ -275,7 +275,7 @@ static struct scsi_host_template atp867x
21586 ATA_BMDMA_SHT(DRV_NAME),
21589 -static struct ata_port_operations atp867x_ops = {
21590 +static const struct ata_port_operations atp867x_ops = {
21591 .inherits = &ata_bmdma_port_ops,
21592 .cable_detect = atp867x_cable_detect,
21593 .set_piomode = atp867x_set_piomode,
21594 diff -urNp linux-2.6.36.1/drivers/ata/pata_bf54x.c linux-2.6.36.1/drivers/ata/pata_bf54x.c
21595 --- linux-2.6.36.1/drivers/ata/pata_bf54x.c 2010-10-20 16:30:22.000000000 -0400
21596 +++ linux-2.6.36.1/drivers/ata/pata_bf54x.c 2010-11-06 18:58:15.000000000 -0400
21597 @@ -1420,7 +1420,7 @@ static struct scsi_host_template bfin_sh
21598 .dma_boundary = ATA_DMA_BOUNDARY,
21601 -static struct ata_port_operations bfin_pata_ops = {
21602 +static const struct ata_port_operations bfin_pata_ops = {
21603 .inherits = &ata_bmdma_port_ops,
21605 .set_piomode = bfin_set_piomode,
21606 diff -urNp linux-2.6.36.1/drivers/ata/pata_cmd640.c linux-2.6.36.1/drivers/ata/pata_cmd640.c
21607 --- linux-2.6.36.1/drivers/ata/pata_cmd640.c 2010-10-20 16:30:22.000000000 -0400
21608 +++ linux-2.6.36.1/drivers/ata/pata_cmd640.c 2010-11-06 18:58:15.000000000 -0400
21609 @@ -165,7 +165,7 @@ static struct scsi_host_template cmd640_
21610 ATA_PIO_SHT(DRV_NAME),
21613 -static struct ata_port_operations cmd640_port_ops = {
21614 +static const struct ata_port_operations cmd640_port_ops = {
21615 .inherits = &ata_sff_port_ops,
21616 /* In theory xfer_noirq is not needed once we kill the prefetcher */
21617 .sff_data_xfer = ata_sff_data_xfer_noirq,
21618 diff -urNp linux-2.6.36.1/drivers/ata/pata_cmd64x.c linux-2.6.36.1/drivers/ata/pata_cmd64x.c
21619 --- linux-2.6.36.1/drivers/ata/pata_cmd64x.c 2010-10-20 16:30:22.000000000 -0400
21620 +++ linux-2.6.36.1/drivers/ata/pata_cmd64x.c 2010-11-06 18:58:15.000000000 -0400
21621 @@ -268,18 +268,18 @@ static const struct ata_port_operations
21622 .set_dmamode = cmd64x_set_dmamode,
21625 -static struct ata_port_operations cmd64x_port_ops = {
21626 +static const struct ata_port_operations cmd64x_port_ops = {
21627 .inherits = &cmd64x_base_ops,
21628 .cable_detect = ata_cable_40wire,
21631 -static struct ata_port_operations cmd646r1_port_ops = {
21632 +static const struct ata_port_operations cmd646r1_port_ops = {
21633 .inherits = &cmd64x_base_ops,
21634 .bmdma_stop = cmd646r1_bmdma_stop,
21635 .cable_detect = ata_cable_40wire,
21638 -static struct ata_port_operations cmd648_port_ops = {
21639 +static const struct ata_port_operations cmd648_port_ops = {
21640 .inherits = &cmd64x_base_ops,
21641 .bmdma_stop = cmd648_bmdma_stop,
21642 .cable_detect = cmd648_cable_detect,
21643 diff -urNp linux-2.6.36.1/drivers/ata/pata_cs5520.c linux-2.6.36.1/drivers/ata/pata_cs5520.c
21644 --- linux-2.6.36.1/drivers/ata/pata_cs5520.c 2010-10-20 16:30:22.000000000 -0400
21645 +++ linux-2.6.36.1/drivers/ata/pata_cs5520.c 2010-11-06 18:58:15.000000000 -0400
21646 @@ -108,7 +108,7 @@ static struct scsi_host_template cs5520_
21647 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21650 -static struct ata_port_operations cs5520_port_ops = {
21651 +static const struct ata_port_operations cs5520_port_ops = {
21652 .inherits = &ata_bmdma_port_ops,
21653 .qc_prep = ata_bmdma_dumb_qc_prep,
21654 .cable_detect = ata_cable_40wire,
21655 diff -urNp linux-2.6.36.1/drivers/ata/pata_cs5530.c linux-2.6.36.1/drivers/ata/pata_cs5530.c
21656 --- linux-2.6.36.1/drivers/ata/pata_cs5530.c 2010-10-20 16:30:22.000000000 -0400
21657 +++ linux-2.6.36.1/drivers/ata/pata_cs5530.c 2010-11-06 18:58:15.000000000 -0400
21658 @@ -164,7 +164,7 @@ static struct scsi_host_template cs5530_
21659 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
21662 -static struct ata_port_operations cs5530_port_ops = {
21663 +static const struct ata_port_operations cs5530_port_ops = {
21664 .inherits = &ata_bmdma_port_ops,
21666 .qc_prep = ata_bmdma_dumb_qc_prep,
21667 diff -urNp linux-2.6.36.1/drivers/ata/pata_cs5535.c linux-2.6.36.1/drivers/ata/pata_cs5535.c
21668 --- linux-2.6.36.1/drivers/ata/pata_cs5535.c 2010-10-20 16:30:22.000000000 -0400
21669 +++ linux-2.6.36.1/drivers/ata/pata_cs5535.c 2010-11-06 18:58:15.000000000 -0400
21670 @@ -160,7 +160,7 @@ static struct scsi_host_template cs5535_
21671 ATA_BMDMA_SHT(DRV_NAME),
21674 -static struct ata_port_operations cs5535_port_ops = {
21675 +static const struct ata_port_operations cs5535_port_ops = {
21676 .inherits = &ata_bmdma_port_ops,
21677 .cable_detect = cs5535_cable_detect,
21678 .set_piomode = cs5535_set_piomode,
21679 diff -urNp linux-2.6.36.1/drivers/ata/pata_cs5536.c linux-2.6.36.1/drivers/ata/pata_cs5536.c
21680 --- linux-2.6.36.1/drivers/ata/pata_cs5536.c 2010-10-20 16:30:22.000000000 -0400
21681 +++ linux-2.6.36.1/drivers/ata/pata_cs5536.c 2010-11-06 18:58:15.000000000 -0400
21682 @@ -223,7 +223,7 @@ static struct scsi_host_template cs5536_
21683 ATA_BMDMA_SHT(DRV_NAME),
21686 -static struct ata_port_operations cs5536_port_ops = {
21687 +static const struct ata_port_operations cs5536_port_ops = {
21688 .inherits = &ata_bmdma32_port_ops,
21689 .cable_detect = cs5536_cable_detect,
21690 .set_piomode = cs5536_set_piomode,
21691 diff -urNp linux-2.6.36.1/drivers/ata/pata_cypress.c linux-2.6.36.1/drivers/ata/pata_cypress.c
21692 --- linux-2.6.36.1/drivers/ata/pata_cypress.c 2010-10-20 16:30:22.000000000 -0400
21693 +++ linux-2.6.36.1/drivers/ata/pata_cypress.c 2010-11-06 18:58:15.000000000 -0400
21694 @@ -115,7 +115,7 @@ static struct scsi_host_template cy82c69
21695 ATA_BMDMA_SHT(DRV_NAME),
21698 -static struct ata_port_operations cy82c693_port_ops = {
21699 +static const struct ata_port_operations cy82c693_port_ops = {
21700 .inherits = &ata_bmdma_port_ops,
21701 .cable_detect = ata_cable_40wire,
21702 .set_piomode = cy82c693_set_piomode,
21703 diff -urNp linux-2.6.36.1/drivers/ata/pata_efar.c linux-2.6.36.1/drivers/ata/pata_efar.c
21704 --- linux-2.6.36.1/drivers/ata/pata_efar.c 2010-10-20 16:30:22.000000000 -0400
21705 +++ linux-2.6.36.1/drivers/ata/pata_efar.c 2010-11-06 18:58:15.000000000 -0400
21706 @@ -238,7 +238,7 @@ static struct scsi_host_template efar_sh
21707 ATA_BMDMA_SHT(DRV_NAME),
21710 -static struct ata_port_operations efar_ops = {
21711 +static const struct ata_port_operations efar_ops = {
21712 .inherits = &ata_bmdma_port_ops,
21713 .cable_detect = efar_cable_detect,
21714 .set_piomode = efar_set_piomode,
21715 diff -urNp linux-2.6.36.1/drivers/ata/pata_hpt366.c linux-2.6.36.1/drivers/ata/pata_hpt366.c
21716 --- linux-2.6.36.1/drivers/ata/pata_hpt366.c 2010-10-20 16:30:22.000000000 -0400
21717 +++ linux-2.6.36.1/drivers/ata/pata_hpt366.c 2010-11-06 18:58:15.000000000 -0400
21718 @@ -269,7 +269,7 @@ static struct scsi_host_template hpt36x_
21719 * Configuration for HPT366/68
21722 -static struct ata_port_operations hpt366_port_ops = {
21723 +static const struct ata_port_operations hpt366_port_ops = {
21724 .inherits = &ata_bmdma_port_ops,
21725 .cable_detect = hpt36x_cable_detect,
21726 .mode_filter = hpt366_filter,
21727 diff -urNp linux-2.6.36.1/drivers/ata/pata_hpt37x.c linux-2.6.36.1/drivers/ata/pata_hpt37x.c
21728 --- linux-2.6.36.1/drivers/ata/pata_hpt37x.c 2010-10-20 16:30:22.000000000 -0400
21729 +++ linux-2.6.36.1/drivers/ata/pata_hpt37x.c 2010-11-06 18:58:15.000000000 -0400
21730 @@ -564,7 +564,7 @@ static struct scsi_host_template hpt37x_
21731 * Configuration for HPT370
21734 -static struct ata_port_operations hpt370_port_ops = {
21735 +static const struct ata_port_operations hpt370_port_ops = {
21736 .inherits = &ata_bmdma_port_ops,
21738 .bmdma_stop = hpt370_bmdma_stop,
21739 @@ -580,7 +580,7 @@ static struct ata_port_operations hpt370
21740 * Configuration for HPT370A. Close to 370 but less filters
21743 -static struct ata_port_operations hpt370a_port_ops = {
21744 +static const struct ata_port_operations hpt370a_port_ops = {
21745 .inherits = &hpt370_port_ops,
21746 .mode_filter = hpt370a_filter,
21748 @@ -590,7 +590,7 @@ static struct ata_port_operations hpt370
21749 * and DMA mode setting functionality.
21752 -static struct ata_port_operations hpt372_port_ops = {
21753 +static const struct ata_port_operations hpt372_port_ops = {
21754 .inherits = &ata_bmdma_port_ops,
21756 .bmdma_stop = hpt37x_bmdma_stop,
21757 @@ -606,7 +606,7 @@ static struct ata_port_operations hpt372
21758 * but we have a different cable detection procedure for function 1.
21761 -static struct ata_port_operations hpt374_fn1_port_ops = {
21762 +static const struct ata_port_operations hpt374_fn1_port_ops = {
21763 .inherits = &hpt372_port_ops,
21764 .cable_detect = hpt374_fn1_cable_detect,
21765 .prereset = hpt37x_pre_reset,
21766 diff -urNp linux-2.6.36.1/drivers/ata/pata_hpt3x2n.c linux-2.6.36.1/drivers/ata/pata_hpt3x2n.c
21767 --- linux-2.6.36.1/drivers/ata/pata_hpt3x2n.c 2010-10-20 16:30:22.000000000 -0400
21768 +++ linux-2.6.36.1/drivers/ata/pata_hpt3x2n.c 2010-11-06 18:58:15.000000000 -0400
21769 @@ -331,7 +331,7 @@ static struct scsi_host_template hpt3x2n
21770 * Configuration for HPT3x2n.
21773 -static struct ata_port_operations hpt3x2n_port_ops = {
21774 +static const struct ata_port_operations hpt3x2n_port_ops = {
21775 .inherits = &ata_bmdma_port_ops,
21777 .bmdma_stop = hpt3x2n_bmdma_stop,
21778 diff -urNp linux-2.6.36.1/drivers/ata/pata_hpt3x3.c linux-2.6.36.1/drivers/ata/pata_hpt3x3.c
21779 --- linux-2.6.36.1/drivers/ata/pata_hpt3x3.c 2010-10-20 16:30:22.000000000 -0400
21780 +++ linux-2.6.36.1/drivers/ata/pata_hpt3x3.c 2010-11-06 18:58:15.000000000 -0400
21781 @@ -141,7 +141,7 @@ static struct scsi_host_template hpt3x3_
21782 ATA_BMDMA_SHT(DRV_NAME),
21785 -static struct ata_port_operations hpt3x3_port_ops = {
21786 +static const struct ata_port_operations hpt3x3_port_ops = {
21787 .inherits = &ata_bmdma_port_ops,
21788 .cable_detect = ata_cable_40wire,
21789 .set_piomode = hpt3x3_set_piomode,
21790 diff -urNp linux-2.6.36.1/drivers/ata/pata_icside.c linux-2.6.36.1/drivers/ata/pata_icside.c
21791 --- linux-2.6.36.1/drivers/ata/pata_icside.c 2010-10-20 16:30:22.000000000 -0400
21792 +++ linux-2.6.36.1/drivers/ata/pata_icside.c 2010-11-06 18:58:15.000000000 -0400
21793 @@ -320,7 +320,7 @@ static void pata_icside_postreset(struct
21797 -static struct ata_port_operations pata_icside_port_ops = {
21798 +static const struct ata_port_operations pata_icside_port_ops = {
21799 .inherits = &ata_bmdma_port_ops,
21800 /* no need to build any PRD tables for DMA */
21801 .qc_prep = ata_noop_qc_prep,
21802 diff -urNp linux-2.6.36.1/drivers/ata/pata_isapnp.c linux-2.6.36.1/drivers/ata/pata_isapnp.c
21803 --- linux-2.6.36.1/drivers/ata/pata_isapnp.c 2010-10-20 16:30:22.000000000 -0400
21804 +++ linux-2.6.36.1/drivers/ata/pata_isapnp.c 2010-11-06 18:58:15.000000000 -0400
21805 @@ -23,12 +23,12 @@ static struct scsi_host_template isapnp_
21806 ATA_PIO_SHT(DRV_NAME),
21809 -static struct ata_port_operations isapnp_port_ops = {
21810 +static const struct ata_port_operations isapnp_port_ops = {
21811 .inherits = &ata_sff_port_ops,
21812 .cable_detect = ata_cable_40wire,
21815 -static struct ata_port_operations isapnp_noalt_port_ops = {
21816 +static const struct ata_port_operations isapnp_noalt_port_ops = {
21817 .inherits = &ata_sff_port_ops,
21818 .cable_detect = ata_cable_40wire,
21819 /* No altstatus so we don't want to use the lost interrupt poll */
21820 diff -urNp linux-2.6.36.1/drivers/ata/pata_it8213.c linux-2.6.36.1/drivers/ata/pata_it8213.c
21821 --- linux-2.6.36.1/drivers/ata/pata_it8213.c 2010-10-20 16:30:22.000000000 -0400
21822 +++ linux-2.6.36.1/drivers/ata/pata_it8213.c 2010-11-06 18:58:15.000000000 -0400
21823 @@ -233,7 +233,7 @@ static struct scsi_host_template it8213_
21827 -static struct ata_port_operations it8213_ops = {
21828 +static const struct ata_port_operations it8213_ops = {
21829 .inherits = &ata_bmdma_port_ops,
21830 .cable_detect = it8213_cable_detect,
21831 .set_piomode = it8213_set_piomode,
21832 diff -urNp linux-2.6.36.1/drivers/ata/pata_it821x.c linux-2.6.36.1/drivers/ata/pata_it821x.c
21833 --- linux-2.6.36.1/drivers/ata/pata_it821x.c 2010-10-20 16:30:22.000000000 -0400
21834 +++ linux-2.6.36.1/drivers/ata/pata_it821x.c 2010-11-06 18:58:15.000000000 -0400
21835 @@ -801,7 +801,7 @@ static struct scsi_host_template it821x_
21836 ATA_BMDMA_SHT(DRV_NAME),
21839 -static struct ata_port_operations it821x_smart_port_ops = {
21840 +static const struct ata_port_operations it821x_smart_port_ops = {
21841 .inherits = &ata_bmdma_port_ops,
21843 .check_atapi_dma= it821x_check_atapi_dma,
21844 @@ -815,7 +815,7 @@ static struct ata_port_operations it821x
21845 .port_start = it821x_port_start,
21848 -static struct ata_port_operations it821x_passthru_port_ops = {
21849 +static const struct ata_port_operations it821x_passthru_port_ops = {
21850 .inherits = &ata_bmdma_port_ops,
21852 .check_atapi_dma= it821x_check_atapi_dma,
21853 @@ -831,7 +831,7 @@ static struct ata_port_operations it821x
21854 .port_start = it821x_port_start,
21857 -static struct ata_port_operations it821x_rdc_port_ops = {
21858 +static const struct ata_port_operations it821x_rdc_port_ops = {
21859 .inherits = &ata_bmdma_port_ops,
21861 .check_atapi_dma= it821x_check_atapi_dma,
21862 diff -urNp linux-2.6.36.1/drivers/ata/pata_ixp4xx_cf.c linux-2.6.36.1/drivers/ata/pata_ixp4xx_cf.c
21863 --- linux-2.6.36.1/drivers/ata/pata_ixp4xx_cf.c 2010-10-20 16:30:22.000000000 -0400
21864 +++ linux-2.6.36.1/drivers/ata/pata_ixp4xx_cf.c 2010-11-06 18:58:15.000000000 -0400
21865 @@ -89,7 +89,7 @@ static struct scsi_host_template ixp4xx_
21866 ATA_PIO_SHT(DRV_NAME),
21869 -static struct ata_port_operations ixp4xx_port_ops = {
21870 +static const struct ata_port_operations ixp4xx_port_ops = {
21871 .inherits = &ata_sff_port_ops,
21872 .sff_data_xfer = ixp4xx_mmio_data_xfer,
21873 .cable_detect = ata_cable_40wire,
21874 diff -urNp linux-2.6.36.1/drivers/ata/pata_jmicron.c linux-2.6.36.1/drivers/ata/pata_jmicron.c
21875 --- linux-2.6.36.1/drivers/ata/pata_jmicron.c 2010-10-20 16:30:22.000000000 -0400
21876 +++ linux-2.6.36.1/drivers/ata/pata_jmicron.c 2010-11-06 18:58:15.000000000 -0400
21877 @@ -111,7 +111,7 @@ static struct scsi_host_template jmicron
21878 ATA_BMDMA_SHT(DRV_NAME),
21881 -static struct ata_port_operations jmicron_ops = {
21882 +static const struct ata_port_operations jmicron_ops = {
21883 .inherits = &ata_bmdma_port_ops,
21884 .prereset = jmicron_pre_reset,
21886 diff -urNp linux-2.6.36.1/drivers/ata/pata_legacy.c linux-2.6.36.1/drivers/ata/pata_legacy.c
21887 --- linux-2.6.36.1/drivers/ata/pata_legacy.c 2010-10-20 16:30:22.000000000 -0400
21888 +++ linux-2.6.36.1/drivers/ata/pata_legacy.c 2010-11-06 18:58:15.000000000 -0400
21889 @@ -116,7 +116,7 @@ struct legacy_probe {
21891 struct legacy_controller {
21893 - struct ata_port_operations *ops;
21894 + const struct ata_port_operations *ops;
21895 unsigned int pio_mask;
21896 unsigned int flags;
21897 unsigned int pflags;
21898 @@ -239,12 +239,12 @@ static const struct ata_port_operations
21899 * pio_mask as well.
21902 -static struct ata_port_operations simple_port_ops = {
21903 +static const struct ata_port_operations simple_port_ops = {
21904 .inherits = &legacy_base_port_ops,
21905 .sff_data_xfer = ata_sff_data_xfer_noirq,
21908 -static struct ata_port_operations legacy_port_ops = {
21909 +static const struct ata_port_operations legacy_port_ops = {
21910 .inherits = &legacy_base_port_ops,
21911 .sff_data_xfer = ata_sff_data_xfer_noirq,
21912 .set_mode = legacy_set_mode,
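Review bot: Making these tables `const` moves the function-pointer vectors into read-only data, but in this tree libata resolves `.inherits` at host start by writing the parent chain's pointers into the derived table (`ata_finalize_port_ops()` in libata-core.c, which also clears `inherits`); with `simple_port_ops` and `legacy_port_ops` in rodata that write would fault unless the core is changed to fill a per-port copy instead. That counterpart is outside this view, so confirm the series carries it and that `ata_host_start()`/`ata_port_alloc()` never write through `ap->ops` anymore. The hunk header shows `legacy_base_port_ops` was already `const`, which is consistent with the core only reading base tables; the derived ones are the new case. If the copy lives on the port, a one-line comment here, `/* const: libata finalises .inherits into the per-port copy, never into this table */`, would save the next maintainer the same question.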
21913 @@ -340,7 +340,7 @@ static unsigned int pdc_data_xfer_vlb(st
21917 -static struct ata_port_operations pdc20230_port_ops = {
21918 +static const struct ata_port_operations pdc20230_port_ops = {
21919 .inherits = &legacy_base_port_ops,
21920 .set_piomode = pdc20230_set_piomode,
21921 .sff_data_xfer = pdc_data_xfer_vlb,
21922 @@ -373,7 +373,7 @@ static void ht6560a_set_piomode(struct a
21923 ioread8(ap->ioaddr.status_addr);
21926 -static struct ata_port_operations ht6560a_port_ops = {
21927 +static const struct ata_port_operations ht6560a_port_ops = {
21928 .inherits = &legacy_base_port_ops,
21929 .set_piomode = ht6560a_set_piomode,
21931 @@ -416,7 +416,7 @@ static void ht6560b_set_piomode(struct a
21932 ioread8(ap->ioaddr.status_addr);
21935 -static struct ata_port_operations ht6560b_port_ops = {
21936 +static const struct ata_port_operations ht6560b_port_ops = {
21937 .inherits = &legacy_base_port_ops,
21938 .set_piomode = ht6560b_set_piomode,
21940 @@ -515,7 +515,7 @@ static void opti82c611a_set_piomode(stru
21944 -static struct ata_port_operations opti82c611a_port_ops = {
21945 +static const struct ata_port_operations opti82c611a_port_ops = {
21946 .inherits = &legacy_base_port_ops,
21947 .set_piomode = opti82c611a_set_piomode,
21949 @@ -625,7 +625,7 @@ static unsigned int opti82c46x_qc_issue(
21950 return ata_sff_qc_issue(qc);
21953 -static struct ata_port_operations opti82c46x_port_ops = {
21954 +static const struct ata_port_operations opti82c46x_port_ops = {
21955 .inherits = &legacy_base_port_ops,
21956 .set_piomode = opti82c46x_set_piomode,
21957 .qc_issue = opti82c46x_qc_issue,
21958 @@ -787,20 +787,20 @@ static int qdi_port(struct platform_devi
21962 -static struct ata_port_operations qdi6500_port_ops = {
21963 +static const struct ata_port_operations qdi6500_port_ops = {
21964 .inherits = &legacy_base_port_ops,
21965 .set_piomode = qdi6500_set_piomode,
21966 .qc_issue = qdi_qc_issue,
21967 .sff_data_xfer = vlb32_data_xfer,
21970 -static struct ata_port_operations qdi6580_port_ops = {
21971 +static const struct ata_port_operations qdi6580_port_ops = {
21972 .inherits = &legacy_base_port_ops,
21973 .set_piomode = qdi6580_set_piomode,
21974 .sff_data_xfer = vlb32_data_xfer,
21977 -static struct ata_port_operations qdi6580dp_port_ops = {
21978 +static const struct ata_port_operations qdi6580dp_port_ops = {
21979 .inherits = &legacy_base_port_ops,
21980 .set_piomode = qdi6580dp_set_piomode,
21981 .qc_issue = qdi_qc_issue,
21982 @@ -872,7 +872,7 @@ static int winbond_port(struct platform_
21986 -static struct ata_port_operations winbond_port_ops = {
21987 +static const struct ata_port_operations winbond_port_ops = {
21988 .inherits = &legacy_base_port_ops,
21989 .set_piomode = winbond_set_piomode,
21990 .sff_data_xfer = vlb32_data_xfer,
21991 @@ -995,7 +995,7 @@ static __init int legacy_init_one(struct
21992 int pio_modes = controller->pio_mask;
21993 unsigned long io = probe->port;
21994 u32 mask = (1 << probe->slot);
21995 - struct ata_port_operations *ops = controller->ops;
21996 + const struct ata_port_operations *ops = controller->ops;
21997 struct legacy_data *ld = &legacy_data[probe->slot];
21998 struct ata_host *host = NULL;
21999 struct ata_port *ap;
22000 diff -urNp linux-2.6.36.1/drivers/ata/pata_macio.c linux-2.6.36.1/drivers/ata/pata_macio.c
22001 --- linux-2.6.36.1/drivers/ata/pata_macio.c 2010-10-20 16:30:22.000000000 -0400
22002 +++ linux-2.6.36.1/drivers/ata/pata_macio.c 2010-11-06 18:58:15.000000000 -0400
22003 @@ -918,9 +918,8 @@ static struct scsi_host_template pata_ma
22004 .slave_configure = pata_macio_slave_config,
22007 -static struct ata_port_operations pata_macio_ops = {
22008 +static const struct ata_port_operations pata_macio_ops = {
22009 .inherits = &ata_bmdma_port_ops,
22011 .freeze = pata_macio_freeze,
22012 .set_piomode = pata_macio_set_timings,
22013 .set_dmamode = pata_macio_set_timings,
22014 diff -urNp linux-2.6.36.1/drivers/ata/pata_marvell.c linux-2.6.36.1/drivers/ata/pata_marvell.c
22015 --- linux-2.6.36.1/drivers/ata/pata_marvell.c 2010-10-20 16:30:22.000000000 -0400
22016 +++ linux-2.6.36.1/drivers/ata/pata_marvell.c 2010-11-06 18:58:15.000000000 -0400
22017 @@ -100,7 +100,7 @@ static struct scsi_host_template marvell
22018 ATA_BMDMA_SHT(DRV_NAME),
22021 -static struct ata_port_operations marvell_ops = {
22022 +static const struct ata_port_operations marvell_ops = {
22023 .inherits = &ata_bmdma_port_ops,
22024 .cable_detect = marvell_cable_detect,
22025 .prereset = marvell_pre_reset,
22026 diff -urNp linux-2.6.36.1/drivers/ata/pata_mpc52xx.c linux-2.6.36.1/drivers/ata/pata_mpc52xx.c
22027 --- linux-2.6.36.1/drivers/ata/pata_mpc52xx.c 2010-10-20 16:30:22.000000000 -0400
22028 +++ linux-2.6.36.1/drivers/ata/pata_mpc52xx.c 2010-11-06 18:58:15.000000000 -0400
22029 @@ -609,7 +609,7 @@ static struct scsi_host_template mpc52xx
22030 ATA_PIO_SHT(DRV_NAME),
22033 -static struct ata_port_operations mpc52xx_ata_port_ops = {
22034 +static const struct ata_port_operations mpc52xx_ata_port_ops = {
22035 .inherits = &ata_sff_port_ops,
22036 .sff_dev_select = mpc52xx_ata_dev_select,
22037 .set_piomode = mpc52xx_ata_set_piomode,
22038 diff -urNp linux-2.6.36.1/drivers/ata/pata_mpiix.c linux-2.6.36.1/drivers/ata/pata_mpiix.c
22039 --- linux-2.6.36.1/drivers/ata/pata_mpiix.c 2010-10-20 16:30:22.000000000 -0400
22040 +++ linux-2.6.36.1/drivers/ata/pata_mpiix.c 2010-11-06 18:58:15.000000000 -0400
22041 @@ -140,7 +140,7 @@ static struct scsi_host_template mpiix_s
22042 ATA_PIO_SHT(DRV_NAME),
22045 -static struct ata_port_operations mpiix_port_ops = {
22046 +static const struct ata_port_operations mpiix_port_ops = {
22047 .inherits = &ata_sff_port_ops,
22048 .qc_issue = mpiix_qc_issue,
22049 .cable_detect = ata_cable_40wire,
22050 diff -urNp linux-2.6.36.1/drivers/ata/pata_netcell.c linux-2.6.36.1/drivers/ata/pata_netcell.c
22051 --- linux-2.6.36.1/drivers/ata/pata_netcell.c 2010-10-20 16:30:22.000000000 -0400
22052 +++ linux-2.6.36.1/drivers/ata/pata_netcell.c 2010-11-06 18:58:15.000000000 -0400
22053 @@ -34,7 +34,7 @@ static struct scsi_host_template netcell
22054 ATA_BMDMA_SHT(DRV_NAME),
22057 -static struct ata_port_operations netcell_ops = {
22058 +static const struct ata_port_operations netcell_ops = {
22059 .inherits = &ata_bmdma_port_ops,
22060 .cable_detect = ata_cable_80wire,
22061 .read_id = netcell_read_id,
22062 diff -urNp linux-2.6.36.1/drivers/ata/pata_ninja32.c linux-2.6.36.1/drivers/ata/pata_ninja32.c
22063 --- linux-2.6.36.1/drivers/ata/pata_ninja32.c 2010-10-20 16:30:22.000000000 -0400
22064 +++ linux-2.6.36.1/drivers/ata/pata_ninja32.c 2010-11-06 18:58:15.000000000 -0400
22065 @@ -81,7 +81,7 @@ static struct scsi_host_template ninja32
22066 ATA_BMDMA_SHT(DRV_NAME),
22069 -static struct ata_port_operations ninja32_port_ops = {
22070 +static const struct ata_port_operations ninja32_port_ops = {
22071 .inherits = &ata_bmdma_port_ops,
22072 .sff_dev_select = ninja32_dev_select,
22073 .cable_detect = ata_cable_40wire,
22074 diff -urNp linux-2.6.36.1/drivers/ata/pata_ns87410.c linux-2.6.36.1/drivers/ata/pata_ns87410.c
22075 --- linux-2.6.36.1/drivers/ata/pata_ns87410.c 2010-10-20 16:30:22.000000000 -0400
22076 +++ linux-2.6.36.1/drivers/ata/pata_ns87410.c 2010-11-06 18:58:15.000000000 -0400
22077 @@ -132,7 +132,7 @@ static struct scsi_host_template ns87410
22078 ATA_PIO_SHT(DRV_NAME),
22081 -static struct ata_port_operations ns87410_port_ops = {
22082 +static const struct ata_port_operations ns87410_port_ops = {
22083 .inherits = &ata_sff_port_ops,
22084 .qc_issue = ns87410_qc_issue,
22085 .cable_detect = ata_cable_40wire,
22086 diff -urNp linux-2.6.36.1/drivers/ata/pata_ns87415.c linux-2.6.36.1/drivers/ata/pata_ns87415.c
22087 --- linux-2.6.36.1/drivers/ata/pata_ns87415.c 2010-10-20 16:30:22.000000000 -0400
22088 +++ linux-2.6.36.1/drivers/ata/pata_ns87415.c 2010-11-06 18:58:15.000000000 -0400
22089 @@ -299,7 +299,7 @@ static u8 ns87560_bmdma_status(struct at
22091 #endif /* 87560 SuperIO Support */
22093 -static struct ata_port_operations ns87415_pata_ops = {
22094 +static const struct ata_port_operations ns87415_pata_ops = {
22095 .inherits = &ata_bmdma_port_ops,
22097 .check_atapi_dma = ns87415_check_atapi_dma,
22098 @@ -313,7 +313,7 @@ static struct ata_port_operations ns8741
22101 #if defined(CONFIG_SUPERIO)
22102 -static struct ata_port_operations ns87560_pata_ops = {
22103 +static const struct ata_port_operations ns87560_pata_ops = {
22104 .inherits = &ns87415_pata_ops,
22105 .sff_tf_read = ns87560_tf_read,
22106 .sff_check_status = ns87560_check_status,
22107 diff -urNp linux-2.6.36.1/drivers/ata/pata_octeon_cf.c linux-2.6.36.1/drivers/ata/pata_octeon_cf.c
22108 --- linux-2.6.36.1/drivers/ata/pata_octeon_cf.c 2010-10-20 16:30:22.000000000 -0400
22109 +++ linux-2.6.36.1/drivers/ata/pata_octeon_cf.c 2010-11-06 18:58:15.000000000 -0400
22110 @@ -782,6 +782,7 @@ static unsigned int octeon_cf_qc_issue(s
22114 +/* cannot be const */
22115 static struct ata_port_operations octeon_cf_ops = {
22116 .inherits = &ata_sff_port_ops,
22117 .check_atapi_dma = octeon_cf_check_atapi_dma,
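Review bot: The added `/* cannot be const */` names the exception without the reason, and this is the one ops table in the series that stays writable, so it is exactly the function-pointer target the rest of the constification removes. Say why in the comment so it is not blindly re-constified later and so the residual risk is visible, e.g. `/* cannot be const: probe patches the table at runtime (TODO: move the variant ops into separate const tables) */`; I infer the runtime write from the comment only, since the driver body is not in this hunk, so confirm against octeon_cf_probe(). If the write is just selecting between two or three variants, two `static const` tables chosen at probe time would let this table join the rest in rodata.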
22118 diff -urNp linux-2.6.36.1/drivers/ata/pata_oldpiix.c linux-2.6.36.1/drivers/ata/pata_oldpiix.c
22119 --- linux-2.6.36.1/drivers/ata/pata_oldpiix.c 2010-10-20 16:30:22.000000000 -0400
22120 +++ linux-2.6.36.1/drivers/ata/pata_oldpiix.c 2010-11-06 18:58:15.000000000 -0400
22121 @@ -208,7 +208,7 @@ static struct scsi_host_template oldpiix
22122 ATA_BMDMA_SHT(DRV_NAME),
22125 -static struct ata_port_operations oldpiix_pata_ops = {
22126 +static const struct ata_port_operations oldpiix_pata_ops = {
22127 .inherits = &ata_bmdma_port_ops,
22128 .qc_issue = oldpiix_qc_issue,
22129 .cable_detect = ata_cable_40wire,
22130 diff -urNp linux-2.6.36.1/drivers/ata/pata_opti.c linux-2.6.36.1/drivers/ata/pata_opti.c
22131 --- linux-2.6.36.1/drivers/ata/pata_opti.c 2010-10-20 16:30:22.000000000 -0400
22132 +++ linux-2.6.36.1/drivers/ata/pata_opti.c 2010-11-06 18:58:15.000000000 -0400
22133 @@ -152,7 +152,7 @@ static struct scsi_host_template opti_sh
22134 ATA_PIO_SHT(DRV_NAME),
22137 -static struct ata_port_operations opti_port_ops = {
22138 +static const struct ata_port_operations opti_port_ops = {
22139 .inherits = &ata_sff_port_ops,
22140 .cable_detect = ata_cable_40wire,
22141 .set_piomode = opti_set_piomode,
22142 diff -urNp linux-2.6.36.1/drivers/ata/pata_optidma.c linux-2.6.36.1/drivers/ata/pata_optidma.c
22143 --- linux-2.6.36.1/drivers/ata/pata_optidma.c 2010-10-20 16:30:22.000000000 -0400
22144 +++ linux-2.6.36.1/drivers/ata/pata_optidma.c 2010-11-06 18:58:15.000000000 -0400
22145 @@ -337,7 +337,7 @@ static struct scsi_host_template optidma
22146 ATA_BMDMA_SHT(DRV_NAME),
22149 -static struct ata_port_operations optidma_port_ops = {
22150 +static const struct ata_port_operations optidma_port_ops = {
22151 .inherits = &ata_bmdma_port_ops,
22152 .cable_detect = ata_cable_40wire,
22153 .set_piomode = optidma_set_pio_mode,
22154 @@ -346,7 +346,7 @@ static struct ata_port_operations optidm
22155 .prereset = optidma_pre_reset,
22158 -static struct ata_port_operations optiplus_port_ops = {
22159 +static const struct ata_port_operations optiplus_port_ops = {
22160 .inherits = &optidma_port_ops,
22161 .set_piomode = optiplus_set_pio_mode,
22162 .set_dmamode = optiplus_set_dma_mode,
22163 diff -urNp linux-2.6.36.1/drivers/ata/pata_palmld.c linux-2.6.36.1/drivers/ata/pata_palmld.c
22164 --- linux-2.6.36.1/drivers/ata/pata_palmld.c 2010-10-20 16:30:22.000000000 -0400
22165 +++ linux-2.6.36.1/drivers/ata/pata_palmld.c 2010-11-06 18:58:15.000000000 -0400
22166 @@ -37,7 +37,7 @@ static struct scsi_host_template palmld_
22167 ATA_PIO_SHT(DRV_NAME),
22170 -static struct ata_port_operations palmld_port_ops = {
22171 +static const struct ata_port_operations palmld_port_ops = {
22172 .inherits = &ata_sff_port_ops,
22173 .sff_data_xfer = ata_sff_data_xfer_noirq,
22174 .cable_detect = ata_cable_40wire,
22175 diff -urNp linux-2.6.36.1/drivers/ata/pata_pcmcia.c linux-2.6.36.1/drivers/ata/pata_pcmcia.c
22176 --- linux-2.6.36.1/drivers/ata/pata_pcmcia.c 2010-10-20 16:30:22.000000000 -0400
22177 +++ linux-2.6.36.1/drivers/ata/pata_pcmcia.c 2010-11-06 18:58:15.000000000 -0400
22178 @@ -152,14 +152,14 @@ static struct scsi_host_template pcmcia_
22179 ATA_PIO_SHT(DRV_NAME),
22182 -static struct ata_port_operations pcmcia_port_ops = {
22183 +static const struct ata_port_operations pcmcia_port_ops = {
22184 .inherits = &ata_sff_port_ops,
22185 .sff_data_xfer = ata_sff_data_xfer_noirq,
22186 .cable_detect = ata_cable_40wire,
22187 .set_mode = pcmcia_set_mode,
22190 -static struct ata_port_operations pcmcia_8bit_port_ops = {
22191 +static const struct ata_port_operations pcmcia_8bit_port_ops = {
22192 .inherits = &ata_sff_port_ops,
22193 .sff_data_xfer = ata_data_xfer_8bit,
22194 .cable_detect = ata_cable_40wire,
22195 @@ -244,7 +244,7 @@ static int pcmcia_init_one(struct pcmcia
22196 unsigned long io_base, ctl_base;
22197 void __iomem *io_addr, *ctl_addr;
22199 - struct ata_port_operations *ops = &pcmcia_port_ops;
22200 + const struct ata_port_operations *ops = &pcmcia_port_ops;
22202 /* Set up attributes in order to probe card and get resources */
22203 pdev->resource[0]->flags |= IO_DATA_PATH_WIDTH_AUTO;
22204 diff -urNp linux-2.6.36.1/drivers/ata/pata_pdc2027x.c linux-2.6.36.1/drivers/ata/pata_pdc2027x.c
22205 --- linux-2.6.36.1/drivers/ata/pata_pdc2027x.c 2010-10-20 16:30:22.000000000 -0400
22206 +++ linux-2.6.36.1/drivers/ata/pata_pdc2027x.c 2010-11-06 18:58:15.000000000 -0400
22207 @@ -132,14 +132,14 @@ static struct scsi_host_template pdc2027
22208 ATA_BMDMA_SHT(DRV_NAME),
22211 -static struct ata_port_operations pdc2027x_pata100_ops = {
22212 +static const struct ata_port_operations pdc2027x_pata100_ops = {
22213 .inherits = &ata_bmdma_port_ops,
22214 .check_atapi_dma = pdc2027x_check_atapi_dma,
22215 .cable_detect = pdc2027x_cable_detect,
22216 .prereset = pdc2027x_prereset,
22219 -static struct ata_port_operations pdc2027x_pata133_ops = {
22220 +static const struct ata_port_operations pdc2027x_pata133_ops = {
22221 .inherits = &pdc2027x_pata100_ops,
22222 .mode_filter = pdc2027x_mode_filter,
22223 .set_piomode = pdc2027x_set_piomode,
22224 diff -urNp linux-2.6.36.1/drivers/ata/pata_pdc202xx_old.c linux-2.6.36.1/drivers/ata/pata_pdc202xx_old.c
22225 --- linux-2.6.36.1/drivers/ata/pata_pdc202xx_old.c 2010-10-20 16:30:22.000000000 -0400
22226 +++ linux-2.6.36.1/drivers/ata/pata_pdc202xx_old.c 2010-11-06 18:58:15.000000000 -0400
22227 @@ -274,7 +274,7 @@ static struct scsi_host_template pdc202x
22228 ATA_BMDMA_SHT(DRV_NAME),
22231 -static struct ata_port_operations pdc2024x_port_ops = {
22232 +static const struct ata_port_operations pdc2024x_port_ops = {
22233 .inherits = &ata_bmdma_port_ops,
22235 .cable_detect = ata_cable_40wire,
22236 @@ -284,7 +284,7 @@ static struct ata_port_operations pdc202
22237 .sff_exec_command = pdc202xx_exec_command,
22240 -static struct ata_port_operations pdc2026x_port_ops = {
22241 +static const struct ata_port_operations pdc2026x_port_ops = {
22242 .inherits = &pdc2024x_port_ops,
22244 .check_atapi_dma = pdc2026x_check_atapi_dma,
22245 diff -urNp linux-2.6.36.1/drivers/ata/pata_piccolo.c linux-2.6.36.1/drivers/ata/pata_piccolo.c
22246 --- linux-2.6.36.1/drivers/ata/pata_piccolo.c 2010-10-20 16:30:22.000000000 -0400
22247 +++ linux-2.6.36.1/drivers/ata/pata_piccolo.c 2010-11-06 18:58:15.000000000 -0400
22248 @@ -67,7 +67,7 @@ static struct scsi_host_template tosh_sh
22249 ATA_BMDMA_SHT(DRV_NAME),
22252 -static struct ata_port_operations tosh_port_ops = {
22253 +static const struct ata_port_operations tosh_port_ops = {
22254 .inherits = &ata_bmdma_port_ops,
22255 .cable_detect = ata_cable_unknown,
22256 .set_piomode = tosh_set_piomode,
22257 diff -urNp linux-2.6.36.1/drivers/ata/pata_platform.c linux-2.6.36.1/drivers/ata/pata_platform.c
22258 --- linux-2.6.36.1/drivers/ata/pata_platform.c 2010-10-20 16:30:22.000000000 -0400
22259 +++ linux-2.6.36.1/drivers/ata/pata_platform.c 2010-11-06 18:58:15.000000000 -0400
22260 @@ -48,7 +48,7 @@ static struct scsi_host_template pata_pl
22261 ATA_PIO_SHT(DRV_NAME),
22264 -static struct ata_port_operations pata_platform_port_ops = {
22265 +static const struct ata_port_operations pata_platform_port_ops = {
22266 .inherits = &ata_sff_port_ops,
22267 .sff_data_xfer = ata_sff_data_xfer_noirq,
22268 .cable_detect = ata_cable_unknown,
22269 diff -urNp linux-2.6.36.1/drivers/ata/pata_pxa.c linux-2.6.36.1/drivers/ata/pata_pxa.c
22270 --- linux-2.6.36.1/drivers/ata/pata_pxa.c 2010-10-20 16:30:22.000000000 -0400
22271 +++ linux-2.6.36.1/drivers/ata/pata_pxa.c 2010-11-06 18:58:15.000000000 -0400
22272 @@ -198,7 +198,7 @@ static struct scsi_host_template pxa_ata
22273 ATA_BMDMA_SHT(DRV_NAME),
22276 -static struct ata_port_operations pxa_ata_port_ops = {
22277 +static const struct ata_port_operations pxa_ata_port_ops = {
22278 .inherits = &ata_bmdma_port_ops,
22279 .cable_detect = ata_cable_40wire,
22281 diff -urNp linux-2.6.36.1/drivers/ata/pata_qdi.c linux-2.6.36.1/drivers/ata/pata_qdi.c
22282 --- linux-2.6.36.1/drivers/ata/pata_qdi.c 2010-10-20 16:30:22.000000000 -0400
22283 +++ linux-2.6.36.1/drivers/ata/pata_qdi.c 2010-11-06 18:58:15.000000000 -0400
22284 @@ -157,7 +157,7 @@ static struct scsi_host_template qdi_sht
22285 ATA_PIO_SHT(DRV_NAME),
22288 -static struct ata_port_operations qdi6500_port_ops = {
22289 +static const struct ata_port_operations qdi6500_port_ops = {
22290 .inherits = &ata_sff_port_ops,
22291 .qc_issue = qdi_qc_issue,
22292 .sff_data_xfer = qdi_data_xfer,
22293 @@ -165,7 +165,7 @@ static struct ata_port_operations qdi650
22294 .set_piomode = qdi6500_set_piomode,
22297 -static struct ata_port_operations qdi6580_port_ops = {
22298 +static const struct ata_port_operations qdi6580_port_ops = {
22299 .inherits = &qdi6500_port_ops,
22300 .set_piomode = qdi6580_set_piomode,
22302 diff -urNp linux-2.6.36.1/drivers/ata/pata_radisys.c linux-2.6.36.1/drivers/ata/pata_radisys.c
22303 --- linux-2.6.36.1/drivers/ata/pata_radisys.c 2010-10-20 16:30:22.000000000 -0400
22304 +++ linux-2.6.36.1/drivers/ata/pata_radisys.c 2010-11-06 18:58:15.000000000 -0400
22305 @@ -187,7 +187,7 @@ static struct scsi_host_template radisys
22306 ATA_BMDMA_SHT(DRV_NAME),
22309 -static struct ata_port_operations radisys_pata_ops = {
22310 +static const struct ata_port_operations radisys_pata_ops = {
22311 .inherits = &ata_bmdma_port_ops,
22312 .qc_issue = radisys_qc_issue,
22313 .cable_detect = ata_cable_unknown,
22314 diff -urNp linux-2.6.36.1/drivers/ata/pata_rb532_cf.c linux-2.6.36.1/drivers/ata/pata_rb532_cf.c
22315 --- linux-2.6.36.1/drivers/ata/pata_rb532_cf.c 2010-10-20 16:30:22.000000000 -0400
22316 +++ linux-2.6.36.1/drivers/ata/pata_rb532_cf.c 2010-11-06 18:58:15.000000000 -0400
22317 @@ -69,7 +69,7 @@ static irqreturn_t rb532_pata_irq_handle
22318 return IRQ_HANDLED;
22321 -static struct ata_port_operations rb532_pata_port_ops = {
22322 +static const struct ata_port_operations rb532_pata_port_ops = {
22323 .inherits = &ata_sff_port_ops,
22324 .sff_data_xfer = ata_sff_data_xfer32,
22326 diff -urNp linux-2.6.36.1/drivers/ata/pata_rdc.c linux-2.6.36.1/drivers/ata/pata_rdc.c
22327 --- linux-2.6.36.1/drivers/ata/pata_rdc.c 2010-10-20 16:30:22.000000000 -0400
22328 +++ linux-2.6.36.1/drivers/ata/pata_rdc.c 2010-11-06 18:58:15.000000000 -0400
22329 @@ -273,7 +273,7 @@ static void rdc_set_dmamode(struct ata_p
22330 pci_write_config_byte(dev, 0x48, udma_enable);
22333 -static struct ata_port_operations rdc_pata_ops = {
22334 +static const struct ata_port_operations rdc_pata_ops = {
22335 .inherits = &ata_bmdma32_port_ops,
22336 .cable_detect = rdc_pata_cable_detect,
22337 .set_piomode = rdc_set_piomode,
22338 diff -urNp linux-2.6.36.1/drivers/ata/pata_rz1000.c linux-2.6.36.1/drivers/ata/pata_rz1000.c
22339 --- linux-2.6.36.1/drivers/ata/pata_rz1000.c 2010-10-20 16:30:22.000000000 -0400
22340 +++ linux-2.6.36.1/drivers/ata/pata_rz1000.c 2010-11-06 18:58:15.000000000 -0400
22341 @@ -54,7 +54,7 @@ static struct scsi_host_template rz1000_
22342 ATA_PIO_SHT(DRV_NAME),
22345 -static struct ata_port_operations rz1000_port_ops = {
22346 +static const struct ata_port_operations rz1000_port_ops = {
22347 .inherits = &ata_sff_port_ops,
22348 .cable_detect = ata_cable_40wire,
22349 .set_mode = rz1000_set_mode,
22350 diff -urNp linux-2.6.36.1/drivers/ata/pata_samsung_cf.c linux-2.6.36.1/drivers/ata/pata_samsung_cf.c
22351 --- linux-2.6.36.1/drivers/ata/pata_samsung_cf.c 2010-10-20 16:30:22.000000000 -0400
22352 +++ linux-2.6.36.1/drivers/ata/pata_samsung_cf.c 2010-11-06 18:58:15.000000000 -0400
22353 @@ -399,7 +399,7 @@ static struct scsi_host_template pata_s3
22354 ATA_PIO_SHT(DRV_NAME),
22357 -static struct ata_port_operations pata_s3c_port_ops = {
22358 +static const struct ata_port_operations pata_s3c_port_ops = {
22359 .inherits = &ata_sff_port_ops,
22360 .sff_check_status = pata_s3c_check_status,
22361 .sff_check_altstatus = pata_s3c_check_altstatus,
22362 @@ -413,7 +413,7 @@ static struct ata_port_operations pata_s
22363 .set_piomode = pata_s3c_set_piomode,
22366 -static struct ata_port_operations pata_s5p_port_ops = {
22367 +static const struct ata_port_operations pata_s5p_port_ops = {
22368 .inherits = &ata_sff_port_ops,
22369 .set_piomode = pata_s3c_set_piomode,
22371 diff -urNp linux-2.6.36.1/drivers/ata/pata_sc1200.c linux-2.6.36.1/drivers/ata/pata_sc1200.c
22372 --- linux-2.6.36.1/drivers/ata/pata_sc1200.c 2010-10-20 16:30:22.000000000 -0400
22373 +++ linux-2.6.36.1/drivers/ata/pata_sc1200.c 2010-11-06 18:58:15.000000000 -0400
22374 @@ -207,7 +207,7 @@ static struct scsi_host_template sc1200_
22375 .sg_tablesize = LIBATA_DUMB_MAX_PRD,
22378 -static struct ata_port_operations sc1200_port_ops = {
22379 +static const struct ata_port_operations sc1200_port_ops = {
22380 .inherits = &ata_bmdma_port_ops,
22381 .qc_prep = ata_bmdma_dumb_qc_prep,
22382 .qc_issue = sc1200_qc_issue,
22383 diff -urNp linux-2.6.36.1/drivers/ata/pata_scc.c linux-2.6.36.1/drivers/ata/pata_scc.c
22384 --- linux-2.6.36.1/drivers/ata/pata_scc.c 2010-10-20 16:30:22.000000000 -0400
22385 +++ linux-2.6.36.1/drivers/ata/pata_scc.c 2010-11-06 18:58:15.000000000 -0400
22386 @@ -926,7 +926,7 @@ static struct scsi_host_template scc_sht
22387 ATA_BMDMA_SHT(DRV_NAME),
22390 -static struct ata_port_operations scc_pata_ops = {
22391 +static const struct ata_port_operations scc_pata_ops = {
22392 .inherits = &ata_bmdma_port_ops,
22394 .set_piomode = scc_set_piomode,
22395 diff -urNp linux-2.6.36.1/drivers/ata/pata_sch.c linux-2.6.36.1/drivers/ata/pata_sch.c
22396 --- linux-2.6.36.1/drivers/ata/pata_sch.c 2010-10-20 16:30:22.000000000 -0400
22397 +++ linux-2.6.36.1/drivers/ata/pata_sch.c 2010-11-06 18:58:15.000000000 -0400
22398 @@ -75,7 +75,7 @@ static struct scsi_host_template sch_sht
22399 ATA_BMDMA_SHT(DRV_NAME),
22402 -static struct ata_port_operations sch_pata_ops = {
22403 +static const struct ata_port_operations sch_pata_ops = {
22404 .inherits = &ata_bmdma_port_ops,
22405 .cable_detect = ata_cable_unknown,
22406 .set_piomode = sch_set_piomode,
22407 diff -urNp linux-2.6.36.1/drivers/ata/pata_serverworks.c linux-2.6.36.1/drivers/ata/pata_serverworks.c
22408 --- linux-2.6.36.1/drivers/ata/pata_serverworks.c 2010-10-20 16:30:22.000000000 -0400
22409 +++ linux-2.6.36.1/drivers/ata/pata_serverworks.c 2010-11-06 18:58:15.000000000 -0400
22410 @@ -300,7 +300,7 @@ static struct scsi_host_template serverw
22411 ATA_BMDMA_SHT(DRV_NAME),
22414 -static struct ata_port_operations serverworks_osb4_port_ops = {
22415 +static const struct ata_port_operations serverworks_osb4_port_ops = {
22416 .inherits = &ata_bmdma_port_ops,
22417 .cable_detect = serverworks_cable_detect,
22418 .mode_filter = serverworks_osb4_filter,
22419 @@ -308,7 +308,7 @@ static struct ata_port_operations server
22420 .set_dmamode = serverworks_set_dmamode,
22423 -static struct ata_port_operations serverworks_csb_port_ops = {
22424 +static const struct ata_port_operations serverworks_csb_port_ops = {
22425 .inherits = &serverworks_osb4_port_ops,
22426 .mode_filter = serverworks_csb_filter,
22428 diff -urNp linux-2.6.36.1/drivers/ata/pata_sil680.c linux-2.6.36.1/drivers/ata/pata_sil680.c
22429 --- linux-2.6.36.1/drivers/ata/pata_sil680.c 2010-10-20 16:30:22.000000000 -0400
22430 +++ linux-2.6.36.1/drivers/ata/pata_sil680.c 2010-11-06 18:58:15.000000000 -0400
22431 @@ -214,8 +214,7 @@ static struct scsi_host_template sil680_
22432 ATA_BMDMA_SHT(DRV_NAME),
22436 -static struct ata_port_operations sil680_port_ops = {
22437 +static const struct ata_port_operations sil680_port_ops = {
22438 .inherits = &ata_bmdma32_port_ops,
22439 .sff_exec_command = sil680_sff_exec_command,
22440 .cable_detect = sil680_cable_detect,
22441 diff -urNp linux-2.6.36.1/drivers/ata/pata_sis.c linux-2.6.36.1/drivers/ata/pata_sis.c
22442 --- linux-2.6.36.1/drivers/ata/pata_sis.c 2010-10-20 16:30:22.000000000 -0400
22443 +++ linux-2.6.36.1/drivers/ata/pata_sis.c 2010-11-06 18:58:15.000000000 -0400
22444 @@ -503,47 +503,47 @@ static struct scsi_host_template sis_sht
22445 ATA_BMDMA_SHT(DRV_NAME),
22448 -static struct ata_port_operations sis_133_for_sata_ops = {
22449 +static const struct ata_port_operations sis_133_for_sata_ops = {
22450 .inherits = &ata_bmdma_port_ops,
22451 .set_piomode = sis_133_set_piomode,
22452 .set_dmamode = sis_133_set_dmamode,
22453 .cable_detect = sis_133_cable_detect,
22456 -static struct ata_port_operations sis_base_ops = {
22457 +static const struct ata_port_operations sis_base_ops = {
22458 .inherits = &ata_bmdma_port_ops,
22459 .prereset = sis_pre_reset,
22462 -static struct ata_port_operations sis_133_ops = {
22463 +static const struct ata_port_operations sis_133_ops = {
22464 .inherits = &sis_base_ops,
22465 .set_piomode = sis_133_set_piomode,
22466 .set_dmamode = sis_133_set_dmamode,
22467 .cable_detect = sis_133_cable_detect,
22470 -static struct ata_port_operations sis_133_early_ops = {
22471 +static const struct ata_port_operations sis_133_early_ops = {
22472 .inherits = &sis_base_ops,
22473 .set_piomode = sis_100_set_piomode,
22474 .set_dmamode = sis_133_early_set_dmamode,
22475 .cable_detect = sis_66_cable_detect,
22478 -static struct ata_port_operations sis_100_ops = {
22479 +static const struct ata_port_operations sis_100_ops = {
22480 .inherits = &sis_base_ops,
22481 .set_piomode = sis_100_set_piomode,
22482 .set_dmamode = sis_100_set_dmamode,
22483 .cable_detect = sis_66_cable_detect,
22486 -static struct ata_port_operations sis_66_ops = {
22487 +static const struct ata_port_operations sis_66_ops = {
22488 .inherits = &sis_base_ops,
22489 .set_piomode = sis_old_set_piomode,
22490 .set_dmamode = sis_66_set_dmamode,
22491 .cable_detect = sis_66_cable_detect,
22494 -static struct ata_port_operations sis_old_ops = {
22495 +static const struct ata_port_operations sis_old_ops = {
22496 .inherits = &sis_base_ops,
22497 .set_piomode = sis_old_set_piomode,
22498 .set_dmamode = sis_old_set_dmamode,
22499 diff -urNp linux-2.6.36.1/drivers/ata/pata_sl82c105.c linux-2.6.36.1/drivers/ata/pata_sl82c105.c
22500 --- linux-2.6.36.1/drivers/ata/pata_sl82c105.c 2010-10-20 16:30:22.000000000 -0400
22501 +++ linux-2.6.36.1/drivers/ata/pata_sl82c105.c 2010-11-06 18:58:15.000000000 -0400
22502 @@ -231,7 +231,7 @@ static struct scsi_host_template sl82c10
22503 ATA_BMDMA_SHT(DRV_NAME),
22506 -static struct ata_port_operations sl82c105_port_ops = {
22507 +static const struct ata_port_operations sl82c105_port_ops = {
22508 .inherits = &ata_bmdma_port_ops,
22509 .qc_defer = sl82c105_qc_defer,
22510 .bmdma_start = sl82c105_bmdma_start,
22511 diff -urNp linux-2.6.36.1/drivers/ata/pata_triflex.c linux-2.6.36.1/drivers/ata/pata_triflex.c
22512 --- linux-2.6.36.1/drivers/ata/pata_triflex.c 2010-10-20 16:30:22.000000000 -0400
22513 +++ linux-2.6.36.1/drivers/ata/pata_triflex.c 2010-11-06 18:58:15.000000000 -0400
22514 @@ -178,7 +178,7 @@ static struct scsi_host_template triflex
22515 ATA_BMDMA_SHT(DRV_NAME),
22518 -static struct ata_port_operations triflex_port_ops = {
22519 +static const struct ata_port_operations triflex_port_ops = {
22520 .inherits = &ata_bmdma_port_ops,
22521 .bmdma_start = triflex_bmdma_start,
22522 .bmdma_stop = triflex_bmdma_stop,
22523 diff -urNp linux-2.6.36.1/drivers/ata/pata_via.c linux-2.6.36.1/drivers/ata/pata_via.c
22524 --- linux-2.6.36.1/drivers/ata/pata_via.c 2010-10-20 16:30:22.000000000 -0400
22525 +++ linux-2.6.36.1/drivers/ata/pata_via.c 2010-11-06 18:58:15.000000000 -0400
22526 @@ -441,7 +441,7 @@ static struct scsi_host_template via_sht
22527 ATA_BMDMA_SHT(DRV_NAME),
22530 -static struct ata_port_operations via_port_ops = {
22531 +static const struct ata_port_operations via_port_ops = {
22532 .inherits = &ata_bmdma_port_ops,
22533 .cable_detect = via_cable_detect,
22534 .set_piomode = via_set_piomode,
22535 @@ -452,7 +452,7 @@ static struct ata_port_operations via_po
22536 .mode_filter = via_mode_filter,
22539 -static struct ata_port_operations via_port_ops_noirq = {
22540 +static const struct ata_port_operations via_port_ops_noirq = {
22541 .inherits = &via_port_ops,
22542 .sff_data_xfer = ata_sff_data_xfer_noirq,
22544 diff -urNp linux-2.6.36.1/drivers/ata/pdc_adma.c linux-2.6.36.1/drivers/ata/pdc_adma.c
22545 --- linux-2.6.36.1/drivers/ata/pdc_adma.c 2010-10-20 16:30:22.000000000 -0400
22546 +++ linux-2.6.36.1/drivers/ata/pdc_adma.c 2010-11-06 18:58:15.000000000 -0400
22547 @@ -146,7 +146,7 @@ static struct scsi_host_template adma_at
22548 .dma_boundary = ADMA_DMA_BOUNDARY,
22551 -static struct ata_port_operations adma_ata_ops = {
22552 +static const struct ata_port_operations adma_ata_ops = {
22553 .inherits = &ata_sff_port_ops,
22555 .lost_interrupt = ATA_OP_NULL,
22556 diff -urNp linux-2.6.36.1/drivers/ata/sata_dwc_460ex.c linux-2.6.36.1/drivers/ata/sata_dwc_460ex.c
22557 --- linux-2.6.36.1/drivers/ata/sata_dwc_460ex.c 2010-10-20 16:30:22.000000000 -0400
22558 +++ linux-2.6.36.1/drivers/ata/sata_dwc_460ex.c 2010-11-06 18:58:15.000000000 -0400
22559 @@ -1560,7 +1560,7 @@ static struct scsi_host_template sata_dw
22560 .dma_boundary = ATA_DMA_BOUNDARY,
22563 -static struct ata_port_operations sata_dwc_ops = {
22564 +static const struct ata_port_operations sata_dwc_ops = {
22565 .inherits = &ata_sff_port_ops,
22567 .error_handler = sata_dwc_error_handler,
22568 diff -urNp linux-2.6.36.1/drivers/ata/sata_fsl.c linux-2.6.36.1/drivers/ata/sata_fsl.c
22569 --- linux-2.6.36.1/drivers/ata/sata_fsl.c 2010-10-20 16:30:22.000000000 -0400
22570 +++ linux-2.6.36.1/drivers/ata/sata_fsl.c 2010-11-06 18:58:15.000000000 -0400
22571 @@ -1261,7 +1261,7 @@ static struct scsi_host_template sata_fs
22572 .dma_boundary = ATA_DMA_BOUNDARY,
22575 -static struct ata_port_operations sata_fsl_ops = {
22576 +static const struct ata_port_operations sata_fsl_ops = {
22577 .inherits = &sata_pmp_port_ops,
22579 .qc_defer = ata_std_qc_defer,
22580 diff -urNp linux-2.6.36.1/drivers/ata/sata_inic162x.c linux-2.6.36.1/drivers/ata/sata_inic162x.c
22581 --- linux-2.6.36.1/drivers/ata/sata_inic162x.c 2010-10-20 16:30:22.000000000 -0400
22582 +++ linux-2.6.36.1/drivers/ata/sata_inic162x.c 2010-11-06 18:58:15.000000000 -0400
22583 @@ -705,7 +705,7 @@ static int inic_port_start(struct ata_po
22587 -static struct ata_port_operations inic_port_ops = {
22588 +static const struct ata_port_operations inic_port_ops = {
22589 .inherits = &sata_port_ops,
22591 .check_atapi_dma = inic_check_atapi_dma,
22592 diff -urNp linux-2.6.36.1/drivers/ata/sata_mv.c linux-2.6.36.1/drivers/ata/sata_mv.c
22593 --- linux-2.6.36.1/drivers/ata/sata_mv.c 2010-10-20 16:30:22.000000000 -0400
22594 +++ linux-2.6.36.1/drivers/ata/sata_mv.c 2010-11-06 18:58:15.000000000 -0400
22595 @@ -663,7 +663,7 @@ static struct scsi_host_template mv6_sht
22596 .dma_boundary = MV_DMA_BOUNDARY,
22599 -static struct ata_port_operations mv5_ops = {
22600 +static const struct ata_port_operations mv5_ops = {
22601 .inherits = &ata_sff_port_ops,
22603 .lost_interrupt = ATA_OP_NULL,
22604 @@ -683,7 +683,7 @@ static struct ata_port_operations mv5_op
22605 .port_stop = mv_port_stop,
22608 -static struct ata_port_operations mv6_ops = {
22609 +static const struct ata_port_operations mv6_ops = {
22610 .inherits = &ata_bmdma_port_ops,
22612 .lost_interrupt = ATA_OP_NULL,
22613 @@ -717,7 +717,7 @@ static struct ata_port_operations mv6_op
22614 .port_stop = mv_port_stop,
22617 -static struct ata_port_operations mv_iie_ops = {
22618 +static const struct ata_port_operations mv_iie_ops = {
22619 .inherits = &mv6_ops,
22620 .dev_config = ATA_OP_NULL,
22621 .qc_prep = mv_qc_prep_iie,
22622 diff -urNp linux-2.6.36.1/drivers/ata/sata_nv.c linux-2.6.36.1/drivers/ata/sata_nv.c
22623 --- linux-2.6.36.1/drivers/ata/sata_nv.c 2010-10-20 16:30:22.000000000 -0400
22624 +++ linux-2.6.36.1/drivers/ata/sata_nv.c 2010-11-06 18:58:15.000000000 -0400
22625 @@ -465,7 +465,7 @@ static struct scsi_host_template nv_swnc
22626 * cases. Define nv_hardreset() which only kicks in for post-boot
22627 * probing and use it for all variants.
22629 -static struct ata_port_operations nv_generic_ops = {
22630 +static const struct ata_port_operations nv_generic_ops = {
22631 .inherits = &ata_bmdma_port_ops,
22632 .lost_interrupt = ATA_OP_NULL,
22633 .scr_read = nv_scr_read,
22634 @@ -473,20 +473,20 @@ static struct ata_port_operations nv_gen
22635 .hardreset = nv_hardreset,
22638 -static struct ata_port_operations nv_nf2_ops = {
22639 +static const struct ata_port_operations nv_nf2_ops = {
22640 .inherits = &nv_generic_ops,
22641 .freeze = nv_nf2_freeze,
22642 .thaw = nv_nf2_thaw,
22645 -static struct ata_port_operations nv_ck804_ops = {
22646 +static const struct ata_port_operations nv_ck804_ops = {
22647 .inherits = &nv_generic_ops,
22648 .freeze = nv_ck804_freeze,
22649 .thaw = nv_ck804_thaw,
22650 .host_stop = nv_ck804_host_stop,
22653 -static struct ata_port_operations nv_adma_ops = {
22654 +static const struct ata_port_operations nv_adma_ops = {
22655 .inherits = &nv_ck804_ops,
22657 .check_atapi_dma = nv_adma_check_atapi_dma,
22658 @@ -510,7 +510,7 @@ static struct ata_port_operations nv_adm
22659 .host_stop = nv_adma_host_stop,
22662 -static struct ata_port_operations nv_swncq_ops = {
22663 +static const struct ata_port_operations nv_swncq_ops = {
22664 .inherits = &nv_generic_ops,
22666 .qc_defer = ata_std_qc_defer,
22667 diff -urNp linux-2.6.36.1/drivers/ata/sata_promise.c linux-2.6.36.1/drivers/ata/sata_promise.c
22668 --- linux-2.6.36.1/drivers/ata/sata_promise.c 2010-10-20 16:30:22.000000000 -0400
22669 +++ linux-2.6.36.1/drivers/ata/sata_promise.c 2010-11-06 18:58:15.000000000 -0400
22670 @@ -196,7 +196,7 @@ static const struct ata_port_operations
22671 .error_handler = pdc_error_handler,
22674 -static struct ata_port_operations pdc_sata_ops = {
22675 +static const struct ata_port_operations pdc_sata_ops = {
22676 .inherits = &pdc_common_ops,
22677 .cable_detect = pdc_sata_cable_detect,
22678 .freeze = pdc_sata_freeze,
22679 @@ -209,14 +209,14 @@ static struct ata_port_operations pdc_sa
22681 /* First-generation chips need a more restrictive ->check_atapi_dma op,
22682 and ->freeze/thaw that ignore the hotplug controls. */
22683 -static struct ata_port_operations pdc_old_sata_ops = {
22684 +static const struct ata_port_operations pdc_old_sata_ops = {
22685 .inherits = &pdc_sata_ops,
22686 .freeze = pdc_freeze,
22688 .check_atapi_dma = pdc_old_sata_check_atapi_dma,
22691 -static struct ata_port_operations pdc_pata_ops = {
22692 +static const struct ata_port_operations pdc_pata_ops = {
22693 .inherits = &pdc_common_ops,
22694 .cable_detect = pdc_pata_cable_detect,
22695 .freeze = pdc_freeze,
22696 diff -urNp linux-2.6.36.1/drivers/ata/sata_qstor.c linux-2.6.36.1/drivers/ata/sata_qstor.c
22697 --- linux-2.6.36.1/drivers/ata/sata_qstor.c 2010-10-20 16:30:22.000000000 -0400
22698 +++ linux-2.6.36.1/drivers/ata/sata_qstor.c 2010-11-06 18:58:15.000000000 -0400
22699 @@ -131,7 +131,7 @@ static struct scsi_host_template qs_ata_
22700 .dma_boundary = QS_DMA_BOUNDARY,
22703 -static struct ata_port_operations qs_ata_ops = {
22704 +static const struct ata_port_operations qs_ata_ops = {
22705 .inherits = &ata_sff_port_ops,
22707 .check_atapi_dma = qs_check_atapi_dma,
22708 diff -urNp linux-2.6.36.1/drivers/ata/sata_sil24.c linux-2.6.36.1/drivers/ata/sata_sil24.c
22709 --- linux-2.6.36.1/drivers/ata/sata_sil24.c 2010-10-20 16:30:22.000000000 -0400
22710 +++ linux-2.6.36.1/drivers/ata/sata_sil24.c 2010-11-06 18:58:15.000000000 -0400
22711 @@ -389,7 +389,7 @@ static struct scsi_host_template sil24_s
22712 .dma_boundary = ATA_DMA_BOUNDARY,
22715 -static struct ata_port_operations sil24_ops = {
22716 +static const struct ata_port_operations sil24_ops = {
22717 .inherits = &sata_pmp_port_ops,
22719 .qc_defer = sil24_qc_defer,
22720 diff -urNp linux-2.6.36.1/drivers/ata/sata_sil.c linux-2.6.36.1/drivers/ata/sata_sil.c
22721 --- linux-2.6.36.1/drivers/ata/sata_sil.c 2010-10-20 16:30:22.000000000 -0400
22722 +++ linux-2.6.36.1/drivers/ata/sata_sil.c 2010-11-06 18:58:15.000000000 -0400
22723 @@ -182,7 +182,7 @@ static struct scsi_host_template sil_sht
22724 .sg_tablesize = ATA_MAX_PRD
22727 -static struct ata_port_operations sil_ops = {
22728 +static const struct ata_port_operations sil_ops = {
22729 .inherits = &ata_bmdma32_port_ops,
22730 .dev_config = sil_dev_config,
22731 .set_mode = sil_set_mode,
22732 diff -urNp linux-2.6.36.1/drivers/ata/sata_sis.c linux-2.6.36.1/drivers/ata/sata_sis.c
22733 --- linux-2.6.36.1/drivers/ata/sata_sis.c 2010-10-20 16:30:22.000000000 -0400
22734 +++ linux-2.6.36.1/drivers/ata/sata_sis.c 2010-11-06 18:58:15.000000000 -0400
22735 @@ -89,7 +89,7 @@ static struct scsi_host_template sis_sht
22736 ATA_BMDMA_SHT(DRV_NAME),
22739 -static struct ata_port_operations sis_ops = {
22740 +static const struct ata_port_operations sis_ops = {
22741 .inherits = &ata_bmdma_port_ops,
22742 .scr_read = sis_scr_read,
22743 .scr_write = sis_scr_write,
22744 diff -urNp linux-2.6.36.1/drivers/ata/sata_svw.c linux-2.6.36.1/drivers/ata/sata_svw.c
22745 --- linux-2.6.36.1/drivers/ata/sata_svw.c 2010-10-20 16:30:22.000000000 -0400
22746 +++ linux-2.6.36.1/drivers/ata/sata_svw.c 2010-11-06 18:58:15.000000000 -0400
22747 @@ -344,7 +344,7 @@ static struct scsi_host_template k2_sata
22751 -static struct ata_port_operations k2_sata_ops = {
22752 +static const struct ata_port_operations k2_sata_ops = {
22753 .inherits = &ata_bmdma_port_ops,
22754 .sff_tf_load = k2_sata_tf_load,
22755 .sff_tf_read = k2_sata_tf_read,
22756 diff -urNp linux-2.6.36.1/drivers/ata/sata_sx4.c linux-2.6.36.1/drivers/ata/sata_sx4.c
22757 --- linux-2.6.36.1/drivers/ata/sata_sx4.c 2010-10-20 16:30:22.000000000 -0400
22758 +++ linux-2.6.36.1/drivers/ata/sata_sx4.c 2010-11-06 18:58:15.000000000 -0400
22759 @@ -249,7 +249,7 @@ static struct scsi_host_template pdc_sat
22762 /* TODO: inherit from base port_ops after converting to new EH */
22763 -static struct ata_port_operations pdc_20621_ops = {
22764 +static const struct ata_port_operations pdc_20621_ops = {
22765 .inherits = &ata_sff_port_ops,
22767 .check_atapi_dma = pdc_check_atapi_dma,
22768 diff -urNp linux-2.6.36.1/drivers/ata/sata_uli.c linux-2.6.36.1/drivers/ata/sata_uli.c
22769 --- linux-2.6.36.1/drivers/ata/sata_uli.c 2010-10-20 16:30:22.000000000 -0400
22770 +++ linux-2.6.36.1/drivers/ata/sata_uli.c 2010-11-06 18:58:15.000000000 -0400
22771 @@ -80,7 +80,7 @@ static struct scsi_host_template uli_sht
22772 ATA_BMDMA_SHT(DRV_NAME),
22775 -static struct ata_port_operations uli_ops = {
22776 +static const struct ata_port_operations uli_ops = {
22777 .inherits = &ata_bmdma_port_ops,
22778 .scr_read = uli_scr_read,
22779 .scr_write = uli_scr_write,
22780 diff -urNp linux-2.6.36.1/drivers/ata/sata_via.c linux-2.6.36.1/drivers/ata/sata_via.c
22781 --- linux-2.6.36.1/drivers/ata/sata_via.c 2010-10-20 16:30:22.000000000 -0400
22782 +++ linux-2.6.36.1/drivers/ata/sata_via.c 2010-11-06 18:58:15.000000000 -0400
22783 @@ -115,32 +115,32 @@ static struct scsi_host_template svia_sh
22784 ATA_BMDMA_SHT(DRV_NAME),
22787 -static struct ata_port_operations svia_base_ops = {
22788 +static const struct ata_port_operations svia_base_ops = {
22789 .inherits = &ata_bmdma_port_ops,
22790 .sff_tf_load = svia_tf_load,
22793 -static struct ata_port_operations vt6420_sata_ops = {
22794 +static const struct ata_port_operations vt6420_sata_ops = {
22795 .inherits = &svia_base_ops,
22796 .freeze = svia_noop_freeze,
22797 .prereset = vt6420_prereset,
22798 .bmdma_start = vt6420_bmdma_start,
22801 -static struct ata_port_operations vt6421_pata_ops = {
22802 +static const struct ata_port_operations vt6421_pata_ops = {
22803 .inherits = &svia_base_ops,
22804 .cable_detect = vt6421_pata_cable_detect,
22805 .set_piomode = vt6421_set_pio_mode,
22806 .set_dmamode = vt6421_set_dma_mode,
22809 -static struct ata_port_operations vt6421_sata_ops = {
22810 +static const struct ata_port_operations vt6421_sata_ops = {
22811 .inherits = &svia_base_ops,
22812 .scr_read = svia_scr_read,
22813 .scr_write = svia_scr_write,
22816 -static struct ata_port_operations vt8251_ops = {
22817 +static const struct ata_port_operations vt8251_ops = {
22818 .inherits = &svia_base_ops,
22819 .hardreset = sata_std_hardreset,
22820 .scr_read = vt8251_scr_read,
22821 diff -urNp linux-2.6.36.1/drivers/ata/sata_vsc.c linux-2.6.36.1/drivers/ata/sata_vsc.c
22822 --- linux-2.6.36.1/drivers/ata/sata_vsc.c 2010-10-20 16:30:22.000000000 -0400
22823 +++ linux-2.6.36.1/drivers/ata/sata_vsc.c 2010-11-06 18:58:15.000000000 -0400
22824 @@ -300,7 +300,7 @@ static struct scsi_host_template vsc_sat
22828 -static struct ata_port_operations vsc_sata_ops = {
22829 +static const struct ata_port_operations vsc_sata_ops = {
22830 .inherits = &ata_bmdma_port_ops,
22831 /* The IRQ handling is not quite standard SFF behaviour so we
22832 cannot use the default lost interrupt handler */
22833 diff -urNp linux-2.6.36.1/drivers/atm/adummy.c linux-2.6.36.1/drivers/atm/adummy.c
22834 --- linux-2.6.36.1/drivers/atm/adummy.c 2010-10-20 16:30:22.000000000 -0400
22835 +++ linux-2.6.36.1/drivers/atm/adummy.c 2010-11-06 18:58:15.000000000 -0400
22836 @@ -114,7 +114,7 @@ adummy_send(struct atm_vcc *vcc, struct
22837 vcc->pop(vcc, skb);
22839 dev_kfree_skb_any(skb);
22840 - atomic_inc(&vcc->stats->tx);
22841 + atomic_inc_unchecked(&vcc->stats->tx);
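Review bot: `atomic_inc_unchecked()` takes an `atomic_unchecked_t *`, so this line only compiles if the `vcc->stats` counters (the `struct k_atm_aal_stats` items generated by `__HANDLE_ITEM` in `include/linux/atmdev.h`) are retyped in the same series, and the readers in net/atm that report them presumably need the matching `atomic_read_unchecked()`; neither change is in this chunk, so please confirm both are present. The exemption itself is the right call here: `tx`, `rx`, `rx_err`, `rx_drop` and `tx_err` are monotonically increasing traffic statistics, not reference counts, so a wrap is benign and must not trip the refcount overflow trap, whereas the checked `atomic_inc()` stays correct for anything that gates an object's lifetime. A short comment at the first site, `/* stats counter, not a refcount: wrap is benign, keep it out of the overflow check */`, would keep a later cleanup from reverting these to the checked form. The same point covers every atm driver hunk that follows (ambassador, atmtcp, eni, firestream, fore200e, he, horizon and idt77252, including its `atomic_add_unchecked()` calls).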
22845 diff -urNp linux-2.6.36.1/drivers/atm/ambassador.c linux-2.6.36.1/drivers/atm/ambassador.c
22846 --- linux-2.6.36.1/drivers/atm/ambassador.c 2010-10-20 16:30:22.000000000 -0400
22847 +++ linux-2.6.36.1/drivers/atm/ambassador.c 2010-11-06 18:58:15.000000000 -0400
22848 @@ -454,7 +454,7 @@ static void tx_complete (amb_dev * dev,
22849 PRINTD (DBG_FLOW|DBG_TX, "tx_complete %p %p", dev, tx);
22852 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22853 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22855 // free the descriptor
22857 @@ -495,7 +495,7 @@ static void rx_complete (amb_dev * dev,
22858 dump_skb ("<<<", vc, skb);
22861 - atomic_inc(&atm_vcc->stats->rx);
22862 + atomic_inc_unchecked(&atm_vcc->stats->rx);
22863 __net_timestamp(skb);
22864 // end of our responsability
22865 atm_vcc->push (atm_vcc, skb);
22866 @@ -510,7 +510,7 @@ static void rx_complete (amb_dev * dev,
22868 PRINTK (KERN_INFO, "dropped over-size frame");
22869 // should we count this?
22870 - atomic_inc(&atm_vcc->stats->rx_drop);
22871 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
22875 @@ -1342,7 +1342,7 @@ static int amb_send (struct atm_vcc * at
22878 if (check_area (skb->data, skb->len)) {
22879 - atomic_inc(&atm_vcc->stats->tx_err);
22880 + atomic_inc_unchecked(&atm_vcc->stats->tx_err);
22881 return -ENOMEM; // ?
22884 diff -urNp linux-2.6.36.1/drivers/atm/atmtcp.c linux-2.6.36.1/drivers/atm/atmtcp.c
22885 --- linux-2.6.36.1/drivers/atm/atmtcp.c 2010-10-20 16:30:22.000000000 -0400
22886 +++ linux-2.6.36.1/drivers/atm/atmtcp.c 2010-11-06 18:58:15.000000000 -0400
22887 @@ -207,7 +207,7 @@ static int atmtcp_v_send(struct atm_vcc
22888 if (vcc->pop) vcc->pop(vcc,skb);
22889 else dev_kfree_skb(skb);
22890 if (dev_data) return 0;
22891 - atomic_inc(&vcc->stats->tx_err);
22892 + atomic_inc_unchecked(&vcc->stats->tx_err);
22895 size = skb->len+sizeof(struct atmtcp_hdr);
22896 @@ -215,7 +215,7 @@ static int atmtcp_v_send(struct atm_vcc
22898 if (vcc->pop) vcc->pop(vcc,skb);
22899 else dev_kfree_skb(skb);
22900 - atomic_inc(&vcc->stats->tx_err);
22901 + atomic_inc_unchecked(&vcc->stats->tx_err);
22904 hdr = (void *) skb_put(new_skb,sizeof(struct atmtcp_hdr));
22905 @@ -226,8 +226,8 @@ static int atmtcp_v_send(struct atm_vcc
22906 if (vcc->pop) vcc->pop(vcc,skb);
22907 else dev_kfree_skb(skb);
22908 out_vcc->push(out_vcc,new_skb);
22909 - atomic_inc(&vcc->stats->tx);
22910 - atomic_inc(&out_vcc->stats->rx);
22911 + atomic_inc_unchecked(&vcc->stats->tx);
22912 + atomic_inc_unchecked(&out_vcc->stats->rx);
22916 @@ -301,7 +301,7 @@ static int atmtcp_c_send(struct atm_vcc
22917 out_vcc = find_vcc(dev, ntohs(hdr->vpi), ntohs(hdr->vci));
22918 read_unlock(&vcc_sklist_lock);
22920 - atomic_inc(&vcc->stats->tx_err);
22921 + atomic_inc_unchecked(&vcc->stats->tx_err);
22924 skb_pull(skb,sizeof(struct atmtcp_hdr));
22925 @@ -313,8 +313,8 @@ static int atmtcp_c_send(struct atm_vcc
22926 __net_timestamp(new_skb);
22927 skb_copy_from_linear_data(skb, skb_put(new_skb, skb->len), skb->len);
22928 out_vcc->push(out_vcc,new_skb);
22929 - atomic_inc(&vcc->stats->tx);
22930 - atomic_inc(&out_vcc->stats->rx);
22931 + atomic_inc_unchecked(&vcc->stats->tx);
22932 + atomic_inc_unchecked(&out_vcc->stats->rx);
22934 if (vcc->pop) vcc->pop(vcc,skb);
22935 else dev_kfree_skb(skb);
22936 diff -urNp linux-2.6.36.1/drivers/atm/eni.c linux-2.6.36.1/drivers/atm/eni.c
22937 --- linux-2.6.36.1/drivers/atm/eni.c 2010-10-20 16:30:22.000000000 -0400
22938 +++ linux-2.6.36.1/drivers/atm/eni.c 2010-11-06 18:58:15.000000000 -0400
22939 @@ -526,7 +526,7 @@ static int rx_aal0(struct atm_vcc *vcc)
22940 DPRINTK(DEV_LABEL "(itf %d): trashing empty cell\n",
22943 - atomic_inc(&vcc->stats->rx_err);
22944 + atomic_inc_unchecked(&vcc->stats->rx_err);
22947 length = ATM_CELL_SIZE-1; /* no HEC */
22948 @@ -581,7 +581,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22952 - atomic_inc(&vcc->stats->rx_err);
22953 + atomic_inc_unchecked(&vcc->stats->rx_err);
22956 size = (descr & MID_RED_COUNT)*(ATM_CELL_PAYLOAD >> 2);
22957 @@ -598,7 +598,7 @@ static int rx_aal5(struct atm_vcc *vcc)
22958 "(VCI=%d,length=%ld,size=%ld (descr 0x%lx))\n",
22959 vcc->dev->number,vcc->vci,length,size << 2,descr);
22961 - atomic_inc(&vcc->stats->rx_err);
22962 + atomic_inc_unchecked(&vcc->stats->rx_err);
22965 skb = eff ? atm_alloc_charge(vcc,eff << 2,GFP_ATOMIC) : NULL;
22966 @@ -771,7 +771,7 @@ rx_dequeued++;
22967 vcc->push(vcc,skb);
22970 - atomic_inc(&vcc->stats->rx);
22971 + atomic_inc_unchecked(&vcc->stats->rx);
22973 wake_up(&eni_dev->rx_wait);
22975 @@ -1228,7 +1228,7 @@ static void dequeue_tx(struct atm_dev *d
22977 if (vcc->pop) vcc->pop(vcc,skb);
22978 else dev_kfree_skb_irq(skb);
22979 - atomic_inc(&vcc->stats->tx);
22980 + atomic_inc_unchecked(&vcc->stats->tx);
22981 wake_up(&eni_dev->tx_wait);
22984 diff -urNp linux-2.6.36.1/drivers/atm/firestream.c linux-2.6.36.1/drivers/atm/firestream.c
22985 --- linux-2.6.36.1/drivers/atm/firestream.c 2010-10-20 16:30:22.000000000 -0400
22986 +++ linux-2.6.36.1/drivers/atm/firestream.c 2010-11-06 18:58:15.000000000 -0400
22987 @@ -749,7 +749,7 @@ static void process_txdone_queue (struct
22991 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
22992 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
22994 fs_dprintk (FS_DEBUG_TXMEM, "i");
22995 fs_dprintk (FS_DEBUG_ALLOC, "Free t-skb: %p\n", skb);
22996 @@ -816,7 +816,7 @@ static void process_incoming (struct fs_
22998 skb_put (skb, qe->p1 & 0xffff);
22999 ATM_SKB(skb)->vcc = atm_vcc;
23000 - atomic_inc(&atm_vcc->stats->rx);
23001 + atomic_inc_unchecked(&atm_vcc->stats->rx);
23002 __net_timestamp(skb);
23003 fs_dprintk (FS_DEBUG_ALLOC, "Free rec-skb: %p (pushed)\n", skb);
23004 atm_vcc->push (atm_vcc, skb);
23005 @@ -837,12 +837,12 @@ static void process_incoming (struct fs_
23009 - atomic_inc(&atm_vcc->stats->rx_drop);
23010 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23012 case 0x1f: /* Reassembly abort: no buffers. */
23013 /* Silently increment error counter. */
23015 - atomic_inc(&atm_vcc->stats->rx_drop);
23016 + atomic_inc_unchecked(&atm_vcc->stats->rx_drop);
23018 default: /* Hmm. Haven't written the code to handle the others yet... -- REW */
23019 printk (KERN_WARNING "Don't know what to do with RX status %x: %s.\n",
23020 diff -urNp linux-2.6.36.1/drivers/atm/fore200e.c linux-2.6.36.1/drivers/atm/fore200e.c
23021 --- linux-2.6.36.1/drivers/atm/fore200e.c 2010-10-20 16:30:22.000000000 -0400
23022 +++ linux-2.6.36.1/drivers/atm/fore200e.c 2010-11-06 18:58:15.000000000 -0400
23023 @@ -933,9 +933,9 @@ fore200e_tx_irq(struct fore200e* fore200
23025 /* check error condition */
23026 if (*entry->status & STATUS_ERROR)
23027 - atomic_inc(&vcc->stats->tx_err);
23028 + atomic_inc_unchecked(&vcc->stats->tx_err);
23030 - atomic_inc(&vcc->stats->tx);
23031 + atomic_inc_unchecked(&vcc->stats->tx);
23035 @@ -1084,7 +1084,7 @@ fore200e_push_rpd(struct fore200e* fore2
23037 DPRINTK(2, "unable to alloc new skb, rx PDU length = %d\n", pdu_len);
23039 - atomic_inc(&vcc->stats->rx_drop);
23040 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23044 @@ -1127,14 +1127,14 @@ fore200e_push_rpd(struct fore200e* fore2
23046 dev_kfree_skb_any(skb);
23048 - atomic_inc(&vcc->stats->rx_drop);
23049 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23053 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23055 vcc->push(vcc, skb);
23056 - atomic_inc(&vcc->stats->rx);
23057 + atomic_inc_unchecked(&vcc->stats->rx);
23059 ASSERT(atomic_read(&sk_atm(vcc)->sk_wmem_alloc) >= 0);
23061 @@ -1212,7 +1212,7 @@ fore200e_rx_irq(struct fore200e* fore200
23062 DPRINTK(2, "damaged PDU on %d.%d.%d\n",
23063 fore200e->atm_dev->number,
23064 entry->rpd->atm_header.vpi, entry->rpd->atm_header.vci);
23065 - atomic_inc(&vcc->stats->rx_err);
23066 + atomic_inc_unchecked(&vcc->stats->rx_err);
23070 @@ -1657,7 +1657,7 @@ fore200e_send(struct atm_vcc *vcc, struc
23074 - atomic_inc(&vcc->stats->tx_err);
23075 + atomic_inc_unchecked(&vcc->stats->tx_err);
23077 fore200e->tx_sat++;
23078 DPRINTK(2, "tx queue of device %s is saturated, PDU dropped - heartbeat is %08x\n",
23079 diff -urNp linux-2.6.36.1/drivers/atm/he.c linux-2.6.36.1/drivers/atm/he.c
23080 --- linux-2.6.36.1/drivers/atm/he.c 2010-10-20 16:30:22.000000000 -0400
23081 +++ linux-2.6.36.1/drivers/atm/he.c 2010-11-06 18:58:15.000000000 -0400
23082 @@ -1709,7 +1709,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23084 if (RBRQ_HBUF_ERR(he_dev->rbrq_head)) {
23085 hprintk("HBUF_ERR! (cid 0x%x)\n", cid);
23086 - atomic_inc(&vcc->stats->rx_drop);
23087 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23088 goto return_host_buffers;
23091 @@ -1736,7 +1736,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23092 RBRQ_LEN_ERR(he_dev->rbrq_head)
23094 vcc->vpi, vcc->vci);
23095 - atomic_inc(&vcc->stats->rx_err);
23096 + atomic_inc_unchecked(&vcc->stats->rx_err);
23097 goto return_host_buffers;
23100 @@ -1788,7 +1788,7 @@ he_service_rbrq(struct he_dev *he_dev, i
23101 vcc->push(vcc, skb);
23102 spin_lock(&he_dev->global_lock);
23104 - atomic_inc(&vcc->stats->rx);
23105 + atomic_inc_unchecked(&vcc->stats->rx);
23107 return_host_buffers:
23109 @@ -2114,7 +2114,7 @@ __enqueue_tpd(struct he_dev *he_dev, str
23110 tpd->vcc->pop(tpd->vcc, tpd->skb);
23112 dev_kfree_skb_any(tpd->skb);
23113 - atomic_inc(&tpd->vcc->stats->tx_err);
23114 + atomic_inc_unchecked(&tpd->vcc->stats->tx_err);
23116 pci_pool_free(he_dev->tpd_pool, tpd, TPD_ADDR(tpd->status));
23118 @@ -2526,7 +2526,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23119 vcc->pop(vcc, skb);
23121 dev_kfree_skb_any(skb);
23122 - atomic_inc(&vcc->stats->tx_err);
23123 + atomic_inc_unchecked(&vcc->stats->tx_err);
23127 @@ -2537,7 +2537,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23128 vcc->pop(vcc, skb);
23130 dev_kfree_skb_any(skb);
23131 - atomic_inc(&vcc->stats->tx_err);
23132 + atomic_inc_unchecked(&vcc->stats->tx_err);
23136 @@ -2549,7 +2549,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23137 vcc->pop(vcc, skb);
23139 dev_kfree_skb_any(skb);
23140 - atomic_inc(&vcc->stats->tx_err);
23141 + atomic_inc_unchecked(&vcc->stats->tx_err);
23142 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23145 @@ -2591,7 +2591,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23146 vcc->pop(vcc, skb);
23148 dev_kfree_skb_any(skb);
23149 - atomic_inc(&vcc->stats->tx_err);
23150 + atomic_inc_unchecked(&vcc->stats->tx_err);
23151 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23154 @@ -2622,7 +2622,7 @@ he_send(struct atm_vcc *vcc, struct sk_b
23155 __enqueue_tpd(he_dev, tpd, cid);
23156 spin_unlock_irqrestore(&he_dev->global_lock, flags);
23158 - atomic_inc(&vcc->stats->tx);
23159 + atomic_inc_unchecked(&vcc->stats->tx);
23163 diff -urNp linux-2.6.36.1/drivers/atm/horizon.c linux-2.6.36.1/drivers/atm/horizon.c
23164 --- linux-2.6.36.1/drivers/atm/horizon.c 2010-10-20 16:30:22.000000000 -0400
23165 +++ linux-2.6.36.1/drivers/atm/horizon.c 2010-11-06 18:58:15.000000000 -0400
23166 @@ -1034,7 +1034,7 @@ static void rx_schedule (hrz_dev * dev,
23168 struct atm_vcc * vcc = ATM_SKB(skb)->vcc;
23170 - atomic_inc(&vcc->stats->rx);
23171 + atomic_inc_unchecked(&vcc->stats->rx);
23172 __net_timestamp(skb);
23173 // end of our responsability
23174 vcc->push (vcc, skb);
23175 @@ -1186,7 +1186,7 @@ static void tx_schedule (hrz_dev * const
23176 dev->tx_iovec = NULL;
23179 - atomic_inc(&ATM_SKB(skb)->vcc->stats->tx);
23180 + atomic_inc_unchecked(&ATM_SKB(skb)->vcc->stats->tx);
23183 hrz_kfree_skb (skb);
23184 diff -urNp linux-2.6.36.1/drivers/atm/idt77252.c linux-2.6.36.1/drivers/atm/idt77252.c
23185 --- linux-2.6.36.1/drivers/atm/idt77252.c 2010-10-20 16:30:22.000000000 -0400
23186 +++ linux-2.6.36.1/drivers/atm/idt77252.c 2010-11-06 18:58:15.000000000 -0400
23187 @@ -811,7 +811,7 @@ drain_scq(struct idt77252_dev *card, str
23189 dev_kfree_skb(skb);
23191 - atomic_inc(&vcc->stats->tx);
23192 + atomic_inc_unchecked(&vcc->stats->tx);
23195 atomic_dec(&scq->used);
23196 @@ -1074,13 +1074,13 @@ dequeue_rx(struct idt77252_dev *card, st
23197 if ((sb = dev_alloc_skb(64)) == NULL) {
23198 printk("%s: Can't allocate buffers for aal0.\n",
23200 - atomic_add(i, &vcc->stats->rx_drop);
23201 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23204 if (!atm_charge(vcc, sb->truesize)) {
23205 RXPRINTK("%s: atm_charge() dropped aal0 packets.\n",
23207 - atomic_add(i - 1, &vcc->stats->rx_drop);
23208 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop);
23212 @@ -1097,7 +1097,7 @@ dequeue_rx(struct idt77252_dev *card, st
23213 ATM_SKB(sb)->vcc = vcc;
23214 __net_timestamp(sb);
23215 vcc->push(vcc, sb);
23216 - atomic_inc(&vcc->stats->rx);
23217 + atomic_inc_unchecked(&vcc->stats->rx);
23219 cell += ATM_CELL_PAYLOAD;
23221 @@ -1134,13 +1134,13 @@ dequeue_rx(struct idt77252_dev *card, st
23223 card->name, len, rpp->len, readl(SAR_REG_CDC));
23224 recycle_rx_pool_skb(card, rpp);
23225 - atomic_inc(&vcc->stats->rx_err);
23226 + atomic_inc_unchecked(&vcc->stats->rx_err);
23229 if (stat & SAR_RSQE_CRC) {
23230 RXPRINTK("%s: AAL5 CRC error.\n", card->name);
23231 recycle_rx_pool_skb(card, rpp);
23232 - atomic_inc(&vcc->stats->rx_err);
23233 + atomic_inc_unchecked(&vcc->stats->rx_err);
23236 if (skb_queue_len(&rpp->queue) > 1) {
23237 @@ -1151,7 +1151,7 @@ dequeue_rx(struct idt77252_dev *card, st
23238 RXPRINTK("%s: Can't alloc RX skb.\n",
23240 recycle_rx_pool_skb(card, rpp);
23241 - atomic_inc(&vcc->stats->rx_err);
23242 + atomic_inc_unchecked(&vcc->stats->rx_err);
23245 if (!atm_charge(vcc, skb->truesize)) {
23246 @@ -1170,7 +1170,7 @@ dequeue_rx(struct idt77252_dev *card, st
23247 __net_timestamp(skb);
23249 vcc->push(vcc, skb);
23250 - atomic_inc(&vcc->stats->rx);
23251 + atomic_inc_unchecked(&vcc->stats->rx);
23255 @@ -1192,7 +1192,7 @@ dequeue_rx(struct idt77252_dev *card, st
23256 __net_timestamp(skb);
23258 vcc->push(vcc, skb);
23259 - atomic_inc(&vcc->stats->rx);
23260 + atomic_inc_unchecked(&vcc->stats->rx);
23262 if (skb->truesize > SAR_FB_SIZE_3)
23263 add_rx_skb(card, 3, SAR_FB_SIZE_3, 1);
23264 @@ -1304,14 +1304,14 @@ idt77252_rx_raw(struct idt77252_dev *car
23265 if (vcc->qos.aal != ATM_AAL0) {
23266 RPRINTK("%s: raw cell for non AAL0 vc %u.%u\n",
23267 card->name, vpi, vci);
23268 - atomic_inc(&vcc->stats->rx_drop);
23269 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23273 if ((sb = dev_alloc_skb(64)) == NULL) {
23274 printk("%s: Can't allocate buffers for AAL0.\n",
23276 - atomic_inc(&vcc->stats->rx_err);
23277 + atomic_inc_unchecked(&vcc->stats->rx_err);
23281 @@ -1330,7 +1330,7 @@ idt77252_rx_raw(struct idt77252_dev *car
23282 ATM_SKB(sb)->vcc = vcc;
23283 __net_timestamp(sb);
23284 vcc->push(vcc, sb);
23285 - atomic_inc(&vcc->stats->rx);
23286 + atomic_inc_unchecked(&vcc->stats->rx);
23289 skb_pull(queue, 64);
23290 @@ -1955,13 +1955,13 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23293 printk("%s: NULL connection in send().\n", card->name);
23294 - atomic_inc(&vcc->stats->tx_err);
23295 + atomic_inc_unchecked(&vcc->stats->tx_err);
23296 dev_kfree_skb(skb);
23299 if (!test_bit(VCF_TX, &vc->flags)) {
23300 printk("%s: Trying to transmit on a non-tx VC.\n", card->name);
23301 - atomic_inc(&vcc->stats->tx_err);
23302 + atomic_inc_unchecked(&vcc->stats->tx_err);
23303 dev_kfree_skb(skb);
23306 @@ -1973,14 +1973,14 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23309 printk("%s: Unsupported AAL: %d\n", card->name, vcc->qos.aal);
23310 - atomic_inc(&vcc->stats->tx_err);
23311 + atomic_inc_unchecked(&vcc->stats->tx_err);
23312 dev_kfree_skb(skb);
23316 if (skb_shinfo(skb)->nr_frags != 0) {
23317 printk("%s: No scatter-gather yet.\n", card->name);
23318 - atomic_inc(&vcc->stats->tx_err);
23319 + atomic_inc_unchecked(&vcc->stats->tx_err);
23320 dev_kfree_skb(skb);
23323 @@ -1988,7 +1988,7 @@ idt77252_send_skb(struct atm_vcc *vcc, s
23325 err = queue_skb(card, vc, skb, oam);
23327 - atomic_inc(&vcc->stats->tx_err);
23328 + atomic_inc_unchecked(&vcc->stats->tx_err);
23329 dev_kfree_skb(skb);
23332 @@ -2011,7 +2011,7 @@ idt77252_send_oam(struct atm_vcc *vcc, v
23333 skb = dev_alloc_skb(64);
23335 printk("%s: Out of memory in send_oam().\n", card->name);
23336 - atomic_inc(&vcc->stats->tx_err);
23337 + atomic_inc_unchecked(&vcc->stats->tx_err);
23340 atomic_add(skb->truesize, &sk_atm(vcc)->sk_wmem_alloc);
23341 diff -urNp linux-2.6.36.1/drivers/atm/iphase.c linux-2.6.36.1/drivers/atm/iphase.c
23342 --- linux-2.6.36.1/drivers/atm/iphase.c 2010-10-20 16:30:22.000000000 -0400
23343 +++ linux-2.6.36.1/drivers/atm/iphase.c 2010-11-06 18:58:15.000000000 -0400
23344 @@ -1124,7 +1124,7 @@ static int rx_pkt(struct atm_dev *dev)
23345 status = (u_short) (buf_desc_ptr->desc_mode);
23346 if (status & (RX_CER | RX_PTE | RX_OFL))
23348 - atomic_inc(&vcc->stats->rx_err);
23349 + atomic_inc_unchecked(&vcc->stats->rx_err);
23350 IF_ERR(printk("IA: bad packet, dropping it");)
23351 if (status & RX_CER) {
23352 IF_ERR(printk(" cause: packet CRC error\n");)
23353 @@ -1147,7 +1147,7 @@ static int rx_pkt(struct atm_dev *dev)
23354 len = dma_addr - buf_addr;
23355 if (len > iadev->rx_buf_sz) {
23356 printk("Over %d bytes sdu received, dropped!!!\n", iadev->rx_buf_sz);
23357 - atomic_inc(&vcc->stats->rx_err);
23358 + atomic_inc_unchecked(&vcc->stats->rx_err);
23359 goto out_free_desc;
23362 @@ -1297,7 +1297,7 @@ static void rx_dle_intr(struct atm_dev *
23363 ia_vcc = INPH_IA_VCC(vcc);
23364 if (ia_vcc == NULL)
23366 - atomic_inc(&vcc->stats->rx_err);
23367 + atomic_inc_unchecked(&vcc->stats->rx_err);
23368 dev_kfree_skb_any(skb);
23369 atm_return(vcc, atm_guess_pdu2truesize(len));
23371 @@ -1309,7 +1309,7 @@ static void rx_dle_intr(struct atm_dev *
23372 if ((length > iadev->rx_buf_sz) || (length >
23373 (skb->len - sizeof(struct cpcs_trailer))))
23375 - atomic_inc(&vcc->stats->rx_err);
23376 + atomic_inc_unchecked(&vcc->stats->rx_err);
23377 IF_ERR(printk("rx_dle_intr: Bad AAL5 trailer %d (skb len %d)",
23378 length, skb->len);)
23379 dev_kfree_skb_any(skb);
23380 @@ -1325,7 +1325,7 @@ static void rx_dle_intr(struct atm_dev *
23382 IF_RX(printk("rx_dle_intr: skb push");)
23383 vcc->push(vcc,skb);
23384 - atomic_inc(&vcc->stats->rx);
23385 + atomic_inc_unchecked(&vcc->stats->rx);
23386 iadev->rx_pkt_cnt++;
23389 @@ -2807,15 +2807,15 @@ static int ia_ioctl(struct atm_dev *dev,
23391 struct k_sonet_stats *stats;
23392 stats = &PRIV(_ia_dev[board])->sonet_stats;
23393 - printk("section_bip: %d\n", atomic_read(&stats->section_bip));
23394 - printk("line_bip : %d\n", atomic_read(&stats->line_bip));
23395 - printk("path_bip : %d\n", atomic_read(&stats->path_bip));
23396 - printk("line_febe : %d\n", atomic_read(&stats->line_febe));
23397 - printk("path_febe : %d\n", atomic_read(&stats->path_febe));
23398 - printk("corr_hcs : %d\n", atomic_read(&stats->corr_hcs));
23399 - printk("uncorr_hcs : %d\n", atomic_read(&stats->uncorr_hcs));
23400 - printk("tx_cells : %d\n", atomic_read(&stats->tx_cells));
23401 - printk("rx_cells : %d\n", atomic_read(&stats->rx_cells));
23402 + printk("section_bip: %d\n", atomic_read_unchecked(&stats->section_bip));
23403 + printk("line_bip : %d\n", atomic_read_unchecked(&stats->line_bip));
23404 + printk("path_bip : %d\n", atomic_read_unchecked(&stats->path_bip));
23405 + printk("line_febe : %d\n", atomic_read_unchecked(&stats->line_febe));
23406 + printk("path_febe : %d\n", atomic_read_unchecked(&stats->path_febe));
23407 + printk("corr_hcs : %d\n", atomic_read_unchecked(&stats->corr_hcs));
23408 + printk("uncorr_hcs : %d\n", atomic_read_unchecked(&stats->uncorr_hcs));
23409 + printk("tx_cells : %d\n", atomic_read_unchecked(&stats->tx_cells));
23410 + printk("rx_cells : %d\n", atomic_read_unchecked(&stats->rx_cells));
23412 ia_cmds.status = 0;
23414 @@ -2920,7 +2920,7 @@ static int ia_pkt_tx (struct atm_vcc *vc
23415 if ((desc == 0) || (desc > iadev->num_tx_desc))
23417 IF_ERR(printk(DEV_LABEL "invalid desc for send: %d\n", desc);)
23418 - atomic_inc(&vcc->stats->tx);
23419 + atomic_inc_unchecked(&vcc->stats->tx);
23421 vcc->pop(vcc, skb);
23423 @@ -3025,14 +3025,14 @@ static int ia_pkt_tx (struct atm_vcc *vc
23424 ATM_DESC(skb) = vcc->vci;
23425 skb_queue_tail(&iadev->tx_dma_q, skb);
23427 - atomic_inc(&vcc->stats->tx);
23428 + atomic_inc_unchecked(&vcc->stats->tx);
23429 iadev->tx_pkt_cnt++;
23430 /* Increment transaction counter */
23431 writel(2, iadev->dma+IPHASE5575_TX_COUNTER);
23434 /* add flow control logic */
23435 - if (atomic_read(&vcc->stats->tx) % 20 == 0) {
23436 + if (atomic_read_unchecked(&vcc->stats->tx) % 20 == 0) {
23437 if (iavcc->vc_desc_cnt > 10) {
23438 vcc->tx_quota = vcc->tx_quota * 3 / 4;
23439 printk("Tx1: vcc->tx_quota = %d \n", (u32)vcc->tx_quota );
23440 diff -urNp linux-2.6.36.1/drivers/atm/lanai.c linux-2.6.36.1/drivers/atm/lanai.c
23441 --- linux-2.6.36.1/drivers/atm/lanai.c 2010-10-20 16:30:22.000000000 -0400
23442 +++ linux-2.6.36.1/drivers/atm/lanai.c 2010-11-06 18:58:15.000000000 -0400
23443 @@ -1303,7 +1303,7 @@ static void lanai_send_one_aal5(struct l
23444 vcc_tx_add_aal5_trailer(lvcc, skb->len, 0, 0);
23445 lanai_endtx(lanai, lvcc);
23446 lanai_free_skb(lvcc->tx.atmvcc, skb);
23447 - atomic_inc(&lvcc->tx.atmvcc->stats->tx);
23448 + atomic_inc_unchecked(&lvcc->tx.atmvcc->stats->tx);
23451 /* Try to fill the buffer - don't call unless there is backlog */
23452 @@ -1426,7 +1426,7 @@ static void vcc_rx_aal5(struct lanai_vcc
23453 ATM_SKB(skb)->vcc = lvcc->rx.atmvcc;
23454 __net_timestamp(skb);
23455 lvcc->rx.atmvcc->push(lvcc->rx.atmvcc, skb);
23456 - atomic_inc(&lvcc->rx.atmvcc->stats->rx);
23457 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx);
23459 lvcc->rx.buf.ptr = end;
23460 cardvcc_write(lvcc, endptr, vcc_rxreadptr);
23461 @@ -1668,7 +1668,7 @@ static int handle_service(struct lanai_d
23462 DPRINTK("(itf %d) got RX service entry 0x%X for non-AAL5 "
23463 "vcc %d\n", lanai->number, (unsigned int) s, vci);
23464 lanai->stats.service_rxnotaal5++;
23465 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23466 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23469 if (likely(!(s & (SERVICE_TRASH | SERVICE_STREAM | SERVICE_CRCERR)))) {
23470 @@ -1680,7 +1680,7 @@ static int handle_service(struct lanai_d
23472 read_unlock(&vcc_sklist_lock);
23473 DPRINTK("got trashed rx pdu on vci %d\n", vci);
23474 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23475 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23476 lvcc->stats.x.aal5.service_trash++;
23477 bytes = (SERVICE_GET_END(s) * 16) -
23478 (((unsigned long) lvcc->rx.buf.ptr) -
23479 @@ -1692,7 +1692,7 @@ static int handle_service(struct lanai_d
23481 if (s & SERVICE_STREAM) {
23482 read_unlock(&vcc_sklist_lock);
23483 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23484 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23485 lvcc->stats.x.aal5.service_stream++;
23486 printk(KERN_ERR DEV_LABEL "(itf %d): Got AAL5 stream "
23487 "PDU on VCI %d!\n", lanai->number, vci);
23488 @@ -1700,7 +1700,7 @@ static int handle_service(struct lanai_d
23491 DPRINTK("got rx crc error on vci %d\n", vci);
23492 - atomic_inc(&lvcc->rx.atmvcc->stats->rx_err);
23493 + atomic_inc_unchecked(&lvcc->rx.atmvcc->stats->rx_err);
23494 lvcc->stats.x.aal5.service_rxcrc++;
23495 lvcc->rx.buf.ptr = &lvcc->rx.buf.start[SERVICE_GET_END(s) * 4];
23496 cardvcc_write(lvcc, SERVICE_GET_END(s), vcc_rxreadptr);
23497 diff -urNp linux-2.6.36.1/drivers/atm/nicstar.c linux-2.6.36.1/drivers/atm/nicstar.c
23498 --- linux-2.6.36.1/drivers/atm/nicstar.c 2010-10-20 16:30:22.000000000 -0400
23499 +++ linux-2.6.36.1/drivers/atm/nicstar.c 2010-11-06 18:58:15.000000000 -0400
23500 @@ -1653,7 +1653,7 @@ static int ns_send(struct atm_vcc *vcc,
23501 if ((vc = (vc_map *) vcc->dev_data) == NULL) {
23502 printk("nicstar%d: vcc->dev_data == NULL on ns_send().\n",
23504 - atomic_inc(&vcc->stats->tx_err);
23505 + atomic_inc_unchecked(&vcc->stats->tx_err);
23506 dev_kfree_skb_any(skb);
23509 @@ -1661,7 +1661,7 @@ static int ns_send(struct atm_vcc *vcc,
23511 printk("nicstar%d: Trying to transmit on a non-tx VC.\n",
23513 - atomic_inc(&vcc->stats->tx_err);
23514 + atomic_inc_unchecked(&vcc->stats->tx_err);
23515 dev_kfree_skb_any(skb);
23518 @@ -1669,14 +1669,14 @@ static int ns_send(struct atm_vcc *vcc,
23519 if (vcc->qos.aal != ATM_AAL5 && vcc->qos.aal != ATM_AAL0) {
23520 printk("nicstar%d: Only AAL0 and AAL5 are supported.\n",
23522 - atomic_inc(&vcc->stats->tx_err);
23523 + atomic_inc_unchecked(&vcc->stats->tx_err);
23524 dev_kfree_skb_any(skb);
23528 if (skb_shinfo(skb)->nr_frags != 0) {
23529 printk("nicstar%d: No scatter-gather yet.\n", card->index);
23530 - atomic_inc(&vcc->stats->tx_err);
23531 + atomic_inc_unchecked(&vcc->stats->tx_err);
23532 dev_kfree_skb_any(skb);
23535 @@ -1724,11 +1724,11 @@ static int ns_send(struct atm_vcc *vcc,
23538 if (push_scqe(card, vc, scq, &scqe, skb) != 0) {
23539 - atomic_inc(&vcc->stats->tx_err);
23540 + atomic_inc_unchecked(&vcc->stats->tx_err);
23541 dev_kfree_skb_any(skb);
23544 - atomic_inc(&vcc->stats->tx);
23545 + atomic_inc_unchecked(&vcc->stats->tx);
23549 @@ -2045,14 +2045,14 @@ static void dequeue_rx(ns_dev * card, ns
23551 ("nicstar%d: Can't allocate buffers for aal0.\n",
23553 - atomic_add(i, &vcc->stats->rx_drop);
23554 + atomic_add_unchecked(i, &vcc->stats->rx_drop);
23557 if (!atm_charge(vcc, sb->truesize)) {
23559 ("nicstar%d: atm_charge() dropped aal0 packets.\n",
23561 - atomic_add(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23562 + atomic_add_unchecked(i - 1, &vcc->stats->rx_drop); /* already increased by 1 */
23563 dev_kfree_skb_any(sb);
23566 @@ -2067,7 +2067,7 @@ static void dequeue_rx(ns_dev * card, ns
23567 ATM_SKB(sb)->vcc = vcc;
23568 __net_timestamp(sb);
23569 vcc->push(vcc, sb);
23570 - atomic_inc(&vcc->stats->rx);
23571 + atomic_inc_unchecked(&vcc->stats->rx);
23572 cell += ATM_CELL_PAYLOAD;
23575 @@ -2084,7 +2084,7 @@ static void dequeue_rx(ns_dev * card, ns
23576 if (iovb == NULL) {
23577 printk("nicstar%d: Out of iovec buffers.\n",
23579 - atomic_inc(&vcc->stats->rx_drop);
23580 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23581 recycle_rx_buf(card, skb);
23584 @@ -2108,7 +2108,7 @@ static void dequeue_rx(ns_dev * card, ns
23585 small or large buffer itself. */
23586 } else if (NS_PRV_IOVCNT(iovb) >= NS_MAX_IOVECS) {
23587 printk("nicstar%d: received too big AAL5 SDU.\n", card->index);
23588 - atomic_inc(&vcc->stats->rx_err);
23589 + atomic_inc_unchecked(&vcc->stats->rx_err);
23590 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23592 NS_PRV_IOVCNT(iovb) = 0;
23593 @@ -2128,7 +2128,7 @@ static void dequeue_rx(ns_dev * card, ns
23594 ("nicstar%d: Expected a small buffer, and this is not one.\n",
23596 which_list(card, skb);
23597 - atomic_inc(&vcc->stats->rx_err);
23598 + atomic_inc_unchecked(&vcc->stats->rx_err);
23599 recycle_rx_buf(card, skb);
23601 recycle_iov_buf(card, iovb);
23602 @@ -2141,7 +2141,7 @@ static void dequeue_rx(ns_dev * card, ns
23603 ("nicstar%d: Expected a large buffer, and this is not one.\n",
23605 which_list(card, skb);
23606 - atomic_inc(&vcc->stats->rx_err);
23607 + atomic_inc_unchecked(&vcc->stats->rx_err);
23608 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23609 NS_PRV_IOVCNT(iovb));
23611 @@ -2164,7 +2164,7 @@ static void dequeue_rx(ns_dev * card, ns
23612 printk(" - PDU size mismatch.\n");
23615 - atomic_inc(&vcc->stats->rx_err);
23616 + atomic_inc_unchecked(&vcc->stats->rx_err);
23617 recycle_iovec_rx_bufs(card, (struct iovec *)iovb->data,
23618 NS_PRV_IOVCNT(iovb));
23620 @@ -2178,7 +2178,7 @@ static void dequeue_rx(ns_dev * card, ns
23621 /* skb points to a small buffer */
23622 if (!atm_charge(vcc, skb->truesize)) {
23623 push_rxbufs(card, skb);
23624 - atomic_inc(&vcc->stats->rx_drop);
23625 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23628 dequeue_sm_buf(card, skb);
23629 @@ -2188,7 +2188,7 @@ static void dequeue_rx(ns_dev * card, ns
23630 ATM_SKB(skb)->vcc = vcc;
23631 __net_timestamp(skb);
23632 vcc->push(vcc, skb);
23633 - atomic_inc(&vcc->stats->rx);
23634 + atomic_inc_unchecked(&vcc->stats->rx);
23636 } else if (NS_PRV_IOVCNT(iovb) == 2) { /* One small plus one large buffer */
23637 struct sk_buff *sb;
23638 @@ -2199,7 +2199,7 @@ static void dequeue_rx(ns_dev * card, ns
23639 if (len <= NS_SMBUFSIZE) {
23640 if (!atm_charge(vcc, sb->truesize)) {
23641 push_rxbufs(card, sb);
23642 - atomic_inc(&vcc->stats->rx_drop);
23643 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23646 dequeue_sm_buf(card, sb);
23647 @@ -2209,7 +2209,7 @@ static void dequeue_rx(ns_dev * card, ns
23648 ATM_SKB(sb)->vcc = vcc;
23649 __net_timestamp(sb);
23650 vcc->push(vcc, sb);
23651 - atomic_inc(&vcc->stats->rx);
23652 + atomic_inc_unchecked(&vcc->stats->rx);
23655 push_rxbufs(card, skb);
23656 @@ -2218,7 +2218,7 @@ static void dequeue_rx(ns_dev * card, ns
23658 if (!atm_charge(vcc, skb->truesize)) {
23659 push_rxbufs(card, skb);
23660 - atomic_inc(&vcc->stats->rx_drop);
23661 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23663 dequeue_lg_buf(card, skb);
23664 #ifdef NS_USE_DESTRUCTORS
23665 @@ -2231,7 +2231,7 @@ static void dequeue_rx(ns_dev * card, ns
23666 ATM_SKB(skb)->vcc = vcc;
23667 __net_timestamp(skb);
23668 vcc->push(vcc, skb);
23669 - atomic_inc(&vcc->stats->rx);
23670 + atomic_inc_unchecked(&vcc->stats->rx);
23673 push_rxbufs(card, sb);
23674 @@ -2252,7 +2252,7 @@ static void dequeue_rx(ns_dev * card, ns
23676 ("nicstar%d: Out of huge buffers.\n",
23678 - atomic_inc(&vcc->stats->rx_drop);
23679 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23680 recycle_iovec_rx_bufs(card,
23683 @@ -2303,7 +2303,7 @@ static void dequeue_rx(ns_dev * card, ns
23684 card->hbpool.count++;
23686 dev_kfree_skb_any(hb);
23687 - atomic_inc(&vcc->stats->rx_drop);
23688 + atomic_inc_unchecked(&vcc->stats->rx_drop);
23690 /* Copy the small buffer to the huge buffer */
23691 sb = (struct sk_buff *)iov->iov_base;
23692 @@ -2340,7 +2340,7 @@ static void dequeue_rx(ns_dev * card, ns
23693 #endif /* NS_USE_DESTRUCTORS */
23694 __net_timestamp(hb);
23695 vcc->push(vcc, hb);
23696 - atomic_inc(&vcc->stats->rx);
23697 + atomic_inc_unchecked(&vcc->stats->rx);
23701 diff -urNp linux-2.6.36.1/drivers/atm/solos-pci.c linux-2.6.36.1/drivers/atm/solos-pci.c
23702 --- linux-2.6.36.1/drivers/atm/solos-pci.c 2010-10-20 16:30:22.000000000 -0400
23703 +++ linux-2.6.36.1/drivers/atm/solos-pci.c 2010-11-06 18:58:15.000000000 -0400
23704 @@ -717,7 +717,7 @@ void solos_bh(unsigned long card_arg)
23706 atm_charge(vcc, skb->truesize);
23707 vcc->push(vcc, skb);
23708 - atomic_inc(&vcc->stats->rx);
23709 + atomic_inc_unchecked(&vcc->stats->rx);
23713 @@ -1025,7 +1025,7 @@ static uint32_t fpga_tx(struct solos_car
23714 vcc = SKB_CB(oldskb)->vcc;
23717 - atomic_inc(&vcc->stats->tx);
23718 + atomic_inc_unchecked(&vcc->stats->tx);
23719 solos_pop(vcc, oldskb);
23721 dev_kfree_skb_irq(oldskb);
23722 diff -urNp linux-2.6.36.1/drivers/atm/suni.c linux-2.6.36.1/drivers/atm/suni.c
23723 --- linux-2.6.36.1/drivers/atm/suni.c 2010-10-20 16:30:22.000000000 -0400
23724 +++ linux-2.6.36.1/drivers/atm/suni.c 2010-11-06 18:58:15.000000000 -0400
23725 @@ -50,8 +50,8 @@ static DEFINE_SPINLOCK(sunis_lock);
23728 #define ADD_LIMITED(s,v) \
23729 - atomic_add((v),&stats->s); \
23730 - if (atomic_read(&stats->s) < 0) atomic_set(&stats->s,INT_MAX);
23731 + atomic_add_unchecked((v),&stats->s); \
23732 + if (atomic_read_unchecked(&stats->s) < 0) atomic_set_unchecked(&stats->s,INT_MAX);
23735 static void suni_hz(unsigned long from_timer)
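Review bot: `ADD_LIMITED` at `#define ADD_LIMITED(s,v)` still expands to two bare statements with no `do { ... } while (0)` wrapper, so a call used as the body of an unbraced `if` would run the `atomic_add_unchecked` conditionally and the saturation check unconditionally. The uPD98402.c version of the same macro wraps its body in bare braces instead, which turns an `if (...) ADD_LIMITED(...); else` caller into a syntax error. Both are pre-existing, but since the lines are being rewritten anyway, `#define ADD_LIMITED(s,v) do { ... } while (0)` with the two statements inside would make them safe; the saturate-to-INT_MAX logic itself reads correctly for a counter that is permitted to wrap. suni_hz's body starts after the hunk.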
23736 diff -urNp linux-2.6.36.1/drivers/atm/uPD98402.c linux-2.6.36.1/drivers/atm/uPD98402.c
23737 --- linux-2.6.36.1/drivers/atm/uPD98402.c 2010-10-20 16:30:22.000000000 -0400
23738 +++ linux-2.6.36.1/drivers/atm/uPD98402.c 2010-11-06 18:58:15.000000000 -0400
23739 @@ -42,7 +42,7 @@ static int fetch_stats(struct atm_dev *d
23740 struct sonet_stats tmp;
23743 - atomic_add(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23744 + atomic_add_unchecked(GET(HECCT),&PRIV(dev)->sonet_stats.uncorr_hcs);
23745 sonet_copy_stats(&PRIV(dev)->sonet_stats,&tmp);
23746 if (arg) error = copy_to_user(arg,&tmp,sizeof(tmp));
23747 if (zero && !error) {
23748 @@ -161,9 +161,9 @@ static int uPD98402_ioctl(struct atm_dev
23751 #define ADD_LIMITED(s,v) \
23752 - { atomic_add(GET(v),&PRIV(dev)->sonet_stats.s); \
23753 - if (atomic_read(&PRIV(dev)->sonet_stats.s) < 0) \
23754 - atomic_set(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23755 + { atomic_add_unchecked(GET(v),&PRIV(dev)->sonet_stats.s); \
23756 + if (atomic_read_unchecked(&PRIV(dev)->sonet_stats.s) < 0) \
23757 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.s,INT_MAX); }
23760 static void stat_event(struct atm_dev *dev)
23761 @@ -194,7 +194,7 @@ static void uPD98402_int(struct atm_dev
23762 if (reason & uPD98402_INT_PFM) stat_event(dev);
23763 if (reason & uPD98402_INT_PCO) {
23764 (void) GET(PCOCR); /* clear interrupt cause */
23765 - atomic_add(GET(HECCT),
23766 + atomic_add_unchecked(GET(HECCT),
23767 &PRIV(dev)->sonet_stats.uncorr_hcs);
23769 if ((reason & uPD98402_INT_RFO) &&
23770 @@ -222,9 +222,9 @@ static int uPD98402_start(struct atm_dev
23771 PUT(~(uPD98402_INT_PFM | uPD98402_INT_ALM | uPD98402_INT_RFO |
23772 uPD98402_INT_LOS),PIMR); /* enable them */
23773 (void) fetch_stats(dev,NULL,1); /* clear kernel counters */
23774 - atomic_set(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23775 - atomic_set(&PRIV(dev)->sonet_stats.tx_cells,-1);
23776 - atomic_set(&PRIV(dev)->sonet_stats.rx_cells,-1);
23777 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.corr_hcs,-1);
23778 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.tx_cells,-1);
23779 + atomic_set_unchecked(&PRIV(dev)->sonet_stats.rx_cells,-1);
23783 diff -urNp linux-2.6.36.1/drivers/atm/zatm.c linux-2.6.36.1/drivers/atm/zatm.c
23784 --- linux-2.6.36.1/drivers/atm/zatm.c 2010-10-20 16:30:22.000000000 -0400
23785 +++ linux-2.6.36.1/drivers/atm/zatm.c 2010-11-06 18:58:15.000000000 -0400
23786 @@ -459,7 +459,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23789 dev_kfree_skb_irq(skb);
23790 - if (vcc) atomic_inc(&vcc->stats->rx_err);
23791 + if (vcc) atomic_inc_unchecked(&vcc->stats->rx_err);
23794 if (!atm_charge(vcc,skb->truesize)) {
23795 @@ -469,7 +469,7 @@ printk("dummy: 0x%08lx, 0x%08lx\n",dummy
23797 ATM_SKB(skb)->vcc = vcc;
23798 vcc->push(vcc,skb);
23799 - atomic_inc(&vcc->stats->rx);
23800 + atomic_inc_unchecked(&vcc->stats->rx);
23802 zout(pos & 0xffff,MTA(mbx));
23803 #if 0 /* probably a stupid idea */
23804 @@ -733,7 +733,7 @@ if (*ZATM_PRV_DSC(skb) != (uPD98401_TXPD
23805 skb_queue_head(&zatm_vcc->backlog,skb);
23808 - atomic_inc(&vcc->stats->tx);
23809 + atomic_inc_unchecked(&vcc->stats->tx);
23810 wake_up(&zatm_vcc->tx_wait);
23813 diff -urNp linux-2.6.36.1/drivers/char/agp/frontend.c linux-2.6.36.1/drivers/char/agp/frontend.c
23814 --- linux-2.6.36.1/drivers/char/agp/frontend.c 2010-10-20 16:30:22.000000000 -0400
23815 +++ linux-2.6.36.1/drivers/char/agp/frontend.c 2010-11-06 18:58:15.000000000 -0400
23816 @@ -818,7 +818,7 @@ static int agpioc_reserve_wrap(struct ag
23817 if (copy_from_user(&reserve, arg, sizeof(struct agp_region)))
23820 - if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment))
23821 + if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))
23824 client = agp_find_client_by_pid(reserve.pid);
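Review bot: The overflow guard `if ((unsigned) reserve.seg_count >= ~0U/sizeof(struct agp_segment_priv))` is now tied to `struct agp_segment_priv`, presumably because that is the element type of the allocation sized from `seg_count` further down in agpioc_reserve_wrap, which is outside the hunk. Because the check and the allocation are separated, a short comment naming what it protects — `/* bound seg_count against the agp_segment_priv array allocated below */` — would keep the two from drifting apart again. The function continues outside the hunk, so whether `seg_count` is also capped against a driver limit cannot be seen from here.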
23825 diff -urNp linux-2.6.36.1/drivers/char/agp/intel-agp.c linux-2.6.36.1/drivers/char/agp/intel-agp.c
23826 --- linux-2.6.36.1/drivers/char/agp/intel-agp.c 2010-10-20 16:30:22.000000000 -0400
23827 +++ linux-2.6.36.1/drivers/char/agp/intel-agp.c 2010-11-06 18:58:15.000000000 -0400
23828 @@ -1056,7 +1056,7 @@ static struct pci_device_id agp_intel_pc
23829 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_HB),
23830 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_M_HB),
23831 ID(PCI_DEVICE_ID_INTEL_SANDYBRIDGE_S_HB),
23833 + { 0, 0, 0, 0, 0, 0, 0 }
23836 MODULE_DEVICE_TABLE(pci, agp_intel_pci_table);
23837 diff -urNp linux-2.6.36.1/drivers/char/hpet.c linux-2.6.36.1/drivers/char/hpet.c
23838 --- linux-2.6.36.1/drivers/char/hpet.c 2010-10-20 16:30:22.000000000 -0400
23839 +++ linux-2.6.36.1/drivers/char/hpet.c 2010-11-06 18:58:50.000000000 -0400
23840 @@ -429,7 +429,7 @@ static int hpet_release(struct inode *in
23844 -static int hpet_ioctl_common(struct hpet_dev *, int, unsigned long, int);
23845 +static int hpet_ioctl_common(struct hpet_dev *, unsigned int, unsigned long, int);
23847 static long hpet_ioctl(struct file *file, unsigned int cmd,
23849 @@ -553,7 +553,7 @@ static inline unsigned long hpet_time_di
23853 -hpet_ioctl_common(struct hpet_dev *devp, int cmd, unsigned long arg, int kernel)
23854 +hpet_ioctl_common(struct hpet_dev *devp, unsigned int cmd, unsigned long arg, int kernel)
23856 struct hpet_timer __iomem *timer;
23857 struct hpet __iomem *hpet;
23858 @@ -596,11 +596,11 @@ hpet_ioctl_common(struct hpet_dev *devp,
23860 struct hpet_info info;
23862 + memset(&info, 0, sizeof(info));
23864 if (devp->hd_ireqfreq)
23866 hpet_time_div(hpetp, devp->hd_ireqfreq);
23868 - info.hi_ireqfreq = 0;
23870 readq(&timer->hpet_config) & Tn_PER_INT_CAP_MASK;
23871 info.hi_hpet = hpetp->hp_which;
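Review bot: The new `memset(&info, 0, sizeof(info));` makes the removed `info.hi_ireqfreq = 0;` redundant, but nothing says why a full clear is needed instead of initialising the fields one by one. If, as the structure name suggests, `info` is later copied to user space (outside the hunk), the memset is what keeps uninitialised padding and any unset members from being exposed, and that deserves a comment: `/* zero everything, including padding: the whole struct is copied to user space */`. hpet_ioctl_common begins and ends outside the hunk.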
23872 @@ -998,7 +998,7 @@ static struct acpi_driver hpet_acpi_driv
23876 -static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops };
23877 +static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };
23879 static int __init hpet_init(void)
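Review bot: `static struct miscdevice hpet_misc = { HPET_MINOR, "hpet", &hpet_fops, {NULL, NULL}, NULL, NULL };` initialises the trailing members positionally, which ties the line to the exact field order of `struct miscdevice` and will silently mis-assign if a member is ever inserted. Designated initialisers express the same thing without spelling out the unused members: `static struct miscdevice hpet_misc = { .minor = HPET_MINOR, .name = "hpet", .fops = &hpet_fops };`. The remaining members are zero-initialised by the language anyway, so the explicit NULLs add fragility without adding meaning.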
23881 diff -urNp linux-2.6.36.1/drivers/char/hvc_console.h linux-2.6.36.1/drivers/char/hvc_console.h
23882 --- linux-2.6.36.1/drivers/char/hvc_console.h 2010-10-20 16:30:22.000000000 -0400
23883 +++ linux-2.6.36.1/drivers/char/hvc_console.h 2010-11-06 18:58:15.000000000 -0400
23884 @@ -82,6 +82,7 @@ extern int hvc_instantiate(uint32_t vter
23885 /* register a vterm for hvc tty operation (module_init or hotplug add) */
23886 extern struct hvc_struct * hvc_alloc(uint32_t vtermno, int data,
23887 const struct hv_ops *ops, int outbuf_size);
23889 /* remove a vterm from hvc tty operation (module_exit or hotplug remove) */
23890 extern int hvc_remove(struct hvc_struct *hp);
23892 diff -urNp linux-2.6.36.1/drivers/char/hvcs.c linux-2.6.36.1/drivers/char/hvcs.c
23893 --- linux-2.6.36.1/drivers/char/hvcs.c 2010-10-20 16:30:22.000000000 -0400
23894 +++ linux-2.6.36.1/drivers/char/hvcs.c 2010-11-06 18:58:15.000000000 -0400
23895 @@ -270,7 +270,7 @@ struct hvcs_struct {
23896 unsigned int index;
23898 struct tty_struct *tty;
23900 + atomic_t open_count;
23903 * Used to tell the driver kernel_thread what operations need to take
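Review bot: `atomic_t open_count;` is introduced without a comment on which accesses are lockless, yet in every later hvcs.c hunk except hvcs_write_room the counter is read and modified inside `spin_lock_irqsave(&hvcsd->lock, flags)`. If the read in hvcs_write_room, which appears to be outside the lock, is the reason for the atomic type, say so on the field — `atomic_t open_count; /* read without hvcsd->lock in hvcs_write_room(); all updates happen under the lock */` — otherwise the next maintainer may conclude the lock is no longer needed around the updates. The `atomic_read(&hvcsd->open_count) < 0` diagnostic in hvcs_close still assumes the count is never decremented below zero by a concurrent path, which the atomic type alone does not guarantee. struct hvcs_struct continues outside the hunk.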
23904 @@ -420,7 +420,7 @@ static ssize_t hvcs_vterm_state_store(st
23906 spin_lock_irqsave(&hvcsd->lock, flags);
23908 - if (hvcsd->open_count > 0) {
23909 + if (atomic_read(&hvcsd->open_count) > 0) {
23910 spin_unlock_irqrestore(&hvcsd->lock, flags);
23911 printk(KERN_INFO "HVCS: vterm state unchanged. "
23912 "The hvcs device node is still in use.\n");
23913 @@ -1136,7 +1136,7 @@ static int hvcs_open(struct tty_struct *
23914 if ((retval = hvcs_partner_connect(hvcsd)))
23915 goto error_release;
23917 - hvcsd->open_count = 1;
23918 + atomic_set(&hvcsd->open_count, 1);
23920 tty->driver_data = hvcsd;
23922 @@ -1170,7 +1170,7 @@ fast_open:
23924 spin_lock_irqsave(&hvcsd->lock, flags);
23925 kref_get(&hvcsd->kref);
23926 - hvcsd->open_count++;
23927 + atomic_inc(&hvcsd->open_count);
23928 hvcsd->todo_mask |= HVCS_SCHED_READ;
23929 spin_unlock_irqrestore(&hvcsd->lock, flags);
23931 @@ -1214,7 +1214,7 @@ static void hvcs_close(struct tty_struct
23932 hvcsd = tty->driver_data;
23934 spin_lock_irqsave(&hvcsd->lock, flags);
23935 - if (--hvcsd->open_count == 0) {
23936 + if (atomic_dec_and_test(&hvcsd->open_count)) {
23938 vio_disable_interrupts(hvcsd->vdev);
23940 @@ -1240,10 +1240,10 @@ static void hvcs_close(struct tty_struct
23941 free_irq(irq, hvcsd);
23942 kref_put(&hvcsd->kref, destroy_hvcs_struct);
23944 - } else if (hvcsd->open_count < 0) {
23945 + } else if (atomic_read(&hvcsd->open_count) < 0) {
23946 printk(KERN_ERR "HVCS: vty-server@%X open_count: %d"
23947 " is missmanaged.\n",
23948 - hvcsd->vdev->unit_address, hvcsd->open_count);
23949 + hvcsd->vdev->unit_address, atomic_read(&hvcsd->open_count));
23952 spin_unlock_irqrestore(&hvcsd->lock, flags);
23953 @@ -1259,7 +1259,7 @@ static void hvcs_hangup(struct tty_struc
23955 spin_lock_irqsave(&hvcsd->lock, flags);
23956 /* Preserve this so that we know how many kref refs to put */
23957 - temp_open_count = hvcsd->open_count;
23958 + temp_open_count = atomic_read(&hvcsd->open_count);
23961 * Don't kref put inside the spinlock because the destruction
23962 @@ -1274,7 +1274,7 @@ static void hvcs_hangup(struct tty_struc
23963 hvcsd->tty->driver_data = NULL;
23966 - hvcsd->open_count = 0;
23967 + atomic_set(&hvcsd->open_count, 0);
23969 /* This will drop any buffered data on the floor which is OK in a hangup
23971 @@ -1345,7 +1345,7 @@ static int hvcs_write(struct tty_struct
23972 * the middle of a write operation? This is a crummy place to do this
23973 * but we want to keep it all in the spinlock.
23975 - if (hvcsd->open_count <= 0) {
23976 + if (atomic_read(&hvcsd->open_count) <= 0) {
23977 spin_unlock_irqrestore(&hvcsd->lock, flags);
23980 @@ -1419,7 +1419,7 @@ static int hvcs_write_room(struct tty_st
23982 struct hvcs_struct *hvcsd = tty->driver_data;
23984 - if (!hvcsd || hvcsd->open_count <= 0)
23985 + if (!hvcsd || atomic_read(&hvcsd->open_count) <= 0)
23988 return HVCS_BUFF_LEN - hvcsd->chars_in_buffer;
23989 diff -urNp linux-2.6.36.1/drivers/char/ipmi/ipmi_msghandler.c linux-2.6.36.1/drivers/char/ipmi/ipmi_msghandler.c
23990 --- linux-2.6.36.1/drivers/char/ipmi/ipmi_msghandler.c 2010-10-20 16:30:22.000000000 -0400
23991 +++ linux-2.6.36.1/drivers/char/ipmi/ipmi_msghandler.c 2010-11-06 18:58:15.000000000 -0400
23992 @@ -414,7 +414,7 @@ struct ipmi_smi {
23993 struct proc_dir_entry *proc_dir;
23994 char proc_dir_name[10];
23996 - atomic_t stats[IPMI_NUM_STATS];
23997 + atomic_unchecked_t stats[IPMI_NUM_STATS];
24000 * run_to_completion duplicate of smb_info, smi_info
24001 @@ -447,9 +447,9 @@ static DEFINE_MUTEX(smi_watchers_mutex);
24004 #define ipmi_inc_stat(intf, stat) \
24005 - atomic_inc(&(intf)->stats[IPMI_STAT_ ## stat])
24006 + atomic_inc_unchecked(&(intf)->stats[IPMI_STAT_ ## stat])
24007 #define ipmi_get_stat(intf, stat) \
24008 - ((unsigned int) atomic_read(&(intf)->stats[IPMI_STAT_ ## stat]))
24009 + ((unsigned int) atomic_read_unchecked(&(intf)->stats[IPMI_STAT_ ## stat]))
24011 static int is_lan_addr(struct ipmi_addr *addr)
24013 @@ -2817,7 +2817,7 @@ int ipmi_register_smi(struct ipmi_smi_ha
24014 INIT_LIST_HEAD(&intf->cmd_rcvrs);
24015 init_waitqueue_head(&intf->waitq);
24016 for (i = 0; i < IPMI_NUM_STATS; i++)
24017 - atomic_set(&intf->stats[i], 0);
24018 + atomic_set_unchecked(&intf->stats[i], 0);
24020 intf->proc_dir = NULL;
24022 diff -urNp linux-2.6.36.1/drivers/char/ipmi/ipmi_si_intf.c linux-2.6.36.1/drivers/char/ipmi/ipmi_si_intf.c
24023 --- linux-2.6.36.1/drivers/char/ipmi/ipmi_si_intf.c 2010-10-20 16:30:22.000000000 -0400
24024 +++ linux-2.6.36.1/drivers/char/ipmi/ipmi_si_intf.c 2010-11-06 18:58:15.000000000 -0400
24025 @@ -286,7 +286,7 @@ struct smi_info {
24026 unsigned char slave_addr;
24028 /* Counters and things for the proc filesystem. */
24029 - atomic_t stats[SI_NUM_STATS];
24030 + atomic_unchecked_t stats[SI_NUM_STATS];
24032 struct task_struct *thread;
24034 @@ -294,9 +294,9 @@ struct smi_info {
24037 #define smi_inc_stat(smi, stat) \
24038 - atomic_inc(&(smi)->stats[SI_STAT_ ## stat])
24039 + atomic_inc_unchecked(&(smi)->stats[SI_STAT_ ## stat])
24040 #define smi_get_stat(smi, stat) \
24041 - ((unsigned int) atomic_read(&(smi)->stats[SI_STAT_ ## stat]))
24042 + ((unsigned int) atomic_read_unchecked(&(smi)->stats[SI_STAT_ ## stat]))
24044 #define SI_MAX_PARMS 4
24046 @@ -3171,7 +3171,7 @@ static int try_smi_init(struct smi_info
24047 atomic_set(&new_smi->req_events, 0);
24048 new_smi->run_to_completion = 0;
24049 for (i = 0; i < SI_NUM_STATS; i++)
24050 - atomic_set(&new_smi->stats[i], 0);
24051 + atomic_set_unchecked(&new_smi->stats[i], 0);
24053 new_smi->interrupt_disabled = 1;
24054 atomic_set(&new_smi->stop_operation, 0);
24055 diff -urNp linux-2.6.36.1/drivers/char/keyboard.c linux-2.6.36.1/drivers/char/keyboard.c
24056 --- linux-2.6.36.1/drivers/char/keyboard.c 2010-10-20 16:30:22.000000000 -0400
24057 +++ linux-2.6.36.1/drivers/char/keyboard.c 2010-11-06 18:58:50.000000000 -0400
24058 @@ -640,6 +640,16 @@ static void k_spec(struct vc_data *vc, u
24059 kbd->kbdmode == VC_MEDIUMRAW) &&
24060 value != KVAL(K_SAK))
24061 return; /* SAK is allowed even in raw mode */
24063 +#if defined(CONFIG_GRKERNSEC_PROC) || defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
24065 + void *func = fn_handler[value];
24066 + if (func == fn_show_state || func == fn_show_ptregs ||
24067 + func == fn_show_mem)
24072 fn_handler[value](vc);
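Review bot: The three handlers are singled out by comparing function pointers with no comment saying why, and the early exit that follows the condition (not visible in this excerpt) silently drops the keypress. fn_show_state, fn_show_ptregs and fn_show_mem dump task lists, register contents and memory layout to the console, so what is being prevented is a kernel-address disclosure to anyone with console access; record that above the `void *func` line, e.g. `/* Don't dump task/register/memory state to the console: it leaks kernel pointers, which the proc restrictions exist to hide */`. It is also worth asking whether fn_show_ptregs should be suppressed independently of CONFIG_GRKERNSEC_PROC, since a register dump is an address leak regardless of /proc settings. k_spec() continues outside the hunk.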
24075 @@ -1396,7 +1406,7 @@ static const struct input_device_id kbd_
24076 .evbit = { BIT_MASK(EV_SND) },
24079 - { }, /* Terminating entry */
24080 + { 0 }, /* Terminating entry */
24083 MODULE_DEVICE_TABLE(input, kbd_ids);
24084 diff -urNp linux-2.6.36.1/drivers/char/mem.c linux-2.6.36.1/drivers/char/mem.c
24085 --- linux-2.6.36.1/drivers/char/mem.c 2010-10-20 16:30:22.000000000 -0400
24086 +++ linux-2.6.36.1/drivers/char/mem.c 2010-11-06 18:58:50.000000000 -0400
24088 #include <linux/raw.h>
24089 #include <linux/tty.h>
24090 #include <linux/capability.h>
24091 +#include <linux/security.h>
24092 #include <linux/ptrace.h>
24093 #include <linux/device.h>
24094 #include <linux/highmem.h>
24096 # include <linux/efi.h>
24099 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24100 +extern struct file_operations grsec_fops;
24103 static inline unsigned long size_inside_page(unsigned long start,
24104 unsigned long size)
24106 @@ -120,6 +125,7 @@ static ssize_t read_mem(struct file *fil
24108 while (count > 0) {
24109 unsigned long remaining;
24112 sz = size_inside_page(p, count);
24114 @@ -135,7 +141,23 @@ static ssize_t read_mem(struct file *fil
24118 - remaining = copy_to_user(buf, ptr, sz);
24119 +#ifdef CONFIG_PAX_USERCOPY
24120 + temp = kmalloc(sz, GFP_KERNEL);
24122 + unxlate_dev_mem_ptr(p, ptr);
24125 + memcpy(temp, ptr, sz);
24130 + remaining = copy_to_user(buf, temp, sz);
24132 +#ifdef CONFIG_PAX_USERCOPY
24136 unxlate_dev_mem_ptr(p, ptr);
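Review bot: The CONFIG_PAX_USERCOPY bounce buffer is allocated with `kmalloc(sz, GFP_KERNEL)` on every pass through the page loop (the `while (count > 0)` loop starts in the previous hunk), so a large read of /dev/mem does one slab allocation and free per page. Since sz is bounded by size_inside_page(), a single PAGE_SIZE buffer allocated before the loop and freed after it would serve every iteration and shrink the error path; the kfree() for the per-iteration buffer and the NULL check are not visible here, so the copy_to_user failure path should be double-checked for a leak. A comment on the kmalloc explaining the detour — presumably that ptr may land inside an arbitrary slab object and the usercopy checker would reject a copy spanning it — would stop a later cleanup from removing the bounce as pointless.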
24139 @@ -161,6 +183,11 @@ static ssize_t write_mem(struct file *fi
24140 if (!valid_phys_addr_range(p, count))
24143 +#ifdef CONFIG_GRKERNSEC_KMEM
24144 + gr_handle_mem_write();
24150 #ifdef __ARCH_HAS_NO_PAGE_ZERO_MAPPED
24151 @@ -316,6 +343,11 @@ static int mmap_mem(struct file *file, s
24152 &vma->vm_page_prot))
24155 +#ifdef CONFIG_GRKERNSEC_KMEM
24156 + if (gr_handle_mem_mmap(vma->vm_pgoff << PAGE_SHIFT, vma))
24160 vma->vm_page_prot = phys_mem_access_prot(file, vma->vm_pgoff,
24162 vma->vm_page_prot);
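Review bot: `vma->vm_pgoff << PAGE_SHIFT` is evaluated in unsigned long, so on a 32-bit kernel with physical memory above 4 GiB (PAE) the address handed to gr_handle_mem_mmap() is truncated and a mapping above 4 GiB is checked against the wrong, wrapped address. The surrounding upstream code stays in page units for exactly this reason (phys_mem_access_prot on the next line takes vm_pgoff). Unless gr_handle_mem_mmap() already takes a pfn or a u64 — its prototype is not in this chunk — pass `(u64)vma->vm_pgoff << PAGE_SHIFT` and widen the parameter, or pass vm_pgoff and shift inside with a wide type.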
24163 @@ -398,9 +430,8 @@ static ssize_t read_kmem(struct file *fi
24164 size_t count, loff_t *ppos)
24166 unsigned long p = *ppos;
24167 - ssize_t low_count, read, sz;
24168 + ssize_t low_count, read, sz, err = 0;
24169 char * kbuf; /* k-addr because vread() takes vmlist_lock rwlock */
24173 if (p < (unsigned long) high_memory) {
24174 @@ -422,6 +453,8 @@ static ssize_t read_kmem(struct file *fi
24177 while (low_count > 0) {
24180 sz = size_inside_page(p, low_count);
24183 @@ -431,7 +464,22 @@ static ssize_t read_kmem(struct file *fi
24185 kbuf = xlate_dev_kmem_ptr((char *)p);
24187 - if (copy_to_user(buf, kbuf, sz))
24188 +#ifdef CONFIG_PAX_USERCOPY
24189 + temp = kmalloc(sz, GFP_KERNEL);
24192 + memcpy(temp, kbuf, sz);
24197 + err = copy_to_user(buf, temp, sz);
24199 +#ifdef CONFIG_PAX_USERCOPY
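Review bot: The direct `copy_to_user(buf, kbuf, sz)` becomes a kmalloc/memcpy/copy_to_user sequence with no comment, and nothing in the hunk says why a direct copy from kbuf is unacceptable under CONFIG_PAX_USERCOPY, so the next reader will be tempted to simplify it away. Presumably kbuf can point into the middle of any slab object, which the usercopy checker rejects as an over-sized copy; say so above the kmalloc: `/* PAX_USERCOPY rejects copies that cross slab objects; stage through a private buffer */`. The branch handling a NULL temp and the kfree() are not visible here — make sure err is set (e.g. -ENOMEM) on that path, since the loop reports err to the caller after this hunk ends.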
24207 @@ -530,6 +578,11 @@ static ssize_t write_kmem(struct file *f
24208 char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */
24211 +#ifdef CONFIG_GRKERNSEC_KMEM
24212 + gr_handle_kmem_write();
24216 if (p < (unsigned long) high_memory) {
24217 unsigned long to_write = min_t(unsigned long, count,
24218 (unsigned long)high_memory - p);
24219 @@ -731,6 +784,16 @@ static loff_t memory_lseek(struct file *
24221 static int open_port(struct inode * inode, struct file * filp)
24223 +#ifdef CONFIG_GRKERNSEC_KMEM
24224 + gr_handle_open_port();
24228 + return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
24231 +static int open_mem(struct inode * inode, struct file * filp)
24233 return capable(CAP_SYS_RAWIO) ? 0 : -EPERM;
24236 @@ -738,7 +801,6 @@ static int open_port(struct inode * inod
24237 #define full_lseek null_lseek
24238 #define write_zero write_null
24239 #define read_full read_zero
24240 -#define open_mem open_port
24241 #define open_kmem open_mem
24242 #define open_oldmem open_mem
24244 @@ -855,6 +917,9 @@ static const struct memdev {
24245 #ifdef CONFIG_CRASH_DUMP
24246 [12] = { "oldmem", 0, &oldmem_fops, NULL },
24248 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
24249 + [13] = { "grsec",S_IRUSR | S_IWUGO, &grsec_fops, NULL },
24253 static int memory_open(struct inode *inode, struct file *filp)
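Review bot: The new `/dev/grsec` node is registered with mode `S_IRUSR | S_IWUGO`, i.e. world-writable, so every user on the system can open it for writing and the only control between an unprivileged writer and the RBAC interface is the write handler in grsec_fops, which is declared elsewhere and not visible here. If that is deliberate — for instance so unprivileged users can authenticate to a role — say so at the table entry, `/* world-writable by design: grsec_fops->write authenticates every request itself */`, so the mode is not tightened to 0600 by a later cleanup and then breaks authentication. If it is not deliberate, `S_IRUSR | S_IWUSR` is the safer default.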
24254 diff -urNp linux-2.6.36.1/drivers/char/n_gsm.c linux-2.6.36.1/drivers/char/n_gsm.c
24255 --- linux-2.6.36.1/drivers/char/n_gsm.c 2010-10-20 16:30:22.000000000 -0400
24256 +++ linux-2.6.36.1/drivers/char/n_gsm.c 2010-11-06 18:58:15.000000000 -0400
24257 @@ -1577,7 +1577,7 @@ static struct gsm_dlci *gsm_dlci_alloc(s
24259 spin_lock_init(&dlci->lock);
24260 dlci->fifo = &dlci->_fifo;
24261 - if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL) < 0) {
24262 + if (kfifo_alloc(&dlci->_fifo, 4096, GFP_KERNEL)) {
24266 diff -urNp linux-2.6.36.1/drivers/char/n_tty.c linux-2.6.36.1/drivers/char/n_tty.c
24267 --- linux-2.6.36.1/drivers/char/n_tty.c 2010-10-20 16:30:22.000000000 -0400
24268 +++ linux-2.6.36.1/drivers/char/n_tty.c 2010-11-06 18:58:15.000000000 -0400
24269 @@ -2116,6 +2116,7 @@ void n_tty_inherit_ops(struct tty_ldisc_
24271 *ops = tty_ldisc_N_TTY;
24273 - ops->refcount = ops->flags = 0;
24274 + atomic_set(&ops->refcount, 0);
24277 EXPORT_SYMBOL_GPL(n_tty_inherit_ops);
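Review bot: The removed line cleared both `ops->refcount` and `ops->flags`, but the replacement shown here only resets refcount through atomic_set(), so flags keep whatever `*ops = tty_ldisc_N_TTY` copied in two lines earlier — a behaviour change for every line discipline that inherits from N_TTY. Unless a further `ops->flags = 0;` line was dropped from this excerpt, add it directly after the atomic_set().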
24278 diff -urNp linux-2.6.36.1/drivers/char/nvram.c linux-2.6.36.1/drivers/char/nvram.c
24279 --- linux-2.6.36.1/drivers/char/nvram.c 2010-10-20 16:30:22.000000000 -0400
24280 +++ linux-2.6.36.1/drivers/char/nvram.c 2010-11-06 18:58:15.000000000 -0400
24281 @@ -245,7 +245,7 @@ static ssize_t nvram_read(struct file *f
24283 spin_unlock_irq(&rtc_lock);
24285 - if (copy_to_user(buf, contents, tmp - contents))
24286 + if (tmp - contents > sizeof(contents) || copy_to_user(buf, contents, tmp - contents))
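Review bot: The added `tmp - contents > sizeof(contents)` test runs after `contents` has been filled, so if the producer loop (outside this hunk) ever advanced tmp past the end of the array the stack buffer would already be overrun by the time this fires; it bounds the copy_to_user length, it does not prevent the overflow. Say that in a comment so nobody reads it as the fix: `/* defensive: bound the copy to the object; the fill loop above is what must keep tmp in range */`. Minor: `tmp - contents` is ptrdiff_t and sizeof() is size_t, so the comparison is done unsigned — harmless while tmp >= contents, but a `(size_t)` cast would make the intent explicit.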
24290 @@ -434,7 +434,10 @@ static const struct file_operations nvra
24291 static struct miscdevice nvram_dev = {
24301 static int __init nvram_init(void)
24302 diff -urNp linux-2.6.36.1/drivers/char/pcmcia/ipwireless/tty.c linux-2.6.36.1/drivers/char/pcmcia/ipwireless/tty.c
24303 --- linux-2.6.36.1/drivers/char/pcmcia/ipwireless/tty.c 2010-10-20 16:30:22.000000000 -0400
24304 +++ linux-2.6.36.1/drivers/char/pcmcia/ipwireless/tty.c 2010-11-06 18:58:15.000000000 -0400
24305 @@ -51,7 +51,7 @@ struct ipw_tty {
24307 struct ipw_network *network;
24308 struct tty_struct *linux_tty;
24310 + atomic_t open_count;
24311 unsigned int control_lines;
24312 struct mutex ipw_tty_mutex;
24313 int tx_bytes_queued;
24314 @@ -127,10 +127,10 @@ static int ipw_open(struct tty_struct *l
24315 mutex_unlock(&tty->ipw_tty_mutex);
24318 - if (tty->open_count == 0)
24319 + if (atomic_read(&tty->open_count) == 0)
24320 tty->tx_bytes_queued = 0;
24322 - tty->open_count++;
24323 + atomic_inc(&tty->open_count);
24325 tty->linux_tty = linux_tty;
24326 linux_tty->driver_data = tty;
24327 @@ -146,9 +146,7 @@ static int ipw_open(struct tty_struct *l
24329 static void do_ipw_close(struct ipw_tty *tty)
24331 - tty->open_count--;
24333 - if (tty->open_count == 0) {
24334 + if (atomic_dec_return(&tty->open_count) == 0) {
24335 struct tty_struct *linux_tty = tty->linux_tty;
24337 if (linux_tty != NULL) {
24338 @@ -169,7 +167,7 @@ static void ipw_hangup(struct tty_struct
24341 mutex_lock(&tty->ipw_tty_mutex);
24342 - if (tty->open_count == 0) {
24343 + if (atomic_read(&tty->open_count) == 0) {
24344 mutex_unlock(&tty->ipw_tty_mutex);
24347 @@ -198,7 +196,7 @@ void ipwireless_tty_received(struct ipw_
24351 - if (!tty->open_count) {
24352 + if (!atomic_read(&tty->open_count)) {
24353 mutex_unlock(&tty->ipw_tty_mutex);
24356 @@ -240,7 +238,7 @@ static int ipw_write(struct tty_struct *
24359 mutex_lock(&tty->ipw_tty_mutex);
24360 - if (!tty->open_count) {
24361 + if (!atomic_read(&tty->open_count)) {
24362 mutex_unlock(&tty->ipw_tty_mutex);
24365 @@ -280,7 +278,7 @@ static int ipw_write_room(struct tty_str
24369 - if (!tty->open_count)
24370 + if (!atomic_read(&tty->open_count))
24373 room = IPWIRELESS_TX_QUEUE_SIZE - tty->tx_bytes_queued;
24374 @@ -322,7 +320,7 @@ static int ipw_chars_in_buffer(struct tt
24378 - if (!tty->open_count)
24379 + if (!atomic_read(&tty->open_count))
24382 return tty->tx_bytes_queued;
24383 @@ -403,7 +401,7 @@ static int ipw_tiocmget(struct tty_struc
24387 - if (!tty->open_count)
24388 + if (!atomic_read(&tty->open_count))
24391 return get_control_lines(tty);
24392 @@ -419,7 +417,7 @@ ipw_tiocmset(struct tty_struct *linux_tt
24396 - if (!tty->open_count)
24397 + if (!atomic_read(&tty->open_count))
24400 return set_control_lines(tty, set, clear);
24401 @@ -433,7 +431,7 @@ static int ipw_ioctl(struct tty_struct *
24405 - if (!tty->open_count)
24406 + if (!atomic_read(&tty->open_count))
24409 /* FIXME: Exactly how is the tty object locked here .. */
24410 @@ -582,7 +580,7 @@ void ipwireless_tty_free(struct ipw_tty
24411 against a parallel ioctl etc */
24412 mutex_lock(&ttyj->ipw_tty_mutex);
24414 - while (ttyj->open_count)
24415 + while (atomic_read(&ttyj->open_count))
24416 do_ipw_close(ttyj);
24417 ipwireless_disassociate_network_ttys(network,
24418 ttyj->channel_idx);
24419 diff -urNp linux-2.6.36.1/drivers/char/pty.c linux-2.6.36.1/drivers/char/pty.c
24420 --- linux-2.6.36.1/drivers/char/pty.c 2010-10-20 16:30:22.000000000 -0400
24421 +++ linux-2.6.36.1/drivers/char/pty.c 2010-11-06 18:58:15.000000000 -0400
24422 @@ -698,7 +698,18 @@ out:
24426 -static struct file_operations ptmx_fops;
24427 +static const struct file_operations ptmx_fops = {
24428 + .llseek = no_llseek,
24429 + .read = tty_read,
24430 + .write = tty_write,
24431 + .poll = tty_poll,
24432 + .unlocked_ioctl = tty_ioctl,
24433 + .compat_ioctl = tty_compat_ioctl,
24434 + .open = ptmx_open,
24435 + .release = tty_release,
24436 + .fasync = tty_fasync,
24440 static void __init unix98_pty_init(void)
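Review bot: ptmx_fops is now a hand-written copy of tty_fops (previously obtained at runtime through tty_default_fops, removed in the next hunk), so any operation later added to tty_fops in tty_io.c will be silently missing from /dev/ptmx. Mark the dependency and the reason for the const in one comment above the initializer: `/* Mirrors tty_fops in tty_io.c except for .open; keep in sync. const so the table lives in .rodata and is not a writable function-pointer target. */`. Note also that `.compat_ioctl = tty_compat_ioctl` is unconditional, which needs a !CONFIG_COMPAT fallback in the header now that the local `#define tty_compat_ioctl NULL` in tty_io.c is removed by this patch.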
24442 @@ -752,9 +763,6 @@ static void __init unix98_pty_init(void)
24443 register_sysctl_table(pty_root_table);
24445 /* Now create the /dev/ptmx special device */
24446 - tty_default_fops(&ptmx_fops);
24447 - ptmx_fops.open = ptmx_open;
24449 cdev_init(&ptmx_cdev, &ptmx_fops);
24450 if (cdev_add(&ptmx_cdev, MKDEV(TTYAUX_MAJOR, 2), 1) ||
24451 register_chrdev_region(MKDEV(TTYAUX_MAJOR, 2), 1, "/dev/ptmx") < 0)
24452 diff -urNp linux-2.6.36.1/drivers/char/random.c linux-2.6.36.1/drivers/char/random.c
24453 --- linux-2.6.36.1/drivers/char/random.c 2010-10-20 16:30:22.000000000 -0400
24454 +++ linux-2.6.36.1/drivers/char/random.c 2010-11-06 18:58:50.000000000 -0400
24455 @@ -254,8 +254,13 @@
24457 * Configuration information
24459 +#ifdef CONFIG_GRKERNSEC_RANDNET
24460 +#define INPUT_POOL_WORDS 512
24461 +#define OUTPUT_POOL_WORDS 128
24463 #define INPUT_POOL_WORDS 128
24464 #define OUTPUT_POOL_WORDS 32
24466 #define SEC_XFER_SIZE 512
24467 #define EXTRACT_SIZE 10
24469 @@ -293,10 +298,17 @@ static struct poolinfo {
24471 int tap1, tap2, tap3, tap4, tap5;
24472 } poolinfo_table[] = {
24473 +#ifdef CONFIG_GRKERNSEC_RANDNET
24474 + /* x^512 + x^411 + x^308 + x^208 +x^104 + x + 1 -- 225 */
24475 + { 512, 411, 308, 208, 104, 1 },
24476 + /* x^128 + x^103 + x^76 + x^51 + x^25 + x + 1 -- 105 */
24477 + { 128, 103, 76, 51, 25, 1 },
24479 /* x^128 + x^103 + x^76 + x^51 +x^25 + x + 1 -- 105 */
24480 { 128, 103, 76, 51, 25, 1 },
24481 /* x^32 + x^26 + x^20 + x^14 + x^7 + x + 1 -- 15 */
24482 { 32, 26, 20, 14, 7, 1 },
24485 /* x^2048 + x^1638 + x^1231 + x^819 + x^411 + x + 1 -- 115 */
24486 { 2048, 1638, 1231, 819, 411, 1 },
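Review bot: Under CONFIG_GRKERNSEC_RANDNET the first two table entries become 512 and 128 words, which only works because the pools pick their polynomial by table index (outside this hunk) and because INPUT_POOL_WORDS/OUTPUT_POOL_WORDS in the previous hunk were changed in lock-step; nothing enforces that coupling. Leave a comment at the top of the table, `/* [0] must match INPUT_POOL_WORDS and [1] OUTPUT_POOL_WORDS; both vary with CONFIG_GRKERNSEC_RANDNET */`, so the next pool resize touches both places. The 512-word polynomial also appears to duplicate the entry already present in the disabled part of the table further down; reusing that line rather than retyping the taps avoids two copies drifting apart.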
24487 @@ -902,7 +914,7 @@ static ssize_t extract_entropy_user(stru
24489 extract_buf(r, tmp);
24490 i = min_t(int, nbytes, EXTRACT_SIZE);
24491 - if (copy_to_user(buf, tmp, i)) {
24492 + if (i > sizeof(tmp) || copy_to_user(buf, tmp, i)) {
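Review bot: The added `i > sizeof(tmp)` test can only fire when `i` is negative, because `i = min_t(int, nbytes, EXTRACT_SIZE)` on the previous line already caps it at EXTRACT_SIZE, which (assuming tmp is the EXTRACT_SIZE-byte stack buffer extract_buf() fills) equals sizeof(tmp); a negative i arises only if the size_t nbytes is truncated to int, and the guard works because the negative int converts to a huge size_t. Stating the intent directly removes the need for the guard: `i = min_t(size_t, nbytes, EXTRACT_SIZE);`. If the check is kept as belt-and-braces, a one-line comment saying it covers the int-truncation case will stop it being deleted as dead code.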
24496 @@ -1205,7 +1217,7 @@ EXPORT_SYMBOL(generate_random_uuid);
24497 #include <linux/sysctl.h>
24499 static int min_read_thresh = 8, min_write_thresh;
24500 -static int max_read_thresh = INPUT_POOL_WORDS * 32;
24501 +static int max_read_thresh = OUTPUT_POOL_WORDS * 32;
24502 static int max_write_thresh = INPUT_POOL_WORDS * 32;
24503 static char sysctl_bootid[16];
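Review bot: The upper bound for read_wakeup_threshold drops from INPUT_POOL_WORDS*32 to OUTPUT_POOL_WORDS*32 — a quarter of the previous range in either configuration — without a comment, and since the threshold is presumably compared against one particular pool's entropy count elsewhere in the file, a reader cannot tell from here which pool the new bound is meant to match. Add `/* read threshold is bounded by the size of the pool random_read() waits on */` (naming the actual pool) above the declaration, so the bound and the comparison site stay consistent if the pools are resized again.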
24505 diff -urNp linux-2.6.36.1/drivers/char/sonypi.c linux-2.6.36.1/drivers/char/sonypi.c
24506 --- linux-2.6.36.1/drivers/char/sonypi.c 2010-10-20 16:30:22.000000000 -0400
24507 +++ linux-2.6.36.1/drivers/char/sonypi.c 2010-11-06 18:58:15.000000000 -0400
24508 @@ -491,7 +491,7 @@ static struct sonypi_device {
24509 spinlock_t fifo_lock;
24510 wait_queue_head_t fifo_proc_list;
24511 struct fasync_struct *fifo_async;
24513 + atomic_t open_count;
24515 struct input_dev *input_jog_dev;
24516 struct input_dev *input_key_dev;
24517 @@ -898,7 +898,7 @@ static int sonypi_misc_fasync(int fd, st
24518 static int sonypi_misc_release(struct inode *inode, struct file *file)
24520 mutex_lock(&sonypi_device.lock);
24521 - sonypi_device.open_count--;
24522 + atomic_dec(&sonypi_device.open_count);
24523 mutex_unlock(&sonypi_device.lock);
24526 @@ -907,9 +907,9 @@ static int sonypi_misc_open(struct inode
24528 mutex_lock(&sonypi_device.lock);
24529 /* Flush input queue on first open */
24530 - if (!sonypi_device.open_count)
24531 + if (!atomic_read(&sonypi_device.open_count))
24532 kfifo_reset(&sonypi_device.fifo);
24533 - sonypi_device.open_count++;
24534 + atomic_inc(&sonypi_device.open_count);
24535 mutex_unlock(&sonypi_device.lock);
24538 diff -urNp linux-2.6.36.1/drivers/char/tpm/tpm_bios.c linux-2.6.36.1/drivers/char/tpm/tpm_bios.c
24539 --- linux-2.6.36.1/drivers/char/tpm/tpm_bios.c 2010-10-20 16:30:22.000000000 -0400
24540 +++ linux-2.6.36.1/drivers/char/tpm/tpm_bios.c 2010-11-06 18:58:15.000000000 -0400
24541 @@ -173,7 +173,7 @@ static void *tpm_bios_measurements_start
24544 if ((event->event_type == 0 && event->event_size == 0) ||
24545 - ((addr + sizeof(struct tcpa_event) + event->event_size) >= limit))
24546 + (event->event_size >= limit - addr - sizeof(struct tcpa_event)))
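Review bot: Rewriting the bound as `event->event_size >= limit - addr - sizeof(struct tcpa_event)` avoids the pointer overflow of the old form, but the right-hand side is unsigned arithmetic and wraps to a huge value if `addr + sizeof(struct tcpa_event)` already exceeds limit, which would make the check pass for any event_size. It is only safe if the `(addr + sizeof(struct tcpa_event)) >= limit` guard that, as far as I recall, precedes this test in the original function (outside this hunk) is still there; tie the two together with `/* safe: addr + sizeof(*event) < limit was checked above, so the subtraction cannot wrap */`. The same applies to the _next() hunk below.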
24550 @@ -198,7 +198,7 @@ static void *tpm_bios_measurements_next(
24553 if ((event->event_type == 0 && event->event_size == 0) ||
24554 - ((v + sizeof(struct tcpa_event) + event->event_size) >= limit))
24555 + (event->event_size >= limit - v - sizeof(struct tcpa_event)))
24559 @@ -291,7 +291,8 @@ static int tpm_binary_bios_measurements_
24562 for (i = 0; i < sizeof(struct tcpa_event) + event->event_size; i++)
24563 - seq_putc(m, data[i]);
24564 + if (!seq_putc(m, data[i]))
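Review bot: seq_putc() in this kernel returns 0 when the byte was stored and -1 when the seq_file buffer is full, so `if (!seq_putc(m, data[i]))` is true on every successful write and false on overflow — the opposite of what a bail-out wants; whatever the body of this if does (the following line is not visible here) will run after the first byte and never on a full buffer. If the intent is to stop on overflow, the test must be `if (seq_putc(m, data[i]))`. Note also that seq_file already handles overflow itself (seq_read retries with a larger buffer when m->count reaches m->size), so the loop can simply return 0 after a failed putc; returning an error such as -EFAULT would turn that retry into a failed read.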
24569 @@ -410,6 +411,11 @@ static int read_log(struct tpm_bios_log
24570 log->bios_event_log_end = log->bios_event_log + len;
24572 virt = acpi_os_map_memory(start, len);
24574 + kfree(log->bios_event_log);
24575 + log->bios_event_log = NULL;
24579 memcpy(log->bios_event_log, virt, len);
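Review bot: The new failure path for acpi_os_map_memory() frees bios_event_log and NULLs it, but bios_event_log_end, set to `log->bios_event_log + len` two lines earlier, is left pointing past the freed allocation. Clear it alongside, `log->bios_event_log_end = NULL;`, so a consumer that bounds its walk by the end pointer cannot iterate over a dangling range. The early return itself is not visible in this excerpt.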
24581 diff -urNp linux-2.6.36.1/drivers/char/tty_io.c linux-2.6.36.1/drivers/char/tty_io.c
24582 --- linux-2.6.36.1/drivers/char/tty_io.c 2010-10-20 16:30:22.000000000 -0400
24583 +++ linux-2.6.36.1/drivers/char/tty_io.c 2010-11-06 18:58:15.000000000 -0400
24584 @@ -139,21 +139,11 @@ EXPORT_SYMBOL(tty_mutex);
24585 /* Spinlock to protect the tty->tty_files list */
24586 DEFINE_SPINLOCK(tty_files_lock);
24588 -static ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
24589 -static ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
24590 ssize_t redirected_tty_write(struct file *, const char __user *,
24592 -static unsigned int tty_poll(struct file *, poll_table *);
24593 static int tty_open(struct inode *, struct file *);
24594 long tty_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
24595 -#ifdef CONFIG_COMPAT
24596 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24597 - unsigned long arg);
24599 -#define tty_compat_ioctl NULL
24601 static int __tty_fasync(int fd, struct file *filp, int on);
24602 -static int tty_fasync(int fd, struct file *filp, int on);
24603 static void release_tty(struct tty_struct *tty, int idx);
24604 static void __proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
24605 static void proc_set_tty(struct task_struct *tsk, struct tty_struct *tty);
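Review bot: Besides the removed static prototypes, this hunk deletes the `#define tty_compat_ioctl NULL` that stood in for the function on !CONFIG_COMPAT builds; tty_fops in this file and the new ptmx_fops in pty.c both initialise `.compat_ioctl = tty_compat_ioctl`, so unless the declaration that replaced these prototypes (presumably in include/linux/tty.h, not in this chunk) carries an equivalent `#else` / `#define tty_compat_ioctl NULL`, a kernel built without CONFIG_COMPAT will fail to link. Please confirm the header provides that fallback.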
24606 @@ -925,7 +915,7 @@ EXPORT_SYMBOL(start_tty);
24607 * read calls may be outstanding in parallel.
24610 -static ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24611 +ssize_t tty_read(struct file *file, char __user *buf, size_t count,
24615 @@ -951,6 +941,8 @@ static ssize_t tty_read(struct file *fil
24619 +EXPORT_SYMBOL(tty_read);
24621 void tty_write_unlock(struct tty_struct *tty)
24623 mutex_unlock(&tty->atomic_write_lock);
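Review bot: `EXPORT_SYMBOL(tty_read)` — together with the matching exports for tty_write, tty_release, tty_poll, tty_fasync, tty_ioctl and tty_compat_ioctl further down — makes the core tty file operations available to every module, including out-of-tree non-GPL ones, whereas the only new consumer this patch introduces is pty.c's ptmx_fops, which as far as I know is always built into the kernel and needs no export at all. If the exports are kept for other users, EXPORT_SYMBOL_GPL would be consistent with get_current_tty() at the end of this file; otherwise drop them and leave the functions non-static but unexported.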
24624 @@ -1100,7 +1092,7 @@ void tty_write_message(struct tty_struct
24625 * write method will not be invoked in parallel for each device.
24628 -static ssize_t tty_write(struct file *file, const char __user *buf,
24629 +ssize_t tty_write(struct file *file, const char __user *buf,
24630 size_t count, loff_t *ppos)
24632 struct inode *inode = file->f_path.dentry->d_inode;
24633 @@ -1126,6 +1118,8 @@ static ssize_t tty_write(struct file *fi
24637 +EXPORT_SYMBOL(tty_write);
24639 ssize_t redirected_tty_write(struct file *file, const char __user *buf,
24640 size_t count, loff_t *ppos)
24642 @@ -1938,6 +1932,8 @@ got_driver:
24646 +EXPORT_SYMBOL(tty_release);
24649 * tty_poll - check tty status
24650 * @filp: file being polled
24651 @@ -1950,7 +1946,7 @@ got_driver:
24652 * may be re-entered freely by other callers.
24655 -static unsigned int tty_poll(struct file *filp, poll_table *wait)
24656 +unsigned int tty_poll(struct file *filp, poll_table *wait)
24658 struct tty_struct *tty = file_tty(filp);
24659 struct tty_ldisc *ld;
24660 @@ -2007,7 +2003,9 @@ out:
24664 -static int tty_fasync(int fd, struct file *filp, int on)
24665 +EXPORT_SYMBOL(tty_poll);
24667 +int tty_fasync(int fd, struct file *filp, int on)
24671 @@ -2016,6 +2014,8 @@ static int tty_fasync(int fd, struct fil
24675 +EXPORT_SYMBOL(tty_fasync);
24678 * tiocsti - fake input character
24679 * @tty: tty to fake input into
24680 @@ -2648,8 +2648,10 @@ long tty_ioctl(struct file *file, unsign
24684 +EXPORT_SYMBOL(tty_ioctl);
24686 #ifdef CONFIG_COMPAT
24687 -static long tty_compat_ioctl(struct file *file, unsigned int cmd,
24688 +long tty_compat_ioctl(struct file *file, unsigned int cmd,
24691 struct inode *inode = file->f_dentry->d_inode;
24692 @@ -2673,6 +2675,9 @@ static long tty_compat_ioctl(struct file
24697 +EXPORT_SYMBOL(tty_compat_ioctl);
24702 @@ -3116,11 +3121,6 @@ struct tty_struct *get_current_tty(void)
24704 EXPORT_SYMBOL_GPL(get_current_tty);
24706 -void tty_default_fops(struct file_operations *fops)
24708 - *fops = tty_fops;
24712 * Initialize the console device. This is called *early*, so
24713 * we can't necessarily depend on lots of kernel help here.
24714 diff -urNp linux-2.6.36.1/drivers/char/tty_ldisc.c linux-2.6.36.1/drivers/char/tty_ldisc.c
24715 --- linux-2.6.36.1/drivers/char/tty_ldisc.c 2010-10-20 16:30:22.000000000 -0400
24716 +++ linux-2.6.36.1/drivers/char/tty_ldisc.c 2010-11-06 18:58:15.000000000 -0400
24717 @@ -75,7 +75,7 @@ static void put_ldisc(struct tty_ldisc *
24718 if (atomic_dec_and_lock(&ld->users, &tty_ldisc_lock)) {
24719 struct tty_ldisc_ops *ldo = ld->ops;
24722 + atomic_dec(&ldo->refcount);
24723 module_put(ldo->owner);
24724 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24726 @@ -109,7 +109,7 @@ int tty_register_ldisc(int disc, struct
24727 spin_lock_irqsave(&tty_ldisc_lock, flags);
24728 tty_ldiscs[disc] = new_ldisc;
24729 new_ldisc->num = disc;
24730 - new_ldisc->refcount = 0;
24731 + atomic_set(&new_ldisc->refcount, 0);
24732 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24735 @@ -137,7 +137,7 @@ int tty_unregister_ldisc(int disc)
24738 spin_lock_irqsave(&tty_ldisc_lock, flags);
24739 - if (tty_ldiscs[disc]->refcount)
24740 + if (atomic_read(&tty_ldiscs[disc]->refcount))
24743 tty_ldiscs[disc] = NULL;
24744 @@ -158,7 +158,7 @@ static struct tty_ldisc_ops *get_ldops(i
24746 ret = ERR_PTR(-EAGAIN);
24747 if (try_module_get(ldops->owner)) {
24748 - ldops->refcount++;
24749 + atomic_inc(&ldops->refcount);
24753 @@ -171,7 +171,7 @@ static void put_ldops(struct tty_ldisc_o
24754 unsigned long flags;
24756 spin_lock_irqsave(&tty_ldisc_lock, flags);
24757 - ldops->refcount--;
24758 + atomic_dec(&ldops->refcount);
24759 module_put(ldops->owner);
24760 spin_unlock_irqrestore(&tty_ldisc_lock, flags);
24762 diff -urNp linux-2.6.36.1/drivers/char/vt_ioctl.c linux-2.6.36.1/drivers/char/vt_ioctl.c
24763 --- linux-2.6.36.1/drivers/char/vt_ioctl.c 2010-10-20 16:30:22.000000000 -0400
24764 +++ linux-2.6.36.1/drivers/char/vt_ioctl.c 2010-11-06 18:58:50.000000000 -0400
24765 @@ -210,9 +210,6 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24766 if (copy_from_user(&tmp, user_kbe, sizeof(struct kbentry)))
24769 - if (!capable(CAP_SYS_TTY_CONFIG))
24774 key_map = key_maps[s];
24775 @@ -224,8 +221,12 @@ do_kdsk_ioctl(int cmd, struct kbentry __
24776 val = (i ? K_HOLE : K_NOSUCHMAP);
24777 return put_user(val, &user_kbe->kb_value);
24779 + if (!capable(CAP_SYS_TTY_CONFIG))
24785 if (!i && v == K_NOSUCHMAP) {
24786 /* deallocate map */
24787 key_map = key_maps[s];
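Review bot: Moving the CAP_SYS_TTY_CONFIG check from before the switch into the KDSKBENT path comes without an explanation; the visible effect is that the read-only KDGKBENT branch, which returns via put_user() just above, no longer calls capable() at all, so whatever side effects capable() has here (audit or log records of denied capability checks) stop happening for a plain keymap read. That is reasonable, but write it down at the new check — `/* only the set path needs CAP_SYS_TTY_CONFIG; avoid a spurious capability denial (and its logging) on KDGKBENT */` — and keep the `perm = 0` it guards (not visible here) adjacent to it. The same move is made in do_kdgkb_ioctl below and deserves the same note.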
24788 @@ -325,9 +326,6 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24792 - if (!capable(CAP_SYS_TTY_CONFIG))
24795 kbs = kmalloc(sizeof(*kbs), GFP_KERNEL);
24798 @@ -361,6 +359,9 @@ do_kdgkb_ioctl(int cmd, struct kbsentry
24800 return ((p && *p) ? -EOVERFLOW : 0);
24802 + if (!capable(CAP_SYS_TTY_CONFIG))
24808 diff -urNp linux-2.6.36.1/drivers/cpuidle/sysfs.c linux-2.6.36.1/drivers/cpuidle/sysfs.c
24809 --- linux-2.6.36.1/drivers/cpuidle/sysfs.c 2010-10-20 16:30:22.000000000 -0400
24810 +++ linux-2.6.36.1/drivers/cpuidle/sysfs.c 2010-11-06 18:58:15.000000000 -0400
24811 @@ -300,7 +300,7 @@ static struct kobj_type ktype_state_cpui
24812 .release = cpuidle_state_sysfs_release,
24815 -static void inline cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24816 +static inline void cpuidle_free_state_kobj(struct cpuidle_device *device, int i)
24818 kobject_put(&device->kobjs[i]->kobj);
24819 wait_for_completion(&device->kobjs[i]->kobj_unregister);
24820 diff -urNp linux-2.6.36.1/drivers/edac/edac_core.h linux-2.6.36.1/drivers/edac/edac_core.h
24821 --- linux-2.6.36.1/drivers/edac/edac_core.h 2010-10-20 16:30:22.000000000 -0400
24822 +++ linux-2.6.36.1/drivers/edac/edac_core.h 2010-11-06 18:58:15.000000000 -0400
24823 @@ -85,11 +85,11 @@ extern const char *edac_mem_types[];
24825 #else /* !CONFIG_EDAC_DEBUG */
24827 -#define debugf0( ... )
24828 -#define debugf1( ... )
24829 -#define debugf2( ... )
24830 -#define debugf3( ... )
24831 -#define debugf4( ... )
24832 +#define debugf0( ... ) do {} while (0)
24833 +#define debugf1( ... ) do {} while (0)
24834 +#define debugf2( ... ) do {} while (0)
24835 +#define debugf3( ... ) do {} while (0)
24836 +#define debugf4( ... ) do {} while (0)
24838 #endif /* !CONFIG_EDAC_DEBUG */
24840 diff -urNp linux-2.6.36.1/drivers/edac/edac_mc_sysfs.c linux-2.6.36.1/drivers/edac/edac_mc_sysfs.c
24841 --- linux-2.6.36.1/drivers/edac/edac_mc_sysfs.c 2010-10-20 16:30:22.000000000 -0400
24842 +++ linux-2.6.36.1/drivers/edac/edac_mc_sysfs.c 2010-11-06 18:58:15.000000000 -0400
24843 @@ -764,7 +764,7 @@ static void edac_inst_grp_release(struct
24846 /* Intermediate show/store table */
24847 -static struct sysfs_ops inst_grp_ops = {
24848 +static const struct sysfs_ops inst_grp_ops = {
24849 .show = inst_grp_show,
24850 .store = inst_grp_store
24852 diff -urNp linux-2.6.36.1/drivers/firewire/core-cdev.c linux-2.6.36.1/drivers/firewire/core-cdev.c
24853 --- linux-2.6.36.1/drivers/firewire/core-cdev.c 2010-10-20 16:30:22.000000000 -0400
24854 +++ linux-2.6.36.1/drivers/firewire/core-cdev.c 2010-11-06 18:58:15.000000000 -0400
24855 @@ -1329,8 +1329,7 @@ static int init_iso_resource(struct clie
24858 if ((request->channels == 0 && request->bandwidth == 0) ||
24859 - request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL ||
24860 - request->bandwidth < 0)
24861 + request->bandwidth > BANDWIDTH_AVAILABLE_INITIAL)
24864 r = kmalloc(sizeof(*r), GFP_KERNEL);
24865 diff -urNp linux-2.6.36.1/drivers/firmware/dmi_scan.c linux-2.6.36.1/drivers/firmware/dmi_scan.c
24866 --- linux-2.6.36.1/drivers/firmware/dmi_scan.c 2010-10-20 16:30:22.000000000 -0400
24867 +++ linux-2.6.36.1/drivers/firmware/dmi_scan.c 2010-11-06 18:58:15.000000000 -0400
24868 @@ -412,11 +412,6 @@ void __init dmi_scan_machine(void)
24873 - * no iounmap() for that ioremap(); it would be a no-op, but
24874 - * it's so early in setup that sucker gets confused into doing
24875 - * what it shouldn't if we actually call it.
24877 p = dmi_ioremap(0xF0000, 0x10000);
24880 diff -urNp linux-2.6.36.1/drivers/gpu/drm/drm_crtc_helper.c linux-2.6.36.1/drivers/gpu/drm/drm_crtc_helper.c
24881 --- linux-2.6.36.1/drivers/gpu/drm/drm_crtc_helper.c 2010-10-20 16:30:22.000000000 -0400
24882 +++ linux-2.6.36.1/drivers/gpu/drm/drm_crtc_helper.c 2010-11-06 18:58:15.000000000 -0400
24883 @@ -276,7 +276,7 @@ static bool drm_encoder_crtc_ok(struct d
24884 struct drm_crtc *tmp;
24887 - WARN(!crtc, "checking null crtc?");
24892 diff -urNp linux-2.6.36.1/drivers/gpu/drm/drm_drv.c linux-2.6.36.1/drivers/gpu/drm/drm_drv.c
24893 --- linux-2.6.36.1/drivers/gpu/drm/drm_drv.c 2010-10-20 16:30:22.000000000 -0400
24894 +++ linux-2.6.36.1/drivers/gpu/drm/drm_drv.c 2010-11-06 18:58:15.000000000 -0400
24895 @@ -428,7 +428,7 @@ long drm_ioctl(struct file *filp,
24897 dev = file_priv->minor->dev;
24898 atomic_inc(&dev->ioctl_count);
24899 - atomic_inc(&dev->counts[_DRM_STAT_IOCTLS]);
24900 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_IOCTLS]);
24901 ++file_priv->ioctl_count;
24903 DRM_DEBUG("pid=%d, cmd=0x%02x, nr=0x%02x, dev 0x%lx, auth=%d\n",
24904 diff -urNp linux-2.6.36.1/drivers/gpu/drm/drm_fops.c linux-2.6.36.1/drivers/gpu/drm/drm_fops.c
24905 --- linux-2.6.36.1/drivers/gpu/drm/drm_fops.c 2010-10-20 16:30:22.000000000 -0400
24906 +++ linux-2.6.36.1/drivers/gpu/drm/drm_fops.c 2010-11-06 18:58:15.000000000 -0400
24907 @@ -71,7 +71,7 @@ static int drm_setup(struct drm_device *
24910 for (i = 0; i < ARRAY_SIZE(dev->counts); i++)
24911 - atomic_set(&dev->counts[i], 0);
24912 + atomic_set_unchecked(&dev->counts[i], 0);
24914 dev->sigdata.lock = NULL;
24916 @@ -135,8 +135,8 @@ int drm_open(struct inode *inode, struct
24918 retcode = drm_open_helper(inode, filp, dev);
24920 - atomic_inc(&dev->counts[_DRM_STAT_OPENS]);
24921 - if (!dev->open_count++)
24922 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_OPENS]);
24923 + if (atomic_inc_return(&dev->open_count) == 1)
24924 retcode = drm_setup(dev);
24927 @@ -471,7 +471,7 @@ int drm_release(struct inode *inode, str
24929 mutex_lock(&drm_global_mutex);
24931 - DRM_DEBUG("open_count = %d\n", dev->open_count);
24932 + DRM_DEBUG("open_count = %d\n", atomic_read(&dev->open_count));
24934 if (dev->driver->preclose)
24935 dev->driver->preclose(dev, file_priv);
24936 @@ -483,7 +483,7 @@ int drm_release(struct inode *inode, str
24937 DRM_DEBUG("pid = %d, device = 0x%lx, open_count = %d\n",
24938 task_pid_nr(current),
24939 (long)old_encode_dev(file_priv->minor->device),
24940 - dev->open_count);
24941 + atomic_read(&dev->open_count));
24943 /* if the master has gone away we can't do anything with the lock */
24944 if (file_priv->minor->master)
24945 @@ -564,8 +564,8 @@ int drm_release(struct inode *inode, str
24946 * End inline drm_release
24949 - atomic_inc(&dev->counts[_DRM_STAT_CLOSES]);
24950 - if (!--dev->open_count) {
24951 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_CLOSES]);
24952 + if (atomic_dec_and_test(&dev->open_count)) {
24953 if (atomic_read(&dev->ioctl_count)) {
24954 DRM_ERROR("Device busy: %d\n",
24955 atomic_read(&dev->ioctl_count));
24956 diff -urNp linux-2.6.36.1/drivers/gpu/drm/drm_global.c linux-2.6.36.1/drivers/gpu/drm/drm_global.c
24957 --- linux-2.6.36.1/drivers/gpu/drm/drm_global.c 2010-10-20 16:30:22.000000000 -0400
24958 +++ linux-2.6.36.1/drivers/gpu/drm/drm_global.c 2010-11-06 18:58:15.000000000 -0400
24960 struct drm_global_item {
24961 struct mutex mutex;
24964 + atomic_t refcount;
24967 static struct drm_global_item glob[DRM_GLOBAL_NUM];
24968 @@ -49,7 +49,7 @@ void drm_global_init(void)
24969 struct drm_global_item *item = &glob[i];
24970 mutex_init(&item->mutex);
24971 item->object = NULL;
24972 - item->refcount = 0;
24973 + atomic_set(&item->refcount, 0);
24977 @@ -59,7 +59,7 @@ void drm_global_release(void)
24978 for (i = 0; i < DRM_GLOBAL_NUM; ++i) {
24979 struct drm_global_item *item = &glob[i];
24980 BUG_ON(item->object != NULL);
24981 - BUG_ON(item->refcount != 0);
24982 + BUG_ON(atomic_read(&item->refcount) != 0);
24986 @@ -70,7 +70,7 @@ int drm_global_item_ref(struct drm_globa
24989 mutex_lock(&item->mutex);
24990 - if (item->refcount == 0) {
24991 + if (atomic_read(&item->refcount) == 0) {
24992 item->object = kzalloc(ref->size, GFP_KERNEL);
24993 if (unlikely(item->object == NULL)) {
24995 @@ -83,7 +83,7 @@ int drm_global_item_ref(struct drm_globa
24999 - ++item->refcount;
25000 + atomic_inc(&item->refcount);
25001 ref->object = item->object;
25002 object = item->object;
25003 mutex_unlock(&item->mutex);
25004 @@ -100,9 +100,9 @@ void drm_global_item_unref(struct drm_gl
25005 struct drm_global_item *item = &glob[ref->global_type];
25007 mutex_lock(&item->mutex);
25008 - BUG_ON(item->refcount == 0);
25009 + BUG_ON(atomic_read(&item->refcount) == 0);
25010 BUG_ON(ref->object != item->object);
25011 - if (--item->refcount == 0) {
25012 + if (atomic_dec_and_test(&item->refcount)) {
25014 item->object = NULL;
25016 diff -urNp linux-2.6.36.1/drivers/gpu/drm/drm_info.c linux-2.6.36.1/drivers/gpu/drm/drm_info.c
25017 --- linux-2.6.36.1/drivers/gpu/drm/drm_info.c 2010-10-20 16:30:22.000000000 -0400
25018 +++ linux-2.6.36.1/drivers/gpu/drm/drm_info.c 2010-11-06 18:58:15.000000000 -0400
25019 @@ -86,10 +86,14 @@ int drm_vm_info(struct seq_file *m, void
25020 struct drm_local_map *map;
25021 struct drm_map_list *r_list;
25023 - /* Hardcoded from _DRM_FRAME_BUFFER,
25024 - _DRM_REGISTERS, _DRM_SHM, _DRM_AGP, and
25025 - _DRM_SCATTER_GATHER and _DRM_CONSISTENT */
25026 - const char *types[] = { "FB", "REG", "SHM", "AGP", "SG", "PCI" };
25027 + static const char * const types[] = {
25028 + [_DRM_FRAME_BUFFER] = "FB",
25029 + [_DRM_REGISTERS] = "REG",
25030 + [_DRM_SHM] = "SHM",
25031 + [_DRM_AGP] = "AGP",
25032 + [_DRM_SCATTER_GATHER] = "SG",
25033 + [_DRM_CONSISTENT] = "PCI",
25034 + [_DRM_GEM] = "GEM" };
25038 @@ -100,7 +104,7 @@ int drm_vm_info(struct seq_file *m, void
25042 - if (map->type < 0 || map->type > 5)
25043 + if (map->type >= ARRAY_SIZE(types))
25046 type = types[map->type];
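Review bot: The new `map->type >= ARRAY_SIZE(types)` test only rejects out-of-range values; with the designated-initializer table in the previous hunk, any enum value that is in range but has no initializer yields a NULL entry, and `type = types[map->type]` on the next line would presumably pass that NULL to the seq_printf that follows. Every value up to _DRM_GEM is listed today, so this is latent until the next enum addition, but it is cheap to close now: `if (map->type >= ARRAY_SIZE(types) || !types[map->type])` so it falls through to the existing "??" placeholder. The `type = "??"` line itself is not visible in this excerpt.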
25047 diff -urNp linux-2.6.36.1/drivers/gpu/drm/drm_ioctl.c linux-2.6.36.1/drivers/gpu/drm/drm_ioctl.c
25048 --- linux-2.6.36.1/drivers/gpu/drm/drm_ioctl.c 2010-10-20 16:30:22.000000000 -0400
25049 +++ linux-2.6.36.1/drivers/gpu/drm/drm_ioctl.c 2010-11-06 18:58:15.000000000 -0400
25050 @@ -353,7 +353,7 @@ int drm_getstats(struct drm_device *dev,
25051 stats->data[i].value =
25052 (file_priv->master->lock.hw_lock ? file_priv->master->lock.hw_lock->lock : 0);
25054 - stats->data[i].value = atomic_read(&dev->counts[i]);
25055 + stats->data[i].value = atomic_read_unchecked(&dev->counts[i]);
25056 stats->data[i].type = dev->types[i];
25059 diff -urNp linux-2.6.36.1/drivers/gpu/drm/drm_lock.c linux-2.6.36.1/drivers/gpu/drm/drm_lock.c
25060 --- linux-2.6.36.1/drivers/gpu/drm/drm_lock.c 2010-10-20 16:30:22.000000000 -0400
25061 +++ linux-2.6.36.1/drivers/gpu/drm/drm_lock.c 2010-11-06 18:58:15.000000000 -0400
25062 @@ -87,7 +87,7 @@ int drm_lock(struct drm_device *dev, voi
25063 if (drm_lock_take(&master->lock, lock->context)) {
25064 master->lock.file_priv = file_priv;
25065 master->lock.lock_time = jiffies;
25066 - atomic_inc(&dev->counts[_DRM_STAT_LOCKS]);
25067 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_LOCKS]);
25068 break; /* Got lock */
25071 @@ -167,7 +167,7 @@ int drm_unlock(struct drm_device *dev, v
25075 - atomic_inc(&dev->counts[_DRM_STAT_UNLOCKS]);
25076 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_UNLOCKS]);
25078 /* kernel_context_switch isn't used by any of the x86 drm
25079 * modules but is required by the Sparc driver.
25080 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i810/i810_dma.c linux-2.6.36.1/drivers/gpu/drm/i810/i810_dma.c
25081 --- linux-2.6.36.1/drivers/gpu/drm/i810/i810_dma.c 2010-10-20 16:30:22.000000000 -0400
25082 +++ linux-2.6.36.1/drivers/gpu/drm/i810/i810_dma.c 2010-11-06 18:58:15.000000000 -0400
25083 @@ -952,8 +952,8 @@ static int i810_dma_vertex(struct drm_de
25084 dma->buflist[vertex->idx],
25085 vertex->discard, vertex->used);
25087 - atomic_add(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25088 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25089 + atomic_add_unchecked(vertex->used, &dev->counts[_DRM_STAT_SECONDARY]);
25090 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25091 sarea_priv->last_enqueue = dev_priv->counter - 1;
25092 sarea_priv->last_dispatch = (int)hw_status[5];
25094 @@ -1113,8 +1113,8 @@ static int i810_dma_mc(struct drm_device
25095 i810_dma_dispatch_mc(dev, dma->buflist[mc->idx], mc->used,
25098 - atomic_add(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25099 - atomic_inc(&dev->counts[_DRM_STAT_DMA]);
25100 + atomic_add_unchecked(mc->used, &dev->counts[_DRM_STAT_SECONDARY]);
25101 + atomic_inc_unchecked(&dev->counts[_DRM_STAT_DMA]);
25102 sarea_priv->last_enqueue = dev_priv->counter - 1;
25103 sarea_priv->last_dispatch = (int)hw_status[5];
25105 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7017.c linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7017.c
25106 --- linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7017.c 2010-10-20 16:30:22.000000000 -0400
25107 +++ linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7017.c 2010-11-06 18:58:15.000000000 -0400
25108 @@ -402,7 +402,7 @@ static void ch7017_destroy(struct intel_
25112 -struct intel_dvo_dev_ops ch7017_ops = {
25113 +const struct intel_dvo_dev_ops ch7017_ops = {
25114 .init = ch7017_init,
25115 .detect = ch7017_detect,
25116 .mode_valid = ch7017_mode_valid,
25117 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7xxx.c linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7xxx.c
25118 --- linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-10-20 16:30:22.000000000 -0400
25119 +++ linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ch7xxx.c 2010-11-06 18:58:15.000000000 -0400
25120 @@ -322,7 +322,7 @@ static void ch7xxx_destroy(struct intel_
25124 -struct intel_dvo_dev_ops ch7xxx_ops = {
25125 +const struct intel_dvo_dev_ops ch7xxx_ops = {
25126 .init = ch7xxx_init,
25127 .detect = ch7xxx_detect,
25128 .mode_valid = ch7xxx_mode_valid,
25129 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/dvo.h linux-2.6.36.1/drivers/gpu/drm/i915/dvo.h
25130 --- linux-2.6.36.1/drivers/gpu/drm/i915/dvo.h 2010-10-20 16:30:22.000000000 -0400
25131 +++ linux-2.6.36.1/drivers/gpu/drm/i915/dvo.h 2010-11-06 18:58:15.000000000 -0400
25132 @@ -122,23 +122,23 @@ struct intel_dvo_dev_ops {
25134 * \return singly-linked list of modes or NULL if no modes found.
25136 - struct drm_display_mode *(*get_modes)(struct intel_dvo_device *dvo);
25137 + struct drm_display_mode *(* const get_modes)(struct intel_dvo_device *dvo);
25140 * Clean up driver-specific bits of the output
25142 - void (*destroy) (struct intel_dvo_device *dvo);
25143 + void (* const destroy) (struct intel_dvo_device *dvo);
25146 * Debugging hook to dump device registers to log file
25148 - void (*dump_regs)(struct intel_dvo_device *dvo);
25149 + void (* const dump_regs)(struct intel_dvo_device *dvo);
25152 -extern struct intel_dvo_dev_ops sil164_ops;
25153 -extern struct intel_dvo_dev_ops ch7xxx_ops;
25154 -extern struct intel_dvo_dev_ops ivch_ops;
25155 -extern struct intel_dvo_dev_ops tfp410_ops;
25156 -extern struct intel_dvo_dev_ops ch7017_ops;
25157 +extern const struct intel_dvo_dev_ops sil164_ops;
25158 +extern const struct intel_dvo_dev_ops ch7xxx_ops;
25159 +extern const struct intel_dvo_dev_ops ivch_ops;
25160 +extern const struct intel_dvo_dev_ops tfp410_ops;
25161 +extern const struct intel_dvo_dev_ops ch7017_ops;
25163 #endif /* _INTEL_DVO_H */
25164 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ivch.c linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ivch.c
25165 --- linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ivch.c 2010-10-20 16:30:22.000000000 -0400
25166 +++ linux-2.6.36.1/drivers/gpu/drm/i915/dvo_ivch.c 2010-11-06 18:58:15.000000000 -0400
25167 @@ -412,7 +412,7 @@ static void ivch_destroy(struct intel_dv
25171 -struct intel_dvo_dev_ops ivch_ops= {
25172 +const struct intel_dvo_dev_ops ivch_ops= {
25175 .mode_valid = ivch_mode_valid,
25176 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/dvo_sil164.c linux-2.6.36.1/drivers/gpu/drm/i915/dvo_sil164.c
25177 --- linux-2.6.36.1/drivers/gpu/drm/i915/dvo_sil164.c 2010-10-20 16:30:22.000000000 -0400
25178 +++ linux-2.6.36.1/drivers/gpu/drm/i915/dvo_sil164.c 2010-11-06 18:58:15.000000000 -0400
25179 @@ -254,7 +254,7 @@ static void sil164_destroy(struct intel_
25183 -struct intel_dvo_dev_ops sil164_ops = {
25184 +const struct intel_dvo_dev_ops sil164_ops = {
25185 .init = sil164_init,
25186 .detect = sil164_detect,
25187 .mode_valid = sil164_mode_valid,
25188 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/dvo_tfp410.c linux-2.6.36.1/drivers/gpu/drm/i915/dvo_tfp410.c
25189 --- linux-2.6.36.1/drivers/gpu/drm/i915/dvo_tfp410.c 2010-10-20 16:30:22.000000000 -0400
25190 +++ linux-2.6.36.1/drivers/gpu/drm/i915/dvo_tfp410.c 2010-11-06 18:58:15.000000000 -0400
25191 @@ -295,7 +295,7 @@ static void tfp410_destroy(struct intel_
25195 -struct intel_dvo_dev_ops tfp410_ops = {
25196 +const struct intel_dvo_dev_ops tfp410_ops = {
25197 .init = tfp410_init,
25198 .detect = tfp410_detect,
25199 .mode_valid = tfp410_mode_valid,
25200 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/i915_dma.c linux-2.6.36.1/drivers/gpu/drm/i915/i915_dma.c
25201 --- linux-2.6.36.1/drivers/gpu/drm/i915/i915_dma.c 2010-10-20 16:30:22.000000000 -0400
25202 +++ linux-2.6.36.1/drivers/gpu/drm/i915/i915_dma.c 2010-11-06 18:58:15.000000000 -0400
25203 @@ -1357,7 +1357,7 @@ static bool i915_switcheroo_can_switch(s
25206 spin_lock(&dev->count_lock);
25207 - can_switch = (dev->open_count == 0);
25208 + can_switch = (atomic_read(&dev->open_count) == 0);
25209 spin_unlock(&dev->count_lock);
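Review bot: With `dev->open_count` now read through `atomic_read()`, the surrounding `spin_lock(&dev->count_lock)`/`spin_unlock()` no longer protects the load itself; it only matters if it is meant to order this test against an open or close path that still updates open_count under count_lock. If that ordering is intended, a comment such as `/* count_lock orders this test against open/close; the load itself is atomic */` would stop the next cleanup from removing the lock; if it is not, the three lines can collapse to `can_switch = (atomic_read(&dev->open_count) == 0);`. The identical pattern appears in the nouveau_state.c and radeon_device.c hunks below. The enclosing *_switcheroo_can_switch functions begin and end outside these hunks.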
25212 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/i915_drv.c linux-2.6.36.1/drivers/gpu/drm/i915/i915_drv.c
25213 --- linux-2.6.36.1/drivers/gpu/drm/i915/i915_drv.c 2010-10-20 16:30:22.000000000 -0400
25214 +++ linux-2.6.36.1/drivers/gpu/drm/i915/i915_drv.c 2010-11-06 18:58:15.000000000 -0400
25215 @@ -492,7 +492,7 @@ static const struct dev_pm_ops i915_pm_o
25216 .restore = i915_pm_resume,
25219 -static struct vm_operations_struct i915_gem_vm_ops = {
25220 +static const struct vm_operations_struct i915_gem_vm_ops = {
25221 .fault = i915_gem_fault,
25222 .open = drm_gem_vm_open,
25223 .close = drm_gem_vm_close,
25224 diff -urNp linux-2.6.36.1/drivers/gpu/drm/i915/i915_gem.c linux-2.6.36.1/drivers/gpu/drm/i915/i915_gem.c
25225 --- linux-2.6.36.1/drivers/gpu/drm/i915/i915_gem.c 2010-10-20 16:30:22.000000000 -0400
25226 +++ linux-2.6.36.1/drivers/gpu/drm/i915/i915_gem.c 2010-11-06 18:58:50.000000000 -0400
25227 @@ -476,12 +476,17 @@ i915_gem_pread_ioctl(struct drm_device *
25230 if (!access_ok(VERIFY_WRITE,
25231 - (char __user *)(uintptr_t)args->data_ptr,
25232 + (char __user *) (uintptr_t)args->data_ptr,
25238 + if (!access_ok(VERIFY_WRITE, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
25239 + drm_gem_object_unreference_unlocked(obj);
25243 if (i915_gem_object_needs_bit17_swizzle(obj)) {
25244 ret = i915_gem_shmem_pread_slow(dev, obj, args, file_priv);
25246 @@ -940,12 +945,17 @@ i915_gem_pwrite_ioctl(struct drm_device
25249 if (!access_ok(VERIFY_READ,
25250 - (char __user *)(uintptr_t)args->data_ptr,
25251 + (char __user *) (uintptr_t)args->data_ptr,
25257 + if (!access_ok(VERIFY_READ, (char __user *) (uintptr_t)args->data_ptr, args->size)) {
25258 + drm_gem_object_unreference_unlocked(obj);
25262 /* We can only do the GTT pwrite on untiled buffers, as otherwise
25263 * it would end up going through the fenced access, and we'll get
25264 * different detiling behavior between reading and writing.
25265 diff -urNp linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_backlight.c linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_backlight.c
25266 --- linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-10-20 16:30:22.000000000 -0400
25267 +++ linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_backlight.c 2010-11-06 18:58:15.000000000 -0400
25268 @@ -58,7 +58,7 @@ static int nv40_set_intensity(struct bac
25272 -static struct backlight_ops nv40_bl_ops = {
25273 +static const struct backlight_ops nv40_bl_ops = {
25274 .options = BL_CORE_SUSPENDRESUME,
25275 .get_brightness = nv40_get_intensity,
25276 .update_status = nv40_set_intensity,
25277 @@ -81,7 +81,7 @@ static int nv50_set_intensity(struct bac
25281 -static struct backlight_ops nv50_bl_ops = {
25282 +static const struct backlight_ops nv50_bl_ops = {
25283 .options = BL_CORE_SUSPENDRESUME,
25284 .get_brightness = nv50_get_intensity,
25285 .update_status = nv50_set_intensity,
25286 diff -urNp linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_state.c linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_state.c
25287 --- linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_state.c 2010-10-20 16:30:22.000000000 -0400
25288 +++ linux-2.6.36.1/drivers/gpu/drm/nouveau/nouveau_state.c 2010-11-06 18:58:15.000000000 -0400
25289 @@ -501,7 +501,7 @@ static bool nouveau_switcheroo_can_switc
25292 spin_lock(&dev->count_lock);
25293 - can_switch = (dev->open_count == 0);
25294 + can_switch = (atomic_read(&dev->open_count) == 0);
25295 spin_unlock(&dev->count_lock);
25298 diff -urNp linux-2.6.36.1/drivers/gpu/drm/radeon/mkregtable.c linux-2.6.36.1/drivers/gpu/drm/radeon/mkregtable.c
25299 --- linux-2.6.36.1/drivers/gpu/drm/radeon/mkregtable.c 2010-10-20 16:30:22.000000000 -0400
25300 +++ linux-2.6.36.1/drivers/gpu/drm/radeon/mkregtable.c 2010-11-06 18:58:15.000000000 -0400
25301 @@ -637,14 +637,14 @@ static int parser_auth(struct table *t,
25303 regmatch_t match[4];
25311 struct offset *offset;
25312 char last_reg_s[10];
25314 + unsigned long last_reg;
25317 (&mask_rex, "(0x[0-9a-fA-F]*) *([_a-zA-Z0-9]*)", REG_EXTENDED)) {
25318 diff -urNp linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_device.c linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_device.c
25319 --- linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_device.c 2010-10-20 16:30:22.000000000 -0400
25320 +++ linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_device.c 2010-11-06 18:58:15.000000000 -0400
25321 @@ -578,7 +578,7 @@ static bool radeon_switcheroo_can_switch
25324 spin_lock(&dev->count_lock);
25325 - can_switch = (dev->open_count == 0);
25326 + can_switch = (atomic_read(&dev->open_count) == 0);
25327 spin_unlock(&dev->count_lock);
25330 diff -urNp linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_state.c linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_state.c
25331 --- linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_state.c 2010-10-20 16:30:22.000000000 -0400
25332 +++ linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_state.c 2010-11-06 18:58:15.000000000 -0400
25333 @@ -2168,7 +2168,7 @@ static int radeon_cp_clear(struct drm_de
25334 if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS)
25335 sarea_priv->nbox = RADEON_NR_SAREA_CLIPRECTS;
25337 - if (DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25338 + if (sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes,
25339 sarea_priv->nbox * sizeof(depth_boxes[0])))
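Review bot: The added re-check `sarea_priv->nbox > RADEON_NR_SAREA_CLIPRECTS` and the size argument `sarea_priv->nbox * sizeof(depth_boxes[0])` on the next line are two separate loads of the same field, so if `sarea_priv` is the SAREA mapping shared with userspace — which is what makes a re-check after the clamp two lines above necessary at all — the value can still change between the comparison and the copy, and the fixed-size `depth_boxes` array can be overrun exactly as before. Snapshot the field once and use the local for both: `unsigned int nbox = sarea_priv->nbox;` followed by `if (nbox > RADEON_NR_SAREA_CLIPRECTS || DRM_COPY_FROM_USER(&depth_boxes, clear->depth_boxes, nbox * sizeof(depth_boxes[0])))`. The clamp that writes back to `sarea_priv->nbox` can stay for the dispatch code that follows, but that code, and the start and end of radeon_cp_clear, are outside the hunk.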
25342 @@ -3031,7 +3031,7 @@ static int radeon_cp_getparam(struct drm
25344 drm_radeon_private_t *dev_priv = dev->dev_private;
25345 drm_radeon_getparam_t *param = data;
25349 DRM_DEBUG("pid=%d\n", DRM_CURRENTPID);
25351 diff -urNp linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_ttm.c linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_ttm.c
25352 --- linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_ttm.c 2010-10-20 16:30:22.000000000 -0400
25353 +++ linux-2.6.36.1/drivers/gpu/drm/radeon/radeon_ttm.c 2010-11-06 18:58:15.000000000 -0400
25354 @@ -601,8 +601,9 @@ void radeon_ttm_fini(struct radeon_devic
25355 DRM_INFO("radeon: ttm finalized\n");
25358 -static struct vm_operations_struct radeon_ttm_vm_ops;
25359 -static const struct vm_operations_struct *ttm_vm_ops = NULL;
25360 +extern int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf);
25361 +extern void ttm_bo_vm_open(struct vm_area_struct *vma);
25362 +extern void ttm_bo_vm_close(struct vm_area_struct *vma);
25364 static int radeon_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
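Review bot: The three `extern` prototypes for ttm_bo_vm_fault/ttm_bo_vm_open/ttm_bo_vm_close are placed in radeon_ttm.c rather than in a header, so the compiler never checks them against the definitions in ttm_bo_vm.c (which drops `static` and adds `EXPORT_SYMBOL()` for them later in this patch), and a future signature change in ttm would surface only at runtime. Move them next to the existing `ttm_bo_mmap` declaration that radeon_mmap already relies on, and give each a kernel-doc comment there describing the vm_private_data contract as the ttm_bo_vm.c hunks show it: open takes a reference on the bo, close clears the pointer, and fault appears to return VM_FAULT_NOPAGE when the bo is NULL. The `ttm_vm_ops` indirection these replace is removed in the radeon_mmap hunk below, which is only partly visible here.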
25366 @@ -610,17 +611,22 @@ static int radeon_ttm_fault(struct vm_ar
25367 struct radeon_device *rdev;
25370 - bo = (struct ttm_buffer_object *)vma->vm_private_data;
25371 - if (bo == NULL) {
25372 + bo = (struct ttm_buffer_object *)vma->vm_private_data;
25374 return VM_FAULT_NOPAGE;
25376 rdev = radeon_get_rdev(bo->bdev);
25377 mutex_lock(&rdev->vram_mutex);
25378 - r = ttm_vm_ops->fault(vma, vmf);
25379 + r = ttm_bo_vm_fault(vma, vmf);
25380 mutex_unlock(&rdev->vram_mutex);
25384 +static const struct vm_operations_struct radeon_ttm_vm_ops = {
25385 + .fault = radeon_ttm_fault,
25386 + .open = ttm_bo_vm_open,
25387 + .close = ttm_bo_vm_close
25390 int radeon_mmap(struct file *filp, struct vm_area_struct *vma)
25392 struct drm_file *file_priv;
25393 @@ -633,18 +639,11 @@ int radeon_mmap(struct file *filp, struc
25395 file_priv = (struct drm_file *)filp->private_data;
25396 rdev = file_priv->minor->dev->dev_private;
25397 - if (rdev == NULL) {
25401 r = ttm_bo_mmap(filp, vma, &rdev->mman.bdev);
25402 - if (unlikely(r != 0)) {
25406 - if (unlikely(ttm_vm_ops == NULL)) {
25407 - ttm_vm_ops = vma->vm_ops;
25408 - radeon_ttm_vm_ops = *ttm_vm_ops;
25409 - radeon_ttm_vm_ops.fault = &radeon_ttm_fault;
25411 vma->vm_ops = &radeon_ttm_vm_ops;
25414 diff -urNp linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo.c linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo.c
25415 --- linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo.c 2010-10-20 16:30:22.000000000 -0400
25416 +++ linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo.c 2010-11-06 18:58:15.000000000 -0400
25418 #include <linux/module.h>
25420 #define TTM_ASSERT_LOCKED(param)
25421 -#define TTM_DEBUG(fmt, arg...)
25422 +#define TTM_DEBUG(fmt, arg...) do {} while (0)
25423 #define TTM_BO_HASH_ORDER 13
25425 static int ttm_bo_setup_vm(struct ttm_buffer_object *bo);
25426 diff -urNp linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo_vm.c linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo_vm.c
25427 --- linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-10-20 16:30:22.000000000 -0400
25428 +++ linux-2.6.36.1/drivers/gpu/drm/ttm/ttm_bo_vm.c 2010-11-06 18:58:15.000000000 -0400
25429 @@ -69,11 +69,11 @@ static struct ttm_buffer_object *ttm_bo_
25433 -static int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25434 +int ttm_bo_vm_fault(struct vm_area_struct *vma, struct vm_fault *vmf)
25436 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)
25437 vma->vm_private_data;
25438 - struct ttm_bo_device *bdev = bo->bdev;
25439 + struct ttm_bo_device *bdev;
25440 unsigned long page_offset;
25441 unsigned long page_last;
25443 @@ -84,6 +84,10 @@ static int ttm_bo_vm_fault(struct vm_are
25444 unsigned long address = (unsigned long)vmf->virtual_address;
25445 int retval = VM_FAULT_NOPAGE;
25448 + return VM_FAULT_NOPAGE;
25452 * Work around locking order reversal in fault / nopfn
25453 * between mmap_sem and bo_reserve: Perform a trylock operation
25454 @@ -212,22 +216,25 @@ out_unlock:
25455 ttm_bo_unreserve(bo);
25458 +EXPORT_SYMBOL(ttm_bo_vm_fault);
25460 -static void ttm_bo_vm_open(struct vm_area_struct *vma)
25461 +void ttm_bo_vm_open(struct vm_area_struct *vma)
25463 struct ttm_buffer_object *bo =
25464 (struct ttm_buffer_object *)vma->vm_private_data;
25466 (void)ttm_bo_reference(bo);
25468 +EXPORT_SYMBOL(ttm_bo_vm_open);
25470 -static void ttm_bo_vm_close(struct vm_area_struct *vma)
25471 +void ttm_bo_vm_close(struct vm_area_struct *vma)
25473 struct ttm_buffer_object *bo = (struct ttm_buffer_object *)vma->vm_private_data;
25476 vma->vm_private_data = NULL;
25478 +EXPORT_SYMBOL(ttm_bo_vm_close);
25480 static const struct vm_operations_struct ttm_bo_vm_ops = {
25481 .fault = ttm_bo_vm_fault,
25482 diff -urNp linux-2.6.36.1/drivers/hid/hidraw.c linux-2.6.36.1/drivers/hid/hidraw.c
25483 --- linux-2.6.36.1/drivers/hid/hidraw.c 2010-10-20 16:30:22.000000000 -0400
25484 +++ linux-2.6.36.1/drivers/hid/hidraw.c 2010-11-06 18:58:50.000000000 -0400
25485 @@ -250,7 +250,7 @@ static long hidraw_ioctl(struct file *fi
25487 mutex_lock(&minors_lock);
25488 dev = hidraw_table[minor];
25490 + if (dev == NULL) {
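Review bot: The added `if (dev == NULL) {` after `dev = hidraw_table[minor];` runs with `minors_lock` held (taken two lines earlier), and the branch body is cut off in this hunk, so the thing to verify is that it leaves through the function's existing unlock path rather than a direct `return`; a bare return here would leave the mutex held for every later ioctl on any hidraw device. Setting the error code and jumping to the existing unlock label is the safe shape. hidraw_ioctl begins and ends outside the hunk.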
25494 diff -urNp linux-2.6.36.1/drivers/hid/usbhid/hiddev.c linux-2.6.36.1/drivers/hid/usbhid/hiddev.c
25495 --- linux-2.6.36.1/drivers/hid/usbhid/hiddev.c 2010-10-20 16:30:22.000000000 -0400
25496 +++ linux-2.6.36.1/drivers/hid/usbhid/hiddev.c 2010-11-06 18:58:15.000000000 -0400
25497 @@ -614,7 +614,7 @@ static long hiddev_ioctl(struct file *fi
25498 return put_user(HID_VERSION, (int __user *)arg);
25500 case HIDIOCAPPLICATION:
25501 - if (arg < 0 || arg >= hid->maxapplication)
25502 + if (arg >= hid->maxapplication)
25505 for (i = 0; i < hid->maxcollection; i++)
25506 diff -urNp linux-2.6.36.1/drivers/hwmon/k8temp.c linux-2.6.36.1/drivers/hwmon/k8temp.c
25507 --- linux-2.6.36.1/drivers/hwmon/k8temp.c 2010-10-20 16:30:22.000000000 -0400
25508 +++ linux-2.6.36.1/drivers/hwmon/k8temp.c 2010-11-06 18:58:15.000000000 -0400
25509 @@ -138,7 +138,7 @@ static DEVICE_ATTR(name, S_IRUGO, show_n
25511 static const struct pci_device_id k8temp_ids[] = {
25512 { PCI_DEVICE(PCI_VENDOR_ID_AMD, PCI_DEVICE_ID_AMD_K8_NB_MISC) },
25514 + { 0, 0, 0, 0, 0, 0, 0 },
25517 MODULE_DEVICE_TABLE(pci, k8temp_ids);
25518 diff -urNp linux-2.6.36.1/drivers/hwmon/sis5595.c linux-2.6.36.1/drivers/hwmon/sis5595.c
25519 --- linux-2.6.36.1/drivers/hwmon/sis5595.c 2010-10-20 16:30:22.000000000 -0400
25520 +++ linux-2.6.36.1/drivers/hwmon/sis5595.c 2010-11-06 18:58:15.000000000 -0400
25521 @@ -699,7 +699,7 @@ static struct sis5595_data *sis5595_upda
25523 static const struct pci_device_id sis5595_pci_ids[] = {
25524 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25526 + { 0, 0, 0, 0, 0, 0, 0 }
25529 MODULE_DEVICE_TABLE(pci, sis5595_pci_ids);
25530 diff -urNp linux-2.6.36.1/drivers/hwmon/via686a.c linux-2.6.36.1/drivers/hwmon/via686a.c
25531 --- linux-2.6.36.1/drivers/hwmon/via686a.c 2010-10-20 16:30:22.000000000 -0400
25532 +++ linux-2.6.36.1/drivers/hwmon/via686a.c 2010-11-06 18:58:15.000000000 -0400
25533 @@ -769,7 +769,7 @@ static struct via686a_data *via686a_upda
25535 static const struct pci_device_id via686a_pci_ids[] = {
25536 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_82C686_4) },
25538 + { 0, 0, 0, 0, 0, 0, 0 }
25541 MODULE_DEVICE_TABLE(pci, via686a_pci_ids);
25542 diff -urNp linux-2.6.36.1/drivers/hwmon/vt8231.c linux-2.6.36.1/drivers/hwmon/vt8231.c
25543 --- linux-2.6.36.1/drivers/hwmon/vt8231.c 2010-10-20 16:30:22.000000000 -0400
25544 +++ linux-2.6.36.1/drivers/hwmon/vt8231.c 2010-11-06 18:58:15.000000000 -0400
25545 @@ -699,7 +699,7 @@ static struct platform_driver vt8231_dri
25547 static const struct pci_device_id vt8231_pci_ids[] = {
25548 { PCI_DEVICE(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_8231_4) },
25550 + { 0, 0, 0, 0, 0, 0, 0 }
25553 MODULE_DEVICE_TABLE(pci, vt8231_pci_ids);
25554 diff -urNp linux-2.6.36.1/drivers/hwmon/w83791d.c linux-2.6.36.1/drivers/hwmon/w83791d.c
25555 --- linux-2.6.36.1/drivers/hwmon/w83791d.c 2010-10-20 16:30:22.000000000 -0400
25556 +++ linux-2.6.36.1/drivers/hwmon/w83791d.c 2010-11-06 18:58:15.000000000 -0400
25557 @@ -329,8 +329,8 @@ static int w83791d_detect(struct i2c_cli
25558 struct i2c_board_info *info);
25559 static int w83791d_remove(struct i2c_client *client);
25561 -static int w83791d_read(struct i2c_client *client, u8 register);
25562 -static int w83791d_write(struct i2c_client *client, u8 register, u8 value);
25563 +static int w83791d_read(struct i2c_client *client, u8 reg);
25564 +static int w83791d_write(struct i2c_client *client, u8 reg, u8 value);
25565 static struct w83791d_data *w83791d_update_device(struct device *dev);
25568 diff -urNp linux-2.6.36.1/drivers/i2c/busses/i2c-i801.c linux-2.6.36.1/drivers/i2c/busses/i2c-i801.c
25569 --- linux-2.6.36.1/drivers/i2c/busses/i2c-i801.c 2010-10-20 16:30:22.000000000 -0400
25570 +++ linux-2.6.36.1/drivers/i2c/busses/i2c-i801.c 2010-11-06 18:58:15.000000000 -0400
25571 @@ -592,7 +592,7 @@ static const struct pci_device_id i801_i
25572 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_ICH10_5) },
25573 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_PCH_SMBUS) },
25574 { PCI_DEVICE(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_CPT_SMBUS) },
25576 + { 0, 0, 0, 0, 0, 0, 0 }
25579 MODULE_DEVICE_TABLE(pci, i801_ids);
25580 diff -urNp linux-2.6.36.1/drivers/i2c/busses/i2c-piix4.c linux-2.6.36.1/drivers/i2c/busses/i2c-piix4.c
25581 --- linux-2.6.36.1/drivers/i2c/busses/i2c-piix4.c 2010-10-20 16:30:22.000000000 -0400
25582 +++ linux-2.6.36.1/drivers/i2c/busses/i2c-piix4.c 2010-11-06 18:58:15.000000000 -0400
25583 @@ -124,7 +124,7 @@ static struct dmi_system_id __devinitdat
25585 .matches = { DMI_MATCH(DMI_SYS_VENDOR, "IBM"), },
25588 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25591 static int __devinit piix4_setup(struct pci_dev *PIIX4_dev,
25592 @@ -491,7 +491,7 @@ static const struct pci_device_id piix4_
25593 PCI_DEVICE_ID_SERVERWORKS_HT1000SB) },
25594 { PCI_DEVICE(PCI_VENDOR_ID_SERVERWORKS,
25595 PCI_DEVICE_ID_SERVERWORKS_HT1100LD) },
25597 + { 0, 0, 0, 0, 0, 0, 0 }
25600 MODULE_DEVICE_TABLE (pci, piix4_ids);
25601 diff -urNp linux-2.6.36.1/drivers/i2c/busses/i2c-sis630.c linux-2.6.36.1/drivers/i2c/busses/i2c-sis630.c
25602 --- linux-2.6.36.1/drivers/i2c/busses/i2c-sis630.c 2010-10-20 16:30:22.000000000 -0400
25603 +++ linux-2.6.36.1/drivers/i2c/busses/i2c-sis630.c 2010-11-06 18:58:15.000000000 -0400
25604 @@ -471,7 +471,7 @@ static struct i2c_adapter sis630_adapter
25605 static const struct pci_device_id sis630_ids[] __devinitconst = {
25606 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_503) },
25607 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_LPC) },
25609 + { 0, 0, 0, 0, 0, 0, 0 }
25612 MODULE_DEVICE_TABLE (pci, sis630_ids);
25613 diff -urNp linux-2.6.36.1/drivers/i2c/busses/i2c-sis96x.c linux-2.6.36.1/drivers/i2c/busses/i2c-sis96x.c
25614 --- linux-2.6.36.1/drivers/i2c/busses/i2c-sis96x.c 2010-10-20 16:30:22.000000000 -0400
25615 +++ linux-2.6.36.1/drivers/i2c/busses/i2c-sis96x.c 2010-11-06 18:58:15.000000000 -0400
25616 @@ -247,7 +247,7 @@ static struct i2c_adapter sis96x_adapter
25618 static const struct pci_device_id sis96x_ids[] = {
25619 { PCI_DEVICE(PCI_VENDOR_ID_SI, PCI_DEVICE_ID_SI_SMBUS) },
25621 + { 0, 0, 0, 0, 0, 0, 0 }
25624 MODULE_DEVICE_TABLE (pci, sis96x_ids);
25625 diff -urNp linux-2.6.36.1/drivers/ide/ide-cd.c linux-2.6.36.1/drivers/ide/ide-cd.c
25626 --- linux-2.6.36.1/drivers/ide/ide-cd.c 2010-10-20 16:30:22.000000000 -0400
25627 +++ linux-2.6.36.1/drivers/ide/ide-cd.c 2010-11-06 18:58:15.000000000 -0400
25628 @@ -776,7 +776,7 @@ static void cdrom_do_block_pc(ide_drive_
25629 alignment = queue_dma_alignment(q) | q->dma_pad_mask;
25630 if ((unsigned long)buf & alignment
25631 || blk_rq_bytes(rq) & q->dma_pad_mask
25632 - || object_is_on_stack(buf))
25633 + || object_starts_on_stack(buf))
25637 diff -urNp linux-2.6.36.1/drivers/ieee1394/dv1394.c linux-2.6.36.1/drivers/ieee1394/dv1394.c
25638 --- linux-2.6.36.1/drivers/ieee1394/dv1394.c 2010-10-20 16:30:22.000000000 -0400
25639 +++ linux-2.6.36.1/drivers/ieee1394/dv1394.c 2010-11-06 18:58:15.000000000 -0400
25640 @@ -738,7 +738,7 @@ static void frame_prepare(struct video_c
25641 based upon DIF section and sequence
25644 -static void inline
25645 +static inline void
25646 frame_put_packet (struct frame *f, struct packet *p)
25648 int section_type = p->data[0] >> 5; /* section type is in bits 5 - 7 */
25649 @@ -2173,7 +2173,7 @@ static const struct ieee1394_device_id d
25650 .specifier_id = AVC_UNIT_SPEC_ID_ENTRY & 0xffffff,
25651 .version = AVC_SW_VERSION_ENTRY & 0xffffff
25654 + { 0, 0, 0, 0, 0, 0 }
25657 MODULE_DEVICE_TABLE(ieee1394, dv1394_id_table);
25658 diff -urNp linux-2.6.36.1/drivers/ieee1394/eth1394.c linux-2.6.36.1/drivers/ieee1394/eth1394.c
25659 --- linux-2.6.36.1/drivers/ieee1394/eth1394.c 2010-10-20 16:30:22.000000000 -0400
25660 +++ linux-2.6.36.1/drivers/ieee1394/eth1394.c 2010-11-06 18:58:15.000000000 -0400
25661 @@ -446,7 +446,7 @@ static const struct ieee1394_device_id e
25662 .specifier_id = ETHER1394_GASP_SPECIFIER_ID,
25663 .version = ETHER1394_GASP_VERSION,
25666 + { 0, 0, 0, 0, 0, 0 }
25669 MODULE_DEVICE_TABLE(ieee1394, eth1394_id_table);
25670 diff -urNp linux-2.6.36.1/drivers/ieee1394/hosts.c linux-2.6.36.1/drivers/ieee1394/hosts.c
25671 --- linux-2.6.36.1/drivers/ieee1394/hosts.c 2010-10-20 16:30:22.000000000 -0400
25672 +++ linux-2.6.36.1/drivers/ieee1394/hosts.c 2010-11-06 18:58:15.000000000 -0400
25673 @@ -78,6 +78,7 @@ static int dummy_isoctl(struct hpsb_iso
25676 static struct hpsb_host_driver dummy_driver = {
25678 .transmit_packet = dummy_transmit_packet,
25679 .devctl = dummy_devctl,
25680 .isoctl = dummy_isoctl
25681 diff -urNp linux-2.6.36.1/drivers/ieee1394/ohci1394.c linux-2.6.36.1/drivers/ieee1394/ohci1394.c
25682 --- linux-2.6.36.1/drivers/ieee1394/ohci1394.c 2010-10-20 16:30:22.000000000 -0400
25683 +++ linux-2.6.36.1/drivers/ieee1394/ohci1394.c 2010-11-06 18:58:15.000000000 -0400
25684 @@ -148,9 +148,9 @@ printk(level "%s: " fmt "\n" , OHCI1394_
25685 printk(level "%s: fw-host%d: " fmt "\n" , OHCI1394_DRIVER_NAME, ohci->host->id , ## args)
25687 /* Module Parameters */
25688 -static int phys_dma = 1;
25689 +static int phys_dma;
25690 module_param(phys_dma, int, 0444);
25691 -MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 1).");
25692 +MODULE_PARM_DESC(phys_dma, "Enable physical DMA (default = 0).");
25694 static void dma_trm_tasklet(unsigned long data);
25695 static void dma_trm_reset(struct dma_trm_ctx *d);
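Review bot: Changing the `phys_dma` default from 1 to 0 is a security-relevant behaviour change that only the MODULE_PARM_DESC string records; a why-comment at the definition would keep the intent from being lost when someone bisects a FireWire regression back to this line. Something like `/* Physical DMA lets any bus peer access system memory directly; keep it opt-in. */` above `static int phys_dma;` states the rationale. Dropping the explicit initializer in favour of the implicit zero for static storage matches kernel style.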
25696 @@ -3445,7 +3445,7 @@ static struct pci_device_id ohci1394_pci
25697 .subvendor = PCI_ANY_ID,
25698 .subdevice = PCI_ANY_ID,
25701 + { 0, 0, 0, 0, 0, 0, 0 },
25704 MODULE_DEVICE_TABLE(pci, ohci1394_pci_tbl);
25705 diff -urNp linux-2.6.36.1/drivers/ieee1394/raw1394.c linux-2.6.36.1/drivers/ieee1394/raw1394.c
25706 --- linux-2.6.36.1/drivers/ieee1394/raw1394.c 2010-10-20 16:30:22.000000000 -0400
25707 +++ linux-2.6.36.1/drivers/ieee1394/raw1394.c 2010-11-06 18:58:15.000000000 -0400
25708 @@ -3001,7 +3001,7 @@ static const struct ieee1394_device_id r
25709 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25710 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25711 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff},
25713 + { 0, 0, 0, 0, 0, 0 }
25716 MODULE_DEVICE_TABLE(ieee1394, raw1394_id_table);
25717 diff -urNp linux-2.6.36.1/drivers/ieee1394/sbp2.c linux-2.6.36.1/drivers/ieee1394/sbp2.c
25718 --- linux-2.6.36.1/drivers/ieee1394/sbp2.c 2010-10-20 16:30:22.000000000 -0400
25719 +++ linux-2.6.36.1/drivers/ieee1394/sbp2.c 2010-11-06 18:58:15.000000000 -0400
25720 @@ -289,7 +289,7 @@ static const struct ieee1394_device_id s
25721 .match_flags = IEEE1394_MATCH_SPECIFIER_ID | IEEE1394_MATCH_VERSION,
25722 .specifier_id = SBP2_UNIT_SPEC_ID_ENTRY & 0xffffff,
25723 .version = SBP2_SW_VERSION_ENTRY & 0xffffff},
25725 + { 0, 0, 0, 0, 0, 0 }
25727 MODULE_DEVICE_TABLE(ieee1394, sbp2_id_table);
25729 @@ -2107,7 +2107,7 @@ MODULE_DESCRIPTION("IEEE-1394 SBP-2 prot
25730 MODULE_SUPPORTED_DEVICE(SBP2_DEVICE_NAME);
25731 MODULE_LICENSE("GPL");
25733 -static int sbp2_module_init(void)
25734 +static int __init sbp2_module_init(void)
25738 diff -urNp linux-2.6.36.1/drivers/ieee1394/video1394.c linux-2.6.36.1/drivers/ieee1394/video1394.c
25739 --- linux-2.6.36.1/drivers/ieee1394/video1394.c 2010-10-20 16:30:22.000000000 -0400
25740 +++ linux-2.6.36.1/drivers/ieee1394/video1394.c 2010-11-06 18:58:15.000000000 -0400
25741 @@ -1307,7 +1307,7 @@ static const struct ieee1394_device_id v
25742 .specifier_id = CAMERA_UNIT_SPEC_ID_ENTRY & 0xffffff,
25743 .version = (CAMERA_SW_VERSION_ENTRY + 2) & 0xffffff
25746 + { 0, 0, 0, 0, 0, 0 }
25749 MODULE_DEVICE_TABLE(ieee1394, video1394_id_table);
25750 diff -urNp linux-2.6.36.1/drivers/infiniband/core/cm.c linux-2.6.36.1/drivers/infiniband/core/cm.c
25751 --- linux-2.6.36.1/drivers/infiniband/core/cm.c 2010-10-20 16:30:22.000000000 -0400
25752 +++ linux-2.6.36.1/drivers/infiniband/core/cm.c 2010-11-06 18:58:15.000000000 -0400
25753 @@ -113,7 +113,7 @@ static char const counter_group_names[CM
25755 struct cm_counter_group {
25756 struct kobject obj;
25757 - atomic_long_t counter[CM_ATTR_COUNT];
25758 + atomic_long_unchecked_t counter[CM_ATTR_COUNT];
25761 struct cm_counter_attribute {
25762 @@ -1387,7 +1387,7 @@ static void cm_dup_req_handler(struct cm
25763 struct ib_mad_send_buf *msg = NULL;
25766 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25767 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25768 counter[CM_REQ_COUNTER]);
25770 /* Quick state check to discard duplicate REQs. */
25771 @@ -1765,7 +1765,7 @@ static void cm_dup_rep_handler(struct cm
25775 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25776 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25777 counter[CM_REP_COUNTER]);
25778 ret = cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg);
25780 @@ -1932,7 +1932,7 @@ static int cm_rtu_handler(struct cm_work
25781 if (cm_id_priv->id.state != IB_CM_REP_SENT &&
25782 cm_id_priv->id.state != IB_CM_MRA_REP_RCVD) {
25783 spin_unlock_irq(&cm_id_priv->lock);
25784 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25785 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25786 counter[CM_RTU_COUNTER]);
25789 @@ -2111,7 +2111,7 @@ static int cm_dreq_handler(struct cm_wor
25790 cm_id_priv = cm_acquire_id(dreq_msg->remote_comm_id,
25791 dreq_msg->local_comm_id);
25793 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25794 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25795 counter[CM_DREQ_COUNTER]);
25796 cm_issue_drep(work->port, work->mad_recv_wc);
25798 @@ -2132,7 +2132,7 @@ static int cm_dreq_handler(struct cm_wor
25799 case IB_CM_MRA_REP_RCVD:
25801 case IB_CM_TIMEWAIT:
25802 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25803 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25804 counter[CM_DREQ_COUNTER]);
25805 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25807 @@ -2146,7 +2146,7 @@ static int cm_dreq_handler(struct cm_wor
25810 case IB_CM_DREQ_RCVD:
25811 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25812 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25813 counter[CM_DREQ_COUNTER]);
25816 @@ -2504,7 +2504,7 @@ static int cm_mra_handler(struct cm_work
25817 ib_modify_mad(cm_id_priv->av.port->mad_agent,
25818 cm_id_priv->msg, timeout)) {
25819 if (cm_id_priv->id.lap_state == IB_CM_MRA_LAP_RCVD)
25820 - atomic_long_inc(&work->port->
25821 + atomic_long_inc_unchecked(&work->port->
25822 counter_group[CM_RECV_DUPLICATES].
25823 counter[CM_MRA_COUNTER]);
25825 @@ -2513,7 +2513,7 @@ static int cm_mra_handler(struct cm_work
25827 case IB_CM_MRA_REQ_RCVD:
25828 case IB_CM_MRA_REP_RCVD:
25829 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25830 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25831 counter[CM_MRA_COUNTER]);
25834 @@ -2675,7 +2675,7 @@ static int cm_lap_handler(struct cm_work
25835 case IB_CM_LAP_IDLE:
25837 case IB_CM_MRA_LAP_SENT:
25838 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25839 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25840 counter[CM_LAP_COUNTER]);
25841 if (cm_alloc_response_msg(work->port, work->mad_recv_wc, &msg))
25843 @@ -2691,7 +2691,7 @@ static int cm_lap_handler(struct cm_work
25846 case IB_CM_LAP_RCVD:
25847 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25848 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25849 counter[CM_LAP_COUNTER]);
25852 @@ -2975,7 +2975,7 @@ static int cm_sidr_req_handler(struct cm
25853 cur_cm_id_priv = cm_insert_remote_sidr(cm_id_priv);
25854 if (cur_cm_id_priv) {
25855 spin_unlock_irq(&cm.lock);
25856 - atomic_long_inc(&work->port->counter_group[CM_RECV_DUPLICATES].
25857 + atomic_long_inc_unchecked(&work->port->counter_group[CM_RECV_DUPLICATES].
25858 counter[CM_SIDR_REQ_COUNTER]);
25859 goto out; /* Duplicate message. */
25861 @@ -3186,10 +3186,10 @@ static void cm_send_handler(struct ib_ma
25862 if (!msg->context[0] && (attr_index != CM_REJ_COUNTER))
25865 - atomic_long_add(1 + msg->retries,
25866 + atomic_long_add_unchecked(1 + msg->retries,
25867 &port->counter_group[CM_XMIT].counter[attr_index]);
25869 - atomic_long_add(msg->retries,
25870 + atomic_long_add_unchecked(msg->retries,
25871 &port->counter_group[CM_XMIT_RETRIES].
25872 counter[attr_index]);
25874 @@ -3399,7 +3399,7 @@ static void cm_recv_handler(struct ib_ma
25877 attr_id = be16_to_cpu(mad_recv_wc->recv_buf.mad->mad_hdr.attr_id);
25878 - atomic_long_inc(&port->counter_group[CM_RECV].
25879 + atomic_long_inc_unchecked(&port->counter_group[CM_RECV].
25880 counter[attr_id - CM_ATTR_ID_OFFSET]);
25882 work = kmalloc(sizeof *work + sizeof(struct ib_sa_path_rec) * paths,
25883 @@ -3597,7 +3597,7 @@ static ssize_t cm_show_counter(struct ko
25884 cm_attr = container_of(attr, struct cm_counter_attribute, attr);
25886 return sprintf(buf, "%ld\n",
25887 - atomic_long_read(&group->counter[cm_attr->index]));
25888 + atomic_long_read_unchecked(&group->counter[cm_attr->index]));
25891 static const struct sysfs_ops cm_counter_ops = {
25892 diff -urNp linux-2.6.36.1/drivers/infiniband/hw/qib/qib.h linux-2.6.36.1/drivers/infiniband/hw/qib/qib.h
25893 --- linux-2.6.36.1/drivers/infiniband/hw/qib/qib.h 2010-10-20 16:30:22.000000000 -0400
25894 +++ linux-2.6.36.1/drivers/infiniband/hw/qib/qib.h 2010-11-06 18:58:15.000000000 -0400
25896 #include <linux/completion.h>
25897 #include <linux/kref.h>
25898 #include <linux/sched.h>
25899 +#include <linux/slab.h>
25901 #include "qib_common.h"
25902 #include "qib_verbs.h"
25903 diff -urNp linux-2.6.36.1/drivers/input/keyboard/atkbd.c linux-2.6.36.1/drivers/input/keyboard/atkbd.c
25904 --- linux-2.6.36.1/drivers/input/keyboard/atkbd.c 2010-10-20 16:30:22.000000000 -0400
25905 +++ linux-2.6.36.1/drivers/input/keyboard/atkbd.c 2010-11-06 18:58:15.000000000 -0400
25906 @@ -1240,7 +1240,7 @@ static struct serio_device_id atkbd_seri
25908 .extra = SERIO_ANY,
25914 MODULE_DEVICE_TABLE(serio, atkbd_serio_ids);
25915 diff -urNp linux-2.6.36.1/drivers/input/mouse/lifebook.c linux-2.6.36.1/drivers/input/mouse/lifebook.c
25916 --- linux-2.6.36.1/drivers/input/mouse/lifebook.c 2010-10-20 16:30:22.000000000 -0400
25917 +++ linux-2.6.36.1/drivers/input/mouse/lifebook.c 2010-11-06 18:58:15.000000000 -0400
25918 @@ -123,7 +123,7 @@ static const struct dmi_system_id __init
25919 DMI_MATCH(DMI_PRODUCT_NAME, "LifeBook B142"),
25923 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL}
25926 void __init lifebook_module_init(void)
25927 diff -urNp linux-2.6.36.1/drivers/input/mouse/psmouse-base.c linux-2.6.36.1/drivers/input/mouse/psmouse-base.c
25928 --- linux-2.6.36.1/drivers/input/mouse/psmouse-base.c 2010-10-20 16:30:22.000000000 -0400
25929 +++ linux-2.6.36.1/drivers/input/mouse/psmouse-base.c 2010-11-06 18:58:15.000000000 -0400
25930 @@ -1462,7 +1462,7 @@ static struct serio_device_id psmouse_se
25932 .extra = SERIO_ANY,
25938 MODULE_DEVICE_TABLE(serio, psmouse_serio_ids);
25939 diff -urNp linux-2.6.36.1/drivers/input/mouse/synaptics.c linux-2.6.36.1/drivers/input/mouse/synaptics.c
25940 --- linux-2.6.36.1/drivers/input/mouse/synaptics.c 2010-10-20 16:30:22.000000000 -0400
25941 +++ linux-2.6.36.1/drivers/input/mouse/synaptics.c 2010-11-06 18:58:15.000000000 -0400
25942 @@ -476,7 +476,7 @@ static void synaptics_process_packet(str
25945 if (SYN_MODEL_PEN(priv->model_id))
25946 - ; /* Nothing, treat a pen as a single finger */
25947 + break; /* Nothing, treat a pen as a single finger */
25950 if (SYN_CAP_PALMDETECT(priv->capabilities))
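Review bot: Turning the empty statement into `break;` preserves behaviour only if the statement that followed it (not visible in this chunk) was already this case's own unconditional `break;`; if anything else sat between the `if` and the end of the case, a pen packet now skips it. If the intent is only to silence an empty-body warning, the existing comment should say so, e.g. `break; /* treat a pen as a single finger; explicit break avoids the empty-body warning */`, so the next reader does not mistake it for a control-flow change. synaptics_process_packet starts and ends outside the hunk.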
25951 @@ -705,7 +705,6 @@ static const struct dmi_system_id __init
25952 DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
25953 DMI_MATCH(DMI_PRODUCT_NAME, "PORTEGE M300"),
25958 /* Toshiba Portege M300 */
25959 @@ -714,9 +713,8 @@ static const struct dmi_system_id __init
25960 DMI_MATCH(DMI_PRODUCT_NAME, "Portable PC"),
25961 DMI_MATCH(DMI_PRODUCT_VERSION, "Version 1.0"),
25966 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
25970 diff -urNp linux-2.6.36.1/drivers/input/mousedev.c linux-2.6.36.1/drivers/input/mousedev.c
25971 --- linux-2.6.36.1/drivers/input/mousedev.c 2010-10-20 16:30:22.000000000 -0400
25972 +++ linux-2.6.36.1/drivers/input/mousedev.c 2010-11-06 18:58:15.000000000 -0400
25973 @@ -762,7 +762,7 @@ static ssize_t mousedev_read(struct file
25975 spin_unlock_irq(&client->packet_lock);
25977 - if (copy_to_user(buffer, data, count))
25978 + if (count > sizeof(data) || copy_to_user(buffer, data, count))
25982 @@ -1064,7 +1064,7 @@ static struct input_handler mousedev_han
25984 #ifdef CONFIG_INPUT_MOUSEDEV_PSAUX
25985 static struct miscdevice psaux_mouse = {
25986 - PSMOUSE_MINOR, "psaux", &mousedev_fops
25987 + PSMOUSE_MINOR, "psaux", &mousedev_fops, {NULL, NULL}, NULL, NULL
25989 static int psaux_registered;
25991 diff -urNp linux-2.6.36.1/drivers/input/serio/i8042-x86ia64io.h linux-2.6.36.1/drivers/input/serio/i8042-x86ia64io.h
25992 --- linux-2.6.36.1/drivers/input/serio/i8042-x86ia64io.h 2010-10-20 16:30:22.000000000 -0400
25993 +++ linux-2.6.36.1/drivers/input/serio/i8042-x86ia64io.h 2010-11-06 18:58:15.000000000 -0400
25994 @@ -183,7 +183,7 @@ static const struct dmi_system_id __init
25995 DMI_MATCH(DMI_PRODUCT_VERSION, "Rev 1"),
25999 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26003 @@ -413,7 +413,7 @@ static const struct dmi_system_id __init
26004 DMI_MATCH(DMI_PRODUCT_VERSION, "0100"),
26008 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26011 static const struct dmi_system_id __initconst i8042_dmi_reset_table[] = {
26012 @@ -487,7 +487,7 @@ static const struct dmi_system_id __init
26013 DMI_MATCH(DMI_PRODUCT_NAME, "Vostro 1720"),
26017 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26021 @@ -506,7 +506,7 @@ static const struct dmi_system_id __init
26022 DMI_MATCH(DMI_BOARD_VENDOR, "MICRO-STAR INTERNATIONAL CO., LTD"),
26026 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26029 static const struct dmi_system_id __initconst i8042_dmi_laptop_table[] = {
26030 @@ -530,7 +530,7 @@ static const struct dmi_system_id __init
26031 DMI_MATCH(DMI_CHASSIS_TYPE, "14"), /* Sub-Notebook */
26035 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26039 @@ -604,7 +604,7 @@ static const struct dmi_system_id __init
26040 DMI_MATCH(DMI_PRODUCT_NAME, "TravelMate 4280"),
26044 + { NULL, NULL, {DMI_MATCH(DMI_NONE, {0})}, NULL }
26047 #endif /* CONFIG_X86 */
26048 diff -urNp linux-2.6.36.1/drivers/input/serio/serio_raw.c linux-2.6.36.1/drivers/input/serio/serio_raw.c
26049 --- linux-2.6.36.1/drivers/input/serio/serio_raw.c 2010-10-20 16:30:22.000000000 -0400
26050 +++ linux-2.6.36.1/drivers/input/serio/serio_raw.c 2010-11-06 18:58:15.000000000 -0400
26051 @@ -376,7 +376,7 @@ static struct serio_device_id serio_raw_
26053 .extra = SERIO_ANY,
26059 MODULE_DEVICE_TABLE(serio, serio_raw_serio_ids);
26060 diff -urNp linux-2.6.36.1/drivers/isdn/gigaset/common.c linux-2.6.36.1/drivers/isdn/gigaset/common.c
26061 --- linux-2.6.36.1/drivers/isdn/gigaset/common.c 2010-10-20 16:30:22.000000000 -0400
26062 +++ linux-2.6.36.1/drivers/isdn/gigaset/common.c 2010-11-06 18:58:15.000000000 -0400
26063 @@ -723,7 +723,7 @@ struct cardstate *gigaset_initcs(struct
26064 cs->commands_pending = 0;
26065 cs->cur_at_seq = 0;
26067 - cs->open_count = 0;
26068 + atomic_set(&cs->open_count, 0);
26071 cs->tty_dev = NULL;
26072 diff -urNp linux-2.6.36.1/drivers/isdn/gigaset/gigaset.h linux-2.6.36.1/drivers/isdn/gigaset/gigaset.h
26073 --- linux-2.6.36.1/drivers/isdn/gigaset/gigaset.h 2010-10-20 16:30:22.000000000 -0400
26074 +++ linux-2.6.36.1/drivers/isdn/gigaset/gigaset.h 2010-11-06 18:58:15.000000000 -0400
26075 @@ -434,7 +434,7 @@ struct cardstate {
26076 spinlock_t cmdlock;
26077 unsigned curlen, cmdbytes;
26079 - unsigned open_count;
26080 + atomic_t open_count;
26081 struct tty_struct *tty;
26082 struct tasklet_struct if_wake_tasklet;
26083 unsigned control_state;
26084 diff -urNp linux-2.6.36.1/drivers/isdn/gigaset/interface.c linux-2.6.36.1/drivers/isdn/gigaset/interface.c
26085 --- linux-2.6.36.1/drivers/isdn/gigaset/interface.c 2010-10-20 16:30:22.000000000 -0400
26086 +++ linux-2.6.36.1/drivers/isdn/gigaset/interface.c 2010-11-06 18:58:15.000000000 -0400
26087 @@ -160,9 +160,7 @@ static int if_open(struct tty_struct *tt
26088 return -ERESTARTSYS;
26089 tty->driver_data = cs;
26091 - ++cs->open_count;
26093 - if (cs->open_count == 1) {
26094 + if (atomic_inc_return(&cs->open_count) == 1) {
26095 spin_lock_irqsave(&cs->lock, flags);
26097 spin_unlock_irqrestore(&cs->lock, flags);
26098 @@ -190,10 +188,10 @@ static void if_close(struct tty_struct *
26100 if (!cs->connected)
26101 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26102 - else if (!cs->open_count)
26103 + else if (!atomic_read(&cs->open_count))
26104 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26106 - if (!--cs->open_count) {
26107 + if (!atomic_dec_return(&cs->open_count)) {
26108 spin_lock_irqsave(&cs->lock, flags);
26110 spin_unlock_irqrestore(&cs->lock, flags);
26111 @@ -228,7 +226,7 @@ static int if_ioctl(struct tty_struct *t
26112 if (!cs->connected) {
26113 gig_dbg(DEBUG_IF, "not connected");
26115 - } else if (!cs->open_count)
26116 + } else if (!atomic_read(&cs->open_count))
26117 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26120 @@ -358,7 +356,7 @@ static int if_write(struct tty_struct *t
26124 - if (!cs->open_count) {
26125 + if (!atomic_read(&cs->open_count)) {
26126 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26129 @@ -411,7 +409,7 @@ static int if_write_room(struct tty_stru
26130 if (!cs->connected) {
26131 gig_dbg(DEBUG_IF, "not connected");
26133 - } else if (!cs->open_count)
26134 + } else if (!atomic_read(&cs->open_count))
26135 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26136 else if (cs->mstate != MS_LOCKED) {
26137 dev_warn(cs->dev, "can't write to unlocked device\n");
26138 @@ -441,7 +439,7 @@ static int if_chars_in_buffer(struct tty
26140 if (!cs->connected)
26141 gig_dbg(DEBUG_IF, "not connected");
26142 - else if (!cs->open_count)
26143 + else if (!atomic_read(&cs->open_count))
26144 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26145 else if (cs->mstate != MS_LOCKED)
26146 dev_warn(cs->dev, "can't write to unlocked device\n");
26147 @@ -469,7 +467,7 @@ static void if_throttle(struct tty_struc
26149 if (!cs->connected)
26150 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26151 - else if (!cs->open_count)
26152 + else if (!atomic_read(&cs->open_count))
26153 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26155 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26156 @@ -493,7 +491,7 @@ static void if_unthrottle(struct tty_str
26158 if (!cs->connected)
26159 gig_dbg(DEBUG_IF, "not connected"); /* nothing to do */
26160 - else if (!cs->open_count)
26161 + else if (!atomic_read(&cs->open_count))
26162 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26164 gig_dbg(DEBUG_IF, "%s: not implemented\n", __func__);
26165 @@ -524,7 +522,7 @@ static void if_set_termios(struct tty_st
26169 - if (!cs->open_count) {
26170 + if (!atomic_read(&cs->open_count)) {
26171 dev_warn(cs->dev, "%s: device not opened\n", __func__);
26174 diff -urNp linux-2.6.36.1/drivers/isdn/hardware/avm/b1.c linux-2.6.36.1/drivers/isdn/hardware/avm/b1.c
26175 --- linux-2.6.36.1/drivers/isdn/hardware/avm/b1.c 2010-10-20 16:30:22.000000000 -0400
26176 +++ linux-2.6.36.1/drivers/isdn/hardware/avm/b1.c 2010-11-06 18:58:50.000000000 -0400
26177 @@ -176,7 +176,7 @@ int b1_load_t4file(avmcard *card, capilo
26180 if (t4file->user) {
26181 - if (copy_from_user(buf, dp, left))
26182 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
26185 memcpy(buf, dp, left);
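Review bot: The new `left > sizeof(buf)` bound guards only the copy_from_user() path; the kernel-space `memcpy(buf, dp, left)` on the next line copies the same `left` into the same stack buffer without it, so the test belongs above the `if (t4file->user)` branch where both paths share it, e.g. `if (left > sizeof(buf)) return -EFAULT;` placed before the branch (returning whatever the copy_from_user failure path already returns). If the chunking loop above the hunk already limits `left` to `sizeof(buf)` (b1_load_t4file starts outside the hunk), the added check is defence in depth and the asymmetry is only cosmetic, but it should then be the same on both sides. The same one-sided pattern appears in the `@@ -224` hunk (b1_load_config) and in icn.c `@@ -1045`, where `memcpy(msg, buf, count)` is likewise left unguarded.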
26186 @@ -224,7 +224,7 @@ int b1_load_config(avmcard *card, capilo
26189 if (config->user) {
26190 - if (copy_from_user(buf, dp, left))
26191 + if (left > sizeof(buf) || copy_from_user(buf, dp, left))
26194 memcpy(buf, dp, left);
26195 diff -urNp linux-2.6.36.1/drivers/isdn/icn/icn.c linux-2.6.36.1/drivers/isdn/icn/icn.c
26196 --- linux-2.6.36.1/drivers/isdn/icn/icn.c 2010-10-20 16:30:22.000000000 -0400
26197 +++ linux-2.6.36.1/drivers/isdn/icn/icn.c 2010-11-06 18:58:50.000000000 -0400
26198 @@ -1045,7 +1045,7 @@ icn_writecmd(const u_char * buf, int len
26202 - if (copy_from_user(msg, buf, count))
26203 + if (count > sizeof(msg) || copy_from_user(msg, buf, count))
26206 memcpy(msg, buf, count);
26207 diff -urNp linux-2.6.36.1/drivers/lguest/core.c linux-2.6.36.1/drivers/lguest/core.c
26208 --- linux-2.6.36.1/drivers/lguest/core.c 2010-10-20 16:30:22.000000000 -0400
26209 +++ linux-2.6.36.1/drivers/lguest/core.c 2010-11-06 18:58:15.000000000 -0400
26210 @@ -92,9 +92,17 @@ static __init int map_switcher(void)
26211 * it's worked so far. The end address needs +1 because __get_vm_area
26212 * allocates an extra guard page, so we need space for that.
26215 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
26216 + switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26217 + VM_ALLOC | VM_KERNEXEC, SWITCHER_ADDR, SWITCHER_ADDR
26218 + + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26220 switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
26221 VM_ALLOC, SWITCHER_ADDR, SWITCHER_ADDR
26222 + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
26225 if (!switcher_vma) {
26227 printk("lguest: could not map switcher pages high\n");
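Review bot: The two `__get_vm_area()` calls differ only in the `VM_KERNEXEC` flag, so the whole call is duplicated under `#if`/`#else`; building the flags once and keeping a single call is easier to keep in sync when the size or range arguments change. The flag variable would be declared with the other locals at the top of map_switcher, which starts outside the hunk.
```c
	unsigned long vm_flags = VM_ALLOC;
#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
	vm_flags |= VM_KERNEXEC;
#endif
	switcher_vma = __get_vm_area(TOTAL_SWITCHER_PAGES * PAGE_SIZE,
				     vm_flags, SWITCHER_ADDR, SWITCHER_ADDR
				     + (TOTAL_SWITCHER_PAGES+1) * PAGE_SIZE);
	/* … unchanged: NULL check and error printk … */
```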
26228 diff -urNp linux-2.6.36.1/drivers/macintosh/via-pmu-backlight.c linux-2.6.36.1/drivers/macintosh/via-pmu-backlight.c
26229 --- linux-2.6.36.1/drivers/macintosh/via-pmu-backlight.c 2010-10-20 16:30:22.000000000 -0400
26230 +++ linux-2.6.36.1/drivers/macintosh/via-pmu-backlight.c 2010-11-06 18:58:15.000000000 -0400
26233 #define MAX_PMU_LEVEL 0xFF
26235 -static struct backlight_ops pmu_backlight_data;
26236 +static const struct backlight_ops pmu_backlight_data;
26237 static DEFINE_SPINLOCK(pmu_backlight_lock);
26238 static int sleeping, uses_pmu_bl;
26239 static u8 bl_curve[FB_BACKLIGHT_LEVELS];
26240 @@ -115,7 +115,7 @@ static int pmu_backlight_get_brightness(
26241 return bd->props.brightness;
26244 -static struct backlight_ops pmu_backlight_data = {
26245 +static const struct backlight_ops pmu_backlight_data = {
26246 .get_brightness = pmu_backlight_get_brightness,
26247 .update_status = pmu_backlight_update_status,
26249 diff -urNp linux-2.6.36.1/drivers/macintosh/via-pmu.c linux-2.6.36.1/drivers/macintosh/via-pmu.c
26250 --- linux-2.6.36.1/drivers/macintosh/via-pmu.c 2010-10-20 16:30:22.000000000 -0400
26251 +++ linux-2.6.36.1/drivers/macintosh/via-pmu.c 2010-11-06 18:58:15.000000000 -0400
26252 @@ -2256,7 +2256,7 @@ static int pmu_sleep_valid(suspend_state
26253 && (pmac_call_feature(PMAC_FTR_SLEEP_STATE, NULL, 0, -1) >= 0);
26256 -static struct platform_suspend_ops pmu_pm_ops = {
26257 +static const struct platform_suspend_ops pmu_pm_ops = {
26258 .enter = powerbook_sleep,
26259 .valid = pmu_sleep_valid,
26261 diff -urNp linux-2.6.36.1/drivers/md/bitmap.c linux-2.6.36.1/drivers/md/bitmap.c
26262 --- linux-2.6.36.1/drivers/md/bitmap.c 2010-10-20 16:30:22.000000000 -0400
26263 +++ linux-2.6.36.1/drivers/md/bitmap.c 2010-11-06 18:58:15.000000000 -0400
26266 # define PRINTK(x...) printk(KERN_DEBUG x)
26268 -# define PRINTK(x...)
26269 +# define PRINTK(x...) do {} while (0)
26273 diff -urNp linux-2.6.36.1/drivers/md/dm-table.c linux-2.6.36.1/drivers/md/dm-table.c
26274 --- linux-2.6.36.1/drivers/md/dm-table.c 2010-10-20 16:30:22.000000000 -0400
26275 +++ linux-2.6.36.1/drivers/md/dm-table.c 2010-11-06 18:58:15.000000000 -0400
26276 @@ -366,7 +366,7 @@ static int device_area_is_invalid(struct
26280 - if ((start >= dev_size) || (start + len > dev_size)) {
26281 + if ((start >= dev_size) || (len > dev_size - start)) {
26282 DMWARN("%s: %s too small for target: "
26283 "start=%llu, len=%llu, dev_size=%llu",
26284 dm_device_name(ti->table->md), bdevname(bdev, b),
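Review bot: The rewritten condition needs a comment, because the reason for `len > dev_size - start` over `start + len > dev_size` is not obvious from the line itself: `/* start < dev_size here, so the subtraction cannot wrap; start + len could overflow and let an oversized len through */`. The left-hand test `start >= dev_size` is what makes the subtraction safe, so the two operands of the `||` must stay in this order. device_area_is_invalid starts outside the hunk.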
26285 diff -urNp linux-2.6.36.1/drivers/md/md.c linux-2.6.36.1/drivers/md/md.c
26286 --- linux-2.6.36.1/drivers/md/md.c 2010-10-20 16:30:22.000000000 -0400
26287 +++ linux-2.6.36.1/drivers/md/md.c 2010-11-26 18:18:12.000000000 -0500
26288 @@ -6403,7 +6403,7 @@ static int md_seq_show(struct seq_file *
26289 chunk_kb ? "KB" : "B");
26290 if (bitmap->file) {
26291 seq_printf(seq, ", file: ");
26292 - seq_path(seq, &bitmap->file->f_path, " \t\n");
26293 + seq_path(seq, &bitmap->file->f_path, " \t\n\\");
26296 seq_printf(seq, "\n");
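Review bot: Adding `\\` to the seq_path() escape set deserves a one-line comment, since a reader otherwise sees an unexplained change to output that tools may parse: `/* escape '\\' as well, so a backslash in the bitmap file name cannot be confused with the \ooo escapes used for the other characters */`. This makes the set the same one /proc/mounts uses, so a consumer of /proc/mdstat can apply the same unescaping.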
26297 @@ -6497,7 +6497,7 @@ static int is_mddev_idle(mddev_t *mddev,
26298 struct gendisk *disk = rdev->bdev->bd_contains->bd_disk;
26299 curr_events = (int)part_stat_read(&disk->part0, sectors[0]) +
26300 (int)part_stat_read(&disk->part0, sectors[1]) -
26301 - atomic_read(&disk->sync_io);
26302 + atomic_read_unchecked(&disk->sync_io);
26303 /* sync IO will cause sync_io to increase before the disk_stats
26304 * as sync_io is counted when a request starts, and
26305 * disk_stats is counted when it completes.
26306 diff -urNp linux-2.6.36.1/drivers/md/md.h linux-2.6.36.1/drivers/md/md.h
26307 --- linux-2.6.36.1/drivers/md/md.h 2010-10-20 16:30:22.000000000 -0400
26308 +++ linux-2.6.36.1/drivers/md/md.h 2010-11-06 18:58:15.000000000 -0400
26309 @@ -362,7 +362,7 @@ static inline void rdev_dec_pending(mdk_
26311 static inline void md_sync_acct(struct block_device *bdev, unsigned long nr_sectors)
26313 - atomic_add(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26314 + atomic_add_unchecked(nr_sectors, &bdev->bd_contains->bd_disk->sync_io);
26317 struct mdk_personality
26318 diff -urNp linux-2.6.36.1/drivers/media/dvb/dvb-core/dvbdev.c linux-2.6.36.1/drivers/media/dvb/dvb-core/dvbdev.c
26319 --- linux-2.6.36.1/drivers/media/dvb/dvb-core/dvbdev.c 2010-10-20 16:30:22.000000000 -0400
26320 +++ linux-2.6.36.1/drivers/media/dvb/dvb-core/dvbdev.c 2010-11-06 18:58:15.000000000 -0400
26321 @@ -196,6 +196,7 @@ int dvb_register_device(struct dvb_adapt
26322 const struct dvb_device *template, void *priv, int type)
26324 struct dvb_device *dvbdev;
26325 + /* cannot be const, see this function */
26326 struct file_operations *dvbdevfops;
26327 struct device *clsdev;
26329 diff -urNp linux-2.6.36.1/drivers/media/IR/lirc_dev.c linux-2.6.36.1/drivers/media/IR/lirc_dev.c
26330 --- linux-2.6.36.1/drivers/media/IR/lirc_dev.c 2010-10-20 16:30:22.000000000 -0400
26331 +++ linux-2.6.36.1/drivers/media/IR/lirc_dev.c 2010-11-06 18:58:15.000000000 -0400
26332 @@ -155,7 +155,7 @@ static int lirc_thread(void *irctl)
26336 -static struct file_operations fops = {
26337 +static const struct file_operations fops = {
26338 .owner = THIS_MODULE,
26339 .read = lirc_dev_fop_read,
26340 .write = lirc_dev_fop_write,
26341 diff -urNp linux-2.6.36.1/drivers/media/radio/radio-cadet.c linux-2.6.36.1/drivers/media/radio/radio-cadet.c
26342 --- linux-2.6.36.1/drivers/media/radio/radio-cadet.c 2010-10-20 16:30:22.000000000 -0400
26343 +++ linux-2.6.36.1/drivers/media/radio/radio-cadet.c 2010-11-06 18:58:50.000000000 -0400
26344 @@ -347,7 +347,7 @@ static ssize_t cadet_read(struct file *f
26345 while (i < count && dev->rdsin != dev->rdsout)
26346 readbuf[i++] = dev->rdsbuf[dev->rdsout++];
26348 - if (copy_to_user(data, readbuf, i))
26349 + if (i > sizeof(readbuf) || copy_to_user(data, readbuf, i))
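Review bot: The added `i > sizeof(readbuf)` test runs after the loop that fills `readbuf`, so it cannot stop that loop from writing past the array; it only refuses to copy out what has already been written. The loop's only visible bound is `i < count`, with `count` supplied by the read() caller; unless something above the hunk clamps `count` to `sizeof(readbuf)` or the `rdsin`/`rdsout` indices can never yield more bytes than the buffer holds (cadet_read starts outside the hunk), the guard belongs before the loop, `if (count > sizeof(readbuf)) count = sizeof(readbuf);`, and the post-loop check becomes a plain sanity check.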
26353 diff -urNp linux-2.6.36.1/drivers/message/fusion/mptbase.c linux-2.6.36.1/drivers/message/fusion/mptbase.c
26354 --- linux-2.6.36.1/drivers/message/fusion/mptbase.c 2010-10-20 16:30:22.000000000 -0400
26355 +++ linux-2.6.36.1/drivers/message/fusion/mptbase.c 2010-11-06 19:06:37.000000000 -0400
26356 @@ -6681,8 +6681,13 @@ static int mpt_iocinfo_proc_show(struct
26357 seq_printf(m, " MaxChainDepth = 0x%02x frames\n", ioc->facts.MaxChainDepth);
26358 seq_printf(m, " MinBlockSize = 0x%02x bytes\n", 4*ioc->facts.BlockSize);
26360 +#ifdef CONFIG_GRKERNSEC_HIDESYM
26361 + seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n", NULL, NULL);
26363 seq_printf(m, " RequestFrames @ 0x%p (Dma @ 0x%p)\n",
26364 (void *)ioc->req_frames, (void *)(ulong)ioc->req_frames_dma);
26368 * Rounding UP to nearest 4-kB boundary here...
26370 diff -urNp linux-2.6.36.1/drivers/message/fusion/mptdebug.h linux-2.6.36.1/drivers/message/fusion/mptdebug.h
26371 --- linux-2.6.36.1/drivers/message/fusion/mptdebug.h 2010-10-20 16:30:22.000000000 -0400
26372 +++ linux-2.6.36.1/drivers/message/fusion/mptdebug.h 2010-11-06 18:58:15.000000000 -0400
26377 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
26378 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
26382 diff -urNp linux-2.6.36.1/drivers/message/fusion/mptsas.c linux-2.6.36.1/drivers/message/fusion/mptsas.c
26383 --- linux-2.6.36.1/drivers/message/fusion/mptsas.c 2010-10-20 16:30:22.000000000 -0400
26384 +++ linux-2.6.36.1/drivers/message/fusion/mptsas.c 2010-11-06 18:58:15.000000000 -0400
26385 @@ -439,6 +439,23 @@ mptsas_is_end_device(struct mptsas_devin
26389 +static inline void
26390 +mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26392 + if (phy_info->port_details) {
26393 + phy_info->port_details->rphy = rphy;
26394 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26395 + ioc->name, rphy));
26399 + dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26400 + &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26401 + dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26402 + ioc->name, rphy, rphy->dev.release));
26408 mptsas_port_delete(MPT_ADAPTER *ioc, struct mptsas_portinfo_details * port_details)
26409 @@ -477,23 +494,6 @@ mptsas_get_rphy(struct mptsas_phyinfo *p
26413 -static inline void
26414 -mptsas_set_rphy(MPT_ADAPTER *ioc, struct mptsas_phyinfo *phy_info, struct sas_rphy *rphy)
26416 - if (phy_info->port_details) {
26417 - phy_info->port_details->rphy = rphy;
26418 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "sas_rphy_add: rphy=%p\n",
26419 - ioc->name, rphy));
26423 - dsaswideprintk(ioc, dev_printk(KERN_DEBUG,
26424 - &rphy->dev, MYIOC_s_FMT "add:", ioc->name));
26425 - dsaswideprintk(ioc, printk(MYIOC_s_DEBUG_FMT "rphy=%p release=%p\n",
26426 - ioc->name, rphy, rphy->dev.release));
26430 static inline struct sas_port *
26431 mptsas_get_port(struct mptsas_phyinfo *phy_info)
26433 diff -urNp linux-2.6.36.1/drivers/message/fusion/mptscsih.c linux-2.6.36.1/drivers/message/fusion/mptscsih.c
26434 --- linux-2.6.36.1/drivers/message/fusion/mptscsih.c 2010-10-20 16:30:22.000000000 -0400
26435 +++ linux-2.6.36.1/drivers/message/fusion/mptscsih.c 2010-11-06 18:58:15.000000000 -0400
26436 @@ -1268,15 +1268,16 @@ mptscsih_info(struct Scsi_Host *SChost)
26438 h = shost_priv(SChost);
26441 - if (h->info_kbuf == NULL)
26442 - if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26443 - return h->info_kbuf;
26444 - h->info_kbuf[0] = '\0';
26448 - mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26449 - h->info_kbuf[size-1] = '\0';
26451 + if (h->info_kbuf == NULL)
26452 + if ((h->info_kbuf = kmalloc(0x1000 /* 4Kb */, GFP_KERNEL)) == NULL)
26453 + return h->info_kbuf;
26454 + h->info_kbuf[0] = '\0';
26456 + mpt_print_ioc_summary(h->ioc, h->info_kbuf, &size, 0, 0);
26457 + h->info_kbuf[size-1] = '\0';
26459 return h->info_kbuf;
26461 diff -urNp linux-2.6.36.1/drivers/message/i2o/i2o_proc.c linux-2.6.36.1/drivers/message/i2o/i2o_proc.c
26462 --- linux-2.6.36.1/drivers/message/i2o/i2o_proc.c 2010-10-20 16:30:22.000000000 -0400
26463 +++ linux-2.6.36.1/drivers/message/i2o/i2o_proc.c 2010-11-06 18:58:15.000000000 -0400
26464 @@ -255,13 +255,6 @@ static char *scsi_devices[] = {
26465 "Array Controller Device"
26468 -static char *chtostr(u8 * chars, int n)
26472 - return strncat(tmp, (char *)chars, n);
26475 static int i2o_report_query_status(struct seq_file *seq, int block_status,
26478 @@ -838,8 +831,7 @@ static int i2o_seq_show_ddm_table(struct
26480 seq_printf(seq, "%-#7x", ddm_table.i2o_vendor_id);
26481 seq_printf(seq, "%-#8x", ddm_table.module_id);
26482 - seq_printf(seq, "%-29s",
26483 - chtostr(ddm_table.module_name_version, 28));
26484 + seq_printf(seq, "%-.28s", ddm_table.module_name_version);
26485 seq_printf(seq, "%9d ", ddm_table.data_size);
26486 seq_printf(seq, "%8d", ddm_table.code_size);
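Review bot: Replacing `%-29s` with `%-.28s` drops the minimum field width, so the module name column is no longer padded to 29 characters and the columns after it shift whenever the name is shorter than 28 bytes; keeping the width together with the precision, `seq_printf(seq, "%-29.28s", ddm_table.module_name_version);`, preserves the table layout while still bounding the read. The same applies in the `@@ -940` hunk, where `%-29.28s` and `%-9.8s` (for `dst->date`) keep the old widths. The precision itself is the right replacement for chtostr(): it limits how far seq_printf reads into a fixed-size, possibly unterminated field without the static scratch buffer the removed helper relied on.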
26488 @@ -940,8 +932,8 @@ static int i2o_seq_show_drivers_stored(s
26490 seq_printf(seq, "%-#7x", dst->i2o_vendor_id);
26491 seq_printf(seq, "%-#8x", dst->module_id);
26492 - seq_printf(seq, "%-29s", chtostr(dst->module_name_version, 28));
26493 - seq_printf(seq, "%-9s", chtostr(dst->date, 8));
26494 + seq_printf(seq, "%-.28s", dst->module_name_version);
26495 + seq_printf(seq, "%-.8s", dst->date);
26496 seq_printf(seq, "%8d ", dst->module_size);
26497 seq_printf(seq, "%8d ", dst->mpb_size);
26498 seq_printf(seq, "0x%04x", dst->module_flags);
26499 @@ -1272,14 +1264,10 @@ static int i2o_seq_show_dev_identity(str
26500 seq_printf(seq, "Device Class : %s\n", i2o_get_class_name(work16[0]));
26501 seq_printf(seq, "Owner TID : %0#5x\n", work16[2]);
26502 seq_printf(seq, "Parent TID : %0#5x\n", work16[3]);
26503 - seq_printf(seq, "Vendor info : %s\n",
26504 - chtostr((u8 *) (work32 + 2), 16));
26505 - seq_printf(seq, "Product info : %s\n",
26506 - chtostr((u8 *) (work32 + 6), 16));
26507 - seq_printf(seq, "Description : %s\n",
26508 - chtostr((u8 *) (work32 + 10), 16));
26509 - seq_printf(seq, "Product rev. : %s\n",
26510 - chtostr((u8 *) (work32 + 14), 8));
26511 + seq_printf(seq, "Vendor info : %.16s\n", (u8 *) (work32 + 2));
26512 + seq_printf(seq, "Product info : %.16s\n", (u8 *) (work32 + 6));
26513 + seq_printf(seq, "Description : %.16s\n", (u8 *) (work32 + 10));
26514 + seq_printf(seq, "Product rev. : %.8s\n", (u8 *) (work32 + 14));
26516 seq_printf(seq, "Serial number : ");
26517 print_serial_number(seq, (u8 *) (work32 + 16),
26518 @@ -1324,10 +1312,8 @@ static int i2o_seq_show_ddm_identity(str
26521 seq_printf(seq, "Registering DDM TID : 0x%03x\n", result.ddm_tid);
26522 - seq_printf(seq, "Module name : %s\n",
26523 - chtostr(result.module_name, 24));
26524 - seq_printf(seq, "Module revision : %s\n",
26525 - chtostr(result.module_rev, 8));
26526 + seq_printf(seq, "Module name : %.24s\n", result.module_name);
26527 + seq_printf(seq, "Module revision : %.8s\n", result.module_rev);
26529 seq_printf(seq, "Serial number : ");
26530 print_serial_number(seq, result.serial_number, sizeof(result) - 36);
26531 @@ -1358,14 +1344,10 @@ static int i2o_seq_show_uinfo(struct seq
26535 - seq_printf(seq, "Device name : %s\n",
26536 - chtostr(result.device_name, 64));
26537 - seq_printf(seq, "Service name : %s\n",
26538 - chtostr(result.service_name, 64));
26539 - seq_printf(seq, "Physical name : %s\n",
26540 - chtostr(result.physical_location, 64));
26541 - seq_printf(seq, "Instance number : %s\n",
26542 - chtostr(result.instance_number, 4));
26543 + seq_printf(seq, "Device name : %.64s\n", result.device_name);
26544 + seq_printf(seq, "Service name : %.64s\n", result.service_name);
26545 + seq_printf(seq, "Physical name : %.64s\n", result.physical_location);
26546 + seq_printf(seq, "Instance number : %.4s\n", result.instance_number);
26550 diff -urNp linux-2.6.36.1/drivers/mfd/janz-cmodio.c linux-2.6.36.1/drivers/mfd/janz-cmodio.c
26551 --- linux-2.6.36.1/drivers/mfd/janz-cmodio.c 2010-10-20 16:30:22.000000000 -0400
26552 +++ linux-2.6.36.1/drivers/mfd/janz-cmodio.c 2010-11-06 18:58:15.000000000 -0400
26555 #include <linux/kernel.h>
26556 #include <linux/module.h>
26557 +#include <linux/slab.h>
26558 #include <linux/init.h>
26559 #include <linux/pci.h>
26560 #include <linux/interrupt.h>
26561 diff -urNp linux-2.6.36.1/drivers/misc/kgdbts.c linux-2.6.36.1/drivers/misc/kgdbts.c
26562 --- linux-2.6.36.1/drivers/misc/kgdbts.c 2010-10-20 16:30:22.000000000 -0400
26563 +++ linux-2.6.36.1/drivers/misc/kgdbts.c 2010-11-06 18:58:15.000000000 -0400
26564 @@ -118,7 +118,7 @@
26566 #define MAX_CONFIG_LEN 40
26568 -static struct kgdb_io kgdbts_io_ops;
26569 +static const struct kgdb_io kgdbts_io_ops;
26570 static char get_buf[BUFMAX];
26571 static int get_buf_cnt;
26572 static char put_buf[BUFMAX];
26573 @@ -1114,7 +1114,7 @@ static void kgdbts_post_exp_handler(void
26574 module_put(THIS_MODULE);
26577 -static struct kgdb_io kgdbts_io_ops = {
26578 +static const struct kgdb_io kgdbts_io_ops = {
26580 .read_char = kgdbts_get_char,
26581 .write_char = kgdbts_put_char,
26582 diff -urNp linux-2.6.36.1/drivers/misc/sgi-gru/gruhandles.c linux-2.6.36.1/drivers/misc/sgi-gru/gruhandles.c
26583 --- linux-2.6.36.1/drivers/misc/sgi-gru/gruhandles.c 2010-10-20 16:30:22.000000000 -0400
26584 +++ linux-2.6.36.1/drivers/misc/sgi-gru/gruhandles.c 2010-11-06 18:58:15.000000000 -0400
26585 @@ -44,8 +44,8 @@ static void update_mcs_stats(enum mcs_op
26586 unsigned long nsec;
26588 nsec = CLKS2NSEC(clks);
26589 - atomic_long_inc(&mcs_op_statistics[op].count);
26590 - atomic_long_add(nsec, &mcs_op_statistics[op].total);
26591 + atomic_long_inc_unchecked(&mcs_op_statistics[op].count);
26592 + atomic_long_add_unchecked(nsec, &mcs_op_statistics[op].total);
26593 if (mcs_op_statistics[op].max < nsec)
26594 mcs_op_statistics[op].max = nsec;
26596 diff -urNp linux-2.6.36.1/drivers/misc/sgi-gru/gruprocfs.c linux-2.6.36.1/drivers/misc/sgi-gru/gruprocfs.c
26597 --- linux-2.6.36.1/drivers/misc/sgi-gru/gruprocfs.c 2010-10-20 16:30:22.000000000 -0400
26598 +++ linux-2.6.36.1/drivers/misc/sgi-gru/gruprocfs.c 2010-11-06 18:58:15.000000000 -0400
26601 #define printstat(s, f) printstat_val(s, &gru_stats.f, #f)
26603 -static void printstat_val(struct seq_file *s, atomic_long_t *v, char *id)
26604 +static void printstat_val(struct seq_file *s, atomic_long_unchecked_t *v, char *id)
26606 - unsigned long val = atomic_long_read(v);
26607 + unsigned long val = atomic_long_read_unchecked(v);
26609 seq_printf(s, "%16lu %s\n", val, id);
26611 @@ -134,8 +134,8 @@ static int mcs_statistics_show(struct se
26613 seq_printf(s, "%-20s%12s%12s%12s\n", "#id", "count", "aver-clks", "max-clks");
26614 for (op = 0; op < mcsop_last; op++) {
26615 - count = atomic_long_read(&mcs_op_statistics[op].count);
26616 - total = atomic_long_read(&mcs_op_statistics[op].total);
26617 + count = atomic_long_read_unchecked(&mcs_op_statistics[op].count);
26618 + total = atomic_long_read_unchecked(&mcs_op_statistics[op].total);
26619 max = mcs_op_statistics[op].max;
26620 seq_printf(s, "%-20s%12ld%12ld%12ld\n", id[op], count,
26621 count ? total / count : 0, max);
26622 diff -urNp linux-2.6.36.1/drivers/misc/sgi-gru/grutables.h linux-2.6.36.1/drivers/misc/sgi-gru/grutables.h
26623 --- linux-2.6.36.1/drivers/misc/sgi-gru/grutables.h 2010-10-20 16:30:22.000000000 -0400
26624 +++ linux-2.6.36.1/drivers/misc/sgi-gru/grutables.h 2010-11-06 18:58:15.000000000 -0400
26625 @@ -167,82 +167,82 @@ extern unsigned int gru_max_gids;
26628 struct gru_stats_s {
26629 - atomic_long_t vdata_alloc;
26630 - atomic_long_t vdata_free;
26631 - atomic_long_t gts_alloc;
26632 - atomic_long_t gts_free;
26633 - atomic_long_t gms_alloc;
26634 - atomic_long_t gms_free;
26635 - atomic_long_t gts_double_allocate;
26636 - atomic_long_t assign_context;
26637 - atomic_long_t assign_context_failed;
26638 - atomic_long_t free_context;
26639 - atomic_long_t load_user_context;
26640 - atomic_long_t load_kernel_context;
26641 - atomic_long_t lock_kernel_context;
26642 - atomic_long_t unlock_kernel_context;
26643 - atomic_long_t steal_user_context;
26644 - atomic_long_t steal_kernel_context;
26645 - atomic_long_t steal_context_failed;
26646 - atomic_long_t nopfn;
26647 - atomic_long_t asid_new;
26648 - atomic_long_t asid_next;
26649 - atomic_long_t asid_wrap;
26650 - atomic_long_t asid_reuse;
26651 - atomic_long_t intr;
26652 - atomic_long_t intr_cbr;
26653 - atomic_long_t intr_tfh;
26654 - atomic_long_t intr_spurious;
26655 - atomic_long_t intr_mm_lock_failed;
26656 - atomic_long_t call_os;
26657 - atomic_long_t call_os_wait_queue;
26658 - atomic_long_t user_flush_tlb;
26659 - atomic_long_t user_unload_context;
26660 - atomic_long_t user_exception;
26661 - atomic_long_t set_context_option;
26662 - atomic_long_t check_context_retarget_intr;
26663 - atomic_long_t check_context_unload;
26664 - atomic_long_t tlb_dropin;
26665 - atomic_long_t tlb_preload_page;
26666 - atomic_long_t tlb_dropin_fail_no_asid;
26667 - atomic_long_t tlb_dropin_fail_upm;
26668 - atomic_long_t tlb_dropin_fail_invalid;
26669 - atomic_long_t tlb_dropin_fail_range_active;
26670 - atomic_long_t tlb_dropin_fail_idle;
26671 - atomic_long_t tlb_dropin_fail_fmm;
26672 - atomic_long_t tlb_dropin_fail_no_exception;
26673 - atomic_long_t tfh_stale_on_fault;
26674 - atomic_long_t mmu_invalidate_range;
26675 - atomic_long_t mmu_invalidate_page;
26676 - atomic_long_t flush_tlb;
26677 - atomic_long_t flush_tlb_gru;
26678 - atomic_long_t flush_tlb_gru_tgh;
26679 - atomic_long_t flush_tlb_gru_zero_asid;
26681 - atomic_long_t copy_gpa;
26682 - atomic_long_t read_gpa;
26684 - atomic_long_t mesq_receive;
26685 - atomic_long_t mesq_receive_none;
26686 - atomic_long_t mesq_send;
26687 - atomic_long_t mesq_send_failed;
26688 - atomic_long_t mesq_noop;
26689 - atomic_long_t mesq_send_unexpected_error;
26690 - atomic_long_t mesq_send_lb_overflow;
26691 - atomic_long_t mesq_send_qlimit_reached;
26692 - atomic_long_t mesq_send_amo_nacked;
26693 - atomic_long_t mesq_send_put_nacked;
26694 - atomic_long_t mesq_page_overflow;
26695 - atomic_long_t mesq_qf_locked;
26696 - atomic_long_t mesq_qf_noop_not_full;
26697 - atomic_long_t mesq_qf_switch_head_failed;
26698 - atomic_long_t mesq_qf_unexpected_error;
26699 - atomic_long_t mesq_noop_unexpected_error;
26700 - atomic_long_t mesq_noop_lb_overflow;
26701 - atomic_long_t mesq_noop_qlimit_reached;
26702 - atomic_long_t mesq_noop_amo_nacked;
26703 - atomic_long_t mesq_noop_put_nacked;
26704 - atomic_long_t mesq_noop_page_overflow;
26705 + atomic_long_unchecked_t vdata_alloc;
26706 + atomic_long_unchecked_t vdata_free;
26707 + atomic_long_unchecked_t gts_alloc;
26708 + atomic_long_unchecked_t gts_free;
26709 + atomic_long_unchecked_t gms_alloc;
26710 + atomic_long_unchecked_t gms_free;
26711 + atomic_long_unchecked_t gts_double_allocate;
26712 + atomic_long_unchecked_t assign_context;
26713 + atomic_long_unchecked_t assign_context_failed;
26714 + atomic_long_unchecked_t free_context;
26715 + atomic_long_unchecked_t load_user_context;
26716 + atomic_long_unchecked_t load_kernel_context;
26717 + atomic_long_unchecked_t lock_kernel_context;
26718 + atomic_long_unchecked_t unlock_kernel_context;
26719 + atomic_long_unchecked_t steal_user_context;
26720 + atomic_long_unchecked_t steal_kernel_context;
26721 + atomic_long_unchecked_t steal_context_failed;
26722 + atomic_long_unchecked_t nopfn;
26723 + atomic_long_unchecked_t asid_new;
26724 + atomic_long_unchecked_t asid_next;
26725 + atomic_long_unchecked_t asid_wrap;
26726 + atomic_long_unchecked_t asid_reuse;
26727 + atomic_long_unchecked_t intr;
26728 + atomic_long_unchecked_t intr_cbr;
26729 + atomic_long_unchecked_t intr_tfh;
26730 + atomic_long_unchecked_t intr_spurious;
26731 + atomic_long_unchecked_t intr_mm_lock_failed;
26732 + atomic_long_unchecked_t call_os;
26733 + atomic_long_unchecked_t call_os_wait_queue;
26734 + atomic_long_unchecked_t user_flush_tlb;
26735 + atomic_long_unchecked_t user_unload_context;
26736 + atomic_long_unchecked_t user_exception;
26737 + atomic_long_unchecked_t set_context_option;
26738 + atomic_long_unchecked_t check_context_retarget_intr;
26739 + atomic_long_unchecked_t check_context_unload;
26740 + atomic_long_unchecked_t tlb_dropin;
26741 + atomic_long_unchecked_t tlb_preload_page;
26742 + atomic_long_unchecked_t tlb_dropin_fail_no_asid;
26743 + atomic_long_unchecked_t tlb_dropin_fail_upm;
26744 + atomic_long_unchecked_t tlb_dropin_fail_invalid;
26745 + atomic_long_unchecked_t tlb_dropin_fail_range_active;
26746 + atomic_long_unchecked_t tlb_dropin_fail_idle;
26747 + atomic_long_unchecked_t tlb_dropin_fail_fmm;
26748 + atomic_long_unchecked_t tlb_dropin_fail_no_exception;
26749 + atomic_long_unchecked_t tfh_stale_on_fault;
26750 + atomic_long_unchecked_t mmu_invalidate_range;
26751 + atomic_long_unchecked_t mmu_invalidate_page;
26752 + atomic_long_unchecked_t flush_tlb;
26753 + atomic_long_unchecked_t flush_tlb_gru;
26754 + atomic_long_unchecked_t flush_tlb_gru_tgh;
26755 + atomic_long_unchecked_t flush_tlb_gru_zero_asid;
26757 + atomic_long_unchecked_t copy_gpa;
26758 + atomic_long_unchecked_t read_gpa;
26760 + atomic_long_unchecked_t mesq_receive;
26761 + atomic_long_unchecked_t mesq_receive_none;
26762 + atomic_long_unchecked_t mesq_send;
26763 + atomic_long_unchecked_t mesq_send_failed;
26764 + atomic_long_unchecked_t mesq_noop;
26765 + atomic_long_unchecked_t mesq_send_unexpected_error;
26766 + atomic_long_unchecked_t mesq_send_lb_overflow;
26767 + atomic_long_unchecked_t mesq_send_qlimit_reached;
26768 + atomic_long_unchecked_t mesq_send_amo_nacked;
26769 + atomic_long_unchecked_t mesq_send_put_nacked;
26770 + atomic_long_unchecked_t mesq_page_overflow;
26771 + atomic_long_unchecked_t mesq_qf_locked;
26772 + atomic_long_unchecked_t mesq_qf_noop_not_full;
26773 + atomic_long_unchecked_t mesq_qf_switch_head_failed;
26774 + atomic_long_unchecked_t mesq_qf_unexpected_error;
26775 + atomic_long_unchecked_t mesq_noop_unexpected_error;
26776 + atomic_long_unchecked_t mesq_noop_lb_overflow;
26777 + atomic_long_unchecked_t mesq_noop_qlimit_reached;
26778 + atomic_long_unchecked_t mesq_noop_amo_nacked;
26779 + atomic_long_unchecked_t mesq_noop_put_nacked;
26780 + atomic_long_unchecked_t mesq_noop_page_overflow;
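Review bot: Nothing in the header records why these counters are allowed to wrap, which is presumably what `atomic_long_unchecked_t` opts out of under the overflow checking the rest of this patch adds to atomic_t. A later reader cannot tell a deliberate opt-out from an accidental one, so the struct deserves a one-line comment such as `/* pure statistics: wraparound is harmless, so overflow checking is intentionally off */`. The same applies to struct mcs_op_statistic and the STAT() macro in the two following hunks, and to the oprofile_stats counters switched to atomic_inc_unchecked() in drivers/oprofile/buffer_sync.c and event_buffer.c further down.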
26784 @@ -251,8 +251,8 @@ enum mcs_op {cchop_allocate, cchop_start
26785 tghop_invalidate, mcsop_last};
26787 struct mcs_op_statistic {
26788 - atomic_long_t count;
26789 - atomic_long_t total;
26790 + atomic_long_unchecked_t count;
26791 + atomic_long_unchecked_t total;
26795 @@ -275,7 +275,7 @@ extern struct mcs_op_statistic mcs_op_st
26797 #define STAT(id) do { \
26798 if (gru_options & OPT_STATS) \
26799 - atomic_long_inc(&gru_stats.id); \
26800 + atomic_long_inc_unchecked(&gru_stats.id); \
26803 #ifdef CONFIG_SGI_GRU_DEBUG
26804 diff -urNp linux-2.6.36.1/drivers/mtd/devices/doc2000.c linux-2.6.36.1/drivers/mtd/devices/doc2000.c
26805 --- linux-2.6.36.1/drivers/mtd/devices/doc2000.c 2010-10-20 16:30:22.000000000 -0400
26806 +++ linux-2.6.36.1/drivers/mtd/devices/doc2000.c 2010-11-06 18:58:15.000000000 -0400
26807 @@ -776,7 +776,7 @@ static int doc_write(struct mtd_info *mt
26809 /* The ECC will not be calculated correctly if less than 512 is written */
26811 - if (len != 0x200 && eccbuf)
26812 + if (len != 0x200)
26813 printk(KERN_WARNING
26814 "ECC needs a full sector write (adr: %lx size %lx)\n",
26815 (long) to, (long) len);
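Review bot: The reason for dropping `&& eccbuf` is not visible from the hunk and should be recorded next to the condition. If `eccbuf` is a local array declared above the hunk, the old test was always true and the new line is equivalent; if it is a pointer, writes made without an ECC buffer now warn as well, which is a behaviour change. A short comment stating which of the two applies, e.g. `/* eccbuf is always set here, so the warning depends on len alone */`, would settle it. doc_write continues outside the hunk.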
26816 diff -urNp linux-2.6.36.1/drivers/mtd/devices/doc2001.c linux-2.6.36.1/drivers/mtd/devices/doc2001.c
26817 --- linux-2.6.36.1/drivers/mtd/devices/doc2001.c 2010-10-20 16:30:22.000000000 -0400
26818 +++ linux-2.6.36.1/drivers/mtd/devices/doc2001.c 2010-11-06 18:58:15.000000000 -0400
26819 @@ -393,7 +393,7 @@ static int doc_read (struct mtd_info *mt
26820 struct Nand *mychip = &this->chips[from >> (this->chipshift)];
26822 /* Don't allow read past end of device */
26823 - if (from >= this->totlen)
26824 + if (from >= this->totlen || !len)
26827 /* Don't allow a single read to cross a 512-byte block boundary */
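Review bot: The new `|| !len` sends a zero-length read down the same error return as a read past the end of the device, while an empty read is commonly treated as success with `*retlen = 0`; the return statement itself is not shown in the hunk. If the guard exists to keep a later `len - 1` or block-boundary computation from misbehaving, that belongs in the comment above it, e.g. `/* Don't allow read past end of device, or an empty read (len-1 arithmetic below) */`; otherwise returning 0 with `*retlen = 0` is the more conventional outcome. doc_read continues outside the hunk.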
26828 diff -urNp linux-2.6.36.1/drivers/mtd/nand/denali.c linux-2.6.36.1/drivers/mtd/nand/denali.c
26829 --- linux-2.6.36.1/drivers/mtd/nand/denali.c 2010-10-20 16:30:22.000000000 -0400
26830 +++ linux-2.6.36.1/drivers/mtd/nand/denali.c 2010-11-06 18:58:15.000000000 -0400
26832 #include <linux/pci.h>
26833 #include <linux/mtd/mtd.h>
26834 #include <linux/module.h>
26835 +#include <linux/slab.h>
26837 #include "denali.h"
26839 diff -urNp linux-2.6.36.1/drivers/mtd/ubi/build.c linux-2.6.36.1/drivers/mtd/ubi/build.c
26840 --- linux-2.6.36.1/drivers/mtd/ubi/build.c 2010-10-20 16:30:22.000000000 -0400
26841 +++ linux-2.6.36.1/drivers/mtd/ubi/build.c 2010-11-06 18:58:15.000000000 -0400
26842 @@ -1283,7 +1283,7 @@ module_exit(ubi_exit);
26843 static int __init bytes_str_to_int(const char *str)
26846 - unsigned long result;
26847 + unsigned long result, scale = 1;
26849 result = simple_strtoul(str, &endp, 0);
26850 if (str == endp || result >= INT_MAX) {
26851 @@ -1294,11 +1294,11 @@ static int __init bytes_str_to_int(const
26863 if (endp[1] == 'i' && endp[2] == 'B')
26866 @@ -1309,7 +1309,13 @@ static int __init bytes_str_to_int(const
26871 + if ((intoverflow_t)result*scale >= INT_MAX) {
26872 + printk(KERN_ERR "UBI error: incorrect bytes count: \"%s\"\n",
26877 + return result*scale;
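Review bot: The overflow check on `(intoverflow_t)result*scale` is only meaningful if `intoverflow_t` is wider than `unsigned long`; on 32-bit targets `result` can be just under INT_MAX and `scale` whatever multiplier the suffix parsing above assigns, so the product would wrap before the comparison if the cast type has the same width. The type is not defined anywhere in this hunk, so a comment naming its width, or a `BUILD_BUG_ON(sizeof(intoverflow_t) <= sizeof(unsigned long));` next to the check, would make the guarantee explicit. Several lines of this hunk are not shown, and bytes_str_to_int's error path continues outside it.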
26881 diff -urNp linux-2.6.36.1/drivers/net/cxgb3/cxgb3_main.c linux-2.6.36.1/drivers/net/cxgb3/cxgb3_main.c
26882 --- linux-2.6.36.1/drivers/net/cxgb3/cxgb3_main.c 2010-10-20 16:30:22.000000000 -0400
26883 +++ linux-2.6.36.1/drivers/net/cxgb3/cxgb3_main.c 2010-11-06 18:58:50.000000000 -0400
26884 @@ -2296,7 +2296,7 @@ static int cxgb_extension_ioctl(struct n
26885 case CHELSIO_GET_QSET_NUM:{
26886 struct ch_reg edata;
26888 - memset(&edata, 0, sizeof(struct ch_reg));
26889 + memset(&edata, 0, sizeof(edata));
26891 edata.cmd = CHELSIO_GET_QSET_NUM;
26892 edata.val = pi->nqsets;
26893 diff -urNp linux-2.6.36.1/drivers/net/e1000e/82571.c linux-2.6.36.1/drivers/net/e1000e/82571.c
26894 --- linux-2.6.36.1/drivers/net/e1000e/82571.c 2010-10-20 16:30:22.000000000 -0400
26895 +++ linux-2.6.36.1/drivers/net/e1000e/82571.c 2010-11-06 18:58:15.000000000 -0400
26896 @@ -207,6 +207,7 @@ static s32 e1000_init_mac_params_82571(s
26898 struct e1000_hw *hw = &adapter->hw;
26899 struct e1000_mac_info *mac = &hw->mac;
26900 + /* cannot be const */
26901 struct e1000_mac_operations *func = &mac->ops;
26904 @@ -1703,7 +1704,7 @@ static void e1000_clear_hw_cntrs_82571(s
26908 -static struct e1000_mac_operations e82571_mac_ops = {
26909 +static const struct e1000_mac_operations e82571_mac_ops = {
26910 /* .check_mng_mode: mac type dependent */
26911 /* .check_for_link: media type dependent */
26912 .id_led_init = e1000e_id_led_init,
26913 @@ -1725,7 +1726,7 @@ static struct e1000_mac_operations e8257
26914 .read_mac_addr = e1000_read_mac_addr_82571,
26917 -static struct e1000_phy_operations e82_phy_ops_igp = {
26918 +static const struct e1000_phy_operations e82_phy_ops_igp = {
26919 .acquire = e1000_get_hw_semaphore_82571,
26920 .check_polarity = e1000_check_polarity_igp,
26921 .check_reset_block = e1000e_check_reset_block_generic,
26922 @@ -1743,7 +1744,7 @@ static struct e1000_phy_operations e82_p
26923 .cfg_on_link_up = NULL,
26926 -static struct e1000_phy_operations e82_phy_ops_m88 = {
26927 +static const struct e1000_phy_operations e82_phy_ops_m88 = {
26928 .acquire = e1000_get_hw_semaphore_82571,
26929 .check_polarity = e1000_check_polarity_m88,
26930 .check_reset_block = e1000e_check_reset_block_generic,
26931 @@ -1761,7 +1762,7 @@ static struct e1000_phy_operations e82_p
26932 .cfg_on_link_up = NULL,
26935 -static struct e1000_phy_operations e82_phy_ops_bm = {
26936 +static const struct e1000_phy_operations e82_phy_ops_bm = {
26937 .acquire = e1000_get_hw_semaphore_82571,
26938 .check_polarity = e1000_check_polarity_m88,
26939 .check_reset_block = e1000e_check_reset_block_generic,
26940 @@ -1779,7 +1780,7 @@ static struct e1000_phy_operations e82_p
26941 .cfg_on_link_up = NULL,
26944 -static struct e1000_nvm_operations e82571_nvm_ops = {
26945 +static const struct e1000_nvm_operations e82571_nvm_ops = {
26946 .acquire = e1000_acquire_nvm_82571,
26947 .read = e1000e_read_nvm_eerd,
26948 .release = e1000_release_nvm_82571,
26949 diff -urNp linux-2.6.36.1/drivers/net/e1000e/e1000.h linux-2.6.36.1/drivers/net/e1000e/e1000.h
26950 --- linux-2.6.36.1/drivers/net/e1000e/e1000.h 2010-10-20 16:30:22.000000000 -0400
26951 +++ linux-2.6.36.1/drivers/net/e1000e/e1000.h 2010-11-06 18:58:15.000000000 -0400
26952 @@ -379,9 +379,9 @@ struct e1000_info {
26954 u32 max_hw_frame_size;
26955 s32 (*get_variants)(struct e1000_adapter *);
26956 - struct e1000_mac_operations *mac_ops;
26957 - struct e1000_phy_operations *phy_ops;
26958 - struct e1000_nvm_operations *nvm_ops;
26959 + const struct e1000_mac_operations *mac_ops;
26960 + const struct e1000_phy_operations *phy_ops;
26961 + const struct e1000_nvm_operations *nvm_ops;
26964 /* hardware capability, feature, and workaround flags */
26965 diff -urNp linux-2.6.36.1/drivers/net/e1000e/es2lan.c linux-2.6.36.1/drivers/net/e1000e/es2lan.c
26966 --- linux-2.6.36.1/drivers/net/e1000e/es2lan.c 2010-10-20 16:30:22.000000000 -0400
26967 +++ linux-2.6.36.1/drivers/net/e1000e/es2lan.c 2010-11-06 18:58:15.000000000 -0400
26968 @@ -205,6 +205,7 @@ static s32 e1000_init_mac_params_80003es
26970 struct e1000_hw *hw = &adapter->hw;
26971 struct e1000_mac_info *mac = &hw->mac;
26972 + /* cannot be const */
26973 struct e1000_mac_operations *func = &mac->ops;
26975 /* Set media type */
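Review bot: `/* cannot be const */` states the constraint but not the reason, so the next person to sweep for const-ifiable pointers will have to rediscover it. Presumably `mac->ops` is populated per media/MAC type further down the function, which is outside the hunk; if so, say so: `/* cannot be const: mac->ops is populated per MAC type below */`. The identical bare comment appears in e1000_init_mac_params_82571 in 82571.c above and on the `ops` member of struct e1000_nvm_info in e1000e/hw.h and igb/e1000_hw.h below, and each would benefit from the same one-line reason.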
26976 @@ -1431,7 +1432,7 @@ static void e1000_clear_hw_cntrs_80003es
26980 -static struct e1000_mac_operations es2_mac_ops = {
26981 +static const struct e1000_mac_operations es2_mac_ops = {
26982 .read_mac_addr = e1000_read_mac_addr_80003es2lan,
26983 .id_led_init = e1000e_id_led_init,
26984 .check_mng_mode = e1000e_check_mng_mode_generic,
26985 @@ -1453,7 +1454,7 @@ static struct e1000_mac_operations es2_m
26986 .setup_led = e1000e_setup_led_generic,
26989 -static struct e1000_phy_operations es2_phy_ops = {
26990 +static const struct e1000_phy_operations es2_phy_ops = {
26991 .acquire = e1000_acquire_phy_80003es2lan,
26992 .check_polarity = e1000_check_polarity_m88,
26993 .check_reset_block = e1000e_check_reset_block_generic,
26994 @@ -1471,7 +1472,7 @@ static struct e1000_phy_operations es2_p
26995 .cfg_on_link_up = e1000_cfg_on_link_up_80003es2lan,
26998 -static struct e1000_nvm_operations es2_nvm_ops = {
26999 +static const struct e1000_nvm_operations es2_nvm_ops = {
27000 .acquire = e1000_acquire_nvm_80003es2lan,
27001 .read = e1000e_read_nvm_eerd,
27002 .release = e1000_release_nvm_80003es2lan,
27003 diff -urNp linux-2.6.36.1/drivers/net/e1000e/hw.h linux-2.6.36.1/drivers/net/e1000e/hw.h
27004 --- linux-2.6.36.1/drivers/net/e1000e/hw.h 2010-10-20 16:30:22.000000000 -0400
27005 +++ linux-2.6.36.1/drivers/net/e1000e/hw.h 2010-11-06 18:58:15.000000000 -0400
27006 @@ -800,13 +800,13 @@ struct e1000_phy_operations {
27008 /* Function pointers for the NVM. */
27009 struct e1000_nvm_operations {
27010 - s32 (*acquire)(struct e1000_hw *);
27011 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27012 - void (*release)(struct e1000_hw *);
27013 - s32 (*update)(struct e1000_hw *);
27014 - s32 (*valid_led_default)(struct e1000_hw *, u16 *);
27015 - s32 (*validate)(struct e1000_hw *);
27016 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27017 + s32 (* const acquire)(struct e1000_hw *);
27018 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27019 + void (* const release)(struct e1000_hw *);
27020 + s32 (* const update)(struct e1000_hw *);
27021 + s32 (* const valid_led_default)(struct e1000_hw *, u16 *);
27022 + s32 (* const validate)(struct e1000_hw *);
27023 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27026 struct e1000_mac_info {
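Review bot: Making every function pointer in struct e1000_nvm_operations `const` means an object of that type can no longer be assigned or have a member set after definition; the only way left to fill the embedded `hw->nvm.ops` (marked "cannot be const" in the next hunk) is presumably a memcpy at init, which the diff does not show, and writing const-qualified members through memcpy is formally undefined behaviour in C even where current compilers accept it. If that memcpy-at-init pattern is the intended one it should be documented on the struct, e.g. `/* members are const: instances are static tables; hw->nvm.ops is filled once by memcpy at init */`, since any future per-device override of a single member will fail to compile. The same applies to the igb copy of the struct in drivers/net/igb/e1000_hw.h further down.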
27027 @@ -886,6 +886,7 @@ struct e1000_phy_info {
27030 struct e1000_nvm_info {
27031 + /* cannot be const */
27032 struct e1000_nvm_operations ops;
27034 enum e1000_nvm_type type;
27035 diff -urNp linux-2.6.36.1/drivers/net/e1000e/ich8lan.c linux-2.6.36.1/drivers/net/e1000e/ich8lan.c
27036 --- linux-2.6.36.1/drivers/net/e1000e/ich8lan.c 2010-10-20 16:30:22.000000000 -0400
27037 +++ linux-2.6.36.1/drivers/net/e1000e/ich8lan.c 2010-11-06 18:58:15.000000000 -0400
27038 @@ -3856,7 +3856,7 @@ static void e1000_clear_hw_cntrs_ich8lan
27042 -static struct e1000_mac_operations ich8_mac_ops = {
27043 +static const struct e1000_mac_operations ich8_mac_ops = {
27044 .id_led_init = e1000e_id_led_init,
27045 /* check_mng_mode dependent on mac type */
27046 .check_for_link = e1000_check_for_copper_link_ich8lan,
27047 @@ -3875,7 +3875,7 @@ static struct e1000_mac_operations ich8_
27048 /* id_led_init dependent on mac type */
27051 -static struct e1000_phy_operations ich8_phy_ops = {
27052 +static const struct e1000_phy_operations ich8_phy_ops = {
27053 .acquire = e1000_acquire_swflag_ich8lan,
27054 .check_reset_block = e1000_check_reset_block_ich8lan,
27056 @@ -3889,7 +3889,7 @@ static struct e1000_phy_operations ich8_
27057 .write_reg = e1000e_write_phy_reg_igp,
27060 -static struct e1000_nvm_operations ich8_nvm_ops = {
27061 +static const struct e1000_nvm_operations ich8_nvm_ops = {
27062 .acquire = e1000_acquire_nvm_ich8lan,
27063 .read = e1000_read_nvm_ich8lan,
27064 .release = e1000_release_nvm_ich8lan,
27065 diff -urNp linux-2.6.36.1/drivers/net/eql.c linux-2.6.36.1/drivers/net/eql.c
27066 --- linux-2.6.36.1/drivers/net/eql.c 2010-10-20 16:30:22.000000000 -0400
27067 +++ linux-2.6.36.1/drivers/net/eql.c 2010-11-06 18:58:50.000000000 -0400
27068 @@ -555,7 +555,7 @@ static int eql_g_master_cfg(struct net_d
27070 master_config_t mc;
27072 - memset(&mc, 0, sizeof(master_config_t));
27073 + memset(&mc, 0, sizeof(mc));
27075 if (eql_is_master(dev)) {
27076 eql = netdev_priv(dev);
27077 diff -urNp linux-2.6.36.1/drivers/net/igb/e1000_82575.c linux-2.6.36.1/drivers/net/igb/e1000_82575.c
27078 --- linux-2.6.36.1/drivers/net/igb/e1000_82575.c 2010-10-20 16:30:22.000000000 -0400
27079 +++ linux-2.6.36.1/drivers/net/igb/e1000_82575.c 2010-11-06 18:58:15.000000000 -0400
27080 @@ -1698,7 +1698,7 @@ u16 igb_rxpbs_adjust_82580(u32 data)
27084 -static struct e1000_mac_operations e1000_mac_ops_82575 = {
27085 +static const struct e1000_mac_operations e1000_mac_ops_82575 = {
27086 .init_hw = igb_init_hw_82575,
27087 .check_for_link = igb_check_for_link_82575,
27088 .rar_set = igb_rar_set,
27089 @@ -1706,13 +1706,13 @@ static struct e1000_mac_operations e1000
27090 .get_speed_and_duplex = igb_get_speed_and_duplex_copper,
27093 -static struct e1000_phy_operations e1000_phy_ops_82575 = {
27094 +static const struct e1000_phy_operations e1000_phy_ops_82575 = {
27095 .acquire = igb_acquire_phy_82575,
27096 .get_cfg_done = igb_get_cfg_done_82575,
27097 .release = igb_release_phy_82575,
27100 -static struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27101 +static const struct e1000_nvm_operations e1000_nvm_ops_82575 = {
27102 .acquire = igb_acquire_nvm_82575,
27103 .read = igb_read_nvm_eerd,
27104 .release = igb_release_nvm_82575,
27105 diff -urNp linux-2.6.36.1/drivers/net/igb/e1000_hw.h linux-2.6.36.1/drivers/net/igb/e1000_hw.h
27106 --- linux-2.6.36.1/drivers/net/igb/e1000_hw.h 2010-10-20 16:30:22.000000000 -0400
27107 +++ linux-2.6.36.1/drivers/net/igb/e1000_hw.h 2010-11-06 18:58:15.000000000 -0400
27108 @@ -323,17 +323,17 @@ struct e1000_phy_operations {
27111 struct e1000_nvm_operations {
27112 - s32 (*acquire)(struct e1000_hw *);
27113 - s32 (*read)(struct e1000_hw *, u16, u16, u16 *);
27114 - void (*release)(struct e1000_hw *);
27115 - s32 (*write)(struct e1000_hw *, u16, u16, u16 *);
27116 + s32 (* const acquire)(struct e1000_hw *);
27117 + s32 (* const read)(struct e1000_hw *, u16, u16, u16 *);
27118 + void (* const release)(struct e1000_hw *);
27119 + s32 (* const write)(struct e1000_hw *, u16, u16, u16 *);
27122 struct e1000_info {
27123 s32 (*get_invariants)(struct e1000_hw *);
27124 - struct e1000_mac_operations *mac_ops;
27125 - struct e1000_phy_operations *phy_ops;
27126 - struct e1000_nvm_operations *nvm_ops;
27127 + const struct e1000_mac_operations *mac_ops;
27128 + const struct e1000_phy_operations *phy_ops;
27129 + const struct e1000_nvm_operations *nvm_ops;
27132 extern const struct e1000_info e1000_82575_info;
27133 @@ -412,6 +412,7 @@ struct e1000_phy_info {
27136 struct e1000_nvm_info {
27137 + /* cannot be const */
27138 struct e1000_nvm_operations ops;
27140 enum e1000_nvm_type type;
27141 diff -urNp linux-2.6.36.1/drivers/net/irda/vlsi_ir.c linux-2.6.36.1/drivers/net/irda/vlsi_ir.c
27142 --- linux-2.6.36.1/drivers/net/irda/vlsi_ir.c 2010-10-20 16:30:22.000000000 -0400
27143 +++ linux-2.6.36.1/drivers/net/irda/vlsi_ir.c 2010-11-06 18:58:15.000000000 -0400
27144 @@ -907,13 +907,12 @@ static netdev_tx_t vlsi_hard_start_xmit(
27145 /* no race - tx-ring already empty */
27146 vlsi_set_baud(idev, iobase);
27147 netif_wake_queue(ndev);
27152 /* keep the speed change pending like it would
27153 * for any len>0 packet. tx completion interrupt
27154 * will apply it when the tx ring becomes empty.
27157 spin_unlock_irqrestore(&idev->lock, flags);
27158 dev_kfree_skb_any(skb);
27159 return NETDEV_TX_OK;
27160 diff -urNp linux-2.6.36.1/drivers/net/pcnet32.c linux-2.6.36.1/drivers/net/pcnet32.c
27161 --- linux-2.6.36.1/drivers/net/pcnet32.c 2010-10-20 16:30:22.000000000 -0400
27162 +++ linux-2.6.36.1/drivers/net/pcnet32.c 2010-11-06 18:58:15.000000000 -0400
27163 @@ -82,7 +82,7 @@ static int cards_found;
27165 * VLB I/O addresses
27167 -static unsigned int pcnet32_portlist[] __initdata =
27168 +static unsigned int pcnet32_portlist[] __devinitdata =
27169 { 0x300, 0x320, 0x340, 0x360, 0 };
27171 static int pcnet32_debug;
27172 diff -urNp linux-2.6.36.1/drivers/net/ppp_generic.c linux-2.6.36.1/drivers/net/ppp_generic.c
27173 --- linux-2.6.36.1/drivers/net/ppp_generic.c 2010-10-20 16:30:22.000000000 -0400
27174 +++ linux-2.6.36.1/drivers/net/ppp_generic.c 2010-11-06 18:58:15.000000000 -0400
27175 @@ -985,7 +985,6 @@ ppp_net_ioctl(struct net_device *dev, st
27176 void __user *addr = (void __user *) ifr->ifr_ifru.ifru_data;
27177 struct ppp_stats stats;
27178 struct ppp_comp_stats cstats;
27182 case SIOCGPPPSTATS:
27183 @@ -1007,8 +1006,7 @@ ppp_net_ioctl(struct net_device *dev, st
27187 - vers = PPP_VERSION;
27188 - if (copy_to_user(addr, vers, strlen(vers) + 1))
27189 + if (copy_to_user(addr, PPP_VERSION, sizeof(PPP_VERSION)))
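Review bot: `sizeof(PPP_VERSION)` equals the string length plus the terminator only while PPP_VERSION expands to a string literal; if it is ever redefined as a `const char *` the copy silently shrinks to pointer size with no compiler diagnostic. A comment such as `/* PPP_VERSION is a string literal, so sizeof covers the NUL */` or a `BUILD_BUG_ON(sizeof(PPP_VERSION) == sizeof(char *));` makes the assumption visible. The surrounding return statement and the removed lines of the first hunk are not shown here.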
27193 diff -urNp linux-2.6.36.1/drivers/net/tg3.c linux-2.6.36.1/drivers/net/tg3.c
27194 --- linux-2.6.36.1/drivers/net/tg3.c 2010-10-20 16:30:22.000000000 -0400
27195 +++ linux-2.6.36.1/drivers/net/tg3.c 2010-11-06 18:58:15.000000000 -0400
27196 @@ -12433,7 +12433,7 @@ static void __devinit tg3_read_vpd(struc
27197 cnt = pci_read_vpd(tp->pdev, pos,
27198 TG3_NVM_VPD_LEN - pos,
27200 - if (cnt == -ETIMEDOUT || -EINTR)
27201 + if (cnt == -ETIMEDOUT || cnt == -EINTR)
27204 goto out_not_found;
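Review bot: The fix corrects a condition that was previously always true (`|| -EINTR` is a non-zero constant), and the hunk gives no hint of that history, so a reader may wonder whether the old form was deliberate. A one-line comment on the new condition, `/* a timed-out or interrupted VPD read is not fatal; any other error is */`, would explain both the fix and the intent of the branch; the lines that handle the two cases are not shown, so confirm that wording against them. tg3_read_vpd continues outside the hunk.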
27205 diff -urNp linux-2.6.36.1/drivers/net/tg3.h linux-2.6.36.1/drivers/net/tg3.h
27206 --- linux-2.6.36.1/drivers/net/tg3.h 2010-10-20 16:30:22.000000000 -0400
27207 +++ linux-2.6.36.1/drivers/net/tg3.h 2010-11-06 18:58:15.000000000 -0400
27208 @@ -131,6 +131,7 @@
27209 #define CHIPREV_ID_5750_A0 0x4000
27210 #define CHIPREV_ID_5750_A1 0x4001
27211 #define CHIPREV_ID_5750_A3 0x4003
27212 +#define CHIPREV_ID_5750_C1 0x4201
27213 #define CHIPREV_ID_5750_C2 0x4202
27214 #define CHIPREV_ID_5752_A0_HW 0x5000
27215 #define CHIPREV_ID_5752_A0 0x6000
27216 diff -urNp linux-2.6.36.1/drivers/net/tulip/de4x5.c linux-2.6.36.1/drivers/net/tulip/de4x5.c
27217 --- linux-2.6.36.1/drivers/net/tulip/de4x5.c 2010-10-20 16:30:22.000000000 -0400
27218 +++ linux-2.6.36.1/drivers/net/tulip/de4x5.c 2010-11-06 18:58:50.000000000 -0400
27219 @@ -5401,7 +5401,7 @@ de4x5_ioctl(struct net_device *dev, stru
27220 for (i=0; i<ETH_ALEN; i++) {
27221 tmp.addr[i] = dev->dev_addr[i];
27223 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27224 + if (ioc->len > sizeof(tmp.addr) || copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27227 case DE4X5_SET_HWADDR: /* Set the hardware address */
27228 @@ -5441,7 +5441,7 @@ de4x5_ioctl(struct net_device *dev, stru
27229 spin_lock_irqsave(&lp->lock, flags);
27230 memcpy(&statbuf, &lp->pktStats, ioc->len);
27231 spin_unlock_irqrestore(&lp->lock, flags);
27232 - if (copy_to_user(ioc->data, &statbuf, ioc->len))
27233 + if (ioc->len > sizeof(statbuf) || copy_to_user(ioc->data, &statbuf, ioc->len))
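Review bot: The new `ioc->len > sizeof(statbuf)` guard comes one line after `memcpy(&statbuf, &lp->pktStats, ioc->len)`, which has already used the same user-supplied length to fill a stack buffer, so the check cannot prevent a stack overrun here; it only bounds the copy back to user space. Unless `ioc->len` is assigned from sizeof(statbuf) just above the hunk (the start of this switch case is not shown), the guard needs to move ahead of the spin_lock_irqsave: `if (ioc->len > sizeof(statbuf)) return -EFAULT;`. The previous hunk's DE4X5_GET_HWADDR case does get its guard in the right place.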
27237 @@ -5474,7 +5474,7 @@ de4x5_ioctl(struct net_device *dev, stru
27238 tmp.lval[6] = inl(DE4X5_STRR); j+=4;
27239 tmp.lval[7] = inl(DE4X5_SIGR); j+=4;
27241 - if (copy_to_user(ioc->data, tmp.addr, ioc->len)) return -EFAULT;
27242 + if (copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;
27245 #define DE4X5_DUMP 0x0f /* Dump the DE4X5 Status */
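Review bot: This copy_to_user still takes `ioc->len` unbounded, whereas the two hunks above gained an `ioc->len > sizeof(...)` guard; switching the source from `tmp.addr` to `tmp.lval` changes which member is read but not how much. Unless `ioc->len` is set from the `j` byte counter right above the hunk (that assignment is not shown), the same guard belongs here: `if (ioc->len > sizeof(tmp.lval) || copy_to_user(ioc->data, tmp.lval, ioc->len)) return -EFAULT;`. If `ioc->len = j` does precede it, a brief comment saying the length is driver-computed would stop the next reviewer from asking the same question.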
27246 diff -urNp linux-2.6.36.1/drivers/net/usb/hso.c linux-2.6.36.1/drivers/net/usb/hso.c
27247 --- linux-2.6.36.1/drivers/net/usb/hso.c 2010-10-20 16:30:22.000000000 -0400
27248 +++ linux-2.6.36.1/drivers/net/usb/hso.c 2010-11-06 18:58:50.000000000 -0400
27249 @@ -257,7 +257,7 @@ struct hso_serial {
27251 /* from usb_serial_port */
27252 struct tty_struct *tty;
27254 + atomic_t open_count;
27255 spinlock_t serial_lock;
27257 int (*write_data) (struct hso_serial *serial);
27258 @@ -1200,7 +1200,7 @@ static void put_rxbuf_data_and_resubmit_
27261 urb = serial->rx_urb[0];
27262 - if (serial->open_count > 0) {
27263 + if (atomic_read(&serial->open_count) > 0) {
27264 count = put_rxbuf_data(urb, serial);
27267 @@ -1236,7 +1236,7 @@ static void hso_std_serial_read_bulk_cal
27268 DUMP1(urb->transfer_buffer, urb->actual_length);
27270 /* Anyone listening? */
27271 - if (serial->open_count == 0)
27272 + if (atomic_read(&serial->open_count) == 0)
27276 @@ -1331,8 +1331,7 @@ static int hso_serial_open(struct tty_st
27277 spin_unlock_irq(&serial->serial_lock);
27279 /* check for port already opened, if not set the termios */
27280 - serial->open_count++;
27281 - if (serial->open_count == 1) {
27282 + if (atomic_inc_return(&serial->open_count) == 1) {
27283 serial->rx_state = RX_IDLE;
27284 /* Force default termio settings */
27285 _hso_serial_set_termios(tty, NULL);
27286 @@ -1344,7 +1343,7 @@ static int hso_serial_open(struct tty_st
27287 result = hso_start_serial_device(serial->parent, GFP_KERNEL);
27289 hso_stop_serial_device(serial->parent);
27290 - serial->open_count--;
27291 + atomic_dec(&serial->open_count);
27292 kref_put(&serial->parent->ref, hso_serial_ref_free);
27295 @@ -1381,10 +1380,10 @@ static void hso_serial_close(struct tty_
27297 /* reset the rts and dtr */
27298 /* do the actual close */
27299 - serial->open_count--;
27300 + atomic_dec(&serial->open_count);
27302 - if (serial->open_count <= 0) {
27303 - serial->open_count = 0;
27304 + if (atomic_read(&serial->open_count) <= 0) {
27305 + atomic_set(&serial->open_count, 0);
27306 spin_lock_irq(&serial->serial_lock);
27307 if (serial->tty == tty) {
27308 serial->tty->driver_data = NULL;
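Review bot: `atomic_dec()` followed by `atomic_read() <= 0` and `atomic_set(..., 0)` is three separate operations, so the conversion removes the torn-update problem of a plain int but not the check-then-act window: an open() that increments between the decrement and the reset to 0 has its count erased. Folding the first two into `if (atomic_dec_return(&serial->open_count) <= 0) {` narrows the window, and the `atomic_set(&serial->open_count, 0)` underflow repair deserves a comment on whether it is still reachable once every decrement is paired with an increment. hso_serial_close continues outside the hunk.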
27309 @@ -1466,7 +1465,7 @@ static void hso_serial_set_termios(struc
27311 /* the actual setup */
27312 spin_lock_irqsave(&serial->serial_lock, flags);
27313 - if (serial->open_count)
27314 + if (atomic_read(&serial->open_count))
27315 _hso_serial_set_termios(tty, old);
27317 tty->termios = old;
27318 @@ -1652,10 +1651,11 @@ static int hso_get_count(struct hso_seri
27319 struct uart_icount cnow;
27320 struct hso_tiocmget *tiocmget = serial->tiocmget;
27322 - memset(&icount, 0, sizeof(struct serial_icounter_struct));
27327 + memset(&icount, 0, sizeof(icount));
27329 spin_lock_irq(&serial->serial_lock);
27330 memcpy(&cnow, &tiocmget->icount, sizeof(struct uart_icount));
27331 spin_unlock_irq(&serial->serial_lock);
27332 @@ -1930,7 +1930,7 @@ static void intr_callback(struct urb *ur
27333 D1("Pending read interrupt on port %d\n", i);
27334 spin_lock(&serial->serial_lock);
27335 if (serial->rx_state == RX_IDLE &&
27336 - serial->open_count > 0) {
27337 + atomic_read(&serial->open_count) > 0) {
27338 /* Setup and send a ctrl req read on
27340 if (!serial->rx_urb_filled[0]) {
27341 @@ -3120,7 +3120,7 @@ static int hso_resume(struct usb_interfa
27342 /* Start all serial ports */
27343 for (i = 0; i < HSO_SERIAL_TTY_MINORS; i++) {
27344 if (serial_table[i] && (serial_table[i]->interface == iface)) {
27345 - if (dev2ser(serial_table[i])->open_count) {
27346 + if (atomic_read(&dev2ser(serial_table[i])->open_count)) {
27348 hso_start_serial_device(serial_table[i], GFP_NOIO);
27349 hso_kick_transmit(dev2ser(serial_table[i]));
27350 diff -urNp linux-2.6.36.1/drivers/net/wireless/b43/debugfs.c linux-2.6.36.1/drivers/net/wireless/b43/debugfs.c
27351 --- linux-2.6.36.1/drivers/net/wireless/b43/debugfs.c 2010-10-20 16:30:22.000000000 -0400
27352 +++ linux-2.6.36.1/drivers/net/wireless/b43/debugfs.c 2010-11-06 18:58:15.000000000 -0400
27353 @@ -43,7 +43,7 @@ static struct dentry *rootdir;
27354 struct b43_debugfs_fops {
27355 ssize_t (*read)(struct b43_wldev *dev, char *buf, size_t bufsize);
27356 int (*write)(struct b43_wldev *dev, const char *buf, size_t count);
27357 - struct file_operations fops;
27358 + const struct file_operations fops;
27359 /* Offset of struct b43_dfs_file in struct b43_dfsentry */
27360 size_t file_struct_offset;
27362 diff -urNp linux-2.6.36.1/drivers/net/wireless/b43legacy/debugfs.c linux-2.6.36.1/drivers/net/wireless/b43legacy/debugfs.c
27363 --- linux-2.6.36.1/drivers/net/wireless/b43legacy/debugfs.c 2010-10-20 16:30:22.000000000 -0400
27364 +++ linux-2.6.36.1/drivers/net/wireless/b43legacy/debugfs.c 2010-11-06 18:58:15.000000000 -0400
27365 @@ -44,7 +44,7 @@ static struct dentry *rootdir;
27366 struct b43legacy_debugfs_fops {
27367 ssize_t (*read)(struct b43legacy_wldev *dev, char *buf, size_t bufsize);
27368 int (*write)(struct b43legacy_wldev *dev, const char *buf, size_t count);
27369 - struct file_operations fops;
27370 + const struct file_operations fops;
27371 /* Offset of struct b43legacy_dfs_file in struct b43legacy_dfsentry */
27372 size_t file_struct_offset;
27373 /* Take wl->irq_lock before calling read/write? */
27374 diff -urNp linux-2.6.36.1/drivers/net/wireless/iwlwifi/iwl-debug.h linux-2.6.36.1/drivers/net/wireless/iwlwifi/iwl-debug.h
27375 --- linux-2.6.36.1/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-10-20 16:30:22.000000000 -0400
27376 +++ linux-2.6.36.1/drivers/net/wireless/iwlwifi/iwl-debug.h 2010-11-06 18:58:15.000000000 -0400
27377 @@ -68,8 +68,8 @@ do {
27381 -#define IWL_DEBUG(__priv, level, fmt, args...)
27382 -#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...)
27383 +#define IWL_DEBUG(__priv, level, fmt, args...) do {} while (0)
27384 +#define IWL_DEBUG_LIMIT(__priv, level, fmt, args...) do {} while (0)
27385 static inline void iwl_print_hex_dump(struct iwl_priv *priv, int level,
27386 const void *p, u32 len)
27388 diff -urNp linux-2.6.36.1/drivers/net/wireless/libertas/debugfs.c linux-2.6.36.1/drivers/net/wireless/libertas/debugfs.c
27389 --- linux-2.6.36.1/drivers/net/wireless/libertas/debugfs.c 2010-10-20 16:30:22.000000000 -0400
27390 +++ linux-2.6.36.1/drivers/net/wireless/libertas/debugfs.c 2010-11-06 18:58:15.000000000 -0400
27391 @@ -701,7 +701,7 @@ out_unlock:
27392 struct lbs_debugfs_files {
27395 - struct file_operations fops;
27396 + const struct file_operations fops;
27399 static const struct lbs_debugfs_files debugfs_files[] = {
27400 diff -urNp linux-2.6.36.1/drivers/net/wireless/rndis_wlan.c linux-2.6.36.1/drivers/net/wireless/rndis_wlan.c
27401 --- linux-2.6.36.1/drivers/net/wireless/rndis_wlan.c 2010-10-20 16:30:22.000000000 -0400
27402 +++ linux-2.6.36.1/drivers/net/wireless/rndis_wlan.c 2010-11-06 18:58:15.000000000 -0400
27403 @@ -1236,7 +1236,7 @@ static int set_rts_threshold(struct usbn
27405 netdev_dbg(usbdev->net, "%s(): %i\n", __func__, rts_threshold);
27407 - if (rts_threshold < 0 || rts_threshold > 2347)
27408 + if (rts_threshold > 2347)
27409 rts_threshold = 2347;
27411 tmp = cpu_to_le32(rts_threshold);
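Review bot: Dropping `rts_threshold < 0` is correct only if `rts_threshold` is an unsigned type, in which case the old test was dead and likely drew a compiler warning; if the parameter is signed, a negative value now reaches `cpu_to_le32(rts_threshold)` unclamped. The signature of set_rts_threshold is outside the hunk, so confirm the type there, and either way a comment on the new line, `/* rts_threshold is unsigned; only the upper bound needs clamping */`, records why the lower check went away.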
27412 diff -urNp linux-2.6.36.1/drivers/oprofile/buffer_sync.c linux-2.6.36.1/drivers/oprofile/buffer_sync.c
27413 --- linux-2.6.36.1/drivers/oprofile/buffer_sync.c 2010-10-20 16:30:22.000000000 -0400
27414 +++ linux-2.6.36.1/drivers/oprofile/buffer_sync.c 2010-11-06 18:58:15.000000000 -0400
27415 @@ -342,7 +342,7 @@ static void add_data(struct op_entry *en
27416 if (cookie == NO_COOKIE)
27418 if (cookie == INVALID_COOKIE) {
27419 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27420 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27423 if (cookie != last_cookie) {
27424 @@ -386,14 +386,14 @@ add_sample(struct mm_struct *mm, struct
27425 /* add userspace sample */
27428 - atomic_inc(&oprofile_stats.sample_lost_no_mm);
27429 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mm);
27433 cookie = lookup_dcookie(mm, s->eip, &offset);
27435 if (cookie == INVALID_COOKIE) {
27436 - atomic_inc(&oprofile_stats.sample_lost_no_mapping);
27437 + atomic_inc_unchecked(&oprofile_stats.sample_lost_no_mapping);
27441 @@ -562,7 +562,7 @@ void sync_buffer(int cpu)
27442 /* ignore backtraces if failed to add a sample */
27443 if (state == sb_bt_start) {
27444 state = sb_bt_ignore;
27445 - atomic_inc(&oprofile_stats.bt_lost_no_mapping);
27446 + atomic_inc_unchecked(&oprofile_stats.bt_lost_no_mapping);
27450 diff -urNp linux-2.6.36.1/drivers/oprofile/event_buffer.c linux-2.6.36.1/drivers/oprofile/event_buffer.c
27451 --- linux-2.6.36.1/drivers/oprofile/event_buffer.c 2010-10-20 16:30:22.000000000 -0400
27452 +++ linux-2.6.36.1/drivers/oprofile/event_buffer.c 2010-11-06 18:58:15.000000000 -0400
27453 @@ -53,7 +53,7 @@ void add_event_entry(unsigned long value
27456 if (buffer_pos == buffer_size) {
27457 - atomic_inc(&oprofile_stats.event_lost_overflow);
27458 + atomic_inc_unchecked(&oprofile_stats.event_lost_overflow);
27462 diff -urNp linux-2.6.36.1/drivers/oprofile/oprof.c linux-2.6.36.1/drivers/oprofile/oprof.c
27463 --- linux-2.6.36.1/drivers/oprofile/oprof.c 2010-10-20 16:30:22.000000000 -0400
27464 +++ linux-2.6.36.1/drivers/oprofile/oprof.c 2010-11-06 18:58:15.000000000 -0400
27465 @@ -110,7 +110,7 @@ static void switch_worker(struct work_st
27466 if (oprofile_ops.switch_events())
27469 - atomic_inc(&oprofile_stats.multiplex_counter);
27470 + atomic_inc_unchecked(&oprofile_stats.multiplex_counter);
27471 start_switch_worker();
27474 diff -urNp linux-2.6.36.1/drivers/oprofile/oprofilefs.c linux-2.6.36.1/drivers/oprofile/oprofilefs.c
27475 --- linux-2.6.36.1/drivers/oprofile/oprofilefs.c 2010-10-20 16:30:22.000000000 -0400
27476 +++ linux-2.6.36.1/drivers/oprofile/oprofilefs.c 2010-11-06 18:58:15.000000000 -0400
27477 @@ -187,7 +187,7 @@ static const struct file_operations atom
27480 int oprofilefs_create_ro_atomic(struct super_block *sb, struct dentry *root,
27481 - char const *name, atomic_t *val)
27482 + char const *name, atomic_unchecked_t *val)
27484 struct dentry *d = __oprofilefs_create_file(sb, root, name,
27485 &atomic_ro_fops, 0444);
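Review bot: The parameter type of oprofilefs_create_ro_atomic() changes to `atomic_unchecked_t *`, but the consumer of the stored pointer — the read handler behind `atomic_ro_fops` — and the public prototype in the oprofile header are outside this hunk and must change in step, otherwise the read path accesses the value through the old accessor. If the checked and unchecked types are distinct structs this will surface as a compile error; if they are compatible it will not, and the counter would silently be read through the wrong helper. Worth confirming the matching changes exist elsewhere in the patch; the function body continues past the hunk.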
27486 diff -urNp linux-2.6.36.1/drivers/oprofile/oprofile_stats.c linux-2.6.36.1/drivers/oprofile/oprofile_stats.c
27487 --- linux-2.6.36.1/drivers/oprofile/oprofile_stats.c 2010-10-20 16:30:22.000000000 -0400
27488 +++ linux-2.6.36.1/drivers/oprofile/oprofile_stats.c 2010-11-06 18:58:15.000000000 -0400
27489 @@ -30,11 +30,11 @@ void oprofile_reset_stats(void)
27490 cpu_buf->sample_invalid_eip = 0;
27493 - atomic_set(&oprofile_stats.sample_lost_no_mm, 0);
27494 - atomic_set(&oprofile_stats.sample_lost_no_mapping, 0);
27495 - atomic_set(&oprofile_stats.event_lost_overflow, 0);
27496 - atomic_set(&oprofile_stats.bt_lost_no_mapping, 0);
27497 - atomic_set(&oprofile_stats.multiplex_counter, 0);
27498 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mm, 0);
27499 + atomic_set_unchecked(&oprofile_stats.sample_lost_no_mapping, 0);
27500 + atomic_set_unchecked(&oprofile_stats.event_lost_overflow, 0);
27501 + atomic_set_unchecked(&oprofile_stats.bt_lost_no_mapping, 0);
27502 + atomic_set_unchecked(&oprofile_stats.multiplex_counter, 0);
27506 diff -urNp linux-2.6.36.1/drivers/oprofile/oprofile_stats.h linux-2.6.36.1/drivers/oprofile/oprofile_stats.h
27507 --- linux-2.6.36.1/drivers/oprofile/oprofile_stats.h 2010-10-20 16:30:22.000000000 -0400
27508 +++ linux-2.6.36.1/drivers/oprofile/oprofile_stats.h 2010-11-06 18:58:15.000000000 -0400
27509 @@ -13,11 +13,11 @@
27510 #include <asm/atomic.h>
27512 struct oprofile_stat_struct {
27513 - atomic_t sample_lost_no_mm;
27514 - atomic_t sample_lost_no_mapping;
27515 - atomic_t bt_lost_no_mapping;
27516 - atomic_t event_lost_overflow;
27517 - atomic_t multiplex_counter;
27518 + atomic_unchecked_t sample_lost_no_mm;
27519 + atomic_unchecked_t sample_lost_no_mapping;
27520 + atomic_unchecked_t bt_lost_no_mapping;
27521 + atomic_unchecked_t event_lost_overflow;
27522 + atomic_unchecked_t multiplex_counter;
27525 extern struct oprofile_stat_struct oprofile_stats;
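Review bot: The five counters switch to `atomic_unchecked_t` without a comment recording why overflow checking is being waived for them; since this opt-out is exactly what a reviewer will question on every future touch of the struct, a one-line comment above the fields such as `/* statistics only, never used as reference counts: overflow checking is deliberately disabled */` would document the decision. The same applies to the stats fields of struct fc_exch_mgr in drivers/scsi/libfc/fc_exch.c. This presumes that every remaining reader of these fields (atomic_read() callers not shown here) is switched to the matching unchecked accessor as well.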
27526 diff -urNp linux-2.6.36.1/drivers/parport/procfs.c linux-2.6.36.1/drivers/parport/procfs.c
27527 --- linux-2.6.36.1/drivers/parport/procfs.c 2010-10-20 16:30:22.000000000 -0400
27528 +++ linux-2.6.36.1/drivers/parport/procfs.c 2010-11-06 18:58:50.000000000 -0400
27529 @@ -64,7 +64,7 @@ static int do_active_device(ctl_table *t
27533 - return copy_to_user(result, buffer, len) ? -EFAULT : 0;
27534 + return (len > sizeof(buffer) || copy_to_user(result, buffer, len)) ? -EFAULT : 0;
27537 #ifdef CONFIG_PARPORT_1284
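Review bot: The new length guard returns -EFAULT, which callers read as a bad user pointer, for what is a kernel-side overrun of the local buffer; -EINVAL, or a `WARN_ON_ONCE(len > sizeof(buffer))` before the copy, would keep the two failure causes distinguishable, and the same applies to the do_autoprobe hunk below. `len` is presumably a signed int compared against `sizeof(buffer)`, so the comparison is performed unsigned, which is harmless only while `len` cannot go negative. Both functions start outside their hunks, so the declaration of `buffer` — which must be an array rather than a pointer for `sizeof` to bound the copy — is not visible here.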
27538 @@ -106,7 +106,7 @@ static int do_autoprobe(ctl_table *table
27542 - return copy_to_user (result, buffer, len) ? -EFAULT : 0;
27543 + return (len > sizeof(buffer) || copy_to_user (result, buffer, len)) ? -EFAULT : 0;
27545 #endif /* IEEE1284.3 support. */
27547 diff -urNp linux-2.6.36.1/drivers/pci/hotplug/acpiphp_glue.c linux-2.6.36.1/drivers/pci/hotplug/acpiphp_glue.c
27548 --- linux-2.6.36.1/drivers/pci/hotplug/acpiphp_glue.c 2010-10-20 16:30:22.000000000 -0400
27549 +++ linux-2.6.36.1/drivers/pci/hotplug/acpiphp_glue.c 2010-11-06 18:58:15.000000000 -0400
27550 @@ -110,7 +110,7 @@ static int post_dock_fixups(struct notif
27554 -static struct acpi_dock_ops acpiphp_dock_ops = {
27555 +static const struct acpi_dock_ops acpiphp_dock_ops = {
27556 .handler = handle_hotplug_event_func,
27559 diff -urNp linux-2.6.36.1/drivers/pci/hotplug/cpqphp_nvram.c linux-2.6.36.1/drivers/pci/hotplug/cpqphp_nvram.c
27560 --- linux-2.6.36.1/drivers/pci/hotplug/cpqphp_nvram.c 2010-10-20 16:30:22.000000000 -0400
27561 +++ linux-2.6.36.1/drivers/pci/hotplug/cpqphp_nvram.c 2010-11-06 18:58:15.000000000 -0400
27562 @@ -428,9 +428,13 @@ static u32 store_HRT (void __iomem *rom_
27564 void compaq_nvram_init (void __iomem *rom_start)
27567 +#ifndef CONFIG_PAX_KERNEXEC
27569 compaq_int15_entry_point = (rom_start + ROM_INT15_PHY_ADDR - ROM_PHY_ADDR);
27573 dbg("int15 entry = %p\n", compaq_int15_entry_point);
27575 /* initialize our int15 lock */
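Review bot: Under CONFIG_PAX_KERNEXEC the assignment to compaq_int15_entry_point is compiled out, so the variable keeps its initial value and the `dbg("int15 entry = %p\n", ...)` line reports that instead, yet nothing in the hunk records why the BIOS int15 entry is disabled or how its callers cope with the unset value. A comment on the new conditional such as `/* KERNEXEC: the ROM int15 entry is never called, leave the entry point unset */` would capture the intent. The matching #endif and the rest of compaq_nvram_init are outside the visible lines.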
27576 diff -urNp linux-2.6.36.1/drivers/pci/intel-iommu.c linux-2.6.36.1/drivers/pci/intel-iommu.c
27577 --- linux-2.6.36.1/drivers/pci/intel-iommu.c 2010-10-20 16:30:22.000000000 -0400
27578 +++ linux-2.6.36.1/drivers/pci/intel-iommu.c 2010-11-06 18:58:15.000000000 -0400
27579 @@ -2934,7 +2934,7 @@ static int intel_mapping_error(struct de
27583 -struct dma_map_ops intel_dma_ops = {
27584 +const struct dma_map_ops intel_dma_ops = {
27585 .alloc_coherent = intel_alloc_coherent,
27586 .free_coherent = intel_free_coherent,
27587 .map_sg = intel_map_sg,
27588 diff -urNp linux-2.6.36.1/drivers/pci/pcie/portdrv_pci.c linux-2.6.36.1/drivers/pci/pcie/portdrv_pci.c
27589 --- linux-2.6.36.1/drivers/pci/pcie/portdrv_pci.c 2010-10-20 16:30:22.000000000 -0400
27590 +++ linux-2.6.36.1/drivers/pci/pcie/portdrv_pci.c 2010-11-06 18:58:15.000000000 -0400
27591 @@ -276,7 +276,7 @@ static void pcie_portdrv_err_resume(stru
27592 static const struct pci_device_id port_pci_ids[] = { {
27593 /* handle any PCI-Express port */
27594 PCI_DEVICE_CLASS(((PCI_CLASS_BRIDGE_PCI << 8) | 0x00), ~0),
27595 - }, { /* end: all zeroes */ }
27596 + }, { 0, 0, 0, 0, 0, 0, 0 }
27598 MODULE_DEVICE_TABLE(pci, port_pci_ids);
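Review bot: The terminating entry loses its `/* end: all zeroes */` comment and becomes a bare run of seven zeros whose meaning depends on the current field count of struct pci_device_id, so a reader can no longer tell that this is the table sentinel rather than a real match. Keeping the comment, `{ 0, 0, 0, 0, 0, 0, 0 } /* end: all zeroes */`, costs nothing and survives a future change to the struct layout. The same replacement appears in drivers/pcmcia/ti113x.h, drivers/pcmcia/yenta_socket.c and drivers/serial/8250_pci.c.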
27600 diff -urNp linux-2.6.36.1/drivers/pci/probe.c linux-2.6.36.1/drivers/pci/probe.c
27601 --- linux-2.6.36.1/drivers/pci/probe.c 2010-10-20 16:30:22.000000000 -0400
27602 +++ linux-2.6.36.1/drivers/pci/probe.c 2010-11-06 18:58:15.000000000 -0400
27603 @@ -62,14 +62,14 @@ static ssize_t pci_bus_show_cpuaffinity(
27607 -static ssize_t inline pci_bus_show_cpumaskaffinity(struct device *dev,
27608 +static inline ssize_t pci_bus_show_cpumaskaffinity(struct device *dev,
27609 struct device_attribute *attr,
27612 return pci_bus_show_cpuaffinity(dev, 0, attr, buf);
27615 -static ssize_t inline pci_bus_show_cpulistaffinity(struct device *dev,
27616 +static inline ssize_t pci_bus_show_cpulistaffinity(struct device *dev,
27617 struct device_attribute *attr,
27620 diff -urNp linux-2.6.36.1/drivers/pci/proc.c linux-2.6.36.1/drivers/pci/proc.c
27621 --- linux-2.6.36.1/drivers/pci/proc.c 2010-10-20 16:30:22.000000000 -0400
27622 +++ linux-2.6.36.1/drivers/pci/proc.c 2010-11-06 18:58:50.000000000 -0400
27623 @@ -479,7 +479,16 @@ static const struct file_operations proc
27624 static int __init pci_proc_init(void)
27626 struct pci_dev *dev = NULL;
27628 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
27629 +#ifdef CONFIG_GRKERNSEC_PROC_USER
27630 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR, NULL);
27631 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
27632 + proc_bus_pci_dir = proc_mkdir_mode("bus/pci", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
27635 proc_bus_pci_dir = proc_mkdir("bus/pci", NULL);
27637 proc_create("devices", 0, proc_bus_pci_dir,
27638 &proc_bus_pci_dev_operations);
27639 proc_initialized = 1;
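Review bot: The two new proc_mkdir_mode() calls, like the existing proc_mkdir() fallback, leave proc_bus_pci_dir unchecked before it is handed to proc_create() as the parent; with a NULL parent proc_create() presumably creates `devices` at the top of /proc, outside the directory whose mode was just restricted, which defeats the point of the restriction. A guard after the conditional, `if (!proc_bus_pci_dir) return -ENOMEM;`, keeps the restricted directory the only place the entry can appear. The #else/#endif of the new conditional are not visible in this excerpt and pci_proc_init continues past the hunk.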
27640 diff -urNp linux-2.6.36.1/drivers/pcmcia/ti113x.h linux-2.6.36.1/drivers/pcmcia/ti113x.h
27641 --- linux-2.6.36.1/drivers/pcmcia/ti113x.h 2010-10-20 16:30:22.000000000 -0400
27642 +++ linux-2.6.36.1/drivers/pcmcia/ti113x.h 2010-11-06 18:58:15.000000000 -0400
27643 @@ -936,7 +936,7 @@ static struct pci_device_id ene_tune_tbl
27644 DEVID(PCI_VENDOR_ID_MOTOROLA, 0x3410, 0xECC0, PCI_ANY_ID,
27645 ENE_TEST_C9_TLTENABLE | ENE_TEST_C9_PFENABLE, ENE_TEST_C9_TLTENABLE),
27648 + { 0, 0, 0, 0, 0, 0, 0 }
27651 static void ene_tune_bridge(struct pcmcia_socket *sock, struct pci_bus *bus)
27652 diff -urNp linux-2.6.36.1/drivers/pcmcia/yenta_socket.c linux-2.6.36.1/drivers/pcmcia/yenta_socket.c
27653 --- linux-2.6.36.1/drivers/pcmcia/yenta_socket.c 2010-10-20 16:30:22.000000000 -0400
27654 +++ linux-2.6.36.1/drivers/pcmcia/yenta_socket.c 2010-11-06 18:58:15.000000000 -0400
27655 @@ -1427,7 +1427,7 @@ static struct pci_device_id yenta_table[
27657 /* match any cardbus bridge */
27658 CB_ID(PCI_ANY_ID, PCI_ANY_ID, DEFAULT),
27659 - { /* all zeroes */ }
27660 + { 0, 0, 0, 0, 0, 0, 0 }
27662 MODULE_DEVICE_TABLE(pci, yenta_table);
27664 diff -urNp linux-2.6.36.1/drivers/platform/x86/acer-wmi.c linux-2.6.36.1/drivers/platform/x86/acer-wmi.c
27665 --- linux-2.6.36.1/drivers/platform/x86/acer-wmi.c 2010-10-20 16:30:22.000000000 -0400
27666 +++ linux-2.6.36.1/drivers/platform/x86/acer-wmi.c 2010-11-06 18:58:15.000000000 -0400
27667 @@ -915,7 +915,7 @@ static int update_bl_status(struct backl
27671 -static struct backlight_ops acer_bl_ops = {
27672 +static const struct backlight_ops acer_bl_ops = {
27673 .get_brightness = read_brightness,
27674 .update_status = update_bl_status,
27676 diff -urNp linux-2.6.36.1/drivers/platform/x86/asus_acpi.c linux-2.6.36.1/drivers/platform/x86/asus_acpi.c
27677 --- linux-2.6.36.1/drivers/platform/x86/asus_acpi.c 2010-10-20 16:30:22.000000000 -0400
27678 +++ linux-2.6.36.1/drivers/platform/x86/asus_acpi.c 2010-11-06 18:58:15.000000000 -0400
27679 @@ -1467,7 +1467,7 @@ static int asus_hotk_remove(struct acpi_
27683 -static struct backlight_ops asus_backlight_data = {
27684 +static const struct backlight_ops asus_backlight_data = {
27685 .get_brightness = read_brightness,
27686 .update_status = set_brightness_status,
27688 diff -urNp linux-2.6.36.1/drivers/platform/x86/asus-laptop.c linux-2.6.36.1/drivers/platform/x86/asus-laptop.c
27689 --- linux-2.6.36.1/drivers/platform/x86/asus-laptop.c 2010-11-26 18:26:24.000000000 -0500
27690 +++ linux-2.6.36.1/drivers/platform/x86/asus-laptop.c 2010-11-26 18:27:11.000000000 -0500
27691 @@ -224,7 +224,6 @@ struct asus_laptop {
27692 struct asus_led gled;
27693 struct asus_led kled;
27694 struct workqueue_struct *led_workqueue;
27696 int wireless_status;
27699 @@ -621,7 +620,7 @@ static int update_bl_status(struct backl
27700 return asus_lcd_set(asus, value);
27703 -static struct backlight_ops asusbl_ops = {
27704 +static const struct backlight_ops asusbl_ops = {
27705 .get_brightness = asus_read_brightness,
27706 .update_status = update_bl_status,
27708 diff -urNp linux-2.6.36.1/drivers/platform/x86/dell-laptop.c linux-2.6.36.1/drivers/platform/x86/dell-laptop.c
27709 --- linux-2.6.36.1/drivers/platform/x86/dell-laptop.c 2010-10-20 16:30:22.000000000 -0400
27710 +++ linux-2.6.36.1/drivers/platform/x86/dell-laptop.c 2010-11-06 18:58:15.000000000 -0400
27711 @@ -475,7 +475,7 @@ out:
27712 return buffer->output[1];
27715 -static struct backlight_ops dell_ops = {
27716 +static const struct backlight_ops dell_ops = {
27717 .get_brightness = dell_get_intensity,
27718 .update_status = dell_send_intensity,
27720 diff -urNp linux-2.6.36.1/drivers/platform/x86/eeepc-laptop.c linux-2.6.36.1/drivers/platform/x86/eeepc-laptop.c
27721 --- linux-2.6.36.1/drivers/platform/x86/eeepc-laptop.c 2010-10-20 16:30:22.000000000 -0400
27722 +++ linux-2.6.36.1/drivers/platform/x86/eeepc-laptop.c 2010-11-06 18:58:15.000000000 -0400
27723 @@ -1114,7 +1114,7 @@ static int update_bl_status(struct backl
27724 return set_brightness(bd, bd->props.brightness);
27727 -static struct backlight_ops eeepcbl_ops = {
27728 +static const struct backlight_ops eeepcbl_ops = {
27729 .get_brightness = read_brightness,
27730 .update_status = update_bl_status,
27732 diff -urNp linux-2.6.36.1/drivers/platform/x86/fujitsu-laptop.c linux-2.6.36.1/drivers/platform/x86/fujitsu-laptop.c
27733 --- linux-2.6.36.1/drivers/platform/x86/fujitsu-laptop.c 2010-10-20 16:30:22.000000000 -0400
27734 +++ linux-2.6.36.1/drivers/platform/x86/fujitsu-laptop.c 2010-11-06 18:58:15.000000000 -0400
27735 @@ -437,7 +437,7 @@ static int bl_update_status(struct backl
27739 -static struct backlight_ops fujitsubl_ops = {
27740 +static const struct backlight_ops fujitsubl_ops = {
27741 .get_brightness = bl_get_brightness,
27742 .update_status = bl_update_status,
27744 diff -urNp linux-2.6.36.1/drivers/platform/x86/sony-laptop.c linux-2.6.36.1/drivers/platform/x86/sony-laptop.c
27745 --- linux-2.6.36.1/drivers/platform/x86/sony-laptop.c 2010-10-20 16:30:22.000000000 -0400
27746 +++ linux-2.6.36.1/drivers/platform/x86/sony-laptop.c 2010-11-06 18:58:15.000000000 -0400
27747 @@ -856,7 +856,7 @@ static int sony_backlight_get_brightness
27750 static struct backlight_device *sony_backlight_device;
27751 -static struct backlight_ops sony_backlight_ops = {
27752 +static const struct backlight_ops sony_backlight_ops = {
27753 .update_status = sony_backlight_update_status,
27754 .get_brightness = sony_backlight_get_brightness,
27756 diff -urNp linux-2.6.36.1/drivers/platform/x86/thinkpad_acpi.c linux-2.6.36.1/drivers/platform/x86/thinkpad_acpi.c
27757 --- linux-2.6.36.1/drivers/platform/x86/thinkpad_acpi.c 2010-10-20 16:30:22.000000000 -0400
27758 +++ linux-2.6.36.1/drivers/platform/x86/thinkpad_acpi.c 2010-11-06 18:58:15.000000000 -0400
27759 @@ -6109,7 +6109,7 @@ static void tpacpi_brightness_notify_cha
27760 BACKLIGHT_UPDATE_HOTKEY);
27763 -static struct backlight_ops ibm_backlight_data = {
27764 +static const struct backlight_ops ibm_backlight_data = {
27765 .get_brightness = brightness_get,
27766 .update_status = brightness_update_status,
27768 diff -urNp linux-2.6.36.1/drivers/platform/x86/toshiba_acpi.c linux-2.6.36.1/drivers/platform/x86/toshiba_acpi.c
27769 --- linux-2.6.36.1/drivers/platform/x86/toshiba_acpi.c 2010-10-20 16:30:22.000000000 -0400
27770 +++ linux-2.6.36.1/drivers/platform/x86/toshiba_acpi.c 2010-11-06 18:58:15.000000000 -0400
27771 @@ -847,7 +847,7 @@ static void remove_toshiba_proc_entries(
27772 remove_proc_entry("version", toshiba_proc_dir);
27775 -static struct backlight_ops toshiba_backlight_data = {
27776 +static const struct backlight_ops toshiba_backlight_data = {
27777 .get_brightness = get_lcd,
27778 .update_status = set_lcd_status,
27780 diff -urNp linux-2.6.36.1/drivers/pnp/pnpbios/bioscalls.c linux-2.6.36.1/drivers/pnp/pnpbios/bioscalls.c
27781 --- linux-2.6.36.1/drivers/pnp/pnpbios/bioscalls.c 2010-10-20 16:30:22.000000000 -0400
27782 +++ linux-2.6.36.1/drivers/pnp/pnpbios/bioscalls.c 2010-11-06 18:58:15.000000000 -0400
27783 @@ -59,7 +59,7 @@ do { \
27784 set_desc_limit(&gdt[(selname) >> 3], (size) - 1); \
27787 -static struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4092,
27788 +static const struct desc_struct bad_bios_desc = GDT_ENTRY_INIT(0x4093,
27789 (unsigned long)__va(0x400UL), PAGE_SIZE - 0x400 - 1);
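Review bot: The access byte of bad_bios_desc changes from 0x4092 to 0x4093, i.e. the descriptor's accessed bit is now set up front, with no comment explaining why; together with the descriptor becoming const and the GDT stores in the following hunks being bracketed by pax_open_kernel()/pax_close_kernel(), the intent is presumably that the CPU never needs to write the accessed bit into a GDT that may be read-only under KERNEXEC. A comment on the definition, `/* accessed bit pre-set: the GDT may be write-protected, so loading this descriptor must not fault */`, would record that. Without it the one-bit change reads like a typo to the next maintainer.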
27792 @@ -96,7 +96,10 @@ static inline u16 call_pnp_bios(u16 func
27795 save_desc_40 = get_cpu_gdt_table(cpu)[0x40 / 8];
27797 + pax_open_kernel();
27798 get_cpu_gdt_table(cpu)[0x40 / 8] = bad_bios_desc;
27799 + pax_close_kernel();
27801 /* On some boxes IRQ's during PnP BIOS calls are deadly. */
27802 spin_lock_irqsave(&pnp_bios_lock, flags);
27803 @@ -134,7 +137,10 @@ static inline u16 call_pnp_bios(u16 func
27805 spin_unlock_irqrestore(&pnp_bios_lock, flags);
27807 + pax_open_kernel();
27808 get_cpu_gdt_table(cpu)[0x40 / 8] = save_desc_40;
27809 + pax_close_kernel();
27813 /* If we get here and this is set then the PnP BIOS faulted on us. */
27814 @@ -468,7 +474,7 @@ int pnp_bios_read_escd(char *data, u32 n
27818 -void pnpbios_calls_init(union pnp_bios_install_struct *header)
27819 +void __init pnpbios_calls_init(union pnp_bios_install_struct *header)
27823 @@ -476,6 +482,8 @@ void pnpbios_calls_init(union pnp_bios_i
27824 pnp_bios_callpoint.offset = header->fields.pm16offset;
27825 pnp_bios_callpoint.segment = PNP_CS16;
27827 + pax_open_kernel();
27829 for_each_possible_cpu(i) {
27830 struct desc_struct *gdt = get_cpu_gdt_table(i);
27832 @@ -487,4 +495,6 @@ void pnpbios_calls_init(union pnp_bios_i
27833 set_desc_base(&gdt[GDT_ENTRY_PNPBIOS_DS],
27834 (unsigned long)__va(header->fields.pm16dseg));
27837 + pax_close_kernel();
27839 diff -urNp linux-2.6.36.1/drivers/pnp/quirks.c linux-2.6.36.1/drivers/pnp/quirks.c
27840 --- linux-2.6.36.1/drivers/pnp/quirks.c 2010-10-20 16:30:22.000000000 -0400
27841 +++ linux-2.6.36.1/drivers/pnp/quirks.c 2010-11-06 18:58:15.000000000 -0400
27842 @@ -322,7 +322,7 @@ static struct pnp_fixup pnp_fixups[] = {
27843 /* PnP resources that might overlap PCI BARs */
27844 {"PNP0c01", quirk_system_pci_resources},
27845 {"PNP0c02", quirk_system_pci_resources},
27850 void pnp_fixup_device(struct pnp_dev *dev)
27851 diff -urNp linux-2.6.36.1/drivers/pnp/resource.c linux-2.6.36.1/drivers/pnp/resource.c
27852 --- linux-2.6.36.1/drivers/pnp/resource.c 2010-10-20 16:30:22.000000000 -0400
27853 +++ linux-2.6.36.1/drivers/pnp/resource.c 2010-11-06 18:58:15.000000000 -0400
27854 @@ -360,7 +360,7 @@ int pnp_check_irq(struct pnp_dev *dev, s
27857 /* check if the resource is valid */
27858 - if (*irq < 0 || *irq > 15)
27862 /* check if the resource is reserved */
27863 @@ -424,7 +424,7 @@ int pnp_check_dma(struct pnp_dev *dev, s
27866 /* check if the resource is valid */
27867 - if (*dma < 0 || *dma == 4 || *dma > 7)
27868 + if (*dma == 4 || *dma > 7)
27871 /* check if the resource is reserved */
27872 diff -urNp linux-2.6.36.1/drivers/s390/cio/qdio_debug.c linux-2.6.36.1/drivers/s390/cio/qdio_debug.c
27873 --- linux-2.6.36.1/drivers/s390/cio/qdio_debug.c 2010-10-20 16:30:22.000000000 -0400
27874 +++ linux-2.6.36.1/drivers/s390/cio/qdio_debug.c 2010-11-06 18:58:15.000000000 -0400
27875 @@ -233,7 +233,7 @@ static int qperf_seq_open(struct inode *
27876 filp->f_path.dentry->d_inode->i_private);
27879 -static struct file_operations debugfs_perf_fops = {
27880 +static const struct file_operations debugfs_perf_fops = {
27881 .owner = THIS_MODULE,
27882 .open = qperf_seq_open,
27884 diff -urNp linux-2.6.36.1/drivers/scsi/ipr.c linux-2.6.36.1/drivers/scsi/ipr.c
27885 --- linux-2.6.36.1/drivers/scsi/ipr.c 2010-10-20 16:30:22.000000000 -0400
27886 +++ linux-2.6.36.1/drivers/scsi/ipr.c 2010-11-06 18:58:15.000000000 -0400
27887 @@ -6156,7 +6156,7 @@ static bool ipr_qc_fill_rtf(struct ata_q
27891 -static struct ata_port_operations ipr_sata_ops = {
27892 +static const struct ata_port_operations ipr_sata_ops = {
27893 .phy_reset = ipr_ata_phy_reset,
27894 .hardreset = ipr_sata_reset,
27895 .post_internal_cmd = ipr_ata_post_internal,
27896 diff -urNp linux-2.6.36.1/drivers/scsi/libfc/fc_exch.c linux-2.6.36.1/drivers/scsi/libfc/fc_exch.c
27897 --- linux-2.6.36.1/drivers/scsi/libfc/fc_exch.c 2010-10-20 16:30:22.000000000 -0400
27898 +++ linux-2.6.36.1/drivers/scsi/libfc/fc_exch.c 2010-11-06 18:58:15.000000000 -0400
27899 @@ -100,12 +100,12 @@ struct fc_exch_mgr {
27900 * all together if not used XXX
27903 - atomic_t no_free_exch;
27904 - atomic_t no_free_exch_xid;
27905 - atomic_t xid_not_found;
27906 - atomic_t xid_busy;
27907 - atomic_t seq_not_found;
27908 - atomic_t non_bls_resp;
27909 + atomic_unchecked_t no_free_exch;
27910 + atomic_unchecked_t no_free_exch_xid;
27911 + atomic_unchecked_t xid_not_found;
27912 + atomic_unchecked_t xid_busy;
27913 + atomic_unchecked_t seq_not_found;
27914 + atomic_unchecked_t non_bls_resp;
27917 #define fc_seq_exch(sp) container_of(sp, struct fc_exch, seq)
27918 @@ -670,7 +670,7 @@ static struct fc_exch *fc_exch_em_alloc(
27919 /* allocate memory for exchange */
27920 ep = mempool_alloc(mp->ep_pool, GFP_ATOMIC);
27922 - atomic_inc(&mp->stats.no_free_exch);
27923 + atomic_inc_unchecked(&mp->stats.no_free_exch);
27926 memset(ep, 0, sizeof(*ep));
27927 @@ -718,7 +718,7 @@ out:
27930 spin_unlock_bh(&pool->lock);
27931 - atomic_inc(&mp->stats.no_free_exch_xid);
27932 + atomic_inc_unchecked(&mp->stats.no_free_exch_xid);
27933 mempool_free(ep, mp->ep_pool);
27936 @@ -863,7 +863,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27937 xid = ntohs(fh->fh_ox_id); /* we originated exch */
27938 ep = fc_exch_find(mp, xid);
27940 - atomic_inc(&mp->stats.xid_not_found);
27941 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27942 reject = FC_RJT_OX_ID;
27945 @@ -893,7 +893,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27946 ep = fc_exch_find(mp, xid);
27947 if ((f_ctl & FC_FC_FIRST_SEQ) && fc_sof_is_init(fr_sof(fp))) {
27949 - atomic_inc(&mp->stats.xid_busy);
27950 + atomic_inc_unchecked(&mp->stats.xid_busy);
27951 reject = FC_RJT_RX_ID;
27954 @@ -904,7 +904,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27956 xid = ep->xid; /* get our XID */
27958 - atomic_inc(&mp->stats.xid_not_found);
27959 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27960 reject = FC_RJT_RX_ID; /* XID not found */
27963 @@ -921,7 +921,7 @@ static enum fc_pf_rjt_reason fc_seq_look
27966 if (sp->id != fh->fh_seq_id) {
27967 - atomic_inc(&mp->stats.seq_not_found);
27968 + atomic_inc_unchecked(&mp->stats.seq_not_found);
27969 reject = FC_RJT_SEQ_ID; /* sequence/exch should exist */
27972 @@ -1338,22 +1338,22 @@ static void fc_exch_recv_seq_resp(struct
27974 ep = fc_exch_find(mp, ntohs(fh->fh_ox_id));
27976 - atomic_inc(&mp->stats.xid_not_found);
27977 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27980 if (ep->esb_stat & ESB_ST_COMPLETE) {
27981 - atomic_inc(&mp->stats.xid_not_found);
27982 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27985 if (ep->rxid == FC_XID_UNKNOWN)
27986 ep->rxid = ntohs(fh->fh_rx_id);
27987 if (ep->sid != 0 && ep->sid != ntoh24(fh->fh_d_id)) {
27988 - atomic_inc(&mp->stats.xid_not_found);
27989 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27992 if (ep->did != ntoh24(fh->fh_s_id) &&
27993 ep->did != FC_FID_FLOGI) {
27994 - atomic_inc(&mp->stats.xid_not_found);
27995 + atomic_inc_unchecked(&mp->stats.xid_not_found);
27999 @@ -1362,7 +1362,7 @@ static void fc_exch_recv_seq_resp(struct
28000 sp->ssb_stat |= SSB_ST_RESP;
28001 sp->id = fh->fh_seq_id;
28002 } else if (sp->id != fh->fh_seq_id) {
28003 - atomic_inc(&mp->stats.seq_not_found);
28004 + atomic_inc_unchecked(&mp->stats.seq_not_found);
28008 @@ -1425,9 +1425,9 @@ static void fc_exch_recv_resp(struct fc_
28009 sp = fc_seq_lookup_orig(mp, fp); /* doesn't hold sequence */
28012 - atomic_inc(&mp->stats.xid_not_found);
28013 + atomic_inc_unchecked(&mp->stats.xid_not_found);
28015 - atomic_inc(&mp->stats.non_bls_resp);
28016 + atomic_inc_unchecked(&mp->stats.non_bls_resp);
28020 diff -urNp linux-2.6.36.1/drivers/scsi/libsas/sas_ata.c linux-2.6.36.1/drivers/scsi/libsas/sas_ata.c
28021 --- linux-2.6.36.1/drivers/scsi/libsas/sas_ata.c 2010-11-26 18:26:24.000000000 -0500
28022 +++ linux-2.6.36.1/drivers/scsi/libsas/sas_ata.c 2010-11-26 18:27:55.000000000 -0500
28023 @@ -344,10 +344,10 @@ static int sas_ata_scr_read(struct ata_l
28027 -static struct ata_port_operations sas_sata_ops = {
28028 +static const struct ata_port_operations sas_sata_ops = {
28029 .phy_reset = sas_ata_phy_reset,
28030 .post_internal_cmd = sas_ata_post_internal,
28031 - .qc_defer = ata_std_qc_defer,
28032 + .qc_defer = ata_std_qc_defer,
28033 .qc_prep = ata_noop_qc_prep,
28034 .qc_issue = sas_ata_qc_issue,
28035 .qc_fill_rtf = sas_ata_qc_fill_rtf,
28036 diff -urNp linux-2.6.36.1/drivers/scsi/mpt2sas/mpt2sas_debug.h linux-2.6.36.1/drivers/scsi/mpt2sas/mpt2sas_debug.h
28037 --- linux-2.6.36.1/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-10-20 16:30:22.000000000 -0400
28038 +++ linux-2.6.36.1/drivers/scsi/mpt2sas/mpt2sas_debug.h 2010-11-06 18:58:15.000000000 -0400
28043 -#define MPT_CHECK_LOGGING(IOC, CMD, BITS)
28044 +#define MPT_CHECK_LOGGING(IOC, CMD, BITS) do {} while (0)
28045 #endif /* CONFIG_SCSI_MPT2SAS_LOGGING */
28048 diff -urNp linux-2.6.36.1/drivers/scsi/qla2xxx/qla_os.c linux-2.6.36.1/drivers/scsi/qla2xxx/qla_os.c
28049 --- linux-2.6.36.1/drivers/scsi/qla2xxx/qla_os.c 2010-10-20 16:30:22.000000000 -0400
28050 +++ linux-2.6.36.1/drivers/scsi/qla2xxx/qla_os.c 2010-11-06 18:58:15.000000000 -0400
28051 @@ -3946,7 +3946,7 @@ static struct pci_driver qla2xxx_pci_dri
28052 .err_handler = &qla2xxx_err_handler,
28055 -static struct file_operations apidev_fops = {
28056 +static const struct file_operations apidev_fops = {
28057 .owner = THIS_MODULE,
28060 diff -urNp linux-2.6.36.1/drivers/scsi/scsi_logging.h linux-2.6.36.1/drivers/scsi/scsi_logging.h
28061 --- linux-2.6.36.1/drivers/scsi/scsi_logging.h 2010-10-20 16:30:22.000000000 -0400
28062 +++ linux-2.6.36.1/drivers/scsi/scsi_logging.h 2010-11-06 18:58:15.000000000 -0400
28063 @@ -51,7 +51,7 @@ do { \
28067 -#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD)
28068 +#define SCSI_CHECK_LOGGING(SHIFT, BITS, LEVEL, CMD) do {} while (0)
28069 #endif /* CONFIG_SCSI_LOGGING */
28072 diff -urNp linux-2.6.36.1/drivers/scsi/sg.c linux-2.6.36.1/drivers/scsi/sg.c
28073 --- linux-2.6.36.1/drivers/scsi/sg.c 2010-10-20 16:30:22.000000000 -0400
28074 +++ linux-2.6.36.1/drivers/scsi/sg.c 2010-11-06 18:58:15.000000000 -0400
28075 @@ -2307,7 +2307,7 @@ struct sg_proc_leaf {
28076 const struct file_operations * fops;
28079 -static struct sg_proc_leaf sg_proc_leaf_arr[] = {
28080 +static const struct sg_proc_leaf sg_proc_leaf_arr[] = {
28081 {"allow_dio", &adio_fops},
28082 {"debug", &debug_fops},
28083 {"def_reserved_size", &dressz_fops},
28084 @@ -2322,7 +2322,7 @@ sg_proc_init(void)
28087 int num_leaves = ARRAY_SIZE(sg_proc_leaf_arr);
28088 - struct sg_proc_leaf * leaf;
28089 + const struct sg_proc_leaf * leaf;
28091 sg_proc_sgp = proc_mkdir(sg_proc_sg_dirname, NULL);
28093 diff -urNp linux-2.6.36.1/drivers/serial/8250_pci.c linux-2.6.36.1/drivers/serial/8250_pci.c
28094 --- linux-2.6.36.1/drivers/serial/8250_pci.c 2010-10-20 16:30:22.000000000 -0400
28095 +++ linux-2.6.36.1/drivers/serial/8250_pci.c 2010-11-06 18:58:15.000000000 -0400
28096 @@ -3777,7 +3777,7 @@ static struct pci_device_id serial_pci_t
28097 PCI_ANY_ID, PCI_ANY_ID,
28098 PCI_CLASS_COMMUNICATION_MULTISERIAL << 8,
28099 0xffff00, pbn_default },
28101 + { 0, 0, 0, 0, 0, 0, 0 }
28104 static struct pci_driver serial_pci_driver = {
28105 diff -urNp linux-2.6.36.1/drivers/serial/kgdboc.c linux-2.6.36.1/drivers/serial/kgdboc.c
28106 --- linux-2.6.36.1/drivers/serial/kgdboc.c 2010-10-20 16:30:22.000000000 -0400
28107 +++ linux-2.6.36.1/drivers/serial/kgdboc.c 2010-11-06 18:58:15.000000000 -0400
28110 #define MAX_CONFIG_LEN 40
28112 -static struct kgdb_io kgdboc_io_ops;
28113 +/* cannot be const, see configure_kgdboc() */
28114 +static struct kgdb_io kgdboc_io_ops;
28116 /* -1 = init not run yet, 0 = unconfigured, 1 = configured. */
28117 static int configured = -1;
28118 @@ -233,6 +234,7 @@ static void kgdboc_post_exp_handler(void
28122 +/* cannot be const, see configure_kgdboc() */
28123 static struct kgdb_io kgdboc_io_ops = {
28125 .read_char = kgdboc_get_char,
28126 diff -urNp linux-2.6.36.1/drivers/staging/comedi/comedi_fops.c linux-2.6.36.1/drivers/staging/comedi/comedi_fops.c
28127 --- linux-2.6.36.1/drivers/staging/comedi/comedi_fops.c 2010-10-20 16:30:22.000000000 -0400
28128 +++ linux-2.6.36.1/drivers/staging/comedi/comedi_fops.c 2010-11-06 18:58:15.000000000 -0400
28129 @@ -1425,7 +1425,7 @@ static void comedi_unmap(struct vm_area_
28130 mutex_unlock(&dev->mutex);
28133 -static struct vm_operations_struct comedi_vm_ops = {
28134 +static const struct vm_operations_struct comedi_vm_ops = {
28135 .close = comedi_unmap,
28138 diff -urNp linux-2.6.36.1/drivers/staging/dream/pmem.c linux-2.6.36.1/drivers/staging/dream/pmem.c
28139 --- linux-2.6.36.1/drivers/staging/dream/pmem.c 2010-10-20 16:30:22.000000000 -0400
28140 +++ linux-2.6.36.1/drivers/staging/dream/pmem.c 2010-11-06 18:58:15.000000000 -0400
28141 @@ -1201,7 +1201,7 @@ static ssize_t debug_read(struct file *f
28142 return simple_read_from_buffer(buf, count, ppos, buffer, n);
28145 -static struct file_operations debug_fops = {
28146 +static const struct file_operations debug_fops = {
28147 .read = debug_read,
28148 .open = debug_open,
28150 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/adsp_driver.c linux-2.6.36.1/drivers/staging/dream/qdsp5/adsp_driver.c
28151 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/adsp_driver.c 2010-10-20 16:30:22.000000000 -0400
28152 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/adsp_driver.c 2010-11-06 18:58:15.000000000 -0400
28153 @@ -577,7 +577,7 @@ static struct adsp_device *inode_to_devi
28154 static dev_t adsp_devno;
28155 static struct class *adsp_class;
28157 -static struct file_operations adsp_fops = {
28158 +static const struct file_operations adsp_fops = {
28159 .owner = THIS_MODULE,
28161 .unlocked_ioctl = adsp_ioctl,
28162 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_aac.c linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_aac.c
28163 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_aac.c 2010-10-20 16:30:22.000000000 -0400
28164 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_aac.c 2010-11-06 18:58:15.000000000 -0400
28165 @@ -1023,7 +1023,7 @@ done:
28169 -static struct file_operations audio_aac_fops = {
28170 +static const struct file_operations audio_aac_fops = {
28171 .owner = THIS_MODULE,
28172 .open = audio_open,
28173 .release = audio_release,
28174 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_amrnb.c linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_amrnb.c
28175 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-10-20 16:30:22.000000000 -0400
28176 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_amrnb.c 2010-11-06 18:58:15.000000000 -0400
28177 @@ -834,7 +834,7 @@ done:
28181 -static struct file_operations audio_amrnb_fops = {
28182 +static const struct file_operations audio_amrnb_fops = {
28183 .owner = THIS_MODULE,
28184 .open = audamrnb_open,
28185 .release = audamrnb_release,
28186 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_evrc.c linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_evrc.c
28187 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_evrc.c 2010-10-20 16:30:22.000000000 -0400
28188 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_evrc.c 2010-11-06 18:58:15.000000000 -0400
28189 @@ -806,7 +806,7 @@ dma_fail:
28193 -static struct file_operations audio_evrc_fops = {
28194 +static const struct file_operations audio_evrc_fops = {
28195 .owner = THIS_MODULE,
28196 .open = audevrc_open,
28197 .release = audevrc_release,
28198 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_in.c linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_in.c
28199 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_in.c 2010-10-20 16:30:22.000000000 -0400
28200 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_in.c 2010-11-06 18:58:15.000000000 -0400
28201 @@ -914,7 +914,7 @@ static int audpre_open(struct inode *ino
28205 -static struct file_operations audio_fops = {
28206 +static const struct file_operations audio_fops = {
28207 .owner = THIS_MODULE,
28208 .open = audio_in_open,
28209 .release = audio_in_release,
28210 @@ -923,7 +923,7 @@ static struct file_operations audio_fops
28211 .unlocked_ioctl = audio_in_ioctl,
28214 -static struct file_operations audpre_fops = {
28215 +static const struct file_operations audpre_fops = {
28216 .owner = THIS_MODULE,
28217 .open = audpre_open,
28218 .unlocked_ioctl = audpre_ioctl,
28219 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_mp3.c linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_mp3.c
28220 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_mp3.c 2010-10-20 16:30:22.000000000 -0400
28221 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_mp3.c 2010-11-06 18:58:15.000000000 -0400
28222 @@ -941,7 +941,7 @@ done:
28226 -static struct file_operations audio_mp3_fops = {
28227 +static const struct file_operations audio_mp3_fops = {
28228 .owner = THIS_MODULE,
28229 .open = audio_open,
28230 .release = audio_release,
28231 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_out.c linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_out.c
28232 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_out.c 2010-10-20 16:30:22.000000000 -0400
28233 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_out.c 2010-11-06 18:58:15.000000000 -0400
28234 @@ -800,7 +800,7 @@ static int audpp_open(struct inode *inod
28238 -static struct file_operations audio_fops = {
28239 +static const struct file_operations audio_fops = {
28240 .owner = THIS_MODULE,
28241 .open = audio_open,
28242 .release = audio_release,
28243 @@ -809,7 +809,7 @@ static struct file_operations audio_fops
28244 .unlocked_ioctl = audio_ioctl,
28247 -static struct file_operations audpp_fops = {
28248 +static const struct file_operations audpp_fops = {
28249 .owner = THIS_MODULE,
28250 .open = audpp_open,
28251 .unlocked_ioctl = audpp_ioctl,
28252 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_qcelp.c linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_qcelp.c
28253 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-10-20 16:30:22.000000000 -0400
28254 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/audio_qcelp.c 2010-11-06 18:58:15.000000000 -0400
28255 @@ -817,7 +817,7 @@ err:
28259 -static struct file_operations audio_qcelp_fops = {
28260 +static const struct file_operations audio_qcelp_fops = {
28261 .owner = THIS_MODULE,
28262 .open = audqcelp_open,
28263 .release = audqcelp_release,
28264 diff -urNp linux-2.6.36.1/drivers/staging/dream/qdsp5/snd.c linux-2.6.36.1/drivers/staging/dream/qdsp5/snd.c
28265 --- linux-2.6.36.1/drivers/staging/dream/qdsp5/snd.c 2010-10-20 16:30:22.000000000 -0400
28266 +++ linux-2.6.36.1/drivers/staging/dream/qdsp5/snd.c 2010-11-06 18:58:15.000000000 -0400
28267 @@ -242,7 +242,7 @@ err:
28271 -static struct file_operations snd_fops = {
28272 +static const struct file_operations snd_fops = {
28273 .owner = THIS_MODULE,
28275 .release = snd_release,
28276 diff -urNp linux-2.6.36.1/drivers/staging/go7007/go7007-v4l2.c linux-2.6.36.1/drivers/staging/go7007/go7007-v4l2.c
28277 --- linux-2.6.36.1/drivers/staging/go7007/go7007-v4l2.c 2010-10-20 16:30:22.000000000 -0400
28278 +++ linux-2.6.36.1/drivers/staging/go7007/go7007-v4l2.c 2010-11-06 18:58:15.000000000 -0400
28279 @@ -1673,7 +1673,7 @@ static int go7007_vm_fault(struct vm_are
28283 -static struct vm_operations_struct go7007_vm_ops = {
28284 +static const struct vm_operations_struct go7007_vm_ops = {
28285 .open = go7007_vm_open,
28286 .close = go7007_vm_close,
28287 .fault = go7007_vm_fault,
28288 diff -urNp linux-2.6.36.1/drivers/staging/hv/hv.c linux-2.6.36.1/drivers/staging/hv/hv.c
28289 --- linux-2.6.36.1/drivers/staging/hv/hv.c 2010-10-20 16:30:22.000000000 -0400
28290 +++ linux-2.6.36.1/drivers/staging/hv/hv.c 2010-11-06 18:58:15.000000000 -0400
28291 @@ -162,7 +162,7 @@ static u64 HvDoHypercall(u64 Control, vo
28292 u64 outputAddress = (Output) ? virt_to_phys(Output) : 0;
28293 u32 outputAddressHi = outputAddress >> 32;
28294 u32 outputAddressLo = outputAddress & 0xFFFFFFFF;
28295 - volatile void *hypercallPage = gHvContext.HypercallPage;
28296 + volatile void *hypercallPage = ktva_ktla(gHvContext.HypercallPage);
28298 DPRINT_DBG(VMBUS, "Hypercall <control %llx input %p output %p>",
28299 Control, Input, Output);
28300 diff -urNp linux-2.6.36.1/drivers/staging/msm/msm_fb_bl.c linux-2.6.36.1/drivers/staging/msm/msm_fb_bl.c
28301 --- linux-2.6.36.1/drivers/staging/msm/msm_fb_bl.c 2010-10-20 16:30:22.000000000 -0400
28302 +++ linux-2.6.36.1/drivers/staging/msm/msm_fb_bl.c 2010-11-06 18:58:15.000000000 -0400
28303 @@ -42,7 +42,7 @@ static int msm_fb_bl_update_status(struc
28307 -static struct backlight_ops msm_fb_bl_ops = {
28308 +static const struct backlight_ops msm_fb_bl_ops = {
28309 .get_brightness = msm_fb_bl_get_brightness,
28310 .update_status = msm_fb_bl_update_status,
28312 diff -urNp linux-2.6.36.1/drivers/staging/phison/phison.c linux-2.6.36.1/drivers/staging/phison/phison.c
28313 --- linux-2.6.36.1/drivers/staging/phison/phison.c 2010-11-26 18:26:24.000000000 -0500
28314 +++ linux-2.6.36.1/drivers/staging/phison/phison.c 2010-11-26 18:27:11.000000000 -0500
28315 @@ -43,7 +43,7 @@ static struct scsi_host_template phison_
28316 ATA_BMDMA_SHT(DRV_NAME),
28319 -static struct ata_port_operations phison_ops = {
28320 +static const struct ata_port_operations phison_ops = {
28321 .inherits = &ata_bmdma_port_ops,
28322 .prereset = phison_pre_reset,
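Review bot: Making phison_ops a const struct ata_port_operations is risky for an instance that carries `.inherits = &ata_bmdma_port_ops`, because libata resolves inherited slots by writing into the ops object itself at port registration (ata_finalize_port_ops in libata-core.c); with the object placed in read-only data that fill-in would fault unless the core was adapted in the same patch, which this hunk does not show. If libata was changed elsewhere to make that write const-safe, a comment at the declaration such as `/* const is safe: libata fills inherited slots through its own const-aware path */` would tell the next reader why, mirroring the "cannot be const" comments the patch adds in ehci-dbgp.c; otherwise the const should be dropped here. The scsi_host_template definition named in the hunk header starts outside the hunk.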
28324 diff -urNp linux-2.6.36.1/drivers/staging/pohmelfs/inode.c linux-2.6.36.1/drivers/staging/pohmelfs/inode.c
28325 --- linux-2.6.36.1/drivers/staging/pohmelfs/inode.c 2010-10-20 16:30:22.000000000 -0400
28326 +++ linux-2.6.36.1/drivers/staging/pohmelfs/inode.c 2010-11-06 18:58:15.000000000 -0400
28327 @@ -1852,7 +1852,7 @@ static int pohmelfs_fill_super(struct su
28328 mutex_init(&psb->mcache_lock);
28329 psb->mcache_root = RB_ROOT;
28330 psb->mcache_timeout = msecs_to_jiffies(5000);
28331 - atomic_long_set(&psb->mcache_gen, 0);
28332 + atomic_long_set_unchecked(&psb->mcache_gen, 0);
28334 psb->trans_max_pages = 100;
28336 diff -urNp linux-2.6.36.1/drivers/staging/pohmelfs/mcache.c linux-2.6.36.1/drivers/staging/pohmelfs/mcache.c
28337 --- linux-2.6.36.1/drivers/staging/pohmelfs/mcache.c 2010-10-20 16:30:22.000000000 -0400
28338 +++ linux-2.6.36.1/drivers/staging/pohmelfs/mcache.c 2010-11-06 18:58:15.000000000 -0400
28339 @@ -121,7 +121,7 @@ struct pohmelfs_mcache *pohmelfs_mcache_
28343 - m->gen = atomic_long_inc_return(&psb->mcache_gen);
28344 + m->gen = atomic_long_inc_return_unchecked(&psb->mcache_gen);
28346 mutex_lock(&psb->mcache_lock);
28347 err = pohmelfs_mcache_insert(psb, m);
28348 diff -urNp linux-2.6.36.1/drivers/staging/pohmelfs/netfs.h linux-2.6.36.1/drivers/staging/pohmelfs/netfs.h
28349 --- linux-2.6.36.1/drivers/staging/pohmelfs/netfs.h 2010-10-20 16:30:22.000000000 -0400
28350 +++ linux-2.6.36.1/drivers/staging/pohmelfs/netfs.h 2010-11-06 18:58:15.000000000 -0400
28351 @@ -571,7 +571,7 @@ struct pohmelfs_config;
28352 struct pohmelfs_sb {
28353 struct rb_root mcache_root;
28354 struct mutex mcache_lock;
28355 - atomic_long_t mcache_gen;
28356 + atomic_long_unchecked_t mcache_gen;
28357 unsigned long mcache_timeout;
28360 diff -urNp linux-2.6.36.1/drivers/staging/rtl8192u/ieee80211/proc.c linux-2.6.36.1/drivers/staging/rtl8192u/ieee80211/proc.c
28361 --- linux-2.6.36.1/drivers/staging/rtl8192u/ieee80211/proc.c 2010-10-20 16:30:22.000000000 -0400
28362 +++ linux-2.6.36.1/drivers/staging/rtl8192u/ieee80211/proc.c 2010-11-06 18:58:15.000000000 -0400
28363 @@ -99,7 +99,7 @@ static int crypto_info_open(struct inode
28364 return seq_open(file, &crypto_seq_ops);
28367 -static struct file_operations proc_crypto_ops = {
28368 +static const struct file_operations proc_crypto_ops = {
28369 .open = crypto_info_open,
28371 .llseek = seq_lseek,
28372 diff -urNp linux-2.6.36.1/drivers/staging/samsung-laptop/samsung-laptop.c linux-2.6.36.1/drivers/staging/samsung-laptop/samsung-laptop.c
28373 --- linux-2.6.36.1/drivers/staging/samsung-laptop/samsung-laptop.c 2010-10-20 16:30:22.000000000 -0400
28374 +++ linux-2.6.36.1/drivers/staging/samsung-laptop/samsung-laptop.c 2010-11-06 18:58:15.000000000 -0400
28375 @@ -269,7 +269,7 @@ static int update_status(struct backligh
28379 -static struct backlight_ops backlight_ops = {
28380 +static const struct backlight_ops backlight_ops = {
28381 .get_brightness = get_brightness,
28382 .update_status = update_status,
28384 diff -urNp linux-2.6.36.1/drivers/staging/spectra/ffsport.c linux-2.6.36.1/drivers/staging/spectra/ffsport.c
28385 --- linux-2.6.36.1/drivers/staging/spectra/ffsport.c 2010-10-20 16:30:22.000000000 -0400
28386 +++ linux-2.6.36.1/drivers/staging/spectra/ffsport.c 2010-11-06 18:58:15.000000000 -0400
28387 @@ -602,7 +602,7 @@ int GLOB_SBD_unlocked_ioctl(struct block
28391 -static struct block_device_operations GLOB_SBD_ops = {
28392 +static const struct block_device_operations GLOB_SBD_ops = {
28393 .owner = THIS_MODULE,
28394 .open = GLOB_SBD_open,
28395 .release = GLOB_SBD_release,
28396 diff -urNp linux-2.6.36.1/drivers/staging/vme/devices/vme_user.c linux-2.6.36.1/drivers/staging/vme/devices/vme_user.c
28397 --- linux-2.6.36.1/drivers/staging/vme/devices/vme_user.c 2010-10-20 16:30:22.000000000 -0400
28398 +++ linux-2.6.36.1/drivers/staging/vme/devices/vme_user.c 2010-11-06 18:58:15.000000000 -0400
28399 @@ -137,7 +137,7 @@ static long vme_user_unlocked_ioctl(stru
28400 static int __init vme_user_probe(struct device *, int, int);
28401 static int __exit vme_user_remove(struct device *, int, int);
28403 -static struct file_operations vme_user_fops = {
28404 +static const struct file_operations vme_user_fops = {
28405 .open = vme_user_open,
28406 .release = vme_user_release,
28407 .read = vme_user_read,
28408 diff -urNp linux-2.6.36.1/drivers/usb/atm/cxacru.c linux-2.6.36.1/drivers/usb/atm/cxacru.c
28409 --- linux-2.6.36.1/drivers/usb/atm/cxacru.c 2010-10-20 16:30:22.000000000 -0400
28410 +++ linux-2.6.36.1/drivers/usb/atm/cxacru.c 2010-11-06 18:58:15.000000000 -0400
28411 @@ -473,7 +473,7 @@ static ssize_t cxacru_sysfs_store_adsl_c
28412 ret = sscanf(buf + pos, "%x=%x%n", &index, &value, &tmp);
28415 - if (index < 0 || index > 0x7f)
28416 + if (index > 0x7f)
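Review bot: Removing the `index < 0` half of the bound check is only dead-code removal if `index` is an unsigned type, and its declaration is outside the hunk; if it is a plain `int`, a negative value parsed from the sysfs write by `%x` now passes the upper-bound test alone. The same pattern appears in fbcmap.c (`cmap->start`) and in the do_fb_ioctl hunk of fbmem.c (`con2fb.framebuffer`, which then indexes `registered_fb[]`), both feeding user-supplied values into kernel-side lookups. Since the change looks like a response to a compiler warning about a comparison that is always false, a short comment at the check, e.g. `/* index is unsigned, so only the upper bound can be violated */`, would keep the reasoning with the code and make a future type change visible.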
28420 diff -urNp linux-2.6.36.1/drivers/usb/atm/usbatm.c linux-2.6.36.1/drivers/usb/atm/usbatm.c
28421 --- linux-2.6.36.1/drivers/usb/atm/usbatm.c 2010-10-20 16:30:22.000000000 -0400
28422 +++ linux-2.6.36.1/drivers/usb/atm/usbatm.c 2010-11-06 18:58:15.000000000 -0400
28423 @@ -332,7 +332,7 @@ static void usbatm_extract_one_cell(stru
28424 if (printk_ratelimit())
28425 atm_warn(instance, "%s: OAM not supported (vpi %d, vci %d)!\n",
28426 __func__, vpi, vci);
28427 - atomic_inc(&vcc->stats->rx_err);
28428 + atomic_inc_unchecked(&vcc->stats->rx_err);
28432 @@ -360,7 +360,7 @@ static void usbatm_extract_one_cell(stru
28433 if (length > ATM_MAX_AAL5_PDU) {
28434 atm_rldbg(instance, "%s: bogus length %u (vcc: 0x%p)!\n",
28435 __func__, length, vcc);
28436 - atomic_inc(&vcc->stats->rx_err);
28437 + atomic_inc_unchecked(&vcc->stats->rx_err);
28441 @@ -369,14 +369,14 @@ static void usbatm_extract_one_cell(stru
28442 if (sarb->len < pdu_length) {
28443 atm_rldbg(instance, "%s: bogus pdu_length %u (sarb->len: %u, vcc: 0x%p)!\n",
28444 __func__, pdu_length, sarb->len, vcc);
28445 - atomic_inc(&vcc->stats->rx_err);
28446 + atomic_inc_unchecked(&vcc->stats->rx_err);
28450 if (crc32_be(~0, skb_tail_pointer(sarb) - pdu_length, pdu_length) != 0xc704dd7b) {
28451 atm_rldbg(instance, "%s: packet failed crc check (vcc: 0x%p)!\n",
28453 - atomic_inc(&vcc->stats->rx_err);
28454 + atomic_inc_unchecked(&vcc->stats->rx_err);
28458 @@ -386,7 +386,7 @@ static void usbatm_extract_one_cell(stru
28459 if (printk_ratelimit())
28460 atm_err(instance, "%s: no memory for skb (length: %u)!\n",
28462 - atomic_inc(&vcc->stats->rx_drop);
28463 + atomic_inc_unchecked(&vcc->stats->rx_drop);
28467 @@ -411,7 +411,7 @@ static void usbatm_extract_one_cell(stru
28469 vcc->push(vcc, skb);
28471 - atomic_inc(&vcc->stats->rx);
28472 + atomic_inc_unchecked(&vcc->stats->rx);
28476 @@ -614,7 +614,7 @@ static void usbatm_tx_process(unsigned l
28477 struct atm_vcc *vcc = UDSL_SKB(skb)->atm.vcc;
28479 usbatm_pop(vcc, skb);
28480 - atomic_inc(&vcc->stats->tx);
28481 + atomic_inc_unchecked(&vcc->stats->tx);
28483 skb = skb_dequeue(&instance->sndqueue);
28485 @@ -773,11 +773,11 @@ static int usbatm_atm_proc_read(struct a
28487 return sprintf(page,
28488 "AAL5: tx %d ( %d err ), rx %d ( %d err, %d drop )\n",
28489 - atomic_read(&atm_dev->stats.aal5.tx),
28490 - atomic_read(&atm_dev->stats.aal5.tx_err),
28491 - atomic_read(&atm_dev->stats.aal5.rx),
28492 - atomic_read(&atm_dev->stats.aal5.rx_err),
28493 - atomic_read(&atm_dev->stats.aal5.rx_drop));
28494 + atomic_read_unchecked(&atm_dev->stats.aal5.tx),
28495 + atomic_read_unchecked(&atm_dev->stats.aal5.tx_err),
28496 + atomic_read_unchecked(&atm_dev->stats.aal5.rx),
28497 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_err),
28498 + atomic_read_unchecked(&atm_dev->stats.aal5.rx_drop));
28501 if (instance->disconnected)
28502 diff -urNp linux-2.6.36.1/drivers/usb/class/cdc-acm.c linux-2.6.36.1/drivers/usb/class/cdc-acm.c
28503 --- linux-2.6.36.1/drivers/usb/class/cdc-acm.c 2010-10-20 16:30:22.000000000 -0400
28504 +++ linux-2.6.36.1/drivers/usb/class/cdc-acm.c 2010-11-06 18:58:15.000000000 -0400
28505 @@ -1634,7 +1634,7 @@ static const struct usb_device_id acm_id
28506 { USB_INTERFACE_INFO(USB_CLASS_COMM, USB_CDC_SUBCLASS_ACM,
28507 USB_CDC_ACM_PROTO_AT_CDMA) },
28510 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }
28513 MODULE_DEVICE_TABLE(usb, acm_ids);
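Review bot: The new terminating entry spells out twelve positional zeros, which hard-codes the member count of struct usb_device_id and records nothing about why the empty initializer had to go; the same replacement is made in usblp.c, hub.c and usual-tables.c, in ehci-pci.c and uhci-hcd.c (seven zeros for struct pci_device_id), in usb.c (`{ NULL, NULL, 0, 0, NULL }`) and in i810_main.c. A designated initializer such as `{ .match_flags = 0 } /* Terminating entry */` keeps the all-zero meaning without depending on field order or count, or a one-line comment at this first site could record the build reason the patch is addressing. The removed line of this hunk is not visible in the rendering, so the old form is inferred from the sibling hunks.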
28514 diff -urNp linux-2.6.36.1/drivers/usb/class/cdc-wdm.c linux-2.6.36.1/drivers/usb/class/cdc-wdm.c
28515 --- linux-2.6.36.1/drivers/usb/class/cdc-wdm.c 2010-10-20 16:30:22.000000000 -0400
28516 +++ linux-2.6.36.1/drivers/usb/class/cdc-wdm.c 2010-11-06 18:58:15.000000000 -0400
28517 @@ -342,7 +342,7 @@ static ssize_t wdm_write
28521 - if (!file->f_flags && O_NONBLOCK)
28522 + if (!(file->f_flags & O_NONBLOCK))
28523 r = wait_event_interruptible(desc->wait, !test_bit(WDM_IN_USE,
28526 diff -urNp linux-2.6.36.1/drivers/usb/class/usblp.c linux-2.6.36.1/drivers/usb/class/usblp.c
28527 --- linux-2.6.36.1/drivers/usb/class/usblp.c 2010-10-20 16:30:22.000000000 -0400
28528 +++ linux-2.6.36.1/drivers/usb/class/usblp.c 2010-11-06 18:58:15.000000000 -0400
28529 @@ -227,7 +227,7 @@ static const struct quirk_printer_struct
28530 { 0x0482, 0x0010, USBLP_QUIRK_BIDIR }, /* Kyocera Mita FS 820, by zut <kernel@zut.de> */
28531 { 0x04f9, 0x000d, USBLP_QUIRK_BIDIR }, /* Brother Industries, Ltd HL-1440 Laser Printer */
28532 { 0x04b8, 0x0202, USBLP_QUIRK_BAD_CLASS }, /* Seiko Epson Receipt Printer M129C */
28537 static int usblp_wwait(struct usblp *usblp, int nonblock);
28538 @@ -1397,7 +1397,7 @@ static const struct usb_device_id usblp_
28539 { USB_INTERFACE_INFO(7, 1, 2) },
28540 { USB_INTERFACE_INFO(7, 1, 3) },
28541 { USB_DEVICE(0x04b8, 0x0202) }, /* Seiko Epson Receipt Printer M129C */
28542 - { } /* Terminating entry */
28543 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28546 MODULE_DEVICE_TABLE(usb, usblp_ids);
28547 diff -urNp linux-2.6.36.1/drivers/usb/core/hcd.c linux-2.6.36.1/drivers/usb/core/hcd.c
28548 --- linux-2.6.36.1/drivers/usb/core/hcd.c 2010-10-20 16:30:22.000000000 -0400
28549 +++ linux-2.6.36.1/drivers/usb/core/hcd.c 2010-11-06 18:58:15.000000000 -0400
28550 @@ -2420,7 +2420,7 @@ EXPORT_SYMBOL_GPL(usb_hcd_platform_shutd
28552 #if defined(CONFIG_USB_MON) || defined(CONFIG_USB_MON_MODULE)
28554 -struct usb_mon_operations *mon_ops;
28555 +const struct usb_mon_operations *mon_ops;
28558 * The registration is unlocked.
28559 @@ -2430,7 +2430,7 @@ struct usb_mon_operations *mon_ops;
28560 * symbols from usbcore, usbcore gets referenced and cannot be unloaded first.
28563 -int usb_mon_register (struct usb_mon_operations *ops)
28564 +int usb_mon_register (const struct usb_mon_operations *ops)
28568 diff -urNp linux-2.6.36.1/drivers/usb/core/hub.c linux-2.6.36.1/drivers/usb/core/hub.c
28569 --- linux-2.6.36.1/drivers/usb/core/hub.c 2010-11-26 18:26:24.000000000 -0500
28570 +++ linux-2.6.36.1/drivers/usb/core/hub.c 2010-11-26 18:27:11.000000000 -0500
28571 @@ -3459,7 +3459,7 @@ static const struct usb_device_id hub_id
28572 .bDeviceClass = USB_CLASS_HUB},
28573 { .match_flags = USB_DEVICE_ID_MATCH_INT_CLASS,
28574 .bInterfaceClass = USB_CLASS_HUB},
28575 - { } /* Terminating entry */
28576 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28579 MODULE_DEVICE_TABLE (usb, hub_id_table);
28580 diff -urNp linux-2.6.36.1/drivers/usb/core/message.c linux-2.6.36.1/drivers/usb/core/message.c
28581 --- linux-2.6.36.1/drivers/usb/core/message.c 2010-11-26 18:26:24.000000000 -0500
28582 +++ linux-2.6.36.1/drivers/usb/core/message.c 2010-11-26 18:27:11.000000000 -0500
28583 @@ -869,8 +869,8 @@ char *usb_cache_string(struct usb_device
28584 buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO);
28586 len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE);
28588 - smallbuf = kmalloc(++len, GFP_NOIO);
28590 + smallbuf = kmalloc(len, GFP_NOIO);
28593 memcpy(smallbuf, buf, len);
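Review bot: On the new side `smallbuf = kmalloc(len, GFP_NOIO);` no longer reserves the byte that the removed `++len` added for the string terminator, yet `memcpy(smallbuf, buf, len);` still copies `len` bytes; unless `len` is incremented on one of the hunk lines missing from this rendering (the header counts eight lines, five are shown), the cached string loses its NUL and later readers run off the end of the allocation. If the increment did move into the preceding condition, a comment above the kmalloc such as `/* len already includes the terminator */` would make the pairing with the memcpy explicit. usb_cache_string starts before the hunk and ends after it.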
28594 diff -urNp linux-2.6.36.1/drivers/usb/early/ehci-dbgp.c linux-2.6.36.1/drivers/usb/early/ehci-dbgp.c
28595 --- linux-2.6.36.1/drivers/usb/early/ehci-dbgp.c 2010-10-20 16:30:22.000000000 -0400
28596 +++ linux-2.6.36.1/drivers/usb/early/ehci-dbgp.c 2010-11-06 18:58:15.000000000 -0400
28597 @@ -96,6 +96,7 @@ static inline u32 dbgp_len_update(u32 x,
28601 +/* cannot be const, see kgdbdbgp_parse_config */
28602 static struct kgdb_io kgdbdbgp_io_ops;
28603 #define dbgp_kgdb_mode (dbg_io_ops == &kgdbdbgp_io_ops)
28605 @@ -1026,6 +1027,7 @@ static void kgdbdbgp_write_char(u8 chr)
28606 early_dbgp_write(NULL, &chr, 1);
28609 +/* cannot be const, see kgdbdbgp_parse_config() */
28610 static struct kgdb_io kgdbdbgp_io_ops = {
28611 .name = "kgdbdbgp",
28612 .read_char = kgdbdbgp_read_char,
28613 diff -urNp linux-2.6.36.1/drivers/usb/host/ehci-pci.c linux-2.6.36.1/drivers/usb/host/ehci-pci.c
28614 --- linux-2.6.36.1/drivers/usb/host/ehci-pci.c 2010-10-20 16:30:22.000000000 -0400
28615 +++ linux-2.6.36.1/drivers/usb/host/ehci-pci.c 2010-11-06 18:58:15.000000000 -0400
28616 @@ -445,7 +445,7 @@ static const struct pci_device_id pci_id
28617 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_EHCI, ~0),
28618 .driver_data = (unsigned long) &ehci_pci_hc_driver,
28620 - { /* end: all zeroes */ }
28621 + { 0, 0, 0, 0, 0, 0, 0 }
28623 MODULE_DEVICE_TABLE(pci, pci_ids);
28625 diff -urNp linux-2.6.36.1/drivers/usb/host/uhci-hcd.c linux-2.6.36.1/drivers/usb/host/uhci-hcd.c
28626 --- linux-2.6.36.1/drivers/usb/host/uhci-hcd.c 2010-10-20 16:30:22.000000000 -0400
28627 +++ linux-2.6.36.1/drivers/usb/host/uhci-hcd.c 2010-11-06 18:58:15.000000000 -0400
28628 @@ -948,7 +948,7 @@ static const struct pci_device_id uhci_p
28629 /* handle any USB UHCI controller */
28630 PCI_DEVICE_CLASS(PCI_CLASS_SERIAL_USB_UHCI, ~0),
28631 .driver_data = (unsigned long) &uhci_driver,
28632 - }, { /* end: all zeroes */ }
28633 + }, { 0, 0, 0, 0, 0, 0, 0 }
28636 MODULE_DEVICE_TABLE(pci, uhci_pci_ids);
28637 diff -urNp linux-2.6.36.1/drivers/usb/mon/mon_main.c linux-2.6.36.1/drivers/usb/mon/mon_main.c
28638 --- linux-2.6.36.1/drivers/usb/mon/mon_main.c 2010-10-20 16:30:22.000000000 -0400
28639 +++ linux-2.6.36.1/drivers/usb/mon/mon_main.c 2010-11-06 18:58:15.000000000 -0400
28640 @@ -240,7 +240,7 @@ static struct notifier_block mon_nb = {
28644 -static struct usb_mon_operations mon_ops_0 = {
28645 +static const struct usb_mon_operations mon_ops_0 = {
28646 .urb_submit = mon_submit,
28647 .urb_submit_error = mon_submit_error,
28648 .urb_complete = mon_complete,
28649 diff -urNp linux-2.6.36.1/drivers/usb/storage/debug.h linux-2.6.36.1/drivers/usb/storage/debug.h
28650 --- linux-2.6.36.1/drivers/usb/storage/debug.h 2010-10-20 16:30:22.000000000 -0400
28651 +++ linux-2.6.36.1/drivers/usb/storage/debug.h 2010-11-06 18:58:15.000000000 -0400
28652 @@ -54,9 +54,9 @@ void usb_stor_show_sense( unsigned char
28653 #define US_DEBUGPX(x...) printk( x )
28654 #define US_DEBUG(x) x
28656 -#define US_DEBUGP(x...)
28657 -#define US_DEBUGPX(x...)
28658 -#define US_DEBUG(x)
28659 +#define US_DEBUGP(x...) do {} while (0)
28660 +#define US_DEBUGPX(x...) do {} while (0)
28661 +#define US_DEBUG(x) do {} while (0)
28665 diff -urNp linux-2.6.36.1/drivers/usb/storage/usb.c linux-2.6.36.1/drivers/usb/storage/usb.c
28666 --- linux-2.6.36.1/drivers/usb/storage/usb.c 2010-10-20 16:30:22.000000000 -0400
28667 +++ linux-2.6.36.1/drivers/usb/storage/usb.c 2010-11-06 18:58:15.000000000 -0400
28668 @@ -122,7 +122,7 @@ MODULE_PARM_DESC(quirks, "supplemental l
28670 static struct us_unusual_dev us_unusual_dev_list[] = {
28671 # include "unusual_devs.h"
28672 - { } /* Terminating entry */
28673 + { NULL, NULL, 0, 0, NULL } /* Terminating entry */
28677 diff -urNp linux-2.6.36.1/drivers/usb/storage/usual-tables.c linux-2.6.36.1/drivers/usb/storage/usual-tables.c
28678 --- linux-2.6.36.1/drivers/usb/storage/usual-tables.c 2010-10-20 16:30:22.000000000 -0400
28679 +++ linux-2.6.36.1/drivers/usb/storage/usual-tables.c 2010-11-06 18:58:15.000000000 -0400
28682 struct usb_device_id usb_storage_usb_ids[] = {
28683 # include "unusual_devs.h"
28684 - { } /* Terminating entry */
28685 + { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 } /* Terminating entry */
28687 EXPORT_SYMBOL_GPL(usb_storage_usb_ids);
28689 diff -urNp linux-2.6.36.1/drivers/uwb/wlp/messages.c linux-2.6.36.1/drivers/uwb/wlp/messages.c
28690 --- linux-2.6.36.1/drivers/uwb/wlp/messages.c 2010-10-20 16:30:22.000000000 -0400
28691 +++ linux-2.6.36.1/drivers/uwb/wlp/messages.c 2010-11-06 18:58:15.000000000 -0400
28692 @@ -920,7 +920,7 @@ int wlp_parse_f0(struct wlp *wlp, struct
28693 size_t len = skb->len;
28696 - struct wlp_nonce enonce, rnonce;
28697 + struct wlp_nonce enonce = {{0}}, rnonce = {{0}};
28698 enum wlp_assc_error assc_err;
28699 char enonce_buf[WLP_WSS_NONCE_STRSIZE];
28700 char rnonce_buf[WLP_WSS_NONCE_STRSIZE];
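Review bot: Zero-initializing `enonce` and `rnonce` at declaration presumably silences an uninitialized-use warning, but it also gives a frame that omits a nonce field a definite all-zero value; whether the rest of wlp_parse_f0 (outside this hunk) treats the nonces as data to compare or only as values to format into enonce_buf/rnonce_buf decides if that is harmless. If the parser can fail to fill them, the consuming path should check the parse result rather than rely on the zero default, and a comment at the declaration, `/* zeroed so an absent nonce is deterministic rather than stale stack */`, would record the intent.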
28701 diff -urNp linux-2.6.36.1/drivers/vhost/vhost.c linux-2.6.36.1/drivers/vhost/vhost.c
28702 --- linux-2.6.36.1/drivers/vhost/vhost.c 2010-10-20 16:30:22.000000000 -0400
28703 +++ linux-2.6.36.1/drivers/vhost/vhost.c 2010-11-06 18:58:15.000000000 -0400
28704 @@ -503,7 +503,7 @@ static int init_used(struct vhost_virtqu
28705 return get_user(vq->last_used_idx, &used->idx);
28708 -static long vhost_set_vring(struct vhost_dev *d, int ioctl, void __user *argp)
28709 +static long vhost_set_vring(struct vhost_dev *d, unsigned int ioctl, void __user *argp)
28711 struct file *eventfp, *filep = NULL,
28712 *pollstart = NULL, *pollstop = NULL;
28713 diff -urNp linux-2.6.36.1/drivers/video/atmel_lcdfb.c linux-2.6.36.1/drivers/video/atmel_lcdfb.c
28714 --- linux-2.6.36.1/drivers/video/atmel_lcdfb.c 2010-10-20 16:30:22.000000000 -0400
28715 +++ linux-2.6.36.1/drivers/video/atmel_lcdfb.c 2010-11-06 18:58:15.000000000 -0400
28716 @@ -111,7 +111,7 @@ static int atmel_bl_get_brightness(struc
28717 return lcdc_readl(sinfo, ATMEL_LCDC_CONTRAST_VAL);
28720 -static struct backlight_ops atmel_lcdc_bl_ops = {
28721 +static const struct backlight_ops atmel_lcdc_bl_ops = {
28722 .update_status = atmel_bl_update_status,
28723 .get_brightness = atmel_bl_get_brightness,
28725 diff -urNp linux-2.6.36.1/drivers/video/aty/aty128fb.c linux-2.6.36.1/drivers/video/aty/aty128fb.c
28726 --- linux-2.6.36.1/drivers/video/aty/aty128fb.c 2010-10-20 16:30:22.000000000 -0400
28727 +++ linux-2.6.36.1/drivers/video/aty/aty128fb.c 2010-11-06 18:58:15.000000000 -0400
28728 @@ -1786,7 +1786,7 @@ static int aty128_bl_get_brightness(stru
28729 return bd->props.brightness;
28732 -static struct backlight_ops aty128_bl_data = {
28733 +static const struct backlight_ops aty128_bl_data = {
28734 .get_brightness = aty128_bl_get_brightness,
28735 .update_status = aty128_bl_update_status,
28737 diff -urNp linux-2.6.36.1/drivers/video/aty/atyfb_base.c linux-2.6.36.1/drivers/video/aty/atyfb_base.c
28738 --- linux-2.6.36.1/drivers/video/aty/atyfb_base.c 2010-10-20 16:30:22.000000000 -0400
28739 +++ linux-2.6.36.1/drivers/video/aty/atyfb_base.c 2010-11-06 18:58:15.000000000 -0400
28740 @@ -2221,7 +2221,7 @@ static int aty_bl_get_brightness(struct
28741 return bd->props.brightness;
28744 -static struct backlight_ops aty_bl_data = {
28745 +static const struct backlight_ops aty_bl_data = {
28746 .get_brightness = aty_bl_get_brightness,
28747 .update_status = aty_bl_update_status,
28749 diff -urNp linux-2.6.36.1/drivers/video/aty/radeon_backlight.c linux-2.6.36.1/drivers/video/aty/radeon_backlight.c
28750 --- linux-2.6.36.1/drivers/video/aty/radeon_backlight.c 2010-10-20 16:30:22.000000000 -0400
28751 +++ linux-2.6.36.1/drivers/video/aty/radeon_backlight.c 2010-11-06 18:58:15.000000000 -0400
28752 @@ -128,7 +128,7 @@ static int radeon_bl_get_brightness(stru
28753 return bd->props.brightness;
28756 -static struct backlight_ops radeon_bl_data = {
28757 +static const struct backlight_ops radeon_bl_data = {
28758 .get_brightness = radeon_bl_get_brightness,
28759 .update_status = radeon_bl_update_status,
28761 diff -urNp linux-2.6.36.1/drivers/video/backlight/88pm860x_bl.c linux-2.6.36.1/drivers/video/backlight/88pm860x_bl.c
28762 --- linux-2.6.36.1/drivers/video/backlight/88pm860x_bl.c 2010-10-20 16:30:22.000000000 -0400
28763 +++ linux-2.6.36.1/drivers/video/backlight/88pm860x_bl.c 2010-11-06 18:58:15.000000000 -0400
28764 @@ -155,7 +155,7 @@ out:
28768 -static struct backlight_ops pm860x_backlight_ops = {
28769 +static const struct backlight_ops pm860x_backlight_ops = {
28770 .options = BL_CORE_SUSPENDRESUME,
28771 .update_status = pm860x_backlight_update_status,
28772 .get_brightness = pm860x_backlight_get_brightness,
28773 diff -urNp linux-2.6.36.1/drivers/video/backlight/max8925_bl.c linux-2.6.36.1/drivers/video/backlight/max8925_bl.c
28774 --- linux-2.6.36.1/drivers/video/backlight/max8925_bl.c 2010-10-20 16:30:22.000000000 -0400
28775 +++ linux-2.6.36.1/drivers/video/backlight/max8925_bl.c 2010-11-06 18:58:15.000000000 -0400
28776 @@ -92,7 +92,7 @@ static int max8925_backlight_get_brightn
28780 -static struct backlight_ops max8925_backlight_ops = {
28781 +static const struct backlight_ops max8925_backlight_ops = {
28782 .options = BL_CORE_SUSPENDRESUME,
28783 .update_status = max8925_backlight_update_status,
28784 .get_brightness = max8925_backlight_get_brightness,
28785 diff -urNp linux-2.6.36.1/drivers/video/fbcmap.c linux-2.6.36.1/drivers/video/fbcmap.c
28786 --- linux-2.6.36.1/drivers/video/fbcmap.c 2010-10-20 16:30:22.000000000 -0400
28787 +++ linux-2.6.36.1/drivers/video/fbcmap.c 2010-11-06 18:58:15.000000000 -0400
28788 @@ -266,8 +266,7 @@ int fb_set_user_cmap(struct fb_cmap_user
28792 - if (cmap->start < 0 || (!info->fbops->fb_setcolreg &&
28793 - !info->fbops->fb_setcmap)) {
28794 + if (!info->fbops->fb_setcolreg && !info->fbops->fb_setcmap) {
28798 diff -urNp linux-2.6.36.1/drivers/video/fbmem.c linux-2.6.36.1/drivers/video/fbmem.c
28799 --- linux-2.6.36.1/drivers/video/fbmem.c 2010-10-20 16:30:22.000000000 -0400
28800 +++ linux-2.6.36.1/drivers/video/fbmem.c 2010-11-06 18:58:15.000000000 -0400
28801 @@ -403,7 +403,7 @@ static void fb_do_show_logo(struct fb_in
28802 image->dx += image->width + 8;
28804 } else if (rotate == FB_ROTATE_UD) {
28805 - for (x = 0; x < num && image->dx >= 0; x++) {
28806 + for (x = 0; x < num && (__s32)image->dx >= 0; x++) {
28807 info->fbops->fb_imageblit(info, image);
28808 image->dx -= image->width + 8;
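Review bot: The `(__s32)` cast in the loop condition only changes anything if image->dx is an unsigned field, in which case the original `image->dx >= 0` was always true and the loop could decrement the position past zero and blit at a wrapped coordinate; that reasoning is not stated in the hunk. A comment on the loop, `/* dx is unsigned: a wrap below zero reads as negative after the cast */`, would stop the cast from being dropped as redundant later, and the same applies to the `(__s32)image->dy` hunk just below. fb_do_show_logo begins before the hunk.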
28810 @@ -415,7 +415,7 @@ static void fb_do_show_logo(struct fb_in
28811 image->dy += image->height + 8;
28813 } else if (rotate == FB_ROTATE_CCW) {
28814 - for (x = 0; x < num && image->dy >= 0; x++) {
28815 + for (x = 0; x < num && (__s32)image->dy >= 0; x++) {
28816 info->fbops->fb_imageblit(info, image);
28817 image->dy -= image->height + 8;
28819 @@ -1119,7 +1119,7 @@ static long do_fb_ioctl(struct fb_info *
28821 if (con2fb.console < 1 || con2fb.console > MAX_NR_CONSOLES)
28823 - if (con2fb.framebuffer < 0 || con2fb.framebuffer >= FB_MAX)
28824 + if (con2fb.framebuffer >= FB_MAX)
28826 if (!registered_fb[con2fb.framebuffer])
28827 request_module("fb%d", con2fb.framebuffer);
28828 diff -urNp linux-2.6.36.1/drivers/video/fbmon.c linux-2.6.36.1/drivers/video/fbmon.c
28829 --- linux-2.6.36.1/drivers/video/fbmon.c 2010-10-20 16:30:22.000000000 -0400
28830 +++ linux-2.6.36.1/drivers/video/fbmon.c 2010-11-06 18:58:15.000000000 -0400
28833 #define DPRINTK(fmt, args...) printk(fmt,## args)
28835 -#define DPRINTK(fmt, args...)
28836 +#define DPRINTK(fmt, args...) do {} while (0)
28839 #define FBMON_FIX_HEADER 1
28840 diff -urNp linux-2.6.36.1/drivers/video/i810/i810_accel.c linux-2.6.36.1/drivers/video/i810/i810_accel.c
28841 --- linux-2.6.36.1/drivers/video/i810/i810_accel.c 2010-10-20 16:30:22.000000000 -0400
28842 +++ linux-2.6.36.1/drivers/video/i810/i810_accel.c 2010-11-06 18:58:15.000000000 -0400
28843 @@ -73,6 +73,7 @@ static inline int wait_for_space(struct
28846 printk("ringbuffer lockup!!!\n");
28847 + printk("head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);
28848 i810_report_error(mmio);
28849 par->dev_flags |= LOCKUP;
28850 info->pixmap.scan_align = 1;
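Review bot: The added `printk("head:%u tail:%u iring.size:%u space:%u\n", ...)` carries no log level, so it is emitted at the default level rather than alongside the lockup error it explains; the existing line above shares the problem, but new diagnostics should read `printk(KERN_ERR "head:%u tail:%u iring.size:%u space:%u\n", head, tail, par->iring.size, space);`. The four `%u` conversions also assume `head`, `tail`, `par->iring.size` and `space` are all unsigned int, and their declarations are outside the hunk, so -Wformat should be checked on this line. wait_for_space starts before the hunk.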
28851 diff -urNp linux-2.6.36.1/drivers/video/i810/i810_main.c linux-2.6.36.1/drivers/video/i810/i810_main.c
28852 --- linux-2.6.36.1/drivers/video/i810/i810_main.c 2010-10-20 16:30:22.000000000 -0400
28853 +++ linux-2.6.36.1/drivers/video/i810/i810_main.c 2010-11-06 18:58:15.000000000 -0400
28854 @@ -120,7 +120,7 @@ static struct pci_device_id i810fb_pci_t
28855 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 4 },
28856 { PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_82815_CGC,
28857 PCI_ANY_ID, PCI_ANY_ID, 0, 0, 5 },
28859 + { 0, 0, 0, 0, 0, 0, 0 },
28862 static struct pci_driver i810fb_driver = {
28863 diff -urNp linux-2.6.36.1/drivers/video/modedb.c linux-2.6.36.1/drivers/video/modedb.c
28864 --- linux-2.6.36.1/drivers/video/modedb.c 2010-10-20 16:30:22.000000000 -0400
28865 +++ linux-2.6.36.1/drivers/video/modedb.c 2010-11-06 18:58:15.000000000 -0400
28866 @@ -40,240 +40,240 @@ static const struct fb_videomode modedb[
28868 /* 640x400 @ 70 Hz, 31.5 kHz hsync */
28869 NULL, 70, 640, 400, 39721, 40, 24, 39, 9, 96, 2,
28870 - 0, FB_VMODE_NONINTERLACED
28871 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28873 /* 640x480 @ 60 Hz, 31.5 kHz hsync */
28874 NULL, 60, 640, 480, 39721, 40, 24, 32, 11, 96, 2,
28875 - 0, FB_VMODE_NONINTERLACED
28876 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28878 /* 800x600 @ 56 Hz, 35.15 kHz hsync */
28879 NULL, 56, 800, 600, 27777, 128, 24, 22, 1, 72, 2,
28880 - 0, FB_VMODE_NONINTERLACED
28881 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28883 /* 1024x768 @ 87 Hz interlaced, 35.5 kHz hsync */
28884 NULL, 87, 1024, 768, 22271, 56, 24, 33, 8, 160, 8,
28885 - 0, FB_VMODE_INTERLACED
28886 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28888 /* 640x400 @ 85 Hz, 37.86 kHz hsync */
28889 NULL, 85, 640, 400, 31746, 96, 32, 41, 1, 64, 3,
28890 - FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28891 + FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28893 /* 640x480 @ 72 Hz, 36.5 kHz hsync */
28894 NULL, 72, 640, 480, 31746, 144, 40, 30, 8, 40, 3,
28895 - 0, FB_VMODE_NONINTERLACED
28896 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28898 /* 640x480 @ 75 Hz, 37.50 kHz hsync */
28899 NULL, 75, 640, 480, 31746, 120, 16, 16, 1, 64, 3,
28900 - 0, FB_VMODE_NONINTERLACED
28901 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28903 /* 800x600 @ 60 Hz, 37.8 kHz hsync */
28904 NULL, 60, 800, 600, 25000, 88, 40, 23, 1, 128, 4,
28905 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28906 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28908 /* 640x480 @ 85 Hz, 43.27 kHz hsync */
28909 NULL, 85, 640, 480, 27777, 80, 56, 25, 1, 56, 3,
28910 - 0, FB_VMODE_NONINTERLACED
28911 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28913 /* 1152x864 @ 89 Hz interlaced, 44 kHz hsync */
28914 NULL, 89, 1152, 864, 15384, 96, 16, 110, 1, 216, 10,
28915 - 0, FB_VMODE_INTERLACED
28916 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28918 /* 800x600 @ 72 Hz, 48.0 kHz hsync */
28919 NULL, 72, 800, 600, 20000, 64, 56, 23, 37, 120, 6,
28920 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28921 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28923 /* 1024x768 @ 60 Hz, 48.4 kHz hsync */
28924 NULL, 60, 1024, 768, 15384, 168, 8, 29, 3, 144, 6,
28925 - 0, FB_VMODE_NONINTERLACED
28926 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28928 /* 640x480 @ 100 Hz, 53.01 kHz hsync */
28929 NULL, 100, 640, 480, 21834, 96, 32, 36, 8, 96, 6,
28930 - 0, FB_VMODE_NONINTERLACED
28931 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28933 /* 1152x864 @ 60 Hz, 53.5 kHz hsync */
28934 NULL, 60, 1152, 864, 11123, 208, 64, 16, 4, 256, 8,
28935 - 0, FB_VMODE_NONINTERLACED
28936 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28938 /* 800x600 @ 85 Hz, 55.84 kHz hsync */
28939 NULL, 85, 800, 600, 16460, 160, 64, 36, 16, 64, 5,
28940 - 0, FB_VMODE_NONINTERLACED
28941 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28943 /* 1024x768 @ 70 Hz, 56.5 kHz hsync */
28944 NULL, 70, 1024, 768, 13333, 144, 24, 29, 3, 136, 6,
28945 - 0, FB_VMODE_NONINTERLACED
28946 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28948 /* 1280x1024 @ 87 Hz interlaced, 51 kHz hsync */
28949 NULL, 87, 1280, 1024, 12500, 56, 16, 128, 1, 216, 12,
28950 - 0, FB_VMODE_INTERLACED
28951 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
28953 /* 800x600 @ 100 Hz, 64.02 kHz hsync */
28954 NULL, 100, 800, 600, 14357, 160, 64, 30, 4, 64, 6,
28955 - 0, FB_VMODE_NONINTERLACED
28956 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28958 /* 1024x768 @ 76 Hz, 62.5 kHz hsync */
28959 NULL, 76, 1024, 768, 11764, 208, 8, 36, 16, 120, 3,
28960 - 0, FB_VMODE_NONINTERLACED
28961 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28963 /* 1152x864 @ 70 Hz, 62.4 kHz hsync */
28964 NULL, 70, 1152, 864, 10869, 106, 56, 20, 1, 160, 10,
28965 - 0, FB_VMODE_NONINTERLACED
28966 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28968 /* 1280x1024 @ 61 Hz, 64.2 kHz hsync */
28969 NULL, 61, 1280, 1024, 9090, 200, 48, 26, 1, 184, 3,
28970 - 0, FB_VMODE_NONINTERLACED
28971 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28973 /* 1400x1050 @ 60Hz, 63.9 kHz hsync */
28974 NULL, 60, 1400, 1050, 9259, 136, 40, 13, 1, 112, 3,
28975 - 0, FB_VMODE_NONINTERLACED
28976 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28978 /* 1400x1050 @ 75,107 Hz, 82,392 kHz +hsync +vsync*/
28979 NULL, 75, 1400, 1050, 7190, 120, 56, 23, 10, 112, 13,
28980 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28981 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28983 /* 1400x1050 @ 60 Hz, ? kHz +hsync +vsync*/
28984 NULL, 60, 1400, 1050, 9259, 128, 40, 12, 0, 112, 3,
28985 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
28986 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28988 /* 1024x768 @ 85 Hz, 70.24 kHz hsync */
28989 NULL, 85, 1024, 768, 10111, 192, 32, 34, 14, 160, 6,
28990 - 0, FB_VMODE_NONINTERLACED
28991 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28993 /* 1152x864 @ 78 Hz, 70.8 kHz hsync */
28994 NULL, 78, 1152, 864, 9090, 228, 88, 32, 0, 84, 12,
28995 - 0, FB_VMODE_NONINTERLACED
28996 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
28998 /* 1280x1024 @ 70 Hz, 74.59 kHz hsync */
28999 NULL, 70, 1280, 1024, 7905, 224, 32, 28, 8, 160, 8,
29000 - 0, FB_VMODE_NONINTERLACED
29001 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29003 /* 1600x1200 @ 60Hz, 75.00 kHz hsync */
29004 NULL, 60, 1600, 1200, 6172, 304, 64, 46, 1, 192, 3,
29005 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29006 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29008 /* 1152x864 @ 84 Hz, 76.0 kHz hsync */
29009 NULL, 84, 1152, 864, 7407, 184, 312, 32, 0, 128, 12,
29010 - 0, FB_VMODE_NONINTERLACED
29011 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29013 /* 1280x1024 @ 74 Hz, 78.85 kHz hsync */
29014 NULL, 74, 1280, 1024, 7407, 256, 32, 34, 3, 144, 3,
29015 - 0, FB_VMODE_NONINTERLACED
29016 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29018 /* 1024x768 @ 100Hz, 80.21 kHz hsync */
29019 NULL, 100, 1024, 768, 8658, 192, 32, 21, 3, 192, 10,
29020 - 0, FB_VMODE_NONINTERLACED
29021 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29023 /* 1280x1024 @ 76 Hz, 81.13 kHz hsync */
29024 NULL, 76, 1280, 1024, 7407, 248, 32, 34, 3, 104, 3,
29025 - 0, FB_VMODE_NONINTERLACED
29026 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29028 /* 1600x1200 @ 70 Hz, 87.50 kHz hsync */
29029 NULL, 70, 1600, 1200, 5291, 304, 64, 46, 1, 192, 3,
29030 - 0, FB_VMODE_NONINTERLACED
29031 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29033 /* 1152x864 @ 100 Hz, 89.62 kHz hsync */
29034 NULL, 100, 1152, 864, 7264, 224, 32, 17, 2, 128, 19,
29035 - 0, FB_VMODE_NONINTERLACED
29036 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29038 /* 1280x1024 @ 85 Hz, 91.15 kHz hsync */
29039 NULL, 85, 1280, 1024, 6349, 224, 64, 44, 1, 160, 3,
29040 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29041 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29043 /* 1600x1200 @ 75 Hz, 93.75 kHz hsync */
29044 NULL, 75, 1600, 1200, 4938, 304, 64, 46, 1, 192, 3,
29045 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29046 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29048 /* 1680x1050 @ 60 Hz, 65.191 kHz hsync */
29049 NULL, 60, 1680, 1050, 6848, 280, 104, 30, 3, 176, 6,
29050 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29051 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29053 /* 1600x1200 @ 85 Hz, 105.77 kHz hsync */
29054 NULL, 85, 1600, 1200, 4545, 272, 16, 37, 4, 192, 3,
29055 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29056 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29058 /* 1280x1024 @ 100 Hz, 107.16 kHz hsync */
29059 NULL, 100, 1280, 1024, 5502, 256, 32, 26, 7, 128, 15,
29060 - 0, FB_VMODE_NONINTERLACED
29061 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29063 /* 1800x1440 @ 64Hz, 96.15 kHz hsync */
29064 NULL, 64, 1800, 1440, 4347, 304, 96, 46, 1, 192, 3,
29065 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29066 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29068 /* 1800x1440 @ 70Hz, 104.52 kHz hsync */
29069 NULL, 70, 1800, 1440, 4000, 304, 96, 46, 1, 192, 3,
29070 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29071 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29073 /* 512x384 @ 78 Hz, 31.50 kHz hsync */
29074 NULL, 78, 512, 384, 49603, 48, 16, 16, 1, 64, 3,
29075 - 0, FB_VMODE_NONINTERLACED
29076 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29078 /* 512x384 @ 85 Hz, 34.38 kHz hsync */
29079 NULL, 85, 512, 384, 45454, 48, 16, 16, 1, 64, 3,
29080 - 0, FB_VMODE_NONINTERLACED
29081 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29083 /* 320x200 @ 70 Hz, 31.5 kHz hsync, 8:5 aspect ratio */
29084 NULL, 70, 320, 200, 79440, 16, 16, 20, 4, 48, 1,
29085 - 0, FB_VMODE_DOUBLE
29086 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29088 /* 320x240 @ 60 Hz, 31.5 kHz hsync, 4:3 aspect ratio */
29089 NULL, 60, 320, 240, 79440, 16, 16, 16, 5, 48, 1,
29090 - 0, FB_VMODE_DOUBLE
29091 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29093 /* 320x240 @ 72 Hz, 36.5 kHz hsync */
29094 NULL, 72, 320, 240, 63492, 16, 16, 16, 4, 48, 2,
29095 - 0, FB_VMODE_DOUBLE
29096 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29098 /* 400x300 @ 56 Hz, 35.2 kHz hsync, 4:3 aspect ratio */
29099 NULL, 56, 400, 300, 55555, 64, 16, 10, 1, 32, 1,
29100 - 0, FB_VMODE_DOUBLE
29101 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29103 /* 400x300 @ 60 Hz, 37.8 kHz hsync */
29104 NULL, 60, 400, 300, 50000, 48, 16, 11, 1, 64, 2,
29105 - 0, FB_VMODE_DOUBLE
29106 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29108 /* 400x300 @ 72 Hz, 48.0 kHz hsync */
29109 NULL, 72, 400, 300, 40000, 32, 24, 11, 19, 64, 3,
29110 - 0, FB_VMODE_DOUBLE
29111 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29113 /* 480x300 @ 56 Hz, 35.2 kHz hsync, 8:5 aspect ratio */
29114 NULL, 56, 480, 300, 46176, 80, 16, 10, 1, 40, 1,
29115 - 0, FB_VMODE_DOUBLE
29116 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29118 /* 480x300 @ 60 Hz, 37.8 kHz hsync */
29119 NULL, 60, 480, 300, 41858, 56, 16, 11, 1, 80, 2,
29120 - 0, FB_VMODE_DOUBLE
29121 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29123 /* 480x300 @ 63 Hz, 39.6 kHz hsync */
29124 NULL, 63, 480, 300, 40000, 56, 16, 11, 1, 80, 2,
29125 - 0, FB_VMODE_DOUBLE
29126 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29128 /* 480x300 @ 72 Hz, 48.0 kHz hsync */
29129 NULL, 72, 480, 300, 33386, 40, 24, 11, 19, 80, 3,
29130 - 0, FB_VMODE_DOUBLE
29131 + 0, FB_VMODE_DOUBLE, FB_MODE_IS_UNKNOWN
29133 /* 1920x1200 @ 60 Hz, 74.5 Khz hsync */
29134 NULL, 60, 1920, 1200, 5177, 128, 336, 1, 38, 208, 3,
29135 FB_SYNC_HOR_HIGH_ACT | FB_SYNC_VERT_HIGH_ACT,
29136 - FB_VMODE_NONINTERLACED
29137 + FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29139 /* 1152x768, 60 Hz, PowerBook G4 Titanium I and II */
29140 NULL, 60, 1152, 768, 14047, 158, 26, 29, 3, 136, 6,
29141 - FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED
29142 + FB_SYNC_HOR_HIGH_ACT|FB_SYNC_VERT_HIGH_ACT, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29144 /* 1366x768, 60 Hz, 47.403 kHz hsync, WXGA 16:9 aspect ratio */
29145 NULL, 60, 1366, 768, 13806, 120, 10, 14, 3, 32, 5,
29146 - 0, FB_VMODE_NONINTERLACED
29147 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29149 /* 1280x800, 60 Hz, 47.403 kHz hsync, WXGA 16:10 aspect ratio */
29150 NULL, 60, 1280, 800, 12048, 200, 64, 24, 1, 136, 3,
29151 - 0, FB_VMODE_NONINTERLACED
29152 + 0, FB_VMODE_NONINTERLACED, FB_MODE_IS_UNKNOWN
29154 /* 720x576i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29155 NULL, 50, 720, 576, 74074, 64, 16, 39, 5, 64, 5,
29156 - 0, FB_VMODE_INTERLACED
29157 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
29159 /* 800x520i @ 50 Hz, 15.625 kHz hsync (PAL RGB) */
29160 NULL, 50, 800, 520, 58823, 144, 64, 72, 28, 80, 5,
29161 - 0, FB_VMODE_INTERLACED
29162 + 0, FB_VMODE_INTERLACED, FB_MODE_IS_UNKNOWN
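Review bot: Every entry in this hunk appends `FB_MODE_IS_UNKNOWN` as a bare positional initializer, which silently relies on `flag` being the last member of `struct fb_videomode`; writing it as `.flag = FB_MODE_IS_UNKNOWN` would make the intent explicit and survive a future reordering of the struct. If `FB_MODE_IS_UNKNOWN` is the zero value, the table contents are unchanged at runtime and the edit only makes a previously implicit member explicit, which is worth one sentence in a comment at the top of the table. The `modedb[]` definition starts before this hunk.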
29166 diff -urNp linux-2.6.36.1/drivers/video/nvidia/nv_backlight.c linux-2.6.36.1/drivers/video/nvidia/nv_backlight.c
29167 --- linux-2.6.36.1/drivers/video/nvidia/nv_backlight.c 2010-10-20 16:30:22.000000000 -0400
29168 +++ linux-2.6.36.1/drivers/video/nvidia/nv_backlight.c 2010-11-06 18:58:15.000000000 -0400
29169 @@ -87,7 +87,7 @@ static int nvidia_bl_get_brightness(stru
29170 return bd->props.brightness;
29173 -static struct backlight_ops nvidia_bl_ops = {
29174 +static const struct backlight_ops nvidia_bl_ops = {
29175 .get_brightness = nvidia_bl_get_brightness,
29176 .update_status = nvidia_bl_update_status,
29178 diff -urNp linux-2.6.36.1/drivers/video/omap2/displays/panel-taal.c linux-2.6.36.1/drivers/video/omap2/displays/panel-taal.c
29179 --- linux-2.6.36.1/drivers/video/omap2/displays/panel-taal.c 2010-10-20 16:30:22.000000000 -0400
29180 +++ linux-2.6.36.1/drivers/video/omap2/displays/panel-taal.c 2010-11-06 18:58:15.000000000 -0400
29181 @@ -465,7 +465,7 @@ static int taal_bl_get_intensity(struct
29185 -static struct backlight_ops taal_bl_ops = {
29186 +static const struct backlight_ops taal_bl_ops = {
29187 .get_brightness = taal_bl_get_intensity,
29188 .update_status = taal_bl_update_status,
29190 diff -urNp linux-2.6.36.1/drivers/video/riva/fbdev.c linux-2.6.36.1/drivers/video/riva/fbdev.c
29191 --- linux-2.6.36.1/drivers/video/riva/fbdev.c 2010-10-20 16:30:22.000000000 -0400
29192 +++ linux-2.6.36.1/drivers/video/riva/fbdev.c 2010-11-06 18:58:15.000000000 -0400
29193 @@ -331,7 +331,7 @@ static int riva_bl_get_brightness(struct
29194 return bd->props.brightness;
29197 -static struct backlight_ops riva_bl_ops = {
29198 +static const struct backlight_ops riva_bl_ops = {
29199 .get_brightness = riva_bl_get_brightness,
29200 .update_status = riva_bl_update_status,
29202 diff -urNp linux-2.6.36.1/drivers/video/uvesafb.c linux-2.6.36.1/drivers/video/uvesafb.c
29203 --- linux-2.6.36.1/drivers/video/uvesafb.c 2010-10-20 16:30:22.000000000 -0400
29204 +++ linux-2.6.36.1/drivers/video/uvesafb.c 2010-11-06 18:58:15.000000000 -0400
29206 #include <linux/io.h>
29207 #include <linux/mutex.h>
29208 #include <linux/slab.h>
29209 +#include <linux/moduleloader.h>
29210 #include <video/edid.h>
29211 #include <video/uvesafb.h>
29213 @@ -121,7 +122,7 @@ static int uvesafb_helper_start(void)
29217 - return call_usermodehelper(v86d_path, argv, envp, 1);
29218 + return call_usermodehelper(v86d_path, argv, envp, UMH_WAIT_PROC);
29222 @@ -569,10 +570,32 @@ static int __devinit uvesafb_vbe_getpmi(
29223 if ((task->t.regs.eax & 0xffff) != 0x4f || task->t.regs.es < 0xc000) {
29224 par->pmi_setpal = par->ypan = 0;
29227 +#ifdef CONFIG_PAX_KERNEXEC
29228 +#ifdef CONFIG_MODULES
29229 + par->pmi_code = module_alloc_exec((u16)task->t.regs.ecx);
29231 + if (!par->pmi_code) {
29232 + par->pmi_setpal = par->ypan = 0;
29237 par->pmi_base = (u16 *)phys_to_virt(((u32)task->t.regs.es << 4)
29238 + task->t.regs.edi);
29240 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29241 + pax_open_kernel();
29242 + memcpy(par->pmi_code, par->pmi_base, (u16)task->t.regs.ecx);
29243 + pax_close_kernel();
29245 + par->pmi_start = ktva_ktla(par->pmi_code + par->pmi_base[1]);
29246 + par->pmi_pal = ktva_ktla(par->pmi_code + par->pmi_base[2]);
29248 par->pmi_start = (u8 *)par->pmi_base + par->pmi_base[1];
29249 par->pmi_pal = (u8 *)par->pmi_base + par->pmi_base[2];
29252 printk(KERN_INFO "uvesafb: protected mode interface info at "
29254 (u16)task->t.regs.es, (u16)task->t.regs.edi);
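Review bot: The offsets `par->pmi_base[1]` and `par->pmi_base[2]` come from the firmware's PMI table and are added to the freshly allocated `par->pmi_code` without checking that they lie inside the `(u16)task->t.regs.ecx` bytes that were copied, so `pmi_start`/`pmi_pal` can point past the exec allocation; before the two `ktva_ktla()` lines add `if (par->pmi_base[1] >= (u16)task->t.regs.ecx || par->pmi_base[2] >= (u16)task->t.regs.ecx)` and disable PMI the same way the `!par->pmi_code` branch does (the existing `out:` and `uvesafb_remove()` cleanups already release `par->pmi_code`). The same unchecked offsets appear in the vesafb.c hunk at `@@ -329,9 +339,25 @@`, where `pmi_base[1]`/`pmi_base[2]` are added to `pmi_code` after a `memcpy` of `screen_info.vesapm_size` bytes. A zero `ecx` also reaches `module_alloc_exec()` unchecked, and whether that allocator tolerates a zero size is not visible here. Several lines of this hunk (gutter numbers 29230, 29233–29236, 29247, 29250) are missing from the rendering, so the `#else`/`#endif` structure is inferred; the function continues outside the hunk.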
29255 @@ -1800,6 +1823,11 @@ out:
29256 if (par->vbe_modes)
29257 kfree(par->vbe_modes);
29259 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29260 + if (par->pmi_code)
29261 + module_free_exec(NULL, par->pmi_code);
29264 framebuffer_release(info);
29267 @@ -1826,6 +1854,12 @@ static int uvesafb_remove(struct platfor
29268 kfree(par->vbe_state_orig);
29269 if (par->vbe_state_saved)
29270 kfree(par->vbe_state_saved);
29272 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29273 + if (par->pmi_code)
29274 + module_free_exec(NULL, par->pmi_code);
29279 framebuffer_release(info);
29280 diff -urNp linux-2.6.36.1/drivers/video/vesafb.c linux-2.6.36.1/drivers/video/vesafb.c
29281 --- linux-2.6.36.1/drivers/video/vesafb.c 2010-10-20 16:30:22.000000000 -0400
29282 +++ linux-2.6.36.1/drivers/video/vesafb.c 2010-11-06 18:58:15.000000000 -0400
29286 #include <linux/module.h>
29287 +#include <linux/moduleloader.h>
29288 #include <linux/kernel.h>
29289 #include <linux/errno.h>
29290 #include <linux/string.h>
29291 @@ -52,8 +53,8 @@ static int vram_remap __initdata; /*
29292 static int vram_total __initdata; /* Set total amount of memory */
29293 static int pmi_setpal __read_mostly = 1; /* pmi for palette changes ??? */
29294 static int ypan __read_mostly; /* 0..nothing, 1..ypan, 2..ywrap */
29295 -static void (*pmi_start)(void) __read_mostly;
29296 -static void (*pmi_pal) (void) __read_mostly;
29297 +static void (*pmi_start)(void) __read_only;
29298 +static void (*pmi_pal) (void) __read_only;
29299 static int depth __read_mostly;
29300 static int vga_compat __read_mostly;
29301 /* --------------------------------------------------------------------- */
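Review bot: Turning `pmi_start`/`pmi_pal` into `__read_only` objects means every later store to them has to sit between `pax_open_kernel()` and `pax_close_kernel()`, which the probe hunk at `@@ -329,9 +339,25 @@` does only inside its `CONFIG_MODULES && CONFIG_PAX_KERNEXEC` branch (presumably `__read_only` has no effect in the configurations that take the other branch). A comment at the declaration would keep the next writer from adding an unprotected assignment, e.g. `/* __read_only: store only between pax_open_kernel()/pax_close_kernel() */`.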
29302 @@ -232,6 +233,7 @@ static int __init vesafb_probe(struct pl
29303 unsigned int size_vmode;
29304 unsigned int size_remap;
29305 unsigned int size_total;
29306 + void *pmi_code = NULL;
29308 if (screen_info.orig_video_isVGA != VIDEO_TYPE_VLFB)
29310 @@ -274,10 +276,6 @@ static int __init vesafb_probe(struct pl
29311 size_remap = size_total;
29312 vesafb_fix.smem_len = size_remap;
29315 - screen_info.vesapm_seg = 0;
29318 if (!request_mem_region(vesafb_fix.smem_start, size_total, "vesafb")) {
29319 printk(KERN_WARNING
29320 "vesafb: cannot reserve video memory at 0x%lx\n",
29321 @@ -319,9 +317,21 @@ static int __init vesafb_probe(struct pl
29322 printk(KERN_INFO "vesafb: mode is %dx%dx%d, linelength=%d, pages=%d\n",
29323 vesafb_defined.xres, vesafb_defined.yres, vesafb_defined.bits_per_pixel, vesafb_fix.line_length, screen_info.pages);
29327 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29328 + pmi_code = module_alloc_exec(screen_info.vesapm_size);
29330 +#elif !defined(CONFIG_PAX_KERNEXEC)
29335 + screen_info.vesapm_seg = 0;
29337 if (screen_info.vesapm_seg) {
29338 - printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x\n",
29339 - screen_info.vesapm_seg,screen_info.vesapm_off);
29340 + printk(KERN_INFO "vesafb: protected mode interface info at %04x:%04x %04x bytes\n",
29341 + screen_info.vesapm_seg,screen_info.vesapm_off,screen_info.vesapm_size);
29344 if (screen_info.vesapm_seg < 0xc000)
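Review bot: `module_alloc_exec(screen_info.vesapm_size)` runs before `screen_info.vesapm_seg` is validated (the `if (screen_info.vesapm_seg)` and `< 0xc000` checks follow it), so an exec allocation sized by a firmware-supplied value is made even when PMI ends up unused, and as far as the hunks show it is released only on the probe error path (`@@ -473,6 +499,11 @@`), which is additionally guarded by `__i386__` while the allocation is not. Moving the allocation below the `vesapm_seg` checks, or freeing `pmi_code` when `ypan || pmi_setpal` is false, would close both the leak and the guard mismatch. Gutter numbers 29329 and 29331–29334 are missing from the rendering, so the control flow between the `#elif` and the `screen_info.vesapm_seg = 0;` line cannot be read here; vesafb_probe continues outside the hunk.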
29345 @@ -329,9 +339,25 @@ static int __init vesafb_probe(struct pl
29347 if (ypan || pmi_setpal) {
29348 unsigned short *pmi_base;
29349 - pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29350 - pmi_start = (void*)((char*)pmi_base + pmi_base[1]);
29351 - pmi_pal = (void*)((char*)pmi_base + pmi_base[2]);
29353 + pmi_base = (unsigned short*)phys_to_virt(((unsigned long)screen_info.vesapm_seg << 4) + screen_info.vesapm_off);
29355 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29356 + pax_open_kernel();
29357 + memcpy(pmi_code, pmi_base, screen_info.vesapm_size);
29359 + pmi_code = pmi_base;
29362 + pmi_start = (void*)((char*)pmi_code + pmi_base[1]);
29363 + pmi_pal = (void*)((char*)pmi_code + pmi_base[2]);
29365 +#if defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29366 + pmi_start = ktva_ktla(pmi_start);
29367 + pmi_pal = ktva_ktla(pmi_pal);
29368 + pax_close_kernel();
29371 printk(KERN_INFO "vesafb: pmi: set display start = %p, set palette = %p\n",pmi_start,pmi_pal);
29373 printk(KERN_INFO "vesafb: pmi: ports = ");
29374 @@ -473,6 +499,11 @@ static int __init vesafb_probe(struct pl
29375 info->node, info->fix.id);
29379 +#if defined(__i386__) && defined(CONFIG_MODULES) && defined(CONFIG_PAX_KERNEXEC)
29380 + module_free_exec(NULL, pmi_code);
29383 if (info->screen_base)
29384 iounmap(info->screen_base);
29385 framebuffer_release(info);
29386 diff -urNp linux-2.6.36.1/fs/9p/vfs_inode.c linux-2.6.36.1/fs/9p/vfs_inode.c
29387 --- linux-2.6.36.1/fs/9p/vfs_inode.c 2010-10-20 16:30:22.000000000 -0400
29388 +++ linux-2.6.36.1/fs/9p/vfs_inode.c 2010-11-06 18:58:15.000000000 -0400
29389 @@ -1539,7 +1539,7 @@ static void *v9fs_vfs_follow_link(struct
29391 v9fs_vfs_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
29393 - char *s = nd_get_link(nd);
29394 + const char *s = nd_get_link(nd);
29396 P9_DPRINTK(P9_DEBUG_VFS, " %s %s\n", dentry->d_name.name,
29397 IS_ERR(s) ? "<error>" : s);
29398 diff -urNp linux-2.6.36.1/fs/aio.c linux-2.6.36.1/fs/aio.c
29399 --- linux-2.6.36.1/fs/aio.c 2010-10-20 16:30:22.000000000 -0400
29400 +++ linux-2.6.36.1/fs/aio.c 2010-11-06 18:58:15.000000000 -0400
29401 @@ -130,7 +130,7 @@ static int aio_setup_ring(struct kioctx
29402 size += sizeof(struct io_event) * nr_events;
29403 nr_pages = (size + PAGE_SIZE-1) >> PAGE_SHIFT;
29405 - if (nr_pages < 0)
29406 + if (nr_pages <= 0)
29409 nr_events = (PAGE_SIZE * nr_pages - sizeof(struct aio_ring)) / sizeof(struct io_event);
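Review bot: The new `nr_pages <= 0` guard deserves a comment saying what it protects, because the next line computes `PAGE_SIZE * nr_pages - sizeof(struct aio_ring)`, which for `nr_pages == 0` wraps to a huge unsigned value and would derive an absurd `nr_events`; e.g. `/* 0 pages would make the ring-size arithmetic below wrap */`. aio_setup_ring continues outside the hunk.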
29410 diff -urNp linux-2.6.36.1/fs/attr.c linux-2.6.36.1/fs/attr.c
29411 --- linux-2.6.36.1/fs/attr.c 2010-10-20 16:30:22.000000000 -0400
29412 +++ linux-2.6.36.1/fs/attr.c 2010-11-06 18:58:50.000000000 -0400
29413 @@ -98,6 +98,7 @@ int inode_newsize_ok(const struct inode
29414 unsigned long limit;
29416 limit = rlimit(RLIMIT_FSIZE);
29417 + gr_learn_resource(current, RLIMIT_FSIZE, (unsigned long)offset, 1);
29418 if (limit != RLIM_INFINITY && offset > limit)
29420 if (offset > inode->i_sb->s_maxbytes)
29421 diff -urNp linux-2.6.36.1/fs/autofs/root.c linux-2.6.36.1/fs/autofs/root.c
29422 --- linux-2.6.36.1/fs/autofs/root.c 2010-10-20 16:30:22.000000000 -0400
29423 +++ linux-2.6.36.1/fs/autofs/root.c 2010-11-06 19:50:37.000000000 -0400
29424 @@ -27,7 +27,9 @@ static int autofs_root_unlink(struct ino
29425 static int autofs_root_rmdir(struct inode *,struct dentry *);
29426 static int autofs_root_mkdir(struct inode *,struct dentry *,int);
29427 static long autofs_root_ioctl(struct file *,unsigned int,unsigned long);
29428 +#ifdef CONFIG_COMPAT
29429 static long autofs_root_compat_ioctl(struct file *,unsigned int,unsigned long);
29432 const struct file_operations autofs_root_operations = {
29433 .llseek = generic_file_llseek,
29434 @@ -306,7 +308,8 @@ static int autofs_root_symlink(struct in
29435 set_bit(n,sbi->symlink_bitmap);
29436 sl = &sbi->symlink[n];
29437 sl->len = strlen(symname);
29438 - sl->data = kmalloc(slsize = sl->len+1, GFP_KERNEL);
29439 + slsize = sl->len+1;
29440 + sl->data = kmalloc(slsize, GFP_KERNEL);
29442 clear_bit(n,sbi->symlink_bitmap);
29444 diff -urNp linux-2.6.36.1/fs/autofs4/root.c linux-2.6.36.1/fs/autofs4/root.c
29445 --- linux-2.6.36.1/fs/autofs4/root.c 2010-10-20 16:30:22.000000000 -0400
29446 +++ linux-2.6.36.1/fs/autofs4/root.c 2010-11-06 19:50:56.000000000 -0400
29447 @@ -28,7 +28,9 @@ static int autofs4_dir_unlink(struct ino
29448 static int autofs4_dir_rmdir(struct inode *,struct dentry *);
29449 static int autofs4_dir_mkdir(struct inode *,struct dentry *,int);
29450 static long autofs4_root_ioctl(struct file *,unsigned int,unsigned long);
29451 +#ifdef CONFIG_COMPAT
29452 static long autofs4_root_compat_ioctl(struct file *,unsigned int,unsigned long);
29454 static int autofs4_dir_open(struct inode *inode, struct file *file);
29455 static struct dentry *autofs4_lookup(struct inode *,struct dentry *, struct nameidata *);
29456 static void *autofs4_follow_link(struct dentry *, struct nameidata *);
29457 diff -urNp linux-2.6.36.1/fs/autofs4/symlink.c linux-2.6.36.1/fs/autofs4/symlink.c
29458 --- linux-2.6.36.1/fs/autofs4/symlink.c 2010-10-20 16:30:22.000000000 -0400
29459 +++ linux-2.6.36.1/fs/autofs4/symlink.c 2010-11-06 18:58:15.000000000 -0400
29461 static void *autofs4_follow_link(struct dentry *dentry, struct nameidata *nd)
29463 struct autofs_info *ino = autofs4_dentry_ino(dentry);
29464 - nd_set_link(nd, (char *)ino->u.symlink);
29465 + nd_set_link(nd, ino->u.symlink);
29469 diff -urNp linux-2.6.36.1/fs/befs/linuxvfs.c linux-2.6.36.1/fs/befs/linuxvfs.c
29470 --- linux-2.6.36.1/fs/befs/linuxvfs.c 2010-10-20 16:30:22.000000000 -0400
29471 +++ linux-2.6.36.1/fs/befs/linuxvfs.c 2010-11-06 18:58:15.000000000 -0400
29472 @@ -493,7 +493,7 @@ static void befs_put_link(struct dentry
29474 befs_inode_info *befs_ino = BEFS_I(dentry->d_inode);
29475 if (befs_ino->i_flags & BEFS_LONG_SYMLINK) {
29476 - char *link = nd_get_link(nd);
29477 + const char *link = nd_get_link(nd);
29481 diff -urNp linux-2.6.36.1/fs/binfmt_aout.c linux-2.6.36.1/fs/binfmt_aout.c
29482 --- linux-2.6.36.1/fs/binfmt_aout.c 2010-10-20 16:30:22.000000000 -0400
29483 +++ linux-2.6.36.1/fs/binfmt_aout.c 2010-11-06 18:58:50.000000000 -0400
29485 #include <linux/string.h>
29486 #include <linux/fs.h>
29487 #include <linux/file.h>
29488 +#include <linux/security.h>
29489 #include <linux/stat.h>
29490 #include <linux/fcntl.h>
29491 #include <linux/ptrace.h>
29492 @@ -86,6 +87,8 @@ static int aout_core_dump(struct coredum
29494 # define START_STACK(u) ((void __user *)u.start_stack)
29496 + memset(&dump, 0, sizeof(dump));
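Review bot: The added `memset(&dump, 0, sizeof(dump))` is the substantive fix and should say so in a comment, since a reader will otherwise take it as cosmetic; presumably `dump` is written out to the core file later in `aout_core_dump()`, so unset fields and padding would otherwise copy kernel stack contents into a user-readable file. Suggested: `/* zero the whole header: it is written to the core file and must not leak kernel stack */`. The rest of aout_core_dump is outside the hunk, and gutter numbers 29497–29500 are missing from the rendering.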
29501 @@ -97,10 +100,12 @@ static int aout_core_dump(struct coredum
29503 /* If the size of the dump file exceeds the rlimit, then see what would happen
29504 if we wrote the stack, but not the data area. */
29505 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE, 1);
29506 if ((dump.u_dsize + dump.u_ssize+1) * PAGE_SIZE > cprm->limit)
29509 /* Make sure we have enough room to write the stack and data areas. */
29510 + gr_learn_resource(current, RLIMIT_CORE, (dump.u_ssize + 1) * PAGE_SIZE, 1);
29511 if ((dump.u_ssize + 1) * PAGE_SIZE > cprm->limit)
29514 @@ -234,6 +239,8 @@ static int load_aout_binary(struct linux
29515 rlim = rlimit(RLIMIT_DATA);
29516 if (rlim >= RLIM_INFINITY)
29519 + gr_learn_resource(current, RLIMIT_DATA, ex.a_data + ex.a_bss, 1);
29520 if (ex.a_data + ex.a_bss > rlim)
29523 @@ -262,6 +269,27 @@ static int load_aout_binary(struct linux
29524 install_exec_creds(bprm);
29525 current->flags &= ~PF_FORKNOEXEC;
29527 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29528 + current->mm->pax_flags = 0UL;
29531 +#ifdef CONFIG_PAX_PAGEEXEC
29532 + if (!(N_FLAGS(ex) & F_PAX_PAGEEXEC)) {
29533 + current->mm->pax_flags |= MF_PAX_PAGEEXEC;
29535 +#ifdef CONFIG_PAX_EMUTRAMP
29536 + if (N_FLAGS(ex) & F_PAX_EMUTRAMP)
29537 + current->mm->pax_flags |= MF_PAX_EMUTRAMP;
29540 +#ifdef CONFIG_PAX_MPROTECT
29541 + if (!(N_FLAGS(ex) & F_PAX_MPROTECT))
29542 + current->mm->pax_flags |= MF_PAX_MPROTECT;
29548 if (N_MAGIC(ex) == OMAGIC) {
29549 unsigned long text_addr, map_size;
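Review bot: The polarity of the a.out markings is not obvious from the code and deserves a comment: `MF_PAX_PAGEEXEC` and `MF_PAX_MPROTECT` are set when the corresponding `F_PAX_*` bit is clear (a set bit opts the binary out), whereas `MF_PAX_EMUTRAMP` is set only when its bit is present (opt-in). Because `N_FLAGS(ex)` is read from the executable header, i.e. controlled by whoever built or can modify the binary, a line such as `/* a.out PaX markings: a set F_PAX_PAGEEXEC/F_PAX_MPROTECT bit disables that protection for this binary; F_PAX_EMUTRAMP enables trampoline emulation */` records that these flags relax protection per binary. The `#endif`/closing-brace lines (gutter numbers 29529–29530, 29534, 29538–29539, 29543–29547) are missing from the rendering; load_aout_binary continues outside the hunk.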
29551 @@ -334,7 +362,7 @@ static int load_aout_binary(struct linux
29553 down_write(¤t->mm->mmap_sem);
29554 error = do_mmap(bprm->file, N_DATADDR(ex), ex.a_data,
29555 - PROT_READ | PROT_WRITE | PROT_EXEC,
29556 + PROT_READ | PROT_WRITE,
29557 MAP_FIXED | MAP_PRIVATE | MAP_DENYWRITE | MAP_EXECUTABLE,
29558 fd_offset + ex.a_text);
29559 up_write(¤t->mm->mmap_sem);
29560 diff -urNp linux-2.6.36.1/fs/binfmt_elf.c linux-2.6.36.1/fs/binfmt_elf.c
29561 --- linux-2.6.36.1/fs/binfmt_elf.c 2010-10-20 16:30:22.000000000 -0400
29562 +++ linux-2.6.36.1/fs/binfmt_elf.c 2010-11-06 18:58:50.000000000 -0400
29563 @@ -51,6 +51,10 @@ static int elf_core_dump(struct coredump
29564 #define elf_core_dump NULL
29567 +#ifdef CONFIG_PAX_MPROTECT
29568 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags);
29571 #if ELF_EXEC_PAGESIZE > PAGE_SIZE
29572 #define ELF_MIN_ALIGN ELF_EXEC_PAGESIZE
29574 @@ -70,6 +74,11 @@ static struct linux_binfmt elf_format =
29575 .load_binary = load_elf_binary,
29576 .load_shlib = load_elf_library,
29577 .core_dump = elf_core_dump,
29579 +#ifdef CONFIG_PAX_MPROTECT
29580 + .handle_mprotect= elf_handle_mprotect,
29583 .min_coredump = ELF_EXEC_PAGESIZE,
29586 @@ -78,6 +87,8 @@ static struct linux_binfmt elf_format =
29588 static int set_brk(unsigned long start, unsigned long end)
29590 + unsigned long e = end;
29592 start = ELF_PAGEALIGN(start);
29593 end = ELF_PAGEALIGN(end);
29595 @@ -88,7 +99,7 @@ static int set_brk(unsigned long start,
29596 if (BAD_ADDR(addr))
29599 - current->mm->start_brk = current->mm->brk = end;
29600 + current->mm->start_brk = current->mm->brk = e;
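Review bot: `current->mm->start_brk = current->mm->brk = e` now stores the caller's unaligned `end` instead of the page-aligned value used for the mapping, which changes what `brk(0)` reports to userspace and is not explained anywhere; the `unsigned long e = end;` line in the preceding hunk (`@@ -78,6 +87,8 @@`) should carry the reason, e.g. `/* keep the exact end: brk/start_brk are set to it below, not to the page-aligned value the mapping uses */`. Whether this interacts with brk randomisation elsewhere in the patch is not visible here; set_brk continues outside the hunk.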
29604 @@ -149,7 +160,7 @@ create_elf_tables(struct linux_binprm *b
29605 elf_addr_t __user *u_rand_bytes;
29606 const char *k_platform = ELF_PLATFORM;
29607 const char *k_base_platform = ELF_BASE_PLATFORM;
29608 - unsigned char k_rand_bytes[16];
29609 + u32 k_rand_bytes[4];
29611 elf_addr_t *elf_info;
29613 @@ -196,8 +207,12 @@ create_elf_tables(struct linux_binprm *b
29614 * Generate 16 random bytes for userspace PRNG seeding.
29616 get_random_bytes(k_rand_bytes, sizeof(k_rand_bytes));
29617 - u_rand_bytes = (elf_addr_t __user *)
29618 - STACK_ALLOC(p, sizeof(k_rand_bytes));
29619 + srandom32(k_rand_bytes[0] ^ random32());
29620 + srandom32(k_rand_bytes[1] ^ random32());
29621 + srandom32(k_rand_bytes[2] ^ random32());
29622 + srandom32(k_rand_bytes[3] ^ random32());
29623 + p = STACK_ROUND(p, sizeof(k_rand_bytes));
29624 + u_rand_bytes = (elf_addr_t __user *) p;
29625 if (__copy_to_user(u_rand_bytes, k_rand_bytes, sizeof(k_rand_bytes)))
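Review bot: The four `srandom32(k_rand_bytes[i] ^ random32())` calls reseed the `random32()` generator with the same 16 bytes that are copied to userspace as `AT_RANDOM` on the last line, and nothing says why; add e.g. `/* reseed random32() on every exec; XOR with its current output so the new state is not derivable from the AT_RANDOM bytes handed to userspace */`. The switch from `STACK_ALLOC` to `STACK_ROUND` also changes where the AT_RANDOM block lands on the stack (its alignment), which deserves a word in the commit message. create_elf_tables continues outside the hunk.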
29628 @@ -386,10 +401,10 @@ static unsigned long load_elf_interp(str
29630 struct elf_phdr *elf_phdata;
29631 struct elf_phdr *eppnt;
29632 - unsigned long load_addr = 0;
29633 + unsigned long load_addr = 0, pax_task_size = TASK_SIZE;
29634 int load_addr_set = 0;
29635 unsigned long last_bss = 0, elf_bss = 0;
29636 - unsigned long error = ~0UL;
29637 + unsigned long error = -EINVAL;
29638 unsigned long total_size;
29639 int retval, i, size;
29641 @@ -435,6 +450,11 @@ static unsigned long load_elf_interp(str
29645 +#ifdef CONFIG_PAX_SEGMEXEC
29646 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC)
29647 + pax_task_size = SEGMEXEC_TASK_SIZE;
29650 eppnt = elf_phdata;
29651 for (i = 0; i < interp_elf_ex->e_phnum; i++, eppnt++) {
29652 if (eppnt->p_type == PT_LOAD) {
29653 @@ -478,8 +498,8 @@ static unsigned long load_elf_interp(str
29654 k = load_addr + eppnt->p_vaddr;
29656 eppnt->p_filesz > eppnt->p_memsz ||
29657 - eppnt->p_memsz > TASK_SIZE ||
29658 - TASK_SIZE - eppnt->p_memsz < k) {
29659 + eppnt->p_memsz > pax_task_size ||
29660 + pax_task_size - eppnt->p_memsz < k) {
29664 @@ -533,6 +553,177 @@ out:
29668 +#if (defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)) && defined(CONFIG_PAX_SOFTMODE)
29669 +static unsigned long pax_parse_softmode(const struct elf_phdr * const elf_phdata)
29671 + unsigned long pax_flags = 0UL;
29673 +#ifdef CONFIG_PAX_PAGEEXEC
29674 + if (elf_phdata->p_flags & PF_PAGEEXEC)
29675 + pax_flags |= MF_PAX_PAGEEXEC;
29678 +#ifdef CONFIG_PAX_SEGMEXEC
29679 + if (elf_phdata->p_flags & PF_SEGMEXEC)
29680 + pax_flags |= MF_PAX_SEGMEXEC;
29683 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29684 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29685 + if ((__supported_pte_mask & _PAGE_NX))
29686 + pax_flags &= ~MF_PAX_SEGMEXEC;
29688 + pax_flags &= ~MF_PAX_PAGEEXEC;
29692 +#ifdef CONFIG_PAX_EMUTRAMP
29693 + if (elf_phdata->p_flags & PF_EMUTRAMP)
29694 + pax_flags |= MF_PAX_EMUTRAMP;
29697 +#ifdef CONFIG_PAX_MPROTECT
29698 + if (elf_phdata->p_flags & PF_MPROTECT)
29699 + pax_flags |= MF_PAX_MPROTECT;
29702 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29703 + if (randomize_va_space && (elf_phdata->p_flags & PF_RANDMMAP))
29704 + pax_flags |= MF_PAX_RANDMMAP;
29707 + return pax_flags;
29711 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29712 +static unsigned long pax_parse_hardmode(const struct elf_phdr * const elf_phdata)
29714 + unsigned long pax_flags = 0UL;
29716 +#ifdef CONFIG_PAX_PAGEEXEC
29717 + if (!(elf_phdata->p_flags & PF_NOPAGEEXEC))
29718 + pax_flags |= MF_PAX_PAGEEXEC;
29721 +#ifdef CONFIG_PAX_SEGMEXEC
29722 + if (!(elf_phdata->p_flags & PF_NOSEGMEXEC))
29723 + pax_flags |= MF_PAX_SEGMEXEC;
29726 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29727 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29728 + if ((__supported_pte_mask & _PAGE_NX))
29729 + pax_flags &= ~MF_PAX_SEGMEXEC;
29731 + pax_flags &= ~MF_PAX_PAGEEXEC;
29735 +#ifdef CONFIG_PAX_EMUTRAMP
29736 + if (!(elf_phdata->p_flags & PF_NOEMUTRAMP))
29737 + pax_flags |= MF_PAX_EMUTRAMP;
29740 +#ifdef CONFIG_PAX_MPROTECT
29741 + if (!(elf_phdata->p_flags & PF_NOMPROTECT))
29742 + pax_flags |= MF_PAX_MPROTECT;
29745 +#if defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)
29746 + if (randomize_va_space && !(elf_phdata->p_flags & PF_NORANDMMAP))
29747 + pax_flags |= MF_PAX_RANDMMAP;
29750 + return pax_flags;
29754 +#ifdef CONFIG_PAX_EI_PAX
29755 +static unsigned long pax_parse_ei_pax(const struct elfhdr * const elf_ex)
29757 + unsigned long pax_flags = 0UL;
29759 +#ifdef CONFIG_PAX_PAGEEXEC
29760 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_PAGEEXEC))
29761 + pax_flags |= MF_PAX_PAGEEXEC;
29764 +#ifdef CONFIG_PAX_SEGMEXEC
29765 + if (!(elf_ex->e_ident[EI_PAX] & EF_PAX_SEGMEXEC))
29766 + pax_flags |= MF_PAX_SEGMEXEC;
29769 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_PAX_SEGMEXEC)
29770 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) == (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29771 + if ((__supported_pte_mask & _PAGE_NX))
29772 + pax_flags &= ~MF_PAX_SEGMEXEC;
29774 + pax_flags &= ~MF_PAX_PAGEEXEC;
29778 +#ifdef CONFIG_PAX_EMUTRAMP
29779 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && (elf_ex->e_ident[EI_PAX] & EF_PAX_EMUTRAMP))
29780 + pax_flags |= MF_PAX_EMUTRAMP;
29783 +#ifdef CONFIG_PAX_MPROTECT
29784 + if ((pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) && !(elf_ex->e_ident[EI_PAX] & EF_PAX_MPROTECT))
29785 + pax_flags |= MF_PAX_MPROTECT;
29788 +#ifdef CONFIG_PAX_ASLR
29789 + if (randomize_va_space && !(elf_ex->e_ident[EI_PAX] & EF_PAX_RANDMMAP))
29790 + pax_flags |= MF_PAX_RANDMMAP;
29793 + return pax_flags;
29797 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29798 +static long pax_parse_elf_flags(const struct elfhdr * const elf_ex, const struct elf_phdr * const elf_phdata)
29800 + unsigned long pax_flags = 0UL;
29802 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29806 +#ifdef CONFIG_PAX_EI_PAX
29807 + pax_flags = pax_parse_ei_pax(elf_ex);
29810 +#ifdef CONFIG_PAX_PT_PAX_FLAGS
29811 + for (i = 0UL; i < elf_ex->e_phnum; i++)
29812 + if (elf_phdata[i].p_type == PT_PAX_FLAGS) {
29813 + if (((elf_phdata[i].p_flags & PF_PAGEEXEC) && (elf_phdata[i].p_flags & PF_NOPAGEEXEC)) ||
29814 + ((elf_phdata[i].p_flags & PF_SEGMEXEC) && (elf_phdata[i].p_flags & PF_NOSEGMEXEC)) ||
29815 + ((elf_phdata[i].p_flags & PF_EMUTRAMP) && (elf_phdata[i].p_flags & PF_NOEMUTRAMP)) ||
29816 + ((elf_phdata[i].p_flags & PF_MPROTECT) && (elf_phdata[i].p_flags & PF_NOMPROTECT)) ||
29817 + ((elf_phdata[i].p_flags & PF_RANDMMAP) && (elf_phdata[i].p_flags & PF_NORANDMMAP)))
29820 +#ifdef CONFIG_PAX_SOFTMODE
29821 + if (pax_softmode)
29822 + pax_flags = pax_parse_softmode(&elf_phdata[i]);
29826 + pax_flags = pax_parse_hardmode(&elf_phdata[i]);
29831 + if (0 > pax_check_flags(&pax_flags))
29834 + current->mm->pax_flags = pax_flags;
29840 * These are the functions used to load ELF style executables and shared
29841 * libraries. There is no binary dependent code anywhere else.
29842 @@ -549,6 +740,11 @@ static unsigned long randomize_stack_top
29844 unsigned int random_variable = 0;
29846 +#ifdef CONFIG_PAX_RANDUSTACK
29847 + if (randomize_va_space)
29848 + return stack_top - current->mm->delta_stack;
29851 if ((current->flags & PF_RANDOMIZE) &&
29852 !(current->personality & ADDR_NO_RANDOMIZE)) {
29853 random_variable = get_random_int() & STACK_RND_MASK;
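Review bot: The early return at L18506–L18507 makes the PaX delta authoritative and skips the PF_RANDOMIZE / ADDR_NO_RANDOMIZE branch that follows at L18508–L18509, so once randomize_va_space is set the personality no longer influences the stack top. Because delta_stack is zeroed at exec (L18540) and only filled in when MF_PAX_RANDMMAP is set (L18569), a task without that flag comes back with an unrandomised stack top even where the vanilla branch would have randomised it. If that precedence is intended, say so above the return: `/* PaX: delta_stack (0 when RANDMMAP is off) replaces the PF_RANDOMIZE/ADDR_NO_RANDOMIZE logic below */`. randomize_stack_top's body continues outside the hunk.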
29854 @@ -567,7 +763,7 @@ static int load_elf_binary(struct linux_
29855 unsigned long load_addr = 0, load_bias = 0;
29856 int load_addr_set = 0;
29857 char * elf_interpreter = NULL;
29858 - unsigned long error;
29859 + unsigned long error = 0;
29860 struct elf_phdr *elf_ppnt, *elf_phdata;
29861 unsigned long elf_bss, elf_brk;
29863 @@ -577,11 +773,11 @@ static int load_elf_binary(struct linux_
29864 unsigned long start_code, end_code, start_data, end_data;
29865 unsigned long reloc_func_desc = 0;
29866 int executable_stack = EXSTACK_DEFAULT;
29867 - unsigned long def_flags = 0;
29869 struct elfhdr elf_ex;
29870 struct elfhdr interp_elf_ex;
29872 + unsigned long pax_task_size = TASK_SIZE;
29874 loc = kmalloc(sizeof(*loc), GFP_KERNEL);
29876 @@ -719,11 +915,80 @@ static int load_elf_binary(struct linux_
29878 /* OK, This is the point of no return */
29879 current->flags &= ~PF_FORKNOEXEC;
29880 - current->mm->def_flags = def_flags;
29882 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
29883 + current->mm->pax_flags = 0UL;
29886 +#ifdef CONFIG_PAX_DLRESOLVE
29887 + current->mm->call_dl_resolve = 0UL;
29890 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
29891 + current->mm->call_syscall = 0UL;
29894 +#ifdef CONFIG_PAX_ASLR
29895 + current->mm->delta_mmap = 0UL;
29896 + current->mm->delta_stack = 0UL;
29899 + current->mm->def_flags = 0;
29901 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS)
29902 + if (0 > pax_parse_elf_flags(&loc->elf_ex, elf_phdata)) {
29903 + send_sig(SIGKILL, current, 0);
29904 + goto out_free_dentry;
29908 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
29909 + pax_set_initial_flags(bprm);
29910 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
29911 + if (pax_set_initial_flags_func)
29912 + (pax_set_initial_flags_func)(bprm);
29915 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
29916 + if ((current->mm->pax_flags & MF_PAX_PAGEEXEC) && !(__supported_pte_mask & _PAGE_NX)) {
29917 + current->mm->context.user_cs_limit = PAGE_SIZE;
29918 + current->mm->def_flags |= VM_PAGEEXEC;
29922 +#ifdef CONFIG_PAX_SEGMEXEC
29923 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
29924 + current->mm->context.user_cs_base = SEGMEXEC_TASK_SIZE;
29925 + current->mm->context.user_cs_limit = TASK_SIZE-SEGMEXEC_TASK_SIZE;
29926 + pax_task_size = SEGMEXEC_TASK_SIZE;
29930 +#if defined(CONFIG_ARCH_TRACK_EXEC_LIMIT) || defined(CONFIG_PAX_SEGMEXEC)
29931 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29932 + set_user_cs(current->mm->context.user_cs_base, current->mm->context.user_cs_limit, get_cpu());
29937 /* Do this immediately, since STACK_TOP as used in setup_arg_pages
29938 may depend on the personality. */
29939 SET_PERSONALITY(loc->elf_ex);
29941 +#ifdef CONFIG_PAX_ASLR
29942 + if (current->mm->pax_flags & MF_PAX_RANDMMAP) {
29943 + current->mm->delta_mmap = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN)-1)) << PAGE_SHIFT;
29944 + current->mm->delta_stack = (pax_get_random_long() & ((1UL << PAX_DELTA_STACK_LEN)-1)) << PAGE_SHIFT;
29948 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
29949 + if (current->mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
29950 + executable_stack = EXSTACK_DISABLE_X;
29951 + current->personality &= ~READ_IMPLIES_EXEC;
29955 if (elf_read_implies_exec(loc->elf_ex, executable_stack))
29956 current->personality |= READ_IMPLIES_EXEC;
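Review bot: The failure path at L18543–L18545 sends SIGKILL and jumps to out_free_dentry without assigning retval, so unless a line not shown here sets it, load_elf_binary returns whatever retval held from the preceding call — presumably 0 after a successful flush_old_exec — i.e. a "success" return for a process that has just been killed with a half-initialised mm. As far as I recall the upstream loader, every other send_sig(SIGKILL) exit in this function is paired with an explicit error; add `retval = -EINVAL;` before `goto out_free_dentry;` to match. Separately, pax_set_initial_flags_func at L18549–L18550 is a global function pointer dereferenced on every exec; if it is a plain writable global (its declaration is not shown), a comment on who may set it and when would document the trust placed in it. The enclosing function starts and ends outside the hunk.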
29958 @@ -805,6 +1070,20 @@ static int load_elf_binary(struct linux_
29960 load_bias = ELF_PAGESTART(ELF_ET_DYN_BASE - vaddr);
29963 +#ifdef CONFIG_PAX_RANDMMAP
29964 + /* PaX: randomize base address at the default exe base if requested */
29965 + if ((current->mm->pax_flags & MF_PAX_RANDMMAP) && elf_interpreter) {
29966 +#ifdef CONFIG_SPARC64
29967 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << (PAGE_SHIFT+1);
29969 + load_bias = (pax_get_random_long() & ((1UL << PAX_DELTA_MMAP_LEN) - 1)) << PAGE_SHIFT;
29971 + load_bias = ELF_PAGESTART(PAX_ELF_ET_DYN_BASE - vaddr + load_bias);
29972 + elf_flags |= MAP_FIXED;
29978 error = elf_map(bprm->file, load_bias + vaddr, elf_ppnt,
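Review bot: The randomised first-segment mapping at L18582–L18585 is forced with MAP_FIXED, which silently replaces anything already mapped in the chosen range instead of failing, and nothing in the hunk verifies the range is free; by this point the stack has already been set up earlier in load_elf_binary (outside the hunk). The bias is bounded by PAX_DELTA_MMAP_LEN, so the collision is presumably excluded by the per-arch constants, but that reasoning lives in the headers, not here — a comment above L18585 stating why PAX_ELF_ET_DYN_BASE plus the maximum delta cannot reach the stack mapping would make the invariant reviewable. The `elf_interpreter` condition at L18580 (no randomisation for an ET_DYN binary without an interpreter) also deserves a one-line rationale.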
29979 @@ -837,9 +1116,9 @@ static int load_elf_binary(struct linux_
29980 * allowed task size. Note that p_filesz must always be
29981 * <= p_memsz so it is only necessary to check p_memsz.
29983 - if (BAD_ADDR(k) || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29984 - elf_ppnt->p_memsz > TASK_SIZE ||
29985 - TASK_SIZE - elf_ppnt->p_memsz < k) {
29986 + if (k >= pax_task_size || elf_ppnt->p_filesz > elf_ppnt->p_memsz ||
29987 + elf_ppnt->p_memsz > pax_task_size ||
29988 + pax_task_size - elf_ppnt->p_memsz < k) {
29989 /* set_brk can never work. Avoid overflows. */
29990 send_sig(SIGKILL, current, 0);
29992 @@ -867,6 +1146,11 @@ static int load_elf_binary(struct linux_
29993 start_data += load_bias;
29994 end_data += load_bias;
29996 +#ifdef CONFIG_PAX_RANDMMAP
29997 + if (current->mm->pax_flags & MF_PAX_RANDMMAP)
29998 + elf_brk += PAGE_SIZE + ((pax_get_random_long() & ~PAGE_MASK) << 4);
30001 /* Calling set_brk effectively mmaps the pages that we need
30002 * for the bss and break sections. We must do this before
30003 * mapping in the interpreter, to make sure it doesn't wind
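Review bot: The brk randomisation at L18603 adds up to PAGE_SIZE plus a sub-page value shifted by 4 to elf_brk after the segment bounds were validated against pax_task_size (L18593–L18595), so the padded brk is no longer covered by that check and can land beyond pax_task_size for an executable mapped close to the limit. The subsequent set_brk presumably rejects it (its code is outside the hunk), but that turns a valid binary into an intermittent exec failure rather than a clamped pad; re-check elf_brk against pax_task_size after the addition, or skip the pad when it would not fit. `<< 4` is also a magic shift — give the pad range a named constant and a comment stating the intended maximum. load_elf_binary starts and ends outside the hunk.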
30004 @@ -878,9 +1162,11 @@ static int load_elf_binary(struct linux_
30005 goto out_free_dentry;
30007 if (likely(elf_bss != elf_brk) && unlikely(padzero(elf_bss))) {
30008 - send_sig(SIGSEGV, current, 0);
30009 - retval = -EFAULT; /* Nobody gets to see this, but.. */
30010 - goto out_free_dentry;
30012 + * This bss-zeroing can fail if the ELF
30013 + * file specifies odd protections. So
30014 + * we don't check the return value
30018 if (elf_interpreter) {
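Review bot: The `if` at L18609 now has a body consisting only of a comment, so padzero() is still evaluated for its side effect while its result is discarded; to a reader this looks like a dropped statement, and it draws an empty-body warning from some compilers. Express the intent directly, `if (elf_bss != elf_brk) (void)padzero(elf_bss);`, and keep the explanatory comment above it. Since this check used to be fatal, the comment should also state what state the process is left in when zeroing fails (file bytes past elf_bss remain in the last mapped page) so the next reader knows the consequence was considered. load_elf_binary starts and ends outside the hunk.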
30019 @@ -1091,7 +1377,7 @@ out:
30020 * Decide what to dump of a segment, part, all or none.
30022 static unsigned long vma_dump_size(struct vm_area_struct *vma,
30023 - unsigned long mm_flags)
30024 + unsigned long mm_flags, long signr)
30026 #define FILTER(type) (mm_flags & (1UL << MMF_DUMP_##type))
30028 @@ -1125,7 +1411,7 @@ static unsigned long vma_dump_size(struc
30029 if (vma->vm_file == NULL)
30032 - if (FILTER(MAPPED_PRIVATE))
30033 + if (signr == SIGKILL || FILTER(MAPPED_PRIVATE))
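Review bot: The `signr == SIGKILL` short-circuit at L18626 overrides the MMF_DUMP_MAPPED_PRIVATE bit of the dump filter, so a core produced for a SIGKILL includes private file mappings regardless of the policy set through /proc/PID/coredump_filter. SIGKILL does not trigger a core dump in the upstream kernel, so which caller reaches this with signr == SIGKILL is not obvious from the code; a comment naming that source (presumably the PaX/grsecurity kill paths elsewhere in this patch) and why private mappings must be captured in that case would keep the filter bypass from looking accidental. vma_dump_size begins and ends outside the hunk.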
30037 @@ -1347,9 +1633,9 @@ static void fill_auxv_note(struct memelf
30039 elf_addr_t *auxv = (elf_addr_t *) mm->saved_auxv;
30044 - while (auxv[i - 2] != AT_NULL);
30045 + } while (auxv[i - 2] != AT_NULL);
30046 fill_note(note, "CORE", NT_AUXV, i * sizeof(elf_addr_t), auxv);
30049 @@ -1855,14 +2141,14 @@ static void fill_extnum_info(struct elfh
30052 static size_t elf_core_vma_data_size(struct vm_area_struct *gate_vma,
30053 - unsigned long mm_flags)
30054 + struct coredump_params *cprm)
30056 struct vm_area_struct *vma;
30059 for (vma = first_vma(current, gate_vma); vma != NULL;
30060 vma = next_vma(vma, gate_vma))
30061 - size += vma_dump_size(vma, mm_flags);
30062 + size += vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30066 @@ -1956,7 +2242,7 @@ static int elf_core_dump(struct coredump
30068 dataoff = offset = roundup(offset, ELF_EXEC_PAGESIZE);
30070 - offset += elf_core_vma_data_size(gate_vma, cprm->mm_flags);
30071 + offset += elf_core_vma_data_size(gate_vma, cprm);
30072 offset += elf_core_extra_data_size();
30075 @@ -1970,10 +2256,12 @@ static int elf_core_dump(struct coredump
30078 size += sizeof(*elf);
30079 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30080 if (size > cprm->limit || !dump_write(cprm->file, elf, sizeof(*elf)))
30083 size += sizeof(*phdr4note);
30084 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30085 if (size > cprm->limit
30086 || !dump_write(cprm->file, phdr4note, sizeof(*phdr4note)))
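Review bot: Each `gr_learn_resource(current, RLIMIT_CORE, size, 1)` at L18648 and L18651 is a prelude to the `size > cprm->limit` test on the following line, and the same pair recurs at L18665, L18676 and L18682; the two can drift apart, and L18676 already has to pass `size + PAGE_SIZE` by hand to stay in step with the `size += PAGE_SIZE` buried in the condition. A small static helper that records and tests in one place, e.g. `static bool elf_core_size_ok(struct coredump_params *cprm, size_t size) { gr_learn_resource(current, RLIMIT_CORE, size, 1); return size <= cprm->limit; }` (using whatever type `size` is declared with outside the hunk), would keep learning and enforcement in lockstep. elf_core_dump begins and ends outside the hunk.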
30088 @@ -1987,7 +2275,7 @@ static int elf_core_dump(struct coredump
30089 phdr.p_offset = offset;
30090 phdr.p_vaddr = vma->vm_start;
30092 - phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags);
30093 + phdr.p_filesz = vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30094 phdr.p_memsz = vma->vm_end - vma->vm_start;
30095 offset += phdr.p_filesz;
30096 phdr.p_flags = vma->vm_flags & VM_READ ? PF_R : 0;
30097 @@ -1998,6 +2286,7 @@ static int elf_core_dump(struct coredump
30098 phdr.p_align = ELF_EXEC_PAGESIZE;
30100 size += sizeof(phdr);
30101 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30102 if (size > cprm->limit
30103 || !dump_write(cprm->file, &phdr, sizeof(phdr)))
30105 @@ -2022,7 +2311,7 @@ static int elf_core_dump(struct coredump
30106 unsigned long addr;
30109 - end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags);
30110 + end = vma->vm_start + vma_dump_size(vma, cprm->mm_flags, cprm->signr);
30112 for (addr = vma->vm_start; addr < end; addr += PAGE_SIZE) {
30114 @@ -2031,6 +2320,7 @@ static int elf_core_dump(struct coredump
30115 page = get_dump_page(addr);
30117 void *kaddr = kmap(page);
30118 + gr_learn_resource(current, RLIMIT_CORE, size + PAGE_SIZE, 1);
30119 stop = ((size += PAGE_SIZE) > cprm->limit) ||
30120 !dump_write(cprm->file, kaddr,
30122 @@ -2048,6 +2338,7 @@ static int elf_core_dump(struct coredump
30124 if (e_phnum == PN_XNUM) {
30125 size += sizeof(*shdr4extnum);
30126 + gr_learn_resource(current, RLIMIT_CORE, size, 1);
30127 if (size > cprm->limit
30128 || !dump_write(cprm->file, shdr4extnum,
30129 sizeof(*shdr4extnum)))
30130 @@ -2068,6 +2359,97 @@ out:
30132 #endif /* CONFIG_ELF_CORE */
30134 +#ifdef CONFIG_PAX_MPROTECT
30135 +/* PaX: non-PIC ELF libraries need relocations on their executable segments
30136 + * therefore we'll grant them VM_MAYWRITE once during their life. Similarly
30137 + * we'll remove VM_MAYWRITE for good on RELRO segments.
30139 + * The checks favour ld-linux.so behaviour which operates on a per ELF segment
30140 + * basis because we want to allow the common case and not the special ones.
30142 +static void elf_handle_mprotect(struct vm_area_struct *vma, unsigned long newflags)
30144 + struct elfhdr elf_h;
30145 + struct elf_phdr elf_p;
30147 + unsigned long oldflags;
30148 + bool is_textrel_rw, is_textrel_rx, is_relro;
30150 + if (!(vma->vm_mm->pax_flags & MF_PAX_MPROTECT))
30153 + oldflags = vma->vm_flags & (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ);
30154 + newflags &= VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_EXEC | VM_WRITE | VM_READ;
30156 +#ifdef CONFIG_PAX_ELFRELOCS
30157 + /* possible TEXTREL */
30158 + is_textrel_rw = vma->vm_file && !vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYREAD | VM_EXEC | VM_READ) && newflags == (VM_WRITE | VM_READ);
30159 + is_textrel_rx = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYEXEC | VM_MAYWRITE | VM_MAYREAD | VM_WRITE | VM_READ) && newflags == (VM_EXEC | VM_READ);
30161 + is_textrel_rw = false;
30162 + is_textrel_rx = false;
30165 + /* possible RELRO */
30166 + is_relro = vma->vm_file && vma->anon_vma && oldflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ) && newflags == (VM_MAYWRITE | VM_MAYREAD | VM_READ);
30168 + if (!is_textrel_rw && !is_textrel_rx && !is_relro)
30171 + if (sizeof(elf_h) != kernel_read(vma->vm_file, 0UL, (char *)&elf_h, sizeof(elf_h)) ||
30172 + memcmp(elf_h.e_ident, ELFMAG, SELFMAG) ||
30174 +#ifdef CONFIG_PAX_ETEXECRELOCS
30175 + ((is_textrel_rw || is_textrel_rx) && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30177 + ((is_textrel_rw || is_textrel_rx) && elf_h.e_type != ET_DYN) ||
30180 + (is_relro && (elf_h.e_type != ET_DYN && elf_h.e_type != ET_EXEC)) ||
30181 + !elf_check_arch(&elf_h) ||
30182 + elf_h.e_phentsize != sizeof(struct elf_phdr) ||
30183 + elf_h.e_phnum > 65536UL / sizeof(struct elf_phdr))
30186 + for (i = 0UL; i < elf_h.e_phnum; i++) {
30187 + if (sizeof(elf_p) != kernel_read(vma->vm_file, elf_h.e_phoff + i*sizeof(elf_p), (char *)&elf_p, sizeof(elf_p)))
30189 + switch (elf_p.p_type) {
30191 + if (!is_textrel_rw && !is_textrel_rx)
30194 + while ((i+1) * sizeof(elf_dyn) <= elf_p.p_filesz) {
30197 + if (sizeof(dyn) != kernel_read(vma->vm_file, elf_p.p_offset + i*sizeof(dyn), (char *)&dyn, sizeof(dyn)))
30199 + if (dyn.d_tag == DT_NULL)
30201 + if (dyn.d_tag == DT_TEXTREL || (dyn.d_tag == DT_FLAGS && (dyn.d_un.d_val & DF_TEXTREL))) {
30202 + gr_log_textrel(vma);
30203 + if (is_textrel_rw)
30204 + vma->vm_flags |= VM_MAYWRITE;
30206 + /* PaX: disallow write access after relocs are done, hopefully noone else needs it... */
30207 + vma->vm_flags &= ~VM_MAYWRITE;
30214 + case PT_GNU_RELRO:
30217 + if ((elf_p.p_offset >> PAGE_SHIFT) == vma->vm_pgoff && ELF_PAGEALIGN(elf_p.p_memsz) == vma->vm_end - vma->vm_start)
30218 + vma->vm_flags &= ~VM_MAYWRITE;
30225 static int __init init_elf_binfmt(void)
30227 return register_binfmt(&elf_format);
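Review bot: The dynamic-section scan at L18724–L18725 indexes with `i`, the same variable that drives the program-header loop at L18720; the lines between L18723 and L18724 are not shown, so if the PT_DYNAMIC case resets `i` and every path out of it returns this is safe, but a reader cannot tell without checking, and a separate index (say `j`) would make it self-evidently so. The kernel_read calls at L18711, L18721 and L18725 re-read the backing file synchronously from the mprotect path; if the caller (not shown) holds mmap_sem for write at that point, a comment stating why a file read under that lock is acceptable here would help. `65536UL / sizeof(struct elf_phdr)` at L18719 is a magic bound — name it and say where the limit comes from.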
30228 diff -urNp linux-2.6.36.1/fs/binfmt_flat.c linux-2.6.36.1/fs/binfmt_flat.c
30229 --- linux-2.6.36.1/fs/binfmt_flat.c 2010-10-20 16:30:22.000000000 -0400
30230 +++ linux-2.6.36.1/fs/binfmt_flat.c 2010-11-06 18:58:15.000000000 -0400
30231 @@ -567,7 +567,9 @@ static int load_flat_file(struct linux_b
30232 realdatastart = (unsigned long) -ENOMEM;
30233 printk("Unable to allocate RAM for process data, errno %d\n",
30234 (int)-realdatastart);
30235 + down_write(¤t->mm->mmap_sem);
30236 do_munmap(current->mm, textpos, text_len);
30237 + up_write(¤t->mm->mmap_sem);
30238 ret = realdatastart;
30241 @@ -591,8 +593,10 @@ static int load_flat_file(struct linux_b
30243 if (IS_ERR_VALUE(result)) {
30244 printk("Unable to read data+bss, errno %d\n", (int)-result);
30245 + down_write(¤t->mm->mmap_sem);
30246 do_munmap(current->mm, textpos, text_len);
30247 do_munmap(current->mm, realdatastart, len);
30248 + up_write(¤t->mm->mmap_sem);
30252 @@ -661,8 +665,10 @@ static int load_flat_file(struct linux_b
30254 if (IS_ERR_VALUE(result)) {
30255 printk("Unable to read code+data+bss, errno %d\n",(int)-result);
30256 + down_write(¤t->mm->mmap_sem);
30257 do_munmap(current->mm, textpos, text_len + data_len + extra +
30258 MAX_SHARED_LIBS * sizeof(unsigned long));
30259 + up_write(¤t->mm->mmap_sem);
30263 diff -urNp linux-2.6.36.1/fs/binfmt_misc.c linux-2.6.36.1/fs/binfmt_misc.c
30264 --- linux-2.6.36.1/fs/binfmt_misc.c 2010-10-20 16:30:22.000000000 -0400
30265 +++ linux-2.6.36.1/fs/binfmt_misc.c 2010-11-06 18:58:15.000000000 -0400
30266 @@ -694,7 +694,7 @@ static int bm_fill_super(struct super_bl
30267 static struct tree_descr bm_files[] = {
30268 [2] = {"status", &bm_status_operations, S_IWUSR|S_IRUGO},
30269 [3] = {"register", &bm_register_operations, S_IWUSR},
30270 - /* last one */ {""}
30271 + /* last one */ {"", NULL, 0}
30273 int err = simple_fill_super(sb, 0x42494e4d, bm_files);
30275 diff -urNp linux-2.6.36.1/fs/bio.c linux-2.6.36.1/fs/bio.c
30276 --- linux-2.6.36.1/fs/bio.c 2010-10-20 16:30:22.000000000 -0400
30277 +++ linux-2.6.36.1/fs/bio.c 2010-11-11 18:29:28.000000000 -0500
30278 @@ -370,6 +370,9 @@ struct bio *bio_kmalloc(gfp_t gfp_mask,
30282 + if (nr_iovecs > UIO_MAXIOV)
30285 bio = kmalloc(sizeof(struct bio) + nr_iovecs * sizeof(struct bio_vec),
30287 if (unlikely(!bio))
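Review bot: The new guard at L18777 rejects only values above UIO_MAXIOV; if nr_iovecs is a signed int (the hunk header truncates the signature), a negative count passes and the size expression at L18778 is computed with a bogus value before kmalloc presumably rejects it. `if (nr_iovecs < 0 || nr_iovecs > UIO_MAXIOV)` closes that, or make the parameter unsigned. The same applies to the iov_count guard at L18784, where L18781 shows both parameters are int, and nr_segs there is left unchecked entirely. Both enclosing functions continue outside their hunks.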
30288 @@ -697,8 +700,12 @@ static void bio_free_map_data(struct bio
30289 static struct bio_map_data *bio_alloc_map_data(int nr_segs, int iov_count,
30292 - struct bio_map_data *bmd = kmalloc(sizeof(*bmd), gfp_mask);
30293 + struct bio_map_data *bmd;
30295 + if (iov_count > UIO_MAXIOV)
30298 + bmd = kmalloc(sizeof(*bmd), gfp_mask);
30302 @@ -827,6 +834,12 @@ struct bio *bio_copy_user_iov(struct req
30303 end = (uaddr + iov[i].iov_len + PAGE_SIZE - 1) >> PAGE_SHIFT;
30304 start = uaddr >> PAGE_SHIFT;
30307 + * Overflow, abort
30310 + return ERR_PTR(-EINVAL);
30312 nr_pages += end - start;
30313 len += iov[i].iov_len;
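Review bot: The per-iovec overflow check guards the individual `end - start` (its condition sits on lines missing from this view, between L18788 and L18789), but the running total at L18791 is still accumulated into nr_pages, declared outside the hunk; if that is an int, a sequence of large iov_len values can wrap the sum to a negative number that then slips past the `> UIO_MAXIOV` comparisons added elsewhere in this patch, unless the callers already bound the total length. Rejecting a total that can no longer be satisfied, e.g. `if (end - start > UIO_MAXIOV - nr_pages) return ERR_PTR(-EINVAL);` before the addition, would keep the sum consistent with the later allocation limit. The same pattern is at L18798 in __bio_map_user_iov; both functions begin and end outside their hunks.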
30315 @@ -955,6 +968,12 @@ static struct bio *__bio_map_user_iov(st
30316 unsigned long end = (uaddr + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
30317 unsigned long start = uaddr >> PAGE_SHIFT;
30320 + * Overflow, abort
30323 + return ERR_PTR(-EINVAL);
30325 nr_pages += end - start;
30327 * buffer must be aligned to at least hardsector size for now
30328 @@ -982,7 +1001,7 @@ static struct bio *__bio_map_user_iov(st
30329 unsigned long start = uaddr >> PAGE_SHIFT;
30330 const int local_nr_pages = end - start;
30331 const int page_limit = cur_page + local_nr_pages;
30334 ret = get_user_pages_fast(uaddr, local_nr_pages,
30335 write_to_vm, &pages[cur_page]);
30336 if (ret < local_nr_pages) {
30337 @@ -1214,7 +1233,7 @@ static void bio_copy_kern_endio(struct b
30338 const int read = bio_data_dir(bio) == READ;
30339 struct bio_map_data *bmd = bio->bi_private;
30341 - char *p = bmd->sgvecs[0].iov_base;
30342 + char *p = (__force char *)bmd->sgvecs[0].iov_base;
30344 __bio_for_each_segment(bvec, bio, i, 0) {
30345 char *addr = page_address(bvec->bv_page);
30346 diff -urNp linux-2.6.36.1/fs/block_dev.c linux-2.6.36.1/fs/block_dev.c
30347 --- linux-2.6.36.1/fs/block_dev.c 2010-10-20 16:30:22.000000000 -0400
30348 +++ linux-2.6.36.1/fs/block_dev.c 2010-11-06 18:58:15.000000000 -0400
30349 @@ -648,7 +648,7 @@ static bool bd_may_claim(struct block_de
30350 else if (bdev->bd_contains == bdev)
30351 return true; /* is a whole device which isn't held */
30353 - else if (whole->bd_holder == bd_claim)
30354 + else if (whole->bd_holder == (void *)bd_claim)
30355 return true; /* is a partition of a device that is being partitioned */
30356 else if (whole->bd_holder != NULL)
30357 return false; /* is a partition of a held device */
30358 diff -urNp linux-2.6.36.1/fs/btrfs/ctree.c linux-2.6.36.1/fs/btrfs/ctree.c
30359 --- linux-2.6.36.1/fs/btrfs/ctree.c 2010-10-20 16:30:22.000000000 -0400
30360 +++ linux-2.6.36.1/fs/btrfs/ctree.c 2010-11-06 18:58:15.000000000 -0400
30361 @@ -468,9 +468,12 @@ static noinline int __btrfs_cow_block(st
30362 free_extent_buffer(buf);
30363 add_root_to_dirty_list(root);
30365 - if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID)
30366 - parent_start = parent->start;
30368 + if (root->root_key.objectid == BTRFS_TREE_RELOC_OBJECTID) {
30370 + parent_start = parent->start;
30372 + parent_start = 0;
30376 WARN_ON(trans->transid != btrfs_header_generation(parent));
30377 @@ -3763,7 +3766,6 @@ setup_items_for_insert(struct btrfs_tran
30381 - struct btrfs_disk_key disk_key;
30382 btrfs_cpu_key_to_disk(&disk_key, cpu_key);
30383 ret = fixup_low_keys(trans, root, path, &disk_key, 1);
30385 diff -urNp linux-2.6.36.1/fs/btrfs/disk-io.c linux-2.6.36.1/fs/btrfs/disk-io.c
30386 --- linux-2.6.36.1/fs/btrfs/disk-io.c 2010-10-20 16:30:22.000000000 -0400
30387 +++ linux-2.6.36.1/fs/btrfs/disk-io.c 2010-11-06 18:58:15.000000000 -0400
30389 #include "tree-log.h"
30390 #include "free-space-cache.h"
30392 -static struct extent_io_ops btree_extent_io_ops;
30393 +static const struct extent_io_ops btree_extent_io_ops;
30394 static void end_workqueue_fn(struct btrfs_work *work);
30395 static void free_fs_root(struct btrfs_root *root);
30397 @@ -2597,7 +2597,7 @@ out:
30401 -static struct extent_io_ops btree_extent_io_ops = {
30402 +static const struct extent_io_ops btree_extent_io_ops = {
30403 .write_cache_pages_lock_hook = btree_lock_page_hook,
30404 .readpage_end_io_hook = btree_readpage_end_io_hook,
30405 .submit_bio_hook = btree_submit_bio_hook,
30406 diff -urNp linux-2.6.36.1/fs/btrfs/extent_io.h linux-2.6.36.1/fs/btrfs/extent_io.h
30407 --- linux-2.6.36.1/fs/btrfs/extent_io.h 2010-10-20 16:30:22.000000000 -0400
30408 +++ linux-2.6.36.1/fs/btrfs/extent_io.h 2010-11-06 18:58:15.000000000 -0400
30409 @@ -51,36 +51,36 @@ typedef int (extent_submit_bio_hook_t)(s
30410 struct bio *bio, int mirror_num,
30411 unsigned long bio_flags, u64 bio_offset);
30412 struct extent_io_ops {
30413 - int (*fill_delalloc)(struct inode *inode, struct page *locked_page,
30414 + int (* const fill_delalloc)(struct inode *inode, struct page *locked_page,
30415 u64 start, u64 end, int *page_started,
30416 unsigned long *nr_written);
30417 - int (*writepage_start_hook)(struct page *page, u64 start, u64 end);
30418 - int (*writepage_io_hook)(struct page *page, u64 start, u64 end);
30419 + int (* const writepage_start_hook)(struct page *page, u64 start, u64 end);
30420 + int (* const writepage_io_hook)(struct page *page, u64 start, u64 end);
30421 extent_submit_bio_hook_t *submit_bio_hook;
30422 - int (*merge_bio_hook)(struct page *page, unsigned long offset,
30423 + int (* const merge_bio_hook)(struct page *page, unsigned long offset,
30424 size_t size, struct bio *bio,
30425 unsigned long bio_flags);
30426 - int (*readpage_io_hook)(struct page *page, u64 start, u64 end);
30427 - int (*readpage_io_failed_hook)(struct bio *bio, struct page *page,
30428 + int (* const readpage_io_hook)(struct page *page, u64 start, u64 end);
30429 + int (* const readpage_io_failed_hook)(struct bio *bio, struct page *page,
30430 u64 start, u64 end,
30431 struct extent_state *state);
30432 - int (*writepage_io_failed_hook)(struct bio *bio, struct page *page,
30433 + int (* const writepage_io_failed_hook)(struct bio *bio, struct page *page,
30434 u64 start, u64 end,
30435 struct extent_state *state);
30436 - int (*readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30437 + int (* const readpage_end_io_hook)(struct page *page, u64 start, u64 end,
30438 struct extent_state *state);
30439 - int (*writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30440 + int (* const writepage_end_io_hook)(struct page *page, u64 start, u64 end,
30441 struct extent_state *state, int uptodate);
30442 - int (*set_bit_hook)(struct inode *inode, struct extent_state *state,
30443 + int (* const set_bit_hook)(struct inode *inode, struct extent_state *state,
30445 - int (*clear_bit_hook)(struct inode *inode, struct extent_state *state,
30446 + int (* const clear_bit_hook)(struct inode *inode, struct extent_state *state,
30448 - int (*merge_extent_hook)(struct inode *inode,
30449 + int (* const merge_extent_hook)(struct inode *inode,
30450 struct extent_state *new,
30451 struct extent_state *other);
30452 - int (*split_extent_hook)(struct inode *inode,
30453 + int (* const split_extent_hook)(struct inode *inode,
30454 struct extent_state *orig, u64 split);
30455 - int (*write_cache_pages_lock_hook)(struct page *page);
30456 + int (* const write_cache_pages_lock_hook)(struct page *page);
30459 struct extent_io_tree {
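Review bot: `submit_bio_hook` at L18871 is the one member of struct extent_io_ops left as a plain pointer while every other hook becomes `* const`, so after this change the struct still carries exactly one writable function pointer. Unless something assigns it at runtime (nothing in this patch does, and both ops instances become `const` objects), `extent_submit_bio_hook_t * const submit_bio_hook;` closes the gap. A comment on the struct stating that instances are immutable hook tables would document the intent the qualifiers enforce.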
30460 @@ -90,7 +90,7 @@ struct extent_io_tree {
30463 spinlock_t buffer_lock;
30464 - struct extent_io_ops *ops;
30465 + const struct extent_io_ops *ops;
30468 struct extent_state {
30469 diff -urNp linux-2.6.36.1/fs/btrfs/free-space-cache.c linux-2.6.36.1/fs/btrfs/free-space-cache.c
30470 --- linux-2.6.36.1/fs/btrfs/free-space-cache.c 2010-10-20 16:30:22.000000000 -0400
30471 +++ linux-2.6.36.1/fs/btrfs/free-space-cache.c 2010-11-06 18:58:15.000000000 -0400
30472 @@ -1075,8 +1075,6 @@ u64 btrfs_alloc_from_cluster(struct btrf
30475 if (entry->bytes < bytes || entry->offset < min_start) {
30476 - struct rb_node *node;
30478 node = rb_next(&entry->offset_index);
30481 @@ -1227,7 +1225,7 @@ again:
30483 while (entry->bitmap || found_bitmap ||
30484 (!entry->bitmap && entry->bytes < min_bytes)) {
30485 - struct rb_node *node = rb_next(&entry->offset_index);
30486 + node = rb_next(&entry->offset_index);
30488 if (entry->bitmap && entry->bytes > bytes + empty_size) {
30489 ret = btrfs_bitmap_cluster(block_group, entry, cluster,
30490 diff -urNp linux-2.6.36.1/fs/btrfs/inode.c linux-2.6.36.1/fs/btrfs/inode.c
30491 --- linux-2.6.36.1/fs/btrfs/inode.c 2010-10-20 16:30:22.000000000 -0400
30492 +++ linux-2.6.36.1/fs/btrfs/inode.c 2010-11-06 18:58:15.000000000 -0400
30493 @@ -64,7 +64,7 @@ static const struct inode_operations btr
30494 static const struct address_space_operations btrfs_aops;
30495 static const struct address_space_operations btrfs_symlink_aops;
30496 static const struct file_operations btrfs_dir_file_operations;
30497 -static struct extent_io_ops btrfs_extent_io_ops;
30498 +static const struct extent_io_ops btrfs_extent_io_ops;
30500 static struct kmem_cache *btrfs_inode_cachep;
30501 struct kmem_cache *btrfs_trans_handle_cachep;
30502 @@ -6964,7 +6964,7 @@ static const struct file_operations btrf
30503 .fsync = btrfs_sync_file,
30506 -static struct extent_io_ops btrfs_extent_io_ops = {
30507 +static const struct extent_io_ops btrfs_extent_io_ops = {
30508 .fill_delalloc = run_delalloc_range,
30509 .submit_bio_hook = btrfs_submit_bio_hook,
30510 .merge_bio_hook = btrfs_merge_bio_hook,
30511 diff -urNp linux-2.6.36.1/fs/btrfs/relocation.c linux-2.6.36.1/fs/btrfs/relocation.c
30512 --- linux-2.6.36.1/fs/btrfs/relocation.c 2010-10-20 16:30:22.000000000 -0400
30513 +++ linux-2.6.36.1/fs/btrfs/relocation.c 2010-11-06 18:58:15.000000000 -0400
30514 @@ -1239,7 +1239,7 @@ static int __update_reloc_root(struct bt
30516 spin_unlock(&rc->reloc_root_tree.lock);
30518 - BUG_ON((struct btrfs_root *)node->data != root);
30519 + BUG_ON(!node || (struct btrfs_root *)node->data != root);
30522 spin_lock(&rc->reloc_root_tree.lock);
30523 diff -urNp linux-2.6.36.1/fs/cachefiles/bind.c linux-2.6.36.1/fs/cachefiles/bind.c
30524 --- linux-2.6.36.1/fs/cachefiles/bind.c 2010-10-20 16:30:22.000000000 -0400
30525 +++ linux-2.6.36.1/fs/cachefiles/bind.c 2010-11-06 18:58:15.000000000 -0400
30526 @@ -39,13 +39,11 @@ int cachefiles_daemon_bind(struct cachef
30529 /* start by checking things over */
30530 - ASSERT(cache->fstop_percent >= 0 &&
30531 - cache->fstop_percent < cache->fcull_percent &&
30532 + ASSERT(cache->fstop_percent < cache->fcull_percent &&
30533 cache->fcull_percent < cache->frun_percent &&
30534 cache->frun_percent < 100);
30536 - ASSERT(cache->bstop_percent >= 0 &&
30537 - cache->bstop_percent < cache->bcull_percent &&
30538 + ASSERT(cache->bstop_percent < cache->bcull_percent &&
30539 cache->bcull_percent < cache->brun_percent &&
30540 cache->brun_percent < 100);
30542 diff -urNp linux-2.6.36.1/fs/cachefiles/daemon.c linux-2.6.36.1/fs/cachefiles/daemon.c
30543 --- linux-2.6.36.1/fs/cachefiles/daemon.c 2010-10-20 16:30:22.000000000 -0400
30544 +++ linux-2.6.36.1/fs/cachefiles/daemon.c 2010-11-06 18:58:15.000000000 -0400
30545 @@ -195,7 +195,7 @@ static ssize_t cachefiles_daemon_read(st
30549 - if (copy_to_user(_buffer, buffer, n) != 0)
30550 + if (n > sizeof(buffer) || copy_to_user(_buffer, buffer, n) != 0)
30554 @@ -221,7 +221,7 @@ static ssize_t cachefiles_daemon_write(s
30555 if (test_bit(CACHEFILES_DEAD, &cache->flags))
30558 - if (datalen < 0 || datalen > PAGE_SIZE - 1)
30559 + if (datalen > PAGE_SIZE - 1)
30560 return -EOPNOTSUPP;
30562 /* drag the command string into the kernel so we can parse it */
30563 @@ -385,7 +385,7 @@ static int cachefiles_daemon_fstop(struc
30564 if (args[0] != '%' || args[1] != '\0')
30567 - if (fstop < 0 || fstop >= cache->fcull_percent)
30568 + if (fstop >= cache->fcull_percent)
30569 return cachefiles_daemon_range_error(cache, args);
30571 cache->fstop_percent = fstop;
30572 @@ -457,7 +457,7 @@ static int cachefiles_daemon_bstop(struc
30573 if (args[0] != '%' || args[1] != '\0')
30576 - if (bstop < 0 || bstop >= cache->bcull_percent)
30577 + if (bstop >= cache->bcull_percent)
30578 return cachefiles_daemon_range_error(cache, args);
30580 cache->bstop_percent = bstop;
30581 diff -urNp linux-2.6.36.1/fs/cachefiles/rdwr.c linux-2.6.36.1/fs/cachefiles/rdwr.c
30582 --- linux-2.6.36.1/fs/cachefiles/rdwr.c 2010-10-20 16:30:22.000000000 -0400
30583 +++ linux-2.6.36.1/fs/cachefiles/rdwr.c 2010-11-06 18:58:15.000000000 -0400
30584 @@ -945,7 +945,7 @@ int cachefiles_write_page(struct fscache
30587 ret = file->f_op->write(
30588 - file, (const void __user *) data, len, &pos);
30589 + file, (__force const void __user *) data, len, &pos);
30593 diff -urNp linux-2.6.36.1/fs/ceph/dir.c linux-2.6.36.1/fs/ceph/dir.c
30594 --- linux-2.6.36.1/fs/ceph/dir.c 2010-10-20 16:30:22.000000000 -0400
30595 +++ linux-2.6.36.1/fs/ceph/dir.c 2010-11-06 18:58:15.000000000 -0400
30596 @@ -230,7 +230,7 @@ static int ceph_readdir(struct file *fil
30597 struct ceph_client *client = ceph_inode_to_client(inode);
30598 struct ceph_mds_client *mdsc = &client->mdsc;
30599 unsigned frag = fpos_frag(filp->f_pos);
30600 - int off = fpos_off(filp->f_pos);
30601 + unsigned int off = fpos_off(filp->f_pos);
30604 struct ceph_mds_reply_info_parsed *rinfo;
30605 @@ -359,7 +359,7 @@ more:
30606 rinfo = &fi->last_readdir->r_reply_info;
30607 dout("readdir frag %x num %d off %d chunkoff %d\n", frag,
30608 rinfo->dir_nr, off, fi->offset);
30609 - while (off - fi->offset >= 0 && off - fi->offset < rinfo->dir_nr) {
30610 + while (off >= fi->offset && off - fi->offset < rinfo->dir_nr) {
30611 u64 pos = ceph_make_fpos(frag, off);
30612 struct ceph_mds_reply_inode *in =
30613 rinfo->dir_in[off - fi->offset].in;
30614 diff -urNp linux-2.6.36.1/fs/cifs/cifs_uniupr.h linux-2.6.36.1/fs/cifs/cifs_uniupr.h
30615 --- linux-2.6.36.1/fs/cifs/cifs_uniupr.h 2010-10-20 16:30:22.000000000 -0400
30616 +++ linux-2.6.36.1/fs/cifs/cifs_uniupr.h 2010-11-06 18:58:15.000000000 -0400
30617 @@ -132,7 +132,7 @@ const struct UniCaseRange CifsUniUpperRa
30618 {0x0490, 0x04cc, UniCaseRangeU0490},
30619 {0x1e00, 0x1ffc, UniCaseRangeU1e00},
30620 {0xff40, 0xff5a, UniCaseRangeUff40},
30626 diff -urNp linux-2.6.36.1/fs/cifs/link.c linux-2.6.36.1/fs/cifs/link.c
30627 --- linux-2.6.36.1/fs/cifs/link.c 2010-10-20 16:30:22.000000000 -0400
30628 +++ linux-2.6.36.1/fs/cifs/link.c 2010-11-06 18:58:15.000000000 -0400
30629 @@ -216,7 +216,7 @@ cifs_symlink(struct inode *inode, struct
30631 void cifs_put_link(struct dentry *direntry, struct nameidata *nd, void *cookie)
30633 - char *p = nd_get_link(nd);
30634 + const char *p = nd_get_link(nd);
30638 diff -urNp linux-2.6.36.1/fs/compat_binfmt_elf.c linux-2.6.36.1/fs/compat_binfmt_elf.c
30639 --- linux-2.6.36.1/fs/compat_binfmt_elf.c 2010-10-20 16:30:22.000000000 -0400
30640 +++ linux-2.6.36.1/fs/compat_binfmt_elf.c 2010-11-06 18:58:15.000000000 -0400
30641 @@ -30,11 +30,13 @@
30647 #define elfhdr elf32_hdr
30648 #define elf_phdr elf32_phdr
30649 #define elf_shdr elf32_shdr
30650 #define elf_note elf32_note
30651 +#define elf_dyn Elf32_Dyn
30652 #define elf_addr_t Elf32_Addr
30655 diff -urNp linux-2.6.36.1/fs/compat.c linux-2.6.36.1/fs/compat.c
30656 --- linux-2.6.36.1/fs/compat.c 2010-10-20 16:30:22.000000000 -0400
30657 +++ linux-2.6.36.1/fs/compat.c 2010-11-06 18:58:50.000000000 -0400
30658 @@ -593,7 +593,7 @@ ssize_t compat_rw_copy_check_uvector(int
30662 - if (nr_segs > UIO_MAXIOV || nr_segs < 0)
30663 + if (nr_segs > UIO_MAXIOV)
30665 if (nr_segs > fast_segs) {
30667 @@ -1435,14 +1435,12 @@ static int compat_copy_strings(int argc,
30668 if (!kmapped_page || kpos != (pos & PAGE_MASK)) {
30671 -#ifdef CONFIG_STACK_GROWSUP
30672 ret = expand_stack_downwards(bprm->vma, pos);
30674 /* We've exceed the stack rlimit. */
30679 ret = get_user_pages(current, bprm->mm, pos,
30680 1, 1, 1, &page, NULL);
30682 @@ -1488,6 +1486,11 @@ int compat_do_execve(char * filename,
30683 compat_uptr_t __user *envp,
30684 struct pt_regs * regs)
30686 +#ifdef CONFIG_GRKERNSEC
30687 + struct file *old_exec_file;
30688 + struct acl_subject_label *old_acl;
30689 + struct rlimit old_rlim[RLIM_NLIMITS];
30691 struct linux_binprm *bprm;
30693 struct files_struct *displaced;
30694 @@ -1524,6 +1527,14 @@ int compat_do_execve(char * filename,
30695 bprm->filename = filename;
30696 bprm->interp = filename;
30698 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
30699 + retval = -EAGAIN;
30700 + if (gr_handle_nproc())
30702 + retval = -EACCES;
30703 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt))
30706 retval = bprm_mm_init(bprm);
30709 @@ -1553,9 +1564,40 @@ int compat_do_execve(char * filename,
30713 + if (!gr_tpe_allow(file)) {
30714 + retval = -EACCES;
30718 + if (gr_check_crash_exec(file)) {
30719 + retval = -EACCES;
30723 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
30725 + gr_handle_exec_args(bprm, (char __user * __user *)argv);
30727 +#ifdef CONFIG_GRKERNSEC
30728 + old_acl = current->acl;
30729 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
30730 + old_exec_file = current->exec_file;
30732 + current->exec_file = file;
30735 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
30736 + bprm->unsafe & LSM_UNSAFE_SHARE);
30740 retval = search_binary_handler(bprm, regs);
30744 +#ifdef CONFIG_GRKERNSEC
30745 + if (old_exec_file)
30746 + fput(old_exec_file);
30749 /* execve succeeded */
30750 current->fs->in_exec = 0;
30751 @@ -1566,6 +1608,14 @@ int compat_do_execve(char * filename,
30752 put_files_struct(displaced);
30756 +#ifdef CONFIG_GRKERNSEC
30757 + current->acl = old_acl;
30758 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
30759 + fput(current->exec_file);
30760 + current->exec_file = old_exec_file;
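Review bot: The rollback at 30757–30760 calls `fput(current->exec_file)` unconditionally, while the success path at 30745–30746 guards the same kind of call with `if (old_exec_file)`; the rollback is only sound if the label it sits under is reached exclusively after `current->exec_file = file` at 30732, since before that point `old_acl`, `old_rlim` and `old_exec_file` are also still uninitialized. The `goto` targets that decide this are among the lines the rendering dropped, so it cannot be confirmed from the page; a comment pinning the invariant would let a reader check it, e.g. `/* reached only after the exec_file/acl/rlim snapshot above: exec_file is non-NULL here */`. The same structure appears in do_execve in fs/exec.c (hunks @@ -1401 and @@ -1415), and there the `retval = -EAGAIN/-EACCES` assignments sit inside the braces (31046–31053) whereas here they precede the test (30699–30703); one form should be used in both. (`¤t->cred` at 30698 is presumably the page's rendering of `&current->cred`, not a defect in the patch.) compat_do_execve starts and ends outside these hunks.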
30766 diff -urNp linux-2.6.36.1/fs/compat_ioctl.c linux-2.6.36.1/fs/compat_ioctl.c
30767 --- linux-2.6.36.1/fs/compat_ioctl.c 2010-10-20 16:30:22.000000000 -0400
30768 +++ linux-2.6.36.1/fs/compat_ioctl.c 2010-11-06 18:58:15.000000000 -0400
30769 @@ -210,6 +210,8 @@ static int do_video_set_spu_palette(unsi
30771 err = get_user(palp, &up->palette);
30772 err |= get_user(length, &up->length);
30776 up_native = compat_alloc_user_space(sizeof(struct video_spu_palette));
30777 err = put_user(compat_ptr(palp), &up_native->palette);
30778 diff -urNp linux-2.6.36.1/fs/debugfs/inode.c linux-2.6.36.1/fs/debugfs/inode.c
30779 --- linux-2.6.36.1/fs/debugfs/inode.c 2010-10-20 16:30:22.000000000 -0400
30780 +++ linux-2.6.36.1/fs/debugfs/inode.c 2010-11-06 18:58:15.000000000 -0400
30781 @@ -129,7 +129,7 @@ static inline int debugfs_positive(struc
30783 static int debug_fill_super(struct super_block *sb, void *data, int silent)
30785 - static struct tree_descr debug_files[] = {{""}};
30786 + static struct tree_descr debug_files[] = {{"", NULL, 0}};
30788 return simple_fill_super(sb, DEBUGFS_MAGIC, debug_files);
30790 diff -urNp linux-2.6.36.1/fs/dlm/lockspace.c linux-2.6.36.1/fs/dlm/lockspace.c
30791 --- linux-2.6.36.1/fs/dlm/lockspace.c 2010-10-20 16:30:22.000000000 -0400
30792 +++ linux-2.6.36.1/fs/dlm/lockspace.c 2010-11-06 18:58:15.000000000 -0400
30793 @@ -200,7 +200,7 @@ static int dlm_uevent(struct kset *kset,
30797 -static struct kset_uevent_ops dlm_uevent_ops = {
30798 +static const struct kset_uevent_ops dlm_uevent_ops = {
30799 .uevent = dlm_uevent,
30802 diff -urNp linux-2.6.36.1/fs/ecryptfs/inode.c linux-2.6.36.1/fs/ecryptfs/inode.c
30803 --- linux-2.6.36.1/fs/ecryptfs/inode.c 2010-10-20 16:30:22.000000000 -0400
30804 +++ linux-2.6.36.1/fs/ecryptfs/inode.c 2010-11-06 18:58:15.000000000 -0400
30805 @@ -740,7 +740,7 @@ static int ecryptfs_readlink_lower(struc
30808 rc = lower_dentry->d_inode->i_op->readlink(lower_dentry,
30809 - (char __user *)lower_buf,
30810 + (__force char __user *)lower_buf,
30814 @@ -786,7 +786,7 @@ static void *ecryptfs_follow_link(struct
30818 - rc = dentry->d_inode->i_op->readlink(dentry, (char __user *)buf, len);
30819 + rc = dentry->d_inode->i_op->readlink(dentry, (__force char __user *)buf, len);
30823 @@ -801,7 +801,7 @@ out:
30825 ecryptfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr)
30827 - char *buf = nd_get_link(nd);
30828 + const char *buf = nd_get_link(nd);
30829 if (!IS_ERR(buf)) {
30830 /* Free the char* */
30832 diff -urNp linux-2.6.36.1/fs/ecryptfs/miscdev.c linux-2.6.36.1/fs/ecryptfs/miscdev.c
30833 --- linux-2.6.36.1/fs/ecryptfs/miscdev.c 2010-10-20 16:30:22.000000000 -0400
30834 +++ linux-2.6.36.1/fs/ecryptfs/miscdev.c 2010-11-06 18:58:15.000000000 -0400
30835 @@ -328,7 +328,7 @@ check_list:
30836 goto out_unlock_msg_ctx;
30838 if (msg_ctx->msg) {
30839 - if (copy_to_user(&buf[i], packet_length, packet_length_size))
30840 + if (packet_length_size > sizeof(packet_length) || copy_to_user(&buf[i], packet_length, packet_length_size))
30841 goto out_unlock_msg_ctx;
30842 i += packet_length_size;
30843 if (copy_to_user(&buf[i], msg_ctx->msg, msg_ctx->msg_size))
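Review bot: The new bound at 30840 is only meaningful if `packet_length` is an array, because `sizeof(packet_length)` on a pointer would be the pointer width; the declaration is outside the hunk, so the assumption should be stated next to the check, and the 100+ column condition is easier to audit split in two: `if (packet_length_size > sizeof(packet_length)) /* packet_length is a fixed-size array */` then `goto out_unlock_msg_ctx;` followed by the original `copy_to_user` test. Note also that both failures now share the `rc` set before the jump (outside the hunk), which was chosen for a user-pointer fault; an oversized `packet_length_size` is an internal inconsistency rather than a bad user buffer, so consider whether the caller should be able to tell them apart. The enclosing function begins and ends outside the hunk.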
30844 diff -urNp linux-2.6.36.1/fs/exec.c linux-2.6.36.1/fs/exec.c
30845 --- linux-2.6.36.1/fs/exec.c 2010-10-20 16:30:22.000000000 -0400
30846 +++ linux-2.6.36.1/fs/exec.c 2010-11-06 19:14:10.000000000 -0400
30847 @@ -54,12 +54,24 @@
30848 #include <linux/fsnotify.h>
30849 #include <linux/fs_struct.h>
30850 #include <linux/pipe_fs_i.h>
30851 +#include <linux/random.h>
30852 +#include <linux/seq_file.h>
30854 +#ifdef CONFIG_PAX_REFCOUNT
30855 +#include <linux/kallsyms.h>
30856 +#include <linux/kdebug.h>
30859 #include <asm/uaccess.h>
30860 #include <asm/mmu_context.h>
30861 #include <asm/tlb.h>
30862 #include "internal.h"
30864 +#ifdef CONFIG_PAX_HOOK_ACL_FLAGS
30865 +void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
30866 +EXPORT_SYMBOL(pax_set_initial_flags_func);
30870 char core_pattern[CORENAME_MAX_SIZE] = "core";
30871 unsigned int core_pipe_limit;
30872 @@ -113,7 +125,7 @@ SYSCALL_DEFINE1(uselib, const char __use
30875 file = do_filp_open(AT_FDCWD, tmp,
30876 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
30877 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
30878 MAY_READ | MAY_EXEC | MAY_OPEN);
30880 error = PTR_ERR(file);
30881 @@ -161,18 +173,10 @@ static struct page *get_arg_page(struct
30887 -#ifdef CONFIG_STACK_GROWSUP
30889 - ret = expand_stack_downwards(bprm->vma, pos);
30894 - ret = get_user_pages(current, bprm->mm, pos,
30895 - 1, write, 1, &page, NULL);
30897 + if (0 > expand_stack_downwards(bprm->vma, pos))
30899 + if (0 >= get_user_pages(current, bprm->mm, pos, 1, write, 1, &page, NULL))
30903 @@ -245,6 +249,11 @@ static int __bprm_mm_init(struct linux_b
30904 vma->vm_end = STACK_TOP_MAX;
30905 vma->vm_start = vma->vm_end - PAGE_SIZE;
30906 vma->vm_flags = VM_STACK_FLAGS | VM_STACK_INCOMPLETE_SETUP;
30908 +#ifdef CONFIG_PAX_SEGMEXEC
30909 + vma->vm_flags &= ~(VM_EXEC | VM_MAYEXEC);
30912 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
30913 INIT_LIST_HEAD(&vma->anon_vma_chain);
30914 err = insert_vm_struct(mm, vma);
30915 @@ -254,6 +263,12 @@ static int __bprm_mm_init(struct linux_b
30916 mm->stack_vm = mm->total_vm = 1;
30917 up_write(&mm->mmap_sem);
30918 bprm->p = vma->vm_end - sizeof(void *);
30920 +#ifdef CONFIG_PAX_RANDUSTACK
30921 + if (randomize_va_space)
30922 + bprm->p ^= (pax_get_random_long() & ~15) & ~PAGE_MASK;
30927 up_write(&mm->mmap_sem);
30928 @@ -485,7 +500,7 @@ int copy_strings_kernel(int argc, const
30930 mm_segment_t oldfs = get_fs();
30932 - r = copy_strings(argc, (const char __user *const __user *)argv, bprm);
30933 + r = copy_strings(argc, (__force const char __user *const __user *)argv, bprm);
30937 @@ -515,7 +530,8 @@ static int shift_arg_pages(struct vm_are
30938 unsigned long new_end = old_end - shift;
30939 struct mmu_gather *tlb;
30941 - BUG_ON(new_start > new_end);
30942 + if (new_start >= new_end || new_start < mmap_min_addr)
30946 * ensure there are no vmas between where we want to go
30947 @@ -524,6 +540,10 @@ static int shift_arg_pages(struct vm_are
30948 if (vma != find_vma(mm, new_start))
30951 +#ifdef CONFIG_PAX_SEGMEXEC
30952 + BUG_ON(pax_find_mirror_vma(vma));
30956 * cover the whole range: [new_start, old_end)
30958 @@ -619,8 +639,28 @@ int setup_arg_pages(struct linux_binprm
30959 bprm->exec -= stack_shift;
30961 down_write(&mm->mmap_sem);
30963 + /* Move stack pages down in memory. */
30964 + if (stack_shift) {
30965 + ret = shift_arg_pages(vma, stack_shift);
30970 vm_flags = VM_STACK_FLAGS;
30972 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
30973 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
30974 + vm_flags &= ~VM_EXEC;
30976 +#ifdef CONFIG_PAX_MPROTECT
30977 + if (mm->pax_flags & MF_PAX_MPROTECT)
30978 + vm_flags &= ~VM_MAYEXEC;
30985 * Adjust stack execute permissions; explicitly enable for
30986 * EXSTACK_ENABLE_X, disable for EXSTACK_DISABLE_X and leave alone
30987 @@ -639,13 +679,6 @@ int setup_arg_pages(struct linux_binprm
30989 BUG_ON(prev != vma);
30991 - /* Move stack pages down in memory. */
30992 - if (stack_shift) {
30993 - ret = shift_arg_pages(vma, stack_shift);
30998 /* mprotect_fixup is overkill to remove the temporary stack flags */
30999 vma->vm_flags &= ~VM_STACK_INCOMPLETE_SETUP;
31001 @@ -686,7 +719,7 @@ struct file *open_exec(const char *name)
31004 file = do_filp_open(AT_FDCWD, name,
31005 - O_LARGEFILE | O_RDONLY | FMODE_EXEC, 0,
31006 + O_LARGEFILE | O_RDONLY | FMODE_EXEC | FMODE_GREXEC, 0,
31007 MAY_EXEC | MAY_OPEN);
31010 @@ -723,7 +756,7 @@ int kernel_read(struct file *file, loff_
31013 /* The cast to a user pointer is valid due to the set_fs() */
31014 - result = vfs_read(file, (void __user *)addr, count, &pos);
31015 + result = vfs_read(file, (__force void __user *)addr, count, &pos);
31019 @@ -1140,7 +1173,7 @@ int check_unsafe_exec(struct linux_binpr
31023 - if (p->fs->users > n_fs) {
31024 + if (atomic_read(&p->fs->users) > n_fs) {
31025 bprm->unsafe |= LSM_UNSAFE_SHARE;
31028 @@ -1336,6 +1369,11 @@ int do_execve(const char * filename,
31029 const char __user *const __user *envp,
31030 struct pt_regs * regs)
31032 +#ifdef CONFIG_GRKERNSEC
31033 + struct file *old_exec_file;
31034 + struct acl_subject_label *old_acl;
31035 + struct rlimit old_rlim[RLIM_NLIMITS];
31037 struct linux_binprm *bprm;
31039 struct files_struct *displaced;
31040 @@ -1372,6 +1410,18 @@ int do_execve(const char * filename,
31041 bprm->filename = filename;
31042 bprm->interp = filename;
31044 + gr_learn_resource(current, RLIMIT_NPROC, atomic_read(¤t->cred->user->processes), 1);
31046 + if (gr_handle_nproc()) {
31047 + retval = -EAGAIN;
31051 + if (!gr_acl_handle_execve(file->f_dentry, file->f_vfsmnt)) {
31052 + retval = -EACCES;
31056 retval = bprm_mm_init(bprm);
31059 @@ -1401,10 +1451,41 @@ int do_execve(const char * filename,
31063 + if (!gr_tpe_allow(file)) {
31064 + retval = -EACCES;
31068 + if (gr_check_crash_exec(file)) {
31069 + retval = -EACCES;
31073 + gr_log_chroot_exec(file->f_dentry, file->f_vfsmnt);
31075 + gr_handle_exec_args(bprm, argv);
31077 +#ifdef CONFIG_GRKERNSEC
31078 + old_acl = current->acl;
31079 + memcpy(old_rlim, current->signal->rlim, sizeof(old_rlim));
31080 + old_exec_file = current->exec_file;
31082 + current->exec_file = file;
31085 + retval = gr_set_proc_label(file->f_dentry, file->f_vfsmnt,
31086 + bprm->unsafe & LSM_UNSAFE_SHARE);
31090 current->flags &= ~PF_KTHREAD;
31091 retval = search_binary_handler(bprm,regs);
31095 +#ifdef CONFIG_GRKERNSEC
31096 + if (old_exec_file)
31097 + fput(old_exec_file);
31100 /* execve succeeded */
31101 current->fs->in_exec = 0;
31102 @@ -1415,6 +1496,14 @@ int do_execve(const char * filename,
31103 put_files_struct(displaced);
31107 +#ifdef CONFIG_GRKERNSEC
31108 + current->acl = old_acl;
31109 + memcpy(current->signal->rlim, old_rlim, sizeof(old_rlim));
31110 + fput(current->exec_file);
31111 + current->exec_file = old_exec_file;
31117 @@ -1578,6 +1667,217 @@ out:
31121 +int pax_check_flags(unsigned long *flags)
31125 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_SEGMEXEC)
31126 + if (*flags & MF_PAX_SEGMEXEC)
31128 + *flags &= ~MF_PAX_SEGMEXEC;
31129 + retval = -EINVAL;
31133 + if ((*flags & MF_PAX_PAGEEXEC)
31135 +#ifdef CONFIG_PAX_PAGEEXEC
31136 + && (*flags & MF_PAX_SEGMEXEC)
31141 + *flags &= ~MF_PAX_PAGEEXEC;
31142 + retval = -EINVAL;
31145 + if ((*flags & MF_PAX_MPROTECT)
31147 +#ifdef CONFIG_PAX_MPROTECT
31148 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31153 + *flags &= ~MF_PAX_MPROTECT;
31154 + retval = -EINVAL;
31157 + if ((*flags & MF_PAX_EMUTRAMP)
31159 +#ifdef CONFIG_PAX_EMUTRAMP
31160 + && !(*flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC))
31165 + *flags &= ~MF_PAX_EMUTRAMP;
31166 + retval = -EINVAL;
31172 +EXPORT_SYMBOL(pax_check_flags);
31174 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
31175 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp)
31177 + struct task_struct *tsk = current;
31178 + struct mm_struct *mm = current->mm;
31179 + char *buffer_exec = (char *)__get_free_page(GFP_KERNEL);
31180 + char *buffer_fault = (char *)__get_free_page(GFP_KERNEL);
31181 + char *path_exec = NULL;
31182 + char *path_fault = NULL;
31183 + unsigned long start = 0UL, end = 0UL, offset = 0UL;
31185 + if (buffer_exec && buffer_fault) {
31186 + struct vm_area_struct *vma, *vma_exec = NULL, *vma_fault = NULL;
31188 + down_read(&mm->mmap_sem);
31190 + while (vma && (!vma_exec || !vma_fault)) {
31191 + if ((vma->vm_flags & VM_EXECUTABLE) && vma->vm_file)
31193 + if (vma->vm_start <= (unsigned long)pc && (unsigned long)pc < vma->vm_end)
31195 + vma = vma->vm_next;
31198 + path_exec = d_path(&vma_exec->vm_file->f_path, buffer_exec, PAGE_SIZE);
31199 + if (IS_ERR(path_exec))
31200 + path_exec = "<path too long>";
31202 + path_exec = mangle_path(buffer_exec, path_exec, "\t\n\\");
31205 + path_exec = buffer_exec;
31207 + path_exec = "<path too long>";
31211 + start = vma_fault->vm_start;
31212 + end = vma_fault->vm_end;
31213 + offset = vma_fault->vm_pgoff << PAGE_SHIFT;
31214 + if (vma_fault->vm_file) {
31215 + path_fault = d_path(&vma_fault->vm_file->f_path, buffer_fault, PAGE_SIZE);
31216 + if (IS_ERR(path_fault))
31217 + path_fault = "<path too long>";
31219 + path_fault = mangle_path(buffer_fault, path_fault, "\t\n\\");
31220 + if (path_fault) {
31222 + path_fault = buffer_fault;
31224 + path_fault = "<path too long>";
31227 + path_fault = "<anonymous mapping>";
31229 + up_read(&mm->mmap_sem);
31231 + if (tsk->signal->curr_ip)
31232 + printk(KERN_ERR "PAX: From %pI4: execution attempt in: %s, %08lx-%08lx %08lx\n", &tsk->signal->curr_ip, path_fault, start, end, offset);
31234 + printk(KERN_ERR "PAX: execution attempt in: %s, %08lx-%08lx %08lx\n", path_fault, start, end, offset);
31235 + printk(KERN_ERR "PAX: terminating task: %s(%s):%d, uid/euid: %u/%u, "
31236 + "PC: %p, SP: %p\n", path_exec, tsk->comm, task_pid_nr(tsk),
31237 + task_uid(tsk), task_euid(tsk), pc, sp);
31238 + free_page((unsigned long)buffer_exec);
31239 + free_page((unsigned long)buffer_fault);
31240 + pax_report_insns(pc, sp);
31241 + do_coredump(SIGKILL, SIGKILL, regs);
31245 +#ifdef CONFIG_PAX_REFCOUNT
31246 +void pax_report_refcount_overflow(struct pt_regs *regs)
31248 + if (current->signal->curr_ip)
31249 + printk(KERN_ERR "PAX: From %pI4: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31250 + ¤t->signal->curr_ip, current->comm, task_pid_nr(current), current_uid(), current_euid());
31252 + printk(KERN_ERR "PAX: refcount overflow detected in: %s:%d, uid/euid: %u/%u\n",
31253 + current->comm, task_pid_nr(current), current_uid(), current_euid());
31254 + print_symbol(KERN_ERR "PAX: refcount overflow occured at: %s\n", instruction_pointer(regs));
31256 + force_sig_info(SIGKILL, SEND_SIG_FORCED, current);
31260 +#ifdef CONFIG_PAX_USERCOPY
31261 +/* 0: not at all, 1: fully, 2: fully inside frame, -1: partially (implies an error) */
31262 +int object_is_on_stack(const void *obj, unsigned long len)
31264 + const void * const stack = task_stack_page(current);
31265 + const void * const stackend = stack + THREAD_SIZE;
31267 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31268 + const void *frame = NULL;
31269 + const void *oldframe;
31272 + if (obj + len < obj)
31275 + if (obj + len <= stack || stackend <= obj)
31278 + if (obj < stack || stackend < obj + len)
31281 +#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)
31282 + oldframe = __builtin_frame_address(1);
31284 + frame = __builtin_frame_address(2);
31286 + low ----------------------------------------------> high
31287 + [saved bp][saved ip][args][local vars][saved bp][saved ip]
31288 + ^----------------^
31289 + allow copies only within here
31291 + while (stack <= frame && frame < stackend) {
31292 + /* if obj + len extends past the last frame, this
31293 + check won't pass and the next frame will be 0,
31294 + causing us to bail out and correctly report
31295 + the copy as invalid
31297 + if (obj + len <= frame)
31298 + return obj >= oldframe + 2 * sizeof(void *) ? 2 : -1;
31299 + oldframe = frame;
31300 + frame = *(const void * const *)frame;
31309 +void pax_report_leak_to_user(const void *ptr, unsigned long len)
31311 + if (current->signal->curr_ip)
31312 + printk(KERN_ERR "PAX: From %pI4: kernel memory leak attempt detected from %p (%lu bytes)\n",
31313 + ¤t->signal->curr_ip, ptr, len);
31315 + printk(KERN_ERR "PAX: kernel memory leak attempt detected from %p (%lu bytes)\n", ptr, len);
31317 + do_group_exit(SIGKILL);
31320 +void pax_report_overflow_from_user(const void *ptr, unsigned long len)
31322 + if (current->signal->curr_ip)
31323 + printk(KERN_ERR "PAX: From %pI4: kernel memory overflow attempt detected to %p (%lu bytes)\n",
31324 + ¤t->signal->curr_ip, ptr, len);
31326 + printk(KERN_ERR "PAX: kernel memory overflow attempt detected to %p (%lu bytes)\n", ptr, len);
31328 + do_group_exit(SIGKILL);
31332 static int zap_process(struct task_struct *start, int exit_code)
31334 struct task_struct *t;
31335 @@ -1788,17 +2088,17 @@ static void wait_for_dump_helpers(struct
31336 pipe = file->f_path.dentry->d_inode->i_pipe;
31341 + atomic_inc(&pipe->readers);
31342 + atomic_dec(&pipe->writers);
31344 - while ((pipe->readers > 1) && (!signal_pending(current))) {
31345 + while ((atomic_read(&pipe->readers) > 1) && (!signal_pending(current))) {
31346 wake_up_interruptible_sync(&pipe->wait);
31347 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
31353 + atomic_dec(&pipe->readers);
31354 + atomic_inc(&pipe->writers);
31358 @@ -1906,6 +2206,10 @@ void do_coredump(long signr, int exit_co
31360 clear_thread_flag(TIF_SIGPENDING);
31362 + if (signr == SIGKILL || signr == SIGILL)
31363 + gr_handle_brute_attach(current);
31364 + gr_learn_resource(current, RLIMIT_CORE, binfmt->min_coredump, 1);
31366 ispipe = format_corename(corename, signr);
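Review bot: In object_is_on_stack, the wraparound test `if (obj + len < obj)` at 31272 forms a pointer past the object to detect overflow, which ISO C leaves undefined; it works in the kernel presumably only because the build disables that optimisation (`-fno-strict-overflow` in the top-level Makefile), and nothing at the call site says so. Suggest `/* wraparound check; relies on -fno-strict-overflow, pointer overflow is UB in ISO C */` on that line. The frame walk at 31282–31300 likewise depends on `__builtin_frame_address(1)`/`(2)` returning real frames, which is only the case with frame pointers — the `#if defined(CONFIG_FRAME_POINTER) && defined(CONFIG_X86)` guard covers that, but a comment at 31291 noting that the loop terminates when `frame = *(const void * const *)frame` leaves [stack, stackend) (including the 0 the last frame yields, as the inner comment says) would make the exit condition easier to audit. The legend at 31261 is good; consider restating it as a kernel-doc block above the definition so the -1/0/1/2 contract is visible to callers in other files.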
31369 diff -urNp linux-2.6.36.1/fs/ext2/balloc.c linux-2.6.36.1/fs/ext2/balloc.c
31370 --- linux-2.6.36.1/fs/ext2/balloc.c 2010-10-20 16:30:22.000000000 -0400
31371 +++ linux-2.6.36.1/fs/ext2/balloc.c 2010-11-06 18:58:50.000000000 -0400
31372 @@ -1193,7 +1193,7 @@ static int ext2_has_free_blocks(struct e
31374 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31375 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31376 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31377 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31378 sbi->s_resuid != current_fsuid() &&
31379 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
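Review bot: `capable_nolog(CAP_SYS_RESOURCE)` at 31377 replaces `capable()` with no comment saying why this particular check must not be logged; the name suggests the capability test without the audit entry a failed `capable()` produces, and the reason that matters here (presumably that every unprivileged writer trips this test on each allocation once the reserve is reached, so logging it would flood the log with non-denials) belongs at the call site. Suggest `/* nolog: unprivileged writers reach this on every allocation near the reserve; not a policy denial */`. The same applies to ext3_has_free_blocks (fs/ext3/balloc.c @@ -1422) and ext4_has_free_blocks (fs/ext4/balloc.c @@ -518). The enclosing function begins and ends outside the hunk.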
31381 diff -urNp linux-2.6.36.1/fs/ext2/xattr.c linux-2.6.36.1/fs/ext2/xattr.c
31382 --- linux-2.6.36.1/fs/ext2/xattr.c 2010-10-20 16:30:22.000000000 -0400
31383 +++ linux-2.6.36.1/fs/ext2/xattr.c 2010-11-06 18:58:15.000000000 -0400
31388 -# define ea_idebug(f...)
31389 -# define ea_bdebug(f...)
31390 +# define ea_idebug(inode, f...) do {} while (0)
31391 +# define ea_bdebug(bh, f...) do {} while (0)
31394 static int ext2_xattr_set2(struct inode *, struct buffer_head *,
31395 diff -urNp linux-2.6.36.1/fs/ext3/balloc.c linux-2.6.36.1/fs/ext3/balloc.c
31396 --- linux-2.6.36.1/fs/ext3/balloc.c 2010-10-20 16:30:22.000000000 -0400
31397 +++ linux-2.6.36.1/fs/ext3/balloc.c 2010-11-06 18:58:50.000000000 -0400
31398 @@ -1422,7 +1422,7 @@ static int ext3_has_free_blocks(struct e
31400 free_blocks = percpu_counter_read_positive(&sbi->s_freeblocks_counter);
31401 root_blocks = le32_to_cpu(sbi->s_es->s_r_blocks_count);
31402 - if (free_blocks < root_blocks + 1 && !capable(CAP_SYS_RESOURCE) &&
31403 + if (free_blocks < root_blocks + 1 && !capable_nolog(CAP_SYS_RESOURCE) &&
31404 sbi->s_resuid != current_fsuid() &&
31405 (sbi->s_resgid == 0 || !in_group_p (sbi->s_resgid))) {
31407 diff -urNp linux-2.6.36.1/fs/ext3/namei.c linux-2.6.36.1/fs/ext3/namei.c
31408 --- linux-2.6.36.1/fs/ext3/namei.c 2010-10-20 16:30:22.000000000 -0400
31409 +++ linux-2.6.36.1/fs/ext3/namei.c 2010-11-06 18:58:15.000000000 -0400
31410 @@ -1168,7 +1168,7 @@ static struct ext3_dir_entry_2 *do_split
31411 char *data1 = (*bh)->b_data, *data2;
31412 unsigned split, move, size;
31413 struct ext3_dir_entry_2 *de = NULL, *de2;
31417 bh2 = ext3_append (handle, dir, &newblock, &err);
31419 diff -urNp linux-2.6.36.1/fs/ext3/xattr.c linux-2.6.36.1/fs/ext3/xattr.c
31420 --- linux-2.6.36.1/fs/ext3/xattr.c 2010-10-20 16:30:22.000000000 -0400
31421 +++ linux-2.6.36.1/fs/ext3/xattr.c 2010-11-06 18:58:15.000000000 -0400
31426 -# define ea_idebug(f...)
31427 -# define ea_bdebug(f...)
31428 +# define ea_idebug(f...) do {} while (0)
31429 +# define ea_bdebug(f...) do {} while (0)
31432 static void ext3_xattr_cache_insert(struct buffer_head *);
31433 diff -urNp linux-2.6.36.1/fs/ext4/balloc.c linux-2.6.36.1/fs/ext4/balloc.c
31434 --- linux-2.6.36.1/fs/ext4/balloc.c 2010-10-20 16:30:22.000000000 -0400
31435 +++ linux-2.6.36.1/fs/ext4/balloc.c 2010-11-06 18:58:50.000000000 -0400
31436 @@ -518,7 +518,7 @@ int ext4_has_free_blocks(struct ext4_sb_
31437 /* Hm, nope. Are (enough) root reserved blocks available? */
31438 if (sbi->s_resuid == current_fsuid() ||
31439 ((sbi->s_resgid != 0) && in_group_p(sbi->s_resgid)) ||
31440 - capable(CAP_SYS_RESOURCE)) {
31441 + capable_nolog(CAP_SYS_RESOURCE)) {
31442 if (free_blocks >= (nblocks + dirty_blocks))
31445 diff -urNp linux-2.6.36.1/fs/ext4/namei.c linux-2.6.36.1/fs/ext4/namei.c
31446 --- linux-2.6.36.1/fs/ext4/namei.c 2010-10-20 16:30:22.000000000 -0400
31447 +++ linux-2.6.36.1/fs/ext4/namei.c 2010-11-06 18:58:15.000000000 -0400
31448 @@ -1170,7 +1170,7 @@ static struct ext4_dir_entry_2 *do_split
31449 char *data1 = (*bh)->b_data, *data2;
31450 unsigned split, move, size;
31451 struct ext4_dir_entry_2 *de = NULL, *de2;
31455 bh2 = ext4_append (handle, dir, &newblock, &err);
31457 diff -urNp linux-2.6.36.1/fs/ext4/xattr.c linux-2.6.36.1/fs/ext4/xattr.c
31458 --- linux-2.6.36.1/fs/ext4/xattr.c 2010-10-20 16:30:22.000000000 -0400
31459 +++ linux-2.6.36.1/fs/ext4/xattr.c 2010-11-06 18:58:15.000000000 -0400
31464 -# define ea_idebug(f...)
31465 -# define ea_bdebug(f...)
31466 +# define ea_idebug(inode, f...) do {} while (0)
31467 +# define ea_bdebug(bh, f...) do {} while (0)
31470 static void ext4_xattr_cache_insert(struct buffer_head *);
31471 diff -urNp linux-2.6.36.1/fs/fcntl.c linux-2.6.36.1/fs/fcntl.c
31472 --- linux-2.6.36.1/fs/fcntl.c 2010-10-20 16:30:22.000000000 -0400
31473 +++ linux-2.6.36.1/fs/fcntl.c 2010-11-06 18:58:50.000000000 -0400
31474 @@ -224,6 +224,11 @@ int __f_setown(struct file *filp, struct
31478 + if (gr_handle_chroot_fowner(pid, type))
31480 + if (gr_check_protected_task_fowner(pid, type))
31483 f_modown(filp, pid, type, force);
31486 @@ -348,6 +353,7 @@ static long do_fcntl(int fd, unsigned in
31489 case F_DUPFD_CLOEXEC:
31490 + gr_learn_resource(current, RLIMIT_NOFILE, arg, 0);
31491 if (arg >= rlimit(RLIMIT_NOFILE))
31493 err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
31494 diff -urNp linux-2.6.36.1/fs/fifo.c linux-2.6.36.1/fs/fifo.c
31495 --- linux-2.6.36.1/fs/fifo.c 2010-10-20 16:30:22.000000000 -0400
31496 +++ linux-2.6.36.1/fs/fifo.c 2010-11-06 18:58:15.000000000 -0400
31497 @@ -58,10 +58,10 @@ static int fifo_open(struct inode *inode
31499 filp->f_op = &read_pipefifo_fops;
31501 - if (pipe->readers++ == 0)
31502 + if (atomic_inc_return(&pipe->readers) == 1)
31503 wake_up_partner(inode);
31505 - if (!pipe->writers) {
31506 + if (!atomic_read(&pipe->writers)) {
31507 if ((filp->f_flags & O_NONBLOCK)) {
31508 /* suppress POLLHUP until we have
31510 @@ -82,15 +82,15 @@ static int fifo_open(struct inode *inode
31511 * errno=ENXIO when there is no process reading the FIFO.
31514 - if ((filp->f_flags & O_NONBLOCK) && !pipe->readers)
31515 + if ((filp->f_flags & O_NONBLOCK) && !atomic_read(&pipe->readers))
31518 filp->f_op = &write_pipefifo_fops;
31520 - if (!pipe->writers++)
31521 + if (atomic_inc_return(&pipe->writers) == 1)
31522 wake_up_partner(inode);
31524 - if (!pipe->readers) {
31525 + if (!atomic_read(&pipe->readers)) {
31526 wait_for_partner(inode, &pipe->r_counter);
31527 if (signal_pending(current))
31529 @@ -106,11 +106,11 @@ static int fifo_open(struct inode *inode
31531 filp->f_op = &rdwr_pipefifo_fops;
31535 + atomic_inc(&pipe->readers);
31536 + atomic_inc(&pipe->writers);
31539 - if (pipe->readers == 1 || pipe->writers == 1)
31540 + if (atomic_read(&pipe->readers) == 1 || atomic_read(&pipe->writers) == 1)
31541 wake_up_partner(inode);
31544 @@ -124,19 +124,19 @@ static int fifo_open(struct inode *inode
31548 - if (!--pipe->readers)
31549 + if (atomic_dec_and_test(&pipe->readers))
31550 wake_up_interruptible(&pipe->wait);
31551 ret = -ERESTARTSYS;
31555 - if (!--pipe->writers)
31556 + if (atomic_dec_and_test(&pipe->writers))
31557 wake_up_interruptible(&pipe->wait);
31558 ret = -ERESTARTSYS;
31562 - if (!pipe->readers && !pipe->writers)
31563 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers))
31564 free_pipe_info(inode);
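Review bot: The atomic_t conversion at 31502–31563 changes the counters' type but not the concurrency model: `atomic_inc_return(&pipe->readers) == 1` followed by `wake_up_partner`, and the later `atomic_read(...)` tests followed by `wait_for_partner`/`free_pipe_info`, are still read-then-act sequences that are only correct under whatever serialization fifo_open already holds (outside the hunk). Since the motivation is presumably overflow detection on the counters (CONFIG_PAX_REFCOUNT appears elsewhere in this patch) rather than lock-free access, a single comment at the first conversion would prevent a later reader from dropping the lock: `/* atomic_t for refcount overflow checking only; still serialized by the caller's lock */`. The same remark applies to wait_for_dump_helpers in fs/exec.c (@@ -1788), to `fs->users` in fs/fs_struct.c, and to the `pipe->readers` test in fs/fuse/dev.c.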
31567 diff -urNp linux-2.6.36.1/fs/file.c linux-2.6.36.1/fs/file.c
31568 --- linux-2.6.36.1/fs/file.c 2010-10-20 16:30:22.000000000 -0400
31569 +++ linux-2.6.36.1/fs/file.c 2010-11-06 18:58:50.000000000 -0400
31571 #include <linux/slab.h>
31572 #include <linux/vmalloc.h>
31573 #include <linux/file.h>
31574 +#include <linux/security.h>
31575 #include <linux/fdtable.h>
31576 #include <linux/bitops.h>
31577 #include <linux/interrupt.h>
31578 @@ -250,6 +251,7 @@ int expand_files(struct files_struct *fi
31579 * N.B. For clone tasks sharing a files structure, this test
31580 * will limit the total number of files that can be opened.
31582 + gr_learn_resource(current, RLIMIT_NOFILE, nr, 0);
31583 if (nr >= rlimit(RLIMIT_NOFILE))
31586 diff -urNp linux-2.6.36.1/fs/fs_struct.c linux-2.6.36.1/fs/fs_struct.c
31587 --- linux-2.6.36.1/fs/fs_struct.c 2010-10-20 16:30:22.000000000 -0400
31588 +++ linux-2.6.36.1/fs/fs_struct.c 2010-11-06 19:16:06.000000000 -0400
31590 #include <linux/slab.h>
31591 #include <linux/fs_struct.h>
31592 #include <linux/vserver/global.h>
31593 +#include <linux/grsecurity.h>
31596 * Replace the fs->{rootmnt,root} with {mnt,dentry}. Put the old values.
31597 @@ -17,6 +18,7 @@ void set_fs_root(struct fs_struct *fs, s
31598 old_root = fs->root;
31601 + gr_set_chroot_entries(current, path);
31602 spin_unlock(&fs->lock);
31603 if (old_root.dentry)
31604 path_put(&old_root);
31605 @@ -56,6 +58,7 @@ void chroot_fs_refs(struct path *old_roo
31606 && fs->root.mnt == old_root->mnt) {
31607 path_get(new_root);
31608 fs->root = *new_root;
31609 + gr_set_chroot_entries(p, new_root);
31612 if (fs->pwd.dentry == old_root->dentry
31613 @@ -89,7 +92,8 @@ void exit_fs(struct task_struct *tsk)
31615 spin_lock(&fs->lock);
31617 - kill = !--fs->users;
31618 + gr_clear_chroot_entries(tsk);
31619 + kill = !atomic_dec_return(&fs->users);
31620 spin_unlock(&fs->lock);
31623 @@ -102,7 +106,7 @@ struct fs_struct *copy_fs_struct(struct
31624 struct fs_struct *fs = kmem_cache_alloc(fs_cachep, GFP_KERNEL);
31625 /* We don't need to lock fs - think why ;-) */
31628 + atomic_set(&fs->users, 1);
31630 spin_lock_init(&fs->lock);
31631 fs->umask = old->umask;
31632 @@ -122,8 +126,9 @@ int unshare_fs_struct(void)
31634 task_lock(current);
31635 spin_lock(&fs->lock);
31636 - kill = !--fs->users;
31637 + kill = !atomic_dec_return(&fs->users);
31638 current->fs = new_fs;
31639 + gr_set_chroot_entries(current, &new_fs->root);
31640 spin_unlock(&fs->lock);
31641 task_unlock(current);
31643 @@ -142,7 +147,7 @@ EXPORT_SYMBOL(current_umask);
31645 /* to be mentioned only in INIT_TASK */
31646 struct fs_struct init_fs = {
31648 + .users = ATOMIC_INIT(1),
31649 .lock = __SPIN_LOCK_UNLOCKED(init_fs.lock),
31652 @@ -157,12 +162,13 @@ void daemonize_fs_struct(void)
31653 task_lock(current);
31655 spin_lock(&init_fs.lock);
31657 + atomic_inc(&init_fs.users);
31658 spin_unlock(&init_fs.lock);
31660 spin_lock(&fs->lock);
31661 current->fs = &init_fs;
31662 - kill = !--fs->users;
31663 + gr_set_chroot_entries(current, ¤t->fs->root);
31664 + kill = !atomic_dec_return(&fs->users);
31665 spin_unlock(&fs->lock);
31667 task_unlock(current);
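Review bot: At 31663 the argument `&current->fs->root` (rendered here as `¤t->fs->root`) is read through `current->fs` immediately after 31661 assigned it `&init_fs`, so it is `&init_fs.root`; writing `gr_set_chroot_entries(current, &init_fs.root);` says what is meant and matches the `&new_fs->root` form at 31639. The hooks added in set_fs_root (31601), chroot_fs_refs (31609), exit_fs (31618) and unshare_fs_struct (31639) all run under `fs->lock`, a spinlock; whether gr_set_chroot_entries/gr_clear_chroot_entries can sleep or take further locks is not visible here and should be confirmed against their definitions, with a comment at the first call recording the answer. daemonize_fs_struct starts outside the hunk.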
31668 diff -urNp linux-2.6.36.1/fs/fuse/control.c linux-2.6.36.1/fs/fuse/control.c
31669 --- linux-2.6.36.1/fs/fuse/control.c 2010-10-20 16:30:22.000000000 -0400
31670 +++ linux-2.6.36.1/fs/fuse/control.c 2010-11-06 18:58:15.000000000 -0400
31671 @@ -293,7 +293,7 @@ void fuse_ctl_remove_conn(struct fuse_co
31673 static int fuse_ctl_fill_super(struct super_block *sb, void *data, int silent)
31675 - struct tree_descr empty_descr = {""};
31676 + struct tree_descr empty_descr = {"", NULL, 0};
31677 struct fuse_conn *fc;
31680 diff -urNp linux-2.6.36.1/fs/fuse/cuse.c linux-2.6.36.1/fs/fuse/cuse.c
31681 --- linux-2.6.36.1/fs/fuse/cuse.c 2010-10-20 16:30:22.000000000 -0400
31682 +++ linux-2.6.36.1/fs/fuse/cuse.c 2010-11-06 18:58:15.000000000 -0400
31683 @@ -529,8 +529,18 @@ static int cuse_channel_release(struct i
31687 -static struct file_operations cuse_channel_fops; /* initialized during init */
31689 +static const struct file_operations cuse_channel_fops = { /* initialized during init */
31690 + .owner = THIS_MODULE,
31691 + .llseek = no_llseek,
31692 + .read = do_sync_read,
31693 + .aio_read = fuse_dev_read,
31694 + .write = do_sync_write,
31695 + .aio_write = fuse_dev_write,
31696 + .poll = fuse_dev_poll,
31697 + .open = cuse_channel_open,
31698 + .release = cuse_channel_release,
31699 + .fasync = fuse_dev_fasync,
31702 /**************************************************************************
31703 * Misc stuff and module initializatiion
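Review bot: The comment `/* initialized during init */` kept on 31689 is now false — the table is `const` and fully initialized at compile time, and the init-time copy from fuse_dev_operations is deleted in the next hunk — so drop it or replace it with `/* fuse_dev_operations plus cuse open/release */`. Spelling the fields out also means cuse_channel_fops no longer inherits whatever fuse_dev_operations carries: the dev.c section below shows fuse_dev_splice_read and fuse_dev_splice_write exist, and if fuse_dev_operations wires them (not visible here), CUSE devices silently lose `.splice_read`/`.splice_write` with this change. If they are wired, add the two entries and give those functions the same non-static/EXPORT_SYMBOL_GPL treatment the dev.c hunks give fuse_dev_read and friends.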
31704 @@ -576,12 +586,6 @@ static int __init cuse_init(void)
31705 for (i = 0; i < CUSE_CONNTBL_LEN; i++)
31706 INIT_LIST_HEAD(&cuse_conntbl[i]);
31708 - /* inherit and extend fuse_dev_operations */
31709 - cuse_channel_fops = fuse_dev_operations;
31710 - cuse_channel_fops.owner = THIS_MODULE;
31711 - cuse_channel_fops.open = cuse_channel_open;
31712 - cuse_channel_fops.release = cuse_channel_release;
31714 cuse_class = class_create(THIS_MODULE, "cuse");
31715 if (IS_ERR(cuse_class))
31716 return PTR_ERR(cuse_class);
31717 diff -urNp linux-2.6.36.1/fs/fuse/dev.c linux-2.6.36.1/fs/fuse/dev.c
31718 --- linux-2.6.36.1/fs/fuse/dev.c 2010-10-20 16:30:22.000000000 -0400
31719 +++ linux-2.6.36.1/fs/fuse/dev.c 2010-11-06 18:58:15.000000000 -0400
31720 @@ -1049,7 +1049,7 @@ static ssize_t fuse_dev_do_read(struct f
31724 -static ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31725 +ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31726 unsigned long nr_segs, loff_t pos)
31728 struct fuse_copy_state cs;
31729 @@ -1063,6 +1063,8 @@ static ssize_t fuse_dev_read(struct kioc
31730 return fuse_dev_do_read(fc, file, &cs, iov_length(iov, nr_segs));
31733 +EXPORT_SYMBOL_GPL(fuse_dev_read);
31735 static int fuse_dev_pipe_buf_steal(struct pipe_inode_info *pipe,
31736 struct pipe_buffer *buf)
31738 @@ -1106,7 +1108,7 @@ static ssize_t fuse_dev_splice_read(stru
31742 - if (!pipe->readers) {
31743 + if (!atomic_read(&pipe->readers)) {
31744 send_sig(SIGPIPE, current, 0);
31747 @@ -1604,7 +1606,7 @@ static ssize_t fuse_dev_do_write(struct
31751 -static ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31752 +ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31753 unsigned long nr_segs, loff_t pos)
31755 struct fuse_copy_state cs;
31756 @@ -1617,6 +1619,8 @@ static ssize_t fuse_dev_write(struct kio
31757 return fuse_dev_do_write(fc, &cs, iov_length(iov, nr_segs));
31760 +EXPORT_SYMBOL_GPL(fuse_dev_write);
31762 static ssize_t fuse_dev_splice_write(struct pipe_inode_info *pipe,
31763 struct file *out, loff_t *ppos,
31764 size_t len, unsigned int flags)
31765 @@ -1695,7 +1699,7 @@ out:
31769 -static unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31770 +unsigned fuse_dev_poll(struct file *file, poll_table *wait)
31772 unsigned mask = POLLOUT | POLLWRNORM;
31773 struct fuse_conn *fc = fuse_get_conn(file);
31774 @@ -1714,6 +1718,8 @@ static unsigned fuse_dev_poll(struct fil
31778 +EXPORT_SYMBOL_GPL(fuse_dev_poll);
31781 * Abort all requests on the given list (pending or processing)
31783 @@ -1831,7 +1837,7 @@ int fuse_dev_release(struct inode *inode
31785 EXPORT_SYMBOL_GPL(fuse_dev_release);
31787 -static int fuse_dev_fasync(int fd, struct file *file, int on)
31788 +int fuse_dev_fasync(int fd, struct file *file, int on)
31790 struct fuse_conn *fc = fuse_get_conn(file);
31792 @@ -1841,6 +1847,8 @@ static int fuse_dev_fasync(int fd, struc
31793 return fasync_helper(fd, file, on, &fc->fasync);
31796 +EXPORT_SYMBOL_GPL(fuse_dev_fasync);
31798 const struct file_operations fuse_dev_operations = {
31799 .owner = THIS_MODULE,
31800 .llseek = no_llseek,
31801 diff -urNp linux-2.6.36.1/fs/fuse/dir.c linux-2.6.36.1/fs/fuse/dir.c
31802 --- linux-2.6.36.1/fs/fuse/dir.c 2010-10-20 16:30:22.000000000 -0400
31803 +++ linux-2.6.36.1/fs/fuse/dir.c 2010-11-06 18:58:15.000000000 -0400
31804 @@ -1127,7 +1127,7 @@ static char *read_link(struct dentry *de
31808 -static void free_link(char *link)
31809 +static void free_link(const char *link)
31812 free_page((unsigned long) link);
31813 diff -urNp linux-2.6.36.1/fs/fuse/fuse_i.h linux-2.6.36.1/fs/fuse/fuse_i.h
31814 --- linux-2.6.36.1/fs/fuse/fuse_i.h 2010-10-20 16:30:22.000000000 -0400
31815 +++ linux-2.6.36.1/fs/fuse/fuse_i.h 2010-11-06 18:58:15.000000000 -0400
31816 @@ -525,6 +525,16 @@ extern const struct file_operations fuse
31818 extern const struct dentry_operations fuse_dentry_operations;
31820 +extern ssize_t fuse_dev_read(struct kiocb *iocb, const struct iovec *iov,
31821 + unsigned long nr_segs, loff_t pos);
31823 +extern ssize_t fuse_dev_write(struct kiocb *iocb, const struct iovec *iov,
31824 + unsigned long nr_segs, loff_t pos);
31826 +extern unsigned fuse_dev_poll(struct file *file, poll_table *wait);
31828 +extern int fuse_dev_fasync(int fd, struct file *file, int on);
31831 * Inode to nodeid comparison.
31833 diff -urNp linux-2.6.36.1/fs/hfs/inode.c linux-2.6.36.1/fs/hfs/inode.c
31834 --- linux-2.6.36.1/fs/hfs/inode.c 2010-10-20 16:30:22.000000000 -0400
31835 +++ linux-2.6.36.1/fs/hfs/inode.c 2010-11-06 18:58:15.000000000 -0400
31836 @@ -447,7 +447,7 @@ int hfs_write_inode(struct inode *inode,
31838 if (S_ISDIR(main_inode->i_mode)) {
31839 if (fd.entrylength < sizeof(struct hfs_cat_dir))
31842 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31843 sizeof(struct hfs_cat_dir));
31844 if (rec.type != HFS_CDR_DIR ||
31845 @@ -468,7 +468,7 @@ int hfs_write_inode(struct inode *inode,
31846 sizeof(struct hfs_cat_file));
31848 if (fd.entrylength < sizeof(struct hfs_cat_file))
31851 hfs_bnode_read(fd.bnode, &rec, fd.entryoffset,
31852 sizeof(struct hfs_cat_file));
31853 if (rec.type != HFS_CDR_FIL ||
31854 diff -urNp linux-2.6.36.1/fs/hfsplus/inode.c linux-2.6.36.1/fs/hfsplus/inode.c
31855 --- linux-2.6.36.1/fs/hfsplus/inode.c 2010-10-20 16:30:22.000000000 -0400
31856 +++ linux-2.6.36.1/fs/hfsplus/inode.c 2010-11-06 18:58:15.000000000 -0400
31857 @@ -477,7 +477,7 @@ int hfsplus_cat_read_inode(struct inode
31858 struct hfsplus_cat_folder *folder = &entry.folder;
31860 if (fd->entrylength < sizeof(struct hfsplus_cat_folder))
31863 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31864 sizeof(struct hfsplus_cat_folder));
31865 hfsplus_get_perms(inode, &folder->permissions, 1);
31866 @@ -494,7 +494,7 @@ int hfsplus_cat_read_inode(struct inode
31867 struct hfsplus_cat_file *file = &entry.file;
31869 if (fd->entrylength < sizeof(struct hfsplus_cat_file))
31872 hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
31873 sizeof(struct hfsplus_cat_file));
31875 @@ -550,7 +550,7 @@ int hfsplus_cat_write_inode(struct inode
31876 struct hfsplus_cat_folder *folder = &entry.folder;
31878 if (fd.entrylength < sizeof(struct hfsplus_cat_folder))
31881 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31882 sizeof(struct hfsplus_cat_folder));
31883 /* simple node checks? */
31884 @@ -572,7 +572,7 @@ int hfsplus_cat_write_inode(struct inode
31885 struct hfsplus_cat_file *file = &entry.file;
31887 if (fd.entrylength < sizeof(struct hfsplus_cat_file))
31890 hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
31891 sizeof(struct hfsplus_cat_file));
31892 hfsplus_inode_write_fork(inode, &file->data_fork);
31893 diff -urNp linux-2.6.36.1/fs/hugetlbfs/inode.c linux-2.6.36.1/fs/hugetlbfs/inode.c
31894 --- linux-2.6.36.1/fs/hugetlbfs/inode.c 2010-10-20 16:30:22.000000000 -0400
31895 +++ linux-2.6.36.1/fs/hugetlbfs/inode.c 2010-11-06 18:58:50.000000000 -0400
31896 @@ -891,7 +891,7 @@ static struct file_system_type hugetlbfs
31897 .kill_sb = kill_litter_super,
31900 -static struct vfsmount *hugetlbfs_vfsmount;
31901 +struct vfsmount *hugetlbfs_vfsmount;
31903 static int can_do_hugetlb_shm(void)
31905 diff -urNp linux-2.6.36.1/fs/ioctl.c linux-2.6.36.1/fs/ioctl.c
31906 --- linux-2.6.36.1/fs/ioctl.c 2010-10-20 16:30:22.000000000 -0400
31907 +++ linux-2.6.36.1/fs/ioctl.c 2010-11-06 18:58:15.000000000 -0400
31908 @@ -87,7 +87,7 @@ int fiemap_fill_next_extent(struct fiema
31909 u64 phys, u64 len, u32 flags)
31911 struct fiemap_extent extent;
31912 - struct fiemap_extent *dest = fieinfo->fi_extents_start;
31913 + struct fiemap_extent __user *dest = fieinfo->fi_extents_start;
31915 /* only count the extents */
31916 if (fieinfo->fi_extents_max == 0) {
31917 @@ -197,7 +197,7 @@ static int ioctl_fiemap(struct file *fil
31919 fieinfo.fi_flags = fiemap.fm_flags;
31920 fieinfo.fi_extents_max = fiemap.fm_extent_count;
31921 - fieinfo.fi_extents_start = (struct fiemap_extent *)(arg + sizeof(fiemap));
31922 + fieinfo.fi_extents_start = (struct fiemap_extent __user *)(arg + sizeof(fiemap));
31924 if (fiemap.fm_extent_count != 0 &&
31925 !access_ok(VERIFY_WRITE, fieinfo.fi_extents_start,
31926 @@ -210,7 +210,7 @@ static int ioctl_fiemap(struct file *fil
31927 error = inode->i_op->fiemap(inode, &fieinfo, fiemap.fm_start, len);
31928 fiemap.fm_flags = fieinfo.fi_flags;
31929 fiemap.fm_mapped_extents = fieinfo.fi_extents_mapped;
31930 - if (copy_to_user((char *)arg, &fiemap, sizeof(fiemap)))
31931 + if (copy_to_user((__force char __user *)arg, &fiemap, sizeof(fiemap)))
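Review bot: The `__force` on 31931 is unnecessary and inconsistent with the hunk at 197, which converts the same integer `arg` to a `__user` pointer with a plain `(struct fiemap_extent __user *)` cast; an integer-to-pointer cast does not need the address-space override. Write it as `if (copy_to_user((char __user *)arg, &fiemap, sizeof(fiemap)))` so that `__force` stays reserved for places where a sparse address-space check really is being overridden. ioctl_fiemap() begins and ends outside the hunk.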
31935 diff -urNp linux-2.6.36.1/fs/jffs2/debug.h linux-2.6.36.1/fs/jffs2/debug.h
31936 --- linux-2.6.36.1/fs/jffs2/debug.h 2010-10-20 16:30:22.000000000 -0400
31937 +++ linux-2.6.36.1/fs/jffs2/debug.h 2010-11-06 18:58:15.000000000 -0400
31938 @@ -53,13 +53,13 @@
31939 #if CONFIG_JFFS2_FS_DEBUG > 0
31943 +#define D1(x) do {} while (0);
31946 #if CONFIG_JFFS2_FS_DEBUG > 1
31950 +#define D2(x) do {} while (0);
31953 /* The prefixes of JFFS2 messages */
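Review bot: `#define D1(x) do {} while (0);` on 31943 (and D2 on 31950) carries a trailing semicolon, so `D1(...);` at a call site expands to `do {} while (0);;` — harmless as a bare statement, but `if (c) D1(x); else ...` no longer compiles because the second `;` closes the if before the `else`. Drop the semicolon, `#define D1(x) do {} while (0)`, which is also the form the dbg_* macros in the next hunk use. The surrounding `#if CONFIG_JFFS2_FS_DEBUG` branches are only partly visible in the hunk.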
31954 @@ -115,73 +115,73 @@
31955 #ifdef JFFS2_DBG_READINODE_MESSAGES
31956 #define dbg_readinode(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31958 -#define dbg_readinode(fmt, ...)
31959 +#define dbg_readinode(fmt, ...) do {} while (0)
31961 #ifdef JFFS2_DBG_READINODE2_MESSAGES
31962 #define dbg_readinode2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31964 -#define dbg_readinode2(fmt, ...)
31965 +#define dbg_readinode2(fmt, ...) do {} while (0)
31968 /* Fragtree build debugging messages */
31969 #ifdef JFFS2_DBG_FRAGTREE_MESSAGES
31970 #define dbg_fragtree(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31972 -#define dbg_fragtree(fmt, ...)
31973 +#define dbg_fragtree(fmt, ...) do {} while (0)
31975 #ifdef JFFS2_DBG_FRAGTREE2_MESSAGES
31976 #define dbg_fragtree2(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31978 -#define dbg_fragtree2(fmt, ...)
31979 +#define dbg_fragtree2(fmt, ...) do {} while (0)
31982 /* Directory entry list manilulation debugging messages */
31983 #ifdef JFFS2_DBG_DENTLIST_MESSAGES
31984 #define dbg_dentlist(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31986 -#define dbg_dentlist(fmt, ...)
31987 +#define dbg_dentlist(fmt, ...) do {} while (0)
31990 /* Print the messages about manipulating node_refs */
31991 #ifdef JFFS2_DBG_NODEREF_MESSAGES
31992 #define dbg_noderef(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
31994 -#define dbg_noderef(fmt, ...)
31995 +#define dbg_noderef(fmt, ...) do {} while (0)
31998 /* Manipulations with the list of inodes (JFFS2 inocache) */
31999 #ifdef JFFS2_DBG_INOCACHE_MESSAGES
32000 #define dbg_inocache(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32002 -#define dbg_inocache(fmt, ...)
32003 +#define dbg_inocache(fmt, ...) do {} while (0)
32006 /* Summary debugging messages */
32007 #ifdef JFFS2_DBG_SUMMARY_MESSAGES
32008 #define dbg_summary(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32010 -#define dbg_summary(fmt, ...)
32011 +#define dbg_summary(fmt, ...) do {} while (0)
32014 /* File system build messages */
32015 #ifdef JFFS2_DBG_FSBUILD_MESSAGES
32016 #define dbg_fsbuild(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32018 -#define dbg_fsbuild(fmt, ...)
32019 +#define dbg_fsbuild(fmt, ...) do {} while (0)
32022 /* Watch the object allocations */
32023 #ifdef JFFS2_DBG_MEMALLOC_MESSAGES
32024 #define dbg_memalloc(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32026 -#define dbg_memalloc(fmt, ...)
32027 +#define dbg_memalloc(fmt, ...) do {} while (0)
32030 /* Watch the XATTR subsystem */
32031 #ifdef JFFS2_DBG_XATTR_MESSAGES
32032 #define dbg_xattr(fmt, ...) JFFS2_DEBUG(fmt, ##__VA_ARGS__)
32034 -#define dbg_xattr(fmt, ...)
32035 +#define dbg_xattr(fmt, ...) do {} while (0)
32038 /* "Sanity" checks */
32039 diff -urNp linux-2.6.36.1/fs/jffs2/erase.c linux-2.6.36.1/fs/jffs2/erase.c
32040 --- linux-2.6.36.1/fs/jffs2/erase.c 2010-10-20 16:30:22.000000000 -0400
32041 +++ linux-2.6.36.1/fs/jffs2/erase.c 2010-11-06 18:58:15.000000000 -0400
32042 @@ -439,7 +439,8 @@ static void jffs2_mark_erased_block(stru
32043 struct jffs2_unknown_node marker = {
32044 .magic = cpu_to_je16(JFFS2_MAGIC_BITMASK),
32045 .nodetype = cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32046 - .totlen = cpu_to_je32(c->cleanmarker_size)
32047 + .totlen = cpu_to_je32(c->cleanmarker_size),
32048 + .hdr_crc = cpu_to_je32(0)
32051 jffs2_prealloc_raw_node_refs(c, jeb, 1);
32052 diff -urNp linux-2.6.36.1/fs/jffs2/summary.h linux-2.6.36.1/fs/jffs2/summary.h
32053 --- linux-2.6.36.1/fs/jffs2/summary.h 2010-10-20 16:30:22.000000000 -0400
32054 +++ linux-2.6.36.1/fs/jffs2/summary.h 2010-11-06 18:58:15.000000000 -0400
32055 @@ -194,18 +194,18 @@ int jffs2_sum_scan_sumnode(struct jffs2_
32057 #define jffs2_sum_active() (0)
32058 #define jffs2_sum_init(a) (0)
32059 -#define jffs2_sum_exit(a)
32060 -#define jffs2_sum_disable_collecting(a)
32061 +#define jffs2_sum_exit(a) do {} while (0)
32062 +#define jffs2_sum_disable_collecting(a) do {} while (0)
32063 #define jffs2_sum_is_disabled(a) (0)
32064 -#define jffs2_sum_reset_collected(a)
32065 +#define jffs2_sum_reset_collected(a) do {} while (0)
32066 #define jffs2_sum_add_kvec(a,b,c,d) (0)
32067 -#define jffs2_sum_move_collected(a,b)
32068 +#define jffs2_sum_move_collected(a,b) do {} while (0)
32069 #define jffs2_sum_write_sumnode(a) (0)
32070 -#define jffs2_sum_add_padding_mem(a,b)
32071 -#define jffs2_sum_add_inode_mem(a,b,c)
32072 -#define jffs2_sum_add_dirent_mem(a,b,c)
32073 -#define jffs2_sum_add_xattr_mem(a,b,c)
32074 -#define jffs2_sum_add_xref_mem(a,b,c)
32075 +#define jffs2_sum_add_padding_mem(a,b) do {} while (0)
32076 +#define jffs2_sum_add_inode_mem(a,b,c) do {} while (0)
32077 +#define jffs2_sum_add_dirent_mem(a,b,c) do {} while (0)
32078 +#define jffs2_sum_add_xattr_mem(a,b,c) do {} while (0)
32079 +#define jffs2_sum_add_xref_mem(a,b,c) do {} while (0)
32080 #define jffs2_sum_scan_sumnode(a,b,c,d,e) (0)
32082 #endif /* CONFIG_JFFS2_SUMMARY */
32083 diff -urNp linux-2.6.36.1/fs/jffs2/wbuf.c linux-2.6.36.1/fs/jffs2/wbuf.c
32084 --- linux-2.6.36.1/fs/jffs2/wbuf.c 2010-10-20 16:30:22.000000000 -0400
32085 +++ linux-2.6.36.1/fs/jffs2/wbuf.c 2010-11-06 18:58:15.000000000 -0400
32086 @@ -1012,7 +1012,8 @@ static const struct jffs2_unknown_node o
32088 .magic = constant_cpu_to_je16(JFFS2_MAGIC_BITMASK),
32089 .nodetype = constant_cpu_to_je16(JFFS2_NODETYPE_CLEANMARKER),
32090 - .totlen = constant_cpu_to_je32(8)
32091 + .totlen = constant_cpu_to_je32(8),
32092 + .hdr_crc = constant_cpu_to_je32(0)
32096 diff -urNp linux-2.6.36.1/fs/Kconfig.binfmt linux-2.6.36.1/fs/Kconfig.binfmt
32097 --- linux-2.6.36.1/fs/Kconfig.binfmt 2010-10-20 16:30:22.000000000 -0400
32098 +++ linux-2.6.36.1/fs/Kconfig.binfmt 2010-11-06 18:58:15.000000000 -0400
32099 @@ -86,7 +86,7 @@ config HAVE_AOUT
32102 tristate "Kernel support for a.out and ECOFF binaries"
32103 - depends on HAVE_AOUT
32104 + depends on HAVE_AOUT && BROKEN
32106 A.out (Assembler.OUTput) is a set of formats for libraries and
32107 executables used in the earliest versions of UNIX. Linux used
32108 diff -urNp linux-2.6.36.1/fs/lockd/svc.c linux-2.6.36.1/fs/lockd/svc.c
32109 --- linux-2.6.36.1/fs/lockd/svc.c 2010-10-20 16:30:22.000000000 -0400
32110 +++ linux-2.6.36.1/fs/lockd/svc.c 2010-11-06 18:58:15.000000000 -0400
32113 static struct svc_program nlmsvc_program;
32115 -struct nlmsvc_binding * nlmsvc_ops;
32116 +const struct nlmsvc_binding * nlmsvc_ops;
32117 EXPORT_SYMBOL_GPL(nlmsvc_ops);
32119 static DEFINE_MUTEX(nlmsvc_mutex);
32120 diff -urNp linux-2.6.36.1/fs/locks.c linux-2.6.36.1/fs/locks.c
32121 --- linux-2.6.36.1/fs/locks.c 2010-10-20 16:30:22.000000000 -0400
32122 +++ linux-2.6.36.1/fs/locks.c 2010-11-06 18:58:15.000000000 -0400
32123 @@ -2008,16 +2008,16 @@ void locks_remove_flock(struct file *fil
32126 if (filp->f_op && filp->f_op->flock) {
32127 - struct file_lock fl = {
32128 + struct file_lock flock = {
32129 .fl_pid = current->tgid,
32131 .fl_flags = FL_FLOCK,
32132 .fl_type = F_UNLCK,
32133 .fl_end = OFFSET_MAX,
32135 - filp->f_op->flock(filp, F_SETLKW, &fl);
32136 - if (fl.fl_ops && fl.fl_ops->fl_release_private)
32137 - fl.fl_ops->fl_release_private(&fl);
32138 + filp->f_op->flock(filp, F_SETLKW, &flock);
32139 + if (flock.fl_ops && flock.fl_ops->fl_release_private)
32140 + flock.fl_ops->fl_release_private(&flock);
32144 diff -urNp linux-2.6.36.1/fs/namei.c linux-2.6.36.1/fs/namei.c
32145 --- linux-2.6.36.1/fs/namei.c 2010-10-20 16:30:22.000000000 -0400
32146 +++ linux-2.6.36.1/fs/namei.c 2010-11-26 18:18:12.000000000 -0500
32147 @@ -221,14 +221,6 @@ int generic_permission(struct inode *ino
32151 - * Read/write DACs are always overridable.
32152 - * Executable DACs are overridable if at least one exec bit is set.
32154 - if (!(mask & MAY_EXEC) || execute_ok(inode))
32155 - if (capable(CAP_DAC_OVERRIDE))
32159 * Searching includes executable on directories, else just read.
32161 mask &= MAY_READ | MAY_WRITE | MAY_EXEC;
32162 @@ -236,6 +228,14 @@ int generic_permission(struct inode *ino
32163 if (capable(CAP_DAC_READ_SEARCH))
32167 + * Read/write DACs are always overridable.
32168 + * Executable DACs are overridable if at least one exec bit is set.
32170 + if (!(mask & MAY_EXEC) || execute_ok(inode))
32171 + if (capable(CAP_DAC_OVERRIDE))
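Review bot: The CAP_DAC_OVERRIDE block is moved below the CAP_DAC_READ_SEARCH check with no comment saying why the order now matters; the exec_permission hunk at 473 suggests the motive is which capability check gets logged when it fails, but that is an inference. A one-line comment above the moved block, e.g. `/* tested after CAP_DAC_READ_SEARCH so a read/search-only task is not logged for CAP_DAC_OVERRIDE */`, would stop a later cleanup from restoring upstream order. generic_permission() begins and ends outside the hunk.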
32177 @@ -473,7 +473,8 @@ static int exec_permission(struct inode
32181 - if (capable(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH))
32182 + if (capable_nolog(CAP_DAC_OVERRIDE) || capable(CAP_DAC_READ_SEARCH) ||
32183 + capable(CAP_DAC_OVERRIDE))
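Review bot: The third operand `capable(CAP_DAC_OVERRIDE)` on 32183 can never change the result if capable_nolog() differs from capable() only in logging, since the first operand already returned false for the same capability; presumably it is there to emit the audit record only when neither CAP_DAC_OVERRIDE nor CAP_DAC_READ_SEARCH is held. That intent should be written down, e.g. `/* re-test with logging so a denial is recorded only when READ_SEARCH also fails */`, or the expression reads as a redundant check waiting to be removed. exec_permission() begins and ends outside the hunk.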
32187 @@ -542,7 +543,7 @@ __do_follow_link(struct path *path, stru
32188 *p = dentry->d_inode->i_op->follow_link(dentry, nd);
32189 error = PTR_ERR(*p);
32191 - char *s = nd_get_link(nd);
32192 + const char *s = nd_get_link(nd);
32195 error = __vfs_follow_link(nd, s);
32196 @@ -575,6 +576,13 @@ static inline int do_follow_link(struct
32197 err = security_inode_follow_link(path->dentry, nd);
32201 + if (gr_handle_follow_link(path->dentry->d_parent->d_inode,
32202 + path->dentry->d_inode, path->dentry, nd->path.mnt)) {
32207 current->link_count++;
32208 current->total_link_count++;
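Review bot: `path->dentry->d_parent->d_inode` on 32201 reads d_parent without dcache_lock or the parent's i_mutex, so a concurrent rename could change it between the lookup and this call; the directory the component was resolved in is already pinned by the nameidata as `nd->path.dentry`. If the two are the same directory at this point — I believe so for do_follow_link but cannot confirm from the hunk — `gr_handle_follow_link(nd->path.dentry->d_inode, path->dentry->d_inode, path->dentry, nd->path.mnt)` avoids the unlocked d_parent dereference. The body of the new if is not shown, and do_follow_link() begins and ends outside the hunk.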
32210 @@ -967,11 +975,18 @@ return_reval:
32214 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt)) {
32215 + path_put(&nd->path);
32220 path_put_conditional(&next, nd);
32223 + if (!(nd->flags & LOOKUP_PARENT) && !gr_acl_handle_hidden_file(nd->path.dentry, nd->path.mnt))
32226 path_put(&nd->path);
32229 @@ -1486,12 +1501,19 @@ static int __open_namei_create(struct na
32231 struct dentry *dir = nd->path.dentry;
32233 + if (!gr_acl_handle_creat(path->dentry, nd->path.dentry, nd->path.mnt, open_flag, mode)) {
32238 if (!IS_POSIXACL(dir->d_inode))
32239 mode &= ~current_umask();
32240 error = security_path_mknod(&nd->path, path->dentry, mode, 0);
32243 error = vfs_create(dir->d_inode, path->dentry, mode, nd);
32245 + gr_handle_create(path->dentry, nd->path.mnt);
32247 mutex_unlock(&dir->d_inode->i_mutex);
32248 dput(nd->path.dentry);
32249 @@ -1594,6 +1616,7 @@ static struct file *do_last(struct namei
32250 int mode, const char *pathname)
32252 struct dentry *dir = nd->path.dentry;
32253 + int flag = open_to_namei_flags(open_flag);
32255 int error = -EISDIR;
32257 @@ -1642,6 +1665,22 @@ static struct file *do_last(struct namei
32259 path_to_nameidata(path, nd);
32260 audit_inode(pathname, nd->path.dentry);
32262 + if (gr_handle_rofs_blockwrite(nd->path.dentry, nd->path.mnt, acc_mode)) {
32267 + if (gr_handle_rawio(nd->path.dentry->d_inode)) {
32272 + if (!gr_acl_handle_open(nd->path.dentry, nd->path.mnt, flag)) {
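Review bot: The three gates at 32262–32272 — gr_handle_rofs_blockwrite(), gr_handle_rawio() and gr_acl_handle_open() — are repeated verbatim on `path->dentry` in the next hunk at 1694 (which adds gr_handle_fifo() as a fourth), each with its own error-and-goto body, so the two copies will drift the first time one check changes. A small static helper taking the dentry, mount, `flag` and `acc_mode` and returning the error code, called once from each site, would keep the policy in one place; the fifo check, which also needs `dir`, could stay inline. The error bodies of these ifs are not shown in the hunk, and do_last() begins and ends outside it.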
32280 @@ -1694,6 +1733,24 @@ static struct file *do_last(struct namei
32282 * It already exists.
32285 + if (gr_handle_rofs_blockwrite(path->dentry, nd->path.mnt, acc_mode)) {
32287 + goto exit_mutex_unlock;
32289 + if (gr_handle_rawio(path->dentry->d_inode)) {
32291 + goto exit_mutex_unlock;
32293 + if (!gr_acl_handle_open(path->dentry, nd->path.mnt, flag)) {
32295 + goto exit_mutex_unlock;
32297 + if (gr_handle_fifo(path->dentry, nd->path.mnt, dir, flag, acc_mode)) {
32299 + goto exit_mutex_unlock;
32302 mutex_unlock(&dir->d_inode->i_mutex);
32303 audit_inode(pathname, path->dentry);
32305 @@ -2014,6 +2071,17 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32306 error = may_mknod(mode);
32310 + if (gr_handle_chroot_mknod(dentry, nd.path.mnt, mode)) {
32315 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
32320 error = mnt_want_write(nd.path.mnt);
32323 @@ -2034,6 +2102,9 @@ SYSCALL_DEFINE4(mknodat, int, dfd, const
32326 mnt_drop_write(nd.path.mnt);
32329 + gr_handle_create(dentry, nd.path.mnt);
32333 @@ -2086,6 +2157,11 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32334 if (IS_ERR(dentry))
32337 + if (!gr_acl_handle_mkdir(dentry, nd.path.dentry, nd.path.mnt)) {
32342 if (!IS_POSIXACL(nd.path.dentry->d_inode))
32343 mode &= ~current_umask();
32344 error = mnt_want_write(nd.path.mnt);
32345 @@ -2097,6 +2173,10 @@ SYSCALL_DEFINE3(mkdirat, int, dfd, const
32346 error = vfs_mkdir(nd.path.dentry->d_inode, dentry, mode);
32348 mnt_drop_write(nd.path.mnt);
32351 + gr_handle_create(dentry, nd.path.mnt);
32356 @@ -2178,6 +2258,8 @@ static long do_rmdir(int dfd, const char
32358 struct dentry *dentry;
32359 struct nameidata nd;
32360 + ino_t saved_ino = 0;
32361 + dev_t saved_dev = 0;
32363 error = user_path_parent(dfd, pathname, &nd, &name);
32365 @@ -2202,6 +2284,19 @@ static long do_rmdir(int dfd, const char
32366 error = PTR_ERR(dentry);
32367 if (IS_ERR(dentry))
32370 + if (dentry->d_inode != NULL) {
32371 + if (dentry->d_inode->i_nlink <= 1) {
32372 + saved_ino = dentry->d_inode->i_ino;
32373 + saved_dev = dentry->d_inode->i_sb->s_dev;
32376 + if (!gr_acl_handle_rmdir(dentry, nd.path.mnt)) {
32382 error = mnt_want_write(nd.path.mnt);
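Review bot: The `i_nlink <= 1` guard on 32371 leaves saved_ino/saved_dev at zero for an empty directory on filesystems that count `.` and the parent's entry, where an empty directory has i_nlink == 2, so the `gr_handle_delete(saved_ino, saved_dev)` call in the next hunk never fires for those rmdirs. Directories cannot be hard-linked, so a successful rmdir always removes the inode and the link-count test adds nothing here; record unconditionally: `if (dentry->d_inode != NULL) { saved_ino = dentry->d_inode->i_ino; saved_dev = dentry->d_inode->i_sb->s_dev; }`. The same test is appropriate in do_unlinkat below, where a regular file may have other links. do_rmdir() begins and ends outside the hunk.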
32385 @@ -2209,6 +2304,8 @@ static long do_rmdir(int dfd, const char
32388 error = vfs_rmdir(nd.path.dentry->d_inode, dentry);
32389 + if (!error && (saved_dev || saved_ino))
32390 + gr_handle_delete(saved_ino, saved_dev);
32392 mnt_drop_write(nd.path.mnt);
32394 @@ -2271,6 +2368,8 @@ static long do_unlinkat(int dfd, const c
32395 struct dentry *dentry;
32396 struct nameidata nd;
32397 struct inode *inode = NULL;
32398 + ino_t saved_ino = 0;
32399 + dev_t saved_dev = 0;
32401 error = user_path_parent(dfd, pathname, &nd, &name);
32403 @@ -2290,8 +2389,19 @@ static long do_unlinkat(int dfd, const c
32404 if (nd.last.name[nd.last.len])
32406 inode = dentry->d_inode;
32409 + if (inode->i_nlink <= 1) {
32410 + saved_ino = inode->i_ino;
32411 + saved_dev = inode->i_sb->s_dev;
32414 atomic_inc(&inode->i_count);
32416 + if (!gr_acl_handle_unlink(dentry, nd.path.mnt)) {
32421 error = mnt_want_write(nd.path.mnt);
32424 @@ -2299,6 +2409,8 @@ static long do_unlinkat(int dfd, const c
32427 error = vfs_unlink(nd.path.dentry->d_inode, dentry);
32428 + if (!error && (saved_ino || saved_dev))
32429 + gr_handle_delete(saved_ino, saved_dev);
32431 mnt_drop_write(nd.path.mnt);
32433 @@ -2376,6 +2488,11 @@ SYSCALL_DEFINE3(symlinkat, const char __
32434 if (IS_ERR(dentry))
32437 + if (!gr_acl_handle_symlink(dentry, nd.path.dentry, nd.path.mnt, from)) {
32442 error = mnt_want_write(nd.path.mnt);
32445 @@ -2383,6 +2500,8 @@ SYSCALL_DEFINE3(symlinkat, const char __
32447 goto out_drop_write;
32448 error = vfs_symlink(nd.path.dentry->d_inode, dentry, from);
32450 + gr_handle_create(dentry, nd.path.mnt);
32452 mnt_drop_write(nd.path.mnt);
32454 @@ -2475,6 +2594,20 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32455 error = PTR_ERR(new_dentry);
32456 if (IS_ERR(new_dentry))
32459 + if (gr_handle_hardlink(old_path.dentry, old_path.mnt,
32460 + old_path.dentry->d_inode,
32461 + old_path.dentry->d_inode->i_mode, to)) {
32466 + if (!gr_acl_handle_link(new_dentry, nd.path.dentry, nd.path.mnt,
32467 + old_path.dentry, old_path.mnt, to)) {
32472 error = mnt_want_write(nd.path.mnt);
32475 @@ -2482,6 +2615,8 @@ SYSCALL_DEFINE5(linkat, int, olddfd, con
32477 goto out_drop_write;
32478 error = vfs_link(old_path.dentry, nd.path.dentry->d_inode, new_dentry);
32480 + gr_handle_create(new_dentry, nd.path.mnt);
32482 mnt_drop_write(nd.path.mnt);
32484 @@ -2715,6 +2850,12 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32485 if (new_dentry == trap)
32488 + error = gr_acl_handle_rename(new_dentry, new_dir, newnd.path.mnt,
32489 + old_dentry, old_dir->d_inode, oldnd.path.mnt,
32494 error = mnt_want_write(oldnd.path.mnt);
32497 @@ -2724,6 +2865,9 @@ SYSCALL_DEFINE4(renameat, int, olddfd, c
32499 error = vfs_rename(old_dir->d_inode, old_dentry,
32500 new_dir->d_inode, new_dentry);
32502 + gr_handle_rename(old_dir->d_inode, new_dir->d_inode, old_dentry,
32503 + new_dentry, oldnd.path.mnt, new_dentry->d_inode ? 1 : 0);
32505 mnt_drop_write(oldnd.path.mnt);
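Review bot: The `new_dentry->d_inode ? 1 : 0` argument on 32503 is evaluated after vfs_rename() has run, and whether the target dentry still points at the replaced inode at that point depends on the d_move path taken (upstream vs. FS_RENAME_DOES_D_MOVE filesystems) — I cannot confirm it from the hunk. Capturing the fact before the call, `int replace = new_dentry->d_inode != NULL;` above `vfs_rename(...)` and passing `replace`, makes the "target existed" flag independent of post-rename dentry state. The line between vfs_rename() and gr_handle_rename() is not shown, and the syscall body continues outside the hunk.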
32507 diff -urNp linux-2.6.36.1/fs/namespace.c linux-2.6.36.1/fs/namespace.c
32508 --- linux-2.6.36.1/fs/namespace.c 2010-10-20 16:30:22.000000000 -0400
32509 +++ linux-2.6.36.1/fs/namespace.c 2010-11-06 19:18:03.000000000 -0400
32510 @@ -1142,6 +1142,9 @@ static int do_umount(struct vfsmount *mn
32511 if (!(sb->s_flags & MS_RDONLY))
32512 retval = do_remount_sb(sb, MS_RDONLY, NULL, 0);
32513 up_write(&sb->s_umount);
32515 + gr_log_remount(mnt->mnt_devname, retval);
32520 @@ -1161,6 +1164,9 @@ static int do_umount(struct vfsmount *mn
32521 br_write_unlock(vfsmount_lock);
32522 up_write(&namespace_sem);
32523 release_mounts(&umount_list);
32525 + gr_log_unmount(mnt->mnt_devname, retval);
32530 @@ -2056,6 +2062,16 @@ long do_mount(char *dev_name, char *dir_
32531 MS_NOATIME | MS_NODIRATIME | MS_RELATIME| MS_KERNMOUNT |
32534 + if (gr_handle_rofs_mount(path.dentry, path.mnt, mnt_flags)) {
32539 + if (gr_handle_chroot_mount(path.dentry, path.mnt, dev_name)) {
32544 if (flags & MS_REMOUNT)
32545 retval = do_remount(&path, flags & ~MS_REMOUNT, mnt_flags,
32547 @@ -2070,6 +2086,9 @@ long do_mount(char *dev_name, char *dir_
32548 dev_name, data_page);
32552 + gr_log_mount(dev_name, dir_name, retval);
32557 @@ -2276,6 +2295,12 @@ SYSCALL_DEFINE2(pivot_root, const char _
32561 + if (gr_handle_chroot_pivot()) {
32567 get_fs_root(current->fs, &root);
32568 down_write(&namespace_sem);
32569 mutex_lock(&old.dentry->d_inode->i_mutex);
32570 diff -urNp linux-2.6.36.1/fs/nfs/inode.c linux-2.6.36.1/fs/nfs/inode.c
32571 --- linux-2.6.36.1/fs/nfs/inode.c 2010-10-20 16:30:22.000000000 -0400
32572 +++ linux-2.6.36.1/fs/nfs/inode.c 2010-11-06 18:58:15.000000000 -0400
32573 @@ -982,16 +982,16 @@ static int nfs_size_need_update(const st
32574 return nfs_size_to_loff_t(fattr->size) > i_size_read(inode);
32577 -static atomic_long_t nfs_attr_generation_counter;
32578 +static atomic_long_unchecked_t nfs_attr_generation_counter;
32580 static unsigned long nfs_read_attr_generation_counter(void)
32582 - return atomic_long_read(&nfs_attr_generation_counter);
32583 + return atomic_long_read_unchecked(&nfs_attr_generation_counter);
32586 unsigned long nfs_inc_attr_generation_counter(void)
32588 - return atomic_long_inc_return(&nfs_attr_generation_counter);
32589 + return atomic_long_inc_return_unchecked(&nfs_attr_generation_counter);
32592 void nfs_fattr_init(struct nfs_fattr *fattr)
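Review bot: Switching nfs_attr_generation_counter to `atomic_long_unchecked_t` on 32578 opts this counter out of the overflow checking the `_unchecked` variants exist to bypass, and nothing on the line says why; presumably a generation number may wrap harmlessly because callers only compare values for inequality, but that is an inference. A comment such as `/* unchecked: a generation number, wrap-around is benign */` would make the opt-out auditable instead of looking like an accident. Both accessor functions are shown in full.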
32593 diff -urNp linux-2.6.36.1/fs/nfs/nfs4proc.c linux-2.6.36.1/fs/nfs/nfs4proc.c
32594 --- linux-2.6.36.1/fs/nfs/nfs4proc.c 2010-10-20 16:30:22.000000000 -0400
32595 +++ linux-2.6.36.1/fs/nfs/nfs4proc.c 2010-11-06 18:58:15.000000000 -0400
32596 @@ -1184,7 +1184,7 @@ static int _nfs4_do_open_reclaim(struct
32597 static int nfs4_do_open_reclaim(struct nfs_open_context *ctx, struct nfs4_state *state)
32599 struct nfs_server *server = NFS_SERVER(state->inode);
32600 - struct nfs4_exception exception = { };
32601 + struct nfs4_exception exception = {0, 0};
32604 err = _nfs4_do_open_reclaim(ctx, state);
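Review bot: `{0, 0}` on 32601 replaces the empty initializer with a positional one, which ties the line to the member count and order of struct nfs4_exception and must be revisited whenever a member is added; the ISO C form `struct nfs4_exception exception = {0};` zero-initializes every member without that coupling and still avoids the GNU-extension empty braces that presumably motivated the change. The same replacement is made in every other nfs4proc.c hunk of this file section (from 1226 through 2982), so one spelling should be used throughout. nfs4_do_open_reclaim() continues outside the hunk.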
32605 @@ -1226,7 +1226,7 @@ static int _nfs4_open_delegation_recall(
32607 int nfs4_open_delegation_recall(struct nfs_open_context *ctx, struct nfs4_state *state, const nfs4_stateid *stateid)
32609 - struct nfs4_exception exception = { };
32610 + struct nfs4_exception exception = {0, 0};
32611 struct nfs_server *server = NFS_SERVER(state->inode);
32614 @@ -1595,7 +1595,7 @@ static int _nfs4_open_expired(struct nfs
32615 static int nfs4_do_open_expired(struct nfs_open_context *ctx, struct nfs4_state *state)
32617 struct nfs_server *server = NFS_SERVER(state->inode);
32618 - struct nfs4_exception exception = { };
32619 + struct nfs4_exception exception = {0, 0};
32623 @@ -1711,7 +1711,7 @@ out_err:
32625 static struct nfs4_state *nfs4_do_open(struct inode *dir, struct path *path, fmode_t fmode, int flags, struct iattr *sattr, struct rpc_cred *cred)
32627 - struct nfs4_exception exception = { };
32628 + struct nfs4_exception exception = {0, 0};
32629 struct nfs4_state *res;
32632 @@ -1802,7 +1802,7 @@ static int nfs4_do_setattr(struct inode
32633 struct nfs4_state *state)
32635 struct nfs_server *server = NFS_SERVER(inode);
32636 - struct nfs4_exception exception = { };
32637 + struct nfs4_exception exception = {0, 0};
32640 err = nfs4_handle_exception(server,
32641 @@ -2179,7 +2179,7 @@ static int _nfs4_server_capabilities(str
32643 int nfs4_server_capabilities(struct nfs_server *server, struct nfs_fh *fhandle)
32645 - struct nfs4_exception exception = { };
32646 + struct nfs4_exception exception = {0, 0};
32649 err = nfs4_handle_exception(server,
32650 @@ -2213,7 +2213,7 @@ static int _nfs4_lookup_root(struct nfs_
32651 static int nfs4_lookup_root(struct nfs_server *server, struct nfs_fh *fhandle,
32652 struct nfs_fsinfo *info)
32654 - struct nfs4_exception exception = { };
32655 + struct nfs4_exception exception = {0, 0};
32658 err = nfs4_handle_exception(server,
32659 @@ -2301,7 +2301,7 @@ static int _nfs4_proc_getattr(struct nfs
32661 static int nfs4_proc_getattr(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32663 - struct nfs4_exception exception = { };
32664 + struct nfs4_exception exception = {0, 0};
32667 err = nfs4_handle_exception(server,
32668 @@ -2389,7 +2389,7 @@ static int nfs4_proc_lookupfh(struct nfs
32669 struct qstr *name, struct nfs_fh *fhandle,
32670 struct nfs_fattr *fattr)
32672 - struct nfs4_exception exception = { };
32673 + struct nfs4_exception exception = {0, 0};
32676 err = _nfs4_proc_lookupfh(server, dirfh, name, fhandle, fattr);
32677 @@ -2418,7 +2418,7 @@ static int _nfs4_proc_lookup(struct inod
32679 static int nfs4_proc_lookup(struct inode *dir, struct qstr *name, struct nfs_fh *fhandle, struct nfs_fattr *fattr)
32681 - struct nfs4_exception exception = { };
32682 + struct nfs4_exception exception = {0, 0};
32685 err = nfs4_handle_exception(NFS_SERVER(dir),
32686 @@ -2485,7 +2485,7 @@ static int _nfs4_proc_access(struct inod
32688 static int nfs4_proc_access(struct inode *inode, struct nfs_access_entry *entry)
32690 - struct nfs4_exception exception = { };
32691 + struct nfs4_exception exception = {0, 0};
32694 err = nfs4_handle_exception(NFS_SERVER(inode),
32695 @@ -2541,7 +2541,7 @@ static int _nfs4_proc_readlink(struct in
32696 static int nfs4_proc_readlink(struct inode *inode, struct page *page,
32697 unsigned int pgbase, unsigned int pglen)
32699 - struct nfs4_exception exception = { };
32700 + struct nfs4_exception exception = {0, 0};
32703 err = nfs4_handle_exception(NFS_SERVER(inode),
32704 @@ -2637,7 +2637,7 @@ out:
32706 static int nfs4_proc_remove(struct inode *dir, struct qstr *name)
32708 - struct nfs4_exception exception = { };
32709 + struct nfs4_exception exception = {0, 0};
32712 err = nfs4_handle_exception(NFS_SERVER(dir),
32713 @@ -2713,7 +2713,7 @@ out:
32714 static int nfs4_proc_rename(struct inode *old_dir, struct qstr *old_name,
32715 struct inode *new_dir, struct qstr *new_name)
32717 - struct nfs4_exception exception = { };
32718 + struct nfs4_exception exception = {0, 0};
32721 err = nfs4_handle_exception(NFS_SERVER(old_dir),
32722 @@ -2762,7 +2762,7 @@ out:
32724 static int nfs4_proc_link(struct inode *inode, struct inode *dir, struct qstr *name)
32726 - struct nfs4_exception exception = { };
32727 + struct nfs4_exception exception = {0, 0};
32730 err = nfs4_handle_exception(NFS_SERVER(inode),
32731 @@ -2854,7 +2854,7 @@ out:
32732 static int nfs4_proc_symlink(struct inode *dir, struct dentry *dentry,
32733 struct page *page, unsigned int len, struct iattr *sattr)
32735 - struct nfs4_exception exception = { };
32736 + struct nfs4_exception exception = {0, 0};
32739 err = nfs4_handle_exception(NFS_SERVER(dir),
32740 @@ -2885,7 +2885,7 @@ out:
32741 static int nfs4_proc_mkdir(struct inode *dir, struct dentry *dentry,
32742 struct iattr *sattr)
32744 - struct nfs4_exception exception = { };
32745 + struct nfs4_exception exception = {0, 0};
32748 err = nfs4_handle_exception(NFS_SERVER(dir),
32749 @@ -2934,7 +2934,7 @@ static int _nfs4_proc_readdir(struct den
32750 static int nfs4_proc_readdir(struct dentry *dentry, struct rpc_cred *cred,
32751 u64 cookie, struct page *page, unsigned int count, int plus)
32753 - struct nfs4_exception exception = { };
32754 + struct nfs4_exception exception = {0, 0};
32757 err = nfs4_handle_exception(NFS_SERVER(dentry->d_inode),
32758 @@ -2982,7 +2982,7 @@ out:
32759 static int nfs4_proc_mknod(struct inode *dir, struct dentry *dentry,
32760 struct iattr *sattr, dev_t rdev)
32762 - struct nfs4_exception exception = { };
32763 + struct nfs4_exception exception = {0, 0};
32766 err = nfs4_handle_exception(NFS_SERVER(dir),
32767 @@ -3014,7 +3014,7 @@ static int _nfs4_proc_statfs(struct nfs_
32769 static int nfs4_proc_statfs(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsstat *fsstat)
32771 - struct nfs4_exception exception = { };
32772 + struct nfs4_exception exception = {0, 0};
32775 err = nfs4_handle_exception(server,
32776 @@ -3045,7 +3045,7 @@ static int _nfs4_do_fsinfo(struct nfs_se
32778 static int nfs4_do_fsinfo(struct nfs_server *server, struct nfs_fh *fhandle, struct nfs_fsinfo *fsinfo)
32780 - struct nfs4_exception exception = { };
32781 + struct nfs4_exception exception = {0, 0};
32785 @@ -3091,7 +3091,7 @@ static int _nfs4_proc_pathconf(struct nf
32786 static int nfs4_proc_pathconf(struct nfs_server *server, struct nfs_fh *fhandle,
32787 struct nfs_pathconf *pathconf)
32789 - struct nfs4_exception exception = { };
32790 + struct nfs4_exception exception = {0, 0};
32794 @@ -3408,7 +3408,7 @@ out_free:
32796 static ssize_t nfs4_get_acl_uncached(struct inode *inode, void *buf, size_t buflen)
32798 - struct nfs4_exception exception = { };
32799 + struct nfs4_exception exception = {0, 0};
32802 ret = __nfs4_get_acl_uncached(inode, buf, buflen);
32803 @@ -3464,7 +3464,7 @@ static int __nfs4_proc_set_acl(struct in
32805 static int nfs4_proc_set_acl(struct inode *inode, const void *buf, size_t buflen)
32807 - struct nfs4_exception exception = { };
32808 + struct nfs4_exception exception = {0, 0};
32811 err = nfs4_handle_exception(NFS_SERVER(inode),
32812 @@ -3749,7 +3749,7 @@ out:
32813 int nfs4_proc_delegreturn(struct inode *inode, struct rpc_cred *cred, const nfs4_stateid *stateid, int issync)
32815 struct nfs_server *server = NFS_SERVER(inode);
32816 - struct nfs4_exception exception = { };
32817 + struct nfs4_exception exception = {0, 0};
32820 err = _nfs4_proc_delegreturn(inode, cred, stateid, issync);
32821 @@ -3822,7 +3822,7 @@ out:
32823 static int nfs4_proc_getlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32825 - struct nfs4_exception exception = { };
32826 + struct nfs4_exception exception = {0, 0};
32830 @@ -4233,7 +4233,7 @@ static int _nfs4_do_setlk(struct nfs4_st
32831 static int nfs4_lock_reclaim(struct nfs4_state *state, struct file_lock *request)
32833 struct nfs_server *server = NFS_SERVER(state->inode);
32834 - struct nfs4_exception exception = { };
32835 + struct nfs4_exception exception = {0, 0};
32839 @@ -4251,7 +4251,7 @@ static int nfs4_lock_reclaim(struct nfs4
32840 static int nfs4_lock_expired(struct nfs4_state *state, struct file_lock *request)
32842 struct nfs_server *server = NFS_SERVER(state->inode);
32843 - struct nfs4_exception exception = { };
32844 + struct nfs4_exception exception = {0, 0};
32847 err = nfs4_set_lock_state(state, request);
32848 @@ -4316,7 +4316,7 @@ out:
32850 static int nfs4_proc_setlk(struct nfs4_state *state, int cmd, struct file_lock *request)
32852 - struct nfs4_exception exception = { };
32853 + struct nfs4_exception exception = {0, 0};
32857 @@ -4376,7 +4376,7 @@ nfs4_proc_lock(struct file *filp, int cm
32858 int nfs4_lock_delegation_recall(struct nfs4_state *state, struct file_lock *fl)
32860 struct nfs_server *server = NFS_SERVER(state->inode);
32861 - struct nfs4_exception exception = { };
32862 + struct nfs4_exception exception = {0, 0};
32865 err = nfs4_set_lock_state(state, fl);
32866 diff -urNp linux-2.6.36.1/fs/nfsd/lockd.c linux-2.6.36.1/fs/nfsd/lockd.c
32867 --- linux-2.6.36.1/fs/nfsd/lockd.c 2010-10-20 16:30:22.000000000 -0400
32868 +++ linux-2.6.36.1/fs/nfsd/lockd.c 2010-11-06 18:58:15.000000000 -0400
32869 @@ -61,7 +61,7 @@ nlm_fclose(struct file *filp)
32873 -static struct nlmsvc_binding nfsd_nlm_ops = {
32874 +static const struct nlmsvc_binding nfsd_nlm_ops = {
32875 .fopen = nlm_fopen, /* open file for locking */
32876 .fclose = nlm_fclose, /* close file */
32878 diff -urNp linux-2.6.36.1/fs/nfsd/nfsctl.c linux-2.6.36.1/fs/nfsd/nfsctl.c
32879 --- linux-2.6.36.1/fs/nfsd/nfsctl.c 2010-10-20 16:30:22.000000000 -0400
32880 +++ linux-2.6.36.1/fs/nfsd/nfsctl.c 2010-11-06 18:58:15.000000000 -0400
32881 @@ -163,7 +163,7 @@ static int export_features_open(struct i
32882 return single_open(file, export_features_show, NULL);
32885 -static struct file_operations export_features_operations = {
32886 +static const struct file_operations export_features_operations = {
32887 .open = export_features_open,
32889 .llseek = seq_lseek,
32890 diff -urNp linux-2.6.36.1/fs/nfsd/vfs.c linux-2.6.36.1/fs/nfsd/vfs.c
32891 --- linux-2.6.36.1/fs/nfsd/vfs.c 2010-10-20 16:30:22.000000000 -0400
32892 +++ linux-2.6.36.1/fs/nfsd/vfs.c 2010-11-06 18:58:15.000000000 -0400
32893 @@ -926,7 +926,7 @@ nfsd_vfs_read(struct svc_rqst *rqstp, st
32897 - host_err = vfs_readv(file, (struct iovec __user *)vec, vlen, &offset);
32898 + host_err = vfs_readv(file, (__force struct iovec __user *)vec, vlen, &offset);
32902 @@ -1039,7 +1039,7 @@ nfsd_vfs_write(struct svc_rqst *rqstp, s
32904 /* Write the data. */
32905 oldfs = get_fs(); set_fs(KERNEL_DS);
32906 - host_err = vfs_writev(file, (struct iovec __user *)vec, vlen, &offset);
32907 + host_err = vfs_writev(file, (__force struct iovec __user *)vec, vlen, &offset);
32911 @@ -1556,7 +1556,7 @@ nfsd_readlink(struct svc_rqst *rqstp, st
32914 oldfs = get_fs(); set_fs(KERNEL_DS);
32915 - host_err = inode->i_op->readlink(dentry, buf, *lenp);
32916 + host_err = inode->i_op->readlink(dentry, (__force char __user *)buf, *lenp);
32920 diff -urNp linux-2.6.36.1/fs/nls/nls_base.c linux-2.6.36.1/fs/nls/nls_base.c
32921 --- linux-2.6.36.1/fs/nls/nls_base.c 2010-10-20 16:30:22.000000000 -0400
32922 +++ linux-2.6.36.1/fs/nls/nls_base.c 2010-11-06 18:58:15.000000000 -0400
32923 @@ -41,7 +41,7 @@ static const struct utf8_table utf8_tabl
32924 {0xF8, 0xF0, 3*6, 0x1FFFFF, 0x10000, /* 4 byte sequence */},
32925 {0xFC, 0xF8, 4*6, 0x3FFFFFF, 0x200000, /* 5 byte sequence */},
32926 {0xFE, 0xFC, 5*6, 0x7FFFFFFF, 0x4000000, /* 6 byte sequence */},
32927 - {0, /* end of table */}
32928 + {0, 0, 0, 0, 0, /* end of table */}
32931 #define UNICODE_MAX 0x0010ffff
32932 diff -urNp linux-2.6.36.1/fs/ntfs/dir.c linux-2.6.36.1/fs/ntfs/dir.c
32933 --- linux-2.6.36.1/fs/ntfs/dir.c 2010-10-20 16:30:22.000000000 -0400
32934 +++ linux-2.6.36.1/fs/ntfs/dir.c 2010-11-06 18:58:15.000000000 -0400
32935 @@ -1329,7 +1329,7 @@ find_next_index_buffer:
32936 ia = (INDEX_ALLOCATION*)(kaddr + (ia_pos & ~PAGE_CACHE_MASK &
32937 ~(s64)(ndir->itype.index.block_size - 1)));
32938 /* Bounds checks. */
32939 - if (unlikely((u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32940 + if (unlikely(!kaddr || (u8*)ia < kaddr || (u8*)ia > kaddr + PAGE_CACHE_SIZE)) {
32941 ntfs_error(sb, "Out of bounds check failed. Corrupt directory "
32942 "inode 0x%lx or driver bug.", vdir->i_ino);
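Review bot: The added `!kaddr` test at line 32940 runs only after `ia` has already been derived from `kaddr` at line 32936, and a NULL mapping then logs the same "Out of bounds check failed ... Corrupt directory" message as a genuinely corrupt index, which misleads whoever reads the log. Checking `kaddr` where it is assigned (outside this hunk) with its own message, e.g. `if (unlikely(!kaddr)) { ntfs_error(sb, "Failed to map index page."); ... }`, keeps the bounds check about bounds. If `kaddr` comes from a mapping call that cannot return NULL, the new test is dead code and a comment should say why it is kept. The enclosing loop body starts and ends outside the hunk.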
32944 diff -urNp linux-2.6.36.1/fs/ntfs/file.c linux-2.6.36.1/fs/ntfs/file.c
32945 --- linux-2.6.36.1/fs/ntfs/file.c 2010-10-20 16:30:22.000000000 -0400
32946 +++ linux-2.6.36.1/fs/ntfs/file.c 2010-11-06 18:58:15.000000000 -0400
32947 @@ -2223,6 +2223,6 @@ const struct inode_operations ntfs_file_
32948 #endif /* NTFS_RW */
32951 -const struct file_operations ntfs_empty_file_ops = {};
32952 +const struct file_operations ntfs_empty_file_ops __read_only;
32954 -const struct inode_operations ntfs_empty_inode_ops = {};
32955 +const struct inode_operations ntfs_empty_inode_ops __read_only;
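Review bot: Lines 32952 and 32955 drop the `= {}` initializer, so `ntfs_empty_file_ops` and `ntfs_empty_inode_ops` become tentative definitions whose all-NULL contents now rely on zero-initialisation plus whatever `__read_only` does with placement, and nothing in the hunk says why. A one-line comment above them, e.g. `/* intentionally no initializer: zero-initialised and placed by __read_only; do not add '= {}' back */`, would stop the next reader from reverting it — adjust the wording to what `__read_only` actually expands to, which is not visible here.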
32956 diff -urNp linux-2.6.36.1/fs/ocfs2/localalloc.c linux-2.6.36.1/fs/ocfs2/localalloc.c
32957 --- linux-2.6.36.1/fs/ocfs2/localalloc.c 2010-10-20 16:30:22.000000000 -0400
32958 +++ linux-2.6.36.1/fs/ocfs2/localalloc.c 2010-11-06 18:58:15.000000000 -0400
32959 @@ -1307,7 +1307,7 @@ static int ocfs2_local_alloc_slide_windo
32963 - atomic_inc(&osb->alloc_stats.moves);
32964 + atomic_inc_unchecked(&osb->alloc_stats.moves);
32968 diff -urNp linux-2.6.36.1/fs/ocfs2/ocfs2.h linux-2.6.36.1/fs/ocfs2/ocfs2.h
32969 --- linux-2.6.36.1/fs/ocfs2/ocfs2.h 2010-10-20 16:30:22.000000000 -0400
32970 +++ linux-2.6.36.1/fs/ocfs2/ocfs2.h 2010-11-06 18:58:15.000000000 -0400
32971 @@ -223,11 +223,11 @@ enum ocfs2_vol_state
32973 struct ocfs2_alloc_stats
32976 - atomic_t local_data;
32977 - atomic_t bitmap_data;
32978 - atomic_t bg_allocs;
32979 - atomic_t bg_extends;
32980 + atomic_unchecked_t moves;
32981 + atomic_unchecked_t local_data;
32982 + atomic_unchecked_t bitmap_data;
32983 + atomic_unchecked_t bg_allocs;
32984 + atomic_unchecked_t bg_extends;
32987 enum ocfs2_local_alloc_state
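Review bot: `struct ocfs2_alloc_stats` switches every member to `atomic_unchecked_t` at lines 32980–32984 without a comment saying why these counters, unlike other `atomic_t` users, may use the unchecked variant. Presumably the reasoning is that they are pure statistics whose wrap-around is harmless, so overflow detection is not wanted; a comment such as `/* informational counters only; wrap-around is harmless, so these use the unchecked atomics */` above the struct would record that contract for the localalloc.c, suballoc.c and super.c hunks that follow the type change.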
32988 diff -urNp linux-2.6.36.1/fs/ocfs2/suballoc.c linux-2.6.36.1/fs/ocfs2/suballoc.c
32989 --- linux-2.6.36.1/fs/ocfs2/suballoc.c 2010-10-20 16:30:22.000000000 -0400
32990 +++ linux-2.6.36.1/fs/ocfs2/suballoc.c 2010-11-06 18:58:15.000000000 -0400
32991 @@ -877,7 +877,7 @@ static int ocfs2_reserve_suballoc_bits(s
32992 mlog_errno(status);
32995 - atomic_inc(&osb->alloc_stats.bg_extends);
32996 + atomic_inc_unchecked(&osb->alloc_stats.bg_extends);
32998 /* You should never ask for this much metadata */
32999 BUG_ON(bits_wanted >
33000 @@ -2004,7 +2004,7 @@ int ocfs2_claim_metadata(handle_t *handl
33001 mlog_errno(status);
33004 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33005 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33007 *suballoc_loc = res.sr_bg_blkno;
33008 *suballoc_bit_start = res.sr_bit_offset;
33009 @@ -2211,7 +2211,7 @@ int ocfs2_claim_new_inode(handle_t *hand
33010 mlog_errno(status);
33013 - atomic_inc(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33014 + atomic_inc_unchecked(&OCFS2_SB(ac->ac_inode->i_sb)->alloc_stats.bg_allocs);
33016 BUG_ON(res.sr_bits != 1);
33018 @@ -2316,7 +2316,7 @@ int __ocfs2_claim_clusters(handle_t *han
33022 - atomic_inc(&osb->alloc_stats.local_data);
33023 + atomic_inc_unchecked(&osb->alloc_stats.local_data);
33025 if (min_clusters > (osb->bitmap_cpg - 1)) {
33026 /* The only paths asking for contiguousness
33027 @@ -2342,7 +2342,7 @@ int __ocfs2_claim_clusters(handle_t *han
33028 ocfs2_desc_bitmap_to_cluster_off(ac->ac_inode,
33030 res.sr_bit_offset);
33031 - atomic_inc(&osb->alloc_stats.bitmap_data);
33032 + atomic_inc_unchecked(&osb->alloc_stats.bitmap_data);
33033 *num_clusters = res.sr_bits;
33036 diff -urNp linux-2.6.36.1/fs/ocfs2/super.c linux-2.6.36.1/fs/ocfs2/super.c
33037 --- linux-2.6.36.1/fs/ocfs2/super.c 2010-10-20 16:30:22.000000000 -0400
33038 +++ linux-2.6.36.1/fs/ocfs2/super.c 2010-11-06 18:58:15.000000000 -0400
33039 @@ -292,11 +292,11 @@ static int ocfs2_osb_dump(struct ocfs2_s
33040 "%10s => GlobalAllocs: %d LocalAllocs: %d "
33041 "SubAllocs: %d LAWinMoves: %d SAExtends: %d\n",
33043 - atomic_read(&osb->alloc_stats.bitmap_data),
33044 - atomic_read(&osb->alloc_stats.local_data),
33045 - atomic_read(&osb->alloc_stats.bg_allocs),
33046 - atomic_read(&osb->alloc_stats.moves),
33047 - atomic_read(&osb->alloc_stats.bg_extends));
33048 + atomic_read_unchecked(&osb->alloc_stats.bitmap_data),
33049 + atomic_read_unchecked(&osb->alloc_stats.local_data),
33050 + atomic_read_unchecked(&osb->alloc_stats.bg_allocs),
33051 + atomic_read_unchecked(&osb->alloc_stats.moves),
33052 + atomic_read_unchecked(&osb->alloc_stats.bg_extends));
33054 out += snprintf(buf + out, len - out,
33055 "%10s => State: %u Descriptor: %llu Size: %u bits "
33056 @@ -2046,11 +2046,11 @@ static int ocfs2_initialize_super(struct
33057 spin_lock_init(&osb->osb_xattr_lock);
33058 ocfs2_init_steal_slots(osb);
33060 - atomic_set(&osb->alloc_stats.moves, 0);
33061 - atomic_set(&osb->alloc_stats.local_data, 0);
33062 - atomic_set(&osb->alloc_stats.bitmap_data, 0);
33063 - atomic_set(&osb->alloc_stats.bg_allocs, 0);
33064 - atomic_set(&osb->alloc_stats.bg_extends, 0);
33065 + atomic_set_unchecked(&osb->alloc_stats.moves, 0);
33066 + atomic_set_unchecked(&osb->alloc_stats.local_data, 0);
33067 + atomic_set_unchecked(&osb->alloc_stats.bitmap_data, 0);
33068 + atomic_set_unchecked(&osb->alloc_stats.bg_allocs, 0);
33069 + atomic_set_unchecked(&osb->alloc_stats.bg_extends, 0);
33071 /* Copy the blockcheck stats from the superblock probe */
33072 osb->osb_ecc_stats = *stats;
33073 diff -urNp linux-2.6.36.1/fs/ocfs2/symlink.c linux-2.6.36.1/fs/ocfs2/symlink.c
33074 --- linux-2.6.36.1/fs/ocfs2/symlink.c 2010-10-20 16:30:22.000000000 -0400
33075 +++ linux-2.6.36.1/fs/ocfs2/symlink.c 2010-11-06 18:58:15.000000000 -0400
33076 @@ -148,7 +148,7 @@ bail:
33078 static void ocfs2_fast_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
33080 - char *link = nd_get_link(nd);
33081 + const char *link = nd_get_link(nd);
33085 diff -urNp linux-2.6.36.1/fs/open.c linux-2.6.36.1/fs/open.c
33086 --- linux-2.6.36.1/fs/open.c 2010-10-20 16:30:22.000000000 -0400
33087 +++ linux-2.6.36.1/fs/open.c 2010-11-26 18:20:21.000000000 -0500
33088 @@ -112,6 +112,10 @@ static long do_sys_truncate(const char _
33089 error = locks_verify_truncate(inode, NULL, length);
33091 error = security_path_truncate(&path);
33093 + if (!error && !gr_acl_handle_truncate(path.dentry, path.mnt))
33097 error = do_truncate(path.dentry, length, 0, NULL);
33099 @@ -345,6 +349,9 @@ SYSCALL_DEFINE3(faccessat, int, dfd, con
33100 if (__mnt_is_readonly(path.mnt))
33103 + if (!res && !gr_acl_handle_access(path.dentry, path.mnt, mode))
33109 @@ -371,6 +378,8 @@ SYSCALL_DEFINE1(chdir, const char __user
33113 + gr_log_chdir(path.dentry, path.mnt);
33115 set_fs_pwd(current->fs, &path);
33118 @@ -397,6 +406,13 @@ SYSCALL_DEFINE1(fchdir, unsigned int, fd
33121 error = inode_permission(inode, MAY_EXEC | MAY_CHDIR);
33123 + if (!error && !gr_chroot_fchdir(file->f_path.dentry, file->f_path.mnt))
33127 + gr_log_chdir(file->f_path.dentry, file->f_path.mnt);
33130 set_fs_pwd(current->fs, &file->f_path);
33132 @@ -425,7 +441,18 @@ SYSCALL_DEFINE1(chroot, const char __use
33136 + if (gr_handle_chroot_chroot(path.dentry, path.mnt))
33137 + goto dput_and_out;
33139 + if (gr_handle_chroot_caps(&path)) {
33141 + goto dput_and_out;
33144 set_fs_root(current->fs, &path);
33146 + gr_handle_chroot_chdir(&path);
33151 @@ -453,12 +480,25 @@ SYSCALL_DEFINE2(fchmod, unsigned int, fd
33152 err = mnt_want_write_file(file);
33156 mutex_lock(&inode->i_mutex);
33158 + if (!gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)) {
33163 err = security_path_chmod(dentry, file->f_vfsmnt, mode);
33166 if (mode == (mode_t) -1)
33167 mode = inode->i_mode;
33169 + if (gr_handle_chroot_chmod(dentry, file->f_vfsmnt, mode)) {
33174 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33175 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33176 err = notify_change(dentry, &newattrs);
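Review bot: In fchmod the RBAC check `gr_acl_handle_fchmod(dentry, file->f_vfsmnt, mode)` at line 33158 is evaluated before the `mode == (mode_t) -1` normalisation at lines 33166–33167, so when userspace passes -1 the hook is consulted with the sentinel rather than the effective `inode->i_mode`, whereas `gr_handle_chroot_chmod` at line 33169 sees the normalised value. Unless the hook is meant to treat -1 specially, moving the `gr_acl_handle_fchmod` block to just after the normalisation, next to the chroot check, gives both hooks the same view. The fchmodat hunk below (line 33184 versus lines 33192–33195) has the same ordering. The function's body continues outside the hunk.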
33177 @@ -486,12 +526,25 @@ SYSCALL_DEFINE3(fchmodat, int, dfd, cons
33178 error = mnt_want_write(path.mnt);
33182 mutex_lock(&inode->i_mutex);
33184 + if (!gr_acl_handle_chmod(path.dentry, path.mnt, mode)) {
33189 error = security_path_chmod(path.dentry, path.mnt, mode);
33192 if (mode == (mode_t) -1)
33193 mode = inode->i_mode;
33195 + if (gr_handle_chroot_chmod(path.dentry, path.mnt, mode)) {
33200 newattrs.ia_mode = (mode & S_IALLUGO) | (inode->i_mode & ~S_IALLUGO);
33201 newattrs.ia_valid = ATTR_MODE | ATTR_CTIME;
33202 error = notify_change(path.dentry, &newattrs);
33203 @@ -515,6 +568,9 @@ static int chown_common(struct path *pat
33205 struct iattr newattrs;
33207 + if (!gr_acl_handle_chown(path->dentry, path->mnt))
33210 newattrs.ia_valid = ATTR_CTIME;
33211 if (user != (uid_t) -1) {
33212 newattrs.ia_valid |= ATTR_UID;
33213 diff -urNp linux-2.6.36.1/fs/pipe.c linux-2.6.36.1/fs/pipe.c
33214 --- linux-2.6.36.1/fs/pipe.c 2010-11-26 18:26:25.000000000 -0500
33215 +++ linux-2.6.36.1/fs/pipe.c 2010-11-06 18:58:50.000000000 -0400
33216 @@ -420,9 +420,9 @@ redo:
33218 if (bufs) /* More to do? */
33220 - if (!pipe->writers)
33221 + if (!atomic_read(&pipe->writers))
33223 - if (!pipe->waiting_writers) {
33224 + if (!atomic_read(&pipe->waiting_writers)) {
33225 /* syscall merging: Usually we must not sleep
33226 * if O_NONBLOCK is set, or if we got some data.
33227 * But if a writer sleeps in kernel space, then
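Review bot: Every reader/writer count access converted to `atomic_read`/`atomic_inc`/`atomic_sub` in this file is still made under `inode->i_mutex` (see lines 33229, 33257, 33278, 33298, 33307 and 33319), so the conversion does not make the counters lock-free, and a reader may wonder what it buys. If, as it appears, the aim is only to route these counts through the checked atomics rather than to change locking, a comment at the `atomic_set` initialisation in get_pipe_inode (lines 33334–33335) such as `/* atomic_t for overflow checking only; readers/writers are still protected by i_mutex */` would prevent a later change from dropping the mutex on that assumption. The same applies to the other pipe.c hunks; the struct definition itself is outside this section.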
33228 @@ -481,7 +481,7 @@ pipe_write(struct kiocb *iocb, const str
33229 mutex_lock(&inode->i_mutex);
33230 pipe = inode->i_pipe;
33232 - if (!pipe->readers) {
33233 + if (!atomic_read(&pipe->readers)) {
33234 send_sig(SIGPIPE, current, 0);
33237 @@ -530,7 +530,7 @@ redo1:
33241 - if (!pipe->readers) {
33242 + if (!atomic_read(&pipe->readers)) {
33243 send_sig(SIGPIPE, current, 0);
33246 @@ -616,9 +616,9 @@ redo2:
33247 kill_fasync(&pipe->fasync_readers, SIGIO, POLL_IN);
33250 - pipe->waiting_writers++;
33251 + atomic_inc(&pipe->waiting_writers);
33253 - pipe->waiting_writers--;
33254 + atomic_dec(&pipe->waiting_writers);
33257 mutex_unlock(&inode->i_mutex);
33258 @@ -685,7 +685,7 @@ pipe_poll(struct file *filp, poll_table
33260 if (filp->f_mode & FMODE_READ) {
33261 mask = (nrbufs > 0) ? POLLIN | POLLRDNORM : 0;
33262 - if (!pipe->writers && filp->f_version != pipe->w_counter)
33263 + if (!atomic_read(&pipe->writers) && filp->f_version != pipe->w_counter)
33267 @@ -695,7 +695,7 @@ pipe_poll(struct file *filp, poll_table
33268 * Most Unices do not set POLLERR for FIFOs but on Linux they
33269 * behave exactly like pipes for poll().
33271 - if (!pipe->readers)
33272 + if (!atomic_read(&pipe->readers))
33276 @@ -709,10 +709,10 @@ pipe_release(struct inode *inode, int de
33278 mutex_lock(&inode->i_mutex);
33279 pipe = inode->i_pipe;
33280 - pipe->readers -= decr;
33281 - pipe->writers -= decw;
33282 + atomic_sub(decr, &pipe->readers);
33283 + atomic_sub(decw, &pipe->writers);
33285 - if (!pipe->readers && !pipe->writers) {
33286 + if (!atomic_read(&pipe->readers) && !atomic_read(&pipe->writers)) {
33287 free_pipe_info(inode);
33289 wake_up_interruptible_sync(&pipe->wait);
33290 @@ -802,7 +802,7 @@ pipe_read_open(struct inode *inode, stru
33292 if (inode->i_pipe) {
33294 - inode->i_pipe->readers++;
33295 + atomic_inc(&inode->i_pipe->readers);
33298 mutex_unlock(&inode->i_mutex);
33299 @@ -819,7 +819,7 @@ pipe_write_open(struct inode *inode, str
33301 if (inode->i_pipe) {
33303 - inode->i_pipe->writers++;
33304 + atomic_inc(&inode->i_pipe->writers);
33307 mutex_unlock(&inode->i_mutex);
33308 @@ -837,9 +837,9 @@ pipe_rdwr_open(struct inode *inode, stru
33309 if (inode->i_pipe) {
33311 if (filp->f_mode & FMODE_READ)
33312 - inode->i_pipe->readers++;
33313 + atomic_inc(&inode->i_pipe->readers);
33314 if (filp->f_mode & FMODE_WRITE)
33315 - inode->i_pipe->writers++;
33316 + atomic_inc(&inode->i_pipe->writers);
33319 mutex_unlock(&inode->i_mutex);
33320 @@ -931,7 +931,7 @@ void free_pipe_info(struct inode *inode)
33321 inode->i_pipe = NULL;
33324 -static struct vfsmount *pipe_mnt __read_mostly;
33325 +struct vfsmount *pipe_mnt __read_mostly;
33328 * pipefs_dname() is called from d_path().
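Review bot: Line 33325 removes `static` from `pipe_mnt`, making the pipefs mount pointer a kernel-wide symbol, but no `extern` declaration is added in this hunk, so whichever file the patch uses it from must declare it by hand and the compiler cannot check the two against each other. Putting `extern struct vfsmount *pipe_mnt;` in a header shared by both sides, with a comment here naming the consumer, keeps the widened linkage explicit; if the consumer only needs to recognise pipe inodes, exposing a small helper instead of the mount pointer would be the narrower interface.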
33329 @@ -959,7 +959,8 @@ static struct inode * get_pipe_inode(voi
33331 inode->i_pipe = pipe;
33333 - pipe->readers = pipe->writers = 1;
33334 + atomic_set(&pipe->readers, 1);
33335 + atomic_set(&pipe->writers, 1);
33336 inode->i_fop = &rdwr_pipefifo_fops;
33339 diff -urNp linux-2.6.36.1/fs/proc/array.c linux-2.6.36.1/fs/proc/array.c
33340 --- linux-2.6.36.1/fs/proc/array.c 2010-10-20 16:30:22.000000000 -0400
33341 +++ linux-2.6.36.1/fs/proc/array.c 2010-11-06 18:58:50.000000000 -0400
33343 #include <linux/tty.h>
33344 #include <linux/string.h>
33345 #include <linux/mman.h>
33346 +#include <linux/grsecurity.h>
33347 #include <linux/proc_fs.h>
33348 #include <linux/ioport.h>
33349 #include <linux/uaccess.h>
33350 @@ -337,6 +338,21 @@ static void task_cpus_allowed(struct seq
33351 seq_printf(m, "\n");
33354 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33355 +static inline void task_pax(struct seq_file *m, struct task_struct *p)
33358 + seq_printf(m, "PaX:\t%c%c%c%c%c\n",
33359 + p->mm->pax_flags & MF_PAX_PAGEEXEC ? 'P' : 'p',
33360 + p->mm->pax_flags & MF_PAX_EMUTRAMP ? 'E' : 'e',
33361 + p->mm->pax_flags & MF_PAX_MPROTECT ? 'M' : 'm',
33362 + p->mm->pax_flags & MF_PAX_RANDMMAP ? 'R' : 'r',
33363 + p->mm->pax_flags & MF_PAX_SEGMEXEC ? 'S' : 's');
33365 + seq_printf(m, "PaX:\t-----\n");
33369 int proc_pid_status(struct seq_file *m, struct pid_namespace *ns,
33370 struct pid *pid, struct task_struct *task)
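Review bot: `task_pax` at lines 33355–33363 prints one letter per PaX flag, upper case when set and lower case when clear, and line 33365 prints `-----` on the other branch, but no comment explains the encoding or which condition selects the dash line (the test itself is not shown in this rendering). A comment above the function such as `/* "PaX:" line of /proc/<pid>/status: P/E/M/R/S when PAGEEXEC/EMUTRAMP/MPROTECT/RANDMMAP/SEGMEXEC is enabled, lower case when disabled, "-----" when there are no flags to report */` would give userspace parsers something to rely on; word the last clause to match the actual condition.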
33372 @@ -357,9 +373,24 @@ int proc_pid_status(struct seq_file *m,
33373 task_show_regs(m, task);
33375 task_context_switch_counts(m, task);
33377 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
33378 + task_pax(m, task);
33381 +#if defined(CONFIG_GRKERNSEC) && !defined(CONFIG_GRKERNSEC_NO_RBAC)
33382 + task_grsec_rbac(m, task);
33388 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33389 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33390 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33391 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33394 static int do_task_stat(struct seq_file *m, struct pid_namespace *ns,
33395 struct pid *pid, struct task_struct *task, int whole)
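Review bot: `PAX_RAND_FLAGS` at lines 33389–33391 is a function-like macro that evaluates `_mm` four times and uses it unparenthesised in `_mm->pax_flags`, and the identical macro is defined a second time in the fs/proc/base.c hunk at lines 33495–33497. A single `static inline bool pax_rand_flags(const struct mm_struct *mm)` in a header both files include would remove the duplication and gain type checking; parenthesising the two `&` terms inside the `||` would also make the intent obvious at a glance. As written, do_task_stat below re-evaluates the macro three times per call (lines 33422–33424).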
33397 @@ -452,6 +483,19 @@ static int do_task_stat(struct seq_file
33398 gtime = task->gtime;
33401 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33402 + if (PAX_RAND_FLAGS(mm)) {
33408 +#ifdef CONFIG_GRKERNSEC_HIDESYM
33414 /* scale priority and nice values from timeslices to -20..20 */
33415 /* to make it look like a "normal" Unix priority/nice value */
33416 priority = task_prio(task);
33417 @@ -492,9 +536,15 @@ static int do_task_stat(struct seq_file
33419 mm ? get_mm_rss(mm) : 0,
33421 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33422 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->start_code : 0),
33423 + PAX_RAND_FLAGS(mm) ? 1 : (mm ? mm->end_code : 0),
33424 + PAX_RAND_FLAGS(mm) ? 0 : ((permitted && mm) ? mm->start_stack : 0),
33426 mm ? mm->start_code : 0,
33427 mm ? mm->end_code : 0,
33428 (permitted && mm) ? mm->start_stack : 0,
33432 /* The signal information here is obsolete.
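Review bot: Lines 33422–33424 report `1` for `start_code`/`end_code` but `0` for `start_stack` when `PAX_RAND_FLAGS(mm)` holds, and nothing says why the two substitutes differ. A comment above the `#ifdef`, e.g. `/* hide the layout of randomised mappings from other tasks: code bounds report 1, stack reports 0 */`, would document the intent, and the reason for choosing 1 rather than 0 for the code bounds should be stated there once confirmed — it is not visible here. do_task_stat's body starts and ends outside the hunk.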
33433 @@ -547,3 +597,10 @@ int proc_pid_statm(struct seq_file *m, s
33438 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33439 +int proc_pid_ipaddr(struct task_struct *task, char *buffer)
33441 + return sprintf(buffer, "%pI4\n", &task->signal->curr_ip);
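Review bot: `proc_pid_ipaddr` has no comment saying what `task->signal->curr_ip` records or that the file is IPv4-only (`%pI4` at line 33441), and its closing brace is not shown in this rendering. A short header, e.g. `/* /proc/<pid>/ipaddr: IPv4 address kept in signal->curr_ip (presumably the address the task's session came from — confirm); IPv6 is not represented */`, would document the interface. The unbounded `sprintf` is acceptable only because `%pI4` plus a newline is a short, fixed-maximum string, which the comment could also state.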
33444 diff -urNp linux-2.6.36.1/fs/proc/base.c linux-2.6.36.1/fs/proc/base.c
33445 --- linux-2.6.36.1/fs/proc/base.c 2010-10-20 16:30:22.000000000 -0400
33446 +++ linux-2.6.36.1/fs/proc/base.c 2010-11-06 18:58:50.000000000 -0400
33447 @@ -104,6 +104,22 @@ struct pid_entry {
33451 +struct getdents_callback {
33452 + struct linux_dirent __user * current_dir;
33453 + struct linux_dirent __user * previous;
33454 + struct file * file;
33459 +static int gr_fake_filldir(void * __buf, const char *name, int namlen,
33460 + loff_t offset, u64 ino, unsigned int d_type)
33462 + struct getdents_callback * buf = (struct getdents_callback *) __buf;
33463 + buf->error = -EINVAL;
33467 #define NOD(NAME, MODE, IOP, FOP, OP) { \
33469 .len = sizeof(NAME) - 1, \
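Review bot: `struct getdents_callback` at lines 33451–33454 redeclares the callback structure that the getdents path passes as `__buf`, and `gr_fake_filldir` writes through it at line 33463; that write is only correct while this copy keeps the exact member order of the real definition (which appears to live in fs/readdir.c and is not in this hunk) and of any other callback structure the same filldir may be handed. Moving the definition into a shared header, or having `gr_fake_filldir` not touch `__buf` at all, removes the silent layout dependency. A short comment on the function would also help, e.g. `/* filldir substitute for entries the caller may not see: consumes the entry without reporting it and, like filldir, pre-sets error to -EINVAL for the no-entries case */` — the "like filldir" part is inferred and should be checked against fs/readdir.c.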
33470 @@ -203,6 +219,9 @@ static int check_mem_permission(struct t
33471 if (task == current)
33474 + if (gr_handle_proc_ptrace(task) || gr_acl_handle_procpidmem(task))
33478 * If current is actively ptrace'ing, and would also be
33479 * permitted to freshly attach with ptrace now, permit it.
33480 @@ -250,6 +269,9 @@ static int proc_pid_cmdline(struct task_
33482 goto out_mm; /* Shh! No looking before we're done */
33484 + if (gr_acl_handle_procpidmem(task))
33487 len = mm->arg_end - mm->arg_start;
33489 if (len > PAGE_SIZE)
33490 @@ -277,12 +299,28 @@ out:
33494 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33495 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
33496 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
33497 + _mm->pax_flags & MF_PAX_SEGMEXEC))
33500 static int proc_pid_auxv(struct task_struct *task, char *buffer)
33503 struct mm_struct *mm = get_task_mm(task);
33505 unsigned int nwords = 0;
33507 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
33508 + /* allow if we're currently ptracing this task */
33509 + if (PAX_RAND_FLAGS(mm) &&
33510 + (!(task->ptrace & PT_PTRACED) || (task->parent != current))) {
33518 } while (mm->saved_auxv[nwords - 2] != 0); /* AT_NULL */
33519 @@ -296,7 +334,7 @@ static int proc_pid_auxv(struct task_str
33523 -#ifdef CONFIG_KALLSYMS
33524 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33526 * Provides a wchan file via kallsyms in a proper one-value-per-file format.
33527 * Returns the resolved symbol. If that fails, simply return the address.
33528 @@ -318,7 +356,7 @@ static int proc_pid_wchan(struct task_st
33530 #endif /* CONFIG_KALLSYMS */
33532 -#ifdef CONFIG_STACKTRACE
33533 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33535 #define MAX_STACK_TRACE_DEPTH 64
33537 @@ -509,7 +547,7 @@ static int proc_pid_limits(struct task_s
33541 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33542 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33543 static int proc_pid_syscall(struct task_struct *task, char *buffer)
33546 @@ -928,6 +966,9 @@ static ssize_t environ_read(struct file
33550 + if (gr_acl_handle_procpidmem(task))
33553 if (!ptrace_may_access(task, PTRACE_MODE_READ))
33556 @@ -1614,7 +1655,11 @@ static struct inode *proc_pid_make_inode
33558 cred = __task_cred(task);
33559 inode->i_uid = cred->euid;
33560 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33561 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33563 inode->i_gid = cred->egid;
33567 security_task_to_inode(task, inode);
33568 @@ -1632,6 +1677,9 @@ static int pid_getattr(struct vfsmount *
33569 struct inode *inode = dentry->d_inode;
33570 struct task_struct *task;
33571 const struct cred *cred;
33572 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33573 + const struct cred *tmpcred = current_cred();
33576 generic_fillattr(inode, stat);
33578 @@ -1639,12 +1687,34 @@ static int pid_getattr(struct vfsmount *
33581 task = pid_task(proc_pid(inode), PIDTYPE_PID);
33583 + if (task && (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))) {
33584 + rcu_read_unlock();
33589 + cred = __task_cred(task);
33590 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33591 + if (!tmpcred->uid || (tmpcred->uid == cred->uid)
33592 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33593 + || in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33597 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33598 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33599 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33600 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33601 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33603 task_dumpable(task)) {
33604 - cred = __task_cred(task);
33605 stat->uid = cred->euid;
33606 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33607 + stat->gid = CONFIG_GRKERNSEC_PROC_GID;
33609 stat->gid = cred->egid;
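Review bot: The visibility test at lines 33591–33593 compares real uids (`tmpcred->uid`, `cred->uid`) and exempts uid 0 with `!tmpcred->uid`, while the attributes it then exposes at lines 33605 and 33609 are effective ids (`cred->euid`, `cred->egid`); mixing the two within one function reads as accidental. If real uid is intentional (so a setuid program cannot widen what its invoker may see), a comment saying so would help, e.g. `/* visibility is decided on real uids on purpose; the exported attributes stay effective ids */`, and the uid-0 shortcut might be better expressed as a capability check. pid_revalidate in the next hunk (lines 33618–33630) shares the mode-based condition.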
33614 @@ -1676,11 +1746,20 @@ static int pid_revalidate(struct dentry
33617 if ((inode->i_mode == (S_IFDIR|S_IRUGO|S_IXUGO)) ||
33618 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33619 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IXUSR)) ||
33620 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33621 + (inode->i_mode == (S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP)) ||
33623 task_dumpable(task)) {
33625 cred = __task_cred(task);
33626 inode->i_uid = cred->euid;
33627 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33628 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33630 inode->i_gid = cred->egid;
33635 @@ -1801,7 +1880,8 @@ static int proc_fd_info(struct inode *in
33636 int fd = proc_fd(inode);
33639 - files = get_files_struct(task);
33640 + if (!gr_acl_handle_procpidmem(task))
33641 + files = get_files_struct(task);
33642 put_task_struct(task);
33645 @@ -2053,12 +2133,22 @@ static const struct file_operations proc
33646 static int proc_fd_permission(struct inode *inode, int mask)
33649 + struct task_struct *task;
33651 rv = generic_permission(inode, mask, NULL);
33655 if (task_pid(current) == proc_pid(inode))
33658 + task = get_proc_task(inode);
33659 + if (task == NULL)
33662 + if (gr_acl_handle_procpidmem(task))
33665 + put_task_struct(task);
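Review bot: In proc_fd_permission the reference taken by `get_proc_task(inode)` at line 33658 is released at line 33665 only on the fall-through path; the early exit taken when `gr_acl_handle_procpidmem(task)` is true at line 33662 is not shown in this rendering, so it should be confirmed that it also calls `put_task_struct(task)` before returning, otherwise the task reference leaks on every denied access. Setting `rv` and falling through to the existing `put_task_struct` is the simplest shape, e.g. `if (gr_acl_handle_procpidmem(task)) rv = -EACCES; /* placeholder: use the value the denied path actually returns */`. The function's tail is outside the hunk.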
33670 @@ -2167,6 +2257,9 @@ static struct dentry *proc_pident_lookup
33674 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33678 * Yes, it does not scale. And it should not. Don't add
33679 * new entries into /proc/<tgid>/ without very good reasons.
33680 @@ -2211,6 +2304,9 @@ static int proc_pident_readdir(struct fi
33684 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33690 @@ -2480,7 +2576,7 @@ static void *proc_self_follow_link(struc
33691 static void proc_self_put_link(struct dentry *dentry, struct nameidata *nd,
33694 - char *s = nd_get_link(nd);
33695 + const char *s = nd_get_link(nd);
33699 @@ -2680,7 +2776,7 @@ static const struct pid_entry tgid_base_
33700 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33702 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33703 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33704 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33705 INF("syscall", S_IRUSR, proc_pid_syscall),
33707 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33708 @@ -2705,10 +2801,10 @@ static const struct pid_entry tgid_base_
33709 #ifdef CONFIG_SECURITY
33710 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33712 -#ifdef CONFIG_KALLSYMS
33713 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33714 INF("wchan", S_IRUGO, proc_pid_wchan),
33716 -#ifdef CONFIG_STACKTRACE
33717 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33718 ONE("stack", S_IRUSR, proc_pid_stack),
33720 #ifdef CONFIG_SCHEDSTATS
33721 @@ -2739,6 +2835,9 @@ static const struct pid_entry tgid_base_
33722 INF("io", S_IRUGO, proc_tgid_io_accounting),
33724 ONE("nsproxy", S_IRUGO, proc_pid_nsproxy),
33725 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33726 + INF("ipaddr", S_IRUSR, proc_pid_ipaddr),
33730 static int proc_tgid_base_readdir(struct file * filp,
33731 @@ -2863,7 +2962,14 @@ static struct dentry *proc_pid_instantia
33735 +#ifdef CONFIG_GRKERNSEC_PROC_USER
33736 + inode->i_mode = S_IFDIR|S_IRUSR|S_IXUSR;
33737 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33738 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33739 + inode->i_mode = S_IFDIR|S_IRUSR|S_IRGRP|S_IXUSR|S_IXGRP;
33741 inode->i_mode = S_IFDIR|S_IRUGO|S_IXUGO;
33743 inode->i_op = &proc_tgid_base_inode_operations;
33744 inode->i_fop = &proc_tgid_base_operations;
33745 inode->i_flags|=S_IMMUTABLE;
33746 @@ -2905,7 +3011,11 @@ struct dentry *proc_pid_lookup(struct in
33750 + if (gr_pid_is_chrooted(task) || gr_check_hidden_task(task))
33751 + goto out_put_task;
33753 result = proc_pid_instantiate(dir, dentry, task, NULL);
33755 put_task_struct(task);
33758 @@ -2970,6 +3080,11 @@ int proc_pid_readdir(struct file * filp,
33760 unsigned int nr = filp->f_pos - FIRST_PROCESS_ENTRY;
33761 struct task_struct *reaper = get_proc_task_real(filp->f_path.dentry->d_inode);
33762 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33763 + const struct cred *tmpcred = current_cred();
33764 + const struct cred *itercred;
33766 + filldir_t __filldir = filldir;
33767 struct tgid_iter iter;
33768 struct pid_namespace *ns;
33770 @@ -2988,8 +3103,27 @@ int proc_pid_readdir(struct file * filp,
33771 for (iter = next_tgid(ns, iter);
33773 iter.tgid += 1, iter = next_tgid(ns, iter)) {
33774 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33776 + itercred = __task_cred(iter.task);
33778 + if (gr_pid_is_chrooted(iter.task) || gr_check_hidden_task(iter.task)
33779 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33780 + || (tmpcred->uid && (itercred->uid != tmpcred->uid)
33781 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33782 + && !in_group_p(CONFIG_GRKERNSEC_PROC_GID)
33787 + __filldir = &gr_fake_filldir;
33789 + __filldir = filldir;
33790 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33791 + rcu_read_unlock();
33793 filp->f_pos = iter.tgid + TGID_OFFSET;
33794 if (!vx_proc_task_visible(iter.task))
33796 - if (proc_pid_fill_cache(filp, dirent, filldir, iter) < 0) {
33797 + if (proc_pid_fill_cache(filp, dirent, __filldir, iter) < 0) {
33798 put_task_struct(iter.task);
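Review bot: The visibility test at 33780 keys on `tmpcred->uid`, while the equivalent gate this patch adds in fs/proc/proc_net.c get_proc_task_net (`cred->fsuid` at 34004) keys on fsuid, so a task whose fsuid differs from its real uid is shown a different set of information in the pid listing than under /proc/net; pick one field and use it in both files, e.g. `|| (tmpcred->fsuid && (itercred->uid != tmpcred->fsuid)`. Both tests also treat uid 0 as the exemption rather than a capability, which deserves a comment given that open_kcore in the same patch uses `capable(CAP_SYS_RAWIO)` at 33962. `__task_cred(iter.task)` at 33776 requires rcu_read_lock() to be held; the matching unlock is visible at 33791, so the lock is presumably on the elided line 33775 — confirm. The for loop and the if statement both continue on lines elided from this view.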
33799 @@ -3016,7 +3150,7 @@ static const struct pid_entry tid_base_s
33800 REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations),
33802 REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations),
33803 -#ifdef CONFIG_HAVE_ARCH_TRACEHOOK
33804 +#if defined(CONFIG_HAVE_ARCH_TRACEHOOK) && !defined(CONFIG_GRKERNSEC_PROC_MEMMAP)
33805 INF("syscall", S_IRUSR, proc_pid_syscall),
33807 INF("cmdline", S_IRUGO, proc_pid_cmdline),
33808 @@ -3040,10 +3174,10 @@ static const struct pid_entry tid_base_s
33809 #ifdef CONFIG_SECURITY
33810 DIR("attr", S_IRUGO|S_IXUGO, proc_attr_dir_inode_operations, proc_attr_dir_operations),
33812 -#ifdef CONFIG_KALLSYMS
33813 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33814 INF("wchan", S_IRUGO, proc_pid_wchan),
33816 -#ifdef CONFIG_STACKTRACE
33817 +#if defined(CONFIG_STACKTRACE) && !defined(CONFIG_GRKERNSEC_HIDESYM)
33818 ONE("stack", S_IRUSR, proc_pid_stack),
33820 #ifdef CONFIG_SCHEDSTATS
33821 diff -urNp linux-2.6.36.1/fs/proc/cmdline.c linux-2.6.36.1/fs/proc/cmdline.c
33822 --- linux-2.6.36.1/fs/proc/cmdline.c 2010-10-20 16:30:22.000000000 -0400
33823 +++ linux-2.6.36.1/fs/proc/cmdline.c 2010-11-06 18:58:50.000000000 -0400
33824 @@ -23,7 +23,11 @@ static const struct file_operations cmdl
33826 static int __init proc_cmdline_init(void)
33828 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33829 + proc_create_grsec("cmdline", 0, NULL, &cmdline_proc_fops);
33831 proc_create("cmdline", 0, NULL, &cmdline_proc_fops);
33835 module_init(proc_cmdline_init);
33836 diff -urNp linux-2.6.36.1/fs/proc/devices.c linux-2.6.36.1/fs/proc/devices.c
33837 --- linux-2.6.36.1/fs/proc/devices.c 2010-10-20 16:30:22.000000000 -0400
33838 +++ linux-2.6.36.1/fs/proc/devices.c 2010-11-06 18:58:50.000000000 -0400
33839 @@ -64,7 +64,11 @@ static const struct file_operations proc
33841 static int __init proc_devices_init(void)
33843 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
33844 + proc_create_grsec("devices", 0, NULL, &proc_devinfo_operations);
33846 proc_create("devices", 0, NULL, &proc_devinfo_operations);
33850 module_init(proc_devices_init);
33851 diff -urNp linux-2.6.36.1/fs/proc/inode.c linux-2.6.36.1/fs/proc/inode.c
33852 --- linux-2.6.36.1/fs/proc/inode.c 2010-10-20 16:30:22.000000000 -0400
33853 +++ linux-2.6.36.1/fs/proc/inode.c 2010-11-06 18:58:50.000000000 -0400
33854 @@ -426,7 +426,11 @@ struct inode *proc_get_inode(struct supe
33856 inode->i_mode = de->mode;
33857 inode->i_uid = de->uid;
33858 +#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
33859 + inode->i_gid = CONFIG_GRKERNSEC_PROC_GID;
33861 inode->i_gid = de->gid;
33865 inode->i_size = de->size;
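Review bot: Under CONFIG_GRKERNSEC_PROC_USERGROUP the assignment at 33859 replaces `de->gid` for every procfs inode, so a proc entry that was registered with a specific group (the `de->gid` the `#else` arm still honours at 33861) silently receives CONFIG_GRKERNSEC_PROC_GID instead. If that blanket override is intended, say so in a comment above 33858; otherwise apply it only when no group was requested, `inode->i_gid = de->gid ? de->gid : CONFIG_GRKERNSEC_PROC_GID;`. The `#endif` and the rest of proc_get_inode are elided from this view.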
33866 diff -urNp linux-2.6.36.1/fs/proc/internal.h linux-2.6.36.1/fs/proc/internal.h
33867 --- linux-2.6.36.1/fs/proc/internal.h 2010-10-20 16:30:22.000000000 -0400
33868 +++ linux-2.6.36.1/fs/proc/internal.h 2010-11-06 18:58:50.000000000 -0400
33869 @@ -51,6 +51,9 @@ extern int proc_pid_status(struct seq_fi
33870 extern int proc_pid_nsproxy(struct seq_file *m, struct pid_namespace *ns,
33871 struct pid *pid, struct task_struct *task);
33873 +#ifdef CONFIG_GRKERNSEC_PROC_IPADDR
33874 +extern int proc_pid_ipaddr(struct task_struct *task, char *buffer);
33876 extern loff_t mem_lseek(struct file *file, loff_t offset, int orig);
33878 extern const struct file_operations proc_maps_operations;
33879 diff -urNp linux-2.6.36.1/fs/proc/Kconfig linux-2.6.36.1/fs/proc/Kconfig
33880 --- linux-2.6.36.1/fs/proc/Kconfig 2010-10-20 16:30:22.000000000 -0400
33881 +++ linux-2.6.36.1/fs/proc/Kconfig 2010-11-06 18:58:50.000000000 -0400
33882 @@ -30,12 +30,12 @@ config PROC_FS
33885 bool "/proc/kcore support" if !ARM
33886 - depends on PROC_FS && MMU
33887 + depends on PROC_FS && MMU && !GRKERNSEC_PROC_ADD
33890 bool "/proc/vmcore support (EXPERIMENTAL)"
33891 - depends on PROC_FS && CRASH_DUMP
33893 + depends on PROC_FS && CRASH_DUMP && !GRKERNSEC
33896 Exports the dump image of crashed kernel in ELF format.
33898 @@ -59,8 +59,8 @@ config PROC_SYSCTL
33901 config PROC_PAGE_MONITOR
33903 - depends on PROC_FS && MMU
33905 + depends on PROC_FS && MMU && !GRKERNSEC
33906 bool "Enable /proc page monitoring" if EMBEDDED
33908 Various /proc files exist to monitor process memory utilization:
33909 diff -urNp linux-2.6.36.1/fs/proc/kcore.c linux-2.6.36.1/fs/proc/kcore.c
33910 --- linux-2.6.36.1/fs/proc/kcore.c 2010-10-20 16:30:22.000000000 -0400
33911 +++ linux-2.6.36.1/fs/proc/kcore.c 2010-11-06 18:58:50.000000000 -0400
33912 @@ -478,9 +478,10 @@ read_kcore(struct file *file, char __use
33913 * the addresses in the elf_phdr on our list.
33915 start = kc_offset_to_vaddr(*fpos - elf_buflen);
33916 - if ((tsz = (PAGE_SIZE - (start & ~PAGE_MASK))) > buflen)
33917 + tsz = PAGE_SIZE - (start & ~PAGE_MASK);
33918 + if (tsz > buflen)
33923 struct kcore_list *m;
33925 @@ -509,20 +510,18 @@ read_kcore(struct file *file, char __use
33928 if (kern_addr_valid(start)) {
33932 - n = copy_to_user(buffer, (char *)start, tsz);
33934 - * We cannot distingush between fault on source
33935 - * and fault on destination. When this happens
33936 - * we clear too and hope it will trigger the
33940 - if (clear_user(buffer + tsz - n,
33942 + elf_buf = kmalloc(tsz, GFP_KERNEL);
33945 + if (!__copy_from_user(elf_buf, (const void __user *)start, tsz)) {
33946 + if (copy_to_user(buffer, elf_buf, tsz)) {
33953 if (clear_user(buffer, tsz))
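Review bot: The user-pointer cast at 33945, `(const void __user *)start`, lacks the `__force` annotation that this same patch adds to identical kernel-to-user casts in fs/splice.c (34510, 34518, 34528), so sparse will flag it; `(__force const void __user *)start` keeps the two files consistent. The `kmalloc(tsz, GFP_KERNEL)` at 33942 must be NULL-checked before `__copy_from_user` and freed on both the success path and the `copy_to_user` failure path; the lines that would do that (33943–33944, 33947–33952) are elided here, so confirm they are present. Allocating a fresh buffer on every iteration of the read loop is also avoidable: tsz never exceeds PAGE_SIZE per 33917, so one buffer allocated before the loop (which begins outside this hunk) would serve every chunk.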
33955 @@ -542,6 +541,9 @@ read_kcore(struct file *file, char __use
33957 static int open_kcore(struct inode *inode, struct file *filp)
33959 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
33962 if (!capable(CAP_SYS_RAWIO))
33964 if (kcore_need_update)
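Review bot: The `CONFIG_GRKERNSEC_PROC_ADD` arm of the new `#if` at 33959 looks unreachable, because the Kconfig hunk at `@@ -30,12 +30,12 @@ config PROC_FS` makes PROC_KCORE depend on `!GRKERNSEC_PROC_ADD`, so kcore.c is not built in that configuration; unless another part of the patch re-enables it, `#ifdef CONFIG_GRKERNSEC_HIDESYM` states the intent more accurately. The body of the conditional (33960–33961) is not visible here, so I am assuming it is an unconditional early return. open_kcore continues past the end of the hunk.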
33965 diff -urNp linux-2.6.36.1/fs/proc/meminfo.c linux-2.6.36.1/fs/proc/meminfo.c
33966 --- linux-2.6.36.1/fs/proc/meminfo.c 2010-10-20 16:30:22.000000000 -0400
33967 +++ linux-2.6.36.1/fs/proc/meminfo.c 2010-11-06 18:58:15.000000000 -0400
33968 @@ -149,7 +149,7 @@ static int meminfo_proc_show(struct seq_
33970 vmi.largest_chunk >> 10
33971 #ifdef CONFIG_MEMORY_FAILURE
33972 - ,atomic_long_read(&mce_bad_pages) << (PAGE_SHIFT - 10)
33973 + ,atomic_long_read_unchecked(&mce_bad_pages) << (PAGE_SHIFT - 10)
33977 diff -urNp linux-2.6.36.1/fs/proc/nommu.c linux-2.6.36.1/fs/proc/nommu.c
33978 --- linux-2.6.36.1/fs/proc/nommu.c 2010-10-20 16:30:22.000000000 -0400
33979 +++ linux-2.6.36.1/fs/proc/nommu.c 2010-11-06 18:58:15.000000000 -0400
33980 @@ -66,7 +66,7 @@ static int nommu_region_show(struct seq_
33983 seq_printf(m, "%*c", len, ' ');
33984 - seq_path(m, &file->f_path, "");
33985 + seq_path(m, &file->f_path, "\n\\");
33989 diff -urNp linux-2.6.36.1/fs/proc/proc_net.c linux-2.6.36.1/fs/proc/proc_net.c
33990 --- linux-2.6.36.1/fs/proc/proc_net.c 2010-10-20 16:30:22.000000000 -0400
33991 +++ linux-2.6.36.1/fs/proc/proc_net.c 2010-11-06 18:58:50.000000000 -0400
33992 @@ -105,6 +105,17 @@ static struct net *get_proc_task_net(str
33993 struct task_struct *task;
33994 struct nsproxy *ns;
33995 struct net *net = NULL;
33996 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
33997 + const struct cred *cred = current_cred();
34000 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34003 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34004 + if (cred->fsuid && !in_group_p(CONFIG_GRKERNSEC_PROC_GID))
34009 task = pid_task(proc_pid(dir), PIDTYPE_PID);
34010 diff -urNp linux-2.6.36.1/fs/proc/proc_sysctl.c linux-2.6.36.1/fs/proc/proc_sysctl.c
34011 --- linux-2.6.36.1/fs/proc/proc_sysctl.c 2010-10-20 16:30:22.000000000 -0400
34012 +++ linux-2.6.36.1/fs/proc/proc_sysctl.c 2010-11-06 18:58:50.000000000 -0400
34014 #include <linux/security.h>
34015 #include "internal.h"
34017 +extern __u32 gr_handle_sysctl(const struct ctl_table *table, const int op);
34019 static const struct dentry_operations proc_sys_dentry_operations;
34020 static const struct file_operations proc_sys_file_operations;
34021 static const struct inode_operations proc_sys_inode_operations;
34022 @@ -109,6 +111,9 @@ static struct dentry *proc_sys_lookup(st
34026 + if (gr_handle_sysctl(p, MAY_EXEC))
34029 err = ERR_PTR(-ENOMEM);
34030 inode = proc_sys_make_inode(dir->i_sb, h ? h : head, p);
34032 @@ -228,6 +233,9 @@ static int scan(struct ctl_table_header
34033 if (*pos < file->f_pos)
34036 + if (gr_handle_sysctl(table, 0))
34039 res = proc_sys_fill_cache(file, dirent, filldir, head, table);
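Review bot: `gr_handle_sysctl(table, 0)` at 34036 passes a bare 0 where the lookup (34026) and getattr (34046) paths pass `MAY_EXEC`; if 0 means "visibility only, no access intent", a named constant should replace the literal, or the prototype at 34017 should carry a comment describing the `op` values, since the parameter is otherwise opaque to readers of scan(). The action taken when the hook fails (34037–34038) is elided here, so I cannot tell whether the entry is skipped silently or the scan aborts; skipping silently would match proc_pid_readdir's gr_fake_filldir approach in fs/proc/base.c.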
34042 @@ -353,6 +361,9 @@ static int proc_sys_getattr(struct vfsmo
34044 return PTR_ERR(head);
34046 + if (table && gr_handle_sysctl(table, MAY_EXEC))
34049 generic_fillattr(inode, stat);
34051 stat->mode = (stat->mode & S_IFMT) | table->mode;
34052 diff -urNp linux-2.6.36.1/fs/proc/root.c linux-2.6.36.1/fs/proc/root.c
34053 --- linux-2.6.36.1/fs/proc/root.c 2010-10-20 16:30:22.000000000 -0400
34054 +++ linux-2.6.36.1/fs/proc/root.c 2010-11-06 18:58:50.000000000 -0400
34055 @@ -133,7 +133,15 @@ void __init proc_root_init(void)
34056 #ifdef CONFIG_PROC_DEVICETREE
34057 proc_device_tree_init();
34059 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
34060 +#ifdef CONFIG_GRKERNSEC_PROC_USER
34061 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR, NULL);
34062 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
34063 + proc_mkdir_mode("bus", S_IRUSR | S_IXUSR | S_IRGRP | S_IXGRP, NULL);
34066 proc_mkdir("bus", NULL);
34071 diff -urNp linux-2.6.36.1/fs/proc/task_mmu.c linux-2.6.36.1/fs/proc/task_mmu.c
34072 --- linux-2.6.36.1/fs/proc/task_mmu.c 2010-10-20 16:30:22.000000000 -0400
34073 +++ linux-2.6.36.1/fs/proc/task_mmu.c 2010-11-06 18:58:50.000000000 -0400
34074 @@ -49,8 +49,13 @@ void task_mem(struct seq_file *m, struct
34075 "VmExe:\t%8lu kB\n"
34076 "VmLib:\t%8lu kB\n"
34077 "VmPTE:\t%8lu kB\n"
34078 - "VmSwap:\t%8lu kB\n",
34079 - hiwater_vm << (PAGE_SHIFT-10),
34080 + "VmSwap:\t%8lu kB\n"
34082 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34083 + "CsBase:\t%8lx\nCsLim:\t%8lx\n"
34086 + ,hiwater_vm << (PAGE_SHIFT-10),
34087 (total_vm - mm->reserved_vm) << (PAGE_SHIFT-10),
34088 mm->locked_vm << (PAGE_SHIFT-10),
34089 hiwater_rss << (PAGE_SHIFT-10),
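Review bot: Under CONFIG_ARCH_TRACK_EXEC_LIMIT the new `CsBase`/`CsLim` lines (format at 34083, values `mm->context.user_cs_base` and `user_cs_limit` in the next hunk, `@@ -58,7 +63,13`) print address-space layout information about the target task, yet unlike the address fields in show_map_vma and show_smap they are not gated by PAX_RAND_FLAGS; as far as I recall task_mem feeds /proc/<pid>/status, which is readable by other users. If user_cs_limit reveals where executable mappings end under a randomized layout, the same `PAX_RAND_FLAGS(mm) ? 0UL : ...` treatment (or a CONFIG_GRKERNSEC_PROC_MEMMAP guard) belongs here; if it is considered harmless, a comment saying so would pre-empt the question. The seq_printf call begins before this hunk.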
34090 @@ -58,7 +63,13 @@ void task_mem(struct seq_file *m, struct
34091 data << (PAGE_SHIFT-10),
34092 mm->stack_vm << (PAGE_SHIFT-10), text, lib,
34093 (PTRS_PER_PTE*sizeof(pte_t)*mm->nr_ptes) >> 10,
34094 - swap << (PAGE_SHIFT-10));
34095 + swap << (PAGE_SHIFT-10)
34097 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
34098 + , mm->context.user_cs_base, mm->context.user_cs_limit
34104 unsigned long task_vsize(struct mm_struct *mm)
34105 @@ -203,6 +214,12 @@ static int do_maps_open(struct inode *in
34109 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34110 +#define PAX_RAND_FLAGS(_mm) (_mm != NULL && _mm != current->mm && \
34111 + (_mm->pax_flags & MF_PAX_RANDMMAP || \
34112 + _mm->pax_flags & MF_PAX_SEGMEXEC))
34115 static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma)
34117 struct mm_struct *mm = vma->vm_mm;
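Review bot: The `PAX_RAND_FLAGS` macro at 34110–34112 neither parenthesizes its argument nor evaluates it once, and the `a & B || a & C` form is easy to misread; a safer one-liner is `#define PAX_RAND_FLAGS(_mm) ((_mm) != NULL && (_mm) != current->mm && ((_mm)->pax_flags & (MF_PAX_RANDMMAP | MF_PAX_SEGMEXEC)))`. Every use on this page passes a plain lvalue (`mm`, `vma->vm_mm`), so the multiple evaluation is harmless today, but the macro now lives in fs/proc and will be reused. A short comment stating what the predicate means — the mapping belongs to another process whose layout is randomized or segmented, so its addresses are reported as 0 — would help readers of show_map_vma and show_smap.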
34118 @@ -210,7 +227,6 @@ static void show_map_vma(struct seq_file
34119 int flags = vma->vm_flags;
34120 unsigned long ino = 0;
34121 unsigned long long pgoff = 0;
34122 - unsigned long start;
34126 @@ -221,20 +237,24 @@ static void show_map_vma(struct seq_file
34127 pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT;
34130 - /* We don't show the stack guard page in /proc/maps */
34131 - start = vma->vm_start;
34132 - if (vma->vm_flags & VM_GROWSDOWN)
34133 - if (!vma_stack_continue(vma->vm_prev, vma->vm_start))
34134 - start += PAGE_SIZE;
34136 seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n",
34138 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34139 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_start,
34140 + PAX_RAND_FLAGS(mm) ? 0UL : vma->vm_end,
34145 flags & VM_READ ? 'r' : '-',
34146 flags & VM_WRITE ? 'w' : '-',
34147 flags & VM_EXEC ? 'x' : '-',
34148 flags & VM_MAYSHARE ? 's' : 'p',
34149 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34150 + PAX_RAND_FLAGS(mm) ? 0UL : pgoff,
34154 MAJOR(dev), MINOR(dev), ino, &len);
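Review bot: The non-MEMMAP arm of the new seq_printf (the `#else` lines 34141–34144 are elided here) presumably prints `vma->vm_start` directly, which means the guard-page adjustment the removed `start` computation (34130–34134) used to apply is gone for every configuration, not only when PAX_RAND_FLAGS hides addresses; /proc/<pid>/maps output therefore changes even for builds that enable none of the grsecurity options. If that is deliberate, say so at the point of removal, e.g. `/* the stack guard page is deliberately not hidden here */`, so a later merge does not reintroduce the upstream code. show_map_vma continues on lines elided from the hunk.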
34157 @@ -243,16 +263,16 @@ static void show_map_vma(struct seq_file
34160 pad_len_spaces(m, len);
34161 - seq_path(m, &file->f_path, "\n");
34162 + seq_path(m, &file->f_path, "\n\\");
34164 const char *name = arch_vma_name(vma);
34167 - if (vma->vm_start <= mm->start_brk &&
34168 - vma->vm_end >= mm->brk) {
34169 + if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
34171 - } else if (vma->vm_start <= mm->start_stack &&
34172 - vma->vm_end >= mm->start_stack) {
34173 + } else if ((vma->vm_flags & (VM_GROWSDOWN | VM_GROWSUP)) ||
34174 + (vma->vm_start <= mm->start_stack &&
34175 + vma->vm_end >= mm->start_stack)) {
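Review bot: The new `[heap]` test at 34169 accepts any VMA that overlaps [start_brk, brk] where the old one required the VMA to contain the whole range, and the `[stack]` test at 34173 now labels every VM_GROWSDOWN/VM_GROWSUP mapping, so thread stacks and split heap regions change their names in /proc/<pid>/maps — a user-visible change that tools parsing maps may notice. Neither line carries a rationale; a comment such as `/* the heap may be split across several VMAs; label every piece */` above 34169 and a similar one above 34173 would record the intent. The escape set passed to seq_path at 34162 also grows to `"\n\\"`, matching the nommu.c and task_nommu.c hunks, which is fine but worth a word in the commit description.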
34179 @@ -394,11 +414,16 @@ static int show_smap(struct seq_file *m,
34182 memset(&mss, 0, sizeof mss);
34184 - /* mmap_sem is held in m_start */
34185 - if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34186 - walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34188 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34189 + if (!PAX_RAND_FLAGS(vma->vm_mm)) {
34192 + /* mmap_sem is held in m_start */
34193 + if (vma->vm_mm && !is_vm_hugetlb_page(vma))
34194 + walk_page_range(vma->vm_start, vma->vm_end, &smaps_walk);
34195 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34198 show_map_vma(m, vma);
34201 @@ -413,7 +438,11 @@ static int show_smap(struct seq_file *m,
34203 "KernelPageSize: %8lu kB\n"
34204 "MMUPageSize: %8lu kB\n",
34205 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
34206 + PAX_RAND_FLAGS(vma->vm_mm) ? 0UL : (vma->vm_end - vma->vm_start) >> 10,
34208 (vma->vm_end - vma->vm_start) >> 10,
34210 mss.resident >> 10,
34211 (unsigned long)(mss.pss >> (10 + PSS_SHIFT)),
34212 mss.shared_clean >> 10,
34213 diff -urNp linux-2.6.36.1/fs/proc/task_nommu.c linux-2.6.36.1/fs/proc/task_nommu.c
34214 --- linux-2.6.36.1/fs/proc/task_nommu.c 2010-10-20 16:30:22.000000000 -0400
34215 +++ linux-2.6.36.1/fs/proc/task_nommu.c 2010-11-06 18:58:15.000000000 -0400
34216 @@ -51,7 +51,7 @@ void task_mem(struct seq_file *m, struct
34218 bytes += kobjsize(mm);
34220 - if (current->fs && current->fs->users > 1)
34221 + if (current->fs && atomic_read(¤t->fs->users) > 1)
34222 sbytes += kobjsize(current->fs);
34224 bytes += kobjsize(current->fs);
34225 @@ -165,7 +165,7 @@ static int nommu_vma_show(struct seq_fil
34228 pad_len_spaces(m, len);
34229 - seq_path(m, &file->f_path, "");
34230 + seq_path(m, &file->f_path, "\n\\");
34232 if (vma->vm_start <= mm->start_stack &&
34233 vma->vm_end >= mm->start_stack) {
34234 diff -urNp linux-2.6.36.1/fs/readdir.c linux-2.6.36.1/fs/readdir.c
34235 --- linux-2.6.36.1/fs/readdir.c 2010-10-20 16:30:22.000000000 -0400
34236 +++ linux-2.6.36.1/fs/readdir.c 2010-11-06 18:58:50.000000000 -0400
34238 #include <linux/security.h>
34239 #include <linux/syscalls.h>
34240 #include <linux/unistd.h>
34241 +#include <linux/namei.h>
34243 #include <asm/uaccess.h>
34245 @@ -67,6 +68,7 @@ struct old_linux_dirent {
34247 struct readdir_callback {
34248 struct old_linux_dirent __user * dirent;
34249 + struct file * file;
34253 @@ -84,6 +86,10 @@ static int fillonedir(void * __buf, cons
34254 buf->result = -EOVERFLOW;
34258 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34262 dirent = buf->dirent;
34263 if (!access_ok(VERIFY_WRITE, dirent,
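Review bot: The `gr_acl_handle_filldir` gate at 34258 reads `buf->file`, but the assignment that fills the new member before `vfs_readdir` is not visible in any of the three syscall hunks (old_readdir at `@@ -116,6 +122,7`, getdents at `@@ -210,6 +222,7`, getdents64 at `@@ -291,6 +309,7` — their added lines are elided from this view); the callback structs are stack locals, so a missing `buf.file = file;` would hand the hook an uninitialized pointer — confirm each hunk sets it. The same check is duplicated verbatim in filldir at 34285 and filldir64 at 34312; one small static helper taking the callback's file would keep the three in step. Declaration style also differs between `struct file * file;` (34249, 34276) and `struct file *file;` (34303); the latter is kernel style.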
34264 @@ -116,6 +122,7 @@ SYSCALL_DEFINE3(old_readdir, unsigned in
34267 buf.dirent = dirent;
34270 error = vfs_readdir(file, fillonedir, &buf);
34272 @@ -142,6 +149,7 @@ struct linux_dirent {
34273 struct getdents_callback {
34274 struct linux_dirent __user * current_dir;
34275 struct linux_dirent __user * previous;
34276 + struct file * file;
34280 @@ -163,6 +171,10 @@ static int filldir(void * __buf, const c
34281 buf->error = -EOVERFLOW;
34285 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34288 dirent = buf->previous;
34290 if (__put_user(offset, &dirent->d_off))
34291 @@ -210,6 +222,7 @@ SYSCALL_DEFINE3(getdents, unsigned int,
34292 buf.previous = NULL;
34297 error = vfs_readdir(file, filldir, &buf);
34299 @@ -229,6 +242,7 @@ out:
34300 struct getdents_callback64 {
34301 struct linux_dirent64 __user * current_dir;
34302 struct linux_dirent64 __user * previous;
34303 + struct file *file;
34307 @@ -244,6 +258,10 @@ static int filldir64(void * __buf, const
34308 buf->error = -EINVAL; /* only used if we fail.. */
34309 if (reclen > buf->count)
34312 + if (!gr_acl_handle_filldir(buf->file, name, namlen, ino))
34315 dirent = buf->previous;
34317 if (__put_user(offset, &dirent->d_off))
34318 @@ -291,6 +309,7 @@ SYSCALL_DEFINE3(getdents64, unsigned int
34320 buf.current_dir = dirent;
34321 buf.previous = NULL;
34326 diff -urNp linux-2.6.36.1/fs/reiserfs/do_balan.c linux-2.6.36.1/fs/reiserfs/do_balan.c
34327 --- linux-2.6.36.1/fs/reiserfs/do_balan.c 2010-10-20 16:30:22.000000000 -0400
34328 +++ linux-2.6.36.1/fs/reiserfs/do_balan.c 2010-11-06 18:58:15.000000000 -0400
34329 @@ -2051,7 +2051,7 @@ void do_balance(struct tree_balance *tb,
34333 - atomic_inc(&(fs_generation(tb->tb_sb)));
34334 + atomic_inc_unchecked(&(fs_generation(tb->tb_sb)));
34335 do_balance_starts(tb);
34337 /* balance leaf returns 0 except if combining L R and S into
34338 diff -urNp linux-2.6.36.1/fs/reiserfs/item_ops.c linux-2.6.36.1/fs/reiserfs/item_ops.c
34339 --- linux-2.6.36.1/fs/reiserfs/item_ops.c 2010-10-20 16:30:22.000000000 -0400
34340 +++ linux-2.6.36.1/fs/reiserfs/item_ops.c 2010-11-06 18:58:15.000000000 -0400
34341 @@ -102,7 +102,7 @@ static void sd_print_vi(struct virtual_i
34342 vi->vi_index, vi->vi_type, vi->vi_ih);
34345 -static struct item_operations stat_data_ops = {
34346 +static const struct item_operations stat_data_ops = {
34347 .bytes_number = sd_bytes_number,
34348 .decrement_key = sd_decrement_key,
34349 .is_left_mergeable = sd_is_left_mergeable,
34350 @@ -196,7 +196,7 @@ static void direct_print_vi(struct virtu
34351 vi->vi_index, vi->vi_type, vi->vi_ih);
34354 -static struct item_operations direct_ops = {
34355 +static const struct item_operations direct_ops = {
34356 .bytes_number = direct_bytes_number,
34357 .decrement_key = direct_decrement_key,
34358 .is_left_mergeable = direct_is_left_mergeable,
34359 @@ -341,7 +341,7 @@ static void indirect_print_vi(struct vir
34360 vi->vi_index, vi->vi_type, vi->vi_ih);
34363 -static struct item_operations indirect_ops = {
34364 +static const struct item_operations indirect_ops = {
34365 .bytes_number = indirect_bytes_number,
34366 .decrement_key = indirect_decrement_key,
34367 .is_left_mergeable = indirect_is_left_mergeable,
34368 @@ -628,7 +628,7 @@ static void direntry_print_vi(struct vir
34372 -static struct item_operations direntry_ops = {
34373 +static const struct item_operations direntry_ops = {
34374 .bytes_number = direntry_bytes_number,
34375 .decrement_key = direntry_decrement_key,
34376 .is_left_mergeable = direntry_is_left_mergeable,
34377 @@ -724,7 +724,7 @@ static void errcatch_print_vi(struct vir
34378 "Invalid item type observed, run fsck ASAP");
34381 -static struct item_operations errcatch_ops = {
34382 +static const struct item_operations errcatch_ops = {
34383 errcatch_bytes_number,
34384 errcatch_decrement_key,
34385 errcatch_is_left_mergeable,
34386 @@ -746,7 +746,7 @@ static struct item_operations errcatch_o
34387 #error Item types must use disk-format assigned values.
34390 -struct item_operations *item_ops[TYPE_ANY + 1] = {
34391 +const struct item_operations * const item_ops[TYPE_ANY + 1] = {
34395 diff -urNp linux-2.6.36.1/fs/reiserfs/procfs.c linux-2.6.36.1/fs/reiserfs/procfs.c
34396 --- linux-2.6.36.1/fs/reiserfs/procfs.c 2010-10-20 16:30:22.000000000 -0400
34397 +++ linux-2.6.36.1/fs/reiserfs/procfs.c 2010-11-06 18:58:15.000000000 -0400
34398 @@ -113,7 +113,7 @@ static int show_super(struct seq_file *m
34399 "SMALL_TAILS " : "NO_TAILS ",
34400 replay_only(sb) ? "REPLAY_ONLY " : "",
34401 convert_reiserfs(sb) ? "CONV " : "",
34402 - atomic_read(&r->s_generation_counter),
34403 + atomic_read_unchecked(&r->s_generation_counter),
34404 SF(s_disk_reads), SF(s_disk_writes), SF(s_fix_nodes),
34405 SF(s_do_balance), SF(s_unneeded_left_neighbor),
34406 SF(s_good_search_by_key_reada), SF(s_bmaps),
34407 diff -urNp linux-2.6.36.1/fs/select.c linux-2.6.36.1/fs/select.c
34408 --- linux-2.6.36.1/fs/select.c 2010-10-20 16:30:22.000000000 -0400
34409 +++ linux-2.6.36.1/fs/select.c 2010-11-06 18:58:50.000000000 -0400
34411 #include <linux/module.h>
34412 #include <linux/slab.h>
34413 #include <linux/poll.h>
34414 +#include <linux/security.h>
34415 #include <linux/personality.h> /* for STICKY_TIMEOUTS */
34416 #include <linux/file.h>
34417 #include <linux/fdtable.h>
34418 @@ -838,6 +839,7 @@ int do_sys_poll(struct pollfd __user *uf
34419 struct poll_list *walk = head;
34420 unsigned long todo = nfds;
34422 + gr_learn_resource(current, RLIMIT_NOFILE, nfds, 1);
34423 if (nfds > rlimit(RLIMIT_NOFILE))
34426 diff -urNp linux-2.6.36.1/fs/seq_file.c linux-2.6.36.1/fs/seq_file.c
34427 --- linux-2.6.36.1/fs/seq_file.c 2010-10-20 16:30:22.000000000 -0400
34428 +++ linux-2.6.36.1/fs/seq_file.c 2010-11-06 18:58:15.000000000 -0400
34429 @@ -76,7 +76,8 @@ static int traverse(struct seq_file *m,
34433 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34434 + m->size = PAGE_SIZE;
34435 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34439 @@ -116,7 +117,8 @@ static int traverse(struct seq_file *m,
34443 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34445 + m->buf = kmalloc(m->size, GFP_KERNEL);
34446 return !m->buf ? -ENOMEM : -EAGAIN;
34449 @@ -169,7 +171,8 @@ ssize_t seq_read(struct file *file, char
34450 m->version = file->f_version;
34451 /* grab buffer if we didn't have one */
34453 - m->buf = kmalloc(m->size = PAGE_SIZE, GFP_KERNEL);
34454 + m->size = PAGE_SIZE;
34455 + m->buf = kmalloc(PAGE_SIZE, GFP_KERNEL);
34459 @@ -210,7 +213,8 @@ ssize_t seq_read(struct file *file, char
34463 - m->buf = kmalloc(m->size <<= 1, GFP_KERNEL);
34465 + m->buf = kmalloc(m->size, GFP_KERNEL);
34469 diff -urNp linux-2.6.36.1/fs/smbfs/symlink.c linux-2.6.36.1/fs/smbfs/symlink.c
34470 --- linux-2.6.36.1/fs/smbfs/symlink.c 2010-10-20 16:30:22.000000000 -0400
34471 +++ linux-2.6.36.1/fs/smbfs/symlink.c 2010-11-06 18:58:15.000000000 -0400
34472 @@ -55,7 +55,7 @@ static void *smb_follow_link(struct dent
34474 static void smb_put_link(struct dentry *dentry, struct nameidata *nd, void *p)
34476 - char *s = nd_get_link(nd);
34477 + const char *s = nd_get_link(nd);
34481 diff -urNp linux-2.6.36.1/fs/splice.c linux-2.6.36.1/fs/splice.c
34482 --- linux-2.6.36.1/fs/splice.c 2010-10-20 16:30:22.000000000 -0400
34483 +++ linux-2.6.36.1/fs/splice.c 2010-11-06 18:58:15.000000000 -0400
34484 @@ -186,7 +186,7 @@ ssize_t splice_to_pipe(struct pipe_inode
34488 - if (!pipe->readers) {
34489 + if (!atomic_read(&pipe->readers)) {
34490 send_sig(SIGPIPE, current, 0);
34493 @@ -240,9 +240,9 @@ ssize_t splice_to_pipe(struct pipe_inode
34497 - pipe->waiting_writers++;
34498 + atomic_inc(&pipe->waiting_writers);
34500 - pipe->waiting_writers--;
34501 + atomic_dec(&pipe->waiting_writers);
34505 @@ -556,7 +556,7 @@ static ssize_t kernel_readv(struct file
34508 /* The cast to a user pointer is valid due to the set_fs() */
34509 - res = vfs_readv(file, (const struct iovec __user *)vec, vlen, &pos);
34510 + res = vfs_readv(file, (__force const struct iovec __user *)vec, vlen, &pos);
34514 @@ -571,7 +571,7 @@ static ssize_t kernel_write(struct file
34517 /* The cast to a user pointer is valid due to the set_fs() */
34518 - res = vfs_write(file, (const char __user *)buf, count, &pos);
34519 + res = vfs_write(file, (__force const char __user *)buf, count, &pos);
34523 @@ -622,7 +622,7 @@ ssize_t default_file_splice_read(struct
34526 this_len = min_t(size_t, len, PAGE_CACHE_SIZE - offset);
34527 - vec[i].iov_base = (void __user *) page_address(page);
34528 + vec[i].iov_base = (__force void __user *) page_address(page);
34529 vec[i].iov_len = this_len;
34530 spd.pages[i] = page;
34532 @@ -849,10 +849,10 @@ EXPORT_SYMBOL(splice_from_pipe_feed);
34533 int splice_from_pipe_next(struct pipe_inode_info *pipe, struct splice_desc *sd)
34535 while (!pipe->nrbufs) {
34536 - if (!pipe->writers)
34537 + if (!atomic_read(&pipe->writers))
34540 - if (!pipe->waiting_writers && sd->num_spliced)
34541 + if (!atomic_read(&pipe->waiting_writers) && sd->num_spliced)
34544 if (sd->flags & SPLICE_F_NONBLOCK)
34545 @@ -1189,7 +1189,7 @@ ssize_t splice_direct_to_actor(struct fi
34546 * out of the pipe right after the splice_to_pipe(). So set
34547 * PIPE_READERS appropriately.
34549 - pipe->readers = 1;
34550 + atomic_set(&pipe->readers, 1);
34552 current->splice_pipe = pipe;
34554 @@ -1757,9 +1757,9 @@ static int ipipe_prep(struct pipe_inode_
34555 ret = -ERESTARTSYS;
34558 - if (!pipe->writers)
34559 + if (!atomic_read(&pipe->writers))
34561 - if (!pipe->waiting_writers) {
34562 + if (!atomic_read(&pipe->waiting_writers)) {
34563 if (flags & SPLICE_F_NONBLOCK) {
34566 @@ -1791,7 +1791,7 @@ static int opipe_prep(struct pipe_inode_
34569 while (pipe->nrbufs >= pipe->buffers) {
34570 - if (!pipe->readers) {
34571 + if (!atomic_read(&pipe->readers)) {
34572 send_sig(SIGPIPE, current, 0);
34575 @@ -1804,9 +1804,9 @@ static int opipe_prep(struct pipe_inode_
34576 ret = -ERESTARTSYS;
34579 - pipe->waiting_writers++;
34580 + atomic_inc(&pipe->waiting_writers);
34582 - pipe->waiting_writers--;
34583 + atomic_dec(&pipe->waiting_writers);
34587 @@ -1842,14 +1842,14 @@ retry:
34588 pipe_double_lock(ipipe, opipe);
34591 - if (!opipe->readers) {
34592 + if (!atomic_read(&opipe->readers)) {
34593 send_sig(SIGPIPE, current, 0);
34599 - if (!ipipe->nrbufs && !ipipe->writers)
34600 + if (!ipipe->nrbufs && !atomic_read(&ipipe->writers))
34604 @@ -1949,7 +1949,7 @@ static int link_pipe(struct pipe_inode_i
34605 pipe_double_lock(ipipe, opipe);
34608 - if (!opipe->readers) {
34609 + if (!atomic_read(&opipe->readers)) {
34610 send_sig(SIGPIPE, current, 0);
34613 @@ -1994,7 +1994,7 @@ static int link_pipe(struct pipe_inode_i
34614 * return EAGAIN if we have the potential of some data in the
34615 * future, otherwise just return 0
34617 - if (!ret && ipipe->waiting_writers && (flags & SPLICE_F_NONBLOCK))
34618 + if (!ret && atomic_read(&ipipe->waiting_writers) && (flags & SPLICE_F_NONBLOCK))
34621 pipe_unlock(ipipe);
34622 diff -urNp linux-2.6.36.1/fs/sysfs/symlink.c linux-2.6.36.1/fs/sysfs/symlink.c
34623 --- linux-2.6.36.1/fs/sysfs/symlink.c 2010-10-20 16:30:22.000000000 -0400
34624 +++ linux-2.6.36.1/fs/sysfs/symlink.c 2010-11-06 18:58:15.000000000 -0400
34625 @@ -286,7 +286,7 @@ static void *sysfs_follow_link(struct de
34627 static void sysfs_put_link(struct dentry *dentry, struct nameidata *nd, void *cookie)
34629 - char *page = nd_get_link(nd);
34630 + const char *page = nd_get_link(nd);
34632 free_page((unsigned long)page);
34634 diff -urNp linux-2.6.36.1/fs/udf/misc.c linux-2.6.36.1/fs/udf/misc.c
34635 --- linux-2.6.36.1/fs/udf/misc.c 2010-10-20 16:30:22.000000000 -0400
34636 +++ linux-2.6.36.1/fs/udf/misc.c 2010-11-06 18:58:15.000000000 -0400
34637 @@ -142,8 +142,8 @@ struct genericFormat *udf_add_extendedat
34638 iinfo->i_lenEAttr += size;
34639 return (struct genericFormat *)&ea[offset];
34643 + if (loc & 0x02) {
34648 diff -urNp linux-2.6.36.1/fs/udf/udfdecl.h linux-2.6.36.1/fs/udf/udfdecl.h
34649 --- linux-2.6.36.1/fs/udf/udfdecl.h 2010-10-20 16:30:22.000000000 -0400
34650 +++ linux-2.6.36.1/fs/udf/udfdecl.h 2010-11-06 18:58:15.000000000 -0400
34651 @@ -26,7 +26,7 @@ do { \
34655 -#define udf_debug(f, a...) /**/
34656 +#define udf_debug(f, a...) do {} while (0)
34659 #define udf_info(f, a...) \
34660 diff -urNp linux-2.6.36.1/fs/utimes.c linux-2.6.36.1/fs/utimes.c
34661 --- linux-2.6.36.1/fs/utimes.c 2010-10-20 16:30:22.000000000 -0400
34662 +++ linux-2.6.36.1/fs/utimes.c 2010-11-06 18:58:50.000000000 -0400
34664 #include <linux/compiler.h>
34665 #include <linux/file.h>
34666 #include <linux/fs.h>
34667 +#include <linux/security.h>
34668 #include <linux/linkage.h>
34669 #include <linux/mount.h>
34670 #include <linux/namei.h>
34671 @@ -101,6 +102,12 @@ static int utimes_common(struct path *pa
34672 goto mnt_drop_write_and_out;
34676 + if (!gr_acl_handle_utime(path->dentry, path->mnt)) {
34678 + goto mnt_drop_write_and_out;
34681 mutex_lock(&inode->i_mutex);
34682 error = notify_change(path->dentry, &newattrs);
34683 mutex_unlock(&inode->i_mutex);
34684 diff -urNp linux-2.6.36.1/fs/xattr.c linux-2.6.36.1/fs/xattr.c
34685 --- linux-2.6.36.1/fs/xattr.c 2010-10-20 16:30:22.000000000 -0400
34686 +++ linux-2.6.36.1/fs/xattr.c 2010-11-28 09:39:04.000000000 -0500
34687 @@ -247,7 +247,7 @@ EXPORT_SYMBOL_GPL(vfs_removexattr);
34688 * Extended attribute SET operations
34691 -setxattr(struct dentry *d, const char __user *name, const void __user *value,
34692 +setxattr(struct path *path, const char __user *name, const void __user *value,
34693 size_t size, int flags)
34696 @@ -271,7 +271,12 @@ setxattr(struct dentry *d, const char __
34697 return PTR_ERR(kvalue);
34700 - error = vfs_setxattr(d, kname, kvalue, size, flags);
34702 + if (!gr_acl_handle_setxattr(path->dentry, path->mnt))
34706 + error = vfs_setxattr(path->dentry, kname, kvalue, size, flags);
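Review bot: `kvalue` is heap-allocated above (34697 returns PTR_ERR(kvalue) on failure), so the path taken when `gr_acl_handle_setxattr` at 34702 denies the operation must still release it; the lines that act on the denial (34703–34705) are elided here, and if they `return` directly instead of setting `error` and falling through to the existing kfree, the buffer leaks on every denied setxattr. Confirm against the full hunk that the denial sets `error` and continues to the kfree. The switch to a `struct path` parameter is applied consistently at the three call sites (34715, 34724, 34744).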
34710 @@ -288,7 +293,7 @@ SYSCALL_DEFINE5(setxattr, const char __u
34712 error = mnt_want_write(path.mnt);
34714 - error = setxattr(path.dentry, name, value, size, flags);
34715 + error = setxattr(&path, name, value, size, flags);
34716 mnt_drop_write(path.mnt);
34719 @@ -307,7 +312,7 @@ SYSCALL_DEFINE5(lsetxattr, const char __
34721 error = mnt_want_write(path.mnt);
34723 - error = setxattr(path.dentry, name, value, size, flags);
34724 + error = setxattr(&path, name, value, size, flags);
34725 mnt_drop_write(path.mnt);
34728 @@ -318,17 +323,15 @@ SYSCALL_DEFINE5(fsetxattr, int, fd, cons
34729 const void __user *,value, size_t, size, int, flags)
34732 - struct dentry *dentry;
34733 int error = -EBADF;
34738 - dentry = f->f_path.dentry;
34739 - audit_inode(NULL, dentry);
34740 + audit_inode(NULL, f->f_path.dentry);
34741 error = mnt_want_write_file(f);
34743 - error = setxattr(dentry, name, value, size, flags);
34744 + error = setxattr(&f->f_path, name, value, size, flags);
34745 mnt_drop_write(f->f_path.mnt);
34748 diff -urNp linux-2.6.36.1/fs/xfs/linux-2.6/xfs_ioctl.c linux-2.6.36.1/fs/xfs/linux-2.6/xfs_ioctl.c
34749 --- linux-2.6.36.1/fs/xfs/linux-2.6/xfs_ioctl.c 2010-10-20 16:30:22.000000000 -0400
34750 +++ linux-2.6.36.1/fs/xfs/linux-2.6/xfs_ioctl.c 2010-11-13 16:29:01.000000000 -0500
34751 @@ -127,7 +127,7 @@ xfs_find_handle(
34755 - if (copy_to_user(hreq->ohandle, &handle, hsize) ||
34756 + if (hsize > sizeof(handle) || copy_to_user(hreq->ohandle, &handle, hsize) ||
34757 copy_to_user(hreq->ohandlen, &hsize, sizeof(__s32)))
34760 @@ -416,7 +416,7 @@ xfs_attrlist_by_handle(
34761 if (IS_ERR(dentry))
34762 return PTR_ERR(dentry);
34764 - kbuf = kmalloc(al_hreq.buflen, GFP_KERNEL);
34765 + kbuf = kzalloc(al_hreq.buflen, GFP_KERNEL);
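Review bot: The switch from `kmalloc` to `kzalloc` carries no comment saying why zeroing matters on this line, and nothing in the hunk makes it obvious. The buffer is sized by the caller-supplied `al_hreq.buflen` and, as far as I can infer from the function's name, is filled partially and then copied back to userspace later in xfs_attrlist_by_handle (outside the hunk); without a note, a later "avoid the memset" change would silently reintroduce a disclosure of uninitialized heap bytes. Add `/* zeroed: the buffer is only partially filled before it is copied back to userspace */` above the allocation. The NULL check on kbuf is also outside the visible lines.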
34769 diff -urNp linux-2.6.36.1/fs/xfs/linux-2.6/xfs_iops.c linux-2.6.36.1/fs/xfs/linux-2.6/xfs_iops.c
34770 --- linux-2.6.36.1/fs/xfs/linux-2.6/xfs_iops.c 2010-10-20 16:30:22.000000000 -0400
34771 +++ linux-2.6.36.1/fs/xfs/linux-2.6/xfs_iops.c 2010-11-06 18:58:15.000000000 -0400
34772 @@ -472,7 +472,7 @@ xfs_vn_put_link(
34773 struct nameidata *nd,
34776 - char *s = nd_get_link(nd);
34777 + const char *s = nd_get_link(nd);
34781 diff -urNp linux-2.6.36.1/fs/xfs/xfs_bmap.c linux-2.6.36.1/fs/xfs/xfs_bmap.c
34782 --- linux-2.6.36.1/fs/xfs/xfs_bmap.c 2010-10-20 16:30:22.000000000 -0400
34783 +++ linux-2.6.36.1/fs/xfs/xfs_bmap.c 2010-11-06 18:58:15.000000000 -0400
34784 @@ -287,7 +287,7 @@ xfs_bmap_validate_ret(
34788 -#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap)
34789 +#define xfs_bmap_validate_ret(bno,len,flags,mval,onmap,nmap) do {} while (0)
34793 diff -urNp linux-2.6.36.1/grsecurity/gracl_alloc.c linux-2.6.36.1/grsecurity/gracl_alloc.c
34794 --- linux-2.6.36.1/grsecurity/gracl_alloc.c 1969-12-31 19:00:00.000000000 -0500
34795 +++ linux-2.6.36.1/grsecurity/gracl_alloc.c 2010-11-06 18:58:50.000000000 -0400
34797 +#include <linux/kernel.h>
34798 +#include <linux/mm.h>
34799 +#include <linux/slab.h>
34800 +#include <linux/vmalloc.h>
34801 +#include <linux/gracl.h>
34802 +#include <linux/grsecurity.h>
34804 +static unsigned long alloc_stack_next = 1;
34805 +static unsigned long alloc_stack_size = 1;
34806 +static void **alloc_stack;
34808 +static __inline__ int
34811 + if (alloc_stack_next == 1)
34814 + kfree(alloc_stack[alloc_stack_next - 2]);
34816 + alloc_stack_next--;
34821 +static __inline__ int
34822 +alloc_push(void *buf)
34824 + if (alloc_stack_next >= alloc_stack_size)
34827 + alloc_stack[alloc_stack_next - 1] = buf;
34829 + alloc_stack_next++;
34835 +acl_alloc(unsigned long len)
34837 + void *ret = NULL;
34839 + if (!len || len > PAGE_SIZE)
34842 + ret = kmalloc(len, GFP_KERNEL);
34845 + if (alloc_push(ret)) {
34856 +acl_alloc_num(unsigned long num, unsigned long len)
34858 + if (!len || (num > (PAGE_SIZE / len)))
34861 + return acl_alloc(num * len);
34865 +acl_free_all(void)
34867 + if (gr_acl_is_enabled() || !alloc_stack)
34870 + while (alloc_pop()) ;
34872 + if (alloc_stack) {
34873 + if ((alloc_stack_size * sizeof (void *)) <= PAGE_SIZE)
34874 + kfree(alloc_stack);
34876 + vfree(alloc_stack);
34879 + alloc_stack = NULL;
34880 + alloc_stack_size = 1;
34881 + alloc_stack_next = 1;
34887 +acl_alloc_stack_init(unsigned long size)
34889 + if ((size * sizeof (void *)) <= PAGE_SIZE)
34891 + (void **) kmalloc(size * sizeof (void *), GFP_KERNEL);
34893 + alloc_stack = (void **) vmalloc(size * sizeof (void *));
34895 + alloc_stack_size = size;
34897 + if (!alloc_stack)
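Review bot: acl_alloc_stack_init computes `size * sizeof (void *)` twice with no overflow check, whereas `create_table` in gracl.c guards the equivalent product with `table_sizes[pwr] > ULONG_MAX / elementsize`; the size here comes from `arg->role_db.num_pointers + 5` in init_variables, i.e. from a structure copied in from userspace. If that multiplication wraps, the allocation holds fewer than `alloc_stack_size` entries while alloc_push bounds its index only against `alloc_stack_size`, so the two would disagree about the buffer's extent. Add `if (!size || size > ULONG_MAX / sizeof (void *)) return 0;` at the top of the function, matching create_table's idiom (the return-value convention is inferred from the `if (!acl_alloc_stack_init(stacksize))` caller; the function's tail after the NULL check is not shown). The `(void **)` casts on kmalloc and vmalloc are unnecessary in C and can go.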
34902 diff -urNp linux-2.6.36.1/grsecurity/gracl.c linux-2.6.36.1/grsecurity/gracl.c
34903 --- linux-2.6.36.1/grsecurity/gracl.c 1969-12-31 19:00:00.000000000 -0500
34904 +++ linux-2.6.36.1/grsecurity/gracl.c 2010-11-26 18:18:12.000000000 -0500
34906 +#include <linux/kernel.h>
34907 +#include <linux/module.h>
34908 +#include <linux/sched.h>
34909 +#include <linux/mm.h>
34910 +#include <linux/file.h>
34911 +#include <linux/fs.h>
34912 +#include <linux/namei.h>
34913 +#include <linux/mount.h>
34914 +#include <linux/tty.h>
34915 +#include <linux/proc_fs.h>
34916 +#include <linux/smp_lock.h>
34917 +#include <linux/slab.h>
34918 +#include <linux/vmalloc.h>
34919 +#include <linux/types.h>
34920 +#include <linux/sysctl.h>
34921 +#include <linux/netdevice.h>
34922 +#include <linux/ptrace.h>
34923 +#include <linux/gracl.h>
34924 +#include <linux/gralloc.h>
34925 +#include <linux/grsecurity.h>
34926 +#include <linux/grinternal.h>
34927 +#include <linux/pid_namespace.h>
34928 +#include <linux/fdtable.h>
34929 +#include <linux/percpu.h>
34931 +#include <asm/uaccess.h>
34932 +#include <asm/errno.h>
34933 +#include <asm/mman.h>
34935 +static struct acl_role_db acl_role_set;
34936 +static struct name_db name_set;
34937 +static struct inodev_db inodev_set;
34939 +/* for keeping track of userspace pointers used for subjects, so we
34940 + can share references in the kernel as well
34943 +static struct path real_root;
34945 +static struct acl_subj_map_db subj_map_set;
34947 +static struct acl_role_label *default_role;
34949 +static struct acl_role_label *role_list;
34951 +static u16 acl_sp_role_value;
34953 +extern char *gr_shared_page[4];
34954 +static DECLARE_MUTEX(gr_dev_sem);
34955 +DEFINE_RWLOCK(gr_inode_lock);
34957 +struct gr_arg *gr_usermode;
34959 +static unsigned int gr_status __read_only = GR_STATUS_INIT;
34961 +extern int chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum);
34962 +extern void gr_clear_learn_entries(void);
34964 +#ifdef CONFIG_GRKERNSEC_RESLOG
34965 +extern void gr_log_resource(const struct task_struct *task,
34966 + const int res, const unsigned long wanted, const int gt);
34969 +unsigned char *gr_system_salt;
34970 +unsigned char *gr_system_sum;
34972 +static struct sprole_pw **acl_special_roles = NULL;
34973 +static __u16 num_sprole_pws = 0;
34975 +static struct acl_role_label *kernel_role = NULL;
34977 +static unsigned int gr_auth_attempts = 0;
34978 +static unsigned long gr_auth_expires = 0UL;
34980 +extern struct vfsmount *sock_mnt;
34981 +extern struct vfsmount *pipe_mnt;
34982 +extern struct vfsmount *shm_mnt;
34983 +#ifdef CONFIG_HUGETLBFS
34984 +extern struct vfsmount *hugetlbfs_vfsmount;
34987 +static struct acl_object_label *fakefs_obj;
34989 +extern int gr_init_uidset(void);
34990 +extern void gr_free_uidset(void);
34991 +extern void gr_remove_uid(uid_t uid);
34992 +extern int gr_find_uid(uid_t uid);
34994 +extern spinlock_t vfsmount_lock;
34997 +gr_acl_is_enabled(void)
34999 + return (gr_status & GR_READY);
35002 +static char gr_task_roletype_to_char(struct task_struct *task)
35004 + switch (task->role->roletype &
35005 + (GR_ROLE_DEFAULT | GR_ROLE_USER | GR_ROLE_GROUP |
35006 + GR_ROLE_SPECIAL)) {
35007 + case GR_ROLE_DEFAULT:
35009 + case GR_ROLE_USER:
35011 + case GR_ROLE_GROUP:
35013 + case GR_ROLE_SPECIAL:
35020 +char gr_roletype_to_char(void)
35022 + return gr_task_roletype_to_char(current);
35026 +gr_acl_tpe_check(void)
35028 + if (unlikely(!(gr_status & GR_READY)))
35030 + if (current->role->roletype & GR_ROLE_TPE)
35037 +gr_handle_rawio(const struct inode *inode)
35039 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
35040 + if (inode && S_ISBLK(inode->i_mode) &&
35041 + grsec_enable_chroot_caps && proc_is_chrooted(current) &&
35042 + !capable(CAP_SYS_RAWIO))
35049 +gr_streq(const char *a, const char *b, const unsigned int lena, const unsigned int lenb)
35051 + if (likely(lena != lenb))
35054 + return !memcmp(a, b, lena);
35058 +gen_full_path(struct path *path, struct path *root, char *buf, int buflen)
35062 + retval = __d_path(path, root, buf, buflen);
35063 + if (unlikely(IS_ERR(retval)))
35064 + retval = strcpy(buf, "<path too long>");
35065 + else if (unlikely(retval[1] == '/' && retval[2] == '\0'))
35066 + retval[1] = '\0';
35072 +__d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35073 + char *buf, int buflen)
35075 + struct path path;
35078 + path.dentry = (struct dentry *)dentry;
35079 + path.mnt = (struct vfsmount *)vfsmnt;
35081 + /* we can use real_root.dentry, real_root.mnt, because this is only called
35082 + by the RBAC system */
35083 + res = gen_full_path(&path, &real_root, buf, buflen);
35089 +d_real_path(const struct dentry *dentry, const struct vfsmount *vfsmnt,
35090 + char *buf, int buflen)
35093 + struct path path;
35094 + struct path root;
35095 + struct task_struct *reaper = &init_task;
35097 + path.dentry = (struct dentry *)dentry;
35098 + path.mnt = (struct vfsmount *)vfsmnt;
35100 + /* we can't use real_root.dentry, real_root.mnt, because they belong only to the RBAC system */
35101 + get_fs_root(reaper->fs, &root);
35103 + spin_lock(&dcache_lock);
35104 + res = gen_full_path(&path, &root, buf, buflen);
35105 + spin_unlock(&dcache_lock);
35112 +gr_to_filename_rbac(const struct dentry *dentry, const struct vfsmount *mnt)
35115 + spin_lock(&dcache_lock);
35116 + ret = __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35118 + spin_unlock(&dcache_lock);
35123 +gr_to_filename_nolock(const struct dentry *dentry, const struct vfsmount *mnt)
35125 + return __d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0],smp_processor_id()),
35130 +gr_to_filename(const struct dentry *dentry, const struct vfsmount *mnt)
35132 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
35137 +gr_to_filename1(const struct dentry *dentry, const struct vfsmount *mnt)
35139 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[1], smp_processor_id()),
35144 +gr_to_filename2(const struct dentry *dentry, const struct vfsmount *mnt)
35146 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[2], smp_processor_id()),
35151 +gr_to_filename3(const struct dentry *dentry, const struct vfsmount *mnt)
35153 + return d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[3], smp_processor_id()),
35158 +to_gr_audit(const __u32 reqmode)
35160 + /* masks off auditable permission flags, then shifts them to create
35161 + auditing flags, and adds the special case of append auditing if
35162 + we're requesting write */
35163 + return (((reqmode & ~GR_AUDITS) << 10) | ((reqmode & GR_WRITE) ? GR_AUDIT_APPEND : 0));
35166 +struct acl_subject_label *
35167 +lookup_subject_map(const struct acl_subject_label *userp)
35169 + unsigned int index = shash(userp, subj_map_set.s_size);
35170 + struct subject_map *match;
35172 + match = subj_map_set.s_hash[index];
35174 + while (match && match->user != userp)
35175 + match = match->next;
35177 + if (match != NULL)
35178 + return match->kernel;
35184 +insert_subj_map_entry(struct subject_map *subjmap)
35186 + unsigned int index = shash(subjmap->user, subj_map_set.s_size);
35187 + struct subject_map **curr;
35189 + subjmap->prev = NULL;
35191 + curr = &subj_map_set.s_hash[index];
35192 + if (*curr != NULL)
35193 + (*curr)->prev = subjmap;
35195 + subjmap->next = *curr;
35201 +static struct acl_role_label *
35202 +lookup_acl_role_label(const struct task_struct *task, const uid_t uid,
35205 + unsigned int index = rhash(uid, GR_ROLE_USER, acl_role_set.r_size);
35206 + struct acl_role_label *match;
35207 + struct role_allowed_ip *ipp;
35209 + u32 curr_ip = task->signal->curr_ip;
35211 + task->signal->saved_ip = curr_ip;
35213 + match = acl_role_set.r_hash[index];
35216 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_USER)) == (GR_ROLE_DOMAIN | GR_ROLE_USER)) {
35217 + for (x = 0; x < match->domain_child_num; x++) {
35218 + if (match->domain_children[x] == uid)
35221 + } else if (match->uidgid == uid && match->roletype & GR_ROLE_USER)
35223 + match = match->next;
35226 + if (match == NULL) {
35228 + index = rhash(gid, GR_ROLE_GROUP, acl_role_set.r_size);
35229 + match = acl_role_set.r_hash[index];
35232 + if ((match->roletype & (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) == (GR_ROLE_DOMAIN | GR_ROLE_GROUP)) {
35233 + for (x = 0; x < match->domain_child_num; x++) {
35234 + if (match->domain_children[x] == gid)
35237 + } else if (match->uidgid == gid && match->roletype & GR_ROLE_GROUP)
35239 + match = match->next;
35242 + if (match == NULL)
35243 + match = default_role;
35244 + if (match->allowed_ips == NULL)
35247 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35249 + ((ntohl(curr_ip) & ipp->netmask) ==
35250 + (ntohl(ipp->addr) & ipp->netmask)))
35253 + match = default_role;
35255 + } else if (match->allowed_ips == NULL) {
35258 + for (ipp = match->allowed_ips; ipp; ipp = ipp->next) {
35260 + ((ntohl(curr_ip) & ipp->netmask) ==
35261 + (ntohl(ipp->addr) & ipp->netmask)))
35270 +struct acl_subject_label *
35271 +lookup_acl_subj_label(const ino_t ino, const dev_t dev,
35272 + const struct acl_role_label *role)
35274 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35275 + struct acl_subject_label *match;
35277 + match = role->subj_hash[index];
35279 + while (match && (match->inode != ino || match->device != dev ||
35280 + (match->mode & GR_DELETED))) {
35281 + match = match->next;
35284 + if (match && !(match->mode & GR_DELETED))
35290 +struct acl_subject_label *
35291 +lookup_acl_subj_label_deleted(const ino_t ino, const dev_t dev,
35292 + const struct acl_role_label *role)
35294 + unsigned int index = fhash(ino, dev, role->subj_hash_size);
35295 + struct acl_subject_label *match;
35297 + match = role->subj_hash[index];
35299 + while (match && (match->inode != ino || match->device != dev ||
35300 + !(match->mode & GR_DELETED))) {
35301 + match = match->next;
35304 + if (match && (match->mode & GR_DELETED))
35310 +static struct acl_object_label *
35311 +lookup_acl_obj_label(const ino_t ino, const dev_t dev,
35312 + const struct acl_subject_label *subj)
35314 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35315 + struct acl_object_label *match;
35317 + match = subj->obj_hash[index];
35319 + while (match && (match->inode != ino || match->device != dev ||
35320 + (match->mode & GR_DELETED))) {
35321 + match = match->next;
35324 + if (match && !(match->mode & GR_DELETED))
35330 +static struct acl_object_label *
35331 +lookup_acl_obj_label_create(const ino_t ino, const dev_t dev,
35332 + const struct acl_subject_label *subj)
35334 + unsigned int index = fhash(ino, dev, subj->obj_hash_size);
35335 + struct acl_object_label *match;
35337 + match = subj->obj_hash[index];
35339 + while (match && (match->inode != ino || match->device != dev ||
35340 + !(match->mode & GR_DELETED))) {
35341 + match = match->next;
35344 + if (match && (match->mode & GR_DELETED))
35347 + match = subj->obj_hash[index];
35349 + while (match && (match->inode != ino || match->device != dev ||
35350 + (match->mode & GR_DELETED))) {
35351 + match = match->next;
35354 + if (match && !(match->mode & GR_DELETED))
35360 +static struct name_entry *
35361 +lookup_name_entry(const char *name)
35363 + unsigned int len = strlen(name);
35364 + unsigned int key = full_name_hash(name, len);
35365 + unsigned int index = key % name_set.n_size;
35366 + struct name_entry *match;
35368 + match = name_set.n_hash[index];
35370 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len)))
35371 + match = match->next;
35376 +static struct name_entry *
35377 +lookup_name_entry_create(const char *name)
35379 + unsigned int len = strlen(name);
35380 + unsigned int key = full_name_hash(name, len);
35381 + unsigned int index = key % name_set.n_size;
35382 + struct name_entry *match;
35384 + match = name_set.n_hash[index];
35386 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35387 + !match->deleted))
35388 + match = match->next;
35390 + if (match && match->deleted)
35393 + match = name_set.n_hash[index];
35395 + while (match && (match->key != key || !gr_streq(match->name, name, match->len, len) ||
35397 + match = match->next;
35399 + if (match && !match->deleted)
35405 +static struct inodev_entry *
35406 +lookup_inodev_entry(const ino_t ino, const dev_t dev)
35408 + unsigned int index = fhash(ino, dev, inodev_set.i_size);
35409 + struct inodev_entry *match;
35411 + match = inodev_set.i_hash[index];
35413 + while (match && (match->nentry->inode != ino || match->nentry->device != dev))
35414 + match = match->next;
35420 +insert_inodev_entry(struct inodev_entry *entry)
35422 + unsigned int index = fhash(entry->nentry->inode, entry->nentry->device,
35423 + inodev_set.i_size);
35424 + struct inodev_entry **curr;
35426 + entry->prev = NULL;
35428 + curr = &inodev_set.i_hash[index];
35429 + if (*curr != NULL)
35430 + (*curr)->prev = entry;
35432 + entry->next = *curr;
35439 +__insert_acl_role_label(struct acl_role_label *role, uid_t uidgid)
35441 + unsigned int index =
35442 + rhash(uidgid, role->roletype & (GR_ROLE_USER | GR_ROLE_GROUP), acl_role_set.r_size);
35443 + struct acl_role_label **curr;
35444 + struct acl_role_label *tmp;
35446 + curr = &acl_role_set.r_hash[index];
35448 + /* if role was already inserted due to domains and already has
35449 + a role in the same bucket as it attached, then we need to
35450 + combine these two buckets
35452 + if (role->next) {
35453 + tmp = role->next;
35454 + while (tmp->next)
35456 + tmp->next = *curr;
35458 + role->next = *curr;
35465 +insert_acl_role_label(struct acl_role_label *role)
35469 + if (role_list == NULL) {
35470 + role_list = role;
35471 + role->prev = NULL;
35473 + role->prev = role_list;
35474 + role_list = role;
35477 + /* used for hash chains */
35478 + role->next = NULL;
35480 + if (role->roletype & GR_ROLE_DOMAIN) {
35481 + for (i = 0; i < role->domain_child_num; i++)
35482 + __insert_acl_role_label(role, role->domain_children[i]);
35484 + __insert_acl_role_label(role, role->uidgid);
35488 +insert_name_entry(char *name, const ino_t inode, const dev_t device, __u8 deleted)
35490 + struct name_entry **curr, *nentry;
35491 + struct inodev_entry *ientry;
35492 + unsigned int len = strlen(name);
35493 + unsigned int key = full_name_hash(name, len);
35494 + unsigned int index = key % name_set.n_size;
35496 + curr = &name_set.n_hash[index];
35498 + while (*curr && ((*curr)->key != key || !gr_streq((*curr)->name, name, (*curr)->len, len)))
35499 + curr = &((*curr)->next);
35501 + if (*curr != NULL)
35504 + nentry = acl_alloc(sizeof (struct name_entry));
35505 + if (nentry == NULL)
35507 + ientry = acl_alloc(sizeof (struct inodev_entry));
35508 + if (ientry == NULL)
35510 + ientry->nentry = nentry;
35512 + nentry->key = key;
35513 + nentry->name = name;
35514 + nentry->inode = inode;
35515 + nentry->device = device;
35516 + nentry->len = len;
35517 + nentry->deleted = deleted;
35519 + nentry->prev = NULL;
35520 + curr = &name_set.n_hash[index];
35521 + if (*curr != NULL)
35522 + (*curr)->prev = nentry;
35523 + nentry->next = *curr;
35526 + /* insert us into the table searchable by inode/dev */
35527 + insert_inodev_entry(ientry);
35533 +insert_acl_obj_label(struct acl_object_label *obj,
35534 + struct acl_subject_label *subj)
35536 + unsigned int index =
35537 + fhash(obj->inode, obj->device, subj->obj_hash_size);
35538 + struct acl_object_label **curr;
35541 + obj->prev = NULL;
35543 + curr = &subj->obj_hash[index];
35544 + if (*curr != NULL)
35545 + (*curr)->prev = obj;
35547 + obj->next = *curr;
35554 +insert_acl_subj_label(struct acl_subject_label *obj,
35555 + struct acl_role_label *role)
35557 + unsigned int index = fhash(obj->inode, obj->device, role->subj_hash_size);
35558 + struct acl_subject_label **curr;
35560 + obj->prev = NULL;
35562 + curr = &role->subj_hash[index];
35563 + if (*curr != NULL)
35564 + (*curr)->prev = obj;
35566 + obj->next = *curr;
35572 +/* allocating chained hash tables, so optimal size is where lambda ~ 1 */
35575 +create_table(__u32 * len, int elementsize)
35577 + unsigned int table_sizes[] = {
35578 + 7, 13, 31, 61, 127, 251, 509, 1021, 2039, 4093, 8191, 16381,
35579 + 32749, 65521, 131071, 262139, 524287, 1048573, 2097143,
35580 + 4194301, 8388593, 16777213, 33554393, 67108859
35582 + void *newtable = NULL;
35583 + unsigned int pwr = 0;
35585 + while ((pwr < ((sizeof (table_sizes) / sizeof (table_sizes[0])) - 1)) &&
35586 + table_sizes[pwr] <= *len)
35589 + if (table_sizes[pwr] <= *len || (table_sizes[pwr] > ULONG_MAX / elementsize))
35592 + if ((table_sizes[pwr] * elementsize) <= PAGE_SIZE)
35594 + kmalloc(table_sizes[pwr] * elementsize, GFP_KERNEL);
35596 + newtable = vmalloc(table_sizes[pwr] * elementsize);
35598 + *len = table_sizes[pwr];
35604 +init_variables(const struct gr_arg *arg)
35606 + struct task_struct *reaper = &init_task;
35607 + unsigned int stacksize;
35609 + subj_map_set.s_size = arg->role_db.num_subjects;
35610 + acl_role_set.r_size = arg->role_db.num_roles + arg->role_db.num_domain_children;
35611 + name_set.n_size = arg->role_db.num_objects;
35612 + inodev_set.i_size = arg->role_db.num_objects;
35614 + if (!subj_map_set.s_size || !acl_role_set.r_size ||
35615 + !name_set.n_size || !inodev_set.i_size)
35618 + if (!gr_init_uidset())
35621 + /* set up the stack that holds allocation info */
35623 + stacksize = arg->role_db.num_pointers + 5;
35625 + if (!acl_alloc_stack_init(stacksize))
35628 + /* grab reference for the real root dentry and vfsmount */
35629 + get_fs_root(reaper->fs, &real_root);
35631 + fakefs_obj = acl_alloc(sizeof(struct acl_object_label));
35632 + if (fakefs_obj == NULL)
35634 + fakefs_obj->mode = GR_FIND | GR_READ | GR_WRITE | GR_EXEC;
35636 + subj_map_set.s_hash =
35637 + (struct subject_map **) create_table(&subj_map_set.s_size, sizeof(void *));
35638 + acl_role_set.r_hash =
35639 + (struct acl_role_label **) create_table(&acl_role_set.r_size, sizeof(void *));
35640 + name_set.n_hash = (struct name_entry **) create_table(&name_set.n_size, sizeof(void *));
35641 + inodev_set.i_hash =
35642 + (struct inodev_entry **) create_table(&inodev_set.i_size, sizeof(void *));
35644 + if (!subj_map_set.s_hash || !acl_role_set.r_hash ||
35645 + !name_set.n_hash || !inodev_set.i_hash)
35648 + memset(subj_map_set.s_hash, 0,
35649 + sizeof(struct subject_map *) * subj_map_set.s_size);
35650 + memset(acl_role_set.r_hash, 0,
35651 + sizeof (struct acl_role_label *) * acl_role_set.r_size);
35652 + memset(name_set.n_hash, 0,
35653 + sizeof (struct name_entry *) * name_set.n_size);
35654 + memset(inodev_set.i_hash, 0,
35655 + sizeof (struct inodev_entry *) * inodev_set.i_size);
35660 +/* free information not needed after startup
35661 + currently contains user->kernel pointer mappings for subjects
35665 +free_init_variables(void)
35669 + if (subj_map_set.s_hash) {
35670 + for (i = 0; i < subj_map_set.s_size; i++) {
35671 + if (subj_map_set.s_hash[i]) {
35672 + kfree(subj_map_set.s_hash[i]);
35673 + subj_map_set.s_hash[i] = NULL;
35677 + if ((subj_map_set.s_size * sizeof (struct subject_map *)) <=
35679 + kfree(subj_map_set.s_hash);
35681 + vfree(subj_map_set.s_hash);
35688 +free_variables(void)
35690 + struct acl_subject_label *s;
35691 + struct acl_role_label *r;
35692 + struct task_struct *task, *task2;
35695 + gr_clear_learn_entries();
35697 + read_lock(&tasklist_lock);
35698 + do_each_thread(task2, task) {
35699 + task->acl_sp_role = 0;
35700 + task->acl_role_id = 0;
35701 + task->acl = NULL;
35702 + task->role = NULL;
35703 + } while_each_thread(task2, task);
35704 + read_unlock(&tasklist_lock);
35706 + /* release the reference to the real root dentry and vfsmount */
35707 + path_put(&real_root);
35709 + /* free all object hash tables */
35711 + FOR_EACH_ROLE_START(r)
35712 + if (r->subj_hash == NULL)
35714 + FOR_EACH_SUBJECT_START(r, s, x)
35715 + if (s->obj_hash == NULL)
35717 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35718 + kfree(s->obj_hash);
35720 + vfree(s->obj_hash);
35721 + FOR_EACH_SUBJECT_END(s, x)
35722 + FOR_EACH_NESTED_SUBJECT_START(r, s)
35723 + if (s->obj_hash == NULL)
35725 + if ((s->obj_hash_size * sizeof (struct acl_object_label *)) <= PAGE_SIZE)
35726 + kfree(s->obj_hash);
35728 + vfree(s->obj_hash);
35729 + FOR_EACH_NESTED_SUBJECT_END(s)
35730 + if ((r->subj_hash_size * sizeof (struct acl_subject_label *)) <= PAGE_SIZE)
35731 + kfree(r->subj_hash);
35733 + vfree(r->subj_hash);
35734 + r->subj_hash = NULL;
35736 + FOR_EACH_ROLE_END(r)
35740 + if (acl_role_set.r_hash) {
35741 + if ((acl_role_set.r_size * sizeof (struct acl_role_label *)) <=
35743 + kfree(acl_role_set.r_hash);
35745 + vfree(acl_role_set.r_hash);
35747 + if (name_set.n_hash) {
35748 + if ((name_set.n_size * sizeof (struct name_entry *)) <=
35750 + kfree(name_set.n_hash);
35752 + vfree(name_set.n_hash);
35755 + if (inodev_set.i_hash) {
35756 + if ((inodev_set.i_size * sizeof (struct inodev_entry *)) <=
35758 + kfree(inodev_set.i_hash);
35760 + vfree(inodev_set.i_hash);
35763 + gr_free_uidset();
35765 + memset(&name_set, 0, sizeof (struct name_db));
35766 + memset(&inodev_set, 0, sizeof (struct inodev_db));
35767 + memset(&acl_role_set, 0, sizeof (struct acl_role_db));
35768 + memset(&subj_map_set, 0, sizeof (struct acl_subj_map_db));
35770 + default_role = NULL;
35771 + role_list = NULL;
35777 +count_user_objs(struct acl_object_label *userp)
35779 + struct acl_object_label o_tmp;
35783 + if (copy_from_user(&o_tmp, userp,
35784 + sizeof (struct acl_object_label)))
35787 + userp = o_tmp.prev;
35794 +static struct acl_subject_label *
35795 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role);
35798 +copy_user_glob(struct acl_object_label *obj)
35800 + struct acl_object_label *g_tmp, **guser;
35801 + unsigned int len;
35804 + if (obj->globbed == NULL)
35807 + guser = &obj->globbed;
35809 + g_tmp = (struct acl_object_label *)
35810 + acl_alloc(sizeof (struct acl_object_label));
35811 + if (g_tmp == NULL)
35814 + if (copy_from_user(g_tmp, *guser,
35815 + sizeof (struct acl_object_label)))
35818 + len = strnlen_user(g_tmp->filename, PATH_MAX);
35820 + if (!len || len >= PATH_MAX)
35823 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35826 + if (copy_from_user(tmp, g_tmp->filename, len))
35828 + tmp[len-1] = '\0';
35829 + g_tmp->filename = tmp;
35832 + guser = &(g_tmp->next);
35839 +copy_user_objs(struct acl_object_label *userp, struct acl_subject_label *subj,
35840 + struct acl_role_label *role)
35842 + struct acl_object_label *o_tmp;
35843 + unsigned int len;
35848 + if ((o_tmp = (struct acl_object_label *)
35849 + acl_alloc(sizeof (struct acl_object_label))) == NULL)
35852 + if (copy_from_user(o_tmp, userp,
35853 + sizeof (struct acl_object_label)))
35856 + userp = o_tmp->prev;
35858 + len = strnlen_user(o_tmp->filename, PATH_MAX);
35860 + if (!len || len >= PATH_MAX)
35863 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35866 + if (copy_from_user(tmp, o_tmp->filename, len))
35868 + tmp[len-1] = '\0';
35869 + o_tmp->filename = tmp;
35871 + insert_acl_obj_label(o_tmp, subj);
35872 + if (!insert_name_entry(o_tmp->filename, o_tmp->inode,
35873 + o_tmp->device, (o_tmp->mode & GR_DELETED) ? 1 : 0))
35876 + ret = copy_user_glob(o_tmp);
35880 + if (o_tmp->nested) {
35881 + o_tmp->nested = do_copy_user_subj(o_tmp->nested, role);
35882 + if (IS_ERR(o_tmp->nested))
35883 + return PTR_ERR(o_tmp->nested);
35885 + /* insert into nested subject list */
35886 + o_tmp->nested->next = role->hash->first;
35887 + role->hash->first = o_tmp->nested;
35895 +count_user_subjs(struct acl_subject_label *userp)
35897 + struct acl_subject_label s_tmp;
35901 + if (copy_from_user(&s_tmp, userp,
35902 + sizeof (struct acl_subject_label)))
35905 + userp = s_tmp.prev;
35906 + /* do not count nested subjects against this count, since
35907 + they are not included in the hash table, but are
35908 + attached to objects. We have already counted
35909 + the subjects in userspace for the allocation
35912 + if (!(s_tmp.mode & GR_NESTED))
35920 +copy_user_allowedips(struct acl_role_label *rolep)
35922 + struct role_allowed_ip *ruserip, *rtmp = NULL, *rlast;
35924 + ruserip = rolep->allowed_ips;
35926 + while (ruserip) {
35929 + if ((rtmp = (struct role_allowed_ip *)
35930 + acl_alloc(sizeof (struct role_allowed_ip))) == NULL)
35933 + if (copy_from_user(rtmp, ruserip,
35934 + sizeof (struct role_allowed_ip)))
35937 + ruserip = rtmp->prev;
35940 + rtmp->prev = NULL;
35941 + rolep->allowed_ips = rtmp;
35943 + rlast->next = rtmp;
35944 + rtmp->prev = rlast;
35948 + rtmp->next = NULL;
35955 +copy_user_transitions(struct acl_role_label *rolep)
35957 + struct role_transition *rusertp, *rtmp = NULL, *rlast;
35959 + unsigned int len;
35962 + rusertp = rolep->transitions;
35964 + while (rusertp) {
35967 + if ((rtmp = (struct role_transition *)
35968 + acl_alloc(sizeof (struct role_transition))) == NULL)
35971 + if (copy_from_user(rtmp, rusertp,
35972 + sizeof (struct role_transition)))
35975 + rusertp = rtmp->prev;
35977 + len = strnlen_user(rtmp->rolename, GR_SPROLE_LEN);
35979 + if (!len || len >= GR_SPROLE_LEN)
35982 + if ((tmp = (char *) acl_alloc(len)) == NULL)
35985 + if (copy_from_user(tmp, rtmp->rolename, len))
35987 + tmp[len-1] = '\0';
35988 + rtmp->rolename = tmp;
35991 + rtmp->prev = NULL;
35992 + rolep->transitions = rtmp;
35994 + rlast->next = rtmp;
35995 + rtmp->prev = rlast;
35999 + rtmp->next = NULL;
36005 +static struct acl_subject_label *
36006 +do_copy_user_subj(struct acl_subject_label *userp, struct acl_role_label *role)
36008 + struct acl_subject_label *s_tmp = NULL, *s_tmp2;
36009 + unsigned int len;
36012 + struct acl_ip_label **i_tmp, *i_utmp2;
36013 + struct gr_hash_struct ghash;
36014 + struct subject_map *subjmap;
36015 + unsigned int i_num;
36018 + s_tmp = lookup_subject_map(userp);
36020 + /* we've already copied this subject into the kernel, just return
36021 + the reference to it, and don't copy it over again
36026 + if ((s_tmp = (struct acl_subject_label *)
36027 + acl_alloc(sizeof (struct acl_subject_label))) == NULL)
36028 + return ERR_PTR(-ENOMEM);
36030 + subjmap = (struct subject_map *)kmalloc(sizeof (struct subject_map), GFP_KERNEL);
36031 + if (subjmap == NULL)
36032 + return ERR_PTR(-ENOMEM);
36034 + subjmap->user = userp;
36035 + subjmap->kernel = s_tmp;
36036 + insert_subj_map_entry(subjmap);
36038 + if (copy_from_user(s_tmp, userp,
36039 + sizeof (struct acl_subject_label)))
36040 + return ERR_PTR(-EFAULT);
36042 + len = strnlen_user(s_tmp->filename, PATH_MAX);
36044 + if (!len || len >= PATH_MAX)
36045 + return ERR_PTR(-EINVAL);
36047 + if ((tmp = (char *) acl_alloc(len)) == NULL)
36048 + return ERR_PTR(-ENOMEM);
36050 + if (copy_from_user(tmp, s_tmp->filename, len))
36051 + return ERR_PTR(-EFAULT);
36052 + tmp[len-1] = '\0';
36053 + s_tmp->filename = tmp;
36055 + if (!strcmp(s_tmp->filename, "/"))
36056 + role->root_label = s_tmp;
36058 + if (copy_from_user(&ghash, s_tmp->hash, sizeof(struct gr_hash_struct)))
36059 + return ERR_PTR(-EFAULT);
36061 + /* copy user and group transition tables */
36063 + if (s_tmp->user_trans_num) {
36066 + uidlist = (uid_t *)acl_alloc_num(s_tmp->user_trans_num, sizeof(uid_t));
36067 + if (uidlist == NULL)
36068 + return ERR_PTR(-ENOMEM);
36069 + if (copy_from_user(uidlist, s_tmp->user_transitions, s_tmp->user_trans_num * sizeof(uid_t)))
36070 + return ERR_PTR(-EFAULT);
36072 + s_tmp->user_transitions = uidlist;
36075 + if (s_tmp->group_trans_num) {
36078 + gidlist = (gid_t *)acl_alloc_num(s_tmp->group_trans_num, sizeof(gid_t));
36079 + if (gidlist == NULL)
36080 + return ERR_PTR(-ENOMEM);
36081 + if (copy_from_user(gidlist, s_tmp->group_transitions, s_tmp->group_trans_num * sizeof(gid_t)))
36082 + return ERR_PTR(-EFAULT);
36084 + s_tmp->group_transitions = gidlist;
36087 + /* set up object hash table */
36088 + num_objs = count_user_objs(ghash.first);
36090 + s_tmp->obj_hash_size = num_objs;
36091 + s_tmp->obj_hash =
36092 + (struct acl_object_label **)
36093 + create_table(&(s_tmp->obj_hash_size), sizeof(void *));
36095 + if (!s_tmp->obj_hash)
36096 + return ERR_PTR(-ENOMEM);
36098 + memset(s_tmp->obj_hash, 0,
36099 + s_tmp->obj_hash_size *
36100 + sizeof (struct acl_object_label *));
36102 + /* add in objects */
36103 + err = copy_user_objs(ghash.first, s_tmp, role);
36106 + return ERR_PTR(err);
36108 + /* set pointer for parent subject */
36109 + if (s_tmp->parent_subject) {
36110 + s_tmp2 = do_copy_user_subj(s_tmp->parent_subject, role);
36112 + if (IS_ERR(s_tmp2))
36115 + s_tmp->parent_subject = s_tmp2;
36118 + /* add in ip acls */
36120 + if (!s_tmp->ip_num) {
36121 + s_tmp->ips = NULL;
36126 + (struct acl_ip_label **) acl_alloc_num(s_tmp->ip_num,
36127 + sizeof (struct acl_ip_label *));
36130 + return ERR_PTR(-ENOMEM);
36132 + for (i_num = 0; i_num < s_tmp->ip_num; i_num++) {
36133 + *(i_tmp + i_num) =
36134 + (struct acl_ip_label *)
36135 + acl_alloc(sizeof (struct acl_ip_label));
36136 + if (!*(i_tmp + i_num))
36137 + return ERR_PTR(-ENOMEM);
36139 + if (copy_from_user
36140 + (&i_utmp2, s_tmp->ips + i_num,
36141 + sizeof (struct acl_ip_label *)))
36142 + return ERR_PTR(-EFAULT);
36144 + if (copy_from_user
36145 + (*(i_tmp + i_num), i_utmp2,
36146 + sizeof (struct acl_ip_label)))
36147 + return ERR_PTR(-EFAULT);
36149 + if ((*(i_tmp + i_num))->iface == NULL)
36152 + len = strnlen_user((*(i_tmp + i_num))->iface, IFNAMSIZ);
36153 + if (!len || len >= IFNAMSIZ)
36154 + return ERR_PTR(-EINVAL);
36155 + tmp = acl_alloc(len);
36157 + return ERR_PTR(-ENOMEM);
36158 + if (copy_from_user(tmp, (*(i_tmp + i_num))->iface, len))
36159 + return ERR_PTR(-EFAULT);
36160 + (*(i_tmp + i_num))->iface = tmp;
36163 + s_tmp->ips = i_tmp;
36166 + if (!insert_name_entry(s_tmp->filename, s_tmp->inode,
36167 + s_tmp->device, (s_tmp->mode & GR_DELETED) ? 1 : 0))
36168 + return ERR_PTR(-ENOMEM);
36174 +copy_user_subjs(struct acl_subject_label *userp, struct acl_role_label *role)
36176 + struct acl_subject_label s_pre;
36177 + struct acl_subject_label * ret;
36181 + if (copy_from_user(&s_pre, userp,
36182 + sizeof (struct acl_subject_label)))
36185 + /* do not add nested subjects here, add
36186 + while parsing objects
36189 + if (s_pre.mode & GR_NESTED) {
36190 + userp = s_pre.prev;
36194 + ret = do_copy_user_subj(userp, role);
36196 + err = PTR_ERR(ret);
36200 + insert_acl_subj_label(ret, role);
36202 + userp = s_pre.prev;
36209 +copy_user_acl(struct gr_arg *arg)
36211 + struct acl_role_label *r_tmp = NULL, **r_utmp, *r_utmp2;
36212 + struct sprole_pw *sptmp;
36213 + struct gr_hash_struct *ghash;
36214 + uid_t *domainlist;
36215 + unsigned int r_num;
36216 + unsigned int len;
36222 + /* we need a default and kernel role */
36223 + if (arg->role_db.num_roles < 2)
36226 + /* copy special role authentication info from userspace */
36228 + num_sprole_pws = arg->num_sprole_pws;
36229 + acl_special_roles = (struct sprole_pw **) acl_alloc_num(num_sprole_pws, sizeof(struct sprole_pw *));
36231 + if (!acl_special_roles) {
36236 + for (i = 0; i < num_sprole_pws; i++) {
36237 + sptmp = (struct sprole_pw *) acl_alloc(sizeof(struct sprole_pw));
36242 + if (copy_from_user(sptmp, arg->sprole_pws + i,
36243 + sizeof (struct sprole_pw))) {
36249 + strnlen_user(sptmp->rolename, GR_SPROLE_LEN);
36251 + if (!len || len >= GR_SPROLE_LEN) {
36256 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36261 + if (copy_from_user(tmp, sptmp->rolename, len)) {
36265 + tmp[len-1] = '\0';
36266 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
36267 + printk(KERN_ALERT "Copying special role %s\n", tmp);
36269 + sptmp->rolename = tmp;
36270 + acl_special_roles[i] = sptmp;
36273 + r_utmp = (struct acl_role_label **) arg->role_db.r_table;
36275 + for (r_num = 0; r_num < arg->role_db.num_roles; r_num++) {
36276 + r_tmp = acl_alloc(sizeof (struct acl_role_label));
36283 + if (copy_from_user(&r_utmp2, r_utmp + r_num,
36284 + sizeof (struct acl_role_label *))) {
36289 + if (copy_from_user(r_tmp, r_utmp2,
36290 + sizeof (struct acl_role_label))) {
36295 + len = strnlen_user(r_tmp->rolename, GR_SPROLE_LEN);
36297 + if (!len || len >= PATH_MAX) {
36302 + if ((tmp = (char *) acl_alloc(len)) == NULL) {
36306 + if (copy_from_user(tmp, r_tmp->rolename, len)) {
36310 + tmp[len-1] = '\0';
36311 + r_tmp->rolename = tmp;
36313 + if (!strcmp(r_tmp->rolename, "default")
36314 + && (r_tmp->roletype & GR_ROLE_DEFAULT)) {
36315 + default_role = r_tmp;
36316 + } else if (!strcmp(r_tmp->rolename, ":::kernel:::")) {
36317 + kernel_role = r_tmp;
36320 + if ((ghash = (struct gr_hash_struct *) acl_alloc(sizeof(struct gr_hash_struct))) == NULL) {
36324 + if (copy_from_user(ghash, r_tmp->hash, sizeof(struct gr_hash_struct))) {
36329 + r_tmp->hash = ghash;
36331 + num_subjs = count_user_subjs(r_tmp->hash->first);
36333 + r_tmp->subj_hash_size = num_subjs;
36334 + r_tmp->subj_hash =
36335 + (struct acl_subject_label **)
36336 + create_table(&(r_tmp->subj_hash_size), sizeof(void *));
36338 + if (!r_tmp->subj_hash) {
36343 + err = copy_user_allowedips(r_tmp);
36347 + /* copy domain info */
36348 + if (r_tmp->domain_children != NULL) {
36349 + domainlist = acl_alloc_num(r_tmp->domain_child_num, sizeof(uid_t));
36350 + if (domainlist == NULL) {
36354 + if (copy_from_user(domainlist, r_tmp->domain_children, r_tmp->domain_child_num * sizeof(uid_t))) {
36358 + r_tmp->domain_children = domainlist;
36361 + err = copy_user_transitions(r_tmp);
36365 + memset(r_tmp->subj_hash, 0,
36366 + r_tmp->subj_hash_size *
36367 + sizeof (struct acl_subject_label *));
36369 + err = copy_user_subjs(r_tmp->hash->first, r_tmp);
36374 + /* set nested subject list to null */
36375 + r_tmp->hash->first = NULL;
36377 + insert_acl_role_label(r_tmp);
36382 + free_variables();
36389 +gracl_init(struct gr_arg *args)
36393 + memcpy(gr_system_salt, args->salt, GR_SALT_LEN);
36394 + memcpy(gr_system_sum, args->sum, GR_SHA_LEN);
36396 + if (init_variables(args)) {
36397 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_INITF_ACL_MSG, GR_VERSION);
36399 + free_variables();
36403 + error = copy_user_acl(args);
36404 + free_init_variables();
36406 + free_variables();
36410 + if ((error = gr_set_acls(0))) {
36411 + free_variables();
36415 + pax_open_kernel();
36416 + gr_status |= GR_READY;
36417 + pax_close_kernel();
36423 +/* derived from glibc fnmatch() 0: match, 1: no match*/
36426 +glob_match(const char *p, const char *n)
36430 + while ((c = *p++) != '\0') {
36435 + else if (*n == '/')
36443 + for (c = *p++; c == '?' || c == '*'; c = *p++) {
36446 + else if (c == '?') {
36456 + const char *endp;
36458 + if ((endp = strchr(n, '/')) == NULL)
36459 + endp = n + strlen(n);
36462 + for (--p; n < endp; ++n)
36463 + if (!glob_match(p, n))
36465 + } else if (c == '/') {
36466 + while (*n != '\0' && *n != '/')
36468 + if (*n == '/' && !glob_match(p, n + 1))
36471 + for (--p; n < endp; ++n)
36472 + if (*n == c && !glob_match(p, n))
36483 + if (*n == '\0' || *n == '/')
36486 + not = (*p == '!' || *p == '^');
36492 + unsigned char fn = (unsigned char)*n;
36502 + if (c == '-' && *p != ']') {
36503 + unsigned char cend = *p++;
36505 + if (cend == '\0')
36508 + if (cold <= fn && fn <= cend)
36522 + while (c != ']') {
36549 +static struct acl_object_label *
36550 +chk_glob_label(struct acl_object_label *globbed,
36551 + struct dentry *dentry, struct vfsmount *mnt, char **path)
36553 + struct acl_object_label *tmp;
36555 + if (*path == NULL)
36556 + *path = gr_to_filename_nolock(dentry, mnt);
36561 + if (!glob_match(tmp->filename, *path))
36569 +static struct acl_object_label *
36570 +__full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36571 + const ino_t curr_ino, const dev_t curr_dev,
36572 + const struct acl_subject_label *subj, char **path, const int checkglob)
36574 + struct acl_subject_label *tmpsubj;
36575 + struct acl_object_label *retval;
36576 + struct acl_object_label *retval2;
36578 + tmpsubj = (struct acl_subject_label *) subj;
36579 + read_lock(&gr_inode_lock);
36581 + retval = lookup_acl_obj_label(curr_ino, curr_dev, tmpsubj);
36583 + if (checkglob && retval->globbed) {
36584 + retval2 = chk_glob_label(retval->globbed, (struct dentry *)orig_dentry,
36585 + (struct vfsmount *)orig_mnt, path);
36587 + retval = retval2;
36591 + } while ((tmpsubj = tmpsubj->parent_subject));
36592 + read_unlock(&gr_inode_lock);
36597 +static __inline__ struct acl_object_label *
36598 +full_lookup(const struct dentry *orig_dentry, const struct vfsmount *orig_mnt,
36599 + const struct dentry *curr_dentry,
36600 + const struct acl_subject_label *subj, char **path, const int checkglob)
36602 + return __full_lookup(orig_dentry, orig_mnt,
36603 + curr_dentry->d_inode->i_ino,
36604 + curr_dentry->d_inode->i_sb->s_dev, subj, path, checkglob);
36607 +static struct acl_object_label *
36608 +__chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36609 + const struct acl_subject_label *subj, char *path, const int checkglob)
36611 + struct dentry *dentry = (struct dentry *) l_dentry;
36612 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36613 + struct acl_object_label *retval;
36615 + spin_lock(&dcache_lock);
36617 + if (unlikely(mnt == shm_mnt || mnt == pipe_mnt || mnt == sock_mnt ||
36618 +#ifdef CONFIG_HUGETLBFS
36619 + mnt == hugetlbfs_vfsmount ||
36621 + /* ignore Eric Biederman */
36622 + IS_PRIVATE(l_dentry->d_inode))) {
36623 + retval = fakefs_obj;
36628 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36631 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36632 + if (mnt->mnt_parent == mnt)
36635 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36636 + if (retval != NULL)
36639 + dentry = mnt->mnt_mountpoint;
36640 + mnt = mnt->mnt_parent;
36644 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36645 + if (retval != NULL)
36648 + dentry = dentry->d_parent;
36651 + retval = full_lookup(l_dentry, l_mnt, dentry, subj, &path, checkglob);
36653 + if (retval == NULL)
36654 + retval = full_lookup(l_dentry, l_mnt, real_root.dentry, subj, &path, checkglob);
36656 + spin_unlock(&dcache_lock);
36660 +static __inline__ struct acl_object_label *
36661 +chk_obj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36662 + const struct acl_subject_label *subj)
36664 + char *path = NULL;
36665 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
36668 +static __inline__ struct acl_object_label *
36669 +chk_obj_label_noglob(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36670 + const struct acl_subject_label *subj)
36672 + char *path = NULL;
36673 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 0);
36676 +static __inline__ struct acl_object_label *
36677 +chk_obj_create_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36678 + const struct acl_subject_label *subj, char *path)
36680 + return __chk_obj_label(l_dentry, l_mnt, subj, path, 1);
36683 +static struct acl_subject_label *
36684 +chk_subj_label(const struct dentry *l_dentry, const struct vfsmount *l_mnt,
36685 + const struct acl_role_label *role)
36687 + struct dentry *dentry = (struct dentry *) l_dentry;
36688 + struct vfsmount *mnt = (struct vfsmount *) l_mnt;
36689 + struct acl_subject_label *retval;
36691 + spin_lock(&dcache_lock);
36694 + if (dentry == real_root.dentry && mnt == real_root.mnt)
36696 + if (dentry == mnt->mnt_root || IS_ROOT(dentry)) {
36697 + if (mnt->mnt_parent == mnt)
36700 + read_lock(&gr_inode_lock);
36702 + lookup_acl_subj_label(dentry->d_inode->i_ino,
36703 + dentry->d_inode->i_sb->s_dev, role);
36704 + read_unlock(&gr_inode_lock);
36705 + if (retval != NULL)
36708 + dentry = mnt->mnt_mountpoint;
36709 + mnt = mnt->mnt_parent;
36713 + read_lock(&gr_inode_lock);
36714 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36715 + dentry->d_inode->i_sb->s_dev, role);
36716 + read_unlock(&gr_inode_lock);
36717 + if (retval != NULL)
36720 + dentry = dentry->d_parent;
36723 + read_lock(&gr_inode_lock);
36724 + retval = lookup_acl_subj_label(dentry->d_inode->i_ino,
36725 + dentry->d_inode->i_sb->s_dev, role);
36726 + read_unlock(&gr_inode_lock);
36728 + if (unlikely(retval == NULL)) {
36729 + read_lock(&gr_inode_lock);
36730 + retval = lookup_acl_subj_label(real_root.dentry->d_inode->i_ino,
36731 + real_root.dentry->d_inode->i_sb->s_dev, role);
36732 + read_unlock(&gr_inode_lock);
36735 + spin_unlock(&dcache_lock);
36741 +gr_log_learn(const struct dentry *dentry, const struct vfsmount *mnt, const __u32 mode)
36743 + struct task_struct *task = current;
36744 + const struct cred *cred = current_cred();
36746 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36747 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36748 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36749 + 1UL, 1UL, gr_to_filename(dentry, mnt), (unsigned long) mode, &task->signal->saved_ip);
36755 +gr_log_learn_sysctl(const char *path, const __u32 mode)
36757 + struct task_struct *task = current;
36758 + const struct cred *cred = current_cred();
36760 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename, task->role->roletype,
36761 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36762 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36763 + 1UL, 1UL, path, (unsigned long) mode, &task->signal->saved_ip);
36769 +gr_log_learn_id_change(const char type, const unsigned int real,
36770 + const unsigned int effective, const unsigned int fs)
36772 + struct task_struct *task = current;
36773 + const struct cred *cred = current_cred();
36775 + security_learn(GR_ID_LEARN_MSG, task->role->rolename, task->role->roletype,
36776 + cred->uid, cred->gid, task->exec_file ? gr_to_filename1(task->exec_file->f_path.dentry,
36777 + task->exec_file->f_path.mnt) : task->acl->filename, task->acl->filename,
36778 + type, real, effective, fs, &task->signal->saved_ip);
36784 +gr_check_link(const struct dentry * new_dentry,
36785 + const struct dentry * parent_dentry,
36786 + const struct vfsmount * parent_mnt,
36787 + const struct dentry * old_dentry, const struct vfsmount * old_mnt)
36789 + struct acl_object_label *obj;
36790 + __u32 oldmode, newmode;
36793 + if (unlikely(!(gr_status & GR_READY)))
36794 + return (GR_CREATE | GR_LINK);
36796 + obj = chk_obj_label(old_dentry, old_mnt, current->acl);
36797 + oldmode = obj->mode;
36799 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
36800 + oldmode |= (GR_CREATE | GR_LINK);
36802 + needmode = GR_CREATE | GR_AUDIT_CREATE | GR_SUPPRESS;
36803 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36804 + needmode |= GR_SETID | GR_AUDIT_SETID;
36807 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
36808 + oldmode | needmode);
36810 + needmode = newmode & (GR_FIND | GR_APPEND | GR_WRITE | GR_EXEC |
36811 + GR_SETID | GR_READ | GR_FIND | GR_DELETE |
36812 + GR_INHERIT | GR_AUDIT_INHERIT);
36814 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID) && !(newmode & GR_SETID))
36817 + if ((oldmode & needmode) != needmode)
36820 + needmode = oldmode & (GR_NOPTRACE | GR_PTRACERD | GR_INHERIT | GR_AUDITS);
36821 + if ((newmode & needmode) != needmode)
36824 + if ((newmode & (GR_CREATE | GR_LINK)) == (GR_CREATE | GR_LINK))
36827 + needmode = oldmode;
36828 + if (old_dentry->d_inode->i_mode & (S_ISUID | S_ISGID))
36829 + needmode |= GR_SETID;
36831 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36832 + gr_log_learn(old_dentry, old_mnt, needmode);
36833 + return (GR_CREATE | GR_LINK);
36834 + } else if (newmode & GR_SUPPRESS)
36835 + return GR_SUPPRESS;
36841 +gr_search_file(const struct dentry * dentry, const __u32 mode,
36842 + const struct vfsmount * mnt)
36844 + __u32 retval = mode;
36845 + struct acl_subject_label *curracl;
36846 + struct acl_object_label *currobj;
36848 + if (unlikely(!(gr_status & GR_READY)))
36849 + return (mode & ~GR_AUDITS);
36851 + curracl = current->acl;
36853 + currobj = chk_obj_label(dentry, mnt, curracl);
36854 + retval = currobj->mode & mode;
36857 + ((curracl->mode & (GR_LEARN | GR_INHERITLEARN)) && !(mode & GR_NOPTRACE)
36858 + && (retval != (mode & ~(GR_AUDITS | GR_SUPPRESS))))) {
36859 + __u32 new_mode = mode;
36861 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36863 + retval = new_mode;
36865 + if (new_mode & GR_EXEC && curracl->mode & GR_INHERITLEARN)
36866 + new_mode |= GR_INHERIT;
36868 + if (!(mode & GR_NOLEARN))
36869 + gr_log_learn(dentry, mnt, new_mode);
36876 +gr_check_create(const struct dentry * new_dentry, const struct dentry * parent,
36877 + const struct vfsmount * mnt, const __u32 mode)
36879 + struct name_entry *match;
36880 + struct acl_object_label *matchpo;
36881 + struct acl_subject_label *curracl;
36885 + if (unlikely(!(gr_status & GR_READY)))
36886 + return (mode & ~GR_AUDITS);
36888 + preempt_disable();
36889 + path = gr_to_filename_rbac(new_dentry, mnt);
36890 + match = lookup_name_entry_create(path);
36893 + goto check_parent;
36895 + curracl = current->acl;
36897 + read_lock(&gr_inode_lock);
36898 + matchpo = lookup_acl_obj_label_create(match->inode, match->device, curracl);
36899 + read_unlock(&gr_inode_lock);
36902 + if ((matchpo->mode & mode) !=
36903 + (mode & ~(GR_AUDITS | GR_SUPPRESS))
36904 + && curracl->mode & (GR_LEARN | GR_INHERITLEARN)) {
36905 + __u32 new_mode = mode;
36907 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36909 + gr_log_learn(new_dentry, mnt, new_mode);
36911 + preempt_enable();
36914 + preempt_enable();
36915 + return (matchpo->mode & mode);
36919 + curracl = current->acl;
36921 + matchpo = chk_obj_create_label(parent, mnt, curracl, path);
36922 + retval = matchpo->mode & mode;
36924 + if ((retval != (mode & ~(GR_AUDITS | GR_SUPPRESS)))
36925 + && (curracl->mode & (GR_LEARN | GR_INHERITLEARN))) {
36926 + __u32 new_mode = mode;
36928 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
36930 + gr_log_learn(new_dentry, mnt, new_mode);
36931 + preempt_enable();
36935 + preempt_enable();
36940 +gr_check_hidden_task(const struct task_struct *task)
36942 + if (unlikely(!(gr_status & GR_READY)))
36945 + if (!(task->acl->mode & GR_PROCFIND) && !(current->acl->mode & GR_VIEW))
36952 +gr_check_protected_task(const struct task_struct *task)
36954 + if (unlikely(!(gr_status & GR_READY) || !task))
36957 + if ((task->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36958 + task->acl != current->acl)
36965 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
36967 + struct task_struct *p;
36970 + if (unlikely(!(gr_status & GR_READY) || !pid))
36973 + read_lock(&tasklist_lock);
36974 + do_each_pid_task(pid, type, p) {
36975 + if ((p->acl->mode & GR_PROTECTED) && !(current->acl->mode & GR_KILL) &&
36976 + p->acl != current->acl) {
36980 + } while_each_pid_task(pid, type, p);
36982 + read_unlock(&tasklist_lock);
36988 +gr_copy_label(struct task_struct *tsk)
36990 + tsk->signal->used_accept = 0;
36991 + tsk->acl_sp_role = 0;
36992 + tsk->acl_role_id = current->acl_role_id;
36993 + tsk->acl = current->acl;
36994 + tsk->role = current->role;
36995 + tsk->signal->curr_ip = current->signal->curr_ip;
36996 + tsk->signal->saved_ip = current->signal->saved_ip;
36997 + if (current->exec_file)
36998 + get_file(current->exec_file);
36999 + tsk->exec_file = current->exec_file;
37000 + tsk->is_writable = current->is_writable;
37001 + if (unlikely(current->signal->used_accept)) {
37002 + current->signal->curr_ip = 0;
37003 + current->signal->saved_ip = 0;
37010 +gr_set_proc_res(struct task_struct *task)
37012 + struct acl_subject_label *proc;
37013 + unsigned short i;
37015 + proc = task->acl;
37017 + if (proc->mode & (GR_LEARN | GR_INHERITLEARN))
37020 + for (i = 0; i < RLIM_NLIMITS; i++) {
37021 + if (!(proc->resmask & (1 << i)))
37024 + task->signal->rlim[i].rlim_cur = proc->res[i].rlim_cur;
37025 + task->signal->rlim[i].rlim_max = proc->res[i].rlim_max;
37032 +gr_check_user_change(int real, int effective, int fs)
37039 + int effectiveok = 0;
37042 + if (unlikely(!(gr_status & GR_READY)))
37045 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37046 + gr_log_learn_id_change('u', real, effective, fs);
37048 + num = current->acl->user_trans_num;
37049 + uidlist = current->acl->user_transitions;
37051 + if (uidlist == NULL)
37056 + if (effective == -1)
37061 + if (current->acl->user_trans_type & GR_ID_ALLOW) {
37062 + for (i = 0; i < num; i++) {
37063 + curuid = (int)uidlist[i];
37064 + if (real == curuid)
37066 + if (effective == curuid)
37068 + if (fs == curuid)
37071 + } else if (current->acl->user_trans_type & GR_ID_DENY) {
37072 + for (i = 0; i < num; i++) {
37073 + curuid = (int)uidlist[i];
37074 + if (real == curuid)
37076 + if (effective == curuid)
37078 + if (fs == curuid)
37081 + /* not in deny list */
37089 + if (realok && effectiveok && fsok)
37092 + gr_log_int(GR_DONT_AUDIT, GR_USRCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37098 +gr_check_group_change(int real, int effective, int fs)
37105 + int effectiveok = 0;
37108 + if (unlikely(!(gr_status & GR_READY)))
37111 + if (current->acl->mode & (GR_LEARN | GR_INHERITLEARN))
37112 + gr_log_learn_id_change('g', real, effective, fs);
37114 + num = current->acl->group_trans_num;
37115 + gidlist = current->acl->group_transitions;
37117 + if (gidlist == NULL)
37122 + if (effective == -1)
37127 + if (current->acl->group_trans_type & GR_ID_ALLOW) {
37128 + for (i = 0; i < num; i++) {
37129 + curgid = (int)gidlist[i];
37130 + if (real == curgid)
37132 + if (effective == curgid)
37134 + if (fs == curgid)
37137 + } else if (current->acl->group_trans_type & GR_ID_DENY) {
37138 + for (i = 0; i < num; i++) {
37139 + curgid = (int)gidlist[i];
37140 + if (real == curgid)
37142 + if (effective == curgid)
37144 + if (fs == curgid)
37147 + /* not in deny list */
37155 + if (realok && effectiveok && fsok)
37158 + gr_log_int(GR_DONT_AUDIT, GR_GRPCHANGE_ACL_MSG, realok ? (effectiveok ? (fsok ? 0 : fs) : effective) : real);
37164 +gr_set_role_label(struct task_struct *task, const uid_t uid, const uid_t gid)
37166 + struct acl_role_label *role = task->role;
37167 + struct acl_subject_label *subj = NULL;
37168 + struct acl_object_label *obj;
37169 + struct file *filp;
37171 + if (unlikely(!(gr_status & GR_READY)))
37174 + filp = task->exec_file;
37176 + /* kernel process, we'll give them the kernel role */
37177 + if (unlikely(!filp)) {
37178 + task->role = kernel_role;
37179 + task->acl = kernel_role->root_label;
37181 + } else if (!task->role || !(task->role->roletype & GR_ROLE_SPECIAL))
37182 + role = lookup_acl_role_label(task, uid, gid);
37184 + /* perform subject lookup in possibly new role
37185 + we can use this result below in the case where role == task->role
37187 + subj = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, role);
37189 + /* if we changed uid/gid, but result in the same role
37190 + and are using inheritance, don't lose the inherited subject
37191 + if current subject is other than what normal lookup
37192 + would result in, we arrived via inheritance, don't
37195 + if (role != task->role || (!(task->acl->mode & GR_INHERITLEARN) &&
37196 + (subj == task->acl)))
37197 + task->acl = subj;
37199 + task->role = role;
37201 + task->is_writable = 0;
37203 + /* ignore additional mmap checks for processes that are writable
37204 + by the default ACL */
37205 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37206 + if (unlikely(obj->mode & GR_WRITE))
37207 + task->is_writable = 1;
37208 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
37209 + if (unlikely(obj->mode & GR_WRITE))
37210 + task->is_writable = 1;
37212 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37213 + printk(KERN_ALERT "Set role label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37216 + gr_set_proc_res(task);
37222 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
37223 + const int unsafe_share)
37225 + struct task_struct *task = current;
37226 + struct acl_subject_label *newacl;
37227 + struct acl_object_label *obj;
37230 + if (unlikely(!(gr_status & GR_READY)))
37233 + newacl = chk_subj_label(dentry, mnt, task->role);
37236 + if ((((task->ptrace & PT_PTRACED) || unsafe_share) &&
37237 + !(task->acl->mode & GR_POVERRIDE) && (task->acl != newacl) &&
37238 + !(task->role->roletype & GR_ROLE_GOD) &&
37239 + !gr_search_file(dentry, GR_PTRACERD, mnt) &&
37240 + !(task->acl->mode & (GR_LEARN | GR_INHERITLEARN)))) {
37241 + task_unlock(task);
37242 + if (unsafe_share)
37243 + gr_log_fs_generic(GR_DONT_AUDIT, GR_UNSAFESHARE_EXEC_ACL_MSG, dentry, mnt);
37245 + gr_log_fs_generic(GR_DONT_AUDIT, GR_PTRACE_EXEC_ACL_MSG, dentry, mnt);
37248 + task_unlock(task);
37250 + obj = chk_obj_label(dentry, mnt, task->acl);
37251 + retmode = obj->mode & (GR_INHERIT | GR_AUDIT_INHERIT);
37253 + if (!(task->acl->mode & GR_INHERITLEARN) &&
37254 + ((newacl->mode & GR_LEARN) || !(retmode & GR_INHERIT))) {
37256 + task->acl = obj->nested;
37258 + task->acl = newacl;
37259 + } else if (retmode & GR_INHERIT && retmode & GR_AUDIT_INHERIT)
37260 + gr_log_str_fs(GR_DO_AUDIT, GR_INHERIT_ACL_MSG, task->acl->filename, dentry, mnt);
37262 + task->is_writable = 0;
37264 + /* ignore additional mmap checks for processes that are writable
37265 + by the default ACL */
37266 + obj = chk_obj_label(dentry, mnt, default_role->root_label);
37267 + if (unlikely(obj->mode & GR_WRITE))
37268 + task->is_writable = 1;
37269 + obj = chk_obj_label(dentry, mnt, task->role->root_label);
37270 + if (unlikely(obj->mode & GR_WRITE))
37271 + task->is_writable = 1;
37273 + gr_set_proc_res(task);
37275 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37276 + printk(KERN_ALERT "Set subject label for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
37281 +/* always called with valid inodev ptr */
37283 +do_handle_delete(struct inodev_entry *inodev, const ino_t ino, const dev_t dev)
37285 + struct acl_object_label *matchpo;
37286 + struct acl_subject_label *matchps;
37287 + struct acl_subject_label *subj;
37288 + struct acl_role_label *role;
37291 + FOR_EACH_ROLE_START(role)
37292 + FOR_EACH_SUBJECT_START(role, subj, x)
37293 + if ((matchpo = lookup_acl_obj_label(ino, dev, subj)) != NULL)
37294 + matchpo->mode |= GR_DELETED;
37295 + FOR_EACH_SUBJECT_END(subj,x)
37296 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37297 + if (subj->inode == ino && subj->device == dev)
37298 + subj->mode |= GR_DELETED;
37299 + FOR_EACH_NESTED_SUBJECT_END(subj)
37300 + if ((matchps = lookup_acl_subj_label(ino, dev, role)) != NULL)
37301 + matchps->mode |= GR_DELETED;
37302 + FOR_EACH_ROLE_END(role)
37304 + inodev->nentry->deleted = 1;
37310 +gr_handle_delete(const ino_t ino, const dev_t dev)
37312 + struct inodev_entry *inodev;
37314 + if (unlikely(!(gr_status & GR_READY)))
37317 + write_lock(&gr_inode_lock);
37318 + inodev = lookup_inodev_entry(ino, dev);
37319 + if (inodev != NULL)
37320 + do_handle_delete(inodev, ino, dev);
37321 + write_unlock(&gr_inode_lock);
37327 +update_acl_obj_label(const ino_t oldinode, const dev_t olddevice,
37328 + const ino_t newinode, const dev_t newdevice,
37329 + struct acl_subject_label *subj)
37331 + unsigned int index = fhash(oldinode, olddevice, subj->obj_hash_size);
37332 + struct acl_object_label *match;
37334 + match = subj->obj_hash[index];
37336 + while (match && (match->inode != oldinode ||
37337 + match->device != olddevice ||
37338 + !(match->mode & GR_DELETED)))
37339 + match = match->next;
37341 + if (match && (match->inode == oldinode)
37342 + && (match->device == olddevice)
37343 + && (match->mode & GR_DELETED)) {
37344 + if (match->prev == NULL) {
37345 + subj->obj_hash[index] = match->next;
37346 + if (match->next != NULL)
37347 + match->next->prev = NULL;
37349 + match->prev->next = match->next;
37350 + if (match->next != NULL)
37351 + match->next->prev = match->prev;
37353 + match->prev = NULL;
37354 + match->next = NULL;
37355 + match->inode = newinode;
37356 + match->device = newdevice;
37357 + match->mode &= ~GR_DELETED;
37359 + insert_acl_obj_label(match, subj);
37366 +update_acl_subj_label(const ino_t oldinode, const dev_t olddevice,
37367 + const ino_t newinode, const dev_t newdevice,
37368 + struct acl_role_label *role)
37370 + unsigned int index = fhash(oldinode, olddevice, role->subj_hash_size);
37371 + struct acl_subject_label *match;
37373 + match = role->subj_hash[index];
37375 + while (match && (match->inode != oldinode ||
37376 + match->device != olddevice ||
37377 + !(match->mode & GR_DELETED)))
37378 + match = match->next;
37380 + if (match && (match->inode == oldinode)
37381 + && (match->device == olddevice)
37382 + && (match->mode & GR_DELETED)) {
37383 + if (match->prev == NULL) {
37384 + role->subj_hash[index] = match->next;
37385 + if (match->next != NULL)
37386 + match->next->prev = NULL;
37388 + match->prev->next = match->next;
37389 + if (match->next != NULL)
37390 + match->next->prev = match->prev;
37392 + match->prev = NULL;
37393 + match->next = NULL;
37394 + match->inode = newinode;
37395 + match->device = newdevice;
37396 + match->mode &= ~GR_DELETED;
37398 + insert_acl_subj_label(match, role);
37405 +update_inodev_entry(const ino_t oldinode, const dev_t olddevice,
37406 + const ino_t newinode, const dev_t newdevice)
37408 + unsigned int index = fhash(oldinode, olddevice, inodev_set.i_size);
37409 + struct inodev_entry *match;
37411 + match = inodev_set.i_hash[index];
37413 + while (match && (match->nentry->inode != oldinode ||
37414 + match->nentry->device != olddevice || !match->nentry->deleted))
37415 + match = match->next;
37417 + if (match && (match->nentry->inode == oldinode)
37418 + && (match->nentry->device == olddevice) &&
37419 + match->nentry->deleted) {
37420 + if (match->prev == NULL) {
37421 + inodev_set.i_hash[index] = match->next;
37422 + if (match->next != NULL)
37423 + match->next->prev = NULL;
37425 + match->prev->next = match->next;
37426 + if (match->next != NULL)
37427 + match->next->prev = match->prev;
37429 + match->prev = NULL;
37430 + match->next = NULL;
37431 + match->nentry->inode = newinode;
37432 + match->nentry->device = newdevice;
37433 + match->nentry->deleted = 0;
37435 + insert_inodev_entry(match);
37442 +do_handle_create(const struct name_entry *matchn, const struct dentry *dentry,
37443 + const struct vfsmount *mnt)
37445 + struct acl_subject_label *subj;
37446 + struct acl_role_label *role;
37449 + FOR_EACH_ROLE_START(role)
37450 + update_acl_subj_label(matchn->inode, matchn->device,
37451 + dentry->d_inode->i_ino,
37452 + dentry->d_inode->i_sb->s_dev, role);
37454 + FOR_EACH_NESTED_SUBJECT_START(role, subj)
37455 + if ((subj->inode == dentry->d_inode->i_ino) &&
37456 + (subj->device == dentry->d_inode->i_sb->s_dev)) {
37457 + subj->inode = dentry->d_inode->i_ino;
37458 + subj->device = dentry->d_inode->i_sb->s_dev;
37460 + FOR_EACH_NESTED_SUBJECT_END(subj)
37461 + FOR_EACH_SUBJECT_START(role, subj, x)
37462 + update_acl_obj_label(matchn->inode, matchn->device,
37463 + dentry->d_inode->i_ino,
37464 + dentry->d_inode->i_sb->s_dev, subj);
37465 + FOR_EACH_SUBJECT_END(subj,x)
37466 + FOR_EACH_ROLE_END(role)
37468 + update_inodev_entry(matchn->inode, matchn->device,
37469 + dentry->d_inode->i_ino, dentry->d_inode->i_sb->s_dev);
37475 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
37477 + struct name_entry *matchn;
37479 + if (unlikely(!(gr_status & GR_READY)))
37482 + preempt_disable();
37483 + matchn = lookup_name_entry(gr_to_filename_rbac(dentry, mnt));
37485 + if (unlikely((unsigned long)matchn)) {
37486 + write_lock(&gr_inode_lock);
37487 + do_handle_create(matchn, dentry, mnt);
37488 + write_unlock(&gr_inode_lock);
37490 + preempt_enable();
37496 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
37497 + struct dentry *old_dentry,
37498 + struct dentry *new_dentry,
37499 + struct vfsmount *mnt, const __u8 replace)
37501 + struct name_entry *matchn;
37502 + struct inodev_entry *inodev;
37504 + /* vfs_rename swaps the name and parent link for old_dentry and
37506 + at this point, old_dentry has the new name, parent link, and inode
37507 + for the renamed file
37508 + if a file is being replaced by a rename, new_dentry has the inode
37509 + and name for the replaced file
37512 + if (unlikely(!(gr_status & GR_READY)))
37515 + preempt_disable();
37516 + matchn = lookup_name_entry(gr_to_filename_rbac(old_dentry, mnt));
37518 + /* we wouldn't have to check d_inode if it weren't for
37519 + NFS silly-renaming
37522 + write_lock(&gr_inode_lock);
37523 + if (unlikely(replace && new_dentry->d_inode)) {
37524 + inodev = lookup_inodev_entry(new_dentry->d_inode->i_ino,
37525 + new_dentry->d_inode->i_sb->s_dev);
37526 + if (inodev != NULL && (new_dentry->d_inode->i_nlink <= 1))
37527 + do_handle_delete(inodev, new_dentry->d_inode->i_ino,
37528 + new_dentry->d_inode->i_sb->s_dev);
37531 + inodev = lookup_inodev_entry(old_dentry->d_inode->i_ino,
37532 + old_dentry->d_inode->i_sb->s_dev);
37533 + if (inodev != NULL && (old_dentry->d_inode->i_nlink <= 1))
37534 + do_handle_delete(inodev, old_dentry->d_inode->i_ino,
37535 + old_dentry->d_inode->i_sb->s_dev);
37537 + if (unlikely((unsigned long)matchn))
37538 + do_handle_create(matchn, old_dentry, mnt);
37540 + write_unlock(&gr_inode_lock);
37541 + preempt_enable();
37547 +lookup_special_role_auth(__u16 mode, const char *rolename, unsigned char **salt,
37548 + unsigned char **sum)
37550 + struct acl_role_label *r;
37551 + struct role_allowed_ip *ipp;
37552 + struct role_transition *trans;
37555 + u32 curr_ip = current->signal->curr_ip;
37557 + current->signal->saved_ip = curr_ip;
37559 + /* check transition table */
37561 + for (trans = current->role->transitions; trans; trans = trans->next) {
37562 + if (!strcmp(rolename, trans->rolename)) {
37571 + /* handle special roles that do not require authentication
37574 + FOR_EACH_ROLE_START(r)
37575 + if (!strcmp(rolename, r->rolename) &&
37576 + (r->roletype & GR_ROLE_SPECIAL)) {
37578 + if (r->allowed_ips != NULL) {
37579 + for (ipp = r->allowed_ips; ipp; ipp = ipp->next) {
37580 + if ((ntohl(curr_ip) & ipp->netmask) ==
37581 + (ntohl(ipp->addr) & ipp->netmask))
37589 + if (((mode == GR_SPROLE) && (r->roletype & GR_ROLE_NOPW)) ||
37590 + ((mode == GR_SPROLEPAM) && (r->roletype & GR_ROLE_PAM))) {
37596 + FOR_EACH_ROLE_END(r)
37598 + for (i = 0; i < num_sprole_pws; i++) {
37599 + if (!strcmp(rolename, acl_special_roles[i]->rolename)) {
37600 + *salt = acl_special_roles[i]->salt;
37601 + *sum = acl_special_roles[i]->sum;
37610 +assign_special_role(char *rolename)
37612 + struct acl_object_label *obj;
37613 + struct acl_role_label *r;
37614 + struct acl_role_label *assigned = NULL;
37615 + struct task_struct *tsk;
37616 + struct file *filp;
37618 + FOR_EACH_ROLE_START(r)
37619 + if (!strcmp(rolename, r->rolename) &&
37620 + (r->roletype & GR_ROLE_SPECIAL)) {
37624 + FOR_EACH_ROLE_END(r)
37629 + read_lock(&tasklist_lock);
37630 + read_lock(&grsec_exec_file_lock);
37632 + tsk = current->real_parent;
37636 + filp = tsk->exec_file;
37637 + if (filp == NULL)
37640 + tsk->is_writable = 0;
37642 + tsk->acl_sp_role = 1;
37643 + tsk->acl_role_id = ++acl_sp_role_value;
37644 + tsk->role = assigned;
37645 + tsk->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role);
37647 + /* ignore additional mmap checks for processes that are writable
37648 + by the default ACL */
37649 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
37650 + if (unlikely(obj->mode & GR_WRITE))
37651 + tsk->is_writable = 1;
37652 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, tsk->role->root_label);
37653 + if (unlikely(obj->mode & GR_WRITE))
37654 + tsk->is_writable = 1;
37656 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
37657 + printk(KERN_ALERT "Assigning special role:%s subject:%s to process (%s:%d)\n", tsk->role->rolename, tsk->acl->filename, tsk->comm, tsk->pid);
37661 + read_unlock(&grsec_exec_file_lock);
37662 + read_unlock(&tasklist_lock);
37666 +int gr_check_secure_terminal(struct task_struct *task)
37668 + struct task_struct *p, *p2, *p3;
37669 + struct files_struct *files;
37670 + struct fdtable *fdt;
37671 + struct file *our_file = NULL, *file;
37674 + if (task->signal->tty == NULL)
37677 + files = get_files_struct(task);
37678 + if (files != NULL) {
37680 + fdt = files_fdtable(files);
37681 + for (i=0; i < fdt->max_fds; i++) {
37682 + file = fcheck_files(files, i);
37683 + if (file && (our_file == NULL) && (file->private_data == task->signal->tty)) {
37688 + rcu_read_unlock();
37689 + put_files_struct(files);
37692 + if (our_file == NULL)
37695 + read_lock(&tasklist_lock);
37696 + do_each_thread(p2, p) {
37697 + files = get_files_struct(p);
37698 + if (files == NULL ||
37699 + (p->signal && p->signal->tty == task->signal->tty)) {
37700 + if (files != NULL)
37701 + put_files_struct(files);
37705 + fdt = files_fdtable(files);
37706 + for (i=0; i < fdt->max_fds; i++) {
37707 + file = fcheck_files(files, i);
37708 + if (file && S_ISCHR(file->f_path.dentry->d_inode->i_mode) &&
37709 + file->f_path.dentry->d_inode->i_rdev == our_file->f_path.dentry->d_inode->i_rdev) {
37711 + while (p3->pid > 0) {
37714 + p3 = p3->real_parent;
37718 + gr_log_ttysniff(GR_DONT_AUDIT_GOOD, GR_TTYSNIFF_ACL_MSG, p);
37719 + gr_handle_alertkill(p);
37720 + rcu_read_unlock();
37721 + put_files_struct(files);
37722 + read_unlock(&tasklist_lock);
37727 + rcu_read_unlock();
37728 + put_files_struct(files);
37729 + } while_each_thread(p2, p);
37730 + read_unlock(&tasklist_lock);
37737 +write_grsec_handler(struct file *file, const char * buf, size_t count, loff_t *ppos)
37739 + struct gr_arg_wrapper uwrap;
37740 + unsigned char *sprole_salt = NULL;
37741 + unsigned char *sprole_sum = NULL;
37742 + int error = sizeof (struct gr_arg_wrapper);
37745 + down(&gr_dev_sem);
37747 + if ((gr_status & GR_READY) && !(current->acl->mode & GR_KERNELAUTH)) {
37752 + if (count != sizeof (struct gr_arg_wrapper)) {
37753 + gr_log_int_int(GR_DONT_AUDIT_GOOD, GR_DEV_ACL_MSG, (int)count, (int)sizeof(struct gr_arg_wrapper));
37759 + if (gr_auth_expires && time_after_eq(get_seconds(), gr_auth_expires)) {
37760 + gr_auth_expires = 0;
37761 + gr_auth_attempts = 0;
37764 + if (copy_from_user(&uwrap, buf, sizeof (struct gr_arg_wrapper))) {
37769 + if ((uwrap.version != GRSECURITY_VERSION) || (uwrap.size != sizeof(struct gr_arg))) {
37774 + if (copy_from_user(gr_usermode, uwrap.arg, sizeof (struct gr_arg))) {
37779 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37780 + gr_auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37781 + time_after(gr_auth_expires, get_seconds())) {
37786 + /* if non-root trying to do anything other than use a special role,
37787 + do not attempt authentication, do not count towards authentication
37791 + if (gr_usermode->mode != GR_SPROLE && gr_usermode->mode != GR_STATUS &&
37792 + gr_usermode->mode != GR_UNSPROLE && gr_usermode->mode != GR_SPROLEPAM &&
37798 + /* ensure pw and special role name are null terminated */
37800 + gr_usermode->pw[GR_PW_LEN - 1] = '\0';
37801 + gr_usermode->sp_role[GR_SPROLE_LEN - 1] = '\0';
37804 + * We have our enough of the argument structure..(we have yet
37805 + * to copy_from_user the tables themselves) . Copy the tables
37806 + * only if we need them, i.e. for loading operations. */
37808 + switch (gr_usermode->mode) {
37810 + if (gr_status & GR_READY) {
37812 + if (!gr_check_secure_terminal(current))
37817 + case GR_SHUTDOWN:
37818 + if ((gr_status & GR_READY)
37819 + && !(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37820 + pax_open_kernel();
37821 + gr_status &= ~GR_READY;
37822 + pax_close_kernel();
37824 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTS_ACL_MSG);
37825 + free_variables();
37826 + memset(gr_usermode, 0, sizeof (struct gr_arg));
37827 + memset(gr_system_salt, 0, GR_SALT_LEN);
37828 + memset(gr_system_sum, 0, GR_SHA_LEN);
37829 + } else if (gr_status & GR_READY) {
37830 + gr_log_noargs(GR_DONT_AUDIT, GR_SHUTF_ACL_MSG);
37833 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SHUTI_ACL_MSG);
37838 + if (!(gr_status & GR_READY) && !(error2 = gracl_init(gr_usermode)))
37839 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_ENABLE_ACL_MSG, GR_VERSION);
37841 + if (gr_status & GR_READY)
37845 + gr_log_str(GR_DONT_AUDIT, GR_ENABLEF_ACL_MSG, GR_VERSION);
37849 + if (!(gr_status & GR_READY)) {
37850 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOADI_ACL_MSG, GR_VERSION);
37852 + } else if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37855 + pax_open_kernel();
37856 + gr_status &= ~GR_READY;
37857 + pax_close_kernel();
37859 + free_variables();
37860 + if (!(error2 = gracl_init(gr_usermode))) {
37862 + gr_log_str(GR_DONT_AUDIT_GOOD, GR_RELOAD_ACL_MSG, GR_VERSION);
37866 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37869 + gr_log_str(GR_DONT_AUDIT, GR_RELOADF_ACL_MSG, GR_VERSION);
37874 + if (unlikely(!(gr_status & GR_READY))) {
37875 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODI_ACL_MSG);
37880 + if (!(chkpw(gr_usermode, gr_system_salt, gr_system_sum))) {
37881 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SEGVMODS_ACL_MSG);
37882 + if (gr_usermode->segv_device && gr_usermode->segv_inode) {
37883 + struct acl_subject_label *segvacl;
37885 + lookup_acl_subj_label(gr_usermode->segv_inode,
37886 + gr_usermode->segv_device,
37889 + segvacl->crashes = 0;
37890 + segvacl->expires = 0;
37892 + } else if (gr_find_uid(gr_usermode->segv_uid) >= 0) {
37893 + gr_remove_uid(gr_usermode->segv_uid);
37896 + gr_log_noargs(GR_DONT_AUDIT, GR_SEGVMODF_ACL_MSG);
37901 + case GR_SPROLEPAM:
37902 + if (unlikely(!(gr_status & GR_READY))) {
37903 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_SPROLEI_ACL_MSG);
37908 + if (current->role->expires && time_after_eq(get_seconds(), current->role->expires)) {
37909 + current->role->expires = 0;
37910 + current->role->auth_attempts = 0;
37913 + if (current->role->auth_attempts >= CONFIG_GRKERNSEC_ACL_MAXTRIES &&
37914 + time_after(current->role->expires, get_seconds())) {
37919 + if (lookup_special_role_auth
37920 + (gr_usermode->mode, gr_usermode->sp_role, &sprole_salt, &sprole_sum)
37921 + && ((!sprole_salt && !sprole_sum)
37922 + || !(chkpw(gr_usermode, sprole_salt, sprole_sum)))) {
37924 + assign_special_role(gr_usermode->sp_role);
37925 + read_lock(&tasklist_lock);
37926 + if (current->real_parent)
37927 + p = current->real_parent->role->rolename;
37928 + read_unlock(&tasklist_lock);
37929 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLES_ACL_MSG,
37930 + p, acl_sp_role_value);
37932 + gr_log_str(GR_DONT_AUDIT, GR_SPROLEF_ACL_MSG, gr_usermode->sp_role);
37934 + if(!(current->role->auth_attempts++))
37935 + current->role->expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37940 + case GR_UNSPROLE:
37941 + if (unlikely(!(gr_status & GR_READY))) {
37942 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_UNSPROLEI_ACL_MSG);
37947 + if (current->role->roletype & GR_ROLE_SPECIAL) {
37951 + read_lock(&tasklist_lock);
37952 + if (current->real_parent) {
37953 + p = current->real_parent->role->rolename;
37954 + i = current->real_parent->acl_role_id;
37956 + read_unlock(&tasklist_lock);
37958 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_UNSPROLES_ACL_MSG, p, i);
37966 + gr_log_int(GR_DONT_AUDIT, GR_INVMODE_ACL_MSG, gr_usermode->mode);
37971 + if (error != -EPERM)
37974 + if(!(gr_auth_attempts++))
37975 + gr_auth_expires = get_seconds() + CONFIG_GRKERNSEC_ACL_TIMEOUT;
37983 +gr_set_acls(const int type)
37985 + struct acl_object_label *obj;
37986 + struct task_struct *task, *task2;
37987 + struct file *filp;
37988 + struct acl_role_label *role = current->role;
37989 + __u16 acl_role_id = current->acl_role_id;
37990 + const struct cred *cred;
37992 + struct name_entry *nmatch;
37993 + struct acl_subject_label *tmpsubj;
37996 + read_lock(&tasklist_lock);
37997 + read_lock(&grsec_exec_file_lock);
37998 + do_each_thread(task2, task) {
37999 + /* check to see if we're called from the exit handler,
38000 + if so, only replace ACLs that have inherited the admin
38003 + if (type && (task->role != role ||
38004 + task->acl_role_id != acl_role_id))
38007 + task->acl_role_id = 0;
38008 + task->acl_sp_role = 0;
38010 + if ((filp = task->exec_file)) {
38011 + cred = __task_cred(task);
38012 + task->role = lookup_acl_role_label(task, cred->uid, cred->gid);
38014 + /* the following is to apply the correct subject
38015 + on binaries running when the RBAC system
38016 + is enabled, when the binaries have been
38017 + replaced or deleted since their execution
38019 + when the RBAC system starts, the inode/dev
38020 + from exec_file will be one the RBAC system
38021 + is unaware of. It only knows the inode/dev
38022 + of the present file on disk, or the absence
38025 + preempt_disable();
38026 + tmpname = gr_to_filename_rbac(filp->f_path.dentry, filp->f_path.mnt);
38028 + nmatch = lookup_name_entry(tmpname);
38029 + preempt_enable();
38032 + if (nmatch->deleted)
38033 + tmpsubj = lookup_acl_subj_label_deleted(nmatch->inode, nmatch->device, task->role);
38035 + tmpsubj = lookup_acl_subj_label(nmatch->inode, nmatch->device, task->role);
38036 + if (tmpsubj != NULL)
38037 + task->acl = tmpsubj;
38039 + if (tmpsubj == NULL)
38040 + task->acl = chk_subj_label(filp->f_path.dentry, filp->f_path.mnt,
38043 + struct acl_subject_label *curr;
38044 + curr = task->acl;
38046 + task->is_writable = 0;
38047 + /* ignore additional mmap checks for processes that are writable
38048 + by the default ACL */
38049 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38050 + if (unlikely(obj->mode & GR_WRITE))
38051 + task->is_writable = 1;
38052 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, task->role->root_label);
38053 + if (unlikely(obj->mode & GR_WRITE))
38054 + task->is_writable = 1;
38056 + gr_set_proc_res(task);
38058 +#ifdef CONFIG_GRKERNSEC_ACL_DEBUG
38059 + printk(KERN_ALERT "gr_set_acls for (%s:%d): role:%s, subject:%s\n", task->comm, task->pid, task->role->rolename, task->acl->filename);
38062 + read_unlock(&grsec_exec_file_lock);
38063 + read_unlock(&tasklist_lock);
38064 + rcu_read_unlock();
38065 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_DEFACL_MSG, task->comm, task->pid);
38069 + // it's a kernel process
38070 + task->role = kernel_role;
38071 + task->acl = kernel_role->root_label;
38072 +#ifdef CONFIG_GRKERNSEC_ACL_HIDEKERN
38073 + task->acl->mode &= ~GR_PROCFIND;
38076 + } while_each_thread(task2, task);
38077 + read_unlock(&grsec_exec_file_lock);
38078 + read_unlock(&tasklist_lock);
38079 + rcu_read_unlock();
38085 +gr_learn_resource(const struct task_struct *task,
38086 + const int res, const unsigned long wanted, const int gt)
38088 + struct acl_subject_label *acl;
38089 + const struct cred *cred;
38091 + if (unlikely((gr_status & GR_READY) &&
38092 + task->acl && (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))))
38093 + goto skip_reslog;
38095 +#ifdef CONFIG_GRKERNSEC_RESLOG
38096 + gr_log_resource(task, res, wanted, gt);
38100 + if (unlikely(!(gr_status & GR_READY) || !wanted || res >= GR_NLIMITS))
38105 + if (likely(!acl || !(acl->mode & (GR_LEARN | GR_INHERITLEARN)) ||
38106 + !(acl->resmask & (1 << (unsigned short) res))))
38109 + if (wanted >= acl->res[res].rlim_cur) {
38110 + unsigned long res_add;
38112 + res_add = wanted;
38115 + res_add += GR_RLIM_CPU_BUMP;
38117 + case RLIMIT_FSIZE:
38118 + res_add += GR_RLIM_FSIZE_BUMP;
38120 + case RLIMIT_DATA:
38121 + res_add += GR_RLIM_DATA_BUMP;
38123 + case RLIMIT_STACK:
38124 + res_add += GR_RLIM_STACK_BUMP;
38126 + case RLIMIT_CORE:
38127 + res_add += GR_RLIM_CORE_BUMP;
38130 + res_add += GR_RLIM_RSS_BUMP;
38132 + case RLIMIT_NPROC:
38133 + res_add += GR_RLIM_NPROC_BUMP;
38135 + case RLIMIT_NOFILE:
38136 + res_add += GR_RLIM_NOFILE_BUMP;
38138 + case RLIMIT_MEMLOCK:
38139 + res_add += GR_RLIM_MEMLOCK_BUMP;
38142 + res_add += GR_RLIM_AS_BUMP;
38144 + case RLIMIT_LOCKS:
38145 + res_add += GR_RLIM_LOCKS_BUMP;
38147 + case RLIMIT_SIGPENDING:
38148 + res_add += GR_RLIM_SIGPENDING_BUMP;
38150 + case RLIMIT_MSGQUEUE:
38151 + res_add += GR_RLIM_MSGQUEUE_BUMP;
38153 + case RLIMIT_NICE:
38154 + res_add += GR_RLIM_NICE_BUMP;
38156 + case RLIMIT_RTPRIO:
38157 + res_add += GR_RLIM_RTPRIO_BUMP;
38159 + case RLIMIT_RTTIME:
38160 + res_add += GR_RLIM_RTTIME_BUMP;
38164 + acl->res[res].rlim_cur = res_add;
38166 + if (wanted > acl->res[res].rlim_max)
38167 + acl->res[res].rlim_max = res_add;
38169 + /* only log the subject filename, since resource logging is supported for
38170 + single-subject learning only */
38172 + cred = __task_cred(task);
38173 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38174 + task->role->roletype, cred->uid, cred->gid, acl->filename,
38175 + acl->filename, acl->res[res].rlim_cur, acl->res[res].rlim_max,
38176 + "", (unsigned long) res, &task->signal->saved_ip);
38177 + rcu_read_unlock();
38183 +#if defined(CONFIG_PAX_HAVE_ACL_FLAGS) && (defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR))
38185 +pax_set_initial_flags(struct linux_binprm *bprm)
38187 + struct task_struct *task = current;
38188 + struct acl_subject_label *proc;
38189 + unsigned long flags;
38191 + if (unlikely(!(gr_status & GR_READY)))
38194 + flags = pax_get_flags(task);
38196 + proc = task->acl;
38198 + if (proc->pax_flags & GR_PAX_DISABLE_PAGEEXEC)
38199 + flags &= ~MF_PAX_PAGEEXEC;
38200 + if (proc->pax_flags & GR_PAX_DISABLE_SEGMEXEC)
38201 + flags &= ~MF_PAX_SEGMEXEC;
38202 + if (proc->pax_flags & GR_PAX_DISABLE_RANDMMAP)
38203 + flags &= ~MF_PAX_RANDMMAP;
38204 + if (proc->pax_flags & GR_PAX_DISABLE_EMUTRAMP)
38205 + flags &= ~MF_PAX_EMUTRAMP;
38206 + if (proc->pax_flags & GR_PAX_DISABLE_MPROTECT)
38207 + flags &= ~MF_PAX_MPROTECT;
38209 + if (proc->pax_flags & GR_PAX_ENABLE_PAGEEXEC)
38210 + flags |= MF_PAX_PAGEEXEC;
38211 + if (proc->pax_flags & GR_PAX_ENABLE_SEGMEXEC)
38212 + flags |= MF_PAX_SEGMEXEC;
38213 + if (proc->pax_flags & GR_PAX_ENABLE_RANDMMAP)
38214 + flags |= MF_PAX_RANDMMAP;
38215 + if (proc->pax_flags & GR_PAX_ENABLE_EMUTRAMP)
38216 + flags |= MF_PAX_EMUTRAMP;
38217 + if (proc->pax_flags & GR_PAX_ENABLE_MPROTECT)
38218 + flags |= MF_PAX_MPROTECT;
38220 + pax_set_flags(task, flags);
38226 +#ifdef CONFIG_SYSCTL
38227 +/* Eric Biederman likes breaking userland ABI and every inode-based security
38228 + system to save 35kb of memory */
38230 +/* we modify the passed in filename, but adjust it back before returning */
38231 +static struct acl_object_label *gr_lookup_by_name(char *name, unsigned int len)
38233 + struct name_entry *nmatch;
38234 + char *p, *lastp = NULL;
38235 + struct acl_object_label *obj = NULL, *tmp;
38236 + struct acl_subject_label *tmpsubj;
38239 + read_lock(&gr_inode_lock);
38241 + p = name + len - 1;
38243 + nmatch = lookup_name_entry(name);
38244 + if (lastp != NULL)
38247 + if (nmatch == NULL)
38248 + goto next_component;
38249 + tmpsubj = current->acl;
38251 + obj = lookup_acl_obj_label(nmatch->inode, nmatch->device, tmpsubj);
38252 + if (obj != NULL) {
38253 + tmp = obj->globbed;
38255 + if (!glob_match(tmp->filename, name)) {
38263 + } while ((tmpsubj = tmpsubj->parent_subject));
38269 + while (*p != '/')
38281 + read_unlock(&gr_inode_lock);
38282 + /* obj returned will always be non-null */
38286 +/* returns 0 when allowing, non-zero on error
38287 + op of 0 is used for readdir, so we don't log the names of hidden files
38290 +gr_handle_sysctl(const struct ctl_table *table, const int op)
38292 + struct ctl_table *tmp;
38293 + const char *proc_sys = "/proc/sys";
38295 + struct acl_object_label *obj;
38296 + unsigned short len = 0, pos = 0, depth = 0, i;
38300 + if (unlikely(!(gr_status & GR_READY)))
38303 + /* for now, ignore operations on non-sysctl entries if it's not a
38305 + if (table->child != NULL && op != 0)
38309 + /* it's only a read if it's an entry, read on dirs is for readdir */
38310 + if (op & MAY_READ)
38312 + if (op & MAY_WRITE)
38313 + mode |= GR_WRITE;
38315 + preempt_disable();
38317 + path = per_cpu_ptr(gr_shared_page[0], smp_processor_id());
38319 + /* it's only a read/write if it's an actual entry, not a dir
38320 + (which are opened for readdir)
38323 + /* convert the requested sysctl entry into a pathname */
38325 + for (tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38326 + len += strlen(tmp->procname);
38331 + if ((len + depth + strlen(proc_sys) + 1) > PAGE_SIZE) {
38336 + memset(path, 0, PAGE_SIZE);
38338 + memcpy(path, proc_sys, strlen(proc_sys));
38340 + pos += strlen(proc_sys);
38342 + for (; depth > 0; depth--) {
38345 + for (i = 1, tmp = (struct ctl_table *)table; tmp != NULL; tmp = tmp->parent) {
38346 + if (depth == i) {
38347 + memcpy(path + pos, tmp->procname,
38348 + strlen(tmp->procname));
38349 + pos += strlen(tmp->procname);
38355 + obj = gr_lookup_by_name(path, pos);
38356 + err = obj->mode & (mode | to_gr_audit(mode) | GR_SUPPRESS);
38358 + if (unlikely((current->acl->mode & (GR_LEARN | GR_INHERITLEARN)) &&
38359 + ((err & mode) != mode))) {
38360 + __u32 new_mode = mode;
38362 + new_mode &= ~(GR_AUDITS | GR_SUPPRESS);
38365 + gr_log_learn_sysctl(path, new_mode);
38366 + } else if (!(err & GR_FIND) && !(err & GR_SUPPRESS) && op != 0) {
38367 + gr_log_hidden_sysctl(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, path);
38369 + } else if (!(err & GR_FIND)) {
38371 + } else if (((err & mode) & ~GR_FIND) != (mode & ~GR_FIND) && !(err & GR_SUPPRESS)) {
38372 + gr_log_str4(GR_DONT_AUDIT, GR_SYSCTL_ACL_MSG, "denied",
38373 + path, (mode & GR_READ) ? " reading" : "",
38374 + (mode & GR_WRITE) ? " writing" : "");
38376 + } else if ((err & mode) != mode) {
38378 + } else if ((((err & mode) & ~GR_FIND) == (mode & ~GR_FIND)) && (err & GR_AUDITS)) {
38379 + gr_log_str4(GR_DO_AUDIT, GR_SYSCTL_ACL_MSG, "successful",
38380 + path, (mode & GR_READ) ? " reading" : "",
38381 + (mode & GR_WRITE) ? " writing" : "");
38387 + preempt_enable();
38394 +gr_handle_proc_ptrace(struct task_struct *task)
38396 + struct file *filp;
38397 + struct task_struct *tmp = task;
38398 + struct task_struct *curtemp = current;
38401 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38402 + if (unlikely(!(gr_status & GR_READY)))
38406 + read_lock(&tasklist_lock);
38407 + read_lock(&grsec_exec_file_lock);
38408 + filp = task->exec_file;
38410 + while (tmp->pid > 0) {
38411 + if (tmp == curtemp)
38413 + tmp = tmp->real_parent;
38416 + if (!filp || (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38417 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE))))) {
38418 + read_unlock(&grsec_exec_file_lock);
38419 + read_unlock(&tasklist_lock);
38423 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38424 + if (!(gr_status & GR_READY)) {
38425 + read_unlock(&grsec_exec_file_lock);
38426 + read_unlock(&tasklist_lock);
38431 + retmode = gr_search_file(filp->f_path.dentry, GR_NOPTRACE, filp->f_path.mnt);
38432 + read_unlock(&grsec_exec_file_lock);
38433 + read_unlock(&tasklist_lock);
38435 + if (retmode & GR_NOPTRACE)
38438 + if (!(current->acl->mode & GR_POVERRIDE) && !(current->role->roletype & GR_ROLE_GOD)
38439 + && (current->acl != task->acl || (current->acl != current->role->root_label
38440 + && current->pid != task->pid)))
38446 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p)
38448 + if (unlikely(!(gr_status & GR_READY)))
38451 + if (!(current->role->roletype & GR_ROLE_GOD))
38454 + seq_printf(m, "RBAC:\t%.64s:%c:%.950s\n",
38455 + p->role->rolename, gr_task_roletype_to_char(p),
38456 + p->acl->filename);
38460 +gr_handle_ptrace(struct task_struct *task, const long request)
38462 + struct task_struct *tmp = task;
38463 + struct task_struct *curtemp = current;
38466 +#ifndef CONFIG_GRKERNSEC_HARDEN_PTRACE
38467 + if (unlikely(!(gr_status & GR_READY)))
38471 + read_lock(&tasklist_lock);
38472 + while (tmp->pid > 0) {
38473 + if (tmp == curtemp)
38475 + tmp = tmp->real_parent;
38478 + if (tmp->pid == 0 && ((grsec_enable_harden_ptrace && current_uid() && !(gr_status & GR_READY)) ||
38479 + ((gr_status & GR_READY) && !(current->acl->mode & GR_RELAXPTRACE)))) {
38480 + read_unlock(&tasklist_lock);
38481 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38484 + read_unlock(&tasklist_lock);
38486 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
38487 + if (!(gr_status & GR_READY))
38491 + read_lock(&grsec_exec_file_lock);
38492 + if (unlikely(!task->exec_file)) {
38493 + read_unlock(&grsec_exec_file_lock);
38497 + retmode = gr_search_file(task->exec_file->f_path.dentry, GR_PTRACERD | GR_NOPTRACE, task->exec_file->f_path.mnt);
38498 + read_unlock(&grsec_exec_file_lock);
38500 + if (retmode & GR_NOPTRACE) {
38501 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38505 + if (retmode & GR_PTRACERD) {
38506 + switch (request) {
38507 + case PTRACE_POKETEXT:
38508 + case PTRACE_POKEDATA:
38509 + case PTRACE_POKEUSR:
38510 +#if !defined(CONFIG_PPC32) && !defined(CONFIG_PPC64) && !defined(CONFIG_PARISC) && !defined(CONFIG_ALPHA) && !defined(CONFIG_IA64)
38511 + case PTRACE_SETREGS:
38512 + case PTRACE_SETFPREGS:
38515 + case PTRACE_SETFPXREGS:
38517 +#ifdef CONFIG_ALTIVEC
38518 + case PTRACE_SETVRREGS:
38524 + } else if (!(current->acl->mode & GR_POVERRIDE) &&
38525 + !(current->role->roletype & GR_ROLE_GOD) &&
38526 + (current->acl != task->acl)) {
38527 + gr_log_ptrace(GR_DONT_AUDIT, GR_PTRACE_ACL_MSG, task);
38534 +static int is_writable_mmap(const struct file *filp)
38536 + struct task_struct *task = current;
38537 + struct acl_object_label *obj, *obj2;
38539 + if (gr_status & GR_READY && !(task->acl->mode & GR_OVERRIDE) &&
38540 + !task->is_writable && S_ISREG(filp->f_path.dentry->d_inode->i_mode) && filp->f_path.mnt != shm_mnt) {
38541 + obj = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt, default_role->root_label);
38542 + obj2 = chk_obj_label(filp->f_path.dentry, filp->f_path.mnt,
38543 + task->role->root_label);
38544 + if (unlikely((obj->mode & GR_WRITE) || (obj2->mode & GR_WRITE))) {
38545 + gr_log_fs_generic(GR_DONT_AUDIT, GR_WRITLIB_ACL_MSG, filp->f_path.dentry, filp->f_path.mnt);
38553 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot)
38557 + if (unlikely(!file || !(prot & PROT_EXEC)))
38560 + if (is_writable_mmap(file))
38564 + gr_search_file(file->f_path.dentry,
38565 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38566 + file->f_path.mnt);
38568 + if (!gr_tpe_allow(file))
38571 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38572 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38574 + } else if (unlikely(!(mode & GR_EXEC))) {
38576 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38577 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MMAP_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38585 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
38589 + if (unlikely(!file || !(prot & PROT_EXEC)))
38592 + if (is_writable_mmap(file))
38596 + gr_search_file(file->f_path.dentry,
38597 + GR_EXEC | GR_AUDIT_EXEC | GR_SUPPRESS,
38598 + file->f_path.mnt);
38600 + if (!gr_tpe_allow(file))
38603 + if (unlikely(!(mode & GR_EXEC) && !(mode & GR_SUPPRESS))) {
38604 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38606 + } else if (unlikely(!(mode & GR_EXEC))) {
38608 + } else if (unlikely(mode & GR_EXEC && mode & GR_AUDIT_EXEC)) {
38609 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_MPROTECT_ACL_MSG, file->f_path.dentry, file->f_path.mnt);
38617 +gr_acl_handle_psacct(struct task_struct *task, const long code)
38619 + unsigned long runtime;
38620 + unsigned long cputime;
38621 + unsigned int wday, cday;
38625 + struct timespec timeval;
38627 + if (unlikely(!(gr_status & GR_READY) || !task->acl ||
38628 + !(task->acl->mode & GR_PROCACCT)))
38631 + do_posix_clock_monotonic_gettime(&timeval);
38632 + runtime = timeval.tv_sec - task->start_time.tv_sec;
38633 + wday = runtime / (3600 * 24);
38634 + runtime -= wday * (3600 * 24);
38635 + whr = runtime / 3600;
38636 + runtime -= whr * 3600;
38637 + wmin = runtime / 60;
38638 + runtime -= wmin * 60;
38641 + cputime = (task->utime + task->stime) / HZ;
38642 + cday = cputime / (3600 * 24);
38643 + cputime -= cday * (3600 * 24);
38644 + chr = cputime / 3600;
38645 + cputime -= chr * 3600;
38646 + cmin = cputime / 60;
38647 + cputime -= cmin * 60;
38650 + gr_log_procacct(GR_DO_AUDIT, GR_ACL_PROCACCT_MSG, task, wday, whr, wmin, wsec, cday, chr, cmin, csec, code);
38655 +void gr_set_kernel_label(struct task_struct *task)
38657 + if (gr_status & GR_READY) {
38658 + task->role = kernel_role;
38659 + task->acl = kernel_role->root_label;
38664 +#ifdef CONFIG_TASKSTATS
38665 +int gr_is_taskstats_denied(int pid)
38667 + struct task_struct *task;
38668 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38669 + const struct cred *cred;
38673 + /* restrict taskstats viewing to un-chrooted root users
38674 + who have the 'view' subject flag if the RBAC system is enabled
38678 + read_lock(&tasklist_lock);
38679 + task = find_task_by_vpid(pid);
38681 +#ifdef CONFIG_GRKERNSEC_CHROOT
38682 + if (proc_is_chrooted(task))
38685 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38686 + cred = __task_cred(task);
38687 +#ifdef CONFIG_GRKERNSEC_PROC_USER
38688 + if (cred->uid != 0)
38690 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
38691 + if (cred->uid != 0 && !groups_search(cred->group_info, CONFIG_GRKERNSEC_PROC_GID))
38695 + if (gr_status & GR_READY) {
38696 + if (!(task->acl->mode & GR_VIEW))
38702 + read_unlock(&tasklist_lock);
38703 + rcu_read_unlock();
38709 +/* AUXV entries are filled via a descendant of search_binary_handler
38710 + after we've already applied the subject for the target
38712 +int gr_acl_enable_at_secure(void)
38714 + if (unlikely(!(gr_status & GR_READY)))
38717 + if (current->acl->mode & GR_ATSECURE)
38723 +int gr_acl_handle_filldir(const struct file *file, const char *name, const unsigned int namelen, const ino_t ino)
38725 + struct task_struct *task = current;
38726 + struct dentry *dentry = file->f_path.dentry;
38727 + struct vfsmount *mnt = file->f_path.mnt;
38728 + struct acl_object_label *obj, *tmp;
38729 + struct acl_subject_label *subj;
38730 + unsigned int bufsize;
38734 + if (unlikely(!(gr_status & GR_READY)))
38737 + if (task->acl->mode & (GR_LEARN | GR_INHERITLEARN))
38740 + /* ignore Eric Biederman */
38741 + if (IS_PRIVATE(dentry->d_inode))
38744 + subj = task->acl;
38746 + obj = lookup_acl_obj_label(ino, dentry->d_inode->i_sb->s_dev, subj);
38748 + return (obj->mode & GR_FIND) ? 1 : 0;
38749 + } while ((subj = subj->parent_subject));
38751 + /* this is purely an optimization since we're looking for an object
38752 + for the directory we're doing a readdir on
38753 + if it's possible for any globbed object to match the entry we're
38754 + filling into the directory, then the object we find here will be
38755 + an anchor point with attached globbed objects
38757 + obj = chk_obj_label_noglob(dentry, mnt, task->acl);
38758 + if (obj->globbed == NULL)
38759 + return (obj->mode & GR_FIND) ? 1 : 0;
38761 + is_not_root = ((obj->filename[0] == '/') &&
38762 + (obj->filename[1] == '\0')) ? 0 : 1;
38763 + bufsize = PAGE_SIZE - namelen - is_not_root;
38765 + /* check bufsize > PAGE_SIZE || bufsize == 0 */
38766 + if (unlikely((bufsize - 1) > (PAGE_SIZE - 1)))
38769 + preempt_disable();
38770 + path = d_real_path(dentry, mnt, per_cpu_ptr(gr_shared_page[0], smp_processor_id()),
38773 + bufsize = strlen(path);
38775 + /* if base is "/", don't append an additional slash */
38777 + *(path + bufsize) = '/';
38778 + memcpy(path + bufsize + is_not_root, name, namelen);
38779 + *(path + bufsize + namelen + is_not_root) = '\0';
38781 + tmp = obj->globbed;
38783 + if (!glob_match(tmp->filename, path)) {
38784 + preempt_enable();
38785 + return (tmp->mode & GR_FIND) ? 1 : 0;
38789 + preempt_enable();
38790 + return (obj->mode & GR_FIND) ? 1 : 0;
38793 +#ifdef CONFIG_NETFILTER_XT_MATCH_GRADM_MODULE
38794 +EXPORT_SYMBOL(gr_acl_is_enabled);
38796 +EXPORT_SYMBOL(gr_learn_resource);
38797 +EXPORT_SYMBOL(gr_set_kernel_label);
38798 +#ifdef CONFIG_SECURITY
38799 +EXPORT_SYMBOL(gr_check_user_change);
38800 +EXPORT_SYMBOL(gr_check_group_change);
38803 diff -urNp linux-2.6.36.1/grsecurity/gracl_cap.c linux-2.6.36.1/grsecurity/gracl_cap.c
38804 --- linux-2.6.36.1/grsecurity/gracl_cap.c 1969-12-31 19:00:00.000000000 -0500
38805 +++ linux-2.6.36.1/grsecurity/gracl_cap.c 2010-11-26 18:18:12.000000000 -0500
38807 +#include <linux/kernel.h>
38808 +#include <linux/module.h>
38809 +#include <linux/sched.h>
38810 +#include <linux/gracl.h>
38811 +#include <linux/grsecurity.h>
38812 +#include <linux/grinternal.h>
38814 +static const char *captab_log[] = {
38816 + "CAP_DAC_OVERRIDE",
38817 + "CAP_DAC_READ_SEARCH",
38824 + "CAP_LINUX_IMMUTABLE",
38825 + "CAP_NET_BIND_SERVICE",
38826 + "CAP_NET_BROADCAST",
38831 + "CAP_SYS_MODULE",
38833 + "CAP_SYS_CHROOT",
38834 + "CAP_SYS_PTRACE",
38839 + "CAP_SYS_RESOURCE",
38841 + "CAP_SYS_TTY_CONFIG",
38844 + "CAP_AUDIT_WRITE",
38845 + "CAP_AUDIT_CONTROL",
38847 + "CAP_MAC_OVERRIDE",
38851 +EXPORT_SYMBOL(gr_is_capable);
38852 +EXPORT_SYMBOL(gr_is_capable_nolog);
38855 +gr_is_capable(const int cap)
38857 + struct task_struct *task = current;
38858 + const struct cred *cred = current_cred();
38859 + struct acl_subject_label *curracl;
38860 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38861 + kernel_cap_t cap_audit = __cap_empty_set;
38863 + if (!gr_acl_is_enabled())
38866 + curracl = task->acl;
38868 + cap_drop = curracl->cap_lower;
38869 + cap_mask = curracl->cap_mask;
38870 + cap_audit = curracl->cap_invert_audit;
38872 + while ((curracl = curracl->parent_subject)) {
38873 + /* if the cap isn't specified in the current computed mask but is specified in the
38874 + current level subject, and is lowered in the current level subject, then add
38875 + it to the set of dropped capabilities
38876 + otherwise, add the current level subject's mask to the current computed mask
38878 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38879 + cap_raise(cap_mask, cap);
38880 + if (cap_raised(curracl->cap_lower, cap))
38881 + cap_raise(cap_drop, cap);
38882 + if (cap_raised(curracl->cap_invert_audit, cap))
38883 + cap_raise(cap_audit, cap);
38887 + if (!cap_raised(cap_drop, cap)) {
38888 + if (cap_raised(cap_audit, cap))
38889 + gr_log_cap(GR_DO_AUDIT, GR_CAP_ACL_MSG2, task, captab_log[cap]);
38893 + curracl = task->acl;
38895 + if ((curracl->mode & (GR_LEARN | GR_INHERITLEARN))
38896 + && cap_raised(cred->cap_effective, cap)) {
38897 + security_learn(GR_LEARN_AUDIT_MSG, task->role->rolename,
38898 + task->role->roletype, cred->uid,
38899 + cred->gid, task->exec_file ?
38900 + gr_to_filename(task->exec_file->f_path.dentry,
38901 + task->exec_file->f_path.mnt) : curracl->filename,
38902 + curracl->filename, 0UL,
38903 + 0UL, "", (unsigned long) cap, &task->signal->saved_ip);
38907 + if ((cap >= 0) && (cap < (sizeof(captab_log)/sizeof(captab_log[0]))) && cap_raised(cred->cap_effective, cap) && !cap_raised(cap_audit, cap))
38908 + gr_log_cap(GR_DONT_AUDIT, GR_CAP_ACL_MSG, task, captab_log[cap]);
38913 +gr_is_capable_nolog(const int cap)
38915 + struct acl_subject_label *curracl;
38916 + kernel_cap_t cap_drop = __cap_empty_set, cap_mask = __cap_empty_set;
38918 + if (!gr_acl_is_enabled())
38921 + curracl = current->acl;
38923 + cap_drop = curracl->cap_lower;
38924 + cap_mask = curracl->cap_mask;
38926 + while ((curracl = curracl->parent_subject)) {
38927 + /* if the cap isn't specified in the current computed mask but is specified in the
38928 + current level subject, and is lowered in the current level subject, then add
38929 + it to the set of dropped capabilities
38930 + otherwise, add the current level subject's mask to the current computed mask
38932 + if (!cap_raised(cap_mask, cap) && cap_raised(curracl->cap_mask, cap)) {
38933 + cap_raise(cap_mask, cap);
38934 + if (cap_raised(curracl->cap_lower, cap))
38935 + cap_raise(cap_drop, cap);
38939 + if (!cap_raised(cap_drop, cap))
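Review bot: In gr_is_capable the audit branch indexes `captab_log[cap]` unchecked (line 38888-38889), while the denial log a few lines later (38907) first verifies `(cap >= 0) && (cap < sizeof(captab_log)/sizeof(captab_log[0]))`; the two paths should agree, e.g. `if (cap_raised(cap_audit, cap) && cap >= 0 && cap < ARRAY_SIZE(captab_log))`, or better, one range check hoisted above the parent_subject walk so the `cap_raised()` bit tests are covered as well. `captab_log` is declared without an explicit bound, so a missing entry would silently shorten the table; `BUILD_BUG_ON(ARRAY_SIZE(captab_log) != CAP_LAST_CAP + 1)` at the top of gr_is_capable would pin it, and `ARRAY_SIZE()` should replace the hand-written sizeof division at 38907. The parent-walk that accumulates cap_mask/cap_drop is duplicated verbatim in gr_is_capable_nolog (38926-38935); a shared static helper returning the computed cap_drop would keep the two from drifting. This rendering drops short lines (braces, bare returns), so the exact return values on the early-exit paths are not visible here.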
38945 diff -urNp linux-2.6.36.1/grsecurity/gracl_fs.c linux-2.6.36.1/grsecurity/gracl_fs.c
38946 --- linux-2.6.36.1/grsecurity/gracl_fs.c 1969-12-31 19:00:00.000000000 -0500
38947 +++ linux-2.6.36.1/grsecurity/gracl_fs.c 2010-11-26 18:18:12.000000000 -0500
38949 +#include <linux/kernel.h>
38950 +#include <linux/sched.h>
38951 +#include <linux/types.h>
38952 +#include <linux/fs.h>
38953 +#include <linux/file.h>
38954 +#include <linux/stat.h>
38955 +#include <linux/grsecurity.h>
38956 +#include <linux/grinternal.h>
38957 +#include <linux/gracl.h>
38960 +gr_acl_handle_hidden_file(const struct dentry * dentry,
38961 + const struct vfsmount * mnt)
38965 + if (unlikely(!dentry->d_inode))
38969 + gr_search_file(dentry, GR_FIND | GR_AUDIT_FIND | GR_SUPPRESS, mnt);
38971 + if (unlikely(mode & GR_FIND && mode & GR_AUDIT_FIND)) {
38972 + gr_log_fs_rbac_generic(GR_DO_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38974 + } else if (unlikely(!(mode & GR_FIND) && !(mode & GR_SUPPRESS))) {
38975 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, GR_HIDDEN_ACL_MSG, dentry, mnt);
38977 + } else if (unlikely(!(mode & GR_FIND)))
38984 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
38987 + __u32 reqmode = GR_FIND;
38990 + if (unlikely(!dentry->d_inode))
38993 + if (unlikely(fmode & O_APPEND))
38994 + reqmode |= GR_APPEND;
38995 + else if (unlikely(fmode & FMODE_WRITE))
38996 + reqmode |= GR_WRITE;
38997 + if (likely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
38998 + reqmode |= GR_READ;
38999 + if ((fmode & FMODE_GREXEC) && (fmode & FMODE_EXEC))
39000 + reqmode &= ~GR_READ;
39002 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39005 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39006 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39007 + reqmode & GR_READ ? " reading" : "",
39008 + reqmode & GR_WRITE ? " writing" : reqmode &
39009 + GR_APPEND ? " appending" : "");
39012 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39014 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_OPEN_ACL_MSG, dentry, mnt,
39015 + reqmode & GR_READ ? " reading" : "",
39016 + reqmode & GR_WRITE ? " writing" : reqmode &
39017 + GR_APPEND ? " appending" : "");
39019 + } else if (unlikely((mode & reqmode) != reqmode))
39026 +gr_acl_handle_creat(const struct dentry * dentry,
39027 + const struct dentry * p_dentry,
39028 + const struct vfsmount * p_mnt, const int fmode,
39031 + __u32 reqmode = GR_WRITE | GR_CREATE;
39034 + if (unlikely(fmode & O_APPEND))
39035 + reqmode |= GR_APPEND;
39036 + if (unlikely((fmode & FMODE_READ) && !(fmode & O_DIRECTORY)))
39037 + reqmode |= GR_READ;
39038 + if (unlikely((fmode & O_CREAT) && (imode & (S_ISUID | S_ISGID))))
39039 + reqmode |= GR_SETID;
39042 + gr_check_create(dentry, p_dentry, p_mnt,
39043 + reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39045 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39046 + gr_log_fs_rbac_mode2(GR_DO_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39047 + reqmode & GR_READ ? " reading" : "",
39048 + reqmode & GR_WRITE ? " writing" : reqmode &
39049 + GR_APPEND ? " appending" : "");
39052 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39054 + gr_log_fs_rbac_mode2(GR_DONT_AUDIT, GR_CREATE_ACL_MSG, dentry, p_mnt,
39055 + reqmode & GR_READ ? " reading" : "",
39056 + reqmode & GR_WRITE ? " writing" : reqmode &
39057 + GR_APPEND ? " appending" : "");
39059 + } else if (unlikely((mode & reqmode) != reqmode))
39066 +gr_acl_handle_access(const struct dentry * dentry, const struct vfsmount * mnt,
39069 + __u32 mode, reqmode = GR_FIND;
39071 + if ((fmode & S_IXOTH) && !S_ISDIR(dentry->d_inode->i_mode))
39072 + reqmode |= GR_EXEC;
39073 + if (fmode & S_IWOTH)
39074 + reqmode |= GR_WRITE;
39075 + if (fmode & S_IROTH)
39076 + reqmode |= GR_READ;
39079 + gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS,
39082 + if (unlikely(((mode & reqmode) == reqmode) && mode & GR_AUDITS)) {
39083 + gr_log_fs_rbac_mode3(GR_DO_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39084 + reqmode & GR_READ ? " reading" : "",
39085 + reqmode & GR_WRITE ? " writing" : "",
39086 + reqmode & GR_EXEC ? " executing" : "");
39089 + if (unlikely((mode & reqmode) != reqmode && !(mode & GR_SUPPRESS)))
39091 + gr_log_fs_rbac_mode3(GR_DONT_AUDIT, GR_ACCESS_ACL_MSG, dentry, mnt,
39092 + reqmode & GR_READ ? " reading" : "",
39093 + reqmode & GR_WRITE ? " writing" : "",
39094 + reqmode & GR_EXEC ? " executing" : "");
39096 + } else if (unlikely((mode & reqmode) != reqmode))
39102 +static __u32 generic_fs_handler(const struct dentry *dentry, const struct vfsmount *mnt, __u32 reqmode, const char *fmt)
39106 + mode = gr_search_file(dentry, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS, mnt);
39108 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39109 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, dentry, mnt);
39111 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39112 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, dentry, mnt);
39114 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39117 + return (reqmode);
39121 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
39123 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_RMDIR_ACL_MSG);
39127 +gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
39129 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_DELETE , GR_UNLINK_ACL_MSG);
39133 +gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
39135 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_TRUNCATE_ACL_MSG);
39139 +gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
39141 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_ATIME_ACL_MSG);
39145 +gr_acl_handle_fchmod(const struct dentry *dentry, const struct vfsmount *mnt,
39148 + if (unlikely(dentry->d_inode && S_ISSOCK(dentry->d_inode->i_mode)))
39151 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39152 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39153 + GR_FCHMOD_ACL_MSG);
39155 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_FCHMOD_ACL_MSG);
39160 +gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
39163 + if (unlikely((mode != (mode_t)-1) && (mode & (S_ISUID | S_ISGID)))) {
39164 + return generic_fs_handler(dentry, mnt, GR_WRITE | GR_SETID,
39165 + GR_CHMOD_ACL_MSG);
39167 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHMOD_ACL_MSG);
39172 +gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
39174 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_CHOWN_ACL_MSG);
39178 +gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
39180 + return generic_fs_handler(dentry, mnt, GR_WRITE, GR_SETXATTR_ACL_MSG);
39184 +gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
39186 + return generic_fs_handler(dentry, mnt, GR_EXEC, GR_EXEC_ACL_MSG);
39190 +gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
39192 + return generic_fs_handler(dentry, mnt, GR_READ | GR_WRITE,
39193 + GR_UNIXCONNECT_ACL_MSG);
39196 +/* hardlinks require at minimum create permission,
39197 + any additional privilege required is based on the
39198 + privilege of the file being linked to
39201 +gr_acl_handle_link(const struct dentry * new_dentry,
39202 + const struct dentry * parent_dentry,
39203 + const struct vfsmount * parent_mnt,
39204 + const struct dentry * old_dentry,
39205 + const struct vfsmount * old_mnt, const char *to)
39208 + __u32 needmode = GR_CREATE | GR_LINK;
39209 + __u32 needaudit = GR_AUDIT_CREATE | GR_AUDIT_LINK;
39212 + gr_check_link(new_dentry, parent_dentry, parent_mnt, old_dentry,
39215 + if (unlikely(((mode & needmode) == needmode) && (mode & needaudit))) {
39216 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39218 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39219 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_LINK_ACL_MSG, old_dentry, old_mnt, to);
39221 + } else if (unlikely((mode & needmode) != needmode))
39228 +gr_acl_handle_symlink(const struct dentry * new_dentry,
39229 + const struct dentry * parent_dentry,
39230 + const struct vfsmount * parent_mnt, const char *from)
39232 + __u32 needmode = GR_WRITE | GR_CREATE;
39236 + gr_check_create(new_dentry, parent_dentry, parent_mnt,
39237 + GR_CREATE | GR_AUDIT_CREATE |
39238 + GR_WRITE | GR_AUDIT_WRITE | GR_SUPPRESS);
39240 + if (unlikely(mode & GR_WRITE && mode & GR_AUDITS)) {
39241 + gr_log_fs_str_rbac(GR_DO_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39243 + } else if (unlikely(((mode & needmode) != needmode) && !(mode & GR_SUPPRESS))) {
39244 + gr_log_fs_str_rbac(GR_DONT_AUDIT, GR_SYMLINK_ACL_MSG, from, new_dentry, parent_mnt);
39246 + } else if (unlikely((mode & needmode) != needmode))
39249 + return (GR_WRITE | GR_CREATE);
39252 +static __u32 generic_fs_create_handler(const struct dentry *new_dentry, const struct dentry *parent_dentry, const struct vfsmount *parent_mnt, __u32 reqmode, const char *fmt)
39256 + mode = gr_check_create(new_dentry, parent_dentry, parent_mnt, reqmode | to_gr_audit(reqmode) | GR_SUPPRESS);
39258 + if (unlikely(((mode & (reqmode)) == (reqmode)) && mode & GR_AUDITS)) {
39259 + gr_log_fs_rbac_generic(GR_DO_AUDIT, fmt, new_dentry, parent_mnt);
39261 + } else if (unlikely((mode & (reqmode)) != (reqmode) && !(mode & GR_SUPPRESS))) {
39262 + gr_log_fs_rbac_generic(GR_DONT_AUDIT, fmt, new_dentry, parent_mnt);
39264 + } else if (unlikely((mode & (reqmode)) != (reqmode)))
39267 + return (reqmode);
39271 +gr_acl_handle_mknod(const struct dentry * new_dentry,
39272 + const struct dentry * parent_dentry,
39273 + const struct vfsmount * parent_mnt,
39276 + __u32 reqmode = GR_WRITE | GR_CREATE;
39277 + if (unlikely(mode & (S_ISUID | S_ISGID)))
39278 + reqmode |= GR_SETID;
39280 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39281 + reqmode, GR_MKNOD_ACL_MSG);
39285 +gr_acl_handle_mkdir(const struct dentry *new_dentry,
39286 + const struct dentry *parent_dentry,
39287 + const struct vfsmount *parent_mnt)
39289 + return generic_fs_create_handler(new_dentry, parent_dentry, parent_mnt,
39290 + GR_WRITE | GR_CREATE, GR_MKDIR_ACL_MSG);
39293 +#define RENAME_CHECK_SUCCESS(old, new) \
39294 + (((old & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && \
39295 + ((new & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)))
39298 +gr_acl_handle_rename(struct dentry *new_dentry,
39299 + struct dentry *parent_dentry,
39300 + const struct vfsmount *parent_mnt,
39301 + struct dentry *old_dentry,
39302 + struct inode *old_parent_inode,
39303 + struct vfsmount *old_mnt, const char *newname)
39305 + __u32 comp1, comp2;
39308 + if (unlikely(!gr_acl_is_enabled()))
39311 + if (!new_dentry->d_inode) {
39312 + comp1 = gr_check_create(new_dentry, parent_dentry, parent_mnt,
39313 + GR_READ | GR_WRITE | GR_CREATE | GR_AUDIT_READ |
39314 + GR_AUDIT_WRITE | GR_AUDIT_CREATE | GR_SUPPRESS);
39315 + comp2 = gr_search_file(old_dentry, GR_READ | GR_WRITE |
39316 + GR_DELETE | GR_AUDIT_DELETE |
39317 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39318 + GR_SUPPRESS, old_mnt);
39320 + comp1 = gr_search_file(new_dentry, GR_READ | GR_WRITE |
39321 + GR_CREATE | GR_DELETE |
39322 + GR_AUDIT_CREATE | GR_AUDIT_DELETE |
39323 + GR_AUDIT_READ | GR_AUDIT_WRITE |
39324 + GR_SUPPRESS, parent_mnt);
39326 + gr_search_file(old_dentry,
39327 + GR_READ | GR_WRITE | GR_AUDIT_READ |
39328 + GR_DELETE | GR_AUDIT_DELETE |
39329 + GR_AUDIT_WRITE | GR_SUPPRESS, old_mnt);
39332 + if (RENAME_CHECK_SUCCESS(comp1, comp2) &&
39333 + ((comp1 & GR_AUDITS) || (comp2 & GR_AUDITS)))
39334 + gr_log_fs_rbac_str(GR_DO_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39335 + else if (!RENAME_CHECK_SUCCESS(comp1, comp2) && !(comp1 & GR_SUPPRESS)
39336 + && !(comp2 & GR_SUPPRESS)) {
39337 + gr_log_fs_rbac_str(GR_DONT_AUDIT, GR_RENAME_ACL_MSG, old_dentry, old_mnt, newname);
39339 + } else if (unlikely(!RENAME_CHECK_SUCCESS(comp1, comp2)))
39346 +gr_acl_handle_exit(void)
39350 + struct file *exec_file;
39352 + if (unlikely(current->acl_sp_role && gr_acl_is_enabled())) {
39353 + id = current->acl_role_id;
39354 + rolename = current->role->rolename;
39356 + gr_log_str_int(GR_DONT_AUDIT_GOOD, GR_SPROLEL_ACL_MSG, rolename, id);
39359 + write_lock(&grsec_exec_file_lock);
39360 + exec_file = current->exec_file;
39361 + current->exec_file = NULL;
39362 + write_unlock(&grsec_exec_file_lock);
39369 +gr_acl_handle_procpidmem(const struct task_struct *task)
39371 + if (unlikely(!gr_acl_is_enabled()))
39374 + if (task != current && task->acl->mode & GR_PROTPROCFD)
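Review bot: gr_acl_handle_access dereferences `dentry->d_inode->i_mode` at line 39071 without the `if (unlikely(!dentry->d_inode))` guard that gr_acl_handle_hidden_file (38965) and gr_acl_handle_open (38990) apply before touching the inode, and gr_acl_handle_fchmod (39148) even tests `dentry->d_inode &&` before S_ISSOCK. If the access(2) path guarantees a positive dentry here, a one-line comment stating that invariant would save the next reader the question; otherwise the same guard belongs at the top of the function, returning whatever the sibling handlers return on that path (those short return lines are dropped from this rendering, so I cannot quote the value). Separately, `RENAME_CHECK_SUCCESS` (39293-39295) does not parenthesize its `old`/`new` arguments; `(((old) & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ)) && (((new) & (GR_WRITE | GR_READ)) == (GR_WRITE | GR_READ))` is the hygienic form even though the current callers pass plain identifiers.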
39379 diff -urNp linux-2.6.36.1/grsecurity/gracl_ip.c linux-2.6.36.1/grsecurity/gracl_ip.c
39380 --- linux-2.6.36.1/grsecurity/gracl_ip.c 1969-12-31 19:00:00.000000000 -0500
39381 +++ linux-2.6.36.1/grsecurity/gracl_ip.c 2010-11-26 18:21:00.000000000 -0500
39383 +#include <linux/kernel.h>
39384 +#include <asm/uaccess.h>
39385 +#include <asm/errno.h>
39386 +#include <net/sock.h>
39387 +#include <linux/file.h>
39388 +#include <linux/fs.h>
39389 +#include <linux/net.h>
39390 +#include <linux/in.h>
39391 +#include <linux/skbuff.h>
39392 +#include <linux/ip.h>
39393 +#include <linux/udp.h>
39394 +#include <linux/smp_lock.h>
39395 +#include <linux/types.h>
39396 +#include <linux/sched.h>
39397 +#include <linux/netdevice.h>
39398 +#include <linux/inetdevice.h>
39399 +#include <linux/gracl.h>
39400 +#include <linux/grsecurity.h>
39401 +#include <linux/grinternal.h>
39403 +#define GR_BIND 0x01
39404 +#define GR_CONNECT 0x02
39405 +#define GR_INVERT 0x04
39406 +#define GR_BINDOVERRIDE 0x08
39407 +#define GR_CONNECTOVERRIDE 0x10
39408 +#define GR_SOCK_FAMILY 0x20
39410 +static const char * gr_protocols[IPPROTO_MAX] = {
39411 + "ip", "icmp", "igmp", "ggp", "ipencap", "st", "tcp", "cbt",
39412 + "egp", "igp", "bbn-rcc", "nvp", "pup", "argus", "emcon", "xnet",
39413 + "chaos", "udp", "mux", "dcn", "hmp", "prm", "xns-idp", "trunk-1",
39414 + "trunk-2", "leaf-1", "leaf-2", "rdp", "irtp", "iso-tp4", "netblt", "mfe-nsp",
39415 + "merit-inp", "sep", "3pc", "idpr", "xtp", "ddp", "idpr-cmtp", "tp++",
39416 + "il", "ipv6", "sdrp", "ipv6-route", "ipv6-frag", "idrp", "rsvp", "gre",
39417 + "mhrp", "bna", "ipv6-crypt", "ipv6-auth", "i-nlsp", "swipe", "narp", "mobile",
39418 + "tlsp", "skip", "ipv6-icmp", "ipv6-nonxt", "ipv6-opts", "unknown:61", "cftp", "unknown:63",
39419 + "sat-expak", "kryptolan", "rvd", "ippc", "unknown:68", "sat-mon", "visa", "ipcv",
39420 + "cpnx", "cphb", "wsn", "pvp", "br-sat-mon", "sun-nd", "wb-mon", "wb-expak",
39421 + "iso-ip", "vmtp", "secure-vmtp", "vines", "ttp", "nfsnet-igp", "dgp", "tcf",
39422 + "eigrp", "ospf", "sprite-rpc", "larp", "mtp", "ax.25", "ipip", "micp",
39423 + "scc-sp", "etherip", "encap", "unknown:99", "gmtp", "ifmp", "pnni", "pim",
39424 + "aris", "scps", "qnx", "a/n", "ipcomp", "snp", "compaq-peer", "ipx-in-ip",
39425 + "vrrp", "pgm", "unknown:114", "l2tp", "ddx", "iatp", "stp", "srp",
39426 + "uti", "smp", "sm", "ptp", "isis", "fire", "crtp", "crdup",
39427 + "sscopmce", "iplt", "sps", "pipe", "sctp", "fc", "unkown:134", "unknown:135",
39428 + "unknown:136", "unknown:137", "unknown:138", "unknown:139", "unknown:140", "unknown:141", "unknown:142", "unknown:143",
39429 + "unknown:144", "unknown:145", "unknown:146", "unknown:147", "unknown:148", "unknown:149", "unknown:150", "unknown:151",
39430 + "unknown:152", "unknown:153", "unknown:154", "unknown:155", "unknown:156", "unknown:157", "unknown:158", "unknown:159",
39431 + "unknown:160", "unknown:161", "unknown:162", "unknown:163", "unknown:164", "unknown:165", "unknown:166", "unknown:167",
39432 + "unknown:168", "unknown:169", "unknown:170", "unknown:171", "unknown:172", "unknown:173", "unknown:174", "unknown:175",
39433 + "unknown:176", "unknown:177", "unknown:178", "unknown:179", "unknown:180", "unknown:181", "unknown:182", "unknown:183",
39434 + "unknown:184", "unknown:185", "unknown:186", "unknown:187", "unknown:188", "unknown:189", "unknown:190", "unknown:191",
39435 + "unknown:192", "unknown:193", "unknown:194", "unknown:195", "unknown:196", "unknown:197", "unknown:198", "unknown:199",
39436 + "unknown:200", "unknown:201", "unknown:202", "unknown:203", "unknown:204", "unknown:205", "unknown:206", "unknown:207",
39437 + "unknown:208", "unknown:209", "unknown:210", "unknown:211", "unknown:212", "unknown:213", "unknown:214", "unknown:215",
39438 + "unknown:216", "unknown:217", "unknown:218", "unknown:219", "unknown:220", "unknown:221", "unknown:222", "unknown:223",
39439 + "unknown:224", "unknown:225", "unknown:226", "unknown:227", "unknown:228", "unknown:229", "unknown:230", "unknown:231",
39440 + "unknown:232", "unknown:233", "unknown:234", "unknown:235", "unknown:236", "unknown:237", "unknown:238", "unknown:239",
39441 + "unknown:240", "unknown:241", "unknown:242", "unknown:243", "unknown:244", "unknown:245", "unknown:246", "unknown:247",
39442 + "unknown:248", "unknown:249", "unknown:250", "unknown:251", "unknown:252", "unknown:253", "unknown:254", "unknown:255",
39445 +static const char * gr_socktypes[SOCK_MAX] = {
39446 + "unknown:0", "stream", "dgram", "raw", "rdm", "seqpacket", "unknown:6",
39447 + "unknown:7", "unknown:8", "unknown:9", "packet"
39450 +static const char * gr_sockfamilies[AF_MAX+1] = {
39451 + "unix", "local", "inet", "ax25", "ipx", "appletalk", "netrom", "bridge", "atmpvc", "x25",
39452 + "inet6", "rose", "decnet", "netbeui", "security", "key", "netlink", "route", "packet", "ash",
39453 + "econet", "atmsvc", "rds", "sna", "irda", "ppox", "wanpipe", "llc", "tipc", "bluetooth",
39454 + "iucv", "rxrpc", "isdn", "phonet", "ieee802154", "ciaf"
39458 +gr_proto_to_name(unsigned char proto)
39460 + return gr_protocols[proto];
39464 +gr_socktype_to_name(unsigned char type)
39466 + return gr_socktypes[type];
39470 +gr_sockfamily_to_name(unsigned char family)
39472 + return gr_sockfamilies[family];
39476 +gr_search_socket(const int domain, const int type, const int protocol)
39478 + struct acl_subject_label *curr;
39479 + const struct cred *cred = current_cred();
39481 + if (unlikely(!gr_acl_is_enabled()))
39484 + if ((domain < 0) || (type < 0) || (protocol < 0) ||
39485 + (domain >= AF_MAX) || (type >= SOCK_MAX) || (protocol >= IPPROTO_MAX))
39486 + goto exit; // let the kernel handle it
39488 + curr = current->acl;
39490 + if (curr->sock_families[domain / 32] & (1 << (domain % 32))) {
39491 + /* the family is allowed, if this is PF_INET allow it only if
39492 + the extra sock type/protocol checks pass */
39493 + if (domain == PF_INET)
39497 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39498 + __u32 fakeip = 0;
39499 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39500 + current->role->roletype, cred->uid,
39501 + cred->gid, current->exec_file ?
39502 + gr_to_filename(current->exec_file->f_path.dentry,
39503 + current->exec_file->f_path.mnt) :
39504 + curr->filename, curr->filename,
39505 + &fakeip, domain, 0, 0, GR_SOCK_FAMILY,
39506 + ¤t->signal->saved_ip);
39513 + /* the rest of this checking is for IPv4 only */
39517 + if ((curr->ip_type & (1 << type)) &&
39518 + (curr->ip_proto[protocol / 32] & (1 << (protocol % 32))))
39521 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39522 + /* we don't place acls on raw sockets , and sometimes
39523 + dgram/ip sockets are opened for ioctl and not
39524 + bind/connect, so we'll fake a bind learn log */
39525 + if (type == SOCK_RAW || type == SOCK_PACKET) {
39526 + __u32 fakeip = 0;
39527 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39528 + current->role->roletype, cred->uid,
39529 + cred->gid, current->exec_file ?
39530 + gr_to_filename(current->exec_file->f_path.dentry,
39531 + current->exec_file->f_path.mnt) :
39532 + curr->filename, curr->filename,
39533 + &fakeip, 0, type,
39534 + protocol, GR_CONNECT, ¤t->signal->saved_ip);
39535 + } else if ((type == SOCK_DGRAM) && (protocol == IPPROTO_IP)) {
39536 + __u32 fakeip = 0;
39537 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39538 + current->role->roletype, cred->uid,
39539 + cred->gid, current->exec_file ?
39540 + gr_to_filename(current->exec_file->f_path.dentry,
39541 + current->exec_file->f_path.mnt) :
39542 + curr->filename, curr->filename,
39543 + &fakeip, 0, type,
39544 + protocol, GR_BIND, ¤t->signal->saved_ip);
39546 + /* we'll log when they use connect or bind */
39551 + gr_log_str3(GR_DONT_AUDIT, GR_SOCK_MSG, gr_sockfamily_to_name(domain),
39552 + gr_socktype_to_name(type), gr_proto_to_name(protocol));
39559 +int check_ip_policy(struct acl_ip_label *ip, __u32 ip_addr, __u16 ip_port, __u8 protocol, const int mode, const int type, __u32 our_addr, __u32 our_netmask)
39561 + if ((ip->mode & mode) &&
39562 + (ip_port >= ip->low) &&
39563 + (ip_port <= ip->high) &&
39564 + ((ntohl(ip_addr) & our_netmask) ==
39565 + (ntohl(our_addr) & our_netmask))
39566 + && (ip->proto[protocol / 32] & (1 << (protocol % 32)))
39567 + && (ip->type & (1 << type))) {
39568 + if (ip->mode & GR_INVERT)
39569 + return 2; // specifically denied
39571 + return 1; // allowed
39574 + return 0; // not specifically allowed, may continue parsing
39578 +gr_search_connectbind(const int full_mode, struct sock *sk,
39579 + struct sockaddr_in *addr, const int type)
39581 + char iface[IFNAMSIZ] = {0};
39582 + struct acl_subject_label *curr;
39583 + struct acl_ip_label *ip;
39584 + struct inet_sock *isk;
39585 + struct net_device *dev;
39586 + struct in_device *idev;
39589 + int mode = full_mode & (GR_BIND | GR_CONNECT);
39590 + __u32 ip_addr = 0;
39592 + __u32 our_netmask;
39594 + __u16 ip_port = 0;
39595 + const struct cred *cred = current_cred();
39597 + if (unlikely(!gr_acl_is_enabled() || sk->sk_family != PF_INET))
39600 + curr = current->acl;
39601 + isk = inet_sk(sk);
39603 + /* INADDR_ANY overriding for binds, inaddr_any_override is already in network order */
39604 + if ((full_mode & GR_BINDOVERRIDE) && addr->sin_addr.s_addr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0)
39605 + addr->sin_addr.s_addr = curr->inaddr_any_override;
39606 + if ((full_mode & GR_CONNECT) && isk->inet_saddr == htonl(INADDR_ANY) && curr->inaddr_any_override != 0) {
39607 + struct sockaddr_in saddr;
39610 + saddr.sin_family = AF_INET;
39611 + saddr.sin_addr.s_addr = curr->inaddr_any_override;
39612 + saddr.sin_port = isk->inet_sport;
39614 + err = security_socket_bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39618 + err = sk->sk_socket->ops->bind(sk->sk_socket, (struct sockaddr *)&saddr, sizeof(struct sockaddr_in));
39626 + ip_addr = addr->sin_addr.s_addr;
39627 + ip_port = ntohs(addr->sin_port);
39629 + if (curr->mode & (GR_LEARN | GR_INHERITLEARN)) {
39630 + security_learn(GR_IP_LEARN_MSG, current->role->rolename,
39631 + current->role->roletype, cred->uid,
39632 + cred->gid, current->exec_file ?
39633 + gr_to_filename(current->exec_file->f_path.dentry,
39634 + current->exec_file->f_path.mnt) :
39635 + curr->filename, curr->filename,
39636 + &ip_addr, ip_port, type,
39637 + sk->sk_protocol, mode, ¤t->signal->saved_ip);
39641 + for (i = 0; i < curr->ip_num; i++) {
39642 + ip = *(curr->ips + i);
39643 + if (ip->iface != NULL) {
39644 + strncpy(iface, ip->iface, IFNAMSIZ - 1);
39645 + p = strchr(iface, ':');
39648 + dev = dev_get_by_name(sock_net(sk), iface);
39651 + idev = in_dev_get(dev);
39652 + if (idev == NULL) {
39658 + if (!strcmp(ip->iface, ifa->ifa_label)) {
39659 + our_addr = ifa->ifa_address;
39660 + our_netmask = 0xffffffff;
39661 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39663 + rcu_read_unlock();
39664 + in_dev_put(idev);
39667 + } else if (ret == 2) {
39668 + rcu_read_unlock();
39669 + in_dev_put(idev);
39674 + } endfor_ifa(idev);
39675 + rcu_read_unlock();
39676 + in_dev_put(idev);
39679 + our_addr = ip->addr;
39680 + our_netmask = ip->netmask;
39681 + ret = check_ip_policy(ip, ip_addr, ip_port, sk->sk_protocol, mode, type, our_addr, our_netmask);
39684 + else if (ret == 2)
39690 + if (mode == GR_BIND)
39691 + gr_log_int5_str2(GR_DONT_AUDIT, GR_BIND_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39692 + else if (mode == GR_CONNECT)
39693 + gr_log_int5_str2(GR_DONT_AUDIT, GR_CONNECT_ACL_MSG, &ip_addr, ip_port, gr_socktype_to_name(type), gr_proto_to_name(sk->sk_protocol));
39699 +gr_search_connect(struct socket *sock, struct sockaddr_in *addr)
39701 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sock->sk, addr, sock->type);
39705 +gr_search_bind(struct socket *sock, struct sockaddr_in *addr)
39707 + return gr_search_connectbind(GR_BIND | GR_BINDOVERRIDE, sock->sk, addr, sock->type);
39710 +int gr_search_listen(struct socket *sock)
39712 + struct sock *sk = sock->sk;
39713 + struct sockaddr_in addr;
39715 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39716 + addr.sin_port = inet_sk(sk)->inet_sport;
39718 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39721 +int gr_search_accept(struct socket *sock)
39723 + struct sock *sk = sock->sk;
39724 + struct sockaddr_in addr;
39726 + addr.sin_addr.s_addr = inet_sk(sk)->inet_saddr;
39727 + addr.sin_port = inet_sk(sk)->inet_sport;
39729 + return gr_search_connectbind(GR_BIND | GR_CONNECTOVERRIDE, sock->sk, &addr, sock->type);
39733 +gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr)
39736 + return gr_search_connectbind(GR_CONNECT, sk, addr, SOCK_DGRAM);
39738 + struct sockaddr_in sin;
39739 + const struct inet_sock *inet = inet_sk(sk);
39741 + sin.sin_addr.s_addr = inet->inet_daddr;
39742 + sin.sin_port = inet->inet_dport;
39744 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
39749 +gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb)
39751 + struct sockaddr_in sin;
39753 + if (unlikely(skb->len < sizeof (struct udphdr)))
39754 + return 0; // skip this packet
39756 + sin.sin_addr.s_addr = ip_hdr(skb)->saddr;
39757 + sin.sin_port = udp_hdr(skb)->source;
39759 + return gr_search_connectbind(GR_CONNECT | GR_CONNECTOVERRIDE, sk, &sin, SOCK_DGRAM);
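Review bot: The `gr_sockfamilies` initializer (39450-39454) lists "unix" and "local" and again "netlink" and "route" as consecutive entries, but AF_LOCAL is an alias of AF_UNIX and AF_ROUTE an alias of AF_NETLINK in <linux/socket.h>, so the positional table is shifted by one from index 1 and by two from AF_PACKET onward, and every family name written into GR_SOCK_MSG audit records via gr_sockfamily_to_name (39551) after those points is wrong. Indexing the initializer by the AF_* constants themselves removes the dependence on element order and keeps a future family from shifting the names after it; since that leaves holes (unassigned family numbers) as NULL, `gr_sockfamily_to_name` (39470-39472) should then fall back to a literal, `return gr_sockfamilies[family] ? gr_sockfamilies[family] : "unknown";`, rather than hand a NULL to the string formatter. The same table also carries the typo `"ciaf"` for AF_CAIF, and `gr_protocols` has `"unkown:134"` at 39427, both of which end up verbatim in log lines that operators grep. The bounds check in gr_search_socket (39484-39485) already keeps `domain` below AF_MAX, so the array size can stay as declared.

```c
/* keyed by AF_* value so aliased families (AF_UNIX/AF_LOCAL, AF_NETLINK/AF_ROUTE)
 * share one slot and gaps cannot shift the names that follow them */
static const char * gr_sockfamilies[AF_MAX+1] = {
	[AF_UNSPEC] = "unspec", [AF_UNIX] = "unix", [AF_INET] = "inet",
	[AF_AX25] = "ax25", [AF_IPX] = "ipx", [AF_APPLETALK] = "appletalk",
	[AF_NETROM] = "netrom", [AF_BRIDGE] = "bridge", [AF_ATMPVC] = "atmpvc",
	[AF_X25] = "x25", [AF_INET6] = "inet6", [AF_ROSE] = "rose",
	[AF_DECnet] = "decnet", [AF_NETBEUI] = "netbeui", [AF_SECURITY] = "security",
	[AF_KEY] = "key", [AF_NETLINK] = "netlink", [AF_PACKET] = "packet",
	[AF_ASH] = "ash", [AF_ECONET] = "econet", [AF_ATMSVC] = "atmsvc",
	[AF_RDS] = "rds", [AF_SNA] = "sna", [AF_IRDA] = "irda",
	[AF_PPPOX] = "pppox", [AF_WANPIPE] = "wanpipe", [AF_LLC] = "llc",
	[AF_TIPC] = "tipc", [AF_BLUETOOTH] = "bluetooth", [AF_IUCV] = "iucv",
	[AF_RXRPC] = "rxrpc", [AF_ISDN] = "isdn", [AF_PHONET] = "phonet",
	[AF_IEEE802154] = "ieee802154", [AF_CAIF] = "caif"
};
```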
39761 diff -urNp linux-2.6.36.1/grsecurity/gracl_learn.c linux-2.6.36.1/grsecurity/gracl_learn.c
39762 --- linux-2.6.36.1/grsecurity/gracl_learn.c 1969-12-31 19:00:00.000000000 -0500
39763 +++ linux-2.6.36.1/grsecurity/gracl_learn.c 2010-11-06 18:58:50.000000000 -0400
39765 +#include <linux/kernel.h>
39766 +#include <linux/mm.h>
39767 +#include <linux/sched.h>
39768 +#include <linux/poll.h>
39769 +#include <linux/smp_lock.h>
39770 +#include <linux/string.h>
39771 +#include <linux/file.h>
39772 +#include <linux/types.h>
39773 +#include <linux/vmalloc.h>
39774 +#include <linux/grinternal.h>
39776 +extern ssize_t write_grsec_handler(struct file * file, const char __user * buf,
39777 + size_t count, loff_t *ppos);
39778 +extern int gr_acl_is_enabled(void);
39780 +static DECLARE_WAIT_QUEUE_HEAD(learn_wait);
39781 +static int gr_learn_attached;
39783 +/* use a 512k buffer */
39784 +#define LEARN_BUFFER_SIZE (512 * 1024)
39786 +static DEFINE_SPINLOCK(gr_learn_lock);
39787 +static DECLARE_MUTEX(gr_learn_user_sem);
39789 +/* we need to maintain two buffers, so that the kernel context of grlearn
39790 + uses a semaphore around the userspace copying, and the other kernel contexts
39791 + use a spinlock when copying into the buffer, since they cannot sleep
39793 +static char *learn_buffer;
39794 +static char *learn_buffer_user;
39795 +static int learn_buffer_len;
39796 +static int learn_buffer_user_len;
39799 +read_learn(struct file *file, char __user * buf, size_t count, loff_t * ppos)
39801 + DECLARE_WAITQUEUE(wait, current);
39802 + ssize_t retval = 0;
39804 + add_wait_queue(&learn_wait, &wait);
39805 + set_current_state(TASK_INTERRUPTIBLE);
39807 + down(&gr_learn_user_sem);
39808 + spin_lock(&gr_learn_lock);
39809 + if (learn_buffer_len)
39811 + spin_unlock(&gr_learn_lock);
39812 + up(&gr_learn_user_sem);
39813 + if (file->f_flags & O_NONBLOCK) {
39814 + retval = -EAGAIN;
39817 + if (signal_pending(current)) {
39818 + retval = -ERESTARTSYS;
39825 + memcpy(learn_buffer_user, learn_buffer, learn_buffer_len);
39826 + learn_buffer_user_len = learn_buffer_len;
39827 + retval = learn_buffer_len;
39828 + learn_buffer_len = 0;
39830 + spin_unlock(&gr_learn_lock);
39832 + if (copy_to_user(buf, learn_buffer_user, learn_buffer_user_len))
39833 + retval = -EFAULT;
39835 + up(&gr_learn_user_sem);
39837 + set_current_state(TASK_RUNNING);
39838 + remove_wait_queue(&learn_wait, &wait);
39842 +static unsigned int
39843 +poll_learn(struct file * file, poll_table * wait)
39845 + poll_wait(file, &learn_wait, wait);
39847 + if (learn_buffer_len)
39848 + return (POLLIN | POLLRDNORM);
39854 +gr_clear_learn_entries(void)
39858 + down(&gr_learn_user_sem);
39859 + if (learn_buffer != NULL) {
39860 + spin_lock(&gr_learn_lock);
39861 + tmp = learn_buffer;
39862 + learn_buffer = NULL;
39863 + spin_unlock(&gr_learn_lock);
39864 + vfree(learn_buffer);
39866 + if (learn_buffer_user != NULL) {
39867 + vfree(learn_buffer_user);
39868 + learn_buffer_user = NULL;
39870 + learn_buffer_len = 0;
39871 + up(&gr_learn_user_sem);
39877 +gr_add_learn_entry(const char *fmt, ...)
39880 + unsigned int len;
39882 + if (!gr_learn_attached)
39885 + spin_lock(&gr_learn_lock);
39887 + /* leave a gap at the end so we know when it's "full" but don't have to
39888 + compute the exact length of the string we're trying to append
39890 + if (learn_buffer_len > LEARN_BUFFER_SIZE - 16384) {
39891 + spin_unlock(&gr_learn_lock);
39892 + wake_up_interruptible(&learn_wait);
39895 + if (learn_buffer == NULL) {
39896 + spin_unlock(&gr_learn_lock);
39900 + va_start(args, fmt);
39901 + len = vsnprintf(learn_buffer + learn_buffer_len, LEARN_BUFFER_SIZE - learn_buffer_len, fmt, args);
39904 + learn_buffer_len += len + 1;
39906 + spin_unlock(&gr_learn_lock);
39907 + wake_up_interruptible(&learn_wait);
39913 +open_learn(struct inode *inode, struct file *file)
39915 + if (file->f_mode & FMODE_READ && gr_learn_attached)
39917 + if (file->f_mode & FMODE_READ) {
39919 + down(&gr_learn_user_sem);
39920 + if (learn_buffer == NULL)
39921 + learn_buffer = vmalloc(LEARN_BUFFER_SIZE);
39922 + if (learn_buffer_user == NULL)
39923 + learn_buffer_user = vmalloc(LEARN_BUFFER_SIZE);
39924 + if (learn_buffer == NULL) {
39925 + retval = -ENOMEM;
39928 + if (learn_buffer_user == NULL) {
39929 + retval = -ENOMEM;
39932 + learn_buffer_len = 0;
39933 + learn_buffer_user_len = 0;
39934 + gr_learn_attached = 1;
39936 + up(&gr_learn_user_sem);
39943 +close_learn(struct inode *inode, struct file *file)
39947 + if (file->f_mode & FMODE_READ) {
39948 + down(&gr_learn_user_sem);
39949 + if (learn_buffer != NULL) {
39950 + spin_lock(&gr_learn_lock);
39951 + tmp = learn_buffer;
39952 + learn_buffer = NULL;
39953 + spin_unlock(&gr_learn_lock);
39956 + if (learn_buffer_user != NULL) {
39957 + vfree(learn_buffer_user);
39958 + learn_buffer_user = NULL;
39960 + learn_buffer_len = 0;
39961 + learn_buffer_user_len = 0;
39962 + gr_learn_attached = 0;
39963 + up(&gr_learn_user_sem);
39969 +const struct file_operations grsec_fops = {
39970 + .read = read_learn,
39971 + .write = write_grsec_handler,
39972 + .open = open_learn,
39973 + .release = close_learn,
39974 + .poll = poll_learn,
39976 diff -urNp linux-2.6.36.1/grsecurity/gracl_res.c linux-2.6.36.1/grsecurity/gracl_res.c
39977 --- linux-2.6.36.1/grsecurity/gracl_res.c 1969-12-31 19:00:00.000000000 -0500
39978 +++ linux-2.6.36.1/grsecurity/gracl_res.c 2010-11-06 18:58:50.000000000 -0400
39980 +#include <linux/kernel.h>
39981 +#include <linux/sched.h>
39982 +#include <linux/gracl.h>
39983 +#include <linux/grinternal.h>
39985 +static const char *restab_log[] = {
39986 + [RLIMIT_CPU] = "RLIMIT_CPU",
39987 + [RLIMIT_FSIZE] = "RLIMIT_FSIZE",
39988 + [RLIMIT_DATA] = "RLIMIT_DATA",
39989 + [RLIMIT_STACK] = "RLIMIT_STACK",
39990 + [RLIMIT_CORE] = "RLIMIT_CORE",
39991 + [RLIMIT_RSS] = "RLIMIT_RSS",
39992 + [RLIMIT_NPROC] = "RLIMIT_NPROC",
39993 + [RLIMIT_NOFILE] = "RLIMIT_NOFILE",
39994 + [RLIMIT_MEMLOCK] = "RLIMIT_MEMLOCK",
39995 + [RLIMIT_AS] = "RLIMIT_AS",
39996 + [RLIMIT_LOCKS] = "RLIMIT_LOCKS",
39997 + [RLIMIT_SIGPENDING] = "RLIMIT_SIGPENDING",
39998 + [RLIMIT_MSGQUEUE] = "RLIMIT_MSGQUEUE",
39999 + [RLIMIT_NICE] = "RLIMIT_NICE",
40000 + [RLIMIT_RTPRIO] = "RLIMIT_RTPRIO",
40001 + [RLIMIT_RTTIME] = "RLIMIT_RTTIME",
40002 + [GR_CRASH_RES] = "RLIMIT_CRASH"
40006 +gr_log_resource(const struct task_struct *task,
40007 + const int res, const unsigned long wanted, const int gt)
40009 + const struct cred *cred;
40010 + unsigned long rlim;
40012 + if (!gr_acl_is_enabled() && !grsec_resource_logging)
40015 + // not yet supported resource
40016 + if (unlikely(!restab_log[res]))
40019 + if (res == RLIMIT_CPU || res == RLIMIT_RTTIME)
40020 + rlim = task_rlimit_max(task, res);
40022 + rlim = task_rlimit(task, res);
40024 + if (likely((rlim == RLIM_INFINITY) || (gt && wanted <= rlim) || (!gt && wanted < rlim)))
40028 + cred = __task_cred(task);
40030 + if (res == RLIMIT_NPROC &&
40031 + (cap_raised(cred->cap_effective, CAP_SYS_ADMIN) ||
40032 + cap_raised(cred->cap_effective, CAP_SYS_RESOURCE)))
40033 + goto out_rcu_unlock;
40034 + else if (res == RLIMIT_MEMLOCK &&
40035 + cap_raised(cred->cap_effective, CAP_IPC_LOCK))
40036 + goto out_rcu_unlock;
40037 + else if (res == RLIMIT_NICE && cap_raised(cred->cap_effective, CAP_SYS_NICE))
40038 + goto out_rcu_unlock;
40039 + rcu_read_unlock();
40041 + gr_log_res_ulong2_str(GR_DONT_AUDIT, GR_RESOURCE_MSG, task, wanted, restab_log[res], rlim);
40045 + rcu_read_unlock();
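Review bot: `restab_log[res]` at 40016 is indexed before any range check on `res`, so a resource number above GR_CRASH_RES (or a negative one) reads past the table instead of reaching the "not yet supported" branch. The in-tree callers presumably pass fixed RLIMIT_* constants, but the table is the only thing between the index and an out-of-bounds read and the check is cheap: `if (unlikely(res < 0 || res >= ARRAY_SIZE(restab_log) || !restab_log[res]))`. ARRAY_SIZE is already in scope via linux/kernel.h. The return statement under that branch and the rcu_read_lock pairing the unlocks at 40039/40045 are not among the lines shown.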
40048 diff -urNp linux-2.6.36.1/grsecurity/gracl_segv.c linux-2.6.36.1/grsecurity/gracl_segv.c
40049 --- linux-2.6.36.1/grsecurity/gracl_segv.c 1969-12-31 19:00:00.000000000 -0500
40050 +++ linux-2.6.36.1/grsecurity/gracl_segv.c 2010-11-06 18:58:50.000000000 -0400
40052 +#include <linux/kernel.h>
40053 +#include <linux/mm.h>
40054 +#include <asm/uaccess.h>
40055 +#include <asm/errno.h>
40056 +#include <asm/mman.h>
40057 +#include <net/sock.h>
40058 +#include <linux/file.h>
40059 +#include <linux/fs.h>
40060 +#include <linux/net.h>
40061 +#include <linux/in.h>
40062 +#include <linux/smp_lock.h>
40063 +#include <linux/slab.h>
40064 +#include <linux/types.h>
40065 +#include <linux/sched.h>
40066 +#include <linux/timer.h>
40067 +#include <linux/gracl.h>
40068 +#include <linux/grsecurity.h>
40069 +#include <linux/grinternal.h>
40071 +static struct crash_uid *uid_set;
40072 +static unsigned short uid_used;
40073 +static DEFINE_SPINLOCK(gr_uid_lock);
40074 +extern rwlock_t gr_inode_lock;
40075 +extern struct acl_subject_label *
40076 + lookup_acl_subj_label(const ino_t inode, const dev_t dev,
40077 + struct acl_role_label *role);
40078 +extern int specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t);
40081 +gr_init_uidset(void)
40084 + kmalloc(GR_UIDTABLE_MAX * sizeof (struct crash_uid), GFP_KERNEL);
40087 + return uid_set ? 1 : 0;
40091 +gr_free_uidset(void)
40100 +gr_find_uid(const uid_t uid)
40102 + struct crash_uid *tmp = uid_set;
40104 + int low = 0, high = uid_used - 1, mid;
40106 + while (high >= low) {
40107 + mid = (low + high) >> 1;
40108 + buid = tmp[mid].uid;
40120 +static __inline__ void
40121 +gr_insertsort(void)
40123 + unsigned short i, j;
40124 + struct crash_uid index;
40126 + for (i = 1; i < uid_used; i++) {
40127 + index = uid_set[i];
40129 + while ((j > 0) && uid_set[j - 1].uid > index.uid) {
40130 + uid_set[j] = uid_set[j - 1];
40133 + uid_set[j] = index;
40139 +static __inline__ void
40140 +gr_insert_uid(const uid_t uid, const unsigned long expires)
40144 + if (uid_used == GR_UIDTABLE_MAX)
40147 + loc = gr_find_uid(uid);
40150 + uid_set[loc].expires = expires;
40154 + uid_set[uid_used].uid = uid;
40155 + uid_set[uid_used].expires = expires;
40164 +gr_remove_uid(const unsigned short loc)
40166 + unsigned short i;
40168 + for (i = loc + 1; i < uid_used; i++)
40169 + uid_set[i - 1] = uid_set[i];
40177 +gr_check_crash_uid(const uid_t uid)
40182 + if (unlikely(!gr_acl_is_enabled()))
40185 + spin_lock(&gr_uid_lock);
40186 + loc = gr_find_uid(uid);
40191 + if (time_before_eq(uid_set[loc].expires, get_seconds()))
40192 + gr_remove_uid(loc);
40197 + spin_unlock(&gr_uid_lock);
40201 +static __inline__ int
40202 +proc_is_setxid(const struct cred *cred)
40204 + if (cred->uid != cred->euid || cred->uid != cred->suid ||
40205 + cred->uid != cred->fsuid)
40207 + if (cred->gid != cred->egid || cred->gid != cred->sgid ||
40208 + cred->gid != cred->fsgid)
40213 +static __inline__ int
40214 +gr_fake_force_sig(int sig, struct task_struct *t)
40216 + unsigned long int flags;
40217 + int ret, blocked, ignored;
40218 + struct k_sigaction *action;
40220 + spin_lock_irqsave(&t->sighand->siglock, flags);
40221 + action = &t->sighand->action[sig-1];
40222 + ignored = action->sa.sa_handler == SIG_IGN;
40223 + blocked = sigismember(&t->blocked, sig);
40224 + if (blocked || ignored) {
40225 + action->sa.sa_handler = SIG_DFL;
40227 + sigdelset(&t->blocked, sig);
40228 + recalc_sigpending_and_wake(t);
40231 + if (action->sa.sa_handler == SIG_DFL)
40232 + t->signal->flags &= ~SIGNAL_UNKILLABLE;
40233 + ret = specific_send_sig_info(sig, SEND_SIG_PRIV, t);
40235 + spin_unlock_irqrestore(&t->sighand->siglock, flags);
40241 +gr_handle_crash(struct task_struct *task, const int sig)
40243 + struct acl_subject_label *curr;
40244 + struct acl_subject_label *curr2;
40245 + struct task_struct *tsk, *tsk2;
40246 + const struct cred *cred;
40247 + const struct cred *cred2;
40249 + if (sig != SIGSEGV && sig != SIGKILL && sig != SIGBUS && sig != SIGILL)
40252 + if (unlikely(!gr_acl_is_enabled()))
40255 + curr = task->acl;
40257 + if (!(curr->resmask & (1 << GR_CRASH_RES)))
40260 + if (time_before_eq(curr->expires, get_seconds())) {
40261 + curr->expires = 0;
40262 + curr->crashes = 0;
40267 + if (!curr->expires)
40268 + curr->expires = get_seconds() + curr->res[GR_CRASH_RES].rlim_max;
40270 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40271 + time_after(curr->expires, get_seconds())) {
40273 + cred = __task_cred(task);
40274 + if (cred->uid && proc_is_setxid(cred)) {
40275 + gr_log_crash1(GR_DONT_AUDIT, GR_SEGVSTART_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40276 + spin_lock(&gr_uid_lock);
40277 + gr_insert_uid(cred->uid, curr->expires);
40278 + spin_unlock(&gr_uid_lock);
40279 + curr->expires = 0;
40280 + curr->crashes = 0;
40281 + read_lock(&tasklist_lock);
40282 + do_each_thread(tsk2, tsk) {
40283 + cred2 = __task_cred(tsk);
40284 + if (tsk != task && cred2->uid == cred->uid)
40285 + gr_fake_force_sig(SIGKILL, tsk);
40286 + } while_each_thread(tsk2, tsk);
40287 + read_unlock(&tasklist_lock);
40289 + gr_log_crash2(GR_DONT_AUDIT, GR_SEGVNOSUID_ACL_MSG, task, curr->res[GR_CRASH_RES].rlim_max);
40290 + read_lock(&tasklist_lock);
40291 + do_each_thread(tsk2, tsk) {
40292 + if (likely(tsk != task)) {
40293 + curr2 = tsk->acl;
40295 + if (curr2->device == curr->device &&
40296 + curr2->inode == curr->inode)
40297 + gr_fake_force_sig(SIGKILL, tsk);
40299 + } while_each_thread(tsk2, tsk);
40300 + read_unlock(&tasklist_lock);
40302 + rcu_read_unlock();
40309 +gr_check_crash_exec(const struct file *filp)
40311 + struct acl_subject_label *curr;
40313 + if (unlikely(!gr_acl_is_enabled()))
40316 + read_lock(&gr_inode_lock);
40317 + curr = lookup_acl_subj_label(filp->f_path.dentry->d_inode->i_ino,
40318 + filp->f_path.dentry->d_inode->i_sb->s_dev,
40320 + read_unlock(&gr_inode_lock);
40322 + if (!curr || !(curr->resmask & (1 << GR_CRASH_RES)) ||
40323 + (!curr->crashes && !curr->expires))
40326 + if ((curr->crashes >= curr->res[GR_CRASH_RES].rlim_cur) &&
40327 + time_after(curr->expires, get_seconds()))
40329 + else if (time_before_eq(curr->expires, get_seconds())) {
40330 + curr->crashes = 0;
40331 + curr->expires = 0;
40338 +gr_handle_alertkill(struct task_struct *task)
40340 + struct acl_subject_label *curracl;
40342 + struct task_struct *p, *p2;
40344 + if (unlikely(!gr_acl_is_enabled()))
40347 + curracl = task->acl;
40348 + curr_ip = task->signal->curr_ip;
40350 + if ((curracl->mode & GR_KILLIPPROC) && curr_ip) {
40351 + read_lock(&tasklist_lock);
40352 + do_each_thread(p2, p) {
40353 + if (p->signal->curr_ip == curr_ip)
40354 + gr_fake_force_sig(SIGKILL, p);
40355 + } while_each_thread(p2, p);
40356 + read_unlock(&tasklist_lock);
40357 + } else if (curracl->mode & GR_KILLPROC)
40358 + gr_fake_force_sig(SIGKILL, task);
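Review bot: `gr_insert_uid` bails out when `uid_used == GR_UIDTABLE_MAX` (40144), so once the table is full a setxid crash at 40274-40278 still logs and kills the uid's processes but the ban that `gr_check_crash_uid` later enforces is never recorded. That is a quiet downgrade of the brute-force protection and deserves at least a one-time alert before the return, e.g. `printk(KERN_ALERT "grsec: crash uid table full, ban for uid %u not recorded\n", uid);`, or eviction of the entry with the earliest `expires`. Separately, `curr->crashes` and `curr->expires` are read and written in gr_handle_crash and gr_check_crash_exec without any lock, so two tasks under the same subject crashing concurrently can race on the counter; tolerable for a heuristic, but worth a comment saying so. The body of gr_insert_uid between 40145 and 40154 and the rcu_read_lock matching the unlock at 40302 are outside the visible lines.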
40362 diff -urNp linux-2.6.36.1/grsecurity/gracl_shm.c linux-2.6.36.1/grsecurity/gracl_shm.c
40363 --- linux-2.6.36.1/grsecurity/gracl_shm.c 1969-12-31 19:00:00.000000000 -0500
40364 +++ linux-2.6.36.1/grsecurity/gracl_shm.c 2010-11-06 18:58:50.000000000 -0400
40366 +#include <linux/kernel.h>
40367 +#include <linux/mm.h>
40368 +#include <linux/sched.h>
40369 +#include <linux/file.h>
40370 +#include <linux/ipc.h>
40371 +#include <linux/gracl.h>
40372 +#include <linux/grsecurity.h>
40373 +#include <linux/grinternal.h>
40376 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40377 + const time_t shm_createtime, const uid_t cuid, const int shmid)
40379 + struct task_struct *task;
40381 + if (!gr_acl_is_enabled())
40385 + read_lock(&tasklist_lock);
40387 + task = find_task_by_vpid(shm_cprid);
40389 + if (unlikely(!task))
40390 + task = find_task_by_vpid(shm_lapid);
40392 + if (unlikely(task && (time_before_eq((unsigned long)task->start_time.tv_sec, (unsigned long)shm_createtime) ||
40393 + (task->pid == shm_lapid)) &&
40394 + (task->acl->mode & GR_PROTSHM) &&
40395 + (task->acl != current->acl))) {
40396 + read_unlock(&tasklist_lock);
40397 + rcu_read_unlock();
40398 + gr_log_int3(GR_DONT_AUDIT, GR_SHMAT_ACL_MSG, cuid, shm_cprid, shmid);
40401 + read_unlock(&tasklist_lock);
40402 + rcu_read_unlock();
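Review bot: The fallback match `task->pid == shm_lapid` at 40393 compares a global pid with the namespace-relative value that `find_task_by_vpid` resolved at 40387/40390, so inside a non-init pid namespace the last-attacher branch can never be true; `task_pid_vnr(task) == shm_lapid` keeps both sides in the caller's namespace. The creator check on the previous line compares `task->start_time.tv_sec` with `shm_createtime`; if start_time is on the monotonic clock while shm_createtime comes from get_seconds(), the two are in different time bases and the pid-reuse test is effectively always true, which is worth confirming against the ipc/shm.c side of this patch. The rcu_read_lock matching the unlocks at 40397/40402 is not among the lines shown.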
40406 diff -urNp linux-2.6.36.1/grsecurity/grsec_chdir.c linux-2.6.36.1/grsecurity/grsec_chdir.c
40407 --- linux-2.6.36.1/grsecurity/grsec_chdir.c 1969-12-31 19:00:00.000000000 -0500
40408 +++ linux-2.6.36.1/grsecurity/grsec_chdir.c 2010-11-06 18:58:50.000000000 -0400
40410 +#include <linux/kernel.h>
40411 +#include <linux/sched.h>
40412 +#include <linux/fs.h>
40413 +#include <linux/file.h>
40414 +#include <linux/grsecurity.h>
40415 +#include <linux/grinternal.h>
40418 +gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
40420 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
40421 + if ((grsec_enable_chdir && grsec_enable_group &&
40422 + in_group_p(grsec_audit_gid)) || (grsec_enable_chdir &&
40423 + !grsec_enable_group)) {
40424 + gr_log_fs_generic(GR_DO_AUDIT, GR_CHDIR_AUDIT_MSG, dentry, mnt);
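Review bot: The condition at 40421-40423 tests `grsec_enable_chdir` twice and obscures the intended rule; `if (grsec_enable_chdir && (!grsec_enable_group || in_group_p(grsec_audit_gid)))` says the same thing in one clause. The same shape recurs in gr_handle_exec_args in grsec_exec.c, so a small shared inline in grinternal.h would remove the duplication if that header is part of this patch.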
40429 diff -urNp linux-2.6.36.1/grsecurity/grsec_chroot.c linux-2.6.36.1/grsecurity/grsec_chroot.c
40430 --- linux-2.6.36.1/grsecurity/grsec_chroot.c 1969-12-31 19:00:00.000000000 -0500
40431 +++ linux-2.6.36.1/grsecurity/grsec_chroot.c 2010-11-06 20:00:34.000000000 -0400
40433 +#include <linux/kernel.h>
40434 +#include <linux/module.h>
40435 +#include <linux/sched.h>
40436 +#include <linux/file.h>
40437 +#include <linux/fs.h>
40438 +#include <linux/mount.h>
40439 +#include <linux/types.h>
40440 +#include <linux/pid_namespace.h>
40441 +#include <linux/grsecurity.h>
40442 +#include <linux/grinternal.h>
40444 +void gr_set_chroot_entries(struct task_struct *task, struct path *path)
40446 +#ifdef CONFIG_GRKERNSEC
40447 + if (task->pid > 1 && path->dentry != init_task.fs->root.dentry &&
40448 + path->dentry != task->nsproxy->mnt_ns->root->mnt_root)
40449 + task->gr_is_chrooted = 1;
40451 + task->gr_is_chrooted = 0;
40453 + task->gr_chroot_dentry = path->dentry;
40458 +void gr_clear_chroot_entries(struct task_struct *task)
40460 +#ifdef CONFIG_GRKERNSEC
40461 + task->gr_is_chrooted = 0;
40462 + task->gr_chroot_dentry = NULL;
40468 +gr_handle_chroot_unix(struct pid *pid)
40470 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
40471 + struct task_struct *p;
40473 + if (unlikely(!grsec_enable_chroot_unix))
40476 + if (likely(!proc_is_chrooted(current)))
40480 + read_lock(&tasklist_lock);
40481 + p = pid_task(pid, PIDTYPE_PID);
40482 + if (unlikely(!have_same_root(current, p))) {
40483 + read_unlock(&tasklist_lock);
40484 + rcu_read_unlock();
40485 + gr_log_noargs(GR_DONT_AUDIT, GR_UNIX_CHROOT_MSG);
40488 + read_unlock(&tasklist_lock);
40489 + rcu_read_unlock();
40495 +gr_handle_chroot_nice(void)
40497 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40498 + if (grsec_enable_chroot_nice && proc_is_chrooted(current)) {
40499 + gr_log_noargs(GR_DONT_AUDIT, GR_NICE_CHROOT_MSG);
40507 +gr_handle_chroot_setpriority(struct task_struct *p, const int niceval)
40509 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
40510 + if (grsec_enable_chroot_nice && (niceval < task_nice(p))
40511 + && proc_is_chrooted(current)) {
40512 + gr_log_str_int(GR_DONT_AUDIT, GR_PRIORITY_CHROOT_MSG, p->comm, p->pid);
40520 +gr_handle_chroot_rawio(const struct inode *inode)
40522 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40523 + if (grsec_enable_chroot_caps && proc_is_chrooted(current) &&
40524 + inode && S_ISBLK(inode->i_mode) && !capable(CAP_SYS_RAWIO))
40531 +gr_handle_chroot_fowner(struct pid *pid, enum pid_type type)
40533 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40534 + struct task_struct *p;
40536 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || !pid)
40539 + read_lock(&tasklist_lock);
40540 + do_each_pid_task(pid, type, p) {
40541 + if (!have_same_root(current, p)) {
40545 + } while_each_pid_task(pid, type, p);
40547 + read_unlock(&tasklist_lock);
40554 +gr_pid_is_chrooted(struct task_struct *p)
40556 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
40557 + if (!grsec_enable_chroot_findtask || !proc_is_chrooted(current) || p == NULL)
40560 + if ((p->exit_state & (EXIT_ZOMBIE | EXIT_DEAD)) ||
40561 + !have_same_root(current, p)) {
40568 +EXPORT_SYMBOL(gr_pid_is_chrooted);
40570 +#if defined(CONFIG_GRKERNSEC_CHROOT_DOUBLE) || defined(CONFIG_GRKERNSEC_CHROOT_FCHDIR)
40571 +int gr_is_outside_chroot(const struct dentry *u_dentry, const struct vfsmount *u_mnt)
40573 + struct dentry *dentry = (struct dentry *)u_dentry;
40574 + struct vfsmount *mnt = (struct vfsmount *)u_mnt;
40575 + struct path realroot, currentroot;
40576 + struct task_struct *reaper = &init_task;
40579 + get_fs_root(reaper->fs, &realroot);
40580 + get_fs_root(current->fs, ¤troot);
40582 + spin_lock(&dcache_lock);
40584 + if (unlikely((dentry == realroot.dentry && mnt == realroot.mnt)
40585 + || (dentry == currentroot.dentry && mnt == currentroot.mnt)))
40587 + if (unlikely(dentry == mnt->mnt_root || IS_ROOT(dentry))) {
40588 + if (mnt->mnt_parent == mnt)
40590 + dentry = mnt->mnt_mountpoint;
40591 + mnt = mnt->mnt_parent;
40594 + dentry = dentry->d_parent;
40596 + spin_unlock(&dcache_lock);
40598 + path_put(¤troot);
40600 + /* access is outside of chroot */
40601 + if (dentry == realroot.dentry && mnt == realroot.mnt)
40604 + path_put(&realroot);
40610 +gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt)
40612 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
40613 + if (!grsec_enable_chroot_fchdir)
40616 + if (!proc_is_chrooted(current))
40618 + else if (!gr_is_outside_chroot(u_dentry, u_mnt)) {
40619 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_FCHDIR_MSG, u_dentry, u_mnt);
40627 +gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
40628 + const time_t shm_createtime)
40630 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
40631 + struct pid *pid = NULL;
40632 + time_t starttime;
40634 + if (unlikely(!grsec_enable_chroot_shmat))
40637 + if (likely(!proc_is_chrooted(current)))
40641 + read_lock(&tasklist_lock);
40643 + pid = find_vpid(shm_cprid);
40645 + struct task_struct *p;
40646 + p = pid_task(pid, PIDTYPE_PID);
40647 + starttime = p->start_time.tv_sec;
40648 + if (unlikely(!have_same_root(current, p) &&
40649 + time_before_eq((unsigned long)starttime, (unsigned long)shm_createtime))) {
40650 + read_unlock(&tasklist_lock);
40651 + rcu_read_unlock();
40652 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40656 + pid = find_vpid(shm_lapid);
40658 + struct task_struct *p;
40659 + p = pid_task(pid, PIDTYPE_PID);
40660 + if (unlikely(!have_same_root(current, p))) {
40661 + read_unlock(&tasklist_lock);
40662 + rcu_read_unlock();
40663 + gr_log_noargs(GR_DONT_AUDIT, GR_SHMAT_CHROOT_MSG);
40669 + read_unlock(&tasklist_lock);
40670 + rcu_read_unlock();
40676 +gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
40678 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
40679 + if (grsec_enable_chroot_execlog && proc_is_chrooted(current))
40680 + gr_log_fs_generic(GR_DO_AUDIT, GR_EXEC_CHROOT_MSG, dentry, mnt);
40686 +gr_handle_chroot_mknod(const struct dentry *dentry,
40687 + const struct vfsmount *mnt, const int mode)
40689 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
40690 + if (grsec_enable_chroot_mknod && !S_ISFIFO(mode) && !S_ISREG(mode) &&
40691 + proc_is_chrooted(current)) {
40692 + gr_log_fs_generic(GR_DONT_AUDIT, GR_MKNOD_CHROOT_MSG, dentry, mnt);
40700 +gr_handle_chroot_mount(const struct dentry *dentry,
40701 + const struct vfsmount *mnt, const char *dev_name)
40703 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
40704 + if (grsec_enable_chroot_mount && proc_is_chrooted(current)) {
40705 + gr_log_str_fs(GR_DONT_AUDIT, GR_MOUNT_CHROOT_MSG, dev_name, dentry, mnt);
40713 +gr_handle_chroot_pivot(void)
40715 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
40716 + if (grsec_enable_chroot_pivot && proc_is_chrooted(current)) {
40717 + gr_log_noargs(GR_DONT_AUDIT, GR_PIVOT_CHROOT_MSG);
40725 +gr_handle_chroot_chroot(const struct dentry *dentry, const struct vfsmount *mnt)
40727 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
40728 + if (grsec_enable_chroot_double && proc_is_chrooted(current) &&
40729 + !gr_is_outside_chroot(dentry, mnt)) {
40730 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHROOT_CHROOT_MSG, dentry, mnt);
40738 +gr_handle_chroot_caps(struct path *path)
40740 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
40741 + if (grsec_enable_chroot_caps && current->pid > 1 && current->fs != NULL &&
40742 + (init_task.fs->root.dentry != path->dentry) &&
40743 + (current->nsproxy->mnt_ns->root->mnt_root != path->dentry)) {
40745 + kernel_cap_t chroot_caps = GR_CHROOT_CAPS;
40746 + const struct cred *old = current_cred();
40747 + struct cred *new = prepare_creds();
40751 + new->cap_permitted = cap_drop(old->cap_permitted,
40753 + new->cap_inheritable = cap_drop(old->cap_inheritable,
40755 + new->cap_effective = cap_drop(old->cap_effective,
40758 + commit_creds(new);
40767 +gr_handle_chroot_sysctl(const int op)
40769 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
40770 + if (grsec_enable_chroot_sysctl && (op & MAY_WRITE) &&
40771 + proc_is_chrooted(current))
40778 +gr_handle_chroot_chdir(struct path *path)
40780 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
40781 + if (grsec_enable_chroot_chdir)
40782 + set_fs_pwd(current->fs, path);
40788 +gr_handle_chroot_chmod(const struct dentry *dentry,
40789 + const struct vfsmount *mnt, const int mode)
40791 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
40792 + if (grsec_enable_chroot_chmod &&
40793 + ((mode & S_ISUID) || ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP))) &&
40794 + proc_is_chrooted(current)) {
40795 + gr_log_fs_generic(GR_DONT_AUDIT, GR_CHMOD_CHROOT_MSG, dentry, mnt);
40802 +#ifdef CONFIG_SECURITY
40803 +EXPORT_SYMBOL(gr_handle_chroot_caps);
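Review bot: In gr_chroot_shmat, `p = pid_task(pid, PIDTYPE_PID)` at 40646 is dereferenced on the next line with no NULL check; find_vpid can return a struct pid that is still alive only as a process-group or session id after its task exited, in which case pid_task returns NULL and `p->start_time` oopses (a segment whose creator was a now-dead session leader is a plausible state). The same pattern appears at 40659-40660 and in gr_handle_chroot_unix at 40481-40482, where whether `have_same_root` tolerates a NULL task is not visible here. Guarding the lookup, `if (p && !have_same_root(current, p) && time_before_eq(...))`, and treating a vanished task as "no conflict" preserves the existing log/deny behaviour for live tasks. The `if (pid)` lines around 40644 and 40657 are not shown in this view.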
40805 diff -urNp linux-2.6.36.1/grsecurity/grsec_disabled.c linux-2.6.36.1/grsecurity/grsec_disabled.c
40806 --- linux-2.6.36.1/grsecurity/grsec_disabled.c 1969-12-31 19:00:00.000000000 -0500
40807 +++ linux-2.6.36.1/grsecurity/grsec_disabled.c 2010-11-26 18:18:12.000000000 -0500
40809 +#include <linux/kernel.h>
40810 +#include <linux/module.h>
40811 +#include <linux/sched.h>
40812 +#include <linux/file.h>
40813 +#include <linux/fs.h>
40814 +#include <linux/kdev_t.h>
40815 +#include <linux/net.h>
40816 +#include <linux/in.h>
40817 +#include <linux/ip.h>
40818 +#include <linux/skbuff.h>
40819 +#include <linux/sysctl.h>
40821 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
40823 +pax_set_initial_flags(struct linux_binprm *bprm)
40829 +#ifdef CONFIG_SYSCTL
40831 +gr_handle_sysctl(const struct ctl_table * table, const int op)
40837 +#ifdef CONFIG_TASKSTATS
40838 +int gr_is_taskstats_denied(int pid)
40845 +gr_acl_is_enabled(void)
40851 +gr_handle_rawio(const struct inode *inode)
40857 +gr_acl_handle_psacct(struct task_struct *task, const long code)
40863 +gr_handle_ptrace(struct task_struct *task, const long request)
40869 +gr_handle_proc_ptrace(struct task_struct *task)
40875 +gr_learn_resource(const struct task_struct *task,
40876 + const int res, const unsigned long wanted, const int gt)
40882 +gr_set_acls(const int type)
40888 +gr_check_hidden_task(const struct task_struct *tsk)
40894 +gr_check_protected_task(const struct task_struct *task)
40900 +gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
40906 +gr_copy_label(struct task_struct *tsk)
40912 +gr_set_pax_flags(struct task_struct *task)
40918 +gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
40919 + const int unsafe_share)
40925 +gr_handle_delete(const ino_t ino, const dev_t dev)
40931 +gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
40937 +gr_handle_crash(struct task_struct *task, const int sig)
40943 +gr_check_crash_exec(const struct file *filp)
40949 +gr_check_crash_uid(const uid_t uid)
40955 +gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
40956 + struct dentry *old_dentry,
40957 + struct dentry *new_dentry,
40958 + struct vfsmount *mnt, const __u8 replace)
40964 +gr_search_socket(const int family, const int type, const int protocol)
40970 +gr_search_connectbind(const int mode, const struct socket *sock,
40971 + const struct sockaddr_in *addr)
40977 +gr_is_capable(const int cap)
40983 +gr_is_capable_nolog(const int cap)
40989 +gr_handle_alertkill(struct task_struct *task)
40995 +gr_acl_handle_execve(const struct dentry * dentry, const struct vfsmount * mnt)
41001 +gr_acl_handle_hidden_file(const struct dentry * dentry,
41002 + const struct vfsmount * mnt)
41008 +gr_acl_handle_open(const struct dentry * dentry, const struct vfsmount * mnt,
41015 +gr_acl_handle_rmdir(const struct dentry * dentry, const struct vfsmount * mnt)
41021 +gr_acl_handle_unlink(const struct dentry * dentry, const struct vfsmount * mnt)
41027 +gr_acl_handle_mmap(const struct file *file, const unsigned long prot,
41028 + unsigned int *vm_flags)
41034 +gr_acl_handle_truncate(const struct dentry * dentry,
41035 + const struct vfsmount * mnt)
41041 +gr_acl_handle_utime(const struct dentry * dentry, const struct vfsmount * mnt)
41047 +gr_acl_handle_access(const struct dentry * dentry,
41048 + const struct vfsmount * mnt, const int fmode)
41054 +gr_acl_handle_fchmod(const struct dentry * dentry, const struct vfsmount * mnt,
41061 +gr_acl_handle_chmod(const struct dentry * dentry, const struct vfsmount * mnt,
41068 +gr_acl_handle_chown(const struct dentry * dentry, const struct vfsmount * mnt)
41074 +gr_acl_handle_setxattr(const struct dentry * dentry, const struct vfsmount * mnt)
41080 +grsecurity_init(void)
41086 +gr_acl_handle_mknod(const struct dentry * new_dentry,
41087 + const struct dentry * parent_dentry,
41088 + const struct vfsmount * parent_mnt,
41095 +gr_acl_handle_mkdir(const struct dentry * new_dentry,
41096 + const struct dentry * parent_dentry,
41097 + const struct vfsmount * parent_mnt)
41103 +gr_acl_handle_symlink(const struct dentry * new_dentry,
41104 + const struct dentry * parent_dentry,
41105 + const struct vfsmount * parent_mnt, const char *from)
41111 +gr_acl_handle_link(const struct dentry * new_dentry,
41112 + const struct dentry * parent_dentry,
41113 + const struct vfsmount * parent_mnt,
41114 + const struct dentry * old_dentry,
41115 + const struct vfsmount * old_mnt, const char *to)
41121 +gr_acl_handle_rename(const struct dentry *new_dentry,
41122 + const struct dentry *parent_dentry,
41123 + const struct vfsmount *parent_mnt,
41124 + const struct dentry *old_dentry,
41125 + const struct inode *old_parent_inode,
41126 + const struct vfsmount *old_mnt, const char *newname)
41132 +gr_acl_handle_filldir(const struct file *file, const char *name,
41133 + const int namelen, const ino_t ino)
41139 +gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
41140 + const time_t shm_createtime, const uid_t cuid, const int shmid)
41146 +gr_search_bind(const struct socket *sock, const struct sockaddr_in *addr)
41152 +gr_search_accept(const struct socket *sock)
41158 +gr_search_listen(const struct socket *sock)
41164 +gr_search_connect(const struct socket *sock, const struct sockaddr_in *addr)
41170 +gr_acl_handle_unix(const struct dentry * dentry, const struct vfsmount * mnt)
41176 +gr_acl_handle_creat(const struct dentry * dentry,
41177 + const struct dentry * p_dentry,
41178 + const struct vfsmount * p_mnt, const int fmode,
41185 +gr_acl_handle_exit(void)
41191 +gr_acl_handle_mprotect(const struct file *file, const unsigned long prot)
41197 +gr_set_role_label(const uid_t uid, const gid_t gid)
41203 +gr_acl_handle_procpidmem(const struct task_struct *task)
41209 +gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb)
41215 +gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr)
41221 +gr_set_kernel_label(struct task_struct *task)
41227 +gr_check_user_change(int real, int effective, int fs)
41233 +gr_check_group_change(int real, int effective, int fs)
41238 +int gr_acl_enable_at_secure(void)
41243 +EXPORT_SYMBOL(gr_is_capable);
41244 +EXPORT_SYMBOL(gr_is_capable_nolog);
41245 +EXPORT_SYMBOL(gr_learn_resource);
41246 +EXPORT_SYMBOL(gr_set_kernel_label);
41247 +#ifdef CONFIG_SECURITY
41248 +EXPORT_SYMBOL(gr_check_user_change);
41249 +EXPORT_SYMBOL(gr_check_group_change);
41251 diff -urNp linux-2.6.36.1/grsecurity/grsec_exec.c linux-2.6.36.1/grsecurity/grsec_exec.c
41252 --- linux-2.6.36.1/grsecurity/grsec_exec.c 1969-12-31 19:00:00.000000000 -0500
41253 +++ linux-2.6.36.1/grsecurity/grsec_exec.c 2010-11-06 19:52:16.000000000 -0400
41255 +#include <linux/kernel.h>
41256 +#include <linux/sched.h>
41257 +#include <linux/file.h>
41258 +#include <linux/binfmts.h>
41259 +#include <linux/smp_lock.h>
41260 +#include <linux/fs.h>
41261 +#include <linux/types.h>
41262 +#include <linux/grdefs.h>
41263 +#include <linux/grinternal.h>
41264 +#include <linux/capability.h>
41266 +#include <asm/uaccess.h>
41268 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41269 +static char gr_exec_arg_buf[132];
41270 +static DECLARE_MUTEX(gr_exec_arg_sem);
41274 +gr_handle_nproc(void)
41276 +#ifdef CONFIG_GRKERNSEC_EXECVE
41277 + const struct cred *cred = current_cred();
41278 + if (grsec_enable_execve && cred->user &&
41279 + (atomic_read(&cred->user->processes) > rlimit(RLIMIT_NPROC)) &&
41280 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE)) {
41281 + gr_log_noargs(GR_DONT_AUDIT, GR_NPROC_MSG);
41289 +gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv)
41291 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41292 + char *grarg = gr_exec_arg_buf;
41293 + unsigned int i, x, execlen = 0;
41296 + if (!((grsec_enable_execlog && grsec_enable_group &&
41297 + in_group_p(grsec_audit_gid))
41298 + || (grsec_enable_execlog && !grsec_enable_group)))
41301 + down(&gr_exec_arg_sem);
41302 + memset(grarg, 0, sizeof(gr_exec_arg_buf));
41304 + if (unlikely(argv == NULL))
41307 + for (i = 0; i < bprm->argc && execlen < 128; i++) {
41308 + const char __user *p;
41309 + unsigned int len;
41311 + if (copy_from_user(&p, argv + i, sizeof(p)))
41315 + len = strnlen_user(p, 128 - execlen);
41316 + if (len > 128 - execlen)
41317 + len = 128 - execlen;
41318 + else if (len > 0)
41320 + if (copy_from_user(grarg + execlen, p, len))
41323 + /* rewrite unprintable characters */
41324 + for (x = 0; x < len; x++) {
41325 + c = *(grarg + execlen + x);
41326 + if (c < 32 || c > 126)
41327 + *(grarg + execlen + x) = ' ';
41331 + *(grarg + execlen) = ' ';
41332 + *(grarg + execlen + 1) = '\0';
41337 + gr_log_fs_str(GR_DO_AUDIT, GR_EXEC_AUDIT_MSG, bprm->file->f_path.dentry,
41338 + bprm->file->f_path.mnt, grarg);
41339 + up(&gr_exec_arg_sem);
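Review bot: gr_handle_exec_args re-reads argv from user memory (copy_from_user at 41311 and 41320) after the exec path has already copied the arguments into the new stack, so a multithreaded program can rewrite its argv between the two reads and make the audit record show something other than what actually executed. For an audit feature that is the wrong source of truth; the arguments already copied into bprm's pages, which is what the in-tree audit_bprm appears to walk, should be logged, with the user pointers at most a fallback. A comment stating this limitation at 41289 would be the minimum if the re-read is kept. The goto/cleanup lines between 41312 and 41336 are not shown.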
41343 diff -urNp linux-2.6.36.1/grsecurity/grsec_fifo.c linux-2.6.36.1/grsecurity/grsec_fifo.c
41344 --- linux-2.6.36.1/grsecurity/grsec_fifo.c 1969-12-31 19:00:00.000000000 -0500
41345 +++ linux-2.6.36.1/grsecurity/grsec_fifo.c 2010-11-06 18:58:50.000000000 -0400
41347 +#include <linux/kernel.h>
41348 +#include <linux/sched.h>
41349 +#include <linux/fs.h>
41350 +#include <linux/file.h>
41351 +#include <linux/grinternal.h>
41354 +gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
41355 + const struct dentry *dir, const int flag, const int acc_mode)
41357 +#ifdef CONFIG_GRKERNSEC_FIFO
41358 + const struct cred *cred = current_cred();
41360 + if (grsec_enable_fifo && S_ISFIFO(dentry->d_inode->i_mode) &&
41361 + !(flag & O_EXCL) && (dir->d_inode->i_mode & S_ISVTX) &&
41362 + (dentry->d_inode->i_uid != dir->d_inode->i_uid) &&
41363 + (cred->fsuid != dentry->d_inode->i_uid)) {
41364 + if (!generic_permission(dentry->d_inode, acc_mode, NULL))
41365 + gr_log_fs_int2(GR_DONT_AUDIT, GR_FIFO_MSG, dentry, mnt, dentry->d_inode->i_uid, dentry->d_inode->i_gid);
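Review bot: The gate in gr_handle_fifo tests only `S_ISVTX` on the parent directory (L24703), whereas gr_handle_follow_link in the same patch additionally requires `(parent->i_mode & S_IWOTH)`; if the FIFO restriction is meant, like the symlink one, to cover only world-writable sticky directories, the condition should gain `(dir->d_inode->i_mode & S_IWOTH) &&`, and if the broader sticky-only scope is intentional it deserves a comment saying so. The function also has no header comment explaining the rule; I would add `/* Deny opening a FIFO that sits in a sticky directory and is owned by neither the directory owner nor the opener, unless the caller already lacks acc_mode on it (generic_permission() returning non-zero) – the O_EXCL exemption is for creates, which cannot land on an existing FIFO. */`. Note that `!generic_permission(...)` on L24706 is true when access *would* be granted, which reads inverted at first glance. The return statements of the function are elided in this view.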
41371 diff -urNp linux-2.6.36.1/grsecurity/grsec_fork.c linux-2.6.36.1/grsecurity/grsec_fork.c
41372 --- linux-2.6.36.1/grsecurity/grsec_fork.c 1969-12-31 19:00:00.000000000 -0500
41373 +++ linux-2.6.36.1/grsecurity/grsec_fork.c 2010-11-06 18:58:50.000000000 -0400
41375 +#include <linux/kernel.h>
41376 +#include <linux/sched.h>
41377 +#include <linux/grsecurity.h>
41378 +#include <linux/grinternal.h>
41379 +#include <linux/errno.h>
41382 +gr_log_forkfail(const int retval)
41384 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41385 + if (grsec_enable_forkfail && (retval == -EAGAIN || retval == -ENOMEM)) {
41386 + switch (retval) {
41388 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "EAGAIN");
41391 + gr_log_str(GR_DONT_AUDIT, GR_FAILFORK_MSG, "ENOMEM");
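Review bot: The outer test on L24718 (`retval == -EAGAIN || retval == -ENOMEM`) duplicates the two `case` labels of the `switch` that follows, so one of the two can go; `if (grsec_enable_forkfail) switch (retval) { case -EAGAIN: ... break; case -ENOMEM: ... break; }` expresses the same thing once. A short header would also help a reader: `/* Log (alert level, flood-limited by gr_log_start()) fork() failures caused by resource exhaustion, which are the usual sign of a fork bomb. */`. The end of the switch is elided in this view.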
41398 diff -urNp linux-2.6.36.1/grsecurity/grsec_init.c linux-2.6.36.1/grsecurity/grsec_init.c
41399 --- linux-2.6.36.1/grsecurity/grsec_init.c 1969-12-31 19:00:00.000000000 -0500
41400 +++ linux-2.6.36.1/grsecurity/grsec_init.c 2010-11-06 18:58:50.000000000 -0400
41402 +#include <linux/kernel.h>
41403 +#include <linux/sched.h>
41404 +#include <linux/mm.h>
41405 +#include <linux/smp_lock.h>
41406 +#include <linux/gracl.h>
41407 +#include <linux/slab.h>
41408 +#include <linux/vmalloc.h>
41409 +#include <linux/percpu.h>
41410 +#include <linux/module.h>
41412 +int grsec_enable_link;
41413 +int grsec_enable_dmesg;
41414 +int grsec_enable_harden_ptrace;
41415 +int grsec_enable_fifo;
41416 +int grsec_enable_execve;
41417 +int grsec_enable_execlog;
41418 +int grsec_enable_signal;
41419 +int grsec_enable_forkfail;
41420 +int grsec_enable_audit_ptrace;
41421 +int grsec_enable_time;
41422 +int grsec_enable_audit_textrel;
41423 +int grsec_enable_group;
41424 +int grsec_audit_gid;
41425 +int grsec_enable_chdir;
41426 +int grsec_enable_mount;
41427 +int grsec_enable_rofs;
41428 +int grsec_enable_chroot_findtask;
41429 +int grsec_enable_chroot_mount;
41430 +int grsec_enable_chroot_shmat;
41431 +int grsec_enable_chroot_fchdir;
41432 +int grsec_enable_chroot_double;
41433 +int grsec_enable_chroot_pivot;
41434 +int grsec_enable_chroot_chdir;
41435 +int grsec_enable_chroot_chmod;
41436 +int grsec_enable_chroot_mknod;
41437 +int grsec_enable_chroot_nice;
41438 +int grsec_enable_chroot_execlog;
41439 +int grsec_enable_chroot_caps;
41440 +int grsec_enable_chroot_sysctl;
41441 +int grsec_enable_chroot_unix;
41442 +int grsec_enable_tpe;
41443 +int grsec_tpe_gid;
41444 +int grsec_enable_blackhole;
41445 +#ifdef CONFIG_IPV6_MODULE
41446 +EXPORT_SYMBOL(grsec_enable_blackhole);
41448 +int grsec_lastack_retries;
41449 +int grsec_enable_tpe_all;
41450 +int grsec_enable_tpe_invert;
41451 +int grsec_enable_socket_all;
41452 +int grsec_socket_all_gid;
41453 +int grsec_enable_socket_client;
41454 +int grsec_socket_client_gid;
41455 +int grsec_enable_socket_server;
41456 +int grsec_socket_server_gid;
41457 +int grsec_resource_logging;
41458 +int grsec_disable_privio;
41459 +int grsec_enable_log_rwxmaps;
41462 +DEFINE_SPINLOCK(grsec_alert_lock);
41463 +unsigned long grsec_alert_wtime = 0;
41464 +unsigned long grsec_alert_fyet = 0;
41466 +DEFINE_SPINLOCK(grsec_audit_lock);
41468 +DEFINE_RWLOCK(grsec_exec_file_lock);
41470 +char *gr_shared_page[4];
41472 +char *gr_alert_log_fmt;
41473 +char *gr_audit_log_fmt;
41474 +char *gr_alert_log_buf;
41475 +char *gr_audit_log_buf;
41477 +extern struct gr_arg *gr_usermode;
41478 +extern unsigned char *gr_system_salt;
41479 +extern unsigned char *gr_system_sum;
41482 +grsecurity_init(void)
41485 + /* create the per-cpu shared pages */
41488 + memset((char *)(0x41a + PAGE_OFFSET), 0, 36);
41491 + for (j = 0; j < 4; j++) {
41492 + gr_shared_page[j] = (char *)__alloc_percpu(PAGE_SIZE, __alignof__(unsigned long long));
41493 + if (gr_shared_page[j] == NULL) {
41494 + panic("Unable to allocate grsecurity shared page");
41499 + /* allocate log buffers */
41500 + gr_alert_log_fmt = kmalloc(512, GFP_KERNEL);
41501 + if (!gr_alert_log_fmt) {
41502 + panic("Unable to allocate grsecurity alert log format buffer");
41505 + gr_audit_log_fmt = kmalloc(512, GFP_KERNEL);
41506 + if (!gr_audit_log_fmt) {
41507 + panic("Unable to allocate grsecurity audit log format buffer");
41510 + gr_alert_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41511 + if (!gr_alert_log_buf) {
41512 + panic("Unable to allocate grsecurity alert log buffer");
41515 + gr_audit_log_buf = (char *) get_zeroed_page(GFP_KERNEL);
41516 + if (!gr_audit_log_buf) {
41517 + panic("Unable to allocate grsecurity audit log buffer");
41521 + /* allocate memory for authentication structure */
41522 + gr_usermode = kmalloc(sizeof(struct gr_arg), GFP_KERNEL);
41523 + gr_system_salt = kmalloc(GR_SALT_LEN, GFP_KERNEL);
41524 + gr_system_sum = kmalloc(GR_SHA_LEN, GFP_KERNEL);
41526 + if (!gr_usermode || !gr_system_salt || !gr_system_sum) {
41527 + panic("Unable to allocate grsecurity authentication structure");
41532 +#ifdef CONFIG_GRKERNSEC_IO
41533 +#if !defined(CONFIG_GRKERNSEC_SYSCTL_DISTRO)
41534 + grsec_disable_privio = 1;
41535 +#elif defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41536 + grsec_disable_privio = 1;
41538 + grsec_disable_privio = 0;
41542 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
41543 + /* for backward compatibility, tpe_invert always defaults to on if
41544 + enabled in the kernel
41546 + grsec_enable_tpe_invert = 1;
41549 +#if !defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_SYSCTL_ON)
41550 +#ifndef CONFIG_GRKERNSEC_SYSCTL
41554 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
41555 + grsec_enable_audit_textrel = 1;
41557 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
41558 + grsec_enable_log_rwxmaps = 1;
41560 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
41561 + grsec_enable_group = 1;
41562 + grsec_audit_gid = CONFIG_GRKERNSEC_AUDIT_GID;
41564 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
41565 + grsec_enable_chdir = 1;
41567 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
41568 + grsec_enable_harden_ptrace = 1;
41570 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
41571 + grsec_enable_mount = 1;
41573 +#ifdef CONFIG_GRKERNSEC_LINK
41574 + grsec_enable_link = 1;
41576 +#ifdef CONFIG_GRKERNSEC_DMESG
41577 + grsec_enable_dmesg = 1;
41579 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
41580 + grsec_enable_blackhole = 1;
41581 + grsec_lastack_retries = 4;
41583 +#ifdef CONFIG_GRKERNSEC_FIFO
41584 + grsec_enable_fifo = 1;
41586 +#ifdef CONFIG_GRKERNSEC_EXECVE
41587 + grsec_enable_execve = 1;
41589 +#ifdef CONFIG_GRKERNSEC_EXECLOG
41590 + grsec_enable_execlog = 1;
41592 +#ifdef CONFIG_GRKERNSEC_SIGNAL
41593 + grsec_enable_signal = 1;
41595 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
41596 + grsec_enable_forkfail = 1;
41598 +#ifdef CONFIG_GRKERNSEC_TIME
41599 + grsec_enable_time = 1;
41601 +#ifdef CONFIG_GRKERNSEC_RESLOG
41602 + grsec_resource_logging = 1;
41604 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
41605 + grsec_enable_chroot_findtask = 1;
41607 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
41608 + grsec_enable_chroot_unix = 1;
41610 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
41611 + grsec_enable_chroot_mount = 1;
41613 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
41614 + grsec_enable_chroot_fchdir = 1;
41616 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
41617 + grsec_enable_chroot_shmat = 1;
41619 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
41620 + grsec_enable_audit_ptrace = 1;
41622 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
41623 + grsec_enable_chroot_double = 1;
41625 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
41626 + grsec_enable_chroot_pivot = 1;
41628 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
41629 + grsec_enable_chroot_chdir = 1;
41631 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
41632 + grsec_enable_chroot_chmod = 1;
41634 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
41635 + grsec_enable_chroot_mknod = 1;
41637 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
41638 + grsec_enable_chroot_nice = 1;
41640 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
41641 + grsec_enable_chroot_execlog = 1;
41643 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
41644 + grsec_enable_chroot_caps = 1;
41646 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
41647 + grsec_enable_chroot_sysctl = 1;
41649 +#ifdef CONFIG_GRKERNSEC_TPE
41650 + grsec_enable_tpe = 1;
41651 + grsec_tpe_gid = CONFIG_GRKERNSEC_TPE_GID;
41652 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
41653 + grsec_enable_tpe_all = 1;
41656 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
41657 + grsec_enable_socket_all = 1;
41658 + grsec_socket_all_gid = CONFIG_GRKERNSEC_SOCKET_ALL_GID;
41660 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
41661 + grsec_enable_socket_client = 1;
41662 + grsec_socket_client_gid = CONFIG_GRKERNSEC_SOCKET_CLIENT_GID;
41664 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
41665 + grsec_enable_socket_server = 1;
41666 + grsec_socket_server_gid = CONFIG_GRKERNSEC_SOCKET_SERVER_GID;
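Review bot: `memset((char *)(0x41a + PAGE_OFFSET), 0, 36);` on L24796 is an undocumented raw write to a fixed low physical address inside grsecurity_init, and no architecture guard is visible around it in this view (the lines on either side are elided). This looks like it zeroes the x86 BIOS data area keyboard buffer (0x41a–0x43d) so that a password typed at a boot prompt is not left readable in low memory – please confirm, and if that is the intent wrap it in `#ifdef CONFIG_X86` (if it is not already) and annotate it: `/* Zero the BIOS keyboard buffer (BDA 0x41a-0x43d): boot-time passwords otherwise stay readable via /dev/mem. */`. Without the guard, on any non-x86 target the write lands on whatever happens to live at PAGE_OFFSET + 0x41a. The remainder of the init function, including its return, is elided here.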
41672 diff -urNp linux-2.6.36.1/grsecurity/grsec_link.c linux-2.6.36.1/grsecurity/grsec_link.c
41673 --- linux-2.6.36.1/grsecurity/grsec_link.c 1969-12-31 19:00:00.000000000 -0500
41674 +++ linux-2.6.36.1/grsecurity/grsec_link.c 2010-11-06 18:58:50.000000000 -0400
41676 +#include <linux/kernel.h>
41677 +#include <linux/sched.h>
41678 +#include <linux/fs.h>
41679 +#include <linux/file.h>
41680 +#include <linux/grinternal.h>
41683 +gr_handle_follow_link(const struct inode *parent,
41684 + const struct inode *inode,
41685 + const struct dentry *dentry, const struct vfsmount *mnt)
41687 +#ifdef CONFIG_GRKERNSEC_LINK
41688 + const struct cred *cred = current_cred();
41690 + if (grsec_enable_link && S_ISLNK(inode->i_mode) &&
41691 + (parent->i_mode & S_ISVTX) && (parent->i_uid != inode->i_uid) &&
41692 + (parent->i_mode & S_IWOTH) && (cred->fsuid != inode->i_uid)) {
41693 + gr_log_fs_int2(GR_DONT_AUDIT, GR_SYMLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid);
41701 +gr_handle_hardlink(const struct dentry *dentry,
41702 + const struct vfsmount *mnt,
41703 + struct inode *inode, const int mode, const char *to)
41705 +#ifdef CONFIG_GRKERNSEC_LINK
41706 + const struct cred *cred = current_cred();
41708 + if (grsec_enable_link && cred->fsuid != inode->i_uid &&
41709 + (!S_ISREG(mode) || (mode & S_ISUID) ||
41710 + ((mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
41711 + (generic_permission(inode, MAY_READ | MAY_WRITE, NULL))) &&
41712 + !capable(CAP_FOWNER) && cred->uid) {
41713 + gr_log_fs_int2_str(GR_DONT_AUDIT, GR_HARDLINK_MSG, dentry, mnt, inode->i_uid, inode->i_gid, to);
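Review bot: In gr_handle_hardlink the clause `(generic_permission(inode, MAY_READ | MAY_WRITE, NULL))` on L24935 is true when access is *denied* (the function returns 0 on success), which is the opposite of how the bare call reads; a comment such as `/* generic_permission() returns 0 on success: refuse when the caller cannot read+write the target */` would prevent the next maintainer from "fixing" it. The credentials are also mixed: ownership is compared against `cred->fsuid` (L24932) while the root exemption on L24936 is `cred->uid`, the real uid, so a real-uid-0 task that has dropped CAP_FOWNER is still exempt and a setuid-root helper run by a normal user is exempt only through `capable(CAP_FOWNER)`; if that asymmetry is deliberate it should be stated in a header comment. The same header should document the rule itself – linking to a file you do not own is refused unless it is a regular, non-setuid, non-setgid-executable file you can read and write – and gr_handle_follow_link above deserves the matching one-liner about sticky, world-writable directories. The functions' return statements are elided in this view.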
41719 diff -urNp linux-2.6.36.1/grsecurity/grsec_log.c linux-2.6.36.1/grsecurity/grsec_log.c
41720 --- linux-2.6.36.1/grsecurity/grsec_log.c 1969-12-31 19:00:00.000000000 -0500
41721 +++ linux-2.6.36.1/grsecurity/grsec_log.c 2010-11-06 18:58:50.000000000 -0400
41723 +#include <linux/kernel.h>
41724 +#include <linux/sched.h>
41725 +#include <linux/file.h>
41726 +#include <linux/tty.h>
41727 +#include <linux/fs.h>
41728 +#include <linux/grinternal.h>
41730 +#ifdef CONFIG_TREE_PREEMPT_RCU
41731 +#define DISABLE_PREEMPT() preempt_disable()
41732 +#define ENABLE_PREEMPT() preempt_enable()
41734 +#define DISABLE_PREEMPT()
41735 +#define ENABLE_PREEMPT()
41738 +#define BEGIN_LOCKS(x) \
41739 + DISABLE_PREEMPT(); \
41740 + rcu_read_lock(); \
41741 + read_lock(&tasklist_lock); \
41742 + read_lock(&grsec_exec_file_lock); \
41743 + if (x != GR_DO_AUDIT) \
41744 + spin_lock(&grsec_alert_lock); \
41746 + spin_lock(&grsec_audit_lock)
41748 +#define END_LOCKS(x) \
41749 + if (x != GR_DO_AUDIT) \
41750 + spin_unlock(&grsec_alert_lock); \
41752 + spin_unlock(&grsec_audit_lock); \
41753 + read_unlock(&grsec_exec_file_lock); \
41754 + read_unlock(&tasklist_lock); \
41755 + rcu_read_unlock(); \
41756 + ENABLE_PREEMPT(); \
41757 + if (x == GR_DONT_AUDIT) \
41758 + gr_handle_alertkill(current)
41765 +extern char *gr_alert_log_fmt;
41766 +extern char *gr_audit_log_fmt;
41767 +extern char *gr_alert_log_buf;
41768 +extern char *gr_audit_log_buf;
41770 +static int gr_log_start(int audit)
41772 + char *loglevel = (audit == GR_DO_AUDIT) ? KERN_INFO : KERN_ALERT;
41773 + char *fmt = (audit == GR_DO_AUDIT) ? gr_audit_log_fmt : gr_alert_log_fmt;
41774 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41776 + if (audit == GR_DO_AUDIT)
41779 + if (!grsec_alert_wtime || jiffies - grsec_alert_wtime > CONFIG_GRKERNSEC_FLOODTIME * HZ) {
41780 + grsec_alert_wtime = jiffies;
41781 + grsec_alert_fyet = 0;
41782 + } else if ((jiffies - grsec_alert_wtime < CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {
41783 + grsec_alert_fyet++;
41784 + } else if (grsec_alert_fyet == CONFIG_GRKERNSEC_FLOODBURST) {
41785 + grsec_alert_wtime = jiffies;
41786 + grsec_alert_fyet++;
41787 + printk(KERN_ALERT "grsec: more alerts, logging disabled for %d seconds\n", CONFIG_GRKERNSEC_FLOODTIME);
41789 + } else return FLOODING;
41792 + memset(buf, 0, PAGE_SIZE);
41793 + if (current->signal->curr_ip && gr_acl_is_enabled()) {
41794 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: (%.64s:%c:%.950s) ");
41795 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41796 + } else if (current->signal->curr_ip) {
41797 + sprintf(fmt, "%s%s", loglevel, "grsec: From %pI4: ");
41798 + snprintf(buf, PAGE_SIZE - 1, fmt, ¤t->signal->curr_ip);
41799 + } else if (gr_acl_is_enabled()) {
41800 + sprintf(fmt, "%s%s", loglevel, "grsec: (%.64s:%c:%.950s) ");
41801 + snprintf(buf, PAGE_SIZE - 1, fmt, current->role->rolename, gr_roletype_to_char(), current->acl->filename);
41803 + sprintf(fmt, "%s%s", loglevel, "grsec: ");
41804 + strcpy(buf, fmt);
41807 + return NO_FLOODING;
41810 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41811 + __attribute__ ((format (printf, 2, 0)));
41813 +static void gr_log_middle(int audit, const char *msg, va_list ap)
41815 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41816 + unsigned int len = strlen(buf);
41818 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41823 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41824 + __attribute__ ((format (printf, 2, 3)));
41826 +static void gr_log_middle_varargs(int audit, const char *msg, ...)
41828 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41829 + unsigned int len = strlen(buf);
41832 + va_start(ap, msg);
41833 + vsnprintf(buf + len, PAGE_SIZE - len - 1, msg, ap);
41839 +static void gr_log_end(int audit)
41841 + char *buf = (audit == GR_DO_AUDIT) ? gr_audit_log_buf : gr_alert_log_buf;
41842 + unsigned int len = strlen(buf);
41844 + snprintf(buf + len, PAGE_SIZE - len - 1, DEFAULTSECMSG, DEFAULTSECARGS(current, current_cred(), __task_cred(current->real_parent)));
41845 + printk("%s\n", buf);
41850 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...)
41853 + char *result = (audit == GR_DO_AUDIT) ? "successful" : "denied";
41854 + char *str1, *str2, *str3;
41857 + unsigned long ulong1, ulong2;
41858 + struct dentry *dentry;
41859 + struct vfsmount *mnt;
41860 + struct file *file;
41861 + struct task_struct *task;
41862 + const struct cred *cred, *pcred;
41865 + BEGIN_LOCKS(audit);
41866 + logtype = gr_log_start(audit);
41867 + if (logtype == FLOODING) {
41868 + END_LOCKS(audit);
41871 + va_start(ap, argtypes);
41872 + switch (argtypes) {
41873 + case GR_TTYSNIFF:
41874 + task = va_arg(ap, struct task_struct *);
41875 + gr_log_middle_varargs(audit, msg, &task->signal->curr_ip, gr_task_fullpath0(task), task->comm, task->pid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid);
41877 + case GR_SYSCTL_HIDDEN:
41878 + str1 = va_arg(ap, char *);
41879 + gr_log_middle_varargs(audit, msg, result, str1);
41882 + dentry = va_arg(ap, struct dentry *);
41883 + mnt = va_arg(ap, struct vfsmount *);
41884 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt));
41886 + case GR_RBAC_STR:
41887 + dentry = va_arg(ap, struct dentry *);
41888 + mnt = va_arg(ap, struct vfsmount *);
41889 + str1 = va_arg(ap, char *);
41890 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1);
41892 + case GR_STR_RBAC:
41893 + str1 = va_arg(ap, char *);
41894 + dentry = va_arg(ap, struct dentry *);
41895 + mnt = va_arg(ap, struct vfsmount *);
41896 + gr_log_middle_varargs(audit, msg, result, str1, gr_to_filename(dentry, mnt));
41898 + case GR_RBAC_MODE2:
41899 + dentry = va_arg(ap, struct dentry *);
41900 + mnt = va_arg(ap, struct vfsmount *);
41901 + str1 = va_arg(ap, char *);
41902 + str2 = va_arg(ap, char *);
41903 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2);
41905 + case GR_RBAC_MODE3:
41906 + dentry = va_arg(ap, struct dentry *);
41907 + mnt = va_arg(ap, struct vfsmount *);
41908 + str1 = va_arg(ap, char *);
41909 + str2 = va_arg(ap, char *);
41910 + str3 = va_arg(ap, char *);
41911 + gr_log_middle_varargs(audit, msg, result, gr_to_filename(dentry, mnt), str1, str2, str3);
41913 + case GR_FILENAME:
41914 + dentry = va_arg(ap, struct dentry *);
41915 + mnt = va_arg(ap, struct vfsmount *);
41916 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt));
41918 + case GR_STR_FILENAME:
41919 + str1 = va_arg(ap, char *);
41920 + dentry = va_arg(ap, struct dentry *);
41921 + mnt = va_arg(ap, struct vfsmount *);
41922 + gr_log_middle_varargs(audit, msg, str1, gr_to_filename(dentry, mnt));
41924 + case GR_FILENAME_STR:
41925 + dentry = va_arg(ap, struct dentry *);
41926 + mnt = va_arg(ap, struct vfsmount *);
41927 + str1 = va_arg(ap, char *);
41928 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), str1);
41930 + case GR_FILENAME_TWO_INT:
41931 + dentry = va_arg(ap, struct dentry *);
41932 + mnt = va_arg(ap, struct vfsmount *);
41933 + num1 = va_arg(ap, int);
41934 + num2 = va_arg(ap, int);
41935 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2);
41937 + case GR_FILENAME_TWO_INT_STR:
41938 + dentry = va_arg(ap, struct dentry *);
41939 + mnt = va_arg(ap, struct vfsmount *);
41940 + num1 = va_arg(ap, int);
41941 + num2 = va_arg(ap, int);
41942 + str1 = va_arg(ap, char *);
41943 + gr_log_middle_varargs(audit, msg, gr_to_filename(dentry, mnt), num1, num2, str1);
41946 + file = va_arg(ap, struct file *);
41947 + ulong1 = va_arg(ap, unsigned long);
41948 + ulong2 = va_arg(ap, unsigned long);
41949 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>", ulong1, ulong2);
41952 + task = va_arg(ap, struct task_struct *);
41953 + gr_log_middle_varargs(audit, msg, task->exec_file ? gr_to_filename(task->exec_file->f_path.dentry, task->exec_file->f_path.mnt) : "(none)", task->comm, task->pid);
41955 + case GR_RESOURCE:
41956 + task = va_arg(ap, struct task_struct *);
41957 + cred = __task_cred(task);
41958 + pcred = __task_cred(task->real_parent);
41959 + ulong1 = va_arg(ap, unsigned long);
41960 + str1 = va_arg(ap, char *);
41961 + ulong2 = va_arg(ap, unsigned long);
41962 + gr_log_middle_varargs(audit, msg, ulong1, str1, ulong2, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41965 + task = va_arg(ap, struct task_struct *);
41966 + cred = __task_cred(task);
41967 + pcred = __task_cred(task->real_parent);
41968 + str1 = va_arg(ap, char *);
41969 + gr_log_middle_varargs(audit, msg, str1, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41972 + str1 = va_arg(ap, char *);
41973 + voidptr = va_arg(ap, void *);
41974 + gr_log_middle_varargs(audit, msg, str1, voidptr);
41977 + task = va_arg(ap, struct task_struct *);
41978 + cred = __task_cred(task);
41979 + pcred = __task_cred(task->real_parent);
41980 + num1 = va_arg(ap, int);
41981 + gr_log_middle_varargs(audit, msg, num1, gr_task_fullpath0(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath0(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid);
41984 + task = va_arg(ap, struct task_struct *);
41985 + cred = __task_cred(task);
41986 + pcred = __task_cred(task->real_parent);
41987 + ulong1 = va_arg(ap, unsigned long);
41988 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, cred->uid, ulong1);
41991 + task = va_arg(ap, struct task_struct *);
41992 + cred = __task_cred(task);
41993 + pcred = __task_cred(task->real_parent);
41994 + ulong1 = va_arg(ap, unsigned long);
41995 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, cred->uid, cred->euid, cred->gid, cred->egid, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, pcred->uid, pcred->euid, pcred->gid, pcred->egid, ulong1);
41998 + file = va_arg(ap, struct file *);
41999 + gr_log_middle_varargs(audit, msg, file ? gr_to_filename(file->f_path.dentry, file->f_path.mnt) : "<anonymous mapping>");
42003 + unsigned int wday, cday;
42007 + char cur_tty[64] = { 0 };
42008 + char parent_tty[64] = { 0 };
42010 + task = va_arg(ap, struct task_struct *);
42011 + wday = va_arg(ap, unsigned int);
42012 + cday = va_arg(ap, unsigned int);
42013 + whr = va_arg(ap, int);
42014 + chr = va_arg(ap, int);
42015 + wmin = va_arg(ap, int);
42016 + cmin = va_arg(ap, int);
42017 + wsec = va_arg(ap, int);
42018 + csec = va_arg(ap, int);
42019 + ulong1 = va_arg(ap, unsigned long);
42020 + cred = __task_cred(task);
42021 + pcred = __task_cred(task->real_parent);
42023 + gr_log_middle_varargs(audit, msg, gr_task_fullpath(task), task->comm, task->pid, &task->signal->curr_ip, tty_name(task->signal->tty, cur_tty), cred->uid, cred->euid, cred->gid, cred->egid, wday, whr, wmin, wsec, cday, chr, cmin, csec, (task->flags & PF_SIGNALED) ? "killed by signal" : "exited", ulong1, gr_parent_task_fullpath(task), task->real_parent->comm, task->real_parent->pid, &task->real_parent->signal->curr_ip, tty_name(task->real_parent->signal->tty, parent_tty), pcred->uid, pcred->euid, pcred->gid, pcred->egid);
42027 + gr_log_middle(audit, msg, ap);
42030 + gr_log_end(audit);
42031 + END_LOCKS(audit);
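Review bot: The flood window in gr_log_start has an off-by-one at the boundary: the first branch (L24979) fires for `jiffies - grsec_alert_wtime > FLOODTIME*HZ` and the second (L24982) for `< FLOODTIME*HZ`, so when the difference is exactly `FLOODTIME*HZ` with `grsec_alert_fyet < FLOODBURST` neither matches and the alert falls through to `return FLOODING` and is silently dropped. Changing the second branch to `} else if (time_before_eq(jiffies, grsec_alert_wtime + CONFIG_GRKERNSEC_FLOODTIME * HZ) && (grsec_alert_fyet < CONFIG_GRKERNSEC_FLOODBURST)) {` (and the first to `time_after(...)`) closes the gap and uses the kernel's wrap-safe jiffies comparisons. The `sprintf(fmt, ...)` calls into the 512-byte format buffers only ever concatenate a log-level prefix with a literal, so they are bounded, but a one-line comment on gr_log_start saying so – and that `buf` is PAGE_SIZE and every later append uses `PAGE_SIZE - len - 1` – would make that evident. Also worth a header comment on gr_log_varargs: it must be entered via BEGIN_LOCKS because the task/cred/tty dereferences rely on tasklist_lock, RCU and grsec_exec_file_lock being held.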
42033 diff -urNp linux-2.6.36.1/grsecurity/grsec_mem.c linux-2.6.36.1/grsecurity/grsec_mem.c
42034 --- linux-2.6.36.1/grsecurity/grsec_mem.c 1969-12-31 19:00:00.000000000 -0500
42035 +++ linux-2.6.36.1/grsecurity/grsec_mem.c 2010-11-06 18:58:50.000000000 -0400
42037 +#include <linux/kernel.h>
42038 +#include <linux/sched.h>
42039 +#include <linux/mm.h>
42040 +#include <linux/mman.h>
42041 +#include <linux/grinternal.h>
42044 +gr_handle_ioperm(void)
42046 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPERM_MSG);
42051 +gr_handle_iopl(void)
42053 + gr_log_noargs(GR_DONT_AUDIT, GR_IOPL_MSG);
42058 +gr_handle_mem_write(void)
42060 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_WRITE_MSG);
42065 +gr_handle_kmem_write(void)
42067 + gr_log_noargs(GR_DONT_AUDIT, GR_KMEM_MSG);
42072 +gr_handle_open_port(void)
42074 + gr_log_noargs(GR_DONT_AUDIT, GR_PORT_OPEN_MSG);
42079 +gr_handle_mem_mmap(const unsigned long offset, struct vm_area_struct *vma)
42081 + unsigned long start, end;
42084 + end = start + vma->vm_end - vma->vm_start;
42086 + if (start > end) {
42087 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42091 + /* allowed ranges : ISA I/O BIOS */
42092 + if ((start >= __pa(high_memory))
42093 +#if defined(CONFIG_X86) || defined(CONFIG_PPC)
42094 + || (start >= 0x000a0000 && end <= 0x00100000)
42095 + || (start >= 0x00000000 && end <= 0x00001000)
42100 + if (vma->vm_flags & VM_WRITE) {
42101 + gr_log_noargs(GR_DONT_AUDIT, GR_MEM_MMAP_MSG);
42104 + vma->vm_flags &= ~VM_MAYWRITE;
42110 +gr_log_nonroot_mod_load(const char *modname)
42112 + gr_log_str(GR_DONT_AUDIT, GR_NONROOT_MODLOAD_MSG, modname);
42117 +gr_handle_vm86(void)
42119 + gr_log_noargs(GR_DONT_AUDIT, GR_VM86_MSG);
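Review bot: gr_handle_mem_mmap does not document what `offset` is or what the allow-list on L25176–L25179 means, and both matter for a /dev/mem policy; I would add `/* offset: physical byte address of the mapping start. Allowed as-is: anything at or above __pa(high_memory) (not direct-mapped RAM) and, on x86/PPC, the ISA/BIOS windows [0xa0000,0x100000) and [0,0x1000). Everything else is refused if writable, otherwise mapped with VM_MAYWRITE cleared so it cannot be made writable later. */`. The `start > end` test on L25173 only catches address wrap-around, which is fine given `end` is exclusive and the window checks use `<=`. One thing to confirm: on 32-bit CONFIG_HIGHMEM builds `high_memory` marks the end of the direct-mapped region rather than of physical RAM, so `start >= __pa(high_memory)` may also accept highmem pages – if that is not intended, the bound should come from the max PFN instead. The early-return lines of the function are elided in this view.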
42122 diff -urNp linux-2.6.36.1/grsecurity/grsec_mount.c linux-2.6.36.1/grsecurity/grsec_mount.c
42123 --- linux-2.6.36.1/grsecurity/grsec_mount.c 1969-12-31 19:00:00.000000000 -0500
42124 +++ linux-2.6.36.1/grsecurity/grsec_mount.c 2010-11-06 18:58:50.000000000 -0400
42126 +#include <linux/kernel.h>
42127 +#include <linux/sched.h>
42128 +#include <linux/mount.h>
42129 +#include <linux/grsecurity.h>
42130 +#include <linux/grinternal.h>
42133 +gr_log_remount(const char *devname, const int retval)
42135 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42136 + if (grsec_enable_mount && (retval >= 0))
42137 + gr_log_str(GR_DO_AUDIT, GR_REMOUNT_AUDIT_MSG, devname ? devname : "none");
42143 +gr_log_unmount(const char *devname, const int retval)
42145 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42146 + if (grsec_enable_mount && (retval >= 0))
42147 + gr_log_str(GR_DO_AUDIT, GR_UNMOUNT_AUDIT_MSG, devname ? devname : "none");
42153 +gr_log_mount(const char *from, const char *to, const int retval)
42155 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42156 + if (grsec_enable_mount && (retval >= 0))
42157 + gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from, to);
42163 +gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags)
42165 +#ifdef CONFIG_GRKERNSEC_ROFS
42166 + if (grsec_enable_rofs && !(mnt_flags & MNT_READONLY)) {
42167 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_MOUNT_MSG, dentry, mnt);
42176 +gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode)
42178 +#ifdef CONFIG_GRKERNSEC_ROFS
42179 + if (grsec_enable_rofs && (acc_mode & MAY_WRITE) &&
42180 + dentry->d_inode && S_ISBLK(dentry->d_inode->i_mode)) {
42181 + gr_log_fs_generic(GR_DO_AUDIT, GR_ROFS_BLOCKWRITE_MSG, dentry, mnt);
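Review bot: gr_log_mount passes `from` and `to` straight to gr_log_str_str (L25206), whereas gr_log_remount and gr_log_unmount in the same file substitute `"none"` for a NULL `devname` (L25198, L25202); mount(2) can legitimately arrive with a NULL source, so the audit line should be consistent: `gr_log_str_str(GR_DO_AUDIT, GR_MOUNT_AUDIT_MSG, from ? from : "none", to);`. The kernel's `%s` prints "(null)" rather than crashing, so this is a log-quality inconsistency, not a fault. The two ROFS helpers would also benefit from one-line headers saying they only log and return under `grsec_enable_rofs`, and that gr_handle_rofs_blockwrite deliberately checks `dentry->d_inode` before `S_ISBLK` because it can be called on a negative dentry. Their return statements are elided in this view.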
42188 diff -urNp linux-2.6.36.1/grsecurity/grsec_pax.c linux-2.6.36.1/grsecurity/grsec_pax.c
42189 --- linux-2.6.36.1/grsecurity/grsec_pax.c 1969-12-31 19:00:00.000000000 -0500
42190 +++ linux-2.6.36.1/grsecurity/grsec_pax.c 2010-11-06 18:58:50.000000000 -0400
42192 +#include <linux/kernel.h>
42193 +#include <linux/sched.h>
42194 +#include <linux/mm.h>
42195 +#include <linux/file.h>
42196 +#include <linux/grinternal.h>
42197 +#include <linux/grsecurity.h>
42200 +gr_log_textrel(struct vm_area_struct * vma)
42202 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42203 + if (grsec_enable_audit_textrel)
42204 + gr_log_textrel_ulong_ulong(GR_DO_AUDIT, GR_TEXTREL_AUDIT_MSG, vma->vm_file, vma->vm_start, vma->vm_pgoff);
42210 +gr_log_rwxmmap(struct file *file)
42212 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42213 + if (grsec_enable_log_rwxmaps)
42214 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMMAP_MSG, file);
42220 +gr_log_rwxmprotect(struct file *file)
42222 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42223 + if (grsec_enable_log_rwxmaps)
42224 + gr_log_rwxmap(GR_DONT_AUDIT, GR_RWXMPROTECT_MSG, file);
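Review bot: The three helpers here log at different severities without saying why: gr_log_textrel uses `GR_DO_AUDIT` (info level) while gr_log_rwxmmap and gr_log_rwxmprotect use `GR_DONT_AUDIT`, which in this patch's END_LOCKS (L24968) also routes the event through gr_handle_alertkill(current), so an RWX mapping can trigger the alert-kill path where a text relocation cannot. A header comment on each making that explicit would help, e.g. `/* RWX mmap/mprotect is logged as an alert (KERN_ALERT + alert-kill handling), not as an audit record. */`. It is also worth noting on gr_log_textrel that `vma->vm_file` may be NULL and that the GR_TEXTREL case in gr_log_varargs prints "<anonymous mapping>" in that case.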
42228 diff -urNp linux-2.6.36.1/grsecurity/grsec_ptrace.c linux-2.6.36.1/grsecurity/grsec_ptrace.c
42229 --- linux-2.6.36.1/grsecurity/grsec_ptrace.c 1969-12-31 19:00:00.000000000 -0500
42230 +++ linux-2.6.36.1/grsecurity/grsec_ptrace.c 2010-11-06 18:58:50.000000000 -0400
42232 +#include <linux/kernel.h>
42233 +#include <linux/sched.h>
42234 +#include <linux/grinternal.h>
42235 +#include <linux/grsecurity.h>
42238 +gr_audit_ptrace(struct task_struct *task)
42240 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42241 + if (grsec_enable_audit_ptrace)
42242 + gr_log_ptrace(GR_DO_AUDIT, GR_PTRACE_AUDIT_MSG, task);
42246 diff -urNp linux-2.6.36.1/grsecurity/grsec_sig.c linux-2.6.36.1/grsecurity/grsec_sig.c
42247 --- linux-2.6.36.1/grsecurity/grsec_sig.c 1969-12-31 19:00:00.000000000 -0500
42248 +++ linux-2.6.36.1/grsecurity/grsec_sig.c 2010-11-06 18:58:50.000000000 -0400
42250 +#include <linux/kernel.h>
42251 +#include <linux/sched.h>
42252 +#include <linux/delay.h>
42253 +#include <linux/grsecurity.h>
42254 +#include <linux/grinternal.h>
42256 +char *signames[] = {
42257 + [SIGSEGV] = "Segmentation fault",
42258 + [SIGILL] = "Illegal instruction",
42259 + [SIGABRT] = "Abort",
42260 + [SIGBUS] = "Invalid alignment/Bus error"
42264 +gr_log_signal(const int sig, const void *addr, const struct task_struct *t)
42266 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42267 + if (grsec_enable_signal && ((sig == SIGSEGV) || (sig == SIGILL) ||
42268 + (sig == SIGABRT) || (sig == SIGBUS))) {
42269 + if (t->pid == current->pid) {
42270 + gr_log_sig_addr(GR_DONT_AUDIT_GOOD, GR_UNISIGLOG_MSG, signames[sig], addr);
42272 + gr_log_sig_task(GR_DONT_AUDIT_GOOD, GR_DUALSIGLOG_MSG, t, sig);
42280 +gr_handle_signal(const struct task_struct *p, const int sig)
42282 +#ifdef CONFIG_GRKERNSEC
42283 + if (current->pid > 1 && gr_check_protected_task(p)) {
42284 + gr_log_sig_task(GR_DONT_AUDIT, GR_SIG_ACL_MSG, p, sig);
42286 + } else if (gr_pid_is_chrooted((struct task_struct *)p)) {
42293 +void gr_handle_brute_attach(struct task_struct *p)
42295 +#ifdef CONFIG_GRKERNSEC_BRUTE
42296 + read_lock(&tasklist_lock);
42297 + read_lock(&grsec_exec_file_lock);
42298 + if (p->real_parent && p->real_parent->exec_file == p->exec_file)
42299 + p->real_parent->brute = 1;
42300 + read_unlock(&grsec_exec_file_lock);
42301 + read_unlock(&tasklist_lock);
42306 +void gr_handle_brute_check(void)
42308 +#ifdef CONFIG_GRKERNSEC_BRUTE
42309 + if (current->brute)
42310 + msleep(30 * 1000);
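Review bot: `char *signames[]` on L25256 is a writable, externally visible global holding string literals; it should be `static const char * const signames[] = {` so it lands in rodata and cannot be repointed. The cast `(struct task_struct *)p` on L25272 discards the `const` of the parameter to call gr_pid_is_chrooted – better to give that function a const parameter than to cast here. The brute-force pieces also need a comment: gr_handle_brute_attach marks the *parent* as `brute` only when parent and child share `exec_file`, and gr_handle_brute_check then makes every task with that flag sleep 30 s (`msleep(30 * 1000)`, L25284) – where the flag is cleared is not visible here and should be stated. The function bodies' return paths are elided in this view.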
42315 diff -urNp linux-2.6.36.1/grsecurity/grsec_sock.c linux-2.6.36.1/grsecurity/grsec_sock.c
42316 --- linux-2.6.36.1/grsecurity/grsec_sock.c 1969-12-31 19:00:00.000000000 -0500
42317 +++ linux-2.6.36.1/grsecurity/grsec_sock.c 2010-11-06 18:58:50.000000000 -0400
42319 +#include <linux/kernel.h>
42320 +#include <linux/module.h>
42321 +#include <linux/sched.h>
42322 +#include <linux/file.h>
42323 +#include <linux/net.h>
42324 +#include <linux/in.h>
42325 +#include <linux/ip.h>
42326 +#include <net/sock.h>
42327 +#include <net/inet_sock.h>
42328 +#include <linux/grsecurity.h>
42329 +#include <linux/grinternal.h>
42330 +#include <linux/gracl.h>
42332 +kernel_cap_t gr_cap_rtnetlink(struct sock *sock);
42333 +EXPORT_SYMBOL(gr_cap_rtnetlink);
42335 +extern int gr_search_udp_recvmsg(const struct sock *sk, const struct sk_buff *skb);
42336 +extern int gr_search_udp_sendmsg(const struct sock *sk, const struct sockaddr_in *addr);
42338 +EXPORT_SYMBOL(gr_search_udp_recvmsg);
42339 +EXPORT_SYMBOL(gr_search_udp_sendmsg);
42341 +#ifdef CONFIG_UNIX_MODULE
42342 +EXPORT_SYMBOL(gr_acl_handle_unix);
42343 +EXPORT_SYMBOL(gr_acl_handle_mknod);
42344 +EXPORT_SYMBOL(gr_handle_chroot_unix);
42345 +EXPORT_SYMBOL(gr_handle_create);
42348 +#ifdef CONFIG_GRKERNSEC
42349 +#define gr_conn_table_size 32749
42350 +struct conn_table_entry {
42351 + struct conn_table_entry *next;
42352 + struct signal_struct *sig;
42355 +struct conn_table_entry *gr_conn_table[gr_conn_table_size];
42356 +DEFINE_SPINLOCK(gr_conn_table_lock);
42358 +extern const char * gr_socktype_to_name(unsigned char type);
42359 +extern const char * gr_proto_to_name(unsigned char proto);
42361 +static __inline__ int
42362 +conn_hash(__u32 saddr, __u32 daddr, __u16 sport, __u16 dport, unsigned int size)
42364 + return ((daddr + saddr + (sport << 8) + (dport << 16)) % size);
42367 +static __inline__ int
42368 +conn_match(const struct signal_struct *sig, __u32 saddr, __u32 daddr,
42369 + __u16 sport, __u16 dport)
42371 + if (unlikely(sig->gr_saddr == saddr && sig->gr_daddr == daddr &&
42372 + sig->gr_sport == sport && sig->gr_dport == dport))
42378 +static void gr_add_to_task_ip_table_nolock(struct signal_struct *sig, struct conn_table_entry *newent)
42380 + struct conn_table_entry **match;
42381 + unsigned int index;
42383 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42384 + sig->gr_sport, sig->gr_dport,
42385 + gr_conn_table_size);
42387 + newent->sig = sig;
42389 + match = &gr_conn_table[index];
42390 + newent->next = *match;
42396 +static void gr_del_task_from_ip_table_nolock(struct signal_struct *sig)
42398 + struct conn_table_entry *match, *last = NULL;
42399 + unsigned int index;
42401 + index = conn_hash(sig->gr_saddr, sig->gr_daddr,
42402 + sig->gr_sport, sig->gr_dport,
42403 + gr_conn_table_size);
42405 + match = gr_conn_table[index];
42406 + while (match && !conn_match(match->sig,
42407 + sig->gr_saddr, sig->gr_daddr, sig->gr_sport,
42408 + sig->gr_dport)) {
42410 + match = match->next;
42415 + last->next = match->next;
42417 + gr_conn_table[index] = NULL;
42424 +static struct signal_struct * gr_lookup_task_ip_table(__u32 saddr, __u32 daddr,
42425 + __u16 sport, __u16 dport)
42427 + struct conn_table_entry *match;
42428 + unsigned int index;
42430 + index = conn_hash(saddr, daddr, sport, dport, gr_conn_table_size);
42432 + match = gr_conn_table[index];
42433 + while (match && !conn_match(match->sig, saddr, daddr, sport, dport))
42434 + match = match->next;
42437 + return match->sig;
42444 +void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet)
42446 +#ifdef CONFIG_GRKERNSEC
42447 + struct signal_struct *sig = task->signal;
42448 + struct conn_table_entry *newent;
42450 + newent = kmalloc(sizeof(struct conn_table_entry), GFP_ATOMIC);
42451 + if (newent == NULL)
42453 + /* no bh lock needed since we are called with bh disabled */
42454 + spin_lock(&gr_conn_table_lock);
42455 + gr_del_task_from_ip_table_nolock(sig);
42456 + sig->gr_saddr = inet->inet_rcv_saddr;
42457 + sig->gr_daddr = inet->inet_daddr;
42458 + sig->gr_sport = inet->inet_sport;
42459 + sig->gr_dport = inet->inet_dport;
42460 + gr_add_to_task_ip_table_nolock(sig, newent);
42461 + spin_unlock(&gr_conn_table_lock);
42466 +void gr_del_task_from_ip_table(struct task_struct *task)
42468 +#ifdef CONFIG_GRKERNSEC
42469 + spin_lock_bh(&gr_conn_table_lock);
42470 + gr_del_task_from_ip_table_nolock(task->signal);
42471 + spin_unlock_bh(&gr_conn_table_lock);
42477 +gr_attach_curr_ip(const struct sock *sk)
42479 +#ifdef CONFIG_GRKERNSEC
42480 + struct signal_struct *p, *set;
42481 + const struct inet_sock *inet = inet_sk(sk);
42483 + if (unlikely(sk->sk_protocol != IPPROTO_TCP))
42486 + set = current->signal;
42488 + spin_lock_bh(&gr_conn_table_lock);
42489 + p = gr_lookup_task_ip_table(inet->inet_daddr, inet->inet_rcv_saddr,
42490 + inet->inet_dport, inet->inet_sport);
42491 + if (unlikely(p != NULL)) {
42492 + set->curr_ip = p->curr_ip;
42493 + set->used_accept = 1;
42494 + gr_del_task_from_ip_table_nolock(p);
42495 + spin_unlock_bh(&gr_conn_table_lock);
42498 + spin_unlock_bh(&gr_conn_table_lock);
42500 + set->curr_ip = inet->inet_daddr;
42501 + set->used_accept = 1;
42507 +gr_handle_sock_all(const int family, const int type, const int protocol)
42509 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42510 + if (grsec_enable_socket_all && in_group_p(grsec_socket_all_gid) &&
42511 + (family != AF_UNIX) && (family != AF_LOCAL)) {
42512 + gr_log_int_str2(GR_DONT_AUDIT, GR_SOCK2_MSG, family, gr_socktype_to_name(type), gr_proto_to_name(protocol));
42520 +gr_handle_sock_server(const struct sockaddr *sck)
42522 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42523 + if (grsec_enable_socket_server &&
42524 + in_group_p(grsec_socket_server_gid) &&
42525 + sck && (sck->sa_family != AF_UNIX) &&
42526 + (sck->sa_family != AF_LOCAL)) {
42527 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42535 +gr_handle_sock_server_other(const struct sock *sck)
42537 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42538 + if (grsec_enable_socket_server &&
42539 + in_group_p(grsec_socket_server_gid) &&
42540 + sck && (sck->sk_family != AF_UNIX) &&
42541 + (sck->sk_family != AF_LOCAL)) {
42542 + gr_log_noargs(GR_DONT_AUDIT, GR_BIND_MSG);
42550 +gr_handle_sock_client(const struct sockaddr *sck)
42552 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42553 + if (grsec_enable_socket_client && in_group_p(grsec_socket_client_gid) &&
42554 + sck && (sck->sa_family != AF_UNIX) &&
42555 + (sck->sa_family != AF_LOCAL)) {
42556 + gr_log_noargs(GR_DONT_AUDIT, GR_CONNECT_MSG);
42564 +gr_cap_rtnetlink(struct sock *sock)
42566 +#ifdef CONFIG_GRKERNSEC
42567 + if (!gr_acl_is_enabled())
42568 + return current_cap();
42569 + else if (sock->sk_protocol == NETLINK_ISCSI &&
42570 + cap_raised(current_cap(), CAP_SYS_ADMIN) &&
42571 + gr_is_capable(CAP_SYS_ADMIN))
42572 + return current_cap();
42573 + else if (sock->sk_protocol == NETLINK_AUDIT &&
42574 + cap_raised(current_cap(), CAP_AUDIT_WRITE) &&
42575 + gr_is_capable(CAP_AUDIT_WRITE) &&
42576 + cap_raised(current_cap(), CAP_AUDIT_CONTROL) &&
42577 + gr_is_capable(CAP_AUDIT_CONTROL))
42578 + return current_cap();
42579 + else if (cap_raised(current_cap(), CAP_NET_ADMIN) &&
42580 + ((sock->sk_protocol == NETLINK_ROUTE) ?
42581 + gr_is_capable_nolog(CAP_NET_ADMIN) :
42582 + gr_is_capable(CAP_NET_ADMIN)))
42583 + return current_cap();
42585 + return __cap_empty_set;
42587 + return current_cap();
42590 diff -urNp linux-2.6.36.1/grsecurity/grsec_sysctl.c linux-2.6.36.1/grsecurity/grsec_sysctl.c
42591 --- linux-2.6.36.1/grsecurity/grsec_sysctl.c 1969-12-31 19:00:00.000000000 -0500
42592 +++ linux-2.6.36.1/grsecurity/grsec_sysctl.c 2010-11-06 18:58:50.000000000 -0400
42594 +#include <linux/kernel.h>
42595 +#include <linux/sched.h>
42596 +#include <linux/sysctl.h>
42597 +#include <linux/grsecurity.h>
42598 +#include <linux/grinternal.h>
42601 +gr_handle_sysctl_mod(const char *dirname, const char *name, const int op)
42603 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42604 + if (!strcmp(dirname, "grsecurity") && grsec_lock && (op & MAY_WRITE)) {
42605 + gr_log_str(GR_DONT_AUDIT, GR_SYSCTL_MSG, name);
42612 +#ifdef CONFIG_GRKERNSEC_ROFS
42613 +static int __maybe_unused one = 1;
42616 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
42617 +struct ctl_table grsecurity_table[] = {
42618 +#ifdef CONFIG_GRKERNSEC_SYSCTL
42619 +#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
42620 +#ifdef CONFIG_GRKERNSEC_IO
42622 + .procname = "disable_priv_io",
42623 + .data = &grsec_disable_privio,
42624 + .maxlen = sizeof(int),
42626 + .proc_handler = &proc_dointvec,
42630 +#ifdef CONFIG_GRKERNSEC_LINK
42632 + .procname = "linking_restrictions",
42633 + .data = &grsec_enable_link,
42634 + .maxlen = sizeof(int),
42636 + .proc_handler = &proc_dointvec,
42639 +#ifdef CONFIG_GRKERNSEC_FIFO
42641 + .procname = "fifo_restrictions",
42642 + .data = &grsec_enable_fifo,
42643 + .maxlen = sizeof(int),
42645 + .proc_handler = &proc_dointvec,
42648 +#ifdef CONFIG_GRKERNSEC_EXECVE
42650 + .procname = "execve_limiting",
42651 + .data = &grsec_enable_execve,
42652 + .maxlen = sizeof(int),
42654 + .proc_handler = &proc_dointvec,
42657 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
42659 + .procname = "ip_blackhole",
42660 + .data = &grsec_enable_blackhole,
42661 + .maxlen = sizeof(int),
42663 + .proc_handler = &proc_dointvec,
42666 + .procname = "lastack_retries",
42667 + .data = &grsec_lastack_retries,
42668 + .maxlen = sizeof(int),
42670 + .proc_handler = &proc_dointvec,
42673 +#ifdef CONFIG_GRKERNSEC_EXECLOG
42675 + .procname = "exec_logging",
42676 + .data = &grsec_enable_execlog,
42677 + .maxlen = sizeof(int),
42679 + .proc_handler = &proc_dointvec,
42682 +#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
42684 + .procname = "rwxmap_logging",
42685 + .data = &grsec_enable_log_rwxmaps,
42686 + .maxlen = sizeof(int),
42688 + .proc_handler = &proc_dointvec,
42691 +#ifdef CONFIG_GRKERNSEC_SIGNAL
42693 + .procname = "signal_logging",
42694 + .data = &grsec_enable_signal,
42695 + .maxlen = sizeof(int),
42697 + .proc_handler = &proc_dointvec,
42700 +#ifdef CONFIG_GRKERNSEC_FORKFAIL
42702 + .procname = "forkfail_logging",
42703 + .data = &grsec_enable_forkfail,
42704 + .maxlen = sizeof(int),
42706 + .proc_handler = &proc_dointvec,
42709 +#ifdef CONFIG_GRKERNSEC_TIME
42711 + .procname = "timechange_logging",
42712 + .data = &grsec_enable_time,
42713 + .maxlen = sizeof(int),
42715 + .proc_handler = &proc_dointvec,
42718 +#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
42720 + .procname = "chroot_deny_shmat",
42721 + .data = &grsec_enable_chroot_shmat,
42722 + .maxlen = sizeof(int),
42724 + .proc_handler = &proc_dointvec,
42727 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
42729 + .procname = "chroot_deny_unix",
42730 + .data = &grsec_enable_chroot_unix,
42731 + .maxlen = sizeof(int),
42733 + .proc_handler = &proc_dointvec,
42736 +#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
42738 + .procname = "chroot_deny_mount",
42739 + .data = &grsec_enable_chroot_mount,
42740 + .maxlen = sizeof(int),
42742 + .proc_handler = &proc_dointvec,
42745 +#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
42747 + .procname = "chroot_deny_fchdir",
42748 + .data = &grsec_enable_chroot_fchdir,
42749 + .maxlen = sizeof(int),
42751 + .proc_handler = &proc_dointvec,
42754 +#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
42756 + .procname = "chroot_deny_chroot",
42757 + .data = &grsec_enable_chroot_double,
42758 + .maxlen = sizeof(int),
42760 + .proc_handler = &proc_dointvec,
42763 +#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
42765 + .procname = "chroot_deny_pivot",
42766 + .data = &grsec_enable_chroot_pivot,
42767 + .maxlen = sizeof(int),
42769 + .proc_handler = &proc_dointvec,
42772 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
42774 + .procname = "chroot_enforce_chdir",
42775 + .data = &grsec_enable_chroot_chdir,
42776 + .maxlen = sizeof(int),
42778 + .proc_handler = &proc_dointvec,
42781 +#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
42783 + .procname = "chroot_deny_chmod",
42784 + .data = &grsec_enable_chroot_chmod,
42785 + .maxlen = sizeof(int),
42787 + .proc_handler = &proc_dointvec,
42790 +#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
42792 + .procname = "chroot_deny_mknod",
42793 + .data = &grsec_enable_chroot_mknod,
42794 + .maxlen = sizeof(int),
42796 + .proc_handler = &proc_dointvec,
42799 +#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
42801 + .procname = "chroot_restrict_nice",
42802 + .data = &grsec_enable_chroot_nice,
42803 + .maxlen = sizeof(int),
42805 + .proc_handler = &proc_dointvec,
42808 +#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
42810 + .procname = "chroot_execlog",
42811 + .data = &grsec_enable_chroot_execlog,
42812 + .maxlen = sizeof(int),
42814 + .proc_handler = &proc_dointvec,
42817 +#ifdef CONFIG_GRKERNSEC_CHROOT_CAPS
42819 + .procname = "chroot_caps",
42820 + .data = &grsec_enable_chroot_caps,
42821 + .maxlen = sizeof(int),
42823 + .proc_handler = &proc_dointvec,
42826 +#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
42828 + .procname = "chroot_deny_sysctl",
42829 + .data = &grsec_enable_chroot_sysctl,
42830 + .maxlen = sizeof(int),
42832 + .proc_handler = &proc_dointvec,
42835 +#ifdef CONFIG_GRKERNSEC_TPE
42837 + .procname = "tpe",
42838 + .data = &grsec_enable_tpe,
42839 + .maxlen = sizeof(int),
42841 + .proc_handler = &proc_dointvec,
42844 + .procname = "tpe_gid",
42845 + .data = &grsec_tpe_gid,
42846 + .maxlen = sizeof(int),
42848 + .proc_handler = &proc_dointvec,
42851 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
42853 + .procname = "tpe_invert",
42854 + .data = &grsec_enable_tpe_invert,
42855 + .maxlen = sizeof(int),
42857 + .proc_handler = &proc_dointvec,
42860 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
42862 + .procname = "tpe_restrict_all",
42863 + .data = &grsec_enable_tpe_all,
42864 + .maxlen = sizeof(int),
42866 + .proc_handler = &proc_dointvec,
42869 +#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
42871 + .procname = "socket_all",
42872 + .data = &grsec_enable_socket_all,
42873 + .maxlen = sizeof(int),
42875 + .proc_handler = &proc_dointvec,
42878 + .procname = "socket_all_gid",
42879 + .data = &grsec_socket_all_gid,
42880 + .maxlen = sizeof(int),
42882 + .proc_handler = &proc_dointvec,
42885 +#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
42887 + .procname = "socket_client",
42888 + .data = &grsec_enable_socket_client,
42889 + .maxlen = sizeof(int),
42891 + .proc_handler = &proc_dointvec,
42894 + .procname = "socket_client_gid",
42895 + .data = &grsec_socket_client_gid,
42896 + .maxlen = sizeof(int),
42898 + .proc_handler = &proc_dointvec,
42901 +#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
42903 + .procname = "socket_server",
42904 + .data = &grsec_enable_socket_server,
42905 + .maxlen = sizeof(int),
42907 + .proc_handler = &proc_dointvec,
42910 + .procname = "socket_server_gid",
42911 + .data = &grsec_socket_server_gid,
42912 + .maxlen = sizeof(int),
42914 + .proc_handler = &proc_dointvec,
42917 +#ifdef CONFIG_GRKERNSEC_AUDIT_GROUP
42919 + .procname = "audit_group",
42920 + .data = &grsec_enable_group,
42921 + .maxlen = sizeof(int),
42923 + .proc_handler = &proc_dointvec,
42926 + .procname = "audit_gid",
42927 + .data = &grsec_audit_gid,
42928 + .maxlen = sizeof(int),
42930 + .proc_handler = &proc_dointvec,
42933 +#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
42935 + .procname = "audit_chdir",
42936 + .data = &grsec_enable_chdir,
42937 + .maxlen = sizeof(int),
42939 + .proc_handler = &proc_dointvec,
42942 +#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
42944 + .procname = "audit_mount",
42945 + .data = &grsec_enable_mount,
42946 + .maxlen = sizeof(int),
42948 + .proc_handler = &proc_dointvec,
42951 +#ifdef CONFIG_GRKERNSEC_AUDIT_TEXTREL
42953 + .procname = "audit_textrel",
42954 + .data = &grsec_enable_audit_textrel,
42955 + .maxlen = sizeof(int),
42957 + .proc_handler = &proc_dointvec,
42960 +#ifdef CONFIG_GRKERNSEC_DMESG
42962 + .procname = "dmesg",
42963 + .data = &grsec_enable_dmesg,
42964 + .maxlen = sizeof(int),
42966 + .proc_handler = &proc_dointvec,
42969 +#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
42971 + .procname = "chroot_findtask",
42972 + .data = &grsec_enable_chroot_findtask,
42973 + .maxlen = sizeof(int),
42975 + .proc_handler = &proc_dointvec,
42978 +#ifdef CONFIG_GRKERNSEC_RESLOG
42980 + .procname = "resource_logging",
42981 + .data = &grsec_resource_logging,
42982 + .maxlen = sizeof(int),
42984 + .proc_handler = &proc_dointvec,
42987 +#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
42989 + .procname = "audit_ptrace",
42990 + .data = &grsec_enable_audit_ptrace,
42991 + .maxlen = sizeof(int),
42993 + .proc_handler = &proc_dointvec,
42996 +#ifdef CONFIG_GRKERNSEC_HARDEN_PTRACE
42998 + .procname = "harden_ptrace",
42999 + .data = &grsec_enable_harden_ptrace,
43000 + .maxlen = sizeof(int),
43002 + .proc_handler = &proc_dointvec,
43006 + .procname = "grsec_lock",
43007 + .data = &grsec_lock,
43008 + .maxlen = sizeof(int),
43010 + .proc_handler = &proc_dointvec,
43013 +#ifdef CONFIG_GRKERNSEC_ROFS
43015 + .procname = "romount_protect",
43016 + .data = &grsec_enable_rofs,
43017 + .maxlen = sizeof(int),
43019 + .proc_handler = &proc_dointvec_minmax,
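Review bot: Every on/off flag in grsecurity_table, from `disable_priv_io` through `harden_ptrace` and including `grsec_lock` itself, is exposed through `proc_dointvec`, which accepts any int (negative values included), while only `romount_protect` at the end of the table uses `proc_dointvec_minmax`. Since these flags are only ever tested as booleans, the same `.proc_handler = &proc_dointvec_minmax, .extra1 = &zero, .extra2 = &one` bound would keep an `echo 2` or `echo -1` from storing a value no code path expects; `one` is currently defined only under CONFIG_GRKERNSEC_ROFS, so it and a matching `zero` would have to be hoisted above that `#ifdef`. The `.mode` fields are not among the visible lines, so whether the entries are root-writable only cannot be confirmed from here, but it matters: `gr_handle_sysctl_mod` refuses writes under the "grsecurity" directory only after `grsec_lock` is set, so any non-root write permission on these entries bypasses the whole lock scheme. The table's closing entries are outside the visible lines.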
43027 diff -urNp linux-2.6.36.1/grsecurity/grsec_time.c linux-2.6.36.1/grsecurity/grsec_time.c
43028 --- linux-2.6.36.1/grsecurity/grsec_time.c 1969-12-31 19:00:00.000000000 -0500
43029 +++ linux-2.6.36.1/grsecurity/grsec_time.c 2010-11-06 18:58:50.000000000 -0400
43031 +#include <linux/kernel.h>
43032 +#include <linux/sched.h>
43033 +#include <linux/grinternal.h>
43036 +gr_log_timechange(void)
43038 +#ifdef CONFIG_GRKERNSEC_TIME
43039 + if (grsec_enable_time)
43040 + gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
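Review bot: gr_log_timechange has no header comment stating what counts as a "time change" or which call sites are expected to invoke it, and the visible body only emits `GR_TIME_MSG` with no arguments when `grsec_enable_time` is set, so the resulting record cannot tell an analyst which clock-setting path fired. A comment such as `/* Audit hook: record that a clock-setting call succeeded; callers outside this file decide which calls qualify. */` would make the contract explicit. If a `gr_log_str`-style variant is available, passing the syscall name through would make the log actionable; the callers are not visible here, so this is a suggestion rather than a defect. The function's closing lines are outside the visible hunk.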
43044 diff -urNp linux-2.6.36.1/grsecurity/grsec_tpe.c linux-2.6.36.1/grsecurity/grsec_tpe.c
43045 --- linux-2.6.36.1/grsecurity/grsec_tpe.c 1969-12-31 19:00:00.000000000 -0500
43046 +++ linux-2.6.36.1/grsecurity/grsec_tpe.c 2010-11-06 18:58:50.000000000 -0400
43048 +#include <linux/kernel.h>
43049 +#include <linux/sched.h>
43050 +#include <linux/file.h>
43051 +#include <linux/fs.h>
43052 +#include <linux/grinternal.h>
43054 +extern int gr_acl_tpe_check(void);
43057 +gr_tpe_allow(const struct file *file)
43059 +#ifdef CONFIG_GRKERNSEC
43060 + struct inode *inode = file->f_path.dentry->d_parent->d_inode;
43061 + const struct cred *cred = current_cred();
43063 + if (cred->uid && ((grsec_enable_tpe &&
43064 +#ifdef CONFIG_GRKERNSEC_TPE_INVERT
43065 + ((grsec_enable_tpe_invert && !in_group_p(grsec_tpe_gid)) ||
43066 + (!grsec_enable_tpe_invert && in_group_p(grsec_tpe_gid)))
43068 + in_group_p(grsec_tpe_gid)
43070 + ) || gr_acl_tpe_check()) &&
43071 + (inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) ||
43072 + (inode->i_mode & S_IWOTH))))) {
43073 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
43076 +#ifdef CONFIG_GRKERNSEC_TPE_ALL
43077 + if (cred->uid && grsec_enable_tpe && grsec_enable_tpe_all &&
43078 + ((inode->i_uid && (inode->i_uid != cred->uid)) ||
43079 + (inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))) {
43080 + gr_log_fs_generic(GR_DONT_AUDIT, GR_EXEC_TPE_MSG, file->f_path.dentry, file->f_path.mnt);
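Review bot: The first condition in gr_tpe_allow carries a redundant term, `(inode->i_uid || (!inode->i_uid && ((inode->i_mode & S_IWGRP) || (inode->i_mode & S_IWOTH))))`; `(inode->i_uid || (inode->i_mode & (S_IWGRP | S_IWOTH)))` is equivalent, and the same mask simplification applies to the `S_IWGRP`/`S_IWOTH` pair in the TPE_ALL branch. More importantly, `inode` is taken from `file->f_path.dentry->d_parent->d_inode` without `dget_parent()` or any rename-lock protection, so the directory consulted can change under a concurrent rename; whether the caller holds something that makes this safe is not visible in this hunk. Both checks examine only the parent directory's owner and mode (the classic TPE rule) and never the executable's own ownership, which deserves a header comment so readers do not assume otherwise, e.g. `/* TPE: trust is decided by the containing directory (root-owned and not group/world writable), not by the binary itself. */`. The function's return statements and closing brace are outside the visible lines.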
43087 diff -urNp linux-2.6.36.1/grsecurity/grsum.c linux-2.6.36.1/grsecurity/grsum.c
43088 --- linux-2.6.36.1/grsecurity/grsum.c 1969-12-31 19:00:00.000000000 -0500
43089 +++ linux-2.6.36.1/grsecurity/grsum.c 2010-11-06 18:58:50.000000000 -0400
43091 +#include <linux/err.h>
43092 +#include <linux/kernel.h>
43093 +#include <linux/sched.h>
43094 +#include <linux/mm.h>
43095 +#include <linux/scatterlist.h>
43096 +#include <linux/crypto.h>
43097 +#include <linux/gracl.h>
43100 +#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
43101 +#error "crypto and sha256 must be built into the kernel"
43105 +chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
43108 + struct crypto_hash *tfm;
43109 + struct hash_desc desc;
43110 + struct scatterlist sg;
43111 + unsigned char temp_sum[GR_SHA_LEN];
43112 + volatile int retval = 0;
43113 + volatile int dummy = 0;
43116 + sg_init_table(&sg, 1);
43118 + tfm = crypto_alloc_hash("sha256", 0, CRYPTO_ALG_ASYNC);
43119 + if (IS_ERR(tfm)) {
43120 + /* should never happen, since sha256 should be built in */
43127 + crypto_hash_init(&desc);
43130 + sg_set_buf(&sg, p, GR_SALT_LEN);
43131 + crypto_hash_update(&desc, &sg, sg.length);
43134 + sg_set_buf(&sg, p, strlen(p));
43136 + crypto_hash_update(&desc, &sg, sg.length);
43138 + crypto_hash_final(&desc, temp_sum);
43140 + memset(entry->pw, 0, GR_PW_LEN);
43142 + for (i = 0; i < GR_SHA_LEN; i++)
43143 + if (sum[i] != temp_sum[i])
43146 + dummy = 1; // waste a cycle
43148 + crypto_free_hash(tfm);
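Review bot: chkpw never checks the return values of `crypto_hash_init`, `crypto_hash_update` and `crypto_hash_final`, so a transform failure would leave `temp_sum` uninitialised and the comparison loop would then decide authentication on stack garbage; each call should be checked and the function should fail closed, e.g. `if (crypto_hash_init(&desc)) goto out_free;` with the label placed just before the existing `crypto_free_hash(tfm)`. The second update hashes `strlen(p)` bytes of what appears to be the password buffer later zeroed as `entry->pw`; if that buffer arrives from userspace without a guaranteed terminator, `strnlen(p, GR_PW_LEN)` bounds the read — the assignment of `p` is not among the visible lines, so confirm. `temp_sum` is left on the stack after the compare; a `memset(temp_sum, 0, sizeof(temp_sum))` before freeing the tfm is cheap, and the compare loop's constant-time intent (the `volatile` `dummy`) should be stated in a comment since its closing lines are not visible here. A header comment should also record that the stored digest is a single unstretched SHA-256 over salt||password, so anyone who can read the policy file obtains an offline brute-force target that the in-kernel lockout (GRKERNSEC_ACL_MAXTRIES) does not slow down.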
43152 diff -urNp linux-2.6.36.1/grsecurity/Kconfig linux-2.6.36.1/grsecurity/Kconfig
43153 --- linux-2.6.36.1/grsecurity/Kconfig 1969-12-31 19:00:00.000000000 -0500
43154 +++ linux-2.6.36.1/grsecurity/Kconfig 2010-11-13 16:29:01.000000000 -0500
43157 +# grecurity configuration
43163 + bool "Grsecurity"
43165 + select CRYPTO_SHA256
43167 + If you say Y here, you will be able to configure many features
43168 + that will enhance the security of your system. It is highly
43169 + recommended that you say Y here and read through the help
43170 + for each option so that you fully understand the features and
43171 + can evaluate their usefulness for your machine.
43174 + prompt "Security Level"
43175 + depends on GRKERNSEC
43176 + default GRKERNSEC_CUSTOM
43178 +config GRKERNSEC_LOW
43180 + select GRKERNSEC_LINK
43181 + select GRKERNSEC_FIFO
43182 + select GRKERNSEC_EXECVE
43183 + select GRKERNSEC_RANDNET
43184 + select GRKERNSEC_DMESG
43185 + select GRKERNSEC_CHROOT
43186 + select GRKERNSEC_CHROOT_CHDIR
43189 + If you choose this option, several of the grsecurity options will
43190 + be enabled that will give you greater protection against a number
43191 + of attacks, while assuring that none of your software will have any
43192 + conflicts with the additional security measures. If you run a lot
43193 + of unusual software, or you are having problems with the higher
43194 + security levels, you should say Y here. With this option, the
43195 + following features are enabled:
43197 + - Linking restrictions
43198 + - FIFO restrictions
43199 + - Enforcing RLIMIT_NPROC on execve
43200 + - Restricted dmesg
43201 + - Enforced chdir("/") on chroot
43202 + - Runtime module disabling
43204 +config GRKERNSEC_MEDIUM
43207 + select PAX_EI_PAX
43208 + select PAX_PT_PAX_FLAGS
43209 + select PAX_HAVE_ACL_FLAGS
43210 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43211 + select GRKERNSEC_CHROOT
43212 + select GRKERNSEC_CHROOT_SYSCTL
43213 + select GRKERNSEC_LINK
43214 + select GRKERNSEC_FIFO
43215 + select GRKERNSEC_EXECVE
43216 + select GRKERNSEC_DMESG
43217 + select GRKERNSEC_RANDNET
43218 + select GRKERNSEC_FORKFAIL
43219 + select GRKERNSEC_TIME
43220 + select GRKERNSEC_SIGNAL
43221 + select GRKERNSEC_CHROOT
43222 + select GRKERNSEC_CHROOT_UNIX
43223 + select GRKERNSEC_CHROOT_MOUNT
43224 + select GRKERNSEC_CHROOT_PIVOT
43225 + select GRKERNSEC_CHROOT_DOUBLE
43226 + select GRKERNSEC_CHROOT_CHDIR
43227 + select GRKERNSEC_CHROOT_MKNOD
43228 + select GRKERNSEC_PROC
43229 + select GRKERNSEC_PROC_USERGROUP
43230 + select PAX_RANDUSTACK
43232 + select PAX_RANDMMAP
43233 + select PAX_REFCOUNT if (X86 || SPARC64)
43234 + select PAX_USERCOPY if ((X86 || SPARC32 || SPARC64 || PPC) && (SLAB || SLUB || SLOB))
43237 + If you say Y here, several features in addition to those included
43238 + in the low additional security level will be enabled. These
43239 + features provide even more security to your system, though in rare
43240 + cases they may be incompatible with very old or poorly written
43241 + software. If you enable this option, make sure that your auth
43242 + service (identd) is running as gid 1001. With this option,
43243 + the following features (in addition to those provided in the
43244 + low additional security level) will be enabled:
43246 + - Failed fork logging
43247 + - Time change logging
43249 + - Deny mounts in chroot
43250 + - Deny double chrooting
43251 + - Deny sysctl writes in chroot
43252 + - Deny mknod in chroot
43253 + - Deny access to abstract AF_UNIX sockets out of chroot
43254 + - Deny pivot_root in chroot
43255 + - Denied writes of /dev/kmem, /dev/mem, and /dev/port
43256 + - /proc restrictions with special GID set to 10 (usually wheel)
43257 + - Address Space Layout Randomization (ASLR)
43258 + - Prevent exploitation of most refcount overflows
43259 + - Bounds checking of copying between the kernel and userland
43261 +config GRKERNSEC_HIGH
43263 + select GRKERNSEC_LINK
43264 + select GRKERNSEC_FIFO
43265 + select GRKERNSEC_EXECVE
43266 + select GRKERNSEC_DMESG
43267 + select GRKERNSEC_FORKFAIL
43268 + select GRKERNSEC_TIME
43269 + select GRKERNSEC_SIGNAL
43270 + select GRKERNSEC_CHROOT
43271 + select GRKERNSEC_CHROOT_SHMAT
43272 + select GRKERNSEC_CHROOT_UNIX
43273 + select GRKERNSEC_CHROOT_MOUNT
43274 + select GRKERNSEC_CHROOT_FCHDIR
43275 + select GRKERNSEC_CHROOT_PIVOT
43276 + select GRKERNSEC_CHROOT_DOUBLE
43277 + select GRKERNSEC_CHROOT_CHDIR
43278 + select GRKERNSEC_CHROOT_MKNOD
43279 + select GRKERNSEC_CHROOT_CAPS
43280 + select GRKERNSEC_CHROOT_SYSCTL
43281 + select GRKERNSEC_CHROOT_FINDTASK
43282 + select GRKERNSEC_PROC
43283 + select GRKERNSEC_PROC_MEMMAP if (PAX_NOEXEC || PAX_ASLR)
43284 + select GRKERNSEC_HIDESYM
43285 + select GRKERNSEC_BRUTE
43286 + select GRKERNSEC_PROC_USERGROUP
43287 + select GRKERNSEC_KMEM
43288 + select GRKERNSEC_RESLOG
43289 + select GRKERNSEC_RANDNET
43290 + select GRKERNSEC_PROC_ADD
43291 + select GRKERNSEC_CHROOT_CHMOD
43292 + select GRKERNSEC_CHROOT_NICE
43293 + select GRKERNSEC_AUDIT_MOUNT
43294 + select GRKERNSEC_MODHARDEN if (MODULES)
43295 + select GRKERNSEC_HARDEN_PTRACE
43296 + select GRKERNSEC_VM86 if (X86_32)
43298 + select PAX_RANDUSTACK
43300 + select PAX_RANDMMAP
43301 + select PAX_NOEXEC
43302 + select PAX_MPROTECT
43303 + select PAX_EI_PAX
43304 + select PAX_PT_PAX_FLAGS
43305 + select PAX_HAVE_ACL_FLAGS
43306 + select PAX_KERNEXEC if ((PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN)
43307 + select PAX_MEMORY_UDEREF if (X86 && !XEN)
43308 + select PAX_RANDKSTACK if (X86_TSC && !X86_64)
43309 + select PAX_SEGMEXEC if (X86_32)
43310 + select PAX_PAGEEXEC
43311 + select PAX_EMUPLT if (ALPHA || PARISC || SPARC32 || SPARC64)
43312 + select PAX_EMUTRAMP if (PARISC)
43313 + select PAX_EMUSIGRT if (PARISC)
43314 + select PAX_ETEXECRELOCS if (ALPHA || IA64 || PARISC)
43315 + select PAX_ELFRELOCS if (PAX_ETEXECRELOCS || (IA64 || PPC || X86))
43316 + select PAX_REFCOUNT if (X86 || SPARC64)
43317 + select PAX_USERCOPY if ((X86 || PPC || SPARC32 || SPARC64) && (SLAB || SLUB || SLOB))
43319 + If you say Y here, many of the features of grsecurity will be
43320 + enabled, which will protect you against many kinds of attacks
43321 + against your system. The heightened security comes at a cost
43322 + of an increased chance of incompatibilities with rare software
43323 + on your machine. Since this security level enables PaX, you should
43324 + view <http://pax.grsecurity.net> and read about the PaX
43325 + project. While you are there, download chpax and run it on
43326 + binaries that cause problems with PaX. Also remember that
43327 + since the /proc restrictions are enabled, you must run your
43328 + identd as gid 1001. This security level enables the following
43329 + features in addition to those listed in the low and medium
43332 + - Additional /proc restrictions
43333 + - Chmod restrictions in chroot
43334 + - No signals, ptrace, or viewing of processes outside of chroot
43335 + - Capability restrictions in chroot
43336 + - Deny fchdir out of chroot
43337 + - Priority restrictions in chroot
43338 + - Segmentation-based implementation of PaX
43339 + - Mprotect restrictions
43340 + - Removal of addresses from /proc/<pid>/[smaps|maps|stat]
43341 + - Kernel stack randomization
43342 + - Mount/unmount/remount logging
43343 + - Kernel symbol hiding
43344 + - Prevention of memory exhaustion-based exploits
43345 + - Hardening of module auto-loading
43346 + - Ptrace restrictions
43347 + - Restricted vm86 mode
43349 +config GRKERNSEC_CUSTOM
43352 + If you say Y here, you will be able to configure every grsecurity
43353 + option, which allows you to enable many more features that aren't
43354 + covered in the basic security levels. These additional features
43355 + include TPE, socket restrictions, and the sysctl system for
43356 + grsecurity. It is advised that you read through the help for
43357 + each option to determine its usefulness in your situation.
43361 +menu "Address Space Protection"
43362 +depends on GRKERNSEC
43364 +config GRKERNSEC_KMEM
43365 + bool "Deny writing to /dev/kmem, /dev/mem, and /dev/port"
43367 + If you say Y here, /dev/kmem and /dev/mem won't be allowed to
43368 + be written to via mmap or otherwise to modify the running kernel.
43369 + /dev/port will also not be allowed to be opened. If you have module
43370 + support disabled, enabling this will close up four ways that are
43371 + currently used to insert malicious code into the running kernel.
43372 + Even with all these features enabled, we still highly recommend that
43373 + you use the RBAC system, as it is still possible for an attacker to
43374 + modify the running kernel through privileged I/O granted by ioperm/iopl.
43375 + If you are not using XFree86, you may be able to stop this additional
43376 + case by enabling the 'Disable privileged I/O' option. Though nothing
43377 + legitimately writes to /dev/kmem, XFree86 does need to write to /dev/mem,
43378 + but only to video memory, which is the only writing we allow in this
43379 + case. If /dev/kmem or /dev/mem are mmaped without PROT_WRITE, they will
43380 + not be allowed to mprotect it with PROT_WRITE later.
43381 + It is highly recommended that you say Y here if you meet all the
43382 + conditions above.
43384 +config GRKERNSEC_VM86
43385 + bool "Restrict VM86 mode"
43386 + depends on X86_32
43389 + If you say Y here, only processes with CAP_SYS_RAWIO will be able to
43390 + make use of a special execution mode on 32bit x86 processors called
43391 + Virtual 8086 (VM86) mode. XFree86 may need vm86 mode for certain
43392 + video cards and will still work with this option enabled. The purpose
43393 + of the option is to prevent exploitation of emulation errors in
43394 + virtualization of vm86 mode like the one discovered in VMWare in 2009.
43395 + Nearly all users should be able to enable this option.
43397 +config GRKERNSEC_IO
43398 + bool "Disable privileged I/O"
43401 + select RTC_INTF_DEV
43402 + select RTC_DRV_CMOS
43405 + If you say Y here, all ioperm and iopl calls will return an error.
43406 + Ioperm and iopl can be used to modify the running kernel.
43407 + Unfortunately, some programs need this access to operate properly,
43408 + the most notable of which are XFree86 and hwclock. hwclock can be
43409 + remedied by having RTC support in the kernel, so real-time
43410 + clock support is enabled if this option is enabled, to ensure
43411 + that hwclock operates correctly. XFree86 still will not
43412 + operate correctly with this option enabled, so DO NOT CHOOSE Y
43413 + IF YOU USE XFree86. If you use XFree86 and you still want to
43414 + protect your kernel against modification, use the RBAC system.
43416 +config GRKERNSEC_PROC_MEMMAP
43417 + bool "Remove addresses from /proc/<pid>/[smaps|maps|stat]"
43418 + default y if (PAX_NOEXEC || PAX_ASLR)
43419 + depends on PAX_NOEXEC || PAX_ASLR
43421 + If you say Y here, the /proc/<pid>/maps and /proc/<pid>/stat files will
43422 + give no information about the addresses of its mappings if
43423 + PaX features that rely on random addresses are enabled on the task.
43424 + If you use PaX it is greatly recommended that you say Y here as it
43425 + closes up a hole that makes the full ASLR useless for suid
43428 +config GRKERNSEC_BRUTE
43429 + bool "Deter exploit bruteforcing"
43431 + If you say Y here, attempts to bruteforce exploits against forking
43432 + daemons such as apache or sshd will be deterred. When a child of a
43433 + forking daemon is killed by PaX or crashes due to an illegal
43434 + instruction, the parent process will be delayed 30 seconds upon every
43435 + subsequent fork until the administrator is able to assess the
43436 + situation and restart the daemon. It is recommended that you also
43437 + enable signal logging in the auditing section so that logs are
43438 + generated when a process performs an illegal instruction.
43440 +config GRKERNSEC_MODHARDEN
43441 + bool "Harden module auto-loading"
43442 + depends on MODULES
43444 + If you say Y here, module auto-loading in response to use of some
43445 + feature implemented by an unloaded module will be restricted to
43446 + root users. Enabling this option helps defend against attacks
43447 + by unprivileged users who abuse the auto-loading behavior to
43448 + cause a vulnerable module to load that is then exploited.
43450 + If this option prevents a legitimate use of auto-loading for a
43451 + non-root user, the administrator can execute modprobe manually
43452 + with the exact name of the module mentioned in the alert log.
43453 + Alternatively, the administrator can add the module to the list
43454 + of modules loaded at boot by modifying init scripts.
43456 + Modification of init scripts will most likely be needed on
43457 + Ubuntu servers with encrypted home directory support enabled,
43458 + as the first non-root user logging in will cause the ecb(aes),
43459 + ecb(aes)-all, cbc(aes), and cbc(aes)-all modules to be loaded.
43461 +config GRKERNSEC_HIDESYM
43462 + bool "Hide kernel symbols"
43464 + If you say Y here, getting information on loaded modules, and
43465 + displaying all kernel symbols through a syscall will be restricted
43466 + to users with CAP_SYS_MODULE. For software compatibility reasons,
43467 + /proc/kallsyms will be restricted to the root user. The RBAC
43468 + system can hide that entry even from root.
43470 + This option also prevents leaking of kernel addresses through
43471 + several /proc entries.
43473 + Note that this option is only effective provided the following
43474 + conditions are met:
43475 + 1) The kernel using grsecurity is not precompiled by some distribution
43476 + 2) You have also enabled GRKERNSEC_DMESG
43477 + 3) You are using the RBAC system and hiding other files such as your
43478 + kernel image and System.map. Alternatively, enabling this option
43479 + causes the permissions on /boot, /lib/modules, and the kernel
43480 + source directory to change at compile time to prevent
43481 + reading by non-root users.
43482 + If the above conditions are met, this option will aid in providing a
43483 + useful protection against local kernel exploitation of overflows
43484 + and arbitrary read/write vulnerabilities.
43487 +menu "Role Based Access Control Options"
43488 +depends on GRKERNSEC
43490 +config GRKERNSEC_NO_RBAC
43491 + bool "Disable RBAC system"
43493 + If you say Y here, the /dev/grsec device will be removed from the kernel,
43494 + preventing the RBAC system from being enabled. You should only say Y
43495 + here if you have no intention of using the RBAC system, so as to prevent
43496 + an attacker with root access from misusing the RBAC system to hide files
43497 + and processes when loadable module support and /dev/[k]mem have been
43500 +config GRKERNSEC_ACL_HIDEKERN
43501 + bool "Hide kernel processes"
43503 + If you say Y here, all kernel threads will be hidden to all
43504 + processes but those whose subject has the "view hidden processes"
43507 +config GRKERNSEC_ACL_MAXTRIES
43508 + int "Maximum tries before password lockout"
43511 + This option enforces the maximum number of times a user can attempt
43512 + to authorize themselves with the grsecurity RBAC system before being
43513 + denied the ability to attempt authorization again for a specified time.
43514 + The lower the number, the harder it will be to brute-force a password.
43516 +config GRKERNSEC_ACL_TIMEOUT
43517 + int "Time to wait after max password tries, in seconds"
43520 + This option specifies the time the user must wait after attempting to
43521 + authorize to the RBAC system with the maximum number of invalid
43522 + passwords. The higher the number, the harder it will be to brute-force
43526 +menu "Filesystem Protections"
43527 +depends on GRKERNSEC
43529 +config GRKERNSEC_PROC
43530 + bool "Proc restrictions"
43532 + If you say Y here, the permissions of the /proc filesystem
43533 + will be altered to enhance system security and privacy. You MUST
43534 + choose either a user only restriction or a user and group restriction.
43535 + Depending upon the option you choose, you can either restrict users to
43536 + see only the processes they themselves run, or choose a group that can
43537 + view all processes and files normally restricted to root if you choose
43538 + the "restrict to user only" option. NOTE: If you're running identd as
43539 + a non-root user, you will have to run it as the group you specify here.
43541 +config GRKERNSEC_PROC_USER
43542 + bool "Restrict /proc to user only"
43543 + depends on GRKERNSEC_PROC
43545 + If you say Y here, non-root users will only be able to view their own
43546 + processes, and restricts them from viewing network-related information,
43547 + and viewing kernel symbol and module information.
43549 +config GRKERNSEC_PROC_USERGROUP
43550 + bool "Allow special group"
43551 + depends on GRKERNSEC_PROC && !GRKERNSEC_PROC_USER
43553 + If you say Y here, you will be able to select a group that will be
43554 + able to view all processes, network-related information, and
43555 + kernel and symbol information. This option is useful if you want
43556 + to run identd as a non-root user.
43558 +config GRKERNSEC_PROC_GID
43559 + int "GID for special group"
43560 + depends on GRKERNSEC_PROC_USERGROUP
43563 +config GRKERNSEC_PROC_ADD
43564 + bool "Additional restrictions"
43565 + depends on GRKERNSEC_PROC_USER || GRKERNSEC_PROC_USERGROUP
43567 + If you say Y here, additional restrictions will be placed on
43568 + /proc that keep normal users from viewing device information and
43569 + slabinfo information that could be useful for exploits.
43571 +config GRKERNSEC_LINK
43572 + bool "Linking restrictions"
43574 + If you say Y here, /tmp race exploits will be prevented, since users
43575 + will no longer be able to follow symlinks owned by other users in
43576 + world-writable +t directories (i.e. /tmp), unless the owner of the
43577 + symlink is the owner of the directory. users will also not be
43578 + able to hardlink to files they do not own. If the sysctl option is
43579 + enabled, a sysctl option with name "linking_restrictions" is created.
43581 +config GRKERNSEC_FIFO
43582 + bool "FIFO restrictions"
43584 + If you say Y here, users will not be able to write to FIFOs they don't
43585 + own in world-writable +t directories (i.e. /tmp), unless the owner of
43586 + the FIFO is the same owner of the directory it's held in. If the sysctl
43587 + option is enabled, a sysctl option with name "fifo_restrictions" is
43590 +config GRKERNSEC_ROFS
43591 + bool "Runtime read-only mount protection"
43593 + If you say Y here, a sysctl option with name "romount_protect" will
43594 + be created. By setting this option to 1 at runtime, filesystems
43595 + will be protected in the following ways:
43596 + * No new writable mounts will be allowed
43597 + * Existing read-only mounts won't be able to be remounted read/write
43598 + * Write operations will be denied on all block devices
43599 + This option acts independently of grsec_lock: once it is set to 1,
43600 + it cannot be turned off. Therefore, please be mindful of the resulting
43601 + behavior if this option is enabled in an init script on a read-only
43602 + filesystem. This feature is mainly intended for secure embedded systems.
43604 +config GRKERNSEC_CHROOT
43605 + bool "Chroot jail restrictions"
43607 + If you say Y here, you will be able to choose several options that will
43608 + make breaking out of a chrooted jail much more difficult. If you
43609 + encounter no software incompatibilities with the following options, it
43610 + is recommended that you enable each one.
43612 +config GRKERNSEC_CHROOT_MOUNT
43613 + bool "Deny mounts"
43614 + depends on GRKERNSEC_CHROOT
43616 + If you say Y here, processes inside a chroot will not be able to
43617 + mount or remount filesystems. If the sysctl option is enabled, a
43618 + sysctl option with name "chroot_deny_mount" is created.
43620 +config GRKERNSEC_CHROOT_DOUBLE
43621 + bool "Deny double-chroots"
43622 + depends on GRKERNSEC_CHROOT
43624 + If you say Y here, processes inside a chroot will not be able to chroot
43625 + again outside the chroot. This is a widely used method of breaking
43626 + out of a chroot jail and should not be allowed. If the sysctl
43627 + option is enabled, a sysctl option with name
43628 + "chroot_deny_chroot" is created.
43630 +config GRKERNSEC_CHROOT_PIVOT
43631 + bool "Deny pivot_root in chroot"
43632 + depends on GRKERNSEC_CHROOT
43634 + If you say Y here, processes inside a chroot will not be able to use
43635 + a function called pivot_root() that was introduced in Linux 2.3.41. It
43636 + works similar to chroot in that it changes the root filesystem. This
43637 + function could be misused in a chrooted process to attempt to break out
43638 + of the chroot, and therefore should not be allowed. If the sysctl
43639 + option is enabled, a sysctl option with name "chroot_deny_pivot" is
43642 +config GRKERNSEC_CHROOT_CHDIR
43643 + bool "Enforce chdir(\"/\") on all chroots"
43644 + depends on GRKERNSEC_CHROOT
43646 + If you say Y here, the current working directory of all newly-chrooted
43647 + applications will be set to the the root directory of the chroot.
43648 + The man page on chroot(2) states:
43649 + Note that this call does not change the current working
43650 + directory, so that `.' can be outside the tree rooted at
43651 + `/'. In particular, the super-user can escape from a
43652 + `chroot jail' by doing `mkdir foo; chroot foo; cd ..'.
43654 + It is recommended that you say Y here, since it's not known to break
43655 + any software. If the sysctl option is enabled, a sysctl option with
43656 + name "chroot_enforce_chdir" is created.
43658 +config GRKERNSEC_CHROOT_CHMOD
43659 + bool "Deny (f)chmod +s"
43660 + depends on GRKERNSEC_CHROOT
43662 + If you say Y here, processes inside a chroot will not be able to chmod
43663 + or fchmod files to make them have suid or sgid bits. This protects
43664 + against another published method of breaking a chroot. If the sysctl
43665 + option is enabled, a sysctl option with name "chroot_deny_chmod" is
43668 +config GRKERNSEC_CHROOT_FCHDIR
43669 + bool "Deny fchdir out of chroot"
43670 + depends on GRKERNSEC_CHROOT
43672 + If you say Y here, a well-known method of breaking chroots by fchdir'ing
43673 + to a file descriptor of the chrooting process that points to a directory
43674 + outside the filesystem will be stopped. If the sysctl option
43675 + is enabled, a sysctl option with name "chroot_deny_fchdir" is created.
43677 +config GRKERNSEC_CHROOT_MKNOD
43678 + bool "Deny mknod"
43679 + depends on GRKERNSEC_CHROOT
43681 + If you say Y here, processes inside a chroot will not be allowed to
43682 + mknod. The problem with using mknod inside a chroot is that it
43683 + would allow an attacker to create a device entry that is the same
43684 + as one on the physical root of your system, which could range from
43685 + anything from the console device to a device for your harddrive (which
43686 + they could then use to wipe the drive or steal data). It is recommended
43687 + that you say Y here, unless you run into software incompatibilities.
43688 + If the sysctl option is enabled, a sysctl option with name
43689 + "chroot_deny_mknod" is created.
43691 +config GRKERNSEC_CHROOT_SHMAT
43692 + bool "Deny shmat() out of chroot"
43693 + depends on GRKERNSEC_CHROOT
43695 + If you say Y here, processes inside a chroot will not be able to attach
43696 + to shared memory segments that were created outside of the chroot jail.
43697 + It is recommended that you say Y here. If the sysctl option is enabled,
43698 + a sysctl option with name "chroot_deny_shmat" is created.
43700 +config GRKERNSEC_CHROOT_UNIX
43701 + bool "Deny access to abstract AF_UNIX sockets out of chroot"
43702 + depends on GRKERNSEC_CHROOT
43704 + If you say Y here, processes inside a chroot will not be able to
43705 + connect to abstract (meaning not belonging to a filesystem) Unix
43706 + domain sockets that were bound outside of a chroot. It is recommended
43707 + that you say Y here. If the sysctl option is enabled, a sysctl option
43708 + with name "chroot_deny_unix" is created.
43710 +config GRKERNSEC_CHROOT_FINDTASK
43711 + bool "Protect outside processes"
43712 + depends on GRKERNSEC_CHROOT
43714 + If you say Y here, processes inside a chroot will not be able to
43715 + kill, send signals with fcntl, ptrace, capget, getpgid, setpgid,
43716 + getsid, or view any process outside of the chroot. If the sysctl
43717 + option is enabled, a sysctl option with name "chroot_findtask" is
43720 +config GRKERNSEC_CHROOT_NICE
43721 + bool "Restrict priority changes"
43722 + depends on GRKERNSEC_CHROOT
43724 + If you say Y here, processes inside a chroot will not be able to raise
43725 + the priority of processes in the chroot, or alter the priority of
43726 + processes outside the chroot. This provides more security than simply
43727 + removing CAP_SYS_NICE from the process' capability set. If the
43728 + sysctl option is enabled, a sysctl option with name "chroot_restrict_nice"
43731 +config GRKERNSEC_CHROOT_SYSCTL
43732 + bool "Deny sysctl writes"
43733 + depends on GRKERNSEC_CHROOT
43735 + If you say Y here, an attacker in a chroot will not be able to
43736 + write to sysctl entries, either by sysctl(2) or through a /proc
43737 + interface. It is strongly recommended that you say Y here. If the
43738 + sysctl option is enabled, a sysctl option with name
43739 + "chroot_deny_sysctl" is created.
43741 +config GRKERNSEC_CHROOT_CAPS
43742 + bool "Capability restrictions"
43743 + depends on GRKERNSEC_CHROOT
43745 + If you say Y here, the capabilities on all root processes within a
43746 + chroot jail will be lowered to stop module insertion, raw i/o,
43747 + system and net admin tasks, rebooting the system, modifying immutable
43748 + files, modifying IPC owned by another, and changing the system time.
43749 + This is left an option because it can break some apps. Disable this
43750 + if your chrooted apps are having problems performing those kinds of
43751 + tasks. If the sysctl option is enabled, a sysctl option with
43752 + name "chroot_caps" is created.
43755 +menu "Kernel Auditing"
43756 +depends on GRKERNSEC
43758 +config GRKERNSEC_AUDIT_GROUP
43759 + bool "Single group for auditing"
43761 + If you say Y here, the exec, chdir, and (un)mount logging features
43762 + will only operate on a group you specify. This option is recommended
43763 + if you only want to watch certain users instead of having a large
43764 + amount of logs from the entire system. If the sysctl option is enabled,
43765 + a sysctl option with name "audit_group" is created.
43767 +config GRKERNSEC_AUDIT_GID
43768 + int "GID for auditing"
43769 + depends on GRKERNSEC_AUDIT_GROUP
43772 +config GRKERNSEC_EXECLOG
43773 + bool "Exec logging"
43775 + If you say Y here, all execve() calls will be logged (since the
43776 + other exec*() calls are frontends to execve(), all execution
43777 + will be logged). Useful for shell-servers that like to keep track
43778 + of their users. If the sysctl option is enabled, a sysctl option with
43779 + name "exec_logging" is created.
43780 + WARNING: This option when enabled will produce a LOT of logs, especially
43781 + on an active system.
43783 +config GRKERNSEC_RESLOG
43784 + bool "Resource logging"
43786 + If you say Y here, all attempts to overstep resource limits will
43787 + be logged with the resource name, the requested size, and the current
43788 + limit. It is highly recommended that you say Y here. If the sysctl
43789 + option is enabled, a sysctl option with name "resource_logging" is
43790 + created. If the RBAC system is enabled, the sysctl value is ignored.
43792 +config GRKERNSEC_CHROOT_EXECLOG
43793 + bool "Log execs within chroot"
43795 + If you say Y here, all executions inside a chroot jail will be logged
43796 + to syslog. This can cause a large amount of logs if certain
43797 + applications (eg. djb's daemontools) are installed on the system, and
43798 + is therefore left as an option. If the sysctl option is enabled, a
43799 + sysctl option with name "chroot_execlog" is created.
43801 +config GRKERNSEC_AUDIT_PTRACE
43802 + bool "Ptrace logging"
43804 + If you say Y here, all attempts to attach to a process via ptrace
43805 + will be logged. If the sysctl option is enabled, a sysctl option
43806 + with name "audit_ptrace" is created.
43808 +config GRKERNSEC_AUDIT_CHDIR
43809 + bool "Chdir logging"
43811 + If you say Y here, all chdir() calls will be logged. If the sysctl
43812 + option is enabled, a sysctl option with name "audit_chdir" is created.
43814 +config GRKERNSEC_AUDIT_MOUNT
43815 + bool "(Un)Mount logging"
43817 + If you say Y here, all mounts and unmounts will be logged. If the
43818 + sysctl option is enabled, a sysctl option with name "audit_mount" is
43821 +config GRKERNSEC_SIGNAL
43822 + bool "Signal logging"
43824 + If you say Y here, certain important signals will be logged, such as
43825 + SIGSEGV, which will as a result inform you of when a error in a program
43826 + occurred, which in some cases could mean a possible exploit attempt.
43827 + If the sysctl option is enabled, a sysctl option with name
43828 + "signal_logging" is created.
43830 +config GRKERNSEC_FORKFAIL
43831 + bool "Fork failure logging"
43833 + If you say Y here, all failed fork() attempts will be logged.
43834 + This could suggest a fork bomb, or someone attempting to overstep
43835 + their process limit. If the sysctl option is enabled, a sysctl option
43836 + with name "forkfail_logging" is created.
43838 +config GRKERNSEC_TIME
43839 + bool "Time change logging"
43841 + If you say Y here, any changes of the system clock will be logged.
43842 + If the sysctl option is enabled, a sysctl option with name
43843 + "timechange_logging" is created.
43845 +config GRKERNSEC_PROC_IPADDR
43846 + bool "/proc/<pid>/ipaddr support"
43848 + If you say Y here, a new entry will be added to each /proc/<pid>
43849 + directory that contains the IP address of the person using the task.
43850 + The IP is carried across local TCP and AF_UNIX stream sockets.
43851 + This information can be useful for IDS/IPSes to perform remote response
43852 + to a local attack. The entry is readable by only the owner of the
43853 + process (and root if he has CAP_DAC_OVERRIDE, which can be removed via
43854 + the RBAC system), and thus does not create privacy concerns.
43856 +config GRKERNSEC_RWXMAP_LOG
43857 + bool 'Denied RWX mmap/mprotect logging'
43858 + depends on PAX_MPROTECT && !PAX_EMUPLT && !PAX_EMUSIGRT
43860 + If you say Y here, calls to mmap() and mprotect() with explicit
43861 + usage of PROT_WRITE and PROT_EXEC together will be logged when
43862 + denied by the PAX_MPROTECT feature. If the sysctl option is
43863 + enabled, a sysctl option with name "rwxmap_logging" is created.
43865 +config GRKERNSEC_AUDIT_TEXTREL
43866 + bool 'ELF text relocations logging (READ HELP)'
43867 + depends on PAX_MPROTECT
43869 + If you say Y here, text relocations will be logged with the filename
43870 + of the offending library or binary. The purpose of the feature is
43871 + to help Linux distribution developers get rid of libraries and
43872 + binaries that need text relocations which hinder the future progress
43873 + of PaX. Only Linux distribution developers should say Y here, and
43874 + never on a production machine, as this option creates an information
43875 + leak that could aid an attacker in defeating the randomization of
43876 + a single memory region. If the sysctl option is enabled, a sysctl
43877 + option with name "audit_textrel" is created.
43881 +menu "Executable Protections"
43882 +depends on GRKERNSEC
43884 +config GRKERNSEC_EXECVE
43885 + bool "Enforce RLIMIT_NPROC on execs"
43887 + If you say Y here, users with a resource limit on processes will
43888 + have the value checked during execve() calls. The current system
43889 + only checks the system limit during fork() calls. If the sysctl option
43890 + is enabled, a sysctl option with name "execve_limiting" is created.
43892 +config GRKERNSEC_DMESG
43893 + bool "Dmesg(8) restriction"
43895 + If you say Y here, non-root users will not be able to use dmesg(8)
43896 + to view up to the last 4kb of messages in the kernel's log buffer.
43897 + The kernel's log buffer often contains kernel addresses and other
43898 + identifying information useful to an attacker in fingerprinting a
43899 + system for a targeted exploit.
43900 + If the sysctl option is enabled, a sysctl option with name "dmesg" is
43903 +config GRKERNSEC_HARDEN_PTRACE
43904 + bool "Deter ptrace-based process snooping"
43906 + If you say Y here, TTY sniffers and other malicious monitoring
43907 + programs implemented through ptrace will be defeated. If you
43908 + have been using the RBAC system, this option has already been
43909 + enabled for several years for all users, with the ability to make
43910 + fine-grained exceptions.
43912 + This option only affects the ability of non-root users to ptrace
43913 + processes that are not a descendent of the ptracing process.
43914 + This means that strace ./binary and gdb ./binary will still work,
43915 + but attaching to arbitrary processes will not. If the sysctl
43916 + option is enabled, a sysctl option with name "harden_ptrace" is
43919 +config GRKERNSEC_TPE
43920 + bool "Trusted Path Execution (TPE)"
43922 + If you say Y here, you will be able to choose a gid to add to the
43923 + supplementary groups of users you want to mark as "untrusted."
43924 + These users will not be able to execute any files that are not in
43925 + root-owned directories writable only by root. If the sysctl option
43926 + is enabled, a sysctl option with name "tpe" is created.
43928 +config GRKERNSEC_TPE_ALL
43929 + bool "Partially restrict all non-root users"
43930 + depends on GRKERNSEC_TPE
43932 + If you say Y here, all non-root users will be covered under
43933 + a weaker TPE restriction. This is separate from, and in addition to,
43934 + the main TPE options that you have selected elsewhere. Thus, if a
43935 + "trusted" GID is chosen, this restriction applies to even that GID.
43936 + Under this restriction, all non-root users will only be allowed to
43937 + execute files in directories they own that are not group or
43938 + world-writable, or in directories owned by root and writable only by
43939 + root. If the sysctl option is enabled, a sysctl option with name
43940 + "tpe_restrict_all" is created.
43942 +config GRKERNSEC_TPE_INVERT
43943 + bool "Invert GID option"
43944 + depends on GRKERNSEC_TPE
43946 + If you say Y here, the group you specify in the TPE configuration will
43947 + decide what group TPE restrictions will be *disabled* for. This
43948 + option is useful if you want TPE restrictions to be applied to most
43949 + users on the system. If the sysctl option is enabled, a sysctl option
43950 + with name "tpe_invert" is created. Unlike other sysctl options, this
43951 + entry will default to on for backward-compatibility.
43953 +config GRKERNSEC_TPE_GID
43954 + int "GID for untrusted users"
43955 + depends on GRKERNSEC_TPE && !GRKERNSEC_TPE_INVERT
43958 + Setting this GID determines what group TPE restrictions will be
43959 + *enabled* for. If the sysctl option is enabled, a sysctl option
43960 + with name "tpe_gid" is created.
43962 +config GRKERNSEC_TPE_GID
43963 + int "GID for trusted users"
43964 + depends on GRKERNSEC_TPE && GRKERNSEC_TPE_INVERT
43967 + Setting this GID determines what group TPE restrictions will be
43968 + *disabled* for. If the sysctl option is enabled, a sysctl option
43969 + with name "tpe_gid" is created.
43972 +menu "Network Protections"
43973 +depends on GRKERNSEC
43975 +config GRKERNSEC_RANDNET
43976 + bool "Larger entropy pools"
43978 + If you say Y here, the entropy pools used for many features of Linux
43979 + and grsecurity will be doubled in size. Since several grsecurity
43980 + features use additional randomness, it is recommended that you say Y
43981 + here. Saying Y here has a similar effect as modifying
43982 + /proc/sys/kernel/random/poolsize.
43984 +config GRKERNSEC_BLACKHOLE
43985 + bool "TCP/UDP blackhole and LAST_ACK DoS prevention"
43987 + If you say Y here, neither TCP resets nor ICMP
43988 + destination-unreachable packets will be sent in response to packets
43989 + sent to ports for which no associated listening process exists.
43990 + This feature supports both IPV4 and IPV6 and exempts the
43991 + loopback interface from blackholing. Enabling this feature
43992 + makes a host more resilient to DoS attacks and reduces network
43993 + visibility against scanners.
43995 + The blackhole feature as-implemented is equivalent to the FreeBSD
43996 + blackhole feature, as it prevents RST responses to all packets, not
43997 + just SYNs. Under most application behavior this causes no
43998 + problems, but applications (like haproxy) may not close certain
43999 + connections in a way that cleanly terminates them on the remote
44000 + end, leaving the remote host in LAST_ACK state. Because of this
44001 + side-effect and to prevent intentional LAST_ACK DoSes, this
44002 + feature also adds automatic mitigation against such attacks.
44003 + The mitigation drastically reduces the amount of time a socket
44004 + can spend in LAST_ACK state. If you're using haproxy and not
44005 + all servers it connects to have this option enabled, consider
44006 + disabling this feature on the haproxy host.
44008 + If the sysctl option is enabled, two sysctl options with names
44009 + "ip_blackhole" and "lastack_retries" will be created.
44010 + While "ip_blackhole" takes the standard zero/non-zero on/off
44011 + toggle, "lastack_retries" uses the same kinds of values as
44012 + "tcp_retries1" and "tcp_retries2". The default value of 4
44013 + prevents a socket from lasting more than 45 seconds in LAST_ACK
44016 +config GRKERNSEC_SOCKET
44017 + bool "Socket restrictions"
44019 + If you say Y here, you will be able to choose from several options.
44020 + If you assign a GID on your system and add it to the supplementary
44021 + groups of users you want to restrict socket access to, this patch
44022 + will perform up to three things, based on the option(s) you choose.
44024 +config GRKERNSEC_SOCKET_ALL
44025 + bool "Deny any sockets to group"
44026 + depends on GRKERNSEC_SOCKET
44028 + If you say Y here, you will be able to choose a GID of whose users will
44029 + be unable to connect to other hosts from your machine or run server
44030 + applications from your machine. If the sysctl option is enabled, a
44031 + sysctl option with name "socket_all" is created.
44033 +config GRKERNSEC_SOCKET_ALL_GID
44034 + int "GID to deny all sockets for"
44035 + depends on GRKERNSEC_SOCKET_ALL
44038 + Here you can choose the GID to disable socket access for. Remember to
44039 + add the users you want socket access disabled for to the GID
44040 + specified here. If the sysctl option is enabled, a sysctl option
44041 + with name "socket_all_gid" is created.
44043 +config GRKERNSEC_SOCKET_CLIENT
44044 + bool "Deny client sockets to group"
44045 + depends on GRKERNSEC_SOCKET
44047 + If you say Y here, you will be able to choose a GID of whose users will
44048 + be unable to connect to other hosts from your machine, but will be
44049 + able to run servers. If this option is enabled, all users in the group
44050 + you specify will have to use passive mode when initiating ftp transfers
44051 + from the shell on your machine. If the sysctl option is enabled, a
44052 + sysctl option with name "socket_client" is created.
44054 +config GRKERNSEC_SOCKET_CLIENT_GID
44055 + int "GID to deny client sockets for"
44056 + depends on GRKERNSEC_SOCKET_CLIENT
44059 + Here you can choose the GID to disable client socket access for.
44060 + Remember to add the users you want client socket access disabled for to
44061 + the GID specified here. If the sysctl option is enabled, a sysctl
44062 + option with name "socket_client_gid" is created.
44064 +config GRKERNSEC_SOCKET_SERVER
44065 + bool "Deny server sockets to group"
44066 + depends on GRKERNSEC_SOCKET
44068 + If you say Y here, you will be able to choose a GID of whose users will
44069 + be unable to run server applications from your machine. If the sysctl
44070 + option is enabled, a sysctl option with name "socket_server" is created.
44072 +config GRKERNSEC_SOCKET_SERVER_GID
44073 + int "GID to deny server sockets for"
44074 + depends on GRKERNSEC_SOCKET_SERVER
44077 + Here you can choose the GID to disable server socket access for.
44078 + Remember to add the users you want server socket access disabled for to
44079 + the GID specified here. If the sysctl option is enabled, a sysctl
44080 + option with name "socket_server_gid" is created.
44083 +menu "Sysctl support"
44084 +depends on GRKERNSEC && SYSCTL
44086 +config GRKERNSEC_SYSCTL
44087 + bool "Sysctl support"
44089 + If you say Y here, you will be able to change the options that
44090 + grsecurity runs with at bootup, without having to recompile your
44091 + kernel. You can echo values to files in /proc/sys/kernel/grsecurity
44092 + to enable (1) or disable (0) various features. All the sysctl entries
44093 + are mutable until the "grsec_lock" entry is set to a non-zero value.
44094 + All features enabled in the kernel configuration are disabled at boot
44095 + if you do not say Y to the "Turn on features by default" option.
44096 + All options should be set at startup, and the grsec_lock entry should
44097 + be set to a non-zero value after all the options are set.
44098 + *THIS IS EXTREMELY IMPORTANT*
44100 +config GRKERNSEC_SYSCTL_DISTRO
44101 + bool "Extra sysctl support for distro makers (READ HELP)"
44102 + depends on GRKERNSEC_SYSCTL && GRKERNSEC_IO
44104 + If you say Y here, additional sysctl options will be created
44105 + for features that affect processes running as root. Therefore,
44106 + it is critical when using this option that the grsec_lock entry be
44107 + enabled after boot. Only distros with prebuilt kernel packages
44108 + with this option enabled that can ensure grsec_lock is enabled
44109 + after boot should use this option.
44110 + *Failure to set grsec_lock after boot makes all grsec features
44111 + this option covers useless*
44113 + Currently this option creates the following sysctl entries:
44114 + "Disable Privileged I/O": "disable_priv_io"
44116 +config GRKERNSEC_SYSCTL_ON
44117 + bool "Turn on features by default"
44118 + depends on GRKERNSEC_SYSCTL
44120 + If you say Y here, instead of having all features enabled in the
44121 + kernel configuration disabled at boot time, the features will be
44122 + enabled at boot time. It is recommended you say Y here unless
44123 + there is some reason you would want all sysctl-tunable features to
44124 + be disabled by default. As mentioned elsewhere, it is important
44125 + to enable the grsec_lock entry once you have finished modifying
44126 + the sysctl entries.
44129 +menu "Logging Options"
44130 +depends on GRKERNSEC
44132 +config GRKERNSEC_FLOODTIME
44133 + int "Seconds in between log messages (minimum)"
44136 + This option allows you to enforce the number of seconds between
44137 + grsecurity log messages. The default should be suitable for most
44138 + people, however, if you choose to change it, choose a value small enough
44139 + to allow informative logs to be produced, but large enough to
44140 + prevent flooding.
44142 +config GRKERNSEC_FLOODBURST
44143 + int "Number of messages in a burst (maximum)"
44146 + This option allows you to choose the maximum number of messages allowed
44147 + within the flood time interval you chose in a separate option. The
44148 + default should be suitable for most people, however if you find that
44149 + many of your logs are being interpreted as flooding, you may want to
44150 + raise this value.
44155 diff -urNp linux-2.6.36.1/grsecurity/Makefile linux-2.6.36.1/grsecurity/Makefile
44156 --- linux-2.6.36.1/grsecurity/Makefile 1969-12-31 19:00:00.000000000 -0500
44157 +++ linux-2.6.36.1/grsecurity/Makefile 2010-11-06 18:58:50.000000000 -0400
44159 +# grsecurity's ACL system was originally written in 2001 by Michael Dalton
44160 +# during 2001-2009 it has been completely redesigned by Brad Spengler
44161 +# into an RBAC system
44163 +# All code in this directory and various hooks inserted throughout the kernel
44164 +# are copyright Brad Spengler - Open Source Security, Inc., and released
44165 +# under the GPL v2 or higher
44167 +obj-y = grsec_chdir.o grsec_chroot.o grsec_exec.o grsec_fifo.o grsec_fork.o \
44168 + grsec_mount.o grsec_sig.o grsec_sock.o grsec_sysctl.o \
44169 + grsec_time.o grsec_tpe.o grsec_link.o grsec_pax.o grsec_ptrace.o
44171 +obj-$(CONFIG_GRKERNSEC) += grsec_init.o grsum.o gracl.o gracl_ip.o gracl_segv.o \
44172 + gracl_cap.o gracl_alloc.o gracl_shm.o grsec_mem.o gracl_fs.o \
44173 + gracl_learn.o grsec_log.o
44174 +obj-$(CONFIG_GRKERNSEC_RESLOG) += gracl_res.o
44176 +ifndef CONFIG_GRKERNSEC
44177 +obj-y += grsec_disabled.o
44180 +ifdef CONFIG_GRKERNSEC_HIDESYM
44181 +extra-y := grsec_hidesym.o
44182 +$(obj)/grsec_hidesym.o:
44183 + @-chmod -f 500 /boot
44184 + @-chmod -f 500 /lib/modules
44186 + @echo ' grsec: protected kernel image paths'
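Review bot: The `$(obj)/grsec_hidesym.o` recipe runs `chmod -f 500` on the build host's `/boot` and `/lib/modules`, which are the host's directories rather than those of the kernel being built, so a cross-compile or a packaging build in a chroot/container silently tightens permissions on the wrong system. The `@-` prefix also discards the chmod exit status, so nothing records whether the change took effect, and since the recipe never creates `grsec_hidesym.o` the target is always out of date and the chmods re-run on every build. At minimum the block should carry a comment such as `# NOTE: mutates the *build host's* /boot and /lib/modules on every build; not meaningful for cross or packaging builds`, and it is worth considering moving this into an explicit install-time step instead of the compile. The `endif` lines and one recipe line between the two chmods appear to be dropped from this rendering of the hunk.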
44188 diff -urNp linux-2.6.36.1/include/acpi/acoutput.h linux-2.6.36.1/include/acpi/acoutput.h
44189 --- linux-2.6.36.1/include/acpi/acoutput.h 2010-10-20 16:30:22.000000000 -0400
44190 +++ linux-2.6.36.1/include/acpi/acoutput.h 2010-11-06 18:58:15.000000000 -0400
44191 @@ -269,8 +269,8 @@
44192 * leaving no executable debug code!
44194 #define ACPI_FUNCTION_NAME(a)
44195 -#define ACPI_DEBUG_PRINT(pl)
44196 -#define ACPI_DEBUG_PRINT_RAW(pl)
44197 +#define ACPI_DEBUG_PRINT(pl) do {} while (0)
44198 +#define ACPI_DEBUG_PRINT_RAW(pl) do {} while (0)
44200 #endif /* ACPI_DEBUG_OUTPUT */
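Review bot: The two `do {} while (0)` definitions would benefit from a one-line comment recording why the bare empty expansion was replaced, since the reason is not visible from the macro itself; for example `/* expand to a full statement so "if (x) ACPI_DEBUG_PRINT(...); else ..." stays well-formed when debug output is compiled out */`. Note that `pl` is still not referenced in either expansion, so any side effects inside the argument list are dropped in non-debug builds exactly as before; that behaviour is unchanged by this hunk.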
44202 diff -urNp linux-2.6.36.1/include/acpi/acpi_drivers.h linux-2.6.36.1/include/acpi/acpi_drivers.h
44203 --- linux-2.6.36.1/include/acpi/acpi_drivers.h 2010-10-20 16:30:22.000000000 -0400
44204 +++ linux-2.6.36.1/include/acpi/acpi_drivers.h 2010-11-06 18:58:15.000000000 -0400
44205 @@ -121,8 +121,8 @@ int acpi_processor_set_thermal_limit(acp
44207 -------------------------------------------------------------------------- */
44208 struct acpi_dock_ops {
44209 - acpi_notify_handler handler;
44210 - acpi_notify_handler uevent;
44211 + const acpi_notify_handler handler;
44212 + const acpi_notify_handler uevent;
44215 #if defined(CONFIG_ACPI_DOCK) || defined(CONFIG_ACPI_DOCK_MODULE)
44216 @@ -130,7 +130,7 @@ extern int is_dock_device(acpi_handle ha
44217 extern int register_dock_notifier(struct notifier_block *nb);
44218 extern void unregister_dock_notifier(struct notifier_block *nb);
44219 extern int register_hotplug_dock_device(acpi_handle handle,
44220 - struct acpi_dock_ops *ops,
44221 + const struct acpi_dock_ops *ops,
44223 extern void unregister_hotplug_dock_device(acpi_handle handle);
44225 @@ -146,7 +146,7 @@ static inline void unregister_dock_notif
44228 static inline int register_hotplug_dock_device(acpi_handle handle,
44229 - struct acpi_dock_ops *ops,
44230 + const struct acpi_dock_ops *ops,
44234 diff -urNp linux-2.6.36.1/include/asm-generic/atomic-long.h linux-2.6.36.1/include/asm-generic/atomic-long.h
44235 --- linux-2.6.36.1/include/asm-generic/atomic-long.h 2010-10-20 16:30:22.000000000 -0400
44236 +++ linux-2.6.36.1/include/asm-generic/atomic-long.h 2010-11-06 18:58:15.000000000 -0400
44239 typedef atomic64_t atomic_long_t;
44241 +#ifdef CONFIG_PAX_REFCOUNT
44242 +typedef atomic64_unchecked_t atomic_long_unchecked_t;
44244 +typedef atomic64_t atomic_long_unchecked_t;
44247 #define ATOMIC_LONG_INIT(i) ATOMIC64_INIT(i)
44249 static inline long atomic_long_read(atomic_long_t *l)
44250 @@ -31,6 +37,15 @@ static inline long atomic_long_read(atom
44251 return (long)atomic64_read(v);
44254 +#ifdef CONFIG_PAX_REFCOUNT
44255 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44257 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44259 + return (long)atomic64_read_unchecked(v);
44263 static inline void atomic_long_set(atomic_long_t *l, long i)
44265 atomic64_t *v = (atomic64_t *)l;
44266 @@ -38,6 +53,15 @@ static inline void atomic_long_set(atomi
44267 atomic64_set(v, i);
44270 +#ifdef CONFIG_PAX_REFCOUNT
44271 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44273 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44275 + atomic64_set_unchecked(v, i);
44279 static inline void atomic_long_inc(atomic_long_t *l)
44281 atomic64_t *v = (atomic64_t *)l;
44282 @@ -45,6 +69,15 @@ static inline void atomic_long_inc(atomi
44286 +#ifdef CONFIG_PAX_REFCOUNT
44287 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44289 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44291 + atomic64_inc_unchecked(v);
44295 static inline void atomic_long_dec(atomic_long_t *l)
44297 atomic64_t *v = (atomic64_t *)l;
44298 @@ -52,6 +85,15 @@ static inline void atomic_long_dec(atomi
44302 +#ifdef CONFIG_PAX_REFCOUNT
44303 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44305 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44307 + atomic64_dec_unchecked(v);
44311 static inline void atomic_long_add(long i, atomic_long_t *l)
44313 atomic64_t *v = (atomic64_t *)l;
44314 @@ -59,6 +101,15 @@ static inline void atomic_long_add(long
44315 atomic64_add(i, v);
44318 +#ifdef CONFIG_PAX_REFCOUNT
44319 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44321 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44323 + atomic64_add_unchecked(i, v);
44327 static inline void atomic_long_sub(long i, atomic_long_t *l)
44329 atomic64_t *v = (atomic64_t *)l;
44330 @@ -66,6 +117,15 @@ static inline void atomic_long_sub(long
44331 atomic64_sub(i, v);
44334 +#ifdef CONFIG_PAX_REFCOUNT
44335 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44337 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44339 + atomic64_sub_unchecked(i, v);
44343 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44345 atomic64_t *v = (atomic64_t *)l;
44346 @@ -115,6 +175,15 @@ static inline long atomic_long_inc_retur
44347 return (long)atomic64_inc_return(v);
44350 +#ifdef CONFIG_PAX_REFCOUNT
44351 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44353 + atomic64_unchecked_t *v = (atomic64_unchecked_t *)l;
44355 + return (long)atomic64_inc_return_unchecked(v);
44359 static inline long atomic_long_dec_return(atomic_long_t *l)
44361 atomic64_t *v = (atomic64_t *)l;
44362 @@ -140,6 +209,12 @@ static inline long atomic_long_add_unles
44364 typedef atomic_t atomic_long_t;
44366 +#ifdef CONFIG_PAX_REFCOUNT
44367 +typedef atomic_unchecked_t atomic_long_unchecked_t;
44369 +typedef atomic_t atomic_long_unchecked_t;
44372 #define ATOMIC_LONG_INIT(i) ATOMIC_INIT(i)
44373 static inline long atomic_long_read(atomic_long_t *l)
44375 @@ -148,6 +223,15 @@ static inline long atomic_long_read(atom
44376 return (long)atomic_read(v);
44379 +#ifdef CONFIG_PAX_REFCOUNT
44380 +static inline long atomic_long_read_unchecked(atomic_long_unchecked_t *l)
44382 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44384 + return (long)atomic_read_unchecked(v);
44388 static inline void atomic_long_set(atomic_long_t *l, long i)
44390 atomic_t *v = (atomic_t *)l;
44391 @@ -155,6 +239,15 @@ static inline void atomic_long_set(atomi
44395 +#ifdef CONFIG_PAX_REFCOUNT
44396 +static inline void atomic_long_set_unchecked(atomic_long_unchecked_t *l, long i)
44398 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44400 + atomic_set_unchecked(v, i);
44404 static inline void atomic_long_inc(atomic_long_t *l)
44406 atomic_t *v = (atomic_t *)l;
44407 @@ -162,6 +255,15 @@ static inline void atomic_long_inc(atomi
44411 +#ifdef CONFIG_PAX_REFCOUNT
44412 +static inline void atomic_long_inc_unchecked(atomic_long_unchecked_t *l)
44414 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44416 + atomic_inc_unchecked(v);
44420 static inline void atomic_long_dec(atomic_long_t *l)
44422 atomic_t *v = (atomic_t *)l;
44423 @@ -169,6 +271,15 @@ static inline void atomic_long_dec(atomi
44427 +#ifdef CONFIG_PAX_REFCOUNT
44428 +static inline void atomic_long_dec_unchecked(atomic_long_unchecked_t *l)
44430 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44432 + atomic_dec_unchecked(v);
44436 static inline void atomic_long_add(long i, atomic_long_t *l)
44438 atomic_t *v = (atomic_t *)l;
44439 @@ -176,6 +287,15 @@ static inline void atomic_long_add(long
44443 +#ifdef CONFIG_PAX_REFCOUNT
44444 +static inline void atomic_long_add_unchecked(long i, atomic_long_unchecked_t *l)
44446 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44448 + atomic_add_unchecked(i, v);
44452 static inline void atomic_long_sub(long i, atomic_long_t *l)
44454 atomic_t *v = (atomic_t *)l;
44455 @@ -183,6 +303,15 @@ static inline void atomic_long_sub(long
44459 +#ifdef CONFIG_PAX_REFCOUNT
44460 +static inline void atomic_long_sub_unchecked(long i, atomic_long_unchecked_t *l)
44462 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44464 + atomic_sub_unchecked(i, v);
44468 static inline int atomic_long_sub_and_test(long i, atomic_long_t *l)
44470 atomic_t *v = (atomic_t *)l;
44471 @@ -232,6 +361,15 @@ static inline long atomic_long_inc_retur
44472 return (long)atomic_inc_return(v);
44475 +#ifdef CONFIG_PAX_REFCOUNT
44476 +static inline long atomic_long_inc_return_unchecked(atomic_long_unchecked_t *l)
44478 + atomic_unchecked_t *v = (atomic_unchecked_t *)l;
44480 + return (long)atomic_inc_return_unchecked(v);
44484 static inline long atomic_long_dec_return(atomic_long_t *l)
44486 atomic_t *v = (atomic_t *)l;
44487 @@ -255,4 +393,41 @@ static inline long atomic_long_add_unles
44489 #endif /* BITS_PER_LONG == 64 */
44491 +#ifdef CONFIG_PAX_REFCOUNT
44492 +static inline void pax_refcount_needs_these_functions(void)
44494 + atomic_read_unchecked((atomic_unchecked_t *)NULL);
44495 + atomic_set_unchecked((atomic_unchecked_t *)NULL, 0);
44496 + atomic_add_unchecked(0, (atomic_unchecked_t *)NULL);
44497 + atomic_sub_unchecked(0, (atomic_unchecked_t *)NULL);
44498 + atomic_inc_unchecked((atomic_unchecked_t *)NULL);
44499 + atomic_inc_return_unchecked((atomic_unchecked_t *)NULL);
44500 + atomic_add_return_unchecked(0, (atomic_unchecked_t *)NULL);
44502 + atomic_long_read_unchecked((atomic_long_unchecked_t *)NULL);
44503 + atomic_long_set_unchecked((atomic_long_unchecked_t *)NULL, 0);
44504 + atomic_long_add_unchecked(0, (atomic_long_unchecked_t *)NULL);
44505 + atomic_long_sub_unchecked(0, (atomic_long_unchecked_t *)NULL);
44506 + atomic_long_inc_unchecked((atomic_long_unchecked_t *)NULL);
44507 + atomic_long_inc_return_unchecked((atomic_long_unchecked_t *)NULL);
44508 + atomic_long_dec_unchecked((atomic_long_unchecked_t *)NULL);
44511 +#define atomic_read_unchecked(v) atomic_read(v)
44512 +#define atomic_set_unchecked(v, i) atomic_set((v), (i))
44513 +#define atomic_add_unchecked(i, v) atomic_add((i), (v))
44514 +#define atomic_sub_unchecked(i, v) atomic_sub((i), (v))
44515 +#define atomic_inc_unchecked(v) atomic_inc(v)
44516 +#define atomic_inc_return_unchecked(v) atomic_inc_return(v)
44517 +#define atomic_add_return_unchecked(i, v) atomic_add_return((i), (v))
44519 +#define atomic_long_read_unchecked(v) atomic_long_read(v)
44520 +#define atomic_long_set_unchecked(v, i) atomic_long_set((v), (i))
44521 +#define atomic_long_add_unchecked(i, v) atomic_long_add((i), (v))
44522 +#define atomic_long_sub_unchecked(i, v) atomic_long_sub((i), (v))
44523 +#define atomic_long_inc_unchecked(v) atomic_long_inc(v)
44524 +#define atomic_long_inc_return_unchecked(v) atomic_long_inc_return(v)
44525 +#define atomic_long_dec_unchecked(v) atomic_long_dec(v)
44528 #endif /* _ASM_GENERIC_ATOMIC_LONG_H */
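Review bot: `pax_refcount_needs_these_functions()` in the last hunk is an uncommented static inline whose body calls every `_unchecked` primitive through a NULL pointer; a reader who does not know the trick will take it for dead or dangerous code, so it needs a comment stating that it is never called and exists only so that an architecture enabling CONFIG_PAX_REFCOUNT without providing the `atomic*_unchecked` primitives fails to compile here rather than at an arbitrary caller (that intent is inferred from the shape of the function, please confirm). Suggested header: `/* Never called. Referencing every *_unchecked primitive here turns a missing arch implementation into a build error at one obvious place. */`. The list and the `#else` fallback macros below it also define the unchecked API surface, and it is narrower than the checked one: `atomic_long_dec_return`, `atomic_long_sub_and_test` and `atomic_long_add_return` get no `_unchecked` counterpart in either branch even though `atomic_add_return_unchecked` is demanded from the arch, so a non-refcount `atomic_long_t` that uses those has nothing to be converted to.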
44529 diff -urNp linux-2.6.36.1/include/asm-generic/dma-mapping-common.h linux-2.6.36.1/include/asm-generic/dma-mapping-common.h
44530 --- linux-2.6.36.1/include/asm-generic/dma-mapping-common.h 2010-10-20 16:30:22.000000000 -0400
44531 +++ linux-2.6.36.1/include/asm-generic/dma-mapping-common.h 2010-11-06 18:58:15.000000000 -0400
44532 @@ -11,7 +11,7 @@ static inline dma_addr_t dma_map_single_
44533 enum dma_data_direction dir,
44534 struct dma_attrs *attrs)
44536 - struct dma_map_ops *ops = get_dma_ops(dev);
44537 + const struct dma_map_ops *ops = get_dma_ops(dev);
44540 kmemcheck_mark_initialized(ptr, size);
44541 @@ -30,7 +30,7 @@ static inline void dma_unmap_single_attr
44542 enum dma_data_direction dir,
44543 struct dma_attrs *attrs)
44545 - struct dma_map_ops *ops = get_dma_ops(dev);
44546 + const struct dma_map_ops *ops = get_dma_ops(dev);
44548 BUG_ON(!valid_dma_direction(dir));
44549 if (ops->unmap_page)
44550 @@ -42,7 +42,7 @@ static inline int dma_map_sg_attrs(struc
44551 int nents, enum dma_data_direction dir,
44552 struct dma_attrs *attrs)
44554 - struct dma_map_ops *ops = get_dma_ops(dev);
44555 + const struct dma_map_ops *ops = get_dma_ops(dev);
44557 struct scatterlist *s;
44559 @@ -59,7 +59,7 @@ static inline void dma_unmap_sg_attrs(st
44560 int nents, enum dma_data_direction dir,
44561 struct dma_attrs *attrs)
44563 - struct dma_map_ops *ops = get_dma_ops(dev);
44564 + const struct dma_map_ops *ops = get_dma_ops(dev);
44566 BUG_ON(!valid_dma_direction(dir));
44567 debug_dma_unmap_sg(dev, sg, nents, dir);
44568 @@ -71,7 +71,7 @@ static inline dma_addr_t dma_map_page(st
44569 size_t offset, size_t size,
44570 enum dma_data_direction dir)
44572 - struct dma_map_ops *ops = get_dma_ops(dev);
44573 + const struct dma_map_ops *ops = get_dma_ops(dev);
44576 kmemcheck_mark_initialized(page_address(page) + offset, size);
44577 @@ -85,7 +85,7 @@ static inline dma_addr_t dma_map_page(st
44578 static inline void dma_unmap_page(struct device *dev, dma_addr_t addr,
44579 size_t size, enum dma_data_direction dir)
44581 - struct dma_map_ops *ops = get_dma_ops(dev);
44582 + const struct dma_map_ops *ops = get_dma_ops(dev);
44584 BUG_ON(!valid_dma_direction(dir));
44585 if (ops->unmap_page)
44586 @@ -97,7 +97,7 @@ static inline void dma_sync_single_for_c
44588 enum dma_data_direction dir)
44590 - struct dma_map_ops *ops = get_dma_ops(dev);
44591 + const struct dma_map_ops *ops = get_dma_ops(dev);
44593 BUG_ON(!valid_dma_direction(dir));
44594 if (ops->sync_single_for_cpu)
44595 @@ -109,7 +109,7 @@ static inline void dma_sync_single_for_d
44596 dma_addr_t addr, size_t size,
44597 enum dma_data_direction dir)
44599 - struct dma_map_ops *ops = get_dma_ops(dev);
44600 + const struct dma_map_ops *ops = get_dma_ops(dev);
44602 BUG_ON(!valid_dma_direction(dir));
44603 if (ops->sync_single_for_device)
44604 @@ -139,7 +139,7 @@ static inline void
44605 dma_sync_sg_for_cpu(struct device *dev, struct scatterlist *sg,
44606 int nelems, enum dma_data_direction dir)
44608 - struct dma_map_ops *ops = get_dma_ops(dev);
44609 + const struct dma_map_ops *ops = get_dma_ops(dev);
44611 BUG_ON(!valid_dma_direction(dir));
44612 if (ops->sync_sg_for_cpu)
44613 @@ -151,7 +151,7 @@ static inline void
44614 dma_sync_sg_for_device(struct device *dev, struct scatterlist *sg,
44615 int nelems, enum dma_data_direction dir)
44617 - struct dma_map_ops *ops = get_dma_ops(dev);
44618 + const struct dma_map_ops *ops = get_dma_ops(dev);
44620 BUG_ON(!valid_dma_direction(dir));
44621 if (ops->sync_sg_for_device)
44622 diff -urNp linux-2.6.36.1/include/asm-generic/futex.h linux-2.6.36.1/include/asm-generic/futex.h
44623 --- linux-2.6.36.1/include/asm-generic/futex.h 2010-10-20 16:30:22.000000000 -0400
44624 +++ linux-2.6.36.1/include/asm-generic/futex.h 2010-11-06 18:58:15.000000000 -0400
44626 #include <asm/errno.h>
44629 -futex_atomic_op_inuser (int encoded_op, int __user *uaddr)
44630 +futex_atomic_op_inuser (int encoded_op, u32 __user *uaddr)
44632 int op = (encoded_op >> 28) & 7;
44633 int cmp = (encoded_op >> 24) & 15;
44634 @@ -48,7 +48,7 @@ futex_atomic_op_inuser (int encoded_op,
44638 -futex_atomic_cmpxchg_inatomic(int __user *uaddr, int oldval, int newval)
44639 +futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, int oldval, int newval)
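Review bot: In `futex_atomic_cmpxchg_inatomic` the user pointer becomes `u32 __user *uaddr` while `oldval` and `newval` stay `int`, so the value read from userspace and the values it is compared against now differ in signedness; the same applies to `futex_atomic_op_inuser` in the hunk above, where `encoded_op` and the operands derived from it remain `int`. Both function bodies are outside the hunks, so whether the comparison is performed on `u32` or `int` cannot be checked here, but a consistent signature would be `futex_atomic_cmpxchg_inatomic(u32 __user *uaddr, u32 oldval, u32 newval)`. Whatever is chosen should match the per-arch prototypes, otherwise the generic header and the arch headers disagree on the type.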
44643 diff -urNp linux-2.6.36.1/include/asm-generic/int-l64.h linux-2.6.36.1/include/asm-generic/int-l64.h
44644 --- linux-2.6.36.1/include/asm-generic/int-l64.h 2010-10-20 16:30:22.000000000 -0400
44645 +++ linux-2.6.36.1/include/asm-generic/int-l64.h 2010-11-06 18:58:15.000000000 -0400
44646 @@ -46,6 +46,8 @@ typedef unsigned int u32;
44647 typedef signed long s64;
44648 typedef unsigned long u64;
44650 +typedef unsigned int intoverflow_t __attribute__ ((mode(TI)));
44653 #define U8_C(x) x ## U
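Review bot: The new `intoverflow_t` typedef in this hunk (and its `unsigned long long` twin in the int-ll64.h hunk below) has no comment saying what it is for, and the two definitions differ in width: 128-bit via `mode(TI)` here, 64-bit there. A reader cannot tell whether code using it may rely on the extra width, so the contract should be stated, presumably "wide enough to hold the product of two `unsigned long` values without wrapping", which both definitions satisfy for their respective `long` sizes (please confirm against the users). Suggested comment above both typedefs: `/* Wide enough to hold the product of two unsigned longs; used for size-overflow checks. */`. Note that `mode(TI)` requires a target with 128-bit integer support, which I believe every 64-bit gcc target has, but it is worth a build check on the less common ones.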
44655 diff -urNp linux-2.6.36.1/include/asm-generic/int-ll64.h linux-2.6.36.1/include/asm-generic/int-ll64.h
44656 --- linux-2.6.36.1/include/asm-generic/int-ll64.h 2010-10-20 16:30:22.000000000 -0400
44657 +++ linux-2.6.36.1/include/asm-generic/int-ll64.h 2010-11-06 18:58:15.000000000 -0400
44658 @@ -51,6 +51,8 @@ typedef unsigned int u32;
44659 typedef signed long long s64;
44660 typedef unsigned long long u64;
44662 +typedef unsigned long long intoverflow_t;
44665 #define U8_C(x) x ## U
44667 diff -urNp linux-2.6.36.1/include/asm-generic/kmap_types.h linux-2.6.36.1/include/asm-generic/kmap_types.h
44668 --- linux-2.6.36.1/include/asm-generic/kmap_types.h 2010-10-20 16:30:22.000000000 -0400
44669 +++ linux-2.6.36.1/include/asm-generic/kmap_types.h 2010-11-06 18:58:15.000000000 -0400
44670 @@ -29,10 +29,11 @@ KMAP_D(16) KM_IRQ_PTE,
44672 KMAP_D(18) KM_NMI_PTE,
44674 +KMAP_D(20) KM_CLEARPAGE,
44676 * Remember to update debug_kmap_atomic() when adding new kmap types!
44678 -KMAP_D(20) KM_TYPE_NR
44679 +KMAP_D(21) KM_TYPE_NR
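Review bot: The new `KMAP_D(20) KM_CLEARPAGE` slot is added directly above the comment that says `debug_kmap_atomic()` must be updated when a kmap type is added, and this hunk does not show that update. If the matching entry in `debug_kmap_atomic()` is not added elsewhere in this patch, the debug code will mis-report or warn on the new type whenever highmem debugging is enabled. A trailing comment on the new entry, `KMAP_D(20) KM_CLEARPAGE, /* keep debug_kmap_atomic() in sync */`, would tie the two together for the next person who edits the list.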
44683 diff -urNp linux-2.6.36.1/include/asm-generic/pgtable.h linux-2.6.36.1/include/asm-generic/pgtable.h
44684 --- linux-2.6.36.1/include/asm-generic/pgtable.h 2010-10-20 16:30:22.000000000 -0400
44685 +++ linux-2.6.36.1/include/asm-generic/pgtable.h 2010-11-06 18:58:15.000000000 -0400
44686 @@ -344,6 +344,14 @@ extern void untrack_pfn_vma(struct vm_ar
44687 unsigned long size);
44690 +#ifndef __HAVE_ARCH_PAX_OPEN_KERNEL
44691 +static inline unsigned long pax_open_kernel(void) { return 0; }
44694 +#ifndef __HAVE_ARCH_PAX_CLOSE_KERNEL
44695 +static inline unsigned long pax_close_kernel(void) { return 0; }
44698 #endif /* !__ASSEMBLY__ */
44700 #endif /* _ASM_GENERIC_PGTABLE_H */
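Review bot: The generic `pax_open_kernel()`/`pax_close_kernel()` stubs are added without any comment describing the hook contract: what an architecture that defines `__HAVE_ARCH_PAX_OPEN_KERNEL` is expected to do, what the `unsigned long` return value means, and whether callers must pair the two. The bodies here only return 0, so the generic behaviour is "no-op", but the override semantics are implied only by the names (presumably temporarily lifting write protection on kernel data that is otherwise read-only, please confirm). Suggested comment above the first `#ifndef`: `/* Arch hooks bracketing writes to kernel data that is normally mapped read-only. The generic versions are no-ops; an arch with real ones defines __HAVE_ARCH_PAX_{OPEN,CLOSE}_KERNEL. */`, with the return-value meaning added once the arch implementations are confirmed.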
44701 diff -urNp linux-2.6.36.1/include/asm-generic/pgtable-nopmd.h linux-2.6.36.1/include/asm-generic/pgtable-nopmd.h
44702 --- linux-2.6.36.1/include/asm-generic/pgtable-nopmd.h 2010-10-20 16:30:22.000000000 -0400
44703 +++ linux-2.6.36.1/include/asm-generic/pgtable-nopmd.h 2010-11-06 18:58:15.000000000 -0400
44705 #ifndef _PGTABLE_NOPMD_H
44706 #define _PGTABLE_NOPMD_H
44708 -#ifndef __ASSEMBLY__
44710 #include <asm-generic/pgtable-nopud.h>
44714 #define __PAGETABLE_PMD_FOLDED
44716 +#define PMD_SHIFT PUD_SHIFT
44717 +#define PTRS_PER_PMD 1
44718 +#define PMD_SIZE (_AC(1,UL) << PMD_SHIFT)
44719 +#define PMD_MASK (~(PMD_SIZE-1))
44721 +#ifndef __ASSEMBLY__
44726 * Having the pmd type consist of a pud gets the size right, and allows
44727 * us to conceptually access the pud entry that this pmd is folded into
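Review bot: The relocated `PMD_SIZE` definition now uses `_AC(1,UL)` so that it can be used from assembly, but `_AC` comes from `<linux/const.h>` and this header only includes `<asm-generic/pgtable-nopud.h>`; nothing in the hunk shows either header pulling in const.h, so the define works only if every includer happens to have done so first. The same applies to `PUD_SIZE` in the pgtable-nopud.h hunk below. Adding `#include <linux/const.h>` next to the existing include (and the same line in pgtable-nopud.h) makes both headers self-contained.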
44728 @@ -16,11 +21,6 @@ struct mm_struct;
44730 typedef struct { pud_t pud; } pmd_t;
44732 -#define PMD_SHIFT PUD_SHIFT
44733 -#define PTRS_PER_PMD 1
44734 -#define PMD_SIZE (1UL << PMD_SHIFT)
44735 -#define PMD_MASK (~(PMD_SIZE-1))
44738 * The "pud_xxx()" functions here are trivial for a folded two-level
44739 * setup: the pmd is never bad, and a pmd always exists (as it's folded
44740 diff -urNp linux-2.6.36.1/include/asm-generic/pgtable-nopud.h linux-2.6.36.1/include/asm-generic/pgtable-nopud.h
44741 --- linux-2.6.36.1/include/asm-generic/pgtable-nopud.h 2010-10-20 16:30:22.000000000 -0400
44742 +++ linux-2.6.36.1/include/asm-generic/pgtable-nopud.h 2010-11-06 18:58:15.000000000 -0400
44744 #ifndef _PGTABLE_NOPUD_H
44745 #define _PGTABLE_NOPUD_H
44747 -#ifndef __ASSEMBLY__
44749 #define __PAGETABLE_PUD_FOLDED
44751 +#define PUD_SHIFT PGDIR_SHIFT
44752 +#define PTRS_PER_PUD 1
44753 +#define PUD_SIZE (_AC(1,UL) << PUD_SHIFT)
44754 +#define PUD_MASK (~(PUD_SIZE-1))
44756 +#ifndef __ASSEMBLY__
44759 * Having the pud type consist of a pgd gets the size right, and allows
44760 * us to conceptually access the pgd entry that this pud is folded into
44763 typedef struct { pgd_t pgd; } pud_t;
44765 -#define PUD_SHIFT PGDIR_SHIFT
44766 -#define PTRS_PER_PUD 1
44767 -#define PUD_SIZE (1UL << PUD_SHIFT)
44768 -#define PUD_MASK (~(PUD_SIZE-1))
44771 * The "pgd_xxx()" functions here are trivial for a folded two-level
44772 * setup: the pud is never bad, and a pud always exists (as it's folded
44773 diff -urNp linux-2.6.36.1/include/asm-generic/vmlinux.lds.h linux-2.6.36.1/include/asm-generic/vmlinux.lds.h
44774 --- linux-2.6.36.1/include/asm-generic/vmlinux.lds.h 2010-10-20 16:30:22.000000000 -0400
44775 +++ linux-2.6.36.1/include/asm-generic/vmlinux.lds.h 2010-11-06 18:58:15.000000000 -0400
44776 @@ -209,6 +209,7 @@
44777 .rodata : AT(ADDR(.rodata) - LOAD_OFFSET) { \
44778 VMLINUX_SYMBOL(__start_rodata) = .; \
44779 *(.rodata) *(.rodata.*) \
44780 + *(.data..read_only) \
44781 *(__vermagic) /* Kernel version magic */ \
44782 *(__markers_strings) /* Markers: strings */ \
44783 *(__tracepoints_strings)/* Tracepoints: strings */ \
44784 @@ -667,22 +668,24 @@
44785 * section in the linker script will go there too. @phdr should have
44788 - * Note that this macros defines __per_cpu_load as an absolute symbol.
44789 + * Note that this macros defines per_cpu_load as an absolute symbol.
44790 * If there is no need to put the percpu section at a predetermined
44791 * address, use PERCPU().
44793 #define PERCPU_VADDR(vaddr, phdr) \
44794 - VMLINUX_SYMBOL(__per_cpu_load) = .; \
44795 - .data..percpu vaddr : AT(VMLINUX_SYMBOL(__per_cpu_load) \
44796 + per_cpu_load = .; \
44797 + .data..percpu vaddr : AT(VMLINUX_SYMBOL(per_cpu_load) \
44799 + VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load; \
44800 VMLINUX_SYMBOL(__per_cpu_start) = .; \
44801 *(.data..percpu..first) \
44802 - *(.data..percpu..page_aligned) \
44804 + . = ALIGN(PAGE_SIZE); \
44805 + *(.data..percpu..page_aligned) \
44806 *(.data..percpu..shared_aligned) \
44807 VMLINUX_SYMBOL(__per_cpu_end) = .; \
44809 - . = VMLINUX_SYMBOL(__per_cpu_load) + SIZEOF(.data..percpu);
44810 + . = VMLINUX_SYMBOL(per_cpu_load) + SIZEOF(.data..percpu);
44813 * PERCPU - define output section for percpu area, simple version
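Review bot: In the `PERCPU_VADDR` rewrite the new symbol is defined bare as `per_cpu_load = .;` and used bare in `VMLINUX_SYMBOL(__per_cpu_load) = . + per_cpu_load;`, but referenced through `VMLINUX_SYMBOL(per_cpu_load)` in the `AT(...)` clause and in the final `. = ...` line. On targets whose `VMLINUX_SYMBOL` prefixes an underscore the definition and the references name different symbols and the link fails; every other symbol in this file is wrapped consistently, so the definition should be too: `VMLINUX_SYMBOL(per_cpu_load) = .;` and `VMLINUX_SYMBOL(__per_cpu_load) = . + VMLINUX_SYMBOL(per_cpu_load);`. While the comment line is being touched, `this macros defines` should read `this macro defines`, and the comment should say why `per_cpu_load` is now split from `__per_cpu_load`, which the hunk leaves unexplained.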
44814 diff -urNp linux-2.6.36.1/include/drm/drm_pciids.h linux-2.6.36.1/include/drm/drm_pciids.h
44815 --- linux-2.6.36.1/include/drm/drm_pciids.h 2010-10-20 16:30:22.000000000 -0400
44816 +++ linux-2.6.36.1/include/drm/drm_pciids.h 2010-11-06 18:58:15.000000000 -0400
44817 @@ -419,7 +419,7 @@
44818 {0x1002, 0x9713, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44819 {0x1002, 0x9714, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44820 {0x1002, 0x9715, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS880|RADEON_NEW_MEMMAP|RADEON_IS_IGP}, \
44822 + {0, 0, 0, 0, 0, 0}
44824 #define r128_PCI_IDS \
44825 {0x1002, 0x4c45, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44826 @@ -459,14 +459,14 @@
44827 {0x1002, 0x5446, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44828 {0x1002, 0x544C, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44829 {0x1002, 0x5452, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44831 + {0, 0, 0, 0, 0, 0}
44833 #define mga_PCI_IDS \
44834 {0x102b, 0x0520, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
44835 {0x102b, 0x0521, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G200}, \
44836 {0x102b, 0x0525, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G400}, \
44837 {0x102b, 0x2527, PCI_ANY_ID, PCI_ANY_ID, 0, 0, MGA_CARD_TYPE_G550}, \
44839 + {0, 0, 0, 0, 0, 0}
44841 #define mach64_PCI_IDS \
44842 {0x1002, 0x4749, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44843 @@ -489,7 +489,7 @@
44844 {0x1002, 0x4c53, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44845 {0x1002, 0x4c4d, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44846 {0x1002, 0x4c4e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44848 + {0, 0, 0, 0, 0, 0}
44850 #define sisdrv_PCI_IDS \
44851 {0x1039, 0x0300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44852 @@ -500,7 +500,7 @@
44853 {0x1039, 0x7300, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44854 {0x18CA, 0x0040, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
44855 {0x18CA, 0x0042, PCI_ANY_ID, PCI_ANY_ID, 0, 0, SIS_CHIP_315}, \
44857 + {0, 0, 0, 0, 0, 0}
44859 #define tdfx_PCI_IDS \
44860 {0x121a, 0x0003, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44861 @@ -509,7 +509,7 @@
44862 {0x121a, 0x0007, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44863 {0x121a, 0x0009, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44864 {0x121a, 0x000b, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44866 + {0, 0, 0, 0, 0, 0}
44868 #define viadrv_PCI_IDS \
44869 {0x1106, 0x3022, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44870 @@ -521,14 +521,14 @@
44871 {0x1106, 0x3343, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44872 {0x1106, 0x3230, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_DX9_0}, \
44873 {0x1106, 0x3157, PCI_ANY_ID, PCI_ANY_ID, 0, 0, VIA_PRO_GROUP_A}, \
44875 + {0, 0, 0, 0, 0, 0}
44877 #define i810_PCI_IDS \
44878 {0x8086, 0x7121, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44879 {0x8086, 0x7123, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44880 {0x8086, 0x7125, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44881 {0x8086, 0x1132, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44883 + {0, 0, 0, 0, 0, 0}
44885 #define i830_PCI_IDS \
44886 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44887 @@ -536,11 +536,11 @@
44888 {0x8086, 0x3582, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44889 {0x8086, 0x2572, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44890 {0x8086, 0x358e, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44892 + {0, 0, 0, 0, 0, 0}
44894 #define gamma_PCI_IDS \
44895 {0x3d3d, 0x0008, PCI_ANY_ID, PCI_ANY_ID, 0, 0, 0}, \
44897 + {0, 0, 0, 0, 0, 0}
44899 #define savage_PCI_IDS \
44900 {0x5333, 0x8a20, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_SAVAGE3D}, \
44901 @@ -566,10 +566,10 @@
44902 {0x5333, 0x8d02, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_TWISTER}, \
44903 {0x5333, 0x8d03, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44904 {0x5333, 0x8d04, PCI_ANY_ID, PCI_ANY_ID, 0, 0, S3_PROSAVAGEDDR}, \
44906 + {0, 0, 0, 0, 0, 0}
44908 #define ffb_PCI_IDS \
44910 + {0, 0, 0, 0, 0, 0}
44912 #define i915_PCI_IDS \
44913 {0x8086, 0x3577, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44914 @@ -603,4 +603,4 @@
44915 {0x8086, 0x0042, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44916 {0x8086, 0x0046, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44917 {0x8086, 0x0102, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \
44919 + {0, 0, 0, 0, 0, 0}
44920 diff -urNp linux-2.6.36.1/include/drm/drmP.h linux-2.6.36.1/include/drm/drmP.h
44921 --- linux-2.6.36.1/include/drm/drmP.h 2010-10-20 16:30:22.000000000 -0400
44922 +++ linux-2.6.36.1/include/drm/drmP.h 2010-11-06 18:58:15.000000000 -0400
44923 @@ -813,7 +813,7 @@ struct drm_driver {
44924 void (*vgaarb_irq)(struct drm_device *dev, bool state);
44926 /* Driver private ops for this object */
44927 - struct vm_operations_struct *gem_vm_ops;
44928 + const struct vm_operations_struct *gem_vm_ops;
44932 @@ -923,7 +923,7 @@ struct drm_device {
44934 /** \name Usage Counters */
44936 - int open_count; /**< Outstanding files open */
44937 + atomic_t open_count; /**< Outstanding files open */
44938 atomic_t ioctl_count; /**< Outstanding IOCTLs pending */
44939 atomic_t vma_count; /**< Outstanding vma areas open */
44940 int buf_use; /**< Buffers in use -- cannot alloc */
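Review bot: `open_count` becomes `atomic_t`, but every site that touches it is outside this hunk, and an `atomic_t` only makes each individual increment or decrement tear-free; a check-then-act on the count (the usual "last close tears the device down" pattern that the name and the neighbouring `ioctl_count` suggest, please confirm) still needs either `atomic_dec_and_test()` or whatever lock protected it before. The conversion sites should therefore not be translated mechanically into `atomic_read()` followed by `atomic_dec()`. A comment on the field stating what serialises the last-close decision would keep that invariant from being lost in the type change.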
44941 @@ -934,7 +934,7 @@ struct drm_device {
44943 unsigned long counters;
44944 enum drm_stat_type types[15];
44945 - atomic_t counts[15];
44946 + atomic_unchecked_t counts[15];
44949 struct list_head filelist;
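Review bot: `counts[15]` is switched to `atomic_unchecked_t` with no comment, and in a tree where `atomic_t` carries overflow checking the unchecked type is an explicit opt-out that a later reader should be able to justify at a glance. From the surrounding fields (`counters`, `types[15]`) these look like per-device statistics rather than reference counts, where wrap-around is harmless and the check would only produce false positives, but that is inferred from names. Suggest `atomic_unchecked_t counts[15]; /* statistics, not refcounts: wrap-around is harmless */`.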
44950 diff -urNp linux-2.6.36.1/include/linux/a.out.h linux-2.6.36.1/include/linux/a.out.h
44951 --- linux-2.6.36.1/include/linux/a.out.h 2010-10-20 16:30:22.000000000 -0400
44952 +++ linux-2.6.36.1/include/linux/a.out.h 2010-11-06 18:58:15.000000000 -0400
44953 @@ -39,6 +39,14 @@ enum machine_type {
44954 M_MIPS2 = 152 /* MIPS R6000/R4000 binary */
44957 +/* Constants for the N_FLAGS field */
44958 +#define F_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
44959 +#define F_PAX_EMUTRAMP 2 /* Emulate trampolines */
44960 +#define F_PAX_MPROTECT 4 /* Restrict mprotect() */
44961 +#define F_PAX_RANDMMAP 8 /* Randomize mmap() base */
44962 +/*#define F_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
44963 +#define F_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
44965 #if !defined (N_MAGIC)
44966 #define N_MAGIC(exec) ((exec).a_info & 0xffff)
44968 diff -urNp linux-2.6.36.1/include/linux/atmdev.h linux-2.6.36.1/include/linux/atmdev.h
44969 --- linux-2.6.36.1/include/linux/atmdev.h 2010-10-20 16:30:22.000000000 -0400
44970 +++ linux-2.6.36.1/include/linux/atmdev.h 2010-11-06 18:58:15.000000000 -0400
44971 @@ -237,7 +237,7 @@ struct compat_atm_iobuf {
44974 struct k_atm_aal_stats {
44975 -#define __HANDLE_ITEM(i) atomic_t i
44976 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
44978 #undef __HANDLE_ITEM
44980 diff -urNp linux-2.6.36.1/include/linux/binfmts.h linux-2.6.36.1/include/linux/binfmts.h
44981 --- linux-2.6.36.1/include/linux/binfmts.h 2010-10-20 16:30:22.000000000 -0400
44982 +++ linux-2.6.36.1/include/linux/binfmts.h 2010-11-06 18:58:15.000000000 -0400
44983 @@ -87,6 +87,7 @@ struct linux_binfmt {
44984 int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
44985 int (*load_shlib)(struct file *);
44986 int (*core_dump)(struct coredump_params *cprm);
44987 + void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags);
44988 unsigned long min_coredump; /* minimal dump size */
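Review bot: The new `handle_mprotect` callback is added to `struct linux_binfmt` without a doc comment, unlike `min_coredump` on the next line, and nothing here says whether a format may leave it NULL or when it is invoked. The call site in the mprotect path is outside this hunk and has to test the pointer before calling it, since formats other than the one this patch extends will presumably leave it unset. Suggest `void (*handle_mprotect)(struct vm_area_struct *vma, unsigned long newflags); /* optional, may be NULL; called when a VMA's protection is about to change */`, adjusted to the actual call site.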
44991 diff -urNp linux-2.6.36.1/include/linux/blkdev.h linux-2.6.36.1/include/linux/blkdev.h
44992 --- linux-2.6.36.1/include/linux/blkdev.h 2010-10-20 16:30:22.000000000 -0400
44993 +++ linux-2.6.36.1/include/linux/blkdev.h 2010-11-06 18:58:15.000000000 -0400
44994 @@ -1249,19 +1249,19 @@ static inline int blk_integrity_rq(struc
44995 #endif /* CONFIG_BLK_DEV_INTEGRITY */
44997 struct block_device_operations {
44998 - int (*open) (struct block_device *, fmode_t);
44999 - int (*release) (struct gendisk *, fmode_t);
45000 - int (*ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45001 - int (*compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45002 - int (*direct_access) (struct block_device *, sector_t,
45003 + int (* const open) (struct block_device *, fmode_t);
45004 + int (* const release) (struct gendisk *, fmode_t);
45005 + int (* const ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45006 + int (* const compat_ioctl) (struct block_device *, fmode_t, unsigned, unsigned long);
45007 + int (* const direct_access) (struct block_device *, sector_t,
45008 void **, unsigned long *);
45009 - int (*media_changed) (struct gendisk *);
45010 - void (*unlock_native_capacity) (struct gendisk *);
45011 - int (*revalidate_disk) (struct gendisk *);
45012 - int (*getgeo)(struct block_device *, struct hd_geometry *);
45013 + int (* const media_changed) (struct gendisk *);
45014 + void (* const unlock_native_capacity) (struct gendisk *);
45015 + int (* const revalidate_disk) (struct gendisk *);
45016 + int (* const getgeo)(struct block_device *, struct hd_geometry *);
45017 /* this callback is with swap_lock and sometimes page table lock held */
45018 - void (*swap_slot_free_notify) (struct block_device *, unsigned long);
45019 - struct module *owner;
45020 + void (* const swap_slot_free_notify) (struct block_device *, unsigned long);
45021 + struct module * const owner;
45024 extern int __blkdev_driver_ioctl(struct block_device *, fmode_t, unsigned int,
45025 diff -urNp linux-2.6.36.1/include/linux/cache.h linux-2.6.36.1/include/linux/cache.h
45026 --- linux-2.6.36.1/include/linux/cache.h 2010-10-20 16:30:22.000000000 -0400
45027 +++ linux-2.6.36.1/include/linux/cache.h 2010-11-06 18:58:15.000000000 -0400
45029 #define __read_mostly
45032 +#ifndef __read_only
45033 +#define __read_only __read_mostly
45036 #ifndef ____cacheline_aligned
45037 #define ____cacheline_aligned __attribute__((__aligned__(SMP_CACHE_BYTES)))
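Review bot: The new `__read_only` fallback maps to `__read_mostly`, which only affects placement and gives no write protection at all, and nothing in the hunk says so. A developer marking a table `__read_only` on an architecture without its own definition will believe the data is protected after init when it is merely grouped with read-mostly data. Suggest `#define __read_only __read_mostly /* no arch write-protection: placement only */` so the weaker guarantee is visible where the fallback is defined.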
45039 diff -urNp linux-2.6.36.1/include/linux/capability.h linux-2.6.36.1/include/linux/capability.h
45040 --- linux-2.6.36.1/include/linux/capability.h 2010-10-20 16:30:22.000000000 -0400
45041 +++ linux-2.6.36.1/include/linux/capability.h 2010-11-06 18:58:50.000000000 -0400
45042 @@ -558,6 +558,7 @@ extern const kernel_cap_t __cap_init_eff
45043 (security_real_capable_noaudit((t), (cap)) == 0)
45045 extern int capable(int cap);
45046 +int capable_nolog(int cap);
45048 /* audit system wants to get cap info from files as well */
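Review bot: `int capable_nolog(int cap);` is declared without `extern`, while the adjacent `extern int capable(int cap);` and the other prototypes in this header use it; the function's meaning (a `capable()` variant whose failed checks are not logged, going by the name, please confirm) is also left unstated. Suggest `extern int capable_nolog(int cap); /* like capable(), but a failed check is not reported to the security log */`, with the comment adjusted to what the implementation actually does.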
45050 diff -urNp linux-2.6.36.1/include/linux/compiler-gcc4.h linux-2.6.36.1/include/linux/compiler-gcc4.h
45051 --- linux-2.6.36.1/include/linux/compiler-gcc4.h 2010-10-20 16:30:22.000000000 -0400
45052 +++ linux-2.6.36.1/include/linux/compiler-gcc4.h 2010-11-06 18:58:15.000000000 -0400
45057 +#define __alloc_size(...) __attribute((alloc_size(__VA_ARGS__)))
45058 +#define __bos(ptr, arg) __builtin_object_size((ptr), (arg))
45059 +#define __bos0(ptr) __bos((ptr), 0)
45060 +#define __bos1(ptr) __bos((ptr), 1)
45063 #if __GNUC_MINOR__ > 0
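Review bot: `__alloc_size` is defined with the `__attribute((...))` spelling while this header and the rest of the kernel use `__attribute__((...))`, and the context line that follows (`#if __GNUC_MINOR__ > 0`) shows the four new defines sit unconditionally in front of the version-guarded section, i.e. they apply to every gcc 4.x. As far as I know gcc only understands the `alloc_size` attribute from 4.3, so on 4.0–4.2 every function annotated with it will emit an "attribute directive ignored" warning per declaration. Wrapping the define in `#if __GNUC_MINOR__ >= 3` with an empty `#define __alloc_size(...)` in the `#else` branch avoids that, and the guarded line should read `#define __alloc_size(...) __attribute__((alloc_size(__VA_ARGS__)))`.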
45064 diff -urNp linux-2.6.36.1/include/linux/compiler.h linux-2.6.36.1/include/linux/compiler.h
45065 --- linux-2.6.36.1/include/linux/compiler.h 2010-10-20 16:30:22.000000000 -0400
45066 +++ linux-2.6.36.1/include/linux/compiler.h 2010-11-06 18:58:15.000000000 -0400
45067 @@ -269,6 +269,22 @@ void ftrace_likely_update(struct ftrace_
45071 +#ifndef __alloc_size
45072 +#define __alloc_size
45087 /* Simple shorthand for a section definition */
45089 # define __section(S) __attribute__ ((__section__(#S)))
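Review bot: As rendered, the fallback `#define __alloc_size` is an object-like macro, while compiler-gcc4.h defines `__alloc_size(...)` as function-like; with an object-like fallback, a prototype written `void *kmalloc(size_t size, gfp_t flags) __alloc_size(1);` expands to `... (1);` on any non-GCC-4 build and fails to compile. The fallback should be `#define __alloc_size(...)` so the argument list is swallowed. This page is missing several lines of the hunk (the gutter jumps from 45072 to 45087), so if the `(...)` was lost in rendering rather than in the patch, disregard.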
45090 diff -urNp linux-2.6.36.1/include/linux/decompress/mm.h linux-2.6.36.1/include/linux/decompress/mm.h
45091 --- linux-2.6.36.1/include/linux/decompress/mm.h 2010-10-20 16:30:22.000000000 -0400
45092 +++ linux-2.6.36.1/include/linux/decompress/mm.h 2010-11-06 18:58:15.000000000 -0400
45093 @@ -78,7 +78,7 @@ static void free(void *where)
45094 * warnings when not needed (indeed large_malloc / large_free are not
45095 * needed by inflate */
45097 -#define malloc(a) kmalloc(a, GFP_KERNEL)
45098 +#define malloc(a) kmalloc((a), GFP_KERNEL)
45099 #define free(a) kfree(a)
45101 #define large_malloc(a) vmalloc(a)
45102 diff -urNp linux-2.6.36.1/include/linux/dma-mapping.h linux-2.6.36.1/include/linux/dma-mapping.h
45103 --- linux-2.6.36.1/include/linux/dma-mapping.h 2010-10-20 16:30:22.000000000 -0400
45104 +++ linux-2.6.36.1/include/linux/dma-mapping.h 2010-11-06 18:58:15.000000000 -0400
45105 @@ -16,40 +16,40 @@ enum dma_data_direction {
45108 struct dma_map_ops {
45109 - void* (*alloc_coherent)(struct device *dev, size_t size,
45110 + void* (* const alloc_coherent)(struct device *dev, size_t size,
45111 dma_addr_t *dma_handle, gfp_t gfp);
45112 - void (*free_coherent)(struct device *dev, size_t size,
45113 + void (* const free_coherent)(struct device *dev, size_t size,
45114 void *vaddr, dma_addr_t dma_handle);
45115 - dma_addr_t (*map_page)(struct device *dev, struct page *page,
45116 + dma_addr_t (* const map_page)(struct device *dev, struct page *page,
45117 unsigned long offset, size_t size,
45118 enum dma_data_direction dir,
45119 struct dma_attrs *attrs);
45120 - void (*unmap_page)(struct device *dev, dma_addr_t dma_handle,
45121 + void (* const unmap_page)(struct device *dev, dma_addr_t dma_handle,
45122 size_t size, enum dma_data_direction dir,
45123 struct dma_attrs *attrs);
45124 - int (*map_sg)(struct device *dev, struct scatterlist *sg,
45125 + int (* const map_sg)(struct device *dev, struct scatterlist *sg,
45126 int nents, enum dma_data_direction dir,
45127 struct dma_attrs *attrs);
45128 - void (*unmap_sg)(struct device *dev,
45129 + void (* const unmap_sg)(struct device *dev,
45130 struct scatterlist *sg, int nents,
45131 enum dma_data_direction dir,
45132 struct dma_attrs *attrs);
45133 - void (*sync_single_for_cpu)(struct device *dev,
45134 + void (* const sync_single_for_cpu)(struct device *dev,
45135 dma_addr_t dma_handle, size_t size,
45136 enum dma_data_direction dir);
45137 - void (*sync_single_for_device)(struct device *dev,
45138 + void (* const sync_single_for_device)(struct device *dev,
45139 dma_addr_t dma_handle, size_t size,
45140 enum dma_data_direction dir);
45141 - void (*sync_sg_for_cpu)(struct device *dev,
45142 + void (* const sync_sg_for_cpu)(struct device *dev,
45143 struct scatterlist *sg, int nents,
45144 enum dma_data_direction dir);
45145 - void (*sync_sg_for_device)(struct device *dev,
45146 + void (* const sync_sg_for_device)(struct device *dev,
45147 struct scatterlist *sg, int nents,
45148 enum dma_data_direction dir);
45149 - int (*mapping_error)(struct device *dev, dma_addr_t dma_addr);
45150 - int (*dma_supported)(struct device *dev, u64 mask);
45151 - int (*set_dma_mask)(struct device *dev, u64 mask);
45153 + int (* const mapping_error)(struct device *dev, dma_addr_t dma_addr);
45154 + int (* const dma_supported)(struct device *dev, u64 mask);
45155 + int (* set_dma_mask)(struct device *dev, u64 mask);
45156 + const int is_phys;
45159 #define DMA_BIT_MASK(n) (((n) == 64) ? ~0ULL : ((1ULL<<(n))-1))
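Review bot: `set_dma_mask` is the only hook in `struct dma_map_ops` left non-const (`int (* set_dma_mask)(...)`, with a stray space after `*`), and nothing explains the exception while every other member, plus the new `const int is_phys`, is constified. Making the hooks `const` means every `dma_map_ops` instance in the tree must now be fully initialised statically; a reader needs to know why this one member is allowed to be assigned at runtime. Suggested: `int (*set_dma_mask)(struct device *dev, u64 mask);	/* not const: assigned at runtime by some arch code -- TODO name it */`.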
45160 diff -urNp linux-2.6.36.1/include/linux/elf.h linux-2.6.36.1/include/linux/elf.h
45161 --- linux-2.6.36.1/include/linux/elf.h 2010-10-20 16:30:22.000000000 -0400
45162 +++ linux-2.6.36.1/include/linux/elf.h 2010-11-06 18:58:15.000000000 -0400
45163 @@ -49,6 +49,17 @@ typedef __s64 Elf64_Sxword;
45164 #define PT_GNU_EH_FRAME 0x6474e550
45166 #define PT_GNU_STACK (PT_LOOS + 0x474e551)
45167 +#define PT_GNU_RELRO (PT_LOOS + 0x474e552)
45169 +#define PT_PAX_FLAGS (PT_LOOS + 0x5041580)
45171 +/* Constants for the e_flags field */
45172 +#define EF_PAX_PAGEEXEC 1 /* Paging based non-executable pages */
45173 +#define EF_PAX_EMUTRAMP 2 /* Emulate trampolines */
45174 +#define EF_PAX_MPROTECT 4 /* Restrict mprotect() */
45175 +#define EF_PAX_RANDMMAP 8 /* Randomize mmap() base */
45176 +/*#define EF_PAX_RANDEXEC 16*/ /* Randomize ET_EXEC base */
45177 +#define EF_PAX_SEGMEXEC 32 /* Segmentation based non-executable pages */
45180 * Extended Numbering
45181 @@ -106,6 +117,8 @@ typedef __s64 Elf64_Sxword;
45182 #define DT_DEBUG 21
45183 #define DT_TEXTREL 22
45184 #define DT_JMPREL 23
45185 +#define DT_FLAGS 30
45186 + #define DF_TEXTREL 0x00000004
45187 #define DT_ENCODING 32
45188 #define OLD_DT_LOOS 0x60000000
45189 #define DT_LOOS 0x6000000d
45190 @@ -252,6 +265,19 @@ typedef struct elf64_hdr {
45194 +#define PF_PAGEEXEC (1U << 4) /* Enable PAGEEXEC */
45195 +#define PF_NOPAGEEXEC (1U << 5) /* Disable PAGEEXEC */
45196 +#define PF_SEGMEXEC (1U << 6) /* Enable SEGMEXEC */
45197 +#define PF_NOSEGMEXEC (1U << 7) /* Disable SEGMEXEC */
45198 +#define PF_MPROTECT (1U << 8) /* Enable MPROTECT */
45199 +#define PF_NOMPROTECT (1U << 9) /* Disable MPROTECT */
45200 +/*#define PF_RANDEXEC (1U << 10)*/ /* Enable RANDEXEC */
45201 +/*#define PF_NORANDEXEC (1U << 11)*/ /* Disable RANDEXEC */
45202 +#define PF_EMUTRAMP (1U << 12) /* Enable EMUTRAMP */
45203 +#define PF_NOEMUTRAMP (1U << 13) /* Disable EMUTRAMP */
45204 +#define PF_RANDMMAP (1U << 14) /* Enable RANDMMAP */
45205 +#define PF_NORANDMMAP (1U << 15) /* Disable RANDMMAP */
45207 typedef struct elf32_phdr{
45209 Elf32_Off p_offset;
45210 @@ -344,6 +370,8 @@ typedef struct elf64_shdr {
45216 #define ELFMAG0 0x7f /* EI_MAG */
45217 #define ELFMAG1 'E'
45218 #define ELFMAG2 'L'
45219 @@ -421,6 +449,7 @@ extern Elf32_Dyn _DYNAMIC [];
45220 #define elf_note elf32_note
45221 #define elf_addr_t Elf32_Off
45222 #define Elf_Half Elf32_Half
45223 +#define elf_dyn Elf32_Dyn
45227 @@ -431,6 +460,7 @@ extern Elf64_Dyn _DYNAMIC [];
45228 #define elf_note elf64_note
45229 #define elf_addr_t Elf64_Off
45230 #define Elf_Half Elf64_Half
45231 +#define elf_dyn Elf64_Dyn
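Review bot: In the `DT_FLAGS` hunk the new line `+ #define DF_TEXTREL 0x00000004` is indented, unlike every other `#define` in this file, and should start at column 0 (or the `#` should be at column 0 with the indent after it, per the `# define __section` style seen elsewhere on this page). The commented-out definitions `/*#define EF_PAX_RANDEXEC 16*/`, `/*#define PF_RANDEXEC (1U << 10)*/` and `/*#define PF_NORANDEXEC (1U << 11)*/` read as dead code; if the intent is to keep those bit values reserved so they are never reused for a new flag, say that instead, e.g. `/* 16: EF_PAX_RANDEXEC, reserved -- do not reuse */`. If they are genuinely unused, delete them.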
45235 diff -urNp linux-2.6.36.1/include/linux/fs.h linux-2.6.36.1/include/linux/fs.h
45236 --- linux-2.6.36.1/include/linux/fs.h 2010-10-20 16:30:22.000000000 -0400
45237 +++ linux-2.6.36.1/include/linux/fs.h 2010-11-06 19:01:56.000000000 -0400
45238 @@ -92,6 +92,11 @@ struct inodes_stat_t {
45239 /* Expect random access pattern */
45240 #define FMODE_RANDOM ((__force fmode_t)0x1000)
45242 +/* Hack for grsec so as not to require read permission simply to execute
45245 +#define FMODE_GREXEC ((__force fmode_t)0x2000)
45247 /* File was opened by fanotify and shouldn't generate fanotify events */
45248 #define FMODE_NONOTIFY ((__force fmode_t)0x1000000)
45250 @@ -569,41 +574,41 @@ typedef int (*read_actor_t)(read_descrip
45251 unsigned long, unsigned long);
45253 struct address_space_operations {
45254 - int (*writepage)(struct page *page, struct writeback_control *wbc);
45255 - int (*readpage)(struct file *, struct page *);
45256 - void (*sync_page)(struct page *);
45257 + int (* const writepage)(struct page *page, struct writeback_control *wbc);
45258 + int (* const readpage)(struct file *, struct page *);
45259 + void (* const sync_page)(struct page *);
45261 /* Write back some dirty pages from this mapping. */
45262 - int (*writepages)(struct address_space *, struct writeback_control *);
45263 + int (* const writepages)(struct address_space *, struct writeback_control *);
45265 /* Set a page dirty. Return true if this dirtied it */
45266 - int (*set_page_dirty)(struct page *page);
45267 + int (* const set_page_dirty)(struct page *page);
45269 - int (*readpages)(struct file *filp, struct address_space *mapping,
45270 + int (* const readpages)(struct file *filp, struct address_space *mapping,
45271 struct list_head *pages, unsigned nr_pages);
45273 - int (*write_begin)(struct file *, struct address_space *mapping,
45274 + int (* const write_begin)(struct file *, struct address_space *mapping,
45275 loff_t pos, unsigned len, unsigned flags,
45276 struct page **pagep, void **fsdata);
45277 - int (*write_end)(struct file *, struct address_space *mapping,
45278 + int (* const write_end)(struct file *, struct address_space *mapping,
45279 loff_t pos, unsigned len, unsigned copied,
45280 struct page *page, void *fsdata);
45282 /* Unfortunately this kludge is needed for FIBMAP. Don't use it */
45283 - sector_t (*bmap)(struct address_space *, sector_t);
45284 - void (*invalidatepage) (struct page *, unsigned long);
45285 - int (*releasepage) (struct page *, gfp_t);
45286 - ssize_t (*direct_IO)(int, struct kiocb *, const struct iovec *iov,
45287 + sector_t (* const bmap)(struct address_space *, sector_t);
45288 + void (* const invalidatepage) (struct page *, unsigned long);
45289 + int (* const releasepage) (struct page *, gfp_t);
45290 + ssize_t (* const direct_IO)(int, struct kiocb *, const struct iovec *iov,
45291 loff_t offset, unsigned long nr_segs);
45292 - int (*get_xip_mem)(struct address_space *, pgoff_t, int,
45293 + int (* const get_xip_mem)(struct address_space *, pgoff_t, int,
45294 void **, unsigned long *);
45295 /* migrate the contents of a page to the specified target */
45296 - int (*migratepage) (struct address_space *,
45297 + int (* const migratepage) (struct address_space *,
45298 struct page *, struct page *);
45299 - int (*launder_page) (struct page *);
45300 - int (*is_partially_uptodate) (struct page *, read_descriptor_t *,
45301 + int (* const launder_page) (struct page *);
45302 + int (* const is_partially_uptodate) (struct page *, read_descriptor_t *,
45304 - int (*error_remove_page)(struct address_space *, struct page *);
45305 + int (* const error_remove_page)(struct address_space *, struct page *);
45309 @@ -1029,19 +1034,19 @@ static inline int file_check_writeable(s
45310 typedef struct files_struct *fl_owner_t;
45312 struct file_lock_operations {
45313 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45314 - void (*fl_release_private)(struct file_lock *);
45315 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45316 + void (* const fl_release_private)(struct file_lock *);
45319 struct lock_manager_operations {
45320 - int (*fl_compare_owner)(struct file_lock *, struct file_lock *);
45321 - void (*fl_notify)(struct file_lock *); /* unblock callback */
45322 - int (*fl_grant)(struct file_lock *, struct file_lock *, int);
45323 - void (*fl_copy_lock)(struct file_lock *, struct file_lock *);
45324 - void (*fl_release_private)(struct file_lock *);
45325 - void (*fl_break)(struct file_lock *);
45326 - int (*fl_mylease)(struct file_lock *, struct file_lock *);
45327 - int (*fl_change)(struct file_lock **, int);
45328 + int (* const fl_compare_owner)(struct file_lock *, struct file_lock *);
45329 + void (* const fl_notify)(struct file_lock *); /* unblock callback */
45330 + int (* const fl_grant)(struct file_lock *, struct file_lock *, int);
45331 + void (* const fl_copy_lock)(struct file_lock *, struct file_lock *);
45332 + void (* const fl_release_private)(struct file_lock *);
45333 + void (* const fl_break)(struct file_lock *);
45334 + int (* const fl_mylease)(struct file_lock *, struct file_lock *);
45335 + int (* const fl_change)(struct file_lock **, int);
45338 struct lock_manager {
45339 @@ -1442,7 +1447,7 @@ struct fiemap_extent_info {
45340 unsigned int fi_flags; /* Flags as passed from user */
45341 unsigned int fi_extents_mapped; /* Number of mapped extents */
45342 unsigned int fi_extents_max; /* Size of fiemap_extent array */
45343 - struct fiemap_extent *fi_extents_start; /* Start of fiemap_extent
45344 + struct fiemap_extent __user *fi_extents_start; /* Start of fiemap_extent
45347 int fiemap_fill_next_extent(struct fiemap_extent_info *info, u64 logical,
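Review bot: `FMODE_GREXEC ((__force fmode_t)0x2000)` takes a bit out of the gap between `FMODE_RANDOM` (0x1000) and `FMODE_NONOTIFY` (0x1000000) with nothing marking it as out-of-tree, so a later upstream flag assigned the same value would collide silently; the explanatory comment above it is also cut short in this rendering (gutter lines 45243-45244 are missing), so I cannot tell whether it states the invariant. A descriptor opened with this flag is presumably meant to be executable but not readable, which only holds if every read path (read, mmap with PROT_READ, splice, re-open through the fd) refuses it — the definition should name where that is enforced, e.g. `/* grsec: execute without read permission; read paths must reject FMODE_GREXEC files -- see the open/read checks */`. Where the `__user` annotation is added to `fi_extents_start`, the trailing comment on the struct member runs past the hunk, so the rest of that change is not visible here.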
45348 diff -urNp linux-2.6.36.1/include/linux/fs_struct.h linux-2.6.36.1/include/linux/fs_struct.h
45349 --- linux-2.6.36.1/include/linux/fs_struct.h 2010-10-20 16:30:22.000000000 -0400
45350 +++ linux-2.6.36.1/include/linux/fs_struct.h 2010-11-06 18:58:15.000000000 -0400
45352 #include <linux/path.h>
45360 diff -urNp linux-2.6.36.1/include/linux/genhd.h linux-2.6.36.1/include/linux/genhd.h
45361 --- linux-2.6.36.1/include/linux/genhd.h 2010-10-20 16:30:22.000000000 -0400
45362 +++ linux-2.6.36.1/include/linux/genhd.h 2010-11-06 18:58:15.000000000 -0400
45363 @@ -162,7 +162,7 @@ struct gendisk {
45365 struct timer_rand_state *random;
45367 - atomic_t sync_io; /* RAID */
45368 + atomic_unchecked_t sync_io; /* RAID */
45369 struct work_struct async_notify;
45370 #ifdef CONFIG_BLK_DEV_INTEGRITY
45371 struct blk_integrity *integrity;
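Review bot: Changing `sync_io` from `atomic_t` to `atomic_unchecked_t` opts this counter out of overflow detection, and the only comment on the line is still `/* RAID */`, which does not say why the waiver is safe. If it is purely a statistics counter whose wrap-around is harmless (likely from the name, but not shown here), that is the justification readers of this struct need. Suggested: `atomic_unchecked_t sync_io;	/* RAID stats; wrap-around is harmless, so no overflow check */`.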
45372 diff -urNp linux-2.6.36.1/include/linux/gracl.h linux-2.6.36.1/include/linux/gracl.h
45373 --- linux-2.6.36.1/include/linux/gracl.h 1969-12-31 19:00:00.000000000 -0500
45374 +++ linux-2.6.36.1/include/linux/gracl.h 2010-11-26 18:18:12.000000000 -0500
45379 +#include <linux/grdefs.h>
45380 +#include <linux/resource.h>
45381 +#include <linux/capability.h>
45382 +#include <linux/dcache.h>
45383 +#include <asm/resource.h>
45385 +/* Major status information */
45387 +#define GR_VERSION "grsecurity 2.2.1"
45388 +#define GRSECURITY_VERSION 0x2201
45399 + GR_SPROLEPAM = 8,
45402 +/* Password setup definitions
45403 + * kernel/grhash.c */
45406 + GR_SALT_LEN = 16,
45411 + GR_SPROLE_LEN = 64,
45414 +#define GR_NLIMITS 32
45416 +/* Begin Data Structures */
45418 +struct sprole_pw {
45419 + unsigned char *rolename;
45420 + unsigned char salt[GR_SALT_LEN];
45421 + unsigned char sum[GR_SHA_LEN]; /* 256-bit SHA hash of the password */
45424 +struct name_entry {
45431 + struct name_entry *prev;
45432 + struct name_entry *next;
45435 +struct inodev_entry {
45436 + struct name_entry *nentry;
45437 + struct inodev_entry *prev;
45438 + struct inodev_entry *next;
45441 +struct acl_role_db {
45442 + struct acl_role_label **r_hash;
45446 +struct inodev_db {
45447 + struct inodev_entry **i_hash;
45452 + struct name_entry **n_hash;
45456 +struct crash_uid {
45458 + unsigned long expires;
45461 +struct gr_hash_struct {
45463 + void **nametable;
45465 + __u32 table_size;
45470 +/* Userspace Grsecurity ACL data structures */
45472 +struct acl_subject_label {
45477 + kernel_cap_t cap_mask;
45478 + kernel_cap_t cap_lower;
45479 + kernel_cap_t cap_invert_audit;
45481 + struct rlimit res[GR_NLIMITS];
45484 + __u8 user_trans_type;
45485 + __u8 group_trans_type;
45486 + uid_t *user_transitions;
45487 + gid_t *group_transitions;
45488 + __u16 user_trans_num;
45489 + __u16 group_trans_num;
45491 + __u32 sock_families[2];
45492 + __u32 ip_proto[8];
45494 + struct acl_ip_label **ips;
45496 + __u32 inaddr_any_override;
45499 + unsigned long expires;
45501 + struct acl_subject_label *parent_subject;
45502 + struct gr_hash_struct *hash;
45503 + struct acl_subject_label *prev;
45504 + struct acl_subject_label *next;
45506 + struct acl_object_label **obj_hash;
45507 + __u32 obj_hash_size;
45511 +struct role_allowed_ip {
45515 + struct role_allowed_ip *prev;
45516 + struct role_allowed_ip *next;
45519 +struct role_transition {
45522 + struct role_transition *prev;
45523 + struct role_transition *next;
45526 +struct acl_role_label {
45531 + __u16 auth_attempts;
45532 + unsigned long expires;
45534 + struct acl_subject_label *root_label;
45535 + struct gr_hash_struct *hash;
45537 + struct acl_role_label *prev;
45538 + struct acl_role_label *next;
45540 + struct role_transition *transitions;
45541 + struct role_allowed_ip *allowed_ips;
45542 + uid_t *domain_children;
45543 + __u16 domain_child_num;
45545 + struct acl_subject_label **subj_hash;
45546 + __u32 subj_hash_size;
45549 +struct user_acl_role_db {
45550 + struct acl_role_label **r_table;
45551 + __u32 num_pointers; /* Number of allocations to track */
45552 + __u32 num_roles; /* Number of roles */
45553 + __u32 num_domain_children; /* Number of domain children */
45554 + __u32 num_subjects; /* Number of subjects */
45555 + __u32 num_objects; /* Number of objects */
45558 +struct acl_object_label {
45564 + struct acl_subject_label *nested;
45565 + struct acl_object_label *globbed;
45567 + /* next two structures not used */
45569 + struct acl_object_label *prev;
45570 + struct acl_object_label *next;
45573 +struct acl_ip_label {
45582 + /* next two structures not used */
45584 + struct acl_ip_label *prev;
45585 + struct acl_ip_label *next;
45589 + struct user_acl_role_db role_db;
45590 + unsigned char pw[GR_PW_LEN];
45591 + unsigned char salt[GR_SALT_LEN];
45592 + unsigned char sum[GR_SHA_LEN];
45593 + unsigned char sp_role[GR_SPROLE_LEN];
45594 + struct sprole_pw *sprole_pws;
45595 + dev_t segv_device;
45596 + ino_t segv_inode;
45598 + __u16 num_sprole_pws;
45602 +struct gr_arg_wrapper {
45603 + struct gr_arg *arg;
45608 +struct subject_map {
45609 + struct acl_subject_label *user;
45610 + struct acl_subject_label *kernel;
45611 + struct subject_map *prev;
45612 + struct subject_map *next;
45615 +struct acl_subj_map_db {
45616 + struct subject_map **s_hash;
45620 +/* End Data Structures Section */
45622 +/* Hash functions generated by empirical testing by Brad Spengler
45623 + Makes good use of the low bits of the inode. Generally 0-1 times
45624 + in loop for successful match. 0-3 for unsuccessful match.
45625 + Shift/add algorithm with modulus of table size and an XOR*/
45627 +static __inline__ unsigned int
45628 +rhash(const uid_t uid, const __u16 type, const unsigned int sz)
45630 + return ((((uid + type) << (16 + type)) ^ uid) % sz);
45633 + static __inline__ unsigned int
45634 +shash(const struct acl_subject_label *userp, const unsigned int sz)
45636 + return ((const unsigned long)userp % sz);
45639 +static __inline__ unsigned int
45640 +fhash(const ino_t ino, const dev_t dev, const unsigned int sz)
45642 + return (((ino + dev) ^ ((ino << 13) + (ino << 23) + (dev << 9))) % sz);
45645 +static __inline__ unsigned int
45646 +nhash(const char *name, const __u16 len, const unsigned int sz)
45648 + return full_name_hash((const unsigned char *)name, len) % sz;
45651 +#define FOR_EACH_ROLE_START(role) \
45652 + role = role_list; \
45655 +#define FOR_EACH_ROLE_END(role) \
45656 + role = role->prev; \
45659 +#define FOR_EACH_SUBJECT_START(role,subj,iter) \
45662 + while (iter < role->subj_hash_size) { \
45663 + if (subj == NULL) \
45664 + subj = role->subj_hash[iter]; \
45665 + if (subj == NULL) { \
45670 +#define FOR_EACH_SUBJECT_END(subj,iter) \
45671 + subj = subj->next; \
45672 + if (subj == NULL) \
45677 +#define FOR_EACH_NESTED_SUBJECT_START(role,subj) \
45678 + subj = role->hash->first; \
45679 + while (subj != NULL) {
45681 +#define FOR_EACH_NESTED_SUBJECT_END(subj) \
45682 + subj = subj->next; \
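Review bot: `rhash()` computes `(uid + type) << (16 + type)`; `uid_t` is a 32-bit unsigned type, so any `type` of 16 or more shifts by the full width or beyond, which is undefined behaviour in C. The callers are not in view, but the `GR_ROLE_*` values declared in grdefs.h on this page range up to 0x0400, so if `type` is ever one of those bitmasks rather than a small index, the hash is unspecified; either constrain `type` in a comment (`/* type must be < 16 */`) or mask the shift count, `<< (16 + (type & 15))`. All four hash helpers also divide by `sz` with no guard, so a zero-sized table faults in the kernel; the contract that table sizes are non-zero belongs in the comment block above them. Minor: the `static __inline__ unsigned int` line before `shash` has a leading space the other three do not.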
45687 diff -urNp linux-2.6.36.1/include/linux/gralloc.h linux-2.6.36.1/include/linux/gralloc.h
45688 --- linux-2.6.36.1/include/linux/gralloc.h 1969-12-31 19:00:00.000000000 -0500
45689 +++ linux-2.6.36.1/include/linux/gralloc.h 2010-11-06 18:58:50.000000000 -0400
45691 +#ifndef __GRALLOC_H
45692 +#define __GRALLOC_H
45694 +void acl_free_all(void);
45695 +int acl_alloc_stack_init(unsigned long size);
45696 +void *acl_alloc(unsigned long len);
45697 +void *acl_alloc_num(unsigned long num, unsigned long len);
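Review bot: The four prototypes in the new gralloc.h carry no documentation of the allocation contract: what `acl_alloc()` and `acl_alloc_num()` return on failure, whether `acl_alloc_num()` checks `num * len` for overflow, and who frees the memory. The names suggest an arena that is released wholesale by `acl_free_all()`, but nothing here says so. A short comment block above them, stating the failure return, the overflow check, and that returned memory is owned by the allocator until `acl_free_all()` (to be confirmed against kernel/grhash.c or wherever these live), would save every caller a trip to the implementation.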
45700 diff -urNp linux-2.6.36.1/include/linux/grdefs.h linux-2.6.36.1/include/linux/grdefs.h
45701 --- linux-2.6.36.1/include/linux/grdefs.h 1969-12-31 19:00:00.000000000 -0500
45702 +++ linux-2.6.36.1/include/linux/grdefs.h 2010-11-26 18:18:12.000000000 -0500
45707 +/* Begin grsecurity status declarations */
45711 + GR_STATUS_INIT = 0x00 // disabled state
45714 +/* Begin ACL declarations */
45719 + GR_ROLE_USER = 0x0001,
45720 + GR_ROLE_GROUP = 0x0002,
45721 + GR_ROLE_DEFAULT = 0x0004,
45722 + GR_ROLE_SPECIAL = 0x0008,
45723 + GR_ROLE_AUTH = 0x0010,
45724 + GR_ROLE_NOPW = 0x0020,
45725 + GR_ROLE_GOD = 0x0040,
45726 + GR_ROLE_LEARN = 0x0080,
45727 + GR_ROLE_TPE = 0x0100,
45728 + GR_ROLE_DOMAIN = 0x0200,
45729 + GR_ROLE_PAM = 0x0400
45732 +/* ACL Subject and Object mode flags */
45734 + GR_DELETED = 0x80000000
45737 +/* ACL Object-only mode flags */
45739 + GR_READ = 0x00000001,
45740 + GR_APPEND = 0x00000002,
45741 + GR_WRITE = 0x00000004,
45742 + GR_EXEC = 0x00000008,
45743 + GR_FIND = 0x00000010,
45744 + GR_INHERIT = 0x00000020,
45745 + GR_SETID = 0x00000040,
45746 + GR_CREATE = 0x00000080,
45747 + GR_DELETE = 0x00000100,
45748 + GR_LINK = 0x00000200,
45749 + GR_AUDIT_READ = 0x00000400,
45750 + GR_AUDIT_APPEND = 0x00000800,
45751 + GR_AUDIT_WRITE = 0x00001000,
45752 + GR_AUDIT_EXEC = 0x00002000,
45753 + GR_AUDIT_FIND = 0x00004000,
45754 + GR_AUDIT_INHERIT= 0x00008000,
45755 + GR_AUDIT_SETID = 0x00010000,
45756 + GR_AUDIT_CREATE = 0x00020000,
45757 + GR_AUDIT_DELETE = 0x00040000,
45758 + GR_AUDIT_LINK = 0x00080000,
45759 + GR_PTRACERD = 0x00100000,
45760 + GR_NOPTRACE = 0x00200000,
45761 + GR_SUPPRESS = 0x00400000,
45762 + GR_NOLEARN = 0x00800000
45765 +#define GR_AUDITS (GR_AUDIT_READ | GR_AUDIT_WRITE | GR_AUDIT_APPEND | GR_AUDIT_EXEC | \
45766 + GR_AUDIT_FIND | GR_AUDIT_INHERIT | GR_AUDIT_SETID | \
45767 + GR_AUDIT_CREATE | GR_AUDIT_DELETE | GR_AUDIT_LINK)
45769 +/* ACL subject-only mode flags */
45771 + GR_KILL = 0x00000001,
45772 + GR_VIEW = 0x00000002,
45773 + GR_PROTECTED = 0x00000004,
45774 + GR_LEARN = 0x00000008,
45775 + GR_OVERRIDE = 0x00000010,
45776 + /* just a placeholder, this mode is only used in userspace */
45777 + GR_DUMMY = 0x00000020,
45778 + GR_PROTSHM = 0x00000040,
45779 + GR_KILLPROC = 0x00000080,
45780 + GR_KILLIPPROC = 0x00000100,
45781 + /* just a placeholder, this mode is only used in userspace */
45782 + GR_NOTROJAN = 0x00000200,
45783 + GR_PROTPROCFD = 0x00000400,
45784 + GR_PROCACCT = 0x00000800,
45785 + GR_RELAXPTRACE = 0x00001000,
45786 + GR_NESTED = 0x00002000,
45787 + GR_INHERITLEARN = 0x00004000,
45788 + GR_PROCFIND = 0x00008000,
45789 + GR_POVERRIDE = 0x00010000,
45790 + GR_KERNELAUTH = 0x00020000,
45791 + GR_ATSECURE = 0x00040000
45795 + GR_PAX_ENABLE_SEGMEXEC = 0x0001,
45796 + GR_PAX_ENABLE_PAGEEXEC = 0x0002,
45797 + GR_PAX_ENABLE_MPROTECT = 0x0004,
45798 + GR_PAX_ENABLE_RANDMMAP = 0x0008,
45799 + GR_PAX_ENABLE_EMUTRAMP = 0x0010,
45800 + GR_PAX_DISABLE_SEGMEXEC = 0x0100,
45801 + GR_PAX_DISABLE_PAGEEXEC = 0x0200,
45802 + GR_PAX_DISABLE_MPROTECT = 0x0400,
45803 + GR_PAX_DISABLE_RANDMMAP = 0x0800,
45804 + GR_PAX_DISABLE_EMUTRAMP = 0x1000,
45808 + GR_ID_USER = 0x01,
45809 + GR_ID_GROUP = 0x02,
45813 + GR_ID_ALLOW = 0x01,
45814 + GR_ID_DENY = 0x02,
45817 +#define GR_CRASH_RES 31
45818 +#define GR_UIDTABLE_MAX 500
45820 +/* begin resource learning section */
45822 + GR_RLIM_CPU_BUMP = 60,
45823 + GR_RLIM_FSIZE_BUMP = 50000,
45824 + GR_RLIM_DATA_BUMP = 10000,
45825 + GR_RLIM_STACK_BUMP = 1000,
45826 + GR_RLIM_CORE_BUMP = 10000,
45827 + GR_RLIM_RSS_BUMP = 500000,
45828 + GR_RLIM_NPROC_BUMP = 1,
45829 + GR_RLIM_NOFILE_BUMP = 5,
45830 + GR_RLIM_MEMLOCK_BUMP = 50000,
45831 + GR_RLIM_AS_BUMP = 500000,
45832 + GR_RLIM_LOCKS_BUMP = 2,
45833 + GR_RLIM_SIGPENDING_BUMP = 5,
45834 + GR_RLIM_MSGQUEUE_BUMP = 10000,
45835 + GR_RLIM_NICE_BUMP = 1,
45836 + GR_RLIM_RTPRIO_BUMP = 1,
45837 + GR_RLIM_RTTIME_BUMP = 1000000
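Review bot: `GR_DELETED = 0x80000000` inside an enum is not representable as `int`, which ISO C (C99 6.7.2.2) requires of every enumerator; GCC accepts it as an extension by widening the enum to `unsigned int`, but it warns under `-pedantic` and the resulting type of the whole enum changes. Since these are bit masks combined with `__u32` fields elsewhere, `#define GR_DELETED 0x80000000U` (or an explicit `U` suffix with a comment noting the extension) is the safer form. Style: `GR_STATUS_INIT = 0x00 // disabled state` uses a `//` comment where the rest of the file uses `/* */`, and `GR_AUDIT_INHERIT= 0x00008000` lacks the space before `=` that its neighbours have.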
45841 diff -urNp linux-2.6.36.1/include/linux/grinternal.h linux-2.6.36.1/include/linux/grinternal.h
45842 --- linux-2.6.36.1/include/linux/grinternal.h 1969-12-31 19:00:00.000000000 -0500
45843 +++ linux-2.6.36.1/include/linux/grinternal.h 2010-11-06 18:58:50.000000000 -0400
45845 +#ifndef __GRINTERNAL_H
45846 +#define __GRINTERNAL_H
45848 +#ifdef CONFIG_GRKERNSEC
45850 +#include <linux/fs.h>
45851 +#include <linux/mnt_namespace.h>
45852 +#include <linux/nsproxy.h>
45853 +#include <linux/gracl.h>
45854 +#include <linux/grdefs.h>
45855 +#include <linux/grmsg.h>
45857 +void gr_add_learn_entry(const char *fmt, ...)
45858 + __attribute__ ((format (printf, 1, 2)));
45859 +__u32 gr_search_file(const struct dentry *dentry, const __u32 mode,
45860 + const struct vfsmount *mnt);
45861 +__u32 gr_check_create(const struct dentry *new_dentry,
45862 + const struct dentry *parent,
45863 + const struct vfsmount *mnt, const __u32 mode);
45864 +int gr_check_protected_task(const struct task_struct *task);
45865 +__u32 to_gr_audit(const __u32 reqmode);
45866 +int gr_set_acls(const int type);
45868 +int gr_acl_is_enabled(void);
45869 +char gr_roletype_to_char(void);
45871 +void gr_handle_alertkill(struct task_struct *task);
45872 +char *gr_to_filename(const struct dentry *dentry,
45873 + const struct vfsmount *mnt);
45874 +char *gr_to_filename1(const struct dentry *dentry,
45875 + const struct vfsmount *mnt);
45876 +char *gr_to_filename2(const struct dentry *dentry,
45877 + const struct vfsmount *mnt);
45878 +char *gr_to_filename3(const struct dentry *dentry,
45879 + const struct vfsmount *mnt);
45881 +extern int grsec_enable_harden_ptrace;
45882 +extern int grsec_enable_link;
45883 +extern int grsec_enable_fifo;
45884 +extern int grsec_enable_execve;
45885 +extern int grsec_enable_shm;
45886 +extern int grsec_enable_execlog;
45887 +extern int grsec_enable_signal;
45888 +extern int grsec_enable_audit_ptrace;
45889 +extern int grsec_enable_forkfail;
45890 +extern int grsec_enable_time;
45891 +extern int grsec_enable_rofs;
45892 +extern int grsec_enable_chroot_shmat;
45893 +extern int grsec_enable_chroot_findtask;
45894 +extern int grsec_enable_chroot_mount;
45895 +extern int grsec_enable_chroot_double;
45896 +extern int grsec_enable_chroot_pivot;
45897 +extern int grsec_enable_chroot_chdir;
45898 +extern int grsec_enable_chroot_chmod;
45899 +extern int grsec_enable_chroot_mknod;
45900 +extern int grsec_enable_chroot_fchdir;
45901 +extern int grsec_enable_chroot_nice;
45902 +extern int grsec_enable_chroot_execlog;
45903 +extern int grsec_enable_chroot_caps;
45904 +extern int grsec_enable_chroot_sysctl;
45905 +extern int grsec_enable_chroot_unix;
45906 +extern int grsec_enable_tpe;
45907 +extern int grsec_tpe_gid;
45908 +extern int grsec_enable_tpe_all;
45909 +extern int grsec_enable_tpe_invert;
45910 +extern int grsec_enable_socket_all;
45911 +extern int grsec_socket_all_gid;
45912 +extern int grsec_enable_socket_client;
45913 +extern int grsec_socket_client_gid;
45914 +extern int grsec_enable_socket_server;
45915 +extern int grsec_socket_server_gid;
45916 +extern int grsec_audit_gid;
45917 +extern int grsec_enable_group;
45918 +extern int grsec_enable_audit_textrel;
45919 +extern int grsec_enable_log_rwxmaps;
45920 +extern int grsec_enable_mount;
45921 +extern int grsec_enable_chdir;
45922 +extern int grsec_resource_logging;
45923 +extern int grsec_enable_blackhole;
45924 +extern int grsec_lastack_retries;
45925 +extern int grsec_lock;
45927 +extern spinlock_t grsec_alert_lock;
45928 +extern unsigned long grsec_alert_wtime;
45929 +extern unsigned long grsec_alert_fyet;
45931 +extern spinlock_t grsec_audit_lock;
45933 +extern rwlock_t grsec_exec_file_lock;
45935 +#define gr_task_fullpath(tsk) ((tsk)->exec_file ? \
45936 + gr_to_filename2((tsk)->exec_file->f_path.dentry, \
45937 + (tsk)->exec_file->f_vfsmnt) : "/")
45939 +#define gr_parent_task_fullpath(tsk) ((tsk)->real_parent->exec_file ? \
45940 + gr_to_filename3((tsk)->real_parent->exec_file->f_path.dentry, \
45941 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
45943 +#define gr_task_fullpath0(tsk) ((tsk)->exec_file ? \
45944 + gr_to_filename((tsk)->exec_file->f_path.dentry, \
45945 + (tsk)->exec_file->f_vfsmnt) : "/")
45947 +#define gr_parent_task_fullpath0(tsk) ((tsk)->real_parent->exec_file ? \
45948 + gr_to_filename1((tsk)->real_parent->exec_file->f_path.dentry, \
45949 + (tsk)->real_parent->exec_file->f_vfsmnt) : "/")
45951 +#define proc_is_chrooted(tsk_a) ((tsk_a)->gr_is_chrooted)
45953 +#define have_same_root(tsk_a,tsk_b) ((tsk_a)->gr_chroot_dentry == (tsk_b)->gr_chroot_dentry)
45955 +#define DEFAULTSECARGS(task, cred, pcred) gr_task_fullpath(task), (task)->comm, \
45956 + (task)->pid, (cred)->uid, \
45957 + (cred)->euid, (cred)->gid, (cred)->egid, \
45958 + gr_parent_task_fullpath(task), \
45959 + (task)->real_parent->comm, (task)->real_parent->pid, \
45960 + (pcred)->uid, (pcred)->euid, \
45961 + (pcred)->gid, (pcred)->egid
45963 +#define GR_CHROOT_CAPS {{ \
45964 + CAP_TO_MASK(CAP_LINUX_IMMUTABLE) | CAP_TO_MASK(CAP_NET_ADMIN) | \
45965 + CAP_TO_MASK(CAP_SYS_MODULE) | CAP_TO_MASK(CAP_SYS_RAWIO) | \
45966 + CAP_TO_MASK(CAP_SYS_PACCT) | CAP_TO_MASK(CAP_SYS_ADMIN) | \
45967 + CAP_TO_MASK(CAP_SYS_BOOT) | CAP_TO_MASK(CAP_SYS_TIME) | \
45968 + CAP_TO_MASK(CAP_NET_RAW) | CAP_TO_MASK(CAP_SYS_TTY_CONFIG) | \
45969 + CAP_TO_MASK(CAP_IPC_OWNER) , 0 }}
45971 +#define security_learn(normal_msg,args...) \
45973 + read_lock(&grsec_exec_file_lock); \
45974 + gr_add_learn_entry(normal_msg "\n", ## args); \
45975 + read_unlock(&grsec_exec_file_lock); \
45981 + GR_DONT_AUDIT_GOOD
45992 + GR_SYSCTL_HIDDEN,
45995 + GR_ONE_INT_TWO_STR,
46000 + GR_FIVE_INT_TWO_STR,
46006 + GR_FILENAME_TWO_INT,
46007 + GR_FILENAME_TWO_INT_STR,
46020 +#define gr_log_hidden_sysctl(audit, msg, str) gr_log_varargs(audit, msg, GR_SYSCTL_HIDDEN, str)
46021 +#define gr_log_ttysniff(audit, msg, task) gr_log_varargs(audit, msg, GR_TTYSNIFF, task)
46022 +#define gr_log_fs_rbac_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_RBAC, dentry, mnt)
46023 +#define gr_log_fs_rbac_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_RBAC_STR, dentry, mnt, str)
46024 +#define gr_log_fs_str_rbac(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_RBAC, str, dentry, mnt)
46025 +#define gr_log_fs_rbac_mode2(audit, msg, dentry, mnt, str1, str2) gr_log_varargs(audit, msg, GR_RBAC_MODE2, dentry, mnt, str1, str2)
46026 +#define gr_log_fs_rbac_mode3(audit, msg, dentry, mnt, str1, str2, str3) gr_log_varargs(audit, msg, GR_RBAC_MODE3, dentry, mnt, str1, str2, str3)
46027 +#define gr_log_fs_generic(audit, msg, dentry, mnt) gr_log_varargs(audit, msg, GR_FILENAME, dentry, mnt)
46028 +#define gr_log_noargs(audit, msg) gr_log_varargs(audit, msg, GR_NOARGS)
46029 +#define gr_log_int(audit, msg, num) gr_log_varargs(audit, msg, GR_ONE_INT, num)
46030 +#define gr_log_int_str2(audit, msg, num, str1, str2) gr_log_varargs(audit, msg, GR_ONE_INT_TWO_STR, num, str1, str2)
46031 +#define gr_log_str(audit, msg, str) gr_log_varargs(audit, msg, GR_ONE_STR, str)
46032 +#define gr_log_str_int(audit, msg, str, num) gr_log_varargs(audit, msg, GR_STR_INT, str, num)
46033 +#define gr_log_int_int(audit, msg, num1, num2) gr_log_varargs(audit, msg, GR_TWO_INT, num1, num2)
46034 +#define gr_log_int3(audit, msg, num1, num2, num3) gr_log_varargs(audit, msg, GR_THREE_INT, num1, num2, num3)
46035 +#define gr_log_int5_str2(audit, msg, num1, num2, str1, str2) gr_log_varargs(audit, msg, GR_FIVE_INT_TWO_STR, num1, num2, str1, str2)
46036 +#define gr_log_str_str(audit, msg, str1, str2) gr_log_varargs(audit, msg, GR_TWO_STR, str1, str2)
46037 +#define gr_log_str3(audit, msg, str1, str2, str3) gr_log_varargs(audit, msg, GR_THREE_STR, str1, str2, str3)
46038 +#define gr_log_str4(audit, msg, str1, str2, str3, str4) gr_log_varargs(audit, msg, GR_FOUR_STR, str1, str2, str3, str4)
46039 +#define gr_log_str_fs(audit, msg, str, dentry, mnt) gr_log_varargs(audit, msg, GR_STR_FILENAME, str, dentry, mnt)
46040 +#define gr_log_fs_str(audit, msg, dentry, mnt, str) gr_log_varargs(audit, msg, GR_FILENAME_STR, dentry, mnt, str)
46041 +#define gr_log_fs_int2(audit, msg, dentry, mnt, num1, num2) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT, dentry, mnt, num1, num2)
46042 +#define gr_log_fs_int2_str(audit, msg, dentry, mnt, num1, num2, str) gr_log_varargs(audit, msg, GR_FILENAME_TWO_INT_STR, dentry, mnt, num1, num2, str)
46043 +#define gr_log_textrel_ulong_ulong(audit, msg, file, ulong1, ulong2) gr_log_varargs(audit, msg, GR_TEXTREL, file, ulong1, ulong2)
46044 +#define gr_log_ptrace(audit, msg, task) gr_log_varargs(audit, msg, GR_PTRACE, task)
46045 +#define gr_log_res_ulong2_str(audit, msg, task, ulong1, str, ulong2) gr_log_varargs(audit, msg, GR_RESOURCE, task, ulong1, str, ulong2)
46046 +#define gr_log_cap(audit, msg, task, str) gr_log_varargs(audit, msg, GR_CAP, task, str)
46047 +#define gr_log_sig_addr(audit, msg, str, addr) gr_log_varargs(audit, msg, GR_SIG, str, addr)
46048 +#define gr_log_sig_task(audit, msg, task, num) gr_log_varargs(audit, msg, GR_SIG2, task, num)
46049 +#define gr_log_crash1(audit, msg, task, ulong) gr_log_varargs(audit, msg, GR_CRASH1, task, ulong)
46050 +#define gr_log_crash2(audit, msg, task, ulong1) gr_log_varargs(audit, msg, GR_CRASH2, task, ulong1)
46051 +#define gr_log_procacct(audit, msg, task, num1, num2, num3, num4, num5, num6, num7, num8, num9) gr_log_varargs(audit, msg, GR_PSACCT, task, num1, num2, num3, num4, num5, num6, num7, num8, num9)
46052 +#define gr_log_rwxmap(audit, msg, str) gr_log_varargs(audit, msg, GR_RWXMAP, str)
46054 +void gr_log_varargs(int audit, const char *msg, int argtypes, ...);
46059 diff -urNp linux-2.6.36.1/include/linux/grmsg.h linux-2.6.36.1/include/linux/grmsg.h
46060 --- linux-2.6.36.1/include/linux/grmsg.h 1969-12-31 19:00:00.000000000 -0500
46061 +++ linux-2.6.36.1/include/linux/grmsg.h 2010-11-26 18:18:12.000000000 -0500
46063 +#define DEFAULTSECMSG "%.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u, parent %.256s[%.16s:%d] uid/euid:%u/%u gid/egid:%u/%u"
46064 +#define GR_ACL_PROCACCT_MSG "%.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u run time:[%ud %uh %um %us] cpu time:[%ud %uh %um %us] %s with exit code %ld, parent %.256s[%.16s:%d] IP:%pI4 TTY:%.64s uid/euid:%u/%u gid/egid:%u/%u"
46065 +#define GR_PTRACE_ACL_MSG "denied ptrace of %.950s(%.16s:%d) by "
46066 +#define GR_STOPMOD_MSG "denied modification of module state by "
46067 +#define GR_ROFS_BLOCKWRITE_MSG "denied write to block device %.950s by "
46068 +#define GR_ROFS_MOUNT_MSG "denied writable mount of %.950s by "
46069 +#define GR_IOPERM_MSG "denied use of ioperm() by "
46070 +#define GR_IOPL_MSG "denied use of iopl() by "
46071 +#define GR_SHMAT_ACL_MSG "denied attach of shared memory of UID %u, PID %d, ID %u by "
46072 +#define GR_UNIX_CHROOT_MSG "denied connect() to abstract AF_UNIX socket outside of chroot by "
46073 +#define GR_SHMAT_CHROOT_MSG "denied attach of shared memory outside of chroot by "
46074 +#define GR_KMEM_MSG "denied write of /dev/kmem by "
46075 +#define GR_PORT_OPEN_MSG "denied open of /dev/port by "
46076 +#define GR_MEM_WRITE_MSG "denied write of /dev/mem by "
46077 +#define GR_MEM_MMAP_MSG "denied mmap write of /dev/[k]mem by "
46078 +#define GR_SYMLINK_MSG "not following symlink %.950s owned by %d.%d by "
46079 +#define GR_LEARN_AUDIT_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%lu\t%lu\t%.4095s\t%lu\t%pI4"
46080 +#define GR_ID_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%c\t%d\t%d\t%d\t%pI4"
46081 +#define GR_HIDDEN_ACL_MSG "%s access to hidden file %.950s by "
46082 +#define GR_OPEN_ACL_MSG "%s open of %.950s for%s%s by "
46083 +#define GR_CREATE_ACL_MSG "%s create of %.950s for%s%s by "
46084 +#define GR_FIFO_MSG "denied writing FIFO %.950s of %d.%d by "
46085 +#define GR_MKNOD_CHROOT_MSG "denied mknod of %.950s from chroot by "
46086 +#define GR_MKNOD_ACL_MSG "%s mknod of %.950s by "
46087 +#define GR_UNIXCONNECT_ACL_MSG "%s connect() to the unix domain socket %.950s by "
46088 +#define GR_TTYSNIFF_ACL_MSG "terminal being sniffed by IP:%pI4 %.480s[%.16s:%d], parent %.480s[%.16s:%d] against "
46089 +#define GR_MKDIR_ACL_MSG "%s mkdir of %.950s by "
46090 +#define GR_RMDIR_ACL_MSG "%s rmdir of %.950s by "
46091 +#define GR_UNLINK_ACL_MSG "%s unlink of %.950s by "
46092 +#define GR_SYMLINK_ACL_MSG "%s symlink from %.480s to %.480s by "
46093 +#define GR_HARDLINK_MSG "denied hardlink of %.930s (owned by %d.%d) to %.30s for "
46094 +#define GR_LINK_ACL_MSG "%s link of %.480s to %.480s by "
46095 +#define GR_INHERIT_ACL_MSG "successful inherit of %.480s's ACL for %.480s by "
46096 +#define GR_RENAME_ACL_MSG "%s rename of %.480s to %.480s by "
46097 +#define GR_UNSAFESHARE_EXEC_ACL_MSG "denied exec with cloned fs of %.950s by "
46098 +#define GR_PTRACE_EXEC_ACL_MSG "denied ptrace of %.950s by "
46099 +#define GR_NPROC_MSG "denied overstep of process limit by "
46100 +#define GR_EXEC_ACL_MSG "%s execution of %.950s by "
46101 +#define GR_EXEC_TPE_MSG "denied untrusted exec of %.950s by "
46102 +#define GR_SEGVSTART_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning uid %u from login for %lu seconds"
46103 +#define GR_SEGVNOSUID_ACL_MSG "possible exploit bruteforcing on " DEFAULTSECMSG " banning execution for %lu seconds"
46104 +#define GR_MOUNT_CHROOT_MSG "denied mount of %.256s as %.930s from chroot by "
46105 +#define GR_PIVOT_CHROOT_MSG "denied pivot_root from chroot by "
46106 +#define GR_TRUNCATE_ACL_MSG "%s truncate of %.950s by "
46107 +#define GR_ATIME_ACL_MSG "%s access time change of %.950s by "
46108 +#define GR_ACCESS_ACL_MSG "%s access of %.950s for%s%s%s by "
46109 +#define GR_CHROOT_CHROOT_MSG "denied double chroot to %.950s by "
46110 +#define GR_FCHMOD_ACL_MSG "%s fchmod of %.950s by "
46111 +#define GR_CHMOD_CHROOT_MSG "denied chmod +s of %.950s by "
46112 +#define GR_CHMOD_ACL_MSG "%s chmod of %.950s by "
46113 +#define GR_CHROOT_FCHDIR_MSG "denied fchdir outside of chroot to %.950s by "
46114 +#define GR_CHOWN_ACL_MSG "%s chown of %.950s by "
46115 +#define GR_SETXATTR_ACL_MSG "%s setting extended attributes of %.950s by "
46116 +#define GR_WRITLIB_ACL_MSG "denied load of writable library %.950s by "
46117 +#define GR_INITF_ACL_MSG "init_variables() failed %s by "
46118 +#define GR_DISABLED_ACL_MSG "Error loading %s, trying to run kernel with acls disabled. To disable acls at startup use <kernel image name> gracl=off from your boot loader"
46119 +#define GR_DEV_ACL_MSG "/dev/grsec: %d bytes sent %d required, being fed garbaged by "
46120 +#define GR_SHUTS_ACL_MSG "shutdown auth success for "
46121 +#define GR_SHUTF_ACL_MSG "shutdown auth failure for "
46122 +#define GR_SHUTI_ACL_MSG "ignoring shutdown for disabled RBAC system for "
46123 +#define GR_SEGVMODS_ACL_MSG "segvmod auth success for "
46124 +#define GR_SEGVMODF_ACL_MSG "segvmod auth failure for "
46125 +#define GR_SEGVMODI_ACL_MSG "ignoring segvmod for disabled RBAC system for "
46126 +#define GR_ENABLE_ACL_MSG "%s RBAC system loaded by "
46127 +#define GR_ENABLEF_ACL_MSG "unable to load %s for "
46128 +#define GR_RELOADI_ACL_MSG "ignoring reload request for disabled RBAC system"
46129 +#define GR_RELOAD_ACL_MSG "%s RBAC system reloaded by "
46130 +#define GR_RELOADF_ACL_MSG "failed reload of %s for "
46131 +#define GR_SPROLEI_ACL_MSG "ignoring change to special role for disabled RBAC system for "
46132 +#define GR_SPROLES_ACL_MSG "successful change to special role %s (id %d) by "
46133 +#define GR_SPROLEL_ACL_MSG "special role %s (id %d) exited by "
46134 +#define GR_SPROLEF_ACL_MSG "special role %s failure for "
46135 +#define GR_UNSPROLEI_ACL_MSG "ignoring unauth of special role for disabled RBAC system for "
46136 +#define GR_UNSPROLES_ACL_MSG "successful unauth of special role %s (id %d) by "
46137 +#define GR_INVMODE_ACL_MSG "invalid mode %d by "
46138 +#define GR_PRIORITY_CHROOT_MSG "denied priority change of process (%.16s:%d) by "
46139 +#define GR_FAILFORK_MSG "failed fork with errno %s by "
46140 +#define GR_NICE_CHROOT_MSG "denied priority change by "
46141 +#define GR_UNISIGLOG_MSG "%.32s occurred at %p in "
46142 +#define GR_DUALSIGLOG_MSG "signal %d sent to " DEFAULTSECMSG " by "
46143 +#define GR_SIG_ACL_MSG "denied send of signal %d to protected task " DEFAULTSECMSG " by "
46144 +#define GR_SYSCTL_MSG "denied modification of grsecurity sysctl value : %.32s by "
46145 +#define GR_SYSCTL_ACL_MSG "%s sysctl of %.950s for%s%s by "
46146 +#define GR_TIME_MSG "time set by "
46147 +#define GR_DEFACL_MSG "fatal: unable to find subject for (%.16s:%d), loaded by "
46148 +#define GR_MMAP_ACL_MSG "%s executable mmap of %.950s by "
46149 +#define GR_MPROTECT_ACL_MSG "%s executable mprotect of %.950s by "
46150 +#define GR_SOCK_MSG "denied socket(%.16s,%.16s,%.16s) by "
46151 +#define GR_SOCK2_MSG "denied socket(%d,%.16s,%.16s) by "
46152 +#define GR_BIND_MSG "denied bind() by "
46153 +#define GR_CONNECT_MSG "denied connect() by "
46154 +#define GR_BIND_ACL_MSG "denied bind() to %pI4 port %u sock type %.16s protocol %.16s by "
46155 +#define GR_CONNECT_ACL_MSG "denied connect() to %pI4 port %u sock type %.16s protocol %.16s by "
46156 +#define GR_IP_LEARN_MSG "%s\t%u\t%u\t%u\t%.4095s\t%.4095s\t%pI4\t%u\t%u\t%u\t%u\t%pI4"
46157 +#define GR_EXEC_CHROOT_MSG "exec of %.980s within chroot by process "
46158 +#define GR_CAP_ACL_MSG "use of %s denied for "
46159 +#define GR_CAP_ACL_MSG2 "use of %s permitted for "
46160 +#define GR_USRCHANGE_ACL_MSG "change to uid %u denied for "
46161 +#define GR_GRPCHANGE_ACL_MSG "change to gid %u denied for "
46162 +#define GR_REMOUNT_AUDIT_MSG "remount of %.256s by "
46163 +#define GR_UNMOUNT_AUDIT_MSG "unmount of %.256s by "
46164 +#define GR_MOUNT_AUDIT_MSG "mount of %.256s to %.256s by "
46165 +#define GR_CHDIR_AUDIT_MSG "chdir to %.980s by "
46166 +#define GR_EXEC_AUDIT_MSG "exec of %.930s (%.128s) by "
46167 +#define GR_RESOURCE_MSG "denied resource overstep by requesting %lu for %.16s against limit %lu for "
46168 +#define GR_RWXMMAP_MSG "denied RWX mmap of %.950s by "
46169 +#define GR_RWXMPROTECT_MSG "denied RWX mprotect of %.950s by "
46170 +#define GR_TEXTREL_AUDIT_MSG "text relocation in %s, VMA:0x%08lx 0x%08lx by "
46171 +#define GR_NONROOT_MODLOAD_MSG "denied kernel module auto-load of %.64s by "
46172 +#define GR_VM86_MSG "denied use of vm86 by "
46173 +#define GR_PTRACE_AUDIT_MSG "process %.950s(%.16s:%d) attached to via ptrace by "
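Review bot: grmsg.h has no include guard — the file runs from DEFAULTSECMSG (46063) to GR_PTRACE_AUDIT_MSG (46173) with no `#ifndef`/`#endif`, whereas grsecurity.h (`GR_SECURITY_H`) and grsock.h in this same patch are guarded. Double inclusion is benign today only because every macro would be redefined with identical tokens; wrap the file in `#ifndef GR_MSG_H` / `#define GR_MSG_H` … `#endif /* GR_MSG_H */`. Separately, GR_TEXTREL_AUDIT_MSG (46170) formats its file name with an unbounded `%s` while every other string argument in this file carries a `%.NNNs` precision cap; if the caps exist to keep one message inside a fixed log buffer (not visible here), this one should read `"text relocation in %.950s, VMA:0x%08lx 0x%08lx by "`. A one-line header comment stating the convention that messages ending in `" by "` have the acting task's DEFAULTSECMSG appended by the logger — presumably what gr_log_varargs() does, to be confirmed — would also help readers of the format strings.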
46174 diff -urNp linux-2.6.36.1/include/linux/grsecurity.h linux-2.6.36.1/include/linux/grsecurity.h
46175 --- linux-2.6.36.1/include/linux/grsecurity.h 1969-12-31 19:00:00.000000000 -0500
46176 +++ linux-2.6.36.1/include/linux/grsecurity.h 2010-11-26 18:18:12.000000000 -0500
46178 +#ifndef GR_SECURITY_H
46179 +#define GR_SECURITY_H
46180 +#include <linux/fs.h>
46181 +#include <linux/fs_struct.h>
46182 +#include <linux/binfmts.h>
46183 +#include <linux/gracl.h>
46185 +/* notify of brain-dead configs */
46186 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_SEGMEXEC) && !defined(CONFIG_PAX_KERNEXEC)
46187 +#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC, SEGMEXEC, and KERNEXEC are disabled."
46189 +#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46190 +#error "CONFIG_PAX_NOEXEC enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46192 +#if defined(CONFIG_PAX_ASLR) && (defined(CONFIG_PAX_RANDMMAP) || defined(CONFIG_PAX_RANDUSTACK)) && !defined(CONFIG_PAX_EI_PAX) && !defined(CONFIG_PAX_PT_PAX_FLAGS)
46193 +#error "CONFIG_PAX_ASLR enabled, but neither CONFIG_PAX_EI_PAX nor CONFIG_PAX_PT_PAX_FLAGS are enabled."
46195 +#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
46196 +#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
46198 +#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
46199 +#error "CONFIG_PAX enabled, but no PaX options are enabled."
46202 +void gr_handle_brute_attach(struct task_struct *p);
46203 +void gr_handle_brute_check(void);
46205 +char gr_roletype_to_char(void);
46207 +int gr_acl_enable_at_secure(void);
46209 +int gr_check_user_change(int real, int effective, int fs);
46210 +int gr_check_group_change(int real, int effective, int fs);
46212 +void gr_del_task_from_ip_table(struct task_struct *p);
46214 +int gr_pid_is_chrooted(struct task_struct *p);
46215 +int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
46216 +int gr_handle_chroot_nice(void);
46217 +int gr_handle_chroot_sysctl(const int op);
46218 +int gr_handle_chroot_setpriority(struct task_struct *p,
46219 + const int niceval);
46220 +int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
46221 +int gr_handle_chroot_chroot(const struct dentry *dentry,
46222 + const struct vfsmount *mnt);
46223 +int gr_handle_chroot_caps(struct path *path);
46224 +void gr_handle_chroot_chdir(struct path *path);
46225 +int gr_handle_chroot_chmod(const struct dentry *dentry,
46226 + const struct vfsmount *mnt, const int mode);
46227 +int gr_handle_chroot_mknod(const struct dentry *dentry,
46228 + const struct vfsmount *mnt, const int mode);
46229 +int gr_handle_chroot_mount(const struct dentry *dentry,
46230 + const struct vfsmount *mnt,
46231 + const char *dev_name);
46232 +int gr_handle_chroot_pivot(void);
46233 +int gr_handle_chroot_unix(struct pid *pid);
46235 +int gr_handle_rawio(const struct inode *inode);
46236 +int gr_handle_nproc(void);
46238 +void gr_handle_ioperm(void);
46239 +void gr_handle_iopl(void);
46241 +int gr_tpe_allow(const struct file *file);
46243 +void gr_set_chroot_entries(struct task_struct *task, struct path *path);
46244 +void gr_clear_chroot_entries(struct task_struct *task);
46246 +void gr_log_forkfail(const int retval);
46247 +void gr_log_timechange(void);
46248 +void gr_log_signal(const int sig, const void *addr, const struct task_struct *t);
46249 +void gr_log_chdir(const struct dentry *dentry,
46250 + const struct vfsmount *mnt);
46251 +void gr_log_chroot_exec(const struct dentry *dentry,
46252 + const struct vfsmount *mnt);
46253 +void gr_handle_exec_args(struct linux_binprm *bprm, const char __user *const __user *argv);
46254 +void gr_log_remount(const char *devname, const int retval);
46255 +void gr_log_unmount(const char *devname, const int retval);
46256 +void gr_log_mount(const char *from, const char *to, const int retval);
46257 +void gr_log_textrel(struct vm_area_struct *vma);
46258 +void gr_log_rwxmmap(struct file *file);
46259 +void gr_log_rwxmprotect(struct file *file);
46261 +int gr_handle_follow_link(const struct inode *parent,
46262 + const struct inode *inode,
46263 + const struct dentry *dentry,
46264 + const struct vfsmount *mnt);
46265 +int gr_handle_fifo(const struct dentry *dentry,
46266 + const struct vfsmount *mnt,
46267 + const struct dentry *dir, const int flag,
46268 + const int acc_mode);
46269 +int gr_handle_hardlink(const struct dentry *dentry,
46270 + const struct vfsmount *mnt,
46271 + struct inode *inode,
46272 + const int mode, const char *to);
46274 +int gr_is_capable(const int cap);
46275 +int gr_is_capable_nolog(const int cap);
46276 +void gr_learn_resource(const struct task_struct *task, const int limit,
46277 + const unsigned long wanted, const int gt);
46278 +void gr_copy_label(struct task_struct *tsk);
46279 +void gr_handle_crash(struct task_struct *task, const int sig);
46280 +int gr_handle_signal(const struct task_struct *p, const int sig);
46281 +int gr_check_crash_uid(const uid_t uid);
46282 +int gr_check_protected_task(const struct task_struct *task);
46283 +int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
46284 +int gr_acl_handle_mmap(const struct file *file,
46285 + const unsigned long prot);
46286 +int gr_acl_handle_mprotect(const struct file *file,
46287 + const unsigned long prot);
46288 +int gr_check_hidden_task(const struct task_struct *tsk);
46289 +__u32 gr_acl_handle_truncate(const struct dentry *dentry,
46290 + const struct vfsmount *mnt);
46291 +__u32 gr_acl_handle_utime(const struct dentry *dentry,
46292 + const struct vfsmount *mnt);
46293 +__u32 gr_acl_handle_access(const struct dentry *dentry,
46294 + const struct vfsmount *mnt, const int fmode);
46295 +__u32 gr_acl_handle_fchmod(const struct dentry *dentry,
46296 + const struct vfsmount *mnt, mode_t mode);
46297 +__u32 gr_acl_handle_chmod(const struct dentry *dentry,
46298 + const struct vfsmount *mnt, mode_t mode);
46299 +__u32 gr_acl_handle_chown(const struct dentry *dentry,
46300 + const struct vfsmount *mnt);
46301 +__u32 gr_acl_handle_setxattr(const struct dentry *dentry,
46302 + const struct vfsmount *mnt);
46303 +int gr_handle_ptrace(struct task_struct *task, const long request);
46304 +int gr_handle_proc_ptrace(struct task_struct *task);
46305 +__u32 gr_acl_handle_execve(const struct dentry *dentry,
46306 + const struct vfsmount *mnt);
46307 +int gr_check_crash_exec(const struct file *filp);
46308 +int gr_acl_is_enabled(void);
46309 +void gr_set_kernel_label(struct task_struct *task);
46310 +void gr_set_role_label(struct task_struct *task, const uid_t uid,
46311 + const gid_t gid);
46312 +int gr_set_proc_label(const struct dentry *dentry,
46313 + const struct vfsmount *mnt,
46314 + const int unsafe_share);
46315 +__u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
46316 + const struct vfsmount *mnt);
46317 +__u32 gr_acl_handle_open(const struct dentry *dentry,
46318 + const struct vfsmount *mnt, const int fmode);
46319 +__u32 gr_acl_handle_creat(const struct dentry *dentry,
46320 + const struct dentry *p_dentry,
46321 + const struct vfsmount *p_mnt, const int fmode,
46322 + const int imode);
46323 +void gr_handle_create(const struct dentry *dentry,
46324 + const struct vfsmount *mnt);
46325 +__u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
46326 + const struct dentry *parent_dentry,
46327 + const struct vfsmount *parent_mnt,
46329 +__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
46330 + const struct dentry *parent_dentry,
46331 + const struct vfsmount *parent_mnt);
46332 +__u32 gr_acl_handle_rmdir(const struct dentry *dentry,
46333 + const struct vfsmount *mnt);
46334 +void gr_handle_delete(const ino_t ino, const dev_t dev);
46335 +__u32 gr_acl_handle_unlink(const struct dentry *dentry,
46336 + const struct vfsmount *mnt);
46337 +__u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
46338 + const struct dentry *parent_dentry,
46339 + const struct vfsmount *parent_mnt,
46340 + const char *from);
46341 +__u32 gr_acl_handle_link(const struct dentry *new_dentry,
46342 + const struct dentry *parent_dentry,
46343 + const struct vfsmount *parent_mnt,
46344 + const struct dentry *old_dentry,
46345 + const struct vfsmount *old_mnt, const char *to);
46346 +int gr_acl_handle_rename(struct dentry *new_dentry,
46347 + struct dentry *parent_dentry,
46348 + const struct vfsmount *parent_mnt,
46349 + struct dentry *old_dentry,
46350 + struct inode *old_parent_inode,
46351 + struct vfsmount *old_mnt, const char *newname);
46352 +void gr_handle_rename(struct inode *old_dir, struct inode *new_dir,
46353 + struct dentry *old_dentry,
46354 + struct dentry *new_dentry,
46355 + struct vfsmount *mnt, const __u8 replace);
46356 +__u32 gr_check_link(const struct dentry *new_dentry,
46357 + const struct dentry *parent_dentry,
46358 + const struct vfsmount *parent_mnt,
46359 + const struct dentry *old_dentry,
46360 + const struct vfsmount *old_mnt);
46361 +int gr_acl_handle_filldir(const struct file *file, const char *name,
46362 + const unsigned int namelen, const ino_t ino);
46364 +__u32 gr_acl_handle_unix(const struct dentry *dentry,
46365 + const struct vfsmount *mnt);
46366 +void gr_acl_handle_exit(void);
46367 +void gr_acl_handle_psacct(struct task_struct *task, const long code);
46368 +int gr_acl_handle_procpidmem(const struct task_struct *task);
46369 +int gr_handle_rofs_mount(struct dentry *dentry, struct vfsmount *mnt, int mnt_flags);
46370 +int gr_handle_rofs_blockwrite(struct dentry *dentry, struct vfsmount *mnt, int acc_mode);
46371 +void gr_audit_ptrace(struct task_struct *task);
46373 +#ifdef CONFIG_GRKERNSEC
46374 +void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
46375 +void gr_log_nonroot_mod_load(const char *modname);
46376 +void gr_handle_vm86(void);
46377 +void gr_handle_mem_write(void);
46378 +void gr_handle_kmem_write(void);
46379 +void gr_handle_open_port(void);
46380 +int gr_handle_mem_mmap(const unsigned long offset,
46381 + struct vm_area_struct *vma);
46383 +extern int grsec_enable_dmesg;
46384 +extern int grsec_disable_privio;
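Review bot: The prototypes in this header carry no documentation of their return conventions, and the file visibly uses at least two families: `__u32 gr_acl_handle_*()` (46289–46364) and `int gr_handle_*()`/`gr_check_*()` (46214–46283). Which value means "denied" in each family cannot be told from the header, and a call site that tests the wrong sense silently turns a deny into an allow. A short block comment above 46202 stating the rule for each family would fix that, e.g. `/* __u32 gr_acl_handle_*: nonzero = allowed, 0 = denied; int gr_handle_*/gr_check_*: 0 = allowed, nonzero = denied */`, with the actual senses confirmed against the definitions, which are not in this hunk. The `#ifdef CONFIG_GRKERNSEC` opened at 46373 closes outside the visible lines, so note also that everything above it is declared unconditionally.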
46388 diff -urNp linux-2.6.36.1/include/linux/grsock.h linux-2.6.36.1/include/linux/grsock.h
46389 --- linux-2.6.36.1/include/linux/grsock.h 1969-12-31 19:00:00.000000000 -0500
46390 +++ linux-2.6.36.1/include/linux/grsock.h 2010-11-06 18:58:50.000000000 -0400
46392 +#ifndef __GRSOCK_H
46393 +#define __GRSOCK_H
46395 +extern void gr_attach_curr_ip(const struct sock *sk);
46396 +extern int gr_handle_sock_all(const int family, const int type,
46397 + const int protocol);
46398 +extern int gr_handle_sock_server(const struct sockaddr *sck);
46399 +extern int gr_handle_sock_server_other(const struct sock *sck);
46400 +extern int gr_handle_sock_client(const struct sockaddr *sck);
46401 +extern int gr_search_connect(struct socket * sock,
46402 + struct sockaddr_in * addr);
46403 +extern int gr_search_bind(struct socket * sock,
46404 + struct sockaddr_in * addr);
46405 +extern int gr_search_listen(struct socket * sock);
46406 +extern int gr_search_accept(struct socket * sock);
46407 +extern int gr_search_socket(const int domain, const int type,
46408 + const int protocol);
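Review bot: grsock.h is not self-contained: it names `struct sock`, `struct sockaddr`, `struct socket` and `struct sockaddr_in` in its prototypes (46395–46404) but includes nothing and forward-declares none of them, so a translation unit that includes it before the headers defining those types gets "declared inside parameter list" warnings and prototype-scoped incomplete types that do not match the real ones. Add `struct sock; struct sockaddr; struct socket; struct sockaddr_in;` directly after the guard at 46393. Separately, `__GRSOCK_H` (46392) is an identifier reserved for the implementation (double leading underscore); `GR_SOCK_H` would match the `GR_SECURITY_H` guard used by grsecurity.h in this patch.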
46411 diff -urNp linux-2.6.36.1/include/linux/highmem.h linux-2.6.36.1/include/linux/highmem.h
46412 --- linux-2.6.36.1/include/linux/highmem.h 2010-10-20 16:30:22.000000000 -0400
46413 +++ linux-2.6.36.1/include/linux/highmem.h 2010-11-06 18:58:15.000000000 -0400
46414 @@ -155,6 +155,18 @@ static inline void clear_highpage(struct
46415 kunmap_atomic(kaddr, KM_USER0);
46418 +static inline void sanitize_highpage(struct page *page)
46421 + unsigned long flags;
46423 + local_irq_save(flags);
46424 + kaddr = kmap_atomic(page, KM_CLEARPAGE);
46425 + clear_page(kaddr);
46426 + kunmap_atomic(kaddr, KM_CLEARPAGE);
46427 + local_irq_restore(flags);
46430 static inline void zero_user_segments(struct page *page,
46431 unsigned start1, unsigned end1,
46432 unsigned start2, unsigned end2)
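Review bot: sanitize_highpage() (46418–46428) has no comment explaining why it exists next to clear_highpage() just above it, or why it runs with interrupts disabled, which is the only thing that distinguishes the two. The local_irq_save()/local_irq_restore() pair presumably exists because the KM_CLEARPAGE slot could otherwise be reused by an interrupt-context kmap_atomic(), and the function's purpose appears to be zeroing pages as they are released so their contents cannot reach a later allocation — both should be confirmed against the callers, which are not in this hunk. Suggested header comment: `/* Zero a page on release so its contents cannot leak to a later user; runs with IRQs off so the KM_CLEARPAGE slot cannot be reused from interrupt context. */`.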
46433 diff -urNp linux-2.6.36.1/include/linux/init.h linux-2.6.36.1/include/linux/init.h
46434 --- linux-2.6.36.1/include/linux/init.h 2010-10-20 16:30:22.000000000 -0400
46435 +++ linux-2.6.36.1/include/linux/init.h 2010-11-06 18:58:15.000000000 -0400
46436 @@ -286,13 +286,13 @@ void __init parse_early_options(char *cm
46438 /* Each module must use one module_init(). */
46439 #define module_init(initfn) \
46440 - static inline initcall_t __inittest(void) \
46441 + static inline __used initcall_t __inittest(void) \
46442 { return initfn; } \
46443 int init_module(void) __attribute__((alias(#initfn)));
46445 /* This is only required if you want to be unloadable. */
46446 #define module_exit(exitfn) \
46447 - static inline exitcall_t __exittest(void) \
46448 + static inline __used exitcall_t __exittest(void) \
46449 { return exitfn; } \
46450 void cleanup_module(void) __attribute__((alias(#exitfn)));
46452 diff -urNp linux-2.6.36.1/include/linux/interrupt.h linux-2.6.36.1/include/linux/interrupt.h
46453 --- linux-2.6.36.1/include/linux/interrupt.h 2010-10-20 16:30:22.000000000 -0400
46454 +++ linux-2.6.36.1/include/linux/interrupt.h 2010-11-06 18:58:15.000000000 -0400
46455 @@ -392,7 +392,7 @@ enum
46456 /* map softirq index to softirq name. update 'softirq_to_name' in
46457 * kernel/softirq.c when adding a new softirq.
46459 -extern char *softirq_to_name[NR_SOFTIRQS];
46460 +extern const char * const softirq_to_name[NR_SOFTIRQS];
46462 /* softirq mask and active fields moved to irq_cpustat_t in
46463 * asm/hardirq.h to get better cache usage. KAO
46464 @@ -400,12 +400,12 @@ extern char *softirq_to_name[NR_SOFTIRQS
46466 struct softirq_action
46468 - void (*action)(struct softirq_action *);
46469 + void (*action)(void);
46472 asmlinkage void do_softirq(void);
46473 asmlinkage void __do_softirq(void);
46474 -extern void open_softirq(int nr, void (*action)(struct softirq_action *));
46475 +extern void open_softirq(int nr, void (*action)(void));
46476 extern void softirq_init(void);
46477 #define __raise_softirq_irqoff(nr) do { or_softirq_pending(1UL << (nr)); } while (0)
46478 extern void raise_softirq_irqoff(unsigned int nr);
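Review bot: The second hunk changes the softirq callback type from `void (*action)(struct softirq_action *)` to `void (*action)(void)` (46468–46469, 46474–46475) with no comment in the header stating why, and it is an interface change every `open_softirq()` caller must follow — an unconverted out-of-tree caller gets only an incompatible-pointer-type warning, not an error. The nearby comment (46456–46457) documents `softirq_to_name` only. If the argument was dropped so the action table can be constant data, say so on the struct: `/* softirq actions take no argument; the table of actions is read-only (see kernel/softirq.c) */`, with the reason confirmed against the kernel/softirq.c side of the patch.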
46479 diff -urNp linux-2.6.36.1/include/linux/jbd2.h linux-2.6.36.1/include/linux/jbd2.h
46480 --- linux-2.6.36.1/include/linux/jbd2.h 2010-10-20 16:30:22.000000000 -0400
46481 +++ linux-2.6.36.1/include/linux/jbd2.h 2010-11-06 18:58:15.000000000 -0400
46482 @@ -67,7 +67,7 @@ extern u8 jbd2_journal_enable_debug;
46486 -#define jbd_debug(f, a...) /**/
46487 +#define jbd_debug(f, a...) do {} while (0)
46490 extern void *jbd2_alloc(size_t size, gfp_t flags);
46491 diff -urNp linux-2.6.36.1/include/linux/jbd.h linux-2.6.36.1/include/linux/jbd.h
46492 --- linux-2.6.36.1/include/linux/jbd.h 2010-10-20 16:30:22.000000000 -0400
46493 +++ linux-2.6.36.1/include/linux/jbd.h 2010-11-06 18:58:15.000000000 -0400
46494 @@ -67,7 +67,7 @@ extern u8 journal_enable_debug;
46498 -#define jbd_debug(f, a...) /**/
46499 +#define jbd_debug(f, a...) do {} while (0)
46502 static inline void *jbd_alloc(size_t size, gfp_t flags)
46503 diff -urNp linux-2.6.36.1/include/linux/kallsyms.h linux-2.6.36.1/include/linux/kallsyms.h
46504 --- linux-2.6.36.1/include/linux/kallsyms.h 2010-10-20 16:30:22.000000000 -0400
46505 +++ linux-2.6.36.1/include/linux/kallsyms.h 2010-11-15 17:10:35.000000000 -0500
46510 -#ifdef CONFIG_KALLSYMS
46511 +#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)
46512 +#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)
46513 /* Lookup the address for a symbol. Returns 0 if not found. */
46514 unsigned long kallsyms_lookup_name(const char *name);
46516 @@ -92,6 +93,14 @@ static inline int lookup_symbol_attrs(un
46517 /* Stupid that this does nothing, but I didn't create this mess. */
46518 #define __print_symbol(fmt, addr)
46519 #endif /*CONFIG_KALLSYMS*/
46520 +#else /* when included by kallsyms.c or vsnprintf.c, with HIDESYM enabled */
46521 +extern void __print_symbol(const char *fmt, unsigned long address);
46522 +extern int sprint_symbol(char *buffer, unsigned long address);
46523 +const char *kallsyms_lookup(unsigned long addr,
46524 + unsigned long *symbolsize,
46525 + unsigned long *offset,
46526 + char **modname, char *namebuf);
46529 /* This macro allows us to keep printk typechecking */
46530 static void __check_printsym_format(const char *fmt, ...)
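Review bot: The trailer comment `#endif /*CONFIG_KALLSYMS*/` at 46519 is stale after this patch: that `#endif` now closes `#if defined(CONFIG_KALLSYMS) && !defined(CONFIG_GRKERNSEC_HIDESYM)` (46512), while the new `#else` at 46520 belongs to the outer `#if !defined(__INCLUDED_BY_HIDESYM) || !defined(CONFIG_KALLSYMS)` (46511), whose closing `#endif` falls in the lines dropped between 46526 and 46529. With two nested conditionals a reader cannot tell which one each `#endif` ends; change the inner trailer to `#endif /* CONFIG_KALLSYMS && !CONFIG_GRKERNSEC_HIDESYM */` and give the outer one `#endif /* !__INCLUDED_BY_HIDESYM || !CONFIG_KALLSYMS */`. A one-line comment beside 46511 stating the contract — only kallsyms.c and vsnprintf.c define `__INCLUDED_BY_HIDESYM` and see the real prototypes, every other includer gets the stubs — would document the mechanism that makes HIDESYM effective, since the `#else` comment at 46520 only hints at it.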
46531 diff -urNp linux-2.6.36.1/include/linux/kgdb.h linux-2.6.36.1/include/linux/kgdb.h
46532 --- linux-2.6.36.1/include/linux/kgdb.h 2010-10-20 16:30:22.000000000 -0400
46533 +++ linux-2.6.36.1/include/linux/kgdb.h 2010-11-06 18:58:15.000000000 -0400
46534 @@ -276,22 +276,22 @@ struct kgdb_arch {
46538 - int (*read_char) (void);
46539 - void (*write_char) (u8);
46540 - void (*flush) (void);
46541 - int (*init) (void);
46542 - void (*pre_exception) (void);
46543 - void (*post_exception) (void);
46544 + int (* const read_char) (void);
46545 + void (* const write_char) (u8);
46546 + void (* const flush) (void);
46547 + int (* const init) (void);
46548 + void (* const pre_exception) (void);
46549 + void (* const post_exception) (void);
46553 -extern struct kgdb_arch arch_kgdb_ops;
46554 +extern const struct kgdb_arch arch_kgdb_ops;
46556 extern unsigned long __weak kgdb_arch_pc(int exception, struct pt_regs *regs);
46558 -extern int kgdb_register_io_module(struct kgdb_io *local_kgdb_io_ops);
46559 -extern void kgdb_unregister_io_module(struct kgdb_io *local_kgdb_io_ops);
46560 -extern struct kgdb_io *dbg_io_ops;
46561 +extern int kgdb_register_io_module(const struct kgdb_io *local_kgdb_io_ops);
46562 +extern void kgdb_unregister_io_module(const struct kgdb_io *local_kgdb_io_ops);
46563 +extern const struct kgdb_io *dbg_io_ops;
46565 extern int kgdb_hex2long(char **ptr, unsigned long *long_val);
46566 extern char *kgdb_mem2hex(char *mem, char *buf, int count);
46567 diff -urNp linux-2.6.36.1/include/linux/kvm_host.h linux-2.6.36.1/include/linux/kvm_host.h
46568 --- linux-2.6.36.1/include/linux/kvm_host.h 2010-10-20 16:30:22.000000000 -0400
46569 +++ linux-2.6.36.1/include/linux/kvm_host.h 2010-11-06 18:58:15.000000000 -0400
46570 @@ -245,7 +245,7 @@ void kvm_vcpu_uninit(struct kvm_vcpu *vc
46571 void vcpu_load(struct kvm_vcpu *vcpu);
46572 void vcpu_put(struct kvm_vcpu *vcpu);
46574 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46575 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
46576 struct module *module);
46577 void kvm_exit(void);
46579 @@ -369,7 +369,7 @@ int kvm_arch_vcpu_ioctl_set_guest_debug(
46580 struct kvm_guest_debug *dbg);
46581 int kvm_arch_vcpu_ioctl_run(struct kvm_vcpu *vcpu, struct kvm_run *kvm_run);
46583 -int kvm_arch_init(void *opaque);
46584 +int kvm_arch_init(const void *opaque);
46585 void kvm_arch_exit(void);
46587 int kvm_arch_vcpu_init(struct kvm_vcpu *vcpu);
46588 diff -urNp linux-2.6.36.1/include/linux/libata.h linux-2.6.36.1/include/linux/libata.h
46589 --- linux-2.6.36.1/include/linux/libata.h 2010-10-20 16:30:22.000000000 -0400
46590 +++ linux-2.6.36.1/include/linux/libata.h 2010-11-06 18:58:15.000000000 -0400
46591 @@ -64,11 +64,11 @@
46592 #ifdef ATA_VERBOSE_DEBUG
46593 #define VPRINTK(fmt, args...) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46595 -#define VPRINTK(fmt, args...)
46596 +#define VPRINTK(fmt, args...) do {} while (0)
46597 #endif /* ATA_VERBOSE_DEBUG */
46599 -#define DPRINTK(fmt, args...)
46600 -#define VPRINTK(fmt, args...)
46601 +#define DPRINTK(fmt, args...) do {} while (0)
46602 +#define VPRINTK(fmt, args...) do {} while (0)
46603 #endif /* ATA_DEBUG */
46605 #define BPRINTK(fmt, args...) if (ap->flags & ATA_FLAG_DEBUGMSG) printk(KERN_ERR "%s: " fmt, __func__, ## args)
46606 @@ -524,11 +524,11 @@ struct ata_ioports {
46610 - struct device *dev;
46611 + struct device *dev;
46612 void __iomem * const *iomap;
46613 unsigned int n_ports;
46614 void *private_data;
46615 - struct ata_port_operations *ops;
46616 + const struct ata_port_operations *ops;
46617 unsigned long flags;
46618 #ifdef CONFIG_ATA_ACPI
46619 acpi_handle acpi_handle;
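Review bot: In the second libata.h hunk the removed and added `struct device *dev;` lines (46610–46611) appear to differ only in whitespace, which is unrelated to the `const struct ata_port_operations *ops` constification (46615–46616) this hunk is about and makes the real change harder to see. Either drop the whitespace-only line from this patch or move it to a separate cleanup. The same constification of `ops`/`port_ops` recurs in the following hunks (46624–46625, 46633–46634, 46642–46643, 46651–46652) and is consistent.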
46620 @@ -710,7 +710,7 @@ struct ata_link {
46623 struct Scsi_Host *scsi_host; /* our co-allocated scsi host */
46624 - struct ata_port_operations *ops;
46625 + const struct ata_port_operations *ops;
46627 /* Flags owned by the EH context. Only EH should touch these once the
46629 @@ -897,7 +897,7 @@ struct ata_port_info {
46630 unsigned long pio_mask;
46631 unsigned long mwdma_mask;
46632 unsigned long udma_mask;
46633 - struct ata_port_operations *port_ops;
46634 + const struct ata_port_operations *port_ops;
46635 void *private_data;
46638 @@ -921,7 +921,7 @@ extern const unsigned long sata_deb_timi
46639 extern const unsigned long sata_deb_timing_hotplug[];
46640 extern const unsigned long sata_deb_timing_long[];
46642 -extern struct ata_port_operations ata_dummy_port_ops;
46643 +extern const struct ata_port_operations ata_dummy_port_ops;
46644 extern const struct ata_port_info ata_dummy_port_info;
46646 static inline const unsigned long *
46647 @@ -965,7 +965,7 @@ extern int ata_host_activate(struct ata_
46648 struct scsi_host_template *sht);
46649 extern void ata_host_detach(struct ata_host *host);
46650 extern void ata_host_init(struct ata_host *, struct device *,
46651 - unsigned long, struct ata_port_operations *);
46652 + unsigned long, const struct ata_port_operations *);
46653 extern int ata_scsi_detect(struct scsi_host_template *sht);
46654 extern int ata_scsi_ioctl(struct scsi_device *dev, int cmd, void __user *arg);
46655 extern int ata_scsi_queuecmd(struct scsi_cmnd *cmd, void (*done)(struct scsi_cmnd *));
46656 diff -urNp linux-2.6.36.1/include/linux/lockd/bind.h linux-2.6.36.1/include/linux/lockd/bind.h
46657 --- linux-2.6.36.1/include/linux/lockd/bind.h 2010-10-20 16:30:22.000000000 -0400
46658 +++ linux-2.6.36.1/include/linux/lockd/bind.h 2010-11-06 18:58:15.000000000 -0400
46659 @@ -23,13 +23,13 @@ struct svc_rqst;
46660 * This is the set of functions for lockd->nfsd communication
46662 struct nlmsvc_binding {
46663 - __be32 (*fopen)(struct svc_rqst *,
46664 + __be32 (* const fopen)(struct svc_rqst *,
46667 - void (*fclose)(struct file *);
46668 + void (* const fclose)(struct file *);
46671 -extern struct nlmsvc_binding * nlmsvc_ops;
46672 +extern const struct nlmsvc_binding * nlmsvc_ops;
46675 * Similar to nfs_client_initdata, but without the NFS-specific
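Review bot: `extern const struct nlmsvc_binding * nlmsvc_ops;` makes the pointed-to operations read-only but leaves the `nlmsvc_ops` pointer variable itself writable, so one pointer store still redirects every `fopen`/`fclose` dispatch; compare `item_ops` in reiserfs_fs.h in this same patch, which constifies both the array and its elements. If the pointer must stay assignable because it is installed at runtime by another module (presumably; the assignment is not visible here), a comment next to the declaration, e.g. `/* pointer itself stays writable: set at runtime by nfsd */`, records why this one stops at pointer-to-const. The remaining members of the struct fall outside the visible lines.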
46676 diff -urNp linux-2.6.36.1/include/linux/mm.h linux-2.6.36.1/include/linux/mm.h
46677 --- linux-2.6.36.1/include/linux/mm.h 2010-10-20 16:30:22.000000000 -0400
46678 +++ linux-2.6.36.1/include/linux/mm.h 2010-11-06 18:58:50.000000000 -0400
46679 @@ -107,7 +107,14 @@ extern unsigned int kobjsize(const void
46681 #define VM_CAN_NONLINEAR 0x08000000 /* Has ->fault & does nonlinear pages */
46682 #define VM_MIXEDMAP 0x10000000 /* Can contain "struct page" and pure PFN pages */
46684 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
46685 +#define VM_SAO 0x00000000 /* Strong Access Ordering (powerpc) */
46686 +#define VM_PAGEEXEC 0x20000000 /* vma->vm_page_prot needs special handling */
46688 #define VM_SAO 0x20000000 /* Strong Access Ordering (powerpc) */
46691 #define VM_PFN_AT_MMAP 0x40000000 /* PFNMAP vma that is fully mapped at mmap time */
46692 #define VM_MERGEABLE 0x80000000 /* KSM may merge identical pages */
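Review bot: Redefining `VM_SAO` as `0x00000000` under CONFIG_PAX_PAGEEXEC on X86_32 makes every `vm_flags & VM_SAO` test in generic code evaluate to false, and a bit that is never set can also never be cleared or reported. That is harmless only because SAO is powerpc-specific, so the reason belongs at the definition, e.g. `/* SAO is powerpc-only; its bit is reused for VM_PAGEEXEC on x86-32 */`. The `#else`/`#endif` lines of this block are not shown in the rendered hunk, so confirm the non-PAGEEXEC path keeps the original `0x20000000` value.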
46694 @@ -1021,6 +1028,15 @@ struct shrinker {
46695 extern void register_shrinker(struct shrinker *);
46696 extern void unregister_shrinker(struct shrinker *);
46699 +pgprot_t vm_get_page_prot(unsigned long vm_flags);
46701 +static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
46703 + return __pgprot(0);
46707 int vma_wants_writenotify(struct vm_area_struct *vma);
46709 extern pte_t *get_locked_pte(struct mm_struct *mm, unsigned long addr, spinlock_t **ptl);
46710 @@ -1297,6 +1313,7 @@ out:
46713 extern int do_munmap(struct mm_struct *, unsigned long, size_t);
46714 +extern int __do_munmap(struct mm_struct *, unsigned long, size_t);
46716 extern unsigned long do_brk(unsigned long, unsigned long);
46718 @@ -1353,6 +1370,10 @@ extern struct vm_area_struct * find_vma(
46719 extern struct vm_area_struct * find_vma_prev(struct mm_struct * mm, unsigned long addr,
46720 struct vm_area_struct **pprev);
46722 +extern struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma);
46723 +extern __must_check long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma);
46724 +extern void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl);
46726 /* Look up the first VMA which intersects the interval start_addr..end_addr-1,
46727 NULL if none. Assume start_addr < end_addr. */
46728 static inline struct vm_area_struct * find_vma_intersection(struct mm_struct * mm, unsigned long start_addr, unsigned long end_addr)
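Review bot: The three new `pax_*` prototypes carry no locking contract, although the `spinlock_t *ptl` parameter of `pax_mirror_file_pte()` and the `__must_check` on `pax_mirror_vma()` suggest non-trivial caller obligations (mmap_sem held, page-table lock already taken — presumably; the definitions are not visible here). A short comment above the block, e.g. `/* PaX mirror-vma helpers: callers hold mm->mmap_sem; pax_mirror_file_pte() expects @ptl to be held by the caller */`, lets callers use them correctly without reading the implementation. Word the lock requirements according to what the definitions actually assume.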
46729 @@ -1369,15 +1390,6 @@ static inline unsigned long vma_pages(st
46730 return (vma->vm_end - vma->vm_start) >> PAGE_SHIFT;
46734 -pgprot_t vm_get_page_prot(unsigned long vm_flags);
46736 -static inline pgprot_t vm_get_page_prot(unsigned long vm_flags)
46738 - return __pgprot(0);
46742 struct vm_area_struct *find_extend_vma(struct mm_struct *, unsigned long addr);
46743 int remap_pfn_range(struct vm_area_struct *, unsigned long addr,
46744 unsigned long pfn, unsigned long size, pgprot_t);
46745 @@ -1484,7 +1496,7 @@ extern int unpoison_memory(unsigned long
46746 extern int sysctl_memory_failure_early_kill;
46747 extern int sysctl_memory_failure_recovery;
46748 extern void shake_page(struct page *p, int access);
46749 -extern atomic_long_t mce_bad_pages;
46750 +extern atomic_long_unchecked_t mce_bad_pages;
46751 extern int soft_offline_page(struct page *page, int flags);
46752 #ifdef CONFIG_MEMORY_FAILURE
46753 int is_hwpoison_address(unsigned long addr);
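Review bot: Switching `mce_bad_pages` to `atomic_long_unchecked_t` opts this counter out of whatever overflow checking the checked atomic types carry, and nothing at the declaration says why that is safe. A short justification, e.g. `/* statistics only, never a reference count: overflow-unchecked by design */`, keeps the exemption reviewable; the same applies to `vm_stat[]` in mmzone.h, the `atomic_unchecked_t *val` of `oprofilefs_create_ro_atomic()` in oprofile.h, and `s_generation_counter`/`get_generation()` in reiserfs_fs_sb.h and reiserfs_fs.h in this patch. The definition of the `_unchecked` types is not visible here, so the exact semantics of the exemption should be confirmed against it.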
46754 @@ -1497,5 +1509,11 @@ static inline int is_hwpoison_address(un
46756 extern void dump_page(struct page *page);
46758 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
46759 +extern void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot);
46761 +static inline void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot) {}
46764 #endif /* __KERNEL__ */
46765 #endif /* _LINUX_MM_H */
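Review bot: The `track_exec_limit()` prototype and its inline stub document neither what `prot` carries (`VM_*` flags or `PROT_*` bits cannot be told from the declaration) nor whether the range is `[start, end)`. A one-line comment above the `#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT` block stating the range convention and the flag space would stop callers from passing the wrong kind of bits; the `#else`/`#endif` around the stub are not shown in the rendered hunk.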
46766 diff -urNp linux-2.6.36.1/include/linux/mm_types.h linux-2.6.36.1/include/linux/mm_types.h
46767 --- linux-2.6.36.1/include/linux/mm_types.h 2010-10-20 16:30:22.000000000 -0400
46768 +++ linux-2.6.36.1/include/linux/mm_types.h 2010-11-06 18:58:15.000000000 -0400
46769 @@ -183,6 +183,8 @@ struct vm_area_struct {
46771 struct mempolicy *vm_policy; /* NUMA policy for the VMA */
46774 + struct vm_area_struct *vm_mirror;/* PaX: mirror vma or NULL */
46777 struct core_thread {
46778 @@ -310,6 +312,24 @@ struct mm_struct {
46779 #ifdef CONFIG_MMU_NOTIFIER
46780 struct mmu_notifier_mm *mmu_notifier_mm;
46783 +#if defined(CONFIG_PAX_EI_PAX) || defined(CONFIG_PAX_PT_PAX_FLAGS) || defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
46784 + unsigned long pax_flags;
46787 +#ifdef CONFIG_PAX_DLRESOLVE
46788 + unsigned long call_dl_resolve;
46791 +#if defined(CONFIG_PPC32) && defined(CONFIG_PAX_EMUSIGRT)
46792 + unsigned long call_syscall;
46795 +#ifdef CONFIG_PAX_ASLR
46796 + unsigned long delta_mmap; /* randomized offset */
46797 + unsigned long delta_stack; /* randomized offset */
46802 /* Future-safe accessor for struct mm_struct's cpu_vm_mask. */
46803 diff -urNp linux-2.6.36.1/include/linux/mmu_notifier.h linux-2.6.36.1/include/linux/mmu_notifier.h
46804 --- linux-2.6.36.1/include/linux/mmu_notifier.h 2010-10-20 16:30:22.000000000 -0400
46805 +++ linux-2.6.36.1/include/linux/mmu_notifier.h 2010-11-06 18:58:15.000000000 -0400
46806 @@ -235,12 +235,12 @@ static inline void mmu_notifier_mm_destr
46808 #define ptep_clear_flush_notify(__vma, __address, __ptep) \
46812 struct vm_area_struct *___vma = __vma; \
46813 unsigned long ___address = __address; \
46814 - __pte = ptep_clear_flush(___vma, ___address, __ptep); \
46815 + ___pte = ptep_clear_flush(___vma, ___address, __ptep); \
46816 mmu_notifier_invalidate_page(___vma->vm_mm, ___address); \
46821 #define ptep_clear_flush_young_notify(__vma, __address, __ptep) \
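Review bot: Only the assignment line of `ptep_clear_flush_notify()` is renamed from `__pte` to `___pte` in the visible lines; the local's declaration and the macro's final value expression must carry the same name or the macro no longer compiles, and those lines (gutter 46810 and 46817) are missing from this rendering, so confirm they were changed together. If the motive is that `__pte` collides with the arch `__pte()` pte-constructor name (presumably), a comment on the declaration, e.g. `pte_t ___pte; /* not __pte: that name is the arch pte constructor */`, records it for the next reader.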
46822 diff -urNp linux-2.6.36.1/include/linux/mmzone.h linux-2.6.36.1/include/linux/mmzone.h
46823 --- linux-2.6.36.1/include/linux/mmzone.h 2010-10-20 16:30:22.000000000 -0400
46824 +++ linux-2.6.36.1/include/linux/mmzone.h 2010-11-06 18:58:15.000000000 -0400
46825 @@ -352,7 +352,7 @@ struct zone {
46826 unsigned long flags; /* zone flags, see below */
46828 /* Zone statistics */
46829 - atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46830 + atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
46833 * The target ratio of ACTIVE_ANON to INACTIVE_ANON pages on
46834 diff -urNp linux-2.6.36.1/include/linux/mod_devicetable.h linux-2.6.36.1/include/linux/mod_devicetable.h
46835 --- linux-2.6.36.1/include/linux/mod_devicetable.h 2010-10-20 16:30:22.000000000 -0400
46836 +++ linux-2.6.36.1/include/linux/mod_devicetable.h 2010-11-06 18:58:15.000000000 -0400
46838 typedef unsigned long kernel_ulong_t;
46841 -#define PCI_ANY_ID (~0)
46842 +#define PCI_ANY_ID ((__u16)~0)
46844 struct pci_device_id {
46845 __u32 vendor, device; /* Vendor and device ID or PCI_ANY_ID*/
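Review bot: `PCI_ANY_ID` shrinks from the 32-bit all-ones value to `((__u16)~0)`, i.e. `0xFFFF`, while the `pci_device_id` fields it is stored in stay `__u32` (visible on the next line), so `0xFFFF` and `0xFFFFFFFF` are now two distinct, both representable values. Any ID table built against the old definition — out-of-tree modules, or userspace consumers of this exported header — still carries `0xFFFFFFFF`, which no longer equals the in-kernel sentinel, so its wildcard entries would presumably stop matching silently rather than fail loudly. If the narrower value is needed (to keep the sentinel inside the 16-bit ID space, presumably), a comment noting the ABI change and that a literal vendor/device ID of `0xFFFF` now reads as the wildcard is worth adding; `HID_ANY_ID`'s change to `(~0U)` does not have this problem.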
46846 @@ -131,7 +131,7 @@ struct usb_device_id {
46847 #define USB_DEVICE_ID_MATCH_INT_SUBCLASS 0x0100
46848 #define USB_DEVICE_ID_MATCH_INT_PROTOCOL 0x0200
46850 -#define HID_ANY_ID (~0)
46851 +#define HID_ANY_ID (~0U)
46853 struct hid_device_id {
46855 diff -urNp linux-2.6.36.1/include/linux/module.h linux-2.6.36.1/include/linux/module.h
46856 --- linux-2.6.36.1/include/linux/module.h 2010-10-20 16:30:22.000000000 -0400
46857 +++ linux-2.6.36.1/include/linux/module.h 2010-11-06 18:58:15.000000000 -0400
46858 @@ -297,16 +297,16 @@ struct module
46861 /* If this is non-NULL, vfree after init() returns */
46862 - void *module_init;
46863 + void *module_init_rx, *module_init_rw;
46865 /* Here is the actual code + data, vfree'd on unload. */
46866 - void *module_core;
46867 + void *module_core_rx, *module_core_rw;
46869 /* Here are the sizes of the init and core sections */
46870 - unsigned int init_size, core_size;
46871 + unsigned int init_size_rw, core_size_rw;
46873 /* The size of the executable code in each section. */
46874 - unsigned int init_text_size, core_text_size;
46875 + unsigned int init_size_rx, core_size_rx;
46877 /* Arch-specific module values */
46878 struct mod_arch_specific arch;
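Review bot: The comments above the renamed fields are now stale: `/* Here are the sizes of the init and core sections */` sits above `init_size_rw, core_size_rw`, which hold only the writable half, and `/* The size of the executable code in each section. */` sits above `init_size_rx, core_size_rx`. Rewording them to `/* Sizes of the writable (rw) halves of the init and core sections */` and `/* Sizes of the read-only+executable (rx) halves */` keeps them truthful, and the `module_init`/`module_core` comments still read as if there were a single region per section. Whether `_rx` covers rodata as well as text is not visible in this hunk, so word the comment according to the loader's actual layout.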
46879 @@ -408,16 +408,46 @@ bool is_module_address(unsigned long add
46880 bool is_module_percpu_address(unsigned long addr);
46881 bool is_module_text_address(unsigned long addr);
46883 +static inline int within_module_range(unsigned long addr, void *start, unsigned long size)
46886 +#ifdef CONFIG_PAX_KERNEXEC
46887 + if (ktla_ktva(addr) >= (unsigned long)start &&
46888 + ktla_ktva(addr) < (unsigned long)start + size)
46892 + return ((void *)addr >= start && (void *)addr < start + size);
46895 +static inline int within_module_core_rx(unsigned long addr, struct module *mod)
46897 + return within_module_range(addr, mod->module_core_rx, mod->core_size_rx);
46900 +static inline int within_module_core_rw(unsigned long addr, struct module *mod)
46902 + return within_module_range(addr, mod->module_core_rw, mod->core_size_rw);
46905 +static inline int within_module_init_rx(unsigned long addr, struct module *mod)
46907 + return within_module_range(addr, mod->module_init_rx, mod->init_size_rx);
46910 +static inline int within_module_init_rw(unsigned long addr, struct module *mod)
46912 + return within_module_range(addr, mod->module_init_rw, mod->init_size_rw);
46915 static inline int within_module_core(unsigned long addr, struct module *mod)
46917 - return (unsigned long)mod->module_core <= addr &&
46918 - addr < (unsigned long)mod->module_core + mod->core_size;
46919 + return within_module_core_rx(addr, mod) || within_module_core_rw(addr, mod);
46922 static inline int within_module_init(unsigned long addr, struct module *mod)
46924 - return (unsigned long)mod->module_init <= addr &&
46925 - addr < (unsigned long)mod->module_init + mod->init_size;
46926 + return within_module_init_rx(addr, mod) || within_module_init_rw(addr, mod);
46929 /* Search for module by name: must hold module_mutex. */
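Review bot: `within_module_range()` only reads through `start`, so by the constification style applied throughout this patch its parameter should be `const void *start`; the `mod->module_*_rx/rw` arguments convert implicitly. The helper also has no comment on why `addr` is translated with `ktla_ktva()` before the comparison under CONFIG_PAX_KERNEXEC while the fallback compares raw pointers; a line such as `/* under KERNEXEC module regions live in the ktla_ktva() address space, so compare there */` would explain the asymmetry — confirm that wording against the KERNEXEC definitions, which are not visible here. The `#else` branch of this function is missing from the rendered hunk.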
46930 diff -urNp linux-2.6.36.1/include/linux/moduleloader.h linux-2.6.36.1/include/linux/moduleloader.h
46931 --- linux-2.6.36.1/include/linux/moduleloader.h 2010-10-20 16:30:22.000000000 -0400
46932 +++ linux-2.6.36.1/include/linux/moduleloader.h 2010-11-06 18:58:15.000000000 -0400
46933 @@ -20,9 +20,21 @@ unsigned int arch_mod_section_prepend(st
46934 sections. Returns NULL on failure. */
46935 void *module_alloc(unsigned long size);
46937 +#ifdef CONFIG_PAX_KERNEXEC
46938 +void *module_alloc_exec(unsigned long size);
46940 +#define module_alloc_exec(x) module_alloc(x)
46943 /* Free memory returned from module_alloc. */
46944 void module_free(struct module *mod, void *module_region);
46946 +#ifdef CONFIG_PAX_KERNEXEC
46947 +void module_free_exec(struct module *mod, void *module_region);
46949 +#define module_free_exec(x, y) module_free((x), (y))
46952 /* Apply the given relocation to the (simplified) ELF. Return -error
46954 int apply_relocate(Elf_Shdr *sechdrs,
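Review bot: `module_alloc_exec()` and `module_free_exec()` are new arch-provided entry points with no comment on their contract, unlike the neighbouring `module_alloc()`/`module_free()`, which say what they return and how the memory is freed. Add e.g. `/* Allocate memory for the executable (rx) part of a module; must be freed with module_free_exec(). Without CONFIG_PAX_KERNEXEC this is plain module_alloc(). */` above the first `#ifdef`, and the mirror sentence on the free side. The `#else`/`#endif` lines around the fallback `#define`s are not shown in the rendered hunk.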
46955 diff -urNp linux-2.6.36.1/include/linux/moduleparam.h linux-2.6.36.1/include/linux/moduleparam.h
46956 --- linux-2.6.36.1/include/linux/moduleparam.h 2010-10-20 16:30:22.000000000 -0400
46957 +++ linux-2.6.36.1/include/linux/moduleparam.h 2010-11-06 18:58:15.000000000 -0400
46958 @@ -253,7 +253,7 @@ static inline void __kernel_param_unlock
46959 * @len is usually just sizeof(string).
46961 #define module_param_string(name, string, len, perm) \
46962 - static const struct kparam_string __param_string_##name \
46963 + static const struct kparam_string __param_string_##name __used \
46964 = { len, string }; \
46965 __module_param_call(MODULE_PARAM_PREFIX, name, \
46966 ¶m_ops_string, \
46967 @@ -368,7 +368,7 @@ extern int param_get_invbool(char *buffe
46968 * module_param_named() for why this might be necessary.
46970 #define module_param_array_named(name, array, type, nump, perm) \
46971 - static const struct kparam_array __param_arr_##name \
46972 + static const struct kparam_array __param_arr_##name __used \
46973 = { ARRAY_SIZE(array), nump, ¶m_ops_##type, \
46974 sizeof(array[0]), array }; \
46975 __module_param_call(MODULE_PARAM_PREFIX, name, \
46976 diff -urNp linux-2.6.36.1/include/linux/namei.h linux-2.6.36.1/include/linux/namei.h
46977 --- linux-2.6.36.1/include/linux/namei.h 2010-10-20 16:30:22.000000000 -0400
46978 +++ linux-2.6.36.1/include/linux/namei.h 2010-11-06 18:58:15.000000000 -0400
46979 @@ -22,7 +22,7 @@ struct nameidata {
46980 unsigned int flags;
46983 - char *saved_names[MAX_NESTED_LINKS + 1];
46984 + const char *saved_names[MAX_NESTED_LINKS + 1];
46988 @@ -81,12 +81,12 @@ extern int follow_up(struct path *);
46989 extern struct dentry *lock_rename(struct dentry *, struct dentry *);
46990 extern void unlock_rename(struct dentry *, struct dentry *);
46992 -static inline void nd_set_link(struct nameidata *nd, char *path)
46993 +static inline void nd_set_link(struct nameidata *nd, const char *path)
46995 nd->saved_names[nd->depth] = path;
46998 -static inline char *nd_get_link(struct nameidata *nd)
46999 +static inline const char *nd_get_link(const struct nameidata *nd)
47001 return nd->saved_names[nd->depth];
47003 diff -urNp linux-2.6.36.1/include/linux/netfilter/xt_gradm.h linux-2.6.36.1/include/linux/netfilter/xt_gradm.h
47004 --- linux-2.6.36.1/include/linux/netfilter/xt_gradm.h 1969-12-31 19:00:00.000000000 -0500
47005 +++ linux-2.6.36.1/include/linux/netfilter/xt_gradm.h 2010-11-06 18:58:50.000000000 -0400
47007 +#ifndef _LINUX_NETFILTER_XT_GRADM_H
47008 +#define _LINUX_NETFILTER_XT_GRADM_H 1
47010 +struct xt_gradm_mtinfo {
47016 diff -urNp linux-2.6.36.1/include/linux/oprofile.h linux-2.6.36.1/include/linux/oprofile.h
47017 --- linux-2.6.36.1/include/linux/oprofile.h 2010-10-20 16:30:22.000000000 -0400
47018 +++ linux-2.6.36.1/include/linux/oprofile.h 2010-11-06 18:58:15.000000000 -0400
47019 @@ -129,9 +129,9 @@ int oprofilefs_create_ulong(struct super
47020 int oprofilefs_create_ro_ulong(struct super_block * sb, struct dentry * root,
47021 char const * name, ulong * val);
47023 -/** Create a file for read-only access to an atomic_t. */
47024 +/** Create a file for read-only access to an atomic_unchecked_t. */
47025 int oprofilefs_create_ro_atomic(struct super_block * sb, struct dentry * root,
47026 - char const * name, atomic_t * val);
47027 + char const * name, atomic_unchecked_t * val);
47029 /** create a directory */
47030 struct dentry * oprofilefs_mkdir(struct super_block * sb, struct dentry * root,
47031 diff -urNp linux-2.6.36.1/include/linux/pipe_fs_i.h linux-2.6.36.1/include/linux/pipe_fs_i.h
47032 --- linux-2.6.36.1/include/linux/pipe_fs_i.h 2010-10-20 16:30:22.000000000 -0400
47033 +++ linux-2.6.36.1/include/linux/pipe_fs_i.h 2010-11-06 18:58:15.000000000 -0400
47034 @@ -45,9 +45,9 @@ struct pipe_buffer {
47035 struct pipe_inode_info {
47036 wait_queue_head_t wait;
47037 unsigned int nrbufs, curbuf, buffers;
47038 - unsigned int readers;
47039 - unsigned int writers;
47040 - unsigned int waiting_writers;
47041 + atomic_t readers;
47042 + atomic_t writers;
47043 + atomic_t waiting_writers;
47044 unsigned int r_counter;
47045 unsigned int w_counter;
47046 struct page *tmp_page;
47047 diff -urNp linux-2.6.36.1/include/linux/poison.h linux-2.6.36.1/include/linux/poison.h
47048 --- linux-2.6.36.1/include/linux/poison.h 2010-10-20 16:30:22.000000000 -0400
47049 +++ linux-2.6.36.1/include/linux/poison.h 2010-11-06 18:58:15.000000000 -0400
47051 * under normal circumstances, used to verify that nobody uses
47052 * non-initialized list entries.
47054 -#define LIST_POISON1 ((void *) 0x00100100 + POISON_POINTER_DELTA)
47055 -#define LIST_POISON2 ((void *) 0x00200200 + POISON_POINTER_DELTA)
47056 +#define LIST_POISON1 ((void *) (long)0xFFFFFF01)
47057 +#define LIST_POISON2 ((void *) (long)0xFFFFFF02)
47059 /********** include/linux/timer.h **********/
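Review bot: `((void *) (long)0xFFFFFF01)` does not sign-extend on 64-bit targets: the literal `0xFFFFFF01` has type `unsigned int`, so `(long)` yields the positive value `0x00000000FFFFFF01`, a low address inside the user-mappable range on x86-64, whereas the replaced `POISON_POINTER_DELTA` form put the poison at a non-canonical address that always faults. On 32-bit the cast gives `0xFFFFFF01` in the top page as intended. If the 64-bit case is meant to rely on UDEREF making user addresses fault from kernel mode (presumably; nothing here says so), state that in a comment; otherwise `(long)(int)0xFFFFFF01` keeps the sign extension on both widths. The same applies to `LIST_POISON2`.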
47061 diff -urNp linux-2.6.36.1/include/linux/proc_fs.h linux-2.6.36.1/include/linux/proc_fs.h
47062 --- linux-2.6.36.1/include/linux/proc_fs.h 2010-10-20 16:30:22.000000000 -0400
47063 +++ linux-2.6.36.1/include/linux/proc_fs.h 2010-11-06 18:58:50.000000000 -0400
47064 @@ -155,6 +155,19 @@ static inline struct proc_dir_entry *pro
47065 return proc_create_data(name, mode, parent, proc_fops, NULL);
47068 +static inline struct proc_dir_entry *proc_create_grsec(const char *name, mode_t mode,
47069 + struct proc_dir_entry *parent, const struct file_operations *proc_fops)
47071 +#ifdef CONFIG_GRKERNSEC_PROC_USER
47072 + return proc_create_data(name, S_IRUSR, parent, proc_fops, NULL);
47073 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
47074 + return proc_create_data(name, S_IRUSR | S_IRGRP, parent, proc_fops, NULL);
47076 + return proc_create_data(name, mode, parent, proc_fops, NULL);
47081 static inline struct proc_dir_entry *create_proc_read_entry(const char *name,
47082 mode_t mode, struct proc_dir_entry *base,
47083 read_proc_t *read_proc, void * data)
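Review bot: `proc_create_grsec()` discards the caller's `mode` entirely under CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP, so a caller passing a write bit gets a read-only entry and any other use of `mode` is silently overridden. That is presumably the intent (restricting informational /proc files to the owner or a group), but it should be stated above the function, e.g. `/* Like proc_create(), but with CONFIG_GRKERNSEC_PROC_USER/USERGROUP the entry is forced to owner-only (or owner+group) read access and @mode is ignored; use only for read-only informational files. */`. The `#else` line between the two `proc_create_data()` branches is not shown in the rendering.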
47084 diff -urNp linux-2.6.36.1/include/linux/random.h linux-2.6.36.1/include/linux/random.h
47085 --- linux-2.6.36.1/include/linux/random.h 2010-10-20 16:30:22.000000000 -0400
47086 +++ linux-2.6.36.1/include/linux/random.h 2010-11-06 18:58:15.000000000 -0400
47087 @@ -80,12 +80,17 @@ void srandom32(u32 seed);
47089 u32 prandom32(struct rnd_state *);
47091 +static inline unsigned long pax_get_random_long(void)
47093 + return random32() + (sizeof(long) > 4 ? (unsigned long)random32() << 32 : 0);
47097 * Handle minimum values for seeds
47099 static inline u32 __seed(u32 x, u32 m)
47101 - return (x < m) ? x + m : x;
47102 + return (x <= m) ? x + m + 1 : x;
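Review bot: `pax_get_random_long()` contains `(unsigned long)random32() << 32`, a shift by the full width of `unsigned long` on 32-bit targets; the `sizeof(long) > 4` guard makes it dead there, but it still triggers a shift-count-overflow diagnostic and would be undefined if evaluated, so `#if BITS_PER_LONG > 32` / `#else` is cleaner than a runtime conditional. Separately, `random32()` is the non-cryptographic Tausworthe PRNG; if this helper feeds ASLR offsets (the name suggests so, callers are not visible) its output is predictable to anyone who observes earlier outputs, and `get_random_int()` is what upstream uses for such randomization — a comment stating which property the callers need would make the choice reviewable. The `__seed()` change is a separate, self-contained fix.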
47106 diff -urNp linux-2.6.36.1/include/linux/reiserfs_fs.h linux-2.6.36.1/include/linux/reiserfs_fs.h
47107 --- linux-2.6.36.1/include/linux/reiserfs_fs.h 2010-10-20 16:30:22.000000000 -0400
47108 +++ linux-2.6.36.1/include/linux/reiserfs_fs.h 2010-11-06 18:58:15.000000000 -0400
47109 @@ -1404,7 +1404,7 @@ static inline loff_t max_reiserfs_offset
47110 #define REISERFS_USER_MEM 1 /* reiserfs user memory mode */
47112 #define fs_generation(s) (REISERFS_SB(s)->s_generation_counter)
47113 -#define get_generation(s) atomic_read (&fs_generation(s))
47114 +#define get_generation(s) atomic_read_unchecked (&fs_generation(s))
47115 #define FILESYSTEM_CHANGED_TB(tb) (get_generation((tb)->tb_sb) != (tb)->fs_gen)
47116 #define __fs_changed(gen,s) (gen != get_generation (s))
47117 #define fs_changed(gen,s) \
47118 @@ -1616,24 +1616,24 @@ static inline struct super_block *sb_fro
47121 struct item_operations {
47122 - int (*bytes_number) (struct item_head * ih, int block_size);
47123 - void (*decrement_key) (struct cpu_key *);
47124 - int (*is_left_mergeable) (struct reiserfs_key * ih,
47125 + int (* const bytes_number) (struct item_head * ih, int block_size);
47126 + void (* const decrement_key) (struct cpu_key *);
47127 + int (* const is_left_mergeable) (struct reiserfs_key * ih,
47128 unsigned long bsize);
47129 - void (*print_item) (struct item_head *, char *item);
47130 - void (*check_item) (struct item_head *, char *item);
47131 + void (* const print_item) (struct item_head *, char *item);
47132 + void (* const check_item) (struct item_head *, char *item);
47134 - int (*create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47135 + int (* const create_vi) (struct virtual_node * vn, struct virtual_item * vi,
47136 int is_affected, int insert_size);
47137 - int (*check_left) (struct virtual_item * vi, int free,
47138 + int (* const check_left) (struct virtual_item * vi, int free,
47139 int start_skip, int end_skip);
47140 - int (*check_right) (struct virtual_item * vi, int free);
47141 - int (*part_size) (struct virtual_item * vi, int from, int to);
47142 - int (*unit_num) (struct virtual_item * vi);
47143 - void (*print_vi) (struct virtual_item * vi);
47144 + int (* const check_right) (struct virtual_item * vi, int free);
47145 + int (* const part_size) (struct virtual_item * vi, int from, int to);
47146 + int (* const unit_num) (struct virtual_item * vi);
47147 + void (* const print_vi) (struct virtual_item * vi);
47150 -extern struct item_operations *item_ops[TYPE_ANY + 1];
47151 +extern const struct item_operations * const item_ops[TYPE_ANY + 1];
47153 #define op_bytes_number(ih,bsize) item_ops[le_ih_k_type (ih)]->bytes_number (ih, bsize)
47154 #define op_is_left_mergeable(key,bsize) item_ops[le_key_k_type (le_key_version (key), key)]->is_left_mergeable (key, bsize)
47155 diff -urNp linux-2.6.36.1/include/linux/reiserfs_fs_sb.h linux-2.6.36.1/include/linux/reiserfs_fs_sb.h
47156 --- linux-2.6.36.1/include/linux/reiserfs_fs_sb.h 2010-10-20 16:30:22.000000000 -0400
47157 +++ linux-2.6.36.1/include/linux/reiserfs_fs_sb.h 2010-11-06 18:58:15.000000000 -0400
47158 @@ -386,7 +386,7 @@ struct reiserfs_sb_info {
47159 /* Comment? -Hans */
47160 wait_queue_head_t s_wait;
47161 /* To be obsoleted soon by per buffer seals.. -Hans */
47162 - atomic_t s_generation_counter; // increased by one every time the
47163 + atomic_unchecked_t s_generation_counter; // increased by one every time the
47164 // tree gets re-balanced
47165 unsigned long s_properties; /* File system properties. Currently holds
47166 on-disk FS format */
47167 diff -urNp linux-2.6.36.1/include/linux/rmap.h linux-2.6.36.1/include/linux/rmap.h
47168 --- linux-2.6.36.1/include/linux/rmap.h 2010-10-20 16:30:22.000000000 -0400
47169 +++ linux-2.6.36.1/include/linux/rmap.h 2010-11-06 18:58:15.000000000 -0400
47170 @@ -145,8 +145,8 @@ static inline void anon_vma_unlock(struc
47171 void anon_vma_init(void); /* create anon_vma_cachep */
47172 int anon_vma_prepare(struct vm_area_struct *);
47173 void unlink_anon_vmas(struct vm_area_struct *);
47174 -int anon_vma_clone(struct vm_area_struct *, struct vm_area_struct *);
47175 -int anon_vma_fork(struct vm_area_struct *, struct vm_area_struct *);
47176 +int anon_vma_clone(struct vm_area_struct *, const struct vm_area_struct *);
47177 +int anon_vma_fork(struct vm_area_struct *, const struct vm_area_struct *);
47178 void __anon_vma_link(struct vm_area_struct *);
47179 void anon_vma_free(struct anon_vma *);
47181 diff -urNp linux-2.6.36.1/include/linux/sched.h linux-2.6.36.1/include/linux/sched.h
47182 --- linux-2.6.36.1/include/linux/sched.h 2010-10-20 16:30:22.000000000 -0400
47183 +++ linux-2.6.36.1/include/linux/sched.h 2010-11-26 18:18:12.000000000 -0500
47184 @@ -100,6 +100,7 @@ struct robust_list_head;
47187 struct perf_event_context;
47188 +struct linux_binprm;
47191 * List of flags we want to share for kernel threads,
47192 @@ -374,10 +375,12 @@ struct user_namespace;
47193 #define DEFAULT_MAX_MAP_COUNT (USHRT_MAX - MAPCOUNT_ELF_CORE_MARGIN)
47195 extern int sysctl_max_map_count;
47196 +extern unsigned long sysctl_heap_stack_gap;
47198 #include <linux/aio.h>
47201 +extern bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len);
47202 extern void arch_pick_mmap_layout(struct mm_struct *mm);
47203 extern unsigned long
47204 arch_get_unmapped_area(struct file *, unsigned long, unsigned long,
47205 @@ -621,6 +624,16 @@ struct signal_struct {
47206 struct tty_audit_buf *tty_audit_buf;
47209 +#ifdef CONFIG_GRKERNSEC
47216 + u8 used_accept:1;
47219 int oom_adj; /* OOM kill score adjustment (bit shift) */
47220 int oom_score_adj; /* OOM kill score adjustment */
47222 @@ -1162,7 +1175,7 @@ struct rcu_node;
47224 struct task_struct {
47225 volatile long state; /* -1 unrunnable, 0 runnable, >0 stopped */
47227 + struct thread_info *stack;
47229 unsigned int flags; /* per process flags, defined below */
47230 unsigned int ptrace;
47231 @@ -1270,8 +1283,8 @@ struct task_struct {
47232 struct list_head thread_group;
47234 struct completion *vfork_done; /* for vfork() */
47235 - int __user *set_child_tid; /* CLONE_CHILD_SETTID */
47236 - int __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47237 + pid_t __user *set_child_tid; /* CLONE_CHILD_SETTID */
47238 + pid_t __user *clear_child_tid; /* CLONE_CHILD_CLEARTID */
47240 cputime_t utime, stime, utimescaled, stimescaled;
47242 @@ -1287,16 +1300,6 @@ struct task_struct {
47243 struct task_cputime cputime_expires;
47244 struct list_head cpu_timers[3];
47246 -/* process credentials */
47247 - const struct cred *real_cred; /* objective and real subjective task
47248 - * credentials (COW) */
47249 - const struct cred *cred; /* effective (overridable) subjective task
47250 - * credentials (COW) */
47251 - struct mutex cred_guard_mutex; /* guard against foreign influences on
47252 - * credential calculations
47253 - * (notably. ptrace) */
47254 - struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47256 char comm[TASK_COMM_LEN]; /* executable name excluding path
47257 - access with [gs]et_task_comm (which lock
47258 it with task_lock())
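Review bot: `real_cred`, `cred_guard_mutex` and `replacement_session_keyring` are moved to a later position in `task_struct` here and in the @@ -1380 hunk, and `cred` is moved separately in the @@ -1400 hunk, with no comment on why the layout changed. These fields are security-critical, and the motive is presumably to change their offsets relative to `comm[]` and other byte-addressed neighbours; whatever the reason, a one-line comment at the new location, e.g. `/* deliberately placed away from comm[] and other array members */`, stops a future cleanup from moving them back. Splitting `cred` from `real_cred` also leaves the `/* process credentials */` heading covering only one of the two.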
47259 @@ -1380,6 +1383,15 @@ struct task_struct {
47260 int softirqs_enabled;
47261 int softirq_context;
47264 +/* process credentials */
47265 + const struct cred *real_cred; /* objective and real subjective task
47266 + * credentials (COW) */
47267 + struct mutex cred_guard_mutex; /* guard against foreign influences on
47268 + * credential calculations
47269 + * (notably. ptrace) */
47270 + struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
47272 #ifdef CONFIG_LOCKDEP
47273 # define MAX_LOCK_DEPTH 48UL
47274 u64 curr_chain_key;
47275 @@ -1400,6 +1412,9 @@ struct task_struct {
47277 struct backing_dev_info *backing_dev_info;
47279 + const struct cred *cred; /* effective (overridable) subjective task
47280 + * credentials (COW) */
47282 struct io_context *io_context;
47284 unsigned long ptrace_message;
47285 @@ -1465,6 +1480,20 @@ struct task_struct {
47286 unsigned long default_timer_slack_ns;
47288 struct list_head *scm_work_list;
47290 +#ifdef CONFIG_GRKERNSEC
47292 + struct dentry *gr_chroot_dentry;
47293 + struct acl_subject_label *acl;
47294 + struct acl_role_label *role;
47295 + struct file *exec_file;
47300 + u8 gr_is_chrooted;
47303 #ifdef CONFIG_FUNCTION_GRAPH_TRACER
47304 /* Index of current stored address in ret_stack */
47305 int curr_ret_stack;
47306 @@ -1496,6 +1525,52 @@ struct task_struct {
47310 +#define MF_PAX_PAGEEXEC 0x01000000 /* Paging based non-executable pages */
47311 +#define MF_PAX_EMUTRAMP 0x02000000 /* Emulate trampolines */
47312 +#define MF_PAX_MPROTECT 0x04000000 /* Restrict mprotect() */
47313 +#define MF_PAX_RANDMMAP 0x08000000 /* Randomize mmap() base */
47314 +/*#define MF_PAX_RANDEXEC 0x10000000*/ /* Randomize ET_EXEC base */
47315 +#define MF_PAX_SEGMEXEC 0x20000000 /* Segmentation based non-executable pages */
47317 +#ifdef CONFIG_PAX_SOFTMODE
47318 +extern unsigned int pax_softmode;
47321 +extern int pax_check_flags(unsigned long *);
47323 +/* if tsk != current then task_lock must be held on it */
47324 +#if defined(CONFIG_PAX_NOEXEC) || defined(CONFIG_PAX_ASLR)
47325 +static inline unsigned long pax_get_flags(struct task_struct *tsk)
47327 + if (likely(tsk->mm))
47328 + return tsk->mm->pax_flags;
47333 +/* if tsk != current then task_lock must be held on it */
47334 +static inline long pax_set_flags(struct task_struct *tsk, unsigned long flags)
47336 + if (likely(tsk->mm)) {
47337 + tsk->mm->pax_flags = flags;
47344 +#ifdef CONFIG_PAX_HAVE_ACL_FLAGS
47345 +extern void pax_set_initial_flags(struct linux_binprm *bprm);
47346 +#elif defined(CONFIG_PAX_HOOK_ACL_FLAGS)
47347 +extern void (*pax_set_initial_flags_func)(struct linux_binprm *bprm);
47350 +void pax_report_fault(struct pt_regs *regs, void *pc, void *sp);
47351 +void pax_report_insns(void *pc, void *sp);
47352 +void pax_report_refcount_overflow(struct pt_regs *regs);
47353 +void pax_report_leak_to_user(const void *ptr, unsigned long len);
47354 +void pax_report_overflow_from_user(const void *ptr, unsigned long len);
47356 /* Future-safe accessor for struct task_struct's cpus_allowed. */
47357 #define tsk_cpus_allowed(tsk) (&(tsk)->cpus_allowed)
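Review bot: `pax_set_flags()` stores `flags` straight into `tsk->mm->pax_flags` with no validation, even though `pax_check_flags()` is declared a few lines above; either callers are expected to have checked first or the setter should do it — the comment should say which. The existing `/* if tsk != current then task_lock must be held on it */` covers only locking; extend it, e.g. `/* flags must already have passed pax_check_flags() */`, and state what `pax_get_flags()` returns when `tsk->mm` is NULL (the `else` paths of both functions are not shown in the rendering). `pax_get_flags()` only reads through `tsk`, so `const struct task_struct *tsk` would match the constification applied elsewhere in this patch.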
47359 @@ -2103,7 +2178,7 @@ extern void __cleanup_sighand(struct sig
47360 extern void exit_itimers(struct signal_struct *);
47361 extern void flush_itimer_signals(void);
47363 -extern NORET_TYPE void do_group_exit(int);
47364 +extern NORET_TYPE void do_group_exit(int) ATTRIB_NORET;
47366 extern void daemonize(const char *, ...);
47367 extern int allow_signal(int);
47368 @@ -2221,8 +2296,8 @@ static inline void unlock_task_sighand(s
47370 #ifndef __HAVE_THREAD_FUNCTIONS
47372 -#define task_thread_info(task) ((struct thread_info *)(task)->stack)
47373 -#define task_stack_page(task) ((task)->stack)
47374 +#define task_thread_info(task) ((task)->stack)
47375 +#define task_stack_page(task) ((void *)(task)->stack)
47377 static inline void setup_thread_stack(struct task_struct *p, struct task_struct *org)
47379 @@ -2237,13 +2312,17 @@ static inline unsigned long *end_of_stac
47383 -static inline int object_is_on_stack(void *obj)
47384 +static inline int object_starts_on_stack(void *obj)
47386 - void *stack = task_stack_page(current);
47387 + const void *stack = task_stack_page(current);
47389 return (obj >= stack) && (obj < (stack + THREAD_SIZE));
47392 +#ifdef CONFIG_PAX_USERCOPY
47393 +extern int object_is_on_stack(const void *obj, unsigned long len);
47396 extern void thread_info_cache_init(void);
47398 #ifdef CONFIG_DEBUG_STACK_USAGE
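Review bot: The one-argument `object_is_on_stack()` is renamed to `object_starts_on_stack()` and its old name is reused for a two-argument `(const void *obj, unsigned long len)` declared only under CONFIG_PAX_USERCOPY; with that option off, no `object_is_on_stack()` exists in the visible lines, so every caller of the old form elsewhere in the tree must have been converted and any `#else` fallback should be checked (it is not shown here). For consistency with the new `const void *stack` local, `object_starts_on_stack()` should take `const void *obj` too. A comment distinguishing the two, e.g. `/* object_starts_on_stack(): first byte lies on current's stack; object_is_on_stack(): the whole [obj, obj+len) range does */`, makes the intended difference explicit — confirm the range semantics against the out-of-line definition.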
47399 diff -urNp linux-2.6.36.1/include/linux/screen_info.h linux-2.6.36.1/include/linux/screen_info.h
47400 --- linux-2.6.36.1/include/linux/screen_info.h 2010-10-20 16:30:22.000000000 -0400
47401 +++ linux-2.6.36.1/include/linux/screen_info.h 2010-11-06 18:58:15.000000000 -0400
47402 @@ -43,7 +43,8 @@ struct screen_info {
47403 __u16 pages; /* 0x32 */
47404 __u16 vesa_attributes; /* 0x34 */
47405 __u32 capabilities; /* 0x36 */
47406 - __u8 _reserved[6]; /* 0x3a */
47407 + __u16 vesapm_size; /* 0x3a */
47408 + __u8 _reserved[4]; /* 0x3c */
47409 } __attribute__((packed));
47411 #define VIDEO_TYPE_MDA 0x10 /* Monochrome Text Display */
47412 diff -urNp linux-2.6.36.1/include/linux/security.h linux-2.6.36.1/include/linux/security.h
47413 --- linux-2.6.36.1/include/linux/security.h 2010-10-20 16:30:22.000000000 -0400
47414 +++ linux-2.6.36.1/include/linux/security.h 2010-11-06 18:58:50.000000000 -0400
47416 #include <linux/key.h>
47417 #include <linux/xfrm.h>
47418 #include <linux/slab.h>
47419 +#include <linux/grsecurity.h>
47420 #include <net/flow.h>
47422 /* Maximum number of letters for an LSM name string */
47423 diff -urNp linux-2.6.36.1/include/linux/shm.h linux-2.6.36.1/include/linux/shm.h
47424 --- linux-2.6.36.1/include/linux/shm.h 2010-10-20 16:30:22.000000000 -0400
47425 +++ linux-2.6.36.1/include/linux/shm.h 2010-11-06 18:58:50.000000000 -0400
47426 @@ -95,6 +95,10 @@ struct shmid_kernel /* private to the ke
47429 struct user_struct *mlock_user;
47430 +#ifdef CONFIG_GRKERNSEC
47431 + time_t shm_createtime;
47436 /* shm_mode upper byte flags */
47437 diff -urNp linux-2.6.36.1/include/linux/slab.h linux-2.6.36.1/include/linux/slab.h
47438 --- linux-2.6.36.1/include/linux/slab.h 2010-10-20 16:30:22.000000000 -0400
47439 +++ linux-2.6.36.1/include/linux/slab.h 2010-11-06 18:58:15.000000000 -0400
47442 #include <linux/gfp.h>
47443 #include <linux/types.h>
47444 +#include <linux/err.h>
47447 * Flags to pass to kmem_cache_create().
47448 @@ -87,10 +88,13 @@
47449 * ZERO_SIZE_PTR can be passed to kfree though in the same way that NULL can.
47450 * Both make kfree a no-op.
47452 -#define ZERO_SIZE_PTR ((void *)16)
47453 +#define ZERO_SIZE_PTR \
47455 + BUILD_BUG_ON(!(MAX_ERRNO & ~PAGE_MASK));\
47456 + (void *)(-MAX_ERRNO-1L); \
47459 -#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) <= \
47460 - (unsigned long)ZERO_SIZE_PTR)
47461 +#define ZERO_OR_NULL_PTR(x) ((unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1)
47464 * struct kmem_cache related prototypes
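Review bot: The new `ZERO_OR_NULL_PTR(x)` is true not only for NULL and `ZERO_SIZE_PTR` but for every address above `ZERO_SIZE_PTR`, because `(unsigned long)(x) - 1 >= (unsigned long)ZERO_SIZE_PTR - 1` holds for the whole range `[ZERO_SIZE_PTR, ULONG_MAX]`, and with `ZERO_SIZE_PTR` now `-MAX_ERRNO-1` that range is exactly the `ERR_PTR()` encoding. As a result `kfree()` of an error pointer, which previously faulted and exposed the bug, becomes a silent no-op. If that is intended, the comment above the macro (`Both make kfree a no-op.`) should say that error pointers are treated the same way; if not, the test should be restricted to exactly NULL and `ZERO_SIZE_PTR`. The `({`/`})` lines of the `ZERO_SIZE_PTR` statement expression are not shown in the rendering.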
47465 @@ -144,6 +148,7 @@ void * __must_check krealloc(const void
47466 void kfree(const void *);
47467 void kzfree(const void *);
47468 size_t ksize(const void *);
47469 +void check_object_size(const void *ptr, unsigned long n, bool to);
47472 * Allocator specific definitions. These are mainly used to establish optimized
47473 @@ -336,4 +341,37 @@ static inline void *kzalloc_node(size_t
47475 void __init kmem_cache_init_late(void);
47477 +#define kmalloc(x, y) \
47479 + void *___retval; \
47480 + intoverflow_t ___x = (intoverflow_t)x; \
47481 + if (WARN(___x > ULONG_MAX, "kmalloc size overflow\n"))\
47482 + ___retval = NULL; \
47484 + ___retval = kmalloc((size_t)___x, (y)); \
47488 +#define kmalloc_node(x, y, z) \
47490 + void *___retval; \
47491 + intoverflow_t ___x = (intoverflow_t)x; \
47492 + if (WARN(___x > ULONG_MAX, "kmalloc_node size overflow\n"))\
47493 + ___retval = NULL; \
47495 + ___retval = kmalloc_node((size_t)___x, (y), (z));\
47499 +#define kzalloc(x, y) \
47501 + void *___retval; \
47502 + intoverflow_t ___x = (intoverflow_t)x; \
47503 + if (WARN(___x > ULONG_MAX, "kzalloc size overflow\n"))\
47504 + ___retval = NULL; \
47506 + ___retval = kzalloc((size_t)___x, (y)); \
47510 #endif /* _LINUX_SLAB_H */
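Review bot: The unparenthesised `(intoverflow_t)x` in kmalloc, kmalloc_node and kzalloc looks deliberate — it widens only the first operand so that a caller's `n * sizeof(*p)` product is evaluated in the wide type and the overflow becomes detectable — but it reads as a macro-hygiene bug to anyone who does not know the trick, so it deserves a comment such as `/* x is intentionally not parenthesised: widening the first operand makes the caller's size arithmetic overflow-checkable */`. If intoverflow_t is a signed type, a negative size passes the `> ULONG_MAX` test and is then cast to an enormous size_t; `if (WARN(___x < 0 || ___x > ULONG_MAX, "kmalloc size overflow\n"))` would report that case as well. The same two points apply to the vmalloc family macros later in this diff.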
47511 diff -urNp linux-2.6.36.1/include/linux/slub_def.h linux-2.6.36.1/include/linux/slub_def.h
47512 --- linux-2.6.36.1/include/linux/slub_def.h 2010-10-20 16:30:22.000000000 -0400
47513 +++ linux-2.6.36.1/include/linux/slub_def.h 2010-11-06 18:58:15.000000000 -0400
47514 @@ -80,7 +80,7 @@ struct kmem_cache {
47515 struct kmem_cache_order_objects max;
47516 struct kmem_cache_order_objects min;
47517 gfp_t allocflags; /* gfp flags to use on each alloc */
47518 - int refcount; /* Refcount for slab cache destroy */
47519 + atomic_t refcount; /* Refcount for slab cache destroy */
47520 void (*ctor)(void *);
47521 int inuse; /* Offset to metadata */
47522 int align; /* Alignment */
47523 diff -urNp linux-2.6.36.1/include/linux/socket.h linux-2.6.36.1/include/linux/socket.h
47524 --- linux-2.6.36.1/include/linux/socket.h 2010-10-20 16:30:22.000000000 -0400
47525 +++ linux-2.6.36.1/include/linux/socket.h 2010-11-15 17:15:00.000000000 -0500
47526 @@ -322,7 +322,7 @@ extern int csum_partial_copy_fromiovecen
47528 unsigned int len, __wsum *csump);
47530 -extern long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
47531 +extern int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode);
47532 extern int memcpy_toiovec(struct iovec *v, unsigned char *kdata, int len);
47533 extern int memcpy_toiovecend(const struct iovec *v, unsigned char *kdata,
47534 int offset, int len);
47535 diff -urNp linux-2.6.36.1/include/linux/sonet.h linux-2.6.36.1/include/linux/sonet.h
47536 --- linux-2.6.36.1/include/linux/sonet.h 2010-10-20 16:30:22.000000000 -0400
47537 +++ linux-2.6.36.1/include/linux/sonet.h 2010-11-06 18:58:15.000000000 -0400
47538 @@ -61,7 +61,7 @@ struct sonet_stats {
47539 #include <asm/atomic.h>
47541 struct k_sonet_stats {
47542 -#define __HANDLE_ITEM(i) atomic_t i
47543 +#define __HANDLE_ITEM(i) atomic_unchecked_t i
47545 #undef __HANDLE_ITEM
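Review bot: Switching k_sonet_stats to atomic_unchecked_t exempts these counters from the overflow trap, and nothing at the site records why that is safe; a one-line comment like `/* statistics only: may legitimately wrap, so not overflow-checked */` next to the __HANDLE_ITEM redefinition would let a later reader distinguish this from an accidental downgrade. The same rationale comment is missing at the vm_stat and inet_peer conversions later in this diff, where only inet_getid's `__u16` return makes the wrapping intent visible.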
47547 diff -urNp linux-2.6.36.1/include/linux/suspend.h linux-2.6.36.1/include/linux/suspend.h
47548 --- linux-2.6.36.1/include/linux/suspend.h 2010-10-20 16:30:22.000000000 -0400
47549 +++ linux-2.6.36.1/include/linux/suspend.h 2010-11-06 18:58:15.000000000 -0400
47550 @@ -106,15 +106,15 @@ typedef int __bitwise suspend_state_t;
47551 * which require special recovery actions in that situation.
47553 struct platform_suspend_ops {
47554 - int (*valid)(suspend_state_t state);
47555 - int (*begin)(suspend_state_t state);
47556 - int (*prepare)(void);
47557 - int (*prepare_late)(void);
47558 - int (*enter)(suspend_state_t state);
47559 - void (*wake)(void);
47560 - void (*finish)(void);
47561 - void (*end)(void);
47562 - void (*recover)(void);
47563 + int (* const valid)(suspend_state_t state);
47564 + int (* const begin)(suspend_state_t state);
47565 + int (* const prepare)(void);
47566 + int (* const prepare_late)(void);
47567 + int (* const enter)(suspend_state_t state);
47568 + void (* const wake)(void);
47569 + void (* const finish)(void);
47570 + void (* const end)(void);
47571 + void (* const recover)(void);
47574 #ifdef CONFIG_SUSPEND
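Review bot: Declaring the function-pointer members `const` means a `struct platform_suspend_ops` can only be populated by an initializer; any platform code that fills the fields at runtime no longer compiles, and nothing in this hunk shows the assignment sites being converted, so that is presumably handled elsewhere in the patch. A short comment on the struct would make the contract explicit: `/* members are const: instances must be fully initialised at definition time */`. The same applies to platform_hibernation_ops below, and to sysfs_ops, neigh_ops and snd_ac97_build_ops later in this diff.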
47575 @@ -122,7 +122,7 @@ struct platform_suspend_ops {
47576 * suspend_set_ops - set platform dependent suspend operations
47577 * @ops: The new suspend operations to set.
47579 -extern void suspend_set_ops(struct platform_suspend_ops *ops);
47580 +extern void suspend_set_ops(const struct platform_suspend_ops *ops);
47581 extern int suspend_valid_only_mem(suspend_state_t state);
47584 @@ -147,7 +147,7 @@ extern int pm_suspend(suspend_state_t st
47585 #else /* !CONFIG_SUSPEND */
47586 #define suspend_valid_only_mem NULL
47588 -static inline void suspend_set_ops(struct platform_suspend_ops *ops) {}
47589 +static inline void suspend_set_ops(const struct platform_suspend_ops *ops) {}
47590 static inline int pm_suspend(suspend_state_t state) { return -ENOSYS; }
47591 #endif /* !CONFIG_SUSPEND */
47593 @@ -217,16 +217,16 @@ extern void mark_free_pages(struct zone
47594 * platforms which require special recovery actions in that situation.
47596 struct platform_hibernation_ops {
47597 - int (*begin)(void);
47598 - void (*end)(void);
47599 - int (*pre_snapshot)(void);
47600 - void (*finish)(void);
47601 - int (*prepare)(void);
47602 - int (*enter)(void);
47603 - void (*leave)(void);
47604 - int (*pre_restore)(void);
47605 - void (*restore_cleanup)(void);
47606 - void (*recover)(void);
47607 + int (* const begin)(void);
47608 + void (* const end)(void);
47609 + int (* const pre_snapshot)(void);
47610 + void (* const finish)(void);
47611 + int (* const prepare)(void);
47612 + int (* const enter)(void);
47613 + void (* const leave)(void);
47614 + int (* const pre_restore)(void);
47615 + void (* const restore_cleanup)(void);
47616 + void (* const recover)(void);
47619 #ifdef CONFIG_HIBERNATION
47620 @@ -245,7 +245,7 @@ extern void swsusp_set_page_free(struct
47621 extern void swsusp_unset_page_free(struct page *);
47622 extern unsigned long get_safe_page(gfp_t gfp_mask);
47624 -extern void hibernation_set_ops(struct platform_hibernation_ops *ops);
47625 +extern void hibernation_set_ops(const struct platform_hibernation_ops *ops);
47626 extern int hibernate(void);
47627 extern bool system_entering_hibernation(void);
47628 #else /* CONFIG_HIBERNATION */
47629 @@ -253,7 +253,7 @@ static inline int swsusp_page_is_forbidd
47630 static inline void swsusp_set_page_free(struct page *p) {}
47631 static inline void swsusp_unset_page_free(struct page *p) {}
47633 -static inline void hibernation_set_ops(struct platform_hibernation_ops *ops) {}
47634 +static inline void hibernation_set_ops(const struct platform_hibernation_ops *ops) {}
47635 static inline int hibernate(void) { return -ENOSYS; }
47636 static inline bool system_entering_hibernation(void) { return false; }
47637 #endif /* CONFIG_HIBERNATION */
47638 diff -urNp linux-2.6.36.1/include/linux/sysctl.h linux-2.6.36.1/include/linux/sysctl.h
47639 --- linux-2.6.36.1/include/linux/sysctl.h 2010-10-20 16:30:22.000000000 -0400
47640 +++ linux-2.6.36.1/include/linux/sysctl.h 2010-11-06 18:58:15.000000000 -0400
47641 @@ -155,7 +155,11 @@ enum
47642 KERN_PANIC_ON_NMI=76, /* int: whether we will panic on an unrecovered */
47646 +#ifdef CONFIG_PAX_SOFTMODE
47648 + PAX_SOFTMODE=1 /* PaX: disable/enable soft mode */
47652 /* CTL_VM names: */
47654 diff -urNp linux-2.6.36.1/include/linux/sysfs.h linux-2.6.36.1/include/linux/sysfs.h
47655 --- linux-2.6.36.1/include/linux/sysfs.h 2010-10-20 16:30:22.000000000 -0400
47656 +++ linux-2.6.36.1/include/linux/sysfs.h 2010-11-06 18:58:15.000000000 -0400
47657 @@ -110,8 +110,8 @@ struct bin_attribute {
47658 #define sysfs_bin_attr_init(bin_attr) sysfs_attr_init(&(bin_attr)->attr)
47661 - ssize_t (*show)(struct kobject *, struct attribute *,char *);
47662 - ssize_t (*store)(struct kobject *,struct attribute *,const char *, size_t);
47663 + ssize_t (* const show)(struct kobject *, struct attribute *,char *);
47664 + ssize_t (* const store)(struct kobject *,struct attribute *,const char *, size_t);
47667 struct sysfs_dirent;
47668 diff -urNp linux-2.6.36.1/include/linux/thread_info.h linux-2.6.36.1/include/linux/thread_info.h
47669 --- linux-2.6.36.1/include/linux/thread_info.h 2010-10-20 16:30:22.000000000 -0400
47670 +++ linux-2.6.36.1/include/linux/thread_info.h 2010-11-06 18:58:15.000000000 -0400
47671 @@ -23,7 +23,7 @@ struct restart_block {
47673 /* For futex_wait and futex_wait_requeue_pi */
47676 + u32 __user *uaddr;
47680 diff -urNp linux-2.6.36.1/include/linux/tty.h linux-2.6.36.1/include/linux/tty.h
47681 --- linux-2.6.36.1/include/linux/tty.h 2010-10-20 16:30:22.000000000 -0400
47682 +++ linux-2.6.36.1/include/linux/tty.h 2010-11-06 18:58:15.000000000 -0400
47684 #include <linux/tty_driver.h>
47685 #include <linux/tty_ldisc.h>
47686 #include <linux/mutex.h>
47687 +#include <linux/poll.h>
47688 #include <linux/smp_lock.h>
47690 #include <asm/system.h>
47691 @@ -463,7 +464,6 @@ extern int tty_perform_flush(struct tty_
47692 extern dev_t tty_devnum(struct tty_struct *tty);
47693 extern void proc_clear_tty(struct task_struct *p);
47694 extern struct tty_struct *get_current_tty(void);
47695 -extern void tty_default_fops(struct file_operations *fops);
47696 extern struct tty_struct *alloc_tty_struct(void);
47697 extern void tty_add_file(struct tty_struct *tty, struct file *file);
47698 extern void free_tty_struct(struct tty_struct *tty);
47699 @@ -526,6 +526,18 @@ extern void tty_ldisc_begin(void);
47700 /* This last one is just for the tty layer internals and shouldn't be used elsewhere */
47701 extern void tty_ldisc_enable(struct tty_struct *tty);
47704 +extern ssize_t tty_read(struct file *, char __user *, size_t, loff_t *);
47705 +extern ssize_t tty_write(struct file *, const char __user *, size_t, loff_t *);
47706 +extern unsigned int tty_poll(struct file *, poll_table *);
47707 +#ifdef CONFIG_COMPAT
47708 +extern long tty_compat_ioctl(struct file *file, unsigned int cmd,
47709 + unsigned long arg);
47711 +#define tty_compat_ioctl NULL
47713 +extern int tty_release(struct inode *, struct file *);
47714 +extern int tty_fasync(int fd, struct file *filp, int on);
47717 extern struct tty_ldisc_ops tty_ldisc_N_TTY;
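Review bot: The twelve new externs sit directly under the comment "This last one is just for the tty layer internals and shouldn't be used elsewhere", which now reads as if it applied to them as well, and nothing says why tty_read/tty_write/tty_poll/tty_release/tty_fasync are being exposed at all. Given the removal of tty_default_fops in the previous hunk, the purpose appears to be letting other files build their own (const) file_operations from these methods; a comment such as `/* tty_fops methods, exported so const file_operations tables can be defined outside tty_io.c */` above the block would record that, and the `#define tty_compat_ioctl NULL` fallback should be mentioned in it too.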
47718 diff -urNp linux-2.6.36.1/include/linux/tty_ldisc.h linux-2.6.36.1/include/linux/tty_ldisc.h
47719 --- linux-2.6.36.1/include/linux/tty_ldisc.h 2010-10-20 16:30:22.000000000 -0400
47720 +++ linux-2.6.36.1/include/linux/tty_ldisc.h 2010-11-06 18:58:15.000000000 -0400
47721 @@ -147,7 +147,7 @@ struct tty_ldisc_ops {
47723 struct module *owner;
47726 + atomic_t refcount;
47730 diff -urNp linux-2.6.36.1/include/linux/types.h linux-2.6.36.1/include/linux/types.h
47731 --- linux-2.6.36.1/include/linux/types.h 2010-10-20 16:30:22.000000000 -0400
47732 +++ linux-2.6.36.1/include/linux/types.h 2010-11-06 18:58:15.000000000 -0400
47733 @@ -207,10 +207,26 @@ typedef struct {
47737 +#ifdef CONFIG_PAX_REFCOUNT
47740 +} atomic_unchecked_t;
47742 +typedef atomic_t atomic_unchecked_t;
47745 #ifdef CONFIG_64BIT
47750 +#ifdef CONFIG_PAX_REFCOUNT
47753 +} atomic64_unchecked_t;
47755 +typedef atomic64_t atomic64_unchecked_t;
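Review bot: The new atomic_unchecked_t and atomic64_unchecked_t typedefs carry no comment saying when they are appropriate, and this diff relies on callers choosing correctly (statistic counters such as vm_stat become unchecked, reference counts stay atomic_t). A comment on the typedef would capture the rule: `/* atomic_unchecked_t: for counters that may legitimately wrap (statistics, id generators); never for reference counts, which must stay atomic_t so overflow is trapped */`. Most of the hunk body, including the struct definitions, is not shown here.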
47760 diff -urNp linux-2.6.36.1/include/linux/uaccess.h linux-2.6.36.1/include/linux/uaccess.h
47761 --- linux-2.6.36.1/include/linux/uaccess.h 2010-10-20 16:30:22.000000000 -0400
47762 +++ linux-2.6.36.1/include/linux/uaccess.h 2010-11-06 18:58:15.000000000 -0400
47763 @@ -76,11 +76,11 @@ static inline unsigned long __copy_from_
47765 mm_segment_t old_fs = get_fs(); \
47767 - set_fs(KERNEL_DS); \
47768 pagefault_disable(); \
47769 + set_fs(KERNEL_DS); \
47770 ret = __copy_from_user_inatomic(&(retval), (__force typeof(retval) __user *)(addr), sizeof(retval)); \
47771 - pagefault_enable(); \
47773 + pagefault_enable(); \
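Review bot: The reorder nests the KERNEL_DS window strictly inside the pagefault-disabled region, but nothing explains why the order matters, so a future cleanup could easily swap it back. A comment on the moved line would pin it down: `/* set_fs(KERNEL_DS) must only be live while faults are disabled, so it is bracketed by pagefault_disable()/enable() */`, on the assumption that pagefault_disable() also raises preempt_count in this kernel (it does in this era, but confirm). The macro body starts before and ends after this hunk.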
47777 @@ -93,8 +93,8 @@ static inline unsigned long __copy_from_
47778 * Safely read from address @src to the buffer at @dst. If a kernel fault
47779 * happens, handle that and return -EFAULT.
47781 -extern long probe_kernel_read(void *dst, void *src, size_t size);
47782 -extern long __probe_kernel_read(void *dst, void *src, size_t size);
47783 +extern long probe_kernel_read(void *dst, const void *src, size_t size);
47784 +extern long __probe_kernel_read(void *dst, const void *src, size_t size);
47787 * probe_kernel_write(): safely attempt to write to a location
47788 @@ -105,7 +105,7 @@ extern long __probe_kernel_read(void *ds
47789 * Safely write to address @dst from the buffer at @src. If a kernel fault
47790 * happens, handle that and return -EFAULT.
47792 -extern long notrace probe_kernel_write(void *dst, void *src, size_t size);
47793 -extern long notrace __probe_kernel_write(void *dst, void *src, size_t size);
47794 +extern long notrace probe_kernel_write(void *dst, const void *src, size_t size);
47795 +extern long notrace __probe_kernel_write(void *dst, const void *src, size_t size);
47797 #endif /* __LINUX_UACCESS_H__ */
47798 diff -urNp linux-2.6.36.1/include/linux/usb/hcd.h linux-2.6.36.1/include/linux/usb/hcd.h
47799 --- linux-2.6.36.1/include/linux/usb/hcd.h 2010-10-20 16:30:22.000000000 -0400
47800 +++ linux-2.6.36.1/include/linux/usb/hcd.h 2010-11-06 18:58:15.000000000 -0400
47801 @@ -578,7 +578,7 @@ struct usb_mon_operations {
47802 /* void (*urb_unlink)(struct usb_bus *bus, struct urb *urb); */
47805 -extern struct usb_mon_operations *mon_ops;
47806 +extern const struct usb_mon_operations *mon_ops;
47808 static inline void usbmon_urb_submit(struct usb_bus *bus, struct urb *urb)
47810 @@ -600,7 +600,7 @@ static inline void usbmon_urb_complete(s
47811 (*mon_ops->urb_complete)(bus, urb, status);
47814 -int usb_mon_register(struct usb_mon_operations *ops);
47815 +int usb_mon_register(const struct usb_mon_operations *ops);
47816 void usb_mon_deregister(void);
47819 diff -urNp linux-2.6.36.1/include/linux/vmalloc.h linux-2.6.36.1/include/linux/vmalloc.h
47820 --- linux-2.6.36.1/include/linux/vmalloc.h 2010-10-20 16:30:22.000000000 -0400
47821 +++ linux-2.6.36.1/include/linux/vmalloc.h 2010-11-06 18:58:15.000000000 -0400
47822 @@ -15,6 +15,11 @@ extern bool vmap_lazy_unmap;
47823 #define VM_MAP 0x00000004 /* vmap()ed pages */
47824 #define VM_USERMAP 0x00000008 /* suitable for remap_vmalloc_range */
47825 #define VM_VPAGES 0x00000010 /* buffer for pages was vmalloc'ed */
47827 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
47828 +#define VM_KERNEXEC 0x00000020 /* allocate from executable kernel memory range */
47831 /* bits [20..32] reserved for arch specific ioremap internals */
47834 @@ -123,4 +128,81 @@ struct vm_struct **pcpu_get_vm_areas(con
47836 void pcpu_free_vm_areas(struct vm_struct **vms, int nr_vms);
47838 +#define vmalloc(x) \
47840 + void *___retval; \
47841 + intoverflow_t ___x = (intoverflow_t)x; \
47842 + if (WARN(___x > ULONG_MAX, "vmalloc size overflow\n")) \
47843 + ___retval = NULL; \
47845 + ___retval = vmalloc((unsigned long)___x); \
47849 +#define __vmalloc(x, y, z) \
47851 + void *___retval; \
47852 + intoverflow_t ___x = (intoverflow_t)x; \
47853 + if (WARN(___x > ULONG_MAX, "__vmalloc size overflow\n"))\
47854 + ___retval = NULL; \
47856 + ___retval = __vmalloc((unsigned long)___x, (y), (z));\
47860 +#define vmalloc_user(x) \
47862 + void *___retval; \
47863 + intoverflow_t ___x = (intoverflow_t)x; \
47864 + if (WARN(___x > ULONG_MAX, "vmalloc_user size overflow\n"))\
47865 + ___retval = NULL; \
47867 + ___retval = vmalloc_user((unsigned long)___x); \
47871 +#define vmalloc_exec(x) \
47873 + void *___retval; \
47874 + intoverflow_t ___x = (intoverflow_t)x; \
47875 + if (WARN(___x > ULONG_MAX, "vmalloc_exec size overflow\n"))\
47876 + ___retval = NULL; \
47878 + ___retval = vmalloc_exec((unsigned long)___x); \
47882 +#define vmalloc_node(x, y) \
47884 + void *___retval; \
47885 + intoverflow_t ___x = (intoverflow_t)x; \
47886 + if (WARN(___x > ULONG_MAX, "vmalloc_node size overflow\n"))\
47887 + ___retval = NULL; \
47889 + ___retval = vmalloc_node((unsigned long)___x, (y));\
47893 +#define vmalloc_32(x) \
47895 + void *___retval; \
47896 + intoverflow_t ___x = (intoverflow_t)x; \
47897 + if (WARN(___x > ULONG_MAX, "vmalloc_32 size overflow\n"))\
47898 + ___retval = NULL; \
47900 + ___retval = vmalloc_32((unsigned long)___x); \
47904 +#define vmalloc_32_user(x) \
47906 + void *___retval; \
47907 + intoverflow_t ___x = (intoverflow_t)x; \
47908 + if (WARN(___x > ULONG_MAX, "vmalloc_32_user size overflow\n"))\
47909 + ___retval = NULL; \
47911 + ___retval = vmalloc_32_user((unsigned long)___x);\
47915 #endif /* _LINUX_VMALLOC_H */
47916 diff -urNp linux-2.6.36.1/include/linux/vmstat.h linux-2.6.36.1/include/linux/vmstat.h
47917 --- linux-2.6.36.1/include/linux/vmstat.h 2010-10-20 16:30:22.000000000 -0400
47918 +++ linux-2.6.36.1/include/linux/vmstat.h 2010-11-06 18:58:15.000000000 -0400
47919 @@ -140,18 +140,18 @@ static inline void vm_events_fold_cpu(in
47921 * Zone based page accounting with per cpu differentials.
47923 -extern atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47924 +extern atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
47926 static inline void zone_page_state_add(long x, struct zone *zone,
47927 enum zone_stat_item item)
47929 - atomic_long_add(x, &zone->vm_stat[item]);
47930 - atomic_long_add(x, &vm_stat[item]);
47931 + atomic_long_add_unchecked(x, &zone->vm_stat[item]);
47932 + atomic_long_add_unchecked(x, &vm_stat[item]);
47935 static inline unsigned long global_page_state(enum zone_stat_item item)
47937 - long x = atomic_long_read(&vm_stat[item]);
47938 + long x = atomic_long_read_unchecked(&vm_stat[item]);
47942 @@ -162,7 +162,7 @@ static inline unsigned long global_page_
47943 static inline unsigned long zone_page_state(struct zone *zone,
47944 enum zone_stat_item item)
47946 - long x = atomic_long_read(&zone->vm_stat[item]);
47947 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
47951 @@ -179,7 +179,7 @@ static inline unsigned long zone_page_st
47952 static inline unsigned long zone_page_state_snapshot(struct zone *zone,
47953 enum zone_stat_item item)
47955 - long x = atomic_long_read(&zone->vm_stat[item]);
47956 + long x = atomic_long_read_unchecked(&zone->vm_stat[item]);
47960 @@ -268,8 +268,8 @@ static inline void __mod_zone_page_state
47962 static inline void __inc_zone_state(struct zone *zone, enum zone_stat_item item)
47964 - atomic_long_inc(&zone->vm_stat[item]);
47965 - atomic_long_inc(&vm_stat[item]);
47966 + atomic_long_inc_unchecked(&zone->vm_stat[item]);
47967 + atomic_long_inc_unchecked(&vm_stat[item]);
47970 static inline void __inc_zone_page_state(struct page *page,
47971 @@ -280,8 +280,8 @@ static inline void __inc_zone_page_state
47973 static inline void __dec_zone_state(struct zone *zone, enum zone_stat_item item)
47975 - atomic_long_dec(&zone->vm_stat[item]);
47976 - atomic_long_dec(&vm_stat[item]);
47977 + atomic_long_dec_unchecked(&zone->vm_stat[item]);
47978 + atomic_long_dec_unchecked(&vm_stat[item]);
47981 static inline void __dec_zone_page_state(struct page *page,
47982 diff -urNp linux-2.6.36.1/include/net/inetpeer.h linux-2.6.36.1/include/net/inetpeer.h
47983 --- linux-2.6.36.1/include/net/inetpeer.h 2010-10-20 16:30:22.000000000 -0400
47984 +++ linux-2.6.36.1/include/net/inetpeer.h 2010-11-06 18:58:15.000000000 -0400
47985 @@ -30,8 +30,8 @@ struct inet_peer {
47989 - atomic_t rid; /* Frag reception counter */
47990 - atomic_t ip_id_count; /* IP ID for the next packet */
47991 + atomic_unchecked_t rid; /* Frag reception counter */
47992 + atomic_unchecked_t ip_id_count; /* IP ID for the next packet */
47994 __u32 tcp_ts_stamp;
47996 @@ -62,7 +62,7 @@ static inline __u16 inet_getid(struct in
47999 inet_peer_refcheck(p);
48000 - return atomic_add_return(more, &p->ip_id_count) - more;
48001 + return atomic_add_return_unchecked(more, &p->ip_id_count) - more;
48004 #endif /* _NET_INETPEER_H */
48005 diff -urNp linux-2.6.36.1/include/net/irda/ircomm_tty.h linux-2.6.36.1/include/net/irda/ircomm_tty.h
48006 --- linux-2.6.36.1/include/net/irda/ircomm_tty.h 2010-10-20 16:30:22.000000000 -0400
48007 +++ linux-2.6.36.1/include/net/irda/ircomm_tty.h 2010-11-06 18:58:15.000000000 -0400
48008 @@ -105,8 +105,8 @@ struct ircomm_tty_cb {
48009 unsigned short close_delay;
48010 unsigned short closing_wait; /* time to wait before closing */
48013 - int blocked_open; /* # of blocked opens */
48014 + atomic_t open_count;
48015 + atomic_t blocked_open; /* # of blocked opens */
48017 /* Protect concurent access to :
48018 * o self->open_count
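Review bot: The context comment immediately below still lists `self->open_count` among the fields the spinlock protects, but open_count is now an atomic_t, so the comment is either stale or understating the rule. If the lock is still required because the accessors do compound check-then-act sequences on open_count, the comment should say so explicitly (e.g. `* o self->open_count (atomic, but check-then-act sequences still need the lock)`); otherwise remove it from the list. The accessor changes live in net/irda, outside this header.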
48019 diff -urNp linux-2.6.36.1/include/net/neighbour.h linux-2.6.36.1/include/net/neighbour.h
48020 --- linux-2.6.36.1/include/net/neighbour.h 2010-10-20 16:30:22.000000000 -0400
48021 +++ linux-2.6.36.1/include/net/neighbour.h 2010-11-06 18:58:15.000000000 -0400
48022 @@ -116,12 +116,12 @@ struct neighbour {
48026 - void (*solicit)(struct neighbour *, struct sk_buff*);
48027 - void (*error_report)(struct neighbour *, struct sk_buff*);
48028 - int (*output)(struct sk_buff*);
48029 - int (*connected_output)(struct sk_buff*);
48030 - int (*hh_output)(struct sk_buff*);
48031 - int (*queue_xmit)(struct sk_buff*);
48032 + void (* const solicit)(struct neighbour *, struct sk_buff*);
48033 + void (* const error_report)(struct neighbour *, struct sk_buff*);
48034 + int (* const output)(struct sk_buff*);
48035 + int (* const connected_output)(struct sk_buff*);
48036 + int (* const hh_output)(struct sk_buff*);
48037 + int (* const queue_xmit)(struct sk_buff*);
48040 struct pneigh_entry {
48041 diff -urNp linux-2.6.36.1/include/net/sctp/sctp.h linux-2.6.36.1/include/net/sctp/sctp.h
48042 --- linux-2.6.36.1/include/net/sctp/sctp.h 2010-10-20 16:30:22.000000000 -0400
48043 +++ linux-2.6.36.1/include/net/sctp/sctp.h 2010-11-06 18:58:15.000000000 -0400
48044 @@ -305,8 +305,8 @@ extern int sctp_debug_flag;
48046 #else /* SCTP_DEBUG */
48048 -#define SCTP_DEBUG_PRINTK(whatever...)
48049 -#define SCTP_DEBUG_PRINTK_IPADDR(whatever...)
48050 +#define SCTP_DEBUG_PRINTK(whatever...) do {} while (0)
48051 +#define SCTP_DEBUG_PRINTK_IPADDR(whatever...) do {} while (0)
48052 #define SCTP_ENABLE_DEBUG
48053 #define SCTP_DISABLE_DEBUG
48054 #define SCTP_ASSERT(expr, str, func)
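Review bot: `SCTP_ASSERT(expr, str, func)` on the last line of the hunk is still an empty expansion and carries the same dangling-statement hazard (`if (x) SCTP_ASSERT(...); else ...`) that the change fixes for the two PRINTK macros; `#define SCTP_ASSERT(expr, str, func) do {} while (0)` completes the fix. As with the PRINTK macros, `expr` remains unevaluated in the non-debug build, so behaviour is otherwise unchanged.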
48055 diff -urNp linux-2.6.36.1/include/net/tcp.h linux-2.6.36.1/include/net/tcp.h
48056 --- linux-2.6.36.1/include/net/tcp.h 2010-10-20 16:30:22.000000000 -0400
48057 +++ linux-2.6.36.1/include/net/tcp.h 2010-11-06 18:58:15.000000000 -0400
48058 @@ -1373,6 +1373,7 @@ enum tcp_seq_states {
48059 struct tcp_seq_afinfo {
48061 sa_family_t family;
48062 + /* cannot be const */
48063 struct file_operations seq_fops;
48064 struct seq_operations seq_ops;
48066 diff -urNp linux-2.6.36.1/include/net/udp.h linux-2.6.36.1/include/net/udp.h
48067 --- linux-2.6.36.1/include/net/udp.h 2010-10-20 16:30:22.000000000 -0400
48068 +++ linux-2.6.36.1/include/net/udp.h 2010-11-06 18:58:15.000000000 -0400
48069 @@ -220,6 +220,7 @@ struct udp_seq_afinfo {
48071 sa_family_t family;
48072 struct udp_table *udp_table;
48073 + /* cannot be const */
48074 struct file_operations seq_fops;
48075 struct seq_operations seq_ops;
48077 diff -urNp linux-2.6.36.1/include/sound/ac97_codec.h linux-2.6.36.1/include/sound/ac97_codec.h
48078 --- linux-2.6.36.1/include/sound/ac97_codec.h 2010-10-20 16:30:22.000000000 -0400
48079 +++ linux-2.6.36.1/include/sound/ac97_codec.h 2010-11-06 18:58:15.000000000 -0400
48080 @@ -419,15 +419,15 @@
48083 struct snd_ac97_build_ops {
48084 - int (*build_3d) (struct snd_ac97 *ac97);
48085 - int (*build_specific) (struct snd_ac97 *ac97);
48086 - int (*build_spdif) (struct snd_ac97 *ac97);
48087 - int (*build_post_spdif) (struct snd_ac97 *ac97);
48088 + int (* const build_3d) (struct snd_ac97 *ac97);
48089 + int (* const build_specific) (struct snd_ac97 *ac97);
48090 + int (* const build_spdif) (struct snd_ac97 *ac97);
48091 + int (* const build_post_spdif) (struct snd_ac97 *ac97);
48093 - void (*suspend) (struct snd_ac97 *ac97);
48094 - void (*resume) (struct snd_ac97 *ac97);
48095 + void (* const suspend) (struct snd_ac97 *ac97);
48096 + void (* const resume) (struct snd_ac97 *ac97);
48098 - void (*update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48099 + void (* const update_jacks) (struct snd_ac97 *ac97); /* for jack-sharing */
48102 struct snd_ac97_bus_ops {
48103 @@ -477,7 +477,7 @@ struct snd_ac97_template {
48106 /* -- lowlevel (hardware) driver specific -- */
48107 - struct snd_ac97_build_ops * build_ops;
48108 + const struct snd_ac97_build_ops * build_ops;
48109 void *private_data;
48110 void (*private_free) (struct snd_ac97 *ac97);
48112 diff -urNp linux-2.6.36.1/include/trace/events/irq.h linux-2.6.36.1/include/trace/events/irq.h
48113 --- linux-2.6.36.1/include/trace/events/irq.h 2010-10-20 16:30:22.000000000 -0400
48114 +++ linux-2.6.36.1/include/trace/events/irq.h 2010-11-06 18:58:15.000000000 -0400
48117 TRACE_EVENT(irq_handler_entry,
48119 - TP_PROTO(int irq, struct irqaction *action),
48120 + TP_PROTO(int irq, const struct irqaction *action),
48122 TP_ARGS(irq, action),
48124 @@ -64,7 +64,7 @@ TRACE_EVENT(irq_handler_entry,
48126 TRACE_EVENT(irq_handler_exit,
48128 - TP_PROTO(int irq, struct irqaction *action, int ret),
48129 + TP_PROTO(int irq, const struct irqaction *action, int ret),
48131 TP_ARGS(irq, action, ret),
48133 @@ -84,7 +84,7 @@ TRACE_EVENT(irq_handler_exit,
48135 DECLARE_EVENT_CLASS(softirq,
48137 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
48138 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
48142 @@ -113,7 +113,7 @@ DECLARE_EVENT_CLASS(softirq,
48144 DEFINE_EVENT(softirq, softirq_entry,
48146 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
48147 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
48151 @@ -131,7 +131,7 @@ DEFINE_EVENT(softirq, softirq_entry,
48153 DEFINE_EVENT(softirq, softirq_exit,
48155 - TP_PROTO(struct softirq_action *h, struct softirq_action *vec),
48156 + TP_PROTO(const struct softirq_action *h, const struct softirq_action *vec),
48160 diff -urNp linux-2.6.36.1/include/video/uvesafb.h linux-2.6.36.1/include/video/uvesafb.h
48161 --- linux-2.6.36.1/include/video/uvesafb.h 2010-10-20 16:30:22.000000000 -0400
48162 +++ linux-2.6.36.1/include/video/uvesafb.h 2010-11-06 18:58:15.000000000 -0400
48163 @@ -177,6 +177,7 @@ struct uvesafb_par {
48164 u8 ypan; /* 0 - nothing, 1 - ypan, 2 - ywrap */
48165 u8 pmi_setpal; /* PMI for palette changes */
48166 u16 *pmi_base; /* protected mode interface location */
48167 + u8 *pmi_code; /* protected mode code location */
48170 u8 *vbe_state_orig; /*
48171 diff -urNp linux-2.6.36.1/init/do_mounts.c linux-2.6.36.1/init/do_mounts.c
48172 --- linux-2.6.36.1/init/do_mounts.c 2010-10-20 16:30:22.000000000 -0400
48173 +++ linux-2.6.36.1/init/do_mounts.c 2010-11-06 18:58:15.000000000 -0400
48174 @@ -217,11 +217,11 @@ static void __init get_fs_names(char *pa
48176 static int __init do_mount_root(char *name, char *fs, int flags, void *data)
48178 - int err = sys_mount(name, "/root", fs, flags, data);
48179 + int err = sys_mount((__force char __user *)name, (__force char __user *)"/root", (__force char __user *)fs, flags, (__force void __user *)data);
48183 - sys_chdir("/root");
48184 + sys_chdir((__force char __user *)"/root");
48185 ROOT_DEV = current->fs->pwd.mnt->mnt_sb->s_dev;
48186 printk("VFS: Mounted root (%s filesystem)%s on device %u:%u.\n",
48187 current->fs->pwd.mnt->mnt_sb->s_type->name,
48188 @@ -312,18 +312,18 @@ void __init change_floppy(char *fmt, ...
48189 va_start(args, fmt);
48190 vsprintf(buf, fmt, args);
48192 - fd = sys_open("/dev/root", O_RDWR | O_NDELAY, 0);
48193 + fd = sys_open((char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);
48195 sys_ioctl(fd, FDEJECT, 0);
48198 printk(KERN_NOTICE "VFS: Insert %s and press ENTER\n", buf);
48199 - fd = sys_open("/dev/console", O_RDWR, 0);
48200 + fd = sys_open((__force const char __user *)"/dev/console", O_RDWR, 0);
48202 sys_ioctl(fd, TCGETS, (long)&termios);
48203 termios.c_lflag &= ~ICANON;
48204 sys_ioctl(fd, TCSETSF, (long)&termios);
48205 - sys_read(fd, &c, 1);
48206 + sys_read(fd, (char __user *)&c, 1);
48207 termios.c_lflag |= ICANON;
48208 sys_ioctl(fd, TCSETSF, (long)&termios);
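Review bot: Two of the new casts in change_floppy omit `__force` while the rest of the patch uses it consistently — `(char __user *)"/dev/root"` and `(char __user *)&c` — so sparse will still flag the address-space conversion at those sites, which is the warning the patch is trying to silence, and the first also drops `const` although sys_open takes a `const char __user *`. Suggested: `fd = sys_open((__force const char __user *)"/dev/root", O_RDWR | O_NDELAY, 0);` and `sys_read(fd, (__force char __user *)&c, 1);`. The vsprintf() into `buf` on the line above is pre-existing and unbounded, but that is outside the change.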
48210 @@ -417,6 +417,6 @@ void __init prepare_namespace(void)
48213 devtmpfs_mount("dev");
48214 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48216 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48217 + sys_chroot((__force char __user *)".");
48219 diff -urNp linux-2.6.36.1/init/do_mounts.h linux-2.6.36.1/init/do_mounts.h
48220 --- linux-2.6.36.1/init/do_mounts.h 2010-10-20 16:30:22.000000000 -0400
48221 +++ linux-2.6.36.1/init/do_mounts.h 2010-11-06 18:58:15.000000000 -0400
48222 @@ -15,15 +15,15 @@ extern int root_mountflags;
48224 static inline int create_dev(char *name, dev_t dev)
48226 - sys_unlink(name);
48227 - return sys_mknod(name, S_IFBLK|0600, new_encode_dev(dev));
48228 + sys_unlink((__force char __user *)name);
48229 + return sys_mknod((__force char __user *)name, S_IFBLK|0600, new_encode_dev(dev));
48232 #if BITS_PER_LONG == 32
48233 static inline u32 bstat(char *name)
48235 struct stat64 stat;
48236 - if (sys_stat64(name, &stat) != 0)
48237 + if (sys_stat64((__force char __user *)name, (__force struct stat64 __user *)&stat) != 0)
48239 if (!S_ISBLK(stat.st_mode))
48241 diff -urNp linux-2.6.36.1/init/do_mounts_initrd.c linux-2.6.36.1/init/do_mounts_initrd.c
48242 --- linux-2.6.36.1/init/do_mounts_initrd.c 2010-10-20 16:30:22.000000000 -0400
48243 +++ linux-2.6.36.1/init/do_mounts_initrd.c 2010-11-06 18:58:15.000000000 -0400
48244 @@ -44,13 +44,13 @@ static void __init handle_initrd(void)
48245 create_dev("/dev/root.old", Root_RAM0);
48246 /* mount initrd on rootfs' /root */
48247 mount_block_root("/dev/root.old", root_mountflags & ~MS_RDONLY);
48248 - sys_mkdir("/old", 0700);
48249 - root_fd = sys_open("/", 0, 0);
48250 - old_fd = sys_open("/old", 0, 0);
48251 + sys_mkdir((__force const char __user *)"/old", 0700);
48252 + root_fd = sys_open((__force const char __user *)"/", 0, 0);
48253 + old_fd = sys_open((__force const char __user *)"/old", 0, 0);
48254 /* move initrd over / and chdir/chroot in initrd root */
48255 - sys_chdir("/root");
48256 - sys_mount(".", "/", NULL, MS_MOVE, NULL);
48258 + sys_chdir((__force const char __user *)"/root");
48259 + sys_mount((__force char __user *)".", (__force char __user *)"/", NULL, MS_MOVE, NULL);
48260 + sys_chroot((__force const char __user *)".");
48263 * In case that a resume from disk is carried out by linuxrc or one of
48264 @@ -67,15 +67,15 @@ static void __init handle_initrd(void)
48266 /* move initrd to rootfs' /old */
48267 sys_fchdir(old_fd);
48268 - sys_mount("/", ".", NULL, MS_MOVE, NULL);
48269 + sys_mount((__force char __user *)"/", (__force char __user *)".", NULL, MS_MOVE, NULL);
48270 /* switch root and cwd back to / of rootfs */
48271 sys_fchdir(root_fd);
48273 + sys_chroot((__force const char __user *)".");
48275 sys_close(root_fd);
48277 if (new_decode_dev(real_root_dev) == Root_RAM0) {
48278 - sys_chdir("/old");
48279 + sys_chdir((__force const char __user *)"/old");
48283 @@ -83,17 +83,17 @@ static void __init handle_initrd(void)
48286 printk(KERN_NOTICE "Trying to move old root to /initrd ... ");
48287 - error = sys_mount("/old", "/root/initrd", NULL, MS_MOVE, NULL);
48288 + error = sys_mount((__force char __user *)"/old", (__force char __user *)"/root/initrd", NULL, MS_MOVE, NULL);
48292 - int fd = sys_open("/dev/root.old", O_RDWR, 0);
48293 + int fd = sys_open((__force const char __user *)"/dev/root.old", O_RDWR, 0);
48294 if (error == -ENOENT)
48295 printk("/initrd does not exist. Ignored.\n");
48297 printk("failed\n");
48298 printk(KERN_NOTICE "Unmounting old root\n");
48299 - sys_umount("/old", MNT_DETACH);
48300 + sys_umount((__force char __user *)"/old", MNT_DETACH);
48301 printk(KERN_NOTICE "Trying to free ramdisk memory ... ");
48304 @@ -116,11 +116,11 @@ int __init initrd_load(void)
48305 * mounted in the normal path.
48307 if (rd_load_image("/initrd.image") && ROOT_DEV != Root_RAM0) {
48308 - sys_unlink("/initrd.image");
48309 + sys_unlink((__force const char __user *)"/initrd.image");
48314 - sys_unlink("/initrd.image");
48315 + sys_unlink((__force const char __user *)"/initrd.image");
48318 diff -urNp linux-2.6.36.1/init/do_mounts_md.c linux-2.6.36.1/init/do_mounts_md.c
48319 --- linux-2.6.36.1/init/do_mounts_md.c 2010-10-20 16:30:22.000000000 -0400
48320 +++ linux-2.6.36.1/init/do_mounts_md.c 2010-11-06 18:58:15.000000000 -0400
48321 @@ -170,7 +170,7 @@ static void __init md_setup_drive(void)
48322 partitioned ? "_d" : "", minor,
48323 md_setup_args[ent].device_names);
48325 - fd = sys_open(name, 0, 0);
48326 + fd = sys_open((__force char __user *)name, 0, 0);
48328 printk(KERN_ERR "md: open failed - cannot start "
48329 "array %s\n", name);
48330 @@ -233,7 +233,7 @@ static void __init md_setup_drive(void)
48334 - fd = sys_open(name, 0, 0);
48335 + fd = sys_open((__force char __user *)name, 0, 0);
48336 sys_ioctl(fd, BLKRRPART, 0);
48339 @@ -283,7 +283,7 @@ static void __init autodetect_raid(void)
48341 wait_for_device_probe();
48343 - fd = sys_open("/dev/md0", 0, 0);
48344 + fd = sys_open((__force char __user *)"/dev/md0", 0, 0);
48346 sys_ioctl(fd, RAID_AUTORUN, raid_autopart);
48348 diff -urNp linux-2.6.36.1/init/initramfs.c linux-2.6.36.1/init/initramfs.c
48349 --- linux-2.6.36.1/init/initramfs.c 2010-10-20 16:30:22.000000000 -0400
48350 +++ linux-2.6.36.1/init/initramfs.c 2010-11-06 18:58:15.000000000 -0400
48351 @@ -74,7 +74,7 @@ static void __init free_hash(void)
48355 -static long __init do_utime(char __user *filename, time_t mtime)
48356 +static long __init do_utime(__force char __user *filename, time_t mtime)
48358 struct timespec t[2];
48360 @@ -109,7 +109,7 @@ static void __init dir_utime(void)
48361 struct dir_entry *de, *tmp;
48362 list_for_each_entry_safe(de, tmp, &dir_list, list) {
48363 list_del(&de->list);
48364 - do_utime(de->name, de->mtime);
48365 + do_utime((__force char __user *)de->name, de->mtime);
48369 @@ -271,7 +271,7 @@ static int __init maybe_link(void)
48371 char *old = find_link(major, minor, ino, mode, collected);
48373 - return (sys_link(old, collected) < 0) ? -1 : 1;
48374 + return (sys_link((__force char __user *)old, (__force char __user *)collected) < 0) ? -1 : 1;
48378 @@ -280,11 +280,11 @@ static void __init clean_path(char *path
48382 - if (!sys_newlstat(path, &st) && (st.st_mode^mode) & S_IFMT) {
48383 + if (!sys_newlstat((__force char __user *)path, (__force struct stat __user *)&st) && (st.st_mode^mode) & S_IFMT) {
48384 if (S_ISDIR(st.st_mode))
48386 + sys_rmdir((__force char __user *)path);
48388 - sys_unlink(path);
48389 + sys_unlink((__force char __user *)path);
48393 @@ -305,7 +305,7 @@ static int __init do_name(void)
48394 int openflags = O_WRONLY|O_CREAT;
48396 openflags |= O_TRUNC;
48397 - wfd = sys_open(collected, openflags, mode);
48398 + wfd = sys_open((__force char __user *)collected, openflags, mode);
48401 sys_fchown(wfd, uid, gid);
48402 @@ -317,17 +317,17 @@ static int __init do_name(void)
48405 } else if (S_ISDIR(mode)) {
48406 - sys_mkdir(collected, mode);
48407 - sys_chown(collected, uid, gid);
48408 - sys_chmod(collected, mode);
48409 + sys_mkdir((__force char __user *)collected, mode);
48410 + sys_chown((__force char __user *)collected, uid, gid);
48411 + sys_chmod((__force char __user *)collected, mode);
48412 dir_add(collected, mtime);
48413 } else if (S_ISBLK(mode) || S_ISCHR(mode) ||
48414 S_ISFIFO(mode) || S_ISSOCK(mode)) {
48415 if (maybe_link() == 0) {
48416 - sys_mknod(collected, mode, rdev);
48417 - sys_chown(collected, uid, gid);
48418 - sys_chmod(collected, mode);
48419 - do_utime(collected, mtime);
48420 + sys_mknod((__force char __user *)collected, mode, rdev);
48421 + sys_chown((__force char __user *)collected, uid, gid);
48422 + sys_chmod((__force char __user *)collected, mode);
48423 + do_utime((__force char __user *)collected, mtime);
48427 @@ -336,15 +336,15 @@ static int __init do_name(void)
48428 static int __init do_copy(void)
48430 if (count >= body_len) {
48431 - sys_write(wfd, victim, body_len);
48432 + sys_write(wfd, (__force char __user *)victim, body_len);
48434 - do_utime(vcollected, mtime);
48435 + do_utime((__force char __user *)vcollected, mtime);
48441 - sys_write(wfd, victim, count);
48442 + sys_write(wfd, (__force char __user *)victim, count);
48446 @@ -355,9 +355,9 @@ static int __init do_symlink(void)
48448 collected[N_ALIGN(name_len) + body_len] = '\0';
48449 clean_path(collected, 0);
48450 - sys_symlink(collected + N_ALIGN(name_len), collected);
48451 - sys_lchown(collected, uid, gid);
48452 - do_utime(collected, mtime);
48453 + sys_symlink((__force char __user *)collected + N_ALIGN(name_len), (__force char __user *)collected);
48454 + sys_lchown((__force char __user *)collected, uid, gid);
48455 + do_utime((__force char __user *)collected, mtime);
48457 next_state = Reset;
48459 diff -urNp linux-2.6.36.1/init/Kconfig linux-2.6.36.1/init/Kconfig
48460 --- linux-2.6.36.1/init/Kconfig 2010-10-20 16:30:22.000000000 -0400
48461 +++ linux-2.6.36.1/init/Kconfig 2010-11-06 18:58:15.000000000 -0400
48462 @@ -1067,7 +1067,7 @@ config SLUB_DEBUG
48465 bool "Disable heap randomization"
48469 Randomizing heap placement makes heap exploits harder, but it
48470 also breaks ancient binaries (including anything libc5 based).
48471 diff -urNp linux-2.6.36.1/init/main.c linux-2.6.36.1/init/main.c
48472 --- linux-2.6.36.1/init/main.c 2010-10-20 16:30:22.000000000 -0400
48473 +++ linux-2.6.36.1/init/main.c 2010-11-06 18:58:50.000000000 -0400
48474 @@ -95,6 +95,7 @@ static inline void mark_rodata_ro(void)
48476 extern void tc_init(void);
48478 +extern void grsecurity_init(void);
48480 enum system_states system_state __read_mostly;
48481 EXPORT_SYMBOL(system_state);
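Review bot: The `extern void grsecurity_init(void);` added to init/main.c is a hand-written prototype, so the compiler never checks it against the definition in the grsecurity code and a future signature change will go unnoticed until link time or later. Put the declaration in a header that the defining file also includes (a grsecurity header under include/linux/) and include that from main.c instead. The same applies to the `pax_enter_kernel_user`/`pax_exit_kernel_user`/`clone_pgd_mask` externs introduced in the next hunk of this file.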
48482 @@ -197,6 +198,47 @@ static int __init set_reset_devices(char
48484 __setup("reset_devices", set_reset_devices);
48486 +#if defined(CONFIG_X86_64) && defined(CONFIG_PAX_MEMORY_UDEREF)
48487 +extern void pax_enter_kernel_user(void);
48488 +extern void pax_exit_kernel_user(void);
48489 +extern pgdval_t clone_pgd_mask;
48492 +#if defined(CONFIG_X86) && defined(CONFIG_PAX_MEMORY_UDEREF)
48493 +static int __init setup_pax_nouderef(char *str)
48495 +#ifdef CONFIG_X86_32
48496 + unsigned int cpu;
48498 + for (cpu = 0; cpu < NR_CPUS; cpu++) {
48499 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].type = 3;
48500 + get_cpu_gdt_table(cpu)[GDT_ENTRY_KERNEL_DS].limit = 0xf;
48502 + asm("mov %0, %%ds" : : "r" (__KERNEL_DS) : "memory");
48503 + asm("mov %0, %%es" : : "r" (__KERNEL_DS) : "memory");
48504 + asm("mov %0, %%ss" : : "r" (__KERNEL_DS) : "memory");
48506 + memcpy(pax_enter_kernel_user, (unsigned char []){0xc3}, 1);
48507 + memcpy(pax_exit_kernel_user, (unsigned char []){0xc3}, 1);
48508 + clone_pgd_mask = ~(pgdval_t)0UL;
48513 +early_param("pax_nouderef", setup_pax_nouderef);
48516 +#ifdef CONFIG_PAX_SOFTMODE
48517 +unsigned int pax_softmode;
48519 +static int __init setup_pax_softmode(char *str)
48521 + get_option(&str, &pax_softmode);
48524 +__setup("pax_softmode=", setup_pax_softmode);
48527 static const char * argv_init[MAX_INIT_ARGS+2] = { "init", NULL, };
48528 const char * envp_init[MAX_INIT_ENVS+2] = { "HOME=/", "TERM=linux", NULL, };
48529 static const char *panic_later, *panic_param;
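Review bot: `setup_pax_softmode` stores whatever integer `get_option()` parses straight into `pax_softmode`, so `pax_softmode=2` leaves a non-boolean value that any later `if (pax_softmode)` versus `== 1` style test may treat differently; normalising it with `pax_softmode = !!pax_softmode;` after the `get_option()` call keeps the flag strictly 0/1. The command line comes from the boot loader and is trusted, so this is robustness rather than a hole. In `setup_pax_nouderef` the two `memcpy(..., (unsigned char []){0xc3}, 1)` calls overwrite the first byte of kernel text with a `ret`; that relies on text still being writable when early params are parsed (presumably before `mark_rodata_ro()`), which deserves a one-line comment at the call site, e.g. `/* patch the entry/exit stubs into a bare ret; text is still writable this early */`. Several lines of this hunk are elided in the listing, so the `#else`/`#endif` structure was not checked.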
48530 @@ -743,6 +785,7 @@ int __init_or_module do_one_initcall(ini
48532 int count = preempt_count();
48534 + const char *msg1 = "", *msg2 = "";
48536 if (initcall_debug)
48537 ret = do_one_initcall_debug(fn);
48538 @@ -755,15 +798,15 @@ int __init_or_module do_one_initcall(ini
48539 sprintf(msgbuf, "error code %d ", ret);
48541 if (preempt_count() != count) {
48542 - strlcat(msgbuf, "preemption imbalance ", sizeof(msgbuf));
48543 + msg1 = " preemption imbalance";
48544 preempt_count() = count;
48546 if (irqs_disabled()) {
48547 - strlcat(msgbuf, "disabled interrupts ", sizeof(msgbuf));
48548 + msg2 = " disabled interrupts";
48549 local_irq_enable();
48552 - printk("initcall %pF returned with %s\n", fn, msgbuf);
48553 + if (msgbuf[0] || *msg1 || *msg2) {
48554 + printk("initcall %pF returned with %s%s%s\n", fn, msgbuf, msg1, msg2);
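Review bot: The rewritten diagnostic in `do_one_initcall` now prints a doubled space: `msgbuf` is formatted as `"error code %d "` with a trailing blank (visible above the hunk), while `msg1` and `msg2` carry a leading blank, so the output becomes `error code -5  preemption imbalance`, and `returned with  preemption imbalance` when there is no error code. Keep the original trailing-space convention instead, `msg1 = "preemption imbalance ";` and `msg2 = "disabled interrupts ";`, which makes the new `%s%s%s` output byte-identical to what the old `strlcat()` form produced. The `if (msgbuf[0] || *msg1 || *msg2)` guard itself is a good change since it stops the empty `returned with ` line.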
48558 @@ -893,7 +936,7 @@ static int __init kernel_init(void * unu
48561 /* Open the /dev/console on the rootfs, this should never fail */
48562 - if (sys_open((const char __user *) "/dev/console", O_RDWR, 0) < 0)
48563 + if (sys_open((__force const char __user *) "/dev/console", O_RDWR, 0) < 0)
48564 printk(KERN_WARNING "Warning: unable to open an initial console.\n");
48567 @@ -906,11 +949,13 @@ static int __init kernel_init(void * unu
48568 if (!ramdisk_execute_command)
48569 ramdisk_execute_command = "/init";
48571 - if (sys_access((const char __user *) ramdisk_execute_command, 0) != 0) {
48572 + if (sys_access((__force const char __user *) ramdisk_execute_command, 0) != 0) {
48573 ramdisk_execute_command = NULL;
48574 prepare_namespace();
48577 + grsecurity_init();
48580 * Ok, we have completed the initial bootup, and
48581 * we're essentially up and running. Get rid of the
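Review bot: `grsecurity_init()` is called with no comment on why it has to run exactly here — after `prepare_namespace()` has mounted the root filesystem but before init is executed — and that ordering constraint is not obvious to a later reader who might move it earlier with the other subsystem inits. I'd add `/* needs the real root filesystem mounted, but must run before init is exec'd */`, adjusted to whatever `grsecurity_init()` actually touches; its body is not visible here, so the stated reason is presumed. The enclosing `kernel_init()` continues outside the hunk.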
48582 diff -urNp linux-2.6.36.1/init/noinitramfs.c linux-2.6.36.1/init/noinitramfs.c
48583 --- linux-2.6.36.1/init/noinitramfs.c 2010-10-20 16:30:22.000000000 -0400
48584 +++ linux-2.6.36.1/init/noinitramfs.c 2010-11-06 18:58:15.000000000 -0400
48585 @@ -29,17 +29,17 @@ static int __init default_rootfs(void)
48589 - err = sys_mkdir("/dev", 0755);
48590 + err = sys_mkdir((const char __user *)"/dev", 0755);
48594 - err = sys_mknod((const char __user *) "/dev/console",
48595 + err = sys_mknod((__force const char __user *) "/dev/console",
48596 S_IFCHR | S_IRUSR | S_IWUSR,
48597 new_encode_dev(MKDEV(5, 1)));
48601 - err = sys_mkdir("/root", 0700);
48602 + err = sys_mkdir((const char __user *)"/root", 0700);
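Review bot: The two `(const char __user *)` casts added for `"/dev"` and `"/root"` lack the `__force` that the `"/dev/console"` cast in the same hunk and every other converted call in this patch carry; sparse warns about a cast that adds an address space unless it is marked `__force`, so these two lines will keep producing exactly the warning the patch is trying to silence. Change them to `(__force const char __user *)"/dev"` and `(__force const char __user *)"/root"` for consistency with the rest of the series.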
48606 diff -urNp linux-2.6.36.1/ipc/compat.c linux-2.6.36.1/ipc/compat.c
48607 --- linux-2.6.36.1/ipc/compat.c 2010-10-20 16:30:22.000000000 -0400
48608 +++ linux-2.6.36.1/ipc/compat.c 2010-11-06 18:58:50.000000000 -0400
48609 @@ -241,6 +241,8 @@ long compat_sys_semctl(int first, int se
48610 struct semid64_ds __user *up64;
48611 int version = compat_ipc_parse_version(&third);
48613 + memset(&s64, 0, sizeof(s64));
48617 if (get_user(pad, (u32 __user *) uptr))
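Review bot: The `memset(&s64, 0, sizeof(s64))` is correct but silent about its purpose, and a reader who sees every field assigned later will be tempted to drop it as redundant. Since the structure, padding bytes included, is presumably copied to user space further down in `compat_sys_semctl` (the copy itself is outside the hunk), add `/* zero padding: s64 is copied to user space below */` so the kernel-stack disclosure it prevents is documented. The same comment belongs on the `m64` and `s64` memsets in the msgctl and shmctl hunks that follow.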
48618 @@ -421,6 +423,8 @@ long compat_sys_msgctl(int first, int se
48619 int version = compat_ipc_parse_version(&second);
48622 + memset(&m64, 0, sizeof(m64));
48624 switch (second & (~IPC_64)) {
48627 @@ -594,6 +598,8 @@ long compat_sys_shmctl(int first, int se
48629 int version = compat_ipc_parse_version(&second);
48631 + memset(&s64, 0, sizeof(s64));
48633 switch (second & (~IPC_64)) {
48636 diff -urNp linux-2.6.36.1/ipc/compat_mq.c linux-2.6.36.1/ipc/compat_mq.c
48637 --- linux-2.6.36.1/ipc/compat_mq.c 2010-10-20 16:30:22.000000000 -0400
48638 +++ linux-2.6.36.1/ipc/compat_mq.c 2010-11-06 18:58:50.000000000 -0400
48639 @@ -53,6 +53,9 @@ asmlinkage long compat_sys_mq_open(const
48640 void __user *p = NULL;
48641 if (u_attr && oflag & O_CREAT) {
48642 struct mq_attr attr;
48644 + memset(&attr, 0, sizeof(attr));
48646 p = compat_alloc_user_space(sizeof(attr));
48647 if (get_compat_mq_attr(&attr, u_attr) ||
48648 copy_to_user(p, &attr, sizeof(attr)))
48649 @@ -127,6 +130,8 @@ asmlinkage long compat_sys_mq_getsetattr
48650 struct mq_attr __user *p = compat_alloc_user_space(2 * sizeof(*p));
48653 + memset(&mqstat, 0, sizeof(mqstat));
48656 if (get_compat_mq_attr(&mqstat, u_mqstat) ||
48657 copy_to_user(p, &mqstat, sizeof(mqstat)))
48658 diff -urNp linux-2.6.36.1/ipc/mqueue.c linux-2.6.36.1/ipc/mqueue.c
48659 --- linux-2.6.36.1/ipc/mqueue.c 2010-10-20 16:30:22.000000000 -0400
48660 +++ linux-2.6.36.1/ipc/mqueue.c 2010-11-06 18:58:50.000000000 -0400
48661 @@ -153,6 +153,7 @@ static struct inode *mqueue_get_inode(st
48662 mq_bytes = (mq_msg_tblsz +
48663 (info->attr.mq_maxmsg * info->attr.mq_msgsize));
48665 + gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1);
48666 spin_lock(&mq_lock);
48667 if (u->mq_bytes + mq_bytes < u->mq_bytes ||
48668 u->mq_bytes + mq_bytes >
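Review bot: The new `gr_learn_resource(current, RLIMIT_MSGQUEUE, u->mq_bytes + mq_bytes, 1)` is evaluated before `spin_lock(&mq_lock)`, so `u->mq_bytes` is read without the lock that protects it, and the sum is formed before the overflow test `u->mq_bytes + mq_bytes < u->mq_bytes` on the following lines; for a large `mq_maxmsg * mq_msgsize` the value learned can be a wrapped one. Moving the call under the lock, after the overflow check, would report only values the kernel actually accepts; if `gr_learn_resource()` may sleep that is not possible and the unlocked read should at least be commented as advisory. The behaviour of `gr_learn_resource()` is not visible here.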
48669 diff -urNp linux-2.6.36.1/ipc/shm.c linux-2.6.36.1/ipc/shm.c
48670 --- linux-2.6.36.1/ipc/shm.c 2010-10-20 16:30:22.000000000 -0400
48671 +++ linux-2.6.36.1/ipc/shm.c 2010-11-06 18:58:50.000000000 -0400
48672 @@ -69,6 +69,14 @@ static void shm_destroy (struct ipc_name
48673 static int sysvipc_shm_proc_show(struct seq_file *s, void *it);
48676 +#ifdef CONFIG_GRKERNSEC
48677 +extern int gr_handle_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48678 + const time_t shm_createtime, const uid_t cuid,
48679 + const int shmid);
48680 +extern int gr_chroot_shmat(const pid_t shm_cprid, const pid_t shm_lapid,
48681 + const time_t shm_createtime);
48684 void shm_init_ns(struct ipc_namespace *ns)
48686 ns->shm_ctlmax = SHMMAX;
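Review bot: The `gr_handle_shmat()` and `gr_chroot_shmat()` prototypes are declared by hand inside ipc/shm.c, so nothing checks them against the grsecurity definitions and they will drift silently if the definition changes; they should come from a shared header included here, as the other `gr_*` helpers this patch calls presumably are. The `const` qualifiers on the by-value parameters (`const pid_t`, `const time_t`, `const int`) are declaration noise in a prototype and can be dropped.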
48687 @@ -395,6 +403,14 @@ static int newseg(struct ipc_namespace *
48688 shp->shm_lprid = 0;
48689 shp->shm_atim = shp->shm_dtim = 0;
48690 shp->shm_ctim = get_seconds();
48691 +#ifdef CONFIG_GRKERNSEC
48693 + struct timespec timeval;
48694 + do_posix_clock_monotonic_gettime(&timeval);
48696 + shp->shm_createtime = timeval.tv_sec;
48699 shp->shm_segsz = size;
48700 shp->shm_nattch = 0;
48701 shp->shm_file = file;
48702 @@ -473,6 +489,8 @@ static inline unsigned long copy_shmid_t
48704 struct shmid_ds out;
48706 + memset(&out, 0, sizeof(out));
48708 ipc64_perm_to_ipc_perm(&in->shm_perm, &out.shm_perm);
48709 out.shm_segsz = in->shm_segsz;
48710 out.shm_atime = in->shm_atime;
48711 @@ -877,9 +895,21 @@ long do_shmat(int shmid, char __user *sh
48715 +#ifdef CONFIG_GRKERNSEC
48716 + if (!gr_handle_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime,
48717 + shp->shm_perm.cuid, shmid) ||
48718 + !gr_chroot_shmat(shp->shm_cprid, shp->shm_lapid, shp->shm_createtime)) {
48724 path = shp->shm_file->f_path;
48727 +#ifdef CONFIG_GRKERNSEC
48728 + shp->shm_lapid = current->pid;
48730 size = i_size_read(path.dentry->d_inode);
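Review bot: `shp->shm_lapid = current->pid` records the raw, init-namespace thread id of the attacher, whereas the upstream `shm_lprid` assignment in the same function (outside the hunk) uses `task_tgid_vnr(current)`; with threads or pid namespaces the two differ, and whatever `gr_handle_shmat()` compares `shm_lapid` against (its `shm_cprid`, recorded elsewhere) must use the same convention or the check will misfire. If a global id is intended, `task_pid_nr(current)` says so explicitly; if the creator id is a thread-group id, `task_tgid_nr(current)` is the matching choice. Part of the new condition and its failure branch are elided in this listing, so only the assignment was checked.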
48733 diff -urNp linux-2.6.36.1/kernel/acct.c linux-2.6.36.1/kernel/acct.c
48734 --- linux-2.6.36.1/kernel/acct.c 2010-10-20 16:30:22.000000000 -0400
48735 +++ linux-2.6.36.1/kernel/acct.c 2010-11-06 18:58:15.000000000 -0400
48736 @@ -570,7 +570,7 @@ static void do_acct_process(struct bsd_a
48738 flim = current->signal->rlim[RLIMIT_FSIZE].rlim_cur;
48739 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = RLIM_INFINITY;
48740 - file->f_op->write(file, (char *)&ac,
48741 + file->f_op->write(file, (__force char __user *)&ac,
48742 sizeof(acct_t), &file->f_pos);
48743 current->signal->rlim[RLIMIT_FSIZE].rlim_cur = flim;
48745 diff -urNp linux-2.6.36.1/kernel/capability.c linux-2.6.36.1/kernel/capability.c
48746 --- linux-2.6.36.1/kernel/capability.c 2010-10-20 16:30:22.000000000 -0400
48747 +++ linux-2.6.36.1/kernel/capability.c 2010-11-06 18:58:50.000000000 -0400
48748 @@ -205,6 +205,9 @@ SYSCALL_DEFINE2(capget, cap_user_header_
48749 * before modification is attempted and the application
48752 + if (tocopy > ARRAY_SIZE(kdata))
48755 if (copy_to_user(dataptr, kdata, tocopy
48756 * sizeof(struct __user_cap_data_struct))) {
48758 @@ -306,10 +309,21 @@ int capable(int cap)
48762 - if (security_capable(cap) == 0) {
48763 + if (security_capable(cap) == 0 && gr_is_capable(cap)) {
48764 + current->flags |= PF_SUPERPRIV;
48770 +int capable_nolog(int cap)
48772 + if (security_capable(cap) == 0 && gr_is_capable_nolog(cap)) {
48773 current->flags |= PF_SUPERPRIV;
48779 EXPORT_SYMBOL(capable);
48780 +EXPORT_SYMBOL(capable_nolog);
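Review bot: `capable_nolog()` duplicates the body of `capable()` except for calling `gr_is_capable_nolog()` instead of `gr_is_capable()`, and it is exported with `EXPORT_SYMBOL` while no prototype for it is visible in this hunk; it needs a declaration in include/linux/capability.h next to `capable()` so callers are type-checked, and factoring both into one `static bool __capable(int cap, bool log)` avoids the copy. Exporting an unlogged capability check also means any module can presumably bypass whatever logging `gr_is_capable()` performs, so a comment on the function saying which callers it is meant for would help reviewers of later users.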
48781 diff -urNp linux-2.6.36.1/kernel/compat.c linux-2.6.36.1/kernel/compat.c
48782 --- linux-2.6.36.1/kernel/compat.c 2010-10-20 16:30:22.000000000 -0400
48783 +++ linux-2.6.36.1/kernel/compat.c 2010-11-06 18:58:50.000000000 -0400
48786 #include <linux/linkage.h>
48787 #include <linux/compat.h>
48788 +#include <linux/module.h>
48789 #include <linux/errno.h>
48790 #include <linux/time.h>
48791 #include <linux/signal.h>
48792 diff -urNp linux-2.6.36.1/kernel/configs.c linux-2.6.36.1/kernel/configs.c
48793 --- linux-2.6.36.1/kernel/configs.c 2010-10-20 16:30:22.000000000 -0400
48794 +++ linux-2.6.36.1/kernel/configs.c 2010-11-06 18:58:50.000000000 -0400
48795 @@ -73,8 +73,19 @@ static int __init ikconfig_init(void)
48796 struct proc_dir_entry *entry;
48798 /* create the current config file */
48799 +#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)
48800 +#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)
48801 + entry = proc_create("config.gz", S_IFREG | S_IRUSR, NULL,
48802 + &ikconfig_file_ops);
48803 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
48804 + entry = proc_create("config.gz", S_IFREG | S_IRUSR | S_IRGRP, NULL,
48805 + &ikconfig_file_ops);
48808 entry = proc_create("config.gz", S_IFREG | S_IRUGO, NULL,
48809 &ikconfig_file_ops);
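Review bot: In the `CONFIG_GRKERNSEC_PROC_USERGROUP` branch the entry is created with `S_IRUSR | S_IRGRP` but no assignment of `entry->gid` is visible in the hunk; unless the elided lines set it to the configured group, the group bit only grants gid 0 read access and the option changes nothing. The nested `#if defined(CONFIG_GRKERNSEC_PROC_ADD) || defined(CONFIG_GRKERNSEC_HIDESYM)` / `#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_HIDESYM)` pair also repeats the HIDESYM test; computing the mode once into a local (`mode_t mode = S_IRUGO;` narrowed by the config) and making a single `proc_create()` call would be easier to audit than three call sites.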
48815 diff -urNp linux-2.6.36.1/kernel/cred.c linux-2.6.36.1/kernel/cred.c
48816 --- linux-2.6.36.1/kernel/cred.c 2010-10-20 16:30:22.000000000 -0400
48817 +++ linux-2.6.36.1/kernel/cred.c 2010-11-06 18:58:50.000000000 -0400
48818 @@ -485,6 +485,8 @@ int commit_creds(struct cred *new)
48820 get_cred(new); /* we will require a ref for the subj creds too */
48822 + gr_set_role_label(task, new->uid, new->gid);
48824 /* dumpability changes */
48825 if (old->euid != new->euid ||
48826 old->egid != new->egid ||
48827 diff -urNp linux-2.6.36.1/kernel/debug/debug_core.c linux-2.6.36.1/kernel/debug/debug_core.c
48828 --- linux-2.6.36.1/kernel/debug/debug_core.c 2010-10-20 16:30:22.000000000 -0400
48829 +++ linux-2.6.36.1/kernel/debug/debug_core.c 2010-11-06 18:58:15.000000000 -0400
48830 @@ -71,7 +71,7 @@ int kgdb_io_module_registered;
48831 /* Guard for recursive entry */
48832 static int exception_level;
48834 -struct kgdb_io *dbg_io_ops;
48835 +const struct kgdb_io *dbg_io_ops;
48836 static DEFINE_SPINLOCK(kgdb_registration_lock);
48838 /* kgdb console driver is loaded */
48839 @@ -873,7 +873,7 @@ static void kgdb_initial_breakpoint(void
48841 * Register it with the KGDB core.
48843 -int kgdb_register_io_module(struct kgdb_io *new_dbg_io_ops)
48844 +int kgdb_register_io_module(const struct kgdb_io *new_dbg_io_ops)
48848 @@ -918,7 +918,7 @@ EXPORT_SYMBOL_GPL(kgdb_register_io_modul
48850 * Unregister it with the KGDB core.
48852 -void kgdb_unregister_io_module(struct kgdb_io *old_dbg_io_ops)
48853 +void kgdb_unregister_io_module(const struct kgdb_io *old_dbg_io_ops)
48855 BUG_ON(kgdb_connected);
48857 diff -urNp linux-2.6.36.1/kernel/debug/kdb/kdb_main.c linux-2.6.36.1/kernel/debug/kdb/kdb_main.c
48858 --- linux-2.6.36.1/kernel/debug/kdb/kdb_main.c 2010-10-20 16:30:22.000000000 -0400
48859 +++ linux-2.6.36.1/kernel/debug/kdb/kdb_main.c 2010-11-06 18:58:15.000000000 -0400
48860 @@ -1980,7 +1980,7 @@ static int kdb_lsmod(int argc, const cha
48861 list_for_each_entry(mod, kdb_modules, list) {
48863 kdb_printf("%-20s%8u 0x%p ", mod->name,
48864 - mod->core_size, (void *)mod);
48865 + mod->core_size_rx + mod->core_size_rw, (void *)mod);
48866 #ifdef CONFIG_MODULE_UNLOAD
48867 kdb_printf("%4d ", module_refcount(mod));
48869 @@ -1990,7 +1990,7 @@ static int kdb_lsmod(int argc, const cha
48870 kdb_printf(" (Loading)");
48872 kdb_printf(" (Live)");
48873 - kdb_printf(" 0x%p", mod->module_core);
48874 + kdb_printf(" 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
48876 #ifdef CONFIG_MODULE_UNLOAD
48878 diff -urNp linux-2.6.36.1/kernel/exit.c linux-2.6.36.1/kernel/exit.c
48879 --- linux-2.6.36.1/kernel/exit.c 2010-10-20 16:30:22.000000000 -0400
48880 +++ linux-2.6.36.1/kernel/exit.c 2010-11-06 18:58:50.000000000 -0400
48882 #include <asm/pgtable.h>
48883 #include <asm/mmu_context.h>
48885 +#ifdef CONFIG_GRKERNSEC
48886 +extern rwlock_t grsec_exec_file_lock;
48889 static void exit_mm(struct task_struct * tsk);
48891 static void __unhash_process(struct task_struct *p, bool group_dead)
48892 @@ -162,6 +166,8 @@ void release_task(struct task_struct * p
48893 struct task_struct *leader;
48896 + gr_del_task_from_ip_table(p);
48898 tracehook_prepare_release_task(p);
48899 /* don't need to get the RCU readlock here - the process is dead and
48900 * can't be modifying its own credentials. But shut RCU-lockdep up */
48901 @@ -331,11 +337,22 @@ static void reparent_to_kthreadd(void)
48903 write_lock_irq(&tasklist_lock);
48905 +#ifdef CONFIG_GRKERNSEC
48906 + write_lock(&grsec_exec_file_lock);
48907 + if (current->exec_file) {
48908 + fput(current->exec_file);
48909 + current->exec_file = NULL;
48911 + write_unlock(&grsec_exec_file_lock);
48914 ptrace_unlink(current);
48915 /* Reparent to init */
48916 current->real_parent = current->parent = kthreadd_task;
48917 list_move_tail(¤t->sibling, ¤t->real_parent->children);
48919 + gr_set_kernel_label(current);
48921 /* Set the exit signal to SIGCHLD so we signal init on exit */
48922 current->exit_signal = SIGCHLD;
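Review bot: The `fput(current->exec_file)` added in `reparent_to_kthreadd()` runs while `tasklist_lock` is write-locked with interrupts disabled (the `write_lock_irq(&tasklist_lock)` a few lines above) and additionally under `grsec_exec_file_lock`; in this kernel `fput()` is synchronous, and dropping the last reference can call the file's `->release()` and `dput()`/`mntput()`, which may sleep. Save the pointer under the locks (`f = current->exec_file; current->exec_file = NULL;`) and call `fput(f)` only after `write_unlock_irq(&tasklist_lock)`, assuming nothing requires the reference to be gone before the task is reparented. The rest of the function, including that unlock, is outside the hunk.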
48924 @@ -387,7 +404,7 @@ int allow_signal(int sig)
48925 * know it'll be handled, so that they don't get converted to
48926 * SIGKILL or just silently dropped.
48928 - current->sighand->action[(sig)-1].sa.sa_handler = (void __user *)2;
48929 + current->sighand->action[(sig)-1].sa.sa_handler = (__force void __user *)2;
48930 recalc_sigpending();
48931 spin_unlock_irq(¤t->sighand->siglock);
48933 @@ -423,6 +440,17 @@ void daemonize(const char *name, ...)
48934 vsnprintf(current->comm, sizeof(current->comm), name, args);
48937 +#ifdef CONFIG_GRKERNSEC
48938 + write_lock(&grsec_exec_file_lock);
48939 + if (current->exec_file) {
48940 + fput(current->exec_file);
48941 + current->exec_file = NULL;
48943 + write_unlock(&grsec_exec_file_lock);
48946 + gr_set_kernel_label(current);
48949 * If we were started as result of loading a module, close all of the
48950 * user space pages. We don't need them, and if we didn't close them
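Review bot: The lock/`fput()`/`NULL` sequence on `current->exec_file` in `daemonize()` is a line-for-line copy of the one added to `reparent_to_kthreadd()` above; both should call one helper, e.g. `static void gr_drop_exec_file(struct task_struct *tsk)` in the grsecurity code or in this file under `#ifdef CONFIG_GRKERNSEC`, so that the locking rule and the `gr_set_kernel_label()` that always follows it live in one place. The locking context of this copy, whether a spinlock is held here, is outside the hunk, but the same caution about `fput()` possibly sleeping applies.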
48951 @@ -963,6 +991,9 @@ NORET_TYPE void do_exit(long code)
48952 tsk->exit_code = code;
48953 taskstats_exit(tsk, group_dead);
48955 + gr_acl_handle_psacct(tsk, code);
48956 + gr_acl_handle_exit();
48961 diff -urNp linux-2.6.36.1/kernel/fork.c linux-2.6.36.1/kernel/fork.c
48962 --- linux-2.6.36.1/kernel/fork.c 2010-10-20 16:30:22.000000000 -0400
48963 +++ linux-2.6.36.1/kernel/fork.c 2010-11-06 19:20:52.000000000 -0400
48964 @@ -276,7 +276,7 @@ static struct task_struct *dup_task_stru
48965 *stackend = STACK_END_MAGIC; /* for overflow detection */
48967 #ifdef CONFIG_CC_STACKPROTECTOR
48968 - tsk->stack_canary = get_random_int();
48969 + tsk->stack_canary = pax_get_random_long();
48972 /* One for us, one for whoever does the "release_task()" (usually parent) */
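Review bot: Replacing `get_random_int()` with `pax_get_random_long()` for `tsk->stack_canary` has no comment explaining the motivation; presumably it is that `stack_canary` is an `unsigned long` and a 32-bit random value leaves the upper half of the canary zero on 64-bit, but a reader cannot tell that from the line. I'd add `/* fill the whole unsigned long: get_random_int() only yields 32 bits */` above the assignment, adjusted if the real reason differs (`pax_get_random_long()` is not visible here). `dup_task_struct()` continues outside the hunk.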
48973 @@ -298,13 +298,78 @@ out:
48977 +static struct vm_area_struct *dup_vma(struct mm_struct *mm, struct vm_area_struct *mpnt)
48979 + struct vm_area_struct *tmp;
48980 + unsigned long charge;
48981 + struct mempolicy *pol;
48982 + struct file *file;
48985 + if (mpnt->vm_flags & VM_ACCOUNT) {
48986 + unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
48987 + if (security_vm_enough_memory(len))
48991 + tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
48996 + INIT_LIST_HEAD(&tmp->anon_vma_chain);
48997 + pol = mpol_dup(vma_policy(mpnt));
48999 + goto fail_nomem_policy;
49000 + vma_set_policy(tmp, pol);
49001 + if (anon_vma_fork(tmp, mpnt))
49002 + goto fail_nomem_anon_vma_fork;
49003 + tmp->vm_flags &= ~VM_LOCKED;
49004 + tmp->vm_next = tmp->vm_prev = NULL;
49005 + tmp->vm_mirror = NULL;
49006 + file = tmp->vm_file;
49008 + struct inode *inode = file->f_path.dentry->d_inode;
49009 + struct address_space *mapping = file->f_mapping;
49012 + if (tmp->vm_flags & VM_DENYWRITE)
49013 + atomic_dec(&inode->i_writecount);
49014 + spin_lock(&mapping->i_mmap_lock);
49015 + if (tmp->vm_flags & VM_SHARED)
49016 + mapping->i_mmap_writable++;
49017 + tmp->vm_truncate_count = mpnt->vm_truncate_count;
49018 + flush_dcache_mmap_lock(mapping);
49019 + /* insert tmp into the share list, just after mpnt */
49020 + vma_prio_tree_add(tmp, mpnt);
49021 + flush_dcache_mmap_unlock(mapping);
49022 + spin_unlock(&mapping->i_mmap_lock);
49026 + * Clear hugetlb-related page reserves for children. This only
49027 + * affects MAP_PRIVATE mappings. Faults generated by the child
49028 + * are not guaranteed to succeed, even if read-only
49030 + if (is_vm_hugetlb_page(tmp))
49031 + reset_vma_resv_huge_pages(tmp);
49035 +fail_nomem_anon_vma_fork:
49037 +fail_nomem_policy:
49038 + kmem_cache_free(vm_area_cachep, tmp);
49040 + vm_unacct_memory(charge);
49044 static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm)
49046 struct vm_area_struct *mpnt, *tmp, *prev, **pprev;
49047 struct rb_node **rb_link, *rb_parent;
49049 - unsigned long charge;
49050 - struct mempolicy *pol;
49052 down_write(&oldmm->mmap_sem);
49053 flush_cache_dup_mm(oldmm);
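Review bot: In the new `dup_vma()`, `charge` is declared without an initializer and the only use the listing shows is `vm_unacct_memory(charge)` on the `fail_nomem_policy`/`fail_nomem_anon_vma_fork` path, which is reached for VMAs without `VM_ACCOUNT` as well; unless one of the elided lines sets `charge = 0` before the `VM_ACCOUNT` branch, that path unaccounts an uninitialized value. Declaring it as `unsigned long charge = 0;` makes the fail path safe regardless. A short comment on the helper that the caller maps a NULL return to `-ENOMEM` would also help, since the original code propagated `PTR_ERR(pol)` and the new helper collapses every failure to NULL.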
49054 @@ -316,8 +381,8 @@ static int dup_mmap(struct mm_struct *mm
49057 mm->mmap_cache = NULL;
49058 - mm->free_area_cache = oldmm->mmap_base;
49059 - mm->cached_hole_size = ~0UL;
49060 + mm->free_area_cache = oldmm->free_area_cache;
49061 + mm->cached_hole_size = oldmm->cached_hole_size;
49063 cpumask_clear(mm_cpumask(mm));
49064 mm->mm_rb = RB_ROOT;
49065 @@ -330,8 +395,6 @@ static int dup_mmap(struct mm_struct *mm
49068 for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) {
49069 - struct file *file;
49071 if (mpnt->vm_flags & VM_DONTCOPY) {
49072 long pages = vma_pages(mpnt);
49073 mm->total_vm -= pages;
49074 @@ -339,56 +402,13 @@ static int dup_mmap(struct mm_struct *mm
49079 - if (mpnt->vm_flags & VM_ACCOUNT) {
49080 - unsigned int len = (mpnt->vm_end - mpnt->vm_start) >> PAGE_SHIFT;
49081 - if (security_vm_enough_memory(len))
49085 - tmp = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
49089 - INIT_LIST_HEAD(&tmp->anon_vma_chain);
49090 - pol = mpol_dup(vma_policy(mpnt));
49091 - retval = PTR_ERR(pol);
49093 - goto fail_nomem_policy;
49094 - vma_set_policy(tmp, pol);
49096 - if (anon_vma_fork(tmp, mpnt))
49097 - goto fail_nomem_anon_vma_fork;
49098 - tmp->vm_flags &= ~VM_LOCKED;
49099 - tmp->vm_next = tmp->vm_prev = NULL;
49100 - file = tmp->vm_file;
49102 - struct inode *inode = file->f_path.dentry->d_inode;
49103 - struct address_space *mapping = file->f_mapping;
49106 - if (tmp->vm_flags & VM_DENYWRITE)
49107 - atomic_dec(&inode->i_writecount);
49108 - spin_lock(&mapping->i_mmap_lock);
49109 - if (tmp->vm_flags & VM_SHARED)
49110 - mapping->i_mmap_writable++;
49111 - tmp->vm_truncate_count = mpnt->vm_truncate_count;
49112 - flush_dcache_mmap_lock(mapping);
49113 - /* insert tmp into the share list, just after mpnt */
49114 - vma_prio_tree_add(tmp, mpnt);
49115 - flush_dcache_mmap_unlock(mapping);
49116 - spin_unlock(&mapping->i_mmap_lock);
49117 + tmp = dup_vma(mm, mpnt);
49119 + retval = -ENOMEM;
49124 - * Clear hugetlb-related page reserves for children. This only
49125 - * affects MAP_PRIVATE mappings. Faults generated by the child
49126 - * are not guaranteed to succeed, even if read-only
49128 - if (is_vm_hugetlb_page(tmp))
49129 - reset_vma_resv_huge_pages(tmp);
49132 * Link in the new vma and copy the page table entries.
49135 @@ -409,6 +429,31 @@ static int dup_mmap(struct mm_struct *mm
49140 +#ifdef CONFIG_PAX_SEGMEXEC
49141 + if (oldmm->pax_flags & MF_PAX_SEGMEXEC) {
49142 + struct vm_area_struct *mpnt_m;
49144 + for (mpnt = oldmm->mmap, mpnt_m = mm->mmap; mpnt; mpnt = mpnt->vm_next, mpnt_m = mpnt_m->vm_next) {
49145 + BUG_ON(!mpnt_m || mpnt_m->vm_mirror || mpnt->vm_mm != oldmm || mpnt_m->vm_mm != mm);
49147 + if (!mpnt->vm_mirror)
49150 + if (mpnt->vm_end <= SEGMEXEC_TASK_SIZE) {
49151 + BUG_ON(mpnt->vm_mirror->vm_mirror != mpnt);
49152 + mpnt->vm_mirror = mpnt_m;
49154 + BUG_ON(mpnt->vm_mirror->vm_mirror == mpnt || mpnt->vm_mirror->vm_mirror->vm_mm != mm);
49155 + mpnt_m->vm_mirror = mpnt->vm_mirror->vm_mirror;
49156 + mpnt_m->vm_mirror->vm_mirror = mpnt_m;
49157 + mpnt->vm_mirror->vm_mirror = mpnt;
49164 /* a new mm has just been created */
49165 arch_dup_mmap(oldmm, mm);
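Review bot: The `CONFIG_PAX_SEGMEXEC` mirror relinking loop in `dup_mmap()` enforces a non-obvious invariant with four `BUG_ON()`s — that `mm->mmap` and `oldmm->mmap` have the same length and order, that every mirror below `SEGMEXEC_TASK_SIZE` points back at its partner, and that the partner's mirror has already been duplicated — but none of that is written down, and each `BUG_ON` is a panic in the fork path if a later change to VMA copying reorders the lists. A comment above the loop stating the invariant and why the walk over the new list is guaranteed to be parallel to the old one (the preceding copy loop, outside the hunk, appends in order) would make this auditable, and it is worth considering `WARN_ON` plus failing the fork for the cases that only indicate a bookkeeping error.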
49167 @@ -417,14 +462,6 @@ out:
49168 flush_tlb_mm(oldmm);
49169 up_write(&oldmm->mmap_sem);
49171 -fail_nomem_anon_vma_fork:
49173 -fail_nomem_policy:
49174 - kmem_cache_free(vm_area_cachep, tmp);
49176 - retval = -ENOMEM;
49177 - vm_unacct_memory(charge);
49181 static inline int mm_alloc_pgd(struct mm_struct * mm)
49182 @@ -760,13 +797,14 @@ static int copy_fs(unsigned long clone_f
49183 spin_unlock(&fs->lock);
49187 + atomic_inc(&fs->users);
49188 spin_unlock(&fs->lock);
49191 tsk->fs = copy_fs_struct(fs);
49194 + gr_set_chroot_entries(tsk, &tsk->fs->root);
49198 @@ -1020,10 +1058,13 @@ static struct task_struct *copy_process(
49200 if (!vx_nproc_avail(1))
49201 goto bad_fork_free;
49203 + gr_learn_resource(p, RLIMIT_NPROC, atomic_read(&p->real_cred->user->processes), 0);
49205 if (atomic_read(&p->real_cred->user->processes) >=
49206 task_rlimit(p, RLIMIT_NPROC)) {
49207 - if (!capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE) &&
49208 - p->real_cred->user != INIT_USER)
49209 + if (p->real_cred->user != INIT_USER &&
49210 + !capable(CAP_SYS_ADMIN) && !capable(CAP_SYS_RESOURCE))
49211 goto bad_fork_free;
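Review bot: Reordering the `RLIMIT_NPROC` condition to test `p->real_cred->user != INIT_USER` first is behaviour-preserving but not self-explanatory; since this patch routes `capable()` through `gr_is_capable()` and sets `PF_SUPERPRIV` (kernel/capability.c hunk), the point is presumably to avoid a recorded capability check for the root user when the limit is hit, and that deserves a comment such as `/* test INIT_USER first: capable() now logs and sets PF_SUPERPRIV */`. The `gr_learn_resource()` call just above reads `user->processes` unlocked, which matches the existing unlocked `atomic_read()` in the check and is acceptable as an advisory value.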
49214 @@ -1177,6 +1218,8 @@ static struct task_struct *copy_process(
49215 goto bad_fork_free_pid;
49218 + gr_copy_label(p);
49220 p->set_child_tid = (clone_flags & CLONE_CHILD_SETTID) ? child_tidptr : NULL;
49222 * Clear TID on mm_release()?
49223 @@ -1329,6 +1372,8 @@ bad_fork_cleanup_count:
49227 + gr_log_forkfail(retval);
49229 return ERR_PTR(retval);
49232 @@ -1434,6 +1479,8 @@ long do_fork(unsigned long clone_flags,
49233 if (clone_flags & CLONE_PARENT_SETTID)
49234 put_user(nr, parent_tidptr);
49236 + gr_handle_brute_check();
49238 if (clone_flags & CLONE_VFORK) {
49239 p->vfork_done = &vfork;
49240 init_completion(&vfork);
49241 @@ -1558,7 +1605,7 @@ static int unshare_fs(unsigned long unsh
49244 /* don't need lock here; in the worst case we'll do useless copy */
49245 - if (fs->users == 1)
49246 + if (atomic_read(&fs->users) == 1)
49249 *new_fsp = copy_fs_struct(fs);
49250 @@ -1681,7 +1728,8 @@ SYSCALL_DEFINE1(unshare, unsigned long,
49252 spin_lock(&fs->lock);
49253 current->fs = new_fs;
49255 + gr_set_chroot_entries(current, ¤t->fs->root);
49256 + if (atomic_dec_return(&fs->users))
49260 diff -urNp linux-2.6.36.1/kernel/futex.c linux-2.6.36.1/kernel/futex.c
49261 --- linux-2.6.36.1/kernel/futex.c 2010-11-26 18:26:25.000000000 -0500
49262 +++ linux-2.6.36.1/kernel/futex.c 2010-11-26 18:27:14.000000000 -0500
49264 #include <linux/mount.h>
49265 #include <linux/pagemap.h>
49266 #include <linux/syscalls.h>
49267 +#include <linux/ptrace.h>
49268 #include <linux/signal.h>
49269 #include <linux/module.h>
49270 #include <linux/magic.h>
49271 @@ -221,6 +222,11 @@ get_futex_key(u32 __user *uaddr, int fsh
49275 +#ifdef CONFIG_PAX_SEGMEXEC
49276 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && address >= SEGMEXEC_TASK_SIZE)
49281 * The futex address must be "naturally" aligned.
49283 @@ -1841,7 +1847,7 @@ retry:
49285 restart = ¤t_thread_info()->restart_block;
49286 restart->fn = futex_wait_restart;
49287 - restart->futex.uaddr = (u32 *)uaddr;
49288 + restart->futex.uaddr = uaddr;
49289 restart->futex.val = val;
49290 restart->futex.time = abs_time->tv64;
49291 restart->futex.bitset = bitset;
49292 @@ -2377,7 +2383,9 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49294 struct robust_list_head __user *head;
49296 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49297 const struct cred *cred = current_cred(), *pcred;
49300 if (!futex_cmpxchg_enabled)
49302 @@ -2393,11 +2401,16 @@ SYSCALL_DEFINE3(get_robust_list, int, pi
49306 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49307 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49310 pcred = __task_cred(p);
49311 if (cred->euid != pcred->euid &&
49312 cred->euid != pcred->uid &&
49313 !capable(CAP_SYS_PTRACE))
49316 head = p->robust_list;
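Review bot: The `ptrace_may_access(p, PTRACE_MODE_READ)` check is a stricter and more complete test than the euid comparison it replaces (it also honours dumpability and LSM hooks), yet it is compiled in only under `CONFIG_GRKERNSEC_PROC_MEMMAP`, leaving two different access policies for `get_robust_list` depending on configuration; unless something in that option specifically depends on it, use the `ptrace_may_access()` form unconditionally and drop the `#ifdef`s together with the now-conditional `cred`/`pcred` declarations. The `rcu_read_lock()` that the original euid path relies on is outside the hunk, so the new branch's locking context was not verified.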
49319 @@ -2459,7 +2472,7 @@ retry:
49321 static inline int fetch_robust_entry(struct robust_list __user **entry,
49322 struct robust_list __user * __user *head,
49324 + unsigned int *pi)
49326 unsigned long uentry;
49328 diff -urNp linux-2.6.36.1/kernel/futex_compat.c linux-2.6.36.1/kernel/futex_compat.c
49329 --- linux-2.6.36.1/kernel/futex_compat.c 2010-10-20 16:30:22.000000000 -0400
49330 +++ linux-2.6.36.1/kernel/futex_compat.c 2010-11-06 18:58:50.000000000 -0400
49332 #include <linux/compat.h>
49333 #include <linux/nsproxy.h>
49334 #include <linux/futex.h>
49335 +#include <linux/ptrace.h>
49337 #include <asm/uaccess.h>
49339 @@ -135,7 +136,10 @@ compat_sys_get_robust_list(int pid, comp
49341 struct compat_robust_list_head __user *head;
49343 - const struct cred *cred = current_cred(), *pcred;
49344 +#ifndef CONFIG_GRKERNSEC_PROC_MEMMAP
49345 + const struct cred *cred = current_cred();
49346 + const struct cred *pcred;
49349 if (!futex_cmpxchg_enabled)
49351 @@ -151,11 +155,16 @@ compat_sys_get_robust_list(int pid, comp
49355 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
49356 + if (!ptrace_may_access(p, PTRACE_MODE_READ))
49359 pcred = __task_cred(p);
49360 if (cred->euid != pcred->euid &&
49361 cred->euid != pcred->uid &&
49362 !capable(CAP_SYS_PTRACE))
49365 head = p->compat_robust_list;
49368 diff -urNp linux-2.6.36.1/kernel/gcov/base.c linux-2.6.36.1/kernel/gcov/base.c
49369 --- linux-2.6.36.1/kernel/gcov/base.c 2010-10-20 16:30:22.000000000 -0400
49370 +++ linux-2.6.36.1/kernel/gcov/base.c 2010-11-06 18:58:15.000000000 -0400
49371 @@ -102,11 +102,6 @@ void gcov_enable_events(void)
49374 #ifdef CONFIG_MODULES
49375 -static inline int within(void *addr, void *start, unsigned long size)
49377 - return ((addr >= start) && (addr < start + size));
49380 /* Update list and generate events when modules are unloaded. */
49381 static int gcov_module_notifier(struct notifier_block *nb, unsigned long event,
49383 @@ -121,7 +116,7 @@ static int gcov_module_notifier(struct n
49385 /* Remove entries located in module from linked list. */
49386 for (info = gcov_info_head; info; info = info->next) {
49387 - if (within(info, mod->module_core, mod->core_size)) {
49388 + if (within_module_core_rw((unsigned long)info, mod)) {
49390 prev->next = info->next;
49392 diff -urNp linux-2.6.36.1/kernel/hrtimer.c linux-2.6.36.1/kernel/hrtimer.c
49393 --- linux-2.6.36.1/kernel/hrtimer.c 2010-10-20 16:30:22.000000000 -0400
49394 +++ linux-2.6.36.1/kernel/hrtimer.c 2010-11-06 18:58:15.000000000 -0400
49395 @@ -1401,7 +1401,7 @@ void hrtimer_peek_ahead_timers(void)
49396 local_irq_restore(flags);
49399 -static void run_hrtimer_softirq(struct softirq_action *h)
49400 +static void run_hrtimer_softirq(void)
49402 hrtimer_peek_ahead_timers();
49404 diff -urNp linux-2.6.36.1/kernel/kallsyms.c linux-2.6.36.1/kernel/kallsyms.c
49405 --- linux-2.6.36.1/kernel/kallsyms.c 2010-10-20 16:30:22.000000000 -0400
49406 +++ linux-2.6.36.1/kernel/kallsyms.c 2010-11-06 18:58:50.000000000 -0400
49408 * Changed the compression method from stem compression to "table lookup"
49409 * compression (see scripts/kallsyms.c for a more complete description)
49411 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49412 +#define __INCLUDED_BY_HIDESYM 1
49414 #include <linux/kallsyms.h>
49415 #include <linux/module.h>
49416 #include <linux/init.h>
49417 @@ -53,12 +56,33 @@ extern const unsigned long kallsyms_mark
49419 static inline int is_kernel_inittext(unsigned long addr)
49421 + if (system_state != SYSTEM_BOOTING)
49424 if (addr >= (unsigned long)_sinittext
49425 && addr <= (unsigned long)_einittext)
49430 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49431 +#ifdef CONFIG_MODULES
49432 +static inline int is_module_text(unsigned long addr)
49434 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END)
49437 + addr = ktla_ktva(addr);
49438 + return (unsigned long)MODULES_EXEC_VADDR <= addr && addr <= (unsigned long)MODULES_EXEC_END;
49441 +static inline int is_module_text(unsigned long addr)
49448 static inline int is_kernel_text(unsigned long addr)
49450 if ((addr >= (unsigned long)_stext && addr <= (unsigned long)_etext) ||
49451 @@ -69,13 +93,28 @@ static inline int is_kernel_text(unsigne
49453 static inline int is_kernel(unsigned long addr)
49456 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49457 + if (is_kernel_text(addr) || is_kernel_inittext(addr))
49460 + if (ktla_ktva((unsigned long)_text) <= addr && addr < (unsigned long)_end)
49462 if (addr >= (unsigned long)_stext && addr <= (unsigned long)_end)
49466 return in_gate_area_no_task(addr);
49469 static int is_ksym_addr(unsigned long addr)
49472 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
49473 + if (is_module_text(addr))
49478 return is_kernel(addr);
49480 @@ -416,7 +455,6 @@ static unsigned long get_ksymbol_core(st
49482 static void reset_iter(struct kallsym_iter *iter, loff_t new_pos)
49484 - iter->name[0] = '\0';
49485 iter->nameoff = get_symbol_offset(new_pos);
49486 iter->pos = new_pos;
49488 @@ -464,6 +502,11 @@ static int s_show(struct seq_file *m, vo
49490 struct kallsym_iter *iter = m->private;
49492 +#ifdef CONFIG_GRKERNSEC_HIDESYM
49493 + if (current_uid())
49497 /* Some debugging symbols have no name. Ignore them. */
49498 if (!iter->name[0])
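Review bot: The `if (current_uid())` gate in s_show() hides symbols from any non-zero uid, whereas the analogous dmesg restriction in kernel/printk.c in this same patch tests `capable(CAP_SYS_ADMIN)`; two different predicates for two similar address-disclosure controls make the policy harder to reason about, and kernel/kmod.c at least explains in a comment why uid rather than a capability is used there. A one-line comment giving the rationale here, e.g. `/* HIDESYM: only uid 0 may see symbol names and addresses */`, would avoid the question. The body of the `if` is cut from this excerpt.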
49500 @@ -504,7 +547,7 @@ static int kallsyms_open(struct inode *i
49501 struct kallsym_iter *iter;
49504 - iter = kmalloc(sizeof(*iter), GFP_KERNEL);
49505 + iter = kzalloc(sizeof(*iter), GFP_KERNEL);
49508 reset_iter(iter, 0);
49509 diff -urNp linux-2.6.36.1/kernel/kmod.c linux-2.6.36.1/kernel/kmod.c
49510 --- linux-2.6.36.1/kernel/kmod.c 2010-10-20 16:30:22.000000000 -0400
49511 +++ linux-2.6.36.1/kernel/kmod.c 2010-11-06 18:58:50.000000000 -0400
49512 @@ -90,6 +90,18 @@ int __request_module(bool wait, const ch
49516 +#ifdef CONFIG_GRKERNSEC_MODHARDEN
49517 + /* we could do a tighter check here, but some distros
49518 + are taking it upon themselves to remove CAP_SYS_MODULE
49519 + from even root-running apps which cause modules to be
49522 + if (current_uid()) {
49523 + gr_log_nonroot_mod_load(module_name);
49528 /* If modprobe needs a service that is in a module, we get a recursive
49529 * loop. Limit the number of running kmod threads to max_threads/2 or
49530 * MAX_KMOD_CONCURRENT, whichever is the smaller. A cleaner method
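Review bot: The `if (current_uid())` gate added to __request_module() rejects every module autoload whose caller is not uid 0, which includes in-kernel request_module() calls reached from unprivileged syscalls (protocol families, filesystems, binfmt handlers), not only explicit loads; the comment above it explains why uid rather than CAP_SYS_MODULE is tested but says nothing about this wider effect. A line such as `/* also blocks kernel-internal autoloads triggered by the caller, e.g. net protocol or fs modules */` would tell a maintainer what behaviour change to expect when enabling MODHARDEN. The denial return after `gr_log_nonroot_mod_load(module_name)` is cut from this excerpt.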
49531 diff -urNp linux-2.6.36.1/kernel/kprobes.c linux-2.6.36.1/kernel/kprobes.c
49532 --- linux-2.6.36.1/kernel/kprobes.c 2010-10-20 16:30:22.000000000 -0400
49533 +++ linux-2.6.36.1/kernel/kprobes.c 2010-11-06 18:58:15.000000000 -0400
49534 @@ -183,7 +183,7 @@ static kprobe_opcode_t __kprobes *__get_
49535 * kernel image and loaded module images reside. This is required
49536 * so x86_64 can correctly handle the %rip-relative fixups.
49538 - kip->insns = module_alloc(PAGE_SIZE);
49539 + kip->insns = module_alloc_exec(PAGE_SIZE);
49543 @@ -223,7 +223,7 @@ static int __kprobes collect_one_slot(st
49545 if (!list_is_singular(&kip->list)) {
49546 list_del(&kip->list);
49547 - module_free(NULL, kip->insns);
49548 + module_free_exec(NULL, kip->insns);
49552 @@ -1709,7 +1709,7 @@ static int __init init_kprobes(void)
49555 unsigned long offset = 0, size = 0;
49556 - char *modname, namebuf[128];
49557 + char *modname, namebuf[KSYM_NAME_LEN];
49558 const char *symbol_name;
49560 struct kprobe_blackpoint *kb;
49561 @@ -1835,7 +1835,7 @@ static int __kprobes show_kprobe_addr(st
49562 const char *sym = NULL;
49563 unsigned int i = *(loff_t *) v;
49564 unsigned long offset = 0;
49565 - char *modname, namebuf[128];
49566 + char *modname, namebuf[KSYM_NAME_LEN];
49568 head = &kprobe_table[i];
49570 diff -urNp linux-2.6.36.1/kernel/lockdep.c linux-2.6.36.1/kernel/lockdep.c
49571 --- linux-2.6.36.1/kernel/lockdep.c 2010-10-20 16:30:22.000000000 -0400
49572 +++ linux-2.6.36.1/kernel/lockdep.c 2010-11-06 18:58:15.000000000 -0400
49573 @@ -571,6 +571,10 @@ static int static_obj(void *obj)
49574 end = (unsigned long) &_end,
49575 addr = (unsigned long) obj;
49577 +#ifdef CONFIG_PAX_KERNEXEC
49578 + start = ktla_ktva(start);
49584 @@ -696,6 +700,7 @@ register_lock_class(struct lockdep_map *
49585 if (!static_obj(lock->key)) {
49587 printk("INFO: trying to register non-static key.\n");
49588 + printk("lock:%pS key:%pS.\n", lock, lock->key);
49589 printk("the code is fine but needs lockdep annotation.\n");
49590 printk("turning off the locking correctness validator.\n");
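Review bot: The new `printk("lock:%pS key:%pS.\n", lock, lock->key)` in register_lock_class() prints two kernel addresses with `%pS` at the default loglevel, while the same patch changes `%pS` to `%pA` in kernel/panic.c, presumably to avoid exposing raw kernel addresses when symbol hiding is enabled. This path is reached precisely when `lock->key` is not a static object (see the "non-static key" message just above), so `%pS` will usually resolve it to a bare address rather than a symbol anyway. If `%pA` is the address-hiding variant, use it here too for consistency: `printk("lock:%pA key:%pA.\n", lock, lock->key);`.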
49592 diff -urNp linux-2.6.36.1/kernel/lockdep_proc.c linux-2.6.36.1/kernel/lockdep_proc.c
49593 --- linux-2.6.36.1/kernel/lockdep_proc.c 2010-10-20 16:30:22.000000000 -0400
49594 +++ linux-2.6.36.1/kernel/lockdep_proc.c 2010-11-06 18:58:15.000000000 -0400
49595 @@ -39,7 +39,7 @@ static void l_stop(struct seq_file *m, v
49597 static void print_name(struct seq_file *m, struct lock_class *class)
49600 + char str[KSYM_NAME_LEN];
49601 const char *name = class->name;
49604 diff -urNp linux-2.6.36.1/kernel/module.c linux-2.6.36.1/kernel/module.c
49605 --- linux-2.6.36.1/kernel/module.c 2010-10-20 16:30:22.000000000 -0400
49606 +++ linux-2.6.36.1/kernel/module.c 2010-11-06 18:58:50.000000000 -0400
49607 @@ -96,7 +96,8 @@ static BLOCKING_NOTIFIER_HEAD(module_not
49609 /* Bounds of module allocation, for speeding __module_address.
49610 * Protected by module_mutex. */
49611 -static unsigned long module_addr_min = -1UL, module_addr_max = 0;
49612 +static unsigned long module_addr_min_rw = -1UL, module_addr_max_rw = 0;
49613 +static unsigned long module_addr_min_rx = -1UL, module_addr_max_rx = 0;
49615 int register_module_notifier(struct notifier_block * nb)
49617 @@ -260,7 +261,7 @@ bool each_symbol(bool (*fn)(const struct
49620 list_for_each_entry_rcu(mod, &modules, list) {
49621 - struct symsearch arr[] = {
49622 + struct symsearch modarr[] = {
49623 { mod->syms, mod->syms + mod->num_syms, mod->crcs,
49624 NOT_GPL_ONLY, false },
49625 { mod->gpl_syms, mod->gpl_syms + mod->num_gpl_syms,
49626 @@ -282,7 +283,7 @@ bool each_symbol(bool (*fn)(const struct
49630 - if (each_symbol_in_section(arr, ARRAY_SIZE(arr), mod, fn, data))
49631 + if (each_symbol_in_section(modarr, ARRAY_SIZE(modarr), mod, fn, data))
49635 @@ -393,7 +394,7 @@ static inline void __percpu *mod_percpu(
49636 static int percpu_modalloc(struct module *mod,
49637 unsigned long size, unsigned long align)
49639 - if (align > PAGE_SIZE) {
49640 + if (align-1 >= PAGE_SIZE) {
49641 printk(KERN_WARNING "%s: per-cpu alignment %li > %li\n",
49642 mod->name, align, PAGE_SIZE);
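Review bot: `if (align-1 >= PAGE_SIZE)` in percpu_modalloc() relies on unsigned wraparound to reject `align == 0` in addition to `align > PAGE_SIZE`, and the warning text on the next line (`per-cpu alignment %li > %li`) then reports "0 > 4096", which is misleading. Writing the intent out as `if (align == 0 || align > PAGE_SIZE)` keeps the zero case (presumably the point of the change, since a zero alignment would otherwise be passed on to the per-cpu allocator) and reads without a trick. At minimum a one-line comment should say that zero is being rejected deliberately.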
49644 @@ -1565,15 +1566,18 @@ static void free_module(struct module *m
49645 destroy_params(mod->kp, mod->num_kp);
49647 /* This may be NULL, but that's OK */
49648 - module_free(mod, mod->module_init);
49649 + module_free(mod, mod->module_init_rw);
49650 + module_free_exec(mod, mod->module_init_rx);
49652 percpu_modfree(mod);
49654 /* Free lock-classes: */
49655 - lockdep_free_key_range(mod->module_core, mod->core_size);
49656 + lockdep_free_key_range(mod->module_core_rx, mod->core_size_rx);
49657 + lockdep_free_key_range(mod->module_core_rw, mod->core_size_rw);
49659 /* Finally, free the core (containing the module structure) */
49660 - module_free(mod, mod->module_core);
49661 + module_free_exec(mod, mod->module_core_rx);
49662 + module_free(mod, mod->module_core_rw);
49665 update_protections(current->mm);
49666 @@ -1666,7 +1670,9 @@ static int simplify_symbols(struct modul
49667 ksym = resolve_symbol_wait(mod, info, name);
49668 /* Ok if resolved. */
49669 if (ksym && !IS_ERR(ksym)) {
49670 + pax_open_kernel();
49671 sym[i].st_value = ksym->value;
49672 + pax_close_kernel();
49676 @@ -1685,7 +1691,9 @@ static int simplify_symbols(struct modul
49677 secbase = (unsigned long)mod_percpu(mod);
49679 secbase = info->sechdrs[sym[i].st_shndx].sh_addr;
49680 + pax_open_kernel();
49681 sym[i].st_value += secbase;
49682 + pax_close_kernel();
49686 @@ -1773,11 +1781,12 @@ static void layout_sections(struct modul
49687 || s->sh_entsize != ~0UL
49688 || strstarts(sname, ".init"))
49690 - s->sh_entsize = get_offset(mod, &mod->core_size, s, i);
49691 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
49692 + s->sh_entsize = get_offset(mod, &mod->core_size_rw, s, i);
49694 + s->sh_entsize = get_offset(mod, &mod->core_size_rx, s, i);
49695 DEBUGP("\t%s\n", name);
49698 - mod->core_text_size = mod->core_size;
49701 DEBUGP("Init section allocation order:\n");
49702 @@ -1791,12 +1800,13 @@ static void layout_sections(struct modul
49703 || s->sh_entsize != ~0UL
49704 || !strstarts(sname, ".init"))
49706 - s->sh_entsize = (get_offset(mod, &mod->init_size, s, i)
49707 - | INIT_OFFSET_MASK);
49708 + if ((s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC))
49709 + s->sh_entsize = get_offset(mod, &mod->init_size_rw, s, i);
49711 + s->sh_entsize = get_offset(mod, &mod->init_size_rx, s, i);
49712 + s->sh_entsize |= INIT_OFFSET_MASK;
49713 DEBUGP("\t%s\n", sname);
49716 - mod->init_text_size = mod->init_size;
49720 @@ -1964,7 +1974,7 @@ static void layout_symtab(struct module
49722 /* Put symbol section at end of init part of module. */
49723 symsect->sh_flags |= SHF_ALLOC;
49724 - symsect->sh_entsize = get_offset(mod, &mod->init_size, symsect,
49725 + symsect->sh_entsize = get_offset(mod, &mod->init_size_rx, symsect,
49726 info->index.sym) | INIT_OFFSET_MASK;
49727 DEBUGP("\t%s\n", info->secstrings + symsect->sh_name);
49729 @@ -1981,19 +1991,19 @@ static void layout_symtab(struct module
49732 /* Append room for core symbols at end of core part. */
49733 - info->symoffs = ALIGN(mod->core_size, symsect->sh_addralign ?: 1);
49734 - mod->core_size = info->symoffs + ndst * sizeof(Elf_Sym);
49735 + info->symoffs = ALIGN(mod->core_size_rx, symsect->sh_addralign ?: 1);
49736 + mod->core_size_rx = info->symoffs + ndst * sizeof(Elf_Sym);
49738 /* Put string table section at end of init part of module. */
49739 strsect->sh_flags |= SHF_ALLOC;
49740 - strsect->sh_entsize = get_offset(mod, &mod->init_size, strsect,
49741 + strsect->sh_entsize = get_offset(mod, &mod->init_size_rx, strsect,
49742 info->index.str) | INIT_OFFSET_MASK;
49743 DEBUGP("\t%s\n", info->secstrings + strsect->sh_name);
49745 /* Append room for core symbols' strings at end of core part. */
49746 - info->stroffs = mod->core_size;
49747 + info->stroffs = mod->core_size_rx;
49748 __set_bit(0, info->strmap);
49749 - mod->core_size += bitmap_weight(info->strmap, strsect->sh_size);
49750 + mod->core_size_rx += bitmap_weight(info->strmap, strsect->sh_size);
49753 static void add_kallsyms(struct module *mod, const struct load_info *info)
49754 @@ -2009,11 +2019,13 @@ static void add_kallsyms(struct module *
49755 /* Make sure we get permanent strtab: don't use info->strtab. */
49756 mod->strtab = (void *)info->sechdrs[info->index.str].sh_addr;
49758 + pax_open_kernel();
49760 /* Set types up while we still have access to sections. */
49761 for (i = 0; i < mod->num_symtab; i++)
49762 mod->symtab[i].st_info = elf_type(&mod->symtab[i], info);
49764 - mod->core_symtab = dst = mod->module_core + info->symoffs;
49765 + mod->core_symtab = dst = mod->module_core_rx + info->symoffs;
49768 for (ndst = i = 1; i < mod->num_symtab; ++i, ++src) {
49769 @@ -2026,10 +2038,12 @@ static void add_kallsyms(struct module *
49771 mod->core_num_syms = ndst;
49773 - mod->core_strtab = s = mod->module_core + info->stroffs;
49774 + mod->core_strtab = s = mod->module_core_rx + info->stroffs;
49775 for (*s = 0, i = 1; i < info->sechdrs[info->index.str].sh_size; ++i)
49776 if (test_bit(i, info->strmap))
49777 *++s = mod->strtab[i];
49779 + pax_close_kernel();
49782 static inline void layout_symtab(struct module *mod, struct load_info *info)
49783 @@ -2058,17 +2072,33 @@ static void dynamic_debug_remove(struct
49784 ddebug_remove_module(debug->modname);
49787 -static void *module_alloc_update_bounds(unsigned long size)
49788 +static void *module_alloc_update_bounds_rw(unsigned long size)
49790 void *ret = module_alloc(size);
49793 mutex_lock(&module_mutex);
49794 /* Update module bounds. */
49795 - if ((unsigned long)ret < module_addr_min)
49796 - module_addr_min = (unsigned long)ret;
49797 - if ((unsigned long)ret + size > module_addr_max)
49798 - module_addr_max = (unsigned long)ret + size;
49799 + if ((unsigned long)ret < module_addr_min_rw)
49800 + module_addr_min_rw = (unsigned long)ret;
49801 + if ((unsigned long)ret + size > module_addr_max_rw)
49802 + module_addr_max_rw = (unsigned long)ret + size;
49803 + mutex_unlock(&module_mutex);
49808 +static void *module_alloc_update_bounds_rx(unsigned long size)
49810 + void *ret = module_alloc_exec(size);
49813 + mutex_lock(&module_mutex);
49814 + /* Update module bounds. */
49815 + if ((unsigned long)ret < module_addr_min_rx)
49816 + module_addr_min_rx = (unsigned long)ret;
49817 + if ((unsigned long)ret + size > module_addr_max_rx)
49818 + module_addr_max_rx = (unsigned long)ret + size;
49819 mutex_unlock(&module_mutex);
49822 @@ -2344,7 +2374,7 @@ static int move_module(struct module *mo
49825 /* Do the allocs. */
49826 - ptr = module_alloc_update_bounds(mod->core_size);
49827 + ptr = module_alloc_update_bounds_rw(mod->core_size_rw);
49829 * The pointer to this block is stored in the module structure
49830 * which is inside the block. Just mark it as not being a
49831 @@ -2354,23 +2384,50 @@ static int move_module(struct module *mo
49835 - memset(ptr, 0, mod->core_size);
49836 - mod->module_core = ptr;
49837 + memset(ptr, 0, mod->core_size_rw);
49838 + mod->module_core_rw = ptr;
49840 - ptr = module_alloc_update_bounds(mod->init_size);
49841 + ptr = module_alloc_update_bounds_rw(mod->init_size_rw);
49843 * The pointer to this block is stored in the module structure
49844 * which is inside the block. This block doesn't need to be
49845 * scanned as it contains data and code that will be freed
49846 * after the module is initialized.
49848 - kmemleak_ignore(ptr);
49849 - if (!ptr && mod->init_size) {
49850 - module_free(mod, mod->module_core);
49851 + kmemleak_not_leak(ptr);
49852 + if (!ptr && mod->init_size_rw) {
49853 + module_free(mod, mod->module_core_rw);
49856 + memset(ptr, 0, mod->init_size_rw);
49857 + mod->module_init_rw = ptr;
49859 + ptr = module_alloc_update_bounds_rx(mod->core_size_rx);
49860 + kmemleak_not_leak(ptr);
49862 + module_free(mod, mod->module_init_rw);
49863 + module_free(mod, mod->module_core_rw);
49866 - memset(ptr, 0, mod->init_size);
49867 - mod->module_init = ptr;
49869 + pax_open_kernel();
49870 + memset(ptr, 0, mod->core_size_rx);
49871 + pax_close_kernel();
49872 + mod->module_core_rx = ptr;
49874 + ptr = module_alloc_update_bounds_rx(mod->init_size_rx);
49875 + kmemleak_not_leak(ptr);
49876 + if (!ptr && mod->init_size_rx) {
49877 + module_free_exec(mod, mod->module_core_rx);
49878 + module_free(mod, mod->module_init_rw);
49879 + module_free(mod, mod->module_core_rw);
49883 + pax_open_kernel();
49884 + memset(ptr, 0, mod->init_size_rx);
49885 + pax_close_kernel();
49886 + mod->module_init_rx = ptr;
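Review bot: The comment kept above the init allocation in move_module() still says the block "doesn't need to be scanned", but the call below it was changed from `kmemleak_ignore(ptr)` to `kmemleak_not_leak(ptr)`, and kmemleak_not_leak() only marks the object as not a leak while leaving it scannable; either update the comment or restore `kmemleak_ignore()` if skipping the scan was intended. The two new rx blocks get `kmemleak_not_leak()` with no comment at all; a sentence on why executable blocks from module_alloc_exec() are registered this way would help. The `if (!ptr ...)` condition for the core_rx allocation, between its `kmemleak_not_leak` call and the two `module_free` calls, is cut from this excerpt, so it cannot be checked whether it carries a size guard like the init block's `&& mod->init_size_rw`; a module with no executable sections could plausibly have `core_size_rx == 0`, in which case such a guard matters.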
49888 /* Transfer each section which specifies SHF_ALLOC */
49889 DEBUGP("final section addresses:\n");
49890 @@ -2381,16 +2438,41 @@ static int move_module(struct module *mo
49891 if (!(shdr->sh_flags & SHF_ALLOC))
49894 - if (shdr->sh_entsize & INIT_OFFSET_MASK)
49895 - dest = mod->module_init
49896 - + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
49898 - dest = mod->module_core + shdr->sh_entsize;
49899 + if (shdr->sh_entsize & INIT_OFFSET_MASK) {
49900 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
49901 + dest = mod->module_init_rw
49902 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
49904 + dest = mod->module_init_rx
49905 + + (shdr->sh_entsize & ~INIT_OFFSET_MASK);
49907 + if ((shdr->sh_flags & SHF_WRITE) || !(shdr->sh_flags & SHF_ALLOC))
49908 + dest = mod->module_core_rw + shdr->sh_entsize;
49910 + dest = mod->module_core_rx + shdr->sh_entsize;
49913 + if (shdr->sh_type != SHT_NOBITS) {
49915 +#ifdef CONFIG_PAX_KERNEXEC
49916 + if (!(shdr->sh_flags & SHF_WRITE) && (shdr->sh_flags & SHF_ALLOC)) {
49917 + pax_open_kernel();
49918 + memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
49919 + pax_close_kernel();
49923 - if (shdr->sh_type != SHT_NOBITS)
49924 memcpy(dest, (void *)shdr->sh_addr, shdr->sh_size);
49926 /* Update sh_addr to point to copy in image. */
49927 - shdr->sh_addr = (unsigned long)dest;
49929 +#ifdef CONFIG_PAX_KERNEXEC
49930 + if (shdr->sh_flags & SHF_EXECINSTR)
49931 + shdr->sh_addr = ktva_ktla((unsigned long)dest);
49935 + shdr->sh_addr = (unsigned long)dest;
49936 DEBUGP("\t0x%lx %s\n",
49937 shdr->sh_addr, info->secstrings + shdr->sh_name);
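Review bot: The `|| !(shdr->sh_flags & SHF_ALLOC)` term in the rw/rx selectors of this move_module() hunk is dead code, because the loop already does `continue` for non-SHF_ALLOC sections at the top of the hunk, so only the `SHF_WRITE` test decides. The same predicate is duplicated in the core and init loops of layout_sections() earlier in this file section, and the placement of a section must agree between the two functions or `sh_entsize` becomes an offset into the wrong block; a helper such as `static bool section_is_rw(const Elf_Shdr *s) { return (s->sh_flags & SHF_WRITE) || !(s->sh_flags & SHF_ALLOC); }` used in both places would make that invariant explicit and keep the non-ALLOC term where layout_sections() still needs it. The `#else` arm of the CONFIG_PAX_KERNEXEC copy and the final `else` for `sh_addr` are partly cut from this excerpt.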
49939 @@ -2441,12 +2523,12 @@ static void flush_module_icache(const st
49940 * Do it before processing of module parameters, so the module
49941 * can provide parameter accessor functions of its own.
49943 - if (mod->module_init)
49944 - flush_icache_range((unsigned long)mod->module_init,
49945 - (unsigned long)mod->module_init
49946 - + mod->init_size);
49947 - flush_icache_range((unsigned long)mod->module_core,
49948 - (unsigned long)mod->module_core + mod->core_size);
49949 + if (mod->module_init_rx)
49950 + flush_icache_range((unsigned long)mod->module_init_rx,
49951 + (unsigned long)mod->module_init_rx
49952 + + mod->init_size_rx);
49953 + flush_icache_range((unsigned long)mod->module_core_rx,
49954 + (unsigned long)mod->module_core_rx + mod->core_size_rx);
49958 @@ -2518,8 +2600,10 @@ static void module_deallocate(struct mod
49960 kfree(info->strmap);
49961 percpu_modfree(mod);
49962 - module_free(mod, mod->module_init);
49963 - module_free(mod, mod->module_core);
49964 + module_free_exec(mod, mod->module_init_rx);
49965 + module_free_exec(mod, mod->module_core_rx);
49966 + module_free(mod, mod->module_init_rw);
49967 + module_free(mod, mod->module_core_rw);
49970 static int post_relocation(struct module *mod, const struct load_info *info)
49971 @@ -2747,10 +2831,12 @@ SYSCALL_DEFINE3(init_module, void __user
49972 mod->symtab = mod->core_symtab;
49973 mod->strtab = mod->core_strtab;
49975 - module_free(mod, mod->module_init);
49976 - mod->module_init = NULL;
49977 - mod->init_size = 0;
49978 - mod->init_text_size = 0;
49979 + module_free(mod, mod->module_init_rw);
49980 + module_free_exec(mod, mod->module_init_rx);
49981 + mod->module_init_rw = NULL;
49982 + mod->module_init_rx = NULL;
49983 + mod->init_size_rw = 0;
49984 + mod->init_size_rx = 0;
49985 mutex_unlock(&module_mutex);
49988 @@ -2781,10 +2867,16 @@ static const char *get_ksymbol(struct mo
49989 unsigned long nextval;
49991 /* At worse, next value is at end of module */
49992 - if (within_module_init(addr, mod))
49993 - nextval = (unsigned long)mod->module_init+mod->init_text_size;
49994 + if (within_module_init_rx(addr, mod))
49995 + nextval = (unsigned long)mod->module_init_rx+mod->init_size_rx;
49996 + else if (within_module_init_rw(addr, mod))
49997 + nextval = (unsigned long)mod->module_init_rw+mod->init_size_rw;
49998 + else if (within_module_core_rx(addr, mod))
49999 + nextval = (unsigned long)mod->module_core_rx+mod->core_size_rx;
50000 + else if (within_module_core_rw(addr, mod))
50001 + nextval = (unsigned long)mod->module_core_rw+mod->core_size_rw;
50003 - nextval = (unsigned long)mod->module_core+mod->core_text_size;
50006 /* Scan for closest preceeding symbol, and next symbol. (ELF
50007 starts real symbols at 1). */
50008 @@ -3030,7 +3122,7 @@ static int m_show(struct seq_file *m, vo
50011 seq_printf(m, "%s %u",
50012 - mod->name, mod->init_size + mod->core_size);
50013 + mod->name, mod->init_size_rx + mod->init_size_rw + mod->core_size_rx + mod->core_size_rw);
50014 print_unload_info(m, mod);
50016 /* Informative for users. */
50017 @@ -3039,7 +3131,7 @@ static int m_show(struct seq_file *m, vo
50018 mod->state == MODULE_STATE_COMING ? "Loading":
50020 /* Used by oprofile and other similar tools. */
50021 - seq_printf(m, " 0x%p", mod->module_core);
50022 + seq_printf(m, " 0x%p 0x%p", mod->module_core_rx, mod->module_core_rw);
50026 @@ -3075,7 +3167,17 @@ static const struct file_operations proc
50028 static int __init proc_modules_init(void)
50030 +#ifndef CONFIG_GRKERNSEC_HIDESYM
50031 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50032 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50033 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50034 + proc_create("modules", S_IRUSR | S_IRGRP, NULL, &proc_modules_operations);
50036 proc_create("modules", 0, NULL, &proc_modules_operations);
50039 + proc_create("modules", S_IRUSR, NULL, &proc_modules_operations);
50043 module_init(proc_modules_init);
50044 @@ -3134,12 +3236,12 @@ struct module *__module_address(unsigned
50046 struct module *mod;
50048 - if (addr < module_addr_min || addr > module_addr_max)
50049 + if ((addr < module_addr_min_rx || addr > module_addr_max_rx) &&
50050 + (addr < module_addr_min_rw || addr > module_addr_max_rw))
50053 list_for_each_entry_rcu(mod, &modules, list)
50054 - if (within_module_core(addr, mod)
50055 - || within_module_init(addr, mod))
50056 + if (within_module_init(addr, mod) || within_module_core(addr, mod))
50060 @@ -3173,11 +3275,20 @@ bool is_module_text_address(unsigned lon
50062 struct module *__module_text_address(unsigned long addr)
50064 - struct module *mod = __module_address(addr);
50065 + struct module *mod;
50067 +#ifdef CONFIG_X86_32
50068 + addr = ktla_ktva(addr);
50071 + if (addr < module_addr_min_rx || addr > module_addr_max_rx)
50074 + mod = __module_address(addr);
50077 /* Make sure it's within the text section. */
50078 - if (!within(addr, mod->module_init, mod->init_text_size)
50079 - && !within(addr, mod->module_core, mod->core_text_size))
50080 + if (!within_module_init_rx(addr, mod) && !within_module_core_rx(addr, mod))
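Review bot: `addr = ktla_ktva(addr)` in __module_text_address() is guarded by `#ifdef CONFIG_X86_32` alone, while the equivalent translation in kernel/lockdep.c (static_obj) is under CONFIG_PAX_KERNEXEC and kernel/kallsyms.c uses `defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)`; if ktla_ktva() is an identity on non-KERNEXEC builds this is harmless, but one guard form for the same translation would make the dependency clear. The early return after the `module_addr_min_rx`/`module_addr_max_rx` range check and the `if (!mod)` test that presumably follows `__module_address(addr)` are cut from this excerpt. A comment stating that `addr` is compared in the translated address space, and that the rx bounds are recorded in that same space by module_alloc_update_bounds_rx(), would help a reader who only sees this function.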
50084 diff -urNp linux-2.6.36.1/kernel/panic.c linux-2.6.36.1/kernel/panic.c
50085 --- linux-2.6.36.1/kernel/panic.c 2010-10-20 16:30:22.000000000 -0400
50086 +++ linux-2.6.36.1/kernel/panic.c 2010-11-13 16:29:01.000000000 -0500
50087 @@ -368,7 +368,7 @@ static void warn_slowpath_common(const c
50090 printk(KERN_WARNING "------------[ cut here ]------------\n");
50091 - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller);
50092 + printk(KERN_WARNING "WARNING: at %s:%d %pA()\n", file, line, caller);
50093 board = dmi_get_system_info(DMI_PRODUCT_NAME);
50095 printk(KERN_WARNING "Hardware name: %s\n", board);
50096 @@ -423,7 +423,8 @@ EXPORT_SYMBOL(warn_slowpath_null);
50098 void __stack_chk_fail(void)
50100 - panic("stack-protector: Kernel stack is corrupted in: %p\n",
50102 + panic("stack-protector: Kernel stack is corrupted in: %pA\n",
50103 __builtin_return_address(0));
50105 EXPORT_SYMBOL(__stack_chk_fail);
50106 diff -urNp linux-2.6.36.1/kernel/pid.c linux-2.6.36.1/kernel/pid.c
50107 --- linux-2.6.36.1/kernel/pid.c 2010-10-20 16:30:22.000000000 -0400
50108 +++ linux-2.6.36.1/kernel/pid.c 2010-11-06 18:58:50.000000000 -0400
50110 #include <linux/rculist.h>
50111 #include <linux/bootmem.h>
50112 #include <linux/hash.h>
50113 +#include <linux/security.h>
50114 #include <linux/pid_namespace.h>
50115 #include <linux/init_task.h>
50116 #include <linux/syscalls.h>
50117 @@ -45,7 +46,7 @@ struct pid init_struct_pid = INIT_STRUCT
50119 int pid_max = PID_MAX_DEFAULT;
50121 -#define RESERVED_PIDS 300
50122 +#define RESERVED_PIDS 500
50124 int pid_max_min = RESERVED_PIDS + 1;
50125 int pid_max_max = PID_MAX_LIMIT;
50126 @@ -416,7 +417,14 @@ EXPORT_SYMBOL(pid_task);
50128 struct task_struct *find_task_by_pid_ns(pid_t nr, struct pid_namespace *ns)
50130 - return pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50131 + struct task_struct *task;
50133 + task = pid_task(find_pid_ns(vx_rmap_pid(nr), ns), PIDTYPE_PID);
50135 + if (gr_pid_is_chrooted(task))
50141 struct task_struct *find_task_by_vpid(pid_t vnr)
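Review bot: find_task_by_pid_ns() is a general lookup used by kernel-internal callers as well as by syscalls, and the new `if (gr_pid_is_chrooted(task))` filter changes the result for all of them; a comment at the function stating that tasks hidden by the chroot policy are reported as not found (presumably by returning NULL — the line is cut from this excerpt) would stop callers from treating the result as "no such pid" without knowing about the policy. `task` is dereferenced only inside gr_pid_is_chrooted(), so that helper must tolerate the NULL that pid_task() returns when nothing matches; that precondition is worth stating in the same comment.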
50142 diff -urNp linux-2.6.36.1/kernel/posix-cpu-timers.c linux-2.6.36.1/kernel/posix-cpu-timers.c
50143 --- linux-2.6.36.1/kernel/posix-cpu-timers.c 2010-10-20 16:30:22.000000000 -0400
50144 +++ linux-2.6.36.1/kernel/posix-cpu-timers.c 2010-11-13 16:31:56.000000000 -0500
50146 #include <linux/posix-timers.h>
50147 #include <linux/errno.h>
50148 #include <linux/math64.h>
50149 +#include <linux/security.h>
50150 #include <asm/uaccess.h>
50151 #include <linux/kernel_stat.h>
50152 #include <trace/events/timer.h>
50153 diff -urNp linux-2.6.36.1/kernel/power/hibernate.c linux-2.6.36.1/kernel/power/hibernate.c
50154 --- linux-2.6.36.1/kernel/power/hibernate.c 2010-10-20 16:30:22.000000000 -0400
50155 +++ linux-2.6.36.1/kernel/power/hibernate.c 2010-11-06 18:58:15.000000000 -0400
50156 @@ -50,14 +50,14 @@ enum {
50158 static int hibernation_mode = HIBERNATION_SHUTDOWN;
50160 -static struct platform_hibernation_ops *hibernation_ops;
50161 +static const struct platform_hibernation_ops *hibernation_ops;
50164 * hibernation_set_ops - set the global hibernate operations
50165 * @ops: the hibernation operations to use in subsequent hibernation transitions
50168 -void hibernation_set_ops(struct platform_hibernation_ops *ops)
50169 +void hibernation_set_ops(const struct platform_hibernation_ops *ops)
50171 if (ops && !(ops->begin && ops->end && ops->pre_snapshot
50172 && ops->prepare && ops->finish && ops->enter && ops->pre_restore
50173 diff -urNp linux-2.6.36.1/kernel/power/poweroff.c linux-2.6.36.1/kernel/power/poweroff.c
50174 --- linux-2.6.36.1/kernel/power/poweroff.c 2010-10-20 16:30:22.000000000 -0400
50175 +++ linux-2.6.36.1/kernel/power/poweroff.c 2010-11-06 18:58:15.000000000 -0400
50176 @@ -37,7 +37,7 @@ static struct sysrq_key_op sysrq_powerof
50177 .enable_mask = SYSRQ_ENABLE_BOOT,
50180 -static int pm_sysrq_init(void)
50181 +static int __init pm_sysrq_init(void)
50183 register_sysrq_key('o', &sysrq_poweroff_op);
50185 diff -urNp linux-2.6.36.1/kernel/power/process.c linux-2.6.36.1/kernel/power/process.c
50186 --- linux-2.6.36.1/kernel/power/process.c 2010-10-20 16:30:22.000000000 -0400
50187 +++ linux-2.6.36.1/kernel/power/process.c 2010-11-06 18:58:15.000000000 -0400
50188 @@ -40,6 +40,7 @@ static int try_to_freeze_tasks(bool sig_
50189 struct timeval start, end;
50190 u64 elapsed_csecs64;
50191 unsigned int elapsed_csecs;
50192 + bool timedout = false;
50194 do_gettimeofday(&start);
50196 @@ -50,6 +51,8 @@ static int try_to_freeze_tasks(bool sig_
50200 + if (time_after(jiffies, end_time))
50202 read_lock(&tasklist_lock);
50203 do_each_thread(g, p) {
50204 if (frozen(p) || !freezeable(p))
50205 @@ -64,9 +67,13 @@ static int try_to_freeze_tasks(bool sig_
50206 * It is "frozen enough". If the task does wake
50207 * up, it will immediately call try_to_freeze.
50209 - if (!task_is_stopped_or_traced(p) &&
50210 - !freezer_should_skip(p))
50211 + if (!task_is_stopped_or_traced(p) && !freezer_should_skip(p)) {
50214 + printk(KERN_ERR "Task refusing to freeze:\n");
50215 + sched_show_task(p);
50218 } while_each_thread(g, p);
50219 read_unlock(&tasklist_lock);
50221 @@ -75,7 +82,7 @@ static int try_to_freeze_tasks(bool sig_
50225 - if (!todo || time_after(jiffies, end_time))
50226 + if (!todo || timedout)
50230 diff -urNp linux-2.6.36.1/kernel/power/suspend.c linux-2.6.36.1/kernel/power/suspend.c
50231 --- linux-2.6.36.1/kernel/power/suspend.c 2010-10-20 16:30:22.000000000 -0400
50232 +++ linux-2.6.36.1/kernel/power/suspend.c 2010-11-06 18:58:15.000000000 -0400
50233 @@ -30,13 +30,13 @@ const char *const pm_states[PM_SUSPEND_M
50234 [PM_SUSPEND_MEM] = "mem",
50237 -static struct platform_suspend_ops *suspend_ops;
50238 +static const struct platform_suspend_ops *suspend_ops;
50241 * suspend_set_ops - Set the global suspend method table.
50242 * @ops: Pointer to ops structure.
50244 -void suspend_set_ops(struct platform_suspend_ops *ops)
50245 +void suspend_set_ops(const struct platform_suspend_ops *ops)
50247 mutex_lock(&pm_mutex);
50249 diff -urNp linux-2.6.36.1/kernel/printk.c linux-2.6.36.1/kernel/printk.c
50250 --- linux-2.6.36.1/kernel/printk.c 2010-10-20 16:30:22.000000000 -0400
50251 +++ linux-2.6.36.1/kernel/printk.c 2010-11-06 18:58:50.000000000 -0400
50252 @@ -268,6 +268,11 @@ int do_syslog(int type, char __user *buf
50256 +#ifdef CONFIG_GRKERNSEC_DMESG
50257 + if (grsec_enable_dmesg && !capable(CAP_SYS_ADMIN))
50261 error = security_syslog(type, from_file);
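Review bot: The `grsec_enable_dmesg && !capable(CAP_SYS_ADMIN)` test in do_syslog() sits before `security_syslog()` and before the `type` switch, so it denies every action to unprivileged callers — including SYSLOG_ACTION_CLOSE/OPEN, which are no-ops upstream, and SYSLOG_ACTION_SIZE_BUFFER — and it also applies to reads that arrive with `from_file` set (/proc/kmsg). If that blanket behaviour is intended, a comment such as `/* with dmesg restriction on, deny all syslog(2) actions to unprivileged callers, not just reads */` documents it; otherwise narrow the test to the read, read-all and read-clear types. The denial return is cut from this excerpt.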
50264 diff -urNp linux-2.6.36.1/kernel/ptrace.c linux-2.6.36.1/kernel/ptrace.c
50265 --- linux-2.6.36.1/kernel/ptrace.c 2010-10-20 16:30:22.000000000 -0400
50266 +++ linux-2.6.36.1/kernel/ptrace.c 2010-11-06 18:58:50.000000000 -0400
50267 @@ -140,7 +140,7 @@ int __ptrace_may_access(struct task_stru
50268 cred->gid != tcred->egid ||
50269 cred->gid != tcred->sgid ||
50270 cred->gid != tcred->gid) &&
50271 - !capable(CAP_SYS_PTRACE)) {
50272 + !capable_nolog(CAP_SYS_PTRACE)) {
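Review bot: Switching `capable(CAP_SYS_PTRACE)` to `capable_nolog(CAP_SYS_PTRACE)` at 50272, and likewise at 50281 and 50290, means a failed CAP_SYS_PTRACE check in __ptrace_may_access and ptrace_attach no longer produces the audit record that `capable()` emits. That is a defensible noise-reduction choice — __ptrace_may_access is reached by ordinary /proc reads, not just attach attempts — but it removes a detection signal that operators may be relying on, and nothing at the call sites says why. A comment at the first site, `/* capable_nolog(): routine probes reach this check; do not audit-log each failure */`, would record the reasoning; `capable_nolog` itself is not defined in this view. Both functions continue outside the hunks.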
50276 @@ -148,7 +148,7 @@ int __ptrace_may_access(struct task_stru
50279 dumpable = get_dumpable(task->mm);
50280 - if (!dumpable && !capable(CAP_SYS_PTRACE))
50281 + if (!dumpable && !capable_nolog(CAP_SYS_PTRACE))
50284 return security_ptrace_access_check(task, mode);
50285 @@ -198,7 +198,7 @@ int ptrace_attach(struct task_struct *ta
50286 goto unlock_tasklist;
50288 task->ptrace = PT_PTRACED;
50289 - if (capable(CAP_SYS_PTRACE))
50290 + if (capable_nolog(CAP_SYS_PTRACE))
50291 task->ptrace |= PT_PTRACE_CAP;
50293 __ptrace_link(task, current);
50294 @@ -367,7 +367,7 @@ int ptrace_readdata(struct task_struct *
50298 - if (copy_to_user(dst, buf, retval))
50299 + if (retval > sizeof(buf) || copy_to_user(dst, buf, retval))
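Review bot: `retval > sizeof(buf)` at 50299 compares the `int` `retval` with a `size_t`, so the comparison is performed unsigned; a negative `retval` would be caught as "too large", which is safe here but by accident rather than design, and it trips -Wsign-compare. The bound actually relied upon is the length requested from access_process_vm() (the per-iteration chunk length, not in view), so a guard of the form `if (retval < 0 || (size_t)retval > sizeof(buf) || copy_to_user(dst, buf, retval))` states both halves of the invariant explicitly. The loop this check sits in starts and ends outside the hunk.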
50303 @@ -578,18 +578,18 @@ int ptrace_request(struct task_struct *c
50304 ret = ptrace_setoptions(child, data);
50306 case PTRACE_GETEVENTMSG:
50307 - ret = put_user(child->ptrace_message, (unsigned long __user *) data);
50308 + ret = put_user(child->ptrace_message, (__force unsigned long __user *) data);
50311 case PTRACE_GETSIGINFO:
50312 ret = ptrace_getsiginfo(child, &siginfo);
50314 - ret = copy_siginfo_to_user((siginfo_t __user *) data,
50315 + ret = copy_siginfo_to_user((__force siginfo_t __user *) data,
50319 case PTRACE_SETSIGINFO:
50320 - if (copy_from_user(&siginfo, (siginfo_t __user *) data,
50321 + if (copy_from_user(&siginfo, (__force siginfo_t __user *) data,
50325 @@ -709,14 +709,21 @@ SYSCALL_DEFINE4(ptrace, long, request, l
50329 + if (gr_handle_ptrace(child, request)) {
50331 + goto out_put_task_struct;
50334 if (request == PTRACE_ATTACH) {
50335 ret = ptrace_attach(child);
50337 * Some architectures need to do book-keeping after
50342 arch_ptrace_attach(child);
50343 + gr_audit_ptrace(child);
50345 goto out_put_task_struct;
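Review bot: `gr_handle_ptrace(child, request)` at 50329 sits ahead of the PTRACE_ATTACH branch, so it is consulted for every request against an already-traced child as well, while `gr_audit_ptrace(child)` at 50343 fires only on a successful attach; the value assigned to `ret` on the denied path (50330) is not in view. A short comment documenting that asymmetry — policy check on every request, audit record on attach only — would help, since neither helper is defined in this file. The ptrace syscall body continues outside the hunk.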
50348 diff -urNp linux-2.6.36.1/kernel/rcutree.c linux-2.6.36.1/kernel/rcutree.c
50349 --- linux-2.6.36.1/kernel/rcutree.c 2010-10-20 16:30:22.000000000 -0400
50350 +++ linux-2.6.36.1/kernel/rcutree.c 2010-11-06 18:58:15.000000000 -0400
50351 @@ -1357,7 +1357,7 @@ __rcu_process_callbacks(struct rcu_state
50353 * Do softirq processing for the current CPU.
50355 -static void rcu_process_callbacks(struct softirq_action *unused)
50356 +static void rcu_process_callbacks(void)
50359 * Memory references from any prior RCU read-side critical sections
50360 diff -urNp linux-2.6.36.1/kernel/resource.c linux-2.6.36.1/kernel/resource.c
50361 --- linux-2.6.36.1/kernel/resource.c 2010-10-20 16:30:22.000000000 -0400
50362 +++ linux-2.6.36.1/kernel/resource.c 2010-11-06 18:58:50.000000000 -0400
50363 @@ -133,8 +133,18 @@ static const struct file_operations proc
50365 static int __init ioresources_init(void)
50367 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50368 +#ifdef CONFIG_GRKERNSEC_PROC_USER
50369 + proc_create("ioports", S_IRUSR, NULL, &proc_ioports_operations);
50370 + proc_create("iomem", S_IRUSR, NULL, &proc_iomem_operations);
50371 +#elif defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
50372 + proc_create("ioports", S_IRUSR | S_IRGRP, NULL, &proc_ioports_operations);
50373 + proc_create("iomem", S_IRUSR | S_IRGRP, NULL, &proc_iomem_operations);
50376 proc_create("ioports", 0, NULL, &proc_ioports_operations);
50377 proc_create("iomem", 0, NULL, &proc_iomem_operations);
50381 __initcall(ioresources_init);
50382 diff -urNp linux-2.6.36.1/kernel/rtmutex.c linux-2.6.36.1/kernel/rtmutex.c
50383 --- linux-2.6.36.1/kernel/rtmutex.c 2010-10-20 16:30:22.000000000 -0400
50384 +++ linux-2.6.36.1/kernel/rtmutex.c 2010-11-06 18:58:15.000000000 -0400
50385 @@ -511,7 +511,7 @@ static void wakeup_next_waiter(struct rt
50387 raw_spin_lock_irqsave(&pendowner->pi_lock, flags);
50389 - WARN_ON(!pendowner->pi_blocked_on);
50390 + BUG_ON(!pendowner->pi_blocked_on);
50391 WARN_ON(pendowner->pi_blocked_on != waiter);
50392 WARN_ON(pendowner->pi_blocked_on->lock != lock);
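Review bot: `BUG_ON(!pendowner->pi_blocked_on)` at 50390 is reached with `pendowner->pi_lock` held via raw_spin_lock_irqsave (50387), so the promoted check now oopses with a raw spinlock held and interrupts off instead of warning and continuing; the same WARN_ON→BUG_ON promotion is made in sched.c at 50429 and kref.c at 51187. Fail-stop is a defensible hardening choice — a NULL `pi_blocked_on` is dereferenced on the very next lines (50391–50392), and a NULL `release` in kref_put would otherwise silently leak — but it converts a recoverable inconsistency into a guaranteed crash, an availability trade-off that deserves a comment such as `/* hardening: a missing waiter means corrupted PI state; stop rather than continue */`. wakeup_next_waiter continues outside the hunk.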
50394 diff -urNp linux-2.6.36.1/kernel/sched.c linux-2.6.36.1/kernel/sched.c
50395 --- linux-2.6.36.1/kernel/sched.c 2010-11-26 18:26:25.000000000 -0500
50396 +++ linux-2.6.36.1/kernel/sched.c 2010-11-26 18:27:14.000000000 -0500
50397 @@ -4436,6 +4436,8 @@ int can_nice(const struct task_struct *p
50398 /* convert nice value [19,-20] to rlimit style value [1,40] */
50399 int nice_rlim = 20 - nice;
50401 + gr_learn_resource(p, RLIMIT_NICE, nice_rlim, 1);
50403 return (nice_rlim <= task_rlimit(p, RLIMIT_NICE) ||
50404 capable(CAP_SYS_NICE));
50406 @@ -4469,7 +4471,8 @@ SYSCALL_DEFINE1(nice, int, increment)
50410 - if (increment < 0 && !can_nice(current, nice))
50411 + if (increment < 0 && (!can_nice(current, nice) ||
50412 + gr_handle_chroot_nice()))
50413 return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;
50415 retval = security_task_setnice(current, nice);
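Review bot: A `gr_handle_chroot_nice()` denial at 50412 shares the return at 50413, `return vx_flags(VXF_IGNEG_NICE, 0) ? 0 : -EPERM;`, so when the vserver flag VXF_IGNEG_NICE is set the chroot-based refusal is reported to userspace as success (0), exactly like the rlimit refusal, while the nice value is left unchanged. That "pretend it worked" behaviour may be acceptable for the rlimit case the flag was written for, but a policy denial that returns 0 is hard to diagnose; testing the grsec condition separately, e.g. `if (increment < 0 && gr_handle_chroot_nice()) return -EPERM;` placed ahead of the existing test, keeps the two semantics apart. The nice syscall continues outside the hunk.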
50416 @@ -4612,6 +4615,7 @@ recheck:
50417 unsigned long rlim_rtprio =
50418 task_rlimit(p, RLIMIT_RTPRIO);
50420 + gr_learn_resource(p, RLIMIT_RTPRIO, param->sched_priority, 1);
50421 /* can't set/change the rt policy */
50422 if (policy != p->policy && !rlim_rtprio)
50424 @@ -6778,7 +6782,7 @@ static void init_sched_groups_power(int
50428 - WARN_ON(!sd || !sd->groups);
50429 + BUG_ON(!sd || !sd->groups);
50431 if (cpu != group_first_cpu(sd->groups))
50433 diff -urNp linux-2.6.36.1/kernel/sched_fair.c linux-2.6.36.1/kernel/sched_fair.c
50434 --- linux-2.6.36.1/kernel/sched_fair.c 2010-10-20 16:30:22.000000000 -0400
50435 +++ linux-2.6.36.1/kernel/sched_fair.c 2010-11-06 18:58:15.000000000 -0400
50436 @@ -3662,7 +3662,7 @@ static void nohz_idle_balance(int this_c
50437 * run_rebalance_domains is triggered when needed from the scheduler tick.
50438 * Also triggered for nohz idle balancing (with nohz_balancing_kick set).
50440 -static void run_rebalance_domains(struct softirq_action *h)
50441 +static void run_rebalance_domains(void)
50443 int this_cpu = smp_processor_id();
50444 struct rq *this_rq = cpu_rq(this_cpu);
50445 diff -urNp linux-2.6.36.1/kernel/signal.c linux-2.6.36.1/kernel/signal.c
50446 --- linux-2.6.36.1/kernel/signal.c 2010-10-20 16:30:22.000000000 -0400
50447 +++ linux-2.6.36.1/kernel/signal.c 2010-11-06 18:58:50.000000000 -0400
50448 @@ -45,12 +45,12 @@ static struct kmem_cache *sigqueue_cache
50450 int print_fatal_signals __read_mostly;
50452 -static void __user *sig_handler(struct task_struct *t, int sig)
50453 +static __sighandler_t sig_handler(struct task_struct *t, int sig)
50455 return t->sighand->action[sig - 1].sa.sa_handler;
50458 -static int sig_handler_ignored(void __user *handler, int sig)
50459 +static int sig_handler_ignored(__sighandler_t handler, int sig)
50461 /* Is it explicitly or implicitly ignored? */
50462 return handler == SIG_IGN ||
50463 @@ -60,7 +60,7 @@ static int sig_handler_ignored(void __us
50464 static int sig_task_ignored(struct task_struct *t, int sig,
50465 int from_ancestor_ns)
50467 - void __user *handler;
50468 + __sighandler_t handler;
50470 handler = sig_handler(t, sig);
50472 @@ -243,6 +243,9 @@ __sigqueue_alloc(int sig, struct task_st
50473 atomic_inc(&user->sigpending);
50476 + if (!override_rlimit)
50477 + gr_learn_resource(t, RLIMIT_SIGPENDING, atomic_read(&user->sigpending), 1);
50479 if (override_rlimit ||
50480 atomic_read(&user->sigpending) <=
50481 task_rlimit(t, RLIMIT_SIGPENDING)) {
50482 @@ -367,7 +370,7 @@ flush_signal_handlers(struct task_struct
50484 int unhandled_signal(struct task_struct *tsk, int sig)
50486 - void __user *handler = tsk->sighand->action[sig-1].sa.sa_handler;
50487 + __sighandler_t handler = tsk->sighand->action[sig-1].sa.sa_handler;
50488 if (is_global_init(tsk))
50490 if (handler != SIG_IGN && handler != SIG_DFL)
50491 @@ -705,6 +708,10 @@ static int check_kill_permission(int sig
50492 sig, info, t, vx_task_xid(t), t->pid, current->xid);
50496 + if (gr_handle_signal(t, sig))
50500 return security_task_kill(t, info, sig, 0);
50502 @@ -1025,7 +1032,7 @@ __group_send_sig_info(int sig, struct si
50503 return send_signal(sig, info, p, 1);
50508 specific_send_sig_info(int sig, struct siginfo *info, struct task_struct *t)
50510 return send_signal(sig, info, t, 0);
50511 @@ -1079,6 +1086,9 @@ force_sig_info(int sig, struct siginfo *
50512 ret = specific_send_sig_info(sig, info, t);
50513 spin_unlock_irqrestore(&t->sighand->siglock, flags);
50515 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, t);
50516 + gr_handle_crash(t, sig);
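Review bot: `info->si_addr` at 50515 (and again at 50529 in group_send_sig_info) is read whenever `info` is not one of the special sentinels, but `si_addr` is only meaningful for fault-class signals; for a kill-style or queued siginfo the same union bytes hold `si_pid`/`si_uid` or the caller-supplied value, so the "address" handed to gr_log_signal is garbage for those, and in group_send_sig_info the siginfo can arrive from userspace via rt_sigqueueinfo, making the logged value caller-chosen. Gating on the signal number, e.g. `(sig == SIGSEGV || sig == SIGBUS || sig == SIGILL || sig == SIGFPE || sig == SIGTRAP) && !is_si_special(info) ? info->si_addr : NULL`, or on `si_code` being a fault code, keeps the logged address trustworthy. The placement after `spin_unlock_irqrestore` at 50513, outside siglock, is right. force_sig_info continues outside the hunk.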
50521 @@ -1136,8 +1146,11 @@ int group_send_sig_info(int sig, struct
50522 ret = check_kill_permission(sig, info, p);
50526 + if (!ret && sig) {
50527 ret = do_send_sig_info(sig, info, p, true);
50529 + gr_log_signal(sig, !is_si_special(info) ? info->si_addr : NULL, p);
50534 diff -urNp linux-2.6.36.1/kernel/smp.c linux-2.6.36.1/kernel/smp.c
50535 --- linux-2.6.36.1/kernel/smp.c 2010-10-20 16:30:22.000000000 -0400
50536 +++ linux-2.6.36.1/kernel/smp.c 2010-11-06 18:58:15.000000000 -0400
50537 @@ -510,22 +510,22 @@ int smp_call_function(void (*func)(void
50539 EXPORT_SYMBOL(smp_call_function);
50541 -void ipi_call_lock(void)
50542 +void ipi_call_lock(void) __acquires(call_function.lock)
50544 raw_spin_lock(&call_function.lock);
50547 -void ipi_call_unlock(void)
50548 +void ipi_call_unlock(void) __releases(call_function.lock)
50550 raw_spin_unlock(&call_function.lock);
50553 -void ipi_call_lock_irq(void)
50554 +void ipi_call_lock_irq(void) __acquires(call_function.lock)
50556 raw_spin_lock_irq(&call_function.lock);
50559 -void ipi_call_unlock_irq(void)
50560 +void ipi_call_unlock_irq(void) __releases(call_function.lock)
50562 raw_spin_unlock_irq(&call_function.lock);
50564 diff -urNp linux-2.6.36.1/kernel/softirq.c linux-2.6.36.1/kernel/softirq.c
50565 --- linux-2.6.36.1/kernel/softirq.c 2010-10-20 16:30:22.000000000 -0400
50566 +++ linux-2.6.36.1/kernel/softirq.c 2010-11-06 18:58:15.000000000 -0400
50567 @@ -56,7 +56,7 @@ static struct softirq_action softirq_vec
50569 static DEFINE_PER_CPU(struct task_struct *, ksoftirqd);
50571 -char *softirq_to_name[NR_SOFTIRQS] = {
50572 +const char * const softirq_to_name[NR_SOFTIRQS] = {
50573 "HI", "TIMER", "NET_TX", "NET_RX", "BLOCK", "BLOCK_IOPOLL",
50574 "TASKLET", "SCHED", "HRTIMER", "RCU"
50576 @@ -190,7 +190,7 @@ EXPORT_SYMBOL(local_bh_enable_ip);
50578 asmlinkage void __do_softirq(void)
50580 - struct softirq_action *h;
50581 + const struct softirq_action *h;
50583 int max_restart = MAX_SOFTIRQ_RESTART;
50585 @@ -216,7 +216,7 @@ restart:
50586 kstat_incr_softirqs_this_cpu(h - softirq_vec);
50588 trace_softirq_entry(h, softirq_vec);
50591 trace_softirq_exit(h, softirq_vec);
50592 if (unlikely(prev_count != preempt_count())) {
50593 printk(KERN_ERR "huh, entered softirq %td %s %p"
50594 @@ -340,7 +340,7 @@ void raise_softirq(unsigned int nr)
50595 local_irq_restore(flags);
50598 -void open_softirq(int nr, void (*action)(struct softirq_action *))
50599 +void open_softirq(int nr, void (*action)(void))
50601 softirq_vec[nr].action = action;
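Review bot: Changing `open_softirq`'s `action` parameter to `void (*)(void)` at 50599 is an interface change for every softirq handler — the matching rewrites are rcutree.c 50356, sched_fair.c 50441, timer.c 51029 and tasklet_action/tasklet_hi_action at 50608/50617 — but the declaration in the softirq header and the `h->action()` call in __do_softirq (the changed line of the hunk at 50585 is not in view) cannot be checked from here, so a reader cannot confirm that every registrant was converted; a handler still taking `struct softirq_action *` would now be a type-mismatched registration. A comment on open_softirq, `/* handlers take no argument: softirq_vec is private to this file */` (it is `static`, see 50567), documents the new contract. The function body continues outside the hunk.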
50603 @@ -396,7 +396,7 @@ void __tasklet_hi_schedule_first(struct
50605 EXPORT_SYMBOL(__tasklet_hi_schedule_first);
50607 -static void tasklet_action(struct softirq_action *a)
50608 +static void tasklet_action(void)
50610 struct tasklet_struct *list;
50612 @@ -431,7 +431,7 @@ static void tasklet_action(struct softir
50616 -static void tasklet_hi_action(struct softirq_action *a)
50617 +static void tasklet_hi_action(void)
50619 struct tasklet_struct *list;
50621 diff -urNp linux-2.6.36.1/kernel/sys.c linux-2.6.36.1/kernel/sys.c
50622 --- linux-2.6.36.1/kernel/sys.c 2010-10-20 16:30:22.000000000 -0400
50623 +++ linux-2.6.36.1/kernel/sys.c 2010-11-06 18:58:50.000000000 -0400
50624 @@ -134,6 +134,12 @@ static int set_one_prio(struct task_stru
50629 + if (gr_handle_chroot_setpriority(p, niceval)) {
50634 no_nice = security_task_setnice(p, niceval);
50637 @@ -511,6 +517,9 @@ SYSCALL_DEFINE2(setregid, gid_t, rgid, g
50641 + if (gr_check_group_change(new->gid, new->egid, -1))
50644 if (rgid != (gid_t) -1 ||
50645 (egid != (gid_t) -1 && egid != old->gid))
50646 new->sgid = new->egid;
50647 @@ -540,6 +549,10 @@ SYSCALL_DEFINE1(setgid, gid_t, gid)
50648 old = current_cred();
50652 + if (gr_check_group_change(gid, gid, gid))
50655 if (capable(CAP_SETGID))
50656 new->gid = new->egid = new->sgid = new->fsgid = gid;
50657 else if (gid == old->gid || gid == old->sgid)
50658 @@ -620,6 +633,9 @@ SYSCALL_DEFINE2(setreuid, uid_t, ruid, u
50662 + if (gr_check_user_change(new->uid, new->euid, -1))
50665 if (new->uid != old->uid) {
50666 retval = set_user(new);
50668 @@ -664,6 +680,12 @@ SYSCALL_DEFINE1(setuid, uid_t, uid)
50669 old = current_cred();
50673 + if (gr_check_crash_uid(uid))
50675 + if (gr_check_user_change(uid, uid, uid))
50678 if (capable(CAP_SETUID)) {
50679 new->suid = new->uid = uid;
50680 if (uid != old->uid) {
50681 @@ -718,6 +740,9 @@ SYSCALL_DEFINE3(setresuid, uid_t, ruid,
50685 + if (gr_check_user_change(ruid, euid, -1))
50688 if (ruid != (uid_t) -1) {
50690 if (ruid != old->uid) {
50691 @@ -782,6 +807,9 @@ SYSCALL_DEFINE3(setresgid, gid_t, rgid,
50695 + if (gr_check_group_change(rgid, egid, -1))
50698 if (rgid != (gid_t) -1)
50700 if (egid != (gid_t) -1)
50701 @@ -828,6 +856,9 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
50702 old = current_cred();
50703 old_fsuid = old->fsuid;
50705 + if (gr_check_user_change(-1, -1, uid))
50708 if (uid == old->uid || uid == old->euid ||
50709 uid == old->suid || uid == old->fsuid ||
50710 capable(CAP_SETUID)) {
50711 @@ -838,6 +869,7 @@ SYSCALL_DEFINE1(setfsuid, uid_t, uid)
50719 @@ -864,12 +896,16 @@ SYSCALL_DEFINE1(setfsgid, gid_t, gid)
50720 if (gid == old->gid || gid == old->egid ||
50721 gid == old->sgid || gid == old->fsgid ||
50722 capable(CAP_SETGID)) {
50723 + if (gr_check_group_change(-1, -1, gid))
50726 if (gid != old_fsgid) {
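Review bot: The new credential check is placed differently in the two fs-id syscalls: in setfsuid `gr_check_user_change(-1, -1, uid)` at 50705 runs before the `uid == old->uid || … capable(CAP_SETUID)` test, whereas in setfsgid `gr_check_group_change(-1, -1, gid)` at 50723 runs inside the `if (gid == old->gid || … capable(CAP_SETGID)) {` block, after the kernel's own permission test. Both end up denying, but the ordering decides whether the grsec hook (and whatever it logs) sees requests the kernel would have refused anyway, so pick one placement for both to keep the audit trail consistent. Note also that these two syscalls return the previous fsuid/fsgid rather than an error code, so the denied path (not in view) cannot report -EPERM to the caller and the hook's own logging is the only visible trace. setfsgid continues outside the hunk.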
50736 @@ -1607,7 +1643,7 @@ SYSCALL_DEFINE5(prctl, int, option, unsi
50737 error = get_dumpable(me->mm);
50739 case PR_SET_DUMPABLE:
50740 - if (arg2 < 0 || arg2 > 1) {
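Review bot: The replacement for the removed `if (arg2 < 0 || arg2 > 1) {` at 50740 is not in view (50741 is dropped), so the new bound cannot be verified from here; what is visible is that `arg2` is an `unsigned long`, so the old `arg2 < 0` test was always false and `arg2 > 1` was the only effective check. Whatever replaces it must keep rejecting every value other than 0 and 1 for PR_SET_DUMPABLE, because the stored dumpable value is what __ptrace_may_access consults (50279) and an out-of-range value would widen who may attach. prctl continues outside the hunk.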
50745 diff -urNp linux-2.6.36.1/kernel/sysctl.c linux-2.6.36.1/kernel/sysctl.c
50746 --- linux-2.6.36.1/kernel/sysctl.c 2010-10-20 16:30:22.000000000 -0400
50747 +++ linux-2.6.36.1/kernel/sysctl.c 2010-11-06 18:58:50.000000000 -0400
50751 #if defined(CONFIG_SYSCTL)
50752 +#include <linux/grsecurity.h>
50753 +#include <linux/grinternal.h>
50755 +extern __u32 gr_handle_sysctl(const ctl_table *table, const int op);
50756 +extern int gr_handle_sysctl_mod(const char *dirname, const char *name,
50758 +extern int gr_handle_chroot_sysctl(const int op);
50760 /* External variables not in a header file. */
50761 extern int sysctl_overcommit_memory;
50762 @@ -190,6 +197,7 @@ static int sysrq_sysctl_handler(ctl_tabl
50766 +extern struct ctl_table grsecurity_table[];
50768 static struct ctl_table root_table[];
50769 static struct ctl_table_root sysctl_table_root;
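Review bot: `extern struct ctl_table grsecurity_table[];` at 50766, like the three `extern` function prototypes at 50755–50758 in the previous hunk and `extern int gr_is_taskstats_denied(int pid);` at taskstats.c 50878, declares a grsecurity symbol locally in a .c file even though `<linux/grsecurity.h>` is included just above (50752 and taskstats.c 50874). Local externs bypass the compiler's check that callers and definitions agree, which is precisely what the shared header exists for; move them into the header and drop the per-file declarations. The `gr_handle_sysctl_mod` prototype at 50756 also continues onto a line that is not in view.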
50770 @@ -219,6 +227,20 @@ extern struct ctl_table epoll_table[];
50771 int sysctl_legacy_va_layout;
50774 +#ifdef CONFIG_PAX_SOFTMODE
50775 +static ctl_table pax_table[] = {
50777 + .procname = "softmode",
50778 + .data = &pax_softmode,
50779 + .maxlen = sizeof(unsigned int),
50781 + .proc_handler = &proc_dointvec,
50788 /* The default sysctl tables: */
50790 static struct ctl_table root_table[] = {
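Review bot: The `softmode` entry at 50777–50781 uses `.proc_handler = &proc_dointvec` with no `.extra1`/`.extra2`, so any integer can be written to it, although a soft-mode toggle for a security feature presumably has only two meaningful states; `proc_dointvec_minmax` with `.extra1`/`.extra2` pointing at the file's 0 and 1 statics (assuming the usual `zero`/`one` are present, not in view) rejects out-of-range values at the sysctl boundary, in the style the vm_table entry at 50815 already uses. The `.mode` line of this entry is not in view. Stylistically, `&proc_dointvec` is inconsistent with the un-addressed `proc_dointvec_minmax` / `proc_doulongvec_minmax` at 50815 and 50823 in the same file.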
50791 @@ -271,6 +293,22 @@ static int max_extfrag_threshold = 1000;
50794 static struct ctl_table kern_table[] = {
50795 +#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
50797 + .procname = "grsecurity",
50799 + .child = grsecurity_table,
50803 +#ifdef CONFIG_PAX_SOFTMODE
50805 + .procname = "pax",
50807 + .child = pax_table,
50812 .procname = "sched_child_runs_first",
50813 .data = &sysctl_sched_child_runs_first,
50814 @@ -1173,6 +1211,13 @@ static struct ctl_table vm_table[] = {
50815 .proc_handler = proc_dointvec_minmax,
50819 + .procname = "heap_stack_gap",
50820 + .data = &sysctl_heap_stack_gap,
50821 + .maxlen = sizeof(sysctl_heap_stack_gap),
50823 + .proc_handler = proc_doulongvec_minmax,
50827 .procname = "nr_trim_pages",
50828 @@ -1688,6 +1733,16 @@ int sysctl_perm(struct ctl_table_root *r
50832 + if (table->parent != NULL && table->parent->procname != NULL &&
50833 + table->procname != NULL &&
50834 + gr_handle_sysctl_mod(table->parent->procname, table->procname, op))
50836 + if (gr_handle_chroot_sysctl(op))
50838 + error = gr_handle_sysctl(table, op);
50842 error = security_sysctl(table, op & (MAY_READ | MAY_WRITE | MAY_EXEC));
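Review bot: `error = gr_handle_sysctl(table, op);` at 50838 stores the result of a function declared `__u32` (50755) into the `int error` that `security_sysctl` reuses at 50842, and the line that tests it (50839) is not in view; if the helper returns a negative errno encoded as `__u32`, the conversion back to `int` is implementation-defined in C, and if it returns a boolean "denied" flag the variable name misleads. Declaring the helper `int` and returning `-EACCES`/0 like the other hooks, or naming the local for what it holds, removes the ambiguity. The three grsec checks at 50832–50838 also run ahead of `security_sysctl()`, so a grsec denial is never seen by the LSM. sysctl_perm continues outside the hunk.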
50845 @@ -2200,6 +2255,8 @@ static int proc_put_long(void __user **b
50849 + if (len > sizeof(tmp))
50850 + len = sizeof(tmp);
50851 if (copy_to_user(*buf, tmp, len))
50854 @@ -2505,8 +2562,11 @@ static int __do_proc_doulongvec_minmax(v
50857 val = convdiv * (*i) / convmul;
50860 err = proc_put_char(&buffer, &left, '\t');
50864 err = proc_put_long(&buffer, &left, val, false);
50867 diff -urNp linux-2.6.36.1/kernel/taskstats.c linux-2.6.36.1/kernel/taskstats.c
50868 --- linux-2.6.36.1/kernel/taskstats.c 2010-10-20 16:30:22.000000000 -0400
50869 +++ linux-2.6.36.1/kernel/taskstats.c 2010-11-06 18:58:50.000000000 -0400
50871 #include <linux/cgroup.h>
50872 #include <linux/fs.h>
50873 #include <linux/file.h>
50874 +#include <linux/grsecurity.h>
50875 #include <net/genetlink.h>
50876 #include <asm/atomic.h>
50878 +extern int gr_is_taskstats_denied(int pid);
50881 * Maximum length of a cpumask that can be specified in
50882 * the TASKSTATS_CMD_ATTR_REGISTER/DEREGISTER_CPUMASK attribute
50883 @@ -432,6 +435,9 @@ static int taskstats_user_cmd(struct sk_
50885 cpumask_var_t mask;
50887 + if (gr_is_taskstats_denied(current->pid))
50890 if (!alloc_cpumask_var(&mask, GFP_KERNEL))
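Review bot: `gr_is_taskstats_denied(current->pid)` at 50887 passes a pid rather than the task; if the helper resolves the pid back to a task_struct (its definition is not in view), passing `current` directly avoids the lookup and the question of which pid namespace `current->pid` is interpreted in. The return on the denied path (50888) is not in view either; a one-line comment, `/* grsecurity: refuse taskstats queries from tasks denied by policy */`, would make the early exit self-explanatory. taskstats_user_cmd continues outside the hunk.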
50893 diff -urNp linux-2.6.36.1/kernel/time/tick-broadcast.c linux-2.6.36.1/kernel/time/tick-broadcast.c
50894 --- linux-2.6.36.1/kernel/time/tick-broadcast.c 2010-10-20 16:30:22.000000000 -0400
50895 +++ linux-2.6.36.1/kernel/time/tick-broadcast.c 2010-11-06 18:58:15.000000000 -0400
50896 @@ -116,7 +116,7 @@ int tick_device_uses_broadcast(struct cl
50897 * then clear the broadcast bit.
50899 if (!(dev->features & CLOCK_EVT_FEAT_C3STOP)) {
50900 - int cpu = smp_processor_id();
50901 + cpu = smp_processor_id();
50903 cpumask_clear_cpu(cpu, tick_get_broadcast_mask());
50904 tick_broadcast_clear_oneshot(cpu);
50905 diff -urNp linux-2.6.36.1/kernel/time/timer_list.c linux-2.6.36.1/kernel/time/timer_list.c
50906 --- linux-2.6.36.1/kernel/time/timer_list.c 2010-10-20 16:30:22.000000000 -0400
50907 +++ linux-2.6.36.1/kernel/time/timer_list.c 2010-11-06 18:58:50.000000000 -0400
50908 @@ -38,12 +38,16 @@ DECLARE_PER_CPU(struct hrtimer_cpu_base,
50910 static void print_name_offset(struct seq_file *m, void *sym)
50912 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50913 + SEQ_printf(m, "<%p>", NULL);
50915 char symname[KSYM_NAME_LEN];
50917 if (lookup_symbol_name((unsigned long)sym, symname) < 0)
50918 SEQ_printf(m, "<%p>", sym);
50920 SEQ_printf(m, "%s", symname);
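Review bot: Under CONFIG_GRKERNSEC_HIDESYM, `SEQ_printf(m, "<%p>", NULL)` at 50913 (and at 50930, and seq_printf at timer_stats.c 50957) prints a placeholder by formatting a NULL pointer, so the redacted output depends on the `%p` NULL special case in vsprintf.c — which this same patch changes from "(null)" to "(nil)" at 51251 — and silently becomes `<(nil)>`. A literal such as `SEQ_printf(m, "<hidden>")` says what is happening, does not depend on vsprintf's NULL handling, and lets consumers of /proc/timer_list recognise redaction rather than mistake it for a failed lookup. The `#else`/`#endif` lines of the ifdef are not in view.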
50925 @@ -112,7 +116,11 @@ next_one:
50927 print_base(struct seq_file *m, struct hrtimer_clock_base *base, u64 now)
50929 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50930 + SEQ_printf(m, " .base: %p\n", NULL);
50932 SEQ_printf(m, " .base: %p\n", base);
50934 SEQ_printf(m, " .index: %d\n",
50936 SEQ_printf(m, " .resolution: %Lu nsecs\n",
50937 @@ -293,7 +301,11 @@ static int __init init_timer_list_procfs
50939 struct proc_dir_entry *pe;
50941 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50942 + pe = proc_create("timer_list", 0400, NULL, &timer_list_fops);
50944 pe = proc_create("timer_list", 0444, NULL, &timer_list_fops);
50949 diff -urNp linux-2.6.36.1/kernel/time/timer_stats.c linux-2.6.36.1/kernel/time/timer_stats.c
50950 --- linux-2.6.36.1/kernel/time/timer_stats.c 2010-10-20 16:30:22.000000000 -0400
50951 +++ linux-2.6.36.1/kernel/time/timer_stats.c 2010-11-06 18:58:50.000000000 -0400
50952 @@ -269,12 +269,16 @@ void timer_stats_update_stats(void *time
50954 static void print_name_offset(struct seq_file *m, unsigned long addr)
50956 +#ifdef CONFIG_GRKERNSEC_HIDESYM
50957 + seq_printf(m, "<%p>", NULL);
50959 char symname[KSYM_NAME_LEN];
50961 if (lookup_symbol_name(addr, symname) < 0)
50962 seq_printf(m, "<%p>", (void *)addr);
50964 seq_printf(m, "%s", symname);
50968 static int tstats_show(struct seq_file *m, void *v)
50969 @@ -417,7 +421,11 @@ static int __init init_tstats_procfs(voi
50971 struct proc_dir_entry *pe;
50973 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
50974 + pe = proc_create("timer_stats", 0600, NULL, &tstats_fops);
50976 pe = proc_create("timer_stats", 0644, NULL, &tstats_fops);
50981 diff -urNp linux-2.6.36.1/kernel/time.c linux-2.6.36.1/kernel/time.c
50982 --- linux-2.6.36.1/kernel/time.c 2010-10-20 16:30:22.000000000 -0400
50983 +++ linux-2.6.36.1/kernel/time.c 2010-11-06 18:58:50.000000000 -0400
50984 @@ -93,6 +93,9 @@ SYSCALL_DEFINE1(stime, time_t __user *,
50987 vx_settimeofday(&tv);
50989 + gr_log_timechange();
50994 @@ -200,6 +203,8 @@ SYSCALL_DEFINE2(settimeofday, struct tim
50998 + gr_log_timechange();
51000 return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
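Review bot: `gr_log_timechange()` at 50998 is called before `do_sys_settimeofday()` at 51000 has run, so it logs a time change whether or not the call succeeds; the CAP_SYS_TIME/security_settime check lives inside do_sys_settimeofday (not in view), so an unprivileged `settimeofday(2)` attempt produces a "time changed" record for a change that never happened. In the stime hunk the same call (50989) is placed after `vx_settimeofday(&tv)` at 50987, i.e. after the change; make settimeofday match by capturing the result, e.g. `int ret = do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL); if (!ret) gr_log_timechange(); return ret;`, or document that the log line records attempts rather than changes. The syscall body continues outside the hunk.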
51003 @@ -238,7 +243,7 @@ EXPORT_SYMBOL(current_fs_time);
51004 * Avoid unnecessary multiplications/divisions in the
51005 * two most common HZ cases:
51007 -unsigned int inline jiffies_to_msecs(const unsigned long j)
51008 +inline unsigned int jiffies_to_msecs(const unsigned long j)
51010 #if HZ <= MSEC_PER_SEC && !(MSEC_PER_SEC % HZ)
51011 return (MSEC_PER_SEC / HZ) * j;
51012 @@ -254,7 +259,7 @@ unsigned int inline jiffies_to_msecs(con
51014 EXPORT_SYMBOL(jiffies_to_msecs);
51016 -unsigned int inline jiffies_to_usecs(const unsigned long j)
51017 +inline unsigned int jiffies_to_usecs(const unsigned long j)
51019 #if HZ <= USEC_PER_SEC && !(USEC_PER_SEC % HZ)
51020 return (USEC_PER_SEC / HZ) * j;
51021 diff -urNp linux-2.6.36.1/kernel/timer.c linux-2.6.36.1/kernel/timer.c
51022 --- linux-2.6.36.1/kernel/timer.c 2010-10-20 16:30:22.000000000 -0400
51023 +++ linux-2.6.36.1/kernel/timer.c 2010-11-06 18:58:15.000000000 -0400
51024 @@ -1287,7 +1287,7 @@ void update_process_times(int user_tick)
51026 * This function runs timers and the timer-tq in bottom half context.
51028 -static void run_timer_softirq(struct softirq_action *h)
51029 +static void run_timer_softirq(void)
51031 struct tvec_base *base = __get_cpu_var(tvec_bases);
51033 diff -urNp linux-2.6.36.1/kernel/trace/ftrace.c linux-2.6.36.1/kernel/trace/ftrace.c
51034 --- linux-2.6.36.1/kernel/trace/ftrace.c 2010-10-20 16:30:22.000000000 -0400
51035 +++ linux-2.6.36.1/kernel/trace/ftrace.c 2010-11-06 18:58:15.000000000 -0400
51036 @@ -1108,13 +1108,18 @@ ftrace_code_disable(struct module *mod,
51040 + ret = ftrace_arch_code_modify_prepare();
51041 + FTRACE_WARN_ON(ret);
51045 ret = ftrace_make_nop(mod, rec, MCOUNT_ADDR);
51046 + FTRACE_WARN_ON(ftrace_arch_code_modify_post_process());
51048 ftrace_bug(ret, ip);
51049 rec->flags |= FTRACE_FL_FAILED;
51053 + return ret ? 0 : 1;
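Review bot: `ret = ftrace_arch_code_modify_prepare();` at 51040 is only inspected by `FTRACE_WARN_ON(ret)` at 51041 and is then overwritten by `ftrace_make_nop()` at 51045, so unless the lines in between (51042–51044, not in view) bail out, a failed prepare step — on x86 the hook that makes kernel text writable — is followed by an attempt to patch the text anyway. Returning the existing failure value (0, see 51053) when prepare fails keeps the failure visible to the caller: `if (ret) { FTRACE_WARN_ON(ret); return 0; }`. `FTRACE_WARN_ON(ftrace_arch_code_modify_post_process())` at 51046 likewise discards the post-process result, which matches the original's attitude but deserves a comment. ftrace_code_disable starts before this hunk.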
51057 diff -urNp linux-2.6.36.1/kernel/trace/ring_buffer.c linux-2.6.36.1/kernel/trace/ring_buffer.c
51058 --- linux-2.6.36.1/kernel/trace/ring_buffer.c 2010-10-20 16:30:22.000000000 -0400
51059 +++ linux-2.6.36.1/kernel/trace/ring_buffer.c 2010-11-06 18:58:15.000000000 -0400
51060 @@ -635,7 +635,7 @@ static struct list_head *rb_list_head(st
51061 * the reader page). But if the next page is a header page,
51062 * its flags will be non zero.
51066 rb_is_head_page(struct ring_buffer_per_cpu *cpu_buffer,
51067 struct buffer_page *page, struct list_head *list)
51069 diff -urNp linux-2.6.36.1/kernel/trace/trace.c linux-2.6.36.1/kernel/trace/trace.c
51070 --- linux-2.6.36.1/kernel/trace/trace.c 2010-10-20 16:30:22.000000000 -0400
51071 +++ linux-2.6.36.1/kernel/trace/trace.c 2010-11-06 18:58:15.000000000 -0400
51072 @@ -3943,10 +3943,9 @@ static const struct file_operations trac
51076 -static struct dentry *d_tracer;
51078 struct dentry *tracing_init_dentry(void)
51080 + static struct dentry *d_tracer;
51084 @@ -3966,10 +3965,9 @@ struct dentry *tracing_init_dentry(void)
51088 -static struct dentry *d_percpu;
51090 struct dentry *tracing_dentry_percpu(void)
51092 + static struct dentry *d_percpu;
51094 struct dentry *d_tracer;
51096 diff -urNp linux-2.6.36.1/kernel/trace/trace_output.c linux-2.6.36.1/kernel/trace/trace_output.c
51097 --- linux-2.6.36.1/kernel/trace/trace_output.c 2010-10-20 16:30:22.000000000 -0400
51098 +++ linux-2.6.36.1/kernel/trace/trace_output.c 2010-11-06 18:58:15.000000000 -0400
51099 @@ -278,7 +278,7 @@ int trace_seq_path(struct trace_seq *s,
51101 p = d_path(path, s->buffer + s->len, PAGE_SIZE - s->len);
51103 - p = mangle_path(s->buffer + s->len, p, "\n");
51104 + p = mangle_path(s->buffer + s->len, p, "\n\\");
51106 s->len = p - s->buffer;
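Review bot: The escape set passed to `mangle_path()` at 51104 grows from `"\n"` to `"\n\\"`, which is right — a backslash inside a path component could otherwise be read as the start of an escape when the trace output is parsed — but nothing on the line says so. A comment such as `/* escape '\\' as well as '\n' so the mangled path can be unambiguously unescaped */` stops a future cleanup from "simplifying" it back. trace_seq_path continues outside the hunk.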
51108 diff -urNp linux-2.6.36.1/kernel/trace/trace_stack.c linux-2.6.36.1/kernel/trace/trace_stack.c
51109 --- linux-2.6.36.1/kernel/trace/trace_stack.c 2010-10-20 16:30:22.000000000 -0400
51110 +++ linux-2.6.36.1/kernel/trace/trace_stack.c 2010-11-06 18:58:15.000000000 -0400
51111 @@ -50,7 +50,7 @@ static inline void check_stack(void)
51114 /* we do not handle interrupt stacks yet */
51115 - if (!object_is_on_stack(&this_size))
51116 + if (!object_starts_on_stack(&this_size))
51119 local_irq_save(flags);
51120 diff -urNp linux-2.6.36.1/lib/bug.c linux-2.6.36.1/lib/bug.c
51121 --- linux-2.6.36.1/lib/bug.c 2010-10-20 16:30:22.000000000 -0400
51122 +++ linux-2.6.36.1/lib/bug.c 2010-11-06 18:58:15.000000000 -0400
51123 @@ -133,6 +133,8 @@ enum bug_trap_type report_bug(unsigned l
51124 return BUG_TRAP_TYPE_NONE;
51126 bug = find_bug(bugaddr);
51128 + return BUG_TRAP_TYPE_NONE;
51132 diff -urNp linux-2.6.36.1/lib/debugobjects.c linux-2.6.36.1/lib/debugobjects.c
51133 --- linux-2.6.36.1/lib/debugobjects.c 2010-10-20 16:30:22.000000000 -0400
51134 +++ linux-2.6.36.1/lib/debugobjects.c 2010-11-06 18:58:15.000000000 -0400
51135 @@ -281,7 +281,7 @@ static void debug_object_is_on_stack(voi
51139 - is_on_stack = object_is_on_stack(addr);
51140 + is_on_stack = object_starts_on_stack(addr);
51141 if (is_on_stack == onstack)
51144 diff -urNp linux-2.6.36.1/lib/dma-debug.c linux-2.6.36.1/lib/dma-debug.c
51145 --- linux-2.6.36.1/lib/dma-debug.c 2010-10-20 16:30:22.000000000 -0400
51146 +++ linux-2.6.36.1/lib/dma-debug.c 2010-11-06 18:58:15.000000000 -0400
51147 @@ -861,7 +861,7 @@ out:
51149 static void check_for_stack(struct device *dev, void *addr)
51151 - if (object_is_on_stack(addr))
51152 + if (object_starts_on_stack(addr))
51153 err_printk(dev, NULL, "DMA-API: device driver maps memory from"
51154 "stack [addr=%p]\n", addr);
51156 diff -urNp linux-2.6.36.1/lib/inflate.c linux-2.6.36.1/lib/inflate.c
51157 --- linux-2.6.36.1/lib/inflate.c 2010-10-20 16:30:22.000000000 -0400
51158 +++ linux-2.6.36.1/lib/inflate.c 2010-11-06 18:58:15.000000000 -0400
51159 @@ -269,7 +269,7 @@ static void free(void *where)
51160 malloc_ptr = free_mem_ptr;
51163 -#define malloc(a) kmalloc(a, GFP_KERNEL)
51164 +#define malloc(a) kmalloc((a), GFP_KERNEL)
51165 #define free(a) kfree(a)
51168 diff -urNp linux-2.6.36.1/lib/Kconfig.debug linux-2.6.36.1/lib/Kconfig.debug
51169 --- linux-2.6.36.1/lib/Kconfig.debug 2010-10-20 16:30:22.000000000 -0400
51170 +++ linux-2.6.36.1/lib/Kconfig.debug 2010-11-06 19:03:24.000000000 -0400
51171 @@ -998,6 +998,7 @@ config LATENCYTOP
51172 depends on DEBUG_KERNEL
51173 depends on STACKTRACE_SUPPORT
51175 + depends on !GRKERNSEC_HIDESYM
51176 select FRAME_POINTER if !MIPS && !PPC && !S390 && !MICROBLAZE
51178 select KALLSYMS_ALL
51179 diff -urNp linux-2.6.36.1/lib/kref.c linux-2.6.36.1/lib/kref.c
51180 --- linux-2.6.36.1/lib/kref.c 2010-10-20 16:30:22.000000000 -0400
51181 +++ linux-2.6.36.1/lib/kref.c 2010-11-06 18:58:15.000000000 -0400
51182 @@ -52,7 +52,7 @@ void kref_get(struct kref *kref)
51184 int kref_put(struct kref *kref, void (*release)(struct kref *kref))
51186 - WARN_ON(release == NULL);
51187 + BUG_ON(release == NULL);
51188 WARN_ON(release == (void (*)(struct kref *))kfree);
51190 if (atomic_dec_and_test(&kref->refcount)) {
51191 diff -urNp linux-2.6.36.1/lib/parser.c linux-2.6.36.1/lib/parser.c
51192 --- linux-2.6.36.1/lib/parser.c 2010-10-20 16:30:22.000000000 -0400
51193 +++ linux-2.6.36.1/lib/parser.c 2010-11-06 18:58:15.000000000 -0400
51194 @@ -129,7 +129,7 @@ static int match_number(substring_t *s,
51198 - buf = kmalloc(s->to - s->from + 1, GFP_KERNEL);
51199 + buf = kmalloc((s->to - s->from) + 1, GFP_KERNEL);
51202 memcpy(buf, s->from, s->to - s->from);
51203 diff -urNp linux-2.6.36.1/lib/radix-tree.c linux-2.6.36.1/lib/radix-tree.c
51204 --- linux-2.6.36.1/lib/radix-tree.c 2010-10-20 16:30:22.000000000 -0400
51205 +++ linux-2.6.36.1/lib/radix-tree.c 2010-11-06 18:58:15.000000000 -0400
51206 @@ -80,7 +80,7 @@ struct radix_tree_preload {
51208 struct radix_tree_node *nodes[RADIX_TREE_MAX_PATH];
51210 -static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads) = { 0, };
51211 +static DEFINE_PER_CPU(struct radix_tree_preload, radix_tree_preloads);
51213 static inline gfp_t root_gfp_mask(struct radix_tree_root *root)
51215 diff -urNp linux-2.6.36.1/lib/vsprintf.c linux-2.6.36.1/lib/vsprintf.c
51216 --- linux-2.6.36.1/lib/vsprintf.c 2010-10-20 16:30:22.000000000 -0400
51217 +++ linux-2.6.36.1/lib/vsprintf.c 2010-11-13 16:31:35.000000000 -0500
51219 * - scnprintf and vscnprintf
51222 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51223 +#define __INCLUDED_BY_HIDESYM 1
51225 #include <stdarg.h>
51226 #include <linux/module.h>
51227 #include <linux/types.h>
51228 @@ -574,7 +577,7 @@ char *symbol_string(char *buf, char *end
51229 unsigned long value = (unsigned long) ptr;
51230 #ifdef CONFIG_KALLSYMS
51231 char sym[KSYM_SYMBOL_LEN];
51232 - if (ext != 'f' && ext != 's')
51233 + if (ext != 'f' && ext != 's' && ext != 'a')
51234 sprint_symbol(sym, value);
51236 kallsyms_lookup(value, NULL, NULL, NULL, sym);
51237 @@ -947,6 +950,8 @@ char *uuid_string(char *buf, char *end,
51238 * - 'f' For simple symbolic function names without offset
51239 * - 'S' For symbolic direct pointers with offset
51240 * - 's' For symbolic direct pointers without offset
51241 + * - 'A' For symbolic direct pointers with offset approved for use with GRKERNSEC_HIDESYM
51242 + * - 'a' For symbolic direct pointers without offset approved for use with GRKERNSEC_HIDESYM
51243 * - 'R' For decoded struct resource, e.g., [mem 0x0-0x1f 64bit pref]
51244 * - 'r' For raw struct resource, e.g., [mem 0x0-0x1f flags 0x201]
51245 * - 'M' For a 6-byte MAC address, it prints the address in the
51246 @@ -989,7 +994,7 @@ char *pointer(const char *fmt, char *buf
51247 struct printf_spec spec)
51250 - return string(buf, end, "(null)", spec);
51251 + return string(buf, end, "(nil)", spec);
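Review bot: Changing the NULL-pointer rendering of `%p` from "(null)" to "(nil)" at 51251 is a user-visible format change: anything that scans kernel messages or procfs output for "(null)", and the `%s` NULL case in string() (which, as far as this view shows, still prints "(null)"), now sees two spellings for the same condition. The patch itself depends on the new spelling indirectly — the HIDESYM placeholders at timer_list.c 50913/50930 and timer_stats.c 50957 print `<%p>` with NULL — so if the change is intentional a comment on this line, e.g. `/* "(nil)" marks a NULL pointer, distinct from the "(null)" used for a NULL string */`, should record it; otherwise keep "(null)" for consistency. pointer() continues outside the hunk.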
51255 @@ -998,6 +1003,13 @@ char *pointer(const char *fmt, char *buf
51259 +#ifdef CONFIG_GRKERNSEC_HIDESYM
51262 + return symbol_string(buf, end, ptr, spec, *fmt);
51266 return symbol_string(buf, end, ptr, spec, *fmt);
51269 diff -urNp linux-2.6.36.1/localversion-grsec linux-2.6.36.1/localversion-grsec
51270 --- linux-2.6.36.1/localversion-grsec 1969-12-31 19:00:00.000000000 -0500
51271 +++ linux-2.6.36.1/localversion-grsec 2010-11-06 18:58:50.000000000 -0400
51274 diff -urNp linux-2.6.36.1/Makefile linux-2.6.36.1/Makefile
51275 --- linux-2.6.36.1/Makefile 2010-11-26 18:26:23.000000000 -0500
51276 +++ linux-2.6.36.1/Makefile 2010-11-26 18:27:07.000000000 -0500
51277 @@ -229,8 +229,8 @@ CONFIG_SHELL := $(shell if [ -x "$$BASH"
51281 -HOSTCFLAGS = -Wall -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer
51282 -HOSTCXXFLAGS = -O2
51283 +HOSTCFLAGS = -Wall -W -Wmissing-prototypes -Wstrict-prototypes -O2 -fomit-frame-pointer -fno-delete-null-pointer-checks
51284 +HOSTCXXFLAGS = -O2 -fno-delete-null-pointer-checks
51286 # Decide whether to build built-in, modular, or both.
51287 # Normally, just do built-in.
51288 @@ -659,7 +659,7 @@ export mod_strip_cmd
51291 ifeq ($(KBUILD_EXTMOD),)
51292 -core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/
51293 +core-y += kernel/ mm/ fs/ ipc/ security/ crypto/ block/ grsecurity/
51295 vmlinux-dirs := $(patsubst %/,%,$(filter %/, $(init-y) $(init-m) \
51296 $(core-y) $(core-m) $(drivers-y) $(drivers-m) \
51297 diff -urNp linux-2.6.36.1/mm/bootmem.c linux-2.6.36.1/mm/bootmem.c
51298 --- linux-2.6.36.1/mm/bootmem.c 2010-10-20 16:30:22.000000000 -0400
51299 +++ linux-2.6.36.1/mm/bootmem.c 2010-11-06 18:58:15.000000000 -0400
51300 @@ -200,19 +200,30 @@ static void __init __free_pages_memory(u
51301 unsigned long __init free_all_memory_core_early(int nodeid)
51305 + u64 start, end, startrange, endrange;
51306 unsigned long count = 0;
51307 - struct range *range = NULL;
51308 + struct range *range = NULL, rangerange = { 0, 0 };
51311 nr_range = get_free_all_memory_range(&range, nodeid);
51312 + startrange = __pa(range) >> PAGE_SHIFT;
51313 + endrange = (__pa(range + nr_range) - 1) >> PAGE_SHIFT;
51315 for (i = 0; i < nr_range; i++) {
51316 start = range[i].start;
51317 end = range[i].end;
51318 + if (start <= endrange && startrange < end) {
51319 + BUG_ON(rangerange.start | rangerange.end);
51320 + rangerange = range[i];
51323 count += end - start;
51324 __free_pages_memory(start, end);
51326 + start = rangerange.start;
51327 + end = rangerange.end;
51328 + count += end - start;
51329 + __free_pages_memory(start, end);
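Review bot: The deferred free after the loop (`start = rangerange.start;` through `__free_pages_memory(start, end);`) runs unconditionally, so when no entry of range[] overlapped the array itself, rangerange is still `{ 0, 0 }` and `__free_pages_memory(0, 0)` is called; guard it with `if (rangerange.start | rangerange.end) { ... }` (the same test the BUG_ON uses) so the no-overlap case is a no-op by construction rather than by relying on the callee. The `BUG_ON(rangerange.start | rangerange.end)` inside the loop also assumes the array never straddles two entries of range[]; a comment stating why that holds (presumably because get_free_all_memory_range() returns merged, non-adjacent ranges) would help the next reader. Some lines of this hunk are not visible here, so the closing of the for loop and the function's return are inferred.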
51333 diff -urNp linux-2.6.36.1/mm/filemap.c linux-2.6.36.1/mm/filemap.c
51334 --- linux-2.6.36.1/mm/filemap.c 2010-10-20 16:30:22.000000000 -0400
51335 +++ linux-2.6.36.1/mm/filemap.c 2010-11-06 18:58:50.000000000 -0400
51336 @@ -1640,7 +1640,7 @@ int generic_file_mmap(struct file * file
51337 struct address_space *mapping = file->f_mapping;
51339 if (!mapping->a_ops->readpage)
51342 file_accessed(file);
51343 vma->vm_ops = &generic_file_vm_ops;
51344 vma->vm_flags |= VM_CAN_NONLINEAR;
51345 @@ -2036,6 +2036,7 @@ inline int generic_write_checks(struct f
51346 *pos = i_size_read(inode);
51348 if (limit != RLIM_INFINITY) {
51349 + gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);
51350 if (*pos >= limit) {
51351 send_sig(SIGXFSZ, current, 0);
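Review bot: Style: the added call `gr_learn_resource(current, RLIMIT_FSIZE,*pos, 0);` is missing the space after the comma that kernel coding style requires; write `gr_learn_resource(current, RLIMIT_FSIZE, *pos, 0);`. generic_write_checks() continues outside the hunk.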
51353 diff -urNp linux-2.6.36.1/mm/fremap.c linux-2.6.36.1/mm/fremap.c
51354 --- linux-2.6.36.1/mm/fremap.c 2010-10-20 16:30:22.000000000 -0400
51355 +++ linux-2.6.36.1/mm/fremap.c 2010-11-06 18:58:15.000000000 -0400
51356 @@ -156,6 +156,11 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
51358 vma = find_vma(mm, start);
51360 +#ifdef CONFIG_PAX_SEGMEXEC
51361 + if (vma && (mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_MAYEXEC))
51366 * Make sure the vma is shared, that it supports prefaulting,
51367 * and that the remapped range is valid and fully within
51368 @@ -224,7 +229,7 @@ SYSCALL_DEFINE5(remap_file_pages, unsign
51370 * drop PG_Mlocked flag for over-mapped range
51372 - unsigned int saved_flags = vma->vm_flags;
51373 + unsigned long saved_flags = vma->vm_flags;
51374 munlock_vma_pages_range(vma, start, start + size);
51375 vma->vm_flags = saved_flags;
51377 diff -urNp linux-2.6.36.1/mm/highmem.c linux-2.6.36.1/mm/highmem.c
51378 --- linux-2.6.36.1/mm/highmem.c 2010-10-20 16:30:22.000000000 -0400
51379 +++ linux-2.6.36.1/mm/highmem.c 2010-11-06 18:58:15.000000000 -0400
51380 @@ -117,9 +117,10 @@ static void flush_all_zero_pkmaps(void)
51381 * So no dangers, even with speculative execution.
51383 page = pte_page(pkmap_page_table[i]);
51384 + pax_open_kernel();
51385 pte_clear(&init_mm, (unsigned long)page_address(page),
51386 &pkmap_page_table[i]);
51388 + pax_close_kernel();
51389 set_page_address(page, NULL);
51392 @@ -178,9 +179,11 @@ start:
51395 vaddr = PKMAP_ADDR(last_pkmap_nr);
51397 + pax_open_kernel();
51398 set_pte_at(&init_mm, vaddr,
51399 &(pkmap_page_table[last_pkmap_nr]), mk_pte(page, kmap_prot));
51401 + pax_close_kernel();
51402 pkmap_count[last_pkmap_nr] = 1;
51403 set_page_address(page, (void *)vaddr);
51405 diff -urNp linux-2.6.36.1/mm/hugetlb.c linux-2.6.36.1/mm/hugetlb.c
51406 --- linux-2.6.36.1/mm/hugetlb.c 2010-10-20 16:30:22.000000000 -0400
51407 +++ linux-2.6.36.1/mm/hugetlb.c 2010-11-06 18:58:15.000000000 -0400
51408 @@ -2305,6 +2305,27 @@ static int unmap_ref_private(struct mm_s
51412 +#ifdef CONFIG_PAX_SEGMEXEC
51413 +static void pax_mirror_huge_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m)
51415 + struct mm_struct *mm = vma->vm_mm;
51416 + struct vm_area_struct *vma_m;
51417 + unsigned long address_m;
51420 + vma_m = pax_find_mirror_vma(vma);
51424 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51425 + address_m = address + SEGMEXEC_TASK_SIZE;
51426 + ptep_m = huge_pte_offset(mm, address_m & HPAGE_MASK);
51427 + get_page(page_m);
51428 + hugepage_add_anon_rmap(page_m, vma_m, address_m);
51429 + set_huge_pte_at(mm, address_m, ptep_m, make_huge_pte(vma_m, page_m, 0));
51434 * Hugetlb_cow() should be called with page lock of the original hugepage held.
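Review bot: In pax_mirror_huge_pte() the result of `huge_pte_offset(mm, address_m & HPAGE_MASK)` is handed straight to set_huge_pte_at() with no NULL check (the lookup and the get_page() that follows are consecutive lines in the hunk), so the function silently relies on its callers having already run huge_pte_alloc() for the mirror address, as the hugetlb_fault() hunk below does. Add `BUG_ON(!ptep_m);` after the lookup, or a comment naming the precondition, so the dependency is explicit at the definition. The masking with `HPAGE_MASK` here, and `HPAGE_MASK`/`HPAGE_SIZE` in the hugetlb_fault() hunk, use the compile-time default hugepage size while hugetlb_fault() allocates with `huge_page_size(h)`; on the x86-32 configurations SEGMEXEC targets these presumably coincide, but `huge_page_mask(hstate_vma(vma))` would make the mirror code independent of that assumption. Several lines of this hunk are not visible, so the early return on a missing mirror vma is inferred.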
51436 @@ -2402,6 +2423,11 @@ retry_avoidcopy:
51437 make_huge_pte(vma, new_page, 1));
51438 page_remove_rmap(old_page);
51439 hugepage_add_new_anon_rmap(new_page, vma, address);
51441 +#ifdef CONFIG_PAX_SEGMEXEC
51442 + pax_mirror_huge_pte(vma, address, new_page);
51445 /* Make the old page be freed below */
51446 new_page = old_page;
51447 mmu_notifier_invalidate_range_end(mm,
51448 @@ -2555,6 +2581,10 @@ retry:
51449 && (vma->vm_flags & VM_SHARED)));
51450 set_huge_pte_at(mm, address, ptep, new_pte);
51452 +#ifdef CONFIG_PAX_SEGMEXEC
51453 + pax_mirror_huge_pte(vma, address, page);
51456 if ((flags & FAULT_FLAG_WRITE) && !(vma->vm_flags & VM_SHARED)) {
51457 /* Optimization, do the COW without a second fault */
51458 ret = hugetlb_cow(mm, vma, address, ptep, new_pte, page);
51459 @@ -2584,6 +2614,10 @@ int hugetlb_fault(struct mm_struct *mm,
51460 static DEFINE_MUTEX(hugetlb_instantiation_mutex);
51461 struct hstate *h = hstate_vma(vma);
51463 +#ifdef CONFIG_PAX_SEGMEXEC
51464 + struct vm_area_struct *vma_m;
51467 ptep = huge_pte_offset(mm, address);
51469 entry = huge_ptep_get(ptep);
51470 @@ -2591,6 +2625,26 @@ int hugetlb_fault(struct mm_struct *mm,
51471 return VM_FAULT_HWPOISON;
51474 +#ifdef CONFIG_PAX_SEGMEXEC
51475 + vma_m = pax_find_mirror_vma(vma);
51477 + unsigned long address_m;
51479 + if (vma->vm_start > vma_m->vm_start) {
51480 + address_m = address;
51481 + address -= SEGMEXEC_TASK_SIZE;
51483 + h = hstate_vma(vma);
51485 + address_m = address + SEGMEXEC_TASK_SIZE;
51487 + if (!huge_pte_alloc(mm, address_m, huge_page_size(h)))
51488 + return VM_FAULT_OOM;
51489 + address_m &= HPAGE_MASK;
51490 + unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL);
51494 ptep = huge_pte_alloc(mm, address, huge_page_size(h));
51496 return VM_FAULT_OOM;
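Review bot: The mirror-address bookkeeping added to hugetlb_fault() (pick the lower of vma and vma_m, derive address_m by adding or subtracting SEGMEXEC_TASK_SIZE, then allocate page tables for address_m) is the same sequence the handle_mm_fault() hunk in mm/memory.c introduces; a small static helper that normalises vma/address and returns address_m would keep the two copies in step and give the swap a name. The unconditional `unmap_hugepage_range(vma, address_m, address_m + HPAGE_SIZE, NULL)` on the pre-existing mirror range also deserves a one-line comment saying why the old mirror mapping must be torn down before the fault proceeds, since that intent is not recoverable from the code. The body of hugetlb_fault() continues outside the hunk, and a few intermediate lines are not visible here.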
51497 diff -urNp linux-2.6.36.1/mm/Kconfig linux-2.6.36.1/mm/Kconfig
51498 --- linux-2.6.36.1/mm/Kconfig 2010-10-20 16:30:22.000000000 -0400
51499 +++ linux-2.6.36.1/mm/Kconfig 2010-11-06 18:58:50.000000000 -0400
51500 @@ -240,7 +240,7 @@ config KSM
51501 config DEFAULT_MMAP_MIN_ADDR
51502 int "Low address space to protect from user allocation"
51507 This is the portion of low virtual memory which should be protected
51508 from userspace allocation. Keeping a user from writing to low pages
51509 diff -urNp linux-2.6.36.1/mm/kmemleak.c linux-2.6.36.1/mm/kmemleak.c
51510 --- linux-2.6.36.1/mm/kmemleak.c 2010-10-20 16:30:22.000000000 -0400
51511 +++ linux-2.6.36.1/mm/kmemleak.c 2010-11-13 16:29:01.000000000 -0500
51512 @@ -355,7 +355,7 @@ static void print_unreferenced(struct se
51514 for (i = 0; i < object->trace_len; i++) {
51515 void *ptr = (void *)object->trace[i];
51516 - seq_printf(seq, " [<%p>] %pS\n", ptr, ptr);
51517 + seq_printf(seq, " [<%p>] %pA\n", ptr, ptr);
51521 diff -urNp linux-2.6.36.1/mm/maccess.c linux-2.6.36.1/mm/maccess.c
51522 --- linux-2.6.36.1/mm/maccess.c 2010-10-20 16:30:22.000000000 -0400
51523 +++ linux-2.6.36.1/mm/maccess.c 2010-11-06 18:58:15.000000000 -0400
51524 @@ -15,10 +15,10 @@
51525 * happens, handle that and return -EFAULT.
51528 -long __weak probe_kernel_read(void *dst, void *src, size_t size)
51529 +long __weak probe_kernel_read(void *dst, const void *src, size_t size)
51530 __attribute__((alias("__probe_kernel_read")));
51532 -long __probe_kernel_read(void *dst, void *src, size_t size)
51533 +long __probe_kernel_read(void *dst, const void *src, size_t size)
51536 mm_segment_t old_fs = get_fs();
51537 @@ -43,10 +43,10 @@ EXPORT_SYMBOL_GPL(probe_kernel_read);
51538 * Safely write to address @dst from the buffer at @src. If a kernel fault
51539 * happens, handle that and return -EFAULT.
51541 -long __weak probe_kernel_write(void *dst, void *src, size_t size)
51542 +long __weak probe_kernel_write(void *dst, const void *src, size_t size)
51543 __attribute__((alias("__probe_kernel_write")));
51545 -long __probe_kernel_write(void *dst, void *src, size_t size)
51546 +long __probe_kernel_write(void *dst, const void *src, size_t size)
51549 mm_segment_t old_fs = get_fs();
51550 diff -urNp linux-2.6.36.1/mm/madvise.c linux-2.6.36.1/mm/madvise.c
51551 --- linux-2.6.36.1/mm/madvise.c 2010-10-20 16:30:22.000000000 -0400
51552 +++ linux-2.6.36.1/mm/madvise.c 2010-11-06 18:58:15.000000000 -0400
51553 @@ -45,6 +45,10 @@ static long madvise_behavior(struct vm_a
51555 unsigned long new_flags = vma->vm_flags;
51557 +#ifdef CONFIG_PAX_SEGMEXEC
51558 + struct vm_area_struct *vma_m;
51561 switch (behavior) {
51563 new_flags = new_flags & ~VM_RAND_READ & ~VM_SEQ_READ;
51564 @@ -104,6 +108,13 @@ success:
51566 * vm_flags is protected by the mmap_sem held in write mode.
51569 +#ifdef CONFIG_PAX_SEGMEXEC
51570 + vma_m = pax_find_mirror_vma(vma);
51572 + vma_m->vm_flags = new_flags & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT);
51575 vma->vm_flags = new_flags;
51578 @@ -162,6 +173,11 @@ static long madvise_dontneed(struct vm_a
51579 struct vm_area_struct ** prev,
51580 unsigned long start, unsigned long end)
51583 +#ifdef CONFIG_PAX_SEGMEXEC
51584 + struct vm_area_struct *vma_m;
51588 if (vma->vm_flags & (VM_LOCKED|VM_HUGETLB|VM_PFNMAP))
51590 @@ -174,6 +190,21 @@ static long madvise_dontneed(struct vm_a
51591 zap_page_range(vma, start, end - start, &details);
51593 zap_page_range(vma, start, end - start, NULL);
51595 +#ifdef CONFIG_PAX_SEGMEXEC
51596 + vma_m = pax_find_mirror_vma(vma);
51598 + if (unlikely(vma->vm_flags & VM_NONLINEAR)) {
51599 + struct zap_details details = {
51600 + .nonlinear_vma = vma_m,
51601 + .last_index = ULONG_MAX,
51603 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, &details);
51605 + zap_page_range(vma, start + SEGMEXEC_TASK_SIZE, end - start, NULL);
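Review bot: In madvise_dontneed() the mirror zap passes `vma` as the first argument to zap_page_range() while the range `start + SEGMEXEC_TASK_SIZE` lies in `vma_m`, and the nonlinear case even sets `.nonlinear_vma = vma_m` in the same call. As far as the visible lines show, this works only because unmap_vmas() walks forward from the given vma and clips each one to the requested range; passing the owning vma directly, `zap_page_range(vma_m, start + SEGMEXEC_TASK_SIZE, end - start, &details);` and likewise on the NULL-details line, states the intent and does not depend on list order. The `if (vma_m)` guard and the closing braces of the block are not visible in this view.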
51612 @@ -366,6 +397,16 @@ SYSCALL_DEFINE3(madvise, unsigned long,
51616 +#ifdef CONFIG_PAX_SEGMEXEC
51617 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
51618 + if (end > SEGMEXEC_TASK_SIZE)
51623 + if (end > TASK_SIZE)
51629 diff -urNp linux-2.6.36.1/mm/memory.c linux-2.6.36.1/mm/memory.c
51630 --- linux-2.6.36.1/mm/memory.c 2010-10-20 16:30:22.000000000 -0400
51631 +++ linux-2.6.36.1/mm/memory.c 2010-11-06 18:58:50.000000000 -0400
51632 @@ -259,8 +259,12 @@ static inline void free_pmd_range(struct
51635 pmd = pmd_offset(pud, start);
51637 +#if !defined(CONFIG_X86_32) || !defined(CONFIG_PAX_PER_CPU_PGD)
51639 pmd_free_tlb(tlb, pmd, start);
51644 static inline void free_pud_range(struct mmu_gather *tlb, pgd_t *pgd,
51645 @@ -291,9 +295,12 @@ static inline void free_pud_range(struct
51646 if (end - 1 > ceiling - 1)
51649 +#if !defined(CONFIG_X86_64) || !defined(CONFIG_PAX_PER_CPU_PGD)
51650 pud = pud_offset(pgd, start);
51652 pud_free_tlb(tlb, pud, start);
51658 @@ -1361,10 +1368,10 @@ int __get_user_pages(struct task_struct
51659 (VM_MAYREAD | VM_MAYWRITE) : (VM_READ | VM_WRITE);
51663 + while (nr_pages) {
51664 struct vm_area_struct *vma;
51666 - vma = find_extend_vma(mm, start);
51667 + vma = find_vma(mm, start);
51668 if (!vma && in_gate_area(tsk, start)) {
51669 unsigned long pg = start & PAGE_MASK;
51670 struct vm_area_struct *gate_vma = get_gate_vma(tsk);
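Review bot: Replacing `find_extend_vma(mm, start)` with `find_vma(mm, start)` in __get_user_pages() means get_user_pages() no longer grows a VM_GROWSDOWN stack to cover the requested address; together with the new `start < vma->vm_start` test in the following hunk, a caller that used to trigger a stack extension (ptrace or access_process_vm reading just below the current stack bottom, for example) now gets -EFAULT. That is a deliberate hardening choice, but nothing in the hunk says so; add a comment above the loop, e.g. `/* PaX: GUP never extends the stack; the address must already be mapped */`, and call the behaviour change out in the patch description. The conversion of the do/while into `while (nr_pages)` spans this hunk and the two __get_user_pages hunks after it, so the loop's end is outside this one.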
51671 @@ -1416,7 +1423,7 @@ int __get_user_pages(struct task_struct
51676 + if (!vma || start < vma->vm_start ||
51677 (vma->vm_flags & (VM_IO | VM_PFNMAP)) ||
51678 !(vm_flags & vma->vm_flags))
51679 return i ? : -EFAULT;
51680 @@ -1491,7 +1498,7 @@ int __get_user_pages(struct task_struct
51681 start += PAGE_SIZE;
51683 } while (nr_pages && start < vma->vm_end);
51684 - } while (nr_pages);
51689 @@ -1636,6 +1643,10 @@ static int insert_page(struct vm_area_st
51690 page_add_file_rmap(page);
51691 set_pte_at(mm, addr, pte, mk_pte(page, prot));
51693 +#ifdef CONFIG_PAX_SEGMEXEC
51694 + pax_mirror_file_pte(vma, addr, page, ptl);
51698 pte_unmap_unlock(pte, ptl);
51700 @@ -1670,10 +1681,22 @@ out:
51701 int vm_insert_page(struct vm_area_struct *vma, unsigned long addr,
51705 +#ifdef CONFIG_PAX_SEGMEXEC
51706 + struct vm_area_struct *vma_m;
51709 if (addr < vma->vm_start || addr >= vma->vm_end)
51711 if (!page_count(page))
51714 +#ifdef CONFIG_PAX_SEGMEXEC
51715 + vma_m = pax_find_mirror_vma(vma);
51717 + vma_m->vm_flags |= VM_INSERTPAGE;
51720 vma->vm_flags |= VM_INSERTPAGE;
51721 return insert_page(vma, addr, page, vma->vm_page_prot);
51723 @@ -1759,6 +1782,7 @@ int vm_insert_mixed(struct vm_area_struc
51726 BUG_ON(!(vma->vm_flags & VM_MIXEDMAP));
51727 + BUG_ON(vma->vm_mirror);
51729 if (addr < vma->vm_start || addr >= vma->vm_end)
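Review bot: `BUG_ON(vma->vm_mirror);` in vm_insert_mixed() is the only PaX addition in this file that is not wrapped in `#ifdef CONFIG_PAX_SEGMEXEC`; if `vm_mirror` is declared in vm_area_struct only under that option (not visible here), this breaks the build for every other configuration, and even if it is declared unconditionally the assertion is meaningless without SEGMEXEC. Wrap it like the neighbouring hunks, or express the invariant as `BUG_ON(pax_find_mirror_vma(vma));` inside the same `#ifdef`. vm_insert_mixed() continues outside the hunk.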
51731 @@ -2086,6 +2110,186 @@ static inline void cow_user_page(struct
51732 copy_user_highpage(dst, src, va, vma);
51735 +#ifdef CONFIG_PAX_SEGMEXEC
51736 +static void pax_unmap_mirror_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd)
51738 + struct mm_struct *mm = vma->vm_mm;
51740 + pte_t *pte, entry;
51742 + pte = pte_offset_map_lock(mm, pmd, address, &ptl);
51744 + if (!pte_present(entry)) {
51745 + if (!pte_none(entry)) {
51746 + BUG_ON(pte_file(entry));
51747 + free_swap_and_cache(pte_to_swp_entry(entry));
51748 + pte_clear_not_present_full(mm, address, pte, 0);
51751 + struct page *page;
51753 + flush_cache_page(vma, address, pte_pfn(entry));
51754 + entry = ptep_clear_flush(vma, address, pte);
51755 + BUG_ON(pte_dirty(entry));
51756 + page = vm_normal_page(vma, address, entry);
51758 + update_hiwater_rss(mm);
51759 + if (PageAnon(page))
51760 + dec_mm_counter_fast(mm, MM_ANONPAGES);
51762 + dec_mm_counter_fast(mm, MM_FILEPAGES);
51763 + page_remove_rmap(page);
51764 + page_cache_release(page);
51767 + pte_unmap_unlock(pte, ptl);
51770 +/* PaX: if vma is mirrored, synchronize the mirror's PTE
51772 + * the ptl of the lower mapped page is held on entry and is not released on exit
51773 + * or inside to ensure atomic changes to the PTE states (swapout, mremap, munmap, etc)
51775 +static void pax_mirror_anon_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
51777 + struct mm_struct *mm = vma->vm_mm;
51778 + unsigned long address_m;
51779 + spinlock_t *ptl_m;
51780 + struct vm_area_struct *vma_m;
51782 + pte_t *pte_m, entry_m;
51784 + BUG_ON(!page_m || !PageAnon(page_m));
51786 + vma_m = pax_find_mirror_vma(vma);
51790 + BUG_ON(!PageLocked(page_m));
51791 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51792 + address_m = address + SEGMEXEC_TASK_SIZE;
51793 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
51794 + pte_m = pte_offset_map_nested(pmd_m, address_m);
51795 + ptl_m = pte_lockptr(mm, pmd_m);
51796 + if (ptl != ptl_m) {
51797 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
51798 + if (!pte_none(*pte_m))
51802 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
51803 + page_cache_get(page_m);
51804 + page_add_anon_rmap(page_m, vma_m, address_m);
51805 + inc_mm_counter_fast(mm, MM_ANONPAGES);
51806 + set_pte_at(mm, address_m, pte_m, entry_m);
51807 + update_mmu_cache(vma_m, address_m, entry_m);
51809 + if (ptl != ptl_m)
51810 + spin_unlock(ptl_m);
51811 + pte_unmap_nested(pte_m);
51812 + unlock_page(page_m);
51815 +void pax_mirror_file_pte(struct vm_area_struct *vma, unsigned long address, struct page *page_m, spinlock_t *ptl)
51817 + struct mm_struct *mm = vma->vm_mm;
51818 + unsigned long address_m;
51819 + spinlock_t *ptl_m;
51820 + struct vm_area_struct *vma_m;
51822 + pte_t *pte_m, entry_m;
51824 + BUG_ON(!page_m || PageAnon(page_m));
51826 + vma_m = pax_find_mirror_vma(vma);
51830 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51831 + address_m = address + SEGMEXEC_TASK_SIZE;
51832 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
51833 + pte_m = pte_offset_map_nested(pmd_m, address_m);
51834 + ptl_m = pte_lockptr(mm, pmd_m);
51835 + if (ptl != ptl_m) {
51836 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
51837 + if (!pte_none(*pte_m))
51841 + entry_m = pfn_pte(page_to_pfn(page_m), vma_m->vm_page_prot);
51842 + page_cache_get(page_m);
51843 + page_add_file_rmap(page_m);
51844 + inc_mm_counter_fast(mm, MM_FILEPAGES);
51845 + set_pte_at(mm, address_m, pte_m, entry_m);
51846 + update_mmu_cache(vma_m, address_m, entry_m);
51848 + if (ptl != ptl_m)
51849 + spin_unlock(ptl_m);
51850 + pte_unmap_nested(pte_m);
51853 +static void pax_mirror_pfn_pte(struct vm_area_struct *vma, unsigned long address, unsigned long pfn_m, spinlock_t *ptl)
51855 + struct mm_struct *mm = vma->vm_mm;
51856 + unsigned long address_m;
51857 + spinlock_t *ptl_m;
51858 + struct vm_area_struct *vma_m;
51860 + pte_t *pte_m, entry_m;
51862 + vma_m = pax_find_mirror_vma(vma);
51866 + BUG_ON(address >= SEGMEXEC_TASK_SIZE);
51867 + address_m = address + SEGMEXEC_TASK_SIZE;
51868 + pmd_m = pmd_offset(pud_offset(pgd_offset(mm, address_m), address_m), address_m);
51869 + pte_m = pte_offset_map_nested(pmd_m, address_m);
51870 + ptl_m = pte_lockptr(mm, pmd_m);
51871 + if (ptl != ptl_m) {
51872 + spin_lock_nested(ptl_m, SINGLE_DEPTH_NESTING);
51873 + if (!pte_none(*pte_m))
51877 + entry_m = pfn_pte(pfn_m, vma_m->vm_page_prot);
51878 + set_pte_at(mm, address_m, pte_m, entry_m);
51880 + if (ptl != ptl_m)
51881 + spin_unlock(ptl_m);
51882 + pte_unmap_nested(pte_m);
51885 +static void pax_mirror_pte(struct vm_area_struct *vma, unsigned long address, pte_t *pte, pmd_t *pmd, spinlock_t *ptl)
51887 + struct page *page_m;
51890 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC))
51894 + page_m = vm_normal_page(vma, address, entry);
51896 + pax_mirror_pfn_pte(vma, address, pte_pfn(entry), ptl);
51897 + else if (PageAnon(page_m)) {
51898 + if (pax_find_mirror_vma(vma)) {
51899 + pte_unmap_unlock(pte, ptl);
51900 + lock_page(page_m);
51901 + pte = pte_offset_map_lock(vma->vm_mm, pmd, address, &ptl);
51902 + if (pte_same(entry, *pte))
51903 + pax_mirror_anon_pte(vma, address, page_m, ptl);
51905 + unlock_page(page_m);
51908 + pax_mirror_file_pte(vma, address, page_m, ptl);
51911 + pte_unmap_unlock(pte, ptl);
51916 * This routine handles present pages, when users try to write
51917 * to a shared page. It is done by copying the page to a new address
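Review bot: The header comment on pax_mirror_anon_pte() documents that the caller's ptl is held and not released, but not that the function consumes the page lock: it asserts `BUG_ON(!PageLocked(page_m))` on entry and calls `unlock_page(page_m)` before returning, which is why every call site (do_wp_page, do_anonymous_page, __do_fault and pax_mirror_pte in this file) takes `trylock_page()` or `lock_page()` first. Extend the comment with ` * page_m must be locked on entry and is unlocked before return` so the asymmetric contract is visible at the definition rather than discovered from the callers; pax_mirror_file_pte() has no such requirement and a line saying so would make the contrast explicit. Separately, pax_mirror_anon_pte(), pax_mirror_file_pte() and pax_mirror_pfn_pte() share the same mirror-vma lookup, pgd/pud/pmd walk, pte_offset_map_nested() and nested-lock sequence; a static helper that maps and locks the mirror pte (returning pte_m and ptl_m) would leave only the rmap and counter lines distinct. Many lines of this hunk are not visible, so the early returns on a missing mirror vma or a non-empty mirror pte are inferred.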
51918 @@ -2272,6 +2476,12 @@ gotten:
51920 page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
51921 if (likely(pte_same(*page_table, orig_pte))) {
51923 +#ifdef CONFIG_PAX_SEGMEXEC
51924 + if (pax_find_mirror_vma(vma))
51925 + BUG_ON(!trylock_page(new_page));
51929 if (!PageAnon(old_page)) {
51930 dec_mm_counter_fast(mm, MM_FILEPAGES);
51931 @@ -2323,6 +2533,10 @@ gotten:
51932 page_remove_rmap(old_page);
51935 +#ifdef CONFIG_PAX_SEGMEXEC
51936 + pax_mirror_anon_pte(vma, address, new_page, ptl);
51939 /* Free the old page.. */
51940 new_page = old_page;
51941 ret |= VM_FAULT_WRITE;
51942 @@ -2749,19 +2963,12 @@ static int do_swap_page(struct mm_struct
51944 if (vm_swap_full() || (vma->vm_flags & VM_LOCKED) || PageMlocked(page))
51945 try_to_free_swap(page);
51947 +#ifdef CONFIG_PAX_SEGMEXEC
51948 + if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))
51954 - * Hold the lock to avoid the swap entry to be reused
51955 - * until we take the PT lock for the pte_same() check
51956 - * (to avoid false positives from pte_same). For
51957 - * further safety release the lock after the swap_free
51958 - * so that the swap count won't change under a
51959 - * parallel locked swapcache.
51961 - unlock_page(swapcache);
51962 - page_cache_release(swapcache);
51965 if (flags & FAULT_FLAG_WRITE) {
51966 ret |= do_wp_page(mm, vma, address, page_table, pmd, ptl, pte);
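Review bot: The removed lines in do_swap_page() drop `unlock_page(swapcache); page_cache_release(swapcache);` (and the out_page counterpart in the following hunk) with no visible replacement; if the KSM copy path earlier in do_swap_page() that sets `swapcache` to the original swapcache page is still present in this tree (it is outside the hunk), the patched function now leaves that page locked and leaks its reference on every copied swap-in. If that path was removed or never sets `swapcache` here, a one-line comment at the new `unlock_page(page)` saying so would settle the question; otherwise the two lines need to come back inside the existing `if (swapcache)` block. The new guard `if ((flags & FAULT_FLAG_WRITE) || !pax_find_mirror_vma(vma))` around the unlock presumably keeps the page locked for the pax_mirror_anon_pte() call added in the next hunk, which unlocks it itself; that hand-off also deserves a comment, since the unlock now happens in a different function depending on configuration.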
51967 @@ -2772,6 +2979,11 @@ static int do_swap_page(struct mm_struct
51969 /* No need to invalidate - it was non-present before */
51970 update_mmu_cache(vma, address, page_table);
51972 +#ifdef CONFIG_PAX_SEGMEXEC
51973 + pax_mirror_anon_pte(vma, address, page, ptl);
51977 pte_unmap_unlock(page_table, ptl);
51979 @@ -2783,48 +2995,10 @@ out_page:
51982 page_cache_release(page);
51984 - unlock_page(swapcache);
51985 - page_cache_release(swapcache);
51991 - * This is like a special single-page "expand_{down|up}wards()",
51992 - * except we must first make sure that 'address{-|+}PAGE_SIZE'
51993 - * doesn't hit another vma.
51995 -static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address)
51997 - address &= PAGE_MASK;
51998 - if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) {
51999 - struct vm_area_struct *prev = vma->vm_prev;
52002 - * Is there a mapping abutting this one below?
52004 - * That's only ok if it's the same stack mapping
52005 - * that has gotten split..
52007 - if (prev && prev->vm_end == address)
52008 - return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM;
52010 - expand_stack(vma, address - PAGE_SIZE);
52012 - if ((vma->vm_flags & VM_GROWSUP) && address + PAGE_SIZE == vma->vm_end) {
52013 - struct vm_area_struct *next = vma->vm_next;
52015 - /* As VM_GROWSDOWN but s/below/above/ */
52016 - if (next && next->vm_start == address + PAGE_SIZE)
52017 - return next->vm_flags & VM_GROWSUP ? 0 : -ENOMEM;
52019 - expand_upwards(vma, address + PAGE_SIZE);
52025 * We enter with non-exclusive mmap_sem (to exclude vma changes,
52026 * but allow concurrent faults), and pte mapped but not yet locked.
52027 * We return with mmap_sem still held, but pte unmapped and unlocked.
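Review bot: This hunk deletes check_stack_guard_page() and the next hunk removes its caller from do_anonymous_page(); the mm/mlock.c hunks likewise delete stack_guard_page() and its use in __mlock_vma_pages_range(), so the upstream stack guard page logic is gone from both the fault and the mlock paths. Whatever PaX substitutes for it lives outside the visible hunks (presumably in mm/mmap.c), so the replacement should be named in the patch description and in a short comment where the call used to be, e.g. `/* PaX: no guard page check here; the stack gap is enforced where the vma is expanded */`, adjusted to the actual mechanism. Without that pointer a reader bisecting a stack-gap regression has nowhere to start.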
52028 @@ -2833,27 +3007,23 @@ static int do_anonymous_page(struct mm_s
52029 unsigned long address, pte_t *page_table, pmd_t *pmd,
52030 unsigned int flags)
52032 - struct page *page;
52033 + struct page *page = NULL;
52037 - pte_unmap(page_table);
52039 - /* Check if we need to add a guard page to the stack */
52040 - if (check_stack_guard_page(vma, address) < 0)
52041 - return VM_FAULT_SIGBUS;
52043 - /* Use the zero-page for reads */
52044 if (!(flags & FAULT_FLAG_WRITE)) {
52045 entry = pte_mkspecial(pfn_pte(my_zero_pfn(address),
52046 vma->vm_page_prot));
52047 - page_table = pte_offset_map_lock(mm, pmd, address, &ptl);
52048 + ptl = pte_lockptr(mm, pmd);
52050 if (!pte_none(*page_table))
52055 /* Allocate our own private page. */
52056 + pte_unmap(page_table);
52058 if (unlikely(anon_vma_prepare(vma)))
52060 page = alloc_zeroed_user_highpage_movable(vma, address);
52061 @@ -2872,6 +3042,11 @@ static int do_anonymous_page(struct mm_s
52062 if (!pte_none(*page_table))
52065 +#ifdef CONFIG_PAX_SEGMEXEC
52066 + if (pax_find_mirror_vma(vma))
52067 + BUG_ON(!trylock_page(page));
52070 inc_mm_counter_fast(mm, MM_ANONPAGES);
52071 page_add_new_anon_rmap(page, vma, address);
52073 @@ -2879,6 +3054,12 @@ setpte:
52075 /* No need to invalidate - it was non-present before */
52076 update_mmu_cache(vma, address, page_table);
52078 +#ifdef CONFIG_PAX_SEGMEXEC
52080 + pax_mirror_anon_pte(vma, address, page, ptl);
52084 pte_unmap_unlock(page_table, ptl);
52086 @@ -3021,6 +3202,12 @@ static int __do_fault(struct mm_struct *
52088 /* Only go through if we didn't race with anybody else... */
52089 if (likely(pte_same(*page_table, orig_pte))) {
52091 +#ifdef CONFIG_PAX_SEGMEXEC
52092 + if (anon && pax_find_mirror_vma(vma))
52093 + BUG_ON(!trylock_page(page));
52096 flush_icache_page(vma, page);
52097 entry = mk_pte(page, vma->vm_page_prot);
52098 if (flags & FAULT_FLAG_WRITE)
52099 @@ -3040,6 +3227,14 @@ static int __do_fault(struct mm_struct *
52101 /* no need to invalidate: a not-present page won't be cached */
52102 update_mmu_cache(vma, address, page_table);
52104 +#ifdef CONFIG_PAX_SEGMEXEC
52106 + pax_mirror_anon_pte(vma, address, page, ptl);
52108 + pax_mirror_file_pte(vma, address, page, ptl);
52113 mem_cgroup_uncharge_page(page);
52114 @@ -3187,6 +3382,12 @@ static inline int handle_pte_fault(struc
52115 if (flags & FAULT_FLAG_WRITE)
52116 flush_tlb_page(vma, address);
52119 +#ifdef CONFIG_PAX_SEGMEXEC
52120 + pax_mirror_pte(vma, address, pte, pmd, ptl);
52125 pte_unmap_unlock(pte, ptl);
52127 @@ -3203,6 +3404,10 @@ int handle_mm_fault(struct mm_struct *mm
52131 +#ifdef CONFIG_PAX_SEGMEXEC
52132 + struct vm_area_struct *vma_m;
52135 __set_current_state(TASK_RUNNING);
52137 count_vm_event(PGFAULT);
52138 @@ -3213,6 +3418,34 @@ int handle_mm_fault(struct mm_struct *mm
52139 if (unlikely(is_vm_hugetlb_page(vma)))
52140 return hugetlb_fault(mm, vma, address, flags);
52142 +#ifdef CONFIG_PAX_SEGMEXEC
52143 + vma_m = pax_find_mirror_vma(vma);
52145 + unsigned long address_m;
52150 + if (vma->vm_start > vma_m->vm_start) {
52151 + address_m = address;
52152 + address -= SEGMEXEC_TASK_SIZE;
52155 + address_m = address + SEGMEXEC_TASK_SIZE;
52157 + pgd_m = pgd_offset(mm, address_m);
52158 + pud_m = pud_alloc(mm, pgd_m, address_m);
52160 + return VM_FAULT_OOM;
52161 + pmd_m = pmd_alloc(mm, pud_m, address_m);
52163 + return VM_FAULT_OOM;
52164 + if (!pmd_present(*pmd_m) && __pte_alloc(mm, pmd_m, address_m))
52165 + return VM_FAULT_OOM;
52166 + pax_unmap_mirror_pte(vma_m, address_m, pmd_m);
52170 pgd = pgd_offset(mm, address);
52171 pud = pud_alloc(mm, pgd, address);
52173 @@ -3310,7 +3543,7 @@ static int __init gate_vma_init(void)
52174 gate_vma.vm_start = FIXADDR_USER_START;
52175 gate_vma.vm_end = FIXADDR_USER_END;
52176 gate_vma.vm_flags = VM_READ | VM_MAYREAD | VM_EXEC | VM_MAYEXEC;
52177 - gate_vma.vm_page_prot = __P101;
52178 + gate_vma.vm_page_prot = vm_get_page_prot(gate_vma.vm_flags);
52180 * Make sure the vDSO gets into every core dump.
52181 * Dumping its contents makes post-mortem fully interpretable later
52182 diff -urNp linux-2.6.36.1/mm/memory-failure.c linux-2.6.36.1/mm/memory-failure.c
52183 --- linux-2.6.36.1/mm/memory-failure.c 2010-10-20 16:30:22.000000000 -0400
52184 +++ linux-2.6.36.1/mm/memory-failure.c 2010-11-06 18:58:15.000000000 -0400
52185 @@ -53,7 +53,7 @@ int sysctl_memory_failure_early_kill __r
52187 int sysctl_memory_failure_recovery __read_mostly = 1;
52189 -atomic_long_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52190 +atomic_long_unchecked_t mce_bad_pages __read_mostly = ATOMIC_LONG_INIT(0);
52192 #if defined(CONFIG_HWPOISON_INJECT) || defined(CONFIG_HWPOISON_INJECT_MODULE)
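Review bot: `atomic_long_unchecked_t` opts mce_bad_pages out of the overflow checking the patch applies to atomic types elsewhere, and the remaining hunks in this file switch every atomic_long_add/sub on it to the _unchecked variants, but nothing states why this counter is safe to exclude. Add a comment at the definition, e.g. `/* statistics only, never used as a reference count: overflow checking is not needed */`, so that anyone later reusing mce_bad_pages for a decision keeps the distinction in mind.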
52194 @@ -975,7 +975,7 @@ int __memory_failure(unsigned long pfn,
52197 nr_pages = 1 << compound_order(hpage);
52198 - atomic_long_add(nr_pages, &mce_bad_pages);
52199 + atomic_long_add_unchecked(nr_pages, &mce_bad_pages);
52202 * We need/can do nothing about count=0 pages.
52203 @@ -1039,7 +1039,7 @@ int __memory_failure(unsigned long pfn,
52205 if (hwpoison_filter(p)) {
52206 if (TestClearPageHWPoison(p))
52207 - atomic_long_sub(nr_pages, &mce_bad_pages);
52208 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52209 unlock_page(hpage);
52212 @@ -1155,7 +1155,7 @@ int unpoison_memory(unsigned long pfn)
52214 if (!get_page_unless_zero(page)) {
52215 if (TestClearPageHWPoison(p))
52216 - atomic_long_sub(nr_pages, &mce_bad_pages);
52217 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52218 pr_debug("MCE: Software-unpoisoned free page %#lx\n", pfn);
52221 @@ -1169,7 +1169,7 @@ int unpoison_memory(unsigned long pfn)
52223 if (TestClearPageHWPoison(page)) {
52224 pr_debug("MCE: Software-unpoisoned page %#lx\n", pfn);
52225 - atomic_long_sub(nr_pages, &mce_bad_pages);
52226 + atomic_long_sub_unchecked(nr_pages, &mce_bad_pages);
52230 @@ -1352,7 +1352,7 @@ int soft_offline_page(struct page *page,
52234 - atomic_long_add(1, &mce_bad_pages);
52235 + atomic_long_add_unchecked(1, &mce_bad_pages);
52236 SetPageHWPoison(page);
52237 /* keep elevated page count for bad page */
52239 diff -urNp linux-2.6.36.1/mm/mempolicy.c linux-2.6.36.1/mm/mempolicy.c
52240 --- linux-2.6.36.1/mm/mempolicy.c 2010-10-20 16:30:22.000000000 -0400
52241 +++ linux-2.6.36.1/mm/mempolicy.c 2010-11-06 19:43:34.000000000 -0400
52242 @@ -642,6 +642,10 @@ static int mbind_range(struct mm_struct
52243 unsigned long vmstart;
52244 unsigned long vmend;
52246 +#ifdef CONFIG_PAX_SEGMEXEC
52247 + struct vm_area_struct *vma_m;
52250 vma = find_vma_prev(mm, start, &prev);
52251 if (!vma || vma->vm_start > start)
52253 @@ -672,6 +676,16 @@ static int mbind_range(struct mm_struct
52254 err = policy_vma(vma, new_pol);
52258 +#ifdef CONFIG_PAX_SEGMEXEC
52259 + vma_m = pax_find_mirror_vma(vma);
52261 + err = policy_vma(vma_m, new_pol);
52270 @@ -1098,6 +1112,17 @@ static long do_mbind(unsigned long start
52275 +#ifdef CONFIG_PAX_SEGMEXEC
52276 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
52277 + if (end > SEGMEXEC_TASK_SIZE)
52282 + if (end > TASK_SIZE)
52288 @@ -1312,6 +1337,14 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
52292 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52293 + if (mm != current->mm &&
52294 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
52301 * Check if this process has the right to modify the specified
52302 * process. The right exists if the process has administrative
52303 @@ -1321,8 +1354,7 @@ SYSCALL_DEFINE4(migrate_pages, pid_t, pi
52305 tcred = __task_cred(task);
52306 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
52307 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
52308 - !capable(CAP_SYS_NICE)) {
52309 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
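Review bot: Dropping `cred->uid != tcred->uid` from the permission test in migrate_pages() (and identically in move_pages() in mm/migrate.c) tightens the check so that matching real uids alone no longer grant access; a caller whose euid matches neither the target's uid nor its suid is now refused even when the real uids match. That is a deliberate deviation from the rule the comment above still describes, so update the comment to state the new rule, e.g. ` * capabilities, or if its effective uid matches the target's real or saved uid, or its real uid matches the target's saved uid.`, and record the rationale for excluding the real-uid match in the patch description. The comment block and the function continue outside the hunk.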
52313 @@ -2620,7 +2652,7 @@ int show_numa_map(struct seq_file *m, vo
52316 seq_printf(m, " file=");
52317 - seq_path(m, &file->f_path, "\n\t= ");
52318 + seq_path(m, &file->f_path, "\n\t\\= ");
52319 } else if (vma->vm_start <= mm->brk && vma->vm_end >= mm->start_brk) {
52320 seq_printf(m, " heap");
52321 } else if (vma->vm_start <= mm->start_stack &&
52322 diff -urNp linux-2.6.36.1/mm/migrate.c linux-2.6.36.1/mm/migrate.c
52323 --- linux-2.6.36.1/mm/migrate.c 2010-10-20 16:30:22.000000000 -0400
52324 +++ linux-2.6.36.1/mm/migrate.c 2010-11-06 18:58:50.000000000 -0400
52325 @@ -1098,6 +1098,14 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
52329 +#ifdef CONFIG_GRKERNSEC_PROC_MEMMAP
52330 + if (mm != current->mm &&
52331 + (mm->pax_flags & MF_PAX_RANDMMAP || mm->pax_flags & MF_PAX_SEGMEXEC)) {
52338 * Check if this process has the right to modify the specified
52339 * process. The right exists if the process has administrative
52340 @@ -1107,8 +1115,7 @@ SYSCALL_DEFINE6(move_pages, pid_t, pid,
52342 tcred = __task_cred(task);
52343 if (cred->euid != tcred->suid && cred->euid != tcred->uid &&
52344 - cred->uid != tcred->suid && cred->uid != tcred->uid &&
52345 - !capable(CAP_SYS_NICE)) {
52346 + cred->uid != tcred->suid && !capable(CAP_SYS_NICE)) {
52350 diff -urNp linux-2.6.36.1/mm/mlock.c linux-2.6.36.1/mm/mlock.c
52351 --- linux-2.6.36.1/mm/mlock.c 2010-10-20 16:30:22.000000000 -0400
52352 +++ linux-2.6.36.1/mm/mlock.c 2010-11-06 18:58:50.000000000 -0400
52354 #include <linux/pagemap.h>
52355 #include <linux/mempolicy.h>
52356 #include <linux/syscalls.h>
52357 +#include <linux/security.h>
52358 #include <linux/sched.h>
52359 #include <linux/module.h>
52360 #include <linux/rmap.h>
52361 @@ -135,13 +136,6 @@ void munlock_vma_page(struct page *page)
52365 -static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr)
52367 - return (vma->vm_flags & VM_GROWSDOWN) &&
52368 - (vma->vm_start == addr) &&
52369 - !vma_stack_continue(vma->vm_prev, addr);
52373 * __mlock_vma_pages_range() - mlock a range of pages in the vma.
52375 @@ -174,12 +168,6 @@ static long __mlock_vma_pages_range(stru
52376 if (vma->vm_flags & VM_WRITE)
52377 gup_flags |= FOLL_WRITE;
52379 - /* We don't try to access the guard page of a stack vma */
52380 - if (stack_guard_page(vma, start)) {
52381 - addr += PAGE_SIZE;
52385 while (nr_pages > 0) {
52388 @@ -445,6 +433,9 @@ static int do_mlock(unsigned long start,
52392 + if (end > TASK_SIZE)
52395 vma = find_vma_prev(current->mm, start, &prev);
52396 if (!vma || vma->vm_start > start)
52398 @@ -455,6 +446,11 @@ static int do_mlock(unsigned long start,
52399 for (nstart = start ; ; ) {
52400 unsigned int newflags;
52402 +#ifdef CONFIG_PAX_SEGMEXEC
52403 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
52407 /* Here we know that vma->vm_start <= nstart < vma->vm_end. */
52409 newflags = vma->vm_flags | VM_LOCKED;
52410 @@ -504,6 +500,7 @@ SYSCALL_DEFINE2(mlock, unsigned long, st
52411 lock_limit >>= PAGE_SHIFT;
52413 /* check against resource limits */
52414 + gr_learn_resource(current, RLIMIT_MEMLOCK, (current->mm->locked_vm << PAGE_SHIFT) + len, 1);
52415 if ((locked <= lock_limit) || capable(CAP_IPC_LOCK))
52416 error = do_mlock(start, len, 1);
52417 up_write(¤t->mm->mmap_sem);
52418 @@ -525,17 +522,23 @@ SYSCALL_DEFINE2(munlock, unsigned long,
52419 static int do_mlockall(int flags)
52421 struct vm_area_struct * vma, * prev = NULL;
52422 - unsigned int def_flags = 0;
52424 if (flags & MCL_FUTURE)
52425 - def_flags = VM_LOCKED;
52426 - current->mm->def_flags = def_flags;
52427 + current->mm->def_flags |= VM_LOCKED;
52429 + current->mm->def_flags &= ~VM_LOCKED;
52430 if (flags == MCL_FUTURE)
52433 for (vma = current->mm->mmap; vma ; vma = prev->vm_next) {
52434 - unsigned int newflags;
52435 + unsigned long newflags;
52437 +#ifdef CONFIG_PAX_SEGMEXEC
52438 + if ((current->mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE))
52442 + BUG_ON(vma->vm_end > TASK_SIZE);
52443 newflags = vma->vm_flags | VM_LOCKED;
52444 if (!(flags & MCL_CURRENT))
52445 newflags &= ~VM_LOCKED;
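Review bot: `BUG_ON(vma->vm_end > TASK_SIZE)` in the do_mlockall() loop turns a violated address-space invariant into a kernel crash reachable from the mlockall() syscall; the loop already steps over mirror vmas at or above SEGMEXEC_TASK_SIZE just before it (the skip statement itself is not visible in this excerpt), so a `VM_BUG_ON`, or a `WARN_ON_ONCE` followed by `return -EINVAL;`, keeps the check without making a broken invariant a way to take the machine down. The switch from `current->mm->def_flags = def_flags` to `|= VM_LOCKED` / `&= ~VM_LOCKED` is a genuine fix, since the old assignment cleared every other def_flags bit, and deserves a one-line comment at the site: `/* only touch VM_LOCKED; other def_flags bits must survive mlockall() */`. do_mlockall() continues outside the hunk.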
52446 @@ -567,6 +570,7 @@ SYSCALL_DEFINE1(mlockall, int, flags)
52447 lock_limit >>= PAGE_SHIFT;
52450 + gr_learn_resource(current, RLIMIT_MEMLOCK, current->mm->total_vm << PAGE_SHIFT, 1);
52451 if (!(flags & MCL_CURRENT) || (current->mm->total_vm <= lock_limit) ||
52452 capable(CAP_IPC_LOCK))
52453 ret = do_mlockall(flags);
52454 diff -urNp linux-2.6.36.1/mm/mmap.c linux-2.6.36.1/mm/mmap.c
52455 --- linux-2.6.36.1/mm/mmap.c 2010-10-20 16:30:22.000000000 -0400
52456 +++ linux-2.6.36.1/mm/mmap.c 2010-11-11 18:21:08.000000000 -0500
52458 #define arch_rebalance_pgtables(addr, len) (addr)
52461 +static inline void verify_mm_writelocked(struct mm_struct *mm)
52463 +#if defined(CONFIG_DEBUG_VM) || defined(CONFIG_PAX)
52464 + if (unlikely(down_read_trylock(&mm->mmap_sem))) {
52465 + up_read(&mm->mmap_sem);
52471 static void unmap_region(struct mm_struct *mm,
52472 struct vm_area_struct *vma, struct vm_area_struct *prev,
52473 unsigned long start, unsigned long end);
52474 @@ -69,22 +79,32 @@ static void unmap_region(struct mm_struc
52475 * x: (no) no x: (no) yes x: (no) yes x: (yes) yes
52478 -pgprot_t protection_map[16] = {
52479 +pgprot_t protection_map[16] __read_only = {
52480 __P000, __P001, __P010, __P011, __P100, __P101, __P110, __P111,
52481 __S000, __S001, __S010, __S011, __S100, __S101, __S110, __S111
52484 pgprot_t vm_get_page_prot(unsigned long vm_flags)
52486 - return __pgprot(pgprot_val(protection_map[vm_flags &
52487 + pgprot_t prot = __pgprot(pgprot_val(protection_map[vm_flags &
52488 (VM_READ|VM_WRITE|VM_EXEC|VM_SHARED)]) |
52489 pgprot_val(arch_vm_get_page_prot(vm_flags)));
52491 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
52492 + if (!(__supported_pte_mask & _PAGE_NX) &&
52493 + (vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC &&
52494 + (vm_flags & (VM_READ | VM_WRITE)))
52495 + prot = __pgprot(pte_val(pte_exprotect(__pte(pgprot_val(prot)))));
52500 EXPORT_SYMBOL(vm_get_page_prot);
52502 int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */
52503 int sysctl_overcommit_ratio = 50; /* default is 50% */
52504 int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT;
52505 +unsigned long sysctl_heap_stack_gap __read_mostly = 64*1024;
52506 struct percpu_counter vm_committed_as;
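Review bot: `sysctl_heap_stack_gap` is introduced without a comment, and its meaning and units are only discoverable from check_heap_stack_gap() and expand_upwards()/expand_downwards() further down, which compare it against raw address differences; suggest `/* minimum distance, in bytes, kept free between a growing stack vma and its neighbour; see check_heap_stack_gap() */` above the definition. Its name and `__read_mostly` (rather than `__read_only`, as used on protection_map in the same hunk) suggest it is presumably writable at runtime; wherever the sysctl is registered (not in this hunk) the value should be bounded, because 0 disables the guard entirely and a value approaching the address-space size would make every stack expansion fail.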
52509 @@ -230,6 +250,7 @@ static struct vm_area_struct *remove_vma
52510 struct vm_area_struct *next = vma->vm_next;
52513 + BUG_ON(vma->vm_mirror);
52514 if (vma->vm_ops && vma->vm_ops->close)
52515 vma->vm_ops->close(vma);
52516 if (vma->vm_file) {
52517 @@ -266,6 +287,7 @@ SYSCALL_DEFINE1(brk, unsigned long, brk)
52518 * not page aligned -Ram Gupta
52520 rlim = rlimit(RLIMIT_DATA);
52521 + gr_learn_resource(current, RLIMIT_DATA, (brk - mm->start_brk) + (mm->end_data - mm->start_data), 1);
52522 if (rlim < RLIM_INFINITY && (brk - mm->start_brk) +
52523 (mm->end_data - mm->start_data) > rlim)
52525 @@ -707,6 +729,12 @@ static int
52526 can_vma_merge_before(struct vm_area_struct *vma, unsigned long vm_flags,
52527 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
52530 +#ifdef CONFIG_PAX_SEGMEXEC
52531 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_start == SEGMEXEC_TASK_SIZE)
52535 if (is_mergeable_vma(vma, file, vm_flags) &&
52536 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
52537 if (vma->vm_pgoff == vm_pgoff)
52538 @@ -726,6 +754,12 @@ static int
52539 can_vma_merge_after(struct vm_area_struct *vma, unsigned long vm_flags,
52540 struct anon_vma *anon_vma, struct file *file, pgoff_t vm_pgoff)
52543 +#ifdef CONFIG_PAX_SEGMEXEC
52544 + if ((vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) && vma->vm_end == SEGMEXEC_TASK_SIZE)
52548 if (is_mergeable_vma(vma, file, vm_flags) &&
52549 is_mergeable_anon_vma(anon_vma, vma->anon_vma)) {
52551 @@ -768,13 +802,20 @@ can_vma_merge_after(struct vm_area_struc
52552 struct vm_area_struct *vma_merge(struct mm_struct *mm,
52553 struct vm_area_struct *prev, unsigned long addr,
52554 unsigned long end, unsigned long vm_flags,
52555 - struct anon_vma *anon_vma, struct file *file,
52556 + struct anon_vma *anon_vma, struct file *file,
52557 pgoff_t pgoff, struct mempolicy *policy)
52559 pgoff_t pglen = (end - addr) >> PAGE_SHIFT;
52560 struct vm_area_struct *area, *next;
52563 +#ifdef CONFIG_PAX_SEGMEXEC
52564 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE, end_m = end + SEGMEXEC_TASK_SIZE;
52565 + struct vm_area_struct *area_m = NULL, *next_m = NULL, *prev_m = NULL;
52567 + BUG_ON((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE < end);
52571 * We later require that vma->vm_flags == vm_flags,
52572 * so this tests vma->vm_flags & VM_SPECIAL, too.
52573 @@ -790,6 +831,15 @@ struct vm_area_struct *vma_merge(struct
52574 if (next && next->vm_end == end) /* cases 6, 7, 8 */
52575 next = next->vm_next;
52577 +#ifdef CONFIG_PAX_SEGMEXEC
52579 + prev_m = pax_find_mirror_vma(prev);
52581 + area_m = pax_find_mirror_vma(area);
52583 + next_m = pax_find_mirror_vma(next);
52587 * Can it merge with the predecessor?
52589 @@ -809,9 +859,24 @@ struct vm_area_struct *vma_merge(struct
52591 err = vma_adjust(prev, prev->vm_start,
52592 next->vm_end, prev->vm_pgoff, NULL);
52593 - } else /* cases 2, 5, 7 */
52595 +#ifdef CONFIG_PAX_SEGMEXEC
52596 + if (!err && prev_m)
52597 + err = vma_adjust(prev_m, prev_m->vm_start,
52598 + next_m->vm_end, prev_m->vm_pgoff, NULL);
52601 + } else { /* cases 2, 5, 7 */
52602 err = vma_adjust(prev, prev->vm_start,
52603 end, prev->vm_pgoff, NULL);
52605 +#ifdef CONFIG_PAX_SEGMEXEC
52606 + if (!err && prev_m)
52607 + err = vma_adjust(prev_m, prev_m->vm_start,
52608 + end_m, prev_m->vm_pgoff, NULL);
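Review bot: In the mirrored case-1/6 branch, `next_m->vm_end` is dereferenced whenever `prev_m` is non-NULL (`if (!err && prev_m) err = vma_adjust(prev_m, prev_m->vm_start, next_m->vm_end, ...)`), relying on next having a mirror whenever prev does; that holds only if the merge preconditions guarantee prev and next agree on VM_EXEC, which nothing in this hunk checks. Making the invariant explicit costs one line: `if (!err && prev_m) { BUG_ON(!next_m); err = vma_adjust(prev_m, ...); }`. The cases-3/8 branch in the following hunk (`area_m` paired with `next_m->vm_end`) has the same shape and would take the same `BUG_ON(!next_m)`. vma_merge() begins and ends outside these hunks.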
52615 @@ -824,12 +889,27 @@ struct vm_area_struct *vma_merge(struct
52616 mpol_equal(policy, vma_policy(next)) &&
52617 can_vma_merge_before(next, vm_flags,
52618 anon_vma, file, pgoff+pglen)) {
52619 - if (prev && addr < prev->vm_end) /* case 4 */
52620 + if (prev && addr < prev->vm_end) { /* case 4 */
52621 err = vma_adjust(prev, prev->vm_start,
52622 addr, prev->vm_pgoff, NULL);
52623 - else /* cases 3, 8 */
52625 +#ifdef CONFIG_PAX_SEGMEXEC
52626 + if (!err && prev_m)
52627 + err = vma_adjust(prev_m, prev_m->vm_start,
52628 + addr_m, prev_m->vm_pgoff, NULL);
52631 + } else { /* cases 3, 8 */
52632 err = vma_adjust(area, addr, next->vm_end,
52633 next->vm_pgoff - pglen, NULL);
52635 +#ifdef CONFIG_PAX_SEGMEXEC
52636 + if (!err && area_m)
52637 + err = vma_adjust(area_m, addr_m, next_m->vm_end,
52638 + next_m->vm_pgoff - pglen, NULL);
52645 @@ -944,14 +1024,11 @@ none:
52646 void vm_stat_account(struct mm_struct *mm, unsigned long flags,
52647 struct file *file, long pages)
52649 - const unsigned long stack_flags
52650 - = VM_STACK_FLAGS & (VM_GROWSUP|VM_GROWSDOWN);
52653 mm->shared_vm += pages;
52654 if ((flags & (VM_EXEC|VM_WRITE)) == VM_EXEC)
52655 mm->exec_vm += pages;
52656 - } else if (flags & stack_flags)
52657 + } else if (flags & (VM_GROWSUP|VM_GROWSDOWN))
52658 mm->stack_vm += pages;
52659 if (flags & (VM_RESERVED|VM_IO))
52660 mm->reserved_vm += pages;
52661 @@ -978,7 +1055,7 @@ unsigned long do_mmap_pgoff(struct file
52662 * (the exception is when the underlying filesystem is noexec
52663 * mounted, in which case we dont add PROT_EXEC.)
52665 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
52666 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
52667 if (!(file && (file->f_path.mnt->mnt_flags & MNT_NOEXEC)))
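Review bot: The condition now applies READ_IMPLIES_EXEC to mappings requesting `PROT_WRITE` as well as `PROT_READ`, but the comment immediately above, which starts outside the hunk and still describes PROT_READ implying PROT_EXEC, is left as is; suggest extending it with `PROT_WRITE mappings receive the implied PROT_EXEC as well.` so the comment matches the test it documents.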
52670 @@ -1004,7 +1081,7 @@ unsigned long do_mmap_pgoff(struct file
52671 /* Obtain the address to map to. we verify (or select) it and ensure
52672 * that it represents a valid section of the address space.
52674 - addr = get_unmapped_area(file, addr, len, pgoff, flags);
52675 + addr = get_unmapped_area(file, addr, len, pgoff, flags | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));
52676 if (addr & ~PAGE_MASK)
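Review bot: Folding `MAP_EXECUTABLE` into the flags handed to get_unmapped_area() reuses a bit that userspace can already set in its own mmap() flags, so a consumer of that bit inside get_unmapped_area() (not visible here) cannot distinguish "PROT_EXEC was requested" from "the caller passed MAP_EXECUTABLE without PROT_EXEC". If the bit influences placement, clearing it first makes the signal unambiguous: `addr = get_unmapped_area(file, addr, len, pgoff, (flags & ~MAP_EXECUTABLE) | ((prot & PROT_EXEC) ? MAP_EXECUTABLE : 0));`. A short comment naming what the callee does with MAP_EXECUTABLE would also help the next reader, since the line otherwise looks like an accidental flag leak.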
52679 @@ -1015,6 +1092,31 @@ unsigned long do_mmap_pgoff(struct file
52680 vm_flags = calc_vm_prot_bits(prot) | calc_vm_flag_bits(flags) |
52681 mm->def_flags | VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC;
52683 +#ifdef CONFIG_PAX_MPROTECT
52684 + if (mm->pax_flags & MF_PAX_MPROTECT) {
52685 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC)) {
52686 + gr_log_rwxmmap(file);
52688 +#ifdef CONFIG_PAX_EMUPLT
52689 + vm_flags &= ~VM_EXEC;
52696 + if (!(vm_flags & VM_EXEC))
52697 + vm_flags &= ~VM_MAYEXEC;
52699 + vm_flags &= ~VM_MAYWRITE;
52703 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
52704 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && file)
52705 + vm_flags &= ~VM_PAGEEXEC;
52708 if (flags & MAP_LOCKED)
52709 if (!can_do_mlock())
52711 @@ -1026,6 +1128,7 @@ unsigned long do_mmap_pgoff(struct file
52712 locked += mm->locked_vm;
52713 lock_limit = rlimit(RLIMIT_MEMLOCK);
52714 lock_limit >>= PAGE_SHIFT;
52715 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
52716 if (locked > lock_limit && !capable(CAP_IPC_LOCK))
52719 @@ -1096,6 +1199,9 @@ unsigned long do_mmap_pgoff(struct file
52723 + if (!gr_acl_handle_mmap(file, prot))
52726 return mmap_region(file, addr, len, flags, vm_flags, pgoff);
52728 EXPORT_SYMBOL(do_mmap_pgoff);
52729 @@ -1172,10 +1278,10 @@ SYSCALL_DEFINE1(old_mmap, struct mmap_ar
52731 int vma_wants_writenotify(struct vm_area_struct *vma)
52733 - unsigned int vm_flags = vma->vm_flags;
52734 + unsigned long vm_flags = vma->vm_flags;
52736 /* If it was private or non-writable, the write bit is already clear */
52737 - if ((vm_flags & (VM_WRITE|VM_SHARED)) != ((VM_WRITE|VM_SHARED)))
52738 + if ((vm_flags & (VM_WRITE|VM_SHARED)) != (VM_WRITE|VM_SHARED))
52741 /* The backer wishes to know when pages are first written to? */
52742 @@ -1224,14 +1330,24 @@ unsigned long mmap_region(struct file *f
52743 unsigned long charged = 0;
52744 struct inode *inode = file ? file->f_path.dentry->d_inode : NULL;
52746 +#ifdef CONFIG_PAX_SEGMEXEC
52747 + struct vm_area_struct *vma_m = NULL;
52751 + * mm->mmap_sem is required to protect against another thread
52752 + * changing the mappings in case we sleep.
52754 + verify_mm_writelocked(mm);
52756 /* Clear old maps */
52759 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52760 if (vma && vma->vm_start < addr + len) {
52761 if (do_munmap(mm, addr, len))
52763 - goto munmap_back;
52764 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
52765 + BUG_ON(vma && vma->vm_start < addr + len);
52768 /* Check against address space limit. */
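Review bot: The retry loop (`goto munmap_back`) is replaced by a second find_vma_prepare() and `BUG_ON(vma && vma->vm_start < addr + len)`, so a do_munmap() that returns 0 but leaves something in the range now crashes the kernel from mmap() instead of retrying; `if (vma && vma->vm_start < addr + len) return -ENOMEM;` preceded by a `WARN_ON_ONCE` keeps the invariant visible without the crash. The same pattern is introduced in the do_brk() hunk further down (`vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);` followed by the same `BUG_ON`). The newly added `verify_mm_writelocked(mm)` call and its comment are a good addition, since both the munmap and the re-lookup depend on the write lock. mmap_region() continues outside the hunk.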
52769 @@ -1280,6 +1396,16 @@ munmap_back:
52773 +#ifdef CONFIG_PAX_SEGMEXEC
52774 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vm_flags & VM_EXEC)) {
52775 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
52784 vma->vm_start = addr;
52785 vma->vm_end = addr + len;
52786 @@ -1303,6 +1429,19 @@ munmap_back:
52787 error = file->f_op->mmap(file, vma);
52789 goto unmap_and_free_vma;
52791 +#ifdef CONFIG_PAX_SEGMEXEC
52792 + if (vma_m && (vm_flags & VM_EXECUTABLE))
52793 + added_exe_file_vma(mm);
52796 +#if defined(CONFIG_PAX_PAGEEXEC) && defined(CONFIG_X86_32)
52797 + if ((mm->pax_flags & MF_PAX_PAGEEXEC) && !(vma->vm_flags & VM_SPECIAL)) {
52798 + vma->vm_flags |= VM_PAGEEXEC;
52799 + vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
52803 if (vm_flags & VM_EXECUTABLE)
52804 added_exe_file_vma(mm);
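Review bot: The PAGEEXEC block rewrites `vma->vm_page_prot` after `file->f_op->mmap(file, vma)` has already run, so a driver that set its own page protection in ->mmap without also setting one of the VM_SPECIAL flags would have that protection replaced by `vm_get_page_prot(vma->vm_flags)`; whether any such driver exists cannot be judged from this hunk, but the assumption should be stated at the site: `/* ->mmap callbacks that need a custom vm_page_prot are expected to mark the vma VM_SPECIAL and are therefore skipped here */`. mmap_region() continues outside the hunk.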
52806 @@ -1338,6 +1477,11 @@ munmap_back:
52807 vma_link(mm, vma, prev, rb_link, rb_parent);
52808 file = vma->vm_file;
52810 +#ifdef CONFIG_PAX_SEGMEXEC
52812 + BUG_ON(pax_mirror_vma(vma_m, vma));
52815 /* Once vma denies write, undo our temporary denial count */
52816 if (correct_wcount)
52817 atomic_inc(&inode->i_writecount);
52818 @@ -1346,6 +1490,7 @@ out:
52820 mm->total_vm += len >> PAGE_SHIFT;
52821 vm_stat_account(mm, vm_flags, file, len >> PAGE_SHIFT);
52822 + track_exec_limit(mm, addr, addr + len, vm_flags);
52823 if (vm_flags & VM_LOCKED) {
52824 if (!mlock_vma_pages_range(vma, addr, addr + len))
52825 mm->locked_vm += (len >> PAGE_SHIFT);
52826 @@ -1363,6 +1508,12 @@ unmap_and_free_vma:
52827 unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
52831 +#ifdef CONFIG_PAX_SEGMEXEC
52833 + kmem_cache_free(vm_area_cachep, vma_m);
52836 kmem_cache_free(vm_area_cachep, vma);
52839 @@ -1370,6 +1521,33 @@ unacct_error:
52843 +bool check_heap_stack_gap(struct vm_area_struct *vma, unsigned long addr, unsigned long len)
52846 +#ifdef CONFIG_STACK_GROWSUP
52847 + if (addr > sysctl_heap_stack_gap)
52848 + vma = find_vma(current->mm, addr - sysctl_heap_stack_gap);
52850 + vma = find_vma(current->mm, 0);
52851 + if (vma && (vma->vm_flags & VM_GROWSUP))
52857 + if (addr + len > vma->vm_start)
52860 + if (vma->vm_flags & VM_GROWSDOWN)
52861 + return sysctl_heap_stack_gap <= vma->vm_start - addr - len;
52862 +#ifdef CONFIG_STACK_GROWSUP
52863 + else if (vma->vm_prev && (vma->vm_prev->vm_flags & VM_GROWSUP))
52864 + return addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap;
52870 /* Get an address range which is currently unmapped.
52871 * For shmat() with addr=0.
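Review bot: The CONFIG_STACK_GROWSUP branch of check_heap_stack_gap() has its comparison the wrong way round: the VM_GROWSDOWN branch returns true when the free distance is at least the gap (`sysctl_heap_stack_gap <= vma->vm_start - addr - len`), while the VM_GROWSUP branch returns true when the distance is at most the gap (`addr - vma->vm_prev->vm_end <= sysctl_heap_stack_gap`), i.e. it accepts exactly the placements it is meant to reject. It should read `return sysctl_heap_stack_gap <= addr - vma->vm_prev->vm_end;`. The function is also a new non-static entry point with no comment; suggest a kernel-doc header stating that it returns true when `[addr, addr + len)` is unmapped and at least sysctl_heap_stack_gap bytes away from an adjacent growable stack vma, that `vma` is the find_vma() result for `addr`, and that the caller must hold mmap_sem. Several statements of the body, including the `!vma` case and the return values of the early checks, are not visible in this excerpt.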
52873 @@ -1396,18 +1574,23 @@ arch_get_unmapped_area(struct file *filp
52874 if (flags & MAP_FIXED)
52877 +#ifdef CONFIG_PAX_RANDMMAP
52878 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
52882 addr = PAGE_ALIGN(addr);
52883 - vma = find_vma(mm, addr);
52884 - if (TASK_SIZE - len >= addr &&
52885 - (!vma || addr + len <= vma->vm_start))
52887 + if (TASK_SIZE - len >= addr) {
52888 + vma = find_vma(mm, addr);
52889 + if (check_heap_stack_gap(vma, addr, len))
52893 if (len > mm->cached_hole_size) {
52894 - start_addr = addr = mm->free_area_cache;
52895 + start_addr = addr = mm->free_area_cache;
52897 - start_addr = addr = TASK_UNMAPPED_BASE;
52898 - mm->cached_hole_size = 0;
52899 + start_addr = addr = mm->mmap_base;
52900 + mm->cached_hole_size = 0;
52904 @@ -1418,34 +1601,40 @@ full_search:
52905 * Start a new search - just in case we missed
52908 - if (start_addr != TASK_UNMAPPED_BASE) {
52909 - addr = TASK_UNMAPPED_BASE;
52910 - start_addr = addr;
52911 + if (start_addr != mm->mmap_base) {
52912 + start_addr = addr = mm->mmap_base;
52913 mm->cached_hole_size = 0;
52918 - if (!vma || addr + len <= vma->vm_start) {
52920 - * Remember the place where we stopped the search:
52922 - mm->free_area_cache = addr + len;
52925 + if (check_heap_stack_gap(vma, addr, len))
52927 if (addr + mm->cached_hole_size < vma->vm_start)
52928 mm->cached_hole_size = vma->vm_start - addr;
52929 addr = vma->vm_end;
52933 + * Remember the place where we stopped the search:
52935 + mm->free_area_cache = addr + len;
52940 void arch_unmap_area(struct mm_struct *mm, unsigned long addr)
52943 +#ifdef CONFIG_PAX_SEGMEXEC
52944 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
52949 * Is this a new hole at the lowest possible address?
52951 - if (addr >= TASK_UNMAPPED_BASE && addr < mm->free_area_cache) {
52952 + if (addr >= mm->mmap_base && addr < mm->free_area_cache) {
52953 mm->free_area_cache = addr;
52954 mm->cached_hole_size = ~0UL;
52956 @@ -1463,7 +1652,7 @@ arch_get_unmapped_area_topdown(struct fi
52958 struct vm_area_struct *vma;
52959 struct mm_struct *mm = current->mm;
52960 - unsigned long addr = addr0;
52961 + unsigned long base = mm->mmap_base, addr = addr0;
52963 /* requested length too big for entire address space */
52964 if (len > TASK_SIZE)
52965 @@ -1472,13 +1661,18 @@ arch_get_unmapped_area_topdown(struct fi
52966 if (flags & MAP_FIXED)
52969 +#ifdef CONFIG_PAX_RANDMMAP
52970 + if (!(mm->pax_flags & MF_PAX_RANDMMAP))
52973 /* requesting a specific address */
52975 addr = PAGE_ALIGN(addr);
52976 - vma = find_vma(mm, addr);
52977 - if (TASK_SIZE - len >= addr &&
52978 - (!vma || addr + len <= vma->vm_start))
52980 + if (TASK_SIZE - len >= addr) {
52981 + vma = find_vma(mm, addr);
52982 + if (check_heap_stack_gap(vma, addr, len))
52987 /* check if free_area_cache is useful for us */
52988 @@ -1493,7 +1687,7 @@ arch_get_unmapped_area_topdown(struct fi
52989 /* make sure it can fit in the remaining address space */
52991 vma = find_vma(mm, addr-len);
52992 - if (!vma || addr <= vma->vm_start)
52993 + if (check_heap_stack_gap(vma, addr - len, len))
52994 /* remember the address as a hint for next time */
52995 return (mm->free_area_cache = addr-len);
52997 @@ -1510,7 +1704,7 @@ arch_get_unmapped_area_topdown(struct fi
52998 * return with success:
53000 vma = find_vma(mm, addr);
53001 - if (!vma || addr+len <= vma->vm_start)
53002 + if (check_heap_stack_gap(vma, addr, len))
53003 /* remember the address as a hint for next time */
53004 return (mm->free_area_cache = addr);
53006 @@ -1529,13 +1723,21 @@ bottomup:
53007 * can happen with large stack limits and large mmap()
53010 + mm->mmap_base = TASK_UNMAPPED_BASE;
53012 +#ifdef CONFIG_PAX_RANDMMAP
53013 + if (mm->pax_flags & MF_PAX_RANDMMAP)
53014 + mm->mmap_base += mm->delta_mmap;
53017 + mm->free_area_cache = mm->mmap_base;
53018 mm->cached_hole_size = ~0UL;
53019 - mm->free_area_cache = TASK_UNMAPPED_BASE;
53020 addr = arch_get_unmapped_area(filp, addr0, len, pgoff, flags);
53022 * Restore the topdown base:
53024 - mm->free_area_cache = mm->mmap_base;
53025 + mm->mmap_base = base;
53026 + mm->free_area_cache = base;
53027 mm->cached_hole_size = ~0UL;
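Review bot: The bottom-up fallback now rewrites `mm->mmap_base` (to TASK_UNMAPPED_BASE plus the randomisation delta) for the duration of the arch_get_unmapped_area() call and restores `base` afterwards, so any reader of mm->mmap_base that does not take mmap_sem can observe the temporary value; presumably the swap is needed because arch_get_unmapped_area() in the earlier hunk now starts its search at mm->mmap_base instead of TASK_UNMAPPED_BASE, and that reason belongs at the site: `/* arch_get_unmapped_area() searches up from mm->mmap_base; point it at the bottom-up base for this call only (mmap_sem held for write by our callers) */`. Whether every caller holds mmap_sem for write cannot be confirmed from this hunk.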
53030 @@ -1544,6 +1746,12 @@ bottomup:
53032 void arch_unmap_area_topdown(struct mm_struct *mm, unsigned long addr)
53035 +#ifdef CONFIG_PAX_SEGMEXEC
53036 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && SEGMEXEC_TASK_SIZE <= addr)
53041 * Is this a new hole at the highest possible address?
53043 @@ -1551,8 +1759,10 @@ void arch_unmap_area_topdown(struct mm_s
53044 mm->free_area_cache = addr;
53046 /* dont allow allocations above current base */
53047 - if (mm->free_area_cache > mm->mmap_base)
53048 + if (mm->free_area_cache > mm->mmap_base) {
53049 mm->free_area_cache = mm->mmap_base;
53050 + mm->cached_hole_size = ~0UL;
53055 @@ -1660,6 +1870,28 @@ out:
53056 return prev ? prev->vm_next : vma;
53059 +#ifdef CONFIG_PAX_SEGMEXEC
53060 +struct vm_area_struct *pax_find_mirror_vma(struct vm_area_struct *vma)
53062 + struct vm_area_struct *vma_m;
53064 + BUG_ON(!vma || vma->vm_start >= vma->vm_end);
53065 + if (!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC)) {
53066 + BUG_ON(vma->vm_mirror);
53069 + BUG_ON(vma->vm_start < SEGMEXEC_TASK_SIZE && SEGMEXEC_TASK_SIZE < vma->vm_end);
53070 + vma_m = vma->vm_mirror;
53071 + BUG_ON(!vma_m || vma_m->vm_mirror != vma);
53072 + BUG_ON(vma->vm_file != vma_m->vm_file);
53073 + BUG_ON(vma->vm_end - vma->vm_start != vma_m->vm_end - vma_m->vm_start);
53074 + BUG_ON(vma->vm_pgoff != vma_m->vm_pgoff);
53075 + BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root);
53076 + BUG_ON((vma->vm_flags ^ vma_m->vm_flags) & ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED | VM_RESERVED));
53082 * Verify that the stack growth is acceptable and
53083 * update accounting. This is shared with both the
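Review bot: The anon_vma consistency check dereferences both sides whenever the pointers differ, `BUG_ON(vma->anon_vma != vma_m->anon_vma && vma->anon_vma->root != vma_m->anon_vma->root)`, so if exactly one of the two is NULL the failure is a NULL-pointer oops inside the condition rather than the intended BUG; `BUG_ON(vma->anon_vma != vma_m->anon_vma && (!vma->anon_vma || !vma_m->anon_vma || vma->anon_vma->root != vma_m->anon_vma->root))` reports it cleanly. pax_find_mirror_vma() is a new non-static function with no comment; a short header should say that it returns the SEGMEXEC mirror of an executable vma and NULL otherwise (the return statements themselves are not visible here), that the caller must hold mmap_sem, and that each BUG_ON encodes an invariant the mirror setup paths are expected to maintain.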
53084 @@ -1676,6 +1908,7 @@ static int acct_stack_growth(struct vm_a
53087 /* Stack limit test */
53088 + gr_learn_resource(current, RLIMIT_STACK, size, 1);
53089 if (size > ACCESS_ONCE(rlim[RLIMIT_STACK].rlim_cur))
53092 @@ -1686,6 +1919,7 @@ static int acct_stack_growth(struct vm_a
53093 locked = mm->locked_vm + grow;
53094 limit = ACCESS_ONCE(rlim[RLIMIT_MEMLOCK].rlim_cur);
53095 limit >>= PAGE_SHIFT;
53096 + gr_learn_resource(current, RLIMIT_MEMLOCK, locked << PAGE_SHIFT, 1);
53097 if (locked > limit && !capable(CAP_IPC_LOCK))
53100 @@ -1716,37 +1950,48 @@ static int acct_stack_growth(struct vm_a
53101 * PA-RISC uses this for its stack; IA64 for its Register Backing Store.
53102 * vma is the last one with address > vma->vm_end. Have to extend vma.
53104 +#ifndef CONFIG_IA64
53107 int expand_upwards(struct vm_area_struct *vma, unsigned long address)
53112 if (!(vma->vm_flags & VM_GROWSUP))
53115 + /* Also guard against wrapping around to address 0. */
53116 + if (address < PAGE_ALIGN(address+1))
53117 + address = PAGE_ALIGN(address+1);
53122 * We must make sure the anon_vma is allocated
53123 * so that the anon_vma locking is not a noop.
53125 if (unlikely(anon_vma_prepare(vma)))
53127 + locknext = vma->vm_next && (vma->vm_next->vm_flags & VM_GROWSDOWN);
53128 + if (locknext && anon_vma_prepare(vma->vm_next))
53130 vma_lock_anon_vma(vma);
53132 + vma_lock_anon_vma(vma->vm_next);
53135 * vma->vm_start/vm_end cannot change under us because the caller
53136 * is required to hold the mmap_sem in read mode. We need the
53137 - * anon_vma lock to serialize against concurrent expand_stacks.
53138 - * Also guard against wrapping around to address 0.
53139 + * anon_vma locks to serialize against concurrent expand_stacks
53140 + * and expand_upwards.
53142 - if (address < PAGE_ALIGN(address+4))
53143 - address = PAGE_ALIGN(address+4);
53145 - vma_unlock_anon_vma(vma);
53150 /* Somebody else might have raced and expanded it already */
53151 - if (address > vma->vm_end) {
53152 + if (vma->vm_next && (vma->vm_next->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && vma->vm_next->vm_start - address < sysctl_heap_stack_gap)
53154 + else if (address > vma->vm_end && (!locknext || vma->vm_next->vm_start >= address)) {
53155 unsigned long size, grow;
53157 size = address - vma->vm_start;
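Review bot: expand_upwards() now takes two anon_vma locks, vma then vma->vm_next, and expand_downwards() in the later hunk takes prev then vma; both orders are ascending by address, which is what keeps the two functions from deadlocking against each other, but nothing in the code says so and a future edit could invert one of them. A comment at the second lock would pin it: `/* lock order: lower vma first, matching expand_downwards() (prev before vma) */`. The same argument assumes a GROWSUP vma and its GROWSDOWN neighbour never share an anon_vma root, otherwise the second vma_lock_anon_vma() would be a recursive acquisition by the same thread; if the merge rules guarantee that, the comment should say so. The `locknext` declaration and the error return after `anon_vma_prepare(vma->vm_next)` are not visible in this excerpt, and expand_upwards() continues past the hunk.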
53158 @@ -1758,6 +2003,8 @@ int expand_upwards(struct vm_area_struct
53159 perf_event_mmap(vma);
53163 + vma_unlock_anon_vma(vma->vm_next);
53164 vma_unlock_anon_vma(vma);
53167 @@ -1770,6 +2017,8 @@ static int expand_downwards(struct vm_ar
53168 unsigned long address)
53171 + bool lockprev = false;
53172 + struct vm_area_struct *prev;
53175 * We must make sure the anon_vma is allocated
53176 @@ -1783,6 +2032,15 @@ static int expand_downwards(struct vm_ar
53180 + prev = vma->vm_prev;
53181 +#if defined(CONFIG_STACK_GROWSUP) || defined(CONFIG_IA64)
53182 + lockprev = prev && (prev->vm_flags & VM_GROWSUP);
53184 + if (lockprev && anon_vma_prepare(prev))
53187 + vma_lock_anon_vma(prev);
53189 vma_lock_anon_vma(vma);
53192 @@ -1792,9 +2050,17 @@ static int expand_downwards(struct vm_ar
53195 /* Somebody else might have raced and expanded it already */
53196 - if (address < vma->vm_start) {
53197 + if (prev && (prev->vm_flags & (VM_READ | VM_WRITE | VM_EXEC)) && address - prev->vm_end < sysctl_heap_stack_gap)
53199 + else if (address < vma->vm_start && (!lockprev || prev->vm_end <= address)) {
53200 unsigned long size, grow;
53202 +#ifdef CONFIG_PAX_SEGMEXEC
53203 + struct vm_area_struct *vma_m;
53205 + vma_m = pax_find_mirror_vma(vma);
53208 size = vma->vm_end - address;
53209 grow = (vma->vm_start - address) >> PAGE_SHIFT;
53211 @@ -1802,10 +2068,21 @@ static int expand_downwards(struct vm_ar
53213 vma->vm_start = address;
53214 vma->vm_pgoff -= grow;
53215 + track_exec_limit(vma->vm_mm, vma->vm_start, vma->vm_end, vma->vm_flags);
53217 +#ifdef CONFIG_PAX_SEGMEXEC
53219 + vma_m->vm_start -= grow << PAGE_SHIFT;
53220 + vma_m->vm_pgoff -= grow;
53224 perf_event_mmap(vma);
53227 vma_unlock_anon_vma(vma);
53229 + vma_unlock_anon_vma(prev);
53233 @@ -1879,6 +2156,13 @@ static void remove_vma_list(struct mm_st
53235 long nrpages = vma_pages(vma);
53237 +#ifdef CONFIG_PAX_SEGMEXEC
53238 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_start >= SEGMEXEC_TASK_SIZE)) {
53239 + vma = remove_vma(vma);
53244 mm->total_vm -= nrpages;
53245 vm_stat_account(mm, vma->vm_flags, vma->vm_file, -nrpages);
53246 vma = remove_vma(vma);
53247 @@ -1924,6 +2208,16 @@ detach_vmas_to_be_unmapped(struct mm_str
53248 insertion_point = (prev ? &prev->vm_next : &mm->mmap);
53249 vma->vm_prev = NULL;
53252 +#ifdef CONFIG_PAX_SEGMEXEC
53253 + if (vma->vm_mirror) {
53254 + BUG_ON(!vma->vm_mirror->vm_mirror || vma->vm_mirror->vm_mirror != vma);
53255 + vma->vm_mirror->vm_mirror = NULL;
53256 + vma->vm_mirror->vm_flags &= ~VM_EXEC;
53257 + vma->vm_mirror = NULL;
53261 rb_erase(&vma->vm_rb, &mm->mm_rb);
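Review bot: Clearing `VM_EXEC` on the surviving mirror partner (`vma->vm_mirror->vm_flags &= ~VM_EXEC`) changes the flags of a vma that is still linked without touching its vm_page_prot or page tables, which is only safe because, as far as this patch shows, the partner is unmapped by the second __do_munmap() pass in the SEGMEXEC do_munmap() wrapper before mmap_sem is released; the reason should be stated at the site, e.g. `/* the partner is unmapped next by do_munmap()'s mirror pass; drop VM_EXEC so pax_find_mirror_vma() does not see an exec vma without a mirror in between */`. detach_vmas_to_be_unmapped() continues outside the hunk.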
53264 @@ -1952,14 +2246,33 @@ static int __split_vma(struct mm_struct
53265 struct vm_area_struct *new;
53268 +#ifdef CONFIG_PAX_SEGMEXEC
53269 + struct vm_area_struct *vma_m, *new_m = NULL;
53270 + unsigned long addr_m = addr + SEGMEXEC_TASK_SIZE;
53273 if (is_vm_hugetlb_page(vma) && (addr &
53274 ~(huge_page_mask(hstate_vma(vma)))))
53277 +#ifdef CONFIG_PAX_SEGMEXEC
53278 + vma_m = pax_find_mirror_vma(vma);
53281 new = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
53285 +#ifdef CONFIG_PAX_SEGMEXEC
53287 + new_m = kmem_cache_alloc(vm_area_cachep, GFP_KERNEL);
53289 + kmem_cache_free(vm_area_cachep, new);
53295 /* most fields are the same, copy all, and then fixup */
53298 @@ -1972,6 +2285,22 @@ static int __split_vma(struct mm_struct
53299 new->vm_pgoff += ((addr - vma->vm_start) >> PAGE_SHIFT);
53302 +#ifdef CONFIG_PAX_SEGMEXEC
53305 + INIT_LIST_HEAD(&new_m->anon_vma_chain);
53306 + new_m->vm_mirror = new;
53307 + new->vm_mirror = new_m;
53310 + new_m->vm_end = addr_m;
53312 + new_m->vm_start = addr_m;
53313 + new_m->vm_pgoff += ((addr_m - vma_m->vm_start) >> PAGE_SHIFT);
53318 pol = mpol_dup(vma_policy(vma));
53320 err = PTR_ERR(pol);
53321 @@ -1997,6 +2326,42 @@ static int __split_vma(struct mm_struct
53323 err = vma_adjust(vma, vma->vm_start, addr, vma->vm_pgoff, new);
53325 +#ifdef CONFIG_PAX_SEGMEXEC
53326 + if (!err && vma_m) {
53327 + if (anon_vma_clone(new_m, vma_m))
53328 + goto out_free_mpol;
53331 + vma_set_policy(new_m, pol);
53333 + if (new_m->vm_file) {
53334 + get_file(new_m->vm_file);
53335 + if (vma_m->vm_flags & VM_EXECUTABLE)
53336 + added_exe_file_vma(mm);
53339 + if (new_m->vm_ops && new_m->vm_ops->open)
53340 + new_m->vm_ops->open(new_m);
53343 + err = vma_adjust(vma_m, addr_m, vma_m->vm_end, vma_m->vm_pgoff +
53344 + ((addr_m - new_m->vm_start) >> PAGE_SHIFT), new_m);
53346 + err = vma_adjust(vma_m, vma_m->vm_start, addr_m, vma_m->vm_pgoff, new_m);
53349 + if (new_m->vm_ops && new_m->vm_ops->close)
53350 + new_m->vm_ops->close(new_m);
53351 + if (new_m->vm_file) {
53352 + if (vma_m->vm_flags & VM_EXECUTABLE)
53353 + removed_exe_file_vma(mm);
53354 + fput(new_m->vm_file);
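Review bot: If the mirror half fails after the primary split has succeeded — `anon_vma_clone(new_m, vma_m)` failing jumps to `out_free_mpol`, and a failing `vma_adjust(vma_m, ...)` leaves `err` set — control appears to reach the common cleanup, which in the following hunk does `unlink_anon_vmas(new); kmem_cache_free(vm_area_cachep, new);` on a `new` that the first vma_adjust() has already linked into mm, leaving a dangling vma in the tree. Both failures are allocation paths, so this is reachable under memory pressure rather than only in theory. Either undo the primary split on mirror failure, or move the fallible mirror preparation (`anon_vma_clone(new_m, vma_m)` at least) ahead of the first vma_adjust() so nothing is linked until both halves can succeed; the relevant labels and the `if (new_below)` lines are not visible in this excerpt, so the exact rewrite is left to the author, and __split_vma() continues outside the hunk.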
53364 @@ -2009,10 +2374,18 @@ static int __split_vma(struct mm_struct
53365 removed_exe_file_vma(mm);
53366 fput(new->vm_file);
53368 - unlink_anon_vmas(new);
53373 +#ifdef CONFIG_PAX_SEGMEXEC
53375 + unlink_anon_vmas(new_m);
53376 + kmem_cache_free(vm_area_cachep, new_m);
53380 + unlink_anon_vmas(new);
53381 kmem_cache_free(vm_area_cachep, new);
53384 @@ -2025,6 +2398,15 @@ static int __split_vma(struct mm_struct
53385 int split_vma(struct mm_struct *mm, struct vm_area_struct *vma,
53386 unsigned long addr, int new_below)
53389 +#ifdef CONFIG_PAX_SEGMEXEC
53390 + if (mm->pax_flags & MF_PAX_SEGMEXEC) {
53391 + BUG_ON(vma->vm_end > SEGMEXEC_TASK_SIZE);
53392 + if (mm->map_count >= sysctl_max_map_count-1)
53397 if (mm->map_count >= sysctl_max_map_count)
53400 @@ -2036,11 +2418,30 @@ int split_vma(struct mm_struct *mm, stru
53401 * work. This now handles partial unmappings.
53402 * Jeremy Fitzhardinge <jeremy@goop.org>
53404 +#ifdef CONFIG_PAX_SEGMEXEC
53405 +int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
53407 + int ret = __do_munmap(mm, start, len);
53408 + if (ret || !(mm->pax_flags & MF_PAX_SEGMEXEC))
53411 + return __do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len);
53414 +int __do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
53416 int do_munmap(struct mm_struct *mm, unsigned long start, size_t len)
53420 struct vm_area_struct *vma, *prev, *last;
53423 + * mm->mmap_sem is required to protect against another thread
53424 + * changing the mappings in case we sleep.
53426 + verify_mm_writelocked(mm);
53428 if ((start & ~PAGE_MASK) || start > TASK_SIZE || len > TASK_SIZE-start)
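Review bot: The SEGMEXEC do_munmap() wrapper returns the error of the second `__do_munmap(mm, start + SEGMEXEC_TASK_SIZE, len)` after the first call has already succeeded, so on that path the caller sees a failure although the lower-half range is gone and the mirror range stays mapped with VM_EXEC already cleared by detach_vmas_to_be_unmapped(); callers that treat a non-zero return as fatal, such as mmap_region() and do_brk() in this patch, then report a partially applied unmap as an error. As far as the visible checks go, the second pass can fail on the range test at the top of __do_munmap() or on allocation during a split, so the cheap mitigation is to validate the mirrored range up front with the same `len > SEGMEXEC_TASK_SIZE || start > SEGMEXEC_TASK_SIZE - len` test the munmap syscall hunk adds, and to document that an -ENOMEM from the second pass leaves the mirror half behind. The early `return ret;` and the remainder of __do_munmap() are outside this excerpt.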
53431 @@ -2114,6 +2515,8 @@ int do_munmap(struct mm_struct *mm, unsi
53432 /* Fix up all other VM information */
53433 remove_vma_list(mm, vma);
53435 + track_exec_limit(mm, start, end, 0UL);
53440 @@ -2126,22 +2529,18 @@ SYSCALL_DEFINE2(munmap, unsigned long, a
53442 profile_munmap(addr);
53444 +#ifdef CONFIG_PAX_SEGMEXEC
53445 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) &&
53446 + (len > SEGMEXEC_TASK_SIZE || addr > SEGMEXEC_TASK_SIZE-len))
53450 down_write(&mm->mmap_sem);
53451 ret = do_munmap(mm, addr, len);
53452 up_write(&mm->mmap_sem);
53456 -static inline void verify_mm_writelocked(struct mm_struct *mm)
53458 -#ifdef CONFIG_DEBUG_VM
53459 - if (unlikely(down_read_trylock(&mm->mmap_sem))) {
53461 - up_read(&mm->mmap_sem);
53467 * this is really a simplified "do_mmap". it only handles
53468 * anonymous maps. eventually we may be able to do some
53469 @@ -2155,6 +2554,7 @@ unsigned long do_brk(unsigned long addr,
53470 struct rb_node ** rb_link, * rb_parent;
53471 pgoff_t pgoff = addr >> PAGE_SHIFT;
53473 + unsigned long charged;
53475 len = PAGE_ALIGN(len);
53477 @@ -2166,16 +2566,30 @@ unsigned long do_brk(unsigned long addr,
53479 flags = VM_DATA_DEFAULT_FLAGS | VM_ACCOUNT | mm->def_flags;
53481 +#if defined(CONFIG_PAX_PAGEEXEC) || defined(CONFIG_PAX_SEGMEXEC)
53482 + if (mm->pax_flags & (MF_PAX_PAGEEXEC | MF_PAX_SEGMEXEC)) {
53483 + flags &= ~VM_EXEC;
53485 +#ifdef CONFIG_PAX_MPROTECT
53486 + if (mm->pax_flags & MF_PAX_MPROTECT)
53487 + flags &= ~VM_MAYEXEC;
53493 error = get_unmapped_area(NULL, addr, len, 0, MAP_FIXED);
53494 if (error & ~PAGE_MASK)
53497 + charged = len >> PAGE_SHIFT;
53500 * mlock MCL_FUTURE?
53502 if (mm->def_flags & VM_LOCKED) {
53503 unsigned long locked, lock_limit;
53504 - locked = len >> PAGE_SHIFT;
53505 + locked = charged;
53506 locked += mm->locked_vm;
53507 lock_limit = rlimit(RLIMIT_MEMLOCK);
53508 lock_limit >>= PAGE_SHIFT;
53509 @@ -2192,22 +2606,22 @@ unsigned long do_brk(unsigned long addr,
53511 * Clear old maps. this also does some error checking for us
53514 vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53515 if (vma && vma->vm_start < addr + len) {
53516 if (do_munmap(mm, addr, len))
53518 - goto munmap_back;
53519 + vma = find_vma_prepare(mm, addr, &prev, &rb_link, &rb_parent);
53520 + BUG_ON(vma && vma->vm_start < addr + len);
53523 /* Check against address space limits *after* clearing old maps... */
53524 - if (!may_expand_vm(mm, len >> PAGE_SHIFT))
53525 + if (!may_expand_vm(mm, charged))
53528 if (mm->map_count > sysctl_max_map_count)
53531 - if (security_vm_enough_memory(len >> PAGE_SHIFT))
53532 + if (security_vm_enough_memory(charged))
53535 /* Can we just expand an old private anonymous mapping? */
53536 @@ -2221,7 +2635,7 @@ unsigned long do_brk(unsigned long addr,
53538 vma = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53540 - vm_unacct_memory(len >> PAGE_SHIFT);
53541 + vm_unacct_memory(charged);
53545 @@ -2235,11 +2649,12 @@ unsigned long do_brk(unsigned long addr,
53546 vma_link(mm, vma, prev, rb_link, rb_parent);
53548 perf_event_mmap(vma);
53549 - mm->total_vm += len >> PAGE_SHIFT;
53550 + mm->total_vm += charged;
53551 if (flags & VM_LOCKED) {
53552 if (!mlock_vma_pages_range(vma, addr, addr + len))
53553 - mm->locked_vm += (len >> PAGE_SHIFT);
53554 + mm->locked_vm += charged;
53556 + track_exec_limit(mm, addr, addr + len, flags);
53560 @@ -2286,8 +2701,10 @@ void exit_mmap(struct mm_struct *mm)
53561 * Walk the list again, actually closing and freeing it,
53562 * with preemption enabled, without holding any MM locks.
53566 + vma->vm_mirror = NULL;
53567 vma = remove_vma(vma);
53570 BUG_ON(mm->nr_ptes > (FIRST_USER_ADDRESS+PMD_SIZE-1)>>PMD_SHIFT);
53572 @@ -2301,6 +2718,10 @@ int insert_vm_struct(struct mm_struct *
53573 struct vm_area_struct * __vma, * prev;
53574 struct rb_node ** rb_link, * rb_parent;
53576 +#ifdef CONFIG_PAX_SEGMEXEC
53577 + struct vm_area_struct *vma_m = NULL;
53581 * The vm_pgoff of a purely anonymous vma should be irrelevant
53582 * until its first write fault, when page's anon_vma and index
53583 @@ -2323,7 +2744,22 @@ int insert_vm_struct(struct mm_struct *
53584 if ((vma->vm_flags & VM_ACCOUNT) &&
53585 security_vm_enough_memory_mm(mm, vma_pages(vma)))
53588 +#ifdef CONFIG_PAX_SEGMEXEC
53589 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (vma->vm_flags & VM_EXEC)) {
53590 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53596 vma_link(mm, vma, prev, rb_link, rb_parent);
53598 +#ifdef CONFIG_PAX_SEGMEXEC
53600 + BUG_ON(pax_mirror_vma(vma_m, vma));
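Review bot: `BUG_ON(pax_mirror_vma(vma_m, vma))` turns a failure inside pax_mirror_vma into a panic, and that function can fail on memory pressure (its anon_vma_clone call, defined later in this diff), on a path where insert_vm_struct already returns -ENOMEM for the accounting check a few lines up. Because vma_link has run by then, unwinding is awkward; calling pax_mirror_vma before vma_link would let the error be returned and vma_m freed with nothing to unlink. If a panic is the deliberate choice, a comment saying why (`/* the mirror is mandatory under SEGMEXEC; failing here leaves no consistent state */`) should accompany the BUG_ON. Parts of this hunk are not visible, so an error path may exist outside this view.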
53606 @@ -2341,6 +2777,8 @@ struct vm_area_struct *copy_vma(struct v
53607 struct rb_node **rb_link, *rb_parent;
53608 struct mempolicy *pol;
53610 + BUG_ON(vma->vm_mirror);
53613 * If anonymous vma has not yet been faulted, update new pgoff
53614 * to match new location, to increase its chance of merging.
53615 @@ -2390,6 +2828,39 @@ struct vm_area_struct *copy_vma(struct v
53616 kmem_cache_free(vm_area_cachep, new_vma);
53620 +#ifdef CONFIG_PAX_SEGMEXEC
53621 +long pax_mirror_vma(struct vm_area_struct *vma_m, struct vm_area_struct *vma)
53623 + struct vm_area_struct *prev_m;
53624 + struct rb_node **rb_link_m, *rb_parent_m;
53625 + struct mempolicy *pol_m;
53627 + BUG_ON(!(vma->vm_mm->pax_flags & MF_PAX_SEGMEXEC) || !(vma->vm_flags & VM_EXEC));
53628 + BUG_ON(vma->vm_mirror || vma_m->vm_mirror);
53629 + BUG_ON(!mpol_equal(vma_policy(vma), vma_policy(vma_m)));
53631 + INIT_LIST_HEAD(&vma_m->anon_vma_chain);
53632 + if (anon_vma_clone(vma_m, vma))
53634 + pol_m = vma_policy(vma_m);
53636 + vma_set_policy(vma_m, pol_m);
53637 + vma_m->vm_start += SEGMEXEC_TASK_SIZE;
53638 + vma_m->vm_end += SEGMEXEC_TASK_SIZE;
53639 + vma_m->vm_flags &= ~(VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED);
53640 + vma_m->vm_page_prot = vm_get_page_prot(vma_m->vm_flags);
53641 + if (vma_m->vm_file)
53642 + get_file(vma_m->vm_file);
53643 + if (vma_m->vm_ops && vma_m->vm_ops->open)
53644 + vma_m->vm_ops->open(vma_m);
53645 + find_vma_prepare(vma->vm_mm, vma_m->vm_start, &prev_m, &rb_link_m, &rb_parent_m);
53646 + vma_link(vma->vm_mm, vma_m, prev_m, rb_link_m, rb_parent_m);
53647 + vma_m->vm_mirror = vma;
53648 + vma->vm_mirror = vma_m;
53654 * Return true if the calling process may expand its vm space by the passed
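Review bot: pax_mirror_vma has no header comment and its contract is non-obvious: the BUG_ONs check the mm flags, the mirror pointers and mempolicy equality, but not that vma_m is a zeroed copy of vma, which the body assumes when it bumps vm_start/vm_end by SEGMEXEC_TASK_SIZE and strips `VM_WRITE | VM_MAYWRITE | VM_ACCOUNT | VM_LOCKED`. It also takes its own `get_file` and `vm_ops->open` references so that remove_vma can release the mirror symmetrically, and it calls vma_link, so the caller must hold mmap_sem for writing. A comment above the definition stating those preconditions, and that on the anon_vma_clone failure path it appears to return before linking (the line after the check isn't shown) so the caller still owns vma_m, would save the next reader a trip through all three call sites.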
53655 @@ -2401,7 +2872,7 @@ int may_expand_vm(struct mm_struct *mm,
53658 lim = rlimit(RLIMIT_AS) >> PAGE_SHIFT;
53660 + gr_learn_resource(current, RLIMIT_AS, (cur + npages) << PAGE_SHIFT, 1);
53661 if (cur + npages > lim)
53664 @@ -2471,6 +2942,17 @@ int install_special_mapping(struct mm_st
53665 vma->vm_start = addr;
53666 vma->vm_end = addr + len;
53668 +#ifdef CONFIG_PAX_MPROTECT
53669 + if (mm->pax_flags & MF_PAX_MPROTECT) {
53670 + if ((vm_flags & (VM_WRITE | VM_EXEC)) == (VM_WRITE | VM_EXEC))
53672 + if (!(vm_flags & VM_EXEC))
53673 + vm_flags &= ~VM_MAYEXEC;
53675 + vm_flags &= ~VM_MAYWRITE;
53679 vma->vm_flags = vm_flags | mm->def_flags | VM_DONTEXPAND;
53680 vma->vm_page_prot = vm_get_page_prot(vma->vm_flags);
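Review bot: The W+X rejection under MF_PAX_MPROTECT sits after the vma has been allocated and partly initialised (`vma->vm_start = addr;` is context in this hunk), so if the branch returns -EPERM without `kmem_cache_free(vm_area_cachep, vma);` first, the vma leaks on every refused special mapping; the line following the condition is not shown here, so please confirm. The remainder, clearing VM_MAYEXEC for non-exec mappings and VM_MAYWRITE for exec ones, matches the policy applied in do_brk and mprotect and deserves a one-line why-comment such as `/* MPROTECT: a special mapping is writable or executable, never both, and can't change later */`.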
53682 diff -urNp linux-2.6.36.1/mm/mprotect.c linux-2.6.36.1/mm/mprotect.c
53683 --- linux-2.6.36.1/mm/mprotect.c 2010-10-20 16:30:22.000000000 -0400
53684 +++ linux-2.6.36.1/mm/mprotect.c 2010-11-06 18:58:50.000000000 -0400
53685 @@ -23,10 +23,16 @@
53686 #include <linux/mmu_notifier.h>
53687 #include <linux/migrate.h>
53688 #include <linux/perf_event.h>
53690 +#ifdef CONFIG_PAX_MPROTECT
53691 +#include <linux/elf.h>
53694 #include <asm/uaccess.h>
53695 #include <asm/pgtable.h>
53696 #include <asm/cacheflush.h>
53697 #include <asm/tlbflush.h>
53698 +#include <asm/mmu_context.h>
53700 #ifndef pgprot_modify
53701 static inline pgprot_t pgprot_modify(pgprot_t oldprot, pgprot_t newprot)
53702 @@ -131,6 +137,48 @@ static void change_protection(struct vm_
53703 flush_tlb_range(vma, start, end);
53706 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
53707 +/* called while holding the mmap semaphor for writing except stack expansion */
53708 +void track_exec_limit(struct mm_struct *mm, unsigned long start, unsigned long end, unsigned long prot)
53710 + unsigned long oldlimit, newlimit = 0UL;
53712 + if (!(mm->pax_flags & MF_PAX_PAGEEXEC) || (__supported_pte_mask & _PAGE_NX))
53715 + spin_lock(&mm->page_table_lock);
53716 + oldlimit = mm->context.user_cs_limit;
53717 + if ((prot & VM_EXEC) && oldlimit < end)
53718 + /* USER_CS limit moved up */
53720 + else if (!(prot & VM_EXEC) && start < oldlimit && oldlimit <= end)
53721 + /* USER_CS limit moved down */
53722 + newlimit = start;
53725 + mm->context.user_cs_limit = newlimit;
53729 + cpus_clear(mm->context.cpu_user_cs_mask);
53730 + cpu_set(smp_processor_id(), mm->context.cpu_user_cs_mask);
53733 + set_user_cs(mm->context.user_cs_base, mm->context.user_cs_limit, smp_processor_id());
53735 + spin_unlock(&mm->page_table_lock);
53736 + if (newlimit == end) {
53737 + struct vm_area_struct *vma = find_vma(mm, oldlimit);
53739 + for (; vma && vma->vm_start < end; vma = vma->vm_next)
53740 + if (is_vm_hugetlb_page(vma))
53741 + hugetlb_change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot);
53743 + change_protection(vma, vma->vm_start, vma->vm_end, vma->vm_page_prot, vma_wants_writenotify(vma));
53749 mprotect_fixup(struct vm_area_struct *vma, struct vm_area_struct **pprev,
53750 unsigned long start, unsigned long end, unsigned long newflags)
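Review bot: The downward branch sets `newlimit = start` rather than the highest end of any executable vma still below start, so after an exec-to-non-exec change the CS limit can stay above the remaining executable mappings until a later call tightens it; that over-approximation is safe but should be stated, e.g. `/* conservative: start is >= the end of every executable vma below it */`. The header comment misspells "semaphore" and could say what the function maintains — apparently the upper bound of executable user addresses, used to emulate NX through the code-segment limit when the CPU lacks _PAGE_NX (the early return on `__supported_pte_mask & _PAGE_NX` suggests this). The re-protection loop after `spin_unlock` walks vmas without page_table_lock and relies on the caller's mmap_sem, which the comment's "except stack expansion" caveat should spell out.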
53751 @@ -143,11 +191,29 @@ mprotect_fixup(struct vm_area_struct *vm
53753 int dirty_accountable = 0;
53755 +#ifdef CONFIG_PAX_SEGMEXEC
53756 + struct vm_area_struct *vma_m = NULL;
53757 + unsigned long start_m, end_m;
53759 + start_m = start + SEGMEXEC_TASK_SIZE;
53760 + end_m = end + SEGMEXEC_TASK_SIZE;
53763 if (newflags == oldflags) {
53768 + if (newflags & (VM_READ | VM_WRITE | VM_EXEC)) {
53769 + struct vm_area_struct *prev = vma->vm_prev, *next = vma->vm_next;
53771 + if (next && (next->vm_flags & VM_GROWSDOWN) && sysctl_heap_stack_gap > next->vm_start - end)
53774 + if (prev && (prev->vm_flags & VM_GROWSUP) && sysctl_heap_stack_gap > start - prev->vm_end)
53779 * If we make a private mapping writable we increase our commit;
53780 * but (without finer accounting) cannot reduce our commit if we
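Review bot: The new gap check only runs when the mapping becomes accessible (`newflags & (VM_READ | VM_WRITE | VM_EXEC)`), so its purpose — stopping a PROT_NONE region beside a stack from being re-enabled closer than sysctl_heap_stack_gap — is not obvious, and the `return -ENOMEM` lines are not shown in this view. Put `/* re-enabling access next to a stack vma must preserve the heap/stack gap, as the mmap path presumably does */` above the block. The subtraction `next->vm_start - end` cannot underflow only because next follows vma and end <= vma->vm_end; a short word on that would help too. mprotect_fixup continues past this hunk.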
53781 @@ -164,6 +230,42 @@ mprotect_fixup(struct vm_area_struct *vm
53785 +#ifdef CONFIG_PAX_SEGMEXEC
53786 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && ((oldflags ^ newflags) & VM_EXEC)) {
53787 + if (start != vma->vm_start) {
53788 + error = split_vma(mm, vma, start, 1);
53791 + BUG_ON(!*pprev || (*pprev)->vm_next == vma);
53792 + *pprev = (*pprev)->vm_next;
53795 + if (end != vma->vm_end) {
53796 + error = split_vma(mm, vma, end, 0);
53801 + if (pax_find_mirror_vma(vma)) {
53802 + error = __do_munmap(mm, start_m, end_m - start_m);
53806 + vma_m = kmem_cache_zalloc(vm_area_cachep, GFP_KERNEL);
53811 + vma->vm_flags = newflags;
53812 + error = pax_mirror_vma(vma_m, vma);
53814 + vma->vm_flags = oldflags;
53822 * First try to merge with previous and/or next vma.
53824 @@ -194,9 +296,21 @@ success:
53825 * vm_flags and vm_page_prot are protected by the mmap_sem
53826 * held in write mode.
53829 +#ifdef CONFIG_PAX_SEGMEXEC
53830 + if ((mm->pax_flags & MF_PAX_SEGMEXEC) && (newflags & VM_EXEC) && ((vma->vm_flags ^ newflags) & VM_READ))
53831 + pax_find_mirror_vma(vma)->vm_flags ^= VM_READ;
53834 vma->vm_flags = newflags;
53836 +#ifdef CONFIG_PAX_MPROTECT
53837 + if (mm->binfmt && mm->binfmt->handle_mprotect)
53838 + mm->binfmt->handle_mprotect(vma, newflags);
53841 vma->vm_page_prot = pgprot_modify(vma->vm_page_prot,
53842 - vm_get_page_prot(newflags));
53843 + vm_get_page_prot(vma->vm_flags));
53845 if (vma_wants_writenotify(vma)) {
53846 vma->vm_page_prot = vm_get_page_prot(newflags & ~VM_SHARED);
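Review bot: `vm_get_page_prot(newflags)` was changed to `vm_get_page_prot(vma->vm_flags)` so that whatever `handle_mprotect` does to vma->vm_flags is reflected in vm_page_prot, but the vma_wants_writenotify branch two lines later still uses `vm_get_page_prot(newflags & ~VM_SHARED)`, which would reinstate the pre-hook protection for write-notify mappings. If handle_mprotect can alter vm_flags, that line should become `vma->vm_page_prot = vm_get_page_prot(vma->vm_flags & ~VM_SHARED);`. The SEGMEXEC line dereferences `pax_find_mirror_vma(vma)` without a NULL check, relying on every VM_EXEC vma having a mirror; a comment naming that invariant (or a BUG_ON) would make the failure mode deliberate rather than an unexplained oops.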
53847 @@ -237,6 +351,17 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53852 +#ifdef CONFIG_PAX_SEGMEXEC
53853 + if (current->mm->pax_flags & MF_PAX_SEGMEXEC) {
53854 + if (end > SEGMEXEC_TASK_SIZE)
53859 + if (end > TASK_SIZE)
53862 if (!arch_validate_prot(prot))
53865 @@ -244,7 +369,7 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53867 * Does the application expect PROT_READ to imply PROT_EXEC:
53869 - if ((prot & PROT_READ) && (current->personality & READ_IMPLIES_EXEC))
53870 + if ((prot & (PROT_READ | PROT_WRITE)) && (current->personality & READ_IMPLIES_EXEC))
53873 vm_flags = calc_vm_prot_bits(prot);
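Review bot: Extending the READ_IMPLIES_EXEC test to PROT_WRITE changes what `mprotect(PROT_WRITE)` alone yields for legacy-personality tasks, and nothing in the hunk says why. If the intent is that writable pages are readable, and therefore executable on hardware without NX, record it: `/* PROT_WRITE implies PROT_READ on the hardware READ_IMPLIES_EXEC targets, so treat it the same */`. The mmap path presumably has the same test; keep the two conditions in sync.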
53874 @@ -276,6 +401,11 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53875 if (start > vma->vm_start)
53878 +#ifdef CONFIG_PAX_MPROTECT
53879 + if (current->mm->binfmt && current->mm->binfmt->handle_mprotect)
53880 + current->mm->binfmt->handle_mprotect(vma, vm_flags);
53883 for (nstart = start ; ; ) {
53884 unsigned long newflags;
53886 @@ -285,6 +415,14 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53888 /* newflags >> 4 shift VM_MAY% in place of VM_% */
53889 if ((newflags & ~(newflags >> 4)) & (VM_READ | VM_WRITE | VM_EXEC)) {
53890 + if (prot & (PROT_WRITE | PROT_EXEC))
53891 + gr_log_rwxmprotect(vma->vm_file);
53897 + if (!gr_acl_handle_mprotect(vma->vm_file, prot)) {
53901 @@ -300,6 +438,9 @@ SYSCALL_DEFINE3(mprotect, unsigned long,
53904 perf_event_mmap(vma);
53906 + track_exec_limit(current->mm, nstart, tmp, vm_flags);
53910 if (nstart < prev->vm_end)
53911 diff -urNp linux-2.6.36.1/mm/mremap.c linux-2.6.36.1/mm/mremap.c
53912 --- linux-2.6.36.1/mm/mremap.c 2010-10-20 16:30:22.000000000 -0400
53913 +++ linux-2.6.36.1/mm/mremap.c 2010-11-06 18:58:15.000000000 -0400
53914 @@ -113,6 +113,12 @@ static void move_ptes(struct vm_area_str
53916 pte = ptep_clear_flush(vma, old_addr, old_pte);
53917 pte = move_pte(pte, new_vma->vm_page_prot, old_addr, new_addr);
53919 +#ifdef CONFIG_ARCH_TRACK_EXEC_LIMIT
53920 + if (!(__supported_pte_mask & _PAGE_NX) && (new_vma->vm_flags & (VM_PAGEEXEC | VM_EXEC)) == VM_PAGEEXEC)
53921 + pte = pte_exprotect(pte);
53924 set_pte_at(mm, new_addr, new_pte, pte);
53927 @@ -272,6 +278,11 @@ static struct vm_area_struct *vma_to_res
53928 if (is_vm_hugetlb_page(vma))
53931 +#ifdef CONFIG_PAX_SEGMEXEC
53932 + if (pax_find_mirror_vma(vma))
53936 /* We can't remap across vm area boundaries */
53937 if (old_len > vma->vm_end - addr)
53939 @@ -321,20 +332,25 @@ static unsigned long mremap_to(unsigned
53940 unsigned long ret = -EINVAL;
53941 unsigned long charged = 0;
53942 unsigned long map_flags;
53943 + unsigned long pax_task_size = TASK_SIZE;
53945 if (new_addr & ~PAGE_MASK)
53948 - if (new_len > TASK_SIZE || new_addr > TASK_SIZE - new_len)
53949 +#ifdef CONFIG_PAX_SEGMEXEC
53950 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
53951 + pax_task_size = SEGMEXEC_TASK_SIZE;
53954 + pax_task_size -= PAGE_SIZE;
53956 + if (new_len > TASK_SIZE || new_addr > pax_task_size - new_len)
53959 /* Check if the location we're moving into overlaps the
53960 * old location at all, and fail if it does.
53962 - if ((new_addr <= addr) && (new_addr+new_len) > addr)
53965 - if ((addr <= new_addr) && (addr+old_len) > new_addr)
53966 + if (addr + old_len > new_addr && new_addr + new_len > addr)
53969 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
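Review bot: The rewritten range check still compares `new_len > TASK_SIZE` while its second half uses `pax_task_size`; when SEGMEXEC halves the address space, a new_len between SEGMEXEC_TASK_SIZE and TASK_SIZE passes the first test and makes `pax_task_size - new_len` wrap, so `new_addr > ...` is false and this function does not reject the range. do_mremap's own `new_len > pax_task_size` test later in this diff covers the only caller shown, but the local check should stand on its own: `if (new_len > pax_task_size || new_addr > pax_task_size - new_len)`. The merged overlap test `addr + old_len > new_addr && new_addr + new_len > addr` is equivalent to the two it replaces. The condition guarding `pax_task_size -= PAGE_SIZE` is not visible here.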
53970 @@ -406,6 +422,7 @@ unsigned long do_mremap(unsigned long ad
53971 struct vm_area_struct *vma;
53972 unsigned long ret = -EINVAL;
53973 unsigned long charged = 0;
53974 + unsigned long pax_task_size = TASK_SIZE;
53976 if (flags & ~(MREMAP_FIXED | MREMAP_MAYMOVE))
53978 @@ -424,6 +441,17 @@ unsigned long do_mremap(unsigned long ad
53982 +#ifdef CONFIG_PAX_SEGMEXEC
53983 + if (mm->pax_flags & MF_PAX_SEGMEXEC)
53984 + pax_task_size = SEGMEXEC_TASK_SIZE;
53987 + pax_task_size -= PAGE_SIZE;
53989 + if (new_len > pax_task_size || addr > pax_task_size-new_len ||
53990 + old_len > pax_task_size || addr > pax_task_size-old_len)
53993 if (flags & MREMAP_FIXED) {
53994 if (flags & MREMAP_MAYMOVE)
53995 ret = mremap_to(addr, old_len, new_addr, new_len);
53996 @@ -473,6 +501,7 @@ unsigned long do_mremap(unsigned long ad
54000 + track_exec_limit(vma->vm_mm, vma->vm_start, addr + new_len, vma->vm_flags);
54004 @@ -499,7 +528,13 @@ unsigned long do_mremap(unsigned long ad
54005 ret = security_file_mmap(NULL, 0, 0, 0, new_addr, 1);
54009 + map_flags = vma->vm_flags;
54010 ret = move_vma(vma, addr, old_len, new_len, new_addr);
54011 + if (!(ret & ~PAGE_MASK)) {
54012 + track_exec_limit(current->mm, addr, addr + old_len, 0UL);
54013 + track_exec_limit(current->mm, new_addr, new_addr + new_len, map_flags);
54017 if (ret & ~PAGE_MASK)
54018 diff -urNp linux-2.6.36.1/mm/nommu.c linux-2.6.36.1/mm/nommu.c
54019 --- linux-2.6.36.1/mm/nommu.c 2010-10-20 16:30:22.000000000 -0400
54020 +++ linux-2.6.36.1/mm/nommu.c 2010-11-06 18:58:15.000000000 -0400
54021 @@ -62,7 +62,6 @@ int sysctl_overcommit_memory = OVERCOMMI
54022 int sysctl_overcommit_ratio = 50; /* default is 50% */
54023 int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT;
54024 int sysctl_nr_trim_pages = CONFIG_NOMMU_INITIAL_TRIM_EXCESS;
54025 -int heap_stack_gap = 0;
54027 atomic_long_t mmap_pages_allocated;
54029 @@ -757,15 +756,6 @@ struct vm_area_struct *find_vma(struct m
54030 EXPORT_SYMBOL(find_vma);
54034 - * - we don't extend stack VMAs under NOMMU conditions
54036 -struct vm_area_struct *find_extend_vma(struct mm_struct *mm, unsigned long addr)
54038 - return find_vma(mm, addr);
54042 * expand a stack to a given address
54043 * - not supported under NOMMU conditions
54045 @@ -1486,6 +1476,7 @@ int split_vma(struct mm_struct *mm, stru
54047 /* most fields are the same, copy all, and then fixup */
54049 + INIT_LIST_HEAD(&new->anon_vma_chain);
54050 *region = *vma->vm_region;
54051 new->vm_region = region;
54053 diff -urNp linux-2.6.36.1/mm/page_alloc.c linux-2.6.36.1/mm/page_alloc.c
54054 --- linux-2.6.36.1/mm/page_alloc.c 2010-10-20 16:30:22.000000000 -0400
54055 +++ linux-2.6.36.1/mm/page_alloc.c 2010-11-06 18:58:15.000000000 -0400
54056 @@ -642,6 +642,10 @@ static bool free_pages_prepare(struct pa
54060 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54061 + unsigned long index = 1UL << order;
54064 trace_mm_page_free_direct(page, order);
54065 kmemcheck_free_shadow(page, order);
54067 @@ -660,6 +664,12 @@ static bool free_pages_prepare(struct pa
54068 debug_check_no_obj_freed(page_address(page),
54069 PAGE_SIZE << order);
54072 +#ifdef CONFIG_PAX_MEMORY_SANITIZE
54073 + for (; index; --index)
54074 + sanitize_highpage(page + index - 1);
54077 arch_free_page(page, order);
54078 kernel_map_pages(page, 1 << order, 0);
54080 @@ -774,8 +784,10 @@ static int prep_new_page(struct page *pa
54081 arch_alloc_page(page, order);
54082 kernel_map_pages(page, 1 << order, 1);
54084 +#ifndef CONFIG_PAX_MEMORY_SANITIZE
54085 if (gfp_flags & __GFP_ZERO)
54086 prep_zero_page(page, order, gfp_flags);
54089 if (order && (gfp_flags & __GFP_COMP))
54090 prep_compound_page(page, order);
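Review bot: Skipping prep_zero_page for __GFP_ZERO under CONFIG_PAX_MEMORY_SANITIZE is only correct if every page that can be handed out has passed through the sanitize loop added to free_pages_prepare earlier in this diff — no page reaches the free lists by another route, and sanitize_highpage zeroes rather than pattern-fills — and nothing here states that. Add `/* MEMORY_SANITIZE zeroes every page in free_pages_prepare, so __GFP_ZERO pages are already clean */` above the `#ifndef`. Should a future free path bypass free_pages_prepare, __GFP_ZERO callers would silently receive stale data, so a debug-only check that the first word of the page is zero would be cheap insurance.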
54091 @@ -3997,7 +4009,7 @@ static void __init setup_usemap(struct p
54092 zone->pageblock_flags = alloc_bootmem_node(pgdat, usemapsize);
54095 -static void inline setup_usemap(struct pglist_data *pgdat,
54096 +static inline void setup_usemap(struct pglist_data *pgdat,
54097 struct zone *zone, unsigned long zonesize) {}
54098 #endif /* CONFIG_SPARSEMEM */
54100 diff -urNp linux-2.6.36.1/mm/percpu.c linux-2.6.36.1/mm/percpu.c
54101 --- linux-2.6.36.1/mm/percpu.c 2010-10-20 16:30:22.000000000 -0400
54102 +++ linux-2.6.36.1/mm/percpu.c 2010-11-06 18:58:15.000000000 -0400
54103 @@ -115,7 +115,7 @@ static unsigned int pcpu_first_unit_cpu
54104 static unsigned int pcpu_last_unit_cpu __read_mostly;
54106 /* the address of the first chunk which starts with the kernel static area */
54107 -void *pcpu_base_addr __read_mostly;
54108 +void *pcpu_base_addr __read_only;
54109 EXPORT_SYMBOL_GPL(pcpu_base_addr);
54111 static const int *pcpu_unit_map __read_mostly; /* cpu -> unit */
54112 diff -urNp linux-2.6.36.1/mm/rmap.c linux-2.6.36.1/mm/rmap.c
54113 --- linux-2.6.36.1/mm/rmap.c 2010-10-20 16:30:22.000000000 -0400
54114 +++ linux-2.6.36.1/mm/rmap.c 2010-11-06 18:58:15.000000000 -0400
54115 @@ -117,6 +117,10 @@ int anon_vma_prepare(struct vm_area_stru
54116 struct anon_vma *anon_vma = vma->anon_vma;
54117 struct anon_vma_chain *avc;
54119 +#ifdef CONFIG_PAX_SEGMEXEC
54120 + struct anon_vma_chain *avc_m = NULL;
54124 if (unlikely(!anon_vma)) {
54125 struct mm_struct *mm = vma->vm_mm;
54126 @@ -126,6 +130,12 @@ int anon_vma_prepare(struct vm_area_stru
54130 +#ifdef CONFIG_PAX_SEGMEXEC
54131 + avc_m = anon_vma_chain_alloc();
54133 + goto out_enomem_free_avc;
54136 anon_vma = find_mergeable_anon_vma(vma);
54139 @@ -144,6 +154,21 @@ int anon_vma_prepare(struct vm_area_stru
54140 /* page_table_lock to protect against threads */
54141 spin_lock(&mm->page_table_lock);
54142 if (likely(!vma->anon_vma)) {
54144 +#ifdef CONFIG_PAX_SEGMEXEC
54145 + struct vm_area_struct *vma_m = pax_find_mirror_vma(vma);
54148 + BUG_ON(vma_m->anon_vma);
54149 + vma_m->anon_vma = anon_vma;
54150 + avc_m->anon_vma = anon_vma;
54151 + avc_m->vma = vma;
54152 + list_add(&avc_m->same_vma, &vma_m->anon_vma_chain);
54153 + list_add(&avc_m->same_anon_vma, &anon_vma->head);
54158 vma->anon_vma = anon_vma;
54159 avc->anon_vma = anon_vma;
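Review bot: `avc_m->vma = vma;` reads like a typo for `vma_m` — the chain entry is added to the mirror's anon_vma_chain yet points at the original vma — but it may be deliberate so that rmap walks through the anon_vma reach the canonical mapping instead of the SEGMEXEC alias. Whichever it is, the line needs a comment, e.g. `/* the mirror shares vma's pages; rmap must see the original vma, not the alias */` if intentional. The guard on vma_m around `BUG_ON(vma_m->anon_vma)` is not shown in this view; if pax_find_mirror_vma returns NULL for non-exec vmas, the block must be conditional.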
54161 @@ -157,12 +182,24 @@ int anon_vma_prepare(struct vm_area_stru
54163 if (unlikely(allocated))
54164 anon_vma_free(allocated);
54166 +#ifdef CONFIG_PAX_SEGMEXEC
54167 + if (unlikely(avc_m))
54168 + anon_vma_chain_free(avc_m);
54172 anon_vma_chain_free(avc);
54176 out_enomem_free_avc:
54178 +#ifdef CONFIG_PAX_SEGMEXEC
54180 + anon_vma_chain_free(avc_m);
54183 anon_vma_chain_free(avc);
54186 @@ -185,7 +222,7 @@ static void anon_vma_chain_link(struct v
54187 * Attach the anon_vmas from src to dst.
54188 * Returns 0 on success, -ENOMEM on failure.
54190 -int anon_vma_clone(struct vm_area_struct *dst, struct vm_area_struct *src)
54191 +int anon_vma_clone(struct vm_area_struct *dst, const struct vm_area_struct *src)
54193 struct anon_vma_chain *avc, *pavc;
54195 @@ -207,7 +244,7 @@ int anon_vma_clone(struct vm_area_struct
54196 * the corresponding VMA in the parent process is attached to.
54197 * Returns 0 on success, non-zero on failure.
54199 -int anon_vma_fork(struct vm_area_struct *vma, struct vm_area_struct *pvma)
54200 +int anon_vma_fork(struct vm_area_struct *vma, const struct vm_area_struct *pvma)
54202 struct anon_vma_chain *avc;
54203 struct anon_vma *anon_vma;
54204 diff -urNp linux-2.6.36.1/mm/shmem.c linux-2.6.36.1/mm/shmem.c
54205 --- linux-2.6.36.1/mm/shmem.c 2010-10-20 16:30:22.000000000 -0400
54206 +++ linux-2.6.36.1/mm/shmem.c 2010-11-06 19:42:24.000000000 -0400
54208 #include <linux/percpu_counter.h>
54209 #include <linux/swap.h>
54211 -static struct vfsmount *shm_mnt;
54212 +struct vfsmount *shm_mnt;
54214 #ifdef CONFIG_SHMEM
54216 diff -urNp linux-2.6.36.1/mm/slab.c linux-2.6.36.1/mm/slab.c
54217 --- linux-2.6.36.1/mm/slab.c 2010-10-20 16:30:22.000000000 -0400
54218 +++ linux-2.6.36.1/mm/slab.c 2010-11-06 18:58:50.000000000 -0400
54219 @@ -284,7 +284,7 @@ struct kmem_list3 {
54220 * Need this for bootstrapping a per node allocator.
54222 #define NUM_INIT_LISTS (3 * MAX_NUMNODES)
54223 -struct kmem_list3 __initdata initkmem_list3[NUM_INIT_LISTS];
54224 +struct kmem_list3 initkmem_list3[NUM_INIT_LISTS];
54225 #define CACHE_CACHE 0
54226 #define SIZE_AC MAX_NUMNODES
54227 #define SIZE_L3 (2 * MAX_NUMNODES)
54228 @@ -534,7 +534,7 @@ static inline void *index_to_obj(struct
54229 * reciprocal_divide(offset, cache->reciprocal_buffer_size)
54231 static inline unsigned int obj_to_index(const struct kmem_cache *cache,
54232 - const struct slab *slab, void *obj)
54233 + const struct slab *slab, const void *obj)
54235 u32 offset = (obj - slab->s_mem);
54236 return reciprocal_divide(offset, cache->reciprocal_buffer_size);
54237 @@ -560,14 +560,14 @@ struct cache_names {
54238 static struct cache_names __initdata cache_names[] = {
54239 #define CACHE(x) { .name = "size-" #x, .name_dma = "size-" #x "(DMA)" },
54240 #include <linux/kmalloc_sizes.h>
54246 static struct arraycache_init initarray_cache __initdata =
54247 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
54248 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
54249 static struct arraycache_init initarray_generic =
54250 - { {0, BOOT_CPUCACHE_ENTRIES, 1, 0} };
54251 + { {0, BOOT_CPUCACHE_ENTRIES, 1, 0}, {NULL} };
54253 /* internal cache of cache description objs */
54254 static struct kmem_cache cache_cache = {
54255 @@ -4557,15 +4557,66 @@ static const struct file_operations proc
54257 static int __init slab_proc_init(void)
54259 - proc_create("slabinfo",S_IWUSR|S_IRUGO,NULL,&proc_slabinfo_operations);
54260 + mode_t gr_mode = S_IRUGO;
54262 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
54263 + gr_mode = S_IRUSR;
54266 + proc_create("slabinfo",S_IWUSR|gr_mode,NULL,&proc_slabinfo_operations);
54267 #ifdef CONFIG_DEBUG_SLAB_LEAK
54268 - proc_create("slab_allocators", 0, NULL, &proc_slabstats_operations);
54269 + proc_create("slab_allocators", gr_mode, NULL, &proc_slabstats_operations);
54273 module_init(slab_proc_init);
54276 +void check_object_size(const void *ptr, unsigned long n, bool to)
54279 +#ifdef CONFIG_PAX_USERCOPY
54280 + struct kmem_cache *cachep;
54281 + struct slab *slabp;
54282 + struct page *page;
54283 + unsigned int objnr;
54284 + unsigned long offset;
54289 + if (ZERO_OR_NULL_PTR(ptr))
54292 + if (!virt_addr_valid(ptr))
54295 + page = virt_to_head_page(ptr);
54297 + if (!PageSlab(page)) {
54298 + if (object_is_on_stack(ptr, n) == -1)
54303 + cachep = page_get_cache(page);
54304 + slabp = page_get_slab(page);
54305 + objnr = obj_to_index(cachep, slabp, ptr);
54306 + BUG_ON(objnr >= cachep->num);
54307 + offset = ptr - index_to_obj(cachep, slabp, objnr) - obj_offset(cachep);
54308 + if (offset <= obj_size(cachep) && n <= obj_size(cachep) - offset)
54313 + pax_report_leak_to_user(ptr, n);
54315 + pax_report_overflow_from_user(ptr, n);
54319 +EXPORT_SYMBOL(check_object_size);
54322 * ksize - get the actual amount of memory allocated for a given object
54323 * @objp: Pointer to the object
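Review bot: check_object_size silently accepts any pointer that is neither slab-backed nor detected as a stack object (the `!PageSlab(page)` branch reports only when object_is_on_stack returns -1), so copies into or out of page-allocator memory are not bounded at all; that scope is reasonable for USERCOPY but should be stated in a header comment so nobody assumes full coverage. `BUG_ON(objnr >= cachep->num)` escalates a corrupt pointer straight to a panic rather than to pax_report_*, which is fine if intended but deserves a word. The /proc/slabinfo mode change to S_IRUSR under GRKERNSEC_PROC_ADD is a sensible info-leak reduction (slab occupancy aids heap grooming) and also merits a one-line why-comment.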
54324 diff -urNp linux-2.6.36.1/mm/slob.c linux-2.6.36.1/mm/slob.c
54325 --- linux-2.6.36.1/mm/slob.c 2010-10-20 16:30:22.000000000 -0400
54326 +++ linux-2.6.36.1/mm/slob.c 2010-11-06 18:58:15.000000000 -0400
54328 * If kmalloc is asked for objects of PAGE_SIZE or larger, it calls
54329 * alloc_pages() directly, allocating compound pages so the page order
54330 * does not have to be separately tracked, and also stores the exact
54331 - * allocation size in page->private so that it can be used to accurately
54332 + * allocation size in slob_page->size so that it can be used to accurately
54333 * provide ksize(). These objects are detected in kfree() because slob_page()
54334 * is false for them.
54339 #include <linux/kernel.h>
54340 +#include <linux/sched.h>
54341 #include <linux/slab.h>
54342 #include <linux/mm.h>
54343 #include <linux/swap.h> /* struct reclaim_state */
54344 @@ -102,7 +103,8 @@ struct slob_page {
54345 unsigned long flags; /* mandatory */
54346 atomic_t _count; /* mandatory */
54347 slobidx_t units; /* free units left in page */
54348 - unsigned long pad[2];
54349 + unsigned long pad[1];
54350 + unsigned long size; /* size when >=PAGE_SIZE */
54351 slob_t *free; /* first free slob_t in page */
54352 struct list_head list; /* linked list of free pages */
54354 @@ -135,7 +137,7 @@ static LIST_HEAD(free_slob_large);
54356 static inline int is_slob_page(struct slob_page *sp)
54358 - return PageSlab((struct page *)sp);
54359 + return PageSlab((struct page *)sp) && !sp->size;
54362 static inline void set_slob_page(struct slob_page *sp)
54363 @@ -150,7 +152,7 @@ static inline void clear_slob_page(struc
54365 static inline struct slob_page *slob_page(const void *addr)
54367 - return (struct slob_page *)virt_to_page(addr);
54368 + return (struct slob_page *)virt_to_head_page(addr);
54372 @@ -210,7 +212,7 @@ static void set_slob(slob_t *s, slobidx_
54374 * Return the size of a slob block.
54376 -static slobidx_t slob_units(slob_t *s)
54377 +static slobidx_t slob_units(const slob_t *s)
54381 @@ -220,7 +222,7 @@ static slobidx_t slob_units(slob_t *s)
54383 * Return the next free slob block pointer after this one.
54385 -static slob_t *slob_next(slob_t *s)
54386 +static slob_t *slob_next(const slob_t *s)
54388 slob_t *base = (slob_t *)((unsigned long)s & PAGE_MASK);
54390 @@ -235,7 +237,7 @@ static slob_t *slob_next(slob_t *s)
54392 * Returns true if s is the last free block in its page.
54394 -static int slob_last(slob_t *s)
54395 +static int slob_last(const slob_t *s)
54397 return !((unsigned long)slob_next(s) & ~PAGE_MASK);
54399 @@ -254,6 +256,7 @@ static void *slob_new_pages(gfp_t gfp, i
54403 + set_slob_page(page);
54404 return page_address(page);
54407 @@ -370,11 +373,11 @@ static void *slob_alloc(size_t size, gfp
54411 - set_slob_page(sp);
54413 spin_lock_irqsave(&slob_lock, flags);
54414 sp->units = SLOB_UNITS(PAGE_SIZE);
54417 INIT_LIST_HEAD(&sp->list);
54418 set_slob(b, SLOB_UNITS(PAGE_SIZE), b + SLOB_UNITS(PAGE_SIZE));
54419 set_slob_page_free(sp, slob_list);
54420 @@ -476,10 +479,9 @@ out:
54421 * End of slob allocator proper. Begin kmem_cache_alloc and kmalloc frontend.
54424 -void *__kmalloc_node(size_t size, gfp_t gfp, int node)
54425 +static void *__kmalloc_node_align(size_t size, gfp_t gfp, int node, int align)
54428 - int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
54432 lockdep_trace_alloc(gfp);
54433 @@ -492,7 +494,10 @@ void *__kmalloc_node(size_t size, gfp_t
54438 + BUILD_BUG_ON(ARCH_KMALLOC_MINALIGN < 2 * SLOB_UNIT);
54439 + BUILD_BUG_ON(ARCH_SLAB_MINALIGN < 2 * SLOB_UNIT);
54440 + m[0].units = size;
54441 + m[1].units = align;
54442 ret = (void *)m + align;
54444 trace_kmalloc_node(_RET_IP_, ret,
54445 @@ -502,9 +507,9 @@ void *__kmalloc_node(size_t size, gfp_t
54447 ret = slob_new_pages(gfp | __GFP_COMP, get_order(size), node);
54449 - struct page *page;
54450 - page = virt_to_page(ret);
54451 - page->private = size;
54452 + struct slob_page *sp;
54453 + sp = slob_page(ret);
54457 trace_kmalloc_node(_RET_IP_, ret,
54458 @@ -514,6 +519,13 @@ void *__kmalloc_node(size_t size, gfp_t
54459 kmemleak_alloc(ret, size, 1, gfp);
54463 +void *__kmalloc_node(size_t size, gfp_t gfp, int node)
54465 + int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
54467 + return __kmalloc_node_align(size, gfp, node, align);
54469 EXPORT_SYMBOL(__kmalloc_node);
54471 void kfree(const void *block)
54472 @@ -529,13 +541,84 @@ void kfree(const void *block)
54473 sp = slob_page(block);
54474 if (is_slob_page(sp)) {
54475 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
54476 - unsigned int *m = (unsigned int *)(block - align);
54477 - slob_free(m, *m + align);
54479 + slob_t *m = (slob_t *)(block - align);
54480 + slob_free(m, m[0].units + align);
54482 + clear_slob_page(sp);
54483 + free_slob_page(sp);
54485 put_page(&sp->page);
54488 EXPORT_SYMBOL(kfree);
54490 +void check_object_size(const void *ptr, unsigned long n, bool to)
54493 +#ifdef CONFIG_PAX_USERCOPY
54494 + struct slob_page *sp;
54495 + const slob_t *free;
54496 + const void *base;
54501 + if (ZERO_OR_NULL_PTR(ptr))
54504 + if (!virt_addr_valid(ptr))
54507 + sp = slob_page(ptr);
54508 + if (!PageSlab((struct page*)sp)) {
54509 + if (object_is_on_stack(ptr, n) == -1)
54515 + base = page_address(&sp->page);
54516 + if (base <= ptr && n <= sp->size - (ptr - base))
54521 + /* some tricky double walking to find the chunk */
54522 + base = (void *)((unsigned long)ptr & PAGE_MASK);
54525 + while (!slob_last(free) && (void *)free <= ptr) {
54526 + base = free + slob_units(free);
54527 + free = slob_next(free);
54530 + while (base < (void *)free) {
54531 + slobidx_t m = ((slob_t *)base)[0].units, align = ((slob_t *)base)[1].units;
54532 + int size = SLOB_UNIT * SLOB_UNITS(m + align);
54535 + if (ptr < base + align)
54538 + offset = ptr - base - align;
54539 + if (offset < m) {
54540 + if (n <= m - offset)
54549 + pax_report_leak_to_user(ptr, n);
54551 + pax_report_overflow_from_user(ptr, n);
54555 +EXPORT_SYMBOL(check_object_size);
54557 /* can't use ksize for kmem_cache_alloc memory, only kmalloc */
54558 size_t ksize(const void *block)
54560 @@ -548,10 +631,10 @@ size_t ksize(const void *block)
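Review bot: The "tricky double walking" comment in the SLOB check_object_size names the trick without explaining it, which is the part a reader needs: as I read it, the first loop follows the page's free list to the last free block at or below ptr (leaving `base` at the first allocated byte after it), the second walks allocated chunks forward using each `[size, align]` header until it reaches ptr's chunk, and only then is n bounded against the stored size. Replace the one-liner with a comment saying that, and note that `sp->size` is consulted for page-order allocations because is_slob_page is false for them. If the chunk walk runs out without a match (for instance on a damaged header), control appears to fall through to the report calls, which is the safer outcome and worth stating; some lines of this hunk are not visible here.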
54561 sp = slob_page(block);
54562 if (is_slob_page(sp)) {
54563 int align = max(ARCH_KMALLOC_MINALIGN, ARCH_SLAB_MINALIGN);
54564 - unsigned int *m = (unsigned int *)(block - align);
54565 - return SLOB_UNITS(*m) * SLOB_UNIT;
54566 + slob_t *m = (slob_t *)(block - align);
54567 + return SLOB_UNITS(m[0].units) * SLOB_UNIT;
54569 - return sp->page.private;
54572 EXPORT_SYMBOL(ksize);
54574 @@ -606,17 +689,25 @@ void *kmem_cache_alloc_node(struct kmem_
54578 +#ifdef CONFIG_PAX_USERCOPY
54579 + b = __kmalloc_node_align(c->size, flags, node, c->align);
54581 if (c->size < PAGE_SIZE) {
54582 b = slob_alloc(c->size, flags, c->align, node);
54583 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
54584 SLOB_UNITS(c->size) * SLOB_UNIT,
54587 + struct slob_page *sp;
54589 b = slob_new_pages(flags, get_order(c->size), node);
54590 + sp = slob_page(b);
54591 + sp->size = c->size;
54592 trace_kmem_cache_alloc_node(_RET_IP_, b, c->size,
54593 PAGE_SIZE << get_order(c->size),
54600 @@ -628,10 +719,16 @@ EXPORT_SYMBOL(kmem_cache_alloc_node);
54602 static void __kmem_cache_free(void *b, int size)
54604 - if (size < PAGE_SIZE)
54605 + struct slob_page *sp = slob_page(b);
54607 + if (is_slob_page(sp))
54608 slob_free(b, size);
54611 + clear_slob_page(sp);
54612 + free_slob_page(sp);
54614 slob_free_pages(b, get_order(size));
54618 static void kmem_rcu_free(struct rcu_head *head)
54619 @@ -644,14 +741,23 @@ static void kmem_rcu_free(struct rcu_hea
54621 void kmem_cache_free(struct kmem_cache *c, void *b)
54623 + int size = c->size;
54625 +#ifdef CONFIG_PAX_USERCOPY
54626 + if (size + c->align < PAGE_SIZE) {
54627 + size += c->align;
54632 kmemleak_free_recursive(b, c->flags);
54633 if (unlikely(c->flags & SLAB_DESTROY_BY_RCU)) {
54634 struct slob_rcu *slob_rcu;
54635 - slob_rcu = b + (c->size - sizeof(struct slob_rcu));
54636 - slob_rcu->size = c->size;
54637 + slob_rcu = b + (size - sizeof(struct slob_rcu));
54638 + slob_rcu->size = size;
54639 call_rcu(&slob_rcu->head, kmem_rcu_free);
54641 - __kmem_cache_free(b, c->size);
54642 + __kmem_cache_free(b, size);
54645 trace_kmem_cache_free(_RET_IP_, b);
54646 diff -urNp linux-2.6.36.1/mm/slub.c linux-2.6.36.1/mm/slub.c
54647 --- linux-2.6.36.1/mm/slub.c 2010-10-20 16:30:22.000000000 -0400
54648 +++ linux-2.6.36.1/mm/slub.c 2010-11-13 16:29:01.000000000 -0500
54649 @@ -392,7 +392,7 @@ static void print_track(const char *s, s
54653 - printk(KERN_ERR "INFO: %s in %pS age=%lu cpu=%u pid=%d\n",
54654 + printk(KERN_ERR "INFO: %s in %pA age=%lu cpu=%u pid=%d\n",
54655 s, (void *)t->addr, jiffies - t->when, t->cpu, t->pid);
54658 @@ -1873,6 +1873,8 @@ void kmem_cache_free(struct kmem_cache *
54660 page = virt_to_head_page(x);
54662 + BUG_ON(!PageSlab(page));
54664 slab_free(s, page, x, _RET_IP_);
54666 trace_kmem_cache_free(_RET_IP_, x);
54667 @@ -1917,7 +1919,7 @@ static int slub_min_objects;
54668 * Merge control. If this is set then no merging of slab caches will occur.
54669 * (Could be removed. This was introduced to pacify the merge skeptics.)
54671 -static int slub_nomerge;
54672 +static int slub_nomerge = 1;
54675 * Calculate the order of allocation given an slab object size.
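Review bot: The comment above `slub_nomerge` at 54668–54669 is now stale: it still says merging is only disabled "if this is set" and that the knob "could be removed", while 54672 makes no-merge the default. I'd replace the parenthetical with the actual rationale, presumably along the lines of `/* Disabled by default: merging lets a stale object from one cache alias live objects of every other cache in the same size class, which widens the impact of a use-after-free. */`. The memory-overhead cost of never merging and whether a boot parameter can re-enable merging in this tree are worth a sentence as well.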
54676 @@ -2344,7 +2346,7 @@ static int kmem_cache_open(struct kmem_c
54677 * list to avoid pounding the page allocator excessively.
54679 set_min_partial(s, ilog2(s->size));
54681 + atomic_set(&s->refcount, 1);
54683 s->remote_node_defrag_ratio = 1000;
54685 @@ -2487,8 +2489,7 @@ static inline int kmem_cache_close(struc
54686 void kmem_cache_destroy(struct kmem_cache *s)
54688 down_write(&slub_lock);
54690 - if (!s->refcount) {
54691 + if (atomic_dec_and_test(&s->refcount)) {
54692 list_del(&s->list);
54693 if (kmem_cache_close(s)) {
54694 printk(KERN_ERR "SLUB %s: %s called for cache that "
54695 @@ -2779,6 +2780,46 @@ void *__kmalloc_node(size_t size, gfp_t
54696 EXPORT_SYMBOL(__kmalloc_node);
54699 +void check_object_size(const void *ptr, unsigned long n, bool to)
54702 +#ifdef CONFIG_PAX_USERCOPY
54703 + struct page *page;
54704 + struct kmem_cache *s;
54705 + unsigned long offset;
54710 + if (ZERO_OR_NULL_PTR(ptr))
54713 + if (!virt_addr_valid(ptr))
54716 + page = get_object_page(ptr);
54719 + if (object_is_on_stack(ptr, n) == -1)
54725 + offset = (ptr - page_address(page)) % s->size;
54726 + if (offset <= s->objsize && n <= s->objsize - offset)
54731 + pax_report_leak_to_user(ptr, n);
54733 + pax_report_overflow_from_user(ptr, n);
54737 +EXPORT_SYMBOL(check_object_size);
54739 size_t ksize(const void *object)
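Review bot: `check_object_size()` at 54699 is a new exported symbol with no kernel-doc, and the one subtle line in it, `offset <= s->objsize && n <= s->objsize - offset` at 54726, uses `s->objsize` rather than `s->size` on purpose — the copy must stay inside the usable object and never reach the red zone or metadata that `s->size` includes — which deserves a comment such as `/* objsize, not size: the copy must not touch per-object metadata or padding */`. A header above the function should state what `ptr`, `n` and `to` mean and which report is raised on failure (presumably `to` selects the leak-to-user report at 54731 versus the overflow-from-user report at 54733; the selecting line is not shown). The lines that obtain `s` from the page (54717–54718) and the page-NULL handling are also not shown, so I cannot confirm the NULL checks there.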
54742 @@ -3048,7 +3089,7 @@ void __init kmem_cache_init(void)
54744 create_kmalloc_cache(&kmalloc_caches[0], "kmem_cache_node",
54745 sizeof(struct kmem_cache_node), GFP_NOWAIT);
54746 - kmalloc_caches[0].refcount = -1;
54747 + atomic_set(&kmalloc_caches[0].refcount, -1);
54750 hotplug_memory_notifier(slab_memory_callback, SLAB_CALLBACK_PRI);
54751 @@ -3160,7 +3201,7 @@ static int slab_unmergeable(struct kmem_
54753 * We may have set a slab to be unmergeable during bootstrap.
54755 - if (s->refcount < 0)
54756 + if (atomic_read(&s->refcount) < 0)
54760 @@ -3218,7 +3259,7 @@ struct kmem_cache *kmem_cache_create(con
54761 down_write(&slub_lock);
54762 s = find_mergeable(size, align, flags, name, ctor);
54765 + atomic_inc(&s->refcount);
54767 * Adjust the object sizes so that we clear
54768 * the complete object on kzalloc.
54769 @@ -3227,7 +3268,7 @@ struct kmem_cache *kmem_cache_create(con
54770 s->inuse = max_t(int, s->inuse, ALIGN(size, sizeof(void *)));
54772 if (sysfs_slab_alias(s, name)) {
54774 + atomic_dec(&s->refcount);
54777 up_write(&slub_lock);
54778 @@ -3941,7 +3982,7 @@ SLAB_ATTR_RO(ctor);
54780 static ssize_t aliases_show(struct kmem_cache *s, char *buf)
54782 - return sprintf(buf, "%d\n", s->refcount - 1);
54783 + return sprintf(buf, "%d\n", atomic_read(&s->refcount) - 1);
54785 SLAB_ATTR_RO(aliases);
54787 @@ -4673,7 +4714,13 @@ static const struct file_operations proc
54789 static int __init slab_proc_init(void)
54791 - proc_create("slabinfo", S_IRUGO, NULL, &proc_slabinfo_operations);
54792 + mode_t gr_mode = S_IRUGO;
54794 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
54795 + gr_mode = S_IRUSR;
54798 + proc_create("slabinfo", gr_mode, NULL, &proc_slabinfo_operations);
54801 module_init(slab_proc_init);
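Review bot: The `mode_t gr_mode = S_IRUGO; #ifdef CONFIG_GRKERNSEC_PROC_ADD gr_mode = S_IRUSR;` selection at 54792–54795 is the same four lines that setup_vmstat repeats in mm/vmstat.c at 55094–55096, so the proc-visibility policy now lives in (at least) two copies that can diverge. A single helper or macro in a shared header (name is a suggestion, e.g. a `gr_proc_mode()` returning the right mode) would keep the policy in one place, and a one-line comment, `/* restrict slab layout information to root when PROC_ADD is enabled */`, would document why the mode changes. The `#else`/`#endif` lines (54796–54797) are not shown here.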
54802 diff -urNp linux-2.6.36.1/mm/util.c linux-2.6.36.1/mm/util.c
54803 --- linux-2.6.36.1/mm/util.c 2010-10-20 16:30:22.000000000 -0400
54804 +++ linux-2.6.36.1/mm/util.c 2010-11-06 18:58:15.000000000 -0400
54805 @@ -240,6 +240,12 @@ EXPORT_SYMBOL(strndup_user);
54806 void arch_pick_mmap_layout(struct mm_struct *mm)
54808 mm->mmap_base = TASK_UNMAPPED_BASE;
54810 +#ifdef CONFIG_PAX_RANDMMAP
54811 + if (mm->pax_flags & MF_PAX_RANDMMAP)
54812 + mm->mmap_base += mm->delta_mmap;
54815 mm->get_unmapped_area = arch_get_unmapped_area;
54816 mm->unmap_area = arch_unmap_area;
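Review bot: `mm->mmap_base += mm->delta_mmap` at 54812 assumes `delta_mmap` and `pax_flags` were already populated by the time the generic arch_pick_mmap_layout() runs, which presumably happens in the binary loader before the layout is picked, but that ordering is not visible here. I'd record it above the `#ifdef`: `/* delta_mmap/pax_flags must already be set by the exec path (binfmt) before this runs */`, adjusted to whichever path actually sets them. The `#endif` at 54813–54814 is not shown.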
54818 diff -urNp linux-2.6.36.1/mm/vmalloc.c linux-2.6.36.1/mm/vmalloc.c
54819 --- linux-2.6.36.1/mm/vmalloc.c 2010-11-26 18:26:25.000000000 -0500
54820 +++ linux-2.6.36.1/mm/vmalloc.c 2010-11-26 18:27:14.000000000 -0500
54821 @@ -41,8 +41,19 @@ static void vunmap_pte_range(pmd_t *pmd,
54823 pte = pte_offset_kernel(pmd, addr);
54825 - pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
54826 - WARN_ON(!pte_none(ptent) && !pte_present(ptent));
54828 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
54829 + if ((unsigned long)MODULES_EXEC_VADDR <= addr && addr < (unsigned long)MODULES_EXEC_END) {
54830 + BUG_ON(!pte_exec(*pte));
54831 + set_pte_at(&init_mm, addr, pte, pfn_pte(__pa(addr) >> PAGE_SHIFT, PAGE_KERNEL_EXEC));
54837 + pte_t ptent = ptep_get_and_clear(&init_mm, addr, pte);
54838 + WARN_ON(!pte_none(ptent) && !pte_present(ptent));
54840 } while (pte++, addr += PAGE_SIZE, addr != end);
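Review bot: The new `set_pte_at()` at 54831 in vunmap_pte_range writes a kernel page-table entry without the `pax_open_kernel()`/`pax_close_kernel()` pair that the same patch wraps around the `set_pte_at()` in vmap_pte_range (54856 and 54882); if the bracket is required for one write it is presumably required for the other, so please confirm which is intended. The branch also deserves a comment, since it restores an identity mapping rather than clearing the entry: `/* KERNEXEC: the module text range must stay mapped executable, so re-point the pte at the physical page instead of clearing it */`. Lines 54832–54836 (the `else`/`#endif` and any `continue`) are not shown.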
54843 @@ -93,6 +104,7 @@ static int vmap_pte_range(pmd_t *pmd, un
54844 unsigned long end, pgprot_t prot, struct page **pages, int *nr)
54847 + int ret = -ENOMEM;
54850 * nr is a running index into the array which helps higher level
54851 @@ -102,17 +114,30 @@ static int vmap_pte_range(pmd_t *pmd, un
54852 pte = pte_alloc_kernel(pmd, addr);
54856 + pax_open_kernel();
54858 struct page *page = pages[*nr];
54860 - if (WARN_ON(!pte_none(*pte)))
54862 - if (WARN_ON(!page))
54864 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
54865 + if (pgprot_val(prot) & _PAGE_NX)
54868 + if (WARN_ON(!pte_none(*pte))) {
54872 + if (WARN_ON(!page)) {
54876 set_pte_at(&init_mm, addr, pte, mk_pte(page, prot));
54878 } while (pte++, addr += PAGE_SIZE, addr != end);
54882 + pax_close_kernel();
54886 static int vmap_pmd_range(pud_t *pud, unsigned long addr,
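Review bot: `pax_open_kernel()` at 54856 is entered before the loop and `pax_close_kernel()` at 54882 after it, so every early exit inside the loop — the `_PAGE_NX` rejection at 54865 and the two `WARN_ON` branches at 54868 and 54872, whose bodies (54866–54867, 54869–54871, 54873–54875) are not shown — must reach the close call or the kernel is left writable on that path. If those bodies `goto` a single label placed just before `pax_close_kernel()` that is fine; if any of them `return` directly, that is the defect to fix. A comment on the open call, `/* page tables are read-only under KERNEXEC; every exit below must go through the close at the end */`, would make the invariant explicit.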
54887 @@ -193,11 +218,20 @@ int is_vmalloc_or_module_addr(const void
54888 * and fall back on vmalloc() if that fails. Others
54889 * just put it in the vmalloc space.
54891 -#if defined(CONFIG_MODULES) && defined(MODULES_VADDR)
54892 +#ifdef CONFIG_MODULES
54893 +#ifdef MODULES_VADDR
54894 unsigned long addr = (unsigned long)x;
54895 if (addr >= MODULES_VADDR && addr < MODULES_END)
54899 +#if defined(CONFIG_X86_32) && defined(CONFIG_PAX_KERNEXEC)
54900 + if (x >= (const void *)MODULES_EXEC_VADDR && x < (const void *)MODULES_EXEC_END)
54906 return is_vmalloc_addr(x);
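Review bot: The new range test at 54900 compares `x` as a pointer against `(const void *)MODULES_EXEC_VADDR`, while the existing test three lines above (54894–54895) converts to `unsigned long` first; comparing pointers into unrelated objects is formally undefined in C and the mixed style is harder to read. If `addr` is in scope at that point, `if (addr >= (unsigned long)MODULES_EXEC_VADDR && addr < (unsigned long)MODULES_EXEC_END)` keeps both checks in the same form; the `#endif` lines (54896–54898, 54901–54905) are not shown, so I cannot tell whether the KERNEXEC block sits inside the `MODULES_VADDR` one.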
54909 @@ -218,8 +252,14 @@ struct page *vmalloc_to_page(const void
54911 if (!pgd_none(*pgd)) {
54912 pud_t *pud = pud_offset(pgd, addr);
54914 + if (!pud_large(*pud))
54916 if (!pud_none(*pud)) {
54917 pmd_t *pmd = pmd_offset(pud, addr);
54919 + if (!pmd_large(*pmd))
54921 if (!pmd_none(*pmd)) {
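Review bot: `pud_large()` and `pmd_large()` at 54914 and 54919 are, as far as I know, provided by the x86 page-table headers rather than by every architecture's, and vmalloc_to_page() is generic code, so please confirm the build on non-x86 configurations or add a fallback (`#ifndef pud_large` stubs returning 0). The check itself is a sound hardening of the walk — descending into a huge entry as if it were a table reads garbage — and a comment, `/* a huge-page entry has no lower-level table to walk */`, would say so. The lines after each check (54915, 54920) are not shown.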
54924 @@ -293,13 +333,13 @@ static void __insert_vmap_area(struct vm
54925 struct rb_node *tmp;
54928 - struct vmap_area *tmp;
54929 + struct vmap_area *varea;
54932 - tmp = rb_entry(parent, struct vmap_area, rb_node);
54933 - if (va->va_start < tmp->va_end)
54934 + varea = rb_entry(parent, struct vmap_area, rb_node);
54935 + if (va->va_start < varea->va_end)
54936 p = &(*p)->rb_left;
54937 - else if (va->va_end > tmp->va_start)
54938 + else if (va->va_end > varea->va_start)
54939 p = &(*p)->rb_right;
54942 @@ -1237,6 +1277,16 @@ static struct vm_struct *__get_vm_area_n
54943 struct vm_struct *area;
54945 BUG_ON(in_interrupt());
54947 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
54948 + if (flags & VM_KERNEXEC) {
54949 + if (start != VMALLOC_START || end != VMALLOC_END)
54951 + start = (unsigned long)MODULES_EXEC_VADDR;
54952 + end = (unsigned long)MODULES_EXEC_END;
54956 if (flags & VM_IOREMAP) {
54957 int bit = fls(size);
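Review bot: The `VM_KERNEXEC` handling at 54948–54952 silently replaces the caller's `start`/`end` with the module executable range, and what happens when the caller passed a non-default range (line 54950, not shown) is the interesting part — if it returns NULL, the failure is invisible to the caller without a comment. I'd add above the block: `/* executable mappings are confined to the module text range so the rest of vmalloc space can stay non-executable; a caller asking for a custom range cannot be honoured */`. The `#endif` (54953–54955) is not shown.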
54959 @@ -1462,6 +1512,11 @@ void *vmap(struct page **pages, unsigned
54960 if (count > totalram_pages)
54963 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
54964 + if (!(pgprot_val(prot) & _PAGE_NX))
54965 + flags |= VM_KERNEXEC;
54968 area = get_vm_area_caller((count << PAGE_SHIFT), flags,
54969 __builtin_return_address(0));
54971 @@ -1571,6 +1626,13 @@ static void *__vmalloc_node(unsigned lon
54972 if (!size || (size >> PAGE_SHIFT) > totalram_pages)
54975 +#if defined(CONFIG_MODULES) && defined(CONFIG_X86) && defined(CONFIG_PAX_KERNEXEC)
54976 + if (!(pgprot_val(prot) & _PAGE_NX))
54977 + area = __get_vm_area_node(size, align, VM_ALLOC | VM_KERNEXEC, VMALLOC_START, VMALLOC_END,
54978 + node, gfp_mask, caller);
54982 area = __get_vm_area_node(size, align, VM_ALLOC, VMALLOC_START,
54983 VMALLOC_END, node, gfp_mask, caller);
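Review bot: __vmalloc_node now has two near-identical `__get_vm_area_node()` calls (54977–54978 and 54982–54983) that differ only in one flag, which is a style issue that will bite when the argument list changes. Computing the flags first keeps one call: `unsigned long vm_flags = VM_ALLOC;`, then inside the existing `#ifdef` `if (!(pgprot_val(prot) & _PAGE_NX)) vm_flags |= VM_KERNEXEC;`, then `area = __get_vm_area_node(size, align, vm_flags, VMALLOC_START, VMALLOC_END, node, gfp_mask, caller);`. The same `_PAGE_NX` test is written out again in vmap() at 54964; a tiny helper that maps a pgprot to the extra flag would remove the third copy. The `else` between the two calls (54979–54981) is not shown.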
54985 @@ -1589,6 +1651,7 @@ static void *__vmalloc_node(unsigned lon
54990 void *__vmalloc(unsigned long size, gfp_t gfp_mask, pgprot_t prot)
54992 return __vmalloc_node(size, 1, gfp_mask, prot, -1,
54993 @@ -1605,6 +1668,7 @@ EXPORT_SYMBOL(__vmalloc);
54994 * For tight control over page level allocator and protection flags
54995 * use __vmalloc() instead.
54998 void *vmalloc(unsigned long size)
55000 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
55001 @@ -1619,6 +1683,7 @@ EXPORT_SYMBOL(vmalloc);
55002 * The resulting memory area is zeroed so it can be mapped to userspace
55003 * without leaking data.
55005 +#undef vmalloc_user
55006 void *vmalloc_user(unsigned long size)
55008 struct vm_struct *area;
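Review bot: `#undef vmalloc_user` at 55005, and the matching `#undef vmalloc_node`, `#undef vmalloc_exec` and `#undef vmalloc_32_user` in the hunks at -1646, -1668 and -1704, only make sense if the header defines these names as macros, and nothing here says why the real definition has to peel that off. A one-line comment on the first occurrence, `/* the header wraps this entry point in a macro for callers; the definition needs the plain name */`, adjusted to the actual reason, would save the next reader a search. The `__GFP_ZERO` added to vmalloc_exec at 55026 is a separate behaviour change (executable allocations are now pre-zeroed) that deserves its own short comment.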
55009 @@ -1646,6 +1711,7 @@ EXPORT_SYMBOL(vmalloc_user);
55010 * For tight control over page level allocator and protection flags
55011 * use __vmalloc() instead.
55013 +#undef vmalloc_node
55014 void *vmalloc_node(unsigned long size, int node)
55016 return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL,
55017 @@ -1668,10 +1734,10 @@ EXPORT_SYMBOL(vmalloc_node);
55018 * For tight control over page level allocator and protection flags
55019 * use __vmalloc() instead.
55022 +#undef vmalloc_exec
55023 void *vmalloc_exec(unsigned long size)
55025 - return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM, PAGE_KERNEL_EXEC,
55026 + return __vmalloc_node(size, 1, GFP_KERNEL | __GFP_HIGHMEM | __GFP_ZERO, PAGE_KERNEL_EXEC,
55027 -1, __builtin_return_address(0));
55030 @@ -1690,6 +1756,7 @@ void *vmalloc_exec(unsigned long size)
55031 * Allocate enough 32bit PA addressable pages to cover @size from the
55032 * page level allocator and map them into contiguous kernel virtual space.
55035 void *vmalloc_32(unsigned long size)
55037 return __vmalloc_node(size, 1, GFP_VMALLOC32, PAGE_KERNEL,
55038 @@ -1704,6 +1771,7 @@ EXPORT_SYMBOL(vmalloc_32);
55039 * The resulting memory area is 32bit addressable and zeroed so it can be
55040 * mapped to userspace without leaking data.
55042 +#undef vmalloc_32_user
55043 void *vmalloc_32_user(unsigned long size)
55045 struct vm_struct *area;
55046 @@ -1968,6 +2036,8 @@ int remap_vmalloc_range(struct vm_area_s
55047 unsigned long uaddr = vma->vm_start;
55048 unsigned long usize = vma->vm_end - vma->vm_start;
55050 + BUG_ON(vma->vm_mirror);
55052 if ((PAGE_SIZE-1) & (unsigned long)addr)
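Review bot: `BUG_ON(vma->vm_mirror)` at 55050 makes a mirrored VMA reaching remap_vmalloc_range() a kernel panic, and since this function is called from driver mmap handlers on behalf of user processes, it is worth confirming that a mirrored VMA genuinely cannot get here (otherwise returning -EINVAL is the safer failure). If the `vm_mirror` field only exists under the corresponding PaX configuration, the line also needs the matching `#ifdef`. A comment stating the invariant, `/* mirrored (SEGMEXEC) VMAs are never handed to driver mmap */` or whatever the actual reason is, would document the assumption either way.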
55055 diff -urNp linux-2.6.36.1/mm/vmstat.c linux-2.6.36.1/mm/vmstat.c
55056 --- linux-2.6.36.1/mm/vmstat.c 2010-10-20 16:30:22.000000000 -0400
55057 +++ linux-2.6.36.1/mm/vmstat.c 2010-11-06 18:58:50.000000000 -0400
55058 @@ -76,7 +76,7 @@ void vm_events_fold_cpu(int cpu)
55060 * vm_stat contains the global counters
55062 -atomic_long_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55063 +atomic_long_unchecked_t vm_stat[NR_VM_ZONE_STAT_ITEMS];
55064 EXPORT_SYMBOL(vm_stat);
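Review bot: `atomic_long_unchecked_t` at 55063 opts `vm_stat` out of the patch's overflow-checked atomics, and the same opt-out is applied without explanation to the per-zone counters at -328 and -366 in this file, the ATM statistics in net/atm/atm_misc.c, net/atm/proc.c and net/atm/resources.c, and the `rid`/`ip_id_count` fields touched in net/ipv4/inetpeer.c, ip_fragment.c and route.c. Each site is presumably a counter where wrap-around is harmless and a detected overflow would be a false positive, but that reasoning should be recorded once, e.g. above this definition: `/* statistics counter: wrap-around is expected and harmless, so it is excluded from atomic overflow detection */`. Reviewers of later changes need that to know which counters must stay checked.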
55067 @@ -328,7 +328,7 @@ void refresh_cpu_vm_stats(int cpu)
55068 v = p->vm_stat_diff[i];
55069 p->vm_stat_diff[i] = 0;
55070 local_irq_restore(flags);
55071 - atomic_long_add(v, &zone->vm_stat[i]);
55072 + atomic_long_add_unchecked(v, &zone->vm_stat[i]);
55073 global_diff[i] += v;
55075 /* 3 seconds idle till flush */
55076 @@ -366,7 +366,7 @@ void refresh_cpu_vm_stats(int cpu)
55078 for (i = 0; i < NR_VM_ZONE_STAT_ITEMS; i++)
55079 if (global_diff[i])
55080 - atomic_long_add(global_diff[i], &vm_stat[i]);
55081 + atomic_long_add_unchecked(global_diff[i], &vm_stat[i]);
55085 @@ -1050,10 +1050,16 @@ static int __init setup_vmstat(void)
55086 start_cpu_timer(cpu);
55088 #ifdef CONFIG_PROC_FS
55089 - proc_create("buddyinfo", S_IRUGO, NULL, &fragmentation_file_operations);
55090 - proc_create("pagetypeinfo", S_IRUGO, NULL, &pagetypeinfo_file_ops);
55091 - proc_create("vmstat", S_IRUGO, NULL, &proc_vmstat_file_operations);
55092 - proc_create("zoneinfo", S_IRUGO, NULL, &proc_zoneinfo_file_operations);
55094 + mode_t gr_mode = S_IRUGO;
55095 +#ifdef CONFIG_GRKERNSEC_PROC_ADD
55096 + gr_mode = S_IRUSR;
55098 + proc_create("buddyinfo", gr_mode, NULL, &fragmentation_file_operations);
55099 + proc_create("pagetypeinfo", gr_mode, NULL, &pagetypeinfo_file_ops);
55100 + proc_create("vmstat", gr_mode, NULL, &proc_vmstat_file_operations);
55101 + proc_create("zoneinfo", gr_mode, NULL, &proc_zoneinfo_file_operations);
55106 diff -urNp linux-2.6.36.1/net/8021q/vlan.c linux-2.6.36.1/net/8021q/vlan.c
55107 --- linux-2.6.36.1/net/8021q/vlan.c 2010-10-20 16:30:22.000000000 -0400
55108 +++ linux-2.6.36.1/net/8021q/vlan.c 2010-11-06 18:58:15.000000000 -0400
55109 @@ -627,8 +627,7 @@ static int vlan_ioctl_handler(struct net
55111 if (!capable(CAP_NET_ADMIN))
55113 - if ((args.u.name_type >= 0) &&
55114 - (args.u.name_type < VLAN_NAME_TYPE_HIGHEST)) {
55115 + if (args.u.name_type < VLAN_NAME_TYPE_HIGHEST) {
55116 struct vlan_net *vn;
55118 vn = net_generic(net, vlan_net_id);
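Review bot: Dropping `args.u.name_type >= 0` at 55113–55115 is only a no-op if `name_type` is an unsigned field (the removed test was then always true and the compiler warned about it); if it is signed, a negative value now passes the `< VLAN_NAME_TYPE_HIGHEST` test and indexes below the name-type table. Please confirm the field's type in the ioctl structure and, if it is unsigned, note it: `/* name_type is unsigned, so the upper bound is the only check needed */`.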
55119 diff -urNp linux-2.6.36.1/net/atm/atm_misc.c linux-2.6.36.1/net/atm/atm_misc.c
55120 --- linux-2.6.36.1/net/atm/atm_misc.c 2010-10-20 16:30:22.000000000 -0400
55121 +++ linux-2.6.36.1/net/atm/atm_misc.c 2010-11-06 18:58:15.000000000 -0400
55122 @@ -17,7 +17,7 @@ int atm_charge(struct atm_vcc *vcc, int
55123 if (atomic_read(&sk_atm(vcc)->sk_rmem_alloc) <= sk_atm(vcc)->sk_rcvbuf)
55125 atm_return(vcc, truesize);
55126 - atomic_inc(&vcc->stats->rx_drop);
55127 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55130 EXPORT_SYMBOL(atm_charge);
55131 @@ -39,7 +39,7 @@ struct sk_buff *atm_alloc_charge(struct
55134 atm_return(vcc, guess);
55135 - atomic_inc(&vcc->stats->rx_drop);
55136 + atomic_inc_unchecked(&vcc->stats->rx_drop);
55139 EXPORT_SYMBOL(atm_alloc_charge);
55140 @@ -86,7 +86,7 @@ EXPORT_SYMBOL(atm_pcr_goal);
55142 void sonet_copy_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55144 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55145 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55147 #undef __HANDLE_ITEM
55149 @@ -94,7 +94,7 @@ EXPORT_SYMBOL(sonet_copy_stats);
55151 void sonet_subtract_stats(struct k_sonet_stats *from, struct sonet_stats *to)
55153 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55154 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i,&from->i)
55156 #undef __HANDLE_ITEM
55158 diff -urNp linux-2.6.36.1/net/atm/proc.c linux-2.6.36.1/net/atm/proc.c
55159 --- linux-2.6.36.1/net/atm/proc.c 2010-10-20 16:30:22.000000000 -0400
55160 +++ linux-2.6.36.1/net/atm/proc.c 2010-11-06 18:58:50.000000000 -0400
55161 @@ -44,9 +44,9 @@ static void add_stats(struct seq_file *s
55162 const struct k_atm_aal_stats *stats)
55164 seq_printf(seq, "%s ( %d %d %d %d %d )", aal,
55165 - atomic_read(&stats->tx), atomic_read(&stats->tx_err),
55166 - atomic_read(&stats->rx), atomic_read(&stats->rx_err),
55167 - atomic_read(&stats->rx_drop));
55168 + atomic_read_unchecked(&stats->tx),atomic_read_unchecked(&stats->tx_err),
55169 + atomic_read_unchecked(&stats->rx),atomic_read_unchecked(&stats->rx_err),
55170 + atomic_read_unchecked(&stats->rx_drop));
55173 static void atm_dev_info(struct seq_file *seq, const struct atm_dev *dev)
55174 @@ -190,7 +190,12 @@ static void vcc_info(struct seq_file *se
55176 struct sock *sk = sk_atm(vcc);
55178 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55179 + seq_printf(seq, "%p ", NULL);
55181 seq_printf(seq, "%p ", vcc);
55185 seq_printf(seq, "Unassigned ");
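Review bot: `seq_printf(seq, "%p ", NULL)` at 55179 hides the socket address as intended, but `%p` with a NULL argument does not print a zero address of the same width; it prints the kernel's NULL placeholder, so the column layout of the proc line changes under CONFIG_GRKERNSEC_HIDESYM and parsers keyed on fixed columns may break. If a stable layout matters, printing a fixed-width zero (`"%*s "` with a literal of the pointer width, or `"%p "` with a constant such as `(void *)0UL` cast through `%lx`) keeps the format identical, and a comment, `/* hide the kernel address but keep the field present for column-based parsers */`, documents the choice. The `#else`/`#endif` lines (55180, 55182–55184) are not shown.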
55187 diff -urNp linux-2.6.36.1/net/atm/resources.c linux-2.6.36.1/net/atm/resources.c
55188 --- linux-2.6.36.1/net/atm/resources.c 2010-10-20 16:30:22.000000000 -0400
55189 +++ linux-2.6.36.1/net/atm/resources.c 2010-11-06 18:58:15.000000000 -0400
55190 @@ -159,7 +159,7 @@ EXPORT_SYMBOL(atm_dev_deregister);
55191 static void copy_aal_stats(struct k_atm_aal_stats *from,
55192 struct atm_aal_stats *to)
55194 -#define __HANDLE_ITEM(i) to->i = atomic_read(&from->i)
55195 +#define __HANDLE_ITEM(i) to->i = atomic_read_unchecked(&from->i)
55197 #undef __HANDLE_ITEM
55199 @@ -167,7 +167,7 @@ static void copy_aal_stats(struct k_atm_
55200 static void subtract_aal_stats(struct k_atm_aal_stats *from,
55201 struct atm_aal_stats *to)
55203 -#define __HANDLE_ITEM(i) atomic_sub(to->i, &from->i)
55204 +#define __HANDLE_ITEM(i) atomic_sub_unchecked(to->i, &from->i)
55206 #undef __HANDLE_ITEM
55208 diff -urNp linux-2.6.36.1/net/ax25/af_ax25.c linux-2.6.36.1/net/ax25/af_ax25.c
55209 --- linux-2.6.36.1/net/ax25/af_ax25.c 2010-10-20 16:30:22.000000000 -0400
55210 +++ linux-2.6.36.1/net/ax25/af_ax25.c 2010-11-06 18:58:50.000000000 -0400
55211 @@ -1392,6 +1392,7 @@ static int ax25_getname(struct socket *s
55215 + memset(fsa, 0, sizeof(*fsa));
55217 ax25 = ax25_sk(sk);
55219 @@ -1403,7 +1404,6 @@ static int ax25_getname(struct socket *s
55221 fsa->fsa_ax25.sax25_family = AF_AX25;
55222 fsa->fsa_ax25.sax25_call = ax25->dest_addr;
55223 - fsa->fsa_ax25.sax25_ndigis = 0;
55225 if (ax25->digipeat != NULL) {
55226 ndigi = ax25->digipeat->ndigi;
55227 diff -urNp linux-2.6.36.1/net/bridge/br_multicast.c linux-2.6.36.1/net/bridge/br_multicast.c
55228 --- linux-2.6.36.1/net/bridge/br_multicast.c 2010-10-20 16:30:22.000000000 -0400
55229 +++ linux-2.6.36.1/net/bridge/br_multicast.c 2010-11-06 18:58:15.000000000 -0400
55230 @@ -1461,7 +1461,7 @@ static int br_multicast_ipv6_rcv(struct
55231 nexthdr = ip6h->nexthdr;
55232 offset = ipv6_skip_exthdr(skb, sizeof(*ip6h), &nexthdr);
55234 - if (offset < 0 || nexthdr != IPPROTO_ICMPV6)
55235 + if (nexthdr != IPPROTO_ICMPV6)
55238 /* Okay, we found ICMPv6 header */
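Review bot: Removing `offset < 0 ||` at 55234–55235 is correct only if `offset` is an unsigned variable in this version (the test was then always false); if it is signed, the -1 that ipv6_skip_exthdr() returns on a malformed extension chain is no longer rejected and the later header pull uses `offset` as if it were valid. Please check the declaration at the top of br_multicast_ipv6_rcv (outside this hunk) and, if it is unsigned, add `/* offset is unsigned: a failed ipv6_skip_exthdr() becomes a huge offset that the pull below rejects */` so the reliance on the later bounds check is explicit.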
55239 diff -urNp linux-2.6.36.1/net/bridge/br_stp_if.c linux-2.6.36.1/net/bridge/br_stp_if.c
55240 --- linux-2.6.36.1/net/bridge/br_stp_if.c 2010-10-20 16:30:22.000000000 -0400
55241 +++ linux-2.6.36.1/net/bridge/br_stp_if.c 2010-11-06 18:58:15.000000000 -0400
55242 @@ -145,7 +145,7 @@ static void br_stp_stop(struct net_bridg
55243 char *envp[] = { NULL };
55245 if (br->stp_enabled == BR_USER_STP) {
55246 - r = call_usermodehelper(BR_STP_PROG, argv, envp, 1);
55247 + r = call_usermodehelper(BR_STP_PROG, argv, envp, UMH_WAIT_PROC);
55248 br_info(br, "userspace STP stopped, return code %d\n", r);
55250 /* To start timers on any ports left in blocking */
55251 diff -urNp linux-2.6.36.1/net/bridge/netfilter/ebtables.c linux-2.6.36.1/net/bridge/netfilter/ebtables.c
55252 --- linux-2.6.36.1/net/bridge/netfilter/ebtables.c 2010-10-20 16:30:22.000000000 -0400
55253 +++ linux-2.6.36.1/net/bridge/netfilter/ebtables.c 2010-11-06 18:58:15.000000000 -0400
55254 @@ -1504,7 +1504,7 @@ static int do_ebt_get_ctl(struct sock *s
55255 tmp.valid_hooks = t->table->valid_hooks;
55257 mutex_unlock(&ebt_mutex);
55258 - if (copy_to_user(user, &tmp, *len) != 0){
55259 + if (*len > sizeof(tmp) || copy_to_user(user, &tmp, *len) != 0){
55260 BUGPRINT("c2u Didn't work\n");
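Review bot: The `*len > sizeof(tmp)` guard at 55259 correctly stops a caller-supplied length from copying kernel stack past `tmp` to user space, but it shares the copy-failure path, so an oversized request logs "c2u Didn't work" and presumably returns the copy error (55261 not shown) when it is really an invalid argument. Splitting it as `if (*len > sizeof(tmp)) return -EINVAL;` before the existing copy keeps the diagnostics honest. The same combined check appears in net/core/sock.c at -934 and -967 and in net/decnet/sysctl_net_decnet.c at -173 and -236, where the `len` values are already clamped a few lines earlier; a short comment there, `/* defensive: len is already clamped above, never exceed the local buffer */`, would tell a reader that the check is belt-and-braces rather than the primary bound.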
55263 diff -urNp linux-2.6.36.1/net/compat.c linux-2.6.36.1/net/compat.c
55264 --- linux-2.6.36.1/net/compat.c 2010-10-20 16:30:22.000000000 -0400
55265 +++ linux-2.6.36.1/net/compat.c 2010-11-15 17:15:40.000000000 -0500
55266 @@ -41,10 +41,12 @@ static inline int iov_from_user_compat_t
55269 if (get_user(len, &uiov32->iov_len) ||
55270 - get_user(buf, &uiov32->iov_base)) {
55271 - tot_len = -EFAULT;
55274 + get_user(buf, &uiov32->iov_base))
55277 + if (len > INT_MAX - tot_len)
55278 + len = INT_MAX - tot_len;
55281 kiov->iov_base = compat_ptr(buf);
55282 kiov->iov_len = (__kernel_size_t) len;
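Review bot: Clamping `len` to `INT_MAX - tot_len` at 55277–55278 silently truncates the user's iovec instead of failing the call, so a process that asks for more than INT_MAX bytes in aggregate gets a short transfer with no error, which is a visible semantics change for the syscall and should be stated in a comment, e.g. `/* cap the running total at INT_MAX: callers return it as an int; excess is truncated rather than rejected */`. The companion change in net/core/iovec.c at -60 goes further and writes the clamped value back into `iov[ct].iov_len` (55336), so the kernel copy of the iovec no longer matches what the user passed; if that is intended for the transfer loops downstream, say so there too. The `return -EFAULT` replacement and the `#endif`-style lines (55272–55276, 55279–55280) are not shown.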
55283 diff -urNp linux-2.6.36.1/net/core/dev.c linux-2.6.36.1/net/core/dev.c
55284 --- linux-2.6.36.1/net/core/dev.c 2010-10-20 16:30:22.000000000 -0400
55285 +++ linux-2.6.36.1/net/core/dev.c 2010-11-06 18:58:15.000000000 -0400
55286 @@ -2554,7 +2554,7 @@ int netif_rx_ni(struct sk_buff *skb)
55288 EXPORT_SYMBOL(netif_rx_ni);
55290 -static void net_tx_action(struct softirq_action *h)
55291 +static void net_tx_action(void)
55293 struct softnet_data *sd = &__get_cpu_var(softnet_data);
55295 @@ -3482,7 +3482,7 @@ void netif_napi_del(struct napi_struct *
55297 EXPORT_SYMBOL(netif_napi_del);
55299 -static void net_rx_action(struct softirq_action *h)
55300 +static void net_rx_action(void)
55302 struct softnet_data *sd = &__get_cpu_var(softnet_data);
55303 unsigned long time_limit = jiffies + 2;
55304 diff -urNp linux-2.6.36.1/net/core/iovec.c linux-2.6.36.1/net/core/iovec.c
55305 --- linux-2.6.36.1/net/core/iovec.c 2010-10-20 16:30:22.000000000 -0400
55306 +++ linux-2.6.36.1/net/core/iovec.c 2010-11-15 17:16:46.000000000 -0500
55311 -long verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
55312 +int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr *address, int mode)
55316 + int size, ct, err;
55318 if (m->msg_namelen) {
55319 if (mode == VERIFY_READ) {
55320 @@ -60,14 +59,13 @@ long verify_iovec(struct msghdr *m, stru
55323 for (ct = 0; ct < m->msg_iovlen; ct++) {
55324 - err += iov[ct].iov_len;
55326 - * Goal is not to verify user data, but to prevent returning
55327 - * negative value, which is interpreted as errno.
55328 - * Overflow is still possible, but it is harmless.
55331 - return -EMSGSIZE;
55332 + size_t len = iov[ct].iov_len;
55334 + if (len > INT_MAX - err) {
55335 + len = INT_MAX - err;
55336 + iov[ct].iov_len = len;
55342 diff -urNp linux-2.6.36.1/net/core/net-sysfs.c linux-2.6.36.1/net/core/net-sysfs.c
55343 --- linux-2.6.36.1/net/core/net-sysfs.c 2010-10-20 16:30:22.000000000 -0400
55344 +++ linux-2.6.36.1/net/core/net-sysfs.c 2010-11-06 18:58:15.000000000 -0400
55345 @@ -515,7 +515,7 @@ static ssize_t rx_queue_attr_store(struc
55346 return attribute->store(queue, attribute, buf, count);
55349 -static struct sysfs_ops rx_queue_sysfs_ops = {
55350 +static const struct sysfs_ops rx_queue_sysfs_ops = {
55351 .show = rx_queue_attr_show,
55352 .store = rx_queue_attr_store,
55354 diff -urNp linux-2.6.36.1/net/core/sock.c linux-2.6.36.1/net/core/sock.c
55355 --- linux-2.6.36.1/net/core/sock.c 2010-10-20 16:30:22.000000000 -0400
55356 +++ linux-2.6.36.1/net/core/sock.c 2010-11-06 18:58:15.000000000 -0400
55357 @@ -934,7 +934,7 @@ int sock_getsockopt(struct socket *sock,
55361 - if (copy_to_user(optval, address, len))
55362 + if (len > sizeof(address) || copy_to_user(optval, address, len))
55366 @@ -967,7 +967,7 @@ int sock_getsockopt(struct socket *sock,
55370 - if (copy_to_user(optval, &v, len))
55371 + if (len > sizeof(v) || copy_to_user(optval, &v, len))
55374 if (put_user(len, optlen))
55375 diff -urNp linux-2.6.36.1/net/dccp/ccids/ccid3.c linux-2.6.36.1/net/dccp/ccids/ccid3.c
55376 --- linux-2.6.36.1/net/dccp/ccids/ccid3.c 2010-10-20 16:30:22.000000000 -0400
55377 +++ linux-2.6.36.1/net/dccp/ccids/ccid3.c 2010-11-06 18:58:15.000000000 -0400
55379 static int ccid3_debug;
55380 #define ccid3_pr_debug(format, a...) DCCP_PR_DEBUG(ccid3_debug, format, ##a)
55382 -#define ccid3_pr_debug(format, a...)
55383 +#define ccid3_pr_debug(format, a...) do {} while (0)
55387 diff -urNp linux-2.6.36.1/net/dccp/dccp.h linux-2.6.36.1/net/dccp/dccp.h
55388 --- linux-2.6.36.1/net/dccp/dccp.h 2010-10-20 16:30:22.000000000 -0400
55389 +++ linux-2.6.36.1/net/dccp/dccp.h 2010-11-06 18:58:15.000000000 -0400
55390 @@ -44,9 +44,9 @@ extern int dccp_debug;
55391 #define dccp_pr_debug_cat(format, a...) DCCP_PRINTK(dccp_debug, format, ##a)
55392 #define dccp_debug(fmt, a...) dccp_pr_debug_cat(KERN_DEBUG fmt, ##a)
55394 -#define dccp_pr_debug(format, a...)
55395 -#define dccp_pr_debug_cat(format, a...)
55396 -#define dccp_debug(format, a...)
55397 +#define dccp_pr_debug(format, a...) do {} while (0)
55398 +#define dccp_pr_debug_cat(format, a...) do {} while (0)
55399 +#define dccp_debug(format, a...) do {} while (0)
55402 extern struct inet_hashinfo dccp_hashinfo;
55403 diff -urNp linux-2.6.36.1/net/decnet/sysctl_net_decnet.c linux-2.6.36.1/net/decnet/sysctl_net_decnet.c
55404 --- linux-2.6.36.1/net/decnet/sysctl_net_decnet.c 2010-10-20 16:30:22.000000000 -0400
55405 +++ linux-2.6.36.1/net/decnet/sysctl_net_decnet.c 2010-11-06 18:58:50.000000000 -0400
55406 @@ -173,7 +173,7 @@ static int dn_node_address_handler(ctl_t
55408 if (len > *lenp) len = *lenp;
55410 - if (copy_to_user(buffer, addr, len))
55411 + if (len > sizeof(addr) || copy_to_user(buffer, addr, len))
55415 @@ -236,7 +236,7 @@ static int dn_def_dev_handler(ctl_table
55417 if (len > *lenp) len = *lenp;
55419 - if (copy_to_user(buffer, devname, len))
55420 + if (len > sizeof(devname) || copy_to_user(buffer, devname, len))
55424 diff -urNp linux-2.6.36.1/net/ipv4/inet_diag.c linux-2.6.36.1/net/ipv4/inet_diag.c
55425 --- linux-2.6.36.1/net/ipv4/inet_diag.c 2010-10-20 16:30:22.000000000 -0400
55426 +++ linux-2.6.36.1/net/ipv4/inet_diag.c 2010-11-13 16:33:13.000000000 -0500
55427 @@ -114,8 +114,14 @@ static int inet_csk_diag_fill(struct soc
55428 r->idiag_retrans = 0;
55430 r->id.idiag_if = sk->sk_bound_dev_if;
55432 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55433 + r->id.idiag_cookie[0] = 0;
55434 + r->id.idiag_cookie[1] = 0;
55436 r->id.idiag_cookie[0] = (u32)(unsigned long)sk;
55437 r->id.idiag_cookie[1] = (u32)(((unsigned long)sk >> 31) >> 1);
55440 r->id.idiag_sport = inet->inet_sport;
55441 r->id.idiag_dport = inet->inet_dport;
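Review bot: The `#ifdef CONFIG_GRKERNSEC_HIDESYM` cookie zeroing at 55432–55434 is repeated verbatim for the time-wait and request paths (-201 and -578), so a small static inline that fills `r->id.idiag_cookie` from an object pointer would keep the three sites identical. More importantly, the hunk at -285 compiles the cookie comparison in inet_diag_get_exact() out entirely under the same option, which means an exact-socket query now matches on address and port alone; that is a deliberate consequence of not exposing kernel addresses, but the reader of that function cannot tell, so a comment there — `/* cookies are zeroed under HIDESYM (no kernel addresses leave the kernel), so they cannot be used to disambiguate sockets */` — is needed. The `#else`/`#endif` lines (55435, 55438–55439) are not shown.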
55442 @@ -201,8 +207,15 @@ static int inet_twsk_diag_fill(struct in
55443 r->idiag_family = tw->tw_family;
55444 r->idiag_retrans = 0;
55445 r->id.idiag_if = tw->tw_bound_dev_if;
55447 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55448 + r->id.idiag_cookie[0] = 0;
55449 + r->id.idiag_cookie[1] = 0;
55451 r->id.idiag_cookie[0] = (u32)(unsigned long)tw;
55452 r->id.idiag_cookie[1] = (u32)(((unsigned long)tw >> 31) >> 1);
55455 r->id.idiag_sport = tw->tw_sport;
55456 r->id.idiag_dport = tw->tw_dport;
55457 r->id.idiag_src[0] = tw->tw_rcv_saddr;
55458 @@ -285,12 +298,14 @@ static int inet_diag_get_exact(struct sk
55462 +#ifndef CONFIG_GRKERNSEC_HIDESYM
55464 if ((req->id.idiag_cookie[0] != INET_DIAG_NOCOOKIE ||
55465 req->id.idiag_cookie[1] != INET_DIAG_NOCOOKIE) &&
55466 ((u32)(unsigned long)sk != req->id.idiag_cookie[0] ||
55467 (u32)((((unsigned long)sk) >> 31) >> 1) != req->id.idiag_cookie[1]))
55472 rep = alloc_skb(NLMSG_SPACE((sizeof(struct inet_diag_msg) +
55473 @@ -578,8 +593,14 @@ static int inet_diag_fill_req(struct sk_
55474 r->idiag_retrans = req->retrans;
55476 r->id.idiag_if = sk->sk_bound_dev_if;
55478 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55479 + r->id.idiag_cookie[0] = 0;
55480 + r->id.idiag_cookie[1] = 0;
55482 r->id.idiag_cookie[0] = (u32)(unsigned long)req;
55483 r->id.idiag_cookie[1] = (u32)(((unsigned long)req >> 31) >> 1);
55486 tmo = req->expires - jiffies;
55488 diff -urNp linux-2.6.36.1/net/ipv4/inet_hashtables.c linux-2.6.36.1/net/ipv4/inet_hashtables.c
55489 --- linux-2.6.36.1/net/ipv4/inet_hashtables.c 2010-10-20 16:30:22.000000000 -0400
55490 +++ linux-2.6.36.1/net/ipv4/inet_hashtables.c 2010-11-06 18:58:50.000000000 -0400
55491 @@ -18,11 +18,14 @@
55492 #include <linux/sched.h>
55493 #include <linux/slab.h>
55494 #include <linux/wait.h>
55495 +#include <linux/security.h>
55497 #include <net/inet_connection_sock.h>
55498 #include <net/inet_hashtables.h>
55499 #include <net/route.h>
55500 #include <net/ip.h>
55502 +extern void gr_update_task_in_ip_table(struct task_struct *task, const struct inet_sock *inet);
55505 * Allocate and initialize a new local port bind bucket.
55506 * The bindhash mutex for snum's hash chain must be held here.
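Review bot: The `extern void gr_update_task_in_ip_table(...)` prototype at 55502 is placed in a .c file rather than a header, so the declaration and the definition can drift apart without a compiler error; the same pattern appears with `extern int grsec_enable_blackhole;` in net/ipv4/tcp_ipv4.c at -86. Moving both into the shared header that declares the other gr_* hooks (the `<linux/security.h>` include added at 55495 suggests there is one) gives a single checked declaration. A one-line comment at the call site, `/* record the owning task for this local port so per-process socket restrictions can be enforced */` or whatever the hook actually does, would also help, since the name alone does not say.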
55507 @@ -506,6 +509,8 @@ ok:
55508 twrefcnt += inet_twsk_bind_unhash(tw, hinfo);
55509 spin_unlock(&head->lock);
55511 + gr_update_task_in_ip_table(current, inet_sk(sk));
55514 inet_twsk_deschedule(tw, death_row);
55516 diff -urNp linux-2.6.36.1/net/ipv4/inetpeer.c linux-2.6.36.1/net/ipv4/inetpeer.c
55517 --- linux-2.6.36.1/net/ipv4/inetpeer.c 2010-10-20 16:30:22.000000000 -0400
55518 +++ linux-2.6.36.1/net/ipv4/inetpeer.c 2010-11-06 18:58:15.000000000 -0400
55519 @@ -447,8 +447,8 @@ struct inet_peer *inet_getpeer(__be32 da
55521 p->v4daddr = daddr;
55522 atomic_set(&p->refcnt, 1);
55523 - atomic_set(&p->rid, 0);
55524 - atomic_set(&p->ip_id_count, secure_ip_id(daddr));
55525 + atomic_set_unchecked(&p->rid, 0);
55526 + atomic_set_unchecked(&p->ip_id_count, secure_ip_id(daddr));
55527 p->tcp_ts_stamp = 0;
55528 INIT_LIST_HEAD(&p->unused);
55530 diff -urNp linux-2.6.36.1/net/ipv4/ip_fragment.c linux-2.6.36.1/net/ipv4/ip_fragment.c
55531 --- linux-2.6.36.1/net/ipv4/ip_fragment.c 2010-10-20 16:30:22.000000000 -0400
55532 +++ linux-2.6.36.1/net/ipv4/ip_fragment.c 2010-11-06 18:58:15.000000000 -0400
55533 @@ -279,7 +279,7 @@ static inline int ip_frag_too_far(struct
55537 - end = atomic_inc_return(&peer->rid);
55538 + end = atomic_inc_return_unchecked(&peer->rid);
55541 rc = qp->q.fragments && (end - start) > max;
55542 diff -urNp linux-2.6.36.1/net/ipv4/netfilter/arp_tables.c linux-2.6.36.1/net/ipv4/netfilter/arp_tables.c
55543 --- linux-2.6.36.1/net/ipv4/netfilter/arp_tables.c 2010-10-20 16:30:22.000000000 -0400
55544 +++ linux-2.6.36.1/net/ipv4/netfilter/arp_tables.c 2010-11-06 18:58:50.000000000 -0400
55545 @@ -927,6 +927,7 @@ static int get_info(struct net *net, voi
55549 + memset(&info, 0, sizeof(info));
55550 info.valid_hooks = t->valid_hooks;
55551 memcpy(info.hook_entry, private->hook_entry,
55552 sizeof(info.hook_entry));
55553 diff -urNp linux-2.6.36.1/net/ipv4/netfilter/ip_tables.c linux-2.6.36.1/net/ipv4/netfilter/ip_tables.c
55554 --- linux-2.6.36.1/net/ipv4/netfilter/ip_tables.c 2010-10-20 16:30:22.000000000 -0400
55555 +++ linux-2.6.36.1/net/ipv4/netfilter/ip_tables.c 2010-11-06 18:58:50.000000000 -0400
55556 @@ -1124,6 +1124,7 @@ static int get_info(struct net *net, voi
55560 + memset(&info, 0, sizeof(info));
55561 info.valid_hooks = t->valid_hooks;
55562 memcpy(info.hook_entry, private->hook_entry,
55563 sizeof(info.hook_entry));
55564 diff -urNp linux-2.6.36.1/net/ipv4/netfilter/nf_nat_snmp_basic.c linux-2.6.36.1/net/ipv4/netfilter/nf_nat_snmp_basic.c
55565 --- linux-2.6.36.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-10-20 16:30:22.000000000 -0400
55566 +++ linux-2.6.36.1/net/ipv4/netfilter/nf_nat_snmp_basic.c 2010-11-06 18:58:15.000000000 -0400
55567 @@ -398,7 +398,7 @@ static unsigned char asn1_octets_decode(
55571 - *octets = kmalloc(eoc - ctx->pointer, GFP_ATOMIC);
55572 + *octets = kmalloc((eoc - ctx->pointer), GFP_ATOMIC);
55573 if (*octets == NULL) {
55574 if (net_ratelimit())
55575 pr_notice("OOM in bsalg (%d)\n", __LINE__);
55576 diff -urNp linux-2.6.36.1/net/ipv4/route.c linux-2.6.36.1/net/ipv4/route.c
55577 --- linux-2.6.36.1/net/ipv4/route.c 2010-10-20 16:30:22.000000000 -0400
55578 +++ linux-2.6.36.1/net/ipv4/route.c 2010-11-06 18:58:15.000000000 -0400
55579 @@ -2890,7 +2890,7 @@ static int rt_fill_info(struct net *net,
55580 expires = rt->dst.expires ? rt->dst.expires - jiffies : 0;
55582 inet_peer_refcheck(rt->peer);
55583 - id = atomic_read(&rt->peer->ip_id_count) & 0xffff;
55584 + id = atomic_read_unchecked(&rt->peer->ip_id_count) & 0xffff;
55585 if (rt->peer->tcp_ts_stamp) {
55586 ts = rt->peer->tcp_ts;
55587 tsage = get_seconds() - rt->peer->tcp_ts_stamp;
55588 diff -urNp linux-2.6.36.1/net/ipv4/tcp.c linux-2.6.36.1/net/ipv4/tcp.c
55589 --- linux-2.6.36.1/net/ipv4/tcp.c 2010-10-20 16:30:22.000000000 -0400
55590 +++ linux-2.6.36.1/net/ipv4/tcp.c 2010-11-13 16:29:01.000000000 -0500
55591 @@ -2246,7 +2246,7 @@ static int do_tcp_setsockopt(struct sock
55592 /* Values greater than interface MTU won't take effect. However
55593 * at the point when this call is done we typically don't yet
55594 * know which interface is going to be used */
55595 - if (val < 8 || val > MAX_TCP_WINDOW) {
55596 + if (val < 64 || val > MAX_TCP_WINDOW) {
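Review bot: Raising the TCP_MAXSEG lower bound from 8 to 64 at 55596 is a user-visible ABI change — setsockopt() now fails with -EINVAL for values 8..63 that previously succeeded — and the surrounding comment only talks about the upper bound. I'd extend it with the rationale, presumably `/* reject tiny MSS values: they force per-segment overhead on every few bytes and are a cheap way to burn CPU and memory */`, adjusted to the real reason. Documenting the new floor in the socket-option manual for this tree would be the matching follow-up.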
55600 diff -urNp linux-2.6.36.1/net/ipv4/tcp_ipv4.c linux-2.6.36.1/net/ipv4/tcp_ipv4.c
55601 --- linux-2.6.36.1/net/ipv4/tcp_ipv4.c 2010-10-20 16:30:22.000000000 -0400
55602 +++ linux-2.6.36.1/net/ipv4/tcp_ipv4.c 2010-11-06 19:08:40.000000000 -0400
55603 @@ -86,6 +86,9 @@ int sysctl_tcp_tw_reuse __read_mostly;
55604 int sysctl_tcp_low_latency __read_mostly;
55605 EXPORT_SYMBOL(sysctl_tcp_low_latency);
55607 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55608 +extern int grsec_enable_blackhole;
55611 #ifdef CONFIG_TCP_MD5SIG
55612 static struct tcp_md5sig_key *tcp_v4_md5_do_lookup(struct sock *sk,
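Review bot: `extern int grsec_enable_blackhole;` is declared directly in the .c file rather than in a shared header, and the same declaration is repeated in net/ipv4/tcp_minisocks.c, net/ipv4/udp.c, net/ipv6/tcp_ipv6.c and net/ipv6/udp.c, with `grsec_lastack_retries` in net/ipv4/tcp_timer.c and the `gr_search_udp_sendmsg`/`gr_search_udp_recvmsg` prototypes in net/ipv4/udp.c following the same pattern. Per-file externs are never checked against the definition, so a type or signature change in grsecurity's own code would compile silently and misbehave at runtime. Declaring them once in the grsecurity header this patch already ships (`linux/grsecurity.h` is included by the new xt_gradm.c) gives the compiler a single prototype to verify, and the `#ifdef CONFIG_GRKERNSEC_BLACKHOLE` guard can live there too.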
55613 @@ -1597,6 +1600,9 @@ int tcp_v4_do_rcv(struct sock *sk, struc
55617 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55618 + if (!grsec_enable_blackhole)
55620 tcp_v4_send_reset(rsk, skb);
55623 @@ -1659,12 +1665,19 @@ int tcp_v4_rcv(struct sk_buff *skb)
55624 TCP_SKB_CB(skb)->sacked = 0;
55626 sk = __inet_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
55629 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55632 goto no_tcp_socket;
55636 - if (sk->sk_state == TCP_TIME_WAIT)
55637 + if (sk->sk_state == TCP_TIME_WAIT) {
55638 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55644 if (unlikely(iph->ttl < inet_sk(sk)->min_ttl)) {
55645 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
55646 @@ -1714,6 +1727,10 @@ no_tcp_socket:
55648 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
55650 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55651 + if (!grsec_enable_blackhole || (ret == 1 &&
55652 + (skb->dev->flags & IFF_LOOPBACK)))
55654 tcp_v4_send_reset(NULL, skb);
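Review bot: The loopback exception `(ret == 1 && (skb->dev->flags & IFF_LOOPBACK))` reads `ret` on the `no_tcp_socket` path, but nothing in this hunk assigns it, and the lines the patch adds beside the `goto no_tcp_socket` at the lookup-failure site (the hunk at @@ -1659) are not all visible on this page, so whether every jump to the label sets `ret` first cannot be confirmed from here. If any path reaches the label with `ret` indeterminate, the comparison is undefined behaviour and the decision to send a RST becomes unpredictable. A comment at the label documenting the encoding, e.g. `/* ret == 1: no listener at all; a loopback peer still gets a RST */` (assuming that is what 1 means), would make the contract checkable; the same construct appears in net/ipv6/tcp_ipv6.c at `@@ -1759,6 +1774,10 @@ no_tcp_socket:`. tcp_v4_rcv begins and ends outside the hunk.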
55657 @@ -2400,7 +2417,11 @@ static void get_openreq4(struct sock *sk
55658 0, /* non standard timer */
55659 0, /* open_requests have no inode */
55660 atomic_read(&sk->sk_refcnt),
55661 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55669 @@ -2450,7 +2471,12 @@ static void get_tcp4_sock(struct sock *s
55671 icsk->icsk_probes_out,
55673 - atomic_read(&sk->sk_refcnt), sk,
55674 + atomic_read(&sk->sk_refcnt),
55675 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55680 jiffies_to_clock_t(icsk->icsk_rto),
55681 jiffies_to_clock_t(icsk->icsk_ack.ato),
55682 (icsk->icsk_ack.quick << 1) | icsk->icsk_ack.pingpong,
55683 @@ -2478,7 +2504,13 @@ static void get_timewait4_sock(struct in
55684 " %02X %08X:%08X %02X:%08lX %08X %5d %8d %d %d %p%n",
55685 i, src, srcp, dest, destp, tw->tw_substate, 0, 0,
55686 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
55687 - atomic_read(&tw->tw_refcnt), tw, len);
55688 + atomic_read(&tw->tw_refcnt),
55689 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55698 diff -urNp linux-2.6.36.1/net/ipv4/tcp_minisocks.c linux-2.6.36.1/net/ipv4/tcp_minisocks.c
55699 --- linux-2.6.36.1/net/ipv4/tcp_minisocks.c 2010-10-20 16:30:22.000000000 -0400
55700 +++ linux-2.6.36.1/net/ipv4/tcp_minisocks.c 2010-11-06 18:58:50.000000000 -0400
55702 #include <net/inet_common.h>
55703 #include <net/xfrm.h>
55705 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55706 +extern int grsec_enable_blackhole;
55709 int sysctl_tcp_syncookies __read_mostly = 1;
55710 EXPORT_SYMBOL(sysctl_tcp_syncookies);
55712 @@ -700,6 +704,10 @@ listen_overflow:
55715 NET_INC_STATS_BH(sock_net(sk), LINUX_MIB_EMBRYONICRSTS);
55717 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55718 + if (!grsec_enable_blackhole)
55720 if (!(flg & TCP_FLAG_RST))
55721 req->rsk_ops->send_reset(sk, skb);
55723 diff -urNp linux-2.6.36.1/net/ipv4/tcp_probe.c linux-2.6.36.1/net/ipv4/tcp_probe.c
55724 --- linux-2.6.36.1/net/ipv4/tcp_probe.c 2010-10-20 16:30:22.000000000 -0400
55725 +++ linux-2.6.36.1/net/ipv4/tcp_probe.c 2010-11-06 18:58:50.000000000 -0400
55726 @@ -202,7 +202,7 @@ static ssize_t tcpprobe_read(struct file
55727 if (cnt + width >= len)
55730 - if (copy_to_user(buf + cnt, tbuf, width))
55731 + if (width > sizeof(tbuf) || copy_to_user(buf + cnt, tbuf, width))
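Review bot: `width > sizeof(tbuf)` correctly refuses to copy more than the local buffer holds, but nothing on the page says why `width` can exceed it; if `width` is the return of an snprintf-style formatter it is the length the line would have had, not the bytes actually written, which is precisely the case this guard catches. A comment on the line, `/* width may exceed tbuf when the formatted line was truncated */`, keeps the check from being "simplified" away later. The same bound-before-copy pattern is added in net/mac80211/rc80211_pid_debugfs.c, net/packet/af_packet.c (packet_getsockopt, twice) and net/sctp/socket.c (sctp_getsockopt_peer_addrs). tcpprobe_read begins and ends outside the hunk.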
55735 diff -urNp linux-2.6.36.1/net/ipv4/tcp_timer.c linux-2.6.36.1/net/ipv4/tcp_timer.c
55736 --- linux-2.6.36.1/net/ipv4/tcp_timer.c 2010-10-20 16:30:22.000000000 -0400
55737 +++ linux-2.6.36.1/net/ipv4/tcp_timer.c 2010-11-06 19:10:03.000000000 -0400
55739 #include <linux/gfp.h>
55740 #include <net/tcp.h>
55742 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55743 +extern int grsec_lastack_retries;
55746 int sysctl_tcp_syn_retries __read_mostly = TCP_SYN_RETRIES;
55747 int sysctl_tcp_synack_retries __read_mostly = TCP_SYNACK_RETRIES;
55748 int sysctl_tcp_keepalive_time __read_mostly = TCP_KEEPALIVE_TIME;
55749 @@ -198,6 +202,13 @@ static int tcp_write_timeout(struct sock
55753 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55754 + if ((sk->sk_state == TCP_LAST_ACK) &&
55755 + (grsec_lastack_retries > 0) &&
55756 + (grsec_lastack_retries < retry_until))
55757 + retry_until = grsec_lastack_retries;
55760 if (retransmits_timed_out(sk, retry_until, syn_set)) {
55761 /* Has it gone just too far? */
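Review bot: The new `retry_until` cap carries no comment, and the three conditions encode a policy (`grsec_lastack_retries` applies only in `TCP_LAST_ACK`, only when positive, and only when it lowers the limit) that a maintainer cannot reconstruct from the variable name. A comment above the `#ifdef`, `/* optionally bound retransmissions in LAST_ACK so half-closed connections do not linger; 0 means use retry_until */`, captures it; that 0 means "disabled" is inferred from the `> 0` test and should be confirmed against the sysctl definition. tcp_write_timeout begins and ends outside the hunk.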
55763 diff -urNp linux-2.6.36.1/net/ipv4/udp.c linux-2.6.36.1/net/ipv4/udp.c
55764 --- linux-2.6.36.1/net/ipv4/udp.c 2010-10-20 16:30:22.000000000 -0400
55765 +++ linux-2.6.36.1/net/ipv4/udp.c 2010-11-06 18:58:50.000000000 -0400
55767 #include <linux/types.h>
55768 #include <linux/fcntl.h>
55769 #include <linux/module.h>
55770 +#include <linux/security.h>
55771 #include <linux/socket.h>
55772 #include <linux/sockios.h>
55773 #include <linux/igmp.h>
55774 @@ -107,6 +108,10 @@
55775 #include <net/xfrm.h>
55776 #include "udp_impl.h"
55778 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55779 +extern int grsec_enable_blackhole;
55782 struct udp_table udp_table __read_mostly;
55783 EXPORT_SYMBOL(udp_table);
55785 @@ -564,6 +569,9 @@ found:
55789 +extern int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
55790 +extern int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
55793 * This routine is called by the ICMP module when it gets some
55794 * sort of error condition. If err < 0 then the socket should
55795 @@ -832,9 +840,18 @@ int udp_sendmsg(struct kiocb *iocb, stru
55796 dport = usin->sin_port;
55800 + err = gr_search_udp_sendmsg(sk, usin);
55804 if (sk->sk_state != TCP_ESTABLISHED)
55805 return -EDESTADDRREQ;
55807 + err = gr_search_udp_sendmsg(sk, NULL);
55811 daddr = inet->inet_daddr;
55812 dport = inet->inet_dport;
55813 /* Open fast path for connected socket.
55814 @@ -1141,6 +1158,10 @@ try_again:
55818 + err = gr_search_udp_recvmsg(sk, skb);
55822 ulen = skb->len - sizeof(struct udphdr);
55825 @@ -1625,6 +1646,9 @@ int __udp4_lib_rcv(struct sk_buff *skb,
55828 UDP_INC_STATS_BH(net, UDP_MIB_NOPORTS, proto == IPPROTO_UDPLITE);
55829 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55830 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
55832 icmp_send(skb, ICMP_DEST_UNREACH, ICMP_PORT_UNREACH, 0);
55835 @@ -2051,7 +2075,12 @@ static void udp4_format_sock(struct sock
55836 sk_wmem_alloc_get(sp),
55837 sk_rmem_alloc_get(sp),
55838 0, 0L, 0, sock_i_uid(sp), 0, sock_i_ino(sp),
55839 - atomic_read(&sp->sk_refcnt), sp,
55840 + atomic_read(&sp->sk_refcnt),
55841 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55846 atomic_read(&sp->sk_drops), len);
55849 diff -urNp linux-2.6.36.1/net/ipv6/exthdrs.c linux-2.6.36.1/net/ipv6/exthdrs.c
55850 --- linux-2.6.36.1/net/ipv6/exthdrs.c 2010-10-20 16:30:22.000000000 -0400
55851 +++ linux-2.6.36.1/net/ipv6/exthdrs.c 2010-11-06 18:58:15.000000000 -0400
55852 @@ -634,7 +634,7 @@ static struct tlvtype_proc tlvprochopopt
55853 .type = IPV6_TLV_JUMBO,
55854 .func = ipv6_hop_jumbo,
55860 int ipv6_parse_hopopts(struct sk_buff *skb)
55861 diff -urNp linux-2.6.36.1/net/ipv6/netfilter/ip6_tables.c linux-2.6.36.1/net/ipv6/netfilter/ip6_tables.c
55862 --- linux-2.6.36.1/net/ipv6/netfilter/ip6_tables.c 2010-10-20 16:30:22.000000000 -0400
55863 +++ linux-2.6.36.1/net/ipv6/netfilter/ip6_tables.c 2010-11-06 18:58:50.000000000 -0400
55864 @@ -1137,6 +1137,7 @@ static int get_info(struct net *net, voi
55868 + memset(&info, 0, sizeof(info));
55869 info.valid_hooks = t->valid_hooks;
55870 memcpy(info.hook_entry, private->hook_entry,
55871 sizeof(info.hook_entry));
55872 diff -urNp linux-2.6.36.1/net/ipv6/raw.c linux-2.6.36.1/net/ipv6/raw.c
55873 --- linux-2.6.36.1/net/ipv6/raw.c 2010-10-20 16:30:22.000000000 -0400
55874 +++ linux-2.6.36.1/net/ipv6/raw.c 2010-11-06 18:58:50.000000000 -0400
55875 @@ -601,7 +601,7 @@ out:
55879 -static int rawv6_send_hdrinc(struct sock *sk, void *from, int length,
55880 +static int rawv6_send_hdrinc(struct sock *sk, void *from, unsigned int length,
55881 struct flowi *fl, struct dst_entry **dstp,
55882 unsigned int flags)
55884 @@ -1243,7 +1243,13 @@ static void raw6_sock_seq_show(struct se
55888 - atomic_read(&sp->sk_refcnt), sp, atomic_read(&sp->sk_drops));
55889 + atomic_read(&sp->sk_refcnt),
55890 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55895 + atomic_read(&sp->sk_drops));
55898 static int raw6_seq_show(struct seq_file *seq, void *v)
55899 diff -urNp linux-2.6.36.1/net/ipv6/tcp_ipv6.c linux-2.6.36.1/net/ipv6/tcp_ipv6.c
55900 --- linux-2.6.36.1/net/ipv6/tcp_ipv6.c 2010-10-20 16:30:22.000000000 -0400
55901 +++ linux-2.6.36.1/net/ipv6/tcp_ipv6.c 2010-11-06 18:58:50.000000000 -0400
55902 @@ -92,6 +92,10 @@ static struct tcp_md5sig_key *tcp_v6_md5
55906 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55907 +extern int grsec_enable_blackhole;
55910 static void tcp_v6_hash(struct sock *sk)
55912 if (sk->sk_state != TCP_CLOSE) {
55913 @@ -1627,6 +1631,9 @@ static int tcp_v6_do_rcv(struct sock *sk
55917 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55918 + if (!grsec_enable_blackhole)
55920 tcp_v6_send_reset(sk, skb);
55923 @@ -1706,12 +1713,20 @@ static int tcp_v6_rcv(struct sk_buff *sk
55924 TCP_SKB_CB(skb)->sacked = 0;
55926 sk = __inet6_lookup_skb(&tcp_hashinfo, skb, th->source, th->dest);
55929 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55932 goto no_tcp_socket;
55936 - if (sk->sk_state == TCP_TIME_WAIT)
55937 + if (sk->sk_state == TCP_TIME_WAIT) {
55938 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55944 if (hdr->hop_limit < inet6_sk(sk)->min_hopcount) {
55945 NET_INC_STATS_BH(net, LINUX_MIB_TCPMINTTLDROP);
55946 @@ -1759,6 +1774,10 @@ no_tcp_socket:
55948 TCP_INC_STATS_BH(net, TCP_MIB_INERRS);
55950 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
55951 + if (!grsec_enable_blackhole || (ret == 1 &&
55952 + (skb->dev->flags & IFF_LOOPBACK)))
55954 tcp_v6_send_reset(NULL, skb);
55957 @@ -1987,7 +2006,13 @@ static void get_openreq6(struct seq_file
55959 0, /* non standard timer */
55960 0, /* open_requests have no inode */
55963 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55971 static void get_tcp6_sock(struct seq_file *seq, struct sock *sp, int i)
55972 @@ -2037,7 +2062,12 @@ static void get_tcp6_sock(struct seq_fil
55974 icsk->icsk_probes_out,
55976 - atomic_read(&sp->sk_refcnt), sp,
55977 + atomic_read(&sp->sk_refcnt),
55978 +#ifdef CONFIG_GRKERNSEC_HIDESYM
55983 jiffies_to_clock_t(icsk->icsk_rto),
55984 jiffies_to_clock_t(icsk->icsk_ack.ato),
55985 (icsk->icsk_ack.quick << 1 ) | icsk->icsk_ack.pingpong,
55986 @@ -2072,7 +2102,13 @@ static void get_timewait6_sock(struct se
55987 dest->s6_addr32[2], dest->s6_addr32[3], destp,
55988 tw->tw_substate, 0, 0,
55989 3, jiffies_to_clock_t(ttd), 0, 0, 0, 0,
55990 - atomic_read(&tw->tw_refcnt), tw);
55991 + atomic_read(&tw->tw_refcnt),
55992 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56000 static int tcp6_seq_show(struct seq_file *seq, void *v)
56001 diff -urNp linux-2.6.36.1/net/ipv6/udp.c linux-2.6.36.1/net/ipv6/udp.c
56002 --- linux-2.6.36.1/net/ipv6/udp.c 2010-10-20 16:30:22.000000000 -0400
56003 +++ linux-2.6.36.1/net/ipv6/udp.c 2010-11-06 18:58:50.000000000 -0400
56005 #include <linux/seq_file.h>
56006 #include "udp_impl.h"
56008 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56009 +extern int grsec_enable_blackhole;
56012 int ipv6_rcv_saddr_equal(const struct sock *sk, const struct sock *sk2)
56014 const struct in6_addr *sk_rcv_saddr6 = &inet6_sk(sk)->rcv_saddr;
56015 @@ -765,6 +769,9 @@ int __udp6_lib_rcv(struct sk_buff *skb,
56016 UDP6_INC_STATS_BH(net, UDP_MIB_NOPORTS,
56017 proto == IPPROTO_UDPLITE);
56019 +#ifdef CONFIG_GRKERNSEC_BLACKHOLE
56020 + if (!grsec_enable_blackhole || (skb->dev->flags & IFF_LOOPBACK))
56022 icmpv6_send(skb, ICMPV6_DEST_UNREACH, ICMPV6_PORT_UNREACH, 0);
56025 @@ -1399,7 +1406,12 @@ static void udp6_sock_seq_show(struct se
56029 - atomic_read(&sp->sk_refcnt), sp,
56030 + atomic_read(&sp->sk_refcnt),
56031 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56036 atomic_read(&sp->sk_drops));
56039 diff -urNp linux-2.6.36.1/net/irda/ircomm/ircomm_tty.c linux-2.6.36.1/net/irda/ircomm/ircomm_tty.c
56040 --- linux-2.6.36.1/net/irda/ircomm/ircomm_tty.c 2010-10-20 16:30:22.000000000 -0400
56041 +++ linux-2.6.36.1/net/irda/ircomm/ircomm_tty.c 2010-11-06 18:58:15.000000000 -0400
56042 @@ -281,16 +281,16 @@ static int ircomm_tty_block_til_ready(st
56043 add_wait_queue(&self->open_wait, &wait);
56045 IRDA_DEBUG(2, "%s(%d):block_til_ready before block on %s open_count=%d\n",
56046 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56047 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
56049 /* As far as I can see, we protect open_count - Jean II */
56050 spin_lock_irqsave(&self->spinlock, flags);
56051 if (!tty_hung_up_p(filp)) {
56053 - self->open_count--;
56054 + atomic_dec(&self->open_count);
56056 spin_unlock_irqrestore(&self->spinlock, flags);
56057 - self->blocked_open++;
56058 + atomic_inc(&self->blocked_open);
56061 if (tty->termios->c_cflag & CBAUD) {
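Review bot: `open_count` and `blocked_open` become `atomic_t`, yet the comments kept in this hunk — `/* As far as I can see, we protect open_count - Jean II */` here and `/* ++ is not atomic, so this should be protected - Jean II */` in the hunks at @@ -341 and @@ -416 — still describe the old plain-int scheme and now misstate why the spinlock is held. Update them, e.g. `/* open_count is atomic_t; the spinlock still orders it with the other state it guards */`, so nobody later removes either the lock or the atomics on the strength of a stale comment. The rest of the conversion (`atomic_dec`/`atomic_inc` inside the locked region) is consistent; ircomm_tty_block_til_ready begins and ends outside the hunk.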
56062 @@ -330,7 +330,7 @@ static int ircomm_tty_block_til_ready(st
56065 IRDA_DEBUG(1, "%s(%d):block_til_ready blocking on %s open_count=%d\n",
56066 - __FILE__,__LINE__, tty->driver->name, self->open_count );
56067 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count) );
56071 @@ -341,13 +341,13 @@ static int ircomm_tty_block_til_ready(st
56073 /* ++ is not atomic, so this should be protected - Jean II */
56074 spin_lock_irqsave(&self->spinlock, flags);
56075 - self->open_count++;
56076 + atomic_inc(&self->open_count);
56077 spin_unlock_irqrestore(&self->spinlock, flags);
56079 - self->blocked_open--;
56080 + atomic_dec(&self->blocked_open);
56082 IRDA_DEBUG(1, "%s(%d):block_til_ready after blocking on %s open_count=%d\n",
56083 - __FILE__,__LINE__, tty->driver->name, self->open_count);
56084 + __FILE__,__LINE__, tty->driver->name, atomic_read(&self->open_count));
56087 self->flags |= ASYNC_NORMAL_ACTIVE;
56088 @@ -416,14 +416,14 @@ static int ircomm_tty_open(struct tty_st
56090 /* ++ is not atomic, so this should be protected - Jean II */
56091 spin_lock_irqsave(&self->spinlock, flags);
56092 - self->open_count++;
56093 + atomic_inc(&self->open_count);
56095 tty->driver_data = self;
56097 spin_unlock_irqrestore(&self->spinlock, flags);
56099 IRDA_DEBUG(1, "%s(), %s%d, count = %d\n", __func__ , tty->driver->name,
56100 - self->line, self->open_count);
56101 + self->line, atomic_read(&self->open_count));
56103 /* Not really used by us, but lets do it anyway */
56104 self->tty->low_latency = (self->flags & ASYNC_LOW_LATENCY) ? 1 : 0;
56105 @@ -509,7 +509,7 @@ static void ircomm_tty_close(struct tty_
56109 - if ((tty->count == 1) && (self->open_count != 1)) {
56110 + if ((tty->count == 1) && (atomic_read(&self->open_count) != 1)) {
56112 * Uh, oh. tty->count is 1, which means that the tty
56113 * structure will be freed. state->count should always
56114 @@ -519,16 +519,16 @@ static void ircomm_tty_close(struct tty_
56116 IRDA_DEBUG(0, "%s(), bad serial port count; "
56117 "tty->count is 1, state->count is %d\n", __func__ ,
56118 - self->open_count);
56119 - self->open_count = 1;
56120 + atomic_read(&self->open_count));
56121 + atomic_set(&self->open_count, 1);
56124 - if (--self->open_count < 0) {
56125 + if (atomic_dec_return(&self->open_count) < 0) {
56126 IRDA_ERROR("%s(), bad serial port count for ttys%d: %d\n",
56127 - __func__, self->line, self->open_count);
56128 - self->open_count = 0;
56129 + __func__, self->line, atomic_read(&self->open_count));
56130 + atomic_set(&self->open_count, 0);
56132 - if (self->open_count) {
56133 + if (atomic_read(&self->open_count)) {
56134 spin_unlock_irqrestore(&self->spinlock, flags);
56136 IRDA_DEBUG(0, "%s(), open count > 0\n", __func__ );
56137 @@ -560,7 +560,7 @@ static void ircomm_tty_close(struct tty_
56141 - if (self->blocked_open) {
56142 + if (atomic_read(&self->blocked_open)) {
56143 if (self->close_delay)
56144 schedule_timeout_interruptible(self->close_delay);
56145 wake_up_interruptible(&self->open_wait);
56146 @@ -1012,7 +1012,7 @@ static void ircomm_tty_hangup(struct tty
56147 spin_lock_irqsave(&self->spinlock, flags);
56148 self->flags &= ~ASYNC_NORMAL_ACTIVE;
56150 - self->open_count = 0;
56151 + atomic_set(&self->open_count, 0);
56152 spin_unlock_irqrestore(&self->spinlock, flags);
56154 wake_up_interruptible(&self->open_wait);
56155 @@ -1364,7 +1364,7 @@ static void ircomm_tty_line_info(struct
56158 seq_printf(m, "Role: %s\n", self->client ? "client" : "server");
56159 - seq_printf(m, "Open count: %d\n", self->open_count);
56160 + seq_printf(m, "Open count: %d\n", atomic_read(&self->open_count));
56161 seq_printf(m, "Max data size: %d\n", self->max_data_size);
56162 seq_printf(m, "Max header size: %d\n", self->max_header_size);
56164 diff -urNp linux-2.6.36.1/net/key/af_key.c linux-2.6.36.1/net/key/af_key.c
56165 --- linux-2.6.36.1/net/key/af_key.c 2010-10-20 16:30:22.000000000 -0400
56166 +++ linux-2.6.36.1/net/key/af_key.c 2010-11-06 18:58:50.000000000 -0400
56167 @@ -3644,7 +3644,11 @@ static int pfkey_seq_show(struct seq_fil
56168 seq_printf(f ,"sk RefCnt Rmem Wmem User Inode\n");
56170 seq_printf(f ,"%p %-6d %-6u %-6u %-6u %-6lu\n",
56171 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56176 atomic_read(&s->sk_refcnt),
56177 sk_rmem_alloc_get(s),
56178 sk_wmem_alloc_get(s),
56179 diff -urNp linux-2.6.36.1/net/mac80211/ieee80211_i.h linux-2.6.36.1/net/mac80211/ieee80211_i.h
56180 --- linux-2.6.36.1/net/mac80211/ieee80211_i.h 2010-10-20 16:30:22.000000000 -0400
56181 +++ linux-2.6.36.1/net/mac80211/ieee80211_i.h 2010-11-06 18:58:15.000000000 -0400
56182 @@ -650,7 +650,7 @@ struct ieee80211_local {
56183 /* also used to protect ampdu_ac_queue and amdpu_ac_stop_refcnt */
56184 spinlock_t queue_stop_reason_lock;
56187 + atomic_t open_count;
56188 int monitors, cooked_mntrs;
56189 /* number of interfaces with corresponding FIF_ flags */
56190 int fif_fcsfail, fif_plcpfail, fif_control, fif_other_bss, fif_pspoll;
56191 diff -urNp linux-2.6.36.1/net/mac80211/iface.c linux-2.6.36.1/net/mac80211/iface.c
56192 --- linux-2.6.36.1/net/mac80211/iface.c 2010-10-20 16:30:22.000000000 -0400
56193 +++ linux-2.6.36.1/net/mac80211/iface.c 2010-11-06 18:58:15.000000000 -0400
56194 @@ -183,7 +183,7 @@ static int ieee80211_open(struct net_dev
56198 - if (local->open_count == 0) {
56199 + if (atomic_read(&local->open_count) == 0) {
56200 res = drv_start(local);
56203 @@ -215,7 +215,7 @@ static int ieee80211_open(struct net_dev
56204 * Validate the MAC address for this device.
56206 if (!is_valid_ether_addr(dev->dev_addr)) {
56207 - if (!local->open_count)
56208 + if (!atomic_read(&local->open_count))
56210 return -EADDRNOTAVAIL;
56212 @@ -309,7 +309,7 @@ static int ieee80211_open(struct net_dev
56214 hw_reconf_flags |= __ieee80211_recalc_idle(local);
56216 - local->open_count++;
56217 + atomic_inc(&local->open_count);
56218 if (hw_reconf_flags) {
56219 ieee80211_hw_config(local, hw_reconf_flags);
56221 @@ -328,7 +328,7 @@ static int ieee80211_open(struct net_dev
56223 drv_remove_interface(local, &sdata->vif);
56225 - if (!local->open_count)
56226 + if (!atomic_read(&local->open_count))
56230 @@ -418,7 +418,7 @@ static int ieee80211_stop(struct net_dev
56231 WARN_ON(!list_empty(&sdata->u.ap.vlans));
56234 - local->open_count--;
56235 + atomic_dec(&local->open_count);
56237 switch (sdata->vif.type) {
56238 case NL80211_IFTYPE_AP_VLAN:
56239 @@ -518,7 +518,7 @@ static int ieee80211_stop(struct net_dev
56241 ieee80211_recalc_ps(local, -1);
56243 - if (local->open_count == 0) {
56244 + if (atomic_read(&local->open_count) == 0) {
56245 ieee80211_clear_tx_pending(local);
56246 ieee80211_stop_device(local);
56248 diff -urNp linux-2.6.36.1/net/mac80211/main.c linux-2.6.36.1/net/mac80211/main.c
56249 --- linux-2.6.36.1/net/mac80211/main.c 2010-10-20 16:30:22.000000000 -0400
56250 +++ linux-2.6.36.1/net/mac80211/main.c 2010-11-06 18:58:15.000000000 -0400
56251 @@ -152,7 +152,7 @@ int ieee80211_hw_config(struct ieee80211
56252 local->hw.conf.power_level = power;
56255 - if (changed && local->open_count) {
56256 + if (changed && atomic_read(&local->open_count)) {
56257 ret = drv_config(local, changed);
56260 diff -urNp linux-2.6.36.1/net/mac80211/pm.c linux-2.6.36.1/net/mac80211/pm.c
56261 --- linux-2.6.36.1/net/mac80211/pm.c 2010-10-20 16:30:22.000000000 -0400
56262 +++ linux-2.6.36.1/net/mac80211/pm.c 2010-11-06 18:58:15.000000000 -0400
56263 @@ -95,7 +95,7 @@ int __ieee80211_suspend(struct ieee80211
56266 /* stop hardware - this must stop RX */
56267 - if (local->open_count)
56268 + if (atomic_read(&local->open_count))
56269 ieee80211_stop_device(local);
56271 local->suspended = true;
56272 diff -urNp linux-2.6.36.1/net/mac80211/rate.c linux-2.6.36.1/net/mac80211/rate.c
56273 --- linux-2.6.36.1/net/mac80211/rate.c 2010-10-20 16:30:22.000000000 -0400
56274 +++ linux-2.6.36.1/net/mac80211/rate.c 2010-11-06 18:58:15.000000000 -0400
56275 @@ -357,7 +357,7 @@ int ieee80211_init_rate_ctrl_alg(struct
56279 - if (local->open_count)
56280 + if (atomic_read(&local->open_count))
56283 if (local->hw.flags & IEEE80211_HW_HAS_RATE_CONTROL) {
56284 diff -urNp linux-2.6.36.1/net/mac80211/rc80211_pid_debugfs.c linux-2.6.36.1/net/mac80211/rc80211_pid_debugfs.c
56285 --- linux-2.6.36.1/net/mac80211/rc80211_pid_debugfs.c 2010-10-20 16:30:22.000000000 -0400
56286 +++ linux-2.6.36.1/net/mac80211/rc80211_pid_debugfs.c 2010-11-06 18:58:15.000000000 -0400
56287 @@ -192,7 +192,7 @@ static ssize_t rate_control_pid_events_r
56289 spin_unlock_irqrestore(&events->lock, status);
56291 - if (copy_to_user(buf, pb, p))
56292 + if (p > sizeof(pb) || copy_to_user(buf, pb, p))
56296 diff -urNp linux-2.6.36.1/net/mac80211/tx.c linux-2.6.36.1/net/mac80211/tx.c
56297 --- linux-2.6.36.1/net/mac80211/tx.c 2010-10-20 16:30:22.000000000 -0400
56298 +++ linux-2.6.36.1/net/mac80211/tx.c 2010-11-06 18:58:15.000000000 -0400
56299 @@ -173,7 +173,7 @@ static __le16 ieee80211_duration(struct
56300 return cpu_to_le16(dur);
56303 -static int inline is_ieee80211_device(struct ieee80211_local *local,
56304 +static inline int is_ieee80211_device(struct ieee80211_local *local,
56305 struct net_device *dev)
56307 return local == wdev_priv(dev->ieee80211_ptr);
56308 diff -urNp linux-2.6.36.1/net/mac80211/util.c linux-2.6.36.1/net/mac80211/util.c
56309 --- linux-2.6.36.1/net/mac80211/util.c 2010-10-20 16:30:22.000000000 -0400
56310 +++ linux-2.6.36.1/net/mac80211/util.c 2010-11-06 18:58:15.000000000 -0400
56311 @@ -1101,7 +1101,7 @@ int ieee80211_reconfig(struct ieee80211_
56312 local->resuming = true;
56314 /* restart hardware */
56315 - if (local->open_count) {
56316 + if (atomic_read(&local->open_count)) {
56318 * Upon resume hardware can sometimes be goofy due to
56319 * various platform / driver / bus issues, so restarting
56320 diff -urNp linux-2.6.36.1/net/netfilter/Kconfig linux-2.6.36.1/net/netfilter/Kconfig
56321 --- linux-2.6.36.1/net/netfilter/Kconfig 2010-10-20 16:30:22.000000000 -0400
56322 +++ linux-2.6.36.1/net/netfilter/Kconfig 2010-11-06 18:58:50.000000000 -0400
56323 @@ -708,6 +708,16 @@ config NETFILTER_XT_MATCH_ESP
56325 To compile it as a module, choose M here. If unsure, say N.
56327 +config NETFILTER_XT_MATCH_GRADM
56328 + tristate '"gradm" match support'
56329 + depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
56330 + depends on GRKERNSEC && !GRKERNSEC_NO_RBAC
56332 + The gradm match allows to match on grsecurity RBAC being enabled.
56333 + It is useful when iptables rules are applied early on bootup to
56334 + prevent connections to the machine (except from a trusted host)
56335 + while the RBAC system is disabled.
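Review bot: The help text `The gradm match allows to match on grsecurity RBAC being enabled.` is ungrammatical; `The gradm match matches when the grsecurity RBAC system is enabled.` says the same thing. The remaining lines are clear, though mentioning that the match can be inverted (the module honours an `invflags` field) would help an administrator writing the early-boot rules the text describes.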
56337 config NETFILTER_XT_MATCH_HASHLIMIT
56338 tristate '"hashlimit" match support'
56339 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
56340 diff -urNp linux-2.6.36.1/net/netfilter/Makefile linux-2.6.36.1/net/netfilter/Makefile
56341 --- linux-2.6.36.1/net/netfilter/Makefile 2010-10-20 16:30:22.000000000 -0400
56342 +++ linux-2.6.36.1/net/netfilter/Makefile 2010-11-06 18:58:50.000000000 -0400
56343 @@ -74,6 +74,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) +=
56344 obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
56345 obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
56346 obj-$(CONFIG_NETFILTER_XT_MATCH_ESP) += xt_esp.o
56347 +obj-$(CONFIG_NETFILTER_XT_MATCH_GRADM) += xt_gradm.o
56348 obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT) += xt_hashlimit.o
56349 obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER) += xt_helper.o
56350 obj-$(CONFIG_NETFILTER_XT_MATCH_HL) += xt_hl.o
56351 diff -urNp linux-2.6.36.1/net/netfilter/xt_gradm.c linux-2.6.36.1/net/netfilter/xt_gradm.c
56352 --- linux-2.6.36.1/net/netfilter/xt_gradm.c 1969-12-31 19:00:00.000000000 -0500
56353 +++ linux-2.6.36.1/net/netfilter/xt_gradm.c 2010-11-06 18:58:50.000000000 -0400
56356 + * gradm match for netfilter
56357 + * Copyright © Zbigniew Krzystolik, 2010
56359 + * This program is free software; you can redistribute it and/or modify
56360 + * it under the terms of the GNU General Public License; either version
56361 + * 2 or 3 as published by the Free Software Foundation.
56363 +#include <linux/module.h>
56364 +#include <linux/moduleparam.h>
56365 +#include <linux/skbuff.h>
56366 +#include <linux/netfilter/x_tables.h>
56367 +#include <linux/grsecurity.h>
56368 +#include <linux/netfilter/xt_gradm.h>
56371 +gradm_mt(const struct sk_buff *skb, struct xt_action_param *par)
56373 + const struct xt_gradm_mtinfo *info = par->matchinfo;
56374 + bool retval = false;
56375 + if (gr_acl_is_enabled())
56377 + return retval ^ info->invflags;
56380 +static struct xt_match gradm_mt_reg __read_mostly = {
56383 + .family = NFPROTO_UNSPEC,
56384 + .match = gradm_mt,
56385 + .matchsize = XT_ALIGN(sizeof(struct xt_gradm_mtinfo)),
56386 + .me = THIS_MODULE,
56389 +static int __init gradm_mt_init(void)
56391 + return xt_register_match(&gradm_mt_reg);
56394 +static void __exit gradm_mt_exit(void)
56396 + xt_unregister_match(&gradm_mt_reg);
56399 +module_init(gradm_mt_init);
56400 +module_exit(gradm_mt_exit);
56401 +MODULE_AUTHOR("Zbigniew Krzystolik <zbyniu@destrukcja.pl>");
56402 +MODULE_DESCRIPTION("Xtables: Grsecurity RBAC match");
56403 +MODULE_LICENSE("GPL");
56404 +MODULE_ALIAS("ipt_gradm");
56405 +MODULE_ALIAS("ip6t_gradm");
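Review bot: `return retval ^ info->invflags;` relies on `invflags` being exactly 0 or 1, but nothing validates it: `gradm_mt_reg` has no `.checkentry` callback, and if `invflags` is wider than one bit (its type is in xt_gradm.h, not on this page) a value such as 2 makes the XOR non-zero for a matched packet regardless of the intended inversion. Either normalise it, `return retval ^ !!info->invflags;`, or add a `.checkentry` that rejects anything other than 0 or 1 so a malformed rule fails to load instead of matching unpredictably. `gradm_mt` also lacks a comment stating what it tests; `/* match (inverted via invflags) while gradm's RBAC policy is active */` above the function would do.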
56406 diff -urNp linux-2.6.36.1/net/netlink/af_netlink.c linux-2.6.36.1/net/netlink/af_netlink.c
56407 --- linux-2.6.36.1/net/netlink/af_netlink.c 2010-10-20 16:30:22.000000000 -0400
56408 +++ linux-2.6.36.1/net/netlink/af_netlink.c 2010-11-06 18:58:50.000000000 -0400
56409 @@ -2007,13 +2007,21 @@ static int netlink_seq_show(struct seq_f
56410 struct netlink_sock *nlk = nlk_sk(s);
56412 seq_printf(seq, "%p %-3d %-6d %08x %-8d %-8d %p %-8d %-8d %-8lu\n",
56413 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56420 nlk->groups ? (u32)nlk->groups[0] : 0,
56421 sk_rmem_alloc_get(s),
56422 sk_wmem_alloc_get(s),
56423 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56428 atomic_read(&s->sk_refcnt),
56429 atomic_read(&s->sk_drops),
56431 diff -urNp linux-2.6.36.1/net/netrom/af_netrom.c linux-2.6.36.1/net/netrom/af_netrom.c
56432 --- linux-2.6.36.1/net/netrom/af_netrom.c 2010-10-20 16:30:22.000000000 -0400
56433 +++ linux-2.6.36.1/net/netrom/af_netrom.c 2010-11-06 18:58:50.000000000 -0400
56434 @@ -840,6 +840,7 @@ static int nr_getname(struct socket *soc
56435 struct sock *sk = sock->sk;
56436 struct nr_sock *nr = nr_sk(sk);
56438 + memset(sax, 0, sizeof(*sax));
56441 if (sk->sk_state != TCP_ESTABLISHED) {
56442 @@ -854,7 +855,6 @@ static int nr_getname(struct socket *soc
56443 *uaddr_len = sizeof(struct full_sockaddr_ax25);
56445 sax->fsa_ax25.sax25_family = AF_NETROM;
56446 - sax->fsa_ax25.sax25_ndigis = 0;
56447 sax->fsa_ax25.sax25_call = nr->source_addr;
56448 *uaddr_len = sizeof(struct sockaddr_ax25);
56450 diff -urNp linux-2.6.36.1/net/packet/af_packet.c linux-2.6.36.1/net/packet/af_packet.c
56451 --- linux-2.6.36.1/net/packet/af_packet.c 2010-10-20 16:30:22.000000000 -0400
56452 +++ linux-2.6.36.1/net/packet/af_packet.c 2010-11-06 18:58:50.000000000 -0400
56453 @@ -1610,8 +1610,9 @@ static int packet_recvmsg(struct kiocb *
56456 vnet_hdr_len = sizeof(vnet_hdr);
56457 - if ((len -= vnet_hdr_len) < 0)
56458 + if (len < vnet_hdr_len)
56460 + len -= vnet_hdr_len;
56462 if (skb_is_gso(skb)) {
56463 struct skb_shared_info *sinfo = skb_shinfo(skb);
56464 @@ -1719,7 +1720,7 @@ static int packet_getname_spkt(struct so
56466 dev = dev_get_by_index_rcu(sock_net(sk), pkt_sk(sk)->ifindex);
56468 - strlcpy(uaddr->sa_data, dev->name, 15);
56469 + strncpy(uaddr->sa_data, dev->name, 14);
56471 memset(uaddr->sa_data, 0, 14);
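Review bot: The switch from `strlcpy(uaddr->sa_data, dev->name, 15)` to `strncpy(uaddr->sa_data, dev->name, 14)` is correct only because `sa_data` is a fixed 14-byte field and not a C string — `strlcpy` with 15 wrote a terminator one byte past the array for long interface names, while `strncpy` with 14 stays in bounds and zero-pads the remainder so no kernel bytes reach userspace — but without a comment the next reader will see the textbook "unsafe strncpy" and may reinstate strlcpy. Add `/* sa_data is a fixed 14-byte field, not a NUL-terminated string: strncpy zero-pads and must not write past it */` above the call. packet_getname_spkt begins and ends outside the hunk.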
56473 @@ -1742,6 +1743,7 @@ static int packet_getname(struct socket
56474 sll->sll_family = AF_PACKET;
56475 sll->sll_ifindex = po->ifindex;
56476 sll->sll_protocol = po->num;
56477 + sll->sll_pkttype = 0;
56479 dev = dev_get_by_index_rcu(sock_net(sk), po->ifindex);
56481 @@ -2120,7 +2122,7 @@ static int packet_getsockopt(struct sock
56482 case PACKET_HDRLEN:
56483 if (len > sizeof(int))
56485 - if (copy_from_user(&val, optval, len))
56486 + if (len > sizeof(val) || copy_from_user(&val, optval, len))
56490 @@ -2158,7 +2160,7 @@ static int packet_getsockopt(struct sock
56492 if (put_user(len, optlen))
56494 - if (copy_to_user(optval, data, len))
56495 + if (len > sizeof(st) || copy_to_user(optval, data, len))
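Review bot: `len > sizeof(st)` bounds the copy by the size of `st`, but `data` is a generic pointer that the earlier cases of this switch may aim at other objects (the hunk at @@ -2120 copies into an `int` `val`); if any case points `data` at something smaller than `st` without clamping `len` first, this bound does not protect it. Either bound per case (as PACKET_HDRLEN already does with `sizeof(int)`) or add a comment above the check stating that every case clamps `len` to its own object before reaching this line, so the guard is verifiable. packet_getsockopt begins and ends outside the hunk.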
56499 @@ -2637,7 +2639,11 @@ static int packet_seq_show(struct seq_fi
56502 "%p %-6d %-4d %04x %-5d %1d %-6u %-6u %-6lu\n",
56503 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56508 atomic_read(&s->sk_refcnt),
56511 diff -urNp linux-2.6.36.1/net/phonet/af_phonet.c linux-2.6.36.1/net/phonet/af_phonet.c
56512 --- linux-2.6.36.1/net/phonet/af_phonet.c 2010-10-20 16:30:22.000000000 -0400
56513 +++ linux-2.6.36.1/net/phonet/af_phonet.c 2010-11-06 18:58:50.000000000 -0400
56514 @@ -41,7 +41,7 @@ static struct phonet_protocol *phonet_pr
56516 struct phonet_protocol *pp;
56518 - if (protocol >= PHONET_NPROTO)
56519 + if (protocol < 0 || protocol >= PHONET_NPROTO)
56523 @@ -446,7 +446,7 @@ int __init_or_module phonet_proto_regist
56527 - if (protocol >= PHONET_NPROTO)
56528 + if (protocol < 0 || protocol >= PHONET_NPROTO)
56531 err = proto_register(pp->prot, 1);
56532 diff -urNp linux-2.6.36.1/net/phonet/socket.c linux-2.6.36.1/net/phonet/socket.c
56533 --- linux-2.6.36.1/net/phonet/socket.c 2010-10-20 16:30:22.000000000 -0400
56534 +++ linux-2.6.36.1/net/phonet/socket.c 2010-11-13 16:29:01.000000000 -0500
56535 @@ -535,7 +535,12 @@ static int pn_sock_seq_show(struct seq_f
56537 sk_wmem_alloc_get(sk), sk_rmem_alloc_get(sk),
56538 sock_i_uid(sk), sock_i_ino(sk),
56539 - atomic_read(&sk->sk_refcnt), sk,
56540 + atomic_read(&sk->sk_refcnt),
56541 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56546 atomic_read(&sk->sk_drops), &len);
56548 seq_printf(seq, "%*s\n", 127 - len, "");
56549 diff -urNp linux-2.6.36.1/net/sctp/proc.c linux-2.6.36.1/net/sctp/proc.c
56550 --- linux-2.6.36.1/net/sctp/proc.c 2010-10-20 16:30:22.000000000 -0400
56551 +++ linux-2.6.36.1/net/sctp/proc.c 2010-11-13 16:29:01.000000000 -0500
56552 @@ -212,7 +212,12 @@ static int sctp_eps_seq_show(struct seq_
56553 sctp_for_each_hentry(epb, node, &head->chain) {
56556 - seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ", ep, sk,
56557 + seq_printf(seq, "%8p %8p %-3d %-3d %-4d %-5d %5d %5lu ",
56558 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56563 sctp_sk(sk)->type, sk->sk_state, hash,
56564 epb->bind_addr.port,
56565 sock_i_uid(sk), sock_i_ino(sk));
56566 @@ -318,7 +323,12 @@ static int sctp_assocs_seq_show(struct s
56568 "%8p %8p %-3d %-3d %-2d %-4d "
56569 "%4d %8d %8d %7d %5lu %-5d %5d ",
56570 - assoc, sk, sctp_sk(sk)->type, sk->sk_state,
56571 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56576 + sctp_sk(sk)->type, sk->sk_state,
56577 assoc->state, hash,
56579 assoc->sndbuf_used,
56580 diff -urNp linux-2.6.36.1/net/sctp/socket.c linux-2.6.36.1/net/sctp/socket.c
56581 --- linux-2.6.36.1/net/sctp/socket.c 2010-10-20 16:30:22.000000000 -0400
56582 +++ linux-2.6.36.1/net/sctp/socket.c 2010-11-06 18:58:15.000000000 -0400
56583 @@ -1494,7 +1494,7 @@ SCTP_STATIC int sctp_sendmsg(struct kioc
56584 struct sctp_sndrcvinfo *sinfo;
56585 struct sctp_initmsg *sinit;
56586 sctp_assoc_t associd = 0;
56587 - sctp_cmsgs_t cmsgs = { NULL };
56588 + sctp_cmsgs_t cmsgs = { NULL, NULL };
56590 sctp_scope_t scope;
56592 @@ -4398,7 +4398,7 @@ static int sctp_getsockopt_peer_addrs(st
56593 addrlen = sctp_get_af_specific(temp.sa.sa_family)->sockaddr_len;
56594 if (space_left < addrlen)
56596 - if (copy_to_user(to, &temp, addrlen))
56597 + if (addrlen > sizeof(temp) || copy_to_user(to, &temp, addrlen))
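Review bot: The new `addrlen > sizeof(temp)` guard is folded into the same condition as `copy_to_user`, so the branch below it (outside the hunk) will report an oversized `addrlen` exactly like a faulting user pointer. `addrlen` comes from `sctp_get_af_specific(...)->sockaddr_len`, a kernel-side table value, so exceeding `sizeof(temp)` indicates a broken af table rather than bad user input and deserves its own, distinguishable failure; a separate `if (addrlen > sizeof(temp)) return -EINVAL;` before the copy (or a `WARN_ON_ONCE` on that condition) would keep the two cases apart. The rest of sctp_getsockopt_peer_addrs, including the error label the condition jumps to, is outside the hunk.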
56601 diff -urNp linux-2.6.36.1/net/socket.c linux-2.6.36.1/net/socket.c
56602 --- linux-2.6.36.1/net/socket.c 2010-10-20 16:30:22.000000000 -0400
56603 +++ linux-2.6.36.1/net/socket.c 2010-11-06 18:58:50.000000000 -0400
56605 #include <linux/nsproxy.h>
56606 #include <linux/magic.h>
56607 #include <linux/slab.h>
56608 +#include <linux/in.h>
56610 #include <asm/uaccess.h>
56611 #include <asm/unistd.h>
56612 @@ -105,6 +106,8 @@
56613 #include <linux/sockios.h>
56614 #include <linux/atalk.h>
56616 +#include <linux/grsock.h>
56618 static int sock_no_open(struct inode *irrelevant, struct file *dontcare);
56619 static ssize_t sock_aio_read(struct kiocb *iocb, const struct iovec *iov,
56620 unsigned long nr_segs, loff_t pos);
56621 @@ -313,7 +316,7 @@ static int sockfs_get_sb(struct file_sys
56625 -static struct vfsmount *sock_mnt __read_mostly;
56626 +struct vfsmount *sock_mnt __read_mostly;
56628 static struct file_system_type sock_fs_type = {
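Review bot: `sock_mnt` is made non-static but no header declaration accompanies it in this hunk, so whichever other translation unit now references it presumably declares it with a local `extern`, which the compiler cannot check against this definition. Putting `extern struct vfsmount *sock_mnt;` in a shared header (the newly included `linux/grsock.h` would be a natural place) and including that header here keeps declaration and definition consistent. The same applies to the `extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);` added directly in security/commoncap.c later in this patch.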
56630 @@ -1158,6 +1161,8 @@ static int __sock_create(struct net *net
56631 return -EAFNOSUPPORT;
56632 if (type < 0 || type >= SOCK_MAX)
56634 + if (protocol < 0)
56639 @@ -1289,6 +1294,16 @@ SYSCALL_DEFINE3(socket, int, family, int
56640 if (SOCK_NONBLOCK != O_NONBLOCK && (flags & SOCK_NONBLOCK))
56641 flags = (flags & ~SOCK_NONBLOCK) | O_NONBLOCK;
56643 + if(!gr_search_socket(family, type, protocol)) {
56644 + retval = -EACCES;
56648 + if (gr_handle_sock_all(family, type, protocol)) {
56649 + retval = -EACCES;
56653 retval = sock_create(family, type, protocol, &sock);
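Review bot: The first new check is written `if(!gr_search_socket(family, type, protocol)) {` without the space after `if`, while the second one three lines below (`if (gr_handle_sock_all(...)) {`) and the surrounding file follow kernel style; make it `if (!gr_search_socket(family, type, protocol)) {`. Both checks set `retval = -EACCES` and then presumably jump to the same exit label (the lines in between are elided), so a single comment above the pair saying that both are grsecurity socket-policy gates evaluated before `sock_create()` would also help a reader who does not know the gr_ prefix. The socket syscall body continues outside the hunk.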
56656 @@ -1401,6 +1416,14 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
56658 err = move_addr_to_kernel(umyaddr, addrlen, (struct sockaddr *)&address);
56660 + if (gr_handle_sock_server((struct sockaddr *)&address)) {
56664 + err = gr_search_bind(sock, (struct sockaddr_in *)&address);
56668 err = security_socket_bind(sock,
56669 (struct sockaddr *)&address,
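Review bot: `gr_search_bind(sock, (struct sockaddr_in *)&address)` casts the `sockaddr_storage` to an IPv4 address for every address family that reaches bind(), so the callee must check `sa_family` before it touches any `sin_*` field; as far as the hunk shows nothing here guarantees that. Passing `(struct sockaddr *)&address` and letting `gr_search_bind()` cast after its own family check would make the contract visible at the call site, or at least a comment such as `/* gr_search_bind() validates sa_family before reading IPv4 fields */` should state the assumption. The same cast appears in the connect hunk (`gr_search_connect(sock, (struct sockaddr_in *)sck)`). The enclosing bind body lies outside the hunk.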
56671 @@ -1409,6 +1432,7 @@ SYSCALL_DEFINE3(bind, int, fd, struct so
56672 (struct sockaddr *)
56673 &address, addrlen);
56676 fput_light(sock->file, fput_needed);
56679 @@ -1432,10 +1456,20 @@ SYSCALL_DEFINE2(listen, int, fd, int, ba
56680 if ((unsigned)backlog > somaxconn)
56681 backlog = somaxconn;
56683 + if (gr_handle_sock_server_other(sock->sk)) {
56688 + err = gr_search_listen(sock);
56692 err = security_socket_listen(sock, backlog);
56694 err = sock->ops->listen(sock, backlog);
56697 fput_light(sock->file, fput_needed);
56700 @@ -1479,6 +1513,18 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
56701 newsock->type = sock->type;
56702 newsock->ops = sock->ops;
56704 + if (gr_handle_sock_server_other(sock->sk)) {
56706 + sock_release(newsock);
56710 + err = gr_search_accept(sock);
56712 + sock_release(newsock);
56717 * We don't need try_module_get here, as the listening socket (sock)
56718 * has the protocol module (sock->ops->owner) held.
56719 @@ -1517,6 +1563,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct
56720 fd_install(newfd, newfile);
56723 + gr_attach_curr_ip(newsock->sk);
56726 fput_light(sock->file, fput_needed);
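Review bot: `gr_attach_curr_ip(newsock->sk);` runs after `fd_install(newfd, newfile);` on the line above, so `newsock` is dereferenced once the descriptor is already visible to userspace; another thread sharing the file table can close that fd in between, which releases the socket and turns this into a potential use-after-free. Moving the call to just before `fd_install(newfd, newfile);` closes the window without changing what it records. The surrounding accept4 body is outside the hunk, so whether any other reference protects `newsock` here cannot be confirmed from this view.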
56728 @@ -1549,6 +1597,7 @@ SYSCALL_DEFINE3(connect, int, fd, struct
56731 struct socket *sock;
56732 + struct sockaddr *sck;
56733 struct sockaddr_storage address;
56734 int err, fput_needed;
56736 @@ -1559,6 +1608,17 @@ SYSCALL_DEFINE3(connect, int, fd, struct
56740 + sck = (struct sockaddr *)&address;
56742 + if (gr_handle_sock_client(sck)) {
56747 + err = gr_search_connect(sock, (struct sockaddr_in *)sck);
56752 security_socket_connect(sock, (struct sockaddr *)&address, addrlen);
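Review bot: The new local `sck = (struct sockaddr *)&address;` is introduced for the two gr_ calls, yet the unchanged `security_socket_connect(sock, (struct sockaddr *)&address, addrlen);` right below repeats the cast by hand, so the function now spells the same pointer two ways. Either use the local consistently, `security_socket_connect(sock, sck, addrlen);`, or drop `sck` and cast inline as the bind hunk does. The connect body starts and ends outside the hunk.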
56754 diff -urNp linux-2.6.36.1/net/sunrpc/sched.c linux-2.6.36.1/net/sunrpc/sched.c
56755 --- linux-2.6.36.1/net/sunrpc/sched.c 2010-10-20 16:30:22.000000000 -0400
56756 +++ linux-2.6.36.1/net/sunrpc/sched.c 2010-11-06 18:58:15.000000000 -0400
56757 @@ -234,9 +234,9 @@ static int rpc_wait_bit_killable(void *w
56759 static void rpc_task_set_debuginfo(struct rpc_task *task)
56761 - static atomic_t rpc_pid;
56762 + static atomic_unchecked_t rpc_pid;
56764 - task->tk_pid = atomic_inc_return(&rpc_pid);
56765 + task->tk_pid = atomic_inc_return_unchecked(&rpc_pid);
56768 static inline void rpc_task_set_debuginfo(struct rpc_task *task)
56769 diff -urNp linux-2.6.36.1/net/sunrpc/xprtrdma/svc_rdma.c linux-2.6.36.1/net/sunrpc/xprtrdma/svc_rdma.c
56770 --- linux-2.6.36.1/net/sunrpc/xprtrdma/svc_rdma.c 2010-10-20 16:30:22.000000000 -0400
56771 +++ linux-2.6.36.1/net/sunrpc/xprtrdma/svc_rdma.c 2010-11-06 18:58:50.000000000 -0400
56772 @@ -106,7 +106,7 @@ static int read_reset_stat(ctl_table *ta
56776 - if (len && copy_to_user(buffer, str_buf, len))
56777 + if (len > sizeof(str_buf) || (len && copy_to_user(buffer, str_buf, len)))
56781 diff -urNp linux-2.6.36.1/net/sysctl_net.c linux-2.6.36.1/net/sysctl_net.c
56782 --- linux-2.6.36.1/net/sysctl_net.c 2010-10-20 16:30:22.000000000 -0400
56783 +++ linux-2.6.36.1/net/sysctl_net.c 2010-11-06 18:58:50.000000000 -0400
56784 @@ -46,7 +46,7 @@ static int net_ctl_permissions(struct ct
56785 struct ctl_table *table)
56787 /* Allow network administrator to have same access as root. */
56788 - if (capable(CAP_NET_ADMIN)) {
56789 + if (capable_nolog(CAP_NET_ADMIN)) {
56790 int mode = (table->mode >> 6) & 7;
56791 return (mode << 6) | (mode << 3) | mode;
56793 diff -urNp linux-2.6.36.1/net/tipc/socket.c linux-2.6.36.1/net/tipc/socket.c
56794 --- linux-2.6.36.1/net/tipc/socket.c 2010-10-20 16:30:22.000000000 -0400
56795 +++ linux-2.6.36.1/net/tipc/socket.c 2010-11-06 18:58:50.000000000 -0400
56796 @@ -395,6 +395,7 @@ static int get_name(struct socket *sock,
56797 struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
56798 struct tipc_sock *tsock = tipc_sk(sock->sk);
56800 + memset(addr, 0, sizeof(*addr));
56802 if ((sock->state != SS_CONNECTED) &&
56803 ((peer != 2) || (sock->state != SS_DISCONNECTING)))
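Review bot: The added `memset(addr, 0, sizeof(*addr));` has no comment, and since only some fields of `*addr` are filled in below it is the kind of line a later cleanup could "optimise away" as redundant. A one-line why-comment such as `/* zero the whole struct first: fields not set below and padding would otherwise reach userspace uninitialised */` records the purpose. The rest of get_name is outside the hunk.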
56804 @@ -1451,8 +1452,9 @@ static int connect(struct socket *sock,
56809 - ; /* leave "res" unchanged */
56811 + /* leave "res" unchanged */
56813 sock->state = SS_DISCONNECTING;
56816 diff -urNp linux-2.6.36.1/net/unix/af_unix.c linux-2.6.36.1/net/unix/af_unix.c
56817 --- linux-2.6.36.1/net/unix/af_unix.c 2010-10-20 16:30:22.000000000 -0400
56818 +++ linux-2.6.36.1/net/unix/af_unix.c 2010-11-06 20:08:14.000000000 -0400
56819 @@ -764,6 +764,12 @@ static struct sock *unix_find_other(stru
56820 err = -ECONNREFUSED;
56821 if (!S_ISSOCK(inode->i_mode))
56824 + if (!gr_acl_handle_unix(path.dentry, path.mnt)) {
56829 u = unix_find_socket_byinode(inode);
56832 @@ -784,6 +790,13 @@ static struct sock *unix_find_other(stru
56834 struct dentry *dentry;
56835 dentry = unix_sk(u)->dentry;
56837 + if (!gr_handle_chroot_unix(u->sk_peer_pid)) {
56844 touch_atime(unix_sk(u)->mnt, dentry);
56846 @@ -869,11 +882,18 @@ static int unix_bind(struct socket *sock
56847 err = security_path_mknod(&nd.path, dentry, mode, 0);
56849 goto out_mknod_drop_write;
56850 + if (!gr_acl_handle_mknod(dentry, nd.path.dentry, nd.path.mnt, mode)) {
56852 + goto out_mknod_drop_write;
56854 err = vfs_mknod(nd.path.dentry->d_inode, dentry, mode, 0);
56855 out_mknod_drop_write:
56856 mnt_drop_write(nd.path.mnt);
56858 goto out_mknod_dput;
56860 + gr_handle_create(dentry, nd.path.mnt);
56862 mutex_unlock(&nd.path.dentry->d_inode->i_mutex);
56863 dput(nd.path.dentry);
56864 nd.path.dentry = dentry;
56865 @@ -891,6 +911,11 @@ out_mknod_drop_write:
56869 +#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
56870 + put_pid(sk->sk_peer_pid);
56871 + sk->sk_peer_pid = get_pid(task_tgid(current));
56874 list = &unix_socket_table[addr->hash];
56876 list = &unix_socket_table[dentry->d_inode->i_ino & (UNIX_HASH_SIZE-1)];
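Review bot: Under `CONFIG_GRKERNSEC_CHROOT_UNIX` the new block replaces `sk->sk_peer_pid` on every successful path through bind() with no comment on who reads it or what serialises the write. From the unix_find_other hunk above, the consumer is presumably `gr_handle_chroot_unix(u->sk_peer_pid)`; a comment such as `/* record the binding task's tgid for gr_handle_chroot_unix() in unix_find_other() */` would make that link explicit, and a note on the lock held at this point would let a reader check the update against concurrent readers. The unix_bind body, including the lock it holds here, lies outside the hunk.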
56877 @@ -2195,7 +2220,11 @@ static int unix_seq_show(struct seq_file
56878 unix_state_lock(s);
56880 seq_printf(seq, "%p: %08X %08X %08X %04X %02X %5lu",
56881 +#ifdef CONFIG_GRKERNSEC_HIDESYM
56886 atomic_read(&s->sk_refcnt),
56888 s->sk_state == TCP_LISTEN ? __SO_ACCEPTCON : 0,
56889 diff -urNp linux-2.6.36.1/net/wireless/reg.c linux-2.6.36.1/net/wireless/reg.c
56890 --- linux-2.6.36.1/net/wireless/reg.c 2010-10-20 16:30:22.000000000 -0400
56891 +++ linux-2.6.36.1/net/wireless/reg.c 2010-11-06 18:58:15.000000000 -0400
56893 printk(KERN_DEBUG format , ## args); \
56896 -#define REG_DBG_PRINT(args...)
56897 +#define REG_DBG_PRINT(args...) do {} while (0)
56900 /* Receipt of information from last regulatory request */
56901 diff -urNp linux-2.6.36.1/net/wireless/wext-core.c linux-2.6.36.1/net/wireless/wext-core.c
56902 --- linux-2.6.36.1/net/wireless/wext-core.c 2010-10-20 16:30:22.000000000 -0400
56903 +++ linux-2.6.36.1/net/wireless/wext-core.c 2010-11-06 18:58:15.000000000 -0400
56904 @@ -744,8 +744,7 @@ static int ioctl_standard_iw_point(struc
56907 /* Support for very large requests */
56908 - if ((descr->flags & IW_DESCR_FLAG_NOMAX) &&
56909 - (user_length > descr->max_tokens)) {
56910 + if (user_length > descr->max_tokens) {
56911 /* Allow userspace to GET more than max so
56912 * we can support any size GET requests.
56913 * There is still a limit : -ENOMEM.
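Review bot: The comment kept under the modified condition still explains the branch as "Allow userspace to GET more than max", but with the `IW_DESCR_FLAG_NOMAX` test removed the branch now fires for any request whose `user_length` exceeds `descr->max_tokens`, GET or not. The comment should be brought in line with the new condition, e.g. `/* Size the buffer from the user's length whenever it exceeds max_tokens; the limit is then only -ENOMEM. */`, noting (if that is the intent) that oversized SET requests are already rejected earlier in the function. The remainder of ioctl_standard_iw_point is outside the hunk.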
56914 @@ -782,22 +781,6 @@ static int ioctl_standard_iw_point(struc
56918 - if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) {
56920 - * If this is a GET, but not NOMAX, it means that the extra
56921 - * data is not bounded by userspace, but by max_tokens. Thus
56922 - * set the length to max_tokens. This matches the extra data
56924 - * The driver should fill it with the number of tokens it
56925 - * provided, and it may check iwp->length rather than having
56926 - * knowledge of max_tokens. If the driver doesn't change the
56927 - * iwp->length, this ioctl just copies back max_token tokens
56928 - * filled with zeroes. Hopefully the driver isn't claiming
56929 - * them to be valid data.
56931 - iwp->length = descr->max_tokens;
56934 err = handler(dev, info, (union iwreq_data *) iwp, extra);
56936 iwp->length += essid_compat;
56937 diff -urNp linux-2.6.36.1/net/x25/x25_facilities.c linux-2.6.36.1/net/x25/x25_facilities.c
56938 --- linux-2.6.36.1/net/x25/x25_facilities.c 2010-10-20 16:30:22.000000000 -0400
56939 +++ linux-2.6.36.1/net/x25/x25_facilities.c 2010-11-11 18:50:38.000000000 -0500
56940 @@ -61,6 +61,8 @@ int x25_parse_facilities(struct sk_buff
56942 switch (*p & X25_FAC_CLASS_MASK) {
56943 case X25_FAC_CLASS_A:
56947 case X25_FAC_REVERSE:
56948 if((p[1] & 0x81) == 0x81) {
56949 @@ -104,6 +106,8 @@ int x25_parse_facilities(struct sk_buff
56952 case X25_FAC_CLASS_B:
56956 case X25_FAC_PACKET_SIZE:
56957 facilities->pacsize_in = p[1];
56958 @@ -125,6 +129,8 @@ int x25_parse_facilities(struct sk_buff
56961 case X25_FAC_CLASS_C:
56964 printk(KERN_DEBUG "X.25: unknown facility %02X, "
56965 "values %02X, %02X, %02X\n",
56966 p[0], p[1], p[2], p[3]);
56967 @@ -132,26 +138,27 @@ int x25_parse_facilities(struct sk_buff
56970 case X25_FAC_CLASS_D:
56971 + if (len < p[1] + 2)
56974 case X25_FAC_CALLING_AE:
56975 - if (p[1] > X25_MAX_DTE_FACIL_LEN)
56977 + if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
56979 dte_facs->calling_len = p[2];
56980 memcpy(dte_facs->calling_ae, &p[3], p[1] - 1);
56981 *vc_fac_mask |= X25_MASK_CALLING_AE;
56983 case X25_FAC_CALLED_AE:
56984 - if (p[1] > X25_MAX_DTE_FACIL_LEN)
56986 + if (p[1] > X25_MAX_DTE_FACIL_LEN || p[1] <= 1)
56988 dte_facs->called_len = p[2];
56989 memcpy(dte_facs->called_ae, &p[3], p[1] - 1);
56990 *vc_fac_mask |= X25_MASK_CALLED_AE;
56993 printk(KERN_DEBUG "X.25: unknown facility %02X,"
56994 - "length %d, values %02X, %02X, "
56996 - p[0], p[1], p[2], p[3], p[4], p[5]);
56997 + "length %d, values %02X, %02X\n",
56998 + p[0], p[1], p[2], p[3]);
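Review bot: The new `|| p[1] <= 1` in both the `X25_FAC_CALLING_AE` and `X25_FAC_CALLED_AE` guards is correct but opaque: `p[1]` covers the length byte consumed as `p[2]` plus the AE octets copied from `&p[3]`, so `p[1] - 1` is the memcpy size and a value of 0 would wrap it while 1 leaves no AE data. A comment on the first guard, `/* p[1] counts the length byte at p[2] plus the AE octets; 0 or 1 would make p[1] - 1 wrap or copy nothing */`, saves the next reader from re-deriving that. The same applies to the `if (len < p[1] + 2)` check at the top of the CLASS_D case, whose rejection body is elided here; the enclosing loop starts outside the hunk.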
57002 diff -urNp linux-2.6.36.1/net/x25/x25_in.c linux-2.6.36.1/net/x25/x25_in.c
57003 --- linux-2.6.36.1/net/x25/x25_in.c 2010-10-20 16:30:22.000000000 -0400
57004 +++ linux-2.6.36.1/net/x25/x25_in.c 2010-11-06 18:58:50.000000000 -0400
57005 @@ -119,6 +119,8 @@ static int x25_state1_machine(struct soc
57006 &x25->vc_facil_mask);
57008 skb_pull(skb, len);
57012 * Copy any Call User Data.
57014 diff -urNp linux-2.6.36.1/net/xfrm/xfrm_policy.c linux-2.6.36.1/net/xfrm/xfrm_policy.c
57015 --- linux-2.6.36.1/net/xfrm/xfrm_policy.c 2010-10-20 16:30:22.000000000 -0400
57016 +++ linux-2.6.36.1/net/xfrm/xfrm_policy.c 2010-11-06 18:58:15.000000000 -0400
57017 @@ -1501,7 +1501,7 @@ free_dst:
57023 xfrm_dst_alloc_copy(void **target, void *src, int size)
57026 @@ -1513,7 +1513,7 @@ xfrm_dst_alloc_copy(void **target, void
57032 xfrm_dst_update_parent(struct dst_entry *dst, struct xfrm_selector *sel)
57034 #ifdef CONFIG_XFRM_SUB_POLICY
57035 @@ -1525,7 +1525,7 @@ xfrm_dst_update_parent(struct dst_entry
57041 xfrm_dst_update_origin(struct dst_entry *dst, struct flowi *fl)
57043 #ifdef CONFIG_XFRM_SUB_POLICY
57044 diff -urNp linux-2.6.36.1/scripts/basic/fixdep.c linux-2.6.36.1/scripts/basic/fixdep.c
57045 --- linux-2.6.36.1/scripts/basic/fixdep.c 2010-10-20 16:30:22.000000000 -0400
57046 +++ linux-2.6.36.1/scripts/basic/fixdep.c 2010-11-06 18:58:15.000000000 -0400
57047 @@ -222,9 +222,9 @@ static void use_config(char *m, int slen
57049 static void parse_config_file(char *map, size_t len)
57051 - int *end = (int *) (map + len);
57052 + unsigned int *end = (unsigned int *) (map + len);
57053 /* start at +1, so that p can never be < map */
57054 - int *m = (int *) map + 1;
57055 + unsigned int *m = (unsigned int *) map + 1;
57058 for (; m < end; m++) {
57059 @@ -371,7 +371,7 @@ static void print_deps(void)
57060 static void traps(void)
57062 static char test[] __attribute__((aligned(sizeof(int)))) = "CONF";
57063 - int *p = (int *)test;
57064 + unsigned int *p = (unsigned int *)test;
57066 if (*p != INT_CONF) {
57067 fprintf(stderr, "fixdep: sizeof(int) != 4 or wrong endianess? %#x\n",
57068 diff -urNp linux-2.6.36.1/scripts/kallsyms.c linux-2.6.36.1/scripts/kallsyms.c
57069 --- linux-2.6.36.1/scripts/kallsyms.c 2010-10-20 16:30:22.000000000 -0400
57070 +++ linux-2.6.36.1/scripts/kallsyms.c 2010-11-06 18:58:15.000000000 -0400
57071 @@ -43,10 +43,10 @@ struct text_range {
57073 static unsigned long long _text;
57074 static struct text_range text_ranges[] = {
57075 - { "_stext", "_etext" },
57076 - { "_sinittext", "_einittext" },
57077 - { "_stext_l1", "_etext_l1" }, /* Blackfin on-chip L1 inst SRAM */
57078 - { "_stext_l2", "_etext_l2" }, /* Blackfin on-chip L2 SRAM */
57079 + { "_stext", "_etext", 0, 0 },
57080 + { "_sinittext", "_einittext", 0, 0 },
57081 + { "_stext_l1", "_etext_l1", 0, 0 }, /* Blackfin on-chip L1 inst SRAM */
57082 + { "_stext_l2", "_etext_l2", 0, 0 }, /* Blackfin on-chip L2 SRAM */
57084 #define text_range_text (&text_ranges[0])
57085 #define text_range_inittext (&text_ranges[1])
57086 diff -urNp linux-2.6.36.1/scripts/mod/file2alias.c linux-2.6.36.1/scripts/mod/file2alias.c
57087 --- linux-2.6.36.1/scripts/mod/file2alias.c 2010-10-20 16:30:22.000000000 -0400
57088 +++ linux-2.6.36.1/scripts/mod/file2alias.c 2010-11-06 18:58:15.000000000 -0400
57089 @@ -72,7 +72,7 @@ static void device_id_check(const char *
57090 unsigned long size, unsigned long id_size,
57096 if (size % id_size || size < id_size) {
57097 if (cross_build != 0)
57098 @@ -102,7 +102,7 @@ static void device_id_check(const char *
57099 /* USB is special because the bcdDevice can be matched against a numeric range */
57100 /* Looks like "usb:vNpNdNdcNdscNdpNicNiscNipN" */
57101 static void do_usb_entry(struct usb_device_id *id,
57102 - unsigned int bcdDevice_initial, int bcdDevice_initial_digits,
57103 + unsigned int bcdDevice_initial, unsigned int bcdDevice_initial_digits,
57104 unsigned char range_lo, unsigned char range_hi,
57105 unsigned char max, struct module *mod)
57107 @@ -437,7 +437,7 @@ static void do_pnp_device_entry(void *sy
57108 for (i = 0; i < count; i++) {
57109 const char *id = (char *)devs[i].id;
57110 char acpi_id[sizeof(devs[0].id)];
57114 buf_printf(&mod->dev_table_buf,
57115 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57116 @@ -467,7 +467,7 @@ static void do_pnp_card_entries(void *sy
57118 for (j = 0; j < PNP_MAX_DEVICES; j++) {
57119 const char *id = (char *)card->devs[j].id;
57121 + unsigned int i2, j2;
57125 @@ -493,7 +493,7 @@ static void do_pnp_card_entries(void *sy
57126 /* add an individual alias for every device entry */
57128 char acpi_id[sizeof(card->devs[0].id)];
57132 buf_printf(&mod->dev_table_buf,
57133 "MODULE_ALIAS(\"pnp:d%s*\");\n", id);
57134 @@ -768,7 +768,7 @@ static void dmi_ascii_filter(char *d, co
57135 static int do_dmi_entry(const char *filename, struct dmi_system_id *id,
57139 + unsigned int i, j;
57141 sprintf(alias, "dmi*");
57143 diff -urNp linux-2.6.36.1/scripts/mod/modpost.c linux-2.6.36.1/scripts/mod/modpost.c
57144 --- linux-2.6.36.1/scripts/mod/modpost.c 2010-10-20 16:30:22.000000000 -0400
57145 +++ linux-2.6.36.1/scripts/mod/modpost.c 2010-11-06 18:58:15.000000000 -0400
57146 @@ -895,6 +895,7 @@ enum mismatch {
57147 ANY_INIT_TO_ANY_EXIT,
57148 ANY_EXIT_TO_ANY_INIT,
57149 EXPORT_TO_INIT_EXIT,
57153 struct sectioncheck {
57154 @@ -1003,6 +1004,12 @@ const struct sectioncheck sectioncheck[]
57155 .tosec = { INIT_SECTIONS, EXIT_SECTIONS, NULL },
57156 .mismatch = EXPORT_TO_INIT_EXIT,
57157 .symbol_white_list = { DEFAULT_SYMBOL_WHITE_LIST, NULL },
57159 +/* Do not reference code from writable data */
57161 + .fromsec = { DATA_SECTIONS, NULL },
57162 + .tosec = { TEXT_SECTIONS, NULL },
57163 + .mismatch = DATA_TO_TEXT
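Review bot: The new `DATA_TO_TEXT` entry appears to set no `.symbol_white_list`, unlike the `EXPORT_TO_INIT_EXIT` entry just above it that carries `DEFAULT_SYMBOL_WHITE_LIST`; the closing of the initializer is elided, so this is inferred from the missing trailing comma. If that is deliberate — no symbol may be exempt from the writable-data-to-text check — a comment on the entry, e.g. `/* no symbol_white_list: every writable-data -> text reference is reported */`, would stop a later reader from treating it as an omission. The sectioncheck table continues outside the hunk.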
57167 @@ -1125,10 +1132,10 @@ static Elf_Sym *find_elf_symbol(struct e
57169 if (ELF_ST_TYPE(sym->st_info) == STT_SECTION)
57171 - if (sym->st_value == addr)
57173 /* Find a symbol nearby - addr are maybe negative */
57174 d = sym->st_value - addr;
57178 d = addr - sym->st_value;
57179 if (d < distance) {
57180 @@ -1397,6 +1404,14 @@ static void report_sec_mismatch(const ch
57181 tosym, prl_to, prl_to, tosym);
57184 + case DATA_TO_TEXT:
57187 + "The variable %s references\n"
57188 + "the %s %s%s%s\n",
57189 + fromsym, to, sec2annotation(tosec), tosym, to_p);
57193 fprintf(stderr, "\n");
57195 @@ -1720,7 +1735,7 @@ void __attribute__((format(printf, 2, 3)
57199 -void buf_write(struct buffer *buf, const char *s, int len)
57200 +void buf_write(struct buffer *buf, const char *s, unsigned int len)
57202 if (buf->size - buf->pos < len) {
57203 buf->size += len + SZ;
57204 @@ -1932,7 +1947,7 @@ static void write_if_changed(struct buff
57205 if (fstat(fileno(file), &st) < 0)
57208 - if (st.st_size != b->pos)
57209 + if (st.st_size != (off_t)b->pos)
57212 tmp = NOFAIL(malloc(b->pos));
57213 diff -urNp linux-2.6.36.1/scripts/mod/modpost.h linux-2.6.36.1/scripts/mod/modpost.h
57214 --- linux-2.6.36.1/scripts/mod/modpost.h 2010-10-20 16:30:22.000000000 -0400
57215 +++ linux-2.6.36.1/scripts/mod/modpost.h 2010-11-06 18:58:15.000000000 -0400
57216 @@ -92,15 +92,15 @@ void *do_nofail(void *ptr, const char *e
57222 + unsigned int pos;
57223 + unsigned int size;
57226 void __attribute__((format(printf, 2, 3)))
57227 buf_printf(struct buffer *buf, const char *fmt, ...);
57230 -buf_write(struct buffer *buf, const char *s, int len);
57231 +buf_write(struct buffer *buf, const char *s, unsigned int len);
57234 struct module *next;
57235 diff -urNp linux-2.6.36.1/scripts/mod/sumversion.c linux-2.6.36.1/scripts/mod/sumversion.c
57236 --- linux-2.6.36.1/scripts/mod/sumversion.c 2010-10-20 16:30:22.000000000 -0400
57237 +++ linux-2.6.36.1/scripts/mod/sumversion.c 2010-11-06 18:58:15.000000000 -0400
57238 @@ -455,7 +455,7 @@ static void write_version(const char *fi
57242 - if (write(fd, sum, strlen(sum)+1) != strlen(sum)+1) {
57243 + if (write(fd, sum, strlen(sum)+1) != (ssize_t)strlen(sum)+1) {
57244 warn("writing sum in %s failed: %s\n",
57245 filename, strerror(errno));
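Review bot: `(ssize_t)strlen(sum)+1` relies on the cast binding to `strlen(sum)` alone, with the `+1` added afterwards; the value is the same either way, but the intent (compare the full byte count) is clearer as `(ssize_t)(strlen(sum)+1)`, and computing the length once, `size_t n = strlen(sum) + 1; if (write(fd, sum, n) != (ssize_t)n) {`, avoids calling `strlen` twice on the same string. The rest of write_version is outside the hunk.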
57247 diff -urNp linux-2.6.36.1/scripts/pnmtologo.c linux-2.6.36.1/scripts/pnmtologo.c
57248 --- linux-2.6.36.1/scripts/pnmtologo.c 2010-10-20 16:30:22.000000000 -0400
57249 +++ linux-2.6.36.1/scripts/pnmtologo.c 2010-11-06 18:58:15.000000000 -0400
57250 @@ -237,14 +237,14 @@ static void write_header(void)
57251 fprintf(out, " * Linux logo %s\n", logoname);
57252 fputs(" */\n\n", out);
57253 fputs("#include <linux/linux_logo.h>\n\n", out);
57254 - fprintf(out, "static unsigned char %s_data[] __initdata = {\n",
57255 + fprintf(out, "static unsigned char %s_data[] = {\n",
57259 static void write_footer(void)
57261 fputs("\n};\n\n", out);
57262 - fprintf(out, "const struct linux_logo %s __initconst = {\n", logoname);
57263 + fprintf(out, "const struct linux_logo %s = {\n", logoname);
57264 fprintf(out, "\t.type\t\t= %s,\n", logo_types[logo_type]);
57265 fprintf(out, "\t.width\t\t= %d,\n", logo_width);
57266 fprintf(out, "\t.height\t\t= %d,\n", logo_height);
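Review bot: Dropping `__initdata` and `__initconst` from the generated logo arrays means that data stays resident after boot instead of being freed with init memory, and the hunk gives no reason for the trade-off. A comment in write_header() (and the matching line in write_footer()/write_logo_clut224()) stating why the logo must outlive init under this patch, e.g. `/* not __initdata: the logo data must remain mapped after init is discarded */`, would keep a future cleanup from re-adding the annotations. write_header() starts outside the hunk.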
57267 @@ -374,7 +374,7 @@ static void write_logo_clut224(void)
57268 fputs("\n};\n\n", out);
57270 /* write logo clut */
57271 - fprintf(out, "static unsigned char %s_clut[] __initdata = {\n",
57272 + fprintf(out, "static unsigned char %s_clut[] = {\n",
57275 for (i = 0; i < logo_clutsize; i++) {
57276 diff -urNp linux-2.6.36.1/security/apparmor/lsm.c linux-2.6.36.1/security/apparmor/lsm.c
57277 --- linux-2.6.36.1/security/apparmor/lsm.c 2010-10-20 16:30:22.000000000 -0400
57278 +++ linux-2.6.36.1/security/apparmor/lsm.c 2010-11-06 19:46:26.000000000 -0400
57279 @@ -619,7 +619,7 @@ static int apparmor_task_setrlimit(struc
57283 -static struct security_operations apparmor_ops = {
57284 +static struct security_operations apparmor_ops __read_only = {
57285 .name = "apparmor",
57287 .ptrace_access_check = apparmor_ptrace_access_check,
57288 diff -urNp linux-2.6.36.1/security/commoncap.c linux-2.6.36.1/security/commoncap.c
57289 --- linux-2.6.36.1/security/commoncap.c 2010-10-20 16:30:22.000000000 -0400
57290 +++ linux-2.6.36.1/security/commoncap.c 2010-11-26 18:18:12.000000000 -0500
57292 #include <linux/securebits.h>
57293 #include <linux/syslog.h>
57294 #include <linux/vs_context.h>
57295 +#include <net/sock.h>
57298 * If a non-root user executes a setuid-root binary in
57299 @@ -51,9 +52,11 @@ static void warn_setuid_and_fcaps_mixed(
57303 +extern kernel_cap_t gr_cap_rtnetlink(struct sock *sk);
57305 int cap_netlink_send(struct sock *sk, struct sk_buff *skb)
57307 - NETLINK_CB(skb).eff_cap = vx_mbcaps(current_cap());
57308 + NETLINK_CB(skb).eff_cap = vx_mbcaps(gr_cap_rtnetlink(sk));
57312 @@ -535,6 +538,9 @@ int cap_bprm_secureexec(struct linux_bin
57314 const struct cred *cred = current_cred();
57316 + if (gr_acl_enable_at_secure())
57319 if (cred->uid != 0) {
57320 if (bprm->cap_effective)
57322 diff -urNp linux-2.6.36.1/security/integrity/ima/ima_api.c linux-2.6.36.1/security/integrity/ima/ima_api.c
57323 --- linux-2.6.36.1/security/integrity/ima/ima_api.c 2010-10-20 16:30:22.000000000 -0400
57324 +++ linux-2.6.36.1/security/integrity/ima/ima_api.c 2010-11-06 18:58:15.000000000 -0400
57325 @@ -75,7 +75,7 @@ void ima_add_violation(struct inode *ino
57328 /* can overflow, only indicator */
57329 - atomic_long_inc(&ima_htable.violations);
57330 + atomic_long_inc_unchecked(&ima_htable.violations);
57332 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
57334 diff -urNp linux-2.6.36.1/security/integrity/ima/ima_fs.c linux-2.6.36.1/security/integrity/ima/ima_fs.c
57335 --- linux-2.6.36.1/security/integrity/ima/ima_fs.c 2010-10-20 16:30:22.000000000 -0400
57336 +++ linux-2.6.36.1/security/integrity/ima/ima_fs.c 2010-11-06 18:58:15.000000000 -0400
57337 @@ -28,12 +28,12 @@
57338 static int valid_policy = 1;
57339 #define TMPBUFLEN 12
57340 static ssize_t ima_show_htable_value(char __user *buf, size_t count,
57341 - loff_t *ppos, atomic_long_t *val)
57342 + loff_t *ppos, atomic_long_unchecked_t *val)
57344 char tmpbuf[TMPBUFLEN];
57347 - len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read(val));
57348 + len = scnprintf(tmpbuf, TMPBUFLEN, "%li\n", atomic_long_read_unchecked(val));
57349 return simple_read_from_buffer(buf, count, ppos, tmpbuf, len);
57352 diff -urNp linux-2.6.36.1/security/integrity/ima/ima.h linux-2.6.36.1/security/integrity/ima/ima.h
57353 --- linux-2.6.36.1/security/integrity/ima/ima.h 2010-10-20 16:30:22.000000000 -0400
57354 +++ linux-2.6.36.1/security/integrity/ima/ima.h 2010-11-06 18:58:15.000000000 -0400
57355 @@ -84,8 +84,8 @@ void ima_add_violation(struct inode *ino
57356 extern spinlock_t ima_queue_lock;
57358 struct ima_h_table {
57359 - atomic_long_t len; /* number of stored measurements in the list */
57360 - atomic_long_t violations;
57361 + atomic_long_unchecked_t len; /* number of stored measurements in the list */
57362 + atomic_long_unchecked_t violations;
57363 struct hlist_head queue[IMA_MEASURE_HTABLE_SIZE];
57365 extern struct ima_h_table ima_htable;
57366 diff -urNp linux-2.6.36.1/security/integrity/ima/ima_queue.c linux-2.6.36.1/security/integrity/ima/ima_queue.c
57367 --- linux-2.6.36.1/security/integrity/ima/ima_queue.c 2010-10-20 16:30:22.000000000 -0400
57368 +++ linux-2.6.36.1/security/integrity/ima/ima_queue.c 2010-11-06 18:58:15.000000000 -0400
57369 @@ -79,7 +79,7 @@ static int ima_add_digest_entry(struct i
57370 INIT_LIST_HEAD(&qe->later);
57371 list_add_tail_rcu(&qe->later, &ima_measurements);
57373 - atomic_long_inc(&ima_htable.len);
57374 + atomic_long_inc_unchecked(&ima_htable.len);
57375 key = ima_hash_key(entry->digest);
57376 hlist_add_head_rcu(&qe->hnext, &ima_htable.queue[key]);
57378 diff -urNp linux-2.6.36.1/security/Kconfig linux-2.6.36.1/security/Kconfig
57379 --- linux-2.6.36.1/security/Kconfig 2010-10-20 16:30:22.000000000 -0400
57380 +++ linux-2.6.36.1/security/Kconfig 2010-11-06 18:58:50.000000000 -0400
57383 menu "Security options"
57385 +source grsecurity/Kconfig
57389 + config PAX_PER_CPU_PGD
57392 + config TASK_SIZE_MAX_SHIFT
57394 + depends on X86_64
57395 + default 47 if !PAX_PER_CPU_PGD
57396 + default 42 if PAX_PER_CPU_PGD
57398 + config PAX_ENABLE_PAE
57400 + default y if (X86_32 && (MPENTIUM4 || MK8 || MPSC || MCORE2 || MATOM))
57403 + bool "Enable various PaX features"
57404 + depends on GRKERNSEC && (ALPHA || ARM || AVR32 || IA64 || MIPS || PARISC || PPC || SPARC || X86)
57406 + This allows you to enable various PaX features. PaX adds
57407 + intrusion prevention mechanisms to the kernel that reduce
57408 + the risks posed by exploitable memory corruption bugs.
57410 +menu "PaX Control"
57413 +config PAX_SOFTMODE
57414 + bool 'Support soft mode'
57415 + select PAX_PT_PAX_FLAGS
57417 + Enabling this option will allow you to run PaX in soft mode, that
57418 + is, PaX features will not be enforced by default, only on executables
57419 + marked explicitly. You must also enable PT_PAX_FLAGS support as it
57420 + is the only way to mark executables for soft mode use.
57422 + Soft mode can be activated by using the "pax_softmode=1" kernel command
57423 + line option on boot. Furthermore you can control various PaX features
57424 + at runtime via the entries in /proc/sys/kernel/pax.
57427 + bool 'Use legacy ELF header marking'
57429 + Enabling this option will allow you to control PaX features on
57430 + a per executable basis via the 'chpax' utility available at
57431 + http://pax.grsecurity.net/. The control flags will be read from
57432 + an otherwise reserved part of the ELF header. This marking has
57433 + numerous drawbacks (no support for soft-mode, toolchain does not
57434 + know about the non-standard use of the ELF header) therefore it
57435 + has been deprecated in favour of PT_PAX_FLAGS support.
57437 + If you have applications not marked by the PT_PAX_FLAGS ELF
57438 + program header then you MUST enable this option otherwise they
57439 + will not get any protection.
57441 + Note that if you enable PT_PAX_FLAGS marking support as well,
57442 + the PT_PAX_FLAG marks will override the legacy EI_PAX marks.
57444 +config PAX_PT_PAX_FLAGS
57445 + bool 'Use ELF program header marking'
57447 + Enabling this option will allow you to control PaX features on
57448 + a per executable basis via the 'paxctl' utility available at
57449 + http://pax.grsecurity.net/. The control flags will be read from
57450 + a PaX specific ELF program header (PT_PAX_FLAGS). This marking
57451 + has the benefits of supporting both soft mode and being fully
57452 + integrated into the toolchain (the binutils patch is available
57453 + from http://pax.grsecurity.net).
57455 + If you have applications not marked by the PT_PAX_FLAGS ELF
57456 + program header then you MUST enable the EI_PAX marking support
57457 + otherwise they will not get any protection.
57459 + Note that if you enable the legacy EI_PAX marking support as well,
57460 + the EI_PAX marks will be overridden by the PT_PAX_FLAGS marks.
57463 + prompt 'MAC system integration'
57464 + default PAX_HAVE_ACL_FLAGS
57466 + Mandatory Access Control systems have the option of controlling
57467 + PaX flags on a per executable basis, choose the method supported
57468 + by your particular system.
57470 + - "none": if your MAC system does not interact with PaX,
57471 + - "direct": if your MAC system defines pax_set_initial_flags() itself,
57472 + - "hook": if your MAC system uses the pax_set_initial_flags_func callback.
57474 + NOTE: this option is for developers/integrators only.
57476 + config PAX_NO_ACL_FLAGS
57479 + config PAX_HAVE_ACL_FLAGS
57482 + config PAX_HOOK_ACL_FLAGS
57488 +menu "Non-executable pages"
57492 + bool "Enforce non-executable pages"
57493 + depends on (PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS) && (ALPHA || (ARM && (CPU_V6 || CPU_V7)) || IA64 || MIPS || PARISC || PPC || S390 || SPARC || X86)
57495 + By design some architectures do not allow for protecting memory
57496 + pages against execution or even if they do, Linux does not make
57497 + use of this feature. In practice this means that if a page is
57498 + readable (such as the stack or heap) it is also executable.
57500 + There is a well known exploit technique that makes use of this
57501 + fact and a common programming mistake where an attacker can
57502 + introduce code of his choice somewhere in the attacked program's
57503 + memory (typically the stack or the heap) and then execute it.
57505 + If the attacked program was running with different (typically
57506 + higher) privileges than that of the attacker, then he can elevate
57507 + his own privilege level (e.g. get a root shell, write to files for
57508 + which he does not have write access to, etc).
57510 + Enabling this option will let you choose from various features
57511 + that prevent the injection and execution of 'foreign' code in
57514 + This will also break programs that rely on the old behaviour and
57515 + expect that dynamically allocated memory via the malloc() family
57516 + of functions is executable (which it is not). Notable examples
57517 + are the XFree86 4.x server, the java runtime and wine.
57519 +config PAX_PAGEEXEC
57520 + bool "Paging based non-executable pages"
57521 + depends on PAX_NOEXEC && (!X86_32 || M586 || M586TSC || M586MMX || M686 || MPENTIUMII || MPENTIUMIII || MPENTIUMM || MCORE2 || MATOM || MPENTIUM4 || MPSC || MK7 || MK8 || MWINCHIPC6 || MWINCHIP2 || MWINCHIP3D || MVIAC3_2 || MVIAC7)
57522 + select S390_SWITCH_AMODE if S390
57523 + select S390_EXEC_PROTECT if S390
57525 + This implementation is based on the paging feature of the CPU.
57526 + On i386 without hardware non-executable bit support there is a
57527 + variable but usually low performance impact, however on Intel's
57528 + P4 core based CPUs it is very high so you should not enable this
57529 + for kernels meant to be used on such CPUs.
57531 + On alpha, avr32, ia64, parisc, sparc, sparc64, x86_64 and i386
57532 + with hardware non-executable bit support there is no performance
57533 + impact, on ppc the impact is negligible.
57535 + Note that several architectures require various emulations due to
57536 + badly designed userland ABIs, this will cause a performance impact
57537 + but will disappear as soon as userland is fixed. For example, ppc
57538 + userland MUST have been built with secure-plt by a recent toolchain.
57540 +config PAX_SEGMEXEC
57541 + bool "Segmentation based non-executable pages"
57542 + depends on PAX_NOEXEC && X86_32
57544 + This implementation is based on the segmentation feature of the
57545 + CPU and has a very small performance impact, however applications
57546 + will be limited to a 1.5 GB address space instead of the normal
57549 +config PAX_EMUTRAMP
57550 + bool "Emulate trampolines" if (PAX_PAGEEXEC || PAX_SEGMEXEC) && (PARISC || X86)
57551 + default y if PARISC
57553 + There are some programs and libraries that for one reason or
57554 + another attempt to execute special small code snippets from
57555 + non-executable memory pages. Most notable examples are the
57556 + signal handler return code generated by the kernel itself and
57557 + the GCC trampolines.
57559 + If you enabled CONFIG_PAX_PAGEEXEC or CONFIG_PAX_SEGMEXEC then
57560 + such programs will no longer work under your kernel.
57562 + As a remedy you can say Y here and use the 'chpax' or 'paxctl'
57563 + utilities to enable trampoline emulation for the affected programs
57564 + yet still have the protection provided by the non-executable pages.
57566 + On parisc you MUST enable this option and EMUSIGRT as well, otherwise
57567 + your system will not even boot.
57569 + Alternatively you can say N here and use the 'chpax' or 'paxctl'
57570 + utilities to disable CONFIG_PAX_PAGEEXEC and CONFIG_PAX_SEGMEXEC
57571 + for the affected files.
57573 + NOTE: enabling this feature *may* open up a loophole in the
57574 + protection provided by non-executable pages that an attacker
57575 + could abuse. Therefore the best solution is to not have any
57576 + files on your system that would require this option. This can
57577 + be achieved by not using libc5 (which relies on the kernel
57578 + signal handler return code) and not using or rewriting programs
57579 + that make use of the nested function implementation of GCC.
57580 + Skilled users can just fix GCC itself so that it implements
57581 + nested function calls in a way that does not interfere with PaX.
57583 +config PAX_EMUSIGRT
57584 + bool "Automatically emulate sigreturn trampolines"
57585 + depends on PAX_EMUTRAMP && PARISC
57588 + Enabling this option will have the kernel automatically detect
57589 + and emulate signal return trampolines executing on the stack
57590 + that would otherwise lead to task termination.
57592 + This solution is intended as a temporary one for users with
57593 + legacy versions of libc (libc5, glibc 2.0, uClibc before 0.9.17,
57594 + Modula-3 runtime, etc) or executables linked to such, basically
57595 + everything that does not specify its own SA_RESTORER function in
57596 + normal executable memory like glibc 2.1+ does.
57598 + On parisc you MUST enable this option, otherwise your system will
57601 + NOTE: this feature cannot be disabled on a per executable basis
57602 + and since it *does* open up a loophole in the protection provided
57603 + by non-executable pages, the best solution is to not have any
57604 + files on your system that would require this option.
57606 +config PAX_MPROTECT
57607 + bool "Restrict mprotect()"
57608 + depends on (PAX_PAGEEXEC || PAX_SEGMEXEC)
57610 + Enabling this option will prevent programs from
57611 + - changing the executable status of memory pages that were
57612 + not originally created as executable,
57613 + - making read-only executable pages writable again,
57614 + - creating executable pages from anonymous memory,
57615 + - making read-only-after-relocations (RELRO) data pages writable again.
57617 + You should say Y here to complete the protection provided by
57618 + the enforcement of non-executable pages.
57620 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
57621 + this feature on a per file basis.
57623 +config PAX_ELFRELOCS
57624 + bool "Allow ELF text relocations (read help)"
57625 + depends on PAX_MPROTECT
57628 + Non-executable pages and mprotect() restrictions are effective
57629 + in preventing the introduction of new executable code into an
57630 + attacked task's address space. There remain only two venues
57631 + for this kind of attack: if the attacker can execute already
57632 + existing code in the attacked task then he can either have it
57633 + create and mmap() a file containing his code or have it mmap()
57634 + an already existing ELF library that does not have position
57635 + independent code in it and use mprotect() on it to make it
57636 + writable and copy his code there. While protecting against
57637 + the former approach is beyond PaX, the latter can be prevented
57638 + by having only PIC ELF libraries on one's system (which do not
57639 + need to relocate their code). If you are sure this is your case,
57640 + as is the case with all modern Linux distributions, then leave
57641 + this option disabled. You should say 'n' here.
57643 +config PAX_ETEXECRELOCS
57644 + bool "Allow ELF ET_EXEC text relocations"
57645 + depends on PAX_MPROTECT && (ALPHA || IA64 || PARISC)
57646 + select PAX_ELFRELOCS
57649 + On some architectures there are incorrectly created applications
57650 + that require text relocations and would not work without enabling
57651 + this option. If you are an alpha, ia64 or parisc user, you should
57652 + enable this option and disable it once you have made sure that
57653 + none of your applications need it.
57656 + bool "Automatically emulate ELF PLT"
57657 + depends on PAX_MPROTECT && (ALPHA || PARISC || SPARC)
57660 + Enabling this option will have the kernel automatically detect
57661 + and emulate the Procedure Linkage Table entries in ELF files.
57662 + On some architectures such entries are in writable memory, and
57663 + become non-executable leading to task termination. Therefore
57664 + it is mandatory that you enable this option on alpha, parisc,
57665 + sparc and sparc64, otherwise your system would not even boot.
57667 + NOTE: this feature *does* open up a loophole in the protection
57668 + provided by the non-executable pages, therefore the proper
57669 + solution is to modify the toolchain to produce a PLT that does
57670 + not need to be writable.
57672 +config PAX_DLRESOLVE
57673 + bool 'Emulate old glibc resolver stub'
57674 + depends on PAX_EMUPLT && SPARC
57677 + This option is needed if userland has an old glibc (before 2.4)
57678 + that puts a 'save' instruction into the runtime generated resolver
57679 + stub that needs special emulation.
57681 +config PAX_KERNEXEC
57682 + bool "Enforce non-executable kernel pages"
57683 + depends on PAX_NOEXEC && (PPC || X86) && (!X86_32 || X86_WP_WORKS_OK) && !XEN
57684 + select PAX_PER_CPU_PGD if X86_64 || (X86_32 && X86_PAE)
57686 + This is the kernel land equivalent of PAGEEXEC and MPROTECT,
57687 + that is, enabling this option will make it harder to inject
57688 + and execute 'foreign' code in kernel memory itself.
57690 +config PAX_KERNEXEC_MODULE_TEXT
57691 + int "Minimum amount of memory reserved for module code"
57693 + depends on PAX_KERNEXEC && X86_32 && MODULES
57695 + Due to implementation details the kernel must reserve a fixed
57696 + amount of memory for module code at compile time that cannot be
57697 + changed at runtime. Here you can specify the minimum amount
57698 + in MB that will be reserved. Due to the same implementation
57699 + details this size will always be rounded up to the next 2/4 MB
57700 + boundary (depends on PAE) so the actually available memory for
57701 + module code will usually be more than this minimum.
57703 + The default 4 MB should be enough for most users but if you have
57704 + an excessive number of modules (e.g., most distribution configs
57705 + compile many drivers as modules) or use huge modules such as
57706 + nvidia's kernel driver, you will need to adjust this amount.
57707 + A good rule of thumb is to look at your currently loaded kernel
57708 + modules and add up their sizes.
57712 +menu "Address Space Layout Randomization"
57716 + bool "Address Space Layout Randomization"
57717 + depends on PAX_EI_PAX || PAX_PT_PAX_FLAGS || PAX_HAVE_ACL_FLAGS || PAX_HOOK_ACL_FLAGS
57719 + Many if not most exploit techniques rely on the knowledge of
57720 + certain addresses in the attacked program. The following options
57721 + will allow the kernel to apply a certain amount of randomization
57722 + to specific parts of the program thereby forcing an attacker to
57723 + guess them in most cases. Any failed guess will most likely crash
57724 + the attacked program which allows the kernel to detect such attempts
57725 + and react on them. PaX itself provides no reaction mechanisms,
57726 + instead it is strongly encouraged that you make use of Nergal's
57727 + segvguard (ftp://ftp.pl.openwall.com/misc/segvguard/) or grsecurity's
57728 + (http://www.grsecurity.net/) built-in crash detection features or
57729 + develop one yourself.
57731 + By saying Y here you can choose to randomize the following areas:
57732 + - top of the task's kernel stack
57733 + - top of the task's userland stack
57734 + - base address for mmap() requests that do not specify one
57735 + (this includes all libraries)
57736 + - base address of the main executable
57738 + It is strongly recommended to say Y here as address space layout
57739 + randomization has negligible impact on performance yet it provides
57740 + a very effective protection.
57742 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control
57743 + this feature on a per file basis.
57745 +config PAX_RANDKSTACK
57746 + bool "Randomize kernel stack base"
57747 + depends on PAX_ASLR && X86_TSC && X86_32
57749 + By saying Y here the kernel will randomize every task's kernel
57750 + stack on every system call. This will not only force an attacker
57751 + to guess it but also prevent him from making use of possible
57752 + leaked information about it.
57754 + Since the kernel stack is a rather scarce resource, randomization
57755 + may cause unexpected stack overflows, therefore you should very
57756 + carefully test your system. Note that once enabled in the kernel
57757 + configuration, this feature cannot be disabled on a per file basis.
57759 +config PAX_RANDUSTACK
57760 + bool "Randomize user stack base"
57761 + depends on PAX_ASLR
57763 + By saying Y here the kernel will randomize every task's userland
57764 + stack. The randomization is done in two steps where the second
57765 + one may apply a big amount of shift to the top of the stack and
57766 + cause problems for programs that want to use lots of memory (more
57767 + than 2.5 GB if SEGMEXEC is not active, or 1.25 GB when it is).
57768 + For this reason the second step can be controlled by 'chpax' or
57769 + 'paxctl' on a per file basis.
57771 +config PAX_RANDMMAP
57772 + bool "Randomize mmap() base"
57773 + depends on PAX_ASLR
57775 + By saying Y here the kernel will use a randomized base address for
57776 + mmap() requests that do not specify one themselves. As a result
57777 + all dynamically loaded libraries will appear at random addresses
57778 + and therefore be harder to exploit by a technique where an attacker
57779 + attempts to execute library code for his purposes (e.g. spawn a
57780 + shell from an exploited program that is running at an elevated
57781 + privilege level).
57783 + Furthermore, if a program is relinked as a dynamic ELF file, its
57784 + base address will be randomized as well, completing the full
57785 + randomization of the address space layout. Attacking such programs
57786 + becomes a guess game. You can find an example of doing this at
57787 + http://pax.grsecurity.net/et_dyn.tar.gz and practical samples at
57788 + http://www.grsecurity.net/grsec-gcc-specs.tar.gz .
57790 + NOTE: you can use the 'chpax' or 'paxctl' utilities to control this
57791 + feature on a per file basis.
57795 +menu "Miscellaneous hardening features"
57797 +config PAX_MEMORY_SANITIZE
57798 + bool "Sanitize all freed memory"
57800 + By saying Y here the kernel will erase memory pages as soon as they
57801 + are freed. This in turn reduces the lifetime of data stored in the
57802 + pages, making it less likely that sensitive information such as
57803 + passwords, cryptographic secrets, etc stay in memory for too long.
57805 + This is especially useful for programs whose runtime is short, long
57806 + lived processes and the kernel itself benefit from this as long as
57807 + they operate on whole memory pages and ensure timely freeing of pages
57808 + that may hold sensitive information.
57810 + The tradeoff is performance impact, on a single CPU system kernel
57811 + compilation sees a 3% slowdown, other systems and workloads may vary
57812 + and you are advised to test this feature on your expected workload
57813 + before deploying it.
57815 + Note that this feature does not protect data stored in live pages,
57816 + e.g., process memory swapped to disk may stay there for a long time.
57818 +config PAX_MEMORY_UDEREF
57819 + bool "Prevent invalid userland pointer dereference"
57820 + depends on X86 && !UML_X86 && !XEN
57821 + select PAX_PER_CPU_PGD if X86_64
57823 + By saying Y here the kernel will be prevented from dereferencing
57824 + userland pointers in contexts where the kernel expects only kernel
57825 + pointers. This is both a useful runtime debugging feature and a
57826 + security measure that prevents exploiting a class of kernel bugs.
57828 + The tradeoff is that some virtualization solutions may experience
57829 + a huge slowdown and therefore you should not enable this feature
57830 + for kernels meant to run in such environments. Whether a given VM
57831 + solution is affected or not is best determined by simply trying it
57832 + out, the performance impact will be obvious right on boot as this
57833 + mechanism engages from very early on. A good rule of thumb is that
57834 + VMs running on CPUs without hardware virtualization support (i.e.,
57835 + the majority of IA-32 CPUs) will likely experience the slowdown.
57837 +config PAX_REFCOUNT
57838 + bool "Prevent various kernel object reference counter overflows"
57839 + depends on GRKERNSEC && (X86 || SPARC64)
57841 + By saying Y here the kernel will detect and prevent overflowing
57842 + various (but not all) kinds of object reference counters. Such
57843 + overflows can normally occur due to bugs only and are often, if
57844 + not always, exploitable.
57846 + The tradeoff is that data structures protected by an overflowed
57847 + refcount will never be freed and therefore will leak memory. Note
57848 + that this leak also happens even without this protection but in
57849 + that case the overflow can eventually trigger the freeing of the
57850 + data structure while it is still being used elsewhere, resulting
57851 + in the exploitable situation that this feature prevents.
57853 + Since this has a negligible performance impact, you should enable
57856 +config PAX_USERCOPY
57857 + bool "Bounds check heap object copies between kernel and userland"
57858 + depends on X86 || PPC || SPARC
57859 + depends on GRKERNSEC && (SLAB || SLUB || SLOB)
57861 + By saying Y here the kernel will enforce the size of heap objects
57862 + when they are copied in either direction between the kernel and
57863 + userland, even if only a part of the heap object is copied.
57865 + Specifically, this checking prevents information leaking from the
57866 + kernel heap during kernel to userland copies (if the kernel heap
57867 + object is otherwise fully initialized) and prevents kernel heap
57868 + overflows during userland to kernel copies.
57870 + Note that the current implementation provides the strictest checks
57871 + for the SLUB allocator.
57873 + If frame pointers are enabled on x86, this option will also
57874 + restrict copies into and out of the kernel stack to local variables
57875 + within a single frame.
57877 + Since this has a negligible performance impact, you should enable
57885 bool "Enable access key retention support"
57887 @@ -124,7 +623,7 @@ config INTEL_TXT
57888 config LSM_MMAP_MIN_ADDR
57889 int "Low address space for LSM to protect from user allocation"
57890 depends on SECURITY && SECURITY_SELINUX
57894 This is the portion of low virtual memory which should be protected
57895 from userspace allocation. Keeping a user from writing to low pages
57896 diff -urNp linux-2.6.36.1/security/min_addr.c linux-2.6.36.1/security/min_addr.c
57897 --- linux-2.6.36.1/security/min_addr.c 2010-10-20 16:30:22.000000000 -0400
57898 +++ linux-2.6.36.1/security/min_addr.c 2010-11-06 18:58:50.000000000 -0400
57899 @@ -14,6 +14,7 @@ unsigned long dac_mmap_min_addr = CONFIG
57901 static void update_mmap_min_addr(void)
57904 #ifdef CONFIG_LSM_MMAP_MIN_ADDR
57905 if (dac_mmap_min_addr > CONFIG_LSM_MMAP_MIN_ADDR)
57906 mmap_min_addr = dac_mmap_min_addr;
57907 @@ -22,6 +23,7 @@ static void update_mmap_min_addr(void)
57909 mmap_min_addr = dac_mmap_min_addr;
57915 diff -urNp linux-2.6.36.1/security/security.c linux-2.6.36.1/security/security.c
57916 --- linux-2.6.36.1/security/security.c 2010-10-20 16:30:22.000000000 -0400
57917 +++ linux-2.6.36.1/security/security.c 2010-11-06 18:58:50.000000000 -0400
57918 @@ -25,8 +25,8 @@ static __initdata char chosen_lsm[SECURI
57919 /* things that live in capability.c */
57920 extern void __init security_fixup_ops(struct security_operations *ops);
57922 -static struct security_operations *security_ops;
57923 -static struct security_operations default_security_ops = {
57924 +static struct security_operations *security_ops __read_only;
57925 +static struct security_operations default_security_ops __read_only = {
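Review bot: Every write to `security_ops` and `default_security_ops` after init now has to sit inside pax_open_kernel()/pax_close_kernel(), and only reset_security_ops() (hunk below) is shown doing so; security_init(), named in that hunk's header, assigns `security_ops` and hands `&default_security_ops` to the non-const security_fixup_ops() declared two lines up, and register_security() also stores into `security_ops`, but neither is in this view, so the change presumably relies on those being __init-time writes to a section that is still writable then — worth confirming. A comment at the declaration would record the invariant for the next maintainer: `/* written only at __init time or under pax_open_kernel()/pax_close_kernel() */`. The same assumption covers the `__read_only` ops tables in the security/selinux/hooks.c, security/smack/smack_lsm.c and security/tomoyo/tomoyo.c hunks, which register_security() fills in via security_fixup_ops() during init if I read the 2.6.36 tree correctly.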
57929 @@ -67,7 +67,9 @@ int __init security_init(void)
57931 void reset_security_ops(void)
57933 + pax_open_kernel();
57934 security_ops = &default_security_ops;
57935 + pax_close_kernel();
57938 /* Save user chosen LSM */
57939 diff -urNp linux-2.6.36.1/security/selinux/hooks.c linux-2.6.36.1/security/selinux/hooks.c
57940 --- linux-2.6.36.1/security/selinux/hooks.c 2010-10-20 16:30:22.000000000 -0400
57941 +++ linux-2.6.36.1/security/selinux/hooks.c 2010-11-06 18:58:50.000000000 -0400
57943 #define NUM_SEL_MNT_OPTS 5
57945 extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
57946 -extern struct security_operations *security_ops;
57948 /* SECMARK reference count */
57949 atomic_t selinux_secmark_refcount = ATOMIC_INIT(0);
57950 @@ -5371,7 +5370,7 @@ static int selinux_key_getsecurity(struc
57954 -static struct security_operations selinux_ops = {
57955 +static struct security_operations selinux_ops __read_only = {
57958 .ptrace_access_check = selinux_ptrace_access_check,
57959 diff -urNp linux-2.6.36.1/security/smack/smack_lsm.c linux-2.6.36.1/security/smack/smack_lsm.c
57960 --- linux-2.6.36.1/security/smack/smack_lsm.c 2010-10-20 16:30:22.000000000 -0400
57961 +++ linux-2.6.36.1/security/smack/smack_lsm.c 2010-11-06 18:58:15.000000000 -0400
57962 @@ -3056,7 +3056,7 @@ static int smack_inode_getsecctx(struct
57966 -struct security_operations smack_ops = {
57967 +struct security_operations smack_ops __read_only = {
57970 .ptrace_access_check = smack_ptrace_access_check,
57971 diff -urNp linux-2.6.36.1/security/tomoyo/tomoyo.c linux-2.6.36.1/security/tomoyo/tomoyo.c
57972 --- linux-2.6.36.1/security/tomoyo/tomoyo.c 2010-10-20 16:30:22.000000000 -0400
57973 +++ linux-2.6.36.1/security/tomoyo/tomoyo.c 2010-11-06 18:58:15.000000000 -0400
57974 @@ -240,7 +240,7 @@ static int tomoyo_sb_pivotroot(struct pa
57975 * tomoyo_security_ops is a "struct security_operations" which is used for
57976 * registering TOMOYO.
57978 -static struct security_operations tomoyo_security_ops = {
57979 +static struct security_operations tomoyo_security_ops __read_only = {
57981 .cred_alloc_blank = tomoyo_cred_alloc_blank,
57982 .cred_prepare = tomoyo_cred_prepare,
57983 diff -urNp linux-2.6.36.1/sound/aoa/codecs/onyx.c linux-2.6.36.1/sound/aoa/codecs/onyx.c
57984 --- linux-2.6.36.1/sound/aoa/codecs/onyx.c 2010-10-20 16:30:22.000000000 -0400
57985 +++ linux-2.6.36.1/sound/aoa/codecs/onyx.c 2010-11-06 18:58:15.000000000 -0400
57986 @@ -54,7 +54,7 @@ struct onyx {
57991 + atomic_t open_count;
57992 struct codec_info *codec_info;
57994 /* mutex serializes concurrent access to the device
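Review bot: The new `atomic_t open_count` is still touched only under `onyx->mutex` in the onyx_open and onyx_close hunks below, so the conversion does not close a race; it appears intended to bring the counter under the reference-counter overflow checking this patch configures elsewhere (PAX_REFCOUNT), and nothing at the field says so. A comment would stop the next reader from hunting for a lock-free path: `atomic_t open_count; /* atomic_t so refcount overflow checking covers it; still serialized by ->mutex */`. The same applies to the `open_count` fields added in sound/drivers/mts64.c and sound/drivers/portman2x4.c.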
57995 @@ -753,7 +753,7 @@ static int onyx_open(struct codec_info_i
57996 struct onyx *onyx = cii->codec_data;
57998 mutex_lock(&onyx->mutex);
57999 - onyx->open_count++;
58000 + atomic_inc(&onyx->open_count);
58001 mutex_unlock(&onyx->mutex);
58004 @@ -765,8 +765,7 @@ static int onyx_close(struct codec_info_
58005 struct onyx *onyx = cii->codec_data;
58007 mutex_lock(&onyx->mutex);
58008 - onyx->open_count--;
58009 - if (!onyx->open_count)
58010 + if (atomic_dec_and_test(&onyx->open_count))
58011 onyx->spdif_locked = onyx->analog_locked = 0;
58012 mutex_unlock(&onyx->mutex);
58014 diff -urNp linux-2.6.36.1/sound/core/oss/pcm_oss.c linux-2.6.36.1/sound/core/oss/pcm_oss.c
58015 --- linux-2.6.36.1/sound/core/oss/pcm_oss.c 2010-10-20 16:30:22.000000000 -0400
58016 +++ linux-2.6.36.1/sound/core/oss/pcm_oss.c 2010-11-06 18:58:15.000000000 -0400
58017 @@ -2966,8 +2966,8 @@ static void snd_pcm_oss_proc_done(struct
58020 #else /* !CONFIG_SND_VERBOSE_PROCFS */
58021 -#define snd_pcm_oss_proc_init(pcm)
58022 -#define snd_pcm_oss_proc_done(pcm)
58023 +#define snd_pcm_oss_proc_init(pcm) do {} while (0)
58024 +#define snd_pcm_oss_proc_done(pcm) do {} while (0)
58025 #endif /* CONFIG_SND_VERBOSE_PROCFS */
58028 diff -urNp linux-2.6.36.1/sound/core/seq/seq_lock.h linux-2.6.36.1/sound/core/seq/seq_lock.h
58029 --- linux-2.6.36.1/sound/core/seq/seq_lock.h 2010-10-20 16:30:22.000000000 -0400
58030 +++ linux-2.6.36.1/sound/core/seq/seq_lock.h 2010-11-06 18:58:15.000000000 -0400
58031 @@ -23,10 +23,10 @@ void snd_use_lock_sync_helper(snd_use_lo
58032 #else /* SMP || CONFIG_SND_DEBUG */
58034 typedef spinlock_t snd_use_lock_t; /* dummy */
58035 -#define snd_use_lock_init(lockp) /**/
58036 -#define snd_use_lock_use(lockp) /**/
58037 -#define snd_use_lock_free(lockp) /**/
58038 -#define snd_use_lock_sync(lockp) /**/
58039 +#define snd_use_lock_init(lockp) do {} while (0)
58040 +#define snd_use_lock_use(lockp) do {} while (0)
58041 +#define snd_use_lock_free(lockp) do {} while (0)
58042 +#define snd_use_lock_sync(lockp) do {} while (0)
58044 #endif /* SMP || CONFIG_SND_DEBUG */
58046 diff -urNp linux-2.6.36.1/sound/drivers/mts64.c linux-2.6.36.1/sound/drivers/mts64.c
58047 --- linux-2.6.36.1/sound/drivers/mts64.c 2010-10-20 16:30:22.000000000 -0400
58048 +++ linux-2.6.36.1/sound/drivers/mts64.c 2010-11-06 18:58:15.000000000 -0400
58049 @@ -66,7 +66,7 @@ struct mts64 {
58050 struct pardevice *pardev;
58051 int pardev_claimed;
58054 + atomic_t open_count;
58055 int current_midi_output_port;
58056 int current_midi_input_port;
58057 u8 mode[MTS64_NUM_INPUT_PORTS];
58058 @@ -696,7 +696,7 @@ static int snd_mts64_rawmidi_open(struct
58060 struct mts64 *mts = substream->rmidi->private_data;
58062 - if (mts->open_count == 0) {
58063 + if (atomic_read(&mts->open_count) == 0) {
58064 /* We don't need a spinlock here, because this is just called
58065 if the device has not been opened before.
58066 So there aren't any IRQs from the device */
58067 @@ -704,7 +704,7 @@ static int snd_mts64_rawmidi_open(struct
58071 - ++(mts->open_count);
58072 + atomic_inc(&mts->open_count);
58076 @@ -714,8 +714,7 @@ static int snd_mts64_rawmidi_close(struc
58077 struct mts64 *mts = substream->rmidi->private_data;
58078 unsigned long flags;
58080 - --(mts->open_count);
58081 - if (mts->open_count == 0) {
58082 + if (atomic_dec_return(&mts->open_count) == 0) {
58083 /* We need the spinlock_irqsave here because we can still
58084 have IRQs at this point */
58085 spin_lock_irqsave(&mts->lock, flags);
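Review bot: snd_mts64_rawmidi_close now reads the counter twice: `atomic_dec_return()` decides the `== 0` branch here, and the @@ -724 hunk below re-reads it with `atomic_read()` for the `< 0` clamp, so an open() that does its `atomic_inc()` between the two reads makes the clamp act on a value other than the one just decremented. Capturing the decremented value once removes that window: `int cnt = atomic_dec_return(&mts->open_count);` in the declaration block, then `if (cnt == 0) {` here and `} else if (cnt < 0)` in the later hunk, with `atomic_set(&mts->open_count, 0);` unchanged. The function body begins before this hunk, so the declaration line falls outside the visible lines.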
58086 @@ -724,8 +723,8 @@ static int snd_mts64_rawmidi_close(struc
58090 - } else if (mts->open_count < 0)
58091 - mts->open_count = 0;
58092 + } else if (atomic_read(&mts->open_count) < 0)
58093 + atomic_set(&mts->open_count, 0);
58097 diff -urNp linux-2.6.36.1/sound/drivers/portman2x4.c linux-2.6.36.1/sound/drivers/portman2x4.c
58098 --- linux-2.6.36.1/sound/drivers/portman2x4.c 2010-10-20 16:30:22.000000000 -0400
58099 +++ linux-2.6.36.1/sound/drivers/portman2x4.c 2010-11-06 18:58:15.000000000 -0400
58100 @@ -84,7 +84,7 @@ struct portman {
58101 struct pardevice *pardev;
58102 int pardev_claimed;
58105 + atomic_t open_count;
58106 int mode[PORTMAN_NUM_INPUT_PORTS];
58107 struct snd_rawmidi_substream *midi_input[PORTMAN_NUM_INPUT_PORTS];
58109 diff -urNp linux-2.6.36.1/sound/oss/sb_audio.c linux-2.6.36.1/sound/oss/sb_audio.c
58110 --- linux-2.6.36.1/sound/oss/sb_audio.c 2010-10-20 16:30:22.000000000 -0400
58111 +++ linux-2.6.36.1/sound/oss/sb_audio.c 2010-11-06 18:58:15.000000000 -0400
58112 @@ -901,7 +901,7 @@ sb16_copy_from_user(int dev,
58113 buf16 = (signed short *)(localbuf + localoffs);
58116 - locallen = (c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58117 + locallen = ((unsigned)c >= LBUFCOPYSIZE ? LBUFCOPYSIZE : c);
58118 if (copy_from_user(lbuf8,
58119 userbuf+useroffs + p,
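Review bot: The `(unsigned)c` cast makes a negative `c` clamp to LBUFCOPYSIZE instead of being passed to copy_from_user() as a huge length, but it does so silently: if `c` can be negative here (nothing in the hunk validates it), each pass now copies a full chunk and whether the surrounding loop (outside the hunk) still terminates for a negative remaining count depends on code not in view. An explicit rejection of a negative count before the copy, on the same error path the copy_from_user() failure already takes, would state the intent and avoid relying on the wraparound. A comment on the cast, `/* negative c must not reach copy_from_user() as a size_t */`, would help either way. sb16_copy_from_user's body starts and ends outside this hunk.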
58121 diff -urNp linux-2.6.36.1/sound/pci/ac97/ac97_codec.c linux-2.6.36.1/sound/pci/ac97/ac97_codec.c
58122 --- linux-2.6.36.1/sound/pci/ac97/ac97_codec.c 2010-10-20 16:30:22.000000000 -0400
58123 +++ linux-2.6.36.1/sound/pci/ac97/ac97_codec.c 2010-11-06 18:58:15.000000000 -0400
58124 @@ -1962,7 +1962,7 @@ static int snd_ac97_dev_disconnect(struc
58127 /* build_ops to do nothing */
58128 -static struct snd_ac97_build_ops null_build_ops;
58129 +static const struct snd_ac97_build_ops null_build_ops;
58131 #ifdef CONFIG_SND_AC97_POWER_SAVE
58132 static void do_update_power(struct work_struct *work)
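Review bot: `null_build_ops` becoming `const` (and the `patch_*_ops` tables in the sound/pci/ac97/ac97_patch.c hunks below) is only warning-free if the `build_ops` pointer in `struct snd_ac97` was changed to `const struct snd_ac97_build_ops *` in the header, which is not in this view; otherwise every `ac97->build_ops = &...;` store discards a qualifier and the tables are no more protected than before. Worth confirming the include/sound header hunk is part of this patch.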
58133 diff -urNp linux-2.6.36.1/sound/pci/ac97/ac97_patch.c linux-2.6.36.1/sound/pci/ac97/ac97_patch.c
58134 --- linux-2.6.36.1/sound/pci/ac97/ac97_patch.c 2010-10-20 16:30:22.000000000 -0400
58135 +++ linux-2.6.36.1/sound/pci/ac97/ac97_patch.c 2010-11-06 18:58:15.000000000 -0400
58136 @@ -371,7 +371,7 @@ static int patch_yamaha_ymf743_build_spd
58140 -static struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58141 +static const struct snd_ac97_build_ops patch_yamaha_ymf743_ops = {
58142 .build_spdif = patch_yamaha_ymf743_build_spdif,
58143 .build_3d = patch_yamaha_ymf7x3_3d,
58145 @@ -455,7 +455,7 @@ static int patch_yamaha_ymf753_post_spdi
58149 -static struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58150 +static const struct snd_ac97_build_ops patch_yamaha_ymf753_ops = {
58151 .build_3d = patch_yamaha_ymf7x3_3d,
58152 .build_post_spdif = patch_yamaha_ymf753_post_spdif
58154 @@ -502,7 +502,7 @@ static int patch_wolfson_wm9703_specific
58158 -static struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58159 +static const struct snd_ac97_build_ops patch_wolfson_wm9703_ops = {
58160 .build_specific = patch_wolfson_wm9703_specific,
58163 @@ -533,7 +533,7 @@ static int patch_wolfson_wm9704_specific
58167 -static struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58168 +static const struct snd_ac97_build_ops patch_wolfson_wm9704_ops = {
58169 .build_specific = patch_wolfson_wm9704_specific,
58172 @@ -677,7 +677,7 @@ static int patch_wolfson_wm9711_specific
58176 -static struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58177 +static const struct snd_ac97_build_ops patch_wolfson_wm9711_ops = {
58178 .build_specific = patch_wolfson_wm9711_specific,
58181 @@ -871,7 +871,7 @@ static void patch_wolfson_wm9713_resume
58185 -static struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58186 +static const struct snd_ac97_build_ops patch_wolfson_wm9713_ops = {
58187 .build_specific = patch_wolfson_wm9713_specific,
58188 .build_3d = patch_wolfson_wm9713_3d,
58190 @@ -976,7 +976,7 @@ static int patch_sigmatel_stac97xx_speci
58194 -static struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58195 +static const struct snd_ac97_build_ops patch_sigmatel_stac9700_ops = {
58196 .build_3d = patch_sigmatel_stac9700_3d,
58197 .build_specific = patch_sigmatel_stac97xx_specific
58199 @@ -1023,7 +1023,7 @@ static int patch_sigmatel_stac9708_speci
58200 return patch_sigmatel_stac97xx_specific(ac97);
58203 -static struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58204 +static const struct snd_ac97_build_ops patch_sigmatel_stac9708_ops = {
58205 .build_3d = patch_sigmatel_stac9708_3d,
58206 .build_specific = patch_sigmatel_stac9708_specific
58208 @@ -1252,7 +1252,7 @@ static int patch_sigmatel_stac9758_speci
58212 -static struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58213 +static const struct snd_ac97_build_ops patch_sigmatel_stac9758_ops = {
58214 .build_3d = patch_sigmatel_stac9700_3d,
58215 .build_specific = patch_sigmatel_stac9758_specific
58217 @@ -1327,7 +1327,7 @@ static int patch_cirrus_build_spdif(stru
58221 -static struct snd_ac97_build_ops patch_cirrus_ops = {
58222 +static const struct snd_ac97_build_ops patch_cirrus_ops = {
58223 .build_spdif = patch_cirrus_build_spdif
58226 @@ -1384,7 +1384,7 @@ static int patch_conexant_build_spdif(st
58230 -static struct snd_ac97_build_ops patch_conexant_ops = {
58231 +static const struct snd_ac97_build_ops patch_conexant_ops = {
58232 .build_spdif = patch_conexant_build_spdif
58235 @@ -1486,7 +1486,7 @@ static const struct snd_ac97_res_table a
58236 { AC97_VIDEO, 0x9f1f },
58237 { AC97_AUX, 0x9f1f },
58238 { AC97_PCM, 0x9f1f },
58239 - { } /* terminator */
58240 + { 0, 0 } /* terminator */
58243 static int patch_ad1819(struct snd_ac97 * ac97)
58244 @@ -1560,7 +1560,7 @@ static void patch_ad1881_chained(struct
58248 -static struct snd_ac97_build_ops patch_ad1881_build_ops = {
58249 +static const struct snd_ac97_build_ops patch_ad1881_build_ops = {
58251 .resume = ad18xx_resume
58253 @@ -1647,7 +1647,7 @@ static int patch_ad1885_specific(struct
58257 -static struct snd_ac97_build_ops patch_ad1885_build_ops = {
58258 +static const struct snd_ac97_build_ops patch_ad1885_build_ops = {
58259 .build_specific = &patch_ad1885_specific,
58261 .resume = ad18xx_resume
58262 @@ -1674,7 +1674,7 @@ static int patch_ad1886_specific(struct
58266 -static struct snd_ac97_build_ops patch_ad1886_build_ops = {
58267 +static const struct snd_ac97_build_ops patch_ad1886_build_ops = {
58268 .build_specific = &patch_ad1886_specific,
58270 .resume = ad18xx_resume
58271 @@ -1881,7 +1881,7 @@ static int patch_ad1981a_specific(struct
58272 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58275 -static struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58276 +static const struct snd_ac97_build_ops patch_ad1981a_build_ops = {
58277 .build_post_spdif = patch_ad198x_post_spdif,
58278 .build_specific = patch_ad1981a_specific,
58280 @@ -1936,7 +1936,7 @@ static int patch_ad1981b_specific(struct
58281 ARRAY_SIZE(snd_ac97_ad1981x_jack_sense));
58284 -static struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58285 +static const struct snd_ac97_build_ops patch_ad1981b_build_ops = {
58286 .build_post_spdif = patch_ad198x_post_spdif,
58287 .build_specific = patch_ad1981b_specific,
58289 @@ -2075,7 +2075,7 @@ static int patch_ad1888_specific(struct
58290 return patch_build_controls(ac97, snd_ac97_ad1888_controls, ARRAY_SIZE(snd_ac97_ad1888_controls));
58293 -static struct snd_ac97_build_ops patch_ad1888_build_ops = {
58294 +static const struct snd_ac97_build_ops patch_ad1888_build_ops = {
58295 .build_post_spdif = patch_ad198x_post_spdif,
58296 .build_specific = patch_ad1888_specific,
58298 @@ -2124,7 +2124,7 @@ static int patch_ad1980_specific(struct
58299 return patch_build_controls(ac97, &snd_ac97_ad198x_2cmic, 1);
58302 -static struct snd_ac97_build_ops patch_ad1980_build_ops = {
58303 +static const struct snd_ac97_build_ops patch_ad1980_build_ops = {
58304 .build_post_spdif = patch_ad198x_post_spdif,
58305 .build_specific = patch_ad1980_specific,
58307 @@ -2239,7 +2239,7 @@ static int patch_ad1985_specific(struct
58308 ARRAY_SIZE(snd_ac97_ad1985_controls));
58311 -static struct snd_ac97_build_ops patch_ad1985_build_ops = {
58312 +static const struct snd_ac97_build_ops patch_ad1985_build_ops = {
58313 .build_post_spdif = patch_ad198x_post_spdif,
58314 .build_specific = patch_ad1985_specific,
58316 @@ -2531,7 +2531,7 @@ static int patch_ad1986_specific(struct
58317 ARRAY_SIZE(snd_ac97_ad1985_controls));
58320 -static struct snd_ac97_build_ops patch_ad1986_build_ops = {
58321 +static const struct snd_ac97_build_ops patch_ad1986_build_ops = {
58322 .build_post_spdif = patch_ad198x_post_spdif,
58323 .build_specific = patch_ad1986_specific,
58325 @@ -2636,7 +2636,7 @@ static int patch_alc650_specific(struct
58329 -static struct snd_ac97_build_ops patch_alc650_ops = {
58330 +static const struct snd_ac97_build_ops patch_alc650_ops = {
58331 .build_specific = patch_alc650_specific,
58332 .update_jacks = alc650_update_jacks
58334 @@ -2788,7 +2788,7 @@ static int patch_alc655_specific(struct
58338 -static struct snd_ac97_build_ops patch_alc655_ops = {
58339 +static const struct snd_ac97_build_ops patch_alc655_ops = {
58340 .build_specific = patch_alc655_specific,
58341 .update_jacks = alc655_update_jacks
58343 @@ -2900,7 +2900,7 @@ static int patch_alc850_specific(struct
58347 -static struct snd_ac97_build_ops patch_alc850_ops = {
58348 +static const struct snd_ac97_build_ops patch_alc850_ops = {
58349 .build_specific = patch_alc850_specific,
58350 .update_jacks = alc850_update_jacks
58352 @@ -2962,7 +2962,7 @@ static int patch_cm9738_specific(struct
58353 return patch_build_controls(ac97, snd_ac97_cm9738_controls, ARRAY_SIZE(snd_ac97_cm9738_controls));
58356 -static struct snd_ac97_build_ops patch_cm9738_ops = {
58357 +static const struct snd_ac97_build_ops patch_cm9738_ops = {
58358 .build_specific = patch_cm9738_specific,
58359 .update_jacks = cm9738_update_jacks
58361 @@ -3053,7 +3053,7 @@ static int patch_cm9739_post_spdif(struc
58362 return patch_build_controls(ac97, snd_ac97_cm9739_controls_spdif, ARRAY_SIZE(snd_ac97_cm9739_controls_spdif));
58365 -static struct snd_ac97_build_ops patch_cm9739_ops = {
58366 +static const struct snd_ac97_build_ops patch_cm9739_ops = {
58367 .build_specific = patch_cm9739_specific,
58368 .build_post_spdif = patch_cm9739_post_spdif,
58369 .update_jacks = cm9739_update_jacks
58370 @@ -3227,7 +3227,7 @@ static int patch_cm9761_specific(struct
58371 return patch_build_controls(ac97, snd_ac97_cm9761_controls, ARRAY_SIZE(snd_ac97_cm9761_controls));
58374 -static struct snd_ac97_build_ops patch_cm9761_ops = {
58375 +static const struct snd_ac97_build_ops patch_cm9761_ops = {
58376 .build_specific = patch_cm9761_specific,
58377 .build_post_spdif = patch_cm9761_post_spdif,
58378 .update_jacks = cm9761_update_jacks
58379 @@ -3323,7 +3323,7 @@ static int patch_cm9780_specific(struct
58380 return patch_build_controls(ac97, cm9780_controls, ARRAY_SIZE(cm9780_controls));
58383 -static struct snd_ac97_build_ops patch_cm9780_ops = {
58384 +static const struct snd_ac97_build_ops patch_cm9780_ops = {
58385 .build_specific = patch_cm9780_specific,
58386 .build_post_spdif = patch_cm9761_post_spdif /* identical with CM9761 */
58388 @@ -3443,7 +3443,7 @@ static int patch_vt1616_specific(struct
58392 -static struct snd_ac97_build_ops patch_vt1616_ops = {
58393 +static const struct snd_ac97_build_ops patch_vt1616_ops = {
58394 .build_specific = patch_vt1616_specific
58397 @@ -3797,7 +3797,7 @@ static int patch_it2646_specific(struct
58401 -static struct snd_ac97_build_ops patch_it2646_ops = {
58402 +static const struct snd_ac97_build_ops patch_it2646_ops = {
58403 .build_specific = patch_it2646_specific,
58404 .update_jacks = it2646_update_jacks
58406 @@ -3831,7 +3831,7 @@ static int patch_si3036_specific(struct
58410 -static struct snd_ac97_build_ops patch_si3036_ops = {
58411 +static const struct snd_ac97_build_ops patch_si3036_ops = {
58412 .build_specific = patch_si3036_specific,
58415 @@ -3864,7 +3864,7 @@ static struct snd_ac97_res_table lm4550_
58416 { AC97_AUX, 0x1f1f },
58417 { AC97_PCM, 0x1f1f },
58418 { AC97_REC_GAIN, 0x0f0f },
58419 - { } /* terminator */
58420 + { 0, 0 } /* terminator */
58423 static int patch_lm4550(struct snd_ac97 *ac97)
58424 @@ -3898,7 +3898,7 @@ static int patch_ucb1400_specific(struct
58428 -static struct snd_ac97_build_ops patch_ucb1400_ops = {
58429 +static const struct snd_ac97_build_ops patch_ucb1400_ops = {
58430 .build_specific = patch_ucb1400_specific,
58433 diff -urNp linux-2.6.36.1/sound/pci/ens1370.c linux-2.6.36.1/sound/pci/ens1370.c
58434 --- linux-2.6.36.1/sound/pci/ens1370.c 2010-10-20 16:30:22.000000000 -0400
58435 +++ linux-2.6.36.1/sound/pci/ens1370.c 2010-11-06 18:58:15.000000000 -0400
58436 @@ -452,7 +452,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_audio
58437 { PCI_VDEVICE(ENSONIQ, 0x5880), 0, }, /* ES1373 - CT5880 */
58438 { PCI_VDEVICE(ECTIVA, 0x8938), 0, }, /* Ectiva EV1938 */
58441 + { 0, 0, 0, 0, 0, 0, 0 }
58444 MODULE_DEVICE_TABLE(pci, snd_audiopci_ids);
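Review bot: The new terminator `{ 0, 0, 0, 0, 0, 0, 0 }` hard-codes the member count of struct pci_device_id, so it silently stops being a full-width initializer if a field is ever added or reordered, whereas `{ 0 }` zero-initializes every member regardless of layout. If the intent is only to avoid the empty-brace GNU extension that was removed, `{ 0 }` achieves that in one token; if it is to quiet a missing-field-initializer warning, a single designated member such as `{ .vendor = 0 }` documents the intent better than a run of positional zeros. The same pattern appears in the intel8x0.c and intel8x0m.c device tables and in the `{ 0, 0, 0, 0, NULL, 0 }` ac97_quirks terminator, and the `{ 0, 0 }` snd_ac97_res_table terminator in ac97_patch.c has the same brittleness in miniature.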
58445 diff -urNp linux-2.6.36.1/sound/pci/hda/patch_hdmi.c linux-2.6.36.1/sound/pci/hda/patch_hdmi.c
58446 --- linux-2.6.36.1/sound/pci/hda/patch_hdmi.c 2010-10-20 16:30:22.000000000 -0400
58447 +++ linux-2.6.36.1/sound/pci/hda/patch_hdmi.c 2010-11-06 18:58:15.000000000 -0400
58448 @@ -671,10 +671,10 @@ static void hdmi_non_intrinsic_event(str
58463 diff -urNp linux-2.6.36.1/sound/pci/intel8x0.c linux-2.6.36.1/sound/pci/intel8x0.c
58464 --- linux-2.6.36.1/sound/pci/intel8x0.c 2010-10-20 16:30:22.000000000 -0400
58465 +++ linux-2.6.36.1/sound/pci/intel8x0.c 2010-11-06 18:58:15.000000000 -0400
58466 @@ -444,7 +444,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
58467 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
58468 { PCI_VDEVICE(AMD, 0x7445), DEVICE_INTEL }, /* AMD768 */
58469 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
58471 + { 0, 0, 0, 0, 0, 0, 0 }
58474 MODULE_DEVICE_TABLE(pci, snd_intel8x0_ids);
58475 @@ -2135,7 +2135,7 @@ static struct ac97_quirk ac97_quirks[] _
58476 .type = AC97_TUNE_HP_ONLY
58479 - { } /* terminator */
58480 + { 0, 0, 0, 0, NULL, 0 } /* terminator */
58483 static int __devinit snd_intel8x0_mixer(struct intel8x0 *chip, int ac97_clock,
58484 diff -urNp linux-2.6.36.1/sound/pci/intel8x0m.c linux-2.6.36.1/sound/pci/intel8x0m.c
58485 --- linux-2.6.36.1/sound/pci/intel8x0m.c 2010-10-20 16:30:22.000000000 -0400
58486 +++ linux-2.6.36.1/sound/pci/intel8x0m.c 2010-11-06 18:58:15.000000000 -0400
58487 @@ -239,7 +239,7 @@ static DEFINE_PCI_DEVICE_TABLE(snd_intel
58488 { PCI_VDEVICE(AMD, 0x746d), DEVICE_INTEL }, /* AMD8111 */
58489 { PCI_VDEVICE(AL, 0x5455), DEVICE_ALI }, /* Ali5455 */
58492 + { 0, 0, 0, 0, 0, 0, 0 }
58495 MODULE_DEVICE_TABLE(pci, snd_intel8x0m_ids);
58496 @@ -1264,7 +1264,7 @@ static struct shortname_table {
58497 { 0x5455, "ALi M5455" },
58498 { 0x746d, "AMD AMD8111" },
58504 static int __devinit snd_intel8x0m_probe(struct pci_dev *pci,
58505 diff -urNp linux-2.6.36.1/usr/gen_init_cpio.c linux-2.6.36.1/usr/gen_init_cpio.c
58506 --- linux-2.6.36.1/usr/gen_init_cpio.c 2010-10-20 16:30:22.000000000 -0400
58507 +++ linux-2.6.36.1/usr/gen_init_cpio.c 2010-11-06 18:58:15.000000000 -0400
58508 @@ -299,7 +299,7 @@ static int cpio_mkfile(const char *name,
58517 @@ -386,9 +386,10 @@ static char *cpio_replace_env(char *new_
58518 *env_var = *expanded = '\0';
58519 strncat(env_var, start + 2, end - start - 2);
58520 strncat(expanded, new_location, start - new_location);
58521 - strncat(expanded, getenv(env_var), PATH_MAX);
58522 - strncat(expanded, end + 1, PATH_MAX);
58523 + strncat(expanded, getenv(env_var), PATH_MAX - strlen(expanded));
58524 + strncat(expanded, end + 1, PATH_MAX - strlen(expanded));
58525 strncpy(new_location, expanded, PATH_MAX);
58526 + new_location[PATH_MAX] = 0;
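Review bot: `getenv(env_var)` on the first rewritten `strncat` line returns NULL when the variable named inside `${...}` is not set, and `strncat` with a NULL source is undefined behaviour; the new bound fixes the length arithmetic but leaves that hazard in place. Capture the lookup first, `const char *val = getenv(env_var);` then `strncat(expanded, val ? val : "", PATH_MAX - strlen(expanded));`, so a missing variable expands to the empty string instead of crashing. The bound `PATH_MAX - strlen(expanded)` leaves room for the terminating NUL only if `expanded` holds PATH_MAX + 1 bytes, and the added `new_location[PATH_MAX] = 0;` likewise assumes the caller's buffer is PATH_MAX + 1 bytes; both declarations are outside the hunk, as is the rest of cpio_replace_env, so they are worth confirming.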
58530 diff -urNp linux-2.6.36.1/virt/kvm/kvm_main.c linux-2.6.36.1/virt/kvm/kvm_main.c
58531 --- linux-2.6.36.1/virt/kvm/kvm_main.c 2010-10-20 16:30:22.000000000 -0400
58532 +++ linux-2.6.36.1/virt/kvm/kvm_main.c 2010-11-06 18:58:15.000000000 -0400
58533 @@ -1300,6 +1300,7 @@ static int kvm_vcpu_release(struct inode
58537 +/* cannot be const */
58538 static struct file_operations kvm_vcpu_fops = {
58539 .release = kvm_vcpu_release,
58540 .unlocked_ioctl = kvm_vcpu_ioctl,
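Review bot: The added `/* cannot be const */` states a constraint without its reason, so the next reader cannot tell whether it is a hard requirement or a leftover, and the same bare comment is added above kvm_vm_fops and kvm_chardev_ops in the following two hunks. Presumably these three file_operations are written at runtime (the `.owner` member is the usual case for a module-owned fops); if so, say that once, e.g. `/* cannot be const: .owner is assigned at runtime in kvm_init() */`, and keep it next to each definition. If the reason is something else, the comment should name it instead; this cannot be confirmed from the hunk, which shows only the head of each initializer.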
58541 @@ -1767,6 +1768,7 @@ static int kvm_vm_mmap(struct file *file
58545 +/* cannot be const */
58546 static struct file_operations kvm_vm_fops = {
58547 .release = kvm_vm_release,
58548 .unlocked_ioctl = kvm_vm_ioctl,
58549 @@ -1864,6 +1866,7 @@ out:
58553 +/* cannot be const */
58554 static struct file_operations kvm_chardev_ops = {
58555 .unlocked_ioctl = kvm_dev_ioctl,
58556 .compat_ioctl = kvm_dev_ioctl,
58557 @@ -1873,6 +1876,9 @@ static struct miscdevice kvm_dev = {
58566 static void hardware_enable(void *junk)
58567 @@ -1974,7 +1980,7 @@ asmlinkage void kvm_handle_fault_on_rebo
58568 /* spin while reset goes on */
58569 local_irq_enable();
58574 /* Fault while not rebooting. We want the trace. */
58576 @@ -2208,7 +2214,7 @@ static void kvm_sched_out(struct preempt
58577 kvm_arch_vcpu_put(vcpu);
58580 -int kvm_init(void *opaque, unsigned vcpu_size, unsigned vcpu_align,
58581 +int kvm_init(const void *opaque, unsigned vcpu_size, unsigned vcpu_align,
58582 struct module *module)